Taken from “The Sunday Business Post Online” www.sbpost.ie
Cib Cover Story Confessions of a hacker
Dublin , Ireland, April 1, 2001

Mathew Bevan was known as Kuji, hacker extraordinaire, probing everything from company ceo’s files to US military bases. The Pentagon described him as “the number one threat to US security”. One day men in dark suits arrested him and he faced charges that might have sent him to jail for 15 years

This, in his own words, is his story.

I cannot help being a hacker. I have always been clever and resourceful. Later on, I became addicted to the adrenaline of electronically rifling a chief executive’s files or looking at the latest space station plans at NASA. In the months leading up to my arrest, I was described by a Pentagon official as “possibly the single biggest threat to world peace since Adolf Hitler”. Then, I faced 15 years in prison.

But first I would like to tell you about my background. I believe it will help you understand why I became what I am. This is my story.
I was 12 when I first got a computer. I was given a Sinclair ZX81 and a subscription to some computing magazines.

When I was 12, I was a nerd. I was beaten and bullied almost every day of my young school life. Through my latter school years the physical abuse was replaced with name-calling and other mental abuse.

Later on, I realised that it was this time in my life which proved the precursor to my hacking.
Like most nerds, I upgraded my machine as often as I could. At the age of 15, I bought an Amiga 500. To me, the Amiga was a piece of computing genius. Not only did it have better graphics than any PC, but also had four channel stereo sound, something that would prove useful in the months to come.

My first revelation was in discovering bulletin boards. A bulletin board was what would be described as a usenet chat forum today. Except it was much more basic. And much less regulated. My friend gave me his 2,400 baud modem and, for a month, I called every BBS (Bulletin Board) number I could get my hands on.

At the end of the month, my mother showed me a ?400 phone bill. She said she never wanted to see a phone bill like that again. From that point onwards, she never did.

I began learning about manipulation of the phone system. Not only could I make free calls, but I could obfuscate call origin. Like every aspiring hacker, I wanted to be anonymous. I found I could do so by diverting the call through several countries before reaching my destination.

I had the ability to call anywhere in the world for free and be untraceable. I was given the number to a bulletin board in Belgium called Sin City. It was a hangout for electronic deviants. I met people on that bulletin boards who were interested in the skills I had accumulated on the phone system. As a trade for that information they gave me documents, files and other information to break into computers.

Then, hackers were free with their information and less wary of the law. Then, there was no such thing as a Computer Misuse Act (British legislation) and hackers could see no harm in anything they were doing. (Today, we face longer prison sentences than those who have committed the most heinous of crimes. We can now be dealt with under the new [British] anti-terrorist laws putting our crimes above that of murder.)

So I began to make friends. I was able for the first time to interact with people all across the globe. These people wanted nothing more than to share interests and as a result we became good friends, even though I would only ever actually meet a handful of them in person. Here, in the computer realm, I was strong and fearless, even if I felt scared and powerless in real life. I would get up and go to school, hate it, return home and get on the internet until about 4am or 5am. Then I would sleep for an hour or two and repeat the cycle.

I began taking the path of the computer mis-user very quickly, and it was not long before I was breaking into all sorts of machines, big and small. I did it purely because I could. One way of describing it is in relation to the curiosity that a parent feels when they find their child’s diary. They know it is wrong to read it, but something inside is just too inquisitive.

Hacking is like that in many ways. You know it’s wrong but the excitement, the rush of being in a powerful institution’s files is overwhelming. That is where the addictive nature of hacking can take hold. You feel the rush once — you want it again. And again. And again.

I cannot actually remember the first; I hacked so many machines in quick succession that the specifics elude me for all but the most memorable.
But this was soon to come.

I hacked everything I could, but there was something lacking; I wanted a direction. I found that needed direction on a bulletin board based in Australia. The bulletin board was called Destiny Stone and was run by a phone phreaker called Ripmax. A phone phreaker is a term for someone who hacks at systems using a phone connection. Ripmax had ended up on the wrong side of the law. What I found on his system were hundreds of documents about UFOs, government cover-ups and conspiracy theories.

I became interested. At that time, a hacker publication called PHRACK released a story about the alleged disappearance of 40 hackers. They had been targeting military systems to try an uncover the truth.

PHRACK printed the names of the bases that were thought to have been the targets by the missing group. I noted all of the military bases that were named in the various UFO documents I had downloaded.

I then began a systematic attack on each of the ones I could find with online equivalents. I had many jump-off points with which to attack these military bases. I thought I was safe.

I had already broken so many other systems, corporate, educational, and government contractors that it would be easy to find routes into the systems.

I was naive. While I was penetrating the different bases, four thousand miles away a group of high-ranking military personnel from the Air Force Office of Special Investigations (AFOSI) and Air Force Information Warfare Centre (AFIWAC) were gathered around a few computer terminals at Griffiss Air Force Base in Rome, New York.
This group, I learned from later reports (and three subsequent US Senate enquiries), were `hacker trackers’. They monitored all activity including keystrokes within the network and they were watching a particular chain of events closely. Over the preceding days, they had been following the activities of two hackers, Datastream Cowboy and Kuji, who had penetrated numerous sensitive computer systems belonging to the army and Air Force.

They discovered via an informant on an Internet chat system, IRC, that Datastream Cowboy was a 15 year old English boy. Shortly afterwards, a boy, Richard Pryce was arrested by the Metropolitan Computer Crime Unit, in England.
For legal reasons, I must be careful now about how I continue. The other hacker was deemed more elusive and wily and the only thing the group had to go on was his handle Kuji. Little was known about this hacker. Kuji had been spotted on an Australian bulletin board by investigators but that is where information ran dry. Investigators said that Kuji would stay online for only short periods of time, never long enough to be traced successfully.

The investigators said that while Datastream Cowboy made mistakes, Kuji seemes flawless in his technique. They would observe what they believed to be Datastream Cowboy attempting to attack a site, fail, talk to Kuji and a minute later successfully get in.

They concluded that Kuji was far more sophisticated and had financial motives. They decided that Kuji was a spy, tutoring the younger Datastream Cowboy in exchange for military secrets. It did not occur to them that the culprit could be an 18 year old kid living in Cardiff with very little stashed under the floorboards.
In the following year, Kuji became the subject of unprecedented comment and speculation. The story of the hacking broke. US Senate enquiries ensued. One pentagon official described Kuji as “possibly the single biggest threat to world peace since Adolf Hitler”.

One year later, a year after Pryce’s arrest (he was later fined ?1,200), a tip-off to the police identified ‘Kuji’ and subsequently I was arrested at work.

At the time, I was working in the IT department of an Insurance company and was fixing the MD’s computer. A group of dark suited men walked into the office. I was read my rights and arrested for various computer crimes against NATO, NASA, the US Air Force and other military installations.
I had a suspicion they might find me, but believed that due to them looking for a spy the chances were slim. My reaction was one of calm. I had read reports of Pryce’s arrest and was aware that he had broken down in tears. Reports had claimed that he began shouting “God, what have I done”. I did not want that to be held against me.

I was taken to the local police station for questioning and charged with conspiracy under the (British) Computer Misuse Act.
For the next 18 months I was prosecuted and underwent preparation for a trial which could have sent me to prison for 15 years.
I maintained throughout that any hacking I had done was on my own. There was no conspiracy. My argument was that I was in competition. As such I refused to accept any deals with which the prosecution offered based upon conspiracy.
In addition, conflicting information regarding sensitive information held on the sites and various other technical faults affected the prosecution’s case.

By the time the prosecution realised there was no conspiracy, they had run out of time to charge me with the other original offence, unauthorised access. This left them with only three more serious offences including unauthorised access with intent to impair the operation of the computer. This was nonsense. I would never wish to impair a machine I am having fun using to attack other machines.

The case was finally decided before going to trial with the prosecution offering no evidence. That meant a full acquittal with not guilty verdicts recorded. The British Crown Prosecution Service held that it was not in the public interest to prosecute me. They estimated the cost of a four month trial at ?10,000 a day plus the cost of bringing high ranking military personnel from America.

Looking back, I now believe that my case was not about hacking, but an exercise in propaganda. In the same year that a handful of hackers were caught, there was an estimated 250,000 attacks on computers in the US Department of Defence.
It was a prime target. I believe it was no coincidence that when the Senate was being asked for money to fund protection against Information Warfare, a case study appearing to proving their point fell in their laps.

But I am not bitter. I have respect, now. I am not bullied anymore. I will not attack your company anymore. I now work on the right side of the law as a computer consultant, mainly work performing penetration tests. I also volunteer my time and technical ability to www.antichildporn.org.

But I am still a hacker.

Mathew Bevan can be reached at hacker@kujimedia.com or www.kujimedia.com