spaf@cs.purdue.EDU (Gene Spafford) (09/02/90)
In article <1990Sep2.030722.25255@cs.rochester.edu> yamauchi@heron.cs.rochester.edu (Brian Yamauchi) responds to my posting: >I don't think anyone is arguing that the victims should be ignored, but >I have yet to see any reasonable justification for actions such as the >confiscation of equipment from Steve Jackson Games just because they >publish a Cyberpunk role-playing game. There is no evidence that the SJG system was confiscated "just because they publish a Cyberpunk role-playing game." (Of course, there has been no evidence that that was not the reason, either.) If you are going to be objective and fair about this, you can say "it APPEARS to ME that the system was confiscated because...." Three key things about this one incident (and related) that should be considered before making statements about such seizures: 1) The presentations made to the judges leading to the issue of search warrants have often been sealed. Therefore, it is not clear why the agencies involved felt they needed to confiscate the systems (and why the judge went along with them). 2) The law enforcement people involved have not (and in most cases cannot, because the cases are still pending) make public statements about the facts of these cases. 3) It often takes many months to do a thorough analysis of confiscated equipment, gather further evidence, and present an indictment. Just because an indictement has not yet been issued does not mean that one will not. Neither does it mean one will (or can be). Now, contrary to what some people claim, I'm not trying to defend the seizure of the equipment at SJG or claim that they (folks at SJG) were involved in something illegal. HOWEVER, I am also not claiming the opposite. The only side of the story we've heard so far is from the folks at SJG, and they would obviously not admit to anything illegal. Indeed, if only one person there was using the system for something illegal, the protestations of the rest would indeed be sincere and honest. We just don't know the full story yet -- if we ever will. Nobody should automatically be blamed in these situations; we do not automatically assume the guilt of the people whose equipment was confiscated, and neither should we automatically assume an abuse of power by government because we aren't privy to their investigation. The seizure of equipment at Steve Jackson Games may well turn out to be a terrible abuse by Federal investigators. It may turn out to be a terrible mistake. And it may turn out to be a step in a valid investigation. When statements are made, all three possibilities should be borne in mind. The real problems with this case (and others like it) have to do with how long it takes to search a computer system, the grounds under which a search warrant is issued, and the length of time it takes to either return the equipment or file charges. Those problems exist in other arenas, too, although we don't often hear about them because the people don't have e-mail access. >Certainly there is a role for anti-cracking, anti-virus organizations, >but such organizations exist (CERT and NCSC, for example). Not good examples. CERT responds to break-in reports and tries to help close up system holes. They don't do anything proactive. Neither does the (ex-)NCSC -- they develop security standards for systems, and do analysis of security methods. My "missing mission" statements didn't involve these groups because I wasn't talking about standards or response or enforcement -- I was talking about fostering a sense of responsibility along with any claim of rights. The two are very closely tied. >However, up >until now there have been no organizations devoted to protecting >electronic rights from government infringement -- EFF seems to be ready >to do so. I think it's unreasonable to require that EFF do the job of >CERT, just as it would be unreasonable to require that the ACLU do the >job of the FBI. I have not suggested that the EFF do the job of the CERT; if you think that, you misundstand the reasons the CERT exists, as well as misunderstand the reasons for my statements. The ACLU has a poor reputation with a segment of the population because of their (to some) one-sided approach to the law. I would like to see the EFF get across-the-board support from everybody, but that can't happen if they get a similarly one-sided reputation. Rights do not come without responsibilities. -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf
plouff@kali.enet.dec.com (09/05/90)
In several articles spaf@cs.purdue.EDU (Gene Spafford) writes... >I just finished reading through mailing #3, and I am disappointed. >Why? Because there is a very important mission statement missing from >the list given: helping to establish a sense of responsibility in >users of networks and computers. > and later... >I have worked as a consultant for a number of firms and government >agencies. I have seen transcripts of login sessions where hackers >damaged files, boody-trapped systems, stole proprietary information, >and crashed systems. I have had my own machine broken into and >damaged. I know from personal experience that there are some real >rotten people out there. Let's assume for the sake of argument that there is an organization promoting the security of networked computers. It actively tries to reach system managers with step-by-step guidelines on closing common security holes, provides security monitor software and actively lobbies with computer manufacturers to write and ship reasonably secure operating systems. In other words, this mythical organization is active in the "prevention" side of computer and network security. Is it reasonable for this organization to work for the rights of persons accused in computer crime-related activities? And later... >>I have yet to see any reasonable justification for actions such as the >>confiscation of equipment from Steve Jackson Games just because they >>publish a Cyberpunk role-playing game. > >There is no evidence that the SJG system was confiscated "just because >they publish a Cyberpunk role-playing game." (Of course, there has >been no evidence that that was not the reason, either.) >[...] >Now, contrary to what some people claim, I'm not trying to defend the >seizure of the equipment at SJG or claim that they (folks at SJG) were >involved in something illegal. HOWEVER, I am also not claiming the >opposite. The only side of the story we've heard so far is from the >folks at SJG, and they would obviously not admit to anything illegal. I would respectfully suggest that someone challenge Steve Jackson on this point when he speaks at a public general meeting of the Boston Computer Society later this month. -- Wes Plouff plouff@kali.enet.dec.com Digital Equipment Corp, Maynard, Mass.
spaf@cs.purdue.EDU (Gene Spafford) (09/05/90)
In article <15155@shlump.nac.dec.com> plouff@kali.enet.dec.com writes: >I would respectfully suggest that someone challenge Steve Jackson on >this point when he speaks at a public general meeting of the Boston Computer >Society later this month. Note that Mr. Jackson is not the only person who had access to his computer system. Things *may* have been transpiring of which he had (and still has) no knowledge. Also, as the system was hooked up as a bulletin board system, depending on the software and the care with which it was administered, it is possible that things crossed the system that no one at SJG knew about but were nonetheless a problem (unlikely, but certainly within the realm of possibility). -- Gene Spafford NSF/Purdue/U of Florida Software Engineering Research Center, Dept. of Computer Sciences, Purdue University, W. Lafayette IN 47907-2004 Internet: spaf@cs.purdue.edu uucp: ...!{decwrl,gatech,ucbvax}!purdue!spaf
emv@math.lsa.umich.edu (Edward Vielmetti) (09/07/90)
In article <11557@medusa.cs.purdue.edu> spaf@cs.purdue.EDU (Gene Spafford) writes:
Also, as the system was hooked up as a bulletin board system,
depending on the software and the care with which it was administered,
it is possible that things crossed the system that no one at SJG knew
about but were nonetheless a problem (unlikely, but certainly within
the realm of possibility).
For that matter, there's probably stuff passing through the usenet spool
directories on cs.purdue.edu which no one reads and which might possibly
be a problem for someone.
I believe the Electronic Communications Privacy Act might also be relevant.
--Ed
Edward Vielmetti, U of Michigan math dept <emv@math.lsa.umich.edu>
moderator, comp.archivesyamauchi@granite.cs.rochester.edu (Brian Yamauchi) (09/10/90)
In article <11522@medusa.cs.purdue.edu>, spaf@cs.purdue.EDU (Gene Spafford) writes: > > The seizure of equipment at Steve Jackson Games may well turn out to > be a terrible abuse by Federal investigators. It may turn out to be a > terrible mistake. And it may turn out to be a step in a valid > investigation. When statements are made, all three possibilities > should be borne in mind. What bothers me about this case is that even if noone at SJG was responsible for any criminal action, its employees will still suffer at the hands of the SS. Suppose this all turns out to be a big mistake -- is the SS going to be held responsible for repairing all the damage it has inflicted? I'm not saying that the SS/FBI shouldn't go after the real criminals: credit card # stealers, virus writers, crackers, etc. But some recent actions smell more like a witch hunt to me -- in the 50s people worried about Reds overthrowing the government, now they're worried about Hackers wiping their bank accounts -- both fears may have some basis in reality, but this seems dwarfed by the level of overreaction. It's one thing to arrest (and if necessary shoot) KGB agents, it's another to blacklist Hollywood movie directors. Similarly, it's one thing to arrest crackers, and quite another to seize equipment from someone who makes a cyberpunk RPG. Perhaps some net.legal.expert can answer a question -- can Steve Jackson (and other victims) sue the SS (and other agencies) for his losses? If he does, what are his chances (assuming he and his employees are not charged/convicted)? _______________________________________________________________________________ Brian Yamauchi University of Rochester yamauchi@cs.rochester.edu Computer Science Department _______________________________________________________________________________
mnemonic@walt.cc.utexas.edu (Mike Godwin) (09/10/90)
Brian Yamauchi writes: >Perhaps some net.legal.expert can answer a question -- can Steve Jackson >(and other victims) sue the SS (and other agencies) for his losses? If >he does, what are his chances (assuming he and his employees are not >charged/convicted)? Based on what we currently know about the warrant, the chances are not very good. In general, the Federal Tort Claims Act bars actions against law-enforcement agents and agencies that cause harm to individuals while executing a lawful warrant. For a cause of action to accrue against, say, the Secret Service, it would have to be shown that the SS went beyond the authorization of the search warrant when they sought and seized all that property and paper and Steve Jackson Games. Now, the warrant was sealed, which means that few people have had access to the warrant itself and therefore few can say whether the language of the warrant has been overstepped. But since very broad search warrants have been held to be lawful in the past, I think the odds are fairly poor that Steve Jackson Games will recover in tort against the federal government. It's still possible, however, that we may all be surprised on that issue. --Mike Mike Godwin, UT Law School |"If the doors of perception were cleansed mnemonic@ccwf.cc.utexas.edu | every thing would appear to man as it is, (512) 346-4190 | infinite." | --Blake
bob@MorningStar.Com (Bob Sutterfield) (09/14/90)
In article <1990Sep10.012530.4008@cs.rochester.edu> yamauchi@granite.cs.rochester.edu (Brian Yamauchi) writes: In article <11522@medusa.cs.purdue.edu>, spaf@cs.purdue.EDU (Gene Spafford) writes: The seizure of equipment at Steve Jackson Games may well turn out to be a terrible abuse by Federal investigators. Suppose this all turns out to be a big mistake -- is the SS going to be held responsible for repairing all the damage it has inflicted? ...can Steve Jackson (and other victims) sue the SS (and other agencies) for his losses? If he does, what are his chances (assuming he and his employees are not charged/convicted)? About two years ago (exact references upon request, they're at home and I'm at the office), a small civil airplane was proceeding under Visual Flight Rules by a private pilot between two small Florida airports. During his landing rollout, the pilot found his craft suddenly and uncontrollably flipping onto its back. Upon extricating himself from the fuel-soaked wreckage, he was glad to see men in uniform nearby, and he began to approach them seeking assistance. The men in uniform were Customs agents (another branch of the Treasury department). They had been closely following the small airplane, without the pilot's knowledge, for some distance. They had just landed their helicopter near the small airplane, and the rotor wash caused it to flip. Thankfully, there was no fire. The pilot was instructed to lie on the ground while his airplane was thoroughly searched. When no drug-related contraband was found, the agents bid him farewell and departed. The aircraft was destroyed - a total loss, useful only for component salvage. When the pilot tried to sue the Customs Service for the damages caused to his airplane, he was denied permission. His insurance company declined to pay because the damage was the result of government action. The main difference that I (a pilot, but not a lawyer) can see between the airplane-flipping incident and SJG's is that, so far as I know, SJ was never in mortal danger.