From: InfoSec News (isnC4I.ORG)
Date: Thu Apr 05 2001 - 19:52:57 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.pcworld.com/news/article/0,aid,44687,00.asp

Kim Zetter, PCWorld.com
Thursday, April 05, 2001

Fosdick, who goes by various names online, is a 27-year-old hacker who
works as a programming engineer. He began hacking at age 10 after his
father, a prominent judicial official in the East Coast city where he
grew up, bought him his first computer. Within five months of
receiving it, Fosdick hacked into a bank. From there he progressed to
phone companies, utilities, and government systems. Most of the time,
he says, he just looks at data, but he has occasionally altered it. He
usually downloads whatever files interest him, then sifts through the
info while sipping coffee at Starbucks. We spoke to him via IRC about
his activities. We are withholding his real name at his request.

PCW: When you hacked into the bank at age 10, what did you do?

Fosdick: I mostly looked around at FedEx transfers, wire transfers,
bank account information. I didn't want to screw anything up. The
thought, of course, entered my mind to change data, but I couldn't
have if I wanted to back then--it was an operating system I wasn't
familiar with ... just a jumble of impressive-looking numbers.

PCW: Why did you pick the bank?

Fosdick: It was down the street from me.

PCW: Describe your progression into hacking.

Fosdick: I mostly played around with whatever I could find. I just
picked numbers out of thin air and tried them [dialing random phone
numbers through a modem in hopes they were connected to a computer].
When I was 12, I went for the summer to a program for gifted kids at a
university in Missouri. There wasn't a lot of supervision there, and
there was a "dungeon" full of computers I could use when I wanted,
provided I felt like sneaking downstairs. And I did.

That summer I started getting much more hard core ... and I dialed my
first BBS [bulletin board service--the precursor to Usenet groups,
where hackers would share tips about exploiting systems]. At that
point I started being less cautious. I got maybe 3 hours of sleep a
night for three years of high school.

PCW: Did your father know what you were doing all this time?

Fosdick: Not until years later. One night he had had it with me
sneaking down in the middle of the night and using the phone line; he
put two and two together, found my hidden files, printed them out, and
yelled at me.

PCW: Have you ever done a denial-of-service attack?

Fosdick: Yes. In 1994 and 1995 I wrote some code that would do it. It
was just for amusement, to protest AOL. Their mail servers were having
lots of problems for a while [as a result]. But it was just a game. I
never took [AOL] down, out of respect. Someone could get fired, and in
general I don't like hurting people.

PCW: Would you consider yourself a black hat or a white hat hacker?

Fosdick: What I do is certainly criminal ... [such as hacking into]
government computers. But I don't "destroy" systems I am on. For the
most part I just look around.

Of course, I've inserted and removed data where I had no business
doing so. I've played practical jokes here and there, forged e-mail,
changed features on phone lines, manipulated databases, that sort of
thing. I've had the opportunity on several occasions to make out
stocks-wise, but I haven't [done that].

PCW: How much time do you spend hacking?

Fosdick: Anywhere from 20 hours a week to nonstop for three to four
days at a stretch, with maybe a few hours sleep here and there. But
those latter times are getting rare. I'm getting old.

PCW: Is there such a thing as a hacker's ethic?

Fosdick: Hackers all have what they believe to be ethics. I'm using
ethics in a Nietzschean sense. In general, if you're doing what you
believe in, then you're ethical, to yourself. But everybody's ethics
differ. So I guess by that definition, even crackers have ethics.

PCW: Are hackers dangerous?

Fosdick: I think ignorance is the real danger. What's dangerous are
hackers who are out there doing this stuff because it's cool but don't
have the knowledge to give it respect.

PCW: But you've said that the really dangerous hackers are not the
ones making headlines. Who is dangerous then?

Fosdick: It's dangerous that corporate America thinks that the hackers
making noise are the danger. [Because] while [these hackers are]
getting attention, anybody who really wanted to could just ...

PCW: Do what?

Fosdick: You'd be surprised how many modems are still out there to
dial into. How many companies depend on their partners' security to
provide them with security. For instance, you can link through four
Department of Defense contractors straight to the Pentagon right now.
It shouldn't be that way, but it is.

PCW: You mean that while the government is busy securing itself, it's
forgotten about securing the companies it does business with?

Fosdick: They haven't forgotten. I've worked at a Department of
Defense contractor ... [they have] firewall after firewall, machines
kept in locked rooms with TEMPEST-proof walls.

The DoD contractors try [to maintain security], but there's always a
need to exchange data with other companies. Say you're Lockheed
Martin. You're working on one part of an airplane, and another company
is working on the radio, and another the flight control software. All
these huge CAD files have to be exchanged so that everything will work
together. That cannot be done by e-mail. So you need a dial-up or an
FTP.... It's nobody's fault, really. It's just the way business works.
Security is not compatible with business.

PCW: The government says that classified information is not on
computers that are connected to the Net.

Fosdick: It's usually not. But you'd be surprised how many modems are
still available to dial into. [A modem] might be connected to a
computer that's connected to a computer that's connected to a computer
that has the single point of entrance into some "forbidden" network.

PCW: Last fall, hackers broke into Microsoft's corporate network and
accessed source code for the latest versions of Windows and Office. Do
you think it will be possible in the future for hackers to place
malicious code, such as a Trojan horse, in a company like Microsoft's
source code?

Fosdick: Microsoft is a big target, but it's less likely to be
Trojaned than, say, Napster, or any of a dozen popular Net plug-ins
like Winamp or mIRC. Big companies tend to have more sophisticated
processes and better source-code control. Hacks there are more likely
to get noticed. But small companies tend to be more careless.

PCW: But isn't Napster so popular that few hackers would want to harm
the program?

Fosdick: Which is why it would be the perfect target. Between mIRC,
Napster, Eudora, and Winamp, you probably have about 85 percent of the
Windows computers on the Net.

PCW: Will we see this kind of hack soon?

Fosdick: That requires skills most hackers don't have. And those
programs aren't free source, so if it happens you'll probably never
even hear about it.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERVSecurityFocus.com with a message body of
"SIGNOFF ISN".

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]