http://www.infosecnews.org/pipermail/isn/1999-February/001454.html
From: Adam Penenberg (apenenberg[at]forbes.com) Feb. 8, 1999 Open letter to the hacking community: Last week, Steve Silberman of Wired News called to tell me he and I and some other journalists had been duped by a psuedo-hacker named Christian Valor, AKA se7en. In April 1998, I¢d posted a piece on the Forbes Digital Tool web site about Valor¢s kiddie porn vigilantism and the fact that law enforcement knew what he was doing, but turned a blind eye. Cool story. Too bad it turned out not to be true. I was certainly in good company. Steve also had written about Valor¢s exploits, as had Newsday, the Independent in London, etc. Both Steve and I received letters from se7en's ex-girlfriend simultaneously last week, but Steve got on to the story first. I was out of town. Sad to say, he and I were the only ones to respond to her letter. I told Steve I wouldn't post anything until his story hit. (See "Kid-Porn Vigilante Hacked Media http://www.wired.com/news/news/culture/story/17775.html). I can't comment on how the Steve or the Independent or Newsday conducted their research, but I would like to share with all of you how I did mine, and what went wrong. I¢m sure there are lessons to be learned. As you may or may not know, I am no stranger to taking on journalists I think have concocted stories out of thin air. I broke the Stephen Glass story, the associate editor of The New Republic who made up a story on hackers and was later discovered to have made up some three dozen stories for a number of well-known publications (See "Lies, damn lies and fiction": http://www.forbes.com/tool/html/98/may/0511/otw3.htm). I also took on Beth Piskora of The New York Post, who I believe made up a sexy tech story on Organized Crime setting up phony companies for Y2K remediation, who then, she claims, inserted software to divert money from bank accounts (read: clients) to mob-controlled accounts. (See "Phantom mobsters": http://www.forbes.com/tool/html/98/aug/0828/feat.htm). This canard was picked up by Vanity Fair in a recent feature on Y2K. Vanity Fair has yet to admit it published a lie. I hate it when you nail a journalist and instead of coming clean, he or she hides. This is what both Glass and Piskora have done. That's why I¢m writing this note. For my story (Kiddie porn vigilante: http://www.forbes.com/tool/html/98/apr/0417/feat.htm) I knew I couldn¢t get on IRC and traffic in kiddie porn on a Forbes computer. You remember what happened to that journalist for NPR who did, and is now had to plead guilty to a felony all because he was ostensibly researching a story? So I relied on law enforcement, EHAP, and NAMBLA. I called literally 10 law enforcement officials who said they studied under Valor in one of his security courses. On the record, they would all vouch for se7en¢s hacking skills. Off the record, they all said they knew what he was doing but they didn't care. Everyone hates kiddie porn traffickers. I also talked to EHAP, and they told me they were distressed by se7en¢s actions, because it gave hackers a bad name. Se7en should turn them over to the cops or the ISPs, they said, not break the law in going after them. They didn¢t say he was a fraud. I also contacted NAMBLA through its web site. I asked if anyone knew a hacker named se7en, who was purportedly going after kiddie porn traffickers on IRC. I received a cryptic response, something along the lines of, "Yes, some of our members have been complaining about this guy. We just want to be left alone." End of conversation. He refused to turn over any other details. So I felt confident that with all this cross-checking that Valor was who he said he was. Obviously, I made a mistake. I think the most important lesson I learned is that law enforcement doesn¢t have a clue what really goes on in hacking circles; they are not good sources for this. I also now won¢t write a hacking story unless I can meet the hacker face-to-face and actually see evidence that I can then verify with other hackers¯or computer security experts I trust. This is how I approached my story for Forbes magazine on the NY Times hack that ran last fall (available online at: (http://www.forbes.com/forbes/98/1116/6211132a.htm). If you want to send me taunting email, telling me what a fool I was, feel free. I¢m at apenenberg@forbes.com. But you can¢t possibly be harder on me than I¢ve been on myself this past week. You live, you learn. Sincerely, Adam Penenberg Senior Editor, Forbes Magazine