Computer underground Digest    Sun  July 27, 1997   Volume 9 : Issue 59
                           ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Shadow Master: Stanton McCandlish
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Field Agent Extraordinaire:   David Smith
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #9.59 (Sun, July 27, 1997)

File 1--Paul Taylor's Forthcoming "Hacker" Book (excerpt)
File 2--Chapter 6 of P. Taylor's book - "Them and Us"
File 3--Cu Digest Header Info (unchanged since 7 May, 1997)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: 18 Jun 97 17:25
From: P.A.Taylor@sociology.salford.ac.uk
Subject: File 1--Paul Taylor's Forthcoming "Hacker" Book (excerpt)

((MODERATORS' NOTE:  A few years ago, Paul Taylor solicited
information on "hackers" in a CuD post for his Phd dissertation.
He completed it, and it will soon be published by Routledge and
Kegan Paul.  The publication date is anticipated to be in early
1998, and the tentative title: HACKERS: A STUDY OF A
TECHNOCULTURE, although Paul is still searching for (and is open
to) suggestions.  Sadly, though, publishers usually suggest the
final title and their choice usually prevails.  The estimated
price for the paperback version should be about 15 pounds, which
would make the US version about $20.

CuD will run a chapter, which will be divided into two sections
of this CuD issue because of length)).

  ------------------

Jim has kindly agreed to put up on CuD an excerpt from my
forthcoming book on hackers.  Its present form is straight from
my PhD thesis but I would like to use peoples' feedback to help
me up-date my work prior and to make it more accessible to a
non-academic audience.  If you have any comments or views on my
portrayal of hacking then please contact me -
p.a.taylor@sociology.salford.ac.uk.

The reason for putting up the posting is

a) to thank and give something back to the original people who
contributed.
b) to stimulate further interest that will help in the up-dating
of the original work - specifically ...
  i) what do people think are the major developments in the CU over
      the last 3/4 years?
  ii) what do people think are the major differences (if any)
      between the CU scene in the US as compared to Europe/rest of the
      world?

There's an open invite for people to contact me and discuss the
above and/or anything else that they think is relevant/important.
Below is a brief overview of
the eventual book's rationale and proposed structure.

Hackers: a study of a technoculture

Background

"Hackers" is based upon 4 years PhD research conducted from
1989-1993 at the University of Edinburgh.  The research focussed
upon 3 main groups: the Computer Underground (CU); the Computer
Security Industry (CSI); and the academic community.  Additional
information was obtained from government officials, journalists
etc.

The face-to-face interview work was conducted in the UK and the
Netherlands.  It included figures such as Rop Gongrijp of
Hack-Tic magazine, Prof Hirschberg of Delft University, and
Robert Schifreen.  E-mail/phone interviews were conducted in
Europe and  the US with figures such as Prof Eugene Spafford of
Purdue Technical University, Kevin Mitnick, Chris Goggans and
John Draper.

Rationale

This book sets out to be an academic study of the social
processes behind hacking that is nevertheless accessible to a
general audience.  It seeks to compensate for the "Gee-whiz"
approach of many of the journalistic accounts of hacking.  The
tone of these books tends to be set by their titles: The Fugitive
Game; Takedown; The Cyberthief and the Samurai; Masters of
Deception - and so on ...

The basic argument in this book is that, despite the media
portrayal, hacking is not, and never has been, a simple case of
"electronic vandals" versus the good guys: the truth is much more
complex.  The boundaries between hacking, the security industry
and academia, for example, are often relatively fluid.  In
addition, hacking has a significance outside of its immediate
environment: the disputes that surround it symbolise society's
attempts to shape the values of the informational environments we
will inhabit tomorrow.



Book Outline

Introduction - the background of the study and the range of
contributors

Chapter 1 - The cultural significance of hacking: non-fiction and
fictional portrayals of hacking.

Chapter 2 - Hacking the system:  hackers and theories of technological change.

Chapter 3 - Hackers: their culture.

Chapter 4 - Hackers: their motivations

Chapter 5 - The State of the (Cyber)Nation: computer security weaknesses.

Chapter 6- Them and Us: boundary formation and constructing "the other".

Chapter 7 - Hacking and Legislation.

Conclusion

Paul Taylor

------------------------------

Date: 18 Jun 97 17:25
From: P.A.Taylor@sociology.salford.ac.uk
Subject: File 2--Chapter 6 of P. Taylor's book - "Them and Us"

Chapter 6 - 'Them and us'

6.1 INTRODUCTION

6.2 BOUNDARY FORMATION - 'THEM AND US'
6.2.1 The evidence - Hawkish strength of feeling

6.3 REASONS FOR 'THEM AND US'
6.3.1 Ethical differences between the CSI and CU
6.3.2 The fear of anonymity

6.4 THE ETHICAL BASIS OF THE 'THEM AND US' SCENARIO
6.4.1 Blurred and vestigial ethics
6.4.2 Industry examples of blurred ethics
6.4.3 Technology and ethics

6.5 BOUNDARY FORMATION - ROLE OF THE MEDIA

6.6  BOUNDARY FORMATION PROCESS AND THE USE OF  ANALOGIES

6.7 THE PROJECT OF PROFESSIONALISATION
6.7.1 Creation of the computer security market and professional  ethos
6.7.2 Witch-hunts and hackers
6.7.3 Closure - the evolution of attitudes

6.8 CONCLUSION



6.1 INTRODUCTION

Hackers are like kids putting a 10 pence piece on a railway line to see if
 the train can bend it, not realising that they risk de-railing the whole
 train (Mike Jones: London interview).

 The technical objections of the hawks to hacking, which reject the argument
 advocating cooperation with hackers, are supplemented by their ethical
 objections to the activity, explored in this chapter.  Previous chapters
 have shown that there is some interplay and contact between the hacker
 community and the computer security industry, as well as the more
 subsidiary group: the academics1.  The much more common relationship
 between hackers and the computer security industry, however, is the
 thinly-veiled or open hostility evident in the opinions of the hawks.
 This chapter examines the basis of this hostility.  The groups' contrasting
 ethical stances are highlighted, and their origins explained.  The
 technical evolution of computing is shown as creating new conditions that
 demand ethical judgements to be made with respect to what  constitutes
 ethical use of computer resources.  The CU and the CSI have different
 ethical interpretations that are expressed in a process of debate.  This
 debate then becomes part of a boundary forming process between the two
 groups.  Two identifiable influences upon such ethical judgements are the
 age of the person making the judgement, and the extent to which technology
 plays a part in the situation about which an ethical judgement has to be
 made.
 Elements of the CSI and the CU  stand in identifiable opposition to each
 other.  This chapter shows how this opposition is maintained and
 exacerbated as part of a boundary forming process.  Ethical differences
 between the two groups are espoused, but examples are given of the extent
 to such differences are still in a process of formation within computing's
 nascent environment.  Thus the type of mentality within the CU that fails
 to accept any ethical implications from phone-phreaking or hacking is
 sharply opposed by the CSI, whose typical sentiment  is that computer users
 such as hackers have forgotten "that sometimes they must leave the playpen
 and accept the notion that computing is more than just a game" (Bloombecker
 1990: 41).  This contention that hackers have failed to psychologically
 "come out of the playpen" is illustrative of some of the marked ethical
 differences between the two groups.
 This chapter, however, draws attention to examples of the more ambiguous
 and blurred ethical situations within computing, and how an on-going
 process of negotiation, group differentiation and boundary formation, is
 required to maintain such differences between the groups.  The ethical
 complexities surrounding computing are becoming increasingly important as
 it becomes a more prevalent aspect of everyday life.  The CSI, as a part of
 a dominant social constituency of business and political interests, is
 involved in a process of attempting to impose its interpretation of such
 ethical issues upon computing.  Advocates of different ethical approaches
 find themselves increasingly separated by moral boundaries that have become
 codified into professional regulations and government legislation.
 The "them and us" scenario caused by the contrasting ethical stances is
 fuelled by the media's portrayal of hackers as unethical outsiders.   The
 most obvious manifestation of this is the evolution of attitudes held
 towards hackers by the dominant social constituency.  The 'true hackers' of
 MIT were active from the late 1950's and were instrumental in the
 development of both hardware and software, whereas  hackers are now largely
 perceived as a problem to be legislated away.  This evolution in
 perceptions is simultaneously a result of the emergence of the CSI as a
 constituency, and a causal factor in that development.   To illustrate the
 process of boundary formation we note comparisons of the debate surrounding
 Robert Morris Jr's intrusion into the internet system with the language and
 attitudes displayed during the Salem Witch trials (Dougan and Gieryn 1988).
  The press, in particular, has been particularly active in the process of
 stereotyping and sensationalising hacking incidents, the process helping to
 produce a deviant group status for hackers.
  The chapter also includes analysis of one of the most interesting aspects
 of the boundary forming process between the CSI and the CU, namely, the way
 in which physical comparisons are made between situations that arise in
 computing and the real world.  These metaphors are used as explanatory
 tools and also in the production and maintenance of the value systems that
 separate the two groups.  The physical analogies used seem to fulfil both
 of these functions.  They allow what would otherwise be potentially
 complicated technical and ethical questions to be approached in a more
 manageable and everyday manner, yet they also contribute directly to the
 formation of ethical boundaries due to their particular suitability as a
 means of sensationalising hacking issues.
 Public commentators such as Gene Spafford have made various polemical
 statements of what hacking and its implications are: employing a hacker, is
 like making 'an arsonist your fire chief, or a paedophile a school
 teacher.'  The actions of hackers are thus forcefully taken out of the
 realms of 'cyberspace' and reintroduced into the concrete realm of
 threatening real world situations.  If the comparison is accepted, then the
 danger and harm to be suffered from such actions are more readily
 understood and feared, and hackers as a group may then be effectively
 viewed as moral pariahs.  With reference to Woolgar's (1990) attempt to
 link computer virus stories with the prevalence of 'urban/contemporary
 legends', it can be pointed out that the physical analogies used by the CSI
 in discussions of computer ethics emphasise the transgressive 'breaking and
 entering' qualities of hacking2.  In contrast, the CU reject such dramatic
 analogies and prefer to emphasise the intellectual and pioneering qualities
 of hacking which we will subsequently analyse with respect to their chosen
 analogies: comparisons of hacking's intellectual nature and frontier ethos
 to a game of chess and the Wild West, respectively.

6.2 BOUNDARY FORMATION - 'THEM AND US'

 Dougan and Gieryn (1988), like Meyer and Thomas (1990), have compared the
 process of boundary formation within computing with the historical examples
 of formalised witch trials.  This is an extreme process of 'boundary
 formation' whereby groups differentiate themselves by marginalising other
 groups thereby establishing their own identity.  "Witch hunts" occur in
 periods of social transition and we have seen in Chapter 3 that IT is
 undergoing a period of social change.  The economic order is attempting to
 impose property relations upon information, yet its changing nature
 undermines its properties as a commodity.
 Computer counter-cultures are increasingly perceived as a threat to the
 establishment's ability to control technology for its own purposes.  The
 initial awe and even respect with which hackers were originally viewed as
 'technological wizards' has given way to the more frequent hawkish
 perception that they are 'electronic vandals'.  Dominant social groups
 initially mythologise and then stigmatise peripheral groups that do not
 share their value-structure.  In the case of hackers, this tendency has
 been exacerbated by the fear and ignorance encouraged as a result of
 hacking's covert nature and the difficulties of documenting the activity.

 Dougan and Gieryn (1988), amongst others, point out that such concepts of
 deviancy have a function.  Put simply, a community only has a sense of its
 community status by knowing what it is not.  Distancing themselves from
 outsiders helps members within that group feel a sense of togetherness.
 Furthermore, cultures that emphasise certain values over others will tend
 to label as deviant those activities which threaten its most prized value.
 In the particular case of hackers, their stigmatisation and marginalisation
 has occurred because they have threatened, with their information-sharing
 culture, one of the basic crutches of the capitalist order: property
 rights.  The facilitating feature of the boundary forming process between
 the CU and the CSI is the sense of otherness and lack of affinity with
 which they confront each other: the "them and us" scenario.

6.2.1 The evidence - hawkish strength of feeling

 Direct access to the debate between the CSI and CU can be obtained by
 looking at examples of e-mail correspondence known as 'flames'.  These are
 strongly worded, and often insulting electronic mail messages.  They serve
 to illustrate the antagonism that exists between the CSI and CU.  The
 following are examples of the expressions used on e-mail to describe
 hackers and hacking:

I am for making the penalties for computer trespass extremely painful to the
 perpetrator ... Most administrators who've had to clean up and audit a
 system of this size probably think that a felony rap is too light a
 sentence.  At times like that, we tend to think in terms of boiling in oil,
 being drawn and quartered, or maybe burying the intruder up to his neck in
 an anthill (Bob Johnson: RISKS electronic digest, 11:32).

electronic vandalism (Warman: e-mail interview).

Somewhere near vermin i.e. possibly unavoidable, maybe even necessary pests
 that can be destructive and disruptive if not monitored (Zmudsinki e-mail
 interview).

Mostly they seem to be kids with a dramatically underdeveloped sense of
 community and society
(Bernie Cosell: e-mail interview).



 Opposition to hacking practices has become increasingly non-specific and
 moralistic, an example being Spafford's argument that   using hackers'
 knowledge on a regular basis within the computer security industry is
 equivalent to employing a known arsonist as your fire-chief, a fraudster as
 your accountant, or a paedophile as your child-minder.  The technical
 insights that they could provide or could be derived as a by-product of
 their activities become subordinate to the need to express opprobrium
 against the morality of the actions themselves.  The language of blame and
 morality is consistently used by hawkish members of the CSI to refer to
 hackers in what they would argue is a process of 'blame displacement'.  The
 CSI are accused of using moral condemnation as a means of deflecting any
 responsibility and blame for security breaches  that might be attached, not
 just to the perpetrators of intrusions, but also their victims.  As
 Herschberg said:

The pseudo-moral arguments and the moralistic language certainly cloud the
 issue in my view.  I think it obscures the fact that system owners or
 system administrators have a moral duty to do at least their level best to
 stop penetrations.  They are very remiss in their duty, they couldn't care
 less and therefore at least, there is quite an understandable tendency to
 blame the penetrator rather than blaming themselves for not having taken at
 least adequate counter measures, in fact in some cases counter measures
 have not been taken at all ... if it is proved to you that you haven't done
 your homework, then you almost automatically go into a defensive attitude
 which in this case, simply amounts to attacking the hacker, blaming him
 morally, heaping opprobrium on his head ... yes, the fear factor is
 involved (Herschberg: Delft interview).

 This undercurrent of moral censure was a recurrent quality of the
 field-work interviews with members of the CSI, for example:


I've been in this game ... this is my 36th year, in the interests of hacking
 as a whole I think hacking is something which is derogatory; to be played
 down, to possibly in fact, be treated as a minor form of criminal activity
 ... the last thing you want to do is to make hackers into public figures;
 give them publicity.  I think it needs to be played down when it occurs,
 but it shouldn't occur ... I wouldn't have them, no, under any
 circumstances (Taylor: Knutsford interview).

 Dr Taylor and others interviewees, involved in the provision of computer
 security, had had surprisingly little direct contact with hackers.  I asked
 him about this lack of direct contact/interplay and his perceptions of the
 motivations of hackers:

Well, there shouldn't be [any interplay] because the industry doesn't want
 to hear about hackers and certainly doesn't want to see the effects of what
 they do ... To me I'm not concerned with what the hacker does, I'm more
 concerned with keeping him out to start with ... You've talked to what are
 called the more ethical members of the hacking community for whom it's an
 intellectual challenge, but there are in fact people who are psychopaths,
 and Doctor Popp3 is one of these, where they just want to level a score
 with society which they feel has been unfair to them ... A chap called
 Whitely has just gone to prison for four years for destroying medical data
 at Queen Mary's hospital, London.  He just destroyed utterly and he wasn't
 just a hacker that was browsing, he was a psychopath almost certainly
 (Taylor: Knutsford interview).

 In contrast, and as an illustration of the negative perceptions each groups
 has of the other, a hacker, Mofo, argues that psychotic tendencies are not
 the sole preserve of the hacking community:

my experience has shown me that the actions of 'those in charge' of computer
 systems and networks have similar 'power trips' which need be fulfilled.
 Whether this psychotic need is developed or entrenched before one's
 association with computers is irrelevant.  Individuals bearing such faulty
 mental health are present in all walks of life.  I believe it is just a
 matter of probability that many such individuals are somewhat associated
 with the management of computers and networks [as well as intrusion into
 computer systems] (Mofo: e-mail interview).

 Taylor is wary of the damage to computing that greater publicisation of
 hacking could cause, yet as the above reference to Dr Popp and Nicholas
 Whitley shows, ironically, he seemed to be dependent upon the most
 publicised cases of hacking for his perceptions of hackers.  A further
 argument that prevents the CSI accepting hackers as potentially useful
 fault-finders in systems is the simple charge that without the existence of
 hackers in the first place, there would be very little need for extensive
 security measures.  Even if hackers are of some use in pointing out various
 bugs in systems, such a benefit is outweighed by the fact that a large
 amount of computing resources are 'wasted' on what would otherwise be
 unnecessary security measures.  For example, Dr Taylor's view is that:

hacking is a menace that stops people doing constructive work ... A lot of
 money get's spent today on providing quite complex solutions to keep ahead
 of hackers, which in my view should not be spent ... They're challenging
 the researchers to produce better technical solutions and they're
 stimulating the software service industry which provides these solutions
 and makes money out of it.  But you answer the question for me, what's that
 doing for society? (Taylor: Knutsford interview).

 Thus one reason for the use of moral language is in order to displace blame
 from those in charge of the systems where security is lax, to those who
 have broken that lax security.  Irrespective of the state of security of
 systems, there is a project of group formation whereby those who implement
 computer security wish to isolate and differentiate themselves from the CU,
 in a process that highlights the inherent differences that exist between
 the two groups.  This project is vividly illustrated in the following
 excerpt from the keynote Turing Award acceptance speech given by Ken
 Thompson:

I have watched kids testifying before Congress.  It is clear that they are
 completely unaware of the seriousness of their acts.  There is obviously a
 cultural gap.  The act of breaking into a computer system has to have the
 same social stigma as breaking into a neighbor's house.  It should not
 matter that the neighbour's door is unlocked.  The press must learn that
 misguided use of a computer is no more amazing than drunk driving of an
 automobile (Thompson 1984: 763).

   This degree of sentiment was consistently expressed amongst some of the
 most prominent and accomplished of those figures from the computer security
 industry who were  generally opposed to hackers:

Unfortunately ... it is tempting to view the hacker as something of a folk
 hero - a lone individual who, armed with only his own ingenuity, is able to
 thwart the system.  Not enough attention is paid to the real damage that
 such people can do...when somebody tampers with someone else's data or
 programs, however clever the method, we all need to recognise that such an
 act is at best irresponsible and very likely criminal.  That the offender
 feels no remorse, or that the virus had unintended consequences does not
 change the essential lawlessness of the act, which is in effect
 breaking-and-entering.   And asserting that the act had a salutary outcome,
 since it led to stronger safeguards, has no more validity than if the same
 argument were advanced in defense of any crime.  If after experiencing a
 burglary I purchase a burglar alarm for my house, does that excuse the
 burglar?  Of course not.  Any such act should be vigorously prosecuted
 (Parrish 1989).

 Several of the above quotations are notable for their heavy reliance upon
 the visual imagery of metaphors comparing the ethical issues arising from
 computing with real-world situations, a topic that will be looked at
 shortly.

6.3 REASONS FOR 'THEM AND US'

6.3.1 Ethical differences between the CSI and CU

 Having identified the strength of feeling of hawkish views of hacking, this
 section explores the ethical basis of that antagonism. The following
 quotation from a member of the CSI illustrates the stark difference between
 the ethical outlooks of certain members of the computing constituency.
 Elements of the CSI vehemently oppose the "playpen attitude" advocated by
 elements of the CU.  Presupposing that no harm is done, hackers tend to
 believe that it is not wrong to explore systems without prior permission,
 whilst those concerned with the security of those systems would
 characterise such a belief as offensive:

Just because YOU have such a totally bankrupt sense of ethics and propriety,
 that shouldn't put a burden on *me* to have to waste my time dealing with
 it.  Life is short enough to not have it gratuitously wasted on
 self-righteous, immature fools...If you want to 'play' on my system, you
 can ASK me, try to convince me *a priori* of the innocence of your intent,
 and if I say "no" you should just go away.  And playing without asking is,
 and should be criminal; I have no obligation, nor any interest, in being
 compelled to provide a playpen for bozos who are so jaded that they cannot
 amuse themselves in some non-offensive way (Cosell CUD 3:12).

 When we examine the factors underpinning the CSI's and CU's contrasting
 ethical interpretations we find an important feature is the tendency of the
 CSI to denigrate, or devalue the ethics articulated by hackers.  Bob
 Johnson, a Senior Systems analyst and Unix System Administrator at a US
 military installation criticises the justifications used by hackers as an
 example of the modern tendency to indulge in "positional ethics".
 Referring to the Internet worm case he states:

The majority of people refuse to judge on the basis of "right and wrong".
 Instead, they judge the actions in terms of result, or based on actual
 damages, or incidental damages or their own personal ideas.  In my mind,
 Morris was WRONG in what he did, regardless of damages, and should
 therefore be prepared to pay for his deeds.  Many others do not suffer from
 this "narrow frame of mind".  By the way, positional ethics is the same
 line of reasoning which asks, "When would it be right to steal a loaf of
 bread?"  I believe that the answer is "It may someday be necessary, but
 it's never right" (Bob Johnson: e-mail interview).

 The "hawkish" elements of the CSI are unequivocal in their condemnation of
 hacking and its lack of ethics.  They argue that the lack of ethics shown
 by hackers is indicative of a wider societal decline.   Thus Smb
 characterises the alleged degeneration of the average persons ethics, not
 as a breakdown in morality, but rather as a spread of amorality: "I'm far
 from convinced that the lack of ethics is unique to hackers.  I think it's
 a societal problem, which in this business we see manifested as hacking.
 Amorality rather than immorality is the problem" (Smb: E-mail interview).
 Similarly, Bob Johnson argues that:

In a larger sense, I view them [hacking and viruses] as part of the same
 problem, which is a degeneration of the average persons ethics - i.e.
 integrity and honesty.  There's a popular saying in America - 'You're not
 really breaking the speed limit unless you get caught.  I believe an
 ethical person would neither break into systems, nor write viruses (Bob
 Johnson: e-mail interview).

 Cosell takes this argument further, the "degeneration of the average
 person's ethics" is applied to a loss of respect by hackers for property
 rights:

The issue here is one of ethics, not damages.  I'll avoid the "today's
 children are terrors" argument, but some parts of that cannot be avoided:
 the hackers take the point of view that the world at large OWES them
 amusement, and that anything they can manage to break into is fair game [an
 astonishing step beyond an already reprehensible position, that anything
 not completely nailed down is fair game] (Cosell: e-mail interview).

 A study into social and business ethical questions was carried out by
 Johnston and Wood (1985, cited by Vinten 1990) for the British Social
 Attitudes Survey.  Apart from their major conclusion that the single most
 important factor influencing the strength of people's ethical judgements
 was age, it seems difficult to point to clear ethical boundaries and
 guide-lines in relation to many of the situations that arise in the modern
 world, especially in the realms of business.  Thus in his summary of the
 report Vinten describes how: "In situations ranging widely from
 illegitimate tipping of dustmen to serious corruption, no clear-cut
 boundaries emerged as between 'right' and 'wrong' ... Sub-group variation
 was greatest where situations were complicated by motivation questions, and
 by being remote from everyday experience" (Vinten 1990: 3).  Hacking
 fulfils both of these criteria.
 The advent of "virtual reality" or "cyberspace" tends to divorce computing
 from "everyday experience".  This leads directly to an ambiguous ethical
 status for many computing situations and a concomitant need to assert
 ethical standards by the dominant social constituency if it is to succeed
 in exerting control over computing.  Vinten's study of computer ethics
 (1990) points out that ethical judgements tend to be harsher, the older the
 person making the judgements.  Members of the CSI consistently have
 strongly critical views of the ethical stance taken by hackers.  They tend
 to be older than hackers, having been involved with computers, as a career,
 for many years.  Hackers, in contrast, tend to use computers more as a
 hobby and may hack in order to gain access to systems which their youth
 precludes them from obtaining access to by legitimate means.  This age
 difference is perhaps one reason why there are such fundamental differences
 in the ethical outlook of members of the CSI and CU4.

6.3.2 Fear of Anonymity

 One of the common themes that stems from the CSI's perception of hackers is
 their tendency to assume the worst intent behind the actions of intruders,
 a tendency encouraged by the fact that hacking is intrinsically anonymous:


There is a great difference between trespassing on my property and breaking
 into my computer.  A better analogy might be finding a trespasser in your
 high-rise office building at 3 AM, and learning that his back-pack
 contained some tools, some wire, a timer and a couple of detonation caps.
 He could claim that he wasn't planting a bomb, but how can you be sure?
 (Cosell: e-mail interview).

 Another vivid example of the doubt caused by the anonymity of hackers  is
 the comparison below made by Mike Jones of the DTI's security awareness
 division.  I pointed out that many hackers feel victimised by the
 establishment because they believe it is more interested in prosecuting
 them than patching up the holes they are pointing out with their activity.
 Jones accepted that there was prejudice in the views of the CSI towards the
 CU.  That prejudice, however, is based upon the potential damage that
 hackers can cause.  Even if there is no malicious intention from the
 hacker, suspicion and doubt as to what harm has been done exists:

Say you came out to your car and your bonnet was slightly up and you looked
 under the bonnet and somebody was tampering with the leads or there looked
 like there were marks on the brake-pipe.  Would you just put the bonnet
 down and say "oh, they've probably done no harm" and drive off, or would
 you suspect that they've done something wrong and they've sawn through a
 brake-pipe or whatever... say a maintenance crew arrived at a hanger one
 morning and found that somebody had broken in and there were screw-driver
 marks on the outside casing of one of the engines, now would they look
 inside and say "nothing really wrong here" or would they say, "hey, we've
 got to take this engine apart or at least look at it so closely that we can
 verify that whatever has been done hasn't harmed the engine"  (Jones:
 London interview).

 These two quotations proffer an important explanation of the alleged
 paranoid and knee-jerk reactions to hacking activity from the computing
 establishment.  The general prejudice held by the CSI  towards the CU is
 heightened by the anonymous quality of hacking.  The anonymity encourages
 doubts and paranoia as a result of being unable to assess the motivation of
 intruders and the likelihood that any harm that has been committed will be
 difficult to uncover.
 In addition to these points, the anonymity afforded by Computer Mediated
 Communication (CMC) encourages hackers to project exaggeratedly threatening
 personalities to the outside world and media.  Barlow (1990) describes
 meeting some hackers who had previously frightened him with their
 aggressive e-mail posturing.  When Barlow actually came face to face with
 two of the hackers they:

were well scrubbed and fashionably clad.  They looked to be as dangerous as
 ducks.  But ... as ... the media have discovered to their delight, the boys
 had developed distinctly showier personae for their rambles through the
 howling wilderness of Cyberspace.  Glittering with spikes of binary chrome,
 they strode past the klieg lights and into the digital distance.  There
 they would be outlaws.  It was only a matter of time before they started to
 believe themselves as bad as they sounded.  And no time at all before
 everyone else did (Barlow 1990: 48).

 The anonymity afforded by CMC thus allows hacking culture to indulge in
 extravagant role-playing which enhances the perception of it in the eyes of
 outsiders as being a potentially dangerous underground movement.  Hacking
 groups generally choose colourful names such as "Bad Ass Mother Fuckers,
 Chaos Computer Club, Circle of Death, Farmers of Doom"5, and so on.

6.4 THE ETHICAL BASIS OF THE 'THEM AND US' SCENARIO

6.4.1 Blurred and vestigial ethics

Cracking, virus writing, and all the rest, fall into the realm of
 possibility when dealing with intelligent, curious minds.  The ethics of
 such things come later.  Until then, users of computers remain in this
 infancy of cracking, etc. (Kerchen: e-mail interview).

 The ethical edges demarcating legal and illicit acts have a higher tendency
 to be blurred whenever technology has a significant presence in the context
 of the act.  The acts of such figures as Captain Crunch have been received
 with a combination of admiration and condemnation.  Opposition to attempts
 to commodify and institutionalise informational property relations can
 exist in such rebellious manipulations of technology; but also more
 'respectably' in the intellectual and political platforms of such figures
 as Richard Stallman and the League for Programming Freedom.  Activities
 involving the use of computers have given rise to a number of qualitatively
 new situations in which there is a debate as to whether the act in question
 is ethical or not.  These activities tend to centre upon such questions as
 whether the unauthorised access to and/or use of somebody's computer,
 system, or data can be adequately compared to more traditional crimes
 involving the physical access or manipulation of material objects or
 property.
 An example of such ambiguity is the fact that whereas the idiosyncratic
 behaviour of the early hackers of MIT was benignly tolerated now hacking is
 portrayed in the press as having evil associations and is subject to legal
 prosecution.  This apparent change in social values has occurred despite
 the fact that the motivations and lack of regard for property rights
 associated with hacking have remained constant over time.  Examples of the
 previously ad hoc morality with respect to computers abound.  The first
 generation MIT hackers engaged in such illicit activity as using equipment
 without authorisation (Levy 1984: 20), phone phreaking (pg 92),
 unauthorised modification of equipment (pg 96) and the circumvention of
 password controls (Pg 417)6.  Bloombecker gives the example of how
 authority's reaction to the behaviour of small school children may
 represent society's ambivalent response to the computing activities it
 originally encourages.  Definitive ethical judgements can prove difficult
 to make in certain situations:

Think of the dilemma expressed unknowingly by the mathematics teacher who
 spoke of the enthusiasm her 9 and 10-year-old students exhibited when she
 allowed them to use the school's computers.  "They are so excited" she
 said, "that they fight to get onto the system.  Some of them even erase
 others' names from the sign-up lists altogether".  The idea that this was
 not good preparation for the students' moral lives seemed never to have
 occurred to her ... Unfortunately, both for society and for those that need
 the guidance, there is no standard within the computer community to define
 precisely when the playing has got out of hand.  If a student uses an hour
 of computer time without permission, one university computer department may
 consider it criminal theft of service, while another views it as an
 exercise of commendable ingenuity (Bloombecker 1990: 42).

 This ambiguous ethical status of some computing activities is due to the
 relatively recent advent of computing as an area of human endeavour; this
 has led to a lack of readily agreed-upon computing mores: "Indeed, if we
 were to devise a personality test designed to spot the computer criminal,
 the first and most difficult task would be to create a task that did not
 also eliminate most of the best minds who have made computing what it is"
 (Bloombecker 1990: 39).  There is the further complicating factor, that to
 some extent at least, society encourages "getting hooked" upon computing,
 since it is perceived as representing a beneficial outlet for intellectual
 endeavour.  We now turn to more specific examples of computing's ethical
 complexity.

6.4.2  Industry examples of blurred ethics

 There is often a lack of agreement even amongst computer professionals as
 to what constitutes the correct procedures with which to confront certain
 research and educational issues within computing.  A specific example of
 this lack of agreement is the debate caused by the publication of an
 article by Cohen, entitled "Friendly contagion:  Harnessing the Subtle
 Power of Computer Viruses" (1991).  In the article, Cohen suggests that the
 vendor of a computer virus prevention product should sponsor a contest
 encouraging the development of new viruses, with the provisos that the
 spreading ability of the viruses should be inherently limited, and that
 they should only be tested on systems with the informed consent of the
 systems owners.  Spafford responded with the charge that: "For someone of
 Dr Cohen's reputation within the field to actually promote  the
 uncontrolled writing of any virus, even with his stated stipulations, is to
 act irresponsibly and immorally.  To act in such a manner is likely to
 encourage the development of yet more viruses "in the wild" by muddling the
 ethics and dangers involved" (Spafford 1991: 3).  Furthermore, even the
 publication of "fixes" can be viewed in certain instances as an unethical
 act, leading to what has been previously described as the phenomenon of
 "security through obscurity".  Spafford argues that: "We should realize
 that widespread publication of details will imperil sites were users are
 unwilling or unable to install updates and fixes.  Publication should serve
 a useful purpose; endangering the security of other people's machines or
 attempting to force them into making changes they are unable to make or
 afford is not ethical" (Spafford 1990:12).
 The disagreement over some of the ethical questions thrown up by hacking
 was also in evidence in the aftermath of the Internet Worm when a debate
 raged amongst computer professionals as to the ethical and technical
 implications of the event.  The debate tending to support the above
 argument positing ethical sub-group variation and a general lack of
 clear-cut moral boundaries as typical of the modern ethical environment,
 especially when there are contrasting opinions as to the originating
 motivations behind specific acts.  Such a debate was reflected in the
 "Communications of the  Association of Computing Machinery (ACM)" Forum of
 Letters, where even the ACM's president received quite strident criticism
 for his position indicated in the title of his letter: "A Hygiene Lesson",
 that the Internet Worm could be viewed as beneficial in so far as it
 increased awareness of security practices.  The president's view was
 described by one contributor to the forum as, "a massive error in judgement
 which sends the wrong message to the world on the matters of individual
 responsibility and ethical behaviour ... [it] is inexcusable and an
 exercise in moral relativism" (Denning, Peter 1990: 523).  Similarly,
 another writer illustrates the disparate nature of the feelings produced by
 the Internet Worm incident when he pointedly remarks:

while Spafford praises the efficacy of the ''UNIX 'old boy' network" in
 fighting the worm, he does not explain how these self-appointed fire
 marshals allowed such known hazards to exist for so long ... If people like
 Morris and people like him are the greatest threat to the proper working of
 the Internet then we face no threat at all.  If, on the other hand, our
 preoccupation with moralizing over this incident blinds us to serious
 security threats and lowers the standards of civility in our community,
 then we will have lost a great deal indeed  (Denning, Peter 1990: pp 526
 +7).

6.4.3 Technology and ethics

 Underlying some of these problems with ethics has been the tendency
 identified by Spafford (1990) to "view computers simply as machines and
 algorithims, and ... not perceive the serious ethical questions inherent in
 their use" (Spafford 1990: 12).  Spafford points to the failure to address
 the end result of computing decisions upon people's lives, and hence the
 accompanying failure to recognise the ethical component of computing.  As a
 result, he argues, there is a subsequent general failure to teach the
 proper ethical use of computers:

Computing has historically been divorced from social values, from human
 values, computing has been viewed as something numeric and that there is no
 ethical concern with numbers, that we simply calculate values of 0 and 1,
 and that there are no grey areas, no impact areas, and that leads to more
 problems than simply theft of information, it also leads to problems of
 producing software that is also responsible for loss and damage and hurt
 because we fail to understand that computers are tools whose products ...
 involve human beings and that humans are affected at the other end
 (Spafford US interview).

 This is due to the fact that often the staff of computer faculties are
 uncomfortable with the subject, or don't believe it's important.  Their
 backgrounds are predominantly in mathematics or scientific theory and hence
 they don't adequately understand how practical issues of use may apply to
 computing.  Spafford suggests that engineering provides a more appropriate
 model of computing than science in so far as it addresses the human as well
 as the scientific dimensions.

Computer science is really, in large part an engineering discipline and that
 some of the difficulties that arise in defining the field are because the
 people who are involved in computing, believe it's a science and don't
 understand the engineering aspects of it.  Engineers, for a very long time,
 have been taught issues of appropriateness and ethics and legality and it's
 very often a required part of engineering curricula ... computing is more
 than just dealing with numbers and abstractions, it does in fact have very
 strong applications behind it, a very strong real-world component (Spafford
 US interview).

 The extent to which computing has a non-material dimension, however,
 constantly mitigates against Spafford's desire for computing to be
 ethically approached in a similar manner to an engineering discipline.
 There is a fundamental difference between the 'real world' and the 'virtual
 world' of computing, and it is this difference which makes the literal
 transposing of ethical judgements from the former to the latter, difficult,
 if not untenable.  The correct balance with which to transpose ethical
 judgements from one realm to another is debateable.

6.5 BOUNDARY FORMATION - ROLE OF THE MEDIA

 This section debunks some of the sensationalising, demonising, and
 mythologising of hacking that has occurred with the recent spate of books,
 articles and television programmes dealing with the issue.  It also
 corrects the overwhelming tendency of most of the writings on the subject
 of hacking to concentrate on the minutiae of the activities and life
 histories of hackers or their adversaries.  Frequently, but superficially,
 deep-rooted psychological abnormalities are offered as explanations for
 hacking activity, whilst ignoring the ethical and political implications of
 those acts.  The overall effect of the media portrayal of hacking, it could
 be suggested, is a continuation by other means of the CSI's project of
 stigmatisation and closure.

(i) 'Hacker best-sellers'

 Two examples of the tendency towards sensationalism are The Cuckoo's Egg by
 Clifford Stoll and Cyberpunk by Hafner and Markoff. An example of the many
 uses of hyperbole in their choice and tone of language is their
 consideration of the issues at stake in the hiring of a hacker for security
 work.  "But hire such a mean-spirited person?  That would be like giving
 the Boston Strangler a maintenance job in a nursing-school dormitory"
 (Hafner and Markoff, 1991: 40).  Both of these books made a large impact on
 the computing public and yet both seem self-indulgent in their reliance
 upon trivial and tangential details in the narration of different hacking
 episodes.  In The Cuckoo's Egg, for example, we are given various
 descriptions of the author's girlfriend and seemingly irrelevant details of
 their shared Californian lifestyle.  In Cyberpunk, many unsubstantiated
 conjectures are made as to the state of mind of the hacker.  Thus the
 authors write about Kevin Mitnick:

When Kevin was three, his parents separated. His mother, Shelly got a job as
 a waitress at a local delicatessen and embarked upon a series of new
 relationships.  Every time Kevin started to get close to a new father, the
 man disappeared. Kevin's real father was seldom in touch; he remarried and
 had another son, athletic and good-looking.  During Kevin's high school
 years, just as he was getting settled into a new school, the family moved.
 It wasn't surprising that Kevin looked to the telephone for solace (Haffner
 and Markoff 1991: 26).

 This somewhat arbitrary assignation of motivation leads the authors to
 label Kevin Mitnick as the "dark-side" hacker,  whereas their analysis of
 Robert Morris, author of the Internet Worm, is much less condemning despite
 the fact the latter was responsible for much more damage and man-hours of
 data-recovery time.

(ii)  Press and Television

 The media faces, in its reporting of computer security issues, the
 perennial problem of how to report technical issues in a both accurate and
 entertaining manner.  Generally, the media has tended towards reporting
 those stories that contain the highest degree of 'electronic lethality' and
 it has exaggerated the 'darkness' of hacking motives.  For example, a
 Channel Four television documentary "Dispatches" entitled its investigation
 of hacking "The day of the Technopath", whilst the February 1991 edition of
 GQ magazine concerned the growth of virus writers in Bulgaria and was
 called "Satanic Viruses".
 Along with the above two treatments of the computer security issue I will
 also look at a Sunday Correspondent article of the 17th December 1989
 entitled "A Bug in the Machine"  and part of the transcript of an episode
 of the U.S. current affairs/chat-show programme, "Geraldo", for a sample of
 media treatments of the hacking issue.  The television portrayals of the
 problem of computer security seem to be the most superficial and dependent
 upon sensationalising techniques.  Newspaper and magazine articles to give
 relatively thorough and accurate technical descriptions of what it is to
 hack/write viruses but still make disproportionate use of 'dark-side'
 imagery7.

"A Bug in the Machine"

 This article is an example of the tendency of the press to concentrate upon
 the "sexy" elements of computer security stories. It contains a cynical
 description of Emma Nicholson M.P.'s unsubstantiated claims that hacking
 techniques are used for terrorist purposes by the European Green movement
 amongst others and her emotive description of hackers as: " ... malevolent,
 nasty evil-doers who fill the screens of amateur users with pornography"
 (Matthews 1989: 39).  Yet whilst dispelling some of the alarmist tendencies
 of such claims, the example of a hacker chosen by the journalists is that
 of the "computer anarchist Mack Plug".  Apart from making their own
 unsubstantiated claim that "Nearly all hackers are loners" (a contention
 refuted by my interviews with groups of Dutch hackers), their description
 of his hacking activity seems to deliberately over-emphasise the more
 "glamorous" type of hacking at the expense of describing the more mundane
 realities and implications of everyday hacking:

At the moment he is hacking electronic leg tags. "I've got it down to 27
 seconds" he says, "All you have to do is put a microset recorder next to
 the tag and when the police call to check you're there, you tape the tones
 transmitted by the tag and feed them on to your answering machine.  When
 the cops call back again, my machine will play back those tones.  I'll have
 a fail-safe alibi and I can get back to hacking into MI5 (Matthews 1989:
 39).


Geraldo Programme8

 On September 30th 1991, the Geraldo chat-show focused on hacking.  It
 involved a presentation of various hacking cameo shots, one of which showed
 Dutch hackers accessing US Department of Defense computers with super-user
 status.  The studio section of the show involved an interview with Craig
 Neidorf (alias Knight Lightning), who underwent a court case in the U.S.
 for having allegedly received the source code of the emergency services
 telephone computer programs.  Also interviewed was Don Ingraham the
 prosecuting attorney in Neidorf's case.
 Below I include excerpts from the dialogue that ensued as an example of the
 extent to which hacking is presented in the media in a superficial,
 trivialised and hyperbolic manner.  In the introductory part of the show,
 excerpts from the film "Die Hard II" are shown in which terrorists take
 over the computers of an airport.  The general tone of the show was
 sensationalistic with one of the guest hackers Craig Neidorf being
 repeatedly called the "Mad Hacker" by Geraldo and Don Ingraham consistently
 choosing emotive and alarmist language as shown in the following examples:

Geraldo: Don, how do you respond to the feeling common among so many hackers
 that what they're doing is a public service; they're exposing the flaws in
 our security systems?

Don:  Right, and just like the people who rape a co-ed on campus are
 exposing the flaws  in our nation's higher education security.  It's
 absolute nonsense.  They are doing nothing more than showing off to each
 other, and satisfying their own appetite to know something that is not
 theirs to know.

And on the question of th
give, in 30 seconds, a worst case scenario of what could result from the
 activities of hackers.  To which he replies: "They wipe out our
 communications system.  Rather easily done.  Nobody talks to anyone else,
 nothing moves, patients don't get their medicine. We're on our knees."

Dispatches - "the day of the technopath"9

 Emma Nicholson M.P. interviewed in the Dispatches programme, states, "A
 really good hacker could beat the Lockerbie bomber any day, hands down"
 and, "Perhaps only a small fraction of the population dislikes the human
 race, but they do, and some of them are highly computer-skilled".
 The following is another example taken from the programme's voiced-over
 commentary:

Until now the computer hacker has been seen affectionately as a skilled
 technocrat, beavering away obsessively in his den, a harmless crank
 exploring the international computer networks for fun.  But today it's
 clear that any computer, anywhere, can be broken into and interfered with
 for ulterior motives.  The technocrat has mutated to the technopath ...
 government and business are reluctant to admit that they're fragile and
 vulnerable to such threats, frightened of either the loss of public
 confidence or of setting themselves up as targets for the technopaths who
 stalk their electronic alleyways.


6.6  BOUNDARY FORMATION PROCESS AND THE USE OF ANALOGIES

 The previous sections of this chapter have established that the ethical
 issues surrounding computer usage are both complex and liable to
 fundamentally contrasting interpretations by the members of the CSI and the
 CU.  The debate that subsequently occurs between the two groups has been
 shown as part of a boundary forming process by means of which both groups
 reinforce their own identities.  This section analyses the way in which
 analogies are used within this process as both explanatory tools with which
 to examine some of the issues in the ethical debate over hacking, and also
 as a method of conveying the strength of opinion that is held.
 The role of physical analogies in the ethical debate over security issues
 has already been illustrated with the CSI's use of them to express fears of
 the anonymous nature of the threat hackers pose.  The general ease with
 which physical analogies are used and the strength of feeling behind them
 is vividly illustrated by Jerry Carlin's response to the question, ''Have
 system breakers become the 'whipping boys' for general commercial
 irresponsibility with regard to data security?"  He replied, "It's
 fashionable to blame the victim for the crime but if someone is raped it is
 not OK to blame that person for not doing a better job in fending off the
 attack!" (Carlin: e-mail interview)  Sherizen was one of the few
 interviewees to refrain from using analogies in his discussion of hacking,
 contending that:

Usually, arguing by analogy is a very weak argument.  When it comes to
 discussing the law, non-lawyers often try to approach arguments this way.
 I don't think that we can go very far to determine appropriate behaviours
 if we rely upon analogies.  What we need to develop are some social
 definitions of acceptable behaviour and then to structure "old law for new
 technologies."  The physical analogies may help to score points in a debate
 but they are not helpful here at all (Sherizen e-mail interview).

 The grey and indeterminate ethical quality of computing makes it difficult
 to establish such a code of 'acceptable behaviour', and it is in an attempt
 to do so that physical analogies are used.  Goldstein (editor of Hacking
 magazine 'Phrack') explores the ethical implications of hacking by
 questioning the use of an analogy that likens hacking to trespass:

Some will say ... 'accessing a computer is far more sensitive than walking
 into an unlocked office building.'  If that is the case, why is it still so
 easy to do?  If it's possible for somebody to easily gain unauthorised
 access to a computer that has information about me, I would like to know
 about it.  But somehow I don't think the company or agency running the
 system would tell me that they have gaping security holes.  Hackers, on the
 other hand, are very open about what they discover which is why large
 corporations hate them so much (Goldstein 1993).

 The moral debate about hacking makes frequent use of such physical
 analogies of 'theft' and 'trespass'.  The choice of the physical analogy
 reflecting the initial ethical position of the discussant and will be
 biased towards the point that the discussant is attempting to establish,
 and hence certain emotive images such as rape and burglary are repeatedly
 used.





(i) Property issues

 Members of the CSI tend to emphasise the authorisation and access rights
 criteria relating to information.  Such criteria are held to be fundamental
 to an ethical outlook on computing issues because of they stem from the
 basic belief that information and computer systems are the sole property of
 their owners, in the same way that property rights exist in material
 objects.  Physical analogies become a means to restrict the computer
 security debate: "to questions about privacy, property, possessive
 individualism, and at best, the excesses of state surveillance, while it
 closes off any examination of the activities of the corporate owners and
 institutional sponsors of information technology (the most prized 'target'
 of most hackers)." (Ross 1990: 83).  This is a rather partisan
 interpretation of the role analogies play in the socially shaping boundary
 formation occurring within computing.  A less controversial assessment,
 would be that in contrast to the CU, the CSI emphasises the property rights
 of system owners with its use of analogies  that are often dramatic and
 vivid: "As far as the raison d'=88tre for attackers, it is no more a valid
 justification to attack systems because they are vulnerable than it is
 valid to beat up babies because they can't defend themselves.  If you are
 going to demonstrate a weakness, you must do it with the permission of the
 systems administrators and with a great deal of care" (Cohen: e-mail
 interview).
 The difficulty faced with analogies that seek to emphasise the way in which
 hacking tends to transgress property rights, centres upon what we have
 already seen as the increasingly immaterial aspects of information and
 which is also shown in Chapter 7 to create various problems for drafting
 effective computer misuse legislation: "copyability is INHERENT in
 electronic media.  You can xerox a book but not very well and you don't get
 a nice binding and cover.  Electronic media, video tape, computer discs
 etc., do not have this limitation.  Since the ability to copy is within the
 nature of the media, it seems silly to try to prevent it" (Mercury: e-mail
 interview).  Software copying is an example of how duplication within
 computing  is inherently more easy than with physical commodities:
 copyability is intrinsic to the medium itself.  For example, Maelstrom
 contends that he: "can't remember a single analogy that works.  Theft is
 taking something else that belongs to someone without his/her permission.
 When you pirate you don't steal, you copy" (Maelstrom: e-mail interview).
 Similarly, in the case of cracking:

In absolutely no case can the physical analogies of 'theft' and
 'trespassing' be applied in the matter of computer system 'cracking'.
 Computers are a reservoir for information expressed in bits of zeroes and
 ones.  Homes and property have things far more intrinsically valuable to
 harbour.  Information protected properly whilst residing on a system is not
 at issue for 'theft'.  Encryption should have been a standard feature to
 begin with and truly confidential information should not be accessible in
 any manner via a remote means (Tester: e-mail interview).


(ii) Analogies - breaking and entering

 In order to emphasise the potential harm threatened to systems by anonymous
 intruders the physical analogies used tend to concentrate upon the fear and
 sense of violation that tend to accompany burglaries.  The dispute between
 the CSI and the CU as to whether it is ethical to break into systems is
 most often conducted with reference to the analogy of breaking and entering
 into a building.  Because of the divergence between the real world and
 cyberspace, however, even such a simple analogy is open to varying
 interpretations:  "My analogy is walking into an office building, asking a
 secretary which way it is to the records room, and making some Xerox copies
 of them.  Far different than breaking and entering someone's home" (Cohen:
 e-mail interview).
  Cosell presents the following scenario with which he attempts to frame the
 ethical issues surrounding hacking:

Consider: it is the middle of summer and you happen to be climbing in the
 mountains and see a pack of teenagers roaming around an
 abandoned-until-snow ski resort.  There is no question of physical harm to
 a person, since there will be no people around for months.  They are
 methodically searching EVERY truck, building, outbuilding, shed etc.,
 trying EVERY window, trying to pick EVERY lock.  When they find something
 they can open, they wander into it, and emerge a while later.  From your
 vantage point, you can see no actual evidence of any theft or vandalism,
 but then you can't actually see what they're doing while they're inside
 whatever-it-is (Cosell: CuD 3:12 April 1991).

 From this scenario, various questions arise, such as: do you call the
 Police? what would the intruders be charged with?  and would your response
 be different if you were the owner of the resort?  Someone more sympathetic
 to the hacker point of view illustrated the fundamentally different way in
 which the two groups, CSI and CU, conceptualise the ethical issues and the
 corresponding use of physical analogies.  He responded that:

Of course you should call the cops.  Unless they are authorised to be on the
 property, (by the owner) they are trespassing, and in the case of picking
 locks, breaking and entering.  However, you're trying to equate breaking
 into a ski resort with breaking into a computer system.  The difference
 being: 99 times out of 100, the people breaking into a computer system only
 want to learn, have forgotten a password, etc. ... 99 times out of 100, the
 people breaking into the ski resort are out for free shit (Rob Heins CuD
 3:13).

 The CU accuse the CSI of preferring to use physical analogies in order to
 marginalise a group, rather than make use of their information for
 improving the security of systems:

When you refer to hacking as 'burglary and theft' ... it becomes easy to
 think of these people as hardened criminals.  But it's just not the case.
 I don't know any burglars or thieves, yet I hang out with an awful lot of
 hackers.  It serves a definite purpose to blur the distinction, just as
 pro-democracy demonstrators are referred to as rioters by nervous political
 leaders.  Those who have staked a claim in the industry fear that the
 hackers will reveal vulnerabilities in their systems that they would just
 as soon forget about (Emmanuel Goldstein: CuD 1:13).

  This is one explanation of why, if physical analogies are inevitably only
 crude analytical approximations and rhetorical devices with which to
 conceptualise computing issues, they are frequently used by the CSI in
 their discourse.  Johnson argues in response to the claim that hackers
 serve a useful purpose by pointing out security faults that:

If a policeman walks down the street testing doors to see if they are
 locked, that's within his 'charter'- both ethically and legally.  If one is
 open, he is within the same 'charter' to investigate - to see if someone
 else is trespassing.  However, it's not in his 'charter' to go inside and
 snoop through my personal belongings, nor to hunt for illegal materials
 such as firearms or drugs ... If I come home and find the policeman in my
 house, I can pretty well assume he's doing me a favour because he found my
 door unlocked.  However, if a self-appointed 'neighbourhood watch' monitor
 decides to walk down the street checking doorknobs, he's probably
 overstepped his 'charter'.  If he finds my door unlocked and enters the
 house, he's trespassing ... Life is complicated enough without
 self-appointed watchdogs and messiahs trying to 'make my life safe (Bob
 Johnson: e-mail interview).

 Thus, hackers are seen to have no 'charter' which justifies their
 incursions into other peoples' systems, such incursions being labelled as
 trespass.  Even comparisons to trespass, however, tend to be too limited
 for those wishing to identify and label hacking as an immoral act.
 Trespass is a civil and not a criminal offence.  Onderwater, makes this
 distinction with his particular use of analogies:  "Trespassing means in
 Holland if somebody leaves the door open and the guy goes in, stands in the
 living room, crosses his arms and doesn't do anything."  In contrast,
 hacking involves the active overcoming of any security measures put before
 hackers, Onderwater sees it as more analagous to the situation whereby:

you find somebody in your house and he is looking through your clothes in
 your sleeping room, and you say 'what are you doing?' and he says 'well, I
 was walking at the back of the garden and I saw that if I could get onto
 the shed of your neighbour, there was a possibility to get onto the gutter,
 and could get to your bathroom window, get it open, that was a mistake from
 you, so I'd like to warn you ... You wouldn't see that as trespassing, you
 would see that as breaking and entering, which it is and I think it's the
 same with hacking (Onderwater: Hague interview).


(iii) Rejection of breaking and entering analogies - hackers use of
  physical analogies: chess vs breaking and entering

 Gongrijp's description of the motives lying behind hacking was typical of
 the hackers I met.  He concentrated on the intellectual stimulation it
 affords as opposed to any desire just to trespass onto computer systems .
 He emphasised the chess-like qualities of computer security, and was at
 pains to reject any analogies that might compare hacking to physical
 breaking and entering.   Gongrijp contended that:

Computer security is like a chess-game, and all these people that say
 breaking into my computer systems is like breaking into my house:
 bull-shit, because securing your house is a very simple thing, you just put
 locks on the doors and bars on the windows and then only brute force can
 get into your house, like smashing a window.  But a computer has a hundred
 thousand intricate ways to get in, and it's a chess game with the people
 that secure a computer... it's their job to make the new release of their
 Unix system more secure, and it's the job of the hackers to break in
 (Gongrijp: Amsterdam interview).

 Goggans turns the burglar analogy on its head when he argues that:

People just can't seem to grasp the fact that a group of 20 year old kids
 just might know a little more than they do, and rather than make good use
 of us, they would rather just lock us away and keep on letting things pass
 them by ... you can't stop burglars from robbing you when you leave the
 doors open, but lock up the people who can close them for you, another
 burglar will just walk right in (Goggans 1990).

 The implication of these combined views, is that the analogy comparing
 hacking with burglary fails because the real world barriers employed to
 deter burglars are not used in the virtual world of computing.  Such
 preventative measures are either not used at all, or are of a qualitatively
 different kind to the 'doors' and 'locks' that can be used in computing.
 Such barriers can be overcome by technologically knowledgeable young
 people, without violence or physical force of any kind.  The overcoming of
 such barriers, has a non-violent and intellectual quality that is not
 apparent in more conventional forms of burglary, and which therefore throws
 into question the whole suitability of such analogies.

(iv)  Problems of using physical analogies as explanatory tools

 The following excerpt is a newspaper editorial response to the acquittal of
 Paul Bedworth case.  It compares computer addiction to a physical addiction
 for drugs:

This must surely be a perverse verdict ... Far from being unusual in staying
 up half the night, Mr Bedworth was just doing what his fellows have done
 for years.  Scores of universities and private companies could each produce
 a dozen software nerds as dedicated as he ... Few juries in drug cases look
 so indulgently on the mixture of youth and addiction (Ind 18.3.93:
 editorial p. 25).

 This editorial emphasises how such analogies are utilised in an attempt to
 formulate ethical responses to an activity of ambiguous ethical content.
 As Goldstein pointed out, it becomes easier to attribute malign intent, if
 using such analogies succeeds in making a convincing comparison between
 hacking and an activity the public are more readily inclined to construe as
 a malicious activity.  The adaptability of this technique is shown by the
 way the editorial continues to utilise a physical analogy in order to
 elicit critical responses, this time against the victims of the previously
 maligned hacker: "Leaving those passwords unchanged is like leaving the
 chief executive's filing cabinet un-locked.  Organisations that do so can
 expect little public sympathy when their innermost secrets are brought into
 public view."
 The main reason why physical analogies tend not to succeed in any attempted
 project of stigmatisation/'ethicalisation' of hacking events is the
 difficulty of convincing people that events that transpire in virtual
 reality are in fact comparable and equivalent to criminal acts in the
 physical world.  We have seen for example the weaknesses of breaking and
 entering analogies.  They flounder upon the fact that hacking intrusions do
 not contain the same threats of transgression of personal physical space
 and therefore a direct and actual physical threat to an individual.  With
 the complete absence of such a threat, hacking activity will primarily
 remain viewed as an intellectual exercise and show of bravado rather than a
 criminal act, even if, on occasion, direct physical harm may be an indirect
 result of the technical interference caused by hacking.
 Thus the use of analogies is fraught with problems of equivalence.  Whilst
 they may be useful as a rough comparison between the real and virtual
 worlds, the innate but sometimes subtle, practical and ethical differences
 between the two worlds mean that analogies cannot be relied upon as a
 complete explanatory tool in seeking to understand the practical and
 ethical implications of computing:

They simply don't map well and can create models which are subtly and
 profoundly misleading.  For example, when we think of theft in the physical
 world, we are thinking of an act in which I might achieve possession of an
 object only by removing it from yours.  If I steal your horse, you can't
 ride.  With information, I can copy your software or data and leave the
 copy in your possession entirely unaltered (Barlow: e-mail interview).

 Information processed by computers is such that previous concepts of
 scarcity break down when correspondence is sought between the real and
 virtual worlds.  It is not just conceptions of scarcity that are affected,
 however,  the extent to which information correlates with the real world is
 questionable at the most fundamental levels:

Physical (and biological) analogies often are misleading as they appeal to
 an understanding from an area in which different laws hold.  Informatics
 has often mislead naive people by choosing terms such as 'intelligent' or
 'virus' though IT systems may not be compared to the human brain ... Many
 users (and even 'experts') think of a password as a 'key' despite the fact
 that you can easily 'guess' the password while it is difficult to do the
 equivalent for a key (Brunnstein: e-mail interview).

 Physical analogies are inevitably flawed in the respect  that they can only
 ever be used as an approximation of what occurs in 'cyberspace' in order to
 relate it to the everyday physical world.  Thus they attempt to evaluate
 and understand computing activities using a more natural and comfortable
 frame of reference.  Hence the language is often used by the CSI to
 describe computer attacks, and a security breach of the academic network
 with the acronym JANET, was referred to as the 'rape of JANET'.  Spafford
 admitted to having one of his systems hacked into at least three times, he
 argued that he: "didn't learn anything in particular that I didn't know
 before.  I felt quite violated by the whole thing, and did not view
 anything positive from it."(Spafford US interview [Emphasis mine]).  The CU
 stresses the differences between the virtual and real worlds and contends
 that the use of physical language in such a situation is not warranted.
 For example, despite such use of the language of physicality, it is
 difficult to conceive of a computer intrusion that could be as traumatising
 as the actual bodily violation of a rape.  A second, diametrically opposed,
 reason for questioning the validity of physical analogies would be that
 instead of overstating situations within computing, analogies used to
 describe a computer intrusion actually understate the harm caused by the
 intrusion due to the generic aspects of hacking identified earlier.
 In John Perry Barlow's "Crime and Puzzlement" recourse is made to the
 metaphors comparing hackers with cowboys from the nineteenth century USA.
 This specific comparison of hackers with cowboys illustrates some of the
 problems associated with the use of metaphors.  The basis of this metaphor
 rests upon the view of hackers as pioneers in the new field of computing,
 just as cowboys were portrayed as pioneers of the 'Wild West'.  Such a
 metaphor, in addition to the above discussion of the applicability of the
 concepts of trespass and theft to the world of computing, provides a useful
 example of both the suitability and limitations of analogies in discussions
 of hacking.  Commentators tend to 'customise' common metaphors used in the
 computer security debate, in order to derive from the metaphor the
 particular emphasis desired to further the point being argued:

Much of what we 'know' about cowboys is a mixture of myth, unsubstantiated
 glorification of 'independent he-men', Hollywood creations, and story
 elements that contain many racist and sexist perspectives.  I doubt that
 cracker/hackers are either like the mythic cowboy or the 'true' cowboy ...
 I think we should move away from the easy-but-inadequate analogy of the
 cowboy to other, more experienced-based discussions (Sherizen: e-mail
 interview).

 The tendency to use the 'easy-but-inadequate analogy' applies significantly
 to the orginator of the cowboy metaphor himself.  Thus, when I asked John
 Perry Barlow his views as to the accuracy of the metaphor, he replied:
 "Given that I was the first person to use that metaphor, you're probably
 asking the wrong guy.  Or maybe not, inasmuch as I'm now more inclined to
 view crackers as aboriginal natives rather than cowboys.  Certainly, they
 have an Indian view of property" (Barlow: e-mail interview).
 More negative responses to the comparison of hackers with cowboys came from
 the hackers themselves:

WHO is the electronic cowboy ... the electronic farmer, the electronic
 saloon keeper? ... I am not sold.  I offer no alternative, either.  I wait
 for hacking to evolve its own culture, its own stereotypes.  There was a
 T.V. show long ago, 'Have Gun Will Travel' about a gunslinger called
 'Palladin'.  The knightly metaphor ... but not one that was widely
 accepted.  Cowboys acted like cowboys, not knights, or Greeks, or cavemen.
 Hackers are hackers not cowboys (Marotta: e-mail interview).


6.7 THE PROJECT OF PROFESSIONALISATION

6.7.1 Creation of the computer security market and professional  ethos

 The creation of the 'them and us' situation forms part of the process
 whereby a professional status opposed to the hacking culture and ethic is
 established.  Examples have already been seen of the lack of cooperation
 that exists between the CSI and the CU in Chapter 5,  it gave various
 reasons for the CSI not being able to trust hackers sufficiently enough for
 cooperation to be feasible.  The antagonism that exists between the CSI and
 the CU contributes to a process of boundary formation, but there is also
 the widely-held belief that, along with legitimate reasons for
 differentiation between the two groups, there is also an element of
 manufactured difference.  Below are two examples, one from the commercial
 sector, and one from the CU, of people who believe parts of the CSI are
 involved in creating a market niche for themselves from which it then
 becomes necessary to exclude hackers:

Computer security industry' sounds like some high-priced consultants to me.
 Most of what they do could be summarised in a two-page leaflet - and its
 common sense anyway.  A consultant - particularly in the U.S. - spends
 3/4ths of his or her effort justifying the fee (Barrie Bates: e-mail
 interview).

These virus programs are about to make me sick!  In two years of heavily
 downloading from BBSs, I've yet to catch a virus from one.  Peter Norton
 should be drug to a field and shot!  McAffe too (Eric Hunt: e-mail
 interview).

 The veracity of opinions such as those above may be difficult to separate
 from their origin in the antagonism that exists between the CSI and the CU,
 but allegations that 'viral hype' has been used as a means of helping to
 create a computer security market come from security practitioners
 themselves:

It's very hard getting facts on this because the media hype is used as a
 trigger by people who are trying to sell anti-virus devices, programs,
 scanners, whatever.  This is put about very largely by companies who are
 interested in the market and they try to stimulate the market by putting
 the fear of God into people in order to sell their products, but selling
 them on the back of fear rather than constructive benefits, because most of
 the products in the industry are sold on constructive benefits.  You always
 sell the benefit first, this is selling it on the back of fear which is
 rather different, "you'd better use our products or else" (Taylor:
 Knutsford interview).

 The whole process of enforcing and furthering the proprietary attitude to
 information outlined in Chapter 3 is further strengthened by a new language
 of physicality resulting from the advent of computer viruses10.  Software
 is infected, and systems are spoken of in terms of being repeatedly
 'raped'.  Computer viruses are described in terms similar to those employed
 in discussions of the dangers of promiscuous sex.  Prophylactic safety
 measures are seen to be necessary to protect the moral majority from
 'unprotected contact' with the degeneracy of a minority group.  Ross argues
 that 'viral hysteria' has been deliberately used by the software industry
 to increase its market sales:

software vendors are now profiting from the new public distrust of program
 copies  ... the effects of the viruses have been to profitably clamp down
 on copyright delinquency, and to generate the need for entirely new
 industrial production of viral suppressors to contain the fallout.  In this
 respect it is hard to see how viruses could hardly, in the long run, have
 benefited industry producers more (Ross 1990: 80).

 In addition to the practical benefits the CSI has derived from the concerns
 associated with viruses, the threat they pose to systems' security has been
 used to reinforce ideological opposition to hackers and their
 anti-proprietary attitudes:

Virus-conscious fear and loathing have clearly fed into the paranoid climate
 of privatization that increasingly defines social identities in the new
 post-Fordist order.  The result -- a psycho-social closing of the ranks
 around fortified private spheres -- runs directly counter to the ethic that
 we might think of as residing at the architectural heart of information
 technology.  In its basic assembly structure, information technology is a
 technology is a technology of processing, copying, replication, and
 simulation, and therefore does not recognise the concept of private
 information property (Ross 1990: 80).

 The boundary formation exercise necessitates the exclusion of hackers from
 influence within computing, whilst, at the same time, developing a
 consistent ethical value system for 'legitimate' security professionals.
 An example of boundary formation in action is the advent of computer
 viruses and worms and the particular case of Robert Morris and the Internet
 Worm.  Cornell University published an official report into the Internet
 Worm incident, concluding that one of the causes of the act was Morris'
 lack of ethical awareness.  The report censures the ambivalent ethical
 atmosphere of Harvard, Morris' alma mater, where he failed to develop in a
 computing context a clear ethical sense of right and wrong.  Most
 significantly, the judgement made upon the Morris case was full of implicit
 assumptions that betrayed a boundary forming process in the way it stressed
 the need for professional ethics in opposition to those of hackers.
 Dougan and Gieryn (1988), sum up the boundary-forming aspects of responses
 to the Internet Worm in their analysis of the e-mail debate that occurred
 shortly after the incident.  The computer community is characterised as
 falling into two schools of thought with regard to their response to the
 event.  The first group is described as being organised around a principle
 of 'mechanic solidarity, the second, one of 'organic solidarity'.  The
 mechanic solidarity group's binding principle is the emphasis they place
 upon the ethical aspect of the Morris case, his actions are seen as
 unequivocally wrong and the lesson to be learnt in order to prevent future
 possible incidents is that a professional code of ethics needs to be
 promulgated.  These viewpoints have been illustrated in this study's
 depiction of the hawkish response to hacking.  The second group advocates a
 policy more consistent with the dovish element of the CSI and those hackers
 that argue their expertise could be more effectively utilised.  They
 criticise the first group for failing to prevent 'an accident waiting to
 happen'  and expecting that the teaching of computing ethics will solve
 what they perceive as an essentially technical problem.  The likelihood of
 eliminating the problem with the propagation of a suitable code of
 professional ethics seems to them remote:

I would like to remind everyone that the real bad guys do not share our
 ethics and are thus not bound by them.  We should make it as difficult as
 possible -- (while preserving an environment conducive to research)  for
 this to happen again.  The worm opened some eyes.  Let's not close them
 again by saying 'Gentlemen don't release worms' (Dougan and Gieryn 1988:
 12).

 The hacker Craig Neidorf known as 'Knight Lightning', in his  report on a
 CSI conference, underlines the theory that the debate over hacking centres
 upon a project of professionalisation, with the argument that what mostly
 distinguishes the two groups is the form, rather than content of the
 knowledge they seek to utilise:

Zenner and Denning11 alike discussed the nature of Phrack's12 articles.
 They found that the articles appearing in Phrack contained the same types
 of material found publicly in other computer and security magazines, but
 with one significant difference.  The tone of the articles.   An article
 named 'How to Hack Unix' in Phrack usually contained very similar
 information to an article you might see in Communications of the ACM only
 to be named 'Securing Unix Systems'. (Craig Neidorf: CuD 2.07).

 The implication is that hackers' security knowledge is not sought due to
 reasons other than its lack of technical value; instead the CSI fails to
 utilise such knowledge more fully because it interferes with their
 boundary-forming project that centres upon attempting to define the
 difference between a hacker and a 'computer professional':

Ironically, these hackers are perhaps driven by the same need to explore, to
 test technical limits that motivates computer professionals; they decompose
 problems, develop an understanding of them and then overcome them.  But
 apparently not all hackers recognise the difference between penetrating the
 technical secrets of their own computer and penetrating a network of
 computers that belong to others.  And therein lies a key distinction
 between a computer professional and someone who knows a lot about
 computers. (Edward Parrish 1989).

 Another interesting example of the similar traits that the CSI and CU share
 in common, is the case of Clifford Stoll's investigation of an intrusion
 into the Berkeley University computer laboratories, which he subsequently
 wrote up in the form of a best-selling book, The Cuckoo's Egg.  Thomas
 points out that:

Any computer undergrounder can identify with and appreciate Stoll's
 obsession and patience in attempting to trace the hacker through a maze of
 international gateways and computer systems.  But, Stoll apparently misses
 the obvious affinity he has with those he condemns.  He simply dismisses
 hackers as 'monsters' and displays virtually no recognition of the
 similarities between his own activity and those of the computer
 underground.  This is what makes Stoll's work so dangerous:  His work is an
 unreflective exercise in self-promotion, a tome that divides the sacred
 world of technocrats from the profane activities of those who would
 challenge it; Stoll stigmatises without understanding (Thomas 1990).

 What makes Stoll's behaviour even less understandable is that throughout
 the book he recounts how he himself engages in the same kind of activities
 that he criticises others for indulging in.  This fact that Stoll labels
 hackers as 'monsters' despite the fact he shares some of their qualities13
 is indicative of the boundary forming process the CSI have entered upon.
 The process also involves other groups that are involved in the de facto
 marginalisation of hackers whilst not actually being directly involved in
 computing, examples of such groups are the various government agencies and
 politicians involved in the drafting of legislation about hacking.
 Combined together, these groups have contributed towards a response to
 hacking that has been labelled a 'witch-hunt' mentality by some observers.

6.7.2 Witch-hunts and hackers

 Part of the cause of the witch-hunt mentality, that has allegedly been
 applied to hackers, is the increasing tendency within society towards the
 privatisation of consumption examined in the early chapters.  The pressures
 to commodify information can be seen as an extension of the decline of the
 public ethos in modern society which is accompanied by the search for
 scapegoats that will justify the retreat from communitarian spirit.   The
 hacker is the latest such scapegoat of modern times in a series including
 Communism, terrorism, child abductors and AIDS:

More and more of our neighbours live in armed compounds.  Alarms blare
 continuously.  Potentially happy people give their lives over to the
 corporate state as though the world were so dangerous outside its veil of
 collective immunity that they have no choice ... The perfect bogeyman for
 modern times is the Cyberpunk!  He is so smart he makes you feel even more
 stupid than you usually do.  He knows this complex country in which you're
 perpetually lost.  He understands the value of things you can't
 conceptualize long enough to cash in on.  He is the one-eyed man in the
 Country of the Blind  (Barlow 1990: 56).

 This is the root of peoples' fear of hackers and the reason why they are
 labelled as deviant within society despite the fact that, as we have seen
 above, hackers share some of the same characteristics as their CSI
 counterparts.  The simultaneous existence of shared characteristics and
 deviant status for hackers is a necessary result of the fact that:

The kinds of practices labelled deviant correspond to those values on which
 the community places its highest premium.  Materialist cultures are beset
 by theft (although that crime is meaningless in a utopian commune where all
 property is shared) ... The correspondence between kind of deviance and a
 community's salient values is no accident ... deviants and conformists both
 are shaped by the same cultural pressures -- and thus share some, if not
 all, common values -- though they may vary in their opportunities to pursue
 valued ends via legitimate means.  Deviance ... emerges exactly where it is
 most feared, in part because every community encourages some of its members
 to become Darth Vader, taking 'the force' over to the 'dark side' (Dougan
 and Gieryn 1990: 4).

 The vocalised antagonism between the CSI and CU and the exaggerated
 portrayals of the media examined in this chapter are part of the process
 whereby hackers are marginalised and defined as deviant.  In the quotation
 below Stoll is singled out to personify this process but the method he uses
 is held in common with all the other figures quoted in this chapter who
 contribute to the 'them and us' scenario by the strength of the views they
 express and the analogies they choose to express them with:

Witch hunts begin when the targets are labelled as 'other', as something
 quite different from normal people.  In Stoll's view, hackers, like
 witches, are creatures not quite like the rest of us, and his repetitious
 use of such pejorative terms as 'rats,' 'monsters,' 'vandals,' and
 'bastard' transforms the hacker into something less than human ... In a
 classic example of a degradation ritual, Stoll -- through assertion and
 hyperbole rather than reasoned argument -- has redefined the moral status
 of hackers into something menacing (Thomas 1990).

6.7.3 Closure - the evolution of attitudes

 The witch hunt process is a device to facilitate what Bijker and Law (1992)
 have analysed as closure.  The notion is usefully illustrated by examining
 the evolution of society's attitudes from the benign tolerance of the early
 MIT hackers to the present climate of anti-hacking legislation.  In
 addition to Levy's identification of three generations of hackers14,
 Landreth suggests the arrival of a fourth generation of hackers when he
 talks of a major change occurring in the CU around about the time the
 elitist hacking group he joined known as the "Inner Circle" was set up.  In
 addition to the effect of the increased dispersal of micro-computers, there
 was also the effect of the hacker movie Wargames.: "In a matter of months
 the number of self-proclaimed hackers tripled, then quadrupled.  You
 couldn't get through to any of the old bulletin boards any more - the
 telephone numbers were busy all night long.  Even worse, you could
 delicately work to gain entrance to a system, only to find dozens of
 novices blithely tromping around the files" (Landreth 1985 :18).  These
 'wannabe' hackers reflect the relative immaturity and absence of the
 original hacker ethic that characterises the latest manifestation of
 hacking.  Chris Goggans from the Legion of Doom concurs with this
 identification of a change in the basic nature of the CU environment.  In
 the early days:

People were friendly, computer users were very social.  Information was
 handed down freely, there was a true feeling of brotherhood in the
 underground.  As the years went on people became more and more anti-social.
  As it became more and more difficult to blue-box the social feeling of the
 underground began to vanish.  People began to hoard information and turn
 people in for revenge.  The underground today is not fun.  It is very power
 hungry, almost feral in its actions.  People are grouped off: you like me
 or you like him, you cannot like both ... The subculture I grew up with ,
 learned in, and contributed to, has decayed into something gross and
 twisted that I shamefully admit connection with.  Everything changes and
 everything dies, and I am certain that within ten years there will be no
 such thing as a computer underground.  I'm glad I saw it in its prime
 (Goggans: e-mail interview).

 Thus one reason for the changing nature of the computer underground is
 simply the fact that more would-be hackers arrived.  'Elite' hackers such
 as Goggans felt that this cheapened in some way the ethos and atmosphere of
 camaradarie that had previously existed within the CU.  Feelings of
 superiority which help to fuel the motivation of a hacker had become
 undermined by the advent of too many 'wanna-be' young hackers.  Sheer
 numbers alone would mean the demise of the previous emphasis hackers placed
 upon sharing knowledge and the importance of educating young hackers.  The
 idiosyncratic actions of the first generation hackers, within the isolated
 academic context of MIT, were often praised for their inventiveness.
 Similar actions in the wider modern computing community tend to be
 automatically more disruptive and liable to censure.
 The reasons for this change in attitude are inextricably linked with the
 evolution of computing as a technology.  Herschberg argues that computer
 security can be compared to the experiments of the Wright brothers, yet
 apart from such peripheral 'dovish' sentiments, the climate within the CSI
 and society as a whole is increasingly unsympathetic to the claims by
 hackers that they represent innocent intellectual explorers: closure in
 computer security has occurred.  Leichter's perception of the evolution of
 hacking is at odds with that of Herschberg.  He too uses an airplane
 analogy but prefers to emphasise that:

When the first 'airplane hackers' began working on their devices, they were
 free to do essentially as they pleased.  If they crashed and killed
 themselves well, that was too bad.  If their planes worked - so much the
 better.  After it became possible to build working airplanes , there
 followed a period in which anyone could build one and fly where he liked.
 But in the long run that became untenable ... If you want to fly today, you
 must get a license.  You must work within a whole set of regulations (Jerry
 Leichter: CuD 4.18).

 Over time, technologies develop, and as a result, people's interactions
 with that technology, even if they remain unchanged, will be viewed
 differently as society adapts to the changing technology.  An example of
 this is the changing role of system crashes.  In the earliest days of
 computing, the computers functioned by means of large glass valves, which
 after relatively short periods of use were liable to over-heat, thus
 causing a system crash.  Even if hackers were responsible for some of the
 system crashes that occurred, the fact that they were equally liable to be
 caused by other non-hacker means, led to a climate whereby hacker-induced
 crashes were accepted as a minor inconvenience even when they were
 extremely disruptive by today's standards.  This is an example, therefore,
 of the importance of taking into account the societal context of an act
 involving technology before an evaluation of its ethical content is made.

6.8 CONCLUSION

 This chapter has traced the origin of the ethical debate between the CSI
 and the CU, showing how the novel nature of some of the situations thrown
 up by computing has resulted in a process of negotiation.  This process
 takes the form of markedly different ethical responses to the novel
 situations being made and competing with each other.  The contrasting
 interests and perspectives of the two groups is highlighted by the fact
 that whilst  hackers see their activity as manifesting ethical concern over
 potential governmental and commercial abuses of privacy, the CSI prefers to
 see the activity as unethical or as evidence of a general decline in social
 values.
 There are two important elements of doubt regarding the view of the CSI.
 Firstly, the argument that hacking is intrinsically unethical is weakened
 by the fact that, as Levy documents, the same acts of hacking that are now
 criticised as immoral, were benignly tolerated in the days of the early MIT
 hackers.  Bloombecker even goes so far as to claim that what would nowadays
 be labelled a computer criminal, helped to make computing what it  is.
 Cohen also asserts, that unofficially, hackers are often used commercially
 to check the security of systems.  Secondly, the chapter has shown, that an
 increasing aspect of computing is the way in which it produces novel
 situations where there seem to be no clear-cut boundaries between right and
 wrong.  This is most noticeable in the situations produced by technology
 that are most divorced from everyday experience, typified by the notion of
 cyberspace.  Ethical uncertainty concerning hacking is also exacerbated by
 the fact that the activity is often motivated by a series of complex
 factors.  The fact that there is a keen debate, both within the CSI, and
 between the CSI and the CU, implies that any purported immorality of
 hacking is due to the social shaping of a perception that has evolved from
 the MIT  days of benign tolerance to the present atmosphere of
 criminalisation.
 An important part of this process of social shaping is the way in which
 physical analogies are used in the formation of computer ethics.  They are
 being increasingly used in professional discussions of the issues as part
 of the process of group delineation.  Where previously there were only
 blurred or indefinite computer ethics, physical analogies are now used to
 establish clearer computing mores.   The need to use physical analogies in
 the first place arises because hacking takes place in  the qualitatively
 new realm of human experience: cyberspace.  The fact that the real world
 and cyberspace are such different realms has led to a need to explain and
 make ethical judgements about hacking from a conventional frame of
 reference, that is, using analogies based upon the physical world.
  The constant use of physical analogies and metaphors in discussing the
 legal and ethical issues of hacking is thus an attempt to redefine, in a
 practical manner, the concept of informational property rights, as they are
 to be applied in the computer age.  The use of analogies is much more
 common within the CSI than it is from hackers themselves.  This is because
 the CSI have a general need to make comparisons between cyberspace and the
 real world in order to legitimate their role and to demonise the CU.
 Hackers do not have this need; their behaviour is based upon accepting
 computing as a realm of intellectual and social experimentation, and they
 find it attractive because of the very fact that it is different from the
 real world.
 In summary, there are perennial claims from each successive generation that
 the youth of the age are largely unethical, and that they are harbingers of
 a break-down in the general moral order.   Such claims are perhaps an
 inevitable part of the human condition, and its inter-generational
 relations.  This study, however,  is more concerned with the specific
 aspects of computing that give rise to  qualitatively new circumstances
 facing computer users, the ethics of which are indeterminate.  These
 situations encourage behaviour, which, to be recognised as unethical,
 assumes that an adequate and convincing comparison can be made with
 non-computing situations.  It is the difficulty of attempting to
 conceptualise the ethics of computer-induced scenarios that leads to
 attempts to translate them into a more easily understood and common-place
 experience.
 The chapter shows, however, that there is doubts as to whether 'real-world'
 ethics can be transposed in such a literal manner.  This is illustrated by
 the various examples given of the CSI's alleged double standards.  These
 examples imply that the vagueness of computing ethics is such that any
 professional code of ethics that is produced is likely to be more the
 result of one group enforcing its value system on another group, rather
 than one group having any inherently superior moral advantage in the
 ethical debate.
 The process whereby one group's value system can be imposed upon another
 has been analysed in a frame of reference that compares the increasing
 marginalisation of hackers from mainstream computer usage to the practice
 of witch-hunts.  One analysis of the gradual stigmatisation of hackers is
 that they have been part of a degradation ritual whereby a more dominant
 social group has progressively alienated them from 'normal' society in
 order to promote its professional interest.  The role of the media in this
 process has been shown by the way it projects hackers as stigmatised
 'others', thus aiding the boundary forming professionalisation process of
 the CSI.
 Particular examples of the process of group differentiation and
 professionalisation have been given, relating to the advent of viruses and
 the specific case of the Internet Worm.  The likelihood of eliminating
 threats to computer security with the propagation of a suitable code of
 professional ethics seems remote considering the extent of the CU's ethical
 disagreement with the CSI and the thrill obtained from the very fact that
 the CU is 'underground'.  Despite this, once the process of
 professionalisation has been initiated, the temptation is to proceed to
 codify the nascent but dominant group's response to computing's ethical
 dilemmas, by means of legislation.
 The subsequent closure of computing technology has occurred to such an
 extent that the hippy-like ethos of the CU looks increasingly anachronistic
 in the 1980's and 90's.  In so far as hackers have represented a force of
 anti-capitalistic information-sharing, their stance seems to have absorbed
 within the state's sponsorship of the development of computing technology.
 The second generation hard-ware hackers such as Steve Wozniak, have seen
 their 'wholesome and green' product (hence the name 'Apple') brought to the
 masses as indeed they wished, but significantly as a commodified product.
 This is perhaps a reflection of the market's ability to co-opt and absorb
 radical change.  It threatens, in the case of hackers, to undermine their
 status as a group embodying alternative values.  The new generation of
 'wanna-be' hackers, is significant because it represents more than simply
 adolescent boys intrigued by the intellectual challenge and feelings of
 power of illicit computing.  In addition, they also represent the
 increasing tendency of information to be viewed as a tradeable commodity in
 the form of 'Amiga kid'-type groups.  Their illicit blackmarket activities
 and their seemingly amoral views regarding the ethical implications of
 accessing and manipulating other peoples' information represents the
 extreme end of a spectrum which also includes the activity of 'benign'
 hackers.  It is a spectrum whose various points reflect some of the ethical
 issues that society still has to satisfactorily address regarding
 information and the implications of its changing properties.
 An example of the unsettled nature of society's response to  information is
 the doubt that still remains regarding the effects of its policy of closure
 towards hackers.  The question still arises from the above analysis of
 whether the evolution of attitudes towards the CU is in response to a
 change in its nature towards a more crime-orientated environment, or
 whether the increased tendency to perceive and portray hacking as a
 criminal and unethical activity has taken on the quality of a
 self-fulfilling prophecy, driving would-be 'pleasure hackers' into the arms
 of the criminal underground.  The implications of this latter scenario are
 examined in the next chapter.













1 Thus Eric Goggans and Robert Schifreen (as well as several other hackers
 encountered in the fieldwork) have started their own computer firms;
 Professor Herschberg has contacts with and produces interaction between
 hackers and the security industry by means of his consultancy work, and the
 authorised and unauthorised (in the case of accepting a documented hack in
 lieu of a dissertation) use of students to test systems.
2 Fear of boundary transgression is vividly portrayed in such urban legends
 as 'The Mexican Dog' and 'The Choking Doberman', c.f. Woolgar (1990).
3 Joseph Lewis Popp: he was charged in January 1990 with using a trojan
 horse hidden within a diskette to extort money from recipients whose
 systems had subsequently become infected.  The trial did not come to court,
 however, because his defence argued that he was mentally unfit to stand
 trial.  They described how he had taken to putting  hair curlers in his
 beard and wearing a cardboard box on his head in an apparent attempt to
 protect himself from radiation.
4 c.f. Appendix 1's summary of the fieldwork's statistical evidence of the
 age factor.
5 Sterling 1993: 95
6  references taken from CuD 4.11
7 As shown with the title of Paul Mungo's article: "Satanic Viruses" (c.f.
 bibliiography)
8 c.f. CuD 3:37
9 Channel 4 Television, November 1989

10  c.f Woolgar 1990.

11  The former was the defence lawyer for Craig Neidorf in the E911 trial of
 1990, Dorothy Denning being a computer scientist from Georgetown
 University, Washington, with  an academic interest in CU issues.
12 CU electronic magazine
13 Thomas' review of The Cuckoo's Egg includes numerous examples of Stoll
 indulging in such activities as borrowng other peoples' computers without
 permission and monitoring other peoples' electronic communications without
 authorisation.
14 c.f. Appendix 2 for a full account.

------------------------------

Date: Thu, 7 May 1997 22:51:01 CST
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 3--Cu Digest Header Info (unchanged since 7 May, 1997)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:: line:

     SUBSCRIBE CU-DIGEST
Send the message to:   cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

         In ITALY: ZERO! BBS: +39-11-6507540

  UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
    Web-accessible from: http://www.etext.org/CuD/CuD/
                  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
  EUROPE:         nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
                  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)


The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

------------------------------

End of Computer Underground Digest #9.59
************************************