Dissecting the ``Hacker Manifesto''

S.M. Furnell, Research Co-ordinator, Network Research Group, School of Electronic, Communication and Electrical Engineering, University of Plymouth, Plymouth, UK
P.S. Dowland, Research Student, Network Research Group, School of Electronic, Communication and Electrical Engineering, University of Plymouth, Plymouth, UK
P.W. Sanders, Visiting Professor, Network Research Group, School of Electronic, Communication and Electrical Engineering, University of Plymouth, Plymouth, UK

Keywords: Hacking, Information society

Abstract
Twelve years ago, a text was written within the hacking community which is widely referred to as the ``Hacker Manifesto''. This text, and the opinions that it offers, have since been widely embraced by the hacker community and the document is referenced from numerous sites on the Internet. This paper sets out to examine the content of the Manifesto and considers the validity of many of the messages that it imparts. The Manifesto is considered to present an undoubtedly pro-hacker message, without acknowledging other perspectives or the wider implications of the activities that it is advocating. The paper explores some of these issues, examining both the consequences of the Manifesto's dissemination and ways in which security professionals and society at large should respond. It is concluded that whilst the Manifesto obviously cannot bear the sole responsibility for promoting and encouraging hacker activity, it at best sends out an incomplete message that should be balanced with appropriate counter-argument.

Information Management & Computer Security 7/2 [1999] 69–75
© MCB University Press [ISSN 0968-5227]

Introduction

The definition of the term ``hacker'' has changed considerably over the last 30 years. In the 1960s, hackers were the dedicated software and hardware gurus, and the term largely referred to persons capable of implementing elegant/technically advanced solutions to technologically complex problems. In the 1990s, however, the name implies something rather different and is commonly used to refer to people dedicated to entering systems by identifying and exploiting security weaknesses. At the extreme are a subset (often distinguished by the term ``crackers'') who perform openly malicious actions on the systems they enter, such as deleting files, modifying data and stealing information. Such activities would be frowned on by the traditional hackers from the 1960s.

Modern-day hackers are one part of a so-called Computing Underground (Mizrach, 1997). This is something of a catch-all term, which encompasses a number of sub-groups that would generally be classed as undesirable by society at large. These include the aforementioned crackers, phreakers (who actively explore and/or control the telecommunications networks), virus writers and software pirates.

This paper considers the principles from which many hackers operate and the justifications that are often presented for their actions. Significant reference is made to the so-called ``Hacker Manifesto'', which encapsulates many of their beliefs and is widely available within the hacker community.

The Hacker Manifesto

A popular element of is a brief text entitled The Conscience of a Hacker, which is more widely known and referred to as the ``Hacker Manifesto''. This was written in 1986 by a hacker who operated under the pseudonym of ``The Mentor'' and who was a member of the notorious hacking group the (Sterling, 1992). The full text is reproduced in Figure 1.

The Manifesto is still widely accessible, some 12 years after it was originally written. Ordinarily, this could be considered no great feat for a piece of literature. However, it is possibly more significant in the context of the technology field, where the pace of change frequently renders once leading edge thoughts obsolete after a few years. In fact, the Manifesto probably has wider exposure now than it did at the time that it was written. A search on the WWW yields numerous links to sites reproducing the text. Indeed, a search for the term ``hacker'' followed by ``manifesto'' yielded more hits than a search for ``Orange Book'' followed by ``security'' (560 versus 173 hits, with both figures resulting from Infoseek searches conducted on 31 August 1998 using the terms specified). For the uninitiated, the Orange Book is the name commonly used to refer to the US Department of Defence Trusted Computer Systems Evaluation Criteria, a significant publication in the IT security field which was published at roughly the same time as the Manifesto (DOD, 1985). This crude example suggests that the hacker perspective is more widely available than specific security guidelines.

In addition, the Manifesto has found its way into other forms of media outside the WWW. For example, segments from it have been quoted in the 1995 film Hackers (MGM, 1997). Consequently, the text cannot be easily dismissed as being merely the thoughts of one person and the material is worthy of further examination.

[Figure 1: The ``Hacker Manifesto'']

Dissecting the Manifesto

When reading the text of the Manifesto, the first thing that is clear is that it is not using the term ``hacker'' in its original, 1960s sense, i.e. the system and coding gurus as described, for example, by Levy (1984). The perspective is instead that of people gaining unauthorised access to computer systems (i.e. the modern, mass media definition). That said, however, the Manifesto only presents a restricted view of a hacker – as largely a curious explorer, pursuing knowledge and/or intellectual challenge. Fundamentally, however, even unauthorised exploration of a system is equivalent to trespassing and may still result in a breach of commercial confidentiality or personal privacy. Parallels are frequently drawn between cyberspace and the physical world (e.g. discussion of concepts such as ``community'' occur in both contexts). If such comparisons are applied to notions such as property and privacy, it is clear that the incursions that some hackers would argue to be acceptable online would not be so easily justified in the real-world equivalent. For example, we could draw a parallel between an individual's Web site and his/her home, or between a company's site and its high-street office or showroom. The would state that unauthorised entry into the system running such a WWW server would be acceptable as long as no damage is done. However, no one would be likely to be very tolerant of an intruder offering such excuses if found exploring in their home or office. Regardless of whether you agree with its sentiments, the views laid out in the Manifesto contradict the law in many countries. It would, for example, breach the section of the UK Computer Misuse Act relating to ``Unauthorised access to computer programs and data'' (HMSO, 1990).

The defence that a hacker may not set out intentionally to damage a system is actually a convenient over-simplification of the issue. Actions may have an unintentional/indirect impact that is not foreseen by the hacker. Many do not know in advance the nature of the systems that they are trying to penetrate or the tasks that they are performing (indeed, part of the challenge may be to find out). However, in a worst-case scenario, the mere presence of a hacker could result in undesirable consequences (e.g. degradation of system performance such that essential operations are not completed quickly enough – which could be potentially fatal in a real-time, safety critical system).

The Manifesto also overlooks the fact that some systems/information may be protected from the general populace for good reason. There is a strong argument, for example, that military systems should incorporate sufficient security in order to prevent casual users from being able to browse or modify their contents. If everyone were to be allowed unrestricted access, then this would implicitly include potentially undesirable or dangerous groups, such as terrorist organisations. Therefore, if society were to insist that all IT systems should be totally open, organisations such as the military would effectively be prevented from putting a great deal of their information online for fear of the potential consequences. Military- and defence-related sites, such as the US Air Force and the Pentagon, have actually proven to be an attractive target to hackers, with numerous incidents reported in the general media (Ungoed-Thomas, 1998). A standard defence in such cases is often simple curiosity rather than some more sinister purpose. However, the sharing of knowledge is one of the underlying principles of the hacker community and, therefore, even if the hacker effecting the break-in chooses not to use the information irresponsibly, others who gain access through him/her may not be so reliable.

Moving on from the debate about simple exploration, a substantial body of evidence is available to prove that various other motivations frequently prevail. Examples include financial gain, espionage, malice/revenge or general mischief. Therefore, even if the ``harmless exploration'' proposition is accepted as one potential motivation, security is still required to ensure protection against these other cases.

Another motivation stated in the Manifesto is to enable the free use of services that would be ``dirt cheap'' were they not run by ``profiteering gluttons''. The main parties referred to here are telecommunications service operators, who provide the basic infrastructure through which hackers (and other users) are able to connect to remote systems. The observation that services could be cheaper may well be valid in some cases, especially where a key player is able to exploit a monopoly position. However, over time, market forces (primarily the emergence of competition) or legislation often redress the balance and result in charges being reduced to a more realistic level. By contrast, the activities of hackers are more likely to provoke a response solely in respect of the breach of security. As an aside, it may be observed that in the meantime, the hackers/phreakers are paying nothing for the service. Therefore, even if it eventually was to become ``dirt cheap'', it is debatable whether many would be willing to depart from this desirable situation (their moral justification for not paying could then maybe switch to ``We have the skills to avoid paying, so why should we need to?'').

The Manifesto frequently repeats the phrase ``They're all alike''. However, evidence suggests that this is far from the case – from the perspective of both their motivations and intellectual capabilities. For example, throughout the text there is an implicit assertion of intellectual superiority on the part of the hacker and of being misunderstood and generally failed by society on this basis. While many hackers are undoubtedly intellectually gifted, competent problem solvers and lateral thinkers, this categorisation cannot be applied across the board. Furthermore, choosing to be a hacker does not automatically endow you with these characteristics. Many hackers succeed through sheer persistence, determination and, in many cases, an exceptionally high boredom threshold. A successful hack is often the result of doggedly attempting to apply the same technique to multiple systems until a weakness is found. Furthermore, unwitting assistance is often provided by system administrators, who have left their systems vulnerable to attack through inadequate attention to, or understanding of, security. Such circumstances are apparent in most of the hacker ``case studies'' that have been documented in the popular media (Stoll, 1989; Freedman and Mann, 1997).

The last paragraph includes the statement that ``you can't stop us all''. Depending on one's interpretation, this has a rather menacing undertone and does not offer much reassurance that subscribers to the Manifesto represent a benign community. Based purely on the text of the Manifesto, this particular inference may be seen as overstating the case and it could be argued that the Mentor intended a less threatening interpretation to be made. However, a further observation can be added which perhaps adds weight to the first proposition. Web sites that reproduce or link to the Manifesto frequently include links to other related materials as well. It has been observed by the authors that another text that sometimes shares ``link space'' with the Manifesto is the Terrorist's Handbook (n.d.). On this basis, it can be inferred that the two texts are considered to be of interest to a similar audience (at the very least, they both interest the creators of the various Web sites on which they appear together). Such an association does not help the image of the hacker community, but it is nevertheless an interpretation that is open to be made by the casual Web surfer.

Returning again to consider the Manifesto in isolation, it can be observed that it does offer some very positive views (e.g. advocating anti-racism and anti-war messages). However, you do not have to be a hacker in order to adopt these beliefs. Furthermore, the aforementioned assertion of intellectual superiority represents an attitude which itself could create a prejudicial society of a different type. Additionally, what the text plainly does not advocate is an anti-crime viewpoint. It is interesting to note that the seventh paragraph accuses society of cheating and lying, with the implicit interpretation to be made that such activities are incompatible with the hacker ethos. This, of course, tends to ignore the fact that many of the methods used by hackers to gain unauthorised access to systems, or their activities once having done so, would not be considered by most people to be fair and honest (e.g. deceiving people into parting with passwords via social engineering; planting programs to enable data gathering or provide a ).

Nowhere in the text does it make a statement about where to draw the line or where even hacker activity would be considered to be going too far. This has certainly been addressed/recognised in other hacker-originated material which, whilst emphasising themes such as free access to information, also advocates more responsible attitudes such as not inflicting intentional damage on systems and not operating for personal financial gain. However, the promotion of such values does not always accompany the Manifesto and, therefore, many people will not receive the complete message.

Consequences of the Manifesto

The Manifesto cannot be criticised from the perspective of some of the general sentiments that it expresses – there are undoubtedly many parties who genuinely hold these beliefs (e.g. the Mentor). However, the problem is that the general dissemination of the text serves to invite and excuse a wider population. For example, it excuses people whose activities are conducted with complete disregard for their impact on other individuals (e.g. breaching personal privacy or causing financial loss), by enabling them to convince themselves that their actions are compatible with the manifesto or a wider counterculture.

Despite hackers' motivations and justifications, their activities are not welcomed by society at large and their endeavours can be seen to cause measurable damage to organisations and individuals. For example, in the UK, the national Audit Commission conducts regular surveys into the levels of computer crime and abuse observed in various sectors (including, amongst others, health care, local government, manufacturing, financial institutions and retailing). The most recent results (Audit Commission, 1998) show that hacking accounts for around 11 per cent of reported incidents, from a total of 510 incidents reported in 870 survey responses. These incidents were considered to have cost a total of £360,860 to the organisations involved. As an aside, the figures for both incidents and cost are more than doubled if other categories of malicious abuse, such as viruses, are also considered. The hacking incidents occurred across a variety of domains, with local government, health care and education representing the organisations most affected. One thing that is clear from this is that hacker activity affects more than just the aforementioned ``profiteering gluttons''. Indeed, domains such as health care often have difficulty in ensuring sufficient funding to satisfy demand for provision of their core services and can consequently do without the need to divert money and resources away from these to overcome security breaches.

Another basic problem that we perceive with the Manifesto is that it can create a negative impact of the implications arising from information technology when, at the same time, we are living in a society in which our dependency on IT is only increasing. Furthermore, there are numerous additional opportunities that are being offered by IT that have the potential to improve or simplify our existing practices. An example of this is the area of electronic commerce (or e-commerce). This represents a significant area of interest within the industry at the time of writing and various opportunities have been identified. However, there are still a number of barriers (both practical and conceptual) that must be overcome before e-commerce will be widely embraced by mainstream business or private individuals and two of the greatest concerns are security and privacy (Ratnasingham, 1998). This can be illustrated using the example of credit card purchases, a form of commerce that is one of the most easily migratable to the online context, but also one where a great deal of concern over security has been expressed (Partridge, 1997). Now, in actual fact, the use of credit cards over the Internet may be no less secure than the uses to which they are put in other scenarios. Most of us think nothing of providing credit card details over the telephone or handing over the card itself to strangers serving us in shops or restaurants. However, all of these activities expose our accounts to risk and, indeed, fraud and abuse are known to occur (Hill, 1998). Nevertheless, the Internet is still perceived to be much less secure, and a likely reason for this is the public perception of hacker activity resulting from the level of exposure that it has been given in the mass media.

Indirectly, however, it could also be claimed that hacking activity, and the fear it engenders (well founded or not), does deliver some benefits. Using the credit card example again, it can be observed that concern over security has led to the development of the secure electronic transaction (SET) standard, for secure credit card transactions over the Internet (SETCo, 1997). The ultimate adoption of such technologies should mean that Internet commerce will actually be more secure than current practices.

Another area in which it may be argued that hackers are providing a service is when their activities are conducted in the context of ``penetration testing'', authorised by the owners of a system in order to test its security. In this form of ``ethical'' hacking, the work is often carried out by ``tiger teams'' who break into systems and then explain to the systems operator how the hack was achieved and, where appropriate, the means by which the security hole can be ``plugged''. These services are considered to be attractive by numerous organisations and it has even been speculated that the US Department of Justice has looked to recruit hackers in order to conduct penetration tests on its networks (SECURE Computing, 1998). However, it is difficult to argue that this represents a genuinely positive contribution by hackers – if they did not exist at all, the penetration testing service would not be needed either.

Responding to the Manifesto

All of the above discussion leads to the obvious question of what can be done? The authors' view is that we cannot, and should not, try to prevent the Manifesto's dissemination. This would simply represent censorship, which would contradict not only any notion of a ``hacker ethic'', but also more widely held public beliefs regarding freedom of information and individual choice. A more rational way to respond is by making the alternative point of view equally visible, without presenting it in such a heavy-handed manner as to imply ``Big Brother'' overtones. In short, there is a need to present a positive view of the information society, emphasising the need for trust and co-operation. Without this, development and progress will be stifled.

There are also a number of wider aspects to which consideration should be given. The first is in relation to the way that hackers are portrayed in the media and the resultant influence that this has on public perception. Hacking is regarded by many as a glamorous occupation. The idea of an underground movement of amateur ``criminals'' breaking into computer networks, reading secret files and removing all traces of their presence may have a certain appeal. The media frequently portrays hackers in a different light to those who commit obviously malicious crimes. For example, the 1983 film Wargames, in which the hacker is portrayed as a hero despite the potentially disastrous consequences of his actions. If the media is to adopt this stance, then there is rather less of a basis for future condemnation in cases where hacking activity causes damage of some kind.

It was observed earlier that the Manifesto includes a strong thread of intellectual superiority and, indeed, in respect of the school system, includes the following quote: ``I'm smarter than the other kids, this crap they teach us bores me?''. This is a potentially significant point in the sense that society has a general tendency to normalise people (preferring to recognise similarities rather than differences) and those falling outside the societal norms are often difficult to accommodate. Educational systems are often a good example of this, generally focusing on meeting the needs of the ``normal'' children, with the result that those with abilities significantly above or below the average sometimes receive inappropriate or insufficient support. If individuals feel disenfranchised by society, then it is not entirely surprising that they choose not to accept/respect the societal norms. Unfortunately, this point is far easier to recognise than it is to resolve.

Perhaps the most appropriate response is in terms of awareness. This may be considered from two perspectives. First, is ensuring awareness of the Manifesto to people outside the hacker community – not in the sense of encouraging them to adopt it, but to highlight the point that there are people who have. More important, however, is to ensure an awareness of the need for IT security and the appropriate ways of protecting a system. Significant resources are available in this respect (e.g. in terms of documentation, software and specialist services to assist with implementation), but there are still many systems in which security is overlooked or assigned a low priority. Unlike the issues of changing media and educational attitudes, these objectives are achievable at the organisational level, putting them within the reach of senior management to address. Whilst having to protect a system against hackers would not be necessary in an ideal world, it is one of the many realities of our IT-oriented society and is better faced than ignored.

Conclusions

This paper does not intend to imply that the Hacker Manifesto should bear the sole responsibility for promoting and endorsing hacker activity. Hacking occurred before the text was written and has developed in probably unforeseen ways since. Furthermore, there have been other, higher profile, contributions that have also presented hacking/the hacker in a positive light. However, the fact that the material suggests itself as a manifesto (i.e. something for a wider population to adopt and adhere to) means that its ultimate impact may be more profound.

The paper has not considered other widespread forms of computer abuse, such as viruses. These, of course, had not really been conceived when the Manifesto was written. It is interesting to conjecture whether, if they had been, they would have received endorsement or denunciation. It is certainly the case that virus writers have subsequently justified their own actions in similar terms, viewing them as a statement against a society that they disagree with or as a simple means of electronic experimentation and self-expression (i.e. ignoring the resultant damage inflicted on others).

Much of the discussion in this paper has presented an intentionally bleak view, focusing on worst-case scenarios and outcomes in many cases. As such, it may be considered by some to be exaggerating and overstating the problems. However, the authors do not believe this to be the case and many of the sources referenced provide sufficient evidence of the points raised. Furthermore, a negative view is perhaps a necessary response to the Hacker Manifesto, which presents its perspective in a manner oblivious to many of the wider issues.

References

Audit Commission (1998), Ghost in the Machine – An Analysis of IT Fraud and Abuse, Audit Commission Publications, February, ISBN 1-86240-056-3.

DOD (1985), Trusted Computer System Evaluation Criteria, DOD Standard 5200.28-STD, December.

Freedman, D.H. and Mann, C.C. (1997), At Large: The Strange Case of the World's Biggest Internet Invasion, Simon & Schuster, New York, NY, ISBN 0-684-82464-7.

Hill, D. (1998), ``Stop card thieves taking off'', The Sunday Times, ``Money'' supplement, 19 July, p. 3.

HMSO (1990), Computer Misuse Act 1990, Her Majesty's Stationery Office, London, ISBN 0-10-541890-0.

Levy, S. (1984), Hackers: Heroes of the Computer Revolution, Anchor Press/Doubleday, Garden City, NJ.

Mizrach, S. (1997), ``Is there a hacker ethic for 90s hackers?'', http://www.infowar.com/hacker/hackzf.html-ssi

MGM (1997), ``Hackers'', homepage at http://mgmua.com/hackers/

Partridge, C. (1997), ``Credit card fraud hits the Internet'', The Times, ``Interface'' supplement, 26 November.

Ratnasingham, P. (1998), ``The importance of trust in electronic commerce'', Internet Research, Vol. 8 No. 4, pp. 313-21.

SECURE Computing (1998), ``US justice hires hackers'', SECURE Computing, September, p. 16.

SETCo. (1997), SET Secure Electronic Transaction Specification – Book 1: Business Description, Version 1.0, 31 May, http://www.setco.org/set_specifications.html

Sterling, B. (1992), The Hacker Crackdown, Penguin Books Limited, London, ISBN 0-14-017734-5.

Stoll, C. (1989), The Cuckoo's Egg, Pan Books Limited, London, ISBN 0-330-31742-3.

The Terrorist's Handbook (n.d.), available on Internet/WWW.

Ungoed-Thomas, J. (1998), ``The schoolboy spy'', The Sunday Times, ``News Review'', 29 March, pp. 1-2.
