The Risks of WarDialing

by Dr. Delam

<RING> <RING>
Hello?
"Yes, you just called my house."
No I didn't, my computer did, it's wardialing...  Don't call me again!
<CLICK>

As the *67 and *69 battle continues, hackers have arrived at creative solutions to annoying callbacks, such as placing an outgoing telco error message on their answering machines.  Though this is effective in general, there have been some bizarre incidents.

A hacker had been wardialing with ToneLoc and soon found himself confronted by two very forceful police who were hot on the trail with "trap-n-trace."  He had been told his number was on a GTE printout and that he had called not only the same person multiple times, but that he had called other numbers that were being watched.  He knew this was a fabrication and stated that he may have dialed the wrong number with his computer, but only once.  The one cop remarked that he knew how a computer works and said that the party who was called heard nothing and if a computer had called, the person would have heard a tone.  (The cop is as bright as an unplugged dumb terminal.)

In checking the laws concerning the scanning of telephone prefixes with GTE security in Tampa, a representative stated he knows of no law prohibiting scanning and that it is something that occurs all the time.  Some local lawyers have rumored otherwise.  It has been stated that merely connecting with a modem can be construed as breaking the law.

Florida Statute 815.03 of the "Florida Computer Crimes Act" defines "access" in this way: "To approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer system, or computer network."

Simply connecting with a modem can thus be considered "access."  A modem is definitely a computer resource; and in connecting with a modem, you are not only approaching, but instructing and communicating with a computer resource.

Statute 815.06, "Offenses Against Computer Users," states: "Whoever willfully, knowingly, and without authorization accesses or causes to be accessed any computer, computer system, or computer network; or whoever willfully, knowingly, and without authorization denies or causes the denial of computer system services to an authorized user of such computer system services, which, in whole or part, is owned by, under contract to, or operated for, on behalf of, or in conjunction with another commits an offense against computer users... an offense against computer users is a felony of the third degree..."

Lawyers have interpreted this as meaning every time you simply make a modem connection to a machine for which you do not have authorization, you are breaking the law.  Imagine the implications of one night's scanning with ToneLoc or any other software capable of finding and connecting to all modems in a particular telephone prefix.  One could easily be charged with 50 felonies; yet, this is what is currently being stated as law.  It is true that you knowingly and willingly connect to the machines, however, the question remains: "Have those who administer authorization given you authorization?"

Although administrators may argue that connecting with their computer may occur without "authorization," it cannot be denied that their computer, computer system, or computer network is in the public arena.  A choice was made to make the computer available for "access" through public telephone lines, or through a public network.  These public telephone lines and public networks are a means of communication for which the public has "authorization" and legitimate access.  For anyone to place their computer, computer system, or computer network in connection with a public service, such as the telephone system, there exist certain inherent risks for which the owner or administrator should be rightly responsible.

It is clear stupidity for anyone to place a computer, computer system, or computer network in connection with any publicly accessible system or network without having first instituted appropriate security and continuing to keep abreast of the ever changing issues in computer security.

Most everyone who has ever scanned a telephone prefix has found totally open systems, systems with working defaults, and a vast majority of systems that have no warning sign even close to "private system, keep out" much less a posted definition of what "authorized access" is.  If you encounter a system for which a default account lets you in, your knowledge of system defaults is analogous to the knowledge of how a doorknob works... it is simply a commonly known way of getting in.  You have successfully gained "access" to a system which has not stated what "authorized" access is, and through the inherent nature of its presence on a public "access" system, for which you are "authorized," you can easily argue that you have legitimate access to the system.

Furthermore, within the terse constructions of computer commands lie many powerful abilities for which the user may not be totally aware of the consequences.  A simple keystroke can easily format a hard drive, and the user may have no knowledge of what he or she has done; yet, one can argue that he or she was "authorized" to perform the fateful instruction(s).

As frightening as these facts may be, as a society we must mature and learn to accept new truths.  Hackers have an innate ability to adjust to the new rules and new environments that their curiosities have brought them to face.  Just as with all other explorers, it is a moral obligation for hackers to not only present their findings, but to present the findings contextually to avoid misinterpretations.  Sometimes discoveries are of such a nature that they can only be understood by placing people in direct contact with them; and even then it may take a while before the neophytes grasp the concepts in such a way that they will rightfully respect them.  Hackers not only respect and understand computers and their power, but have seen gross misuse of computing power by corporations and the governments.

There have been, and continue to be, blatant vagrancies of inalienable human rights and exploitations of the individual.  All of these are done in corporate and governmental motions for which no readily apparent traces exist in the material world.  The public is blinded in computer illiteracy and stifled by the media's insidious portrayal of hackers.  Hackers have much to say but are rarely heard with open ears.  Teddy Roosevelt's philosophy was "Speak softly and carry a big stick."  Fortunately, in "cyberspace" there are no sticks.

The time has come to adopt the hacker philosophy: speak loudly...  Communication is everything.