In Hacking, for Some, the Punishment May Not Fit the Crime BY LESLIE GORNSTEIN FORT WORTH STAR-TELEGRAM, TEXAS Aug. 19, 1997 -- He is 18, and may be looking at up to 10 years in prison. He hasn't stolen anything, he hasn't hurt anybody and many familiar with the crime that the crime he is accused of committing say the possible punishment borders on the absurd. The 18-year-old and a 17-year-old friend, police say, broke into a computer network. They added some funny pictures to a World Wide Web site run by the network operator, a Texas Internet service provider called FlashNet, police say. The two figured out some of the user names and passwords used by FlashNet customers. Then they left. It may not seem like much, but computer hacking is getting serious attention from folks in the Internet access business -- and their millions of business and consumer clients. Thanks to the popularity of the Internet, hacking, or breaking into somebody else's computers, is more popular and automated than ever. And even the most ardent of hackers, who see an art to what they do, admit that their universe is changing for the worse. A community that for years has prided itself on restraint and expertise is giving way to younger people with goals no greater than techno-graffiti, hackers and security consultants say. "The ratio of real hackers to pretenders is so small now, it has diluted," said Matt Hinze, former moderator of an Email newsletter called the Happy Hacker Digest. "We should be trying to learn things, and not trying to break things." And more people, it seems, are trying to break things. "It is like a fad," said Craig Rowland, network security consultant at WheelGroup Corp. in San Antonio. "We are going to be a lot busier since people are becoming (more) into the Internet . There are a lot more targets out there." Determining right and wrong in cyberspace is about as simple as finding a package recently sent via UPS. To many a hacker, FlashNet has itself to blame for having a system that could be broken into, and whoever did it should be thanked for calling attention to the weakness. "It is FlashNet's own fault that they left the door open to begin with," said Karl Grindley, a network administrator for content provider The Q Group in Hurst, Texas, a Fort Worth suburb. "A good network administrator or a good Internet service provider should have those things patched so people can't do that." But the Internet access industry, already wracked with growing pains, says that attitude is unacceptable. "That is like saying it is your fault that you left your house unlocked, and I came in and robbed you," said FlashNet President Scott Leslie. "The network is private property. It is a totally twisted way of thinking." For their part, the pair accused by police -- they haven't been formally charged yet -- aren't talking; they could not be reached for comment despite repeated efforts. Police say that hackers broke into FlashNet's system in late June. At the time, the 17-year-old was working for FlashNet as a technical support staffer. The 18-year-old was a former employee of MatchMaker, an area Internet matchmaking service. The hackers gained top access -- commonly called root access -- to FlashNet's Web server and added bizarre pictures to its site at www.flash.net, police and company officials say. They left behind a Dr. Seuss-inspired, red-and-white striped hat perched on top of the company logo. The hackers also included a shadowy portrait of somebody wearing a big chapeau. Splashed across the page was the phrase, "Hackers with Hats." The 18-year-old was arrested on suspicion of third-degree felonies that carry a sentence of two to 10 years in prison and a fine of up to $10,000. His friend, who was arrested on suspicion of a less severe misdemeanor, faces up to a year in jail and a $4,000 fine. Police say they plan to refer the case to the district attorney for prosecution under a crime classification called breach of computer security . Charlie Brandenburg, chief of the economic crimes division of the Tarrant County District Attorney's office, said it would be an unusual case. "I don't know that I have had any that we have really prosecuted," he said. The last case that was even vaguely similar happened about a decade ago, before Brandenburg had his current post. Donald Gene Burleson became the first person convicted under the state's computer virus statute after being found guilty of harmful access to a computer with valued loss of more than $2,500. He was ordered to pay $11,180 in restitution to his former employer, USPA & IRA, a Fort Worth securities brokerage and insurance company. Burleson's virus deleted 168,000 sales commission records from the company's computer. Burleson was given seven years' probation for the offense. But Brandenburg said that without more information on the FlashNet suspects, it's hard to say if the two would get similar punishment if convicted. The 17-year-old's attorney, Brock Groom, has said that his client is innocent but cannot be reached for further comment. Local observers aren't the only ones raising an eyebrow at the FlashNet case. "From my perspective, it is very rare for prosecutors to pursue teenagers who are essentially exercising misdemeanor graffiti," said Jonathan Littman, author of "The Fugitive Game", the story of infamous hacker Kevin Mitnick. "It sounds like (FlashNet) needs to shore up its security, and putting a couple of teen-agers in jail for several years isn't going to solve the problems." But Leslie said attempts to hack into FlashNet's system have escalated with the company's rapidly growing base of customers. FlashNet now serves 24 markets and has more than 140,000 customers. Just how many attempts are there? "If I told you, you would laugh," Leslie said. "A hundred." As in 100 "a day" -- up from 10 a day at the end of 1996. Leslie says he believes that only one-third of those are malicious attempts. The rest could just be customers accidentally using incorrect user names or passwords. Smaller service providers are facing similar concerns. "A couple of times a month, we will see something strange going on," said Jeff LaCoursiere, president of Fort Worth-based Fastlane, which is planning to expand into Houston. "Most are just curious script kids that have found these hacks on the Net, pre-compiled and ready to use." Scripts are pre-packaged ways to find weaknesses in computer systems. They've been around for years, but the growth of the Internet has led to higher demand for such tools, especially among a younger crowd dazzled by recent films such as "The Net" and "Hackers". They are known as "script kiddies," people who want to call themselves hackers but who don't necessarily want to spend a lot of time glued to a computer. "They are out there to get the glory of saying they can hack something," Grindley said. Grindley said he suspects that whoever messed with FlashNet's Web site -- used a script to access the company's servers. Others theorized that the hackers simply used a "packet sniffer," a program that grabs data off of a network -- that can include sensitive stuff like credit card numbers or passwords -- and saves it as a file. The hackers probably downloaded a sniffer off the Internet to break into FlashNet, Hinze said. Nobody can say for sure how large the hacking community has become or how much of it is made up of script kiddies. But no one doubts that the number of script kiddies is growing, to the annoyance of experienced hackers and security experts alike. Littman says he sees it happening as well. "There have always been truly talented and imaginative hackers and lazier groupies who rely on the breakthroughs of the leaders to earn their scalps," he said. "(Now) there is more automation, so there is probably a larger group of kids who can make some mischief." COPYRIGHT 1997 Fort Worth Star Telegram