by Arik Hesseldahl
Hesseldahl writes frequently about Internet issues.

Within days in mid-September, the Internet demonstrated both its massive strength and its scariest weakness. On September 11, tens of thousands of people downloaded the Starr Report from the many Web sites that made the text available, giving the new medium a sense of critical mass. And on September 13, hackers attacked the Web site of The New York Times, forcing editors to pull the plug on the digital edition of the newspaper of record for nearly nine hours. Months after the hack, lingering questions remain: Who carried it out? Why? Who's vulnerable?

The apparent goal was to bring attention to the case of jailed hacker Kevin Mitnick, the hacker underground's favorite martyr. For more than three years Mitnick has been awaiting trial on a twenty-five-count federal indictment charging him with various hacking-related crimes, from wire fraud to unauthorized access to a federal computer. His trial is scheduled to begin April 20.

The "Free Kevin" crowd blames the Times, particularly its San Francisco-based technology reporter John Markoff, for causing Mitnick's arrest in 1995. Markoff's stories in the Times led to a book, Takedown, which he co-wrote with Tsutomu Shimomura, a California computer security expert who helped the FBI capture Mitnick. Supporters of Mitnick think the book exaggerates his alleged crimes. And now the book is about to become a movie, to be released in 1999 by Miramax.

Early on the morning of September 13, Bernard Gwertzman, the site's editor, and Richard Meislin, editor-in-chief of New York Times Electronic Media Co., discovered that the entry page to the Times site (www.nytimes.com) had been replaced with a page built by HFG, for "Hacking for Girlies." This is a group that claims to have invaded the Web sites of organizations as diverse as NASA, Motorola, and Penthouse magazine.

People logging into the Times site found all this news unfit to print: a mildly obscene HFG logo, a rambling statement attacking Markoff for putting "Kevin" in jail, and attacks on Shimomura, Matt Richtel (another Times tech reporter), and Carolyn Meinel, a New Mexico computer security consultant who writes about hacking for Scientific American and published a book on the subject, The Happy Hacker.

Times editors tried to publish over the vandalism, but the offending page kept reappearing. After a few hours they took the site offline completely and began to comb through the Times's computers, looking for ways to correct the problem. Some parts of the site, including the Times's archive files, remained offline for several days as security consultants looked for evidence of other, more subtle damage. Since the hackers had complete control, might they have, for example, changed the text of old stories, purloined a file of credit card numbers, or left a "back door" that would allow them to return?

As the FBI's computer crimes unit continued to investigate, a Forbes reporter claimed to have succeeded where many others have failed: he found and interviewed two HFG members, who call themselves Slut Puppy and Master Pimp. The reporter was Adam Penenberg, best known for being the first to investigate one of Stephen Glass's fabricated New Republic stories. In the interview the two said they attacked the Times because they were "bored."

Other clues in the case point tentatively in the direction of Brian Martin, a Scottsdale, Arizona, computer security consultant and a frequent source of Penenberg's. Martin runs a computer security newsletter, and was one of the first to spread the word of the Times hack. Also known by the hacker name Jericho, Martin has a complicated grudge against Meinel, the New Mexico writer, over credit he thought he was due in her book.

In an interview, Martin conceded that he is certain that his name is on the FBI's list of suspects. He was also once widely suspected to be "Angry Johnny" a hacker who about two years ago, harassed reporters — Markoff included — with e-mail "bombs" (a technique of overwhelming a target's e-mail account with thousands of messages). HFG, in the text of the statement it posted on the Times site, announced the enlistment of a new member named Resentful Jonathan.

"Some people thought I was Angry Johnny. As a result, they thought I was Resentful Jonathan after the New York Times hack," Martin says. "They were incorrect on both."

Both the scheduled start of Mitnick's trial and the release of the movie based on Takedown could encourage further hacking incidents, whether by HFG or others. "It's inevitable," says John Vranesevich, the nineteen-year-old founder of AntiOnline, a clearinghouse for news of the hacking scene (www.antionline.com).

What can Web site managers do? "Securing your site is not an event, it's a process," Vranesevich says. "New system vulnerabilities are coming out every day. It's a constant challenge."

cjr  |  archive  |  resources  |  contact  |  search  |  subscribe