****************************************************************************
                >C O M P U T E R   U N D E R G R O U N D<
                              >D I G E S T<
             ***  Volume 1, Issue #1.11 (May 29, 1990)   **
****************************************************************************

MODERATORS:   Jim Thomas / Gordon Meyer
REPLY TO:     TK0JUT2@NIU.bitnet

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views.
--------------------------------------------------------------------
DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections.
--------------------------------------------------------------------

***************************************************************
***  Computer Underground Digest Issue #1.09 / File 4 of 4  ***
***************************************************************

------------------------
At least five different people contributed to the following independently of each other. The moderators edited the comments and added a few transitions to turn them into a single file.
------------------------

Folksinger Woody Guthrie was once asked by the "Ladies' Auxiliary" to write a song about them and get the name of their group in as many times as he could. In sarcastic jest, he did, slipping it into almost every line. The Secret Service press release and the prepared statement by SS Assistant Director Garry M. Jenkins describing Operation Sun Devil (OSD) (they can't decide whether it's one or two words in their release) would have made Woody smile.

Typical of self-serving witch hunting documents, the release extols the virtues of the Secret Service's vigilance against the social threat of the dreaded computer underground. Both make sure the public knows who is in charge, who is doing the saving, and who is on the front line protecting rights.
Typical of witch hunting documents, it alludes, without facts, to a serious harm of substantial magnitude. Both identify a general menace, computer crime, and then, through subtle twists of phrase, lump a variety of illegal activities into a broad category called COMPUTER CRIME. From there, it takes only minimal effort to depict a national threat from which the SS will save us:

     The Secret Service will continue to investigate aggressively
     those crimes which threaten to disrupt our nation's businesses
     and government services (Garry M. Jenkins, OSD prepared
     statement).

There are clearly computer-related crimes that require vigorous investigation, prosecution, and punishment. However, judging from the knowledge of the CU displayed by prosecutors--as revealed in their press releases, public and other interviews, conference papers, and published articles--few law enforcement officials are sufficiently familiar with the CU to be able to distinguish between crime, abuse, and legitimate Constitutionally-protected communications. When even experienced prosecutors or researchers (e.g., Kenneth Rosenblatt's presentations to the NIJ Computer Crime Conference, 1989; McEwen's book, "Dedicated Computer Crime Units," NIJ, 1989) call ALL boards they dislike "pirate" boards and are unaware of the fundamental differences between CU groups (hackers, pirates, cyberpunks), how can we have *any* confidence in their scare tactics that raise images of computer demons running amok? These are not mere quibbles over semantics, but raise fundamental (and frightening) issues of the competency of these people to protect innocent parties or identify real threats.

The press release re-affirms the commitment of the SS and others to protect "private and governmental agencies which have been targeted by computer criminals." To the average citizen, this may sound re-assuring.
Unfortunately, and the irony surely is lost on the SS, OSD indeed "exemplifies the commitment" of federal agencies, and it is a commitment quite unconcerned with individual rights.

Crimes committed with computers are wrong. Period! But, there are existing laws against fraud, whether through illegal use of long distance access codes or credit cards. It is certainly dangerous to muck about in hospital records, and trashing others' computers or files is clearly potentially serious. However, few p/h types engage in such behavior, contrary to whatever "facts" are in possession of the SS.

Perhaps the targets of OSD have ripped off $50 million as some sources have reported. But when asked for concrete estimates of the losses or for the formula by which they calculated it, they remain silent.

Clifford Stoll misleadingly links hackers and virus spreaders in THE CUCKOO'S EGG. Jenkins claims that some hackers move on to plant computer viruses. Sounds dangerous, right? But, by definition, creating and planting a virus requires knowledge of programming and computer entry, and to equate computer underground activity with viruses is like equating learning to drive a car with drunken driving. "Hey! Some drivers move on to other destructive activities, like bank robbery, so let's stamp out drivers!" Perhaps a hacker or two might plant a virus. But virus-spreaders are considered irresponsible, and they affect *ALL* members of the computer-using community, and virus planting is not something accepted among the computer underground, period!

Perhaps they have arrested 9,000 computer abusers as implied by Jenkins' comments, but when asked, sources with whom I have spoken cannot give a figure and indicate they cannot even begin to estimate the number of "hackers" arrested.

The SS assumes anybody involved in a computer crime is a computer undergrounder out to subvert democracy.
Unfortunately, the only members they come in contact with are those whom they suspect of wrong-doing or who might possess evidence of it. This gives them an understandably distorted view. However, rather than critically examine their own views, they proceed as if everybody is equally guilty, which feeds the media and public hysteria.

Let's take an example. RipCo, a Chicago computer underground board, had 606 users when it was raided. A scan of RipCo's message logs over a six month period indicates that, at most, barely three percent of the callers could even remotely be classified as "illegal users," as defined by the posting of codez or other information of a questionable nature. Of these, about half of the message content was clearly erroneous or fraudulent, suggesting that the caller either made up the information or posted information so old as to be irrelevant. It is also possible that some of the postings were by law enforcement agents attempting to insinuate themselves to build credibility for themselves. On no-longer operative "hard-core" elite p/h boards, we have found that even on the higher access levels, a surprisingly small number of participants actually engaged in significant criminal activity of the type that would warrant an investigation.

Yes, some CU types do commit illegal acts. And five years ago, perhaps more did. If the SS confined itself to prosecuting substantive crimes, we would not complain much. Currently, however, they are sweeping up the innocent by closing down boards, intimidating sysops of legitimate boards, creating a chilling effect for speech, and confiscating equipment of those unfortunate enough to be in the way.

We are hardly romanticizing criminal behavior. Carding is wrong, violating the privacy of others is unethical, and obtaining goods or services fraudulently is illegal.
But the SS is throwing out the baby with the bath water and irresponsibly fueling the fires of public hysteria with inflammatory rhetoric and inappropriate zealousness.

What do we suggest be done about computer abuse? The following is hardly a complete list, but only a suggestive framework from which to begin thinking about alternatives.

1. There are already sufficient laws to prosecute fraud. We do not need more, as some prosecutors have called for. There is no sense in passing more laws or in strengthening existing laws relating to computer crime. The danger is the creation of more law so broad that misdemeanors can be prosecuted as felonies. We reject passing more laws because of the potential for infringing Constitutional rights.

2. Educate, don't inflame, the public. The best protection against computer invasion, whether by a hacker or virus spreader, is secure passwords, trustworthy diskettes, and backed up files. Computer literacy is a first line of defense.

3. Educate computer users early into the computer underground ethic of hackers and pirates. That ethic, which encourages respect for the property and privacy of others, has broken down in recent years. Too many in the new generation are coming into the culture with an "I want mine" attitude that is selfish and potentially destructive.

4. We agree with law enforcement officials who say that some of the younger abusers show early behavioral signs of potential abusive use. Parents should be made aware of these signs, but in a responsible manner, one that does not assume that any computer lover is necessarily a potential criminal.

5. Move away from criminalizing all forms of abuse as if they were alike. They are not. Even if a harm has occurred, civil courts may, in at least some cases, be more appropriate for processing offenders. Both adults and juveniles should be channelled into diversion programs that include community service or other productive sanctions.

6. Recognize that computer use *CAN* become obsessive. Although there is a fine line to tread here, the problem of "computer addiction" should be treated, not punished.

7. For minor offenses of juveniles, counselling with offender and parents may be more appropriate than punishment.

8. If criminal sanctions are imposed, community service could be more widely used rather than the harsh punishments some observers demand.

These are just a few of the possible responses to computer abuse. One need not agree with all, or any, to recognize that it is possible to both appreciate the computer underground while not tolerating serious abuses. The computer underground should be recognized as symptomatic of social changes in ethics, technology, societal attitudes, and other factors, and not simply as a "crime" that can be eradicated by going after alleged culprits. Solutions to abuse require an examination of the entire social fabric, to include how we try to control those we don't like.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
+                               END C-u-D, #1.11                              +
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+===+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=