‘We Got to Be Cool About This’: An Oral History of the LØpht, Part 1 (duo.com)
139 points by signa11 on May 24, 2018 | 30 comments



Man, this whole series is so well written. I remember back in the day, when lophtcrack, Medusa, Cain and Abel, and JackTheRipper along with massive (for the time) rainbow tables were the tools of the trade (This was a little before internet exploits and Metasploit gained popularity). As a little script-kiddie, finding and running exploits on unsecured servers and machines, doing silly things like ARP poisoning in my high school lab network and bruteforcing zip files with passwords, oh such glorious times. I truly went from being a user of tech to a person with a hacker mindset, which has proved to be tremendously useful in my professional career.

I honestly feel that in the current day and age, if anyone tried the same stuff many of us got away with in the early 2000s (or 90s), then the punishment would be much much stricter. Not sure how that gets in the way of people learning by "banging things together till they work", which was a major source of learning for me.

Damn, I feel old now!


Those rose colored glasses seem to have forgotten Kevin Mitnick, and the accounting practices used to inflate the impression of the amount of damage he did. He was confined to solitary for eight months (out of five years served) due to fears that he could "start a nuclear war by whistling into a pay phone".

The 90's in the school's computer lab may have felt differently if you escaped any sort of punishment for exploration, but the CFAA was first enacted in 1986 and the punishment for computer crimes has been disproportional since before then, owing to societal lack of understanding of how computers actually work.


My favorite picture with my now deceased mom is one with us in front of a prison/state facility that Kevin was being held in, with other protesters, holding a "FREE KEVIN!" bumper sticker. I was probably 13 at the time.

I still have the sticker somewhere.


I just finished playing the game Hacknet which simulates that nostalgic experience, to some extent. Obviously it's oversimplified and gamified, but it's a fun little game; worth playing. Its DLC, Labyrinths, even adds an IRC channel where you interact with your fellow hackers.


> if anyone tried the same stuff many of us got away with in the early 2000s (or 90s), then the punishment would be much much stricter.

It always amazes me that the person who effectively opens an unlocked door gets the book thrown at them while the people who left it unlocked get off scot-free.


Because one thing is criminal and the other is just negligent?


Shouldn't criminals face punishments that fit their crime? To use an example discussed elsewhere in this thread, is a juvenile with no priors changing their grades worth 14 felony charges?

Plus, negligence can be a crime, too.


Yes, they should face punishments that fit their crime. And I'm not arguing that 14 felony charges is reasonable for a grade change (although the way the legal system works you normally get charged with a lot although you might be convicted of very few if any charges).

But it's natural that someone who commits a crime receives a harsher punishment than someone who neglects to put all relevant deterrents in place.


I feel extremely lucky. I'm a part of gen Z, but I am from a very rural area (town pop 300, county 5000.) One day in 6th grade I was in math club and we needed to get to this fantasy football site that was blocked by our webfilter iPrism. Being curious enough, I just strip off the generated bit at the end to get to the admin sign-in page for the webmin. Being a curious kid, I just type in my network login credentials and boom it logs me right in. Couldn't fuckin' believe it, full admin privileges and all.

I never used it for anything evil per se, but I did unblock the football site we were told would be unblocked, and other sites that teachers were told would be unblocked but weren't. Problem was, when you signed in there was a nice box that said "Users Online" and showed their names. One day the DTC signed in as I was online and promptly the phone rang and I was told to take my hands away from the computer and walk to the office. I had to show her what I had done, and ended up being suspended from school computers for two weeks. I couldn't imagine the things I would be accused of if it happened today. Thank god I was a straight A student and favored by everyone in the community. I also had my Starcraft 2 collectors edition USB confiscated because I had the portable onion browser on it, and my friends called it the 'stick of freedom.' Imagine if the term darkweb was as highly villainized then as it is today.

I was lucky enough to start working with the school when I was 16 (now 20.) I remember the description of the look on the regional contact from the state when the DTC told him that the district had given me a key to the school and the equivalent of domain admin in our environment. Rightfully so, but I proved myself and my worth.

Bit long of a response for something so simple, and full of nostalgia as well. It's just a shame to see that curiosity and investigation are so heavily frowned upon.


That's determined by the rules and enforcement we made up, not any particular moral principle.


In one case you are deliberately committing an action. In another you are not doing something. In most cultures you have more moral culpability for actions you take than for actions you don't take.


> I honestly feel that in the current day and age, if anyone tried the same stuff many of us got away with in the early 2000s (or 90s), then the punishment would be much much stricter. Not sure how that gets in the way of people learning by "banging things together till they work", which was a major source of learning for me.

There are still resources for this: CTF365 comes to mind, and the Offensive Security lab for their certs. There are also awesome people putting up networks you are invited to attack for free; there was one that was part of a workshop at HOPE XI but I can't recall the site. And running even multiple VMs to practice with is something a lot of people can do today.



> I honestly feel that in the current day and age, if anyone tried the same stuff many of us got away with in the early 2000s (or 90s), then the punishment would be much much stricter.

From poring over stuff from this milieu, I figured out how I could change grade records at my school. I never did it, so I don't know what would've happened if I got busted.

Some kid in the Bay Area just got busted for the same and is facing 14 felony charges.

Anyway. This was my first encounter with hacker culture, and it was so brain expanding even though I understood practically none of it. Now, I could barely recount more than the few sentences I just did, but that logo brings up waves of nostalgia.


Here's an article about the high school hacker extraordinaire [1]. My favorite line from the article has to be this one from the sergeant:

> We wrote numerous search warrants to get the IP addresses of the possible phishing site email. We got it and we did good old fashioned police detective work and we narrowed it down to an address

Good old fashioned police detective work indeed.

[1] http://www.ktvu.com/news/concord-student-accused-of-hacking-...


Because the American legal system is insane.


Yep. Teenagers who commit benign hacks for fun get more time than murderers. People's lives get ruined for effectively the digital form of trespass. It's pretty fucked up.


Do you have a source for people getting more time than murderers for "effectively the digital form of trespass"? I agree that some parts of the legal system do not work very well, but I think that's a big exaggeration.


Reverse engineering cracks, visiting porn sites just for warez passwords or just wasting time reading 2600. It was the golden age for a young kid with a passion for computers.


the good ol' days. I graduated high school in '99. grew up wardialing for BBSes and getting net access any way I could. My parents worked for schools and eventually the San Diego county office of education started an ISP for employees. I still remember when my mom received a letter because some scrub in Canada reported me for port scanning them. Almost lost our precious net access...I wasn't caught again.


oh wow....nostalgia just overcame me man.


As a kid l0pht was this mythical force, along with cDc. I would read a bunch of papers, not understanding any of it, but I thought it was so cool. I remember being very disappointed when the domain redirected to @stake.


They're generally cool people, but they're just people. The Cult of the Dead Cow people especially --- I have nothing bad to say about any of them, but if you're idolizing them, ask yourself why you don't just become one of them. They're just a group of people who wrote tfiles, shared bulletin board systems, and had varying levels of engagement with computer security. Virtually every serious software security person who blogs is clearing a higher bar than they set.

The one thing everyone involved with the L0pht and cDc has that you probably don't is age; they were doing this stuff in the 1990s and had time to make a name for themselves. But things move so much faster now than they did in the 1990s, that differentiator gets less and less forbidding every day.


As someone who also sort-of idolized these groups in the past, I think it's more about what they used to represent instead of just who they actually were.

When I was still discovering the computer and internet world, they were already "giants" in the space, so of course they would seem like the epitome of what I wanted to achieve.

"I want to be like them and be able to do the stuff they do", i.e. your standard role model feeling.

Which of course sounds silly once you grow older and realize you can be like them if you study and put the hours on it, but at the time, being so much younger, it just seemed magical.

I compare them to what the movie "Hackers" made me feel. I knew it was a completely fantastical representation of what hackers actually were (and you could even argue it was a bad-ish movie), but the fact that I could imagine myself being able to break into a TV network and putting the show of my choosing felt like magic. I guess it's the analogue to what Dungeons and Dragons was for a lot of people, imagining being a wizard and killing dragons.

So while I agree with you that they were just a group of people that got together to share knowledge and explore this new frontier, it was so ahead of what I could achieve at the time that it was hard not to look up to them.

Kind of how I (and I would guess, a lot of other HNers) look up to what you (and e.g. Project Zero engineers) can do with security and cryptography stuff :)

It's not that I think I'm not capable or competent enough to do it, just that I haven't walked the thousand miles you have. But of course, I'm now an adult that can rationalize these things, instead of an impressionable kid with dreams of grandeur :).


I understand that now, but when I was 14 in 1996 it seemed like I was reading about some forbidden secret magic. Now it just feels like a different career path. I'm sure a good part of that change is me getting older, and knowing more. Though I think that the rising level of professionalism in computer security has robbed it of its mystique. I think this is a good thing overall, but nostalgia and what not.


> I think that the rising level of professionalism in computer security has robbed it of its mystique

It has, though basically every one of the now-respectable-looking professional security outfits you could point to has one or more of these late 80s early 90s "mystique era" hackers working for it (and I can probably tell you what their old bbs handle and/or irc nick was).


That's a good thing; our field could use a lot more computer science and a lot less mystique.


I remember feeling the same way. The website is back now though: http://www.l0pht.com/

However the front page hasn't been updated since 2015.


great article but it kind of petered off at the end... why not highlight what folks have gone on to do post @stake?

they got acquired by Symantec. Mudge went on to work with the DoD to develop a cyber fasttrack program, Weld started and recently sold Veracode, Katie started the bug bounty at Microsoft, Joe Grand is still doing his thing w/ HW etc...

these folks really are self-made titans of the industry and a true testament to meritocracy and the hacker ethos. They legitimized security research as we know it.


I’d like to also remember SpaceR0gue’s now gone HNNCast with great segments like “tool time” and “con fu”



