Interview originally appeared here.
Interview with Jonathan James aka c0mrade
A teen-ager who broke into a Pentagon computer system that monitors threats from nuclear weapons was sentenced to six months in jail, becoming the first juvenile to be locked up for a hacking conviction.
What is it about the computer that makes it become such an obsession for young guys?
Well, it's power at your fingertips. You can control all these computers from the government, from the military, from large corporations. And if you know what you're doing, you can travel through the internet at your will, with no restrictions. That's power; it's a power trip.
Why is that so important?
Well, everybody likes to feel in control.
In my time, they did it by playing hockey or football. How does the computer compare?
It's intellectual. It stimulates my mind. It's a challenge.
How hard was it for you to get into some blue-chip locations?
The government didn't take too many measures for security on most of their computers. They lack some serious computer security, and the hard part is learning it. I know Unix and C like the back of my hand, because I studied all these books, and I was on the computer for so long. But the hard part isn't getting in. It's learning to know what it is that you're doing.
And how do you learn that?
Oh, by reading, by talking to people. And by spending so much time on the computer, learning how it works, learning the source code and the programs and the commands.
I gather that there's quite a network of hackers out there. Do you guys share information and secrets over the internet?
If someone told me that a 16-year-old could crack into NASA or into the U.S. Department of Defense, I'd say, "Sure. In the movies, maybe." How long did it take you to do that?
I was learning about computers and Unix and programming for two years. I was learning how to program in C for about a year. If I were targeting a computer, it would take between a few hours to a few weeks of looking around to find the way.
So is it just the rush of getting in there, of doing something smarter than they do? Or did you find anything there that was of interest to you?
Generally, the thrill is over once you've realized that you're on the computer and that you can do whatever you want--but it's not downloading their information, because usually it's pointless, bureaucratic stuff you don't need to know. . . .
When you start out, you sort of poke at various cyberfences and walls. You're just looking for the soft spots. You don't target a place because it's got something that you want--it's just that it's a challenge?
I would target a place because it looks like a challenge. Like, if I say, "The navy has a computer network in Jacksonville, maybe that would be fun to poke around." And then I'd target them. I'd look at their computers and I'd see what I can do there.
That doesn't sound like mischief. Sometimes I think you guys are like the graffiti spraypainters.
Not at all. Well, first of all, I was just looking around, playing around. What was fun for me was a challenge to see what I could pull off. But then there's other people that go into corporate web sites, government web sites, and change it. That's closer to what you're talking about-- that's mischievous. But I didn't do stuff like that.
You could have, though.
Oh, yes. I could have gotten a lot of recognition. . . .
A lot of attention was given to the fact that you downloaded software relating to the international space station. Could you have done anything with that?
No. It was for the environmental control program. Who wants that-- you can play with the air conditioner, or what? . . . The code itself was crappy . . . certainly not worth $1.7 million like they claimed. The only reason I was downloading the source code in the first place was because I was studying C programming. And what better way to learn than reading software written by the government?
Was it a big shock to you that the government was using such inferior code for such important work?
Yes, but you get used to it. I'm not surprised anymore when I see the failures of the government.
When did you first suspect that they knew you were snooping around?
Well, I never knew that they would actually come to my house. That was a total shock to me. Sometimes I would get kicked off a computer. and I'd figure, "Oh, great, the admin figured something was up and re-installed the software, added a little security, and forgot about it, because they don't care that I'm here. They just fix it and move on," which is reasonable. Nothing happened to me in the weeks following, so, great. They realized that all it takes is five minutes at the keyboard and they can make a computer secure. And they didn't care. I would email the system administrators sometimes and tell them that their computers were vulnerable. I would tell them how to break in, and how to fix the problems. I'd give them advice, and they would never follow it. Three weeks later I would go in and I still had access to their computers.
Even after you told them that there's a hole in the fence?
Oh, more than that. I told them how to fix the hole in the fence, and they didn't respond, so I figured that they didn't care.
But meanwhile, they've got all the resources of the government out looking for this guy.
And they should have been spending those resources on computer security.
How did they catch you?
They haven't told me exactly how they caught me. They sealed the affidavit for the search warrant. They said it was sealed for national security or some BS reason, but from what I understood, they probably called one of my friends, who gave information about me. Then they came to my house. My mom woke me from bed and said that the FBI was at the door. It's kind of unnerving. . . . I walk out and I see everybody with vests that say Federal Agents and NASA and DOD on the back with guns and all that good stuff.
. . . Were you scared?
No, I was just wondering what was up, and then I saw that their shirt said NASA.
And they walked out with all your computers?
They took me into a room in the back and questioned me for a few hours. And I admitted everything that I did, and I said, "Yes, I'm sorry. I won't do it again." I told them how I did it, what I did. They told me not to do it again, and if I do it again, I'll leave in handcuffs, but for now, they don't consider me a criminal, and that I just shouldn't do it again. And then they told me that they're taking my computers for investigative reasons. They said they don't need to read me my Miranda rights because they're not making an arrest. They're just investigating.
So what did they take out of there?
They took five of my computers. I had a nice little network going. They took my Palm Pilot, my CDs, my "Star Trek" book.
Your "Star Trek" book?
My "Star Trek" book, yes. Don't ask me why.
And when did it get serious?
. . . I didn't hear from them for another three months. Then, three months later, they had a little meeting. I talked to the prosecuting attorney. They said they might press charges. He said that I might get probation . . . but that they were unsure of what they're going to do. Then, in July, over the summer, I was in Israel. And I got a phone call from my father, who said that they wanted to put me in jail for six months.
Let's think about it from the other side's point of view. They don't know that it's some nice guy from a nice neighborhood. . . . It could be a real bad guy in Baghdad, or wherever. What are they supposed to do when they find somebody snooping around inside their systems?
Well, first of all, they should be responsible enough to provide adequate security from the start. But once they find out that it's some harmless kid . . . I think the appropriate response would be perhaps to take my computers away like they did, and leave it at that. They could tell me that I can't use the internet for a while, to teach me a lesson, teach me that they actually do care about what I'm doing, and that I shouldn't do it again. But they shouldn't put the youth of America in jail.
How does the prospect of sitting in jail for six months affect you?
First of all--six months. While it's not as long as some other sentences, it's still a long time. And that's six months of me being surrounded by people that did these actual crimes, did bad things to other people, to humanity. And I'm surrounding myself with these people that are lower than myself. Not to sound arrogant, but they lack morals, and it would be degrading to my character . . . and I'm worried.
Are you trying to tell me that you don't think the crime you committed is on the same order? . . .
Not at all. This is just harmless exploration. It's not a violent act or a destructive act. It's nothing.
They say that, at one point, you took possession of $1.7 million worth of software, and that you made them shut down and spend weeks with 13 or 14 important government computers down. That sounds serious.
Well, I think the price of the software is irrelevant, because the government overpays for everything. But it was source code that wouldn't even compile. The computer people know what I'm talking about. It was source code that wouldn't even compile without the proper equipment, or maybe it was just bad coding, I don't know. But the only reason I downloaded it was for the sake of learning what it is that they're doing, how they program, their techniques.
And you learned basically that it was no good?
Yes. They did stupid, stupid things that an experienced programmer would know not to do. But as for claiming that the addition of computer security is damages? That demonstrates a serious lack of responsibility on the government's behalf. The failure to put adequate security up from the start, from as soon as they turn the computers on, is a lack of responsibility. And then they cover up their mistakes. They call it damages when a computer enthusiast such as myself demonstrates their ineptitude.
What did that teach you about the state of computer security, and about the ability of public authorities and government people to police the security of the computer systems out there?
I certainly learned that there's a serious lack of computer security. If there's a will, there's a way, and if a computer enthusiast such as myself was determined to get into anywhere, be it the Pentagon or Microsoft, it's been demonstrated that it's possible and they will do it. And there's next to nothing they can do about it, because there's people with skill out there, and they'll get what they want.
How would you assess the skill levels of the law enforcement people who eventually came knocking at your door?
Okay, they got lucky, because I didn't take any measures whatsoever to hide myself. I didn't cover my tracks at all, and had I done that, they would not have been able to catch me. If I wanted to, I could have hidden myself, but I didn't think I was doing anything wrong, so, why bother?
You could have escaped detection?
I could have.
You could have done a lot of damage?
If one was so inclined, you could have deleted files, or put a virus up or sell information to foreigners. You could perform a denial of service attack and cause the computers to stop performing. Someone could do any number of things that I did not do.
Could you have done those things?
I could have.
They couldn't have stopped you? And they couldn't have caught you?
No. They could not have caught me.
What are you going to do now? People of my generation would ask if you've learned your lesson.
I've learned my lesson. I shouldn't do stuff like that.
But it seems to me that the big lesson is just how vulnerable everybody is to this technology.
It's a lesson to us all.
What are you going to do about it? Are you going to try and fix it?
Yes, maybe I'll start a computer security company.