Maclean's Magazine
January 20, 1997

[Jolly Roger]

Pirates invade the web!

[H]ackers, Krakers, Phreaks, and Pir8's. They are the renegades of the Internet. If browsers flew flags, theirs would be the Jolly Roger. Armed with the latest "hacks and kraks" - code breaking utilities that range from software skeleton keys to virtual cloaks of invisibility - they sail effortlessly through Internet security screens and password checkpoints. Once inside a Web-site computer, they can freely load up on whatever bounty of programs and files have been stored there. Whether the interlopers are bootleggers browsing for the latest software to sell on the black market, industrial spies, or teenagers just out for kicks, your only hope is that they don't set fire to the place on the way out.

Today, thanks to the growth of the World Wide Web, software piracy - the unauthorized copying and distribution of commercial computer programs - has reached crisis proportions. Once confined to local computer bulletin board services and circles of friends, the world's hackers and software pirates now roam the world's digital highways courtesy of the vast interconnectivity of the Net. Joining forces in so-called private Web-rings and communicating in cryptic messages, they have created a netherworld of Web sites to house and barter pirated software. Today, these sites - known as "warez" sites - are appearing on the Web at an alarming rate.

As well as becoming more numerous, web pirates have become increasingly bold. Even the uninitiated can unearth dozens of pirate websites operating openly on the Net by dropping into any one of the major on-line search engines, typing in a keyword or two from the hackers' lexicon (such as "warez") , and following the ensuing chain of links. Some sites contain dozens - if not hundreds - of brand-name computer applications, from the latest games to graphics packages and desktop publishing programs worth $1,000 or more. Not only are the programs freely downloadable to anyone surfing the Web, but in almost every case, the manufacturer's serial number or disk copy-protection has been removed by hackers.

In addition to warez sites housing pirated commercial software, there are numerous Web pages with links to other hacks and kraks sites. These feature warez bulletin boards and chat groups where pirates gather to exchange information. One hacker, who runs an openly advertised warez BBS in Japan, offers links to pirated software to anyone who can guess his weekly "riddle". Another pirate site can be found by dialling a phone-sex hotline in South Africa. Callers to the number hear the web-page address revealed at the end of a long-winded message about "constantly updated X-rated material". This particular method has got to be a first - hiding bootleg software behind references to illicit pornography.

The apparent ease with which pirates set up and operate illegal Web sites is a case study in network vulnerability. Typically, a hacker will dial into and breach the password protection of a server computer, then establish his own temporary address. Picture a 17th-century pirate scouting for a cave to hide his booty, and you get the idea. In this case, however, the cave is disguised electronically - the hacker will often create "invisible" files and folders that will likely go undetected by even the host computer's administrators. Once the pirate site has been established, the pirate sends word out to other warez sites and bulletin boards, which add the site to their lists of links. Soon droves of pirates are descending on the site and using it as a transfer point to exchange software.

According to Peter Tippett, president of the U.S.-based National Computer Security Association, "somewhere between 50 and 90 per cent of computer systems on the Internet have been hacked and broken into". One site, monitored by Maclean's over the course of several days, grew to contain more than a hundred commercial software titles, worth tens of thousands of dollars. The site, at U.S. computer supplier Computize Inc., was eventually discovered by the company's Web master S. K. Kang. "We had no idea the files even existed", says Kang, who became alerted to the site when a Computize employee stumbled across it while surfing the Web. Kang immediately searched out and erased the hacker's files. In their place he left a document saying: "Pirates will not be tolerated!"

While the breach of the Computize computer is every Web administrator's nightmare, there is actually very little that can be done to stop such invasions. The main reason is that on the information highway there is in fact no highway patrol. Web security experts are busy plugging the holes in their pipes while information is pouring out at both ends. Even hackers themselves are amazed at the audacity of the lawbreakers. "Is it just me, or is everyone on this board just asking to get arrested", writes one warez BBS member. "Leaving your real e-mail addresses, openly discussing warez, etc. Try and be more discreet!"

Unfortunately, even when the authorities do stumble across a pirate operation, taking legal action can be next to impossible, particularly when it comes to enforcing copyright laws across international borders. "It's definitely a huge problem", says Sandra Sellers, vice-president of intellectual property, education, and enforcement at the Software Publishers Association (SPA) in Washington. "It's a cutting-edge area of law that authorities aren't sure what to do with."

Sellers recently received a complaint about an e-mail message sent to millions of America Online subscribers from a pirate in Germany who promised "$20,000 worth of software for $200". While Sellers is looking into the matter, she says that by the time her people track the source of the e-mail, the pirate will likely be long gone, and probably impossible to trace. The SPA, which represents 85 per cent of commercial software manufacturers, has just three employees assigned to investigate software piracy. According to Sellers, none of them has the time to actually sit down and surf around the Net on a daily basis to see what's going on.

Not that software manufacturers are not concerned. A major SPA survey released in late December found that more than a quarter of commercial desktop computer applications used in the United States are "unauthorized copies". That adds up to more than $3.5 billion in stolen software - a lot of money even for Bill Gates. In Canada, the situation is even worse, with illegal software accounting for an estimated one-third of all computer programs in use. According to the SPA's Canadian counsel, Montreal-based lawyer Marek Nitoslawski, the percentage of pirated computer games is probably even higher.

One problem is that there is no Canadian authority actively policing the Web - or for that matter, even looking. "It's really mind-boggling to be honest", says RCMP officer Gary Osmond, part of an eight-person Montreal-based Mountie section responsible for copyright and trademark violations. "Though we've been getting complaints a lot more lately, we're not actively searching the Internet to find out who is offering pirated software or that kind of thing. We don't actually get on there [the Web]. We don't have the time or the money or personnel." And with budget-cutting restraints at the RCMP, says Osmond, the situation isn't likely to change. "Sure, people may be getting ripped off, but there's no personal injury involved. After all, if someone gives a copy of Windows '95 to a friend, who does it hurt? The feeling on the force is that their are more important priorities."

If the police aren't actively pursuing software pirates, who is? Some analysts have speculated that the big-bucks software manufacturers like Microsoft will have to resort to a private investigators - or even a Pinkerton's-style private security force - to help track down Web pirates. For its part, the SPA is counting on a new program of anti-piracy initiatives, including a telephone hotline to handle complaints, educational programs to heighten public awareness of the problem, and increased legal action against hackers and pirates. Last year, the SPA launched nearly 600 lawsuits, netting $2.6 million (U.S.) in penalties. At the same time, the organization doubled its number of foreign lawsuits. The idea, says the SPA's Sellers, is to "change fundamentally the worldwide perception that stealing intellectual property is acceptable."

But it's far from clear that the SPA's efforts will be enough to stop the flow of billions of dollars worth of pirated software on the Internet. Without a more active presence on the Web to monitor and follow up illegal activities, Web pirates will continue to ply their trade virtually unopposed. "Is this legal? writes one pirate on his "House o' Software" home page: Hell no! All the stuff at these sites is totally illegal. So is the software posted to the warez news groups. But quite simply, there's nothing that can be done about it! The Feds and the cops have no way to track down the people involved, nor do they begin to have the manpower to enforce the anti-piracy laws."

The software industry's other main line of defence against illegal software copying - increasingly elaborate serial number and key-disk copy protection schemes - has proven to be more of an annoyance to registered owners than a deterrent to software pirates. And little wonder, considering the determination illustrated by one hacker in a freely distributed on-line document How to Become a Serial Killer: "If you've ever cracked an application before, you understand the thrill of the quest . . . [while] there are many more difficult [copy protection] routines being used today, you must keep in mind that nothing is impossible through determination. No matter how you fold a piece of paper, it's always possible to unfold it again. Some folds may be tucked in deep and difficult to pull out. There may be times you encounter hundreds of folds. But no matter how much time is put into folding that sheet of paper, someone else can always unfold it."

by Bob Scott

Copyright © 1997 by Maclean's Magazine. All Rights Reserved. Reprinted with permission.