JC - 100% on your comments. The person who created that virus could have been anyone - it was not particularly sophisticated. He or she may have had no idea that it would take off like it did. And in any event, the people poking at the foundations of our software world do the rest of us a service, even if we are inconvenienced a little.
Bank of America had a guy who hacked into their systems a ways back and actually transferred a bunch of money. When they finally caught up with the guy, they offered him a deal - if he returned the funds, they would drop charges and hire him to head an internal "hacker's team" to try and do the same thing again. He took them up on the deal and as far as I know, he is still working there.
I had a similar experience about 15 years ago. My team contracted to do a control program for a Department of Defense system being built. The Prime (Stone and Webster) had a bunch of crap in their procedures about how tight their security was and how we should all be quaking in our boots if we even THOUGHT about stepping out of line. My two top programmers (neither of whom had a degree or formal computer training) got into a contest (unknown to me) to see if they could cut the system administrators down to size. They hacked into the main development machine and reset priorities on all the Stone and Webster initiated tasks to snail mode. Then they started subtly altering the environment itself. Then they created a phantom shell which captured all the Stone and Webster sessions and put all the content in a log file - including accounts and passwords.
It was about that time that I figured out what they were doing. Initially I was pretty upset - this was the DoD after all - but then decided that if these guys could take control of the system, anyone could. So I just monitored their activity and made sure they didn't do anything which actually damaged the project.
After about a month, the program administrators finally figured out that something was up and called a big pow-wow with the DoD auditors to talk about "the problem". They were ready to point the finger at us - but they had only discovered the initial hacks, not the phantom shell.
With the auditor present, my guys showed that they had gotten control of the administrative accounts, the mail system, and had access to all of the program documentation including material that required a higher level of clearance than we had, and that even after discovering the simple level of tricks that they had initially done, the system administrators did not know that their whole system had been breached.
The upshot was that the DoD auditor recommended that we get an additional contract to continue attempts to break the security, and "advise" Stone and Webster on where their security holes were. |
