Wednesday, Apr. 11, 2001

'We Lead Perfectly Normal Lives'

By DAFFYD RODERICK

Eyestrain -- he doesn't want his real name used –- is a cyber-thief. The 21-year-old is part of a virulent breed of computer hackers in the Philippines, totaling about 1,000 strong, with real grievances, a blurry sense of right and wrong and a knack for stealing passwords and software. Eyestrain alone has hundreds of credit card numbers in his date base. He, and fellow hacker Hiiro, spoke to TIME Asia Technology writer Daffyd Roderick in Manila recently. Edited excerpts:

TIME: Why do you hack?
Eyestrain: We were curious, and one path led us to others. The more you know the more you want to know. Sometimes we'd hack into a site using a password we got from another hacker. And once we get access to one server, we can use it to gain access to another connected server by planting a packet sniffer.

TIME: What's that?
Hiiro: It's a program similar to the one used to catch Kevin Mitnick (one of America's most notorious hackers). It senses when a server is sending passwords and user names to access another server, and it harvests the information and gives it to us. The way the network is set up, once you're in, you're in.

TIME: But you have no right to be in those servers, to access that information.
Hiiro: We're not the only ones inside your server. And we aren't trying to get access to illegal things like banks or sensitive information. We lead perfectly normal lives.

TIME: Why aren't you working in the IT industry?
Hiiro: They are looking for graduates, not for skills. So it's hard to get a job if you don't have that piece of paper. In Manila it's not important that you're good. I applied for work at an antivirus company and they weren't interested. All that matters here is your diploma. It's very biased. And most people that graduate don't know what they're doing. They're just script kiddies.

TIME: What's a script kiddie?
Hiiro: Script kiddies use pre-written programs to hack. You can download them from a ton of websites, but it's quite dangerous. These people are clueless and don't really know what they are doing. By accident they can do a lot of damage to a computer's files. We don't damage computers; that's not what we want to do. We just try and make companies aware of the fact that they have a security problem.

TIME: Aren't you worried about being caught by the police? If I can find you guys, can't they?
Hiiro: He (Eyestrain) has a computer and is on-line all the time, but I don't even have a computer. I just use computers in Internet cafes and computer shops. Anyway, the police wouldn't know what to do even if they did find us.

TIME: Don't you feel like you're ripping people off by using their passwords?
Hiiro: No. It's the Internet Service Provider's fault for making it so easy to do. They don't care about their customers at all. About 80% of the ISPs here are insecure. If someone gets hacked into, the ISPs just tell the victims to change their password. Now that doesn't make any sense, or solve the problem. As long as the ISPs server is insecure, we can still easily access the new password. And the accounts we use are usually corporate accounts so they have unlimited access -- and it doesn't cost them anything anyway.

TIME: What about using stolen credit card numbers?
Eyestrain: That's wrong. I don't do it anymore. I just wanted to see if it would work, but it's too much.

TIME: What do you guys think of e-commerce?
Hiiro: It's a bad idea unless you're using a very sophisticated site. It's very dangerous to use your credit card, unless you're using Amazon.com or something of that level. The punishment, too, would be much more severe for a hacker hacking into a site like Amazon. You could do it, but when you tango with a company like that, you're going to step on some feet and you can end up in jail.