I am sitting in a room in another state with a group of people I barely know. We are all silent, and my eyes are transfixed on a little machine. It's a modified scanner, altered somehow to allow its owner to tune in cellular telephone conversations from passing cars which are equipped with telephones.
It's no big deal to anyone else in the room. They've been listening for years. I am there to try to understand the attraction these people have to listening in on other people's conversations. It takes about three calls to become hooked.
I hear people fighting with their spouses, trying hard to score dates and discussing what they are looking for in prospective employees. I hear anger, laughter, secrets, credit card numbers, unlisted telephone numbers and lots of cursing. It turns out people curse about everything on the phone. The phone phreaks I am with tell me it is illegal to be listening to these cellular calls. I feel exhilarated at hearing things I shouldn't and I leave convinced there are times it's fun to violate people's privacy. What harm is done when they don't even know?
"Paranoia strikes deep... into your life it will creep ..." -Stephen Stills
A few days later my own telephone rings. On the other end is someone from the WELL, an on-line service we use to receive electronic mail from staff, subscribers, potential advertisers and fellow publishers. I have been using the WELL a lot lately. It allows me to connect to Internet Relay Chat (IRC) where I can chat with people from all over the world who might read magazines. The WELL staff member tells me he has something fairly serious to discuss with me but that I must first promise I will not print anything about it in Gray Areas. Hmn.
My first thought is that the WELL is canceling my account due to the number of gray people who E-mail me and the amount of time I am spending on IRC. I would have no particular interest in making this information public, so I quickly agree. I am then told someone has broken into the WELL and stolen my corporation's mail. I am in shock. Immediately I realize that dozens of other publications I correspond with and many past and future interviewees have also been compromised. I'm told the WELL has a log of what the guy did. From the time they started tracking him, my mail is the only mail he tampered with. I ask the WELL to find out exactly which pieces of my stored mail he looked at. We agree that if I choose to write about this, I will show the WELL the story first. I hang up and realize my life has profoundly changed.
This is a gray area I never thought we'd cover. It is clearly an electronic form of rape. The victim has no clue who the attacker was or even how many times they've been violated. In fact, people don't usually find out they've been a victim and when they do they keep silent, shamed, like physical rape victims. We were unable to find any other article that had ever been written on this subject from the victim's point of view.
My first thought is that someone I know did this to me. The WELL has over 7000 users including famous people such as Billy Idol, David Crosby and John Perry Barlow. It houses electronic mail accounts for many other publications such as Wired, Phrack, 2600, Factsheet Five, Mondo 2000, Computer underground Digest and Whole Earth Review. Why only me?
I start thinking maybe it was a competitor. This type of industrial espionage is common. One of my competitors actually called photographers and told them not to sell us Grateful Dead photographs. They asked photographers to break written contracts with us because they are so threatened by our existence. Initially, they are a prime suspect.
Or, it could be a virus writer. Of the 26 pieces of stored mail in my account on the date the WELL brought to my attention, over 20 of them happen to involve virus writers and anti-virus researchers. I correspond regularly with a lot of people in the computer underground who hate each other. Maybe someone wanted dirt on someone else they knew I write to. It's revolting to have to start suspecting that your friends are stabbing you in the back.
Finally, I decide I have no choice but to tell people I write to. I start spending what will eventually become thousands of dollars to try to protect my electronic mail and reputation. I write dozens of people initially to tell them that their real names, companies, sex lives and gossip may be posted on the Internet for millions of people to see. None are pleased but most don't blame me. One tells me he doesn't care if ten million people see his mail to me as long as I continue to write him. I cry a lot.
Then I decide to go public. As a former sexologist, I've always advocated that women report rapes and I would be hypocritical to keep my own assault a secret. Considering that my mail may be posted, altered, sent to the people gossiped about, etc., I feel I have no choice. I start to get physically sick. I throw up constantly. It lasts for weeks, ultimately resolved only by finding out what really happened.
I am also secretly flattered to have been chosen. Everyone I tell looks at me in a new light. I must be important ("elite") for this to happen to me instead of the other luminaries on the WELL. I can't shake the feeling that I enjoyed invading other people's privacy by listening to that scanner. It doesn't bother me at all that someone read my mail. However, distributing it to others, publishing it or posting it is another matter entirely. My readers and staff should not have to suffer because someone was interested in me. Days pass. It seems the mail is not being spread.
Perhaps it was simply someone I tried to interview. I told many people in the computer underground to feel free to "check me out." Maybe one of them took me up on it in a way I never expected.
I decide to call in some favors and ask people I know to find the guy. I want to know how much of my mail he has, what he plans to do with it and ideally to obtain an interview with him.
I've told you before that the underground is a small place. It only took several days to find him. I was told the "cracker" would call me and to have my questions ready. Why did he come forward? No doubt because he has great respect for the person who asked him to. He was also told I was sick and that I needed an explanation from him.
I found myself more nervous interviewing him than I've ever been with a celebrity. Why? This guy had talents I don't fully understand and I feared if I phrased a question badly he might simply hang up. Finally, he calls.
Below is a partial transcript of that interview which occurred in early 1993, about two weeks after the WELL first called me.
"Starts when you're always afraid... Step out of line, the man come and take you away..." -Stephen Stills
Netta Gilboa: If it makes you feel any better, I'm probably as nervous about talking to you as you are to me.
WELL Cracker1: Oh. You really don't have any reason to be nervous. I guess I'm the one who would be in a lot of trouble if I got caught. Well, I'll tell you right now, I won't lie to you.
GA: Okay, that's good.
WC1: If I can't tell you, I'll just say so.
GA: That's fine. First you have to prove to me you're the guy because, obviously, a lot of people know about this.
WC1: Oh, that's fair.
GA: Whose account did you originally use to get into the WELL?
WC1: M---- whose password was L---*---. It probably still is, if it's not changed.
GA: It probably still is. The WELL hasn't told anyone to change their passwords. Did you use Satori, Nioski, or Old WELL to get in?
WC1: We didn't come in through Nioski, believe it or not. But we did get Nioski patched while in there. Can I just ask you, like one real quick question?
WC1: And, I mean, I believe you'll tell the truth, but...
GA: If you'd see my magazine, you'd know I would. Hey, you've seen my mail! You know I tell the truth.
WC1: The question I wanted to ask you was if you're working with law enforcement or something.
GA: Oh, no. Definitely not.
WC1: First of all, I want to let you know I'm horribly scared, not of you really so much, but of getting caught and getting busted.
GA: Well, that's a possibility. And one of the reasons I'm happy to talk to you is 'cause I don't want to see that happen. I'll just read you our Statement of Purpose (reads it in entirety). So that should say plenty. I have many, many questions and then you can ask me as many as you want to. How's that?
WC1: Well, how about if we trade off back and forth? I only really have one question. I'm just curious if they know who I am.
GA: I don't know how they knew who you are and I don't know who you are, but if you want to tell me who you are or you want to tell me what state you're from, I can confirm or deny whether that's the person they suspect.
WC1: But if I told you what state I was from, you could tell me whether they know that I came from that state or not?
GA: We could narrow it down to one out of fifty. They told me the state.
WC1: They told you the state? Is it (names state)?
WC1: Is it (names another state)?
WC1: S---. Do you think they actually completed a trace? All the way?
GA: I don't know. And you're asking me more questions. No fair.
WC1: Okay, go ahead.
GA: What other systems did you try to break into from the WELL?
WC1: Wetware.Com. I would look through my notes but they've all been destroyed.
WC1: But, I know that most of them were .Com Sites.
WC1: I may already have accounts connected to there, that's possible.
GA: Okay. They contacted all the systems that you went to.
WC1: Yeah, I haven't been on any of the systems that I came from. In fact, I've been off the Internet now and I've been off the WELL about ten days or eleven days, today. I counted; it's been about eleven days. In fact, those logs that I looked at that I noticed when I noticed they started logging, the logs started a day after, or I noticed the day after the logs had been running about 26-28 hours. And then that's the last time I ever connected.
GA: But that was the time you got my mail?
WC1: The only time I may have even looked through your mail is if I noticed you on IRC and I may have freaked out when I thought you were coming from the WELL. Because I was probably on coming from the WELL at the same time. And so I may have scanned through your directory for key words and stuff. I probably did it more for your in box. And just maybe tailed to see if you had been receiving or sending any mail indicating that you were aware of my presence. One thing you should know is I went horribly fast when I did things and I was just always very paranoid, always looking over my shoulder kind of thing.
GA: The WELL, according to the record they have, you definitely read my mail.
WC1: Okay. Then that's more than likely true.
GA: But you say that's only one time?
WC1: No, I didn't say it was only one time. I said, "I know if I did it, it was, probably, more than likely," if I went after someone's mail specifically it was because I heard of them before. Like Phiber Optik, Emmanuel Goldstein, Mitch Kapor, Clifford Stoll, Gail Thackeray, Chris Goggans.
GA: What was in Chris' mailbox? Does he get more mail than me?
WC1: People sending subscriptions to Phrack. I remember him talking to someone about not getting their PGP key working right.
GA: Real exciting stuff.
WC1: Yeah. Do you think that I'm gonna get raided or something? I heard something to the effect that the FBI wasn't interested in pursuing this.
GA: The WELL is, though, and they're making public that they are.
GA: Uh huh.
WC1: So, if I came out and said, "Hello," and tell them that I'm not attacking their system anymore and if I showed them the weakness, the way that I got root, and all that other stuff. I'll only deal through Wisner (ed. note: Wisner is the WELL's system administrator) because I've heard of him through his reputation. I don't really know Wisner, but I've talked to a couple of people who either know him or talk to him or know or know of him. And I don't really want to face those people at work because they know who I am.
GA: That's fine. I'm not trying to get your identity out of you.
WC1: I know. Netta, you have me really scared now.
GA: Well, you can imagine how I felt! First of all, when they called me, I thought they were calling me to tell me that they were throwing me off the WELL because I was getting too much E-mail from hackers and you're not allowed to do that. Honest to God. I didn't know. You know, why else would they be calling me? So, I picked up the phone and they told me I had to promise not to publish it in Gray Areas, so what in the world could they want me not to publish in Gray Areas except the fact they're throwing me off the WELL because I hang out on IRC and get E-mail from hackers? So I promise I won't publish it in Gray Areas and they tell me my account was gone into and that they called in the FBI, and I'm like, "Oh, we guarantee anonymity." And then they just kept going and kept telling me why I couldn't tell anyone and why I couldn't do this and, you know, I don't see them doing anything about it.
WC1: If I'm ever caught, would you bring any of the information I'm talking to you about out in the public to be used against me?
GA: I'm guaranteeing you anonymity and immunity if I am called to testify against you.
WC1: Okay. I believe you.
GA: You should, you know, you have my home address, my real name and my mail. I mean, you have way more you can do to me than I can do to you.
WC1: Well, this is probably going to come out in your questions, but, I never deleted anything. I overwrote system logs to cover up my identity or my being on the system. But, I never had a malicious intent. I don't even go after people who I would want revenge on. If I had an enemy on the WELL, I wouldn't have deleted their stuff.
GA: What was your intent?
WC1: It was a challenge in the first place to get root, and once I had root, I thought I might as well reap the reward, and that is to see the things that no one else is allowed to see. More or less, I guess forbidden information.
GA: How many other people have seen the mail?
WC1: My one associate that I work with and I won't reveal his identity or talk about it. Just because he is a friend and we have more or less a pact. I can't break any pact that was made before I agreed to talk to you.
GA: One of the suspicions a lot of people have is since you came in and took specific peoples' mail, that there is an intention ultimately to do something with that mail.
WC1: Like what?
GA: Spread it on the Net, sell it, blackmail.
WC1: No, not sell it, because I'm not in it for financial gain. I did give copies of Billy Idol's mail (ed. note: Idol is a rock star) to a couple of friends. That's the truth.
GA: Um hm. But I think the publications are more worried.
WC1: You mean, like, magazines and stuff?
GA: Like, as you mentioned, us and 2600 and Phrack magazine.
WC1: I had more of an interest while I was on there in Billy Idol because he had a lot of new mail and stuff and the other people, I don't remember finding anything really interesting in theirs. Especially when it comes to Goggans and Goldstein, because I really have a lot of respect for them and I don't think I would screw up either of them because they are some of the few people that I guess are pro-hackers. And they are involved in their scene and I don't feel it would look good for me amongst my other friends if I were to screw up one of them. It's kind of an unwritten law to not tread on other people's feet. So, I guess really my intention was never for anyone to know that I read their mail but if there's any people I wouldn't ever want to know, it would be them. Billy Idol, I mean, to me he seems like the kind of person who wouldn't care; maybe even be impressed by it.
GA: Well, that's between you and Billy Idol. All I care about is my mail.
WC1: I couldn't tell you what was in your mail. You could even tell me what was in your mail and I wouldn't even be able to confirm or deny, because I really don't even remember if anything, if I could just say one word that described what I did when I dumped your mail file, it would be scan, more or less. Not even really reading. You're asking me, and I'm telling you the truth, really.
GA: So I'm not gonna see my mail on the Internet?
WC1: I guarantee it, and if you do, I absolutely guarantee it wasn't from me.
GA: Yeah, but if you gave it to other people, I won't know that.
WC1: I definitely did not give the mail, 'cause I didn't save it when I catted it. When I took copies of Billy Idol's mail, I didn't cat it. I copied it and then compressed it and FTP'd to a site somewhere else that was closer to me and downloaded it. That's what I would do if I were to take someone's mail, it would be a specific thing I was after. You were just kind of a quickie to see who you were and see if you were interested in me and when I found out you weren't, I was on my way doing something else. So, no, nothing you had in your file would probably have been particularly interesting.
GA: It was mostly stuff about viruses.
WC1: In fact, I thought you were a hacker and I didn't even know you're a female, I didn't even know you're a magazine.
GA: I heard that. It made me feel better. I stopped having nightmares.
WC1: Well, I'm sorry. It feels kind of weird; I've never said "sorry" to someone I stepped on before.
GA: Well, I don't care that you stepped on me for a number of reasons. First of all, you made me increase my own WELL security because I learned anybody can read anybody else's mail.
WC1: There's PGP and stuff like that.
GA: Uh huh. But they don't tell anybody to do that.
WC1: So is the WELL really pissed? I can't understand why they of all people would have gone around and told everyone and made a big fuss about it. It seems they would have wanted to keep it quiet and not tell people and try to correct the problem before it got out of hand.
GA: Well, the people they told are the people they brought in to know how to deal with the problem and the people who were affected by the problem. And they posted something on one of their conferences which, when you log on the WELL, you don't even see a pointer that it's there. Unless someone directs you there, you'd never know they were broken into.
WC1: I didn't even go into the conferences.
GA: So I heard. And I was told how lucky I am that posts weren't made on the conferences with my name.
WC1: If they do decide to come after me, what do you think they would do to me?
GA: I think they would look for some law enforcement body to do something so they didn't have to do anything. And I think they already decided to come after you. It's just a question of whether they got any cooperation from the places that they've turned to.
WC1: So you think it could be civil, too?
GA: I don't know. The WELL is run by some '60s type people who don't seem to really believe a lot in using the legal system to solve problems. They certainly never helped users out when users wanted to sue other users.
WC1: You're led to believe that they know who I am? That surprises me because I was on the system for such a short time, and I'd like to believe that I caught on early that they were monitoring me.
GA: They traced you very quickly by the fact that you looked in IRC for a while. That said a lot.
WC1: They knew I was in IRC for a long time?
GA: They have a record of almost everything that you did to me on that one night.
WC1: Do you think it's possible that they don't know who I am? And that they're waiting for me to connect again to do a trace or something?
GA: They're definitely not expecting it. They believe they've locked you out and their system is secure and no one needs to change their passwords.
WC1: I want them to believe that 'cause I'm not even going back. Do you think it's possible that they only know who I am by my handle?
GA: That's possible but yours is the handle they named.
WC1: They did say my handle?
GA: (confirms) And they definitely said your state. So either somebody that you showed mail to blabbed or...
WC1: I have never said my real name over the Internet and I've never said any of my real info, so, if they find me, they're going to have to find someone I guess who knows me well enough to have my info. Except that I've moved and that no one knows where I live and no one has my phone number now. Something in me just doesn't want to say it, you know, out loud. Something about saying it out loud makes me think it's going to go everywhere from that point. When you look at it like a hacker, you start to think in terms of, it's not a matter of trusting one person, it's a matter of trusting your whole environment that you're around. You know? Do you understand kind of what I mean?
GA: Yeah, I've hung out with plenty of hackers. For a girl.
WC1: So, do you think the FBI's even interested in this case at all?
GA: To be honest with you, I don't know how much truth the WELL is telling.
GA: They waited five and a half days to tell me and I personally believe that they only told me because some lawyer forced them to. And I believe that if they could've picked any WELL user in the 7,000 who they could have had this happen to, it would not have been me. I have a poor relationship with them and I think they knew immediately that this was a gray area of the law, and they knew immediately that I was going to want to make this public. And they knew immediately that I was going to be worried about it. And they knew immediately that they were going to come out smelling bad any way I wrote about it and any way I publicized it. Especially since they told me not to print it and they waited five days to tell me.
WC1: Are they going to pursue this from the standpoint that I cost them computing time and I was on the system without being a paying user or do you think they're going to prosecute from the standpoint that I compromised the security of private things like E-mail?
GA: Not so much compromised the security of the E-mail, but compromised their relationship with their customers. Right?
GA: And Billy Idol's pretty famous.
WC1: So, would that be like fraud though? I mean, connecting to the system without paying could be fraud, I could see that.
GA: I would imagine there's numerous crimes. I would imagine there's fraud, trespassing, tampering 'cause you went into someone's account and did something, right?
GA: Isn't there also interstate telephone stuff?
WC1: Oh, well. Alright. Do you know how long this is gonna be, because I'm kind of paying for the call. And I'm kind of right now wanting to go format my hard drive, so...
GA: I don't think this ten or fifteen minutes will make a huge difference in your life.
WC1: Do you think I should totally format my hard drive right now?
GA: You want to know what I think?
GA: I think your friends are your biggest leak. I think everybody you told anything to is who's going to do you in.
WC1: They're actually the last people I'm worrying about, my friends.
GA: Well then you're probably okay.
WC1: Do you have any intention on trying to get more information to help me or are you only interested in collecting the information further? I guess I'm just wondering.
GA: My primary interest is in not compromising my readers and subscribers and interviewees and staff which is whose mail was compromised, and making sure that their real names and their real activities don't get all over the world. My secondary interest is in getting a good story out of this. Because I don't really feel very good about the fact that the WELL called the FBI in on this magazine. I mean, if you think about that, that has political ramifications. And I think they should have talked to me first and I think they should have let me handle it myself. It was my account. And they took all that power away from me, and I'm much more angry at them than I am at you.
I think there's a huge difference between looking and spreading, and I think that if you came in and you looked at my mail and you took Billy Idol's mail and blah, blah, blah, and it ends there, it's one thing. I think if it starts showing up on Usenet groups and all the different places where things can get posted, and gets posted on BBSs, I can see where I and they'd be a whole lot madder.
WC1: I have a whole lot more valuable stuff that I'd put on news groups if I was going to post, but I don't really post that much.
GA: The lesson from this should be that if you are going to proceed with a life where you go in and you look, and you take, that you should learn to keep the spoils to yourself or, at most, to your one associate.
WC1: Most of my friends keep the stuff to themselves anyway.
GA: What do you think about a system that was compromised and that they have proof was compromised, that doesn't tell the users to change their passwords? What do you think about a system who calls the FBI in and tells the FBI about my mail five days before they tell me it was taken?
WC1: They told them what was in the mail?
GA: They didn't tell me they didn't.
WC1: Now, I'm totally being honest here. Now, you have me kind of curious what's in your mail. I mean, not like I want to know now, but you're kind of making me feel like there must have been something really important in your mail that you're so concerned.
GA: No, not at all. It's just that I protect people's privacy and I guarantee that in print.
GA: And so I wonder if I can be sued by every single one of my staff members whose names you got?
WC1: Just totally 100% be assured that I definitely was never interested in you enough to want even to know who you were or even read your mail. I really don't remember anything from your mail and I never took your mail and I never gave it to anybody. So that's all you really have to know about that.
WC1: That's the truth. (heavy sigh) Damn, I'm gonna get raided, aren't I?
GA: I mean, where does this system that's just been compromised send the system manager off to Paris on vacation?
WC1: I know I'm gonna get raided now. I know it's gonna happen. I know it. God, do you think that's a good possibility?
GA: I don't know enough about this sort of thing. I didn't even know people go in and read other people's mail until you told me.
WC1: Did you have any more questions or anything?
GA: How hard is the WELL to break into compared to all the other places you've been?
WC1: No system is hard to break into. When you say break into, do you just mean to get on there?
GA: To get root. They said you're the first person who ever got root. (ed. note: root access means you own the machine and can do anything to it) That's what they were so pissed at.
WC1: I'll say it isn't hard to get on but it's hard to get root. From a standpoint of getting on a system, I can get into any system. To get root is totally a different matter but, in this case, it wasn't hard to get root.
WC1: Normally, on the WELL I think it would be hard, but I think that they just got careless with certain things.
GA: Do you really believe they fixed them?
WC1: Really, I have a feeling if I logged in right now, and looked at a specific thing that I got root with, that it would probably still be there. Yeah, it's possible unless they, like you said, they were totally monitoring me, though, so who knows? Maybe they know about it.
GA: Maybe, but even so, if you're saying nothing's secure, then there must be other ways to see it.
WC1: But, really no type of approach in the way I took it. It was more or less kind of a common sense kind of thing. That you know enough about how the shell works...
GA: I don't. What systems have you tried to get into that you can't? Anything?
WC1: There hasn't been a system that I couldn't get into, but there are some systems that I couldn't get root on. And there are systems I wouldn't even try because one, the people on there, the security is so good that I just know from reputation that I couldn't. And I have friends who have tried and weren't able to.
GA: Do you want to name them? Or would that be dangerous?
WC1: I'll name one site that I wasn't able to get root on. The EFF network. I wasn't able to get root on there, but, to be fair to me I didn't try that long, too.
GA: Someone trojaned them, right?
WC1: That wasn't me. I did read that. That wasn't me.
WC1: Trojans aren't my style, Ethernet sniffing is. To sniff the Ethernet device means to log activities that go through the Ethernet device.
GA: I learn something new every day!
WC1: I used to patch to a net but I don't do that very much anymore. It's much more work to go to patch everything than it is to just sniff what's going through the system.
GA: Now that you know that in this case the WELL called in the FBI, do you think the stakes have increased where it's not worth cracking systems in the future?
WC1: In order to answer the question, I'd have to say why I felt safe hacking the WELL.
GA: Please do.
WC1: I guess because of all the security people that were on there, and the number of hackers that were on there, I must have felt that since all these other hackers were on there, that the WELL was a place that welcomed them. That's one half of it and then there's another half. I'm not sure if you know this, but there was, in the past, something that the WELL put out challenging hackers to try to compromise the security of their system.
GA: Do you think you could get a copy of that?
WC1: It's in CuD from what someone told me. And I have a friend right now looking trying to find which one it is. (ed. note: we checked with both the WELL and CuD and both denied any such challenge to hackers)
GA: Okay, so the WELL put out a challenge and the WELL welcomed hackers so that made them a better choice?
WC1: I guess that made it a better choice, what I felt was a more safe choice. It was also a challenge and there were a lot of interesting people there.
GA: I would think MindVOX has interesting people, too.
WC1: Except the people that I named before have secured that site and MindVOX is kind of in heavy shell accounts to begin with. And, even if I did get a shell account there, I've had friends that I know that I could safely say know everything I know, and a lot more, that have secured the site and I wouldn't want to go and undo the work that they've done.
GA: Do you use your home phone or your work phone when you do this stuff?
WC1: I never, ever use my work phone. I have always kept my work out of this.
GA: Good for you, because that only complicates the problem.
WC1: I like my boss and I like my work. And because if my life gets screwed up, that's my life but if I screw up my work, then I've screwed up other people's lives and I've lost my job and then my life is still screwed up at the same time. So I have always stayed away from hacking at work. Does that matter when they decide to close in on me?
WC1: They can still go after my work? Even though I've been doing it only at home?
GA: Well, with drug dealers, they certainly do that. They try very hard to tell the boss what the employee was doing. But it would make a big difference that you didn't do it from work.
WC1: Why, do you think they could still get it, orders to go to my work anyway?
GA: Oh, I was thinking more in terms of the fact that your employers would feel much more comfortable if it hit the newspaper or something. Generally when people get busted, it hits the newspaper, especially if you live in a small town.
WC1: But I'm saying all my boss cares about is if they show up there. And then my boss would fire me.
GA: If you didn't hack from there, they wouldn't know about there. Until they found you.
WC1: I've had law enforcement show up at my work before, not for hacking from there but from my house.
GA: Well then you know the answer better than me.
WC1: But they didn't raid the place in a raid when they take stuff, because my work is computers. It's not likely that they'd take my work computers if nothing was ever on them. I think that there's a possibility that they only know my handle and they don't know my real info. They would know it came from (names state), not because they did a trace, but I think that CompuServe could probably just have records of where the connection came from because CompuServe has different ports in every city in the world. The connection would have shown up in their audit logs as just going to the WELL. The WELL, from the very beginning, would have known it came from CompuServe just by what TTY it came in on. That's my guess. And even if they didn't, they have to know that it came from the WELL anyway because they have to put that in their billing.
WC1: And that the billing's going directly to you, then they have you. 'Cause they know exactly what days and times you were there.
Right, they have to bill for the time, I guess the WELL, that goes through CompuServe, so they have to know when people come from the WELL so they have to log that anyway. That's a normal thing for them to log. And then, I guess, CompuServe could keep logs and say where that, where that connection came from, what city. So they might know the city and state or general area and so that's how they could know that. Then they could know my handle from monitoring my IRC activity.
GA: Or from other people who they talked to. Who are probably the same exact people that you're referring to who were interested in security and hacking.
WC1: If they raided me and they found absolutely nothing here at my house that was even interesting for them, would that be bad for them?
GA: From what you've told me, your CompuServe record might be a problem.
WC1: My CompuServe record? I don't have a CompuServe account.
GA: Okay, so wherever you went into CompuServe from, it can't be traced back to you?
WC1: I didn't say that. I called from home to CompuServe but I don't have a CompuServe account to give to you. What I'm saying, in other words...
GA: You hacked CompuServe?
WC1: No. You can just dial CompuServe and from the host prompt type WELL. You don't even have to log into CompuServe! I don't know, a lot of people might not know that. A lot of people do.
GA: Sounds like a security leak of CompuServe's.
WC1: I would think it's the opposite. If I'd have known what I know right now from you, I would have used a very multi-layered approach from the Internet. Maybe exchanging my connections from all over the world. I would have gone through Australia and Germany. The other ones maybe. But wouldn't that have been horrible, but maybe it would have been worth it. Now I wish I didn't call from (names state), because now they know what area I'm from.
GA: I was curious as to what magazines you read.
WC1: PC Computing, also electronic magazines like FBI magazine, Phrack, of course, CuD.
GA: And people are curious as to what type of computer you use.
WC1: It's just a 286 machine, I've never really seen where it mattered, but, out of curiosity, if they want to know, that's what it was. It wasn't even a very good machine.
GA: No, slow. But, I guess it's all text, so...
GA: How many other people besides yourself do you think are out there cracking systems just to read mail?
WC1: Like a count of how many people?
GA: Yeah, a rough guess.
WC1: Do you mean people like me who are into it really heavily that just do that or do you include people at the universities who get curious and that just try to break security? I think hundreds and hundreds as far as students at universities around the world, that just like to play with security and see what they can do. Maybe even thousands. But, I'd say there are under a hundred serious crackers.
GA: Do people who do what you do, let's say there are under a hundred, do they trade the mail kind of like people who trade Grateful Dead tapes and people who trade prank phone calls?
WC1: Like would we trade our treasures that we find? Yeah, sure. Most of the time, not even trade. If we know each other closely, if we find something good, we give it to each other. We don't insist on a trade. I'm just saying it's not on a trade-by-trade basis. We help each other out. But that's not always true. There are a lot of hackers that just don't get along with anyone, that just like to work alone.
GA: Now you can see why.
WC1: I have enemies and I have people that I like and work closely with. But the group I work with is anywhere maybe within a range of two to four people, but nothing larger than that. Not large groups when I say groups. Do you think that me doing this interview with you has helped my situation at all?
GA: If I'm subpoenaed into a courtroom and I'm asked to testify against you, provided that as of today my mail goes no further, I would testify in your behalf that I don't think you did anything serious enough to warrant jail time.
WC1: Oh. You can be connected to a computer, you're not really thinking about other people's feelings. You're just on a system, it's boring.
GA: And I can understand where you think a celebrity like Billy Idol has less feelings than an individual. Public figures do have feelings though.
WC1: Do you think he's probably pissed off about it? Or do you think he probably thinks it's cute? (ed. note: we invited Mr. Idol to comment but received no reply)
GA: I think that you should realize, I'm not sure they told him. I just don't know how honest they're being with everybody. But I think that you should realize in the future that the more power and clout somebody has, the more money and time they have to fight it, the more likely that they're going to.
WC1: I'm going to go right now, but anyway, I guess I should just say that there was never any personal hacking against you and there was nothing, I guess, for you to worry about. I guess all the worry is on me. My friends don't have anything to worry about. Because of you they only know about me. I'll never say anything about my other friend. I don't care if it means I'll go to jail. There isn't a chance in Hell that they'll ever get any info out of me about my friend.
GA: Well, I do thank you for calling.
WC1: Oh, okay, well, thanks for, I guess, all the, I don't know, it's weird thanking for information.
WC1: I don't know.
GA: Because you usually steal it?
WC1: Funny how you first put it in your statement of purpose when you first connected to me and I never really thought of myself as a deviant, but...
GA: We're all deviants. Society defines somebody who picks their nose in public is deviant, somebody who masturbates is deviant, if you think about it, everybody is deviant in one way or another. Let's hope so, 'cause I'm trying to build a magazine catering to them.
WC1: I guess I've always thought there are two factors that should be really important when you hack. One is total lack of any malicious intent, and two is to hack from a stealth approach, like more defensively than offensively. But, that's, I guess, the approach that really hasn't worked for me, since apparently, it looks like I'm about to get popped really hard. Okay. I guess I'll let you go just in the interest of keeping my phone bill down.
GA: Thanks, bye.
You can imagine all the thoughts that went through my mind as I hung up the phone. I confess the overwhelming one was that I wanted this guy to call me back. I was sure he knew all sorts of things about computers that I didn't, and I surely knew more about deviance. I found him intriguing as hell and I forgave him.
I was also intrigued by the idea that there had been two WELL crackers. I posted this on the WELL and was promptly ignored. Later I learned there were at least eight people who explored the WELL and its mail. I personally believe the number is higher but was unable to confirm this before we went to press. A back door was activated and the password disclosed to friends who flocked to the WELL for weeks before the WELL got wise.
One of these crackers used fakemail to send me mail which I was led to believe came from somebody else. (ed. note: for those unfamiliar with the concept of fakemail, it is possible to send electronic mail to someone which has the return address of anyone you choose. Mail can be sent, for example, as Bill Clinton from the White House. When the person answers "Bill," the mail gets routed to the impersonator instead.)
Another WELL cracker helped him out and got so interested in me that he also accessed my account at Netaxs.Com and used it to enter IRC as me. In addition, he created two other accounts there using my real data! I can only hope he didn't hack from them. He is still bothering me on IRC as we go to press. Someone thought the problem serious enough to give me his data including his social security number. I hope he will get the message when he reads this to finally leave me alone. I tried to befriend him, even gave him a copy of Gray Areas. No luck. I admire his skills even though I find him to be malicious and destructive in his dealings with both people and systems.
A third WELL cracker has been rude to me on IRC from day one. It was months before I realized why my presence there threatened him so.
I don't know a few of the other WELL crackers (no contact of any kind) and there are two others who have been very decent to me.
One of these turned up as a sort of "Christmas present." I had mentioned in my speech at HoHoCon (see review elsewhere this issue) that I was working on a piece on the WELL break-in. Several days after I got home my phone rang and the caller asked if I was interested in a second exclusive interview! I am grateful to him for coming forward and for whoever at HoHoCon decided to send him our way. The trust in us (and in me) was the best holiday present I received this year. We offered this cracker anonymity for speaking with us, and immunity if we are ever questioned or asked to testify against him. I am also declining to reveal how I am sure this person told me the truth. It's quite clear he called ready to talk and there was no hesitation in his answers to my questions. This guy is sharp. I found him to be one of the most articulate and intelligent people I have ever interviewed.
Netta Gilboa: I guess we should start by asking, what do you most want people to know about the WELL break-in, that you think might not be covered already?
Well Cracker 2: I'd say that a lot of people acted like it was a great big deal, but it really wasn't anything spectacular, except the fact that it happened to be the WELL.
GA: Um hm.
WC2: I just think that people really over-reacted and thought, "Wow," but the WELL's really nothing that hasn't probably been penetrated before, but this time it was exploited because there were mistakes made. That's what I would say.
GA: And how many people went into the WELL?
WC2: Um, as far as I know, only like four or five.
GA: And how come at least seven or nine are claiming that they did?
WC2: I don't know, I really don't. That's as far as I know.
GA: Okay. Is it possible though that other groups or individuals were there that you don't even know about?
WC2: Oh, completely possible. Just as it's possible to be in one machine and have it patched and do this and that, and, you know, it's just one machine that's been repatched and patched and patched over again and different people get root different ways and different people do things differently. It's completely possible, but I'd take it for face value. What I would do is consider the source, you know, and I'm sure that you do. Someone was telling me about a story he had heard third hand about it, and it was up to, like, twenty hackers, so there was twenty hackers in the WELL, and it was patched and blah, blah, blah. And then the story just got all screwed up and...
GA: I did hear there was a back door put in and a password given out.
WC2: Yeah, well, a password given out?
GA: Um hm.
WC2: Not distributed widely. I'm sure that there could have been a few more people that got in than I knew about. But at the time we started talking about it, there was only four or five, max.
GA: And how many weeks did this go on for?
WC2: A long time.
WC2: Um, I would say possibly two months, but that was a while ago, I don't really recall. You know, when you target a site, it's kind of hard to keep up with everything.
GA: And the four or five, or however many there were, were they all going into other sites at the same time, too?
WC2: Oh, yeah. And still are.
GA: Okay. Is there any relationship between the WELL incident and the Panix incident? (ed. note: described later in this article)
WC2: Huh? Yes.
GA: Okay. Any other comments you want to make on that?
WC2: It's not part of some big master plan, but I'd say there is a connection.
WC2: I don't want you to think it's a big conspiracy, but, yes. (ed. note: I purposely did not press this issue further due to the hundreds of sites involved in the Panix break-in. I almost don't want to know. Proving that there was a connection between the two was enough for me)
GA: Okay. Do you think people, not necessarily anyone you know, are still in the WELL and still have root there now?
GA: And do you think that the fact that they changed to Solaris instead of the Sun operating system makes any difference in terms of people trying to penetrate it now or in the future?
WC2: I think they're total idiots for doing that.
GA: And why is that?
WC2: Because they're just starting over with their problems before, and my guess, the reason they are doing that is because they wanted to start over, from a new fresh source that wasn't patched and patched and patched or whatever.
GA: They claim that the decision to convert was planned before they knew that they were penetrated.
WC2: Well, that's what they claim. People claim a lot of things.
WC2: That's just how I feel about it. (ed. note: Peter M. Shipley, UNIX System Administrator for TRW Financial Systems, Inc., who had nothing to do with the WELL incident, confirmed for us that there are many known security holes in Solaris and that he considers it far more unsecure than the Sun operating system)
GA: Uh huh. What did you guys do when you were in the WELL?
WC2: Well, personally? Or as a group? I can't speak for everyone else. I would say that a lot of mail, um, there was someone involved that was trying to do something that involved getting into other networks from the WELL since it is connected to other machines overseas and progress was being made to use the WELL as a jumping point to other places.
GA: What did you guys play around with when you were in there? Anybody read conferences?
WC2: I didn't. I just looked through the mail and saw what was on there and looked for famous people, and just laughed a lot.
GA: What was the best thing you saw?
WC2: Your mail stuck out!
GA: Heh, heh. (ed. note: by now, months after the fact, I am able to crack up laughing at the thought)
WC2: How about credit cards? There was a credit card in somebody's mail from one person to another and it just said, "Hey, you know, this is my credit card, my expiration date, and here's my information, blah, blah, blah, blah, blah." I suppose, they just are stupid.
WC2: That's not the best. The best thing was actually being in it and looking around, I guess, I don't know, a lot of people maybe don't feel the same way as I do, but, when you're in a system and you're taking it over, and you know the people on it really have no idea that you're there, in a way you feel cool. But in another way, when you go on reading someone's mail and after you grab like 300K of somebody's mail, you know something about this person that this person will never know about you. You feel like maybe you're a voyeur that shouldn't be there. Kind of like the conquest was over.
GA: Ever have an interest in meeting anyone after you've read their mail? Like to get to know them in real life, without them knowing why you want to get to know them?
WC2: As a matter of fact, yes, but not on that system.
GA: Okay. Did it work out?
WC2: I called that person. Talked to him for a while, and it was a site that I was on for a while.
GA: Back to the WELL. Was their credit card data taken that you know of?
WC2: Um, yeah, but that wasn't, like, motivation. I could say, "Yes, and No." I can't speak for other people.
WC2: Yeah, I saw information and I took it.
GA: Okay, but, no one that you know has used it, right?
WC2: No, as far as I know, no.
GA: Okay, how about their password file?
WC2: What about it?
GA: Um, they claim no one could use it easily because it was encrypted somehow, shadowed, whatever that means.
WC2: The shadowed password file? That doesn't mean anything. Not really. Yeah, it means something, but, if you already have root on the system, what do you need a password file for, except to find out who the users are? Just because you know the password file doesn't mean anything. I personally don't even use the password file because you don't even need it. There's newer ways to hack than getting into a password file and crack it. I mean with a sniffer...
GA: Nobody's mail is safe because there can be sniffers anywhere and everywhere at any given time, right?
WC2: Well, there are new things coming out that can protect against it. That's not new technology, it's just becoming public right now. But the sniffer's pretty powerful, back to your question. Actually, there's just newer ways to hack than getting in and getting a password file, just because it has a shadow password file, like Linux has a shadow password file, okay? That's a bigger hole than it is a help. You can get a remote shell on a Linux box running shadow passwords super easy, and then you don't even have to see the password file. What I'm saying is the password file is pretty much a moot point.
GA: What advice would you give to the WELL about an operating system to use and how to secure their system? If any.
WC2: How to secure their system? I'd just say, watch their links of who they go through. I don't know, they're a target sort of, you know, because of the people that are on it.
WC2: Because there are gonna be people out there that say, "Hey, wow, Billy Idol." The advice that I would give about an operating system? Their administrator is a fairly knowledgeable guy and he's fairly skilled. I don't care how good of a hacker you are, if somebody's sniffing your account and you're not protected against it, I don't care how big your password is.
GA: Um hm.
WC2: You know, there's passwords, they could be a string of 17, 20 numbers, you know, we're gonna see it going in and it's gonna come out, and it doesn't matter if you change your password every day.
GA: Um hm.
WC2: If you're coming in to a site, you know, you have to watch. My advice would actually be to the users not the administrator. My advice would be to the users to change your passwords frequently. If you have anything sensitive on line, I mean, PGP is public, if you have something sensitive.
As far as an operating system, to answer your question, System V, maybe, something with a little less bugs. Or SEO, but see, SEO's system it's secure but it doesn't have all that many features.
WC2: You know? The admin really can do nothing about this except using a utility like S/key. It utilizes a one-time password format where every time you log in, you use a different password and it keeps track of it and it's all automated, it's really nice. There are other ways, too, that use one-time passwords. I would just say you can't really protect against something that you're not really looking for, you know? You have to keep track of all your system files and there's a pretty easy way to check to see what files change daily. It goes by the date. Wisner was a hacker himself and this isn't new technology.
GA: Were there really 40 megs of mail taken from the WELL or how much?
WC2: I'd say more.
WC2: Maybe, maybe more.
GA: But at least 40 megs.
WC2: Really, Idol's mail alone was like 600K, I think.
GA: And mine must have been 200-300K easy. So there's mail on hundreds of users. Right?
WC2: There could be. You don't just go in and penetrate everybody's mail. You just go around and see if anybody's was interesting. You know? I personally didn't download any; that's too big. What are you going to do with it? There's not really a file going around with everybody's mail in it. It's more like extracts of the stuff that was on-line.
WC2: Because it's not easy to download, especially if you're telneting through 16 different sites or something to get to the site.
GA: Okay. Was there any altered mail or any fake mail sent or received?
WC2: To my knowledge?
WC2: Before, after or during?
WC2: Um, uh, I don't know; I heard rumors, but they're just rumors. To my knowledge, I have no idea of any of that going on. I heard a rumor but I can't verify it so I don't want to say. You tell me. You tell me. Was there any?
GA: I think so, yeah.
WC2: Oh yeah?
WC2: Oh, okay, well maybe it was private.
GA: You know, involving mine, I think so.
WC2: As far as I know, no, but...
GA: How long have you been entering systems? Just in general.
WC2: Over a dozen years.
GA: Okay. And you're in your twenties now or thirties?
WC2: Yeah, twenties.
GA: What's the attraction to people's mail?
WC2: I guess it's kind of like that voyeur in everyone that wants to find out what's going on and being into something that they're not supposed to. That's just the allure of something, there's tons of mail and there's tons of systems I've been on where I haven't even looked at people's mailboxes. What I'll do is look at all the names that are on there and if I see a name of a girl maybe that I knew or the name of an old girlfriend, I'll just go in and look at their mail.
GA: Um hm.
WC2: And usually, guys' mail and girls' mail is different. Girls will talk about just bulls--- and guys usually talk business unless you're talking to their wife or something. I read people's mail, this one guy, I mean they went through an entire divorce over a period of like a year and a half. And once I started reading it, I just couldn't stop, it was like a soap opera. But generally I don't prey on people's mail. I do check the admin's mail all the time, so administrators should know their mail gets read all the time.
GA: Do you feel bad for the people whose mail you do see?
WC2: No. Very rarely. I told you before that I don't like to read mail if I really feel like I'm a voyeur, but something interesting like that divorce, that doesn't happen all the time, but that particular case, I happened to be on that system that long and I just kept looking at those people's mail.
GA: Do you share the treasures that you get off of different systems with your friends?
WC2: Oh, sure. With my friends. Underlined.
GA: Okay. And what are some of the best things that have come across the screens over the years?
WC2: Satellites, at least two.
GA: What does that mean?
WC2: Satellites, you know, like in space? Like, um, this one satellite for the Department of Energy or something like that, or maybe it was Environmental Resources or something like that.
GA: Uh huh.
WC2: It had 35 millimeter cameras. It would come on and tell me there's a 35mm camera up and everything was working okay and stuff like that. And then another satellite I was in was a communication satellite, that's pretty rad. And, major magazines. Major newspapers.
GA: Like their BBSs for their employees or what?
WC2: No, their mail system. Uh, the most fascinating? I don't know, cellular computers, government computers. The most fascinating thing that I have ever seen, I really liked that satellite, because just the idea of being able to control it! Oh, I know one. There used to be this chat system called QSD. Have you heard of that?
GA: Yeah, it's mentioned throughout this issue. I've never seen it personally.
WC2: Well, I was on QSD one time, and I had this Prime computer up in Canada and it had PrimeNet on it and it had like twelve outgoing pads on it, so I logged into QSD like 12-15 times, filled it up with all of me.
GA: Um hm.
WC2: It was just powerful because it was in a different country, I had complete control over this computer and I think that's the fascination. Complete control. I had complete control of that computer for a period of maybe six months.
GA: Any other neat things you've seen over the years?
WC2: Yeah. Interpol.
GA: Which is the British police system, right?
WC2: Yeah. International police. That's probably the biggest. The raddest. Pull people's criminal records and stuff. See if there's, you know...
GA: Anyone you knew?
GA: Was there?
WC2: No. I pulled a couple of people, you can pull them by just about anything.
There's just tons of stuff.
GA: More people getting computerized every day!
WC2: Well, let's see, climate control systems, Interpol, Satellites, grocery stores, phone companies, computers over in Japan, bank computers, funds transfer, stuff like that.
GA: Have you changed or altered anything anywhere you've been?
WC2: Mmm, I've altered stuff everywhere I go. Be more specific.
GA: Well, for example, you mentioned bank transfers. You've the knowledge to get in there, it must be awfully tempting to transfer funds.
WC2: Uh, yeah, but it's kind of tough, because there's all these paper records. You have to, if you were going to pull it off, you'd have to really do it quick.
GA: So, most of what you've altered is just to cover up the fact that you've been there.
WC2: Yes, I checked it out and I saw that it worked, and yes, I could have at one time physically gone in and transferred X amount of money into account blah, blah blah, you know?
GA: Um hm.
WC2: Yeah, and all the stuff for fun?
GA: Um hm.
WC2: Sure. Sure. Let me think. I don't know, it could be as simple as fakemail or no wipe on the time for a computer. And both take about the same amount of time. You can wipe out somebody's entire system in one command once you're in. Of course, they can back it up.
GA: Not everyone does. Heh heh.
WC2: No, hardly anyone does. Or if they do, they're old tapes, you know?
GA: Um hm.
WC2: One of the oldest laws is, "Thou shalt back up," and hardly anybody does, you know, maybe occasionally, but everybody's always busy and has something else to do. I back up religiously.
GA: And change your password frequently?
WC2: And change my password frequently and PGP everything and keep my computer completely locked out, but maybe I'm paranoid.
GA: Well, we're going to get to that in a second. I was just going to ask you, is there any place you can't get into or any place you couldn't get root on over the years?
WC2: There was one place that I couldn't get into that I really wanted to and it was like this germ warfare kind of deal. I had an account that I had picked up somewhere and it had been on the computer, but I couldn't get root. There was nothing I could do, it was a military site. That was me personally, but there's lots of other places that I didn't and now I may be able to. As you grow older, your skills get better and more diverse.
GA: Do you or would you hack for money?
WC2: Do I? No. Would I? It depends. Like, you can't just generally say yes or no. Have I ever in the past? I profited somewhat in a minor way. The opportunities are there. Like anybody will tell you, the opportunities are there, but, it depends if it was for the government or if was for another government,
GA: Or for a kid wanting to change his grades?
WC2: Stupid stuff like that, no, I would never do anything as childish as that. Corporate takeovers are possible, put companies out of business if you really wanted to. And like I said, it can all be proven. Evidence is there. One of the worst things you can do in this kind of an environment is lie. If you lie, it's gonna come back to you and if you lose your respectability among your peers, you have nothing.
GA: Hackers tend to be paranoid with good reason. Does it ever get to you? Either when you're on a system or after you've been there?
WC2: Oh, hell yeah, I've been on a system when something weird has happened because it just wasn't supposed to happen, you know, something out of the ordinary would happen. I've been on a system, a really big system, went to patch something, and as soon as I patched it, the computer locked up and I didn't have time to cover my trail because I had been in the heat of things. And I'd been through a bunch of different links and the response time was slow from the remote machine. Because if you are trying to hide yourself, you go through a bunch of different machines, and somewhere in there you hope to lose your trail. So I was on this machine and I was patching it so I could get back in, and I copied the file and I went to adjust it to make it look like it hadn't been tampered with, and the machine hung up. Click. So I called it back and it was off the Net. I called it back, called it back and called it back and called it back and continued to call back, and no response. So, it was dead, and the originating address that I started on was a legitimate account, which is generally a bad idea, so I was kind of paranoid, but sure, paranoia strikes all the time.
But, generally, I mean, if you're in a machine and you're doing something you're not supposed to be doing, if you can't handle the stress, then you shouldn't be there in the first place. You know?
GA: Heh, heh. Is there anything else that you want to add? Or anything else you want to bring up?
WC2: As far as the WELL, people should just really realize that this wasn't like something personal, you know, like this wasn't personal against anyone that was hurt, it's just something that happens every day and people don't hear about it. I'd say, maybe 50 to a 100 sites just in a day get compromised. That's just a guess. And the WELL just happened to be one of them and the only reason it was popularized was that there were people on there that have accounts and are famous people that really are no one in the cyber community at all. Like Billy Idol, he's just riding that wave that everybody's talking about and I truly believe that. Maybe he's interested in it, and he's capitalizing on it and that's his right.
GA: Right. David Crosby's music has nothing really to do with computers.
WC2: No, not at all. People just want access to the Net, you know, and, people just totally over-reacted to that. And personally, as far as Hacker #1 goes, I think what he did was stupid.
GA: In terms of what?
WC2: In terms of speaking up. Calling the system administrator of the WELL.
GA: Ah, yes.
WC2: Dumb, dumb. Whose side is he on? And what made him do that? Guilt? I highly doubt it. If he were guilty, he wouldn't have done it in the first place. You know?
WC2: Paranoia, very possibly, that's a very good trait of his. You know?
GA: Um hm. Comes through loud and clear in his interview. Heh heh, heh. Thank you!
WC2: Happy holidays. <Click>
The conversations with the crackers I interviewed, and my growing awareness of how big a story the WELL break-in really was, led to my spending hundreds of hours talking to hackers. I learned much from this and have literally thousands of dollars of phone and legal bills to prove it.
The biggest surprise was that some of the WELL's stored mail was copied. This means that any of the 7000+ WELL users who saved their E-mail during this time period might now have that mail in the possession of dozens of hackers. Few of these WELL users know this, of course. Some will read it for the first time here. We were unable to convince any of the hackers to give us the mail. I made it clear I was interested in printing portions of the password file and the hackers were no doubt too scared to cooperate. Enough of them told me they had seen my mail and what was in it, though, that I have no doubt it is out there.
The next surprise was that there was nothing unusual about the WELL break-in. The WELL is not that much more vulnerable than any other site. They are just despised by some members of the hacking community. During the time I researched this article over 250 other sites were broken into. Of particular note is the sniffer installed at Panix.Com. By the time they noticed it (up to a month after the fact), over 200 sites had to be notified that their passwords were insecure. These included: MindVOX, Yale Univ., MIT, Stanford Univ., Cyberspace.com, Delphi, Harvard Univ., Netcom.Com, World, Columbia Univ., etc. And, of course, the WELL was on the list. To their credit, unlike the WELL, Panix went public. Kudos to them for not hiding it as other sites do.
CERT (Computer Emergency Response Team) announced this on October 19, 1993, only 34 days after the WELL called me. Guess who did it? Cracker #2 confirms my suspicions that it was some of the same people who cracked the WELL. If hacking is a mindset, cracking is a seven day a week pastime that usually ends only when the cracker is caught, or his computer breaks, or he quits cold turkey. Someone had been very busy during these 34 days.
A clear lesson here is that these sniffers do get used. All electronic mail is therefore vulnerable. Even if the mail at your site is safe on any given day, the mail at the sites it is being sent to may not be. I no longer trust electronic mail. I no longer can believe it is from the person it says it is, and I wonder who else will see our reply. Cyberspace can become a very unfriendly place as your consciousness of its dark side grows.
But what of the WELL? Are they blameless since they were invaded too? Hardly. First of all, it burns me to no end that we were charged full price for on-line services during the months this happened. Since the WELL has only a truncated log, they have no idea if we were charged for time used by others. Considering the thousands of dollars this experience cost us (just so far!), I'd say the WELL is negligent in not offering us a credit of some kind.
Secondly, the first cracker interviewed above ended up calling the WELL to come clean. Their system administrator, Bill Wisner, came to me for confirmation that we'd spoken to the same guy. I could not confirm or deny anything until that cracker got word to me many days later that I had his permission to do so. Yet, I called the WELL in October and again in November to discuss my investigation and, on both occasions, they didn't return the call. This shows a thorough lack of concern for their customers and a desire to sweep things under the rug. I called to tell them that on over a dozen occasions after they considered the problem "solved," upon logging in I was not told there was new mail waiting when in fact there was. This was a possible signal that someone had been in my account. One of the many WELL crackers bragged to me that he had been in the WELL in mid-October. I believe him. Guess what? The WELL is going to read it here first.
Then there's the matter of the FBI being called in. There are moments when I believe Gray Areas, Inc. has more to fear from elements of the hacking community than it ever could from any government investigators. But, the WELL put us at risk to have the FBI visit us with no warning. They also discussed us to some unknown degree with the FBI and charged us the monthly fees as if it were business as usual. Further, they determined with the FBI that we would not incur over $10,000 damage from this (ed. note: this is the minimum amount needed before the FBI will get involved in a case). It was not solely their decision to make. I feel awful for their customers who don't have national magazines in which to get their sides across. To be fair, the WELL has stated that they will talk to customers first in the future if another break-in occurs. Let's hope so. Since I am still being harassed on IRC and see no end to the rumors and jerks, all of which originate from this break-in, this story is hardly over for me even now. We may still have over $10,000 worth of damage, especially after this article appears. In between there have also been all sorts of unwanted voice calls, tampering with my PC Pursuit account, stolen trash, an attempt to take down our PBX (bahaha - we don't have one), etc.
It's worth noting the WELL didn't ask customers to change their passwords for over three weeks after they contacted me. That seems like an ironic lack of interest in securing their system while just a few weeks before they were worried enough about it to have called in the FBI.
The WELL originally found out that they were being entered when one of their users (whom, of course, I exchanged E-mail with) came forward to tell them her boyfriend had heard details of her mail about him and their sex life. The crackers had been bragging. The WELL went "public" by opening a topic in the News conference section of their on-line conferences. It was called "System Security: Oxymoron Or What?" That title hardly tells users the WELL was penetrated! They posted nothing in the log-on screens so the average user never even saw it. At $2 an hour to be connected to the WELL (plus the cost of the long distance call), I surely never read the News conference.
While they did issue a few pointers to it, they did not put any pointers in the Hack/Crack conference or in the Factsheet Five/Zines conference or in the Grateful Dead conferences. It's all too clear why the Hack/Crack conference should have been clued in. Considering how many other magazines' mail was involved (ed. note: here's a very partial list of the other magazines we corresponded with and who were definitely affected: Computer underground Digest, 2600, Crypt Newsletter, Virus News Intl., Phrack. In addition, while not mentioned specifically in the interviews here, it is likely other magazines with accounts on the WELL were tampered with also.) and that many, if not most, WELL users are Deadheads and spend the bulk of their time only in those conferences, this seems to me to be a large oversight.
Only two short articles have appeared about the WELL break-in. One of these was in Crypt Newsletter (an electronic publication) and the other was in Dark Tangent's column in New Media. Both publications referred to there being only one cracker, and to the problem being resolved quickly by the WELL. Both are wrong. I spoke to Dark Tangent and he agreed more than one cracker was involved. Yet he said his editor gave him very little space to devote to it and felt the words of the WELL system administrator would be perceived as more credible than those of a cracker. Gray Areas prints all points of view. We print the truth when we know it, not just what's politically correct or what we have room for. We paid to add 16 pages to this issue because the truth demanded that much space.
We sent an advance copy of this article to the WELL and offered them the chance to comment. Below was their reply. For more information on the WELL, call (415)332-4335.
Message 10:
From gail Tue Jan 11 14:32:26 1994
From: Gail Ann Williams
To: grayarea
Subject: Comments On Article
Hi, Netta,
Thanks for sending us the proof copy of the article about the intrusion into your mailbox on the WELL. It's a powerful pair of interviews, and your accounts of having your privacy violated are strong stuff. We noticed a couple of points that are not accurate, or that don't match our knowledge of the events. Perhaps another perspective will shed some additional light.
Matisse Enzer, the WELL staffer who called you originally, never meant to permanently swear you to secrecy. He asked you to keep it confidential while we tried to figure out who it was and how it was being done. Matisse is a relentless advocate of civil liberties and free speech, and if he left a different impression it was a misunderstanding. At the time, he reported back to his staffmates that you'd agreed to remain silent about it until we found the security holes, and that you initiated and offered to show us the text before it was printed, for fact-checking. This left us no doubt you'd be writing your story.
There was never an intention of getting your promise not to publish, and if that impression was created, we're sorry. As you pointed out in the article, we put it out in news, the most visited conference on the WELL, ourselves at the point that we stopped tracking the cracker's activities. So far as we know, the FBI did not investigate this incident. We did not give them any information on what users' files were involved, so you can relax about the possibility of the FBI having been pointed to your mail. Seems they require a high dollar amount of damage to get interested.
The purchase of the new Sun required testing, budgeting, bids, and other interminable behind the scenes chores. It was in the works for months before this series of events, and the choice of the Solaris operating system was moot, since that's what the system runs. That failure to show that new mail had arrived was a missing feature in Solaris and not evidence of mail tampering. There was a discussion of the unwanted change in the system status and upgrade topics. So many people missed seeing that message that Wisner hacked it to work the way it did on the old OS. We're sorry that change made you uneasy in the context of having been intruded upon.
After he announced the crack in news, WELL general manager Maurice Weitman posted this to the discussion there:
"In retrospect, we made a flub. We should have contacted those affected earlier, but we were too concerned that we'd blow the cover of the trap. We will not do that in the future. We will notify those affected immediately."
It was just us staffers, not a lawyer, who debated what to do. If you ask yourself what you'd do in a similar situation, you can see that you'd have many concerns on behalf of your users. We had an ongoing discussion of whether trying to identify the weaknesses he'd exploited was in fact the right approach. The WELL staff is sensitive to many gray areas, and this situation touched upon several. As Maurice posted, we'd handle it differently next time and we're sorry it happened at all.
Gail Williams for the WELL Staff
We're keeping our WELL account. We don't store mail anymore and we try not to send much either. Electronic mail is no longer fun for me. I don't know if it ever will be again. It's not that I care if every hacker in the world knows my secrets, it's just that I can't give them that information on other people. However, because this E-mail address is listed in our back issues it makes sense to keep the account open. We subscribe to a few electronic publications and it's as good a place as any to receive them. We also check the WELL for Grateful Dead ticket information and set lists. But I am not impressed that the WELL called the FBI and the Secret Service instead of an attorney or their users. I believe if the FBI or Secret Service had been interested that the WELL would have spoken to them about us without telling us. It amazes me that they continue even after seeing this piece to refer to a lone cracker! Their response indicates they believe my phone calls to them were unfounded. So I went back and checked. My phone bills show calls to the WELL made on 9/23/93 and on 11/10/93. The first call was definitely before the switch to Solaris and the second call involved pre-Solaris dates as well. You decide if you think they do the maximum amount possible to protect their system and their users. They clearly do not believe the results of my research. Also, consider that I found these crackers; they could have too by going undercover. Their system administrator was once a major player in the hacking community. We wonder what they will do the next time they are entered. If you believe the crackers, it is, alas, most likely just a matter of time.
"Be on my side, I'll be on your side" -Neil Young
The big change is that in the four months since I began working on this piece I've broken contact with several friends and colleagues. Some of the friendships I had were 100% electronic. I've lost some other friends who don't wish to use caution in what they say on the phone. I simply can't have them in my life anymore. Other friends put the whole thing in perspective by spending a few days repeatedly uttering the names and data of people they'd like to see hurt by any hackers who may be listening. That got old fast.
I have chased this story long and hard. I have taken it personally, and even been harassed for it, and for caring about hackers as a whole. In the process I have lost the respect of two hackers I once considered friends and I have gained the respect of many others. Please bear in mind that how hackers treat me has great impact on how this publication will treat hackers. People who live in glass houses should not keep throwing stones. I have made a very sincere attempt to change the media's treatment of hackers. I will continue to do so if you let me.
I will print all of your mail on this subject, friend or foe. If you've read through this whole piece, it must have made you think. Please send us a letter and share your thoughts. Thanks.
Permission is expressly NOT granted to post, scan, or otherwise disseminate this article (or any other portion of Gray Areas) without prior written permission of Gray Areas, Inc., PO Box 808, Broomall, PA 19008 USA.