Chapter 4: A Real Gullible Genius

Overview

CIA agent Knuth had been very insistent when he recruited Flir. He needed personal student information, including social security numbers , and, as an agent for a non-domestically focused intelligence agency, didn t have the authority to get such from the US government. He did, on the other hand, have the authority to get Flir complete immunity for any computer crimes that did not kill or physically injure anyone . The letter the agent gave Flir was on genuine CIA letterhead and stated both the terms of the immunity and promised Flir significant jail time if he disclosed any details about this mission.

Flir was a 16-year-old sophomore at one of the nation s best technical colleges, Pacific Tech. A professor had recruited him the previous year to solve some grant- funded physics problems. This was a rare thing to happen to any undergraduate and an extremely rare thing to happen to a 15 year old. You could call him a real genius.

While Flir s mind had a very rare intelligence, as the mind of a 16-year-old genius, it also possessed a gullibility that wasn t rare among 16 year olds or geniuses. So he never even suspected that Knuth wasn t a CIA agent “ he just asked for a pair of powerful, extremely thin laptops with the top of the line network cards and went to work.

Flir wasn t the kind of hacker depicted in most movies. He wasn t omniscient, but that wasn t really what hacking required. He was smart, understood computers fairly well, and was creative. The only real difference between a hacker and a really knowledgeable technologist was attitude. A hacker thought somewhat more critically about the technology, tried to understand what wrong assumptions people made in their implementations , and exploited these for his benefit.

He had chosen a handle quite simply. It was the acronym for forward looking infrared , a capability on the Comanche helicopter that allowed it superior reconnaissance at the time of its creation. Like most hacker handles, Flir chose it primarily because he liked the sound of it and later reasoned that hackers should look at technology from multiple perspectives, seeing details and flaws that others would miss .

Well, he thought, if I have to get social security numbers, a college campus is definitely the best place to do it. Colleges in the United States, like many companies and government agencies, used social security numbers as unique personal identifiers. At almost every school, they called it your student ID number. It didn t matter that this violated US law. It was simple and easy for students to remember and didn t require any creativity on the part of the school. It also saved a few bytes of storage, since the University didn t have to create a unique number for every student.

This simplicity, unfortunately , came at an extremely high cost. Using your social security number, an attacker could apply for credit cards in your name or access your account at most banks.

He could claim that you were disabled and apply for social security benefits. He could open bank accounts by mail. There was way too much that could be done with this supposedly secret number. In short, colleges should never have started using these numbers for identification. They should have generated a specific student ID that could be freely exchanged without allowing an attacker access to any non-University- related information. To do otherwise put students at risk every day, as most employees on campus had access to every student s social security number. Pacific Tech would learn very quickly how risky it was.