http://www.infosecnews.org/pipermail/isn/1999-February/001454.html

From: Adam Penenberg (apenenberg[at]forbes.com)

Feb. 8, 1999

Open letter to the hacking community:

Last week, Steve Silberman of Wired News called to tell me he and I and
some other journalists had been duped by a psuedo-hacker named Christian
Valor, AKA se7en. In April 1998, IĘd posted a piece on the Forbes Digital
Tool web site about ValorĘs kiddie porn vigilantism and the fact that law
enforcement knew what he was doing, but turned a blind eye. Cool story.
Too bad it turned out not to be true. 

I was certainly in good company. Steve also had written about ValorĘs
exploits, as had Newsday, the Independent in London, etc. Both Steve and I
received letters from se7en's ex-girlfriend simultaneously last week, but
Steve got on to the story first. I was out of town. Sad to say, he and I
were the only ones to respond to her letter. I told Steve I wouldn't post
anything until his story hit. (See "Kid-Porn Vigilante Hacked Media
http://www.wired.com/news/news/culture/story/17775.html). 

I can't comment on how the Steve or the Independent or Newsday conducted
their research, but I would like to share with all of you how I did mine,
and what went wrong. IĘm sure there are lessons to be learned. 

As you may or may not know, I am no stranger to taking on journalists I
think have concocted stories out of thin air. I broke the Stephen Glass
story, the associate editor of The New Republic who made up a story on
hackers and was later discovered to have made up some three dozen stories
for a number of well-known publications (See "Lies, damn lies and
fiction": http://www.forbes.com/tool/html/98/may/0511/otw3.htm). I also
took on Beth Piskora of The New York Post, who I believe made up a sexy
tech story on Organized Crime setting up phony companies for Y2K
remediation, who then, she claims, inserted software to divert money from
bank accounts (read: clients) to mob-controlled accounts. (See "Phantom
mobsters": http://www.forbes.com/tool/html/98/aug/0828/feat.htm). This
canard was picked up by Vanity Fair in a recent feature on Y2K. Vanity
Fair has yet to admit it published a lie.

I hate it when you nail a journalist and instead of coming clean, he or
she hides. This is what both Glass and Piskora have done. That's why IĘm
writing this note. 

For my story (Kiddie porn vigilante: 
http://www.forbes.com/tool/html/98/apr/0417/feat.htm) I knew I couldnĘt
get on IRC and traffic in kiddie porn on a Forbes computer. You remember
what happened to that journalist for NPR who did, and is now had to plead
guilty to a felony all because he was ostensibly researching a story? So I
relied on law enforcement, EHAP, and NAMBLA. I called literally 10 law
enforcement officials who said they studied under Valor in one of his
security courses. On the record, they would all vouch for se7enĘs hacking
skills. Off the record, they all said they knew what he was doing but they
didn't care. Everyone hates kiddie porn traffickers. 

I also talked to EHAP, and they told me they were distressed by se7enĘs
actions, because it gave hackers a bad name. Se7en should turn them over
to the cops or the ISPs, they said, not break the law in going after them. 
They didnĘt say he was a fraud.

I also contacted NAMBLA through its web site. I asked if anyone knew a
hacker named se7en, who was purportedly going after kiddie porn
traffickers on IRC. I received a cryptic response, something along the
lines of, "Yes, some of our members have been complaining about this guy. 
We just want to be left alone." End of conversation. He refused to turn
over any other details. 

So I felt confident that with all this cross-checking that Valor was who
he said he was. Obviously, I made a mistake. I think the most important
lesson I learned is that law enforcement doesnĘt have a clue what really
goes on in hacking circles; they are not good sources for this. I also now
wonĘt write a hacking story unless I can meet the hacker face-to-face and
actually see evidence that I can then verify with other hackersĮor
computer security experts I trust. This is how I approached my story for
Forbes magazine on the NY Times hack that ran last fall (available online
at: (http://www.forbes.com/forbes/98/1116/6211132a.htm).

If you want to send me taunting email, telling me what a fool I was, feel
free. IĘm at apenenberg@forbes.com. But you canĘt possibly be harder on me
than IĘve been on myself this past week. You live, you learn. 

Sincerely,
Adam Penenberg
Senior Editor, Forbes Magazine



main page ATTRITION feedback