Q&A: Mark Abene, from 'Phiber Optik' to security guru
Mark Abene first started using computers when he was about 9 years old, and by 12 he was exploring the electronic frontier from his home in Queens, New York. On bulletin board systems he swapped information with other phone phreakers and hackers, who formed the "Masters of Deception" group and inspired a book.
Abene, whose handle was "Phiber Optik," later received a one-year prison sentence for computer-related activities committed when he was a minor from a judge who said he wanted to send a message.
Featured in numerous newspaper and magazine articles, radio shows, and in a legendary face-off with members of early online community The Well, Abene became the unofficial spokesman for the hacker youth. He went on to numerous security and IT jobs, including work at Ernst & Young and American Lawyer Media, and started his own consultancy.
In the second of a three-part Q&A series with hackers, 37-year-old Abene talks about his love of programming and how his thirst for knowledge drove him to access sensitive networks.
Q: When did you start hacking or phone phreaking?
Abene:
When I first got online in the early 1980s I was using an online
service called CompuServe. I was initially looking for people with the
same computer as I had. I had a very simple computer in those days, an
old TRS-80, 32-column screen, no lower case, cassette tape recorder to
load and save programs, and you would connect it to a television set as
your monitor. I was online at a whopping 300 baud, which was normal at
the time. And I was seeking out people to trade programming ideas,
possibly software and so on. There wasn't a huge amount of commercial
software for my computer. One thing I had discovered about CompuServe
is that there was a programming environment you had access to...that
was a lot more powerful than the computer I had at home. It was the
first time I had the notion that you could actually use programming
languages and the ability to save and load back programs remotely on a
computer that wasn't yours.
The problem was that CompuServe at that time was insanely expensive, as
were any of the competing services. They charged by the hour, which is
unfathomable to people these days. I was chatting with people on
CompuServe CB (Simulator, the first online chat service). I also
discovered BBSes (bulletin board systems) many of which existed on Long
Island. I grew up in Queens. Behind the scenes there were often private
sections restricted to specific users to discuss certain underground
topics, not the least of which was trading passwords for online systems
and even calling card numbers to circumvent toll charges. Again at the
time, phone service was rather expensive. In most major cities it was
timed. No free local service, so you could easily run up a very large
phone bill. Bearing in mind, too, that we were kids. I was about 12 or
13 years old. The first passwords I got a hold of from these BBSes were
actually for minicomputers that were set up as part of an educational
program in Long Island at many of the high schools. It was sponsored by
DEC (Digital Equipment Corp.). A lot of the passwords I came across on
the BBSes originally were guest accounts.
So that was my initial exposure to being somewhere you were not supposed to be, although things were a lot more relaxed in those times. There was no real notion you were doing something illegal. It really wasn't (illegal). The fact that you were using a guest account on a minicomputer being maintained at a high school ... there wasn't any notion that anyone was doing anything wrong.
At this time I was weaning my way off CompuServe as I met people on BBSes. I had gotten pretty proficient not only at programming, but at understanding the system administration and security models of a lot of these operating systems from DEC. I was really interested in, not necessarily defeating them. But if, for example, you wanted to maintain access to these systems you would have to understand how the security mechanisms worked. Besides being fun it was definitely an intellectual challenge. If you were used to hanging out on one of these systems and if the guest account password was changed or an account you were using got locked out it would be kind of frustrating. So, that was probably my initial motivation in wanting to understand how to defeat the security mechanisms.
In doing so, I met a guy on BBS with an underground section and this guy introduced me to a couple of guys from the Legion of Doom, who were not from New York. This was probably in around 1985 or 1986. A guy I knew from BBSes, Steve, introduced me to a guy from the Legion of Doom who called himself "Marauder," from Connecticut and another guy in Florida, who called himself "CompuPhreak." Marauder was skilled with an operating system called RSTS. A lot of the minicomputers in the school program were DEC PDP-11s and they ran an operating system called RSTS...
I was always interested in the phone system from a relatively early age. The phone system was a lot more present then it is now. There's a certain silence now because it is digital. Behind the scenes it was electro-mechanical; it was done by machines with lots of moving parts. When you called somebody you heard a lot of these rickety machines in the background. You would hear the switching of the call before the phone started ringing and sometimes you would hear tones in the background going over trunk lines connecting you to the person being called. I was always interested in knowing what was going on when that was happening. I learned later on that a fair amount of that process was computerized and I figured there must be some pretty interesting computers doing that. I got to talking with Marauder and CompuPhreak about that.
On a lot of these BBSes it was very common to have sections with text
files which were nicknamed G files for general files. A lot of these
general files were categorized into a sort of underground knowledgebase
in the form of information that was typed up by other kids who had
encountered certain systems in their forays into places they probably
weren't supposed to be. They would describe lists of commands. A lot of
these systems had online help. It was not uncommon to log into one of
these DEC minicomputers and type in "help" and get a list of commands
in insane detail with information about how to get around in the
system. A lot of times you would find reprints of these help files.
You'd also find info about phreaking or exploring the telephone system.
Some of it was from a previous generation, from the '70s, stuff that
had been reprinted or re-transcribed. Other stuff was being put out by
other people, primarily in the Legion of Doom. Some of it was
re-transcriptions of phone company documents they had found in the
trash, for example. In other cases it was descriptions of systems that
people had gotten into, management systems in the phone company. In
these days security was a lot simpler. There are cases where certain
rather powerful management systems within the phone company could be
accessed simply by dialing in, knowing the phone number, and not even
needing a password because the previous user had forgotten to log out
and it wouldn't reset back to the log-in screen. That was a common
problem back then. That was the way a lot of hackers got into these
phone company management systems.
There was a lot of overlap between hacking and phreaking. Most of the management systems used in the phone company were actually Unix systems. So I started learning Unix in the 1980s. And my motivation for wanting to program in C stemmed from my wanting to run password crackers. Certainly you couldn't do anything like that on your home computer. You had to run a password cracker...Another thing that motivated me to learn C was to be able to do modifications to the security infrastructure of a lot of these systems in order to maintain access to them...The log-in program that runs on Unix was written in C. Being able to modify that and insert a backdoor password for easy entry is something you had to be skilled to do. These were systems we never would have had access to otherwise and we wanted to understand their intricacies and how they worked.
So, the motivation wasn't to make free phone calls?
Abene:
There was no motivation to make free phone calls. It was a means to an
end. The motivation was so you didn't get killed with a whopping phone
bill for all these dial-up calls...The way a lot of us justified it as
kids was it was an acceptable risk, a means to an end.
What were you learning from those systems?
Abene: I was
really interested in the telephone network, switching systems and
management systems associated with them, as well as large data
networks. Prior to the Internet there were packet switched networks
that were used for a variety of purposes. Two of them were Telenet and
Tymnet. They were private networks and they had a lot of private
subnets within them, in a lot of cases gateways to systems and networks
overseas. They were the first real international networks young hackers
ever saw. A lot of those young hackers reached out to each other on
chat systems that were set up. There were some famous chat systems set
up in Germany and the only way to get to them was to learn how to
navigate through some of these packet networks.
As far as who the customers were on these networks, pretty much everything under the sun, a cross section of big business. I and a couple other guys had gotten access to a lot of the internal maintenance and debugging tools used by the company that ran the Tymnet network and in doing so we were able to pretty much gain access to any system that was connected to the network just by watching people log in as they entered passwords. That was probably one of the earliest cases of, I guess you could call it interception or eavesdropping, but only in the sense of capturing passwords.
So, you weren't generally sniffing around networks for corporate information?
Abene: We were only interested in technical documents that
explained the workings of system X. Anything that had to do with
security...Our pursuits were highly technical. We were motivated by
wanting to learn more about the systems we were getting into. There was
lot more variety of systems out there than there is today.
What got you in trouble with the law?
Abene: When I first
got online and started getting access to systems there was a sort of
gray area. When you are a young teenager you're not really thinking
about what the law says. And when I first got online there were no
clear-cut computer crime laws. It wasn't really until 1986 or
thereabouts that some of the first laws were drafted specifically
addressing computer crime. Prior to that, unless they were doing
something really out of the ordinary, most people who got in to trouble
with the law at that time were usually doing something silly or
foolish. It was relatively easy to remain undetected in those times.
Unless you were doing something blatant or going somewhere that was
extremely sensitive. I let some of my guard down I suppose because of
the way things were changing towards the end of the 1980s...
There was a lot more publicity around hacking as more and more people were being arrested and tried and, as you can probably imagine, a lot of the publicity was very negative. In the United States hackers were public enemy No 1. It was high drama on the electronic frontier, with images of FBI agents kicking in doors and waking up kids at gunpoint, which happened to me personally, so that's no exaggeration. Things like that typically didn't happen in other places. There was definitely a high degree of paranoia in the U.S. surrounding all this.
Over the course of us doing this things became illegal. For example, I was charged with possessing 15 or more passwords. The laws themselves, if you read them, are just ludicrous to think about in stark comparison to when they didn't even exist. When you're a teenage kid and you're perusing around looking for access to interesting systems you would have hundreds, thousands of passwords and dial ups and so on. You would keep it all in a notebook. That was the information you collected; it was part of who you were and what your skill sets were. It wasn't anything unusual. Something like that became illegal. Forgetting about intent or whether or not they were used, it was simply possession. Many systems didn't even have passwords, in the mid-80s, including phone company systems. The administrators never set passwords.
What was your thinking when these activities were outlawed?
Abene: We always conducted our activities according to a certain code
of behavior and we always believed that as long as we adhered to that
code of behavior we wouldn't show up on too many people's radar. This
tended to be the case for a long time, even after laws started to pass.
(Around) 1986 a friend of mine who was in the Legion of Doom had gotten in trouble for various things he did having to do with the phone company and getting access to really sensitive systems. It was Dave Buchwald, who was also one of my business partners when I had my consultancy, (CrossBar Security). There was an internal investigation. Back then it was New York Telephone. At the time it was one of the biggest, most blatant upsets to internal phone company security probably than there had ever been. The phone company wanted to keep it rather quiet because frankly they were pretty embarrassed by it. By the time I had gotten into trouble for very similar things some years later, it was not long after some friends of ours in Atlanta, some Legion of Doom guys had gotten in trouble.
That hit close to home because I was in regular contact with those guys and I figured that if they had gotten into trouble we were on somebody's radar. And we were. That was around 1989. And the paranoia level had gotten so high that when the Secret Service came knocking in January of 1990 at my parents' house looking for me they were under the impression that I had something to do with crashing the AT&T network, which had gone down completely around Martin Luther King Day about a week before. As you can imagine they were overeager to find somebody to blame for that. If hackers had taken down the nation's primary long-distance company then something had to be done. That turned out not to be the case. AT&T then went on the record claiming it was their own software update containing an error which took down the network. They were the cause.
I figured that these guys were so far off in what they believed was going on it really didn't sway me from doing what I was doing. Although in retrospect, I could have been more careful at that point. There was a certain amount of publicity that was associated with it and the fame that went with it, fame within certain circles anyway, which kind of made it cool I guess for a lot of people. It was probably one of the first high-profile cases of that kind. That was 1990. Over the course of the next year we just did everything bigger and badder. We did lots of interviews, all the while we were still hacking. This basically made us enemies of the government and law enforcement everywhere. Federal law enforcement certainly had it in for us at that point. Again, it was largely our interpretation that these guys were so far off the mark from our initial encounter with them in 1990 that led to all of us getting in trouble in 1991. And that was the end of my first-hand dealings with the so-called "underground."
What were you arrested for?
Abene: In 1991 there was that aspect of phone company switching
systems which are considered a very sensitive part of the nation's
infrastructure and we can't have teenagers playing around in those.
There were also a lot of the public and private data networks we had
gotten access to. One of the major complainants in my case was British
Telecom, which ran Tymnet. Several of the regional bells were not all
too happy. I was charged with the least number of charges compared to
others in the case, but I got one of stiffest sentences and that was
due to the public image I had created.
What were you charged with and how much time did you serve?
Abene: I was sentenced to a year in prison in 1993, as a result of
being grouped into a major investigation by a joint FBI/Secret Service
task force in 1991, when I was already 18. Even though I was scarcely
mentioned in the indictment at all, I surprisingly received the
harshest sentence because of my public profile. The judge himself said
he wanted to "send a message" at my sentencing. I was charged with
conspiracy to commit certain specific acts. In the indictment they laid
out various overt acts. The other charge was basically computer
trespass on a grand scale. I was ultimately sentenced to a year and a
day and actually served about 11 months in federal prison. It was not
an experience I like thinking about and it is something I put behind me
long since. By the time all that happened I was already employed in
companies working as a system administrator.
But it hasn't hindered your career at all, has it?
Abene: Not at all. I've worked as a system administrator and
network administrator. Even when I was still doing things that could
obviously be construed as being illegal I did a fair amount of public
speaking. I did several talks at the New School for Social Research in
Manhattan, Parsons, and New York University. A lot of these talks were
purely technical, such as the history of the technology of the phone
system... After working as a system administrator for two of the first
public access BBSes with Internet access (MindVox and ECHO) I became a
system administrator and security consultant, and was recruited by
Ernst & Young to kick-start a new type of security consulting.
I successfully spun off my own consulting firm based on those experiences in the late '90s, and did information security work on four continents along with my business partners. We ultimately all went into private practice after the dot-com bubble burst in the early 2000s. I've been doing independent information security consulting for some rather large clients ever since, until recently forming a new intrusion detection start-up with some colleagues. I was still working at ECHO when I was released from prison. Then I worked for Radical Media, which was a production house, as a system administrator.
If you could do anything differently what would it be and do you have any regrets?
Abene: That's a pretty loaded question. You can't go back. I don't live
with any regrets. I took part in something that at least I considered
special. There were certainly some negative aspects in it in the
trouble I got into. But there was definitely a lot of positive that
came out of it. But I consider that to be a very minor phase of my
life. My trouble with the law lasted about a year and if you do a
Google search it is 99 percent of what you find.
Do you have any advice for young hackers?
Abene: Things are
a lot different today. One of our major motivations was that we wanted
to get access to computers that were more powerful than the simplistic
ones we had at home. Today most kids' home computers are a lot more
powerful. For us it was a great equalizer. We wanted to get access to
the high technology we otherwise wouldn't have access to, understand
it, and learn to program it. As far as anybody today doing a New York
sort of underground hacking, I'd caution against it even though,
naturally, it's going to happen. It's a completely different world
these days.
What are you doing now?
Abene: I have been doing lots of
consulting. After my own consulting firm folded after the dot-com bust
in the early 2000s I continued doing independent security consulting
for a lot of large companies. A fun job I had recently was writing the
encryption routines for the online streaming service for Major League
Baseball.
In : Reviews
Tags: mark abene phiber optik phreaking hacker