6.805/STS085: Readings on Computer Crime

May 9th and 10th brought on two days that should be marked in every hacker's history book. The reason we assume these days will be important to many, is that maybe it's time we opened our eyes and saw the witch hunt currently in progress... It is my understanding that Gail Thackeray and the Secret Service are not, taking this lightly. She told Phrack inc. that they are not distinguishing pirates, hackers, or phreakers. Basically, it's any kid with a modem that calls a BBS with an alias. Yes, we are the witches, and we are being hunted.
-- Phreak_Accident (from Phrack Magazine, May 1990)

In the old days [in drug busts], we'd get a search warrant, kick in the door, and if we did our job right, there would be white powder and currency and a little black book. And you opened up that little black book and you find names, dates and amounts. Well, now you kick in the door and you find the powder and the currency and a stand-alone PC.
-- Scott Charney (Chief of the Dept. of Justice Computer Crimes Unit, March 1995)

[In the early days] people were friendly, computer users were very social. Information was handed down freely, there was a true feeling of brotherhood in the underground. As the years went on people became more and more anti-social.

As it became more and more difficult to blue-box, the social feeling of the underground began to vanish. People began to hoard information and turn people in for revenge. The underground today is not fun. It is very power hungry, almost feral in its actions. People are grouped off: you like me or you like him, you cannot like both ... The subculture I grew up with , learned in, and contributed to, has decayed into something gross and twisted that I shamefully admit connection with. Everything changes and everything dies, and I am certain that within ten years there will be no such thing as a computer underground. I'm glad I saw it in its prime.
-- Chris Goggans (aka Phrack Magazine's "Erik Bloodaxe", quoted in Paul Taylor's book Hackers, 1996)

Required Readings

For a quick orientation to computer crime laws, read the overview from the book by Cavazos and Morin (to be distributed in class).

Read the Computer Fraud and Abuse Statute (US Criminal Code Title 18 Section 1030). Look both at the pre-1986 version and also at the current version that resulted from passage of the National Information Infrastructure Protection Act of 1996, based on a bill introduced in 1995 by Senators Leahy, Kyl, and Grassley. There are also statements by Kyl and Leahy accompanying their introduction of the bill, as well as an analysis by the senators of their changes to 18 USC 1030.

John Perry Barlow, "Crime and Puzzlement". John Perry Barlow, who spends half his time in New York and half his time in Wyoming, is a founder of the Electronic Frontier Foundation, retired cattle rancher, erstwhile lyricist for the Grateful Dead, and an outstanding polemicist. "Crime and Puzzlement" is the pamphlet that got the Electronic Frontier Foundation off the ground.

Mike Godwin, Cops on the I-Way From the Spring 95 Special Issue of Time Magazine. Godwin is "on-line counsel" for the EFF. He will be a guest in the class later during the semester. In this article, describes the need to balance law enforcement with constitutional rights on the Internet.

Mark Rasch, Computer security: Legal Lessons in the Computer Age From the April 1996 issue of Security Management. Rasch, who is one of our guests tis semester, is the director of information security law and policy at the Center for Information Protection at SAIC, a major security consulting firm. He headed the Department of Justice's computer crime efforts until 1991, and he prosecuted the Robert Morris "internet worm" case. This article is an excellent overview of the computer crime issues that we will be discussing in the course.

Recommended Readings

Read at least one of the following books, all popularizations of computer break-ins involving the Internet. You should be able to find copies of these at the Coop or at Quantum books, and I've put copies of some on reserve for the course. If you want your own copy and trouble finding one, any of these books can be ordered via the Web from amazon.com.

Paul Taylor Them and Us. This chapter, from Taylor's forthcoming book Hackers, explores the hostility between the computer underground and the computer security industry. It has provocative and insightful comments on many of the cases we are studying in this section of the course, including similarities between computer crime trials and the Salem witch trials, and comments on the use of violent physical analogies (e.g., arson and rape) often cited to describe computer break-ins.

Other Material on Computer Crime

Issues in Computer Law

Mike Godwin, "The Feds and the Net: Closing the Culture Gap". From Internet World, May, 1994. This is a thought-provoking report on a talk Godwin gave at the FBI academy, and the audience's response. It will help to have read Bruce Sterling's discussion of the Craig Neidorf, Steve Jackson Games, and Legion of Doom prosecutions, since they formed the background for Godwin's talk.

Edward Cavazos and Gavino Morin, Cyberspace and the Law: Your Rights and Duties in the On-Line World. This is a solid introduction to computer law, with good overviews of existing laws on privacy, contracts, and pornography. Available at the MIT Press Bookstore and on reserve for the course.

Michael Riddle, "The Electronic Communications Privacy Act of 1986: A Layman's View". This is a good overview of the complex law that governs privacy of electronic communications.

David J. Loundy "E-Law 3.0: Computer Information Systems Law and System Operator Liability in 1995". This is an updated version of a long (150-page) article that originally appeared in the Albany Law Journal of Science and Technology, Volume 3, Number 1, 1993. It focuses on networks and responsibilities of SYSOPS.

Mike Godwin, "When Copying Isn't Theft", Internet World, January-February 1994. This is a comment on some of the issues involved in the Craig Neidorf case. It forms a good link to our next topic on intellectual property protection.

US Department of Justice, Federal Guidelines for Searching and Seizing Computers, July 1994. These guidelines were developed by the Justice Department's Computer Crime Division and an informal group of federal agencies known as the Computer Search and Seizure Working Group. These are are rather detailed, so you should probably just skim them and look at the analysis of the guidelines prepared by Dave Banisar of the Electronic Privacy Information Center. On a related note, have a look at the article Downloading: Using Computer Software as an Investigative Tool from the June 1996 issue of the FBI's Law Enforcement Bulletin.

The EFF Legislation archive contains text and analysis of laws on computer communications.

Jonathan Rosenoer's Cyberlaw is an educational service focusing on legal issues concerning computer technology. Rosenoer, together with Kimberly Smigel also publishes Cyberlex, a monthly report on legal developments touching the computer industry.

One important legal issue facing on-line service operators is the extent to which they are liable for defamatory statements of their subscribers. Here are some resources for investigating this topic:

Noteworthy Cases

1988: Robert Morris Internet Worm

Look here for a brief summary of 1988 Internet Worm incident. If you are interested in learning more, you should read the chapter "RTM" in the book by Hafner and Markoff, which gives an outstanding presentation.

1988: Chaos Computer Club

This received notoriety with the publication of Cliff Stoll's best-seller The Cuckoo's Egg: Tracking a spy through the maze of computer espionage (Doubleday, 1989) which helped to focus public attention on computer break-ins. Stoll casts himself as Philip Marlowe in this detective story, to the detriment of any detached consideration of what these "spy threats" actually amounted to. It's enlightening to read Stoll's book in conjunction with Hafner and Markoff's chapter on the Chaos Computer Club, which describes these events from the point of view of the Germans.

1990: Steve Jackson Games Raid

The 1990 raid on Steve Jackson Games (and Operation Sun Devil) are described in the book by Bruce Sterling and in the paper by John Perry Barlow. With the help of the EFF, Jackson sued the Secret Service for violation of the Electronic Communications Privacy Act. The District Court held that the Secret Service violated the Privacy Protection Act (which protects publishers) and that it had violated the section of the EPCA that protects access to stored communications. But the Court did not agree that seizing unread electronic mail was an "interception" under the provisions of the EPCA. Jackson appealed this decision, but the decision of the lower court was affirmed.

1993: Homolka-Teale Media Ban

In 1991 two horrific sex and torture killings were uncovered in a town near Ontario. Paul Teale (aka Paul Bernardo) and his wife, Karla Homolka Teale, were arrested. Karla Homolka was tried in 1993, and she pleaded guilty. Although this was a sensational murder case, everyone at the trial - including the press - was banned from publishing any evidence or details on the murders in order to preserve Paul Teale's right to a fair trial. Details of the case, however, were widely published in the US, and Canadian officials were led to confiscate copies of US magazines and newspapers shipped to Canada and to black out some TV news broadcasts. When further details began to appear on the Internet, Canadian police and some Canadian universities began suppressing the Internet newsgroups that carried the banned material. The ban was lifted in the summer of 1995 when Paul Bernardo's trial began. Bernardo was convicted of first-degree murder on September 1, 1995.

Desperately Seeking Karla, by Leslie Shade of McGill University, is a provocative study of the ban and the associated legal issues of free speech on the Internet. There is also an extensive archive on this case maintained by Steven Miale at Indiana University, and the EFF archive contains several papers related to the case.

1994: David LaMacchia Indictment

In April 1994, MIT junior David LaMacchia was indicted for conspiracy to commit wire fraud, based on the accusation that he had modified an Athena workstation to allow people on the network to use it to download copyrighted software without paying. The case received national notoriety, the US Attorney in Boston calling it the largest incident of software piracy ever. In December 1994, the charges against LaMacchia were dismissed, with the judge ruling that copyright infringement can not be prosecuted under the wire fraud statute. The case raises important issues about liability of system operators and about the scope of computer crime and copyright laws. Look here for articles and source material.

1994: Amateur Action Pornography Conviction

In summer 1994, Robert and Carleen Thomas were convicted of violating anti-obscenity laws, on the grounds that their California BBS (Amateur Action) was used to transmit obscene material to Tennessee. This case raises important issues about the meaning of community standards with regard to the net, as discussed in this article by Mike Godwin. On January 29, 1996, US Court of Appeals for the Sixth Circuit upheld the Thomas's conviction.

1995: Jake Baker Arrest

In February, 1995, the University of Michigan suspended sophomore Jake Baker after he posted to the Internet a fictional story of rape, torture, and murder, using the name of a classmate as the victim. A few days later, Baker was arrested by the FBI for interstate transmission of a threat to kidnap, and held without bond for 29 days on the grounds that he was too dangerous to release. Charges against him were dismissed in June.

The MIT Student Association for Freedom of Expression (look here for general information about SAFE) maintains an archive on the case. Take a look, in particular, at the extracts in the archive from the campus newspaper, The Michigan Daily. You should also read the insightful article The Jake Baker Scandal: A Perversion of Logic by UMich journalism student Adam Miller, which was written in April 1995 (before the charges against Baker were dropped). For an excellent legal analysis, see the column by Mike Godwin from Internet World.

1995: Randal Schwartz Conviction

Randal Schwartz is author of the popular books Programming Perl and Learning Perl. In 1993, while working as a system administrator for Intel, he performed some security tests, running the Crack program to uncover weak passwords. When Intel management discovered this, they assumed that Schwartz was engaged in industrial espionage, and brought felony charges against him under Oregon's computer theft law. Schwartz was convicted in September, 1995 on a reduced charge and sentenced to probation.

1995: Kevin Mitnick Arrest

Kevin Mitnick ("cyberspace's most wanted hacker") was arrested by the FBI in 1995. Computer security consultant Tsutomu Shimomura helped the FBI locate Mitnick, and New York Times reporter John Markoff was closely associated with Shimomura during this "hunt for Mitnick". The story of the pursuit and arrest can be grist for a fascinating case study of how the public (and the FBI) view the "hacker threat" and the extent to which this view can be subject to manipulation and exaggeration. But you'll have to put the story together yourself and try to resolve the contradictory views. Here are some of the pieces:

You can find archives on other computer crime cases in the The EFF Legal Cases Archive.

Hacker Culture

Dorothy Denning, "Concerning Hackers Who Break into Computer Systems". This paper was presented at the 13th National Computer Security Conference, in 1990. Dorothy Denning is Chair of the Computer Science Department at Georgetown University, and an expert in cryptography and information security. The paper was one of the first serious looks at computer hackers by a real computing professional, and argued that "hackers are learners and explorers who want to help rather than cause damage, and who often have very high standards of behavior." Incidentally, Denning is now demonized by much of the same hacker community that six years ago adored her, because she was one of the few prominent academic cryptographers to publicly support the Clipper chip and the Digital Telephony Bill.

Secrets of a Super Hacker, by The Knightmare. Loopmanics Unlimited, 1994. This is a "how to" manual on breaking into computer systems. It's not directly relevant to the course, but you might be interested in the cracker's perspective on how break-ins are pulled off. You'll see that it's more a matter of dumpster diving than technical insight. Here is a brief review of the book. ( On reserve for the course.)

For source material on hacking and a look at hacking culture, it's good to check out Phrack Magazine. You can find a complete archive of back issues at the Official Phrack Magazine Web Page.

There is an on-line index to issues 1 through 32 that automatically links into the archive. Some particularly notable issues are:

The Phrack Website also maintains an archive of computer underground files and newsletters.

In particular, you might want to take a look at the Legion of Doom! Technical Journal (cited in the book by Slatalla and Quittner). You'll find that there's less there than meets the eye, but they do provide some insight. Here is Issue number 1. You can find the other issues here, but you'll have to download them by hand and unzip them.

Emmanuel Goldstein, Sen. [sic] Markey's Tirade Against Hackers. In June 1993, Emmanuel Goldstein, editor of the hacker quarterly magazine 2600, appeared before the House subcommittee on Telecommunications and Finance. The hearings included, in Goldstein's words, "a tirade against the evils of computer hackers" in which Representatives Markey (D-MA) and Fields (Rep-TX) "generally demonstrated their ignorance on the subject and their unwillingness to listen to anything that didn't match their predetermined conclusions." The hearings show a stark contrast between the hacker perspective and the view of people making telecommunications policy.

See also Goldstein's "No Time For Goodbyes - Phiber Optik's Journey to Prison" Computer Underground Digest, Jan 11, 1994. On January 7, 1994, Mark Abene (aka Phiber Optik -- see the book by Slatalla and Quittner) began serving a 10-month sentence at the Schuylkill federal prison in Pennsylvania. His friends gave him a ride there from New York. Along with this article, take a look the stories about Abene's release in 1995 and an ironic incident from summer 1997.

Computer Cracking Techniques

For fun, check out the parody website of DigiCrime, Inc. (a full service criminal computer hacking organization).

The growth of the World Wide Web has provided opportunities for enterprising mischief makers to tamper with the web sites of high-profile organizations (notably government agencies). Some examples: None of these pranks caused any serious damage other than annoyance and embarrassment to the agencies involved. But they did focus attention on the insecurity of the underlying Internet structure, and on the risks of setting up commercial applications on the Web.

Dan Farmer, Shall We Dust Moscow? (Security Survey of Key Internet Hosts & Various Semi-Relevant Reflections), 1996. Security expert Dan Farmer did a survey of over 2000 web sites of government agencies and commercial institutions in December 1996. He found that over two-thirds of them were vulnerable to simple cracking techniques, mostly as a result of oversights in configuring the web sites. This is a report of the experiment, together with Dan's comments on the dismal state of Internet security.

Computer Viruses

One way to cause damage to computers is by distributing viruses. Here are some references:

Home page for the FBI National Computer Crime Squad.

Information Warfare

The computer break-ins described in the references above are mostly in the nature of pranks and minor crime. But as more facilities connect to the Internet, the potential for significant vandalism and sabotage grows, and the possibility arises for serious "information warfare" that exploits the vulnerability of a nation's information infrastructure.

Douglas Waller Washington, Onward Cyber Soldiers, Time Magazine cover story of August 21, 1995, on information warfare. See also If War Comes Home by Mark Thompson, from the same issue of Time.

On June 25, 1996, CIA Director John Deutch testified before the Senate Governmental Affairs Committee about the threat of information warfare. Here is the report on his testimony from CNN.

Report of the Defense Science Board Task Force on Information Warfare - Defense, November 1996. The Defense Science Board (a government advisory group) commissioned a task force to make recommendations on how to defend against information warfare. This is a long report, so before diving in, you should look at the story on the report's release in Federal Computer Week.

F. Lynn McNulty Statement on Internet Security Before the U.S. House of Representatives Subcommittee on Science Committee on Science, Space, and Technology, March 22, 1994. McNulty is Associate Director for Computer Security at the National Institute of Standards and Technology. This is a summary of NIST's concerns about Internet security and ideas for addressing them.

Daniel Brandt, Infowar and Disinformation: From the Pentagon to the Net. (From NameBase NewsLine, No. 11, October-December 1995.) Brandt warns that the emphasis on infowar may be a fad that is being promoted in order to increase government control of information flow on the Internet.

On September 5, 1997, the Presidential Commission on Critical Infrastructure Protection released its preliminary report. Here is a brief announcement. The final report is due out in mid October.

Update: The final report, Critical Foundations: Protecting America's Infrastructures, was published at the end of October and is available on line. There is also an on-line a summary of the report.

For extensive material on information warfare, check out Winn Schwartau's www.infowar.com

Miscellaneous Items

Miscellaneous items collected from the net over the past couple of years. May contain useful ideas for paper topics.

Hal Abelson (hal@mit.edu)
Mike Fischer (mfischer@mit.edu)
Joanne Costello (joanne@mit.edu)

Last modified: September 6 1999, 8:18 PM