Computer-Savvy Buddies Hack Their Way Into Federal Prison

ASSOCIATED PRESS

Terry Ewing was late. His plane left in an hour and he was cutting it close. But he couldn’t tear himself away from his computer and the hole he’d hacked into the security network of Tower Records.

He kept poking around, looking for something interesting to take to the hackers’ convention he was attending. Finally, five minutes before the airport shuttle beeped in front of his apartment, he downloaded a file containing 1,700 credit card numbers.

“I thought, ‘I’ll grab this database and see what’s on it that I can use,’ as sort of a leverage at this hacker convention--to actually be somebody instead of just spouting off a lot of garbage,” Ewing remembers.

“We didn’t expect anyone was watching,” he said seven months later--through an inch of Plexiglas at the Sacramento County Jail.

Looking back on it now, with 21 months in federal custody stretching before him, the 21-year-old Ewing managed a wry grin and said, “Idle hands, I guess.”

Idle hands and an ethic that says, “If your security can’t keep me out, it’s your own fault if I break in.” Overwhelmingly male, often young, hackers are bright when it comes to technology.

But they can be stupid when it comes to reality. They imagine themselves to be invincible, invisible and smarter than the people on the other side of the screen.

The truth is, most hackers who steal get caught, most intrusions are noticed and the authorities on the other side of that screen are becoming more and more technically astute--and they’re serious about prosecuting computer crime. Despite dreams of glory, most hackers don’t get media attention, just prison time.

Smart, likable and funny, Ewing and his best friend, Michael Kim, are a case in point. They figured if Tower caught them, they’d get some kind of warning, they’d stop and everything would be fine.

That’s how it might have gone down in the old days. The hacker community sprang up in the 1960s and ‘70s, when the Internet was first being built. In the old days, there really wasn’t much of anything there.

“If you dial the clock back a long way, to the ‘70s, there were systems at MIT that had no access control at all. Anyone would walk up, log in and poke around,” said Noel Chiappa, one of the scientists involved in the Internet’s development.

It was the golden age of the network, when what are called hackers today were known somewhat affectionately as “tourists.”

Times have changed.

“You’ve got the older hackers justifying what they’ve always done, giving these kids a false sense of what the situation is--and it’s not the same situation,” said Bill Benton, a Secret Service agent in the agency’s financial crimes division in Washington.

Business has come online in a major way in the last three years. The stakes are higher, and the old days of getting nasty e-mail from a system administrator for breaking in are long gone.

“It’s not fun and games. It’s not cowboys and Indians. There’s too much commerce happening online to allow these cases to go unprosecuted,” said William Portanova, the assistant U.S. attorney in Sacramento who prosecuted Ewing and Kim.

Ewing had second thoughts about taking the Tower Records file with him on July 31, so he left it on his hard drive while he and Kim hit DefCon, the biggest of the West Coast hacker gatherings, for a weekend of bragging, hanging out and messing around.

“We never guessed they were on to us. Their security was so weak . . . ,” said Kim, 20, speaking by phone from the sixth floor of the same jail that held his friend. He is facing an 18-month sentence.

“We actually went and took a tour of their corporate offices. We saw where the guy who runs their computer sits, in a little itty-bitty cubicle, and we thought, ‘This guy doesn’t know anything.’

“But then,” he added, “we really weren’t all that bright either.”

Indeed not. According to Kelli O’Neill, an investigator with the Yolo County District Attorney’s office, Tower executives knew they were under siege the first time the hackers entered the system.

The computer operators Kim had thought so clueless actually rigged it so that every time the duo logged in, beepers alerted Tower to the intrusion. They also set up a program to monitor the hackers’ every keystroke.

Tower went to the police, who persuaded the firm not to close the security holes but instead wait to see what the hackers would do next.

As the case progressed, the police called in the Secret Service, who persuaded O’Neill to bump the case to the federal level. It was the first big hacker incident that officials in California’s Eastern District of the U.S. Justice Department had seen, and they were eager to make an example of it.

“We wanted to get the word out as far as we could. It seems incomprehensible that sitting in your bedroom pushing little bits of light around on your monitor is going to land you in federal prison--well, here’s proof it can happen,” Portanova said.

Seventy miles to the southwest, the duo had no idea there was a spider in their net.

They’d rented a small room in a shared apartment in Berkeley. Kim, who was from Los Angeles, was waiting to find out if his applications to the UC Berkeley computer science program had been accepted. Ewing, from Pocatello, Idaho, was waiting to establish his California residency so he was eligible for in-state tuition.

Both were proficient hackers, but neither viewed himself as a criminal: It was a game.

“We didn’t know we’d get in,” Ewing said of the Tower computer, which controls information for the chain’s book, video and record stores worldwide. “We just got caught in a big ‘Can we do it?’ game and it snowballed.”

Not quite crime kingpins. The first thing the duo used their computing powers for was to open an account at the Tower video store just up the road--which they promptly erased after they rented some movies, to escape the fees.

But to set up the account, Kim used their real address. And when Ewing downloaded the file containing the credit cards, that bit of honesty came back to haunt them.

“Somebody remembered that a couple of weeks previous, one of the kids had set up an account for themselves. . . . The [Tower employee] printed out the screen, thinking it might be important later,” Portanova said.

It was. A month later, the hackers finally did something worth looking into: The programmers watched as someone in Berkeley issued a command to sort the credit card numbers by expiration date, then created a separate file containing only those cards with dates at least a year off.

This was no hacker trophy to be shown off: It was clear criminal intent. “What they were doing up to that point was illegal, but they hadn’t really risen to a level justifying federal involvement,” Portanova said.

So while Ewing and Kim were hanging out in Las Vegas, agents were busting into their apartment.

Under federal law, each “access device,” as credit cards are known in legal parlance, is worth $100. The few commands Ewing had typed had resulted in a theft worth $170,000 in the eyes of the law--a felony offense.

Even though the two never had a chance to do anything with the cards, they still were guilty, despite a hacker myth that says if you don’t actually use the numbers you can’t be prosecuted.

Ewing and Kim turned themselves in and admitted guilt as part of a plea bargain.

“The whole time, we were thinking, if we just plead guilty, we’ll get six months’ house arrest. But it didn’t work,” said Kim, a slight young man with wire-framed glasses who looks closer to 17.

Both were charged with conspiracy to commit fraud and possession of credit card information, and have been sent to separate federal facilities to serve their time.

They are under court order to have no contact with each other and, after they are released, cannot hold jobs where they might have access to credit cards.

Reading through the court documents, it’s clear Ewing and Kim aren’t anybody’s idea of angels. Both have fairly long histories of run-ins with authorities dating back to their early teens.

Ewing got busted for a false ID, and ran into trouble when he tried a little chemistry experiment he’d read would make a vending machine give up its soda cans.

Kim, reared in Rancho Palos Verdes, looks too clean-cut to have charges for car theft on his record. But there they are.

“Oh, the Mercedes,” he said from jail. “That was just something really stupid. My friends decided to steal a car and I happened to be in the passenger seat.”

Some of their other exploits are closer to larceny. The two grabbed some credit card numbers off a computer while at DefCon, then used them while they were living in Berkeley--to buy takeout food.

Ewing and Kim clearly didn’t learn their lesson from previous brushes with the law. They say they have now.

“Hopefully, we’ve gotten their attention,” Portanova said. “We’ve put the word out. Hacking is bad. Hacking will get you in trouble. Hacking will send you up in jail.”

“They have this myth that they are the cool guys and the cool guys always win over the suits,” Mike Godwin of the Electronic Frontier Foundation in San Francisco said of hackers.

“But the fact is that they are half-socialized, post-adolescents with serious ethical and moral boundary problems.”
