Hack Heaven

By Stephen Glass
The New Republic, 5.18.98

Ian Restil, a 15-year-old computer hacker who looks like an even more adolescent version of Bill Gates, is throwing a tantrum. “I want more money. I want a Miata. I want a trip to Disney World. I want X-Man comic [book] number one. I want a lifetime subscription to Playboy, and throw in Penthouse. Show me the money! Show me the money!” Over and over again, the boy, who is wearing a frayed Cal Ripken Jr. t-shirt, is shouting his demands. Across the table, executives from a California software firm called Jukt Micronics are listening–and trying ever so delicately to oblige. “Excuse me, sir,” one of the suits says, tentatively, to the pimply teenager. “Excuse me. Pardon me for interrupting you, sir. We can arrange more money for you. Then, you can buy the [comic] book, and then, when you’re of more, say, appropriate age, you can buy the car and pornographic magazines on your own.”

It’s pretty amazing that a 15-year-old could get a big-time software firm to grovel like that. What’s more amazing, though, is how Ian got Jukt’s attention–by breaking into its databases. In March, Restil–whose nom de plume is “Big Bad Bionic Boy”–used a computer at his high school library to hack into Jukt. Once he got past the company’s online security system, he posted every employee’s salary on the company’s website alongside more than a dozen pictures of naked women, each with the caption: “the big bad boy has been here baby.” After weeks of trying futilely to figure out how Ian cracked the security program, Jukt’s engineers gave up. That’s when the company came to Ian’s Bethesda, Maryland, home–to hire him.

And Ian, clever boy that he is, had been expecting them. “The principal   told   us to hire a defense lawyer fast, because Ian was in deep trouble,” says   his   mother, Jamie Restil. “Ian laughed and told us to get an agent. Our boy   was   definitely right.” Ian says he knew that Jukt would determine it was cheaper   to hire him—and pay him to fix their database–than it would be to have   engineers do it. And he knew this because the same thing had happened to   more than a dozen online friends.

Indeed, deals like Ian’s are becoming common–so common, in fact, that   hacker agents now advertise their commissions on websites. Computer Insider,   a newsletter for hackers, estimates that about 900 recreational hackers were   hired in the last four years by companies they once targeted. Ian’s agent,   whose business card is emblazoned with the slogan “super-agent to   super-nerds,” claims to represent nearly 300 of them, ages nine to 68.   A   failed basketball agent, Joe Hiert got into the industry when one of his   son’s friends, 21-year-old Ty Harris, broke into an Internet security firm   three years ago and came to him for advice. The software maker paid Harris   $1 million, a monster truck, and promised “free agency”–meaning   he can quit   and work for a competitor at any time.

Of course, a cynic might say hacker schemes look an awful lot like   protection rackets. That’s an awfully nice computer network you got there.   It’d be a shame if somebody broke into it…. Law-enforcement officials, in   particular, complain that deals between companies and their online predators   have made prosecution of online security breaches impossible. “We are   basically paralyzed right now,” explains Jim Ghort, who directs the Center   for Interstate Online Investigations, a joint police project of 18 states. “We can’t arrest or prosecute most hackers, because corporate victims are   refusing to come forward. This is a huge problem.”

In March, Nevada law-enforcement officials got so desperate they ran the   following radio advertisement: “Would you hire a shoplifter to watch the   cash register? Please don’t deal with hackers.” The state took to the   airwaves shortly after a hacker broke into a regional department store’s   computer system and instructed it to credit his Visa card about $500 per   day. According to Nevada officials, the boy racked up more than $32,000 in   credit before he was caught–but the store wouldn’t press charges. It let   him keep the money, then threw in a $1,500 shopping spree–all in exchange   for showing them how to improve their security.

Little wonder, then, that 21 states are now considering versions of   something called the Uniform Computer Security Act, which would effectively   criminalize immunity deals between hackers and companies–while imposing   stiff penalties on the corporations who make such deals. “This is just   like   prostitution,” says Julie Farthwork of the anti-hacker Computer Security   Center, which helped draft the legislation. “As a society, we don’t want   people making a career out of something that’s simply immoral.”

Not surprisingly, hackers hate the proposed legislation. They see themselves   as “freelance security investigators,” and they even have their own   group–the National Assembly of Hackers–to lobby against the new law. “Really, hackers have to put in a lot of sunk costs before they find the one   that’s broken and get paid,” says Frank Juliet, the group’s president. “So,   it’s definitely a large community service that we are doing.”

Less predictable, however, is the opposition of companies that have been   hacked. It seems they don’t like the proposed law, either, because they’re   worried they’ll be stuck with no legal way to patch holes in their security   systems. The Association of Internet-based Businesses has actually formed a   task force with the National Assembly of Hackers to lobby against the law.

It remains to be seen who will win, but, until new laws are passed, hackers   like Ian Restil will continue to enjoy a certain exalted   status–particularly among their peers. At a conference sponsored by the   National Assembly of Hackers last week, teenage hackers and graying   corporate executives flocked to Ian, patting him on the back and giving him   high-fives. “We’re so proud of him,” said Ian’s mother. “He’s   doing such   good things, and he’s so smart and kind.” At the formal dinner that   followed, the emcee explained that Ian had just signed a contract for   $81,000 in scholarship money–and a collection of rare comic books. The   audience applauded wildly. Then, Ian stood on his chair and took a bow. He   announced that he had hacked into a new company and frozen their bank   account temporarily. “And now they’re going to show me the money,” he   said,   swirling his hips and shaking his fists. “I want a Miata. I want a trip   to Disney World….”

(Copyright 1998, The New Republic)