ignore security and it'll go away

hackers.q

hackers.q
Posted Aug 26, 2002

Internet Computer Crime Fact or Fiction?? Written by Alan Hoffman a.k.a. -Q-

tags | bbs
MD5 | 26de4f3f06a6caba10b65f65b2f7a860

hackers.q

Change Mirror Download
      
----------------------------------------------------------------
Internet Computer Crime
Fact or Fiction??


Written by Alan Hoffman
a.k.a. -Q-
----------------------------------------------------------------

---------
|| INDEX ||
-----------------------------------------
(A) Foreword:
(1) Hacker Ethics, Hacker Profile.
(2) Internet & Computer Crimes Analysis
(3) Computer Security Overview
(4) Organizations & Legislation
(5) Accountability
(6) Appendices...Misc.Info
-----------------------------------------


-----------------------------------------------------------------------
(A) FOREWORD:
-----------------------------------------------------------------------

Foreword:
This article was originally intended to be a report on Internet
computer crime... But the fact remains that after having just finished
this article, I can say that their really is no Internet crime.. It
is quite literally a hoax. And it is thusly unfortunate that us
computer and technology lovers have to take cheap-shot blows from
unscrupulous journalists who tell half-distorted facts when reporting
on criminal cases involving computer crime. It is quite literally a
"witch-hunt" and ALL computer users are the target. The reason for this
witch hunt is simply because computers, and the information superhighway
(the Internet) is the hottest "scoop" (story) to happen to the newspaper
and journalism industry in the last 3 decades. The journalists are
determined to "milk" this subject and get as much ratings as they can
for as long as they can by printing glorified distorted newspaper articles.

Rather, I have chosen to focus on the overall picture.. Who is REALLY
responsible for most of the crimes? What are the major computer crimes?
Are hackers really the cause of all of our problems as the media would
lead you to believe? Or are hackers actually a big blessing to the
field of technology?


------------------------------------------------------------------------
(1) HACKER ETHICS, HACKER PROFILE. HACKERS BENEFIT TO SOCIETY.
------------------------------------------------------------------------
Profile:
Age: 15-32 [Professional hackers 17 - 32]
[Beginning hackers 14 - 21]
[Casual/hobby hackers 14 - 40]

Hackers Code of Ethics: [This is common law among hackers, and the]
[hackers that do not follow these ethics ]
[codes strictly; or deliberately commit ]
[crimes for personal gain & profit are ]
[thought of as scum and trash by the real ]
[hackers. ]

...................................................................
Ethics List-1
...................................................................
Here is a sample ethics list, this one is written by me.

(1) Learning should always be your ultimate goal..first and foremost.
(2) You should try to help the system administrator if you find
a flaw in your system.
(3) If you find flaws in systems, you should write a research paper
and release it on the I-Net for all to see and benefit from.
(4) Never ever steal, and that usually includes software piracy.
(5) Never,ever,ever,ever,damage anything on the system or release
viruses. (It is o.k. to release trojan type devices with the
intent of testing security, so long as the device is designed to
test security and isnt a maliscious trojan).
(6) Never post password list for accounts that you hacked for all to see.
(7) Try to trespass as little as you can when testing a systems security.
(8) Always try to ask the system admins permission first beforehand.
Quite often, the system admin will let you play with his system
so long as your intentions are honorable.
(9) Try never to use other peoples accounts... If it is necessary to
enter somebody elses account while testing security... dont be a
nosy buisybody and check on that persons mail.. Justuse the
persons account for the intention of testing security.

...................................................................
Ethics List-2
...................................................................
This is a partial ethics list wriiten by a good friend
of mine name ChrisDemilo, who used to be an active
hacker (now a comsec/compusec conultant).


(1) Thou shall look, but NEVER touch.
One may obtain a much information as one pleases, from any system,
but never should damage be done in any way shape or form.
(although the unwritten laws of hacker ethic states, that a
data traveler may cover his tracks, by altering system audit logs).

(2) Thou shall NOT steal.
(This unwritten law primarily refers to not necessarily
stealing per se, but one should not use services or buy
products and charge those services or products to anyone else,
and if one does do this, it should only be done, if the person
that you are victimizing can dispute the bill with the proper
authority and have the charges easily removed).


(3) Thou shall NOT use other peoples Credit Card Numbers.
(although this falls under commandment number 2, this one
is especially important and worthy of its own seperate commandment!)
(Stealing credit card numbers is about as low as a data traveler
can get... Not to mention, that their is no technology involved
in this whatseoever, no technical mastery, anybody can dig through
the trash and obtain credit card numbers, thats not what data
traveling is about.)

(4) If it's in the trash...then it's public domain.
(Although technically garbage has to be out in the street for it
to be considered public domain, it is acceptable for a data
traveler to do a bit of creative trespass to go dumpster diving).
[one may take as many manuals, books, papers, or pieces of equiptment
from the trash as one likes. Hey, if its in the garbage, then its
not theft... [although the legal system might not see it that way.]

(5) Thou shall NEVER profit from ones misdeeds.
(Although its perfectly acceptable to sell your knowledge,
as that is the whole part of dissemination of information.
If one is stealing, he shall not sell his stolen goods, or
services to others.) [Selling illegal goods or services is
an even worse charge than obtaining the goods or services,
because not only does it put the other guy in jeapordy, but
it also looks worse, because you appear to be an organize
"gang" of techno criminals which prosecutors love to make
up fantasy stories about. PLUS Selling the goods or services
is yet another seperate legal charge to contend with,
you can be charged with "intent to sell illegal services" or
even worse with "Interstate trafficking of illegal goods or
services" (the latter is a federal crime (a felony also!!!)
"illegal goods" is now referred to as an "access device"
which includes credit card #'s, ATM Card #'s, Telephone
calling Card PIN #'s, etc...]

(6) Thou shall NOT commit treason.
(Should one find himself in possesion of sensitive government
material, one should not disseminate it to anyone. Nor should
one sell his findings to any foreign power, or non-US Citizen).
(One should take special care in storing this material, and
keep it in encrypted format only!)

(7) Thou shall NOT "rat-out" his partners, or fellow data travelers.
(This should quite possibly be on the top of the list, far too
often, a data traveler is caught wether on bogus or real charges,
and that person begins to "sing like a jay-bird" and name, names.)

(9) Thou shalt NOT engage in software piracy!
(H/P and Warez just dont mix, for the simple reason that it
just invites more trouble into your life.. If you should ever be
suspected for something, and the Secret Service obtains a warrant to
seize your computer equiptment, you can be sure that every single
electronic item in the house will go with them, along with every single
scrap of paper with something written on it and all of your computer
or science, and/or "alternative" books such as anarchy or politics),
They will literally look through every single file on your computer
system, and if you have any stolen software, your just inviting
trouble upon yourself! 90 percent of the time, when your stuff is
seized, they dont find bubkas other than a few phone numbers in
your dialing directory, and a few generic H/P files which you must
remember is NOT illegal so dont sweat it if they give you grief for
having H/P files, their just playing on your fears., but if you happen
to have warez, well then consider yourself in trouble, even though
you cant be arrested for warez under current law because its not
a criminal crime to have warez (despite what most people think) its
only a civil offense, of course that wont stop the federal agents
for railroading you on bogus charges that they know are not illegal,
but the secret service basically has a way of saying "hey fuck this
guys rights, by the time anybody figures out that what he's done is not
even a crime, he will have been in jail for 5 months awaiting trial"
(and thats the Secret Services way of harrasing you and its totally
legal! and is even considered an ethical way to harrass someone
and even destroy their life when they know they cant get the goods
on you, lest not forget that, you will never ever see your equiptment
again, or at the very least, dont expect it back within 2 years!).
<< and if you think I'm over exaggerating this in any way, I can
name over 20 cases off the top-of my head to back up those statements>>

(10) Thou shall NOT pretend to be someone else for the purpose of
misleading authorities and deliberately getting some innocent
person in trouble.


...................................................................
Different Types of Hackers:
...................................................................
(1) Beginning Hacker
(2) "Real" Hacker
[a] "Real" Hackers / Techno Enthusiast
[b] Hobbyists Casual/Curious Hacker
[c] Security Professionals
(3) Software Pirates
(4) Generic Scum & Thieves
[a] Industrial Spy's / Industrial Espionage
[b] Generic Petite Thieves
[c] Maliscious Hackers
...............................................
Description Of The Different Types Of Hackers
...............................................

(1) Beginning Hacker- First I shall give you the basic description
and mindset to help you understand, how people get into the
field of hacking. Although it all depends upon age... most
persons get interested in hacking through gaining access to
a computer bulletin board system that caters to talk of computer
hacking (these are known as "underground" BBS's although that is
somewhat of a misnomer.. They are not "underground".. they are
simply private boards which cater only to people who are
interested in various types of technology. Their are approximately
20,000 underground computer bulletin boards of various types in
the United States (You can quote that figure.. its pretty accurate).
Most people who decide to call an underground board are usually
persons who are very intelligent, and very very interested in not
just technology, but the way things work (or at least thats true for
hackers, but not for software pirates). On these underground boards
You DO NOT just find talk about computer hacking... thats not what
hacking is about.. You will find talk about technology in general,
how things work (NOT just computers, also telephone technology)..
Hackers basically like to figure out how things work, why they work,
and most importantly, what security holes are in the device, or
the system. You may ask yourself.. Why do they like to find holes
and flaws and glitches in systems? They must have evil intentions
of exploiting these holes.. That is absolutely false.. Hackers
seek to exploit weaknesses merely because it HAS to be done..
Technology must always progress, computers must always be made
better and faster, and the same goes for the software and security
systems.. As security holes are placed in the software by the
developers, the hackers mission is to find these holes, and let
everyone know (preferably through legitimate means such as writing
research papers on the topic) about these holes so that they can
be fixed.. In reality.. the only difference between a legitimate
hacker and a system admin or security consultant is that security
consultants get paid, and hackers do things for free.

* If you logon to an underground board, as I stated... Some of the
conversation might be construed as not exactly legitimate as I
have stated.. You have to be realistic in understanding that
hackers are not "evil".. Alot of them are just kids, and they
are immature.. that cant be helped... The basic fact has always
been that kids like to do things that are fun.. And when they
have a legitimate interest in things, they should not be
discouraged into doing what they like (studying technology).
It is up to the older board members, those that are more
knowledgeable, and have been doing things along time to subtly
guide the younger folks in the right direction.. (You would
be amazed at what influence the older more prestiogious users
have.. They carry alot of influence among the kids, and the kids
usually listen to everything that these older folks say.)
They key has always been to give these young kids (14-17) guidance
and morality lessons... They (the kids) have to be told the rules
of hacker ethics.. "This is what you can do", "this is what
you cant do".. You can study securty flaws all you want, but you
cant pirate software, you cant destroy anything, you should
always help the system administrator help fix his system, etc..

* After about 1 or 2 years of being a "beginner" and learning the
rules of the game... The person moves onto the next stage.. Where
this person goes in the next stage, all depends upon if this person
listened to the advice of his elders , and what he's interested
in doing.. Some people will choose to be software pirates, others
will chose to be hobby hackers, who just like to play around a bit
but arent all that serious, and then some people will move onto
professional hacking.. (the latter people are extremely serious
about technology and security matters, and they quite often go
on to become security consultants and sysadmins when their older.)

(2) "Real" Hacker
[a] Hobbyists Casual/Curious Hacker
A hobby hacker basically describes 95 percent of all hackers and
telephone phreaks [telephone phreaking is a whole other part of the
underground, and its filled with people who like to play with
telephones rather than computers..but we wont discuss that].
Basically a hobby hacker is everyone whos ever used a computer..
We've all had a hankering, just to play and explore a bit.. You
might be sitting down one night at your internet terminal and decide
to just see what sites you connect to just for the fun of it,
like trying to call up some national laboratories and see if they
have any good science files that you can anonymous FTP.. That is
basically all that hacking is about; exploring! Professional
hackers are a bit different of course... Most pro hackers are
not so much into exploring, but their into studying computer
security.. learning about operating systems, becoming more
proficient at UNIX, and learning how TCP/IP and the Internet works.

[b] "Real" Hackers / Techno Enthusiast
A professional hacker who is someone who is seriously obsessed with
security technology (NOT! just with computers, but also physical
type security, surveillance, communications security, cryptography
and codebreaking, industrial security, anti-shoplifting technology,
anti-theft technology, alarm systems, etc.. etc.., etc..)

These types of hackers literally dedicate most of their lives to
learning security and computers.. Not because they have evil
intentions to break into systems.. simply because they like what
they do. Just as any professional such as a scientists likes
what he does.

Their are basically 2 types of professional hackers:
(1) Profesional Hobby Hackers- Pro hobby hackers simply hack for
the fun and joy that the field of security brings to them.
Their not the least bit whatsoever in making any profit from
what their doing (and if they want to make a profit, they'll
do it legally by becoming a security consultant, etc..)

(2) Indutrial Thieves, spy's etc..- These people are obviously
undesirable scum that give hackers a bad name. These people
arent so much interested in the actual information that their
stealing off systems....basically these people will obtain
obtain information by whatever means possible, and will sell it
to either the highest bidder, or the person thats directing
their activities. Computer spy's in reality only make up
about .05 percent) of all of the hackers.

Lastly, I wont pretend that hackers are angels, they sometimes
step outside the bounds of where their allowed and quite
occasionally they'll trespass bit... But the realistic fact is
that legitimate hackers whos only interest is security will provide
an extreme asset to the electronic society.. These are the people
who are soely responsible for finding 90 percent of the security
flaws, and bringing it to everyones attention, so that it could
be fixed. You might be thinking to yourself, that its best
if nobody finds the security flaws... since if nobody knows about
them, then their wont be any problem... People who think that
are blisfully ignorant of reality.. You cannot just ignore a
problem (such as computer security flaws) and pretend that the
problem doesnt exist and that people wont epose those flaws,
because they will, either on accident, or on purpose. You will
find that the modern concensus nowadays among sysadmins is that
they actally welcome hackers almost with open arms so long as they
have honorable intentions in mind. System Admins are finally
realizing that you cant ignore or supress security flaws, and many
a System admins have been helped by friendly hackers who have taken
the time to write mail to the system admin telling him of his
systems vulnerabilities.


[c] Security Professionals- The last group of hackers are security
professionals. These are quite likely and usually are people who
were at one time computer hackers themselves, but matured a
bit, and decided to get a real job, and make money at this game.
Not much needs to be said, and we should put all hackers in a
bad light because as stated before, the only difference between
a hacker and a security professional, is that one gets payed
and the other doesnt.


(3) Software Pirates- Software pirates are a whole different breed of
computer underground people.. Hackers and software pirates are
as distant as America and Australia.. Although their both part
of the underground, both groups dont really care for each other.
Warez people like hackers, but hackers dont really care for
software pirates because their viewed as (1) Thieves, who have
nothing better to do than rip off software companies, and
(2) They posses little intelligence (or their acts require little
intelligence) as it doesnt take much brainpower to upload and
download files... Hackers view intelligence as a very important
tool, and they often get a bit arrogant towards people who may
not be quite so knowledgeable.

* I'd like to point out 1 facts at this point.
(1) Software Piracy technically is not even illegal!
Despite what everyone has been brainwashed into
believeing, the law very clearly states pertaining
to copyright infringement, that it is only a crime
IF you make a profit [or can potentially make a profit
of ($1,000 or over) from your crimes.]
This is exactly why video stores who sell bootleg copies
of pirated tapes are always getting arrested (especially
here on Long Island, check the NY Newsday archives.)
That also explains why out of the 15,000 pirate boards in
the United States... not once has any of them been raided
and more specifically the SysOps convicted. Provided that
the software that you provide is not sold and is given free
tham you are not commiting of crime..
Those cute little "FBI Warning" notices at the very beginning
of ALL videotape movies cleverly forget to mention the fact
that its not an actual crime to copy unless your make a
profit from said action.

* Coyright infringement however is a civil crime, and you
can be sued for possessing illegal copies of pirate software.
Most people however have still been deluded into believing
that software piracy is a crime because of what they read
on the Internet... Unfortunately, all the poeple that have
been feeding this line of bull are not lawyers, and probably
have never actually looked the law up.
In the past congress has tried many many times to add a
provision to the bill to make copyright infringement a crime
but it has failed simply because that would have most
massive implications.. If we were to arrest everyone who
had commited copyright infringement, we would have practically
arrested everyone in america.. I'm not just talking about
software.. I'm talking about all the 400 million people who
make photocopies from books (perhaps such as you while your
doing this very report!) Before you judge software pirates
too harshly, you should also take a look at yourself, and
ask yourself... While doing this research paper.. Did you copy
that library book? If so then you violated copyrigt laws..
Should we put you in jail for that?

* [ See the copy of U.S. Law that I have enclosed pertaining ]
[ to Coyright laws.... ]


(4) Generic Scum & Thieves
[a] Industrial/Military Spy's / Industrial Espionage- This is the
most fancifull of all fields as portrayed by the media..
The number of hackers who are actually Industrial thieves and
have money as a motive in mind are far less than 1 percent,
and the number of people who are military spies and are traitors
is actually far less; .0001 percent). Their have only been maybe
1 or 2 cases where a person was convicted of trying to steal
military computers,... and those people were not even americans,
[author note: read "The Cuckoos Egg"]
(although they were still hackers per se', the media often falsely
portays american kids as the perpetrators of these crimes.

Even when american kids manage to break into military computer
systems (as happens quite a bit...they have absolutely no intention
of selling the information to "the russians".. thats just utter
nonesense.. Kids just get a kick out of being smart, and being able
to defeat the United States government who has all these
multi-million dollar computers and security procedures.

[b] Generic Petite Thieves- Petty thieves should not be associated with
real hackers either.. Their are always going to be people who
steal, and it doesnt matter how you do it really, a thief is still
a thief, and these people dont deserve to be called hackers.
Examples of petty thieves are people who do credit card and calling
card scams...They generate fake credit card numbers using a special
computer program which comes up with valid numbers based on a
specifica algorith, or they rip off credit card receipts from
the trash at the local gas station, or they may even (but rarely)
break into computer systems such as TRW, and other systems that
maintain credit card numbers, and steal loads of valid numbers
and then they order stuff by catalog from the mail using those
credit card numbers. The newspaper often call these people hackers
but I hardly think that digging through the trash or using a
computer program to get valid CC numbers is hacking.

Their was a recent case in NY Newsday detailing the arrest of
3 brothers and 1 friend, who used a computer program to do
the aforementioned.


[c] Malischous Hackers- Maliscious people are a specific breed of
spitefull, hatefull person. These people are usually and quite
literally sociopaths who have no feelings of guilt after doing
something wrong and quite often they get a "kick" or "rush"
from doing something evil.

Examples of such people are persons who would gain access to
a system, and then erase all, or part of system files just
for the fun of it.. Another example are people who release
virii and trojan horses and worms WITH the intention of
these programs destroying or damaging computers.

NOTE: People who write virii, or trojans, or worms, are
not necessarily maliscious.. Writing virii is a extremely
legitimate field, and it is something that most people dont
even know is practiced by many professionals who study
different types of viruses, also not all viruses are "bad". Some
viruses are actually designed to help your computer, and they
possess AI (artifical intelligence) and will help maintain your
system (perhaps by cleaning up and archiving old files or
temporary files, etc..)
The key is... what a person intends to do with the virus once
he creates it. Objects(programs/guns) should never be viewed
as evil.... Its the people that use such objects for destruction
that are to blame.



----------------------------------------------------------------------
(2) A DESCRIPTION OF CRIMES THAT OCCUR ON THE INTERNET.
----------------------------------------------------------------------

---------------------------------
System Break-In Percentage Rate
---------------------------------
Educational Institutions (75%)
Internet Providers (22%)
Corporate Systems ( 2%)
Military Systems ( 1%)
---------------------------------
Actual "Crimes/Offenses" Commited
---------------------------------
Software Piracy (70%)
General Exploration (20%) [Approximate rough values based]
User Spoofing ( 5%) [on my experience as a hacker ]
Packet Sniffing ( 2%) [and as a security consultant ]
Industrial Espionage ( 2%) [dealing with industrial and ]
Viruses/Worms/Trojan Attacks( 1%) [corporate security matters. ]
Military Snooping [by hobby
hackers] ( 1%)
Military Espionage (.01%)
Packet Spoofing (.01%)
---------------------------------
Reading of Users E-Mail (15%)
---------------------------------


SOFTWARE PIRACY:
Warez makes up about 70 percent of all computer "crimes".
Software piracy [also referred to as warez] (the act of copying
software and distributing it to others so that they do not have
to pay for a copy) is the only true "crime" that occurs on the
internet. In fact it is very common, but it should be noted
that computer hackers DO NOT! steal software... that is NOT
what a computer hacker does... Software thieves are officially
referred to as "software pirates" or more informally in the
computer underground they may be called "warez dudes", and
they should not in any manner be associated with hackers.

[ In fact Hackers HATE software pirates because all their ]
[ interested in is ripping off software... Hackers are ]
[interested in learning everything they can and exploring!]

* The very first thing I need point out about software piracy.
While it is the most widespread "crime" on the Internet (or
even on local bulletin board systems)..... IT TECHNICALLY
IS NOT A CRIME! 95 percent of the people who run their
mouths off about illegal software and pirates, do not even
realize that software piracy is NOT an actual crime for which
you can be arrested for. (people have been arrested in the
past for this, but they were eventually released to the
embarresement of the prosecutor when the DA found out that its
not actually a crime)... Rather, software piracy is a
civil offense. Under current copyright laws, it is not
illegal to copy and/or distribute software or videotapes
unless you make a profit of $1,000 or more from your misdeeds.
You can however be sued by the software companies for making
copies of the tape without permission.

* Second, I would like to point out some rationale as to
why software pirates freely distribute software. Their is
alot of debate about software companies being rip-offs, and
over charging for worthless products, etc.. etc.. Hey,
everybody hates the software companies. (well some software
comapnies are bigger rip-offs than others...
The whole debate about getting back at software manufacturers
is a smokescreen.... It's just statements made by a few
immature people, who feel that they need to get back at these
software companies because they feel their being taken advantage
of..
The REAL reason pirates trade software, is the same reason,
that everyone else trades legal (shareware/freeware) software,
and its the same reason that their are 20,000 plus ANONYMOUS
FTP sites on the Internet. Basically, the whole purpose of
software piracy, is simply to share with each other. The
computer community is like no other community in the world.
People go out of their way to help other people. [hence thats
why I'm giving you this big article.. cause' I like helping and
sharing]. Sharing and helping is what the computer community
is all about. So while it may not exactly be ethical to
copy software, you should keep in mind, that when alot of people
do copy comercial software, they do not do it to be maliscious
bad guys... they simply do it, because they want to help the
other fellow out. Hey, face it.. this is reality.. we cant
all afford a $700 Word Processor which we need to do our
college term papers.

* We should not all be so hypocritical about things that we
dont understand. As stated, first off, its not even a crime,
therefore people have no right to run their mouths off about
these evil software pirates breaking the law, when in reality
their is no law against software piracy...
Wether their should be a law against them is another story,

Personally I say, it should be illegal, but facts are at the
current time, that its not.. The law is currently under review
and several senators have tried to proposed bills in congress
which would make copying software a misdemeanor, but attempts
at passing that bill have so far failed.

* As stated again, people need not to be so hypocritical.
These very same people who complain about software piracy
probably have an unregistered (illegal) cable box in their
home (it is estimated that their are 50,000 illegal cable boxes
in the NY area) so these very same people who complain about
computer network crime because they read some sleazy half-truth
newspaper article, conveniently overlook that they too are
commiting crimes.. Most everybody commits one form or crime
or another (and cable boxes are a perfect example.. So many
people have them, that it's not even viewed as a crime anymore).

|----------------------------------------------------------------|
| Software Piracy Statistics: (VERY ACCURATE FIGURES) |
|----------------------------------------------------------------|
|# of Pirate BBS's in NY State. | 300 BBS's |
|Value of Pirate Software in NY | 2,400,000 Dollars |
|----------------------------------------------------------------|
|# of Pirate BBS' in the U.S.A | 15,000 BBS's |
|Value of Pirate Software in USA | 120,000,000 Dollars |
|----------------------------------------------------------------|
|AVERAGE value of pirate software | Approx. 8,000 Dollars |
|on each BBS | on each BBS. |
|----------------------------------------------------------------|
|# of Pirate Sites on I-Net (U.S.)| 300 BBS's |
|Value of Pirate sftwr on I-Net | 1,200,000 Dollars |
|----------------------------------------------------------------|
|AVERAGE value of pirate software | Approx. 4,000 Dollars |
|on each Internet site | on each site. |
|----------------------------------------------------------------|

[You may quote these figures if you wish, as they are very]
[accurate.. I base my statistics on experience from having]
[been on most of the pirate boards in the past in NY. ]

* As you can see by the statistics which are quite accurate
in my opinion (at least as far as the number of actual
Pirate BBS's.... the $$$ figures for each board vary however
and its hard to calculate.. Some pirate boards only have
$2,000 in commercial software, others have close to $70,000!!

* THE MOST IMPORTANT NOTE THAT YOU SHOULD MAKE.... is the fact
that pirate software is almost non-existant on the Internet
when compared to private dial-up BBS's... The whole song and
dance about the Internet being a breeding ground for pirate
software is the biggest farce (or outright lie) ever to be told.
When you compare the statistics, you will note that the Internet
only has approximately 1 percent of the pirate software.. the
other 99 percent are on private BBS's. In addition, Internet
pirate sites have much less pirate software on the systems.
Internet pirate sites rarely have more than $4,000 worth of
software on each site, and these sites close down nearly
as soon as they go up.. While on private (dial-up) BBS's
the avarege amount of software ranges from $7,000 to $70,000!

* [ See the copy of United States law that I enclosed at the ]
[ lower portion of this article, stating copyright laws... ]



GENERAL EXPLORATION:
Hobby hackers are responsible for the largest amount of hobby
hacking which makes up about 20 percent of all computer "crime".
Hobby hackers includes about every user who has used the
Internet.. Many of us have sit down at our Internet terminal
server and were bored and wanted to find some new stuff to
read, or satisfy our curiosity so we started telnetting and
FTP'ing to various sites, such as military, government, and
national labs, and educational institutions, etc.. Even with sites
that have anonymous FTP logins, it is still considered a form
of hacking since your intent is to explore and look around, and
learn which by the definition of the dictionary is exactly
what hacking is.

* Common sites for hobby hackers to explore are educational
institutions, many people will call up as many colleges as
they can and see what they can get for files, or if they can
get in, people also commonly call government sites, many
of which have anonymous FTP but hobby hackers occasionally like
to see if they can get into any hidden directories so that they
can get at the good stuff. (which they rarely ever find, its
moreover the curiosity that is the exciting part!)

* Other common sites are military bases, and command centers.
Many have anonymous logons, so that other branch members can
call the system with as little hassle as possible. Hackers often
explore these systems, and almost never find anything of interest
except a bunch of boring military junk which is almost worthless
unless your in the military. Most "hackers" logon, search files
and logoff seeing that theirs nothing their but beurocratic bubkas.


MILITARY GENERIC SNOOPING:
Hobby and casual hackers breaking into military sites (or simply
trying to FTP into them) makes up less than 1 percent of all
computer "crimes". This isnt military espionage, nor is it
hacking.. 95 percent of the time, this so called crime
consists of a 14 or 15 year old playing with the Internet
seeing if he can conect to any "cool" sites so that he can
play with the information. ALSO 99 percent of military sites
are not clasified, and anyone who thinks that a 15 year old can
hack in and get classified information is a stupid fool has
been brainwashed by the media. I was in the military and I'm
well aware of the security procedures required on computer sites,
and I have personally witnessed such "break-ins" by kids, while
in the course of my work in the Navy.. 99 percent of the time,
the kids login, check the directories, read a file or 2, see
that all this military stuff is actually very boring, and they'll
logout no harm done.

* System admins at military sites could care less about these
casual intrusions... It happens all the time, and they realize
that most of the time, its just people trying to find some
interesting files by FTP.. The only time that sysadmins get worried
is when hobby hackers start doing dial-throughs and connecting
via telnet or ftp to other military sites and start searching for
keyword files. Of course hobby hackers never find any classified
info because it is not on standard military dial-in systems, it
is on a very secured and seperate server at the site, sometimes
only accessible locally.


USER SPOOFING:
User spoofing is the third most common "crime" among hackers
and makes up about 5 percent of all "crimes".
User spoofing falls into the realm of hobby hacking, but is
a bit more devious and can performed by pro hackers as well
as maliscious hackers. User spoofing in itself is actually
pretty serious, but it all depends upon what the hackers
intent is when spoofing.

* User spoofing is when a hacker uses another persons account
by obtaining a users password through various means.

* User spoofing is commonly practiced and is touted by amateur
hackers as away of showing how weak most UNIX and Internet
systems are. It is a piece of cake to obtain users passwords
on almost all UNIX systems with poor security.
How is it done? Simply by downloading the password file
which in UNIX is a publicly available document that most
sysadmins dont "shadow" like their supposed to.

* The users passwords however are not in "cleartext", they are
encrypted with a one-way-hash algorithm known as Crypt(3)
which uses DES. The hackers then run a special commonly
available program that will "crack" these one-way-hashed (encrypted)
passwords, and they'll come up with valid users passwords
provided that the passwords are in the dictionary. Random
passwords cant be "cracked".. Usually an attack like this would
yield 20 - 30 percent of the passwords for all the users!
On a large system, you could very well obtain 200 passwords!
I recently was testing the security on my host system, and
I was able to crack over 275 passwords for 275 different users.

* User Spoofing is usually not meant to do any harm, alot of times,
hobby hackers will only obtain the password lists simply to prove
that a site is vulnerable. Occasionally these password lists
may get distrubuted among the computer underground, or may
even get distributed to the sysadmin himself, or to everyones
mailbox. Hobby hackers do this, as a way to get everyones
attention, and to say.. "Wake up.. this system is NOT secured"
"your account and your privacy can very well be in danger".
When you see your user_name and password in a cracked password
file in your mailbox, or posted on the system, you can be damned
sure that you'll get one big wake-up call, and you'll instantly
realize just how important computer security and choosing good
passwords are. Too many people neglect this fact, and it is
these ignorant people who's accounts get violated by devious
people. If not for the effeorts of the good/decent hackers
making everyone aware that the system has poor security, you
could very well have been a victim of a hack attack.

* A pro hacker may use another persons account with somewhat
honorable intentions so long as he only uses that account
to perform his security cracking. It is never acceptable
to snoop around in the other persons account, running up a
bill (if their is one) or by reading personal e-mail, thats
despicable and no real cracker would ever do that. It is
generally frowned upon to use somebodies account unless you
absolutely have to in order to test security.. A pro hacker
testing security, will not use a persons account, just for
the sake of having a free account.

* General Hobbyist hacker is actually more likely to be more
nosy and maybe read your e-mail, but thats up to the
ethics of that person. Most hobby hackers will simply logon
to see if they really hacked your account, then will logout,
they really dont care about you or your account and mean no
harm.

* Maliscious hackers... Their are a few maliscious hackers who
have the intent to use your account without your permission
so that they can do evil things such as run up your bill,
destroy your files, read your personal mail, leave you
nasty notes claimng that youve been hacked, upload virri, etc..
These scumbags are extremely rare and make up only about .05
percent if not less of all the accounts that are hacked.

* If you want to try this out on your system for research
purposes (and I will point out that this is PERFECTLY
LEGITIMATE! as the password files are SUPPOSE to be publicly
available, so you cant get in trouble..)

At the C shell prompt (%); or Borne/Korne prompt (@) type:

% cd /etc
/etc
% cat passwd | more

OR
% cd /etc
/etc
% ypcat passwd | more


By typing in either set of commands (try both on your system,
as one of them might not work, it all depends upon the type
of unix system that you have), you will see a list of users
"encrypted" passwords be spewed out.


SYSTEM CRACKING: (Real/Hobby Hackers / Security Professionals)
System cracking goes a bit beyond hobby hacking, and may although
not necessarily may include a bit of creative trespass.. Most often
system crackers dont need to logon to other systems. Most of the
time (approx: 90 percent) they have legitimate access to the system
but seek to explore it, to get to know UNIX commands or VMS, or
Multics commands better, etc.. as well as the directories, and
how the O/S works.. UNIX isnt at all like DOS... Its alot more
complex, and many people are fascinated with it. Most people
including hobby hackers will quite often try to expose the
various security flaws in the system, merely for the fact that
it helps them understand the system better. It does not imply
that they have evil intentions. Learning about a system is perfectly
legitimate, so long as you have authorized access to that system.
Theirs the old saying of: "why does man climb a mountain... because
its their".. Why do people find security holes? Because their
their, and that is simply that! Without these security holes being
discovered, technology would never progress, and we would
proverbially be stuck in the dark ages..

* Admittedly system administrators do not always like it when their
users try to gain unauthorized priveledges, most of the time
these system admins are extremely insecure, and it is probably
these systems need to be tested for security weaknesses because
the sysadmins is that afraid. It is never the answer for a
SysAmdin to turn a blind eye to security holes and pretend that
they dont exist.. Not dealing with the situations never solves
anything.

* As for the ethics of cracking a system... that is of course
very debateable, and depends on a wide variety of factors.

If you have access to a system legally, and it is a "public"
system, or a system which you are paying for, you should have
every right to explore it, as far as you can without going
past the line of exploring. If you are paying $20 to $50 per
month for an Internet account, then you have every right to use
that Internet providers system any way you see fit. (most I-net
providers do not have any legal disclaimers which says you cant
use the system for this and that, etc..) their is no rule or
law that say's that you have to use your internet account simply
for Internet purposes such as Telnet, FTP, Newsgroups, etc.. if
you simply want to learn UNIX, and explore the various directories
and commands on that Internet providers system, than you have
every right to do so as your paying for the system usage. You
also have every right to find security holes and glitches on
your internet account, so long as your not using anyone elses
account.. That is definately within your right, and that is what
hacking is about... Its a learning experience, and it is totally
legal!

It is also very common to ask a system administrators permission
to hack. Most will grant your wish with great amusement, thinking
that this user will never be able to crack his security.

If you dont have access to a system, such as you dial into the
system via dial-in, telnet, telenet, ftp, tymnet, milnet, mitrenet
,sypernet, internet, etc.. and attempt to hack the system, then
that is a different story. At the very least, it is trespass,
a minor nuisance, but if a hacker gets in, and takes proprietary
information, then that should raise some concern, as no one wants
to have their private system (and privacy violated).

THE BIGGEST FACTOR in hacking and in great debate among most hackers
is when is it permissible to hack, or should I say, what systems
is it ethical for you to hack...

Their are 5 main types of systems:
(1) Private BBS, etc (individual owned)
(2) Corporate
(3) University/College
(4) Government/State/Federal/Town/etc..
(5) Military

[1] Almost all but the sleaziest of people will admit that
hacking into a private computer is quite unscrupulous.
This is just something you dont do... This is a persons
private computer, with private files, and private thoughts
and ideas, and proprietary data. Its not ethical to
be a snoop.

[2] Corporate, this is a very debateable area.. Corporate
systems are usually thought of as fair game... Many hackers
feel its unethical to hack into corporate computers as
they are private in terms of its a private business and
you have no right to be in their system, plus most hackers
dont enter corporate systems because they dont want to
be branded with the stereotype of being a sleazy industrial
thief. (although just entering a corporate computer
doesnt make you an industral thief so long as your sole
purpose is to just crack security, and not take any
information, or more importantly, NOT to sell it).

Some corporate systems are fair game, especially the
big mega-companies that everyone hates.. The ones that bring
in 200 million dollars per day. Very few people have
sympathy for these robber barron companies, (nor do I).

[3] Universities and Colleges are definately fair game to
any hacker. As far as the hacker community is concerned
colleges are public domain,... hell we pay taxes..My
tax dollars help to support that college therefore the
info on that system is open to public record.

[4] Government/StateAgency/Town computers etc.. are likewise
game/fair target... although perhaps not as much as the
colleges... Colleges should be free repositories of
information, but state/government computer systems do need
their privacy. Personally, my feeling and shared by many
people, is that we pay taxes, and these are public systems
which we feel we have a right to use as taxpayers.
I am not saying that we have a right to steal all the
information, and sell it, or disclose private/secret
government or town records, but simply to use or explore
the system, and even to test its security, and all info
obtained should be kept private by that individual.

[5] Military systems; another target of casual and pro
hackers. Normally people feel it is best to stay out
of military ststems, but that is only out of fear of
government reprisal. Most people feel that military systems
are public domain, and I feel very strongly about this
also.. My tax dollars help pay for all these wonderfull
supercomputers, and super government databases, and I
should have a right to use said systems, or at least
check them out or test security. So long as all information
obtain is kept private and not released, then your commiting
no real crime (or none that should be a crime).


INDUSTRIAL ESPIONAGE:
Industrial Espionage is the act of stealing or copying corporate
secrets such as software, source code, plans, diagrams,
prototype, models, thesis papers, research papers, etc..
with the intention of selling said stuff for profit.
Simply getting the aforementioned items from a computer
system does not constitute Industrial Espionage... you
must have the intent to sell the items. Simply taking
the information for your own benefit is simply stealing.

Less than 2 percent of all computer crimes includes
Industrial espionage.. The fact is that real Industrial
espionage does not involve computers or hackers at all.
It involes current or ex-employees who steal their own
companies secrets and sell it the competition or the
highest bidder. [case example: IBM and the Adirondack
books...etc.. etc..]

Breaking down the topic of Industrial Espionage further
you will find that only 2-5 percent of said espionage
is commited by computers, the remaining 95-98percent are
by employees. [those stats are from my experience as a
security consultant, and through various trade papers].


VIRUS/WORMS/LOGIC BOMBS/TROJANS:
VIRUSES-
* Viruses, worms, and trojans are actually quite a rare
occurence on the Internet. This topic is greatly hyped
up by the media and is severaly blow out of proportion.
Viruses however are a problem on private dial-up BBS's
and make up about 95 percent of the worlds viruses.

* Although most viruses start out being on the Internet
and are passed around legitimately among virii developers
and they often originate from other cuontries and are FTP'ed
into sites in this country, the viruses are rarely activated
so to speak in the Internet. People on the Internet seem to
be a bit smarter than those in the private BBS world, and
they realize that virii are bad if spread.

The second most famous internet case was the Pakistani Brain
virus that spread rapidly throughout the Internet in 1989.
Program was developed by 2 engineering students in Pakistan
and was sent over the Internet to america. The authors of
this program actually meant no harm, and they even had
their name right inside the virus, and it had a message
which stated contact us for instructions on how to de-activate
this virii. Apparently, this was some sort of experimental
virus that was released but was not supposed to cause any
damage, but apparemtly the programmers made a slight error
that made the virus a bit more dangerous than intended.


WORMS-
Their have only been 5 or 6 major cases of a virus being
spread rapidly among the Internet. The most infamous
of all (but by far NOT the most damaging, just the most
hyped up by the media) was the "Internet Worm" worm
created by Robert T. Morris; Son of Bob Morris who worked
for Bell Labs, and then later the NSA. Rober T. Morris
was obviously caught (thusly we know his name) because
he placed his initials into the virus source code
(although his initials didnt actually display.. a developer
had to dissasemble the machine language program into
assembler and then would find out how the program worked.)

This worm possessed a bit of intelligence, and was actually
able to crack into computer systems by using the SENDMAIL
flaw, and the unshadowed passwords technique, to crack the
accounts of legitimate users.

Robert T. Morris was caught by being tracked down through
the network. It wasnt easy, but he was traced through various
computer systems, to see who the original sender of the
file was. The trace came back to an account of Morris's
friend. Apparently Morris borrowed his friend account
to release the thing. Originally it was supposed to be
a legitmate experiment and the worm was only supposed to
expose security flaws in systems, and enter those systems to
prove their vulnerability, but it went a bit beyone that
to the point of mischiev to the point where the programmer
realized that the worm was much more powerfull than originally
intended. That is one of the major problems with viruses.
Originally their created as harmless experiments, then when
their released, their more powerfull than the author realized,
so much that their out of control and spread rapidly.

This worm was originally claimed to have cost Hundreds
of Millions of dollars in damage, but after several years
when the real facts came out after the media got its filthy
hands out of the situation, the real facts were that only
$50,000 in damage was caused. Most of the damage was not
even physical, but merely lost time and manpower.


LOGIC BOMBS-
Logic Bombs are the same as viruses, but the only difference
is that logic bombs have a trigger mechanism, and only activate
when the trigger is activated. The trigger can be anything, and
is up to the authors imagination. A device can trigger on a
ceartain day such as a holiday, it can activate when you turn
your computer exactly X amount of times, or X amount of times
within a ceartain period of time, etc.. etc.. the possibilities
of trigger mechanisms are endless. One can even make a logic
bomb that will shut the program down if the program is an
illegal pirated copy, or if the program wasnt fully payed for.
An example of a logic bomb may be set by a ex-employee,
perhaps disgruntled. He could set a logic bomb in a computer
to activate on a ceartain day, and the bomb could modify
the business accounting and give everybody a nice $10,000
bonus. Their was even a recent case of a software developer
who routinely placed legitimate logic bombs in his custom
developed software which he wrote especially for the company
that he was working for. If the companies decided to rip
this developer off and be cheapskate deadbeats by not paying
the bill in full to the developer, then the logic bomb would
activate and shut the system down permanently with a message
that says something to the effect of: "Pay me my money you
stinkin' deadbeat or you dont get to use my software".
Personally, I feel that the latter is an example of a
legitimate virus that developers should be allowed to
install to protect their interests.

TROJAN HORSES-
Trojan horses are very much as their name implies. If your
familiar with greek mythology, of the horse that had a
hidden suprise, well the same applies here. A trojan horse
is a program which appears legitimate and may interact with
the user but holds a hidden surprise. Usually Trojan horses
are totally harmless (usually) and are used very often by
hackers to penetrate security. An example of a trojan
horse for hacking, is a program that looks like a normal
login computer screen where you type in your name and
password. This program will load up before the real
login program and will ask the user for his username and
password, it will then store these passwords in a logfile
which only the hacker knows about. After the program collects
your password, it will usually give you a phony messages
such as "wrong password", "password incorrect", etc.. and
most people will simply think that they typed in the
wrong password by accident. The trojan then shuts down and
activated the teal login program, and the user logs in
again, and nobody is the wiser.



DATA INTERCEPTION:
Data interception is an advanced form of surveillance, as well
as a method of advanced hacking depending upon the intended
application. Data interception is the process of tapping into
a line, wether it be a telephone line, or a LAN/WAN or internet
connecting, and filtering out a specific intended piece of data
wether it be voice, fax, modem communications, or data packets.

* Using data interception, a hacker may gain system passwords
by observing what the target types into his computer and what
gets transmitted over the line, or he may intercept a whole
data packet with the intent to steal that information, as it
may have a ceartain value. It could be the latest corporate
financial secrets, corporate technical secrets, private e-mail,
files, manuals, anything!!

* A slightly more devious approach might entail intercepting data,
and modifying it with bogus information, then retransmitting it,
with the intent to deceive the receiver. This is why kerberos
authentification, smart cards, and other forms of authentifucation
and verification are necessary.

PACKET SNIFFING:
Packet sniffing is very similar to "data interception", however
the term is slightly more refined, and refers strictly to
intercepting computer data packets over various kinds of networks.
This packet sniffing can search for key words that may interest
the perpetrator, wether it be information, or passwords, or ID Codes.

* In order to packet sniff, a user uploads a special program written
in a low-level language which accesses the computers memory,
buffers, etc.. and searches for key words. An example of a few
packet sniffing programs are: NETFIND, ETHERSNIFF, NFSWATCH,
SNOOP, LanPatrol, NETMON, ETHLOAD, ETHERMAN, and ETHERFIND.


PACKET SPOOFING:
Packet spoofing is one of the most advanced forms of hacking.
Packet spoofing is related to the 2 aforementioned topics
;"data interception", and "packet sniffing". Packet spoofing is
the actual process of intercepting and/or re-routing a data packet
from a network, and then either:

[a] pretending to be the authorized user (the sender) by dropping
into the data transfer in real time, using the senders real
authentification or identification information, then logging
into a system under the victims account.
[b] actally their are many advanced forms of packet spoofing, each
with a slightly different purpose. On the Internet, packet
spoofing is known as "TCP/IP" or "IP" spoofing, which is named
after the Internet Protocol standard used by the entire internet
system. LAN spoofing uses slightly different protocols for
tapping and spoofing data.

PIGGYBACK ENTRY:
Piggyback entry is the process of entering into the account of
another legitimate authorized user, while they are way from their
terminal. This can be done either remotely, via data tapping into
the LAN connection and identifying the users port connection, then
using the account while the authorized user is away from his terminal,
or can be done at the actual terminal where the user is seated.
One should never walk away from a computer terminal without either
suspending the account so that it cant be activated by a snoopy
user walking by the terminal (many LAN programs have temporary
lock-out software) which let you take a cofee break while still
remaining logged in... or the best solution is simply to hang up
and re-establish the connection at a later time when you are
back at your terminal.

MILITARY ESPIONAGE:
Military espionage is quite often carried out by the very people
who are entrusted by these agencies to keep this information secret.
Case after case can be documented throughout the years of how
government employees have stolen top-secret information and sold
it to foreign powers (usually the russions). 3 cases in point
(1) The Ames case, a top ranking CIA official gets nabbed
stealing government secrets and selling them to the russions.
(2) The theft of nuclear secrets which were sold to Russia during
the mid 1950's. I believe that was known as the "Roswell" case.
(3) Various CIA & NSA employees over the past 50 years have been
arrested for espionage. Of course these cases were discreetly
hushed up so very few people ever learn about them.
The NSA and other government agencies should stop crying
"hacker", and they should worry about their own affairs,
and keeping their employees from turning traitor.



READING OF USERS E-MAIL:
One of the most unethical acts in the world of computer
networks is not done by that of a hacker, or software pirate
but rather that of a "friendly" System Administrator.
System Admins have long been notorious for totally disregarding
the privacy rights of the system users and routinely read all
of the users personal electronic mail. While it is stated on
most systems; that the e-mail is not actually private, and
system admins have occasion to enter e-mail if it is justified
in the case of maintaing the system, but all too often (95% of
the time) system admins just read through the users mail for the
hell of it. I have worked for several commercial bulletin board
systems, and internet providers in the past, as well as for
several major companies, and I can say from experience that this
massive invasion of personal privacy is far too common.



----------------------------------------------------------------------
(3) METHODS USED TO DETER SNOOPERS.
----------------------------------------------------------------------

[a] ISOLATION- The best way to deter snoopers, theives, hackers,
telephone phreaks, curious passer-byes, etc.. has always been
to implement a policy of isolationism on a computer network,
wheras the computer network is not physically connected to
the outside world, that way no one can get into the system.
And even if the computer system has a line connecting to the
outside world, it should only allow outgoing calls, or if the
transmission is allowed both ways, then only 1 or 2 incoming
lines (nodes/ports) should be used, and both should be closely
monitored.

* The practice of isolationism was practiced quite succesfully
for several decades by high-level military bases, nuclear
weapons labs and facilities (lawrence livermore national labs,
rocky flats nuclear procesing facility, and even the NSA to
a small extent, etc..). While network isolation proved quite
succesful in keeping people out, it unfortunately did not provide
any realy protecting other than as a placebo to make people feel
better. The real hard facts are that a network is only as secured
as its users, and in 98 percent of the documented cases the
perpetrators were NOT computer hackers, but an "inside man".

* Isolationism is a dead technology now. It still remains among
the best at keeping out intruders, but in todays modern society
where the entire government is entirely networked (or it will
be totally networked down to every last agency within the next
10 years), isolationism is just not a realistic practice.. These
government agencies have grown too big, and they can no longer
do things the old fashion way (that being to securely transport
documents by paper using snail mail (postal mail). The same goes
with corporations, and scientific laboratories.

* "The general concensus nowadays is that the benefits of isolationism
are far outweighed by the convenience and vast amounts of information
that can be gotten by networking".


[b] ENCRYPTION- Encryption is the process of taking computer data
and converting that data into a code that can only be read by
the intended recipients who possess the key to that code.

* Encryption has been used for hundreds of years by private
individuals to protect their communications with near 100
percent secrecy. However, the U.S. government (read: the NSA
and primarily the FBI) are trying to outlaw the right to
privacy by banning encryption. However, I wont get into
this subject as it strays more into poitics than discussion
of hackers and computer security.

* Of all the forms of computer security, encryption has proven
to be the most succesfull. Their are 2 types of data encryption.
(1) Hardware encryption..(2) Software encryption.
[1] Sardware encrytors are expensive high speed devices which
can encrypt voice, fax, or modem communications. These
hardware encryptors are often utilized in high security
situations such as in banks, as well as government and
military use. These hardware devices are "hands" off devices.
The user need not touch the device, it works all by itself.
These devices however, are out of the price range of ordinary
citizens and cost in excess of $2,500 - $20,000. In addition
the NSA has placed strict regulations on the selling and
use of hardware encryptors (even to american citizens).

[2] Software encryption is freely available, and unlike hardware
encryptors, american citizens are allowed to use any system
that they choose too. (however under State Dept. ITAR Regulations
you cannot legally export cryptographic products without a
permit) [with the exception of the DES algorithm which you may
export to Canada]. Software encryptors can be used to encrypt
your e-mail, computer files, secret proprietary documents,
even your entire hard drive can be encrypted, software
encryption can also be used to encode computer data in
"real-time" such as conversations by modem (although a hardware
encryptor is more suitable for that because it is faster).

* Software encryption can also be used to protect computer
systems by providing various forms of "authentication and
verification". [which will be described later in this article].

* It should also be noted that the government (read: NSA) has
developed a system by which they rate encryption devices,
and american citizens are not allowed to own encryption
hardware that is too "powerfull". The classes are as follows:

Type 1: Military Grade encryption for government, military
use ONLY. (Canadian military may also use type 1
devices, as well as defense contractors who do
classifed govt/military work).
Type 2: These devices may be used by local law-enforcement.
Type 3: These devices may be used by ordinary citizens.
Type 4: Export version. Type 4 encryptors may be sold to Canada.

* Unfortunately, at the current time... Encryption is not a realistic
approach to computer security. The cost of quality encryptors is
beyond that of ordinary citizens, and the software methods of
encryption are not suitable for professional applications such as
protecting a network in "real time". The only real use of software
encryption right now, is to encrypt e-mail to keep it secret from
the prying nosy eyes of the system administrators.

* The following institutions rely VERY heavily on cryptographic
quality hardware to protect themselves from hackers and/or
thieves or spies.
[1] Banking or Money Institutions rely extremely heavily
on encryption hardware. Things such as ATM transactions,
and EFT's (Electronic Fund Transfers) are sent encrypted
via sattelite, leased lines, and especially the TYMNET
computer network (which is as big as the Internet, just
not as well known). Advanced hackers have often sought the
challenge of trying to defeat the complex EFT schemes used
in the old days for the sole purpose of advancing security.
Thanks to the efforts of these hackers, banking institutions
are a bit wiser nowadays and encrypt most all EFT data.

[2] Military and Government are really the only other heavy
users of cryptographic hardware. The reason that the
aforementioned use encryption is quite obvious.

[3] Defense Contractors that do classified government work
and have government contractors quite often also use
encryption hardware to foil information thieves, and
industrial espionage.

[c] COMPARTMENTILIZATION- Compartmentilization is an advanced method
of securing a workplace. It is often used in situations where
high level confidential information is present such as in
the CIA and NSA where classified information flows through
different departments. Major "Fortune 500" companies are also
utilizing compartmentilization to prevent Industrial Espionage.

* Compartmentilization is a combination of 3 techniques.
[a] All persons should be properly trained, and are given
detailed guidlines, manuals, as well as occasionally
take brainwashing classes where they are fed various
forms of propaganda regarding that all of the secrets
(wether they be governmental or corporate) should be
guarded with their life, and should never be stolen,
or copied without permission. Work should never be
taken home. Your line of work, or the latest corporate
strategy should not be discussed with anyone including
your spouse and family and especially your not supposed
to discuss work with your co-workers (from other divisions).
The purpose is to keep any one person from knowing
the "master plan" (so to speak) each division goes about
its business and performs its work, and each division
does not discuss work or plans with the other divisions.
Only a few high level individuals will know the overall
plan.

[b] All paperwork should be strictly kept in the appropriate
departments and should not drift between each dep't.

[c] All computer data should be compartmentalized as much as
possible. The computer should be broken up into groups
wheras each dept can only access the information from their
group. Only high level gov't/corporate officials can gain
access to the overall records of each dept.
Normally, each department has its own seperate disk space
(different departments should NEVER share the same disk).
and in a really secured situation, each dep't may be on a
totally seperate computer system.


[d] FIREWALLS- Firewalls are pieces of software that a system admin
places on his computer network which help to close up all
the backdoors, and to cover all the exits so to speak so
that hackers cannot get into a system by exposing flaws.

* A firewall gets its name from the very principle of an
actual firewall. A real firewall is kind of like a wall
outside of a wall, which keeps the fire from entering the
inner wall (or the hacker from entering the inner system).
A firewall can also be analogized as a front porch.. A
stranger can walk up to your front porch, and knock on your
door but unless he meets ceartain requirments, hes not going
to get into the inner system.

* A firewall is a program that you must enter, and should meet
ceartain requirements (by being positively identified) before
you can enter the actual computer system. Being identified
is known as "authentifications" and is actually a whole
seperate process not necessarily related to firewalls, but the
two techniques combined together provide powerfull security.

* A firewall, can actually let you partially into the system
wheras you would be between the firewall and the inner system,
and you may do things such as anonymous FTP in a very restricted
enviroment, which insures that you only transfer files, and dont
try anything else tricky, like d/l'ing the users password file.

* The firewall monitors very closely ceartain system activities.
the firewall program lets you enter the "front porch" of the
computer... from that point you can execute a limited amount
of restricted commands. [such as FTP and telnet commands]
Hackers often exploit the "front porch" of a computer to gain
access to a system. Thusly the firewall keeps an eye on all
people and monitors them to make sure that their not up to any
"monkey business".. The firewall has special "filters" which
will strip out ceartain data that the user may be uploading to
the system in order to hack the system.

Some of the things that a firewall may look for are:

[a] Entering the system through restricted ports.
[b] Writing and executing script files.
[c] Uploading "trojan horses" or source code.
[d] Trying to execute programs on the system.
[e] Manipulating packet headers.
[f] Uploading smart bombs.

* Some popular firewall programs are: BSD and SunO/S firewall,
SIDEWINDER, NETCOM-1,
DE Firewall Service,
and TIS's Gauntlet Firewall.

[e] WATCHWORD GENERATORS- A WatchWord Generator is a special program
that a system administrator adds onto his computer system to
make it very secured, and also to defeat various hack attempts
by methods such as spoofing and packet sniffing.

* A watchword generator is a program that consists of 2 parts.
(1) A totally unique code book is given to every user and contains
thousands of possible code combinations.
(2) A watchword generation utility.

* The way the program works is as follows:
A user logs onto a system. He is prompted for his Login
name, and for his usual password. If both are correct
then the watchword generator activates and prompts the
user with a "challenge:" prompt.. The challenge prompt
has a 4-8 digit seemingly random selection of characters.
The user then must look in his code book, and observe
ceartain patters in his book. He then obtains a "reponse"
code from the book, and he enters in his response at the
"response:" prompt. If the response is correct then,
the user is verified as the authentic user and is allowed
to logon. (if not then the system will promt for a
challenge/response pair 2 more times then will hang up on
the user if he fails). The challenge/response is
totally different every single time, so only the authorized
user with the codebook, can verify himself by entering in
the proper response. (every code book is unique so merely
possesing a code book will not grant you access to the system,
you must possess the specific codebook for that user who
you are trying to spoof.)
This protects against an intruder logging onto the system
using your password (should he be able to steal it via
one method or another). The NSA and the NCSC (National
Computer Security Center) use such a scheme to protect
their DOCKMASTER computer system.

* WatchWord authenticators are insecure insofaras that if your
code book is stolen then the authentification is useless
as the attacker will be able to logon to the system under
your account (provided that he also has your actual password).
This is not really a vulnerability though, because the same
applies true for any system.

* Actually their are a variety of different types of WatchWord
generator systems, and each one works a little different.
Some have huge code books, others have small tables that you
do a calculation on, etc.. But thats the basic idea.


[f] AUTHENTIFICATION AND VERIFICATION:

SMART CARDS- These are devices that insure authentification and
verification, and effectively positively ID a user as the actual
authorized individual and not an imposter who may have dropped
onto the line by wiretapping, packet sniffing, or spoofing.

* A "smart card" is a cryptographically secured electronic device
that contains various types of cryptosystems, that are exchanged
between the two recipients. Only the person in posession of
the smart card can transfer data to the recipient. If a hacker/
intruder/anyone breaks into a conversation, cuts one of the lines
off, and tries to pretend that he is the other party, the smart
card system will realize that the hacker is not the actual
other recipient because the proper authentication codes are not
being transmitted.

* Smart cards, are usually the size of an ordinary credit card,
and have a tiny integrated circuit (microchip) with a crypto-
graphic algorithm and a key (secret unique password) built into
it. The smart card algorithm is usually of the public key (SEEK,RSA)
type along with a secret key algorithm, usually IDEA or DES).

* The smart card usually fits into a special card reader along
side the computer. The smart card doesnt use a magnetic strip
like regular credit cards, rather it has a microchip along with
a seres of pinouts (card edge connecter) that slides into
contacts in the smart card reader.

* Their are 2 kinds of authentification schemes:

[1] The card can simply be used as an access device that
verifies that you are the actual intended user. Once you
are verified you are allowed to logon. This type of
device is very similar to a WatchWord generator, only
instead of a code book you have a smart card which generates
the proper identification for you automatically once you
enter the smart card into the reader.
The problem with this method is its insecurity. While it works
great on a single user computer to let you gain access to
just one computer. You are highly vulnerable on a networked
system such as a LAN or WAN (or even on the Internet).
The problem with this method, is that after you are verified
as the authentic user, a hacker could tap into the line
using packet sniffing software, and could sieze your line up
and then continue the conversation with the host, and the
hacker could pretend as if they were you.

[2] The more advanced smart cards are interactive devices that
insure authentication nearly the entire time that you are
on-line. In this scheme, an initial public cryptographic
key is exchanged between the user and server. Upon which
a secret key is exchanged. After the initial handshaking
and key exchanege protocols, the session of data transfer
between the 2 recipients begins. The smart card encodes
an encrypted ID# onto the data packet and as that data
packet is received by the other recipient, the verification
software and smart card verify the authenticity of the
received packet to make sure that it was sent by the
intended user and not by an imposter who has broken into the
line and may be trying to spoof the other user. The second
recipient then takes the approved code, and generates another
encrypted ID# based on the first received code, and attaches
it to a data packet which is routed through the network, and
the other recipients software and smart card then verify the
validity of the received packet, and the process continues
back and forth until the session is over. To simplify the
whole thing. Basically, the ID#'s are encrypted and placed
into the control packets, and a hacker could not realistically
crack the encryption scheme and spoof (pretend to be) the other
user.

KERBEROS AUTHENTIFICATION- Kerberos authentification is a popular
modern system to insure the ID of a user to a fair degree.
It is not an ultra-secured system, and has many flaws, but
it is currently coming into widespread use as a means to
secure the Internet. Although, kerberos is not the most
secure system on the market, it does have 1 very big
advantage; and that is compatability. Kerberos is considered
to be (or it will be soon) the defacto standard among almost
Internet connected and LAN/WAN connected systems. Kerberos
software is readily available FREE, via anonymous FTP, and
many mant research papers and newsgroups discuss kerberos.

* Kerberos works very similar to a "smart card" based system
with the only difference is that kerberos is a pure software
system, while smart cards are hardware.

* Kerberos works by encrypting an ID code onto every packet
of data in the network. Only the intended users can
decrypt ID code to verify its authenticity, and it is
almost impossible for a perpetrator to forge a false ID
code. encrypted ID codes are passed back and forth with
every single data packet, and each data packet is verified
that it came from the intended authorized user, and that
a perp didnt tap onto the network line, and try to send
phony data.

* Kerberos like most other authentification schemes are
only allowed to be used in the united states. The Department
of Commerce and Department of state have outlawed the transport
of cryptographic products. which is covered under ITAR Federal
Regulations. (You can request a copy of ITAR Regs from
the Department of State or also Dept' of Commerce).


OTHER AUTHENTIFICATION SCHEMES- Their are endless amounts of
authentification schemes, but I do not want to get into
a whole computer security thesis... Their are things such
as card access systems, voice print ID's, etc.. etc..
etc.. etc.. etc.. But those devices are a bit esoteric and
are only used on extremely secure system, and doesnt
really fall into the category of Internet Security.

[g] PASSWORD SHADOWING:
Password Shadowing is a UNIX term which means that the
password records are hidden and can not be gotten at
through the normal means, and is in a secured directory
to which only root (highest security level), or the
staff have access to. Unfortunately, shadowing is
not always effective, because users can gain root
access through other flaws in the UNIX system, then once
they get root, they can look at the secured password files.

* Note the passwd file in UNIX is publicly available to all
users and is located it the /etc directry and the file
is called "passwd". This password file contains more than
just passwords.. It also contains, user/account names,
users home directory, users shell, password expiration
dates (if any), users Real Name, and users group assignment.
When passwords are shadowed.. the whole passwd file is NOT
hidden away in a secured directory... ONLY the actual
hashed passwords are hidden away.

* Most systems today only shadow important password files
which leaves all the systems users vulnerable to having
their accounts violated. This is the oldest problem in
UNIX, and has been talked about for years.. Any SysAdmin who
does not shadow his password is a bloody ignorant fool...
But the fact is that 70 percent of all SysOps DONT shadow
their password files (except for the important ones).
That fact is barbaric and foolish by todays standards.
SysAdmins have been told time and time again for the past
2 decades that passwords must be shadowed, and hundreds of
thosands of accounts have ben violated by this method,
but people are plain stupid and they never learn their
lesson. Their may be legitimate reasons why some sysops
dont shadow password files, such as the system may have
alot of users, and it may be too difficult to shadow
all of the users, but quite frankly that is a very poor
excuse for negligence in security.


[j] TEMPEST PROTECTION:
TEMPEST (Transient Electro-Magnetic Pulse Emmenation Standard).
Tempest is an extremely important advanced computer security
topic. TEMPEST remains one of the most effective and dangerous
forms of effective hacking to date. However it is very high
tech and is a big hassle, and is only used as a last resort,
or when a person does not want to risk being detected.
TEMPEST is a form of data interception surveillance. It is
passive hacking in effect. The interceptor can see what your
doing but cant interact with the system, he only sees what
your doing at a specific moment.

* All computers (as with any electronic device) emits radio
freqency electromagnetic waves. These EMF waves come from
various parts of your computer, mainly from the cables such
as to your monitor, CRT, or Dumb Terminal. These EMF waves
trabvel through the air, up to 1 kilometer away (about 3/4's
of a mile for you dummies who use the american system of
measurement). With the proper equiptment, these EMF waves
can be intercepted and monitored. A device that intercepts
these tempest signals is known as a TEMPEST Receiver or more
informally and commonly called a "Van Eck Tempest Receiver".

* All computers emit 2 types of radiation.
(1) Video emmenations- video emmenations are basic stuff.
Virtually every computer thats unprotected emits a fair
amount of them. Video emmenations from your monitor
cable literally send your video signal over the airwaves
up to a kilometer away. A Van Eck tempest receiver will
receive these frequencies, it will demodulate the video
signal and add a new carrier frequency (NTSC or VGA or SVGA)
onto the signal which is then set to a NTSC CRT or to a
VGA or SVGA computer monitor. The end effect is that the
interceptor will literally see what you are typing on your
computer screen, and will see exactly what you see on
your screen (minus the color which does not get transmitted
far enough for the tempest receiver to pick the color signals
up). Have you ever wondered why when you type in a
password, the characters are masked by an echo character
"*", etc or are blanked out? [well read the section
below on password echoing].

(2) Data emmenations- data emmenations are way out of the
scope of this article.. That is NSA material discussion,
something that you might imagine could be used in high
tech NSA grade equiptment and sattelites. Data emmenations
are direct data signals sent from your computers motherboard
CPU, and various processing cards.. This data does not
travel very far, not at all, but with an ULTRA sophisticated
receiver, these data emmenations can be monitored. This
device could theoretically, dig right into a computers
memory to a limited extent to extract information. Many
persons claim that such devices dont exist, but the fact is
that they do, and have been developed for well over a decade
and have been used by ceartain 3 letter agencies.

[k] PASSWORD ECHOING:
Password echoing is the process of blanking out passwords on
your computer screen and replacing the characters you typed
in with a mask character such as "*" or sometimes as you type
in the password, it will be invisible. This technique was
invented about 15 years ago by the NSA. It is urban myth
as to why passwords are masked with an echo character, and
most people have been falsely told that its to prevent
someone from looking over your shoulder and seeing the password
you type in... Well in short, that is false! Although,
echoing ceartainly does stop people from "shoulder surfing"
to snatch your password, the real reason that the NSA originally
developed it was to prevent TEMPEST Receiever attackers from
spying in on sensitive government and military sites and
seeing the government employees type in their passwords
on the screen.

[l] SECURITY AUDITING:
One of the most effective methods ever developed to combat
system intruders and uninvited guests as well as to catch
authorized system users who exceed their appointed authority
is to implement auditing of the system. Although audit logs
are kind of after the fact protecting and they dont really
keep people out, they do let you know who has done what,
where they have went, what systems they went to, what time,
for how long, etc.. etc.. Audit logs can serve as evidence
in a court of law, that an individual was improperly using the
system, but more importantly it can be used to monitor hackers
in progress. By "in" progress, I dont necessarily mean at the
specific moment.. Rather hackers sometimes will spend weeks
or months at a system quietly and discreetly working away.
They may be active for short perious of time, then take a break
for a few weeks till their sure that the "heat is off".
Audit logs will tell you where this hacker is getting in and
what he is doing so that you can be alerted the next time
this user logs on. Perhaps you can set up an audit log that
will set of an beeper alarm to warn you, so that you can
monitor this indivduals activities.

* Audit logs can be set up to literally detect anything. All you
need do is program it in, or write a script file, and you can
monitor anything that you want.

* Although audit logs are part of the UNIX system and are built in,
their are a number of better and more detailed auditing systems
freely available. Such sofware are: NETWATCH and PORTWATCH

[m] SECURITY CRACKING SOFTWARE:
Another common technique used today is the use of security
packages. These packages are a SysAdmins best friend
(especially, if said sysadmin is not too keen as understanding
his O/S or its security glitches).. It also however is a
hackers best friend. Security programs, are a large collection
of executable programs, script files, and libraries that are
designed to crack virtually every known security flaw. These
arent miracle devices and have their limits, but they do work
wonders, and will crack a system about 10 times faster than the
best expert can. The SysAdmin simply runs these programs and
batch files and the program does the rest.. Their are
different packages available for different O/S's, but some of
the most common packages are: COPS, TIGER, and SATAN.

[n] SECURITY RATINGS: (Trusted Computing Systems/Bases)
The last method used in the pursuity of security, and to
promote the strength of an Internet based system is to
have your computer meet ceartain evaluation criteria.
This is not actually a technique of security per se'
but their are ceartain guidelines which must be followed,
and if you follow those guidelines by implementing the
required software, then you are assured of having a
fairly secured system.

* The NCSC (National Computer Security Center) is the
sister agency to the NSA (National Security Agency),
the 2 facilities are located right next to each other in
Fort Meade, MD. It is the job of the NCSC to set
evaluation criteria and federal standards for computer
security guidlines. Their are currently 3 government
agencies that set official standards and they all work
very closely together in their projects.

The 3 Computer Security Agencies are:

(1) NCSC- National Computer Security Center is the backbone
for the entire computer security community. The NCSC
is staffed with hudreds of the worlds best computer
security experts, whos knowledge of computers greatly
exceeds that of any privately employed individual.
Their primary strength in computer security knowledge
however is due to the fact that the agency is properly
and very efficiently administered, and all employees
are trained very well.
It is the job of the NCSC to evaluate every possible
facet of not only computers but also for office
equiptment. (Office equiptment hacking is a VERY
advanced topic I wont even deal with).
The NCSC publishes hundreds of official manuals
and books which very thoroughly outline the details
for secured computer systems. These are oficial books
which are the "defacto" standard, and when judging
how secure a computer is, these books are used.
Although the NCSC produces thousands of books and
manuals on every conceivabel topic, the NCSC is most
famous for what is called the "NCSC Rainbow Manuals"
or "NCSC Color Books". These rainbow manuals,
approximately 75 in all, are approximately 100 -
500 pages in length for every volume. These manuals
cover every conceivable topic for computer security
that you can think of. Each manual covers a different
aspect of computer security, and each manual has a
fairly strict set of guidelines that must be followed
in order for a computer to be evaluated and rated.
You can obtain free copies of the Rainbow Manuals
by contacting the National Computer Security Center
(It would be preferable if you could address your
request to the "INFOSEC Awareness Division", as they
deal with pubic inquiries, or you may download the
NCSC Rainbow Manuals from the NSA's DOCKMASTER computer
system, however you need an account on that system
to do so, as their is no anonymous FTP service.
You may contact me if you want to take a look at these
manuals and I'll get it from the Dockmaster system.)

(2) NSA - The NSA Also deals with computer security to a limited
extent. MOst of what the NSA does is not of public
interest or isnt disclosed in general to the public,
but the NSA does set ceartain standards which are beyond
the capabilites and charter of the NCSC. For instance,
the NSA deals with cryptography, and cryptographic
standards, and helps to develop new standards. The
NSA works very closely with the NIST in the field of
cryptography. The NIST doesnt do too much cryptography
work per se' but the NIST is responsible for setting
all the official guidelines that the government
MUST follow. The NSA also deals with product evaluations
and TEMPEST technology, as well as with the rating
and categorizing of commercial encryption devices
such as Motorola STU SECTEL Phones or Cylink devices.
The NSA also deals with setting up secured telecom
networks for both commercial and governmental use.
They rate various commercial communications services
for security and publish the results so that people
know which telephone companies have quality secured
communications lines.

(3) NIST- The NIST is a division of the Department of Commerce.
The NIST is the National Institure of Standards and
Technology. Their main purose is to set official
government standards and to evaluate the latest
technologies, and products from other agencies such
as the NCSC and the NSA. The aforementioned agencies
spend literally a decade developing new systems and
procedures, and after a ceartain amount of time, the
NIST will declare that a product has been evaluated
enough and is secure and can be approved for government
use, or the product may even become the defacto
standards for the government.

The NIST has many divisions, and they literally evaluate
everything. (the NIST is very similar to ANSI, their
job is simply to set standards which the government
must follow and that the public should follow.

The NIST has a computer division, and in this section
I'm specifically referring to the computer division
of the NIST. The NIST Computer Systems Laboratory
deals very heavily with encryption. The NIST CSL
has its own professional cryptographers which rank in
par with some of the NSA's cryptographers, and these
cryptographers evaluate the products and system that
the NSA and NCSC have developed.

After a product has been evaluated for about 5 - 8
years by the NIST, NCSC, and NSA, it is proven to be
worthy, and the NIST will publish a FIPS.. A FIPS
is a very important term which means Federal Information
Processing Standard. Once the NIST publishes a new
FIPS, forever more all products must follow these
guidlines. The FIPS usually consists of 2 parts.
(1) A technical portion of the FIPS details the
guidlines of the product and how it MUST be
adhered to. Like if a new cryptosystem is
implemented, the NIST FIPS states clearly that
everyone must implement the algorithm for the
encryption the same way so that everyones
cryptosystem is compatable and is of similar
strength and quality.
(2) The second part of the FIPS is a decree to all
government agencies which states that forever
more all government agencies (that meet ceartain
guidelines) must use this product or system from
now on..
Any example is DES... many years ago DES was
declared a FIPS, and all government agencies
who processed ceartain material had to use DES
and they could not use anything else (unless
specifically approved that it is a better product).
DES is no longer a FIPS, and is being replaced
now, and in fact has been replaced, although
the NIST is looking into renewing the DES FIPS
charter, for another couple years as DES still
has a few years left of life in it. But it cant
be used for processing of classified information.



-----------------------------------------------------------------------
(4) ORGANIZATIONS AND LEGISLATION TO CONTROL HACKERS AND CRACKERS.
-----------------------------------------------------------------------

EFF - Electronic Freedom Foundation
SEA - Society for Electronic Access
SPA - Software Publishers Association
CPSR- Computer Professionals for Social Responsibility
CEI - Computer Ethics Institute
NCSC- National Computer Security Center
NSA - National Security Agency
CERT- Computer Emergency Response Team
[a] CIAC- Computer Incident Advisory Center
[b] NASIR-
[c] DDN Management Bulletin-

Congressional Laws/Bills:
(a) S.314
(b) Seizure Of Equiptment Policy by the Secret Service.
(c) Californias Law to Turn Phone Phreak Eqpt over to Telco.
(d) OmniBus Crime Act
(e) Electronic Communications Privacy Act
(f) Copyright Infringement Laws

* The following is an actual copy of the current law pertaining
to copyrights. Note the stipulations: "s 506 subsection [a]";
which state that infringement is only a crime if you either:
(1) Have the potential to make a profit, or
(2) are currently making a profit (selling copied software or
bootlegged audio or videotapes.) In the case of warez
(or software piracy, no profit is being made, and the
software is being distributed free.

<< Part of this document got destroyed, and a few sentances are missing >>

17 U.S.C.A.
section 506

UNITED STATES CODE ANNOTATED
TITLE 17. COPYRIGHTS
CHAPTER 5--COPYRIGHT INFRINGEMENT AND REMEDIES
Copr. (C) West 1995. All rights reserved.
Current through P.L. 103-465, approved 12-8-94

s 506. Criminal offenses

(a) Criminal infringement.--Any person who infringes a copyright
willfully and for purposes of commercial advantage or private financial gain
shall be punished as provided in section 2319 of title 18.

(b) Forfeiture and Destruction.--When any person is convicted of any
violation of subsection (a), the court in its judgment of conviction shall,
in addition to the penalty therein prescribed, order the forfeiture and
destruction or other disposition

(c) Fraudulent Copyright Notice.--Any person who, with fraudulent
intent, places on any article a notice of copyright or words of the same
purport that such person knows to be false, or who, with fraudulent intent,
publicly distributes or imports

(d) Fraudulent Removal of Copyright Notice.--Any person who, with
fraudulent intent, removes or alters any notice of copyright appearing on a
copy of a copyrighted work shall be fined not more than $2,500.

(e) False Representation.--Any person who knowingly makes a false
representation of a material fact in the application for copyright
registration provided for by section 409, or in any written statement filed
in connection with the application

(f) Rights of attribution and integrity.--Nothing in this section
applies to infringement of the rights conferred by section 106A(a).

CREDIT(S)

1977 Main Volume


(Pub.L. 94-553, Title I, s 101, Oct. 19, 1976, 90 Stat. 2586.)

1995 Pocket Part (As amended Pub.L. 97-180, s 5, May 24, 1982, 96 Stat.
93; Pub.L. 101-650, Title VI, s 606(b), Dec. 1, 1990, 104 Stat. 5131.)

< General Materials (GM) - References, Annotations, or Tables >

HISTORICAL AND STATUTORY NOTES
Notes of Committee on the Judiciary, House Report No. 94-1476

Four types of criminal offenses actionable under the bill are listed in
s 506 [this section]: willful infringement for profit, fraudulent use of a
copyright notice, fraudulent removal of notice, and false representation in
connection with a copyright.

Section 506(a) [subsec. (a) of this section] contains a special
provision applying to any person who infringes willfully and for purposes of
commercial advantage the copyright in a sound recording or a motion picture.

1990 Amendment

Subsec. (f). Pub.L. 101-650 added subsec. (f).

1982 Amendment

Subsec. (a). Pub.L. 97-180, substituted "shall be punished as provided
in section 2319 of title 18" for "shall be fined not more than $10,000 or
imprisoned for not more than one year, or both:" and struck out provision
that any person who infringes

Effective Date of 1990 Amendment

Amendment by section 606(b) of Pub.L. 101-650 effective 6 months after
Dec. 1, 1990, see section 610(a) of Pub.L. 101-650, set out as a note under

section 106A of this title.

Effective Date

Section effective Jan. 1, 1978, except as otherwise expressly provided,
see s 102 of Pub.L. 94-553, set out as a note preceding s 101 of this title.

Legislative History

For legislative history and purpose of Pub.L. 97-180, see 1982 U.S. Code
Cong. and Adm. News, p. 127.

CROSS REFERENCES

Making and distribution of phonorecords subject to penalties provided by this
section, see 17 USCA s 115.
Secondary transmission of primary transmission subject to penalties provided
by this section, see 17 USCA s 111.
Transportation, sale or receipt of phonograph records bearing forged or
counterfeit labels, see 18 USCA s 2318.
Unauthorized rental, lease, or lending of sound recordings as constituting
infringement but not a criminal offense under this section, see 17 USCA s
109.
Works consisting of sounds or images, first fixation of which is made
simultaneously with its transmission, subject to penalties provided by this
section though no copyright registration has been made, see 17 USCA s 411.


LAW REVIEW COMMENTARIES

Computer crime: The federal vs. state approach to solving the problem.
Robert D. Starkman, 65 Mich.B.J. 314 (1986).

Computers, copyright and tying agreements: An argument for the
abandonment of the presumption of market power. Glen P. Belvis, 28
B.C.L.Rev. 265 (1987).

Impoundment procedures under the Copyright Act: The constitutional
infirmities. Paul S. Owens, 14 Hofstra L.Rev. 211 (1985).

Information infrastructure. David Goldberg and Robert J. Bernstein, 212
N.Y.L.J. 3 (Sept. 16, 1994).

Visual Artists Rights Act: Federal versus state moral rights. Brett
Sirota, 21 Hofstra L.Rev. 461 (1992).

Waning of the fraud defense. David Goldberg and Robert J. Bernstein,
211 N.Y.L.J. 3 (Jan. 21, 1994).?



-------------------------------------------------------------------
(5) WHO IS ACCOUNTABLE FOR LOSSES DUE TO THESE ACTS.
-------------------------------------------------------------------

(a) Software companies- The SPA and major software publishers often
propagandize by claiming that each year they lose billions
of dollars in revenue due to software piracy. These statistics
are blatently false. Please note my figures on the amount of
software piracy... The actual amount is barely 125 Million
per year.

* This is a very greatly debated topic, in the authors opinion,
and in technical fact, software piracy does not actually
cause these companies to lose so much as 1 cent.. What software
piracy does do... is prevent these companies from gaining the
revenue that they should be getting from legitimate paying
users. [their IS a difference]

* Debate also stems over the fact that software piracy is not
actually a crime.. It is merely a civil offense unless the
piracy involves the perpetrator intending to make money or
having the ability to make money over $1,000. If our own
government does not even outlaw software piracy, then are we
not doing anything wrong??? [this is NOT my opinion, but
merely a hypotehtical... in reality it is true.. If its not
a crime, then their really is no problem, but thats not to
say that it is morally ethical. Because it is not.

* The bottom line is that we the consumer (meaning everyone
inlcuding the software pirtates themselves), end up paying
outrageous rates by rip-off software companies, and are given
the old excuse that they must raise rates in order to make
up for lost revenue. That whole argument on the part of
the software companies is a massively deceptive excuse to
suck more money out of us consumers, under the guise that
these companies are poverty stricken and "have to" charge these
ludicrous rates otherwise they'll go bankrupt.. These companies
need to stop crying poverty, because if they really were broke
they would not be Fortune 100 companies bringing in 400 million
dollars in revenu per day! < and as I stated before, this
whole argument about them "losing" money is false, because
they are not losing any money... they just are not gaining
any money >..





(b) System administrator




(c) Users- Out of all the groups of people who are affected the most
by unscrupulous individuals; it is US; you and me, the legitimate
computer user who gets royally screwed and ends up with the
short end of the stick so to speak.. It is these mega-
corporations who are just begging for any excuse whatsoever to
jack their rates up 500 percent. These companies have every
right to profit, but us citizens do not feel it is fair that
we have to suffer massive price increases for your petty losses.
Indeed these mega-companies are losing money from theives and
maybe even hackers, but these companies also make back 3 times
what they lose in fraud by jacking up the prices claiming that
its necessary. Ie: they lose 125 million in fraud, so
instead of jacking up the prices to a small reasonable amount
such as 15 percent for each user which would undoubtebly cover
these software losses, they jack the price up 100 to 500 percent
and end up with 5 times more money than they claim they are
losing. I feel that if we are to be subject to price increases
it should only be to the extent that the price increase will
cover the cost of the losses incurred by these companies due to
illegal activities.

* Secondly, pertaining to constitutional rights.. We are slowly
losing those rights and are very slowly heading to a police
state, where citizens are denied their basic constitutional
rights under the false guise that its for the general benefit
of the american public.

* People are quite often brainwashed by clever politician, sick
religious fanatics, and various lobbying groups, who are
more interested in shoving their crusade down everyones throat,
than they are in preserving the way of life we have in america
(or shall I say the way it is supposed to be, but is not thanks
to a few assholes who have to play god and dictate to everyone
what is ethical and what isnt.

* One of the differences that has set our country apart in the
past from other countries is the fact that traditionally, we
have always been allowed unrestricted free speech (or thats
the way its supposed to be, but isnt unfortunately).. But we
can freely discuss our politics, our religion, our disgruntlements
in public without fear of reprisal or even a death punishment
from our government as they quite often have in Arabic countries.
God forbid you say anything about "Allah" or about the political
regime in Kuwait, or Pakistan.. You'll be hung without a trial,
and in many countries you can be locked in prison without a trial
and forever.. Such is the case with South Africa and Nelson
Mandella who was imprisoned (without trial I believe and was
sentanced to life for simply being an "enemy of the state"
because he has different views, and maybe a better idea for a
better government. In america, we can live without
fear of such barbaric things because freedom of speech is
nearly unconditional in the United States (so long as its not
physically threatening and is just your opinion).. The thing
that makes freedom of speech so powerfull is that it has no
bounds, cannot have bounds, and should not have bounds.. As soon
as you start putting restrictions on what people can and cant
say then you have thusly destroyed freedom of speech by dictating
to the citizens what they can and cannot think about and say.
Even if the law may seem harmless and even a benefit to society,
you still cannot infringe upon the freedom of speech because
it thusly denies a ceartain group of people their right to their
opinion.

* Thusly if bills like S.314 pass, this country will be
totally destroyed, and will never again be the same unless
us citizens are willing to stand up and say, were not going
to accept this law and have no intention of following it since
it destroys the constitution. [see later comments on S.314
americas most dangerous bill].

* Excessive media hype, blatently false, sensationalized, and
innacurately reported events regarding computers and hackers
along with the thorough brainwashing of the american public by
the media has caused 95 percent of all the problems that we have
today, and could very well end america the democracy, and
the constiutioon as we know it... It is ironic, that we profess
freedom of speech as being all important, but yet it is these
same sleazball scumbag jornalists, talk show hosts, and reporters
that are destroying america.

* If anyone has become the victim from so-called computer, it is
the 1 million plus legitimate computer hackers and network
explorers, who have been unconstitutionally abused by overzealous
law enforcement authorities, who have clearly stepped over the
line, and disregard all constitutional rights and due process by
absuing their power and exposing loopholes in the law, to strike
with vengeance against anyone who they feel might have commited
some type of computer crime. And far too often law-enforcement
officials, and specifically the prosecutors) will go out of their
way to trump up false or unnecssary charges in order to obtain
some type of conviction, even when they know that the person they
have arrested has commited no crime, they would be too embarresed
(as is the case in any type of crime) to release that person.
D.A.'s have a real nasty habit of not being able to admit when
a mistake was made, and that the person in question is actually
inncoent.. The reason for this is simply, human pride, and also
the embarresment that it would cause the office, should this
person go public claiming how the DA's office falsely prosecuted
the individual with no evidence whatsoever. So instead DA's
will do everything n their power to "railroad" any individual
who comes before them, regardless of their innocence or guilt.

Never before have we americans seen such "witch hunts" since the
"1690 Salem Witch Trials" in Massachusets. Now we have a new type
of witch hunt beforth us, this time, courtesy of the scumbags
from the media, who have falsely portrayed hackers in a untruthfull
manner, as well as brainwashing the entire population into
believeing such bubkas. Politicians, and law-enforcement being
among the many brainwashed people have made it their crusade to
pursue hackers to the ends of the earth and punish them with
every intent of destroying their lives, a witch hunt if you will,
where the punishment clearly does not fit the crime. Their is
currently an over-abundance of laws pertaining to hackers and
telephone phreaks, and I feel that it is an outrage that the
penalty for hackers and phone phreaks is far greater than that
for murderers, rapists, bank robbers, spies, etc...

It is truly a shame, when a 15 year old kid, who makes a few free
phone calls, or manages to gain access to a government computer
system can be sent to prison for 350 Years and have 50 charges
brought against him (thanks to the numerous over-abundance of laws
which I mentioned before), while a murderer simply gets 15 to 25
years to life, and one or 2 charges at most brought against him.

Where is the justice? Is stealing 5 bux worth of free phone
calls on the same level as a murderer? Obviously so, according
to our wonderfull government. No wonder why so few people have
faith in our justice system anymore. The small time petty
criminals get the full brunt of abuse and mistreatment, and the
real criminals, the ones who should be punished, get treated
like gold... I have seen a local drug dealers who sold 1 gram
of crack get sent to prison for 350 years, (see NY newsday),
while the real criminal, who brings in 2 tons of Cocaine by
smuggling it in via ship gets only 5 years in prison (see NY
Newsday article on that also)..

Aside from the actual punishments of criminals, their also
seems to be massive abuses in the arrest of petty criminals.
I am all for the punishment of anybody that commits a crime to
a reasnable extent. But I think its a damned shame, that people
like Jeffery Dahmmer, Collin Fergusen, etc... were brought in
without any incident whatsoever, were treated like "gold"
practically; with their own private little cell, and a nice
bullet-proof vest for them to wear...... While some teenage
hacker sits in his room putzing with his computer, and next thing
you know, law-enforcement is quite literally busting down the
door with their weapons drawn, screaming: "GET DOWN, SEARCH WARRANT,
NOBODY MOVE OR I'LL BLOW YOUR FUCKING HEADS OFF!!" Is that
outrageous attitude acceptable? Are we going to take that abuse?
Are the police really willing to blow some 15 year old head off
because he might try to get rid of some petty piece of evidence?

Where is this kind of abuse when we really need it...
like for the murderers?

[ on this note: do NOT think I am exaggerating.... If you do not ]
[ believe that these barbaric monstrous acts occur, then simply ]
[ get holds of the transcripts, and many available books on the ]
[ subject pertaining to hackers, and you can see how the hackers ]
[ were apprehended, threatedened and abused during arrest. ]

The last thing I'll mention pertaining to hacker arrests, is that
law enforcement (specifically the Secret Service who has the biggest
history of abuse of power) usually unjustifiable seizes every single
piece of property in the hackers home, with the exception of the
house furniture. The Secret Service will often steal (err I mean
seize) the hacker/phreakers video game systems, stereo, books,
manuals, notebooks, every scrap of paper in the entire house that
has some type of scribbling on it, all software, all office eqpt
such as photocopiers, all computer eqpt, including scanners and
printers (you never know, the hacker just might have some "secret
microchip" embedded in his printer in which he's going to smuggle
the nuclear secrets out of the country.) << I of course meant that
to be extremely sarcastic to show the idiocy of law-enforcement. >>

Why is it necessary for law-enforcement to steal all the equiptment
in the household, including objects that clearly have nothing to do
with the crime in question? << Why has the secret service taken
kids video games in such raids? Can you justify a reason for
that? I think not!! They just clearly want to abuse there power
and make this person pay severely, ith no thought of to the fact
of if he is really guilty or not. >>

A good example, is "Steve Jackson" from Steve Jackson Games...I
highly recommend you read up on this case if your not familiar
with it.. Here is a man who ran a very legitimate business of
making board games, and his business somehow got falsely wrapped
up in some bogus hacker case. Jackson was working on a current
project for a new board game about computer hackers... His
computers happened to contain the manuals for this board game,
and when the police falsely arrested this individual, they found
his instruction manual for his game, and accused him of writing a
"manual for destruction for hacker" and charged him on numerous
bogus charges which clearly didnt hold any water in court. Well
when this individual was finally cleared of the false charges,
he thought that the abuse was finally over... But no.. The law
states that an individual does not get his/her seized property
back... He/she has to go through a whole seperate case to
get their property back, and it finally took many many many many
months until Jackson got his equiptment back. of course nobody
ever repayed Jackson for the tens or possibly hundreds of
thousands of dollars that he incurred by this railraded false
arrest due to his loss in bussiness and his lost contracts
and lost work time, etc.. (as well as the abuse he had to
undergo mentally..)

Their are many similar cases as to Jacksons, of people who have
been falsely arrested and had their lifes work seized and never
ever returned even when they were proved innocent because
the Secret Service DOES NOT have to return your equiptment
when your proven innocent! Even in cases where hackers or
phone phreaks were guilty of commiting some petty crime, the
seizing of their lifes assets hardly is justifiable and should
not be tolerated.. Its is clearly an absue of power.. Did the
police seize all of Collin Furgusons assets, or Jeffrey Dahhmer?
NO!!.... And those guys were murderers.. Why must petty criminals
who steal 10, 20 bux in phone calls, etc.. take the full brunt of
the law, while real criminals roam the streets or get off easy?

The bottom line, is that their are currently more than enough
laws on the books to adequately punish hackers and telephone
phreakers. We dont need any more laws, and we should not
tolerate any more laws, as it is an abuse of power, as well as
a waste of taxpayer dollars to regulate something to death..
Do we really nned congress to waste time coming up with dozens
of new laws, and spend 10 years arguing over the little looholes
in the bill, when their are already 130 laws on the books that
a hacker could be charged with.

What we need to do, is snap into reality, and punish these
people, as well as spend more time investigating these crimes
rather than spending years on end, trying to come up with
"the perfect law". What good are all these overkill laws if
it's not enforced? In fact, what do we even need these
extra laws for in the first place? They just make things
more complicated, and leave more loopholes for lawers (and
police to abuse)! if a person commits telecommunications
fraud, do we really need a phone phreakers law? Why not charge
them with theft as we do with every other criminal? Why must
hackers have their own special laws to be witch hunted with?


(d) Noone-



--------------------------------------------------------------
(6) APPENDICES: Miscellaneous Information
--------------------------------------------------------------

----------- Suggested Reading List ------------
I obviously cant tell you everything in this small article..
If you want to gain an understanding of what hacking is
really about, and want to learn about the various laws, and
how they are prosecuted, etc.. etc.. I suggest the following
books:

(a) Friendly Spies (details dozens of Industrial Espionage cases)
(b) Masters Of Deception
(c) Approaching Zero
(d) The Hacker Crackdown
(e) The Cuckoos Egg by Clifford Stoll
(f) Cyberpunk(s)

[books placed in order from "a" to "f" measured ]
[by importance as far as real usefull information]

---------- Other Reference Material ------------
"Off-The-Hook" radio program hosted by Emmanual Goldstein
(editor of the famous 2600 Magazine) and the 1 hour long radio
show deals with computer hacking issues, internet security, etc..
WBAI 99.5MHz FM
Wednesday 2200 - 2300hrsEST

---------- Internet Newsgroups -------------
alt.2600
alt.2600hz
alt.cyberpunk
alt.cyberpunk.technology
alt.hackers
alt.security
alt.protocols.kerberos
comp.security.firewalls
comp.security.misc
comp.unix.admin


'''
(o o)
---------------------------------------------oOO--(_)--OOo------------
| Alan Hoffman, CEO/Security Consultant | The Code Breakers BBS |
| Electronic Securities Ltd. | 516.744.xxxx CALL TODAY! |
| sahoffman@dockmaster.ncsc.mil | (compusec/comsec/telecom) |
----------------------------------------------------------------------

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close