Risky Business - How the World Got Owned Episode 1: The 1980s
Episode Date: January 6, 2026In this special documentary episode, Patrick Gray and Amberleigh Jack take a historical dive into hacking in the 1980s. Through the words of those that were there, they ...discuss life on the ARPANET, the 414s hacking group, the Morris Worm, the vibe inside the NSA and a parallel hunt for German hackers happening at a similar time to Cliff Stoll’s famous Cuckoo’s Egg story. This podcast features the memories of: Jon Callas, former principal software engineer at Digital Equipment Corporation Mark Rasch, Morris Worm prosecutor Timothy Winslow, former 414 hacker Greg Chartrand, author of Cracking the Cuckoos Egg and Tony Sager, former NSA How the World Got Owned is produced in partnership with SentinelOne. Show notes 1988 Federal sentencing guidelines manual Computer Intruder is put on probation and fined $10,000 | The New York Times Computer Intruder is found guilty | The New York Times United States of America, Appellee, v. Robert Tappan Morris, Defendant-appellant, 928 F.2d 504 (2d Cir. 1991) The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage | Clifford Stoll Cracking the Cuckoo’s Egg: The Untold Story of tracking and finding Karl Koch aka Hagbard of the Chaos Computer Club | Greg Chartrand Computer Buffs Tapped NASA Files | The New York Times Young Computer Bandits Byte off More than They Could Chew | The Washington Post ‘Hacker’ is used by Mainstream Media, September 5, 1983 | EDN Neal Patrick to testify before congressional committee Wargames official trailer, 1983 CBS News Segment on Robert Morris Computer Hacker The Fall of the Berlin Wall | Sky News I Hacked a Nuclear Facility in the 1980’s. You’re Welcome | CNN
Transcript
Discussion (0)
Hello, I'm Patrick Gray.
In partnership with Sentinel One, this is our new historical series, How the World Got Owned.
There'll be five episodes in this series in total, focusing on hacking in the 1980s, 90s, noughts, tens, and 20s.
And this is episode one, the 1980s.
As the jury later told us, and by the way, we told the jury as well, Robert Morris is not a criminal.
He's not evil.
He's not a bad actor.
He wasn't trying to do something terrible.
This was, in a sense, a joyride on the internet that went wrong.
We're working the high-end problem, the classified information problem.
And the rest is the work of amateurs, the work of criminals.
My mom answered the door.
She came and woke me up.
And I know she was crying the whole time.
She was worried they were taking me away right then and there.
hacker always had an implicit just up at it.
There was, you know, it is like the word punk in that it intentionally is not entirely a compliment.
Hi everyone and welcome to something a little bit different from us here at Risky Business Media.
We're doing some history.
We are looking back at hacking through the decades from the 1980s, 1990s, 90s, noughts, I guess, tens and 20s.
and we're doing this in conjunction with Sentinel One
who've done this huge push into AI security.
You know, it's the future.
So they commissioned us to take a look at the past
and really look at how we got here
and how, I guess, you know, we've put it,
how the world got owned.
Now, it's not me putting together most of this work.
It's actually our journalist, Ambly Jack.
Ambly, how's it going?
Good day, Pat. How are you?
Pretty good.
So I guess we should probably explain to people exactly what we're doing here.
Yeah, for sure.
And it's quite funny.
You call it work.
But I have to say, I've had an absolute blast digging into the entire decade of 1980s hacking.
I don't know what you were doing in the 80s, Pat.
But my fluoro wearing bonjo loving self had nothing to do with computers, let alone hacking.
So it's been a fascinating delight.
Now, as you've just alluded to this first episode, we're just looking at the 19.
80s, you know, we're going to be talking about ARPANET and at parties, which are a whole
thing, which is in retrospect, rather funny. But like, what are we got in store today? Like,
what are we going to be hearing about in this episode? Obviously, in one episode about an
entire decade, we're not going to fit in every single hack and every single incident. So
what I did when I was, when I was looking into this, is I kind of chose the incidents that to me
embodied hacking of the 80s, which was innocence. It was mischievousness. So we're going to hear
from a group from Milwaukee called the 414s. We're going to hear a bit about the first
prosecution under brand new computer laws with the Morris Worm. We're going to hear a bit from
the government side, the NSA and what was going on there, or maybe what wasn't going on there.
And we are also going to take a look at a different angle of the very, very, very,
very famous cuckoo's egg story as well. You actually managed to track down someone who was dealing
with the same set of attackers as Cliff Stoll was when he wrote the cuckoozeg. I did. And it's
quite funny actually because when I was looking into that, and I spoke to our colleague,
Adam Bolo, a little while ago, and the cuckoozeg was the story that he as a kid read and he said
it was one of those stories that absolutely got me into hacking and computers. But the problem with
that is no one is ever going to tell that story as well as Cliff Stoll did in the book that he wrote.
And so I randomly stumbled across a guy Greg Chartrand, who will hear from later, who was
collaborating with Cliff and actually running his own kind of parallel hunt for a similar hacker
at the time.
So it wasn't the same hackers?
It wasn't the same hackers.
It was, they were all German.
They were all kind of connected to the Chaos Computer Club.
Cliff Stolzberg one was a hacker by the name of Marcus Hess,
and Greg's Hunt was a little-known hacker who went by the name Hagbard,
who you may also know as Carl Koch.
I've done some reporting for this episode as well,
and, you know, we had some expectations going into this, right?
Like, I was chatting with Adam Bualo about how I was going to speak with Tony Saga,
who joined the NSA in 1979 and spent 30-something years there,
and Adam's like, wow, they must have.
been well ahead of the curve on all of this hacking stuff. And then you actually go talk to him.
And they're like, yeah, we just weren't really paying attention to this stuff. We were too busy
noodling about with encryption. But before we get to the crime and the intelligence, it's worth
pondering where networks actually were back in the 80s. I mean, it was all about the ARPANET,
bullet and board systems. And there was just no mainstream awareness of the internet.
The internet was reserved for a very, very small portion of people, mostly academics, researchers,
military, governing people, large financial institutions.
And it was still divided into sort of the internet or ARPANET and Milnet, which were separate entities.
So that was Mark Rash, who in the 80s was a prosecutor for the Department of Justice.
And he later went on, spent his entire career sort of working cybersecurity law.
And he was, the reason we spoke to him for this doco is he was one of the prosecutors for the Morris Worm case, which we'll get into a bit later as well.
We'll be hearing more from Mark Rash throughout this episode.
But first of all, let's set the scene a little bit with John Callis.
Now, if that name sounds familiar, it's because John Callis has been around forever, basically, as long as security's been a thing.
With computers, John has been there.
He's worked on things like OpenPGP, and he was even the head of software at DEC, Digital Equipment Corporation, pretty much all through the 80s.
And I guess to set the scene, you know, John really says that the internet back in the day was just not at all a commercial space.
It was kind of like a bit of an in-club for nerds.
The ARPANET was universities and government mostly only.
there was extraordinarily little commercial involvement.
A friend of mine got literally thrown off the ARPANET
for saying he wanted to start a business
that we would now call an ISP.
Can't have those unwashed masses being on the internet, eh, Ambley?
Absolutely.
I mean, I think, you know, maybe it would be better
if we stuck with that sort of thinking.
Maybe.
But, yeah, John does actually continue.
He himself got himself into a little bit of trouble once or twice.
Wasn't he just asking for advice on a product he wanted to buy?
Yeah, absolutely.
But he happened to work for a corporation.
Oh, man.
Capitalist pigs, right?
No room for them on the internet.
I once, when I had gotten a job and all, asked on a mailing list,
hey, my company is thinking about buying a something or other.
I didn't even remember what it was.
but I remember that I nearly lost my account because I said,
can anybody give me essentially like recommendations for buying a product?
The problem was not that I was asking about these things.
The problem was that it was a university and government domain,
and they were very defiant that all corporate stuff was bad.
So, you know, you can't even admit that you work for a, for a corporate.
corporation because that's, you know, money being involved is day class A.
John says it wasn't just a non-commercial space.
Everything was really open and this sort of meant that it was a subculture from the get-go.
The punk music scenes and the early hacking scenes were very similar culturally.
There were no file protections.
You could log into a computer and especially on the MIT computer,
where I was, you could very easily crash the computer.
And if you crash the computer, you might lose,
they might throw you out.
But on the other hand, you had your own email
because that was the primary thing.
There was also predecessors to IRC around,
but they were only like, you know, two to five people.
And you'd find out what was going on
in the world of artificial intelligence
because you read Marvin Minsky's email.
in Minsky's email.
People could read your email.
And so things like everything from hanging out party plans to dating drama and so on,
all happened totally in the open.
It was about coding and making things and, oh, especially talking to your friends and playing
computer games.
Now, Ambly, these like hippie nerds were prone to a little bit of iron fist
rule. They were. John was telling me, and he still actually has one of the ARPANET sort of handbooks
from back in the day. And for those that remember phone books, he says it's about the size of a phone book.
But the ARPANET, they all kind of kept each other in check with all these informal rules.
And then this handbook happened to have all the phone numbers for all the cis admins.
So if you're not one of those cisadmins, there's every chance they're going to get in touch with yours,
and you're going to get in trouble on the ARPANET.
all talk to each other. And so one of the social controls was that if you pissed off somebody
at University of blah, blah, blah, they may call the people, you know, it's like, I'll tell your
mom you were rude to people. And it was a real threat because you could be grounded. I mean,
you could be thrown off. Now, what's amazing is how some things were just present immediately.
And one of those things was a generational divide, right? Between the young people who were
treating these networks as they're like playpen, and the adults who were very, very serious and
not at all impressed by what the kids were doing. And John has a story about a mailing list,
which encapsulates this whole thing perfectly.
Absolutely. So John was telling me about one of his favorite social pastimes, which was
the Bandico and mailing list. Now, Bandi was a friend who went through a bit of a breakup,
and John said quite comically didn't respond very well to the breakup. And so all of Bandi's
friends or bandies kin got together and they set up this bandica mailing list and what they used to do
is basically just fire messages at each other but of course the resources back in the 80s weren't
quite the resources that we have today so this constant firing of messages on this mailing list actually
got the heckled up on a few of the adults on the arpinet so they were using an email list as like chat
to make their friend feel better about a breakup pretty much yeah the adults hated us
because there were dozens, sometimes over 100,
sometimes 200 messages a day.
It was like IRC, except it was just email.
And I remember, you know, the people who are running the official computers talking about,
remember the official computers are all running on 56KB lines that are long distance lines.
And like sometimes we would generate like 10K or 30K of text in all of our
stupid messages. And that's like, you know, that's like 1% of the whole ARPANET. What are you kids doing?
Why are you wasting resources? There's a social dimension to all of this as well, right?
Like, they even used to have parties for people who had email accounts because that was like,
that was like your magic ticket to cool, cool kids events. It was. And when I was talking to John,
he sort of said, you know, I loved and hated these, but they were so explosionary. He was sort of saying,
as you told me, there were people that really wish they could go to these parties,
but they weren't quite cool enough to have an email address.
I mean, I guess everyone's cool now, right?
I guess we are.
Because we all have email addresses.
I've got a couple, so.
Friday night get together over at so-and-so's house,
and we would arrange it by email.
Science fiction conventions of the time that would have parties.
From time to time, I didn't like this because I thought it
was really exclusionary, but they would have what they would call at parties. And an at party
was a party where you had to have an at, like in an email address. It was both cool because it was
the in group, but it was also exclusionary because there were the people who wanted to get in,
and there was gatekeeping and ladder pulling and all of the sorts of things that humans
do to each other because humans are horrible, and that's why we have cybersecurity. Now, of
While ARPANET was the big serious network in town, that wasn't the only way people were getting online.
And a big thing back in the 80s, or a thing that really took off, was bulletin boards.
Now, bulletin boards were usually, you know, someone just had a server in their house with a bunch of phone lines and a bunch of modems attached to them,
and people could just dial up and connect directly to those bulletin boards.
So you could think of it as like an internet where only like five or six people could be online at the same time for a lot of them.
Some of them might have two lines.
I mean, that was how they talked about BBSs.
It's like, wow, that's a 10-line BBS, which in Australia, you know,
even in the 90s would have been unheard of because of the cost of phone lines.
But this is where a lot of the hacking culture started to sort of creep in, right?
Now, you told me that John had described the ARPANET as the gold standard, but it wasn't the only thing.
No, no, definitely not.
And the bulletin boards were great for kind of creating these communities.
of just sort of, I don't know, young, curious, kind of mischievous kids who maybe had a bit of an ego
wanted to one up themselves and share files and shared hacking conquests and everything else.
And I did speak to a hacker Tim Winslow from a Milwaukee group called the 414s.
The 414s were actually friends in real life and used to hang out and go to pizza parties and stuff,
but they still use these bulletin boards for communicating a lot.
Neil had his own BBS, and so we used his BBS to do a lot of messaging back and forth.
Sometimes like me, I'd put up a small bullet and board at night just so, you know, if I was sleeping and I'd turn off the ringers and let people log in and leave me messages.
You know, we'd do that too with all the friends, just so we could message back and forth, or we'd let our dialers go at night and do that stuff.
So basically it's ARPANET and it's BBSs and at this point it might make sense to check in with Tony Saga, who I mentioned earlier.
So he was at the NSA through all of the 80s and described back then as being really, it was the personal computer revolution.
And far from NSA being like some crazy pioneers in doing hacking, which is kind of what you would have expected,
they institutionally, they kind of looked down on this stuff.
What did you make of this?
I mean, you know, these black helicopters and unlimited resources,
you would think they were doing the thing,
and it turns out they were not, in fact, doing the thing.
Because, you know, ultimately, black helicopter or no black helicopter,
ultimately, it's a government agency.
Yeah, I was definitely surprised.
I thought that they would be taking this very seriously
and getting right in there.
And yeah, that sort of wasn't the case.
The way Tony tells it, you know, software was for amateurs.
My life changed forever, I think it was 1981.
And we were seeing the emergence of back then,
we might call it the personal computing era.
And we were seeing, one of the lessons of my career
is that economics always wins.
So, you know, software in the, say, 70s, early 80s
was considered two error-prone,
too changeable, too risky to put anything that you cared about into software.
If you wanted to build encryption, you built it in custom hardware.
And software was kind of, you know, that's the messy business of front panel displays
and communications processors.
But a friend asked me if I would be interested in changing career fields from math to computer
science.
And part of the draw was I would get an Apple 2 plus to have on my desk.
Now, we chose to start this series in the 80s because it's when things started growing.
growing, right? It's when this went from being a theoretical kind of thing for most people to,
well, okay, you know, maybe some college students could access certain things and maybe you could
dial into a BBS. And it started growing and growing and growing. And along with that, Ambelly,
came problems. Yeah, there definitely were some problems that came along, Pat. And these were
largely caused by eager and curious kids that sort of wanted to tinker around and have a look and see
how things work and maybe break into a few places that they know they shouldn't, even though
nothing's technically illegal yet. And of course, when you get enough people causing enough
mischief, someone's going to come along and break out the party. Yeah, John describes it, like,
I guess, teenagers having a party in the park, which is all fun in games until someone sets up a stage
and, you know, there's like people doing all sorts of dangerous stuff. But, you know, here's what he said
about that. Imagine that there was a big factory that was adjacent to a park and after dark people
would go there and they would play music and they would sit and they would talk and there would be
sometimes people dancing and always a six pack of beer and nobody asked really closely about
how old somebody was before they picked up a beer and eventually that all closed for
the reasons of these things always close for.
You know, something crosses over some line
and authority steps in and closes down the scene.
I kind of felt like, on the one hand,
it was, oh, come on, these are just kids having fun.
You know, they're like my little brothers and sisters.
They're doing just the same sorts of stuff that we did.
We did stuff when we were in college.
We wandered around the storm drains.
and it wasn't completely legal.
You know, we found the areas where you weren't exactly supposed to be,
and it's not clear whether it was trespassing or not to be there.
And they weren't really causing trouble.
You're just being grumpy old adults.
And so there's a certain amount of their grumpy old adults,
and then there was a thing of there were the people who stepped over some
unwritten rule that nobody told them about,
or a written rule that somebody did tell them,
them about and then they caused trouble. Consequences were all downhill and you know the scene changed
because it was getting too big and it was getting too noisy and the neighbors are complaining about
people playing guitars because it's no longer folks on an acoustic guitar somebody brought in an amp
and they're and they're playing their new punk songs and lights are coming on 11 o'clock and you tell people to
tone it down a little. You know, it's like, I like loud music too, but they're going to call the
cops and they're going to throw us out of the park. Now, speaking of some kids who brought an
amplifier to the park, tell me about the 414s. So the 414s were a group of young hackers from
Milwaukee and they're named after the Milwaukee area code. I love this story and one of the reasons
I love this story is this group really did nothing malicious.
or mean or horrible. I spoke to one of the hackers Tim Winslow, and he told me all they wanted to
do was find out how many computers were out there because they had computers but their friends didn't.
So they wanted to know how many were around, what these computers were doing and hopefully play
some games while they were there. To me, that kind of embodied those early 80s hackers, just curious
and a little bit mischievous and just kind of wanting to go into places they maybe shouldn't be
and have a little look around.
But the 4-1-4s did get themselves in a bit of trouble.
They visited us one by one, the FBI.
I believe I was the third or fourth person.
I had been up late the night before,
and they showed up bright and early in the morning.
My mom answered the door.
She came and woke me up.
I came directly up to the kitchen table,
and my mom sat in the living room in my dad's chair,
and I know she was crying the whole time.
And she was worried they were taking me away right then and there.
They took a few papers.
They never took my computer.
And we sat and talked.
And I didn't think a lot about it from that point forward for a while
because we didn't hear anything.
It was probably two months or so before anything really,
they started to bring us in to talk to us more.
Now one thing you've got to keep in mind is this is all pre-internet.
I mean, these guys were not running around being nuts on the arpanet or anything like that.
This really was just a case of them war dialing into any computers that they could find, right?
It was completely random exploration and not malicious.
However, they did wind up destroying some medical bills.
You know, we wasted boxes of paper in a couple of places, which, you know, can get expensive.
We accidentally raised some doctor.
bills? Oh, they said we got in a cancer center. Well, yeah, it was the doctor bills.
All that was touched. No patient information, nothing really except the doctor bills were
touched. Yes, it was one of our people that did get into Los Alamos. I never believed it was us
because the FBI never told me that it was our group that did it. So the FBI kind of gets involved,
but funnily enough, the FBI at the time, they did not really know.
what on earth to do about all of this?
They really did it for a couple of reasons.
And talking to Tim, he sort of said when, like, he had to sit there and explain to the FBI
how he was doing what he was doing and what he was doing.
Because on one hand, the FBI, they'd never dealt with this before.
So they weren't entirely sure what they were doing.
And then there was the problem of there's no actual laws against what these guys were doing.
So they didn't know what to charge them with either.
Now I guess one of the reasons we know about all of this is because it became pretty clear pretty quickly that the members of 414 who were under 18 as minors were not really going to face any consequences as a result of any of this.
So they did what any American does in that situation and they hit the media circuit, Ampley.
Yeah, some things never change, right?
So the guys that were over 18 were basically sitting and waiting to see what was going to happen and what they were going to be charged with and what the punishments would be.
In the meantime, Neil Patrick was a member of the group who was 17.
And so he wasn't being charged with anything.
He wound up on the cover of Newsweek.
He went on Good Morning America.
He was on CBS.
He was on CNN.
He did the full media rounds for this group.
And all of this while the FBI is still scratching their heads,
figuring out what they can charge these guys with.
Absolutely, yeah.
The only thing they could really pinpoint was making phone calls illegally across
international lights.
And that's what they got us with.
Now, of course, back in the 80s,
John Callis was a defender of Deck, right?
But he still had some sympathy for these guys.
Some of the groups like 4-14s
are people that I have a lot of sympathy for
because they were not trying.
They were like everybody else,
just kids having fun.
On the other hand, they did trip over things
that caused consequences
for them and you know and rolled downhill.
Myself and I think Jerry got a $500 fine, two years probation,
and the third person I believe got six-month probation and a thousand dollar fine.
So this is when it all started to get criminalized, right?
Yeah, absolutely.
And I was talking before about Neil Patrick who did the media rounds.
The other thing that Neil Patrick did in 83 was actually testify in front of Congress.
And in the months and years following, new computer laws did emerge, including the Computer Fraud and Abuse Act, 1986, which is still in play now.
And I actually asked him, looking back now, if he was proud of the legacy that he left behind.
And he sort of said it was for that reason that, yeah, he kind of is.
We did help create laws without creating too much havoc.
we were purposely tried not to be, you know, reckless.
We're going to take a quick break now to hear from Sentinel One, the security company that commissioned this series.
Now, a lot of you will know Sentinel One as one of the major EDR platforms,
but I guess we'd say these days they're more of a broader security company with a bunch of different products.
And they commissioned this documentary series because they want to contrast where they are now,
which is a very AI forward company of the future.
They wanted to contrast that with the history of this whole hacking discipline.
Now, instead of reading an advertisement, what we've done instead is we spoke to Steve Stone,
who's Sentinel One's SVP of threat discovery and response,
and we sort of cut that down into a few minutes of Steve talking about AI.
And the reason we spoke to him about Sentinel One's big AI push is because in his role,
Steve is actually a Sentinel One user, helping to detect and discover novel attacks against Sentinel One customers.
So here's cybersecurity and AI, according to Steve's done.
We're seeing it work in lots of areas where we're developing test cases.
Not all of them are home runs.
Not everything is a great application of AI.
But the more stress tests we're doing, the more capabilities we're seeing,
in actual meaningful ways of output versus it just demos well.
Like, we're actually seeing the opportunity to really affect cybersecurity people's daily lives.
Particularly in my organization as Thurn Operations, we are a Sentinel One customer.
We are consumers of how Sentinel One creates AI technologies.
And it does make our lives better.
It does affect people's daily routines.
There's no point to building something if people aren't going to use.
it. If it doesn't make lives better and easier, then we shouldn't be building it.
We found AI to be really, really effective doing a few things. First, anyone that's ever sat in
the MDR sock, you know what it's like to triage a constant flood of alerts, including the
same alert over and over and over again. AI is really good at that. It's really good at collapsing,
expanding, and applying at scale. We're hearing both high-end, well-resourced organizations say,
makes everything more accessible.
We're also hearing small organizations that don't have the resources say it's making everything
more accessible.
Those are radically different users and they're using it in radically different ways, but they're
coming to the same outcomes, even though their application is totally different.
And welcome back.
We left you for that sponsor segment as Tim Winslow of the 414s was explaining how his hacking
group wasn't out to cause chaos.
But chaos or not, there were rules creeping in, new laws being drafted,
and in the case of the 414s, old laws being used to charge new crimes.
Now, R Ambley, on that, John Callas, the head of software for deck at the time,
he was pretty philosophical about these new rules, wasn't he?
He is pretty philosophical about it, and he actually brings up a Lao Tzu quote,
which is basically the more rules and regulations, the more thieves and robbers.
Before there were locks, there were no burglars.
So this was an era where locks were invented.
It was a totally open culture.
And if you were not polite to other people and had some basic social skills like don't delete files,
you were going to get thrown off.
And it was highly controversial when the MIT computers developed file permissions
so that you couldn't go read other people's email files.
because that was part of the social culture,
was that you would find out what your friends were doing
by reading their email.
And that was controversial.
The fact that you would have passwords on things
was itself a controversial thing.
You know, imagine that you wake up, you go, you know,
you leave the, you go from your bedroom to the kitchen,
and there's someone eating leftovers out of your fridge.
And you say, what the hell are you doing here?
you know and they and they say well you know the door wasn't locked and I was kind of hungry so I'm eating something
you know and at some point someone's going to say get out and point to the door and the person
eating a chicken wing is going to say make me and you know and now you have a human confrontation
okay so the 414 has come along break a bunch of not quite laws yet I guess it's a way to say it
They testify to Congress.
As a result, the CFAA is created.
Now, let's talk about the first prosecution under the CFAA
because it's a very famous thing.
It is the Morris worm.
And this was a worm that was unleashed onto the very, very small internet back then
that just went a little bit berserk and caused all sorts of problems.
But again, you know, the person behind it, Robert Tappan Morris,
didn't actually mean for it to cause drama.
No, no.
So it was, I believe, 8.30pm on November the 2nd, 1988.
Robert Tappen Morris unleashed this worm from a computer at Cornell University.
And it wasn't actually supposed to go as wild as it did, but he messed up.
And within a day, about 6,000 computers were thought to be infected, which you may look at
now and go, okay, that's a lot, but it's not excessive.
But back in 88, those 6,000 computers were around 10% of, you.
the 60,000 or so that were estimated to actually be online at the time.
Mark Rash was working for the Department of Justice at the time,
and he was the guy who actually wound up prosecuting Robert Morris over the Morris Worm.
Most people think you have a crime, you try to figure out who did it.
In this case, the who did it was an interesting portion of figuring it out.
But once we hit did it, a lot of this case was about what did he do and why was it a crime?
And also, when prosecutors have a set of facts, they literally go through the code and say,
what can I charge him with and what should I charge him with?
The focus of computer crime has got to be on crime.
Now, that presented an actual problem for us in the Morris case, because as the jury later
told us, and by the way, we told the jury as well, Robert Morris is not a criminal.
He's not evil.
He's not a bad actor.
He wasn't trying to do something terrible.
okay, he wasn't trying to steal anything or anything like that.
This was, in a sense, a joyride on the internet that went wrong.
Here's Mark Rash explaining how he came to be the DOJ's computer guy.
I was the head of the Department of Justice Computer Crime Unit.
It consisted of me, and that was a part-time job, okay?
And that was because literally at that time somebody came off to me and says,
does anybody know anything about computers?
And I go, I know a little bit about computers.
And so I became the designated person at Maine Justice.
So I became the person to write policy statements about the new computer crime statute.
Now, of course, investigating crimes on the internet at the time necessitated internet access.
And even this was a bit of a challenge for America's Department of Justice.
I literally had to take apart the phone in my office at the Justice Department and go to Radio Shack and buy an adapter to plug in an RJ-45 plug to create a modem so I could create a computer that can get on the internet so that I could communicate with witnesses and victims all of whom were online.
We had no internet connection at the Justice Department.
So I had to create a dial-up internet connection.
And I remember when my secretary in a folder kept all the documents related to a case,
as well as the floppy disk, which had those folders,
stapled to the inside of the folder.
I had to explain why she should not staple the floppy disk to the inside of the folder.
Now, another challenge Mark Rash had back then was,
can you imagine trying to take something like this to a jury, to a jury trial in 1988?
Yes.
It was not the easiest thing.
So he had to stand there and explain what this worm was to people that had never used computers.
First you have to educate the judge.
Then you have to educate the jury.
And in our jury panel, we had two people who had ever used.
computers in their work. Nobody had email. Nobody had used the internet. How do you explain things
like a mail or demon or a buffer overflow or that kind of stuff for somebody who has never used
the computers? Now, one of the things that was going on through all of this, right, was a bit of a
barney among prosecutors about whether or not to try Robert Morris for felony charges or
misdemeanor charges, right? Yeah, there was. And the district attorney actually wanted to offer a
misdemeanor plea to Robert Morris. And there was a bit of argument back and forth about this,
largely because of how important this case was at the time. And so Mark was telling me there
were a few discussions about whether to go with misdemeanor, whether to go with felony, whether it was
going to be multiple felonies, and how they actually wound up making that decision in the end.
You know, that caused a bit of conflict.
This was a significant computer hacking case.
It involved losses anywhere up to the tens of millions of dollars.
It was a significant disruption to a critical infrastructure, and it was done deliberately,
not purposefully, like not with the intent to cause harm, but it was done deliberately.
On the other hand, Robert Morris was not an evil person.
He was a brilliant person, still is a brilliant person.
He was young and probably naive, naive, not stupid, okay, about how connected the Internet was.
He made some tactical errors in his code, which led to this.
But he never had any intent to cause harm.
So the question was, misdemeanor versus felony versus multiple felonies and all that.
So the decision we made at Maine Justice, and it was,
a thoughtful and considered decision was that we would indict him for one felony count.
So rather than taking each individual victim and making those a separate count, we lumped everything
into one count, do or die.
Could I have done it with a misdemeanor?
Maybe.
Okay?
And I debated that.
The problem was a woman who steals baby formula to feed her child gets prosecuted as a
demeanor. And I felt that the nature of this conduct was substantially different than that.
So ultimately, Robert Tappan Morris was found guilty. Then came the issue of sentencing, right?
So how, it's 1980 something, right? How are you supposed to sentence someone for creating an
accidentally awesome computer worm? So actually, January 1990 was when he finally went to court.
and a jury who have never used computers, found him guilty of this worm.
But on the same year that he released the worm, sentencing guidelines came out in the US.
And I had a look through the sentencing guidelines and they basically give indications for different crimes as to what sentences should be.
In the case of Robert Tappen-Morris, it worked out to, I think it was five years in prison.
And interestingly, in those guidelines, it specifically says if your minimum sentence is less than six months, you cannot get probation.
That wound up not being what happened. And I asked Mark about that.
I didn't want him to not spend any jail time because like I said, if you steal baby formula from a drugstore, you're going to spend a few days in jail.
But I didn't think this guy needed to spend a significant amount of time in jail.
We were trying to decide what kind of sentence was appropriate.
And we really had a hard time.
So we simply said to the court, you know, this is what the guidelines are, but you should feel free in this case alone to consider things like his youth, as an experience, the fact that he intended did not intend to cause harm.
The judge said at sentencing, the guidelines do not apply and I'm giving him probation, which was completely wrong as a matter of law.
And so when I called Maine Justice, you know, the powers that be, they said, we need to appeal.
And I said, we have two problems if we appeal.
One, we could lose.
And we establish a precedent that the sentencing guidelines don't apply to these cases for no particular reason.
And then we don't have any leverage in computer-active cases.
The second one, which is almost as bad, we could win.
And then the court's going to be ordered to give them an 18-month sentence.
We didn't want either of those.
So I said, this is the best of both possible worlds.
we get to say, this is an outrage.
He should be in jail for two years without any real threat that he ever does.
So we never appealed the sentence.
And so we got to have a deterrence that next time we get somebody,
we're going to throw the book at him.
We think the judge is wrong without ever having to give any consequences to it.
It's a funny, old world.
It is.
So it feels like in this case, everybody got what they wanted?
They kind of did.
And it's strange because, you know, as Mark was saying, they had to, you know, act very unimpressed that he didn't get this massive jail sentence and everything else.
But given that, I actually asked Mark when I was talking to him, looking back sort of 40 years later, whether he regretted chasing that felony charge in the end.
I don't say I regret it.
I question whether it was the right decision.
I generally think it was, considering the importance of this case in the end.
in the history of hacking, but I do regret if it had any effect on Robert Morris's ability to get
future employment or do work for the government. I have made it clear that if he wanted to petition
for a pardon or exoneration, I would have no problem sponsoring that myself.
So that's what was going on in the courts and with prosecutors and the FBI and whatnot,
but what about the intelligence community? So here we're going to hear from Tony Saga. Now, he had a
37 year career at the NSA beginning in 1979.
He worked mostly on the defensive side of the organization, but yeah, he was there for a long
time.
He saw it all.
And according to him, you know, software was kind of seen as being beneath most of the
people at NSA because they were getting to play with cool stuff like custom hardware
and whatnot and, you know, breaking encryption.
So all of this sort of software hacking, it just didn't get that exciting.
it wasn't that exciting for them.
And as much as we would like to think that the agencies that apparently have the black helicopters are at science fiction levels of sophistication, it's just not the way it works.
I mean, ultimately, intelligence organizations are government agencies, right?
I always try to explain to people outside of this whole world that, you know, you have to imagine that intelligence agencies still have a hint of the DMV about it, right?
they're still like the organizations where you go to renew your license in a lot of ways.
So it's not just always at these science fiction levels.
But yeah, as Tony explains it here, you know, at NSA they were aware of this sort of stuff
happening in the civilian world, like, you know, cybercrime, I guess, early cybercrime and
whatnot and hacking.
But it just wasn't really something they felt was particularly relevant to them, at least in the
earlier part of the decade.
I think on the defensive side, people would follow that, but didn't necessarily.
see it as relevant to what we were doing. I think internally the prevailing culture was we are,
we, the NSA types, right, in defense, we're solving the real security problems, the classified
information problems, right? The government, you know, sensitive information problems. And everything
else is, yeah, it's consumer stuff that's dabbling in security, but it's not serious security.
Now that said, as much as Tony said there was no sort of top-down directive in the intelligence world
that everyone should go and, you know, skill up and get involved in hacking things.
He said various groups within the intelligence world pretty quickly figured out that computer hacking was going to be a good way to get certain things done.
Who is the most experimental in the government with new technology?
it's to people who have spooky applications, and they tend to have lots of money and lots of freedom to not have to follow every letter of the law policy.
These are spooky people, people who do high-risk things, and on behalf of their nation.
And it turns out they were early to find the uses of this new technology.
So while the organization at large was trying to hold back the tide of economics and commodity processing, it turns out some of the most sensitive.
things being done were really using that technology because because it was a commodity. It didn't draw
suspicion, right? It could be done cheaply, quickly as a throwaway, for example. It was a more cultural
thinking than anything else, right? Our job, you know, the thinking, our job is to get the mathematics
right and to build it into government things. And these other improvements in commercial technology
and so forth, or mainstream thing or hacking things where, yeah, we'll help out on an ad hoc basis,
but not as a mainstream activity.
And there would be early attempts of what we would call operational testing.
So the way we described it, NSA would be work on development systems under development and in the field.
And there would be, could someone help us test a system in the field?
We have a requirement to do so.
And those were to handle kind of one-offs.
And I would say probably late 80s, he started to see the shift in analytic thinking to add computer science as a,
peer analytic discipline.
And I was one of the first in that in that.
So it became sort of engineering, software, hardware engineering, hardware engineering, software,
and mathematics.
The way Tony explains it is ultimately the world coming online just made the world,
everything in the world basically a really juicy target, right?
And there were people who saw the opportunity very early on.
You know, offense is often more creative.
I don't mean that as a personal attribute, but in some sense,
they're freer of things like, you know, the messiness of policies and acquisition, you know,
they look for ways in.
They're looking for to build a covert infrastructure.
And so they're looking for whatever might give them access to that one.
So when the world started to come online, you know, that was like now the world is a second target, right?
We have much greater reach than we would ever have before.
Certainly on a one individual basis, there would be, this is amazing.
We've been trying to get to this target for a long period of time.
and they're starting to come online, and this is, you know, it's a bit of a wild west, right,
for a long period.
I'm all still.
So, you know, I said, you know, one countercultural view of the evolution of the Internet is we've,
we have collectively built the greatest intelligence gathering operation in the history of humanity,
you know, and the U.S. has provided it essentially at no cost to the rest of the world.
And, you know, it's really, but that Yid and Yang of, you know, capability to attack
also makes us risky. And in fact, the U.S. was more at risk because of modernization, IT adoption,
the richness of our economy and all that. So it took us a while, I would say, on the defensive side.
Again, there were lots of individual instances, but to really collectively see it as, you know,
a core part of our mission. And there was, you know, for many years, it was still a pretty strong,
you know, we need to focus on the job that we were originally tasked to do, which is around
cryptography.
Ultimately, according to Tony, NSA was basically dragged into the cyber reality kicking and screaming,
which again, not what I expected going into this conversation.
I'm confessing to you.
Yes, it took a while to really appreciate the gravity of the situation.
And I'm not talking hours and days and months here.
I'm talking years to really think of it, right?
Again, we were working primarily in the classified world, highly sensitive kind of stuff.
And a lot of the early activity had this feeling of nuisance level work.
You know, these are kids.
These aren't professional.
We're professionals.
They're not professionals.
I certainly wasn't the last to appreciate the risk, but not the first, but somewhere early.
And it just, again, I think there's an institutional inertia.
There's a cultural resistance to say, we're working the important problems, and these are lesser.
problems or somebody else's problem to deal with.
And to recognize, and to the end, including towards the end of their careers and their lives,
some of the people I respect most in the world were fighting tooth and nail to hang on to the past.
And that was painful to watch, right, when you've studied at the feet of national heroes,
then you, to have the feeling that their time has passed.
Ultimately, though, the U.S. governments realized across the board that computers were a big deal,
and the economics here were a huge factor.
There was a recognition, not by me, but higher up, you know, I was working on these things,
that this is becoming part of our job.
And it was highly controversial inside.
Very inexpensive, you know, consumer-driven IT was starting to become part of the marketplace.
and inevitably people would find applications for that in government,
and it would start to creep into more secure, riskier applications, right?
Because the economics are so compelling.
You know, I could wait 10 years to build a custom piece of hardware,
or I could program this, you know, IBMPC or an Apple II or whatever,
into something useful immediately at very low cost.
So we've heard there that NSA was a little bit ho-ha,
about computer hacking.
But computer espionage
was already happening in the 80s
and we know this thanks to a wonderful
book by Cliff Stoll
named the Cuckoo's Egg. Now in the Cuckoo's Egg
Cliff Stoll was responsible for a couple
of Unix systems at a national lab
in the United States and there was some sort of
accounting issue on one of those boxes
and as he dug into it he discovered
that hackers had been having a good old time
on his systems in his network
and this kicked off a hunt for the attackers who turned out to be stealing information.
They were German guys who turned out to be stealing information from Cliff's workplace and selling it to the KGB.
So I guess at this case, I mean, we can kind of say, Ambley, computer espionage was already happening, like way back then.
Yeah, it definitely was.
And it'd be really easy to think that it was just that one case because Cliff's book was so good and so popular.
but I actually found a guy named Greg Chartrand
who worked as a network manager for Department of Energy's Fermilab back in the 80s.
And he spoke to Cliff Stoll quite a bit during that time,
and the reason he spoke to Cliff was because he was chasing his own German hacker,
who was in his deck-vax systems at Fermilab.
And there were also a few headlines at the time around other German hackers,
also associated with a chaos computer club, breaking into NASA.
Yeah, there was definitely some overlap there.
I was working in sensitive areas.
And our laboratory and my management gave me one order.
Please keep us out of the news.
I knew it was big.
I knew it was important because when it made the New York Times and,
the lab director talked to my director and said,
what in the world's going on here?
Are we involved?
What are we going to do?
You know?
And so we came to an understanding in the beginning.
And he said, take as much time as you want.
Do whatever you can to keep us out of the news and see if you can make us safe.
And so for over a year,
I spent the majority of my time working on that.
When Greek first discovered these hackers in the system,
he noticed that there were a few of them,
but they all kind of got bored because Ferm Lab didn't have anything that they wanted,
but the only one hacker that did stick around was Hagbard.
You know, our experimental systems, there's nothing there.
I mean, you know, we're not making bombs.
We're not sending astronauts to space.
You know, we're not doing anything that's in the paper.
So I think they just got bored with us,
with the exception of Hagbard, simply because he needed a system to do his own little development
on him. And so seeing we didn't bother him, he was perfectly happy just to log in there and use the
system as if it was his. And we just sat there and watched him all the time.
And Greg, through his time at Fermilab, had dealt with a number of hackers in the past.
Most of them being university kids, the kind that we've spoken about already in this episode.
So I asked him how Hagbar differed from those earlier hacks.
I thought, hey, this, you know, chasing after hacker business is really simple.
You look up the number.
You're all set.
Didn't work that way.
And getting law enforcement interested in this at all turned out to be a little bit of a challenge.
Getting law enforcement interested was very much a challenge.
You know, I called the FBI.
I had an agent come down.
He interviewed me.
I told him everything.
He wrote down pages and pages and pages and pages,
and he didn't understand a word I said.
And so he went back and he said, well, if anything exciting happens, let me know, right?
Now the FBI never actually charged Carl Koch or Hagbard, but he didn't have a happy ending.
He really didn't have a happy ending.
In 1989, Carl left his workplace and never returned, was found the month later where he was basically just bones.
He'd been shot.
The earth around him was completely scorched.
It was a not a good ending at all, no.
No.
but given everything that he'd been up to,
sort of conspiracy theories around his death
kind of flourished somewhat.
Yeah, for sure.
So there was the KGB stuff
and that's obviously going to stir up a bit of conspiracy,
especially around such a curious kind of death.
But Hagbar was also really quite heavily into drugs as well.
And Greg actually told me,
towards the end of Hagbart's time in their system,
he was very clearly and obviously becoming a bit less coherent
and a bit more all over the place
and making less and less sense.
So that drug use also fueled those conspiracy theories around his death as well.
And so I asked Greg, given the amount of headache and time and everything else that had gone into chasing Hagbard,
when he sort of started to learn what had happened and what went on,
how he kind of reconciled that and what he thought about it.
Initially, I was happy he was caught.
And it wasn't until Cliff came back from Germany.
And he told me the true story about Hagbard in his family life and his mother dying and not having any money and he can't find a job.
And going on and on, I said, man, this kid was really troubled.
I mean, he's had a rough life.
So I basically flipped real quick on him because he was a victim of many circumstances.
truly was a troubled person.
I think Greg was ahead of everyone too
because he got blackpilled on the internet
before the internet really existed.
Yeah, and he was recalling to me
a conversation that he had with someone
that was sort of involved in making some of these networks
and putting things together.
And Greg, from the very beginning,
had a much more pessimistic view
than a lot of people did about the internet
and what it was going to become.
I think he might have been the first person to say the internet was a mistake.
Maybe.
The internet is such a useful tool.
Everyone is going to use it for good.
They're not going to use it for evil.
And I'm sitting there saying, are you serious?
I didn't say it.
And sat back.
And, you know, that was the attitude of many of the network pioneers that
wrote the code for Unix and some of the first network equipment as well.
No, no one's going to abuse this.
Now, as much as it might have only been Greg at the time thinking the internet was going to be a
mistake, you know, you did have this sort of sense of unease out there in the general population
through the 80s, thanks to movies like war games and, you know, just general media coverage.
like almost had sort of satanic panic vibes.
Yeah, that's kind of the perfect way to sum it up, actually.
The War Games came out in 1983, actually the same year that the 414 has gotten a bit of trouble,
which later had them dubbed the War Games case.
But it was one of those movies that got a lot of people quite nervous,
but it wasn't appreciated by everyone in the actual scene.
Yeah, so it was almost like it made the average family a little bit scared,
but policymakers were like, eh, it's a movie, right?
Wow.
What?
We got something.
He found the right code word to play the game.
We're in.
But it was the wrong computer.
The movie War Games did not do any others any favors.
It's one of the things that fueled the downfall of the scene, not anything else.
Most of what people knew about computers and computer crime came from movies like
war games.
Russians are still denying everything, sir.
Who are you working with?
Nobody.
I don't have believed you.
This was something that it scared people, it spooked people, it worried people, but there
wasn't the same kind of fear about their credit cards or their personal information because
none of that was online yet.
Yeah, they weren't so much worried about their credit card details.
They were worried about like computers causing a nuclear war.
much less serious there but you know Tim from the 414s I mean he felt like that movie didn't really do them any favors
one of the things is saying we followed the movie which we didn't you know we were before way before
the movie so they're like well you you followed the movie we started in the 70s shall we play a game
and it wasn't just that one movie either but general media that loved a little bit of fair
mongering when it came to covering the hacking scene.
We weren't malicious.
They put more a malicious spin on everything.
It's news.
They're going to do what you've got to do to make newsworthy.
They really focused in on NASA.
NASA was the thing.
Oh, man, we can't have our satellites falling out of the sky because hackers are attacking us.
I mean, it was like that.
And, you know, that's the way the media works on virtually everything.
They've never changed.
The way computers were depicted in movies was either as an inherently evil technology
or as something that health criminals facilitate their crimes.
Now, as much as all of this was just fearmongering,
John Callis got a glimpse into the future and the fact that this stuff was going to be serious.
The problem with the fearmongering was that there was always a kernel of truth in it.
Stuff that I worked on was used in the London Stock Exchange.
It was used in fighter planes, despite the fact of not wanting to be in any military things.
Like, my stuff was used on every intermediate-range ballistic missile on both sides
because the Russians cloned vaxes and put them places because the stuff was good.
But, you know, it's like seeing your stuff being used for weapons of war and stuff that isn't good at all,
But they were also right in that there was this core of, yeah, fine.
It's like it's certainly theoretically possible that a kid having fun wanted to play computer games could start a nuclear war, but really it's not going to happen.
And you can't prove a negative.
So the fearmongering people have the advantage, and the fearmongering people ultimately win the narrative because fear sells.
I mean, today, things that are going on in the news, it's fear cells.
Nuclear destruction fear was a real thing.
It's like, I literally did not expect to live to be much past 30.
And, you know, party conversations included often things like,
so where are you going to run to when the bombs fall?
And, you know, that cultural fear you had to be there for.
So part of do you miss it, it's like, oh no, no, no.
It was, you know, God my heart sang when the Berlin Wall went down.
West Berliners greeted their brothers and sisters from the east with jubilation,
having themselves been surrounded by the world's most heavily guarded border for three decades.
And so there you have it, the 1980s in hacking.
Some of it anyway.
I do hope you enjoyed this episode, this first episode of how the world got owned,
looking at hacking in the 1980s.
Of course, we're going to be back with the 1990s
in the next edition of this series,
which is going to be,
you're going to be busy with that one, Ambelly.
I am, and I have a feeling
I'm going to be missing the niceness of the 80s as well.
It was a nice decade.
I have a feeling that's not going to last forever.
It doesn't last forever.
The 90s, I don't know, mixed bag, right?
Mixed bag, the 90s.
Still some good times.
I think things really start to go off the rails
in the knots and the tens.
I don't know, things just keep getting worse, right?
So that's the trajectory.
The trajectory ain't good.
All right, Ambley, thank you so much.
And let's roll on to the 90s.
Thank you, Pat.
See you, so on.
This has been a joint production between risky business media and Sentinel One.
How the World Got Owned was produced and researched by Amberly Jack
with some minor additional reporting and editing from me, Patrick Gray.
How the World Got Owned will return and cover the 1990.
in its next episode, which is coming soon.