By Richard Thieme – 1998
Processing power is dirt cheap and the Feds are crawling all over the Net. So why did Aaron Blosser hack US West to solve a 17th century math problem?
The question hangs in the air, a timid koan posed by a 28-year-old programmer sitting in his apartment in Denver, Colorado. Aaron Blosser has a lot more room to stretch out in his place these days, now that the FBI took away his Pentium II, his 486, and a pile of his CDs. It’s all gone, perhaps forever. And so is his job as a computer consultant.
Blosser lost big because he went on a careless quest for a mathematical grail – the next Mersenne prime. Ever since Marin Mersenne identified a unique class of prime numbers in the 17th century, digit-searchers have been on the prowl for the next Big One. Their search reached the Internet a few years ago, with the release of Mersenne-hunting software that anyone can download. Blosser, a systems consultant working for US West, installed it on the company’s customer service network in September. He should have known how to configure the software to run in the background, but instead he misconfigured the machines so that they checked for network activity every two seconds – flooding the system with packets in the process.
“We noticed a degradation of service at once,” says a spokesman for US West. “We respect the pursuit of knowledge, but we get irate if the network is not available for our work.” Thus, while the investigation of the case continues, US West is urging the FBI to prosecute Blosser as quickly as possible.
The Golden Age of Hacking is over. When he loaded the Mersenne program onto the network at US West, Blosser wasn’t trying to bring down the network. And he certainly wasn’t trying to hide. (His name and email address were all over the software.) But his hack was unnecessary – the kind of thing kids did back in the days when systems were cracked at 300 baud with ASCII Express and laws against unauthorized computer intrusion were all but nonexistent. Today, hackers play the game of life with real money on the table and the credible threat of prison sentences hanging over their heads.
Taking over a Baby Bell’s network in the pursuit of pure Knowledge may still be romantic, but more experienced hackers say it no longer makes much practical sense.
“The media tends to portray all security breaches as ‘hacks,’ but hacking is not just about security,” says security professional Yobie Benjamin. “It’s about the whole domain of computer science – moving from node to node to see how things look. It’s about harnessing the power of distributed computing.” Benjamin laughs. “Blosser needs a midnight basketball league to keep him off the streets.”
Indeed, that’s what the gang at Boston’s L0pht Heavy Industries call their pastime – a midnight basketball game for hackers. Still animated by a passion for Solving the Puzzle and Seeing the Big Picture, the L0pht crew carries those hacker ideals forward by uncovering security holes in Windows NT or Novell products – without actually trespassing on anyone’s system.
That’s easier than ever to do these days, thanks to the open-door network of Windows, UNIX and Sun machines available at upt.org – the computer playpen where some of hacking’s best and brightest honed their skills before graduating into corporate and intelligence ranks. “A lot of the old reasons to break in just aren’t there any more,” says security consultant Tom Jackiewicz, who helped administer the upt.org BBS. “Nobody can say they can’t afford a UNIX box when all you have to do is throw some free LINUX onto a PC. You want to hack a Sun system? Break into ours – if you can.”
Likewise, if it was empty processor cycles that Blosser wanted, he didn’t need to siphon off US West’s resources. When the number-crunchers at distributed.net decided to show that the US government’s security claims about 56-bit DES cryptography were a sham, they simply created a software client that anyone could download. After 4000 teams contributed computing power to break the code, DES fell in 212 days. The next challenge, DES II-1, cracked in 40. As David McNett of distributed.net puts it, “I question Blosser’s judgement, not his motives.”
Hacking’s “white hat” ideal lives on, but suitable targets for Robin Hood-style adventures have become increasingly hard to find. In 1997, a hacker named Se7en went on a rampage against cyber-pedophiles, targeting their hangouts for network subversion. Nobody knows for sure how many web sites or IRC lairs Se7en and his cohorts took down, but nobody lifted a finger to curtail their vigilante attacks. And when Peter Shipley at dis.org uncovered gaping flaws in the Oakland, California fire department dispatch system during a massive war-dialing project, authorities overlooked his campaign – in no small part because Shipley volunteered to fix the holes instead of bringing chaos to the streets of Oakland.
With all that in mind, Blosser’s network-clogging “hack” was a throwback to the early 1990s – the Don Quixote apparition of a bygone age when the anarchist rhetoric of John Perry Barlow actually made some sense. Today, the laws have tightened, surveillance technologies are ubiquitous, big money is at stake, and the borderless economy is learning to regulate itself. Yet when asked why he hacked US West, a kid who is nearly 30 still says, “Why not?” Blosser’s naivete is charming, but more experienced hackers understand it no longer pays to have that kind of innocence.