To be presented at the 13th National Computer Security Conference, Washington, D.C., Oct. 1-4, 1990.

Concerning Hackers Who Break into Computer Systems

Dorothy E. Denning
Digital Equipment Corp., Systems Research Center
130 Lytton Ave., Palo Alto, CA 94301
415-853-2252, denning@src.dec.com

Abstract

A diffuse group of people often called ``hackers'' has been characterized as unethical, irresponsible, and a serious danger to society for actions related to breaking into computer systems. This paper attempts to construct a picture of hackers, their concerns, and the discourse in which hacking takes place. My initial findings suggest that hackers are learners and explorers who want to help rather than cause damage, and who often have very high standards of behavior. My findings also suggest that the discourse surrounding hacking belongs at the very least to the gray areas between larger conflicts that we are experiencing at every level of society and business in an information age where many are not computer literate. These conflicts are between the idea that information cannot be owned and the idea that it can, and between law enforcement and the First and Fourth Amendments. Hackers have raised serious issues about values and practices in an information society. Based on my findings, I recommend that we work closely with hackers, and suggest several actions that might be taken.

1. Introduction

The world is crisscrossed with many different networks that are used to deliver essential services and basic necessities -- electric power, water, fuel, food, goods, to name a few. These networks are all publicly accessible and hence vulnerable to attacks, and yet virtually no attacks or disruptions actually occur.

The world of computer networking seems to be an anomaly in the firmament of networks. Stories about attacks, breakins, disruptions, theft of information, modification of files, and the like appear frequently in the newspapers.
A diffuse group called ``hackers'' is often the target of scorn and blame for these actions. Why are computer networks any different from other vulnerable public networks? Is the difference the result of growing pains in a young field? Or is it the reflection of deeper tensions in our emerging information society?

There are no easy or immediate answers to these questions. Yet it is important to our future in a networked, information-dependent world that we come to grips with them. I am deeply interested in them. This paper is my report of what I have discovered in the early stages of what promises to be a longer investigation. I have concentrated my attention in these early stages on the hackers themselves. Who are they? What do they say? What motivates them? What are their values? What do they have to say about public policies regarding information and computers? What do they have to say about computer security?

From such a profile I expect to be able to construct a picture of the discourses in which hacking takes place. By a discourse I mean the invisible background of assumptions that transcends individuals and governs our ways of thinking, speaking, and acting. My initial findings lead me to conclude that this discourse belongs at the very least to the gray areas between larger conflicts that we are experiencing at every level of society and business, the conflict between the idea that information cannot be owned and the idea that it can, and the conflict between law enforcement and the First and Fourth Amendments.

But, enough of the philosophy. On with the story!

2. Opening Moves

In late fall of 1989, Frank Drake (not his real name), Editor of the now defunct cyberpunk magazine W.O.R.M., invited me to be interviewed for the magazine. In accepting the invitation, I hoped that something I might say would discourage hackers from breaking into systems. I was also curious about the hacker culture. This seemed like a good opportunity to learn about it.
The interview was conducted electronically. I quickly discovered that I had much more to learn from Drake's questions than to teach. For example, he asked: ``Is providing computer security for large databases that collect information on us a real service? How do you balance the individual's privacy vs. the corporations?'' This question surprised me. Nothing that I had read about hackers ever suggested that they might care about privacy. He also asked: ``What has [the DES] taught us about what the government's (especially NSA's) role in cryptography should be?'' Again, I was surprised to discover a concern for the role of the government in computer security. I did not know at the time that I would later discover considerable overlap in the issues discussed by hackers and those of other computer professionals.

I met with Drake to discuss his questions and views. After our meeting, we continued our dialog electronically with me interviewing him. This gave me the opportunity to explore his views in greater depth. Both interviews appear in ``Computers Under Attack,'' edited by Peter Denning [DenningP90].

My dialog with Drake increased my curiosity about hackers. I read articles and books by or about hackers. In addition, I had discussions with nine hackers whom I will not mention by name. Their ages ranged from 17 to 28.

The word ``hacker'' has taken on many different meanings ranging from 1) ``a person who enjoys learning the details of computer systems and how to stretch their capabilities'' to 2) ``a malicious or inquisitive meddler who tries to discover information by poking around .. possibly by deceptive or illegal means ...'' [Steele83] The hackers described in this paper satisfy both of these definitions, although all of the hackers I spoke with said they did not engage in or approve of malicious acts that damage systems or files. Thus, this paper is not about malicious hackers. Indeed, my research so far suggests that there are very few malicious hackers.
Neither is this paper about career criminals who, for example, defraud businesses, or about people who use stolen credit cards to purchase goods.

The characteristics of many of the hackers I am writing about are summed up in the words of one of the hackers: ``A hacker is someone that experiments with systems... [Hacking] is playing with systems and making them do what they were never intended to do. Breaking in and making free calls is just a small part of that. Hacking is also about freedom of speech and free access to information -- being able to find out anything. There is also the David and Goliath side of it, the underdog vs. the system, and the ethic of being a folk hero, albeit a minor one.''

Richard Stallman, founder of the Free Software Foundation who calls himself a hacker according to the first sense of the word above, recommends calling security-breaking hackers ``crackers'' [Stallman84]. While this description may be more accurate, I shall use the term ``hacker'' since the people I am writing about call themselves hackers and all are interested in learning about computer and communication systems. However, there are many people like Stallman who call themselves hackers and do not engage in illegal or deceptive practices; this paper is also not about those hackers.

In what follows I will report on what I have learned about hackers from hackers. I will organize the discussion around the principal domains of concerns I observed. I recommend Meyer's thesis [Meyer89] for a more detailed treatment of the hackers' social culture and networks, and Meyer and Thomas [MeyerThomas90] for an interesting interpretation of the computer underground as a postmodernist rejection of conventional culture that substitutes ``rational technological control of the present for an anarchic and playful future.''

I do not pretend to know all the concerns that hackers have, nor do I claim to have conducted a scientific study.
Rather, I hope that my own informal study motivates others to explore the area further.

It is essential that we as computer security professionals take into account hackers' concerns in the design of our policies, procedures, laws regulating computer and information access, and educational programs. Although I speak about security-breaking hackers as a group, their competencies, actions, and views are not all the same. Thus, it is equally important that our policies and programs take into account individual differences.

In focusing on what hackers say and do, I do not mean for a moment to set aside the concerns of the owners and users of systems that hackers break into, the concerns of law enforcement personnel, or our own concerns as computer security professionals. But I do recommend that we work closely with hackers as well as these other groups to design new approaches and programs for addressing the concerns of all. Like ham radio operators, hackers exist, and it is in our best interest that we learn to communicate and work with them rather than against them.

I will suggest some actions that we might consider taking, and I invite others to reflect on these and suggest their own. Many of these suggestions are from the hackers themselves; others came from the recommendations of the ACM Panel on Hacking [Lee86] and from colleagues.

I grouped the hackers' concerns into five categories: access to computers and information for learning; thrill, excitement and challenge; ethics and avoiding damage; public image and treatment; and privacy and first amendment rights. These are discussed in the next five subsections. I have made an effort to present my findings as uncritical observations. The reader should not infer that I either approve or disapprove of actions hackers take.

3. Access to Computers and Information for Learning

Although Levy's book ``Hackers'' [Levy84] is not...