Shy in person, he doesn't like organised team sports and is not very
confident around girls. He has only had one serious girlfriend, but
the relationship finished. Now that he hacks and codes about four to
five hours per day on average, but sometimes up to 36 hours straight,
he doesn't have time for girls.
`Besides,' he says, `I am rather picky when it comes to girls. Maybe
if the girl shared the same interests ... but those ones are hard to
find.' He adds, by way of further explanation, `Girls are different
from hacking. You can't just brute force them if all else fails.'
SKiMo has never intentionally damaged a computer system, nor would he.
Indeed, when I asked him, he was almost offended by the question.
However, he has accidentally done damage on a few occasions. In at
least one case, he returned to the system and fixed the problem
himself.
Bored out of his mind for most of his school career, SKiMo spent a
great deal of time reading books in class--openly. He wanted to send
the teacher a message without actually jacking up in class.
He got into hacking after reading a magazine article about people who
hacked answering machines and VMBs. At that time, he had no idea what
a VMB was, but he learned fast. One Sunday evening, he sat down with
his phone and began scanning. Soon he was into phreaking, and visiting
English-speaking party lines. Somehow, he always felt more comfortable
speaking in English, to native English-speakers, perhaps because he
felt a little like an outsider in his own culture.
`I have always had the thought to leave my country as soon as I can,'
he said.
From the phreaking, it was a short jump into hacking.
What made him want to hack or phreak in the first place? Maybe it was
the desire to screw over the universally hated phone company, or
`possibly the sheer lust for power' or then again, maybe he was simply
answering his desire `to explore an intricate piece of technology'.
Today, however, he is a little clearer on why he continues to hack.
`My first and foremost motivation is to learn,' he said.
When asked why he doesn't visit his local university or library to
satisfy that desire, he answered, `in books, you only learn theory. It
is not that I dislike the theory but computer security in real life is
much different from theory'. Libraries also have trouble keeping pace
with the rate of technological change, SKiMo said. `Possibly, it is
also just the satisfaction of knowing that what I learn is
proprietary--is "inside knowledge",' he added. There could, he said,
be some truth in the statement that he likes learning in an
adrenalin-inducing environment.
Is he addicted to computers? SKiMo says no, but the indications are
there. By his own estimate, he has hacked between 3000 and 10000
computers in total. His parents--who have no idea what their son was
up to day and night on his computer--worry about his behaviour. They
pulled the plug on his machine many times. In SKiMo's own words, `they
tried everything to keep me away from it'.
Not surprisingly, they failed. SKiMo became a master at hiding his
equipment so they couldn't sneak in and take it away. Finally, when he
got sick of battling them over it and he was old enough, he put his
foot down. `I basically told them, "Diz is ma fuckin' life and none o'
yer business, Nemo"--but not in those words.'
SKiMo says he hasn't suffered from any mental illnesses or
instabilities--except perhaps paranoia. But he says that paranoia is
justified in his case. In two separate incidents in 1996, he believed
he was being followed. Try as he might, he couldn't shake the tails
for quite some time. Perhaps it was just a coincidence, but he can
never really be sure.
He described one hacking attack to me to illustrate his current
interests. He managed to get inside the internal network of a German
mobile phone network provider, DeTeMobil (Deutsche Telekom). A former
state-owned enterprise which was transformed into a publicly listed
corporation in January 1995, Deutsche Telekom is the largest
telecommunications company in Europe and ranks number three in the
world as a network operator. It employs almost a quarter of a million
people. By revenue, which totalled about $A37 billion in 1995, it is
one of the five largest companies in Germany.
After carefully researching and probing a site, SKiMo unearthed a
method of capturing the encryption keys generated for DeTeMobil's
mobile phone conversations.
He explained: `The keys are not fixed, in the sense that they are
generated once and then stored in some database. Rather, a key is
generated for each phone conversation by the company's AUC
[authentication centre], using the "Ki" and a random value generated
by the AUC. The Ki is the secret key that is securely stored on the
smart card [inside the cellphone], and a copy is also stored in the
AUC. When the AUC "tells" the cellphone the key for that particular
conversation, the information passes through the company's MSC [mobile
switching centre].
`It is possible to eavesdrop on a certain cellphone if one actively
monitors either the handovers or the connection set-up messages from
the OMC [operations and maintenance centre] or if one knows the Ki in
the smart card.
`Both options are entirely possible. The first option, which relies on
knowing the A5 encryption key, requires the right equipment. The
second option, using the Ki, means you have to know the A3/A8
algorithms as well or the Ki is useless. These algorithms can be
obtained by hacking the switch manufacturer, i.e. Siemens, Alcatel,
Motorola ...
`As a call is made from the target cellphone, you need to feed the A5
key into a cellphone which has been modified to let it eavesdrop on
the channel used by the cellphone. Normally, this eavesdropping will
only produce static--since the conversation is encrypted. However,
with the keys and equipment, you can decode the conversation.'
This is one of the handover messages, logged with a CCITT7 link
monitor, that he saw:
13:54:46"3 4Rx< SCCP 12-2-09-1 12-2-04-0 13 CR
BSSM HOREQ
BSSMAP GSM 08.08 Rev 3.9.2 (BSSM) HaNDover REQuest (HOREQ)
-------0 Discrimination bit D BSSMAP
0000000- Filler
00101011 Message Length 43
00010000 Message Type 0x10
Channel Type
00001011 IE Name Channel type
00000011 IE Length 3
00000001 Speech/Data Indicator Speech
00001000 Channel Rate/Type Full rate TCH channel Bm
00000001 Speech Encoding Algorithm GSM speech algorithm Ver 1
Encryption Information
00001010 IE Name Encryption information
00001001 IE Length 9
00000010 Algorithm ID GSM user data encryption V. 1
******** Encryption Key C9 7F 45 7E 29 8E 08 00
Classmark Information Type 2
00010010 IE Name Classmark information type 2
00000010 IE Length 2
-----001 RF power capability Class 2, portable
---00--- Encryption algorithm Algorithm A5
000----- Revision level
-----000 Frequency capability Band number 0
----1--- SM capability present
-000---- Spare
0------- Extension
Cell Identifier
00000101 IE Name Cell identifier
00000101 IE Length 5
00000001 Cell ID discriminator LAC/CI used to ident cell
******** LAC 4611
******** CI 3000
PRIority
00000110 IE Name Priority
00000001 IE Length 1
-------0 Preemption allowed ind not allowed
------0- Queueing allowed ind not allowed
--0011-- Priority level 3
00------ Spare
Circuit Identity Code
00000001 IE Name Circuit identity code
00000000 PCM Multiplex a-h 0
---11110 Timeslot in use 30
101----- PCM Multiplex i-k 5
Downlink DTX flag
00011001 IE Name Downlink DTX flag
-------1 DTX in downlink direction disabled
0000000- Spare
Cell Identifier
00000101 IE Name Cell identifier
00000101 IE Length 5
00000001 Cell ID discriminator LAC/CI used to ident cell
******** LAC 4868
******** CI 3200
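The per-conversation key flow SKiMo describes (Ki held only by the SIM and the AUC, a random value from the AUC, A3 producing the signed response and A8 the A5 key, which then passes through the MSC in messages such as the handover request logged above) can be modelled in a few dozen lines. This is an added example, not code from the book or from any carrier: GSM's A3/A8 algorithms are operator-specific and secret, so HMAC-SHA256 stands in for them here, and the IMSI, Ki values and message labels are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Stand-ins for the operator-secret A3/A8 algorithms (an assumption for this
# example): both are keyed with Ki and take the AUC's random value RAND.
# A3 yields the 32-bit signed response SRES, A8 the 64-bit ciphering key Kc.
def a3(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class AuC:
    """Authentication centre: keeps a copy of every subscriber's Ki."""

    def __init__(self) -> None:
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str, rand: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
        """Fresh (RAND, SRES, Kc) for one conversation; nothing is stored."""
        rand = secrets.token_bytes(16) if rand is None else rand
        ki = self._ki_by_imsi[imsi]
        return rand, a3(ki, rand), a8(ki, rand)


class SIM:
    """Smart card in the handset: the only other holder of Ki."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3(self._ki, rand), a8(self._ki, rand)


def call_setup(auc: AuC, sim: SIM, signalling_log: List[Tuple[str, str]],
               rand: Optional[bytes] = None) -> Tuple[bool, Optional[bytes]]:
    """One call set-up. Returns (authenticated, Kc handed to the MSC).

    signalling_log models what a link monitor on the MSC side would record."""
    rand, sres_expected, kc = auc.triplet(sim.imsi, rand)
    signalling_log.append(("AUTH_REQ", "RAND=" + rand.hex()))   # to the handset
    sres, kc_on_sim = sim.run_gsm_algorithm(rand)
    signalling_log.append(("AUTH_RSP", "SRES=" + sres.hex()))   # from the handset
    if not hmac.compare_digest(sres, sres_expected):
        return False, None
    # Kc never crosses the air interface, but the MSC must pass it to the base
    # station; the book's HOREQ carries it as the "Encryption Key" element.
    signalling_log.append(("HOREQ", "KC=" + kc.hex()))
    assert kc == kc_on_sim  # both sides derived the same key from Ki and RAND
    return True, kc


def keys_visible_to_link_monitor(signalling_log: List[Tuple[str, str]]) -> List[str]:
    """Audit view: every Kc that crossed the signalling link unencrypted."""
    return [v[len("KC="):] for m, v in signalling_log if m == "HOREQ"]


def demo():
    ki = bytes.fromhex("0f" * 16)            # constructed sample Ki
    imsi = "262010000000001"                 # constructed sample IMSI
    auc, log = AuC(), []
    auc.provision(imsi, ki)
    genuine = SIM(imsi, ki)
    ok1, kc1 = call_setup(auc, genuine, log)  # first conversation
    ok2, kc2 = call_setup(auc, genuine, log)  # second: new RAND, new Kc
    clone = SIM(imsi, bytes(16))              # same IMSI, wrong Ki: rejected
    ok3, _ = call_setup(auc, clone, log)
    return ok1, ok2, ok3, kc1, kc2, keys_visible_to_link_monitor(log)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two properties the passage turns on: consecutive calls by the same subscriber get different keys because each is derived from a fresh RAND, and a card that does not hold the real Ki cannot authenticate at all. It also shows why access inside the carrier matters more than the air interface: the authentication exchange exposes only RAND and SRES, which are useless without Ki, whereas the handover and cipher-mode messages on the internal signalling links carry Kc itself, so those links and the systems that terminate them (OMC, MSC) are what a carrier has to protect and monitor.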
The beauty of a digital mobile phone, as opposed to the analogue
mobile phones still used by some people in Australia, is that a
conversation is reasonably secure from eavesdroppers. If I call you on
my digital mobile, our conversation will be encrypted with the A5
encryption algorithm between the mobile phone and the exchange. The
carrier has copies of the Kis and, in some countries, the government
can access these copies. They are, however, closely guarded secrets.
SKiMo had access to the database of the encrypted Kis and access to
some of the unencrypted Kis themselves. At the time, he never went to
the trouble of gathering enough information about the A3 and A8
algorithms to decrypt the full database, though it would have been
easy to do so. However, he has now obtained that information.
To SKiMo, access to the keys generated for each of thousands of German
mobile phone conversations was simply a curiosity--and a trophy. He
didn't have the expensive equipment required to eavesdrop. To an
intelligence agency, however, access could be very valuable,
particularly if some of those phones belonged to people such as
politicians. Even more valuable would be ongoing access to the OMC, or
better still, the MSC. SKiMo said he would not provide this to any
intelligence agency.
While inside DeTeMobil, SKiMo also learned how to interpret some of
the mapping and signal-strength data. The result? If one of the
company's customers has his mobile turned on, SKiMo says he can
pinpoint the customer's geographic location to within one kilometre.
The customer doesn't even have to be talking on the mobile. All he has
to do is have the phone turned on, waiting to receive calls.
SKiMo tracked one customer for an afternoon, as the man travelled
across Germany, then called the customer up. It turned out they spoke
the same European language.
`Why are you driving from Hamburg to Bremen with your phone on
stand-by mode?' SKiMo asked.
The customer freaked out. How did this stranger at the end of the
phone know where he had been travelling?
SKiMo said he was from Greenpeace. `Don't drive around so much. It
creates pollution,' he told the bewildered mobile customer. Then he
told the customer about the importance of conserving energy and how
prolonged use of mobile phones affected certain parts of one's brain.
Originally, SKiMo broke into the mobile phone carriers' network
because he wanted `to go completely cellular'--a transition which he
hoped would make him both mobile and much harder to trace. Being able
to eavesdrop on other people's calls--including those of the
police--was going to be a bonus.
However, as he pursued this project, he discovered that the code from
a mobile phone manufacturer which he needed to study was `a
multi-lingual project'. `I don't know whether you have ever seen a
multi-lingual project,' SKiMo says, `where nobody defines a common
language that all programmers must use for their comments and function
names? They look horrible. They are no fun to read.' Part of this one
was in Finnish.
SKiMo says he has hacked a number of major vendors and, in several
cases, has had access to their products' source codes.
Has he had the access to install backdoors in primary source code for
major vendors? Yes. Has he done it? He says no. On the other hand, I asked
him who he would tell if he did do it. `No-one,' he said, `because
there is more risk if two people know than if one does.'
SKiMo is mostly a loner these days. He shares a limited amount of
information about hacking exploits with two people, but the
conversations are usually carefully worded or vague. He substitutes a
different vendor's name for the real one, or he discusses technical
computer security issues in an in-depth but theoretical manner, so he
doesn't have to name any particular system.
He doesn't talk about anything to do with hacking on the telephone.
Mostly, when he manages to capture a particularly juicy prize, he
keeps news of his latest conquest to himself.
It wasn't always that way. `When I started hacking and phreaking, I
had the need to learn very much and to establish contacts which I
could ask for certain things--such as technical advice,' SKiMo said.
`Now I find it much easier to get that info myself than asking anyone
for it. I look at the source code, then experiment and discover new
bugs myself.'
Asked if the ever-increasing complexity of computer technology hasn't
forced hackers to work in groups of specialists instead of going solo,
he said in some cases yes, but in most cases, no. `That is only true
for people who don't want to learn everything.'
SKiMo can't see himself giving up hacking any time in the near future.
Who is on the other side these days?
In Australia, it is still the Australian Federal Police, although the
agency has come a long way since the early days of the Computer Crimes
Unit. When AFP officers burst in on Phoenix, Nom and Electron, they
were like the Keystone Cops. The police were no match for the
Australian hackers in the subsequent interviews. The hackers were so
far out in front in technical knowledge it was laughable.
The AFP has been closing that gap with considerable alacrity. Under
the guidance of officers like Ken Day, they now run a more technically
skilled group of law enforcement officers. In 1995-96, the AFP had
about 2800 employees, although some 800 of these worked in `community
policing'--serving as the local police in places like the ACT and
Norfolk Island. The AFP's annual expenditure was about $270 million in
that year.
As an institution, the AFP has recently gone through a major
reorganisation, designed to make it less of a command-and-control
military structure and more of an innovative, service oriented
organisation.
Some of these changes are cosmetic. AFP officers are now no longer
called `constable' or `detective sergeant'--they are all just `federal
agents'. The AFP now has a `vision' which is `to fight crime and
win'.3 Its organisational chart had been transformed from a
traditional, hierarchical pyramid of square boxes into a collection of
little circles linked to bigger circles--all in a circle shape. No
phallo-centric structures here. You can tell the politically correct
management consultants have been visiting the AFP.
The AFP has, however, also changed in more substantive ways. There are
now `teams' with different expertise, and AFP investigators can draw
on them on an as-needed basis. In terms of increased efficiency, this
fluidity is probably a good thing.
There are about five permanent officers in the Melbourne computer
crimes area. Although the AFP doesn't release detailed budget
breakdowns, my back-of-the-envelope analysis suggested that the AFP
spends less than $1 million per year on the Melbourne computer crimes
area in total. Sydney also has a Computer Crimes Unit.
Catching hackers and phreakers is only one part of the unit's job.
Another important task is to provide technical computer expertise for
other investigations.
Day still runs the show in Melbourne. He doesn't think or act like a
street cop. He is a psychological player, and therefore well suited to
his opponents. According to a reliable source outside the underground,
he is also a clean cop, a competent officer, and `a nice guy'.
However, being the head of the Computer Crimes Unit for so many years
makes Day an easy target in the underground. In particular, hackers
often make fun of how seriously he seems to take both himself and his
job. When Day appeared on the former ABC show `Attitude', sternly
warning the audience off hacking, he told the viewers, `It's not a
game. It's a criminal act'.
To hackers watching the show, this was a matter of opinion. Not long
after the episode went to air, a few members of Neuro-cactus, an
Australian group of hackers and phreakers which had its roots in
Western Australia, decided to take the mickey out of Day. Two members,
Pick and Minnow, clipped Day's now famous soundbite. Before long, Day
appeared to be saying, `It's not a criminal act. It's a game'--to the
musical theme of `The Bill'. The Neuro-cactus crowd quickly spread
their lampoon across the underground via an illicit VMB connected to
its own toll-free 008 number.
Although Day does perhaps take himself somewhat seriously, it can't be
much fun for him to deal with this monkey business week in and week
out. More than one hacker has told me with great excitement, `I know
someone who is working on getting Day's home number'. The word is that
a few members of the underground already have the information and have
used it. Some people think it would be hilarious to call up Day at
home and prank him. Frankly, I feel a bit sorry for the guy. You can
bet the folks in traffic operations don't have to put up with this
stuff.
But that doesn't mean I think these pranksters should be locked up
either.
If we, as a society, choose not to lock hackers up, then what should
we do with them?
Perhaps a better question is, do we really need to do anything with
them?
One answer is to simply ignore look-see hacking. Society could decide
that it makes more sense to use valuable police resources to catch
dangerous criminals--forgers, embezzlers, white-collar swindlers,
corporate spies and malicious hackers--than to chase look-see hackers.
The law must still maintain the capacity to punish hard where someone
has strayed into what society deems serious crime. However, almost any
serious crime committed by a hacker could be committed by a non-hacker
and prosecuted under other legislation. Fraud, wilful damage and
dealing in stolen property are crimes regardless of the medium--and
should be punished appropriately.
Does it make sense to view most look-see hackers--and by that I mean
hackers who do not do malicious damage or commit fraud--as criminals?
Probably not. They are primarily just a nuisance and should be treated
as such. This would not be difficult to do. The law-makers could
simply declare look-see hacking to be a minor legal infringement. In
the worst-case scenario, a repeat offender might have to do a little
community service. But such community service needs to be managed
properly. In one Australian case, a corrections officer assigned a
hacker to dig ditches with a convicted rapist and murderer.
Many hackers have never had a job--in part because of the high youth
unemployment in some areas--and so their community service might be
their first `position'. The right community service placement must
involve hackers using their computer skills to give something back to
society, preferably in some sort of autonomous, creative project. A
hacker's enthusiasm, curiosity and willingness to experiment can be
directed toward a positive outcome if managed properly.
In cases where hacking or phreaking has been an addiction, the problem
should be treated, not criminalised. Most importantly, these hackers
should not have convictions recorded against them, particularly if
they're young. As Paul Galbally said to the court at Mendax's
sentencing, `All the accused are intelligent--but their intelligence
outstretched their maturity'. Chances are, most will be able to
overcome or outgrow their addiction.
In practice, most of Australia's judges have been reasonably fair in
their sentencing, certainly compared to judges overseas. None of the
Australian hackers detailed in this work received a prison sentence.
Part of this is due to happenstance, but part is also due to the sound
judgments of people like Judge Lewis and Judge Kimm. It must be very
tempting, sitting on the bench every day, to shoot from the hip
interpreting new laws.
As I sat in court listening to each judge, it quickly became clear
that these judges had done their homework. With psychologist Tim
Watson-Munro on the stand, Judge Lewis rapidly zeroed in on the
subject of `free will'--as applied to addiction--regarding Prime
Suspect. In Trax's case, Judge Kimm asked pointed questions which he
could only have formulated after serious study of the extensive legal
brief. Their well-informed judgments suggested a deeper understanding
both of hacking as a crime, and of the intent of the largely untested
computer crime legislation.
However, a great deal of time and money has been wasted in the pursuit
of look-see hackers, largely because this sort of hacking is treated
as a major crime. Consider the following absurd situation created by
Australia's federal computer criminal legislation.
A spy breaks into a computer at the Liberal Party's headquarters and
reads the party's top-secret election strategy, which he may want to
pass on to the Labor Party. He doesn't insert or delete any data in
the process, or view any commercial information. The penalty under
this legislation? A maximum of six months in prison.
That same spy decides he wants to get rich quick. Using the local
telephone system, he hacks into a bank's computer with the intention
of defrauding the financial institution. He doesn't view any
commercial or personal information, or delete or insert any files. Yet
the information he reviews--about the layout of a bank building, or
how to set off its fire alarm or sprinkler system--proves vital in his
plan to defraud the bank. His penalty: a maximum of two years prison.
Our spy now moves onto bigger and better things. He penetrates a
Department of Defence computer with the intention of obtaining
information about Australia's military strategies and passing it on to
the Malaysians. Again, he doesn't delete or insert any data--he just
reads every sensitive planning document he can find. Under the federal
anti-hacking laws, the maximum penalty he would receive would also be
two years prison.
Meanwhile, a look-see hacker breaks into a university computer without
doing any damage. He doesn't delete any files. He FTPs a public-domain
file from another system and quietly tucks it away in a hidden, unused
corner of the university machine. Maybe he writes a message to someone