dave@oldcolo.UUCP (Dave Hughes) (05/17/89)
May 16th, 1989
Senator Patrick Leahy
Senate Judicial Subcommittee on Technology and Law
815 Hart Office Building
Washington, DC, 20510
Honorable Chairman Leahy:
I listened late tonight (1 to 2 AM MST, May 16th, CSPAN) to the
entire one hour testimony of Clifford Stoll and your questions
and comments on the issue of computer viruses. And I noted your
statement that the Hearing was only recessed so that people could
comment officially on the topic for a period of two weeks. Thus I
request that this letter be considered input to your Hearings on
Computer Viruses.
I first want to commend you for the line of questioning and your
closing remarks in which you expressed your view (in my words)
that although we need to be able to deal with the problem of
computer vandals that we must not be so afraid of the future that
we curtail the flow of information - both scientific, business,
and political -and the linking up of human genius to networks and
each other.
I agree completely with your balanced view of the issue, with
your stress on the need for continued access and free information
flow. This is important, not just for the flourishing of the
'geniuses' you refer to, and the unimpeded functioning of
business and government, but also - and this is very important to
the future of our society - for giving the general public -
ordinary people - no matter where they are, from our smallest
towns, farms and ranches to the largest cities, the greatest
possible, and lowest cost access to public computer networks for
purposes of employment or the pursuit of their own businesses,
education and training, enjoyment of and contribution to culture,
and better access to their own government and the political
process.
If this nation is to avoid becoming a polarized society of the
'information rich and information poor' and 'computer strong and
computer weak,' laws and administrative measures aimed at
preventing computer crime must not intensify the natural
tendencies for institutions to put their problems before the
long term interests of the public at large, for which, presumably
those institutions exist.
I agree generally with Clifford Stoll's testimony in which he
accurately described the functioning and values of computer
'communities' at the rarified scientific level of research. But
he really did not answer your question very well of "What would
you do if you were in my place" for he seemed torn between
wanting to trust the ethical standards of the computer community
but having lost time away from his science because of a few
irresponsible people, he was ready to admit there might be a need
for new laws.
I would like to focus the thoughts of your committee more sharply
on the way I believe the general problem of legally dealing with
human behavior via computer networks needs to be approached.
I am neither one of the 'young geniuses' you refer to, nor a
computer scientist per se, though I now enjoy an international
reputation for my 10 years on hands-on-computer and modem work (4
hours a day) exploring, developing, ways at the very grass roots
community and individual (not institutional) level ordinary
people (not just exceptional professionals) can use computer
(modem, fax, voice mail) communications to discuss and debate,
online, public issues and engage in the political process, pursue
both formal and informal education remotely, undertake successful
small entrepenurial enterprises, enjoy cultural experiences, and
all made possible by the economics, convenience of modem
communications.
I am a 60 year old retired military professional officer who has
served in high policy, management and sensitive positions (to
include Washington) so I am fully aware of the importance of
dealing with the problems arising from this new medium.
However, partly because I forsaw the broad and potentially
beneficial impact of small digital devices linked together
globally by advances in telecomunications I determined in 1977 to
personally master and apply the rvolutionary new 'individual'
digital tools at the grass roots community level of our society
rather than at the large business, scientific, or government
level.
I did so on the grounds that if we learn how to make the
Information Age work in middle America on main street, in small
neighborhoods and schools, and for general local community
purposes, not just advanced business, government, or scientific
needs, or for computer elites, we will not have to fear for our
future as a nation. For our strong political traditions of
individual responsibility, reliance as much on community ethics
and peer actions as government imposed standards, freedom of
speech and of assembly, and our willingness to 'risk' the
abberant behavior of some, so that the freedoms of many will not
be impaired - all these have their direct counterpart in computer
communications - which some have come to call, rather accurately
'virtual communities.'
I have operated four 'local' dial up systems in the Old Colorado
City neighborhood (population 12,000) of Colorado Springs over
the past 8 years, from one line free bulletin boards to multi-
user unix subscription systems (which are networked and
accessible precisely the same way Mr Stoll's computers are). My
'community level' systems have been dialed into over 125,000
times, by over 12,000 different individuals. I have also spent an
average of 4 hours a day online for the past 7 years - both
tending my own systems and accessing other national, and
international systems. In both my small business, educational and
community volunteer computers, I am just as vulnerable to
technical crime, vandalism, computer viruses as larger systems. I
find I have been able (precisely because some societal problems
are more easily dealt with at the local small scale community
level than at the large, abstract, national level) to handle the
abberant behavior of the few without recourse to extreme
measures or the calling on law enforcement.
I believe you must think very carefully and reflect in
legislation the profound difference between treating
'information' on computer systems as (1) property (2) premises,
or (3) speech before acting.
ELECTRONIC PROPERTY - it is obvious that some data on a computer
system may be property which can be stolen, destroyed or damaged.
Laws designed to prevent theft, destruction, or damage to
computer information are indicated here. But we understand pretty
clearly in this society the concept of 'property' and applying
our knowledge to computer 'property' is not difficult and the
laws that are on the books and coming out seem balanced in this
regard.
ELECTRONIC PREMISES - a computer can be regarded as a place,
which if intentionally protected by passwords or other devices
intended to keep out those not authorized, can be protected by
extention of laws that are designed to prevent tresspass,
breaking and entering, or breach of privacy. (The Computer
Privacy Act of 1976 does a pretty good job here).
ELECTRONIC SPEECH - the area that is very poorly understood by
those who have not used modem 'communciations' capabilities of
computer systems is the activity of 'free speech' on computer
systems. People become de facto members of 'virtual communities'
- whether in associations of scientists such as Mr. Goddard an
Astronomer with his colleages on scientific computers, or groups
of local individuals who have no other institutional
relationships but dial into local free 'bulletin-boards' where
they socialize, debate local political issues, bypass the media
to share information, conduct business or pursue personal
interests and hobbies. Their activity on these systems far more
can be legally defined as the practice of 'free assembly' and
'public speech' than as dealing with data as 'property' or the
computer as a 'premises.'
Freedom of Electronic Speech must be as jealously protected as
non-electronic forms of speech are in society at large. And I
urge your committe to think very carefully about the consequences
of limiting such speech by laws aimed at curbing computer
viruses.
A piece of 'data' (as technically defined) on a computer system
can be any one of the three catagories above. What makes it one
or the other is less its technical description in computer terms
than its relationship to the individuals who put it there, the
owner/operator of the system it resides on or moves through, and
either the contractual or 'understood' rules for its uses and the
behavior of those who deal with it.
When a dozen people dial into either a free and open local
computer bulletin-board, or the 'computer conferencing' sections
of a national, commercial, password-protected information service
for the purpose of exchanging comments on a subject, they are
engaged in a form of 'electronic assembly' and they are
practicing 'electronic speech.' Speech and assembly forms , the
freedom to pursue which MUST be forever protected by extension,
if necessary, of appropriate Constitutional guarantees into this
new medium. And this use of computer systems should not be
confused with issues of 'property' or 'premise'.
When a person dials into a computer system and places
'information' there which by its prior ownership, his actions to
identify it as such (such as a copyright notice) or by either
the specifically spelled out by the system managers or
'understood' rules that whatever he places there is private or
insitutional 'intellectual property' then the laws pertaining to
its protection may apply. But one must look at much more than
just the 'data' to determine if it is property, or speech. There
is a burden on the users of systems, and the operators of
systems, to make clear what the status of (1) access to the
system and (2) ownership of the data thereon is if they expect to
be protected at law. Various system operators make very different
rules on such matters, and they should be free to do so.
Compuserve, for example, chooses to bind its users to an
agreement that specifies that anything posted in its computers by
subscribers becomes the property of Compuserve, and its disposal
must be dealt with accordingly. I choose to state that anything
posted on my dial up subscription system remains the property of
those who post it there - with all the obligations and rights
flowing from that. The difference is not the data, but the
agreements made between system operators and their users before
the users are given access.
Obviously - and the application of the Electronic Privacy Act of
1986 turns on this key criteria - the question of what legal
responsibility must be borne for 'breaking and entering' a
computer, or transmitting a virus through a system, or stealing
of data from a computer has to do with whether the operators of
systems take steps to prevent access to a system unless specific
permission is granted - using in the form of an assigned (not
self generated) password giving access. And that the potential
user of a system knows that permission is required. A system
which permits uncontrolled access to its ports, or self-assigned
passwords is not even covered under the Electronic Privacy Act.
Nor need it be. Such computer systems are 'public' as far as
privacy is concerned. Even if the system is privately owned.
What makes this matter more complex however, that 'parts' of a
computer system, or network may be open to the outside public, or
closed. In my own case, so that no person in the community is
denied access by reasons of cost, to our discussions about public
issues, I permit one port (719-632-3391) of our 'Old Colorado
City Electronic Cottage' to be free, with self-assigned access to
the 'Roger's Electronic Bar' political debate section. Regular
subscribers to my service use other ports (and phone numbers)
have to be issued a password specifically by us before gaining
access, and are responsible for security of their passwords, They
also have e-mail, (and access to the global network which was
affected by the virus in November), private file spaces, and
other conferences which cannot be accessed by the public. But
they can go inside the 'Rogers Bar' section too, on the same
computer. But when they do they understand that their remarks are
not private, what they post there, unless they specifically
designate it by copyright notice or other statement, is free to
be copied and used by others, and the Electronic Privacy Act does
not apply. Law enforcement agencies are as welcome to that
section as anyone else.
Thus inside one system the rules - and laws are different
depending on rights of access. If a person stole or guessed a
password on my system, and then used it to propegate a virus
throughout the Internet, by his acts of illegal entry into the
system in the first place he could be prosecuted. He 'broke and
entered.' If he already is a legitimate subscriber, and
promulgated a virus through the system, whether or not he did
anything illegal depends as much on whether he further breached
security whose intentions are to prevent access, or whether he
used a feature which he had no reason to believe was prohibited,
and of course whether what he did caused damage to others on
other systems. Thus you must constantly struggle to craft any
laws in terms that recognizes that individual computers and
networks are themselves multi-faceted and you cannot simply deal
with a computer as one legal entity for these purposes.
I have found that when the focus shifts from the 'computer'
and 'network' itself as physical entities and more deals with the
'computer communities' and behavior, intentions, prudent actions
of the adminstrators and users to protect themselves, inform
others of the status of access, data, users, and groups of users
that it is far easier - by extention - to apply the laws and
precedences of the past with respect to property, premises, and
speech.
Another extremely important fact to keep in mind is that access
to computers and information networks will have to be supplied by
the same institutions which historically we have created to give
people 'access' to knowledge - schools and libraries. Not
everyone will own their own personal computers, modems, or even
phones. But we can insure that all have access if schools,.
libraries and other public agencies (possibly even the Post
Offices of the future) own computers and terminals and give the
public free, or lowest possible shared cost access. Your laws
must be sensitive to the different circumstances of this sector
of 'public' computers and public access too.
I am extremely sensitive to the potential for 'Electronic
Democracy' in making it at once easier, cheaper, and more
effective for individuals to participate in the political process
than currently. We have made great progress here in Colorado
Springs in the serious practice of Electronic Democracy - and
both private, and public dial up systems participate vigerously.
Many of us want to see no law which suffocates that promising
potential. For we have serious problems in America with the costs
and complexities of public participation in the political
process. Mass media has introduced as many problems as it has
solved. These new personal tools can help, so long as the public
Highways of the Mind are not turned into highly restrictive or
closed routes.
My start point when thinking about freedoms and restrictive laws
pertaining to computers is to realize that if we turned the clock
back 200 years, Benjamin Franklin would have been the first owner
of a microcompter, probably an Apple, and would have been
considered a hacker. Thomas Jefferson would have written the
Declaration of Independence on a wordprocessor, probably a
corporate IBM PC. But Thom Paine would have first published
'Common Sense' on a pirate bulletin board. And I for one do not
want the corporate or government Kings George to tread on my
cursor. We must preserve Freedom of Electronic Speech.
I have a request to make. And a suggestion. In answer to your
question of Clifford Stoll "What would you do if you were me."
One method of dealing with the growing problem of computer crimes
and mischief, some of it not fully intended by its perpetrators,
is the education of computer communications users to these
issues. Clifford Stoll admitted he never really thought about the
problem until he was affected by it. In my very extensive
experience online (I calculate I have read over 13,000,000 words
on hundreds of systems, and produced probably 1,000,000 words of
my own online) I find that there is little knowledge of even the
appropriate laws and regulations which apply.
A direct, simple, timely and cheap method for assisting in the
progressive sensitization and education of computer network users
is to put transcripts of applicable hearings and Federal debate
over these issues out over the Network! And to make it far easier
and cheaper for the computer-modem owning public to dial up
central systems which contain the applicable laws and regulations
that everyone is supposed to know!
Relying solely on mass media and press, or the Congressional
Record to convey this information, is no longer necessary. And
given the nature of the culture of computer networkers, it would
be far more to the point to 'publish' electronically these laws,
and make it cheap and easy for any modem-owing citizen to access
them, and even hold online discussions about them in forums
hosted by knowledgable public officials. I suggest that the
Congress initiate by law and funding - perhaps through the
Library of Congress - a dial-up network which carries the full
text of all laws pertaining to computer crime and associated
matters. Ideally the access should be free to the public.
Secondarily, however, a transcript of the hearings you are
holding on the specific issue of Computer Viruses, could be put
out over Usenet (Internet, Usenet, and academic Bitnet) for
reading by the online population. I believe, for example, that
the excellent and informative one-hour interchange between you
and Clifford Stoll at the Monday, May 15th Hearing would be
widely read on the network - which at least one half million
persons on 14,000 computers use regularly. Since the rate of
'information exchange' at your oral hearings was approximately
120 oral words per minute, about 7,200 words were uttered. In an
online Ascii form that entire hour can be scanned at 1200 baud in
6 minutes, read carefully and completely in 15 minutes, and
occupy less that 24k of file space on any computer. In terms of
Usenet in which over 5 megabytes of information is generated
daily, that is a drop in the bucket.
If your staff does not know how to do this, I would gladly
volunteer to take a floppy disk with the transcript in ascii form
and disemminate it over the network myself from my local system
from Colorado Springs. It would take little effort and
practically no cost.
But in any case I do request that your staff send me a floppy
disk in msdos form, of a transcript of the hearing, and any
amplifying comments, so that I may post it on my own local
computer system for the free education and enlightenment of those
thousands of local callers to local systems where such issues are
discussed every day. Many of us who use and administer public
systemd can do our part in this important task of
education/sensitizing the online culture to the issues.
We might as well use the networks where the problems are to
disseminate the general societal solutions, as well as technical
ones. The Federal government could be doing a lot more than it is
now in using the new technologies to both publicize its
deliberations, solicit public input, and disseminate its
decisions. When the computer-using public has had a chance by the
means I have outlined above to learn about, discuss and debate,
and take their own 'virtual community' actions to prevent and
deal with computer crimes, and that method proves insufficent,
then the time for new legislation may be at hand. But until they
have had such a chance, informed by the valuable content of your
hearings, I for one am reluctant to lead with new laws.
By the way, I am posting this letter to you on several networks,
urging readers to consider airing their views to your committee
before you terminate the hearings.
Thank you
David R Hughes
6 N 24th Street
Colorado Springs, Colorado 80904
719-636-2040 (voice)
719-632-3391 (modem)
--
Dave Hughes Old Colorado City Communications
"It is better to light one screen than cursor the darkness"
hp-lsd!oldcolo!dave
Bill Robinsonpeter@ficc.uu.net (Peter da Silva) (05/20/89)
In article <154@oldcolo.UUCP>, dave@oldcolo.UUCP (Dave Hughes) writes: > A system > which permits uncontrolled access to its ports, or self-assigned ^^^^^^^^^^^^^ > passwords is not even covered under the Electronic Privacy Act. ^^^^^^^^^ > Nor need it be. Such computer systems are 'public' as far as > privacy is concerned. Even if the system is privately owned. What possible relationship does this have to do with coverage under the Electronic Privacy Act? Every UNIX system on the net permits users to assign their own passwords. It is ludicrous to presume that the existence of a "Password" command should have anything to do with the public nature of a system. Either you're confusing passwords with accounts, or the EPA is grossly misdesigned, or you're misinterpreting it. -- Peter da Silva, Xenix Support, Ferranti International Controls Corporation. Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
gdhour@well.UUCP (Grateful Dead Hour) (05/22/89)
May 22, 1989
Senator Patrick Leahy
Senate Judicial Subcommittee on Technology and Law
815 Hart Office Building
Washington, DC, 20510
Honorable Chairman Leahy:
As a participant in several computer-mediated "online communities" and a
concerned observer of our government's efforts to deal with the impact of
advancing technology on the lives of the citizens, I watched with interest your
conversation Clifford Stoll last week. (I should note that I got word of
C-SPAN's live broadcast immediately after it began, via a message on a public
computer system.)
I am writing to voice a hearty "amen" to a May 16 letter to you from David
Hughes of Old Colorado City Communications (a copy of which is enclosed in case
it eluded your attention). Hughes posted a copy of the letter on a public-
access computer system to which we both subscribe.
Dave Hughes' assessment of the issues raised by improvements in connectivity -
particularly the three distinct states of online information environments to
which he refers ("property," "premises," and "speech") - makes an eloquent case
for the importance of these new media in amplifying the voice of the private
citizen, so often drowned out in the political arena by the roar of business,
government and the military.
I am impressed by the open-mindedness you evinced in the hearing. I am not at
all sure, though, that the government at large will be so reasonable as these
matters progress toward legislation. Over the years I have observed the steady
degradation of long-standing concepts of the rights of individuals (and thus the
rights of small communities); for example, we may soon find ourselves
incarcerating an alarming percentage of our population over the contents of
their bloodstreams, which (to my mind and heart) the constitution ostensibly
protects under the umbrella of privacy. Having failed to harness the outlaw
economy of drugs, the government seems willing, even determined, to sacrifice
what it purports to hold in highest esteem: liberty, and privacy - the primacy
of citizen over establishment. To which I ask, gamely: cui bono?
Culturally, and politically and geographically, Dave Hughes and I are half a
continent apart. We have never met face to face, but we have engaged in
constructive discourse on many subjects and I have immense respect for his
leadership in the quest to re-empower our citizens by promoting communication
among ourselves and between the government and the governed.
The electronic highways used by Dave Hughes, Clifford Stoll and their
colleagues (and myself) are a bloodstream of another sort, vital to this new
collective organism and vulnerable to misbegotten regulation. Overzealous
regulation of the computer nets could be very costly in the long run. It is
entirely possible that our next Edison will be not one person but three or four
or five "isolated" individuals who never meet in the flesh but share effort and
inspiration in a virtual laboratory that exists only when their computers
connect over those phone lines.
Sincerely,
David Gans
encl.
--
Grateful Dead Hour well!gdhour@lll-lcc.arpa
David Gans {pacbell,hplabs,lll-crg,apple}!well!gdhour
Truth and Fun, Inc. 484 Lake Park Ave #102, Oakland CA 94610dave@well.UUCP (Dave Hughes) (05/24/89)
In article <4246@ficc.uu.net>, peter@ficc.uu.net (Peter da Silva) writes: > In article <154@oldcolo.UUCP>, dave@oldcolo.UUCP (Dave Hughes) writes: > > A system > > which permits uncontrolled access to its ports, or self-assigned > ^^^^^^^^^^^^^ > > passwords is not even covered under the Electronic Privacy Act. > ^^^^^^^^^ > > Nor need it be. Such computer systems are 'public' as far as > > privacy is concerned. Even if the system is privately owned. > > What possible relationship does this have to do with coverage under the > Electronic Privacy Act? Every UNIX system on the net permits users > to assign their own passwords. It is ludicrous to presume that the > existence of a "Password" command should have anything to do with the > public nature of a system. > > Either you're confusing passwords with accounts, or the EPA is grossly > misdesigned, or you're misinterpreting it. > -- Well, what I was trying to put into layman language was the fact that, according to the Electronic Privacy Act, the managers of systems have to prevent 'ready access' to their system for it to be considered a 'private' system. i.e. if one can just dial a numebr, get a modem connect, having never dialed it before, and get into the system without anybody's permission the system is not a closed system. One typical way is to have either no passwords required, or to permit the first time caller to assign himself an id and a password and then to have full access. Without a sysop individually approving his access (or giving him an 'account'). Which means that anyone can log on. Which then makes it public, not private. Thus not covered under the Electronic Privacy Act. There was a major debate over just what electronic forms could be covered under the act. Radio was a major debate. No matter what the 'intent' of the broadcaster, the broadcast was public unless is was scrambled in some way, so there was a physical effort to deny access without deliberate permission. Maybe you have some fancier words for all that - ones that Congressmen will understand who don't 'do modems'?
peter@ficc.uu.net (Peter da Silva) (05/24/89)
In article <11813@well.UUCP>, dave@well.UUCP (Dave Hughes) writes: > In article <4246@ficc.uu.net>, peter@ficc.uu.net (Peter da Silva) writes: > > In article <154@oldcolo.UUCP>, dave@oldcolo.UUCP (Dave Hughes) writes: > > > A system > > > which permits uncontrolled access to its ports, or self-assigned > > ^^^^^^^^^^^^^ > > > passwords is not even covered under the Electronic Privacy Act. > > ^^^^^^^^^ > > Either you're confusing passwords with accounts, or the EPA is grossly > > misdesigned, or you're misinterpreting it. > If one can just dial a numebr, get a modem > connect, having never dialed it before, and get into the system > without anybody's permission the system is not a closed system. Well, I hope the act uses language that reflects that meaning instead of talking about self-assigned passwords. > One > typical way is to have either no passwords required, or to permit > the first time caller to assign himself an id and a password and > then to have full access. Exactly. Assign himself an ID and a password. We don't let people set up their own ids, but forcing them to use system-assigned passwords would reduce security, not enhance it. The password by itself is not a key. You need a password and a valid account id. And you need the old password to change the new one. > Maybe you have some fancier words for all that - ones that > Congressmen will understand who don't 'do modems'? "User id and password"? "Self-assigned accounts"? "Automatically assigned accounts?" Just what precisely does the act say about this? -- Peter da Silva, Xenix Support, Ferranti International Controls Corporation. Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
arossite@oracle.uucp (Bruce Rossiter) (05/24/89)
! sittetetuce Me{{{|<1<1<}s ininiiy-CCpsfnomomo: R
+iri000DsiitN666e@ess 2W=||si666plplpDA<
DADAeenBrueTTTH@o16sBruT
e
DAFp>.
DA
DA
@fYYVYYVYL
DAle.omp13e@q8ororoDAivsiGsiGssparks@corpane.UUCP (John Sparks) (05/25/89)
In article <4246@ficc.uu.net> peter@ficc.uu.net (Peter da Silva) writes: >In article <154@oldcolo.UUCP>, dave@oldcolo.UUCP (Dave Hughes) writes: >> A system >> which permits uncontrolled access to its ports, or self-assigned > ^^^^^^^^^^^^^ >> passwords is not even covered under the Electronic Privacy Act. > ^^^^^^^^^ >> Nor need it be. Such computer systems are 'public' as far as >> privacy is concerned. Even if the system is privately owned. > >What possible relationship does this have to do with coverage under the >Electronic Privacy Act? Every UNIX system on the net permits users >to assign their own passwords. It is ludicrous to presume that the >existence of a "Password" command should have anything to do with the >public nature of a system. > >Either you're confusing passwords with accounts, or the EPA is grossly >misdesigned, or you're misinterpreting it. >-- >Peter da Silva, Xenix Support, Ferranti International Controls Corporation. > >Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. >Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com. Peter, By self-Assigned Passwords I think he is refering to those BBS's that when you first log into them they tell you to "enter your name or type New" And when you type New, they give you a password for future logins and then give you full access to their system, without doing a security check on you. In other words: The BBS creates the account for you without checking you out. These systems can be considered completly public because the passwords are only to provide a means of separating users and not as a means of keeping people off of the system in general. Anyone can get on just by typing 'New' and get a password. Many BBS's will not do this anymore. They will allow you to log into a temporary account and read about the BBS and leave your name and phone number. The Sysop then decides whether to let you on or not. Most times he will call you up and verify your phone number and then give you your password. -- John Sparks | {rutgers|uunet}!ukma!corpane!sparks | D.I.S.K. 24hrs 1200bps [not for RHF] | sparks@corpane.UUCP | 502/968-5401 thru -5406 I fear explanations explanatory of things explained.
peter@ficc.uu.net (Peter da Silva) (05/27/89)
In article <675@corpane.UUCP>, sparks@corpane.UUCP (John Sparks) writes: > In article <4246@ficc.uu.net> peter@ficc.uu.net (Peter da Silva) writes: > >In article <154@oldcolo.UUCP>, dave@oldcolo.UUCP (Dave Hughes) writes: > >>[system with self-assigned passwords not covered under ECPA] > >Either you're confusing passwords with accounts, or the ECPA is grossly > >misdesigned, or you're misinterpreting it. > Peter, > By self-Assigned Passwords I think he is refering to those BBS's that when you > first log into them they tell you to > "enter your name or type New" > And when you type New, they give you a password for future logins... I'm familiar with this scheme. TBBS still uses it... I recall that a local religious-oriented board had a bit of trouble a few years back when a bunch of self-styled satanists guessed passwords like "jesus" and "mary". This is the problem with confusing passwords and accounts. Anyway, what you're saying here is that he is confusing passwords and accounts. Or the ECPA is written so it confuses passwords and accounts. If the latter, the ECPA is grossly misdesigned. -- Peter da Silva, Xenix Support, Ferranti International Controls Corporation. Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
dave@well.UUCP (Dave Hughes) (05/27/89)
You may flip off th eElectronic Privacy Act as 'badly designed' but it sure is better than the total vacuum which preceeded it. One woman lawyer in the midwest was a user of a bulletin-board. She got into a dispute witht he Sysop, via private mail to him. He made their private correspondence public online. She sued him under the EPCA for $50,000. The betting is she will win. The EPCA is quite enforcable on computer systems. And it *ALSO* insures that the local police deaprtment cannot call me up and say "hey we suspect this guy of doing bad things. Turn over your tapes to us." They would, according to the terms of the law, go to court, show probable cause, and depend on whether a judge agreed with them enough to approve a warrant. Which is the only instument I have to honor. It also says that, as a sysop, I *may*, if I detect illegal activites online, turn that over to law enforcement. I am not compelled to. I say that is pretty sensible start on electronic privacy. As for cordless phones - pretty tough to 'include' them when they can be intercepted and there is no encrptian of the traffic. Which means it is public by definition. Anybody *accidentally* can intercept it. (which means, if they were included, the accidental interception would be illegal. *That* is pretty stupid.) Dave Hughes dave@oldcolo.uucp
peter@ficc.uu.net (Peter da Silva) (05/29/89)
In article <11853@well.UUCP>, dave@well.UUCP (Dave Hughes) writes: > As for cordless phones - pretty tough to 'include' them when > they can be intercepted and there is no encrptian of the traffic. The same is true of Cellular, I believe, and they *are* included. I heard that the whole cellular/cordless stuff was an attempt to head off an alternate mobile phone system. -- Peter da Silva, Xenix Support, Ferranti International Controls Corporation. Business: uunet.uu.net!ficc!peter, peter@ficc.uu.net, +1 713 274 5180. Personal: ...!texbell!sugar!peter, peter@sugar.hackercorp.com.
sparks@corpane.UUCP (John Sparks) (06/01/89)
<11853@well.UUCP> Sender: Reply-To: sparks@corpane.UUCP (John Sparks) Followup-To: Distribution: usa Organization: Corpane Industries, Inc. Keywords: In article <11853@well.UUCP> dave@well.UUCP (Dave Hughes) writes: > > As for cordless phones - pretty tough to 'include' them when >they can be intercepted and there is no encrptian of the traffic. >Which means it is public by definition. Anybody *accidentally* can >intercept it. (which means, if they were included, the accidental >interception would be illegal. *That* is pretty stupid.) >Dave Hughes >dave@oldcolo.uucp But what you call "stupid" for cordless phones is exactly the way it is now with cellular phones. There is no encription of the data and you can intercept them easily. It is said to be legal to 'accidentally' intercept cellular phones but strictly illegal to purposefully eavesdrop on them. So why aren't cordless phones included? eh? It's the same situation on a different frequency and a shorter range. Personally I think if they don't want people listening in on phones they should scramble the signal so you can't listen in. The burden should be on the phone manufacturers and the phone company, not the public. If the radio waves come into my house uninvited and unscrambled then I should have the right to listen to them. Laws shouldn't be passed to make listening illegal. That's working from the wrong end. It takes away from our freedom. I have no qualms about someone wanting to protect their information. But if they are using radio, they should take precautions to encode the information to keep it private, not make it illegal to listen. First, that doesn't stop anyone who wants to listen from listening. It just lulls them into thinking that just because it's illegal to listen in that no one will do it. The information is still unscrambled and out there for anyone to listen to. The problem with the laws that regulate electronic information is that the lawyers that write and pass the laws don't know anything about the technology they are trying to regulate. They hear horror stories and watch late night sci- fi thrillers about killer robots and computer conspiracy and decide that they are going to save the world with new laws. But what they really end up doing is limiting our freedoms. -- John Sparks | {rutgers|uunet}!ukma!corpane!sparks | D.I.S.K. 24hrs 1200bps [not for RHF] | sparks@corpane.UUCP | 502/968-5401 thru -5406 Beware of quantum ducks: Quark, Quark.
desnoyer@Apple.COM (Peter Desnoyers) (06/03/89)
In article <729@corpane.UUCP> sparks@corpane.UUCP (John Sparks) writes: > [illegality of receiving cellular phone calls] > >I have no qualms about someone wanting to protect their information. But if >they are using radio, they should take precautions to encode the information to >keep it private, not make it illegal to listen. First, that doesn't stop anyone >who wants to listen from listening. It just lulls them into thinking that just >because it's illegal to listen in that no one will do it. The information is >still unscrambled and out there for anyone to listen to. I was recently at an event billed as an "art performance" where the sound system - during idle periods - was playing a mixture of odd music such as marches and bagpipes, and telephone calls. From the instructions an operator gave at one point, I believe the calls were cellular phone calls being "illegally" tapped. Not exactly what the caller intended when they dialed... Peter Desnoyers
barmar@think.COM (Barry Margolin) (06/03/89)
In article <729@corpane.UUCP> sparks@corpane.UUCP (John Sparks) writes: Re: Electronic Communication Privacy Act >So why aren't cordless phones included? eh? It's the same situation on a >different frequency and a shorter range. I think the shorter range has a lot to do with it. Someone can't just set up a single receiver and start tapping into the cordless phone conversations of everyone in town. Were cordless phones even discussed when drafting the law? If not, then it seems to me that the reason they aren't included is that no one thought to bring the issue up, rather than that the lawmakers specifically wanted to allow cordless phone eavesdropping. >Personally I think if they don't want people listening in on phones they should >scramble the signal so you can't listen in. The burden should be on the phone >manufacturers and the phone company, not the public. If the radio waves come >into my house uninvited and unscrambled then I should have the right to listen >to them. Laws shouldn't be passed to make listening illegal. That's working >from the wrong end. It takes away from our freedom. Just because you CAN listen, doesn't mean that you have the right to listen. If I leave my door unlocked that doesn't give you the right to walk in uninvited. I'm not required to put a lock on my mailbox, yet it is still illegal for someone to look at my mail. And the phone company isn't required to scramble their signals (some of which go through microwave links, i.e. through the "public" air), yet it is illegal to put on a wire tap. The business of laws is to tell people that certain things that they are capable of doing are not considered right. Intentionally listening in on phone conversations is considered wrong, so why should it be the burden of the users to scramble their data. Also, even if the data is scrambled, it's possible for eavesdroppers to get descramblers. I hope you don't think it should be legal for them to listen and descramble. >It just lulls them into thinking that just >because it's illegal to listen in that no one will do it. Come on, give people the benefit of some intelligence. Everyone knows it's illegal to steal, but we all know that theft occurs. But we also know that if we catch someone doing it, we can send them to jail. >But what they really end up doing is >limiting our freedoms. I agree that it is a good idea for cellular phone companies to scramble their signals. But I don't think anyone has a RIGHT to listen to my phone conversation, scrambled or otherwise. Therefore, I don't think phone companies should be REQUIRED to scramble their signals. Barry Margolin Thinking Machines Corp. barmar@think.com {uunet,harvard}!think!barmar
lnewman@emdeng.Dayton.NCR.COM (Lee.A.Newman) (06/06/89)
In article <21465@news.Think.COM> barmar@kulla.think.com.UUCP (Barry Margolin) writes: >In article <729@corpane.UUCP> sparks@corpane.UUCP (John Sparks) writes: >Re: Electronic Communication Privacy Act > >>Personally I think if they don't want people listening in on phones they should >>scramble the signal so you can't listen in. The burden should be on the phone >>manufacturers and the phone company, not the public. If the radio waves come >>into my house uninvited and unscrambled then I should have the right to listen >>to them. Laws shouldn't be passed to make listening illegal. That's working >>from the wrong end. It takes away from our freedom. > >Just because you CAN listen, doesn't mean that you have the right to >listen. If I leave my door unlocked that doesn't give you the right >to walk in uninvited. Incorrect. If my car breaks down outside your house, I have the right to come up to your house and talk to you. If you do not come to the door, I can take reasonable steps to find you. If I see your wallet on the table, or your chicken in its coop, I cannot take it. Do you see the difference? I'm not required to put a lock on my mailbox, >yet it is still illegal for someone to look at my mail. Exactly correct. One is a passive activity, and the other is active. If you consciously go onto my property (or the Post Offices's property) and look at my mail, you are violating a good law. If the Post Office sends you someone else's mail, and you open it without noticing the addressee, should you be put in jail? Obviously, no, because you took no action PURPOSELY on someone elses property. the phone >company isn't required to scramble their signals (some of which go >through microwave links, i.e. through the "public" air), yet it is >illegal to put on a wire tap. It is only illegal to attach an item to the phone which records. I can put a very sensitive microphone on my cassette deck, which is sensitive enough to record phone calls, and be perfectly legal (Note I am sidestepping the problem of placing the mike on someone else's property). > >The business of laws is to tell people that certain things that they >are capable of doing are not considered right. This statement is completely wrong. [No flame intended. Explanation follows] Many people, including an awful lot of politicians, feel the way you do. Unfortunately, such a misconception of the purpose of law is becoming so widespread that many other people are also beginning to beleive it. The following definition of law vs. moral should clear the air. Law: Minimum standard of behavior. Moral: Maximum standard of behavior. Think about that for a minute or two. Maybe a little bit longer. There are millions of things that are not right to do. Only a minute percentage of them are illegal to do. Do you really want someone to be able to put you in jail, or fine you, or take away your right to vote*, if you do something which THEY consider to be wrong? Think about that. How many laws do you disagree with? Intentionally >listening in on phone conversations is considered wrong, so why should >it be the burden of the users to scramble their data. You consider it to be wrong. I consider it to be wrong. But I do not want the government able to tell me which frequencies I can have a receiver. Think about that. Right now, it seems absurd to expect the FCC Police to come into your home and verify that your receiver cannot receive certain frequencies. Such a thought, however, does not seem to be too unreasonable 30, or 50 years from now. >>It just lulls them into thinking that just >>because it's illegal to listen in that no one will do it. [Stuff about scrambling signals deleted] > >>But what they really end up doing is >>limiting our freedoms. VERY WELL SAID > >I agree that it is a good idea for cellular phone companies to >scramble their signals. But I don't think anyone has a RIGHT to >listen to my phone conversation, scrambled or otherwise. Therefore, I >don't think phone companies should be REQUIRED to scramble their >signals. If you, or your phone company sends signals onto my property, I DO HAVE THE RIGHT to receive these signals. If you don't want me to receive them, do something to prevent me from receiving the signals. * My senator, Sen. Metzenbaum, beleives that no citizen of the United States should be able to own a gun. He has stated so repeatedly. He currently is proposing a bill which would require me to submit to an FBI background check, then let some Federal bureeaucrat decide, based on that check, if I can legally own a semiautomatic gun. Then I get to pay a $200 tax, and I have to ask permission every time I cross a state line with it. If I decide that this law is one I will not obey, I will be thrown in jail, without the protections of the criminal code (such a being presumed innocent ) as the law is written as a violation of civil code, rather than criminal code. Oh, I forgot... ANY PERSON FOUND GUILTY WILL LOSE HIS RIGHT TO VOTE FOREVER. This is the basis of why I beleive the way I do. Prevent your government from thinking that they need to look (or approve) your receiving equipment . ALL receiving equipment is legal and should remain so... forever. Lee Newman lnewman@emdeng.dayton.NCR.com
childers@avsd.UUCP (Richard Childers) (06/09/89)
barmar@kulla.think.com.UUCP (Barry Margolin) writes: >sparks@corpane.UUCP (John Sparks) writes: >Re: Electronic Communication Privacy Act >>So why aren't cordless phones included? eh? It's the same situation on a >>different frequency and a shorter range. Because the government already has a well-established base of equipment for listening to such transmissions, and doesn't want to outlaw itself. Just us. >I think the shorter range has a lot to do with it. Someone can't just >set up a single receiver and start tapping into the cordless phone >conversations of everyone in town. What ever happened to those notes of Nikola Tesla ? The ones that the U. S. Government seized for reasons of national security ? You think they didn't read them ? And why haven't they been published ? I hear they've got listening to the electronic noise generated by CPUs down to such a fine art that people whom take security seriously - like the U. S. Government - place their CPUs in lead-lined safes. Why do you suppose that is ? ( Those buss lines make fine antennae, I hear ... ) >>... I think if they don't want people listening in on phones they should >>scramble the signal so you can't listen in. The burden should be on the phone >>manufacturers and the phone company, not the public. If the radio waves come >>into my house uninvited and unscrambled then I should have the right to listen >>to them. Laws shouldn't be passed to make listening illegal. That's working >>from the wrong end. It takes away from our freedom. >Just because you CAN listen, doesn't mean that you have the right to >listen. If I leave my door unlocked that doesn't give you the right >to walk in uninvited. I'm not required to put a lock on my mailbox, >yet it is still illegal for someone to look at my mail. And the phone >company isn't required to scramble their signals (some of which go >through microwave links, i.e. through the "public" air), yet it is >illegal to put on a wire tap. This is blatant sophistry. A mailbox doesn't permeate the entire ecosphere, and microwaves travel in a line of sight. You have to work hard to get into the line of sight, and you stand a good chance of getting irradiated in the process. Can we see an example more true to the circumstances, as opposed to being true to the desired outcome of the discussion ? >Also, even if the data is scrambled, it's possible for eavesdroppers >to get descramblers. I hope you don't think it should be legal for >them to listen and descramble. Right. You make it sound like a scrambler is like a modem. The whole idea of a scrambler is that it's _damned hard_ to descramble it. It takes brains and hardware even to make a start, you can't do it with pencil and paper. Which is why Uncle Slime (tm) doesn't want you scrambling your conversation. Or encrypting your files. So they can have free access to anything without fail. In many ways, this represents a power trip on the part of the government and its agents, a function of hiring people whom believe they have not only a right, but a responsibility, to invade your privacy so as to insure that you are no threat to them, under the doddering twin premises that (a) if you have nothing to hide, you have nothing to be afraid of, and (b) what you don't know won't hurt you. >Come on, give people the benefit of some intelligence. Everyone knows >it's illegal to steal, but we all know that theft occurs. But we also >know that if we catch someone doing it, we can send them to jail. Interception is separate from stealing. If you send mail to my house, I have no responsibility to deliver it, and making it a law instead of tightening the circumstances around delivery of letters is plain laziness on the part of all concerned with correct delivery of mail. If there's a line of people concerned with correct delivery of mail, the people _not_ at the address have no reason to be in that line. They'll be at the tail end, if anywhere. I read private mail several times a week. Occasionally I am amused or intrigued by what I read in bounced mail that's delivered to 'postmaster', but I don't think a law telling me I can read the header but not the contents would be helpful in guaranteeing that the mail arrived. I deliver it because it's the right thing to do, because it's my job ... and I read it because I need to decide whether it needs to be forwarded manually. To assume machiavellian tendencies without substantial proof is to engage in outrageous projections of your fears upon my person. The fact that you are able to get it encoded as a law that I must obey under penalty of imprisonment doesn't do anything to lessen the psychological abberation(s) at the heart of such an assumption on your part. No, this evaluates to coercion on the part of politically powerful people, to avoid taking responsibility for the communications they initiate, instead they abuse the system to make everyone responsible for their private doings. What a crock of feces. >>But what they really end up doing is limiting our freedoms. And thus expanding theirs. Sounds kind of like a parasitic relationship to me. >I agree that it is a good idea for cellular phone companies to >scramble their signals. But I don't think anyone has a RIGHT to >listen to my phone conversation, scrambled or otherwise. Therefore, I >don't think phone companies should be REQUIRED to scramble their >signals. I disagree. The aether is in the public domain, by the laws of nature, and any effort to make it appear otherwise will only facilitate arresting lots of talented and intelligent people. The trucks puttering around, scanning for people receiving on frequencies they aren't supposed to - a la World War II's Nazi-occupied territories and the Cold War countries we supposedly detest for their complete lack of freedoms - will be paid for by your tax dollars. Presumably the government - or selected members of it - feel their position of power will be secured if they arrest everyone who disagrees. Much like what's happened - and continues to happen - in South America. What this comes down to is a not-so-subtle attempt to convict The People without establishing guilt first. It's an old trick. They've already got it well established in traffic court, police have a ticket quota based upon the unreasonable and unproven assumption that a statistical percentage of the population is already guilty - what's known as the Napoleonic Code of Justice, you're presumed guilty until proven innocent. The Constitution is exactly as good as your intentions to stick with it, no matter how hard the going gets. Taking the easy way out is simple to do, but the long-term consequences of your unwillingness to protect the U. S. Constitution are sure to come back and haunt you, too, eventually. >Barry Margolin >Thinking Machines Corp. -- richard -- * "We must hang together, gentlemen ... else, we shall most assuredly * * hang separately." Benjamin Franklin, 1776 * * * * ..{amdahl|decwrl|octopus|pyramid|ucbvax}!avsd.UUCP!childers@tycho *
morris@jade.jpl.nasa.gov (Mike Morris) (06/13/89)
In article <32205@apple.Apple.COM> desnoyer@Apple.COM (Peter Desnoyers) writes: > >I was recently at an event billed as an "art performance" where the >sound system - during idle periods - was playing a mixture of odd >music such as marches and bagpipes, and telephone calls. From the >instructions an operator gave at one point, I believe the calls were >cellular phone calls being "illegally" tapped. Not exactly what the >caller intended when they dialed... > Probably cordless phones. Most of the cheap wireless microphones (and even some of the expensive ones) use 45-50mhz, 152mhz, or 158mhz. The cordless phones use 46 & 49mhz channels, and the older IMTS mobile phones have 6 channels in the 152-158 mhz range. Since the wireless mikes have low power and rotten antennas, and are built to a price rather than to a performance spec they need sloppy, broad and sensitive (but selectivity costs money) receivers. Hence the receivers pick up everything when the mikes are turned off between numbers (to save batteries). Somebody forgot to tell the sound man to shut off the wireless mike channel when it wasn't being used. US Snail: Mike Morris UUCP: Morris@Jade.JPL.NASA.gov P.O. Box 1130 Also: WA6ILQ Arcadia, Ca. 91006-1130 #Include disclaimer.standard | The opinions above probably do not even
desnoyer@Apple.COM (Peter Desnoyers) (06/14/89)
In article <1340@jato.Jpl.Nasa.Gov> morris@jade.Jpl.Nasa.Gov (Mike Morris) writes: >In article <32205@apple.Apple.COM> desnoyer@Apple.COM (Peter Desnoyers) writes: >> >>I was recently at an event billed as an "art performance" where the >>sound system ... [was playing music & possibly intercepted cellular calls] >> >Probably cordless phones. Most of the cheap wireless microphones (and even >some of the expensive ones) use 45-50mhz, 152mhz, or 158mhz. The cordless >phones use 46 & 49mhz channels, and the older IMTS mobile phones have 6 channels >in the 152-158 mhz range. Since the wireless mikes have low power and rotten >antennas, and are built to a price rather than to a performance spec they need >sloppy, broad and sensitive (but selectivity costs money) receivers. Hence >the receivers pick up everything when the mikes are turned off between numbers >(to save batteries). Somebody forgot to tell the sound man to shut off the >wireless mike channel when it wasn't being used. > >US Snail: Mike Morris UUCP: Morris@Jade.JPL.NASA.gov > P.O. Box 1130 Also: WA6ILQ > Arcadia, Ca. 91006-1130 >#Include disclaimer.standard | The opinions above probably do not even Nah. It was clearly intentional - the phone calls were mixed louder than the background music. When the music went away for the performance, the phone calls went away. Some of the phone calls at the end of the show had been put through a tape loop. Peter Desnoyers