Computer Underground Digest--Thu Aug 1, 1991 (Vol #3.28)

>> SPECIAL ISSUE: RESPONSE TO FORESTER ARTICLE <<

Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)

Contents, #3.28 (August 1, 1991)
Subject: File 1--SPECIAL ISSUE: THE TOM FORESTER ARTICLE
Subject: File 2--CuD Review of _Computer Ethics_ (Reprint)
Subject: File 3--Re: Hackers - Clamp Down NOW!
Subject: File 4--Reply to Tom Forester Article

Administratia:

ARCHIVISTS: BRENDAN KEHOE
BOB KUSUMOTO
SCANMEISTER: BOB KRAUSE

CuD is available via electronic mail at no cost. Printed copies are available by subscription. Single copies are available for the costs of reproduction and mailing.

Issues of CuD can be found in the Usenet alt.society.cu-digest news group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM, on Genie, on the PC-EXEC BBS at (414) 789-4210, and by anonymous ftp from ftp.cs.widener.edu, chsun1.uchicago.edu, and dagon.acc.stolaf.edu. To use the U. of Chicago email server, send mail with the subject "help" (without the quotes) to archive-server@chsun1.uchicago.edu.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.
----------------------------------------------------------------------

Date: July 31, 1991
From: "The Moderators"
Subject: File 1--SPECIAL ISSUE: THE TOM FORESTER ARTICLE

A recently publicly posted reprint of a letter in an Australian newspaper, apparently originally done for the letter's author for the purpose of generating discussion on the nets, has provoked considerable discussion on usenet. The author of the letter, Tom Forester, has written several books on computers, including _Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing_; _High Tech Society: The Story of the Information Technology Revolution_; and (as editor) _Computers in the Human Context: Information Technology, Productivity, and People_.

Because of the stature of the author in some circles, and because of his gross inaccuracies, simplistic generalizations, flawed logic, and inflammatory call for "get-tough" measures against "hackers," we devote this issue to the letter and invite responses that we will print in a second special issue.

Because Forester's comments deviate so wildly from his book _Computer Ethics_, we thought the post might be a hoax, but upon checking were assured that it was indeed the same Tom Forester and that the post was legitimate. Despite the criticisms of the post on Usenet's comp.org.eff.talk, and despite the fact that the article was originally reported to be posted at his request as a way of generating discussion, he has not participated in the discussion.

Below, we first reprint the CuD review of _Computer Ethics_, which we liked, then a response to selected aspects of the public post by Mike Godwin, and finally a detailed reply by Jim Thomas, writing wearing his "professor of criminology" hat rather than CuD editor.
------------------------------

Date: July 31, 1991
From: "The Moderators"
Subject: File 2--CuD Review of _Computer Ethics_ (Reprint)

Date: March 8, 1991

********************************************************************
*** CuD #3.07: File 5 of 6: Book Review: Computer Ethics ***
********************************************************************

Review of COMPUTER ETHICS: CAUTIONARY TALES AND ETHICAL DILEMMAS IN COMPUTING, by Tom Forester and Perry Morrison. 1990. Oxford (Eng.): Basil Blackwell. 193 pp. (np). (Reviewed by Jim Thomas, Northern Illinois University).

The questions raised in the U.S. by Secret Service procedures in so-called "computer crime" investigations such as Operation Sun Devil, the growth in public computer literacy, and the general public recognition that computers are moving from the periphery to the center of social control and organizational operations make COMPUTER ETHICS a timely and worthwhile tome. Although both authors resided in Australia when the book was written (Tom Forester remains at Griffith University in Queensland and Perry Morrison is now at the University of Singapore), the work focuses primarily on the U.S. for examples, but draws as well from international data to argue that society has yet to confront the twin dilemmas of hardware and software malfunctions and misuse by humans.

In some ways, the book is misnamed. The themes are not restricted to those of ethics, but include as well risks to society by over-reliance on computer technology (especially when it fails) and to thornier social issues, such as privacy, the social implications of artificial intelligence, and the potential problems of the increasingly computerized workplace.
The authors organize each of the eight chapters around a specific issue (Our Computerized Society, Computer Crime, Software Theft, Hacking and Viruses, Unreliable Computers, The Invasion of Privacy, AI and Expert System, and Computerizing the Workplace), summarize the problems by drawing from an impressive wealth of data from conventional and other media, and conclude each chapter with a hypothetical example and set of questions that enhance the value of the work for college graduate and undergraduate classes. About one third of the book directly confronts computer crime and "computer underground" activities, such as piracy and hacking. There is no obvious ax-grinding, and especially with piracy the authors raise issues in a generally non-judgmental manner. They observe that an increasing number of software authors have recognized the general ineffectiveness of program-protecting their products and have increasingly moved away from the practice. However, the focus of the discussion avoids the type of "warez sharing" that occurs on pirate BBSs and begs the issue of swapping copyright programs without purchasing them. The discussion example focuses on the ethical issue of copy-protecting programs with a disk-wiping virus rather than using an example that teases out the nuances of using unpurchased software. I am also a bit troubled by the cursory attention given to the different types of piracy. Participants enmeshed in the "pirate culture" on BBSs would agree that theft of proprietary source code for profit or reselling copied programs is clearly wrong. Further, even within the computer underground, pirates range from "kids" who crack and swap games to older and more sophisticated users who simply enjoy collecting and examining various types of programs. 
Without teasing out the complexity of the pirate culture, many of the important issues are glossed over, such as the ethics of "fair use" to pre-test a program, the harm (or lack of it) in using a program that would not have been purchased, but whose use expands a product's visibility and reputation (thereby expanding the market), and the problem of an increasing array of available software that if purchased would exceed the resources of all but the most affluent computerists. In fairness, not all relevant ideas can be addressed in a single chapter, and the authors satisfactorily provoked enough questions to make this an interesting and useful section.

The most troublesome chapter, "Hacking and Viruses," simplifies the phreak/hacking community and alludes to studies that do not accurately reflect the computer underground. Although a relatively short and seemingly innocuous discussion, the section "why do hackers 'hack'?" cites studies suggesting that "severe social inadequacy" typifies many hackers. The authors do make it clear that there is no simple answer to explain motivation, but they tend to ignore the primary reasons cited by most hackers: The challenge, the excitement, and the satisfaction of success and increased knowledge. Granted, these reasons, too, are simplistic as a satisfactory explanation but they provide an antidote to the general imagery portrayed by law enforcement officials that hackers are dangerous social misfits and criminals who should be prosecuted to the full extent of the law.

Also troublesome is the inclusion of virus writers and spreaders with hacking activity. Hackers are as vehemently opposed to spreading viruses as law enforcement. In fact, hackers, because of their use of networks and reliance on smoothly functioning hardware, have far more to lose than the average computer user by their spread.
Nonetheless, the authors do raise a few questions about the differences in the various types of activity, asking, for example, whether system-browsing should be criminalized in the same way as other predatory behavior. The degree to which this chapter provokes disagreement and challenge to some of the claims (or vehement responses to some of the questions) is simply an indicator of the utility of this work both for stimulating thought and for generating discussion.

Although the remainder of the book is not as directly relevant to the CU community, it nonetheless provides interesting reading. The authors continually remind the reader that despite their benefits, computers possess numerous demonstrable dangers. The value of the work is not simply the admonition of the risks of computer misuse, but more importantly, that social attitudes, ethical issues, governmental policies, and social control strategies have lagged far behind in the need to be aware of how computers change our lives and how these changes may usher in new forms of social interaction for which we are unprepared as we cross into the cyber-frontier.

The authors' scholarship and documentation, although impressive, does not tempt them to fall back into academicese. The volume reads like a novel and--even where one might disagree with claims or conclusions--the provocations are stimulating rather than combative. In short, Computer Ethics is fun and worth reading.

------------------------------

From: mnemonic@eff.org (Mike Godwin)
Subject: File 3--Re: Hackers - Clamp Down NOW!
Date: 16 Jul 91 23:41:11 GMT

I am astonished both at the moral simplicity and the factual inaccuracy of Tom Forester's newspaper column. For details, see below.

In article <2118@limbo.Intuitive.Com> geo@manta.mel.dit.csiro.au (George Bray) writes [posting for Tom Forester]:

>It's about time we got tough with hackers and exposed them for
>the irresponsible electronic vandals they really are.
It certainly is time we got tough on "vandals." But it is well-established, in Tom Forester's own book COMPUTER ETHICS among other places, that there is more than one motivation for computer trespass. A "vandal," according to my dictionary at hand, is one who "willfully or maliciously defaces or destroys public or private property." Few if any of the particular cases Forester cites below are cases that a native speaker of the English language would normally call "vandalism" ... unless his intent were to provoke an emotional reaction rather than a reasoned assessment of a problem. But the use of this term is among the smallest of the faults in Forester's piece.

>Breaking into a computer is no different from breaking into your
>neighbour's house. It is burglary plain and simple - though often
>accompanied by malicious damage and theft of information.

Nothing is "plain" or "simple" about analogizing computer trespass to burglary. The English common law that informs the British, American, and Australian legal systems has always treated burglary harshly, primarily because it involves a threat to the victim's *residence* and to his *person*. But computer intrusion in general, and the cases Forester discusses in particular, pose neither threat. A mainframe computer at a university or business, while it clearly ought to be protected "space" under the law, is not a house "plain and simple." The kind of invasion and the potential threat to traditional property interests is not the same.

Consider this: anyone who has your phone number can dial your home--can cause an electronic event to happen *inside your house*. That "intruder" can even learn things about you from the attempt (especially if you happen to answer, in which case he learns your whereabouts). Do we call this attempted burglary? Do we call it spying or information theft? Of course not--because we're so comfortable with telephone technology that we no longer rely on metaphors to do our thinking for us.
Whenever anyone glibly asserts that computer intrusion is just like burglary ("plain and simple"), he is showing that he knows very little, if anything, about the history and character of the concept of burglary.

This is not a semantic quibble. It is a dispute about metaphors. The metaphor you choose dictates your emotional response. Is computer intrusion *truly* like burglary "plain and simple"? Or is it like trespass--the kind in which the neighborhood kid leaps your fence to swim in your private pool at midnight. Both acts should be illegal, but one is taken far more seriously than the other.

This is not to say that all computer intrusion is innocuous. Some of it is quite harmful--as when a true "vandal" runs programs that damage or delete important information. But it is important to continue to make moral and legal distinctions, based on the intent of the actor and the character of the damage. Tom Forester seems to want to turn his back on making such distinctions. This, to me, is a shameful position to take.

So much for the moral argument--let's look at Forester's factual errors. There are many egregious ones.

>Last year, the so-called 'Legion of Doom' managed to completely
>stuff up the 911 emergency phone system in nine US states, thus
>endangering human life. They were also later charged with trading
>in stolen credit card numbers, long-distance phone card numbers
>and information about how to break into computers.

Only a person who is willfully ignorant of the record could make these statements. The so-called Legion of Doom never damaged or threatened to damage the E911 system. If Forester had done even minimal research, he could have discovered this. What they did, of course, was copy a bureaucratic memo from an insecure Bell South computer and show it to each other. At the trial of Craig Neidorf, who was charged along with Legion of Doom members, it was revealed that the information in that memo was publicly available in print.
Thus, there was no proprietary information involved, much less a threat to the E911 system. Forester is simply inventing facts in order to support his thesis. For an academic, this is the gravest of sins.

>Leonard Rose Jr. was charged with selling illegal
>copies of a US $77,000 AT&T operating system.

Len Rose was never charged with "selling" anything.

>Robert Morris, who launched the disastrous Internet worm, got a
>mere slap on the wrist in the form of a US $10,000 fine and 400
>hours' community service.

If Forester had investigated the case, he might have discovered an explanation for the lightness of Robert Morris Jr.'s sentence: that Morris never intended to cause any damage to the networks. In any case, Morris hardly qualifies as a "hacker" in the sense that Forester uses the word; by all accounts, he was interested neither in "theft" nor "burglary" nor "vandalism." The interference with the functioning of the network was (again, by all accounts) accidental. Of course, making such subtle distinctions would only blunt the force of Forester's thesis, so he chooses to ignore them.

>Instead, he tends to spend his time with the computer, rising at
>2pm, then working right through to 6am, consuming mountains of
>delivered pizza and gallons of soft drink.

This is the kind of stereotyping that Forester should be embarrassed to parrot in a public forum.

>Some suffer from what Danish doctors are now calling "computer
>psychosis" - an inability to distinguish between the real world
>and the world inside the screen.
>
>For the hacker, the machine becomes a substitute for human
>contact, because it responds in rational manner, uncomplicated by
>feelings and emotions.

And here Forester diagnoses people whom he has never met. One is forced to wonder where Forester acquired his medical or psychiatric training. Of the people whose names he blithely cites above, I have met or spoken to half a dozen.
None of them has been confused about the difference between computers and reality, although it may be understandable that they prefer working with computers to working with people who prejudge them out of hatred, ignorance, or fear.

>One day, these meddlers will hack into a vital military, utility
>or comms system and cause a human and social catastrophe. It's
>time we put a stop to their adolescent games right now.

History suggests that we have far more to fear from badly designed or overcomplex software than from hackers. Recent failures of phone networks in the United States, for example, have been traced to software failures.

Even if we grant that there are some hackers with the ability to damage critical systems, the question Forester fails to ask is this: Why hasn't it happened already? The answer seems to be that few hackers want to damage or destroy the very thing they are interested in exploring.

Of course, there are some "vandals" out there, and they should be dealt with harshly. But there are far more "hackers" interested in exploring and understanding systems. While they may well violate the law now and then, the punishments they earn should take into account both their intentions and their youth.

It has been noted many times that each generation faces the challenge of socializing a wave of barbarians--its own children. We will do our society little good if we decide to classify all our half-socialized children into criminals. For an ethicist, Forester seems to have given little thought to the ethics of lumping all computer trespass into one category of serious crime.

Mike Godwin is staff counsel for the Electronic Frontier Foundation and has written on the topic of law and cyberspace.

------------------------------

Date: July 31, 1991
From: jthomas@well.sf.ca.us
Subject: File 4--Reply to Tom Forester Article

The post by Tom Forester is surprising both for its strident tone and ill-conceived agenda.
Normally, there will be consistency between scholars' findings and the pronouncements they make derived from such findings. This is not simply an intellectually ethical practice, but responsible discourse as well. We all succumb to occasional hyperbole, factual faux pas, or miswordings that create ambiguity or misunderstandings--a gap between what we intend to say and what we actually do say. However, the Forester article is recklessly flawed and is compounded by the fact that his errors are in an area in which he claims special expertise. His claims require a detailed response lest his readers grant the post more credibility than is justified.

It appears that the letter is quite at odds with his book, (co-authored with Perry Morrison). It is always possible that the co-author wrote the passages cited below, but when any work is co-authored, the norm is to assume joint responsibility for the entirety unless otherwise indicated. There is no indication that Tom Forester detached himself from any of the book's contents. What is troublesome is not that Forester seems to disassociate himself from passages in the work, but that he actually seems unaware of arguments that bear his name.

The post, as it appeared publicly in several sources on the net, began as follows:

>A colleague recently published this article in the computer section
>of 'The Australian' newspaper last week. He thought it might interest
>newspaper form.
>
>George Bray [posting for Tom Forester]
>
>
>
>Opinion: "Hackers: 'Clamp Down Now' "
>
>The Australian, 2 July 1991, page 34.
>

Forester's point is quite clear:

>It's about time we got tough with hackers and exposed them for
>the irresponsible electronic vandals they really are.
>
>Jailing a few of these malicious meddlers would set an example to
>other would-be data thieves and help stem the tide of
>computerized anarchism which is threatening to engulf the IT
>industry.
In the space of a few sentences, Forester categorically reduces the meaning of the term "hacker" to one denoting "vandals," "meddlers," "data thieves," and "anarchism." "Hackers" is a broad term referring on one hand to what Bob Bickford describes as "any person who derives joy from discovering ways to circumvent limitations" to, on the other, the cybervandals who trash systems. The broad use of the term to define any computer behavior that displeases us contributes to public misunderstanding and to law-enforcement excesses by expanding categories of people eligible for prosecution. For example, if I have committed no violation of law, but publicly call myself a "hacker" in Bob Bickford's sense, such a claim could be adduced as evidence against me in the event I were to come under investigation. No definitions are written in stone. However, words have meanings, and meanings connote images and metaphors. Forester's metaphors reinforce the ill-considered images reflected in the most abusive search warrants in several 1990 raids in the U.S. (e.g., Craig Neidorf, Steve Jackson Games, Len Rose, Ripco BBS). The hacker imagery painted by Forester has no hues or shades--only black and white icons reflecting the ancient battle between the forces of light and darkness. Most hackers aren't "meddlers" or data thieves. Like most crimes, there is a continuum ranging from simple curiosity to harmful intrusion. Forester also fails to mention that, whatever the excesses of even the most malicious intruders, "hackers" are not responsible for the bulk of computer crime. According to virtually all studies, most "computer crime" is done from the inside (estimates range from 60-80 pct). A significant proportion of the remainder is done by computer literate rip-off artists whose purpose is larceny rather than exploratory curiosity or illicit--but still relatively benign--behavior. 
One need not approve of intrusions to recognize that there are differences between types of abuse and methods of responding to these different types. In his article, Forester makes no distinctions between categories of "hacker" or types of hacks. He refers simply to "electronic vandals," hardly a value-neutral (or accurate) label. This is a radical departure from _Computer Ethics_ (pp 40-44), in which clear distinctions are made, an even-handed treatment of the risks and problems is presented, and "hacking" is explicitly distinguished from computer crime, something not done in his article.

>Breaking into a computer is no different from breaking into your
>neighbour's house. It is burglary plain and simple--though often
>accompanied by malicious damage and theft of information.
>Sometimes--as in the case of stolen credit card numbers--it is
>followed by fraud.
>
>The essence of hacking is that it is about gaining unauthorized
>access to other peoples' systems. It is an activity which has not
>been sanctioned by or approved of by the system's owner, be they
>private or public.

The phrase "plain and simple" usually reflects an attempt to silence differing views by rejecting at the outset any possibility of alternative meanings or points of view. The complexity of computer abuse and the failure of law to catch up with rapidly changing technology and the problems this creates for law enforcement and others is plainly obvious but hardly simply resolved by crude categories and retributionist thinking. Forester forces extreme examples of disparate behavior into neat bundles, forces a metaphor (breaking and entering) onto them, and then argues from the metaphor, not the original behavior. This is legitimate when metaphors are used to make something unfamiliar more understandable, but when the metaphor is flawed, or when the metaphor becomes the thing itself, distortion results. Computer invasion, even in the worst case, is not analogous to home invasion.
Physical presence of an offender and the corresponding dangers it poses is absent. A better analogy would be a kid setting up a lemonade stand on your yard when you weren't looking, or somebody peeking through your window from their own property across the street with binoculars.

The problem with viewing all inappropriate computer behavior as of the same magnitude is that it leads to silly analogies. Consider "automotive technology." We don't have a general category of crime called "auto crime" and argue that we should lock "auto offenders up." There are many "auto offenses," ranging from parking tickets, moving violations, auto-theft, burglarizing autos, using autos in the commission of another crime, stealing the trade-secrets of auto manufacturers, and as most teenaged minors know, getting it on in the back seats of them. Some of these auto-related acts are simply nuisances, others are quite serious. We distinguish between them and don't call for "setting examples" by jailing young lovers in a back seat *as well as* drunk drivers or auto thieves.

Instead of the term "hacker," Forester's argument would be better served by the term "computer intruder," which would allow him to make distinctions between kinds of intrusion. In law, there are similar distinctions, and there is nothing *PLAIN AND SIMPLE* about such acts. Computer intrusion is *NOT* burglary, even if information is copied. Forester's inaccurate analogy reflects either the incompetence of one ignorant of law--rather strange for a self-styled expert on "computer ethics"--or a cavalier disregard for accuracy which is anathema to responsible scholarship.

Forester again seems to ignore his own book, which explicitly challenges such a "plain and simple" analogy:

"Unfortunately, the legal basis of system break-ins languishes in the dark ages of real locks and doors and physical forms of information such as blueprints and contracts.
Equally, the law as it applies to breaking and entering--the destruction of physical locks--and the theft of information as it exists in paper form, IS A POOR ANALOGY WHEN APPLIED TO THE ELECTRONIC LOCKS THAT MODEMS AND PASSWORD SYSTEMS PROVIDE AND THE HIGHLY MUTABLE FORMS OF INFORMATION THAT COMPUTER FILES REPRESENT. After all, when one 'breaks' into a system, nothing has been broken at all--hence there is no obvious intent to cause harm (p. 60)."

Forester's intent here is hardly to justify hacking, but in context, he is attempting to raise questions by showing the complexity of computer intrusion and the gap between law and new technology. By contrast, his letter reflects the reverse. Which Tom Forester should we take seriously? The one who writes thoughtfully for academics, or the one who incites the public with supercilious rhetoric that is totally at odds with his scholarly discourse?

>Hackers are often portrayed as 'brilliant' or glamourized in the
>media as 'whiz-kids,' but often they are only mediocre
>programmers. Most 'great' hacks have in fact involved very little
>in the way of intellectual ability--you don't have to be an
>expert to work an autodialler and Unix systems--a favourite
>target of the hacker--have notoriously poor security.
>
>Far from being budding computer geniuses, hackers are often so
>incompetent and clumsy that they frequently cause more
>unintentional damage than intentional damage when blundering
>around inside someone else's system.
>
>Far from being heroes of the computer revolution, hackers are
>little more than common thieves. Their modus operandi involves
>stealing log-in names and passwords and then stealing information
>expensively collected by the victim.

The author confuses the term "hacker" with "phreaks," those who attempt to avoid toll charges.
The author displays no knowledge of his topic or of the diversity of hacker activities, and seems totally unaware that "hackers" who explore systems generally oppose predatory behavior of any kind. Further, in his book, Forester does not equate "great hacks" with auto-dialing or mundane incidents, as he does in his letter. By "great hack" he seems to mean "publicized hacks," because the examples of "great hacks" in the book (p. 51-52) refer to Marcus Hess and the Chaos Computer Club, and a group of British hackers who penetrated a license centre. These would hardly be described as "great hacks" by most observers, although they did captivate media attention.

I can recall no media story in the U.S. in recent years that has portrayed hackers, as a category, as uniformly "brilliant" or as "whiz kids." This claim is simply a straw icon Forester sets up for purposes of hacker-bashing. Further, Forester is as guilty as those he criticizes for alluding to the "brilliance" of hackers. In his book, he attempts to account for the shift from licit to illicit computer activity by "THE BEST AND THE BRIGHTEST" (p. 43) and suggests the emergence of value conflict that the current breed of hacker has made more sinister. Granted, Forester was alluding to a different crop of computerists with his term, but so too are most others who have used that description in the past. Forester seems to want to hold others responsible for past laudatory language, but is unwilling to hold himself to that same standard.

With the expansion of computer users, some hackers, like some scholars, will be bright, principled, and imaginative. Others won't. As in any distribution of valued characteristics, there will be far more of the latter than the former. If Forester's point is that we should not romanticize predators, then he should be willing to provide examples and examine his own role in perpetuating those images he criticizes.
If, however, he merely intends to say that most "hackers" possess modest talent, then this is a truism that few would dispute and one wonders: So what?

>Some hackers have even become infamous by betraying their
>country. Members of the Chaos Computer Club of Hamburg, in then
>West Germany, were caught selling United States military secrets
>to the KGB--the charred body of one of their number, Karl Koch,
>was later found in a forest outside Hanover.

If Forester refers here to Pengo, Hess, and the others, this claim is false. Despite the espionage element, there was no evidence that this group betrayed its country, Germany, by selling German military secrets. Nor is there evidence that they sold U.S. military secrets. In fact, I can think of no "hacker" known to have sold military secrets in the U.S. According to the Hafner and Markoff book, _Cyberpunk_, the Soviets received commercial software and some relatively inconsequential other files, and according to one source they cited, the Soviets "got rooked." The author's statement is pure hyperbole. While it is fully appropriate to identify the dangers of computer intrusion to national security, to raise it as a way of stigmatizing all forms of intrusion and to justify a "crackdown" by incarcerating a few examples moves from reasonable concern to unthinking hysteria.

And, what is the point of mentioning Hagbard's charred body? Is this apparent suicide supposed to show that hacking leads to violence? To murder? Hagbard, according to all accounts, was a psychologically unstable substance abuser. Images of violence make good copy, no matter how irrelevant, and perhaps charred bodies just go with the territory.

Forester's swipe at Chaos Computer Club also seems at odds with his book (p.
49), in which he, with seeming approval, observes:

    Indeed, we now know that at the time of the Chernobyl nuclear power station disaster in the Soviet Union, hackers from the Chaos Computer Club released more information to the public about developments than did the West German government itself. All of this information was gained by illegal break-ins carried out in government computer installations.

>Other hackers, such as the group that infiltrated six London
>banks in 1989, have swiftly turned to blackmail. Yet some
>misguided persons have sought to justify this despicable crime by
>claiming hackers are really only helping 'test system security.'

Can Forester name anybody who claims that blackmail, ripping off money from banks, or similar kinds of behavior is justifiable as a security test? I have never heard a single instance of such a justification of this type of predatory behavior, other than, perhaps, by the culprits as a defense during trial. But, then, I've also heard murderers claim that junkfood made them kill, a defense hardly supported by "some misguided persons". Some may attempt to justify computer intrusion by appealing to "security interests," "freedom of information," or other grounds. But there is near universal loathing for predators of this type. Forester moves from justifying computer intrusion to justifying bank robbery quite easily, proving that the shallower the water, the quicker the pace.

>A second justification of hacking is that hackers safeguard our
>civil liberties by keeping a check on the activities of
>governments. I know of no cases where revealing the contents of a
>state database has done good rather than harm.

Is this the *same* Tom Forester who wrote:

    "We might therefore ask ourselves whether, for the sake of balance, a truly democratic society should possess a core of technically gifted but recalcitrant people.
    Given that more and more information about individuals is now being stored on computers, often without our knowledge or consent, is it not reassuring that some citizens are able to penetrate these databases to find out what is going on? Thus it could be argued that hackers represent one way in which we can help avoid the creation of a more centralized, even totalitarian government (p. 49).

    . . . Given this background and the possibility of terrorist acts becoming more and more technologically sophisticated, perhaps we can look to hackers as a resource to be used to foil such acts and to improve our existing security arrangements. TO SOME EXTENT, THIS IS ALREADY HAPPENING: (p. 49).

Poor Tom. He doesn't seem to be able to figure out what position he wants to take. The danger is not that he selects one over the other, but that he seems to continually contradict himself. The contradictions lead to public statements that do no service to clarifying the issues in ways that result in resolving the risks of computer intruders in a just, yet effective way.

>If hacking cannot be defended, then virus creation is wholly
>unforgivable. Enormous time and effort has been spent in recent
>years making good the damage caused by the pranksters who gave us
>the 'Stoned,' 'Bouncing Ball,' 'Pakistani Brain' and 'Israeli'
>viruses, to name but a few.
>
>Such computer anarchists have caused mayhem in recent years in
>the US. The famous Internet worm let loose by Cornell University
>student Robert Morris in late 1988 infected no less than 6,000
>systems and cost thousands of dollars to contain.

In his book, Forester offers a defense of hackers as well as posing some of their dangers. As a consequence, his "if-then" logic seems odd. Has he recanted? Has he elsewhere offered a reasoned treatise defending the "if" premise? Nobody defends viruses, a very special and destructive form of computer intrusion.
His statement is analogous to saying, "If trespassing cannot be defended, then arson is unforgivable." Trespassing can be forgiven (if we are in metaphysical, rather than legal mode), but arson cannot be. Whether hacking is defensible or not, it has no bearing on the claim that computer viruses are indefensible. To say that we should jail hackers because those who spread computer viruses are highly destructive is a major non sequitur. They are different sorts of acts with different consequences. Viruses are made for one purpose only: To disrupt or destroy. The Morris worm, although disruptive and totally irresponsible, was not so-intended, and it was hardly the result of a "computer anarchist." Forester seems to be grabbing any and all examples to justify his claim that hackers should be jailed. No matter that these examples reflect behaviors ranging from benign innocence to conscious malice. Just lump 'em all together in a barrel and chuck 'em into the fire.

>Last year, the so-called 'Legion of Doom' managed to completely
>stuff up the 911 emergency phone system in nine US states, thus
>endangering human life. They were also later charged with trading
>in stolen credit card numbers, long-distance phone card numbers
>
>In another case, Leonard DeCicco was charged with stealing US $1
>million worth of security software from Digital Equipment
>Corporation. Leonard Rose Jr. was charged with selling illegal
>copies of a US $77,000 AT&T operating system.
>
>One group of phone hackers was charged with stealing more than US
>$1.6 million worth of free long-distance phone calls, while
>another group was caught manipulating voice-mail boxes and 008
>toll-free numbers to the tune of millions of dollars.

These claims are totally false. As Mike Godwin (above) notes, the "Atlanta 3" were not charged with "stuffing up" the E911 system, period. Nor were they charged with the other allegations.
Leonard "DeCicco" presumably refers to Kevin Mitnick's confederate described in the Hafner/Markoff book who cooperated with the FBI in apprehending Mitnick. Spokespersons at DEC had no knowledge of any such infraction by DiCicco. Los Angeles U.S. Attorney's Office spokesperson Carole Levitzky indicated that there were no such federal charges against him, and that if he were involved in a subsequent offense of such magnitude after the Mitnick affair, it would show up in their records. DiCicco pleaded guilty on Nov. 29, 1989, to one count of aiding and abetting Mitnick's theft and was sentenced to five years probation, 750 hours of community service, and restitution of $13,000. If Forester refers to the DiCicco of the Mitnick and DiCicco incident, this claim is blatantly false. If there is a similarly named "Leonard DeCicco" who has stolen $1 million from DEC, Forester seems to be the only one who knows about it. apprehend Kevin Mitnick and they make no mention of Forester's charges, nor have such charges been made public.

Leonard Rose was not charged with stealing but with possession of unlicensed UNIX software, not uncommon among some programmers.

Phone phreaks and others have, indeed, freely utilized illicit means of avoiding long distance charges. Such acts are wrong, but, as Gail Thackeray, a prosecutor of computer crime, has convincingly argued, jail is not necessarily the best sanction for these delinquents.

What's troublesome here is that Forester seems to have no grasp of facts and is not troubled by generalizations based on inaccuracies. He nonetheless calls for changes in public policy on the basis of his errors. If Forester were a common citizen, these flaws would be understandable. But, because he claims to be knowledgeable in the area of computer ethics and crime, his misinformation borders on professional negligence.
These are not just small matters of detail: His errors reflect consistent lack of knowledge of the most basic information accessible in media and across the nets.

>Unfortunately, attempts by US authorities to nail these delinquent
>nerds have not always been successful. This is because the law is
>unclear, and police lack the expertise in dealing with the
>crimes.
>
>For example, last year's Operation Sun Devil, which involved
>raids in 14 cities and the seizure of 42 systems and 23,000
>disks, has yet to result in any major prosecutions.
>
>Robert Morris, who launched the disastrous Internet worm, got a
>mere slap on the wrist in the form of a US $10,000 fine and 400
>hours' community service Only in Britain--where the
>Computer Misuse Act became law in 1990--do the authorities seem
>to winning the war against hackers: 'mad' hacker Nicholas
>Whiteley was recently jailed for four months for a series of
>malicious attacks on university computers.

Perhaps in Forester's logic a single example of a four month sentence for attacks on university computers signifies "winning a war" in a country with a much smaller population and proportionately fewer personal computers. Perhaps he actually believes in the power of such a superficial example, or perhaps he is just an Anglophile who is too lazy to ferret out the successful intervention of law enforcement and others in responding to "hacking" related crimes in the U.S. That quibble aside, Mike Godwin (above) addressed the Morris sentence. Operation Sun Devil was not successful largely because it was ill-conceived, poorly executed and misdirected. By contrast, prosecutors such as Gail Thackeray, Ken Rosenblatt, and Don Ingraham have all had considerable success prosecuting computer crime.
Forester also fails to explain how a single example of a four month jail sentence, relatively short, reflects more success than the sentences of imprisonment given to Riggs, Darden, Grant, Rose, Zinn, and others, the imprisonment of non-hacking computer criminals, and the substantial probations given to many, many others (including Mitnick, Majette, DiCicco, Morris, Goldman, and countless others). Whether we agree with each individual indictment or sentence, the fact is that U.S. law enforcement is prosecuting and prosecuting successfully in most cases. The trend also seems to be that U.S. law enforcement, thanks largely to the efforts of EFF and prosecutors such as Don Ingraham, Gail Thackeray, and others, are--despite whatever other criticisms some may have--demonstrating an explicit willingness to move away from the Draconian measures espoused by Forester and balance the needs of law enforcement and security with those of Constitutional protections against First and Fourth Amendment abuses and "justice as fairness."

It is true that law enforcement is not particularly knowledgeable and that laws are vague, but they are vague on the side of over-criminalization. Nonetheless, the primary answer to resolving the problem of computer abuse does not lie in strengthening law enforcement, but rather in expanding public education and awareness. There are an overwhelming number of cases in the U.S. in which computer and telephone abusers have been apprehended, either by law enforcement or by other officials. Forester's implied claim that somehow law enforcement needs to be tougher, rather than wiser, is--like the rest of his article--totally inaccurate.

>To some extent hacking has attracted individuals who are not at
>ease socially--the classic "nerd," if you like. They may relate
>better to machines than other humans.
>
>One image of the hacker is of an adolescent male, who, for
>reasons of shyness or "spots" does not get on with girls.
>
>Instead, he tends to spend his time with the computer, rising at
>2pm, then working right through to 6am, consuming mountains of
>delivered pizza and gallons of soft drink.
>
>Some suffer from what Danish doctors are now calling "computer
>psychosis"--an inability to distinguish between the real world
>and the world inside the screen.
>
>For the hacker, the machine becomes a substitute for human
>contact, because it responds in rational manner, uncomplicated by
>feelings and emotions.

Again, Forester is at odds with his own work, where he indicates that there are different types of hackers and motivations. He seems to draw from Sherry Turkle's _The Second Self_, in his cartoon depiction of hackers. Turkle's data were limited to MIT students and a few interviews from Internet users. Turkle's study, published in 1984, well before the "hacking craze" of the late 1980s, was more a study of computer enthusiasts rather than "hackers," and her descriptions were partly ironic and hardly "scientific," although this did not undermine the value of her book. The "hackers" depicted in _Cyberpunk_ range from seemingly normal (whatever that might mean) to certifiably loony, much as participants in any other collection of avid enthusiasts, including sports fans or researchers. From our own (Gordon Meyer and Jim Thomas) studies of the computer underground, "hackers" are a diverse lot, and Forester's grotesque imagery is as simplistic as would be dismissing his article because of Australian inbreeding from the days when it was a penal colony. Psychological explanations for any behavior can be helpful in contributing to our understanding, but data-free generalizations that reduce complex behaviors to simple-minded categories, especially when done by one who makes a living as a scholar, do a disservice to the scholarly community.
>In some senses, one can't help but feel sorry for hackers, but by
>taking out their hang-ups on society they do enormous damage and
>we all end up paying for their anarchic antics.
>
>One day, these meddlers will hack into a vital military, utility
>or comms system and cause a human and social catastrophe. It's
>time we put a stop to their adolescent games right now.
>
>TOM FORESTER
>
>*Tom Forester is co-author, with Perry Morrison, of Computer
>Ethics: Cautionary Tales and Ethical Dilemmas in Computing
>(Blackwell / Allen & Unwin, 1990,).

Hollinger and Lanza-Kaduce argued in their 1988 article in _Criminology_ that legislative testimony leading to anti-computer abuse law relied heavily on anecdotal evidence, hyperbolic assertions lacking empirical support, and media accounts. For this reason, Forester's letter, which fits all three categories, subverts the problem-solving process and hampers effective legislation and sanctions intended to address the problem of technologically-created offenses.

Few people justify indiscriminate computer intrusions, so the question does not center on a defense of computer abuse. The issue is what do we do about it. Forester argues for increased criminalization and incarceration. There is little evidence that incarceration deters crime. It is unlikely that "setting examples" will resolve anything. Those most likely to be deterred are those not engaged in serious misbehavior and are therefore the least risk to society. In the US, at least, sentencing is supposed to be "offense-driven," not "policy-driven." We sanction on the basis of an act, not on the basis of establishing social or political policy. "Setting examples" is not justice, but a political policy.

Neither Forester's call for heavier example-setting sanctions nor the logic of his call serve the debates surrounding the problem of computer abuse.
He muddies the waters, inflames the passions of the non-computer literate public with false information, and apparently fails to recognize the lesson of his own writing, which is that reasoned dialogue rather than strident demagoguery is the ethical approach to problem solving. This seems a rather glaring lapse for one who writes on computer ethics.

Former prosecutor Gail Thackeray, in an interview with NEWSBYTES, offered a sound justification for temperance in incarceration to explain her reasons for opposing a five year prison sentence for "Doc Savage:"

    "Usually computer hackers who get into trouble for activities of this nature are kids or young adults who are not the type to be in trouble for any other criminal activities. The point of sentencing in these cases should be rehabilitation. If we can break the pattern of illegal behavior, society will benefit from Majette's participation. If we simply locked him up for 5 years, neither he nor society would benefit."

None can doubt her passion for deterring computer abuse, but she also recognizes the complexity of the problems and the value of social responses that benefit society, set *productive* examples, and simultaneously improve the security and harmony of the nets. The views reflected in the Forester post would return us to the dark ages of repression based on ignorance. Perhaps somebody should send Forester a copy of _Computer Ethics_ along with the suggestion that he read it.

Jim Thomas is a professor of sociology/criminal justice at Northern Illinois University. With Gordon Meyer, he has conducted research on the computer underground culture. His specialty is the culture of the dreadful enclosures that we call prisons, where some feel hackers belong.

------------------------------

End of Computer Underground Digest #3.28
************************************