Watch where you go, once you have entered there, and to whom you turn!

Do not be misled by that wide and easy passage!

And my Guide [said] to him That is not your concern;
it is his fate to enter every door.
This has been willed where what is willed must be,
and is not yours to question. Say no more.
Dante Alighieri, The Inferno

In a skyline of mostly symmetrical high-rise buildings, the Citicorp Center

stands out.
With its top sliced off at a 45-degree angle it looks like a bookend without its
twin wedged into place among other flat-roofed office buildings and needle-topped
towers for which New Yorks skyline are known. The angular roof was once intended
to accommodate solar panels, which at the time of its completion in 1978 were
thought to be the solution of the energy crisis that dogged the nation.
But on the first Friday of each month, this post-modern building in a not-quite
post modern city bears another unique distinction. Since the mid-1980s, the building
has been the monthly meeting place of New Yorks computer hackers and telephone
phreakers the 2600 meeting.
Sanctioned by the editors of 2600: The Hacker Quarterly, a magazine
considered to be the Bible of hacking and phreaking, 55 similar meetings take place
on the same Friday in 25 states and nine countries. The name of the magazine is taken

from a now obsolete tone 2600 hertz that until the early 1980s was the key to
controlling access to long distance phone lines.
Dozens of teenagers and young adults, very few of them older than 20, most
of them male, stand in unorganized groups, some of them passing around copies of
the magazine, asking questions of each other and listening intently to those members
of the group with more advanced skills than the novices and beginners. Citicorp
security guards watch warily from a distance, interrupting only when the
conglomeration blocks other foot traffic through the buildings public mall area.
Each meeting takes place in a centrally located public building; a mall,
convention center or a student union building, usually near a bank of pay telephones.
There is no call to order, no agenda, no chairman, no treasure, no procedure, no
podium. But for the new generation of young hackers, there is plenty of business to
conduct and information to exchange, information which wants to be free.
Over the course of four months, I attended the New York 2600 meetings and
met dozens of hackers with varying levels of skill, a handful of whom I interviewed
extensively. Though I was never allowed to witness any actual acts of hacking, the
people I interviewed described in exacting detail incidents involving the intrusion of
several computer systems on the Internet through the use of well-documented security
flaws. I met a boy not yet old enough to shave who is able to gather personal
information on people, including social security numbers, criminal background
information on their relatives and bank account numbers, all using a personal
computer and a modem. I met a man who at one time could access the credit history
of nearly anyone and alter it, before the credit bureaus finally tightened their security.

The same man can today still access phone and bank account records, and has
masqueraded as an employee of at least one Fortune 500 financial company to steal
trade secrets for a competitor.
All this from a handful of inquisitive technically adept young men driven by
compulsion to understand the very machines that keep our society running. Most
people have a vague idea of what a hacker is mostly from stories on the arrests of
so-called superhackers. Some people would have the public believe that hackers are
a threat to the countrys electronic infrastructure. Others say that adolescent hackers
should be considered an early-warning system. If a group of unorganized teenagers
playing around on home computer can infiltrate the computers of a major corporation
or government agency, the theory goes, what could a politically motivated well
financed group of hackers using more powerful computers and employed by a foreign
government accomplish? Hackers could be considered a national resource. The truth
must lie somewhere in between.
There are many things that make us what we are. One is the determination and the
drive to gain knowledge.
From How I Knew When I Was a Hacker by Revelation, founder of the Legion
of the Apocalypse, a hacking group that folded in early 1997.
Defining who hackers are and exactly what constitutes hacking can be
tricky. The computer science students at the Massachusetts Institute of Technology
are generally credited with coining the two terms in the late 1950s and early 1960s. A
hack as explained by Steven Levy in his 1984 book Hackers and later by Katie
Hafner and John Markoff in their book Cyberpunk was a prank or clever project

undertaken for no purpose other than to satisfy the person doing it, generally
involving a technically challenging system, electronic or otherwise. To be labeled a
hacker at MIT meant having created a unique program or solved a problem with a
truly innovative solution. To be a hacker was to have earned a badge of honor
requiring near-monastic dedication to refining a computer program to perfection over
the course of several hours, if not days.
In the mid-1980s to be a hacker was to be something else entirely. The first
wave of personal home computers the Apple II and Apple Macintosh, the
Commodore 64, the IBM PC landed in the living rooms of many American
families. Hackers were software pirates, deft at cracking the codes that protected
games, word processing programs and other software from being copied and
circulated illegally.
Then in the 1990s, the civilized world discovered the Internet. With the help
of the news media hacking came to mean nearly any crime in which a computer was
somehow involved, even though it required no real skill. Someone with an America
Online account entices a woman he meets in a chat room to meet him somewhere
then rapes her, and the newspapers call him a hacker. Someone uses a government
computer to store a collection of pornographic pictures, and the police call him a
hacker.
To some the word hacker is synonymous with criminal, thanks to many well
publicized cases of computer users who used their skills for personal gain or were for
one reason or another judged to have violated the law. The 1995 arrest of Kevin
Mitnick made front-page news around the country and was the focus of no less than

three bestselling books on his pursuit and capture. In 1992 five members of the New
York-based hacker group MoD (depending on which period of time youre referring
to MoD stands for Masters of Destruction or Deception) were indicted in federal
court and charged with several computer-related crimes stemming from a conflict
with a rival Texas group, the Legion of Doom. All five served time in prison, their
sentences intended as an example to other would-be hackers. The MoD case became
the subject of yet another book that contributed to the hacker tradition, and elevated
Queens native Mark Abene, aka Phiber Optik, to the status of a hacking deity.
But to the people attending the 2600 meeting, hacking is nothing more than
the quest for knowledge; an unquenchable thirst to understand the way computer
systems in all their various forms function and shape our society from the desktop
PC to the specialized switching systems of the telephone networks. In a society
increasingly controlled by information stored in computers all over the world, they
strive to understand how that information is gathered, stored and used. Their quest is
to understand the machinery that makes our society work; often that understanding
exceeds that of the people who build it and the companies who own it.
Demographically, hackers tend to be male, aged 12 to 20 years. They are
intelligent but perform poorly in school. Some tend to be social misfits, sharing little
in common with schoolmates. But there is one common denominator among them all:
at some point they have discovered a skill for using the computer.
There are many documents circulating on the Internet that attempt to describe
how hackers think and why. None of them is more popular than Conscience of a
Hacker also known as The Hackers Manifesto, written in 1986 by The Mentor, a

Texas hacker whose real name is Lloyd Blankenship. Other documents are sets of
rules by which hackers are urged to abide, or primers for beginners. There are
hundreds of these so-called text philes but none so articulate as Blankenships
Manifesto:

I am a hacker, enter my world... Mine is a world that begins with school...

Im smarter than most of the other kids, this crap they teach us bores me...
Damn underachiever. Theyre all alike....
And then it happened... a door opened to a world... rushing through the
phone line like heroin through an addicts veins, an electronic pulse is sent out, a
refuge from the day-to-day incompetencies is sought... a board is found. This is it...
this is where I belong... I know everyone here... even if Ive never met them, never
talked to them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. Theyre all alike...
Yes, I am a criminal. My crime is that of curiosity. My crime is that of
judging people by what they say and think, not what they look like. My crime is that of
outsmarting you, something you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual, but you
cant stop us all . . . after all were all alike.

They operate by a code of ethics, sometimes broken either by accident or in

the name of youthful exuberance and inexperience, sometimes in defiance of the law.
But followed or not, the ethics are clear: look and learn as much as possible, but do

no damage. Do nothing for personal profit. Interpretations of the rules may vary, and
various hackers have written about them and tried to explain them, as Revelation did
in his Ultimate Guide to Hacking and Phreaking found on the Internet:

Hacking Rules: 1. Never damage any system. This will only get you in trouble.
2. Never alter any of the systems files, except for those needed to ensure that you are
not detected, and those to ensure that you have access to that computer in the future.
3. Do not share any information about your hacking projects with anyone but those
youd trust with your life....
7. DO NOT hack government computers.

Friday, December 6, 1996. 6 p.m.

I am not the only newcomer at the December 2600 meeting. Others are
waiting near the pay phone the Citicorp Center Barnes and Noble Bookstore. They
too have read the meeting announcement on the back page of latest issue of 2600 and
are waiting for some kind of acknowledgment that they are in the right place on the
appointed day. Four young men and one woman, about old enough to be college
freshmen or sophomores talk quietly as they glance at the articles in the five-inch by
eight-inch magazine.
Their waiting pays off as a large guy with a head of long and bushy, dark hair
appears and informs the group that the meeting is starting downstairs. His name is

Vince, but he prefers being called Defrag. That is his handle, a nom de keyboard, by
which a hacker prefers to be known among other hackers.
Defrag is a friendly, humorous 18-year old who looks to be about 25. He tries
to make everyone feel welcome. He stands about 5 feet eight inches tall, and carries a
round, solid frame. His open manner of welcoming the newcomers is a bit disarming
at first. Perhaps they expected a more secretive meeting. But there is nothing
secretive or subtle about smiling, hand-shaking Defrag. For the moment he is about as
close to being a leader as any one person can be at a 2600 meeting. The group follows
him downstairs to a crowded table where another group of newcomers, mostly young
men, are waiting, some drinking coffee or cappuccino.
Whats your handle? is the greeting of the hour. For a hacker, a handle is an
alternative name, not unlike the creative names of CB radio enthusiasts used in the
1970s. Their handles come from characters in Japanese science fiction cartoons
(Gundam), punk rock groups, (Minor Threat), the names of well-known firearms
(Uzi), virii (Ebola). Defrag takes his name from a personal computer software
product.
So whats your handle? one of the group asks me. Caught off guard, my
brain kicks into sudden high-gear.
Zero. You can call me Zero, I say, practically placing a newbies dunce cap
on my head in the process. But thats what I am ... a newbie. Someone who knows
practically nothing about all this.
Defrag then leads the group out into the mall area of the building where a
second group of people arriving, led by Comport, Defrags 20-year old cousin.

Defrag tells Comport that WebTV the latest technological toy du jour
intended to bring the unsettled, uncivilized Internet to the masses has set up a sales
booth. Now you no longer need a personal computer to surf the World Wide Web, all
you need is a phone line, a TV and a WebTV box. Curiosity about the new gadget is
sufficient to move the entire group upstairs to the booth. Once there, they meet a
pretty red-haired saleswoman named Marion.
With WebTV youll be able to connect to the Internet through a 33 dot six
modem, surf the World Wide Web and send and receive email... she starts, giving a
well-rehearsed sales pitch.
Then the questions begin. What version of HTML does it support? 2.0 or
3.0? What kind of browser does it use? What kind of mail client does it have? Whos
the provider?....
Seemingly technologically illiterate beyond the parameters of her script,
Marion cedes control of the demonstration to Comport. As the machine attempts to
connects to the Internet, the WebTV screen shows an animated graphic of a scrolling
highway with a city off in the distance.
Look, its the information superhighway, Comport says, mocking the now
laughably stale nickname for the Internet coined by Vice-President Al Gore in 1994.
But the connection doesnt work. Marion cant explain it, so Comport
reprograms the WebTV box to dial the number of an Internet service provider he
knows by heart, but again the connection fails. He sets down the keyboard and shifts
around to the opposite side of the display booth to examine the cables running into
the back of the machine. Though hes curious about WebTVs claims, hes not so

curious that he wants to spend any more time with it. Get me away from this thing
before I start thinking, he says.
With Citicorp building security looking on, it seems an odd coincidence that
the machine, which had been connecting to the Internet perfectly all day, suddenly
stops working only minutes before the 2600 meeting is to begin. The rumor will later
circulate that as a precaution, either a Citicorp security official or someone connected
to WebTV, severed WebTVs ability to connect to the Internet.
Though related to Defrag, Comport looks nothing like his cousin. He has a
wiry medium build and thick, straight black hair that reaches to the bottom of his
ears. Under a black leather jacket, he wears a plaid flannel shirt buttoned to the top,
and carries a backpack slung over one shoulder. He is not a stereotypical nerd, but
rather an intense presence at the meeting who loves to debate and argue and theorize
about computers in a fast, powerful, and somewhat high voice which he uses
authoritatively. Quieter people in the room are drawn to listen in on his conversations
and debates about mother boards and Unix boxes and computer security. He gives the
impression that he is both informed and intelligent, and prepared to prove it.
After the WebTV diversion, the meeting begins in earnest, and more regulars
arrive. A tall, blonde-haired college student from Long Island dressed in a black Tshirt and black jeans, his handle is Gundam, passes around the first issue of his new
zine: TIP (The Information Project.) He solicits donations of pocket change to help
cover the cost of copies. One of TIPs contributors is Iconoclast, a gangly teen,
maybe 16 or 17 years old, with short brown hair and thick glasses and a reputation for
trashing foraging through trash dumpsters of telephone, computer and cellular

10

phone companies for discarded printout, technical manuals or anything else that
might prove useful. In his hands are several pages mapping out a network of
computers linking airports and some general information the network. He didnt even
know the network existed until he happened upon these documents while digging
through a NYNEX trash dumpster. He wont say exactly where he found it.
Groups of younger kids show up. A boy appearing to be about 13 wearing
jeans so baggy they look as they might slip right off his bony frame is accompanied
by two girls, one with long blue hair hidden by a green stocking cap, the other with
orange hair that match the color of her bargain basement polyester pants. They are of
a generation used to seeing computers in the classroom and at home. Their favorite
toys may have been may still be video games. They send and receive email as
though it has never been a novelty. To them it never has been. But hacking is
something new. There is much to be learned about such things as Unix, the computer
language that is the lifeblood of the Internet. The teenaged trio join six or seven kids
crowding around a tall, handsome adult who appears to be in his mid-20s, wearing a
leather jacket and a fedora. His handle is Master Chemist, and he is scrawling out a
rough diagram of a Unix box explaining how files are arranged and what each one
does. The teens are fascinated. This is not something they will learn in school, it is
rather something forbidden, something someone does not want them to know.
Circulating from one group to another is a hacker known as Vandal. He
already knows Unix, and is an accomplished hacker. He talks easily with Defrag and
Comport, who both make reference to Vandals unspecified bag of tricks. He has
clout here, and he knows it.

11

Sunday, 15 December, 1996. 3 p.m.: Interview with Vandal

I met Vandal at the Manhattan Mall on the corner of 36th St. and Second
Avenue. It is about as public a place for a meeting as one could ask for, especially
with fewer than two weeks to go before Christmas. So crowded is this monstrous
monument to capitalism that it takes 10 minutes to get from the ground-level floor to
the eighth-floor food court. Four tightly packed elevators are overrun by young
mothers pushing strollers. The only possible way to make the climb is to use the
escalator.
Vandals instructions are to meet him at the sushi bar near the newsstand. He
has picked this meeting place for a reason the crowd. If something unexpected
were to happen, hed have a good chance at escaping. And though he says nothing
about it, it is likely that at least one friend, possibly more, are looking on, protecting
him in case this is some sort of set-up. Weeks later, he will admit that my suspicions
about this are correct.
There are ground rules for this interview:
No tape recordings. I dont want anyone to be able to identify me from my
voice.
No using his name in the story. Only his handle is acceptable.
No asking him if he has done anything illegal.
Vandal is dressed in layers, a khaki-colored coat on the outside with a hood
hanging down the back. The zipper is open revealing a black T-shirt printed with the

12

2600 logo. His head is covered in a dark blue stocking cap, his medium brown hair
showing around the edges. He wears nondescript blue-jeans and a pair of light brown
suede leather shoes. What at first appear to be stunningly blue eyes turn out to be
fake. They show faint outlines around the pupils that suggest he is wearing contact
lenses that make his eyes appear blue.
I have to say I still think you are a fed, he says, suggesting that I might be
part of a federal sting operation.
But to Vandal, there is also a chance that this reporter is legitimate, and that
this interview is an opportunity to help dispel the stereotype of hackers as criminals.
Vandal is intelligent and articulate. He speaks easily about telephone
switching systems and his philosophy of free access to information. If it werent for
his five foot-two inch body and his adolescent voice, it would be easy to forget that
he is only 12 years old.
Vandal fits the description of the character in The Hackers Manifesto
almost perfectly. As a 7th grader at a Manhattan public school he wont say which
one he considers himself a loner, trusting few people his own age. His best friends
tend to be several years older than he, and they are all hackers. Last semester he failed
his math class. Yet in his spare time he reads about research into fuzzy logic a
field involving some of the most complex mathematical equations in world and the
development of artificially intelligent computers.
Its not that I wanted to fail math. I just didnt like the way it was taught, he
said.

13

One day he would like to go to a good college, but hed also like to quit
school now. I realized early on that its just a matter of jumping through all the
hoops. Its all mindless busywork. I could go get a GED right now if I were 14, but I
wont because I want to go to a good college, and no good school will take you with a
GED.
Vandal says he wrote his first computer program when he was seven years
old. Using an IBM-clone 286 computer running Q-Basic, he keyed in a program that
would ask for the users name. Type in his name and the computer would respond
Hello, how nice to see you again. Type in any other name, and the computer would
respond with a mere Hello.
By the age of nine he had discovered the Internet. One of his two older
brothers had an account with Panix, New Yorks first private Internet Service
Provider. By then he had graduated to using a Macintosh IIci that the brother had
received as a Bar Mitzvah gift. It came with a 2,400-baud modem.
I just found it was much easier to live on the Internet than in the real world,
he said.
He tried everything he could. He explored the world of Gopher space, a textonly precursor to the World Wide Web that was popular with universities and
publications experimenting with online publishing in the early 1990s. He sampled
Usenet newsgroups, but found the strong opinions expressed by people posting to the
groups annoyed him.
He found his true online home on the channels of IRC Internet Relay Chat
the real-time chat rooms of cyberspace. Like a corner tavern each channel has its

14

own set of regulars who share a common interest, and neophytes who are just
learning the ropes. Vandals favorite channel was #hack, where he spent most of his
time simply paying attention to other peoples conversations, a practice known as
lurking, and learning. During the chats, he heard about 2600, which he started
reading at about age 10. By the time he was 11 he was attending the meetings at the
Citicorp Center.
It made sense to me, he says. It spoke my language. When I went to my
first meeting, it was like I finally found people who were like me.
At that first meeting, an older hacker refused to take Vandal seriously. He
talked down to the boy, seeing only the small body, not the mind of a potential equal.
I spent a weekend getting all the information I could on him, Vandal says. Then I
called him and read him his Social Security number, his fathers name and
occupation, his school address, his mothers maiden name, and the fact that his father
had a criminal record. Then I told him who I was. Some people underestimate me,
he said.
For a few months in 1996, Vandal attended a Manhattan private school with a
strong reputation for its use of computers. But the new school turned out to be a
nightmare. As the new boy in school, a small, weird one at that, the boys in his grade
apparently decided that Vandal would be their new punching bag.
I guess Im kind of a weird guy. I listen to punk rock and I dont like sports.
It must have seemed to them that they had a new whipping boy.

15

He also apparently didnt get along with teachers and administrators at the
school. Lets just say I measured far beyond what they were equipped for, and they
didnt really know what to do with me.
Feeling like a prisoner, he made arrangements to transfer out of the school,
but not before making a statement one that left several desktop computers in a
school computer lab a useless, smoking heap. He was at war, and with the help of a
handful of other students, used a weapon in his arsenal to strike back at the enemy.
That weapon was a disk bomb, a typical 3.5-inch floppy diskette modified in such a
way that when inserted into a computer it causes a small internal fire that melts the
mother board the essential internal brain of any personal computer.
He places a small black diskette on the table, saying, Thats got all the
information youll need on it. Its not disk bomb, but a normal computer disk
containing three huge text files, including one called The Anarchists Cookbook. In a
section of that cookbook are the instructions for making a disk bomb: Pry a common
diskette apart, remove the cotton lining. Scrape the heads of several strike-anywhere
matches into a bowl. Paint a small stripe of clear nail polish onto the inside of the
disk, then take the match scrapings and spread them over the still-wet nail polish.
Allow it to dry, then put the disk back together. When inserted into any computer the
internal disk drive will spin the disk, which ignites the match scrapings and starts the
fire.
To this day I dont think anyone knows what really happened, Vandal says.
I think they attributed it to some kind of power surge or something. They never
really acknowledged that it happened. That lab was suddenly closed with no

16

explanation. Im sure they replaced all the computers though. At places like that
money flows like water. But it sure made me and a lot of other kids who felt like I did
feel better.
The other two files on the disk are Boxes, a primer on the form and function
of boxes, home-brewed electronic devices used to manipulate the phone system in a
myriad of ways, a practice known as phone phreaking, and PhreakFAQ a file of
Frequently Asked Questions about phreaking. Both files include instructions for
building and using a red box, the most common and easiest to build of all the boxes.
Listen carefully when you drop a quarter into pay phone, and youll hear five highpitched tones, spaced very precisely apart. A red box reproduces the tones which
when played into the phones mouthpiece can fool a public pay phone into acting as if
has been paid for a call. Then again, sometimes a telephone operator can tell when
real coins have not been used, and may block the call. Many pay phones have had
security measures installed to resist red boxing, but some have not.
While genuinely illegal, no one has ever been prosecuted for red boxing. But
one hacker known as Bernie S. went to prison for having the parts to build a red box
parts which are readily available in electronics stores.
On one occasion, Vandal and a friend took their Red boxes directly into what
they considered belly of the beast itself. They had dared each other to make a Red
box phone call from the pay phones in the lobby of a NYNEX central office. That
was like going right into the enemy camp and waving a flag. But we didnt get
caught, he said.

17

We walk around the mall, pausing at Radio Shack. Here he asks for a tonedialer, a device that emits the sounds of telephone dialing buttons. Take it apart and
switch an internal computer chip with another chip available at another store, and the
dialer can become a red box.
But Vandal says he considers himself only about one-third phone phreaker.
The rest is all hacker.
A typical night of hacking for Vandal might take place in his bedroom at
home, where he uses a Macintosh computer. He will have a six-pack of Jolt Cola a
soft drink containing twice the sugar and twice the caffeine of a normal cola in the
refrigerator.
The computer program he uses most often is Telnet, a tool that dates back to
the earliest days of the Internet. While the World Wide Web may be the shiny new
car of the Information Superhighway, Telnet is often described as an all-terrain
vehicle. It allows a user to login to a computer across town, across the country or on
the other side of the globe. Once connected to one site by Telnet, it is easy to connect
to another, and another, as many times as is necessary. Every time the connection
crosses a state line or international border, it complicates the procedure that a system
administrator would have to follow in order to trace the connection.
If Im going to do something serious I might Telnet to 10 or 15 sites before I
try connecting to my target, he said.
Most of those targets are commercial computer systems or those owned by
universities or research institutions.

18

They key to hacking in to these systems in a technique known as gaining

root. Root is the user name generally assigned to the most powerful person in charge
of a network. It is accomplished by exploiting known bugs and errors in the Unix
operating system on the host computers themselves, and by breaking passwords.
Once I have root, I rule all on that system. I can read peoples e-mail, I can
look at any file stored anywhere on the system, and if I want to I can destroy those
files, but I never do. Generally I just go in a check out what theyve got. Its like
visiting a foreign country.
After gaining root to a computer at the University of Kansas, Vandal used the
university presidents email account to request a catalog from an adult bookstore in
California.
Im not given to doing anything really bad. If someone has a system theyve
worked on for years, Im not going to do anything to destroy it....What Im after is
knowledge. Hacking is not about just getting into computers. Its about what you gain
in knowledge by getting in.
The ultimate goal of hacking, Vandal said, is to set information free, to slowly
erode the profit-driven philosophy that governs the phone system and is quickly
overtaking the Internet where profit motivations had once been taboo.
People like us shouldnt have to suffer because other people are stupid.
Think of this conversation were having right now. If we were talking on the phone
wed have to pay for the right to talk to each other. How absurd would it be if
someone were to charge us 25 cents for every five minutes we wanted to talk in

19

person? Basic human contact shouldnt have a price. Basic human needs shouldnt
have a price.

Friday, 3 January, 1997. 6 p.m.: The second meeting

The night is positively balmy for New York City in January, so the January
2600 meeting is held outside the Citicorp Centers 53rd Street entrance. The sidewalk
is littered with cigarette butts and crushed red sample boxes of a new candy, M&M
Minis.
With a black UPS truck as a backdrop the meeting begins to buzz and small
groups begin to gather. A man clad in a UPS uniform loads one package into the
truck which then sits motionless for at least 90 minutes. Some begin to wonder out
loud if the truck is a cover for some government agency trying to listen in on the
meeting.
But the thought of having their conversations monitored doesnt deter them
from sharing what theyve learned since the last meeting. One group of boys listens
intently as a well-spoken female college student details her forays into the computers
of New York University. Vandal arrives with Dr. Suess, aka Doc, a 16-year-old New
Jersey hacker who is nearly twice Vandals height and 100 pounds heavier. Since
school has not yet returned to session from the holiday break, the pair have been
roaming the city drinking milk by the quart and smoking cigarettes.
One quiet presence at the meeting is a lean African American guy, who looks
to be a few years older than the rest of the 2600 crew. He gives his handle as Avirex,

20

but says he used to be known under a different handle. He says he has been hacking
since the early 1980s.
Avirex wont give his previous handle, but claims to have spent two years in a
federal prison in Pennsylvania following a conviction for conspiracy to commit credit
fraud and computer tampering. He got out on Dec. 19, 1994. Federal prosecutors had
alleged that he had changed credit reports on computers belonging to TRW and one
other credit reporting agency.
As a condition of his release, he is not hold any jobs that deal with using a
computer. But he readily says that he is available as hacker for hire. You can send
me a PGP-encrypted message with a proposal, and Ill answer saying if it can be done
or not, and what it will cost you, he says, referring to the Pretty Good Privacy
encryption program designed to prevent e-mail messages from being read by anyone
other than the intended recipient.
About a week after the meeting I sent a non-encrypted message to the address
he specified. Days later I received this reply:

OK well I got your email today, just give me a day or so for me to check you out
and I will let you know from there whats what, no problem. I like your work and if
you are who you say you are then Im sure you will enjoy having some insight from
someone that has been in the hacking game for 10 years and that has done time. So sit
back and surf the net and check your e-mail daily, I will call you when things are cool
and/or send you e-mail!
LATER!
AVIREX
Six days later we made arrangements to meet at the Barnes and Noble
Bookstore at 83rd St. and Broadway.

21

Thursday, January 23, 1997: Interview with Avirex

To have a conversation with Avirex is to do so with two people

simultaneously. One is the talented young computer technician who works as a
system administrator for a Brooklyn-based business he will not name. He makes
enough money to pay his bills, and lives a seemingly quiet life.
The other is the man who in 1991 eluded arrest by the U.S. Secret Service for
four months following a raid on his home, and who later served 18 months of a 24month sentence in a federal prison after pleading guilty to several crimes, including
credit fraud, and conspiracy to commit cellular phone fraud.
He leads a double life, one day telling his parole officer how hard it is to find
work with a criminal record, and working for an employer who knows nothing of his
criminal past the next. On the side he works as a freelance hacker for hire gathering
information of almost any kind for a price.
Avirex knows more about me that I do myself. He has seen my phone records,
and has cross-referenced the numbers I call frequently. He has seen my credit report,
my bank records and my World Wide Web home page. He knows where I live and
some of my previous addresses. He knows where I went to college, and checked to
see if I have a criminal record. But mainly, he has looked for any connection I might
have to a law enforcement agency. He and a colleague, a hacker known as The Saint,
did the check at my suggestion before agreeing to the interview.

22

A Manhattan native, Avirex, now 25, is the son of middle class parents. His
father is the owner of a successful small business. He says he first became a hacker in
1984 after receiving a Commodore VIC-20 computer with a cassette tape drive as a
gift. A forerunner of the more powerful and popular Commodore 64, the VIC-20 was
reliable workhorse. He was into hacking computer games cracking the codes that
protected the games from being copied for people who had not paid for them.
It wasnt long before he had convinced his mother to buy him a 300-baud
modem. He had heard about bulletin board systems, dialup online services created by
individuals or organizations that offer their members email, access to computer file
archives and other service, which predated the Internet.
I called this board called Force Hackers BBS, and the guys who ran it had
this meeting by the World Trade Center. We were just little kids running around and
learning about computers then. That was when TAP was still around, he said.
By TAP, Avirex is referring to the Technological Assistance Program
newsletter, the grandfather of publications like 2600. Established in 1973 by a phone
phreaker who called himself Al Bell, a colleague of Abbie Hoffman, TAP published
information taken from AT&T technical journals, the kinds of information that Ma
Bell would have liked to keep to itself. In the late 70s TAP was taken over by two
phreakers calling themselves Tom Edison and Chesire Catalyst. By then the four-page
leaflet boasted an estimated 4,000 subscribers around the world. But in 1983 a
burglary and attempted arson at Toms suburban New Jersey apartment brought it to
an end. By 1984, 2600, though not connected to TAP, had begun to fill the void the

23

older publication left behind. A complete collection of TAP newsletters is available

for sale in 2600s classified ads.
I met everyone at those meetings, Avirex said. We would pass around
copies of TAP and wed go hack around Greenwich Village. That was when everyone
could exchange information through the underground. It wasnt like it is now at the
2600 meetings where theres a bunch of people who really dont know what theyre
doing, he says.
Eventually, Avirex was admitted into the inner circle of Force Hackers
Association, whose members included Acid Phreak, one of the five members of
MoD to serve time in prison.
He and his friends used programs called war dialers to use the modem to
dial phone numbers in a sequence and record which numbers are answered by
computers. He would leave his computer running the war dialer for days at a time,
dialing over and over. We werent even sure what we were doing. Wed pick a
computer system and dial into it, and theyd have default passwords all the time.
Wed log in with names like test or guest or demo, and the password would be the
same as the name, he said.
His explorations of computers and the phone system continued unabated until
1985, when his parents were paid a visit by officials from the telephone company.
I was blue boxing from my home, which was stupid.
Now obsolete, the blue box was the first phone phreaking device of its kind.
Like its successor, the red box, the now-obsolete blue box emitted tones that
controlled access to long distance phone lines: the 2600-hertz tone to be exact. Older

24

phone phreaks remember the blue box about as fondly as stereo equipment
enthusiasts remember eight-track tapes. But by the time Avirex had taken up blue
boxing, the phone company had built more sophisticated scanning equipment, which
made it a simple matter to track the source of his calls. It wasnt long until a pair of
phone company employees paid a visit to his parents.
He was never charged with a crime; his family settled out of court with the
phone company. His parents decided to send him away to a boarding school in
Virginia. It was better that he go away for awhile, they thought. He would be gone for
two and-a-half years.
When he returned to New York in 1987, he fell right back into the scene, as if
he had never left. I really cant tall you how I fell back in. I just did, he says.
This time his computer was a borrowed Compaq 286. He decided it would be
best to simply hold back and quietly collect information for a few years. By 1990, he
was ready to make his mark on the computer underground scene again. He founded
The New York Hack Exchange, a hacker computer bulletin board service and joined a
group which called itself High Tech Hoods, a group which stressed hacking on the
right side of the law.
The board was really successful. I had good information and a couple of
friends helped me hook it up with an 800 number so that made a lot of people could
call, he said. The board stayed up until 1993, but was interrupted for a few months in
1991. A hacking friend in the group that helped operate the board got into some kind
of trouble with the U.S. Secret Service.

25

I still not sure what he got into trouble for. But he ended up giving the Secret
Service my information and they ended up coming over to my apartment, he says.
One day while out running errands, his electronic pager beeped. It was the
friend, saying he was in Manhattan, and asking him to come and meet him.
It sounded funny to me. I thought he was supposed to be locked up. When
youre in trouble with the feds youre usually in trouble for awhile, and it had only
been a few days. And then hes paging me, saying hes over in the city. That didnt
make sense. So I called my apartment, he says.
Another friend, this one a girl, was at his apartment and answered the phone.
I said hey its me and she said no hes not here. I said no, no its me its
me...I didnt catch on at first. Then I hung up and realized what was going on. I
called her back and told her to get all the papers and throw them out. She said Ok,
Ill give him the message. The Secret Service was already over there.
A Secret Service raid on his home was in progress. The agents confiscated his
computer, disks, printouts, and anything that might be connected to hacking.
I decided to disappear for awhile. I needed to get my thoughts together. I had
my car with me and I ran to Florida. I was sleeping in my car, and when I got there I
stayed with another member of the group, he said.
At first the Secret Service ordered his pager turned off. The pager company,
Mobile Metromedia, had been running its paging and billing software on a Unix
system suffering from an easily exploited security flaw, so Avirex had his pager and
those of the other members of his circle connected for free, meaning the company had
no records for any of the pagers.

26

They cut my pager off, and the next day I cut it back on. Then they cut it off
again, so I left it alone. Then they finally put it back on so they could tell me to call
them and to come back in. They told me they were having a tough time convincing
the company to turn off a pager they [the pager company] didnt even know about,
he said.
After about a four months on the lam, Avirex decided to surrender, and did so
at the offices of his lawyer, a public defender, in Manhattan. He was handcuffed and
taken away in a car.
He realized that his lawyer did not fully understand the nature of the charges
against him, nor did he understand the technology involved.
We went to trial, and I just pled guilty. They said they were still downloading
stuff from my computers to use as evidence, and that really got me scared. They
offered me 36 months if I pled guilty. There was no way I was going to court, so I
took it, and the judge dropped the sentence down to 24 months, he said.
He was sent to the correctional facility in Lewisburg, Penn., a minimum
security facility reserved for white collar criminals. It was interesting serving time
there, but I wouldnt want to go back. Of the 11 members of the High Tech Hoods,
four did time in prison, some only a few months; of the four, Avirex served the
longest sentence.
We all tried to be good hackers back then, but we fell off the ethics path.
He got out in December, 1994. Now more than two years later, he is back in
the scene, and working under several assumed identities.

27

I got back just through talking to friends that I missed so much while I was
away. I had no choice but to get back into the scene. Since I started it was always
something I ended up doing.
Today his current employer has no idea who he really is nor any idea that he
has a criminal record. He simply created another identity for himself. It was not a
hacker trick, just a series of paperwork tricks he learned about through his various
readings. He has a fake birth certificate, a falsified social security number and is
currently working on getting a fake drivers license.
Avirex said he has the ability to create and delete bank accounts for himself
any time he needs a convenient place to store money temporarily. He said he has used
information taken from discarded documents and manuals found in trash dumpsters
belonging to both banks. This information in hand, he places phone calls to bank
employees posing as an employee needing some kind of technical help relating a
bank computer network. This is called social engineering, and Avirex has used it to
acquire hundreds of passwords and access commands.
These abilities have come in handy. When hes not working at his legitimate
job, he moonlights as a covert private investigator. He could easily become a PI, but
his criminal record forbids it.
I have a few PIs who use my services. I can get information that cant get
sometimes. Stuff they cant usually afford to get through other means.
His most interesting case, he says, was one of corporate espionage. One
Fortune 500 company wanted a list of a competitors clients. Once again, he
employed his skills in social engineering, this time in person.

28

I got approached by a person who worked for them. They said everything
had to be quiet, and asked if I could I do it. I said I would try. It took close to six
months. First I tried going in for a job, but they wouldnt hire me. Then I ended up
working for a cleaning company that cleaned their offices after-hours. So when I was
supposed to be sweeping floors and vacuuming I was using their computers. They
wanted to look at reports, customer lists, trade secret stuff. I never want to know why
my clients need the information I get for them. But thats how I do my cases. Its
simple enough to become another person. Everything is verifiable. I can give them
phone numbers and answering services. School records can sometimes be iffy, but
theyre really not too much of a problem.
Ive worked for companies like Goldman-Sachs, just to gain information for
myself. I got hired as a consultant, which gave me access to their computers. Then
one morning I called them up and said I wanted to terminate the project. Thats how it
works most of the time... I get hired as a consultant.
His current project involves rebuilding the High Tech Hoods now renamed
High Tech Hackers as a computer security firm.
What we want to do is find some good hackers, maybe some of the guys
from the 2600 meetings, and teach them the ropes. Well keep them on the level, and
let them do what they like to do, which is hacking, while they get paid for it, he said.
He is also bringing back the New York Hacker Exchange in the form of a site
on the World Wide Web. At the March 2600 meeting he handed out copies of a disk
with a sample of files that will be archived on the site.

29

I cannot control someone if they use my information for destruction

purposes, he said. Ever since I got into the hacking scene so many hackers showed
me with no problem. They helped me learn and that how I think the game should be
played, so I will do the same. This information can be used by a computer security
pro just as much as it could be used by a hacker.

Monday, 20 January 1997: Interview with Comport

I believe hackers are merely endemic of the real problems that our economic
and technical infrastructure face today. Hackers have shown the chinks in the
electronic armor. ...They have penetrated the establishments technocastle and
crossed the moat with little resistance. They have shown that the walls that protect
our resources are not as solid as the managers of the information would have us
believe. ...This is not a defense of hacking activities, but one could certainly make a
case that hackers have made us aware of issues about which we might otherwise be
blithely ignorant.
Security Consultant Winn Schwartau in Information Warfare, 1996.
In contrast to many of his colleagues, Comport has no secrets to hide. His
name is Chris Hollander, he lives in Queens, and he is a 20-year old student at Baruch
College, where he has a part-time job as computer systems administrator.
Baruch College is part of the City University of New York. Its computers are
a sub-network of the larger CUNY computer network that give students, staff and
faculty their access to e-mail and the World Wide Web. The system is also the home
to several city government Web pages, including those of Public Advocate Mark
Green and City Comptroller Alan Hevesi.

30

Using a simple World Wide Web browsing program, Hollander was able to
exploit a weakness in the CUNY system, and obtain the passwords of every user on
the entire system.
People make such a big deal over hackers rewriting Web pages. I had the
information right there to do just that, and I got it using an elementary hacker attack,
Hollander said. He informed his boss of the security bug and it was fixed, but he said
such tricks are the sort of thing that hackers cut their teeth on.
The weakness on the CUNY system involved a protocol developed for the
Web called CGI (for Common Gateway Interface). It retrieves information stored in a
computer database that is constantly being updated or changed, and automatically
presents it on the Web, eliminating the need for a human being to type the
information in HTML (Hypertext Markup Language), the primary language of Web
pages. For example, Web pages that constantly update weather information use CGI
to check the latest temperature readings stored on one computer and transfer them to a
Web page. The CUNY system also used a program called PHF that allows a user to
search the CGI information for specific key words.
I entered a search on the Alta Vista search engine for pages that use CGI and
PHF and it stopped counting at 13,000 systems that are exploitable using that
weakness. Theres been a security advisory out on that since 1995, he said.
Such a weakness can be used by a hacker to root the system which means to
achieve root-level access the highest level of access on any computer system.
Ideally, root access is reserved only for senior technicians and system administrators.
When a serious technical glitch occurs on a system, root access allows a tech to

31

pinpoint the problem and fix it without first having to jump over security hurdles.
Hollander said getting root access to a system is seen as a challenge to many hackers,
many of whom never do anything with the privilege once they achieve it.
The goal is not the pound (#) sign prompt that you get when you gain root.
Its the things you do that get you there. ...Ive talked to people who root three
systems a day. To anyone using an ISP I would say its not just likely, its a sure thing
that someone has rooted that system. ...Every night someone comes into the chat
rooms on IRC (Internet Relay Chat) as root from one of the big service providers,
Hollander said.
Michael Erde is head of security for Interport Communications, one of New
Yorks largest ISPs. Interports business clients include Hearst Publishing, World
Wide Diamond Source, S.C. Johnson Wax, Edelman Public Relations, Sothebys
Auction House and The New York Observer. He said that simply appearing as root
on an IRC channel doesnt prove anything.
Those users may not have root access at all on that system. They may have
just taken advantage of some relatively innocuous hole or in the IRC program or
something that it interfaces with, he said.
But he did acknowledge that it is not uncommon for service providers have
their systems compromised. He subscribes to an email mailing list on which ISP
administrators compare notes and solutions to security problems.
For example on one of the mailing lists I subscribe to, it isnt uncommon for
someone to say he suspects or knows he has been rooted, and is seeking help from the
members of the list, Erde said.

32

And if rooting is as common as Hollander claims, is it something that ISPs try

to hide from their customers? Erde doesnt think so.
Most ISPs are traditionally tight-lipped on security stuff because they dont
want to invite hack attempts, he said.
Erde was the only representative of a New York ISP to return messages for
this story. Representatives at Panix, and Internet Channel did not return phone and
email messages.
I can understand why people dont want to discuss this type of stuff. To be
honest, I only do it grudgingly, he said.
While a growing number of government and private organizations are relying
increasingly on the Internet and organizational intranets to exchange important
information and other vital business functions, studies are showing an almost
shocking lack of computer security measures.
A survey of 1,300 information security officers conducted by the trade
magazine Information Week and Ernst and Young Information Security in late 1996
found that more than half of the companies surveyed suffered a financial loss related
to lapses in information security during the previous two years. More than onequarter of those companies said their losses amounted to more than $250,000, and in
some cases $1 million or more.
63 percent of the respondents attributed the losses to computer virus
outbreaks;
33 percent cited malicious acts by disgruntled employees or former
employees;

33

 Only 17 percent of the companies surveyed blamed the losses on people

from outside the company.
Of the companies that monitor Internet activity inside and outside their
organization, one-quarter reported they had experienced attempts to break into their
systems via the Internet.
Statistics like this are no surprise to Hollander. Everyone and their mother is
putting a box on the Internet these days and they have no reason to be there. There are
so many bugs in Unix besides PHF. If they just install the Unix software straight out
of the box and dont even bother to look at what theyre installing on their system,
theyre just opening the door to an attack. That is where 90 percent of the security
holes come from, people installing things and not knowing what theyre doing, he
said.
Information security lapses in the corporate world are exactly the kind of thing
that Winn Schwartau, president of Interpact Inc., a Florida-based electronic security
firm, and editor of the book Information Warfare is trying to educate people about.
Schwartau said that despite the capabilities of some hackers, they are not the menace
that some people would like to believe.
Hacking is good. It has contributed immeasurably. Hackers are an earlywarning system for cyberspace, and most people have no clue what is really going on.
If you look at what these teenagers are able to do with no money and a typical home
computer, then take that capability put behind it some kind of financial or political
agenda, then youve suddenly got some serious problems, he said.

34

One contributor to Schwartaus book, Michael Devost, goes so far to suggest

that some hackers should be embraced as a national resource. Devost described one
case in which a hacker, while looking for the credit history of former President
Ronald Reagan, discovered one individual credit card held by 700 people, each of
which had no credit history. He soon realized that he had found the names and
addresses of people in the Federal Witness Protection Program, and promptly
informed the FBI of the security hole.
Schwartau said he talked several FBI agents into giving a presentation at a
recent hacker convention in Las Vegas. By and large the crowd loved it. The
question most often asked of the guys was Can I work for? I think that many of the
better hackers, not the wanna-bes, but the really good hackers want security jobs.
...The most common way that security administrators are hired in the private sector is
the Hey you method. They find people within the organization that really dont
know anything, and put them in charge of computer security, he said.

In 1993, Emmanuel Goldstein, the publisher of 2600 went before a U.S.

House of Representatives subcommittee to defend the content of the magazine he
founded.
Goldstein, whose real name is Eric Corley, has often been the lightning rod of
criticism of hackers and their activities. But he is also their most outspoken defender.
Though in the past he has granted interviews to several publications, he did not
respond to repeated requests for an interview. But this exchange with Rep. Edward

35

Markey, a Democrat from Massachussetts, taken from Congressional records, sums

up his position well:
Mr. Goldstein: First of all 2600 is not a manual for computer crime. What we do is,
we explain how computers work. Very often knowledge can lead to people
committing crimes, we dont deny that, but I dont believe that is an excuse for
witholding the knowledge. ...These are all things that people should know, ...
Mr. Markey: Lets go to the other side of the problem, the joy rider or the criminal
that is using this information. What penalties would you suggest to deal with the bad
hacker? Are there bad hackers?
Mr. Goldstein: There are a few bad hackers. I dont know any myself, but Im sure
there are.
Mr. Markey: I assume if you knew any, you would make sure we did something
about them. But lets just assume there are bad people subscribing [to the magazine].
What do we do about the bad hacker?
Mr. Goldstein: Well, I just would like to clarify something. We have heard here
testimony that there are gang members and drug dealers who are using this
technology. Now are we going to define them as hackers because they are using this
technology?
Mr. Markey: Yes. Well, if you want to give them another name, fine. We will call
them hackers and crackers, all right?
Mr. Goldstein: I think we should call them criminals.
Mr. Markey: So the crackers are bad hackers, all right? If want another word for
them, that is fine, but you have got the security of individuals decreasing with the
sophistication of each one of these technologies, and the crackers are out there. What
do we do with the crackers who buy your book?
Mr Goldstein: I would not call them crackers. They are criminals. If they are out
there doing something for their own benefit, selling information
Mr. Markey: Criminal hackers. What do we do with them?
Mr Goldstein: There are existing laws. Stealing is still stealing.

36

Postscript

When I ventured into the Citicorp Center on December 6, 1996, I expected to

be ignored by the regulars of the 2600 meeting. Reporters are not a popular among
hackers. John Markoff of The New York Times is probably the least popular
journalist to ever write about hackers. His front-page stories on the pursuit and
capture of Kevin Mitnick, and the book he co-authored with Tsutomu Shimomura, the
California computer security consultant who helped the FBI track down and arrest
Mitnick, have been criticized heavily by other journalists who covered the story and
hackers who say Markoff blew the story out of proportion.
With that in mind, I didnt reveal my true reason for attending the meeting
until I had talked with several people there. In hacker parlance, I was lurking
listening in an attempt to learn what I could. Once I made it clear to the people who
would become my sources Defrag, Comport, Vandal, Avirex, and a handful of
others not mentioned in the story that I was interested in more than quick,
sensational story, they opened up. However they only did so after checking and
double-checking my credentials, which apparently included calling several members
of the faculty of the Graduate School of Journalism to confirm that I was indeed a
student at the school. These checks of my credibility were performed with my
blessing. Had I not given such permission, I would have been checked out anyway.
In order to maintain regular contact with some of my sources, Vandal and
Avirex in particular, I had to develop a routine involving the use of their pagers.
Neither one of them ever gave me their phone numbers, only their pager numbers.

37

Contacting Avirex calling him on his pager and hoping he would respond by leaving
a message on my home phone voice mail. This caused some frustration, especially
when I was in a hurry. For our first interview, Avirex was nearly two hours late, and
never did show for a second interview we had arranged.
Eventually I came to be in regular email contact with Vandal and Avirex, but
the addresses they gave me were only email forwarding services, and not their true
email addresses. Occasionally I would get sudden phone calls from Vandal,
sometimes very late at night, which had no clear purpose. Perhaps he was bored, or
keyed up on caffeine or both.
One assumption the reader may make in reading this story is that I have a
background in computer programming. I dont. Nor do I think such a background is
required for writing about technology. I am fascinated by what computers can do and
by the potential benefits and pitfalls in the growth of the Internet. I dont think you
need a computer science degree to understand how they work. Curiosity is a virtue for
both a hacker and a reporter.
I expect that Ill remain in contact with the hackers I met at the Citicorp
Center. For good or ill, there are going to be more well-publicized hacking incidents
making the news in the coming years. I want to be covering the beat when they
happen. In August, hackers from around the country will converge on New York for
the Beyond Hope Conference, the eagerly awaited follow-up to 1994s Hackers on
Planet Earth (HOPE) Conference. With any luck, Ill be there.
I am indebted, of course, to those reporters who have gone before me. Steven
Levys landmark work Hackers is widely praised for its explanation of the hacker

38

ethic. Josh Quittner and Michelle Slattallas Masters of Deception is considered a

classic by hackers and non-hackers alike. Bruce Sterlings The Hacker Crackdown
was also useful.
I also owe a debt of thanks to the several anonymous hackers who have posted
their various essays on hacking and phreaking to thousands of sites on the World
Wide Web. I never met Revelation, for example, whose documents I quoted several
times in the story. He never responded to any email message I sent him, yet his
documents speak for themselves, and for the hacking community as a whole.
Finally, I must acknowledge the cooperation of the 2600 hackers Defrag,
Comport, Vandal and Avirex. To them I can only say: Thanks guys. It was phun.

Arik Hesseldahl
[email protected]

39