💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › CUD › cud0509.txt captured on 2022-06-12 at 10:50:24.
-=-=-=-=-=-=-
Computer underground Digest Sun Jan 31, 1993 Volume 5 : Issue 09
ISSN 1004-042X
Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Copy Editor: Etaion Shrdlu, Junoir
CONTENTS, #5.09 (Jan 31, 1993)
File 1--Media hype goes both ways (in re: Forbes article)
File 2--Forbes, NPR, and a Response to Jerry Leichter
File 3--Revised Computer Crime Sent
File 4--Balancing Computer Crime Statutes and Freedom
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be
contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at:
Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL0 and DL12 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS
at (414) 789-4210; in Europe from the ComNet in Luxembourg BBS (++352)
466893; and using anonymous FTP on the Internet from ftp.eff.org
(192.88.144.4) in /pub/cud, red.css.itd.umich.edu (141.211.182.91) in
/cud, halcyon.com (192.135.191.2) in /pub/mirror/cud, and
ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
European readers can access the ftp site at: nic.funet.fi pub/doc/cud.
Back issues also may be obtained from the mail server at
mailserv@batpad.lgb.ca.us.
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Some authors do copyright their material, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
----------------------------------------------------------------------
Date: Tue, 12 Jan 93 12:20:21 EDT
From: Jerry Leichter <leichter@LRW.COM>
Subject: 1--Media hype goes both ways (in re: Forbes article)
In Cu Digest, #4.66, Jim Thomas reviews article from the 21 December
1992 Forbes Magazine, and grants it CuD's 1992 MEDIA HYPE award. I
read the article before reading Thomas's comments, and was considering
posting a very different summary. Did we read the same words?
Let me briefly summarize what I got out of the article, and then go
over some of Thomas's points. The article claims that we are seeing a
new kind of computer miscreant. Let me call such people "crims", a
word I've just invented; according to the article, they identify
themselves as hackers (to the extent they identify themselves at all),
so the article also calls them hackers (sometimes, "hacker hoods"),
thus raising many irrelevant emotional issues.
Unlike old-style hackers, who were in it for what they could build; or
new-style hackers, who are nominally in it for what they can learn;
crims are in it for what they can steal. The article does NOT claim
that the same people who've been hackers have now turned to real
crime; rather, as I read it it claims that the crims have taken the
techniques developed by the hackers and gone on to different things.
Just look at the title of the article: "The Playground Bullies are
Learning how to Type". The crims are the people who a few years ago
might be burglars or jewel thieves; today, they are learning how to go
after money and other valuable commodities (like trade or military
secrets) in their new, electronic form.
Thomas's criticism begins with a long attack on Brigid McMenamin, one
of the reporters on the piece. He is upset that she keeps "bugging"
people for information. Reporters do that; it's not their most
endearing quality, but it's essential to their job, especially when
dealing with people who don't particularly want to talk to them. He
is upset that she kept asking about "illegal stuff" and "was oblivious
to facts or issues that did not bear upon hackers-as-criminals." Given
the article she was writing - exactly focusing on the crims - that's
exactly what I would have expected her to do. Just because Thomas is
interested in the non-criminal side of hacking doesn't mean McMenamin
is under any obligation to be. Thomas reports that in his own
conversations with McMenamin "Her questions suggested that she did not
understand the culture about which she was writing." Again, Thomas
presumes that she was writing about the people *Thomas* is interested
in.
In general, Thomas's criticisms of McMemanim reveal him to be so
personally involved with the "hacker culture" that he studies that
he's protective of it - and blind to the possibility that the world
may be bigger and nastier than he would like.
Thomas then summarizes "The Story". He criticizes it for not
presenting a "coherent and factual story about the types of computer
crime", but rather for making "hackers" the focal point and taking on
a narrative structure. Well, I didn't particularly see "hackers" as
the focal point, and considering the nature of the material being
covered - it's all recent, and the crims are hardly likely to be
interested in making themselves available to reporters - a narrative
structure is probably inevitable. Perhaps Thomas will write the
definitive study of the types of computer crime; I doubt any working
reporter will do so for a magazine.
Len Rose's story is told with a reasonable slant. None of us know ALL
the facts, but at least Rose is pictured as a relatively innocent
victim, chosen pretty much at random to bear the weight of actions
taken by many people. In fact, that's just what a prosecutor
interviewed in this piece of the story says: Because of the nature of
the crimes, such as they are, the people caught and punished are often
not the ones who actually did much of anything. He doesn't indicate
that he LIKES this - just the opposite. He reports on facts about the
real world.
Thomas then says that the article describes a salami-slicing attack,
alleged to have taken place at Citibank. He criticizes the article
for lack of evidence. He's right, but after all, this was a criminal
enterprise, and the criminals weren't caught. Just what evidence
would he expect? He then goes on with a comment that makes no sense
at all:
Has anybody calculated how many accounts one would have to "skim" a
few pennies from before obtaining $200,000? At a dime apiece, that's
over 2 million. If I'm figuring correctly, at one minute per account,
60 accounts per minute non-stop for 24 hours a day all year, it would
take nearly 4 straight years of on-line computer work for an
out-sider. According to the story, it took only 3 months. At 20
cents an account, that's over a million accounts.
Why would anyone even imagine that an attack of this nature would be
under-taken on an account-at-a-time basis? The only way it makes
sense is for the attack to have modified the software. If the
criminals had a way to directly siphon money out of an account, they
would have made one big killing and disappeared. Citibank has many
thousands of accounts with much more than $200,000 in them; it
probably has many thousands of accounts for which a $200,000
discrepancy wouldn't be noticed until the end of the quarter. A
salami-slice attack only makes sense when the attacker intends to
remain undetected, so that the attack continues to operate
indefinitely.
The romantic picture of the hacker sitting at his terminal, day in and
day out, moving a few pennies here and there, may have a lot of
appeal, but it's not reality.
The crux of the Thomas's critique is: "Contrary to billing, there was
no evidence in the story, other than questionable rumor, of %hacker'
connection to organized crime." But, again, that isn't the point of
the story, which to me seemed to do a fairly reasonable (though
imperfect) job of distinguishing between the innocents who "just want
to hack" and the new "crims". The article does, however, warn that
the crims will have no compunctions about using the hackers, whether
by just showing up at hacker conventions to learn the latest tricks -
like every group, hackers think they can identify the "true" group
members who believe in the group's ideals, when in fact it's always
been trivially easy for those who are willing to lie to sneak in - or
by hiring hackers, with money, drugs, or whatever.
I don't know to what degree the rumors of the spread of the crims are
true. It makes SENSE that they would be true, and in certain cases
(particularly cellular telephone fraud) we have strong evidence. It's
naive to think that the hacker community or the hacker ethic is
somehow immune to the influence of criminal minds.
There was an explicit warning from some prosecuter quoted in the
article. What he said was that people are upset by the crimes, and
government is responding harshly, often against the wrong targets. No
one would be so stupid as to walk into a bank carrying a toy gun and
try to get money from a teller, intending to leave it at the door,
"just to test security". Yet hackers seem to believe that they can do
the same thing with a bank's computers. If there were no such thing
as real bank robbers, the toy gun game would be just fine; in the real
world, that's an excellent way to get shot - or sent to prison for
many years. As the crims become more active - and even if the current
stories are all baseless, they inevitably will, and sooner rather than
later - any hackers who don't adjust to the new reality will find
themselves in big trouble. Many's the idealist who's been lead by the
nose to help the dishonest - and it's usually the idealist who gets
stuck with the bills.
------------------------------
Date: Sat, 30 Jan 93 23:01:49 CST
From: Jim Thomas <cudigest@mindvox.phantom.com>
Subject: 2--Forbes, NPR, and a Response to Jerry Leichter
Jerry Leichter asks of our mutual reading of Forbes' Magazine's "The
Hacker Hood" article (see CuD #4.66): "Did we read the same words?"
Although his question is presumably rhetorical, and although we
normally do not respond to articles (even if critical), Jerry's
question and commentary raises too many issues to let pass. The answer
to his rhetorical question is: No, we did not read the same words. Not
only did we not read the same words in the Forbes piece, I'm not
certain that Jerry read the Forbes article with particular care, and
it's certain he did not read our response to it (or our oft-repeated
position on "computer deviance" over the years) with care. This would
be of little consequence except that he makes several false assertions
about my own background and he embodies an attitude that perpetuates
the kinds of misunderstandings that lead to questionable laws, law
enforcement, and misunderstanding among the public. Although Jerry
obviously wrote in passion and in good faith, his commentary again
raises the issues that we found disturbing in the Forbes piece. We
thank him for his post and for the opportunity to again address these
issues.
Jerry's criticism's of the Forbes' commentary can be divided into
three parts: 1) His perception of my naivete; 2) His disagreement with
our evaluation and interpretation of the Forbes writers and the
substance of the article; and 3) A disagreement over the nature and
extend of "hacker crime."
1. JERRY'S CRITICISMS OF THOMAS
Jerry's criticisms of me include several of sufficient magnitude that
they require a response. First, he claims that I'm apparently blinded
to objectivity because of a commitment to hacking:
>In general, Thomas's criticisms of McMemanim (sic) reveal him to
be >so personally involved with the "hacker culture" that he
>studies that he's protective of it - and blind to the
>possibility that the world may be bigger and nastier than he
>would like.
Had he claimed that I'm so involved in civil rights that I sometimes
lose objectivity, I might agree with him. However, even a cursory
reading of my response indicates that the criticisms of one of the
Forbes writers, Brigid McMenamin would reveal that the objections had
nothing to do with hackers or rights, but with journalistic ethics and
responsibility. Those with whom I spoke who were contacted by Ms.
McMenamin all reached an independent consensus about her methods,
"homework," and ability to write a factual story. Jerry counters with
no facts that would dispute any of the interpretations, but instead
seems to defend what some judged as incompetence. Is it not possible,
in Jerry's worldview, to question a reporter's methods, especially
when those methods seem troublesome to others who are experienced in
dealing with the press?
It's also unclear how Jerry interprets anything written by CuD editors
as "protective" of "hacker culture." My Forbes commentary was quite
clear: The issue isn't whether one supports of opposes "hacker
culture." It's simply whether we believe that a medium such as Forbes
should be committed to minimal standards of accuracy or whether we are
willing to accept broad assertions and innuendo that contribute to the
hysteria that feeds bad legislation and questionable law enforcement
tactics such as those occuring during the "hacker crackdown."
I also assure Jerry that, as a criminologist who has lived in and also
studied the nastiest criminal cultures, I recognize that segments of
the world are indeed big and nasty. I also recognize that nastiness is
not limited to the criminal segment of society. In the scheme of
things, even the worst of computer crime is generally not among the
worst offenses that one can commit. He seems unaware that the current
U.S. prison population hoovers around 900,000, and that it's
increasing by almost ten percent a year. Much of this increase is due
to "get tough" attitudes on crime in which an increasing number of
behaviors are criminalized, sanctions for crimes are increased, and
sentences imposed (and time served) grows longer. Jerry fails to
understand that the issue isn't simply "hackers," but rather what
constitutes an acceptable social response to new social offenses.
Jerry also implies that to criticize increased criminalization and to
oppose demonization for relatively mild offenses is naively
idealistic. Although he fails to provide a rationale for this claim,
it presumably stems from a view that sees advocates of civil rights
siding with criminals rather than victims. This, of course, is a false
argument. There is little, if any, evidence that civil rights
advocates side with criminals. Rather, they side with the rule of law
that, under our Constitution, guarantees protections to all people.
The Forbes article creates an image that, in a time of strong
opposition to civil rights, promotes inappropriately strong laws and
weaker protections of rights. If adhering to the Enlightenment
principles and Constitutional values on which our judicial (and
social) system were founded makes me a naive idealist, then I'm guilty
as charged. I find this a far more civilized stance than the
alternative.
2. JERRY'S CRITICISMS OF MY INTERPRETATION OF THE FORBES PIECE
Jerry "didn't particularly see 'hackers' as the focal point of the
story." The title and the narrative of the piece seemed quite clear:
"The Hacker Hoods?" Nearly every paragraph alluded to vague hacker
criminality or to specific people identified as criminal "hackers."
No, I do not think we did read the same words. If I had any lingering
doubts about Jerry's lack of thoroughness in reading the Forbes piece,
they were eliminated when I read his criticism of my commentary on the
"salami attack." The Forbes piece adduced as an example of a "hacker
crime" an unsupported story about a computer intruder who lopped a
penny or two from various accounts. Jerry thinks it odd that one
would question the veracity of the story and suggests that, contrary
to what I said, a hacker could easily do this in a few seconds with a
"big killing." He apparently failed to note that the story indicated
this was done by skimming "off a penny or so from each account. Once he
((the hacker)) had $200,000, he quit" (p. 186). Again, it seems we
didn't read the same words. The point wasn't whether this could be
done, but that the story was provided as "fact" with no corroboration.
In fact, neither the banking victim (Citibank) nor a nationally
recognized computer crime expert (Donn Parker) had knowledge of the
deed. As written in Forbes, the method does raise some skepticism, as
Jerry concedes:
>The romantic picture of the hacker sitting at his terminal,
>day in and day out, moving a few pennies here and there, may
>have a lot of appeal, but it's not reality.
Here we agree. Had he read the Forbes piece accurately, he would
see that this was precisely my point. The picture Jerry disputes is
the one drawn in the Forbes piece. It appears that he agrees with me:
The Forbes picture is not reality.
The issue here isn't that Jerry didn't read either the Forbes piece or
the commentary carefully. Rather, it's that his comments show how
easily even an otherwise informed reader can uncritically gloss over
material that doesn't conform to a preferred view. It's not that I
disagree with Jerry (or the Forbes piece). Rather, the issue at
stake lies in a fundamental difference over how material is to
be presented. In highly volatile topics, sensationalistic portrayals
strike me as irresponsible and reinforce attitudes that lead to
unacceptable social responses. The Forbes piece and Jerry's
uncritical acceptance of it contribute to what in past times were
called witch hunts. Jerry seems to find it odd that one would object
to claims being made without evidence:
>He ((Thomas)) criticizes the article for lack of
>evidence. He ((Thomas))'s right, but after all, this
>was a criminal enterprise, and the criminals weren't
>caught. Just what evidence would he expect?
Crimes are detected in two ways. First, the criminal is apprehended in
the act. Second, a victim reports the crime. As a criminologist, I've
been taught that however one measures crime, it is generally done
either by some combination of crimes known to police or by
victimization surveys. In an article ostensibly describing crime, I
would assume that there would be at least minimal evidence for the
hard core crimes attributed to "hackers". It's obvious Jerry and I
did not read the same words. Didn't he read Managing Editor Lawrence
Minard's introduction?
>While working with Bill Flanagan on the multibillion-dollar
>telephone toll fraud phenomenon (Forbes, Aug. 3), Brigid
>McMenamin was intrigued to find that organized crime was
>hiring young computer hackers to do some of their electronic
>dirty work.
This is a claim. Other claims are made in the article. It's not
unreasonable to expect at least minimal evidence for the claims made.
The story was not based on facts but on innuendo. The Forbes piece
was criticized *not* because it was in opposition to a preferred view
of a particular social group, but because it took a stigmatized group
and further demonized it by making claims without recourse to specific
cases.
3. WHAT'S AT STAKE IN THIS DISCUSSION
As I stated explicitly in my original Forbes commentary, the issue is
not whether "hackers" are portrayed to one's liking. The point is how
one creates images of groups or behaviors that lead to social stigma
and criminal sanctions. I judged the Forbes piece to grossly err on
the side of falsely dramatizing a label that has been misused, abused,
and used to create what many judge as inappropriate or chaotic laws.
If the Forbes piece were limited to identifying new types of computer
crime without attempting to exaggerate the link between "hackers" and
organized crime, and if it had been more factual, it would not have
been objectionable. If it had focused on computer delinquents and the
problems they cause by identifying explicit instances of security
transgressions, telephone abuse, or other identifiable behaviors, it
would have been less objectionable. Had it made a clear distinction
between the culture of "hackers," whether the old-guard explorer or
the newer nuisance and computer criminals who do use a computer to
prey (but are not "hackers"), it would have been less objectionable.
The Forbes piece did none of this. Instead, it distorted both
"hacking" and computer crime. The authors did nothing to clarify a
complex problem and did much to obscure it. There is computer crime?
Old news. Some hackers commit computer crimes? Old news. What is new
in the piece is that it implies a logic in which a) anyone adept at a
computer is a hacker; b) Computer criminals (by definition) are adept
at computers; c) Computer criminals are hackers.
Conclusion: Look out for the hackers!
Consider: Substitute the term "computer professionals" or "sys ads"
for "hackers." "Sys ad bullies?" "Sys ads learn to type and commit
crimes?" Computer criminals, by definition, have computer skills, and
to conflate all computer crime with "hacking" makes as much sense as
conflating computer criminals with any other label that captures the
imagination of a public that can't distinguish between the reality and
the simulacrum. In the Forbes piece, the symbol, "hackers," becomes an
abstract demon. Forbes employed its resources, which are considerable,
to produce a misleading piece that subverts the efforts of those who
attempt to balance fair laws and their application to civil liberties.
I doubt that Forbes' readers, over one million of them, were able to
ascertain the complexities of this delicate balance from the article.
The visibility of the Forbes article also put one author, William
Flanagan, in the public eye on a National Public Radio "Morning
Edition" segment (21 December, '92). Flanagan essentially repeated his
points from the article. When asked by reporter Renee Montagne "But
are we talking about computer hackers who've become criminals, or is
it criminals who've become computer hackers?" Flanagan responded:
It's--it's a bit of both actually. You really have three
categories. You have the--the sport hackers who used to
fool around and show off. They would go into a government
or a telephone company computer and pull out a sensitive
file and then show it off as a trophy. They really didn't
have too much malice in what they were doing other than the
anarchic thing that you will find among a lot of
late-teenage boys and--and it's mainly boys. But some of
them have been co-opted into it by the Mafia, by organized
crime. They give them money and drugs and they perform some
stunts for them like come up with telephone numbers. Then,
there are those who are larcenous to start with and--and who
have developed the techniques or have hired others to do it.
Then, the third category--and perhaps this is even the most
dangerous. It's people who have an awful lot of computer
knowledge and are suddenly out of work and are very angry
and have the capability of creating all kinds of mayhem or
stealing great deals of money.
Of course there are hackers who commit crimes, just as there are
systems administrators who commit crimes. But, in putting
together the beginnings of a data base on computer crime in
recent years, I have yet to come across a pointer to a Mafia-related
"hacker" case. The thinking reflected in Flanagan's commentary
resembles that of someone who's read one too many National Inquirer
articles or seen one too many Geraldo shows. It distorts the problem,
distorts possible solutions, and offers no new information.
When we distort the nature of the problem, we obstruct a solution.
Flanagan repeats the error of equating Robert T. Morris, of
"the Internet work" fame with "hackers." The reporter notes that
he was given probation, and asks, "What about now?"
Flanagan: He would be in jail and I guarantee you, his
father's connections wouldn't have helped him in this day
and age.
Montagne: His father was...
Flanagan: Was a high government official I think with the
FTC. Throughout most of the '80s when these kids were
caught, they would be given a rap on the knuckles and there
was a widespread belief that all they had to do was to tell
law enforcement or tell the telephone company how they did
something and to give up that information or maybe give up
the names of some of their friends, and they'd be let go.
But that's not the case any more.
Now, it's a seemingly minor error to assume that Morris's father's
connections helped him, a claim for which there's no evidence. It's
also relatively minor that a detail such as linking Morris' father to
the FTC was wrong (the senior Morris was a computer security expert
who was the chief scientist at the NSA's National Computer Security
Center). It's also a minor quibble that Flanagan thinks that three
years probation, a $10,000 fine, 400 of community service and almost
$150,000 in legal fees is a light punishment. But, in the aggregate,
these errors indicate that Flanagan, speaking as an "expert" on the
issues of hacking and computer crime, doesn't know his subject. His
pronouncements have a high profile: If it's in Forbes *and* on NPR, it