Chapter 4
Cops and Robbers
I walked into this classroom full of law enforcement officers and said, “Do
you guys recognize any of these names?” I read off a list of the names. One
federal officer explained, “Those are judges in the U.S. District Court in
Seattle.” And I said, “Well, I have a password file here with 26 passwords
cracked.” Those federal officers about turned green.
— Don Boelling, Boeing Aircraft
 
 
Matt and Costa weren’t planning an attack on Boeing Aircraft; it just turned out that way. But the outcome of that incident and others in their chain of hacker activities stand as a warning. The two could be the poster boys in a campaign to warn other kid hackers too young to appreciate the consequences of their actions.
Costa (pronounced “COAST-uh”) Katsaniotis started learning about computers when he got a Commodore Vic 20 at age 11 and began programming to improve the machine’s performance. At that tender age, he also wrote a piece of software that allowed his friend to dial up and see a list of the contents of his hard drive. “That’s where I really started with computers and loving the what-makes-things-work aspect of having a computer.” And not just programming: He probed the hardware, unworried, he said, about losing the screws “because I started out taking things apart when I was three.”
His mother sent him to a Christian private school until eighth grade and then to a public school. At that age his tastes in music leaned toward U2 (it was his first album and he’s still a big fan), as well as Def Leppard and “some of the darker music”; meanwhile his tastes in computing were expanding to include “getting into what I could do with phone numbers.” A couple of older kids had learned about 800-WATS extenders, phone numbers they could use to make free long-distance calls.
Costa loved computers and had a natural understanding of them. Perhaps the absence of a father heightened the teen’s interest in a world where he enjoyed complete control.
Then in high school I kinda took a break and I figured out what girls were. But I still always had my passion for computers and always kept those close at hand. I really didn’t start taking off with the hacking until I had a computer that could handle it and that was the Commodore 128.
Costa met Matt — Charles Matthew Anderson — on a BBS (bulletin board system) in the Washington state area. “We were friends for I think probably a year via telephone and messaging on these bulletin boards before we actually even met.” Matt — whose handle is “Cerebrum” — describes his childhood as “pretty normal.” His father was an engineer at Boeing and had a computer at home that Matt was allowed to use. It’s easy to imagine the father so uncomfortable with the boy’s preferences in music (“industrial and some of the darker stuff”) that he overlooked the dangerous path Matt was following on the computer.
I started learning how to program BASIC when I was about nine years old. I spent most of my teenage years getting into graphics and music on the computer. That’s one of the reasons I still like computers today — the hacking on that multimedia stuff is really fun.
I first got into the hacking stuff in my senior year in high school, getting into the phreaking side of it, learning how to take advantage of the telephone network that was used by the teachers and administrators to make long distance calls. I was heavily into that in my high school years.
Matt finished high school among the top 10 in his class, entered the University of Washington, and began learning about legacy computing: mainframe computing. At college, with a legitimate account on a Unix machine, he started teaching himself about Unix for the first time, “with some help from the underground bulletin-board and web sites.”

Phreaking

After they became a team, it seemed as if Matt and Costa were leading each other in the wrong direction, down the road of hacking into the telephone system, an activity known as “phreaking.” One night, Costa remembers, the two went on an expedition that hackers call “dumpster diving,” scouring through the trash left outside the relay towers of the cell phone companies. “In the garbage amongst coffee grounds and other stinky stuff, we got a list of every tower and each phone number” — the phone number and electronic serial number, or ESN, that is a unique identifier assigned to each cell phone. Like a pair of twins remembering a shared event from childhood, Matt chimes in: “These were test numbers that the technicians would use to test signal strengths. They would have special mobile phones that would be unique to that tower.”
The boys bought OKI 900 cell phones and a device to burn new programming onto the computer chips in the phones. They did more than just program new numbers; while they were at it, they also installed a special firmware upgrade that allowed them to program any desired phone number and ESN into each of the phones. By programming the phones to the special test numbers they had found, the two were providing themselves free cell phone service. “The user chooses which number he wants to use for placing a call. If we had to we could switch through to another number real quick,” Costa said.
(This is what I call “the Kevin Mitnick cellular phone plan” — zero a month, zero a minute, but you may end up paying a heavy price at the end, if you know what I mean.)
With this reprogramming, Matt and Costa could make all the cell phone calls they wanted, anywhere in the world; if the calls were logged at all, they would have gone on the books as official business of the cell company. No charges, no questions. Just the way any phone phreaker or hacker likes it.

Getting into Court

Landing in court is about the last thing any hacker wants to do, as I know only too well. Costa and Matt got into court early in their hacking together, but in a different sense.
Besides dumpster diving and phone phreaking, the two friends would often set their computers war dialing, looking for dial-up modems that might be connected to computer systems they could break into. They could between them check out as many as 1,200 phone numbers in a night. With their machines dialing non-stop, they could run through an entire telephone prefix in two or three days. When they returned to their machines, the computer logs would show what phone numbers they had gotten responses from. “I was running my wardialer to scan a prefix up in Seattle, 206-553,” Matt said. “All those phone numbers belong to federal agencies of some sort or another. So just that telephone prefix was a hot target because that’s where you would find the federal government computers.” In fact, they had no particular reason for checking out government agencies.
Costa: We were kids. We had no master plan.
Matt: What you do is you just kinda throw the net out in the sea and see what kind of fish you come back with.
Costa: It was more of a “What can we do tonight?” type thing, “What can we scan out tonight?”
Costa looked at his war dialer log one day and saw that the program had dialed into a computer that returned a banner reading something like “U.S. District Courthouse.” It also said, “This is federal property.” He thought, “This looks juicy.”
But how to get into the system? They still needed a username and password. “I think it was Matt that guessed it,” Costa says. The answer was too easy: Username: “public.” Password: “public.” So there was “this really strong, scary banner” about the site being federal property, yet no real security barring the door.
“Once we were into their system, we got the password file,” Matt says. They easily obtained the judges’ sign-on names and passwords. “Judges would actually review docket information on that court system and they could look at jury information or look at case histories.”
Sensing the risk, Matt says, “We didn’t explore too far into the court.” At least, not for the moment.

Guests of the Hotel

Meanwhile, the guys were busy in other areas. “One of the things we also compromised was a credit union. Matt discovered a pattern in the numbers for their codes that made it easy for us to make telephone calls” at the association’s expense. They also had plans to get into the computer system of the Department of Motor Vehicles “and see what kind of driver’s licenses and stuff we could do.”
They continued to hone their skills and break into computers. “We were on a lot of computers around town. We were on car dealerships. Oh, and there was one hotel in the Seattle area. I had called them and acted like I was a software technician for the company that made the hotel reservation software. I talked to one of the ladies at the front desk and explained that we were having some technical difficulties, and she wouldn’t be able to do her job correctly unless she went ahead and made a few changes.”
With this standard, familiar social engineering gambit, Matt easily found out the logon information for the system. “The username and password were ‘hotel’ and ‘learn.’” Those were the software developers’ default settings, never changed.
The break-in to the computers of the first hotel provided them a learning curve on a hotel reservations software package that turned out to be fairly widely used. When the boys targeted another hotel some months later, they discovered that this one, too, might be using the software they were already familiar with. And they figured this hotel might be using the same default settings. They were right on both counts. According to Costa:
We logged into the hotel computer. I had a screen basically just like they would have right there in the hotel. So I logged in and booked a suite, one of the top $300 a night suites with a water view and the wet bar and everything.
I used a fake name, and put a note that a $500 cash deposit had been made on the room. Reserved for a night of hell-raising. We basically stayed there for the whole weekend, partied, and emptied out the mini bar.
Their access to the hotel’s computer system also gave them access to information on guests who had stayed at the hotel, “including their financial information.”
Before checking out of the hotel, the boys stopped by the front desk and tried to get change from their “cash deposit.” When the clerk said the hotel would send a check, they gave him a phony address and left.
“We were never convicted of that,” Costa says, adding, “Hopefully the statute of limitations is up.” Any regrets? Hardly. “That one had a little bit of a payoff in that wet bar.”

Opening a Door

After that wild weekend, the emboldened boys went back to their computers to see what else they could do with the hack into the District Court. They quickly found out that the operating system for the court computer had been purchased from a company we’ll call Subsequent. The software had a built-in feature that would trigger a phone call to Subsequent anytime software patches were needed — for example, “If a customer of a Subsequent computer bought a firewall and the operating system needed patches for the firewall to run, the company had a method for logging in to their corporate computer system to get the patches. That’s basically how it was back then,” Costa explained.
Matt had a friend, another C programmer, who had the skills to write a Trojan — a piece of software that provides a secret way for a hacker to get back onto a computer he has made his way into earlier. This was very handy if passwords are changed or other steps are taken to block access. Through the computer at the District Court, Matt sent the Trojan to the Subsequent corporate computer. The software was designed so that it would also “capture all the passwords and write them to a secret file, as well as allow us a root [administrator access] bypass in case we ever got locked out.”
Getting into the Subsequent computer brought them an unexpected bonus: access to a list of other companies running the Subsequent operating system. Pure gold. “It told us what other machines we could access.” One of the companies named on the list was a giant local firm, the place where Matt’s father worked: Boeing Aircraft.
“We got one of the Subsequent engineer’s username and password, and they worked on the boxes that he had sold Boeing. We found we had access to login names and passwords to all the Boeing boxes,” Costa said.
The first time Matt called the phone number for external connections to the Boeing system, he hit a lucky break.
The last person that called in hadn’t hung up the modem properly so that when I dialed in I actually had a session under some user. I had some guy’s Unix shell and it’s like, “Wow, I’m suddenly into the guy’s footprint.”
(Some early dial-up modems were not configured so they would automatically log off the system when a caller hung up. As a youngster, whenever I would stumble across these types of modem configurations, I would cause the user’s connection to be dropped by either sending a command to a telephone company switch, or by social engineering a frame technician to pull the connection. Once the connection was broken, I could dial in and have access to the account that was logged in at the time of the dropped connection. Matt and Costa, on the other hand, had simply stumbled into a connection that was still live.)
Having a user’s Unix shell meant that they were inside the firewall, with the computer in effect standing by, waiting for him to give instructions. Matt recalls:
So immediately I went ahead and cracked his password and then I used that on some local machines where I was able to get root [system administrator] access. Once I had root, we could use some of the other accounts, try going onto some of the other machines those people accessed by looking at their shell history.
If it was a coincidence that the modem just happened to be online when Matt called, what was going on at Boeing when Matt and Costa started their break-in to the company was an even greater coincidence.

Guarding the Barricades

At that moment, Boeing Aircraft was hosting a high-level computer security seminar for an audience that included people from corporations, law enforcement, FBI, and the Secret Service.
Overseeing the session was Don Boelling, a man intimate with Boeing’s computer security measures and the efforts to improve them. Don had been fighting the security battles internally for a number of years. “Our network and computing security was like everywhere else, it was basically zip. And I was really concerned about that.”
As early as 1988, when he was with the newly formed Boeing Electronics, Don had walked into a meeting with the division president and several vice presidents and told them, “Watch what I can do with your network.” He hacked modem lines and showed that there were no passwords on them, and went on to show he could attack whatever machines he wanted. The executives saw one computer after another that had a guest account with a password of “guest.” And he showed how an account like that makes it easy to access the password file and download it to any other machine, even one outside the company.
He had made his point. “That started the computing security program at Boeing,” Don told us. But the effort was still in its infancy when Matt and Costa began their break-ins. He had been having “a hard time convincing management to really put resources and funding into computing security.” The Matt and Costa episode would prove to be “the one that did it for me.”
His courageous role as a spokesman for security had led to Don organizing the groundbreaking computer forensics class at Boeing. “A government agent asked us if we wanted to help start a group of law enforcement and industry people to generate information. The organization was designed to help train law enforcement in computer technology forensics, involving high-tech investigations techniques. So I was one of the key players that helped put this together. We had representatives from Microsoft, US West, the phone company, a couple of banks, several different financial organizations. Secret Service agents came to share their knowledge of the high-tech aspects of counterfeiting.”
Don was able to get Boeing to sponsor the sessions, which were held in one of the company’s computer training centers. “We brought in about thirty-five law enforcement officers to each week-long class on how to seize a computer, how to write the search warrant, how to do the forensics on the computer, the whole works. And we brought in Howard Schmidt, who later was recruited onto the Homeland Security force, answering to the President for cyber-crime stuff.”
On the second day of the class, Don’s pager went off. “I called back the administrator, Phyllis, and she said, ‘There’s some strange things going on in this machine and I can’t quite figure it out.” A number of hidden directories had what looked like password files in them, she explained. And a program called Crack was running in the background.
That was bad news. Crack is a program designed to break the encryption of passwords. It tries a word list or a dictionary list, as well as permutations of words like Bill1, Bill2, Bill3 to try to discern the password.
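A small weak-credential audit, added here as an illustration (not code from the book and not the Crack program itself): it encodes the dictionary-plus-digit mangling Don describes and the vendor-default pairs that appear earlier in the chapter (public/public, hotel/learn, guest/guest), so a system can reject such a password when it is set rather than wait for Crack to find it. The wordlist and the finding names are constructed for the example.

```python
"""Weak-credential audit modelled on the Crack-style patterns in this chapter.

Constructed example: a tiny wordlist stands in for Crack's dictionary, and
the mangling rules are the ones the text names (plain word, capitalised word,
word followed by digits, digits followed by a word).  Not the real Crack tool.
"""
from typing import Iterator, List, Optional

# Constructed stand-in for a dictionary list.
WORDLIST = ["bill", "public", "guest", "hotel", "learn", "ovens", "password"]

# Vendor/default credential pairs mentioned in the chapter (username, password).
VENDOR_DEFAULTS = {("public", "public"), ("hotel", "learn"), ("guest", "guest")}

DIGITS = "0123456789"


def mangle(word: str) -> Iterator[str]:
    """Yield the permutations a Crack-style dictionary run would try for one word.

    This mirrors the "Bill1, Bill2, Bill3" pattern described in the text, plus
    a digit prefix so that a password like "2ovens" is also covered.
    """
    yield word
    yield word.capitalize()
    yield word.upper()
    for d in range(10):
        yield f"{word}{d}"
        yield f"{word.capitalize()}{d}"
        yield f"{d}{word}"
    for d in range(10, 100):
        yield f"{word}{d}"


def crack_rule(password: str, wordlist: List[str]) -> Optional[str]:
    """Return the name of the mangling rule that would recover `password`.

    Works in reverse: instead of generating every candidate, strip the digit
    decoration and check whether what remains is a dictionary word.  Returns
    None when no rule applies.
    """
    words = set(w.lower() for w in wordlist)
    low = password.lower()
    if low in words:
        return "dictionary_word"
    stripped = low.rstrip(DIGITS)
    if stripped != low and stripped in words:
        return "dictionary_plus_digits"      # e.g. Bill3
    stripped = low.lstrip(DIGITS)
    if stripped != low and stripped in words:
        return "digits_plus_dictionary"      # e.g. 2ovens
    return None


def audit_credential(username: str, password: str,
                     wordlist: List[str] = WORDLIST) -> List[str]:
    """Return the list of weaknesses found for a (username, password) pair.

    An empty list means none of the chapter's failure modes apply: the pair is
    not a vendor default, the password is not the username, and a Crack-style
    dictionary run would not recover it from this wordlist.
    """
    findings: List[str] = []
    if (username.lower(), password.lower()) in VENDOR_DEFAULTS:
        findings.append("vendor_default")
    if password.lower() == username.lower():
        findings.append("equals_username")
    rule = crack_rule(password, wordlist)
    if rule:
        findings.append(rule)
    return findings


if __name__ == "__main__":
    # Constructed sample accounts drawn from the chapter's own examples.
    for user, pw in [("public", "public"), ("root", "2ovens"),
                     ("jdoe", "Bill3"), ("jdoe", "correct horse battery staple")]:
        print(f"{user:8s} {pw!r:34s} -> {audit_credential(user, pw)}")
```

The reverse check in `crack_rule` is what makes the audit cheap enough to run on every password change; the `mangle` generator exists only to show what the cracker's side of the same rules looks like.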
Don sent his partner, Ken (“our Unix security guru”) to take a look. About an hour later, Ken paged Don and told him, “You better get up here. This looks like it might be pretty bad. We’ve got numerous passwords cracked and they don’t belong to Boeing. There’s one in particular you really need to look at.”
Meanwhile, Matt had been hard at work inside the Boeing computer networks. Once he had obtained access with system administrator privileges, “it was easy to access other accounts by looking into some of the other machines those people had accessed.” These files often had telephone numbers to software vendors and other computers the machine would call. “A primitive directory of other hosts that were out there,” says Matt. Soon the two hackers were accessing the databases of a variety of businesses. “We had our fingers in a lot of places,” Costa says.
Not wanting to leave the seminar, Don asked Ken to fax down what he was seeing on the administrator’s screen. When the transmission arrived, Don was relieved not to recognize any of the user IDs. However, he was puzzled over the fact that many of them began with “Judge.” Then it hit him:
I’m thinking, “Oh my God!” I walked into this classroom full of law enforcement officers and said, “Do you guys recognize any of these names?” I read off a list of the names. One federal officer explained, “Those are judges in the U.S. District Court in Seattle.” And I said, “Well, I have a password file here with 26 passwords cracked.” Those federal officers about turned green.
Don watched as an FBI agent he’d worked with in the past made a few phone calls.
He calls up the U.S. District Court and gets hold of the system administrator. I can actually hear this guy on the other end of the line going, “No, no way. We’re not connected to the Internet. They can’t get our password files. I don’t believe it’s our machine.” And Rich is saying, “No, it is your machine. We’ve got the password files.” And this guy is going, “No, it can’t happen. People can’t get into our machines.”
Don looked down at the list in his hand and saw that the root password — the top-level password known only to system administrators — had been cracked. He pointed it out to Rich.
Rich says into the telephone, “Is your root password ‘2ovens’?” Dead silence on the other end of the line. All we heard was a “thunk” where this guy’s head hit the table.
As he returned to the classroom, Don sensed a storm brewing. “I said, ‘Well, guys, it’s time for some on-the-job real life training.’”
With part of the class tagging along, Don prepared for battle. First, he went to the computer center in Bellevue where the firewall was located. “We found the account that was actually running the Crack program, the one the attacker was logging in and out of, and the IP address he was coming from.”
By this time, with their password-cracking program running on the Boeing computer, the two hackers had moved into the rest of Boeing’s system, “spider-webbing” out to access hundreds of Boeing computers.
One of the computers that the Boeing system connected to wasn’t even in Seattle. In fact, it was on the opposite coast. According to Costa:
It was one of the Jet Propulsion lab computers at NASA’s Langley Research Labs in Virginia, a Cray YMP5, one of the crown jewels. That was one of our defining moments.
All kinds of things cross your mind. Some of the secrets could make me rich, or dead, or really guilty.
The folks in the seminar were taking turns watching the fun in the computer center. They were stunned when the Boeing security team discovered their attackers had gotten access to the Cray, and Don could hardly believe it. “We were able to very quickly, within an hour or two, determine that access point and the access points to the firewall.” Meanwhile, Ken set up virtual traps on the firewall in order to determine what other accounts the attackers had breached.
Don rang the local phone company and asked to have a “trap and trace” put on the Boeing modem lines that the attackers were using. This is a method that would capture the phone number that the calls were originating from. The telephone people agreed without hesitation. “They were part of our team and knew who I was, no questions asked. That’s one of the advantages of being on these law enforcement teams.”
Don put laptops in the circuits between the modems and the computers, “basically to store all the keystrokes to a file.” He even connected Okidata printers to each machine “to print everything they did in real time. I needed it for evidence. You can’t argue with paper like you can with an electronic file.” Maybe it’s not surprising when you think about which a panel of jurors is more likely to believe: an electronic file or a document printed out at the very time of the incident.
The group returned to the seminar for a few hours where Don outlined the situation and defensive measures taken. The law enforcement officers were getting hands-on, graduate-level experience in computer forensics. “We went back up to do some more work and check on what we had, and while I was standing there with two federal officers and my partner, the modem goes off. Bingo, these guys came in, logged in on the account,” Don said.
The local phone company tracked Matt and Costa to their homes. The team watched as the hackers logged into the firewall. They then transferred over to the University of Washington, where they logged in to Matt Anderson’s account.
Matt and Costa had taken precautions that they thought would protect their calls from being traced. For one thing, instead of dialing Boeing directly, they were calling into the District Court computers and then routing a call from the Court to Boeing. They figured that “if there was someone monitoring us at Boeing, they were probably having a rough time figuring out where our call was originating from,” Costa said.
They had no idea their every move was being watched and recorded as Matt dialed into the Court, from there to Boeing, and then transferred to his personal student account.
Since we were so new on [the District Court] system and the password and user name were “public,” at the time I didn’t think it was a threat, or I was being lazy. That direct dial is what gave them the trace to my apartment and that’s where everything fell apart.
Don’s team felt like the proverbial fly on the wall as Matt started reading the email on his student account. “In this guy’s email is all this stuff about their hacker exploits and responses from other hackers.”
The law enforcement officers are sitting there laughing their asses off, ’cause these are basically arrogant kids, not considering they’d get caught. And we’re watching them real time produce evidence right there in our hands.
Meanwhile, Don was ripping the sheets off the printer, having everybody sign as a witness, and sealing them as evidence. “In less than six hours from the point we knew we had this intrusion, we already had these guys on criminal trespass.”
Boeing management was not laughing. “They were scared out of their wits and wanted the hackers terminated — ‘Get them off the computers and shut all this off right now.’” Don was able to convince them it would be wiser to wait. “I said, ‘We don’t know how many places these guys have gotten into. We need to monitor them for a while and find out what the heck is going on and what they’ve done.’” When you consider the risk involved, it was a remarkable testament to Don’s professional skills that management capitulated.

Under Surveillance

One of the federal officers attending the seminar obtained warrants for tapping Matt and Costa’s telephones. But the wiretaps were only one part of the effort. By this time the federal government was taking the case very seriously. The action had assumed aspects of a spy movie or a crime thriller: FBI agents were sent to the campus in teams. Posing as students, they followed Matt around campus, noting his actions so they would later be able to testify that at some particular time, he was using one particular computer on campus. Otherwise it would be easy to claim, “That wasn’t me — lots of people use that computer every day.” It had happened before.
On the Boeing side, the security team took every precaution they could think of. The goal wasn’t to keep the boys out but to watch closely, continuing to gather evidence while making sure they didn’t do any damage. Don explains, “We had all of our computers’ main entry points set up to where either the system administrator or the computer would page us and let us know some activity was going on.” The pager’s beep became a cry to “battle stations.” Team members immediately notified select individuals on a call list to let them know the hackers were on the prowl again. Several times, Don’s group electronically tracked Matt and Costa’s activity through the University of Washington — where key staff had been briefed — all the way through the Internet, from point to point. It was like being beside the two as they made the actual break in.
Don decided to watch them for another four or five days because “basically we had them fairly well contained and they weren’t doing anything that I would consider extremely dangerous, though they had considerable access and could have if they wanted to.”
But Costa soon learned something was up:
One night my girlfriend and I were sitting in my apartment watching TV. It was a summer night, and the window was open, and it’s funny but she looked outside ... and noticed a car in the parking lot of the Pay & Save. Well, about an hour later, she looked out again and said, “There’s a car outside with guys in it that was out there an hour ago.”
Costa turned off the TV and lights and proceeded to videotape the FBI agents watching his place. A little later, he saw a second car pull up next to the first one. The men in the two cars discussed something and then both drove off.
The next day, a team of officers showed up at Costa’s apartment. When he asked, they acknowledged that they didn’t have a warrant, but Costa wanted to look like he was cooperating so didn’t object to being interviewed. He didn’t object, either, when they asked him to call Matt and draw him out about the cell phone activities, while they recorded the conversation.
Why was he willing to call his closest friend and talk about their illegal activities with law enforcement listening in? Simple: Joking around one night, playing a variation of “What if?” the two had actually anticipated a situation in which it might be hazardous to talk freely and had devised a code. If one of them dropped “nine, ten” into the conversation, it would mean “Danger! Watch what you say.” (They chose the number as easy to remember, being one less than the emergency phone number, 911.)
So with the phone tapped and the recorder running, Costa dialed Matt. “I called you a few minutes ago, at nine-ten, and couldn’t get through,” he began.

Closing In

The Boeing surveillance team had by now discovered the hackers were not only getting into the U.S. District Court, but also into the Environmental Protection Agency. Don Boelling went to the EPA with the bad news. Like the system administrator for the U.S. District Court, the EPA guys were skeptical of any infringement of their system.
We’re telling them their machines were compromised and to them it was inconceivable. They’re saying, “No, no.” I happened to bring the password file with 10 or 15 passwords cracked, and I tell them the network administrator’s password.
They’re about ready to throw up because it turns out that all six-hundred-odd machines across the U.S. are attached to the Internet by the same account. It was a system privilege root account and they all had the same password.
The law enforcement people attending the computer security seminar were getting far more than they had bargained for. “For the guys that didn’t go out with us in the field,” Don said, “every day we’d go back to the classroom and detail what we did. They were getting a firsthand account of everything that was going on with the case.”

The Past Catches Up

Because he was impressed with the skill that the hackers had shown, Don was surprised to learn that they had been in court on other charges just two months earlier, resulting in Costa receiving a sentence of 30 days of work release.
And yet here they were back to breaking the law as if invulnerable. How come? Costa explained that he and Matt were already worried because there was so much more to the original case than the prosecutors had found out.
It was kind of a big snowball where they only found a little piece of ice. They didn’t know that we were doing the cell phones, they didn’t know that we had credit card numbers, they didn’t know the scope of what they had caught us for. Because Matt and I had already talked about our case, we talked about what we were going to tell them. And so we had pled out to this computer trespass and it was just kinda like a “ha-ha” to us. It was stupid.

On the News

Don was driving from Bellevue to Boeing’s South Central facility, where his office was, when he got a shock. “I had KIRO news on and all of a sudden I hear this breaking story that two hackers have busted into Boeing and there’s a federal investigation. I’m thinking, ‘Damn!’”
The story had been leaked by a Boeing employee unhappy with the decision to watch Matt and Costa’s activities rather than arrest them immediately, Don later found out. Don raced to his office and called everyone involved. “I said, ‘Look, this whole thing has broke! It’s on the news! We gotta do something now.’ Howard Schmidt was there and being an expert on writing search warrants for computers, he stepped in and helped them so they got it right — so there wasn’t any question about it.”
In fact, Don wasn’t too upset about the leak. “We were pretty close to busting them anyway. We had plenty, tons of evidence on these guys.” But he suspected there was even more that hadn’t come to light yet. “There’s a few things we figured they were into, like credit card fraud. Later on they did get caught for that. I think it was six months or a year later that the Secret Service nailed them.”

Arrested

Costa knew it had to be coming soon, and he wasn’t surprised by the heavy-handed knock on his apartment door. By then he had already disposed of four notebooks full of incriminating evidence. At that point he had no way of knowing that, thanks to Don Boelling, the Feds had all the evidence they would ever need to convict him and Matt.
Matt remembers seeing the story about a computer break-in at Boeing on television at his parents’ home. Around 10 P.M., there was a knock on the front door. It was two FBI agents. They interviewed him in the dining room for about two hours while his parents slept upstairs. Matt didn’t want to wake them. He was scared to.
Don Boelling would have gone along on the arrest if he could have. Despite all his good connections, he wasn’t invited. “They weren’t too keen about having civilians go on the actual bust.”
Boeing was concerned to learn that one of the hackers had a name that matched an employee’s. Matt was not happy to see his father dragged into the mess. “Since Dad worked at Boeing and we share the same name, he actually was interrogated.” Costa was quick to point out that they’d been careful not to access Boeing using any of Matt’s father’s information. “He totally kept his dad out of the loop and didn’t want to involve him from the get-go, even before we ever thought we’d be in trouble.”
Don was a little miffed when the Special Agent in Charge at the FBI’s Seattle office was interviewed after the case broke. One of the TV reporters asked how they had tracked and caught the hackers. The agent answered something like, “The FBI used technical procedures and techniques too complicated to discuss here.” Don thought to himself, “You’re full of crap! You didn’t do anything! We did it!” A whole coordinated group had been involved: people from Boeing, from other companies, from the District Court, and from local, state, and federal law enforcement agencies. “This was the first time we’d ever done anything like this. It was a team effort.”
Luckily, Matt and Costa had done little damage considering the potential havoc they could have inflicted. “As far as actually harming Boeing, they really didn’t do that much,” Don acknowledged. The company got off easy but wanted to make sure the lesson was learned. “They pled guilty because basically we had them dead to rights. There was no way they were getting out of this one,” Don recalls with satisfaction.
But once again the charges were reduced, this time with multiple felony charges dropped to “computer trespass.” The two walked out with another slap on the wrist: 250 hours of community service and five years’ probation with no use of computers allowed. The one tough part was restitution: They were ordered to pay $30,000, most of it to Boeing. Even though neither was still a juvenile, the boys had been given another chance.

An End to Good Luck

They hadn’t learned a lesson.
Costa: Instead of stopping altogether, being stupid kids that we were, or not really stupid but naive in the fact that we didn’t realize how much trouble we could get in. It was not really greed but more of glamour of being able to have a cell phone and use it at will.
Matt: Back in that day it was a big deal. It was a very glitzy item to have.
But the breaks that Matt and Costa were being handed by the criminal justice system were about to end. And the cause would not be for any reason they could have anticipated but, of all things, jealousy.
Costa says his then-girlfriend thought he was cheating on her with another woman. Nothing of the kind, says Costa; the other lady was “just a friend, nothing more.” When he wouldn’t give up seeing her, Costa believes the girlfriend called the authorities and reported that “the Boeing hackers are selling stolen computers.”
When investigators showed up at his mother’s home, Costa wasn’t in but his mother was. “Oh, yes, come on in,” she told them, sure there would be no harm.
They didn’t find any stolen property. That was the good news. The bad news was that they found a scrap of paper that had fallen to the floor and been lost to sight under the edge of a carpet. On it was a phone number and some digits that one investigator recognized as an electronic serial number. A check with the phone company revealed that the information was associated with a cell phone account that was being used illegally.
Costa heard about the raid on his mother’s home and decided to drop out of sight.
I was on the run for five days from the Secret Service — they had jurisdiction over cellular phone fraud. I was a fugitive. And so I was actually staying at a friend’s apartment in Seattle and they had actually come to the apartment looking for me, but the car that I was driving was still in the name of the person that previously owned it, so I didn’t get caught.
On the fifth or sixth day, I talked to my attorney and I walked into the Probation Officer’s office with him and turned myself in. I was arrested and taken away.
Running from the Secret Service — that was a stressful time.
Matt was picked up, as well. The two found themselves on separate floors of Seattle’s King County Jail.

Jail Phreaking

This time there would be no trial, the boys learned. Once the investigation had been finished and the U.S. Attorney’s Office had drawn up the papers, the pair would go before a federal judge on violation of their probation. No trial, no chance to put on a defense, and not much hope of leniency.
Meanwhile they would each be questioned in detail. They knew the drill: Keep the bad guys separated and trip them up when they tell different stories.
Matt and Costa found that jail, for them at least, was a harder place than prison to serve time. “County jail is the worst, like no other place. I was threatened by a couple of people,” says Costa. “I actually got in a fight. If you don’t bark back, then you’re gonna get chewed up.” Matt remembers getting punched. “I think it was because I didn’t get off the phone. So, lesson learned.”
Jail was hard in another way. Costa recalls:
[It was] not knowing what was next, ’cause we had gotten in trouble already and we knew we were in trouble way more. It was fear of the unknown more than fear of the inmates. They just said “lock ’em up” and there was no bail, no bond. It was a Federal hold. We had no idea where we were going from there and we were indefinitely locked up.
Jails generally have two types of telephones: pay phones, where conversations are monitored to make sure inmates are not plotting something illegal, and phones that connect directly to the Public Defender’s Office so that inmates can talk to their lawyers.
At the Seattle jail, calls to the Public Defender’s Office are dialed from a list of two-digit codes. Matt explained, “But if you call after hours, what do you get? You’re in their voicemail system and you can enter as many touch tones as you like.” He began exploring the voicemail system.
He was able to identify the system as a Meridian, a type he and Costa were both very familiar with, and he programmed it so it would transfer his calls to an outside line. “I set up a menu number eight, which the automated voice announcement didn’t prompt for. Then I could dial a local number, and a six-digit code I knew. From there I could call anywhere in the world.”
Even though the phones were turned off at 8 P.M., the Public Defender’s line was always left on. “We would just play with the phones all night and there’s nobody waiting to use them because they think they’re turned off,” says Costa. “They just think you’re crazy, sitting there with the phone. So, it just worked out perfectly.”
While Costa was discovering how to make outside calls, Matt was also using the telephone on his own unit at night to do some exploring of his own. He located a “bridge number in an old loop” of a Pennsylvania telephone company, which allowed both to call in on a phone company test number and talk to each other.
The two spent hours on the unmonitored phones talking to one another. “We had the ability to discuss our case prior to our interviews. That was handy, really handy,” says Costa. Matt added, “We would discuss forever what the other side was being told. We wanted to have everything corroborated.”
Word spread among the inmates that the two new kids were wizards with the phones.
Costa: I got kinda fat in there because other people were giving me their trays for free phone calls.
Matt: I was starting to get skinny because I was nervous. I was sitting there with all the thugs and I didn’t like giving them all those calls.
There they were, sitting in jail, breaking the law by making illegal phone calls and planning their stories in hopes of deceiving the prosecutors. To any hacker, that’s just plain funny. For Matt and Costa, it meant risking more charges being piled on top of the ones they were already facing.
In the end, their efforts at collusion didn’t help. The facts were stacked high against them, and this time they were in front of a judge who wasn’t going to hand them just another slap on the wrist. They were each sentenced to serve “a year and a day” in a federal facility, with credit for time already served in the county jail. The extra “day” of prison time was of substantial benefit to them. Under federal sentencing laws, that made them eligible to be released up to 54 days earlier for good behavior.
The two were held without bond for three and a half months, then released on their own recognizance under a heavy set of restrictions until the judge decided on a sentence. Don was right: no leniency this time.

Doing Time

Matt was sent to the Sheridan Camp in Oregon, while Costa went to Boron Federal Prison Camp in California. “It was federal because we violated our terms of probation on a federal charge,” says Costa.
Nevertheless, this wasn’t exactly “hard time” for either of them. As Costa recalls:
I knew I had it cushy. This was a prison camp that had a swimming pool. In the middle of the Mojave, that was kinda nice. We didn’t have a fence, just a yellow line in the sand. It was one of these places that, you know, had three senators down there. There was the guy that started a famous restaurant chain in there with me.
Boron was the last federal institution with a pool, and Costa heard later that a Barbara Walters television story had resulted in the pool being filled in just after he was released. Personally I can understand not spending taxpayer money to put in a swimming pool when a new prison is being built, but I can’t understand destroying one that already exists.
At the Sheridan prison, Matt found out another inmate was a former executive from Boeing. “He got in trouble for some type of embezzlement or white collar crime.” It seemed somehow ironic.
Costa and other Boron inmates were frequently driven half an hour across the desert in a steaming prison bus to do menial labor at nearby Edwards Air Force Base. “They put me in an army hangar where they had a VAX server. I wasn’t even supposed to be near a computer.” He alerted the sergeant. “I told him my story and he’s like, ‘Oh, go ahead.’” Costa wasted no time getting acquainted with the military computer. “I was getting on the IRC every day and chatting away while I was locked up. I was downloading Doom at high speed. It was amazing, great!”
At one point Costa was assigned to clean out a classified communications van filled with sensitive electronics. “I just couldn’t believe they were letting us do this.”
On one level, their prison time sounds like a lark, almost a joke. It wasn’t. Every month they spent inside was a month of life wasted, a month of education missed, a month apart from people they cared about and wanted to be with. Every morning a prisoner starts his day wondering if today will bring a fistfight to defend himself or his property. Jail and prison can be terrifying.

What They’re Doing Today

A decade after they were released, both seem to be settled into more traditional lives. Matt is currently working for a large company in San Jose as a Java application developer. Costa has his own company and sounds quite busy, “setting up digital surveillance systems and distributed audio clients (slimdevices) for businesses.” He’s found work that he’s well suited for; people bored with their jobs would be envious that he is, he says, “enjoying every minute.”

INSIGHT

It seems amazing in today’s world that hackers still find it so easy to saunter into so many corporate Web sites. With all the stories of break-ins, with all the concern about security, with dedicated, professional security people on staff or consulting to companies large and small, it’s shocking that this pair of teenagers were skillful enough to find their way into the computers of a federal court, a major hotel chain, and Boeing Aircraft.
Part of the reason this happens, I believe, is that many hackers follow a path like I did, spending an inordinate amount of time learning about computer systems, operating system software, applications programs, networking, and so on. They are largely self-taught but also partly mentored in an informal but highly effective “share the knowledge” tutoring arrangement. Some barely out of junior high have put in enough time and gained enough knowledge in the field that they qualify for a Bachelor of Science in Hacking degree. If MIT or Cal Tech awarded such a degree, I know quite a few I would nominate to sit for the graduation exam.
No wonder so many security consultants have a secret past as a black-hat hacker (including more than a couple whose stories appear in these pages). Compromising security systems requires a particular type of mindset that can thoughtfully analyze how to cause the security to fail. Anybody trying to enter the field strictly on the basis of classroom learning would require a lot of hands-on experience, since he or she would be competing with consultants who started their education in the subject at age 8 or 10.
It may be painful to admit, but the truth is that everyone in the security field has a lot to learn from the hackers, who may reveal weakness in the system in ways that are embarrassing to acknowledge and costly to address. They may break the law in the process, but they perform a valuable service. In fact, many security “professionals” have been hackers in the past.
Some will read this and put it down to Kevin Mitnick, the one-time hacker, simply defending today’s generation of hackers. But the truth is that many hacker attacks serve the valuable purpose of exposing weaknesses in a company’s security. If the hacker has not caused any damage, committed a theft, or launched a denial-of-service attack, has the company suffered from the attack, or benefited by being made to face up to their vulnerabilities?

COUNTERMEASURES

Ensuring proper configuration management is a critical process that should not be ignored. Even if you properly configure all hardware and software at the time of installation and you keep up-to-date on all essential security patches, improperly configuring just a single item can create a crack in the wall. Every organization should have an established procedure for ensuring that IT personnel who install new computer hardware and software, and telecom personnel who install telephone services, are thoroughly trained and regularly reminded, if not tested, on making certain security is ingrained in their thinking and behavior.
At the risk of sounding, here and elsewhere, as if we’re promoting our earlier book: The Art of Deception (Wiley Publishing, Inc., 2002) provides a plan for employee computer-security awareness training. Systems and devices should be security tested prior to being put into production.
I firmly believe that relying only on static passwords should be a practice of the past. A stronger form of authentication, using some kind of physical device such as a time-based token or a reliable biometric, should be used in conjunction with a strong personal password, changed often, to protect systems that process and store valuable information. Using a stronger form of authentication doesn’t guarantee it can’t be hacked, but at least it raises the bar.
Organizations that continue to use only static passwords need to provide training and frequent reminders or incentives that will encourage safe password practices. An effective password policy requires users to construct secure passwords containing at least one numeral and at least one symbol or mixed-case character, and to change them periodically.
A further step requires making certain that employees are not catering to “lazy memory” by writing down the password and posting it on their monitor or hiding it under the keyboard or in a desk drawer — places any experienced data thief knows to look first. Also, good password practice requires never using the same or similar password on more than one system.
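As an added illustration (not from the book or any product), the following checker encodes the password rules just described: a numeral plus a symbol or mixed case, periodic change, and no same-or-similar password on more than one system, the way a password manager could enforce them locally. The minimum length, the 90-day maximum age, the similarity threshold and the sample passwords are assumptions.

```python
"""Password-policy checker for the rules in the Countermeasures section.
Added example; thresholds and sample data are assumptions, not the book's."""
import difflib
import re
from datetime import date, timedelta
from typing import Optional

MIN_LENGTH = 12                 # assumption: the book names no minimum length
MAX_AGE = timedelta(days=90)    # assumption for "changed periodically"
SIMILARITY_LIMIT = 0.8          # assumption: edit-similarity ratio that counts as "similar"


def meets_composition_rule(password: str) -> bool:
    """At least one numeral, and either a symbol or both upper- and lower-case letters."""
    has_digit = re.search(r"\d", password) is not None
    has_symbol = re.search(r"[^A-Za-z0-9]", password) is not None
    mixed_case = re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
    return has_digit and (has_symbol or bool(mixed_case))


def normalize(password: str) -> str:
    """Lower-case, undo common substitutions (@ $ 0 1 3) and drop symbols,
    so that 'P@ssw0rd!' and 'password' compare as the same string."""
    lowered = password.lower().translate(str.maketrans("@$013", "asole"))
    return re.sub(r"[^a-z0-9]", "", lowered)


def is_similar(candidate: str, previous: str) -> bool:
    """'Same or similar': equal after normalization, one contained in the other,
    or a high edit-similarity ratio (catches a year bump like 2023 -> 2024)."""
    a, b = normalize(candidate), normalize(previous)
    if a == b or (a and b and (a in b or b in a)):
        return True
    return difflib.SequenceMatcher(None, a, b).ratio() >= SIMILARITY_LIMIT


def check_password(candidate: str, passwords_elsewhere: dict,
                   last_changed: Optional[date] = None,
                   today: Optional[date] = None) -> list:
    """Return the policy violations for `candidate`; an empty list means it passes.
    `passwords_elsewhere` maps a system name to the password the user has there."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not meets_composition_rule(candidate):
        problems.append("needs a numeral plus a symbol or mixed case")
    for system, other in passwords_elsewhere.items():
        if is_similar(candidate, other):
            problems.append(f"too similar to the password used on {system}")
    if last_changed is not None:
        age = (today or date.today()) - last_changed
        if age > MAX_AGE:
            problems.append(f"not changed for {age.days} days (limit {MAX_AGE.days})")
    return problems


if __name__ == "__main__":
    # Constructed sample: the new password is only a year bump of the e-mail one.
    print(check_password("Seattle2024!", {"email": "seattle2023"}))
```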

THE BOTTOM LINE

Let’s wake up, people. Changing default settings and using strong passwords might stop your business from being victimized.
But this isn’t just user stupidity. Software manufacturers have not made security a higher priority than interoperability and functionality. Sure, they put careful guidelines in the user guides and the installation instructions. There’s an old engineering saying that goes, “When all else fails, read the instructions.” Obviously, you don’t need an engineering degree to follow that bad rule.
It’s about time that manufacturers began getting wise to this perennial problem. How about hardware and software manufacturers starting to recognize that most people don’t read the documentation? How about providing a warning message about activating the security or changing the default security settings that pops up when the user is installing the product? Even better, how about making it so the security is enabled by default? Microsoft has done this recently — but not until late 2004, in the security upgrade to Windows XP Professional and Home editions with their release of “Service Pack 2,” in which the built-in firewall is turned on by default. Why did it take so long?
Microsoft and other operating system manufacturers should have thought about this years ago. A simple change like this throughout the industry might make cyberspace a little safer for all of us.