From 'Phiber Optik' to security guru

newsmaker Mark Abene first started using computers when he was about nine years old, and by 12 he was exploring the electronic frontier from his home in Queens, New York. On bulletin board systems he swapped information with other phone phreakers and hackers, who formed the "Masters of Deception" group and inspired a book.

Abene, whose handle was "Phiber Optik", later received a one-year prison sentence for computer-related activities committed when he was a minor from a judge who said he wanted to send a message.

Featured in numerous newspaper and magazine articles, radio shows, and in a legendary face-off with members of early online community The Well, Abene became the unofficial spokesman for the hacker youth. He went on to numerous security and IT jobs, including work at Ernst & Young and American Lawyer Media, and started his own consultancy.

In an interview with ZDNet Asia's sister site CNET News, the 37-year-old talks about his love of programming and how his thirst for knowledge drove him to access sensitive networks.

Q: When did you start hacking or phone phreaking?
Abene: When I first got online in the early 1980s I was using an online service called CompuServe. I was initially looking for people with the same computer as I had. I had a very simple computer in those days, an old TRS-80, 32-column screen, no lower case, cassette tape recorder to load and save programs, and you would connect it to a television set as your monitor. I was online at a whopping 300 baud, which was normal at the time. And I was seeking out people to trade programming ideas, possibly software and so on. There wasn't a huge amount of commercial software for my computer.

One thing I had discovered about CompuServe is that there was a programming environment you had access to...that was a lot more powerful than the computer I had at home. It was the first time I had the notion that you could actually use programming languages and the ability to save and load back programs remotely on a computer that wasn't yours.

The problem was that CompuServe at that time was insanely expensive, as were any of the competing services. They charged by the hour, which is unfathomable to people these days. I was chatting with people on CompuServe CB (Simulator, the first online chat service). I also discovered BBSes (bulletin board systems) many of which existed on Long Island. I grew up in Queens. Behind the scenes there were often private sections restricted to specific users to discuss certain underground topics, not the least of which was trading passwords for online systems and even calling card numbers to circumvent toll charges.

Again at the time, phone service was rather expensive. In most major cities it was timed. No free local service, so you could easily run up a very large phone bill. Bearing in mind, too, that we were kids. I was about 12 or 13 years old. The first passwords I got a hold of from these BBSes were actually for minicomputers that were set up as part of an educational program in Long Island at many of the high schools. It was sponsored by DEC (Digital Equipment Corp.). A lot of the passwords I came across on the BBSes originally were guest accounts.

So that was my initial exposure to being somewhere you were not supposed to be, although things were a lot more relaxed in those times. There was no real notion you were doing something illegal. It really wasn't (illegal). The fact that you were using a guest account on a minicomputer being maintained at a high school...there wasn't any notion that anyone was doing anything wrong.

There was no motivation to make free phone calls...The motivation was so you didn't get killed with a whopping phone bill for all these dial-up calls...The way a lot of us justified it as kids was it was an acceptable risk, a means to an end.

At this time I was weaning my way off CompuServe as I met people on BBSes. I had gotten pretty proficient not only at programming, but at understanding the system administration and security models of a lot of these operating systems from DEC. I was really interested in, not necessarily defeating them. But if, for example, you wanted to maintain access to these systems you would have to understand how the security mechanisms worked. Besides being fun it was definitely an intellectual challenge. If you were used to hanging out on one of these systems and if the guest account password was changed or an account you were using got locked out it would be kind of frustrating. So, that was probably my initial motivation in wanting to understand how to defeat the security mechanisms.

In doing so, I met a guy on BBS with an underground section and this guy introduced me to a couple of guys from the Legion of Doom, who were not from New York. This was probably in around 1985 or 1986. A guy I knew from BBSes, Steve, introduced me to a guy from the Legion of Doom who called himself "Marauder", from Connecticut and another guy in Florida, who called himself "CompuPhreak". Marauder was skilled with an operating system called RSTS. A lot of the minicomputers in the school program were DEC PDP-11s and they ran an operating system called RSTS....

I was always interested in the phone system from a relatively early age. The phone system was a lot more present then it is now. There's a certain silence now because it is digital. Behind the scenes it was electro-mechanical; it was done by machines with lots of moving parts. When you called somebody you heard a lot of these rickety machines in the background. You would hear the switching of the call before the phone started ringing and sometimes you would hear tones in the background going over trunk lines connecting you to the person being called. I was always interested in knowing what was going on when that was happening. I learned later on that a fair amount of that process was computerized and I figured there must be some pretty interesting computers doing that. I got to talking with Marauder and CompuPhreak about that.

On a lot of these BBSes it was very common to have sections with text files which were nicknamed G files for general files. A lot of these general files were categorized into a sort of underground knowledge base in the form of information that was typed up by other kids who had encountered certain systems in their forays into places they probably weren't supposed to be. They would describe lists of commands. A lot of these systems had online help. It was not uncommon to log into one of these DEC minicomputers and type in "help" and get a list of commands in insane detail with information about how to get around in the system. A lot of times you would find reprints of these help files.

You'd also find info about phreaking or exploring the telephone system. Some of it was from a previous generation, from the '70s, stuff that had been reprinted or re-transcribed. Other stuff was being put out by other people, primarily in the Legion of Doom. Some of it was re-transcriptions of phone company documents they had found in the trash, for example. In other cases it was descriptions of systems that people had gotten into, management systems in the phone company. In these days security was a lot simpler. There are cases where certain rather powerful management systems within the phone company could be accessed simply by dialing in, knowing the phone number, and not even needing a password because the previous user had forgotten to log out and it wouldn't reset back to the log-in screen. That was a common problem back then. That was the way a lot of hackers got into these phone company management systems.

There was a lot of overlap between hacking and phreaking. Most of the management systems used in the phone company were actually Unix systems. So I started learning Unix in the 1980s. And my motivation for wanting to program in C stemmed from my wanting to run password crackers. Certainly you couldn't do anything like that on your home computer. You had to run a password cracker...Another thing that motivated me to learn C was to be able to do modifications to the security infrastructure of a lot of these systems in order to maintain access to them...The login program that runs on Unix was written in C. Being able to modify that and insert a backdoor password for easy entry is something you had to be skilled to do. These were systems we never would have had access to otherwise and we wanted to understand their intricacies and how they worked.

So, the motivation wasn't to make free phone calls?
There was no motivation to make free phone calls. It was a means to an end. The motivation was so you didn't get killed with a whopping phone bill for all these dial-up calls...The way a lot of us justified it as kids was it was an acceptable risk, a means to an end.

What were you learning from those systems?
I was really interested in the telephone network, switching systems and management systems associated with them, as well as large data networks. Prior to the Internet there were packet switched networks that were used for a variety of purposes. Two of them were Telenet and Tymnet. They were private networks and they had a lot of private subnets within them, in a lot of cases gateways to systems and networks overseas. They were the first real international networks young hackers ever saw.

A lot of those young hackers reached out to each other on chat systems that were set up. There were some famous chat systems set up in Germany and the only way to get to them was to learn how to navigate through some of these packet networks.

As far as who the customers were on these networks, pretty much everything under the sun, a cross section of big business. I and a couple other guys had gotten access to a lot of the internal maintenance and debugging tools used by the company that ran the Tymnet network and in doing so we were able to pretty much gain access to any system that was connected to the network just by watching people log in as they entered passwords. That was probably one of the earliest cases of, I guess you could call it interception or eavesdropping, but only in the sense of capturing passwords.

So, you weren't generally sniffing around networks for corporate information?
We were only interested in technical documents that explained the workings of system X. Anything that had to do with security...Our pursuits were highly technical. We were motivated...