Why Kids Shouldn't be Criminal Hackers

by M. E. Kabay, PhD, CISSP

Director of Education

ICSA, Inc.

At some time in your career as users of computers, someone is going to tell you how much fun it is to hack into computer systems and networks. I'm here to tell you it's a bad idea. I'd like you to understand what happens on the other side of that modem -- on the other side of that Internet connection -- when someone uses a computer system without permission.

Let me tell you a little about myself first. Strange as it may seem, I was once a kid. Admittedly, I was a pretty strange kid, but then so are many criminal hackers. I began programming computers when I was 15. That's probably around the time some of your parents were born--it was 1965. At that time, computers were pretty much as big as a house, needed enormous power cables to supply all the electricity, needed enormous air-conditioning units to carry all the heat away, and could serve one user at a time. We used to program these monstrous computers--computers that had not much more power than a hand-held programmable calculator today--using punch cards. It was pretty hard to gain unauthorized access to computers back then because they were locked up. The only way you got to program the computer was to hand in your cards through a window into this big room. If the technicians knew you or if you could show them your identification, they would feed your cards into the computer. Whenever you finished running your program, it would disappear from the inside of the computer--the memory--and someone else's program would be loaded.

Giving your name to the technician was a form of identification. Identification means telling who you are. The next step was authentication. Authentication means proving that you are who you say you are. Showing your ID card from your school or from your employer is a form of authentication because it represents something that only you are supposed to own. When your parents enter their bank-card into the automatic teller machine, that card is their identification. When your parents punch in their personal identification number (PIN), they are authenticating themselves.

Identification and authentication are very important in today's computer systems, but we do it differently now. Instead of speaking to a technician, now we usually type in a user-ID and give a password that no one else is supposed to know. Sometimes modern computers use other forms of identification and authentication; for instance, some computers look at your fingerprints, the shape of your hand, your eyes (retinas and irises), or your face and identify and authenticate you that way. Some computer systems recognize your voice or your handwriting and they identify and authenticate you that way. Other computer systems read a special card that has a little computer -- a microchip -- in it and that belongs only to you.

Well anyway, back in the 1960s and 1970s, computers and communications continued to evolve. Computers began to allow several people--sometimes hundreds of people--to use them all at the same time. It also became possible to communicate with computers from much further away than in the old days. The development of modems meant that you could communicate with a computer from many miles away by using the phone system.

Well, that kind of access meant that it was possible to get into computer systems without permission. For example, people could find out your user-ID and password and pretend to be you--after all, there was no technician to check to see if it really was you. Many computers back then had tight limits on how many hours of use you had on the computer every month, so someone who used your user-ID was in a way stealing computer time. If the person did not know your password, sometimes they would guess over and over; if you had a password that was easy to guess -- if it were really short, or was maybe your own name, or your dog's name, or your favorite sports team -- it could be pretty easy to guess. These people who used the computer in your name were among the earliest criminal hackers.

What do we mean by criminal hacking? Basically it means using a computer without the permission of the owners.

To understand why using a computer system without permission causes problems, you have to understand the basic goals of information security. There are six different aspects of information that need protection. The six principles are as follows: confidentiality, control, integrity, authenticity, availability, and finally usability. Let's look at these one by one.

Security experts talk about confidentiality. Confidentiality refers to limits on who can get what kind of information. For example, you might want to keep it secret that you have a crush on the child who sits in front of you! If someone were to find that out and tell other people, that would be a breach of confidentiality. If somebody were to find out your parents' bank account number and their secret number (the PIN, or Personal Identification Number) that they use at the banking machine, that would be a breach of confidentiality.

Another kind of protection for information is the preservation of control. As an example, imagine what would happen if somebody told your parents that they had taken a video film showing exactly what buttons your parents pushed when entering their bank-card PINs -- but that everything was OK because no one had looked at the video yet. Your parents would be frantic. They would be worried because they would no longer have control over their own secret number and over their own bank accounts. Something very similar--a loss of control--is what would occur if a stranger broke into your house when everyone was away. Even if they didn't do anything, you would still feel uncomfortable. You wouldn't know if maybe the strangers did something bad to your food. You might want to throw food away just in case. You might feel uncomfortable because maybe the strangers looked in your diary. These would all be indications of a breach of control.

Security people next consider the issue of integrity. Integrity refers to being correct. For example, imagine how bad you would feel if somebody took one of your exam papers and changed it so that your answers were now wrong. This would be a breach of integrity. If someone were to take a check that your parents wrote and then changed the amount payable, that would be a breach of integrity. Changing information without permission is a breach of integrity.

There have been cases where criminals have altered medical data. Changing medical records can lead to very dangerous situations for the patients. Some criminal hackers have played around in school records. They changed grades that were recorded by teachers. Now of course, this may sound funny, but it stops being funny when you think about what would happen if somebody changed your grades and made them worse. Unauthorized modification of data is a breach of integrity.

Another principle of security is authenticity. Authenticity means that information should be labeled correctly. For example, sometimes a criminal hacker sends electronic mail in somebody else's name. In one case, a professor in a Texas university found that someone had broken into his e-mail account. The hacker sent out two thousand e-mail messages in the professor's name. These e-mail messages were full of hateful, racist language and therefore some of the people who got the messages became very angry with the professor. This was not fair, because the professor didn't write the messages. However, he and his family received death threats and had to be put under police protection because people threatened to burn their house down. This was an example of a breach of authenticity. You might want to think about how embarrassing it would be if someone were to send e-mail messages in your name that said things you didn't agree with. Suppose someone were to insult your teachers by sending them messages signed with your name. You might get into a lot of trouble even though you had not done anything wrong. Protecting authenticity is one of the reasons that you must never reveal your password to anyone else. You have to protect the authenticity of your communications.

The fifth principle of information security is preservation of availability. Availability means having timely access to information. Timely access refers to getting hold of the information you need when you need it. For example, suppose you have to write an essay on the novel, The Wind in the Willows. You want to read the novel before you write the essay. If someone hides all the copies of the novel at the library and at the bookstores, you can't read the novel in time for your essay. That would be a breach of availability of that novel.

One of the most serious and widespread problems in today's computers is called denial of service. Denial of service can occur when someone overloads a computer system or network with bogus requests. One bad case of denial of service occurred when some nut who called himself Johnny [x]Chaotic subscribed dozens of people to hundreds of e-mail lists. These poor people began receiving e-mail on basket weaving, engineering, plumbing -- you name it. One writer received 20,000 e-mail messages in a single day. Imagine trying to find your own e-mail messages if someone sent you twenty thousand messages you did not want. It would take hours just to read through the subject lines to find the e-mail you wanted. That would be a denial of service. Denial of service is a breach of availability.

Finally, the last principle of information security is utility. Utility means usefulness. For example, if you went to the local store and all of the prices were in Norwegian Kroner but nobody knew how many Kroner there were in the dollar, that would not be very useful to you.

Now that you have some idea of what information security people worry about, it's pretty easy to understand why breaking into somebody's computer system is really bad.

Of course the obvious problems concern confidentiality, integrity and authenticity.

Anyone can see that going into a computer system and reading other people's documents, other people's e-mail--or even information relating to national security in military computers--all of these breaches of confidentiality are a real problem.

Changing accounting records, stealing money by making false bank transfers, altering prescriptions so that people can become sick, sending out bad e-mail in other people's names--these breaches of integrity and authenticity are all so obviously bad.

One of the most popular forms of criminal hacking is Web vandalism: damaging Web sites by substituting often obscene pictures and offensive text for the original materials. The CIA was renamed the Central Stupidity Agency; the Florida Supreme Court's Web page was turned into an illustrated sex-manual--you get the idea. The people who do this are usually children or young teenagers. These cybervandals are just like the punks who throw rocks through people's windows or who spray-paint curses and foul words on buildings to express their rage and rebellion. They're bored, childish nuisances.

The really tricky problem is that criminal hackers always claim that if they don't alter information, they haven't done anything wrong--or at least, they haven't done anything really wrong, as they say. This point of view is simply, flatly wrong.

The fundamental problem caused by unauthorized access to information systems is loss of control. Let me explain what really happens when some punk breaks into a computer system.

First you have to understand that many people depend on computer systems to get their work done. The computer systems they depend on are known as production systems. For example the local banks need to have computers process their checks so that people can get paid and so that the right amounts can be taken out of the employer bank accounts and deposited in the employee bank accounts. What do you think happens in the bank if someone breaks into their computer system? I'll tell you: it's a real mess.

The poor bank employees don't know whether the intruders have damaged some of their bank records or programs. Even if the criminal hackers leave a note (you know, "W3 D1DN'7 DO 4NY7H1NG WR0NG C4USE W3R3 313373" using that code of theirs), how do the employees really know if everything's still OK or whether the hackers have damaged something?

The only thing to do is to check. Security experts say that such a system is no longer trusted. The employees have to reestablish trust in the data and also in the programs. Criminal hackers have been known to insert their own changes to certain computer programs. Criminal hackers often leave what are called back doors into the systems they've already broken into. Back doors allow the hackers to re-enter the compromised computer systems anytime they want. This kind of change to system software is a real threat to the people that have been victimized. It can take days to check all of the information on a computer system that has been broken into. Sometimes the checking costs hundreds of thousands of dollars in wasted salary or consulting fees.

I remember that when I was in charge of a big computer center in the 1980s, my staff and I would spend from midnight to 6 in the morning every day for five days testing the new version of the computer operating system that the computer maker had sent to us. If we were willing to spend five nights testing the manufacturer's software, doesn't that tell you how important trust was for us? Now think about why on earth we would trust a production system that might have been damaged by a criminal hacker. It wouldn't make sense. We have to check the system after every intrusion. So that's why it's not true that breaking into computer systems is harmless fun.

I hope you will think about this the next time someone suggests that you play with them by breaking into somebody's computer system. Try to tell them this isn't a videogame. Hacking computers hurts real people. The victims of hacking spend sleepless nights away from their families working hard to see if their computer systems have been damaged by intruders. They worry about it. If there has been damage, it can cost a lot of money to fix the data and the programs. This money lowers profits for companies or increases costs for nonprofit organizations.

If the criminal hackers laugh at the costs and tell you that "it's only a company -- it's not real people" then you will know that they are either stupid or they are deliberately lying to you. Organizations are made of real people. Real people lose because of criminal hacking.

On another level, some people get caught when they hack, and their reputation for dishonesty can follow them for many years. I have met young people who didn't think they were doing anything wrong but who discovered how hard it is to be accepted at universities or to get good jobs when they have shown themselves to be sneaky criminals who obviously did not care about the people that they hurt. If these people continue hacking past their eighteenth birthday, they can go to jail for unauthorized access to some kinds of computers.

There are many ways to learn about computing. It is not necessary to become a criminal in order to learn. Enjoy computers and respect your fellow human beings while you enjoy this wonderful new world of cyberspace.


You are welcome to write to me. Send e-mail to mkabay@compuserve.com with your comments and questions.



Retrieved from the site: http://www.icsa.net/library/research/criminal.shtml in Jul/99