THE COMPUTER BULLETIN - September 2002
The Bulletin Interview
Robert Schifreen
The man whose hacking directly led to legislation in the UK now observes from the legitimate side of the fence - and he despairs about how much easier it has become to hack, and how software suppliers and users fail to respond adequately
ROBERT SCHIFREEN is surely the man for whom the phrase 'poacher turned gamekeeper' was invented. This former hacker hit the international headlines 15 years ago after being arrested for hacking into a British Telecom computer system and accessing the Duke of Edinburgh's e-mails.
Nowadays, with his feet firmly on the other side of the fence, he is a respected commentator and writer on IT in general and security in particular.
The court case was the world's first jury trial of a hacker and was sufficiently important to warrant a change in British law. At the time of his arrest in 1985, computer hacking was not illegal. Having made no secret of what he was doing - 'In fact I was using my skills to impress friends and girls' - he came to the attention of the newly formed Computer Crime Unit at Scotland Yard, headed by John Austen.
Detective Inspector Austen, intending to establish the precedent that typing in someone else's password was akin to writing his or her signature on a cheque, charged Robert Schifreen with forgery. He was convicted, but this was overturned on appeal by the High Court and later also by the House of Lords when the prosecution appealed against the acquittal. As a direct result, the Computer Misuse Act 1990 was introduced.
Robert Schifreen says that 'in a move that would not be out of place in a Hollywood movie, John Austen and I are now the best of buddies'.
'We've spoken together at conferences all over Europe, and on the occasional TV show,' he continues. 'Our double act goes down well at security seminars. I spend 45 minutes telling people how easy it is to get into their systems, then John tells them how to plug the holes and find out who did it.'
Robert Schifreen will talk at length about how IT security has evolved in the last 20 years.
'When I was an active hacker we all swapped passwords via underground online bulletin boards or round a table in a Chinese restaurant in London. There were typically 12 of us. The Internet has changed all that, though.
'Before the Internet really existed in its present form, hackers relied on telephone lines, so most hacks took place after 6pm, because the calls were cheaper.
'Few British hackers would even consider breaking into systems in other countries, for the same reason. If the Internet has done one thing for the hacker, it's made it possible to hack anywhere in the world for no more than the price of a local call.
'This might seem a flippant remark, but it's an important one. Tracing foreign hackers is difficult, and even if you do manage to locate them it's rarely possible to bring them to justice, because of issues of cost, jurisdiction, and global differences in anti-hacking legislation.'
The risk posed by hackers is infinitely more serious than it used to be, Robert Schifreen says.
'Back in the 1980s most corporate data was stored on paper in filing cabinets, and very little was held on computers,' he says. 'But if you wipe someone's server nowadays, or even put it out of action for a couple of days, you severely threaten the long-term viability of the organisation.
'The growing reliance on IT systems is just incredible. In addition, hacking doesn't require any skills now. Just do a Web search for "hacking tools" and you'll find what you need. Type in the IP address of the computer you want to hack and the tool does the rest.'
He has seen other threats come to the fore, too. He remembers the time when there were only five computer viruses, and when Alan Solomon invented his anti-virus toolkit.
'At the time, very few people considered that any more viruses would ever be written, and no one understood the need for installing anti-virus software,' he says. 'There are now more than 60,000 viruses, and the number is growing by around 10 a day.
'E-mail means viruses can spread incredibly fast - faster than anti-virus companies can update their scanners. Which is why things like the Love Bug virus and Melissa hit so many companies so hard.'
He continues, 'The Web is rapidly becoming a client/server architecture, where most Web pages aren't pure text but small executable files. It's a security nightmare, and it's going to get worse. How can IT managers be expected to keep up to date with all the problems, especially with critical security patches coming out of Microsoft almost every week?'
Another area of concern is the great shift to ADSL communications for home users and remote staff: 'Most people don't realise how important it is to use some sort of firewall if you have an always-on Internet connection at home. It's not uncommon for such people to get more than 50 attempted hacks and port scans every day.'
He warns users and companies to be constantly on their guard: 'Never underestimate the usefulness of getting your security tested. Companies offering penetration testing services are doing a roaring trade, and for good reason.'
The trend towards contracting out the security function worries him: 'A recent survey found that some 50% of large companies are handing over their security and firewalls to someone else, citing insufficient in-house knowledge of security as the driving factor. So many large companies admitting to such serious failings is undoubtedly going to cause problems.'
While noting that things have changed a great deal in the last decade or two, Robert Schifreen is also conscious of just how little improvement there has been in some basic elements of security.
'Most systems still rely on passwords, despite the fact that they're easy to crack or forget,' he says. 'Biometrics once looked like the saviour, but it's too expensive for all but the most security-obsessed or rich companies. So I guess the password will be around for many years to come.'
He criticises software developers for not having learned from past mistakes: 'Major software companies are still releasing fixes for unchecked buffers, yet these first afflicted systems in the 1970s, so surely they shouldn't still be a problem?'
Robert Schifreen still works at spreading the word in new ways: he is now setting up SecuritySavvy, to provide online security awareness training for staff. 'Security products and services are aimed at IT security managers, techies and board level directors - yet the people that get targeted by hackers are end-users,' he says.
As for his longer-term future, the poacher turned gamekeeper is uncertain: 'My life seems to get dictated by events. Who would have thought that I'd still be talking about hackers after 15 years? I did 12 radio and TV interviews in three days recently, commenting on a survey about how many people choose George Clooney or David Beckham as their Internet password. But I enjoy what I do. Maybe I'll get around to finishing my novel. I'd also love to open a restaurant, but friends tell me I'd just eat all the profits. They're probably right.'
Pen Portrait
Robert Schifreen is an IT journalist by trade, having spent most of the last 20 years working for most of the UK's computer magazines as an employee or freelance. He once spent 18 months writing printer and PC manuals but 'hated every minute of it'. He has also devised and presented various IT security courses for users, technical specialists and senior managers. His latest venture is SecuritySavvy (www.securitysavvy.com), providing online security awareness training for staff.
Off Duty
When not writing, speaking at events or Web surfing, Robert Schifreen will normally be found in his kitchen - he is a keen cook - or sampling new restaurants. He is also working on his first novel, 'a sort of blokey Pretty Woman thing'.