[alt.society.cu-digest] Cu Digest, #3.10

TK0JUT2%MVS.CSO.NIU.EDU@UICVM.uic.edu (03/29/91)

  ****************************************************************************
                  >C O M P U T E R   U N D E R G R O U N D<
                                >D I G E S T<
              ***  Volume 3, Issue #3.10 (March 28, 1991)   **
  ****************************************************************************

MODERATORS:   Jim Thomas / Gordon Meyer  (TK0JUT2@NIU.bitnet)
ARCHIVISTS:   Bob Krause / Alex Smith / Bob Kusumoto
POETICA OBSCIVORUM REI: Brendan Kehoe

USENET readers can currently receive CuD as alt.society.cu-digest.
Back issues are also available on Compuserve (in: DL0 of the IBMBBS sig),
PC-EXEC BBS (414-789-4210), and at 1:100/345 for those on
FIDOnet.  Anonymous ftp sites: (1) ftp.cs.widener.edu (or
192.55.239.132) (back up and running) and (2)
cudarch@chsun1.uchicago.edu E-mail server:
archive-server@chsun1.uchicago.edu.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may be reprinted as long as the source is
cited.  Some authors, however, do copyright their material, and those
authors should be contacted for reprint permission.  It is assumed
that non-personal mail to the moderators may be reprinted unless
otherwise specified. Readers are encouraged to submit reasoned
articles relating to the Computer Underground.  Articles are preferred
to short responses.  Please avoid quoting previous posts unless
absolutely necessary.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Contributors assume all
            responsibility for assuring that articles submitted do not
            violate copyright protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CONTENTS THIS ISSUE:
File 1: From the Mailbag
File 2: Hollywood Hacker, Part Deuce
File 3: Len Rose Outcome (from AP wire)
File 4: Len Rose Pleads Guilty (Washington Post)
File 5: Len Rose's "Guilt" and the Washington Post

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

----------------------------------------------------------------------
From: Various
Subject: From the Mailbag
Date: March 26, 1991

********************************************************************
***  CuD #3.10--File 1 of 5: From the Mailbag                    ***
********************************************************************

Subject: Stormin Norman hacked?
From: Bob Izenberg <dogface!bei@CS.UTEXAS.EDU>
Date: Wed, 13 Mar 91 07:19:51 CST

All Things Considered quoted a London Times article about an aide to
Norman "Stormin' Norman" Schwartzkopf (sp?), the general in charge of
a recent spate of calisthenics that may have made the headlines. ;-)
The aide's PC, with some US battle plans on it, was stolen out of his
car, and anonymously returned three weeks later.  The NPR report
quoted the Times article as saying that authorities were satisfied
that the info on the portable's disk(s) never got into Iraqi hands, or
computers.  If only it was a telco employee's computer!  Then we'd
have somebody's balls on a platter already.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: youknowwho@MYSYS.EMU.EDU(Anonymous)
Subject: Some Comments on Computer Fraud Enforcement
Date: Sat, 17 Mar 91 05:17:49 GMT

>From pages 9-11 of "Credit Card and Computer Fraud" dated August 1988
published by the Department of the Treasury, United States Secret
Service:

Computer Fraud

Computer crimes have emerged as a major concern for law enforcement in
recent years.  Victims of computer crimes have sustained substantial
losses, inconveniences, and even anxiety over the damage to their
credit reputation.  Some businesses, including small long-distance
telephone companies, have gone bankrupt as a direct result of computer
fraud losses.  In 1986, Congress revised Title 18 of the United States
Code, Section 1030, empowering the Secret Service, among other Federal
law enforcement agencies, to investigate fraud and related activities
in connection with "Federal-Interest computers."

     The law prohibits anyone from:

[_] Knowingly accessing a computer to obtain certain information
    protected for reasons of national security with intent to injure
    the United States;

[_] Intentionally accessing a computer to obtain, without authorization,
    information from a financial record of a financial institution;

[_] Intentionally accessing a computer used for the exclusive use of the
    United States Government;

[_] Intentionally accessing a computer to affect, without authorization,
    the government's use of any computer that is used by the United
    States Government;

[_] Knowingly and intentionally accessing a Federal interest computer
    to fraudulently obtain anything of value other than the use of the
    computer;

[_] Intentionally accessing a Federal interest computer to alter,
    damage, or destroy information, or prevent authorized use of any
    such computer, and thereby:

       a. cause a loss of $1,000 or more; or

       b. modify or impair a medical examination, medical diagnosis,
          medical treatment, or the medical care of an individual; or

[_] Knowingly and intentionally accessing a computer to trafic in any
    password through which a computer can be accessed without
    authorization, where such trafficking affects interstate or
    foreign commerce, or such computer is used by or for the
    Government of the United States.

The Secret Service maintains a group of highly trained computer
specialists who participate in the investigation of computer fraud
cases.  Although the U.S. Secret Service is pioneering new law
enforcement techniques in the identification and apprehension of
computer criminals, the task of combating computer crime is not ours
alone.  The burden of responsibility for information and data security
rests not only with law enforcement authorities, but also with the
owners and operators of the computer systems who may, potentially,
fall victim to computer fraud.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: halcyon!peterm@SUMAX.SEATTLEU.EDU(Peter Marshall)
Subject: Re: New Telecom Laws Proposed
Date: Mon, 18 Mar 91 09:53:28 PST

Mike's post leaves one perplexed about what it's doing in CUD? Perhaps
he could explain the relevance of this item to CU-related issues?

Further, one tends to be left even more perplexed about Mike's
assertion that the Michigan bill he describes "specifically seeks to
overturn the MFJ." Now that's really quite a mouthful. But it's not
disgesti. How does Mike think a Michigan bill could bring this about,
one wonders?

Peter Marshall

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Subject: Re; SWB PUC Ruling
From: halcyon!peterm@SUMAX.SEATTLEU.EDU(Peter Marshall)
Date: Mon, 18 Mar 91 09:58:32 PST

Peter de Silva is right on this one; it was not exactly a near-optimal
outcome, and for the reasons he notes, among others.

On the other hand, where's the capability to "watch the various PUCs like
a hawk"? Might be a tall order, methinks.

Peter Marshall
From:  MMaples@cs1.bim.boville.edu
Subject: Hacking and Breaking and Entering
Date: Mon, 18 Mar 91 11:22:14 PST

I've been reading a lot of posts that compare hacking to breaking and
entering and wonder what CuD readers and editors think? I don't think
the two are comparable. Breaking and entering is a type of violent
crime and it physically destroys property. Sure, hacking might destroy
data, but this doesn't happen much, which doesn't mean it's right, but
that the two type of destruction aren't the same. A home is a private
place and the type of privacy is different that the privacy of a
computer. You can't curl up inside the computer and make love, retreat
to its hard drives from the pressures of the outside world in the same
way you do to the tv room, or make a sandwich.  But it seems that the
penalties for computer hacking are as severe as for breaking and
entering. I just don't get it.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: brendan@CS.WIDENER.EDU(Brendan Kehoe)
Subject: Response to Washington Post Article on Len Rose
Date: Tue, 26 Mar 91 08:46:30 EST

{Moderators' note: See File 5 of this issue for the Post piece.}
The most intriguing part for me, was the way the Washington Post
release made it sound like Mr. Rose's modified version of the login
program was in itself inherently illegal. Even months after people
complained about how blatantly uninformed making such a suggestion is,
it persists and has taken a higher form. Had this case veered even one
tenth of a degree from where it ended up, it could've set a rather
dangerous precedent.

It was a surprise when I read that Rose pleaded guilty .. and how
quietly the trial took place. With the play it got earlier (Unix
Today, etc) this year and last, the volume certainly did get lowered.

Perhaps now Mr. Rose can get on with his life.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: Dave.Appel@P30.F30.N231.Z1.FIDONET.ORG(Dave Appel)
Subject: Indianapolis is now PC-Pursuitable
Date: Wed, 20 Mar 91 13:57:11 CST

                INDIANAPOLIS IS NOW PC-PURSUITABLE

After years of promises, Telenet's (SprintNet's) PC-Pursuit service,
also known as PCP, has finally installed outdials in Indianapolis.
The official announcement from Telenet is still forthcoming, but the
outdials are in place.

Indy's semi-official BBS list comes from the IUPUI BBoard, and is
maintained by sysop Don Smith.  This file can be file requested from
most of net 231's FidoNet boards as file INDY0301.ZIP.

The latest version contains 96 local boards.  However, taking all the
multi-line boards into account, we have over 150 BBS lines!

Some of the multi-line boards of note are: PBS-BBS (Public Brand
Software) 317-856-2087, noted for its shareware; Data Central
317-543-2007, files and GIFs; User's Choice 317-894-1378, GIFs; and
L.C. Midwest 317-924-2219, a dating/adult board.  Those are pay
boards.  Most other boards are free.

Indy is also Telelink/Starlink node 9349.  Some people feel that
Starlink is a better service than PC-Pursuit.

Assuming that the outdial is in the same exchange as PCP's indial, the
following exchanges should be accessible according to Indiana Bell's
white pages.  I include this list for your convenience because PCP has
not yet published an official XCH list. Please excuse any typos or
errors.  These exchanges include Indianapolis proper, Carmel,
Zionsville, Noblesville, Speedway, Beech Grove, Greenwood, Plainfield,
Brownsburg, Fishers, Greenfield, Mooresville, and New Palestine.

Outdial Site: D/ININD

317     222 226 230 231 232 233 235 236 237 238 239 240 241 242 317
243 244 247 248 251 252 253 254 255 256 257 259 261 262 317     263
264 265 266 267 269 271 272 273 274 276 277 278 283 317     290 291
293 297 298 299 321 322 326 328 335 351 352 353 317     355 356 357
359 422 424 425 431 432 439 441 442 443 445 317     461 462 464 465
466 467 469 470 471 485 486 488 535 539 317     541 542 543 545 546
547 549 556 571 573 574 575 576 577 317     578 579 580 630 631 632
633 634 635 636 637 638 639 681 317     684 685 686 687 691 694 736
738 745 769 773 776 780 781 317     782 783 784 786 787 788 823 831
835 838 839 841 842 843 317     844 845 846 848 849 852 856 861 862
867 870 871 872 873 317     875 876 877 878 879 881 882 885 887 888
889 891 892 894 317     895 896 897 898 899 920 921 923 924 925 926
927 928 929 317     976 994 996

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: Bob Izenberg <dogface!bei@CS.UTEXAS.EDU>
Subject: L'Accused--a bust is a bust is a bust....
Date: Mon, 18 Mar 91 00:26:24 CST

I ran across an interesting article in the January 29th, 1991 issue of
the Village Voice.  The author is Elizabeth Hess.  I've included the
relevant parts and omitted references to particular art galleries that
were showing Sturges' work at the time.

The general topic, that of a U.S. citizen penalized without trial or,
even now, indictment or charges filed, may be familiar to CUD readers.
(article excerpt follows)

>From the 1-29-91 Village Voice article, "The Accused", by Elizabeth
Hess:  The opening of an exhibition of photographs by Jock Sturges
would not ordinarily be news.  But Sturges, as readers might recall,
is currently under investigation for producing child pornography.
Last April, members of the San Francisco police and the FBI entered
the photographer's home, without a warrant, after receiving a tip from
a local film processor (The Village Voice, June 12, 1990).  Later that
afternoon, a warrant was obtained and the officers carted off an
estimated 1 million negatives, various pieces of darkroom and computer
equipment, several business and personal files, eight address books,
and a few cameras belonging to one terrified Jock Sturges.  His life
was impounded.

Nine months have passed and the photographer has still not been
charged with any crime, not have all of his belongings been returned.
And, even more insidious, the FBI has launched an international
investigation into the artist's work and personal life.  While the art
world, especially in San Francisco, has rallied around the case,
Sturges says he has lost a show, friends, models, and jobs.

On November 21, Michael Metzger, Sturges' attorney, filed a motion in
the U.S. District Court in San Francisco for the return of the
photographer's property; a hearing is scheduled for February 7.
Sturges intends to follow up with a civil suit, seeking damages
against local and federal authorities.  Meanwhile, the photographer is
also bringing his case to the public, traveling around the country in
an effort to raise money and political support.  [ lines on gallery
exhibits skipped ]

The artist's career was probably going at its proper pace prior to the
totally unjustified, if not illegal, invasion into his privacy.  It's
hard to say how bad the authorities want Jock Sturges,  They have
certainly been putting a great deal of effort into an investigation of
the folks listed in his address books. According to Sturges, the
French police have visited and questioned every person who appears in
his current Philadelphia exhibition and others:  a total of 46
families.

American authorities have also been busy making sure that people think
twice before modeling in the nude for Sturges, or anybody else.
According to the Philadelphia Inquirer Magazine, the FBI went to visit
a family in California that included a 13-year old daughter whom
Sturges has been shooting for the past eight years.  During the
interview, one of the agents turned to the young girl and asked, "Does
this guy ever ask you to spread your legs?"  Prior to this moment, no
one in the family had ever been embarrassed by the photographs.  The
daughter recently hid her copies in a trunk.

"The FBI has been instructing people in shame." says Sturges.  "A
visit from the police is traumatizing, and it has a chilling effect.~
Even Sturges recently wrapped a few bodies in towels before shooting
them on the beach.

{Moderator's note: We view this article as *directly* relevant to
the CU for two reasons. First, it suggests how similar policies
are filtered through different laws for the same result.
The scenario between Sturges' experience and that of Steve Jackson
and other is analogous: Media (whether computers or art) that Feds
barely understand provides a context for identifying somebody
who *appears* (in Fed-think) to be in violation of some heinous
"crime of the week." The Feds swoop in, bust them and grab whatever
equipment looks suspicious (substitute "computers" for "cameras,"
or "disks" for "negatives"). The second point is that the CU should
be alert to apparent excessive zealousness in the non-computer world,
because prosecutors' behavior seems, like cancer, to have a habit
of spreading. In a recent federal drug bust on a Southeastern
college fraternity, three fraternity houses were seized by the
government because a few members were caught with drugs. This
absurdity is reminiscent of J. Cousteau's yacht, The Calypso, being
seized a few years ago because a crew member was found with a
"roach" in his cabin. Federal agents and their supporters will
argue for the necessity of such action, but in a free society,
such seizures--which resemble tyrannies rather than
democracies--affect us all. These are ALL CU issues.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From: Jim Thomas / CuD
Subject: Hollywood Hacker, Part Deuce
Date: March 26, 1991

********************************************************************
***  CuD #3.10--File 2 of 5: The Hollywood Hacker, Part II       ***
********************************************************************

In CuD 3.09, we raised the case of Stuart Goldman, dubbed "The
Hollywood Hacker." Judging from media accounts and legal documents, we
identified a few disturbing questions about the case, including the
typical over-zealous law enforcement reaction and the possibility of a
set-up. We suggested that Goldman hardly appears to be a hacker, but
rather an investigative journalist who allegedly used somebody else's
access code to gather material on an expose of sleaze-tv shows. The
story received far more attention in the Los Angeles media than it did
in the Chicago Tribune or New York Times, but the issues involved will
not disappear.

The LA Times (Sept 4, 1990: A-1) argued that the case appears to be "a
saga befitting supermarket tabloid newspapers--a battle of an
influential television network versus a self-proclaimed muckraker."
According to numerous Los Angeles papers and magazines, Goldman's
credentials as a journalist and writer are well-established.  LA Media
indicate he worked as a freelance writer for "Current Affair" and
"Inside Addition," and was working for a freelance tv segment for
"Inside Edition" at the time of the arrest.  He reportedly had worked
as a music critic at the Los Angeles Times and had a column in the
L.A. Reader for two years.  In a radio talk show in Los Angeles,
Goldman indicated that he was working on a book called "Snitch," an
expose of tabloid journalism. The program's host raised the
possibility that the manuscript-in-progress might be seen by some as a
post-arrest attempt to add attempt to add credibility to his
investigatory claims, and Goldman alluded to the pre-arrest work done
on the book, adding that "it's hard to fabricate three hundred typed
pages which are circulating to publishers."

There is no evidence that Goldman was a hacker by any stretch of the
term. After a telephone conversation with Goldman, it appeared that
his computer skills were limited to text editing and some modeming.
Judging from all available public information, it appears that the Fox
Network hyped this case for motives yet to be determined. The original
federal arrest warrant stated that the charge was "Unauthorized access
and access in excess of authority into a federal interest computer
with intent to defraud" under 18 s. 1030(a)(4). The Federal charges
were dropped almost immediately. This, in our mind, suggests that
there was not a sufficient case against him to warrant federal
prosecution, because we have seen to many similar cases in which
federal charges have been pursued on creatively-defined grounds.

Although valuable equipment and resources were confiscated, it appears
that Goldman was not as unfortunate as some others have been.
Nonetheless, he lost his computer, disks on which his works in
progress were stored, and other material that would be difficult to
replace. Although the search warrant appeared to limit the removal of
property related only to "A Current Affair," it seems that, as in
other cases, the phrase "related only to" took on a rather broad
meaning.

Even those who oppose "hacking" should be concerned with this case.
We repeat that the issue is not guilt or innocence, or whether Goldman
(or any other suspect) is as sympathetic as a 17 year old college
student. As Bob Izenberg notes in his commentary on the busts of
photographers (File 1, above), the issue is the manner in which raids
occur, the broad definitions of what is seized, the creative use of
indictments, the possible inflation of charges and "losses," and the
tendency to hold on to equipment of suspects, and the possibility that
prosecutors are looking for test cases that increase the punitive
nature of the consequences for all involved. Justice is more than
catching crooks, is also is processessing defendants in a way that
does not subvert confidence in the justice system.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From: bill <bill@GAUSS.GATECH.EDU>
Subject: Len Rose Outcome (from AP wire)
Date: Sat, 23 Mar 91 14:29:14 EST

********************************************************************
***  CuD #3.10--File 3 of 5: AP Story on Len Rose                ***
********************************************************************

BALTIMORE (AP) -- A computer hacker pleaded guilty Friday to stealing
information from American Telephone & Telegraph and its subsidiary
Bell Laboratories.

Under an agreement with prosecutors, Leonard Rose pleaded guilty in
U.S. District Court to one count of sending AT&T source codes via
computer to Richard Andrews, an Illinois hacker, and a similar wire
fraud charge involving a Chicago hacker.

Prosecutors said they will ask that Rose be sentenced to two
concurrent one-year terms. Rose is expected to be sentenced in May.

Neither Rose nor his attorney could be immediately reached for comment
late Friday.

"Other computer hackers who choose to use their talents to interfere
with the security and privacy of computer systems can expect to be
prosecuted and to face similar penalties," said U.S. Attorney
Breckinridge L. Willcox.

"The sentence contemplated in the plea agreement reflects the serious
nature of this new form of theft," Willcox said.

Rose, 32, was charged in May 1990 in a five-count indictment following
an investigation by the Secret Service and the U.S. Attorney's offices
in Baltimore and Chicago.

He also had been charged with distributing "trojan horse" programs,
designed to gain unauthorized access to computer systems, to other
hackers.

Prosecutors said Rose and other hackers entered into a scheme to steal
computer source codes from AT&T's UNIX computer system.

The plea agreement stipulates that after he serves his sentence, Rose
must disclose his past conduct to potential employers that have
computers with similar source codes.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From: Anonymous
Subject: Len Rose Pleads Guilty (Washington Post)
Date: Mon, 25 Mar 91 11:22:13 PST

********************************************************************
***  CuD #3.10--File 4 of 5: Washington Post Story on Len Rose   ***
********************************************************************

Source: Washington Post, March 23, 1991, pp A1, A10

       "'Hacker' Pleads Guilty in AT&T CASE: Sentence Urged for
            Md. Man Among Stiffest Yet for Computer Crime"
              By Mark Potts/Washington Post Staff Writer

BALTIMORE, March 22--A computer "hacker" who was trying to help others
steal electronic passwords guarding large corporate computer systems
around the country today pleaded guilty to wire fraud in a continuing
government crackdown on computer crime.

Federal prosecutors recommended that Leonard Rose Jr., 32, of
Middletown, Md., be sent to prison for one year and one day, which
would be one of the stiffest sentences imposed to date for computer
crime. Sentencing is scheduled for May before U.S. District Judge J.
Frederick Motz.

Cases such as those of Rose and a Cornell University graduate student
who was convicted last year of crippling a nationwide computer network
have shown that the formerly innocent pastime of hacking has
potentially extreme economic ramifications. Prosecutors, industry
officials and even some veteran hackers now question the once popular
and widely accepted practice of breaking into computer systems and
networks in search of information that can be shared with others.

"It's just like any other form of theft, except that it's more subtle
and it's more sophisticated," said Geoffrey R. Garinther, the
assistant U.S. attorney who prosecuted the Rose case.

Rose--once part of a group of maverick hackers who called themselves
the Legion of Doom--and his attorneys were not available for comment
after the guilty plea today. The single fraud count replaced a
five-count indictment of the computer programmer that was issued last
May after a raid on his home by Secret Service agents.

According to prosecutors, Rose illegally obtained information that
would permit him to secretly modify a widely used American Telephone &

(See HACKER, A10, Col 1)

Telegraph Co. Unix software program--the complex instructions that
tell computers what to do. The two former AT&T software employees who
provided these information "codes" have not yet been prosecuted.

Rose altered the AT&T software by inserting a "Trojan horse" program
that would allow a hacker to secretly gain access to the computer
systems using the AT&T Unix software and gather passwords used on the
system. The passwords could then be distributed to other hackers,
permitting them to use the system without the knowledge of its
rightful operators, prosecutors said.

Rose's modifications made corporate purchasers of the $77,000 AT&T
Unix program vulnerable to electronic break-ins and the theft of such
services as toll-free 800 numbers and other computer-based
telecommunications services.

After changing the software, Rose sent it to three other computer
hackers, including one in Chicago, where authorities learned of the
scheme through a Secret Service computer crime investigation called
Operation Sun Devil. Officials  say they do not believe the hackers
ever broke into computer systems.

At the same time he pleaded guilty here, Rose pleaded guilty to a
similar charge in Chicago; the sentences are to be served
concurrently, and he will be eligible for parole after 10 months.

Rose and his associates in the Legion of Doom, whose nickname was
taken from a gang of comic-book villains, used names like Acid Phreak
Terminus--Rose's nickname--as their computer IDs. They connected their
computers by telephone to corporate and government computer networks,
outwitted security screens and passwords to sign onto the systems and
rummaged through the information files they found, prosecutors said.

Members of the group were constantly testing the boundaries of the
"hacker ethic," a code of conduct dating back to the early 1960s that
operates on the belief that computers and the information on them
should be free for everyone to share, and that such freedom would
accelerate the spread of computer technology, to society's benefit.

Corporate and government computer information managers and many law
enforcement officials have a different view of the hackers.  To them,
the hackers are committing theft and computer fraud.

After the first federal law aimed at computer fraud was enacted in
1986, the Secret Service began the Operation Sun Devil investigation,
which has since swept up many members of the Legion of Doom, including
Rose. The investigation has resulted in the arrest and prosecution of
several hackers and led to the confiscation of dozens of computers,
thousands of computer disks and related items.

"We're authorized to enforce the computer fraud act, and we're doing
it to the best of our ability," Garry Jenkins, assistant director of
investigations for the Secret Service, said last summer.  "We're not
interested in cases that are at the lowest threshold of violating the
law...They have to be major criminal violations before we get
involved."

The Secret Service crackdown closely followed the prosecution of the
most celebrated hacker case to date, that of Robert Tappan Morris
Cornell University computer science graduate student and son of a
computer sicentist at the National Security Agency. Morris was
convicted early last year of infecting a vast nationwide computer
network in 1988 with a hugely disruptive computer "virus," or rogue
instructions. Although he could have gone to jail for five years, Mo
$10,000, given three years probation and ordered to do 400 hours of
community service work.

Through Operation Sun Devil and the Morris case, law enforcement
authorities have begun to define the boundaries of computer law.
Officials are grappling with how best to punish hackers and how to
differentiate between mere computer pranks and serious computer
espionage.

"We're all trying to get a handle for what is appropriate behavior in
this new age, where we have computers and computer networks linked
together," said Lance Hoffman, a computer science professor at George
Washington University.

"There clearly are a bunch of people feeling their way in various
respects," said David R. Johnson, an attorney at Wilmer, Cutler &
Pickering and an expert on computer law.  However, he said, "Things
are getting a lot clearer. It used to be a reasonably respectable
argument that people gaining unauthorized access to computer systems
and causing problems were just rambunctious youth." Now, however, the
feeling is that "operating in unauthorized computing spaces can be an
antisocial act," he said.

Although this view is increasingly shared by industry leaders, some
see the risk of the crackdown on hackers going to far. Among those
concerned is Mitch Kapor, the inventor of Lotus 1-2-3, the
best-selling computer "spreadsheet" program for carrying out
mathematical and accounting analysis.  Kapor and several other
computer pioneers last year contributed several hundred thousands
dollars to set up the Electron Freedom Foundation, a defense fund for
computer hackers.

EFF has funded much of Rose's defense and filed a friend-of-the-court
brief protesting Rose's indictment.

                          --end of article--

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

From: brendan@CS.WIDENER.EDU(Brendan Kehoe)
Subject: Washington Post Retraction to Original Story
Date: Wed, 27 Mar 91 08:49:00 EST

From: The Washington Post, Tuesday March 26, 1991, Page A3.

CORRECTION [to Saturday March 23, 1991 article]

"Leonard Rose, Jr., the Maryland computer hacker who pleaded guilty
last week to two counts of wire fraud involving his illegal possession
of an American Telephone & Telegraph Co. computer program, was not a
member of the "Legion of Doom" computer hacker group, as was reported
Saturday, and did not participate in the group's alleged activities of
breaking into and rummaging through corporate and government computer
systems."

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From: Moderators
Subject: Len Rose's "Guilt" and the Washington Post
Date: March 28, 1991

********************************************************************
***  CuD #3.10--File 5 of 5: Len Rose and the Washington Post    ***
********************************************************************

Although Len Rose accepted a Federal plea bargain which resolved
Federal charges against him in Illinois and Maryland, and state
charges in Illinois, he will not be sentenced until May.  Therefore,
many of the details of the plea or of his situation cannot yet be made
public.  Len pleaded guilty to two counts of violating Title 18 s.
1343:

      18 USC 1343:

      Sec. 1343. Fraud by wire, radio, or television

      Whoever, having devised or intending to devise any scheme or
      artifice to defraud, or for obtaining money or property by
      means of false or fraudulent pretenses, representations, or
      promises, transmits or causes to be transmitted by means of
      wire, radio, or television communication in interstate or
      foreign commerce, any writings, signs, signals, pictures,
      or sounds for the purpose of executing such scheme or
      artifice, shall be fined not more than $1000 or imprisoned
      not more than five years, or both.

In our view, Len's case was, is, and continues to be, a political
case, one in which prosecutors have done their best to create an
irresponsible, inaccurate, and self-serving imagery to justify their
actions in last year's abuses in their various investigations.

Len's guilty plea was the result of pressures of family, future, and
the burden of trying to get from under what seemed to be the
unbearable pressure of prosecutors' use of law to back him into
corners in which his options seemed limited. The emotional strain and
disruption of family life became too much to bear.  Len's plea was his
attempt to make the best of a situation that seemed to have no
satisfactory end. He saw it as a way to obtain the return of much of
his equipment and to close this phase of his life and move on. Many of
us feel that Len's prosecution and the attempt to make him out to be a
dangerous hacker who posed a threat to the country's computer security
was (and remains) reprehensible.

The government wanted Len's case to be about something it wasn't.  To
the end, they kept fomenting the notion that the case involved
computer security--despite the fact that the indictment, the statute
under which he was charged, or the evidence DID NOT RELATE TO
security. The case was about possession of proprietary software, pure
and simple.

The 23 March article in the Washington Post typifies how creative
manipulation of meanings by law enforcement agents becomes translated
into media accounts that perpetuate the the type of witch hunting for
which some prosecutors have become known.  The front page story
published on March 23 is so outrageously distorted that it cannot pass
without comment.  It illustrates how prosecutors' images are
translated into media narratives that portray an image of hackers in
general and Len in particular as a public threat. The story is so
ludicrously inaccurate that it cannot pass without comment.

Mark Potts, the author of the story, seems to convict Len of charges
of which even the prosecutors did not accuse him in the new
indictment. According to the opening paragraph of the story, Len
pleaded guilty to conspiring to steal computer account passwords. This
is false. Len's case was about possessing and possessing transporting
unlicensed software, *NOT* hacking!  Yet, Potts claims that Rose
inserted a Trojan horse in AT&S software that would allow other
"hackers" to break into systems.  Potts defers to prosecutors for the
source of his information, but it is curious that he did not bother
either to read the indictments or to verify the nature of the plea.
For a major story on the front page, this seems a callous disregard of
journalistic responsibility.

In the original indictment, Len was accused of possessing login.c, a
program that allows capturing passwords of persons who log onto a
computer. The program is described as exceptionally primitive by
computer experts, and it requires the user to possess root access, and
if one has root privileges, there is little point in hacking into the
system to begin with.  Login.c, according to some computer
programmers, can be used by systems administrators as a security
device to help identify passwords used in attempts to hack into a
system, and at least one programmer indicated he used it to test
security on various systems. But, there was no claim Len used this
improperly, it was not an issue in the plea, and we wonder where Mark
Potts obtained his prosecutorial power that allows him to find Len
guilty of an offense for which he was not charged nor was at issue.

Mark Potts also links Len directly to the Legion of Doom and a variety
of hacking activity. Although a disclaimer appeared in a subsequent
issue of WP (a few lines on page A3), the damage was done.  As have
prosecutors, Potts emphasizes the LoD connection without facts, and
the story borders on fiction.

Potts also claims that Len was "swept up" in Operation Sun Devil,
which he describes as resulting "in the arrest and prosecution of
several hackers and led to the confiscation of dozens of computers,
thousands of computer disks and related items." This is simply false.
At least one prosecutor involved with Sun Devil has maintained that
pre-Sun Devil busts were not related. Whether that claim is accurate
or not, Len was not a part of Sun Devil.  Agents raided his house when
investigating the infamous E911 files connected to the Phrack/Craig
Neidorf case last January (1990). Although Len had no connection with
those files, the possession of unlicensed AT&T source code did not
please investigators, so they pursued this new line of attack.
Further, whatever happens in the future, to our knowledge *no*
indictments have occured as the result of Sun Devil, and in at least
one raid (Ripco BBS), files and equipment were seized as the result of
an informant's involvement that we have questioned in a previous issue
of CuD ( #3.02). Yet, Potts credits Sun Devil as a major success.

Potts also equates Rose's activities with those of Robert Morris, and
in so-doing, grossly distorts the nature of the accusations against
Len.  Equating the actions to which Len pleaded guilty to Morris
grossly distorts both the nature and magnitude of the offense.  By
first claiming that Len modified a program, and then linking it to
Morris's infectious worm, it appears that Len was a threat to computer
security.  This kind of hyperbole, based on inaccurate and
irresponsible reporting, inflames the public, contributes to the
continued inability to distinguish between serious computer crime and
far less serious acts, and would appear to erroneously justify AT&T's
position as the protector of the nets when, in fact, their actions are
far more abusive to the public trust.

After focusing for the entire article on computer security, Potts
seems to appear "responsible" by citing the views of computer experts
on computer security and law. But, because these seem irrelevant to
the reality of Len's case, it is a classic example of the pointed non
sequitor.

Finally, despite continuous press releases, media announcements, and
other notices by EFF, Potts concludes by claiming that EFF was
established as "a defense fund for computer hackers." Where has Potts
been? EFF, as even a rookie reporter covering computer issues should
know, was established to address the challenges to existing law by
rapidly changing computer technology.  Although EFF provided some
indirect support to Len's attorneys in the form of legal research, the
EFF DID NOT FUND ANY OF LEN'S defense. Len's defense was funded
privately by a concerned citizen intensely interested in the issues
involved. The EFF does not support computer intrusion, and has made
this clear from its inception.  And a final point, trivial in context,
Potts credits Mitch Kapor as the sole author of Lotus 1-2-3, failing
to mention that Jon Sachs was the co-author.

The Washington Post issued a retraction of the LoD connection a few
days later. But, it failed to retract the false claims of Len's plea.
In our view, even the partial LoD retraction destroys the basis, and
the credibility, of the story. In our judgement, the Post should
publicly apologize and retract the story. It should also send Potts
back to school for remedial courses in journalism and ethics.

Some observers feel that Len should have continued to fight the
charges. To other observers, Len's plea is "proof" of his guilt.  We
caution both sides: Len did what he felt he had to do for his family
and himself. In our view, the plea reflects a sad ending to a sad
situation. Neither Len nor the prosecution "won." Len's potential
punishment of a year and a day (which should conclude with ten months
of actual time served) in prison and a subsequent two or three year
period of supervised release (to be determined by the judge) do not
reflect the the toll the case took on him in the past year. He lost
everything he had previously worked for, and he is now, thanks to
publications like the Washington Post, labelled as a dangerous
computer security threat, which may hamper is ability to reconstruct
his life on release from prison.  We respect Len's decision to accept
a plea bargain and urge all those who might disagree with that
decision to ask themselves what they would do that would best serve
the interests both of justice and of a wife and two small children.
Sadly, the prosecutors and AT&T should have also asked this question
from the beginning. Sometimes, it seems, the wrong people are on
trial.

********************************************************************

------------------------------

                         **END OF CuD #3.10**
********************************************************************