Those in Glass houses shouldn’t hack stones…



In May 1998, Stephen Glass, who then worked at The New Republic, wrote an article called “Hack Heaven,” about a 15-year-old hacker named Ian Restil. According to that story, Ian Restil used a computer at his high school library to hack into software firm “Jukt Micronics.” Jukt decided it would be cheaper to hire Restil to tell them how he did it rather than have their in-house engineers determine how he did it. Glass claimed that stories like Restil’s were “common” and that “Computer Insider,” a newsletter for hackers, estimated that 900 hackers were hired.

It was a compelling story, and one which resonated with the 1998 audience of The New Republic – the idea of hacker protection rackets. Except none of it was true. Restil was fiction. Jukt Micronics was fiction. Computer Insider was fiction. There was no “Center for Interstate Online Investigations,” no radio advertisement against hacker protection in Nevada, no “Uniform Computer Security Act,” no “National Assembly of Hackers.” Even Jukt Micronics’ Web site was a (pathetic) fake one set up by Glass on members.aol.com. This was revealed by Adam Penenberg, then working at Forbes Digital (a milestone for internet journalism, as an online news site took down the star reporter of one of the most storied print magazines).

I mention this story because it bears a bit of a resemblance to this one, published by the Associated Press on Mar. 25th: “Teen Hacker turns corporate cyber-crime consultant.”


WELLINGTON, New Zealand - A New Zealand teenager who helped a crime gang hack into more than 1 million computers worldwide and skim millions of dollars from bank accounts has a new job as a security consultant for a telecom company….

[Owen] Walker pleaded guilty last July — when he was 18 — to a raft of charges connected to his work for an international network that the FBI estimated infiltrated 1.3 million computers and skimmed bank accounts or damaged computer systems to the tune of more than $20 million.

The charges against Walker… were dismissed and he was released without a criminal record after paying a fine and forfeiting cash paid by the criminal group for his expertise.


But when contacted, Chris Mirams, spokesman for TelstraClear, the telecom company in question, explained that the story was “fairly accurate with the following exceptions”:


“Owen Walker was contracted to be one of three speakers for us at two seminars delivered to customers and prospective customers last October and November. Those audiences included IT, security and senior management. We also used his image for a targeted advertising campaign for our specialist security unit, DMZ Global.”

“He has not presented any seminars to TelstraClear staff, used any computer equipment or had access to our network. He was contracted for those duties only, a period of around two months, and was not, and is not, a fulltime employee…”

“Prior to contracting Owen the company consulted the Police case officer, who was positive in his feedback, and read both the Judge and probation service reports filed with the court. He was, you might remember, not convicted and the Police later publicly stated the outcome was fair.”


The unnamed AP reporter is not the next Stephen Glass, and the main problem with the story seems to be one of semantics and implication rather than facts: “new job” implies full-time employment without explicitly stating it, and the story makes it sound like Walker absconded with or destroyed $20M. In fact, he was the “ringleader” only insofar as he designed the software used in the attack – in short, a botnet author. His share of the damage to UPenn’s computer system came to a reasonably low $9526, according to the judge in the case, who asked him to pay restitution.

“Black Hat” hackers have gone “White Hat” before: Kevin Mitnick now operates a security consulting company and, similarly to Walker, produced a keynote presentation on computer security called “Art of Deception,” and Kevin Poulsen now writes “Threat Level” and identified 744 registered sexual offenders with MySpace profiles.

What is different is, perhaps, the methodology. Mitnick and Poulsen (not to romanticize their crimes) operated at a time when hacking was, essentially, a game, and worked primarily alone, for the challenge of it – “disorganized crime,” if you will. Walker, on the other hand, used botnets, an attack that only the broadband era would make feasible. To strain a metaphor, Mitnick and Poulsen targeted individual companies and corporations, while botnets target the general public – the difference between cat burglary and mugging. Well, mugging a whole bunch of people.

Additionally, the strain that botnets can put on both the public Internet and private enterprise networks has placed emphasis on computer security and computer networking working hand in hand – in the field of network behavior analysis. So… it’s… like mugging a whole bunch of people and making them late for work – okay, the metaphor is falling apart.

But back to the point at hand – in order to protect the general public from computer-security-related problems, like botnets, what we need is level-headed, non-sensational reporting from the mass media (and it doesn’t get any more mass media than the Associated Press). Botnets thrive on technical ignorance and misinformation, and it is the role of the press to fight both ignorance and misinformation.

I just think that the press should be doing a better job here.



