Hackers A-Z
By KhaTu
Last updated: Monday, March 2, 2009

To be presented at the 13th National Computer Security Conference,
Washington, D.C., Oct. 1-4, 1990.

Concerning Hackers Who Break into Computer Systems

Dorothy E. Denning
Digital Equipment Corp., Systems Research Center
130 Lytton Ave., Palo Alto, CA 94301
415-853-2252, denning@src.dec.com

Abstract

A diffuse group of people often called “hackers” has been
characterized as unethical, irresponsible, and a serious danger to
society for actions related to breaking into computer systems.  This
paper attempts to construct a picture of hackers, their concerns,
and the discourse in which hacking takes place.  My initial findings
suggest that hackers are learners and explorers who want to help
rather than cause damage, and who often have very high standards
of behavior.  My findings also suggest that the discourse surrounding
hacking belongs at the very least to the gray areas between larger
conflicts that we are experiencing at every level of society and
business in an information age where many are not computer literate.
These conflicts are between the idea that information cannot be owned
and the idea that it can, and between law enforcement and the First
and Fourth Amendments.  Hackers have raised serious issues about
values and practices in an information society.  Based on my findings,
I recommend that we work closely with hackers, and suggest several
actions that might be taken.

1.  Introduction

The world is crisscrossed with many different networks that are used
to deliver essential services and basic necessities — electric power,
water, fuel, food, goods, to name a few.  These networks are all
publicly accessible and hence vulnerable to attacks, and yet virtually
no attacks or disruptions actually occur.

The world of computer networking seems to be an anomaly in the
firmament of networks.  Stories about attacks, break-ins, disruptions,
theft of information, modification of files, and the like appear
frequently in the newspapers.  A diffuse group called “hackers”
is often the target of scorn and blame for these actions.  Why are
computer networks any different from other vulnerable public networks?
Is the difference the result of growing pains in a young field?
Or is it the reflection of deeper tensions in our emerging information
society?

There are no easy or immediate answers to these questions.  Yet it
is important to our future in a networked, information-dependent
world that we come to grips with them.  I am deeply interested in
them.  This paper is my report of what I have discovered in the early
stages of what promises to be a longer investigation.  I have
concentrated my attention in these early stages on the hackers
themselves.  Who are they?  What do they say?  What motivates them?
What are their values?  What do they have to say about public policies
regarding information and computers?  What do they have to say about
computer security?

From such a profile I expect to be able to construct a picture of
the discourses in which hacking takes place.  By a discourse I mean
the invisible background of assumptions that transcends individuals
and governs our ways of thinking, speaking, and acting.  My initial
findings lead me to conclude that this discourse belongs at the very
least to the gray areas between larger conflicts that we are
experiencing at every level of society and business, the conflict
between the idea that information cannot be owned and the idea that
it can, and the conflict between law enforcement and the First and
Fourth Amendments.

But, enough of the philosophy.  On with the story!

2.  Opening Moves

In late fall of 1989, Frank Drake (not his real name), Editor of
the now defunct cyberpunk magazine W.O.R.M., invited me to be
interviewed for the magazine.  In accepting the invitation, I hoped
that something I might say would discourage hackers from breaking
into systems.  I was also curious about the hacker culture.  This
seemed like a good opportunity to learn about it.

The interview was conducted electronically.  I quickly discovered
that I had much more to learn from Drake’s questions than to teach.
For example, he asked: “Is providing computer security for large
databases that collect information on us a real service?  How do
you balance the individual’s privacy vs. the corporations?”  This
question surprised me.  Nothing that I had read about hackers ever
suggested that they might care about privacy.  He also asked: “What
has [the DES] taught us about what the government’s (especially NSA’s)
role in cryptography should be?”  Again, I was surprised to discover
a concern for the role of the government in computer security.  I
did not know at the time that I would later discover considerable
overlap in the issues discussed by hackers and those of other computer
professionals.

I met with Drake to discuss his questions and views.  After our
meeting, we continued our dialog electronically with me interviewing
him.  This gave me the opportunity to explore his views in greater
depth.  Both interviews appear in “Computers Under Attack,”
edited by Peter Denning [DenningP90].

My dialog with Drake increased my curiosity about hackers.  I read
articles and books by or about hackers.  In addition, I had discussions
with nine hackers whom I will not mention by name.  Their ages ranged
from 17 to 28.

The word “hacker” has taken on many different meanings ranging
from 1) “a person who enjoys learning the details of computer systems
and how to stretch their capabilities” to 2) “a malicious or
inquisitive meddler who tries to discover information by poking around
… possibly by deceptive or illegal means …” [Steele83].  The
hackers described in this paper satisfy both of these definitions,
although all of the hackers I spoke with said they did not engage
in or approve of malicious acts that damage systems or files.  Thus,
this paper is not about malicious hackers.  Indeed, my research so
far suggests that there are very few malicious hackers.   Neither
is this paper about career criminals who, for example, defraud
businesses, or about people who use stolen credit cards to purchase
goods.  The characteristics of many of the hackers I am writing about
are summed up in the words of one of the hackers: “A hacker is someone
that experiments with systems… [Hacking] is playing with systems
and making them do what they were never intended to do.  Breaking
in and making free calls is just a small part of that.  Hacking is
also about freedom of speech and free access to information — being
able to find out anything.  There is also the David and Goliath side
of it, the underdog vs. the system, and the ethic of being a folk
hero, albeit a minor one.”

Richard Stallman, founder of the Free Software Foundation who calls
himself a hacker according to the first sense of the word above,
recommends calling security-breaking hackers “crackers”
[Stallman84].  While this description may be more accurate, I shall
use the term “hacker” since the people I am writing about call
themselves hackers and all are interested in learning about computer
and communication systems.  However, there are many people like
Stallman who call themselves hackers and do not engage in illegal
or deceptive practices; this paper is also not about those hackers.

In what follows I will report on what I have learned about hackers
from hackers.  I will organize the discussion around the principal
domains of concerns I observed.  I recommend Meyer’s thesis [Meyer89]
for a more detailed treatment of the hackers’ social culture and
networks, and Meyer and Thomas [MeyerThomas90] for an interesting
interpretation of the computer underground as a postmodernist rejection
of conventional culture that substitutes “rational technological
control of the present for an anarchic and playful future.”

I do not pretend to know all the concerns that hackers have, nor
do I claim to have conducted a scientific study.  Rather, I hope
that my own informal study motivates others to explore the area
further.  It is essential that we as computer security professionals
take into account hackers’ concerns in the design of our policies,
procedures, laws regulating computer and information access, and
educational programs.  Although I speak about security-breaking hackers
as a group, their competencies, actions, and views are not all the
same.  Thus, it is equally important that our policies and programs
take into account individual differences.

In focusing on what hackers say and do, I do not mean for a moment
to set aside the concerns of the owners and users of systems that
hackers break into, the concerns of law enforcement personnel, or
our own concerns as computer security professionals.  But I do
recommend that we work closely with hackers as well as these other
groups to design new approaches and programs for addressing the
concerns of all.   Like ham radio operators, hackers exist, and it
is in our best interest that we learn to communicate and work with
them rather than against them.

I will suggest some actions that we might consider taking, and I
invite others to reflect on these and suggest their own.  Many of
these suggestions are from the hackers themselves; others came from
the recommendations of the ACM Panel on Hacking [Lee86] and from
colleagues.

I grouped the hackers’ concerns into five categories: access to
computers and information for learning; thrill, excitement and
challenge; ethics and avoiding damage; public image and treatment;
and privacy and First Amendment rights.  These are discussed in
the next five subsections.  I have made an effort to present my
findings as uncritical observations.  The reader should not infer
that I either approve or disapprove of actions hackers take.

3.  Access to Computers and Information for Learning

Although Levy’s book “Hackers” [Levy84] is not about today’s
security-breaking hackers, it articulates and interprets a “hacker
ethic” that is shared by many of these hackers.  The ethic includes
two key principles that were formulated in the early days of the
AI Lab at MIT: “Access to computers — and anything which might
teach you something about the way the world works — should be
unlimited and total,” and “All information should be free.”  In
the context in which these principles were formulated, the computers
of interest were research machines and the information was software
and systems information.

Since Stallman is a leading advocate of open systems and freedom
of information, especially software, I asked him what he means by
this.  He said: “I believe that all generally useful information
should be free. By ‘free’ I am not referring to price, but rather
to the freedom to copy the information and to adapt it to one’s own
uses.”  By “generally useful” he does not include confidential
information about individuals or credit card information, for example.
He further writes: “When information is generally useful,
redistributing it makes humanity wealthier no matter who is
distributing and no matter who is receiving.”  Stallman has argued
strongly against user interface copyright, claiming that it does
not serve the users or promote the evolutionary process [Stallman90].

I asked hackers whether all systems should be accessible and all
information should be free.  They said that it is OK if some systems
are closed and some information, mainly confidential information
about individuals, is not accessible.  They make a distinction between
information about security technology, e.g., the DES, and confidential
information protected by that technology, arguing that it is the
former that should be accessible.   They said that information hoarding
is inefficient and slows down evolution of technology.  They also
said that more systems should be open so that idle resources are
not wasted.  One hacker said that the high costs of communication
hurt the growth of the information economy.

These views of information sharing seem to go back at least as far
as the 17th and 18th Centuries.  Samuelson [Samuelson89] notes that
“The drafters of the Constitution, educated in the Enlightenment
tradition, shared that era’s legacy of faith in the enabling powers
of knowledge for society as well as the individual.”  She writes
that our current copyright laws, which protect the expression of
information, but not the information itself, are based on the belief
that unfettered and widespread dissemination of information promotes
technological progress. (Similarly for patent laws which protect
devices and processes, not the information about them.)  She cites
two recent court cases where courts reversed the historical trend
and treated information as ownable property.  She raises questions
about whether in entering the Information Age where information is
the source of greatest wealth, we have outgrown the Enlightenment
tradition and are coming to treat information as property.

In a society where knowledge is said to be power, Drake expressed
particular concern about what he sees as a growing information gap
between the rich and poor.  He would like to see information that
is not about individuals be made public, although it could still
be owned.  He likes to think that companies would actually find it
to their advantage to share information.  He noted how IBM’s disclosure
of the PC allowed developers to make more products for the computers,
and how Adobe’s disclosure of their fonts helped them compete against
the Apple-Microsoft deal.  He recognizes that in our current political
framework, it is difficult to make all information public, because
complicated structures have been built on top of an assumption that
certain information will be kept secret.  He cites our defense policy,
which is founded on secrecy for military information, as an example.

Hackers say they want access to information and computing and network
resources in order to learn.  Both Levy [Levy84] and Landreth
[Landreth89] note that hackers have an intense, compelling interest
in computers and learning, and many go into computers as a profession.
Some hackers break into systems in order to learn more about how
the systems work.  Landreth says these hackers want to remain
undiscovered so that they can stay on the system as long as possible.
Some of them devote most of their time to learning how to break the
locks and other security mechanisms on systems; their background
in systems and programming varies considerably.  One hacker wrote
“A hacker sees a security hole and takes advantage of it because
it is there, not to destroy information or steal.  I think our
activities would be analogous to someone discovering methods of
acquiring information in a library and becoming excited and perhaps
engrossed.”

We should not underestimate the effectiveness of the networks in
which hackers learn their craft.  They do research, learn about
systems, work in groups, write, and teach others.  One hacker said
that he belongs to a study group with the mission of churning out
files of information and learning as much as possible.  Within the
group, people specialize, collaborate on research projects, share
information and news, write articles, and teach others about their
areas of specialization.  Hackers have set up a private system of
education that engages them, teaches them to think, and allows them
to apply their knowledge in purposeful, if not always legal,
activity.   Ironically, many of our nation’s classrooms have been
criticized for providing a poor learning environment that seems to
emphasize memorization rather than thinking and reasoning.  One hacker
reported that through volunteer work with a local high school, he
was trying to get students turned on to learning.

Many hackers say that the legitimate computer access they have through
their home and school computers does not meet their needs.  One student
told me that his high school did not offer anything beyond elementary
courses in BASIC and PASCAL, and that he was bored by these.  Hans
Huebner, a hacker in Germany who goes by the name Pengo, wrote in
a note to the RISKS Forum [Huebner89]: “I was just interested in
computers, not in the data which has been kept on their disks. As
I was going to school at that time, I didn’t even have the money
to buy [my] own computer.  Since CP/M (which was the most sophisticated
OS I could use on machines which I had legal access to) didn’t turn
me on anymore, I enjoyed the lax security of the systems I had access
to by using X.25 networks.  You might point out that I should have
been patient and wait[ed] until I could go to the university and
use their machines.  Some of you might understand that waiting was
just not the thing I was keen on in those days.”

Brian Harvey, in his position paper [Harvey86] for the ACM Panel on
Hacking, claims that the computer medium available to students, e.g.,
BASIC and floppy disks, is inadequate for challenging intellectual
work.  His recommendation is that students be given access to real
computing power, and that they be taught how to use that power
responsibly.  He describes a program he created at a public high school
in Massachusetts during the period 1979-1982.  They installed a
PDP-11/70 and let students and teachers carry out the administration
of the system.  Harvey assessed that putting the burden of dealing
with the problems of malicious users on the students themselves was
a powerful educational force.  He also noted that the students who
had the skill and interest to be password hackers were discouraged
from this activity because they also wanted to keep the trust of
their colleagues in order that they could acquire “superuser” status
on the system.

Harvey also makes an interesting analogy between teaching computing
and teaching karate.  In karate instruction, students are introduced
to the real, adult community.  They are given access to a powerful,
deadly weapon, and at the same time are taught discipline and to
not abuse the art.  Harvey speculates that the reason that students
do not misuse their power is that they know they are being trusted
with something important, and they want to live up to that trust.
Harvey applied this principle when he set up the school system.

The ACM panel endorsed Harvey’s recommendation, proposing a
three-tiered computing environment with local, district-wide, and
nation-wide networks.  They recommended that computer professionals
participate in this effort as mentors and role models.   They also
recommended that outside of schools, government and industry be
encouraged to establish regional computing centers using donated
or re-cycled equipment; that students be apprenticed to local companies
either part-time on a continuing basis or on a periodic basis; and,
following a suggestion from Felsenstein [Felsenstein86] for a
“Hacker’s League,” that a league analogous to the Amateur Radio
Relay League be established to make contributed resources available
for educational purposes.
