**************************************************************************** >C O M P U T E R U N D E R G R O U N D< >D I G E S T< *** Volume 3, Issue #3.10 (March 28, 1991) ** **************************************************************************** MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet) ARCHIVISTS: Bob Krause / Alex Smith / Bob Kusumoto POETICA OBSCIVORUM REI: Brendan Kehoe USENET readers can currently receive CuD as alt.society.cu-digest. Back issues are also available on Compuserve (in: DL0 of the IBMBBS sig), PC-EXEC BBS (414-789-4210), and at 1:100/345 for those on FIDOnet. Anonymous ftp sites: (1) ftp.cs.widener.edu (or 192.55.239.132) (back up and running) and (2) cudarch@chsun1.uchicago.edu E-mail server: archive-server@chsun1.uchicago.edu. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors, however, do copyright their material, and those authors should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ CONTENTS THIS ISSUE: File 1: From the Mailbag File 2: Hollywood Hacker, Part Deuce File 3: Len Rose Outcome (from AP wire) File 4: Len Rose Pleads Guilty (Washington Post) File 5: Len Rose's "Guilt" and the Washington Post ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ---------------------------------------------------------------------- From: Various Subject: From the Mailbag Date: March 26, 1991 ******************************************************************** *** CuD #3.10--File 1 of 5: From the Mailbag *** ******************************************************************** Subject: Stormin Norman hacked? From: Bob Izenberg Date: Wed, 13 Mar 91 07:19:51 CST All Things Considered quoted a London Times article about an aide to Norman "Stormin' Norman" Schwartzkopf (sp?), the general in charge of a recent spate of calisthenics that may have made the headlines. ;-) The aide's PC, with some US battle plans on it, was stolen out of his car, and anonymously returned three weeks later. The NPR report quoted the Times article as saying that authorities were satisfied that the info on the portable's disk(s) never got into Iraqi hands, or computers. If only it was a telco employee's computer! Then we'd have somebody's balls on a platter already. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: youknowwho@MYSYS.EMU.EDU(Anonymous) Subject: Some Comments on Computer Fraud Enforcement Date: Sat, 17 Mar 91 05:17:49 GMT >From pages 9-11 of "Credit Card and Computer Fraud" dated August 1988 published by the Department of the Treasury, United States Secret Service: Computer Fraud Computer crimes have emerged as a major concern for law enforcement in recent years. Victims of computer crimes have sustained substantial losses, inconveniences, and even anxiety over the damage to their credit reputation. Some businesses, including small long-distance telephone companies, have gone bankrupt as a direct result of computer fraud losses. In 1986, Congress revised Title 18 of the United States Code, Section 1030, empowering the Secret Service, among other Federal law enforcement agencies, to investigate fraud and related activities in connection with "Federal-Interest computers." The law prohibits anyone from: [_] Knowingly accessing a computer to obtain certain information protected for reasons of national security with intent to injure the United States; [_] Intentionally accessing a computer to obtain, without authorization, information from a financial record of a financial institution; [_] Intentionally accessing a computer used for the exclusive use of the United States Government; [_] Intentionally accessing a computer to affect, without authorization, the government's use of any computer that is used by the United States Government; [_] Knowingly and intentionally accessing a Federal interest computer to fraudulently obtain anything of value other than the use of the computer; [_] Intentionally accessing a Federal interest computer to alter, damage, or destroy information, or prevent authorized use of any such computer, and thereby: a. cause a loss of $1,000 or more; or b. modify or impair a medical examination, medical diagnosis, medical treatment, or the medical care of an individual; or [_] Knowingly and intentionally accessing a computer to trafic in any password through which a computer can be accessed without authorization, where such trafficking affects interstate or foreign commerce, or such computer is used by or for the Government of the United States. The Secret Service maintains a group of highly trained computer specialists who participate in the investigation of computer fraud cases. Although the U.S. Secret Service is pioneering new law enforcement techniques in the identification and apprehension of computer criminals, the task of combating computer crime is not ours alone. The burden of responsibility for information and data security rests not only with law enforcement authorities, but also with the owners and operators of the computer systems who may, potentially, fall victim to computer fraud. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: halcyon!peterm@SUMAX.SEATTLEU.EDU(Peter Marshall) Subject: Re: New Telecom Laws Proposed Date: Mon, 18 Mar 91 09:53:28 PST Mike's post leaves one perplexed about what it's doing in CUD? Perhaps he could explain the relevance of this item to CU-related issues? Further, one tends to be left even more perplexed about Mike's assertion that the Michigan bill he describes "specifically seeks to overturn the MFJ." Now that's really quite a mouthful. But it's not disgesti. How does Mike think a Michigan bill could bring this about, one wonders? Peter Marshall ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Subject: Re; SWB PUC Ruling From: halcyon!peterm@SUMAX.SEATTLEU.EDU(Peter Marshall) Date: Mon, 18 Mar 91 09:58:32 PST Peter de Silva is right on this one; it was not exactly a near-optimal outcome, and for the reasons he notes, among others. On the other hand, where's the capability to "watch the various PUCs like a hawk"? Might be a tall order, methinks. Peter Marshall From: MMaples@cs1.bim.boville.edu Subject: Hacking and Breaking and Entering Date: Mon, 18 Mar 91 11:22:14 PST I've been reading a lot of posts that compare hacking to breaking and entering and wonder what CuD readers and editors think? I don't think the two are comparable. Breaking and entering is a type of violent crime and it physically destroys property. Sure, hacking might destroy data, but this doesn't happen much, which doesn't mean it's right, but that the two type of destruction aren't the same. A home is a private place and the type of privacy is different that the privacy of a computer. You can't curl up inside the computer and make love, retreat to its hard drives from the pressures of the outside world in the same way you do to the tv room, or make a sandwich. But it seems that the penalties for computer hacking are as severe as for breaking and entering. I just don't get it. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: brendan@CS.WIDENER.EDU(Brendan Kehoe) Subject: Response to Washington Post Article on Len Rose Date: Tue, 26 Mar 91 08:46:30 EST {Moderators' note: See File 5 of this issue for the Post piece.} The most intriguing part for me, was the way the Washington Post release made it sound like Mr. Rose's modified version of the login program was in itself inherently illegal. Even months after people complained about how blatantly uninformed making such a suggestion is, it persists and has taken a higher form. Had this case veered even one tenth of a degree from where it ended up, it could've set a rather dangerous precedent. It was a surprise when I read that Rose pleaded guilty .. and how quietly the trial took place. With the play it got earlier (Unix Today, etc) this year and last, the volume certainly did get lowered. Perhaps now Mr. Rose can get on with his life. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: Dave.Appel@P30.F30.N231.Z1.FIDONET.ORG(Dave Appel) Subject: Indianapolis is now PC-Pursuitable Date: Wed, 20 Mar 91 13:57:11 CST INDIANAPOLIS IS NOW PC-PURSUITABLE After years of promises, Telenet's (SprintNet's) PC-Pursuit service, also known as PCP, has finally installed outdials in Indianapolis. The official announcement from Telenet is still forthcoming, but the outdials are in place. Indy's semi-official BBS list comes from the IUPUI BBoard, and is maintained by sysop Don Smith. This file can be file requested from most of net 231's FidoNet boards as file INDY0301.ZIP. The latest version contains 96 local boards. However, taking all the multi-line boards into account, we have over 150 BBS lines! Some of the multi-line boards of note are: PBS-BBS (Public Brand Software) 317-856-2087, noted for its shareware; Data Central 317-543-2007, files and GIFs; User's Choice 317-894-1378, GIFs; and L.C. Midwest 317-924-2219, a dating/adult board. Those are pay boards. Most other boards are free. Indy is also Telelink/Starlink node 9349. Some people feel that Starlink is a better service than PC-Pursuit. Assuming that the outdial is in the same exchange as PCP's indial, the following exchanges should be accessible according to Indiana Bell's white pages. I include this list for your convenience because PCP has not yet published an official XCH list. Please excuse any typos or errors. These exchanges include Indianapolis proper, Carmel, Zionsville, Noblesville, Speedway, Beech Grove, Greenwood, Plainfield, Brownsburg, Fishers, Greenfield, Mooresville, and New Palestine. Outdial Site: D/ININD 317 222 226 230 231 232 233 235 236 237 238 239 240 241 242 317 243 244 247 248 251 252 253 254 255 256 257 259 261 262 317 263 264 265 266 267 269 271 272 273 274 276 277 278 283 317 290 291 293 297 298 299 321 322 326 328 335 351 352 353 317 355 356 357 359 422 424 425 431 432 439 441 442 443 445 317 461 462 464 465 466 467 469 470 471 485 486 488 535 539 317 541 542 543 545 546 547 549 556 571 573 574 575 576 577 317 578 579 580 630 631 632 633 634 635 636 637 638 639 681 317 684 685 686 687 691 694 736 738 745 769 773 776 780 781 317 782 783 784 786 787 788 823 831 835 838 839 841 842 843 317 844 845 846 848 849 852 856 861 862 867 870 871 872 873 317 875 876 877 878 879 881 882 885 887 888 889 891 892 894 317 895 896 897 898 899 920 921 923 924 925 926 927 928 929 317 976 994 996 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: Bob Izenberg Subject: L'Accused--a bust is a bust is a bust.... Date: Mon, 18 Mar 91 00:26:24 CST I ran across an interesting article in the January 29th, 1991 issue of the Village Voice. The author is Elizabeth Hess. I've included the relevant parts and omitted references to particular art galleries that were showing Sturges' work at the time. The general topic, that of a U.S. citizen penalized without trial or, even now, indictment or charges filed, may be familiar to CUD readers. (article excerpt follows) >From the 1-29-91 Village Voice article, "The Accused", by Elizabeth Hess: The opening of an exhibition of photographs by Jock Sturges would not ordinarily be news. But Sturges, as readers might recall, is currently under investigation for producing child pornography. Last April, members of the San Francisco police and the FBI entered the photographer's home, without a warrant, after receiving a tip from a local film processor (The Village Voice, June 12, 1990). Later that afternoon, a warrant was obtained and the officers carted off an estimated 1 million negatives, various pieces of darkroom and computer equipment, several business and personal files, eight address books, and a few cameras belonging to one terrified Jock Sturges. His life was impounded. Nine months have passed and the photographer has still not been charged with any crime, not have all of his belongings been returned. And, even more insidious, the FBI has launched an international investigation into the artist's work and personal life. While the art world, especially in San Francisco, has rallied around the case, Sturges says he has lost a show, friends, models, and jobs. On November 21, Michael Metzger, Sturges' attorney, filed a motion in the U.S. District Court in San Francisco for the return of the photographer's property; a hearing is scheduled for February 7. Sturges intends to follow up with a civil suit, seeking damages against local and federal authorities. Meanwhile, the photographer is also bringing his case to the public, traveling around the country in an effort to raise money and political support. [ lines on gallery exhibits skipped ] The artist's career was probably going at its proper pace prior to the totally unjustified, if not illegal, invasion into his privacy. It's hard to say how bad the authorities want Jock Sturges, They have certainly been putting a great deal of effort into an investigation of the folks listed in his address books. According to Sturges, the French police have visited and questioned every person who appears in his current Philadelphia exhibition and others: a total of 46 families. American authorities have also been busy making sure that people think twice before modeling in the nude for Sturges, or anybody else. According to the Philadelphia Inquirer Magazine, the FBI went to visit a family in California that included a 13-year old daughter whom Sturges has been shooting for the past eight years. During the interview, one of the agents turned to the young girl and asked, "Does this guy ever ask you to spread your legs?" Prior to this moment, no one in the family had ever been embarrassed by the photographs. The daughter recently hid her copies in a trunk. "The FBI has been instructing people in shame." says Sturges. "A visit from the police is traumatizing, and it has a chilling effect.~ Even Sturges recently wrapped a few bodies in towels before shooting them on the beach. {Moderator's note: We view this article as *directly* relevant to the CU for two reasons. First, it suggests how similar policies are filtered through different laws for the same result. The scenario between Sturges' experience and that of Steve Jackson and other is analogous: Media (whether computers or art) that Feds barely understand provides a context for identifying somebody who *appears* (in Fed-think) to be in violation of some heinous "crime of the week." The Feds swoop in, bust them and grab whatever equipment looks suspicious (substitute "computers" for "cameras," or "disks" for "negatives"). The second point is that the CU should be alert to apparent excessive zealousness in the non-computer world, because prosecutors' behavior seems, like cancer, to have a habit of spreading. In a recent federal drug bust on a Southeastern college fraternity, three fraternity houses were seized by the government because a few members were caught with drugs. This absurdity is reminiscent of J. Cousteau's yacht, The Calypso, being seized a few years ago because a crew member was found with a "roach" in his cabin. Federal agents and their supporters will argue for the necessity of such action, but in a free society, such seizures--which resemble tyrannies rather than democracies--affect us all. These are ALL CU issues. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Jim Thomas / CuD Subject: Hollywood Hacker, Part Deuce Date: March 26, 1991 ******************************************************************** *** CuD #3.10--File 2 of 5: The Hollywood Hacker, Part II *** ******************************************************************** In CuD 3.09, we raised the case of Stuart Goldman, dubbed "The Hollywood Hacker." Judging from media accounts and legal documents, we identified a few disturbing questions about the case, including the typical over-zealous law enforcement reaction and the possibility of a set-up. We suggested that Goldman hardly appears to be a hacker, but rather an investigative journalist who allegedly used somebody else's access code to gather material on an expose of sleaze-tv shows. The story received far more attention in the Los Angeles media than it did in the Chicago Tribune or New York Times, but the issues involved will not disappear. The LA Times (Sept 4, 1990: A-1) argued that the case appears to be "a saga befitting supermarket tabloid newspapers--a battle of an influential television network versus a self-proclaimed muckraker." According to numerous Los Angeles papers and magazines, Goldman's credentials as a journalist and writer are well-established. LA Media indicate he worked as a freelance writer for "Current Affair" and "Inside Addition," and was working for a freelance tv segment for "Inside Edition" at the time of the arrest. He reportedly had worked as a music critic at the Los Angeles Times and had a column in the L.A. Reader for two years. In a radio talk show in Los Angeles, Goldman indicated that he was working on a book called "Snitch," an expose of tabloid journalism. The program's host raised the possibility that the manuscript-in-progress might be seen by some as a post-arrest attempt to add attempt to add credibility to his investigatory claims, and Goldman alluded to the pre-arrest work done on the book, adding that "it's hard to fabricate three hundred typed pages which are circulating to publishers." There is no evidence that Goldman was a hacker by any stretch of the term. After a telephone conversation with Goldman, it appeared that his computer skills were limited to text editing and some modeming. Judging from all available public information, it appears that the Fox Network hyped this case for motives yet to be determined. The original federal arrest warrant stated that the charge was "Unauthorized access and access in excess of authority into a federal interest computer with intent to defraud" under 18 s. 1030(a)(4). The Federal charges were dropped almost immediately. This, in our mind, suggests that there was not a sufficient case against him to warrant federal prosecution, because we have seen to many similar cases in which federal charges have been pursued on creatively-defined grounds. Although valuable equipment and resources were confiscated, it appears that Goldman was not as unfortunate as some others have been. Nonetheless, he lost his computer, disks on which his works in progress were stored, and other material that would be difficult to replace. Although the search warrant appeared to limit the removal of property related only to "A Current Affair," it seems that, as in other cases, the phrase "related only to" took on a rather broad meaning. Even those who oppose "hacking" should be concerned with this case. We repeat that the issue is not guilt or innocence, or whether Goldman (or any other suspect) is as sympathetic as a 17 year old college student. As Bob Izenberg notes in his commentary on the busts of photographers (File 1, above), the issue is the manner in which raids occur, the broad definitions of what is seized, the creative use of indictments, the possible inflation of charges and "losses," and the tendency to hold on to equipment of suspects, and the possibility that prosecutors are looking for test cases that increase the punitive nature of the consequences for all involved. Justice is more than catching crooks, is also is processessing defendants in a way that does not subvert confidence in the justice system. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: bill Subject: Len Rose Outcome (from AP wire) Date: Sat, 23 Mar 91 14:29:14 EST ******************************************************************** *** CuD #3.10--File 3 of 5: AP Story on Len Rose *** ******************************************************************** BALTIMORE (AP) -- A computer hacker pleaded guilty Friday to stealing information from American Telephone & Telegraph and its subsidiary Bell Laboratories. Under an agreement with prosecutors, Leonard Rose pleaded guilty in U.S. District Court to one count of sending AT&T source codes via computer to Richard Andrews, an Illinois hacker, and a similar wire fraud charge involving a Chicago hacker. Prosecutors said they will ask that Rose be sentenced to two concurrent one-year terms. Rose is expected to be sentenced in May. Neither Rose nor his attorney could be immediately reached for comment late Friday. "Other computer hackers who choose to use their talents to interfere with the security and privacy of computer systems can expect to be prosecuted and to face similar penalties," said U.S. Attorney Breckinridge L. Willcox. "The sentence contemplated in the plea agreement reflects the serious nature of this new form of theft," Willcox said. Rose, 32, was charged in May 1990 in a five-count indictment following an investigation by the Secret Service and the U.S. Attorney's offices in Baltimore and Chicago. He also had been charged with distributing "trojan horse" programs, designed to gain unauthorized access to computer systems, to other hackers. Prosecutors said Rose and other hackers entered into a scheme to steal computer source codes from AT&T's UNIX computer system. The plea agreement stipulates that after he serves his sentence, Rose must disclose his past conduct to potential employers that have computers with similar source codes. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Anonymous Subject: Len Rose Pleads Guilty (Washington Post) Date: Mon, 25 Mar 91 11:22:13 PST ******************************************************************** *** CuD #3.10--File 4 of 5: Washington Post Story on Len Rose *** ******************************************************************** Source: Washington Post, March 23, 1991, pp A1, A10 "'Hacker' Pleads Guilty in AT&T CASE: Sentence Urged for Md. Man Among Stiffest Yet for Computer Crime" By Mark Potts/Washington Post Staff Writer BALTIMORE, March 22--A computer "hacker" who was trying to help others steal electronic passwords guarding large corporate computer systems around the country today pleaded guilty to wire fraud in a continuing government crackdown on computer crime. Federal prosecutors recommended that Leonard Rose Jr., 32, of Middletown, Md., be sent to prison for one year and one day, which would be one of the stiffest sentences imposed to date for computer crime. Sentencing is scheduled for May before U.S. District Judge J. Frederick Motz. Cases such as those of Rose and a Cornell University graduate student who was convicted last year of crippling a nationwide computer network have shown that the formerly innocent pastime of hacking has potentially extreme economic ramifications. Prosecutors, industry officials and even some veteran hackers now question the once popular and widely accepted practice of breaking into computer systems and networks in search of information that can be shared with others. "It's just like any other form of theft, except that it's more subtle and it's more sophisticated," said Geoffrey R. Garinther, the assistant U.S. attorney who prosecuted the Rose case. Rose--once part of a group of maverick hackers who called themselves the Legion of Doom--and his attorneys were not available for comment after the guilty plea today. The single fraud count replaced a five-count indictment of the computer programmer that was issued last May after a raid on his home by Secret Service agents. According to prosecutors, Rose illegally obtained information that would permit him to secretly modify a widely used American Telephone & (See HACKER, A10, Col 1) Telegraph Co. Unix software program--the complex instructions that tell computers what to do. The two former AT&T software employees who provided these information "codes" have not yet been prosecuted. Rose altered the AT&T software by inserting a "Trojan horse" program that would allow a hacker to secretly gain access to the computer systems using the AT&T Unix software and gather passwords used on the system. The passwords could then be distributed to other hackers, permitting them to use the system without the knowledge of its rightful operators, prosecutors said. Rose's modifications made corporate purchasers of the $77,000 AT&T Unix program vulnerable to electronic break-ins and the theft of such services as toll-free 800 numbers and other computer-based telecommunications services. After changing the software, Rose sent it to three other computer hackers, including one in Chicago, where authorities learned of the scheme through a Secret Service computer crime investigation called Operation Sun Devil. Officials say they do not believe the hackers ever broke into computer systems. At the same time he pleaded guilty here, Rose pleaded guilty to a similar charge in Chicago; the sentences are to be served concurrently, and he will be eligible for parole after 10 months. Rose and his associates in the Legion of Doom, whose nickname was taken from a gang of comic-book villains, used names like Acid Phreak Terminus--Rose's nickname--as their computer IDs. They connected their computers by telephone to corporate and government computer networks, outwitted security screens and passwords to sign onto the systems and rummaged through the information files they found, prosecutors said. Members of the group were constantly testing the boundaries of the "hacker ethic," a code of conduct dating back to the early 1960s that operates on the belief that computers and the information on them should be free for everyone to share, and that such freedom would accelerate the spread of computer technology, to society's benefit. Corporate and government computer information managers and many law enforcement officials have a different view of the hackers. To them, the hackers are committing theft and computer fraud. After the first federal law aimed at computer fraud was enacted in 1986, the Secret Service began the Operation Sun Devil investigation, which has since swept up many members of the Legion of Doom, including Rose. The investigation has resulted in the arrest and prosecution of several hackers and led to the confiscation of dozens of computers, thousands of computer disks and related items. "We're authorized to enforce the computer fraud act, and we're doing it to the best of our ability," Garry Jenkins, assistant director of investigations for the Secret Service, said last summer. "We're not interested in cases that are at the lowest threshold of violating the law...They have to be major criminal violations before we get involved." The Secret Service crackdown closely followed the prosecution of the most celebrated hacker case to date, that of Robert Tappan Morris Cornell University computer science graduate student and son of a computer sicentist at the National Security Agency. Morris was convicted early last year of infecting a vast nationwide computer network in 1988 with a hugely disruptive computer "virus," or rogue instructions. Although he could have gone to jail for five years, Mo $10,000, given three years probation and ordered to do 400 hours of community service work. Through Operation Sun Devil and the Morris case, law enforcement authorities have begun to define the boundaries of computer law. Officials are grappling with how best to punish hackers and how to differentiate between mere computer pranks and serious computer espionage. "We're all trying to get a handle for what is appropriate behavior in this new age, where we have computers and computer networks linked together," said Lance Hoffman, a computer science professor at George Washington University. "There clearly are a bunch of people feeling their way in various respects," said David R. Johnson, an attorney at Wilmer, Cutler & Pickering and an expert on computer law. However, he said, "Things are getting a lot clearer. It used to be a reasonably respectable argument that people gaining unauthorized access to computer systems and causing problems were just rambunctious youth." Now, however, the feeling is that "operating in unauthorized computing spaces can be an antisocial act," he said. Although this view is increasingly shared by industry leaders, some see the risk of the crackdown on hackers going to far. Among those concerned is Mitch Kapor, the inventor of Lotus 1-2-3, the best-selling computer "spreadsheet" program for carrying out mathematical and accounting analysis. Kapor and several other computer pioneers last year contributed several hundred thousands dollars to set up the Electron Freedom Foundation, a defense fund for computer hackers. EFF has funded much of Rose's defense and filed a friend-of-the-court brief protesting Rose's indictment. --end of article-- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: brendan@CS.WIDENER.EDU(Brendan Kehoe) Subject: Washington Post Retraction to Original Story Date: Wed, 27 Mar 91 08:49:00 EST From: The Washington Post, Tuesday March 26, 1991, Page A3. CORRECTION [to Saturday March 23, 1991 article] "Leonard Rose, Jr., the Maryland computer hacker who pleaded guilty last week to two counts of wire fraud involving his illegal possession of an American Telephone & Telegraph Co. computer program, was not a member of the "Legion of Doom" computer hacker group, as was reported Saturday, and did not participate in the group's alleged activities of breaking into and rummaging through corporate and government computer systems." ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Moderators Subject: Len Rose's "Guilt" and the Washington Post Date: March 28, 1991 ******************************************************************** *** CuD #3.10--File 5 of 5: Len Rose and the Washington Post *** ******************************************************************** Although Len Rose accepted a Federal plea bargain which resolved Federal charges against him in Illinois and Maryland, and state charges in Illinois, he will not be sentenced until May. Therefore, many of the details of the plea or of his situation cannot yet be made public. Len pleaded guilty to two counts of violating Title 18 s. 1343: 18 USC 1343: Sec. 1343. Fraud by wire, radio, or television Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined not more than $1000 or imprisoned not more than five years, or both. In our view, Len's case was, is, and continues to be, a political case, one in which prosecutors have done their best to create an irresponsible, inaccurate, and self-serving imagery to justify their actions in last year's abuses in their various investigations. Len's guilty plea was the result of pressures of family, future, and the burden of trying to get from under what seemed to be the unbearable pressure of prosecutors' use of law to back him into corners in which his options seemed limited. The emotional strain and disruption of family life became too much to bear. Len's plea was his attempt to make the best of a situation that seemed to have no satisfactory end. He saw it as a way to obtain the return of much of his equipment and to close this phase of his life and move on. Many of us feel that Len's prosecution and the attempt to make him out to be a dangerous hacker who posed a threat to the country's computer security was (and remains) reprehensible. The government wanted Len's case to be about something it wasn't. To the end, they kept fomenting the notion that the case involved computer security--despite the fact that the indictment, the statute under which he was charged, or the evidence DID NOT RELATE TO security. The case was about possession of proprietary software, pure and simple. The 23 March article in the Washington Post typifies how creative manipulation of meanings by law enforcement agents becomes translated into media accounts that perpetuate the the type of witch hunting for which some prosecutors have become known. The front page story published on March 23 is so outrageously distorted that it cannot pass without comment. It illustrates how prosecutors' images are translated into media narratives that portray an image of hackers in general and Len in particular as a public threat. The story is so ludicrously inaccurate that it cannot pass without comment. Mark Potts, the author of the story, seems to convict Len of charges of which even the prosecutors did not accuse him in the new indictment. According to the opening paragraph of the story, Len pleaded guilty to conspiring to steal computer account passwords. This is false. Len's case was about possessing and possessing transporting unlicensed software, *NOT* hacking! Yet, Potts claims that Rose inserted a Trojan horse in AT&S software that would allow other "hackers" to break into systems. Potts defers to prosecutors for the source of his information, but it is curious that he did not bother either to read the indictments or to verify the nature of the plea. For a major story on the front page, this seems a callous disregard of journalistic responsibility. In the original indictment, Len was accused of possessing login.c, a program that allows capturing passwords of persons who log onto a computer. The program is described as exceptionally primitive by computer experts, and it requires the user to possess root access, and if one has root privileges, there is little point in hacking into the system to begin with. Login.c, according to some computer programmers, can be used by systems administrators as a security device to help identify passwords used in attempts to hack into a system, and at least one programmer indicated he used it to test security on various systems. But, there was no claim Len used this improperly, it was not an issue in the plea, and we wonder where Mark Potts obtained his prosecutorial power that allows him to find Len guilty of an offense for which he was not charged nor was at issue. Mark Potts also links Len directly to the Legion of Doom and a variety of hacking activity. Although a disclaimer appeared in a subsequent issue of WP (a few lines on page A3), the damage was done. As have prosecutors, Potts emphasizes the LoD connection without facts, and the story borders on fiction. Potts also claims that Len was "swept up" in Operation Sun Devil, which he describes as resulting "in the arrest and prosecution of several hackers and led to the confiscation of dozens of computers, thousands of computer disks and related items." This is simply false. At least one prosecutor involved with Sun Devil has maintained that pre-Sun Devil busts were not related. Whether that claim is accurate or not, Len was not a part of Sun Devil. Agents raided his house when investigating the infamous E911 files connected to the Phrack/Craig Neidorf case last January (1990). Although Len had no connection with those files, the possession of unlicensed AT&T source code did not please investigators, so they pursued this new line of attack. Further, whatever happens in the future, to our knowledge *no* indictments have occured as the result of Sun Devil, and in at least one raid (Ripco BBS), files and equipment were seized as the result of an informant's involvement that we have questioned in a previous issue of CuD ( #3.02). Yet, Potts credits Sun Devil as a major success. Potts also equates Rose's activities with those of Robert Morris, and in so-doing, grossly distorts the nature of the accusations against Len. Equating the actions to which Len pleaded guilty to Morris grossly distorts both the nature and magnitude of the offense. By first claiming that Len modified a program, and then linking it to Morris's infectious worm, it appears that Len was a threat to computer security. This kind of hyperbole, based on inaccurate and irresponsible reporting, inflames the public, contributes to the continued inability to distinguish between serious computer crime and far less serious acts, and would appear to erroneously justify AT&T's position as the protector of the nets when, in fact, their actions are far more abusive to the public trust. After focusing for the entire article on computer security, Potts seems to appear "responsible" by citing the views of computer experts on computer security and law. But, because these seem irrelevant to the reality of Len's case, it is a classic example of the pointed non sequitor. Finally, despite continuous press releases, media announcements, and other notices by EFF, Potts concludes by claiming that EFF was established as "a defense fund for computer hackers." Where has Potts been? EFF, as even a rookie reporter covering computer issues should know, was established to address the challenges to existing law by rapidly changing computer technology. Although EFF provided some indirect support to Len's attorneys in the form of legal research, the EFF DID NOT FUND ANY OF LEN'S defense. Len's defense was funded privately by a concerned citizen intensely interested in the issues involved. The EFF does not support computer intrusion, and has made this clear from its inception. And a final point, trivial in context, Potts credits Mitch Kapor as the sole author of Lotus 1-2-3, failing to mention that Jon Sachs was the co-author. The Washington Post issued a retraction of the LoD connection a few days later. But, it failed to retract the false claims of Len's plea. In our view, even the partial LoD retraction destroys the basis, and the credibility, of the story. In our judgement, the Post should publicly apologize and retract the story. It should also send Potts back to school for remedial courses in journalism and ethics. Some observers feel that Len should have continued to fight the charges. To other observers, Len's plea is "proof" of his guilt. We caution both sides: Len did what he felt he had to do for his family and himself. In our view, the plea reflects a sad ending to a sad situation. Neither Len nor the prosecution "won." Len's potential punishment of a year and a day (which should conclude with ten months of actual time served) in prison and a subsequent two or three year period of supervised release (to be determined by the judge) do not reflect the the toll the case took on him in the past year. He lost everything he had previously worked for, and he is now, thanks to publications like the Washington Post, labelled as a dangerous computer security threat, which may hamper is ability to reconstruct his life on release from prison. We respect Len's decision to accept a plea bargain and urge all those who might disagree with that decision to ask themselves what they would do that would best serve the interests both of justice and of a wife and two small children. Sadly, the prosecutors and AT&T should have also asked this question from the beginning. Sometimes, it seems, the wrong people are on trial. ******************************************************************** ------------------------------ **END OF CuD #3.10** ********************************************************************