------------------------------

From: Moderators (Jim Thomas)
Subject: Moving toward Common Ground? Reply to Gene Spafford
Date: April 26, 1991

********************************************************************
*** CuD #3.14: File 3 of 6: Moving toward Common Ground? ***
********************************************************************

Gene Spafford's comments raise a number of issues, and my guess is that he and other "moderates" are not that far apart from those of us considered "extremists." His post was sent in March, but we received it on April 24, so some of his comments about Len Rose have already received sufficient response (see Mike Godwin in CuD 3.13). We are more concerned with the potential points of convergence on which "moderates" and "radicals" might agree.

Gene raises several issues:

1) The tone of some critics of recent "hacker" cases tends to be divisive and inhibits coming together on common ground;

2) There exists a danger in "crying wolf" in that cases in which legitimate abuses may have occurred or that directly raise important issues about civil liberties will be ignored because of excessive concern with cases that are perceived as less meritorious or in which the defendants may not seem sympathetic;

3) An aggressive social response is required to reverse the apparent trend in computer abuse.

We disagree with none of these issues. There is, however, room for legitimate disagreement on how these issues should be addressed, and there is room for conciliation and compromise.

Although many cases of law enforcement response to alleged computer abuse have been reported, only a few have generated any significant attention. These cases have not generally centered around issues of guilt or innocence, but on broader concerns. Other than general reporting of cases, CuD's own attention has been limited to:

1. STEVE JACKSON GAMES: Few, if any, think the search of Steve Jackson's company and seizure of his equipment was acceptable.
The seizure affidavit indicated that the justification for the raid was grossly exaggerated and its implementation extreme. There have been no arrests resulting from that raid, but the questions it raised have not yet been resolved.

2. LEN ROSE: Whatever one thinks of Len Rose's behavior, the actions of AT&T and law enforcement raise too many issues to be ignored whatever Len's own culpability (or lack of it). The initial indictments, press releases, and prosecutor media comments connected Len to E911, the Legion of Doom, and computer security when the case was actually about possession of unlicensed proprietary software. We have never denied the importance of either issue. Our concern continues to be the misconceptions about the nature of the case, what we see as an extreme response to a relatively minor incident, and the way the laws were used to inflate charges. These are all debatable issues, but the nets were buzzing with claims of Len's guilt, the need to "send a message to hackers," and other claims that reinforced the legitimacy of charges and sanctions that still seem inappropriate. The fact that some still see it as a security case, others as a piracy case, others as justice-run-amok, and still others as a signal to examine the limits of criminalization illustrates the significance of the events: If we can't agree on the issues involved without yelling at each other, then how can we even begin to address the issues?

3. CRAIG NEIDORF/PHRACK: When the prosecution dropped the case against Craig Neidorf for publishing alleged proprietary information valued at nearly $80,000, after it was found that the information was available to the public for under $14, most people thought it was a victory.
However, the logic that impelled prosecution did not stop with Craig, and our concern continues to be over the apparent unwillingness of some law enforcement agents to recognize that this was not just a prosecutorial "mistake," but part of a pattern in which excessive claims are made to justify raids, indictments, or prosecution.

4. THE HOLLYWOOD HACKER: Again, this is not a case of guilt or innocence, but one in which existing laws are sufficiently vague to over-criminalize relatively minor alleged acts. The apparent philosophy of prosecutors to "send a message" to "hackers" in a case that is not a hacker case but the sting of an investigative journalist seems another use of over-prosecution. There is also the possibility of a vindictive set-up by Fox of a freelance reporter who is alleged to have done what may be a common practice at Fox (see the post, this issue, citing Maury Povich).

5. RIPCO: Dr. Ripco's equipment was seized and his BBS shut down, but no charges have been filed against him. He remains in limbo, his equipment has not been returned, and he still does not know why. Here, the issues of sysop liability, the reliability of informants, and the legal status of private e-mail are raised.

6. THE "ATLANTA THREE": The Riggs, Darden, and Grant case became an issue after the guilty verdict. We can think of no instance of anybody ever defending the actions for which they were indicted or proclaiming them innocent after (or even before) their plea. At stake in the debates was not the issue of guilt or a defense of intrusions, but that of sentencing and the manner in which it was done.

7. OPERATION SUN DEVIL: Operation Sun Devil, according to those participating in it, began in response to complaints of fraudulent credit card use and other forms of theft. The "hacking community" especially has been adamant in its opposition to "carding" and rip-off.
Here, the issue was the intrusive nature of searches and seizures and the initial hyperbole of law enforcement in highly visible press releases in their initial euphoria following the raids. In an investigation that began "nearly two years" prior to the May 8, 1990 raids, and in the subsequent 12 months of "analysis of evidence," only two indictments have been issued. Both of those were relegated to state court, and the charges, in the scheme of white collar crime, are relatively minor. There have also been questions raised about whether the evidence for prosecution might not either have already existed prior to Sun Devil or could have readily been obtained without Sun Devil. The key to the indictment seems to be a ubiquitous informant who was paid to dig out dirt on folks. For some, Sun Devil raises the issue of use of informants, over-zealousness of prosecutors, and lack of accountability in seizures. We fully agree that if there is evidence of felonious activity, there should be a response. The question, however, is how such evidence is obtained and at what social and other costs.

Many may disagree with our perspective on these cases, but several points remain:

1) Each of them raises significant issues about the methods of the criminal justice system in a new area of law;

2) Each of them serves as an icon for specific problems (privacy, evidence, ethics, language of law, media images, sysop liability, to name just a few); and

3) In each of them, whatever the culpable status of the suspects, there exists an avenue to debate the broader issue of the distinction between criminal and simply unethical behavior.

Among the issues that, if discussed and debated, would move the level of discussion from personalities to common concerns are:

1. Overzealous law enforcement action: Prosecutors are faced with the difficult task of enforcing laws that are outstripped by technological change.
Barriers to this enforcement include lack of resources and technical expertise, ambiguity of definitions, and vague laws that allow some groups (such as AT&T), who themselves seem to have a history of attempting to use their formidable economic and corporate power, to jockey for legal privilege. Legal definitions of and responses to perceived inappropriate behavior today will shape how cyberspace is controlled in the coming decades. Questionable actions set bad precedents. That is why we refer to specific cases as ICONS that symbolize the dangers of over-control and the problems accompanying it.

2. Media distortions: This will be addressed in more detail in a future CuD, because it is a critically important factor in the perpetuation of the public's and law enforcement's misconceptions about the CU. However, concern for distortion should be expanded to include how we all (CuD included) portray images of events, groups, and individuals. Some law enforcers have complained about irresponsible media inaccuracy when the alleged inaccuracies have in fact come from law enforcement sources. But media (and other) distortion of CU news is not simply a matter of "getting the facts straight." It also requires that we all reflect on how we ourselves create images that reinforce erroneous stereotypes and myths that in turn perpetuate the "facts" by recursive rounds of citing the errors rather than the reality.

3. CuD AS PRO HACKER: The CuD moderators are seen by some as defending cybercrime of all kinds, and as opposing *any* prosecution of "computer criminals." Why must we constantly repeat that a) we have *never* said that computer intrusion is acceptable, and b) we fully believe that laws protecting the public against computer abuse are necessary? This, so I am told, "turns many people off." We have been clear about our position. There are occasions when discussion can reflect a variety of rhetorical strategies, ranging from reason to hyperbole.
As long as the issues remain forefront, there seems nothing wrong with expressing outrage as a legitimate response to outrageous acts.

4. Crime and ethics in the cyber-frontier: These issues, although separate, raise the same question. Which behaviors should be sanctioned by criminal or civil penalties, and which sanctioned by collective norms and peer pressure? Unwise acts are not necessarily criminal acts, and adducing one's lack of wisdom as "proof" of criminality, and therefore sanctionable, is equally unwise. There are degrees of abuse, some of which require criminal penalties, others of which do not. The CU has changed largely because the number of computer users has dramatically increased, so that the "bozo factor" (the point at which critical mass of abusing bozos has been reached, making them a group unto themselves) has a significant impact on others. There are also more opportunities not only to abuse, but to identify and apprehend abusers, which increases the visibility of the bozos. We can, as we did with the problems of crime, poverty, drugs, and other ills, declare a "war" on it (which most certainly means that we've lost before we've begun). Or, we can pursue a more proactive course and push for equitable laws and just responses to computer abuse while simultaneously emphasizing ethics. We fully agree that netethics should occur in schools, on the nets, in articles, and every other place where cybernauts obtain models and images of their new world. But, just as we should identify and work toward ethical behavior within the CU, we must also demand that others, such as AT&T, some law enforcement agents, BellSouth, et al., do the same. It is hardly ethical to claim that a commodity valued at under $14 is worth over $79,000, and it is hardly ethical to compare possession of proprietary software with index crimes such as theft, arson, or embezzlement.
Whether our own perspective is correct or not, the point is that what does or does not count as ethical behavior can no longer be assumed, but requires a level of debate that extends beyond netlynchings of individual suspects.

Gene Spafford, like many others who share his view, is a productive and competent computer specialist who sees the dark side of computer abuse because he defends against it. I, like many others who share my view, see the dark side of law enforcement because, as a criminologist, I have been immersed in the abuses and fight against them. Our different experiences give us different demons to fight, an occasional windmill or two with which to joust, and a dissimilar arsenal that we use in our battles. Nonetheless, even though there is not total agreement on precisely which is a windmill and which a monster, Gene suggests that there is shared agreement on a minimal common reality and some common goals for making it more manageable. I fully, absolutely, and unequivocally agree with Gene:

     I agree that free speech should not be criminalized. However, I also think we should not hide criminal and unethical behavior behind the cry of "free speech." Promoting freedoms without equal promotion of the responsibility behind those freedoms does not lead to a greater good. If you cry "wolf" too often, people ignore you when the wolf is really there.

I would only respond that his observation be taken to heart by all sides.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

Date: Thu, 18 Apr 91 16:57:35 EDT
From: CERT Advisory
Subject: CERT Advisory - Social Engineering