This article was originally submitted to a magazine named "Gray Areas" with the assurance that it would be published. However, the article never did appear in the magazine, and was never paid for, so six years later, the author has given me the non-exclusive right to post it here. HACKING MORALITY Copyright (C) 1995 by Timothy Campbell Internet: pinnacl@cam.org Introduction It was June 27, 1995 and I had just returned from the Shareware Industry Conference in Arizona. My mailbox contained a complimentary copy of an unusual counter-culture magazine named Gray Areas. I found it fascinating; I couldn't sleep until I'd read it cover to cover. It brought back memories of bygone days -- a time when I was a confident young hacker. I discovered that things had changed considerably since my days of telephone and computer hijinks, but in many ways they were exactly the same. After I had finished reading the Spring 1995 issue, I flipped back to page 25 to reread a few sentences that had stuck in my mind. Netta Gilboa -- the publisher of Gray Areas -- had put forth a challenge: "... what actions hackers do that cross a line ... is a subject no one in the community dares to address. I beg people to write on this for us and they won't. It is almost entirely absent from the literature in the field." Morality is, to most people, a rather dull subject. Moreover, articles about morality have a tendency to become preachy and condemnatory. Finally, hackers are an independent bunch, and prefer to make up their own minds about such matters. Nevertheless, I thought I'd ask Netta if she would accept a commentary from someone who hasn't cracked into a system or messed with a phone since the 70's. She looked over the outline I had prepared for this article, and gave me the go-ahead. Before I begin, let me assure you that I am not a Bible-thumper; in fact I am an atheist. Although I had a strict fundamentalist upbringing, I tossed it all when I was 18, and ever since I have had to face all the moral challenges in life without the benefit of a rule book. I hope this makes my words more accessible. This article comprises four sections. In "Early Days", I talk about my computer and phone escapades during the 70's. In this way, I hope to establish my bona fides with the new generation of hackers. Perhaps, also, some of you will be interested in hearing what hacking was like when our fastest connection was at a mere 110 baud on a clattering old teletype. In the second section, "Us and Them", I will talk about the character of the hacker. What makes him tick? What inspires him? Why do some hackers go over the line and cause harm? In the third section, "Specific Dilemmas", I will make observations about certain aspects of hacking, and identify some of the moral questions that face us in this field. The fourth section, "Conclusion" will tie together some of the ideas touched upon earlier, and propose some suggestions about a "Hacker Morality". In fairness, I should warn you in advance that by the measure of a young hacker, I am a bit of an old fogey. For example, last year I downloaded half a dozen issues of "Phrack", but never got around to reading them. I glance at "2600 Magazine" in the book store, but end up buying "Skeptical Inquirer" instead. I'm not as wild as I used to be. These days, I hack the business world. I have been earning a living at shareware (freely distributed "Try Before You Buy" software) for the past ten years, and I find it much more stimulating than my youthful forays into gray areas. I'm reminded of a quote by Al Capone: "If I'd know that doing it illegally would be this difficult, I'd have gone straight". For me, the reverse is true: I find that doing things above-board is a lot harder, and that makes it much more fulfilling. Netta expressed some surprise that so little has been written about hacking and morality. I think I can understand why, though. If I'm to recommend some kind of behaviour, I will be putting myself at odds with some clever people who have the means to make my life miserable. They may recognize themselves in what I write, and wish to retaliate in some way. They might think that doing so would put me in my place. Actually, I already know my place. I know that there are some brilliant hackers out there, who have skills I have never attained. If they turn their anger against me, I won't enjoy the experience. For such people, there's an intriguing alternative to letter-bombing me (or whatever): write me a letter and convince me that I'm wrong (my email address is pinnacl@cam.org). It might not be easy to get me to change my mind, but hackers love a challenge. If you're up to it, I think you'll find it is much more edifying than striking from a position of anonymity. As an added benefit, an open discourse will encourage us to think about what our actions mean. Are we rebels? Freedom fighters? Hoodlums? Perhaps we can find out who we really are, and what our true value is. Early Days I discovered computers in 1972, at age 14. A friend told me that there was a teletype connected to a computer in New England. Come lunchtime, I sprinted for the computer room. It was a cramped, dark, humid cubicle dominated by a big grey ASR-33 teletype. Somebody showed me how to log on. Like any newbie, I started off stupidly enough, by typing "HELLO?" This produced the word "ERROR". I figured computers liked to compute, so I tried typing "2+2". ERROR. I thought a moment, then typed "2+2=?" Another error. I turned the machine over to another student and went off to read the system manual. I learned that we were connected to the Dartmouth Time Sharing System (DTSS). You may recognize that as the system where the BASIC language was created. It was, for its time, a massive system, running on a GE635 mainframe. It supported numerous languages and dozens of concurrent users. I was enthralled by the wonderful digital landscape before me, and before long I was living two lives: my mundane "real" life, and my virtual life online. The online experience expanded my world into new dimensions. We were so enraptured by it that we would even type up stories on the teletype when the mainframe was off the air -- just to hear that print thimble chattering against the cheap, roll-fed paper. Eventually, we discovered that we could prepare programs on punch tape, and it wasn't long before the filing cabinet was filled with programs awaiting input during one of the 15 minute time-slots allotted to each student. There were several of us whose enthusiasm knew no bounds. We would stay for long hours after school, programming in 15 minute blocks and talking to each other so rapidly that nobody else could understand us. We learned to multi-task during classes, both listening to the teacher and writing out programs in longhand. We decided we were a band of brothers, so we gave our gang the name "Programmer's Elite". We thought highly of ourselves, indeed! One item on DTSS in particular caught my attention: a multi-player battleship game named "SALVO42" (Salvo For Two). I dumped the source code, but I wasn't sufficiently knowledgeable to understand how you could hook up two people. Nevertheless, the idea stuck in my mind, and would come to the fore two years later. The end of the school year put an end to our fun, but none of us was surprised to find that when we returned, each of us had a stack of programs laboriously hand-written and desk-checked over the summer. (Remember: the first micro-computer was still several years away.) That year passed by quickly, while we spent every free minute in the cluttered computer room. A new mark sense reader (which read cards encoded with pencil) enabled us to write programs during class and read them in at the start of our 15-minute block. We wrote games and dabbled with John Horton Conway's cellular automata ("Life") concepts -- much to the consternation of the teacher in charge, who couldn't understand why we used so much paper. JR Telecom By the next year, most of the original gang had moved on. A new batch of hackers had arrived, and we named our club "JR Telecom" (after the name of our school). We were no longer on DTSS, but had been moved to a system that was also located in Montreal; it was a Hewlett Packard 2000 mini. This was the beginning of the war between the schools. On DTSS, we were overwhelmed by its sheer scope. But on the HP2000, we quickly became aware that two other high schools were also online. There was a shared account, but the students were not permitted to use it. We discovered, though, that it was possible to save a program there. This posed a bit of a problem: once the program was there, it had to work perfectly, because we had no way to delete it. A failed program would make us look bad, and naturally we wanted our group to be the best. Eventually, a member from our group discovered the password while "shoulder surfing" (covertly watching) a teacher. This gave us a certain prestige, but a competing school came up with the same solution and we had to share our pedestal. That's when we decided to go for the big prize: A000. A000 is the system operator's account on an HP2000. We knew we wanted it, but it took us a few weeks to figure out how. Using our skill at writing programs that worked right the first time, we set up an elaborate ruse. One of our gang, whom we called "Phlash" (no connection with phreaking) went down to the headquarters to use their teletype, which operated at the blinding speed of 120 characters per second (1200 baud). He told one of the operators that he was going to play a prank on the secretary, but needless to say, he had something else up his sleeve. After half an hour of playing around online, he called out, "Joanne, there's something wrong with my account! Can you see if I've got all my space?" He fired up a program written by "Apple" (whom we named after the language APL, not the Apple computer, which wasn't invented yet). The secretary obliging signed on to A000 and typed a command, only to see a silly message along the lines of "THAT IS A BAD COMMAND -- GO AWAY, JOANNE!" Everybody laughed: Joanne, the operator, Phlash ... and those of us back at the school, who quickly printed out the file containing the master password. We immediately obtained the passwords to all high-level accounts on the system, and set up a procedure that would route all users through our own front-end program. The next day, when the competing schools logged on, they were greeted by the words "WELCOME TO JR TELECOM!" For safety reasons, we deleted this part of the code shortly thereafter. I'd like to pause at this point to mention that we had to cook up these schemes ourselves. For all we knew, nobody else was doing this kind of thing. We certainly couldn't go out and rent the movie "War Games" -- that wasn't in the theatres until nine years later. By that time most of us had already moved away from cracking to other pursuits, although we did watch the movie together and thoroughly enjoyed the memories it evoked. The other schools weren't ready to admit defeat. One of them sent a spy named Ron to do some "dumpster diving" (looking in garbage cans). He came away with a list of passwords we'd thrown out. As a common-sense precaution, we had carefully blacked out each password with a felt marker, but they discovered that by mounting the sheet on an overhead projector, they could read most of the text. Fortunately for us, they did not find any of the master account passwords. I think we flushed those down the toilet. As for the rest of our information, we kept this in our "Little Black Books", which were written in a code that looked like a cross between Greek and Cunieform. By the end of the year, Ron's team had advanced to more sophisticated techniques. They had assembled a low-power radio transmitter which could be hooked up to our phone line. It would send the sound of the modem to a receiver, which was hooked up to a tape recorder. They could then play this back through their own teletype and see what we'd been typing. As it happened, though, something else happened before they could put this plan into action. The company that ran the HP2000 (I'll call them UTD Inc.) knew that something was going on, but they couldn't tell what it was. Apart from the "WELCOME TO JR TELECOM" gimmick, we were extremely circumspect. For example, we had a standing rule that we would never log directly from one of our accounts to one of the high-level accounts; Phlash had hung around the UTD head office long enough to know that there were logs of such activity. UTD suspected that our school was responsible, but they couldn't prove it, so they faked a log showing us logging back and forth between our accounts and the master accounts, which got us banned from the computer room for a month. Undetered, Apple and Scoot (another one of our gang) volunteered to teach the younger students (who we referred to as "the grommets"). The teacher in charge saw no harm in this. Although he wouldn't allow them to touch the terminal, he did let them into the computer room. This let them set up a secret entry path. Just before leaving each night, they would unlock a window in an adjoining room. After all the school staff had gone home, they would open the window, squeeze through a small hole near the ceiling, remove the ventilation grill from the computer room door, and crawl inside. The telephone was locked in a filing cabinet, but they had altered the locking mechanism so that the drawer could be opened if it was pulled up at an angle. After about a month, the teacher in charge figured we'd learned our lesson, and let us use the computer again. We thanked him profusely, and continued exploring our little online empire. When we weren't poking our noses where they didn't belong, we wrote simulation programs. One day, the teacher came in unexpectedly while we were on the master account. Apple brazenly announced, "Hey, look at this, sir! We're simulating the master account!" The teacher wandered away when the rest of us started criticising Apple's "simulation" for supposed inaccuracies. UTD finally decided to change all the master passwords -- no small task, since there were many high-level accounts and they all had to be changed individually. As it happened, we were in the process of logging on to a master account, and when we found ourselves locked out, we rapidly tried several other accounts until we managed to log on. We then wrote down each new password as it was changed. Overconfidence was our undoing. Apple and Scoot were continuing to use the computer after hours, thanks to their secret entry route. They made the mistake of waiting a mere 10 minutes after the teacher had left. As it happened, he forgot his briefcase. Returning to retrieve it, he heard typing in the computer room. Apple and Scoot had, by this time, hidden in the adjoining washroom (each perched atop a toilet), but the teacher found them there. He kept repeating, over and over, "I don't believe it." The next day, Apple and Scoot were hauled before the principal, who had no idea what to do about this kind of thing. Apart from the illegal entry into the school, they hadn't broken any laws. At the time, Canadian law simply had nothing to say about cracking systems. In the end, they were told that the incident would be kept on file until they graduated. They were, once again, banned from the computer room. The next year (I had graduated, by then), they went back to teaching "the grommets", but as far as I know, they kept their act clean. By 1974, all of the warring factions from the various high schools had graduated. We decided to work together, and started up a group named "Montreal Telecom". The Altair microcomputer had just become available, and we knew that we had to have one! We put together a proposal whereby the Canadian government would buy us the computer, and we would use it to teach "grommets" how to use micros. This was, of course, a subterfuge; we wanted the machine for ourselves. As it happened, though, we were not able to get the project off the ground. It seemed we were much better at manipulating computers than the government. Phone Phiddling In 1975, microcomputers were still too expensive for our meager budgets, so Ron and I turned to what I will call "phone phiddling". That's a bit like phone phreaking, but considerably less sophisticated. Ron certainly had the electronics expertise to build a blue box, but we limited our long distance games to "bleeping" (an archaic method that used 2600-hertz tones). Even I was able to cobble together a bleeper, using a simple oscillator and a morse code key. Most of our experimenting involved scanning phone exchanges, by hand, using a dial-pulse phone; auto-dial modems were not yet available. Coordinating our experiments with stop watches, we discovered some interesting things, such as a single number that could busy-out a block of 100 numbers. Intriguing, but not very useful. Eventually, we discovered "Loop Lines". A loop line is a pair of numbers that allow two people to connect without knowing each others number. They are used by the phone company for testing, but we had other plans. Some university students were running a free phone conference as an experiment, so Ron and I started publicizing the loop lines. We quickly discovered that people didn't like to wait on the lines; they wanted a ready-made solution. So we ended up waiting for hours at a time on the loops, getting people used to the idea that they worked. Once one loop line was thus established, we'd announce the "activation" of another one, and go back to waiting. If it wasn't for a jury-rigged speakerphone (which let me read a book while I was waiting), I would have ended up with flat ears. Just before the free phone conference shut down for lack of funds, we had our first contact with an actual phone phreak. An American woman by the name of "Solitaire" started cutting in from time to time. She told us that one of the loop lines was "unsupervised" (also known as "unsuped"), which meant that people could call from anywhere in North America without being billed. Ron and I hooked up some voltmeters to our phones and went off in search of other unsuped loops. Since our phones were on ancient "Step by Step" switching systems, this meant two things. First, we didn't have touch tone. Second, and most important, we could detect an unsuped loop simply by noting that the polarity did not reverse when another caller dialed in. Once again, we got the ball rolling on these unsuped loops. Unfortunately, word got out and before long, local callers were jamming them up. It seemed like a tragic waste. Ron and I turned our attention to building up a reputation amongst the locals. This might sound pointless, but by this time the loops had evolved into quite a social scene, complete with gossip, "in groups", get-togethers (which we called GT's), and a two-page fanzine ("Telephone Journal"). Since we weren't particularly knowledgeable about phones, we decided that all we had to do to fool the natives was to appear capable. We got a lot of mileage out of a phone bridge (a primitive form of conference line, little more than a pair of wires between two phones). I would chat with somebody on a loop line for 10 minutes, then Ron (who was listening) would suddenly "cut in". We had a few circuits for making convincing clunks and chirps. He and I would talk arcanely about phones, and then he'd bid us farewell. The caller on the other end of the loop line was usually impressed by this performance. Most of our amazing technical talk was something we called "static" -- conversation that has two levels of meaning: one for the person listening in and one for ourselves. This sounds more complicated than it is. Most people evolve a shorthand for conversing with close friends, so that certain words and inflections take on added meaning. We played this to the hilt and it enabled each of us to cue the other as to what we wanted the ploy to accomplish. Once people started gossiping about our astonishing skills, we went to phase two, which we called "Admission of Denial". Somebody would ask something like, "I've heard that you can listen in on phone calls. Is that true?" We would deny this so vehemently that the person was convinced that we were lying. This proved far more convincing than saying, "Yes, we can". It also meant that we didn't have to demonstrate anything! Around this time, Ron and I were joined by Claude, a fellow I had met via the CB radio. At the time, the local CB radio club conducted a secret game of "Chasse Mobile" (French for "Car Hunt") every Sunday, in the wee hours of the morning. One vehicle would hide somewhere in town, and based on his short transmissions, the others had to locate him. This meant tearing around the streets of Montreal at 3:00 AM, at two or three times the speed limit. I managed to cram a complete CB radio setup onto my 400cc sport motorcycle, which proved to be an effective arrangement. Claude was peeved by the boasts of some CBers that they could find anything, so he modified a toy walkie-talkie to operate on the club frequency, and changed it over from battery power to house current. We decided to put it on top of a high-rise condominium that towered above the local buildings, where its continuous signal (a pathetic 100 milliwatts) would hinder CB communication within a 3 mile radius. My job was to get us into the building. Claude's job was to affix the device outside the safety fence. He wasn't phased by the height; I've seen him shinny up a 25-foot antenna pole near the edge of a four story building. Indeed, this is a fellow who rode through a 2 mile railway tunnel clinging to the outside of the train -- just for fun. He had a bit of trouble finding house current for the jammer, almost frying himself on a 600-volt line at one point. But once it was installed, the radio club was unable to find our little device -- probably because they expected something lower and more powerful. After a few days, we took it off the air. Claude's next project was "Telephone Journal - Tape Edition", a recorded message, running on a loop line, which announced the latest loop news. He managed to get his answering machine to monitor the polarity on the phone line so that it would start up when somebody "clicked in" to the loop, and rewind when they hung up. I have no idea if the phone company was aware of all the socializing taking place on their test lines. The loop lines were great fun for the first two years, but at one point a student posted the numbers in her high school. This resulted in an explosion of immature callers. We called this cataclysm "The Grommet Tide". The quality of conversation rapidly diminished. Worse still, we were starting to get a high percentage of "listeners". These were young men who would sit silently on the line, waiting for you to get bored and hang up; they wanted to talk to a female with naughty thoughts on her mind. Some loops would hang up both sides if either caller hung up, but some of the popular ones would let you stay on for as long as you wished. This led to protracted battles of will, in which both parties would try to out-wait the other. I heard of several cases where people doggedly held on to the line for more than 24 hours. To deal with this, Ron connected a high frequency oscillator to his phone. He'd announce that he was about to disconnect the listener, then throw a switch which would cause a distinct click, disconnect his mouthpiece, and connect the oscillator. The high-pitched tone was filtered by the phone system, so the other person would hear only a soft hissing sound. The only way I can describe the effect is to say that it sounds like you're not connected to anything. He had enormous success with this technique. We were becoming quite distainful of the average caller, so we decided that a prank was in order. A set of loops had been hooked together (reportedly by an sympathetic phone company technician) to form at 10-person conference. The result was pure bedlam, but the lines were very popular. This gave us an idea for that number we'd found which busied out a block of 100 numbers. In the middle of winter, Ron scaled the fence at an outdoor pool (which was closed for the season), dropped a coin in the payphone, dialed the magic number, and walked away. We then started a rumour of an amazing 100-person conference that was so popular that it was "almost impossible" to get anything other than a busy signal. The rumour propagated for few weeks, until the phone company cut off the payphone. Eventually, we accepted the fact that we couldn't stem the tide. On my final call, I got a listener. I asked him, in my most reasonable tone, why he didn't want to talk. He expostulated a short word questioning my sexual preference. When I said, "Hey, I'm just here to talk!" he informed me that the loops lines had been set up by the phone company so people could get dates. I could see that ignorance was going to defeat technology. The loop lines staggered along for another ten years before the phone company finally closed down the last one. Two events from the loop era stick in my mind which demonstrate the difference between a hacker and a slacker. The first case is my encounter with "The Original Phone Phreak from Pikesville". This fellow was, I gather, the husband of Solitaire. He is the most collosally arrogant person I have ever encountered, and I found him utterly delightful. That might sound odd, but his evident ego was so huge that I believe to this day that it was a put-on. I remember his words, "I like showing people that I am superior, because it makes me feel good." Solitaire, who was listening in, would chime in, "It's true! He really is superior!" I only regret that my limited knowledge didn't allow me to understand his explanations of phone technology. (The possibility that he was bluffing has occured to me, but from what I remember of his technical discourses, I think he really did know his stuff.) In contrast, I remember chatting with a fellow named Donald when Ron "cut in", using our phone bridge gimmick. Donald was begging us to teach him to do phone tricks. Ron and I got to talking, quite seriously, about some bewildering sounds we were hearing on the line at that moment. After about five minutes, Donald interrupted with, "But how do you know all this stuff?" It occured to me that he didn't want to figure things out; he wanted the answers handed to him. The process of inquiry and discovery had been unveiled right before his eyes, but he just didn't understand that sometimes you have to work, and theorize, and experiment, in order to obtain knowledge. The Golden Age In 1978, some Montreal schools set up student accounts on an HP2000 mini. To protect the reputations of the administrators, I will refer to this system as Quitchan. Ron and I were already familiar with the HP2000, thanks to our experiences during high school. We wanted to get on, so Ron started building his own modem (known as a "Pennywhistle"). He'd worry about the passwords later. Meanwhile, Claude (who was still in high school) told me that his school had direct lines to the computer, and that he had figured out how to open the front door without a key. On weekends, we engaged in an activity we referred to as "Watergating". We let ourselves in, then headed for the main office. Claude slipped the lock and plucked the computer room key from the secretary's desk. The computer room was behind two doors, so once we were inside, we didn't have to worry about being overheard, should somebody happen by. As it happened, each time we broke in we triggered an alarm, but it never occured to anybody to look in the computer room. In any case, we had already planned an escape route out the window. On the basis of my previous experience with Watergating, I suspected that we would eventually get caught, so I suggested to him that we simply write short, amusing programs for the benefit of other users on the system. If a program couldn't be written during a three-hour visit, we had no assurance that we would be able to finish it. This rather meaningless exercise marked the founding of the "Sno'd In Sine Programming Group", known later throughout the Montreal online scene as either SISPG or by the less flattering moniker "The SysPigs". As I'd predicted, Claude was called to the principal's office before long. The HP2000 logs showed sessions taking place when the school was supposed to be closed, and an alert system operator had reported this. "Let me get this straight," said the principal, "we're trying to get students not to skip classes, and you're breaking IN to school?" Claude affirmed that this was so. "But you didn't take or break anything?" Claude said no. In fact, we were always careful to clean up and lock all doors behind us. "But why did you do this?" asked the befuddled principal. "Because I want to LEARN," explained Claude. The principal shook his head. "That's good, but I'm still going to have to tell your parents." As it turned out, Claude's parents thought the whole thing was hilarious. Since this avenue was now closed to us, Claude and I pooled our slim monetary reserves. I bought a 300-baud non-auto-dialing modem (for about $600 Canadian), while Claude bought a Z80-based Exidy Sorceror microcomputer. For $2000 he got a machine with about 32K of memory, a black-and-white RF modulator hookup, a painfully unreliable cassette tape interface ... and an RS-232 connector so we could hook up the modem. It was the modem interface that made us choose the Sorceror instead of the Apple-II. Meanwhile, I purchased a TDD (Telephone Device for the Deaf), a simple television-based terminal that supposedly could use either Baudot (popular with deaf users) or ASCII. The "switch" to select ASCII mode was a RCA stereo jack with the two leads soldered together. It simply didn't work when connected to the HP2000 (it probably used 7E1, although I didn't know about such things at the time), so I shipped it back. It got lost in the mail, and I was out another $600. Claude managed to get a simple terminal program working on the Sorceror, though. He had to write in assembly language, which was rather difficult, since the Exidy manual simply listed the Z80 opcodes, plus the helpful advice, "Experiment around until you get a reasonable result"! The Sorceror's native mode was BASIC, so Claude wrote a simple byte-zapper and coded directly in hexadecimal. It was quite a sight to see him programming in raw hex, seldom referring to the opcode list. Meanwhile, Ron had built his own S100 computer from a kit, and was adding an auto-dialler to his Pennywhistle modem. He also installed a "switch" to send a BREAK signal: he did this by pressing together two wires that protruded from the modem. We were aiming for results, not beauty. Ron and I had done some simple hacking under the name "Advanced Methods Project". (In Ron's words, "We don't do anything; we're just ... advanced!") I suggested that we merge AMP into SISPG. It seemed silly for me to belong to two hacking groups, both of which had only two members! Suitably armed with two computers and two modems, we were ready for the assault on the Quitchan system. We weren't the only ones, though. All around Montreal, other hackers were trying to get into Quitchan. If you could break your way in, you were "a technical guy" ("elite" in the parlance of today's hackers). Ron wrote a program, which he named Holmes, which would try every possible password on an account. We concentrated on low-level accounts, because by this time we were more interested in building an online community than in attaining power over the system. (Montreal's first micro-based BBS was still four years away.) The Holmes program ran night and day. Unfortunately, Ron's autodialler (driven by a parallel port, I believe) used a surplus relay that was extremely loud. The only way he could sleep was to bury the relay in a large jar of pennies. I don't know what his parents thought of a bundle of wires emerging from his computer and disappearing into a container full of coins. Holmes cracked, on average, two accounts per week. We needed a lot of accounts because the low-level accounts had very little storage space. We did crack one large account, but it looked like it belonged to the Quitchan staff, so we used it for backing up our smaller accounts and avoided logging on. We called it "The Vault". Never again in my life have I been able to duplicate the spirit that moved the hackers on Quitchan. It was a "golden age". Hackers created all kinds of multi-player games and competed to see whose program could attract the most usage. There was, however, a lack of effective communication, so in 1980 I wrote a program named BRDCST ("Broadcast"), the first BBS in Montreal, although since it ran on Quitchan, it wasn't open to the public. The SISPG took on another member, named Ian. He wasn't a computer whiz, but we liked him for his wit. He also regaled us with tales of an earlier (and strictly legal) golden age on Quitchan. A little later, we were joined by Jeff, a sharp coder who actually owned an IBM-PC -- with diskettes, yet! At this time, I was still coding raw hex on my hand-built Southwest Technical Products SWTPC-6809, storing programs on the digital tape drives attached to a ten-year-old TI-733KSR thermal-paper terminal. We also encountered many other hackers, whose names we would hear again and again in the years to follow. We were at the dawning of a new era, and Quitchan was the "alma mater" for Montreal hackers. Inevitably, the competition was often less than cordial. The SISPG was the most cohesive and productive group, and the other hackers didn't like that. On top of this, I wrote a program, named ACCESS, which served as the central point of the system (mainly to "keep score" of whose programs were being run, and how many times). Despite the jovial atmosphere that pervaded Quitchan, the battle lines were being drawn. For our part, we were a bit miffed that despite the fact that our programs ACCESS and BRDCST were "central", we did not run the most popular game, which was a multi-terminal space war game named (reasonably enough) SPACE. By this time I was working as a computer operator, and late at night I would sneak over to one of the dial-out terminals and fire up a hunter program I had written. It searched Quitchan for two weeks, looking for the master files that controlled SPACE. While this was happening, I was getting trounced in SPACE; my programming skills are only average, and my gaming skills are worse. I watched in horror as my beautiful Class-20 ship was attacked by a flotilla of Class-40 ships. Before long, I was flying a Class-3 ship. Since even a beginner is awarded a Class-5 ship, this was not acceptable to me. Finally, my hunter program found the master SPACE files, but they were encrypted. It took me another two days to crack the encryption, whereupon I made some adjustments to my ship and returned to SPACE. Once again, the flotilla of Class-40 ships saw an opportunity to beat up an SISPG ship. They were closing in for the kill. Just before they got within firing range, I sent them a short message: "Scan me". They scattered like chaff in the wind. Apparently, they had indeed scanned me and realized that the ship I was flying had a class rating represented by a one followed by twenty five zeros. I let them get away, though. I had made my point, and blowing them up wouldn't have been sporting. This kind of activity seemed like fair game: hacker versus hacker, on a level playing field. Nevertheless, we adopted what we called "The Triple-S-R Code". This was inspired by the "Stainless Steel Rat" series of science fiction books. We styled ourselves "Stainless Steel Software Rats" (SSSR), and our rules were twofold: "Look but don't harm" and "Cover your tracks". Although we continuing cracking Quitchan and infiltrating security on our fellow hackers' accounts, we did not approve of vandals who destroyed data or programs. We figured that if somebody had worked hard on something, we wanted to see it. We didn't, however, want to destroy it. A common reconnaisance technique was the "Cat Stealer". This was a simple front-end to an otherwise useful program that would dump your file catalog into a holding file. In this manner, hackers discovered what the others had. We kept our more sensitive programs and data in "The Vault", and since we never logged on there, they were safe. The ACCESS Projects By the summer of 1981, micro-based BBS programs were starting to appear in Montreal. We would have ignored them, since Quitchan was more interesting, but all school-related accounts on that system became unavailable when school closed. In anticipation of its return, I spent several months designing my own SPACE-style game. We hoped that the 1981/1982 season would be the best yet, with the SISPG in firm control of Quitchan. When the system did go back on the air in September, we were mortified to learn that they had removed cross-account capabilities. This meant that although we could still log on, we couldn't communicate. The golden age was suddenly over. It took a few months for this to sink in. We couldn't imagine life without Quitchan, so we decided to start our own system, which we would name ACCESS (after the central program I wrote for Quitchan). At that time, microcomputers were not powerful enough to run a decent multi-user system, so we had to set up shop on a minicomputer. That would take money, investors, and incorporation. It was time to "go legit". While we were laying the groundwork for ACCESS, Claude and Jeff did a bit of system cracking on the side. They particularly enjoyed hacking HP3000 minicomputers because of a gaping security hole. Some sales whiz had gone to many HP3000 sites in Montreal and given them a sample installation of a security program. As it turns out, though, he never secured the account properly. Worse, he always left a program (which we called "The God Program") which would allow you to get maximum authority on the system. Claude once logged off the system operator and refused to give him back his machine until he agreed to a friendly chat. Claude and Jeff also experimented with Datapac (an international X.25 network similar to Tymenet). At that time, few security safeguards were in place, so they were able to connect to computers all over Canada. Of course, once you were connected, you still had to crack your way in, but by this time they were rather good at guessing passwords. In Montreal, for example, there was a Hewlett Packard technician who used the same account name and password on every machine he serviced. Claude's last cracking effort started normally enough. He cracked an HP3000 computer and took a quick look around. He was stunned by what he saw. He promptly dropped the line and erased his disk. You see, he had broken into a major government security institution, and he decided that he'd played the game long enough. Now that we were going into business, we had to stay out of jail. In 1982, we started on the long road to creating Canada's first coast-to-coast consumer telecomputing service. Over the next three years, we lost our youthful exuberance, officially disbanding the SISPG in 1985. I left my job of ten years to work full time on the project. Two months later, I was back on the street. Somebody we trusted (I'll call him Mr. King) had quietly bought up controlling interest in the company. One day he informed me I was no longer President, and that was that. I had been so busy programming that I never saw it coming. I'd been out-hacked. Somebody had "cracked" the stocks out from under me. You might find it odd that I am using computer terminology to describe what happened to me in the business world, but is it really that far a stretch? Was Mr. King clever, or devious? Was I stupid, or too trusting? All this was outside my familiar "tech" world; would I apply the same measure of morality by which I'd lived online? Apparently, I wasn't as smart as I thought I was. That particular illusion died hard. But it was a good lesson -- one I was destined to learn. It was inevitable. Us and Them It's not surprising that hackers see themselves as a special breed: most of their friends and relatives can not understand what they are doing. When we read news stories of a young hacker getting arrested for his activities, it almost invariably comes out that his parents had no idea that he was doing anything unusual. The majority of hackers are satisfied to do a bit of programming, play a few games, and surf the net. Most hackers exhibit an laudable morality by accepting people on the basis of their minds, rather than skin color, religion, gender, or physical characteristics. A hacker can't see the person at the other end of a modem connection, so each person can be judged equally. Moreover, since bulletin boards and newsgroups allow people to edit their words before committing them to the ether, everybody has a chance to present their best side. "Flame wars" (online arguments) do occasionally erupt, but hackers generally disapprove of people who respond viscerally to ideas, rather than thinking things through and submitting a well-reasoned statement. I found out how this "mind first" attitude can enhance my life when I entered into email correspondance with a wonderful lady. After a few months of increasingly tender letters, we decided to meet. Only then did I find out that she was confined to a wheelchair, but by this time it didn't make any difference to me. I must confess that if I hadn't had the chance to get to know her mind, my first impression would have been influenced by her disability. As it happened, though, we spent a wonderful year together. Hackers are often portrayed as social misfits -- "geeks" or "nerds". Of course, every group has its share of people who don't fit into the mainstream, but in general I find that hackers are loyal, forgiving people. They tend to establish enduring friendships with kindred spirits. My own experience tells me that when I run into hacker friends I haven't met for a long time, it's as if we can pick up our previous conversation where it left off, several years earlier. There's a deep connection. Another thing I've noticed about hackers is that they are so busy that they can't seem to spare the time or energy required to hold a grudge. I remember when I was talking to "The Original Phone Phreak from Pikesville" (mentioned earlier), I was worried that I'd said something to offend him. I asked him if he had any retribution in mind. He answered, "Once you hang up the phone, you're no longer of any concern to me." That was a rather brusque response, but I was glad he had better things to do than hassle me. The Breaker Most hackers don't give much thought to moral matters. Most of the virtual universe they inhabit is abstract, so moral questions -- a slippery issue at the best of times -- become even more abstract. Moreover, the hacker world spans different cultures, which highlights the provisional nature of morality. (To quote a line from the play "Teahouse of the August Moon": "Pornography is a question of geography".) It's hard to know what's "right" and "wrong". I would like to make a distinction between the regular hacker and one who systematically and deliberately harms others physically, monetarily, or emotionally. I call this latter breed a "breaker". He seems to be a hacker without a conscience. A breaker's credo appears to be "If I can trick you, I'm smarter than you". There several flaws in that statement which lead me to believe a breaker is more interested in self-aggrandizement than in testing his cleverness. For one thing, many breaker ploys involve unsuspecting people. This is hardly a fair measure of intelligence; it's akin to hiding around a corner and shooting the first person who strolls by. Where's the sport in that? Also, the term "smarter" (or "elite", or whatever award the breaker bestows upon himself) is specific to his area of knowledge. It is hardly surprising that an intelligent programmer can do computer tricks that would astonish a brain surgeon. It is, of course, not only the breaker who exhibits this narrowness of vision. Art snobs, gourmets and wine connaisseurs are also tempted to look down upon people who don't understand their particular area of expertise. I suppose there's a bit of the breaker spirit in all hackers. We all find it amusing to confound somebody with a gimmicked program or some kind of high- tech joke. However, hackers generally check their conscience before proceeding. That's not to say that all hackers will draw the line in the same place, although most hackers will agree that it is not appropriate for us to write a "trojan" program that wipes out somebody's hard disk. So why do breakers do such things? The usual answer is, "It's an ego thing". According to this argument, breaking is to hacking as rape is to sex: it's about power, not creation. I believe that is an incomplete explanation. To understand the breaker, we have to consider the nature of computers, and why they appeal to certain people. Computers are alluring because of the nature of our interaction with them. They do what they are told and provide quick feedback. They are never sleepy, or cranky, or awkward, the way people are. Within the digital space of the computer, we can create our own little worlds, driven by strict logic, holding no surprises. Pure lands of instant affirmation. True, computers don't always do what we expect them to do, but there's always a reason, and the problem can always be solved, provided we are technically proficient and understand the limitations of the hardware. Some people get hooked on video games and lose touch with reality. This can be tragic, but if you consider it an addiction, it's hard to pass a moral judgement. Breakers are a different story, though: they reach out beyond their own machine and inflict grief on others. But even as they reach out, they maintain that sacred control which drew them to the computer in the first place. They insulate themselves from retribution, hiding behind a keyboard, using an alias for anonymity and safety. You can sometimes peer into the mind of a breaker by inspecting the alias he uses. Aliases usually make the person out to be leaner, meaner and larger than life. (In one game I wrote, I proposed the alias "Dagger Lord, Savage Power Master of Ultimate Evil Megadoom".) In case you're wondering, I don't use aliases any more, but when I was cracking systems, I used the name "Teesey" (which are my initials "TC", spelled out). On the loop lines, I used the name "Jonah". Breakers like to portray themselves as revolutionaries, visionaries or some kind of balancing force in the evolution of the digital age. This leads us to wonder: are they acting altruistically, or are they simply enjoying their ability to strike with impunity? You may have in mind a particular person or a particular event which you think crossed the line between hacking and breaking, but let's remember that different people draw the line in different places. Let's consider various hacking activities and try to see both sides of the issue. Specific Dilemmas Software Proliferation I don't like the term "software piracy". The word "piracy" is one of those words which is judge, jury and executioner. Another example is the word "crippling", which some shareware distributors use to describe programs that have some kind of limitation until they are paid for. The software industry has generally put forth the idea that any kind of unpaid software proliferation (which I'll refer to as "prolif" from now on) is immoral -- case closed. The Software Publishers Association (SPA) runs full-page ads with the slogan "Don't Copy That Floppy", along with threats of dire results for those who do. This is a simplistic approach to a complex problem. In fact, since it doesn't even acknowledge the existence of shareware and freeware (both of which encourage copying), many large corporations have rules against using them. These corporations are worried about possible legal problems. To counter the tawdry image of shareware, certain shareware organizations -- especially the Association of Shareware Professional (ASP) -- have taken steps to make shareware more palatable. They have advocated a position known by some as the "Policy on No Crippling" and by others as "Virtual Freeware". In this system, a fully functional copy of the program is given away, and it does not protect itself against prolonged unregistered usage. This downplays the provisional nature of the temporary evaluation license and fosters a feeling of trust. Alas, many shareware authors have found that users take advantage of this trusting relationship and simply use the program for free. While this does mean the program displaces a competitor, it also means that the author does not get paid. Recent developments in the shareware scene suggest that we will be seeing less Virtual Freeware in the future. Underlying the prolif debate is the perception amongst many people in the microcomputer world that software should be free. This position strikes many people as perverse, but it has a long history, going back to the earliest days of computing. Let's consider microcomputing in particular. When the first micros came out, there was almost no software available. Hobbyists wrote tools and applications and distributed source code freely. Let's underline that point: micro software was free before it was commercial. Eventually, though, some of the micro hardware companies commissioned programmers to write robust applications. One of the first was a BASIC interpreter, brought into the world by Bill Gates of MicroSoft fame. The purists were scandalized. It seemed sinful to ask for money for software. But what was the alternative? Some of the free software was very good, but most of it was arcane, unreliable or both. Since the programmer was not getting paid for his work, where was his incentive to do better? Only the real artist-programmers produced work of lasting value, and even these worthy folks tended to give up when their bank account ran dry. One response to this dilemma was "User-Supported Software", which later became known as "Shareware". The idea here was, "If you like it, send me some money to encourage me to keep developing the program". Before the micro revolution, it was almost impossible to earn a living this way. Somewhat later, as the number of PC's increased rapidly, several authors (Bob Wallace, Bill Button and a few others) did manage to turn a tidy profit. However, as other authors tried to emulate their success, users became tired of the constant requests for money. "User-support Software" had entered a crisis phase. By 1993, there were several thousand shareware authors, but less than a hundred were actually earning a living this way. In the early days of micros, many programmers realized that they would have to "go commercial" in order to survive. Unfortunately for them, the "software should be free" mindset was firmly entrenched in the hobbyist community. Prolif was so common that it put companies out of business. This led to the "Copy Protection Wars". Commercial software companies (particularly the game publishers) tried to invent schemes which would make prolif impossible, but these were invariably cracked by "free software" crusaders, hacker jocks, and people who just didn't feel like paying. Additionally, copy protection made the programs awkward to install, use, and back up. In the end, commercial companies largely gave up on copy protection and worked on added value, such as support, manuals, newsletters and so on. They also lowered their prices. Borland International stunned the world when it introduced an excellent Pascal compiler for the IBM-PC for a mere $49.95. It would cost a hacker more than that just to photocopy the manual. The program was a massive success. Commercial software strategies deal with the realities of the marketplace. But what about the moral dimension? If we can get a program for free, should we pay for it? For many people, the instant answer is: "Piracy is stealing!" End of discussion. Unfortunately, their response does not lead to any understanding of the issues of prolif, and it ignores history. The underlying problem of prolif can be expressed by what I call "The Sheep Analogy". The standard model of theft works like this: a man has a sheep, you take it, and now you have a sheep and he has nothing. Clearly, that does not apply to software. When you copy a program from somebody, you have the program, and so does he. Who loses? It can be argued that you both lose, because if the programmer is never paid, you will never see any upgrades to the software. According to this argument, you are not paying for the software, but encouraging good work. This argument also has a counter-argument: "I'm just one guy." Will the lack of your single payment make or break the programmer? Probably not. This brings us to what I call "The Voter Analogy". If you don't vote during an election, it's highly unlikely it will make a difference. However, if you tell people you didn't vote, you foster an atmosphere that is unhealthy for the voting process. Now you can skip voting and keep your mouth shut, but if you copy software, at least one other person knows. Is one program all you need, though? Copy a dozen programs and you're making quite a statement. You CAN make a difference, but you might not like what you're accomplishing. One of the problems with considering the moral aspects of prolif is that people don't like to think of themselves as dishonest. A common rationalization we hear is, "I'd buy it, but those crooks charge ten times what it's worth." This casts the proliferator in the guise of a modern-day Robin Hood -- taking from the rich to give to the poor. This is a variation on the defense, "It's a big company, so they won't miss my few piddling dollars". I can think of only one situation where arguments like these make sense. If you are sure that you would not -- under any circumstances -- pay to use the program, then you're not depriving the programmer of his just reward. For example, you might "borrow" a word processor because it looks nice, but you'd be willing to use a lesser program that is free, but just as powerful. If the commercial program wasn't available to you for nothing, you simply wouldn't use it. The obvious objection to this line of reasoning is that people can tell themselves that they have an equivalent program to fall back upon, which is free, when in fact this is not the case. Humans are wonderful rationalizers. This is clearly a situation where one's conscience gets some serious exercise. Some solutions to the issue of prolif are available, or are coming soon. Some expensive software packages use a hardware key (known as a "dongle"), which plugs into a serial or parallel port. It requires considerable technical skill to circumvent this kind of protection. However, dongles add to the price of the software package. They also convey a message of distrust that is hardly a marketer's dream. Some software companies have proposed that hardware companies install anti- prolif circuitry in their machines. This is certainly more practical for the end user than a stack of dongles to validate each of his programs. Once again, though, it introduces price and compatibility issues. The price issue is particularly troublesome, since users don't like to pay extra for something that will prevent them from doing something. As a result of all this, there has been little progress on this front. Incidentally, some have claimed that anti-prolif circuitry would pay for itself because it would allow software companies to lower prices. This presupposes that software companies inflate their prices to offset prolif, much as stores increase prices to offset shoplifting. However, this argument runs up against a lack of convincing (i.e. unbiased) statistics to prove its case. Moreover, it can be argued that proliferated copies displace software produced by the competition. Early copies of Lotus 1-2-3 were heavily proliferated, and this certainly contributed to its becoming the de facto standard spreadsheet for many years. Shareware presents some intriguing possibilities. In my case, I give registered users an unlocking code to self-register any new versions I issue for the next two years -- they download the new versions from my BBS, CompuServe or the Internet. This is more like a service contract than a software sale, and the user can see how his investment earns new benefits. Since the user is buying a series of upgrades rather than a single product, he is not as likely to be interested in a cracked copy of the program. Of course, a cracker could always figure out the technology required to create unlocking codes. A hacker in Norway distributed a program that could remove registration reminder screens from popular shareware programs. Believe it or not, he required anybody who used his program to pay for it! Another idea, which was discussed in detail at the 1995 Shareware Industry Convention in Arizona, is metered or rented software, paid for with electronic cash. I am sure that these, too, can eventually be cracked -- I believe any protection method is crackable -- but when fully functional software can be downloaded direct from the author and run for only a few pennies a day, there is less temptation to obtain a cracked copy from a person of unknown reliability. The July 1995 issue of Wired magazine discussed the idea of using software as a vehicle for advertising. Initially, free or inexpensive (but simple) software could advertise better (more expensive) software -- this is already being done in shareware, and is known as the "Shareware/Professional Method". Software could advertise services related to the product being used, or it could even act like a billboard for snack food. One company actually obtained a patent for using software for advertising, but after a protracted court battle, the patent was finally cancelled, so you can count on seeing more advertising programs in the future. I am not sure if it will work. Several years ago I did an ad-based program and it utterly failed to produce sales leads, even though the program was quite successful in other incarnations. Still, if the adware idea does work, it will mean that software can once again be free. All we have to do is put up with a few commercials. Whether or not software "piracy" is an immoral act, it is not going to go away. It's heartening to see companies working hard to address reality rather than wasting their time writing sermons. The Wishy-Washy Problem At this point, some readers will be exasperated with me for not making a clear statement about the morality of software proliferation. Is it wrong, or is it okay? Bad or good? I will be a bit more emphatic about my views in the conclusion of this article, but at the moment I should mention that it is very tempting for a writer to reveal his biases even as he tries to give both sides of an issue. Actually, some people insist upon it. I remember a conversation I had about ten years ago with a sysop who was a crusader against software pirates. I explained how I saw both sides of the argument, and he replied, "So you're in favour of piracy, then?" I said I was still thinking about it. "So you're against it?" For the next 30 minutes, he tried to make me commit one way or the other. He didn't introduce any new information; he just wanted me to take a position so he could determine if I was friend or foe. As I see it, this kind of thinking (which is the norm rather than the exception) dooms most discussions about morality. System Cracking I've cracked my share of computer systems. I've logged in and looked around to see how things are set up. Sometimes I've given myself special capabilities. Sometimes I've left the system operator a message, telling him about his security problems, then disappeared. I've never lost any sleep over the moral dilemma. Still, I have to ask myself: would I appreciate it if somebody secretly planted a camera in my living room? Would it make it any better if he later told me how he did it? I would never consider peeping through somebody's window, but apparently I didn't feel it was the same when I was peeping at somebody's data. I'm reminded of a story I once heard, about a man who was staying at a hotel in a small town in (I think) Austria. One night, he rang up the desk clerk and complained that a man had been watching him through the window. The clerk asked him to describe the man, then said, "Oh, that's Crazy Hans. Just ignore him." Apparently, Crazy Hans was a mentally unbalanced individual, and the town figured that as long as he didn't hurt anybody, they'd just let him live his own weird life. I was touched by the decency reflected in that story. Now, I'm not suggesting that it's crazy to snoop around inside somebody else's computer, but it behooves us to remember that privacy means different things to different people. I don't care if somebody pokes around inside my computer. I don't even care if somebody sees my financial records. I do care, however, if somebody alters or deletes my data. Breakers will attack a system and damage it -- sometimes beyond recovery. I don't understand why they do it. Some breakers claim to have a political or sociological agenda. The Spring 1995 issue of Gray Areas contains an interesting interview with a self- proclaimed Internet vigilante. He first expresses his ambition as follows: "Our nemesis is big business, or any business that bothers us. A few corporations are exempt because of the [skilled hackers] they employ, but that is a select few." So far, it sounds like an anti-establishment movement. Later on, though, he makes the following statement: "If you have annoying users on your system, you should seriously consider getting rid of them before they annoy us. There are some people who just shouldn't be on the net -- people whose sole purpose in life seems to be making me hurt them." Thus, this anonymous person sits on an anonymous board of judgement, which weighs each person's worthiness by their standards. What I see here is simple lust for control. Here's another quote: "We don't enjoy any publications or TV programs. The only think we 'enjoy' is increasing power in any way we can." I've heard this kind of talk many times before. Breakers don't merely want access to power, they want to wield it. While a cracker is intrigued by the intellectual challenge of breaking through security, and is perhaps titillated by being where he shouldn't be, a breaker has an additional goal: control. I believe that breakers can be encouraged to ease up on their activities if they see why it is to their benefit to do so. I will cover this in more detail, in the conclusion of this article. Viruses One thing that intrigues me about viruses is the mystique that has grown around their creators. There is a pervasive myth that it is difficult to write a virus. People may think, "If they were easy to write, there'd be more of them." Actually, there is plenty of virus source code floating around, so any reasonably intelligent programmer could make a virus and add a few twists. I think the real reason there aren't more is because most people simply don't want to write them. Several years ago, I thought up a particularly nasty idea for a virus. It would do something that no virus has ever done before (or since, to my knowledge), and it could potentially cause billions of dollars worth of data destruction. I smiled when I thought up the idea, then moved on to other pursuits. It never occured to me to actually unleash the thing. Still, I can see why somebody would want to do it. Everybody is starved for affirmation. Look at how people behave when they notice a TV camera pointing in their direction. If they happen to be at the scene of a big news story, they might phone their friends: "Watch the six o'clock news! I think I'm on it!" Imagine the glee of the author of the Michelangelo virus. His handiwork was featured in the headlines for several weeks. Johnny Carson told jokes about it. Of course, the virus writer never got to hear his name mentioned, but the sheer volume of the coverage made up for that slight omission. Virus authors also become a "parent": they send their little child out into the world, and it grows and grows. They know that if they die tomorrow, something of them will live on. If, in 3000 AD, some archaeologist restarts an ancient IBM-XT, he might be greeted with a virus message. Immortality, in any form, is a seductive goal. Some virus writers, attracted only by the immortality or fame aspect, write viruses that apparently do no harm. I say "apparently", because although benign viruses don't destroy data, they do hurt people. Several weeks ago, my friend Patrick called me up just before midnight. He frantically told me that his computer had a virus, and he had a contract deadline only two days away. As I talked him through some initial steps, to ensure that his most important data was safe, he admitted that his hands were shaking so badly he could hardly type. I did some research on the virus. The literature said it was "harmless" and merely replicated. Nevertheless, we couldn't take any chances. We had to treat it like a ticking bomb. Around 3:00 AM, Patrick dropped by to pick up a "clean" copy of DOS on a write-protected diskette. Taking it from there, we were eventually able to put his system back to normal. It was now six in the morning and time to get to work on the project. Patrick was exhausted, but he was too shaken to sleep. We later found out that Patrick had contracted the virus from a disk he had received from a large international company. He discovered this when he happened to mention the incident to somebody at that company, and found out that they, too, were trying to get rid of the interloper. When I think of that "benign" virus, I have to multiply Patrick's hellish night by a thousand. Or maybe I should multiply it by a million. Who knows? The virus may not cause any physical damage, but the total psychic damage it has caused is incalculable. Some virus writers put forth the counter-argument that these episodes teach people to make backups. That is no doubt true; Patrick told me that in the future he would be much more diligent in this regard. I have to wonder, though: are virus writers really doing this for the good of mankind? Are virus writers famous for their other good works? I personally know only one virus writer. His virus appeared to be a "good work", inasmuch as it proclaimed a message of world brotherhood. It also advertised his business -- a risky move, but believably deniable. When I'd heard that the programmer in question had written a virus, my first reaction was, "I'm not surprised". He has always lived life on the very fringes of what is acceptable; his credo appears to be, "Thou shalt not get caught". He is exceptionally good at avoiding trouble, despite his many outlandish escapades. As it happened, his virus-of-brotherhood managed to get into some commercial software, and millions of copies were shipped. He was an overnight sensation. I can't help but wonder, though, if he ever helped a desperate friend eradicate a virus. If so, has he ever thought about how he shocked millions of people? I can't read his mind, but I'm guessing the answer is no. He is one of those rare people who believe in themselves totally. On the face of it, this sounds like a good thing, but I'm reminded of a comment by the Canadian comedian Brent Butt: "With self-confidence, you can move a ton of earth with a spoon, and never realize you're digging your own grave." Self-confidence taken to the extreme is recklessness. I can understand that somebody might write a benign virus and fail to consider the psychic damage it will cause. What I can't understand is how a breaker writes a virus that destroys or alters data. With computers becoming ever more pervasive, it won't be long before we hear of somebody dying because a much-needed medical computer was knocked out by a virus. Malicious viruses are not a prank but a crime against humanity. The author of such a virus is harder to fathom than somebody who sprays a crowd with a machine gun. In the latter case, there is a limit to how much damage can be done, but there is no inherent limit on the damage that can be done by a malicious virus. At no time before in the history of humanity has anybody deliberately released a device which is beyond recall and can carry on its impersonal destruction indefinitely. That somebody could inflict such a thing upon the planet is utterly beyond my comprehension. Phiddling, Phreaking, and Fraud Hacking is a form of magic: we delight in finding novel ways to exercise control over a small piece of the world. Hackers of various types will play with computers, model trains, radios and locks. They also find it interesting to mess around with phones, and people. When it comes to phone phreaking, I only have a bit of book knowledge. My phone tricks were mostly smoke and mirrors. I can, however, appreciate how phone phreaks enjoy the cat-and-mouse game between them and the phone company. Accomplished phone phreaks have the ability to wreak untold havoc, but the ones I know are more interested in the phone system itself. To them, it is the ultimate puzzle. If a phreak treats the system as a puzzle, how do we assess the harm, if any, that they cause? One of their experiments might cut off a conversation (maybe even an emergency call). But apart from such hypothetical scenarios, the main cost seems to be a few pennies worth of electricity, and (if they are tying up long-distance trunks) some lost earnings for the phone company. From what I've heard, the phone companies don't deal harshly with phone phreaks who are simply exploring. Of course, if the phreak persists after being caught, they will naturally become more threatening. Additionally, if the phreak brings grief to a third party, perhaps by using a company's DISA (dial-out) lines, the phone company is obliged to take stronger action. Some phreaks use their capabilities to line their pockets. Once they've mastered the phone system, many opportunities present themselves. They can intercept and sell confidential information. They can tap into a phone-based network and learn how to insert themselves into a company database, obtaining free merchandise or payments for non-existent goods. Most hackers find this kind of activity impressive, but nevertheless unethical. Some phreaks become breakers. They use their power to intimidate. Your girlfriend dumped you? Bill her for a twenty-four hour call to the Weather Information number in Hawaii. She'll know it was you, but she'll never prove it. You win! As I said earlier, hackers like to "hack people", not just machines. They even have a word for people-hacking: "Social Engineering". (I believe this term was invented by John Draper a.k.a. Captain Crunch.) It's fun to bamboozle people. Sometimes (as in the case of a truly amusing practical joke) it can be fun for everyone. But social engineering can easily turn into breaking; all you need is a malfunctioning conscience. Pickpockets and con artists are some of the most skilled social engineers. Law enforcement officials note that when these people are caught, they are almost invariably angry rather than sorry. The first thing they want to know is how they messed up. There's another social engineering enterprise that is growing into a multi- billion dollar industry: psychics. It really isn't all that hard to pretend to be psychic; the techniques are easily learned -- or hacked. When I was 17, a local radio station asked for a psychic or astrologer to dial in, to do readings for callers. Without preparation or previous experience, I decided to try. The host of the radio show was obviously not taken in, but none of the callers expressed any doubt in my abilities. Here is one of the readings, to the best of my recollection: Tim: Okay, what is your birth date? Caller: January 5, 1943 Tim: Ummm, okay, this is going to be a bit difficult. One of your main stars went nova last week. Caller: Is that bad? Tim: I'll see what I can do. Wait a sec ... oh, darn. The moon's occulting Vega. Caller: Can you give me any advice, though? Tim: Okay, I've got something. You know your neighbour's dog? Caller: Uh, yes. Host: Excuse me, but does your neighbour actually have a dog? Caller: Well, there's one ... yes. Host: Okay. (Snickers) Tim: So, your neighbour's dog... Caller: Yes? Tim: Be careful around him. That's all I'm gonna say. What isn't clear in this transcript is the sound of trust in the woman's voice. Listen to any psychic radio show and you'll get to know that sound. Two years ago, I took a lady to a psychic reading and explained to her all the techniques being used to extract useful hints from the victims ("cold reading"). By the end of the session, she was spotting the tricks herself, and was angered when she saw over a hundred people drop money into the collection plate. The "psychic" runs several such sessions each week, and has been doing so for at least ten years. She makes a very good living from social engineering. She is a people-hacker par excellence. Conclusion What is a hacker? There are plenty of definitions, including some insulting generalizations from the mainstream press. Here is a definition that I like: a hacker is someone who approaches a problem with a mind clear of any preconceptions and is thus able to find the most direct path to the solution. Hackers exhibit innovation and inventiveness. They never assume something is impossible, just because others say so. Hackers free their minds from artificial restraints and use lateral thinking to arrive at non-obvious solutions. Hackers unify with whatever they set their minds to. They join to the object of their interest and speak through it and for it. Hackers can hack machines and people. But what about morality? Can we "hack" morality? Will such a nebulous concept yield to the skills of a hacker? I believe so. When hackers find something interesting, they will pursue their answers doggedly. The key word is "interesting". Or, to use a common hacker word, "neat". When a hacker says something is "neat", it means it engages him in a way that non-hackers can not comprehend. Something "neat" reflects an underlying beauty, and the hacker will toil tirelessly to uncover it. In that sense, I think morality is "neat", because it touches on every aspect of life, and life is the ultimate hack. So now what? Where do we begin? Some hackers follow the adage of Aleister Crowley: "Do as thou wilt shall be the whole of the law". Some people see this as advice to act without regard to consequences, but soon discover that freedom to act means taking responsibility for their actions. The principle of "Thou shalt not get caught" isn't very comforting when your decisions cause you harm because you didn't foresee the ramifications. It is not my wish to say how you should behave. Your ultimate authority is you, not me. I believe, though, that if you take your authority seriously, you will "hack morality" and realize that you are what you do. I think the difference between hackers and breakers is that breakers are psychically isolated. They have drawn a circle around themselves. Inside that circle is "me", and outside that circle is "them". Are they in a fortress, or a prison? Our lives pass through various phases. For example, most boys start out being indifferent to girls, then they hate them, then want them, need them, and finally marry them. These phases are familiar to us all. Our relationships with other people also go through phases. A baby is utterly dependent, then progresses to an exploratory phase. Later, the child makes friends, and by the time he reaches puberty, he is beginning to define himself in terms of a group outside his family. Later on, as he reaches young adulthood, he may draw away to find himself. He asks, "Who am I?" If he emerges from this phase as a reasonably well-defined individual, he moves on to the stage where he reaches out to discover his connection with the world at large. I think that breakers freeze their development at the "Who Am I?" phase. They draw the circle, and in their escapades try to find out what they are. Time passes and they fail to find themselves. Eventually, they become so accustomed to being away from the world that they become a universe unto themselves. This is an extreme example of one of the perennial problems associated with hackers: isolation. Hackers can get so tied up with objects that they lose sight of people. Even hackers who "hack people" are treating them like objects -- problems to be solved -- so the situation is the same. Morality can not develop within us if we see ourselves as being separate from the world. Only if we see ourselves as participants -- rather than tinkerer-observers -- can we find the external world "neat" enough. Of course, the external world is, by definition, outside our control. Everybody has an deep-seated wish to be entirely self-sufficient. We have movie and television heros (e.g. The Prisoner, Clint Eastwood, The Fugitive) who are complete unto themselves, but do such people really exist? I've never met one. And even if people somewhat like that do exist, do they grow their own food? Make their own clothes? We are all interconnected, and that makes us a participant whether or not we like it. Some people explain self-centered action as "Social Darwinism". They believe in "survival of the fittest", and think that if they are clever or stealthy, they earn the right to whatever they obtain. One problem with this idea is that there are some things in life that can not be bought or stolen; they derive from our relationships. Our personal set of ethics represent our decisions as to how we participate. If we decide it's okay to steal, then we steal. But we must remember that each choice defines our relationship to the external world, and we are entirely responsible for our decisions. If we choose to isolate ourselves in an "me and them" condition, then we must live with that. Can we live comfortably with that? Humans have an inherent need to relate to other people. Physical isolation (such as solitary confinement) is almost unendurable. Psychic isolation (the "me and them" condition) will also take its toll. Every time you cheat or harm somebody, you are drawing a line; you have consigned that person to "them". One solution, for hackers, is to associate with other hackers. Hackers have formed what linguists call "speech communities", one of which can be identified by such words as "warez", "kewl" and "lamer". Incidentally, when this mode of speech started in the early 80's, we older hackers thought it was pretty silly, but since the argot defines the community, it's pointless to criticize it. In general, hackers are noted for their intellectual capacity rather than their social skills. As such, hackers may not give their fellow hackers a well rounded social experience. Most hackers are not one-dimensional characters, though, so they can help each other progress well beyond the "Who Am I?" phase and develop a code of ethics that allows them to widen their circle. Keeping this in mind, in the early 1980's I started up the Permanent Weekly Get-Together (PW-GT). Every Friday, hackers of all sorts would congregate at a downtown bar and get some actual human contact, rather than meeting solely by modem. This became a Montreal tradition, and the PW-GT lasted for at least six years. I was well aware of my own tendency to isolate myself, both physically and psychically. I can't say I've completely overcome this (which is exacerbated by the fact that I work at home), but I'm working on it. Overcoming the physical aspect is simply a matter of planning. Overcoming the psychic aspect, however, takes us into moral questions. If our moral decisions allow us to integrate with others, we can shatter many of the barriers of psychic isolation. Seen this way, morality is a selfish decision. Or to put it another way, morality is enlightened self-interest. I think carefully about my decisions, because if I harm others, I harm myself. If I help others, I help myself. So where does that lead us? Can we propose some general guidelines for hackers to consider? I think the Hippocratic oath gives us a good starting point when it says: first, do no harm. But that's a negative guideline in that it says what not to do. So what can we do? One alternative is to use your creativity to design something useful, or something that will enrich the lives of others. There are plenty of promising projects. Computer hackers can write demos or games. Doing it right will involve a lot of effort, and positive feedback can elude you for a long time. I wrote shareware for eight years before I was nominated for a national award. In the final analysis, you are your ultimate authority. You make your moral decisions, and you reap the rewards or pay the costs. Just remember that the rewards and costs aren't only located in a piece of hardware or represented by your bank balance. Your contentedness and fulfilment are at stake. The health of your psyche is the ultimate measuring rod. Please choose carefully.