[net.misc] Password hacker gets probation

smw@tilt.UUCP (Stewart Wiener) (05/01/84)

As reported in this morning's Washington Post, Gerald Wondra, a 21-year old
from the Milwaukee area, was sentenced in U.S. District Court to two years'
probation for gaining "unauthorized access to computers at a Los Angeles bank
and a New York hospital....  Wondra pleaded guilty to two misdemeanor counts
in connection with his part in a scheme by local computer enthusiasts to gain
unauthorized access to computers.  The loosely knit group of young computer
hobbyists or 'hackers' became nationally known as '414s,' the telephone area
code for the Milwaukee area.

Thoughts:

(a)	At least the media equated the honorable term "hacker" with "computer
	hobbyist" instead of criminal.  Not a perfect definition, but they
	seem to have learned a little.

(b)	Who thinks this guy should have served time in prison?  I don't, but
	then I favor probation for most "white-collar" (or victimless) crimes.

(c)	Does anyone know just what misdemeanor Wondra was charged with?  There
	are lots of laws on the books that the D.A. might have tried to apply
	to this case.  Which did they settle on?

--
	   Stewart Wiener		:-)   "Avast, ye scurvy corporate
	Princeton Univ. EECS		:-)  swabs!  Prepare to be boarded!"
	 princeton!tilt!smw		:-)     --Oliver Wendell Jones

fish@ihu1g.UUCP (Bob Fishell) (05/02/84)

I think that probation is the worst he should have gotten.  I have
some rather anarchistic thoughts about this subject that I'll post here.

1) Computer security may be a matter for the law, but in my opinion,
   any organization that is too stupid, lazy, or cheap to implement
   effective security measures deserves to get their passwords hacked.
   If I had a computer system that had been broken into by a 21-year-old
   amateur, I'd prosecute the sheisskopf who set it up for me, not the
   guy that broke into the system.

2) The same thing goes for video pirates and other electronic thieves.
   I don't think that people who set up electronic networks and
   communications systems for profit should turn to the law for
   recourse when people start gaining unauthorized access to them.
   Rather, a technological solution should be sought.  That way,
   us engineers stay employed, and the public is spared the expense
   of the legislation and prosecution of laws regulating communications
   access.  I'm not advocating that it should be completely legal for
   people to break into communications systems or computers if they
   can do it, but to use the law in place of technology is a violation
   of the public trust.  If HBO and victims of computer breakins want
   to bear all the costs of prosecuting the perpetrators, fine.  But
   if I gotta pay taxes so these people get punished at public expense,
   I'm gonna be pretty pee-oh'ed about it!

3) Here in what used to be called the Bell System, we used to have a
   problem with "blue boxes" that people used to gain illegal access
   to the long distance network.  Although AT&T did prosecute people
   they caught doing it, a lot of hard work went into developing a
   better, tamper-proof system called CCIS.  Better to change the
   lock than track down the guy who stole the key.  Cheaper, too,
   in the long run.
-- 

                               Bob Fishell
                               ihnp4!ihu1g!fish

richard@sequent.UUCP (05/02/84)

>>(b)	Who thinks this guy should have served time in prison?  I don't, but
>>	then I favor probation for most "white-collar" (or victimless) crimes.
>>	   Stewart Wiener

Uh, I hope you're not equating white-collr crime with "victimless" crimes?
White-colar is generally supposed to be non-violent, as in EFT-type
thefts, con jobs, etc.  Victimless are crimes which are illegal solely by
societies (sometimes odd) morals. Examples include drug abuse, prostitution
and even suicide. (What's teh one crime you can be tried for only if you fail?)

While I usually advocate the legalization of victimless crimes, white collar
crimes are much more serious.  I do believe in separating the convicts
within prisons by whether their crimes had a violent aspect, however.

If you just made a grammatical mistake, never mind.
___________________________________________________________________________
The preceding should not to be construed as the statement or opinion of the
employers or associates of the author.   It might not even be the author's.

I try to make a point of protecting the innocent,
	but none of them can be found...
							...!sequent!richard

rtf@ihuxw.UUCP (sparrow) (05/02/84)

Bob Fishell states:

   Computer security may be a matter for the law, but in my opinion,
   any organization that is too stupid, lazy, or cheap to implement
   effective security measures deserves to get their passwords hacked.

Is this for real????  Using the same logic I could say that anyone
who is too stupid, lazy or cheap to implement effective security
measures on their [house|car|person] deserves to have same be
[destroyed|stolen|mugged|raped] by some ambitious criminal.  Maybe
I am old fashioned but I think humans have a right to expect that
their property and privacy be respected and anyone who violates this
is a criminal.  And who is to decide what is effective measures??
To a professional jewel thief who can break any alarm system there
are no effectives measures.  Does this give them the right to try
to steal any jewels they please??  

I disagree with Bob.  I think the hacker getting probation got
nothing more than a slap on the wrists.  I don't see a big 
difference between picking a lock and breaking a computer security
system.  It's called 'breaking and entering' and should be 
treated as a felony.  Just because computers are your profession
doesn't give you special privileges over those who are simply
users with average intelligence.

					sparrow

thor@ihuxw.UUCP (Mark Kohls ) (05/02/84)

++++

I think he got off much too easily. As a bare minimum he should have
been sentenced to ten years of reading net.religion. Then we'll
see how much he likes computers.


--------
Mark "my sentence is over in two days" KohLS
IHUXW!THOR

fish@ihu1g.UUCP (Bob Fishell) (05/02/84)

(oo)
"oooh, lord, don't let me be misunderstood..."

Equating a computer breakin by an amateur to breaking into a house
by a burglar is a false analogy.  Most "password hackers," as it was
put, are interested in mischief and the personal satisfaction of
having beaten somebody's system.  It's an elaborate game.  Burglars,
on the other hand, are usually interested in more than breaking
into the house and leaving a calling card on the mantle.  Rather,
they're interested in taking something that doesn't belong to them.

I stand by my original position; if an enterprise doesn't want to 
take the trouble of implementing effective security measures, people
who break into their computers shouldn't be severely punished! It's
kind of like leaving your keys in the car; in most places, if some
kid comes along and takes it for a joy ride, the law will hold
the careless owner partly responsible for the crime.  It's another
matter entirely if the same kid breaks into the car and yanks the
ignition lock with a slide hammer.  Likewise, if a computer enterprise
has an effective security system, it will take more than a computer
brat with an Apple II and an autodial modem to break into it.  Somebody
going to that kind of trouble to get into a computer probably is motivated
by something a little more worldly than electronic mischief.
-- 

                               Bob Fishell
                               ihnp4!ihu1g!fish

csc@watmath.UUCP (Computer Sci Club) (05/03/84)

I agree that intent in commiting a crime should be a factor in sentencing.
If someone breaks into a system simply out of a sense of mischief they should
get a lighter sentence than someone who breaks in for reasons of malice or
greed.  Also, I think that the potential damage of the action should be taken
into account.

However, I do not think that the difficulty of the crime should be much of a
factor in sentencing.  Should the guy who cracks a badly protected system to
disrupt it a gain revenge on an enemy recieve a lighter sentence
than the college student who cracks a difficult system just to see if it
can be done? 
                             William Hughes

ignatz@ihuxx.UUCP (Dave Ihnat, Chicago, IL) (05/03/84)

Concerning the response by sparrow to Bob Fishell's note:

	Bob Fishell states:
	
	   Computer security may be a matter for the law, but in my opinion,
	   any organization that is too stupid, lazy, or cheap to implement
	   effective security measures deserves to get their passwords hacked.
	
	Is this for real????  Using the same logic I could say that anyone
	who is too stupid, lazy or cheap to implement effective security
	measures on their [house|car|person] deserves to have same be
	[destroyed|stolen|mugged|raped] by some ambitious criminal. 

Ah...well, consider: I leave my car keys in the ignition, the door
unlocked, and the window down.  Then I come and cry to the police that
my car was stolen.  Sorry, Charlie...they'll take the report, and try
and catch the guy.  DON'T EXPECT SYMPATHY...they'll say you deserved
it.  Not only that, the criminal has some defense on grounds of unreasonable
temptation.  Stupidity usually deserves some sort of negative reinforcement.
That doesn't mean that what you deserve is what is morally right or
legal.  SO...from a legal point of view, the police and D.A.
prosecute.  Personally, they probably think you're batty.

	Maybe I am old fashioned but I think humans have a right to expect that
	their property and privacy be respected and anyone who violates this
	is a criminal.

Right...those who violate your property and privacy are criminals.  I
thoroughly agree.  But the right to expect the respect of same?  No.  It
would be nice, but live in a big City and see how far you go if you
EXPECT it.  You may reasonably expect your property, privacy, and
self to be resonably PROTECTED before violation, by the police--but
they can't be everywhere.  You may expect PUNISHMENT for criminals
after violation, by the law and the legal system.  Does
this mean you should take no precautions whatsoever?  I think not.
You severely weaken your case in the auto theft above if the situation
can be proven to be as outlined; why should it be different for
computer theft?

	And who is to decide what is effective measures??
	To a professional jewel thief who can break any alarm system there
	are no effectives measures.  Does this give them the right to try
	to steal any jewels they please??  

Be reasonable; we've already provided for this in the law.  Those who
make the laws decide what's reasonable, based on expert testimony.
The courts exist to interpret this on a case-by-case basis, tempered
with precedent.  No, this doesn't give them the right to try and steal
anything; but it doesn't absolve the victim of the responsibility of
proper preparation and precaution.
	
	I disagree with Bob.  I think the hacker getting probation got
	nothing more than a slap on the wrists.  I don't see a big 
	difference between picking a lock and breaking a computer security
	system.  It's called 'breaking and entering' and should be 
	treated as a felony.  Just because computers are your profession
	doesn't give you special privileges over those who are simply
	users with average intelligence.
	
						sparrow

The point I'm trying to make--the only reason I'm getting involved in
this at all--is that the hacker wasn't the only one who should have
been punished.  Ever hear of attractive nuisance?  And don't consider
probation on a felony charge nothing...look up what you LOSE.  Not to
mention you and I pay to prosecute, when the company or school that
was so negligent pays nothing.  I firmly believe that, for every case
of this sort, an investigation should be conducted determining whether
or not unreasonably lax security measures contributed to the
situation, and if so, the organization responsible should shoulder
some part of the cost of the legal actions, if not all.

Just because you own a company doesn't give you license to be
incompetent, negligent, and careless and expect full restitution.

					Dave Ihnat
					ihuxx!ignatz

opus@drutx.UUCP (ShanklandJA) (05/03/84)

Since we're edging into legal matters here, I thought I'd check with
my legal affairs consultant and see what she says about the notion
that ease of access to a computer system constitutes a legitimate
defense for the password cracker.

Dave Ihnat (ihuxx!ignatz) writes:

    Ah...well, consider: I leave my car keys in the ignition, the door
    unlocked, and the window down....  The criminal has some defense
    on grounds of unreasonable temptation....  You severely weaken your
    case in the auto theft above if the situation can be proven to be
    as outlined; why should it be different for computer theft?...
    Ever hear of attractive nuisance?  

My legal affairs consultant says no.  You may leave your car keys in the
ignition, the door unlocked, and the window open, but if I steal your car,
legally speaking, I'm just as guilty as if I had used the most sophisticated
tools in the car theft industry.

As for attractive nuisance, that is a cause of action in CIVIL law;
my legal consultant knows of no jurisdiction in which attractive
nuisance is a defense in a criminal action.  She says, "Although you
might try to raise that argument in a criminal case, I wouldn't want
to be the one to do it; I don't think it would pass the straight-face
test."

Just trying to set the record straight (this is going to cost me
a fortune in legal fees :-).

Jim Shankland
..!ihnp4!druxy!opus

"Nun beating?  Good Lord, man, I can't support that!"

smw@tilt.UUCP (Stewart Wiener) (05/03/84)

	>From: north@down.FUN (Professor X)
	>
	>tilt!smw thinks that people who break into computers should be
	>treated with compassion and put on probation.  at princeton we
	>simply cut off their hands: that's what we did to tilt!smw when
	>he tried to grab eosp1!/etc/passwd.  and that's why his account
	>is on tilt, not princeton.
	>	stephen c. north

"Professor X" (who is, by the way, a grad student) sees the irony in the
situation.  So do I, but I wasn't expecting to see it posted.

I won't get defensive about this.  But if you want the *whole* story of that
long-ago fiasco, be it known that there's a lot more to it.  The sordid
details include the fact that I was a naive, inexperienced user of Unix at
the time, with no idea that this was not nice to do.  Boy, did I ever find
out fast.  Live and learn. :-)
--
	Stewart Wiener / Princeton Univ. EECS / princeton!tilt!smw

barmar@mit-eddie.UUCP (Barry Margolin) (05/03/84)

--------------------
Equating a computer breakin by an amateur to breaking into a house
by a burglar is a false analogy.
--------------------

Right.  I prefer an analogy to trespassing.

One problem, though, is in the definition of "adequate security
measures".  I would generally consider most computer password systems to
be as good as the deadbolt lock on my front door, and I generally
consider it to be adequate.  Of course, leaving well-known passwords on
the system (that is how the 414's got into Sloan-Kettering, I believe)
is like locking one's front door with one of those tiny, standard locks
for suitcases.

Intentions are very important.  At MIT we have a long tradition of
"roof-hacking" and "tunnel-hacking", which generally involve hanging out
in parts of the campus buildings that we are not supposed to be.  There
is never any malice involved, so when we are caught we are just asked to
leave (they instituted a $50 fine for roof-hacking a couple of years
ago, but I think it was mostly to appease the insurance company, and I
have never heard of it being enforced).  This is pretty close to what
the kids who break into computers are doing.  There is rarely any
intentional damage, and they usually play around at night, so the
computrons they are using would probably be wasted anyway.

Of course, there are malicious crackers.  One of the people I work with
told me about something that took place while he was in college or HS.
A cracker was caught by the operator when he broke into a system, and
the operator politely asked him to get off.  The cracker was annoyed by
this, so he wiped out the file system.  I would consider that system
completely inadequate, since it sounds like a disgruntled employee with
authorization to use the machine could dothe same thing.  However, that
doesn't alter the fact that the cracker maliciously destroyed the data.
This is analogous to the fact that my car has no protection against
someone with a sledge-hammer, but that doesn't give someone with a
sledge-hammer the right to demolish it.
-- 
			Barry Margolin
			ARPA: barmar@MIT-Multics
			UUCP: ..!genrad!mit-eddie!barmar

rcd@opus.UUCP (Dick Dunn) (05/03/84)

From fish:
>Computer security may be a matter for the law, but in my opinion,
>any organization that is too stupid, lazy, or cheap to implement
>effective security measures deserves to get their passwords hacked.
>If I had a computer system that had been broken into by a 21-year-old
>amateur, I'd prosecute the sheisskopf who set it up for me, not the
>guy that broke into the system.

I don't know about "deserves", but I tend to agree with the general
sentiment.  It seems to me that prosecuting the hacker but not the jerk who
left the system unprotected is a case of killing the bearer of bad tidings
- or perhaps of prosecuting prostitutes but not johns.  If you don't
prosecute one, forget the other.
---
...Relax...don't worry...have a homebrew.		Dick Dunn
{hao,ucbvax,allegra}!nbires!rcd				(303) 444-5710 x3086
-- 
...Relax...don't worry...have a homebrew.		Dick Dunn
{hao,ucbvax,allegra}!nbires!rcd				(303) 444-5710 x3086

ljdickey@watmath.UUCP (Lee Dickey) (05/03/84)

>1) Computer security may be a matter for the law, but in my opinion,
>   any organization that is too stupid, lazy, or cheap to implement
>   effective security measures deserves to get their passwords hacked.
>   If I had a computer system that had been broken into by a 21-year-old
>   amateur, I'd prosecute the sheisskopf who set it up for me, not the
>   guy that broke into the system.
I think that the real problem here is that society has not come to a definition
of what "reasonable, effective security measures" are.  If you consider the
analogy of a home, and the security measures that are taken to prevent entry
there, I think that you will agree that most homes are not "secure", but that
there is a line of modest defense (lock(s) on the door) that most consider
"reasonable".  Homeowners make a decision, consious or not, to bolster these
defenses with other measures, sometimes weighing the expense against the risk.
When someone is caught "breaking and entering", they get some punnishment,
dished out by society, because there is general agreement (a social contract)
that this is a naughty thing to do.

Society has to come to a consensus about how serious it is to "break and enter"
a computer system, and the owner of a system has to make a decision about how
much is to be spent on security.  
-- 
  Lee Dickey, University of Waterloo.  (ljdickey@watmath.UUCP)
 	... {allegra, decvax} !watmath!ljdickey

karl@dartvax.UUCP (S. Delage.) (05/03/84)

Victimless crimes? Come again, this time with feeling?

aaw@pyuxss.UUCP (Aaron Werman) (05/03/84)

{Refering to non-destructive crime}

If I remember correctly, he crashed an administration VAX at Memorial
Sloan Kettering hospital, a major cancer center. If this (there seems
to have been some undetected tampering of files before this) led to
injury or death of patients, it probably would not have been reported.
While I have no legal opinion on the matter, I feel that would bear
ethical responsibility for any such damage.

Please- no followups about system administration duties.
			{harpo,houxm,ihnp4}!pyuxss!aaw
			Aaron Werman

gnome@olivee.UUCP (05/03/84)

Well, sparrow, yes, I think that your ideal
is a bit idealistic -  do you also leave the
keys in the car (with the windows rolled down)
when you get to work.

The world is full of realities..
Sorry.

rpw3@fortune.UUCP (05/04/84)

#R:ihu1g:-30800:fortune:6700036:000:1741
fortune!rpw3    May  3 18:17:00 1984

+--------------------
| I don't think that people who set up electronic networks and
| communications systems for profit should turn to the law for
| recourse when people start gaining unauthorized access to them.
| Rather, a technological solution should be sought.  That way,
| us engineers stay employed, and the public is spared the expense
| of the legislation and prosecution of laws regulating communications
| access.
+--------------------

Unfortunately, for many common cases of interest (such as protecting
high-volume over-the-counter retail software), there is no economically
feasible technological "solution". The best the engineer can do (and what
any security consultant SHOULD be telling you!), is to raise the cost of
cracking the system just until the incremental cost of more protection is
about to become greater than the incremental savings from such additional
protection.

The legal system is part of the "technology" of protection. By raising
the cost of penetration, you also make the perpetrator (if rational)
raise the scale of his/her activities to justify the "return on
investment", increasing the visibility of those actions, thus making
detection (by the legal system) more likely.

I do agree that a certain minimum amount of protection is prudent, to
deter both the naive/clumsy accident (the "klutz") and the irrational
sociopath (the "fanatic"). But extreme technical expense must be
justified on a balanced risk/benefit analysis. Too often one extreme
or the other is taken, without cause (other than the "ostrich position").

Rob Warnock

UUCP:	{ihnp4,ucbvax!amd70,hpda,harpo,sri-unix,allegra}!fortune!rpw3
DDD:	(415)595-8444
USPS:	Fortune Systems Corp, 101 Twin Dolphin Drive, Redwood City, CA 94065

dave@utcsrgv.UUCP (Dave Sherman) (05/04/84)

For an article which supports Bob Fishell's position (that
breaking into computer systems "for the fun of it" should not
be considered a crime), see

"Computer Crime or Jay-walking on the Electronic Highway",
Criminal Law Quarterly, March 1984, pp. 217-250.

The author takes issue with the current draft legislation which would
make "intercepting" a computer "function" subject to the Criminal Code
(Canada), and recommends that unauthorized access to computers, where no
harm is caused, not be made part of the Criminal Code.

Dave Sherman
Toronto
-- 
 dave at Toronto (CSnet)
 {allegra,cornell,decvax,ihnp4,linus,utzoo}!utcsrgv!dave

johnc@dartvax.UUCP (John Cabell) (05/04/84)

  I agree, also, that intent should be considered when giving
a sentence to someone who breaks into a system, but there is
the problem of finding out if he *relly was* just breking in
to see if it could be done, or if he was trying to get some
secrets hidden deep in memory.
  But I think that the difficulty of breaking into the system
should be considered.  It takes alot of time, effort and money
to make a difficult system, and if some high school/college
student breaks into it on a rainy sunday afternoon, it shows
one that the system can't have been that difficult and two
that the company has to get someone to design another system.

               John Cabell,
               --johnc
               <decvax, cornell>!dartvax!johnc

nugent@drutx.UUCP (NugentCP) (05/05/84)

***
>      ...But I think that the difficulty of breaking into the system
> should be considered.  It takes a lot of time, effort, and money
> to make a difficult system, and if some high school/college
> student breaks into it on a rainy Sunday afternoon, it shows
> one that the system can't have been that difficult and two (sic)
> that the company has to get someone to design another system.

     The argument here appears to be that the hacker deserves compen-
sation for the valuable service he has provided the company in 
exposing the security weakness.  Certainly this has been of benefit
to the company, as long as this is not the hacker who is the damage-
causing one the company is trying to keep out.  Shouldn't the one
who receives the benefit of this service be the one to provide the
compensation, if any is to be given?   But if the company is to provide 
the compensation, this implies the existence of an implied contract
between the company and *all* hackers.  I don't think this contract
exists, unless the legislature has recently imposed it upon all
companies with computer systems.

tac@teldata.UUCP (05/07/84)

, (sop to the blank line eaters--consider it a religious sacrifice)

>>  From: johnc@dartvax.UUCP (John Cabell)
>>  Organization: Dartmouth College
>>  
>>    I agree, also, that intent should be considered when giving
>>  a sentence to someone who breaks into a system, but there is
>>  the problem of finding out if he *relly was* just breking in
>>  to see if it could be done, or if he was trying to get some
>>  secrets hidden deep in memory.
>>    But I think that the difficulty of breaking into the system
>>  should be considered.  It takes alot of time, effort and money
>>  to make a difficult system, and if some high school/college
>>  student breaks into it on a rainy sunday afternoon, it shows
>>  one that the system can't have been that difficult and two
>>  that the company has to get someone to design another system.
>>  
>>                 John Cabell,
>>                 --johnc
>>                 <decvax, cornell>!dartvax!johnc
>>  
Well, if I came home and found some *ssh*l* picking the lock on my 
front door my first reaction would be to blow him away.  Now it may
well be that he just wanted to see if he could do it, and wasn't even
going to enter if he made it, but he might have left the door unlocked
when he was done f*ck*ng with it!  Having been caught, what else 
would/could he say except "I just wanted to see if I could do it."

It would be a good thing for him that I don't carry a gun, and couldn't
do as my first impulse suggests, but let us analyze just what punishment
should be met out.  My second impulse would be to break all his fingers
so he couldn't do it again soon (if at all), and that may seem a bit 
harsh to some of you out there.  I admit that it is harsh.  Somewhere
he never picked up the idea of privacy, respecting the rights and possesions
of others and a few other morals which are necessary to a society which
lives cheek-by-jowl in large cities and suburbs.  (Daisy May of 'Lil Abner
fame once said, "Morals are great, every chile should have one.")  Our
little lock picker should be taught the error of his ways or he will 
never learn that what he did is wrong.  The Jurisprudence system should
be a learning experience--if caught and convicted you should learn not
to do it again.  Residency in jail will not teach you anything by hate,
fear of others, the many positions of sodomy and five new criminal skills.
We need to find another way of teaching criminals something.  I suggest that
the first lesson be painfull, but not of long duration, the second lesson
be permanent but not disabling, and the third lesson be final.  This may
seem harsh and it is.  When we quit coddling criminals we will find a lot
less of them.

Now it is I'm waiting for the lightening bolt to strike!  I have presented
a wide open target, have at me.


	    From the Soapbox of
	    Tom Condon     {...!uw-beaver!teltone!teldata!tac}

	    A Radical A Day Keeps The Government At Bay.

debray@sbcs.UUCP (Saumya Debray) (05/08/84)

	> I agree that intent in commiting a crime should be a factor
	> in sentencing.  If someone breaks into a system simply out
	> of a sense of mischief they should get a lighter sentence
	> than someone who breaks in for reasons of malice or greed.

Perhaps the author could suggest an algorithm for determining the intent of
crime?
-- 
Saumya Debray, 	SUNY at Stony Brook

	uucp:
	    {cbosgd, decvax, ihnp4, mcvax, cmcl2}!philabs \
		    {amd70, akgua, decwrl, utzoo}!allegra  > !sbcs!debray
	       		{teklabs, hp-pcd, metheus}!ogcvax /
	CSNet: debray@suny-sbcs@CSNet-Relay

sdo@u1100a.UUCP (Scott Orshan) (05/08/84)

This addresses the "other electronic crimes" portion of the title.

Is it illegal to call someone else's answering machine and play
the messages using a remote playback beeper?

Consider these related points:

   Was the beeper just a universal sound generator, that would work
   on any of the same model answering machine?

   Were the sounds encoded, so that they had to be counterfeited
   to gain access?

   If they were encoded, how were they obtained?  Did the owner
   leave the device lying around so the sounds could be recorded?
   Were there a small number of combinations, such that they could
   all be tried?

Consider the common issues between computer cracking and the
above:

   Does connecting a device to the telephone network
   reduce its owner's rights to privacy?  Consider the
   discussions of breaking into a house vs. cracking a computer.
   Suppose that the entrance to the house were inside a
   shopping mall, among many other open doors.  Could it then
   be expected that people might try to enter uninvited?

   Are the issues of telephone messages and computer files
   the same?  Someone has connected a device to the telephone
   network to allow remote access.  Someone else obtains
   a key to get in, either by trial and error, or by finding
   it carelessly left around.  That person reads, and possibly
   erases, information on that device.

By nature, the telephone is a device which allows public entry
into the home.  Until recently, this was limited to voice.
If you answered, the caller had a right to ask questions.
You could choose to hang up at any time.  If the caller's identity
was misrepresented, you might have given information to
a stranger.  Is this theft? Fraud? Something else?  What if the
caller voice was recognized, but no identity was ever stated?
If you gave out information based on your faulty recognition
of a voice, was the caller guilty of anything?

How does this relate to telephone entry into electronic devices?
If you obtain a password, and use it to gain entry, is this
a misrepresentation of the caller's identity, or a failure
of the called machine to recognize a false entry?

I'm not trying to take any particular side here.  I'm just
presenting some points to ponder.  Mainly, what is the
relationship between a telephone connection and privacy?
I'm sure that if someone walked up to your machine and used
it without your permission (such as your car, computer,
answering machine), you would have no trouble seeing this
as wrong.  The same applies if someone walks into your house
and starts talking to you.  How does the telephone change all this?


	Scott Orshan
	Bell Communications Research
	201-981-3064
	{ihnp4,allegra,pyuxww}!u1100a!sdo

fish@ihu1g.UUCP (Bob Fishell) (05/08/84)

(oo)
Shoot somebody for picking your locks? Break their fingers? You'd be
in big trouble, bud.

Besides, breaking into a house and gaining unauthorized access to a
computer are two completely different things, so I wish you Law&Order
freaks would stop making the analogy.  Consider the differences:

1) Housebreaking entails doing some physical damage to the building.
   Computer breakins do not physically harm a system.

2) Housebreakers enter the building physically.  This has the
   following effects:

	a) The occupants of the building are placed in physical
	   danger.  Even if the burglar does not intend violence,
	   he might panic if surprised and hurt or kill somebody.

	b) The burglar himself is in danger of being shot, beat
	   up, or having his fingers broken by the vindictive
	   resident.

   Computer-breakers, on the other hand, enter the system via
   a telephone that may be located thousands of miles away.
   Although once inside, there is a potential for malicious
   damage, the danger is not to anybody's life.  Oh, don't give
   me that line about somebody getting into a medical computer
   and potentially killing somebody.  That is a far-fetched
   hypothetical situation, whereas the danger that occurs from
   a housebreaking is real, and always present in such a situation.

   You can always argue that any illegal act is potentially life-
   threatening.  If I throw a bag of empty beer bottles out of
   the car, a kid with bare feet could potentially cut himself
   and bleed to death or die of tetanus.  However, that potential
   is very small.

3) The worst a computer-breaker can do is wipe out files.  While this
   can cause a lot of grief, it will not in most cases result in any
   physical damage to the computer system.  

   A housebreaker, on the other hand, can trash the building, steal
   everything in sight, murder the occupants, and burn the place down.

I could go on, but I think I've made the point that, even though a
housebreaker *could* just intend a harmless prank, the potential
harm he can do is vastly greater than the harm that a password
"hacker" can do.  Remember that "War Games" was just a silly movie.

Finally, I must reiterate: any enterprise whose computer facilities
are important enough that a breakin could cause serious problems
should take serious measures to prevent such activities.  This
needn't be as elaborate as using pressurized cable, just enforce
password aging and make sure that passwords are long enough to
prevent breakins by Apple Basic programs that just try a progression
of character strings.  This would prevent most mischievous breakins.

I don't advocate that it should be legal for any one who is resourceful
enough to break in to a computer.  However, I don't advocate serious
punishment for those who do.  A fine, say $100, ought to be enough
for a first offense.  An unprotected computer system is an attractive
nuisance, and there should be some culpability on the part of the
system's owners when some bored college kid finds that he can get
into it.  
-- 

                               Bob Fishell
                               ihnp4!ihu1g!fish

ron@brl-vgr.ARPA (Ron Natalie <ron>) (05/11/84)

I'm sorry.  When someone is detect and he is warned to go away and
he doesn't it ceases to be one of these trivial things anymore.
Even the lightest offenses in this state and neighboring ones (and
probably all of them) when repeated in the light of the person being
told he is doing something wrong becomes a much more severe offense.
-Ron

ron@brl-vgr.UUCP (05/11/84)

Relay-Version: version B 2.10 5/3/83; site houti.UUCP
Posting-Version: version B 2.10.1 6/24/83; site brl-vgr.ARPA
Message-ID: <1820@brl-vgr.ARPA>
Date: Fri, 11-May-84 12:11:14 EDT

u1g.UUCP>
Organization: Ballistics Research Lab
Lines: 6

I'm sorry.  When someone is detect and he is warned to go away and
he doesn't it ceases to be one of these trivial things anymore.
Even the lightest offenses in this state and neighboring ones (and
probably all of them) when repeated in the light of the person being
told he is doing something wrong becomes a much more severe offense.
-Ron

mpr@mb2c.UUCP (Mark Reina) (05/11/84)

Recently, an author on the net suggested that intent should be taken into
account for hackers who tap into other computer operations (other than the
ones they are authorized to use).  This author suggested using malice or
greed as indexes.
I should like to point out that what I know from criminal law intent is
always taken into account for both conviction and sentencing.  It would
work like this:
 (a) for conviction, did the hacker intend to make unauthorized use of 
     another's computer system; and
 (b) for sentencing, how much trouble did the hacker really cause or
     intend to cause.
While criminal law as applied to misprision of computers is not my
forte, I believe these are close analogies for the topic.

Of course, a court or legislature could always impose strict liability
for unauthorized use of a computer. (ie. simply did the hacker have any
unauthorized use;  a close analogy would be for statutory rape, no one 
cares if you knew the female was underage, just did you commit the act)

tac@teldata.UUCP (05/11/84)

Relay-Version: version B 2.10 5/3/83; site houti.UUCP
Posting-Version: version B 2.10.1 6/24/83; site teldata.UUCP
Message-ID: <338@teldata.UUCP>
Date: Fri, 11-May-84 15:05:38 EDT

cker gets probation (& other electronic crimes)
Organization: Teltone Corp., Kirkland, WA
Lines: 155

, (sop to the blank line eaters--consider it a religious sacrifice)

Oh woe is us if this crap gets spread around, the grass will be too deep
to mow in no time!

>>  From: fish@ihu1g.UUCP (Bob Fishell)
>>  
>>  (oo)
>>  Shoot somebody for picking your locks? Break their fingers? You'd be
>>  in big trouble, bud.

I believe I said that would be my first inclination.  Sort of like finding
the dog has used the rug instead of the newspapers when you come home--the
first inclination is that the dog is not worth keeping.  You are right
though, the criminals have many more rights than the victims these days so
I could probably be in trouble just for being there to catch him.  Have
you ever had your house broken into?  There is a terrible feeling of
violation (I imagine it is similar to - though not as bad as - being
raped).  You loose all sense of security in you home, and wonder every
time you come back what is missing now.  No, if you have sympathy for
the lock picker you probably have never been robbed.
>>  
>>  Besides, breaking into a house and gaining unauthorized access to a
>>  computer are two completely different things, so I wish you Law&Order
>>  freaks would stop making the analogy.  Consider the differences:
>>  
>>  1) Housebreaking entails doing some physical damage to the building.
>>     Computer breakins do not physically harm a system.

A skilled lock picker can open your door without harming it-- in fact to
make his job easier he may even oil the lock for you.  Now that is what
I call damage.  The damage is to your mental security.  That is damaged
when a computer is entered also.
>>  
>>  2) Housebreakers enter the building physically.  This has the
>>     following effects:
>>  
>>  	a) The occupants of the building are placed in physical
>>  	   danger.  Even if the burglar does not intend violence,
>>  	   he might panic if surprised and hurt or kill somebody.
>>  
>>  	b) The burglar himself is in danger of being shot, beat
>>  	   up, or having his fingers broken by the vindictive
>>  	   resident.

Is it all right to rob someone if you don't put them in danger (wait
until they are not home)?  I had something stolen out of my storage locker
once, and the person who did it did not break in.  They got into the one
next door and leaned over the top of the wall and fished out stuff.  Never
once entered my locker.  Seems to me you could do the same with a window
in a house--that is to never actually enter, but manage to hook the goods
out the window.
>>  
>>     Computer-breakers, on the other hand, enter the system via
>>     a telephone that may be located thousands of miles away.
>>     Although once inside, there is a potential for malicious
>>     damage, the danger is not to anybody's life.  Oh, don't give
>>     me that line about somebody getting into a medical computer
>>     and potentially killing somebody.  That is a far-fetched
>>     hypothetical situation, whereas the danger that occurs from
>>     a housebreaking is real, and always present in such a situation.

Need I remind you that computers frequently control machinery these
days?  You could accidentaly shut off or turn on all sorts of dangerous
things.
>>  
>>  3) The worst a computer-breaker can do is wipe out files.  While this
>>     can cause a lot of grief, it will not in most cases result in any
>>     physical damage to the computer system.  

While I admit that there is only a small damage possibility to the actual
COMPUTER system, there is the potential for great monetary loss (and thereby
damage) to the company or person owning that computer.  First case:  A
home enthusiast who keeps his projects on his computer.  He has just invented
the next *BIG HIT* video game or toy or whatever.  Our potential hero (the
hacker) breaks in and erases it destroying hours of work and sweat.  Or
worse yet steals it and pattens it first!  Second case:  Dr. Somebody has
spent 13 years collecting data and analyzing it to make a great scientific
breakthrough.  Since all of this was funded by the government and the school
where he was doing this he is required to publish and has, in fact, let out
the mearest hint of what he is going to publish on, but comes back the next
day to find some sh*t-head has run rampant through his data.  Now it still
looks good in some respects, but in all consceince he cannot PROVE it has
not been modified.  As a man of respectable morals he declines to publish
until it can be re-verified and therefore looses his grant and job thus
causing hardship for his family and possibly a difficult future.  A worse
case of this scenario is that our hero (remember the innocent hacker?) just
modifies enough data for the Dr. to come to the wrong conclusion, or to
overlook something important and he publishes false data which is exposed
depriving him of he credibility along with his job!  Third case:  The most
common institutional computer these days is banks.  Now tell me that no
damage or loss can be incured by messing with those.  Want the picture
painted for you?  How about Granny Smith.  All of her family is dead or
moved on and she has just enough in the bank to keep her going for a few
more years.  Then some punk--eh, excuse me, our hero-- messes with her
bank account and now she has no money at all (don't give me any cr*p about
how she could live on SS and Welfare the rest of her life either).  A
worse case of that scenario?  How about the bank decides it is her who
has messed with their files and prosecutes.  How should our hero feel
about having been instrumental in sending a little old lady to jail?
  Some of these may be far fetched, but I think you will have to admit
that they all fall within bounds you set out in the discussion.
>>  
>>     A housebreaker, on the other hand, can trash the building, steal
>>     everything in sight, murder the occupants, and burn the place down.
>>  
>>  I could go on, but I think I've made the point that, even though a
>>  housebreaker *could* just intend a harmless prank, the potential
>>  harm he can do is vastly greater than the harm that a password
>>  "hacker" can do.  Remember that "War Games" was just a silly movie.

Where have you been all the last 5 years?  People have broken into some
of the government security installations.  Just what do you think it
takes to create a catastrophy?  I don't believe that someone could
start a war with a computer, but some *REALLY* big sh*t could hit the fan.
We still have not mentioned the other thing our hero could do--he could
break in and leave the door open for anyone else by making the password
so simple that anyone could get in, or just publish it on a billboard or
network!  Then all h*ll breaks loose.
>>  
>>  Finally, I must reiterate: any enterprise whose computer facilities
>>  are important enough that a breakin could cause serious problems
>>  should take serious measures to prevent such activities.  This
>>  needn't be as elaborate as using pressurized cable, just enforce
>>  password aging and make sure that passwords are long enough to
>>  prevent breakins by Apple Basic programs that just try a progression
>>  of character strings.  This would prevent most mischievous breakins.

Do you live in a castle with a mote?  If not your house is not secure 
enough, and if so YOU have provided the atractive nuisance.
>>  
>>  I don't advocate that it should be legal for any one who is resourceful
>>  enough to break in to a computer.  However, I don't advocate serious
>>  punishment for those who do.  A fine, say $100, ought to be enough
>>  for a first offense.  An unprotected computer system is an attractive
>>  nuisance, and there should be some culpability on the part of the
>>  system's owners when some bored college kid finds that he can get
>>  into it.  
>>  -- 
>>  
>>                                 Bob Fishell
>>                                 ihnp4!ihu1g!fish

Just by the by, how do you tell it is an unprotected system until you try
to break in?  And if you happen to be successful, does that make it poor
protection or you just lucky or smart?


	    From the Soapbox of
	    Tom Condon     {...!uw-beaver!teltone!teldata!tac}

	    A Radical A Day Keeps The Government At Bay.
	    (A gunfight a day keeps the muggers away?)      :-)

csc@watmath.UUCP (Computer Sci Club) (05/13/84)

In a recent submision I expressed the view that intent should be a
major factor in determining the sentence in cases of computer "break
in".  At least two people have replied asking how intent is to be
determined.  Actually, as has already been pointed, out intent is
one of the factors taken into account by the courts in sentencing.
The courts have always had the difficult task of determining 
"facts" such as these.  In many cases there will be clear indications
of what the intent was.  If no such clear indications exist, well
that's what we pay judges for.
    Breaking into a computer can be a grave offence.  As such the
maximum penalties should be severe, and no instance of the crime
should be treated trivially.  However, in most cases the maximum
penalties would not be used.  The ease with which the crime was
commited should have little bearing on the case.

                                                William Hughes

Honest Judge, all I did was apply a little preasure with this knife
against his neck.  It was really easy!

derek@sask.UUCP (05/15/84)

All this talk about people cracking computer being similar to breaking
and entering a private home has gone far enough.  It is silly.  There
are too many emotional ties to a person's home.  It is a private place.
We have been having some discussion on this topic and the following
comments are from Darwyn Peachey, sask!kimnovax!peachey.


	I guess I will focus primarily on the analogy between a computer
	system and an office building.  The building itself is usually
	considered to be a more-or-less public place, although it might
	be owned by some firm.  An individual's office is a more-or-less
	private place (as is his computer account), but in some firms
	there is an understood permission to enter other people's offices
	in their absence in order to get the firm's work done.  This
	of course does not imply any permission for the general public
	to enter someone's office.  Members of the general public are
	usually tolerated in the public part of the building, especially
	if they are lost or are trying to contact someone in the firm.
	It seems to me that this is analogous to logging on to public
	or test accounts to send some mail, or to see if the system is
	busy, or to see if there is anything connected to that Datapac
	address.  Of course, if a member of the public accidentally or
	maliciously did some damage to the building, he would expect
	to be liable for the cost of repairs.  Moreover, someone who
	set up a tent, cookstove, etc. in the lobby of an office building
	might well expect to be asked to leave, because he is making an
	unfair use of the firm's hospitality.

	Use of someone's office by a co-worker is only fair when no
	charges are incurred by the co-worker and fraudulently passed on
	to the owner of the office.  In most office buildings, employees
	do not pay for phones, rent, etc. so this point is moot.
	Computer accounts are much different if some form of charging
	exists.

	Deliberately damaging someone else's property is a no-no, whereever
	it takes place.  To me, modifying or deleting files from another
	user's account without permission (specific or general) is a crime
	of the same type.

	Privacy should be respected.  However, people who keep personal
	material on computer accounts which are analogous to offices
	(meaning accounts on machines they don't own or accounts they
	don't pay for) are likely to have their privacy invaded accidentally,
	just like the person who keeps his pornographic home movies in
	his desk drawer at work.

	It is the responsibility of the owner of a building to make it
	clear to members of the public when access is not allowed.  Anyone
	who then enters or makes a deliberate attempt to enter is committing
	an unethical act.  I think that a computer system that asks for
	a password is indicating that only certain people are allowed to enter.
	Someone who then attempts to find the password is breaking and entering.
	However, systems that have no such security check, however feeble,
	are not really indicating that members of the public are not allowed
	on.  Just like the lobby of an office building, the public might be
	expected to wander in.  As long as they do no damage, and make no
	unreasonable use of the facilities, they have not really done anything
	wrong.  Of course, they can be asked to leave by the management, and
	they should comply with such a request.

	It would be unreasonable to walk into the lobby of an office building
	and be presented with a bill for this use of the lobby floor!

	If the owner of a building makes some effort to inform the public
	that they are not allowed to enter the building, then the quality of
	the locks on the doors is not an issue.  The burglar cannot defend
	himself by arguing that the locks were too easy to pick!

	Finally, let me say that I feel that a "doctrine of lesser evils"
	should apply.  If I were outside freezing to death and my only
	chance of survival were to break into a private home, even inflicting
	some damage to the windows in the process, I would break in without
	a second thought.  This is okay, in my view, because the preservation
	of life is considered more important than privacy and property.
	I would of course expect to pay for the damage I did.  I'm not
	sure that similar life-and-death cases exist in the computer world,
	but I wouldn't be surprised.  Note that you can't override one
	evil with another evil at the same level, eg, one life with another
	(but what about self defense?), one loss of property with another, ...

					Darwyn


-- 
Derek Andrew, ACS, U of Saskatchewan, Saskatoon Saskatchewan, Canada, S7N 0W0
{ihnp4 | utah-cs | utcsrgv | alberta}!sask!derek  306-343-2638  0900-1630 CST

lat@stcvax.UUCP (Larry Tepper) (05/16/84)

Why don't we put our .signature's here and save a line per article?

How about putting these lines in your system's message of the day
or have the login program print something like:

	*** WARNING *** Unauthorized access to this computer
	is a punishable offense.

That would seem to me to be equivalent to a `no trespassing' sign.
Anyone who so enters will have been warned of the consequences.
-- 
{decvax, hao}!stcvax!lat				Larry Tepper
{allegra, amd70, ucbvax}!nbires!stcvax!lat		303-673-5435