------------------------------

From: mnemonic (Mike Godwin)
Subject: Response to RISKS DIGEST (#11.43-- Len Rose Case)
Date: Wed, 10 Apr 91 22:18:43 EDT

********************************************************************
***  CuD #3.13: File 2 of 4: Response to Len Rose Article (1)    ***
********************************************************************

{Moderators' Note: The following article was written by Mike Godwin in
response to a post by Jerry Leichter in RISKS #11.43.}

++++

Jerry Leichter <leichter@lrw.com> writes the following:

>With all the verbiage about whether Len Rose was a "hacker" and why he did
>what he in fact did, everyone has had to work on ASSUMPTIONS.

This is false. I have worked closely on Len's case, and have access to
all the facts about it.

>Well, it turns
>out there's now some data:  A press release from the US Attorney in Chicago,
>posted to the Computer Underground Digest by Gene Spafford.

In general, a press release is not data. A press release is a document
designed to ensure favorable press coverage for the entity releasing it.
There are a few facts in the press release, however, and I'll deal with
them below.

[Jerry quotes from the press release:]
> In pleading guilty to the Chicago charges, Rose acknowledged that when
> he distributed his trojan horse program to others he inserted several
> warnings so that the potential users would be alerted to the fact that
> they were in posession of proprietary AT&T information. In the text of
> the program Rose advised that the source code originally came from
> AT&T "so it's definitely not something you wish to get caught with."
> and "Warning: This is AT&T proprietary source code. DO NOT get caught
> with it."

Although I am a lawyer, it does not take a law degree to see that this
paragraph does not support Jerry's thesis--that Len Rose is interested
in unauthorized entry into other people's computers.  What it does
show is that Len knew that he had no license for the source code in
his possession. And, in fact, as a careful reader of the press release
would have noted, Len pled guilty only to possession and transmission
of unlicensed source, not to *any* unauthorized entry or any scheme
for unauthorized entry, in spite of what is implied in the press
release.

[Jerry quotes "Terminus's" comments in the modified code:]

>Hacked by Terminus to enable stealing passwords.
>This is obviously not a tool to be used for initial
>system penetration, but instead will allow you to
>collect passwords and accounts once it's been
>installed.  (I)deal for situations where you have a
>one-shot opportunity for super user privileges..
>This source code is not public domain..(so don't get
>caught with it).
>
>I can't imagine a clearer statement of an active interest in breaking into
>systems, along with a reasonable explanation of how and when such code could
>be effective.

Indeed, it *can* be interpreted as a clear statement of an active
interest in breaking into systems. What undercuts that interpretation,
however, is that there is no evidence that Len Rose ever broke into
any systems. Based on all the information available, it seems clear
that Rose had authorized access in every system for which he sought
it.

What's more, there is no evidence that anyone ever took Rose's code
and used it for hacking. There is no evidence that anyone ever took
any *other* code of Rose's and used it for hacking.

What Rose did is demonstrate that he could write a password-hacking
program. Jerry apparently is unaware that some computer programmers
like to brag about the things they *could* do--he seems to interpret
such bragging as evidence of intent to do illegal acts. But in the
absence of *any* evidence that Rose ever took part in unauthorized
entry into anyone's computers, Jerry's interpretation is unfounded,
and his posted speculations here are both irresponsible and cruel, in
my opinion.

Rose may have done some foolish things, but he didn't break into
people's systems.

>The only thing that will convince me, after reading this, that Rose was NOT an
>active system breaker is a believable claim that either (a) this text was not
>quoted correctly from the modified login.c source; or (b) Rose didn't write
>the text, but was essentially forced by the admitted duress of his situation
>to acknowledge it as his own.

In other words, Jerry says, the fact that Rose never actually tried
to break into people's systems doesn't count as evidence "that Rose was
NOT an active system breaker."  This is a shame.  One would hope that
even Jerry might regard this as a relevant fact.

Let me close here by warning Jerry and other readers not to accept
press releases--even from the government--uncritically. The government
has a political stake in this case: it feels compelled to show that
Len Rose was an active threat to other people's systems, so it has
selectively presented material in its press release to support that
interpretation.

But press releases are rhetorical devices. They are designed to shape
opinion. Even when technically accurate, as in this case, they can
present the facts in a way that implies that a defendant was far more
of a threat than he actually was. This is what happened in Len Rose's
case.

It bears repeating: there was no evidence, and the government did not
claim, that Len Rose had ever tried to break into other people's
systems, or that he took part in anyone else's efforts to do so.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************