CFP'92 - Ethics, Morality, and Criminality
Wednesday, March 18, 1992 4:30-6:00 PM
Chair: J. Michael Gibbons, Federal Bureau of
Panel: Scott Charney, U.S. Department of Justice
James Settle, Federal Bureau of Investigation
Mike Godwin, Electronic Frontier Foundation
Emory Hackman, Esq. (former president, Capital Area Sysops Association)
Don Delaney, New York State Police
PETER DENNING: Ethics, Morality, and Criminality... Leading the session is Mike Gibbons, who is a member of our steering committee, and also a member of the Federal Bureau of Investigation. Mike...
GIBBONS: (latecomers being seated) That's O.K. We'll publicly humiliate and abuse anyone who sneaks in in the middle of a session, so they don't know what they're in for yet. Anybody who leaves early I'll also humiliate -- I can't do it yet, I have to save it for a good one. A lot of people may want to leave, since this is scheduled rather late. Some people said, why are we at the tail end of this, and I said, because we are the most interesting, we keep people here for this.
I've got to tell you a little bit about how we're going to run this session. It will be a little different from some other things you may have seen, and maybe the same, but probably similar to most of them in that we're going to ask some questions of the gentlemen here on my panel. I'm going to introduce them, or they are going to introduce themselves and tell a little something about themselves. I've got some pre-loaded questions, and we'll go through some of those. They will have a chance to answer a question, and other panel members will have a chance to ask questions back and forth amongst themselves. Then we're going to open it up to the floor, because I found last year we had 10 to 20 minutes for each speaker, and most of them took at least 10 to 20 minutes. Then we had five, ten, or fifteen minutes for questions. Well, I'd like to do it the other way around this time; I'd like us to speak less, and address questions a little more. So I feel that that will be a little better.
I'd like to give us a little continuity from last year, tell you a little bit about where we left off, and also where I came from and how they found me in this myriad of Cyberspace. I was invited to be on a panel chaired by Dorothy Denning last year. Like I said, we had a lot of really hard questions, because at the pinnacle of everyone's thoughts back then was the Robert Morris investigation. Even The Cuckoo's Egg wasn't a dead book or a dead case back then. I guess it's still a best-seller, but I'll talk a little bit about that.
I think people are still asking the question, "Are there computer crimes?" I'd like to give you my focus, my experience over the last few years relative to computer fraud and abuse or computer crime. I'm basically looking at three different types of computer crimes, the first being the computer used as a tool in a crime. Now go back to 1986 and 1987 with Mr. Lyndon Larouche. I was a lowly new street agent in Alexandria, Virginia, and they said, "Hey, Mike, we know you have a computer background. We're going to execute a search warrant on a data center run by the organization of Mr. Larouche." I thought, Boy, this is great fun. They said, "Yeah, it's a Wang VS100 system." And I said, "A what?" (laughter) I'm sure all of you have run those in all your organizations. We had one at FBI headquarters, and I immediately grabbed a system administrator for that and dragged him along. I also grabbed a software engineer and a hardware engineer from Wang, and had them go along. We had a team of investigators from the Secret Service go along with us. So we had 400 law enforcement personnel assembled -- I'm not kidding, 400 law enforcement personnel assembled in the wee hours of the morning ... about 4:00 in the morning. It was a really interesting case in that we had to go in and secure a data facility that had about 25 dialup lines. We had to make sure that no one was going to get in; we had to make sure we were able to get in to get the information in a timely fashion, and the timely fashion turned into a two-day consecutive search. It was quite a long search.
Let me take you back to the wee hours of 5:00 in the morning when the Virginia State Police brought along the Jaws of Life and split the door off its hinges to get into a data center at Mr. Larouche's organization -- they didn't want to give us the password or code for the door. So they took the door off the hinges, and I went in and interrupted the processor. I used a highly technical device called a pen. You stick it in this little hole and it stops the processor on the Wang. The Wang guys that came in were pretty beneficial -- they told me how to do this and I was prepared for it. I practiced. (laughter) Worked real well. (laughter) The amazing thing was when we walked into the computer room itself, I don't think we had guns drawn, but we walked into the computer room at about 5:30 or 6:00 in the morning. There was an amazing sight. I'm expecting this Wang VS100, and I'm looking at a Vax 11/785 fifteen feet long. I said, "Hey, Secret Service, you know what that is -- go get it. How about it?" And they said, "Oh, yeah. We'll take on the challenge," because they ran Vaxes at the White House, and they had some expertise in the Vax. So we went to the Wang and tried to get in and we found that they had passwords on this system. It was kind of tough to get into and we had to search through all the offices looking to see if anyone had written down a user name and password that would let us inside. The Wang engineers told us a wonderful thing: if you can get us on as any privileged user account, we can get around security. We said, "Hey, this is a great thing to know -- we've got one of these at headquarters." (laughter)
The guy we brought along from our FBI headquarters was a programmer analyst. We were trying various account system field tests -- they were doing that on the Vax also -- and finally we found an account, OPROPR, Operator Operator. It's an ancient logon -- see, I go back about 10 years, that's ancient in computer-speak -- but it got us right in and the Wang guys were able to list all the system passwords using some double-secret editor they had on the system. So they didn't let lowly users or system administrators have this. Some Wang engineers alone knew, I guess, but it was interesting.
I looked at the system console over on the Vax, and Secret Service was having a devil of a time trying to get it running. I went over and pointed at the clue on the floor, the twelve feet of printouts from the system console -- they had had some problems obviously. They flew in tape and disk packs by helicopter from the White House operating system, and they got that thing running. About six hours later, they got it up and found that the Larouche organization had been trying to move some data over to it. In fact, I think a few weeks later the Larouches called them up and said, "Thanks, we've been trying for six weeks to get that thing running, and the Secret Service did it in six hours." (laughter)
The case, though, surrounded information stored on a computer system. It brings to light some of the issues and some of the problems we have, and even more problems when we talk about the area of data encryption -- can we compel people to provide us the electronic key to get into a computer? This is starting to crop up.
I had another case where they were merely using the computer as the tool of a crime in order to keep financial records and information with a place called the Pan American Financial Corporation. The person used the first and last name as the login and password, and I was able to not have the problem of trying to force them to give me the login and password for the account. And that was after she told me -- the system person -- that there was no information on the computer. We don't take some things at face value.
In another case, we had Operation Illwind -- computers were used in every facet of a number of defense-related consultants to maintain information about dealings with... well, we called it bribery and conversion of government assets. They called it business. We executed search warrants for 42 sites on the same day. Of the 42 sites, most of them had electronic evidence. I won't say all, I think two of them didn't, but most of them had it and there's yet another book being written about that investigation. Just to let you know how quickly justice moves, I testified three weeks ago on a search where I seized the electronic evidence on a case from 1988. The person was convicted on six out of seven felony counts, so I got the evidence in and testified. I sweated four years just to testify for six minutes on the stand.
Because the computer is a facet in every way of business and life -- it's such an important function of the way I do business every day and I'm sure the way you do business -- there's another form of computer abuse called interruption of service as evidenced by the Internet virus. The Internet worm caused a tremendous discomfort to people across the country. It was amazing. I was the person who opened the case for the FBI, and then we also got a case opened up in the Ithaca office, and a person up there worked on the investigation. We went about it in the same routine way that we would investigate anything else. We simply gathered the facts. The problem we have in the area of computer fraud investigation is that we run into difficulty educating the investigator about the unique terms surrounding the computer environment. It's interesting to note that although Mr. Morris didn't write any malicious code in his Internet worm (we had a copy of his remark statements that were used at trial), he chose not to limit the growth or spread of his virus purposely (according to his remark statements), because it was very difficult to do, keeping a global database. He stated that right in his remark statements, or his wish list of what he wanted his virus to accomplish. He didn't want to be beaten at the game of this virus. He said right in there that if he were to have some limiting database then other people could G-core him -- an old term for being able to beat his program, or send out a virus that could kill his virus -- and he didn't want to be beaten at his game. But when we took this jury in Syracuse, New York -- and none of the people had any computer background whatsoever, in fact, none of them had any college education -- and we explained things like source code versus assembly code versus object code, we found it difficult, but the people were able to grasp the concepts quite well. I wouldn't like to do that in all cases. Hopefully, in the future I won't have to do that with all juries, but I think probably in most of America you're going to have the same problem in that most of these juries won't understand the crimes that we bring. In the remark statements, when he did use words like "steal a password file" or "break into as many computers as possible," we called these clues (laughter), and we put that up. The words "steal" and "break in" have kind of a negative connotation for society, so while this worm might be considered a minor interference in people's lives, there was quite a bit of cleanup and quite a bit of fear and things associated with it. Maybe later on we'll talk about that case.
I also want to mention, just briefly, The Cuckoo's Egg, which is the West German hacker case which started with Cliff Stoll, who can't be here today. I'm sorry he can't be at the conference -- he's busy writing a new book, a good book, too, I read the first three chapters. Basically, you have a case where people who are not malicious are stealing information. Recently we're seeing where Social Security information was stolen from computers. It's been alleged that people inside of law enforcement have sold information out of the National Crime Information Computer (NCIC). Information is very valuable, and it just comes back to the point that we are going to have to deal with the theft of information, the destruction of information, the interruption of service and operating systems as a very serious matter.
I hope some of you are going to have some questions in a little while for the individuals on this panel. I'd like to introduce them. We'll start with Mike Godwin, who's from the Electronic Frontier Foundation. Are you called a legal counsel?
GODWIN: Staff Counsel.
GIBBONS: OK. Next to him is Jim Settle, or James Settle, who is the Supervisory Special Agent in the Washington Metropolitan field office who now heads a team of investigators who investigate computer fraud and abuse matters. He'll talk about that a little bit.
Emory Hackman is seated next to him. Emory Hackman, Esquire, has the notoriety of understanding computers, having been in sysops, and having represented many corporations who provide electronic services. He also has the notoriety of being one of the few attorneys in the state of Virginia to pass the bar on the first time, and he never attended law school. I think that's interesting. (applause)
Next to him is Scott Charney, who is the unit chief of the Computer Crime Unit in the General Litigation section of the Department of Justice, and I'll let him talk about what their initiative is now.
On the end is Don Delaney, who is with the New York State Police as a long-term investigator, a frontline street fighter in the area of electronic crime. Once again, we'll ask him a few questions about what's going on currently.
So, first of all, we have a lot to talk about, and I'd like to give each of these gentlemen an opportunity to talk about his role in society, and his role and what each one thinks is important in the area of electronic crime. They've assured me that they'll be much more brief than I have been.
GODWIN: We could hardly help... (laughter) I work for the Electronic Frontier Foundation, and the focus of my work is in a large part on civil liberties issues. I go around the country and I lecture on certain kinds of civil liberties issues that come up in computer crime context. When Mike invited me to be on this panel, I looked at the title that said "Ethics and Criminality," and said, "Well, you know, I sense that what we're going to talk about, if there's an ethics discussion here, is whether it's ethical to commit computer crime or not." This has often been a discussion -- whether it's ethical to access somebody else's computer without authorization, and so on. To me, I was a little bit frightened by that, because I think we all agree -- everyone here on this panel agrees and shares disapproval of that activity and we regard it as unethical. I know I do. Nevertheless, I often have to deal with people who have acted in a way that I regard as unethical, and the cases in which they're involved often raise issues of rights that affect not only people who have acted unethically, but people who've acted ethically, and, in fact, affect the rights of everybody.
So I tried to say, "What issues have I talked about elsewhere that I could couch in ethical terms for this presentation?" A couple of things came to mind. I've wanted to talk about the fact that we've made a commitment in this society to give law enforcement and the government a certain amount of discretion in how they do their jobs. I think that's appropriate. The fact is, for every case that ever gets to a courtroom, there are countless cases that never make it there because they're disposed of in some other way by a prosecutor. Or even more often, they're handled in the field by a law enforcement agent or a policeman. If you have a cop on the beat, that actually deters crime without having anything happen in a courtroom.
There are some ethical issues that come to mind with regard to the handling of some criminal cases, some computer crime investigations. I'm not going to give you a list of every case that I know of, but I want to give you two cases that I think raise significant ethical issues in how the government has chosen to proceed in its handling of a computer crime investigation.
The first is a case involving someone who's attending this conference. It's over, so I can pretty much talk about it. It's a fellow named Craig Neidorf. In that case, it was alleged that he had received stolen property because he was the publisher of a hacker fan newsletter called Phrack, and he received a memorandum describing some terms in the emergency 911 system from a a person who took it from a Bell South computer without authorization. Neidorf acted, and I believe him when he said it, on the assumption that this information was appropriate for publication, that it was the kind of thing that fell within First Amendment protection.
But that's not the issue I want to raise. The issue I want to raise was the fact that in the course of Craig Neidorf's prosecution, it was alleged by the Federal Prosecutor, first of all, that the document was actually a program -- that it was the E911 code itself, and it could be used to shut down the emergency 911 system. The second thing was that the value of the document, at least at one point, was alleged to be $79,000. The thing that troubled me about that was that as we followed the case -- and we've looked at related cases -- we discovered that the value of the document, that memorandum of about 13 pages, was calculated in a memorandum from a Bell South employee to the Federal Prosecutor by adding in the actual cost of the Vax workstation on which the document was produced, plus the cost of the software. Even if you're not a computer expert... if, for example, you are a lawyer, you can look at that kind of memorandum, and I think if you look at it critically, you're going to see... I think that an ethical and a reasonable person who looks at this is going to question that kind of valuation of the document.
Nevertheless, Craig Neidorf was prosecuted and the case was publicized as if he had stolen property worth $79,000. One other aspect of that case that I think is worth mentioning is that eventually -- it was revealed, as the public got interested in the case -- that that document valuation was way high, and it was rounded down some. If you talk to people about the case now, including some people at the Secret Service, what they'll tell you is -- and by the way, the resolution of that case was that the government dropped it -- they'll tell you that, well, we got the valuation wrong, but he still took some property. It's still stolen property -- it's just lucky that there was a technicality in the statute that it didn't make the $5,000 threshold to make it a federal crime. It turns out that the information in the document was available for about $13 from one of the regional Bell operating companies.
This raises a separate issue, because not everything that is stamped "Proprietary" by a Bell operating company is proprietary information, trade secret, property interest kind of stuff. In order for something to be a trade secret, it has to be secret, which this information was not. And it has to in the very least give a competitive advantage to one of the competitors of the people owning the information. Bell South has no competitors, so there were some real issues. It wasn't just a case, in Craig Neidorf's case, that he got off on a technicality, that the property was worth less. There was a genuine issue about the property, about whether it was property at all.
Now, having given you the long legal background of that case, let me say this: I think that law enforcement people make good faith mistakes, and they often rely on experts who can help do that in as technical and as complicated a society as we live in today. Nevertheless, Craig Neidorf and his family had to spend $100,000 to avoid conviction in that case. I think that the Secret Service and the prosecutor involved have an ethical obligation, if nothing else, to admit they were wrong. They've never, never admitted they were wrong. What that says to me is that there is a certain amount of arrogance -- it's not everywhere, but it exists in some places in the investigation of crime -- that needs to be responded to, that needs to be rooted out, that needs to be challenged, that needs to be answered.
I'm going to give you one more case, and this one is a bit briefer. In a related case, the hackers who actually did get the document in Atlanta were sentenced, after having pled guilty for intruding in that Bell South computer and getting the document. The sentencing memorandum produced by the prosecutor in that case said that there ought to be jail time for these hackers, because jail time is a deterrent. In the Robert Morris case, which Mike referred to, Robert Morris was sentenced to no jail time. He only had to do about 400 hours of community service. "We don't know how much deterrent the Robert Morris case was, but we know that his 400 hours of community service certainly did not deter these hackers," said the memo. That was a very interesting statement to the judge, because these three defendants had been searched and charged before Robert Morris was sentenced. So it was disingenuous to claim that they were not deterred by the light sentence in the Robert Morris case: they couldn't have known what the sentence was. To me, that is dishonest. I know that it's very fashionable now to say that lawyers put a very small premium on truth. I don't think that's true -- I think that the profession really still has very high standards, although maybe if you are outside the profession, you are a little bit reluctant to believe that. I think there are professional, ethical obligations to admit when you are wrong and not to be dishonest.
These things concern me very deeply, at least as much, and perhaps more, than the occasional teenage hacker who intrudes in somebody else's computer. And do you know why? Because the teenage hacker is still in the process of socialization, and you can say, "Well, you know at least he's growing up and needs to learn better. It's wrong and he needs to be taught that it's wrong." But the people who ethically transgressed in these cases, it seems to me, have no such excuse, and for that reason, that ethical issue I think is a little bit more salient. Thank you. (applause)
GIBBONS: Thanks, Mike. I'd like to introduce Jim Settle from FBI Headquarters.
SETTLE: Well, I'm going to try to be shorter than so far two have been, hopefully the end of the table gets some time. I'd like to say a couple of things up front. One is that I actually wear two hats, and it's helpful to know that, at least at this point. One is that I am actually part of the headquarters here in town and am responsible for the program management for computer crimes nationwide -- setting policy, training, and those types of issues. At the same time, which drives me ragged until about ten or eleven o'clock at night most nights, is that I am also the acting supervisor for the new computer crimes squad which was created in our Washington office here. Later on we'll go into what all that is about.
What I'd like to point out are some key issues. I first came into this picture about 1979 in Univac 1180's. The FBI had been investigating computer crimes even further back then that. They just weren't called that at the time. Most of them were prosecuted under statutes other than the computer fraud and abuse statute. We've looked at things such as tweaking of billing algorithms, the selling of MIS functions to state, local, and federal governmental agencies... so the investigation of computer crimes is not new.
I think another thing that is important to recognize is that the FBI does not create the law or interpret the law. Do we have an input into some of the laws as they are written? Of course we do, just the same as everyone in this room has input into the process -- and probably more than we have, quite frankly. So we don't really interpret the law. The law is made by Congress; it's made by industry, and yes, by the Department of Justice. The FBI, through the Department, has some input, but we are only one factor. The courts interpret the law. As most of us know in this room, there is not a lot of case law being developed out there.
I would also like to point out that over the last year and a half, I've been brought in to basically revamp our whole program. One thing that I sense out there in a lot of the industry is that "Law enforcement is computer stupid," which may have been a valid argument in the past. I think you'll see today that it's not. And this goes to a question that will be asked by the chair later. The other thing that I think is important to understand is that law enforcement is not out there trying to run over people's rights. I could take a personal example that happened five months ago, but it's a pending investigation and I can't tell you what it involved. The interesting thing, however, was that there were 20 people in the room and there wasn't a soul who said that what we were talking about was illegal. Everyone in the room agreed that it was legal. The question that everybody was thinking about and arguing about was morally, should we do this. And that discussion took place for three hours. No question that it is legal -- the answer is yes. The question was, should we do it? Sometimes we have three hours to make those decisions, sometimes we have three minutes to make them, especially when things are going across international borders in two seconds. Sometimes you don't have the luxury to make philosophical arguments at the time. You make what you feel is a rational decision based on your experience. We have a lot of people who are computer literate making those decisions, and there are a lot of factors to be considered. But I think the important thing for people to remember is that we encourage any groups -- and we have talked to a lot of groups -- that have, by most people's standards, divergent ideas as to what the individual rights are. We found in most cases, you're talking about a spectrum of 100%, and we may disagree on only about 10% of them. The overwhelming majority usually we're going to agree on.
So I'd like to ask you to keep those things in mind, and that's kind of what my role is and what I think the FBI is trying to do in the future. I hope I didn't take more than four minutes.
GIBBONS: Thanks, Jim, I appreciate that, thanks for that round of applause. (laughter) I'd like to introduce Emory Hackman, Esquire, next.
HACKMAN: Hi, I'm a practicing attorney in Springfield, Virginia. My practice covers business, wills, trusts and estates, corporate public and private securities offerings to raise money for technology products, including computers. I suppose about half of my clients are computer types in one way or another, professionally. In fact, some of my clients are in this room.
My view of computer crime/computer law is primarily a view of property. Copyright law is something I deal with tangentially. It's much more important for me, dealing with a client, for and against, to guide him away from the courts and the very expensive costs of civil litigation and criminal defense. In that milieu, and particularly speaking to system operators -- of whom I have a variety of clients and I actually serve on the Board of Directors for the Capital Area Sysops Association -- I try to give them guidance in an area of both the law as a general subject and the law as it regards computers where there are not clearcut answers. Most of these people are computer technicians. If they are in business, they have some people skills. But their background is the classic back-roomer -- the inventive, inquisitive nature. I deal with the same kinds of people in pharmaceutical products, in other technologies, and they're looking for engineered, tangible answers. They can see the water pitcher, they can describe it, they can invent it, they can understand water. But the moment I need to describe a right to use it, with issues of the man on my right having access to it, whsst! over their heads, and into the great beyond. So I wind up using examples to give them a sense of a balancing of the issues, and in that role I seem to stay very effectively. Mike?
GIBBONS: Thank you, Emory. Next, I'd like to introduce Scott Charney, who, as I said, is the new chief of the new Computer Crime Unit of the General Litigation section in the Department of Justice.
CHARNEY: Thanks, Mike. Let me explain to you how I got here. Eighteen months ago I was an Assistant United States Attorney working drug cases in a hardship post known as Honolulu, Hawaii. (laughter) About a year ago November, I transferred back to Washington in the General Litigation section, and I'm using my Eagle workstation, and I'm creating some subdirectories in DOS. Then my boss comes in, he looks at the screen, and he asks, "What are you doing?" (because this is not the typical Eagle Justice Department screen) And I say, "I'm creating some subdirectories for my files." And he looked pretty confused and walked out. A short time later, it was decided that computer crimes would be moved from the Fraud Section, where it was then housed, to the General Litigation Section. The powers-that-be called up my boss and said, "We are transferring Computer Crimes. Can you handle it?" He said, "No problem -- I have a computer expert." (laughter) In all fairness to him, but unbeknownst to him, I was actually working on a Honeywell mainframe when I was eight, because my father was a computer programmer, and then a systems analyst, and he worked down on Wall Street. I was writing programs in COBOL, and I actually did know a little about this, but we've learned a lot more in the last year that I have been doing this.
The Department of Justice has adopted what we call a computer crime initiative. Basically what this is is a program to help the federal government deal with the growing problem of computer crime. And basically the initiative has five or six components. The first thing is that we're trying to get a better handle on the scope of the problem in terms of how many cases are actually being reported by law enforcement so that we can allocate resources.
Secondly, we're coordinating the law enforcement effort. Because of the nature of the crime with which we are dealing, very often computer crime can be multi-state or international in nature. That raises the problem that there will be what we call parallel investigations opened into any case. Let me give you an example. You may have an intruder in New York who accesses a computer without authority in California. That victim will go the FBI in California and say, "I have an intruder." The same intruder may also access a computer in Texas, and that victim may go to the Texas Secret Service and say, "We have an intruder." And if this intruder accesses computers in seven, eight, nine, ten judicial districts, the next thing you know you have ten investigations all targeting the same person. Of course, as you can imagine, there is always a risk when that is done that people will get a little confused and they will step over each other. So one of the major focuses of the initiatives is to coordinate those investigations by having U.S. Attorneys' offices report computer crime cases to me in Washington.
The third thing we are doing is emphasizing training. We have set up a computer crime course for prosecutors. In the old days, we used to joke with the agents that came in and said that they had a computer crime case, then look over the table, and the Assistant U.S. Attorney was passed out on the floor. Training is a way to eliminate that problem. And when I talk about training, I'm not naive about it. We will never be computer experts, as some of you people are, but it is also not necessary. Lawyers -- the very discipline requires that they work in different areas. If they handle medical malpractice, they will know about medicine; brain problems if it's a brain case, accident cases. We know as much about what makes a plane crash as the engineers who designed the plane. In a similar vein, we need to have basic understanding of computer and telecommunications technologies, but we do not expect to become full-fledged experts.
The fourth area of concern for us is legislative changes -- 18 USC 1030, the primary computer fraud and abuse act. There are other amendments to that act that have been proposed by the Justice Department, as well as laws brought up on the Hill by Congressmen -- Senators and Representatives -- and we are continuing to analyze those amendments and make recommendations.
Now the fifth area is to develop an international response to the problem. The government is seeing a lot of intrusions from overseas, and as you can imagine, when an investigation moves into the international arena, it can become far more difficult. With rules of sovereignty applying, it requires international coordination, and we're encouraging that. Part of the problem is sometimes that foreign countries don't have laws prohibiting computer crimes. If we go to them and request assistance, they will tell us that what that person did is not a crime to them and they will not assist us. Sometimes the problem is simply getting the assistance fast enough. Usually in the international arena, there's a lot of papers that have to fly back and forth, and it can take months to get something accomplished. In the computer environment, months is simply too long to wait.
The sixth area that we're involved on has to do with formulating rational policies for the prosecutions of these cases. The new technologies do pose certain challenges for law enforcement. Both information that is evidence of crime or contraband in itself and legitimate, honest, legal information can easily be commingled. It's important that law enforcement, while aggressively pursuing the criminals, also very diligently protects the First, Fourth, and Fifth Amendment rights of those people who are affected by our conduct. So what we are trying to do is develop policies to balance all these interests.
GIBBONS: Last, but not least, we're going to talk to Don Delaney from the New York State Police. I want to ask him, to start off, what is the state of affairs with PBX fraud in the country, and you can throw in there a little bit about yourself, obviously. Thank you.
DELANEY: The original question was "my role in society"? A husband, a father... (laughter)
I supervise the major case squad for the State Police out on Long Island. I handle computer crimes in the southern portion of the state and Long Island. I cover "World Fraud Central," which is Manhattan and the rest of New York City. I've come a long way since last year when we were out in San Francisco at CFP-1. At that conference, I was on a panel and I asked for some things that I would like to see happen in the future that might make law enforcement's role different and assist with the problem of computer crime and telecommunications fraud in this country. Those things were to have a dedicated computer crime unit on federal and state levels, to get corporations involved in training, proper funding on a state and federal level, educating students by those in law enforcement about computer crime -- not so much in teaching ethics, but teaching them the results or the penalties for their misdeeds. What I was seeing was that I was arresting a lot of high school and college people who seemed to be unaware of the consequences of their criminal acts because it was hacking. They didn't think that there could be much that could happen to them.
Since that time, in one short year, the New York State Police did put together a dedicated computer crime unit, which is up in Albany, New York, and services the entire state. The investigators assigned to that are here, and will be glad to speak with anybody during the conference. They will analyze evidence from any police department in New York State, that is, computer evidence from any type of case, whether it's a homicide or you've seized a hard drive to gambling organization for the DA's office. We've been involved in teaching students at both high schools and colleges about what could happen to them if they commit computer crime, and the penalties for it. Corporations such as AT&T and MCI have provided free training to us that has helped greatly. The funding came out of nowhere in a state which is in the hole for billions of dollars. The State Police were able to put together money for some training also and for some equipment for a computer crime lab. So we have come a long way in a very short period of time, I think.
Further, my role in society has become a lecturer and author, and I get to go down to the Federal Law Enforcement Training Center in Georgia every couple of months and teach telecommunications fraud. You get good at it when that's all you do.
When I say "Fraud Central" in New York City, what I'm talking about is PBX fraud, call-sell operations, and the unlawful duplication of computer-related material that's ongoing. When Mike asked me about the state of affairs in PBX fraud, it's terrible. Every day I have at least one corporation across the country calling me up to complain to me that they've been hit, that they have taken tremendous precautions to protect their PBX -- they have shut off the remote access unit, they've done a lot of things that they've heard about and been taught at different conferences, and they still were hit. I got a call the day before yesterday where a company incurred only a $12,000 loss in a three-day period. It was sad because this person had done everything he had been told to do to protect his system. That is not typically the amount of fraud that we see on a given PBX. Generally losses come in somewhere between $40,000 and $400,000 in a very short period of time. I've found that there are glitches in the software by some of the equipment vendors, and people are calling me constantly with complaints that the vendor did not tell them that they had a remote access unit on the PBX when they purchased it. They were never told anything about default codes, they don't know what a remote access unit is -- "check my bills, I've never made a call out through one" -- and I find that I believe them. The vendors are not doing such a good job of educating the people to whom they are selling this equipment. The corporations and small businesses that have these PBXs are suffering gigantic losses.
This year I'm calling for the vendors of software for these PBXs to please reach out to all the people that you've sold those PBXs to, and tell them that if they haven't been hit, they're going to be hit, because the codes and the methods of accessing these remote access units are being sold and disseminated on the streets of New York to everybody on the street, and I would imagine actually all around the rest of the country. We executed a search warrant at a residence last week -- and I'll be brief with this -- which was the result of a six-week investigation looking at the call detailing of a corporation in Connecticut who had been hit. There were remote access units. They incurred $34,000 worth of fraud in a relatively short period of time. I saw that somebody was dialing into their computer on an 800 line at 3- second intervals, probably using a 9600 baud modem -- last year I didn't know what one was. This went on for a couple of weeks until he made an 8 minute and 36 second telephone call out through the remote access unit to the Dominican Republic. He obviously finally hacked out the code. One hour and 55 minutes later, at 7:05 on October 16, a telephone booth down the block from his house accesses that PBX and amazingly on the first attempt accesses that remote access unit and goes out with a phone call to the Dominican Republic. Later that night, telephone booths all over that neighborhood started accessing that PBX. Before the week was out, all of Manhattan had the code to that PBX and it was off to the races.
Now, we considered this person a prime target because obviously not only was he hacking out the codes, but he was disseminating the codes. We did execute a search warrant at his house while he was online, engaged in a fraudulent telephone call, so that we knew that we weren't going to arrest the telephone in his house. We wanted a person there online so that we could demonstrate that he was committing a crime. The crime that we can charge him with is the one telephone call that he is online making at that time, which successfully went out to Ecuador on that particular day. Unfortunately, I can't prove who was sitting in his house hacking away at that switch for that period of time, or making all those other telephone calls, or demonstrate that in fact he did disseminate that code to a telephone booth and from there whoever disseminated it out. We do know that the codes are being sold for between $50 to $500 to PBXs, stolen telephone credit card numbers, call diverter codes, and so on and so forth. On every street corner in several neighborhoods in New York City, there's a person standing next to a telephone booth selling telephone service for $10 for 20 minutes. The week before last, we went up with an NBC crew and filmed call-sell operations on these corners with people collecting money. If you want to see how bad PBX fraud is, there's going to be a special on NBC on the 31st of the month on the 7:00 news and there'll be a lot of the corporations who previously wouldn't talk to media. Jim Pope of NBC was able to get them to talk to him and you'll see how staggering some of the losses are and how pervasive this is, in New York City anyway. So please, vendors, wherever you are, go tell these people that have these PBXs that they're about to get hit if they haven't gotten hit already.
GIBBONS: Thank you, Don. Appreciate that. (applause) My original intention was to open it up to the floor, and I have some prepared questions, but I think I'd rather save some of them. I'd like to open up the microphones, and I'm going to ask for two things, very seriously. First, that the questions be brief and be questions -- we're not going to open up a diatribe between individuals here -- and that the answers should be brief. We'll try to keep it under two minutes or so an answer, otherwise I'll be the one cutting you off because we really want to get quite a few questions in here. So I'll flip a coin and start with John McMullen.
JOHN McMULLEN: Question for Don Delaney, plus a point. Tonight we'll continue some of these issues with the Birds of a Feather session that I'm running first at 7:30, and Mike Gibbons is picking up at 9:00. Don Delaney has talked often on some panels in the New York area on the need for targeting a particular subject and turning evidence around very rapidly. Much of the criticism on some other cases has been in the amount of time it takes to turn around evidence. I was hoping Don would share his thoughts with the group here on turning around evidence.
DELANEY: Well, in reaction to criticism in the past of other agencies -- and by no means is this meant to be critical of any other agency -- I decided that in the cases that I handle, I'm going to attempt to have a target identified prior to executing a search warrant. It's not always possible in cases you investigate, though. Wherever possible, I want to go in when I execute that search warrant and arrest somebody at that time, rather than having to get the evidence that's on the hard drive, and then make a presentation to a grand jury, have to argue about it with the District Attorney, and review the evidence as soon after as possible. In some cases you're going to be giving evidence back to people; in other cases, get a disposition of the evidence, and get a disposition of the case that the evidence is seized and disposed of outside of my evidence vault, because we just don't have space for handling a lot of evidence. I hope that answers the question.
MAURICE FREEDMAN: I'm Maurice Freedman. I'm chair of the American Library Association's Coordinating Committee on Access to Information, also director of the Westchester Library System, which pays my salary. That's a public library system in New York state. We were hit by a much less sophisticated communications disaster. I found out that when you make credit card phone calls in Grand Central Station, people with binoculars watch you at the phones and it cost... The phone company gave us credit for that, but it was about $15,000 in calls all over the world. Supposedly it's drug rings doing this. There's a follow-on for the FBI gentlemen.
I'm very concerned that public libraries and the American Library Association are deeply concerned that a privilege they have is not protected the way doctors, lawyers, priests, are protected. We look for confidentiality of information for the people who use our public libraries. We are destroying, as a matter of policy, the link between the circulation record and who took out the book. In manual times, the FBI did come into libraries to demand and take these records, and with court orders we had to provide them or go to jail. And now we are destroying them. Here's the question -- I'm sorry it took this long. Especially from the ethics standpoint -- we're being quite ethical and professional -- but are you interested? Do you want to pass a law that keeps us from destroying those records so that you can get access to them? Is this something you see in the future? Do you see it as good of the FBI or law enforcement agencies to be going after what is considered a relationship between the library and a person's use of it? An abridgement of their freedom? Thanks.
GIBBONS: Jim Settle?
SETTLE: That's a loaded question! (laughter) In the first place, understand that I'm on the criminal side of the house. There are a lot of different... You're talking about...
GIBBONS: Are you trying to throw that question back at me?
SETTLE: ...the intelligence side of the house. I will give a response, though. I would encourage this -- if you don't agree with the fact that you don't have an exemption for privileged status, that is appropriately handled by going to Congress and getting legislation passed. We didn't make the law that did not give you that status. If Mike wants to add to that, I'll be happy to...
GIBBONS: I'm going to play moderator this time and keep out of jail myself. Don Delaney?
DELANEY: If I might address the first thing the gentleman brought up with regards to getting telephone bills for $15,000 because somebody looking over your shoulder stole your telephone credit card number, I warn each of you who comes to New York City that if you use a public telephone booth there may be somebody shoulder-surfing -- watching your PIN. And not only there, but in most of the major cities in the United States there are people who use binoculars, telescopes, and tape recorders and write down the PIN numbers of everybody that comes into telephone booths.
HACKMAN: ...and laser equipment.
DELANEY: Yes. So, you should all be aware of it for your own safety, because the telephone bills that you are going to get on your telephone credit card within a very short period of time are gigantic.
GIBBONS: Emory's not supposed to tell what we're doing -- be quiet.
HACKMAN: The other side's doing it, too.
GIBBONS: Oh, OK. On this end...
MITCH KAPOR: I'm Mitch Kapor, I'm with the Electronic Frontier Foundation. Let me understand the ground rules for questions -- two minutes, maximum, and you've got to end with a question? (laughter)
GIBBONS: Should we break the rule for everyone else or just you?
KAPOR: No, no.
GIBBONS: No one else has followed it, so go ahead.
KAPOR: I was intrigued and attentive to the comments that the FBI doesn't make the laws. It does play a role in influencing the laws, which Jim Settle said, and Scott Charney's statement about efforts in DOJ to develop new policies to deal with new technology. This is a document called Digital Telephony. It comes out under the seal of the Department of Justice and Federal Bureau of Investigation. I just want to read a couple of things from it, because I want to ask a question about the document. "This is a proposal that will amend the Communications Act of 1934 to require providers of electronic communication services and private branch exchanges to ensure that the government's ability to lawfully intercept communications is unimpeded by the introduction of advanced digital telecommunications technology."
A number of points: "...the FCC shall issue regulations within 120 days after enactment requiring the modification of existing telecommunications systems if those systems impede the government's ability to conduct lawful electronic surveillance." And I want to read one other part, which says: "Notwithstanding Section 552b of Title V, the Attorney General or his designee may direct that any commission proceeding concerning regulations, standards, or registrations issued or to be issued under the authority of this section shall be closed to the public."
I find this extraordinarily frightening. This is "Son of S. 266." This is a licensing scheme for electronic communications providers. I take that to mean your bulletin board and mine, and Compuserve and Prodigy, with proceedings not to be held in public, requiring approval of the technology under the rubric of allowing surveillance. My question is simple: should we take this as a fair representation of current efforts to influence legislation and to set policy, or should we take it as an aberrant outlier? (applause)
GIBBONS: Who are you directing the question to? (laughter) I'm not going to give it to Mike Godwin. (laughter)
KAPOR: No, I know what Mike thinks. Feel free if this is outside your bailiwick, but it did seem to me to be germane to the comment about influencing the laws and about technology policy, so I would invite either of the gentlemen from the FBI or the DOJ, if they want to, just to frame any comment about where this document and this initiative stands with respect to the issues that they raised. That's a more neutral way of inviting a comment.
GIBBONS: OK, I'm going to toss that at Scott first.
CHARNEY: It is proposed legislation, and obviously as such, Congress will look at it and you can be heard about it. You have to understand that this legislation doesn't stand alone, but is directly related to 18 USC 2510, etc., which provides that under proper conditions with a court order the government can intercept certain communications. And that, in fact, has been done in many, many narcotics cases and other types of cases. The question is, if Congress gives you the authority to intercept communications upon a showing of probable cause and necessity, that is, you really need the wiretap and you have probable cause to get it, what happens if the technology does not allow you to implement it? So, the answer is one of two things: you can repeal Title III, or you can enact legislation that will enable you to follow Title III. That's what that legislation has to do with -- it's not as dramatic as you might think. (laughter) We're wiretapping now, we've been wiretapping for years.
UNKNOWN SPEAKER: What are you going to do when everyone in the mob scrambles their routines?
CHARNEY: When they encrypt? Encryption will be a problem. Absolutely. You know what we found, though? When we first started wiretapping? We said, What if they stop using the phone? (laughter)
GIBBONS: Ask Mr. Gotti if he uses the phone. (laughter) I'm going to move to the middle now.
HARRY GOODMAN: My name is Harry Goodman, and I produce a public radio series called "Your Expanding Infosphere." All of you have raised some very significant issues. The overzealousness in the Neidorf prosecution that Mike Godwin spoke to was real. I have two questions, one specifically for Mike and anyone else who would care to respond, and the other question for the rest of the panel. Mike, you said, "What about a teenage hacker who intrudes in someone else's computer? He's still being socialized." What if this teenager, as teenagers have, intrudes at Sloan-Kettering and it costs a life? Or what if a teenager, without malicious intent, intrudes in the FAA's traffic control system, and we lose 450 or more lives? The second question, and I'll sit down, is what I'm hearing from a lot of you gentlemen scares me -- and maybe it's because I misunderstand it -- especially Mr. Charney. What I think I'm hearing is the beginning of a formulation of a computer analog to the drug situation's zero tolerance. Everything from a flying squad to special prosecutors to special legislation -- some legislation that's even kept in the dark, maybe, we don't know how it would have shaken out if it didn't come to light. But are we heading to a zero tolerance computer crime initiative, when you're talking about your initiatives? Are we going to see more seizures, but instead of returning the material, is it going to be forfeit as property seized around a drug case might be forfeit?
GIBBONS: I'd like to get Mike Godwin to answer the first part of the question.
GODWIN: I'm going to try and be uncharacteristically brief. With regard to the Diehard-2 scenario of the air traffic controllers or the Sloan-Kettering vandalism or intrusion case, I think the thing you have to look at when you figure out how you want to respond to it is how the criminal law works. It's built to a certain extent around damage, and how much damage can be done, but it's also built to a very large extent around intention. So that if I accidentally run you down, the law treats me differently -- in my car -- than if I do it on purpose. I don't mean, and I do not want to be taken as saying anything that even remotely excuses any teenage hackers doing computer intrusion. I think that's wrong and it's appropriate to punish it. And I could repeat that: I think it's wrong. The question is whether we respond hysterically or not, and I don't mean to misapply that word, so let me explain it a little bit. The fact is computers are a new technology, so when new computer crimes arise, there's a tendency on the part of everybody, not just law enforcement, by the way, to get a handle on it, get control of it, don't let it get out of hand. And I think to a certain extent overzealousness, when it occurs, occurs partly because of that impulse. I think it's something, when you consider the amount of power the government has, that law enforcement has, you really have to be careful to police.
GIBBONS: I'd like to quickly answer the second part of the question, since he got two questions in. Basically, I'd like to answer the question, talking about the FBI having this flying computer squad of FBI agents to be able to address computer crime. I think you are misunderstanding the initiative, and it puts me in kind of a Catch-22. If we have agents that aren't trained in the area of computer crime across the country, wouldn't it be better if we had a few that were well-trained that could respond to an instance and -- this is the same question I was asked last year at CFP and you see in the Proceedings -- isn't it better that we have a trained investigator who knows what a G-file is or an innocuous type of intrusion versus someone who gets hysterical and blows something way out of proportion? So it's our answering the computer crime problem with trained personnel. Next question.
AUDIENCE MEMBER: (unintelligible)
GIBBONS: I'm not talking to legislation -- my other associate has said that that's the Department of Justice and that's a different issue. It is another case, though, that if we don't have any legislation or don't have good... One of my questions for Scott Charney is, Do you think the present laws are good enough for us to try to stop computer fraud and abuse, computer crime? Do they address the issues? Maybe some of these other laws are talking about that issue. But I'd like to continue with other people.
DONN PARKER: Donn Parker, SRI. I have a question that's the same or related to Mr. Kapor's question concerning wiretap. In the previous session, and in this session, there seemed to be a tremendous reaction against the use of wiretapping. Wiretapping in my impression is probably the single most important tool that our criminal justice and law enforcement people have to protect all of us from people like John Gotti, and to protect our investments, to protect us from malicious hacker attacks. People in the audience seem to think that we should do away with that extremely important tool. And they were also very negative in being unwilling to pay 20 cents per month to continue that, to have that tool. We already pay several dollars a month each for the salaries of these people up here and for law enforcement. I don't want them to sit around twiddling their thumbs -- I want them to have the most important tool retained even though technology is advancing. My question really is to reiterate and to ask the panel to try to convince this audience, with some comments, that it is absolutely essential for continued control of crime in this country and this world to have wiretapping capability duly authorized. I would just like to speak in favor of that and urge the panel to say something more and more strongly about the need to retain wiretapping as the most important tool of criminal justice.
GIBBONS: So, is the primary question whether or not wiretapping should be a government tool?
PARKER: That's right.
GIBBONS: OK, I'm going to ask both, I'll start with Mike Godwin first, to try to answer that.
GODWIN: Donn, I think that you've maybe mischaracterized some of the objection here to the FBI initiative. To look back at the history of wiretapping, it turns out to be the case that the phone system was not originated as a tool of surveillance. It was originated as a communications network. It turned out to be useful in gathering information about crime. Originally, and in the famous wiretapping cases, they're all a product of the fact that law enforcement discovered that it was relatively easy to take your alligator clips and a microphone and intercept a phone call. It just happened to be a serendipitous aspect to the fact that there was a phone system that reached everybody. This is different -- this is different. FBI is not seeking an expansion of its authority to get wiretaps. Scott is correct about that. What it is seeking is to change the design of the way the phone system is built in the future. I don't think you can justify that, and I don't think the issue is whether it costs me 20 cents a month. I think the issue is what kind of policy considerations go into the design of a phone system. If I have a computer that's designed for my desk, I want it to work for me as a tool. I don't want something to be added on to make it easier for the government to monitor me or regulate me. (applause)
The same thing is true for the phone system, and I believe me, I will gladly spend 20 cents more a month on all sorts of activities. I think you mischaracterize it when you say everybody in here is against wiretaps. I think a lot of people in here recognize that wiretaps have been a very constructive and useful tool in law enforcement. But what they are objecting to is a non-serendipitous addition to the telephone infrastructure designed just for the purpose of allowing the FBI to continue its wiretapping activity. One of the things I think that is particularly disingenuous about the FBI initiative, by the way, is William Sessions' letter accompanying it in which he says that we're just trying to maintain the status quo. Well, I think that may be true, but consider, if the technological advance had been on the other side, if there had been a new technique that the FBI or the government could use to monitor people, would William Sessions be there trying to speak out for maintaining the status quo? I just don't believe it. (applause)
GIBBONS: I'm going to ask Scott Charney to respond, but I'd like to make one quick response -- that even though I'm on the chair, I'm not real close to this initiative. I don't have any policy oversight in this area, and I've not read the legislation. I really don't know anything about this area -- Scott Charney's much better on this. I think I have to take Donn Parker's one statement, that is, we've had Attorney General guidelines in place since 1975, and we have this thing called Title III about which Scott Charney is much more expert than myself. It is VERY, VERY difficult to write the paperwork and present the facts to a magistrate to perform a wiretap. We just don't go clip on alligator clips. I think the issue is the same one that Donn Parker said before, and I'd like to restate his question: Should the FBI be allowed to perform a wiretap, irrespective? You're right, cost is not the issue -- they're saying that for 20 cents more a month they could have a cost. I'm asking his question... I'll ask it again -- should they be allowed to do wiretaps? You brought up a lot of big words like serendipitous. I'm sorry.
GODWIN: Are you asking me if I think wiretaps should be allowed? Sure, if they're approved procedurally by 2510, the statute that Scott cited.
GIBBONS: OK, that was under two minutes. Scott Charney, please.
CHARNEY: It comes back to our basic concern. If Mike Godwin agrees that if they're properly approved, we should do them, what happens if we technically can't?
(unintelligible-- another speaker not in front of mike)
CHARNEY: Well, the question is, though, if you say that, then are you also willing to take the other side of the coin and say, if people use the telephones to facilitate all sorts of criminal activity, that's OK with you? Because part of the problem is that it overstates the case to say the government wants to create a phone system for the sole purpose of wiretapping. That's simply false. The phone system was set up years ago so that people could communicate with one another and that's still its primary function. And in fact, we're not talking about monitoring every call in America by just clipping on wires without getting court orders.
The question is, assuming that the phone system is set up so people can communicate, what are you going to do when people are abusing that system? For example, the whole wire fraud statute is designed to deal with people who run scams over the telephone. Do you want to say -- and some of you may, and that's fine -- if they're doing it, but they're doing it over the phone, that's OK with me? If elderly citizens are getting swindled out of money, I'd rather have them swindled than give the government the power to wiretap. (smattering of applause and some laughter)
GODWIN: I'd really like to respond to that.
GIBBONS: My mike's on. I've got the switch right here. (laughter) I really don't -- just kidding. Okay, Mike, I'll give you 60 seconds.
GODWIN: 60 seconds. You're right. It is always a tradeoff whenever we decide that we're going to limit the ability of law enforcement to conduct its investigations. It is ALWAYS, ALWAYS, ALWAYS going to be a tradeoff. It's going to be harder to investigate some kinds of crimes. The policy issue is not just whether those crimes are going to be harder to investigate... it's what kind of society you want to live in. That's really it. (applause)
AUDIENCE MEMBER: That's the issue.
CHARNEY: We agree with that, that's the issue.
UNKNOWN AUDIENCE MEMBER: I want a safe society, eliminating wiretapping.
KAPOR: I wasn't going to respond until he said that. It's kind of overkill to require licensing with secret proceedings of all electronic communication service providers. It's not just the phone network, it's your bulletin board system and my bulletin board system. That's the way the language of the proposed legislation is drafted. When I asked whether this was a representative sample, I meant that. I want to know if we're living in the kind of adversarial society where good ends are supported by incredibly pathological means. (applause) It'll be great for EFF membership, because now we can go out and say, "Look, we've got to stop this thing again." Nobody is arguing that we shouldn't be safe from crime. Nobody is even arguing that we shouldn't be wiretapping, but we are saying, isn't it a little bit extreme to require licensing of all electronic technology with secret proceedings? Isn't this a little bit of overkill?
GIBBONS: OK, I really appreciate the commentary from all sides. I think it's been very balanced on this particular question. I'm going to go ahead and move onto some more questions. I don't remember if I'm in the middle or on the end. Glenn Tenney is saying the end. Glenn Tenney.
GLENN TENNEY: Glenn Tenney, yes, I'm a Congressional candidate. (laughter) I have a brochure if anyone wants one. I have to remember to say that often.
Actually, I had a question for Don, and I have to respond to you -- it's not about wiretapping. It does not just cost 20 cents a month. Everybody, every business, who has a small PBX in their house or their business could be fined $10,000 a day, based on rules decided in private behind closed doors. It has nothing to do with wiretapping per se. That is not the issue. It is a technology issue and it is a procedural issue.
Now, back off that subject and onto a different subject. In listening to everybody talk, I hear the common thread of a problem. We have the Morris case, where computer manufacturers knew about the hole. We had the case with Neidorf where Bell South knew better. We had the case of PBX fraud where the manufacturers knew better. What can corporate America do, or what can we make them do to own up to their ethical and moral responsibility in this problem? (applause)
GIBBONS: I'm going to call that a rhetorical question, but Emory Hackman is very good at handling rhetorical questions. Do you have a response, Emory?
HACKMAN: Oh, one or two or three or four. Corporate America, in my opinion, does not necessarily live up to the ethics that I think most of us as individuals would like them to. I think it's a very complex issue and there are lots of pieces in it, the primary one of which is the pressure to get enough money in to pay the help, keep the jobs to get something done. I don't think corporate America, as in the vendors or Bell West, is going to be accountable inside the system we've now got, and I'm not certain we want them to be accountable because of the cost. We of this society do not go into rigid Stalinistic-type control. We go for litigation, the personal injury lawyers get very high fees, because the cases are so hard to litigate. The net effect is that personal rights cases tend to drop off the end of the stove -- they just don't bring enough money.
Conversely, I'd like to respond to the previous question, even if everybody yells me down. I think the FBI legislation is being attacked from some hysterical viewpoints. My experience in defending criminal cases is not that the defendant was guilty, unless he told me so. It's that the FBI, your local state police -- New York is as good an example as Virginia or Maryland -- are strapped budget-wise. Somebody's got to complain before they are going to go do anything; it may be a rightful or wrongful complaint -- those complaints can be abused. But before anybody, who's generally rushed with more cases than he can handle, picks the case, he's going to start looking at the amount of damage that might have been caused. Is this the tip of the iceberg or the whole case? And they can make mistakes. They've got to spend hours and lots of budgeted time writing this up to try to get a judge -- the word magistrate was used, I think judge is more communicative -- to agree with them.
Now I happen to think that the judges in this area are becoming quite computer literate. They've all got computer terminals sitting there. But they don't put up with things that we all think -- "Oh my God, they're part of the government." They tend to listen carefully and say no. I think the system is much more self-correcting than we are viewing the statute.
I also think the Bell companies have had a hysterical reaction -- this 20 cents per line per month response. If you're running a BBS or network and paying for phone lines, it can be a crippling expense. I think that's an hysterical reaction, because if the BBS is making enough money for its services, it wouldn't be a crippling expense. I'm not at all impressed that the tap has to be any place on the network. I'm not impressed with 20 cents per line. I am impressed with the typical law enforcement officer who may be facing that telephone company employees who are a part of the problem may not want to walk into the front administrator of the telephone central office switching exchange and say: I want to tap lines 1 and 2. He may, in fact, give away what he's looking for. But I think that would be preferable to re-engineering the equipment.
I think the lobbyists in here, or those in contact with lobbyists, might do themselves and Congress a lot better service by looking at the statute technically, by coming up with an answer that's not 20 cents a month. My experience with law enforcement officers -- and I've always been the criminal defense attorney, so I find myself in an odd place arguing in their behalf -- is that if they go in with a wiretap order to a central office, and the activity stops, I think they just found probable cause to take a long, hard look at the telephone company technician. So I would like to offer a different viewpoint on the hysteria that's wandering around.
GIBBONS: Appreciate that. Let's go to the end.
AUDIENCE MEMBER: Just as a rhetorical question, the whole thing about the wiretap act would be the same as saying you can't put a Tempest room in your basement because it impedes electronic surveillance methods.
GIBBONS: That's next -- hold on. (laughter)
AUDIENCE MEMBER: OK, I've got two questions, if that's allowed. Mr. Charney, you've been in law enforcement for a while, and everyone has seen some major case meltdown. Would you be in favor, then, of mandating compensation to defendants who are wrongly accused because the complaining witnesses have other agendas to pursue? I mean, in Craig Neidorf's case, basically Bell South was pursuing other agendas.
GIBBONS: Can we just have one question, because really we have so many people..
AUDIENCE MEMBER: The other question, to Mr. Settle, was, Do you think the CFA is more effective than existing law was before?
GIBBONS: He's talking about the Computer Fraud and Abuse Act. The first question of Scott Charney. Could you get it, Scott?
CHARNEY: I heard the question. The biggest problem in terms of compensating has always been where the money's going to come from. If it's a vindictive prosecution, then there are civil remedies already existent under which victims can sue people for vindictive prosecution. If you're talking about -- and again, you have to be careful how you phrase the question -- saying, well, if someone's not convicted, they're entitled to monetary relief, you're talking about paying every acquitted defendant. I don't know that that's a feasible approach, or necessarily a wise one.
GIBBONS: Is the Computer Fraud and Abuse Act effective? Is that the question? (unintelligible) More effective than other existing statutes before the Computer Fraud and Abuse Act of 1986 was put into place?
AUDIENCE MEMBER: Equity Funding was prosecuted solely under a stock fraud case, and that was an enormous computer fraud case. I mean, that was a billion dollar case.
GIBBONS: Yes, but that was not a computer crime case. That was using a computer as a tool to juggle the books of a company. So that's just using a computer as a tool. It's not computer crime like you're erasing data or going and attacking or breaking in. If we have time, Jim, would you like to talk about CFA?
SETTLE: Yes. Just briefly, the answer is, it's just one statute. I think that's important to consider. The thing obviously when you look at it, the 1030 was passed in 1986 -- that was the last time it was revisited. Obviously, networks have increased significantly since then, which raises issues affecting that statute. Viruses were virtually, not unknown, but very limited -- I think most reports say four to seven were in existence in 1986, and that was at the end of the year, not when the legislation was passed. So, I think there are reasons to look at the computer fraud statute as it now exists. The other thing to remember is that most of the prosecutions occur, as you indicated, probably in the fraud by wire, interception of communications, and copyright statutes. In the past, that's where you've seen the bulk of the prosecutions -- for a variety of reasons, I might add. One is, prosecutors are more familiar with them, and our agents are more familiar with those old statutes. But people are becoming more familiar with the computer fraud and abuse statute, too.
GIBBONS: Thank you. The center?
WAYNE MADSEN: Yes. My name's Wayne Madsen and I'm a writer. I work for a large systems integrator that does a lot of work with the federal government, and which will remain unnamed. My question is, I've heard a lot of stories about Craig Neidorf and Robert Morris, Jr. and German hackers, but let's talk about the Justice Department and a software program called PROMIS. (laughter/applause/whistles)
GIBBONS: Wait -- I'm going to limit you to another minute and a half. Begin again.
MADSEN: OK. Given that PROMIS was allegedly misused by the Justice Department, reproduced illegally, given to a U.S. intelligence agency, it was re-engineered and wound up in the hands of the intelligence services of countries like Syria, Iraq, and Libya. Now what have we learned since this incident that was tied up in court? We have one dead journalist; we have a former contract programmer for the CIA who's in jail for cocaine possession who says it was planted on him; and we have an appellate judge who was fired from his job. Now I don't believe the Danny Casolaro suicide story one bit. If it was an FBI agent looking into this type of wrongdoing, and there was some type of mysterious death, you'd have the entire assets of the Justice Department and other agencies on that case. We had a Barney Fife-type coroner in West Virginia that investigated the case. Why the double standard here? That's my question. I think it's fairer, I didn't know Danny Casolaro, but I view him as a colleague, and I view that lack of investigating his death about as immoral as Iran's death threat on Salman Rushdie.
GIBBONS: I got lost there... So you're asking about a double standard? Do you want to direct that at a particular person or leave it as a statement?
MADSEN: Any FBI.
GIBBONS: FBI? We had nothing to do with PROMIS. We never run PROMIS, we never had PROMIS on any of our systems. Justice didn't give it to us. (laughter)
MADSEN: Aren't you supposed to investigate those types of things? You did it with the other cases.
GIBBONS: Scott? We can't comment because it's an ongoing investigation. (laughter) I don't know anything about it -- if I knew anything about it, believe me, am I going to shut up? No. Don?
DELANEY: I'd just like to say something about the Barney Fife aspect of his question. Not that I'm paranoid or think he's referring to local law enforcement as opposed to federal law enforcement in Barney Fife...
GIBBONS: No movie ever did that.
DELANEY: However, I want to say we constantly hear about Craig Neidorf and Steve Jackson Games cases ad nauseam -- two cases which, unfortunately, if there was any wrongdoing, it was a shame. There have been hundreds and hundreds of search warrants executed, computer cases handled, investigated, where people have been investigated, pled guilty and went to trial, and were found guilty. At each of these conferences, I come away feeling like law enforcement has been soiled by some of the people in the audience because all they do is bring up those two cases. I want to let you know there are good cases being handled. There are search warrants being executed all the time for computer crime and telecommunications fraud. The cases are being done intelligently by local and federal law enforcement, and being prosecuted by assistant district attorneys and U.S. attorneys who have come up to speed on all of the issues. There are judges who have had to be brought up to speed on the issues so that we can get the search warrants necessary. In regard to one other thing, remember that members of law enforcement are individual human beings who live in this country and know what the First and Fourth Amendments are, who want our rights protected also under the Constitution and the Bill of Rights. And just as we want our rights protected, so do the corporations who have computers, and they have the right to privacy for those computers. (applause)
GODWIN: Let me just say briefly that at the virus conference last week that Don and I both attended, he commented that too many people brought up the Steve Jackson case and hammered law enforcement with it, so I deliberately refrained from doing that at this panel.
GIBBONS: Craig, do you want us to use your name in vain any more? Can we call it a dead issue for a little while? OK. On the end?
KEITH BASIL: My name is Keith Basil. Basil-Rowland is my company and we do computer security services. Occasionally we tap into the computer underground to find out what new holes are there, basically to keep an edge on our risk analysis service, penetration testing, and training and awareness. My question is, I want to know if there is a government organization similar to CERT to let people know about Van Eck devices, PBX holes, back doors -- information that these vendors don't provide to the general public.
GIBBONS: I know NIST does have a bulletin board up with risks and known vulnerabilities that is publicly available. Jim?
SETTLE: There is an industrial group that is very similar to CERT -- it is called FIRST. And somebody's going to ask me what all that means -- it's FORUM FOR INCIDENT..., well, basically it does the same thing as CERT. I can never tell you what it means exactly, but it's private industry and government agencies who run computer systems. It's not necessarily Internet-connected, that's not a requirement.
GIBBONS: I'm going to tell you right now we're out of time in about one minute. Unfortunately, I know we're going to stay for a little bit. I'm going to go ahead and try. I don't know if I can get to Mr. Gelman or not.
BRUCE FANCHER: I'm Bruce Fancher. I run an information service and online simulation in New York, and the title of the panel was supposed to be morality and ethics, but the only person who started off talking about that was Mike Godwin. Generally speaking, I like cops, I'm from New York and it's a dangerous place (laughter), but these gentlemen pretty much avoided the issue. And you all got off very easy on the fact that there is no hacker up on that panel now. I hope that you will all be at the Birds of a Feather session tonight. I would like someone there to answer Mike Godwin's call before, and say, "This case was wrong." All I've heard is, "Well, it may have been wrong," but I'd like someone there to say, "I made a mistake," or, "One of my colleagues made a mistake," or just, "This case was wrong. Sun Devil was a fiasco." Will anybody there admit to that?
GIBBONS: OK, I'm going to terminate, but I am going to say one thing, a nice long thing, just before I turn over to Peter Denning. I've got to terminate this because I've been told we're on a very tight schedule, although we'll stay and answer questions individually. The Legion of Hackers/Legion of Doom investigation down south, which wasn't exactly what the problem with Craig Neidorf was, the Legion of Hackers/Legion of Doom has been around for a very long time. We had a couple of people sending information to the FBI about some of the things that they were doing for years, and we never went and executed search warrants. In fact, we talked to almost none of them because we basically didn't think their activities warranted a federal investigation. I don't think you'll ever find a person who will stand up and literally do like some of the physicians do and do malpractice cases. I don't do malpractice -- I don't stand up and say my colleagues were wrong because I evidently don't know all the facts in all cases. I doubt that you're going to get anyone from this panel to stand up and say they were wrong in that. I think that's going to be left to the courts to decide eventually, if Craig continues in the vein he's been in, and you're well aware of what he's doing. I'd like to turn it back over to Peter Denning. I appreciate this very polarized and very important topic, and it doesn't look like it's going to be a dead issue for the next CFP, although I wanted to put it to rest. (laughter and applause) Thank you very much.
PETER DENNING: Thank you, thank you. I think that we had a very good, frank, and open discussion there, which is, of course, what this conference is all about -- to get the things that are on your minds out on the table and get a discussion started, even if we don't reach an answer. So thank you for your frankness, in bringing up views, and thank the panel, too, for their frankness in answering them.
Return to CPSR conferences page.
Return to the CPSR home page.
Send mail to webmaster.
Created before October 2004