Computer Underground Digest Vol. 04 Issue 06
Computer underground Digest Mon, Feb 10, 1992 Volume 4 : Issue 06
Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Associate Moderator: Etaion Shrdlu
CONTENTS, #4.06 (Feb 10, 1992)
File 1: Bust of "NotSoHumble Babe" / USA
File 2: Keystone Stormtroopers
File 3: Fine for "Logic Bomber"
File 4: Re: Newsbytes on the Oregon BBS Rates Case
File 5: Calif. "Privacy [& Computer Crime] Act of 1992"
File 6: DIAC-92 Workshop Call for Participation and Workshop Guidelines
Issues of CuD can be found in the Usenet alt.society.cu-digest news
group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG,
and DL0 and DL12 of TELECOM, on Genie, on the PC-EXEC BBS at (414)
789-4210, and by anonymous ftp from ftp.cs.widener.edu (147.31.254.132),
chsun1.spc.uchicago.edu, and ftp.ee.mu.oz.au. To use the U. of
Chicago email server, send mail with the subject "help" (without the
quotes) to archive-server@chsun1.spc.uchicago.edu.
NOTE: THE WIDENER SITE IS TEMPORARILY RE-ORGANIZING AND IS CURRENTLY
DIFFICULT TO ACCESS. FTP-ERS SHOULD USE THE ALTERNATE FTP SITES UNTIL
FURTHER NOTICE.
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted as long as the source
is cited. Some authors do copyright their material, and they should
be contacted for reprint permission. It is assumed that non-personal
mail to the moderators may be reprinted unless otherwise specified.
Readers are encouraged to submit reasoned articles relating to the
Computer Underground. Articles are preferred to short responses.
Please avoid quoting previous posts unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
----------------------------------------------------------------------
Date: 8 Feb 92 17:31:39 CST
From: Moderators (tk0jut2@mvs.niu.edu)
Subject: File 1--Bust of "NotSoHumble Babe" / USA
The recent busts of three persons in the Detroit and Los Angeles areas
for alleged carding, theft, software copyright violations and fraud
raise a number of issues of CU relevance. Because of misinformation
circulating on the nature of the case, we summarize what we know of it
below. "Amy" (handle: "NotSoHumble Babe") was busted on her birthday,
and is not untypical of many CU types, so we focus on her.
1. "Amy" was busted on Jan 30, in Farmington Hills (Mi), by local,
state, and federal agents. There were reportedly up to 20 agents.
The large number was because there were several from each
department, including the FBI, SecServ, Mi State police, and
others. They reportedly showed no warrant, but knocked on the door
and asked if they could come in. When "Amy" said "yes," they burst
(rather than calmly entered) with weapons, including
"semi-automatics." Her boyfriend was reportedly asleep, and the
agents awakened him with a gun to his head. The agent in charge
was Tony Alvarez of the Detroit SecServ.
2. There has been no indictment, but the agents indicated that charges
would include theft, fraud, and copyright violations (software
piracy and carding). The initial figure given was a combined $20,00
for the three ("Amy," "Tom," and "Mike").
3. All equipment was confiscated, including "every scrap of paper in
the house." She was informed that, whatever the outcome of the case,
she would not receive the equipment back and that it would be kept
for "internal use."
The above account differs dramatically from one given by "anonymous"
in "Phantasy #6," which was a diatribe against the three for
"ratting." However, the above account seems fairly reliable, judging
from a news account and a source close to the incident.
"Amy" is 27, and reported to be the head of USA (United Software
Alliance), which is considered by some to be the current top
"cracking" group in the country. If memory serves, "ENTERPRISE BBS"
was the USA homeboard. She was questioned for about 10 hours, and
"cooperated." She has, as of Saturday (Feb 9) *not* yet talked to an
attorney, although she was put in contact with one late Saturday. The
prosecutor in Oakland County is the same one who is prosecuting Dr.
Kevorkian (of "suicide machine" fame). He has a reputation as
excessively harsh, and his demeanor in television interviews does not
contradict this.
The other two defendants, "Mike/The Grim Reaper," and "Tom/Genesis"
are from the Detroit and Los Angeles areas.
What are the issues relevant for us?
My own radiclib concern is with over-criminalization created by
imposing a label onto a variety of disparate behaviors and then
invoking the full weight of the system against the label instead of
the behaviors. It is fully possible to oppose the behaviors while
recognizing that the current method of labelling, processing, and
punishment may not be wise. Len Rose provides an example of how
unacceptable but relatively benign behaviors lead to excessive
punishment. This, however, is a broader social issue of which
computer-related crimes is simply a symptom.
Of more direct relevance:
1. It appears that the continued use of massive force and weaponry
continues. We've discussed this before in alluding to cases in New
York, Illinois, Texas, and California. The video tape of the bust
of the "Hollywood Hacker" resembles a Miami Vice episode: A
middle-aged guy is confronted with an army of yelling weapons with
guns drawn charging through the door. Others on the board have
reported incidences of being met with a shotgun while stepping out
of the shower, a gun to the head while in bed, and (my favorite) a
15 year old kid busted while working on his computer and the
agent-in-charge put her gun to his head and reportedly said, "touch
that keyboard and die." The use of such force in this type of bust
is simply unacceptable because of the potential danger (especially
in multi-jurisdictional busts, which reduces the precision of
coordination) of accidental violence.
2. Until indictments and supporting evidence are made public, we
cannot be sure what occurred. But, it seems clear that, for
"Amy" at least, we are not dealing with a major felon. Carding is
obviously wrong, but I doubt that, in situations such as this,
heavy-duty felony charges are required to "teach a lesson," "set
an example," and re-channel behavior into more productive outlets.
3. We can continue to debate the legal and ethical implications of
software piracy. There is a continuum from useful and fully
justifiable "creative sharing" to heavy-duty predatory rip-off for
profit. This case seems to be the former rather than the latter.
There is no sound reason for treating extreme cases alike.
4. We should all be concerned about how LE frames and dramatizes such
cases for public consumption. The Farmington newspaper gave it
major coverage as a national crime of immense proportions. We
should all be concerned about how piracy cases are handled, because
even extreme cases have implications for minor ones. Does
possession of an unauthorized copy of Aldus Pagemaker and Harvard
Graphics, collectively worth more than $1,000, really constitute a
major "theft"? We have seen from the cases of Len and Craig how
evaluation of a product is inflated to justify indictments that
look serious but in fact are not.
I'm not sure what purpose it serves to simply assert that people--even
if guilty of carding or piracy--should "get what's coming to them"
without reflecting on what it is they get and why. The issue isn't
one of coddling or protecting "criminals," but to examine more
carefully what kinds of computer-related crimes should be
criminalized, which should be torts, and which should be accepted as
minor nuisances and--if not ignored--at least not criminalized.
To give the dead horse one last kick: I am not arguing that we condone
behaviors. I am only suggesting that we reflect more carefully on how
we respond to such behaviors. I do not know the circumstances of "Tom"
and "Mike," but "Amy's" case raises many issues we can address without
condoning the behavior.
------------------------------
Date: Mon, 20 Jan 92 07:56 EST
From: "Michael E. Marotta" <MERCURY@LCC.EDU>
Subject: File 2--Keystone Stormtroopers
GRID News. ISSN 1054-9315. vol 3 nu 3 January 19, 1992.
World GRID Association, P. O. Box 15061, Lansing, MI 48901 USA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(74 lines) SPA: Jackboot Fascists or Keystone Kops?
(C) 1992 by Michael E. Marotta
Suddenly the doors burst open! US marshals take the Acme Inc.,
employees by surprise!! "Nobody move! Keep your hands away from
those keyboards!" yells the copper. "Oh my gosh! It's the SPA!!"
"Quick stash the disks!!" This 50s cartoon is the cover story of
the June 17, 1991 issue of Information Week, "The Software
Police." Inside is the story of the Software Publishers Association.
There is nothing laughable about the $90,000 paid to SPA by
IPL, the $100,000 paid by Entrix, the $17,500 paid by Healthline,
the $350,000 paid by Parametrix. At SnapOn Tools, three US
Marshals and an SPAer spent two days going through every one of
280 PCs with their special audit package. Then the burden of proof
shifted to SnapOn to produce purchase orders, manuals, invoices
and asset tags.
"GOVERN-MENTALITY" The SPA claims a staff of 18 to 23 and a
budget of $3.8 million. I had to call three times to get the free
audit program, SPAudit. They also offer to sell a video "It's
Just Not Worth the Risk" for $10 but my three voicemail requests
(Nov, Dec 91 & Jan 92) for this tape were not answered.
People with govern-mentality are below norm and the program
SPAudit underscores this fact.
First of all, the README file was created with WordPerfect 5.
Using LIST or TYPE gets you ascii garbage and uneven formatting
amid the text. If you want to view the README file, the
instructions tell you:
A) To display on screen type TYPE A:README:MORE
which is bad documentation and doesn't work. Hardcopy reveals the
same problems and when you get to the bottom of the page, you find
that the last few lines print over each other. Apparently, the
typist used the cursor keys to position the text, because it lacks
some necessary LFs (ascii 0A).
I created four dummy files 123.EXE, MSDOS.SYS, PROCOMM.EXE and
SK.COM which are found in the PIF.TXT file of over 600 software
names. The files I created said:
"The problem of copyright looks somewhat different the moment one
accepts copying technology as uncontrollable." Michael Crichton.
Then I made more copies at lower directory levels. SPAudit
was indeed able to search down eight directory sublevels to find
copies. However, when I went to print these, the program produced
ascii garbage. It failed on
C:%123%MIKE%ANOTHER%DEEPER%NEMO%PLUTO%CHIRON%DANTE%ORPHEUS being
unable to print beyond %NEMO.
Overall, the SPA proves itself unable to manage PC technology.
This lack of quality is not surprising. No matter how much you
pay for software, you know that the seller "makes no claim of
merchantability or fitness for a particular use..." and won't be
liable for "direct, indirect, special, incidental or consequential
damages arising out of the use or inability to use the software or
documentation." That is the disclaimer which comes with SPAudit.
"CATCH-22" Following SPAudit guidelines means that you can't
have more than one copy of a program on one computer. Also, all
of the CARMEN SANDIEGO games run from CARMEN.EXE. The audit
thinks it is looking for EUROPE but will also trip on WORLD, and
TIME, etc., meaning that you can get busted for buying more than
one CARMEN, a catch-22.
Also, there should be some confusion over dBase, which is no
longer an Ashton-Tate but a Borland product. More importantly, US
District judge Terrence Hatter, Jr., ruled in late 1990 that the
copyright on dBase was voided by their not revealing that it is a
clone of a public domain program from JPL.
Again, consider the case of SnapOn Tools. The SPA used their
defective software to disrupt a business for two days -- and they
have the nerve to call other people pirates.
(GRID News is FREQable from 1:159/450, the Beam Rider BBS)
------------------------------
Date: 27 Jan 92 18:48:35 EST
From: Gordon Meyer <72307.1502@COMPUSERVE.COM>
Subject: File 3--Fine for "Logic Bomber"
"Logic Bomb Programmer Fined"
(Reprinted with permission from STReport 8.04 Jan 24, 1992)
Michael John Lauffenburger, a 31-year-old programmer formerly with
General Dynamics, pleaded guilty Nov. 4 to attempted computer
tampering. He has been fined $5,000, handed three years' probation
and was ordered to perform 200 hours of community service for
attempting to sabotage computers with a "logic bomb" that prosecutors
say could have erased national security data.
According to reports, Lauffenburger set up the logic bomb, then
resigned, intending to get hired on as high-priced consultant to help
reconstruct the data lost from the billion-dollar Atlas Missile Space
Program when the virus was unleashed. A co-worker accidentally
discovered the rogue program in early May. It had been set to go off
May 24. Investigators said at the time the bomb would have caused
about $100,000 in damage to computer systems at the Kearny Mesa
plant.
------------------------------
Date: Fri, 07 Feb 92 06:10:49 PST
From: walter@HALCYON.COM(Walter Scott)
Subject: File 4--Re: Newsbytes on the Oregon BBS Rates Case
On 2-5-92, reporter Dana Blankenhorn released a copyrighted exclusive
story for Wendy Wood's Newsbytes covering the Oregon BBS rates case.
What follows is an abstract of that story.
Blankenhorn writes: "US West has launched a campaign before the Oregon
Public Utility Commission which would force all bulletin board systems
(BBSs) in that state to pay business rates on their phone lines." The
Newsbytes exclusive also asserts that US West "wants the Oregon PUC to
reinterpret its tariff so as to define any phone not answered by a
human voice as a business line."
Blankenhorn quotes extensively from an apparent interview with SysOp
Stewart Anthony Wagner while summarizing the chronology of events in
the case. Some folks here might find the chronology and alleged facts
to be a bit different from what has been reported in the past.
According to Blankenhorn, Portland, Oregon SysOp Tony Wagner attempted
to subscribe to extra phone lines so as to expand his BBS from 2 lines
to 4, as well as make arrangements for a TDD. It was at this point
Wagner was informed he would have to pay business rates on all lines
by US West. According to Blankenhorn, US West relented on the voice
and TDD lines while maintaining that the BBS lines would have to be
classified as business lines. Wagner filed what Blankenhorn calls an
"appeal" at the Oregon PUC "for the BBS".
Wagner is reported to have closed his BBS almost immediately because
he "can't afford it" at business rates, which Blankenhorn states to be
around $50 (presumably per month) on each line. Before closing his
system, Wagner says he alerted regional SysOps via FidoNet to his
plight. Wagner points out that some SysOps chipped in to pay for a
lawyer. Blankenhorn quotes Wagner on a so-called "compromise proposal"
that "they (US West) come up with a residential data line rate, as an
alternate form of service." Wagner's proposal apparently included a
guarantee of data quality at a rate that Wagner seems to assess at
$5.00 above standard residential rates. Wagner asserts the proposal
was rejected.
Wagner's comments on the hearing display optimism as he offers the
thought that "the hearing went quite well. The tariff says a
residential line is for social or domestic purpose. They ignored the
social, they talked only about domestic. The BBS is as social as you
can get."
In a series of quotes from Wagner on what he believes US West is
doing, a grim picture is painted for more than BBS operators. For
example: Wagner states "there is no question they want to apply this
to all SysOps. Their position is that if it's not answered by a human
voice, it's a business. A fax machine is a business, to them. So's an
answering machine."
Wagner spoke of what he might consider a silver lining in his cloudy
future as a SysOp when he told Blankenhorn that publicity must be bad
for US West. He reinforces this idea by noting "one thing that hurt
them (US West) badly was that they picked on me. I'm very hard of
hearing. Most of my users are disabled. A large percentage of our
SysOps here are disabled. And Mr. Holmes (US West's attorney in the
Wagner case) was unprepared for that."
Blankenhorn talked with Judith Legg in the hearings section at the
Oregon Public Utility Commission concerning the Wagner Case. He
reports Legg told him "a hearing was held on the case in January, and
US West has already submitted a 17-page brief supporting its
position." Hearings Officer Simon Fitch was attributed as informing
Newsbytes that Wagner "has until March 3 to file his own brief, after
which reply briefs will be sought from both sides." Fitch is also
reported to have said a decision in the case is due in late March or
early April with final oversight from the Commissioners.
Attempts, by Blankenhorn, to contact attorney Steven Holmes at US West
were unsuccessful. Apparently, no one else in the company was
available for comment. Thus, the Newsbytes article contained no
synopsis of US West's side of the issues in the Wagner case.
Blankenhorn left the door open to a future update by noting
information requested from US West would be reported as soon as that
information is made available to Newsbytes.
So much for the abstract...
A FEW OBSERVATIONS: It seems that Blankenhorn must not have been able
to obtain a copy of US West's brief before going to press. Otherwise,
Blankenhorn would realize, and could have noted, that US West's
comments have no impact on FAX or answering machines. BBS operation in
general, and Wagner's BBS in specific, are the myopic focus of the
brief. Blankenhorn also could have asked about and cleared up what
appears to be a discrepancy between Wagner's apparent indication that
he was running his BBS on 2 phone lines at the time he requested new
lines, and the repeated references in the US West brief to Wagner's
"3" BBS phone lines. Finally, I called Judith Legg myself on 2-6-92
and asked her about the actual timing of the hearing. She informed me
that the hearing was indeed in December. In Blankenhorn's defense,
Legg admits that she was under the mistaken impression that the
hearing took place in January, and that this is probably what she told
Blankenhorn. A check of the Oregon PUC's computerized schedules was
necessary to clarify the actual hearing date.
Walter Scott
**
The 23:00 News and Mail Service - +1 206 292 9048 - Seattle, WA USA
PEP, V.32, V.42bis
+++ A Waffle Iron, Model 1.64 +++
------------------------------
Date: 22 Jan 92 19:12:22 CST
From: Jim Warren (jwarren@well.sf.ca.us)
Subject: File 5--Calif. "Privacy [& Computer Crime] Act of 1992"
The Chair of the California State Senate, Bill Lockyer, is
introducing what he calls "The Privacy Act of 1992." It addresses
computer *crime* in a robust manner, but appears to be less concerned
with some of the more major privacy issues (e.g. personal
data/profiles built & used by government and private corporations)
posed during public testimony in December. I scanned it in, OCRed
it, proofed it, and believe this is an accurate copy of the original
cover letter and content. The latter has already been sent to
Legislative Counsel (on 1/8/92).
Please upload it and circulate it to all others who might be
interested. Note: Many consider that computer legislation at the
state level in major, "bellwether" states may/can/will provide
models for other states and for eventual federal legislation. Thus,
this deserves *early* and widespread circulation, review and *public
comment*.
jim warren [chair, First Conference on Computers, Freedom & Privacy, 1991]
**********************************************************************
====== TEXT OF COVER-LETTER, RECEIVED JAN. 17, 1992 =====
California State Senate
Bill Lockyer, Tenth [California] Senatorial District
[Chairman, California State Senate Judiciary Committee]
Southern Alameda County
January 15, 1992
TO: Interested Parties
FROM: Ben Firschein, Senator Lockyer's Office
RE: Privacy legislation emerging from the interim hearing
We have drafted language reflecting some of the suggestions made at
the privacy hearing on December 10 [1991] and have sent it to
Legislative Counsel. It is likely that Senator Lockyer will
introduce the language as a bill when it comes back from Legislative
Counsel.
We welcome and encourage your suggestions, comments and proposed
amendments. This language should be viewed as an initial proposal,
and it is likely that it will be amended as it proceeds through the
legislature.
The bill as submitted to Legislative Counsel does the following:
1. Information obtained from driver's licenses: prohibit businesses
from selling or using for advertising purposes information obtained
from driver's licenses without the written consent of the consumer.
2. Automatic vehicle identification [AVI]: Require Caltrans to
provide an opportunity to pre-pay tolls and use the facility
anonymously.
3. Violation of privacy of employees: language has been drafted
based on the Connecticut statute that Justice Grodin discussed at the
hearing. The proposed language goes further than the Connecticut
statute in that it also extends to prospective employees.
4. Amend Penal Code Section 502 (computer crime statute) as
follows:
a) Extend existing law to allow recovery by any injured party,
not just the owner or lessee of the computer.
b) Allow recovery for any consequential or incidental damages,
not just for expenditures necessary to verify that a computer system
was or was not damaged.
c) Create civil penalty of $10,000 per injured party up to a
maximum of fifty thousand dollars for recklessly storing data in a
manner which enables a person to commit acts leading to a felony
conviction. Failure to report to law enforcement a previous
violation under the statute would be deemed to be possible evidence
of recklessness.
d) Require that owner or lessee of computer report to law
enforcement any known violations of the statute involving his/her
system. Such reports required within 60 days after they become
known to owner or lessee.
Warrants for electronically stored materials: We are interested in
working with interested parties on some of the proposals made at the
hearing, for possible inclusion in the bill as amendments.
Please direct your comments to:
Ben Firschein
Administrative Assistant
Office of Senator Lockyer
Room 2032 State Capitol
Sacramento, CA 95814
(916) 445-6671
========== END OF JAN.17 COVER LETTER ==========
<<BEWARE! The entry following this one is about 5 print-pages long
-- the full text of Sen. Lockyer's draft legislation that has already
been sent to Legislative Counsel for review, apparently the final
prerequisite to formal introduction.>>
====== TEXT OF LEGISLATION, RECEIVED JAN. 17, 1992 =====
[hand-written] The people of the State of California do enact as follows:
[hand-written] Section 1. This Act may be cited as the Privacy Act of 1992.
[hand-written] Section 2. Section 1799.4 is added to the Civil Code to
read:
1799.4. A business entity that obtains information from a consumer's
driver's license or identification card for its business records or for
other purposes shall not sell the information or use it to advertise goods
or services, without the written consent of the consumer.
[hand-written] Sent to Leg Counsel 1/8
[hand-written] Section 3. Section 502 of the Penal Code is amended to read:
502. (a) It is the intent of the Legislature in enacting this section to
expand the degree of protection afforded to individuals, businesses, and
governmental agencies from tampering, interference, damage, and
unauthorized access to lawfully created computer data and computer
systems. The Legislature finds and declares that the proliferation of
computer technology has resulted in a concomitant proliferation of computer
crime and other forms of unauthorized access to computers, computer
systems, and computer data.
The Legislature further finds and declares that protection of the
integrity of all types and forms of lawfully created computers, computer
systems, and computer data is vital to the protection of the privacy of
individuals as well as to the well-being of financial institutions,
business concerns, governmental agencies, and others within this state
that lawfully utilize those computers, computer systems, and data.
(b) For the purposes of this section, the following terms have the
following meanings:
(1) "Access" means to gain entry to, instruct, or communicate with the
logical, arithmetical, or memory function resources of a computer, computer
system, or computer network.
(2) "Computer network" means any system which provides communications
between one or more computer systems and input/output devices including,
but not limited to, display terminals and printers connected by
telecommunication facilities.
(3) "Computer program or software" means a set of instructions or
statements, and related data, that when executed in actual or modified
form, cause a computer, computer system, or computer network to perform
specified functions.
(4) "Computer services" includes, but is not limited to, computer time,
data processing, or storage functions, or other uses of a computer,
computer system, or computer network.
(5) "Computer system" means a device or collection of devices, including
support devices and excluding calculators which are not programmable and
capable of being used in conjunction with external files, one or more of
which contain computer programs, electronic instructions, input data, and
output data, that performs functions including, but not limited to, logic,
arithmetic, data storage and retrieval, communication, and control.
(6) "Data" means a representation of information, knowledge, facts,
concepts, computer software, computer programs or instructions. Data may
be in any form, in storage media, or as stored in the memory of the
computer or in transit or presented on a display device.
(7) "Supporting documentation" includes, but is not limited to, all
information, in any form, pertaining to the design, construction,
classification, implementation, use, or modification of a computer,
computer system, computer network, computer program, or computer software,
which information is not generally available to the public and is
necessary for the operation of a computer, computer system, computer
network, computer program, or computer software.
(8) "Injury" means any alteration, deletion, damage, or destruction of
a computer system, computer network, computer program, or data caused by
the access.
(9) "Victim expenditure" means any expenditure reasonably and necessarily
incurred by the owner or lessee to verify that a computer system, computer
network, computer program, or data was or was not altered, deleted,
damaged, or destroyed by the access.
(10) "Computer contaminant" means any set of computer instructions that
are designed to modify, damage, destroy, record, or transmit information
within a computer, computer system, or computer network without the intent
or permission of the owner of the information. They include, but are not
limited to, a group of computer instructions commonly called viruses or
worms, which are self-replicating or self-propagating and are designed to
contaminate other computer programs or computer data, consume computer
resources, modify, destroy, record, or transmit data, or in some other
fashion usurp the normal operation of the computer, computer system, or
computer network.
(c) Except as provided in subdivision (h), any person who commits any of
the following acts is guilty of a public offense:
(1) Knowingly accesses and without permission alters, damages, deletes,
destroys, or otherwise uses any data, computer, computer system, or
computer network in order to either (A) devise or execute any scheme or
artifice to defraud, deceive, or extort, or (B) wrongfully control or
obtain money, property, or data.
(2) Knowingly accesses and without permission takes, copies, or makes use
of any data from a computer, computer system, or computer network, or takes
or copies any supporting documentation, whether existing or residing
internal or external to a computer, computer system, or computer network.
(3) Knowingly and without permission uses or causes to be used computer
services.
(4) Knowingly accesses and without permission adds, alters, damages,
deletes, or destroys any data, computer software, or computer programs
which reside or exist internal or external to a computer, computer system,
or computer network.
(5) Knowingly and without permission disrupts or causes the disruption of
computer services or denies or causes the denial of computer services to an
authorized user of a computer, computer system, or computer network.
(6) Knowingly and without permission provides or assists in providing a
means of accessing a computer, computer system, or computer network in
violation of this section.
(7) Knowingly and without permission accesses or causes to be accessed
any computer, computer system, or computer network.
(8) Knowingly introduces any computer contaminant into any computer,
computer system, or computer network.
(d) (1) Any person who violates any of the provisions of paragraph (1),
(2), (4), or (5) of subdivision (c) is punishable by a fine not exceeding
ten thousand dollars ($10,000), or by imprisonment in the state prison for
16 months, or two or three years, or by both that fine and imprisonment, or
by a fine not exceeding five thousand dollars ($5,000), or by imprisonment
in the county jail not exceeding one year, or by both that fine and
imprisonment.
(2) Any person who violates paragraph (3) of subdivision (c) is
punishable as follows:
(A) For the first violation which does not result in injury, and where
the value of the computer services used does not exceed four hundred
dollars ($400), by a fine not exceeding five thousand dollars ($5,000), or
by imprisonment in the county jail not exceeding one year, or by both that
fine and imprisonment.
(B) For any violation which results in a victim expenditure in an amount
greater than five thousand dollars ($5,000) or in an injury, or if the
value of the computer services used exceeds four hundred dollars ($400), or
for any second or subsequent violation, by a fine not exceeding ten
thousand dollars ($10,000), or by imprisonment in the state prison for 16
months, or two or three years, or by both that fine and imprisonment, or by
a fine not exceeding five thousand dollars ($5,000), or by imprisonment in
the county jail not exceeding one year, or by both that fine and
imprisonment.
(3) Any person who violates paragraph (6), (7), or (8) of subdivision (c)
is punishable as follows:
(A) For a first violation which does not result in injury an infraction
punishable by a fine not exceeding two hundred fifty dollars ($250).
(B) For any violation which results in a victim expenditure in an amount
not greater than five thousand dollars ($5,000), or for a second or
subsequent violation, by a fine not exceeding five thousand dollars
($5,000), or by imprisonment in the county jail not exceeding one year, or
by both that fine and imprisonment.
(C) For any violation which results in a victim expenditure in an amount
greater than five thousand dollars ($5,000), by a fine not exceeding ten
thousand dollars ($10,000), or by imprisonment in the state prison for 16
months, or two or three years, or by both that fine and imprisonment, or
by a fine not exceeding five thousand dollars ($5,000), or by imprisonment
in the county jail not exceeding one year, or by both that fine and
imprisonment.
(e) (1) In addition to any other civil remedy available, any injured
party, including but not limited to the owner or lessee of the computer,
computer system, computer network, computer program, or data, may bring a
civil action against any person convicted under this section for
compensatory damages, including any consequential or incidental damages. In
the case of the owner or lessee of the computer, computer system, computer
network, computer program, or data, such damages may include, but are not
limited to, any expenditure reasonably and necessarily incurred by the
owner or lessee to verify that a computer system, computer network,
computer program, or data was or was not altered, damaged, or deleted by
the access.
(2) Whoever recklessly stores or maintains data in a manner which enables
a person to commit acts leading to a felony ["a felony" hand-written]
conviction under this section shall be liable for a civil penalty of ten
thousand dollars ($10,000) per injured party, up to a maximum of fifty
thousand dollars ($50,000). Failure to report to law enforcement a
previous violation under subsection (f) may constitute evidence of
recklessness.
(3) For the purposes of actions authorized by this subdivision, the
conduct of an unemancipated minor shall be imputed to the parent or legal
guardian having control or custody of the minor, pursuant to the provisions
of Section 1714.1 of the Civil Code.
(4) In any action brought pursuant to this subdivision the court may
award reasonable attorney's fees to a prevailing party.
(5) A community college, state university, or academic institution
accredited in this state is required to include computer-related crimes as
a specific violation of college or university student conduct policies and
regulations that may subject a student to disciplinary sanctions up to and
including dismissal from the academic institution. This paragraph shall
not apply to the University of California unless the Board of Regents
adopts a resolution to that effect.
(f) The owner or lessee of any computer, computer system, computer network,
computer program, or data shall report to law enforcement any known
violations of this section involving the owner or lessee's computer,
computer system, computer network, computer program, or data. Such reports
shall be made within 60 days after they become known to the owner or lessee.
(g) This section shall not be construed to preclude the applicability of
any other provision of the criminal law of this state which applies or may
apply to any transaction, nor shall it make illegal any employee labor
relations activities that are within the scope and protection of state or
federal labor laws.
(h) Any computer, computer system, computer network, or any software or
data, owned by the defendant, which is used during the commission of any
public offense described in subdivision (c) or any computer, owned by the
defendant, which is used as a repository for the storage of software or
data illegally obtained in violation of subdivision (c) shall be subject
to forfeiture, as specified in Section 502.01.
(i) (1) Subdivision (c) does not apply to any person who accesses his or
her employer's computer system, computer network, computer program, or
data when acting within the scope of his or her lawful employment.
(2) Paragraph (3) of subdivision (c) does not apply to any employee who
accesses or uses his or her employer's computer system, computer network,
computer program, or data when acting outside the scope of his or her
lawful employment, so long as the employee's activities do not cause an
injury, as defined in paragraph (8) of subdivision (b), to the employer
or another, or so long as the value of supplies and computer services, as
defined in paragraph (4) of subdivision (b), which are used do not exceed
an accumulated total of one hundred dollars ($100).
(j) No activity exempted from prosecution under paragraph (2) of
subdivision (h) which incidentally violates paragraph (2), (4), or (7) of
subdivision (c) shall be prosecuted under those paragraphs.
(k) For purposes of bringing a civil or a criminal action under this
section, a person who causes, by any means, the access of a computer,
computer system, or computer network in one jurisdiction from another
jurisdiction is deemed to have personally accessed the computer, computer
system, or computer network in each jurisdiction.
(l) In determining the terms and conditions applicable to a person
convicted of a violation of this section the court shall consider the
following:
(1) The court shall consider prohibitions on access to and use of
computers.
(2) Except as otherwise required by law, the court shall consider
alternate sentencing, including community service, if the defendant shows
remorse and recognition of the wrongdoing, and an inclination not to repeat
the offense.
[hand-written] Section 4. Section 12940.3 is added to the Government Code
to read:
(a) Any employer, including the state and any instrumentality or political
subdivision thereof, shall be liable to an employee or prospective
employee for damages caused by either of the following:
(1) subjecting the employee to discipline or discharge on account of the
exercise by such employee of rights guaranteed by Section 1 of Article I
of the California Constitution, provided such activity does not
substantially interfere with the employee's bona fide job performance or
working relationship with the employer.
(2) Denying employment to a prospective employee on account of the
prospective employee's exercise of rights guaranteed by Section 1 of
Article I of the California Constitution.
(b) The damages awarded under this Section may include punitive damages,
and reasonable attorney's fees as part of the costs of any such action for
damages. If the court decides that such action for damages was brought
without substantial justification, the court may award costs and reasonable
attorney's fees to the employer.
[hand-written] Section 5. Section 27565 of the Streets and Highways Code
is amended to read:
27565. Automatic vehicle identification systems for toll collection
(a) The Department of Transportation in cooperation with the district and
all known entities planning to implement a toll facility in this state
shall develop and adopt functional specifications and standards for an
automatic vehicle identification system, in compliance with the following
objectives:
(1) In order to be detected, the driver shall not be required to reduce
speed below the applicable speed for the type of facility being used.
(2) The vehicle owner shall not be required to purchase or install more
than one device to use on all toll facilities, but may be required to have
a separate account or financial arrangement for the use of these facilities.
(3) The facility operators shall have the ability to select from different
manufacturers and vendors. The specifications and standards shall encourage
multiple bidders and shall not have the effect of limiting the facility
operators to choosing a system which is able to be supplied by only one or
vendor.
(b) The vehicle owner shall have the choice of pre-paying tolls, or being
billed after using the facility. If the vehicle owner pre-pays tolls:
(1) The facility or the Department shall issue an account number to the
vehicle owner. The account number shall not be derived from the vehicle
owner's name, address, social security number, or driver's license number,
or the vehicle's license number, vehicle identification number, or
registration.
(2) Once an account has been established and an account number has been
given to the vehicle owner, neither the facility nor the Department shall
keep any record of the vehicle owner's name, address, social security
number or driver's license number, or the vehicle's license number,
vehicle identification number, or registration.
(3) The vehicle owner may make additional pre-payments by specifying the
account number and furnishing payment.
(c) Any automatic vehicle identification system purchased or installed
after January 1, 1991, shall comply with the specifications and standards
adopted pursuant to subdivision (a).
(d) Any automatic vehicle identification system purchased or installed
after January 1, 1993, shall comply with the specifications and standards
adopted pursuant to subdivisions (a) and (b).
====== END OF LEGISLATION DRAFT ======
[Note: The preceding is the end-result of the draft-text. Some of the
document had apparently-old wording with strike-thru lines; some of it was
underlined, apparently indicating newly-added wording. Since there is no
universally-accepted protocol for representing such "exotic" text-forms in
the Barren ASCII Wasteland, the preceding text does not reflect strike-thrus
nor underlines in the original text. Also, the preceding reflects
the paragraph-indenting and parenthesized section-labeling, as
received. It is left as "an exercise for the reader" to figure out
its rationale.
--jim ]
The vast majority of us would readily state that we, personally,
"store and maintain data." To the extent that we do so on a shared
host, it seems like it could be applied to us, *as individuals*.
Unless, perhaps, we stored it in encrypted form or made other
provable efforts to protect it while it's stored on a shared system.
Please note that this scenario equally applies to folks working on
LAN systems at a company.
Is this, perhaps, "overly-broad legislation"?
------------------------------
Date: Wed, 22 Jan 1992 13:59:44 CST
From: douglas%atc.boeing.com@UMCVMB.MISSOURI.EDU
Subject: File 6--DIAC-92 Workshop Call for Participation and Workshop Guidelines
Directions and Implications of Advanced Computing
DIAC-92
Berkeley, California May 3, 1992
Call for Workshop Proposals and
Workshop Proposal Guidelines
[Due Date Extended]
DIAC-92 is a two-day symposium in which the social implications of
computing are explored. The first day (May 2, 1992) will consist of
presentations. The second day will consist of a wide variety of
workshops. These guidelines describe the intent for the workshops and the
manner in which they are proposed. They are meant to augment and
supersede the information found in the Call for Papers and Participation.
The workshops are meant to be more informal than the presented papers of
the previous day. For this reason the format for the proposals is
expected to vary. Nevertheless there are some guidelines that we can
offer that will help ensure a successful workshop.
The proposal should include the title, author's name, affiliation, and
electronic mail address at the beginning. All workshop proposals will be
included in the proceedings. The workshop proposal should be 1 - 8 pages
in length. The desired range of attendees (smallest number - largest
number) should be included. All workshops will be two hours in length with
a short break 1/2 way through. It is possible to schedule two related
workshops back to back, say "Introduction to Something" and "Advanced
Something". If this is the case please submit two separate proposals but
state that they are related.
There are four major concerns for the workshops which should be
addressed in the proposal.
1. Intellectual Content
The intellectual content of the workshop should be made clear.
What is the focus on the workshop? What are the relevant social
issues? What relevant research exists already on the topic? Who
is the intended audience? The topic should have a qualitative
computing element in it.
2. Structure
There should be some structure to the workshop. It can be quite
loose and flexible but it shouldn't be completely open. The
amount of structure will vary according to the topic at hand, the
intended goals, the personalities of the audience and the organizers,
etc. The proposal should describe the structure of the
workshop.
3. Interactivity
The workshop should be interactive. The workshop should be
designed in such a way to promote meaningful interaction between
the organizer or organizers and the attendees. Because there is
group interaction it is hoped that more points will be raised,
more issues considered, and deeper analysis performed. The
methods of interaction should be described in the proposal.
4. Product or action oriented
Ideally the workshop should result in some product or plan for
action. Although this aspect is not critical, the program
committee feels that this is quite important and we hope that
workshop organizers will think in these terms and strive to
promote an appropriate outcome. Possible "deliverables" are
described below.
Possible Output From a DIAC-92 Workshop
+ Statements or press releases
+ Bibliography on subject matter
+ Electronic distribution list on the subject
+ Ideas for a follow up meeting, workshop, or conference
+ List of possible projects on the subject
+ Writeup of meeting for electronic or print dissemination
+ A project proposal
+ A panel discussion proposal
+ A grant proposal
+ An experiment
+ A working agreement -- e.g. to connect two networks, to share
data, to begin a study, to write an article, to build software
jointly, etc.
+ A videotape of some or all of a workshop
+ A brainstormed list of viewpoints, a "semantic network" of the
issues
+ A list of hypotheses
+ Any plan to continue discussion on the topic
Please send proposal (four copies) to Doug Schuler, 2202 N. 41st St,
Seattle, WA, 98103. Proposals are due by March 1, 1992. Proposals
will be reviewed by the program committee. Acceptance or rejection
notices will be mailed by April 1, 1992. We plan to incorporate
workshop proposals into the proceedings. Please contact us if you
have any questions or comments.
Doug Schuler, 206-865-3832 (work), 206-632-1659 (home),
dschuler@june.cs.washington.edu
The program committee includes David Bellin (consultant), Eric Gutstein (U.
WI), Batya Friedman (Mills College), Jonathan Jacky (U. WA), Deborah
Johnson (Rensselaer Polytechnic Inst.), Richard Ladner (U. WA), Dianne
Martin (George Washington U.), Judith Perrolle (Northeastern U.), Marc
Rotenberg (CPSR), Douglas Schuler (Boeing Computer Services), Barbara
Simons (IBM), Lucy Suchman (Xerox), Karen Wieckert (U. CA. Irvine), and
Terry Winograd (Stanford).
Sponsored by Computer Professionals for Social Responsibility
P.O. Box 717
Palo Alto, CA 94301
DIAC-92 is co-sponsored by the American Association for Artificial
Intelligence, and the Boston Computer Society Social Impact Group, in
cooperation with ACM SIGCHI and ACM SIGCAS.
------------------------------
End of Computer Underground Digest #4.06
************************************