****************************************************************************
>C O M P U T E R U N D E R G R O U N D<
>D I G E S T<
*** Volume 2, Issue #2.17 (December 16, 1990) **
****************************************************************************

MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet)
ARCHIVISTS: Bob Krause / Alex Smith
RESIDENT INSOMNIAC: Brendan Kehoe

USENET readers can currently receive CuD as alt.society.cu-digest.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors, however, do copyright their material, and those authors should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

------------------------------

From: Electronic Frontier Foundation
Subject: EFF Response to Atlanta Sentencing Memorandum
Date: December 10, 1990

********************************************************************
*** CuD #2.17: File 3 of 7: EFF Response to Atlanta Sentencing ***
********************************************************************

EFF News #1.00: Article 7 of 7:
How Prosecutors Misrepresented the Atlanta Hackers

Although the Electronic Frontier Foundation is opposed to unauthorized computer entry, we are deeply disturbed by the recent sentencing of Bell South hackers/crackers Riggs, Darden, and Grant.
Not only are the sentences disproportionate to the nature of the offenses these young men committed, but, to the extent the judge's sentence was based on the prosecution's sentencing memorandum, it relied on a document filled with misrepresentations.

Robert J. Riggs, Franklin E. Darden, Jr., and Adam E. Grant were sentenced Friday, November 16 in federal court in Atlanta. Darden and Riggs had each pled guilty to a conspiracy to commit computer fraud, wire fraud, access-code fraud, and interstate transportation of stolen property. Grant had pled guilty to a separate count of possession of access codes with intent to defraud.

All received prison terms; Grant and Darden, according to a Department of Justice news release, "each received a sentence of 14 months incarceration (7 in a half-way house) with restitution payments of $233,000." Riggs, said the release, "received a sentence of 21 months incarceration and $233,000 in restitution." In addition, each is forbidden to use a computer, except insofar as such use may be related to employment, during his post-incarceration supervision.

The facts of the case, as related by the prosecution in its sentencing memorandum, indicate that the defendants gained free telephone service and unauthorized access to BellSouth computers, primarily in order to gain knowledge about the phone system. Damage to the systems was either minimal or nonexistent. Although it is well-documented that the typical motivation of phone-system hackers is curiosity and the desire to master complex systems (see, e.g., HACKERS: HEROES OF THE COMPUTER REVOLUTION, Steven Levy, 1984), the prosecution attempts to characterize the crackers as major criminals, and misrepresents facts in doing so.

Examples of such misrepresentation include:

1) Misrepresenting the E911 file.

The E911 file, an administrative document, was copied by Robert Riggs and eventually published by Craig Neidorf in the electronic magazine PHRACK.
Says the prosecution: "This file, which is the subject of the Chicago [Craig Neidorf] indictment, is noteworthy because it contains the program for the emergency 911 dialing system. As the Court knows, any damage to that very sensitive system could result in a dangerous breakdown in police, fire, and ambulance services. The evidence indicates that Riggs stole the E911 program from BellSouth's centralized automation system (i.e., free run of the system). Bob Kibler of BellSouth Security estimates the value of the E911 file, based on R&D costs, is $24,639.05."

This statement by prosecutors is clearly false. Defense witnesses in the Neidorf case were prepared to testify that the E911 document was not a program, that it could not be used to disrupt 911 service, and that the same information could be ordered from Bell South at a cost of less than $20. Under cross-examination, the prosecution's own witness admitted that the information in the E911 file was available in public documents, that the notice placed on the document stating that it was proprietary was placed on all Bell South documents (without any prior review to determine whether the notice was proper), and that the document did not pose a danger to the functioning of the 911 system.

2) Guilt by association.

The prosecution begins its memorandum by detailing two crimes: 1) a plot to plant "logic bombs" that would disrupt phone service in several states, and 2) a prank involving the rerouting of calls from a probation office in Florida to "a New York Dial-A-Porn number." Only after going to some length describing these two crimes does the prosecution state, in passing, that *the defendants were not implicated in these crimes.*

3) Misrepresentation of motives.

As we noted above, it has been documented that young phone-system hackers are typically motivated by the desire to understand and master large systems, not to inflict harm or to enrich themselves materially.
Although the prosecution concedes that "[d]efendants claimed that they never personally profited from their hacking activities, with the exception of getting unauthorized long distance and data network service," the prosecutors nevertheless characterize the hackers' motives as similar to those of extortionists: "Their main motivation [was to] obtain power through information and intimidation." The prosecutors add that "In essence, stolen information equalled power, and by that definition, all three defendants were becoming frighteningly powerful."

The prosecution goes to great lengths describing the crimes the defendants *could* have committed with the kind of knowledge they had gathered. The prosecution does not mention, however, that the mere possession of *dangerous* (and non-proprietary) information is not a crime, nor does it admit, explicitly, that the defendants never conspired to cause such damage to the phone system.

Elsewhere in the memorandum, the prosecution attempts to suggest the defendants' responsibility in another person's crime. Because the defendants "freely and recklessly disseminated access information they had stolen," says the memorandum, a 15-year-old hacker committed $10,000 in electronic theft. Even though the prosecution does not say the defendants intended to facilitate that 15-year-old's alleged theft, the memorandum seeks to implicate the defendants in that theft.

4) Failure to acknowledge the outcome of the Craig Neidorf case.

In evaluating defendants' cooperation in the prosecution of Craig Neidorf, the college student who was prosecuted for his publication of the E911 text file in an electronic newsletter, the government singles out Riggs as being less helpful than the other two defendants, and recommends less leniency because of this. Says the memorandum: "The testimony was somewhat helpful, though the prosecutors felt defendant Riggs was holding back and not being as open as he had been in the earlier meeting."
The memorandum fails to mention, however, that Riggs's testimony tended to support Neidorf's defense that he had never conspired with Riggs to engage in the interstate transportation of stolen property, or that the case against Neidorf was dropped. Riggs's failure to implicate Neidorf in a crime he did not commit appears to have been taken by prosecutors as a lack of cooperation, even though Riggs was simply telling the truth.

Sending a Message to Hackers?

Perhaps the most egregious aspect of the government's memorandum is the argument that Riggs, Grant, and Darden should be imprisoned, not for what *they* have done, but to send the right "message to the hacking community." The government focuses on the case of Robert J. Morris Jr., the computer-science graduate student who was sentenced to a term of probation in May of this year for his reckless release of the worm program that disrupted many computers connected to the Internet. Urging the court to imprison the three defendants, the government remarked that "hackers and computer experts recall general hacker jubilation when the judge imposed a probated sentence. Clearly, the sentence had little effect on defendants Grant, Riggs, and Darden."

The government's criticism is particularly unfair in light of the fact that the Morris sentencing took place almost a year *after* the activities leading to the defendants' convictions! (To have been deterred by the Morris sentencing, the Atlanta defendants would have to have been able to foretell the future.)

The memorandum raises other questions besides those of the prosecutors' biased presentation of the facts. The most significant of these is the government's uncritical acceptance of BellSouth's statement of the damage the defendants did to its computer system. The memorandum states that "In all, [the defendants] stole approximately $233,880 worth of logins/passwords and connect addresses (i.e., access information) from BellSouth.
BellSouth spent approximately $1.5 million in identifying the intruders into their system and has since then spent roughly $3 million more to further secure their network."

It is unclear how these figures were derived. The stated cost of the passwords is highly questionable: What is the dollar value of a password? What is the dollar cost of replacing a password? And it's similarly unclear that the defendants caused BellSouth to spend $4.5 million more than they normally would have spent in a similar period to identify intruders and secure their network.

Although the government's memorandum states that "[t]he defendants ... have literally caused BellSouth millions of dollars in expenses by their actions," the actual facts as presented in the memorandum suggest that BellSouth had *already embarked upon the expenditure of millions of dollars* before it had heard anything about the crimes the defendants ultimately were alleged to have committed. Moreover, if the network was insecure to begin with, wouldn't BellSouth have had to spend money to secure it regardless of whether the security flaws were exploited by defendants?

The Neidorf case provides an instructive example of what happens when prosecutors fail to question the valuations a telephone company puts on its damages. But the example may not have been sufficiently instructive for the federal prosecutors in Atlanta.

Not only are there questions about the justice of the restitution requirement in the sentencing of Riggs, Darden, and Grant, but there also are Constitutional issues raised by the prohibition of access to computers. The Court's sentencing suggests a belief that anything the defendants do with computers is likely to be illegal; it ignores the fact that computers are a communications medium, and that the prohibition goes beyond preventing future crimes by the defendants--it treads upon their rights to engage in lawful speech and association.
EFF does not support the proposition that computer intrusion and long-distance theft should go unpunished. But we find highly disturbing the misrepresentations of facts in the prosecutors' sentencing memorandum as they seek disproportionate sentences for Riggs, Darden, and Grant--stiff sentences that supposedly will "send a message" to the hackers and crackers. The message this memorandum really sends is that the government's presentation of the facts of this case has been heavily biased by its eagerness to appear to be deterring future computer crime.

********************************************************************
>> END OF THIS FILE <<
***************************************************************************