LAURA EVENSON, MICHELLE QUINN, Chronicle Staff Writers
Near a row of pay phones in an Embarcadero Center plaza, the early birds are hovering over white picnic tables wedged between a Mrs. Fields and a wine bar.
Mostly young men, they wear the grunge fashions of plaid shirts, ski caps and baggy pants. They show off cellular phones, hand out copies of pirated software and swap stories about how to add value to a BART card without paying. A few older men sport survivalist wear -- army fatigues and fly-fishing jackets. The men with natty blazers and polished shoes are computer security specialists.
The meeting is so low-profile that there's only way to find it: the back page of "2600: The Hacker's Quarterly," an offbeat newsletter published in Long Island, N.Y. The newsletter posts the numbers and locations of public phones around the country where hackers hold meetings each month. (Any hacker knows better than to make risky calls and computer connections from home.) Today's meeting is at (415) 398-9805 and (415) 398-9806 in 4 Embarcadero Center.
In keeping with the anarchic hacker ethos, the meeting has no agenda. Conversation among the 25 hackers turns to one of their own who made it to the front page of the New York Times: Kevin Mitnick, the reputed "Billy the Kid" of the Internet, arrested in February for skipping out on parole and allegedly stealing 20,000 credit card numbers from network computers.
The arrest of Mitnick, depicted by the media as a renegade on the cyberprairie, has sparked a national debate about what laws rule the wilderness of bits and bytes, hackers say. Was Mitnick simply a curious hacker out to satisfy his intellectual curiosity? Or was the high school dropout a mischievous cracker, a technowhiz out to profit from digital skulduggery? Mitnick's arrest has triggered intense discussions about what constitutes right and wrong in cyberspace, even what is legal or illegal, and who will make the rules.
There's no consensus on any of these issues. But hackers agree on one thing: There's a witchhunt to persecute people like Mitnick who explore computer and phone networks for the challenge and thrill.
"They're going to crucify him," says Tom Farley, an intense man in a Patagonia jacket and jeans who drove up from Carmichael. He publishes a journal on the minutia of telephone systems. "If they had a cross they would nail him to it."
The hoopla surrounding the February 15 arrest of Mitnick, an overweight and bespeckled 31-year- old, is a signal that the stakes have soared on the high-tech frontier as its population explodes. More than 35 million people log on to the Internet, which over the past 26 years has mutated from a creation of the Defense Department to a plaything with mass appeal, as well as a channel for commerce.
Computer break-ins have skyrocketed, from 132 in 1989 to 2,341 last year, said Terry McGillen, a spokesman for the Computer Emergency Response Team (CERT), a group of security experts at Carnegie Mellon University in Pittsburgh. Either more people are hacking into systems, or more are getting caught, or both, McGillen said.
Hackers define themselves as people who can figure out what makes a computer network tick.
"We are the type of people who like taking clocks apart, says Rich Adams, a computer security expert for Chevron dressed in a fly-fishing jacket and hat. He rode BART from San Ramon to join the group. "We don't like reading manuals but figuring it out on our own. We're the people who built the Internet."
As commerce and crime explode on the Internet, veteran hackers fear the public won't tolerate their freewheeling culture. They call Mitnick a "cracker" -- a criminal hacker.
The law doesn't distinguish a hacker from a cracker, said Marc Rotenberg, director of the Electronic Privacy Information Center, a pro-privacy public interest group.
"Trespassing is entering onto someone else's property, and that's what hackers do," he said. But a cracker is different. "Burglary is taking from someone's property, and arson is burning down someone else's property. The problem is that if you treat trespassers like arsonists, you'll probably have fewer intrusions and many more fires." Rotenberg fears that draconian penalties for unauthorized forays into computer networks may discourage some benign hackers while goading others into malicious acts.
Laws governing computer break-ins are murky. For example, federal law makes it illegal for anyone to steal other users' computer passwords. However, prosecutors can pursue only those crackers who have stolen more than 15 passwords or who use a password to commit fraud. The law forgives a pilfered password here or there.
"Just because a hacker illegally obtains one credit card number doesn't mean you charge him with anything unless he starts using it and defrauding you," said David Schindler, an assistant U.S. attorney in Los Angeles who is prosecuting Mitnick.
Mitnick, who on court order has spent time at a Los Angeles treatment center for his "addiction" to computer hacking, isn't the only cracker demonstrating the vulnerabilities of the online world recently. Convicted cracker Kevin Poulsen, 29, will be sentenced April 10 for using his computer expertise and intimate knowledge of telephone operations to seize control of phone lines leading to various Los Angeles area radio stations. He used that knowledge to win two Porsches and $50,000 in cash. Poulsen also pleaded guilty to breaking into a computer to get the names of undercover businesses operated by the FBI.
In May, Poulsen's accomplice Justin Tanner Petersen, 34, will be sentenced for his role in the radio contest scam. Petersen's been around -- he pleaded guilty to tapping a credit card information bureau and illegally transferring $150,000 from a Glendale financial institution to an account held by a co-conspirator at another bank. In between crimes, he worked for the FBI to track down a few hackers.
Why did Mitnick get so much attention, the hackers ask.
Some accuse the press of turning Mitnick's case into a circus and Tsutomu Shimomura, the hacker who tracked down Mitnick, into a hero. A few question the motives of York Times reporter John Markoff, who broke the Mitnick story. They see Markoff and other reporters as carpetbaggers who overdramatize Mitnick's case for the sake of a good yarn and perhaps a few extra bucks in book and movie rights.
Several suggest Markoff set the trap for Mitnick months earlier by writing about mysterious break- ins on the Internet and profiling the straight-talking pursuer, Shimomura. They theorize that the two knew the high-profile coverage would provoke Mitnick to take more risks.
"Some of the incidents looked too convenient," says a hacker named Cliff, a security expert for a Silicon Valley company.
Markoff, who co-wrote the 1991 book "Cyberpunks" that featured Mitnick, denied he had any role in the investigation. Four days before the arrest, he discovered Mitnick had been reading his electronic mail, a fact left out of the original New York Times stories. "I don't think it affected my reporting in anyway," he said. "I didn't sensationalize anything."
Markoff and Shimomura are now negotiating book and movie deals.
The hackers themselves quarrel over Mitnick. Some defend him, saying he simply fed intellectual hunger and never used the credit card numbers he allegedly "borrowed." In fact, they say, the online service Netcom, where Mitnick pilfered the credit card numbers, should thank him for pointing out their high-tech Achilles' heel.
Others are less sure of Mitnick's merits.
Mitnick had a near-pathological addiction to computers and had no use for school, degrees or authority figures, points out Ken Kumasawa, a telecommunications security expert with TeleDesign Management Inc. in Burlingame who attends the hacker meetings to pick up tips on how to keep intruders out of his clients' telephone systems. Kumasawa believes Mitnick profited from his technological expertise. "How do you think he survived on the lam for two years?" said Kumasawa. "How do you think he got his money?"
Speaking for many others, one 16-year-old from Pacific Heights who would not give his name said that Mitnick "was doing stupid things on a large scale."
Regardless of their opinions, hackers are uncomfortable with the attention they're getting in the wake of Mitnick's arrest. They both wallow in the media's limelight and try to deflect its glare. As freely as they chant their mantra that "information wants to be free," the hackers guard their own privacy. Few give out their full, real names. Most use either a first name only or pseudonyms such as Nana Second and Argus. Notoriety is OK; interference is not.
Despite their disdain for the press at large, the hackers are downright friendly to the reporters who attend their meeting, offering seats, cookies and anonymous E-mail accounts. They revel in the chance to show off their talents and rhapsodize about the "free flow of information in cyberspace."
An hour into the hackers meeting, the information begins to flow like beer at a keg party with little concern for legality or ethics -- or whether a cop mingles with the throng. A high-tech show-and-tell begins spontaneously. Some refer to textbooks they've brought along: "Introduction to Computing" and "Cellular Phone Principles and Design." Security experts trade information with young hackers.
"I have a trick for all of you," says Peter Shipley, a pony-tailed security expert from Berkeley dressed in black leather a la Mel Gibson in "The Road Warrior."
With a magician's flourish, he places a cellular phone on the table. "A Motorola 950 standard," he announces. Speaking in the brisk, machine-gun patter typical of hackers, he adds, "I can turn this into a scanner. Just a piece of foil puts it in diagnostic mode."
He punches in a few numbers and passes the phone around. The receiver emits the voice of a woman engaged in a juicy gossip.
But Shipley's trick bores the crowd. Such phone conversations are dull; one hacker yawns.
Asked a few questions about right and wrong, the hackers emit a cacophony of responses.
"We're standing up for what we believe in," says an older man who identifies himself as Argus. "What about the reporters who looked at Tonya Harding's e-mail?" asks another hacker. "Aren't the telephone companies ripping us off?" is a common reply.
"There's a potential for maliciousness," said a 34-year-old wearing a suit under a rain coat and tapping on a laptop computer. "It's cool to share your knowledge. It's a question of being responsible. It's the responsibility of the group to police itself."
Many hackers believe the rules they play by in cyberspace differ from the rules governing the real world. There's a difference between getting a few free phone calls and making money selling phone calls at a public telephone; there's a difference between poking around in someone's computer without disturbing anything and actually copying a file.
Dan Farmer, who developed software to diagnose security holes in computer networks, criticizes the cyberspace culture that has evolved.
"Many of these people believe they should be allowed to roam freely into other peoples' files," said Farmer, reached at his home by phone. "But if you start talking about looking at their own medical histories, love letters or personal correspondence, they get outraged."
Farmer, 32, lost his job at Silicon Graphics recently because he plans to release on the Internet a free program to give hackers and corporations alike a quick view of security weaknesses in a computer network. The company and Farmer had a philosophical disagreement over the ethics of Farmer's freelance program.
"People who spend an enormous amount of time on computers haven't had time to become socially (adjusted) or to mature in a lot of ways, and so their online interactions have become very different from what is acceptable in real life," Farmer said.
Eager to justify their tricks at the meeting are hackers like "Alex," a 15-year-old from Russia fluent in American slang. But Alex tied himself into ethical pretzels to justify his pranks.
Pulling out a Phillips head screw driver, the young man hovers over a small metal box with a few wires that he bought at Radio Shack for $10. The contraption can make a dial tone, he boasts.
"It's not illegal if you do it and you don't use it," he says. "We're not calling Egypt. We make a dozen local calls, not very much . . . I mean we're not doing anything for profit -- that's the difference."
But law enforcement officials don't see it that way. They say it's illegal to make unauthorized free phone calls of any kind, or to break into any computer.
Even supposedly victimless crimes can cause damage, said Scott Charney, chief of the computer crime unit for the criminal division at the U.S. Department of Justice. Charney told how a man recently broke into a Seattle court via a computer at Boeing. Although the hacker was only passing through Boeing's network, the airplane builder had to shell out $75,000 to make sure no damage was done to its computer systems.
"People who browse the system are not as dangerous as people who steal information," Charney said. "But it's really important to understand that that kind of browsing is not victimless."
Attempts to safeguard computer systems by providing some form of encryption -- coding that makes it more difficult for an intruder to break into a computer -- have run into resistance. Last year, the Clinton Administration proposed the so-called Clipper Chip, touted as an encryption standard that offers consumers privacy but lets the FBI and police conduct authorized electronic surveillance. But the gadget makes the civil libertarians and the electronics industry squirm because the government will keep "keys" to the codes.
For now, nationalized encryption is on the back burner. Hackers at the Embarcadero Center meeting boast that they make their own encryption. It's a tough world out there, they say. If they get broken into, it's their fault for poor encryption, not the criminals'.
At the end of the hackers meeting, a few head out to Harry Denton's for post-meeting drinks. Others go home to parents for dinner or to their bedroom computer to try a few new tricks.As they bade each other farewell, an Embarcadero security guard in a brown uniform cleaned up the litter of milk cartons and cigarette butts.
Older hackers point to two things that ended their electronic delinquency. In some cases, it was a friendly telephone call from someone identifying himself as an FBI agent or police officer. For others, it was a technical job, specifically in security, that gave them the intellectual challenge they craved, along with a paycheck.
The younger, smarter hackers may grow into future security experts. At the moment, they dabble in digital delinquency. Instead of breaking windows, they pick electronic locks. And a few real ones.
"Watch out for the security on newspaper boxes," one kid yells to departing reporters.
A GLOSSARY OF HACKERSPEAK
Hacker: Someone fascinated with the workings of technology who takes
pleasure in exploring how to stretch the capabilities of computers
and other programmable systems.
Cracker: A person who commits illegal acts with technology, such as
illicitly entering businesses' computer systems, stealing property or
making free phone calls.
Phone phreak: Someone who enjoys figuring out how the phone system
works in order to make free phone calls. Originally a semirespectable
activity among hackers, who saw it as a form of legitimate
intellectual exploration, phreaking lost its respectability in the
1980s as techniques were disseminated widely.
Social engineering: Calling up a business and pretending to be
someone important in order to get confidential information such as
computer codes or passwords.
Trojan horse: A program that runs undetected on a computer, disguised
as something benign such as a game or a directory list, that secretly
spies on the user. It can also pick up passwords and even damage a
computer system.
Virus: A cracker program that searches out other programs and embeds
itself in them. Once that program is executed, the embedded virus
comes alive to infect other programs in the system. Sometimes the
program may do nothing but propagate itself and allow a system to run
normally. Usually, however, viruses start playing tricks on a
display, writing cute messages and even destroying files. Infected
programs pass the virus to other programs.
Encryption: Encoding data for security purposes by converting it into
secret code.
Sniffing: Similar to a wire tap, a program hidden on a network that
records log-ons and passwords, which then are stored in a secret
file. Within days, this file can divulge hundreds of user names and
their associated passwords.
Spoofing: Gaining access to a different computer system by forging
the Internet address of a trusted machine.
Firewalls: Security barriers that look for the identity of the
computer user before letting the user pass on to a bigger network.
DAY: MONDAY
DATE: 4/2/95
PAGE: 1/Z1
© 4/2/95 , San Francisco Chronicle, All Rights Reserved, All Unauthorized Duplication Prohibited