------------------------------ From: John Higdon and Dennis Rears Subject: More on Thrifty-Tel Date: June 25, 1991 ******************************************************************** *** CuD #3.23: File 1 of 4: More on Thrifty-Tel *** ******************************************************************** {Moderators' note: The following is reprinted from Telecom Digest} Date: Sat, 15 Jun 91 02:24 PDT From: John Higdon Mark Seecof quotes the {LA Times}: > ``Little Phone Company on a Hacker Attack'' > By Susan Christian, Times Staff Writer. On June 13, the {San Jose Mercury} ran a story about Ms. Bigley's courageous efforts. The writer, Alex Barnum, did a little more investigating and presented a little more balanced picture than Ms. Christian. Excerpts below: Firm's Big Phone Fees Hang up Hackers by Alex Barnum, Mercury Staff Writer "A year ago, Thrifty Tel Inc. won approval from the state Public Utilities Commission ot charge unauthorized users of its long-distance lines a 'special' rate: a $3,000 'set-up' charge, a $3,000 daily line fee, $200 an hour for labor and the costs of investigating and prosecuting the offender. "Since then, the Garden Grove company has netted $500,000 and caught 72 hackers, ranging from an 11-year-old girl to a grandma-grandpa team of professional phone hackers." [Doesn't sound as if Thrifty Tel came off too badly on that one, does it? That's $500,000 NET profit on hackers. JH] "But while many have applauded Thrifty Tel's ingenuity, others have criticized the company for taking the law into its own hands. Some Los Angeles law enforcement officials, in fact, say the approach borders on extortion ... "Others charge that Thrifty Tel is deliberately baiting its long-distance system with lax security to catch hackers and bring in new revenue. Thrifty Tel is 'a vigilante,' says John Higdon, a San Jose phone network expert." [blush].... "Even a single call can cost a hacker more than $6,000. And Thrifty Tel charges an extra $3,000 for every access code the hacker uses. Since about half of Thrifty Tel's hacker 'customers' are minors, their parents usually wind up footing the bill. "Moreover, as a condition of the settlement, Thrifty Tel requires hackers to hand over their computers which mirrors a provision in the criminal code. Bigley usually turns the computer over to authorities, although she says she kept one once. [She kept more than that according to her own conversation with me. JH] "While praising Bigley's basic strategy, law enforcement officials say she has taken it a step too far. 'She can threaten a civil suit, but not criminal charges,' says one official. 'You don't use a criminal code to enforce a civil settlement.'"... "Other critics charge that Thrifty Tel is deliberately baiting hackers with antiquated switching technology and short access codes that are easier to hack than the more modern, secure technology and 14-digit access codes of the major long-distance carriers." Mr. Barnum has all the quotes from Ms. Bigley that the {LA Times} article had, which essentially contain the circular argument that it costs money to upgrade to FGD and why should Thrifty have to spend that money on account of "thugs and criminals" while whining about all the losses suffered at the hands of the hackers. Thrifty's technique looks more like a profit center than hacker "prevention". **************************************************************** {Moderators' note: The following is reprinted from TELECOM Digest, #476}. Date: Fri, 21 Jun 91 11:07:35 EDT From: "Dennis G. Rears (FSAC)" Subject: Re: Speaking in Defense of ThriftyTel (was Fighting Hackers) Kurt Guntheroth writes: > John Higdon says: >> Mr. Barnum has all the quotes from Ms. Bigley that the {LA Times} >> article had, which essentially contain the circular argument that it >> costs money to upgrade to FGD and why should Thrifty have to spend >> that money on account of "thugs and criminals" while whining about all >> the losses suffered at the hands of the hackers. Thrifty's technique >> looks more like a profit center than hacker "prevention". > Let's suppose ThriftyTel is deliberately baiting hackers (though using > older equipment because it is cheap sounds more reasonable to me). > How can this be considered more reprehensible than stealing network > services in the first place? I find it quite just that a company > should hang hackers with their own rope. If ThriftyTel was posting > the access codes on pirate BBS's, this might be going a bit too far on > the entrapment side, but there is no evidence this is happening. Have you ever heard of an attractive nuisance? Granted it may be stretching a point, but hey we are talking about California? :-) It could be argued that ThriftyTel has created an attractive nuisance by not securing their systems in accordance with industry standards; just like the homeowner who does not build a secure enough fence to keep the little cretins out of his/her pool. > And whoever asked whether ThriftyTel was inducing minors to enter into > an unenforceable contract, or an ex-post-facto contract, this may be > true. The hackers do have the option of refusing the contract and > letting ThriftyTel make good on its threat to initiate criminal > proceedings if it can. Probably most hackers, caught crouched over > the body with the smoking gun in their hand, and with the knowledge of > their guilt in mind, are reluctant to test their luck in court. Contract, hell it is extortion. As any first year law student could tell you the following must exist to be a contract: o legality of object # OK o mutual consideration # OK o contractual capacity # OK; minors create # a voidable contract o manifestion of consent (offer/acceptance) # NO o meeting of the minds The hacker is not aware of the offer (tariff), there is no manifestion of consent, and there is not meeting of the minds. Another point, California has the Uniform Commercial Code, thus the statue of frauds would apply. This means the contract (including acceptance) must be in writing for amount of over $500.00. One last point if they are saying a contract was formed, it becomes a civil matter only not a criminal. Either it is a contract in all cases or a contract in no cases. If they decide it is a contract they have to sue for breach of contract; they can't have criminal charges too. They must be consistent. BTW, I don't approve of what the hackers/phreakers are doing either, but ThriftyTel response is just as abusive of the laws as hackers/phreakers. We are still innocent until proven guilty, and there is no way I can tolerate any company or government "official" altering this. dennis +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Subject: Re: Speaking in Defense of ThriftyTel (was Fighting Hackers) Date: 21 Jun 91 12:32:56 PDT (Fri) From: John Higdon Kurt Guntheroth writes: > Record me as a supporter of ThriftyTel. You are overlooking a major flaw in Thrifty Tel's scam. In the United States, the system of jurisprudence requires the plaintiff in a civil case to 1.) prove damages and 2.) show mitigation of damages. Thrifty Tel does neither. In a five-day period, Thrifty Tel whisked a "Hacker Tariff" through the CPUC without comment, showing, documentation, or any justification WHATSOEVER. This tariff, which provides for "charges" that are around three hundred times the company's going rate for services, is then used in civil suits to claim damages. Thrifty Tel sits back in court, presents the logs showing the intruder's usage and then holds up this bogus tariff. In other words, TT has at no time ever proved its claim for the extortion it pulls on the "criminals and thugs" that it so actively crusades against. Concerning point two, let me give you an analogy. Let us suppose that I have decided to go into the banking business, but find that the cost of constructing a vault is prohibitively expensive. So I leave all the cash sitting around in the tellers' drawers. Word gets around that my bank is an easy mark, and consequently I find that frequently the cash has been cleaned out by thieves the night before. To combat this, I install a very sophisticated intrusion detection system with cameras and the like. I am now able to identify the thieves and I manage to get a law passed that allows my bank to claim damages against the burglars at about three hundred times the value of the cash stolen. Obviously, a bank vault would solve the lion's share of my problem, but why should I have to pay for a vault when it is "criminals and thugs" that are at the root of my "losses"? This is precisely the argument that TT uses when it is suggested that it upgrade its equipment and use FGD instead of FGB. Of course, FGD would not allow it to skim intraLATA traffic from Pac*Bell as it now does, but that is a different matter altogether. Believe me when I tell you that Thrifty Tel has no moral high ground to stand on. John Higdon (hiding out in the desert) ******************************************************************** >> END OF THIS FILE << ***************************************************************************