TK0JUT1@mvs.cso.niu.edu (03/29/91)
Although Len Rose accepted a Federal plea bargain which resolved
Federal charges against him in Illinois and Maryland, and state
charges in Illinois, he will not be sentenced until May. Therefore,
many of the details of the plea or of his situation cannot yet be made
public. Len pleaded guilty to two counts of violating Title 18 s.
1343:
18 USC 1343:
Sec. 1343. Fraud by wire, radio, or television
Whoever, having devised or intending to devise any scheme or
artifice to defraud, or for obtaining money or property by
means of false or fraudulent pretenses, representations, or
promises, transmits or causes to be transmitted by means of
wire, radio, or television communication in interstate or
foreign commerce, any writings, signs, signals, pictures,
or sounds for the purpose of executing such scheme or
artifice, shall be fined not more than $1000 or imprisoned
not more than five years, or both.
In our view, Len's case was, is, and continues to be, a political
case, one in which prosecutors have done their best to create an
irresponsible, inaccurate, and self-serving imagery to justify their
actions in last year's abuses in their various investigations.
Len's guilty plea was the result of pressures of family, future, and
the burden of trying to get from under what seemed to be the
unbearable pressure of prosecutors' use of law to back him into
corners in which his options seemed limited. The emotional strain and
disruption of family life became too much to bear. Len's plea was his
attempt to make the best of a situation that seemed to have no
satisfactory end. He saw it as a way to obtain the return of much of
his equipment and to close this phase of his life and move on. Many of
us feel that Len's prosecution and the attempt to make him out to be a
dangerous hacker who posed a threat to the country's computer security
was (and remains) reprehensible.
The government wanted Len's case to be about something it wasn't. To
the end, they kept fomenting the notion that the case involved
computer security -- despite the fact that the indictment, the statute
under which he was charged, or the evidence DID NOT RELATE TO
security. The case was about possession of proprietary software, pure
and simple.
The 23 March article in the {Washington Post} typifies how creative
manipulation of meanings by law enforcement agents becomes translated
into media accounts that perpetuate the the type of witch hunting for
which some prosecutors have become known. The front page story
published on March 23 is so outrageously distorted that it cannot pass
without comment. It illustrates how prosecutors' images are
translated into media narratives that portray an image of hackers in
general and Len in particular as a public threat. The story is so
ludicrously inaccurate that it cannot pass without comment.
Mark Potts, the author of the story, seems to convict Len of charges
of which even the prosecutors did not accuse him in the new
indictment. According to the opening paragraph of the story, Len
pleaded guilty to conspiring to steal computer account passwords. This
is false. Len's case was about possessing and possessing transporting
unlicensed software, *NOT* hacking! Yet, Potts claims that Rose
inserted a Trojan horse in AT&S software that would allow other
"hackers" to break into systems. Potts defers to prosecutors for the
source of his information, but it is curious that he did not bother
either to read the indictments or to verify the nature of the plea.
For a major story on the front page, this seems a callous disregard of
journalistic responsibility.
In the original indictment, Len was accused of possessing login.c, a
program that allows capturing passwords of persons who log onto a
computer. The program is described as exceptionally primitive by
computer experts, and it requires the user to possess root access, and
if one has root privileges, there is little point in hacking into the
system to begin with. Login.c, according to some computer
programmers, can be used by systems administrators as a security
device to help identify passwords used in attempts to hack into a
system, and at least one programmer indicated he used it to test
security on various systems. But, there was no claim Len used this
improperly, it was not an issue in the plea, and we wonder where Mark
Potts obtained his prosecutorial power that allows him to find Len
guilty of an offense for which he was not charged nor was at issue.
Mark Potts also links Len directly to the Legion of Doom and a variety
of hacking activity. Although a disclaimer appeared in a subsequent
issue of WP (a few lines on page A3), the damage was done. As have
prosecutors, Potts emphasizes the LoD connection without facts, and
the story borders on fiction.
Potts also claims that Len was "swept up" in Operation Sun Devil,
which he describes as resulting "in the arrest and prosecution of
several hackers and led to the confiscation of dozens of computers,
thousands of computer disks and related items." This is simply false.
At least one prosecutor involved with Sun Devil has maintained that
pre-Sun Devil busts were not related. Whether that claim is accurate
or not, Len was not a part of Sun Devil. Agents raided his house when
investigating the infamous E911 files connected to the Phrack/Craig
Neidorf case last January (1990). Although Len had no connection with
those files, the possession of unlicensed AT&T source code did not
please investigators, so they pursued this new line of attack.
Further, whatever happens in the future, to our knowledge *no*
indictments have occured as the result of Sun Devil, and in at least
one raid (Ripco BBS), files and equipment were seized as the result of
an informant's involvement that we have questioned in a previous issue
of CuD ( #3.02). Yet, Potts credits Sun Devil as a major success.
Potts also equates Rose's activities with those of Robert Morris, and
in so-doing, grossly distorts the nature of the accusations against
Len. Equating the actions to which Len pleaded guilty to Morris
grossly distorts both the nature and magnitude of the offense. By
first claiming that Len modified a program, and then linking it to
Morris's infectious worm, it appears that Len was a threat to computer
security. This kind of hyperbole, based on inaccurate and
irresponsible reporting, inflames the public, contributes to the
continued inability to distinguish between serious computer crime and
far less serious acts, and would appear to erroneously justify AT&T's
position as the protector of the nets when, in fact, their actions are
far more abusive to the public trust.
After focusing for the entire article on computer security, Potts
seems to appear "responsible" by citing the views of computer experts
on computer security and law. But, because these seem irrelevant to
the reality of Len's case, it is a classic example of the pointed non
sequitor.
Finally, despite continuous press releases, media announcements, and
other notices by EFF, Potts concludes by claiming that EFF was
established as "a defense fund for computer hackers." Where has Potts
been? EFF, as even a rookie reporter covering computer issues should
know, was established to address the challenges to existing law by
rapidly changing computer technology. Although EFF provided some
indirect support to Len's attorneys in the form of legal research, the
EFF DID NOT FUND ANY OF LEN'S defense. Len's defense was funded
privately by a concerned citizen intensely interested in the issues
involved. The EFF does not support computer intrusion, and has made
this clear from its inception. And a final point, trivial in context,
Potts credits Mitch Kapor as the sole author of Lotus 1-2-3, failing
to mention that Jon Sachs was the co-author.
The {Washington Post} issued a retraction of the LoD connection a few
days later. But, it failed to retract the false claims of Len's plea.
In our view, even the partial LoD retraction destroys the basis, and
the credibility, of the story. In our judgement, the Post should
publicly apologize and retract the story. It should also send Potts
back to school for remedial courses in journalism and ethics.
Some observers feel that Len should have continued to fight the
charges. To other observers, Len's plea is "proof" of his guilt. We
caution both sides: Len did what he felt he had to do for his family
and himself. In our view, the plea reflects a sad ending to a sad
situation. Neither Len nor the prosecution "won." Len's potential
punishment of a year and a day (which should conclude with ten months
of actual time served) in prison and a subsequent two or three year
period of supervised release (to be determined by the judge) do not
reflect the the toll the case took on him in the past year. He lost
everything he had previously worked for, and he is now, thanks to
publications like the {Washington Post}, labelled as a dangerous
computer security threat, which may hamper is ability to reconstruct
his life on release from prison. We respect Len's decision to accept
a plea bargain and urge all those who might disagree with that
decision to ask themselves what they would do that would best serve
the interests both of justice and of a wife and two small children.
Sadly, the prosecutors and AT&T should have also asked this question
from the beginning. Sometimes, it seems, the wrong people are on
trial.
[Moderator's Note: Jim Thomas, the author of this article, is the
Moderator of Computer Underground Digest, a publication which began
about a year ago as an offshoot from TELECOM Digest. For subscription
information, write: tk0jut1@niu.bitnet. And my thanks to Jim for an
excellent presentation here today. PAT]