One place where a significant number of people missed the mark is that they wrote more of a book report than a real critical review. That is, they restricted themselves to reporting on what the authors wrote, rather than providing an original critique and analysis. In general, a paper needed to include some elements of a critical review to score above a B on this assignment.
In addition, there was a tendency to restrict the papers to reacting solely to what was in the book, rather than synthesizing material from your own experience or from background we've covered in the class. For example, many people wrote about At Large and discussed Freedman and Mann's characterization of the attitudes of sysadmins and of law enforcement. But only one or two people remarked that we had an impromptu interchange in class the other week between Scott Larson and Nick Papadakis, who is one of the main sysadmin characters in the book -- and drew on that in evaluating Freedman and Mann's report.
The reason we're hammering on this point here is that it is this kind of syntesis we're looking for in the midterm paper. We don't want purely subjective flaming -- but we do want you to realize that your MIT experience and your background put you in a position to make critical, original comments on the topic you choose.
Another thing we'll be looking for in your midterm paper is a thesis, i.e., a major point or central idea that serves as the organizing framework for the paper. In assignment number #3, the best papers were the ones that began by stating a clear thesis, rather than just saying what the book was about.
As an example, read through the following paper, which was handed in for this assignment, on Hafner and Markoff's Cyberpunk, Note how in the very first paragraph the author sets out the theme of "what if", and then note how he not only carries this theme through the entire paper, but that he uses the "what if" theme to build a perspective that unifies the three very separate sections of Hafner and Markoff's book.
When we review your midterm papers, we'd like to see clearly stated, well-supported theses, and for papers that are organized around theses. As suggested on the page explaining the midterm paper assignment, it can be helpful to use the checklist provided by the Purdue Online Writing Lab to help evaluate how well your paper hangs together.
David Fillingham
Ethics and Law on the Electronic FrontierBook Reviewed: Cyberpunk - Outlaws and Hackers on the Computer Frontier
by Katie Hafner and John MarkoffWhen reading this book, one is struck by how much damage could have been done by the characters described, and how much was not done. "What if?" was the question that lay between many of the lines of the three stories described in Cyberpunk. What if Kevin Mitnick was fascinated by money rather than revenge? What if Hans Hubner (known to his friends as "Pengo") had Kevin Mitnick's skill and single-minded dedication? What if Robert Morris had not been a good kid who, despite extraordinary intelligence, made a mistake in judgment, but instead had been a malevolent genius, whose self-replicating Internet worm had been designed to destroy data? How much damage might have been done? In almost every case Hafner and Markoff described, successful apprehension of the computer-criminals followed deliberate or accidental betrayal by friends or enemies, or remarkably stupid moves, like hacking into a computer center within plain view of the systems administrator. What if the computer hackers described in Cyberpunk had worked alone, or in highly disciplined teams, and kept their mouths shut?
The first section of this three-part book describes the evolution of a group of teenagers from "phone phreaks" conducting simple manipulation of the telephone system using whistles and crude "blue box" electronic devices, into adult computer "crackers." From a clique led by a man named Roscoe, and including Mark Ross, Steven Rhoads, and a prostitute with the working name "Susan Thunder," arose Kevin Mitnick, an obsessive telephone manipulator and computer hacker. Kevin is described by Hafner and Markoff as extraordinarily skilled (even if not technically proficient in an academic sense) - able to remotely reconfigure the home telephones of his enemies as pay phones, fraudulently use long distance carrier lines at will, detect and execute telephone taps, and manipulate telephone billing information.
The authors point out that computer hacking involves technical skills - but that there is also a large element of "social engineering" involved. A wily hacker can extract passwords from users by claiming to be a maintenance technician, the secretary of a high-ranking military officer, or by the coaxing of an attractive woman. Cracking, as practiced by Mitnick and his friends, required both equipment and people to be manipulated with equal skill. It seems odd, then, that the downfall of Kevin came as a result of disastrous relationships with his friends.
All the hackers in the group were heavily engaged in their computer "cracking" hobby, but Kevin seemed utterly controlled by his desire to expand his cyber-conquests. Furthermore, he had a penchant for using his telephone and computer skills to exact revenge on others, including his erstwhile friends, for perceived wrongs. It was Kevin's vengeance attack on the U.S. Leasing computer, in which he destroyed the corporation's inventory, billing and customer records (at a cost of about $250,000), that provided Susan Thunder with the evidence she would provide the government to obtain her own vengeance for Kevin's phone attacks on her. Kevin's first conviction resulted from his petty and short-sighted harassment of Susan. What if Kevin had taken pains not to make enemies of those who could harm him?
Kevin's second conviction resulted from taking the absurd risk of hacking into the University of Southern California (USC) computers directly from the USC computer lab, in full view of the system operator, and later, with two campus police officers looking over his shoulder. What if he had not been so sloppy?
Kevin's third conviction came again as a result of betrayal by a friend, Lenny DiCicco, who was driven to cooperate with law-enforcement as the only way out of his relationship with the controlling, and obsessed Kevin Mitnick. After his third conviction, the authorities were quick to suspect Kevin for future break-ins.
Kevin lived for his cracking, and seemed largely disinterested in anything or anyone else. Though he obtained 21,600 credit card numbers, he didn't use them or sell them. He obtained the DEC VMS source that the Soviets tried to obtain through Pengo, but Kevin made no effort to sell it - rather he wanted it merely as an aid to further computer trespassing. But what if Kevin had been motivated by money, and not by the thrill of cracking for cracking's sake?
Perhaps the only way to gain the level of proficiency obtained by Kevin is by a single-minded dedication to the (often dull and repetitive) art of cracking. If so, then the only ones who could make much money from cracking are those who have no interest in money. It seems though, that had Kevin found a sponsor in organized crime who could have provided first-rate equipment, professional break-ins where required, and - most of all - the discipline of the code of silence, that Kevin could have operated indefinitely, and probably at a very high standard of living. One has to wonder if there are not such teams operating today. Katie Hafner expresses similar thoughts in her epilogue:
...revisiting the story of Kevin Mitnick has made me wonder if our preoccupation with Mitnick is an easy distraction, diverting our attention from those lurking in cyberspace whose intentions are far more malicious than his. It's already known that there's a fair amount of industrial espionage, and the presence of paramilitary fanatics on-line is difficult to overlook. Mitnick, it may turn out, is just the one who keeps getting caught.
One team that made an attempt to cash-in on their cracking skills was led by Hans Hubner (Pengo), who organized a gang of West Germans to sell hacking information to the Soviets. Pengo was, like Kevin Mitnick, highly skilled in the art of computer trespassing, and was capable of bringing down computer systems, as he demonstrated to the SLAC physics research facility at Stanford. Pengo assembled a circle of hackers consisting of Dirk-Otto Brzezinski (Dob), Peter Carl, and Hagbard Celine. These characters were all drug abusers or small-time drug smugglers. Hagbard in particular was a heavy drug user, delusional, and ultimately suicidal - he would not normally be considered a good security risk for a secret intelligence gathering project.
In the end, Pengo's gang failed, and was prosecuted on charges of spying for the Soviet Union. Their downfall was the result of an counter-espionage operation triggered by Chris Stoll's investigation of a 75 cent accounting error. What if Chris had not been assigned to track down that error? What if he had found it, but not decided to follow it up? How many systems administrators would have had the personality characteristics and the skill to follow-up the leads and track down Pengo and his gang? Perhaps if Pengo had been raiding banks or corporations, the victims would have weighed the cost of their losses to computer crime against the cost (in terms of money and prestige) of tracking down the criminals. As it was, Pengo's crew was in the service of the notoriously stingy KGB, attacking government funded research laboratories and facing the counterintelligence organizations of two nation-states. What if they had been more careful in their choice of clients and targets?
The last of Cyberpunk's stories recounts the somewhat sad story of Robert Tappan Morris and his Internet worm, unleashed on November 2, 1988. Unlike the fat, socially retarded Kevin Mitnick, or the hash-heads of Pengo's gang, Robert Morris was an exceptionally gifted computer scientist with the brightest of futures ahead of him, following in the footsteps of his father, Bob Morris, a computer security expert with the National Security Agency (NSA).
Robert wrote a self-replicating program exploiting vulnerabilities associated with the UNIX sendmail program and DEBUG feature. The program was intended to spread throughout the Internet, but was not intended to shut down any computers. Unfortunately, the program included a poorly designed "anti-immunization" mechanism that caused it to replicate out-of control, and crash about ten percent of the computers connected to the Internet at the time.
The obvious question is that if Robert Morris could shut down ten percent of the computers on the Internet by accident, what could he have done if he had malicious intent? Certainly, including a feature that wiped out hard-disk data after the worm had been resident for some time would have been trivially easy. But what if the worm had not contained the replication error that betrayed its existence, and instead had infected nearly all of the computers on the Internet, perhaps installing the loginout patch developed by the Chaos Computer Club? Perhaps the worm could have installed a logic bomb that would wipe out the data on the computer at some particular time. The Internet has grown tremendously in size and importance since Robert Morris executed his prank. What if a modern-day hacker with Robert Morris's skill and Pengo's morals were to be hired by an Islamic fundamentalist group, or a domestic militia fringe group?
In the end, this very interesting and well-written book leaves one wondering if the characters so carefully and colorfully described in Cyberpunk represented the real threats, or the almost-threats. Maybe almost-threats are the Kevin Mitnicks, interested in mean-spirited pranks against individuals, but not in money or widespread chaos, drug-impaired would-be espionage gangs, and pranksters with hearts of gold.
Might the real threat come from a Kevin Mitnick with a pathological need for vengeance on the society that's hounded him for his entire life? Perhaps the real threat will come from a Russian organized crime syndicate with a clear-headed, disciplined, membership? Or will the real threat manifest itself as a Morris worm developed and tested by a national laboratory over a period of months or years? These are the questions that Cyberpunk left this reviewer asking, and perhaps what will keep many computer security experts employed for the foreseeable future.
Return to Current announcements page
Return to Course home page
Last modified: September 28 1997, 6:37 PM