Postscript to "Concerning Hackers Who Break into Computer Systems"
Dorothy E. Denning
Georgetown University
June 11, 1995

After completing the article five years ago, I interviewed people in law enforcement and industry who investigated cases of system intrusion. I found that many of the claims made by hackers were not substantiated by the evidence collected and that, with few exceptions, the cases were handled competently and professionally. First and Fourth Amendment rights were not being trampled, and the issue was not law enforcement vs. civil liberties. As a result of my continued research, I developed a better understanding of all sides of the hacker issue, and came to disagree with some of my earlier interpretations and conclusions. The purpose of this postscript is to summarize some of my current thoughts on hackers.

Hacking is a serious and costly problem. Even when there is no malicious intent, intrusions can be extremely disruptive if not outright damaging. A system administrator must assess whether passwords or sensitive information might have been compromised, check for altered files and Trojan horses, and, when necessary, restore the system to a previous "safe" state or change passwords. A system might be down for hours or more than a day while these activities take place. At one university I know, a full-time person is needed just to respond to intruders. Hackers either do not appreciate the consequences of their "non-malicious" hacking on system administrators and users, or else they deny these negative effects in order to justify their actions.

Hackers place responsibility for their intrusions on system developers and administrators for not making their systems secure. They do not seem to appreciate that security is only one factor that must be considered in the design and operation of a system.
Real-world requirements, constraints, and budgets can lead to tradeoffs with other factors such as ease of use, network access, development time, and system or administration overhead. One system administrator I know spends about a third of his time keeping up with and responding to security threats. That is time that otherwise could be spent installing new software or making other improvements to the system. Even when security is of high priority, it is difficult to fully achieve, since new designs and protocols can introduce new vulnerabilities. In one recent case, a network security tool (SATAN) that had been developed by security experts to detect vulnerabilities was found to introduce one of its own. I do not mean to suggest that system developers, administrators, and users have no responsibility for making their systems secure, but rather that those who carry out an attack are responsible for the attack itself in the same way that robbers and other criminals are responsible for their deeds. It is unrealistic to expect or demand that all systems will be fully secure.

In placing the blame for their intrusions on their victims, hackers fail to acknowledge how their own actions have contributed to the security problem. They spread knowledge about how to penetrate systems through electronic publications and bulletin board systems, and by teaching novices. The current issue of Phrack (Volume Six, Issue Forty-Seven), for example, contains articles on how to crack Unix and VMS passwords, gain root access, erase one's tracks from system logs, send fake mail, and defeat copy protection. Many articles contain code for implementing an attack or point the reader to sites where penetration software can be downloaded and run. Many attacks have been sufficiently automated that novices can perform them with little effort or understanding of the systems they are attacking.
Hackers justify their illegal or unethical actions by appealing to the First Amendment and by claiming that the vulnerabilities they find need to be widely exposed lest they be exploited by "real criminals" or "malicious hackers." In fact, information disseminated through hacker publications and bulletin boards has frequently been used to commit serious crimes, with losses sometimes reaching millions of dollars. Hackers do not acknowledge the value of information to those who produce it (even while jealously guarding access to some of their own files), using the hacker ethic that "all information should be free" as a convenient rationale for disseminating whatever they please. They do not distinguish between the dissemination of information about system vulnerabilities and attacks for the purpose of preventing attacks vs. performing them, a distinction that leads to considerably different articles and publications (e.g., CERT advisories vs. Phrack's hacker tutorials). Hackers do not see that, in many cases, they are the biggest threat. Were it not for hackers, many systems might never be attacked despite their weaknesses, just as many of us are never robbed even though we are vulnerable.

I do not have a solution to the hacker problem, but I no longer recommend working closely with hackers towards one. I doubt that many hackers have any serious interest in seeing their attacks successfully thwarted, as it would destroy a "game" they enjoy. Moreover, working with people who flagrantly violate the law sends the wrong message and rewards the wrong behavior. Computer ethics education might deter some potential hackers, but it will not deter those hackers who are determined to pursue their trade and take advantage of computer networks to spread their knowledge far and wide. Better security and law enforcement are the best approaches, so that the chances of penetration are reduced while those for detection and prosecution are increased. However, neither will solve the problem completely. There is no "silver bullet" that will stop hacking.