3.05: Good Cop, Bad Hacker

Archive | 3.05 - May 1995 | electrosphere

Good Cop, Bad Hacker

Bruce Sterling has a "frank chat" with some cops.

By Bruce Sterling

Last November, sci-fi writer Bruce Sterling addressed police and private security officers at the High Technology Crime Investigation Association. The transcript of his talk has been edited for Wired. The best thing that can be said for the speech, Sterling quips, is that it allowed "American law enforcement personnel to receive training credits for sitting still and listening to it."

My name is Bruce Sterling, and I'm a sometime computer crime journalist and a longtime science fiction writer from Austin, Texas. I'm the guy who wrote Hacker Crackdown, which is the book you're getting on one of those floppy disks that are being distributed at this gig like party favors.

People in law enforcement often ask me, Mr. Sterling, if you're a science fiction writer like you say you are, then why should you care about American computer police and private security? And also, how come my kids can never find any copies of your sci-fi novels? Well, as to the second question, my publishers do their best. As to the first, the truth is that I've survived my brief career as a computer-crime journalist. I'm now back to writing science fiction full time, like I want to do and like I ought to do. I really can't help the rest of it.

So why did I write Hacker Crackdown in the first place? Well, I figured that somebody ought to do it, and nobody else was willing. When I first got interested in Operation Sundevil and the Legion of Doom and the raid on Steve Jackson Games and so forth, it was 1990. All these issues were very obscure. It was the middle of the Bush presidency. There was no information-superhighway vice president. There was no Wired magazine. There was no Electronic Frontier Foundation. There was no Clipper Chip and no Digital Telephony Initiative. There was no PGP and no World Wide Web. There were a few books around, and a couple of movies, that glamorized computer crackers, but there had never been a popular book written about American computer cops.

When I got started researching Hacker Crackdown, my first and only nonfiction book, I didn't even think I was going to write it. There were four other journalists hot on the case who were all better qualified than I was. But one by one, they all dropped out. Eventually, I realized that either I was going to write it, or nobody was ever going to tell the story. All those strange events and peculiar happenings would have passed without a public record. I couldn't help but feel that if I didn't take the trouble to tell people what had happened, it would probably have to happen all over again. And again and again, until people finally noticed it and were willing to talk about it publicly.

Nowadays it's different. There are about a million journalists with Internet addresses. There are other books around, like for instance Katie Hafner and John Markoff's Cyberpunk: Outlaws and Hackers on the Computer Frontier, which is a far better book about hackers than my book. Paul Mungo and Bryan Clough's book Approaching Zero has a pretty interesting take on the European virus scene. Then there's Cyberspace and the Law by Edward Cavazos and Gavino Morin, which is a good practical handbook on digital civil-liberties issues. This book explains in legal detail exactly what kind of modem stunts are likely to get you into trouble. (This is a useful service for keeping people out of hot water, which is what my book was intended to do. Only this book does it better.) And there have been a lot of magazine and newspaper articles published.

Basically, I'm no longer needed as a computer-crime journalist. The world is full of computer journalists now, and the stuff I was writing about four years ago is hot and sexy and popular. That's why I don't have to write it anymore. I was ahead of my time. I'm supposed to be ahead of my time. I'm a science fiction writer. Believe it or not, I'm needed to write science fiction. Taking a science fiction writer and turning him into a journalist is like stealing pencils from a blind man's cup.

Even though I'm not in the computer-crime game anymore, I do maintain an interest. For a lot of pretty good reasons. I still read most of the computer-crime journal-ism that's out there. And I'll tell you one thing about it: there's way, way too much blather going on about teenage computer intruders, and nowhere near enough coverage of computer cops. Computer cops are at least a hundred times more interesting than sneaky teenagers with kodes and kards. A guy like Carlton Fitzpatrick - a telecom crime instructor at the Federal Law Enforcement Training Center in Glynco, Georgia - should be a hundred times more famous than some wretched hacker kid like Mark Abene. A group like the Federal Computer Investigations Committee is a hundred times more influential and important and interesting than the Chaos Computer Club, Hack-Tic, and the 2600 group put together.

The United States Secret Service is a heavy outfit. It's astounding how little has been written or published about Secret Service people - their lives, their history, and how life really looks to them. Cops are really good material for a journalist or a fiction writer. Cops see things most human beings never see. Even private security people have a lot to say for themselves. Computer-intrusion hackers and phone phreaks, by contrast, are pretty damned boring.

You know, I used to go looking for hackers, but I don't bother anymore. I don't have to. Hackers come looking for me these days. And they find me, because I make no particular effort to hide.

I also get a lot of calls from journalists. Journalists doing computer-crime stories. I've somehow acquired a reputation as a guy who knows something about computer crime and is willing to talk to journalists. And I do that, too. Because I have nothing to lose. Why shouldn't I talk to other journalists? They've got a boss; I don't. They've got a deadline; I don't. I know more or less what I'm talking about, they usually don't have a ghost of a clue.

Hackers will also talk to journalists. Hackers brag all the time. Computer cops, however, have not had a stellar record in their press relations. This is sad. I understand there's a genuine need for operational discretion and so forth, but since a lot of computer cops are experts in telecommunications, you'd think they'd come up with some neat trick to get around these limitations.

Let's consider, for instance, the Kevin Mitnick problem. The FBI tried to nab Kevin a few months back at a computer civil-liberties convention in Chicago and apprehended the wrong guy. That was pretty embarrassing, frankly. I was there. I saw it. I also saw the FBI trying to explain it all to about 500 enraged self-righteous liberals, and it was pretty sad. The local FBI officers came a cropper because they didn't really know what Kevin Mitnick looked like.

I don't know what Mitnick looks like either - even though I've written about him a little bit - and my question is, How come? How come there's no publicly accessible World Wide Web page with mug shots of wanted computer-crime fugitives? Even the US Postal Service has got this much together, and they don't even have modems. Why don't the FBI and the US Secret Service have public-relations stations in cyberspace? For that matter, why doesn't the High Technology Crime Investigation Association have its own Internet site? All the computer businesses have Internet sites now, unless they're totally out of it. Why aren't computer cops in much, much better rapport with the computer community through computer networks? You don't have to grant live interviews with every journalist in sight if you don't want to - I understand that can create a big mess sometimes. But just put some data up in public, for heaven's sake. Crime statistics. Wanted posters. Security advice. Antivirus programs, whatever. Stuff that will help the cyberspace community you are supposed to be protecting and serving.

I know there are people in computer-law enforcement who are ready and willing and able to do this. But they can't make it happen because of too much bureaucracy and, frankly, too much useless hermetic secrecy. Computer cops ought to publicly walk the beat in cyberspace a lot more. Stop hiding your light under a bushel. What is your problem, exactly? Are you afraid somebody might find out that you exist?

This is an amazing oversight and a total no-brainer on your part, to be the cops in an information society and not be willing to get online big time and really push your information. Let me tell you about a few recent events in your milieu that I have no conceptual difficulties with. Case Number One: Some guy up around San Francisco is cloning off cell phones. He's burning EPROMs and pirating cellular IDs, and he's moved about a thousand of these hot phones to his running buddies in the mob in Singapore, and they've bought him a real nice sports car with the proceeds. The Secret Service shows up at the guy's house, catches him with his little soldering iron in hand, busts him, hauls him downtown, calls a press conference after the bust, says that this activity is a big problem for cell phone companies and they're gonna turn up the heat on people who do this stuff. I have no problem with this situation. I even take a certain grim satisfaction in it. Is this a crime? Yes. Is this a bad guy with evil intent? Yes. Is law enforcement performing its basic duty here? Yes. Do I mind if corporate private security is kinda pitching in behind the scene and protecting its own commercial interests here? No, not really. Is there some major civil-liberties and free-expression angle involved in this guy's ripping off cellular companies? No. Is there a threat to privacy here? Yeah - him, the perpetrator. Is the Secret Service emptily boasting and grandstanding when they hang this guy out to dry in public? No, this looks like legitimate deterrence to me, and if they want a little glory out of it - well, hell, we all want a little glory sometimes. We can't survive without a little glory. Take the dumb bastard away with my blessing.

OK, next case: some group of Vietnamese Triad types hijack a truckload of chips in Silicon Valley, then move the loot overseas to the Asian black market through some smuggling network that got bored with running heroin. Are these guys "Robin Hoods of the electronic frontier?" I don't think so. Am I all impressed because some warlord in the Golden Triangle may be getting free computation services, and information wants to be free? No. This doesn't strike me as a positive development, frankly. Is organized crime a menace to our society? Yeah! It is!

I can't say I've ever had much to do - knowingly that is - with wise-guy types, but I spent a little time in Moscow recently, and in Italy too at the height of the Tangentopoli kickback scandal, and, you know, organized crime and endemic corruption are very serious problems indeed. You get enough of that evil crap going on in your society, and it's like nobody can breathe. I never quite grasped how a protection racket worked and what it meant to victims till I spent a couple of weeks in Moscow in December 1993. That's a nasty piece of work, that stuff.

Another case: some joker gets a job at a long-distance provider and writes a PIN-trapping network program. He gets his mitts on about 8 zillion PINs and he sells them for a buck apiece to his hacker buddies all over the US and Europe. Do I think this is clever? Yeah, it's pretty ingenious. Do I think it's a crime? Yes, it's a criminal act. This guy is basically corrupt. Do I think free or cheap long distance is a good idea? Yeah, I do; if there was a very low flat rate on long distance, then you would see usage skyrocket so drastically that long-distance providers would make more money in the long run. I'd like to see them try that experiment sometime; I don't think the way they run phone companies today is the only way to run them successfully. Phone companies are probably gonna have to change their act if they expect to survive in the 21st century's media environment.

But, you know, that's not this guy's look- out. He's not the one to make that business decision. Theft is not an act of reform. He's abusing a position of trust as an employee in order to illegally line his own pockets. This guy is a crook.

So I have no problems with those recent law enforcement operations. I wish they'd gotten more publicity, and I'm kinda sorry I wasn't able to give them more publicity myself, but at least I've heard of them, and I was paying attention when they happened.

Now I want to talk about some stuff that bugs me. I'm an author and I'm interested in free expression. That's only natural because that's my bailiwick. Free expression is a problem for writers, and it's always been a problem, and it's probably always gonna be a problem. We in the West have these ancient and honored traditions of free speech and freedom of the press, and in the US we have this rather more up-to-date concept of "freedom of information." But even so, there is an enormous amount of "information" today that is highly problematic. Just because freedom of the press was in the Constitution didn't mean that people were able to stop thinking about what press freedom really means in real life, and fighting about it and suing each other about it. We Americans have lots of problems with our freedom of the press and our freedom of speech. Problems like libel and slander. Incitement to riot. Obscenity. Child pornography. Flag-burning. Cross-burning. Race-hate propaganda. Political correctness. Sexist language. Tipper. Gore's Parents Music Resource Council. Movie ratings. Plagiarism. Photocopying rights. A journalist's so-called right to pro- tect sources. Fair-use doctrine. Lawyer- client confidentiality. Paid political announcements. Banning ads for liquor and cigarettes. The fairness doctrine for broadcasters. School textbook censors. National security. Military secrets. Industrial trade secrets. Arts funding for so-called obscenity. Even religious blasphemy such as Salman Rushdie's famous novel Satanic Verses, which is hated so violently by the kind of people who like to blow up the World Trade Center. All these huge problems about what people can say to each other, under what circumstances. And that's without computers and computer networks.

Every single one of those problems is applicable to cyberspace. Computers don't make any of these old free-expression problems go away; on the contrary, they intensify them, and they introduce a bunch of new problems. Problems like software piracy. Encryption. Wire fraud. Interstate transportation of stolen digital property. Free expression on privately owned networks. So-called "data-mining" to invade personal privacy. Employers spying on employee e-mail. Intellectual rights over electronic publications. Computer search-and-seizure practice. Legal liability for network crashes. Computer intrusion. And on and on and on. These are real problems. They're out there. They're out there now. In the future, they're only going to get worse. And there's going to be a bunch of new problems that nobody's even imagined.

I worry about these issues because people in positions like mine ought to worry about these issues. I can't say I've ever suffered much because of censorship, or through my government's objections to what I have to say. On the contrary, the current US government likes me so much it makes me nervous. But I've written 10 books, and I don't think I've ever written one that could have been legally published in its entirety 50 years ago. I'm 40 years old; I can remember when people didn't use the word condom in public. Nowadays, if you don't know what a condom is and how to use it, there's a pretty good chance you're gonna die. Standards change a lot. Culture changes a lot. The laws supposedly governing this behavior are gray and riddled with contradictions and compromises. There are some people who don't want our culture to change, or they want to change it even faster in a direction that they've got their own ideas about. When police get involved in a cultural struggle, it's always highly politicized. The chances of it ending well are not good.

It's been quite a while since there was a really good, ripping computer-intrusion scandal in the news. Presumably, everyone was waiting for Kevin Mitnick to get really restless. Nowadays, the hot-button issue is porn. Kidporn and other porn. I don't have much sympathy for kidporn people; I think the exploitation of children is a vile and grotesque criminal act, but I've seen some computer porn cases lately that look pretty problematic and peculiar to me. There's not a lot to be gained by playing up the terrifying menace of porn on networks. Porn is just too treacherous an issue to be of much use to anybody. It's not a firm and dependable place in which to take a stand on how we ought to run our networks.

For instance, there's this Amateur Action case. We've got this couple in California, and they're selling some pretty seriously vile material off their bulletin board. They get indicted in Tennessee, and now face sentencing on 11 obscenity convictions, each carrying a maximum sentence of five years in prison and US$250,000 in fines. What is that about? Do we really think that people in Memphis can enforce their pornographic community standards on people in California? I'd be impressed if a prosecutor got a jury in California to indict and convict some pornographer in Tennessee. I'd figure that that Tennessee pornographer had to be pretty heavy-duty. Doing that in the other direction is like shooting fish in a barrel. There's something cheap about it. This doesn't smell like an airtight criminal case to me. This smells like someone from Tennessee trying to enforce the local cultural standards via a long-distance phone line. That may not be the truth about the case, but that's what the case looks like. It's hard to make a porn case look good at any time. If it's a weak case, then the prosecutor looks like a bluenosed goody-goody wimp. If it's a strong case, then the whole mess is so disgusting that nobody even wants to think about it or even look hard at the evidence. Porn is a no-win situation when it comes to the basic social purpose of instilling law and order on networks.

You could make a pretty good case in Tennessee that people in California are a bunch of flaky, perverted lunatics; in California, you can make a pretty good case that people from Tennessee are a bunch of hillbilly fundamentalist wackos. You start playing one community off another, and pretty soon you're out of the realm of criminal law, and into the realm of trying to control people's cultural behavior with a nightstick. There's not a lot to be gained by this fight. You may intimidate a few pornographers here and there, but you're also likely to seriously infuriate a bunch of bystanders. It's not a fight you can win - even if you win a case, or two cases, or ten cases. People in California are never gonna behave in a way that satisfies people in Tennessee. People in California have more money and more power and more influence than people living in Tennessee. People in California invented Hollywood and Silicon Valley, and people in Tennessee invented ways to put smut labels on rock-and-roll albums.

This is what Pat Buchanan and Newt Gingrich are talking about when they talk about cultural war in America. If I were a cop, I would be very careful of looking like a pawn in some cultural warfare by ambitious radical politicians. The country's infested with zealots now - to the left and right. A lot of these people are fanatics motivated by fear and anger, and they don't care two pins about public order or the people who maintain it and keep the peace in our society. They don't want a debate. They just want to crush their enemies by whatever means possible. If they can use cops to do it, then great! Cops are expendable.

There's another porn case that bugs me even more. There's this guy in Oklahoma City who had a big fidonet bulletin board, and a storefront where he sold CD-ROMs. Some of them, a few, were porn CD-ROMs. The Oklahoma City police catch this local hacker kid, and of course he squeals - they always do - and he says, Don't nail me, nail this other guy, he's a pornographer. So off the police go to raid this guy's place of business, and while they're at it, they carry some minicams and they broadcast their raid on that night's Oklahoma City evening news (this is in August of '93). It was a really high-tech and innovative thing to do, but it was also a really reckless cowboy thing to do, because it left no political fallback position. They were now utterly committed to crucifying this guy, because otherwise it was too much of a political embarrassment. They couldn't just shrug and say, Well, we've just busted this guy for selling a few lousy CD-ROMs that anybody in the country can mail order with impunity out of the back of a computer magazine. They had to assemble a jury, with a couple of fundamentalist ministers on it, and show the most rancid graphic image files to the 12 good people. And, sure enough, it was judged in a court to be pornographic. I don't think there was much doubt that it was pornography, and I don't doubt that any jury in Oklahoma City would have called it pornography by the local Oklahoma City community standards. This guy got convicted. Lost the trial. Lost his business. Went to jail. His wife sued for divorce. He's a convict. His life is in ruins.

I don't think this guy was a pornographer by any genuine definition. He had no previous convictions. Never been in trouble. Didn't have a bad character. Had an honorable war record in Vietnam. Paid his taxes. People who knew him personally spoke very highly of him. He wasn't some loony sleazebag. He was just a guy selling disks that other people (just like him) sell all over the country, without anyone blinking an eye. As far as I can figure, the Oklahoma City police and an Oklahoma prosecutor skinned this guy and nailed his hide to the side of a barn, just because they didn't want to look bad. A serious injustice was done here. It was a terrible public relations move. There's a magazine out called Boardwatch - practically everybody who runs a bulletin board system in this country reads it. When the editor of this magazine heard about the outcome of this case, he basically went nonlinear. He wrote this scorching furious editorial berating the authorities. The Oklahoma City prosecutor sent his little message all right, and it went over the Oklahoma City evening news, and probably made him look pretty good, locally and personally. But this magazine sent a much bigger and much angrier message, which went all over the country to a perfect target computer-industry audience of BBS sysops. This editor's message was that the Oklahoma City police are a bunch of crazed no-neck Gestapo who don't know nothing about nothing, and hate anybody who does. I think that the genuine cause of computer law and order was very much harmed by this case.

There are a couple of useful lessons to be learned here. The first, of course, is don't sell porn in Oklahoma City. And the second is, if your city's on an antiporn crusade and you're a cop, it's a good idea to drop by the local porn outlets and openly tell the merchants that porn is illegal. Tell them straight out that you know they have some porn, and they'd better knock it off. If they've got any sense, they'll take this word from the wise and stop breaking the local community standards forthwith. If they go on doing it, well, presumably they're hardened porn merchants of some kind, and when they get into trouble with ambitious local prosecutors, they'll have no one to blame but themselves. Don't jump in headfirst with an agenda and a videocam. It's real easy to wade hip deep into a blaze of publicity, but it's real hard to wade back out without getting the sticky stuff all over you.

It's generally a thankless lot being an American computer cop. You know this; I know this. I even regret having to bring these matters up, though I feel that I ought to, given the circumstances. I do, however, see one small ray of light in the American computer-law enforcement scene, and that is the behavior of computer cops in other countries. American computer cops have had to suffer under the spotlight because they were the first people in the world doing this sort of activity. But now, we're starting to see other law enforcement people in other countries. To judge by early indications, the situation's going to be a lot worse overseas.

Italy, for instance. The Italian finance police recently decided that everybody on fidonet was a software pirate, so they went out and seized somewhere between 50 and 100 bulletin boards. Accounts are confused, not least because most of the accounts are in Italian. Nothing much has appeared in the way of charges or convictions, and there's been a lot of anguished squalling from deeply alienated and radicalized Italian computer people. Italy is a country where entire political parties have been annihilated because of endemic corruption and bribery scandals. A country where organized crime shoots judges and blows up churches with car bombs. In Italy, politics is so weird that the Italian Communist Party has a national reputation as the party of honest government.

The hell of it is, in the long run I think the Italians are going to turn out to be one of the better countries at handling computer crime. Wait till we start hearing from the Poles, the Romanians, the Chinese, the Serbs, the Turks, the Pakistanis, the Saudis.

Here in America we're getting used to this stuff, a little bit. We have a White House with its own Internet address and its own World Wide Web page. American law enforcement agencies are increasingly equipped with a clue. In Europe, you have computers all over the place, but they are imbedded in a patchwork of PTTs and peculiar local jurisdictions and even more peculiar and archaic local laws. In a few more years, American cops are going to earn a global reputation as being very much on top of this stuff.

As for the computer crime scene, it's pretty likely that American computer crime is going to look relatively low-key, compared to the eventual rise of ex-Soviet computer crime, and Eastern European computer crime, and Southeast Asian computer crime.

Since I'm a science fiction writer, I like to speculate about the future. American computer police are going to have a hard row to hoe, because they are almost always going to be the first in the world to catch hell from these issues. Certain bad things are naturally going to happen here first, because we're the people who are inventing almost all the possibilities. But I also feel that it's not very likely that bad things will reach that extremity of awfulness here. It's quite possible that American computer police will make some awful mistakes, but I can almost guarantee that other people's police will make worse mistakes by an order of magnitude. American police may hit people with sticks, but other people's police are going to hit people with axes and cattle prods. Computers will probably help people manage better in those countries where people can manage. In countries that are falling apart, overcrowded countries with degraded environments and deep social problems, computers might well make things fall apart even faster.

Countries that have offshore money laundries are gonna have offshore data laundries. Countries that now have lousy oppressive governments and smart, determined terrorist revolutionaries are gonna have lousy oppressive governments and smart determined terrorist revolutionaries with computers. Not too long after that, they're going to have tyrannical revolutionary governments run by zealots with computers; then we're likely to see just how close to Big Brother a government can really get. Dealing with these people is going to be a big problem for us.

Bruce Sterling (bruces@well.sf.ca.us) is the author of five science fiction novels, the nonfiction work The Hacker Crackdown, and co-author, with William Gibson, of The Difference Engine.