Computer Crime

May 9th and 10th brought on two days that should be marked in every hacker's history book. The reason we assume these days will be important to many, is that maybe it's time we opened our eyes and saw the witch hunt currently in progress... It is my understanding that Gail Thackeray and the Secret Service are not taking this lightly. She told Phrack Inc. that they are not distinguishing pirates, hackers, or phreakers. Basically, it's any kid with a modem that calls a BBS with an alias. Yes, we are the witches, and we are being hunted.
-- Phreak_Accident (from Phrack Magazine, May 1990)

In the old days [in drug busts], we'd get a search warrant, kick in the door, and if we did our job right, there would be white powder and currency and a little black book. And you opened up that little black book and you find names, dates and amounts. Well, now you kick in the door and you find the powder and the currency and a stand-alone PC.
-- Scott Charney (Chief of the Dept. of Justice Computer Crimes Unit, March 1995)

[In the early days] people were friendly, computer users were very social. Information was handed down freely, there was a true feeling of brotherhood in the underground. As the years went on people became more and more anti-social. As it became more and more difficult to blue-box, the social feeling of the underground began to vanish. People began to hoard information and turn people in for revenge. The underground today is not fun. It is very power hungry, almost feral in its actions. People are grouped off: you like me or you like him, you cannot like both... The subculture I grew up with, learned in, and contributed to, has decayed into something gross and twisted that I shamefully admit connection with. Everything changes and everything dies, and I am certain that within ten years there will be no such thing as a computer underground. I'm glad I saw it in its prime.
-- Chris Goggans (aka Phrack Magazine's "Erik Bloodaxe", quoted in Paul Taylor's book Hackers, 1996)

Required Readings

For a quick orientation to computer crime laws, read the overview from the book by Cavazos and Morin (to be distributed in class).

Read the Computer Fraud and Abuse Statute (U.S. Criminal Code Title 18 Section 1030). Look both at the pre-1986 version and also at the current version that resulted from passage of the National Information Infrastructure Protection Act of 1996, based on a bill introduced in 1995 by Senators Leahy, Kyl, and Grassley. There are also statements by Kyl and Leahy accompanying their introduction of the bill, as well as an analysis by the senators of their changes to 18 USC 1030.

Barlow, John Perry. "Crime and Puzzlement." John Perry Barlow, who spends half his time in New York and half his time in Wyoming, is a founder of the Electronic Frontier Foundation, retired cattle rancher, erstwhile lyricist for the Grateful Dead, and an outstanding polemicist. "Crime and Puzzlement" is the pamphlet that got the Electronic Frontier Foundation off the ground.

Godwin, Mike. "Cops on the I-Way." Time Magazine, Spring 95. Godwin is "on-line counsel" for the EFF. He will be a guest in the class later during the semester. In this article, he describes the need to balance law enforcement with constitutional rights on the Internet.

Rasch, Mark. "Computer security: Legal Lessons in the Computer Age." Security Management, April 1996. Rasch, who is one of our guests this semester, is the director of information security law and policy at the Center for Information Protection at SAIC, a major security consulting firm. He headed the Department of Justice's computer crime efforts until 1991, and he prosecuted the Robert Morris "internet worm" case. This article is an excellent overview of the computer crime issues that we will be discussing in the course.

Recommended Readings

Read at least one of the following books, all popularizations of computer break-ins involving the Internet.

Sterling, Bruce. The Hacker Crackdown: Law and Disorder on the Electronic Frontier. Bantam Books, 1992. This is a splendidly written overview of "trouble in cyberspace" from the beginning of the phone system through Operation Sun Devil and the Steve Jackson Games case. You should definitely read a good bit of it. Sterling, bless him, has made the entire book available on-line as "literary freeware." You may want to buy a copy, though, since it's not easy to read a 200-page book on-line.

Hafner, Katie, and John Markoff. Cyberpunk: Outlaws and Hackers on the Computer Frontier. Simon & Schuster, 1991. This is an in-depth study of three famous cases: Kevin Mitnick (not counting his escapade of winter 1995), the German Chaos Computer Club, and Robert Morris's Internet Worm. The three parts are completely separate.

Slatalla, Michelle, and Joshua Quittner. Masters of Deception: The Gang That Ruled Cyberspace. HarperCollins Publishers, 1995. This is the story of the teenage phone and computer cracker group, the Masters of Deception, from its beginnings in 1989 through the 1993 trials of some of the leaders. If you read this book, also take a look at some postscripts about Phiber Optik's incarceration and release.

Freedman, David, and Charles Mann. At Large: The Strange Case of the World's Biggest Internet Invasion, Simon and Schuster, 1997. This book, just published over the summer, does a good job describing what responding to break-ins is like from the point of view of the system administrator. It is also a fun book to read for MIT people, because a lot of the action happened at MIT in fall 1992 and involved several people who are still at MIT. If you read this, take a look at the Tech article that appeared during the incident. It's remarkable how little of the real story (even the MIT part of the story) became generally known on campus. If you don't read the entire book, you should at least read the short article that Freedman and Mann wrote for U.S. News & World Report.

There are also two books on Kevin Mitnick, but you should read both of them, since neither one gives a complete story. See the discussion below.

Taylor, Paul. "Them and Us." Chapter 6 in Hackers explores the hostility between the computer underground and the computer security industry. It has provocative and insightful comments on many of the cases we are studying in this section of the course, including similarities between computer crime trials and the Salem witch trials, and comments on the use of violent physical analogies (e.g., arson and rape) often cited to describe computer break-ins.

Other Material on Computer Crime

Issues in Computer Law

Godwin, Mike. "The Feds and the Net: Closing the Culture Gap." (TXT) From Internet World, May, 1994. This is a thought-provoking report on a talk Godwin gave at the FBI academy, and the audience's response. It will help to have read Bruce Sterling's discussion of the Craig Neidorf, Steve Jackson Games, and Legion of Doom prosecutions, since they formed the background for Godwin's talk.

Cavazos, Edward, and Gavino Morin. Cyberspace and the Law: Your Rights and Duties in the On-Line World. This is a solid introduction to computer law, with good overviews of existing laws on privacy, contracts, and pornography.

Riddle, Michael. "The Electronic Communications Privacy Act of 1986: A Layman's View". This is a good overview of the complex law that governs privacy of electronic communications.

Loundy, David J. "E-Law 3.0: Computer Information Systems Law and System Operator Liability in 1995." This is an updated version of a long (150-page) article that originally appeared in the Albany Law Journal of Science and Technology 3, no. 1 (1993). It focuses on networks and responsibilities of SYSOPS.

Godwin, Mike. "When Copying Isn't Theft." Internet World, January-February 1994. This is a comment on some of the issues involved in the Craig Neidorf case. It forms a good link to our next topic on intellectual property protection.

U.S. Department of Justice, Federal Guidelines for Searching and Seizing Computers (TXT), July 1994. These guidelines were developed by the Justice Department's Computer Crime Division and an informal group of federal agencies known as the Computer Search and Seizure Working Group. These are rather detailed, so you should probably just skim them and look at the analysis of the guidelines: Banisar, Dave. "Analysis of the Guidelines." The Electronic Privacy Information Center.
On a related note, have a look at the article "Downloading: Using Computer Software as an Investigative Tool" from the June 1996 issue of the FBI's Law Enforcement Bulletin.

The EFF Legislation archive contains text and analysis of laws on computer communications.

Jonathan Rosenoer's Cyberlaw is an educational service focusing on legal issues concerning computer technology. Rosenoer, together with Kimberly Smigel, also publishes Cyberlex, a monthly report on legal developments touching the computer industry.

One important legal issue facing on-line service operators is the extent to which they are liable for defamatory statements of their subscribers. Here are some resources for investigating this topic:

  • "Online Defamation" from Jonathan Rosenoer's Cyberlaw gives an excellent overview of the legal issues and important cases.
  • Cubby v. Compuserve (October 1991) is one of the major cases.
  • Stratton-Oakmont v. Prodigy (May 1995) is another major case, in which Prodigy was held liable for damages caused by postings on the Prodigy network. The decision was appealed, and in October 1995 the parties came to an agreement not to pursue the case, as reported by Associated Press, "Prodigy Reaches Libel Pact," October 24, 1995.

Noteworthy Cases

1988: Robert Morris Internet Worm

Hafner and Markoff. The Robert Morris Internet Worm. Look here for a brief summary of the 1988 Internet Worm incident. If you are interested in learning more, you should read the chapter "RTM" in the book by Hafner and Markoff, which gives an outstanding presentation.

1988: Chaos Computer Club

This received notoriety with the publication of Cliff Stoll's best-seller The Cuckoo's Egg: Tracking a spy through the maze of computer espionage (Doubleday, 1989) which helped to focus public attention on computer break-ins. Stoll casts himself as Philip Marlowe in this detective story, to the detriment of any detached consideration of what these "spy threats" actually amounted to. It's enlightening to read Stoll's book in conjunction with Hafner and Markoff's chapter on the Chaos Computer Club, which describes these events from the point of view of the Germans.

1990: Steve Jackson Games Raid

The 1990 raid on Steve Jackson Games (and Operation Sun Devil) is described in the book by Bruce Sterling and in the paper by John Perry Barlow. With the help of the EFF, Jackson sued the Secret Service for violation of the Electronic Communications Privacy Act. The District Court held that the Secret Service violated the Privacy Protection Act (which protects publishers) and that it had violated the section of the ECPA that protects access to stored communications. But the Court did not agree that seizing unread electronic mail was an "interception" under the provisions of the ECPA. Jackson appealed this decision, but the decision of the lower court was affirmed.

  • For an extensive collection of documents and commentary, see the Web page devoted to Steve Jackson Games vs. the Secret Service.
  • Appellate court ruling on Steve Jackson Games Suit, October 31, 1994 (PDF)
  • The EFF Legal cases archive on SJG

1993: Homolka-Teale Media Ban

In 1991 two horrific sex and torture killings were uncovered in a town near Ontario. Paul Teale (aka Paul Bernardo) and his wife, Karla Homolka Teale, were arrested. Karla Homolka was tried in 1993, and she pleaded guilty. Although this was a sensational murder case, everyone at the trial - including the press - was banned from publishing any evidence or details on the murders in order to preserve Paul Teale's right to a fair trial. Details of the case, however, were widely published in the U.S., and Canadian officials were led to confiscate copies of US magazines and newspapers shipped to Canada and to black out some TV news broadcasts. When further details began to appear on the Internet, Canadian police and some Canadian universities began suppressing the Internet newsgroups that carried the banned material. The ban was lifted in the summer of 1995 when Paul Bernardo's trial began. Bernardo was convicted of first-degree murder on September 1, 1995.
"Desperately Seeking Karla", by Leslie Shade of McGill University (Proceedings of the Canadian Association for Information Science, 22nd Annual Conference, May 25-27, 1994, McGill University:109-126), is a provocative study of the ban and the associated legal issues of free speech on the Internet. There is also an extensive archive on this case maintained by Steven Miale at Indiana University, and the EFF archive contains several papers related to the case.

1994: David LaMacchia Indictment

In April 1994, MIT junior David LaMacchia was indicted for conspiracy to commit wire fraud, based on the accusation that he had modified an MIT Server workstation to allow people on the network to use it to download copyrighted software without paying. The case received national notoriety, the U.S. Attorney in Boston calling it the largest incident of software piracy ever. In December 1994, the charges against LaMacchia were dismissed, with the judge ruling that copyright infringement cannot be prosecuted under the wire fraud statute. The case raises important issues about liability of system operators and about the scope of computer crime and copyright laws. Look here for articles and source material.

1994: Amateur Action Pornography Conviction

In summer 1994, Robert and Carleen Thomas were convicted of violating anti-obscenity laws, on the grounds that their California BBS (Amateur Action) was used to transmit obscene material to Tennessee. This case raises important issues about the meaning of community standards with regard to the net, as discussed in this article by Godwin, Mike. "BBS Obscenity Case Raises New Legal Issues." Virtual Community Standards. On January 29, 1996, the US Court of Appeals for the Sixth Circuit upheld the Thomases' conviction.

  • Here is an Amicus brief (PDF) filed by the Electronic Frontier Foundation, in the appeal of the Thomases' conviction.
  • Here is another Amicus brief (PDF) filed by the American Civil Liberties Union.
  • Here is the Appeals Court decision (PDF) upholding the conviction.
    You can find additional material in the EFF archives on this case.

1995: Jake Baker Arrest

In February, 1995, the University of Michigan suspended sophomore Jake Baker after he posted to the Internet a fictional story of rape, torture, and murder, using the name of a classmate as the victim. A few days later, Baker was arrested by the FBI for interstate transmission of a threat to kidnap, and held without bond for 29 days on the grounds that he was too dangerous to release. Charges against him were dismissed in June.
The MIT Student Association for Freedom of Expression (look here for general information about SAFE) maintains an archive on the case. Take a look, in particular, at the extracts in the archive from the campus newspaper, The Michigan Daily. You should also read the insightful article The Jake Baker Scandal: A Perversion of Logic by UMich journalism student Adam Miller, which was written in April 1995 (before the charges against Baker were dropped). For an excellent legal analysis, see Godwin, Mike. "Baker Column." Internet World.

1995: Randal Schwartz Conviction

Randal Schwartz is author of the popular books Programming Perl and Learning Perl. In 1993, while working as a system administrator for Intel, he performed some security tests, running the Crack program to uncover weak passwords. When Intel management discovered this, they assumed that Schwartz was engaged in industrial espionage, and brought felony charges against him under Oregon's computer theft law. Schwartz was convicted in September, 1995 on a reduced charge and sentenced to probation.

  • Quarterman, John S. "System Administration as a Criminal Activity or, the Strange Case of Randal Schwartz." Matrix News, September 1995.
  • Morrissey, Mark. "Report on a Security Incident at the Oregon Facility." November 3, 1993. (Intel Investigative Report)

1995: Kevin Mitnick Arrest

Kevin Mitnick ("cyberspace's most wanted hacker") was arrested by the FBI in 1995. Computer security consultant Tsutomu Shimomura helped the FBI locate Mitnick, and New York Times reporter John Markoff was closely associated with Shimomura during this "hunt for Mitnick". The story of the pursuit and arrest can be grist for a fascinating case study of how the public (and the FBI) view the "hacker threat" and the extent to which this view can be subject to manipulation and exaggeration. But you'll have to put the story together yourself and try to resolve the contradictory views. Here are some of the pieces:

  • The chapter on Mitnick in the book by Hafner and Markoff (1991) describes Mitnick's early run-ins with the law and forms a useful background against which to judge the following two books.
  • Tsutomu Shimomura (with John Markoff), Takedown: The pursuit and capture of Kevin Mitnick, America's most wanted computer outlaw -- by the man who did it (1996). This is the story as told by Shimomura, and it says a lot more about Shimomura than about Mitnick or hacking. In fact, it says a whole lot more about Shimomura than you'd want to know, with long, boring interludes about his personal life, as he tracks down the person who cracked into his computer. (Indeed, it's ironic that Shimomura villainizes Mitnick for violating other people's privacy -- reading their email -- while he himself broadcasts details of other people's private lives in this self-aggrandizing book.) There is also a Website for the book, which contains some of the evidence Shimomura accumulated while tracking Mitnick down.
  • Littman, Jonathan. The Fugitive Game: Online with Kevin Mitnick. This book, based on conversations between Littman and Mitnick while the latter was in hiding, contains a lot of Mitnick's side of the story. It contradicts Shimomura's version on several points, including raising the possibility that Shimomura ended up going after the wrong person. It also contains much criticism of Markoff for his personal involvement in this case while he was reporting on it for the Times, with the suggestion that he manufactured a lot of the hype surrounding Mitnick, from which he benefitted through a lucrative book contract with Shimomura. You should also look at Littman's update report on Mitnick's harsh treatment in prison.
  • For a comparison of the two books that is highly critical of Markoff and Shimomura, see Smith, George. "Sex, Lies, and Computer Tape." Crypt Newsletter, January 1996 Review. For a more neutral comparison (and an interview with Markoff) see Scott Rosenberg's piece Mitnick's Malice, Shimomura's Chivalry from the December 30, 1995 issue of Salon.
  • To help judge things for yourself, you can read Markoff's stories about Mitnick in the Times during this period. To find these, go to the New York Times Web site, select the "search" option, and search for articles about Mitnick. The Times site will ask you to register as a new user if you have not previously done so. If you wish, you can get in with the username "cypherpunk" and the password "cypherpunk".
  • For pieces sympathetic to Mitnick, see the Cracking for Kevin (legal defense fund) site and the links you can follow from there.

Hacker Culture

Denning, Dorothy E. "Concerning Hackers Who Break into Computer Systems." 13th National Computer Security Conference, 1990. Dorothy Denning is Chair of the Computer Science Department at Georgetown University, and an expert in cryptography and information security. The paper was one of the first serious looks at computer hackers by a real computing professional, and argued that "hackers are learners and explorers who want to help rather than cause damage, and who often have very high standards of behavior." Incidentally, Denning is now demonized by much of the same hacker community that six years ago adored her, because she was one of the few prominent academic cryptographers to publicly support the Clipper chip and the Digital Telephony Bill.

Secrets of a Super Hacker, by The Knightmare. Loompanics Unlimited, 1994. This is a "how to" manual on breaking into computer systems. It's not directly relevant to the course, but you might be interested in the cracker's perspective on how break-ins are pulled off. You'll see that it's more a matter of dumpster diving than technical insight.

For source material on hacking and a look at hacking culture, it's good to check out Phrack Magazine. You can find a complete archive of back issues at the Official Phrack Magazine Web Page.
The Phrack Website also maintains an archive of computer underground files and newsletters.
In particular, you might want to take a look at the Legion of Doom! Technical Journal (cited in the book by Slatalla and Quittner). You'll find that there's less there than meets the eye, but they do provide some insight.

Goldstein, Emmanuel. "Sen. Markey Tirade against "hackers" (courtesy of 2600)." February 4, 1994. In June 1993, Emmanuel Goldstein, editor of the hacker quarterly magazine 2600, appeared before the House subcommittee on Telecommunications and Finance. The hearings included, in Goldstein's words, "a tirade against the evils of computer hackers" in which Representatives Markey (D-MA) and Fields (Rep-TX) "generally demonstrated their ignorance on the subject and their unwillingness to listen to anything that didn't match their predetermined conclusions." The hearings show a stark contrast between the hacker perspective and the view of people making telecommunications policy.

Goldstein. "No Time For Goodbyes - Phiber Optik's Journey to Prison." Computer Underground Digest. January 11, 1994. On January 7, 1994, Mark Abene aka Phiber Optik -- see the book by Slatalla and Quittner -- began serving a 10-month sentence at the Schuylkill federal prison in Pennsylvania. His friends gave him a ride there from New York. Along with this article, take a look at Gabriel, Trip. "Reprogramming A Convicted Hacker: To His On-Line Friends, Phiber Optik Is A Virtual Hero." New York Times, January 14, 1995. (the stories about Abene's release in 1995), and Sandberg, Jared. "Accidental Hacker Exposes Internet's Fragility." The Wall Street Journal (July 11, 1997). (An ironic incident from summer 1997.)

Computer Cracking Techniques

The growth of the World Wide Web has provided opportunities for enterprising mischief makers to tamper with the Web sites of high-profile organizations (notably government agencies). Some examples:

  • August 17, 1996: The U.S. Justice Department's Web page was replaced with another page titled "U.S. (Japan's) Department of Injustice Home Page," which included a protest against the Communications Decency Act.
  • September 19, 1996: The CIA's home page was transformed into a page for the "Central Stupidity Agency." (See the CNN story and update on the incident.)
  • December 9, 1996: The Singapore government's main Web Site was replaced with a list of the user identities of officials from various government bodies.
  • December 10, 1996: The Web pages of the UK Labor Party were replaced.
  • December 29, 1996: Someone changed the U.S. Air Force's Web site and replaced a page of aviation statistics with a pornographic picture. (See story from CNN.)

None of these pranks caused any serious damage other than annoyance and embarrassment to the agencies involved. But they did focus attention on the insecurity of the underlying Internet structure, and on the risks of setting up commercial applications on the Web.

Dan Farmer, Shall We Dust Moscow? (Security Survey of Key Internet Hosts & Various Semi-Relevant Reflections), 1996. Security expert Dan Farmer did a survey of over 2000 Web Sites of government agencies and commercial institutions in December 1996. He found that over two-thirds of them were vulnerable to simple cracking techniques, mostly as a result of oversights in configuring the Web Sites. This is a report of the experiment, together with Dan's comments on the dismal state of Internet security.

Computer Viruses

One way to cause damage to computers is by distributing viruses. Here are some references:

  • The Little Black Book of Computer Viruses, by Mark Ludwig. American Eagle Publications, 1991. You can take a look at this to see how some PC viruses work. It's very boring and has mostly to do with arcane details of the DOS operating system. It's also out of date, since the focus is on viruses spread by disks rather than via the network.
  • For a more contemporary view of viruses, see the collection of white papers by Cybersoft, Inc. One particular paper to start with is Computer Viruses In Unix Networks by Peter V. Radatti, 1996.
  • Before 1995, it was commonly believed that viruses could be contracted via the network only by explicitly loading and running program code, not other documents. The emergence of word processors such as Microsoft Word 6, where documents can include macros, engendered a new class of viruses that could be spread as ordinary documents or email.
  • Moving beyond macro viruses, the ability to spread trouble via the network has been greatly enhanced over the past year by the growing popularity of Java. We're just starting to see the beginning of the damage that can be done. For a taste, see Mark LaDue's Collection of Increasingly Hostile Applets.

Home page for the FBI National Computer Crime Squad.

Information Warfare

The computer break-ins described in the references above are mostly in the nature of pranks and minor crime. But as more facilities connect to the Internet, the potential for significant vandalism and sabotage grows, and the possibility arises for serious "information warfare" that exploits the vulnerability of a nation's information infrastructure.

Douglas Waller Washington, Onward Cyber Soldiers, Time Magazine cover story of August 21, 1995, on information warfare. See also If War Comes Home by Mark Thompson, from the same issue of Time.

On June 25, 1996, CIA Director John Deutch testified before the Senate Governmental Affairs Committee about the threat of information warfare.

Report of the Defense Science Board Task Force on Information Warfare - Defense, November 1996. The Defense Science Board (a government advisory group) commissioned a task force to make recommendations on how to defend against information warfare. This is a long report, so before diving in, you should look at the story on the report's release in Federal Computer Week.

F. Lynn McNulty, Internet Security (PDF). Before the U.S. House of Representatives Subcommittee on Science, Committee on Science, Space, and Technology, March 22, 1994. McNulty is Associate Director for Computer Security at the National Institute of Standards and Technology. This is a summary of NIST's concerns about Internet security and ideas for addressing them.

Brandt, Daniel. "Infowar and Disinformation: From the Pentagon to the Net." NameBase NewsLine, no. 11 (October-December 1995). Brandt warns that the emphasis on infowar may be a fad that is being promoted in order to increase government control of information flow on the Internet.

On September 5, 1997, the Presidential Commission on Critical Infrastructure Protection released its preliminary report. A brief announcement can be seen in O'Connor, Rory. "U.S. Infrastructure Could Easily Be Disrupted by Hackers!" San Jose Mercury News, September 5, 1997. The final report was due out in mid October.

Update: The final report, Critical Foundations: Protecting America's Infrastructures, was published at the end of October and is available on line. There is also an on-line summary of the report.

For extensive material on information warfare, check out Winn Schwartau's infowar.com.

Miscellaneous Items

Miscellaneous items collected from the Net over the last few years. May contain useful ideas for paper topics.