Last modified on Fri Apr 19  8:57:57 PDT 1991 by denning

Communications of the ACM, Vol. 34, No. 3, March 1991, pp. 24-43.

                The United States vs. Craig Neidorf
A Viewpoint on Electronic Publishing, Constitutional Rights, and Hacking


                         Dorothy E. Denning


              
``Congress shall make no laws ... abridging the freedom of speech, or
of the press; or the right of the people peacefully to assemble ...''

                                        First Amendment
   
``The right of the people to be secure in their persons, houses,
papers, and effects, against unreasonable searches and seizures, shall
not be violated ...''
                                        Fourth Amendment
                                        
``No person shall be ... deprived of life, liberty, or property, without
due process of law ...''
                                        Fifth Amendment
                                                                      
              
                        
1. Introduction

In 1983, the media publicized a series of computer break-ins by 
teenagers in Wisconsin, the so-called ``414 hackers.'' At about the 
same time, the popular movie Wargames depicted a computer wizard 
gaining access to the North American Air Defense (NORAD) Command 
in Cheyenne Mountain, Colorado and almost triggering a nuclear war 
by accident.  Since then, a stereotype of a computer ``hacker'' [foot 
1] has emerged -- unscrupulous young people who use their computer 
skills to break into systems, steal information and computer and 
telecommunication resources, and disrupt operations without regard 
for the owners and users of the systems.  Well-publicized incidents 
such as the Internet worm [Spafford 89] and the German hackers who 
broke into unclassified defense systems and sold information to the 
KGB [Stoll 90] have reinforced that stereotype and prompted policy 
makers and law enforcers to crack down on illegal hacking.  In May 
1990, 150 Secret Service agents executed 27 search warrants and seized 
40 systems as part of Operation Sun Devil, a two-year investigation 
led by Arizona prosecutors into incidents estimated to have cost 
companies millions of dollars.  Another investigation involving 
prosecutors in Atlanta and Chicago led to several indictments.

Reports on some of the seizures and indictments provoked an outcry
from people in the computer industry who perceived the actions taken
by law enforcers as a threat to constitutional rights.  One case in
particular that was cited as an example of threats against freedom
of the electronic press was that of Craig Neidorf, a college student
accused by the U. S. Government of fraud and interstate transportation
of stolen property regarding a document published in his electronic
newsletter, Phrack.  The trial began on July 23, 1990, and ended
suddenly on July 27 when the government dropped the charges.  I attended
the trial as an expert witness for the defense.

I will first discuss the case, and then turn to several larger issues
related to it and to the crackdown. 
 

2. Overview of the Case

Craig Neidorf is a pre-law student at the University of Missouri.  At
age 13, he got interested in computers, which developed from an earlier
intense interest in Atari 2600 and other video games.  At 14, he adopted
the handle Knight Lightning on computer networks and bulletin boards.
At 16, he and a childhood friend started an electronic newsletter called
Phrack.  The name was composed from the words ``phreak'' and ``hack,''
which refer to telecommunications systems (``phreaking'') and computer
systems (``hacking'').  To Phrack readers and contributors, phreaking
and hacking covered both legal and illegal activities, and some of
the articles in Phrack provided information that could be useful for
someone trying to gain access to a system or free use of
telecommunications lines.  To some law enforcers and computer security
professionals, Phrack was seen as a possible breeding ground for
computer criminals.  They found issues of Phrack among the evidence
of cases under investigation, and a hacker told them that Phrack had
provided information that helped him get started.

Phrack published thirty issues from November, 1985 through 1989.
Neidorf's main role with the newsletter was editor of a column called
``Phrack World News.'' In addition, he was the publisher of issue 14,
and co-editor/publisher of issues 20-30.  As publisher, he solicited
articles from authors, assembled the articles he received into an
issue, and distributed the issue to an electronic mailing list. 

On January 18, 1990, Neidorf received a visit from Special Agent Tim
Foley of the Secret Service and a representative of Southwestern Bell
Security regarding a document about the Enhanced 911 (E911) emergency
system.  This document, which was in the form of a computer text file,
had been published in Issue 24 of Phrack.  During this visit, Neidorf,
believing he had done nothing wrong, cooperated and turned over
information.  The next day, the visitors returned with a representative
from the campus police and a search warrant.  Neidorf was also asked
to contact the U. S. Attorney's office in Chicago.  He did, and on
January 29 he went to their offices, accompanied by a lawyer, for
further interrogation.  Again, he turned over information and answered
their questions.  Neither he nor his attorney were informed that four
days earlier evidence had been presented to a federal grand jury in
Chicago for the purpose of indicting him.  On February 1, the grand
jury was given additional evidence and charged Neidorf with 6 counts
in an indictment for wire fraud, computer fraud, and interstate
transportation of stolen property valued at $5000 or more.

In June, the grand jury met again and issued a new indictment that
dropped the computer fraud charges, but added additional counts of
wire fraud.  Neidorf was now charged with 10 felony counts carrying
a maximum penalty of 65 years in prison.

The indictment centered on the publication of the E911 text file in
Phrack.  The government claimed that the E911 text file was a highly
proprietary and sensitive document belonging to BellSouth and worth
$23,900.  They characterized the document as a road map to the 911
system, and claimed that its publication in Phrack allowed hackers
to illegally manipulate the 911 computer systems in order to disrupt
or halt 911 service.  They further claimed that the document had been
stolen from BellSouth by Robert Riggs, also known as The Prophet, and
that the theft and publication of the document in Phrack was part of
a fraudulent scheme devised by Neidorf and members of the hacking group
Legion of Doom, of which Riggs was a member.  The object of the scheme
was to break into computer systems in order to obtain sensitive
documents and then make the stolen documents available to computer
hackers by publishing the documents in Phrack.  The government claimed
that as part of the fraudulent scheme, Neidorf solicited information on
how to illegally access computers and telecommunication systems for
publication in Phrack as ``hacker tutorials.'' The term ``hacker''
was defined in the indictment as an individual ``involved with the
unauthorized access of computer systems by various means.'' 

On May 21, Neidorf called me to request a copy of my paper about hackers,
which I was preparing for the National Computer Security Conference
[Denning 90].  Although I had not talked with him before that, I knew
who he was because I had been following his case in the Computer
Underground Digest, an electronic newsletter, and in various Usenet
bulletin boards.  Based on what I had read, which included the E911
file as published in Phrack, I did not see how the E911 file could
be used to break into the 911 system or, for that matter, any computer
system.  I was concerned that Neidorf may have been wrongly indicted.
I was also concerned that a wrongful conviction -- a distinct
possibility in a highly technical trial -- could have a negative impact
on electronic publication.

In late June, I received another phone call, this time from Neidorf's
attorney, Sheldon Zenner of the firm Katten, Muchin & Zavis in Chicago.
After several conversations with Neidorf and Zenner, I agreed to be
an expert witness and provide assistance throughout the trial.

Zenner told me that John Nagle, an independent computer scientist in
Menlo Park, California, had gathered articles, reports, and books on
the E911 system from the Stanford University library and local
bookstores, and by dialing a Bellcore 800 number.  After Nagle showed
me the published documents, I agreed with his conclusion that Phrack
did not give away any secrets.  Nagle was also planning to go to Chicago
to help with the defense and possibly testify.

Meanwhile, I gathered articles, books, and programs that showed that
there are as many materials in the public domain that are at least
as useful for breaking into systems as anything published in Phrack.
Some of these are referenced in Section 4.


3.  The Trial

The trial began on July 23, 1990 in Chicago's District Court for the
Northern District of Illinois.  It was expected to last two weeks,
with the government presenting their case during the first week.  I
helped prepare the cross examinations of the government's witnesses and
expected to testify sometime during the second week.

After a day of jury selection, the trial began with Assistant U. S.
Attorney William Cook making the opening remarks for the prosecution.
Cook reviewed the government claims, weaving a tale of conspiracy
between Neidorf, Riggs, and members of the Legion of Doom who had broken
into BellSouth computers.

Zenner then presented his opening remarks for the defense.  He reviewed
Neidorf's history and involvement with Phrack, noting that the goal
of Phrack was the free exchange of information.  He challenged the
claims of the government and outlined the case for the defense.  He
noted how the government had indicted Neidorf despite his extensive
cooperation with them.  He said that Neidorf believed that his actions
were covered by the First Amendment, and that his beliefs were formed
from college classes he took as a pre-law student on constitutional
law and civil liberties.

The government's witnesses up through Thursday afternoon included Riggs,
Foley, and employees of Bellcore and of BellSouth and its subsidiaries.
The evidence brought out during the examination and cross-examination
of these witnesses showed that the E911 text file was not the highly
sensitive and secret document that BellSouth had claimed, that BellSouth
had not treated the document as though it were, and that Neidorf had
not conspired with Riggs.  Although this seemed like cause for optimism,
Zenner reminded us that the government loses very few cases.

On Friday morning, I arrived at the law offices to learn that the
government had been talking with Zenner about dropping the felony
charges in exchange for a guilty plea to a misdemeanor.  Neidorf,
however, would not accept a charge for something he had not done.
Meanwhile, Zenner was meeting with the U. S. attorneys.  I went to
the court room, where Zenner told me that the government was now
considering dropping all charges.  Zenner was willing to lay out the
case for the defense to the prosecution, and asked Nagle and me to
go to the U. S. Attorney's office and answer all their questions.  We
went, and Cook went through the E911 file paragraph by paragraph asking
us for evidence that the material was in the public domain.  Nagle
answered most of the questions, pointing Cook to the relevant public
documents and demonstrating that the E911 Phrack file did not give
away any secrets.

We then went to the court room to await the final decision.  Shortly
thereafter, the court resumed, and Judge Nicholas Bua announced the
government's decision to drop charges, dismissed the jury, and declared
a mistrial.  Five of the jurors were asked to remain and were
interviewed by Bua and both attorneys.  At midday, the court adjourned.

Although Neidorf was freed of all criminal charges, he was not free
of all costs.  The trial cost him and his family $100,000.


4.  Key Documents

The government's case focused on several documents that were published
in Phrack or were included in electronic mail between Neidorf and
others.  These included the E911 text file and Phrack version of that
file, the ``hacker tutorials'' published in Phrack Issue 22, a Trojan
horse login program, an announcement of The Phoenix Project in Phrack
Issue 19, and some email correspondence between Neidorf and Riggs.
All these documents were introduced as evidence by the government during
the presentation of their case.
 

4.1  The E911 Text File

Riggs testified that sometime during the summer of 1988, he accessed
a BellSouth system called AIMSX and downloaded a file with a document
issued by BellSouth Services titled ``Control Office Administration
of Enhanced 911 Services for Special Services and Major Account
Centers,'' Section 660-225-104SV, Issue A, March 1988.  The document,
which contains administrative information related to E911 service,
installation, and maintenance, bears the following notice on the first
page: ``Not for use or disclosure outside BellSouth or any of its
subsidiaries except under written agreement.'' Sometime prior to
September of 1988, Riggs transferred the file to a public UNIX [foot
2] system called Jolnet, where it remained until July 1989.

Riggs testified that he sent the E911 text file to Neidorf via email
from Jolnet in January 1989 for publication in Phrack.  He said he
asked Neidorf to edit the file so that it would not be recognizable
by BellSouth, and to publish it under the handle ``The Eavesdropper.''
Neidorf removed the non-disclosure notice and deleted names, locations,
and telephone numbers, and published it in Phrack Issue 24 on February
24, 1989.  The edited document was less than half the size of the
original document, and was split into two Phrack files, the first (file
5) containing the main text and the second (file 6) containing the
glossary of terms.

The government claimed that the E911 text file and Phrack version
contained highly sensitive and proprietary information that provided
a road map to the 911 system and could be used to gain access to the
system and disrupt service.  The claim was based on a statement made
by an employee of Bellcore.

As noted earlier, Nagle had located articles and pamphlets that
contained much more information about the E911 system than the Phrack
file.  During cross examination of the government's witness who was
responsible for the practice described in the E911 document, Zenner
showed the witness two of these pamphlets available from Bellcore via
an 800 number for $13 and $21 respectively.  The witness, who had not
seen either report before and was generally unfamiliar with the public
literature on E911, agreed that the reports also gave road maps to
the E911 system and included more information than was in Phrack.  The
witness also testified that a non-disclosure stamp is routinely put
on every BellSouth document when it is first written, thereby
weakening any argument that the document contained particularly
sensitive trade secrets.

The defense was prepared to argue that E911 text file contained no
information that was directly useful for breaking into the E911 system
or any computer system.  There were no dial-up numbers, no network
addresses, no accounts, no passwords, and no mention of computer system
vulnerabilities.  The government claimed that the names, locations,
organization phone numbers, and jargon in the E911 text file could
be useful for ``social engineering,'' that is, deceiving employees
to get information such as computer accounts and passwords.  However,
the Phrack version omitted the names, locations, and phone numbers,
and the jargon was all described in the published literature.  Thus,
the E911 Phrack file seemed no more useful for social engineering than
the related public documents.

The defense was also prepared to show that BellSouth had not treated
the document as one would expect a document of such alleged sensitivity
to be treated.  Riggs testified that the account he had used to get
into AIMSX had no password.  AT&T security was notified in September,
1988, that the E911 text file was sitting publicly available in Riggs's
directory on Jolnet, and Bellcore security was notified of this in
October.  This was two months before Riggs mailed the file to Neidorf
for inclusion in Phrack, and about four months before publication in
Phrack.  Still, no legal action was taken until July of 1989, nine
months from the time Bellcore was aware of the file's presence on
Jolnet.  At that point, Bellcore and BellSouth alleged to the government
that a highly sensitive and dangerous document was stolen.  They urged
the U. S. Secret Service to act immediately because of the purported
risk posed by the availability of this ``dangerous'' information.
However, they did not tell the Secret Service that they had discovered
all of this nine months earlier.  The government responded immediately
with a subpoena for Jolnet.  The defense believed that BellSouth's
delay in acting to protect the E911 document was inconsistent with
their claim that the document contained sensitive information. 
To their credit, however, BellSouth did strengthen the security of
their systems following the break-ins.

 
4.2  The Hacker Tutorials

The government claimed that three files in Phrack Issue 22 were
tutorials for breaking into systems and, as such, evidence of a
fraudulent scheme to break into systems, steal documents, and publish
them in Phrack.  These files, which corresponded to one count of the
indictment, were:

  4. ``A Novices Guide to Hacking -- 1989 Edition'' by The Mentor.
  5. ``An Indepth Guide In Hacking UNIX and The Concept of Basic
          Networking Utility'' by Red Knight.
  6. ``Yet Another File on Hacking Unix'' by Unknown User.

Files 4 and 5 of Phrack 22 briefly introduce the art of getting computer
access through weak passwords and default accounts, while File 6
contains a password cracking program.  Most of file 5 is a description
of basic commands in UNIX, which can be found in any UNIX manual.  After
examining these and other Phrack files, I concluded that Phrack contained
no more information about breaking into systems than articles written
by computer security specialists and published in journals such as
the Communications of the ACM, AT&T Bell Technical Journal, Information
Age, and UNIX/WORLD, and in books.  For example, Cliff Stoll's popular
book ``The Cuckoo's Egg'' [Stoll 90] has been characterized as a
``primer on hacking.'' Information that could be valuable for breaking
passwords is given in the 1979 paper on password vulnerabilities by
Morris and Thompson of Bell Laboratories [Morris & Thompson 79].  A
recent article by Spafford gives details on the workings of the Internet
worm [Spafford 89].

Password cracking programs are publicly available intentionally so
that system managers can run them against their own password files
in order to discover weak passwords.  An example is the password cracker
in COPS, a package that checks a UNIX system for different types of
vulnerabilities.  The complete package can be obtained by anonymous
FTP from ftp.uu.net.  Like the password cracker published in Phrack,
the COPS cracker checks whether any of the words in an on-line
dictionary correspond to a password in the password file.

Another file that the prosecution brought into evidence during the
trial was file 6 in Phrack Issue 26, ``Basic Concepts of Translation,''
by The Dead Lord and The Chief Executive Officers.  This file, which
described translation in ESS (Electronic Switching System) switches,
contained a phrase ``Anyone want to throw the ESS switch into an endless
loop????'' in a section on indirect addressing in an index table.  This
remark can be interpreted as a joke, but even if were not, the information
in the article seems no worse than Ritchie's code for crashing a system,
which is published in the UNIX Programmer's Manual with the comment
``Here is a particularly ghastly shell sequence guaranteed to stop
the system: ...'' [Ritchie].

The government's claims that these files were part of a fraudulent
scheme were disproved by Riggs's testimony and email (discussed later)
showing that Neidorf and Riggs had not conspired to commit fraud by
stealing property and publishing stolen documents.

By publishing articles that expose system vulnerabilities, Phrack,
in one sense, is not unlike some professional publications such as
those of the ACM.  The ACM has encouraged such articles on the grounds
that in the long term, the knowledge of vulnerabilities will lead to
the design of systems that are resistant to attacks and failures.  But,
there is an important difference between the two publications.  

ACM explicitly states that it does not condone unauthorized use or
disruption of systems, it discourages authors of articles about
vulnerabilities from writing in a way that makes attacks seem like
a worthy activity, and it declines to publish an article that appears
to endorse attacks of any kind.  In addition, the ACM is willing to
delay publication of an article for a short time if publishing the
information could make existing systems subject to attack.

By comparison, Phrack appears to encourage people to explore system
vulnerabilities.  In ``A Novice's Guide to Hacking,'' The Mentor gives
eleven guidelines to hacking.  The last says ``Finally, you have to
actually hack.  ...  There's no thrill quite the same as getting into
your first system ...'' Although the guidelines tell the reader ``Do
not intentionally damage *any* system'', they also tell the reader
to alter those system files ``needed to ensure your escape from
detection and your future access.'' [foot 3]. The wording can be
interpreted as encouraging unauthorized but non-malicious break-ins.
Thus, whereas reading Phrack could lead one to the assessment that
it promotes illegal break-ins, reading an ACM publication is likely
to lead to the assessment that it discourages such acts and promotes
protective actions.

The actual effect of either publication on illegal activities or
computer security, however, is much more difficult to determine,
especially since both publications are available to anyone.  Computer
security specialists who read Phrack may have found it useful to know
what vulnerabilities intruders were likely to exploit, while hackers
who read the Communications may have learned something new about
breaking into systems or implanting viruses.  The Phrack reports on
people who were arrested may have discouraged some budding young hackers
from performing illegal acts; they also may have reminded hackers to
take greater measures to cover up their tracks and avoid being caught.

Even if Phrack promoted certain illegal actions, this does not make
the publication itself illegal.  The First Amendment protects such
publication unless it poses an imminent danger to society.  The
threshold for this condition is sufficiently high that, although courts
have discussed its theoretical existence, it has never been met.


4.3  The Trojan Horse Login Program

The government found a modified version of the AT&T System V 3.2 login
program in Neidorf's files.  The program, which was modified and sent
to Neidorf by someone currently under indictment, was part of the AT&T
UNIX source code and had ``copyright'' and ``proprietary'' stamps
scattered throughout.  The modifications included a Trojan horse that
captured accounts and passwords, saving them in a file that could be
later retrieved.  The government claimed that Neidorf's possession
of this program demonstrated his intentions to promote illegal break-ins
and the theft of proprietary information.  To support their case, they
brought into evidence email where Neidorf was relaying messages between
two other parties.  One party said he had other UNIX sources, including
4.3 BSD Tahoe, and the other asked for the Tahoe source so he could
install the login program on some Internet sites.

The defense believed that the government's allegations against Neidorf
were weak on three grounds.

First, like any publisher, the mere receipt of a document is not proof
of intent to perform illegal acts.

Second, after observing that the source code contained notices that
the code was copyrighted and proprietary, Neidorf asked someone at
Bellcore security for advice on what to do.  These actions added
credibility to his claim that he had no intent to perform illegal acts
and that he did not know that publishing the E911 text file could be
illegal.  Although the E911 file had a non-disclosure notice,
the notice did not contain the words ``copyright'' or ``proprietary.''

Third, how to write a Trojan horse login program is no secret.  For
example, such programs have been published in Stoll's book [Stoll 90]
and an article by Grampp and Morris [Grampp & Morris 84].  Also, in
his ACM Turing lecture, Ken Thompson, one of the Bell Labs co-authors
of UNIX, showed how to create a powerful Trojan horse that would allow
its author to log onto any account with either the password assigned
to the account or a password chosen by the author [Thompson 84].
Thompson's Trojan horse had the additional property of being
undetectable in the login source code.  This was achieved by modifying
the C-compiler so that it would compile the Trojan horse into the
login program.


4.4  The Phoenix Project and Email Correspondence

Issue 19, File 7 of Phrack announced ``The Phoenix Project,'' and
portrayed it as a new beginning to the phreak/hack community where
``Knowledge is the key to the future and it is FREE.  The
telecommunications and security industries can no longer withhold the
right to learn, the right to explore, or the right to have knowledge.''
The new beginning was to take place at SummerCon '88 in St. Louis.

The government claimed that this announcement was the beginning of
the fraudulent scheme to solicit and publish information on how to
access systems illegally, and its publication accounted for one of
the counts in the indictment.  Yet, the announcement explicitly says
``The new age is here and with the use of every *LEGAL* means available,
the youth of today will be able to teach the youth of tomorrow.  ...
the practice of passing illegal information is not a part of this
convention.'' Security consultants and law enforcers were invited to
attend SummerCon.  

Although Neidorf was not charged with any crimes in 1988, the Secret
Service sent undercover agents to SummerCon '88 to observe the meeting.
They secretly video-taped Neidorf and others through a two-way mirror
during the conference for fifteen hours.  What did they record?  A few
minors drinking beer and eating pizza.  Zenner asked to introduce these
tapes as evidence for the defense, but the prosecution objected and
Judge Bua sustained their objection.

Two counts of the indictment involved email messages from Neidorf to
Riggs and ``Scott C.'' These messages, which were also alleged to be
part of the fraudulent scheme, were basically discussions of particular
individuals, mainly members of the Legion of Doom.  The messages
contained no plots to defraud any organization and no solicitations
for illegal information.


5.  Rights and Responsibilities

Neidorf's indictment came in the midst of a two-year investigation
of illegal activity that involved the FBI, Secret Service, and other
federal and local law enforcement agencies.  As part of the
investigation, the government seized over forty systems and 23,000
disks.  Several bulletin board systems were shut down in the process,
including the Jolnet system on which Riggs stored the E911 document.
In most cases, no charges have yet been made against the person owning
the equipment, and equipment that seemed to have little bearing on
any illegal activity, such as a phone answering machine, was sometimes
included in the haul.  The Phrack case and computer seizures raised
concerns about freedom of the press, protection from unnecessary
searches and seizures, and the liabilities and responsibilities of
system operators and owners.  In this section, I shall discuss these
issues and give some of my personal opinions about them.


5.1  Electronic Publications  

Some observers interpreted Neidorf's indictment as a threat to freedom
of the press in the electronic media.  The practice of publishing
materials obtained by questionable means is common in the news media,
and publication of the E911 file in Phrack was compared with publication
of the Pentagon Papers in the New York Times and Washington Post.  The
government had tried unsuccessfully to stop publication of the Pentagon
Papers, arguing that publication would threaten national security.
The Supreme Court held that such action would constitute a ``prior
restraint'' on the press, prohibited by the First Amendment.  It
threfore surprises me that there is any doubt that electronic
publications should be accorded the same protection as printed ones.

Shortly before the Phrack case came to trial, Mitchell Kapor and John
Barlow founded the Electronic Frontier Foundation (EFF) in order to
help raise public awareness about civil liberties issues and to support
actions in the public interest to preserve and protect constitutional
rights within the electronic media.  The EFF hired the services of
Terry Gross, attorney with the New York law firm Rabinowitz, Boudin,
Krinsky & Lieberman, to provide legal advice for the Phrack case; Gross
submitted two friend-of-the-court briefings seeking to have the
indictment dismissed because it threatened constitutionally protected
speech.  The trial court judge denied EFF's motion, but as it turned
out, the charges were dropped before the issue was seriously discussed
during the Neidorf trial.

Although certain information may be published legally, authors and
publishers should consider how such information might be interpreted
and used.  In the case of hacker publications, the majority of readers
are impressionable young people who are the foundation of the future.
Articles which encourage illegal break-ins or contain information
obtained thusly should not simply be dismissed as proper just because
they are protected under First Amendment rights.


5.2  Searches and Seizures

The seizures of bulletin boards and other systems raised questions
about the rights of the government to take property and retain it for
an extended period of time when no charges have been made.  At least
one small business, Steve Jackson Games, claims to have suffered a
serious loss as a result of having equipment confiscated for over three
months.  According to Jackson, the Secret Service raid cost his company
$125,000, and he had to lay off almost half of his employees since
all of the information about their next product, a game called GURPS
CYBERPUNK, was on the confiscated systems.  Some of the company's
equipment was severely damaged, and data was lost.  No charges have
been made.

Seizing a person's computer system can be comparable to taking every
document and piece of correspondence in that person's office and home.
It can shut down a business.  Moreover, by taking the system, the
government has the capability to read electronic mail and files
unrelated to the investigation; such broad seizures of paper documents
are generally not approved by judges issuing search warrants.

For these reasons, it has been suggested that the government not be
allowed to take complete systems, but only the files related to the
investigation.  In most cases, this seems impractical.  There may be
megabytes or even gigabytes of information stored on disks, and it
takes time to scan through that much information.  In addition, the
system may have non-standard hardware or software, making it extremely
difficult to transfer the data to another machine and process it.
Similarly, if a computer is seized without its printer, it may be
extremely difficult to print out files.  Finally, originals are needed
for evidence in court, and the evidence must be protected up to the
time of trial.  However, if the government can be reasonably confident
that the owner of the system has not participated in or condoned the
activities under investigation, then it may be practical for the
government to issue a subpoena for certain files rather than seize
the entire system.

When a complete system is seized, it seems reasonable that the
government be required under court order to provide copies of files
to the owner at the owner's request and expense within some time limit,
say one week or one month.

If a system shared by multiple users is seized, the search should be
restricted to mail and files belonging to the users under investigation.


5.3  Liabilities and Responsibilities of System Operators and Owners

The bulletin board seizures sent a chill through the legitimate network
community, raising questions about the liabilities of an operator of
a bulletin board or of any system.  Operators of these boards asked
if they needed to check all information passing through the system
to make sure there is nothing that could be interpreted as a stolen,
proprietary document or as part of a fraudulent scheme.

Computer bulletin boards have been referred to metaphorically as
electronic meeting places where assembly of people is not constrained
by time or distance.  Public boards are also a form of electronic
publication.  It would seem, therefore, that they are protected by
the constitution in the same way that public meeting places and
non-electronic publications such as newspapers are protected.  This,
of course, does not necessarily mean they should be free of all
controls, just as public meetings are not entirely free of control.

Bulletin board systems often provide private directories and electronic
mail.  Private mail and files should be given the same protections
from surveillance and seizure as First Class Mail and private
discussions that take place in homes or businesses.  I believe the
Electronic Communications Privacy Act provides this protection.

The E911 text file was obtained from a system with a null password.
While this does not excuse the person who got into the system and copied
the file, I believe that system owners should take greater measures to
prevent break-ins and unauthorized use of their systems.  There are
known practices for protecting systems.  While none of these is
foolproof, they will with high probability keep intruders out and detect
those that enter.  Although the risks associated with insecure systems
may not have been great until recently, thereby justifying weak security
in favor of allocating more resources for other purposes, the risks
are now sufficiently great that weak security is inexcusable for many
environments.  Moreover, system owners may be vulnerable to lawsuits
if they do not have adequate protection for customer information or
for life-critical operations such as patient monitoring or traffic
control.

Our current laws allow a person to be convicted of a felony for simply
entering a system through an account without a password.  I recommend
that we consider adopting a policy where unauthorized entry into a
system is at most a misdemeanor if certain standards have not followed
by the owner of the system and the damage to information on the system
is not high.  However, I recognize that it may be very difficult to
set appropriate standards and to determine whether an organization
has adhered to them.

I also recommend we consider establishing a range of offenses, possibly
along the lines of those in the U. K. Computer Misuse Act, which became
effective in August, 1990:

 - Unauthorized access: seeking to enter a computer system knowing that
   the entry is unauthorized.  Punishable by up to six months
   imprisonment.
 
 - Unauthorized access in furtherance of a more serious crime.
   Punishable by up to five years imprisonment.
 
 - Unauthorized modification of computer material: introducing viruses,
   Trojan horses, etc., or causing malicious damage to computer files.
   Punishable by up to five years imprisonment.
 

6.  Conclusions

Making a sound assessment of the claims made in the Phrack case
requires expertise in the domains of computers, the UNIX system,
computer security, phone systems, and the public literature.  Whereas
Zenner brought in outside technical expertise to help with the defense,
the prosecution relied on experts belonging to the victim, namely,
employees of Bell.  The indictment and costly trial may have been
avoided if the government had consulted neutral experts before deciding
whether to pursue the charges.  The professional community represented
by ACM may be a good source of such help.  

In the context of the new milieu created by computers and networks,
a new form of threat has emerged -- the computer criminal capable of
damaging or disrupting the electronic infrastructure, invading people's
privacy, and performing industrial espionage.  While the costs
associated with these crimes may be small compared with computer crimes
caused by company employees and former employees, the costs are growing
and are becoming significant.

For many young computer enthusiasts, illegal break-ins and phreaking
are a juvenile activity that they outgrow as they see the consequences
of their actions in the world.  However, a significant number of these
hackers may go on to become serious computer criminals.  To design
an intervention that will discourage people from entering into criminal
acts, we must first understand the hacker culture since it reveals
the concerns of hackers that must be taken into account.  We must also
understand the concerns of companies and law enforcers.  We must
understand how all these perspectives interact.

The 1985 ACM Panel on Hacking [Lee 86] offered several suggestions
for actions that could be taken to reduce illegal hacking, and my own
investigation confirmed these while speculating about others [Denning
90].  Teaching computer ethics may help, and I applaud recent efforts
on the part of computer professionals and educators to bring computer
ethics not only into the classroom, but into their professional forums
for discussion.


Acknowledgments

Special thanks to Chuck Bushey, Peter Denning, Jef Gibson, Cynthia
Hibbard, Steve Lipner, Craig Neidorf, Mike Schroeder, and Sheldon Zenner
for many helpful suggestions; to Pete Mellor for information about
the U. K. laws; and to my many friends and colleagues who patiently
educate me in areas where I am vulnerable to my own blindness.  The
views here are my own and do not represent those of my employer.


References

[Denning 90]
  Dorothy E. Denning, ``Concerning Hackers Who Break Into Computer
  Systems,'' Proc. of the 13th National Computer Security Conf., Oct.
  1990.
  
[Grampp & Morris 84]
  F. T. Grampp and R. H. Morris, ``UNIX Operating System Security,''
  AT&T Bell Laboratories Technical Journal, Vol. 63, No. 8, Oct. 1984.

[Lee 86]
  John A. N. Lee, Gerald Segal, and Rosalie Stier, ``Positive 
  Alternatives: A Report on an ACM Panel on Hacking,'' Comm. ACM, 
  Vol. 29, No. 4, April 1986, p. 297-299; full report available from 
  ACM Headquarters, New York.

[Morris & Thompson 79]
  Robert Morris and Ken Thompson, ``Password Security: A Case History,''
  Comm. ACM, Vol. 22, No. 11, Nov. 1979.

[Ritchie]
  Dennis Ritchie, ``On the Security of UNIX,'' UNIX Programmer's Manual,
  Section 2, AT&T Bell Laboratories.
  
[Spafford 89]
  Eugene H. Spafford, ``The Internet Worm: Crisis and Aftermath,'' Comm.
  ACM, Vol. 32, No. 6, June 1989.
  
[Stoll 90]
  Clifford Stoll, The Cuckoo's Egg, Doubleday, 1990.

[Thompson 84]
  Ken Thompson, ``Reflections on Trusting Trust,'' Turing Award
  Lecture, Comm. ACM, Vol. 27, No. 8, p. 761-763.
  

Footnotes 

1.  The term ``hacker'' originally meant anyone with a keen interest
in learning about computer systems and using them in novel and clever
ways.  Many computer enthusiasts still call themselves hackers in
this non-pejorative sense.

2.  UNIX is a trademark of AT&T. 

3.  Most system managers regard any modification of system files as
damage, because they must restore these files to a state that does
not permit the intruder to re-enter the system.