Hacker Tradecraft · Volume 3

Hacker Tradecraft Volume 3 — History II: The Golden Age and Criminalization, 1980s–1990s

BBS culture and the warez nets, the 414s and the *WarGames* moral panic, the Computer Fraud and Abuse Act and the legal climate it created, the Morris Worm and the birth of CERT, *Phrack* and *2600* and the Legion of Doom, Operation Sundevil and the founding of the EFF, the Mitnick manhunt and its press myth, and DEF CON 1

Contents

Section | Topic
1 | About this volume
2 | The microcomputer explosion and the BBS underground
3 | WarGames (1983) and the public imagination — the 414s
4 | The CFAA (1986) and the criminalization wave
5 | The Morris Worm (1988) and the birth of the CERT
6 | The zines and the groups — Phrack, 2600, LoD, MoD
7 | Operation Sundevil, the Steve Jackson Games raid, and the founding of the EFF (1990)
8 | Kevin Mitnick — the manhunt, the myth, and the reconstructed reality
9 | The 1990s pivot — the web arrives, the commercial security industry emerges, DEF CON founded (1993)
10 | Cheatsheet updates
11 | Resources

1. About this volume

This is Volume 3 of the Hacker Tradecraft series — the second of three history volumes. Vol 2 traced the proto-hacker era from the late-1950s MIT Tech Model Railroad Club through the Bell System blue boxes and the Homebrew Computer Club. This volume picks up at the end of the 1970s, when the microcomputer had just become a consumer product and ARPANET was about to acquire the modems and dial-up gateways that would let teenagers in suburban basements reach it. It runs through the end of the 1990s, by which point the federal government had defined “computer crime” as a criminal-law category, the security industry had become a real industry, and the hacker conference had become an annual fixture of the cultural calendar. Vol 4[1] picks up in the 2000s with the maturation of the pentest profession, the APT era, and the ransomware industry.

The lens applied here is how the legal and technical environment that defines modern tradecraft came into being. Three things had to happen for the modern picture to exist: (a) hacking had to become visible — a thing the public knew existed, that journalists reported on, that legislators worried about; (b) it had to be criminalized as a distinct legal category, separate from theft of services or wire fraud; and (c) the practitioner community had to industrialize — develop the zines, conferences, mailing lists, employers, and shared toolchains that made it a profession rather than a hobby. The 1980s did (a) and (b); the 1990s did (c). By the time Vol 4 opens in 2000, the field has the same skeleton it has in 2026: a public consciousness, a body of federal law, a research community, a defensive industry, and a criminal industry. The flesh on the skeleton changes — APTs, ransomware-as-a-service, bug bounties — but the bones were set in this volume’s window.

The cast of characters in this volume is large. The 414s, John Markoff, Robert Tappan Morris, Phiber Optik, Acid Phreak, Erik Bloodaxe, The Mentor, Eric Corley, Taran King and Knight Lightning, Mitch Kapor, John Perry Barlow, John Gilmore, Steve Jackson, Tsutomu Shimomura, Kevin Mitnick, Jeff Moss. Most of them are still living. Many have written their own accounts, and where they have done so the accounts often conflict with each other and with the contemporaneous press coverage and with the court record. Hacker historiography for this era is unusually contested — the same incident is, for example, described very differently in Bruce Sterling’s The Hacker Crackdown[2], in John Markoff and Katie Hafner’s Cyberpunk[3], and in Kevin Mitnick’s Ghost in the Wires[4] — and where the accounts diverge this volume flags it rather than picking a side. The court records and the contemporaneous primary documents (the actual Phrack issues, the EFF’s founding documents, the published opinions in Steve Jackson Games v. United States Secret Service[5]) are the load-bearing sources; the journalism and the memoirs are colour.

A note on the “black-hat figure” framing for this volume: in keeping with the project-wide black/grey-hat content policy (see Vol 7 §1 and Vol 19, both forward-references), the treatments of Morris and Mitnick and the LoD/MoD principals here are factual and historical. What they did, when, the charges, the outcomes, the press response, and why each matters to the lineage of the craft are covered in depth. How to replicate a specific exploit — the actual injection payload, the social-engineering script verbatim, the precise patch state of the target — is not. The mechanism is described to the level the public engineering and legal record permits; the operational walkthrough is the kind of thing the court documents themselves redact, and this volume follows their example.


2. The microcomputer explosion and the BBS underground

The Homebrew Computer Club’s first meeting in March 1975 (see Vol 2 §6) ended the proto-hacker era’s institutional-mainframe assumption. The Altair 8800 cost $397 as a kit; by 1977 the Apple II, the TRS-80, and the Commodore PET were on retail shelves; by 1981 the IBM PC was on retail shelves at a typical price point of around $1,500 for a usable configuration[6]. The 1980s opened with the personal computer as a consumer product. What changed about hacking between 1979 and 1985 is that the population of people who had a hands-on computer in their home expanded from a few tens of thousands of hobbyists to several million households — and the population of people who had modems in their homes expanded with it.

The modem, as a piece of equipment, was the precondition for everything else in this volume. A 300-baud or 1200-baud modem (the Hayes Smartmodem 1200, released 1981, became the de-facto reference[7]) let a microcomputer dial another microcomputer over the public telephone network. The economics of the dial-up call were dictated by AT&T (and after 1984’s Bell System divestiture, by AT&T’s long-distance arm and the Regional Bell Operating Companies) — and the economics were unfriendly to teenagers. A long-distance call was tens of cents per minute, billed in full-minute increments, and a single evening of cross-country BBS calling could cost a hundred dollars. That economic friction is the explanation for both the local-board-clustering pattern of BBS culture and for the recurrence of phreaking technique into the 1980s: a kid with a blue box could reach the boards that a kid without one couldn’t afford to.

2.1 What a BBS was

A bulletin board system was, in its 1981–1991 form, a single microcomputer running BBS software (Ward Christensen and Randy Suess’s original CBBS in 1978; later TBBS, WWIV, PCBoard, RBBS-PC, the Amiga’s TAG, the Atari ST’s FoReM-ST, and many regional variants[8]) on a single telephone line. A caller dialed in with their modem, the BBS answered, and the caller entered a session — message areas, file-transfer areas (XMODEM, YMODEM, and ZMODEM were the dominant protocols), occasional door games, and the operator’s typically opinionated welcome screens. Most BBSes ran on one phone line; a few of the larger commercial-ish boards ran on two or three. There was no central directory. New boards were discovered by word-of-mouth in the message areas of existing boards, or by reading the phone-number lists in computer magazines.

The architecture had three properties that shaped its culture. First, it was asynchronous: a caller logged in, read what had been left for them, posted replies, and logged off; the next caller might be hours later. Discussion happened in slow-motion threads measured in days. Second, it was semi-anonymous: handles (the SysOp’s “Ghost Rider” and the user’s “Phantom” and “Phreak Master”) were the norm; the SysOp knew the user’s phone number from caller ID or call-back validation, and could in principle correlate it to a real identity, but most boards didn’t bother. Third, it was federated: each board was independent. There was no central authority that could shut down “the BBS scene” — only individual boards. FidoNet (Tom Jennings, 1984[9]) introduced a store-and-forward mail and discussion-area protocol that linked thousands of BBSes into a global network by the late 1980s, but FidoNet was still architecturally a graph of independent peers rather than a hub-and-spoke service.

For the underground specifically, the BBS architecture mattered because it produced the first technical-subculture community at sustained scale. The phreaks of the 1970s (Vol 2 §3–§4) had a community — letters, the occasional conference, YIPL/TAP magazine[10] — but it ran on the slower clock of postal mail. The BBSes ran the same kind of community on a daily clock. By 1984 there were already specialized “elite” boards (Plovernet, Sherwood Forest, OSUNY, ShadowSpawn, and many others) where the discussion was specifically about phreaking, cracking commercial software, and increasingly, breaking into other people’s computers.

2.2 Warez, t-files, and the file architecture of the scene

The file-transfer areas of the underground BBSes carried three categories of content that defined the era.

Warez was cracked commercial software — the new Lotus 1-2-3 release with its copy protection removed, the new Sierra adventure game with the manual-lookup protection patched out, the new compiler with its license check NOPed. The cracking groups (Future Crew, INC, FairLight, Razor 1911, and many others) formed in the mid-1980s and were structured almost like a permanent international competition: crack the new release first, slap on a custom intro (“crack-tro”) with the group’s logo and a scrolling greet, post it to a network of “release boards,” and watch the BBSes spread it to a network of “leech boards.” The demoscene grew directly out of the crack-tro tradition — when MS-DOS PC clones became the dominant platform in the late 1980s the European cracking scenes especially started competing on the quality of the crack-tro itself, and within a few years the crack-tro had detached from the warez and become an independent art form (the European demo competitions, Assembly and The Party and Demobit, are the modern descendants[11]).

T-files (text files, sometimes “philes”) were the underground’s information infrastructure — typed-up guides on phreaking, cracking, lockpicking, social engineering, drug synthesis, explosive synthesis (often dubious or actively dangerous), credit-card carding, BBS hacking. The classic format was an 80-column ASCII document with a hand-drawn ANSI/ASCII art header, written under a handle, hosted on a few major boards and replicated outward. The quality varied enormously. YIPL/TAP (the print magazine) and the early issues of Phrack (§6 below) were the high end; the typical message-base t-file was a high-school-kid cargo-cult re-transcription of something they didn’t fully understand. The lasting cultural artifact of the t-file tradition is The Mentor’s “Hacker Manifesto” (Loyd Blankenship, Phrack Issue 7 Phile 3, January 1986[12]), which started as a t-file and has been reprinted continuously ever since.

Source code and tools rounded out the file architecture. Early password crackers (the “Cracker Jack” for DOS, John the Ripper’s precursors), wardialer programs (ToneLoc, THC-Scan), demo-coder utilities, and various flavors of trojan and “logic bomb” code circulated through the same channels. The 1980s underground was thus the first organized peer-to-peer distribution network for offensive technique — predating Usenet’s similar role for the slightly-different post-academic crowd, predating the web by a decade, and operating on a network architecture (point-to-point dial-up) that made it almost impossible to take down centrally. You could only take down individual boards.

2.3 The lineage from BBS to modern community

The cultural patterns the BBS underground set are still operative. The handle culture (the persistent pseudonym attached to a body of work and reputation, separated from the real-world identity) lives on as the conference handle and the IRC nick and the Twitter/Mastodon handle and the GitHub username. The federation-of-independent-boards architecture lives on in the federation-of-independent-conferences pattern of the modern field (DEF CON / Black Hat / regional security cons). The combined warez/t-files/source-and-tools file architecture lives on as the combined IRC channels / blog ecosystem / GitHub repositories pattern of the modern community. The 1980s underground’s instinct for archiving everything — every t-file ever posted, every crack-tro intro, every issue of every zine — survives as the modern field’s enthusiasm for archiving primary documents (Textfiles.com[13], the Phrack archive at phrack.org, archive.org’s full holdings).

What changed between the 1980s underground and the modern scene is the legal climate, and that change is the topic of the next several sections. The BBS underground was operating in a window where unauthorized access to a computer was not yet a federal crime; the criminalization wave that closed that window started in 1984 with the CADCFAA, hardened in 1986 with the CFAA proper, and from then on every operator in the underground was making a different kind of decision about their work.

Era | Approx. dates | The community lives on…
Pre-BBS phreak underground | ~1967–1980 | YIPL/TAP, letters, the rare in-person convention, hobbyist newsletters
Classic BBS underground | ~1981–1991 | Dial-up boards (Plovernet, OSUNY, ShadowSpawn, etc.), FidoNet (1984+), early Phrack (1985+), 2600 (1984+)
Transitional Internet | ~1992–1996 | Usenet (alt.2600, alt.hacking, comp.security.*), IRC (EFnet’s #hack), early websites, BBS holdovers
Post-web modern era | ~1996+ | IRC + websites + mailing lists; later GitHub, Twitter/Mastodon, Discord, conference networks

Table 3.1 — The successive infrastructures of hacker community. Each new infrastructure was additive — the BBS scene didn’t die when IRC and the web arrived, it shrank — and there are people still running active BBSes in 2026 over telnet, though the population is small.

The canonical narrative source for the 1980s BBS-underground period is Bruce Sterling’s The Hacker Crackdown: Law and Disorder on the Electronic Frontier[2], which Sterling explicitly placed in the public domain shortly after publication; the full text remains freely available via Project Gutenberg at https://www.gutenberg.org/ebooks/101. Slatalla and Quittner’s Masters of Deception[14] covers the Legion of Doom / Masters of Deception years (§6) in similar reported depth. Both are journalism, not engineering documents; cross-checking against the Phrack issues themselves (http://phrack.org/issues/), the Computer Crime court records, and the Sterling-era EFF documents is the right move for any specific factual claim.


3. WarGames (1983) and the public imagination — the 414s

The general public mostly didn’t know hacking existed until 1983. Two events that year — one a Hollywood film, the other an actual federal investigation — converged in roughly six months to introduce “the teenage computer hacker” into the American cultural vocabulary as a recognizable figure. The figure has been with us since.

3.1 WarGames (June 1983)

WarGames, directed by John Badham, premiered June 3, 1983[15]. The plot — a teenage hobbyist with a TRS-80 and a modem accidentally dials into NORAD’s nuclear-command computer, mistakes it for a game development system, and nearly starts World War III by playing “Global Thermonuclear War” against it — is now part of the cultural canon. As a movie, it was a competent middlebrow Cold War thriller; as a cultural artifact, it was something stranger. Two things about WarGames mattered for the lineage this volume is tracing:

First, it was the first sympathetic Hollywood portrayal of a hacker as a recognizable character type. Matthew Broderick’s character (David Lightman) was a clever, somewhat alienated suburban high-school kid whose technical skills the adults around him systematically failed to take seriously. The film treated his computer interest as an asset, not a deficiency. Every teenager in 1983 who had a modem suddenly had a cultural script for what they were doing. The film also introduced specific tradecraft to the public — wardialing (sequentially dialing every phone number in a prefix looking for modems that answered) was named in the film and entered the technique vocabulary directly; the term has been in continuous use since[16].

Second, the film alarmed legislators. Within months of the film’s release, congressional hearings were being held on computer security; the August 1983 Newsweek cover story “Beware: Hackers at Play”[17] established the press narrative; and a House subcommittee held the first formal hearings on computer crime later that year[18]. The film was specifically invoked in those hearings — Representative Dan Glickman screened a clip during one. The contemporaneous quote that traveled the furthest was variously attributed to several legislators: “WarGames is happening for real.” Whether or not anyone in NORAD actually treated the film as a security wake-up call (the historiography is mixed — see [19] for the much-told story about Reagan asking the Joint Chiefs whether the scenario was plausible), it gave Congress political cover to start passing computer-security legislation, which they did within two years.

The recurring observation is that the film retroactively scripted a community that already existed. The phreaks and the BBS underground (§2) had been operating since the late 1970s; WarGames introduced them to the rest of the country with a sympathetic-but-still-anxiety-inducing frame, and the country has not since had a non-anxious cultural relationship with computer hackers.

3.2 The 414s — the parallel actual case

The synchronicity is the part nobody quite plans. While WarGames was in theaters in the summer of 1983, the FBI was investigating an actual group of teenage computer intruders that journalists, with the film fresh in their minds, would soon dub the 414s[20]. The 414s were six young men from Milwaukee, Wisconsin — aged 16 to 22 at the time, working out of suburban Milwaukee (telephone area code 414) — who had used home computers and modems to access something on the order of 60 computer systems around the United States. The targets included Memorial Sloan-Kettering Cancer Center in New York, Los Alamos National Laboratory, the Security Pacific National Bank, and a number of less-newsworthy systems[21]. They had reached most of these via default credentials and weak password discipline — the systems were unprotected by the standards of the era because the era’s “standards” were genuinely that low.

The technical mechanism was straightforward to the point of banality. The 414s had wardialed for modems within a numbering prefix, identified ones that answered (typically with the relatively-identifiable bell tones and prompt strings of a DEC VAX or a Honeywell minicomputer login banner), and tried common default credentials. The credentials worked, repeatedly, because in 1983 system administrators routinely left default-installed administrative accounts in place — SYSTEM/MANAGER on VMS, FIELD/SERVICE on various PDP-11 environments, and a number of similarly memorable combinations. Once inside, the 414s mostly looked around. They did not, by the assessment of the eventual FBI investigation, do significant damage. At Sloan-Kettering they did inadvertently delete a billing-records file, which was the most cited harm[22].
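A defender-side illustration of the sweep pattern just described, added here as an example and not code from the original article or from any tool it names: it scans a constructed, simplified call-detail-record (CDR) log and flags a caller that dials a dense block of numbers in one prefix with the short, uniform call durations a modem sweep produces. The CDR field layout, the thresholds, and the sample numbers are assumptions.

```python
"""Flag wardialing sweeps in call-detail records (CDR).

Simplified, constructed CDR format assumed by this example:
    <ISO-8601 timestamp>,<calling number>,<called number>,<duration seconds>
A sweep shows up as one caller reaching many distinct numbers in the same
prefix within a short window, with a dense spread of numbers and short,
uniform durations. Density rather than strict sequence is tested, so a
sweep dialed in shuffled order is still caught.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: caller 4145550199 sweeps 555-0100 through 555-0107
# with ~12-second calls; the other two callers place ordinary calls.
SAMPLE_CDR = """\
1983-06-14T22:01:05,4145550199,4145550100,12
1983-06-14T22:01:30,4145550199,4145550101,11
1983-06-14T22:01:55,4145550199,4145550102,13
1983-06-14T22:02:20,4145550199,4145550103,12
1983-06-14T22:02:45,4145550199,4145550104,45
1983-06-14T22:03:10,4145550199,4145550105,12
1983-06-14T22:03:35,4145550199,4145550106,11
1983-06-14T22:04:00,4145550199,4145550107,12
1983-06-14T22:01:00,4145550050,2125550123,600
1983-06-14T22:30:00,4145550051,4145550104,300
"""


def parse_cdr(text):
    """Parse CDR lines into (timestamp, caller, called, duration) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, caller, called, dur = line.split(",")
        records.append((datetime.fromisoformat(ts), caller, called, int(dur)))
    return records


def detect_sweeps(records, window=timedelta(minutes=10), min_numbers=6,
                  prefix_len=7, max_median_duration=30, min_density=0.5):
    """Return one finding per (caller, prefix) whose densest window of calls
    reaches min_numbers distinct numbers, has a median call duration of at
    most max_median_duration seconds, and covers at least min_density of the
    numeric range it spans. Thresholds are assumptions to be tuned per site."""
    by_key = defaultdict(list)  # (caller, prefix) -> [(ts, called, duration)]
    for ts, caller, called, dur in records:
        by_key[(caller, called[:prefix_len])].append((ts, called, dur))

    findings = []
    for (caller, prefix), calls in by_key.items():
        calls.sort()  # chronological order
        best, start = None, 0
        for end in range(len(calls)):
            # Advance the window start until the span fits inside `window`.
            while calls[end][0] - calls[start][0] > window:
                start += 1
            win = calls[start:end + 1]
            numbers = sorted({int(c) for _, c, _ in win})
            if len(numbers) < min_numbers:
                continue
            durations = sorted(d for _, _, d in win)
            median = durations[len(durations) // 2]
            density = len(numbers) / (numbers[-1] - numbers[0] + 1)
            if median > max_median_duration or density < min_density:
                continue
            if best is None or len(numbers) > best["distinct_numbers"]:
                best = {
                    "caller": caller,
                    "prefix": prefix,
                    "distinct_numbers": len(numbers),
                    "median_duration": median,
                    "density": round(density, 2),
                    "first": win[0][0].isoformat(),
                    "last": win[-1][0].isoformat(),
                }
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_sweeps(parse_cdr(SAMPLE_CDR)):
        print(f"sweep: caller={f['caller']} prefix={f['prefix']} "
              f"numbers={f['distinct_numbers']} median={f['median_duration']}s "
              f"density={f['density']} {f['first']}..{f['last']}")
```

The same logic applies to a modern PBX or SIP trunk export once the four fields are mapped; the modem-answer case is only one of the short-duration signatures a sweep leaves.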

The 414s’ case mattered to the lineage of this volume for two reasons. First, it was the first widely-publicized federal investigation of a non-financial computer intrusion case in the United States. The press, primed by WarGames and the Newsweek cover, ran the story extensively; Time, Newsweek, 60 Minutes, the major dailies — all covered the case. Neal Patrick, the 17-year-old most prominently featured, ended up testifying before Congress; he is, in some sense, the first teenage computer hacker the public had a name for. Second, the legal handling of the case revealed the statutory gap that the CFAA would shortly fill. The 414s were charged with what was available — making harassing phone calls, computer-related theft of services under state law — but the federal prosecutors found themselves without a clean federal statute that covered what the kids had actually done, which was access to a computer without authorization. Most of the 414s were not prosecuted; Neal Patrick was given immunity in exchange for congressional testimony. The visible legal exposure was light; the political exposure was the point.

That gap drove the 1984 CADCFAA and the 1986 CFAA, both covered in §4 below.

Date | Event
~1981–1983 | The 414 group forms, operates through ~60 systems via wardialing + default credentials
May–June 1983 | Several of the targets notice the intrusions, contact the FBI
June 3, 1983 | WarGames premieres
August 1983 | FBI raids the 414s in Milwaukee; the case becomes public
Sept 5, 1983 | Newsweek “Beware: Hackers at Play” cover, with Neal Patrick on the cover
Sept 26, 1983 | Neal Patrick testifies before the House Subcommittee on Transportation, Aviation and Materials (Computer and Communications Security and Privacy hearings)[18]
Oct 1983 | Several similar hearings continue through the fall
1984 | The CADCFAA passes — the predecessor statute to the CFAA

Table 3.2 — The 1983–84 timeline that drove the criminalization wave. The film, the case, the cover, the hearings, the statute. About 14 months end-to-end from premiere to predecessor statute.

The lesson the 1983 events drove home for every hacker reading the news — phreak, BBS sysop, warez kid, whoever — was that the legal environment had changed. By the end of 1984 the federal government had a statute (the CADCFAA), and by 1986 it had a substantially broader statute (the CFAA); the cost of the activity had risen from “trespass, maybe theft of services” to “federal felony.” The cultural shock-wave from WarGames and the 414s thus had a delayed legal echo that arrived two years later, and never left.


4. The CFAA (1986) and the criminalization wave

The Computer Fraud and Abuse Act, 18 U.S.C. § 1030, is the single most consequential piece of legislation for everything that happens in the rest of this series. Every hat distinction in Vols 6–12 rests on it (or its international analogs — UK Computer Misuse Act 1990; Australia Cybercrime Act 2001; the Council of Europe’s Budapest Convention). Every “without authorization” question in modern security work is a CFAA question. Every legitimate pentest scope letter is, in legal terms, a defense against a CFAA charge that hasn’t been filed. Vol 19[23] gives the statute its full operational treatment; this section is the historical-context treatment — how it came to exist, what it actually says, and how its load-bearing phrase (“without authorization or exceeds authorized access”) has been read by courts.

4.1 The predecessor statute — CADCFAA (1984)

The first federal computer-crime statute in the United States was the Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (CADCFAA), enacted October 12, 1984 as part of the Comprehensive Crime Control Act, Pub. L. 98-473[24]. Driven directly by the post-414s congressional hearings (§3.2), it criminalized three narrow categories of computer access: (a) accessing classified information without authorization; (b) accessing financial records or credit information; and (c) accessing government computers. It was a relatively cautious statute — its drafters worried about overcriminalization, and the scope was therefore narrow. It also contained provisions on counterfeit access devices (credit-card-related — the “Counterfeit Access Device” in the name).

The CADCFAA was, in retrospect, a placeholder. Within 18 months Congress was already drafting its replacement. The political cause was a sense that the 1984 act was both too narrow (it didn’t cover non-financial intrusions of private-sector systems, which is most of what the 414s had done) and too vague in its definitions. The 1986 replacement was the act that has been the dominant statute since.

4.2 The CFAA — Pub. L. 99-474 (1986)

The Computer Fraud and Abuse Act, enacted October 16, 1986 as Pub. L. 99-474[25], replaced the access-device-related provisions of 18 U.S.C. § 1030 with a substantially expanded set of prohibitions. The 1986 act, as subsequently amended, is what we mean today by “the CFAA.” Its structure as it stands in 2026 (after amendments in 1988, 1989, 1990, 1994, 1996, 2001, 2002, and 2008) is approximately the following[26].

§ 1030(a) subsection | Prohibited conduct | Notes
(a)(1) | Accessing a computer without authorization, obtaining national-security information, and willfully communicating it | Espionage statute; rarely charged standalone, often paired with the Espionage Act
(a)(2) | Intentionally accessing a computer without authorization or exceeding authorized access, and obtaining (A) financial record information from a financial institution, (B) information from any U.S. department/agency, or (C) information from any protected computer | The workhorse provision. (C) is broad enough to reach essentially any computer connected to the Internet
(a)(3) | Intentionally accessing without authorization any non-public computer of a U.S. department or agency | Government-system trespass
(a)(4) | Knowingly and with intent to defraud, accessing a protected computer without authorization (or exceeding) and by such conduct furthering the intended fraud and obtaining anything of value | The fraud-by-computer provision
(a)(5) | Three sub-prohibitions: (A) knowingly causing the transmission of a program, code, or command intentionally damaging a protected computer; (B) intentionally accessing without authorization and recklessly causing damage; (C) intentionally accessing without authorization and causing damage and loss | The malware / DoS / damage provision. The Morris case (§5) was charged under the predecessor of (A)
(a)(6) | Knowingly and with intent to defraud trafficking in passwords or similar information | Credential-trafficking
(a)(7) | Computer-related extortion — threatening to damage a protected computer, or threatening to obtain information from one, or demanding money in connection with extortion involving a protected computer | The provision that covers most ransomware-extortion cases when prosecuted under U.S. federal law (often paired with Hobbs Act / wire fraud)

Table 4.1 — The CFAA’s operative subsections as of 2026, summarized. The current statute is at 18 U.S.C. § 1030. Vol 19 reads the text in full operational detail; this table is the historical-reference index.

The technical engineering reader will notice that the act criminalizes conduct (“accesses a computer without authorization or exceeds authorized access”) rather than technique (the act says nothing about exploit type, network protocol, or method). This was deliberate — Congress wanted a statute that would not become technologically obsolete — and it has the effect that the statute applies just as cleanly to a 2026 cloud-API-key abuse case as it does to the kind of 1986-era dial-up VAX trespass it was drafted for. The trade-off, which has become the subject of three decades of litigation, is that “without authorization” and “exceeds authorized access” are not technically defined terms in the statute, and what they mean has been a moving target.

4.3 The “without authorization / exceeds authorized access” question

The load-bearing phrase in § 1030(a)(2) and several other subsections is “without authorization, or exceeds authorized access.” A great deal turns on what “exceeds authorized access” means. The narrow reading: it means using credentials you have to access data or files you weren’t supposed to reach — the database administrator who pulls customer records to sell to a private investigator (this was, almost exactly, the Van Buren fact pattern). The broad reading: it means using credentials you have to violate the terms of service or use policy of the system — the employee who uses their work computer to check personal email in violation of the AUP, the researcher who scrapes a website in violation of its robots.txt or terms-of-use.

For about two decades the broad reading was ascendant in some circuits, with the result that the CFAA was being used to charge cases that looked very far from anything the drafters had in mind. The Aaron Swartz case in 2011–13 (JSTOR scraping, MIT campus network access; covered in Vol 4) was the high-profile pressure point. The Ninth Circuit’s United States v. Nosal (2012, en banc) had already rejected the broadest reading of “exceeds authorized access” within its circuit; in 2021, the Supreme Court resolved the circuit split with Van Buren v. United States, 593 U.S. 374 (2021), No. 19-783; 141 S. Ct. 1648[27], adopting the narrow reading — “exceeds authorized access” reaches conduct where the defendant accesses files, folders, or databases that are off-limits even given valid credentials, but does not reach conduct where the defendant uses valid credentials to access files they’re authorized to see, even if they do so for an improper purpose.

Van Buren substantially narrowed the CFAA. It did not, however, narrow it to the point of irrelevance. The “without authorization” prong remains broad; what Van Buren removed was the most expansive reading of “exceeds authorized access.” Aggressive prosecution of unauthorized access cases remains routine.

4.4 Stacked-charges geometry — the aggregation effect

The other CFAA-mechanics issue worth understanding from an engineering perspective is that the statute’s counting rules can produce charge stacks that look numerically wild given the actual conduct. Each access to each protected computer can be charged as a separate violation. Each separate “transmission” of a malicious program (§ 1030(a)(5)(A)) can be charged separately. Penalty enhancements stack — financial-loss thresholds, repeat-offender status, conspiracy charges (18 U.S.C. § 371), wire-fraud counts (18 U.S.C. § 1343). The result, throughout the 1990s and 2000s, was that hacking defendants were routinely charged with statutory exposure of decades, sometimes a century, of imprisonment. The actual sentences (after plea agreements and judicial discretion) almost never came close to that figure, but the charge stack was used to drive plea negotiations[28].

This is the mechanic that defines the legal climate every hat in Vols 6–12 operates inside. It’s not that a CFAA charge guarantees a long sentence — most don’t, post-trial. It’s that the theoretical exposure is high enough that defendants almost always plead, and the resulting record of CFAA convictions is mostly plea-bargained. The “what would actually happen at trial” question is undertested precisely because the system is structured to discourage going to trial.

Danger callout — the CFAA’s reach in 2026. The CFAA applies to any computer connected to the Internet (the “protected computer” definition under § 1030(e)(2)(B) reaches any computer “used in or affecting interstate or foreign commerce or communication,” which is essentially every modern computer). It applies to any unauthorized access, regardless of motive, technique, or harm — though motive, technique, and harm affect penalty levels. Van Buren narrowed the “exceeds authorized access” prong but did not narrow the “without authorization” prong. Owning the hardware is the bright-line distinction that makes most home-lab and CTF work safe; written, signed, scoped authorization is the distinction that makes commercial pentest work safe. Anything in between sits in the grey-hat territory Vol 8 treats. Vol 19 covers the operational reading of the statute and its non-U.S. analogs.
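One way to operationalize the callout’s “written, signed, scoped authorization” line, as an added example that is not the article’s or any project’s own code: a scope check that refuses a target unless it falls inside the authorized networks or hostname patterns, is not on the exclusion list, and the planned activity lands inside the authorized window. The scope dictionary layout, its field names, and the sample values are assumptions.

```python
"""Check a proposed target against a written authorization scope.

The scope dictionary below is a constructed transcription of what a signed
scope letter would contain; its layout and field names are assumptions of
this example. Deny is the default: a target is allowed only if the planned
time falls in the authorized window, the target is not explicitly excluded,
and it matches an authorized network (IP) or hostname pattern (name).
"""
import ipaddress
from datetime import datetime

SAMPLE_SCOPE = {
    "client": "Example Corp (constructed)",
    "networks": ["203.0.113.0/24", "2001:db8:1::/48"],
    "hostnames": ["*.test.example.com", "vpn.example.com"],
    "excluded_hosts": ["203.0.113.7", "hr.test.example.com"],
    "window": ("2026-03-02T00:00:00+00:00", "2026-03-06T23:59:59+00:00"),
}


def parse_time(iso):
    """Parse an ISO-8601 timestamp with offset into an aware datetime."""
    when = datetime.fromisoformat(iso)
    if when.tzinfo is None:
        raise ValueError("scope timestamps must carry a UTC offset")
    return when


def _as_ip(value):
    """Return an ip_address object, or None if `value` is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _host_matches(host, pattern):
    """Exact match, or '*.example.com' matching any proper subdomain.
    The apex ('example.com') does not match the wildcard form."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def check_scope(target, scope, when):
    """Return (allowed, reason) for testing `target` at aware datetime `when`."""
    start, end = (parse_time(t) for t in scope["window"])
    if when.tzinfo is None:
        return False, "planned time must be timezone-aware"
    if not (start <= when <= end):
        return False, f"{when.isoformat()} is outside the authorized window"

    addr = _as_ip(target)
    if addr is not None:
        # Exclusions win over any network grant.
        for ex in scope["excluded_hosts"]:
            if _as_ip(ex) == addr:
                return False, f"{target} is explicitly excluded"
        for net in scope["networks"]:
            if addr in ipaddress.ip_network(net, strict=False):
                return True, f"{target} is inside authorized network {net}"
        return False, f"{target} is not inside any authorized network"

    for ex in scope["excluded_hosts"]:
        if _as_ip(ex) is None and _host_matches(target, ex):
            return False, f"{target} is explicitly excluded"
    for pat in scope["hostnames"]:
        if _host_matches(target, pat):
            return True, f"{target} matches authorized pattern {pat}"
    return False, f"{target} matches no authorized hostname pattern"


if __name__ == "__main__":
    now = parse_time("2026-03-04T12:00:00+00:00")
    for t in ["203.0.113.42", "203.0.113.7", "web1.test.example.com",
              "hr.test.example.com", "test.example.com", "198.51.100.5"]:
        print(t, "->", check_scope(t, SAMPLE_SCOPE, now))
```

A hostname that is in scope can resolve to infrastructure that is not (a CDN edge, a third-party host), so in practice resolve each name and run the resulting addresses through the same check before touching them.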

The 1986 CFAA, then, is the legal climate shift the rest of this volume sits inside. Everything from the Morris case onward gets prosecuted under it or its amendments. The lineage from the 414s’ “we didn’t know what to charge them with” outcome in 1983 to the Morris prosecution in 1990 (§5) is fast: the cost of unauthorized access went from civil/administrative to felony in roughly five years, and it has not gone back.


5. The Morris Worm (1988) and the birth of the CERT

The first internet worm, and arguably the inaugural event of the modern security era, was released onto the ARPANET-becoming-Internet on the evening of November 2, 1988, by Robert Tappan Morris, then a first-year Cornell University graduate student. The worm propagated rapidly across thousands of systems, brought a substantial fraction of the connected Internet to a halt for two to three days, and triggered the first organized national-scale incident-response coordination — and the founding, three weeks later, of the CERT Coordination Center at Carnegie Mellon’s Software Engineering Institute. It was also the first federal felony prosecution under the year-and-a-half-old CFAA.

Robert Tappan Morris in 2008, twenty years after the worm. By 2008 Morris was a tenured professor at the MIT Computer Science and Artificial Intelligence Laboratory and a founder of Y Combinator (he is "rtm" in the YC partner list to this day). His career arc — graduate-student worm author, federal CFAA defendant, eventual MIT professor — is one of the more pointed counterexamples to the "hacker = career-ender" narrative the 1990s legal discourse otherwise produced. Photo: File:Robert Tappan Morris.jpg by Trevor Blackwell. License: CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ARobert%20Tappan%20Morris.jpg).

Figure 3.1 — Robert Tappan Morris, 2008. File:Robert Tappan Morris.jpg by Trevor Blackwell. License: CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ARobert%20Tappan%20Morris.jpg).

5.1 The propagation mechanics

The worm was a roughly 99-line C program (the “grappling hook”) plus a larger object file that the grappling hook fetched from the infected system once it had established a foothold[29]. The grappling hook was small enough to be sent through whichever of the three propagation channels had succeeded, and its job was to bootstrap the rest of the worm on the new host. The three propagation channels were the load-bearing piece of the worm’s design:

Channel 1 — the fingerd stack overflow. The 4.3BSD fingerd daemon used the standard-library gets(3) function to read its input from the network. gets() reads until a newline, with no bound on the buffer length — and the buffer in question was a 512-byte stack allocation. Morris’s worm sent fingerd a 536-byte payload: 400 bytes of NOP-equivalent filler, machine code that did execve("/bin/sh"), and the right address overwritten into the return-address slot of the saved stack frame[30]. The shell ran with fingerd’s privileges (often root on BSD systems of the era), and the worm proceeded from there.

This is the first widely-publicized buffer-overflow attack against an Internet service. Buffer-overflow vulnerabilities had been known to academic researchers for years (the Multics security analyses identified the class formally in the early 1970s[31]); the practical exploitation technique on Unix was understood in a small circle. The Morris worm made it operational at scale on the Internet for the first time. Aleph One’s “Smashing the Stack for Fun and Profit” — the seminal Phrack article on stack-overflow exploitation — was still eight years away, in Phrack Issue 49, 1996[32]. The mechanism Morris exploited in fingerd became the prototype for an exploitation tradition that dominated the late-1990s and 2000s.

Channel 2 — the sendmail DEBUG-mode trapdoor. Eric Allman’s sendmail mail transfer agent (the dominant SMTP MTA of the era) shipped, on most BSD installations, with a DEBUG mode that allowed a connecting SMTP client to specify a command pipeline as the destination of a mail message — effectively a “send mail to a program” feature intended for testing[33]. Sendmail’s documentation said the DEBUG feature should be compiled out before installing in production. Most administrators did not do this. The worm SMTP’d to the target, switched the conversation into DEBUG mode, and used the resulting command pipeline to write its grappling hook to a file on the target and run it. Privilege level: whatever sendmail ran as on the target, which was almost always root.

Channel 3 — rsh/rexec and weak passwords. The Berkeley rsh/rexec remote-shell suite used a host-based trust model: hosts listed in /etc/hosts.equiv (system-wide) and ~/.rhosts (per-user) could log in without a password from peer hosts in the trust list. The worm read hosts.equiv and .rhosts files on the infected host, identified peer hosts, and then attempted to rsh to each. If that failed (the trust wasn’t symmetric, for instance), the worm fell back to rexec with a list of common passwords against the user account names it had found in /etc/passwd — a small built-in dictionary (a few hundred entries) of words like aaa, academia, the user’s own login name reversed, etc.[34]. This is the first widely-publicized password-dictionary attack at Internet scale.

   Morris Worm propagation, simplified.

   ┌─────────────────────────────────────────────────────────────────────┐
   │   Infected host (Host A)                                            │
   │                                                                     │
   │   Maintain list of candidate target hosts:                          │
   │   ┌ peer hosts from /etc/hosts.equiv, ~/.rhosts, ARP cache          │
   │   ├ hosts listed in /etc/hosts.equiv on Host A                      │
   │   └ hosts the worm has already seen tried                           │
   └──────────────┬──────────────────────────────────────────────────────┘

                  │  pick a target Host B

   ┌────────────────────────────────────────────────────────────────────┐
   │   Try three channels in parallel against Host B:                   │
   │                                                                    │
   │   (1) fingerd                  (2) sendmail              (3) rsh   │
   │       ─────────                    ────────                  ───   │
   │       Send 536-byte payload         SMTP HELO + MAIL FROM     loop:│
   │       to port 79.                   then  DEBUG mode          for  │
   │       Overflow gets()               then "recipient" =        each │
   │       buffer in stack-              "| sed -e '1,/^$/d' |     usr  │
   │       frame.                        sh"  to pipe message      try  │
   │       Return address                body into shell.          rsh; │
   │       → injected shellcode →        Drop grappling hook       on   │
   │       execve "/bin/sh".             into /tmp/x14481.c,       fail:│
   │       Now shell at fingerd's        compile, run.             try  │
   │       privs (usually root).                                   rexec│
   │                                                               with │
   │                                                               dict.│
   └──────────────┬───────────────────────┬───────────────────────┬─────┘
                  │                       │                       │
                  │ on any success:       │                       │
                  ▼                       ▼                       ▼
   ┌────────────────────────────────────────────────────────────────────┐
   │   Grappling hook running on Host B.                                │
   │   - Connect back to Host A                                         │
   │   - Pull main worm binary (architecture-specific: SUN-3 m68k or    │
   │     VAX 4.3BSD)                                                    │
   │   - Try to compile from source if binary doesn't match             │
   │   - Run main worm. Erase tracks. Forget Host A in propagation list.│
   │   - Spawn child every ~15 minutes (anti-reinfection check often    │
   │     fails — this is why the worm fork-bombed the Internet)         │
   └──────────────┬─────────────────────────────────────────────────────┘


                infect more hosts; eat all CPU on each; collapse
                the Internet into unresponsiveness over 2-3 days.

Figure 3.2 — The Morris worm’s three-channel propagation. The fingerd overflow and the sendmail DEBUG channel got root-level execution; the rsh/rexec+dictionary channel got the same user-level access the original user had. The aggregate effect on the Internet was driven less by the worm’s propagation rate (which was actually moderate) than by its anti-reinfection check (a flag passed between worm instances on a TCP port) being defeatable by a coin-flip — so the same host could be reinfected dozens of times, and each running worm-instance consumed substantial CPU. The Internet didn’t go down because the worm was fast; it went down because every infected host became unresponsive.

5.2 The blast radius

There were approximately 60,000 computers on the Internet on November 2, 1988[35]. Eichin and Rochlis’s MIT post-mortem, and Spafford’s Purdue post-mortem, both estimated that the worm infected approximately 6,000 systems — about 10% of the Internet of the time — at peak[36]. The peak persisted for two to three days. The actual rate of infection was constrained by the worm’s grappling-hook + binary-pull architecture; each propagation cycle took on the order of seconds rather than the sub-second rates later worms (Code Red, SQL Slammer) would achieve. The real damage was the fork-bomb effect of the anti-reinfection bug: a single host could be infected by dozens of running worm processes, each consuming a substantial fraction of available CPU, with the result that infected hosts ceased to respond to operators logging in.

Eichin and Rochlis’s MIT team analyzed the worm by disassembling captured copies and reverse-engineering its behavior[29]. Spafford and his Purdue group did the same work independently[36]. Both produced canonical post-mortems within months — these are still the load-bearing engineering references for the worm’s actual behavior. Mark Eichin and Jon Rochlis’s “With Microscope and Tweezers” paper from February 1989, and Spafford’s “The Internet Worm Program: An Analysis” from June 1989 (later published in CACM), are required reading for anyone interested in the actual mechanism rather than the legend.

Numeric callout — the worm’s actual code path through fingerd. The vulnerability was the gets(3) call in fingerd’s main() reading a 512-byte stack buffer. The payload Morris sent was 536 bytes — enough to overflow the buffer, then the saved frame pointer, then overwrite the saved return address with the address of the buffer itself (0xefffefxx on the VAX 4.3BSD stack of the era). The buffer contained ~400 bytes of NOP-equivalent padding (specifically mov instructions whose effect was inert, since the VAX didn’t have a NOP of the right size), then a small shellcode payload that did execve("/bin/sh", ...). When fingerd returned from the function reading input, control transferred to the buffer, the inert padding ran (giving the address calculation some tolerance to imprecision), and then the shellcode ran. This is exactly the pattern that Aleph One would canonicalize in Phrack 49 (1996) eight years later — buffer + NOP-sled + shellcode + return-address overwrite. The Morris worm is the first widely-known field deployment of the technique[37]. (The pattern was independently rediscovered many times in the late 1990s; many academics and practitioners thought of it as new in 1996. It was not new — Morris had used it in production in 1988.)
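The root cause in Channel 1 and in the callout above is an unbounded read into a fixed-size stack buffer. The following is an added example, not code from the worm, from 4.3BSD, or from this volume: the gets()-style pattern shown for comparison beside a bounded reader that rejects an oversize request line, driven through an in-memory stand-in for the socket. The 536-byte filler line mirrors only the payload length given above; the function names read_request_line, classify_request and classify_filler_line are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L  /* for fmemopen() */
#include <stdio.h>
#include <string.h>

#define REQ_BUF 512  /* the 4.3BSD fingerd request buffer was 512 bytes on the stack */

/* Result of reading one request line from the peer. */
enum req_status { REQ_OK = 0, REQ_TOO_LONG = -1, REQ_EOF = -2 };

/*
 * The 1988 pattern, shown for comparison and never called here: the
 * equivalent of gets() into a fixed-size buffer. The loop stops only at a
 * newline or EOF, never at the end of buf, so a line longer than the buffer
 * overwrites whatever the stack holds after it (saved frame pointer, return
 * address). The 536-byte request described above depended on exactly that.
 */
void read_request_line_unbounded(FILE *in, char *buf)
{
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        *buf++ = (char)c;
    *buf = '\0';
}

/*
 * Hardened reader: fgets() stops after buflen-1 bytes. If the newline did not
 * arrive within the buffer, the line is either exactly full or too long; a
 * too-long line is drained and rejected rather than processed, so its
 * remainder cannot be mistaken for the next request.
 */
int read_request_line(FILE *in, char *buf, size_t buflen)
{
    if (fgets(buf, (int)buflen, in) == NULL)
        return REQ_EOF;

    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';          /* normal case: the whole line fit */
        return REQ_OK;
    }

    /* No newline in the buffer: look at the next byte on the wire. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return REQ_OK;              /* content fit; only the terminator was left */

    while (c != EOF && c != '\n')   /* discard the rest of the oversize line */
        c = fgetc(in);
    buf[0] = '\0';
    return REQ_TOO_LONG;
}

/* Run the hardened reader over a constructed in-memory stand-in for the socket. */
int classify_request(const char *wire, size_t wirelen)
{
    char buf[REQ_BUF];
    FILE *in = fmemopen((void *)wire, wirelen, "r");
    if (in == NULL)
        return REQ_EOF;
    int rc = read_request_line(in, buf, sizeof buf);
    fclose(in);
    return rc;
}

/* Constructed input: one request line made of `len` filler bytes plus a newline. */
int classify_filler_line(size_t len)
{
    char wire[1024];
    if (len + 1 > sizeof wire)
        return REQ_EOF;
    memset(wire, 'A', len);
    wire[len] = '\n';
    return classify_request(wire, len + 1);
}

int main(void)
{
    printf("100-byte line: %d\n", classify_filler_line(100));   /* 0  (REQ_OK) */
    printf("536-byte line: %d\n", classify_filler_line(536));   /* -1 (REQ_TOO_LONG) */
    return 0;
}
```

With a 512-byte buffer the bounded reader accepts up to 511 bytes of content and rejects anything longer, which is the length check the 1988 daemon lacked.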

5.3 The response

The response was organized chaos. By November 3, system administrators across the country were exchanging information by phone and via the few mailing lists that hadn’t been swamped by the worm; the cs.purdue.edu, mit-eddie.mit.edu, and Berkeley-cad mailing lists were running with anyone who could still get an outbound connection contributing. DARPA, faced with this informal scrum being the entire incident-response capacity of the nascent Internet, decided in the immediate aftermath that the country needed something more durable. On November 17, 1988, DARPA chartered the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University’s Software Engineering Institute, funded under existing SEI contract authority[38]. CERT/CC is, in a real sense, the Morris Worm’s most lasting legacy. The institution’s structure (a clearinghouse for vulnerability reports and incident coordination, operating with both vendor and operator relationships) became the template for the national-level CERTs in dozens of other countries (AusCERT, JPCERT/CC, CERT-IN, BSI-CERT, etc.) and for the eventual U.S. ICS-CERT, US-CERT, and CISA structures that operate in 2026.

5.4 The prosecution

Morris was identified within days as the worm’s author — partly because he had told a friend in advance about the worm and that friend (Andrew Sudduth, a Harvard sysadmin) had attempted to send an anonymous advisory describing how to defeat the worm on the same evening it was released. He surrendered, cooperated with the investigation, and was charged under what was then the relatively new 18 U.S.C. § 1030(a)(5)(A) — the CFAA’s prohibition on intentionally accessing a federal-interest computer without authorization. He was the first person prosecuted under the CFAA. He was convicted in January 1990 after trial and sentenced on May 4, 1990 to three years of probation, 400 hours of community service, and a $10,050 fine plus the costs of his supervision[39]. He appealed; the Second Circuit affirmed in United States v. Morris, 928 F.2d 504 (2d Cir. 1991)[40]. The case is a foundational CFAA opinion — it established, among other things, that the statute’s “intentionally accessing” mens rea did not require that the defendant intend the damage the access caused; intent to access was sufficient.

Morris’s subsequent career is, by the standards of late-1980s hacker prosecutions, an extraordinary outlier. He completed his sentence, finished his graduate work at Cornell and then Harvard, became an MIT EECS faculty member in 1999, and (with Paul Graham, Trevor Blackwell, and Jessica Livingston) co-founded Y Combinator in 2005. He remains an MIT CSAIL professor and YC partner in 2026.

| Date | Event |
|---|---|
| Nov 2, 1988, ~17:30 EST | Worm released from a Cornell terminal (Morris was logged into an MIT AI Lab machine remotely; some accounts have him releasing from there) |
| Nov 2, 1988, late evening | First infections noticed at Stanford and other West-Coast sites |
| Nov 3, 1988 | Cleanup efforts begin nationally; analysis groups form at MIT, Purdue, Berkeley |
| Nov 4, 1988 | Sudduth’s attempted anonymous advisory becomes public (it had been written on the evening of the 2nd but mostly didn’t propagate due to the worm itself) |
| Nov 5–8, 1988 | Eichin & Rochlis MIT analysis underway; Spafford Purdue analysis underway |
| Nov 17, 1988 | DARPA charters CERT/CC at Carnegie Mellon SEI |
| Feb 1989 | Eichin & Rochlis “With Microscope and Tweezers” preprint |
| June 1989 | Spafford “The Internet Worm Program: An Analysis,” Purdue Tech Report (later CACM 32(6)) |
| Jan 1990 | Morris convicted under CFAA |
| 1991 | Second Circuit affirms in U.S. v. Morris, 928 F.2d 504 |

Table 3.3 — Morris-Worm timeline, from release to appellate affirmance.

The lessons for the lineage of the craft were several. First, the technical lesson: the same protocol stack the entire research community trusted was uniformly vulnerable to a small set of well-understood weaknesses (stack overflows in C, default-on debug features, weak password hygiene). Second, the institutional lesson: a single-incident response is not a sustainable model — CERT was the institutionalization of that lesson. Third, the legal lesson: the CFAA worked as intended on the first test case; Congress had passed the statute against the threat of just this kind of incident, the first such incident occurred, the perpetrator was identified and convicted, and the statute survived appellate review. Whether the sentence was proportionate (three years probation versus the maximum five-year imprisonment then on the books) was the subject of considerable debate — Morris’s defenders argued the harm was overstated and the worm a research mistake; the prosecutors argued exactly the opposite. The middle ground the judge picked is still cited.


6. The zines and the groups — Phrack, 2600, LoD, MoD

By 1985 the BBS underground (§2) had matured to the point where it had a literature. Two zines anchored the literature for the next decade and beyond, and a handful of organized groups anchored the social structure. The zines and the groups are the institutional inheritance of this volume that most clearly persists into 2026 — Phrack and 2600 are still publishing; the groups have mostly disbanded but their members are still in the field.

2600: The Hacker Quarterly, August 2016 issue (Volume 33, Number 3). The magazine has been published quarterly since 1984 — an unusual longevity for any independent technical publication — and remains the most representative paper artifact of the hacker reading public, particularly the grey-and-white-hat segment. Edited by Eric Corley under the pen name Emmanuel Goldstein (a reference to Orwell's 1984). The name derives from the 2600 Hz blue-box tone (see Vol 2 §3.1). Photo: File:2600 Magazine.jpg by Rbr4n. License: CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3A2600%20Magazine.jpg).

Figure 3.3 — 2600: The Hacker Quarterly, mid-2010s issue. File:2600 Magazine.jpg by Rbr4n. License: CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3A2600%20Magazine.jpg).

6.1 2600: The Hacker Quarterly (founded 1984)

2600: The Hacker Quarterly began publication in January 1984, founded and edited by Eric Corley under the pen name Emmanuel Goldstein (Orwell’s 1984, dystopian-resistance reference, somewhat on the nose)[41]. The magazine has been published quarterly without interruption since — 162+ issues by 2026. Format: print magazine (in 2026 still print, with digital subscriptions added late), letters and reader-submitted articles, original reporting on hacker prosecutions and civil-liberties cases, occasional technical t-file-style articles, the famous payphone-photos section (readers submit photos of unusual payphones from around the world). The name is the 2600 Hz blue-box tone — see Vol 2 §3.1 — and the editorial stance has always been a kind of hacker civil-libertarianism: privacy-rights-forward, anti-surveillance, sympathetic-to-defendant in any hacker prosecution. Corley’s Off The Hook radio show on WBAI New York has been running since 1988 in the same editorial spirit.

2600’s significance is partly cultural — the magazine is the most-read print artifact in the hacker reading public — and partly tactical. The magazine has, repeatedly, been at the center of First Amendment cases over publication of technical information; the most prominent is Universal v. Reimerdes / Universal v. Corley, 273 F.3d 429 (2d Cir. 2001), in which the Second Circuit held that 2600’s publication of the DeCSS DVD-decryption source code could be constitutionally restricted under the Digital Millennium Copyright Act’s anti-circumvention provisions[42]. The case is one of the foundational DMCA precedents and one of the harder cases for the Free-Software-aligned argument that code is speech.

6.2 Phrack (founded 1985)

Phrack — the name is a portmanteau of “phreak” and “hack” — began publication on November 17, 1985, founded and edited by Taran King (Randy Tischler) and Knight Lightning (Craig Neidorf), then both teenagers in St. Louis[43]. Phrack was, from inception, a t-file zine in the BBS underground’s native format — distributed as a series of plain-ASCII “files” bundled per issue, posted to underground BBSes, redistributed outward. Each issue is a multi-file bundle: a “Phrack Pro-Phile” interviewing a member of the community, several technical articles, the “Phrack World News” current-events column, occasional manifestos and editorials. The frequency has always been irregular — Phrack publishes when its editors have a quorum of good submissions, with gaps from months to years between issues.

Phrack’s tactical significance is that it is the technical paper of record for offensive computing. From its first issues it has run engineering-grade articles on specific techniques — phreaking advances, VMS exploitation, Unix exploitation, social engineering case studies, malware authorship. Several articles in its history have been load-bearing for the field:

  • Phrack Issue 7 Phile 3 (January 8, 1986) — “The Conscience of a Hacker” by The Mentor (Loyd Blankenship), better known as “The Hacker Manifesto”[12]. Written immediately after Blankenship’s arrest, in roughly an evening, the piece is a 500-word first-person manifesto framing hackers as misunderstood-but-not-evil. The cultural reach is enormous — it has been quoted on conference t-shirts, in films (Hackers, 1995, quoted a paraphrased version), in subsequent t-files, in academic articles about hacker culture. The full text is in the public domain (Blankenship has explicitly placed it there) and reproduced widely; the canonical source is http://phrack.org/issues/7/3.html. A representative passage:

“This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals.”

— The Mentor (Loyd Blankenship), “The Conscience of a Hacker,” Phrack Vol. 1 Issue 7 Phile 3, January 8, 1986.

  • Phrack Issue 24 Phile 5 (February 25, 1989) — the E911 Document article, the article that triggered the Craig Neidorf prosecution (see §7.1 below). The article reproduced a leaked Bell South internal document describing the 911 emergency telephone system’s architecture; the document had been obtained from a Bell South system by another hacker (Robert Riggs of LoD) and forwarded to Neidorf for publication. The federal government valued the document at $79,449 in the Neidorf indictment; Bell South subsequently testified that the same document could be purchased for around $13 from a Bell South publications office. The case collapsed.

  • Phrack Issue 49 Phile 14 (November 8, 1996) — “Smashing the Stack for Fun and Profit” by Aleph One (Elias Levy)[32]. The canonical engineering treatment of stack-buffer-overflow exploitation on Unix/Linux. Aleph One organized the technique systematically, walked through the assembly, and made the pattern reproducible by any competent programmer. The article is the citation for stack-overflow exploitation; everything from Code Red (2001) to the modern ROP/JOP literature traces back through it. It comes eight years after Morris had used the same technique in production (§5.2) and is the moment the technique became broadly understood in the field rather than known to a small expert circle.

Phrack has had ten different editorial groups in its history (the editorial mastheads change as the editors age out, get prosecuted, or move on to other work). It remains a primary historical source for any specific technique’s lineage. The full archive is at http://phrack.org/issues/.

6.3 The Legion of Doom (LoD)

The Legion of Doom was the first organized hacker group at sustained national scale[44]. Founded around 1984 by Lex Luthor (the handle; real identity has remained semi-private), LoD was a loose association of phreaks and computer hackers — at peak in the late 1980s perhaps 15 to 30 active members at any one time, with another 100-ish associates. Membership turned over considerably; the group’s roster from 1985 differs substantially from its roster from 1989. Notable members and associates included Erik Bloodaxe (Chris Goggans), The Mentor (Loyd Blankenship), The Prophet (Robert Riggs), Phiber Optik (Mark Abene, before he switched groups; see §6.4), and a number of others.

The group’s operational pattern was the classic 1980s-elite-hacker pattern: maintain access to a network of target systems (predominantly Bell System Operations Support Systems, midrange VAX and IBM mainframes, university systems), share information with other LoD members, publish occasional technical articles in Phrack or in LoD’s own short-lived publications. The group did not, by all available accounts, engage in financial fraud or destructive activity — the operating ethic was very much in the curiosity-and-exploration tradition, even when (as in the Bell South E911-document case) the consequences were severe. Multiple LoD members were prosecuted in the 1989–91 period; the prosecutions were the federal government’s first organized push against an organized hacker group.

6.4 Masters of Deception (MoD)

The Masters of Deception were the second organized hacker group, founded around 1989 in New York City out of a split from LoD[45]. The group’s principals were Phiber Optik (Mark Abene), Acid Phreak (Eli Ladopoulos), Scorpion (Paul Stira), Outlaw (Julio Fernandez), and Corrupt (John Lee). MoD was younger, more multiethnic, more aggressively oppositional in its public posture, and considerably more focused on the New York Telephone / NYNEX / AT&T-network side of telephony than LoD’s broader Bell System target set.

The proximate cause of MoD’s split from LoD was a personal falling-out between Phiber Optik and Erik Bloodaxe at the AT&T network-down event on January 15, 1990 (Martin Luther King Day) — an AT&T long-distance switch failure that took down a substantial fraction of AT&T’s domestic long-distance network for around nine hours[46]. The press initially attributed the failure to hackers; AT&T eventually identified the cause as a software bug in a system the hackers had no involvement with whatsoever. By the time the truth came out, the Secret Service had spent two months running an investigation that became Operation Sundevil (§7).

6.5 The “Great Hacker War” (1990–1991)

The LoD/MoD split was followed by a period of inter-group conflict that the participants — with the self-aware grandiosity of the era — called the Great Hacker War. It was conducted on conference-call bridges (the “loop-arounds,” compromised telco bridges), on each other’s voicemail boxes, in Phrack op-eds, and to a lesser extent on each other’s actual systems. There is some genuine engineering-level retaliation in the historical record — phone redirects, voicemail-box compromises, mailbox shutdowns — but most of the war was rhetorical and social. Slatalla and Quittner’s Masters of Deception[14] is the canonical reported source; its account is journalistic and somewhat shaped by the principals’ own self-narration.

The war ended not by resolution but by mass prosecution. In late 1991 and 1992 the federal government prosecuted the principal MoD members under the CFAA and wire-fraud statutes; Phiber Optik, Acid Phreak, and several others took plea agreements. Most served time in federal prison (Phiber Optik served ten months at Schuylkill in 1994). The LoD principals had been prosecuted earlier in slightly different cases (Operation Sundevil and offshoots). By 1994 the organized-hacker-group era was effectively over; the next generation operated in smaller, more diffuse, more security-conscious cliques.

   The 1985-1994 underground social structure, simplified.

                           ┌──────────────────────────┐
                           │                          │
                           │    PHRACK (1985+)        │
                           │    Taran King + Knight   │
                           │    Lightning, eds.       │
                           │    The technical paper   │
                           │    of record.            │
                           │                          │
                           └────┬─────────────────────┘
                                │ contributors:

              ┌─────────────────┼──────────────────────────┐
              │                 │                          │
              ▼                 ▼                          ▼
   ┌──────────────────┐  ┌──────────────────┐   ┌──────────────────┐
   │ LEGION OF DOOM   │  │ MASTERS OF       │   │ Independent      │
   │ (LoD)            │  │ DECEPTION (MoD)  │   │ contributors:    │
   │ ~1984-1992       │  │ ~1989-1992       │   │ Aleph One        │
   │                  │  │                  │   │ Mudge            │
   │ Lex Luthor       │  │ Phiber Optik     │   │ Erik Skoog       │
   │ Erik Bloodaxe    │  │ Acid Phreak      │   │ many others      │
   │ The Mentor       │  │ Scorpion         │   │                  │
   │ The Prophet      │  │ Outlaw           │   │                  │
   │ Phiber Optik(?)  │  │ Corrupt          │   │                  │
   │ The Eavesdropper │  │ ...              │   │                  │
   │ ...              │  │                  │   │                  │
   └────────┬─────────┘  └────────┬─────────┘   └──────────────────┘
            │                     │
            │     1989-1990       │
            │     Phiber Optik    │
            │  ──leaves LoD,──►   │
            │   joins MoD         │
            │                     │
            │     1990-1991       │
            │  THE "GREAT HACKER  │
            │       WAR"          │
            │  ─inter-group ──    │
            │  conflict, mostly   │
            │  rhetorical         │
            │                     │
            ▼                     ▼
   ┌──────────────────────────────────────────┐
   │  1990-1994: federal prosecutions break   │
   │  up both groups.  Operation Sundevil     │
   │  (May 1990) targets the broader BBS      │
   │  scene; specific cases against LoD       │
   │  (Neidorf E911, Riggs, Grant, Darden,    │
   │  1990) and MoD (Phiber, Acid, etc.,      │
   │  1992) follow.                           │
   └──────────────────┬───────────────────────┘


                ┌──────────────────────┐
                │ Post-1994 era:       │
                │ smaller cliques;     │
                │ IRC EFnet #hack;     │
                │ DEF CON (1993+);     │
                │ commercial security  │
                │ industry absorbs     │
                │ much of the talent.  │
                └──────────────────────┘

Figure 3.4 — The LoD / MoD / Phrack social structure, ~1985–1994. The most influential names in 1990s-era American hacking pass through these groups. Many of the principals subsequently moved into the commercial security industry (Erik Bloodaxe ran the consulting firm Comsec; Mudge — who came up in the same broad community though never an LoD or MoD principal — co-founded the L0pht and then went on to Defense Innovation Board, Stripe, Google ATAP, and Twitter security leadership roles), some went into journalism (Knight Lightning), some left the field entirely. The 1985–1994 generation is the principal source of the senior-engineer cohort that built the commercial security industry between 1995 and 2010.

6.6 The zines and groups in summary

| Zine / group | Started | Founders / principals | What it was | Status 2026 |
|---|---|---|---|---|
| 2600: The Hacker Quarterly | 1984 | Eric Corley (Emmanuel Goldstein) | Print magazine; quarterly; civil-libertarian editorial stance; payphone photos; reader t-files | Still publishing |
| Phrack | 1985 (Nov 17) | Taran King (Randy Tischler) + Knight Lightning (Craig Neidorf) | E-zine, ASCII t-file bundles, irregular schedule, technical paper-of-record | Still publishing (slow cadence) |
| Legion of Doom (LoD) | ~1984 | Lex Luthor; included The Mentor, Erik Bloodaxe, The Prophet, others | First organized national-scale hacker group; Bell System ops-systems heavy | Disbanded ~1992 |
| Masters of Deception (MoD) | 1989 | Phiber Optik (Mark Abene), Acid Phreak (Eli Ladopoulos), Scorpion, Outlaw, Corrupt | NYC-based; NYNEX/AT&T heavy; aggressively oppositional public posture; split off from LoD | Disbanded ~1992 after prosecutions |
| The Hacker Manifesto | Jan 8, 1986 | The Mentor (Loyd Blankenship) | 500-word Phrack piece (Issue 7, File 3); cultural touchstone | Permanently in the public domain |
| AT&T MLK-Day outage | Jan 15, 1990 | (AT&T’s own software bug — not a hacker incident, despite initial press) | Triggered Operation Sundevil (§7) when investigators initially suspected hackers | Famous as a cautionary tale about attribution |

Table 3.4 — The principal zines and groups of the 1984–1994 underground. The two zines are still publishing; the two principal groups are long disbanded but their members are still in the field (notably MIT/Y Combinator faculty, Stripe, Google security, several consulting firms, and several federal-government technical-policy roles).

The lineage from this era into the modern field is direct: most of the senior architects of the post-2000 commercial security industry started their careers in this scene. The 1985–1994 underground is the principal pipeline for the people who built the 1996–2010 commercial-security firms (ISS, L0pht-then-@stake, Foundstone, IOActive, the first generation of bug-bounty programs at iDefense and TippingPoint, and many others); the founders of those firms are mostly people whose handles appear in the Phrack archives of the era. Vol 4 traces that pipeline forward.


7. Operation Sundevil, the Steve Jackson Games raid, and the founding of the EFF (1990)

The single calendar year of 1990 is, for civil-liberties-and-computer-law purposes, the most consequential in this volume. Three events that year — Operation Sundevil, the Steve Jackson Games raid, and the founding of the Electronic Frontier Foundation — together established the framework within which the legal-versus-civil-rights conflicts of the following three decades have been adjudicated. The EFF’s founding is, in effect, the institutional response to Sundevil and the Steve Jackson Games raid; the eventual civil-suit outcome in Steve Jackson Games v. United States Secret Service is the legal vindication that gave the EFF its first major win.

7.1 The E911 prosecution — Craig Neidorf (1989–1990)

A piece of context is needed to make Sundevil legible. In late 1988, Robert Riggs, an LoD member operating under the handle The Prophet, downloaded an internal Bell South document from a Bell South Network Operations Center system. The document — formally titled A Bell South Standard Practice (BSP) 660-225-104SV: Control Office Administration of Enhanced 911 Services for Special Services and Major Account Centers — described the architecture of the Bell South 911 emergency-telephone system at a procedural and administrative level. Riggs forwarded the document to Craig Neidorf (handle: Knight Lightning), one of the Phrack co-editors; Neidorf reformatted excerpts and published the redacted result in Phrack Issue 24 (February 25, 1989)[47].

The Secret Service (which had jurisdiction over electronic financial-fraud and certain telecommunications-fraud cases under 18 U.S.C. § 3056) opened a federal investigation. Riggs was arrested and pleaded guilty to wire fraud. Neidorf was indicted on multiple counts of wire fraud and transportation of stolen property; the value of the stolen E911 document was alleged by Bell South in the indictment papers to be $79,449. The case went to trial in July 1990. The Bell South valuation collapsed almost immediately on cross-examination: a defense witness obtained the same document from a Bell South publications-order line for about $13 (the exact figure varies slightly across accounts; the order of magnitude is correct). The wire-fraud case against Neidorf could not survive that revelation, and the prosecution dropped its charges mid-trial on July 27, 1990[48].

The Neidorf case is the first clear instance of a federal hacker prosecution unraveling on the value question — and it is the case that radicalized several of the principals who would soon found the EFF. The Neidorf defense had been led by Sheldon Zenner of Katten Muchin & Zavis (Chicago); Mitch Kapor, the Lotus founder, paid much of the defense’s bill. The lesson Kapor and several others took was that the federal government was prosecuting hackers without a clear-headed understanding of either the technology or the underlying economic-value questions, and that civil-liberties counsel was unavailable.

7.2 Operation Sundevil (May 1990)

Operation Sundevil was a coordinated federal investigation, conducted principally by the Secret Service and announced on May 8, 1990[49], targeting the broader BBS underground that the Secret Service believed (correctly in some cases, incorrectly in others) was responsible for a wave of credit-card fraud, code-abuse, and telephone-fraud activity. The operation involved 27 search warrants executed in 15 cities[50], with seizures of approximately 40 computers and roughly 23,000 floppy disks. The arrests were modest — three indictments — but the seizure footprint was enormous, because the warrants were broadly drafted and the agents tended to seize anything that looked computer-shaped. The operation was the first systematic federal action against the BBS scene as such, rather than against a specific intrusion case.

The civil-libertarian critique of Sundevil that emerged in 1990–91, articulated most forcefully by Sterling in The Hacker Crackdown and by Barlow in “Crime and Puzzlement” (June 1990)[51], was several-fold: that the operation conflated criminal credit-card-fraud activity with the broader, mostly-legal BBS-message-board culture; that the seizure warrants were excessively broad and effectively shut down BBSes that had no connection to the alleged fraud; that the Secret Service agents executing the warrants had little understanding of the technology and were over-seizing as a result; and that the press coverage was uncritically pro-prosecution. Sterling’s book is the load-bearing journalistic record; the EFF’s archive (https://www.eff.org/files/) holds many of the primary documents.

7.3 The Steve Jackson Games raid (March 1, 1990)

The Steve Jackson Games raid preceded Sundevil’s main announcement by two months but became inextricably linked to it in public memory. On March 1, 1990, the Secret Service executed a search warrant at the offices of Steve Jackson Games, an Austin, Texas role-playing-game publisher, seizing computers including the company’s main development machine and the server running its BBS, the Illuminati BBS[52]. The warrant was based on the Secret Service’s belief that one of Steve Jackson Games’ employees, Loyd Blankenship — yes, The Mentor, the same person who had authored the Hacker Manifesto five years earlier (§6.2) — had received a copy of the E911 document on his home computer and would have similar materials on his work systems. (Blankenship had not, in fact, received the E911 document on a work system; the Secret Service’s warrant theory required that he had.)

What made the raid notorious was the second-order target. Steve Jackson Games was at that moment finalizing GURPS Cyberpunk, a tabletop RPG sourcebook on a near-future cyberpunk-dystopian setting in the William Gibson tradition. The book contained, as part of its setting material, prose describing fictional computer-intrusion techniques. The Secret Service, on seizing the company’s systems, told company representatives that GURPS Cyberpunk was “a handbook for computer crime.” The actual draft of the manuscript was on the seized computers; Jackson’s company had no other copies, and the seizure delayed the book’s publication by months and nearly bankrupted the company. The development BBS (Illuminati) was kept off-line for months as well, despite no plausible argument that the BBS itself was a target of the investigation.

Steve Jackson Games sued the Secret Service under the Privacy Protection Act of 1980 and the Electronic Communications Privacy Act, with the EFF (newly founded — see §7.4) paying much of the legal bill. The case was decided in Jackson’s favor in 1993 (Western District of Texas)[53] and affirmed on appeal in Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994)[5]. The Fifth Circuit affirmed the district court’s Stored Communications Act holding — the Secret Service had violated ECPA by reading email stored on Jackson’s BBS server during the seizure — but reversed on the Wiretap Act count, drawing a distinction between “intercepted” (acquired contemporaneously with transmission) and “stored” electronic communications that has shaped the subsequent decade-plus of ECPA jurisprudence.

7.4 The founding of the EFF (July 1990)

The Electronic Frontier Foundation was founded July 10, 1990 by Mitch Kapor (Lotus founder), John Perry Barlow (Grateful Dead lyricist, essayist, sometime rancher in Pinedale, Wyoming, and unlikely-but-effective tech-civil-liberties figure), and John Gilmore (Sun Microsystems engineer, sometime cypherpunk, and one of the original DEC SRC team). The EFF’s founding mission was specifically the legal defense of the people swept up in Sundevil and adjacent prosecutions, and more broadly the establishment of a civil-liberties framework for digital communications[54]. The EFF’s first cases were Steve Jackson Games (§7.3) and the Craig Neidorf prosecution (§7.1, retrospectively); within a few years the foundation had become the dominant digital-civil-liberties NGO in the United States.

Barlow’s two contemporaneous essays — “Crime and Puzzlement” (June 1990) and “A Declaration of the Independence of Cyberspace” (February 1996, Davos) — are the EFF’s load-bearing rhetorical artifacts of the era. “Crime and Puzzlement” was the document that motivated several of the early EFF donors and member-supporters to write checks; the Declaration, though it is widely (and not unfairly) mocked in 2026 for its libertarian-utopian overreach, was, at the time, an effective polemical intervention in the policy debate over the 1996 Telecommunications Act. The EFF’s actual operating work is, then and now, far less utopian than Barlow’s prose; the foundation’s legal docket is dominated by patient appellate-litigation strategy against specific government surveillance and unauthorized-access cases.

The EFF in 2026 is one of the few institutions whose mission, founding statement, and operating posture have remained roughly stable across 36 years. The legal-defense work continues; the policy-advocacy work continues; the publications (Deeplinks blog, the regular legal-analyst reports on CFAA cases and platform-liability cases) continue. The cross-link from this volume into the rest of the series is at Vol 19 (the legal-line treatment), which leans on EFF analysis throughout.

| Date | Event |
| --- | --- |
| Feb 25, 1989 | Phrack Issue 24, File 5 publishes the redacted E911 document |
| Dec 1989 / Jan 1990 | Federal investigations underway; Riggs and Neidorf identified |
| Jan 15, 1990 | AT&T MLK-Day long-distance outage (later found to be an AT&T software bug, not a hacker incident); blamed initially on hackers, fuels the Secret Service investigation |
| Mar 1, 1990 | Steve Jackson Games raid in Austin |
| May 8, 1990 | Operation Sundevil announced — 27 warrants, 15 cities |
| June 1990 | Barlow publishes “Crime and Puzzlement” |
| Jul 10, 1990 | EFF founded by Kapor, Barlow, Gilmore |
| Jul 27, 1990 | Neidorf case dropped mid-trial when E911 valuation collapses |
| 1993 | District court decides Steve Jackson Games v. USSS for Jackson |
| Oct 31, 1994 | Fifth Circuit affirms in 36 F.3d 457 |

Table 3.5 — The 1989–1994 legal-and-civil-liberties timeline that established the framework for the next several decades. The Sundevil-and-SJG-and-EFF complex of events is the single most important pattern in this volume for how the modern legal landscape works.

The synthesis is that 1990 is the year the federal government and the BBS underground met each other in court — a meeting both sides lost some of and both sides won some of. The federal government got the CFAA tested in court and survived (the Neidorf case did not invalidate the statute; it invalidated the specific valuation theory). The underground got the EFF, which by 1994 was systematically pushing back against the government’s overreach. The civil-liberties-litigation framework that runs forward through Bernstein v. United States (1995–99), the various DMCA cases, Lavabit v. United States (2013), and the present-day Section 215 / Section 702 surveillance challenges is built on the Sundevil-era foundation.


8. Kevin Mitnick — the manhunt, the myth, and the reconstructed reality

No figure from this volume’s era has been more written about, more contested, or more important to the public iconography of “hacker” than Kevin Mitnick. He is also a figure for whom the press myth and the court record diverge sharply, and this section treats the divergence as the substantive issue rather than picking a side.

Figure 3.5 — Kevin Mitnick at Google, mid-2010s, after a book talk for Ghost in the Wires. Post-prison Mitnick built a successful security-consulting practice (Mitnick Security Consulting) and the consultancy KnowBe4 (where he was Chief Hacking Officer and a popular keynote speaker). He died in 2023. The “from federal-prison defendant to successful security consultant” arc — like Robert Morris’s similar arc (§5) — is the more interesting answer to the post-1990s legal climate’s effect on actual practitioners’ careers than the contemporaneous press treatment suggested. Photo: File:Kevin Mitnick at Google.jpg by Grendelkhan. License: CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AKevin%20Mitnick%20at%20Google.jpg).

Note on historiography. The three principal accounts of the Mitnick saga — John Markoff and Tsutomu Shimomura’s Takedown (1996), Jonathan Littman’s The Fugitive Game (1997), and Mitnick’s own Ghost in the Wires (2011) — disagree with each other on important matters of fact, motive, and chronology. Markoff’s contemporaneous New York Times coverage (1994–95) is, by 2026’s reading, sharper-edged than the court record supports. Littman’s account is largely sympathetic to Mitnick but also somewhat romanticized in the opposite direction. Mitnick’s own account, by an experienced principal looking back two decades, is the most internally consistent of the three but is also, structurally, an autobiography by a self-promoting subject. The court record — United States v. Mitnick, the various federal-court filings and the 1999 plea documents — is the load-bearing source where the accounts diverge. Where this section makes specific factual claims, it cites the source it follows; where the sources conflict, it flags the conflict.

8.1 What Mitnick actually did

Mitnick’s verifiable conduct, from the court record and the consistent portions of the various accounts, spans approximately 1980 through his arrest in 1995, with a gap of relative quiescence during his earlier shorter incarcerations.

His core technique was social engineering — pretexting calls to telephone-company employees and corporate-IT staff, using pretext identities developed by careful homework on the target organization’s internal structure and personalities. Mitnick was, by all accounts, an exceptional social engineer. He combined a very strong memory for organizational detail, an extensive working knowledge of the relevant phone-system internals, and the particular kind of confident-but-not-pushy phone presence that made his pretexts work[55].

His verifiable technical targets included: DEC’s TOPS-20 source code (1988, leading to a 1989 federal conviction and a one-year sentence); a series of Pacific Bell internal systems through the late 1980s and early 1990s; various cellular telephone code bases (Nokia, NEC, Motorola, Novatel, Qualcomm, Fujitsu — the “manufacturers list” that ran through the federal indictments); and various engineering workstations including, fatally, the system of Tsutomu Shimomura at the San Diego Supercomputer Center in December 1994[56]. The Shimomura intrusion used a then-novel TCP sequence-number-prediction attack (the variant of IP-spoofing-with-blind-injection that Stephen Bellovin had described in a 1989 paper[57], which Mitnick — or his correspondents — had operationalized). Shimomura, on returning from a ski trip and finding his workstation compromised, devoted approximately six weeks to tracking Mitnick down — the federal tracking and the technical-attribution work were a substantial expansion of the legal-and-technical envelope of what was then thought possible[58].
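The sequence-number weakness Bellovin described, and the Shimomura intrusion used, comes down to initial sequence numbers (ISNs) that anyone observing a few connections could extrapolate. The simulation below is an added illustration (not code from the original volume or the court record): it contrasts a BSD-style global ISN clock with the RFC 1948 / RFC 6528 mitigation that replaced it, and scores each with the kind of ISN-quality audit a vulnerability scanner runs. The BSD constants, the addresses and the demo secret are constructed for the example; no packets are sent.

```python
"""Added illustration, not code from the original volume: why the TCP initial
sequence numbers (ISNs) Bellovin analysed in 1989 were predictable, and how the
RFC 1948 / RFC 6528 mitigation (a secret, per-connection hash offset) removes
the predictability.  Pure simulation: no packets are sent.  The BSD-style
constants, the addresses and the demo secret are all constructed here."""
from __future__ import annotations

import hashlib
import secrets
import statistics
from typing import Optional, Tuple

MASK32 = 0xFFFFFFFF
FourTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


class LegacyIsnGenerator:
    """4.2/4.3BSD-style ISN clock: one global counter, advanced by a fixed amount
    per second and by a fixed amount on every new connection (the scheme RFC 1948
    describes when explaining the 1989 attack)."""

    PER_SECOND = 128_000
    PER_CONNECTION = 64_000

    def __init__(self, start: int = 0) -> None:
        self.clock = start & MASK32

    def tick(self, seconds: float) -> None:
        self.clock = (self.clock + int(self.PER_SECOND * seconds)) & MASK32

    def isn(self, _conn: FourTuple) -> int:
        # Every connection, whoever opens it, reads the same global clock.
        self.clock = (self.clock + self.PER_CONNECTION) & MASK32
        return self.clock


class Rfc1948IsnGenerator:
    """RFC 1948 / RFC 6528 scheme: ISN = clock + F(4-tuple, secret).  The offset for
    any given connection is unknowable without the secret, so ISNs observed on an
    auditor's own connections reveal nothing about the ISN another client gets."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.clock = 0

    def tick(self, seconds: float) -> None:
        # RFC 6528 specifies a ~4 microsecond clock; a 250 kHz clock is used for the demo.
        self.clock = (self.clock + int(250_000 * seconds)) & MASK32

    def isn(self, conn: FourTuple) -> int:
        src_ip, src_port, dst_ip, dst_port = conn
        material = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}".encode() + self.secret
        offset = int.from_bytes(hashlib.sha256(material).digest()[:4], "big")
        return (self.clock + offset) & MASK32


def sample_isns(gen, probe: FourTuple, n: int, spacing_s: float = 0.001) -> list:
    """Open n probe connections from one vantage point and record the ISNs handed back."""
    samples = []
    for _ in range(n):
        gen.tick(spacing_s)
        samples.append(gen.isn(probe))
    return samples


def predict_next(samples: list) -> int:
    """Extrapolate the next ISN assuming a constant stride between consecutive ISNs
    (the only assumption the 1989-era analysis needed)."""
    strides = [(b - a) & MASK32 for a, b in zip(samples, samples[1:])]
    return (samples[-1] + statistics.mode(strides)) & MASK32


def audit_isn_quality(gen, probe: FourTuple, other: FourTuple, trials: int = 20) -> float:
    """Score a generator the way a scanner's ISN-quality check does: after a few
    probe connections, guess the ISN the server will hand to a *different*
    4-tuple and report the fraction of exact hits (1.0 = fully predictable)."""
    hits = 0
    for _ in range(trials):
        samples = sample_isns(gen, probe, 4)
        gen.tick(0.001)                     # the other client connects a moment later
        guess = predict_next(samples)
        if guess == gen.isn(other):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    probe = ("10.0.0.2", 40000, "10.0.0.1", 443)   # constructed: auditor's own connections
    other = ("10.0.0.3", 40001, "10.0.0.1", 443)   # constructed: some other client
    legacy = LegacyIsnGenerator(start=12345)
    modern = Rfc1948IsnGenerator(secret=b"constructed-demo-secret")
    print("legacy BSD-style ISN predictability:", audit_isn_quality(legacy, probe, other))
    print("RFC 1948-style ISN predictability:  ", audit_isn_quality(modern, probe, other))
```

The legacy clock scores 1.0 (every guess lands exactly), the hashed scheme 0.0, while ISNs for one and the same 4-tuple still advance monotonically with the clock, which is why RFC 1948 preserved TCP's protection against old duplicate segments.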

What Mitnick did not do, to the considerable degree to which the post-arrest claims have been audited: he did not (a) compromise NORAD as a teenager, (b) commit any directly-traceable financial fraud against any of his victims, (c) damage any of the systems he accessed in a way the post-event audits found, or (d) profit financially from the activities[59]. The federal government’s eventual plea agreement reflected exactly this: the conduct was widespread access without authorization, but no fraud counts survived to the plea. The Markoff press treatment in 1994–95 implied (a) and was equivocal on (b)-(d); the court record contradicted (a) outright and substantially undercut (b) and (d).

8.2 The Shimomura takedown and the arrest

Tsutomu Shimomura was an unusual figure to be involved — a computational physicist at the San Diego Supercomputer Center with a specialization in cellular-telephony security, professionally well-connected, with a personal disposition toward following technical problems all the way to their source. His attribution and tracking work between January and February 1995, conducted in collaboration with the FBI and a small group of allies including Markoff (who was a personal friend), traced Mitnick through cellular-phone records, modem-bank-callback logs, and a final pen-register on a Raleigh, North Carolina apartment[58].

Mitnick was arrested in Raleigh on February 15, 1995[60]. The arrest was sufficiently dramatic — a fugitive of the FBI’s most-wanted list, four years of pursuit, the involvement of a high-profile victim acting in a quasi-investigative role — that the press treatment was extensive and durably shaped public perception. Markoff’s contemporaneous NYT coverage and the subsequent Takedown book (Markoff with Shimomura, 1996)[61] presented Mitnick as a more dangerous and more financially motivated figure than the court record would later support; Mitnick and his supporters (including Littman) pushed back hard in their own subsequent accounts. The historiography has not converged.

8.3 The pre-trial detention and the plea

Mitnick was held in federal custody from his February 1995 arrest until his August 1999 plea agreement — four and a half years of pre-trial detention[62]. The length of pre-trial detention was extraordinary by the standards of federal practice, and it became the principal civil-liberties grievance of the post-arrest period. His attorneys argued, with eventual success, that the government’s repeated continuances and the conditions of his detention (he was held without parole eligibility, was denied bail on the grounds that he had previously fled, and at one point was held in solitary confinement on the grounds that he could whistle 2600 Hz into a phone receiver — a claim that does not survive scrutiny against the Bell System’s mid-1980s migration to SS7 out-of-band signaling, which had eliminated in-band 2600 Hz control of long-distance trunks years before Mitnick’s detention, but which the court found credible at the time).

The plea agreement, accepted in March 1999 and finalized in August 1999, was to one count of wire fraud and various lesser counts. He was sentenced to 46 months of imprisonment, which, with credit for the 4.5 years of pre-trial detention already served, resulted in his release in January 2000 with three years of supervised release, during which he was prohibited from accessing the Internet, possessing a cellular phone, or working in a computer-related capacity except with specific court approval[63]. The Internet-and-phone prohibitions were unusual for a non-violent offender; they were the subject of subsequent civil-liberties critique and were eventually relaxed.

8.4 The aftermath and the historical reading

Mitnick was, post-release, an extraordinary case of professional rehabilitation. He published The Art of Deception (2002), The Art of Intrusion (2005), and Ghost in the Wires (2011); built a successful consulting firm (Mitnick Security Consulting); became Chief Hacking Officer at KnowBe4 (the security-awareness-training firm); and was a frequently-invited keynote speaker for the rest of his life. He died in July 2023.

The contemporary historical reading of the case, two decades on, is that Mitnick was (a) a genuinely capable intruder, with social-engineering skills well above average, who (b) caused significant losses to his victim organizations (mostly through the cost of remediation, not direct theft) but did not commit the financial fraud the indictment originally implied, and (c) was treated by the federal system in a way that overshot the actual conduct, which became the more interesting policy question. The press myth — Mitnick as a dangerous computer-mastermind — gave the federal government the political cover to keep him in pre-trial detention for an extraordinary period. The Markoff coverage was, in retrospect, part of the press myth more than a check on it. The Free Kevin movement of 1998–99 (the bumper stickers, the website at freekevin.com) was substantially correct in its complaint about the pre-trial detention even if it was sometimes overheated in its other claims.

| Case / actor | Year | Charge | Outcome |
| --- | --- | --- | --- |
| The 414s | 1983 | (charging gap — no clean federal statute) | Most not prosecuted; Neal Patrick given immunity for congressional testimony |
| Robert Tappan Morris | 1989-91 | CFAA § 1030(a)(5)(A) | 3 yr probation + 400 hr CS + $10,050 fine |
| Robert Riggs (The Prophet, LoD) | 1989-90 | Wire fraud (E911) | Plea, 21 mos |
| Craig Neidorf (Knight Lightning, Phrack co-editor) | 1990 | Wire fraud, transportation of stolen property | Dismissed mid-trial after E911 valuation collapsed |
| Phiber Optik / Acid Phreak / et al. (MoD) | 1992 | CFAA, wire fraud, conspiracy | Pleas; ~10-12 months for principals |
| Kevin Mitnick | 1995-99 | CFAA, wire fraud, possession of unauthorized access devices | 4.5 yr pre-trial detention + plea to 46 mos. Released Jan 2000 |
| Eric Corley / 2600 | 2001 (Universal v. Corley) | DMCA anti-circumvention (DeCSS) | Magazine enjoined from posting DeCSS; First Amendment defense rejected |

Table 3.6 — Notable hacker prosecutions of the era. The pattern across the 1990 to 1999 window is approximate parity between cases where the prosecution succeeded (Riggs, Morris, MoD principals, Mitnick) and where it failed or was abandoned (Neidorf, Steve Jackson Games — civilly, against the government). The conviction outcomes are mostly via plea agreement; very few of these went to trial. The Mitnick pre-trial-detention duration is the outlier on the table by an order of magnitude.

The lesson for the lineage of the craft, treated honestly: the federal-government-vs.-hacker prosecution era of 1989–99 was neither the runaway federal overreach the underground retrospectively claims it was nor the sober and proportionate enforcement the press treatment of the era implied. It was a system finding its footing on a new class of cases, making some serious mistakes (the Neidorf valuation, the Mitnick pre-trial detention, the breadth of Sundevil warrants), and producing some legitimate convictions for genuinely harmful conduct (Morris, MoD-on-NYNEX, Mitnick on the source-code-theft counts). The mixed record is the one that’s instructive.


9. The 1990s pivot — the web arrives, the commercial security industry emerges, DEF CON founded (1993)

The 1990s are the decade in which the field professionalized. The mechanics of professionalization were three: the public web arrived (a new substrate that demanded new tradecraft and new defenders); the first generation of commercial security firms launched (which gave the underground-and-research community a payroll); and the hacker conference became the institutional venue at which the field’s practitioners met annually to exchange technique and recruit each other. By the end of the decade, “security researcher” was a job title with a salary range, “penetration test” was a billable service, and “DEF CON” was on the calendar of every working practitioner.

9.1 The web arrives (1989–1995)

Tim Berners-Lee proposed the World Wide Web architecture at CERN in March 1989; he had a working prototype on a NeXTcube by Christmas 1990; the first publicly-accessible website went up in August 1991[64]. The web spread slowly through 1991–92 as a CERN-internal and academic phenomenon, then explosively through 1993–95 once NCSA Mosaic (Marc Andreessen and Eric Bina, University of Illinois NCSA, released in January 1993) provided a usable graphical browser[65]. Andreessen and Jim Clark left NCSA to found Mosaic Communications (later Netscape Communications) in 1994; Netscape Navigator shipped in late 1994 and became the dominant browser of the mid-1990s; Microsoft launched Internet Explorer in 1995; the browser wars began.

For the lineage of this volume’s craft, the web matters because it created a vast new attack surface essentially overnight. The 1980s underground had operated against dial-up modems, telephone-network switches, mid-range timeshare systems, and (post-1988) a few thousand academic Internet hosts. The 1995 web added millions of hosts, all running essentially the same handful of server stacks (NCSA httpd, then Apache; CGI; the early ColdFusion and Perl scripting), all with essentially the same handful of vulnerabilities (path traversal, command injection, the early SQL-injection patterns). Within two years there was a body of literature on web application vulnerabilities; within four years the OWASP project had been founded (2001) and would in turn organize the web-application security discipline that occupies a substantial portion of every modern white-hat consultancy’s work (see Vol 6 — white hat, forthcoming).

9.2 The first commercial security firms

The commercial-security industry as a recognizable category began coalescing in the mid-1990s. The largest firms of the late-1990s era were:

  • Internet Security Systems (ISS) — founded 1994 in Atlanta by Christopher Klaus; vulnerability-scanning product (ISS RealSecure, Internet Scanner); acquired by IBM in 2006 for $1.3 billion. Klaus was a CFAA-prosecution-era figure himself (he had been a teenage hacker in the late 1980s and avoided prosecution); the ISS commercial story is one of the cleanest cases of underground-to-mainstream professional transition.
  • Foundstone — founded 1999 by Stuart McClure and George Kurtz; pentest and incident-response consulting plus a vulnerability-scanner; acquired by McAfee in 2004 for ~$86 million.
  • @stake / L0pht Heavy Industries — the L0pht was a Boston-area hacker collective formed in 1992 (Mudge, Weld Pond, Brian Oblivion, Kingpin, Space Rogue, Stefan Von Neumann, John Tan, and others). L0pht published research, ran l0phtCrack (the password cracker), and famously testified before the U.S. Senate in May 1998 about the security of the Internet, telling the senators they could “take down the Internet in 30 minutes”[66]. The L0pht merged with Cambridge Technology Partners’ security arm to form @stake in early 2000; @stake was acquired by Symantec in 2004.
  • Cisco’s NetSec / NetSol acquisitions and Sun’s Internet Commerce Group ran in-house pentest practices supplying their respective product-line security validations.
  • iDefense (founded 1998), the early vulnerability-information broker that pioneered the commercial vulnerability-purchase market before any formal bug-bounty programs existed (covered in Vol 4).

The hiring pipeline for these firms was, predictably, the BBS-underground-and-LoD/MoD-era cohort (§6). The L0pht in particular was substantially staffed by former underground operators who had aged into their late 20s and decided that being paid for their work was preferable to being prosecuted for it. The career-arc pattern — underground in the late 1980s, federal-investigation-adjacent in the early 1990s, commercial-security firm in the mid-1990s, senior-executive role in the 2000s — is so consistent across the first generation of professionals that it is essentially the standard biography.

9.3 DEF CON founded (1993)

The single institutional pivot that crystallized the professionalization is DEF CON, founded by Jeff Moss (handle: The Dark Tangent) in Las Vegas in 1993. The founding circumstances are themselves load-bearing in the lineage. Moss had been a sysop of a Canadian-and-American BBS network called PLATINUM NET, which was winding down; rather than have the network simply end, Moss organized a goodbye party in Las Vegas for the network’s users in June 1993 (June 9–11). About 100 people showed up. The next year — 1994 — Moss ran it again, this time formally as DEF CON 2, with about double the attendance. By 1995 it was the dominant annual hacker conference in the United States; by the 2010s it was drawing 25,000+ attendees; by 2023, DEF CON 31 had attendance in excess of 30,000[67].

DEF CON’s significance is partly cultural and partly institutional. Culturally, it is the venue at which the hacker community shows itself to itself once a year. The talks are the technical-paper-of-record for offensive research in the modern era (the Phrack role has substantially migrated to DEF CON / Black Hat presentation papers). The contests — Capture the Flag (CTF), Lock Picking Village, Social Engineering Village, Car Hacking Village, the various ICS/SCADA villages, the Aerospace Village — are the principal recruiting venues for the security industry. The badge-hacking tradition has become a substantial sub-discipline of its own. The pattern that Moss invented in 1993 (and substantially refined through the 1990s) has been copied by dozens of regional and international conferences (BSides, ToorCon, CCC Congress, NorthSec, Kawaiicon, Source, RSA’s hacker tracks, and many others).

Institutionally, DEF CON is the venue at which the professional industry meets the underground generation. The conference’s role in normalizing the migration from underground to commercial has been substantial — the 1990s-era underground figures who attended DEF CON in 1996 or 1997 were the same people who, by 2003, were running pentest practices at @stake or ISS, presenting research at the same conference’s microphone. The conference is also, by all accounts, the venue at which a substantial fraction of the security industry’s hiring happens informally — “the bar at DEF CON” is the recruiting venue the formal job-listings never replicate.

The corporate-aligned counterpart to DEF CON is Black Hat Briefings, also founded by Moss, first held in 1997[68]. Black Hat occupies the week before DEF CON in Las Vegas, with substantially more corporate-sponsored / training-track / executive-briefing programming; the two conferences are operationally distinct but share the same founder, much of the same talk pipeline, and substantially overlapping attendance (it is normal to attend Black Hat for two days, then DEF CON for two-and-a-half days, then sleep on the plane home). Moss sold Black Hat to CMP Media in 2005 for an undisclosed sum (subsequently UBM, now Informa); DEF CON remains independent and is operated by Moss’s family-owned company DT, LLC.

9.4 The state of the field at the millennium

By 1999, the field’s institutional structure was approximately as it stands in 2026:

  • A research community publishing in journals (USENIX, IEEE S&P, ACM CCS), zines (Phrack continuing, plus new generations like Uninformed and POC||GTFO in the 2000s), and conferences (DEF CON, Black Hat, regional cons).
  • A commercial security industry with pentest, IR, vuln-scanning, and managed-security service lines, a recognizable Big Four-equivalent (ISS / Foundstone / @stake / iDefense in 1999; quite different five years later as M&A reshuffled the field), and a stable salary range for working practitioners.
  • A criminal underground that had increasingly moved off public BBSes onto IRC EFnet’s #hack, then onto invite-only IRC channels, then onto privately-hosted boards; the underground’s center of gravity had shifted toward the former Soviet Union and Eastern Europe, where (a) the technical-education base was very strong, (b) the local economy was weak, and (c) the law-enforcement cooperation with U.S. agencies was patchy. This is the criminal-underground baseline Vol 4 picks up at.
  • A legal-and-policy framework anchored by the CFAA (§4), substantially developed through Morris, Mitnick, Steve Jackson Games, Universal v. Corley, and several other foundational cases, with the EFF and the new ACLU technology programs running the civil-liberties opposition.
  • A defensive-infrastructure backbone anchored by CERT/CC (§5) and rapidly proliferating national CERTs.
  • Annual conferences as the institutional venues at which the community organized itself: DEF CON, Black Hat, USENIX Security, RSA Conference (more commercially oriented; founded 1991 by RSA Data Security as a cryptography conference, expanded into a general-security expo through the 1990s).

The lineage from this baseline to the modern field is what Vol 4 covers. The institutional skeleton above is essentially what 2026 still has; the changes since are additions and refinements (bug bounties from ~2010; APT-discourse from ~2010; ransomware-as-a-business from ~2015; cloud-native security from ~2015; the LLM/agent security discipline emerging from 2024 onward) rather than replacements.

9.5 Stallman and the GNU Manifesto

One thread from Vol 2 that runs through this volume and deserves an explicit pickup before closing: the Stallman / GNU / FSF lineage [69] from the AI Lab “all information should be free” tenet through the practical license-engineering work of the 1980s and into the modern open-source infrastructure. Richard Stallman left the MIT AI Lab in 1984, in part over the Lab’s licensing of its Lisp Machine technology to two competing commercial spin-offs (Symbolics and LMI); to Stallman, that licensing was a betrayal of the AI Lab’s hacker ethic. His response had already begun: he announced the GNU Project in September 1983, founded the Free Software Foundation in October 1985, and began drafting what would become the GNU General Public License (GPL v1 in February 1989, v2 in June 1991, v3 in June 2007).

The Stallman-and-GNU lineage matters to this volume in two specific ways. First, it is the direct institutional descendant of the 1970s AI Lab hacker ethic — the most stable and least-contested example of “an AI Lab value carried forward into the modern field.” The GPL is, in 2026, the dominant copyleft license; combined with the BSD- and MIT-derived permissive licenses, the open-source ecosystem these licenses enable is the infrastructure layer almost the entire modern computing industry rests on. Second, the GNU/FSF strand is the principled political-organizing thread of the hacker lineage — separate from but not unrelated to the EFF’s legal-defense thread (§7.4) and the 2600/civil-libertarian-zine thread (§6.1). Vol 8 (grey hat, forthcoming) and Vol 17 (the legal-line treatment) both pick this thread up at length; this volume just registers that Stallman/GNU is the bridge from Vol 2’s AI Lab era to the modern free-and-open-source-software infrastructure most of this volume’s other developments rest on. The Manifesto and the GPL are the load-bearing primary documents; Stallman’s collected writings (Free Software, Free Society, FSF, 2002) are the consolidated source.


10. Cheatsheet updates

The one-liners destined for Vol 20’s cheatsheet, distilled from this volume:

Dates worth memorizing.

  • 1984 — 2600 founded (Eric Corley / Emmanuel Goldstein).
  • 1984 (Oct 12) — CADCFAA enacted, Pub. L. 98-473. First federal computer-crime statute.
  • 1985 (Nov 17) — Phrack founded (Taran King + Knight Lightning).
  • 1986 (Jan 8) — Phrack Issue 7 File 3: “The Hacker Manifesto” by The Mentor (Loyd Blankenship).
  • 1986 (Oct 16) — CFAA enacted, Pub. L. 99-474. The dominant statute ever since.
  • 1988 (Nov 2) — Morris Worm released. ~6,000 systems infected.
  • 1988 (Nov 17) — DARPA charters CERT/CC at Carnegie Mellon SEI.
  • 1989 (Feb 25) — Phrack 24 File 5: the E911 article.
  • 1990 (Jan 15) — AT&T MLK-Day long-distance outage (AT&T software bug, blamed initially on hackers).
  • 1990 (Mar 1) — Steve Jackson Games raided by Secret Service.
  • 1990 (May 8) — Operation Sundevil announced. 27 warrants, 15 cities, ~40 computers, ~23,000 disks seized.
  • 1990 (Jul 10) — EFF founded (Kapor, Barlow, Gilmore).
  • 1990 (Jul 27) — Neidorf E911 prosecution dropped mid-trial.
  • 1991 — U.S. v. Morris, 928 F.2d 504 (2d Cir.) affirms Morris CFAA conviction.
  • 1993 — DEF CON 1 in Las Vegas (Jeff Moss / Dark Tangent).
  • 1994 (Oct 31) — Steve Jackson Games v. USSS, 36 F.3d 457 (5th Cir.) affirms ECPA-violation finding.
  • 1995 (Feb 15) — Kevin Mitnick arrested in Raleigh, NC.
  • 1996 (Nov 8) — Phrack 49 File 14: “Smashing the Stack for Fun and Profit” by Aleph One.
  • 1997 — Black Hat Briefings founded (Moss).
  • 1998 (May) — L0pht testifies before U.S. Senate.
  • 1999 (Mar) — Mitnick plea agreement. Released Jan 2000.
  • 2001 — Universal v. Corley, 273 F.3d 429 (2d Cir.) on DeCSS / DMCA.
  • 2021 — Van Buren v. United States, 593 U.S. 374 narrows CFAA “exceeds authorized access.”

Most-cited cases / incidents.

  • U.S. v. Morris — first CFAA conviction; established that CFAA mens rea is intent to access, not intent to harm.
  • Operation Sundevil + Steve Jackson Games — the precipitating events for the EFF founding; SJG v. USSS the foundational ECPA case.
  • U.S. v. Mitnick — the most publicized hacker prosecution of the era; the pre-trial-detention duration is the lasting civil-liberties grievance.
  • Universal v. Corley (2600’s DeCSS case) — DMCA anti-circumvention precedent.
  • Van Buren v. United States — narrowed the “exceeds authorized access” prong of CFAA, but did not narrow the “without authorization” prong.

Legal foundation, one paragraph.

In 1983 the federal government had no clean statute for unauthorized access to a computer. In 1984 it had a narrow one (CADCFAA). In 1986 it had a broad one (CFAA). By 1991 the CFAA had survived its first appellate test (Morris) and was being applied broadly. By 1999 it was the dominant statute under which the entire hacking-related criminal docket was prosecuted. The “without authorization or exceeds authorized access” phrase is the load-bearing legal text; Van Buren (2021) narrowed the “exceeds” prong; the “without” prong remains broad. Stacked counts and per-protected-computer aggregation produce charge-stack arithmetic that almost always drives pleas rather than trials. Owning the hardware or having written-and-signed scope is the bright-line authorization the statute respects.

Cultural pivot, one paragraph.

The 1980s opened with hacking as an underground hobby and a press curiosity; it closed with hacking as a federal felony category. The 1990s opened with the EFF founded and the first commercial-security firms emerging; it closed with DEF CON as an annual institution, the L0pht in front of the Senate, Phrack still publishing, and a recognizable salary range for “security researcher.” The two decades together built the institutional skeleton — community, conferences, law, defenders, criminals, civil-liberties NGOs — that the modern field still has. Vol 4 covers what’s been hung on that skeleton since.


11. Resources

The footnotes below provide citations for every factual claim in this volume. Primary sources for the period:

  • Sterling 1992 [2] — The Hacker Crackdown. Public-domain via Project Gutenberg; the canonical narrative source for Sundevil, the Steve Jackson Games raid, and the early EFF.
  • Slatalla & Quittner 1995 [14] — Masters of Deception. The LoD/MoD reporting source; somewhat shaped by the principals’ self-narration.
  • Hafner & Markoff 1991 [3] — Cyberpunk: Outlaws and Hackers on the Computer Frontier. The earlier-vintage Mitnick and Morris-era journalism.
  • Mitnick 2011 [4] — Ghost in the Wires. Mitnick’s own retrospective; load-bearing for the internally consistent post-1995 account but autobiographical in its framing.
  • Markoff & Shimomura 1996 [61] — Takedown. The Shimomura-and-Markoff side of the Mitnick narrative; press-myth-aligned.
  • Stoll 1989 [70] — The Cuckoo’s Egg. The Hess / Chaos Computer Club / astronomical-research-lab intrusion case (1986–87 — actually predates the main events of this volume, but is the canonical popular account of computer-intrusion forensics in the era).
  • Eichin & Rochlis 1989 [29] — the MIT post-mortem of the Morris Worm.
  • Spafford 1989 [36] — the Purdue post-mortem of the Morris Worm.
  • Steve Jackson Games v. USSS, 36 F.3d 457 (5th Cir. 1994) [5] — the foundational ECPA case.
  • CFAA: 18 U.S.C. § 1030 (current); Pub. L. 98-473 (1984, CADCFAA); Pub. L. 99-474 (1986, CFAA). For the operational reading of the current statute, see Vol 19.
  • Van Buren v. United States, 593 U.S. 374 (2021), No. 19-783; 141 S. Ct. 1648 [27] — the most recent significant CFAA opinion.

The full Phrack archive (http://phrack.org/issues/), the 2600 archive (issues and the Off The Hook radio archive at https://2600.com), the EFF document archive (https://www.eff.org/about/history), and the Textfiles.com archive (http://textfiles.com/) are the primary-document repositories for the era. The DEF CON talk archives (https://defcon.org/html/links/dc-archives.html) are the principal record of post-1993 technical-research presentation.


This is Volume 3 of the Hacker Tradecraft series. Next: Vol 4 picks up at the millennium and traces the modern era — the maturation of the pentest profession, the rise of the APT discourse, the bug-bounty economy, the ransomware-as-a-business model, the cloud-native security pivot, the Snowden disclosures’ effect on the field’s posture, and the early-2020s collision of LLMs and security work. The institutional skeleton built across Vols 2 and 3 carries forward; what’s been hung on it since is the next volume’s content.

Footnotes

  1. See Vol 4 — History III: the modern era for the 2000s-to-present arc, picking up where this volume leaves off.

  2. Sterling, Bruce. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. Bantam Books, 1992. ISBN 978-0-553-08058-9. Sterling explicitly placed the work in the public domain shortly after publication; the full text is freely available via Project Gutenberg at https://www.gutenberg.org/ebooks/101. The canonical narrative source for Operation Sundevil, the Steve Jackson Games raid, the Neidorf prosecution, the founding of the EFF, and the broader 1989–91 criminalization wave. Sterling’s journalism is reported and largely sympathetic to the underground but not uncritical.

  3. Hafner, Katie, and John Markoff. Cyberpunk: Outlaws and Hackers on the Computer Frontier. Simon & Schuster, 1991. ISBN 978-0-671-68322-1. Three case studies: Kevin Mitnick (pre-1995), Hans Hübner / Pengo of the Chaos Computer Club (the Cuckoo’s Egg case), and Robert Tappan Morris. Pre-dates the Mitnick manhunt of 1994–95 and the much fuller subsequent literature on each case.

  4. Mitnick, Kevin, with William L. Simon. Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker. Little, Brown, 2011. ISBN 978-0-316-03770-9. Mitnick’s first-person retrospective. Internally consistent; obviously self-presenting; the most useful source for the specific timeline and technique-level claims if cross-checked against the court record and the other accounts.

  5. Steve Jackson Games, Inc. v. United States Secret Service, 36 F.3d 457 (5th Cir. 1994). The Fifth Circuit affirmed the district court’s ECPA-violation finding but reversed the Wiretap Act portion of the holding, drawing a now-controversial distinction between “intercepted” and “stored” electronic communications. The case remains a foundational ECPA precedent and is widely cited in subsequent stored-communications cases.

  6. For 1981 IBM PC pricing: IBM 5150 (PC) was announced August 12, 1981 at $1,565 for a base configuration (16 KB RAM, no monitor, no disk drives — keyboard and CGA video adapter); a typical usable configuration with monitor and a disk drive was around $2,500–3,000. Sources: Byte magazine August 1981; the IBM PC announcement materials, available at the Computer History Museum’s IBM-PC archive. The Altair 8800 pricing of $397/498 (kit/assembled) is from Vol 2 §6.

  7. The Hayes Smartmodem 1200 was introduced in 1981 by Hayes Microcomputer Products, Atlanta. List price $699. The “AT command set” that Hayes introduced (AT, ATD, ATH, etc.) became the universal modem-command language and is still in use in 2026 (in modems that still exist, including the cellular-data modems in modern handsets, which all answer to AT commands). The Smartmodem 1200 was the dominant high-end modem for the BBS era’s first phase.

  8. Christensen, Ward, and Randy Suess. CBBS (Computerized Bulletin Board System), first online February 16, 1978 in Chicago. The original BBS, described in Byte magazine November 1978 (Christensen and Suess, “Hobbyist Computerized Bulletin Board”). The subsequent BBS-software market is too large to enumerate here; Lance Leventhal’s BBS Magazine (1991–1998) covered the field at the time. The Textfiles.com archive maintains a working historical record at http://textfiles.com/bbs/.

  9. Jennings, Tom. FidoNet, established June 1984. Initially a store-and-forward private-mail protocol for BBSes; subsequently expanded into a global discussion-area distribution protocol (“Echomail”) which, by the late 1980s, had tens of thousands of nodes. Jennings’s own history at http://www.wps.com/FidoNet/ is the canonical primary-source account. FidoNet still exists in 2026 in a much smaller form (around 1,800 active nodes as of 2024).

  10. YIPL: Youth International Party Line (1971–1973) and TAP: Technological American Party (1973–1984), the print-magazine predecessors of the BBS-era zines. Founded by Abbie Hoffman and Al Bell; covered phreaking, electronics, and counterculture politics. Phrack and 2600 both explicitly credit YIPL/TAP as a lineage source.

  11. The European demoscene’s history is documented at https://demozoo.org/, a community-maintained archive of demo and crack-tro releases dating from the early 1980s. The Assembly demo party in Helsinki has been held annually since 1992 and is the largest of the present-day demoscene gatherings.

  12. Blankenship, Loyd (“The Mentor”). “The Conscience of a Hacker.” Phrack Vol. 1, Issue 7, Phile 3, January 8, 1986. Full text at http://phrack.org/issues/7/3.html. The 500-word manifesto, written immediately after Blankenship’s arrest, an episode that was probably a routine federal-investigation interview rather than a serious prosecution (Blankenship was never indicted on the 1986 events). Blankenship has explicitly placed the text in the public domain and has confirmed authorship at many later venues, including DEF CON. The piece is widely reprinted and has been quoted (in modified form) in Hackers (1995) and many other cultural artifacts.

  13. Textfiles.com, maintained by Jason Scott Sadofsky, archives BBS-era ASCII text files at http://textfiles.com/. The archive is one of the most extensive of the era and is the primary source for many of the t-files cited in subsequent academic work on hacker culture. Sadofsky’s later film BBS: The Documentary (2005) is the canonical video oral history of the BBS era.

  14. Slatalla, Michelle, and Joshua Quittner. Masters of Deception: The Gang That Ruled Cyberspace. HarperCollins, 1995. ISBN 978-0-06-017030-9. The canonical reported account of the LoD-MoD split, the Great Hacker War, and the 1992 prosecutions. Journalistic; sympathetic to the principals; somewhat shaped by their self-narration, as the authors interviewed them at length while the events were still recent.

  15. WarGames. Directed by John Badham, produced by United Artists, screenplay by Lawrence Lasker and Walter F. Parkes. Released June 3, 1983. The film grossed $79 million domestically against a $12 million budget. Matthew Broderick plays David Lightman; Ally Sheedy plays Jennifer Mack; John Wood plays Dr. Stephen Falken; the WOPR / Joshua AI is also voiced by John Wood (with audio processing).

  16. The technique predates the film name — the practice of dialing every number in a prefix looking for modems was common among phreaks and early BBS users from the mid-1970s onward — but WarGames gave it its name: the practice became known as “war-dialing” after the film, although the film itself never uses the term (the character simply says “I have my computer dial”). ToneLoc (Minor Threat and Mucho Maas, ~1990) was the canonical wardialer software of the BBS era and is preserved at http://textfiles.com/messages/.

  17. “Beware: Hackers at Play.” Newsweek, September 5, 1983, cover story. Neal Patrick is on the cover. The article is widely reprinted in subsequent academic and journalistic treatments of the era; the original print issue is in the Newsweek archive at the Library of Congress.

  18. U.S. House of Representatives, Subcommittee on Transportation, Aviation and Materials, Committee on Science and Technology. “Computer and Communications Security and Privacy.” Hearings held September 26 and October 17 and 24, 1983, 98th Congress, 1st Session. Neal Patrick of the 414 group testified on September 26. The hearings produced no immediate legislation but set the political stage for CADCFAA the following year.

  19. The story about President Reagan watching WarGames shortly after its release, asking his National Security Adviser whether the scenario was plausible, and the resulting NSDD 145 (National Security Decision Directive 145, National Policy on Telecommunications and Automated Information Systems Security, September 1984) is widely repeated but the specific causal chain from film to NSDD has been contested. The film-influences-NSDD narrative is in the Markoff and Sterling treatments; subsequent archival work has not consistently confirmed it.

  20. The “414s” coinage is from the Newsweek coverage of August-September 1983. The name derives from Milwaukee’s telephone area code (414) and was selected by Neal Patrick and his group; it was not a pre-existing handle.

  21. The 414s’ target list and the approximate count of compromised systems are from the FBI’s 1983 investigation file, available via FOIA requests, and the contemporaneous press coverage. The Sloan-Kettering and Los Alamos identifications are well-established; Security Pacific Bank is in the official record; the broader “~60 systems” figure is the FBI’s estimate.

  22. The inadvertent deletion of a billing-records file at Sloan-Kettering Cancer Center is the most-cited specific harm from the 414s’ activity, but the file was reconstructible from backups and the actual operational harm was minor. The press coverage tended to emphasize the potential harm (the kids could in principle have damaged cancer-treatment records) rather than the actual harm (a small billing-file deletion).

  23. See Vol 19 — the legal line and ethics for the full operational treatment of the CFAA as it stands in 2026, including the non-U.S. analogs (UK Computer Misuse Act, EU Cybercrime Directive, Budapest Convention, Australian Cybercrime Act).

  24. Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (CADCFAA), Pub. L. 98-473, Title II, Chapter XXI, October 12, 1984. Codified primarily at 18 U.S.C. § 1029 (access devices) and 18 U.S.C. § 1030 (computer fraud). The 1984 act was rewritten essentially completely by the 1986 act; only § 1029 survives largely in its original form.

  25. Computer Fraud and Abuse Act, Pub. L. 99-474, October 16, 1986. Codified at 18 U.S.C. § 1030. The 1986 enactment substantially rewrote the 1984 § 1030; the current statute is a series of amendments to the 1986 base.

  26. 18 U.S.C. § 1030 (2024 edition). Available at https://www.law.cornell.edu/uscode/text/18/1030. The current statute reflects amendments enacted in 1988, 1989, 1990 (the Identity Theft and Assumption Deterrence Act), 1994 (the Computer Abuse Amendments Act), 1996 (the National Information Infrastructure Protection Act), 2001 (USA PATRIOT Act § 814), 2002 (the Cyber Security Enhancement Act), and 2008 (the Identity Theft Enforcement and Restitution Act).

  27. Van Buren v. United States, 593 U.S. 374 (2021), No. 19-783; 141 S. Ct. 1648. The Supreme Court’s most recent significant CFAA opinion. Held that the “exceeds authorized access” prong of § 1030(a)(2) does not reach conduct where the defendant has valid credentials to access a file but does so for an improper purpose — only conduct where the defendant accesses a file the credentials don’t grant access to. Narrowed the CFAA in one specific way; left the “without authorization” prong unaffected.

  28. The aggregation effect is a feature of federal criminal procedure rather than the CFAA specifically, but the CFAA’s structure (each access to each protected computer as a separate violation; each separate “transmission” of a malicious program separately chargeable) interacts with stacking-of-counts in a way that produces theoretical exposures far in excess of likely sentences. The Aaron Swartz case (Vol 4) is the most-cited late example; the Mitnick indictment (covered in §8 above) is an earlier example, with the original federal indictment carrying a theoretical maximum of decades despite the eventual plea to 46 months.

  29. Eichin, Mark W., and Jon A. Rochlis. With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988. MIT Project Athena Technical Memo, February 9, 1989. Subsequently published in expanded form. The MIT post-mortem of the Morris worm, conducted in the immediate aftermath by disassembling captured worm copies. Required-reading engineering reference; the canonical source for the worm’s actual behavior alongside Spafford 1989.

  30. Eichin and Rochlis 1989, §3.1 (the fingerd attack). The 512-byte buffer and the 536-byte payload, the gets(3) usage, and the return-address overwrite are all documented there with the actual buffer-layout diagram. The shellcode disassembly is at §3.1, including the VAX-specific NOP-equivalent padding.

  31. Karger, Paul A., and Roger R. Schell. Multics Security Evaluation: Vulnerability Analysis. ESD-TR-74-193, Vol. II, Air Force Electronic Systems Division, June 1974. The classic Multics security evaluation that formally identified the stack-buffer-overflow vulnerability class, among others. Re-published with a 2002 commentary by Karger and Schell describing how the security lessons had been forgotten by the time the same vulnerabilities re-emerged in 1988.

  32. Aleph One (Elias Levy). “Smashing the Stack for Fun and Profit.” Phrack 49, File 14, November 8, 1996. Full text at http://phrack.org/issues/49/14.html. The canonical engineering treatment of stack-buffer-overflow exploitation on Unix/Linux. Aleph One subsequently founded SecurityFocus (later acquired by Symantec) and ran the Bugtraq mailing list for many years. The 1996 article is the moment the buffer-overflow exploitation technique became broadly understood; the Morris Worm had used it eight years earlier.

  33. For the sendmail DEBUG-mode trapdoor: Eichin & Rochlis 1989 §3.3 and Spafford 1989 §3.3.2. The DEBUG command in sendmail was an Eric Allman-authored feature dating to early Berkeley sendmail releases; it allowed an SMTP client to specify a Unix command pipeline as the recipient of a mail message, intended for debugging mail-delivery agent configuration. The feature was supposed to be compiled out for production via the -DDEBUG=0 make flag, but the default-on configuration shipped with most 4.3BSD and SunOS installations of the era. Allman’s own subsequent commentary (in various USENIX talks through the 1990s) acknowledged the feature should never have been distributed in production binaries.

  34. Eichin & Rochlis 1989 §3.2 lists the embedded dictionary in full (about 432 entries) and walks through the cracking algorithm. The candidate passwords included the dictionary entries (aaa, academia, aerobics, airplane, …), the user’s own login name reversed (e.g., tjscientist → tsitneicsjt), the user’s first and last names from the gecos field, and various common dictionary words. The hash-comparison cost on a SUN-3 of the era was on the order of ~50 hashes per second; against a few hundred users this was a few-minute computation.
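A defender-side password-policy check built from the guess categories footnote 34 describes, as an added example (not the volume’s own code, nor the worm’s): given a passwd-format entry and a proposed password, it reports whether the worm’s account-derived guesses (login name, login reversed, names from the gecos field) or its embedded word list would have matched it. The sample word list, the sample passwd line, and the empty-password, doubled-login and reversed-last-name variants are constructed additions, and the case-folded comparison is a stricter policy choice than the footnote states.

```python
# Added example: a password-setting check that rejects passwords the
# Morris worm's guessing strategy would have matched. Not code from the
# volume or from the worm; the word list and sample entry are constructed.
from __future__ import annotations

# Constructed sample of the embedded dictionary. The first four entries are
# the ones footnote 34 quotes; the remaining two are illustrative additions.
SAMPLE_WORDLIST = ("aaa", "academia", "aerobics", "airplane", "secret", "wizard")


def parse_passwd_line(line: str) -> tuple[str, str]:
    """Return (login, gecos) from a classic 7-field /etc/passwd line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"not a 7-field passwd line: {line!r}")
    return fields[0], fields[4]


def gecos_names(gecos: str) -> list[str]:
    """Lower-cased words of the full-name part of gecos (before the first comma).

    'T. J. Scientist,Room 12' -> ['t', 'j', 'scientist']
    """
    full_name = gecos.split(",")[0]
    return [w.strip(".").lower() for w in full_name.split() if w.strip(".")]


def account_candidates(login: str, gecos: str) -> set[str]:
    """Guesses derived from the account itself: the login name, the login
    reversed, and the name words carried in the gecos field (footnote 34).
    The empty password, the doubled login and the reversed last name are
    assumed extra variants included here to make the check stricter."""
    candidates = {"", login, login + login, login[::-1]}
    names = gecos_names(gecos)
    candidates.update(names)
    if names:
        candidates.add(names[-1][::-1])
    return candidates


def weakness_reasons(login: str, gecos: str, password: str,
                     wordlist: tuple[str, ...] = SAMPLE_WORDLIST) -> list[str]:
    """Every reason the password would have fallen to the two guess sources
    footnote 34 describes; an empty list means it survives both.
    Comparison is case-folded here as a conservative policy choice."""
    pw = password.lower()
    reasons = []
    if pw in {c.lower() for c in account_candidates(login, gecos)}:
        reasons.append("derived from login name or gecos field")
    if pw in {w.lower() for w in wordlist}:
        reasons.append("in the embedded word list")
    return reasons


def check_passwd_entry(line: str, password: str) -> list[str]:
    """Parse one passwd line, then judge the proposed password for it."""
    login, gecos = parse_passwd_line(line)
    return weakness_reasons(login, gecos, password)


# Constructed sample account, matching footnote 34's tjscientist example.
SAMPLE_ENTRY = "tjscientist:x:1001:1001:T. J. Scientist,Room 12:/home/tjscientist:/bin/sh"

if __name__ == "__main__":
    for candidate in ("tsitneicsjt", "Scientist", "aerobics", "correct-horse"):
        verdict = check_passwd_entry(SAMPLE_ENTRY, candidate) or ["survives the worm's guesses"]
        print(f"{candidate:15} -> {'; '.join(verdict)}")
```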

  35. Estimating the Internet’s size in late 1988 is subject to the usual methodological problems. The commonly-cited 60,000 figure derives from the November 1988 Internet Protocol Implementations Reports and the Stanford host-count surveys of the same period; the precise figure varied from ~56,000 to ~68,000 depending on counting methodology. The ~6,000-infections figure for the Morris worm derives from Spafford 1989 and is the consensus estimate; some accounts cite as high as 10,000 and as low as 2,000.

  36. Spafford, Eugene H. The Internet Worm Program: An Analysis. Purdue University Technical Report CSD-TR-823, December 1988 / June 1989; published as “The Internet Worm: Crisis and Aftermath” in Communications of the ACM 32(6), June 1989, pp. 678–687. The Purdue post-mortem, conducted independently of and concurrently with Eichin & Rochlis. The CACM article is the most-cited published treatment.

  37. The pattern is described from Morris’s actual implementation in Eichin & Rochlis 1989 §3.1 and Spafford 1989 §3.3.1. The match to Aleph One 1996’s later canonicalization is direct.

  38. DARPA charter for CERT/CC, November 17, 1988. The founding contract was with the Software Engineering Institute at Carnegie Mellon University, which had pre-existing DARPA contract authority and was therefore the fastest vehicle for the response. CERT/CC’s own institutional history is at https://www.sei.cmu.edu/about/divisions/cert/index.cfm.

  39. United States v. Morris, sentencing transcript, U.S. District Court for the Northern District of New York, May 4, 1990. The sentence — three years’ probation, 400 hours community service, $10,050 fine — was significantly below the statutory maximum (5 years imprisonment per § 1030(a)(5)(A) as then enacted) and prompted substantial criticism from federal prosecutors and from some commentators at the time. The judge, Howard Munson, cited Morris’s cooperation, lack of intent to cause harm, and the genuinely uncertain state of the law at the time of the offense.

  40. United States v. Morris, 928 F.2d 504 (2d Cir. 1991). The Second Circuit’s affirmance. The opinion is the foundational appellate reading of the CFAA’s mens-rea structure: the court held that “intentionally” in § 1030(a)(5)(A) modified only the access, not the resulting damage, so that the prosecution did not need to prove Morris intended the damage the worm caused. Full text at most federal-court reporters.

  41. 2600: The Hacker Quarterly, founded January 1984 by Eric Corley (pen name Emmanuel Goldstein) in New York. The magazine’s own founding history is at https://www.2600.com/about/. Corley’s Off The Hook radio program on WBAI New York has been running weekly since October 1988 with the same editorial perspective; the show archive at https://offthehook.cc/ is searchable.

  42. Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 294 (S.D.N.Y. 2000); affirmed sub nom. Universal City Studios, Inc. v. Corley, 273 F.3d 429 (2d Cir. 2001). The case held that 2600’s posting of the DeCSS DVD-decryption source code violated the DMCA’s anti-circumvention provisions and that the First Amendment’s protection of code-as-speech did not, under intermediate scrutiny, defeat the DMCA’s narrow tailoring. The case is one of the foundational DMCA precedents and remains widely cited in DRM and platform-liability disputes.

  43. Phrack Issue 1 was released November 17, 1985, edited by Taran King (Randy Tischler) and Knight Lightning (Craig Neidorf). The masthead-and-editorial-history of every issue is at http://phrack.org/issues/. Neidorf is, infamously, the same Knight Lightning who was prosecuted in the Neidorf E911 case in 1990 (§7.1).

  44. For Legion of Doom: Sterling 1992 is the principal narrative source. The LoD’s own roster has been recounted in many later interviews; the most thorough is Erik Bloodaxe’s collected presentations and the Phrack “Legion of Doom Technical Journals” the group produced in 1987–88 (Issues 1 through 4 of LoD/H Technical Journal, archived at the Phrack mirrors).

  45. For Masters of Deception: Slatalla & Quittner 1995 is the principal narrative source. Phiber Optik’s subsequent interviews and the 2600 coverage of the 1992 prosecutions supplement.

  46. The AT&T MLK-Day outage of January 15, 1990 was caused by a software bug in AT&T’s #4ESS switch software, specifically in the SS7 signaling code. The bug was a recursive-message-handling issue that, once triggered by a particular sequence of events, caused cascading failures across the AT&T long-distance network. AT&T’s own post-mortem (published February 1990 in Telephony and in Bell Labs Technical Journal) is the canonical engineering account; the hacker theory was definitively eliminated within a few weeks of the event.

  47. For the E911 case: Sterling 1992, chapter 1, is the canonical narrative source. The court file is United States v. Neidorf, N.D. Ill. 1990; the case-was-dropped order is in the docket for late July 1990. The actual Phrack 24 article is at http://phrack.org/issues/24/5.html.

  48. The Neidorf trial collapsed when a defense witness was able to demonstrate, via a simple ordering procedure, that the Bell South publications office sold the same document publicly. The exact figure is widely reported as around $13; some accounts say $13.50. Bell South’s original valuation in the indictment was $79,449. The discrepancy was the proximate cause of the case’s dismissal; the prosecution’s case did not survive the loss of the valuation theory.

  49. Operation Sundevil announced May 8, 1990, by U.S. Attorney Stephen McNamee, District of Arizona, at a press conference in Phoenix. The Secret Service operational details are described in Sterling 1992 chapters 2–3. The total operation involved approximately 150 federal agents, 27 search warrants, and 15 cities, though figures vary slightly between sources.

  50. Approximately 27 search warrants and 15 cities; ~40 computers and ~23,000 floppy disks seized. The exact numbers vary slightly between Sterling’s account and the Secret Service’s own subsequent statements. The eventual number of charges was small — three indictments — relative to the seizure footprint.

  51. Barlow, John Perry. “Crime and Puzzlement.” June 8, 1990. Distributed on the WELL and subsequently the EFF mailing lists; reprinted in numerous places. The essay was Barlow’s first major public statement on the issues that would lead to the EFF’s founding the following month; full text at https://www.eff.org/pages/crime-and-puzzlement.

  52. For the Steve Jackson Games raid: Steve Jackson Games’ own contemporaneous press releases (March 1990) and the subsequent court papers in Steve Jackson Games v. USSS are the primary documents. The case file is in the Western District of Texas archives. Sterling 1992 chapter 4 is the canonical narrative source; the EFF’s own archive at https://www.eff.org/cases/sjg has the surviving court documents.

  53. Steve Jackson Games, Inc. v. United States Secret Service, 816 F. Supp. 432 (W.D. Tex. 1993). The district court held that the Secret Service violated both the Privacy Protection Act of 1980 (in seizing the materials of a publisher) and the Stored Communications Act portion of the Electronic Communications Privacy Act (in reading email stored on the Illuminati BBS server during the seizure).

  54. Electronic Frontier Foundation, founded July 10, 1990. Founders: Mitch Kapor (Lotus founder; donated initial seed capital), John Perry Barlow (Grateful Dead lyricist and Wyoming-rancher essayist), John Gilmore (Sun Microsystems engineer, sometime cypherpunk). EFF’s own founding history is at https://www.eff.org/about/history. The foundation’s first physical office was in Cambridge, Massachusetts; the foundation moved its headquarters to Washington, DC in 1993 and to San Francisco in 1995, where it has been since.

  55. Mitnick’s own subsequent books The Art of Deception (2002) and The Art of Intrusion (2005) are the most detailed accounts of his social-engineering technique by the principal. The first-person retrospective in Ghost in the Wires covers the specific pretexts used in several of his major operations.

  56. For the Shimomura intrusion of December 25, 1994: Shimomura and Markoff’s Takedown 1996 is the principal narrative source. The technical method used — IP-spoofed TCP-sequence-number prediction with a blind reply — was a recognizable but operationally novel application of the technique described by Bellovin 1989; see 57 below. The intrusion was discovered when Shimomura returned from his ski trip and noticed anomalies in his workstation’s logs.

  57. Bellovin, Steven M. “Security Problems in the TCP/IP Protocol Suite.” Computer Communications Review, Vol. 19, No. 2 (April 1989), pp. 32–48. The classic paper identifying multiple weaknesses in the original TCP/IP design, including the sequence-number-prediction attack that Mitnick (or a correspondent of Mitnick’s) operationalized against Shimomura. Bellovin’s paper described the theoretical vulnerability; the 1994 attack was its first widely publicized practical exploitation.

  58. The Shimomura-led tracking effort, January and February 1995, used a combination of cellular-call-record analysis (Mitnick had been using cloned cellular phones), modem-bank-callback logs from the various ISPs Mitnick was using to bounce through, and finally a pen-register order on a specific Sprint cellular tower in Raleigh. The arrest on February 15 was in a Raleigh apartment Mitnick had rented under an assumed name.

  59. The post-plea legal record did not include any financial-fraud counts that the government had been able to prove. The federal indictment had alleged various theories of financial-fraud-by-theft-of-source-code, but the plea agreement dropped all fraud counts in favor of an unauthorized-access count and various lesser charges. The contemporary public discussion of whether Mitnick was a “thief” turns substantially on what counted as theft for these purposes; the legal record is that no financial-fraud counts survived to conviction.

  60. Kevin Mitnick was arrested February 15, 1995 in Raleigh, North Carolina, by FBI agents in cooperation with Tsutomu Shimomura and the local field office. Charges initially included multiple counts of CFAA violations, wire fraud, and possession of unauthorized access devices.

  61. Shimomura, Tsutomu, with John Markoff. Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaw. Hyperion, 1996. ISBN 978-0-7868-6210-6. The Shimomura-and-Markoff account of the 1994–95 Mitnick manhunt. The book and its subsequent film adaptation (Takedown, 2000, also released as Track Down) substantially shaped public perception; the account is technically accurate where checkable but is framed in a way Mitnick and his supporters strongly contested.

  62. Mitnick was held without bail from February 15, 1995 through his plea acceptance in March 1999 and his sentencing in August 1999 — approximately 4.5 years of pre-trial detention. The legal-defense argument that this duration was unconstitutional was raised but not adopted by the court. The Free Kevin movement, including the bumper stickers and the freekevin.com website, was the public civil-liberties response.

  63. United States v. Mitnick, plea agreement March 1999, C.D. Cal. The plea was to one count of wire fraud and several other counts; sentence of 46 months with credit for time served (the 4.5 years of pre-trial detention); 3 years of supervised release with restrictions on Internet and cellular-phone use. The restrictions were lifted in part in 2003.

  64. Berners-Lee, Tim. Information Management: A Proposal. CERN, March 1989. The original web proposal, subsequently revised and re-circulated until management at CERN approved the project in 1990. The first web server (info.cern.ch on a NeXTcube) went online in December 1990; the first publicly-accessible site (info.cern.ch, the same machine, opened to outside hosts) went up in August 1991. Berners-Lee’s Weaving the Web (1999) is the canonical first-person retrospective.

  65. NCSA Mosaic, Marc Andreessen and Eric Bina, released January 23, 1993 by the National Center for Supercomputing Applications, University of Illinois Urbana-Champaign. The first widely-used graphical web browser; the Windows port followed later in 1993, by which point Mosaic was already the dominant browser of the academic-and-research user base. Andreessen and Jim Clark founded Mosaic Communications (later Netscape) in April 1994.

  66. U.S. Senate Committee on Governmental Affairs hearing, “Weak Computer Security in Government: Is the Public at Risk?” May 19, 1998. The seven L0pht testifiers — Brian Oblivion, Kingpin (Joe Grand), Mudge (Peiter Zatko), Space Rogue (Cris Thomas), Stefan Von Neumann, John Tan, and Weld Pond (Chris Wysopal) — testified that they could “take down the Internet in 30 minutes” using publicly-known BGP vulnerabilities. The hearing transcript is at https://www.govinfo.gov/.

  67. DEF CON, founded 1993 by Jeff Moss (Dark Tangent) in Las Vegas. The founding events have been described by Moss in many subsequent interviews; DEF CON’s own history page at https://defcon.org/html/links/dc-about.html is the primary source. DEF CON 1 in 1993 had approximately 100 attendees; by DEF CON 30 (2022) and 31 (2023) the conference was drawing over 30,000.

  68. Black Hat Briefings, founded 1997 by Jeff Moss as the corporate-aligned counterpart to DEF CON. Acquired by CMP Media in 2005 for an undisclosed sum (subsequently UBM and now Informa). The conference takes place annually in Las Vegas the week before DEF CON.

  69. Stallman, Richard. Free Software, Free Society: Selected Essays of Richard M. Stallman. Free Software Foundation, 2002. ISBN 978-1-882114-98-6. The consolidated source for the Stallman / GNU / FSF lineage. The GNU Manifesto’s original publication was in Dr. Dobb’s Journal, March 1985. The Free Software Foundation was incorporated October 4, 1985 in Massachusetts. The GPL versions and their publication dates: GPL v1 in February 1989; GPL v2 in June 1991 (this is the canonical version cited in most existing GPL-licensed code, including the Linux kernel); GPL v3 in June 2007 (after substantial drafting and review).

  70. Stoll, Clifford. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. Doubleday, 1989. ISBN 978-0-385-24946-1. Stoll’s first-person account of tracking the German-and-East-Bloc-connected hacker Markus Hess through the Lawrence Berkeley Laboratory computer system in 1986–87. The case predates most of the events in this volume but is the canonical popular account of the era’s intrusion-forensics craft. Hess was tied to the Chaos Computer Club and to KGB recruitment efforts; the technical-attribution methods Stoll used were genuinely novel for 1986 and have a clear lineage into modern incident-response practice.