Pastimes : Computer Learning

To: mr.mark, who started this subject
From: mr.mark
Date: 4/11/2001 1:52:26 PM
 
"You'd be surprised how many modems are still out there to
dial into. How many companies depend on their partners' security to
provide them with security. For instance, you can link through four
Department of Defense contractors straight to the Pentagon right
now. It shouldn't be that way, but it is."


"Three Minutes With Hacker 'Fosdick'

A 17-year veteran of the hacking world talks about
ethics, the dangers of hacking, and the security of
government information.

Kim Zetter, PCWorld.com
Thursday, April 05, 2001

Fosdick, who goes by various names online, is a 27-year-old hacker
who works as a programming engineer. He began hacking at age 10
after his father, a prominent judicial official in the East Coast city
where he grew up, bought him his first computer. Within five months
of receiving it, Fosdick hacked into a bank. From there he progressed
to phone companies, utilities, and government systems. Most of the
time, he says, he just looks at data, but he has occasionally altered
it. He usually downloads whatever files interest him, then sifts
through the info while sipping coffee at Starbucks. We spoke to him
via IRC about his activities. We are withholding his real name at his
request.

PCW: When you hacked into the bank at age 10, what did you do?

Fosdick: I mostly looked around at FedEx transfers, wire transfers,
bank account information. I didn't want to screw anything up. The
thought, of course, entered my mind to change data, but I couldn't
have if I wanted to back then--it was an operating system I wasn't
familiar with ... just a jumble of impressive-looking numbers.

PCW: Why did you pick the bank?

Fosdick: It was down the street from me.

PCW: Describe your progression into hacking.

Fosdick: I mostly played around with whatever I could find. I just
picked numbers out of thin air and tried them [dialing random phone
numbers through a modem in hopes they were connected to a
computer]. When I was 12, I went for the summer to a program for
gifted kids at a university in Missouri. There wasn't a lot of
supervision there, and there was a "dungeon" full of computers I
could use when I wanted, provided I felt like sneaking downstairs.
And I did.

That summer I started getting much more hard core ... and I dialed
my first BBS [bulletin board service--the precursor to Usenet groups,
where hackers would share tips about exploiting systems]. At that
point I started being less cautious. I got maybe 3 hours of sleep a
night for three years of high school.

PCW: Did your father know what you were doing all this time?

Fosdick: Not until years later. One night he had had it with me
sneaking down in the middle of the night and using the phone line;
he put two and two together, found my hidden files, printed them
out, and yelled at me.

PCW: Have you ever done a denial-of-service attack?

Fosdick: Yes. In 1994 and 1995 I wrote some code that would do it.
It was just for amusement, to protest AOL. Their mail servers were
having lots of problems for a while [as a result]. But it was just a
game. I never took [AOL] down, out of respect. Someone could get
fired, and in general I don't like hurting people.

PCW: Would you consider yourself a black hat or a white hat
hacker?

Fosdick: What I do is certainly criminal ... [such as hacking into]
government computers. But I don't "destroy" systems I am on. For
the most part I just look around.

Of course, I've inserted and removed data where I had no business
doing so. I've played practical jokes here and there, forged e-mail,
changed features on phone lines, manipulated databases, that sort
of thing. I've had the opportunity on several occasions to make out
stocks-wise, but I haven't [done that].

PCW: How much time do you spend hacking?

Fosdick: Anywhere from 20 hours a week to nonstop for three to
four days at a stretch, with maybe a few hours sleep here and
there. But those latter times are getting rare. I'm getting old.

PCW: Is there such a thing as a hacker's ethic?

Fosdick: Hackers all have what they believe to be ethics. I'm using
ethics in a Nietzschean sense. In general, if you're doing what you
believe in, then you're ethical, to yourself. But everybody's ethics
differ. So I guess by that definition, even crackers have ethics.

PCW: Are hackers dangerous?

Fosdick: I think ignorance is the real danger. What's dangerous are
hackers who are out there doing this stuff because it's cool but don't
have the knowledge to give it respect.

PCW: But you've said that the really dangerous hackers are not the
ones making headlines. Who is dangerous then?

Fosdick: It's dangerous that corporate America thinks that the
hackers making noise are the danger. [Because] while [these
hackers are] getting attention, anybody who really wanted to could
just ...

PCW: Do what?

Fosdick: You'd be surprised how many modems are still out there to
dial into. How many companies depend on their partners' security to
provide them with security. For instance, you can link through four
Department of Defense contractors straight to the Pentagon right
now. It shouldn't be that way, but it is.

PCW: You mean that while the government is busy securing itself,
it's forgotten about securing the companies it does business with?

Fosdick: They haven't forgotten. I've worked at a Department of
Defense contractor ... [they have] firewall after firewall, machines
kept in locked rooms with TEMPEST-proof walls.

The DoD contractors try [to maintain security], but there's always a
need to exchange data with other companies. Say you're Lockheed
Martin. You're working on one part of an airplane, and another
company is working on the radio, and another the flight control
software. All these huge CAD files have to be exchanged so that
everything will work together. That cannot be done by e-mail. So
you need a dial-up or an FTP.... It's nobody's fault, really. It's just
the way business works. Security is not compatible with business.

PCW: The government says that classified information is not on
computers that are connected to the Net.

Fosdick: It's usually not. But you'd be surprised how many modems
are still available to dial into. [A modem] might be connected to a
computer that's connected to a computer that's connected to a
computer that has the single point of entrance into some
"forbidden" network.

PCW: Last fall, hackers broke into Microsoft's corporate network and
accessed source code for the latest versions of Windows and Office.
Do you think it will be possible in the future for hackers to place
malicious code, such as a Trojan horse, in a company like Microsoft's
source code?

Fosdick: Microsoft is a big target, but it's less likely to be Trojaned
than, say, Napster, or any of a dozen popular Net plug-ins like
Winamp or mIRC. Big companies tend to have more sophisticated
processes and better source-code control. Hacks there are more
likely to get noticed. But small companies tend to be more careless.

PCW: But isn't Napster so popular that few hackers would want to
harm the program?

Fosdick: Which is why it would be the perfect target. Between
mIRC, Napster, Eudora, and Winamp, you probably have about 85
percent of the Windows computers on the Net.

PCW: Will we see this kind of hack soon?

Fosdick: That requires skills most hackers don't have. And those
programs aren't free source, so if it happens you'll probably never
even hear about it.

Kim Zetter is a senior associate editor covering computer security for PCWorld.com."

pcworld.com