smw@tilt.UUCP (Stewart Wiener) (05/01/84)
As reported in this morning's Washington Post, Gerald Wondra, a 21-year old from the Milwaukee area, was sentenced in U.S. District Court to two years' probation for gaining "unauthorized access to computers at a Los Angeles bank and a New York hospital.... Wondra pleaded guilty to two misdemeanor counts in connection with his part in a scheme by local computer enthusiasts to gain unauthorized access to computers. The loosely knit group of young computer hobbyists or 'hackers' became nationally known as '414s,' the telephone area code for the Milwaukee area. Thoughts: (a) At least the media equated the honorable term "hacker" with "computer hobbyist" instead of criminal. Not a perfect definition, but they seem to have learned a little. (b) Who thinks this guy should have served time in prison? I don't, but then I favor probation for most "white-collar" (or victimless) crimes. (c) Does anyone know just what misdemeanor Wondra was charged with? There are lots of laws on the books that the D.A. might have tried to apply to this case. Which did they settle on? -- Stewart Wiener :-) "Avast, ye scurvy corporate Princeton Univ. EECS :-) swabs! Prepare to be boarded!" princeton!tilt!smw :-) --Oliver Wendell Jones
fish@ihu1g.UUCP (Bob Fishell) (05/02/84)
I think that probation is the worst he should have gotten. I have
some rather anarchistic thoughts about this subject that I'll post here.
1) Computer security may be a matter for the law, but in my opinion,
any organization that is too stupid, lazy, or cheap to implement
effective security measures deserves to get their passwords hacked.
If I had a computer system that had been broken into by a 21-year-old
amateur, I'd prosecute the sheisskopf who set it up for me, not the
guy that broke into the system.
2) The same thing goes for video pirates and other electronic thieves.
I don't think that people who set up electronic networks and
communications systems for profit should turn to the law for
recourse when people start gaining unauthorized access to them.
Rather, a technological solution should be sought. That way,
us engineers stay employed, and the public is spared the expense
of the legislation and prosecution of laws regulating communications
access. I'm not advocating that it should be completely legal for
people to break into communications systems or computers if they
can do it, but to use the law in place of technology is a violation
of the public trust. If HBO and victims of computer breakins want
to bear all the costs of prosecuting the perpetrators, fine. But
if I gotta pay taxes so these people get punished at public expense,
I'm gonna be pretty pee-oh'ed about it!
3) Here in what used to be called the Bell System, we used to have a
problem with "blue boxes" that people used to gain illegal access
to the long distance network. Although AT&T did prosecute people
they caught doing it, a lot of hard work went into developing a
better, tamper-proof system called CCIS. Better to change the
lock than track down the guy who stole the key. Cheaper, too,
in the long run.
--
Bob Fishell
ihnp4!ihu1g!fishrichard@sequent.UUCP (05/02/84)
>>(b) Who thinks this guy should have served time in prison? I don't, but >> then I favor probation for most "white-collar" (or victimless) crimes. >> Stewart Wiener Uh, I hope you're not equating white-collr crime with "victimless" crimes? White-colar is generally supposed to be non-violent, as in EFT-type thefts, con jobs, etc. Victimless are crimes which are illegal solely by societies (sometimes odd) morals. Examples include drug abuse, prostitution and even suicide. (What's teh one crime you can be tried for only if you fail?) While I usually advocate the legalization of victimless crimes, white collar crimes are much more serious. I do believe in separating the convicts within prisons by whether their crimes had a violent aspect, however. If you just made a grammatical mistake, never mind. ___________________________________________________________________________ The preceding should not to be construed as the statement or opinion of the employers or associates of the author. It might not even be the author's. I try to make a point of protecting the innocent, but none of them can be found... ...!sequent!richard
rtf@ihuxw.UUCP (sparrow) (05/02/84)
Bob Fishell states: Computer security may be a matter for the law, but in my opinion, any organization that is too stupid, lazy, or cheap to implement effective security measures deserves to get their passwords hacked. Is this for real???? Using the same logic I could say that anyone who is too stupid, lazy or cheap to implement effective security measures on their [house|car|person] deserves to have same be [destroyed|stolen|mugged|raped] by some ambitious criminal. Maybe I am old fashioned but I think humans have a right to expect that their property and privacy be respected and anyone who violates this is a criminal. And who is to decide what is effective measures?? To a professional jewel thief who can break any alarm system there are no effectives measures. Does this give them the right to try to steal any jewels they please?? I disagree with Bob. I think the hacker getting probation got nothing more than a slap on the wrists. I don't see a big difference between picking a lock and breaking a computer security system. It's called 'breaking and entering' and should be treated as a felony. Just because computers are your profession doesn't give you special privileges over those who are simply users with average intelligence. sparrow
thor@ihuxw.UUCP (Mark Kohls ) (05/02/84)
++++ I think he got off much too easily. As a bare minimum he should have been sentenced to ten years of reading net.religion. Then we'll see how much he likes computers. -------- Mark "my sentence is over in two days" KohLS IHUXW!THOR
fish@ihu1g.UUCP (Bob Fishell) (05/02/84)
(oo)
"oooh, lord, don't let me be misunderstood..."
Equating a computer breakin by an amateur to breaking into a house
by a burglar is a false analogy. Most "password hackers," as it was
put, are interested in mischief and the personal satisfaction of
having beaten somebody's system. It's an elaborate game. Burglars,
on the other hand, are usually interested in more than breaking
into the house and leaving a calling card on the mantle. Rather,
they're interested in taking something that doesn't belong to them.
I stand by my original position; if an enterprise doesn't want to
take the trouble of implementing effective security measures, people
who break into their computers shouldn't be severely punished! It's
kind of like leaving your keys in the car; in most places, if some
kid comes along and takes it for a joy ride, the law will hold
the careless owner partly responsible for the crime. It's another
matter entirely if the same kid breaks into the car and yanks the
ignition lock with a slide hammer. Likewise, if a computer enterprise
has an effective security system, it will take more than a computer
brat with an Apple II and an autodial modem to break into it. Somebody
going to that kind of trouble to get into a computer probably is motivated
by something a little more worldly than electronic mischief.
--
Bob Fishell
ihnp4!ihu1g!fishcsc@watmath.UUCP (Computer Sci Club) (05/03/84)
I agree that intent in commiting a crime should be a factor in sentencing.
If someone breaks into a system simply out of a sense of mischief they should
get a lighter sentence than someone who breaks in for reasons of malice or
greed. Also, I think that the potential damage of the action should be taken
into account.
However, I do not think that the difficulty of the crime should be much of a
factor in sentencing. Should the guy who cracks a badly protected system to
disrupt it a gain revenge on an enemy recieve a lighter sentence
than the college student who cracks a difficult system just to see if it
can be done?
William Hughesignatz@ihuxx.UUCP (Dave Ihnat, Chicago, IL) (05/03/84)
Concerning the response by sparrow to Bob Fishell's note: Bob Fishell states: Computer security may be a matter for the law, but in my opinion, any organization that is too stupid, lazy, or cheap to implement effective security measures deserves to get their passwords hacked. Is this for real???? Using the same logic I could say that anyone who is too stupid, lazy or cheap to implement effective security measures on their [house|car|person] deserves to have same be [destroyed|stolen|mugged|raped] by some ambitious criminal. Ah...well, consider: I leave my car keys in the ignition, the door unlocked, and the window down. Then I come and cry to the police that my car was stolen. Sorry, Charlie...they'll take the report, and try and catch the guy. DON'T EXPECT SYMPATHY...they'll say you deserved it. Not only that, the criminal has some defense on grounds of unreasonable temptation. Stupidity usually deserves some sort of negative reinforcement. That doesn't mean that what you deserve is what is morally right or legal. SO...from a legal point of view, the police and D.A. prosecute. Personally, they probably think you're batty. Maybe I am old fashioned but I think humans have a right to expect that their property and privacy be respected and anyone who violates this is a criminal. Right...those who violate your property and privacy are criminals. I thoroughly agree. But the right to expect the respect of same? No. It would be nice, but live in a big City and see how far you go if you EXPECT it. You may reasonably expect your property, privacy, and self to be resonably PROTECTED before violation, by the police--but they can't be everywhere. You may expect PUNISHMENT for criminals after violation, by the law and the legal system. Does this mean you should take no precautions whatsoever? I think not. You severely weaken your case in the auto theft above if the situation can be proven to be as outlined; why should it be different for computer theft? And who is to decide what is effective measures?? To a professional jewel thief who can break any alarm system there are no effectives measures. Does this give them the right to try to steal any jewels they please?? Be reasonable; we've already provided for this in the law. Those who make the laws decide what's reasonable, based on expert testimony. The courts exist to interpret this on a case-by-case basis, tempered with precedent. No, this doesn't give them the right to try and steal anything; but it doesn't absolve the victim of the responsibility of proper preparation and precaution. I disagree with Bob. I think the hacker getting probation got nothing more than a slap on the wrists. I don't see a big difference between picking a lock and breaking a computer security system. It's called 'breaking and entering' and should be treated as a felony. Just because computers are your profession doesn't give you special privileges over those who are simply users with average intelligence. sparrow The point I'm trying to make--the only reason I'm getting involved in this at all--is that the hacker wasn't the only one who should have been punished. Ever hear of attractive nuisance? And don't consider probation on a felony charge nothing...look up what you LOSE. Not to mention you and I pay to prosecute, when the company or school that was so negligent pays nothing. I firmly believe that, for every case of this sort, an investigation should be conducted determining whether or not unreasonably lax security measures contributed to the situation, and if so, the organization responsible should shoulder some part of the cost of the legal actions, if not all. Just because you own a company doesn't give you license to be incompetent, negligent, and careless and expect full restitution. Dave Ihnat ihuxx!ignatz
opus@drutx.UUCP (ShanklandJA) (05/03/84)
Since we're edging into legal matters here, I thought I'd check with
my legal affairs consultant and see what she says about the notion
that ease of access to a computer system constitutes a legitimate
defense for the password cracker.
Dave Ihnat (ihuxx!ignatz) writes:
Ah...well, consider: I leave my car keys in the ignition, the door
unlocked, and the window down.... The criminal has some defense
on grounds of unreasonable temptation.... You severely weaken your
case in the auto theft above if the situation can be proven to be
as outlined; why should it be different for computer theft?...
Ever hear of attractive nuisance?
My legal affairs consultant says no. You may leave your car keys in the
ignition, the door unlocked, and the window open, but if I steal your car,
legally speaking, I'm just as guilty as if I had used the most sophisticated
tools in the car theft industry.
As for attractive nuisance, that is a cause of action in CIVIL law;
my legal consultant knows of no jurisdiction in which attractive
nuisance is a defense in a criminal action. She says, "Although you
might try to raise that argument in a criminal case, I wouldn't want
to be the one to do it; I don't think it would pass the straight-face
test."
Just trying to set the record straight (this is going to cost me
a fortune in legal fees :-).
Jim Shankland
..!ihnp4!druxy!opus
"Nun beating? Good Lord, man, I can't support that!"smw@tilt.UUCP (Stewart Wiener) (05/03/84)
>From: north@down.FUN (Professor X) > >tilt!smw thinks that people who break into computers should be >treated with compassion and put on probation. at princeton we >simply cut off their hands: that's what we did to tilt!smw when >he tried to grab eosp1!/etc/passwd. and that's why his account >is on tilt, not princeton. > stephen c. north "Professor X" (who is, by the way, a grad student) sees the irony in the situation. So do I, but I wasn't expecting to see it posted. I won't get defensive about this. But if you want the *whole* story of that long-ago fiasco, be it known that there's a lot more to it. The sordid details include the fact that I was a naive, inexperienced user of Unix at the time, with no idea that this was not nice to do. Boy, did I ever find out fast. Live and learn. :-) -- Stewart Wiener / Princeton Univ. EECS / princeton!tilt!smw
barmar@mit-eddie.UUCP (Barry Margolin) (05/03/84)
-------------------- Equating a computer breakin by an amateur to breaking into a house by a burglar is a false analogy. -------------------- Right. I prefer an analogy to trespassing. One problem, though, is in the definition of "adequate security measures". I would generally consider most computer password systems to be as good as the deadbolt lock on my front door, and I generally consider it to be adequate. Of course, leaving well-known passwords on the system (that is how the 414's got into Sloan-Kettering, I believe) is like locking one's front door with one of those tiny, standard locks for suitcases. Intentions are very important. At MIT we have a long tradition of "roof-hacking" and "tunnel-hacking", which generally involve hanging out in parts of the campus buildings that we are not supposed to be. There is never any malice involved, so when we are caught we are just asked to leave (they instituted a $50 fine for roof-hacking a couple of years ago, but I think it was mostly to appease the insurance company, and I have never heard of it being enforced). This is pretty close to what the kids who break into computers are doing. There is rarely any intentional damage, and they usually play around at night, so the computrons they are using would probably be wasted anyway. Of course, there are malicious crackers. One of the people I work with told me about something that took place while he was in college or HS. A cracker was caught by the operator when he broke into a system, and the operator politely asked him to get off. The cracker was annoyed by this, so he wiped out the file system. I would consider that system completely inadequate, since it sounds like a disgruntled employee with authorization to use the machine could dothe same thing. However, that doesn't alter the fact that the cracker maliciously destroyed the data. This is analogous to the fact that my car has no protection against someone with a sledge-hammer, but that doesn't give someone with a sledge-hammer the right to demolish it. -- Barry Margolin ARPA: barmar@MIT-Multics UUCP: ..!genrad!mit-eddie!barmar
rcd@opus.UUCP (Dick Dunn) (05/03/84)
From fish: >Computer security may be a matter for the law, but in my opinion, >any organization that is too stupid, lazy, or cheap to implement >effective security measures deserves to get their passwords hacked. >If I had a computer system that had been broken into by a 21-year-old >amateur, I'd prosecute the sheisskopf who set it up for me, not the >guy that broke into the system. I don't know about "deserves", but I tend to agree with the general sentiment. It seems to me that prosecuting the hacker but not the jerk who left the system unprotected is a case of killing the bearer of bad tidings - or perhaps of prosecuting prostitutes but not johns. If you don't prosecute one, forget the other. --- ...Relax...don't worry...have a homebrew. Dick Dunn {hao,ucbvax,allegra}!nbires!rcd (303) 444-5710 x3086 -- ...Relax...don't worry...have a homebrew. Dick Dunn {hao,ucbvax,allegra}!nbires!rcd (303) 444-5710 x3086
ljdickey@watmath.UUCP (Lee Dickey) (05/03/84)
>1) Computer security may be a matter for the law, but in my opinion, > any organization that is too stupid, lazy, or cheap to implement > effective security measures deserves to get their passwords hacked. > If I had a computer system that had been broken into by a 21-year-old > amateur, I'd prosecute the sheisskopf who set it up for me, not the > guy that broke into the system. I think that the real problem here is that society has not come to a definition of what "reasonable, effective security measures" are. If you consider the analogy of a home, and the security measures that are taken to prevent entry there, I think that you will agree that most homes are not "secure", but that there is a line of modest defense (lock(s) on the door) that most consider "reasonable". Homeowners make a decision, consious or not, to bolster these defenses with other measures, sometimes weighing the expense against the risk. When someone is caught "breaking and entering", they get some punnishment, dished out by society, because there is general agreement (a social contract) that this is a naughty thing to do. Society has to come to a consensus about how serious it is to "break and enter" a computer system, and the owner of a system has to make a decision about how much is to be spent on security. -- Lee Dickey, University of Waterloo. (ljdickey@watmath.UUCP) ... {allegra, decvax} !watmath!ljdickey
karl@dartvax.UUCP (S. Delage.) (05/03/84)
Victimless crimes? Come again, this time with feeling?
aaw@pyuxss.UUCP (Aaron Werman) (05/03/84)
{Refering to non-destructive crime}
If I remember correctly, he crashed an administration VAX at Memorial
Sloan Kettering hospital, a major cancer center. If this (there seems
to have been some undetected tampering of files before this) led to
injury or death of patients, it probably would not have been reported.
While I have no legal opinion on the matter, I feel that would bear
ethical responsibility for any such damage.
Please- no followups about system administration duties.
{harpo,houxm,ihnp4}!pyuxss!aaw
Aaron Wermangnome@olivee.UUCP (05/03/84)
Well, sparrow, yes, I think that your ideal is a bit idealistic - do you also leave the keys in the car (with the windows rolled down) when you get to work. The world is full of realities.. Sorry.
rpw3@fortune.UUCP (05/04/84)
#R:ihu1g:-30800:fortune:6700036:000:1741 fortune!rpw3 May 3 18:17:00 1984 +-------------------- | I don't think that people who set up electronic networks and | communications systems for profit should turn to the law for | recourse when people start gaining unauthorized access to them. | Rather, a technological solution should be sought. That way, | us engineers stay employed, and the public is spared the expense | of the legislation and prosecution of laws regulating communications | access. +-------------------- Unfortunately, for many common cases of interest (such as protecting high-volume over-the-counter retail software), there is no economically feasible technological "solution". The best the engineer can do (and what any security consultant SHOULD be telling you!), is to raise the cost of cracking the system just until the incremental cost of more protection is about to become greater than the incremental savings from such additional protection. The legal system is part of the "technology" of protection. By raising the cost of penetration, you also make the perpetrator (if rational) raise the scale of his/her activities to justify the "return on investment", increasing the visibility of those actions, thus making detection (by the legal system) more likely. I do agree that a certain minimum amount of protection is prudent, to deter both the naive/clumsy accident (the "klutz") and the irrational sociopath (the "fanatic"). But extreme technical expense must be justified on a balanced risk/benefit analysis. Too often one extreme or the other is taken, without cause (other than the "ostrich position"). Rob Warnock UUCP: {ihnp4,ucbvax!amd70,hpda,harpo,sri-unix,allegra}!fortune!rpw3 DDD: (415)595-8444 USPS: Fortune Systems Corp, 101 Twin Dolphin Drive, Redwood City, CA 94065
dave@utcsrgv.UUCP (Dave Sherman) (05/04/84)
For an article which supports Bob Fishell's position (that
breaking into computer systems "for the fun of it" should not
be considered a crime), see
"Computer Crime or Jay-walking on the Electronic Highway",
Criminal Law Quarterly, March 1984, pp. 217-250.
The author takes issue with the current draft legislation which would
make "intercepting" a computer "function" subject to the Criminal Code
(Canada), and recommends that unauthorized access to computers, where no
harm is caused, not be made part of the Criminal Code.
Dave Sherman
Toronto
--
dave at Toronto (CSnet)
{allegra,cornell,decvax,ihnp4,linus,utzoo}!utcsrgv!davejohnc@dartvax.UUCP (John Cabell) (05/04/84)
I agree, also, that intent should be considered when giving
a sentence to someone who breaks into a system, but there is
the problem of finding out if he *relly was* just breking in
to see if it could be done, or if he was trying to get some
secrets hidden deep in memory.
But I think that the difficulty of breaking into the system
should be considered. It takes alot of time, effort and money
to make a difficult system, and if some high school/college
student breaks into it on a rainy sunday afternoon, it shows
one that the system can't have been that difficult and two
that the company has to get someone to design another system.
John Cabell,
--johnc
<decvax, cornell>!dartvax!johncnugent@drutx.UUCP (NugentCP) (05/05/84)
*** > ...But I think that the difficulty of breaking into the system > should be considered. It takes a lot of time, effort, and money > to make a difficult system, and if some high school/college > student breaks into it on a rainy Sunday afternoon, it shows > one that the system can't have been that difficult and two (sic) > that the company has to get someone to design another system. The argument here appears to be that the hacker deserves compen- sation for the valuable service he has provided the company in exposing the security weakness. Certainly this has been of benefit to the company, as long as this is not the hacker who is the damage- causing one the company is trying to keep out. Shouldn't the one who receives the benefit of this service be the one to provide the compensation, if any is to be given? But if the company is to provide the compensation, this implies the existence of an implied contract between the company and *all* hackers. I don't think this contract exists, unless the legislature has recently imposed it upon all companies with computer systems.
tac@teldata.UUCP (05/07/84)
, (sop to the blank line eaters--consider it a religious sacrifice) >> From: johnc@dartvax.UUCP (John Cabell) >> Organization: Dartmouth College >> >> I agree, also, that intent should be considered when giving >> a sentence to someone who breaks into a system, but there is >> the problem of finding out if he *relly was* just breking in >> to see if it could be done, or if he was trying to get some >> secrets hidden deep in memory. >> But I think that the difficulty of breaking into the system >> should be considered. It takes alot of time, effort and money >> to make a difficult system, and if some high school/college >> student breaks into it on a rainy sunday afternoon, it shows >> one that the system can't have been that difficult and two >> that the company has to get someone to design another system. >> >> John Cabell, >> --johnc >> <decvax, cornell>!dartvax!johnc >> Well, if I came home and found some *ssh*l* picking the lock on my front door my first reaction would be to blow him away. Now it may well be that he just wanted to see if he could do it, and wasn't even going to enter if he made it, but he might have left the door unlocked when he was done f*ck*ng with it! Having been caught, what else would/could he say except "I just wanted to see if I could do it." It would be a good thing for him that I don't carry a gun, and couldn't do as my first impulse suggests, but let us analyze just what punishment should be met out. My second impulse would be to break all his fingers so he couldn't do it again soon (if at all), and that may seem a bit harsh to some of you out there. I admit that it is harsh. Somewhere he never picked up the idea of privacy, respecting the rights and possesions of others and a few other morals which are necessary to a society which lives cheek-by-jowl in large cities and suburbs. (Daisy May of 'Lil Abner fame once said, "Morals are great, every chile should have one.") Our little lock picker should be taught the error of his ways or he will never learn that what he did is wrong. The Jurisprudence system should be a learning experience--if caught and convicted you should learn not to do it again. Residency in jail will not teach you anything by hate, fear of others, the many positions of sodomy and five new criminal skills. We need to find another way of teaching criminals something. I suggest that the first lesson be painfull, but not of long duration, the second lesson be permanent but not disabling, and the third lesson be final. This may seem harsh and it is. When we quit coddling criminals we will find a lot less of them. Now it is I'm waiting for the lightening bolt to strike! I have presented a wide open target, have at me. From the Soapbox of Tom Condon {...!uw-beaver!teltone!teldata!tac} A Radical A Day Keeps The Government At Bay.
debray@sbcs.UUCP (Saumya Debray) (05/08/84)
> I agree that intent in commiting a crime should be a factor > in sentencing. If someone breaks into a system simply out > of a sense of mischief they should get a lighter sentence > than someone who breaks in for reasons of malice or greed. Perhaps the author could suggest an algorithm for determining the intent of crime? -- Saumya Debray, SUNY at Stony Brook uucp: {cbosgd, decvax, ihnp4, mcvax, cmcl2}!philabs \ {amd70, akgua, decwrl, utzoo}!allegra > !sbcs!debray {teklabs, hp-pcd, metheus}!ogcvax / CSNet: debray@suny-sbcs@CSNet-Relay
sdo@u1100a.UUCP (Scott Orshan) (05/08/84)
This addresses the "other electronic crimes" portion of the title.
Is it illegal to call someone else's answering machine and play
the messages using a remote playback beeper?
Consider these related points:
Was the beeper just a universal sound generator, that would work
on any of the same model answering machine?
Were the sounds encoded, so that they had to be counterfeited
to gain access?
If they were encoded, how were they obtained? Did the owner
leave the device lying around so the sounds could be recorded?
Were there a small number of combinations, such that they could
all be tried?
Consider the common issues between computer cracking and the
above:
Does connecting a device to the telephone network
reduce its owner's rights to privacy? Consider the
discussions of breaking into a house vs. cracking a computer.
Suppose that the entrance to the house were inside a
shopping mall, among many other open doors. Could it then
be expected that people might try to enter uninvited?
Are the issues of telephone messages and computer files
the same? Someone has connected a device to the telephone
network to allow remote access. Someone else obtains
a key to get in, either by trial and error, or by finding
it carelessly left around. That person reads, and possibly
erases, information on that device.
By nature, the telephone is a device which allows public entry
into the home. Until recently, this was limited to voice.
If you answered, the caller had a right to ask questions.
You could choose to hang up at any time. If the caller's identity
was misrepresented, you might have given information to
a stranger. Is this theft? Fraud? Something else? What if the
caller voice was recognized, but no identity was ever stated?
If you gave out information based on your faulty recognition
of a voice, was the caller guilty of anything?
How does this relate to telephone entry into electronic devices?
If you obtain a password, and use it to gain entry, is this
a misrepresentation of the caller's identity, or a failure
of the called machine to recognize a false entry?
I'm not trying to take any particular side here. I'm just
presenting some points to ponder. Mainly, what is the
relationship between a telephone connection and privacy?
I'm sure that if someone walked up to your machine and used
it without your permission (such as your car, computer,
answering machine), you would have no trouble seeing this
as wrong. The same applies if someone walks into your house
and starts talking to you. How does the telephone change all this?
Scott Orshan
Bell Communications Research
201-981-3064
{ihnp4,allegra,pyuxww}!u1100a!sdofish@ihu1g.UUCP (Bob Fishell) (05/08/84)
(oo)
Shoot somebody for picking your locks? Break their fingers? You'd be
in big trouble, bud.
Besides, breaking into a house and gaining unauthorized access to a
computer are two completely different things, so I wish you Law&Order
freaks would stop making the analogy. Consider the differences:
1) Housebreaking entails doing some physical damage to the building.
Computer breakins do not physically harm a system.
2) Housebreakers enter the building physically. This has the
following effects:
a) The occupants of the building are placed in physical
danger. Even if the burglar does not intend violence,
he might panic if surprised and hurt or kill somebody.
b) The burglar himself is in danger of being shot, beat
up, or having his fingers broken by the vindictive
resident.
Computer-breakers, on the other hand, enter the system via
a telephone that may be located thousands of miles away.
Although once inside, there is a potential for malicious
damage, the danger is not to anybody's life. Oh, don't give
me that line about somebody getting into a medical computer
and potentially killing somebody. That is a far-fetched
hypothetical situation, whereas the danger that occurs from
a housebreaking is real, and always present in such a situation.
You can always argue that any illegal act is potentially life-
threatening. If I throw a bag of empty beer bottles out of
the car, a kid with bare feet could potentially cut himself
and bleed to death or die of tetanus. However, that potential
is very small.
3) The worst a computer-breaker can do is wipe out files. While this
can cause a lot of grief, it will not in most cases result in any
physical damage to the computer system.
A housebreaker, on the other hand, can trash the building, steal
everything in sight, murder the occupants, and burn the place down.
I could go on, but I think I've made the point that, even though a
housebreaker *could* just intend a harmless prank, the potential
harm he can do is vastly greater than the harm that a password
"hacker" can do. Remember that "War Games" was just a silly movie.
Finally, I must reiterate: any enterprise whose computer facilities
are important enough that a breakin could cause serious problems
should take serious measures to prevent such activities. This
needn't be as elaborate as using pressurized cable, just enforce
password aging and make sure that passwords are long enough to
prevent breakins by Apple Basic programs that just try a progression
of character strings. This would prevent most mischievous breakins.
I don't advocate that it should be legal for any one who is resourceful
enough to break in to a computer. However, I don't advocate serious
punishment for those who do. A fine, say $100, ought to be enough
for a first offense. An unprotected computer system is an attractive
nuisance, and there should be some culpability on the part of the
system's owners when some bored college kid finds that he can get
into it.
--
Bob Fishell
ihnp4!ihu1g!fishron@brl-vgr.ARPA (Ron Natalie <ron>) (05/11/84)
I'm sorry. When someone is detect and he is warned to go away and he doesn't it ceases to be one of these trivial things anymore. Even the lightest offenses in this state and neighboring ones (and probably all of them) when repeated in the light of the person being told he is doing something wrong becomes a much more severe offense. -Ron
ron@brl-vgr.UUCP (05/11/84)
Relay-Version: version B 2.10 5/3/83; site houti.UUCP Posting-Version: version B 2.10.1 6/24/83; site brl-vgr.ARPA Message-ID: <1820@brl-vgr.ARPA> Date: Fri, 11-May-84 12:11:14 EDT u1g.UUCP> Organization: Ballistics Research Lab Lines: 6 I'm sorry. When someone is detect and he is warned to go away and he doesn't it ceases to be one of these trivial things anymore. Even the lightest offenses in this state and neighboring ones (and probably all of them) when repeated in the light of the person being told he is doing something wrong becomes a much more severe offense. -Ron
mpr@mb2c.UUCP (Mark Reina) (05/11/84)
Recently, an author on the net suggested that intent should be taken into
account for hackers who tap into other computer operations (other than the
ones they are authorized to use). This author suggested using malice or
greed as indexes.
I should like to point out that what I know from criminal law intent is
always taken into account for both conviction and sentencing. It would
work like this:
(a) for conviction, did the hacker intend to make unauthorized use of
another's computer system; and
(b) for sentencing, how much trouble did the hacker really cause or
intend to cause.
While criminal law as applied to misprision of computers is not my
forte, I believe these are close analogies for the topic.
Of course, a court or legislature could always impose strict liability
for unauthorized use of a computer. (ie. simply did the hacker have any
unauthorized use; a close analogy would be for statutory rape, no one
cares if you knew the female was underage, just did you commit the act)tac@teldata.UUCP (05/11/84)
Relay-Version: version B 2.10 5/3/83; site houti.UUCP Posting-Version: version B 2.10.1 6/24/83; site teldata.UUCP Message-ID: <338@teldata.UUCP> Date: Fri, 11-May-84 15:05:38 EDT cker gets probation (& other electronic crimes) Organization: Teltone Corp., Kirkland, WA Lines: 155 , (sop to the blank line eaters--consider it a religious sacrifice) Oh woe is us if this crap gets spread around, the grass will be too deep to mow in no time! >> From: fish@ihu1g.UUCP (Bob Fishell) >> >> (oo) >> Shoot somebody for picking your locks? Break their fingers? You'd be >> in big trouble, bud. I believe I said that would be my first inclination. Sort of like finding the dog has used the rug instead of the newspapers when you come home--the first inclination is that the dog is not worth keeping. You are right though, the criminals have many more rights than the victims these days so I could probably be in trouble just for being there to catch him. Have you ever had your house broken into? There is a terrible feeling of violation (I imagine it is similar to - though not as bad as - being raped). You loose all sense of security in you home, and wonder every time you come back what is missing now. No, if you have sympathy for the lock picker you probably have never been robbed. >> >> Besides, breaking into a house and gaining unauthorized access to a >> computer are two completely different things, so I wish you Law&Order >> freaks would stop making the analogy. Consider the differences: >> >> 1) Housebreaking entails doing some physical damage to the building. >> Computer breakins do not physically harm a system. A skilled lock picker can open your door without harming it-- in fact to make his job easier he may even oil the lock for you. Now that is what I call damage. The damage is to your mental security. That is damaged when a computer is entered also. >> >> 2) Housebreakers enter the building physically. This has the >> following effects: >> >> a) The occupants of the building are placed in physical >> danger. Even if the burglar does not intend violence, >> he might panic if surprised and hurt or kill somebody. >> >> b) The burglar himself is in danger of being shot, beat >> up, or having his fingers broken by the vindictive >> resident. Is it all right to rob someone if you don't put them in danger (wait until they are not home)? I had something stolen out of my storage locker once, and the person who did it did not break in. They got into the one next door and leaned over the top of the wall and fished out stuff. Never once entered my locker. Seems to me you could do the same with a window in a house--that is to never actually enter, but manage to hook the goods out the window. >> >> Computer-breakers, on the other hand, enter the system via >> a telephone that may be located thousands of miles away. >> Although once inside, there is a potential for malicious >> damage, the danger is not to anybody's life. Oh, don't give >> me that line about somebody getting into a medical computer >> and potentially killing somebody. That is a far-fetched >> hypothetical situation, whereas the danger that occurs from >> a housebreaking is real, and always present in such a situation. Need I remind you that computers frequently control machinery these days? You could accidentaly shut off or turn on all sorts of dangerous things. >> >> 3) The worst a computer-breaker can do is wipe out files. While this >> can cause a lot of grief, it will not in most cases result in any >> physical damage to the computer system. While I admit that there is only a small damage possibility to the actual COMPUTER system, there is the potential for great monetary loss (and thereby damage) to the company or person owning that computer. First case: A home enthusiast who keeps his projects on his computer. He has just invented the next *BIG HIT* video game or toy or whatever. Our potential hero (the hacker) breaks in and erases it destroying hours of work and sweat. Or worse yet steals it and pattens it first! Second case: Dr. Somebody has spent 13 years collecting data and analyzing it to make a great scientific breakthrough. Since all of this was funded by the government and the school where he was doing this he is required to publish and has, in fact, let out the mearest hint of what he is going to publish on, but comes back the next day to find some sh*t-head has run rampant through his data. Now it still looks good in some respects, but in all consceince he cannot PROVE it has not been modified. As a man of respectable morals he declines to publish until it can be re-verified and therefore looses his grant and job thus causing hardship for his family and possibly a difficult future. A worse case of this scenario is that our hero (remember the innocent hacker?) just modifies enough data for the Dr. to come to the wrong conclusion, or to overlook something important and he publishes false data which is exposed depriving him of he credibility along with his job! Third case: The most common institutional computer these days is banks. Now tell me that no damage or loss can be incured by messing with those. Want the picture painted for you? How about Granny Smith. All of her family is dead or moved on and she has just enough in the bank to keep her going for a few more years. Then some punk--eh, excuse me, our hero-- messes with her bank account and now she has no money at all (don't give me any cr*p about how she could live on SS and Welfare the rest of her life either). A worse case of that scenario? How about the bank decides it is her who has messed with their files and prosecutes. How should our hero feel about having been instrumental in sending a little old lady to jail? Some of these may be far fetched, but I think you will have to admit that they all fall within bounds you set out in the discussion. >> >> A housebreaker, on the other hand, can trash the building, steal >> everything in sight, murder the occupants, and burn the place down. >> >> I could go on, but I think I've made the point that, even though a >> housebreaker *could* just intend a harmless prank, the potential >> harm he can do is vastly greater than the harm that a password >> "hacker" can do. Remember that "War Games" was just a silly movie. Where have you been all the last 5 years? People have broken into some of the government security installations. Just what do you think it takes to create a catastrophy? I don't believe that someone could start a war with a computer, but some *REALLY* big sh*t could hit the fan. We still have not mentioned the other thing our hero could do--he could break in and leave the door open for anyone else by making the password so simple that anyone could get in, or just publish it on a billboard or network! Then all h*ll breaks loose. >> >> Finally, I must reiterate: any enterprise whose computer facilities >> are important enough that a breakin could cause serious problems >> should take serious measures to prevent such activities. This >> needn't be as elaborate as using pressurized cable, just enforce >> password aging and make sure that passwords are long enough to >> prevent breakins by Apple Basic programs that just try a progression >> of character strings. This would prevent most mischievous breakins. Do you live in a castle with a mote? If not your house is not secure enough, and if so YOU have provided the atractive nuisance. >> >> I don't advocate that it should be legal for any one who is resourceful >> enough to break in to a computer. However, I don't advocate serious >> punishment for those who do. A fine, say $100, ought to be enough >> for a first offense. An unprotected computer system is an attractive >> nuisance, and there should be some culpability on the part of the >> system's owners when some bored college kid finds that he can get >> into it. >> -- >> >> Bob Fishell >> ihnp4!ihu1g!fish Just by the by, how do you tell it is an unprotected system until you try to break in? And if you happen to be successful, does that make it poor protection or you just lucky or smart? From the Soapbox of Tom Condon {...!uw-beaver!teltone!teldata!tac} A Radical A Day Keeps The Government At Bay. (A gunfight a day keeps the muggers away?) :-)
csc@watmath.UUCP (Computer Sci Club) (05/13/84)
In a recent submision I expressed the view that intent should be a
major factor in determining the sentence in cases of computer "break
in". At least two people have replied asking how intent is to be
determined. Actually, as has already been pointed, out intent is
one of the factors taken into account by the courts in sentencing.
The courts have always had the difficult task of determining
"facts" such as these. In many cases there will be clear indications
of what the intent was. If no such clear indications exist, well
that's what we pay judges for.
Breaking into a computer can be a grave offence. As such the
maximum penalties should be severe, and no instance of the crime
should be treated trivially. However, in most cases the maximum
penalties would not be used. The ease with which the crime was
commited should have little bearing on the case.
William Hughes
Honest Judge, all I did was apply a little preasure with this knife
against his neck. It was really easy!derek@sask.UUCP (05/15/84)
All this talk about people cracking computer being similar to breaking
and entering a private home has gone far enough. It is silly. There
are too many emotional ties to a person's home. It is a private place.
We have been having some discussion on this topic and the following
comments are from Darwyn Peachey, sask!kimnovax!peachey.
I guess I will focus primarily on the analogy between a computer
system and an office building. The building itself is usually
considered to be a more-or-less public place, although it might
be owned by some firm. An individual's office is a more-or-less
private place (as is his computer account), but in some firms
there is an understood permission to enter other people's offices
in their absence in order to get the firm's work done. This
of course does not imply any permission for the general public
to enter someone's office. Members of the general public are
usually tolerated in the public part of the building, especially
if they are lost or are trying to contact someone in the firm.
It seems to me that this is analogous to logging on to public
or test accounts to send some mail, or to see if the system is
busy, or to see if there is anything connected to that Datapac
address. Of course, if a member of the public accidentally or
maliciously did some damage to the building, he would expect
to be liable for the cost of repairs. Moreover, someone who
set up a tent, cookstove, etc. in the lobby of an office building
might well expect to be asked to leave, because he is making an
unfair use of the firm's hospitality.
Use of someone's office by a co-worker is only fair when no
charges are incurred by the co-worker and fraudulently passed on
to the owner of the office. In most office buildings, employees
do not pay for phones, rent, etc. so this point is moot.
Computer accounts are much different if some form of charging
exists.
Deliberately damaging someone else's property is a no-no, whereever
it takes place. To me, modifying or deleting files from another
user's account without permission (specific or general) is a crime
of the same type.
Privacy should be respected. However, people who keep personal
material on computer accounts which are analogous to offices
(meaning accounts on machines they don't own or accounts they
don't pay for) are likely to have their privacy invaded accidentally,
just like the person who keeps his pornographic home movies in
his desk drawer at work.
It is the responsibility of the owner of a building to make it
clear to members of the public when access is not allowed. Anyone
who then enters or makes a deliberate attempt to enter is committing
an unethical act. I think that a computer system that asks for
a password is indicating that only certain people are allowed to enter.
Someone who then attempts to find the password is breaking and entering.
However, systems that have no such security check, however feeble,
are not really indicating that members of the public are not allowed
on. Just like the lobby of an office building, the public might be
expected to wander in. As long as they do no damage, and make no
unreasonable use of the facilities, they have not really done anything
wrong. Of course, they can be asked to leave by the management, and
they should comply with such a request.
It would be unreasonable to walk into the lobby of an office building
and be presented with a bill for this use of the lobby floor!
If the owner of a building makes some effort to inform the public
that they are not allowed to enter the building, then the quality of
the locks on the doors is not an issue. The burglar cannot defend
himself by arguing that the locks were too easy to pick!
Finally, let me say that I feel that a "doctrine of lesser evils"
should apply. If I were outside freezing to death and my only
chance of survival were to break into a private home, even inflicting
some damage to the windows in the process, I would break in without
a second thought. This is okay, in my view, because the preservation
of life is considered more important than privacy and property.
I would of course expect to pay for the damage I did. I'm not
sure that similar life-and-death cases exist in the computer world,
but I wouldn't be surprised. Note that you can't override one
evil with another evil at the same level, eg, one life with another
(but what about self defense?), one loss of property with another, ...
Darwyn
--
Derek Andrew, ACS, U of Saskatchewan, Saskatoon Saskatchewan, Canada, S7N 0W0
{ihnp4 | utah-cs | utcsrgv | alberta}!sask!derek 306-343-2638 0900-1630 CSTlat@stcvax.UUCP (Larry Tepper) (05/16/84)
Why don't we put our .signature's here and save a line per article?
How about putting these lines in your system's message of the day
or have the login program print something like:
*** WARNING *** Unauthorized access to this computer
is a punishable offense.
That would seem to me to be equivalent to a `no trespassing' sign.
Anyone who so enters will have been warned of the consequences.
--
{decvax, hao}!stcvax!lat Larry Tepper
{allegra, amd70, ucbvax}!nbires!stcvax!lat 303-673-5435