**************************************************************************** >C O M P U T E R U N D E R G R O U N D< >D I G E S T< *** Volume 1, Issue #1.00 (March 28, 1990) ** **************************************************************************** MODERATORS: Jim Thomas / Gordon Meyer REPLY TO: TK0JUT2@NIU.bitnet COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. -------------------------------------------------------------------- DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections. -------------------------------------------------------------------- =================================================== === Computer Underground Digest - File 2 of 5 === =================================================== ----------------------------- The following articles are reprinted from an issue of TELECOM DIGEST that appeared a few days ago. Because further responses could not be reprinted, we present them again to provide the background that spawned CuD. We have not added Professor Spafford's original comment because Mike Godwin cites the bulk of it. If we err in not doing so, we apoligize in advance, but are guided here by space constraints and not malice. ----------------------------- Inside This Issue: Moderator: Patrick A. Townson Preface to Special Issue [TELECOM Moderator] Re: Legion of Doom Rebuttal to Moderator [Mike Godwin] Re: Legion of Doom Rebuttal to Moderator [Douglas Mason] Re: Legion of Doom Rebuttal to Moderator [Scott Edward Conrad] Re: Legion of Doom Rebuttal to Moderator [Gordon Burditt] ---------------------------------------------------------------------- Date: Sun, 25 Mar 90 11:45:32 CST >From: TELECOM Moderator Subject: Preface to Special Issue This issue is devoted to replies to Gene Spafford about the activities of the Legion of Doom. Like many controversial topics (Caller*ID for one), the LoD has the potential to use great amounts of network resources as the arguments go on. Because Mr. Spafford is a highly respected member of the net community, the people who responded to his article here certainly deserve the courtesy of being heard, but with this selection of responses, we will discontinue further pros-and-cons messages on LoD, at least until the criminal proceedings are finished. Obviously, *new* information about LoD, government investigative activities, etc is welcome, but let's not rehash old stuff again and again. Patrick Townson ------------------------------ >From: Mike Godwin Subject: Re: Legion of Doom Rebuttal to Moderator Date: 22 Mar 90 20:16:43 GMT Reply-To: Mike Godwin Organization: The University of Texas at Austin, Austin, Texas In article <5462@accuvax.nwu.edu> Gene Spafford writes: >The information I have available from various sources indicates that the >investigation is continuing, others are likely to be charged, and there >MAY be some national security aspects to parts of the investigation that >have yet to be disclosed. The information that I have is that many innocent third parties are being trampled by the federal agents in their investigatory zeal. The unnecessary seizure of equipment at Steve Jackson Games in Austin, Texas, is a notable example. In that case, the Secret Service assumed that, since SJ Games employed a reformed computer hacker, it was likely that their company BBS (used for feedback from role-playing game testers nationwide) contained relevant evidence. So, the SS seized all the company's computer equipment, including its laser printer, all available copies of the company's new Cyberpunk game (set in a William Gibson future involving penetration of repressive corporate computer systems), and copies of Gordon Meyer's dangerous academic thesis, in which the author proposed that the hacker underground had been "criminalized" in the public mind due to images created by a few destructive individuals and by the fairly ignorant media. In spite of this, they assured Jackson and his lawyer that neither Jackson nor his company was the target of the investigation. (Jackson, who owes his livelihood to the copyright laws, is an adamant opponent of piracy.) Apparently, the federal agents were angered by the Cyberpunk gaming manual, which romanticized 21st-century computer "cowboys" like Case in Gibson's novel NEUROMANCER. They further conjectured that the game is a cookbook for hackers. Jackson's business is losing, at his estimate, thousands of dollars a month thanks to this seizure, which was far more intrusive than necessary (why take the hardware at all?), and which seemed to demonstrate the agents' willingness to find evildoings everywhere. The Federal Tort Claims Act bars tort recovery based on law-enforcement-related seizures of property, I note in passing. >Now maybe there are one or two people on the law enforcement side who >are a little over-zealous (but not the few I talk with on a regular >basis). Yeah, maybe one or two. >For someone to be indicted requires that sufficient evidence >be collected to convince a grand jury -- a group of 23 (24? I forget >exactly) average people -- that the evidence shows a high probability >that the crimes were committed. The notion that grand juries are any kind of screening mechanism for prosecutions, while correct in theory, has long been discredited. In general, not even prosecutors pretend that the theory is accurate anymore. In law school, one of the first things you're taught in criminal-procedure courses is that grand juries are not screening mechanisms at all. (It is so rare for a grand jury to fail to follow a prosecutor's recommendation to indict that when it does happen the grand jury is known as a "rogue grand jury.") The basic function of grand juries at the federal level is INVESTIGATORY -- the grand-jury subpoena power is used to compel suspects' and witnesses' presence and testimony prior to actual prosecution. >Search warrants require probable >cause and the action of judges who will not sign imprecise and poorly >targeted warrants. Ha! Dream on. >Material seized under warrant can be forced to be >returned by legal action if the grounds for the warrant are shown to >be false, so the people who lost things have legal remedy if they are >innocent. Guess who pays for pursuing the legal remedy in most cases. (Hint: it's not the government.) Now guess how long such proceedings can take. >The system has a lot of checks on it, and it requires convincing a lot >of people along the way that there is significant evidence to take the >next step. The system does have checks in it, but they are neither as comprehensive nor as reliable as you seem to think. >If these guys were alleged mafioso instead of electronic >terrorists, would you still be claiming it was a witch hunt? Possibly. There have been periods in this country in which it was not very pleasant to be involved in a criminal investigation if your name ended in a vowel. >Conspiracy, fraud, theft, violations of the computer fraud and abuse >act, maybe the ECPA, possesion of unauthorized access codes, et. al. >are not to be taken lightly, and not to be dismissed as some >"vendetta" by law enforcement. I don't think anyone is proposing that the investigation of genuine statutory violations is necessarily a vendetta. In fact, I don't think this is the case even in the Jolnet sting. But lack of understanding on the part of the federal officials involved, plus the general expansion of federal law-enforcement officials powers in the '70s and '80s, mean that life can be pretty miserable for you if you even KNOW someone who MIGHT be the target of an investigation. There are civil-rights and civil-liberties issues here that have yet to be addressed. And they probably won't even be raised so long as everyone acts on the assumption that all hackers are criminals and vandals and need to be squashed, at whatever cost. Before you jump to conclusions about my motivations in posting this, let me point out the following: 1) I'm against computer crime and believe it should be prosecuted. 2) I'm nor now, nor have I ever been, a "hacker." (The only substantive programming I've ever done was in dBase II, by the way.) 3) Even though (1) and (2) are true, I am disturbed, on principle, at the conduct of at least some of the federal investigations now going on. I know several people who've taken their systems out of public access just because they can't risk the seizure of their equipment (as evidence or for any other reason). If you're a Usenet site, you may receive megabytes of new data every day, but you have no common-carrier protection in the event that someone puts illegal information onto the Net and thence into your system. And (3) is only one of the issues that has yet to be addressed by policymakers. >Realize that the Feds involved are prohibited from disclosing elements >of their evidence and investigation precisely to protect the rights of >the defendants. They're also secretive by nature. Much has been withheld that does not implicate defendants' rights (e.g., the basis for Secret Service jurisdiction in this case). >If you base your perceptions of this whole mess on >just what has been rumored and reported by those close to the >defendants (or from potential defendants), then you are going to get a >very biased, inaccurate picture of the situation. Even if you screen out the self-serving stuff that defendants (and non-defendants) have been saying, you still get a disturbing picture of the unbridled scope of federal law-enforcement power. In addition, we can't fall into the still-fashionable Ed Meese mentality: "If they're innocent they don't have to worry about being indicted." This is simply not true. >Only after the whole mess comes to trial will we all be able to get a >more complete picture, and then some people may be surprised at the >scope and nature of what is involved. Ah, just the way the Oliver North trial cleared things up? (I know that's a bit unfair, but it expresses my feeling that we're better off relying on the press, flawed as it is, than waiting for the feds to tell us what it's good for us to know at the time they think it's good for us to know it.) In sum, the *complaint* has been this: "Look at the way the feds are losing their cool over this! Lots of folks are being harmed, and lots of rights are being violated!" The *response* of those whose justifiable opposition to computer crime has blinded them to the rights, due-process, and justice issues involved has been something like this: "They're the government. They wouldn't be doing this stuff if they weren't a good reason for it." I have no trouble with Gene Spafford's scepticism about the complaint; please understand, however, why I insist on being sceptical about the response. Mike Godwin, UT Law School |"Neither am I anyone; I have dreamt the world as mnemonic@ccwf.cc.utexas.edu | you dreamt your work, my Shakespeare, and among mnemonic@walt.cc.utexas.edu | the forms in my dream are you, who like myself (512) 346-4190 | are many and no one." --Borges ------------------------------ >From: Douglas Mason Subject: Re: Legion of Doom Rebuttal to Moderator Reply-To: douglas@ddsw1.MCS.COM (Douglas Mason) Organization: ddsw1.MCS.COM Contributor, Mundelein, IL Date: Thu, 22 Mar 90 12:49:29 GMT I don't think that there is anyone out there saying that what those guys did was right in any way, shape or form. Granted, there are people out there that are probably saying to themselves "These guys were just trying to show what capitalistic pigs the government is and now they are being stomped on for exposing ... " You get the idea. I think (from the 60 or so messages that I received in the last few days) that the general opinion seems to be "Yes, these guys are very much in the wrong, BUT did their case deserve as much media hype as it has received?" Just the other day a group of people murdered a tax collector here. The papers made it out to be a joke and a "get back at the government" type of thing. I personally couldn't see the funny side of a 27 year old getting killed. Anyways, the article was towards the back of the paper (ie: not page one material) and was gone and forgotton immediately after. The infamous "LOD" busts, on the other hand, seem to be springing up again and again. Something else I noticed about the whole affair and LOD in general (before the big ordeal): A large chunk of the respect and whatnot over the group (in the hacker circles) seemed to be because LOD did very little "broadcasting" of the information they came up with collectively. On the other hand, if I had been "wired for sound" by some agency in the past, the LOD affair would have been over with much sooner, as all members seemed to be more than willing to give out information on CBI, Trans Union, SBDN, SCCS, ESACS, LMOS, Cosmos [insert favorite acrynom here] when they were approached individually. Last time I visited one of the infamous LOD people, he showed me how he could monitor phone lines remotely. Sounds like complete BS and it is a worn out subject as to if it can really be done, but he ran some Bell telco software and it allowed him to enter the number of any phone number that was serviced by his local CO (I believe) and then enter a callback number. While I stood there not believing him, the other phone rang, and sure enough, it was "testing for audio quality" on another line. He told me the acronym for the name of this software, but it slips my mind, as I no longer have any interest in that type of stuff. Point is that these guys were pretty trusting. If the feds wanted to get them, they could have done it long ago. My guess is that by this point they have MORE than enough evidence to prosecute these guys. There is absolutely no doubt in my mind about that. Douglas T. Mason | douglas@ddsw1.UUCP or dtmason@m-net | ------------------------------ Date: Thu, 22 Mar 90 13:20:10 CST >From: Scott Edward Conrad Subject: Re: Legion of Doom Rebuttal to Moderator Because I happened to start researching a paper on law applied to computer hacking, I have been following the LoD bust with great interest. Recently, someone mentioned that they didn't think these alleged perpetrators (sp?) deserved 31 years. Where did this number come from? According to the Computer Fraud and Abuse Act of 1984, there seem to be 3 areas covered: (see also Computer/Law Journal, Vol. 6, 1986) 1) It is a felony to access a computer without authorization to obtain classified US military or foreign policy info with the intent or reason to believe that such info will be used to harm the US or to benefit a foreign nation. 2) It is a misdemeanor to access a computer without authorization to obtain financial or credit info that is protected by federal financial privacy laws. 3) It is a misdemeanor to access a federal government computer without authorization and thereby use, modify, destroy, or disclose any information therein. (3) seems the most applicable. Where I am confused is whether or not the 911 code is considered government property. If it is, does this make Bell South, a federal government computer? What exactly are the LoD being tried for? (or has there been charges filed against them, or is the SS still gathering info?) Please send any thoughts to me. Scott Conrad sec0770@cec2.wustl.edu ------------------------------ >From: Gordon Burditt Subject: Re: Legion of Doom Rebuttal to Moderator Date: 24 Mar 90 10:21:24 GMT In article <5462@accuvax.nwu.edu> Gene Spafford writes: >that the crimes were committed. Search warrants require probable >cause and the action of judges who will not sign imprecise and poorly >targeted warrants. Material seized under warrant can be forced to be >returned by legal action if the grounds for the warrant are shown to >be false, so the people who lost things have legal remedy if they are >innocent. I don't believe it. It certainly doesn't work that way for non-computer crimes. Let's suppose I am a homeowner, and a burglar rips off my TV set. I surprise him, and he shoots me with my own gun. Later he is caught with the TV and the gun in his apartment. Can I get my TV set back before the trial? No. How about the gun (assuming it's legal for me to have it)? No. Does anyone seriously think I'm guilty of stealing my own TV or shooting myself with my own gun? (I got lucky and had a priest, two off-duty cops, and the mayor as witnesses). No. Does anyone think the TV and gun aren't mine? (They have my name engraved, and I have receipts.) No, but it doesn't matter. Do you really think that the operator of any BBS seized because it was used by crooks to exchange long-distance access codes is going to get his system back any time soon, even if the Feds are convinced of his innocence and active cooperation? Even if the active cooperation started before there were any access codes on the system, and the crooks were deliberately led to this system as part of a sting operation? No, it's evidence, and it will probably be released long after anyone convicted has served his sentence, and only after the owner has spent more in legal fees than the system is worth at the time of its return. I doubt also that the Feds are going to be helpful to a non-suspect BBS operator, and give him a copy of his own data, (They took all the backups) sanitized to remove anything illegal. Nope, all those disks with his tax records (which had nothing to do with the BBS) on them will have to be manually reconstructed, even if he can borrow a system somewhere. Gordon L. Burditt sneaky.lonestar.org!gordon ------------------------------ End of TELECOM Digest Special: LoD Rebuttals ******************************  Downloaded From P-80 International Information Systems 304-744-2253 12yrs+