The Consequences of .gov/.mil Hacking (Spring, 1997)
----------------------------------------------------

By Chocolate Phoetus

In recent times, the Air Force homepage has been hacked by someone with enough patience to deal with the bloody thing. We've all probably seen the hacked pages now thanks to 2600.com, but how many of you know how the military reacts to such an "attack?" What you're about to read may help you think twice about any ideas you have concerning government sites. I'm not condoning anything, and I'm certainly not telling you how to run your affairs, simply giving you a little advice that's commonly known in the ".mil" and ".gov" community.

The military does not, as a general rule, leave "sensitive" systems containing classified information open to anyone who wants to "dial in." There are many different ways of preventing access, from closed systems with no dialups, to restricting usage to users with ".gov" or ".mil" addresses. You won't, as a matter of course, find classified information on a government computer that is hooked up to the Net. That's not to say that you won't find material you shouldn't, by law, access. There's plenty of information protected by the Privacy Act floating around out there. But, let's face it, that info is pretty boring unless you are into social engineering, and know how to use the information once you get it.

The government world has strange protocols and routines that someone "not in the know" will "tread on" unknowingly. The simple misuse of a bit of jargon or ignorance of an acronym will often raise eyebrows, and get you "looked into." If you are bewildered by that last line, that's a clear indication you don't understand the minds of people who work for these agencies. Beware - your ignorance could get you into trouble.

Mistakes Hackers Make

One of the biggest idiosyncrasies of ".gov" and ".mil" people is the incessant need for immediate damage control.
Example: When the Air Force homepage was hacked, a press release was immediately put out, saying that the incident was being investigated, and that hackers had put "pornography" on the site. Anyone who has seen the 2600 posts of these pages knows that a single moving .gif with a couple having sex was on there. The impression given by the press release was that there were loads of vile images posted to the poor Air Force homepage. The people who wrote the press release would never consider telling the truth about what happened - that someone made them look foolish by cracking a pathetic security system and posting loads of sarcasm towards the Air Force in general. Hackers who put "pornography" on their target sites are actually helping these people put "spin control" on these incidents.

Many hackers are also blissfully unaware that the Air Force (as well as other branches of government) has a special office that is dedicated to research and arresting so-called computer criminals. By putting links to other pages, you could be getting your friends an unwanted phone call by people in blue suits. You may also be leading right back to yourself, if you frequent these sites.

Sadly, many hackers go right for the throat when they "alter" these web sites. It's clear that the page has been hacked, usually discovered by some retired sergeant with nothing better to do than surf the web, and then rat you out. Subtlety is a desired trait. Instead of changing the entire page, why do hackers not make more subtle alterations? The best pranks are the ones where the mark doesn't realize he's being had, at least not right away. Altering only the links, for example, to go to porn sites would be a hell of a lot more shocking to a ".mil" person surfing the Net than logging into the Air Force homepage and seeing that "somebody hacked it."

Many people surf the ".mil" sites at work. They're permitted to do that.
But the people who monitor the networks (and yes, they do) are looking for "unauthorized" or "not for official business" surfing and downloading. Imagine the sick feeling the person surfing on their government computer would feel to link to what they think is some other base's site, only to be taken to "www.bigtits.com." These people live in an atmosphere of fear, and seeing that on the government computer would give them apoplectic fits.

I would never encourage anyone to do something as risky and profitless as to hack or to intrude on a government web site. These systems are run on taxpayer dollars, and that means your dollars. But there are some interesting legal stipulations that affect the people who have hacked these sites:

On the front gate of any military installation, a sign can clearly be read stating that access to the installation is permitted only by the commander's authority, and that trespassing is a Federal Offense. Don't think that those warnings apply only to your trying to walk into the installation. The same rule applies to ".mil" sites as well. Even though there is no sensitive information on these systems, you can still be arrested for espionage for trying to hack a government site. The intent is what they're after. Consider this if you're thinking about "becoming a hacker."

When you "modem in" to a military site, you are also entering into a military phone system, which is monitored. Every telephone in every military base has a sticker saying so. This is no joke, and your modem is not immune. Use of the system implies consent, even if you object later. There is legal precedent for this - challenging it will do you no good in court.

If a military site is hacked, someone will be assigned to look into it, sometimes in conjunction with the FBI. Hacking is taken very seriously by the government, and they do not give up easily.

I hope this has helped someone rethink hacking a ".gov" or ".mil" site.