The Hamilton Spectator
Saturday, June 6, 1998
pages A1,A12

Secrets of a teenage hacker

Local lad reveals how he broke into U.S. military computers

by David Akin, dakin@ham.southam.ca

Shortly after 8 a.m. on a hot day last July, 13-year-old Jason woke up to find two police detectives standing at the foot of his bed.

Investigators had determined, after a long investigation, that Jason, a Burlington high school student, had hacked his way into top-secret U.S. military computers.

The detectives had arrived to confiscate Jason's computer, floppy disks, and anything else that looked like something a hacker might use. They even took a fishing magazine because it had an ad for America Online on the back.

Then, once the boxes were in the police van, they charged Jason with unlawful access to a computer system and mischief to data.

The hacker experience

He has had a couple of brief appearances in youth court, including some yesterday. He has not entered a plea. The case is back in court again on August 7. Because Jason has been charged under the Young Offenders Act, he cannot be identified. For this story, pseudonyms have been used for him and his family.

In an interview this week, Jason described the hacker experience.

Jason is a smart kid. At the age of 4, he was writing simple programs for his father's Commodore 64 computer. By the time he was 11, he had a part-time job fixing computers.

Learning the complex syntax and grammar of computer languages - BASIC, DOS, and UNIX - seemed to come easy.

A happy home life, however, was more difficult to come by. Jason's father walked out on the family when he was five.

Soon after he turned 10, Jason began physically assaulting his mother, to the point where she has to call the police. During one 12-month period, the police were called to Jason's Burlington home 13 times.

But where troubled teenaged boys of another age might steal cars and throw rocks through some windows, Jason became a rebel with a computer.

In the digital world, rebels like Jason come in three basic shapes:

Jason can hack, crack, and is a bit of a phreak.

For those like Jason, the first step into the digital underworld is getting access to the Internet. Jason's first hurdle, then, was finding a credit card number that can be used to pay for that Internet access.

To get a valid credit card number, Jason punched in his mother's credit card number plus one. When that didn't work, he added two to his mom's number. He kept going until one worked.

With that credit card, he signed up under a false name with CompuServe, the Ohio-based online service provider that was known for a period as the hacker's Internet service provider of choice, largely because it was easy to get around the service's minimal security provisions.

Phoney credit card

With his compuServe account, Jason was able to network with other hackers, finding, among other things, software programs that could generate more valid credit card numbers.

The use of a phoney credit card account is vital for a hacker to protect his or her identity. It is difficult and frequently impossible to trace a hacker who hides behind a phoney electronic identity.

The next step for a hacker is to get behind the electronic fences, or firewalls, erected to protect a computer network.

The simplest method of doing this is to set up a phoney account on the target network and give that account various network privileges that normally only system administrators would have.

HACKER: Passwords are easy to bust using software

The key to that operation is cracking the password of an authentic user and then using that user's account to set up the phoney account.

Here, hackers are aided by computer users who use predictable passwords and software programs, available for free download over the Internet, that can help a budding cracker figure out those passwords.

Passwords stored on a computer are usually encrypted or encoded using a complex algorithm that, under most circumstances, would be too difficult to crack.

But because most computer users use a password like hockey, chocolate, or Bobby8 rather than j&KL2y or p2W6o9Rd, the number of possible encryption patterns are reduced to a size that password-busting software can manage.

One of those programs is called John the Ripper. It comes with a 'dictionary' of passwords, a text file containing about 2,200 of the most commonly used passwords.

A user can easily edit that dictionary of passwords or add to the list.

John the Ripper methodically breaks down an encrypted password by matching it to every password in its dictionary.

Experts suggest that as many as 25 per cent of all computer users have passwords that can easily be determined by programs like John the Ripper.

Yahoo!

Using these sorts of procedures, Jason was able to give himself access to all sorts of computers, including a server that is part of the popular search engine Yahoo! and several Canadian government servers.

But when Jason went after some U.S. military computers - the holy grail for hackers - some alarm bells went off and the anti-hackers employed by the U.S. government started sniffing Jason out.

Jason had hacked his way into a computer called arl.mil. The computers at arl.mil store information about the U.S. Army Research Laboratory where, according to its home page at www.arl.mil, "the U.S. Army Research Laboratory executes fundamental and applied research to provide the army the key technologies and analytical support necessary to assure supremacy in future land warfare".

Jason said when he got into these computer networks, he never altered files or stole information. the name of the game was simply to get in, to break down the firewall.

The reward for hackers is recognition from others in their subculture. the currency they use to reward each other is passwords to other sites.

Around the same time as his hack into arl.mil, Jason had registered legitimately with his real name at a Burlington Internet service provider.

Still, he couldn't resist hacking into the Burlington service provider's password file and fiddling with those computers.

The system administrators, though, noticed the unauthorized activity on their machines and began their own investigation to determine which account holder was involved.

Service provider

The work of the U.S. military investigators quickly dovetailed with the work of the Burlington service provider.

Shortly after that, Jason found himself in an electronic chat room answering a lot of computer questions put to him by what he thought was a network administrator from the Burlington service provider. It turned out to be a detective from Halton Regional Police.

Within a few weeks, the police laid their charges.


Copyright © 1998 by The Hamilton Spectator. All Rights Reserved. Reprinted with permission.