Sure, it's legal. Why wouldn't it be? You have these people who are hiding their true identities while they're getting ready to commit felonies against you. So if you can assume your own hidden identity and somehow convince them not to proceed, I don't see what the problem is. This may come as a shock, but if I were to represent myself as being from AntiOnline.com, there aren't a whole lot of people who would want to talk to me about what they're doing. So what we try to do is simply play the culture against itself. The culture inherently is built upon people seeking to protect their anonymity. But what that means is that disguises are the norm. So when yours is convincing enough, you can fit right in.

But when operating under this assumed identity, I take it you're not only gathering intelligence but also fomenting dissent.

Why not? A perfect example was when we were trying to break the CD Universe case. What we managed to do was invent people who were part of the scam. And we invented people who could make buys as well as people who could sell, and the whole nine yards. That gave us a way to monitor potential suspects for a while until we could find out what they liked, what they disliked, what their political beliefs were, what sort of jargon they used and all the rest of it. Then, using that, we were able to create a best friend for them who believed the same things, talked the same way and could quickly gain acceptance.

These sound like classic police techniques, only applied in cyberspace.

Absolutely. Basically, we caught the guy who did the CD Universe hack [in which 350,000 credit card numbers were made public] in much the same way an FBI agent would bring down a drug ring. The techniques are classic, but they're not used very often in the digital realm. There are a lot of adaptations that need to be made, of course. And you really need to understand the culture -- just like the people who do undercover work for the FBI need to know a lot about the gangs they intend to infiltrate.

And clearly most cops don't have a clue when it comes to the Internet -- which leads me to wonder what's going to happen once somebody begins to engage in some real cyberterrorism. Is our so-called New Economy ready for that?

Real cyberterrorism? No way. We're not ready for that. And I think the best evidence of that came from something called Project Eligible Receiver, which was sponsored by the DOD [Department of Defense] and carried out by the NSA [National Security Agency]. The NSA hackers managed to gain access to systems which they could have used to shut down the entire Pacific command fleet, shut down a significant portion of the nation's power grid and basically send the whole country into a spin. So I think that shows pretty conclusively that we're vulnerable. But at least we recognize that and are taking steps to try to mitigate that vulnerability.

And what do those steps entail?

You know, the No. 1 thing is education. With any given network, the weakest security link is always the end-user. So when the Melissa virus was making the rounds, the word went out telling people not to open up e-mail attachments. And that stopped the spread of the virus cold in its tracks. Some people still have to be told not to give out their password when somebody calls, no matter who they represent themselves to be. In the DOD, one of the biggest security concerns has to do with what we call "slippage," which happens whenever data coming from a secured, classified network finds its way onto an unclassified network.

So data slips really do sink ships?

Yeah. Write that one down. As you know, a certain former CIA director has already been called on the carpet for that very thing.

But in any event, isn't network security something of an oxymoron?

Yes. We live in extraordinary times. Security right now is a folk art. It really is. If you hired four different security firms today and asked them to secure the same network, each would come back with a different solution. And probably a year from now, each would be compromised in a different way.

Does that mean we're just a bunch of e-commerce lemmings about to take the plunge?

Yes, I'm afraid so. E-commerce right now is a very dangerous thing. After reading recently about online voting in Arizona, I've had recurring nightmares about electing President [Kevin] Mitnick. I mean, if everything else can be hacked, surely a voting system can be broken into. I think, in general, we're rushing forward much too fast. The Internet was originally designed for the free exchange of information between a large number of people -- scientists and researchers, mostly. Now, all of a sudden, the Internet has become commercialized. But it's still a long way from being industrial strength. So should you be nervous? Yes, very nervous.

The Free Software Project
Read Andrew Leonard's book-in-progress on Linux and open source -- and post your comments.