Why the hacker ethos is bad for the net
with journalist Katrina Onstad
Technology Magazine, fall, 1996
Hacker culture is a pervasive part of the computer age. Most hackers are pretty harmless, wanna-bes or kids who learn to program from bulletin-board systems. At the other end of the spectrum are the hard-core superhackers, or crackers, who are out to infiltrate and damage computer systems. The most extreme are those who overcome security and pirate software for profit. While most hackers outside cyberspace are law-abiding, if sulky, citizens, almost all share a common set of values. These roughly constitute a Hacker’s Code: information on the Internet should be free; intellectual property should belong to anyone who understands it; large corporations are to be distrusted; large governments are to be distrusted even more; any attempt to police or secure any parts of cyberspace must be resisted; and, of paramount importance, technical know-how is a virtue to be valued above others, including the virtue of social responsibilities.
Hackers and software pirates used to lurk on the fringes of the computer industry. Now they’ve been put in charge.
MICHAEL STARTED breaking into computer systems when he was 12 years old. “I made acquaintances in the early ’80s. It was exciting. You get onto these hackerfreaker bulletin boards. The things you start finding out, it’s incredible: credit card numbers whipping by, calling card numbers. I didn’t do anything super-illegal. I was 12 years old.”
Ten years later, Michael was doing something super-illegal. Then an undergraduate at a prominent Canadian university, Michael (not his real name) was the software pirate everyone wanted to catch.
“It was just a very simple file transfer program,” he says. “So at first, I thought, `I’ll compile it [translate it into computer language] and see if I can get new files.’ It took me about 15 minutes.” He left the program running-out of curiosity, he says, just to see if he could. Nothing illegal so far. Only the server wasn’t getting much action, so Michael posted a message at another university-“Hey, anybody out there?”-and included his address. Suddenly, the server was rocking with contacts from as far away as Australia. “It was amazing to watch the connections from all around the world,” he says.
Michael and two of his friends were looking after the server, usually just erasing the files that came in. But when winter exams hit, no one monitored the experiment. Software started to be uploaded and downloaded at an alarming rate. “The server just went crazy,” Michael says. Some of it was shareware; a lot was commercial software, the kind IBM Corp. and Microsoft Corp. prefer you purchase using cash, not cable. The transfer of the commercial software was the illegal part, and it was duly noted.
“The university [administration] noticed the usage, probably because there were something like 600 megs unaccounted for on one file server,” says Michael. “They went through our e-mail. Someone mailed me and I think I mailed something back like, `Don’t tell anyone.”
On the first day of classes after Christmas break, Michael and his accomplices were pulled out of their lectures. “I’m sitting in the dean’s office and there’s the dean, the assistant dean, the head of the computer engineering department,” says Michael. “They start mentioning the RCMP and, all of a sudden, I’m shitting a brick.”
Telling his story in a downtown Toronto cafe, Michael doesn’t fit the stereotype of the hacker: that blinking, stuttering, sensory-deprivation-experiment-come-tolife you’d find in a John Hughes film. Sporting an expensive leather jacket and an extremely polite manner, Michael seems more the young business executive than a basement dweller. And so it’s not surprising to learn that he is a young business executive. Two years after his brush with the law, Michael is a programmer at one of the world’s top computer companies.
“We really didn’t think it was a big deal. I just wanted to see what would happen,” Michael says about his hacking. After many hearings at the university, Michael and one of his friends were punished (if that’s the word) by being denied the right to attend convocation. The father of the other friend hired a lawyer and got his son off without any punishment. All three now work for high-tech companies.
Michael’s story is a perfect illustration of the strange love/hate relationship between hackers and the “legitimate” computer industry that has sprung up as the industry’s technology explodes. If Michael and friends had been in any other sector-say, law students who stole from a law firm-they would never have worked in the field again. But in the computer business, Michael’s experience is acceptable, even laudable.
Hacker culture is a pervasive part of the computer age. Like Michael at 12, most hackers are pretty harmless, wanna-bes or kids who learn to program from BBSs (bulletin-board systems). At the other end of the spectrum are the hard-core superhackers, or “crackers,” who are out to infiltrate and damage computer systems. The most extreme are those who overcome security and pirate software for profit.
While most hackers outside cyberspace are law-abiding, if sulky, citizens, almost all share a common set of values. These roughly constitute a Hacker’s Code: information on the Internet should be free; intellectual property should belong to anyone who understands it; large corporations are to be distrusted; large governments are to be distrusted even more; any attempt to police or secure any parts of cyberspace must be resisted; and, of paramount importance, technical know-how is a virtue to be valued above others, including the virtue of social responsibility. In his book, Hackers: Heroes of the Computer Revolution, Steven Levy offers this illustration of the hacker ethos: “In a perfect hacker world, anyone pissed off enough to open up a control box near a traffic light and take it apart to make it work better should be perfectly welcome to make the attempt.
Those traits may have been harmless, even endearing, in the early days of cyberspace. But as technology becomes a greater part of mainstream culture, hackers begin to present a problem. Aside from the great irony of hackers-those backroom rebels sleeping with the corporate meanies, there is another, more disturbing aspect to the computer industry’s ambivalence toward hackers: the widespread influence of the hacker ethos is undermining the best interests not only of the industry but of the wider, wired community. And, as the digital age makes further inroads into our daily lives, the paradoxical effect of the hacker influence may be to tip network computing in favor of large corporations and against small entrepreneurs and individuals. Is this what hackers really had in mind for the electronic future?
TODAY, THE CHIEF APOLOGIST for the hacker ethos is Wired magazine. Wired, which has made the issue of freedom of information its most important political imperative, lobbied heavily against the US government’s Communications Decency Act, the portion of a recently passed telecommunications reform bill that deals with the Internet. (A court in Philadelphia recently ruled that the Decency Act was unconstitutional. The government is considering an appeal.) Wired has also repeatedly minimized the threat posed by criminal hackers. An excerpt from the April 1994 issue: “The government’s response to `the hacker threat’ remains painfully out of proportion to the actual nature of the computer underground’s supposed transgressions.” Wired has consistently taken a dim view of the more recent efforts to commercialize the Internet: “Entrepreneurs have come out of the closet like roaches after dark.” The magazine’s July 1996 cover story proposes a new bill of rights for children in the digital community.
Other advocates of the information age include Nicholas Negroponte, whose book, Being Digital, forecasts an electronic utopia; John Perry Barlow, a former Grateful Dead lyricist and a cofounder of the Electronic Frontier Foundation; and author and social analyst Sherry Turkle, who is swiftly becoming the hacker movement’s Boswell or, at least, its Helen Gurley Brown, when she writes, “Ten years ago people who were very involved with computers were geeks-it was pejorative. Now we’re coming into a phase of the hacker as hunk.”
The roots of the hacker ethos are honorable ones, growing out of the early days of the Internet. A generation ago, high technology was a frontier known only to a handful of specialists, most of them employed at universities. To operate computers, you needed to understand such things as DOS and UNIX. While most people drifted further and further from understanding high technology in their daily lives (the way VCRs functioned or LANs worked, for example), hackers-the generally male, generally pale people who sat up all night programming their computers-knew exactly how to take things apart, and how to put them back together.
Because of their solitary, late-night habits, hackers weren’t too good at the more conventional practices of societygetting a job, socializing, settling down. So, for the most part, they made their own society with its own rules as the Internet grew. If you wrote a neat software program, you shared it. You didn’t make money off your inventions-that was for crass commercialists such as Steve Jobs. And, if you wanted something, you went out and got it. “It was a very interesting time and place in which to grow up,” Patrick Kroupa, a former hacker, told Wired. “The problem was that a lot of us didn’t grow up.” Levy recounts an incident in his book about a group of hackers at the Massachusetts Institute of Technology who needed a set of diodes: “A few people would wait until dark and find their way into the places where those things were kept. None of the hackers, who were as a rule scrupulously honest in other matters, seemed to equate this with `stealing.’ ”
Indeed, a culture of bravado began to surround the hacker. Nothing illustrates the romantic ideal of the hacker as outlaw better than the case of the famous US superhacker, Kevin Mitnick. Mitnick, whose nickname was “The Condor,” a bird whose grace and power obscure its genus as a vulture, began his career of breaking into computer systems at age 17. In 1981, he was convicted of stealing technical manuals from Pacific Bell-and placed on probation. In 1988 Mitnick was convicted of stealing software from Santa Cruz Operation Inc. and again placed on probation. In 1989 he was convicted of stealing an operating system from Digital Equipment Corp. A proviso in his presentence treatment demonstrated the gap in technoliteracy between Mitnick and those who were his judges: he was allowed no telephone access “whatsoever” for a week before he was sentenced. His final capture, in 1995, at the hands of fellow hacker Tsutomu Shimomura, spawned no fewer than three books.
Canada’s best-known hacker is Adam Shiffman. In 1994 Shiffman, then a 20-year old living in Toronto, was charged with breaking into the computer systems of almost every university and college in Canada and a few in the US. (Shiffman, still awaiting trial, refused through his lawyer to be interviewed.) Shiffman’s story lacks the mythic scale of Mitnick’s: he employed the distinctly unromantic tactic of punching in the same code over and over every day, from 4 p.m. to 4 a.m.
“He would spend an entire night smoking and hacking,” says David Wiseman, network manager in the department of computer science at the University of Western Ontario in London, Ont., who helped to catch Shiffman. “Once you get to that level, you really don’t need much of a motive. You’re high. You don’t know what you’re doing.”
Still, Shiffman was conscious enough to play the cocky hacker to the hilt, even pretending he was part of a hacking gang. “Shiffman sent us an e-mail saying, ‘Ha ha, you’ll never catch us,” says Wiseman. “But he wasn’t very clever. We were watching his keystrokes from our server, waiting for the search warrants while he typed.”
What are the costs of this kind of hacking? There is no evidence that Mitnick directly benefited from his hacking, despite the 20,000 credit-card numbers he had in his possession when he was caught. Likewise, Shiffman didn’t profit from his actions in any tangible way, having never cashed in on the dozens of passwords and account numbers he collected.
For Wiseman, whether or not Shiffman or Mitnick got rich is a moot point.
“No computers burst into flames-that only happens in movies,” he says. “But the number of people involved is incalculable. I was on the [Shiffman] case full-time for a month; there were a couple [people] here on it part-time; in Toronto there were two or three part-time; and systems administrators from 50 or 60 sites were involved for an hour or a week or two. That’s the kind of damage courts have been slow to recognize.”
There are those who argue that hackers like Mitnick and Shiffman fulfill a function, that they ensure companies work twice as hard to plug the holes and so make computers safer from more dangerous hackers. Wiseman is less than generous of this defence. “I think it’s a load of dingo’s kidneys, if I may quote Douglas Adams. There is nothing socially clever about demonstrating again that Chrysler [Corp.] can’t build a lock to save its life.”
Wiseman recently watched a case against a hacker he helped catch wither in the courts for a year. “If someone was borrowing your keys to make copies, would you wait until after the break-in to have your locks changed?” he asks. “The answer is no. But with computers, that’s what we’re supposed to do. The rules that apply to property in the real world just don’t seem to apply to computer property yet.”
Brian Down, a senior systems developer for Border Network Technologies Inc. of Toronto, one of North America’s fastest-growing “firewall” companies (firewalls being the security devices set up to prevent hacker intrusions), agrees.
“Professionally, I think that hackers are a tremendous threat to the well-being of any person or any organization that uses computers and computer networks,” he says. “The risks associated with [hacker] attacks are immeasurable. However, as someone who makes his living developing network security products, I like hackers. They’re good for my business.”
JASON (NOT HIS REAL NAME) works as a graphic designer at a multimedia company. When he started university six years ago, Jason figured he needed a good computer to get ahead. He scraped together $3,500 for his computer, but finding the additional thousands of dollars he would need for the accompanying software was simply not a possibility. So he got what he needed-Adobe Photoshop (worth US$895) and Autodesk 3D Studio (worth $5,000)-through connections at a large firm. “Software companies say, `We have to have these high prices because of the pirating.’ But you just know that they wouldn’t change,” says Jason, seemingly reading from the Hacker’s Code. “They charge these prices because it’s a smaller market and they know they can get away with it:’
According to the Business Software Alliance, the US-the prime design site of new software-lost an estimated US$2.8 billion last year because of domestic and foreign copying of software. The estimated loss to the Canadian software industry in 1994 was more than US$254 million. And the increasing popularity of on-line services is only going to make the problem worse. “It’s already big. But because of the Internet, the whole pirating software ring is going to get huge,” Jason says. “Software companies are definitely going to start losing a lot more money.”
OK, it’s hard to feel sorry for Bill Gates. But it shouldn’t be hard to see the bigger issue of proprietary rights behind those losses. Very real work has gone into the valuable material that is being tossed around the Internet like stolen candy. How much longer will programmers be willing to contribute their intelligence with the knowledge that the fruits of their labor will be distributed under the proposition that on the Internet, “Information needs to be free?”
” `Information needs to be free’ makes a mockery of anyone who sat up all night trying to craft a sentence,” says Don Ingraham, an assistant district attorney based in Oakland, Calif., in charge of that county’s high-tech crimes unit. What’s worse, people might stop staying up all night to craft anything. Intellectual property rights are what guarantee the creator of a sentence-or software-that his or her effort will be rewarded. If the pharmaceutical industry were run the way the hacker apologists think cyberspace should be run, it’s doubtful any company would make the investment to devise Prozac, or even an AIDs test. And we would probably never find a cure for AIDS.
Why shouldn’t the same intellectual property rights that apply to physical sciences exist in cyberspace? Because, reply the hackers, that would stifle innovation. But the technological innovations that led to the computer itself were made with those proprietary guarantees in place. A lot of those innovations took place at the prestigious Palo Alto Research Center in California, funded by Xerox Corp. The centre had been the subject of so many intellectual “raids” that its usefulness as a research tool was, for a time, severely compromised.
When Michael is asked if he now believes it’s wrong to pirate software, he responds slowly: “Well, I program now, so I see how long it takes to develop software. I know all the work that goes into it.” And? “And so, yeah, I don’t approve of pirating.”
YOU DON’T HAVE TO LOOK far into corporate annual reports to see how the hacker ethos has infiltrated high-tech business culture.
Many operating systems and other important software that took years to develop are now routinely available on the Internet for free. Indeed, companies offering new World Wide Web browsers and other Internet innovations deliberately offer them for free-a risky business practice at best-in the hopes that their product will become so widely used they can charge for it when the Internet is no longer a lawless, cashless frontier.
And there are rumors that many companies surreptitiously distribute software through pirates in order to help establish new releases in the marketplace. Rumors that companies give out free software to hackers who would help them find bugs were substantiated this year. Netscape Communications Corp. happily announced on its website that two hackers had figured out how to break their encryptions in 25 seconds. The company then set up a contest called Bugs Bounty, awarding prizes, such as free mugs, polo shirts and even cash, to hackers who found errors in their code. Another company, an Internet security provider called Community ConneXion Inc., runs a similar contest called “Hack Netscape.” Ottawa’s Corel Corp. now pays “beta-testers” to vet all their new releases. (Thanks, guys, the Tshirt is in the mail!)
These companies aren’t just trying to befriend a bunch of pasty-faced nebbishes. Eventually-despite their “hey, how did I get here?” demeanor from companies like Netscape-they want to profit from the World Wide Web. Appealing to the hacker mentality is, on the surface, a sound marketing strategy.
A bigger reason why the prevailing business culture is shot through with the hacker ethos is that hackers are starting to run the industry. The founders of the US$4-billion Cisco Systems Inc., for example, got their start on the campus of Stanford University, using university computers and a sizable chunk of employee office time to midwife a computer networking idea. The two company founders resigned from Stanford’s staff on a Friday and miraculously managed to ship product the following Monday. The university’s legal department was considering filing charges against the founders at the same time the university’s venture-capital group was racing to invest in their idea.
“The thing about hackers is that they’re very subversive until they’re given a lot of money. Then, boom! They’re onside,” says one executive at a Toronto telecommunications firm. “Screwing the system in a different way-for profit” Says Michael: “The hackers who are out there breaking the law, most of them aren’t that great. And the good ones, they get hired.” Michael, whose current employer doesn’t know about his campus pirating days, works next to some colleagues who used their hacking past to get jobs. “They’re honest about it. They say, `Hey, I broke into your system: And the company says, `Why don’t you come work for us?”‘
Even today, Michael breaks into a system now and then. The difference is that now he’s paid to do so. “It helps me do my work faster,” he says with an ironic smile. On days when people want something repaired at their stations, Michael can simply break in, do the fix from his own station and then get out. It’s quicker than seeking permission, and possibly more fun.
THE DREAM THAT COMPUTERS would be democratizing instruments capable of putting real intellectual power into the hands of more people has largely come true. Computers are viewed as everyday tools that allow nontechnical people to conduct business around the world at the speed of light, enlarging their businesses, their scope and, at times, their world view.
The next great step in cyberspace’s evolution is the capability to perform financial transactions over the Internet through on-line business, credit-card transactions and new developments such as e-mail. And the step into financial transactions is one that hackers-with their inborn distrust of large corporations and their obsessive desire to break down all security systems on the Internet-are impeding. Everybody is nervously wondering how hackers such as Michael will find ways to use the system to their advantage. The result won’t be the hacker ideal of an electronic global village with access for all. Gates, the big banks-institutions that have the resources to pour into firewall security systems or are wealthy enough to absorb hacker intrusions-will devise their own solutions.
But smaller companies and individuals who are supposed to benefit from the rise of business on the Internet will find themselves out in the cold, unable to compete.
This may be the final, self-defeating irony of the hacker ethos: that it is entrenching the very kind of corporate monolithism that it claims to despise. It is this irony we are all paying for with a less competitive, less dynamic-and more limited-future.
The Internet’s community has just started a period of self-examination. Academic institutions, where the hacker community began, have spent considerable time examining the consequences of the hacker ethos and, in some cases, have developed codes of behavior for those working with computers. The University of Toronto’s “Appropriate Use of Information Technology” guidelines outline nine “inappropriate” uses of information technology, including unauthorized access, theft of resources and harassment.
But the guidelines are, of course, voluntary. Inspections and investigations depend on the goodwill of those least likely to have any. The profession as a whole depends too much on goodwill. Just as there are no standards of professional conduct or accountability for software programmers, there are no standards for ethical behavior either. Conscientious Internet societies and professional groups are only beginning to debate what standards to set and how those standards could be enforced-almost two generations after the high-tech revolution began.
Hackers can no longer appropriate two personalities: reveling in the position of power they now enjoy and wearing the white hat of society’s adulation, yet whining “poor me” when they are caught abusing their power or behaving like outlaws. This town ain’t big enough for the both of them.
Copyright 1998, CB Media Ltd.