Wilson da Silva

Science journalist, feature writer and editor.

Aug 8, 1996
1 min read


BEING hacked is not a pleasant feeling. Sort of like being burgled - then being charged for breaking and entering. No-one really believes you’re innocent.

It might not be your fault. You might have an obscure enough password. You might check that no-one is looking on when you log in. You might ensure your username and password isn’t written next to the keyboard nor saved on your PC dial-up software. In short, you might practise the basics of good Netizenship. 

I thought I had. My password was obscure: THX-1138, the title of director George Lucas’s first film, a largely unnoticed science fiction flop starring Robert Duvall. Apparently, someone else is a fan of Lucas; or is a talented hacker: two weeks ago, someone hacked into my Internet account, then rummaged through all my private bits, as it were.

On July 11, using the log-on of “wdasilva” at Deakin University (where I do a part-time off-campus course), they said some very unpleasant and quite unprintable things on Internet Relay Chats around the world.

They sent abusive e-mail to people I’ve never met. They downloaded 18Mb of data into my mailbox, well beyond my 5Mb limit. For all I know, they read my mail too and messaged friends and colleagues or confronted Internet discussion groups to which I subscribe.

On July 15, an unprintable broadcast e-mail message was sent in my name to all 44,000 users at the university. Understandably, Deakin University froze my account.

I felt violated. And I was taken aback at being asked to prove that I was innocent.

“All universities face similar problems,” said Richard Tan, the head of information technology services at Deakin. “It’s no different from someone breaking into your office and going through your things. We have more and more users ... With the popularity of the Internet ... there are going to be more incidents like these.”

A Deakin investigation found my account was probably hacked via password: someone logged on masquerading as me and used the password.

How did they get it? Two methods: with “sniffers” or “crackers”. “Sniffers” are virus-like mini-programs that, once planted inside a mainframe computer, wait for people to log-in. They collect log-in usernames and passwords, which are then passed on to the hacker.

A “cracker” is a program that sits inside the hacker’s computer and tries to breach network security by brute force. The hacker picks a legitimate username, then uses the program to throw a dictionary at the task of logging-in, trying combinations of words with words, and words with numbers, such as “dog24”.

There is no way of knowing the extent of the damage. Were all of my friends e-mailed and abused too? Was my log-in used to mail-bomb ASIO, or even worse, the Church of Scientology? Have they perhaps suggested innovative uses for crucifixes to pope@vatican.org?

The other possibility is that I am guilty as charged. Maybe I was testing Deakin out. Maybe I had a momentary lack of sanity, and now don’t want to own up to it. Maybe I actually did it just so I could write this article!