------------------------------

From: Gene Spafford
Subject: Comments on your comments on Len Rose
Date: Sat, 30 Mar 91 14:41:02 EST

********************************************************************
*** CuD #3.14: File 2 of 6: Comments on Len Rose Articles ***
********************************************************************

{Moderators' comment: Spaf just sent his latest book, PRACTICAL UNIX SECURITY, co-authored with Simson Garfinkel to the publishers (O'Reilly and Associates (the Nutshell Handbook people)). It's approximately 475 pages and will be available in mid-May. From our reading of the table of contents, and from preview comments ("definitive," destined to be the "standard reference"), it looks like something well-worth the $29.95 investment.}

There is little doubt that law enforcement has sometimes been overzealous or based on ignorance. That is especially true as concerns computer-related crimes, although it is not unique to that arena. Reporting of some of these incidents has also been incorrect. Obviously, we all wish to act to prevent future such abuses, especially as they apply to computers.

However, that being the case does not mean that everyone accused under the law is really innocent and the target of "political" persecution. That is certainly not reality; in some cases the individuals charged are clearly at fault. By representing all of them as innocents and victims, you further alienate the moderates who would otherwise be sympathetic to the underlying problems. By trying to represent every individual charged with computer abuse as an innocent victim, you are guilty of the same thing you condemn law enforcement of when they paint all "hackers" as criminals.

In particular, you portray Len Rose as an innocent whose life has been ruined through no fault of his own, and who did nothing to warrant Federal prosecution. That is clearly not the case.

Len has acknowledged that he was in possession of, and trafficking in, source code he knew was proprietary. He even put multiple comments in the code he modified stating that, and warning others not to get caught with it. The patch he made would surreptitiously collect passwords and store them in a hidden file in a public directory for later use. The argument that this patch could be used for system security is obviously bogus; a system admin would log these passwords to a protected, private file, not a hidden file in a public directory.

Further, your comments about having root access are not appropriate, either, for a number of reasons -- sometimes, root access can be gained temporarily without the password, so a quick backdoor is all that can be planted. Usually, crackers like to find other ways on that aren't as likely to be monitored as "root", so getting many user passwords is a good idea. Finally, if passwords got changed, this change would still allow them to find new ways in, as long as the trojan wasn't found.

The login changes were the source of the fraud charge. It is certainly security-related, and the application of the law appears to be appropriate. By the comments Len made in the code, he certainly knew what he was doing, and he knew how the code was likely to be used: certainly not as a security aid. As somebody with claimed expertise in Unix as a consultant, he surely knew the consequences of distributing this patched code.

An obvious claim when trying to portray accused individuals as victims is that their guilty pleas are made under duress to avoid further difficulties for their family or some other third party. You made that claim about Len in your posting. However, a different explanation is just as valid -- Len and his lawyers realized that he was guilty and the evidence was too substantial, and it would be more beneficial to Len to plead guilty to one charge than take a chance against five in court. I am inclined to believe that both views are true in this case.

Your comments about Len's family and career are true enough, but they don't mean anything about his guilt or innocence, do they? Are bank robbers or arsonists innocent because they are the sole means of support for their family? Should we conclude they are "political" victims because of their targets? Just because the arena of the offenses involves computers does not automatically mean the accused is innocent of the charges. Just because the accused has a family which is inconvenienced by the accused serving a possible jail term does not mean the sentence should be suspended.

Consider that Len was under Federal indictment for the login.c stuff, then got the job in Illinois and knowingly downloaded more source code he was not authorized to access (so he has confessed). Does this sound like someone who is using good judgement to look out for his family and himself?

It is a pity that Len's family is likely to suffer because of Len's actions. However, I think it inappropriate to try and paint Len as a victim of the system. He is a victim of his own poor judgement. Unfortunately, his family has been victimized by Len, too.

I share a concern of many computer professionals about the application of law to computing, and the possible erosion of our freedoms. However, I also have a concern about the people who are attempting to abuse the electronic frontier and who are contributing to the decline in our freedoms. Trying to defend the abusers is likely to result in a loss of sympathy for the calls to protect the innocent, too. I believe that one reason the EFF is still viewed by some people as a "hacker defense fund" is because little publicity has been given to the statements about appropriate laws punishing computer abusers; instead, all the publicity has been given to their statements about defending the accused "hackers."

In the long term, the only way we will get the overall support we need to protect innocent pursuits is to also be sure that we don't condone or encourage clearly illegal activities. Groups and causes are judged by their icons, and attempts to lionize everyone accused of computer abuse are not a good way to build credibility -- especially if those people are clearly guilty of those abuses.

The Neidorf case is probably going to be a rallying point in the future. The Steve Jackson Games case might be, once the case is completed (if it ever is). However, I certainly do not want to ask people to rally around the cases of Robert Morris or Len Rose as examples of government excess, because I don't think they were, and neither would a significant number of reasonable people who examine the cases.

I agree that free speech should not be criminalized. However, I also think we should not hide criminal and unethical behavior behind the cry of "free speech." Promoting freedoms without equal promotion of the responsibility behind those freedoms does not lead to a greater good. If you cry "wolf" too often, people ignore you when the wolf is really there.

********************************************************************
>> END OF THIS FILE <<
***************************************************************************