YH Online:  Sports

By Joshua Benton

In its omnipresent ad campaign, Microsoft asks computer users: "Where do you want to go today?"

For dozens of Yale hackers, the answer is simple: wherever they're not supposed to.

With over 10,000 users and 1.3 million email messages sent every week, Yale's computer system stands as an open challenge to the programming skills of these students, and nothing else matches the thrill of breaking into someplace they don't belong.

While Nick Ryan, DC '98, who recently pleaded guilty to charges of computer fraud and faces up to five years behind bars and a quarter-million dollars in fines, served as an example of the few who get caught, most just float through the ether, blissfully unthreatened by authorities. They forge e-mails (like the one last week that sent hundreds of unwitting Electrical Engineering 101 students to the wrong classroom to watch Tron), look at other people's grades, and create general havoc. And they seem to do it better here than elsewhere.

"There are students at Yale who are simply better hackers than students at other colleges," one computer science department administrator said. "Yale brings in the elite in all fields of endeavor, you know."

Easy access

Administrators and hackers agree on one thing: it isn't too hard to cause trouble on the Pantheon. "It's almost trivial to crash the machines," Assistant Pantheon Administrator Bret Martin, BR '97, said.

"If havoc is your only aim, it's easy," one Yale hacker said. "It's easy to flood a network with crap and shut it down. It doesn't take much knowledge if you have the will." Indeed, users crash the Pantheon regularly by accident, sometimes for hours at a time.

Breaking into a user's account isn't too difficult, either, if a hacker sets his mind--they are almost all male--to it. "The biggest problem is people who leave their accounts sitting open on a computer," Academic Computing Services Director Phil Long, JE '71, said. "They're almost asking for trouble."

If a knowledgeable hacker sits down in front of someone else's session, he has the full power of the account in his hands. He could send a forged e-mail in that person's name to the user's parents or significant other; he could delete every e-mail that user has ever written or received; he could add pornographic images or anti-Semitic slogans to the user's web page. A more advanced hacker could alter the software used to read e-mail to damage the entire network, or take steps to ensure that, even if the user changes his or her password later, the hacker can still get into the account, years later. (One ACS official said he deals with dozens of these longer-term hacks every year.)

"Suppose someone knows your password, so you change it," Stephen Slade, a visiting professor in the computer science department, said. "They could have already changed everything and become you."

Even if users habitually log out of their accounts after checking e-mail, some still have passwords that any hacker could guess. "You'd be amazed how many students have their password as their name, or their girlfriend's name, or their room number," Long said. "Those are the things people guess first when they're guessing passwords."

The list of ways to get into people's accounts is seemingly endless. In some parts of the Yale network, a hacker can "sniff" through the ethernet cables and grab passwords at the moment they flow through the network; in certain segments of the system, the process only requires knowledge available in an introductory networking textbook. Hackers can record the keystrokes of a user and filter out his or her password.

Hackers have even been known to masquerade as system administrators, calling up users and asking them to tell them their password over the phone. And now, with Bulldog Access, knowing a password can mean knowing a student's grades, course schedule, and financial aid status. Long said that his department has already found several individuals successfully accessing Bulldog Access with another person's password.

"We investigate a major new incident every two weeks or so, and send out 'stop-it' letters for borderline cases every week now," Long said. "And there are no doubt plenty of instances we don't know about."

Disappearing acts

Most frustrating for administrators hunting down hackers is the seeming futility of it all. Even the most sophisticated technology cannot detect who was sitting at what computer when. "Often, we can narrow it down to a particular Macintosh, but if it's in a public cluster, we can't do anything," a computer science department administrator said. "Hundreds of students have used that computer, and we don't know who did it."

Long pointed out that, despite the fact that the number of Pantheon users has quadrupled in the last three years, staff and budget allocations for Academic Computing have remained constant, leaving less time for investigative work.

Still, administrators say the Pantheon is more secure than most machines. For example, many hacking tools freely available on the Internet work on the password file, the encrypted list of every user's name and password kept on all servers. If a hacker can access the password file, it's usually only a matter of time before the system collapses. Yale, however, moved the Pantheon password file off Minerva and onto a separate machine whose very name is top secret, and which only three administrators can access, Long said.

But the Pantheon isn't the only place with potential for hacking. Every night, hackers go "zone surfing"--the term for opening up a Chooser on a networked Macintosh and searching for computers whose owners have turned on "file sharing" without requiring a password. The entire contents of those computers can be copied, or erased, by anyone on the network. Long said he knew of at least one recorded case of an entire hard drive being erased over the network.

And even these loopholes don't approach the security lapses in places like the Dunham Zoo, the computer cluster for computer science majors where the campus' best coders spent much of their time. One recent graduate became famous for writing a program that looked just like the normal login prompt on machines in the Zoo. However, instead of logging the user in, the program recorded the password and emailed it to the program's creator, who amassed dozens of passwords in this manner.

In the Zoo, people have written programs whose only purpose is to crash the workstation of a fellow computer science major. One major broke into another student's computer and posted a message in the alt.hackers newsgroup on the Internet inviting hackers to alter the machine's contents as they pleased. Soon, hundreds of people from around the world were attacking the machine over the Net, effectively killing the student's data. "It was seen as positive," one department administrator said. "People admire people who pull off successful hacks. It's the 'boys will be boys' attitude."

But, as Martin pointed out, "It's one thing to be curious. It's another to be curious and destructive."

Still, many would point out that the mean-spirited behavior often associated with hackers is not particular to, or inspired by, computer technology. "If you don't like someone, you could spread rumors about their sexual behavior," David Sklar, BK '97, said. "If you don't like someone and you're a geek, you can mess with their e-mail. It's just the choice of tools.

"You've got a lot of people who are talented in computing and who have a corresponding deficit in social skills," Sklar continued. "They can demonstrate their power through computing."

'A game that got out of hand'

In the summer of 1995, the most notorious password break-in in recent Yale history took place in the calm confines of 175 Whitney Ave., which holds the Yale Computer Center. Every summer, Yale hires a few computing assistants to work on networking projects full-time, and that summer, Andrew Ryder, CC '96, and Ben Trumbull, SY '98, were among them. "Things were kind of slow," Trumbull remembered. "So we started screwing around. We were CS [computer science] majors, so we knew what we were doing."

The pair got into what they both describe as a "friendly little competition": to break into each other's Pantheon accounts. Without too much trouble, they both succeeded, and decided to break into other Pantheon accounts. They placed stealth programs on computers in the Computer Center that recorded every key anyone pressed on the keyboard. From there, it was simple--if they wanted to find the password of user "jsmith," they scanned the recorded keystrokes for "jsmith," then saw whatever was typed after it. That was the password. They were in. Depending on who you believe, the pair stole a dozen, or several hundred, passwords that way.

In a decision that shocked many students, especially CAs, the culprits got off virtually scot-free when they were finally caught. There was no trip to the Executive Committee. Their rights to use campus computers were not revoked. In fact, both got to keep their jobs as CAs, even though one of the major responsibilities of the position is teaching users about the ethical use of the network. "These people are supposed to be model network citizens," Long said. "I mean, they're CAs, for Christ's sake."

And lots of CAs thought that was just fine. "Some thought it was evil and malicious, but some thought it was just good fun done with poor judgment," Trumbull said. "They said, 'Well, it's kinda neat they did it all.'"

"I don't think Andrew is a bad guy," Martin said. "I think it was just a game that got out of hand."

Long saw that ambivalence as a problem. "I was very disappointed that there wasn't a clearer belief among all the CAs that these acts were wrong," he said. Meanwhile, neither student faced any real career consequences. Trumbull has since worked in the Advanced Technologies Group at Apple Computer, and Ryder is now in suburban Seattle, working as a software design engineer for Microsoft. Some of the giants of the computer industry--men like Steve Jobs and Steve Wozniak, the cofounders of Apple--began their careers as hackers, and hiring someone with a history of criminal computing behavior is not unheard of in Silicon Valley.

In Yale's system of discipline, the transition from Academic Computing to the Executive Committee is a rough one. "There's often a question of who has the right to raise a complaint. Is it a crime against Yale? Against a user?" Long said. "Real life is not cut and dry, unfortunately, and that slows down the process."

If two CAs could avoid any substantial penalty for stealing dozens or hundreds of passwords, some asked if hacking was punishable at all. The conviction of Nicholas Ryan proves that it is. "I hope he's treated at least somewhat harshly," Martin said. "It would be nice to, by the end of the decade, have people realize that just because something is electronic, that doesn't mean it isn't valuable."

Mostly harmless?

Some students see the rise of the Internet--and the attendant rise of student interest in networking--as a potential threat to security. "There are a lot more students now who are knowledgeable in networking," Martin said.

"There's also a new sense of discovery with each incoming undergraduate class now," Slade said. "They all want to experiment." Indeed, most of the hacking activity at Yale is experimentation, the work of bored computer mavens who want to see how far they can take their skills. All parties agreed that most hackers do no damage and do not have malicious intentions.

But one sobering thought is that the hackers who come to the public's attention--like Nick Ryan--are simply not the cream of the crop. "Ryan went around posting messages about his program in AOL chat rooms," Ryder said. "I mean, what was he thinking? That's just not too bright."

"The people who are very good, there's no publicity about them," Sklar said. "The people who you hear about get publicity because they're not good enough to get away with it. Ben [Trumbull], Nick Ryan, they want the publicity and start telling their friends about what they've done. The really good ones--you'll never know about them."



All materials © 1996 The Yale Herald, Inc., and its staff.