6.805/STS085: Readings on Computer Crime
May 9th and 10th brought on two days that should
be marked in every hacker's history book. The reason we assume these
days will be important to many, is that maybe it's time we opened our
eyes and saw the witch hunt currently in progress...
It is my understanding that Gail Thackeray and the Secret Service are not,
taking this lightly. She told Phrack inc. that they are not distinguishing
pirates, hackers, or phreakers. Basically, it's any kid with a modem that calls
a BBS with an alias. Yes, we are the witches, and we are being
hunted.
-- Phreak_Accident (from Phrack Magazine, May 1990)
In the old days [in drug busts], we'd get a search warrant, kick in the door, and if
we did our job right, there would be white powder and currency and a
little black book. And you opened up that little black book and you
find names, dates and amounts. Well, now you kick in the door and you
find the powder and the currency and a stand-alone PC.
-- Scott Charney (Chief of the Dept. of Justice Computer Crimes Unit,
March 1995)
[In the early days] people were friendly, computer users were very
social. Information was handed down freely, there was a true feeling
of brotherhood in the underground. As the years went on people became
more and more anti-social.
As it became more and more difficult to blue-box, the social
feeling of the underground began to vanish. People began to
hoard information and turn people in for revenge. The
underground today is not fun. It is very power hungry,
almost feral in its actions. People are grouped off: you
like me or you like him, you cannot like both ... The
subculture I grew up with, learned in, and contributed to,
has decayed into something gross and twisted that I
shamefully admit connection with. Everything changes and
everything dies, and I am certain that within ten years there
will be no such thing as a computer underground. I'm glad I
saw it in its prime.
-- Chris Goggans (aka Phrack Magazine's "Erik Bloodaxe",
quoted in Paul Taylor's book Hackers, 1996)
For a quick orientation to computer crime laws, read the overview from
the book by Cavazos and Morin (to be
distributed in class).
Read the Computer Fraud and Abuse Statute (US Criminal Code Title 18 Section
1030). Look both at the pre-1986 version and also at the
current version that resulted from passage of the National
Information Infrastructure Protection Act of 1996, based on a bill
introduced in 1995 by Senators Leahy, Kyl, and Grassley. There
are also statements by Kyl
and Leahy
accompanying their introduction of the bill, as well as an analysis
by the senators of their changes to 18 USC 1030.
John Perry Barlow,
"Crime and Puzzlement". John Perry Barlow, who spends half his
time in New York and half his time in Wyoming, is a founder of the
Electronic Frontier Foundation, retired cattle rancher, erstwhile
lyricist for the Grateful Dead, and an outstanding polemicist. "Crime
and Puzzlement" is the pamphlet that got the Electronic Frontier
Foundation off the ground.
Mike Godwin, Cops on the I-Way. From the Spring 95 Special Issue of Time Magazine.
Godwin is "on-line counsel" for the EFF. He will be a guest in the
class later during the semester. In this article, he describes the need
to balance law enforcement with constitutional rights on the Internet.
Mark Rasch, Computer security: Legal Lessons in the Computer Age. From the April 1996
issue of Security Management. Rasch, who is one of our
guests this semester, is the director of information security law and
policy at the Center for Information Protection at SAIC, a major
security consulting firm. He headed the Department of Justice's
computer crime efforts until 1991, and he prosecuted the Robert Morris
"internet worm" case. This article is an excellent overview of the
computer crime issues that we will be discussing in the course.
Read at least one of the following books, all popularizations of
computer break-ins involving the Internet. You should be able to find
copies of these at the Coop or at Quantum books, and I've put copies
of some on reserve for the course. If you want your own copy and
have trouble finding one, any of these books can be ordered via the Web
from amazon.com.
- Bruce Sterling, The Hacker Crackdown: Law and Disorder on the Electronic
Frontier,
Bantam Books, 1992. This is a splendidly written overview of "trouble
in cyberspace" from the beginning of the phone system through
Operation Sun Devil and the
Steve Jackson Games case. You should definitely read a good bit of
it. Sterling, bless him, has made the
entire book available on-line as "literary freeware." You may want to
buy a copy, though, since it's not easy to read a 200-page book on-line. The
on-line version has an
afterword, not contained in the printed book, which updates events
to 1994.
- Katie Hafner and John Markoff, Cyberpunk: Outlaws and hackers on
the computer frontier, Simon & Schuster, 1991. This is an
in-depth study of three famous cases: Kevin Mitnick (not counting his
escapade of winter 1995), the German Chaos Computer Club, and Robert
Morris's Internet Worm. The three parts are completely separate.
The book is on reserve for the
course.
- Michelle Slatalla and Joshua Quittner, Masters of deception: The
gang that ruled cyberspace, HarperCollins Publishers, 1995. This
is the story of the teenage phone and computer cracker group, the
Masters of Deception, from its beginnings in 1989 through the 1993
trials of some of the leaders. The book is on reserve for the
course. If you read this book, also take a look at some
postscripts about Phiber Optik's
incarceration and release.
- David Freedman and Charles Mann, At Large: The Strange Case of
the World's Biggest Internet Invasion, Simon and Schuster, 1997.
This book, just published over the summer, does a good job describing
what responding to break-ins is like from the point of view of the
system administrator. It is also a fun book to read for MIT people,
because a lot of the action happened at MIT in fall 1992 and involved
several people who are still at MIT. If you read this, take a look at
the Tech
article that appeared during the incident. It's remarkable how
little of the real story (even the MIT part of the story) became
generally known on campus. If you don't read the entire book, you
should at least read the short
article that Freedman and Mann wrote for US News & World
Report. There is a copy of the book on reserve for the course,
and there are also a few copies at the MIT Press bookstore.
- There are also two books on Kevin Mitnick, but you should read both of
them, since neither one gives a complete story. See the discussion below.
Paul Taylor, Them and Us. This chapter, from Taylor's forthcoming book
Hackers, explores the hostility between the computer
underground and the computer security industry. It has provocative
and insightful comments on many of the cases we are studying in this
section of the course, including similarities between computer crime
trials and the Salem witch trials, and comments on the use of violent
physical analogies (e.g., arson and rape) often cited to describe
computer break-ins.
Mike Godwin,
"The Feds and the Net: Closing the Culture Gap". From
Internet World, May, 1994. This is a thought-provoking
report on a talk Godwin gave at the FBI academy, and the audience's
response. It will help to have read Bruce Sterling's discussion of
the Craig Neidorf, Steve Jackson Games, and Legion of Doom
prosecutions, since they formed the background for Godwin's talk.
Edward Cavazos and Gavino Morin, Cyberspace and the Law: Your
Rights and Duties in the On-Line World. This is a solid
introduction to computer law, with good overviews of existing laws on
privacy, contracts, and pornography. Available at the MIT Press
Bookstore and on reserve for the
course.
Michael Riddle,
"The Electronic Communications Privacy Act of 1986: A Layman's View".
This is a good overview of the complex law that governs
privacy of electronic communications.
David J. Loundy,
"E-Law 3.0: Computer Information Systems Law and System Operator
Liability in 1995".
This is an updated version of a long (150-page) article that
originally appeared in the Albany Law Journal of Science and
Technology, Volume 3, Number 1, 1993. It focuses
on networks and
responsibilities of SYSOPS.
Mike Godwin,
"When Copying Isn't Theft", Internet World,
January-February 1994.
This is a comment on some of the issues
involved in the Craig Neidorf case. It forms a good link to our next
topic on intellectual property protection.
US Department of Justice,
Federal Guidelines for Searching and Seizing Computers, July
1994.
These guidelines were developed by the Justice Department's Computer
Crime Division and an informal group of federal agencies known as the
Computer Search and Seizure Working Group. These are rather
detailed, so you should probably just skim them and look at the
analysis of the guidelines prepared by Dave Banisar of the
Electronic Privacy Information Center. On a related note, have a look
at the article
Downloading: Using Computer Software as an Investigative Tool from
the June 1996 issue of the FBI's Law Enforcement
Bulletin.
The EFF Legislation archive contains text and analysis of laws on
computer communications.
Jonathan Rosenoer's Cyberlaw is
an educational service focusing on legal issues concerning computer
technology. Rosenoer, together with Kimberly Smigel, also publishes Cyberlex, a monthly
report on legal developments touching the computer industry.
One important legal issue facing on-line service operators is the
extent to which they are liable for defamatory statements of their
subscribers. Here are some resources for investigating this topic:
1988: Robert Morris Internet Worm
Look here for a brief summary of the 1988 Internet Worm incident. If
you are interested in learning more, you should read the chapter "RTM"
in the book by Hafner and Markoff, which gives an
outstanding presentation.
1988: Chaos Computer Club
This received notoriety with the publication of Cliff Stoll's
best-seller The Cuckoo's Egg: Tracking a spy through the maze of
computer espionage (Doubleday, 1989) which helped to focus public
attention on computer break-ins. Stoll casts himself as Philip
Marlowe in this detective story, to the detriment of any detached
consideration of what these "spy threats" actually amounted to. It's
enlightening to read Stoll's book in conjunction with Hafner and Markoff's chapter on the Chaos
Computer Club, which describes these events from the point of view of
the Germans.
1990: Steve Jackson Games Raid
The 1990 raid on Steve Jackson Games (and Operation Sun Devil) are
described in the
book by Bruce Sterling and in the
paper by John Perry Barlow. With the help of the EFF, Jackson
sued the Secret Service for violation of the Electronic Communications
Privacy Act. The District Court held that the Secret Service violated
the Privacy Protection Act (which protects publishers) and that it had
violated the section of the ECPA that protects access to stored
communications. But the Court did not agree that seizing unread
electronic mail was an "interception" under the provisions of the
ECPA. Jackson appealed this decision, but the decision of the lower
court was affirmed.
1993: Homolka-Teale Media Ban
In 1991 two horrific sex and torture killings were uncovered in a town
near Ontario. Paul Teale (aka Paul Bernardo) and his wife, Karla
Homolka Teale, were arrested. Karla Homolka was tried in 1993, and
she pleaded guilty. Although this was a sensational murder case,
everyone at the trial - including the press - was banned from
publishing any evidence or details on the murders in order to preserve
Paul Teale's right to a fair trial. Details of the case, however,
were widely published in the US, and Canadian officials were led to
confiscate copies of US magazines and newspapers shipped to Canada and
to black out some TV news broadcasts. When further details began to
appear on the Internet, Canadian police and some Canadian universities
began suppressing the Internet newsgroups that carried the banned
material. The ban was lifted in the summer of 1995 when Paul
Bernardo's trial began. Bernardo was convicted of first-degree murder
on September 1, 1995.
Desperately Seeking Karla, by Leslie Shade of McGill University,
is a provocative study of the ban and the associated legal issues of free
speech on the Internet. There is also an
extensive
archive on this case maintained by
Steven Miale at Indiana University,
and the EFF archive contains several
papers related to the case.
1994: David LaMacchia Indictment
In April 1994, MIT junior David LaMacchia was indicted for conspiracy
to commit wire fraud, based on the accusation that he had modified an
Athena workstation to allow people on the network to use it to
download copyrighted software without paying. The case received
national notoriety, the US Attorney in Boston calling it the largest
incident of software piracy ever. In December 1994, the charges
against LaMacchia were dismissed, with the judge ruling that copyright
infringement can not be prosecuted under the wire fraud statute. The
case raises important issues about liability of system operators and
about the scope of computer crime and copyright laws. Look here for articles and source
material.
1994: Amateur Action Pornography Conviction
In summer 1994, Robert and Carleen Thomas were convicted of violating
anti-obscenity laws, on the grounds that their California BBS (Amateur
Action) was used to transmit obscene material to Tennessee. This case
raises important issues about the meaning of community standards with
regard to the net, as discussed in this article by Mike
Godwin. On January 29, 1996, the US Court of Appeals for the Sixth
Circuit upheld the Thomases' conviction.
1995: Jake Baker Arrest
In February, 1995, the University of Michigan suspended sophomore Jake
Baker after he posted to the Internet a fictional story of rape,
torture, and murder, using the name of a classmate as the victim. A
few days later, Baker was arrested by the FBI for interstate
transmission of a threat to kidnap, and held without bond for 29 days
on the grounds that he was too dangerous to release. Charges against
him were dismissed in June.
The MIT Student Association for Freedom of Expression
(look
here for general information about SAFE) maintains
an
archive on the case. Take a look,
in particular, at the extracts in the archive from the campus
newspaper, The Michigan Daily. You should also read the insightful
article
The Jake Baker Scandal: A Perversion of Logic by UMich journalism
student Adam Miller, which was written in April 1995 (before the
charges against Baker were dropped). For an excellent legal analysis,
see the
column
by Mike Godwin from Internet World.
1995: Randal Schwartz Conviction
Randal Schwartz is author of the popular books Programming
Perl and Learning Perl. In 1993, while working as a
system administrator for Intel, he performed some security tests,
running the Crack program to uncover weak passwords. When Intel
management discovered this, they assumed that Schwartz was engaged in
industrial espionage, and brought felony charges against him under
Oregon's computer theft law. Schwartz was convicted in September,
1995 on a reduced charge and sentenced to probation.
1995: Kevin Mitnick Arrest
Kevin Mitnick ("cyberspace's most wanted hacker") was arrested by
the FBI in 1995. Computer security consultant Tsutomu Shimomura
helped the FBI locate Mitnick, and New York Times reporter John
Markoff was closely associated with Shimomura during this "hunt for
Mitnick". The story of the pursuit and arrest can be grist for a
fascinating case study of how the public (and the FBI) view the
"hacker threat" and the extent to which this view can be subject to
manipulation and exaggeration. But you'll have to put the story
together yourself and try to resolve the contradictory views. Here
are some of the pieces:
- The chapter on Mitnick in the book by Hafner
and Markoff (1991) describes Mitnick's early run-ins with the law
and forms a useful background against which to judge the following two
books.
- Tsutomu Shimomura (with John Markoff), Takedown: The pursuit
and capture of Kevin Mitnick, America's most wanted computer outlaw --
by the man who did it (1996). This is the story as told by
Shimomura, and it says a lot more about Shimomura than about Mitnick
or hacking. In fact, it says a whole lot more about Shimomura than
you'd want to know, with long, boring interludes about his personal
life, as he tracks down the person who cracked into his computer.
(Indeed, it's ironic that Shimomura villainizes Mitnick for violating
other people's privacy -- reading their email -- while he himself
broadcasts details of other people's private lives in this
self-aggrandizing book.) The book is on reserve for the course
and you can buy a copy from amazon.com. There is also a website for the book, which
contains some of the evidence Shimomura accumulated while tracking
Mitnick down.
- Jonathan Littman, The Fugitive Game: Online with Kevin
Mitnick. This book, based on conversations between Littman and
Mitnick while the latter was in hiding, contains a lot of Mitnick's
side of the story. It contradicts Shimomura's version on several
points, including raising the possibility that Shimomura ended up
going after the wrong person. It also contains much criticism of
Markoff for his personal involvement in this case while he was
reporting on it for the Times, with the suggestion that he
manufactured a lot of the hype surrounding
Mitnick, from which he benefitted through a lucrative book contract
with Shimomura. The book is on reserve for the course
and you can buy a copy from amazon.com.
You should also look at Littman's update report
on Mitnick's harsh treatment in prison.
- For a comparison of the two books that is highly critical of Markoff
and Shimomura, see George Smith's January 1996 review from Crypt
Newsletter, Sex,
Lies, and Computer Tape. For a more neutral comparison (and an
interview with Markoff) see Scott Rosenberg's piece
Mitnick's Malice, Shimomura's Chivalry from the December 30, 1995
issue of Salon.
- To help judge things for yourself, you can read
Markoff's stories about Mitnick in the Times during this
period. To find these, go to the New York
Times web site, select the "search" option, and search for
articles about Mitnick. The Times site will ask you to
register as a new user if you have not previously done so. If you
wish, you can get in with the username "cypherpunk" and the password
"cypherpunk".
- For pieces sympathetic to Mitnick, see the Cracking for Kevin (legal defense
fund) site and the links you can follow from there.
You can find archives on other computer crime cases in
The EFF Legal Cases Archive.
Dorothy Denning,
"Concerning Hackers Who Break into Computer Systems". This paper
was presented at the 13th National Computer Security Conference, in
1990. Dorothy Denning is Chair of the Computer Science Department at
Georgetown University, and an expert in cryptography and information
security. The paper was one of the first serious looks at computer
hackers by a real computing professional, and argued that "hackers are
learners and explorers who want to help rather than cause damage, and
who often have very high standards of behavior." Incidentally,
Denning is now demonized by much of the same hacker community that six
years ago adored her, because she was one of the few prominent
academic cryptographers to publicly support the Clipper chip and the
Digital Telephony Bill.
Secrets of a Super Hacker, by The Knightmare. Loompanics
Unlimited, 1994. This is a "how to" manual on breaking into computer
systems. It's not directly relevant to the course, but you might be
interested in the cracker's perspective on how break-ins are pulled
off. You'll see that it's more a matter of dumpster diving than
technical insight.
Here is a brief review of the book.
(On reserve for the course.)
For source material on hacking and a look at hacking culture, it's
good to check out Phrack Magazine.
You can find a complete archive of back issues
at the Official Phrack Magazine Web Page.
There is an
on-line index
to issues 1 through 32 that automatically links into
the archive.
Some particularly notable issues are:
-
Phrack, Issue 1, November 17, 1985. Here's how it got
started. It includes some interesting information, such as an 800
number for "MIT Research" (no longer valid, if it ever was).
-
Phrack, Issue 24, February 25, 1989. This is the issue that
reprinted the infamous E911 document that was the basis of the Craig
Neidorf prosecution.
-
Phrack, Issue 31, May 28, 1990. A pivotal issue. It includes an
interview with Markus Hess (see Hafner and Markoff's
Cyberpunk and Stoll's Cuckoo's Egg). It also has
the first reactions to the announcement of Operation Sun Devil.
-
Phrack, Issue 45, March 30, 1994. This issue
created a bit of a stir by reprinting (what is claimed to
be) the
National Security Agency's Handbook for new employees. Here's a
news article that describes the incident.
The Phrack Website also maintains an
archive of computer underground files and newsletters.
In particular, you might want to take a look at the Legion of
Doom! Technical Journal (cited in the book by
Slatalla and Quittner). You'll find that there's less there than
meets the eye, but they do provide some insight. Here is Issue number 1. You can
find the other issues here, but you'll
have to download them by hand and unzip them.
Emmanuel Goldstein,
Sen. [sic] Markey's Tirade Against Hackers. In June
1993, Emmanuel Goldstein, editor of the hacker quarterly magazine
2600, appeared before the
House subcommittee on Telecommunications and Finance. The hearings
included, in Goldstein's words, "a tirade against the evils of
computer hackers" in which Representatives Markey (D-MA) and Fields
(Rep-TX) "generally demonstrated their ignorance on the subject and
their unwillingness to listen to anything that didn't match their
predetermined conclusions." The hearings show a stark contrast
between the hacker perspective and the view of people making
telecommunications policy.
See also Goldstein's
"No Time For Goodbyes - Phiber Optik's Journey to Prison"
Computer Underground Digest, Jan 11, 1994. On January 7,
1994, Mark Abene (aka Phiber Optik -- see the book by
Slatalla and Quittner) began serving a 10-month sentence at
the Schuylkill federal prison in Pennsylvania. His friends gave him
a ride there from New York. Along with this article, take a look at the
stories about Abene's release in 1995 and
an ironic incident from summer 1997.
For fun, check out the parody website of
DigiCrime, Inc. (a full service criminal computer hacking
organization).
The growth of the World Wide Web has provided opportunities for
enterprising mischief makers to tamper with the web sites of
high-profile organizations (notably government agencies). Some
examples:
- August 17, 1996: The US Justice Department's web page was replaced
with another page titled "US (Japan's) Department of
Injustice Home Page," which included a protest against the
Communications Decency Act.
(See story
from C|Net.)
- September 19, 1996: The CIA's home page was transformed into a page
for the "Central Stupidity Agency."
(See the CNN story and update on the incident.)
- December 9, 1996: The Singapore government's main Web site was
replaced with a list of the user identities of officials from various
government bodies.
- December 10, 1996: The web pages of the UK Labor Party were
replaced.
- December 29, 1996: Someone changed the US Air Force's Web site
and replaced a page of aviation statistics with a pornographic picture.
(See story from CNN.)
None of these pranks caused any serious damage other than annoyance
and embarrassment to the agencies involved. But they did focus
attention on the insecurity of the underlying Internet structure, and
on the risks of setting up commercial applications on the Web.
Dan Farmer, Shall We Dust Moscow?
(Security Survey of Key Internet Hosts & Various Semi-Relevant
Reflections), 1996. Security expert Dan Farmer did a survey of over
2000 web sites of government agencies and commercial institutions in
December 1996. He found that over two-thirds of them were vulnerable
to simple cracking techniques, mostly as a result of oversights in
configuring the web sites. This is a report of the experiment,
together with Dan's comments on the dismal state of Internet security.
Computer Viruses
One way to cause damage to computers is by distributing viruses. Here
are some references:
- The Little Black Book of Computer Viruses, by Mark
Ludwig. American Eagle Publications, 1991. You can take a look at
this to see how some PC viruses work. It's very boring and has mostly
to do with arcane details of the DOS operating system. It's also out
of date, since the focus is on viruses spread by disks rather than via
the network. (On reserve for the course.)
- For a more contemporary view of viruses, see the collection of
white papers by Cybersoft,
Inc. One particular paper to start with is
Computer Viruses In Unix Networks by Peter V. Radatti, 1996.
- Before 1995, it was commonly believed that viruses could be
contracted via the network only by explicitly loading and running
program code, not other documents.
The emergence of word processors such as Microsoft Word
6, where documents can include macros, engendered a new class of
viruses that could be spread as ordinary documents or email. See
MS Word 6.x Macro Viruses Frequently Asked Questions
by Richard John Martin, 1996.
- Moving beyond macro viruses, the ability to spread trouble via
the network has been greatly enhanced over the past year by the
growing popularity of Java. We're just starting to see the beginning
of the damage that can be done. For a taste, see Mark LaDue's Collection
of Increasingly Hostile Applets.
Home page for the FBI National
Computer Crime Squad.
The computer break-ins described in the references above are mostly in
the nature of pranks and minor crime. But as more facilities connect
to the Internet, the potential for significant vandalism and sabotage
grows, and the possibility arises for serious "information warfare"
that exploits the vulnerability of a nation's information
infrastructure.
Douglas Waller Washington,
Onward Cyber Soldiers, Time Magazine cover story of
August 21, 1995, on information warfare. See also
If War Comes Home by Mark Thompson, from the same issue of Time.
On June 25, 1996, CIA Director John Deutch testified before the Senate
Governmental Affairs Committee about the threat
of information warfare. Here is the
report
on his testimony from CNN.
Report of the Defense Science Board Task Force on Information Warfare - Defense,
November 1996. The Defense Science Board (a government
advisory group) commissioned a task force to make recommendations on
how to defend against information warfare. This is a long report, so
before diving in, you should look at the story on the
report's release in Federal Computer Week.
F. Lynn McNulty, Statement on Internet Security,
Before the U.S. House of Representatives Subcommittee on Science,
Committee on Science, Space, and Technology, March 22, 1994. McNulty
is Associate Director for Computer Security at the National Institute
of Standards and Technology. This is a summary of NIST's
concerns about Internet security and ideas for addressing them.
Daniel Brandt, Infowar
and Disinformation: From the Pentagon to the Net. (From NameBase
NewsLine, No. 11, October-December 1995.) Brandt warns that the
emphasis on infowar may be a fad that is being promoted in order to
increase government control of information flow on the Internet.
On September 5, 1997, the Presidential Commission on Critical
Infrastructure Protection released its preliminary report. Here is a
brief
announcement. The final report is due out in mid October.
Update: The final report, Critical Foundations:
Protecting America's Infrastructures, was published at the end of
October and is available on line. There is also an on-line summary of the report.
For extensive material on information warfare, check out Winn Schwartau's www.infowar.com.
Miscellaneous items collected from the net over the past couple of
years. May contain useful ideas for paper topics.
Hal Abelson (hal@mit.edu)
Mike Fischer (mfischer@mit.edu)
Joanne Costello (joanne@mit.edu)
Last modified: September 6 1999, 8:18 PM