Accidental Hacker Exposes Internet's Fragility

BY JARED SANDBERG
The Wall Street Journal
July 11, 1997

This may not sit well with his probation officer, but Mark Abene says it's all a mistake. Mr. Abene, one of the world's best-known computer hackers, recently found his e-mail box stuffed with thousands of Internet users' secret passwords.

Mr. Abene -- whose nom de hacking was Phiber Optik -- spent nearly a year in jail after he and his cohorts in the so-called Masters of Deception gang were convicted of breaking into telephone networks. Now on probation, he has been working, of all things, as a computer security consultant.

Late last week, in testing a client's system, he sent a command intended to break into the system's password files -- but the command accidentally was broadcast to Internet computers world-wide. Needless to say, the 25-year-old New Yorker was distressed by the flood of passwords into his mailbox.

"It's unbelievable," says Mr. Abene. "I'm getting them from everywhere -- every country in the world. From corporations, from military sites -- I got a password file from the Australian navy," he says.

Mr. Abene's plight underscores the fragile nature of security on the global network. Many of the millions of people who sign on to the Internet each day believe their privacy is safely guarded behind the secrecy of their passwords. But passwords can be broken or otherwise breached -- in Mr. Abene's case, by a simple command meant to test computers for security vulnerabilities. In this incident, it was accidentally and dramatically compounded by misconfigured software at Mr. Abene's client that replicated the rogue command across thousands of "server" computers on the Internet. A less ethical hacker could have used the purloined passwords to tap into other people's Internet accounts, possibly reading their e-mail or even impersonating them online.

Though security experts have known about vulnerabilities for years, most users might be alarmed to know that one man could inadvertently punch in a command and pull in passwords from all over the world. The recent glitch is likely to prompt many computer operators to examine their software to make sure it doesn't have the same vulnerability.

But while fixes for many potential Internet security problems are often available, many Internet operators have a hard time keeping up to date with the Net's growing complexity. "The software is so big and complex that nobody can understand it all and therefore nobody knows what the bugs are," says William R. Cheswick, senior security researcher at Lucent Technologies Inc.'s Bell Labs. Adds Jeffrey Schiller, a security expert at Massachusetts Institute of Technology: "Vendors are selling systems that aren't perfect and the people who understand the technology are stretched so thin."

While Mr. Abene's job may sound as strange as a bank hiring Willie Sutton, the notorious robber, to count gold bars, corporations often find their best hope for testing and fixing Internet software is to hire the very people who have breached these complicated systems. Enter Mr. Abene.

In addition to providing computer-security services for corporate clients including a Big Six accounting firm, he has been performing community-service work at Dorsai Embassy, a nonprofit Internet service provider in New York.

Mr. Abene's road to notoriety began at age 10, when he obtained his first computer, a cheap Radio Shack model. Though brainy, he dropped out of high school, and by age 18 he was frolicking electronically through some of the world's largest phone networks. But he always maintained that his goal was simply exploration of the networks, not destruction or financial gain. "It was the challenge of mapping them out," he says.

COPYRIGHT 1997 Wall Street Journal