PART 1

Some administrative details were taken care of (scribes, oral reports). Hal Abelson passed around a subpoena as an example of how the government could command someone (in this case, Jim Bruce, Vice President of IS) to furnish information. (The subpoena commands you to appear before a court or grand jury, but states that you can furnish information in lieu of a court appearance.) Hal also passed around a copy of a Technology Review article about computer crime.

Hal said that the class discussion was going well, except that we didn't need to write so much. He was particularly interested in the use of metaphors (such as putting pictures up on a dorm room door as a metaphor for putting information on a web home page) to try to form justifications for policies. He also liked the comment, "What happened to ethics?" He promised to try to get the date ordering bug in the mailing list software fixed [and indeed, it seems to be fixed by now]. He wants people to post another two messages this week, continuing the current discussion.

Some news this week:

* There was a report of computer fraud against Citibank from Russia.
* There were news reports on MIT's ratings system plan (PICS). This is relevant to how the conference committee will work out the differences between the House and Senate versions of the telecommunications overhaul bill; the House version prevents the FCC from censoring telecommunications and looks to industry self-regulation, while the Senate version contains the Exon amendment, which is very strict regarding material deemed unsuitable for children.
* People had an article on the Homolka case in Canada, but it didn't mention the Internet.
* The Globe had an article on a BSA (Business Software Alliance) software piracy raid.
* There was an FBI sting on credit card fraud using a BBS set up by the FBI to attract defrauders.
* Reuters had a news article on the AOHell program, which allows people to circumvent AOL security and do nasty things.
* NIST is developing standards for escrowed cryptography.

We had an oral report by John Allen on the Chaos Computer Club crime case. The hackers involved in the case were:

- Pengo, "the best hacker in the world"
- Hagbard, an Illuminati-fixated drug addict who believed he was trying to subvert a world conspiracy
- Dob, a technical and programming expert, also involved with drugs
- Carl, a "techno-groupie" who wasn't particularly skilled but idolized Dob
- Hess, an otherwise clean-cut and well-to-do person who was apparently looking for rebellion

The Chaos Computer Club was founded by Wau Holland in 1984 as a public group for computer-oriented people to have fun. Wau believed in the "hacker's ethic," which asserts that information "wants to be free" and that computer access should be free, but that people also have privacy rights. One of the hacks performed by the Chaos club was the BTX hack, where a bank subscribing to an online service was hacked to log $81,000 of calls to the Chaos service; the bill was never collected, of course. In another hack, they broke into an insecure NASA VMS system with a Trojan horse to collect passwords, and told journalists about it in order to expose the bad security on an important network. Carl worked with a KGB contact in "Project Equalizer," which was supposed to equalize computer technology between the US and Russia. No valuable technology was stolen (mostly public domain software or cheap software like Minix, an educational Unix-like operating system, was given to the KGB), but the members of the Chaos club were prosecuted for espionage in Germany (there were no more-applicable laws) and mostly given probation.
Issues raised by this case include privacy versus freedom of information (what kinds of information should be kept private, and what should be made free?), security versus openness and freedom of information (should big computer networks be made secure, or should they be left open?), and the failure of laws to address computer crimes. John referred to the argument made by some that hackers are beneficial to society because they bring people's attention to security holes; John found this argument to be weak, sort of like breaking a lock on your home to bring your attention to your having a bad lock. At this point, a debate cropped up about the appropriate analogy to be made; someone asked if it would be a crime to search John's bag while he was giving a presentation, and John suggested a car or a refrigerator box sitting on the street. Hal Abelson suggested that metaphors aren't necessarily important here, and asked what the CFAA actually says; I pointed out that state laws often cover areas not covered by the CFAA. Someone (Hal, I think) referred to a Phrack conference with Hess which didn't go well because Hess only spoke German and no one else did.

There was also a presentation on Operation Sun Devil (I didn't catch the speaker's name). The speaker passed around the copy of the 911 document which was published in Phrack. Operation Sun Devil was a two-year operation against computer fraud (credit cards, phones) in order to send a message that the government can take action against such activities. The Secret Service worked with security people in the phone and credit industries, and used questionable tactics including several civil rights violations which led to the formation of the EFF (raids, twelve-year-old girls being held at gunpoint, equipment seized without charges ever being filed, etc.). Acid Phreak and Scorpion were convicted and sentenced to six months in prison and six months home detention. Phiber Optik was sentenced to a year and a day in prison.
The raids were conducted over a short period of time, were efficient, and were usually targeted at the suspects' equipment. In December of 1988 "The Prophet" stole a phone company document (E911) and posted it to bulletin boards. The Secret Service systematically shut down every BBS the document had come in touch with. In order to justify the actions it took, the Secret Service valued the E911 document (which can be purchased for something like $20) at $79,000 by factoring in the cost of the computer it was written on (the speaker compared this to factoring the cost of a photocopy machine into the value of a photocopy). Steve Jackson Games had their machines seized, as well as all copies of the GURPS Cyberpunk game (which the Secret Service called a manual for hacking). The company nearly collapsed, and had to lay off half of its employees. SJG eventually won damages against the Secret Service, but hasn't collected yet. In this case, the issue is that the government must do something, but here they exceeded the law. Another issue is the legitimacy of the practice of seizing computer equipment as "evidence" for cases that never go to court. The third speaker was not here, so the third case will be covered next week.

Our first guest was Special Agent Levord Burns from the FBI computer crime squad. Burns started off by saying that federal investigators are much more professional now, and the civil rights violations of Operation Sun Devil are a thing of the past. The Secret Service shares concurrent jurisdiction on computer crimes with the FBI, with the SS doing mostly cellular and credit card fraud. Burns is a former sysadmin who has been with the FBI for 28 years. In 1991, in response to suspicious AT&T phone switch crashes on the west and east coasts, the FBI identified agents with computer skills and formed a single clearinghouse for computer investigations. Computer crime is classified as white-collar and non-violent.
According to CERT (the Computer Emergency Response Team), computer break-ins increased from 773 to 2300 between 1992 and 1994. An estimated 5% of sysadmins realize that their systems have been compromised. The lifetime of software is 12-18 months, hardware 36-48 months. Criminals are using state-of-the-art software and hardware, while law enforcement is about five years behind. Employees have access to corporate assets not available to upper management. Employees are usually not prosecuted for computer crimes; they are instead fired and shuttled off to competitors to avoid publicity. Criminals could disrupt national security by damaging the phone network, power grid, dams, etc. Law enforcement and national security have become more indistinguishable, and organized crime is an international security challenge. Extremists use the net to communicate, and anonymity may encourage "armchair activism". Laws have not kept up with new criminals.

Burns brought up a scenario of a site having downstream liability for lack of security (e.g. NASA). Jeff Schiller clarified the scenario, saying that once you know about a break-in, you must inform downstream sites of possible risks. Connectivity has gone from modems to ISDN and the Internet. Risks include employees who got wind of impending termination, as well as conducting business over a network or outsourced maintenance.

Current trends which create law enforcement problems:

- Magnitude of computer production
- Increased computer sophistication
- Increased linkage through LANs, WANs
- Exponentially increasing number of users authorized to use computers
- Disparity of knowledge among users
- [Some not recorded]
- Seeing more denial of service attacks, which are the main damage in intrusions. Denial of service is often accidental. (Burns brought up a theoretical scenario of a hacker accidentally taking down a Mass General Hospital database and causing the deaths of several patients.)
Someone suggested that sites should be liable for their own bad security. Yoav suggested that an OS is not an open door but a crappy lock, and Jeff Schiller commented that security holes in login programs are usually the fault of OS vendors, but OS vendors don't get sued. Jeff Schiller commented that the FBI will ask you to allow break-ins to continue so they can catch people, but will not indemnify you for civil damages. "Things get dicey."

Hops are usually intended to make it hard to trace back. A security system is only as strong as its weakest link. Universities are good entry points due to researchers administering machines, lots of independent machines, and lack of accounting of resources. When intruders can compromise accounts (so the authorization of an account isn't a good indication of who is at fault), it becomes difficult to catch them. People are usually caught when they make mistakes; sometimes people do get away. Criminal hackers are usually introverts who get power through hacking which they couldn't get otherwise.

Burns enumerated the threats as follows:

- Intruders/pure hackers
- Insiders (embezzlers, etc.)
- Pure criminals
- Industrial spies
- Foreign intelligence operations