US Focus


JUL - AUG

THE COMPUTER LAW AND SECURITY REPORT

TRANSBORDER DATA FLOW AND 1992

Recently, I had the opportunity to review some of the papers presented at the Commission of the European Communities and the Council of Europe's March 1990 meeting in Luxembourg. The meeting, entitled "Access to public sector information, data protection and computer crime - Legal challenges and opportunities created by the prolific growth of electronic information services," dealt with the growing problem of computer crime and the prosecution of same. At this conference the legal affairs department of the Council of Europe submitted a paper, "Computer-related Crime - Recommendation No. R(89) 9," which offered guidelines for national legislatures when drafting anti-computer crime legislation. The paper discusses, in great depth, the problem of computer crime, especially when crossing national borders; procedural law problems; and the application of European penal law conventions to computer-related crime.

In the report, the European Committee on Crime Problems called for two lists of computer crimes: a "Minimum List," which consists of computer crimes that should be included with all anti-computer crime legislation, and an "Optional List," which may or may not be included. The two lists are as follows:

"MINIMUM LIST"

1. Computer-related fraud
2. Computer forgery
3. Damage to computer data or equipment
4. Computer sabotage
5. Unauthorized access
6. Unauthorized interception
7. Unauthorized reproduction of a protected program
8. Unauthorized reproduction of a topography

"OPTIONAL LIST"

9. Alteration of computer data or computer programs
10. Computer espionage
11. Unauthorized use of a computer
12. Unauthorized use of a protected computer program

I disagree with the Committee's recommendations regarding "Minimum" and "Optional" lists. Crimes such as unauthorized access and unauthorized use should be included in the "Minimum List." Almost any type of computer crime will involve some type of unauthorized use or access. Alteration of computer data or computer programs could be covered under damage to computer data or equipment, since a computer program in actuality is nothing more than a file containing data (machine instructions). Any changes to that file could be construed as damage; hence, damage to computer data or equipment could be used. Additionally, computer espionage could fall under the category of unauthorized access or unauthorized interception.

Computer espionage today is a very real threat, as Harvard astronomer Clifford Stoll found out when he tried to track down a $0.75 billing error. During his investigation, Stoll discovered a KGB-contracted hacker who, operating in West Germany, was trying to break into U.S. computers looking for SDI ("Star Wars") information. He later wrote a book on his escapades entitled "The Cuckoo's Egg," which is now a best seller.

The goal of the European Committee on Crime Problems is the development of some method to deal with the problem of computer crime crossing national boundaries. The committee had representation from: Austria, Denmark, France, the Federal Republic of Germany, Greece, Italy, Luxembourg, the Netherlands, Norway, Portugal, Spain, Sweden and Switzerland. Canada, Finland, Japan, the United States, the European Communities, OECD and UNSDRSI sent observers.

We need some method to deal with international computer crime. With today's communication networks it is very easy to be in Chicago and access computers in Australia, London, Zurich, and Bonn in just a matter of minutes. If a hacker caused damage or just copied some proprietary information off of each of these computers, prosecution would be difficult with today's current system.

Other papers at the conference included discussions on transborder flow of information, privacy, and the use of public information in the private sector in light of the coming single Community in 1992.

[1990-91] 2 CLSR

ROBERT T. MORRIS, JR. CONVICTED

Robert T. Morris, Jr., the author of the famed "Internet Worm," was sentenced to 400 hours of community service, a $10,000 fine and three years' probation for his computer activities by U.S. District Court Judge Howard G. Munson. The legal and computer security communities are split on whether or not Morris should have served some time in jail for his crime. Morris could have received up to five years in prison and a $250,000 fine. In a published report by Evan Schuman in UNIX Today!, Keith Bostic, one of Morris' victims who testified against him, said, "I don't think that anything would have been served by Morris going to jail ... I believe that a felony conviction was a reasonable deterrent."

Others, including myself, still contend that you do not go around developing a 50,000 line program that attempted to gather passwords, encrypt them, and then transmit them back without criminal intent. This program always had a malicious purpose. Granted, the purpose was not to crash the Internet network - that was due to a bug in the program - but to gather passwords. What if the bug had not caused the program's discovery? Morris would have had the passwords to a number of computers on the Internet network, all without any knowledge on the part of the computer centers involved. As a result of this malicious intent, Morris should have done some time in jail as a message to others who might consider the same thing. Now, with the court's "slap on the wrist" for Morris, hackers can inconvenience thousands of computer users and not worry about going to jail.

U.S. SECRET SERVICE CRACKS DOWN ON HACKERS

The U.S. Secret Service, in addition to providing protection for the President, Vice President and visiting dignitaries and investigating counterfeiting activity, is also empowered to investigate computer crimes on a national level. As a result, the Secret Service, working with private businesses and phone companies, has been actively investigating and prosecuting computer crimes and toll fraud theft. Recently, the Secret Service conducted raids at 27 sites in the United States. Investigators estimate the losses in system thefts and damages caused by the hackers at upwards of $50 million. Some of the people arrested are said to be involved in "The Legion of Doom." The Legion of Doom is a group of UNIX computer hackers who try illegally to access computers in order to steal UNIX source code and disseminate information about UNIX security loopholes.

This incident again points out the growing problem with computer hackers. Unfortunately, I believe that as long as we have computers, we will have computer hackers. But still the biggest threat is not from the transglobal hacker, but the disgruntled employee or person involved in computer espionage, be it corporate or military. Today, information is power. As we computerize and build bigger and better on-line systems, we must continue to build in security measures and enact laws to protect ourselves.

Bernard P. Zajac, Jr.
