The United States vs. Craig Neidorf

Journal:   Communications of the ACM  March 1991 v34 n3 p24(9)
           * Full Text COPYRIGHT Association for Computing Machinery 1991.
-----------------------------------------------------------------------------
Title:     The United States vs. Craig Neidorf: a debate on electronic
           publishing, constitutional rights and hacking. (one of three
           articles) (Cover Story)
Author:    Denning, Dorothy E.

Summary:   Craig Neidorf was a college student accused of fraud and
           interstate transportation of stolen property as a result of a
           document published in his electronic newsletter, Phrack.  The case
           ended after four days of trial when the government dropped its
           charges.  The charges against Neidorf came as part of a two-year
           investigation into illegal activity, during which the government
           seized over 40 systems and 23,000 disks.  The seizures, and the
           Neidorf case, raise serious questions about the liabilities and
           responsibilities of system users.  Neidorf's indictment has been
           seen by some as a threat to the freedom of the press.  On the
           other hand, publications that print information that encourage
           people conduct illegal break-ins should not be considered proper
           simply because they are protected under the First Amendment.  Some
           of the activities that might decrease illegal hacking include
           teaching computer ethics, both in classrooms and in professional
           forums.
-----------------------------------------------------------------------------
Descriptors..
Topic:     Computer crimes
           Electronic publishing
           Freedom of information
           Ethics.
Person:    Neidorf, Craig (Cases).

Record#:   10 489 782.
-----------------------------------------------------------------------------
*Note*    Only Text is presented here; see printed issues for graphics.
Full Text:

The United States vs.  Craig Neidorf

In 1983, the media publicized a series of computer break-ins by teenagers in
Wisconsin nicknamed "414 hackers."  At about the same time, the popula movie
War-games depicted a computer wizard gaining access to the North american Air
Defense (NORAD) Command in Cheyenne Mountain, Colorado and almost triggering
a nuclear war by accident.  Since then, a stereotype of a computer hacker (1)
has emerged based upon unscrupulous young people who use their computer
skills to break into systems, steal information and computer and
telecommunication resources, and disrupt operations without regard for the
owners and users of the systems.

Well-publicized incidents, such as the Internet worm [6] and the German
hackers who broke into unclassified defense systems and sold information to
the KGB [7], have reinforced that stereotype and prompted policy makers and
law enforces to crack down on illegal hacking.  In May 1990, 150 Secret
Service agents executed 27 search warrants and seized 40 systems as part of
Operation Sun Devil, a two-year investigation led by Arizona prosecutors into
incidents estimated to have cost companies millions of dollars.  Another
investigation involving prosecutors in Atlanta and Chicago let to several
indictments.

Reports on some of the seizures and indictments provoked an out-cry from
people in the computer industry who perceived the actions taken by law
enforcers as a threat to constitutional rights.  One case in particular that
was cited as an example of threats against freedom of the electronic press
was that of Craig Neirdorf--a college student accused by the U.S.  government
of fraud and interstate transportation of stolen property regarding a
document published in his electronic newsletter, Phrack.  The trial began on
July 23, 1990, and ended suddenly four days later when the government dropped
the charges.  I attended the trial as an expert witness for the defense.

OVERVIEW OF

THE CASE

Craig Neidorf is a pre-law student at the University of Missouri.  At the age
of 13, he became interested in computers, an extension of an earlier intense
interest in Atari 2600 andother video games.  At 14, he adopted the handle
Knight Lightning on computer networks and bulletin boards.  At 16, he and a
childhood friend started an electronic newsletter called Phrack.  The name
was composed from the words phreak and hack, which refer to
telecommunications systems (phreaking) and computer systems (hacking).  To
Phrack readers and contributors, phreaking and hacking covered both legal and
illegal activities, and some of the articles in Phrack provided information
that could be useful for someone trying to gain access to a system or free
use of telecommunications lines.  To some law enforcers and computer security
professionals, Phrack was seen as possible breeding ground for computer
criminals.  They found issues of Phrack among the evidence of cases under
investigation, and a hacker told them that Phrack had provided information
that helped him get started.

Phrack published 30 issues from November 1985 through 1989.  Neidorf's main
role with the newsletter was editor of a column called "Phrack World News."
In addition, he was the publisher of issue 14, and co-editor/publisher of
issues 20-30.  As publisher, he solicited articles from authors, assembled
the articles he received into an issue, and distributed the issue to an
electronic mailing list.

On January 18, 1990, Neidorf received a visit from an agent of the U.S.
Secret Service and a representative of Southwestern Bell Security regarding a
document about the Enhanced 911 (E911) emergency system.  This document,
which was in the form of a computer text file, had been published in Issue 24
of Phrack.  During this visit, Neidorf, believing he had done nothing wrong,
cooperated and turned over information.  The next day, the visitors returned
with a representative from the campus police and a search warrant.  Neidorf
was also asked to contact the U.S.  Attorney's office in Chicago.  He did,
and on January 29 arrived at that office, accompanied by a lawyer, for
further interrogation.  Again, the young publisher turned over information
and answered their questions.  Neither he nor his attorney were informed that
four days earlier evidence had been presented to a federal grand jury in
Chicago for the purpose of indicting him.  On February 1, the grand jury was
given additional evidence and charged Craig Neidorf with six counts in an
indictment for wire fraud, computer fraud, and interstate transportation of
stolen property valued at $5,000 or more.

In June 1990, the grand jury met again and issued a new indictment that
dropped the computer fraud charges, but added additional counts of wire
fraud.  Neidorf was now charged with 10 felony counts carrying a maximum
penalty of 65 years in prison.

The indictment centered on the publication of the E911 text file in Phrack.
The government claimed the E911 text file was a highly proprietary and
sensitive document belonging to BellSouth and worth $23,900.  They
characterized the document as a road map to the 911 phone system, and claimed
that its publication in Phrack allowed hackers to illegally manipulate the
911 computer systems in order to disrupt or halt 911 service.  They further
claimed that the document had been stolen from BellSouth by Robert Riggs,
also known as The Prophet, and that the theft and publication of the document
in Phrack was part of a fraudulent scheme devised by Neidorf and members of
the hacking group Legion of Doom, of which Riggs was a member.  The object of
the scheme was to break into computer systems in order to obtain sensitive
documents and then make the stolen documents available to computer hackers by
publishing the documents in Phrack.  The government claimed that as part of
the fraudulent scheme, Neidorf solicited information on how to illegally
access computers and telecommunication systems for publication in Phrack as
"hacker tutorials."  The term hacker was defined in the indictment as an
individual "involved with the unauthorized access of computer systems by
various means."

On May 21, 1990 Neidorf called me to request a copy of my paper about
hackers, which I was preparing for the National Computer Security Conference
[1].  Although I hadnot talked with him before that time, I knew who he was
because I had been following his case in the Computer Underground Digest, an
electronic newsletter, and in various Usenet bulletin boards.  Based on what
I had read, which included the E911 file as published in Phrack, I did not
see how the E911 file could be used to break into the 911 system or, for that
matter, any computer system.  I was concerned that Neidorf may have been
wrongly indicted.  I was also concerned that a wrongful conviction--a
distinct possibility in a highly technical trial--could have a negative
impact on electronic publication.

In late June, I received a call from Neidorf's attorney, Sheldon Zenner of
the firm Katten, Muchin & Zavis in Chicago.  After several conversations with
Neidorf and Zenner, I agreed to be an expert witness and provide assistance
throughout the trial.

Zenner told me that John Nagle, an independent computer scientist in Menlo
Park, California, had gathered articles, reports, and books on the E911
system from the Stanford University library and local bookstores, and by
dialing a Bellcore 800 number.  After Nagle showed me the published
documents, I agreed with his conclusion that Phrack did not give away any
secrets.  Nagle was also planning to go to Chicago to help with the defense
and possibly testify.

Meanwhile, I gathered articles, books, and programs that showed there are
plenty of materials in the public domain that are at least as useful for
breaking into systems as anything published in Phrack.  (Some of these are
referenced later.)

THE TRIAL

The trial began on July 23, 1990 in Chicago's District Court for the Northern
District of Illinois.  It was expected to last two weeks, with the government
presenting its case during the first week.  I helped prepare the cross
examinations of the government's witnesses and expected to testify sometime
during the second week.

After a day of jury selection, the trial began with Assistant U.S.  Attorney
William Cook making the opening remarks for the prosecution.  Cook reviewed
the government claims, weaving a tale of conspiracy between Neidorf, Riggs,
and members of the Legion of Doom who had broken into BellSouth computers.

Zenner then presented his opening remarks for the defense.  He reviewed
Neidorf's history and involvement with Phrack, noting that the goal of the
newsletter was the free exchange of information.  He challenged the claims of
the government and outlined the case for the defense.  He noted how the
government had indicted Neidorf despite his extensive cooperation with them.
He said that Neidorf believed his actions were covered by the First
Amendment, and that his beliefs were formed from college classes he took as a
pre-law student on constitutional law and civil liberties.

The government's witnesses through Thursday afternoon included Riggs, the
Secret Service agent, and employees of BEllcore and of BellSouth and its
subsidiaries.  The evidence brought out during the examination and
cross-examination of these witnesses indicated the E911 text file was not the
highly sensitive and secret document that BellSouth had claimed, that
BellSouth had not treated the document as though it were, and that Neidorf
had not conspired with Riggs.  Although this seemed like cause for optimism,
Zenner reminded us that the government loses very few cases.

On Friday morning, I arrived at the law offices to learn the government had
been talking with Zenner about dropping the felony charges in exchange for a
guilty plea to a misdemeanor.  Neidorf, however, would not accept a charge
for something he had not done.  Meanwhile, Zenner was meeting with the U.S.
attorneys.  I went to the courtroom, where Zenner told me the government was
now considering dropping all charges.  Zenner was willing to lay out the case
for the defense to the prosecution  he asked Nagle and me to go to the U.S.
Attorney's office and answer all their questions.  We went, and Cook went
through the E911 file paragraph by paragraph asking us for evidence that the
material was in the public domain.  Nagle answered most of the questions,
pointing Cook to the relevant public documents and demonstrating that the
E911 Phrack file did not give away any secrets.

We then went to the courtroom to await the final decision.  Shortly
thereafter, the court resumed, and Judge Nicholas Bua announced the
government's decision to drop charges, dismissed the jury, and declared a
mistrial.  Five of the jurors were asked to remain and were interviewed by
Bua and both attorneys.  At midday, the court adjourned.

Although Neidorf was freed of allcriminal charges, he was not free of all
costs.  The trial cost of $100,000 was incurred by him and his family.

KEY DOCUMENTS

The government's case focused on several documents that were published in
Phrack or were included in electronic mail between Neidorf and others.  These
included the following: the E911 text file and Phrack version of that file
the hacker tutorials published in Phrack Issue 22  a Trojan horse login
program an announcement of The Phoenix Project in Phrack Issue 19 and some
email correspondence between Neidorf and Riggs.  All these documents were
introduced as evidence by the government during the presentation of its case.

The E911 Text File

Riggs testified that sometime during the summer of 1988, he accessed a
BellSouth system called AIMSX and downloaded a file with a document issued by
BellSouth Services titled "Control Office Administration of Enhanced 911
Services for Special Services and Major Account Centers," Section
660-225-104SV, Issue A, March 1988.  The document, which contains
administrative information related to E911 service, installation, and
maintenance, bears the following notice on the first page: "Not for use or
disclosure outside BellSouth or any of its subsidiaries except under written
agreement."  Sometime prior to September 1988, Riggs transferred the file to
a public [Unix.sup.TM] system called Jolnet, where it remained until July
1989.

Riggs testified he sent the E911 text file to Neidorf via email from Jolnet
in January 1989 for publication in Phrack.  He said he asked Neidorf to edit
the file so that it would not be recognizable by BellSouth, and to publish it
under the handle "The Eavesdropper."  Neidorf removed the nondisclosure
notice and deleted names, locations, and telephone numbers, and published it
in Phrack Issue 24 on February 24, 1989.  The edited document was less than
half the size of the original document, and was split into two Phrack files,
the first (file 5) containing the main text and the second (file 6)
containing the glossary of terms.

The government claimed that the E911 text file and Phrack version contained
highly sensitive and proprietary information that provided a road map to the
911 system and could be used to gain access to the system and disrupt
service.  The claim was based on a statement made by an employee of Bellcore.

As noted earlier, Nagle had located articles and pamphlets that contained
much more information about the E911 system than the Phrack file.  During
cross examination of the government's witness who was responsible for the
practice described in the E911 document, Zenner showed the witness two of
these pamphlets available from Bellcore via an 800 number for $13 and $21
respectively.  The witness, who had not seen either report before and was
generally unfamiliar with the public literature on E911, agreed that the
reports also gave road maps to the E911 system and included more information
than was a Phrack.  The witness also testified that a nondisclosure stamp is
routinely puton every BellSouth document when it is first written, thereby
weakening any argument that the document contained particularly sensitive
trade secrets.

The defense was prepared to argue that the E911 text file contained no
information that was directly useful for breaking into the E911 system or any
computer system.  There were no dial-up numbers, no network addresses, no
accounts, no passwords, and no mention of computer system vulnerabilities.
The government claimed that the names, locations, organization phone numbers,
and jargon in the E911 text file could be useful for social engineering--that
is, deceiving employees to get information such as computer accounts and
passwords.  However, the Phrack version omitted the names, locations, and
phone numbers, and the jargon was all described in the published literature.
Thus, the E911 Phrack file seemed no more useful for social engineering than
the related public documents.

The defense was also prepared to show that Bellsouth had not treated the
document as one would expect a document of such alleged sensitivity to be
treated.  Riggs testified that the account he had used to get into AIMSX had
no password.  AT&T security was notified in September 1988, that the E911
text file was publicly available in Riggs's directory on Jolnet, and Bellcore
security was notified of this in October.  This was two months before Riggs
mailed the file to Neidorf for inclusion in Phrack, and about four months
before its publication in Phrack.  Still, no legal action was taken until
July 1989, nine months from the time Bellcore was aware of the file's
presence on Jolnet.  At that point, Bellcore and BellSouth asserted to the
government that a highly sensitive and dangerous document was stolen.  They
urged the U.S.  Secret Service to act immediately because of the purported
risk posed by the availability of this "dangerous" information.  However,
they did not tell the Secret Service that they had discovered all of this
nine months earlier.  The government responded immediately with a subpoena
for Jolnet.  The defense believed that BellSouth's delay in acting to protect
the E911 document was inconsistent with its claim that the document contained
sensitive information.  To its credit, however, BellSouth did strengthen the
security of its systems following the breakins.

The Hacker Tutorials

The government claimed that three files in Phrack Issue 22 were tutorials for
breaking into systems and, as such, evidence of a fraudulent scheme to break
into systems, steal documents, and publish them in Phrack.  These files,
which corresponded to one count of the indictment, were:

4.  "A Novices Guide to Hacking--1989 Edition" by The Mentor.

5.  "An Indepth Guide in Hacking Unix and The Concept of Basic Networking
Utility" by Red Knight.

6.  "Yet Another File on Hacking Unix" by Unknown User.

Files 4 and 5 Phrack 22 briefly introduce the art of getting computer access
through weak passwords and default accounts, while File 6 contains a
password-cracking program.  Most of file 5 is a description of basic commands
in Unix, which can be found in any Unix manual.  After examining these and
other Phrack files, I concluded that Phrack contained no more information
about breaking into systems than articles written by computer security
specialists and published in journals such as the Communications of the ACM,
AT&T Bell Technical Journal, Information Age, and Unix/WORLD, and in books.
For example, Cliff Stoll's popular book The Cuckoo's Egg [7] has been
characterized as a "primer on hacking."  Information that could be valuable
for breaking passwords is given in the 1979 paper on password vulnerabilities
by Morris and Thompson of Bell Laboratories [4].  A recent article by
Spafford gives details on the workings of the Internet worm [6].

Password-cracking programs are publicly available intentionally so that
system managers can run them against their own password files in order to
discover weak passwords.  An example is the password cracker in COPS, a
package that checks a Unix system for different types of vulnerabilities.
The complete package can be obtained by anonymous FTP from ftp.uu.net.  Like
the password cracker published in Phrack, the COPS cracker checks whether any
of the words in an on-line dictionary correspond to a password in the
password file.

Another file that the prosecution brought into evidence during the trial was
file 6 in Phrack Issue 26, "Basic Concepts of Translation," by The Dead Lord
and The Chief Executive Officers.  This file, which described translation in
Electronic Switching System (ESS) switches, contained a phrase "Anyone want
to throw the ESS switch into an endless loop????" in a section on indirect
addressing in an index table.  This remark can be interpreted as a joke, but
even if it were not, the information in the article seems no worse than
Ritchie's code for crashing a system, which is published in the Unix
Programmer's Manual with the comment "Here is a particularly ghastly shell
sequence guaranteed to stop the system: ..." [5].

The government's claims that these files were part of a fraudulent scheme
were disproved by Riggs's testimony and email (discussed later) showing that
Neidorf and Riggs had not conspired to commit fraud by stealing property and
publishing stolen documents.

By publishing articles that expose system vulnerabilities, Phrack, in one
sense, is not unlike some professional publications such as those issued by
the ACM.  The Association

encourages publishing such articles on the grounds that in the long term, the
knowledge of vulnerabilities will lead to the design of systems that are
resistant to attacks and failures.  But, there is an important difference
between the two publications.

ACM explicitly states that it does not condone unauthorized use or disruption
of systems, it discourages authors of articles about vulnerabilities from
writing in a way that makes attacks seem like a worthy activity, and it
declines to publish articles that appear to endorse attacks of any kind.  In
addition, the ACM is willing to delay publication of an article for a short
time if publishing the information could make existing systems subject to
attack.

By comparison, Phrack appears to encourage people to explore system
vulnerabilities.  In "A Novice's Guide to Hacking," The Mentor gives 11
guidelines to hacking.  The last says "Finally, you have to actually hack.  .
.  .  There's no thrill quite the same as getting into your first system .  .
."  Although the guidelines tell the reader "Do not intentionally damage
*any* system," they also tell the reader to alter those system files "needed
to ensure your escape from detection and your future access." (2)  The
wording can be interpreted as encouraging unauthorized but non-malicious
break-ins.  Thus, whereas reading Phrack could lead one to the assessment
that it promotes illegal break-ins, reading an ACM publication is likely to
lead to the assessment that it discourages such acts and promotes protective
actions.

The actual effect of either publication on illegal activities or computer
security, however, is much more difficult to determine, especially since both
publications are available to anyone.  Computer security specialists who read
Phrack may have found it useful to know what vulnerabilities intruders were
likely to exploit, while hackers who read Communications of the ACM may have
learned something new about breaking into systems or implanting viruses.  The
Phrack reports on people who were arrested may have discouraged some budding
young hackers from performing illegal acts  they also may have reminded
hackers to take greater measures to cover up their tracks and avoid being
caught.

Even if Phrack promoted certain illegal actions, this does not make the
publication itself illegal.  The First Amendment protects such publication
unless it poses an imminent danger to society.  The threshold for this
condition is sufficiently high that, although courts have discussed its
theoretical existence, it has never been met.

The Trojan Horse

Login Program

The government found a modified version of the AT&T System V 3.2 login
program in Neidorf's files.  The program, which was modified and sent to
Neidorf by someone currently under indictment, was part of the AT&T Unix
source code and had "copyright" and "proprietary" stamps scattered
throughout.  The modifications included a Trojan horse that captured accounts
and passwords, saving them in a file that could later be retrieved.  The
government claimed that Neidorf's possession of this program demonstrated his
intentions to promote illegal break-ins and the theft of proprietary
information.  To support its case, it brought into evidence email where
Neidorf was relaying messages between two other parties.  One party said he
had other Unix sources, including 4.3 BSD Tahoe  the other asked for the
Tahoe source so he could install the login program on some Internet sites.

The defense believed the government's allegations against Neidorf were weak
on three grounds.

First, as with any publisher, the mere receipt of a document is not proof of
intent to perform illegal acts.

Second, after observing that the source code contained notices that the code
was copyrighted and proprietary, Neidorf asked someone at Bellcore security
for advice on what to do.  This action added credibility to his claim that he
had no intent to perform illegal acts and that he did not know that
publishing the E911 text could be illegal.  Although the E911 file had a
nondisclosure notice, the notice did not contain the words "copyright" or
"proprietary."

Third, how to write a Trojan horse login program is no secret.  For example,
such programs have been published in Stoll's book [7] and an article by
Grampp and Morris [2].  Also, in his ACM Turning lecture, Ken Thompson, one
of the Bell Labs coauthors of Unix, explained how to create a powerful Trojan
horse that would allow its author to log onto any account with either the
password assigned to the account or a password chosen by the author [8].
Thompson's Trojan horse had the additional property of being undetectable in
the login source code.  This was achieved by modifying the C-compiler so that
it would compile the Trojan horse into the login program.

The Phoenix Project

and Email

Correspondence

Issue 19, File 7 of Phrack announced "The Phoenix Project," and portrayed it
as a new beginning to the phreak/hack community where "Knowledge is the key
to the future and it is FREE.  The telecommunications and security industries
can no longer withhold the right to learn, the right to explore, or the right
to have knowledge."  The new beginning was to take place at SummerCon '88 in
St. Louis.

The government claimed this announcement was the beginning of the fraudulent
scheme to solicit and publish information on how to access systems illegally,
and its publication accounted for one of the counts in the indictment.  Yet,
the announcement explicitly says "The new age is here and with the use of
every *LEGAL* means available, the youth of today will be able to teach the
youth of tomorrow.  .  .  .  the practice of passing illegal information is
not a part of this convention."  Security consultants and law enforcers were
invited to attend SummerCon.

Although Neidorf was not charged with any crimes in 1988, the Secret Service
sent undercover agents to SummerCon '88 to observe the meeting.  They
secretly videotaped Neidorf and others through a two-way mirror during the
conference for 15 hours.  What did they record?  A few minors drinking beer
and eating pizza!  Zenner asked to introduce these tapes as evidence for the
defense, but the prosecution objected and Judge Bua sustained their
objection.

Two counts of the indictment involved email messages from Neidorf to Riggs
and "Scott C."  These messages, which were also alleged to be part of the
fraudulent scheme, were basically discussions of particular individuals,
mainly members of the Legion of Doom.  The messages contained no plots to
defraud any organization and no solicitations for illegal information.

RIGHTS AND

RESPONSIBILITIES

Neidorf's indictment came in the midst of a two-year investigation of illegal
activity that involved the FBI, Secret Service, and other federal and local
law enforcement agencies.  As part of the investigation, the government
seized over 40 systems and 23,000 disks.  Several bulletin board systems were
shut down in the process, including the Jolnet system on which Riggs stored
the E911 document.  In most cases, no charges have yet been made against the
person owning the equipment, and equipment that seemed to have little bearing
on any illegal activity, such as a phone answering machine, was sometimes
included in the haul.  The Phrack case and computer seizures raised concerns
about freedom of the press, protection from unnecessary searches and
seizures, and the liabilities and responsibilities of system operators and
owners.  In this section, I shall discuss these issues and give some of my
own opinions about them.

Electronic Publications

Some observers interpreted Neidorf's indictment as a threat to freedom of the
press in the electronic media.  The practice of publishing materials obtained
by questionable means is common in the news media, and publication of the
E911 file in Phrack was compared with publication of the Pentagon Papers in
the New York Times and Washington Post.  The government had tried
unsuccessfully to stop publication of the Pentagon Papers, arguing that
publication would threaten national security.  The Supreme Court held that
such action would constitute a "prior restraint" on the press, prohibited by
the First Amendment.  It therefore surprises me that there is any doubt that
electronic publications should be accorded the same protection as printed
ones.

Shortly before the Phrack case came to trial, Mitchell Kapor and John Barlow
founded the Electronic Frontier Foundation (EFF) in order to help raise
public awareness about civil liberties issues and to support actions in the
public interest to preserve and protect constitutional rights within the
electronic media.  The EFF hired the services of Terry Gross, attorney with
the New York law firm Rabinowitz, Boudin, Krinsky & Lieberman, to provide
legal advice for the Phrack case  Gross submitted two friend-of-the-court
briefings seeking to have the indictment dismissed because it threatened
constitutionally protected speech.  The trial court judge denied EFF's
motion, but as it turned out, the charges were dropped before the issue was
seriously discussed during the Neidorf trial.

Although certain information may be published legally, authors and publishers
should consider how such information might be interpreted and used.  In the
case of hacker publications, the majority of readers are impressionable young
people who are the foundation of the future.  Articles which encourage
illegal break-ins or contain information obtained in this manner should not
simply be dismissed as proper just because they are protected under First
Amendment rights.

Searches and Seizures

The seizures of bulletin boards and other systems raised questions about the
rights of the government to take property and retain it for an extended
period of time when no charges have been made.  At least one small business,
Steve Jackson Games, claims to have suffered a serious loss as a result of
having equipment confiscated for over three months.  According to Jackson,
the Secret Service raid cost his company $125,000, and he had to lay off
almost half of his employees since all of the information about their next
product, a game called GURPS CYBERPUNK, was on the confiscated systems.  Some
of the company's equipment was severely damaged, and data was lost.  No
charges have been made.

Seizing a person's computer system can be comparable to taking every document
and piece of correspondence in that person's office and home.  It can shut
down a business.  Moreover, by taking the system, the government has the
capability of reading electronic mail and files unrelated to the
investigation such broad seizures of paper documents are generally not
approved by judges issuing search warrants.

For these reasons, it has been suggested that the government not be allowed
to take complete systems, but only the files related to the investigation.
In most cases, this seems impractical.  There may be megabytes or even
gigabytes of information stored on disks, and it takes time to scan through
that much information.  In addition, the system may have nonstandard hardware
or software, making it extremely difficult to transfer the data to another
machine and process it.  Similarly, if a computer is seized without its
printer, it may be extremely difficult to print out files.  Finally,
originals are needed for evidence in court, and the evidence must be
protected up to the time of trial.  However, if the government can be
reasonably confident that the owner of the system has not participated in or
condoned the activities under investigation, then it may be practical for the
government to issue a subpoena for certain files rather than seize the entire
system.

When a complete system is seized, it seems reasonable that the government be
required under court order to provide copies of files to the owner at the
owner's request and expense within some time limit, say one week or one
month.

If a system shared by multiple users is seized, the search should be
restricted to mail and files belonging to the users under investigation.

Liabilities and

Responsibilities of

System Operators and

Owners

The bulletin board seizures sent a chill through the legitimate network
community, raising questions about the liabilities of an operator of a
bulletin board or of any system.  Operators of these boards asked if they
needed to check all information passing through the system to make sure there
is nothing that could be interpreted as a stolen, proprietary document or as
part of a fraudulent scheme.

Computer bulletin boards have been referred to metaphorically as electronic
meeting places where assembly of people is not constrained by time or
distance.  Public boards are also a form of electronic publication.  It would
seem, therefore, that they are protected by the constitution in the same way
that public meeting places and nonelectronic publications such as newspapers
are protected.  This, of course, does not necessarily mean they should be
free of all controls, just as public meetings are not entirely free of
control.

Bulletin board systems often provide private directories and electronic mail.
Private mail and files should be given the same protections from surveillance
and seizure as First Class Mail and private discussions that take place in
homes or businesses.  I believe the Electronic Communications Privacy Act
provides this protection.

The E911 text file was obtained from a system with a null password.  While
this does not excuse the person who got into the system and copied the file,
I believe that system owners should take greater measures to prevent
break-ins and unauthorized use of their systems.  There are known practices
for protecting systems.  While none of these are foolproof, they offer a high
probability for keeping intruders out and detecting those that enter.
Although the risks associated with insecure systems may not have been great
until recently, thereby justifying weak security in favor of allocating more
resources for other purposes, the risks are now sufficiently great that weak
security is inexcusable for many environments.  Moreover, systems owners may
be vulnerable to lawsuits if they do not have adequate protection for
customer information or for life-critical operations such as patient
monitoring or traffic control.

Our current laws allow a person to be convicted of a felony for simply
entering a system through an account without a password.  I recommend we
consider adopting a policy where unauthorized entry into a system is at most
a misdemeanor if certain standards have not been followed by the owner of the
system and the damage to information on the system is not high.  However, I
recognize that it may be very difficult to set appropriate standards and to
determine whether an organization has adhered to them.

I also recommend we consider establishing a range of offenses, possibly along
the lines of those in the U. K. Computer Misuse Act, which became effective
in August 1990:

* Unauthorized access: seeking to enter a computer system, knowing that the
entry is unauthorized.  Punishable by up to six months' imprisonment.

* Unauthorized access in furtherance of a more serious crime: Punishable by
up to five years' imprisonment.

* Unauthorized modification of computer material: introducing viruses, Trojan
horses, etc., or causing malicious damage to computer files.  Punishable by
up to five years' imprisonment.

CONCLUSIONS

Making a sound assessment of the claims made in the Phrack case requires
expertise in the domains of computers, the Unix system, computer security,
phone systems, and the public literature.  Whereas Zenner brought in outside
technical expertise to help with the defense, the prosecution relied on
experts belonging to the victim, namely, employees of Bell.  The indictment
and costly trial may have been avoided if the government had consulted
neutral experts before deciding whether to pursue the charges.  The
professional community represented by ACM may be a good source of such help.

In the context of the new milieu created by computers and networks, a new
form of threat has emerged--the computer criminal capable of damaging or
disrupting the electronic infrastructure, invading people's privacy, and
performing industrial espionage.  While the costs associated with these
crimes may be small compared with computer crimes caused by company employees
and former employees, the costs are growing and are becoming significant.

For many young computer enthusiasts, illegal break-ins and phreaking are a
juvenile activity that they outgrow as they see the consequences of their
actions in the world.  However, a significant number of these hackers may go
on to become serious computer criminals.  To design an intervention that will
discourage people from entering into criminal acts, we must first understand
the hacker culture since it reveals the concerns of hackers that must be
taken into account.  We must also understand the concerns of companies and
law enforcers.  We must understand how all these perspectives interact.

The 1985 ACM Panel on Hacking [3] offered several suggestions for actions
that could be taken to reduce illegal hacking, and my own investigation
confirmed these while speculating about others [1].  Teaching computer ethics
may help, and I applaud recent efforts on the part of computer professionals
and educators to bring computer ethics not only into the classroom, but into
their professional forums for discussion.

(1) The term "hacker" originally meant anyone with a keen interest in
learning about computer systems and using them in novel and clever ways.
Many computer enthusiasts still call themselves hackers in this nonpejorative
sense.

(2) Most system managers regard any modification of system files as damage,
because they must restore these files to a state that does not permit the
intruder to re-enter the system.

References

[1.] Denning, D.E.  Concerning hackers who break into computer systems.  In
Proceedings of the 13th National Computer Security Conference (Oct.  1990).

[2.] Grampp, F.T., and Morris, R.H.  UNIX operating system security.  AT&T
Bell Lab.  Tech.  J., 63, 8 (Oct.  1984).

[3.] Lee, J.A.N., Segal, G., and Stier, R.  Positive alternatives: A report
on an ACM panel on hacking, Commun.  ACM, 29, 4 (Apr.  1986), 297-299 full
report available from ACM Headquarters, New York.

[4.] Morris, R., and Thompson, K.  Password security: A case history.
Commun.  ACM 22, 11 (Nov.  1979).

[5.] Ritchie, D.  On the security of Unix.  Unix programmer's manual, Section
2, AT&T Bell Laboratories.

[6.] Spafford, E.H.  The Internet Worm: Crisis and aftermath.  Commun.  ACM
32, 6 (June 1989).

[7.] Stoll, C.  The Cuckoo's Egg.  Doubleday, N.Y.  1990.

[8.] Thompson, K.  Reflections on trusting trust.  Turing Award Lecture,
Commun.  ACM 27, 8, 761-763.