Government Use of Hackers as an Object of Fear

Interesting article about the perception of hackers in popular culture, and how the government uses the general fear of them to push for more power:

But these more serious threats don't seem to loom as large as hackers in the minds of those who make the laws and regulations that shape the Internet. It is the hacker -- a sort of modern folk devil who personifies our anxieties about technology -- who gets all the attention. The result is a set of increasingly paranoid and restrictive laws and regulations affecting our abilities to communicate freely and privately online, to use and control our own technology, and which puts users at risk for overzealous prosecutions and invasive electronic search and seizure practices. The Computer Fraud and Abuse Act, the cornerstone of domestic computer-crime legislation, is overly broad and poorly defined. Since its passage in 1986, it has created a pile of confused caselaw and overzealous prosecutions. The Departments of Defense and Homeland Security manipulate fears of techno-disasters to garner funding and support for laws and initiatives, such as the recently proposed Cyber Intelligence Sharing and Protection Act, that could have horrific implications for user rights. In order to protect our rights to free speech and privacy on the internet, we need to seriously reconsider those laws and the shadowy figure used to rationalize them.


In the effort to protect society and the state from the ravages of this imagined hacker, the US government has adopted overbroad, vaguely worded laws and regulations which severely undermine internet freedom and threaten the Internet's role as a place of political and creative expression. In an effort to stay ahead of the wily hacker, laws like the Computer Fraud and Abuse Act (CFAA) focus on electronic conduct or actions, rather than the intent of or actual harm caused by those actions. This leads to a wide range of seemingly innocuous digital activities potentially being treated as criminal acts. Distrust for the hacker politics of Internet freedom, privacy, and access abets the development of ever-stricter copyright regimes, or laws like the proposed Cyber Intelligence Sharing and Protection Act, which if passed would have disastrous implications for personal privacy online.

Note that this was written last year, before any of the recent overzealous prosecutions.

Posted on April 8, 2013 at 6:34 AM • 13 Comments


Clive Robinson • April 8, 2013 9:30 AM

The problem is not just in the US.

Back in the 1980s in the UK various people were prosecuted with all sorts of nonsense in an attempt to define computer activities within existing fraud and other legislation.

Eventually a rather stupid attempt by the authorities to prosecute two supposed hackers (Robert Schifreen & Steven Gold) for pointing out a glaring error by system designers and system administrators resulted in the House of Lords throwing out the case and strongly telling Parliament that it should come up with appropriate legislation.

I was fortunate in that although I'd been involved in one or two other notable events prior to this [1] my natural wariness had stopped me becoming an earlier victim.

Basically, British Telecom had two services: the Gold business system and the Prestel TeleText system.

Basically, Gold engineers and the Gold management had lied to the press about the security of Gold after a highly embarrassing incident and I'd found out by a simple series of tests. And being involved with the Association of Computer Clubs (ACC), I pointed out this lie and the further security weaknesses to the senior ACC members Len Stuart and Vernon Quaintance involved with Gold & Prestel. I showed Len what the issue was and he encouraged me to write it up as a private page on Prestel (which I did) and he then contacted the Gold management via Micronet800. Well, nothing happened for a day or so, then Gold management wanted to see a "demonstration of the fault". I smelled a rat when they talked about "demonstrating the fault" after I'd provided explicit instructions via the ACC. I declined and there was then pressure applied via Micronet800 to do the demo. I spoke to my then boss about this and he spoke to a couple of legally minded people who said don't unless you've a cast iron guarantee of immunity. The pressure mounted and various people were saying "it's just a demo" and I followed the advice and when I asked about immunity suddenly the whole demo idea disappeared, which made me deeply suspicious...

But back to Robert and Steve's little misadventure which nearly cost them everything. Micronet800 was part of Prestel set up to involve computer clubs and smart kid programmers such that bulk upload software for various home computers etc could be written and made available to push the system into mainstream use by small businesses etc (it never really happened).

As part of this the Prestel engineers had set up a test system called pandora and put details of the admin login details on the home page. Also because they were either lazy or not worldly wise they had simply copied an active system over from backup tapes etc. Included in the Prestel system which all admins could see was a plaintext account and password file... hence the security problem which was brought to the attention of Robert (who was known as the "bug hunter" from his column in Acorn User Mag). Amongst other users' details was HRH Prince Philip who was (and probably still is) a bit of a technophile...

So when I'd been told via Simon Williams (a co-worker) that Robin and Steven were taking their findings on the security to Dave Babski of Micronet800 and were going to demo it I said it was unwise and reiterated why I thought so. I was actually accused of being "paranoid" by one and others agreed with the "it's just a demo" mantra so I said they were foolish and I was not having anything to do with it and kept well out of it.

As it turned out I was right and observing a very low profile had prevented me becoming a British Telecom and Met Police scalp (unlike RS&SG).

Unfortunately, even though the Lords kicked out the prosecution, the resulting law was (and still is) a complete shambles and has such broad definitions that software developers have been convicted under it when the clients they had worked for decided not to pay for the work etc...

[1] BT-Gold on Prime OS systems was BT's flagship business system that they wanted to push into the market, hence they pushed it onto the BBC Micro Live program as "special interest" but really as free advertising. Unfortunately Gold had a number of technical and security weaknesses but they were not what caused Acorn's Herman Hauser's ACN001 account getting cracked by Oz&Yug. What actually happened was that the password (HH) was guessed and a copy of "The Hackers Song" was put in the account startup script so it was displayed immediately on login and was thus seen by over 10 million viewers. Anyway the Gold engineers changed various programs within 24 hours after the highly embarrassing BBC Micro Live program and told various newspaper journalists that the system was secure. Unfortunately it was not and at least one of the changes made by the Gold engineers made things worse...

andyinsdca • April 8, 2013 10:05 AM

How is this any different from any other scare tactic from the government? "Terrorists are going to blow up your plane! Take off your shoes" Etc. etc.

aboniks • April 8, 2013 11:26 AM

More broadly though, fear is an excellent goad when you're driving sheep of any species.

Hacker-fear is just a cultural artifact though, exploited by many. Look to the popular culture generators for your original sinners though...politicians don't manufacture these fears, they just make use of them after the fact.

The same way politicians use gun-fear, gay-fear, climate-fear, drug-fear, etc. The problem isn't the politicians, per se; The problem is ignorance.

Dinosaur • April 8, 2013 11:33 AM

Hackers in fiction are not different than other stereotyped characters: badarse bullet proof cops or commandos, flying martial artists, omniscient mad scientists, serial killers that can hide in the thin air etc.
Of course it is a kind of stereotype that can be profitably used to shape mass perception of security, dangers and what is consequently a reasonable tradeoff.

Bob Robertson • April 8, 2013 1:01 PM

Dinosaur, interesting how those tradeoffs are always in the direction of more govt control, more govt authority, more ways to prosecute people who have harmed no one.

Bear • April 8, 2013 1:26 PM

No news here.

Fear the Spanish! Pass the phone tax!
Fear the marijuana smokers! Anslinger says those brown people will get our wimmenfolk!
Fear the Reds! Expand the DOD budget! Fear poor brown people! Ban "Saturday Night Specials"!
Fear Saddam's chemical weapons! Invade Iraq!
Fear the terrists! Surrender your freedoms so we have nothing left to hate!
Fear Iranian nukes! They'll photoshop us back into the Stone Age!
Fear "assault weapons"! Or the ATF will smuggle more to the Mexican cartels!

Fearmongering is the basis of government. All the way back to, "Fear the reivers! Let our armored knights protect you out of your crops so the thieves can't get 'em!"

Northern Realist • April 8, 2013 2:06 PM

And just how is this any different from how governments, police and neo-cons use radicals, dissidents, and even crime statistics to further their own agendas...?

MingoV • April 8, 2013 5:26 PM

What happened to the distinction between hackers and crackers? The former generally were not destructive and were not electronic thieves. The latter either damaged systems, stole information, or stole money. Today, both categories are lumped together as hackers. So what do we call old-style hackers?

Neuromancer • April 8, 2013 6:17 PM


As an ex BT employee who used to work on both Telecom Gold and Prestel, I need to correct you. Back in the day I developed billing systems for Telecom Gold in the 80’s.

The Gold system was Telecom Gold, or Dialcom in the USA, and it was the Prestel system that got hacked, not Telecom Gold. Guessing a password isn’t a weakness; I’d have tried Acorn or Atom for Herman Hauser's ACN001 account.

I haven’t heard of any problems with the Dialcom systems and I was a member of a dev team and I had sysad (root) on all the Pr1me systems and had level 7 (beyond root) on the billing system.

What actually happened at Prestel was the Prince Philip account was set up with all 1’s as a demo account for Prince Philip to use at some exhibition – this was shoulder surfed at the show and then reused. What they didn’t do was remove the demo account afterwards.

Schifreen and Gold got off on a technicality: the judge ruled that an electronic key was not the same as a physical one, which I feel was an incorrect decision.

This information comes via conversations with coworkers who worked at Prestel at the time. In fact I used to work later on for the poor sod who was the engineer in charge on the day. Though I don’t think he got a promotion after that so he probably lost out because of that.

Rumour had it that SD (BT feared internal security department) had taken the guy out and had him fired but in fact he continued at BT until he took VR around 2000.

Holger L. Ratzel • April 10, 2013 1:09 AM


Non-IT guys will call all kinds of hackers just "hacker". The mainstream media and even big IT companies (at least in Germany) can't distinguish between a "host name" and a "domain name". So how should people learn the difference between a hacker and a cracker? For them a cracker is something to eat (again at least in Germany) ;-)

Alex • April 13, 2013 12:26 PM

I remember back in the day when hacking was for pure informational purposes only. You tried to get into different systems to see how they worked, to sharpen your own knowledge, etc. You did your best not to disrupt anything and cover your tracks. It was more along the lines of wanting to know what was behind a locked door.

I think the problem with today's hackers is that they're a bunch of script kiddies with no thought of the repercussions.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.