Digital Mischief:

A Primer on Computer Intrusion and the Law

by Quillaby

a.k.a. quillaby@yahoo.com

January, 2001

Contents

Introduction: The Phonemasters
Hackers and Crackers
Subcultural Icons: The Rock Stars of the Hacking World

John Draper
Robert Morris
Mark Abene
Kevin Poulsen
Justin Petersen
Kevin Mitnick

Legislation: The Computer Fraud and Abuse Act, 18 U.S.C. § 1030

Unauthorized Access to a Government Computer
Unauthorized Access plus Data Theft
Unauthorized Access with Intent to Defraud
Unauthorized Access plus Damage

Enforcement
Hacktivism
Denial of Service Attacks
Causing Damage
Conclusion: Fear and Flu Shots

I. Introduction: The Phonemasters

In the early 1990's, a group of computer hackers known as the "Phonemasters" were responsible for the "most extensive illegal breach of the nation's telecommunications infrastructure in high-tech history."⁽¹⁾ At various times, they could "eavesdrop on phone calls, compromise secure databases, and redirect communications at will."⁽²⁾ Using their computer skills, they could access and manipulate "portions of the national power grid, [and] air-traffic-control systems."⁽³⁾ Despite all their power, the Phonemasters did not bring the country's information infrastructure to its knees. The fact they did not cause devastating damage is not a testimonial to the great security of our information systems; it is more properly attributed to the Phonemasters relative lack of malice, and their exercise of restraint.

The Phonemasters never sought to topple the United States. Instead, they waged a limited campaign of theft and fraud, all in the pursuit of the almighty dollar. For them, hacking was all about business, and business meant stealing and selling information from allegedly secure databases. They typically charged $75 for personal credit reports, and $500 for the unlisted celebrity telephone number of your choice. Sometimes they sold codes which could be used to make international calls for free. And for a mere $100, the Phonemasters were willing to sell you records from the Federal Bureau of Investigation's very own Crime Information Center. Their customers included private investigators, and (indirectly at least) the Sicilian Mafia.⁽⁴⁾

Although the Phonemasters were primarily oriented toward business, they also liked to play pranks. When one of their gang was given a speeding ticket, he retaliated by simultaneously paging thousands of pagers across the country to the police station's telephone number. The hacker evidently intended for the "resulting flood of incoming calls" to "crash the department's phone system."⁽⁵⁾ In another incident, after browsing through a stolen list of telephone numbers which were being monitored by the police, one of the Phonemasters decided to amuse himself by randomly calling one number and letting the owner know his line was being tapped.

The Phonemasters were tracked down and arrested by the FBI in 1995. It's true that their capture has helped to make the United States' information infrastructures a bit safer, but there are still plenty of hackers out there, and some of them pose genuine threats, not just to the integrity of commercial communications, but to public safety and national security. Statistics on hacking are fairly unreliable because the vast majority of cyber attacks are never detected, and only some of the detected attacks are reported.⁽⁶⁾ However is clear that the explosive growth of the Internet has been accompanied by a parallel increase in illegal computer intrusions.

The hacking world is a genuine subculture, with it's own language, and with a set of rules and ethics that separate it from our larger society. In order to effectively address the growing problem of computer intrusion, it is critical that all of the attorneys, judges, and law enforcement officers involved in hacking prosecutions have at least a basic understanding of what hacking is all about. The anecdotes in this essay are intended to give outsiders some insight into the hacker mind set.

II. Hackers and Crackers

Over the past forty years or so, the term "hacker" has been used to describe many different kinds of computer users.⁽⁷⁾ In the late 1950's and 60's, the term was used to refer to especially gifted computer programmers. In the 70's, "hacker" meant an entrepreneur like Bill Gates and Steve Jobs, someone who was revolutionizing the computer world. In the 80's, a "hacker" was someone who was good at bypassing the copy protection devices on computer games. For perhaps a century, the Massachusetts Institute of Technology has had a proud tradition of spectacular (yet harmless) pranks called "hacks."⁽⁸⁾ Today, the most common meaning of "hacker," the meaning used in the popular media as well as in this essay, is a person who uses a computer to virtually break into someone else's computer.

The term "cracker"⁽⁹⁾ is often used to describe hackers who intrude into computer systems with a "criminal intent or purpose." This term is often thrown around by hackers who don't consider themselves to be criminals. The perceived distinction here ignores the fact that it's probably always illegal to intrude into someone else's computer system without permission, even if the hacker is only breaking in for the sake of finding out how difficult it would be to break in. However, this "Hacker/ Cracker" dichotomy may deserve a closer look. Not all hackers are equally dangerous, and our legal system should recognize this fact when it comes to meting out punishment.

In general, hackers are very much aware that computer intrusions violate the law, but they are motivated to continue hacking for a variety of reasons. Some hack because they are looking for entertainment. Some hack out of intellectual curiosity. Some hackers seek infamy and prestige, while others seek to achieve a political goal. Some hackers are trying to achieve an illegal profit, and some are hacking out of sheer malice.

Hackers also vary widely in their skill level. Some have no real computer skills; these "script kiddies" hack into systems using software written by more experienced hackers. At the other end of the spectrum are the professionals, with top notch skills and equipment; some work for themselves as the Phonemasters did, while others might work for an Eastern Bloc criminal organization, for a terrorist group, or for the United States Air Force.⁽¹⁰⁾ Additionally, many "old school" hackers can now be found in the executive offices of America's information technology corporations. Today these "ex-hackers" have dedicated their abilities to far more productive ends, like securing monopolies.

While hackers vary widely in motivation and ability, they do have some things in common. Many hackers follow the "Hacker Ethic," which can be traced back to Steven Levy's 1984 book, Hackers: Heroes of the Computer Revolution. Using almost biblical language, Levy preached that "[A]ccess to computers should be unlimited and total. All information should be free. Mistrust authority -- promote decentralization. Hackers should be judged only by their hacking. You can create art and beauty on a computer. Computers can change your life for the better."⁽¹¹⁾

Over the years, hackers have embraced and modified these ideals to varying degrees, such that the central tenet of today's version of the Hacker Ethic seems to be "thou shalt not harm another person's computer." Whether a particular hacker follows this Ethic or not is another convenient way to distinguish regular "hackers" from criminal "crackers." In 1997, a modified version of the Hacker Ethic was published in an underground high school newspaper near Milwaukee, Wisconsin.⁽¹²⁾ According to this version of the Ethic:

Contrary to popular belief hackers do have ethics. We may do things which are deemed illegal but we never do things which we believe are immoral. So here is your Code of Ethics that we would like all to follow with their hacking. We cannot force you to follow those rules nor would we want to be able to force anyone to do anything. We are merely asking you to follow these ethics. Thank you.

1. Never harm, alter or damage any computer, piece or software, or person in any way.

2. If damage has been done do what is necessary to correct that damage, and to prevent it from occurring in the future.

3. Inform computer managers about lapses in their security, when you're done exploiting it.

4. Teach when you are asked to teach, share when you have knowledge to spread. Remember that someone had to teach you and you would know nothing if others hadn't shared their information with you so return the favor and help the spread of hackers.

5. Be aware of potential vulnerability in all computing environments, including the ones you will enter as a hacker. Act discreetly and remember that you are not invincible. Forgetting this is how idiots get caught.

6. Persevere, but don't be stupid and don't take greedy risks.

III. Subcultural Icons: The Rock Stars of the Hacking World

As a subculture, the hacking world has it's own heroes and forefathers, individuals whose exploits have earned them a permanent place in the annals of hacking history. These are a few of

their stories.

A. John T. Draper a.k.a. Cap'n Crunch

In 1968, John Draper was honorably discharged from the Air Force after completing a tour of duty in Vietnam.⁽¹³⁾ In 1972, Draper discovered that he could use the prize from a box of Cap'n Crunch cereal to manipulate telephone services.⁽¹⁴⁾ The prize was a whistle that blew at precisely 2600 hertz. At that time, phone companies used the same circuit to transmit both voices and the signals used to route telephone calls. By blowing the whistle into the phone, Draper discovered that he could open up the circuit, and communicate directly with the computers that directed long distance calls. Using the whistle in conjunction with a tone generator (called a "blue box"), Draper learned place long distance calls for free.

Draper was arrested for phone fraud in 1972.⁽¹⁵⁾ While serving his sentence, Draper was allowed to participate in a work furlough program and continue to work with computers. He ended up working for his buddy Steve Wozniak,⁽¹⁶⁾ co-founder of Apple Computer, Inc. and wrote the first word processor for the Apple II. Today in 2001, Draper is a professional web page designer, and also writes customized McIntosh software.⁽¹⁷⁾ If you are so inclined, he will sell you a tee shirt commemorating the twenty-fifth anniversary of his first bust.⁽¹⁸⁾

Draper's practice of phone hacking eventually became known as "phreaking" or "phracking." To this day, long distance providers insist that phone hackers are driving up the billing rates for the customers who actually pay for their calls.

B. Robert Tappan Morris, Jr.

Robert Morris, Jr. grew up in a family that was serious about high technology. His father, Robert Morris, Sr. was the chief scientist at the National Computer Security Center (a division of the United States National Security Agency).⁽¹⁹⁾ Morris Sr. kept one of the original World War II "Enigma" cryptographic machines in the family home and used it as a conversation piece. In 1988, 23 year old Morris, Jr. started graduate school at Cornell University, seeking a Ph.D. in computer science. By today's standards, the Internet in 1988 was extremely primitive. Data transmission was awkward, slow, and expensive. There were very few people online in those days, and few of those who were online thought that the Net had the potential to be useful for much more than plain text e-mail. The primary users were the military, federal agencies, and research universities.

The relative smallness of the late eighties Internet community led to very trusting habits. Computer systems attached to the Net had not been designed with security in mind. Young Mister Morris saw these gaping security holes and decided to point them out to the online world. Morris designed a program called the "Internet Worm" (also known as the "Morris Worm") to demonstrate the Net's inadequate security. Once released, the Worm would exploit security weaknesses and spread into every computer on the Internet.

Morris did not want the Worm to cause any damage to these computers. He purposefully designed the Worm to be very small so that the its presence on a computer wouldn't even slow the computer down. He wanted his Worm to slowly spread across the Internet, undetected and innocuous. He imagined that several months down the line, some system administrator would discover the Worm on their machine, and then discover that the Worm was everywhere. Morris just wanted people to realize how easy it would be for a malicious programmer to infect the entire Internet with a harmful program, and he wanted to demonstrate this ease with a harmless program.

Morris wanted to Worm to infect every computer on the Net, but he wanted to avoid making multiple copies of the Worm on any one machine. Once a computer was infected, it would ask every other computer to which it was connected "do you have a copy of the Morris Worm?" If the answer was "no, I don't," then first computer would send a copy of the Worm to the second. If the answer was "yes, I already do," then the first computer would not reinfect the second.

Morris realized that this setup would make it very easy to purge the Internet of the Worm once it was discovered; everybody would just delete the copy of the Worm on their computer, and set their computer to always answer "yes, I still have a copy of the Worm." Morris didn't want to make it that easy, so he changed the Worm's programming. The final version of the Worm was configured to replicate itself every seventh time it received a "yes" response, as well as every time it received a "no." Morris realized that some computers would become infected multiple times, but he figured that his Worm was so small, and was going to spread so slowly, that there was no danger that these multiple infections would become a problem. This turned out to be a drastic miscalculation.

Morris released the Worm on November 2, 1988. The Worm rapidly spread across the Internet, and began infecting computers multiple times. Soon, computers were carrying so many copies of the tiny Worm program that they began to noticeably slow down. Within 72 hours, the Worm had crashed or incapacitated essentially every computer on the Internet (some 6000 systems with several hundred thousand users).⁽²⁰⁾ Once Morris realized what was happening, he attempted to anonymously e-mail instructions for killing the Worm, but it was too late.

Morris eventually turned himself in to the authorities. He was prosecuted under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. The particular subsection under which Morris was charged, § 1030(a)(5)(A), made it a crime to "intentionally access[] a Federal interest computer without authorization" and "cause[] loss to one or more others of a value aggregating $1000 or more during any one year period[....]" Morris argued that he was not guilty under the statute because, although he had intentionally gained access to Federal interest computers, he did so without any intent to cause damage. The Second Circuit held that the required mental state applied only to the act of accessing the computer, and not to the act of causing damage.⁽²¹⁾ Thus, the government must only prove that the unauthorized access was intentional, and does not have to prove that any damage was intentional. This requirement was made clear by Congress in subsequent amendments to the act.⁽²²⁾

Morris was sentenced to 3 years probation, 400 hours community service, a $10,500 fine, plus the cost of his supervision. He's now a professor at MIT, doing research into parallel and distributed operating systems.⁽²³⁾

C. Mark Abene a.k.a. Phiber Optik

Mark Abene grew up in a working class neighborhood in Queens, New York. He discovered he had a knack for computers and ended up dropping out of high school to pursue his experiments with telephones networks. In the tradition of John Draper, he learned how to manipulate telephone services, and used his skills for pranks. He was known to trick the telephone company's computers into thinking the personal phones of his hacker rivals were actually pay phones, i.e. "In order to place your call, you must first deposit twenty-five cents."

In the 1980's Abene became affiliated with the "Masters of Deception,"⁽²⁴⁾ a prominent hacker gang based in New York City. Abene has insisted that he was never a member, but has admitted that he taught the MOD many of his tricks. In November of 1989, the MOD crashed the computers at a New York public television station and left the message "Happy Thanksgiving you Turkeys, from all of us at MOD."⁽²⁵⁾

MOD went on to hack into computers at AT&T, the Bank of America, and the National Security Agency. Abene was personally linked to 69 intrusions into AT&T computers that occurred over a period of just six months. In January of 1990, hackers almost shut down AT&T. This prompted a crackdown by the FBI and the Secret Service. Abene was arrested in 1992 and eventually pleaded guilty although he maintained that he had done nothing wrong. Abene's version of the hacker ethic "justifies any computer intrusion as long as the motive is pure," and he insisted that "he was studying the phone system as an architecture student would [study] the floor plan for a cathedral: as a thing of beauty."⁽²⁶⁾ The judge didn't see things his way, and sentenced Abene to one year in federal prison. Abene served ten months. While in prison, he received so many visits from reporters that the other inmates nicknamed him "CNN." Soon after his release, New York Magazine named Abene one of the city's "One Hundred Smartest People." The exploits of the Masters of Deception were recorded in the book Masters of Deception: The Gang that Ruled Cyberspace, by Joshua Quittner⁽²⁷⁾ and Michele Slatalla.

D. Kevin Lee Poulsen

Draper, Morris, and Abene seem to have had relatively pure motives. Other hackers are more interested in making money. Kevin Poulsen first got in trouble for hacking in 1982 at the age of 17. The Los Angeles County District Attorney's Office raided him for gaining unauthorized access to the Internet. Poulsen was not charged, and instead became a programmer/security supervisor for a Silicon Valley corporation.⁽²⁸⁾

By the late eighties, Poulsen held a SECRET level security clearance and worked for a defense contractor. In his free time, Poulsen hacked into Pacific Bell computers. Not all of his intrusions were virtual; Poulsen was also handy with lock picks,⁽²⁹⁾ fast talking, and forging driver's licenses and ID badges.⁽³⁰⁾ Pacific Bell discovered his intrusions in 1987 and notified the FBI, who began to investigate the possibility that Poulsen had committed espionage. Poulsen fled.

While on the run, Poulsen hid out in Los Angeles and supported himself by hacking into the phone systems of Los Angeles radio stations so that he was always the right caller to "win" call in contests. He used assumed names so that he could win contest after contest without drawing attention to himself. In addition to cash prizes, Poulsen "won" a trip to Hawaii and a Porsche 944-S2 Cabriolet. During this time, Poulsen also hacked into some computers "in order to obtain information relating to electronic surveillance conducted by the Federal Bureau of Investigation[....]"⁽³¹⁾

After two appearances on the television show "Unsolved Mysteries," Poulsen was finally apprehended on April 10th, 1991. He pleaded guilty to 7 counts of mail, wire, and computer fraud, as well as money laundering and obstruction of justice.⁽³²⁾ The government dropped the espionage case.

Poulsen was sentenced to 71 months in prison. He served 62, and finished his three years of supervised release on June 4, 1999. Poulsen now works as a freelance journalist, writing about cybercrime for ZDNet News⁽³³⁾ and SecurityFocus.com.⁽³⁴⁾ He also has spoken at hacker conventions in Las Vegas, and at an Information Warfare course at Maxwell Air Force Base.

E. Justin Petersen

Justin Petersen was one of Kevin Poulsen's confederates. In 1991, Petersen hacked into some computers at a credit reporting agency and used the information he stole in order to fraudulently obtain credit cards. Like Poulsen, Petersen had also been involved in radio call in schemes. He had also physically stolen a car by never returning it after a test drive. When Petersen was arrested, he promptly made a plea bargain. He agreed to plead guilty and help the FBI track down other hackers. In exchange, the Bureau agreed that at his sentencing they would notify the judge about the extent of his cooperation. The Bureau provided Petersen with an apartment, computers, telephones, and pagers.⁽³⁵⁾

For a while, Petersen did help the FBI (he helped secure evidence used to convict Poulsen) but he also continued to hack. In 1993, when the FBI discovered his continuing criminal activity, Petersen fled. In 1994, while on the run, Petersen hacked into a bank and arranged a wire transfer of $150,000. Petersen called in a bomb threat to distract the bank employees, but the transfer was discovered and stopped before it went though.

Petersen was captured and convicted. He received a "special skill" enhancement under the Sentencing Guidelines.⁽³⁶⁾ Petersen challenged this enhancement because he had never had any formal computer training. The Ninth Circuit rejected this argument and held that a special skill carries with it a greater chance of recidivism, regardless of how the skill was acquired, and that an increased sentence "may be needed to discourage its use for abuse."⁽³⁷⁾

Petersen was sentenced to 41 months imprisonment plus three years of supervised release. He ended up walking away from his supervised release, but was re-captured by the U.S. Marshals on December 11, 1998.⁽³⁸⁾

F. Kevin David Mitnick

The 1999 Guinness Book of World Records names Kevin Mitnick "The World's Most Notorious Hacker."⁽³⁹⁾ Department of Justice officials have called Mitnick a "computer terrorist" and "the most wanted computer hacker in the world."⁽⁴⁰⁾ In 1981, at age 17, Mitnick was put on probation for hacking into Pacific Bell computers. He was given probation. In 1989, Mitnick was again caught hacking, this time into Digital Equipment Corporation. He allegedly caused millions of dollars of damage, and was sentenced to one year in a minimum security prison.

In 1992, Mitnick, still on probation, disappeared. He was pursued for probation violation, but he eluded authorities. On December 25, 1994, Mitnick hacked into a system belonging to Tsutomu Shimomura, a computer security expert. Mitnick stole some specialized software which Shimomura had written. Shimomura helped the authorities track down Mitnick,⁽⁴¹⁾ who was captured on February 15, 1995.

Mitnick's case became a focal point for the attention of hackers all over the world. One of Mitnick's greatest cheerleaders has been Emmanuel Goldstein,⁽⁴²⁾ the editor of 2600 magazine,⁽⁴³⁾ and Mitnick's case was a regular topic on Goldstein's New York radio talk show "Off the Hook."⁽⁴⁴⁾ During Mitnick's incarceration, the phrase "Free Kevin!" could be found scrawled all over the Internet. The attention focused on Mitnick's case lead to many web page defacements in his honor.⁽⁴⁵⁾

After a long drawn out legal battle, Mitnick was finally sentenced on August 9, 1999. He was sentenced to 46 months in prison, and ordered to pay $4,125 in restitution.⁽⁴⁶⁾ Part of Mitnick's defense was that he was addicted to hacking, and that he could not control this compulsion. On January 20, 2000, Mitnick, then 36, was released from a medium security prison in Lompoc, California. Until January 20 2003, the conditions of Mitnick's supervised release prohibit him from using a computer, or from acting as a computer consultant.

IV. Legislation: The Computer Fraud and Abuse Act

In 1984, Congress passed the Computer Fraud and Abuse Act, codified at 18 U.S.C. § 1030.⁽⁴⁷⁾ The act has been revised several times, most recently by the National Information Infrastructure Protection Act of 1996. Under the act, there are seven offenses: 1) classified data theft, 2) unauthorized access plus data theft, 3) unauthorized access of a government computer, 4) unauthorized access plus intent to defraud, 5) unauthorized access plus damage, 6) password trafficking, and 7) threatening to cause damage. This portion of the essay briefly outlines the four offenses most commonly related to hacking.

A. Unauthorized Access to a Government Computer: 18 U.S.C. § 1030(a)(3)

For this offense, the prosecutor must prove that the defendant 1) intentionally gained unauthorized access 2) to a federal government computer or 1) intentionally gained access 2) to a computer the government sometimes uses, and 3) affected the government's use. This is a simple trespass offense, and requires no showing of damage. If this is the defendant's first offense under any subsection of the act, this is a misdemeanor. If the defendant has already been convicted of an offense under the act, the subsequent offense is punishable by five years.

The phrase "protected computer" is used in the definition of the next three offenses. It is defined in 18 U.S.C. § 1030(e)(2). A computer is a "Protected Computer" if it 1) is used in interstate communication (this covers every computer attached to the Internet), or 2) is used by the federal government, or 3) is used by a financial institution.

B. Unauthorized Access plus Data Theft 18 U.S.C. § 1030(a)(2)

For this offense, the prosecutor must prove that the defendant 1) intentionally gained unauthorized access and 2) obtained information from 3) a federal government computer or a financial institution's computer. This subsection also covers attacks against other Protected Computers (meaning those used in interstate communication) but only if the attack involved an interstate communication, and thereby implicated the Commerce Clause.

The prosecutor doesn't have to prove that data which was stolen had any particular value. In fact, if the prosecutor can prove value, she probably ought to prosecute the conduct as an Unauthorized Access plus Intent to Defraud (below). The Department of Justice's position is that "obtaining information" includes merely seeing it, e.g. voyeuristically browsing through someone else's personal financial information.

The first offense is normally a misdemeanor, but if the data theft is committed for financial gain, or in furtherance of a criminal or tortious act, or the value of the stolen data is greater than $5000, then the theft is punishable by five years. A subsequent offense is punishable by ten years.

C. Unauthorized Access plus Intent to Defraud 18 U.S.C. § 1030(a)(4)

For this offense, the prosecutor must prove that the defendant 1) knowingly gained unauthorized access 2) to a protected computer 3) with intent to defraud and 4) obtained anything of value. "Anything of Value" does not include mere use of the computer if the total amount of computer time stolen during one year is worth $5000 or less. Proof of an interstate attack is not required for attacks against non-government, non-financial institution computers that are used in interstate communication; presumably, defrauding a computer used in interstate communication automatically implicates the Commerce Clause.

The first offense is punishable by five years, and the Sentencing Guidelines mandate a six month minimum sentence. A subsequent offense is punishable by ten years.

D. Unauthorized Access Plus Damage: 18 U.S.C. § 1030(a)(5)

For this offense, the prosecutor must prove that the defendant 1) intentionally accessed 2) a protected computer and 3) caused damage. "Damage" occurs whenever 1) a person is physically injured, or 2) a medical record is modified (or potentially modified), or 3) public health or safety is threatened, or 4) at least $5000 is lost during a one year period. Proof of an interstate communication is not required, presumably because damaging a computer used in interstate communication automatically implicates the Commerce Clause.

This subsection punishes defendants differently based on their mental states, and based on whether their access was authorized. People who were authorized to access the computer are only punished for intentionally causing damage (felony), never for recklessly or negligently causing damage. People who accessed the computer without authorization are held accountable for all the damage they cause, whether intentional (felony), reckless (felony), or negligent (misdemeanor). The chart below may prove helpful.

Unauthorized Access Plus Damage: 18 U.S.C. § 1030(a)(5)
	Unauthorized Access	Authorized Access
Intentional Damage	Felony	Felony
Reckless Damage	Felony	No Crime
Negligent Damage	Misdemeanor	No Crime

When the first offense is a felony, it is punishable by five years. First offense misdemeanors and felonies both carry a six month minimum sentence. A subsequent offense is punishable by ten years.

V. Enforcement

There have been few prosecutions under the Computer Fraud and Abuse Act, and there are many reasons why. The original act was written so narrowly that prosecutors usually chose to charge defendants under other statutes (e.g. the wire fraud statute, 18 U.S.C. § 1343). Another reason is that computer intrusions are frequently not detected by the victims. If your system was not damaged, you might never know that a hacker had intruded and copied all your sensitive files.

A further reason for the small number of prosecutions is that corporations who discover that they have been victimized by hackers don't always report the attacks.⁽⁴⁸⁾ Corporations, always concerned about consumer confidence, don't want the negative publicity a police investigation might bring, and don't want to encourage other hackers to exploit their publicized weaknesses.

When a corporation discovers an attack, the officers and directors may decide that it makes good business sense to pay the hackers to leave them alone. "The Times of London reported that several multinational banks, anxious to maintain public confidence, paid hush money to hackers to keep quiet their successful intrusions into the banks' networks. The banking industry denied any payoffs."⁽⁴⁹⁾ Some corporations might prefer to see a hacker torment its competitors than see him or her behind bars.

Even if a corporation would ideally like to see a hacker prosecuted, they may decline to report the attack if they believe that reporting would be futile. Lack of confidence in the government's ability to apprehend a hacker may lead to such attitudes. State and federal law enforcement agencies have often been criticized for putting too little an emphasis on fighting computer crime.⁽⁵⁰⁾

The National Infrastructure Protection Center⁽⁵¹⁾ was created by presidential directive in February 1998, to help coordinate state and federal efforts to protect the critical infrastructures of the United States. A large part of that infrastructure is the communications infrastructure. NIPC has tried to foster close contacts with corporate America in order to increase the reporting rate of computer crime, so that it may be battled more effectively. It remains to be seen whether these new contacts will have a long term effect on how American businesses approach computer intrusions.

In those rare cases when a hacker is detected, caught, prosecuted, and convicted, another slew of issues comes into play at sentencing. Should the hacker be given probation, like Robert Morris, or imprisoned like Mark Abene? One important consequence of imprisonment which might be overlooked at sentencing is illustrated by the case of John Draper (Cap'n Crunch, above). Draper was clearly a nonviolent criminal. He was certainly not placed in a maximum security prison, but he was locked up with people who were much tougher and meaner than he was. Draper discovered that he could avoid harassment (or worse) by teaching his fellow prisoners the fundamentals of telephone hacking. By proving that he was valuable, he became protected in prison society.

When prosecutors are deciding whether or not to seek imprisonment, they ought to consider whether the social benefit of additional punishment for the particular hacker is worth the social cost of increased proliferation of the hacker's skills. This is not to suggest that hacker skills do not proliferate outside of prison. Quite the contrary. But a hacking student in prison very likely has different, more dangerous motives than his counterpart in the free world. If a

lonely high school computer geek can be somewhat dangerous to society, then perhaps a middle aged ex-con with a modem is truly frightening.

VI. Hacktivism "Hacktivism" is an odd combination of hacking and political activism. Hacktivism usually resembles online civil disobedience, but sometimes it can be decidedly uncivil. Hacktivism is most frequently seen when hackers deface someone else's web page, i.e. alter the page by putting their own message in its place. Individuals and groups deface web pages to get attention for their causes. The rationale for defacement is simple: putting up your own web page is unlikely to get media attention, but defacing someone else's web page (especially a high profile web page like www.yahoo.com or www.whitehouse.gov) might get a lot of media attention since the public and the media find hackers to be mysterious and sexy.

In most cases of web page defacement, the page's owner discovers the vandalism and removes it within a few hours or days,⁽⁵²⁾ but copies of the defaced pages live on forever on sites dedicated to archiving defacements.⁽⁵³⁾ Archive sites enable the attention paid to a particular web defacement (by the media, and by the hacking community itself) to long outlast the duration of the actual graffiti.

Some hacktivists insist that their actions are protected by the freedom of speech; assuming they caused no damage to the files containing the original page, they claim that all they have done is exercise a little free expression courtesy of the First Amendment. This argument fails because it ignores the web page owner's right to free speech. Worse, it ignores the absurd ease with which anyone can publish their own web site for free.⁽⁵⁴⁾ While a hacktivist's message is certainly protected by the First Amendment, the act of defacement tramples on the web page owner's right to speak, and such conduct cannot be protected.⁽⁵⁵⁾ Defacement is speaking through a stolen forum; while the speech is protected, the theft of the forum is not.

The first hacktivist group to get a lot of media attention was called X-Ploit. X-Ploit supported the Zapatista movement in Chiapas, Mexico, and in 1998, they attacked many Mexican government web sites⁽⁵⁶⁾ in order to draw world attention to their claims of government corruption and mistreatment of citizens. X-ploit gave the world sound bytes such as "The revolution will be digitized," and "La información es poder, y el saber nos hace libres!"⁽⁵⁷⁾

The U.S. Department of justice web site was defaced in 1996 by unknown perpetrator(s) opposed to the Communications Decency Act.⁽⁵⁸⁾ They renamed the page "U.S. (Japan's) Department of Injustice," replaced Janet Reno's picture with Adolph Hitler's, added a little nudity, and left the disclaimer"This page is in violation of the Communications Decency Act!"

In September of 1996, a Swedish hacker group called "Power Through Resistance" defaced the Central Intelligence Agency's page, renaming it the "Central (Un)Intelligence Agency."⁽⁵⁹⁾ They left the message "STOP LYING BO SKARINDER!!!" Bo Skarinder is the name of a Swedish official who was prosecuting a hacker in Sweden at the time. Whatever Power Through Resistance was protesting, it was probably not connected to the CIA.

The White House page was hacked in May of 1999 by a group called "Global Hell" (a.k.a. gH).⁽⁶⁰⁾ They renamed the page and left a statement. "Why did we hack this domain? Simple, we fucking could. Maybe this will teach the world a fucking lesson. Stop all the war. Consintrate [sic] on your own problems. Nothing was damaged, but we not telling how we got in. Fear the end of the world is upon us, in a few short months it will all be over. Y2K is coming. "

The U.S. Senate web page was hacked twice in 1999. In May 1999, the "Masters of Downloading" (a.k.a. MOD) left a challenge to the FBI.⁽⁶¹⁾ The second hack, in June 1999, was perpetrated by a Bulgarian hacking group. In addition to a typical "FREE KEVIN" banner, they offered to sell a car, and made sexual innuendos, all written in Bulgarian.⁽⁶²⁾

Not all web page defacements can rightly be called the work of hacktivists. Many defacements hold no discernible political content at all, and instead seem to have been perpetrated for no particular reason besides the thrill of the virtual conquest and the chance to gain a bit of notoriety within the subculture. Amnesty International was defaced in April of 1997, but in spite of the extremely high profile target, no political message was evident.⁽⁶³⁾ UNICEF was likewise hacked in January of 1998.⁽⁶⁴⁾ The UNICEF hackers, calling themselves Drunkz Against Madd Mothers, threatened that unless Kevin Mitnick was released from prison, supermodels all over the world would start to eat third world children.

In a move that is strikingly similar to Robert Morris' justification of the Internet Worm, many web page hackers claim that they are only defacing pages to point out a system's security holes before a more malicious hacker comes along and really exploits them. One such hacker goes by the handle "ytcracker."⁽⁶⁵⁾ In an attack on a NASA page in November of 1999, ytcracker left this message:

to the us government and military - i have warned you about these security flaws. please secure our military systems to protect us from cyber attack. if the most powerful country in the world is not prepared to defend against its own citizens, how can we trust other countries to show the same grace?⁽⁶⁶⁾

Also in November, in an attack on a NATO page, his message read "thank you to nato for keeping our world safe. we respect that, please fix your security.."⁽⁶⁷⁾

VII. Denial of Service Attacks

Defacing web pages is not the only form of action that Hacktivism can take. Hacktivism also includes "mail bombing" (inundating an enemy with nuisance e-mail) and "Denial of Service Attacks." Denial of service attacks involve a large group simultaneously and repeatedly calling up the same web site.⁽⁶⁸⁾ The sudden surge in traffic is intended to deny (or greatly slow) access to the web site by legitimate users, and could potentially crash a site's server. This kind of attack has been described as a "virtual sit-in." A rash of denial of service attacks shook the Internet in February of 2000, and caused many to question the continued viability of e-commerce. The attacks were directed at Amazon.com, eBay, E-Trade, and even the FBI's web site.⁽⁶⁹⁾

A group called the Electronic Disturbance Theater used denial of service attacks frequently in their support of the Zapatista rebels in Mexico. They staged several "protest actions" against White House and DOD computers. A Defense Department spokesman said "if it wasn't illegal it was certainly immoral - -there are other constructive methods of electronic protest."⁽⁷⁰⁾

VIII. Causing Damage

Some Hacktivists actually seek to damage to the computer systems they attack. In late 1998, a hacker group called "Legion of the Underground" (a.k.a. LoU) threatened to destroy the information infrastructures of China and Iraq in order to punish the oppressive governments there. In January of 1999, seven different major hacking organizations responded to these threats in a "Joint Statement."⁽⁷¹⁾ These organizations, who normally can't agree on much of anything, stated that although hacktivism "could in the eyes of some of the signatories sometimes be a legitimate way" of achieving publicity, "[o]ne cannot legitimately hope to improve a nation's free access to information by working to disable its data networks."

The threatened destruction never came, but in October of 1998, two LoU members did take it upon themselves to deface some Chinese web sites. Just days after the Chinese government unveiled a web site defending their handling of human rights, two hackers ("Bronc Buster" and "Zyklon") defaced the site, adding links to Amnesty International, and a New York based group called "Human Rights in China."⁽⁷²⁾ Their message:

China's people have no rights at all, never mind Human Rights. I really can't believe our government deals with them. ... How can the United States trade millions and millions of dollars with them and give them most favored trade status when they know what is happening? ...Chinese Communist Government - from me to you - FUCK OFF!!

In addition to his efforts to topple the communist regime in China, the hacker Zyklon defaced the web pages of domestic corporations like Bell South.⁽⁷³⁾ He didn't accuse these corporations of violating anybody's human rights but he did frequently profess his love for "Crystal." In real life, Zyklon was a high school student who was infatuated with a girl who didn't know he existed. In his Bell South defacement, Zyklon left the following message. "As you have guessed... this web site has been hacked. Why? because I was bored? yes... but more so, I was upset... [....] I am the loser... I will never have my Crystal... I will never be happy... Fuck life... I hope I goto [sic] prison and die."

Zyklon isn't dead yet, but part of his wish did come true. He was busted. At age nineteen he was sentenced to fifteen months in federal prison, ordered to pay $36,000 in restitution, and ordered not to touch a computer for 3 years after his release.⁽⁷⁴⁾

1999 was chock full of hacking related to the conflicts in the former republic of Yugoslavia.⁽⁷⁵⁾ Serb hackers attacked sites promoting the ethnic Albanian cause, pledging that "[w]e shall continue to remove ethnic Albanian lies from the Internet." Serbs also attacked a Croatian state-owned newspaper. Croatians retaliated by attacking the Serbian National Library.

During the NATO air campaign, hackers sympathetic to Serbia electronically "ping" attacked NATO web servers. Serb supporters from Russia and elsewhere attacked web sites in NATO countries, including the U.S., using virus infected e-mail and hacking attempts. Some British organizations lost files and databases. The United States claims that the war effort was not disrupted, but that such attacks may become a more serious problem in the future.

Peacenik hackers also joined the fray. The hacktivist group "Team Spl0it" defaced several government pages in protest of the war. One of the members, "f0bic," said "Our message was bright and clear: Stop the war before we go to World War III.... We are activists because we see there are wrongs that need to be corrected."⁽⁷⁶⁾ f0bic was also fond of commenting on U.S. pollution control policies, and the high school shooting in Littleton, Colorado. He was reportedly caught by the FBI and the DoD.⁽⁷⁷⁾

Last but not least, the perpetual hostilities between Iraq and Israel have provoked hacktivist attacks. In February, 1999, a fourteen year old boy from Tel Aviv, named Nir Zigdon, became a national hero after he reportedly wiped out www.iraq.org,an Iraqi government Internet site.⁽⁷⁸⁾ Zigdon said "I figured that if Israel is afraid of assassinating Saddam Hussein, at least I can try to destroy his site." He wrote an e-mail to an Iraqi system administrator, claiming to be a Palestinian admirer of Saddam's who had produced a virus capable of wiping out Israeli websites. Zigdon persuaded the Iraqi to open the message and click on the designated batch file, triggering the virus. Within hours the site had been destroyed.⁽⁷⁹⁾ Zigdon is quite the prodigy when it comes to viruses; he wrote his first one at age ten. In 1999, Zigdon was working for an Israeli computer firm managing thirty people, all considerably older than he is. Zigdon's job was to develop Internet software designed to withstand viruses. As of February, 1999, he was "planning an operation against neo-Nazi e-mail."

IX. Conclusion: Fear and Flu Shots Hackers do present a real threat to our way of life. They have the ability to discover secrets we assumed were secure, and manipulate our communications for their own ends. The threat that an individual hacker poses is difficult to gauge; it would be comforting to think that the only hackers we need fear are Ivy league graduate students, but today any middle school kid with Internet access can download all the tools needed to cause at least a little chaos.

If it is so easy to wreak havoc on our information infrastructures, why hasn't the sky fallen already? One possible answer is the Hacker Ethic; the Ethic preaches restraint, plain and simple. Most people are relatively decent, hackers included. The less desirable hackers in our midst wouldn't think twice about pilfering a credit card number, or surreptitiously copying an unreleased software package and publishing it on the world wide web. But it would take a truly sick individual to hack into a hospital's records database and start switching blood types.

Almost any one of you reading this has the power to obtain a high powered rifle, take it to the roof of a tall building, and open fire on the crowded street below. But we don't do it. Just because we have the power to do something horribly destructive doesn't mean we would ever do it in a million years, even by accident. We need to remember that when we prosecute hackers. We need to punish them for the damage they have actually caused, and for the threat they actually pose as individuals. We shouldn't punish them only for the skills they have, just because those abilities frighten us.

As a society, we should avoid sending non-malicious hackers to a prison where they will be exposed to hardened criminals. If we don't avoid this, as John Draper's story illustrates, we are going to end up with more and more bad guys educated in the arts of computer terrorism. If we the people collectively decide to "send a message" to high school hackers by putting them in prison, then we need to prepare ourselves for the inevitable proliferation of their skills among a decidedly unsavory component of our society.

Lastly, the idea that the punishment should fit the crime is an honored part of our tradition. Hacking crimes do cause damage, serious damage that needs to be combated. But there are real benefits to hacking which our government should be obligated to honestly recognize. Whenever they are detected, the actions of hackers point out security holes which we never knew were there. Once we see the hole, we can work to close it, so that we are never vulnerable in the same way again. Every winter, millions of people get flu shots. We allow ourselves to be injected with weakened influenza virus. The shot itself hurts our arms a little, and might make us sick to our stomachs. But we do this year after year, because we know the vaccine will help us gain immunity from that big bad bug of which we are all afraid. Most of the hackers out there do the exact same thing for our information infrastructures. They hurt us a little, and they worry us a lot, but the fact that they are there helps keep us on our toes, and that extra bit of attentiveness just might make the difference the next time a real cyber terrorist comes to town.

Notes

1. See John Simons, How a Cyber Sleuth, Using a 'Data Tap,' Busted a Hacker Ring, The Wall Street Journal, Oct. 1, 1999, A1.

2. Id.

3. Id.

4. Id.

5. Id.

6. Every day the Department of Defense detects some 80 to 100 events on their computer systems which could be hacking attempts, and the FBI's has over 800 pending hacking investigations. See Michael A. Vatis, Prepared Statement before the Subcomm. on Technology and Terrorism of the Senate Judiciary Comm., Oct. 6, 1999.

7. See Cyber-terrorists may lurk on a site near you, The Irish Times, Jan. 22, 1999, p. 59.

8. See MIT awards third Oscar to "Good Will Hunting" (Mar. 25, 1998) <http://web.mit.edu/newsoffice/nr/1998/oscarhack.html>, and see How to Get Around MIT (visited Jan. 27, 2001) <http://www.mit.edu/afs/athena.mit.edu/course/21/21w785/F98/HTG/hackingC.html> .

9. See Eric S. Raymond, The New Hackers Dictionary, MIT Press (1996), and see Hackers and Crackers (visited Jan. 27, 2001) <http://bvsd.k12.co.us/~clarkj/Hackers.html>.

10. See Niall McKay, Yugoslavian conflict spreads to the Internet but safety is ignored, The Irish Times, Apr. 9, 1999, p. 58.

11. Steven Levy, Hackers: Heroes of the Computer Revolution (1984).

12. See Boucher v. School Board of the School District of Greenfield, 134 F.3d 821 (7th Cir. 1998).

13. See Michelle Slatalla, Discovery Online, Hacker's Hall of Fame (1997) <http://www.discovery.com/area/technology/hackers/crunch.html>.

14. See John T. Draper, Cap'n Crunch's Home in Cyberspace (visited Dec.5, 1999) <http://www.webcrunchers.com/crunch/Play/history/home.html>.

15. See Bill Wall's list of 195 famous computer exploits (visited Jan. 27, 2001) <http://all.net/journal/50/hacks.html>.

16. Before they founded Apple Computer, both Steve Wozniak and Steve Jobs did their fair share of phone hacking with the Homebrew Computer Club. Wozniak went by the handle "Oak Toebark," and Jobs was known as "Berkeley Blue." See Robert Trigaux, Hackers: The Underbelly of Cyberspace, St. Petersburg Times, June 14, 1998, 1H.

17. See John T. Draper, Cap'n Crunch's Home in Cyberspace (Last modified 1/10/2001) <http://www.webcrunchers.com/crunch/>.

18. See John T. Draper, More Info here (visited Jan. 27, 2001) <http://www.webcrunchers.com/crunch/offer.html>.

19. See Michelle Slatalla, Discovery Online, Hacker's Hall of Fame (1997) <http://www.discovery.com/area/technology/hackers/morris.html>.

20. See Jerome Woody, Syracuse was site of Historic High-Tech Trial, Syracuse Herald-Journal, Mar. 4, 1999.

21. See United States v. Morris, 928 F.2d 504 at 509 (2d Cir, 1991).

22. As of January 2001, the most recent version of the act was amended by the National Information Infrastructure Protection Act of 1996, Pub. L. No. 104-294, § 102 (1996).

23. His personal web page makes no mention of the infamous Worm. See Robert T. Morris, Robert Morris (visited Jan. 27, 2001) <http://www.pdos.lcs.mit.edu/~rtm/>.

24. See Michelle Slatalla, Discovery Online, Hacker's Hall of Fame (1997) <http://www.discovery.com/area/technology/hackers/optik.html>.

25. See Mona Fikak, Mark Abene: "Phiber Optik" (visited Jan. 27, 2001) <http://minyos.its.rmit.edu.au/~s9608309/2.htm>.

26. Joshua Quittner, Hacker Homecoming, Time Magazine, January 23, 1995 Volume 145, No. 4, and see Technology: Phiber Optik Back Online (last modified Mar. 3, 1995) <http://www.virtualschool.edu/mon/Outlaws/PhiberOptikReturns.html>.

27. Hackers relentlessly harassed Quittner after the book was published. They disrupted his e-mail account, and rerouted his phone service to a sex line. The attacks lasted about a year. "Write another hacker book? I'd rather take on the Scientologists." See Robert Trigaux, Hackers: The Underbelly of Cyberspace, St. Petersburg Times, June 14, 1998, 1H.

28. Kevin Poulsen, Kevin Poulsen's Bio (visited Jan. 27, 2001) <http://www.kevinpoulsen.com/bio.html>.

29. See Michelle Slatalla, Discovery Online, Hackers' Hall of Fame (1997) <http://www.discovery.com/area/technology/hackers/poulsen.html>.

30. See Doug Fine, Why is Kevin Lee Poulsen Really in Jail? (1995) <http://www.well.com/user/fine/journalism/jail.html>.

31. Kevin Poulsen, www.KevinPoulsen.com: Scales-O-Justice (visited Jan. 27, 2001) <http://www.kevinpoulsen.com/scales.html>.

32. See Mona Fikak, Kevin Poulsen: Hacker for the Dark Side (visited Jan. 27, 2001) <http://minyos.its.rmit.edu.au/~s9608309/3.htm>.

33. See News: Page One (2001) <http://www.zdnet.com/zdnn/>.

34. See Security Focus (visited January 27, 2001) <http://www.securityfocus.com/>.

35. See United States v. Petersen, 98 F.3d 502 at 505 (9th Cir. 1996).

36. See U.S.S.G. § 3B1.3.

37. See United States v. Petersen, 98 F.3d 502 at 507 (9th Cir. 1996).

38. See Kevin Poulsen and Iolande Bloxsom, Tech TV | Marshals Nab Petersen (Dec. 11, 1998) <http://www.techtv.com/cybercrime/features/story/0,23008,2175248,00.html>.

39. Kevin Poulsen claims unintentional responsibility for Mitnick earning this title. See Kevin Poulsen, Tech TV | World Record Blunder (Jan. 8, 1999) <http://www.techtv.com/cybercrime/chaostheory/story/0,23008,2184507,00.html>.

40. See John Schwartz, Chipping In to Curb Computer Crime; Federal Authorities Get High-Tech Help in tracking Down Hacker, The Washington Post, Feb. 19, 1995, A01.

41. Shimomura and John Markoff wrote a book about the hunt for Mitnick. There allegedly was a major motion picture in the works, staring Skeet Ulrich. See generally TAKEDOWN (visited Jan. 27, 2001) <http://www.takedown.com>.

42. Goldstein's real name is Eric Corley. An ex-hacker, Corley adopted the name of the underground leader in the George Orwell novel, 1984. See Bruce Haring, Computer Hacker's Biggest Backer, USA Today, Sept. 15, 1995, D8.

43. See 2600: The Hacker Quarterly <http://www.2600.com>, and FREE KEVIN MITNICK, The Official Kevin Mitnick Site <http://www.freekevin.com>, (both sites visited Jan. 27, 2001) .

44. "Off The Hook" is broadcast live over the Internet. You may also download archived shows. See 2600| Off The Hook Real Audio (visited Jan. 27, 2001) <http://www.2600.com/offthehook/>.

45. The count as of Dec. 9, 1999 was approximately 154 government sites and 98 military sites. By Jan. 27, 2001, the count was up to 336 government sites, and 154 military sites. See <http://www.attrition.org/mirror/attrition/gov.html>, and <http://www.attrition.org/mirror/attrition/mil.html> respectively.

46. See Kevin Poulsen, ZDNet: News: It's over - Mitnick finally sentenced (Aug. 9, 1999) <http://www.zdnet.com/zdnn/stories/news/0,4586,2311616,00.html?chkpt=hpqs014>.

47. This is not the only statute relevant to hacker prosecutions. In the past, many hackers have been prosecuted under the wire fraud statute (18 U.S. C. § 1343), but Congress passed § 1030 to provide comprehensive coverage of computer crime. Other statutes which may be relevant are 18 U.S.C. § 1029 (which criminalizes password trading), the Copyright Act, and the Electronic Communications Privacy Act.

48. See generally Ian C. Ballon, Alternative Corporate Responses to Internet Data Theft, 471 PLI/Pat 737 (1997).

49. Robert Trigaux, Hackers: The Underbelly of Cyberspace, St. Petersburg Times, June 14, 1998, 1H.

50. See generally Marc D. Goodman, Why the Police Don't Care About Computer Crime, 10 Harv. J.L. & Tech. 465 (1997).

51. Welcome to the National Infrastructure Protection Center Page (visited Jan. 27, 2001) <www.nipc.gov>.

52. Hacktivists normally leave behind undamaged (but renamed) copies of all the original web files. This is probably due partly to the Hacker Ethic's command to "do no harm," and partly due to the very real difference between unauthorized access (misdemeanor) and unauthorized access plus damage (felony).

53. The primary archive site used for this essay was attrition.org (visited Jan. 27, 2001) <http://www.attrition.org>. Attrition's motto: "They defaced it. We mirrored it. That settles it."

54. The author recommends the free services of Yahoo! GeoCities - Your Home on the Web (visited Jan. 27, 2001) <http://www.oocities.org>.

55. Hacktivism has been condemned by "HateWatch," an Internet watchdog. See From child porn to racist hate, Internet 'violence' is an issue, The Irish Times, Nov. 17, 1999 p. 10.

56. See X-Ploit Homepage! (Jan. 1, 1998) <http://www.attrition.org/mirror/attrition/1998/01/01/www.ssa.gob.mx/>, X-Ploit Homepage! [EZLN] (Feb. 4, 1998) <http://www.attrition.org/mirror/attrition/1998/02/04/www.shcp.gob.mx/>, and !! Viva Mexico Viva !! Por X-Ploit (Sept. 16, 1998) <http://www.attrition.org/mirror/attrition/1998/09/16/www.sanpedro.gob.mx/>.

57. Loosely translated, "Information is power, and knowledge will set us free!"

58. See US (Japan's) Department of Injustice Home Page (Aug. 18, 1996) <http://www.attrition.org/mirror/attrition/1996/08/18/www.doj.gov/>. Warning: this defaced page contains nudity.

59. See Central (Un)Intelligence Agency (Sept. 20, 1996) <http://www.attrition.org/mirror/attrition/1996/09/20/www.cia.gov/mirror.html>.

60. See gH and Hong Kong Danger Duo w00p! (May 10, 1999) <http://attrition.org/mirror/attrition/1999/05/10/www.whitehouse.gov/mirror.html>.

61. "FBI vs. M0D in '99, BR1NG IT 0N FUQRZ!" See w3lc0m3 t0 th3 ph34r n4t10n (May 27, 1999) <http://www.attrition.org/mirror/attrition/1999/05/27/www.senate.gov/>.

62. The car offer translation:"I will sell my FIAT car in very good condition -Contact schMATKA :")) " Interestingly, the Bulgarians didn't hack web site itself, but somehow altered the Domain Name Server so that traffic intended for www.senate.gov was temporarily routed elsewhere. See U.S. Senate hackeD by VHG (June 11, 1999) <http://www.attrition.org/mirror/attrition/1999/06/11/www.senate.gov-2/mirror.html>.

63. See wh0 laughs last? (Apr. 26, 1997) <http://www.attrition.org/mirror/attrition/1997/04/26/www.amnesty.org/mirror.html>.

64. See UNICEF/DAMM Coallition [sic] (Jan. 7, 1998) <http://www.attrition.org/mirror/attrition/1998/01/07/www.unicef.org/>.

65. See [ytcracker labs] [colorado springs] [sevennenine] (last updated Dec. 23, 1999) <http://www.felons.org/ytcracker/>.

66. See [ytcracker] [s0n] [ytcracker labs] (Nov. 23, 1999) <http://attrition.org/mirror/attrition/1999/11/23/international.gsfc.nasa.gov/>.

67. See [ytcracker and fuqrag] [NATO] (Nov. 22, 1999) <http://attrition.org/mirror/attrition/1999/11/22/www.naewfc.nato.int/>.

68. Denial of service attacks are sometimes facilitated by a program called Floodnet, written by a Quincy, Massachusetts "digital performance artist" named Carmin Karasic. Karasic has been affiliated with the hacktivist group "the Electronic Disturbance Theatre." See Patti Hartigan, The Morphing of Carmin Karasic, The Boston Globe, Apr. 30,1999, D1.

69. See John Schwartz, Hackers Hit FBI Web Site, The Washington Post, Feb. 26, 2000, E02.

70. Amy Harmon, 'Hacktivists' of all Persuasions Take Their Struggle to the Web, N.Y. Times, Oct. 31, 1998, A1.

71. See LoU Joint Statement, (visited Jan. 27, 2001) <http://www.l0pht.com/lou.html>.

72. See China Fuck Off! (Oct. 27, 1998) <http://www.attrition.org/mirror/attrition/1998/10/27/www.humanrights-china.org-1/>.

73. See I love Crystal (Jan. 1, 1999) <http://www.attrition.org/mirror/attrition/1999/01/01/www.bellsouthcorp.com/>.

74. See TechTV | 'Zyklon' Jail-bound (Nov. 23, 1999) <http://www.techtv.com/news/hackingandsecurity/story/0,23008,2331529,00.html>.

75. See Niall McKay, Yugoslavian conflict spreads to the Internet but safety is ignored, The Irish Times, Apr. 9, 1999, p. 58.

76. See Patti Hardigan, Electronic infiltration is burgeoning war zone of hackers worldwide, The Boston Globe, Apr. 3, 1999, A2.

77. See evolve or perish (July 1, 1999) <http://attrition.org/mirror/attrition/1999/07/01/www.maris.int/>.

78. See Tom Gross, Israeli boy, 14, hacks Saddam off the Internet, Sunday Telegraph (London), Feb. 7, 1999, p. 26.

79. The web site's operator denied the attack was successful, and claimed the site's temporary absence from the Internet was a security precaution. See BBC News | Middle East | Teenage hacker 'destroys anti-Israeli Website' (Feb. 1, 1999) <http://news2.thdo.bbc.co.uk/hi/english/world/middle_east/newsid_269000/269399.stm>.