Computer underground Digest Wed Dec 16, 1992 Volume 4 : Issue 66 ISSN 1066-662X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Copy Editor: Etaion Shrdlu, Junior CONTENTS, #4.66 (Dec 16, 1992) File 1-- CPSR and the Transition File 2--Cellular Phone Fraud Techniques & Countermeasures (CU News) File 3--Police Hackers / Computer Privacy Survey (Cu News) File 4--EFF Nominations for PIONEER AWARDS File 5--Organizational Changes at the EFF File 6--Response to CERT advisory (Re: CuD 4.65) File 7--CuD's 1992 MEDIA HYPE award to FORBES MAGAZINE Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT libraries; from America Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; in Europe from the ComNet in Luxembourg BBS (++352) 466893; and using anonymous FTP on the Internet from ftp.eff.org (192.88.144.4) in /pub/cud, red.css.itd.umich.edu (141.211.182.91) in /cud, halcyon.com (192.135.191.2) in /pub/mirror/cud, and ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD. European readers can access the ftp site at: nic.funet.fi pub/doc/cud. Back issues also may be obtained from the mail server at mailserv@batpad.lgb.ca.us. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Tue, 15 Dec 1992 13:13:39 EDT From: Marc Rotenberg Subject: File 1-- CPSR and the Transition Over the last several years CPSR has worked extensively on access to government information, the Freedom of Information Act, computer security policy, and privacy protection. We have now sent the following recommendations to several transition team groups. (The "(b)(1) exemption" in the first recommendation refers to the national security exemption in the Freedom of Information Act.) We hope that the new administration will give our proposals full consideration. Marc Rotenberg, Director CPSR Washington Office rotenberg@washofc.cpsr.org ============================================= FROM--Marc Rotenberg, CPSR RE--Classification, Computer Security, Privacy CC--Policy Group, Justice Cluster DATE--December 10, 1992 Three issues that the Executive Order Project should address: 1) Rescind E.O. 12356 (1982 Reagan Order on classification) The Reagan Order on classification is the bane of the FOIA and science communities. It has led to enormous overclassification, frustrated government accountability, and skewed national priorities. It should be rescinded. A new E.O. should narrow the scope of classification authority. It should reduce the classification bureaucracy. And it should reflect the economic cost of classifying scientific and technical information, i.e. such information should be presumptively available. In the FOIA context, the new E.O. should also require agencies to identify "an ascertainable harm" before invoking the (b)(1) exemption. 2) Rescind NSD-42 (1991 Bush Directive on computer security authority) This directive undermined a fairly good 1987 law (the Computer Security Act) and transferred authority for computer security from the civilian sector to the intelligence community. It led to several bad decisions in the area of technical standard setting (e.g. network standards that facilitate surveillance rather than promoting security) and has made it more difficult to ensure agency accountability. It should be rescinded. The President could either leave the 1987 Act in place and issue no new E.O. or he could revise the E.O. consistent with the aims of the 1987 law, recognizing the recent problems with technical standard setting by the intelligence community. 3) Establish a task force on privacy protection The new administration should move quickly on the privacy front, particularly in the telecommunications arena. The United States currently lags behind Canada, Japan, and the EC on telecomm privacy policy. These policies are necessary for the development of new services and the protection of consumer interests. An Executive Order on privacy should include the following elements: (1) the creation of an intra-agency task force with public participation, (2) a report to the President within 180 days with legislative recommendations, (3) a procedure for ongoing review and coordination with Justice, Commerce, State, and OSTP. ------------------------------ Date: 13 Dec 92 14:00:21 EST From: Gordon Meyer <72307.1502@COMPUSERVE.COM> Subject: File 2--Cellular Phone Fraud & Countermeasures (CU News) Industry sponsored studies on the amount of money lost to fraudulent calls vary, as they do with estimates of computer crime and software piracy, but one figure from the Cellular Telecommunications Industry Association (CTIA) places the cost at somewhere between 100 and $300 million annually. Other estimates are as high at $600 million. Typical methods used to obtain service for free include paying off company employees to provide the all-essential ESN (Electronic Serial Number, a unique identifier transmitted with each call that identifies who is placing the call.), to 'cloning' ESN's from existing phones, sometimes using radio receivers to evesdrop on cellular traffic and copy the ESN from other calls. Earlier this year the Secret Service raided homes in Phoenix and confiscated 35 phones, 10,000 microchips, and other equipment used to steal cellular service. The El Segundo based Computer Sciences Corp has recently released an Artificial Intelligence based device that attempts to thwart fraudulent activity by maintaining a data base of calling patterns for a particular ESN. When the pattern of activity changes, the cellular company is notified that the ESN may have been compromised. The CTIA has set up a fraud task force, with an annual budget of $4 million dollars, to help fight the problem. Individual cellular companies have also established their own fraud investigation units. Unlike the long-distance industry, cellular companies do not have a policy of holding the customer responsible for fraudulent calls. For more information read "Stop, Thief!", Information Week, November 30, 1992. pg. 32 ------------------------------ Date: 13 Dec 92 14:00:21 EST From: Gordon Meyer <72307.1502@COMPUSERVE.COM> Subject: File 3--Police Hackers / Computer Privacy Survey (Cu News) According to news reports, up to 45 members (since 1989) of the Los Angeles Police Department have been disciplined for using for unauthorized use of police databases. They have been freely digging up information on everyone from potential baby sitters to local celebrities. There are reportedly some cases of using the databases to file false insurance claims as well. For more information see Karen M. Carriol's "Was Police Search Warranted? Information Week. Nov 23 1992 pg 79 ============= Privacy vs Computers Survey. Equifax's June '92 update to their "Consumers in the Information Age" study shows some interesting survey results. Of the 1200+ people surveyed, 80% said that computers improved the overall quality of life, but nearly 70% agree that present uses of computers threaten their personal privacy. Other results include: - Just over 75% worry that consumers have lost all control over how businesses use and circulate personal information. - About half see no signs of improving this, saying that protection of individual consumer data will weaken over the next ten years. - Almost 70% agree that if privacy is to be preserved, the use of computers must be sharply restricted in the future. For more information refer to: "The Databases That Knew Too Much", Information Week. 12/7/92 pg 22 ------------------------------ Date: Fri, 11 Dec 92 15:01:26 EST From: Rita Marie Rouvalis Subject: File 4--EFF Nominations for PIONEER AWARDS THE SECOND ANNUAL INTERNATIONAL EFF PIONEER AWARDS: CALL FOR NOMINATIONS Deadline: December 31,1992 In every field of human endeavor,there are those dedicated to expanding knowledge, freedom, efficiency and utility. Along the electronic frontier, this is especially true. To recognize this,the Electronic Frontier Foundation has established the Pioneer Awards for deserving individuals and organizations. The Pioneer Awards are international and nominations are open to all. In March of 1992, the first EFF Pioneer Awards were given in Washington D.C. The winners were: Douglas C. Engelbart of Fremont, California; Robert Kahn of Reston, Virginia; Jim Warren of Woodside, California; Tom Jennings of San Francisco, California; and Andrzej Smereczynski of Warsaw, Poland. The Second Annual Pioneer Awards will be given in San Francisco, California at the 3rd Conference on Computers, Freedom, and Privacy in March of 1993. All valid nominations will be reviewed by a panel of impartial judges chosen for their knowledge of computer-based communications and the technical, legal, and social issues involved in networking. There are no specific categories for the Pioneer Awards, but the following guidelines apply: 1) The nominees must have made a substantial contribution to the health, growth, accessibility, or freedom of computer-based communications. 2) The contribution may be technical, social, economic or cultural. 3) Nominations may be of individuals, systems, or organizations in the private or public sectors. 4) Nominations are open to all, and you may nominate more than one recipient. You may nominate yourself or your organization. 5) All nominations, to be valid, must contain your reasons, however brief, on why you are nominating the individual or organization, along with a means of contacting the nominee, and your own contact number. No anonymous nominations will be allowed. 6) Every person or organization, with the single exception of EFF staff members, are eligible for Pioneer Awards. 7) Persons or representatives of organizations receiving a Pioneer Award will be invited to attend the ceremony at the Foundation's expense. You may nominate as many as you wish, but please use one form per nomination. You may return the forms to us via email to pioneer@eff.org You may mail them to us at: Pioneer Awards, EFF, 155 Second Street Cambridge MA 02141. You may FAX them to us at: +1 617 864 0866 Just tell us the name of the nominee, the phone number or email address at which the nominee can be reached, and, most important, why you feel the nominee deserves the award. You may attach supporting documentation. Please include your own name, address, and phone number. We're looking for the Pioneers of the Electronic Frontier that have made and are making a difference. Thanks for helping us find them, The Electronic Frontier Foundation -------EFF Pioneer Awards Nomination Form------ Please return to the Electronic Frontier Foundation via email to: pioneer@eff.org via surface mail to EFF 155 Second Street, Cambridge, MA 02141 USA; via FAX to +1 617 864 0866 Nominee: Title: Company/Organization: Contact number or email address: Reason for nomination: Your name and contact information: Extra documentation attached: DEADLINE: ALL NOMINATIONS MUST BE RECEIVE BY THE ELECTRONIC FRONTIER FOUNDATION BY MIDNIGHT, EASTERN STANDARD TIME U.S., DECEMBER 31,1992. ------------------------------ Date: Mon, 14 Dec 92 14:47:43 EST From: Rita Marie Rouvalis Subject: File 5--Organizational Changes at the EFF EFF EXPLAINS ORGANIZATIONAL CHANGES Mitchell Kapor, Chairman and President of the Electronic Frontier Foundation (EFF), today explained several organizational moves and initiatives approved by the EFF Board at its November 10, 1992 meeting in San Francisco. According to Kapor, "they are designed to increase our effectiveness in making EFF into a national public education, advocacy, membership, and chapters organization that represents and serves our growing constituency on the electronic frontier." Berman Becomes Acting Executive Director Kapor stated that "Jerry Berman, who currently heads our Washington Office, has been designated by the EFF board to serve as the interim Executive Director of EFF with present overall responsibility for managing the activities of our Cambridge and Washington, D.C. offices. In this capacity, he will oversee EFF's public policy, membership, and chapter building activities." Berman said: "I am delighted to be working with Cliff Figallo, our Cambridge Office Director and the entire EFF staff and Board. In the next two months we will be making a concerted effort to develop a plan to make EFF into a more effective and powerful public interest organization." Chapters Summit On January, 23 and 24, 1993, EFF will hold a "chapters summit" in Atlanta, Georgia. Dave Farber, EFF Board Member, stated that the meeting would be "an open, candid sharing of views about chapter relations with EFF and EFF's relations with chapters with the goal of making the chapters an integral part of the EFF mission." The meeting is being organized by a steering committee made up of Cliff Figallo, Jerry Berman, Dave Farber and representatives from chapters and potential chapters including Mitch Ratcliffe and Jon Lebkowsky . Mitchell Kapor to Chair EFF Board and Oversee Critical Policy Studies and Initiatives Mitchell Kapor, who serves as Chairman of the EFF Board, has turned over management functions to Berman and Figallo to devote his energy and talents to developing EFF strategy and public policy initiatives, such as a pragmatic program for achieving an open broadband communications network and an exploration of the potential role of the cable television network in serving as a interactive, multimedia electronic communications highway. Kapor will also continue to lead EFF's current public policy initiative to develop a near term digital path to the home designed to maximize free speech, innovation, and privacy. Permanent Executive Director The EFF Board, once it has developed and approved an overall strategic plan in January, will proceed with an open search for a permanent Executive Director for the organization. ------------------------------ Date: 15 Dec 92 15:11:24 From: Louis Giliberto Subject: File 6--Response to CERT advisory (Re: CuD 4.65) In CuD #4.65 this CERT advisory appeared: > CA-92:19 CERT Advisory > December 7, 1992 > Keystroke Logging Banner There are several issues that need to be considered before implementing a system such as this, the last of which should be defensibility. Killing in self-defense is defensible, but there are other considerations involved. The point? Just because someone *can* do something does not mean someone *should* do something. Who should/could be monitored? +++++++++++++++ This advisory seems to give free license to the system administrator to monitor as he/she sees fit. What if you own a company, and your administrator logs and monitors all activity as outlined? Then he leaves your company and joins your competitor. He has read over every piece of information typed into your system. Obviously this causes problems if the computer is used for proprietary information. However, let us assume the administrator can be trusted. Who does he decide to log? The fairest way would be to log everyone. However, this is near impossible since the resources required would be overwhelming. More resources would be spent on logging than on computation. One might suggest that he log only those accounts that have had illegal logon attempts or suspicious activity. But this brings up two points: 1) If the logs are catching the activity, is keystroke monitoring needed to secure the system? 2) In the cases where keystroke monitoring would be most effective (i.e., determining the method of intrustion) the logs are most likely doctored in some way, so the determination of which account to monitor could not even be made. Therefore the most effective use of keystroke logging would be 1) monitor those accounts with suspicious activity and 2) monitor at random. In this manner, illegal entries not caught in the logs or other security measures may be picked up in the keystroke loggings. But this brings up even more questions: What type of notification should there be? +++++++++++++++++++++ Is the banner enough? Is more notification needed? Way back when, it was determined system administrators should give notice (in the form of a banner or some such publicly visible medium) that e-mail and files are not secure on the system and are open to incidental inspection by the system administrator in the course of system maintenance. Most people expect this and trust the system administrator enough to feel that he is not reading their mail for kicks. The banner is enough of a notification in this instance since monitoring does not take place in real-time. Unlike monitoring on the phone system where it happens as the voice is transmitted, e-mail and file monitoring takes place often when the user is not on so that instant notification is not possible (or even warranted in most cases when it happens in the course of system maintenance). Keystroke logging differs in that it takes place in real-time while the user is logged on. Is a banner enough notification? I would argue no. While using the phone system, if an operator comes into your call, his/her presence is announced with several tones and the name of the company. The law requires that any taping of conversations to be accompanied by a tone every so often of a specific duration. The logging of keystrokes is the same type of monitoring, and should be subject to the same requirements. The user should be notified in real-time that he is being monitored in real-time. Any type of monitoring without such a warning is usually called "wiretapping," and such monitoring is illegal except by law enforcement agencies with a court order allowing the event after cause is shown. Many people would contend: "But this is a privately owned system, not a public utility." Yes, but there is reasonable expectation of privacy allowed even in the workplace. I'm too lazy to look up the court cases (and I'm not a lawyer, so I don't care either), but there are multiple instances where searches of employee desks and lockers and the like were determined to be a violation of privacy rights. A company could clearly not monitor the voice transmissions of an employee's telephone but could log the number he called. In the same way, a system administrator could log login attempts, but should not be given free license to monitor the actual keystrokes. It violates the reasonable rights of the employee. Even high school students are given reasonable rights in the expectation of privacy of the contents of their lockers and person. Well, unless you went to Catholic high school like I did + never tell a Jesuit he can't do something (unless you like corporal punishment). Extensions of keystroke monitoring +++++++++++++++++ Given the fact that keystrokes are passed over the internet in the form of IP packets generated by telnet (and other comparable applications), does this allow keystroke monitoring at a remote site? In other words, can routing centers sniff packets at will if they inform the other sites they are going to? According to the interpretation given by the justice department, yes, they can. They can monitor keystrokes. The argument would be there is a reasonable expectation for keystrokes to appear in an IP packet, so all of them are open to examination if a banner is presented or prior notification given. Does apple.com want ibm.com to monitor its packets? Nope. Does a prof at Purdue want a prof at Champaign to monitor his? Nope. However, if a packet goes through someone's machine (possible since many machines are used for gatewaying and routing) he could argue that he had the right to sniff it. Can pay services monitor your keystrokes legally? Say CompuServe or America Online or Prodigy or another fine reputable service put this measure in place. These services are comparable to a public service such as a bookstore (which was proven in litigation with CompuServe) or a phone company. Don't they then have the responsibility to respect the privacy of the customers? If you walk into K-Mart they can't strip search you at their whim. The phone company can't (legally) listen into your conversations. Is keystroke monitoring without real time notification to be allowed on these systems as well? An argument may be: "But security cameras are allowed to videotape customers" Ah, yes! But that is a different scenario: 1) The videotaping does not center on a specific individual. As stated before, to monitor the keystrokes of everyone would be near-impossible. 2) The store is a publically accessible place, and there is no reasonable expectation of privacy except to your person. Why is there a reasonable expectation of privacy on a computer system? Well, what are file permissions for? To keep one's files and stuff private. Just as a lock on a desk or a closed door intimates privacy, so do file permissions. If a system is truly public as a Sears or WalMart, there would be no file permissions. There would be no accounts with names on them giving ownership. Ownership implies a right to security from trespass and interference. There are many arguments to be made for privacy expectations on computer systems that I won't go into here. Let me just clarify "truly public" as I used it in describing Sears and WalMart. By "truly public" I mean that they may not turn away anyone entering their property without good reason. They may not discriminate, and being employed by them is not a criteria for entering their sales area. Customers are allowed to move unimpeded throughout the sales area, and customers do not get lockers to put stuff in on a daily basis which are provided by the store. In other words, their is no private ownership on the part of the customer within the store except for what he carries on his person. This is comparable to being in a public area. The comparison I am making believes that being inside a computer system is not comparable to being in a public area if ownership of files and accounts are given. Conclusion +++++ While I realize that CERT was merely passing on the findings of the Justice Department, I have to question 1) the presentation of those findings including giving almost a "non-liability kit" in their advisory, and, 2) the findings themselves. Anything is defensible. Charles Manson had a defense. However, even if the act is defensible, it may still be illegal. Defensible merely means "there is a reasonable expectation that consideration will be given to your side." I think CERT went a bit too far in suggesting a banner and not bringing up possible consequences. I tried to "balance" the situation here. For any company, I would seriously advise you to consult an attorney before you implement this type of monitoring, and to think about what effects it could have. It may weaken security rather than improve it. As a system administrator (albeit a tiny system consisting of myself, 4 friends, my sister, and my girlfriend) I would not implement such a scheme since I feel that it would be illegal without real-time notification, and such real-time notification is, quite frankly, a pain to give to someone using an editor without disrupting their session or their train of thought. In a nutshell, the point is this: just because it's defensible does not mean it's legal, and in this case I feel that it just might be illegal. ------------------------------ Date: 15 Dec 92 18:48:01 CST From: Jim Thomas Subject: File 7--CuD's 1992 MEDIA HYPE award to FORBES MAGAZINE In recent years, media depiction of "hackers" has been criticized for inaccurate and slanted reporting that exaggerates the public dangers of the dread "hacker menace." As a result, CuD annually recogizes the year's most egregious example of media hype. The 1992 annual CuD GERALDO RIVERA MEDIA HYPE award goes to WILLIAM G. FLANAGAN AND BRIGID McMENAMIN for their article "The Playground Bullies are Learning how to Type" in the 21 December issue of Forbes (pp 184-189). The authors improved upon last year's winner, Geraldo himself, in inflammatory rhetoric and distorted narrative that seems more appropriate for a segment of "Inside Edition" during sweeps week than for a mainstream conservative periodical. The Forbes piece is the hands-down winner for two reasons. First, one reporter of the story, Brigid McMenamin, was exceptionally successful in creating for herself an image as clueless and obnoxious. Second, the story itself was based on faulty logic, rumors, and some impressive leaps of induction. Consider the following. The Reporter: Brigid McMenamin It's not only the story's gross errors, hyperbole, and irresponsible distortion that deserve commendation/condemnation, but the way that Forbes reporter Brigid McMenamin tried to sell herself to solicit information. One individual contacted by Brigid McM claimed she called him several times "bugging" him for information, asking for names, and complaining because "hackers" never called her back. He reports that she explicitly stated that her interest was limited to the "illegal stuff" and the "crime aspect" and was oblivious to facts or issues that did not bear upon hackers-as-criminals. Some persons present at the November 2600 meeting at Citicorp, which she attended, suggested the possibility that she used another reporter as a credibility prop, followed some of the participants to dinner after the meeting, and was interested in talking only about illegal activities. One observer indicated that those who were willing to talk to her might not be the most credible informants. Perhaps this is one reason for her curious language in describing the 2600 meeting. Another person she contacted indicated that she called him wanting names of people to talk to and indicated that because Forbes is a business magazine, it only publishes the "truth." Yet, she seemed not so much interested in "truth," but in finding "evidence" to fit a story. He reports that he attempted to explain that hackers generally are interested in Unix and she asked if she could make free phone calls if she knew Unix. Although the reporter stated to me several times that she had done her homework, my own conversation with her contradicted her claims, and if the reports of others are accurate, here claims of preparation seem disturbingly exaggerated. I also had a rather unpleasant exchange with Ms. McM. She was rude, abrasive, and was interested in obtaining the names of "hackers" who worked for or as "criminals." Her "angle" was clearly the hacker-as-demon. Her questions suggested that she did not understand the culture about which she was writing. She would ask questions and then argue about the answer, and was resistant to any "facts" or responses that failed to focus on "the hacker criminal." She dropped Emmanuel Goldstein's name in a way that I interpreted as indicating a closer relationship than she had--an incidental sentence, but one not without import--which I later discovered was either an inadvertently misleading choice of words or a deliberate attempt to deceptively establish credentials. She claimed she was an avowed civil libertarian. I asked why, then, she didn't incorporate some of those issues. She invoked publisher pressure. Forbes is a business magazine, she said, and the story should be of interest to readers. She indicated that civil liberties weren't related to "business." She struck me as exceptionally ill-informed and not particularly good at soliciting information. She also left a post on Mindvox inviting "hackers" who had been contacted by "criminals" for services to contact her. >Post: 150 of 161 >Subject: Hacking for Profit? >From: forbes (Forbes Reporter) >Date: Tue, 17 Nov 92 13:17:34 EST > >Hacking for Profit? Has anyone ever offered to pay you (or >a friend) to get into a certain system and alter, destroy or >retrieve information? Can you earn money hacking credit >card numbers, access codes or other information? Do you know >where to sell it? Then I'd like to hear from you. I'm >doing research for a magazine article. We don't need you >name. But I do want to hear your story. Please contact me. >Forbes@mindvox.phantom.com. However, apparently she wasn't over-zealous about following up her post or reading the Mindvox conferences. When I finally agreed to send her some information about CuD, she insisted it be faxed rather than sent to Mindvox because she was rarely on it. Logs indicate that she made only six calls to the board, none of which occured after November 24. My own experience with the Forbes reporter was consistent with those of others. She emphasized "truth" and "fact-checkers," but the story seems short on both. She emphasized explicitly that her story would *not* be sensationalistic. She implied that she wanted to focus on criminals and that the story would have the effect of presenting the distinction between "hackers" and real criminals. Another of her contacts also appeared to have the same impression. After our less-than-cordial discussion, she reported it to the contact, and he attempted to intercede on her behalf in the belief that her intent was to dispel many of the media inaccuracies about "hacking." If his interpretation is correct, then she deceived him as well, because her portrayal of him in the story was unfavorably misleading. In CuD 4.45 (File #3), we ran Mike Godwin's article on "How to Talk to the Press," which should be required reading. His guidelines included: 1) TRY TO THINK LIKE THE REPORTER YOU'RE TALKING TO. 2) IF YOU'RE GOING TO MEET THE REPORTER IN PERSON, TRY TO BRING SOMETHING ON PAPER. 3) GIVE THE REPORTER OTHER PEOPLE TO TALK TO, IF POSSIBLE. 4) DON'T ASSUME THAT THE REPORTER WILL COVER THE STORY THE WAY YOU'D LIKE HER TO. Other experienced observers contend that discussing "hacking" with the press should be avoided unless one knows the reporter well or if the reporter has established sufficient credentials as accurate and non-sensationalist. Using these criteria, it will probably be a long while before any competent cybernaught again speaks to Brigid McMenamin. The Story Rather than present a coherent and factual story about the types of computer crime, the authors instead make "hackers" the focal point and use a narrative strategy that conflates all computer crime with "hackers." The story implies that Len Rose is part of the "hacker hood" crowd. The lead reports Rose's prison experience and relates his feeling that he was "made an example of" by federal prosecutors. But, asks the narrative, if this is so, then why is the government cracking down? Whatever else one might think of Len Rose, no one ever has implied that he as a "playground bully" or "hacker hood." The story also states that 2600 Magazine editor Emmanuel Goldstein "hands copies out free of charge to kids. Then they get arrested." (p. 188--a quote attributed to Don Delaney), and distorts (or fabricates) facts to fit the slant: According to one knowledgeable source, another hacker brags that he recently found a way to get into Citibank's computers. For three months he says he quietly skimmed off a penny or so from each account. Once he had $200,000, he quit. Citibank says it has no evidence of this incident and we cannot confirm the hacker's story. But, says computer crime expert Donn Parker of consultants SRI International: "Such a 'salami attack' is definitely possible, especially for an insider" (p. 186). Has anybody calculated how many accounts one would have to "skim" a few pennies from before obtaining $200,000? At a dime apiece, that's over 2 million. If I'm figuring correctly, at one minute per account, 60 accounts per minute non-stop for 24 hours a day all year, it would take nearly 4 straight years of on-line computer work for an out-sider. According to the story, it took only 3 months. At 20 cents an account, that's over a million accounts. Although no names or evidence are given, the story quotes Donn Parker of SRI as saying that the story is a "definite possibility." Over the years, there have been cases of skimming, but as I remember the various incidents, all have been inside jobs and few, if any, involved hackers. The story is suspiciously reminiscent of the infamous "bank cracking" article published in Phrack as a spoof several years ago. The basis for the claim that "hacker hoods" (former "playground bullies") are now dangerous is based on a series of second and third-hand rumors and myths. The authors then list from "generally reliable press reports" a half-dozen or so non-hacker fraud cases that, in context, would seem to the casual reader to be part of the "hacker menace." I counted in the article at least 24 instances of half-truths, inaccuracies, distortions, questionable/spurious links, or misleading claims that are reminiscent of 80s media hype. For example, the article attributes to Phiber Optik counts in the MOD indictment that do not include him, misleads on the Len Rose indictment and guilty plea, uses second and third hand information as "fact" without checking the reliability, and presents facts out of context (such as attributing the Morris Internet worm to "hackers). Featured as a key "hacker hood" is "Kimble," a German hacker said by some to be sufficiently media-hungry and self-serving that he is ostracized by other German hackers. His major crime reported in the story is hacking into PBXes. While clearly wrong, his "crime" hardly qualifies him for the "hacker hood/organized crime" danger that's the focus of the story. Perhaps he is engaged in other activities unreported by the authors, but it appears he is simply a run-of-the-mill petty rip-off artist. In fact, the authors do not make much of his crimes. Instead, they leap to the conclusion that "hackers" do the same thing and sell the numbers "increasingly" to criminals without a shred of evidence for the leap. To be sure the reader understands the menace, the authors also invoke unsubstantiated images of a hacker/Turkish Mafia connection and suggest that during the Gulf war, one hacker was paid "millions" to invade a Pentagon computer and retrieve information from a spy satellite (p. 186). Criminals use computers for crime. Some criminals may purchase numbers from others. But the story paints a broader picture, and equates all computer crime with "hacking." The authors' logic seems to be that if a crime is committed with a computer, it's a hacking crime, and therefore computer crime and "hackers" are synonymous. The story ignores the fact that most computer crime is an "inside job" and it says nothing about the problem of security and how the greatest danger to computer systems is careless users. One short paragraph near the end mentions the concerns about civil liberties, and the next paragraph mentions that EFF was formed to address these concerns. However, nothing in the article articulates the bases for these concerns. Instead, the piece promotes the "hacker as demon" mystique quite creatively. The use of terms such as "new hoods on the block," "playground bullies," and "hacker hoods" suggests that the purpose of the story was to find facts to fit a slant. In one sense, the authors might be able to claim that some of their "facts" were accurate. For example, the "playground bullies" phrase is attributed to Chesire Catalyst. "Gee, *we* didn't say it!" But, they don't identify whether it's the original CC or not. The phrase sounds like a term used in recent internecine "hacker group" bickering, and if this was the context, it hardly describes any new "hacker culture." Even so, the use of the phrase would be akin to a critic of the Forbes article refering to it as the product of "media whores who are now getting paid for doing what they used to do for free," and then applying the term "whores" to the authors because, hey, I didn't make up the term, somebody else did, and I'm just reporting (and using it as my central metaphor) just the way it was told to me. However, I suspect that neither Forbes' author would take kindly to being called a whore because of the perception that they prostituted journalistic integrity for the pay-off of a sexy story. And this is what's wrong with the article: The authors take rumors and catch-phrases, "merely report" the phrases, but then construct premises around the phrases *as if* they were true with little (if any) evidence. They take an unconfirmed "truth" (where are fact checkers when you need them) or an unrelated "fact" (such as an example of insider fraud) and generalize from a discrete fact to a larger population. The article is an excellent bit of creative writing. Why Does It All Matter? Computer crime is serious, costly, and must not be tolerated. Rip-off is no joke. But, it helps to understand a problem before it can be solved, and lack of understanding can lead to policies and laws that are not only ineffective, but also a threat to civil liberties. The public should be accurately informed of the dangers of computer crime and how it can be prevented. However, little will be served by creating demons and falsely attributing to them the sins of others. It is bad enough that the meaning" of the term "hacker" has been used to apply both to both computer delinquents and creative explorers without also having the label extended to include all other forms of computer criminals as well. CPSR, the EFF, CuD, and many, many others have worked, with some success, to educate the media about both dangers of computer crime and the dangers of inaccurately reporting it and attributing it to "hackers." Some, perhaps most, reporters take their work seriously, let the facts speak to them, and at least make a good-faith effort not to fit their "facts" into a narrative that--by one authors' indication at least--seems to have been predetermined. Contrary to billing, there was no evidence in the story, other than questionable rumor, of "hacker" connection to organized crime. Yet, this type of article has been used by legislators and some law enforcement agents to justify a "crackdown" on conventional hackers as if they were the ultimate menace to society. Forbes, with a paid circulation of over 735,000 (compared to CuDs unpaid circulation of only 40,000), reaches a significant and influential population. Hysterical stories create hysterical images, and these create hysteria-based laws that threaten the rights of law-abiding users. When a problem is defined by irresponsibly produced images and then fed to the public, it becomes more difficult to overcome policies and laws that restrict rights in cyberspace. The issue is not whether "hackers" are or are not portrayed favorably. Rather, the issue is whether images re-inforce a witch-hunt mentality that leads to the excesses of Operation Sun Devil, the Steve Jackson Games fiasco, or excessive sentences for those who are either law-abiding or are set up as scapegoats. The danger of the Forbes article is that it contributes to the persecution of those who are stigmatized not so much for their acts, but rather for the signs they bear. ------------------------------ End of Computer Underground Digest #4.66 ************************************