Taking a byte out of crime

Arjen K. Lenstra enjoys being cryptic. With a PhD in mathematics and computer science, this 39-year-old is interested in computational number theory, in particular the algorithms for integer factorization. That's about as cryptic as it gets for most of us. But when Lenstra's not working on network design and security at Bellcore, he's busy running a highly elite, virtually secret, and nearly impenetrable organization of his own, Digicrime.

A resident of Basking Ridge, NJ, Lenstra runs Digicrime to satirize the security of online transactions. The site invites people to reroute airline flights, move money between bank accounts, tap telephone lines, etc. Of course, none of it actually works -- the idea, however, is to show people how dangerous online transactions could be. For each joke, Lenstra and the other members of the company provide a link to a real story about digital crime.

What do you think about the security of online transactions? Do you think it's a joke?

Yes, it is largely a joke. What is missing is security. Credit card fraud is already enormous. And insecure transactions over the Internet make high volume credit card fraud much easier than it is now.

Where did you get the idea for Digicrime?

At a banquet of the 1994 annual Smart Card meeting in Washington, DC. I was discussing with someone the great opportunities that the growth of the Internet (and the deployment of electronic commerce) would offer to criminal elements. As a joke, I remarked that a company named "Digicrime" would have excellent business opportunities. Of course, we didn't want to [start] a company to actually commit digital crimes. Instead, we wanted to use the name as a way to warn people that digital crime is not inconceivable, and possibly just around the corner.

How are people reacting to Digicrime?

Most people I meet at conferences like the idea, and want to join. They encourage us to keep making people aware of the limitless possibilities for digital crime.

What kind of people want to join Digicrime?

Recently, an employee of a well-known software company asked if he could join as the "Window Cleaner." Later he decided that he would prefer to be "Head of Insecurity." But actually, Window Cleaner is quite appropriate: people might realize that software companies can easily install "features" in their products that might affect their privacy. Maybe it's not company policy to install such features, but just a nice little 'joke' from one of the programmers (who might later profit from his or her little trick). People have no way of knowing what they're using when they're using software.

The following are listed as your employees: a philatelist, a key salesman, an executive escrow agent, an arms trafficker, and a three-headed dog catcher. What function do each of them serve?

Well, we need a philatelist to collect stamps -- some stamps are worth a lot of money. We need a key salesman to sell keys. Selling keys means you don't have to break them. We need an escrow agent to escrow keys so as to facilitate key retrieval. We need an arms trafficker to make sure that we obey the US export restrictions on cryptological software. And we need a three-headed dog catcher to catch three-headed dogs, a common species on the Net.

What's a three-headed dog -- I'm not one, am I?

No, you wouldn't count as one. Kerberos, the monstrous dog guarding the entrance to Hades, is often depicted as a three-headed dog. And, as you might know, Kerberos is also the name of a computer security system.

Excuse me if I sound out of line, but if you could hack a site and wreak havoc with its members' confidential information, which site would you hack?

None. Don't confuse satire with unethical behavior.

But aren't you worried that some of Digicrime's fans might do just that?

No, because I have not met anyone yet who thinks that we are personally involved in, or intend to be involved in, digital crime. People realize that Digicrime is only meant as a warning, a preview (if you like) of the really bad stuff that's yet to come. [Making the Internet secure] is part of the "real" job of most people (including myself) who are listed as Digicrime's "employees."

So if someone actually passed on their credit card or bank account number to your site, would you be tempted to do anything with it?

No, I'm not at all tempted. I have better things to do in life.

Name three.

Do my work, drink an espresso, or factor a number.

Hey, how'd you pull that "Don't touch this" trick?

Hackers learn the tricks themselves. HINT: it only works with Netscape, but uses an HTML extension.

Who is your idol in criminal history? That Russian guy who recently hacked Citibank? Michael Milken? Bonnie and Clyde?

Richard Nixon.