Spooks and crooks in cyberspace

For free real time breaking news alerts sent straight to your inbox sign up to our breaking news emails

Sign up to our free breaking news emails

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy policy

PHIL Zimmermann, an American peacenik who once dreamt of putting the nuclear industry out of business, had a pretty good idea of how to make computers safe from hackers and government snoopers alike. He designed a clever piece of software that enabled computer owners to encrypt their data in a virtually uncrackable code. He called it Pretty Good Privacy and made it widely available.

Unfortunately, someone - Zimmermann insists it wasn't him - put the software on to the Internet, the international computer network open to millions of people worldwide. The result was that Zimmermann's uncrackable product was taken up by Internet users outside the US and he now faces the prospect of criminal charges for exporting an encryption product - regarded as ``munitions'' by US customs officers - without a licence.

Zimmermann's predicament demonstrates the seriousness with which government agencies regard the development and distribution of encryption technology. From their point of view, anything that makes data secret is potentially a threat to law enforcement and even national security. They do not want organised criminals making use of encryption devices to evade police surveillance. Neither do they want to see uncrackable codes being exported to countries engaged in spying, which in practice means just about every other foreign power.

Yet Zimmermann's Pretty Good Privacy has struck a chord with many Internet users, who have made him into something of a cyberspace folk-hero. As the number of computers attached to the Internet has mushroomed, so has people's desire to protect their data from prying eyes. The free exchange of ideas, software, facts and general gossip on the Internet has had a liberating effect - but the downside of computer networking is the ease with which it has become possible for hackers and others to gain access to sensitive information.

The lengths to which the US government will go to control computer encryption will undoubtedly be the chief topic of conversation at next week's Computers, Freedom and Privacy Conference, opening in San Francisco on Tuesday. The meeting is a forum for a disparate group of computer lawyers, security experts, ``cipherpunks'', anarchists and hackers to discuss what has become the hottest issue of cyberspace - the right to privacy. The topic has added urgency since the US government's unsuccessful attempt last year to impose its own encryption device, the Clipper chip, on US computer and telecommunications companies.

Clipper, like all encryption devices, requires decryption ``keys'' to unscramble the encoded message. These keys are in effect secret codes written in the digital language of computers which can convert gobbledegook into a meaningful message. The chip, designed by the National Security Agency, the equivalent of Britain's GCHQ, in fact requires two hidden keys to be programmed into the hardware of computers, modems and faxes to enable police and security agencies to decipher secret messages either stored in computers or transmitted over telephone or computer networks.

In the world of cryptology it is not unusual for government agencies to demand the capability of eavesdropping on coded information. For at least two decades companies and official organisations have used the international Data Encryption Standard to put sensitive data in a ciphered form. The data standard was designed by IBM and adopted by the US government as far back as 1975 for ``sensitive but unclassified'' information. As a result, it became the western world's encryption standard.

Unlike Clipper, the Data Encryption Standard uses a single key to decipher messages between two parties, which is kept by both of them. It is an open secret that GCHQ, the NSA and other official eavesdroppers have, with IBM's help, a master key to the data standard that permits official agents to access supposedly confidential transmissions. (Pretty Good Privacy has two keys, one kept by the sender, the other by the recipient, which makes it practically impossible for third parties to crack .)

Such cosy agreements between computer companies and government bodies are no longer so easily fixed up in a world of mass computer ownership. The Clipper chip met with a wave of opposition among Internet users. One pressure group, a Washington think-tank called the Electronic Privacy Information Center, helped organise probably the largest petition to date on the Internet, to block the Clipper proposal. Partly as a result of receiving 47,000 ``virtual'' signatures, the White House shelved its plans for the Clipper chip at the end of last year.

Marc Rotenberg, director of the Electronic Privacy Information Center, acknowledges that there is a fundamental dichotomy between the interests of government agencies, such as the police, and the privacy rights of computer users. "Technologies can be designed both for the purposes of surveillance and for protecting privacy. How do you design systems to maximise privacy whilst minimising surveillance?"

The dilemma has become more significant in the age of hacking because the surveillance tools used by unofficial snoopers are often the same as those used by official agencies. If you make it difficult for one, you also make it harder for the other. The recent case of Kevin Mitnick, the ``world's most wanted hacker'', shows that, to adapt the old maxim, you need the tools of a thief to catch a thief.

Mitnick, a 31-year-old with a string of hacking offences to his name, including a cyber break-in at a top-secret military command centre in the US, was arrested last month for allegedly stealing 20,000 credit card numbers from a company providing Internet services. Mitnick's downfall came after he had hacked into the personal computer of Tsutomu Shimomura, a researcher at the San Diego Supercomputer Center, on Christmas Day last year. Incensed with the invasion of his privacy, Shimomura cancelled a skiing holiday in order to help the FBI track down the intruder.

Mitnick's Achilles heel proved to be his penchant for telephone ``phreaking'', an activity that stems from the anarchic Yippie movement of the early 1970s. In his younger days, Mitnick would amuse himself by manipulating the telephone network to play pranks on friends and enemies alike.

Mitnick's obsession with phone-phreaking without being detected was richly illustrated some years before his last arrest, when he was able to neuter the call-tracing technology of the FBI by the clever alteration of a phone- programming instruction. The result on one occasion sent the Feds crashing through the door of an astonished and totally innocent man watching television. Mitnick had somehow managed to feed the man's telephone number into the FBI's telephone-tracing equipment

When mobile phones came out in the 1980s, Mitnick saw the potential to use them as a way of evading the increasingly sophisticated technology of tracing traditional telephone calls. A trick that Mitnick had learnt was how to "clone" mobile phones. He used a scanner hitched up to a laptop computer to listen in to other people's cellular phone calls. The scanner, a piece of equipment freely available in Britain and the US, records and identifies the unique serial and identification numbers of a mobile phone as they are transmitted during each phone call for the purposes of billing the genuine customer.

Mitnick let his scanner and laptop roam the ether for mobile calls. He then ``re-chipped" the captured numbers into other mobile phones to create a clone of the mobile phone he had intercepted. He connected up the clone to his computer modem to hack into computer networks over the cellular telephone system, in the hope of evading the call-tracing technology used on traditional phone lines.

Ironically, however, it was this new obsession that finally led government agents to his front door. Shimomura and the FBI had discovered that Mitnick had used a company providing access to the Internet; with the help of telephone records subpoenaed from the company, the agents found he was making calls from a mobile phone cell near the international airport at Raleigh-Durham in North Carolina.

One morning earlier this year, Shimomura and an FBI telephone technician took a phone scanner, laptop computer and direction-finding antenna out in a van to try to locate the source of the calls. They narrowed it down to the apartment complex where Mitnick was eventually arrested. The cat- and-mouse game was over for Mitnick, who had a few final words for Shimomura at the end of the court hearing last month when he was charged with computer fraud and illegal use of a telephone access device - which carries a sentence of up to 15 years. "Hello, Tsutomu," he said to the man he had never met before. "I respect your skills."

The pair had a grudging respect for each other's expertise. As Shimomura later remarked, he was able to catch Mitnick because "the tools he used to snip networks are the tools we used to monitor him and catch him". Which goes to show that in this area, spook and crook have a lot in common. !