

Hackers Live by Own Code

Sure, they break into computer systems, but not always with bad intent. And these tech whizzes do have certain quirky rules of etiquette.

November 19, 2003 | Joseph Menn | Times Staff Writer

It wasn't Mary Ann Davidson's worst nightmare, but it was close.

A fax from a hacker in the Middle East landed on her desk at Oracle Corp., proclaiming the discovery of a hole in the company's database software through which he could steal crucial information from such customers as Boeing Co., Ford Motor Co. and the CIA. The fax warned Davidson, the company's chief security officer, to contact the hacker immediately -- or else.

Luckily, the hacker hadn't found a real hole; he'd just misinterpreted a function of the program. More surprisingly, he meant no harm.

"The sort of threatening tone he took was really only to get our attention," Davidson said. "He actually turned out to be a nice guy."

The confrontational style of Davidson's hacker isn't unusual. As they troll through other people's computer networks, hackers abide by their own quirky rules of etiquette. What would strike most folks in corporate America as bad manners or worse may be considered the height of courtesy in hackerdom.

In large part, that disconnect stems from the fierce individualism of hackers -- they are, after all, the sort of people who set aside the instruction manual and take a machine apart to see how it works. Though they inhabit a lawless domain where no data are considered private and "No Trespassing" signs are meaningless, they adhere to their own codes of ethics that vary depending largely on what motivates the hacker to hack.

Sometimes it's fame. Now and then it's money. Often it's a selfless desire to make software more secure. And occasionally it's a yearning to wreak senseless havoc.

The frequency of such attacks is on the rise, capped by the Blaster worm and SoBig virus that overpowered e-mail programs and crashed computer systems this summer. Computer Economics Inc. of Carlsbad, Calif., estimates that damage caused by hackers will cost companies and consumers $12.5 billion this year, up 13% from 2002.

Most hackers aren't malicious, security experts agree. But from afar, it can be difficult to distinguish the saboteurs from the merely curious, because they use the same tools, travel in the same virtual circles and often share a disdain for the rule of law.

Their philosophy predates personal computers, going back to the days when pranksters manipulated the telephone system to make free long-distance calls and cause other mischief. The personal rules that guide them today generally allow them to break laws, as long as they believe nobody will get hurt.

Firms Are Fair Game

This maverick outlook is best personified by Kevin Mitnick, either the most notorious hacker or the most demonized, depending on your point of view. He stole millions of dollars' worth of software after cracking into the computer systems of big companies such as Sun Microsystems Inc. and Motorola Inc. But he said he never sold any of it or otherwise profited from his electronic theft.

Mitnick, now 40, served five years in federal prison. Yet that hasn't deterred a younger generation of hackers who view private companies as fair game as long as no data are destroyed or profit turned. For many of them, hacking is just something their curiosity compels them to do.

Adrian Lamo, a 22-year-old hacker from Sacramento, always viewed his hacking habit as harmless at worst and helpful at best. If he has a chance to inform people about a security flaw in a company's internal network, he considers the disclosure a form of public service.

Lamo says he can't help it. He just starts wondering, then he looks for holes in a company's infrastructure, and he's in.

"When I'm curious about something, it's difficult to not seek out security problems," he said.

Working sporadically during long nights in Kinko's copy shops two years ago, Lamo used his battered Toshiba laptop computer to burrow deep into WorldCom Inc.'s internal networks. By the time he was done, he could have redirected the phone giant's employee paychecks to his own account or shut down the system of WorldCom customer Bank of America Corp.

Lamo did neither.

Instead, he recounted his exploits to a hacker turned journalist at, a Web site devoted to tracking hacks, holes and fixes. SecurityFocus then called WorldCom executives and told them Lamo was happy to answer any of their questions. After Lamo showed WorldCom what he had done and how to prevent it from happening again, the company publicly thanked him for improving its security.

Part of Lamo's creed is a refusal to take financial advantage of anything he finds. The biggest compensation he's ever accepted from a company he's broken into, he said, was a bottle of water.

Chris Wysopal used to feel the same way when he worked at an outfit known as the L0pht, a band of security enthusiasts in a Boston apartment strewn with spare computer parts salvaged from area trash bins.
