Trying to keep computer buffs from peeking into a firm's high-tech files
Menlo Park, Calif.
Geoffrey Goodfellow leans over his computer keyboard and taps a few keys. The text of news articles begins cascading across the screen, detailing the recent computer raids that have reaped banner headlines in the nation's papers.
He's been avidly following reports on how a group of computer operators in Milwaukee allegedly gained unsanctioned entry into a newly installed computer system at the Los Alamos Scientific Laboratory in New Mexico and one at the Memorial Sloan-Kettering Cancer Center in Manhattan. The Federal Bureau of Investigation is looking into the case.
Mr. Goodfellow has more than a passing interest in such news. He is a full-time consultant to SRI International, a think tank, and his responsibilities include security for SRI's data-processing system. But he also freely acknowledges that when in high school, he gained unauthorized access to a number of computer systems.
He agrees, if reluctantly, with SRI colleague Donn B. Parker, an internationally recognized authority on computer crime and abuse, when he says, ''This kind of raiding is socially unacceptable.''
Mr. Parker nods emphatically and continues: ''My major concern is not the danger that arises from the raiding itself, but the potential damage that raiders like this may do in their future careers. These kids are learning a value system that is antisocial. These are the same individuals who, in the future, will rise into high trust positions running computer systems. In these positions they can do some very severe damage.''
Although there are no credible estimates of the amount of computer raiding going on, Parker says there are indications that it's becoming an epidemic: Every school that teaches computer science has been subject to repeated raids; and every major city in the United States has as many as half a dozen pirate bulletin boards - computer networks that exchange information on raiding techniques, system access codes, and passwords.
While raiding may clearly be antisocial, its legal status is gray at best. Twenty-one states now have computer-crime laws, but a number don't cover this particular problem, Parker reports.
The federal government has some 40 statutes that could be applied to raiding but is hindered by limitations on its ability to prosecute juveniles. As a result, the FBI, whose own computers have been prime targets, has been extremely frustrated. Thus, the fact that there are some adults involved in the Milwaukee case makes it particularly interesting to federal authorities, Parker explains.
''Maybe the 414 case will serve as a catalyst for passage of a federal computer-crime law,'' Parker adds hopefully, referring to the Milwaukee computer group that calls itself the ''414s'' - the group the FBI claims was behind the electronic break-ins.
The most important thing is to make sure that teen-age computer enthusiasts understand that what they are doing is wrong, Parker emphasizes. They must be educated out of their unwritten rule that they can do anything they want as long as they don't do any harm, he says.
''Every hacker I've ever met, except a few who weren't completely wound, knows exactly what he is doing. The risk of being caught is part of the thrill, '' Goodfellow says. He defines a hacker as ''one who programs computers enthusiastically for the sheer fun of it and gets a nonprofessional amount of enjoyment (out) of them. . . .''
Hackers form a meritocracy, he claims, where ability is what counts. They tend to be loners whose talent is misdirected. In a perverse way they actually want to be caught so that their skill can be properly appreciated, he says.
Goodfellow lays a share of the blame for these problems at the doorstep of the managers of computer systems. ''It's unfortunate, but many systems are run like totalitarian states,'' he charges. This attitude fosters resentment and a desire to challenge authority represented in the raiding incidents.
The best way to handle raiders is to get to know them, to express interest and appreciation of their skills, Goodfellow says. He says he did this with a group raiding SRI's computers and they stopped. The worst thing a system operator can do is start trying to freeze hackers out once they have gained access. They take this as a challenge and escalate their responses. Thus, a programming ''war'' can be touched off that can do considerable damage to the system.
Goodfellow points to his own case. Operators of a computer time-sharing company gave him a free account and then forgot about him. When they rediscovered his presence because of his hacking, they offered him a job. As a result of what he learned, he was later able to get a guest account on the SRI computers in return for doing odd programming jobs. This led to a part-time programming job and, ultimately, to his present position.
''I'm not too hot on the idea of prosecuting hackers,'' Goodfellow says.
But Dr. Parker disagrees. To Parker, raiding a computer is like sneaking into someone's office while he is out, looking through his papers, snooping through his desk. It is a modern form of trespass and should be treated as such.
''Computer technology has become so important, and plays such a major role in the business of government - serving the people - that we have to impose a significant amount of discipline, even if this requires management controls which sound a bit Orwellian,'' Parker asserts.
A point both agree completely on is that many system operators, through laxity or naivete, have put unnecessary temptation in the way of the hackers. An example is the Sloan-Kettering computer. Management there had not changed the standard password - which gives an operator access to a system - that came with the computer.