----------------------------------------------------------------
        Internet Computer Crime Fact or Fiction??
        Written by Alan Hoffman a.k.a. -Q-
----------------------------------------------------------------

INDEX
-----------------------------------------
(A) Foreword
(1) Hacker Ethics, Hacker Profile
(2) Internet & Computer Crimes Analysis
(3) Computer Security Overview
(4) Organizations & Legislation
(5) Accountability
(6) Appendices... Misc. Info
-----------------------------------------

-----------------------------------------------------------------------
(A) FOREWORD:
-----------------------------------------------------------------------

This article was originally intended to be a report on Internet computer crime... But the fact remains that after having just finished this article, I can say that there really is no Internet crime.. It is quite literally a hoax. And it is thusly unfortunate that we computer and technology lovers have to take cheap-shot blows from unscrupulous journalists who tell half-distorted facts when reporting on criminal cases involving computer crime. It is quite literally a "witch-hunt" and ALL computer users are the target.

The reason for this witch hunt is simply that computers, and the information superhighway (the Internet), are the hottest "scoop" (story) to happen to the newspaper and journalism industry in the last 3 decades. The journalists are determined to "milk" this subject and get as much ratings as they can for as long as they can by printing glorified distorted newspaper articles.

Rather, I have chosen to focus on the overall picture.. Who is REALLY responsible for most of the crimes? What are the major computer crimes? Are hackers really the cause of all of our problems as the media would lead you to believe? Or are hackers actually a big blessing to the field of technology?

------------------------------------------------------------------------
(1) HACKER ETHICS, HACKER PROFILE.
HACKERS' BENEFIT TO SOCIETY.
------------------------------------------------------------------------

Profile:

Age: 15-32
  [Professional hackers 17 - 32]
  [Beginning hackers 14 - 21]
  [Casual/hobby hackers 14 - 40]

Hackers' Code of Ethics:

[This is common law among hackers, and the hackers that do not follow these ethics codes strictly, or deliberately commit crimes for personal gain & profit, are thought of as scum and trash by the real hackers.]

...................................................................
Ethics List-1
...................................................................

Here is a sample ethics list, this one is written by me.

(1) Learning should always be your ultimate goal.. first and foremost.

(2) You should try to help the system administrator if you find a flaw in your system.

(3) If you find flaws in systems, you should write a research paper and release it on the I-Net for all to see and benefit from.

(4) Never ever steal, and that usually includes software piracy.

(5) Never, ever, ever, ever damage anything on the system or release viruses. (It is o.k. to release trojan type devices with the intent of testing security, so long as the device is designed to test security and isn't a malicious trojan.)

(6) Never post password lists for accounts that you hacked for all to see.

(7) Try to trespass as little as you can when testing a system's security.

(8) Always try to ask the system admin's permission beforehand. Quite often, the system admin will let you play with his system so long as your intentions are honorable.

(9) Try never to use other people's accounts... If it is necessary to enter somebody else's account while testing security... don't be a nosy busybody and check on that person's mail.. Just use the person's account for the intention of testing security.

...................................................................
Ethics List-2
...................................................................
This is a partial ethics list written by a good friend of mine named ChrisDemilo, who used to be an active hacker (now a comsec/compusec consultant).

(1) Thou shall look, but NEVER touch.
(One may obtain as much information as one pleases, from any system, but never should damage be done in any way, shape or form, although the unwritten law of hacker ethics states that a data traveler may cover his tracks by altering system audit logs.)

(2) Thou shall NOT steal.
(This unwritten law primarily refers to not necessarily stealing per se, but one should not use services or buy products and charge those services or products to anyone else, and if one does do this, it should only be done if the person that you are victimizing can dispute the bill with the proper authority and have the charges easily removed.)

(3) Thou shall NOT use other people's Credit Card Numbers.
(Although this falls under commandment number 2, this one is especially important and worthy of its own separate commandment!) (Stealing credit card numbers is about as low as a data traveler can get... Not to mention that there is no technology involved in this whatsoever, no technical mastery; anybody can dig through the trash and obtain credit card numbers. That's not what data traveling is about.)

(4) If it's in the trash... then it's public domain.
(Although technically garbage has to be out in the street for it to be considered public domain, it is acceptable for a data traveler to do a bit of creative trespass to go dumpster diving.) [One may take as many manuals, books, papers, or pieces of equipment from the trash as one likes. Hey, if it's in the garbage, then it's not theft... (although the legal system might not see it that way.)]

(5) Thou shall NEVER profit from one's misdeeds.
(Although it's perfectly acceptable to sell your knowledge, as that is the whole part of dissemination of information. If one is stealing, he shall not sell his stolen goods or services to others.)
[Selling illegal goods or services is an even worse charge than obtaining the goods or services, because not only does it put the other guy in jeopardy, but it also looks worse, because you appear to be an organized "gang" of techno criminals, which prosecutors love to make up fantasy stories about. PLUS selling the goods or services is yet another separate legal charge to contend with: you can be charged with "intent to sell illegal services" or, even worse, with "Interstate trafficking of illegal goods or services" (the latter is a federal crime, a felony also!!!). "Illegal goods" is now referred to as an "access device", which includes credit card #'s, ATM Card #'s, Telephone calling Card PIN #'s, etc...]

(6) Thou shall NOT commit treason.
(Should one find himself in possession of sensitive government material, one should not disseminate it to anyone. Nor should one sell his findings to any foreign power, or non-US Citizen.) (One should take special care in storing this material, and keep it in encrypted format only!)

(7) Thou shall NOT "rat-out" his partners, or fellow data travelers.
(This should quite possibly be on the top of the list. Far too often, a data traveler is caught, whether on bogus or real charges, and that person begins to "sing like a jay-bird" and name names.)

(9) Thou shalt NOT engage in software piracy!
(H/P and Warez just don't mix, for the simple reason that it just invites more trouble into your life.. If you should ever be suspected of something, and the Secret Service obtains a warrant to seize your computer equipment, you can be sure that every single electronic item in the house will go with them, along with every single scrap of paper with something written on it and all of your computer or science, and/or "alternative" books such as anarchy or politics.) They will literally look through every single file on your computer system, and if you have any stolen software, you're just inviting trouble upon yourself!
90 percent of the time, when your stuff is seized, they don't find bubkas other than a few phone numbers in your dialing directory, and a few generic H/P files, which you must remember are NOT illegal, so don't sweat it if they give you grief for having H/P files; they're just playing on your fears. But if you happen to have warez, well then consider yourself in trouble, even though you can't be arrested for warez under current law because it's not a criminal crime to have warez (despite what most people think); it's only a civil offense. Of course that won't stop the federal agents from railroading you on bogus charges that they know are not illegal, but the Secret Service basically has a way of saying "hey fuck this guy's rights, by the time anybody figures out that what he's done is not even a crime, he will have been in jail for 5 months awaiting trial" (and that's the Secret Service's way of harassing you and it's totally legal! and is even considered an ethical way to harass someone and even destroy their life when they know they can't get the goods on you. Let's not forget that you will never ever see your equipment again, or at the very least, don't expect it back within 2 years!). << And if you think I'm over exaggerating this in any way, I can name over 20 cases off the top of my head to back up those statements >>

(10) Thou shall NOT pretend to be someone else for the purpose of misleading authorities and deliberately getting some innocent person in trouble.

...................................................................
Different Types of Hackers:
...................................................................

(1) Beginning Hacker
(2) "Real" Hacker
    [a] "Real" Hackers / Techno Enthusiast
    [b] Hobbyists Casual/Curious Hacker
    [c] Security Professionals
(3) Software Pirates
(4) Generic Scum & Thieves
    [a] Industrial Spies / Industrial Espionage
    [b] Generic Petty Thieves
    [c] Malicious Hackers

...............................................
Description Of The Different Types Of Hackers
...............................................

(1) Beginning Hacker-

First I shall give you the basic description and mindset to help you understand how people get into the field of hacking.

Although it all depends upon age... most persons get interested in hacking through gaining access to a computer bulletin board system that caters to talk of computer hacking (these are known as "underground" BBS's, although that is somewhat of a misnomer.. They are not "underground".. they are simply private boards which cater only to people who are interested in various types of technology). There are approximately 20,000 underground computer bulletin boards of various types in the United States (You can quote that figure.. it's pretty accurate).

Most people who decide to call an underground board are usually persons who are very intelligent, and very very interested in not just technology, but the way things work (or at least that's true for hackers, but not for software pirates). On these underground boards you DO NOT just find talk about computer hacking... that's not what hacking is about.. You will find talk about technology in general, how things work (NOT just computers, also telephone technology).. Hackers basically like to figure out how things work, why they work, and most importantly, what security holes are in the device, or the system.

You may ask yourself.. Why do they like to find holes and flaws and glitches in systems? They must have evil intentions of exploiting these holes.. That is absolutely false.. Hackers seek to exploit weaknesses merely because it HAS to be done.. Technology must always progress, computers must always be made better and faster, and the same goes for the software and security systems..
As security holes are placed in the software by the developers, the hacker's mission is to find these holes, and let everyone know (preferably through legitimate means such as writing research papers on the topic) about these holes so that they can be fixed.. In reality.. the only difference between a legitimate hacker and a system admin or security consultant is that security consultants get paid, and hackers do things for free.

* If you logon to an underground board, as I stated... Some of the conversation might be construed as not exactly legitimate as I have stated.. You have to be realistic in understanding that hackers are not "evil".. A lot of them are just kids, and they are immature.. that can't be helped... The basic fact has always been that kids like to do things that are fun.. And when they have a legitimate interest in things, they should not be discouraged from doing what they like (studying technology). It is up to the older board members, those that are more knowledgeable and have been doing things a long time, to subtly guide the younger folks in the right direction.. (You would be amazed at what influence the older, more prestigious users have.. They carry a lot of influence among the kids, and the kids usually listen to everything that these older folks say.) The key has always been to give these young kids (14-17) guidance and morality lessons... They (the kids) have to be told the rules of hacker ethics.. "This is what you can do", "this is what you can't do".. You can study security flaws all you want, but you can't pirate software, you can't destroy anything, you should always help the system administrator fix his system, etc..

* After about 1 or 2 years of being a "beginner" and learning the rules of the game... The person moves on to the next stage.. Where this person goes in the next stage all depends upon whether this person listened to the advice of his elders, and what he's interested in doing..
Some people will choose to be software pirates, others will choose to be hobby hackers, who just like to play around a bit but aren't all that serious, and then some people will move on to professional hacking.. (the latter people are extremely serious about technology and security matters, and they quite often go on to become security consultants and sysadmins when they're older.)

(2) "Real" Hacker

[a] Hobbyists Casual/Curious Hacker

A hobby hacker basically describes 95 percent of all hackers and telephone phreaks [telephone phreaking is a whole other part of the underground, and it's filled with people who like to play with telephones rather than computers.. but we won't discuss that]. Basically a hobby hacker is everyone who's ever used a computer.. We've all had a hankering just to play and explore a bit.. You might be sitting down one night at your internet terminal and decide to just see what sites you connect to just for the fun of it, like trying to call up some national laboratories and see if they have any good science files that you can anonymous FTP.. That is basically all that hacking is about: exploring!

Professional hackers are a bit different of course... Most pro hackers are not so much into exploring, but they're into studying computer security.. learning about operating systems, becoming more proficient at UNIX, and learning how TCP/IP and the Internet work.

[b] "Real" Hackers / Techno Enthusiast

A professional hacker is someone who is seriously obsessed with security technology (NOT just with computers, but also physical type security, surveillance, communications security, cryptography and codebreaking, industrial security, anti-shoplifting technology, anti-theft technology, alarm systems, etc.. etc.., etc..). These types of hackers literally dedicate most of their lives to learning security and computers.. Not because they have evil intentions to break into systems.. simply because they like what they do.
Just as any professional such as a scientist likes what he does.

There are basically 2 types of professional hackers:

(1) Professional Hobby Hackers- Pro hobby hackers simply hack for the fun and joy that the field of security brings to them. They're not the least bit interested whatsoever in making any profit from what they're doing (and if they want to make a profit, they'll do it legally by becoming a security consultant, etc..)

(2) Industrial Thieves, spies etc..- These people are obviously undesirable scum that give hackers a bad name. These people aren't so much interested in the actual information that they're stealing off systems.... basically these people will obtain information by whatever means possible, and will sell it to either the highest bidder, or the person that's directing their activities. Computer spies in reality only make up about .05 percent of all of the hackers.

Lastly, I won't pretend that hackers are angels; they sometimes step outside the bounds of where they're allowed and quite occasionally they'll trespass a bit... But the realistic fact is that legitimate hackers whose only interest is security will provide an extreme asset to the electronic society.. These are the people who are solely responsible for finding 90 percent of the security flaws, and bringing them to everyone's attention, so that they can be fixed.

You might be thinking to yourself that it's best if nobody finds the security flaws... since if nobody knows about them, then there won't be any problem... People who think that are blissfully ignorant of reality.. You cannot just ignore a problem (such as computer security flaws) and pretend that the problem doesn't exist and that people won't expose those flaws, because they will, either by accident, or on purpose.

You will find that the modern consensus nowadays among sysadmins is that they actually welcome hackers almost with open arms so long as they have honorable intentions in mind.
System admins are finally realizing that you can't ignore or suppress security flaws, and many a system admin has been helped by friendly hackers who have taken the time to write mail to the system admin telling him of his system's vulnerabilities.

[c] Security Professionals-

The last group of hackers are security professionals. These are quite likely and usually are people who were at one time computer hackers themselves, but matured a bit, and decided to get a real job, and make money at this game. Not much needs to be said, and we should put all hackers in a bad light because as stated before, the only difference between a hacker and a security professional is that one gets paid and the other doesn't.

(3) Software Pirates-

Software pirates are a whole different breed of computer underground people.. Hackers and software pirates are as distant as America and Australia.. Although they're both part of the underground, both groups don't really care for each other. Warez people like hackers, but hackers don't really care for software pirates because they're viewed as (1) Thieves, who have nothing better to do than rip off software companies, and (2) They possess little intelligence (or their acts require little intelligence) as it doesn't take much brainpower to upload and download files... Hackers view intelligence as a very important tool, and they often get a bit arrogant towards people who may not be quite so knowledgeable.

* I'd like to point out 1 fact at this point.

(1) Software Piracy technically is not even illegal! Despite what everyone has been brainwashed into believing, the law very clearly states, pertaining to copyright infringement, that it is only a crime IF you make a profit [or can potentially make a profit of ($1,000 or over) from your crimes.] This is exactly why video stores who sell bootleg copies of pirated tapes are always getting arrested (especially here on Long Island, check the NY Newsday archives.)
That also explains why, out of the 15,000 pirate boards in the United States... not once has any of them been raided and, more specifically, the SysOps convicted. Provided that the software that you provide is not sold and is given free, then you are not committing a crime.. Those cute little "FBI Warning" notices at the very beginning of ALL videotape movies cleverly forget to mention the fact that it's not an actual crime to copy unless you make a profit from said action.

* Copyright infringement however is a civil crime, and you can be sued for possessing illegal copies of pirate software. Most people however have still been deluded into believing that software piracy is a crime because of what they read on the Internet... Unfortunately, all the people that have been feeding this line of bull are not lawyers, and probably have never actually looked the law up. In the past Congress has tried many many times to add a provision to the bill to make copyright infringement a crime, but it has failed simply because that would have the most massive implications.. If we were to arrest everyone who had committed copyright infringement, we would have practically arrested everyone in America.. I'm not just talking about software.. I'm talking about all the 400 million people who make photocopies from books (perhaps such as you while you're doing this very report!) Before you judge software pirates too harshly, you should also take a look at yourself, and ask yourself... While doing this research paper.. Did you copy that library book? If so then you violated copyright laws.. Should we put you in jail for that?

* [See the copy of U.S. Law that I have enclosed pertaining to Copyright laws....]

(4) Generic Scum & Thieves

[a] Industrial/Military Spies / Industrial Espionage-

This is the most fanciful of all fields as portrayed by the media..
The number of hackers who are actually industrial thieves and have money as a motive in mind is far less than 1 percent, and the number of people who are military spies and are traitors is actually far less (.0001 percent). There have only been maybe 1 or 2 cases where a person was convicted of trying to steal military computers,... and those people were not even Americans [author note: read "The Cuckoo's Egg"] (although they were still hackers per se). The media often falsely portrays American kids as the perpetrators of these crimes. Even when American kids manage to break into military computer systems (as happens quite a bit)... they have absolutely no intention of selling the information to "the Russians".. that's just utter nonsense.. Kids just get a kick out of being smart, and being able to defeat the United States government, who has all these multi-million dollar computers and security procedures.

[b] Generic Petty Thieves-

Petty thieves should not be associated with real hackers either.. There are always going to be people who steal, and it doesn't matter how you do it really; a thief is still a thief, and these people don't deserve to be called hackers. Examples of petty thieves are people who do credit card and calling card scams... They generate fake credit card numbers using a special computer program which comes up with valid numbers based on a specific algorithm, or they rip off credit card receipts from the trash at the local gas station, or they may even (but rarely) break into computer systems such as TRW, and other systems that maintain credit card numbers, and steal loads of valid numbers, and then they order stuff by catalog from the mail using those credit card numbers. The newspapers often call these people hackers, but I hardly think that digging through the trash or using a computer program to get valid CC numbers is hacking.
There was a recent case in NY Newsday detailing the arrest of 3 brothers and 1 friend, who used a computer program to do the aforementioned.

[c] Malicious Hackers-

Malicious people are a specific breed of spiteful, hateful person. These people are usually and quite literally sociopaths who have no feelings of guilt after doing something wrong, and quite often they get a "kick" or "rush" from doing something evil. Examples of such people are persons who would gain access to a system, and then erase all, or part of, system files just for the fun of it.. Another example are people who release virii and trojan horses and worms WITH the intention of these programs destroying or damaging computers.

NOTE: People who write virii, or trojans, or worms, are not necessarily malicious.. Writing virii is an extremely legitimate field, and it is something that most people don't even know is practiced by many professionals who study different types of viruses. Also, not all viruses are "bad". Some viruses are actually designed to help your computer, and they possess AI (artificial intelligence) and will help maintain your system (perhaps by cleaning up and archiving old files or temporary files, etc..) The key is... what a person intends to do with the virus once he creates it. Objects (programs/guns) should never be viewed as evil.... It's the people that use such objects for destruction that are to blame.

----------------------------------------------------------------------
(2) A DESCRIPTION OF CRIMES THAT OCCUR ON THE INTERNET.
----------------------------------------------------------------------

---------------------------------
 System Break-In Percentage Rate
---------------------------------
Educational Institutions                (75%)
Internet Providers                      (22%)
Corporate Systems                       ( 2%)
Military Systems                        ( 1%)

---------------------------------
Actual "Crimes/Offenses" Committed
---------------------------------
Software Piracy                         (70%)
General Exploration                     (20%)
User Spoofing                           ( 5%)
Packet Sniffing                         ( 2%)
Industrial Espionage                    ( 2%)
Viruses/Worms/Trojan Attacks            ( 1%)
Military Snooping [by hobby hackers]    ( 1%)
Military Espionage                      (.01%)
Packet Spoofing                         (.01%)
---------------------------------
Reading of Users' E-Mail                (15%)
---------------------------------

[Approximate rough values based on my experience as a hacker and as a security consultant dealing with industrial and corporate security matters.]

SOFTWARE PIRACY:

Warez makes up about 70 percent of all computer "crimes". Software piracy [also referred to as warez] (the act of copying software and distributing it to others so that they do not have to pay for a copy) is the only true "crime" that occurs on the internet. In fact it is very common, but it should be noted that computer hackers DO NOT! steal software... that is NOT what a computer hacker does... Software thieves are officially referred to as "software pirates", or more informally in the computer underground they may be called "warez dudes", and they should not in any manner be associated with hackers.

[In fact hackers HATE software pirates because all they're interested in is ripping off software... Hackers are interested in learning everything they can and exploring!]

* The very first thing I need to point out about software piracy: while it is the most widespread "crime" on the Internet (or even on local bulletin board systems)..... IT TECHNICALLY IS NOT A CRIME!
95 percent of the people who run their mouths off about illegal software and pirates do not even realize that software piracy is NOT an actual crime for which you can be arrested. (People have been arrested in the past for this, but they were eventually released, to the embarrassment of the prosecutor, when the DA found out that it's not actually a crime)... Rather, software piracy is a civil offense. Under current copyright laws, it is not illegal to copy and/or distribute software or videotapes unless you make a profit of $1,000 or more from your misdeeds. You can however be sued by the software companies for making copies of the tape without permission.

* Second, I would like to point out some rationale as to why software pirates freely distribute software. There is a lot of debate about software companies being rip-offs, and overcharging for worthless products, etc.. etc.. Hey, everybody hates the software companies (well, some software companies are bigger rip-offs than others...). The whole debate about getting back at software manufacturers is a smokescreen.... It's just statements made by a few immature people, who feel that they need to get back at these software companies because they feel they're being taken advantage of.. The REAL reason pirates trade software is the same reason that everyone else trades legal (shareware/freeware) software, and it's the same reason that there are 20,000 plus ANONYMOUS FTP sites on the Internet. Basically, the whole purpose of software piracy is simply to share with each other. The computer community is like no other community in the world. People go out of their way to help other people. [Hence that's why I'm giving you this big article.. 'cause I like helping and sharing.] Sharing and helping is what the computer community is all about. So while it may not exactly be ethical to copy software, you should keep in mind that when a lot of people do copy commercial software, they do not do it to be malicious bad guys...
they simply do it because they want to help the other fellow out. Hey, face it.. this is reality.. we can't all afford a $700 Word Processor which we need to do our college term papers.

* We should not all be so hypocritical about things that we don't understand. As stated, first off, it's not even a crime, therefore people have no right to run their mouths off about these evil software pirates breaking the law, when in reality there is no law against software piracy... Whether there should be a law against them is another story. Personally I say it should be illegal, but facts are, at the current time, that it's not.. The law is currently under review and several senators have tried to propose bills in Congress which would make copying software a misdemeanor, but attempts at passing that bill have so far failed.

* As stated again, people need not be so hypocritical. These very same people who complain about software piracy probably have an unregistered (illegal) cable box in their home (it is estimated that there are 50,000 illegal cable boxes in the NY area), so these very same people who complain about computer network crime because they read some sleazy half-truth newspaper article conveniently overlook that they too are committing crimes.. Most everybody commits one form of crime or another (and cable boxes are a perfect example.. So many people have them that it's not even viewed as a crime anymore).

|----------------------------------------------------------------|
| Software Piracy Statistics: (VERY ACCURATE FIGURES)            |
|----------------------------------------------------------------|
|# of Pirate BBS's in NY State.   | 300 BBS's                    |
|Value of Pirate Software in NY   | 2,400,000 Dollars            |
|----------------------------------------------------------------|
|# of Pirate BBS's in the U.S.A   | 15,000 BBS's                 |
|Value of Pirate Software in USA  | 120,000,000 Dollars          |
|----------------------------------------------------------------|
|AVERAGE value of pirate software | Approx. 8,000 Dollars        |
|on each BBS                      | on each BBS.                 |
|----------------------------------------------------------------|
|# of Pirate Sites on I-Net (U.S.)| 300 BBS's                    |
|Value of Pirate sftwr on I-Net   | 1,200,000 Dollars            |
|----------------------------------------------------------------|
|AVERAGE value of pirate software | Approx. 4,000 Dollars        |
|on each Internet site            | on each site.                |
|----------------------------------------------------------------|

[You may quote these figures if you wish, as they are very accurate.. I base my statistics on experience from having been on most of the pirate boards in the past in NY.]

* As you can see by the statistics, which are quite accurate in my opinion (at least as far as the number of actual Pirate BBS's.... the $$$ figures for each board vary however and it's hard to calculate).. Some pirate boards only have $2,000 in commercial software, others have close to $70,000!!

* THE MOST IMPORTANT NOTE THAT YOU SHOULD MAKE.... is the fact that pirate software is almost non-existent on the Internet when compared to private dial-up BBS's... The whole song and dance about the Internet being a breeding ground for pirate software is the biggest farce (or outright lie) ever to be told. When you compare the statistics, you will note that the Internet only has approximately 1 percent of the pirate software.. the other 99 percent is on private BBS's. In addition, Internet pirate sites have much less pirate software on the systems. Internet pirate sites rarely have more than $4,000 worth of software on each site, and these sites close down nearly as soon as they go up..
While on private (dial-up) BBS's the average amount of software ranges from $7,000 to $70,000!

* [ See the copy of United States law that I enclosed at the ]
  [ lower portion of this article, stating copyright laws...  ]

GENERAL EXPLORATION:

Hobby hackers are responsible for the largest amount of hobby hacking, which makes up about 20 percent of all computer "crime". Hobby hackers include about every user who has used the Internet.. Many of us have sat down at our Internet terminal server and were bored and wanted to find some new stuff to read, or satisfy our curiosity, so we started telnetting and FTP'ing to various sites, such as military, government, and national labs, and educational institutions, etc.. Even with sites that have anonymous FTP logins, it is still considered a form of hacking since your intent is to explore and look around, and learn, which by the dictionary definition is exactly what hacking is.

* Common sites for hobby hackers to explore are educational institutions. Many people will call up as many colleges as they can and see what they can get for files, or if they can get in. People also commonly call government sites, many of which have anonymous FTP, but hobby hackers occasionally like to see if they can get into any hidden directories so that they can get at the good stuff (which they rarely ever find; it's more the curiosity that is the exciting part!).

* Other common sites are military bases and command centers. Many have anonymous logons, so that other branch members can call the system with as little hassle as possible. Hackers often explore these systems, and almost never find anything of interest except a bunch of boring military junk which is almost worthless unless you're in the military. Most "hackers" log on, search files and log off, seeing that there's nothing there but bureaucratic bubkas.
MILITARY GENERIC SNOOPING:

Hobby and casual hackers breaking into military sites (or simply trying to FTP into them) makes up less than 1 percent of all computer "crimes". This isn't military espionage, nor is it hacking.. 95 percent of the time, this so-called crime consists of a 14 or 15 year old playing with the Internet, seeing if he can connect to any "cool" sites so that he can play with the information. ALSO, 99 percent of military sites are not classified, and anyone who thinks that a 15 year old can hack in and get classified information is a stupid fool who has been brainwashed by the media. I was in the military and I'm well aware of the security procedures required on computer sites, and I have personally witnessed such "break-ins" by kids, while in the course of my work in the Navy.. 99 percent of the time, the kids log in, check the directories, read a file or 2, see that all this military stuff is actually very boring, and they'll log out, no harm done.

* System admins at military sites could care less about these casual intrusions... It happens all the time, and they realize that most of the time it's just people trying to find some interesting files by FTP.. The only time that sysadmins get worried is when hobby hackers start doing dial-throughs and connecting via telnet or ftp to other military sites and start searching for keyword files. Of course hobby hackers never find any classified info because it is not on standard military dial-in systems; it is on a very secured and separate server at the site, sometimes only accessible locally.

USER SPOOFING:

User spoofing is the third most common "crime" among hackers and makes up about 5 percent of all "crimes". User spoofing falls into the realm of hobby hacking, but is a bit more devious and can be performed by pro hackers as well as malicious hackers. User spoofing in itself is actually pretty serious, but it all depends upon what the hacker's intent is when spoofing.
* User spoofing is when a hacker uses another person's account by obtaining a user's password through various means.

* User spoofing is commonly practiced and is touted by amateur hackers as a way of showing how weak most UNIX and Internet systems are. It is a piece of cake to obtain users' passwords on almost all UNIX systems with poor security. How is it done? Simply by downloading the password file, which in UNIX is a publicly available document that most sysadmins don't "shadow" like they're supposed to.

* The users' passwords however are not in "cleartext"; they are encrypted with a one-way-hash algorithm known as Crypt(3) which uses DES. The hackers then run a special commonly available program that will "crack" these one-way-hashed (encrypted) passwords, and they'll come up with valid users' passwords provided that the passwords are in the dictionary. Random passwords can't be "cracked".. Usually an attack like this would yield 20 - 30 percent of the passwords for all the users! On a large system, you could very well obtain 200 passwords! I recently was testing the security on my host system, and I was able to crack over 275 passwords for 275 different users.

* User spoofing is usually not meant to do any harm. A lot of times, hobby hackers will only obtain the password lists simply to prove that a site is vulnerable. Occasionally these password lists may get distributed among the computer underground, or may even get distributed to the sysadmin himself, or to everyone's mailbox. Hobby hackers do this as a way to get everyone's attention, and to say.. "Wake up.. this system is NOT secured" "your account and your privacy can very well be in danger". When you see your user_name and password in a cracked password file in your mailbox, or posted on the system, you can be damned sure that you'll get one big wake-up call, and you'll instantly realize just how important computer security and choosing good passwords are.
Too many people neglect this fact, and it is these ignorant people whose accounts get violated by devious people. If not for the efforts of the good/decent hackers making everyone aware that the system has poor security, you could very well have been a victim of a hack attack.

* A pro hacker may use another person's account with somewhat honorable intentions so long as he only uses that account to perform his security cracking. It is never acceptable to snoop around in the other person's account, running up a bill (if there is one) or reading personal e-mail; that's despicable and no real cracker would ever do that. It is generally frowned upon to use somebody's account unless you absolutely have to in order to test security.. A pro hacker testing security will not use a person's account just for the sake of having a free account.

* The general hobbyist hacker is actually more likely to be nosy and maybe read your e-mail, but that's up to the ethics of that person. Most hobby hackers will simply log on to see if they really hacked your account, then will log out; they really don't care about you or your account and mean no harm.

* Malicious hackers... There are a few malicious hackers who have the intent to use your account without your permission so that they can do evil things such as run up your bill, destroy your files, read your personal mail, leave you nasty notes claiming that you've been hacked, upload virii, etc.. These scumbags are extremely rare and make up only about .05 percent, if not less, of all the accounts that are hacked.

* If you want to try this out on your system for research purposes (and I will point out that this is PERFECTLY LEGITIMATE! as the password files are SUPPOSED to be publicly available, so you can't get in trouble..)
At the C shell prompt (%); or Bourne/Korn prompt (@) type:

    % cd /etc
    /etc % cat passwd | more

        OR

    % cd /etc
    /etc % ypcat passwd | more

By typing in either set of commands (try both on your system, as one of them might not work; it all depends upon the type of unix system that you have), you will see a list of users' "encrypted" passwords be spewed out.

SYSTEM CRACKING: (Real/Hobby Hackers / Security Professionals)

System cracking goes a bit beyond hobby hacking, and may, although not necessarily, include a bit of creative trespass.. Most often system crackers don't need to log on to other systems. Most of the time (approx: 90 percent) they have legitimate access to the system but seek to explore it, to get to know UNIX commands or VMS, or Multics commands better, etc.. as well as the directories, and how the O/S works.. UNIX isn't at all like DOS... It's a lot more complex, and many people are fascinated with it. Most people, including hobby hackers, will quite often try to expose the various security flaws in the system, merely for the fact that it helps them understand the system better. It does not imply that they have evil intentions. Learning about a system is perfectly legitimate, so long as you have authorized access to that system. There's the old saying of: "why does man climb a mountain... because it's there".. Why do people find security holes? Because they're there, and that is simply that! Without these security holes being discovered, technology would never progress, and we would proverbially be stuck in the dark ages..

* Admittedly system administrators do not always like it when their users try to gain unauthorized privileges. Most of the time these system admins are extremely insecure, and it is probably these systems that need to be tested for security weaknesses because the sysadmin is that afraid. It is never the answer for a SysAdmin to turn a blind eye to security holes and pretend that they don't exist..
Not dealing with the situation never solves anything.

* As for the ethics of cracking a system... that is of course very debatable, and depends on a wide variety of factors. If you have access to a system legally, and it is a "public" system, or a system which you are paying for, you should have every right to explore it, as far as you can without going past the line of exploring. If you are paying $20 to $50 per month for an Internet account, then you have every right to use that Internet provider's system any way you see fit. (Most I-net providers do not have any legal disclaimers which say you can't use the system for this and that, etc..) There is no rule or law that says that you have to use your Internet account simply for Internet purposes such as Telnet, FTP, Newsgroups, etc.. If you simply want to learn UNIX, and explore the various directories and commands on that Internet provider's system, then you have every right to do so as you're paying for the system usage. You also have every right to find security holes and glitches on your Internet account, so long as you're not using anyone else's account.. That is definitely within your right, and that is what hacking is about... It's a learning experience, and it is totally legal! It is also very common to ask a system administrator's permission to hack. Most will grant your wish with great amusement, thinking that this user will never be able to crack his security.

If you don't have access to a system, such as when you dial into the system via dial-in, telnet, telenet, ftp, tymnet, milnet, mitrenet, sypernet, internet, etc.. and attempt to hack the system, then that is a different story. At the very least, it is trespass, a minor nuisance, but if a hacker gets in and takes proprietary information, then that should raise some concern, as no one wants to have their private system (and privacy) violated.
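Added example (not part of the original article): a check an administrator can run for the exposure described under USER SPOOFING above, reporting which accounts in a passwd-format file still carry a readable crypt(3)-style hash or no password at all. The function names are hypothetical and the sample entries are constructed; the "hash" strings in them are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not from the original article. All names are hypothetical;
# the sample entries are constructed and the "hashes" in them are
# placeholders, not real crypt(3) output.

# classify_passwd FILE
# Prints "<account> <status>" for every entry of a passwd-format file:
#   SHADOWED  field is "x": the hash is kept in a separate, restricted file
#   LOCKED    field is "*" or begins with "!": no password can match
#   EMPTY     field is empty: the account can be entered with no password
#   DES_HASH  13 characters from [./0-9A-Za-z]: traditional crypt(3) format
#   MOD_HASH  begins with "$": modular crypt format ($id$salt$hash)
#   OTHER     anything else, left for manual review
classify_passwd() {
    awk -F: '
        /^[ \t]*$/ { next }                      # blank line
        /^#/       { next }                      # comment
        /^[+-]/    { next }                      # NIS compat inclusion entry
        NF < 7     { print $1, "MALFORMED"; next }
        {
            pw = $2
            if (pw == "x") {
                status = "SHADOWED"
            } else if (pw == "*" || substr(pw, 1, 1) == "!") {
                status = "LOCKED"
            } else if (pw == "") {
                status = "EMPTY"
            } else if (substr(pw, 1, 1) == "$") {
                status = "MOD_HASH"
            } else if (length(pw) == 13 && pw ~ "^[./0-9A-Za-z]+$") {
                status = "DES_HASH"
            } else {
                status = "OTHER"
            }
            print $1, status
        }
    ' "$1"
}

# exposed_accounts FILE
# Prints the accounts whose hash is readable by anyone who can read FILE,
# plus the accounts that have no password at all.
exposed_accounts() {
    classify_passwd "$1" |
        awk '$2 == "DES_HASH" || $2 == "MOD_HASH" || $2 == "EMPTY" { print $1 }'
}

# write_sample FILE
# Writes a constructed passwd-format sample covering each status.
write_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:ab0123456789A:1001:100:Alice:/home/alice:/bin/sh
bob:*:1002:100:Bob:/home/bob:/bin/sh
carol::1003:100:Carol:/home/carol:/bin/sh
dave:$1$saltsalt$PLACEHOLDERPLACEHOLDER:1004:100:Dave:/home/dave:/bin/sh
erin:!cdXXXXXXXXXXX:1005:100:Erin:/home/erin:/bin/sh
+::0:0:::
EOF
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
echo "Status of every account:"
classify_passwd "$sample"
echo "Accounts to fix (shadow the hash, or set or lock the password):"
exposed_accounts "$sample"
rm -f "$sample"
```

On a real host, pass /etc/passwd to classify_passwd; on a NIS system, save the output of `ypcat passwd` to a file and pass that file instead.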
THE BIGGEST FACTOR in hacking, and in great debate among most hackers, is when is it permissible to hack, or should I say, what systems is it ethical for you to hack... There are 5 main types of systems:

(1) Private BBS, etc (individual owned)
(2) Corporate
(3) University/College
(4) Government/State/Federal/Town/etc..
(5) Military

[1] Almost all but the sleaziest of people will admit that hacking into a private computer is quite unscrupulous. This is just something you don't do... This is a person's private computer, with private files, and private thoughts and ideas, and proprietary data. It's not ethical to be a snoop.

[2] Corporate: this is a very debatable area.. Corporate systems are usually thought of as fair game... Many hackers feel it's unethical to hack into corporate computers as they are private, in terms of it's a private business and you have no right to be in their system, plus most hackers don't enter corporate systems because they don't want to be branded with the stereotype of being a sleazy industrial thief (although just entering a corporate computer doesn't make you an industrial thief so long as your sole purpose is to just crack security, and not take any information, or more importantly, NOT to sell it). Some corporate systems are fair game, especially the big mega-companies that everyone hates.. The ones that bring in 200 million dollars per day. Very few people have sympathy for these robber baron companies (nor do I).

[3] Universities and Colleges are definitely fair game to any hacker. As far as the hacker community is concerned colleges are public domain... hell, we pay taxes.. My tax dollars help to support that college, therefore the info on that system is open to public record.

[4] Government/State Agency/Town computers etc.. are likewise game/fair target... although perhaps not as much as the colleges... Colleges should be free repositories of information, but state/government computer systems do need their privacy.
Personally, my feeling, shared by many people, is that we pay taxes, and these are public systems which we feel we have a right to use as taxpayers. I am not saying that we have a right to steal all the information, and sell it, or disclose private/secret government or town records, but simply to use or explore the system, and even to test its security, and all info obtained should be kept private by that individual.

[5] Military systems: another target of casual and pro hackers. Normally people feel it is best to stay out of military systems, but that is only out of fear of government reprisal. Most people feel that military systems are public domain, and I feel very strongly about this also.. My tax dollars help pay for all these wonderful supercomputers, and super government databases, and I should have a right to use said systems, or at least check them out or test security. So long as all information obtained is kept private and not released, then you're committing no real crime (or none that should be a crime).

INDUSTRIAL ESPIONAGE:

Industrial Espionage is the act of stealing or copying corporate secrets such as software, source code, plans, diagrams, prototypes, models, thesis papers, research papers, etc.. with the intention of selling said stuff for profit. Simply getting the aforementioned items from a computer system does not constitute Industrial Espionage... you must have the intent to sell the items. Simply taking the information for your own benefit is simply stealing.

Less than 2 percent of all computer crimes includes Industrial Espionage.. The fact is that real Industrial Espionage does not involve computers or hackers at all. It involves current or ex-employees who steal their own company's secrets and sell them to the competition or the highest bidder. [case example: IBM and the Adirondack books...etc.. etc..]
Breaking down the topic of Industrial Espionage further, you will find that only 2-5 percent of said espionage is committed by computers; the remaining 95-98 percent are by employees. [Those stats are from my experience as a security consultant, and through various trade papers].

VIRUS/WORMS/LOGIC BOMBS/TROJANS:

VIRUSES-

* Viruses, worms, and trojans are actually quite a rare occurrence on the Internet. This topic is greatly hyped up by the media and is severely blown out of proportion. Viruses however are a problem on private dial-up BBS's and make up about 95 percent of the world's viruses.

* Although most viruses start out being on the Internet and are passed around legitimately among virii developers, and they often originate from other countries and are FTP'ed into sites in this country, the viruses are rarely activated, so to speak, on the Internet. People on the Internet seem to be a bit smarter than those in the private BBS world, and they realize that virii are bad if spread.

The second most famous Internet case was the Pakistani Brain virus that spread rapidly throughout the Internet in 1989. The program was developed by 2 engineering students in Pakistan and was sent over the Internet to America. The authors of this program actually meant no harm, and they even had their name right inside the virus, and it had a message which stated: contact us for instructions on how to de-activate this virus. Apparently, this was some sort of experimental virus that was released but was not supposed to cause any damage, but apparently the programmers made a slight error that made the virus a bit more dangerous than intended.

WORMS-

There have only been 5 or 6 major cases of a virus being spread rapidly across the Internet. The most infamous of all (but by far NOT the most damaging, just the most hyped up by the media) was the "Internet Worm" created by Robert T. Morris, son of Bob Morris who worked for Bell Labs, and then later the NSA. Robert T.
Morris was obviously caught (thusly we know his name) because he placed his initials into the virus source code (although his initials didn't actually display.. a developer had to disassemble the machine language program into assembler and then would find out how the program worked). This worm possessed a bit of intelligence, and was actually able to crack into computer systems by using the SENDMAIL flaw, and the unshadowed passwords technique, to crack the accounts of legitimate users. Robert T. Morris was caught by being tracked down through the network. It wasn't easy, but he was traced through various computer systems, to see who the original sender of the file was. The trace came back to an account of Morris's friend. Apparently Morris borrowed his friend's account to release the thing.

Originally it was supposed to be a legitimate experiment and the worm was only supposed to expose security flaws in systems, and enter those systems to prove their vulnerability, but it went a bit beyond that, to the point of mischief, to the point where the programmer realized that the worm was much more powerful than originally intended. That is one of the major problems with viruses. Originally they're created as harmless experiments, then when they're released, they're more powerful than the author realized, so much that they're out of control and spread rapidly.

This worm was originally claimed to have cost Hundreds of Millions of dollars in damage, but after several years, when the real facts came out after the media got its filthy hands out of the situation, the real facts were that only $50,000 in damage was caused. Most of the damage was not even physical, but merely lost time and manpower.

LOGIC BOMBS-

Logic Bombs are the same as viruses, but the only difference is that logic bombs have a trigger mechanism, and only activate when the trigger is activated. The trigger can be anything, and is up to the author's imagination.
A device can trigger on a certain day such as a holiday, it can activate when you turn your computer on exactly X number of times, or X number of times within a certain period of time, etc.. etc.. the possibilities of trigger mechanisms are endless. One can even make a logic bomb that will shut the program down if the program is an illegal pirated copy, or if the program wasn't fully paid for.

An example of a logic bomb may be one set by an ex-employee, perhaps disgruntled. He could set a logic bomb in a computer to activate on a certain day, and the bomb could modify the business accounting and give everybody a nice $10,000 bonus.

There was even a recent case of a software developer who routinely placed legitimate logic bombs in his custom developed software which he wrote especially for the company that he was working for. If the companies decided to rip this developer off and be cheapskate deadbeats by not paying the bill in full to the developer, then the logic bomb would activate and shut the system down permanently with a message that says something to the effect of: "Pay me my money you stinkin' deadbeat or you dont get to use my software". Personally, I feel that the latter is an example of a legitimate virus that developers should be allowed to install to protect their interests.

TROJAN HORSES-

Trojan horses are very much as their name implies. If you're familiar with Greek mythology, of the horse that had a hidden surprise, well, the same applies here. A trojan horse is a program which appears legitimate and may interact with the user but holds a hidden surprise. Usually Trojan horses are totally harmless (usually) and are used very often by hackers to penetrate security.

An example of a trojan horse for hacking is a program that looks like a normal login computer screen where you type in your name and password.
This program will load up before the real login program and will ask the user for his username and password; it will then store these passwords in a logfile which only the hacker knows about. After the program collects your password, it will usually give you a phony message such as "wrong password", "password incorrect", etc.. and most people will simply think that they typed in the wrong password by accident. The trojan then shuts down and activates the real login program, and the user logs in again, and nobody is the wiser.

DATA INTERCEPTION:

Data interception is an advanced form of surveillance, as well as a method of advanced hacking depending upon the intended application. Data interception is the process of tapping into a line, whether it be a telephone line, or a LAN/WAN or Internet connection, and filtering out a specific intended piece of data, whether it be voice, fax, modem communications, or data packets.

* Using data interception, a hacker may gain system passwords by observing what the target types into his computer and what gets transmitted over the line, or he may intercept a whole data packet with the intent to steal that information, as it may have a certain value. It could be the latest corporate financial secrets, corporate technical secrets, private e-mail, files, manuals, anything!!

* A slightly more devious approach might entail intercepting data, and modifying it with bogus information, then retransmitting it, with the intent to deceive the receiver. This is why Kerberos authentication, smart cards, and other forms of authentication and verification are necessary.

PACKET SNIFFING:

Packet sniffing is very similar to "data interception", however the term is slightly more refined, and refers strictly to intercepting computer data packets over various kinds of networks. This packet sniffing can search for key words that may interest the perpetrator, whether it be information, or passwords, or ID Codes.
* In order to packet sniff, a user uploads a special program written in a low-level language which accesses the computer's memory, buffers, etc.. and searches for key words. Examples of a few packet sniffing programs are: NETFIND, ETHERSNIFF, NFSWATCH, SNOOP, LanPatrol, NETMON, ETHLOAD, ETHERMAN, and ETHERFIND.

PACKET SPOOFING:

Packet spoofing is one of the most advanced forms of hacking. Packet spoofing is related to the 2 aforementioned topics: "data interception" and "packet sniffing". Packet spoofing is the actual process of intercepting and/or re-routing a data packet from a network, and then either:

[a] pretending to be the authorized user (the sender) by dropping into the data transfer in real time, using the sender's real authentication or identification information, then logging into a system under the victim's account.

[b] actually there are many advanced forms of packet spoofing, each with a slightly different purpose.

On the Internet, packet spoofing is known as "TCP/IP" or "IP" spoofing, which is named after the Internet Protocol standard used by the entire Internet system. LAN spoofing uses slightly different protocols for tapping and spoofing data.

PIGGYBACK ENTRY:

Piggyback entry is the process of entering into the account of another legitimate authorized user while they are away from their terminal. This can be done either remotely, via data tapping into the LAN connection and identifying the user's port connection, then using the account while the authorized user is away from his terminal, or can be done at the actual terminal where the user is seated. One should never walk away from a computer terminal without either suspending the account so that it can't be activated by a snoopy user walking by the terminal (many LAN programs have temporary lock-out software which lets you take a coffee break while still remaining logged in)...
or the best solution is simply to hang up and re-establish the connection at a later time when you are back at your terminal.

MILITARY ESPIONAGE:

Military espionage is quite often carried out by the very people who are entrusted by these agencies to keep this information secret. Case after case can be documented throughout the years of how government employees have stolen top-secret information and sold it to foreign powers (usually the Russians). 3 cases in point:

(1) The Ames case, a top ranking CIA official gets nabbed stealing government secrets and selling them to the Russians.

(2) The theft of nuclear secrets which were sold to Russia during the mid 1950's. I believe that was known as the "Roswell" case.

(3) Various CIA & NSA employees over the past 50 years have been arrested for espionage. Of course these cases were discreetly hushed up so very few people ever learn about them.

The NSA and other government agencies should stop crying "hacker", and they should worry about their own affairs, and keeping their employees from turning traitor.

READING OF USERS E-MAIL:

One of the most unethical acts in the world of computer networks is not done by a hacker or software pirate, but rather by a "friendly" System Administrator. System Admins have long been notorious for totally disregarding the privacy rights of the system users and routinely reading all of the users' personal electronic mail. While it is stated on most systems that the e-mail is not actually private, and system admins have occasion to enter e-mail if it is justified in the case of maintaining the system, all too often (95% of the time) system admins just read through the users' mail for the hell of it. I have worked for several commercial bulletin board systems, and Internet providers in the past, as well as for several major companies, and I can say from experience that this massive invasion of personal privacy is far too common.
----------------------------------------------------------------------
(3) METHODS USED TO DETER SNOOPERS.
----------------------------------------------------------------------

[a] ISOLATION-

The best way to deter snoopers, thieves, hackers, telephone phreaks, curious passers-by, etc.. has always been to implement a policy of isolationism on a computer network, whereas the computer network is not physically connected to the outside world; that way no one can get into the system. And even if the computer system has a line connecting to the outside world, it should only allow outgoing calls, or if the transmission is allowed both ways, then only 1 or 2 incoming lines (nodes/ports) should be used, and both should be closely monitored.

* Isolationism was practiced quite successfully for several decades by high-level military bases, nuclear weapons labs and facilities (Lawrence Livermore National Labs, Rocky Flats nuclear processing facility, and even the NSA to a small extent, etc..). While network isolation proved quite successful in keeping people out, it unfortunately did not provide any real protection other than as a placebo to make people feel better. The real hard facts are that a network is only as secured as its users, and in 98 percent of the documented cases the perpetrators were NOT computer hackers, but an "inside man".

* Isolationism is a dead technology now. It still remains among the best at keeping out intruders, but in today's modern society where the entire government is entirely networked (or it will be totally networked down to every last agency within the next 10 years), isolationism is just not a realistic practice.. These government agencies have grown too big, and they can no longer do things the old-fashioned way (that being to securely transport documents by paper using snail mail (postal mail)). The same goes for corporations and scientific laboratories.

* "The general consensus nowadays is that the benefits of isolationism are far outweighed by the convenience and vast amounts of information that can be gotten by networking".

[b] ENCRYPTION-

Encryption is the process of taking computer data and converting that data into a code that can only be read by the intended recipients who possess the key to that code.

* Encryption has been used for hundreds of years by private individuals to protect their communications with near 100 percent secrecy. However, the U.S. government (read: the NSA and primarily the FBI) is trying to outlaw the right to privacy by banning encryption. However, I won't get into this subject as it strays more into politics than discussion of hackers and computer security.

* Of all the forms of computer security, encryption has proven to be the most successful. There are 2 types of data encryption: (1) Hardware encryption.. (2) Software encryption.

[1] Hardware encryptors are expensive high speed devices which can encrypt voice, fax, or modem communications. These hardware encryptors are often utilized in high security situations such as in banks, as well as government and military use. These hardware devices are "hands off" devices. The user need not touch the device; it works all by itself. These devices, however, are out of the price range of ordinary citizens and cost in excess of $2,500 - $20,000. In addition the NSA has placed strict regulations on the selling and use of hardware encryptors (even to American citizens).

[2] Software encryption is freely available, and unlike hardware encryptors, American citizens are allowed to use any system that they choose to. (However, under State Dept. ITAR Regulations you cannot legally export cryptographic products without a permit) [with the exception of the DES algorithm which you may export to Canada].
Software encryptors can be used to encrypt your e-mail, computer files, and secret proprietary documents; even your entire hard drive can be encrypted. Software encryption can also be used to encode computer data in "real-time", such as conversations by modem (although a hardware encryptor is more suitable for that because it is faster).

* Software encryption can also be used to protect computer systems by providing various forms of "authentication and verification" [which will be described later in this article].

* It should also be noted that the government (read: NSA) has developed a system by which they rate encryption devices, and American citizens are not allowed to own encryption hardware that is too "powerful". The classes are as follows:

Type 1: Military Grade encryption for government, military use ONLY. (Canadian military may also use type 1 devices, as well as defense contractors who do classified govt/military work).
Type 2: These devices may be used by local law-enforcement.
Type 3: These devices may be used by ordinary citizens.
Type 4: Export version. Type 4 encryptors may be sold to Canada.

* Unfortunately, at the current time... Encryption is not a realistic approach to computer security. The cost of quality encryptors is beyond that of ordinary citizens, and the software methods of encryption are not suitable for professional applications such as protecting a network in "real time". The only real use of software encryption right now is to encrypt e-mail to keep it secret from the prying nosy eyes of the system administrators.

* The following institutions rely VERY heavily on cryptographic quality hardware to protect themselves from hackers and/or thieves or spies.

[1] Banking or Money Institutions rely extremely heavily on encryption hardware.
Things such as ATM transactions and EFTs (Electronic Fund Transfers) are sent encrypted via satellite, leased lines, and especially the TYMNET computer network (which is as big as the Internet, just not as well known). Advanced hackers have often sought the challenge of trying to defeat the complex EFT schemes used in the old days for the sole purpose of advancing security. Thanks to the efforts of these hackers, banking institutions are a bit wiser nowadays and encrypt almost all EFT data.

[2] Military and government are really the only other heavy users of cryptographic hardware. The reason that the aforementioned use encryption is quite obvious.

[3] Defense contractors that do classified government work and have government contracts quite often also use encryption hardware to foil information thieves and industrial espionage.

[c] COMPARTMENTALIZATION- Compartmentalization is an advanced method of securing a workplace. It is often used in situations where high-level confidential information is present, such as in the CIA and NSA, where classified information flows through different departments. Major "Fortune 500" companies are also utilizing compartmentalization to prevent industrial espionage.

* Compartmentalization is a combination of 3 techniques.

[a] All persons should be properly trained and given detailed guidelines and manuals, and occasionally take brainwashing classes where they are fed various forms of propaganda to the effect that all of the secrets (whether they be governmental or corporate) should be guarded with their life, and should never be stolen or copied without permission. Work should never be taken home. Your line of work, or the latest corporate strategy, should not be discussed with anyone, including your spouse and family, and especially you're not supposed to discuss work with your co-workers (from other divisions).
The purpose is to keep any one person from knowing the "master plan" (so to speak): each division goes about its business and performs its work, and each division does not discuss work or plans with the other divisions. Only a few high-level individuals will know the overall plan.

[b] All paperwork should be strictly kept in the appropriate departments and should not drift between departments.

[c] All computer data should be compartmentalized as much as possible. The computer should be broken up into groups, whereby each dept can only access the information from its own group. Only high-level gov't/corporate officials can gain access to the overall records of each dept. Normally, each department has its own separate disk space (different departments should NEVER share the same disk), and in a really secured situation, each dept may be on a totally separate computer system.

[d] FIREWALLS- Firewalls are pieces of software that a system admin places on his computer network which help to close up all the backdoors, and to cover all the exits so to speak, so that hackers cannot get into a system by exposing flaws.

* A firewall gets its name from the very principle of an actual firewall. A real firewall is kind of like a wall outside of a wall, which keeps the fire from entering the inner wall (or the hacker from entering the inner system). A firewall can also be likened to a front porch. A stranger can walk up to your front porch and knock on your door, but unless he meets certain requirements, he's not going to get into the inner system.

* A firewall is a program that you must enter, and you should meet certain requirements (by being positively identified) before you can enter the actual computer system. Being identified is known as "authentication" and is actually a whole separate process not necessarily related to firewalls, but the two techniques combined together provide powerful security.
* A firewall can actually let you partially into the system, whereby you would be between the firewall and the inner system, and you may do things such as anonymous FTP in a very restricted environment, which ensures that you only transfer files and don't try anything else tricky, like downloading the users' password file.

* The firewall monitors certain system activities very closely. The firewall program lets you enter the "front porch" of the computer; from that point you can execute a limited number of restricted commands [such as FTP and telnet commands]. Hackers often exploit the "front porch" of a computer to gain access to a system. Thusly the firewall keeps an eye on all people and monitors them to make sure that they're not up to any "monkey business". The firewall has special "filters" which will strip out certain data that the user may be uploading to the system in order to hack the system. Some of the things that a firewall may look for are:

  [a] Entering the system through restricted ports.
  [b] Writing and executing script files.
  [c] Uploading "trojan horses" or source code.
  [d] Trying to execute programs on the system.
  [e] Manipulating packet headers.
  [f] Uploading smart bombs.

* Some popular firewall programs are: BSD and SunO/S firewall, SIDEWINDER, NETCOM-1, DE Firewall Service, and TIS's Gauntlet Firewall.

[e] WATCHWORD GENERATORS- A WatchWord Generator is a special program that a system administrator adds onto his computer system to make it very secure, and also to defeat various hack attempts by methods such as spoofing and packet sniffing.

* A watchword generator is a program that consists of 2 parts: (1) a totally unique code book, which is given to every user and contains thousands of possible code combinations; (2) a watchword generation utility.

* The way the program works is as follows: A user logs onto a system. He is prompted for his login name and for his usual password.
If both are correct, then the watchword generator activates and prompts the user with a "challenge:" prompt. The challenge prompt has a 4-8 digit, seemingly random selection of characters. The user must then look in his code book and observe certain patterns in his book. He then obtains a "response" code from the book, and he enters his response at the "response:" prompt. If the response is correct, then the user is verified as the authentic user and is allowed to log on. (If not, then the system will prompt for a challenge/response pair 2 more times, then will hang up on the user if he fails.) The challenge/response is totally different every single time, so only the authorized user with the code book can verify himself by entering the proper response. (Every code book is unique, so merely possessing a code book will not grant you access to the system; you must possess the specific code book for the user whom you are trying to spoof.) This protects against an intruder logging onto the system using your password (should he be able to steal it via one method or another). The NSA and the NCSC (National Computer Security Center) use such a scheme to protect their DOCKMASTER computer system.

* WatchWord authenticators are insecure insofar as, if your code book is stolen, the authentication is useless, as the attacker will be able to log on to the system under your account (provided that he also has your actual password). This is not really a vulnerability though, because the same holds true for any system.

* Actually there are a variety of different types of WatchWord generator systems, and each one works a little differently. Some have huge code books, others have small tables that you do a calculation on, etc. But that's the basic idea.
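The challenge/response login described above, as an added example (not the DOCKMASTER scheme or any product's own code). It assumes the code book is a plain challenge-to-response lookup table, since the article leaves the "patterns" unspecified; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
MAX_TRIES = 3  # the first challenge plus "2 more times", as the text describes


def make_codebook(entries=1000, length=6):
    """Build one user's unique code book: challenge -> response."""
    book = {}
    while len(book) < entries:
        challenge = "".join(secrets.choice(ALPHABET) for _ in range(length))
        book[challenge] = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return book


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class WatchwordServer:
    def __init__(self):
        self._users = {}    # name -> (salt, password hash, unused code book entries)
        self._pending = {}  # name -> (expected response, tries left)

    def enroll(self, name, password):
        """Register a user; return the code book to hand over out of band."""
        salt = secrets.token_bytes(16)
        book = make_codebook()
        self._users[name] = (salt, _hash_password(password, salt), dict(book))
        return book

    def _issue(self, name, tries):
        unused = self._users[name][2]
        if tries == 0 or not unused:
            self._pending.pop(name, None)
            return None
        challenge = secrets.choice(sorted(unused))
        # Consumed on issue: a pair seen on the wire is never valid again.
        self._pending[name] = (unused.pop(challenge), tries)
        return challenge

    def login(self, name, password):
        """Step 1, name and password. Returns a challenge, or None on failure."""
        self._pending.pop(name, None)
        record = self._users.get(name)
        if record is None:
            return None
        salt, stored, _ = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        return self._issue(name, MAX_TRIES)

    def respond(self, name, response):
        """Step 2. Returns ("granted", None), ("retry", challenge) or ("hangup", None)."""
        if name not in self._pending:
            return ("hangup", None)
        expected, tries = self._pending[name]
        if hmac.compare_digest(expected.encode(), response.encode()):
            del self._pending[name]
            return ("granted", None)
        challenge = self._issue(name, tries - 1)
        return ("retry", challenge) if challenge else ("hangup", None)


if __name__ == "__main__":
    server = WatchwordServer()
    book = server.enroll("alice", "constructed-password")
    challenge = server.login("alice", "constructed-password")
    print("challenge:", challenge)
    print("result:", server.respond("alice", book[challenge]))
```

A stolen password alone gets an intruder only as far as the challenge prompt, and a challenge/response pair captured by a sniffer is useless afterwards because each code book entry is consumed when it is issued.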
[f] AUTHENTICATION AND VERIFICATION: SMART CARDS- These are devices that ensure authentication and verification, and effectively positively ID a user as the actual authorized individual and not an imposter who may have dropped onto the line by wiretapping, packet sniffing, or spoofing.

* A "smart card" is a cryptographically secured electronic device that contains various types of cryptosystems that are exchanged between the two recipients. Only the person in possession of the smart card can transfer data to the recipient. If a hacker/intruder/anyone breaks into a conversation, cuts one of the lines off, and tries to pretend that he is the other party, the smart card system will realize that the hacker is not the actual other recipient because the proper authentication codes are not being transmitted.

* Smart cards are usually the size of an ordinary credit card, and have a tiny integrated circuit (microchip) with a cryptographic algorithm and a key (secret unique password) built into it. The smart card algorithm is usually of the public key type (SEEK, RSA) along with a secret key algorithm (usually IDEA or DES).

* The smart card usually fits into a special card reader alongside the computer. The smart card doesn't use a magnetic strip like regular credit cards; rather it has a microchip along with a series of pinouts (card edge connector) that slides into contacts in the smart card reader.

* There are 2 kinds of authentication schemes:

[1] The card can simply be used as an access device that verifies that you are the actual intended user. Once you are verified, you are allowed to log on. This type of device is very similar to a WatchWord generator, only instead of a code book you have a smart card which generates the proper identification for you automatically once you enter the smart card into the reader. The problem with this method is its insecurity. It works great on a single-user computer to let you gain access to just one computer.
You are highly vulnerable on a networked system such as a LAN or WAN (or even on the Internet). The problem with this method is that after you are verified as the authentic user, a hacker could tap into the line using packet sniffing software, seize your line, and then continue the conversation with the host, pretending to be you.

[2] The more advanced smart cards are interactive devices that ensure authentication nearly the entire time that you are on-line. In this scheme, an initial public cryptographic key is exchanged between the user and server, upon which a secret key is exchanged. After the initial handshaking and key exchange protocols, the session of data transfer between the 2 recipients begins. The smart card encodes an encrypted ID# onto the data packet, and as that data packet is received by the other recipient, the verification software and smart card verify the authenticity of the received packet to make sure that it was sent by the intended user and not by an imposter who has broken into the line and may be trying to spoof the other user. The second recipient then takes the approved code, generates another encrypted ID# based on the first received code, and attaches it to a data packet which is routed through the network; the other recipient's software and smart card then verify the validity of the received packet, and the process continues back and forth until the session is over. To simplify the whole thing: basically, the ID#'s are encrypted and placed into the control packets, and a hacker could not realistically crack the encryption scheme and spoof (pretend to be) the other user.

KERBEROS AUTHENTICATION- Kerberos authentication is a popular modern system to ensure the ID of a user to a fair degree. It is not an ultra-secured system, and has many flaws, but it is currently coming into widespread use as a means to secure the Internet.
Although Kerberos is not the most secure system on the market, it does have 1 very big advantage, and that is compatibility. Kerberos is considered to be (or it will be soon) the de facto standard among almost all Internet-connected and LAN/WAN-connected systems. Kerberos software is readily available FREE via anonymous FTP, and many, many research papers and newsgroups discuss Kerberos.

* Kerberos works very similarly to a "smart card" based system, with the only difference being that Kerberos is a pure software system, while smart cards are hardware.

* Kerberos works by encrypting an ID code onto every packet of data in the network. Only the intended users can decrypt the ID code to verify its authenticity, and it is almost impossible for a perpetrator to forge a false ID code. Encrypted ID codes are passed back and forth with every single data packet, and each data packet is verified to have come from the intended authorized user, and not from a perp who tapped onto the network line and tried to send phony data.

* Kerberos, like most other authentication schemes, is only allowed to be used in the United States. The Department of Commerce and Department of State have outlawed the transport of cryptographic products, which is covered under ITAR Federal Regulations. (You can request a copy of the ITAR regs from the Department of State or the Dept. of Commerce.)

OTHER AUTHENTICATION SCHEMES- There are endless numbers of authentication schemes, but I do not want to get into a whole computer security thesis. There are things such as card access systems, voice print IDs, etc. But those devices are a bit esoteric and are only used on extremely secure systems, and don't really fall into the category of Internet security.
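The per-packet check described above for interactive smart cards and for Kerberos, as an added example that is not code from the article or from either system. HMAC-SHA256 stands in for the "encrypted ID#", the session key is assumed to have been agreed during the handshake, and the class and field names are hypothetical.

```python
import hashlib
import hmac
import secrets


class Endpoint:
    """One side of a session in which every packet carries a chained tag.

    Each tag is computed over the packet number, the previous tag and the
    payload, so it is "based on the first received code" as the text puts it.
    The two sides must take turns sending, as in the exchange described.
    """

    def __init__(self, session_key):
        self._key = session_key
        self._last_tag = b"\x00" * 32  # chain start, identical on both sides
        self._seq = 0

    def _tag(self, seq, prev_tag, payload):
        msg = seq.to_bytes(8, "big") + prev_tag + payload
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def send(self, payload):
        tag = self._tag(self._seq, self._last_tag, payload)
        packet = {"seq": self._seq, "payload": payload, "tag": tag}
        self._last_tag, self._seq = tag, self._seq + 1
        return packet

    def receive(self, packet):
        """Return the payload if authentic and in order, else None.

        A rejected packet leaves the chain untouched, so the genuine
        next packet is still accepted afterwards.
        """
        if packet["seq"] != self._seq:
            return None  # replayed or out-of-order packet
        expected = self._tag(packet["seq"], self._last_tag, packet["payload"])
        if not hmac.compare_digest(expected, packet["tag"]):
            return None  # forged or modified packet
        self._last_tag, self._seq = packet["tag"], self._seq + 1
        return packet["payload"]


def hijack_demo():
    """Constructed session: one genuine exchange, then three intrusion attempts."""
    key = secrets.token_bytes(32)
    user, host = Endpoint(key), Endpoint(key)

    first = user.send(b"list files")
    results = {"genuine": host.receive(first)}
    user.receive(host.send(b"notes.txt"))

    # Intruder who sniffed the line replays an old packet.
    results["replay"] = host.receive(first)
    # Intruder without the session key injects a packet with a guessed tag.
    guess = {"seq": 2, "payload": b"injected", "tag": secrets.token_bytes(32)}
    results["forged"] = host.receive(guess)
    # Intruder alters the payload of a genuine packet in transit.
    genuine = user.send(b"read notes.txt")
    results["tampered"] = host.receive(dict(genuine, payload=b"read other.txt"))
    results["genuine_after"] = host.receive(genuine)
    return results


if __name__ == "__main__":
    for name, outcome in hijack_demo().items():
        print(f"{name:14} -> {outcome}")
```

This is the gap the article points out in the simpler card scheme: a login-time check says nothing about later packets, while a per-packet tag makes a taken-over line detectable at the first injected packet.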
[g] PASSWORD SHADOWING: Password shadowing is a UNIX term which means that the password records are hidden and cannot be gotten at through the normal means, and are in a secured directory to which only root (highest security level) or the staff have access. Unfortunately, shadowing is not always effective, because users can gain root access through other flaws in the UNIX system; once they get root, they can look at the secured password files.

* Note that the passwd file in UNIX is publicly available to all users; it is located in the /etc directory and the file is called "passwd". This password file contains more than just passwords. It also contains user/account names, the user's home directory, the user's shell, password expiration dates (if any), the user's real name, and the user's group assignment. When passwords are shadowed, the whole passwd file is NOT hidden away in a secured directory. ONLY the actual hashed passwords are hidden away.

* Most systems today only shadow important password files, which leaves all the system's users vulnerable to having their accounts violated. This is the oldest problem in UNIX, and has been talked about for years. Any SysAdmin who does not shadow his passwords is a bloody ignorant fool. But the fact is that 70 percent of all SysOps DON'T shadow their password files (except for the important ones). That fact is barbaric and foolish by today's standards. SysAdmins have been told time and time again for the past 2 decades that passwords must be shadowed, and hundreds of thousands of accounts have been violated by this method, but people are plain stupid and they never learn their lesson. There may be legitimate reasons why some sysops don't shadow password files, such as that the system may have a lot of users and it may be too difficult to shadow all of the users, but quite frankly that is a very poor excuse for negligence in security.

[j] TEMPEST PROTECTION: TEMPEST (Transient Electro-Magnetic Pulse Emanation Standard).
TEMPEST is an extremely important advanced computer security topic. TEMPEST remains one of the most effective and dangerous forms of hacking to date. However, it is very high tech and is a big hassle, and is only used as a last resort, or when a person does not want to risk being detected. TEMPEST is a form of data interception surveillance. It is passive hacking in effect. The interceptor can see what you're doing but can't interact with the system; he only sees what you're doing at a specific moment.

* All computers (as with any electronic device) emit radio frequency electromagnetic waves. These EMF waves come from various parts of your computer, mainly from the cables, such as the one to your monitor, CRT, or dumb terminal. These EMF waves travel through the air, up to 1 kilometer away (about 3/4 of a mile for you dummies who use the American system of measurement). With the proper equipment, these EMF waves can be intercepted and monitored. A device that intercepts these TEMPEST signals is known as a TEMPEST receiver, or more informally and commonly called a "Van Eck TEMPEST receiver".

* All computers emit 2 types of radiation.

(1) Video emanations- Video emanations are basic stuff. Virtually every computer that's unprotected emits a fair amount of them. Video emanations from your monitor cable literally send your video signal over the airwaves up to a kilometer away. A Van Eck TEMPEST receiver will receive these frequencies, demodulate the video signal, and add a new carrier frequency (NTSC, VGA or SVGA) onto the signal, which is then sent to an NTSC CRT or to a VGA or SVGA computer monitor. The end effect is that the interceptor will literally see what you are typing on your computer screen, and will see exactly what you see on your screen (minus the color, which does not get transmitted far enough for the TEMPEST receiver to pick the color signals up).
Have you ever wondered why, when you type in a password, the characters are masked by an echo character ("*", etc.) or are blanked out? [Well, read the section below on password echoing.]

(2) Data emanations- Data emanations are way out of the scope of this article. That is NSA material discussion, something that you might imagine could be used in high-tech NSA-grade equipment and satellites. Data emanations are direct data signals sent from your computer's motherboard, CPU, and various processing cards. This data does not travel very far, not at all, but with an ULTRA sophisticated receiver, these data emanations can be monitored. This device could theoretically dig right into a computer's memory, to a limited extent, to extract information. Many persons claim that such devices don't exist, but the fact is that they do, and they have been developed for well over a decade and have been used by certain 3-letter agencies.

[k] PASSWORD ECHOING: Password echoing is the process of blanking out passwords on your computer screen and replacing the characters you typed in with a mask character such as "*"; sometimes, as you type in the password, it will be invisible. This technique was invented about 15 years ago by the NSA. It is urban myth as to why passwords are masked with an echo character, and most people have been falsely told that it's to prevent someone from looking over your shoulder and seeing the password you type in. Well, in short, that is false! Although echoing certainly does stop people from "shoulder surfing" to snatch your password, the real reason that the NSA originally developed it was to prevent TEMPEST receiver attackers from spying on sensitive government and military sites and seeing the government employees type in their passwords on the screen.
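Returning to the password shadowing section ([g]) above: an added example, not from the original article, of a check an administrator can run over a passwd-format file to find accounts whose hashes are still in the world-readable file. The sample records are constructed, the function names are hypothetical, and it assumes "x" in the password field means the hash lives in the shadow file while a field starting with "*" or "!" marks a locked account.

```python
# Constructed sample in /etc/passwd format (name:password:uid:gid:gecos:home:shell).
SAMPLE_PASSWD = """\
root:x:0:0:Super User:/root:/bin/sh
daemon:*:1:1:System Daemon:/:/bin/false
alice:EXAMPLEHASH01:1001:100:Alice Example:/home/alice:/bin/sh
bob::1002:100:Bob Example:/home/bob:/bin/csh
carol:x:1003:100:Carol Example:/home/carol:/bin/sh
this line is not a passwd record
"""


def classify_password_field(field):
    """Say what the second field of a passwd record exposes."""
    if field == "":
        return "empty-password"   # account needs no password at all
    if field == "x":
        return "shadowed"         # hash is kept in the shadow file
    if field[0] in "*!":
        return "locked"           # no typed password can match
    return "hash-exposed"         # hash readable by every user


def audit_passwd(text):
    """Return (findings, counts) for the text of a passwd-format file.

    findings: list of (line number, account name or None, problem)
    counts:   how many accounts fall into each password-field class
    """
    findings = []
    counts = {"shadowed": 0, "locked": 0, "hash-exposed": 0, "empty-password": 0}
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, None, "malformed"))
            continue
        status = classify_password_field(fields[1])
        counts[status] += 1
        if status in ("hash-exposed", "empty-password"):
            findings.append((lineno, fields[0], status))
    return findings, counts


def shadowing_state(counts):
    """'full', 'partial' (only some accounts shadowed) or 'none'."""
    if counts["hash-exposed"] == 0:
        return "full"
    return "partial" if counts["shadowed"] else "none"


if __name__ == "__main__":
    found, totals = audit_passwd(SAMPLE_PASSWD)
    for lineno, name, problem in found:
        print(f"line {lineno}: {name or '?'}: {problem}")
    print("shadowing:", shadowing_state(totals))
```

The "partial" result is the situation the section complains about: the important accounts are shadowed while ordinary users' hashes remain readable by anyone on the system.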
[l] SECURITY AUDITING: One of the most effective methods ever developed to combat system intruders and uninvited guests, as well as to catch authorized system users who exceed their appointed authority, is to implement auditing of the system. Although audit logs are kind of after-the-fact protection and don't really keep people out, they do let you know who has done what, where they have gone, what systems they went to, at what time, for how long, etc. Audit logs can serve as evidence in a court of law that an individual was improperly using the system, but more importantly they can be used to monitor hackers in progress. By "in progress", I don't necessarily mean at the specific moment. Rather, hackers sometimes will spend weeks or months at a system, quietly and discreetly working away. They may be active for short periods of time, then take a break for a few weeks till they're sure that the "heat is off". Audit logs will tell you where this hacker is getting in and what he is doing, so that you can be alerted the next time this user logs on. Perhaps you can set up an audit log that will set off a beeper alarm to warn you, so that you can monitor this individual's activities.

* Audit logs can be set up to detect literally anything. All you need do is program it in, or write a script file, and you can monitor anything that you want.

* Although audit logs are part of the UNIX system and are built in, there are a number of better and more detailed auditing systems freely available. Such software includes: NETWATCH and PORTWATCH.

[m] SECURITY CRACKING SOFTWARE: Another common technique used today is the use of security packages. These packages are a SysAdmin's best friend (especially if said sysadmin is not too keen at understanding his O/S or its security glitches). They are also, however, a hacker's best friend. Security programs are a large collection of executable programs, script files, and libraries that are designed to crack virtually every known security flaw.
These aren't miracle devices and have their limits, but they do work wonders, and will crack a system about 10 times faster than the best expert can. The SysAdmin simply runs these programs and batch files and the program does the rest. There are different packages available for different O/S's, but some of the most common packages are: COPS, TIGER, and SATAN.

[n] SECURITY RATINGS: (Trusted Computing Systems/Bases) The last method used in the pursuit of security, and to promote the strength of an Internet-based system, is to have your computer meet certain evaluation criteria. This is not actually a technique of security per se, but there are certain guidelines which must be followed, and if you follow those guidelines by implementing the required software, then you are assured of having a fairly secure system.

* The NCSC (National Computer Security Center) is the sister agency to the NSA (National Security Agency); the 2 facilities are located right next to each other in Fort Meade, MD. It is the job of the NCSC to set evaluation criteria and federal standards for computer security guidelines. There are currently 3 government agencies that set official standards, and they all work very closely together in their projects. The 3 computer security agencies are:

(1) NCSC- The National Computer Security Center is the backbone of the entire computer security community. The NCSC is staffed with hundreds of the world's best computer security experts, whose knowledge of computers greatly exceeds that of any privately employed individual. Their primary strength in computer security knowledge, however, is due to the fact that the agency is properly and very efficiently administered, and all employees are trained very well. It is the job of the NCSC to evaluate every possible facet of not only computers but also office equipment. (Office equipment hacking is a VERY advanced topic I won't even deal with.)
The NCSC publishes hundreds of official manuals and books which very thoroughly outline the details for secured computer systems. These are official books which are the "de facto" standard, and when judging how secure a computer is, these books are used. Although the NCSC produces thousands of books and manuals on every conceivable topic, the NCSC is most famous for what is called the "NCSC Rainbow Manuals" or "NCSC Color Books". These rainbow manuals, approximately 75 in all, are approximately 100 - 500 pages in length for every volume. These manuals cover every conceivable topic for computer security that you can think of. Each manual covers a different aspect of computer security, and each manual has a fairly strict set of guidelines that must be followed in order for a computer to be evaluated and rated. You can obtain free copies of the Rainbow Manuals by contacting the National Computer Security Center. (It would be preferable if you could address your request to the "INFOSEC Awareness Division", as they deal with public inquiries. Or you may download the NCSC Rainbow Manuals from the NSA's DOCKMASTER computer system; however, you need an account on that system to do so, as there is no anonymous FTP service. You may contact me if you want to take a look at these manuals and I'll get them from the Dockmaster system.)

(2) NSA- The NSA also deals with computer security to a limited extent. Most of what the NSA does is not of public interest or isn't disclosed in general to the public, but the NSA does set certain standards which are beyond the capabilities and charter of the NCSC. For instance, the NSA deals with cryptography and cryptographic standards, and helps to develop new standards. The NSA works very closely with the NIST in the field of cryptography. The NIST doesn't do too much cryptography work per se, but the NIST is responsible for setting all the official guidelines that the government MUST follow.
The NSA also deals with product evaluations and TEMPEST technology, as well as with the rating and categorizing of commercial encryption devices such as Motorola STU SECTEL phones or Cylink devices. The NSA also deals with setting up secured telecom networks for both commercial and governmental use. They rate various commercial communications services for security and publish the results so that people know which telephone companies have quality secured communications lines.

(3) NIST- The NIST is a division of the Department of Commerce. The NIST is the National Institute of Standards and Technology. Their main purpose is to set official government standards and to evaluate the latest technologies and products from other agencies such as the NCSC and the NSA. The aforementioned agencies spend literally a decade developing new systems and procedures, and after a certain amount of time, the NIST will declare that a product has been evaluated enough and is secure and can be approved for government use, or the product may even become the de facto standard for the government. The NIST has many divisions, and they literally evaluate everything. (The NIST is very similar to ANSI; their job is simply to set standards which the government must follow and that the public should follow.) The NIST has a computer division, and in this section I'm specifically referring to the computer division of the NIST. The NIST Computer Systems Laboratory deals very heavily with encryption. The NIST CSL has its own professional cryptographers, who rank on par with some of the NSA's cryptographers, and these cryptographers evaluate the products and systems that the NSA and NCSC have developed. After a product has been evaluated for about 5 - 8 years by the NIST, NCSC, and NSA, it is proven to be worthy, and the NIST will publish a FIPS. A FIPS is a very important term which means Federal Information Processing Standard.
Once the NIST publishes a new FIPS, forever more all products must follow these guidelines. The FIPS usually consists of 2 parts.

(1) A technical portion of the FIPS details the guidelines of the product and how it MUST be adhered to. For example, if a new cryptosystem is implemented, the NIST FIPS states clearly that everyone must implement the algorithm for the encryption the same way, so that everyone's cryptosystem is compatible and is of similar strength and quality.

(2) The second part of the FIPS is a decree to all government agencies which states that forever more all government agencies (that meet certain guidelines) must use this product or system from now on. An example is DES: many years ago DES was declared a FIPS, and all government agencies who processed certain material had to use DES and could not use anything else (unless it was specifically approved as a better product). DES is no longer a FIPS, and is being replaced now, and in fact has been replaced, although the NIST is looking into renewing the DES FIPS charter for another couple of years, as DES still has a few years of life left in it. But it can't be used for processing of classified information.

-----------------------------------------------------------------------
(4) ORGANIZATIONS AND LEGISLATION TO CONTROL HACKERS AND CRACKERS.
-----------------------------------------------------------------------

EFF - Electronic Freedom Foundation
SEA - Society for Electronic Access
SPA - Software Publishers Association
CPSR- Computer Professionals for Social Responsibility
CEI - Computer Ethics Institute
NCSC- National Computer Security Center
NSA - National Security Agency
CERT- Computer Emergency Response Team
  [a] CIAC- Computer Incident Advisory Center
  [b] NASIR-
  [c] DDN Management Bulletin-

Congressional Laws/Bills:
(a) S.314
(b) Seizure of Equipment Policy by the Secret Service.
(c) California's Law to Turn Phone Phreak Eqpt over to Telco.
(d) OmniBus Crime Act
(e) Electronic Communications Privacy Act
(f) Copyright Infringement Laws

* The following is an actual copy of the current law pertaining to copyrights. Note the stipulations in "s 506 subsection [a]", which state that infringement is only a crime if you either: (1) have the potential to make a profit, or (2) are currently making a profit (selling copied software or bootlegged audio or videotapes). In the case of warez (or software piracy), no profit is being made, and the software is being distributed free.

<< Part of this document got destroyed, and a few sentences are missing >>

17 U.S.C.A. section 506

UNITED STATES CODE ANNOTATED
TITLE 17. COPYRIGHTS
CHAPTER 5--COPYRIGHT INFRINGEMENT AND REMEDIES
Copr. (C) West 1995. All rights reserved.
Current through P.L. 103-465, approved 12-8-94

s 506. Criminal offenses

(a) Criminal infringement.--Any person who infringes a copyright willfully and for purposes of commercial advantage or private financial gain shall be punished as provided in section 2319 of title 18.

(b) Forfeiture and Destruction.--When any person is convicted of any violation of subsection (a), the court in its judgment of conviction shall, in addition to the penalty therein prescribed, order the forfeiture and destruction or other disposition

(c) Fraudulent Copyright Notice.--Any person who, with fraudulent intent, places on any article a notice of copyright or words of the same purport that such person knows to be false, or who, with fraudulent intent, publicly distributes or imports

(d) Fraudulent Removal of Copyright Notice.--Any person who, with fraudulent intent, removes or alters any notice of copyright appearing on a copy of a copyrighted work shall be fined not more than $2,500.
(e) False Representation.--Any person who knowingly makes a false representation of a material fact in the application for copyright registration provided for by section 409, or in any written statement filed in connection with the application

(f) Rights of attribution and integrity.--Nothing in this section applies to infringement of the rights conferred by section 106A(a).

CREDIT(S)

1977 Main Volume
(Pub.L. 94-553, Title I, s 101, Oct. 19, 1976, 90 Stat. 2586.)

1995 Pocket Part
(As amended Pub.L. 97-180, s 5, May 24, 1982, 96 Stat. 93; Pub.L. 101-650, Title VI, s 606(b), Dec. 1, 1990, 104 Stat. 5131.)

< General Materials (GM) - References, Annotations, or Tables >

HISTORICAL AND STATUTORY NOTES

Notes of Committee on the Judiciary, House Report No. 94-1476
Four types of criminal offenses actionable under the bill are listed in s 506 [this section]: willful infringement for profit, fraudulent use of a copyright notice, fraudulent removal of notice, and false representation in connection with a copyright. Section 506(a) [subsec. (a) of this section] contains a special provision applying to any person who infringes willfully and for purposes of commercial advantage the copyright in a sound recording or a motion picture.

1990 Amendment
Subsec. (f). Pub.L. 101-650 added subsec. (f).

1982 Amendment
Subsec. (a). Pub.L. 97-180, substituted "shall be punished as provided in section 2319 of title 18" for "shall be fined not more than $10,000 or imprisoned for not more than one year, or both:" and struck out provision that any person who infringes

Effective Date of 1990 Amendment
Amendment by section 606(b) of Pub.L. 101-650 effective 6 months after Dec. 1, 1990, see section 610(a) of Pub.L. 101-650, set out as a note under section 106A of this title.

Effective Date
Section effective Jan. 1, 1978, except as otherwise expressly provided, see s 102 of Pub.L. 94-553, set out as a note preceding s 101 of this title.
Legislative History

For legislative history and purpose of Pub.L. 97-180, see 1982 U.S. Code Cong. and Adm. News, p. 127.

CROSS REFERENCES

Making and distribution of phonorecords subject to penalties provided by this section, see 17 USCA s 115.

Secondary transmission of primary transmission subject to penalties provided by this section, see 17 USCA s 111.

Transportation, sale or receipt of phonograph records bearing forged or counterfeit labels, see 18 USCA s 2318.

Unauthorized rental, lease, or lending of sound recordings as constituting infringement but not a criminal offense under this section, see 17 USCA s 109.

Works consisting of sounds or images, first fixation of which is made simultaneously with its transmission, subject to penalties provided by this section though no copyright registration has been made, see 17 USCA s 411.

LAW REVIEW COMMENTARIES

Computer crime: The federal vs. state approach to solving the problem. Robert D. Starkman, 65 Mich.B.J. 314 (1986).

Computers, copyright and tying agreements: An argument for the abandonment of the presumption of market power. Glen P. Belvis, 28 B.C.L.Rev. 265 (1987).

Impoundment procedures under the Copyright Act: The constitutional infirmities. Paul S. Owens, 14 Hofstra L.Rev. 211 (1985).

Information infrastructure. David Goldberg and Robert J. Bernstein, 212 N.Y.L.J. 3 (Sept. 16, 1994).

Visual Artists Rights Act: Federal versus state moral rights. Brett Sirota, 21 Hofstra L.Rev. 461 (1992).

Waning of the fraud defense. David Goldberg and Robert J. Bernstein, 211 N.Y.L.J. 3 (Jan. 21, 1994).

-------------------------------------------------------------------
(5) WHO IS ACCOUNTABLE FOR LOSSES DUE TO THESE ACTS.
-------------------------------------------------------------------

(a) Software companies-

The SPA and major software publishers often propagandize by claiming that each year they lose billions of dollars in revenue due to software piracy. These statistics are blatantly false.
Please note my figures on the amount of software piracy... The actual amount is barely 125 Million per year.

* This is a very greatly debated topic. In the author's opinion, and in technical fact, software piracy does not actually cause these companies to lose so much as 1 cent.. What software piracy does do... is prevent these companies from gaining the revenue that they should be getting from legitimate paying users. [there IS a difference]

* Debate also stems over the fact that software piracy is not actually a crime.. It is merely a civil offense unless the piracy involves the perpetrator intending to make money or having the ability to make money over $1,000. If our own government does not even outlaw software piracy, then are we not doing anything wrong??? [this is NOT my opinion, but merely a hypothetical... in reality it is true.. If it's not a crime, then there really is no problem, but that's not to say that it is morally ethical. Because it is not.]

* The bottom line is that we the consumers (meaning everyone, including the software pirates themselves) end up paying outrageous rates to rip-off software companies, and are given the old excuse that they must raise rates in order to make up for lost revenue. That whole argument on the part of the software companies is a massively deceptive excuse to suck more money out of us consumers, under the guise that these companies are poverty stricken and "have to" charge these ludicrous rates otherwise they'll go bankrupt.. These companies need to stop crying poverty, because if they really were broke they would not be Fortune 100 companies bringing in 400 million dollars in revenue per day! < and as I stated before, this whole argument about them "losing" money is false, because they are not losing any money... they just are not gaining any money >..
(b) System administrator

(c) Users-

Out of all the groups of people who are affected by unscrupulous individuals, it is US, you and me, the legitimate computer users, who get royally screwed and end up with the short end of the stick, so to speak.. It is these mega-corporations who are just begging for any excuse whatsoever to jack their rates up 500 percent. These companies have every right to profit, but us citizens do not feel it is fair that we have to suffer massive price increases for your petty losses. Indeed these mega-companies are losing money from thieves and maybe even hackers, but these companies also make back 3 times what they lose in fraud by jacking up the prices, claiming that it's necessary. I.e.: they lose 125 million in fraud, so instead of jacking up the prices by a small reasonable amount such as 15 percent for each user, which would undoubtedly cover these software losses, they jack the price up 100 to 500 percent and end up with 5 times more money than they claim they are losing. I feel that if we are to be subject to price increases it should only be to the extent that the price increase will cover the cost of the losses incurred by these companies due to illegal activities.

* Secondly, pertaining to constitutional rights.. We are slowly losing those rights and are very slowly heading to a police state, where citizens are denied their basic constitutional rights under the false guise that it's for the general benefit of the American public.

* People are quite often brainwashed by clever politicians, sick religious fanatics, and various lobbying groups, who are more interested in shoving their crusade down everyone's throat than they are in preserving the way of life we have in America (or shall I say the way it is supposed to be, but is not, thanks to a few assholes who have to play god and dictate to everyone what is ethical and what isn't).
* One of the differences that has set our country apart in the past from other countries is the fact that traditionally, we have always been allowed unrestricted free speech (or that's the way it's supposed to be, but isn't unfortunately).. But we can freely discuss our politics, our religion, our disgruntlements in public without fear of reprisal or even a death punishment from our government as they quite often have in Arabic countries. God forbid you say anything about "Allah" or about the political regime in Kuwait, or Pakistan.. You'll be hung without a trial, and in many countries you can be locked in prison without a trial and forever.. Such is the case with South Africa and Nelson Mandela, who was imprisoned (without trial I believe) and was sentenced to life for simply being an "enemy of the state" because he has different views, and maybe a better idea for a better government. In America, we can live without fear of such barbaric things because freedom of speech is nearly unconditional in the United States (so long as it's not physically threatening and is just your opinion).. The thing that makes freedom of speech so powerful is that it has no bounds, cannot have bounds, and should not have bounds.. As soon as you start putting restrictions on what people can and can't say then you have thusly destroyed freedom of speech by dictating to the citizens what they can and cannot think about and say. Even if the law may seem harmless and even a benefit to society, you still cannot infringe upon the freedom of speech because it thusly denies a certain group of people their right to their opinion.

* Thusly if bills like S.314 pass, this country will be totally destroyed, and will never again be the same unless us citizens are willing to stand up and say, we're not going to accept this law and have no intention of following it since it destroys the constitution. [see later comments on S.314, America's most dangerous bill].
* Excessive media hype and blatantly false, sensationalized, and inaccurately reported events regarding computers and hackers, along with the thorough brainwashing of the American public by the media, have caused 95 percent of all the problems that we have today, and could very well end America the democracy, and the constitution as we know it... It is ironic that we profess freedom of speech as being all important, but yet it is these same sleazeball scumbag journalists, talk show hosts, and reporters that are destroying America.

* If anyone has become the victim of so-called computer crime, it is the 1 million plus legitimate computer hackers and network explorers, who have been unconstitutionally abused by overzealous law enforcement authorities, who have clearly stepped over the line, and disregard all constitutional rights and due process by abusing their power and exposing loopholes in the law, to strike with vengeance against anyone who they feel might have committed some type of computer crime. And far too often law-enforcement officials (and specifically the prosecutors) will go out of their way to trump up false or unnecessary charges in order to obtain some type of conviction. Even when they know that the person they have arrested has committed no crime, they would be too embarrassed (as is the case in any type of crime) to release that person. D.A.'s have a real nasty habit of not being able to admit when a mistake was made, and that the person in question is actually innocent.. The reason for this is simply human pride, and also the embarrassment that it would cause the office, should this person go public claiming how the DA's office falsely prosecuted the individual with no evidence whatsoever. So instead DA's will do everything in their power to "railroad" any individual who comes before them, regardless of their innocence or guilt. Never before have we Americans seen such "witch hunts" since the "1690 Salem Witch Trials" in Massachusetts.
Now we have a new type of witch hunt before us, this time courtesy of the scumbags from the media, who have falsely portrayed hackers in an untruthful manner, as well as brainwashing the entire population into believing such bubkas. Politicians and law-enforcement, being among the many brainwashed people, have made it their crusade to pursue hackers to the ends of the earth and punish them with every intent of destroying their lives, a witch hunt if you will, where the punishment clearly does not fit the crime.

There is currently an over-abundance of laws pertaining to hackers and telephone phreaks, and I feel that it is an outrage that the penalty for hackers and phone phreaks is far greater than that for murderers, rapists, bank robbers, spies, etc... It is truly a shame when a 15 year old kid, who makes a few free phone calls, or manages to gain access to a government computer system, can be sent to prison for 350 Years and have 50 charges brought against him (thanks to the numerous over-abundance of laws which I mentioned before), while a murderer simply gets 15 to 25 years to life, and one or 2 charges at most brought against him. Where is the justice? Is stealing 5 bux worth of free phone calls on the same level as a murderer? Obviously so, according to our wonderful government. No wonder why so few people have faith in our justice system anymore. The small time petty criminals get the full brunt of abuse and mistreatment, and the real criminals, the ones who should be punished, get treated like gold... I have seen a local drug dealer who sold 1 gram of crack get sent to prison for 350 years (see NY Newsday), while the real criminal, who brings in 2 tons of Cocaine by smuggling it in via ship, gets only 5 years in prison (see NY Newsday article on that also)..

Aside from the actual punishments of criminals, there also seem to be massive abuses in the arrest of petty criminals.
I am all for the punishment of anybody that commits a crime to a reasonable extent. But I think it's a damned shame that people like Jeffrey Dahmer, Colin Ferguson, etc... were brought in without any incident whatsoever, were treated like "gold" practically, with their own private little cell, and a nice bullet-proof vest for them to wear...... While some teenage hacker sits in his room putzing with his computer, and next thing you know, law-enforcement is quite literally busting down the door with their weapons drawn, screaming: "GET DOWN, SEARCH WARRANT, NOBODY MOVE OR I'LL BLOW YOUR FUCKING HEADS OFF!!" Is that outrageous attitude acceptable? Are we going to take that abuse? Are the police really willing to blow some 15 year old's head off because he might try to get rid of some petty piece of evidence? Where is this kind of abuse when we really need it... like for the murderers?

[ On this note: do NOT think I am exaggerating.... If you do not ]
[ believe that these barbaric monstrous acts occur, then simply  ]
[ get hold of the transcripts, and many available books on the   ]
[ subject pertaining to hackers, and you can see how the hackers ]
[ were apprehended, threatened and abused during arrest.         ]

The last thing I'll mention pertaining to hacker arrests is that law enforcement (specifically the Secret Service, who has the biggest history of abuse of power) usually unjustifiably seizes every single piece of property in the hacker's home, with the exception of the house furniture. The Secret Service will often steal (err I mean seize) the hacker/phreaker's video game systems, stereo, books, manuals, notebooks, every scrap of paper in the entire house that has some type of scribbling on it, all software, all office eqpt such as photocopiers, all computer eqpt, including scanners and printers (you never know, the hacker just might have some "secret microchip" embedded in his printer in which he's going to smuggle the nuclear secrets out of the country.)
<< I of course meant that to be extremely sarcastic to show the idiocy of law-enforcement. >>

Why is it necessary for law-enforcement to steal all the equipment in the household, including objects that clearly have nothing to do with the crime in question?

<< Why has the Secret Service taken kids' video games in such raids? Can you justify a reason for that? I think not!! They just clearly want to abuse their power and make this person pay severely, with no thought as to whether he is really guilty or not. >>

A good example is "Steve Jackson" from Steve Jackson Games... I highly recommend you read up on this case if you're not familiar with it.. Here is a man who ran a very legitimate business of making board games, and his business somehow got falsely wrapped up in some bogus hacker case. Jackson was working on a current project for a new board game about computer hackers... His computers happened to contain the manuals for this board game, and when the police falsely arrested this individual, they found his instruction manual for his game, and accused him of writing a "manual for destruction for hacker" and charged him on numerous bogus charges which clearly didn't hold any water in court. Well, when this individual was finally cleared of the false charges, he thought that the abuse was finally over... But no.. The law states that an individual does not get his/her seized property back... He/she has to go through a whole separate case to get their property back, and it finally took many many many many months until Jackson got his equipment back. Of course nobody ever repaid Jackson for the tens or possibly hundreds of thousands of dollars that he incurred by this railroaded false arrest due to his loss in business and his lost contracts and lost work time, etc.. (as well as the abuse he had to undergo mentally..)
There are many cases similar to Jackson's, of people who have been falsely arrested and had their life's work seized and never ever returned even when they were proved innocent, because the Secret Service DOES NOT have to return your equipment when you're proven innocent! Even in cases where hackers or phone phreaks were guilty of committing some petty crime, the seizing of their life's assets hardly is justifiable and should not be tolerated.. It is clearly an abuse of power.. Did the police seize all of Colin Ferguson's assets, or Jeffrey Dahmer's? NO!!.... And those guys were murderers.. Why must petty criminals who steal 10, 20 bux in phone calls, etc.. take the full brunt of the law, while real criminals roam the streets or get off easy?

The bottom line is that there are currently more than enough laws on the books to adequately punish hackers and telephone phreakers. We don't need any more laws, and we should not tolerate any more laws, as it is an abuse of power, as well as a waste of taxpayer dollars to regulate something to death.. Do we really need Congress to waste time coming up with dozens of new laws, and spend 10 years arguing over the little loopholes in the bill, when there are already 130 laws on the books that a hacker could be charged with? What we need to do is snap into reality, and punish these people, as well as spend more time investigating these crimes rather than spending years on end trying to come up with "the perfect law". What good are all these overkill laws if they're not enforced? In fact, what do we even need these extra laws for in the first place? They just make things more complicated, and leave more loopholes for lawyers (and police to abuse)! If a person commits telecommunications fraud, do we really need a phone phreakers law? Why not charge them with theft as we do with every other criminal? Why must hackers have their own special laws to be witch hunted with?
(d) No one-

--------------------------------------------------------------
(6) APPENDICES: Miscellaneous Information
--------------------------------------------------------------

----------- Suggested Reading List ------------

I obviously can't tell you everything in this small article.. If you want to gain an understanding of what hacking is really about, and want to learn about the various laws, and how they are prosecuted, etc.. etc.. I suggest the following books:

(a) Friendly Spies (details dozens of Industrial Espionage cases)
(b) Masters Of Deception
(c) Approaching Zero
(d) The Hacker Crackdown
(e) The Cuckoo's Egg by Clifford Stoll
(f) Cyberpunk(s)

[books placed in order from "a" to "f" measured  ]
[by importance as far as real useful information ]

---------- Other Reference Material ------------

"Off-The-Hook" radio program hosted by Emmanuel Goldstein (editor of the famous 2600 Magazine); the 1 hour long radio show deals with computer hacking issues, internet security, etc..

WBAI 99.5MHz FM, Wednesday 2200 - 2300hrs EST

---------- Internet Newsgroups -------------

alt.2600
alt.2600hz
alt.cyberpunk
alt.cyberpunk.technology
alt.hackers
alt.security
alt.protocols.kerberos
comp.security.firewalls
comp.security.misc
comp.unix.admin

                                                  '''
                                                 (o o)
---------------------------------------------oOO--(_)--OOo------------
| Alan Hoffman, CEO/Security Consultant | The Code Breakers BBS      |
| Electronic Securities Ltd.            | 516.744.xxxx CALL TODAY!   |
| sahoffman@dockmaster.ncsc.mil         | (compusec/comsec/telecom)  |
----------------------------------------------------------------------