Date: 14 Jul 92 22:02:12 PDT
From: mcmullen@well.sf.ca.us
Subject: File 2--Newsbytes Editorial on MOD Indictment

NEWSBYTES EDITORIAL

Second Thoughts On New York Computer Crime Indictments 7/13/92
NEW YORK, N.Y., U.S.A., 1992 JULY 13 (NB) -- On Wednesday, July 9th, I
sat at a press briefing in New York City's Federal Court Building
during which law enforcement officials presented details relating to
the indictment of 5 young computer "hackers". In describing the
alleged transgressions of the indicted, United States Assistant
Attorney Stephen Fishbein wove a tale of a conspiracy in which members
of an evil sounding group called the "Masters of Destruction" (MOD)
attempted to wreck havoc with the telecommunications system of the
country.

The accused were charged with infiltrating computer systems belonging
to telephone companies, credit bureaus, colleges and defense
contractors --Southwestern Bell, BT North America, New York Telephone,
ITT, Information America, TRW, Trans Union, Pacific Bell, the
University of Washington, New York University, U.S. West, Learning
Link, Tymnet and Martin Marietta Electronics Information, and Missile
Group. They were charged with causing injury to the telephone systems,
charging long distance calls to the universities, copying private
credit information and selling it to third parties -- a long list of
heinous activities.

The immediate reaction to the indictments were predictably knee-jerk.
Those who support any so-called "hacker"-activities mocked the
government and the charges that were presented, forgetting, it seems
to me, that these charges are serious -- one of the accused could face
up to 40 years in prison and $2 million in fines; another - 35 years
in prison and $1.5  million in fines. In view of that possibility, it
further seems to me that it is a wasteful diversion of effort to get
all excited that the government insists on misusing the word "hacker"
(The indictment defines computer hacker as "someone who uses a
computer or a telephone to obtain unauthorized access to other
computers.") or that the government used wiretapping evidence to
obtain the indictment (I think that, for at least the time being that
the wiretapping was carried out under a valid court order; if it were
not, the defendants' attorneys will have a course of action.).

On the other hand, those who traditionally take the government and
corporate line were publicly grateful that this threat to our
communications life had been removed -- they do not in my judgement
properly consider that some of these charges may have been
ill-conceived and a result of political considerations.

Both groups, I think, oversimplify and do not give proper
consideration to the wide spectrum of issues raised by the indictment
document. The issues range from a simple black-and-white case of
fraudulently obtaining free telephone time to the much broader
question of the appropriate interaction of technology and law
enforcement.

The most clear cut cases are the charges such as the ones which allege
that two of the indicted, Julio Fernandez a/k/a "Outlaw" and John Lee
a/k/a "Corrupt" fraudulently used the computers of New York University
to avoid paying long distance charges for calls to computer systems in
El Paso Texas and Seattle, Washington. The individuals named either
did or did not commit the acts alleged and, if it is proven that they
did, they should receive the appropriate penalty (it may be argued
that the 5 year, $250,000 fine maximum for each of the counts in this
area is excessive but that is a sentencing issue not an indictment
issue.).

Other charges of this black-and-white are those that allege that
Fernandez and/or Lee intercepted electronic communications over
networks belonging to Tymnet and the Bank of America. Similarly, the
charge that Fernandez, on December 4, 1991 possessed hundreds of user
id's and passwords of Southwestern Bell, BT North America and TRW fits
in the category of "either he did it or he didn't."

A more troubling count is the charge that the indicted 5 were all part
of a conspiracy to "gain access to and control of computer systems in
order to enhance their image and prestige among other computer
hackers; to harass and intimidate rival hackers and people they did
not like; to obtain telephone, credit, information, and other services
without paying for them; and to obtain. passwords, account numbers and
other things of value which they could sell to others."

To support this allegation, the indictment lists 26, lettered A
through Z, Overt Acts" to support the conspiracy. While this section
of the indictment lists numerous telephone calls between some of the
individuals, it mentions the name Paul Stira a/k/a "Scorpion" only
twice with both allegations dated "on or about" January 24, 1990, a
full 16 months before the next chronological incident. Additionally,
Stira is never mentioned as joining in any of the wiretapped
conversation -- in fact, he is never mentioned again!  I find it hard
to believe that he could be considered, from these charges, to have
engaged in a criminal conspiracy with any of the other defendants.

Additionally, some of the allegations made under the conspiracy count
seem disproportionate to some of the others. Mark Abene a/k/a "Phiber
Optik" is of possessing proprietary technical manuals belonging to BT
North America while it is charged that Lee and Hernandez, in exchange
for several hundred dollars, provided both information on how to
illegally access credit reporting bureaus and an actual TRW account
and password to a person, Morton Rosenfeld, who later illegally
accessed TRW, obtained credit reports on 176 individuals and sold the
reports to private detective (Rosenfeld, indicted separately, pled
guilty to obtaining and selling the credit reports and named "Julio"
and "John" as those who provided him with the information). I did not
see anywhere in the charges any indication that Abene, Stira or Elias
Lapodoulos conspired with or likewise encouraged Lee or Fernandez to
sell information involving the credit bureaus to a third party

Another troubling point is the allegation that Fernandez, Lee, Abene
and "others whom they aided and abetted" performed various computer
activities "that caused losses to Southwestern Bell of approximately
$370,000." The $370,000 figure, according to Assistant United States
Attorney Stephen Fishbein, was developed by Southwestern Bell and is
based on "expenses to locate and replace computer programs and other
information that had been modified or otherwise corrupted, expenses to
determine the source of the unauthorized intrusions, and expenses for
new computers and security devices that were necessary to prevent
continued unauthorized access by the defendants and others whom they
aided and abetted."

While there is precedent in assigning damages for such things as
"expenses for new computers and security devices that were necessary
to prevent continued unauthorized access by the defendants and others
whom they aided and abetted." (the Riggs, Darden & Grant case in
Atlanta found that the defendants were liable for such expenses), many
feel that such action is totally wrong. If a person is found uninvited
in someone's house, they are appropriately charged with unlawful entry,
trespassing, burglary --whatever th statute is for the transgression;
he or she is, however, not charged with the cost of the installation
of an alarm system or enhanced locks to insure that no other person
unlawfully enters the house.

When I discussed this point with a New York MIS manager, prone to take
a strong anti-intruder position, he said that an outbreak of new
crimes often results in the use of new technological devices such as
the nationwide installation of metal detectors in airports in the
1970's. While he meant thi as a justification for liability, the
analogy seems rather to support the contrary position. Air line
hijackers were prosecuted for all sorts of major crimes; they were,
however, never made to pay for the installation of the metal detectors
or absorb the salary of the additional air marshalls hired to combat
hijacking.

I think the airline analogy also brings out the point that one may
both support justifiable penalties for proven crimes and oppose
unreasonable ones -- too often, when discussing these issues,
observers choose one valid position to the unnecessary exclusion of
another valid one. There is nothing contradictory, in my view, to
holding both that credit agencies must be required to provide the
highest possible level of security for data they have collected AND
that persons invading the credit data bases, no matter how secure they
are, be held liable for their intrusions. We are long past accepting
the rationale that the intruders "are showing how insecure these
repositories of our information are." We all know that the lack of
security is scandalous; this fact, however, does not excuse criminal
behavior (and it should seem evident that the selling of electronic
burglar tools so that someone may copy and sell credit reports is not
a public service).

The final point that requires serious scrutiny is the use of the
indictment a a tool in the on-going political debate over the FBI
Digital Telephony proposal. Announcing the indictments, Otto G.
Obermaier, United States Attorney for the Southern District of New
York, said that this investigation was "the first investigative use of
court-authorized wiretaps to obtain conversations and data
transmissions of computer hackers." He said that this procedure was
essential to the investigation and that "It demonstrates, think, the
federal government's ability to deal with criminal conduct as it moves
into new technological areas." He added that the interception of data
was possible only because the material was in analog form and added
"Most of the new technology is in digital form and there is a pending
statute in Congress which seeks the support of telecommunications
companies to allow the federal government, under court authorization,
to intercept digital transmission. Many of you may have read the
newspaper about the laser transmission which go through fiber optics
as a method of the coming telecommunications method. The federal
government needs the help of Congress and, indeed, the
telecommunications companies to able to intercept digital
communications."

The FBI proposal has been strongly attacked by the American Civil
Liberties Union (ACLU), the Electronic Frontier Foundation (EFF) and
Computer Professionals for Social Responsibility (CPSR) as an attempt
to institutionalize, for the first time, criminal investigations as a
responsibility of the communications companies; a responsibility that
they feel belongs solely to law-enforcement. Critics further claim
that the proposal will impede the development of technology and cause
developers to have to "dumb-down" their technologies to include the
requested interception facilities. The FBI, on the other hand,
maintains that the request is simply an attempt to maintain its
present capabilities in the face of advancing technology.

Whatever the merits of the FBI position, it seems that the indictments
either would not have been made at this time or, at a minimum, would
not have been done with such fanfare if it were not for the desire to
attempt to drum up support for the pending legislation. The press
conference was the biggest thing of this type since the May 1990
"Operation Sun Devil" press conference in Phoenix, Arizona and, while
that conference, wowed us with charges of "hackers" endangering lives
by disrupting hospital procedures and being engaged in a nationwide,
13 state conspiracy, this one told us about a bunch of New York kids
supposedly engaged in petty theft, using university computers without
authorization and performing a number of other acts referred to by
Obermaier as "anti-social behavior" -- not quite as heady stuff!

It is not to belittle these charges -- they are quite serious -- to
question the fanfare. The conference was attended by a variety of high
level Justice Department, FBI and Secret Service personnel and veteran
New York City crime reporters tell me that the amount of alleged
damages in this case would normally not call for such a production --
New York Daily News reporter Alex Michelini publicly told Obermaier
"What you've outlined, basically, except for the sales of credit
information, this sounds like a big prank, most of it" (Obermaier's
response -- "Well, I suppose, if you can characterize that as a prank
but it's really a federal crime allowing people without authorization
to rummage through the data of other people to which they do not have
access and, as I point out to you again, the burglar cannot be your
safety expert. He may be inside and laugh at you when you come home
and say that your lock is not particularly good but I think you, if
you were affected by that contact, would be somewhat miffed"). One
hopes that it is only the fanfare surrounding the indictments that is
tied in with the FBI initiative and not the indictments themselves.

As an aside, two law enforcement people that I have spoken to have
said that while the statement that the case is "the first
investigative use of court-authorized wiretaps to obtain conversations
and data transmissions of computer hackers.", while probably true,
seems to give the impression that the case is the first one in which
data transmission was intercepted.  According to these sources, that
is far from the case -- there have been many instances of inception of
data and fax information by law enforcement officials in recent years.

I know each of the accused in varying degrees. The one that I know the
best, Phiber Optik, has participated in panels with myself and law
enforcement officials discussing issues relating to so-called "hacker"
crime.  He has also appeared on various radio and television shows
discussing the same issues. These high profile activities have made him
an annoyance to some in law enforcement. One hopes that this annoyance
played no part in the indictment.

I have found Phiber's presence extremely valuable in these discussions
both for the content and for the fact that his very presence attracts
an audience that might never otherwise get to hear the voices of
Donald Delaney, Mike Godwin, Dorothy Denning and others addressing
these issues from quite different vantage points. While he has, in
these appearances, said that he has "taken chances to learn things",
he has always denied that he has engaged in vandalous behavior and
criticized those who do. He has also called those who engage in
"carding" and the like as criminals (These statements have been made
not only in the panel discussion but also on the occasions that he has
guest lectured to my class in "Connectivity" at the New School For
Social Research in New York City. In those classes, he has discussed
the history of telephone communications in a way that has held a class
of professionals enthralled by over two hours.

While my impressions of Phiber or any of the others are certainly not
a guarantee of innocence on these charges, they should be taken as my
personal statement that we are not dealing with a ring of hardened
criminals that one would fear on a dark knight.

In summary, knee-jerk reactions should be out and thoughtful analysis
in!  We should be insisting on appropriate punishment for lawbreakers
-- this means neither winking at "exploration" nor allowing inordinate
punishment. We should be insisting that companies that have collected
data about us properly protect -- and are liable for penalties when
they do not.  We should not be deflected from this analysis by support
or opposition to the FBI proposal before Congress -- that requires
separate analysis and has nothing to do with the guilt or innocence of
these young men or the appropriate punishment should any guilt be
established.

(John F. McMullen/19920713)

Downloaded From P-80 International Information Systems 304-744-2253