------------------------------ From: Moderators, J&B McMullen, and H. Silverglate and S. Beckman Subject: Business Week Article on The Dread Hacker Menace Date: April 15, 1991 ******************************************************************** *** CuD #3.12: File 3 of 4: Responses to Business Week Article *** ******************************************************************** In the April 15, 1991, issue of BUSINESS WEEK (p. 31), Mark Lewyn and Evan I. Schwartz combined to write "Why 'the Legion of Doom' has Little Fear of the Feds." The article has been criticized by attorneys, journalists, and computer professionals for its flagrant inaccuracies, potentially libelous commentary, and distortion of facts and issues. A superficial reading of the article might lead others to agree with the criticisms we print below. We, however, rather like the article and find it a refreshing narrative. Clearly, as we read Lewyn and Schwartz, they were writing satire. The article is obviously an attempt at postmodernist fiction in which truth is inverted and juxtaposed in playful irony in an attempt to illustrate the failure of Operation Sun Devil. The clever use of fiction underscores the abuses of federal and other agents in pursuing DHs ("Dreaded Hackers") by reproducing the symbols of bad acts (as found in government press releases, indictments and search affidavits) *as if* they were real in a deconstructionist style in which the simulacra--the non-real--become the substance. Let's take a few examples: In a table listing the suspect, the alleged crime, and the outcome of five hackers to show the "latest in a a series of setbacks for the government's highly publicized drive against computer crime (table)," the table lists Robert Morris, Steve Jackson, Craig Neidorf, the Atlanta Three, and Len Rose. Steve Jackson was not charged with a crime, even though the table tells us the case was dismissed for lack of evidence. The article calls Craig Neidorf a hacker (he was never charged with, nor is there any indication whatsoever, that he ever engaged in hacking activity), and fails to mention that the case was dropped because there was, in fact, no case to prosecute. We interpret this as a subtle way of saying that all innocent computerists could be accused of a crime, even if there were no evidence to do so, and then be considered a computer criminal. This, and other factual errors of readily accessable and common public knowledge suggests to us that the table is a rhetorical ploy to show the dangerous procedures used by the Secret Service. Why else would the authors risk a libel suit? In another clever bit of satirical prose, the authors write: Jerome R. Dalton, American Telephone & Telegraph Co.'s corporate security manager, is convinced that the feds simply can't convict. He points to Leonard Rose Jr., a computer consultant who pleaded guilty on Mar. 22 to wire-fraud charges in Chicago and Baltimore. Prosecutors said he sent illegal copies of a $77,000 AT&T computer-operating system known as Unix to hackers around the country after modifying it so it could be used to invade corporate and government systems. The article adds that Dalton contends that without AT&T's help, the government wouldn't have had a case. It was AT&T--not the feds--that verified that Rose wasn't a licensed Unix user and that the program had been modified to make breaking into computer systems easier." Now, this could be considered an innocuous statement, but the subtleness is obvious. To us, the authors are obviously saying that AT&T helped the feds by inflating the value of material available for about $13.95 to an astronomical value of $78,000 (later lowered to $23,000). And, why should the feds know who Unix is licensed to? Last we checked, AT&T, not the government, was responsible for keeping track of its business records, and AT&T was responsible for pursuing the charges. The Len Rose case was not a hacker case, the program was not sent to other "hackers," there was no evidence (or charges) that anybody had even tried to use the login.c program that allegedly was modified, and the case was not a hacker case at all, but rather a case about unlicensed software. So, it seems to us that the authors are trying to illustrate the arrogance of AT&T and the evidentiary aerobics used to try to secure indictments or convictions in cases that are more appropriately civil, rather than criminal matters. So, we say congrats to the authors for taking the risk to write news as fiction, and suggest that perhaps they should consider changing their career line. But, we recognize that others might interpret article as irresponsible, ignorant, and journalistically bankrupt. We reprint (with permission) two letters sent to Business Week in response to the article. Others wishing either to complain to BW or to commend their reporters on their fiction writing can fax letters to Business Week at (212) 512-4464. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ MCMULLEN & MCMULLEN, INC April 9, 1991 Readers Report Business Week 1221 Avenue of the Americas New York, NY 10020 Dear Madam or Sir, As a long time admirer of your coverage of technological issues, I was dismayed to find an appalling number of inaccuracies in "Why 'The Legion OF Doom' Has Little Fear Of The Feds" (BW, 04/15/91). The article, unfortunately, shows little attention to detail in its presentation of "facts" and winds up being unfair to those "accused" and law enforcement officials alike. The article states that Steve Jackson, "President of computer-game maker accused of publishing a 'handbook of computer crime' had his "case dismissed because of lack of evidence." In fact, Steve Jackson was never accused of anything (there was a remark made by a Secret Service Agent that the game about to be published read like a "handbook of computer crime" -- the game is a role playing game set in a future totalitarian society). Steve Jackson's computers, diskettes and printed records were seized pursuant to an investigation of one of his employees who was thought to be a recipient of information related to the investigation of Craig Neidorf's electronic publishing activities. Jackson's equipment has since been returned and law enforcement officials attending the recent "Computers, Freedom & Privacy" conference in San Francisco referred to the Jackson case as one that should not have happened (One of the authors of your piece, Evan Schwartz, was listed as an attendee at the conference. Copies of the search warrant used in obtaining Jackson's equipment were available to all attendees at the conference. The warrants clearly indicate that Jackson was not a subject of the investigation. It is my information that Jackson will shortly file suit against the government as a result of the damage that the "search and seizure" did to his business. I suggest that you, by your description, have made Jackson fit the public image of John Gotti -- a person "everyone knows is guilty" but for whom insufficient evidence exists to make him pay his just deserts. In Jackson's case, nothing could be further from the truth. The article states that Franklin Darden, Jr, Adam Grant and Robert Riggs were "each sentenced to one year split between a half-way house and probation." In fact, Riggs received 21 months in prison while Grant and Darden received 14 months with the stipulation that 7 may be served in a half-way house. Additionally, the three were ordered to jointly and/or separately make restitution to BellSouth for $233,000. After reading the article, I spoke to Kent Alexander, US Attorney responsible for the prosecution of Riggs, Darden and Grant to confirm the sentences. Alexander not only confirmed the sentences; he objected to the calling of the cases as other than a victory for the government (There are many in the computer community who feel that the sentence was, in fact, too harsh. None would consider it other than a government "victory".). Alexander also affirmed that each of the defendants is actually doing prison time, rather than the type of split sentence mentioned in the article. Alexander also told me, by the way, that he believes that he sent a copy of the sentencing memorandum to one of your reporters. The actual sentences imposed on Riggs, Darden and Grant also, of course, makes the article's statement that Rose's one-year sentence is "by far the stiffest to date" incorrect. The treatment of the Neidorf case, while perhaps not factually incorrect, was superficial to the point of dereliction. Neidorf, the publisher of an electronic newsletter, Phrack, was accused of publishing, as part of his newsletter, a document which later was proven to be unlawfully obtained by Riggs, Darden and Grant -- an activity that many saw as similar to the Pentagon Papers case. The case was, in fact, eventually dropped when it turned out that the document in question was publicly available for under $20. Many believe that the case should never have been brought to trian in the first place and it is to this kind of electronic publishing activity that Professor Tribe's constitutional amendment attempts to protect. It is a bit of a reach to call Neidorf a "hacker". He is a college senior with an interest in hacking who published a newsletter about the activities and interest of hackers. It is totally inaccurate to call Jackson a hacker, no matter what definition of that oft-misused terms is applied. The article further states that the target of the Sundevil investigation was the "Legion of Doom". According to Gail Thackeray, ex-Assistant Attorney General of the State of Arizona and one of the key players in the Sundevil investigation, and the aforementioned Kent Alexander (both in conversations with me and, in Thackeray's case, in published statements), this is untrue. The Legion of Doom was a loosely constructed network of persons who, it has been alleged and, in some cases, proven, illegally accessed computers to obtain information considered proprietary. The subjects of the Sundevil investigations were those suspected of credit card fraud and other crime for profit activities. On April 1st, commenting on the first major Sundevil indictment, Thackeray was quoted by the Newsbytes News Service as saying "The Sundevil project was started in response to a high level of complaint of communications crimes, credit card fraud and other incidents relating to large financial losses. These were not cases of persons accessing computers 'just to look around' or even cases like the Atlanta 'Legion of Doom' one in which the individuals admitted obtaining information through illegal access. They are rather cases in which the accused allegedly used computers to facilitate theft of substantial goods and services." The article further, by concentrating on a small number of cases, gives the reader the impression that so-called "hackers' are free to do whatever they like in the global network that connects businesses, government and educational institutions. There have been many arrests and convictions in recent months for computer crime. In New York State alone, there have been arrests for unlawful entries into PBX's, criminal vandalism, illegal access to computers, etc. Heightened law enforcement activity, greater corporate and government concern with security and a better understanding by "hackers" of acceptable limits are, if anything, making a safer climate for the global net while the concern of civil libertarians coupled with greater understanding by law enforcement officials seems to be reducing the possibility of frivolous arrests and overreaching. This improved climate, as evidenced by the recent conference on "Computers, Freedom and Privacy", is a far cry from the negative atmosphere evidenced in the conclusion of your article. I have spent the last few years discussing the issues of computer crime, access to information and reasonable law enforcement procedures with a wide range of individuals --police officers, prosecutors, defense attorneys, "hackers", civil libertarians, lawmakers, science fiction writers, etc. and have found that their opinions, while often quite different, warrant presentation to the general public. Unfortunately, your article with its factual errors and misleading conclusions takes away from this dialog rather than providing enlightenment; it is a great disappointment to one who has come to expect accuracy and insightful analysis from Business Week. I urge you to publish an article explaining these issues in full and correcting the many errors in the April 15th piece. Yours truly, John F. McMullen Executive Vice President +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Response #2 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ April 8, 1991 Readers Report Business Week 1221 Avenue of the Americas New York, NY 10020 Dear Editor, Mark Lewyn and Evan Schwartz are correct that the Secret Service's "Operation Sundevil" has been a disaster ("Why `The Legion of Doom' has little fear of the Feds", BW April 15th), but the rest of their article completely misses the point. The problem with the government's war on computers is not that "it's much harder to nail hackers for electronic mayhem than prosecutors ever imagined," but rather, that lack of computer sophistication has caused prosecutors and investigators to treat law-abiding citizens like criminals. Their reporting on Steve Jackson Games is particularly egregious. To call Steve Jackson a "suspect" in the "war on hackers" is to allege criminal conduct that even the government never alleged. Steve Jackson Games is a nationally known and respected, award-winning publisher of books, magazines, and adventure company was ever accused of any criminal activity. The government has verified that Jackson is not the target of any investigation, including "Operation Sundevil." There was no criminal case "dismissed because of lack of evidence" --there simply was no criminal case at all. Lewyn and Schwartz missed the real story here. Based on allegations by government agents and employees of Bellcore and AT&T, the government obtained a warrant to seize all of the company's computer hardware and software, and all documentation related to its computer system. Many of the allegations were false, but even if they had been true, they did not provide any basis for believing that evidence of criminal activity would be found at Steve Jackson Games. The Secret Service raid caused the company considerable harm. Some of the equipment and data seized was "lost" or damaged. One of the seized computers ran an electronic conferencing system used by individuals across the country to discuss adventure games and related literary genres. The company used the system to communicate with its customers and writers and to get feedback on new game ideas. The seizure shut the conferencing system down for over a month. Also seized were all of the current drafts of the company's about-to-be-released book, GURPS Cyberpunk. The resulting delay in the publication of the book caused the company considerable financial harm, forcing it to lay off half of its employees. Jackson has resuscitated his electronic conferencing system and his business. GURPS Cyberpunk was partially reconstructed from old drafts and eventually published. It has been nominated for a prestigious game industry award and is assigned reading in at least one college literature course. But what happened at Steve Jackson Games demonstrates the vulnerability of computer users -- whether corporate or individual -- to government ineptitude and overreaching. What the Secret Service called a "handbook for computer crime" was really a fantasy role playing game book, something most twelve-year-olds would have recognized after reading the first page. Sincerely, Harvey A. Silverglate Sharon L. Beckman Silverglate & Good Boston, Massachusetts Counsel for Steve Jackson Games ******************************************************************** >> END OF THIS FILE << ***************************************************************************