Hackers Have It Easy
Buying a password to almost anyone's email account can cost $100 or less. And although hacker services are illegal, the FBI rarely investigates. Washington Post staff writer Tom Jackman and Jon Erickson, a former hacker, examine how secure you are on the Internet.
Copyright © 2009 National Public Radio®. For personal, noncommercial use only. See Terms of Use. For other uses, prior permission required.
NEAL CONAN, host:
This is TALK OF THE NATION. I'm Neal Conan, in Washington.
A year ago, toward the end of a heated election campaign, a kid in Tennessee allegedly hacked the Yahoo email account of then-Governor Sarah Palin. Though the victim is not exactly typical, the case drew attention to something that happens to many of us, and a story in The Washington Post yesterday made it clear you don't have to be a computer wiz to break into somebody's email. All you need is a hundred bucks. A number of Web sites openly offer to break into someone's personal email account, guaranteed. And while that is totally against the law, the authorities consider it very difficult to detect and the feds rarely prosecute.
So have you ever been tempted to use one of these services? Has your email been hacked? Tell us your story. Give us a call: 800-989-8255. Email us - the email address, if you trust it, is talk@npr.org. You can also join the conversation on our Web site at npr.org. Click on TALK OF THE NATION.
Later this hour, Kunta Kinte and Geordi La Forge join us in the person of LeVar Burton, who just ended a 26-year run as the host of "Reading Rainbow." But first, Washington Post staff writer Tom Jackman joins us here in Studio 3A. His article, "Password Hackers Slippery to Collar" appeared Monday. And nice to have you on the program, Tom.
Mr. TOM JACKMAN (Staff Writer, Washington Post): Hey, Neal. Nice to be here.
CONAN: And you sort of backed into this hacking story by looking into the case of Elaine Cioni, right?
Mr. JACKMAN: That's right. I wouldn't call it backing in. I'd say leading in.
(Soundbite of laughter)
Mr. JACKMAN: But the lead in was something that catches the reader's attention.
CONAN: And in any case, this was a woman who was being brought up on charges. Well, it turned out that she had been a woman spurned and had hacked into her boyfriend's email account.
Mr. JACKMAN: She had, in fact, done that. Actually, she hadn't hacked into it. She'd hired somebody to do it, and that was what was interesting to me, is that there are these concerns, these businesses out there, probably overseas, who say that for Web-based email, you give them $100, and they will give you the password of whatever email address you want. And off she went from there. She hacked - she purchased the password for her boyfriend, then she purchased the password for his wife, then she purchased a password for his other girlfriends and then for his kids, and from there started harassing him and the feds got involved.
CONAN: And court records show that they were totally unaware that this woman was reading their email.
Mr. JACKMAN: They only knew because she then started making phone calls and using another fascinating online service called Spoofing, in which you can disguise your voice. And so, when she would call the victim, the man, she would call as a man's - in a man's voice, because the service will do that. And in her conversations, she made it clear that she had information that you'd only have if you were reading a guy's email.
CONAN: And, in fact, she's being prosecuted, as I understand it, not so much for the hacking but for - using the phone.
Mr. JACKMAN: It's both. She was charged with both unauthorized use of a computer and the harassment, and she got convicted of both.
CONAN: And what does she face?
Mr. JACKMAN: She is now in prison, doing a 15-month stint for all of the above.
CONAN: And these sites, as you looked at them - and I know you called some federal authorities about them. You gave us their names, we went to their sites
Mr. JACKMAN: Right.
CONAN: and there
Mr. JACKMAN: They are.
CONAN: there they are
Mr. JACKMAN: Right.
CONAN: just ominous music and for a hundred bucks, we'll hack anybody's email account for you.
Mr. JACKMAN: It's true, and I'm no great technology wiz. So if I can find it, anybody can, and there are pages of them and they claim - erroneously - to be legal on some of these sites. And they claim that they're doing noble work because they're allowing you to save your marriage or check on your child or do many of the altruistic things that you might have as a motive for hacking into someone's email without their permission.
CONAN: And when you talked to people about why the government does not prosecute these people?
Mr. JACKMAN: Well, the government isn't anxious to talk about that, which leads me to believe that they - maybe they don't have the resources. They also point out they can't police the Internet. The Internet's pretty big. There are a lot of illegal things going on, on the Internet, many of which used to happen on Craigslist. And so, they have to take specific cases and follow them when they know of them. And in the case of this woman, they were made aware of the fact that she was hacking in and using the Spoofing services, and they were easily able, through subpoenas, to track the IP numbers of the computers that were used straight to this woman. And once they dug into it, they didn't seem to have much trouble figuring out who was where.
CONAN: But as to the services used, you said they are probably overseas and probably out of reach.
Mr. JACKMAN: Well, there are law enforcement agencies overseas. I mean, bad guys are caught in other countries with the help of, you know, cooperation between agencies. And that's presumably what Interpol is there for and all sorts of other, you know, non-American law enforcement, and so it can be done. I guess it's a question of do you want to spend the resources on a guy sitting at a computer if he isn't causing maximum damage? And some people discussed, well, if it's not causing big financial harm, it's not causing national security harm, where does it fall on the list of priorities of things for law enforcement to chase? And people that are hacking into each other's emails to see who's sleeping with who probably falls a little bit farther down on the priority list.
CONAN: And, at least as far as your sources told you, that seemed to be the number one interest.
Mr. JACKMAN: The hacking for
CONAN: See who is sleeping with who.
Mr. JACKMAN: sleazy purposes? Yeah, definitely.
CONAN: Yeah. Yeah, right. 800-989-8255. Email us: talk@npr.org. Tom Jackman is a staff writer for The Washington Post, and we want to know if you've been tempted to use one of these services, or if so far as you know, anybody has used them against you to hack your email account. Aaron's on the line calling from Sacramento.
AARON (Caller): Hi, how are you doing?
CONAN: Good, Aaron.
AARON: Good. Yeah, I - my ex-girlfriend did that. I think it was just purely out of spite. She went ahead and canceled two international flights, as well as two connecting flights from Heathrow when I was trying to see my new girlfriend. And I don't know if she wound up just taking the time to figure out what my password was or if she went ahead and used one of these services, as well. But I'll tell you, it was definitely a nightmare for me. I had to cancel all my accounts, both email and bank accounts, things of that nature because, of course, I had, you know, personal information throughout my entire email.
Mr. JACKMAN: Did she use your email to do those cancellations?
AARON: Yes, she did.
Mr. JACKMAN: Ah-ha.
CONAN: And this was nothing you had provided her earlier in the relationship when things were better.
AARON: No, absolutely not. Absolutely not. So, that's what remained - and that's how it remained to be such a big mystery, is I don't know if she spent the money to have this done or I don't know what process she used to do this, but it was definitely a nightmare, I'll tell you that.
CONAN: Did you try to press charges?
AARON: You know, I did, and it was going to - and they said it would be a civil matter, and it would wind up costing me more time and money than it would probably be worth. And I just figured for something that minor, at least I wasn't stuck, you know, at Heathrow, and I figured out then my flight was canceled. This all happened, and I found out before even I left the States. So I got - I was very fortunate in that regard. But I figured, you know, just, you know, let sleeping dogs lie and be done with it.
CONAN: And obviously, changed your email account.
AARON: Yes, sir.
(Soundbite of laughter)
CONAN: Right, Aaron thanks very much.
AARON: Hey, thank you.
CONAN: Bye-bye. Joining us now from member station KQED in San Francisco is Jon Erickson, the author of "Hacking: The Art of Exploitation." He has been hacking and programming since he was five years old. Nice to have you on the program with us today.
Mr. JON ERICKSON (Author, "Hacking: The Art of Exploitation"): Hi, Neal.
CONAN: And how is it - how easy is it for these companies to offer these services that guarantee, in fact, they get no money until they have provided you evidence that they have, indeed, hacked the password.
Mr. ERICKSON: Well, I think the key point here is that a lot of them are free public email services, like Gmail or Yahoo, and they just make money off advertising. So, their biggest incentive is to make it easy for someone who forgets their password to recover it, not to make sure that everyone's email is secure.
CONAN: So, by making it easy for - they will provide the clues, for example, so you can log on as long as you have the name of the account. You can log onto somebody's Yahoo or Gmail account, and it'll give you a prompt saying: Did you forget your password?
Mr. ERICKSON: Yeah, it's the way Sarah Palin's email was hacked was there's password recovery questions, where they ask you a super-secret question, like hers was: Where did you meet your true love? And then the guy was just able to Google for the information about where she met her husband, and the name of the high school was the password reset question.
CONAN: So, again, with Google and a little ingenuity and a little patience, you can find these things out. People often use, for example, their birth dates and stuff like that.
Mr. ERICKSON: Yeah, there's also a lot of other ways they might do it. They could just brute-force the passwords.
CONAN: What's that?
Mr. ERICKSON: You just try every password.
CONAN: Oh, you have a computer just try every combination of letters and numbers?
Mr. ERICKSON: Exactly.
CONAN: This could be a time-consuming process.
Mr. ERICKSON: Yeah, but a lot of hackers have botnets, which is just a whole bunch of systems set up that they can just set it a task and let it go, and Gmail has POP access and IMAP access, which are other ways to access the email. And if you have those turned on, it doesn't really limit the times you can try.
CONAN: And I wonder, is this is a lucrative business, do you think?
Mr. ERICKSON: Well, there's definitely an organized-crime aspect to this, I think, and they're trying to monetize their skills and botnets any way they can. So if they can get a few people this way, that's perfect. I actually checked out that site, and if you check, like, try all the links, a lot of them are just 404s. So
CONAN: What are 404s?
Mr. ERICKSON: There's no page, nothing there. It's just - like, they just whipped up a page really quick and see who Googles for it, and enters in their emails.
CONAN: Is that yourhackerz?
Mr. ERICKSON: Yeah.
CONAN: Yourhackerz? OK. Yeah, well, we Googled - we went on that site today, and it was there.
Mr. ERICKSON: Oh, yeah. Try all the other links, like the about and, like, all the other links off the main page, and
CONAN: And I wonder, do you suspect that Tom Jackman is right - at least his sources are right - and that these people are overseas?
Mr. ERICKSON: Yeah, I suspect so.
CONAN: And a lot of these - well, the botnets that do spamming and that sort of thing, I guess this is a case of more American jobs being shipped overseas.
Mr. ERICKSON: Well, I think they make their own jobs.
(Soundbite of laughter)
CONAN: I see. And there's a lot of incentive for people in a place like Central Europe. Well, you hear a lot of these people are from Russia or Ukraine or from Estonia, Latvia, the Baltic states.
Mr. ERICKSON: Yeah, honestly, for a lot of those people, that's their high-paying tech job. That's the only tech job they can get there, so
CONAN: So there's no necessarily Silicon Valley in Riga or in Moscow.
Mr. ERICKSON: Right, right.
CONAN: So - and these sites are set up, and I suppose that they are relatively disposable. Once some, you know, legal action or anything else happens, you can set up a new site fairly quickly, and again, anybody who wants to Google one of these things can find it fairly easily.
Mr. ERICKSON: Yeah, absolutely. Yourhackerz actually goes to, like, something-something-cracks.com. So it's - there's a whole Web of stuff. Those are just, like, sort of front pages.
CONAN: And is this risky?
Mr. ERICKSON: For an individual to do, or
CONAN: Yeah.
Mr. ERICKSON: Yeah, of course it is.
CONAN: That kid in Tennessee is facing, I think, a couple years in prison.
Mr. ERICKSON: Oh, yeah. I guess there's that, but also, you can just get scammed by them.
CONAN: Ah, so if you signed up with one of these companies to get your ex-husband's email account, you could get a - end up being scammed.
Mr. ERICKSON: Yeah. Also, what's really popular now are browser-based exploits. Because firewalls became so popular, it's hard to just attack someone's computer. So what they do is they send you a link, and then you follow the link, and then the Web browser has a vulnerability, and if you don't have your Web browser updated to the most up-to-date version, they can run code on your computer and take it over without you knowing.
CONAN: And all of a sudden, you're part of the botnet, among other things.
Mr. ERICKSON: Yeah, and key-loggers, also.
CONAN: Oh, it'll trace every keystroke you make. So then it can get into your bank account and all - anything else.
Mr. ERICKSON: Yeah, or hack into other places.
CONAN: We're talking about how easy it can be to hack into your email account and, as we just learned, into other places, as well. Stay with us. I'm Neal Conan. It's the TALK OF THE NATION from NPR News.
(Soundbite of music)
CONAN: This is TALK OF THE NATION. I'm Neal Conan in Washington. Phishing, infected Web sites, hired hackers, all kinds of ways to steal a password or hack into someone else's accounts. It can be lucrative. It can also land you in jail, though not as often as you might think.
Have you ever been tempted to use one of these services? Has your email been hacked? Tell us your story: 800-989-8255. Email us: talk@npr.org. You can also join the conversation at our Web site. That's at npr.org. Click on TALK OF THE NATION.
By the way, we're getting news reports about an airplane hijack in Mexico. An Aeromexico passenger plane was hijacked at the airport at the resort of Cancun and flown to Mexico City, where it's sitting on the runway. And you stay tuned to NPR News for more on that story as it develops.
Anyway, our guests on this hacking program are Tom Jackman, a Washington Post staff writer. He wrote the article "Password Hackers Slippery to Collar." We have a link to that article at npr.org. Click on TALK OF THE NATION. And Jon Erickson, who wrote the book "Hacking: The Art of Exploitation." He works as a vulnerability researcher for VMware. He's with us from San Francisco.
Let's see if we can get another caller on the line. This is Jerry, Jerry with us from O'Fallon in Missouri.
JERRY (Caller): Good afternoon. Not to make your audience completely paranoid, but a very good friend of mine within the last two years had her old-fashioned postal mailbox, someone broke into it, and with the technology available, was able to duplicate her checks and thus gain access to her account. So
CONAN: This - her post office box.
JERRY: This was her outgoing mailbox on a day that she had payments in the mail. But, of course, the technology of copying these days is to the point where, you know, physically copying a document, that they were able to duplicate her checks. And, of course, she was only out the money a short period of time. But just - as I say, not to say that there's no safe way to transfer money, I've been doing online banking for probably the last half-decade without a single incident. Maybe I'm naive, but
CONAN: Well, maybe. Otherwise, we're just going to be carrying bags of pennies around to pay off our bills, yeah, right. Jerry, thanks very much.
JERRY: Thank you.
CONAN: Bye-bye. Here's an email question from Monica. Email hacking not only puts personal info at risk, but also financial information. For example, passwords are emailed. Should I stop using my Internet banking, bill-paying, etcetera? Jon Erickson, what do you think? How vulnerable is she?
Mr. ERICKSON: Well, it's okay to be careful about using free email services for those, to link all those banking accounts to. But if that's the only service you have, just make sure that you don't use the same password you use on all your other sites because that's another big thing, how people get gotten.
CONAN: That is frequently, the same password you use for your email account is the same password you use for your bank account, for a number of other things.
Mr. ERICKSON: Right, for all the social Web accounts you might have.
CONAN: Because all of us find it hard enough to remember one password.
Mr. ERICKSON: Yeah, and there's so many of them that if someone's able to hack one and you've got it linked with the same email, it's really easy for them to go try it on your email.
CONAN: Let's talk next to Pete, Pete with us from Lacrosse in Wisconsin.
PETE (Caller): Hi, Neal. Hey, here's a solution from yesteryear that might be still applicable, and that is in the bad old days, when I would log on to a mainframe computer system, it would tell me right away when I last logged on and when I last unsuccessfully tried to log on. So I could look at that information and say oh, geez, I wasn't on at four o'clock this morning. Someone must be trying to hack my account or, you know, look at a bunch of unsuccessful logon attempts and say, you know, something's wrong here. I need to beef up my password. But nobody provides that information anymore. Why couldn't we do that?
CONAN: Jon Erickson?
Mr. ERICKSON: I think it's because not everyone is so attentive to that. I mean, a lot of those places certainly could, but again, they're providing it as a free service. So their key interest is just, you know, getting a lot of users so they can do advertising or, you know, monetize their presence or whatever.
CONAN: Mm-hmm. Tom Jackman?
Mr. JACKMAN: I had a question about whether or not work-based emails that aren't necessarily Web-based. Somebody who has their email through work, is that significantly more secure, or is that also just as vulnerable?
Mr. ERICKSON: I would say it's more secure, but it's still vulnerable to - if someone installs a key-stroke logger on your machine, it's still vulnerable if you - if there's a Web-based login and you store your passwords in the browser.
CONAN: Remember me, that sort of thing.
Mr. ERICKSON: Yeah, exactly.
Mr. JACKMAN: Gotcha.
CONAN: All right. Pete, thanks very much for the call. Here's an email from Julia in Grand Rapids. My husband's email account and PayPal account were simultaneously hacked by a person in, supposedly, in Vietnam. The only reason we noticed was because there was a $1,500 pending charge on our bank account. We discovered that we were apparently purchasing a large amount of camera equipment and that we wanted it shipped to an address in Ohio. We found the hacker had created filters in my husband's email account that disabled all notifications from PayPal as to who had emailed to let him know that his PayPal account had been hacked.
We've quickly learned to never have the same password for multiple online accounts. Good things can never come from that - again, reinforcing the advice we just heard from Jon Erickson.
Let's go next to Greg, Greg with us from Boise.
GREG (Caller): Yes. I had a church group actually hack my email. We had a dispute in a church, and, you know, it was simple stuff like, you know, the nature of God. But they didn't like me, and so I knew a lot of people at the church, and they started pretending to be me by spoofing my email, eventually sent me an email that I responded back to using a password-hacking virus. It was a password-harvesting virus, and then eventually pretended to be me, where I had to actually get rid of a lot of my different emails, my parents' emails.
CONAN: And all of this developed from arguments over how many angels dance on the head of a pin, that sort of thing?
GREG: That sort of thing, yes.
CONAN: We remember that many of our longer wars and uglier ones were based on disputes over doctrine. So - well, Greg, did you finally resolve the situation?
GREG: Well, I just changed all my emails over and eventually found out most of the people that were involved and stopped talking with them. They ended up costing me a couple of business deals and things like that.
CONAN: And again, did you try to
GREG: I had to sever ties, basically.
CONAN: Did you try to press charges?
GREG: You know, I called. The police said it would be hard to prove, and they just didn't want to spend the time.
CONAN: Thank you very much for that, Greg. And Jon Erickson, I wanted to ask - I know Tom has a question for you, too - but a password-harvesting virus, what is that?
Mr. ERICKSON: That's what I was talking about before, a keystroke logger. It's usually something that will get installed on your machine through a browser, probably. You know, you'll click on some link, and it'll, if your browser isn't up to date, it'll install a hidden keystroke logger that'll just log everything you type and then send it to whoever, to some drop zone.
CONAN: So the most up-to-date versions of Firefox or, you know, whichever, Explorer or whichever browser you use, will have protections to block these, but the old ones won't.
Mr. ERICKSON: Yeah. And basically, every time it gets updated, it's because someone found some new vulnerability, and they need to update it so people can't break into
CONAN: If you're notified that there's a new version available, you should make sure to download it.
Mr. ERICKSON: Definitely.
CONAN: Uh-huh. Here's an email question from Elizabeth in Massachusetts. Are Mac computers just as vulnerable as PCs, and how can you tell if your computer has been compromised?
Mr. ERICKSON: So Mac computers aren't necessarily more secure, but because they have a smaller market share, they're not targeted as much because if you don't - if you're just giving someone a link that will install a password-harvesting program or a keystroke logger, you have to guess what system it is or do multiples for the Mac OS and the Windows. And if most people are Windows, you can just hit as many people as you can with that, and half the effort.
CONAN: Tom Jackman?
Mr. JACKMAN: I was going to point out that the way that a lot of people get suckered into this is they get an email from someone they don't know, and it provides them a link. Often, a greeting card is the most common one. Joe Dokes(ph) has sent you a greeting card, wishing you a happy Tuesday. And you click on that, and that one click is the death of your email because that then installs all these various malwares that we've been hearing about that will then swipe your passwords.
CONAN: Mal as in bad-ware.
Mr. JACKMAN: Bad, correct. Thank you for translating.
CONAN: Okay. It's my job sometimes. All right, let's go next to T.C., T.C. with us from Phoenix.
T.C. (Caller): Hello?
CONAN: Hi, you're on the air. Go ahead, please.
T.C.: I'm a first-time caller.
CONAN: Oh, thank you for that.
T.C.: Anyway, I just wanted to say, Neal, that I listen to your show all the time. By the way, I'm a big fan.
CONAN: Thank you.
T.C.: And, by the way, I think the (unintelligible) that are doing these viruses and everything that you're talking about, being able to break into people's accounts and everything, I think it's college kids that are doing that and everything because I'm a college student myself. I go to Phoenix College myself, and I study criminal justice a lot, and I've learned about a lot of these viruses, like almost 99 percent of these viruses, are usually created by college kids or people who have been to college and have learned all the trades and everything.
And I've actually noticed, too, that when I'm actually in the computer lab and everything, and I notice all these kids sitting around and everything, I actually notice that they're doing all kinds of things. And sometimes these computers aren't even monitored, too, and a lot of these computer classes that I've actually sat in on and listened to, and they've actually taught people how to make viruses because that's the whole point of the class, how to protect yourself against viruses. Sometimes, in order to protect yourself against a virus. And sometimes not only to protect yourself against the virus, but sometimes how to know how some of them are made.
CONAN: Yeah.
Mr. JACKMAN: They should shut down a lot of colleges, don't you think?
(Soundbite of laughter)
CONAN: I don't know. Jon Erickson, I think you were one of those college students, were you not?
Mr. ERICKSON: I was. I believe knowledge is power and it's just important to learn about those things. Granted there probably are a lot of college kids that are dabbling in this stuff, but I don't think it's as malicious or profit-oriented as, you know, paying someone. And I think a lot of the - just because people are paying for it is why it's probably associated with organized crime overseas.
CONAN: What is the - what was your motive when you were doing it, Jon?
Mr. ERICKSON: Just exploring. Figuring stuff out, like, oh, I can do this. It's pretty - didn't know if I could.
CONAN: Is it too strong a word to say power?
Mr. ERICKSON: Well, no, just power. So yeah.
CONAN: Knowledge is power, yes. So it was a sense of, I can actually affect something. And then the ability - I think there's a difference between - and by the way, T.C., thanks very much for the phone call. I think there's a difference between people who are saying, send us $100 and we'll get your ex-wife's, you know, email account password, difference between those people and those who's saying, let's see if we can bring down the Pentagon.
Mr. ERICKSON: Yeah. Yeah, definitely, there is probably a difference. And also, there's a difference between those two and also just the college kids that the caller was talking about.
CONAN: Sure.
Mr. ERICKSON: just trying to get into their boyfriend or girlfriend's email
CONAN: And how often
Mr. ERICKSON: for personal reasons.
CONAN: Do you know people who have been prosecuted for - and ended up in jail for violations like that?
Mr. ERICKSON: Well, not for email, but a friend of mine actually got - put away for nine years for something.
CONAN: Something.
Mr. ERICKSON: It was a big issue. His name was Brian Salcedo. He went by the handle XDR.
CONAN: And this is a celebrated case?
Mr. ERICKSON: Yeah. If you Google for it, you can
CONAN: Or notorious depending on your point of view?
Mr. ERICKSON: Yeah. If you Google for it, you can find a lot of information about it. There's a lot of weirdness to it.
CONAN: Jon
Mr. ERICKSON: It's probably - yeah - more detailed than we can go into now.
CONAN: All right. Well, Jon Erickson is a vulnerability researcher for VMware. He's gone to the other side, switched his black hat for white. And he also is the author of the book "Hacking: The Art of Exploitation." Also with us Tom Jackman, who was our entree into this story through a piece that he wrote for The Washington Post called "Password Hackers are Slippery to Collar." And you're listening to TALK OF THE NATION from NPR News.
And here's an email from Richard(ph) in Belmont, California. I suggest people find and use a password manager such as RoboForm. A password manager will allow you to generate very long passwords composed of random characters. I have hundreds of such passwords. I have no idea what they are, but that doesn't matter. My password manager keeps them in heavily encrypted form and plugs them in as appropriate. In addition, passwords do not go through the keyboard buffer, so they are invisible to keystroke loggers.
And is that kind of security, A, does it work, Jon Erickson, and, B, is it advisable?
Mr. ERICKSON: Yes. Something like that will work for sure. One thing that I do is I generate - I've got an algorithm that I use to generate different passwords for every site. And that basically does the same thing, but it just does it in a program.
CONAN: And though these are very long and complicated passwords, you don't have to remember them or write them down anywhere.
Mr. ERICKSON: Exactly.
CONAN: Oh, that's cool. Here's another email. This from Lee(ph) in Phoenix. How can you tell if somebody has hacked into your email account, presumably when you get the bill for $1,500 worth of camera equipment?
Mr. JACKMAN: I found that the people in the case that I wrote about did have some problems once in a while with logging in, but they just figured, oh, you know, it's the computer, it's AOL, I'm having problems, and I'll just change up. But some people had no clue whatsoever. And there isn't a way to tell.
Mr. ERICKSON: Yeah, I agree.
CONAN: Let's go next to Jimmy(ph). Jimmy with us from Winston-Salem in North Carolina.
JIMMY (Caller): Hey, what's going on, you all? I'm a DBA and I have actually a little bit more complicated question than just about password hacking. I mean, I think that a lot of us can be defeated by the traditional admin policy of something you have and something you know. I mean, you know, maybe we should issue people cards or some kind of security encryption protocol to allow them to have an actual token to allow them to log in to things like passwords.
But on a more interesting - or more - a broader scale, I would ask, you know, in the early days when this would happen, we had CERT that would handle a lot of these cases. And I'd like to know, you know, if international law is trying to empower some of these things so that we - (unintelligible) like CERT that would be handling some of the more complicated questions of hacking and penetration of larger systems
CONAN: I have to interrupt, Jimmy, to ask you a couple of quick questions. What's a DBA and what is CERT?
JIMMY: Oh, I work on Oracle Systems and CERT is the Computer Emergency Response Team that was set up to deal with this in the early days. And I believe it's probably overwhelmed by now because you have so many different kinds of identity hacks and things like that. But at a more fundamental level, you have places like Nigeria and China where these guys are celebrated as rock stars.
And I think that when it comes back around, you know, until we get to the core issue of what to do about people who have no motivation not to do this, you know, that are offshore and able to use 15 or 20 proxies to get to you, you know, in the end, where do we end up if we can't do anything about people that aren't actually physically located in the United States?
CONAN: Well, that's a question I'm not sure either of our guests can answer, but
Mr. JACKMAN: Those are the big questions. Absolutely.
CONAN: Those are big questions. Jimmy, thanks very much. Go ahead. I'm sorry, Jon.
Mr. ERICKSON: Oh. On two-factor authentication it - one thing that I touched on earlier was that a lot of these free email services are exactly that. They're just free services. And so, with that economic model, there is no way they can issue tokens to everyone. And also for following up on, like, legal recourse, again, a lot of these are individual companies that are being hacked and it's just their free accounts that are being hacked. So to them, it really doesn't matter. But if you're a personal - you know, it's your personal email, of course, it matters to you. But to them, it's just, whatever, data and maybe their reputation.
CONAN: And, Tom Jackman, I want to end - after the publication of the piece Monday in The Post, have you gotten any response, people saying, you know, wait a minute. Why are you advertising these people and putting their Web sites into your newspaper?
Mr. JACKMAN: I expected that. And no - and I don't know why. I mean, people were troubled by the availability of these services and their susceptibility to being hacked, but no one raised the issue, which we definitely thought about, about giving publicity to these folks. And I reached out to these hackers in hopes that one of them would, you know, provide me with some insights into why they do what they do, but nobody responded.
CONAN: No comment. Won't confirm or deny.
Mr. JACKMAN: That's right.
CONAN: Exactly.
Mr. JACKMAN: Could not be reached.
CONAN: Tom Jackman, thank you very much for your time today.
Mr. JACKMAN: You're very welcome.
CONAN: Tom Jackman, a staff writer for the Washington Post. He joined us here in Studio 3A. There's a link to his piece that appeared in the paper at npr.org. Just click on TALK OF THE NATION.
And, Jon Erickson, thank you for your time, too.
Mr. ERICKSON: Thanks a lot, Neal.
CONAN: Jon Erickson with us from our member station in San Francisco, KQED. His book is "Hacking: The Art of Exploitation." He's also a vulnerability researcher for VMware.
Coming up, we're going to be talking with LeVar Burton who, of course, starred as Geordi La Forge, the guy with the visor on "Star Trek: The Next Generation." He's the longtime host of "Reading Rainbow" as well. Stay with us. It's NPR News.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.