I MARCH 1991 COMMUNICATIONS OF THE ACM

r ©

1 l/ I II

The following debate examines a landmark Donn Parker, Steven Levy, Eugene Spafford, electronic publishing case where the U.S. Paula Hawthorn, Marc Rotenberg, J.J. Buck government indicted the publisher of an elec- BloomBecker, and Richard Stallman all voice tronic newsletter on 10 felony counts of wire their individual concerns over the rights of fraud and interstate transportation of stolen vs. the risks to security. Interspersed property. Before the trial was over, such throughout the commentaries are quotes awesome issues as freedom of the gleaned from a panel discussion which press, the right to privacy, public occurred during the 13th National security, and the Constitution were Conference last called into question. At the center of it October when a group of writers, all was Craig Neidorf, then a 20-year- editors (and one attorney) examined the old college student. • Communications question of "Hackers: Who Are They?" asked Dorothy E. Denning, an expert Denning wraps up the discussion with witness for Neidorf's defense, to explore a rejoinder. • No doubt there are more the case and its far-reaching ramifications. Craig Neidorfs in our future; and many more She paints an insider's view of the event; re- questions to be raised as technology continues counting the indictments, the resulting trial, to allow us greater access to information not the rights of hackers, the role of government, intended for publication or public scrutiny. and the responsibilities--and liabilitiesmof This debate spurs us to consider: Does the computing community. • We then invited publishing sensitive information of specific seven of Denning's colleagues to comment on interest to hackers add fuel to a smoldering her conclusions as well as provide their own fire? Or does the U.S. Constitution indeed assessments of the way the case was handled. protect us from enveloping flames?

COMMUNICATIONSOF THE AOM/March 1991/Vol.34, No.3 2 3 U it d

A DEBATE ON ELECTRONIC PUBLISHING~ CONSTITUTIONAL RIGHTS AND HACKING

DOROTHY E. DENNING

24 March 1991/%1.34, No.3/COMMUNICATION$OFTHE ACM ~l n 1983, the media publi- and indictments provoked an out- security professionals, Phrack was cized a series of computer cry from people in the computer seen as a possible breeding ground break-ins by teenagers in industry who perceived the actions for computer criminals. They Wisconsin nicknamed "414 taken by law enforcers as a threat to found issues of Phrack among the hackers." At about the constitutional rights. One case in evidence of cases under investiga- same time, the popular movie War- particular that was cited as an ex- tion, and a told them that games depicted a computer wizard ample of threats against freedom of Phrack had provided information gaining access to the North Ameri- the electronic press was that of that helped him get started. can Air Defense (NORAD) Com- Craig Neidorf--a college student Phrack published 30 issues from mand in Cheyenne Mountain, Col- accused by the U.S. government of November 1985 through 1989. orado and almost triggering a fraud and interstate transportation Neidorf's main role with the news- nuclear war by accident. Since then, of stolen property regarding a doc- letter was editor of a column called a stereotype of a computer hacke/ ument published in his electronic "Phrack World News." In addition, has emerged based upon unscru- newsletter, Phrack. The trial began he was the publisher of issue 14, pulous young people who use their on July 23, 1990, and ended sud- and co-editor/publisher of issues computer skills to break into sys- denly four days later when the gov- 20-30. As publisher, he solicited tems, steal information and corn- ernment dropped the charges. I articles from authors, assembled

WN o C r&lg" N ©1"d or

puter and telecommunication re- attended the trial as an expert wit- the articles he received into an sources, and disrupt operations ness for the defense. issue, and distributed the issue to without regard for the owners and an electronic mailing list. OVERVIEW OF users of the systems. THE CASE On January 18, 1990, Neidorf Well-publicized incidents, such as received a visit from an agent of the the Internet worm [6] and the Ger- Craig Neidorf is a pre-law student U.S. Secret Service and a represen- man hackers who broke into un- at the University of Missouri. At the tative of Southwestern Bell Security classified defense systems and sold age of 13, he became interested in regarding a document about the information to the KGB [7], have computers, an extension of an ear- Enhanced 911 (E911) emergency reinforced that stereotype and lier intense interest in Atari 2600 system. This document, which was prompted policy makers and law and other video games. At 14, he in the form of a computer text file, enforcers to crack down on illegal adopted the handle Knight Light- had been published in Issue 24 of hacking. In May 1990, 150 Secret ning on computer networks and Phrack. During this visit, Neidorf, Service agents executed 27 search bulletin boards. At 16, he and a believing he had done nothing warrants and seized 40 systems as childhood friend started an elec- wrong, cooperated and turned over part of Operation Sun Devil, a two- tronic newsletter called Phrack. The information. The next day, the visi- year investigation led by Arizona name was composed from the tors returned with a representative prosecutors into incidents esti- words phreak and hack, which refer from the campus police and a mated to have cost companies mil- to telecommunications systems search warrant. Neidorf was also lions of dollars. Another investiga- () and computer systems asked to contact the U.S. Attorney's tion involving prosecutors in (hacking). To Phrack readers and office in Chicago. He did, and on Atlanta and Chicago led to several contributors, phreaking and hack- January 29 arrived at that office, indictments. ing covered both legal and illegal accompanied by a lawyer, for fur- Reports on some of the seizures activities, and some of the articles in ther interrogation. Again, the ~The term "hacker" originally meant anyone Phrack provided information that young publisher turned over infor- with a keen interest in learning about com- could be useful for someone trying marion and answered their ques- puter systems and using them in novel and to gain access to a system or free use tions. Neither he nor his attorney clever ways. Many computer enthusiasts still call themselves hackers in this nonpejorative of telecommunications lines. To were informed that four days ear- sense, some law enforcers and computer lier evidence had been presented to

COMMUNICATIONS OF THE ACM/March 1991/Vol.34,No.3 2 S a fedelral grand jury in Chicago for computer systems by various THE TRIAL the purpose of indicting him. On means." February 1, the grand jury was On May 21, 1990 Neidorf called The trial began on July 23, 1990 in given additional evidence and me to request a copy of nay paper Chicago's District Court for the charged Craig Neidorf with six about hackers, which I was prepar- Northern District of Illinois. It was counts in an indictment for wire ing for the National Computer Se- expected to last two weeks, with the fraud, computer fraud, and inter- curity Conference [1]. Although I government presenting its case state transportation of stolen prop- had not talked with him before that during the first week. I helped pre- erty valued at $5,000 or more. time, I knew who he was because I pare the cross examinations of the In June 1990, the grand jury met had been following his case in the government's witnesses and ex- again and issued a new indictment Computer Underground Digest, an pected to testify sometime during that dropped the computer fraud electronic newsletter, and in vari- the second week. charges, but added additional ous Usenet bulletin boards. Based After a day of jury selection, the counts of wire fraud. Neidorf was on what I had read, which included trial began with Assistant U.S. At- now charged with 10 felony counts the E911 file as published in Phrack, torney William Cook making the carrying a maximum penalty of 65 l did not see how the E911 file opening remarks for the prosecu- years in prison. could be used to break into the 911 tion. Cook reviewed the govern- The indictment centered on the system or, for that matter, any com- ment claims, weaving a tale of con- publication of the E911 text file in puter system. I was concerned that spiracy between Neidorf, Riggs, Phrack. The government claimed Neidorf may have been wrongly and members of the Legion of the E911 text file was a highly pro- indicted. I was also concerned that Doom who had broken into prietary and sensitive document a wrongful conviction--a distinct BellSouth computers. belonging to BellSouth and worth possibility in a highly technical Zenner then presented his open- $23,900. They characterized the trial--could have a negative impact ing remarks for the defense. He document as a road map to the 911 on electronic publication. reviewed Neidorf's history and in- phone system, and claimed that its In late June, I received a call volvement with Phrack, noting that publication in Phrack allowed hack- from Neidorf's attorney, Sheldon the goal of the newsletter was the ers to illegally manipulate the 911 Zenner of the firm Katten, Muchin free exchange of information. He computer systems in order to dis- & Zavis in Chicago. After several challenged the claims of the gov- rupt or halt 911 service. They fur- conversations with Neidorf and ernment and outlined the case for ther claimed that the document had Zenner, I agreed to be an expert the defense. He noted how the gov- been stolen from BellSouth by Rob- witness and provide assistance ernment had indicted Neidorf de- ert Riggs, also known as The throughout the trial. spite his extensive cooperation with Prophet, and that the theft and Zenner told me that John Nagle, them. He said that Neidorf believed publication of the document in an independent computer scientist his actions were covered by the First Phrack was part of a fraudulent in Menlo Park, California, had Amendment, and that his beliefs scheme devised by Neidorf and gathered articles, reports, and were formed from college classes members of the hacking group books on the E911 system from the he took as a pre-law student on con- Legion of Doom, of which Riggs Stanford University library and stitutional law and civil liberties. was a member. The object of the local bookstores, and by dialing a The government's witnesses scheme was to break into computer Bellcore 800 number. After Nagle through Thursday afternoon in- systems in order to obtain sensitive showed me the published docu- cluded Riggs, the Secret Service documents and then make the ments, I agreed with his conclusion agent, and employees of Bellcore stolen documents available to com- that Phrack did not give away any and of BellSouth and its subsidiar- puter backers by publishing the secrets. Nagle was also planning to ies. The evidence brought out dur- documents in Phrack. The govern- go to Chicago to help with the de- ing the examination and cross- ment claimed that as part of the fense and possibly testify. examination of these witnesses in- fraudulent scheme, Neidorf solic- Meanwhile, I gathered articles, dicated the E911 text file was not ited information on how to illegally books, and programs that showed the highly sensitive and secret doc- access computers and telecommu- there are plenty of materials in the ument that BellSouth had claimed, nication systems for publication in public domain that are at least as that BellSoutb had not treated the Phrack as "hacker tutorials." The useful for breaking into systems as document as though it were, and term hacker was defned in the in- anything published in Phrack. that Neidorf had not conspired dictment as an individual "involved (Some of these are referenced with Riggs. Although this seemed with the unauthorized access of later.) like cause for optimism, Zenner

26 March 1991/Vol.34, No.3/COMMUNICATIONS OF THE ACM reminded us that the government hacker tutorials published in Phrack published it in Phrack Issue 24 on loses very few cases. Issue 22; a login pro- February 24, 1989. The edited doc- On Friday morning, I arrived at gram; an announcement of The ument was less than half the size of the law offices to learn the govern- Phoenix Project in Phrack Issue 19; the original document, and was ment had been talking with Zenner and some email correspondence split into two Phrack files, the first about dropping the felony charges between Neidorf and Riggs. All (file 5) containing the main text and in exchange for a guilty plea to a these documents were introduced the second (file 6) containing the misdemeanor. Neidorf, however, as evidence by the government dur- glossary of terms. would not accept a charge for ing the presentation of its case. The government claimed that something he had not done. Mean- the E911 text file and Phrack ver- while, Zenner was meeting with the sion contained highly sensitive and U.S. attorneys. I went to the court- proprietary information that pro- room, where Zenner told me the Riggs testified that sometime dur- vided a road map to the 911 system government was now considering ing the summer of 1988, he ac- and could be used to gain access to dropping all charges. Zenner was cessed a BellSouth system called the system and disrupt service. The willing to lay out the case for the AIMSX and downloaded a file with claim was based on a statement defense to the prosecution; he a document issued by BellSouth made by an employee of Bellcore. asked Nagle and me to go to the U.S. Attorney's office and answer all their questions. We went, and Cook went through the E911 file paragraph by paragraph asking us for evidence that the material was or ~he r~gh~ of ~;he peop]le peacet'u~l]ly ~:o in the public domain. Nagle an- " swered most of the questions, ~I~SSe][iEI_ e o o ° FIRST AMENDMENT pointing Cook to the relevant pub- lic documents and demonstrating that the E911 Phrack file did not Services titled "Control Office As noted earlier, Nagle had lo- give away any secrets. Administration of Enhanced 911 cated articles and pamphlets that We then went to the courtroom Services for Special Services and contained much more information to await the final decision. Shortly Major Account Centers," Section about the E911 system than the thereafter, the court resumed, and 660-225-104SV, Issue A, March Phrack file. During cross examina- Judge Nicholas Bua announced the 1988. The document, which con- tion of the government's witness government's decision to drop tains administrative information who was responsible for the prac- charges, dismissed the jury, and related to E911 service, installation, tice described in the E911 docu- declared a mistrial. Five of the ju- and maintenance, bears the follow- ment, Zenner showed the witness rors were asked to remain and were ing notice on the first page: "Not two of these pamphlets available interviewed by Bua and both attor- for use or disclosure outside from Bellcore via an 800 number neys. At midday, the court ad- BellSouth or any of its subsidiaries for $13 and $21 respectively. The journed. except under written agreement." witness, who had not seen either Although Neidorf was freed of Sometime prior to September 1988, report before and was generally all criminal charges, he was not free Riggs transferred the file to a pub- unfamiliar with the public litera- of all costs. The trial cost of lic UnixTM system called Jolnet, ture on E911, agreed that the re- $100,000 was incurred by him and where it remained until July 1989. ports also gave road maps to the his family. Riggs testified he sent the E911 E911 system and included more text file to Neidorf via email from information than was in Phrack. Jolnet in January 1989 for publica- The witness also testified that a KEY DOCUMENTS tion in Phrack. He said he asked nondisclosure stamp is routinely The government's case focused on Neidorf to edit the file so that it put on every BellSouth document several documents that were pub- would not be recognizable by when it is first written, thereby lished in Phrack or were included in BellSouth, and to publish it under weakening any argument that the electronic mail between Neidorf the handle "The Eavesdropper." document contained particularly and others. These included the fol- Neidorf removed the nondisclosure sensitive trade secrets. lowing: the E911 text file and notice and deleted names, loca- The defense was prepared to Phrack version of that file; the tions, and telephone numbers, and argue that the E911 text file con-

COMMUNICATIONS OF THE ACM/March 1991/Vol.34, No.3 2 7 tained no information that was di- The defense believed that son of Bell Laboratories [4]. A re- rectly useful for breaking into the BellSouth's delay in acting to pro- cent article by Spafford gives details E911 system or any computer sys- tect the E911 document was incon- on the workings of the Internet tem. There were no dial-up num- sistent with its claim that the docu- worm [6]. bers, no network addresses, no ac- ment contained sensitive Password-cracking programs are counts, no passwords, and no information. To its credit, however, publicly available intentionally so mention of computer system vul- BellSouth did strengthen the secu- that system managers can run them nerabilities. The government rity of its systems following the against their own password files in claimed that the names, locations, breakins. order to discover weak passwords. organization phone numbers, and An example is the password cracker jargon in the E911 text file could be in COPS, a package that checks a useful for social engineering--that is, Unix system for different types of deceiving employees to get infor- The government claimed that three vulnerabilities. The complete pack- mation such as computer accounts files in Phrack Issue 22 were tutori- age can be obtained by and passwords. However, the als for breaking into systems and, as FTP from ftp.uu.net. Like the pass- Phrack version omitted the names, such, evidence of a fraudulent word cracker published in Phrack, locations, and phone numbers, and scheme to break into systems, steal the COPS cracker checks whether the jargon was all described in the documents, and publish them in any of the words in an on-line dic- published literature. Thus, the Phrack. These files, which corre- tionary correspond to a password in E911 Phrack file seemed no more sponded to one count of the indict- the password file. useful for social engineering than ment, were: Another file that the prosecution the related public documents. brought into evidence during the 4. "A Novices Guide to Hacking-- The defense was also prepared trial was file 6 in Phrack Issue 26, 1989 Edition" by The Mentor. to show that BellSouth had not "Basic Concepts of Translation," by 5. "An Indepth Guide in Hacking treated the document as one would The Dead Lord and The Chief Unix and The Concept of Basic expect a document of such alleged Executive Officers. This file, which Networking Utility" by Red sensitivity to be treated. Riggs testi- described translation in Electronic Knight. fied that the account he had used to Switching System (ESS) switches, 6. "Yet Another File on Hacking get into AIMSX had no password. contained a phrase "Anyone want Unix" by Unknown User. AT&T :security was notified in Sep- to throw the ESS switch into an tember 1988, that the E911 text file Files 4 and 5 of Phrack 22 briefly endless loop????" in a section on was publicly available in Riggs's di- introduce the art of getting com- indirect addressing in an index rectory on Jolnet, and Bellcore se- puter access through weak pass- table. This remark can be inter- curity was notified of this in Octo- words and default accounts, while preted as a joke, but even if it were ber. This was two months before File 6 contains a password-cracking not, the information in the article Riggs mailed the file to Neidorf for program. Most of file 5 is a descrip- seems no worse than Ritchie's code inclusion in Phrack, and about four tion of basic commands in Unix, for crashing a system, which is pub- months before its publication in which can be found in any Unix lished in the Unix Programmer's Phrack. Still, no legal action was manual. After examining these and Manual with the comment "Here taken until July 1989, nine months other Phrack files, I concluded that is a particularly ghastly shell se- from the time Bellcore was aware of Phrack contained no more informa- quence guaranteed to stop the the file's presence on Jolnet. At that tion about breaking into systems system: ..." [5]. point, Bellcore and BellSouth as- than articles written by computer The government's claims that serted to the government that a security specialists and published in these files were part of a fraudulent highly sensitive and dangerous doc- journals such as the Communications scheme were disproved by Riggs's ument was stolen. They urged the of the ACM, AT&T Bell Technical testimony and email (discussed U.S. Secret Service to act immedi- Journal, Information Age, and Unix/ later) showing that Neidorf and ately because of the purported risk WORLD, and in books. For exam- Riggs had not conspired to commit posed by the availability of this ple, Cliff Stoll's popular book The fraud by stealing property and "dangerous" information. How- Cuckoo's Egg [7] has been character- publishing stolen documents. ever, they did not tell the Secret ized as a "primer on hacking." In- By publishing articles that ex- Service that they had discovered all formation that could be valuable pose system vulnerabilities, Phrack, of this nine months earlier. The for breaking passwords is given in in one sense, is not unlike some government responded immedi- the 1979 paper on password vul- professional publications such as ately with a subpoena for Jolnet. nerabilities by Morris and Thomp- those issued by the ACM. The As-

28 March 1991/VoL34, No.3/COMMUNICATIONSOFTHEACM sociation encourages publishing likely to exploit, while hackers who strated his intentions to promote il- such articles on the grounds that in read Communications of the ACM may legal break-ins and the theft of pro- the long term, the knowledge of have learned something new about prietary information. To support vulnerabilities will lead to the de- breaking into systems or implanting its case, it brought into evidence sign of systems that are resistant to viruses. The Phrack reports on peo- email where Neidorf was relaying attacks and failures. But, there is an ple who were arrested may have messages between two other par- important difference between the discouraged some budding young ties. One party said he had other two publications. hackers from performing illegal Unix sources, including 4.3 BSD ACM explicitly states that it does acts; they also may have reminded Tahoe; the other asked for the not condone unauthorized use or hackers to take greater measures to Tahoe source so he could install the disruption of systems, it discour- cover up their tracks and avoid login program on some Internet ages authors of articles about vul- being caught. sites. nerabilities from writing in a way Even if Phrack promoted certain The defense believed the gov- that makes attacks seem like a wor- illegal actions, this does not make ernment's allegations against thy activity, and it declines to pub- the publication itself illegal. The Neidorf were weak on three lish articles that appear to endorse First Amendment protects such grounds. attacks of any kind. In addition, the publication unless it poses an immi- First, as with any publisher, the ACM is willing to delay publication of an article for a short time if pub- lishing the information could make ++Th+ v +h+ of +h+ p+opl+ +o ++ existing systems subject to attack. By comparison, Phrack appears per+ohm, hou+es, papers, +rid ef+ec+s, to encourage people to explore sys- tem vulnerabilities. In "A Novice's unre++monzb]e searches and seizure+, sh+]] nor Guide to Hacking," The Mentor + +o l++ed " gives 11 guidelines to hacking. The last says "Finally, you have to actu- ally hack .... There's no thrill quite nent danger to society. The thresh- mere receipt of a document is not the same as getting into your first old for this condition is sufficiently proof of intent to perform illegal system ... " Although the guide- high that, although courts have dis- acts. lines tell the reader "Do not inten- cussed its theoretical existence, it Second, after observing that the tionally damage *any* system," has never been met. source code contained notices that they also tell the reader to alter the code was copyrighted and pro- those system files "needed to en- prietary, Neidorf asked someone at sure your escape from detection Th+ T+o+n Hor+e Bellcore security for advice on what and your future access. ''2 The Logan Program to do. This action added credibility wording can be interpreted as en- The government found a modified to his claim that he had no intent to couraging unauthorized but non- version of the AT&T System V 3.2 perform illegal acts and that he did malicious break-ins. Thus, whereas login program in Neidori's files. not know that publishing the E911 reading Phrack could lead one to The program, which was modified text could be illegal. Although the the assessment that it promotes ille- and sent to Neidorf by someone E911 file had a nondisclosure no- gal break-ins, reading an ACM currently under indictment, was tice, the notice did not contain the publication is likely to lead to the part of the AT&T Unix source code words "copyright" or "proprietary." assessment that it discourages such and had "copyright" and "proprie- Third, how to write a Trojan acts and promotes protective ac- tary" stamps scattered throughout. horse login program is no secret. tions. The modifications included a Tro- For example, such programs have The actual effect of either publi- jan horse that captured accounts been published in Stoll's book [7] cation on illegal activities or com- and passwords, saving them in a file and an article by Grampp and Mor- puter security, however, is much that could later be retrieved. The ris [2]. Also, in his ACM Turning more difficult to determine, espe- government claimed that NeidorFs lecture, Ken Thompson, one of the cially since both publications are possession of this program demon- Bell Labs coauthors of Unix, ex- available to anyone. Computer se- plained how to create a powerful curity specialists who read Phrack 2Most system managers regard any modifica- Trojan horse that would allow its tion of system files as damage, because they may have found it useful to know must restore these files to a state that does not author to log onto any account with what vulnerabilities intruders were permit the intruder to re-enter the system. either the password assigned to the

COMMUNICATIONS OF THE ACM/March 1991/Vo1.34, No.3 2~ account or a password chosen by Judge Bua sustained their objec- news media, and publication of the the author [8]. Thompson's Trojan tion. E911 file in Phrack was compared horse had the additional property Two counts of the indictment with publication of the Pentagon of being undetectable in the login involved email messages from Papers in the New York Times and source code. This was achieved by Neidorf to Riggs and "Scott C." Washington Post. The government modifying the C-compiler so that it These messages, which were also had tried unsuccessfully to stop would compile the Trojan horse alleged to be part of the fraudulent publication of the Pentagon Papers, into the login program. scheme, were basically discussions arguing that publication would of particular individuals, mainly threaten national security. The members of the Legion of Doom. Supreme Court held that such The messages contained no plots to action would constitute a "prior re- defraud any organization and no straint" on the press, prohibited by solicitations for illegal information. the First Amendment. It therefore Correspondence surprises me that there is any doubt Issue 19, File 7 of Phrack an- that electronic publications should nounced "The Phoenix Project," RIGHTS AND be accorded the same protection as and portrayed it as a new beginning RESPONSIBILITIES printed ones. to the phreak/hack community Shortly before the Phrack case where "Knowledge is the key to the came to trial, Mitchell Kapor and Neidorf's indictment came in the future and it is FREE. The telecom- John Barlow founded the Elec- midst of a two-year investigation of munications and security industries tronic Frontier Foundation (EFF) illegal activity that involved the can no longer withhold the right to in order to help raise public aware- FBI, Secret Service, and other fed- learn, the right to explore, or the ness about civil liberties issues and eral and local law enforcement right to have knowledge." The new to support actions in the public in- agencies. As part of the investiga- beginning was to take place at Sum- terest to preserve and protect con- tion, the government seized over 40 merCon '88 in St. Louis. stitutional rights within the elec- systems and 23,000 disks. Several The government claimed this tronic media. The EFF hired the bulletin board systems were shut announcement was the beginning services of Terry Gross, attorney down in the process, including the of the [raudulent scheme to solicit with the New York law firm Rabin- Jolnet system on which Riggs stored and publish information on how to owitz, Boudin, Krinsky & Lieber- the E911 document. In most cases, access systems illegally, and its pub- man, to provide legal advice for the no charges have yet been made lication accounted for one of the Phrack case; Gross submitted two against the person owning the counts in the indictment. Yet, the friend-of-the-court briefings seek- equipment, and equipment that announcement explicitly says "The ing to have the indictment dis- seemed to have little bearing on any new age is here and with the use of missed because it threatened consti- illegal activity, such as a phone an- every *LEGAL* means available, tutionally protected speech. The swering machine, was sometimes the youth of today will be able to trial court judge denied EFF's mo- included in the haul. The Phrack teach the youth of tomorrow .... tion, but as it turned out, the case and computer seizures raised the practice of passing illegal infor- charges were dropped before the concerns about freedom of the mation is not a part of this conven- issue was seriously discussed during press, protection from unnecessary tion." Security consultants and law the Neidorf trial. searches and seizures, and the lia- enforcers were invited to attend Although certain information bilities and responsibilities of sys- . may be published legally, authors tem operators and owners. In this Although Neidorf was not and publishers should consider section, I shall discuss these issues charged with any crimes in 1988, how such information might be in- and give some of my own opinions the Secret Service sent undercover terpreted and used. In the case of about them. agents to SummerCon '88 to ob- hacker publications, the majority of serve the meeting. They secretly readers are impressionable young videotaped Neidorf and others people who are the foundation of through a two-way mirror during the future. Articles which encour- the conference for 15 hours. What Some observers interpreted age illegal break-ins or contain in- did they record? A few minors NeidorFs indictment as a threat to formation obtained in this manner drinking beer and eating pizza! freedom of the press in the elec- should not simply be dismissed as Zenner asked to introduce these tronic media. The practice of pub- proper just because they are pro- tapes as evidence for the defense, lishing materials obtained by ques- tected under First Amendment but the prosecution objected and tionable means is common in the rights.

30 March 1991/Vo1.34, No.3/COMMUNICATION8OF THE ACM can be reasonably confident that constitution in the same way that the owner of the system has not public meeting places and nonelec- The seizures of bulletin boards and participated in or condoned the tronic publications such as newspa- other systems raised questions activities under investigation, then pers are protected. This, of course, about the rights of the government it may be practical for the govern- does not necessarily mean they to take property and retain it for an ment to issue a subpoena for cer- should be free of all controls,just as extended period of time when no tain files rather than seize the entire public meetings are not entirely charges have been made. At least system. free of control. one small business, Steve Jackson When a complete system is Bulletin board systems often Games, claims to have suffered a seized, it seems reasonable that the provide private directories and serious loss as a result of having government be required under electronic mail. Private mail and equipment confiscated for over court order to provide copies of files should be given the same pro- three months. According to Jack- files to the owner at the owner's tections from surveillance and sei- son, the Secret Service raid cost his request and expense within some zure as First Class Mail and private company $195,000, and he had to time limit, say one week or one discussions that take place in homes lay off almost half of his employees month. or businesses. I believe the Elec- since all of the information about If a system shared by multiple tronic Communications Privacy Act their next product, a game called GURPS CYBERPUNK, was on the confiscated systems. Some of the person o o o &pA e l of ] fe, company's equipment was severely damaged, and data was lost. No ]l~]~er{y, or proper{y, w~{hou{ due process of charges have been made. ][ Seizing a person's computer sys- 8~ r o o o FIFTH AMENDMENT tem can be comparable to taking every document and piece of corre- spondence in that person's office users is seized, the search should be provides this protection. and home. It can shut down a busi- restricted to mail and files belong- The E911 text file was obtained ness. Moreover, by taking the sys- ing to the users under investigation. from a system with a null password. tem, the government has the capa- While this does not excuse the per- bility of reading electronic mail and son who got into the system and files unrelated to the investigation; L~aL~i~es an~ copied the file, I believe that system such broad seizures of paper docu- Respons~L~e~ of owners should take greater mea- ments are generally not approved ~ys~em ()perafors an~ sures to prevent break-ins and un- by judges issuing search warrants. authorized use of their systems. For these reasons, it has been There are known practices for pro- suggested that the government not The bulletin board seizures sent a tecting systems. While none of be allowed to take complete sys- chill through the legitimate net- these are foolproof, they offer a tems, but only the files related to work community, raising questions high probability for keeping in- the investigation. In most cases, this about the liabilities of an operator truders out and detecting those that seems impractical. There may be of a bulletin board or of any system. enter. Although the risks associated megabytes or even gigabytes of in- Operators of these boards asked if with insecure systems may not have formation stored on disks, and it they needed to check all informa- been great until recently, thereby takes time to scan through that tion passing through the system to justifying weak security in favor of much information. In addition, the make sure there is nothing that allocating more resources for other system may have nonstandard could be interpreted as a stolen, purposes, the risks are now suffi- hardware or software, making it proprietary document or as part of ciently great that weak security is extremely difficult to transfer the a fraudulent scheme. inexcusable for many environ- data to another machine and pro- Computer bulletin boards have ments. Moreover, system owners cess it. Similarly, if a computer is been referred to metaphorically as may be vulnerable to lawsuits if seized without its printer, it may be electronic meeting places where they do not have adequate protec- extremely difficult to print out files. assembly of people is not con- tion for customer information or Finally, originals are needed for strained by time or distance. Public for life-critical operations such as evidence in court, and the evidence boards are also a form of electronic patient monitoring or traffic con- must be protected up to the time of publication. It would seem, there- trol. trial. However, if the government fore, that they are protected by the Our current laws allow a person

COMMUNICATIONS OF THE ACM/March 1991/Vol.34, No.3 31 to be convicted of a felony for sim- The professional community rep- suggestions; to Pete Mellor for in- ply entering a system through an resented by ACM may be a good formation about the U. K. laws; and account without a password. I rec- source of such help. to my many friends and colleagues ommend we consider adopting a In the context of the new milieu who patiently educate me in areas policy where unauthorized entry created by computers and net- where I am vulnerable to my own into a system is at most a misde- works, a new form of threat has blindness. The views here are my meanor if certain standards have emerged--the computer criminal own and do not represent those of not been followed by the owner of capable of damaging or disrupting my employer. the system and the damage to in- the electronic infrastructure, invad- formation on the system is not high. ing people's privacy, and perform- References However, I recognize that it may be ing industrial espionage. While the very clifficult to set appropriate costs associated with these crimes 1. Denning, D.E. Concerning hackers standards and to determine may be small compared with com- who break into computer systems. In whether an organization has ad- puter crimes caused by company Proceedings of the 13th National Com- hered to them. employees and former employees, puter Security Conference (Oct. 1990). I also recommend we consider the costs are growing and are be- 2. Grampp, F.T., and Morris, R.H. establishing a range of offenses, coming significant. UNIX operating system security. possibly along the lines of those in For many young computer en- AT&T Bell Lab. Tech. J., 63, 8 (Oct. the U. K. Computer Misuse Act, thusiasts, illegal break-ins and 1984). which became effective in August phreaking are a juvenile activity 3. Lee, J.A.N., Segal, G., and Stier, R. 1990: that they outgrow as they see the Positive alternatives: A report on an consequences of their actions in the ACM panel on hacking, Commun. • Unauthorized access: seeking to world. However, a significant num- ACM, 29, 4 (Apr. 1986), 297-299; enter a computer system, know- ber of these hackers may go on to full report available from ACM ing that the entry is unauthor- become serious computer crimi- Headquarters, New York. ized. Punishable by up to six nals. To design an intervention that months' imprisonment. 4. Morris, R., and Thompson, K. Pass- will discourage people from enter- word security: A case history. Com- * Unauthorized access in further- ing into criminal acts, we must first mun. ACM 22, 11 (Nov. 1979). ance of a more serious crime: understand the hacker culture Punishable by up to five years' since it reveals the concerns of 5. Ritchie, D. On the security of Unix. imprisonment. Unix programmer's manual, Section hackers that must be taken into ac- • Unauthorized modification of 2, AT&T Bell Laboratories. count. We must also understand the computer material: introducing concerns of companies and law en- 6. Spafford, E.H. The Internet Worm: viruses, Trojan horses, etc., or forcers. We must understand how Crisis and aftermath. Commun. ACM causing malicious damage to all these perspectives interact. 32, 6 (June 1989). computer files. Punishable by up The 1985 ACM Panel on Hack- to five years' imprisonment. 7. Stoll, C. The Cuckoo's Egg. Doubleday, ing [3] offered several suggestions N.Y. 1990. for actions that could be taken to reduce illegal hacking, and my own 8. Thompson, K. Reflections on trust- CONCLUSIONS investigation confirmed these while ing trust. Turing Award Lecture, Making a sound assessment of the speculating about others [1]. Commun. ACM 27, 8, 761-763. claims made in the Phrack case re- Teaching computer ethics may quires expertise in the domains of help, and I applaud recent efforts computers, the Unix system, com- on the part of computer profes- TMUnixis a trademark of AT&T Bell Labora- puter security, phone systems, and sionals and educators to bring com- tories the public literature. Whereas Zen- puter ethics not only into the class- ner brought in outside technical room, but into their professional expertise to help with the defense, forums for discussion. Permission to copy without fee all or part of this material is granted provided that the the prosecution relied on experts copies are not made or distributed for direct belonging to the victim, namely, Acknowledgments commercial advantage, the ACM copyright employees of Bell. The indictment Special thanks to Chuck Bushey, notice and the title of the publication and its and costly trial may have been Peter Denning, Jef Gibson, Cynthia date appear, and notice is given that copying is by permission of the Association for avoided if the government had con- Hibbard, Steve Lipner, Craig ComputingMachinery. To copy otherwise, or sulted neutral experts before decid- Neidorf, Mike Schroeder, and to republish, requires a fee and/or specific ing whether to pursue the charges. Sheldon Zenner for many helpful permission.

32 March 1991/Vo1.34, No.3/COMMUNI~.,ATION$OF THE AC:M COMMUNICATIONSOF THE ACM/March 1991/Vol.34, No.3 33 ~F wenty years of study- at least according to the judge and shows a bias toward treating at least ing and writing the indictment. That issue was a some criminal activities against sys- about computer smoke screen used by the defense tems too lightly, even though she crime and the mali- and the EFF. The judge in this case has spent a good part of her distin- cious hacker culture stated that, "The First Amendment guished career engaged in research leads :me to conclude that Den- does not act as a shield to preclude to defend potential victims from ning's article presents a biased de- the prosecution of that individual such acts. Her bias also shows when, scription of a criminal case. The [who violates an otherwise valid describing the opening remarks at author states some ill-conceived criminal statute] simply because his the trial, she states that the prosecu- and naive conclusions and recom- criminal conduct involves tor "weaved a tale of conspiracy," mendations along with some sound speech .... In short, the court while Zenner for the defense "re- and p'~ractical ones. For example, finds no support for Neidori% ar- viewed ... noted ... challenged well-publicized incidents have not, gument that the criminal activity ... and outlined" in justifying as she concludes, necessarily with which he is charged in this case Neidorf's actions. And she cites the prompted law enforcers to crack is protected by the First Amend- maximum possible sentence facing down on illegal hacking. Rather, ment." Neidorf and the EFF failed Neidorf, even though such sen- the actions of law enforcers have to stop the trial on First Amend- tences are extremely rare; it would revealed a criminal problem that ment rights issues. have been more objective and less results in publicity. Otherwise, the If the trial had not been cut short explosive to state the range or aver- incidents would not be publicly by one flaw in the prosecutor's case, age. Denning presents the trial known, since victims usually at- I suspect that Neidorf would have strictly from the defense perspec- tempt to keep their embarrassing been easily convicted--if even a few tive. I would want to hear the pros- losses to themselves. of the offenses and evidence in the ecutor's and victim's perspectives Contrary to the author's state- indictment were valid. After all, before reaching the same conclu- ment, the outcry about computer Neidorf apparently did not know sions as the author. seizures and indictments from peo- that some of the information in the The author says that publication ple in the computer industry is not stolen BellSouth proprietary E911 of the E911 document owned by overwhelming. It comes from a report was being sold legally else- BellSouth was inconsequential. But very small number of people con- where, and his denial of knowing she leaves us wondering why cerned about two or three (seem- that the information he used was Neidorf removed the nondisclosure ingly extreme) incidents which are stolen or sensitive seems, in view of notice and deleted names, loca- still open questions since we have his admitted actions, implausible. tions, and telephone numbers from not yet heard the victims' and law On strictly moral and profes- the document before publishing it. enforcers' sides of them. Of course, sional grounds, I believe that pub- She also states that it was only law enforcers will use significant lishing criminal methods is impor- claimed that Neidorf's alleged con- force when the suspects brag that tant and fully justified when done spirator, Riggs, stole the document they will use guns against officers with the intent of helping people to from BellSouth, when in fact Riggs serving search warrants. And, of protect themselves. However it is was convicted of the theft before course, computers and computer antisocial, irresponsible, and im- the Neidorf trial. media are going to be seized and moral to publish the same material The author reports that publish- kept a,; long as possible when the when the intent is to amuse other ing criminal methods in Phrack has hacker.-owners publicly claim they people and tempt them to violate been compared with publishing the are going to bring down our tele- the rights and property of others. Pentagon Papers in the New York phone systems in retaliation for Those who engage in this activity Times and claims the publications indictment. are abusing their civil rights, and I should be accorded the same pro- Denning asserts that although believe we should treat such people tection. Although she is right about Phrack'~ publication of information as our adversaries, not our col- equal protection in general, the from E911 may have been im- leagues. comparison is weak. Phrack was proper, it was still protected by the Denning writes, "... articles in publishing methods used in an al- First Amendment as free speech. It Phrack provided information that leged criminal conspiracy for an was, of course, protected to the ex- could be useful for someone trying audience of malicious juvenile tent that any publication is pro- to gain access to a system or free use hackers. The New York Times was tected unless it is part of a conspir- of telecommunication lines." These publishing information alleged to acy to commit a crime. But the are euphemisms for breaking into be of national policy importance, freedom of the electronic press had others' computers and engaging in under the ethical constraints im- nothing to do with the Neidorfcase-- toll fraud. Her choice of words posed by society and the journalistic

34 March 1991/Vo1.34, No.3/COMMUNICATIONS OF THE ACM profession. pute this generality. In 20 years of The author states that, "Phrack interviewing malicious hackers, I appears to encourage people to have found that many spent their explore system vulnerabilities." teen years in a culture dedicated to g~ea~ ea~aei~y ~to ra~io~-~ This is another euphemism for tak- antisocial behavior, and that they ing advantage of vulnerabilities in lie, cheat, exaggerate, and steal, as a other people's computer systems by matter of course. Understanding breaking into them and violating the hacker culture does not mean their privacy. She further uses the that we must accept the hackers' SHELDON ZENNER term, "unauthorized but nonmali- "program" and values. Attorney cious break-ins." I conclude that the Contrary to popular belief, there Represented Craig Neidorf author believes that at least some is no single profile of malicious unauthorized break-ins are not hackers. There is a broad spectrum malicious. This is surprising com- of individual wrongdoers, each ing from someone so dedicated to having a unique motive and ration- protecting civil rights, and privacy ale for the offense; each having a is imFor an in particular, since breaking into different set of ideals, ethics, family other people's computer systems background, peer relations, goals, without their knowledge or permis- education, religious beliefs, and sion is surely a violation of privacy other values. Malicious hackers as well as an offense in federal and range from pranksters to attention most states' criminal laws. seekers, followers (groupies), hero 99 Denning suggests that adequate idolizers, antisocial aberrants, de- ass F6ons° security of systems be a criterion for linquents, occasional or part-time whether an attack is a minor or a criminals, career criminals, extreme KATIE HAFNER severe crime. I would rather keep advocates, and terrorists. There- Author the tradition of the criminal code fore, solutions must also be highly On the worthwhileness that determining if an offense is a varied and precisely applied, be- crime depends on the intent of the cause if not carefully matched to of hackers perpetrator and the seriousness of the particular individuals, they will the act, and not on the vulnerability fail. For some young hackers, a of the victim. There are specific strong dose of applied ethics and criminal laws such as the Foreign law instruction will suffice. For oth- Corrupt Practices Act and creating ers, forced removal from a peer 'H he s Jo; go a public nuisance to deal with fail- group and use of computers is nec- ure to meet a standard of due care. essary. For some, severe financial Denning wants to make unauthor- penalties on parents may work. ized entry into a system at most a Some require criminal convictions misdemeanor if certain standards with light to severe sanctions, in- have not been followed by the cluding incarceration. We, as com- owner. But unauthorized entry puter professionals and scientists, alone can do tremendous damage can play personal roles--one on and deserves felony status in some one--and can also help with ethical FRANK DRAKE cases--for example, in a time-sensi- instruction as a group. However, Editor tive process control computer that many of the solutions require the normally has protection but was efforts of competent and experi- W.OR.M. vulnerable during a momentary enced psychologists, social workers, (defunct cyperpunk magazine) lapse. We must not bind the hands penologists, probation officers, law of the criminal justice system in enforcers, prosecutors, defense dealing with simple break-ins that lawyers, judges, and legislators. We lems I have seen was expressed by are made with intent to cause mas- must also work indirectly by edu- Senator Pat Leahy (D-VT) in his sive losses. cating, encouraging, and support- opening remarks to a U.S. Senate Denning calls the majority of ing these other professionals in subcommittee meeting on October readers of hacker publications "im- their work. 31, 1990: "As a prosecutor for pressionable young people who are The broadest and best solution to more than eight years in Vermont, the foundation of the future." I dis- the many malicious hacker prob- I learned the best deterrent for

COMMUNICATIONS OF THE ACM/March 1991/Vol,34, No.3 3 S crime was the threat of swift appre- an investigation as to why the ring, and will continue to occur; the hension, conviction, and punish- hacker culture--which on balance need for effective law enforcement ment. Whether the offense is mur- has been a boon for our economy and prosecution will only increase der, drunk driving, or computer and intellectual vitality--is seen by as our internetworking of systems crime--we need clear laws to bring certain officials as something to be and our reliance on computer tech- offenders to justice!" stamped out. While Denning's con- nology increases. Shouldn't our limited time be clusions are reasonable, I think that Most of the prosecutors and in- spent encouraging and supporting some deeper questions remain. In vestigators I have met over the young people whose behavior is my point of view, the problems we years are well-meaning, earnest good, ;as an example for the bad are seeing in electronic publishing, people. They are concerned about ones? Shouldn't we leave the deter- constitutional rights, and hacking the need to temper rigorous law mined offenders to the systems of are not caused by hacker criminals, enforcement with a hefty respect juvenile courts, social workers, and which despite the wide-open nature for civil rights and liberties. Unfor- other professionals that we as a so- of our computer systems have yet to tunately, when it comes to comput- ciety have established? Shouldn't grind the wheels of computation to ers, they are often at a loss. Com- we, as Denning recommends, be a standstill. No, the difficulty seems puting courses are not required in devoting our time to persuading to be in getting these rights ex- law school or criminal justice pro- young people, before they enter tended to the electronic realm. And grams. As a result, most law en- that dark culture, that their success certainly matters are only made forcement personnel are without in our field depends on behaving more difficult by the government's the necessary background to un- ethically and obtaining the formal scapegoating a small, though high- derstand the subtleties involved in education that we have established? profile, group of high-tech an- computer-related investigations. Shouldn't we be supporting and tiauthoritarians in the hope that Often, they are forced to rely on educating the law enforcers who our security will be heightened by outside advice--with unfortunate are sworn to uphold our civil rights throwing a few teenagers in jail. results if their advisors are inappro- and protect us from crime by work- priate, poorly informed, or biased. STEVEN LEVY ing with them instead of complain- Part of this gap in understanding ing about their shortcomings and Author of "Hackers: Heroes of the Computer Revolution" undoubtedly exists because com- giving aid and comfort to our ad- puter technology is so new and, in (Doubleday, 1984) versaries? many ways, unpolished. Until re- N.Y., N.Y. cently, people in law enforcement DONN B. PARKER Senior Management Systems and the justice system have had lit- enning has summa- Consultant tle need to understand issues of rized a number of SRI International networks and computer security. concerns about the Menlo Park, Calif. Also, not until recently has there use of computers, been any substantial concern within personal freedoms, the profession to make computing r~he most striking as- andD criminal prosecution. The top- and policy issues concerning com- pect of Denning's ics are broad and difficult to discuss puters accessible to "outsiders." I account is the gov- briefly, but she touched upon many think it is clear that, in addition to ernment's, wil!ing- important concerns. With the ex- pointing out the instances in which ness to investigate ception of a small disagreement those individuals who make and and prosecute without ascertaining with one of her conclusions, my enforce our laws make mistakes, we whether the effort is justifiable. Not comments are directed to adding need to make a better effort to edu- only was the government case non- further material for the reader to cate and assist them. As Denning existenl; on a legal basis, but the ef- consider. notes in her conclusions, we must fort was a questionable priority for First, I think it is necessary to try to understand all the various an investigative institution with lim- realize that while there have been perspectives involved in the appli- ited resources. After the govern- examples of improper prosecution cation of the law to computers. ment spoke to Neidorf and found of computer-related incidents, such My second general comment him anything but malicious, what as the Neidorf and Steve Jackson regards potential applications of could have been gained by bringing cases, there have also been a num- Fourth and Fifth Amendment him to trial? Nothing, unless the ber of quiet, fair, and successful rights to computing technology. I motive was to "set an example" to prosecutions at the state and na- believe part of our problems here other youths who flout authority. tional levels. Crimes related to com- are a direct result of our successes. In short, the Neidorfcase begs for puters have occurred, are occur- Technology has made it possible for

36 March 1991/Vo1.34, No.3/COMMUNICATIONSOF THE ACM a business to fit equivalents of its fil- may require weeks or months of ing cabinets, typewriters, printing effort to properly search all that has equipment, mailboxes, telephones, been confiscated. After the search billing department, encryption is completed, the system may need material, address books, fax ma- to be held for potential use at a trial chine, customer records, payroll, to be conducted after further inves- and more into a small computer tigation is completed. During all system. The result is a greatly this time, the owners are deprived ~u~ we Are ~o~ ~ ~ow=~o heightened vulnerability to fire, of use of the equipment and may theft, sabotage . . . or execution of suffer unduly. a search warrant. I am not convinced that these are As Denning noted, searching instances of over-broad searches millions of bytes of storage for evi- that should be prohibited so much dence is not a quick or simple task. as they are instances of undue reli- It is complicated by the many places ance on the technology. As I sug- where information may be stored. gested earlier, many of these same Data can be written to blocks on a systems might be completely wiped disk marked as "bad," and added out by a fire or malicious act be- eere erv ee agen between software-defined disk par- cause of their centralized nature. titions. Data can be stored offline Developing mechanisms to allow odd idZ' on other media, such as cassette suspects to get copies of seized tapes, which may be mislabelled media as suggested in the editorial and stored away from the computer may not, in itself, be enough. I be- EMMANUEL GOLDSTEIN system itself. The data may even be lieve that a combination of Editor stored in nonvolatile memory of methods--including stronger re- 2600 Magazine peripheral devices, such as laser quirements on the evidence re- (A hackers' quarterly) printers and autodialers. Someone quired to obtain a warrant, better wishing to conceal computer data education of law enforcement from searchers has many options agents, and perhaps less reliance on available. Furthermore, a suspect computers by users--is also neces- does not even need to hide illicit sary. This problem requires consid- data on a personal system. The data erably more thought before it can can be hidden at school, at a place be solved. of employment, or on a hobbyist My third comment regards Den- bulletin board system, all without ning's implication that First the rightful owner knowing of the Amendment rights naturally ex- act. tend (or should extend) to com- If the material is required for a puter communications. I am very successful investigation and prose- hesitant to endorse such a position cution, it is necessary to obtain it all without qualification. I certainly at once, as computer data is easily believe that freedom of expression a~ eon~Fira~or~a~ ~ once destroyed. This usually requires is a precious right to be protected. confiscation of everything that can At the same time, I am concerned be used as storage, including tapes, about the limits of such expression, printouts, and the I/O devices that because what we expresswith com- may have written them in non- puters has so many new and un- standard format. (Anyone who has foreseen dimensions. Would send- suffered the frustration of transfer- ing a computer virus or worm (not ring diskettes between PCs with the source code--the executable) misaligned heads should be able to through electronic mail be pro- understand this.) Items that may tected as a form of expression? GORDON MEYER not be recognized by the owners as Should the use of other people's Coeditor possible storage places, such as the computers and networks for the Computer Underground Digest tapes in an answering machine, propagation of bulletin boards and may also need to be seized. mail be something that could not be After material has been seized, it regulated? Would instigating an

COMMUNICATIONS OF THE ACM/March 1991/Vol.34, No.3 3 7 email flood that causes a machine to cause I forgot to lock the door one y comments on crash be a protected form of ex- night. Denning's edito- pression? Is it perhaps naive to A better method would be more rial come from speak of First Amendment rights analogous to what happens in cases three different when we are referring to communi- of car theft: car thieves do not re- perspectives: as cations that potentially cross our ceive a lesser charge if the keys are chair of the ACM Committee on national boundaries into countries left in the ignition; however, the Scientific Freedom and Human that have different traditions of owner may find that his or her in- Rights (SFHR), as a person who individual rights? surance provides reduced or no studies the field of secure systems, My ambivalence on this issue is recovery in such cases. Breaking and as a private citizen. tinged with real alarm at incidents into a computer is wrong, and is not There are four issues that are such as the attempted banning of something that is done accidently addressed in the editorial: Usenet newsgroups at Stanford --the intruder must actively seek (1) Should electronic publications University, the University of Water- entry. be accorded the same [First loo, and other institutions. I believe Likewise, the lack of appreciable Amendment] protection as printed the increased incidence of efforts to damage should not be grounds to ones? (2) Should the" government ban books, movies, telecasts, and reduce a charge, although it should be constrained in what can be artwork viewed as obscene, racist, certainly be considered as a mitigat- seized for evidence? (3) Should the blasphemous, or otherwise contrary ing circumstance during sentenc- operators of electronic bulletin to the narrow interests of some in- ing. Considerable damage has been boards be held accountable for dividuals should not be allowed to caused by people who were 'just what is published on the boards? creep further into the realm of looking around" on others' systems. (4) Should there be a range of of- computer communications. At the Furthermore, for the victim, it is fenses for electronic "breaking and same time, I believe we should be often impossible to tell what has entering"? There is another, over- cautious that we do not end up with actually occurred during such an riding issue that the editorial ad- a situation where disruptive and incident, and recovery must often dresses: (5) How can we, as com- destructive behavior on the net- be performed as if a more substan- puter scientists, deal with the hacker works is (accidentally or otherwise) tial attack had been made. To the hysteria that seems to be sweeping given constitutional protection. victim, any break-in is likely to re- through the law enforcement agen- Neither do I think we want a future sult in considerable effort. Further- cies in this country? where computer users in the U.S. more, reducing the charges because Let us start with (5). The SFHR are prolhibited from connecting to of minimal actual damage fails to has historically been concerned international networks because take into account intent and ability-- with issues of discrimination against local (U.S.) law protects them as intruders apprehended immedi- computer scientists, especially they ignore international law and ately after breaking in may not yet where the discrimination was based custom. have had an opportunity to cause on one hysteria or another sweep- My last comment to Denning's damage, nor should they be given ing a country. Hacker hysteria is thought-provoking editorial is di- the opportunity to do so. difficult to counter, because there rected to her conclusion that simple In closing, I second the comment are real crimes being committed, unauthorized computer intrusions in Denning's conclusion about the and in some cases the hackers should not be considered serious necessity of bringing these discus- themselves attempt to justify the (i.e., considered as a misdemeanor). sions into classrooms and profes- crimes in the name of freedom of Here, I must disagree. Although I sional forums. The editorial raises information. The SFHR has not believe that the computer operators some very important issues that we been formally polled on this issue, should bear some responsibility if need to continue to discuss and but our general approach has al- they have not followed reasonable consider. The computing profes- ways been that the laws of a coun- security precautions, I do not be- sion, as represented by such organi- try, and the commonly accepted lieve a 1:eduction in charges is the zations as the ACM, should be help- rules on the humane treatment of way to do it, for it does not directly ing to guide the development of individuals, must not be swept aside impact them as intended. Instead, it fair and just laws, not merely react- by some hysteria. In the case of rewards the perpetrators of the ille- ing to cases like that of Craig Neidorf hacker hysteria, the problem par- gal acts, possibly because of an acci- and Steve Jackson Games. tially arises from the discovery by dent or oversight. For instance, I EUGENE SPAFFORD the media and others that the would not expect that criminal Assistant Professor growth of computer technology has charges would be reduced if some- Purdue University left us all vulnerable in mysterious one illegally entered my house be- W. Lafayette, Ind. ways to technologically induced

38 March 1991/Vol.34, No.3/COMMUNICATIONSOFTHE ACM failures. At Denning's panel discus- upon. Many of the hackers are boys he Neidorf case dem- sion on the hacker culture at the who are using hacking as previous onstrates the need to 13th National Computer Security generations used peeping-tomism view the recent spate Conference (Oct. 1990), an audi- or minor trespassing: for the sense ~ of prosecutions ence member stood with tears on of adventure, to satisfy curiosity, against computer his face as he described his son in etc. In the suburb in which I live, I hackers with some skepticism. The intensive care and his fear that once had the experience of a local government pressed its charges some hacker could change the au- teenage boy breaking into our against Craig Neidorf on all fronts. tomatic monitoring system on the house and doing various nonde- Spurious allegations were made in computer that was keeping his son structive things. When the police the national press as well as the alive. We are using computers, net- were called, they did not take the courtroom. Without good legal as- works of computers, in situations invasion of privacy very seriously: sistance and the help of computer that are very scary, and the idea no man-hunt, no breaking down experts, Neidorf might well have that someone can cause harm to doors, they didn't even dust for fin- gone to jail based on charges that happen is dreadful. The answer gerprints. Yet I experienced pre- should never have been brought. that a panelist gave the man--that cisely the same feeling of invasion This case should make clear to both no responsible hospital would or as I did when someone broke into a prosecutors and the public that fear should allow outside access to that computer I was using at work. I do and ignorance provide a weak computer, is not enough to reduce not condone either case: I simply foundation for a criminal indict- the scare, and did not satisfy the say they are the same. Each action ment. man. What can we do to help calm that can cause harm if your com- Computer-related crime is likely this hysteria, and to be certain that puter is broken into can be trans- to be a growing problem in this human rights and scientific free- lated into an action that can cause country. More valuable informa- dom are not swept away by it? harm if your home is broken into. tion will be stored in computer sys- Denning's editorial is an excel- So having a range of offenses, com- tems and more financial transac- lent example of what we can do. We parable to the range of offenses tions will occur on computer can focus on the facts of the situa- that exist for breaking into homes networks. Investigating and prose- tions, and refuse to participate in makes sense: walking into a house cuting these cases will pose new the hysteria. The four issues raised that is not locked is still a crime, but challenges for the law enforcement relate precisely to the facts of the less of a crime than breaking down community, the courts, and the leg- situations: (1) Should electronic a wall and destroying everything in islators. As Denning's editorial publications be accorded the same sight; and the most severe situation shows, computer scientists will also protection as printed ones? If com- is one in which property is stolen or have an important responsibility in puter scientists are to be given the people are hurt. These ranges need helping to sort out complex techni- same rights as everyone else, the to be built into the laws. cal questions. answer to this question clearly must As one who studies security is- At the same time, both profes- be "yes." (2) Should the govern- sues, I must say that this hysteria is sionally trained computer scientists ment be constrained in what can be truly misplaced. It continues to be and the public should be wary of seized for evidence? Again, com- reported that those who do the any prosecutions directed toward puter scientists must be allowed to most harm to systems are those who the exchange of digital informa- continue their work, even when have a right to use those systems: tion, as opposed to acts of destruc- accused of a crime. There need to the hospital maintenance person is tion or theft. The tendency in some be clear constraints on what is more likely than a hacker is to load quarters to view information itself seized for evidence, and for how the wrong program and cause a as a threat is at odds with the First long. (3) Should the operators of problem. Security features must be Amendment and our system of electronic bulletin boards be held appropriately viewed, of course; to open government. This is not a accountable for what is published? do less is irresponsible. But also we technical matter; it is a reflection of To reduce the free exchange of in- need to understand how to assure a system of government that is in- formation on electronic bulletin the correct functioning of this tech- tended to promote the exchange of boards is not in the service of de- nology. information and the protection of mocracy. Is the telephone company individual liberty. liable for what is said over tele- PAULA HAWTHORN Our laws draw a clear line be- phone lines? No. Chair tween words that may cause harm The question of a range of of- ACM Committee on Scientific and acts that result in actual harm. fenses for electronic breaking and Freedom and Human Rights If we did not make such a distinc- entering (4) needs to be expanded San Jose, Calif. tion, the shelves of many libraries

COMMUNICATIONS OF THE ACM/March 1991/Vol.34, No.3 3 and the racks of many newsstands puter security professionals. Mildly, republishing material wrongly al- would be left bare. Mystery 0ovels sweetly, she reports little that she leged to be valuable proprietary and hL,;tory books might well be re- did not personally experience, and information was enormously stu- strictecl because some passagi~s de- thus suggests much more than she pid. Could these two cases be the scribe criminal acts, or other pas- states. consummation of two years of in- sages recount acts of espionage. A master of understatement, she vestigation? It seems to me that Computer scientists should be par- notes without comment that the what we have here is more than ticularly cautious about govern- Secret Service secretly videotaped technological time lag. ment efforts to restrict the ex- Craig Neidorf and others drinking I suggest we are looking at "para- change of information because of beer and eating pizza. This investi- noia a deux." This is a unique the importance of the free flow of gation, if that is what is was, oc- dance in which each participant information to computer network- curred through a two-way mirror draws strength and support to the ing and technical innovation. for 15 hours, at SummerCon '88 in extent it can portray the other as Recognizing the right of Craig St. Louis. frighteningly strong and unprinci- Neidorf to publish Phrack is not an Why, concerned citizens and tax- pled. Its most potent current mani- endorsement of the views ex- payers will want to ask (perhaps festation is the posturing between pressed in Phrack. It is for each per- with greater anger than Denning Sadaam Hussein and George Bush. son to decide whether Phrack's edi- demonstrates), would professional Closer to home, the suggestion of a torial policies are appropriate or law enforcement personnel go to war against computer crime evokes respon:fible. However, it is not the such lengths? Demonstrating the similar passions. government's role to make such a eternal verity of the cliche that a lit- Those symbolizing the establish- judgement, and its heavy-handed tle knowledge is a dangerous thing, ment (i.e., law enforcement) and efforts to silence Phrack were po- the agents had apparently taken as those symbolizing the antiestablish- tentially as threatening to a new gospel the announcement that The ment (i.e., the "dreaded hackers") generation of electronic publishers Phoenix Project would begin at this can alternately deify and villify each as they were to Craig Neidorf. conference. The announcement, other, neither group showing much As a matter of legal precedence, Denning tells us, stated the goal of a interest in its relation to society as a the Neidorf case is not significant. community where "Knowledge is whole. No legal issues were adjudicated the key to the future and it is Aside from the restraint that and no new law was established. FREE." Clearly, this was probable makes her observations so palata- But the case has helped to raise cause to suspect a devilish conspir- ble, Denning's article is refreshingly important questions about the acy was afoot! commonsensical. Understand those prosecution of computer crime and Without this piece of historical whom you would pursue and pun- the importance of digital networks perspective, we might be tempted ish, she tells us. for the: exchange of inforriaation. to echo the optimistic view of law Consider the extensive resources These issues require further explo- enforcement suggested by John devoted to the investigation now ration and the best efforts of all Barlow in his now classic "Crime commonly called Operation Sun who are interested in the future and Puzzlement." Barlow seems to Devil. How much money does it development of digital information believe that law enforcement offi- take to justify a two-year surveil- system.,;. cers investigating computer crime lance extensive enough to involve are nothing more than a bunch of spying on pizza parties and violat- MARC ]~'OTENBER G blunderers, needing little more ing legitimate businesses' constitu- Director than technological training to re- tional rights? How much fear of Computer Professionals for turn to the path of righteousness hacking was required to sell this Social Responsibility and respect for the American way. expense to the higher-ups in the Washington, D.C. Somehow, I find it hard to agree. Secret Service, and various state I have read the search warrant and federal prosecutors' offices. It f the Electronic Frontier which eventuated in the seizure of required more fear, I believe, than Foundation wants a speech- large quantities of computers, print any documentation of Operation writer like President and computer media from Steve Sun Devil has yet shown. Instead, Bush's, Dorothy Denning is Jackson Games in Austin, Tex. I what I see looks more like a case of the ideal candidate. Her have read a number of the briefs in inadequate reflection. article offers a "kinder, gentler" the Craig Neidorf case. Frankly, I In fact, lashing out at hackers perspective on the dynamic which find the seizure at Steve Jackson with an operation as mammoth as involves young computer enthusi- Games unconscionable. At best, Operation Sun Devil is like throw- asts, law enforcement, and corn- prosecuting Craig Neidorf for ing a brick at a mirror. Like it or

40 March 1991/Vo1.34, No.3/COMMUNICATIONSOF THE ACM not--and clearly there are many in achieved anyway. Punishing unau- Ultimately, laws against unau- law enforcement who do not-- thorized access confuses means thorized access (or unauthorized Craig Neidorf, Steve Jackson, and with ends. anything) reflect the urge to control those who fancifully call themselves Unauthorized access is some- the actions of other people--a the Legion of Doom, are saying no times compared with trespassing. spirit of regimentation, in which more than rock star Boy George: They are similar in some respects, the greatest crime is disobedience. Before his fall from the public eye, but this does not imply they must be This spirit is incompatible with a the cross-dressed dandy sang per- judged alike. We do not, for exam- free society. suasively, pouting into the camera, ple, have laws against unauthorized But what about the practical "I'm the boy you made me." Hackers use of a typewriter. need for such laws? Carefully main- reflect social values: technological In addition, the analogy with tained computer security is effec- competence and impatience with trespassing fails to support the pro- tively impossible for casual visitors the property claims of others. We posed laws. To treat unauthorized to break. It is superfluous to prose- continue to reward wizardry and access as "computer trespassing" cute qffenses than can more easily ignore ethical behavior. Is it sur- would suggest a penalty compara- be prevented. prising when our young people get ble to that for real trespassing. In However, criminalization does our message? Massachusetts, this is one night in cause practical difficulties for com- I hope many of Denning's col- jail--worth avoiding, but not a seri- puter systems where strict security leagues will join her research. Con- ous matter. The Massachusetts state is not intended. fronted by a new form of social legislature, with this analogy in Many adolescent crackers are action, we need to be more reflec- mind, rejected a computer crime obsessed with security-breaking tive, and not simply try to destroy bill several years ago because the which they think of as a hobby and our reflections. proposed penalties seemed dispro- a challenge. They face a temptation J.J. BUCK BLOOMBECKER portionately severe. to do harmful things, but most of Director Certain activities--while not them resist it. When they visit a sys- National Center for harmful in themselves--are pro- tem, it is important to communicate Computer Crime Data hibited because they are considered with them, to encourage them to Santa Cruz, Calif. clear evidence of intent to commit a use their skills in a useful fashion. real crime. Unauthorized access is However, when unauthorized I concur with Denning's sug- not such evidence because most se- access is a crime, crackers are un- gestion that unauthorized curity breakers do no harm and in- derstandably afraid of communi- access to a computer should tend none. cating with anyone who might per- not be a felony--but this A breach of security may put a haps be planning to betray them to does not go far enough. person in a position to commit a the police. Even if we have no such The concept of justice is that only crime. Some would transfer the se- intention, there is no convincing actions that unjustly harm other riousness of these potential crimes way we can reassure them. people should be crimes. Unau- to the act of security-breaking itself; This inability to communicate thorized access in itself harms no but this would be inflicting punish- has the paradoxical effect of in- one, and thus should not be a crime ment for crimes that have not been creasing the likelihood that crack- at all. committed. ers will harden and move to actual Security measures are precau- Serious potential crime situations crime--the opposite of what tions-one method of preventing occur frequently in everyday life. criminalization is supposed to ac- various actions (including some For example, whenever two stran- complish. such as destruction of data) that we gers pass on a street, one could at- RICHARD STALLMAN can agree are crimes. However, tack the other. This suggests pun- Founder breaking security does not imply ishing the crime of unauthorized GNU Project such actions. presence on the street. Earlier this Cambridge, Mass. The harmless failure of a pre- year a black man was arrested for caution may raise concern regard- being in Wellesley, Mass. The police Permission to copy without fee all or part of this material is granted provided that the ing its effectiveness, and may sug- applied the reasoning that blacks copies are not made or distributed for direct gest that modifications are needed were unlikely to be authorized commercial advantage, the ACM copyright to reduce future risk; but it is not in users, and concluded he must have notice and the title of the publication and its itself a problem demanding a rem- been a criminal. This became a date appear, and notice is given that copying is by permission of the Association for edy. In this situation, the means (se- scandal because the man was fa- Computing Machinery. To copy otherwise, or curity) have failed, but the desired mous; otherwise it would not have to republish, requires a fee and/or specific end (avoiding harm) has been attracted attention. permission.

COMMUNICATIONS OF THE ACM/March 1991/Vo1.34, No.3 41 he electronic media have given us new paradigms for com- ~ municating, publish- ing, and conducting business. My colleagues' comments demonstrate significant disagree- ment on the interpretation of these paradigms, and they make clear these issues are not going to be solved merely by better computer security or law enforcement. Dia- logue is essential, and the points of disagreement show where that dia- logue is most needed. I would like to comment on four areas in which there is no clear agreement: whether there is a "hacker crackdown"; whether un- authorized entry alone is damag- D 9 ing; what penalties are appropriate when security is lax; and how young people who break into sys- tems or allegedly aid and abet crime should be treated. With respect to the crackdown, I agree with Parker that law enforc- ers are not taking disciplinary action on illegal hacking as a result of fear generated by well-publicized incidents, as I incorrectly suggested in the opening paragraphs of my article. Neither are they attempting to stamp out legal hacking or throw a small group of high-tech, antiau- thoritarian teenagers in jail in order to enhance security, as suggested by Levy. Rather, law enforcers are re- sponding to crimes reported by companies whose losses were suffi- ciently great to justify prosecution. Operation Sun Devil was the result of extensive credit card and toll fraud, and not a fear of hacking as BloomBecker states. I do not see what Hawthorn calls "hacker hyste- ria" in the law enforcement com- munity. Instead, I see an honest effort to be more responsive to computer crimes which have taken place. I also agree with Parker that the outcry over computer seizures and indictments has been prompted by only a few incidents--mainly the Neidorf and Steven Jackson cases.

42 March 1991/Vol.34, No.3/COMMUNICATIONS OF THE ACM Neither of these cases was part of there is no explicit damage, an in- believe that it is our responsibility as Sun Devil. I chose to write about trusion is disruptive because steps adults to help bring young people the Neidorf case because there are must be taken to remove the in- into the community as responsible important lessons to be learned truder and restore the system to a citizens. Many young people break from it and issues to be discussed. protected state. the law or encourage others to do I agree with Parker that we Since many hackers do not see so at some time in their lives. Most should support law enforcers, but I unauthorized access as harmful, we of them grow up to become respon- disagree with his view that we need to educate young people sible adults. While we should not should not raise concerns when we about the costs of their actions on approve of all their actions, treating see shortcomings. Doing so gener- organizations and why, as Parker them as our adversaries is, in my ates the opportunity for a different points out, unauthorized access is view, likely to alienate them and outcome in the future. regarded as a violation of the rights push them into a lifestyle of crime. The small number of complaints and property of others. At the same should not obliterate the fact that time, I agree with Stallman that we --Dorothy E. Denning most hacking cases have been han- must be careful that we do not pun- dled well. Law enforcers typically ish people for actions they could show considerable respect for civil have committed, but had no inten- liberties and an understanding of tion of committing. CR Categories and Subject Descrip- juvenile delinquency. There is a The role of computers in society tors: K.4.1 [Computers and Society]: wide spectrum of hackers and has changed dramatically from the Public Policy Issues--privacy, regulation; hacking cases, each requiring dif- early days of computing. Organiza- K.4.2 [Computers and Society]: Social ferent treatment. From what I have tions now use computers to support Issues--abuse and crime involving comput- observed, law enforcers are savvy to life-critical functions, keep track of ers; K.5.0 [Legal Aspects of Comput- ing]: General those differences. sensitive information, and manage General Terms: Legal Aspects, Secu- The second area of disagreement business operations. In such envi- rity is whether unauthorized entry into ronments, unauthorized access can- Additional Key Words and Phrases: a computer system is in itself dam- not be tolerated, and so it is reason- Computer crime, constitutional rights, aging. When Stallman says that able that our values and laws reflect electronic publication, enhanced 911 unauthorized access that does no that. Computer trespassing is now system, hacking harm should not be considered a regarded as blatant rejection of so- crime, he takes the position that it is cial values. not damaging. His view reflects his The third area of disagreement About the Author fundamental belief that all gener- is what penalties are appropriate DOROTHY E. DENNING is a member ally useful information, including when security is lax. I agree with of the research staff at Digital Equip- computer software, should be in Parker that a felony conviction is ment Corporation's Systems Research the public domain. He says that appropriate when extensive dam- Center where she researches computer most people who have gained ac- age was intended or performed, security and computer crimes commit- cess to his system have not damaged regardless of whether the system ted by young people. Before joining files or disrupted service. He be- was adequately protected. More- Digital, she served as a senior staff sci- lieves that most young people break over, I see merit in his position to entist at SRI and as an associate profes- in for the challenge and to learn treat an offense according to the sor of computer science at Purdue Uni- versity. Author's Present Address: rather than to cause harm. Parker's intent of the perpetrator and seri- Digital Equipment Corporation, Sys- use of the term "malicious hacker" ousness of the act, rather than ac- tems Research Center, 130 Lytton Ave., to denote any person who enters a cording to the vulnerability of the Palo Alto, CA 94301, denning@src. system without authorization shows victim. At the same time, system dec.com. a contrary view--that unauthorized administrators who permit lax se- entry is in itself harmful. Parker's curity are culpable for their own Permission to copy without fee all or part of view reflects his observation of negligence. this material is granted provided that the copies are not made or distributed for direct many cases where intruders dis- The fourth area of disagreement commercial advantage, the ACM copyright rupted service, stole trade secrets is how we should treat young peo- notice and the title of the publication and its and credit reports, read private ple who break into systems or pub- date appear, and notice is given that copying email, ran up huge phone bills, and lish magazines like Phrack that al- is by permission of the Association for Computing Machinery. To copy otherwise, or modified files. Spafford also points legedly promote criminal activity. to republish, requires a fee and/or specific out that considerable damage has Parker calls them our adversaries permission. been caused by people who were and suggests that I have given aid 'just looking around." Even when and comfort to our adversaries. I © ACM 0002-0782/91/0300-024 $1.50

COMMUNICATIONS OF THE ACM/March 1991/Vol.34, No.3 43