Exclusive Interview With A Hacker: "Captain Zap"
Who is Captain Zap? The year was 1981. The Reagan administration
was in its infancy. "Elvira" was setting the Billboard charts on
fire. And a young hacker was about to become the first person
ever arrested for a computer crime.
Eighteen months earlier, Ian Murphy (a.k.a. "Captain Zap") along
with three cohorts, hacked into AT&T's computers and changed
their internal clocks. People suddenly received late-night
discounts in the afternoon, while others who waited until
midnight to use the phone were greeted with hefty bills. For
his part in the crime, Murphy was greeted with 1,000 hours
of community service and 2 1/2 years probation (considerably
less than what fellow hackers would receive today). He also
became the inspiration for the movie Sneakers.
Today Murphy, like other hackers, runs his own security company - IAM Secure Data Systems, Inc. For $5,000 a day plus expenses,
Murphy has dressed up as a phone-company employee and cracked
a bank's security system, aided a murder investigation, and
conducted studies in airline terrorism. But Murphy's great love
is still hacking into company security systems - with their
permission - and helping them guard against potential break-ins.
Here is the W2Knews Exclusive interview. Questions 1 and 2 are
in this issue, the other questions are on the W2Knews website.
W2K: 1) What prompted you in the first place to start hacking
CapZap: Hacking systems is a very broad term to underscore the
thoughts that have been part of my total life. From a very young
age, I was always a curious person. This love of technology stems
from a very early childhood where my parents made sure that my
education was of the highest caliber available in the area where
I grew up. At a very young age, toys that I was given were taken
apart to see what made them work. I also had an incredible
curiosity when any of the service personnel would come to the
house to attend to any of the problems from the televisions, to
the garbage disposals, intercom system, telephone systems, and
any other of the systems that are in the house.
I guess I would imagine that my first exposure to hacking a
system would have begun with my early fascination with the
telephone network. At that time in the early '60s, and mid-60s,
there was one telephone company in the country, and the telephone
company kept its technology secret from the general public in
general. I would say that my first hacking thoughts were with the
telephone system and the fact that I was intercepting telephone
calls of the local neighborhood girls to find out what they were
talking about. Making crude telephone sets to be able to go up
to a pole and the ability to listen on telephone calls or to make
telephone calls anywhere in the world.
Reading was a great source of pleasure and it was a lot of science
books and the like to understand things that work in the world.
In fact, long before we had the problems of Bio-Chemical warfare
and so-called terrorist attack scenarios, I was fascinated with
these systems and the manufacture of such devices and formulas.
I remember the first book that I ever read on the subject and it
was a book put out in the early 1970s called Chemical and Bio
Warfare by Seymour Hersh of the New York Times. I also was
fascinated with nuclear weapons and explosives. It opened up my
eyes to what can happen at a very early age.
But I have always been a hacker if you want to put it that way.
I prefer to call it unorthodox or guerilla research protocols
that test the limits of society, technological advances, overall
impact upon our world and the never ending thirst for finding out
just what the hell is out there. I really think that the lack of
our citizens to question technology, let alone understand how
anything works keeps most people in a provincial view of technology and stifles their mind in general. Today, we have a huge society that does not understand the working of a simple light switch that is in their homes, and have to call an electrician to change it. And then complains that it cost $150 bucks for
such a thing. Grow up and learn to hack your environment to understand what you are living in. Question everything that comes before you and don't take it for granted that it will be alright.
W2K: 2) How was IT security in those early days?
CapZap: IT Security was non-existent. It was a joke if it was
anything. Password control, access control, information control
did not exist in any real world environment. Only the military
had the real computers out there and that made it so much more
fun. In fact for all of you who need a history lesson, the
Internet was not something that just came along. This was a
network that was built for war, nuclear war and a way for the
military to converse after the big one to see if they needed
to do something else to the other side. Now one of the problems
of IT security was that no one ever had to really think about
all of this before. No technologies really were in the environment
and no one really thought that such things could occur. Computers
were large machines that people only saw on PBS or in science
fiction movies that were walls of blinking lights, and reels of
tape spinning around. No one really thought of access except
in research facilities or the like.
Access at first was a physical being, you had to get to the
systems, and telecommunications was a joke. 300 baud was
considered to be fast. It was the days of teletype and DEC
printer terminals, card readers and it was difficult in general
to just get online. The security issue had yet to raise its
head in general. Telephone switches and systems were fair game
for testing and exploration. It was very easy and guessing the
password, like guest was simple and easy. No one ever changed
the passwords because no one thought that anyone had access
to the systems except the systems' owners.
And then came the vast wake up call: war-dialers and password
hackers, simple programs that ran on the likes of Apple IIE
or a Franklin Ace 1200. These machines were nothing more than
souped-up calculators. And still we have the stupidity of the
masses being led by their noses by the likes of Microsoft and
the other of the cadre of monopolistic behavior. Such players
include the likes of Symantec, and Oracle, the loss of the
Novell's of the world and the fact that such entities are
controlling the lack of and the complete control of the security
that is now considered to be the real powerhouses of the cyber-world. And it is these guys that control so much and make sure that no one else will be able to make a buck or produce another method of security that really works, is a great shame of today's computer environment. In essence, Microsoft needs to wake up
and really release the source code of the systems that control 80-90% of the world's desktops. The real lack of security today is the simple fact that no one is allowed to look at the recipe of the broth. And without that recipe, it is going to continue to get worse.
But the reality is that the likes of Microsoft and Oracle, the
others who control the technologies that are now so fully
entrenched in our so-called information society are still causing
the failure of the security of millions due to their greed and
inability to allow others to see the magic behind the scenes. But
of course, when there was a security problem before, it was never
able to traverse the globe in a matter of hours and we did not
have the arrogance of the corporations, the malevolence of the
few cyber-punks who unleash various viruses and other crap upon
the masses due to the fact that so many are controlled by Redmond.
W2K: 3) From your perspective, what has changed in the security
posture of today's companies?
CapZap: Security was pleaded for by a number of us from the early
80's right up to today. We held back because nothing was happening
to the mainstream systems and not many systems were even connected
on a full time basis. Only the military had systems connected on a
full time basis, and that network, the Arpanet was the playground.
Today, a NIC is standard in most computers, broadband is standard
in the general population!
But we still see the various rejections of security from the
masses because they don't understand the need. Companies still
don't see the cost benefit and only respond once they have had
an incident. The ideas of security are still back-burner to many
system's owners little and big alike. Costs of over expensive
software that comes with major flaws in the security arena
offers no confidence to any consumer out there and the sheer
fact that the systems are so vulnerable to attack from any point
on the planet is a special cause for the need of security to be
addressed completely. Computer viruses are rampant and most
people today still have no idea that they have to update their
anti-virus software. And still we have the masses scurrying to
buy the latest flawed masterpiece from whomever and then have
to download updates and patches to make it work. And if the
patches do sometimes work, then you are lucky.
In addition, we have the problem that the systems are so many,
software so buggy and so many problems are so widespread, that
even if a vast number of patches are downloaded, still we have
the others who are not "fixed" and the problem comes back in
spades. We have a major problem with so many systems and owners
who are educated in so many stages of computer usage. From the
simple home user with the scourge of AOL hell to the sophisticated
user who are super techies and build their own machines from
weekend computer shows, we have such a vast cornucopia of
potential problems that it boggles the mind.
Security today is now reported as a brief news story on your
local news with stories of the Love bug, Melissa, and other such
crap happening. As of the last few days, "Bugbear" has come around
and made the local news as a warning. But still we have a vast
sea of morons who have no concept of such things. The Klez virus
continues to plague any number of us each and every day and then
we have the continued problem of Spam. Spam has become a major
problem and it has reached a point where even I can not take
control of the volume of the crap that comes to my mailboxes
each and every day.
Between the constant offers to grow my breast, my penis and
gamble, it looks like I would have a pretty good weekend
according to the mail that arrives each and every day. My
personal mailbox has made it to 150 spams a day. In these
spams that go to a website or renegade IP address, there
is the vast potential to inflict major damage to your machine
and you not even know it. Trojans and other silicon biologics
are hidden in such emails and are commonplace these days and
still we have those of you who don't see the need to be
vigilant in the cyber-arenas. Stupidity because of cost is
one of the problems that we all face.
Anti-pirate technologies are worthless and only proceed to
piss off the users. AOL was found in the mid to late 1990's
to have installed software on computers that played music
CDs without the user's permission. And the cost and the
backlash was too much to bear. But still this same trick
was tried again in the last 12 months and again, it backfired
again. And now we have the ability of the media giants to
silence the web from music anywhere on the planet because
they think that it cost them too much in lost revenue. But
in fact with all of the security apparatus being bandied
about as a cure-all of piracy and software protection, the
day it is released, there is a way to defeat it all. Microsoft
will continue to piss off the users who have multiple computers
and force them to allow Microsoft to know their machines from
the inside out. WHY?
The problems of security are vast, ever changing and will
continue to be a major pain in the ass to all of us now and in
the future. And in all of this fray we have the problems of the
users who are just plain stupid to begin with. No firewalls, you
get hacked, no anti-virus, you get sick and die, no control of
your connections, you may get a knock at the door from some very
nasty guys in bad suits and worse sunglasses with big guns.
Security is as simple as keeping your connection secure and
understanding that you can get hijacked anytime. You lock your
car, why not lock your computer.
Let's look at one thought for all of you to ponder. Now how many
of you work for a living? And for all of you that do work, you
have had to apply to some very basic and some complex employers.
How many of those employers have run your background and then
not hired you because you have a blemish on your credit record.
Now why is any employer running your credit in the first place?
Am I being hired because I pay my bills on time or because I
can do the job required on the position? And of those employers
that run your background, what happens to that information? Do
you have a right to see that information that they gathered and
do they destroy it properly? Do you destroy your information
that comes in the mail?
Now your security issues are yours alone. You are responsible
for your security posture and your total exposure to the rest
of the world. Leave your door unlocked on your car and it might
get stolen, same with your house, might get robbed, you are
taking chances each and every day with your informational
W2K: 4) How easy is it for you (in today's environment) to still
penetrate a medium size business?
CapZap: It has gotten a little bit tougher to get into systems,
but it is there and you have so many tools out on the net and so
many flaws that it becomes child's play. Scripts are rampant all
over the net and systems' owners do not take advantage of the
security tools available for free. In fact it comes with a fun
factor to really think about, it comes with an automated view. So
much that you can now just go to dinner and get back and find the
breaches in systems just waiting for you to play with.
Systems' owners have not created positions for security protection
policies because they themselves do not understand these needed
policies. And then we have the lack of understanding from the
users who will let you know anything that you need to know if you
just call them and ask. An authoritarian voice with the right
combination of buzz words and a bit of humor will get you past
anyone on the phone.
There are no real password policies in any of the small or mid-range systems out there in force. It is a very interesting mix of security and lack of knowledge. Security still costs money these days and most companies are going to cut back where there is no profit to be seen up front and in your face. And we all know that security is an expensive proposition and it is required.
But the fact is that senior management or even your boss will not
see the value of security unless it takes effect and even then
you never know if it ever really worked these days. Even with all
of the security postures fully in force, the advantage of the
cyber world is that the systems can be attacked by hackers; pros
looking to use the systems, your employees who store porn or their
baseball card collection or the latest recipes from Emeril's cooking
shows on the systems, or whoever else wants to use your systems.
You have to have a due diligence factor fully in place and in
constant force for any form of security to be effective. It is
open season on your systems out there and it is a global assault
force from anywhere on the planet that you have to face every
minute of every day.
Can you even start to figure out where the force that attacks
you is coming from? Do you have the ability to stop me from
anywhere on the planet? Can you figure out that I have figured
out that your systems are so weak minded that it is just too
easy to overrun you and seize control of your very digital life?
And the very worst point is that you go ahead and promote your
systems and people in the news and then you give me a chance
to understand more than you can ever understand. When the systems
are under attack, as it is now commonplace, it is done under a
way that most system's owners will never know. And this gives
us or me a better chance to go after you.
Now one of the problems that is growing each and every day is the
simple fact that any form of so-called law enforcement is sadly
lacking and grossly understaffed when it comes to computer related
incidents. Law enforcement is so far behind in technology and
ability, that well, it smacks of stupidity. After all, who would
sign up for a job where you can be radio dispatched to complete
and total morons who can shoot and kill you all for 35K a year if
they are lucky. People with brains do not become cops and not for
such low levels of pay to boot. In addition, too many incidents
overwhelm the law enforcement so-called professionals.
Then there is the fact that because it is a crime of economics
and due to the very nature that information security incidents
can become subjective in value and injury in the total scheme of
things, the law enforcement attitude seems to be at the 50K dollar
figure before they will even lift a finger. Think of it this way,
you report your car stolen, maybe you get a visit from the cops,
more than likely, you get an incident report number and a curt
phone call from these clowns saying that they may or may not find
it. Security for the most part is a multi-edge sword for the
companies and for the interloper. Most law enforcement persons
have no real understanding of computers in general, as do the
owners themselves. Remember that you are going to the local 14
year old who understands the complexities of the systems better
than you do. And that is the same problem that law enforcement has,
they will not invest the time, money or effort and don't have the
time money or effort available to investigate every computer
First when you go attack a system, you have the advantage to take
control and use all sorts of devious methods that range from Tech
support & social engineering to direct physical attack to just
outright banging on the IP door and breaking into the network. It
is most enjoyable to see such things happen and to then gain
access through the easiest means possible. But in the real world,
it is far easier than the security materials providers care to
really think about. Boxes put in place to so-call secure the
network still have gaping holes that allow any interloper to gain
access, but makes it easy to gain entry for a skilled professional.
In today's security environment, the advantages of a skilled
professional, be it for the betterment of the companies' information security or for the invasion of a company's database, has become so much child's play these days due to the multitude of scripts, known flaws and the loss of true dedication to the cause.
W2K: 5) How do you make your money these days?
CapZap: A very interesting question indeed! Retired in some respects,
active and hearty and hale in other respects and well just keeping
my fingers in so many pies. I still do investigations and consulting
for a number of international clients. It is now so much easier
to do the consulting with tele-consulting and information transfer
with high speed networks so readily available these days. In
addition, I have just completed a British video series for the
Discovery Channel on Information Security, completing a number
of interview requests like this one and writing my 4th book on
security issues and the ever-changing aspects of the internet,
completing a paper for publication in the near future titled "A
Madman's view of Terrorism!" on a major International Terrorism
and Information Warfare Website and in addition for a major
print publication, operating part time, an HVAC firm in Florida,
what a lucrative market that is; and being in early retirement
in sunny Florida out fishing on the D.J.6 on the Gulf Coast for
most respects, most days. Times have changed so much and the
advent of cell phones and day trading and stocks is now my daily
play job too. And computers have even made that job automated for
the most part. It is a very interesting lucrative and exciting
mix to say the very least.
W2K: 6) What is the ONE thing you would advise W2Knews subscribers
to help them protect against hacker penetration?
CapZap: Due to companies' antiquated views of security and such
programs being static in nature and budget, it behooves any firm
to examine the needs of security on a dynamic basis every quarter
and more. Users and systems are a dynamic environment and ever-changing in profiles and data streams. Systems attacks are S.O.P. today and well you have to have a brain to stay on top of things. I would really suggest that a hacker viewpoint be established to attack the systems everyday with all of the tools that are available to all from the net. Why not have an office of systems in security research with a dedicated person who does nothing but surf the web
each and every day, looking for ways to break any and all systems
of the companies' environment. This includes any systems or support
structure that has any form of intelligence and connections to the
real world. The HVAC, the water systems, internal electrical grid,
back-up systems, telecommunications, physical electronic and
logical plant, waste management and document destruction; and
anything else that can be used as a possible information, weapon
or intelligence gathering resource. If you don't have a clue by
now as to what you are up against, and that is the entire world,
then you need to go sit in your box and close the lid and die.
And with that I bid you a fond farewell, for the fish are calling
and I don't want to miss the tide. It's off to the Gulf of Mexico
and another day of laptop / cell phone, stocks and fishing fun.
Ian A. (Capt. Zap) Murphy, President & CEIO
IAM / Secure Data Systems, Inc
"Everyone is into computers! Who is in yours???????"