A
Hello, I'm Patrick Gray in partnership with SentinelOne. This is our new historical series, How the World Got Owned. There'll be five episodes in this series in total focusing on hacking in the 1980s, 90s, noughts, tens and twenties. And this is episode one, the 1980s.
B
As the jury later told us. And by the way, we told the jury as well, Robert Morris is not a criminal, he's not evil, he's not a bad actor. He wasn't trying to do something terrible. This was in a sense, a joyride on the Internet that went wrong.
C
We're working the high end problem, the classified information problem, and the rest is the work of amateurs, the work of criminals.
D
My mom answered the door, she came and woke me up and I know she was crying the whole time. She was worried they were taking me away right then and there.
E
Hacker always had an implicit justa at it. There was, you know, it is like the word punk in that it intentionally is not entirely a compliment.
A
Hi everyone, and welcome to something a little bit different from us here at Risky Business Media. We're doing some history. We are looking back at hacking through the decades from the 1980s, 1990s, noughts, I guess, 10s and 20s. And we're doing this in conjunction with SentinelOne, who've done this huge push into AI security, you know, it's the future. So they commissioned us to take a look at the past and really look at how we got here and how, I guess, you know, we've put it, how the world got owned. Now it's not me putting together most of this work. It's actually our journalist Amberly Jack. Amberly, how's it going?
F
G'day, Pat, how are you?
A
Pretty good. So I guess we should probably explain to people exactly what we're doing here.
F
Yeah, for sure. And it's quite funny you call it work, but I have to say I've had an absolute blast digging into the entire decade of 1980s hacking. I don't know what you were doing in the 80s, Pat, but my fluoro wearing, bonjour loving self had nothing to do with computers, let alone hacking. So it's been a fascinating dive.
A
Now, as you've just alluded to, this first episode, we're just looking at the 1980s, you know, we're going to be talking about ARPANET and at parties, which are a whole thing, which is in retrospect rather funny. But like, what do we got in store today? Like, what are we going to be hearing about in this, in this episode?
F
Obviously in one episode about an entire decade, we're not going to fit in every single hack, in every single incident. So what I did when I was, when I was looking into this is I kind of chose the, the incidents that to me embodied hacking of the 80s, which was innocence, it was mischievousness. So we're going to hear from a group from Milwaukee called the 414s. We're going to hear a bit about the first prosecution under brand new computer laws with the Morris worm. We're going to hear a bit from the government side, the NSA and what was going on there, or maybe what wasn't going on there. And we are also going to take a look at a different angle of the very famous Cuckoo's Egg story as well.
A
You actually managed to track down someone who was dealing with the same set of attackers as Cliff Stoll was when he wrote the Cuckoo's Egg.
F
I did, and it's quite funny actually, because when I was looking into that and I spoke to our colleague Adam Boileau a little while ago, and the Cuckoo's Egg was a story that he as a kid read and he said it was one of those stories that absolutely got me into hacking and computers. But the problem with that is no one is ever going to tell that story as well as Cliff Stoll did in the book that he wrote. And so I randomly stumbled across a guy, Greg Chart, who we'll hear from later, who was collaborating with Cliff and actually running his own kind of parallel hunt for a similar hacker at the time.
A
So it wasn't the same hackers.
F
It wasn't the same hackers. It was, they were all German, they were all kind of connected to the Chaos Computer Club. Cliff Stoll's big one was a hacker by the name of Markus Hess. And Greg's hunt was a little known hacker who went by the name Hagbard, who you may also know as Karl Koch.
A
I've done some reporting for this episode as well. And you know, we had some expectations going into this, right? Like I was chatting with Adam Boileau about how I was going to speak with Tony Sager who joined the NSA in 1979 and spent 30 something years there. And Adam's like, wow, they must have been well ahead of the curve on all of this hacking stuff. And then you actually go talk to him and they're like, yeah, we just weren't really paying attention to this stuff. We were too busy noodling about with encryption. But before we get to the crime and the intelligence, it's worth pondering where networks actually were back in the 80s. I mean, it was all about the ARPANET and bulletin board systems. And there was just no mainstream awareness of the Internet.
B
The Internet was reserved for a very, very small portion of people, mostly academics, researchers, military, government people, large financial institutions, and it was still divided into sort of the Internet or ARPANET and MILNET, which were separate entities.
F
So that was Mark Rasch, who in the 80s was a prosecutor for the Department of Justice and he later went on to spend his entire career sort of working cyber security law. And the reason we spoke to him for this doco is he was one of the prosecutors for the Morris Worm case, which we'll get into a bit later as well.
A
We'll be hearing more from Mark Rasch throughout this episode. But first of all, let's set the scene a little bit with John Callis. Now, if that name sounds familiar, it's because John Callis has been around forever, basically. As long as security has been a thing with computers, John has been there. He's worked on things like OpenPGP and he was even the head of software at DEC, Digital Equipment Corporation, pretty much all through the 80s. And I guess to set the scene, you know, John really says that the Internet back in the day was just not at all a commercial space. It was kind of like a bit of an in club for nerds.
E
The ARPANET was universities and government mostly, only there was extraordinarily little commercial involvement. A friend of mine got literally thrown off the ARPANET for saying he wanted to start a business that we would now call an ISP.
A
Can't have those unwashed masses being on the Internet, eh, Amberly? Absolutely. I mean, I think, you know, maybe it would be better if we stuck with that sort of thinking. Maybe.
F
But yeah, John does actually he himself got himself into a little bit of trouble once or twice.
A
Wasn't he just asking for advice on a product he wanted to buy?
F
Yeah, absolutely. But he happened to work for a corporation, so.
A
Oh man, the capitalist pigs, right? No room for them on the Internet.
E
I once, when I had gotten a job and all, asked on a mailing list, hey, my company is thinking about buying a something or other. I didn't even remember what it was, but I remember that I nearly lost my account because I said, can anybody give me essentially like recommendations for buying a product? The problem was not that I was asking about these things. The problem was that it was a university and government domain and they were very defiant that all corporate stuff was bad. So, you know, you can't even admit that you work for a corporation because that's, you know, money being involved is déclassé.
A
John says it wasn't just a non commercial space. Everything was really open. And this sort of meant that it was a subculture from the get go.
E
The punk music scenes and the early hacking scenes were very similar culturally. There were no file protections. You could log into a computer, and especially on the MIT computers where I was, you could very easily crash the computer. And if you crash the computer, you might lose. You might lose. They might throw you out. But on the other hand, you had your own email because that was the primary thing. There were also predecessors to IRC around, but they were only like, you know, two to five people. And you'd, you'd find out what was going on in the world of artificial intelligence because you read Marvin Minsky's email, people could read your email. And so things like everything from hanging out, party plans to dating, drama and so on all happened totally in the open. It was about coding and making things and, oh, especially talking to your friends and playing computer games.
A
Now, Amberly, these like hippie nerds were prone to a little bit of iron fist rule.
F
They were, John was telling me, and he still actually has one of the ARPANET sort of handbooks from back in the day. And for those that remember phone books, he says it's about the size of a phone book. But the ARPANET, they all kind of kept each other in check with all these informal rules. And then this handbook happened to have all the phone numbers for all the sysadmins. So if you annoyed one of those sysadmins, there's every chance they're gonna get in touch with yours and you're gonna get in trouble.
E
On the ARPANET, the sysadmins all talk to each other. And so one of the social controls was that if you pissed off somebody at University of blah, blah, blah, they may call the people. You know, it's like, I'll tell your mom you were rude to people. And, and it was a real threat because, because you, you could be grounded. I mean, you could be thrown off.
A
Now what's amazing is how some things were just present immediately. And one of those things was a generational divide, right, between the young people who were treating these networks as their, like, playpen and the adults who were very, very serious and not at all impressed by what the kids were doing. And John has a story about a mailing list which encapsulates this whole thing perfectly.
F
Absolutely. So John was telling me about one of his favourite social pastimes, which was the Bandykin mailing list. Now Bandy was a friend who went through a bit of a breakup and John said, quite comically, didn't respond very well to the breakup. And so all of Bandy's friends or Bandy's kin got together and they set up this Bandykin mailing list. And what they used to do is basically just fire messages at each other. But of course the resources back in the 80s weren't quite the resources that we have today. So this constant firing of messages on this mailing list actually got the hackles up on a few of the adults on the ARPANET.
A
So they were using an email list as like chat to make their friend feel better about a breakup?
F
Pretty much, yeah.
E
The adults hated us because there were dozens, sometimes over 100, sometimes 200 messages a day. It was like IRC except it was just email. And I remember, you know, the people who are running the official computers talking about, remember the official computers are all running on 56kb lines that are long distance lines and like sometimes we would generate like 10k or 30k of text in all of our stupid messages. And that's like, you know, that's like 1% of the whole ARPANET. What are you kids doing? Why are you wasting resources?
A
There was a social dimension to all of this as well, right? Like they even used to have parties for people who had email accounts because that was like, that was like your magic ticket to cool, cool kids events.
E
It was.
F
And when I was talking to John, he sort of said, you know, I loved and hated these, but they were so exclusionary. He was sort of saying, as he told me, there were people that really wished they could go to these parties, but they weren't quite cool enough to have an email address.
A
I mean, I guess everyone's cool now, right? I guess we are because we all have email addresses.
F
I've got a couple, so Friday night.
E
Get together over at so and so's house and we would arrange it by email. Science fiction conventions of the time that would have parties from time to time. I didn't like this because I thought it was really exclusionary, but they would have what they would call at parties. And an at party was a party where you had to have an @, like in an email address. It was both cool because it was the in group, but it was also exclusionary because there were the people who wanted to get in. And there was gatekeeping and ladder pulling and all of the sorts of things that humans do to each other, because humans are horrible and that's why we have cybersecurity.
A
Now of course, while ARPANET was the big serious network in town, that wasn't the only way people were getting online. And a big thing back in the 80s or a thing that really took off was bulletin boards. Now bulletin boards were usually, you know, someone just had a server in their house with a bunch of phone lines and a bunch of modems attached to them and people could just dial up and connect directly to those bulletin boards. So you could think of it as like an Internet where only like five or six people could be online at the same time. For a lot of them, some of them might have two lines. I mean that was how they talked about BBSes, it's like, wow, that's a 10 line BBS. Which in Australia, you know, even in the 90s would have been unheard of because of the cost of phone lines. But this is where a lot of the hacking culture started to sort of creep in, right? Now, you told me that John had described the ARPANET as the gold standard, but it wasn't the only thing.
F
No, no, definitely not. And the bulletin boards were great for kind of creating these communities of just sort of, I don't know, young, curious, kind of mischievous kids who maybe had a bit of an ego, wanted to one up themselves and share files and shared hacking conquests and everything else. And I did speak to a hacker, Tim Winslow, from a Milwaukee group called the 414s. The 414s were actually friends in real life and used to hang out and go to pizza parties and stuff. But they still use these bulletin boards for communicating a lot.
D
Neil had his own BBS and so we used his BBS to do a lot of messaging back and forth. Sometimes like me, I'd put up a small bulletin board at night just so you know, if I was sleeping and I'd turn off the ringers and let people log in and leave me messages. You know, we do that too with all the friends, just so we can message back and forth or we'd let our dialers go at night and do that stuff.
A
So basically it's ARPANET and it's BBSes. And at this point it might make sense to check in with Tony Sager who I mentioned earlier. So he was at the NSA through all of the 80s and described back then as being really, it was the personal computer revolution. And far from NSA being like some crazy pioneers in doing hacking, which is kind of what you would have expected, they institutionally, they kind of looked down on this stuff. What did you make of this? I mean, we're supposed, you know, these black helicopters and unlimited resources, you would think they were doing the thing. And it turns out they were not, in fact, doing the thing because, you know, ultimately, black helicopter or no black helicopter, ultimately it's a government agency.
F
Yeah, I was definitely surprised. I thought that they would be taking this very seriously and getting right in there. And, yeah, that sort of wasn't the case.
A
The way Tony tells it, you know, software was for amateurs.
C
My life changed forever. I think it was 1981. We were seeing the emergence of, back then, we might call it the personal computing era. And we were seeing. One of the lessons of my career is that economics always wins. So software in the, say, 70s, early 80s, was considered too error prone, too changeable, too risky to put anything that you cared about into software. If you wanted to build encryption, you built it in custom hardware. And software was kind of, that's the messy business of front panel displays and communications processors. But a friend asked me if I would be interested in changing career fields from math to computer science. And part of the draw was I would get an Apple II Plus to have on my desk.
A
Now, we chose to start this series in the 80s because it's when things started growing, right. It's when this went from being a theoretical kind of thing for most people to, well, okay, you know, maybe some college students could access certain things and maybe you could dial into a BBS. And it started growing and growing and growing. And along with that, Amberly, came problems.
F
Yeah, there definitely were some problems that came along, Pat, and these were largely caused by eager and curious kids that sort of wanted to tinker around and have a look and see how things work and maybe break into a few places that they know they shouldn't, even though nothing's technically illegal yet. And of course, when you get enough people causing enough mischief, someone's going to come along and break out the party.
A
Yeah. John describes it like, I guess, teenagers having a party in the park, which is all fun and games until someone sets up a stage. And, you know, there's like, people doing all sorts of dangerous stuff. But, you know, here's what he said about that.
E
Imagine that there was a big factory that, that was adjacent to a park, and after dark, people would go there and they would play music and they would sit and they would talk, and there would be sometimes people dancing and always a six pack of beer. And nobody asked really closely about how old somebody was before they picked up a beer. And eventually that all closed for the reasons that these things always close for. You know, it's something crosses over some line and authority steps in and closes down the scene. I kind of felt like on the one hand was, oh, come on. These are just kids having fun. You know, they're like, they're like my little brothers and sisters. They're doing just the same sorts of stuff that we did. We did stuff when we were in college. We wandered around the storm drains and it wasn't completely legal. You know, we found the areas where you weren't exactly supposed to, supposed to be. And it's not clear whether it was trespassing or not to be there. And they weren't really causing trouble. You're just being grumpy old adults. And so there's a certain amount of they're grumpy old adults. And then there was a thing of, there were the people who stepped over some unwritten rule that nobody told them about or a written rule that somebody did tell them about. And then they caused trouble. Consequences roll downhill. And, you know, the scene changed because it was getting too big and it was getting too noisy, and the neighbors are complaining about people playing guitars because it's no longer folks on an acoustic guitar. Somebody brought in an amp and they're, and they're playing their new punk songs and lights are coming on at 11 o'clock. And you tell people to, to tone it down a little. You know, it's like, I like loud music too, but they're going to call the cops and they're going to throw us out of the park.
A
Now, speaking of some kids who brought an amplifier to the park, tell me about the 414s.
F
So the 414s were a group of young hackers from Milwaukee, and they're named after the Milwaukee area code. I love this story. And one of the reasons I love this story is this group really did nothing malicious or mean or horrible. I spoke to one of the hackers, Tim Winslow, and he told me all they wanted to do was find out how many computers were out there, because they had computers, but their friends didn't. So they wanted to know how many were around, what these computers were doing, and hopefully play some games while they were there. To me, that kind of embodied those early 80s hackers, just curious and a little bit mischievous and just kind of wanting to go into places they maybe shouldn't be and have a little look around. But the 414s did get themselves in a bit of trouble.
D
They visited us one by one. The FBI. I believe I was the third or fourth person. I had been up late the night before, and they showed up bright and early in the morning. My mom answered the door. She came and woke me up. I came directly up to the kitchen table and my mom sat in the living room in my dad's chair. And I know she was crying the whole time and she was worried they were taking me away right then and there. They took a few papers, they never took my computer. And we sat and talked. And I didn't think a lot about it from that point forward for a while because we didn't hear any. It was probably two months or so before anything, really. They started to bring us in to talk to us more.
A
Now, one thing you've got to keep in mind is this is all pre Internet. I mean, these guys were not running around being nuts on the ARPANET or anything like that. This really was just a case of them war dialing into any computers that they could find. Right. It was completely random exploration and not malicious. However, they did wind up destroying some medical bills.
D
You know, we wasted boxes of paper in a couple of places, which, you know, can get expensive. We accidentally erased some doctor bills they said we got in a cancer center. Well, yeah, it was the doctor bills that was all that was touched. No patient information, nothing really, except the doctor bills were touched. Yes, it was one of our people that did get into Los Alamos. I never believed it was us because the FBI never told me that it was our group that did it.
A
So the FBI kind of gets involved. But funnily enough, the FBI at the time, they did not really know what on earth to do about all of this.
F
They really didn't, for a couple of reasons. And, and talking to Tim, he, he sort of said when, like, he had to sit there and explain to the FBI how he was doing what he was doing and what he was doing, because on one hand, the, the FBI had never dealt with this before, so they weren't entirely sure what they were doing. And then there was the problem of there's no actual laws against what these guys were doing, so they didn't know what to charge them with either.
A
Now, I guess one of the reasons we know about all of this is because it became pretty clear pretty quickly that the members of 414 who were under 18 as minors were not really going to face any consequences as a result of any of this. So they did what any American does in that situation, and they hit the media circuit, Amberly?
F
Yeah, some things never change, right? So the guys that were over 18 were basically sitting and waiting to see what was going to happen and what they were going to be charged with and what the punishments would be. In the meantime, Neil Patrick was a member of the group who was 17 and so he wasn't being charged with anything. He wound up on the cover of Newsweek. He went on Good Morning America, he was on CBS, he was on CNN, he did the full media rounds for, for this group.
A
And all of this while the FBI is still scratching their heads figuring out what they can charge these guys with.
F
Absolutely, yeah.
D
The only thing they could really pinpoint was making phone calls illegally across international flights. And that's what they got us with.
A
Now, of course, back in the 80s, John Callis was a defender of DEC, right? But he still had some sympathy for these guys.
E
Some of the groups like 414s are people that I have a lot of sympathy for because they were not trying, you know, they were like everybody else, just kids having fun. On the other hand, they did trip over things that caused consequences for them and, you know, and rolled downhill.
D
Myself and I think Jerry got a $500 fine, two years probation and the third person, I believe, got six month probation and $1,000 fine.
A
So this is when it all started to get criminalised, right?
F
Yeah, absolutely. And I was talking before about Neil Patrick who did the media rounds. The other thing that Neil Patrick did in 83 was actually testify in front of Congress. And in the months and years following, new computer laws did emerge, including the Computer Fraud and Abuse Act, 1986, which is still in play now. And I actually asked him, looking back now, if he was proud of the legacy that he left behind. And he sort of said it was for that reason that, yeah, he kind of is.
D
We did help create laws without creating too much havoc. We purposely tried not to be, you know, reckless.
A
We're gonna take a quick break now to hear from SentinelOne, the security company that commissioned this series. Now, a lot of you will know SentinelOne as one of the major EDR platforms, but I guess we'd say these days they're more of a broader security company with a bunch of different products. And they commissioned this documentary series because they want to contrast where they are now, which is a, you know, very AI forward company of the future. They wanted to contrast that with the history of this whole hacking discipline. Now, instead of reading an advertisement, what we've done instead is we spoke to Steve Stone, who's SentinelOne's SVP of Threat Discovery and Response. And we sort of cut that down into a few minutes of Steve talking about AI. And the reason we spoke to him about SentinelOne's big AI push is because in his role, Steve is actually a SentinelOne user, helping to detect and discover novel attacks against SentinelOne customers. So here's cybersecurity and AI according to Steve Stone.
G
We're seeing it work in lots of areas where we're developing test cases. Not all of them are home runs. Not everything is a great application of AI. But the more stress tests we're doing, the more capabilities we're seeing in actual meaningful ways of output versus it just demos well. Like, we're actually seeing the opportunity to really affect cybersecurity people's daily lives, particularly in my organization, which is threat operations. We are a SentinelOne customer. We are consumers of how SentinelOne creates AI technologies and it does make our lives better. It does affect people's daily routines. There's no point to building something if people aren't going to use it. If it doesn't make lives better and easier, then we shouldn't be building it. We found AI to be really, really effective doing a few things. First, anyone that's ever sat in the MDR SOC, you know what it's like to triage a constant flood of alerts, including the same alert over and over and over again. AI is really good at that. It's really good at collapsing, expanding and applying its scale. We're hearing both high end well resourced organizations say it makes everything more accessible. We're also hearing small organizations that don't have the resources say it's making everything more accessible. Those are radically different users and they're using it in radically different ways, but they're coming to the same outcomes even though their application is totally different.
A
And welcome back. We left you for that sponsor segment as Tim Winslow of the 414s was explaining how his hacking group wasn't out to cause chaos. But chaos or not, there were rules creeping in, new laws being drafted and in the case of the 414s, old laws being used to charge new crimes. Now Amberly, on that, John Callis, the head of software for DEC at the time, he was pretty philosophical about these new rules, wasn't he?
F
He is pretty philosophical about it and he actually brings up a Lao Tzu quote which is basically the more rules and regulations, the more thieves and robbers.
E
Before there were locks, there were no burglars. So this was an era where locks were invented. It was a totally open culture. And if you were not polite to other people and had some basic social skills, like don't delete files, you were going to get thrown off. And it was highly controversial when the MIT computers developed file permissions so that you couldn't go read other people's email files, because that was part of the social culture, was that you would find out what your friends were doing by reading their email. And that was controversial. The fact that you would have passwords on things was itself a controversial thing. Imagine that you wake up, you leave the, you go from your bedroom to the kitchen and there's someone eating leftovers out of your fridge. And you say, what the hell are you doing here? You know, and they, and they say, well, you know, the door wasn't locked and I was kind of hungry, so I'm eating something, you know, and at some point someone's going to say, get out and point to the door. And the person eating a chicken wing is going to say, make me. And you know, and now you have a human confrontation.
A
OK, so the 414s come along, break a bunch of not quite laws yet, I guess, is the way to say it. They testify to Congress. As a result, the CFAA is created. Now let's talk about the first prosecution under the CFAA, because it's a very famous thing. It is the Morris worm. And this was a worm that was unleashed onto the very, very small Internet back then that just went a little bit berserk and caused all sorts of problems. But again, you know, the person behind it, Robert Tappan Morris, didn't actually mean for it to cause drama.
F
No, no, he didn't. So it was, I believe, 8:30pm on November 2, 1988, Robert Tappan Morris unleashed this worm from a computer at Cornell University. And it wasn't actually supposed to go as wild as it did, but he messed up. And within a day, about 6,000 computers were thought to be infected, which you may look at now and go, okay, that's a lot, but it's not excessive. But back in 88, those 6,000 computers were around 10% of the 60,000 or so that were estimated to actually be online at the time.
A
Mark Rasch was working for the Department of Justice at the time, and he was the guy who actually wound up prosecuting Robert Morris over the Morris worm.
B
Most people think you have a crime, you try to figure out who did it. In this case, the who did it was an interesting portion of figuring it out. But once we hit did it, a lot of this case was about what did he do and why was it a crime? And also, when prosecutors have a set of facts, they literally go through the code and say, what can I charge him with and what should I charge him with? The focus of computer crime has got to be on crime. Now, that presented an actual problem for us in the Morris case because as the jury later told us, and by the way, we told the jury as well, Robert Morris is not a criminal. He's not an. He's not evil. He's not a bad actor. He wasn't trying to do something terrible, okay? He wasn't trying to steal anything or anything like that. This was, in a sense, a joyride on the Internet that went wrong.
A
Here's Mark Rasch explaining how he came to be the DOJ's computer guy.
B
I was the head of the Department of Justice computer crime unit. It consisted of me. And that was a part time job, okay? And that was because literally at that time, somebody came up to me and says, does anybody know anything about computers? And I go, I know a little bit about computers. And so I became the designated person at Main Justice. So I became the person to write policy statements about the new computer crime statute.
A
Now, of course, investigating crimes on the Internet at the time necessitated Internet access. And even this was a bit of a challenge for America's Department of Justice.
B
I literally had to take apart the phone in my office at the Justice Department and go to Radio Shack and buy an adapter to plug in an RJ45 plug to create a modem so I could create a computer that could get on the Internet so that I could communicate with witnesses and victims, all of whom were online. We had no Internet connection at the Justice Department, so I had to create a dial up Internet connection. And I remember when my secretary in a folder kept all the documents related to a case as well as the floppy disk, which had those folders stapled to the inside of the folder. I had to explain why she should not staple the floppy disk to the inside of the folder.
A
Now, another challenge Mark Rasch had back then was, could you imagine trying to take something like this to a jury, to a jury trial in 1988?
F
Yes, it was. It was not the easiest thing. So he had to stand there and explain what this worm was to people that had never used computers.
B
First you have to educate the judge, then you have to educate the jury. And in our jury panel, we had two people who had ever used computers in their work. Nobody had email, nobody had used the Internet. How do you explain things like a mailer daemon or a buffer overflow or that kind of stuff to somebody who has never used the computer?
A
Now, one of the things that was going on through all of this, Right. Was a bit of a barney among prosecutors about whether or not to try Robert Morris for felony charges or misdemeanor charges, right?
F
Yeah, there was. And the district attorney actually wanted to offer a misdemeanor plea to Robert Morris. And there was a bit of argument back and forth about this, largely because of how important this case was at the time. And so Mark was telling me there were a few discussions about whether to go with a misdemeanor, whether to go with felony, whether it was going to be multiple felonies, and how they actually wound up making that decision in the end.
B
You know, that caused a bit of conflict. This was a significant computer hacking case. It involved losses anywhere up to the tens of millions of dollars. It was a significant disruption to a critical infrastructure. And it was done deliberately. Not purposefully, like, not with the intent to cause harm, but it was done deliberately. On the other hand, Robert Morris was not an evil person. He was a brilliant person. Still is a brilliant person. He was young and probably naive. Naive, not stupid. Okay. About how connected the Internet was. He made some tactical errors in his code, which led to this, but he never had any intent to cause harm. So the question was misdemeanor versus felony versus multiple felonies and all that. So the decision we made at Main Justice, and it was a thoughtful and considered decision, was that we would indict him for one felony count. So rather than taking each individual victim and making those a separate count, we lumped everything into one count. Do or die. Could I have done it with a misdemeanor? Maybe. Okay. And I debated that. The problem was a woman who steals baby formula to feed her child gets prosecuted as a misdemeanor. And I felt that the nature of this conduct was substantially different than that.
A
So ultimately, Robert Tappan Morris was found guilty. Then came the issue of sentencing. Right. So how. It's 1980 something, right? How are you supposed to sentence someone for creating an accidentally awesome computer worm?
F
So actually, January 1990 was when he finally went to court, and a jury who have never used computers found him guilty of this worm. But on the same year that he released the worm, sentencing guidelines came out in the US. And I had a look through the sentencing guidelines, and they basically give indications for different crimes as to what sentences should be. In the case of Robert Tappan Morris, it worked out to, I think, it was five years in prison. And interestingly, in those guidelines, it specifically says if your minimum sentence is less than six months, you cannot get probation. That wound up not being what happened. And I asked Mark about that.
B
I didn't want him to not spend any jail time because like I said, if you steal baby formula from a drugstore, you're going to spend a few days in jail. But I didn't think this guy needed to spend a significant amount of time in jail. We were trying to decide what kind of sentence was appropriate and we really had a hard time. So we simply said to the court, you know, this is what the guidelines are, but you should feel free in this case alone to consider things like his youth, his inexperience, the fact that he intended, did not intend to cause harm. The judge said at sentencing, the guidelines do not apply and I'm giving him probation, which was completely wrong as a matter of law. And so when I called Main Justice, you know, the powers that be, they said we need to appeal. And I said, we have two problems if we appeal. One, we could lose, and we establish a precedent that the sentencing guidelines don't apply to these cases for no particular reason, and then we don't have any leverage in computer hacker cases. The second one, which is almost as bad, we could win, and then the court's going to be ordered to give them an 18 month sentence. We didn't want either of those. I said, this is the best of both possible worlds. We get to say, this is an outrage. He should be in jail for two years without any real threat that he ever does. So we never appealed the sentence, and so we got to have a deterrence. The next time we get somebody, we're going to throw the book at him. We think the judge is wrong without ever having to give any consequences to it.
A
It's a funny old world. So it feels like in this case, everybody got what they wanted.
F
They kind of did. And it's strange because, you know, as Mark was saying, they had to, you know, act very unimpressed that he didn't get this massive jail sentence and everything else. But given that, I actually asked Mark when I was talking to him, looking back sort of 40 years later, whether he regretted chasing that felony charge in the end.
B
I don't say I regret it. I question whether it was the right decision. I generally think it was, considering the importance of this case in the, in the history of hacking. But I do regret if it had any effect on Robert Morris's ability to get future employment or do work for the government. I have made it clear that if, if he wanted to petition for a pardon or exoneration, I would have no problem sponsoring that myself.
A
So that's what was going on in the courts and with prosecutors and the FBI and whatnot. But what about the intelligence community? So here we're going to hear from Tony Sager. Now he had a 37 year career at the NSA beginning in 1979. He worked mostly on the defensive side of the organization. But yeah, he was there for a long time, he saw it all. And according to him, you know, software was kind of seen as being beneath most of the people at NSA because they were getting to play with cool stuff like custom hardware and whatnot and you know, breaking encryption. So all of this sort of software hacking, it just didn't get that exciting. It wasn't that exciting for them. And you know, as much as we would like to think that the agencies that apparently have the black helicopters are at science fiction levels of sophistication, it's just not the way it works. I mean, ultimately intelligence organisations are government agencies, right? I always try to explain to people outside of this whole world that, you know, you have to imagine that intelligence agencies still have a hint of the DMV about it, right? They're still like the organisations where you go to renew your license in a lot of ways. So it's not just always at these science fiction levels. But yeah, as Tony explains it here, you know, at NSA they were aware of this sort of stuff happening in the civilian world, like, you know, cybercrime, I guess, early cybercrime and whatnot and hacking, but it just wasn't really something they felt was particularly relevant to them. At least in the earlier part of the decade.
C
I think on the defensive side people would follow that, but didn't necessarily see it as relevant to what we were doing. I think internally the prevailing culture was we the NSA types, right? In defense we're solving the real security problems, the classified information problems, the, the government, you know, sensitive information problems and everything else is, yes, consumer stuff that's dabbling in security, but it's not serious security.
A
Now that said as much as Tony said, there was no sort of top down directive in the intelligence world that everyone should go and, you know, skill up and get involved in hacking things. He said various groups within the intelligence world pretty quickly figured out that computer hacking was going to be a good way to get certain things done.
C
Who is the most experimental in the government with new technology? It's the people who have spooky applications and they tend to have lots of money and lots of freedom to not have to follow every letter of the law policy. These are spooky people, right? People who do high risk things and on behalf of their nation. And it turns out they were early to find the uses of this new technology. So while the organization at large was trying to hold back the tide of economics and commodity processing, it turns out some of the most sensitive things being done were really using that technology because it was a commodity. It didn't draw suspicion. It could be done cheaply, quickly as a throwaway, for example. It was more cultural thinking than anything else. The our job, the thinking, our job is to get the mathematics right and to build it into government things and these other improvements in commercial technology and so forth, or mainstream thing, or hacking things where yeah, we'll help out on an ad hoc basis, but not as a mainstream activity. And there would be early attempts of what we would call operational testing. So the way we describe it at NSA would be work on development systems under development and in the field. And there would be. Could someone help us test a system in the field? We have a requirement to do so. And those were to handle kind of one offs. And I would say probably late 80s, you started to see the shift in analytic thinking to add computer science as a peer analytic discipline. And I was one of the first in that. So it became sort of engineering software, hardware engineering software and mathematics.
A
The way Tony explains it is ultimately the world coming online just made the world, everything in the world, basically a really juicy target. Right. And there were people who saw the opportunity very early on.
C
You know, offense is often more creative. I don't mean that as a personal attribute, but in some sense they're freer of things like, you know, the messiness of policies and acquisition. You know, they look for ways in, they're looking to build a covert infrastructure and so they're looking for whatever might give them access to that one. So when the world started to come online, that was like, now the world is a second target. We have much greater reach than we would ever have before. Certainly on a one individual basis there would be. This is amazing. We've been trying to get to this target for a long period of time and they're starting to come online and this is, you know, it's a bit of a wild west. Right? For a long period of time. Well, still. So, you know, I said, you know, one countercultural view of the evolution of the Internet is we've, we have collectively built the greatest intelligence gathering operation in the history of humanity, you know, and the US has provided it essentially at no cost to the rest of the world. And you know, it's really. But that yin and yang of, you know, capability to attack also makes us risky. And in fact the US was more at risk because of modernization, IT adoption, the richness of our economy and all that. So it took us a while, I would say on the defensive side. Again there were lots of individual instances but to really collectively see it as a core part of our mission. And there was for many years there was still a pretty strong we need to focus on the job that we were originally tasked to do, which is around cryptography.
A
Ultimately, according to Tony, NSA was basically dragged into the cyber reality kicking and screaming, which again, not what I expected going into this conversation.
C
I'm confessing to you, yes, it took a while to really appreciate the gravity of the situation. And I'm not talking hours and days and months here, I'm talking years to really think of it right again. We were working primarily in the classified world, highly sensitive kinds of, of stuff. And a lot of the early activity had this feeling of nuisance level work. These are kids, these aren't professional, we're professionals, they're not professionals. I certainly wasn't the last to appreciate the risk, not the first, but somewhere early. And I think there's an institutional inertia, there's a cultural resistance to say we're working the important problems and these are lesser problems that are somebody else's problem problem to deal with and to recognize and you know, to the end, including towards the end of their careers and their lives. Some of the people I respect most in the world were fighting tooth and nail to hang on to the past and that's, that was painful to watch right when you're, when you've studied at the feet of national heroes then you to have the feeling that their time has passed.
A
Ultimately though, the US government realised across the board that computers were a big deal. And the economics here were a huge factor.
C
There was a recognition not by me but higher up. I was working on these things that this is becoming part of our job. And it was highly controversial inside. Very inexpensive, consumer driven. It was starting to become part of the marketplace and inevitably people would find applications for that in government and it would start to creep into more secure, riskier applications because the economics are so compelling. You know, I could wait 10 years to build a custom piece of hardware or I could program this, you know, IBM PC or an Apple II or whatever into something useful Immediately at very low cost.
A
So we've heard there that NSA was a little bit ho hum about computer hacking, but computer espionage was already happening in the 80s. And we know this thanks to a wonderful book by Cliff Stoll named The Cuckoo's Egg. Now, in The Cuckoo's Egg, Cliff Stoll was responsible for a couple of UNIX systems at a national lab in the United States. And there was some sort of accounting issue on one of those boxes. And as he dug into it, he discovered that hackers had been having a good old time on his systems in his network. And this kicked off a hunt for the attackers who turned out to be stealing information. They were German guys who turned out to be stealing information from Cliff's workplace and selling it to the KGB. So I guess at this case, I mean, we can kind of say, Amberly, computer espionage was already happening, like way back then.
F
Yeah, it definitely was. And it'd be really easy to think that it was just that one case because Cliff's book was so good and so popular. But I actually found a guy named Greg Chartrand who worked as a network manager for Department of Energy's Fermilab back in the 80s. And he spoke to Cliff Stoll quite a bit during that time. And the reason he spoke to Cliff was because he was chasing his own German hacker who was in his DEC VAX systems at Fermilab. And there were also a few headlines at the time around other German hackers also associated with the Chaos Computer Club breaking into NASA. Yeah, there was definitely some overlap there.
H
I was working in sensitive areas and our laboratory and my management gave me one order. Please keep us out of the news. I knew it was big. I knew it was important because when it made the New York Times and the lab director talked to my director and said, what in the world's going on here? Are we involved? What are we going to do? So we came to an understanding in the beginning, and he said, take as much time as you want, do whatever you can to keep us out of the news and see if you can make us safe. And so for over a year, I spent the majority of my time working on that.
F
When Greg first discovered these hackers in the system, he noticed that there were a few of them, but they all kind of got bored because Fermilab didn't have anything that they wanted. But the only one hacker that did stick around was Hagbard.
H
You know, our experimental systems, there's nothing there. I mean, you know, we're not making bombs, we're not sending astronauts to Space, you know, we're not doing anything that's in the paper. So I think they just got bored with us, with the exception of Hagbard, simply because he needed a system to do his own little development on. And so seeing we didn't bother him, he was perfectly happy just to log in there and use the system as if it was his. And we just sat there and watched him all the time.
F
And Greg, through his time at Fermilab, had dealt with a number of hackers in the past, most of them being university kids, the kind that we've spoken about already in this episode. So I asked him how Hagbard differed from those earlier hacks.
H
I thought, hey, this, you know, chasing after hacker business is really simple. All you look up the number, you're all set. Didn't work that way.
A
And getting law enforcement interested in this at all turned out to be a little bit of a challenge.
F
Getting law enforcement interested was very much a challenge.
H
You know, I called the FBI. I had an agent call come down. He interviewed me. I told him everything. He wrote down pages and pages and pages, and he didn't understand a word I said. And so he went back and he said, well, if anything exciting happens, let me know right now.
A
The FBI never actually charged Karl Koch or Hagbard, but he didn't have a happy ending.
F
He really didn't have a happy ending. In 1989, Karl left his workplace and never returned. Was found the month later where he was basically just bones. He'd been shot. The earth around him was completely scorched. It was not a good ending at all.
A
No, no. And it was ruled a suicide. But given everything that he'd been up to, sort of conspiracy theories around his death kind of flourished somewhat.
F
Yeah, for sure. So there was the KGB stuff, and that's obviously gonna stir up a bit of conspiracy, especially around such a curious, kind death. But Hagbard was also really quite heavily into drugs as well. And Greg actually told me towards the end of Hagbard's time in their system, he was very clearly and obviously becoming a bit less coherent and a bit more all over the place and making less and less sense. So that drug use also fueled those. Those conspiracy theories around his death as well. And so I asked Greg, given the amount of headache and time and everything else that had gone into chasing Hagbard, when he sort of started to learn what had happened and what went on, how he kind of reconciled that and what he thought about it.
H
Initially, I was happy he was caught, and it wasn't Until Cliff came back from Germany and he told me the true story about Hagbard and his family life and his mother died and not having any money and he can't find a job and going on and on. I said, man, this kid was really troubled. I mean, he's had a rough life. So I basically flipped real quick on him because he was a victim of many circumstances and truly was a troubled person.
A
I think Greg was ahead of everyone too, because he got blackpilled on the Internet before the Internet really existed.
F
Yeah. And he was recalling to me a conversation that he had with someone that was sort of involved in making some of these networks and putting things together. And Greg, from the very beginning had a much more pessimistic view than a lot of people did about the Internet and what it was going to become.
A
I think he might have been the first person to say the Internet was a mistake.
F
Maybe.
H
The Internet is such a useful tool, everyone is going to use it for good, they're not going to use it for evil. And I'm sitting there saying, are you serious? I didn't say it, and sat back. And that was the attitude of many of the network pioneers that wrote the code for. For Unix and some of the first network equipment as well. No, no one's going to abuse this.
A
Now as much as it might have only been Greg at the time thinking the Internet was going to be a mistake. You know, you did have this sort of sense of unease out there in the general population through the 80s thanks to movies like War Games and, you know, just general media coverage, like almost. Almost had sort of satanic panic vibes.
F
Yeah, that's. That's kind of the perfect way to sum it up, actually. The War Games came out in 1983, actually the same year that the 414s got in a bit of trouble, which later had them dubbed the War Games Case. But it was one of those movies that got a lot of people quite nervous. But it wasn't appreciated by everyone in the actual scene.
A
Yeah. So it was almost like it made the average family a little bit scared. But policymakers were like, eh, it's a movie, right?
B
Wow.
F
What?
B
We got something.
E
He found the right code word to.
A
Play the game we're in, but it.
E
Was the wrong computer. The movie War Games did not do any of us any favors. It's one of the things that fueled the downfall of the scene, not anything else.
B
Most of what people knew about computers and computer crime came from movies like War Games.
A
Russians are still denying everything, sir.
G
Who are you working with nobody.
A
Why don't I believe you?
B
This was something that, it scared people, it spooked people, it worried people. But there wasn't the same kind of fear about their credit cards or their personal information because none of that was online yet.
A
Yeah, they weren't so much worried about their credit card details. They were worried about like computers causing a nuclear war. Much less, less serious there. But you know, Tim from the 414s, I mean, he felt like that movie didn't really do them any favors.
D
One of the things is saying we followed the movie, which we didn't, you know, we were before way before the movie. So they, they're like, well, you, you followed the movie. We started in the 70s.
E
Shall we play a game?
F
And it wasn't just that one movie either, but general media that loved a little bit of fear mongering when it came to covering the hacking scene.
D
We weren't malicious. They put more a malicious spin on everything. It's news. They're going to do what they got to do to make newsworthy.
H
They really focused in on NASA. NASA was the thing, oh man, we can't have our satellites falling out of the sky because hackers are attacking us. I mean, it was like that. And you know, that's the way the media works on virtually everything. They've never changed.
B
The way computers were depicted in movies was either as an inherently evil technology or as something that helped criminals facilitate their crimes.
A
Now as much as all of this was just fear mongering, John Callas got a glimpse into the future and the fact that this stuff was gonna be serious.
E
The problem with the fear mongering was that there was always a kernel of truth in it. Stuff that I worked on was used in the London Stock Exchange. It was used in fighter planes, despite the fact of not wanting to be in any military things. Like, my stuff was used on every intermediate range ballistic missile on both sides because the Russians cloned VAXes and put them places because the stuff was good. But it's like seeing your stuff being used for weapons of war and stuff that isn't good at all. But they were also right in that there was this core of, yeah, fine. You know, it's like it's certainly theoretically possible that a kid having fun wanting to play computer games could start a nuclear war. But really it's not going to happen and you can't prove a negative. So the fear mongering people have the advantage and the fear mongering people ultimately win the narrative because fear sells. I mean, today, things that are going on in the news, it's fear sells, nuclear destruction. Fear was a real thing. It's like I literally did not expect to live to be much past 30 and, you know, party conversations included. Often things like, so where are you going to run to when the bombs fall? And, you know, that cultural fear you had to be there for. So part of. Do you miss it? It's like, oh, no, no, no. It was, you know, God, my heart sang when the Berlin Wall went down.
A
West Berliners greeted their brothers and sisters.
G
From the east with jubilation, having themselves.
A
Been surrounded by the world's most heavily guarded border for three decades. And so there you have it, the 1980s in hacking. Some of it. Anyway, I do hope you enjoyed this episode, this first episode of how the World Got Owned, looking at hacking in the 1980s. Of course, we're going to be back with the 1990s in the next edition of this series, which is going to be. You're going to be busy with that one, Amberly.
F
I am. And I have a feeling I'm going to be missing the niceness of the 80s as well. It was a nice decade. I have a feeling that's not going to last forever.
A
It doesn't last forever. The 90s, I don't know. Mixed bag, right? Mixed bag. The 90s, still some good times. I think things really start to go off the rails in the naughts and the tens. I don't know. Things just keep getting worse. Right. So that's the. The trajectory. The trajectory ain't good. All right, Amberly, thank you so much. And let's roll on to the 90s.
F
Thank you. See you soon.
A
This has been a joint production between Risky Business Media and SentinelOne. How the World Got Owned was produced and researched by Amberly Jack, with some minor additional reporting and editing from me, Patrick Gray. How the World Got Owned will return and cover the 1990s in its next episode, which is coming soon.
Host: Patrick Gray
Guest Journalist and Co-host: Amberly Jack
Original Air Date: Jan 6, 2026
Podcast Focus: The birth of hacking culture, landmark incidents, law enforcement and intelligence agency responses, and the origins of today's cybersecurity landscape as shaped in the 1980s.
This inaugural episode of the “How the World Got Owned” series is a deep-dive into the hacking landscape of the 1980s—a period defined by curiosity, innocence, and chaos as networks and personal computing took root. Patrick Gray and investigative journalist Amberly Jack explore formative incidents, subcultures, landmark prosecutions, and how the nascent security community responded, featuring multiple first-hand accounts and expert interviews.
ARPANET and Early Network Culture
Bulletin Board Systems (BBS)
The 414s (Milwaukee Hacker Group)
Comments on Law Enforcement Response:
The Morris Worm (1988)
Cultural Shift: “Locks Invent Burglars”
NSA’s Dismissal of Early Software-Based Attacks
Institutional Inertia and Cultural Resistance
The Cuckoo’s Egg (Cliff Stoll) and Parallel Espionage Cases
Early Realization of Internet Risks
WarGames (1983) and Media-Induced Hysteria
Legacy Context: Cold War Anxiety
On ARPANET Exclusivity:
“A friend of mine got literally thrown off the ARPANET for saying he wanted to start a business that we would now call an ISP.”
—John Callas ([06:48])
On Early Hacker Motivation:
“[The 414s] really did nothing malicious or mean or horrible. All they wanted to do was find out how many computers were out there... To me, that kind of embodied those early 80s hackers: just curious, a little bit mischievous.”
—Amberly Jack ([20:47])
On the Challenge for Law Enforcement:
“He had to sit there and explain...because on one hand, the FBI never dealt with this before, so they weren't entirely sure what they were doing. And then there was the problem of there’s no actual laws against what these guys were doing.”
—Amberly Jack ([23:29])
On First Major Prosecution:
"Robert Morris is not a criminal...This was, in a sense, a joyride on the Internet that went wrong.”
—Mark Rasch ([32:28])
On Introduction of Digital Locks and Security:
“Before there were locks, there were no burglars. So this was an era where locks were invented. It was a totally open culture.”
—John Callas ([29:45])
On NSA’s Cultural Attitude:
“We’re solving the real security problems, the classified information problems, and everything else is, yes, consumer stuff that's dabbling in security, but it's not serious security.”
—Tony Sager ([43:06])
On Internet Optimism vs. Pessimism:
"The Internet is such a useful tool, everyone is going to use it for good, they're not going to use it for evil. And I'm sitting there saying, are you serious?"
—Greg Chartrand ([56:39])
On Media and Fear:
“The problem with the fear mongering was that there was always a kernel of truth in it...fear sells, nuclear destruction—fear was a real thing...the fear mongering people ultimately win the narrative because fear sells.”
—John Callas ([60:21])
| Timestamp | Segment |
|-----------|---------|
| 00:24 | Mark Rasch on Robert Morris and the Morris Worm |
| 06:48 | John Callas on ARPANET, exclusivity |
| 12:28 | ARPANET “@ parties” and social exclusion |
| 15:16 | The 414s and the rise of BBS |
| 21:34 | Tim Winslow (414s) on FBI involvement |
| 29:45 | John Callas on introduction of digital security |
| 31:42 | Amberly/Patrick: The Morris Worm and prosecution |
| 32:28 | Mark Rasch discusses charging Morris under CFAA |
| 39:00 | Handling the Morris sentencing |
| 43:06 | Tony Sager (NSA) on consumer hacking relevance |
| 45:41 | Intelligence agencies see Internet as new battlefield |
| 49:46 | The Cuckoo’s Egg — real-world 1980s espionage |
| 53:07 | Greg Chartrand on Hagbard (Karl Koch) |
| 54:11 | Hagbard’s fate and personal circumstances |
| 57:37 | WarGames, media panic, and “satanic panic” |
| 60:21 | John Callas on fear, media, and the end of the Cold War |
The 1980s marked the origin story of hacking as both social subculture and legal/political challenge. The era’s major takeaways:
Next Episode: The 1990s—where things get far more complex.