Script Kiddie: Jeffrey Lee Parson

Should we increase the time to meet the crime or should hackers be silently put to work for our Federal Government?

Last Update October 2, 2003


        While working on my computer late at night, I receive an email from a trusted friend. I’m fully aware that one shouldn't open any file attachments, but I trust the source and open it anyway. The email reads, “This is really cool, take a look!” I've been on the Internet a few years and I should be apprehensive about opening the attachment, but against my better judgment, I open it anyway. The attachment has the filename “Happy99.exe.” The file extension “.exe” sends shivers down my spine. A word to the wise: don’t open any attachments with an ‘.exe’! Never, ever! The words ring in my head like a five bar fire alarm, but I go ahead and open the file anyway. I see clusters of colors burst on the screen in a very poor attempt at simulated fireworks. Yawn, it wasn't very exciting if you ask me. Oh, but the party's just beginning, Mr. Paul.

        A few days later, I check into a posting forum that I frequent. The regulars in the forum are complaining about the attachment “Happy99.exe.” People are claiming it’s a self-duplicating virus. Immediately I scoot over to Symantec.com and find that it's not a hoax. “Happy99.exe” is a Trojan horse: a program created by a hacker that replicates itself by installing onto your hard drive under some other file name. “Happy99” would copy your entire email address book and on the very next email you sent, "Happy99.exe" would mail itself to everyone in your address book. No wonder "Happy99.exe" is so happy! This particular virus was rather benign compared to the damage other viruses have done in the past. This incident was not the first nor will it be the last. Would serving hackers with stiffer penalties through the judicial system reduce the number of viruses passed through the Internet? Would recruiting hackers into the federal government working for the FBI or the NSA put their talents to a more productive use? Destructive talents used for productive means?

        According to MSNBC.com, on August 19, 2003, FBI and Secret Service Agents searched Jeffrey Lee Parson's home and seized seven computers for analysis. Mr. Parson is currently under suspicion of being the author of the "SoBig" virus, a variant of the "MSBlaster.B" computer worm. 7,000 computers were reported as having caught the virus according to officials. I say reported in italics to emphasize that according to the FBI, only thirty-four percent of those infected with a virus are ever reported to authorities. Many companies never report a breach of computer security out of fear of losing their clients' faith in protecting personal information. Reporting a breach in security would also have a negative impact on the company's stock if it were a publicly traded company. This was not Mr. Parson’s first incident. Before this incident, two Internet Service Providers denied him service for creating mischief while he was their customer. This is typical of most apprehended hackers. They have been caught numerous times. Either hackers are not reported, or if tried in a court of law, they have been let off with a “hand slap,” i.e., “You naughty boy! Don’t do that again! Whack!” This bears similarity to Sister Ellen Eberhart and her proverbial swat across the knuckles with a wooden ruler, which is not effective with hard-core offenders.

        In a class discussion on Monday, September 15, 2003, Mr. Tate Redding, lecturer and Associate Director of the Undergraduate Program in Information Systems at the University of Maryland, Baltimore County, brought up the apprehension of Mr. Parson in my Computer Security course. What Mr. Redding added to my research was that Mr. Parson had cost industry 1.3 billion dollars in lost revenue because of his attack on targeted web sites.

        According to Tate Redding and my own research, the label "Hacker" is a rather broad paintbrush and is used by laymen to describe people who wreak havoc with computer systems. There are really two groups of hackers plus a third group, which is known as "Script Kiddies" in the computer industry.

        Mr. Parson is not what the computer industry calls a "Hacker," but rather a "Script Kiddie." Michael Whitman and Herbert Mattord in their book "Principles of Information Security" improperly define the typical hacker. They claim a typical hacker's profile is a teenage boy between the ages of thirteen and eighteen with limited parental supervision on the computer. Such boys spend most of their free time surfing the Web and doing things on the computer. This definition is more fitting of a script kiddie.

        Mr. Parson is not the first of the script kiddies. For a case similar to Mr. Parson’s, Edward H. Freeman, in his article “Prosecution of Computer Virus Authors,” recalls the Melissa virus released on March 25, 1999. Melissa affected more than 100,000 users worldwide and caused an estimated $80 million in damages to U.S. businesses alone. David Smith was apprehended for releasing the Melissa virus and in 2002 appeared before Federal Judge Joseph Greenaway. Judge Greenaway sentenced Mr. Smith to twenty months of incarceration in a federal penitentiary and to pay a $5000 fine. In addition, he was sentenced to serve three years of supervised release, during which he could not use the Internet, computer networks, or bulletin boards unless authorized by the court.

        Here I am going to expand the definition of a script kiddie. They are usually young, male teenagers between the ages of thirteen and eighteen and have only a low-level understanding of coding, if they have any understanding of coding at all. Script kiddies search through known "Hacker's Web Sites" and download programs there. The script kiddie then alters the code slightly with a high-level programming package such as Microsoft Visual Basic, assigns the program a new name and sends it back into the wild, otherwise known as the Internet. What the script kiddie has done is take someone else's well-known virus and create a variant of that virus. The new virus is not detected by old anti-virus software because these programs usually check for a virus by its file size. The script kiddie, by adding a few lines of code, has rendered the anti-viral software useless because the old virus has a new file size and goes undetected. The script kiddie's motivation is so he can go out and brag how he single-handedly crippled "x" number of computers.

        A hacker, on the other hand, is a very highly skilled computer professional with a high-level understanding of how computers work, and is usually a programmer familiar with the Assembler or C coding languages. Hackers understand exactly what each line of code they create is doing. It is this precise understanding of coding that separates hackers from script kiddies.

        According to Whitman and Mattord, the modern hacker is male or female, between eighteen and sixty and works within the company. According to Tate Redding and my own research, Whitman and Mattord’s definition does not take into account that some hackers operate from the inside of the company and some operate from the outside. Most times in language we have a word for every particular variant, but in this case language has not caught up to the fact that there are two variants of hackers. In order to clear the air, I will use the terms “Inside Hackers,” “Outside Hackers” and “Script Kiddies” to distinguish between the three groups.

        Outside hackers operate from outside the company and are usually trying to fulfill a political agenda. They typically attack government sites and company sites that oppose or stand in the way of their political ideologies. Outside hackers are harmful, but not as harmful as inside hackers.

        Inside hackers are the most dangerous because it may take years before their actions are discovered. Many times inside hackers are disgruntled employees who believe they have been overlooked for promotions and see most of their co-workers rise in the ranks of the company above them. They have been with the company for so long that they usually are well trusted by management and have a great deal of experience, which provides them with clearances that allow them greater access to the company’s computer files. Inside hackers are the most dangerous because management believes that they are loyal employees; therefore, it may take years before their actions are discovered.

        Since the advent of Graphical User Interfaces, or GUIs, and the exponential growth of the Internet, computer hacking has become an incessant nuisance. Hacking is a devastating problem to individuals, businesses, organizations, and governments around the world, costing millions of dollars in damages, lost information, work stoppages, and lost productivity. Considering incarceration is a great loss of talent and a large economic burden, what other alternatives exist that would put hackers' talents to good use? Most hackers have been juveniles, which reduces the effectiveness of trying them in a court of law. How might this hitch be circumvented? In addition, because they are juveniles, the current method of punishing them with fines is ineffective; juveniles have no source of income. Is there another way of penalizing hackers? Publicizing hackers' apprehension elevates them to a position of stardom and infamy. Do we really need to hear all the news that is fit for print, or does printing this information glorify the antics of the hackers, thereby causing more juveniles to hack in order to get their names in the newspapers?

        The judicial penalties being served by hackers have been way too soft considering the amount of havoc they wreak. They should be dealt with in a completely different way than they are today. Hackers who have been apprehended have been served at most 6 year prison terms and have paid $250,000 in reparations. Computer users have lost millions of dollars in lost productivity, theft of intellectual property, physical damage, and investment in security schemes which have encompassed hardware, software and strategies in protecting themselves from hackers. Instead of trying hackers through the judicial system, agencies such as the NSA and FBI could be offering these people a silent ultimatum. They could be offered two choices: one alternative would be to drop the fines altogether and simply increase the time they serve. Fines have little effect because most hackers don't have a source of income. So who's going to pay the fines? The parents most likely will end up paying the fines when referring to the script kiddies.

        Mr. Edward H. Freeman proposes that government agencies on the federal and state level must continue to take strong actions to prevent the spread of computer viruses and to increase the penalties for such acts. Under the Computer Fraud and Abuse Law of 1984, the first such law of its kind, Mr. Freeman states that someone convicted of such a crime can be sentenced to 20 years and a fine up to $250,000. Since that time, several more laws have been passed with stiffer penalties, such as the Patriot Act. How about 50 years minimum in jail without computer privileges? By that time the technology would have changed so much they wouldn't be able to exploit computer systems. Current penalties on the books are harsh, but not as harsh as this. In the worst case scenario a hacker could be served 20 years of imprisonment. An alternative could be bringing them into the NSA and FBI, utilizing their highly skilled talents for the purpose of computer espionage and national security, with the stipulation that if the hacker ever leaks the information about the secret plea bargain they will end up serving their sentence in jail. This would put hackers’ talents to better use and would also save taxpayers money. Or would it? In addition, if one were to interview male teenagers, how many do you think know what the federal penalties are for hacking? Probably very few. If teenage boys don’t know what the penalties are, how is this going to act as a deterrent to prevent them from hacking?

        The script kiddies may be the easiest of the three groups to reprimand. Considering that they are juveniles, the court, instead of putting them into juvenile corrections, could be sentencing them to perform community service within the FBI or the NSA. Considering that they are juveniles they would have to be highly supervised anyway, so watching what they do should be less of a problem and they also could be easily monitored from another terminal. The federal government is desperately seeking computer security people and is currently offering incentives to draw such talent. The federal government is offering to pay a student’s college tuition each year a student attends a computer security program in exchange for one year of service in a civil service position. Considering the federal government’s need, sentencing the script kiddies to community service within the government may be a way of reducing some of the strain. This would also avoid the problem associated with a silent plea bargain.

        When sentencing the outside and inside hackers, a silent plea bargain poses the problem of violating a person’s fifth constitutional right. A person cannot be punished without due process of law. The silent plea bargain would also violate their sixth constitutional right, a right to a trial by a jury. "As long as the human spirit is alive, there will always be hackers," said Eric Corley, aka Emmanuel Goldstein, an editor at 2600: The Hacker Quarterly. "We may have a hell of a fight on our hands if we (hackers) continue to be imprisoned and victimized for exploring, but that will do anything but stop us. I'm the first to say that people who cause damage should be punished, but I really don't think prison should be considered for something like this unless the offender is a true risk to society." I agree that the punishment does not agree with the penalty. Also bear in mind the underlying mindset is that a computer is an inanimate thing; therefore, no matter what the damage, it will never be worth that of the loss of human life.

        On the other hand, what becomes a question in my mind is the usage of the word "exploring." Is this really exploring, or more of a form of "electronic peeping tom" or an “electronic voyeur” peering into other people’s computers to see what they can find? If a hacker does find something interesting, what will they do with that information, considering that the hacker isn't supposed to be there in the first place?

        Most computer-security experts have rejected Mr. Corley's reasoning. "Hacking is a felony — for good reason," said Charles C. Palmer of IBM, in Brian Hansen’s article with the CQ Weekly. "Some hackers think it's harmless if they don't do anything besides go in and look around. But if a stranger came to your house, looked through everything, touched several items, and left — after building a small, out-of-the-way door to be sure he could easily enter again — would you consider that harmless?" When considering hacking from Mr. Palmer's viewpoint, hackers sound rather creepy, don’t they? It could also be considered an electronic form of "breaking and entering." The only difference is that the tools used are now "high-tech."

        The other side of this argument is that apprehending the hackers assigns them a type of infamy and martyrdom, which could easily cause hackers to band together and wreak more havoc than has been done in the past. Sarah Gordon, a virus expert at IBM’s research center, was cited in Mr. Freeman’s article “Prosecution of Computer Virus Authors”; in her opinion, tougher legislation is not the solution and could do more harm than good. Ms. Gordon goes on to say, “Legal intervention shows no positive correlation with the number of viruses in the wild. Police intervention does not offer a significant deterrent, and the media should not vilify or deify these people.” Hackers have Hacker’s Clubs, among them the “2600,” which has readers and monthly meetings in locals similar to unions like “The Teamsters.” They also have software programs which allow them to connect to each other, creating one huge network and thereby pooling together their collective resources into, say, one huge supercomputer. This in itself has ominous implications that should be obvious.

        Attorney Jennifer Stisa Granick at the San Francisco-based Computer Security Institute’s 27th Annual Computer Security Conference and Exhibition argued that harsher sentences for hackers would not serve as a deterrent. “When people do the crime, they don’t think they’re going to get caught,” said the San Francisco–based lawyer in Dan Verton’s article, “Attorneys Debate Making Cybercrime Laws Tougher.” Considering the profile of the script kiddies, teenage boys may not even be aware of what the current laws are on hacking. The counter argument that is used by law enforcement is that ignorance of the law is no excuse for breaking the law.

        Now let us look at the arguments involved in recruiting hackers into the federal government. According to Ashby Jones of AM Law Tech, ‘Many former hackers have realized that they could cash in on their skills by teaching others how to insulate themselves from cybercrime. Many former hackers have become consultants to government agencies, banks, security firms, and law firms that are seeking to be hacker free.’ This is a far cry from directly recruiting hackers. Is this not the same as consulting reformed criminals to aid law enforcement in apprehending hackers? Looking at this from the opposing side, “Doesn't law enforcement understand that people, who break into other people’s computers, convicted or not, are breaking the law? I guess we’ll be hiring un-convicted bank robbers, rapists, and murderers as police detectives next. Certainly they know about crime and criminals,” said Peter Stephenson, in his article “It’s a Strange, Strange, Strange, Strange World.” Peter Stephenson is the Director of Technology, Global Security Practice, Netigy Corp, in Redwood City, California, but his comparison of hackers to bank robbers is fundamentally flawed, or is it?

        Hacking is a highly technical skill while the crimes Mr. Stephenson refers to are not. Many hackers do not hack into systems for individual gain; rather, they see hacking as an intellectual exercise or a game similar to taking a challenge of solving a complex mathematical problem. Hacking is how hackers flex their muscles. The glory is in a successful break-in. The hacker has proven to himself that he has the wit and resources to break in. Certainly it is a bit of a stretch comparing what other criminals do for personal gain to hacking. In addition, information systems experts that are in charge of security attend hackers' meetings, frequent hackers' web sites and conventions, and discuss hacking with hackers in order to improve their company’s security measures. Many hackers are quite open about hacking. Some subscribe to the philosophy, “I’m a nice guy even though I’m a hacker. I’m performing a service by indicating where your security leaks exist. Once I’m in, I could do something malicious, but I don’t because I’m one of the good guys.”

        On the other hand, recruiting hackers into the federal government could also be argued to be similar to putting the fox in charge of the hen house. As employees, could they really be trusted, especially in organizations such as the FBI and the NSA where everything is on a “need to know” basis? The answer is probably not. Therefore, there would be a need to use software programs that analyze and record their every keystroke and a high-level supervisor monitoring them at all times, watching for breaches in security. In the economic long run, we may be better off leaving hackers on the outside and utilizing their talents on a consulting basis as so many hackers have already done.

        Michael E. Whitman, author of “Principles of Information Security,” claims that deterrence is the best method for preventing illegal activity and that there must be three conditions present: “The first condition is the person desiring to commit the act must fear the penalty. Threats of informal reprimand or verbal warnings may not have the same impact as the threat of imprisonment or forfeiture of pay.” Only in a few rare cases, such as Kevin Mitnick, did the assailant receive a harsh penalty. Kevin’s sentence was sixty-eight months in jail and three years' probation; his access to computers and his employment in the computer industry were severely restricted; $4,125 in fines were paid; and Kevin had agreed that any profits he made on films or books that were based on his criminal activity would be assigned to the victims of his crimes for a period of seven years following his release from prison. Mr. Mitnick pleaded guilty to a grand total of 68 counts of intercepting wire communications, wire fraud and computer fraud according to United States Attorney Alejandro N. Mayorkas. Kevin Mitnick was given many warnings by various organizations, he was an adult, and was tried as an adult. Even so, Kevin was not given a maximum sentence.

        Mr. Whitman’s second condition is the assailant has to know that there is a strong possibility of being caught. Hackers are fully aware that this possibility does not exist unless they make mistakes in covering their electronic tracks. It takes a joint effort between government agencies and private businesses in the computer industry to trace hackers down and it’s not at all easy. Adding to the complexity of the problem, Internet Service Providers, or ISPs, are not necessarily forthcoming with IP address information on suspected culprits. They will go to great lengths in protecting the privacy of their clients. An ISP will not release the information without a court injunction, which may take months to get. By the time law enforcement officials do get the injunction, the hacker more than likely has moved on to another service provider. What also compounds the problem of tracing hackers is that many ISPs mail out free thirty-day trials to promote their services. A hacker can use this as a tool to his advantage by using the ISP account to do his dirty work, canceling the subscription, and moving on, compounding the problem of tracing.

        The third condition Mr. Whitman asserts is an individual must believe that the penalty is severe, that they will get caught, and that they will actually receive the penalty. The problem here is not that the penalties on the books are not severe enough, but that because most offenders are juveniles with no other convictions, judges assume that this one incident will cause the offender to think twice about their actions in the future. Therefore the judges assume just having to appear in court is enough to scare them, so they serve the hacker with a light sentence. Furthermore, because ISPs are usually the first ones to see the abuses, they usually give the hacker a warning. The hacker discontinues his contract with the ISP and moves on to another provider. Therefore, there can be numerous incidents that go on without being reported, which makes the job of apprehension even more difficult. Those who have been apprehended, once they have served their sentences, emerge back into public life and are sought after as computer consultants in the field of security, thereby handing them fame and fortune.

        In summary, neither of my proposed alternatives is a viable solution to the problem of dealing with hackers. The only realistic solution is an improvement in security. Improving computer security may require a consortium of the federal government working in conjunction with the private sector. Both would have to utilize the same software tools the hackers use to breach a system to determine where the security holes exist and effect repairs to their systems. In addition, top-level management, whether in the federal government or in the private sector, would have to champion the cause in order for security procedures, policies and physical fixes to have the net required effect of securing computer systems. After all, computer security isn't just hardware and software… it's people management too.


Works Cited

Corley, Eric. Editor. 2600: The Hacker Quarterly. 5 Sept. 2003. http://www.2600.com

Freeman, Edward H. “Prosecution of Computer Virus Authors.” Information Systems Security. Vol. 12, Issue 1. Mar/Apr 2003. p5, 5p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=9147465&db=aph

Hansen, Brian. "Early Hackers Wanted to Advance Technology, Not Diminish it." CQ Weekly. Vol. 60, Issue 26. 29 June, 2002. P1768, 2p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=6943653&db=aph

Jones, Ashby, "Hackers to the Rescue." Am Law Tech. Jun 2001. P10, 2p, 1c. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=6593324&db=aph

Parson, Lee. Interview with Eric Ortner. “I’m not the one they need to get.” NBC Today Show. NBC. 2 Sept. 2003. Msnbc.com. 2 Sept. 2003. 4 Sept. 2003. http://www.msnbc.com/news/960377.asp?0cv=CB10

Stephenson, Peter. "It's a Strange, Strange, Strange, Strange, Strange World." Information Systems Security. Vol. 9 Issue 5. Nov./Dec. 2000. P5, 6p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=3736365&db=aph

Verton, Dan. "Attorneys Debate Making Cybercrime Laws Tougher." Computerworld. Vol. 34, Issue 47. 20 Nov. 2000. p16, 1/3p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=3925229&db=aph


Works Consulted

2600: The Hacker Quarterly. 5 Sept. 2003. http://www.2600.com

Bakst, Brian. "Accused Web Attacker Under House Arrest." Washingtonpost.com. The Associated Press. 30 Aug. 2003. 4 Sept. 2003. http://www.washingtonpost.com/wp-dyn/articles/A3440-2003Aug30.html

Freeman, Edward H. “Prosecution of Computer Virus Authors.” Information Systems Security. Vol. 12, Issue 1. Mar/Apr 2003. p5, 5p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=9147465&db=aph

Hansen, Brian. "Early Hackers Wanted to Advance Technology, Not Diminish it." CQ Weekly. Vol. 60, Issue 26. 29 June, 2002. P1768, 2p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=6943653&db=aph

Hulme, George V. "Antiterrorism Law Targets Hacker Around the World." InformationWeek. Issue 866. 3 Dec. 2001. p22, 1/2p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=5616621&db=aph

Jones, Ashby, "Hackers to the Rescue." Am Law Tech. Jun 2001. P10, 2p, 1c. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=6593324&db=aph

Mayorkas, Alejandro N., and Thom Mrozek. "Kevin Mitnick Sentenced to Nearly Four Years in Prison; Computer Hacker Ordered to Pay Restitution to Victim Companies Whose Systems Were Compromised." U.S. Department of Justice, United States Attorney's Office, Central District of California. 9 Aug. 1999. 4 Sept. 2003. http://usdoj.gov/criminal/cybercrime/mitnick.htm

Parson, Lee. Interview with Eric Ortner. “I’m not the one they need to get.” NBC Today Show. NBC. 2 Sept. 2003. Msnbc.com. 2 Sept. 2003. 4 Sept. 2003. http://www.msnbc.com/news/960377.asp?0cv=CB10

Stephenson, Peter. "It's a Strange, Strange, Strange, Strange, Strange World." Information Systems Security. Vol. 9 Issue 5. Nov./Dec. 2000. P5, 6p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=3736365&db=aph

Verton, Dan. "Attorneys Debate Making Cybercrime Laws Tougher." Computerworld. Vol. 34, Issue 47. 20 Nov. 2000. p16, 1/3p. Academic Search Premier. EBSCO. UMBC Albin O. Kuhn Lib. 16 Sept. 2003. http://search.epnet.com/direct.asp?an=3925229&db=aph


The Integral Worm • Christopher Paul • Independent Senior Technical Writer/Editor
