Here’s what I was told after my interview, as they presented me with an employment contract and a check for moving expenses, when I asked what I could possibly do for the information security group of an international private detective agency.
“Have you ever heard of Packet Storm?”
“Me neither, but last week I bought it. It was a Web site that was being run for a while by a student at Harvard, a big collection of security information and tools and—”
“You mean hacking stuff?”
“Basically. As he was getting close to graduating, it came to the attention of Harvard that they’d been hosting Packet Storm and they shut the site down. He can’t afford to host it himself, so he sold it to us. He’s shipping us the hard drive. We should have it early next week. So we want to know what’s there, first. Then we need the site redesigned — it needs to look professional — and then all the tools and the scripts and the—”
“Are we talking tutorials or attack tools?”
“It’s a lot of things, I’m sure, but what’s there for certain, I’m not sure.”
“Do you know and you don’t want to say, or do you really not know and you need me to find out?”
“I’m sure I don’t know everything that’s in there.”
Mary smiled lightly.
“So you want me to index and categorize a Web site full of computer cracking scripts—”
“—of security tools—”
“And then run it, run the site. Organize everything, manage it, post new things.” She smiled more deeply, as if sharing a secret. “Because we’re not simply buying the hard drive, we’re buying the domain, and one of the most valuable things that we’re getting with that will be the email.”
It took me half a beat. “Because little kids all around the world are constantly emailing their new attacks and exploits and terrible, terrible shit to Packet Storm.”
“Right. And if we can use any advanced information we get coming up from these channels to protect our clients, all the better.”
So they wanted me to do for real, as an adult, what I’d being doing on the sly as far back as high school, collecting and distributing information that many people believed was dangerous but which, for whatever reason, I’d always felt strongly needed to be collected and shared. Or collected, at least — by me, at least.
It’s not that I would do anything with information like that, probably.
When I got to California, on my first day at work, I more formally met my boss, Phil, a Yorkshireman only a little shorter than me but about as broader again across his shoulders than I was. His hairline was a dark, receding buzz that only made his eyebrows seem more severe. He was a serious guy, as I’d find out. He smiled a lot, and he’d joke about things, but he was serious.
We’d met at the interview, though things were different this time. He smiled a little more deeply, in a way that made me feel like I was no longer an outsider. I didn’t just feel like I was talking to a serious person. I was talking to a serious person who was on my side.
“So,” he said. “Bit of a change in plans.”
He winced. “So, the guy who actually owns the Packet Storm project here internally, he’s out of town right now, but he doesn’t want anything to happen on it until he gets back. Sorry.”
“Well, apparently he’s not impressed that I’ve hired someone to run the site for him.”
“He wants to run it?”
“No. He doesn’t actually want to do any work. He’s off in the middle of fucking Africa watching the eclipse.” I’d heard about the eclipse. Four months before the end of the millennium, and everybody’s talking about the total solar eclipse.
“Wasn’t that a week ago?”
“Something. But if you go all the way to bloody Africa, you stay a while.”
“So, we’re gonna be working on something else.”
“Wait. What’s the deal with Packet Storm?”
“He’s going to run it, with his people, let them do their own thing. He won’t be around much, anyway.”
“Is…is this guy a problem for you?”
Phil shrugged. “Was. He’s a bit of competition.”
He smiled. “Just got into his machine and fucked with him a bit. Drove him mental over a couple of weeks. I thought, ‘That’s sorted.’ Now I think he suspects and he’s a bit pissed off. So he’s drawing a big line around Packet Storm. We’ll be working on something different.”
“Okay, like what?”
“A service. Something that could make money.” He paused. “I get the impression you know a bit about security tools, eh?”
I winced. “A long time ago—”
“I don’t mean a long time ago. I mean now, recently. You’ve kept your foot in it, have you?”
“Mmm,” I said.
I’d paused, many times, but I’d never truly stopped. I was never malicious, though I was that other, lighter M: mischievous. My drive toward mischief kept me reading certain mailing lists, and at least thinking sideways about how certain new bits of computerdom worked. Here’s an example.
Working my way through college, I’d gotten a job at a computer mail-order parts place. It was probably the most dangerous job of my life. In nearly every room of the joint, somewhere, was a loaded, semi-automatic weapon. The parts company — we sold memory, drives, printers, monitors — was run out of the back of a bankruptcy attorney’s office, and about every six months or so some client’s spouse, or ex-spouse, or creditor or other associate would come by and try to cause trouble. This was in downtown Austin, and nobody batted an eye. The density of weapons was simply so that our boss could most quickly, with the least amount of fuss, be able to discourage someone from making further trouble for themselves.
A woman in the office below us, a divorce attorney, was shot and killed by a client’s husband, who then killed his wife before turning the gun on himself. I was working that day, one thin floor right above them.
I disliked our boss. For such a smart guy, he was kind of dull, but he loved his toys. He let me design his magazine ads, which was how I did my first professional print work, but I had to use one of the crappy black-and-white 13″ monitors on the Macs in the sales room where I spent most days answering phones and taking orders or otherwise coping with angry customers. We had a lot of angry customers. In his office, though, he had two enormous 19″ monitors hooked up to the same computer. He had the biggest, most bad-ass machine I’d ever seen, and he used it to do really simple things with spreadsheets, and to try out all the new junk that people used to send him, to see if he wanted to sell it.
Like the Voice Navigator, the first commercial voice-control system that I ever heard about for the Mac. It was a thin black box with a thin microphone that came up at a 45° angle and ending in a puff of black foam about a foot from your mouth. You’d train it, saying, “Computer, shutdown,” three or four different ways so that it would have some slightly different samples to compare against as it sat there, constantly churning away, listening, in case you wanted it to do something for you. It sounded pretty cool, even though in practice it seldom worked at all, unless you had a really good sample.
One time, on a Saturday, he let me work on the ad on his machine. I’d already turned it into him but he wanted a bunch of changes, so I got to sit in the big leather chair while he cleaned his pistols in the other room, worried that we wouldn’t make the 3 PM FedEx deadline to get our ad in the next issue of MacWorld magazine. Every 15 minutes, his secretary would buzz me on his intercom to ask if I was finished. So when I was done, I figured out how the Voice Navigator worked, and the next time the buzz came through I recorded it, all three buzzes, really good samples, and I assigned them to the Shutdown action.
Days later, he was cursing. He didn’t know nearly as much about computers as he said he did, he just thought they were cool and wanted more than anyone else he knew. He had so much crap jacked into that Mac that it took something like five minutes to fully start up. Shutting down was as major an event, a shifting of applications, all running at the same time, which slowly tried quitting. Shutdown took so long that he never had an opportunity to associate it with the Voice Navigator. All he knew was his intercom would buzz, and he’d turn away from the computer to answer it, usually having to get on the phone after that. Once he was done with his call, he’d turn back to the Mac and it would be off. What the hell?
I caught it in action, one time. The phone buzzed and he looked away, but he kept his hand on his mouse; he’d been irritated for a good couple of days, and he was getting twitchy.
“Uh, huh,” he said over the phone. “Well, tell him he can—wait, hang on.” He squinted into his enormous monitor. “No, computer, don’t lose my changes, save the file. Okay, I’m back with you. Wait.” Under his breath, he muttered as he moved his mouse around to click buttons that were popping up in dialog boxes on screen. “Why are all these programs closing? Yes, save changes. Save changes.” Then he slammed the mouse down against his heavy wooden table so hard that the little circle holding in its rubber ball popped off and the ball that actually fed the motion data up through the mouse fell right out and rolled into the tangle of cables and floppy disks underneath his table. “Goddammit!” he screamed. “Fucking computer. Goddammit.” He remembered he was on the phone. “I’m gonna have to call you back.”
After a wholly unproductive week, he ended up erasing the entire machine, and losing a couple of months worth of data because he was afraid that any backups might also be corrupted. I’ve never heard a man curse that much or that hard in such a short period of time. He wasn’t a poet, he just had a good, workman-like approach to his cursing. I felt entirely justified, even though I hadn’t really done it on purpose. I just thought it’d be funny, especially that his problems stemmed from his inability to troubleshoot a simple problem, compounded by his poor computer hygiene — no one needed that much crap running at once. He so clearly had no idea how anything could possibly go wrong with what he’d made, so he had no idea what was going wrong. It must be some virus that no one knows about, he howled.
Also, I’d found out that he’d ripped me off for about two thousand dollars over a six month period of time, when some manufacturers were giving bonuses to salespeople on the sales of certain items. He told us that the paperwork didn’t go through, when really it had gone through — he’d simply used his own name in filling out all the forms for the five of us who worked for him. Still, I hadn’t meant for it to cause him that much grief. The second time, though — the second time I got to see him running around the office, literally pulling his thin hair out from his scalp, I meant it.
And that was just the kind of stuff you could do if you had hands-on access to someone’s computer. Early applications that connected machines to each other over the Internet were not especially well-coded, early on. As the Internet grew, more computers were connected to other computers, which meant that while more and more people could send each other email, or chat on private relays, it also meant that more and more people could attack random targets, at low cost to themselves and at a potentially high return on their effort — given a good target, or enough crappy ones.
For example, in the mid-1990s there was The Ping of Death. You could craft a couple of malformed packets of data, pop them in digital bottles and float them over to very many machines on the Internet, and when they opened them up to read them they would die. Or rather, the machine’s processing would hang, and you’d have to reboot the machine to get it to do anything again. I first ran into that on a chat client, a crappy little app which was itself vulnerable to a ping attack. If you wanted to kick someone off of a chat line, or out of some games, you could send some very innocuous traffic over the network to their address. At best, from their perspective, it would slow down their interactions, and at best, from your perspective, it would knock them offline.
Sometimes all you had to do was simply send a bunch of packets to the target faster than they could respond, again at least slowing them down but more likely crashing some service on their machine. There was a version of this called a Smurf attack. If you were on the same network as a machine, you could send out a bunch of packets which were fraudulently marked as having been sent by your victim machine, and the barrage of responses from all the hosts who thought the victim wanted something from them would crash the victim. You smurfed your target.
As people wrote more services — more name services, more mail servers, Web servers — the vulnerabilities only got more sophisticated. I could go a couple of months without paying much attention, or trying anything out, but things change so fast, and I’d have hated to have missed much, especially because I was still insatiably paranoid.
“Yeah,” I said offhandedly. “I kept my foot in it, a little bit.”
“How long you been hacking?”
“Since I was fifteen, so: half my life.”
He nodded. “Alright. You can do this. Here’s what we’re going to do.”