The middle-aged man-call him john-peered at the numbers rolling across his computer monitor, which provided the only illumination in the cramped basement. One number, 307, caught his eye. Like the others, it designated a port, or gateway, between a certain corporation's computers and the outside world. John had just run a program on his PC that sent electronic probes throughout the corporation's network to find a complete list of these ports. Port 307 was "open"-any data coming through it could be displayed on John's screen. Would the information prove useful?

It did. Port 307 turned out to be where one network server sent bad passwords, along with the usernames of whoever typed them in. Network administrators had taken the trouble to hide legitimate passwords from prying eyes but hadn't worried about rejected passwords. John knew, however, that most failed passwords aren't wild guesses but rather are "fat-fingered," or typos. It was pretty easy to guess what "valentime3" was meant to be. Seconds later, John had logged onto the server. Three minutes after that he discovered a password file that listed one user's password as blank-a shortcut favored by systems administrators out to avoid having to type in a password hundreds of times daily. Now John had "root access," meaning the server recognized him as God. He whooped and called Jim Settle, former head of the FBI's computer crime squad and now CEO of Washington, DC-based security consultancy SST. "I'm in."