A few crackers make headlines, like Robert T. Morris Jr., son of a top computer security expert for the supersecret National Security Agency, who let loose a "worm" program on a national network of university, research and government computers in 1988. There are also notorious crackers like Kevin Mitnick, who was under investigation at the age of 13 for illegally obtaining free long-distance phone calls and was sentenced to prison in 1989 for computer break-ins. Then there are legions of far more ordinary crackers who simply use their knowledge of computers to "explore" intriguing corporate or government computers or simply to go for the electronic equivalent of a joy ride and impress their friends. But they all share something: an air of mystery. How do they do it? At a recent conference on computer freedom and privacy, computer expert Russell L. Brand gave a four-hour lecture on the

inner workings of computer cracking. His basic message: Cracking is not as hard as it seems to an outsider, and it often goes undetected by legitimate users of "cracked" computers. "Just because you don't see a problem is no reason to think a problem hasn't occurred," Brand said. "Generally it's a month to six weeks before (operators) notice anything happened and usually because the cracker accidentally broke something." Home computers aren't in danger from crackers because they aren't accessible to outsiders--and because they aren't interesting to crackers. Instead, they target mainframes and minicomputers that support many users and are connected to telephone lines and large networks. Understanding how crackers work and what security weaknesses they exploit can help system managers prevent many break-ins, Brand said. And the biggest problem is carelessness. "When I started looking at break-ins, I had the assumption that technical problems were at fault," he said. "But the problem is human beings." The "Cracker": Most crackers are not bent on stealing either money or secrets but will target a particular computer for entry because of the bragging rights they will enjoy with fellow crackers once they prove they broke in. Typically, the computer belongs to a corporation or the government and is considered in cracking circles to be hard to penetrate. Often, it is connected to the nationwide NSFNet computer network. The attack: Crackers can attack the target computer from home, using a modem and a telephone line. Or they can visit a publicly accessible terminal room, like one on a college campus, using the school's computer to attack the target through a network. At home, the cracker works undisturbed and unseen for hours, but phone calls might be traced. The resources: If the target computer is nearby, the cracker may look through the owner's trash for valuable information, a practice called "dumpster diving." Discarded printouts, manuals or other paper may contain lists of accounts, some passwords, or technical data more sophisticated crackers can exploit. The target: The easiest way to enter the target is with an account name and its password. Passwords are often the weakest link in a computer's security system: Many are easy to guess, and some accounts have no password at all. Sophisticated crackers use their personal computers to quickly try thousands of potential passwords for a match. The cover: To make calls from home harder to trace, crackers might use stolen telephone credit-card numbers to place a series of calls through different long-distance carriers or corporate switchboards before calling the target computer's modem. The way in: Many crackers take advantage of "holes" in the operating system, the software that controls the basic operations of the machine. The holes are like secret doors that either let crackers make their own "super" accounts or just bypass accounts and passwords altogether. Five holes in the Unix operating system account for the bulk of computer break-ins--yet many installations have failed to patch them. The network: Most large computers are connected to several others through networks, a chief point of attack. Computers erect barriers to people but often completely trust other computers, so attacking a computer through another computer on the network can be easier than attacking it with a personal computer and a modem. Ill-used passwords let many pass Passwords are the security linchpin for most computer systems. But these supposedly secret keys to computer access are easily obtained by a determined cracker. The main reason: Users and system managers often are so careless with passwords that they are as easy to find as a door key left under the welcome mat. Part of the problem is the proliferation of computers and computerlike devices such as automated teller machines, all of which require passwords or personal identification numbers. Many people must now remember half a dozen or more such secret codes, encouraging them to make each one short and simple. Often, that means making their passwords the same as their account name, which in turn is often the user's own first or last name. Such identical combinations are called "Joe" accounts, and according to computer expert Russell L. Brand, they are "the single most common cause of password problems in the world." These `secret' keys to computer access are easily obtained by a determined cracker. The main reason: Users and system managers often are so careless with passwords that they are as easy to find as a key left under the welcome mat. Knowing there are Joes, a cracker can simply try a few dozen common English names with a reasonable chance that one will work. Armed with an easily obtained company directory of employees, the task can be even easier. Joe accounts also crop up when the system manager creates an account for a new employee, expecting that the user will immediately change the given password from his or her name to something else. But users often fail to make the change or aren't told how. Sometimes, they never use the account at all, providing not only easy access for the cracker but an account where the owner won't notice any illicit activity. Even if crackers can't find a "Joe" on the computer they want to enter, there are several other common ways for them to find a password that will work: - Many systems have accounts with no passwords or have accounts for occasional visitors to use where the ID and password are both GUEST. - Outdated operator's manuals retrieved from the trash often list the account name and standard password provided by the operating system for use by maintenance programmers. Although it can and should be changed, the password seldom is. - "Social engineering"--in effect, persuading someone, usually by telephone, to divulge account names, passwords or both--is a common ploy used by crackers. - Crackers are sometimes able to obtain an encrypted list of passwords for a target computer, discarded by the owners who mistakenly believe the coded words aren't useful to crackers. While it's true they are difficult to decode, it is easy for a cracker to use a personal computer to take a potential password and encode it. Because most passwords are ordinary English words, crackers can simply run a personal computer program to encode the contents of an electronic dictionary and identify any entries that match passwords on the coded list. - In another form of deception, crackers set up public bulletin board systems whose real purpose is to snag passwords. Because many people tend to use the same password for all their computer accounts, the cracker can simply wait until someone who has an account on the target computer also sets up an account on the bulletin board. The cracker then reads the password and tries it on the target system. While individual users can't delete dormant accounts from their computers or keep an eye on the trash, they can be intelligent about what passwords they use. Brand suggests users choose a short phrase that's easy for them to remember and then use the first two letters of each word as the password. As added protection, users who are able should mix uppercase and lowercase letters in their passwords or use a punctuation mark in the middle of the word.--Rory J. O'Connor The rights of bits Constitutional scholar Laurence H. Tribe, widely considered the first choice for any Supreme Court vacancy that might arise under a Democratic administration, proposed a fairly radical idea recently: a constitutional amendment covering computers. Tribe's proposal for a 27th Amendment would specifically extend First and Fourth Amendment protections to the rapidly growing and increasingly pervasive universe of computing. Those rights would be "construed as fully applicable without regard to the technological method or medium through which information content is generated, stored, altered, transmitted or controlled," in the words of the proposed amendment. I am not a constitutional scholar, but I have to believe that what's needed is not a change in the Constitution, but instead a change in the thinking of judges in particular and the public in general.