Copy Link
Add to Bookmark
Report
Computer Undergroud Digest Vol. 05 Issue 09
Computer underground Digest Sun Jan 31, 1993 Volume 5 : Issue 09
ISSN 1004-042X
Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Copy Editor: Etaion Shrdlu, Junoir
CONTENTS, #5.09 (Jan 31, 1993)
File 1--Media hype goes both ways (in re: Forbes article)
File 2--Forbes, NPR, and a Response to Jerry Leichter
File 3--Revised Computer Crime Sent
File 4--Balancing Computer Crime Statutes and Freedom
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be
contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at:
Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL0 and DL12 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS
at (414) 789-4210; in Europe from the ComNet in Luxembourg BBS (++352)
466893; and using anonymous FTP on the Internet from ftp.eff.org
(192.88.144.4) in /pub/cud, red.css.itd.umich.edu (141.211.182.91) in
/cud, halcyon.com (192.135.191.2) in /pub/mirror/cud, and
ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
European readers can access the ftp site at: nic.funet.fi pub/doc/cud.
Back issues also may be obtained from the mail server at
mailserv@batpad.lgb.ca.us.
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Some authors do copyright their material, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
----------------------------------------------------------------------
Date: Tue, 12 Jan 93 12:20:21 EDT
From: Jerry Leichter <leichter@LRW.COM>
Subject: 1--Media hype goes both ways (in re: Forbes article)
In Cu Digest, #4.66, Jim Thomas reviews article from the 21 December
1992 Forbes Magazine, and grants it CuD's 1992 MEDIA HYPE award. I
read the article before reading Thomas's comments, and was considering
posting a very different summary. Did we read the same words?
Let me briefly summarize what I got out of the article, and then go
over some of Thomas's points. The article claims that we are seeing a
new kind of computer miscreant. Let me call such people "crims", a
word I've just invented; according to the article, they identify
themselves as hackers (to the extent they identify themselves at all),
so the article also calls them hackers (sometimes, "hacker hoods"),
thus raising many irrelevant emotional issues.
Unlike old-style hackers, who were in it for what they could build; or
new-style hackers, who are nominally in it for what they can learn;
crims are in it for what they can steal. The article does NOT claim
that the same people who've been hackers have now turned to real
crime; rather, as I read it it claims that the crims have taken the
techniques developed by the hackers and gone on to different things.
Just look at the title of the article: "The Playground Bullies are
Learning how to Type". The crims are the people who a few years ago
might be burglars or jewel thieves; today, they are learning how to go
after money and other valuable commodities (like trade or military
secrets) in their new, electronic form.
Thomas's criticism begins with a long attack on Brigid McMenamin, one
of the reporters on the piece. He is upset that she keeps "bugging"
people for information. Reporters do that; it's not their most
endearing quality, but it's essential to their job, especially when
dealing with people who don't particularly want to talk to them. He
is upset that she kept asking about "illegal stuff" and "was oblivious
to facts or issues that did not bear upon hackers-as-criminals." Given
the article she was writing - exactly focusing on the crims - that's
exactly what I would have expected her to do. Just because Thomas is
interested in the non-criminal side of hacking doesn't mean McMenamin
is under any obligation to be. Thomas reports that in his own
conversations with McMenamin "Her questions suggested that she did not
understand the culture about which she was writing." Again, Thomas
presumes that she was writing about the people *Thomas* is interested
in.
In general, Thomas's criticisms of McMemanim reveal him to be so
personally involved with the "hacker culture" that he studies that
he's protective of it - and blind to the possibility that the world
may be bigger and nastier than he would like.
Thomas then summarizes "The Story". He criticizes it for not
presenting a "coherent and factual story about the types of computer
crime", but rather for making "hackers" the focal point and taking on
a narrative structure. Well, I didn't particularly see "hackers" as
the focal point, and considering the nature of the material being
covered - it's all recent, and the crims are hardly likely to be
interested in making themselves available to reporters - a narrative
structure is probably inevitable. Perhaps Thomas will write the
definitive study of the types of computer crime; I doubt any working
reporter will do so for a magazine.
Len Rose's story is told with a reasonable slant. None of us know ALL
the facts, but at least Rose is pictured as a relatively innocent
victim, chosen pretty much at random to bear the weight of actions
taken by many people. In fact, that's just what a prosecutor
interviewed in this piece of the story says: Because of the nature of
the crimes, such as they are, the people caught and punished are often
not the ones who actually did much of anything. He doesn't indicate
that he LIKES this - just the opposite. He reports on facts about the
real world.
Thomas then says that the article describes a salami-slicing attack,
alleged to have taken place at Citibank. He criticizes the article
for lack of evidence. He's right, but after all, this was a criminal
enterprise, and the criminals weren't caught. Just what evidence
would he expect? He then goes on with a comment that makes no sense
at all:
Has anybody calculated how many accounts one would have to "skim" a
few pennies from before obtaining $200,000? At a dime apiece, that's
over 2 million. If I'm figuring correctly, at one minute per account,
60 accounts per minute non-stop for 24 hours a day all year, it would
take nearly 4 straight years of on-line computer work for an
out-sider. According to the story, it took only 3 months. At 20
cents an account, that's over a million accounts.
Why would anyone even imagine that an attack of this nature would be
under-taken on an account-at-a-time basis? The only way it makes
sense is for the attack to have modified the software. If the
criminals had a way to directly siphon money out of an account, they
would have made one big killing and disappeared. Citibank has many
thousands of accounts with much more than $200,000 in them; it
probably has many thousands of accounts for which a $200,000
discrepancy wouldn't be noticed until the end of the quarter. A
salami-slice attack only makes sense when the attacker intends to
remain undetected, so that the attack continues to operate
indefinitely.
The romantic picture of the hacker sitting at his terminal, day in and
day out, moving a few pennies here and there, may have a lot of
appeal, but it's not reality.
The crux of the Thomas's critique is: "Contrary to billing, there was
no evidence in the story, other than questionable rumor, of %hacker'
connection to organized crime." But, again, that isn't the point of
the story, which to me seemed to do a fairly reasonable (though
imperfect) job of distinguishing between the innocents who "just want
to hack" and the new "crims". The article does, however, warn that
the crims will have no compunctions about using the hackers, whether
by just showing up at hacker conventions to learn the latest tricks -
like every group, hackers think they can identify the "true" group
members who believe in the group's ideals, when in fact it's always
been trivially easy for those who are willing to lie to sneak in - or
by hiring hackers, with money, drugs, or whatever.
I don't know to what degree the rumors of the spread of the crims are
true. It makes SENSE that they would be true, and in certain cases
(particularly cellular telephone fraud) we have strong evidence. It's
naive to think that the hacker community or the hacker ethic is
somehow immune to the influence of criminal minds.
There was an explicit warning from some prosecuter quoted in the
article. What he said was that people are upset by the crimes, and
government is responding harshly, often against the wrong targets. No
one would be so stupid as to walk into a bank carrying a toy gun and
try to get money from a teller, intending to leave it at the door,
"just to test security". Yet hackers seem to believe that they can do
the same thing with a bank's computers. If there were no such thing
as real bank robbers, the toy gun game would be just fine; in the real
world, that's an excellent way to get shot - or sent to prison for
many years. As the crims become more active - and even if the current
stories are all baseless, they inevitably will, and sooner rather than
later - any hackers who don't adjust to the new reality will find
themselves in big trouble. Many's the idealist who's been lead by the
nose to help the dishonest - and it's usually the idealist who gets
stuck with the bills.
------------------------------
Date: Sat, 30 Jan 93 23:01:49 CST
From: Jim Thomas <cudigest@mindvox.phantom.com>
Subject: 2--Forbes, NPR, and a Response to Jerry Leichter
Jerry Leichter asks of our mutual reading of Forbes' Magazine's "The
Hacker Hood" article (see CuD #4.66): "Did we read the same words?"
Although his question is presumably rhetorical, and although we
normally do not respond to articles (even if critical), Jerry's
question and commentary raises too many issues to let pass. The answer
to his rhetorical question is: No, we did not read the same words. Not
only did we not read the same words in the Forbes piece, I'm not
certain that Jerry read the Forbes article with particular care, and
it's certain he did not read our response to it (or our oft-repeated
position on "computer deviance" over the years) with care. This would
be of little consequence except that he makes several false assertions
about my own background and he embodies an attitude that perpetuates
the kinds of misunderstandings that lead to questionable laws, law
enforcement, and misunderstanding among the public. Although Jerry
obviously wrote in passion and in good faith, his commentary again
raises the issues that we found disturbing in the Forbes piece. We
thank him for his post and for the opportunity to again address these
issues.
Jerry's criticism's of the Forbes' commentary can be divided into
three parts: 1) His perception of my naivete; 2) His disagreement with
our evaluation and interpretation of the Forbes writers and the
substance of the article; and 3) A disagreement over the nature and
extend of "hacker crime."
1. JERRY'S CRITICISMS OF THOMAS
Jerry's criticisms of me include several of sufficient magnitude that
they require a response. First, he claims that I'm apparently blinded
to objectivity because of a commitment to hacking:
>In general, Thomas's criticisms of McMemanim (sic) reveal him to
be >so personally involved with the "hacker culture" that he
>studies that he's protective of it - and blind to the
>possibility that the world may be bigger and nastier than he
>would like.
Had he claimed that I'm so involved in civil rights that I sometimes
lose objectivity, I might agree with him. However, even a cursory
reading of my response indicates that the criticisms of one of the
Forbes writers, Brigid McMenamin would reveal that the objections had
nothing to do with hackers or rights, but with journalistic ethics and
responsibility. Those with whom I spoke who were contacted by Ms.
McMenamin all reached an independent consensus about her methods,
"homework," and ability to write a factual story. Jerry counters with
no facts that would dispute any of the interpretations, but instead
seems to defend what some judged as incompetence. Is it not possible,
in Jerry's worldview, to question a reporter's methods, especially
when those methods seem troublesome to others who are experienced in
dealing with the press?
It's also unclear how Jerry interprets anything written by CuD editors
as "protective" of "hacker culture." My Forbes commentary was quite
clear: The issue isn't whether one supports of opposes "hacker
culture." It's simply whether we believe that a medium such as Forbes
should be committed to minimal standards of accuracy or whether we are
willing to accept broad assertions and innuendo that contribute to the
hysteria that feeds bad legislation and questionable law enforcement
tactics such as those occuring during the "hacker crackdown."
I also assure Jerry that, as a criminologist who has lived in and also
studied the nastiest criminal cultures, I recognize that segments of
the world are indeed big and nasty. I also recognize that nastiness is
not limited to the criminal segment of society. In the scheme of
things, even the worst of computer crime is generally not among the
worst offenses that one can commit. He seems unaware that the current
U.S. prison population hoovers around 900,000, and that it's
increasing by almost ten percent a year. Much of this increase is due
to "get tough" attitudes on crime in which an increasing number of
behaviors are criminalized, sanctions for crimes are increased, and
sentences imposed (and time served) grows longer. Jerry fails to
understand that the issue isn't simply "hackers," but rather what
constitutes an acceptable social response to new social offenses.
Jerry also implies that to criticize increased criminalization and to
oppose demonization for relatively mild offenses is naively
idealistic. Although he fails to provide a rationale for this claim,
it presumably stems from a view that sees advocates of civil rights
siding with criminals rather than victims. This, of course, is a false
argument. There is little, if any, evidence that civil rights
advocates side with criminals. Rather, they side with the rule of law
that, under our Constitution, guarantees protections to all people.
The Forbes article creates an image that, in a time of strong
opposition to civil rights, promotes inappropriately strong laws and
weaker protections of rights. If adhering to the Enlightenment
principles and Constitutional values on which our judicial (and
social) system were founded makes me a naive idealist, then I'm guilty
as charged. I find this a far more civilized stance than the
alternative.
2. JERRY'S CRITICISMS OF MY INTERPRETATION OF THE FORBES PIECE
Jerry "didn't particularly see 'hackers' as the focal point of the
story." The title and the narrative of the piece seemed quite clear:
"The Hacker Hoods?" Nearly every paragraph alluded to vague hacker
criminality or to specific people identified as criminal "hackers."
No, I do not think we did read the same words. If I had any lingering
doubts about Jerry's lack of thoroughness in reading the Forbes piece,
they were eliminated when I read his criticism of my commentary on the
"salami attack." The Forbes piece adduced as an example of a "hacker
crime" an unsupported story about a computer intruder who lopped a
penny or two from various accounts. Jerry thinks it odd that one
would question the veracity of the story and suggests that, contrary
to what I said, a hacker could easily do this in a few seconds with a
"big killing." He apparently failed to note that the story indicated
this was done by skimming "off a penny or so from each account. Once he
((the hacker)) had $200,000, he quit" (p. 186). Again, it seems we
didn't read the same words. The point wasn't whether this could be
done, but that the story was provided as "fact" with no corroboration.
In fact, neither the banking victim (Citibank) nor a nationally
recognized computer crime expert (Donn Parker) had knowledge of the
deed. As written in Forbes, the method does raise some skepticism, as
Jerry concedes:
>The romantic picture of the hacker sitting at his terminal,
>day in and day out, moving a few pennies here and there, may
>have a lot of appeal, but it's not reality.
Here we agree. Had he read the Forbes piece accurately, he would
see that this was precisely my point. The picture Jerry disputes is
the one drawn in the Forbes piece. It appears that he agrees with me:
The Forbes picture is not reality.
The issue here isn't that Jerry didn't read either the Forbes piece or
the commentary carefully. Rather, it's that his comments show how
easily even an otherwise informed reader can uncritically gloss over
material that doesn't conform to a preferred view. It's not that I
disagree with Jerry (or the Forbes piece). Rather, the issue at
stake lies in a fundamental difference over how material is to
be presented. In highly volatile topics, sensationalistic portrayals
strike me as irresponsible and reinforce attitudes that lead to
unacceptable social responses. The Forbes piece and Jerry's
uncritical acceptance of it contribute to what in past times were
called witch hunts. Jerry seems to find it odd that one would object
to claims being made without evidence:
>He ((Thomas)) criticizes the article for lack of
>evidence. He ((Thomas))'s right, but after all, this
>was a criminal enterprise, and the criminals weren't
>caught. Just what evidence would he expect?
Crimes are detected in two ways. First, the criminal is apprehended in
the act. Second, a victim reports the crime. As a criminologist, I've
been taught that however one measures crime, it is generally done
either by some combination of crimes known to police or by
victimization surveys. In an article ostensibly describing crime, I
would assume that there would be at least minimal evidence for the
hard core crimes attributed to "hackers". It's obvious Jerry and I
did not read the same words. Didn't he read Managing Editor Lawrence
Minard's introduction?
>While working with Bill Flanagan on the multibillion-dollar
>telephone toll fraud phenomenon (Forbes, Aug. 3), Brigid
>McMenamin was intrigued to find that organized crime was
>hiring young computer hackers to do some of their electronic
>dirty work.
This is a claim. Other claims are made in the article. It's not
unreasonable to expect at least minimal evidence for the claims made.
The story was not based on facts but on innuendo. The Forbes piece
was criticized *not* because it was in opposition to a preferred view
of a particular social group, but because it took a stigmatized group
and further demonized it by making claims without recourse to specific
cases.
3. WHAT'S AT STAKE IN THIS DISCUSSION
As I stated explicitly in my original Forbes commentary, the issue is
not whether "hackers" are portrayed to one's liking. The point is how
one creates images of groups or behaviors that lead to social stigma
and criminal sanctions. I judged the Forbes piece to grossly err on
the side of falsely dramatizing a label that has been misused, abused,
and used to create what many judge as inappropriate or chaotic laws.
If the Forbes piece were limited to identifying new types of computer
crime without attempting to exaggerate the link between "hackers" and
organized crime, and if it had been more factual, it would not have
been objectionable. If it had focused on computer delinquents and the
problems they cause by identifying explicit instances of security
transgressions, telephone abuse, or other identifiable behaviors, it
would have been less objectionable. Had it made a clear distinction
between the culture of "hackers," whether the old-guard explorer or
the newer nuisance and computer criminals who do use a computer to
prey (but are not "hackers"), it would have been less objectionable.
The Forbes piece did none of this. Instead, it distorted both
"hacking" and computer crime. The authors did nothing to clarify a
complex problem and did much to obscure it. There is computer crime?
Old news. Some hackers commit computer crimes? Old news. What is new
in the piece is that it implies a logic in which a) anyone adept at a
computer is a hacker; b) Computer criminals (by definition) are adept
at computers; c) Computer criminals are hackers.
Conclusion: Look out for the hackers!
Consider: Substitute the term "computer professionals" or "sys ads"
for "hackers." "Sys ad bullies?" "Sys ads learn to type and commit
crimes?" Computer criminals, by definition, have computer skills, and
to conflate all computer crime with "hacking" makes as much sense as
conflating computer criminals with any other label that captures the
imagination of a public that can't distinguish between the reality and
the simulacrum. In the Forbes piece, the symbol, "hackers," becomes an
abstract demon. Forbes employed its resources, which are considerable,
to produce a misleading piece that subverts the efforts of those who
attempt to balance fair laws and their application to civil liberties.
I doubt that Forbes' readers, over one million of them, were able to
ascertain the complexities of this delicate balance from the article.
The visibility of the Forbes article also put one author, William
Flanagan, in the public eye on a National Public Radio "Morning
Edition" segment (21 December, '92). Flanagan essentially repeated his
points from the article. When asked by reporter Renee Montagne "But
are we talking about computer hackers who've become criminals, or is
it criminals who've become computer hackers?" Flanagan responded:
It's--it's a bit of both actually. You really have three
categories. You have the--the sport hackers who used to
fool around and show off. They would go into a government
or a telephone company computer and pull out a sensitive
file and then show it off as a trophy. They really didn't
have too much malice in what they were doing other than the
anarchic thing that you will find among a lot of
late-teenage boys and--and it's mainly boys. But some of
them have been co-opted into it by the Mafia, by organized
crime. They give them money and drugs and they perform some
stunts for them like come up with telephone numbers. Then,
there are those who are larcenous to start with and--and who
have developed the techniques or have hired others to do it.
Then, the third category--and perhaps this is even the most
dangerous. It's people who have an awful lot of computer
knowledge and are suddenly out of work and are very angry
and have the capability of creating all kinds of mayhem or
stealing great deals of money.
Of course there are hackers who commit crimes, just as there are
systems administrators who commit crimes. But, in putting
together the beginnings of a data base on computer crime in
recent years, I have yet to come across a pointer to a Mafia-related
"hacker" case. The thinking reflected in Flanagan's commentary
resembles that of someone who's read one too many National Inquirer
articles or seen one too many Geraldo shows. It distorts the problem,
distorts possible solutions, and offers no new information.
When we distort the nature of the problem, we obstruct a solution.
Flanagan repeats the error of equating Robert T. Morris, of
"the Internet work" fame with "hackers." The reporter notes that
he was given probation, and asks, "What about now?"
Flanagan: He would be in jail and I guarantee you, his
father's connections wouldn't have helped him in this day
and age.
Montagne: His father was...
Flanagan: Was a high government official I think with the
FTC. Throughout most of the '80s when these kids were
caught, they would be given a rap on the knuckles and there
was a widespread belief that all they had to do was to tell
law enforcement or tell the telephone company how they did
something and to give up that information or maybe give up
the names of some of their friends, and they'd be let go.
But that's not the case any more.
Now, it's a seemingly minor error to assume that Morris's father's
connections helped him, a claim for which there's no evidence. It's
also relatively minor that a detail such as linking Morris' father to
the FTC was wrong (the senior Morris was a computer security expert
who was the chief scientist at the NSA's National Computer Security
Center). It's also a minor quibble that Flanagan thinks that three
years probation, a $10,000 fine, 400 of community service and almost
$150,000 in legal fees is a light punishment. But, in the aggregate,
these errors indicate that Flanagan, speaking as an "expert" on the
issues of hacking and computer crime, doesn't know his subject. His
pronouncements have a high profile: If it's in Forbes *and* on NPR, it
*must* be true. Yet, his factual errors and the style of crafting them
into narrative demonic images cast fatal doubt on his credibility. One
way to counter this kind of hyperbole and disinformation is to provide
an antidote by challenging the veracity of the facts and the images.
This, as Jerry's response indicates, bothers some people.
As I argued, I hope clearly, in the original Forbes commentary, the
concern isn't with "hackers," but with law and justice. For over a
decade, we have witnessed the curtailment of civil and other rights
that were thought to be well-established. We have seen the
criminalization of a variety of new behaviors and the imposition of
harsher sentences on old ones. We have seen the abuses of a few law
enforcement officials and others in pursuing their targets. We have
seen creative use of seizure and forfeiture laws to take property and
disrupt lives. We have seen a public, frustrated by crime, succumb to
the hyperbole and rhetoric of politicians and media sensationalism.
To oppose the Forbes piece and those who defend it is not to take
issue with personalities or a given medium. Rather, it is a modest,
perhaps chimerical attempt to joust with those repressive windmills
that substitute emotionalism and ignorance in solving problems for the
harder task of coming to grips with thier complexity and nuances.
So, no, Jerry, we did not read the same words, nor do we see the world
in the same way. Which is fine. We learn through the dialogic
competition of ideas. And, yes, I do recognize that the world is a far
more nasty place than suits my liking. However, I also recognize that
not all of the nastiness is caused by criminals.
To modify a line from Stephenson's Snow Crash, condensing fact from
the vapor of nuance is fine, but replacing facts with vaporous nuances
isn't.
------------------------------
Date: Sat, 30 Jan 1993 15:12:11 EST
From: Dave Banisar <banisar@WASHOFC.CPSR.ORG>
Subject: 3--Revised Computer Crime Sent
Revised Computer Crime Sentencing Guidelines
>From Jack King (gjk@well.sf.ca.us)
The U.S. Dept. of Justice has asked the U.S. Sentencing Commission to
promulgate a new federal sentencing guideline, Sec. 2F2.1,
specifically addressing the Computer Fraud and Abuse Act of 1988 (18
USC 1030), with a base offense level of 6 and enhancements of 4 to 6
levels for violations of specific provisions of the statute.
The new guideline practically guarantees some period of confinement,
even for first offenders who plead guilty.
For example, the guideline would provide that if the defendant
obtained %%protected'' information (defined as %%private information,
non-public government information, or proprietary commercial
information), the offense level would be increased by two; if the
defendant disclosed protected information to any person, the offense
level would be increased by four levels, and if the defendant
distributed the information by means of %%a general distribution
system,'' the offense level would go up six levels.
The proposed commentary explains that a %%general distribution
system'' includes %%electronic bulletin board and voice mail systems,
newsletters and other publications, and any other form of group
dissemination, by any means.''
So, in effect, a person who obtains information from the computer of
another, and gives that information to another gets a base offense
level of 10; if he used a 'zine or BBS to disseminate it, he would get
a base offense level of 12. The federal guidelines prescribe 6-12
months in jail for a first offender with an offense level of 10, and
10-16 months for same with an offense level of 12. Pleading guilty
can get the base offense level down by two levels; probation would
then be an option for the first offender with an offense level of 10
(reduced to 8). But remember: there is no more federal parole. The
time a defendant gets is the time s/he serves (minus a couple days a
month "good time").
If, however, the offense caused an economic loss, the offense level
would be increased according to the general fraud table (Sec. 2F1.1).
The proposed commentary explains that computer offenses often cause
intangible harms, such as individual privacy rights or by impairing
computer operations, property values not readily translatable to the
general fraud table. The proposed commentary also suggests that if the
defendant has a prior conviction for %%similar misconduct that is not
adequately reflected in the criminal history score, an upward
departure may be warranted.'' An upward departure may also be
warranted, DOJ suggests, if %%the defendant's conduct has affected or
was likely to affect public service or confidence'' in %%public
interests'' such as common carriers, utilities, and institutions.
Based on the way U.S. Attorneys and their computer experts have
guesstimated economic "losses" in a few prior cases, a convicted
tamperer can get whacked with a couple of years in the slammer, a
whopping fine, full "restitution" and one to two years of supervised
release (which is like going to a parole officer). (Actually, it *is*
going to a parole officer, because although there is no more federal
parole, they didn't get rid of all those parole officers. They have
them supervise convicts' return to society.)
This, and other proposed sentencing guidelines, can be found at 57 Fed
Reg 62832-62857 (Dec. 31, 1992).
The U.S. Sentencing Commission wants to hear from YOU. Write: U.S.
Sentencing Commission, One Columbus Circle, N.E., Suite 2-500,
Washington DC 20002-8002, Attention: Public Information. Comments
must be received by March 15, 1993.
* * *
Actual text of relevant amendments:
UNITED STATES SENTENCING COMMISSION
AGENCY: United States Sentencing Commission.
57 FR 62832
December 31, 1992
Sentencing Guidelines for United States Courts
ACTION: Notice of proposed amendments to sentencing guidelines,
policy statements, and commentary. Request for public comment.
Notice of hearing.
SUMMARY: The Commission is considering promulgating certain
amendments to the sentencing guidelines, policy statements, and
commentary. The proposed amendments and a synopsis of issues to be
addressed are set forth below. The Commission may report amendments
to the Congress on or before May 1, 1993. Comment is sought on all
proposals, alternative proposals, and any other aspect of the
sentencing guidelines, policy statements, and commentary.
DATES: The Commission has scheduled a public hearing on these
proposed amendments for March 22, 1993, at 9:30 a.m. at the
Ceremonial Courtroom, United States Courthouse, 3d and Constitution
Avenue, NW., Washington, DC 20001.
Anyone wishing to testify at this public hearing should notify
Michael Courlander, Public Information Specialist, at (202) 273-4590
by March 1, 1993.
Public comment, as well as written testimony for the hearing,
should be received by the Commission no later than March 15, 1993,
in order to be considered by the Commission in the promulgation of
amendments due to the Congress by May 1, 1993.
ADDRESSES: Public comment should be sent to: United States
Sentencing Commission, One Columbus Circle, NE., suite 2-500, South
Lobby, Washington, DC 20002-8002, Attention: Public Information.
FOR FURTHER INFORMATION CONTACT: Michael Courlander, Public
Information Specialist, Telephone: (202) 273-4590.
* * *
59. Synopsis of Amendment: This amendment creates a new guideline
applicable to violations of the Computer Fraud and Abuse Act of 1988
(18 U.S.C. 1030). Violations of this statute are currently subject
to the fraud guidelines at S. 2F1.1, which rely heavily on the
dollar amount of loss caused to the victim. Computer offenses,
however, commonly protect against harms that cannot be adequately
quantified by examining dollar losses. Illegal access to consumer
credit reports, for example, which may have little monetary value,
nevertheless can represent a serious intrusion into privacy
interests. Illegal intrusions in the computers which control
telephone systems may disrupt normal telephone service and present
hazards to emergency systems, neither of which are readily
quantifiable. This amendment proposes a new Section 2F2.1, which
provides sentencing guidelines particularly designed for this unique
and rapidly developing area of the law.
Proposed Amendment: Part F is amended by inserting the following
section, numbered S. 2F2.1, and captioned "Computer Fraud and
Abuse," immediately following Section 2F1.2:
"S. 2F2.1. Computer Fraud and Abuse
(a) Base Offense Level: 6
(b) Specific Offense Characteristics
(1) Reliability of data. If the defendant altered information,
increase by 2 levels; if the defendant altered protected
information, or public records filed or maintained under law or
regulation, increase by 6 levels.
(2) Confidentiality of data. If the defendant obtained protected
information, increase by 2 levels; if the defendant disclosed
protected information to any person, increase by 4 levels; if the
defendant disclosed protected information to the public by means of
a general distribution system, increase by 6 levels.
Provided that the cumulative adjustments from (1) and (2), shall
not exceed 8.
(3) If the offense caused or was likely to cause
(A) interference with the administration of justice (civil or
criminal) or harm to any person's health or safety, or
(B) interference with any facility (public or private) or
communications network that serves the public health or safety,
increase by 6 levels.
(4) If the offense caused economic loss, increase the offense
level according to the tables in S. 2F1.1 (Fraud and Deceit). In
using those tables, include the following:
(A) Costs of system recovery, and
(B) Consequential losses from trafficking in passwords.
(5) If an offense was committed for the purpose of malicious
destruction or damage, increase by 4 levels.
(c) Cross References
(1) If the offense is also covered by another offense guideline
section, apply that offense guideline section if the resulting level
is greater. Other guidelines that may cover the same conduct
include, for example: for 18 U.S.C. 1030(a)(1), S. 2M3.2 (Gathering
National Defense Information); for 18 U.S.C. 1030(a)(3), S. 2B1.1
(Larceny, Embezzlement, and Other Forms of Theft), S. 2B1.2
(Receiving, Transporting, Transferring, Transmitting, or Possessing
Stolen
Property), and S. 2H3.1 (Interception of Communications or
Eavesdropping); for 18 U.S.C. 1030(a)(4), S. 2F1.1 (Fraud and
Deceit), and S. 2B1.1 (Larceny, Embezzlement, and Other Forms of
Theft); for 18 U.S.C. S. 1030(a)(5), S. 2H2.1 (Obstructing an
Election or Registration), S. 2J1.2 (Obstruction of Justice), and
S. 2B3.2 (Extortion); and for 18 U.S.C. S. 1030(a)(6), S. 2F1.1
(Fraud and Deceit) and S. 2B1.1 (Larceny, Embezzlement, and Other
Forms of Theft).
Commentary
Statutory Provisions: 18 U.S.C. 1030(a)(1)-(a)(6)
Application Notes:
1. This guideline is necessary because computer offenses often
harm intangible values, such as privacy rights or the unimpaired
operation of networks, more than the kinds of property values which
the general fraud table measures. See S. 2F1.1, Note 10. If the
defendant was previously convicted of similar misconduct that is not
adequately reflected in the criminal history score, an upward
departure may be warranted.
2. The harms expressed in paragraph (b)(1) pertain to the
reliability and integrity of data; those in (b)(2) concern the
confidentiality and privacy of data. Although some crimes will cause
both harms, it is possible to cause either one alone. Clearly a
defendant can obtain or distribute protected information without
altering it. And by launching a virus, a defendant may alter or
destroy data without ever obtaining it. For this reason, the harms
are listed separately and are meant to be cumulative.
3. The terms "information," "records," and "data" are
interchangeable.
4. The term "protected information" means private information,
non-public government information, or proprietary commercial
information.
5. The term "private information" means confidential information
(including medical, financial, educational, employment, legal, and
tax information) maintained under law, regulation, or other duty
(whether held by public agencies or privately) regarding the history
or status of any person, business, corporation, or other
organization.
6. The term "non-public government information" means
unclassified information which was maintained by any government
agency, contractor or agent; which had not been released to the
public; and which was related to military operations or readiness,
foreign relations or intelligence, or law enforcement investigations
or operations.
7. The term "proprietary commercial information" means non-public
business information, including information which is sensitive,
confidential, restricted, trade secret, or otherwise not meant for
public distribution. If the proprietary information has an
ascertainable value, apply paragraph (b) (4) to the economic loss
rather than (b) (1) and (2), if the resulting offense level is
greater.
8. Public records protected under paragraph (b) (1) must be filed
or maintained under a law or regulation of the federal government, a
state or territory, or any of their political subdivisions.
9. The term "altered" covers all changes to data, whether the
defendant added, deleted, amended, or destroyed any or all of it.
10. A "general distribution system" includes electronic bulletin
board and voice mail systems, newsletters and other publications,
and any other form of group dissemination, by any means.
11. The term "malicious destruction or damage" includes injury to
business and personal reputations.
12. Costs of system recovery: Include the costs accrued by the
victim in identifying and tracking the defendant, ascertaining the
damage, and restoring the system or data to its original condition.
In computing these costs, include material and personnel costs, as
well as losses incurred from interruptions of service. If several
people obtained unauthorized access to any system during the same
period, each defendant is responsible for the full amount of
recovery or repair loss, minus any costs which are clearly
attributable only to acts of other individuals.
13. Consequential losses from trafficking in passwords: A
defendant who trafficked in passwords by using or maintaining a
general distribution system is responsible for all economic losses
that resulted from the use of the password after the date of his or
her first general distribution, minus any specific amounts which are
clearly attributable only to acts of other individuals. The term
"passwords" includes any form of personalized access identification,
such as user codes or names.
14. If the defendant's acts harmed public interests not
adequately reflected in these guidelines, an upward departure may be
warranted. Examples include interference with common carriers,
utilities, and institutions (such as educational, governmental, or
financial institutions), whenever the defendant's conduct has
affected or was likely to affect public service or confidence".
------------------------------
Date: 22 Dec 92 15:31:52 EST
From: Ken Citarella <70700.3504@COMPUSERVE.COM>
Subject: 4--Balancing Computer Crime Statutes and Freedom
An Illustration of How Computer Crime Statutes Try To
Balance Competing Interests of Security and Freedom
-- and Come Up With Interesting Answers
copyright 1992, Kenneth C. Citarella
(CompuServe; 70700,3504)
Computers deserve protection. If we did not all agree on that
state legislatures and the Congress would not have passed computer
crime statutes. Exactly how much protection to afford them, however,
is the crux of the problem. Sometimes resolving that gets confused
with a desire to avoid criminalizing inquisitive and youthful computer
intruders.
The New York State computer crime statutes illustrate this
confusion. The basic computer crime in New York is Unauthorized Use
of a Computer, a misdemeanor. A person commits this crime when he
uses, or causes to be used, a computer without authorization, and the
computer is programmed to prevent unauthorized use. Thus, the
unauthorized use of any computer in New York which does not have
user-id/password security or some equivalent is arguably lawful under
this statute. Moreover, under the definition of "uses a computer
without authorization", the unauthorized user must be notified orally,
in writing, or by the computer itself that unauthorized users are not
welcome.
There are, therefore, two threshold protections that a system
owner must install to have his computer come under the protection of
the New York unauthorized use statute. First, there must be
protective programming; second, there must a warning to the
prospective intruder. These obligations do not seem excessive
regarding misuse by an employee or other user with limited access to
the computer in question. It is difficult to include with everyone's
employment materials a written warning regarding unauthorized use of
the computer, and it is certainly common enough to issue user-ids and
passwords.
Consider, however, the remote unauthorized user. If a
business has a computer with an unlisted modem number, has issued
user-ids and passwords to its authorized users, has dial back modems,
and has encrypted log-in procedures, its computer may still not be
protected by the unauthorized use statute. Should an intruder locate
the modem number by random demon dialling, guess at a password and
encryption code, and enter the system to install and operate a pirate
bulletin board, it may not be a criminal act. As long as the intruder
does not access government records, medical records, or corporate
secrets, alter any file or program, or download anything from the
system, there may not be a crime. As long as the system did not
display a warning that unauthorized users were not welcome, the crime
of unauthorized use cannot occur. Thus, the legislature has elevated
the display of a few words almost certain to deter no one to far
greater legal importance than actual technical protective steps, all
in the name of not criminalizing our inquisitive youths. Yet, if
technical security procedures cannot convince them not to intrude upon
a system, what importance can be attached to the displayed warning?
Aren't unlisted phones, passwords, and other standard security
procedures sufficient warning in and of themselves? Or, is form
really more important than substance?
It is curious to note that the legislature seized upon notice
as the prerequisite for computer crime law protection. It is a crime
to enter and drive away with a car without permission, even if the car
door is open, the key in the ignition, and the engine running. It is
a crime to enter a premises without permission, even if the door is
open, the lights on, and dinner on the table. In either scenario,
notice is implicit in the intruder's knowledge that he does not belong
there. The prosecutor must prove the absence of permission at trial,
just as he rightly should in a computer crime case. But under current
legislation, egregious computer intrusions must go unprosecuted if,
despite extensive technical protection, three little words --
"Authorized Users Only" -- do not appear to warn an intruder not to
enter where he already knows he does not belong.
If computers are ever to become as integrated into our lives
as cars and homes should they not be afforded the same protection
under the criminal law?
((The author is a Deputy Bureau Chief of the Frauds Bureau in the
District Attorney's Office, Westchester County, New York. The
opinions expressed herein are purely personal and do not necessarily
reflect the opinions or policies of the District Attorney's Office.))
------------------------------
End of Computer Underground Digest #5.09
************************************