Security Scene Errata


Taken off www.net-live.com
Meet the Hacker Trackers 
Matt McGrath 

A gang of convicts dressed in cartoon-striped uniforms shuffle slowly
along a sidewalk, searing in the noon-day sun. This is downtown Phoenix, a
low-rise high-tech city with a decidedly old- fashioned approach to crime.
From her office on the sixth floor of the county attorney's office, the
prosecutor remains unmoved by the sight of the prisoners. "People 'round
here don't have much in the way of sympathy for criminals of any kind. And
most of those guys are real criminals, not jumped up nobodies screaming
for attention - the kind of people I deal with!"

Meet Gail Thackeray, the world's foremost legal expert on computer crime.
A former assistant attorney general of the state of Arizona, Thackeray has
been fighting hackers and fraudsters for nearly 25 years. Now she works as
a prosecutor for the Maricopa County attorney's office, a jurisdiction the
size of New England that takes in all of Phoenix. It's most famous as the
home of Sheriff Joe Arpaio, "the meanest sheriff in America". This is the
man responsible for the convicts in stripes. He has made his reputation by
toughening up prison conditions, to loud hollers of approval from
freedom-loving Arizonans. 

Fighting hackers for 25 years? Doubt that.

Good citizens of Maricopa County can now walk the streets in safety, but
for the big technology companies that have moved to the "valley of the
sun", the unseen hand of hackers and computer phreaks is proving a major
distraction. Whether it's a left-over hippy feeling, the University campus
or just a reaction to the extreme heat, Phoenix is a top spot for computer
criminals. Thackeray is there to stop them.

Arizona has perhaps the United States' strongest legal code against the
activities of hackers, but sometimes Gail aches to fight fire with fire.
"We have to document every step of the way we investigate. They don't need
to have our education. They just need one other crook showing them, like
monkeys at a keyboard, how to imitate the crime. The bulletin boards were
the precursors to this, but the Net has exploded it down to the individual
level anywhere in the world. You don't need sophistication, you don't even
need very good equipment - one of the best hackers we've ever dealt with
had a Compaq luggable 286 and he was wreaking havoc around the world. Just
a list of his route on different systems attached to the Internet would
keep me in the hacker business for the rest of my life - it goes on for
pages." 

Getting away with it 

We move from her office to the conference room next door. Thackeray
proudly displays her new Compaq notebook. Her famous slide show is now
held on the notebook's hard disk. For more years than she'd care to
remember, Thackeray has been showing her slides to police forces and
prosecutors across the United States, advising them how to build a case
against hackers. She also trains police forces all over the country,
including secret service agents at the Georgia Federal training centre. 
Even the bad guys have been known to call her to find out what the cops
have been up to.
 
Although she has been a hacker tracker for 25 years, Thackeray is more
depressed than ever by the escalating scale of computer crime. The Web,
she says, has made it impossible to catch the crooks. "Even if it's the
boy next door, we haven't a chance. He may be doing something rotten to
your high-tech consulting firm, he may be next door trying to steal your
stuff - but he's looping through a long-distance carrier, a corporate
phone system, three Internet providers and circling the world twice before
he hits you. That's the problem from our standpoint. Even assuming all
those parties can trace the links they're involved in, we have to go
through a different process, and probably a different law enforcement
agency, for every single one. 

"In the old days out here, the Texas rangers were very famous for catching
bank robbers. They didn't stop at the Texas border when chasing a killer.
They'd jump on their horse and, even if they crossed the state line, they
would follow wherever the chase lead them. In the computer age we can't do
that at all. What we have now in the US is a mish-mash of laws and
agencies. Multiply that on the international level and it's completely out
of hand." 

High-tech law enforcement 

Thackeray moved to Arizona in 1986 after beginning her career as a
prosecutor in Philadelphia. She worked in the attorney general's office
running an organised crime and racketeering unit that won a national
reputation for its technical ability in the fight against hackers. She was
also the mastermind behind Operation Sundevil (see panel, overleaf), the
first nationally coordinated raid on hackers. But then democracy took a
turn and she became a victim of the strange process by which Americans
elect their most senior law officers. Her boss lost the race to be elected
attorney general. The victor wasn't interested in technology so 12 people
got sacked, including Thackeray.

Taking a break from the slide show for a moment, she shows me a little
number-generating program stored on her laptop. It generates random
numbers for Visa cards. Give it the four-digit code that identifies a card
issuer and within minutes you'll have hundreds of false credit card
numbers to play with. "Now supposing you had another little program that
made the bank think these numbers were legitimate - How much do you think
you could make?" We go on-line to see some of the hacker sites. Thackeray

Can't make much. If it is that simple, more hackers would give 
in to temptation and do it. Simply having a 'valid' credit card number
is not very helpful in today's world. You need expiration date, billing 
address, and often more information.

believes that the Web is making a bigger range of crimes much easier to
commit. "In the future the good parts of the Internet will be bigger and
more complex and available to more people and that's great. But this means
all of those people will have victim potential. Thanks to the growth of
the Web, one criminal can now do an unprecedented amount of damage,
whether it's to corporations or to individual's feelings by threatening
and stalking, spam attacks or just shutting down ISPs.

"We have had four incidents in the first six months of this year.  These
people are attacking not just the little local service provider, but also
some of the 19 Internet backbone carriers. They're absolutely ruthless and
don't care who they hurt. In a case in Tucson, tens of thousands of users
were shut down just because some person with an adolescent level of
maturity decided he was mad at another ISP, so he took all of its
customers off-line. It's frighteningly easy to do and only took one
broadcast message. All the routers that run the Internet shake hands
periodically, so if you can infect one router, given time it will infect
the entire world. And that's what happened. It took just a few days for
the entire world to believe that this service provider, and all its
customers, didn't exist."  Not only is the Web host to a whole new range
of crimes, it's also home to a brand new band of weirdos. "Unfortunately
the Web is the best playground ever invented for sociopaths. They can
hide, are anonymous and can't be traced. Nobody is in charge and it gives
them that power rush that psychologists say is what they live off. It's
their whole life's breath. It's the chest-beating power surge of being
able to do it and get away with it. We are just seeing more acts of wanton
destruction simply for the sake of showing that you can do it."

Does she think this new generation of Web hackers is a real threat to
people? "Every baby in America knows the 911 emergency system. If mommy's
drowning in the pool, we've had three-year- olds save her life by dialling
911. The hackers have attacked the 911 system and they're still doing it.
That's not for knowledge or for glory, that's just an act of vicious ego."

This smacks of completely unfounded scare tactic. I seriously
doubt there are more than two or three documented hacker cases that dealt
with the 911 system.

Rat's nests and technocrap 

Personal liberty is taken very seriously in the western United States.
No-one likes the idea of "big government" interfering with people's lives.
Even hackers gain sympathy when they complain of harassment by police and
prosecutors. Some say they've been victimised by the authorities.

Thackeray denies this. "It's a hacker myth that we take away their
computers and sit on them forever. In one case we came across, the guy had
over 12Gb of data stored on his system - that's equivalent to 15,000
paperback books. It's better that we seize all that material - you might
have love letters, cook book recipes and your extortion kidnapping letter
on the same disk. We can't take one without taking the other. We cannot
physically copy that volume. It is far easier for us to take computers
away than for us to camp out in your house for six months."

Contradiciton? "myth that we take away their computers.."
quickly followed by "it is far easier for us to take computers away.."
It is fairly well documented that hackers lose their machines and hardware
forever,a nd in some rare cases, years. Even if no charges are brought
against them.

A hovel of a bedroom fills the projector screen. Coke cans everywhere,
rubbish dotted across an unmade bed. In the corner sits a naked computer,
stripped of casing, wires exposed. Thackeray calls it a rat's nest. She
has hundreds of similar photos. "Back in Philadelphia I began collecting
pictures of computers with their wires hanging out. When the geeks speak
to a jury we call the language they use technocrap. What you have here is
the physical version of technocrap." She gestures at the screen. Typically
hackers will set up a stereo system within easy reach of the computer, and
often a drinks cabinet as well.

A recent innovation is the home network. "We've come up against four or
five houses recently where people have had multiple systems networked in
the house. And that's even without running a bulletin board. When we get
lucky and we're fast enough we can find the guilty computer - but the
hardest part of the job is finding the brain behind the computer. To find
that person is good old- fashioned low-tech police work."

Thackeray's team face another new problem caused by the huge increase in
storage capacity. "In the computer situation no one throws anything out.
That makes our life more difficult. We don't want to read the last five
year's worth of your e-mail, life's too short and frankly it's not that
interesting. But sometimes we're searching for one piece of evidence and
it's buried in a huge volume of stuff so what else can we do?" 

Tracking or trailing?

The slide show draws to an end. We amble downstairs to the office of
another investigator. He shows us an array of hacker memorabilia on his
computer. I ask Gail about the future. She believes that unless there's a
fundamental change in the way police forces treat computer crime, there is
no hope at all. "The police departments and prosecutors around the country
are, frankly, paramilitary organisations with very bureaucratic, layered
decision- making processes. They see the need for more training in gangs;
they don't see the need for more training in computers because the
management came out of the knife and gun club.

"Police management is dominated by the physical crimes people.  We've got
to dissolve some of these barriers. When we move we need to move fast like
the Texas rangers - both legally and bureaucratically we're just not there
yet. When I started 20 years ago law enforcement was behind the computer
crime wave. We're farther behind today than we were then." 

She started 20 years ago, yet has been fighting hackers for
25 years?

Matt McGrath is an investigative journalist who works for Radio 5.