Saturday, June 21, 2008

Washington Scene: Hack Heaven

By Stephen Glass

Ian Restil, a 15-year-old computer hacker who looks like an even more adolescent version of Bill Gates, is throwing a tantrum. "I want more money. I want a Miata. I want a trip to Disney World. I want X-Man comic [book] number one. I want a lifetime subscription to Playboy, and throw in Penthouse. Show me the money! Show me the money!" Over and over again, the boy, who is wearing a frayed Cal Ripken Jr. t-shirt, is shouting his demands. Across the table, executives from a California software firm called Jukt Micronics are listening--and trying ever so delicately to oblige. "Excuse me, sir," one of the suits says, tentatively, to the pimply teenager. "Excuse me. Pardon me for interrupting you, sir. We can arrange more money for you. Then, you can buy the [comic] book, and then, when you're of more, say, appropriate age, you can buy the car and pornographic magazines on your own."

It's pretty amazing that a 15-year-old could get a big-time software firm to grovel like that. What's more amazing, though, is how Ian got Jukt's attention--by breaking into its databases. In March, Restil--whose nom de plume is "Big Bad Bionic Boy"--used a computer at his high school library to hack into Jukt. Once he got past the company's online security system, he posted every employee's salary on the company's website alongside more than a dozen pictures of naked women, each with the caption: "the big bad bionic boy has been here baby." After weeks of trying futilely to figure out how Ian cracked the security program, Jukt's engineers gave up. That's when the company came to Ian's Bethesda, Maryland, home--to hire him.

And Ian, clever boy that he is, had been expecting them. "The principal told us to hire a defense lawyer fast, because Ian was in deep trouble," says his mother, Jamie Restil. "Ian laughed and told us to get an agent. Our boy was definitely right." Ian says he knew that Jukt would determine it was cheaper to hire him—and pay him to fix their database--than it would be to have engineers do it. And he knew this because the same thing had happened to more than a dozen online friends.

Indeed, deals like Ian's are becoming common--so common, in fact, that hacker agents now advertise their commissions on websites. Computer Insider, a newsletter for hackers, estimates that about 900 recreational hackers were hired in the last four years by companies they once targeted. Ian's agent, whose business card is emblazoned with the slogan "super-agent to super-nerds," claims to represent nearly 300 of them, ages nine to 68. A failed basketball agent, Joe Hiert got into the industry when one of his son's friends, 21-year-old Ty Harris, broke into an Internet security firm three years ago and came to him for advice. The software maker paid Harris $1 million, a monster truck, and promised "free agency"--meaning he can quit and work for a competitor at any time.

Of course, a cynic might say hacker schemes look an awful lot like protection rackets. That's an awfully nice computer network you got there. It'd be a shame if somebody broke into it.... Law-enforcement officials, in particular, complain that deals between companies and their online predators have made prosecution of online security breaches impossible. "We are basically paralyzed right now," explains Jim Ghort, who directs the Center for Interstate Online Investigations, a joint police project of 18 states. "We can't arrest or prosecute most hackers, because corporate victims are refusing to come forward. This is a huge problem."

In March, Nevada law-enforcement officials got so desperate they ran the following radio advertisement: "Would you hire a shoplifter to watch the cash register? Please don't deal with hackers." The state took to the airwaves shortly after a hacker broke into a regional department store's computer system and instructed it to credit his Visa card about $500 per day. According to Nevada officials, the boy racked up more than $32,000 in credit before he was caught--but the store wouldn't press charges. It let him keep the money, then threw in a $1,500 shopping spree--all in exchange for showing them how to improve their security.

Little wonder, then, that 21 states are now considering versions of something called the Uniform Computer Security Act, which would effectively criminalize immunity deals between hackers and companies--while imposing stiff penalties on the corporations who make such deals. "This is just like prostitution," says Julie Farthwork of the anti-hacker Computer Security Center, which helped draft the legislation. "As a society, we don't want people making a career out of something that's simply immoral."

Not surprisingly, hackers hate the proposed legislation. They see themselves as "freelance security investigators," and they even have their own group--the National Assembly of Hackers--to lobby against the new law. "Really, hackers have to put in a lot of sunk costs before they find the one that's broken and get paid," says Frank Juliet, the group's president. "So, it's definitely a large community service that we are doing."

Less predictable, however, is the opposition of companies that have been hacked. It seems they don't like the proposed law, either, because they're worried they'll be stuck with no legal way to patch holes in their security systems. The Association of Internet-based Businesses has actually formed a task force with the National Assembly of Hackers to lobby against the law.

It remains to be seen who will win, but, until new laws are passed, hackers like Ian Restil will continue to enjoy a certain exalted status--particularly among their peers. At a conference sponsored by the National Assembly of Hackers last week, teenage hackers and graying corporate executives flocked to Ian, patting him on the back and giving him high-fives. "We're so proud of him," said Ian's mother. "He's doing such good things, and he's so smart and kind." At the formal dinner that followed, the emcee explained that Ian had just signed a contract for $81,000 in scholarship money--and a collection of rare comic books. The audience applauded wildly. Then, Ian stood on his chair and took a bow. He announced that he had hacked into a new company and frozen their bank account temporarily. "And now they're going to show me the money," he said, swirling his hips and shaking his fists. "I want a Miata. I want a trip to Disney World...."

(Copyright 1998, The New Republic)

No comments: