The New Statesman Profile - the hacker

He may be a white hat, a black hat, a phreaker or a script kiddie. But is he just a vandal, or is he

When word got out that Egg, Prudential's internet bank, had been the target of fraud, there was no doubt who was to blame: "a gang of computer hackers", according to the Daily Telegraph; "professional hackers", agreed the Independent. Suddenly, the magical powers of hackers were again threatening the security of computer users everywhere.

It was the same story with the midsummer leaks from No 10 - those hackers again, some said. On internet chat sites, wild stories circulated that the Conservative Party had hired professional hackers to obtain embarrassing details from Millbank's computers. And when a PowerGen customer complained that he had stumbled across thousands of customer details on the company's website, PowerGen quickly accused him of having illegally broken into its computers to find them.

Great stories. The only problem is that none was true. The leaks from Tony Blair and Philip Gould turned out to have been found by Benji the Binman, rooting in the dustbins, and sold to newspapers. PowerGen ended up apologising to its customers for its lax security. And Egg announced: "This is not about hacking."

Whenever computers run into problems these days, the finger is pointed first at hackers. "Most people have no idea of what hacking is all about," says a hacker who has asked not to be named - not even by his internet "handle", the nickname by which hackers identify each other ("I've done very well so far by being paranoid, and I'm not going to stop now").

There are many different breeds of hackers, with the community divided into "white hat" and "black hat" users. The white hats are worn by hackers who are motivated by a desire to pit their knowledge against the professionals at Microsoft and BT - and might even work for them. If they find a security flaw in the software or a website, they will often tip off the company involved or make it public. The black hats are the malicious hackers of the public imagination, who tamper illegally with computers and tell other black hatters how to do the same thing.

Finding hackers is difficult, as they are not easy to spot. To the security guards at London's Trocadero, they are just another bunch of teenagers hanging around in a big group on a Friday evening, getting in the way. But anyone who understands their cryptic black hats emblazoned with the number 2600 will recognise them as computer hackers.

Once a month, the group, which is based around the US magazine 2600: The Hacker Quarterly, meet each other in the flesh, rather than through their computer screens. "It's a pretty social atmosphere," says one. "There isn't too much stuff about hacking goes on; it's mainly about hanging out." But much of the conversation is unintelligible to anyone without a detailed knowledge of computers or telephone networks.

The odd thing about hacking is that, despite the image of the solitary teenager in his bedroom using a computer to vandalise the internet, it is actually an intensely social activity of shared experience, even if most of the sharing takes place in internet chat, e-mails and websites. Hacker meetings such as the London 2600 gathering resemble some sort of weird offshoot of the Boy Scouts: mostly male, although there are a few women, mostly clean-cut and middle class, with ages ranging from the mid-teens to the early twenties. Some of the older ones have respectable careers, not all in the computer industry. Not many smoke or drink alcohol, even when the meeting moves on to a licensed internet cafe in Soho.

The term "hackers" that is bandied about doesn't even cover the activity that most associate it with. Hacking, in its original sense, is about taking apart the programming code of computer software. The challenge is to make a program do something it wasn't designed to do. What the public thinks of as hacking - breaking into other computers - is more properly called cracking, as in "cracking open a box" ("box" being geek-speak for computer).

Alongside the hackers and crackers are "phreakers", the telecommunications equivalent, who specialise in deciphering telephone networks, usually with the aim of getting free phone calls. Phreakers have been around for a lot longer - the name of 2600 magazine is, in fact, a reference to a technical piece of telephony - although many hackers are also interested in phreaking. The motivation is the same: to find out how things work. For example, there is a fascinating website run by a phreaker which lists the results of ringing certain freephone numbers in the UK. Some of the results are slightly disturbing: dialling 0800 891422 connects to a fax number in the Pentagon, while 0800 891585 calls Bank of America's military banking services.

But as more people have got access to powerful computer equipment and faster online connections, the hacker scene has been swamped by an invasion of what they rudely call "script kiddies" - wannabe hackers without the skills to write their own programming codes, the generation brought up using computers mainly through Microsoft's Windows software.

The script kiddies feed off the skills of the black hats who write hacking programs (called "exploits") and distribute them over the internet. This makes some forms of hacking available to just about anyone with the nous to switch a computer on - and has unleashed most of the petty vandalism seen on the internet.

Available on websites around the world, free of charge, are programs that exploit attacks on the unwary and unprepared. These include password crackers, programs that use brute force to try thousands of password combinations, as well as scanners that can roam the web looking for vulnerable computers hooked up to the internet. Even more frightening are the remote "administration", hidden programs that allow their operators to spy on and control an individual computer.

What lets the script kiddies have their fun is the same thing that has allowed the explosion in computer use over the past few years: the availability of easy-to-use software for building internet servers, networks and websites, bought off the shelf and requiring no great expertise to install. Once one black hat finds a security flaw in a piece of software, it can be passed rapidly around the internet.

As a result, security flaws that are two or three years old can still be exploited by hackers if the unwary administrator isn't up with the play. Many hackers claim they are performing an important role in highlighting dangerous insecurities: if they didn't publicise the faults, then malicious hackers would exploit the flaws for their own ends. Even Microsoft grudgingly concedes that hackers have a role in improving internet security, although one member of the company's security team likened it to "improving public safety by painting a target on everyone's head".

Sometimes, the hackers don't even have to type a key to embarrass big businesses. In July, Barclays Bank's online operation was found to include a major bug that mixed up customers' accounts. "The event itself and its root causes were anything but unique and surprising; it all boils down to spending too little on security, and rushing to market with new services," according to Thomas Greene, a journalist with The Register, a leading information technology news service.

The problem is that the internet was never designed to be secure. Access, not security, is its main priority. Yet rather than concentrate on getting operators such as Barclays to pull their socks up, the government prefers to focus on the threat from hackers who flourish in the weak security environment.

The police, the 2600 members agree, have little chance of tracking down experienced computer hackers, "even if they had the skills, which they don't", because of the difficulty in collecting evidence from hard disks and e-mails that will stand up in court. "There's never been a successful contested prosecution in this country [under the Misuse of Computers Act 1990]," says one. That's because the evidence in hacking cases is often only the contents of computer hard disks and print-outs of internet activity, both very easy to tamper with or fake, and so unlikely to convince a jury without supporting evidence.

That track record will soon be put to the test, when Swansea Crown Court becomes the unlikely venue of the UK's first international computer hacking case. In March this year, the 18-year-old Raphael Gray was arrested under the 1990 act and charged with downloading unauthorised information from websites in the UK, the US, Canada, Japan and Thailand. "There were eight police officers in a riot van, so it was an unusual sight in Clynderwyn," Gray said, after the dawn raid on the village in west Wales where he lives with his mother.

Gray's crime, according to the police, was breaking into commercial websites and retrieving credit card details. According to Gray, he contacted the companies involved when he realised that he could exploit a security hole in the particular Microsoft software they used. When the sites didn't respond, Gray began publishing credit card details on a website; this brought the van full of police and an FBI agent in regulation trenchcoat to Clynderwyn.

Back in London, the 2600 gathering slowly breaks up, as members start worrying about catching the Tube home. A few slip out into night-time Soho for "skip surfing", a tour of the rubbish from the big companies in the area, on the lookout for computer equipment they can recycle. Security guards can be a problem. "They are just worried that we'll cause a mess," says one member, as they poke around for the valuable bits and pieces that companies overlook, whether in the skips of Soho or the far reaches of the internet.

The writer is a Guardian journalist

Next Article