==Phrack Inc.==

Volume Three, Issue Thirty-five, File 11 of 13

PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN
PWN                                             PWN
PWN              Phrack World News              PWN
PWN                                             PWN
PWN            Issue XXXV / Part Two            PWN
PWN                                             PWN
PWN            Compiled by Dispater             PWN
PWN                                             PWN
PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN

Justice Revs Up Battle On Computer Crime          October 7, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Michael Alexander (ComputerWorld)(Page 4)

Washington D.C. -- The nation's top federal computer crime law enforcers announced plans to escalate the war on computer crime.

At the federal government's 14th National Computer Security Conference held in Washington D.C., officials at the U.S. Department of Justice said the department is launching a computer crime unit that will be charged with prosecuting crimes and pushing for stiffer penalties for convicted computer outlaws.

"Computer crime is on the rise, and the Justice Department is taking this area very seriously -- as well as the FBI, U.S. Secret Service, and the military," said Mary Spearing, chief of general litigation and legal advice in the criminal division at the Justice Department.

The new crime unit will also advocate closing loopholes in the government's computer crime statute. The Computer Fraud & Abuse Act of 1986 "is outmoded and outdated," said Scott Charney, a computer crime prosecutor and chief of the new computer crime unit.

The Justice Department wants to amend the law with a provision that would make inserting a virus or worm into a computer system a crime, Charney said.

Those convicted of computer crimes will more often be sentenced according to federal guidelines rather than on recommendation of prosecutors, who may ask for lighter penalties, said Mark Rasch, the government's attorney who prosecuted Robert Morris in the infamous Internet worm case.

A new Justice Department policy now mandates that all defendants will be treated equally, without regard for personal history or other factors that might mitigate stiffer sentences, Rasch said.

"The penalties for computer crime will become increasingly more severe," predicted Kent Alexander, assistant U.S. attorney in Atlanta <prosecutor of the Atlanta members of the Legion of Doom>. "In five years, they are going to look back and think a year in jail was a light sentence."

The FBI is "staffing up to address concerns about computer crimes" and increasing its training efforts, said Mike Gibbons, FBI supervisory special agent <who worked on both the Morris and the Clifford Stoll KGB hackers cases>.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Supreme Court Refuses Morris Appeal          October 14, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Michael Alexander (ComputerWorld)(Page 14)

Washington, D.C. -- The U.S. Supreme Court refused without comment to hear Robert T. Morris' appeal last week, ending a legal journey that began nearly three years ago when he injected a worm into the Internet network.

While the trek is over for Morris, there remain serious questions about the Computer Fraud and Abuse Act of 1986, the statute under which he was prosecuted.

The refusal to review the Morris case leaves intact a "bone breaker" law that could transform otherwise law-abiding computer users into felons and inhibit the creative uses of computer technology according to Thomas Viles, an attorney at the Silverglate & Good law firm in Boston. Viles authored a friend of the court brief in the Morris appeal on behalf of the Electronic Frontier Foundation.

Some legal experts worry that computer users who enter a computer system without authorization, either unwittingly or with the intention of merely looking around, could be given penalties that are overly severe.

"A single computer entry is of an entirely different order than the destruction of data or the intentional alteration of data, just as simple trespass is pretty minor stuff compared to vandalism or burglary," Viles said. "Now if people whose livelihoods depend on computers get into somebody else's computer without authorization, they could be in Leavenworth for five years."

The Morris appeal boiled down to the critical question of whether he intended to cause the harm that ensued after he set loose his ill-conceived computer program on November 2, 1988.

In 1990, a federal judge in Syracuse, New York ruled that it was not necessary for the government to prove that Morris intended to cause harm, only that Morris intended to access computers with authorization or to exceed authorization that he may have had. Earlier this year a federal appeals court upheld Morris' May 1990 conviction under which he received three years probation, a $10,000 fine, and 400 hours of community service.

That affirmation goes against the widely accepted tenet that an injury can amount to a crime only when deliberately intended, Viles said. "The law distinguishes, say, between murder and manslaughter. You can't be guilty of murder if the killing was utterly accidental and unintended."

A General Accounting Office (GAO) report released in 1989 noted other flaws in the federal computer statute. While the law makes it a felony to access a computer without authorization, the law does not define what is meant by "access" or "authorization," the GAO reported.

UPDATING THE LAW

U.S. Department of Justice Officials recently acknowledged that the Computer Fraud and Abuse Act is outdated and noted that it should be refined <see Justice Revs Up Battle On Computer Crime (the previous article)>.

Scott Charney, chief of the Justice Department's newly created computer crime unit, said the department will lobby to fortify the law with provisions that would outlaw releasing viruses and worms and make it a felony to access a computer without authorization and cause damage through reckless behavior.

Trespassing into a computer is more serious than it may appear at first glance, Charney said. "It is not easy to determine what happened, whether there was damage, how safe the system now is or what the intruder's motives were."

Some legal experts said they believe the law is already overly broad and do not advocate expanding it with new provisions.

"It is a far-reaching law, whose boundaries are still not known," said Marc Rotenberg, an attorney and director of the Washington, D.C. office of Computer Professionals for Social Responsibility.

"The way I read the law is, the Justice Department has everything it needs and more," he said. "After the Morris decisions, if you sneeze, you could be indicted."

The Morris case pointed out deficiencies in the law that have resulted from technology's rapid advance, said Thomas Guidoboni, the Washington, D.C.-based attorney who defended Morris.

Neither Guidoboni nor Morris were surprised by the Supreme Court's refusal to hear his appeal, according to Guidoboni. "Robert's case had a particular problem in that it was the first one involving the 1986 act. They like to take cases after the circuit courts had had some chance to play with them and see if there is a disagreement."

Morris is working as a computer programmer in Cambridge, Massachusetts for a company that "knows who he is and what he's done," Guidoboni said. He declined to identify the company.

<Editor's Note: Morris was actually the SECOND person to be tried under the 1986 Computer Fraud and Abuse Act. The first person was Herbert Zinn, Jr. a/k/a Shadow Hawk of Chicago, Illinois, who was convicted in 1989 in a prosecution led by William Cook, a now former assistant U.S. attorney whose name most of you should recognize from the Craig Neidorf (Knight Lightning) and Lynn Doucette (Kyrie) cases.

Zinn was tried as a minor and therefore in a bench trial before a sole judge. Morris is the first person to be tried under the Act in front of a jury. Zinn's conviction earned him 10 months in a juvenile prison facility in South Dakota, a fine of $10,000, and an additional 2 1/2 years of probation that began after his prison term ended.

For additional information about the Shadow Hawk case, please read "Shadow Hawk Gets Prison Term," which appeared in Phrack World News, Issue 24, Part 2.>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Justice Unit Spurred On By Cross-Border Hackers          October 21, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Michael Alexander (ComputerWorld)(Page 6)

Washington D.C. -- The U.S. Department of Justice's formal launch of a computer crime unit was prompted largely by an alarming rise in computer invasions that traverse geographic and jurisdictional boundaries, according to a top Justice Department official.

Robert Mueller III, assistant U.S. attorney general, said the Justice Department needs to be better prepared to prosecute computer criminals. He is one of the architects of a five-person unit recently established by the Justice Department expressly to combat computer crime.

"One of the principal functions of the unit is to anticipate areas where federal, state, and local law enforcement will have to expend resources in the future," Mueller said. "One that comes immediately to our attention is crime related to computers used as a target as in The Cuckoo's Egg."

He was referring to author Clifford Stoll's account of how he tracked West German hackers who penetrated U.S. computers for the KGB in exchange for cash and cocaine.

Increasingly, computer crimes cut across state and international boundaries, making them difficult to investigate because of jurisdictional limits and differing laws, Mueller said.

The computer crime unit will be charged with coordinating the efforts of U.S. attorneys general nationwide during investigations of crimes that may have been committed by individuals in several states.

One of the unit's first assignments will be to take a pivotal role in OPERATION SUN-DEVIL, last year's much-publicized roundup of computer hackers in several states. That investigation is still under way, although no arrests have resulted, Justice Department officials said.

The unit will coordinate efforts with foreign law enforcers to prosecute hackers who enter U.S. computer systems from abroad while also working to promote greater cooperation in prosecuting computer criminals according to Mueller.

The unit will also assist in investigations when computers are used as a tool of a crime -- for example, when a computer is used to divert electronically transferred funds -- and when computers are incidental to a crime, such as when a money launderer uses a computer to store records of illegal activities, Mueller said.

"There have been many publicized cases involving people illegally accessing computers, from phone phreaks to hackers trying to take military information," said Scott Charney, chief of the new computer unit. "Those cases have high importance to us because any time that computers are the target of an offense, the social cost is very high. If you bring down the Internet and cripple 6,000 machines and inconvenience thousands of users, there is a high social cost to that type of activity."

The computer crime unit will also work to promote closer cooperation between the Justice Department and businesses that have been the victims of computer crime, Charney said.

Law enforcers are better trained and more knowledgeable in investigating and prosecuting computer crimes, Charney said. "Businesses need not be concerned that we are going to come in, remove all of their computers, and shut their businesses down. FBI and Secret Service agents can go in and talk to the victim in a language they understand and get the information they need with a minimum amount of intrusion."

<Editor's Note: "Businesses need not be concerned that we are going to come in, remove all of their computers, and shut their businesses down." Excuse me, but I think STEVE JACKSON GAMES in Austin, Texas might disagree with that statement. Mr. Charney -- Perhaps you should issue an apology!>

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

V I E W P O I N T

Let's Look Before We Legislate          October 21, 1991
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Marc Rotenberg (ComputerWorld)(Page 25)

"Laws Are Adequate To Handle Computer Crime -- 'Net Police' Not Needed"

The U.S. Department of Justice is now circulating a proposal to expand the reach of federal computer crime law. On first pass, this might seem a sensible response to concerns about computer crime. The reality, however, is that the current federal law is more than adequate and the Justice Department proposal is poorly conceived.

The Justice Department proposal will give federal agencies broad authority to investigate computer crime, allowing them to intercede in any situations involving a computer hooked to a network. Creating a worm or virus could become a felony act, no questions asked. Espionage laws would be broadened and intent requirements would be lowered. Certain procedural safeguards would be removed from existing law.

CURRENT LAW ADEQUATE

Taken as a whole, the proposal will make it possible for the federal government to prosecute many more computer crimes, but the question is whether this additional authority will improve computer security.

Between the current federal statute, the Morris decision, and the sentencing guidelines, federal prosecutors already have more than enough tools to prosecute computer crime.

Under the Computer Fraud & Abuse Act, passed in 1984 and amended in 1986, the unauthorized use of a computer system is a felony. Though the act does not define what "authorization" is or how it is obtained, a person found guilty faces up to five years in jail and fines of $250,000. It is a far-reaching law whose boundaries are still not known.

THE MORRIS FACTOR

The Morris case strengthened the hand of federal prosecutors still further. The judge ruled that it was not necessary for the government to prove that Morris intended the harm that resulted when the worm was released, only that he intended unauthorized use when he did what he did.

From a common law viewpoint, that's a surprising result. Traditional criminal law distinguishes between trespass, burglary, and arson. In trespass, which is a misdemeanor, the offense is entering onto someone else's property. Burglary is simple theft and arson is destruction. To punish a trespasser as an arsonist is to presume an intent that may not exist.

A federal appeals court affirmed the Morris decision, and the Supreme Court has refused to hear his appeal, so now the computer crime statute is essentially a trip-wire law. The government only has to show that the entry was unauthorized -- not that any resulting harm was intentional.

There is another aspect of the Morris case that should be clearly understood. Some people were surprised that Morris served no time and jumped to the conclusion that sentencing provisions for this type of offense were insufficient. In fact, under the existing federal sentencing guidelines, Morris could easily have received two years in jail.

The judge in Syracuse, New York, considered that Morris was a first-time offender, had no criminal record, was unlikely to commit a crime in the future, and, not unreasonably, decided that community service and a stiff fine were appropriate.

To "depart" as the judge did from the recommended sentence was unusual. Most judges follow the guidelines and many depart upwards.

That said, if the Department of Justice persists in its efforts, there are at least three other issues that should be explored.

UNANSWERED QUESTIONS

First there is the question of whether it is sensible to expand the authority of federal agents at the expense of local police and state government. If theft from a cash register is routinely prosecuted by local police, why should the FBI be called in if the cash register is a computer? What will happen to the ability of state government to tailor their laws to their particular needs? Do we really want "Net Police"?

There is also the need to explore the government's performance in recent computer crime investigations before granting new powers. For example, the botched Operation Sun-Devil raid, which involved almost one quarter of all Secret Service agents, resulted in hardly a conviction. (A good cop could have done better in a night's work.) In a related investigation, Steve Jackson, the operator of a game business in Texas was nearly forced out of business by a poorly conceived raid.

In fact, documents just released to Computer Professionals for Social Responsibility by the Secret Service under the Freedom of Information Act raise substantial questions about the conduct, scope, and purpose of Operation Sun-Devil investigations. They reveal, for example, that the Secret Service monitored and downloaded information from a variety of on-line newsletters and conferences.

A congressional hearing to assess Operation Sun-Devil would certainly be in order before granting federal officials new powers.

PROTECTION OF RIGHTS

Finally we should not rush to create new criminal sanctions without fully recognizing the important civil liberties interests in information technologies, such as the rights of privacy and free expression. There are, for example, laws that recognize a special First Amendment interest in newsroom searches. But no case has yet made clear the important principle that similar protections should be extended to computer bulletin boards. New criminal sanctions without necessary procedural safeguards throw off an important balance in the criminal justice system.

Expanding the reach of federal law might sound good to many people who are concerned about computer crime, but broadening criminal law is always double-edged. Could you prove to a court that you have never used a computer in an "unauthorized" manner?

<Editor's Note: Marc Rotenberg is the Director of the Washington office of Computer Professionals for Social Responsibility and he has testified in both the House of Representatives and the Senate on computer crime legislation.>
_______________________________________________________________________________

PWN Quicknotes
~~~~~~~~~~~~~

1. Operation Sun-Devil Scope Emerges (ComputerWorld, 10/14/91, page 119) -- The Computer Professionals for Social Responsibility (CPSR), an advocacy group, received more than 2,400 documents from the U.S. Secret Service under the Freedom of Information Act. The documents relate to Operation Sun-Devil, last year's nationwide dragnet through the hacker underground. An early look at the documents reveals that the scope of the operation was considerably broader than the U.S. Secret Service has admitted, said Marc Rotenberg, director of CPSR's Washington, D.C. office. CPSR will soon hold a press conference to discuss the findings, he added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2. 6 Police Employees Probed for Wiretaps (Washington Post/AP, 10/24/91, page A4) -- Jefferson City, Missouri -- Missouri's Highway Patrol is investigating six employees implicated in three illegal wiretaps, officials said.

The wiretaps were "stupid" and were intended to "gain personal information in an effort to supervise subordinates," said Colonel C.E. 'Mel' Fisher, the patrol's chief.

Fisher said that six employees are on administrative leave without pay after a two-month internal investigation confirmed conversations were recorded at patrol headquarters and at a troop office in Kirkwood, Missouri.

Fisher did not identify the employees, who face hearings that could lead to possible penalties ranging from a written reprimand to dismissal. It is a federal felony to conduct an illegal wiretap. He said the FBI investigated the wiretaps.

Major Bobby G. Gibson, chief of the patrol's Criminal Investigation Bureau, in which two of the wiretaps occurred, committed suicide on October 9, 1991. He was among five defendants in a $7 million federal lawsuit filed recently by a black patrolman, Corporal Oliver Dixon, who alleged he had been wiretapped and denied promotions because of his race. All of the defendants, including Fisher, are white.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

3. Patrick Townson, the moderator of the Internet's Telecom Digest (comp.dcom.telecom) was less than pleased when an unknown person placed Phrack 34 into alt.dcom.telecom. Townson consistently preaches about the evils of hacking, but we know that he did not learn everything he knows about telecommunications in the classroom. See you after World War Three Pat! We know who you are, we know who you WERE and we know what crimes you have committed in the realm of telecommunications. We're anxious to talk some more with you about this in the near future.

See below:

"I assume you saw the stuff which was left in alt.dcom.telecom today: A whole series of messages telling how to break into several voicemail systems; how to break into the MILNET; a program designed to discover passwords; and other obnoxious files. All of them were left by the same anonymous user at the same non-existent site. Siemens Medical Systems (one of the victims in the theft-of-voicemail-services tutorial in alt.dcom.telecom today) has been notified that their 800 number link to voicemail is now under attack, and given the box number involved. Like cockroaches, you can stomp on those people all you like; they seem to survive. One person has said in the event of WW-3, the only species to survive will be the cockroaches and the hackerphreaks. Good socially responsible computing, that's what it is! PAT"
_______________________________________________________________________________

4. The existence of back issues of Phrack Inc. found in a user's home directory was enough for a system administrator at Tufts University in Massachusetts to revoke a user's account. Michael Godwin, an attorney for the Electronic Frontier Foundation went to bat for this individual and succeeded in restoring the user's account. The incident prompted the following response by a reader of Telecom Digest (comp.dcom.telecom):

On Oct 19 at 11:51, TELECOM Moderator writes:

> Is it easier and more pragmatic for a
> system administrator to answer to his/her superiors regarding files at
> the site which harassed or defrauded some third party (ie. telco) or
> to simply remove the files and/or discontinue the feed" PAT]

But this requires a judgment call on the part of the system administrator, does it not? Most of the system administrators that I know are too busy administering the system to worry about this file or that feed, except perhaps as it relates to traffic volume or disk space consumed.

Will we ever get to the point where those in charge will stop dreaming of practicing mind control? I am so sick of those who are paranoid that someone somewhere may actually express an uncontrolled thought or idea to someone else.

Ah, the advantages of owning one's own UUCP site ...
_______________________________________________________________________________

5. The National Public Network Begins Now. You Can Help Build it.

Telecommunications in the United States is at a crossroads. With the Regional Bell Operating Companies now free to provide content, the shape of the information networking is about to be irrevocably altered. But will that network be the open, accessible, affordable network that the American public needs? You can help decide this question.

The Electronic Frontier Foundation recently presented a plan to Congress calling for the immediate deployment of a national network based on existing ISDN technology, accessible to anyone with a telephone connection, and priced like local voice service. We believe deployment of such a platform will spur the development of innovative new information services, and maximize freedom, competitiveness, and civil liberties throughout the nation.

The EFF is testifying before Congress and the FCC; making presentations to public utility commissions from Massachusetts to California; and meeting with representatives from telephone companies, publishers, consumer advocates, and other stakeholders in the telecommunications policy debate.

The EFF believes that participants on the Internet, as pioneers on the electronic frontier, need to have their voices heard at this critical moment.

To automatically receive a description of the platform and details, send mail to archive-server@eff.org, with the following line:

send documents open-platform-overview

or send mail to eff@eff.org.
_______________________________________________________________________________

6. The September/October 1991 issue of The Humanist has a cover story regarding Cyberspace, rights and freedoms on nets such as Usenet, and makes reference to Craig Neidorf, Jolnet, Prodigy and other matters.
_______________________________________________________________________________

7. A Virginia Beach restaurateur plead guilty to illegally taping a telephone call by Governor L. Douglas Wilder and said he arranged for the tape to be delivered to the staff of Senator Charles Robb, D-Va., hoping it would be damaging to Wilder and politically helpful to Robb. Robert Dunnington, a onetime social companion of Robb's, admitted in federal court that he intercepted a 1988 car phone call by then-Lt. Governor Wilder as part of his hobby of monitoring and recording cellular calls. From February 1988 to October 1990, Dunnington overheard and taped hundreds of calls and, his attorney said, it was "just happenstance" that Wilder's call was picked up. (Washington Post)
_______________________________________________________________________________

8. A Federal District Judge in New York ruled that a computer-network company is not legally liable for the contents of information it disseminates. While the decision could be influential because it tackles free speech on an electronic network, it is not clear how the ruling would affect bulletin boards on which users add comments. The decision concerned an electronic gossip column carried by CompuServe. In the decision, the judge stated "CompuServe has no more editorial control over such a publication than does a public library, bookstore or newsstand, and it would be no more feasible for CompuServe to examine every publication it carries for potentially defamatory statements than it would be for any other distributor to do so." (Wall Street Journal, October 31, 1991)
_______________________________________________________________________________