HACKERS ARE INDEED ENEMIES:

A rebuttal of Chris Goggans' 1992 Viewpoint

by M. E. Kabay, PhD, CISSP-ISSMPAssoc. Prof. Information Assurance
School of Business and Management
Norwich University, Northfield, VT

Written in 1992 and submitted to ComputerWorld

Copyright 1992, 2004 by M. E. Kabay. All rights reserved.

In his Viewpoint (Computerworld, 8 June 92) entitled, "Hackers aren't the real enemy," Chris Goggans offers a misleading and dangerous misrepresentation of what hackers (or, more precisely, crackers) do to computer systems and networks.

We should all beware of any statement that uses words like "real"; e.g., "the real reason," or "the true cause." The writer is likely to be redefining the problem to suit himself. Goggans tries, and fails, to disguise a pernicious defense of illegality as a call to arms for better information security.

No one argues that crackers are the main problem. It is a commonplace that about 4/5 or 5/6 of all damage to information systems is due to human error and malfeasance by authorized users. No one knows for sure, since we base our estimates only on those cases that are discovered and reported.

Goggans admits to having broken into private systems and "looked behind doors that were marked 'employees only' but ... [he]... never disrupted the operation of business." Rubbish.

Crackers cause more trouble and anxiety than Goggans admits. Each penetration that is discovered causes operational disruption. It is true that not all breakins are followed by theft of or damage to data. However, since no one can know without examination whether a cracker has modified data, production may have to halt until data integrity is verified. In large installations, where data may be measured in terabytes, such verification may take hours to days. During this time, personnel who should be concerned with their normal business have to act as detectives and auditors. Production personnel may be unable to access their data, or may have to resort to manual methods. Until the cracker is identified as an outsider, employees may be or feel themselves to be under suspicion, worsening personnel relations and further decreasing productivity.

Admitting that "the actions of some hackers are illegal," Goggans incorrectly states that "they are hardly criminal in nature." In most jurisdictions, unauthorized access to computer systems is a felony, punishable by fines and imprisonment. Goggans writes that "Voyeurism is a far cry from rape." This tasteless and sexist observation is irrelevant. Mentioning one crime does not mitigate the seriousness of another crime.

Goggans claim that he and others turned to cracking because he was deprived of the opportunity to learn about operating system internals. He writes of "the need to break a law to learn." Nonsense.

No one has to break the law to learn about computers. There are free books at local and academic libraries; there are local, regional and national computer user groups; one may even be able, as Goggans himself admits, to be "given access by merely talking to administrators." Goggans admits that he and his friends read restricted files. However, there is no link between reading a confidential database and learning about computers. On the contrary, reading private information is not a trivial crime. Crackers are known to traffic in personal information of all kinds, including credit card and telephone access card numbers. The temptation to earn "rep" (reputation) among their peers must be overwhelming to youngsters with few other sources of self-esteem.

Goggans' platitudes about improving security do not compensate for his cracker apologetics. Crackers no more contribute to awareness of the need for improved security than ruffians contribute to public safety. People who break the law and invade our privacy have no business lecturing us on how shockingly bad our security systems are. Virus authors spout similar nonsense when they defend their creations as contributions to improved computer security. Goggans and other apologists are contributing to a romanticized vision of cracking that misleads other youngsters into thinking that crime is a game and that the criminals are admirable.

Children and adolescents must understand the consequences of cracking, including damaging one's own reputation in the adult world. Goggans is described as an unemployed 23-year old who wants a job with someone who won't make him cut his hair. It will be even harder finding an employer who will trust him to work with computer systems. Goggans' defence of invasion of privacy will make him even less attractive to security-conscious employers than if he were apologetic about his cracking.