The Silicon Jungle by David H. Rothman

3. Guarding your electronic files


Sometimes, alas, the easiest-to-use computers may be the ones most vulnerable to computer crime and loss of important information—the subjects of the next chapter.

Backups:

◼ IX, Window Shopping, page 343.
◼ X, Of Mice and Men—and Touch Pads, Touch Screens Etc., page 346.

10 ❑ Jewels that Blip

The words have a nasty metallic ring, as if to suggest helmeted policemen with black jackets and billy clubs. Watch out: the “data security” troopers are at the front door.

But a small business on the East Coast nowadays wishes it had enjoyed more “data security.” A fire melted its computer disks into plastic globs. The firm just missed bankruptcy after losing several hundred thousand dollars’ worth of information—everything from accounts receivable to tax records. Scrambling to recover, salesmen leaned on customers for copies of old bills.

Arson? Maybe. A disgruntled worker _may_ have short-circuited some tangled wiring. Proof never came. Either way, however, the incident was a powerful argument for “data security”—the right kind. It’s nothing more than trying to make sure that your computer and its information are safe.

This isn’t to advocate overkill. Don’t overprotect nonsecrets or facts that you can easily duplicate; for instance, instead of buying costly fireproof cabinets, you might simply keep backup disks at another location—perhaps a more secure approach, anyway.

Why, however, do I say “trying” to make your computer and its information “safe”? An ex-hacker, Ian (“Captain Zap”) Murphy, now a computer security consultant, wisely observes: “You’re safe from average crooks—they don’t envision a nice, mild-mannered human being working at anything more than a souped-up typewriter. But you can never, never be able to 100 percent secure a computer system. Even the most trusted user could say, ‘F— the damn payroll,’ and destroy your records.”

But in the best of all worlds, your electronic files are safe, accurate, and if need be, tamperproof and confidential.
The equipment is sound. And so are you and others working with it. You’ve shown good judgment. You’re ideally safe not only from crooks but also your own blunders.

You know you often can’t keep paper copies of all your electronic jewels, your treasured business files, at least not without giving up the conveniences of computerization. You have faith, then, that your green screen, at your command, will display the right blips.

I’m stretching the meaning of the word “blips” to emphasize the transitory nature of what you see on the screen. Without your stashing it away on a disk or otherwise—and without your making an electronic backup—it may be lost forever.

The unlucky owner of the East Coast company will never see his blips again because he violated a major precept of data security. He stored his original disks and his copies in the same room—the one with the fire.

“The remark at all times in cases like this is ‘Why didn’t the dealer tell me?’” says Harold Joseph Highland, a top computer crime consultant and author of _Protect Your Microcomputer System_ (John Wiley & Sons, 1984).

A store can only sell you a computer, not common sense. Nor can this chapter impart it to you. It can, however, pound away at the elements of data security—people, policies, hardware, and software. They go together, these four. And so do the criminal and noncriminal parts of data security.

If you’ve lost control of your computer files and don’t know what’s normal, you’ll hardly notice the abnormal. You’ll never thwart a computerized embezzler, for instance, with a gun. You will with good software. Buy it and errors in your electronic files may leap out at you. May.

Remember Canyes’s Law of Computing: “Sooner or later you’ll feel like killing yourself.”

In other places I’ve written about good software and other mundane ways to make yourself less suicidal. And here, too, you’ll read of everyday calamities like coffee spilled on floppy disks.
But this is also the fun chapter, the one with the stories about errant whiz kids and a computer crook who supposedly stole $8 million and got away with it. Each of their sins met Harold Joseph Highland’s definition of a computer-related crime. They were “committed using a computer as a tool.”

“In other words,” explains Highland, who has taught computer science at the State University of New York, “you use the computer to get to financial records. Or to get to software if you’re illegally copying software.”

Estimates of the size of the threat have ranged from the double-digit millions up to over $5 billion a year. This uncertainty has sparked a feud between the icebergers and some computer makers. Highland is an iceberger. He says that reported computer-related crimes are “just the tip of the iceberg,” that the annual loot is at least $750 million and more likely reaches the billions. Another expert wrote a crime article livened up with a drawing of the _Titanic_.

Meanwhile, the Computer and Business Equipment Manufacturers Association pooh-poohs all but the more conservative estimates. “Computer crime is not now, never has been, and never will be out of control,” an association official once said, “unless security is completely ignored. And that is not going to happen.”

“If that’s your opinion, sir,” counters Captain Zap, the computer felon now working as a security consultant, “why are fourteen-year-olds getting on defense networks? And what about adult criminals doing their thing on banks?”

Also, how about computer crimes against small business?

“No one’s going to find out why Joe Blow goes out of business,” says Ken Churbuck, a New Hampshire lawyer and former computer engineer, who believes that electronic crime may be the downfall of many more small businessmen than supposed. “You think Joe Blow can afford an investigation?
You think anyone else wants to autopsy the corpse?”

Large business or small, however, don’t swear off computers and buy quill pens for your accountants. You may or may not get robbed electronically, but you’ll very possibly lose money if you cheat yourself of the benefits of computerization.

Although computer crooks may be difficult quarry at times, at least you can console yourself that they’re normally _not_ geniuses. Consider a story from Highland. The law caught up with one crook—presumably more knowledgeable about computers than banks—after he asked a teller to cash seven identically dated checks made out to him. The embezzler had simply learned how to take advantage of a feature in the check-printing program. It allowed checks to be reprinted in the event of mistakes; only his stupidity offset this programming error.

“You don’t have to be knowledgeable,” Highland says. “You can be an absolute idiot and try a computer-related crime.”

Some of the victims, alas, show their own streaks of naïveté. One small business lost thousands of dollars to a bookkeeper who funneled it to relatives’ firms via phony invoices. Such crimes happen with or without computers. But the company begged for trouble here by retaining an accountant old-fashioned enough to have felt at home alongside Scrooge and Cratchit. Computers baffled him but not the embezzler, who knew of this vulnerability.

Executives at big corporations needn’t be smug about such grass-roots examples. Many large companies, for instance, have reduced _the crooks’_ risks in computerized crime by auditing samples instead of everything—pulling one hundred checks, perhaps, out of a batch of four thousand. The young man trying to cash his seven duplicates worked for a large West Coast firm given to quick and dirty sampling; just tote up the odds of catching him through an audit if he’d been smart enough to go to different banks. Ideally, at least, your system should flag quirks like the seven checks.
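
The odds mentioned above can be toted up, and the flag can be sketched, in a few lines. This is an added example, not code from the book: it computes the chance that a sample of one hundred checks out of four thousand holds any of the seven duplicates, and scans a whole register for a payee with several checks on one date. The register rows, payee names and the threshold of two are constructed, and the odds assume the auditor recognizes a bad check once it is in the sample.

```python
from collections import defaultdict
from fractions import Fraction
from math import comb


def sample_hit_probability(population, sample, bad, at_least=1):
    """Probability that a random audit sample, drawn without replacement,
    contains `at_least` or more of the `bad` items (hypergeometric)."""
    total = comb(population, sample)
    fewer = sum(
        comb(bad, k) * comb(population - bad, sample - k)
        for k in range(at_least)
    )
    return 1 - Fraction(fewer, total)


def flag_repeated_checks(register, threshold=2):
    """Scan every check, not a sample, and return the payee/date pairs
    that received `threshold` or more checks."""
    groups = defaultdict(list)
    for check_no, payee, date, _amount_cents in register:
        # Normalise the payee so "t. clerk" and "T. Clerk " group together.
        groups[(" ".join(payee.upper().split()), date)].append(check_no)
    return {key: nums for key, nums in groups.items() if len(nums) >= threshold}


# Constructed check register: (check number, payee, date, amount in cents).
REGISTER = [
    (1001, "A. Baker", "1984-03-02", 41250),
    (1002, "C. Dunn", "1984-03-02", 38900),
    (1003, "A. Baker", "1984-03-16", 41250),
] + [(2001 + i, "T. Clerk", "1984-03-09", 52000) for i in range(7)]


if __name__ == "__main__":
    one = sample_hit_probability(4000, 100, 7)
    two = sample_hit_probability(4000, 100, 7, at_least=2)
    print(f"sample holds at least one of the seven: {float(one):.1%}")
    print(f"sample holds two or more of the seven:  {float(two):.1%}")
    for (payee, date), nums in flag_repeated_checks(REGISTER).items():
        print(f"{payee} {date}: {len(nums)} checks {nums}")
```

The sample audit sees even one of the seven checks only about one time in six, and sees two of them together (what it would take to notice the duplication) about one time in eighty; the full scan flags all seven every time.
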
You can also complicate life for computer crooks by studying classic cases of the past. Mostly the criminals sinned with or against large computers. And yet eternal truths linger on even in the micro-mini age.

In fact, some mainframe cases may mean even more to the desktop crowd today, with so many small computers hooked up as terminals on large systems. You might also say giant machines are acquiring plenty of pygmy siblings—joined Siamese style with them at the brains. And the big and small machines aren’t just wired together by phone or otherwise. Increasingly, mainframes are sending electronic copies to micros outside data-processing departments. What’s more, in power and capabilities, the pygmies are matching some big IBMs and Univacs of yore.

So whether you’re using a $1,000 Apple or a $100,000 mini, you’ll come out ahead knowing about the Golden Oldies of computer crime. Computer consultants, especially Donn Parker, a prominent expert with the SRI think tank in Menlo Park, California, have labeled various offenses.[50]

Footnote 50: The categories of computer-crime offenses, together with many examples, come from Donn Parker’s _Computer Security Management_, published in 1981 by Reston Publishing Company, Reston, Virginia. Another book for more information is Parker’s _Fighting Computer Crime_, published in 1983 by Charles Scribner’s Sons, New York, N.Y.

Data Diddling

When a time-keeping clerk hoodwinked a railroad, he committed the most tried-and-tested computer crime: =data diddling=. That’s just jargon for fiddling with data before or during entry into the machine.

The culprit’s duties included filling out time forms for three hundred employees, and he learned that someone had shown a fit of absentmindedness in setting up a computer system storing pay and hour records. The railroad put workers’ names as well as their identification numbers into the computer. But the machine used only the numbers to track down names and addresses to print on checks.
Manually processing the forms, however, humans normally ignored the computer numbers. They actually had the gall to think of the workers just by their names.

Wheels turned in the clerk’s head. Why not sneak in overtime pay by using other people’s names on the paper forms but _his_ own number for the myopic computer? And so his income increased by several thousand dollars each year.[51]

Footnote 51: The example of the railroad clerk is from a report Parker coauthored for the Justice Department, “Computer Crime: Criminal Justice Resource Manual.”

The clerk’s end came only when an auditor by chance looked over W-2 forms and asked why the railroad had been so generous toward the man. Confronted, the clerk confessed.

There’s a moral here: if you have a timekeeping and payroll system, don’t rely on ID numbers alone. Attach to them the first few letters of workers’ names. Also, include a cross-comparison of names and numbers in your auditing procedure.

Today scattered terminals—or micros or minis used as them—make data diddling as tempting as ever. A police officer in an eastern city told me criminals had walked into the offices of used-car lots, sneaked in a few minutes on terminals there, and altered financial records in a credit bureau’s computer. Forget about the mystique of computer crime. People have been diddling credit bureau files for years by changing or deleting paper records. Machines and lack of paper records in some cases just make their work easier and faster.

The Trojan Horse

A comely woman at a New England firm was the victim of what might loosely be called a computerized sex crime. “She would be doing her electronic paperwork,” Tracy Kidder said in _Soul of a New Machine_, “when suddenly everything would go haywire, all her labor would be spoiled, and on the screen of her cathode-ray tube would appear cold, lascivious suggestions.” Someone had electronically wheeled in a =Trojan horse=—hidden unauthorized instructions in the computer’s program.
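
Going back to the moral of the railroad case in the Data Diddling section, the two controls it recommends can be sketched as follows. This is an added example, not code from the book or from Parker's report; the roster, the time forms and the three-letter name tag are constructed assumptions.

```python
from collections import defaultdict

TAG_LEN = 3  # assumption: letters of the surname keyed in alongside the ID

# Constructed master roster: ID number -> surname on file.
ROSTER = {1041: "Alvarez", 1042: "Brennan", 1043: "Cole", 1077: "Dorsey"}

# Constructed time forms as keyed: (ID, surname on the form, overtime hours).
TIME_FORMS = [
    (1041, "Alvarez", 4.0),
    (1077, "Brennan", 6.0),  # Brennan's name over Dorsey's number
    (1043, "Cole", 2.5),
    (1077, "Cole", 5.0),     # Cole's name over Dorsey's number
    (1077, "Dorsey", 3.0),
    (1099, "Evans", 1.0),    # number that is not on the roster
]


def name_tag(surname):
    """First TAG_LEN letters of the surname, upper-cased, letters only."""
    letters = [c for c in surname.upper() if c.isalpha()]
    return "".join(letters[:TAG_LEN])


def check_entry(emp_id, surname, roster):
    """Entry-time control: return None if the ID and the name tag agree with
    the roster, otherwise a short reason the form should be held."""
    if emp_id not in roster:
        return "unknown ID"
    if name_tag(surname) != name_tag(roster[emp_id]):
        return f"name tag {name_tag(surname)} does not match ID {emp_id}"
    return None


def audit_time_forms(forms, roster):
    """Audit-time control: cross-compare names and numbers over a batch.

    Returns (held, names_per_id, hours_held_per_id); names_per_id lists only
    the IDs that were keyed under more than one name tag."""
    held, tags, hours = [], defaultdict(set), defaultdict(float)
    for emp_id, surname, ot_hours in forms:
        tags[emp_id].add(name_tag(surname))
        reason = check_entry(emp_id, surname, roster)
        if reason:
            held.append((emp_id, surname, reason))
            hours[emp_id] += ot_hours
    multi = {i: sorted(t) for i, t in tags.items() if len(t) > 1}
    return held, multi, dict(hours)


if __name__ == "__main__":
    held, multi, hours = audit_time_forms(TIME_FORMS, ROSTER)
    for emp_id, surname, reason in held:
        print(f"HOLD  id={emp_id} name={surname}: {reason}")
    for emp_id, names in multi.items():
        print(f"AUDIT id={emp_id} keyed under {names}, {hours[emp_id]} h held")
```

A three-letter tag will not separate two workers whose surnames start alike, which is why the batch cross-comparison runs as well.
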
The “sex crime” kept up daily for several weeks, leading an executive to observe that the villain must have “the mentality of an assassin.” It was unfair. Young computer whizzes at the company played horse pranks on each other all the time. But this victim couldn’t strike back.

Gallantly, the woman’s bosses set electronic traps to learn from which terminal the masher was mashing. The villain, though, was too nimble. “At one time,” said Kidder, “he made his escape by bringing to an abrupt halt the entire system on which most of the engineer departments relied.”

Finally, one of the woman’s protectors chatted casually with a suspect about the computer’s wondrous vulnerabilities to pranks. The obscenities and glitches stopped.

This Trojan horse was just a prankster’s, but the company may have squandered thousands of dollars in human and computer time to kill it off. Consider, too, the company—Data General, the mini maker that Kidder admired. Imagine a serious saboteur wheeling his horse into the computer of a company without the same knowhow.

It happens. Donn Parker says Trojan horse tricks are “the most common method in computer-based frauds and sabotage.” A horse, in fact, may have shown up in the first federally prosecuted computer crime in Minneapolis in the 1960s. A programmer told an IBM 1404 to drop an unflattering series of bytes about his personal checking account—overdrawn.

Trojan horses are more of a mainframe and mini problem than a micro one. Normally, professional programmers don’t run desktop computers. But as computer literacy spreads, this might not matter so much, and besides, unsecured micros make such easy nuts to crack. “They’re peanuts,” Highland says, “not butternuts.”

Most micro systems today lack electronic console logs—requiring operator ID numbers—that some bigger computers have to tell who did what on the machines. In other words, there’s no =audit trail=.
John Lewis, an FBI agent teaching a course on computer crime, told me, “I can write a perfectly error-free payroll program on a micro, load it in from a disk, and run it. But I modify one or two lines in there, saying, ‘When you find John Lewis’s name, add $1,000 to net pay.’”

You can even have the program zap the evidence immediately after the crime. Significantly, too, you can reprogram a micro in a fraction of the time you’d need on a mainframe. And in the future the micros, while retaining their ease of programming, will develop more electronic nooks and crannies in which to hide horses.

And what about the micros already hooked in at times with the big computers or using down-loaded data from them? If a saboteur or con man is giving fits to the giant machines, then the pygmy machines may suffer along.

The Salami Trick

You just can’t make sense of your savings account statement. No matter what you do, it’s a nickel off. You don’t, however, pursue the matter—not over five cents. All over your city your fellow depositors are thinking similarly.

A computer crook, meanwhile, is growing rich. The nickels, dimes, whatever, add up. He works at the bank and has programmed its computer to round interest downward, for instance, rather than upward. The sliced-off money goes into a dummy account. From hundreds of cheated customers, maybe thousands, he’s amassing enough over the years for a new Buick. He may even have told the computer to steal prudently and not clip anyone more than twice a year.

It’s the old salami trick, an MO of countless embezzlers inside and outside the computer world—ranging from pudgy, fat-bottomed drones to glamour figures in Hollywood and on Wall Street.

An amusing salami tale comes from Thomas Whiteside’s brilliant _New Yorker_ series on computerized crime. The name “Zwanda” did the crook in.
Programming for a mail-order sales company, he rounded down sales-commission accounts and diverted the loot to a dummy account for a “Zwanda.” The “Z” name made sense. The computer worked alphabetically, and he could more easily guide the money to the end account.

“The system,” Whiteside says, “worked perfectly for three years, and then it failed—not because of a logical error on the culprit’s part but because the company, as a public-relations exercise, decided to single out the holders of the first and last sales-commission accounts on its alphabetical list for ceremonial treatment.

“Thus, Zwanda was unmasked, and his creator fired.”

Could Zwandas show up in your company’s microcomputer—not just mainframes? Perhaps. It’s no less likely than the micro case mentioned earlier in which the bookkeeper was paying bogus bills from his relatives’ firms. Of course, in the case of a micro, the trouble probably will be not in the way the program is written but in how it’s set. Most micros, after all, use off-the-shelf software.

Superzapping

It’s named after the “superzap” program used on some large IBM computers. “Superzap” is known among the pros as a break-glass program, the kind you use in emergencies to change or divulge the computer’s contents. It can bypass all security controls.

You can also think of =superzapping= another way. The computer is a high-rise building, and this program is a master key to all the apartments or offices inside. Pity the building manager if a thief can counterfeit the key.

Donn Parker, the source of those comparisons, says a New Jersey bank lost $128,000 to superzaps. The crook was none other than the bank’s manager of computer operations. He first superzapped legitimately to change errors in accounts as his superiors asked. The main program wasn’t working—hence, the superzapping.
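
Going back to the salami trick described before the Superzapping section: one control that catches it is to recompute each account's interest independently of the posting program and compare the result with what was posted. This is an added example, not code from the book; the rate, the quarterly schedule, the half-up rounding rule and the ledger rows are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.0525")  # constructed rate
PERIODS_PER_YEAR = 4             # constructed: interest posted quarterly

# Constructed ledger for one posting run: account -> (balance, interest posted).
LEDGER = {
    "10-001": (Decimal("1234.56"), Decimal("16.20")),
    "10-002": (Decimal("800.00"), Decimal("10.50")),
    "10-003": (Decimal("2500.50"), Decimal("32.81")),
    "10-004": (Decimal("977.40"), Decimal("12.82")),
    "10-005": (Decimal("4310.00"), Decimal("56.56")),
    "99-999": (Decimal("0.00"), Decimal("0.03")),
}


def expected_interest(balance):
    """Interest under the published rule (assumed: nearest cent, half up)."""
    raw = balance * ANNUAL_RATE / PERIODS_PER_YEAR
    return raw.quantize(CENT, rounding=ROUND_HALF_UP)


def reconcile(ledger):
    """Recompute every account independently of the posting program.

    Returns the accounts paid less than the rule gives ('short'), the
    accounts paid more ('over'), and total posted minus total expected
    ('total_gap')."""
    short, over = {}, {}
    total_posted = total_expected = Decimal("0")
    for account, (balance, posted) in sorted(ledger.items()):
        due = expected_interest(balance)
        total_posted += posted
        total_expected += due
        if posted < due:
            short[account] = due - posted
        elif posted > due:
            over[account] = posted - due
    return {
        "short": short,
        "over": over,
        "total_gap": total_posted - total_expected,
    }


if __name__ == "__main__":
    result = reconcile(LEDGER)
    print("total posted minus total expected:", result["total_gap"])
    for account, cents in result["short"].items():
        print(f"SHORT {account}: {cents}")
    for account, cents in result["over"].items():
        print(f"OVER  {account}: {cents}")
```

In the constructed ledger the totals agree to the cent, so a control-total check alone would pass; only the per-account recomputation shows three accounts a cent short and one account three cents over.
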
The bank was upgrading its computer system, the glitches kept piling up, and the operations manager zapped again and again, discovering the joys of ignoring the normal controls. The usual electronic logs and journals just didn’t show his actions. So, he decided, why not zap away the barriers to shifting the money to the accounts of three friends?

The bank learned of the crime only after a customer saw that his own money wasn’t adding up right.

Superzaps like this, of course, are simply special breeds of Trojan horses, just as the salami tricks _can_ be. Like the horses, the zaps aren’t so much a micro crime now. They’re more of a mini and mainframe one, but watch out for the future when garden-variety crooks are more learned and micros are more like the bigger computers.

The Trap-Door Trick

A =trap door=—or =back door=—normally is just a shortcut into the program, bypassing the normal security systems, meant as a debugging aid. Once the writers have a program up and running, they should get rid of the door. Large programs are so complicated that programmers sometimes leave the doors in as an emergency way for them to get back in if the main passwords are lost or the computer “hangs up.”

David Lightman, the teenage hacker in the movie _WarGames_, used the trap-door ploy to penetrate a Defense Department computer and almost caused a nuclear Armageddon.

In a real-life example mentioned by Parker, some automobile engineers in Detroit called up a computer service bureau in Florida, found a trap door, and could “search uninhibitedly” for privileged passwords. “They discovered the password of the president of the time-sharing company and were able to obtain copies of trade-secret computer programs that they proceeded to use free of charge.”

The electronic thievery didn’t stop until the company found out accidentally. And it never learned how many other crooks were rummaging around inside the computer.
Once again, this form of crime isn’t so much a worry for the desktop set as for those using bigger machines. At least for now.

The Logic Bomb

Heard the old joke about the Washington speech writer at odds with his boss? It’s a favorite story among journalists and other wordsmiths. The aide was tired of drudge work for a dumb, lazy but electable congressman who didn’t even read the immortal prose ahead of time.

One day the politician, a square-jawed, movie-actorish man, was mellifluously speaking on the House floor. As usual, he was fresh to the material. But his rendition overwhelmed everyone, from the pols to the pages, to the tourists in the galleries. He _knew_ he was on his way to the White House.

With actorlike polish he intonated through the third page, including the last sentence:

“And now, let the words ring out, loud and clear, to all corners of the earth—to our friends, to our foes, across every ocean, every mountain. You purblind piece of excrement, I quit, and you’re on your own.”

The fourth page, of course, was blank.

Malicious programmers must nod and wink when they hear the story. For the speech writer had just the right kind of temperament to hide a =logic bomb=—a computer glitch that explodes, so to speak, only under certain conditions.

The conditions in the Washington joke were clear. The congressman mustn’t read the speech to himself beforehand—something inevitable. He was dependably lazy. Nor must he understand the speech; no problem, certainly, for he was dumb about everything all the time. Above all, however, if this bomb were to “kill,” he must be embarrassable. And that’s why the bomb in a sense just maimed him—because, like most politicians, he never blushed.

In a real-life story told by Parker, a payroll programmer hid a bomb to erase the entire personnel file if he ever got fired—that is, if his own name ever vanished from it.

Simulation and Modeling

A crooked accountant embezzled a million dollars using =simulation=.
On his own computer he set up a mock version of the victim company’s accounting and general ledger. Then he could figure out how his thefts would show up on the company’s electronic books—and how to cover up the crime.

Scavenging

A Texan ripped off oil companies through computerized =scavenging=. He used a computer time-sharing service bureau, the same one as the oil companies. This thief read scratch tapes—temporary storage tapes without the safeguards protecting the main ones—by phone off the service’s computer. He was stealing secret seismic information to sell to the oilmen’s competitors.

Finally, however, the service bureau caught on. A worker there had grown curious. Why did a red “read” light glow at bizarre times? How come the customer was prowling through the tapes before entering his own data? Parker says a “simple investigation” ended the electronic scam.

Scavenging can be physical, too—nothing more complicated than rummaging through old trash barrels for printouts.

Data Leakage

“Hidden in the central processors of many computers used in the Vietnam War,” Parker says, “were miniature radio transmitters capable of broadcasting the contents of the computers to a remote receiver.

“They were discovered when the computers were returned to the United States from Vietnam.”

It was a =data-leakage= problem—defined by Parker and other pros as the removal of data or copies of it from a computer or a computer center. Culprits can even smuggle out secrets by hiding them in apparently routine reports. “Data leakage,” he says, “might be conducted through use of Trojan horse, logic bomb, and scavenging methods.”

You don’t have to be in the Vietcong or KGB, of course, to spy on a computer by radio. Today a smart snoop can walk casually into your computer area and leave behind a miniature transmitter—perhaps hooked up to the maze of wires that snake under the floor of many modern offices.
“I could then find out everything that you were sending for a year,” says Harold Joseph Highland, “which is the life of the unit I could transmit with. I could buy it for 9.50 from any of the large supply houses. There’s one more expensive that will transmit up to five miles away. With the forty-buck one I can park across from the building and keep a tape recorder going.”

Wiretapping

Some say it’s rare in the computer world. The thinking goes, There are easier ways to steal. Why tap when so often you can just call up your victim’s computer and be greeted with a friendly electronic whine?

But don’t count on wiretapping not existing. Your local radio store carries cheap equipment usable for tappers. And electronic banking and new computer services will grow, making wiretapping more tempting.

A security consultant, J. Michael Nye, opened an unlocked closet of the second floor of an office building in Hagerstown, Maryland, and pointed to the telephone wires inside. “See these?” he asked me. “They’re hooked up to a bank’s computer. If you wanted to change the amount of money in a deposit, you could attach a portable computer and no one might be the wiser.”

The wiretapping threat may increase because of the break-up of the Bell system—as more and more repair people parade in and out of wire closets. You might be able to get around the threat, or at least reduce it, by electronically scrambling the messages you transmit over the phone wires. For the moment, don’t let fear of wiretapping obsess you unless, say, you’re routinely transferring millions of dollars via computer.

Piggybacking and Impersonation

It’s bone cold outside, the stranger looks harmless, and you let him in as you unlock the doors of your apartment building one night. The next day all the old ladies in the lobby are talking about a burglary. You fret. Rightly. You may have let a criminal succeed in =piggybacking= his way behind you into the building.
It’s happening, too, in computer rooms, which crooks use similar tricks to enter. That’s physical piggybacking.

The electronic kind, rare, can happen this way. You punch in a password or key on your terminal and hook up with the computer, unaware that the piggybacker has a hidden terminal connected to the same phone line. Perhaps you haven’t signed off properly. The computer keeps the connection going, and the piggybacker “rides” on.

=Impersonation= is what it sounds like, and it can be physical or electronic. Leslie D. Ball, a Massachusetts consultant and college professor, once illustrated computers’ vulnerabilities to such tricks. “Why is it more difficult to rob a bank of $2,500 than to steal millions from its computer?” he asked, and quickly answered the question.[52]

Footnote 52: All the Ball quotes and paraphrases in this chapter are from _Technology Review_.

“During a security consulting project at an Atlantic City hotel,” Ball said, “I spent the evening with an associate in the casino. At about eleven p.m. we headed for our rooms, but the elevator stopped where the computer center was located, and we decided to look around. The door marked ‘Computer Center—No Admittance’ was locked but had a bell beside it. A computer operator opened the door when we rang, letting us in without a word. For the next ten minutes we wandered through the center without speaking to the operators on duty.”

In effect, by acting as if they belonged in the room, Ball and the associate were impersonating authorized people.

“Finally,” he recalled, “we said, ‘Thank you’ and left. They were lucky we were not disgruntled heavy losers!”

A real impersonator, an ex-college professor named Stanley Mark Rifkin, passed himself off as a bank branch manager to steal $10.2 million. He bought diamonds in Switzerland. The law caught up with him only because, like many bright, cocky computer crooks, he bragged. That wasn’t all.
“While awaiting trial,” Ball says, “he attempted a fifty-million-dollar transaction from another bank. When apprehended, Rifkin told a reporter that he thought he finally had all the bugs worked out.”

Rifkin was just another example of an ordinary man using legally acquired skills to commit an illegal act. However smart, and despite his background as a computer science professor-consultant, he was hardly a _genius_.

“Master criminal?” asked H. Michael Snell, a publisher who’d dealt with him.[53] “I could sooner imagine a smoking gun in the hands of Winnie the Pooh. In fact, Stan resembled Pooh Bear: short, stocky, paunchy from too much good food and wine, a deeply receding hairline above an intelligent, sloping forehead. Quiet, unassuming, not the kind of guy who’d stand out at a cocktail party.”

Rifkin was good at puzzles, at problem solving, but as Snell and others agree, that’s true of all talented programmers. You could say the same, too, of first-rate accountants and engineers. Rifkin’s case made me think of Hannah Arendt’s phrase about Adolf Eichmann, applied not to the Nazis but to garden-variety crooks within the computer field: “the banality of evil.”

Footnote 53: The H. Michael Snell quotes are from an article he published in _Computerworld_.

Rifkin’s take happened to be larger than most. But his mind-set was the same. Snell said, “He shared the dreams of many academics who feel blocked from great success and wealth, and he loved ‘get-rich-quick’ stories, such as a friend who struck gold in California real estate or the Silicon Valley’s overnight millionaires.”

Greed, however, isn’t the only motive.

“People who like computers are games people,” John Lewis, the FBI agent, told me, “and they like challenges. It’s ‘me against the machine.’ You give them a computer and say you can do anything but that, and that’s the first thing they’re going to do.
You go back to the Book of Genesis in the Bible where God said, ‘You can do anything in the Garden of Eden but eat from that tree,’ and what’s the first thing people did?”

We were in a windowless, fluorescent-lit room at the FBI Academy in Quantico, Virginia, where Lewis lectured on computer crime. He looked at a fellow instructor, a tall, alert man who started out in the bureau not as an agent but as a programmer.

“I’ve seen Ken get ahold of material. Like this one program that said it couldn’t be copied. Now he didn’t care what the program did. The first thing he did was copy it. Because they said he couldn’t do it. And he did it.”

I thought of John and Ken three weeks later when I picked up a copy of _Technology Illustrated_ magazine. A stranger in Quantico, Virginia, it seemed, was dialing up the electronic bulletin boards on which computer pranksters sometimes left messages. The bulletin boards were a form of electronic mail. Callers could write out their thoughts for friends or anyone checking up on the highest-numbered entries. The mysterious computer dialer from Quantico, however, would just read, never send.

Aware of the FBI Academy’s location, one of the pranksters posted a friendly suggestion on a board. He invited the Quantico caller to subscribe to the TAP newsletter—said to be “to phone phreaks what the _Wall Street Journal_ is to stockbrokers.”

TAP stands for a group named the Technology Assistance Program, a successor to Youth International Party Line (YIPL), whose own radical pedigree goes back to Abbie Hoffman’s Yippies. “Al Bell” and Hoffman started YIPL. It was a high-tech display of Hoffman’s _Steal This Book_ philosophy, there being, however, a serious problem, one shared by society at large. The technocrats usurped the politicians.
They were, reportedly, “more interested in blue boxing Ma Bell than in pushing politics.” Cheshire Catalyst, who was editing the TAP newsletter when I talked to him, said, “You don’t have to be a phone phreak to read us—but it helps.”

Lindsay L. Baird, Jr., a tough, no-nonsense consultant with famous corporate clients, told me TAP was a serious threat. “They’re now using micro systems to test the 800 numbers methodically to see which ones have computers on them,” he said of some TAP people. The corporate computers whine their strange mating call no matter who dials up, saying electronically, “I am here, I am a computer, I am ready.” You might say they’re like an unlocked, unattended BMW left with the motor running in New York City. And Baird claimed, rightly or not, that TAP has some political zealots mixed in with the technocrats and that they could indulge in large-scale computer zapping over the next few years.

The TAPpers’ side was this: they illegally logged on to networks like Telenet and the feds’ because they couldn’t stand seeing expensive computer time go unused. “Nobody wants to pool it as a computer utility and make it available to everyone because it would probably not make a profit,” groused “A. Ben Dump” in the newsletter.

Cheshire portrayed TAP to _High Technology_ as basically just pranksters, at least in his case. “Good grief!” Cheshire once ghost-wired to a Telex machine; “I seem to have reached Adelaide, Australia. This is just a computer hacker in the United States out for a good time.”

The TAPpers said they were against the Bell bureaucracy, not America at large, and, in fact, censored an article submitted to their newsletter telling how to build an H-bomb. “Among other things,” Cheshire worried, “anyone using that technology is going to take out the phone network.”

I still wondered. Would TAP have printed the article if a way existed to H-bomb the countryside without toppling any microwave towers?
■ ■ ■

Hacking: An Addiction to Be “Squelched”?

With _WarGames_-style break-ins in mind, someone once called hacking an addiction to be squelched. That’s wrong. Hacking is more an addiction to be tamed. The term “hacker,” perhaps born at M.I.T., just means someone who hacks away at computer problems until he solves them. Many hackers for some reason or another love Chinese food. Sooner or later a computer-crime expert will link computer addiction to ODing on monosodium glutamate. Cheshire Catalyst is a prototypical hacker in many ways. He’s a thin, bearded man in his twenties, extrapolite, who, when I saw him, was in Washington for an aeronautics and space gathering and wore a Space Shuttle tie and an Apple pin. His nickname indeed came from the grinning, vanishing cat in _Alice’s Adventures in Wonderland_. Proudly he told me how his clock ran counterclockwise. Cheshire said he hoped someday to meet another backward-clock buff, Grace Hopper, a distinguished military officer who helped give the world the COBOL computer language. Cheshire might find even more of a soulmate in Steve Wozniak, the Apple cofounder, who is perhaps one of the world’s leading hackers—in addition to having been a phone phreak in his time. “Woz” and a friend snooped on computers across America. The friend was John Draper, a bearded, somewhat maniacal-looking man who earned the nickname Cap’n Crunch because he used prize whistles from cereal boxes to steal free long-distance calls by way of a tone at exactly the right frequency. Later, Crunch wrote the EasyWriter word-processing program used on the Apple and later the IBM PC. On balance Cheshire thinks that hackers do more good than harm. “Let’s say you have money in a bank,” he says. “Wouldn’t you rather that a hacker get into its computer than a criminal did? He could warn the bank. If I had money at a bank, I’d feel safer with hackers checking out security.” Well, it depends. Some hackers are nothing more than electronic vandals.
Some are a privacy threat; they’re doing the equivalent of spying on mail and tapping phones. Still, talented hackers may become real assets to corporations. They’ll care infinitely more about your computer system—and all its quirks—than will programmers working nine to five for the money alone. Just a little oversimplistically it’s been said that you can befriend a hacker merely by supplying a computer with enough RAM, encouragement, a long leash, and lots of chow mein.

■ ■ ■

The TAPpers, depending on your viewpoint, came across in _Technology_ as reassuringly or distressingly middle class. Cheshire at the time of the article was teaching computer skills at a large corporation. “VAX-man”[54] worked as a computer programmer, “The Librarian” as a systems analyst, and another was, of all things, a middle manager for a defense contractor; indeed, every member reportedly boasted a technical background. Most, I suspect, perhaps nearly all, didn’t see themselves as criminals.

Footnote 54: Presumably VAX-man chose his name with both the VAX minicomputer series and the Pac-Man game in mind.

“We’re just an information service for the people,” said one. Well, okay. Maybe it’s good that if G-men want to bone up on the latest electronic tricks, they need only log on to hackers’ bulletin boards and read the TAP newsletter. Still, how many crooks have the same idea? TAP’s another indication that for the criminally greedy the “data cookie jar,” as it’s been called, is out there. Lindsay Baird scoffs at computer trade associations’ efforts to play down the problem. And he fires back with statistics of his own. “I’ve worked on thirty-five or forty cases,” he says, “and only one was reported to authorities.” The loot ranged from $40,000 to $29 million.
And Baird, dismayed that some computer criminals’ sentences are more shoplifterlike than adequate, jokes, “My wife tells me I ought to commit a crime.”

“The security problems with computing systems in the 1960s was like a balloon deflated,” he says, “and you could hold it in your hand. But now it’s like a huge balloon inflated. Or a big bowl of Jell-O.

“You just can’t handle it now, and the manufacturers have got to be concerned.”

Of course you should remember that most corporate data are far from sensitive, that only the most self-important executive would view everything as a national-security secret. Also, Baird is hardly hurting his bank account in sounding the computer-crime alarm. Still, he’s basically right in saying that computer buyers _with sexy data of interest to thieves_ now may have three choices:
