**************************************************************************** >C O M P U T E R U N D E R G R O U N D< >D I G E S T< *** Volume 3, Issue #3.24 (July 3, 1991) ** **************************************************************************** MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet) PHILEMEISTER: Bob Krause // VACATIONMEISTER: Bob Kusumoto MEISTERMEISTER: Brendan Kehoe +++++ +++++ +++++ +++++ +++++ CONTENTS THIS ISSUE: File 1: From the Mailbag (Response to "Cyberpunk" definition) File 2: Bill Vajk, Len Rose, Gene Spafford File 3: Comsec Security Press Release File 4: Comments on ComSec Data Security File 5: Police Confiscations and Police Profit File 6: House Crime Bill (1400) and its Threat to Modemers File 7: Law Panel Recommends Computer Search Procedures File 8: The CU in the News (data erasing; cellular fraud) +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ CuD is available via electronic mail at no cost. Hard copies are available through subscription or single issue requests for the costs of reproduction and mailing. USENET readers can currently receive CuD as alt.society.cu-digest. Back issues of Computer Underground Digest on CompuServe can be found in these forums: IBMBBS, DL0 (new uploads) and DL4 (BBS Management) LAWSIG, DL1 (Computer Law) TELECOM, DL0 (New Uploads) and DL12 (Electronic Frontier) Back issues are also available from: GEnie, PC-EXEC BBS (414-789-4210), and at 1:100/345 for those on FIDOnet. Anonymous ftp sites: (1) ftp.cs.widener.edu (192.55.239.132); (2) cudarch@chsun1.uchicago.edu; (3) dagon.acc.stolaf.edu (130.71.192.18). E-mail server: archive-server@chsun1.uchicago.edu. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors, however, do copyright their material, and those authors should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ---------------------------------------------------------------------- Date: July 3, 1991 From: Various Subject: From the Mailbag (Response to "Cyberpunk" definition) ******************************************************************** *** CuD #3.24: File 1 of 8: From the Mailbag *** ******************************************************************** Date: Tue, 2 Jul 91 12:44:22 cdt From: Subject: Brad Hicks and Cyber Definitions I commend Brad Hicks for his generally concise set of definitions of definitions of computer underground types which make it clear that there are many different motivations and categories. However, I would modify his following definition: > CYBERPUNK: (n) A cyberpunk is to hackers/phreaks/crackers/crashers > what a terrorist is to a serial killer; someone who insists that their > crimes are in the public interest and for the common good, a > computerized "freedom fighter" if you will. In the works of Bruce Sterling, William Gibson, and others, cyberpunks are not terrorists in the conventional sense of the term, and the analogy to serial killers strikes me as a bit extreme. Cyberpunks are characterized by their resistance to oppressive authority (which makes them a form of freedom fighter), but the resistance tends to be highly individualistic. I wonder if cyberpunks might be based on the anti-hero model of westerns (Shane) or earlier science fiction in which the marginal but basically decent outsider steps in to use marginal skills to save the town, country, or civilization? I hope Mr. Hicks' comments generate some needed discussion along these lines. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Date: Tue, 2 Jul 91 14:34:38 edt From: wex@PWS.BULL.COM Subject: Cyberpunks (response to Brad Hicks in Cu Digest, #3.23) Hicks' gratuitous slap at cyberpunks tacked on to the end of his definitions of hackers, crackers and phreaks should not be allowed to pass. He refers to cyberpunks as being more extreme forms of the above, with an added dash of morality. I'd love to know where he got this idea. The cyberpunks I know are those who, as the word implies, have taken the punk ethic of disrespect for authority (and often for self, even to the point of nihilism) and applied it to the cyber world. Cyberpunks are those who think that the street has its own uses for technology (they're out there decoding the signals from Mattel Powergloves). They think that corporations are often a bigger threat than governments, though they dis both - sometimes to the point of breaking laws. The only freedom these people are interested in is the freedom to be left alone, both physically and, in the data world, to be left out of the ubiquitous info files being accumulated on us all. This combination often leads to a "fuck you, jack" attitude, not the platitudinous ``freedom fighter'' ethos Hicks talks about. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: Mon, 24 Jun 91 23:58:37 EDT From: Jerry Leichter <@mp.cs.niu.edu:leichter@LRW.COM> Subject: Bill Vajk, Len Rose, Gene Spafford ******************************************************************** *** CuD #3.24: File 2 of 8: Vill Vajk, Len Rose, Gene Spafford *** ******************************************************************** In CuD 3.22, Bill Vajk writes an (overly long, repetitive) note in response to an earlier note of Gene Spafford's. I don't want to go into the details of everything he has to say; I'll make one comment on fact, and another a general observation. On fact: Vajk tries to attack the claim that Rose violated a trade secret or copyright of AT&T's by saying that AT&T claims both trade secret and copyright protection on the Unix source code, and they are incompatible because copyright protection requires deposit of a copy of the code with the Library of Congress, where the copy is available freely to the public. This is dead wrong. First of all, deposit is required within 3 months of PUBLICATION; however, even unpublished material can be protected by copyright, and AT&T can reasonably claim that they never published the source code. Second, there are exceptions to the requirements for deposit which will usually cover software. In any case, as a matter of law, even if the copyright owner disregards the deposit requirement, the copyright remains enforceable (though the owner may be subject to fines or other penalties.) Third, even where deposit is required - as when one wishes to register the copyright, a necessary first step in defending it in court - the Copyright Office has recognized the issue of trade secrecy, and does not require the entire program to be deposited. There are a couple of choices - e.g., you can deposit the entire first and last 10 pages of source code, or the first and last 25 pages with no more than half of the text blacked out, etc. (Note: This is taken from a Notice of Proposed Rulemaking issued in 1986, as quoted in a 1990 book. Apparently it is the policy that is being followed, although it has yet to be made completely official.) Finally, while it is true that copyright infringement as such is not a criminal matter, the copyright law does provide criminal penalties for fraudulent copyright notices and false representation. Also, going beyond copyrights as such, once a property right exists, it can be stolen. Depending on the circumstances, the theft may or may not be a criminal matter. If you leave your car at my service station for some repair work and I start using it and refuse to return it, you can sue me civilly for conversion; I am probably also guilty of auto theft. Civil and criminal law are not necessarily mutually exclusive. On philosophy: Vajk is right in commenting that some of the pain people are feeling is from seeing the law applied to "nice middle class white kids" in a way it is usually applied to poor black ones. The fact of the matter is that, for the most part, the law leaves the nice white middle class alone. Its instincts and modes of operation are developed for a much rougher atmosphere, where a kid being rousted, whether for good reasons or bad, is quite likely to be armed, or at least potentially dangerous. Sure, a cracker - or a whitecolor criminal - is unlikely to attack the police who've arrested him; but policy says that those under arrest will be handcuffed, because it's safer (for the police) that way, and their safety outweighs the arrestee's dignity. Presumption of innocence or no, the gut feeling that police, prosecuters, and probably most defense attornies have is that those arrested are probably guilty, if not of the particular offense charged, then of SOME offense. Guilt and innocence are of much less importance than making sure the legal rules are followed - and those legal rules can and do play rough. Innocent or guilty, you DON'T want to be caught up in the criminal justice system. Vajk is incensed that police officers are "learning on the job" how to deal with computers. In "To Engineer is Human", a wonderful book, Henry Petrofsky points out that engineering never learns much from successes, only from failures. The law acts the same way. It's not only police officers and prosecutors and judges who are "learning on the job"; it's the entire legal system. Much of the law is based on precedent; before a precedent is established, there IS no settled law in a particular area. Even law that is based on statute doesn't come out of nowhere: Laws are usually drafted in response to perceived problems. Only rarely are they anticipatory, and then they often turn out to be wrong. What we are seeing right now is the legal system learning what the right way to deal with "computer crimes" is. It tried ignoring them; that eventually proved unsatisfactory. Now it is reacting, and as is to be expected, it is doing so by pushing as hard as it can. The eventual boundaries of the law will be determined by the sum of the various pushes - by overzealous prosecuters, by defense attornies, by citizens enraged by computer crimes and citizens enraged by government over-reaction. One way or the other, the Steve Jackson case will establish some of the boundaries of search and seizure of computers. Had the Neidorf case gone through a full trial, it might well have established something about First Amendment protections for electronic publication. As it is, it made the prosecuters look stupid and AT&T look like liars. The next time around, a prosecuter will think twice about putting his reputation on the line based on some unverifiable AT&T claims. That, too, is part of the education of the legal system. The courts deliberately avoid deciding issues until they are forced to by actual cases. (There are some minor exceptions to this rule.) In practice, this means that if you want to challenge, say, an abortion law in court, you have to violate it - and be prepared to go to jail (as many challengers did) if your challenge fails. This method has worked reasonably well over hundreds of years, but it has the unfortunate property that while the boundaries of the law are being paved, some people will end up in the wrong place at the wrong time and will end up being squashed by an on-coming steamroller. The steamroller may have to roll back later, but that doesn't do the flattened fellow much good. So ... don't look at the current problems as a sign that the legal system is incapable of dealing with computer and communication technology. That's not at all what is going on. Within a couple of years we'll be on pretty firm ground on these issues. The important things to do now are (a) help provide pressure to push the law in the right directions before it "sets"; (b) help support the relatively few casualties of the process. I applaud EFF's efforts to do (a) (even if I don't always agree with the particular positions they may choose to take). As far as I can see, EFF isn't deliberately doing (b), though that will be a side-effect of some of their other actions; but in general (b) is more effectively done by concerned individuals in any case. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: June 11, 1991 From: COMSEC Press Release Subject: Comsec Security Press Release ******************************************************************** *** CuD #3.24: File 3 of 8: Comsec Security Press Release *** ******************************************************************** COMSEC PRESS RELEASE June 11, 1991 For future release Contact Scott Chasin or Chris Goggins 713-721-6500 Houston, TX, Comsec Data Security announced its entrance into the field of computer security consulting. Comsec, comprised mainly of the now defunct computer group "The Legion of Doom," plans to offer a full-scale security package to private industry. The firm's officers are Scott Chasin, Robert Cupps, Chris Goggins and Ken Shulman. The three key computer specialists Chasin, Goggins and Shulman, all ex-members of LOD, each have over eight years experience dealing with computer security. Cupps, a graduate of Emory School of Business and former securities trader, will operate as the firm's administrative partner and concentrate on the firm's marketing efforts. Since it's formation in the summer of 1984, the Legion of Doom had been the object of much controversy in the media. Often referred to as "the most notorious hacker group in America," LOD underwent four major reorganizations of members. Goggins, one of the original nine founding members of the group said of the final reorganization, "we were looking for individuals who had the skills and desire to move the group specifically to this point. "We feel that we are bringing a fresh approach to security consulting in the corporate marketplace. We were all the cream of the crop of the computer underground and know precisely how systems are compromised and what actions to take to secure them," said Goggins. In fact, the group feels its success rate in the area of system penetration is 80 to 85 percent. Comsec will offer security penetration testing and full auditing services to corporate clients. In addition, the firm aims to endorse a wide range of software and hardware security products. "Our firm has taken a unique approach to its sales strategy and is confident that contracts currently under negotiation will firm up within the next 30 days," said Cupps. Aware of the possible shockwave among the hacking underground over this venture, the firm maintains that they are security consultants and not informants or hacker-trackers. "We are not going to go after people, we are going to ensure that no one, hacker or corporate spy, can compromise the security of our clients computers," said Chasin. Comsec is ready to assume normal operations and is looking to provide the business community with a much needed service. Comsec is located at 60 Braeswood Square, in Houston, Texas, and can be reached at 713-721-6500 or 713-683-5742 (A/ hrs). ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: Tue, 25 Jun 91 14:12:25 EST From: Gene Spafford Subject: Comments on ComSec Data Security ******************************************************************** *** CuD #3.24: File 4 of 8: Comments on ComSec *** ******************************************************************** I have a quick comment on the report of the start-up of Comsec Data Security. I have been quoted as asking people if they would hire a confessed/convicted arsonist to install their fire alarm system when talking about hiring "reformed" system crackers to do computer security. Personally and professionally, I think it is a dangerous decision from a business perspective and from a professional perspective. >From a business perspective, you need to ask yourself the following questions: * If these guys know how to break through certain kinds of security, does that prove they know how to make the security better? Using an analogy to start with, does someone who has experience putting sugar in the gas tank know how to tune the engine? Or, more closely, does someone who has shown expertise at stealing cars with the keys left in the ignition know how to tell you something more valuable than not to leave the keys in the ignition? They can guess at telling you to leave the doors locked and windows rolled up. But can they tell you about car alarms, various forms of insurance, removable stereos, LoJac (sic?) tracers, cost/benefit of using various other models of car, etc? Likewise, with computer security, because some people have had good luck breaking weak passwords and circumventing poorly-placed controls, that does not make them experts in security. What do these guys know about formal risk assessment models, information theoretical background of ComSec evaluation, formal legal requirements for security, business resumption planning, employee training, biometric systems, .....? * How do you know they are reformed? Just because they claim they have reformed and hang a shingle out, does that mean they have *really* reformed? If your business presents a very tempting target, how do you know they aren't casing the system to make a single big haul and then skip town? How do you know they aren't going to traffic info on your system with their friends? One big haul and a quick trip to another country with no extradition, and that's it. The literature is full of instances where people with clean records couldn't resist the temptation to take advantage of their access to the system to make a quick buck. How much more can you trust people who have already shown they aren't particularly interested in niceties of the law and ethics? Ask the folks at SRI if hiring "reformed" crackers/phreakers is ultimately a sound business decision.... * Can you be sure if these guys find some of their former associates playing with your system, they will act in your best interests? This is a standard problem in a new realm -- will these guys really turn in their former buddies if they find that they have penetrated a client's system? * If they miss a problem, or cause a problem, will your business insurance pay off? Will you be immune from prosecution or stock-holder's lawsuits? These guys and others like them have a checkered history. Hiring them to protect your systems against loss could be grounds for negligence suits in the case of loss, or be sufficient to cause non-payment of insurance policies. In the case of various state & federal laws, you might be responsible for not showing a concerted effort to really protect your data. Are these guys bondable? If so, for how much? Can they receive security clearances? The decision is also a bad one professionally. What kind of statement does hiring these guys send to the rest of the world? It says "Gee, build up some experience hacking into other people's (or our ) systems without permission, and we'll give you a job!" That's a bad statement to make. Furthermore, it says to the true professionals in the field, the people who study the material, act professionally and ethically their whole careers, and who make every attempt to be responsible: "We will hire people who behave improperly instead; your training is equivalent (or less than) experience gained from acting unethically." That is a worse statement to make. Most of the professionals in the field could easily break in to business systems because of lax security, but would never dream of doing so. To prefer confessed crackers over honorable professionals is quite an insult. As a professional, I would refuse to do business with firms who hire these guys as security consultants. They show surprisingly poor business sense, and an (indirect) contempt for the people who work hard and *ethically* their whole careers. Note that I'm not stating that these three, in particular, are less than honorable now or will commit any crimes in the future. I'm stating that, in the general case, such "reformed" individuals are a very poor choice for security consulting. Neither am I making the statement (incorrectly attributed to me in CACM a year ago) that people like these three should never be employed in computing-related jobs. I am disturbed, however, that they would be hired *because* of their unethical and illegal behavior-past. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: June 30, 1991 From: Moderators Subject: Police Confiscations and Police Profit ******************************************************************** *** CuD #3.24: File 5 of 8: Police Confiscations and Profit *** ******************************************************************** The policy of indiscriminant confiscation of computer property in search and seizure operations has drawn criticism. The roots of the policy stem from RICO and anti-drug enforcement policies. A recent article in _Law Enforcement News_ suggests that the police may be significant beneficiaries of seized assets when they are "donated" to the seizing agency. This creates the risk of police expansion of the (ab)use of seizure power by providing an incentive to increase the stockpiles of "forfeited" assets. The risky logic might run something like this: "Our agency is need, so if we seize enough assets that we can use, we can meet our needs." Although the seizure of assets in drug raids far exceeds seizures in computer raids, the danger remains the same: There is incentive for police to confiscate as much as they can if they will be the ultimate recipients. Two blurbs from _Law Enforcement News_ (April 30, 1991, p. 1, "Seized-asset funds prove tempting") underscore this point. One article subhead, "Mass. city seeks drug funds to avert layoffs of officers," begins: "The Mayor of a Massachusetts city says revenue shortfalls are forcing him to lay off police officers, and he believes he has a temporary solution to the bind: using forfeited assets and cash from drug busts to forestall layoffs or rehire furloughed officers." According to the article, Somerville Mayoer Michael Capuano introduced a petition to the Massachusetts Legislation in April to allow police agencies to use funds for personnel. Fund are currently restricted to drug enforcement expenditures. A second subhead, "Illinois audit eyes using funds to upgrade police wardrobe," indicates that: "The Illinois State Police spent $408,000 in seized drug assets to buy new uniforms--in an apparent violation of provisions of the state's asset-forfeiture laws--but State Police officials defended the purchase on the grounds that the money was spent before an amendment went into effect last year to require that such funds be spent only for drug enforcement." Liberal interpretation of law, expansion of policies intended for one type of crime (drugs) to other types of crime (e.g., computers), and the possibility that those who do the seizing have the most to gain by incentives that reward more seizures, poses a threat to Constitutional protections against deprivation of property. Given the erosion of First and Fourth Amendment protections in a variety of areas, the broader definitions of "criminal behavior" related to computer behavior, and the sweeping scope of equipment eligible for seizure in computer cases, expanding the profit motive for law enforcement agencies strikes us as a continuation of the danger trend of "Big Brotherism." ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: June 30, 1991 From: Moderators Subject: House Crime Bill (1400) and its Threat to Modemers ******************************************************************** *** CuD #3.24: File 6 of 8: Threat of HR 1400 to Modemers *** ******************************************************************** Why should modemers be concerned about the Bush "war on crime?" Proposed anti-crime legislation could, if passed, increase the risk of intrusion of government into the lives of law-abiding citizens. Among the provisions of HR 1400 (_The Comprehensive Violent Crime Control Act of 1991_) is a change in 18 USSC (sect) 2709 that expands the power of the FBI to intrude into the privacy of citizens. An article in _First Principles_ (June, 1991, p. 6) describes the proposed revision this way: "Sections 743 and 744 {of HR 1400} would grant the FBI authority to obtain subscriber information on persons with nonpublished telephone numbers, as well as credit records, simply by certifying in writing to the telephone company or credit bureau that such information is relevant to an authorized foreign counterintelligence investigation. The proposals would seriously erode current privacy protections by giving the FBI authority to obtain these records without a subpoena or court order and without notice to the individuals that their records have been obtained by the bureau." \/\/\/\/\/\/\/\/\/\/\/\/Current law\/\\/\/\/\/\/\/\/\/\/\/\/\ CHAPTER 121. STORED WIRE AND ELECTRONIC COMMUNICATIONS AND TRANSACTIONAL RECORDS ACCESS s 2709. Counterintelligence access to telephone toll and transactional records (a) Duty to provide. A wire or electronic communication service provider shall comply with a request for subscriber information and toll billing records information, or electronic communication transactional records in its custody or possession made by the Director of the Federal Bureau of Investigation under subsection (b) of this section. (b) Required certification. The Director of the Federal Bureau of Investigation (or an individual within the Federal Bureau of Investigation designated for this purpose by the Director) may request any such information and records if the Director (or the Director's designee) certifies in writing to the wire or electronic communication service provider to which the request is made that (1) the information sought is relevant to an authorized foreign counterintelligence investigation; and (2) there are specific and articulable facts giving reason to believe that the person or entity to whom the information sought pertains is a foreign power or an agent of a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801). (c) Prohibition of certain disclosure. No wire or electronic communication service provider, or officer, employee, or agent thereof, shall disclose to any person that the Federal Bureau of Investigation has sought or obtained access to information or records under this section. (d) Dissemination by bureau. The Federal Bureau of Investigation may disseminate information and records obtained under this section only as provided in guidelines approved by the Attorney General for foreign intelligence collection and foreign counterintelligence investigations conducted by the Federal Bureau of Investigation, and, with respect to dissemination to an agency of the United States, only if such information is clearly relevant to the authorized responsibilities of such agency. (e) Requirement that certain Congressional bodies be informed. On a semiannual basis the Director of the Federal Bureau of Investigation shall fully inform the Permanent Select Committee on Intelligence of the House of Representatives and the Select Committee on Intelligence of the Senate concerning all requests made under subsection (b) of this section. \/\/\/\/\/\/\/\/\/\/\/\proposed law\/\/\/\/\/\/\/\/\/\/\/\/\ SEC. 743. COUNTERINTELLIGENCE ACCESS TO TELEPHONE RECORDS. Section 2709 of title 18 of the United States Code is amended by- (1) striking out subsections (b) and (c); and (2) inserting the following new subsections (b) and (c): "(b) REQUIRED CERTIFICATION.-The Director of the Federal Bureau of Investigation (or an individual within the Federal Bureau of Investigation designated for this purpose by the Director) may: "(1) request any such information and records if the Director (or the Director's designee) certifies in writing to the wire or electronic communication service provider to which the request is made that- "(A) the information sought is relevant to an authorized foreign counterintelligence investigation; and "(B) there are specific and articulable facts giving reason to believe that the person or entity about whom information is sought is a foreign power or an agent of a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801); "(2) request subscriber information regarding a person or entity if the Director (or the Director's designee certifies in writing to the wire or electronic communications service provider to which the request is made that- "(A) the information sought is relevant to an authorized foreign counterintelligence investigation; and "(B) that information available to the FBI indicates there is reason to believe that communication facilities registered in the name of the person or entity have been used, through the services of such provider, in communication with a foreign power or an agent of a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801). "(c) PENALTY FOR DISCLOSURE.-No wire or electronic communication service provider, or officer, employee, or agent thereof, shall disclose to any person that the Federal Bureau of Investigation has sought or obtained access to information under this section. A knowing violation of this section is punishable as a class A misdemeanor.". /\/\/\/\/\//\//\the end/\/\/\/\/\/\/\/\/\/\//\ David Cole (_The Nation_, May 6, 1991, "The Secret Tribunal", p. 581) describes aspects of the Crime Bill as a return to the seventeenth century Star Chamber. We agree with his concern that the expanded interpretation of the word "terrorism" creates new categories of people vulnerable to investigation--not on the basis of what they have done--but rather on the basis of who they may have associated with. Although looking at a different, but related, provision of the Bill, Cole's warning is sound: The current crime Bill contains changes that expand the power of government to curtail fundamental rights. In cloaking the rationale and the language in fears of terrorism, something most rationale people oppose, the Bill, if passed, reduces jeopardizes a broader number of law-abiding citizens to intrusion and potential harm by zealous law enforcement agents, and makes it a crime for other citizens to warn innocent folk of their vulnerability. Secret police tactics are not the way to create a safe society in a Constitutional democracy. Questions about HR1400 can be directed to Ted Vandermede, staff attorney for the House Criminal Justice subcommittee, at (202) 225-0600. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: July 2, 1991 From: Barbara E. McMullen and John F. McMullen (Newsbytes Reprint) Subject: Law Panel Recommends Computer Search Procedures ******************************************************************** *** CuD #3.24: File 7 of 8: Law Panel and Search Procedures *** ******************************************************************** LAW PANEL RECOMMENDS COMPUTER SEARCH PROCEDURES WASHINGTON, D.C., U.S.A., 1991 JULY 2 (NB) -- A panel of lawyers and civil libertarians, meeting at the Computer Professionals for Social Responsibility (CPSR) Washington roundtable, "Civilizing Cyberspace", have proposed procedures for police searches and seizures which they feel will both allow adequate investigations and protect the constitutional rights of the subject of the investigation. The panel, composed of Mike Godwin, staff counsel of Electronic Frontier Foundation; Sharon Beckman attorney with Silverglate & Good; David Sobel of CPSR, Jane Macht, attorney with Catterton, Kemp and Mason; and Anne Branscomb of Harvard University, based its proposals on the assumption that a person, in his use of computer equipment, has protection under both the Fourth Amendment and the free speech and association provisions of the first amendment. The panel first addressed the requirements for a specific warrant authorizing the search and recommended that the following guidelines be observed: 1. The warrant must contain facts establishing probable cause to believe that evidence of a particular crime or crimes will be found in the computers or disks sought to be searched. 2. The warrant must describe with particularity both the data to be seized and the place where it is to be found ("with particularity" is underlined). 3. The search warrant must be executed so as to minimize the intrusion of privacy, speech and association. 4. Officers may search for and seize only the data, software, and equipment specified in the warrant. 5. The search should be conducted on-site. 6. Officers must employ available technology to minimize the intrusive of data searches. The panel then recommended limitations on the ability of officials to actually seize equipment by recommending that "Officers may not seize hardware unless there is probable cause to believe that the computer is used primarily as an instrumentality of a crime or is the fruit of a crime; or the hardware is unique and required to read the data; or examination of hardware is otherwise required." The panel further recommended that, in the event hardware or an original and only copy of data has been seized, an adversary post-seizure hearing be held before a judge within 72 hours of the seizure. Panel member Sharon Beckman commented to Newsbytes on the recommendations, saying "It is important that we move now to the implementation of these guidelines. They may be implemented either by the agencies themselves through self-regulation or through case law or legislation. It would be a good thing for the agencies t o take the initiative." The panels recommendations come at a time in which procedures used in computer investigations have come under criticism from computer and civil liberties groups. The seizure of equipment by the United Secret Service from Steve Jackson Games has become the subject of litigation while the holding of equipment belonging to New York hacker "Phiber Optic" for more than a year before his indictment has prompted calls from law enforcement personnel as well as civil liberties for better procedures and technologies. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Date: July 3, 1991 From: Various Subject: The CU in the News (data erasing; cellular fraud) ******************************************************************** *** CuD #3.24: File 8 of 8: The CU in the News *** ******************************************************************** From: Subject: Ex-employee Attacks Data-base Date: Thu, 27 Jun 91 17:19:23 CDT "Ex-Employee Guilty of Erasing Data" By Joseph Sjostrom CHICAGO TRIBUNE, June 27, 1991, Section 2, p. 2 A computer technician pleaded guilty Wednesday in Du Page County Court to erasing portions of his former employer's database last November in anger over the firing of his girlfriend. Robert J. Stone, 30, of 505 W. Front St., Wheaton, entered the plea on a charge of computer fraud to Associate Judge Ronald Mehling. In exchange for the guilty plea, prosecutors dismissed a burglary charge. Mehling scheduled sentencing for Aug. 8. Defense lawyer Craig Randall said after the hearing that Stone still has a 30-day appeal period during which he can seek to withdraw the guilty plea. "I don't think he erased anything as alleged, and I don't think the {prosecution} would be able to prove that he did," Randall said. Stone was indicted last January for one count of burglary and one count of computer fraud for entering the office of his former employer, RJN Environmental, 202 W. Front St., Wheaton, and deleting eight programs from the company computer. Assistant Du Page County State's Atty. David Bayer, who prosecuted the case along with Assistant State's Atty. Brian Ruxton, said the progams were part of a company project for the state of Florida in which RJN was, in effect, redrawing maps in digital form and storing them in a computer. Bayer said Stone had left the company the previous April and that his girlfriend, who was not identified, worked there too but was fired in November. Bayer said Stone entered the firm's office last Nov. 24, a Saturday when nobody else was there. Employees who came to work on Sunday discovered that data had been erased and a quantity of data storage disks were missing. Bayer said the disks contained several months' worth of work, but were recovered. It took about a week to restore the rest of the missing computer information, Bayer said. Bayer said Wheaton police Detective Kenneth Watt interviewed Stone the following Monday, and said Stone admitted to erasing data and taking the disks. Bayer said Stone told the detective where to find the disks, which he had left under a stairwell at RJN. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Date: Tue, Jul 2, 1991 (22:30) From: Barbara E. McMullen and John F. McMullen (Newsbytes Reprint) Subject: Arrests in "Multi-Million" Cellular Phone Fraud ****ARRESTS IN "MULTI-MILLION" CELLULAR PHONE FRAUD 07/01/91 ALBANY, NEW YORK U.S.A., 1991 JUL 1 (NB) -- The New York State Attorney General's office has announced the arrest and arraignment of four individuals for allegedly illegally utilizing Metro One's cellular service for calls totalling in excess of $1 million per month. According to the charges, the arrested individuals duplicated a Metro One customer's electronic serial number (ESN) -- the serial number that facilitates customer billing -- and installed the chip in a number of cellular phones. Th defendants then allegedly installed the phones in cars which they parked in a location near a Metro One cell site in the Elmhurst section of Queens in New York City. From these cars, the defendants allegedly sold long distance service to individuals, typically charging $10 for a 20 minute call. Metro One told investigators that many of the calls were made to South American locations an that its records indicate that more than $1 million worth of calls were made in this manner in May 1991. The arrests were made by a joint law enforcement force composed of investigators from The New York State Police, New York City Police Special Frauds Squad, United States Service, and New York State Attorney General's office. The arrests were made after undercover officers, posing as customers, made phone calls from the cellular phones to out-of-state locations. The arrests were, according to a release from the Attorney General's office, the culmination of an investigation begun in September 1990 as the result of complaints from Metro One. The defendants, Carlos Portilla, 29, of Woodside, NY; Wilson Villfane, 33, of Jackson Heights, NY; Jaime Renjio-Alvarez, 29, of Jackson Heights, NY and Carlos Cardona, 40, of Jackson Heights, NY, were charged with computer tampering in the first degree and falsifying business records in the first degree, both Class E felonies,- and theft of services, a Class A misdemeanor. Additionally, Portilla and Villfane were charged were possession of burglar tools, also a Class A misdemeanor. At the arraignment, Portilla and Renjio-Alvarez pleaded guilty to computer tampering and the additional charges against those individuals were dropped. New York State Police Senior Investigator Donald Delaney, commenting on the case to Newsbytes, said "This arrest is but the tip of the iceberg. There is an on-going investigation in the area of cellular phone fraud and we are looking for those that are organizing this type of criminal activity." (Barbara E. McMullen & John F. McMullen/Press Contact: Edward Barbini, NYS Department of Law, 518-473-5525/19910701) ******************************************************************** ------------------------------ **END OF CuD #3.24** ********************************************************************