January 28, 1986 Challenger Launch
O-ring problems on the Solid Rocket Boosters (SRBs) had been known for a
decade.
Managers want yes/no answers; engineers give floating-point answers.
Both at NASA and at the SRB contractor Morton Thiokol, managers put engineers on the spot by demanding yes/no answers.
In general, frank discussions with ones manager are not only appropriate but required.
That said, however, managers do not necessarily respond positively to "ethical" arguments. Here are a few alternatives:
Bringing ethical issues to the attention of your supervisor
Programmers: quality issues
Network admins:
Nobody wants to make a Career Limiting Move
BUT your boss doesn't want something to blow up later.
Going over your boss's head: Generally a CLM, but sometimes there are specific avenues.
Challenger engineers
How managers tend to think, versus techies
Ethics and the notion of the Social Contract: JJ Rousseau, 1762
Legal liability: "yes, but we don't wanna get sued...."
Whistleblower protections: federal & state law, company policy
Writing a CYA memo: Richard M Daley and that guy who first noticed the potential leak
Louis Koncza was Chief Engineer for Chicago in 1992. He (or his staff) discovered leaks in the coal-railway tunnels under the Chicago River. He wrote a memo to his boss, DOT head John LaPlante, about the leaks. But the memo asked for money for repairs and didn't make it clear it was an emergency. LaPlante authorized, for example, a bidding process, which is not an emergency response. Daley fired Koncza, for failing to convey sufficient urgency, and because "sending a memo to a supervisor does not absolve you".
John LaPlante was fired too:
"Daley did what he had to do"
District Court issues
[quotes from NTP's Memorandum of Points and Authorities in Opposition
to RIM's First (or Second) Motion for Summary Judgement]
1. RIM seemed focused on obtaining summary judgement before the "Markman hearing"
(or claim-construction hearing), a hearing at which the judge rules on
the meaning of various patent claims. This seems awkward. NTP's reply:
RIM's preemptive May 3. 2002 motion for
partial summary judgment flies in the face of
its prior arguments and representations to the Court. The motion is an
attempt to short-circuit the Court's procedural schedule regarding
claim construction and to burden NTP with briefing before RIM even
files its responsive claim chart and prior art statement. RIM's motion
- which RIM admits will likely "miss the mark altogether" - seeks to
force the Court to engage in a wasteful, piecemeal, incomplete and
ultimately fruitless claim interpretation exercise before the disputed
claim terms are briefed or even identified.
A note about Markman hearings: generally, the plaintiff (NTP here) wants its claims broadly construed, so that they cover as much as possible. But if your claims are construed too broadly, they can be so general that some prior invention now qualifies as prior art; that is, NTP can't try to patent the idea of email itself.)
2. RIM introduced the Zabarsky prior art (pagers) rather late in the game. It
is not clear why they didn't pick up on this earlier. Perhaps the idea
of positioning their devices as pagers didn't occur to them.
(Zabarsky's wasn't the only late-arriving prior art. The BPAI decision places some weight on the 1989 Telenor system:
Actually, the BPAI concluded that the Telenor system did not anticipate all of NTP's claims.)
3. NTP was an advocate of the "push" idea:
The Campana patents bridged this
email-wireless divide by providing universal connectivity for email
between wired and wireless systems. For the First time, email sent to a
user at his or her normal electronic mail system could be "pushed" to the user's mobile processor
in a format suitable for standard email operations such as viewing,
replying and forwarding. The user no
longer needed to find his or her email; instead, the email would find
the user.
This "push" idea, though, is not new: it's what happens when a cellular network calls you (the call is "pushed" to you), and it's what happens in SMTP whenever the next hop is reachable. The last sentence sounds seductive, but again it is difficult to see the innovation here except in the context of actually building a wireless email network.
Another NTP description that makes the invention appear very deep is:
Campana opened access between the world
of landline-based electronic mail systems and the wireless world.
Campana taught the ability to "push"
the email stored in the user's mailbox on the email server all the way
to a mobile destination processor operated by that user. As Campana
recognized, the wireless user would be unable to periodically request
email because of all of the drawbacks cited above (e.g., uncertainty.
delay and inconvenience/cost). Thus, the wireless user would be best
served by a system that delivered email without the need for any
request from the user - similar to the way that a server delivers email
to the user's desktop computer when Outlook requests it.
But is this meaningful? It seems likely that anyone using RF links
for email in 1995 would have found all the ideas here obvious. However,
the notion that laptop users had to dial in to retrieve email was also
something that many people felt was "inevitable".
NTP also focused on their system as a way of addressing the
"inconvenience of dialing up": the difficulty finding a compatible
phone jack, and the possibility that there was no email to be received.
This seems to be a very tame description when compared to the utility
of receiving email while walking around. It seems likely that Campana
did not anticipate that part!
3.5: Note that all of the above amounts to a business justification
for believing that there would be a market for small RF-capable email
devices. If you accept that all the pieces for RF-based email were
already in place, this can be interpreted as suggesting that the real
innovation isn't the invention, but RIM's marketing of it.
4. RIM tried to claim their software was "not an email system". This
might be true in some precise sense, in that it is clearly an add-on to
an email system. RIM's precise claim was
The Blackberry relay and the Redirector
software are not a part of any email system. They do not alter or
modify any existing email system with which they may be used. Rather,
they are peripheral components....
To which NTP replied:
The blackberry Redirector software is
part of the email system on which it is installed. ... Indeed, RIM
admits that the redirector software cannot operate independently and
has no utility unless and until it is installed on an email server ....
Until now, RIM has always characterized
the blackberry ... as part of an electronic mail system. ... Indeed,
this Court is the only entity to which RIM has ever asserted that the
Blackberry is not part of an electronic email system.
This is an interesting argument. It seems likely here that RIM was
trying to argue that NTP's system was an "electronic mail system" and
that according to the strict construction of terms, their addition was
not.
5. RIM tried to interpret some NTP claims very literally; for
example, by claiming that the phrases below were equivalent. NTP argued
that the crucial "the" made the difference. RIM's argument was that
NTP's patent required both an
RF and a wireline transmission to the same processor. Clearly, the
Campana patent wording is very vague; in fact, it is vague even by the
execrable standards of the patent world. Who is being obfuscatory here,
RIM or NTP?
A system for transmitting originated
information from one of a plurality of originating processors in an
electronic mail system to at least one
of a plurality of destination processors in the electronic mail
system comprising...
a RF information transmission network for
transmitting the originated information to at least one RF receiver
which transfers the originated information to the at least one of
the plurality of destination processors
6. RIM argued that NTP's patent required the RF receiver and
destination processor to be distinct units. That seems specious, in
that consolidating components is routine.
7. RIM tried to argue that their wireless units acted as pagers:
email was not addressed to the blackberry itself, but only to the
user's usual email address. The blackberry system intercepted the email and forwarded
it to the blackberry.
First, this kind of forwarding was standard by 1990; most unix email
systems provided for .forward files to specify such forwarding.
However, RIM has a point: the Campana patents assume that the RF nodes
have email addresses. This is not
quite true of the Blackberry system: the email address is separate.
Note that the core issue of lack of novelty and obviousness was never raised directly, at leastin these arguments.
Indirectly, it appears in the guise that NTP's patents are to be
construed very narrowly because the basic ideas were already extant.
Appellate court notes; ruling of Aug 2, 2005
Somehow, in the appellate case RIM is constantly on the defensive with relatively farfetched claims. What happened to the central idea that Campana's patents were about to be overturned?
In their appeal, RIM appears to be trying to narrow the scope of the NTP
claims. Somehow the assertion that there was prior art for
Perhaps they should have focused on the patent's own claim of
prior art in trying to limit the patent claims??
RIM argued before the appellate court that the district court erred
in construing the claim terms:
(a) "electronic mail system"
(appearing in the '960, '670, and '172 patents);
(b) "gateway switch" (appearing in the '960 patent); and
(c) "originating processor" and "originated information"
(appearing in the '960, '670, and '592 patents).
It seems clear that the district court did NOT grasp the generality of any of these three terms, but the appeals court did NOT overrule. Instead they found
... the court looks to those sources available to the public that show what a person of ordinary skill in the art would have understood disputed claim language to mean
RIM argues there are two ordinary meanings of "electronic mail
system": a broad definition
that encompasses "communicating word
processors, PCs, telex, facsimile, videotex, voicemail and radio
paging systems (beepers)" and a narrow
definition that defines
the term in the context of "pull" technology. They were apparently trying to argue that the
blackberry system was not an "electronic mail system" in the narrow sense, and therefore wasn't
covered by the patents.
The appellate court cited Tanenbaum, Computer Networks, a classic text.
The court also wrote:
The message is next sorted by the recipient's ISP mail server into the recipient's particular "mailbox," where it is stored until the recipient initiates a connection with the server and downloads the message off the server onto his or her personal machine. This configuration is commonly referred to as a "pull" system because emails cannot be distributed to the user's machine without a connection being initiated by the user to "pull" the messages from the mail server.
Pull system??? This is marketing terminology.
Campana's particular innovation was to integrate existing electronic mail systems with RF wireless communications networks.
A message originating in an electronic mail system may be transmitted not only by wireline but also via RF, in which case it is received by the user and stored on his or her mobile RF receiver.
Is the court suggesting that this is a "push" system? Yes, in fact.
But this was a major misunderstanding of prior art.
The BlackBerry system uses "push" email
technology to route messages to the user's handheld device without a
user-initiated connection.
How is a blackberry different from a laptop with persistent Internet
connectivity,
limited to port 25 (email)?
An important issue for the court was that blackberries were NOT
seen as email endpoints. Rather, they were seen as portable
intermediate nodes:
they would receive email, they could display the email, but the email's
ultimate destination was the user's laptop (via some cable). This is an
interesting strategy, in that it makes the blackberry transparent to
the laptop that is receiving the email. However, it is not part of the
patent debate either!
The appeals court agreed with the district court that the latter's
interpretation of "electronic email system" as including the blackberry
system was entirely reasonable. This degenerated into more push/pull
debate, but part of the issue was that Campana himself tried to
characterize an "electronic mail system" as a wire system in order to
make his system appear different from Zabarsky's.
The appeals court said, [p 19 of pdf version]
Campana described prior art
"electronic-mail services" as "basically
a wireline - to - wireline, point-to-point type of system" (emphasis in
the court's quote). The use of the term "basically" suggests that an
electronic mail system may include other types of connections,
including wireless connections. Moreover, Campana provided an example
of one prior art electronic mail system in commercial use .... In this
prior art electronic mail system, "groups of processors ... may be
distributed at locations which are linked by the [PSTN]. The individual
processors may be portable computers with a modem which are linked to
the [PSTN] through wired or RF
communications as
indicated by a dotted line" [Campana quotes from 5436960]
Note that the appeals court is essentially granting here that RF
links in email were prior art! See that patent, paragraph beginning
"FIG. 1 illustrates a block diagram". Note also that, in the images,
Fig 1 appears twice, and in one the "RF information transmission
network" is deleted. RF links to end-users
were never shown. Figures are in http://cs.luc.edu/pld/ethics/campana/960
and http://cs.luc.edu/pld/ethics/campana/451.
As for the contested term "originating processor", the appeals court
says "We do not hold that the 'originating processor' is always the
processor on which text of the email message was created".[p 23] That
is, the blackberry is still an originating processor in the sense of
Campana's patents even if the message was created on the associated
laptop.
uspto.gov -> patents -> patft (uspto.gov/patft)
Search by patent number:
http://patft.uspto.gov/netahtml/PTO/srchnum.htm
6198783 System for wireless serial transmission of encoded information Modulation techniques
6067451 Electronic mail
system
with RF communications to mobile processors. See the Appendix, under
Background Art, for prior art. Note that in Figure 3, some of the
underlying telecom infrastructure is shown ("closest LATA switches").
The first non-prior-art diagram is Figure 8 (page 9). (2 of 9 NTP v RIM
claims)
Diagrams, and some text pages in .bmp format, are at http://cs.luc.edu/pld/ethics/campana.
6272190
System for wireless transmission and receiving of information
and method of operation thereof
4644351: Alan Zabarsky patent (1987),
possible prior art. Note that this is cited in
the '592 patent. Paging is also cited there as prior art, in the
paragraph beginning, "FIG. 2 illustrates a diagram of a prior art
network"
A communications system for carrying
messages via a radio channel between
one central site of a plurality of central sites and a plurality of
two-way remote data units is disclosed. Each central site has a
radio
coverage area and each remote unit has a unique address and
association
with one of the central sites. When a message addressed to one of
the
remote units is received in a central site, a file of remote unit
addresses is searched to find the location and central site
association of
the remote unit to which the message is addressed. If an address
match is
found indicating that the remote transceiver is in the coverage
area of
the message-receiving central site, the addressed message is stored
and
transmitted in that site. If an address match is found indicating
that the
remote transceiver is in another central site, the addressed
message is
conveyed to that site for transmission.
This would seem to cover delivering text to specific end-users; eg paging.
Patent reexaminations (from http://en.wikipedia.org/wiki/NTP,_Inc.)
To look these up, start at http://portal.uspto.gov/external/portal/pair. Actual documents are under the "image file wrapper" tab. Don't forget "select new case" as appropriate!
In the '451 rejection, the patent examiner found that the "Perkins"
prior art included all features of the NTP system, at least when the
NTP system was "broadly construed". Also, NTP tried to argue that
Perkins wasn't an "electronic mail system", by construing that term very narrowly.
See also page 114, regarding "obviousness". NTP made the following claims as to why their approach was an improvement:
Here are two primary claims. The "patentese" is unfortunate and confusing, but the core claim in both cases is using RF links to transmit email.
claim 248 of patent 6067 451
246. In a system comprising a communication system which transmits electronic mail containing information, with the electronic mail being inputted to the communication system from a plurality of processors, a RF system and an interface connecting the communication system to the RF system with the information contained in the electronic mail and an identification of a RF device in the RF system being transmitted from the interface to the RF system and broadcast by the RF system to an identified RF device, the identified RF device comprising:
a RF receiver, which receives the information when the identification of the device is detected in a broadcast by the RF system to the RF receiver; and
a memory, coupled to the RF receiver, which stores the information received by the RF receiver contained in the electronic mail inputted to the communication system.
247. The RF device in accordance with claim 246 further comprising:
a processor, coupled to the memory, which after the information has been outputted from the memory, processes the information.
248. The RF device in accordance with claim 247 further comprising:
at least one application program, executed by the processor,
which processes the information.
Fig. 8 is the first non-prior-art figure. It is described under the
"BEST MODE FOR CARRYING OUT THE INVENTION" heading.
Certainly Campana appears to
be patenting the use of RF links in email.
claim 150 of patent 6317592
150. In a communication system comprising a wireless system which communication system transmits electronic mail inputted to the communication system from an originating device which executes electronic mail programming to originate the electronic mail, mobile processors which execute electronic mail programming to function as a destination of electronic mail, and a destination processor to which the electronic mail is transmitted from the originating device and after reception of the electronic mail by the destination processor, information contained in the electronic mail and an identification of a wireless device in the wireless system are transmitted by the wireless system to the wireless device and from the wireless device to one of the mobile processors, the wireless device and one mobile processor comprising:
a wireless receiver connected to the one mobile processor
with the one mobile processor receiving the information
contained in the electronic mail after the identification
of the wireless device is detected by the wireless receiver
in a broadcast by the wireless system.
They have developed technology for storage of digital images of bank
checks. They actually did develop the whole system, although again the inevitability
issue arises here. They did not develop any of the actual root
technology: scanners, or data security, or digital storage systems with
enough capacity to hold images for negligible cost.
From their website:
That said, it is clear that none
of DataTreasury's ideas are revolutionary.
From politico.com/news/stories/0308/9202.html The company had benefited from a controversial 1998 court ruling that broadened the definition of a patent to include business processes.
The proposed (but never passed) patent-reform act of 2007 singled out this patent for congressional revocation.
It appears that DataTreasury is claiming a business-method patent on the use of electronic image scanning for check processing. They are looking for very significant licensing fees. Again, EVERY piece of the technology has been around from well before the patent (scanning, secure storage, ???)
The DataTreasury patent has been singled out by Congress for action, but it is not clear what will happen.
Patent reform:
Patent Reform Act of 2007: H.R. 1908 and S. 1145 (did not pass)
Those in bold are the most significant.
did not pass (yet) Here are some of the proposed changes in U.S. patent law
Discuss: first-to-file: who benefits? how are small inventors affected? How are prior-art rules affected?
publish applications.
This has again been introduced in 2009; apparently the issues are
the damages calculation, post-issuance reexamination proceedings, and
defining inequitable conduct. At least the last provision has been
removed from the 2009 bill. A
good-faith defense for believing a patent was invalid is also included.
Also included is a definition of prior art to include anything
"available to the public"; publication no longer would have to occur.
[Note that NTP argued that RIM's conduct was held to be inequitable simply because NTP had sent them a letter
outlining its patent claims, and RIM had disagreed.]
KSR v Teleflex, April 30, 2007
Some good patent news
This Supreme Court case altered the legal standard for disproving "non-obviousness" in favor of defendants. It is now slightly easier to challenge patents on this basis.
Teleflex had a patent on a pedal coupled to an electronic throttle control (basically cruise control). The question was whether that was "obvious".
The proper question to have asked was whether a pedal designer of ordinary skill, facing the wide range of needs created by developments in the field of endeavor, would have seen a benefit to upgrading [a prior art patent] with a sensor
not thought of it by themselves,
and not motivated to implement
the change,
but simply saw the benefit. The
old "nonobviousness" standard often in effect
required proving that a patent was "prior art". This test was known as
the
"teaching-suggestion-motivation" test. All three pieces had to be there. Another sentence from that decision:
Does that cover my obvious-in-context approach? Does that suggest that not clicking the mouse is obvious?
Teaching-suggestion-motivation test: too narrow
Would this have helped RIM? Probably.
Bilski case: (decision released October 30, 2008)
This is a HUGE case, decided by an en
banc
sitting of the Federal Circuit. The case is now before the Supreme
Court; the betting as of today is that the court will use the
opportunity to address the issue of patentability and might grant wider
patentability than the "machine or transformation" test would allow,
but that it is unlikely Bilski's patent will survive.
There is a huge supply of amicus filings. See:
Bilski patent: Claimed method of managing the risk of bad weather in commodities trading.
He submitted a patent application seeking exclusive rights to a method of using hedge contracts to reduce the risk that a commodity's wholesale price might change.
Again, the technique fails under both prior-art and obviousness standards. But those don't apply in the same way to business-method patents.
Patent was rejected by the Patent Board of Appeals. The Board, in rejecting the claim, asked the fedearl circuit court for assistance in determining patentability of non-technological method claims.
The federal circuit court did the following:
The court by its own action grants a hearing en banc. The parties are requested to file supplemental briefs that should address the following questions:
The court did affirm the need for a physical transformation. Their central doctrine is "Machine or Transformation". Business patents, and perhaps software patents, are in TROUBLE.
Note that their reasoning was taken straight from the few SCOTUS cases on record.
The question: is a patent "tailored narrowly enough to encompass only a particular application of a fundamental principle rather than to pre-empt the principle itself"?
Benson: NO
Diehr: YES (one of the prior SCOTUS cases)
Bilski: NO
Part of the Benson ruling: Transformation and reduction of an article 'to a different state or thing' is THE clue to the patentability of a process claim that does not include particular machines.
The Diehr patent was for making rubber, using a computer to control the process. It wins the "different state or thing" standard hands down.
They also DISMISS the "useful, concrete, or tangible result" test: that is NOT enough to establish patentability.
They also reject the "technological arts" test (see above) that was once-upon-a-time part of the method-patent rules. They agree that it is too hard to tell whether something involves the technological arts; however, unlike the USPTO, they end up ruling the OTHER WAY; that is, to reject MORE broadly than the TA test.
machine-or-transformation test: emphasize the OR.
We will, however, consider some of our past cases to gain insight into the transformation part of the test. A claimed process is patent-eligible if it transforms an article into a different state or thing. This transformation must be central to the purpose of the claimed process. But the main aspect of the transformation test that requires clarification here is what sorts of things constitute "articles" such that their transformation is sufficient to impart patent-eligibility under §101.
Tanning leather curing rubber (Diehr case)
The raw materials of many information-age processes, however, are electronic signals and electronically-manipulated data. And some so-called business methods, such as that claimed in the present case, involve the manipulation of even more abstract constructs such as legal obligations, organizational relationships, and business risks. Which, if any, of these processes qualify as a transformation or reduction of an article into a different state or thing constituting patent-eligible subject matter?
Note that while the Bilski decision does not claim to reverse State Street
(the case that led to business-method patents), most commentators seem
to feel that it has that effect. It is less clear that Bilski means
software patents no longer stand.
Applying Bilski to famous cases
RSA? material transformation in "real" terms The transformation is to a file. While it is electronic, it is decidedly material.
MP3? material transformation in "real" terms? An mp3 file isn't a physical thing, but it does have a certain "thingness". People think of them as things, and buy them as things. An mp3 file is material.
NTP? maybe no? The argument can be made that there is no "material thing" on the table here. Email messages are NOT it; the patent only addresses the delivery of email.
DataTreasury? It seems unlikely that DataTreasury's patents would stand up to this new test.
To some of you, hacking is clearly
wrong
and there shouldn't even be a question here. If you're one of them,
just pay attention to the legal-strategies-against-hackers part.
However, is using a website in a manner contrary to the provider's
intentions always hacking? A more serious case is logging on to a site, but not changing anything and in particular not committing theft.
Baase's "three phases of hacking"
1. Early years: "hacking" meant "clever programming"
2. ~1980-~1995:
hacking as a term for break-in
largely teenagers
"trophy" hacking
phone lines, BBSs, gov't systems
lots of social engineering
to get passwords
1994 Kevin Mitnick Christmas Day attack on UCSD
(probably not carried out by Mitnick personally), launched from
apollo.it.luc.edu. [!]
3. post-1995: hacking for money
early years / trophy
Phone phreaking: see Baase, p 256
Joe "The Whistler" Engressia
was born blind in 1949, with perfect pitch. He
discovered (apparently as a child) that, once a call was connected, if
you sent a 2600 Hz tone down the line, the phone system would now let
you dial a new call, while continuing to bill you for the old one.
Typically the first call would be local and the second long-distance,
thus allowing a long-distance call for the price (often zero) of a
local call. Engressia could whistle the 2600 Hz tone.
According to the wikipedia article on John Draper,
Engressia also discovered that the free whistle in
"Cap'n Crunch" cereal could be modified to produce the tone; Engressia
shared this with Draper who popularized it. Draper took the nickname
"Cap'n Crunch".
As an adult, Engressia wanted
to be known as "Joybubbles"; he died August 2007
Draper later developed
the "blue box" that would generate the 2600 Hz trunk-line-idle tone and
also other tones necessary for dialing.
How do we judge these people today? At the time, they were folk heroes.
Everyone hated the Phone Company!
Is phone-phreaking like file sharing? Arguably, there's some public
understanding now that phone phreaking is wrong. Will there later be a
broad-based realization that file-sharing is wrong?
How wrong is what they did? Is
there a role for exposing glitches in modern technology?
From Bruce Sterling's book The Hacker
Crackdown: Law and Disorder on the Electronic Frontier, mit.edu/hacker:
What did it mean to break into a computer
without permission and
use its computational power, or look around inside its files without
hurting
anything? What were computer-intruding hackers, anyway -- how should
society, and the law, best define their actions? Were they just
browsers, harmless intellectual explorers? Were they voyeurs,
snoops, invaders of privacy? Should they be sternly treated as
potential
agents of espionage, or perhaps as industrial spies? Or
were they best
defined as trespassers, a very common teenage misdemeanor? Was
hacking theft of service? (After all, intruders were getting
someone
else's computer to carry out their orders, without permission and
without
paying). Was hacking fraud? Maybe it was best described as
impersonation. The commonest mode of computer intrusion was (and
is) to swipe or snoop somebody else's password, and then enter the
computer in the guise of another person -- who is commonly stuck with
the blame and the bills.
What about the Clifford Stoll "Cuckoo's Egg" case:
tracking down an
intruder at Berkeley & Livermore Labs; Markus Hess was a West
German citizen allegedly working for the KGB. Hess was arrested and
eventually convicted (1990). Berkeley culture at that
time was generally to tolerate such incidents.
Robert Tappan Morris (RTM) released his Internet worm in 1988; this was
the first large-scale internet exploit. Due to a software error, it
propagated much
more aggressively than had been intended, often consuming all the
available CPU. It was based on two vulnerabilities: (1) a buffer
overflow in the "finger" daemon, and (2) a feature [!] in many sendmail
versions that would give anyone connecting to port 25 a root shell if
they entered the secret password "wiz".
Were Morris's actions wrong? How wrong? Was there any part that was legitimate? RTM was most likely trying to gain fame for discovering a security vulnerability. There was no financial incentive.
The jury that convicted him spent several hours discussing Morris's
argument that when a server listened on a port (eg an email server
listening on port 25), anyone was implicitly authorized to send that
port anything they wanted.
That is, it is the server's responsibility to filter out bad data.
While the jury eventually rejected this argument, they clearly took it
very seriously.
Mitnick attack: how much of a problem was that, after all? There are
reports that many Mitnick attacks were part of personal vendettas.
(Most of these reports trace back to John Markoff's book on Mitnick;
Markoff is widely believed to have at a minimum tried to put a slant on
the facts that would drive book sales.)
Stage 3: even now, not all
attacks are about money.
Baase, p 259:
"In 1998, the US Deputy defense secretary desribed a series of attacks
on US military computers as 'the most organized and systematic attack
the Pentagon has seen to date.' Two boys, aged 16 and 17, had carried
them out."
What about the London attack of about the same era on air-traffic
control?
2000: the "Love Bug" or ILOVEYOU virus, by someone named de Guzman. If
you read the subject and opened the document, an MS-word macro launched
the payload.
MS-word macros were (and are) an appallingly and obviously bad idea. Should
people be punished for demonstrating this in such a public way? Was
there a time when such a demonstration might have been legitimate?
Yahoo ddos attack & mafiaboy, aka Michael Calce
The attack was launched in February 2000. Calce got discovered by
bragging
about the attack pseudonymously on chatrooms. Alas for him, he'd
previously used his pseudonym "mafiaboy" in posts that contained
more-identifying information.
Conficker worm, April 1, 2009, apparently about creating a network of email 'bots.
Putting a dollar value on indirect attacks
This is notoriously hard. One of Mitnick's colleagues (Phiber Optik?)
was facing damage claims from one of the Baby Bell companies in excess
of $100,000, when it was pointed out that the stolen document was in
fact for sale for under $25.
Mark Abene (Phiber Optik) was imprisoned for a year. That was
extraordinarily long for the actual charge. Mitnick himself spent
nearly five years in prison, 4.5 of which were pre-trial. That situation is similar to that of Terry
Childs in San Francisco, who is still in prison.
Calce, Abene & Mitnick now both work in computer security. Is this
appropriate?
One theory is that gaining notoriety for an exploit is the way to get a security job. Is that
appropriate?
If not, what could be done differently?
Modern phishing attacks (also DNS attacks)
Stealing credit-card numbers from stores. (Note: stores are not supposed
to retain these at all.
However, many do.)
Boeing attack, Baase p 262: how much should
Boeing pay to make sure no files were changed?
TJX attack: Baase p 87 and p 271, ~2006
40 million credit-card numbers stolen! And 400,000 SSNs
Hackers apparently cracked the obsolete WEP encryption on wi-fi
networks to get in, using a "cantenna" from outside the building.
When attacks ARE about money, often the direct dollar value is huge.
And tracing what happened can be difficult. An entire bank account may
be gone. Thousands of dollars may be charged against EVERY stolen
credit-card number.
Is it ok to be "testing their security"?
What if it's a government site?
Should you be allowed to run a security scanner against other sites?
What if the security in question is APPALLINGLY BAD?
What if you have some
relationship to the other host?
Baase, p 270:
"The Defense Information Systems Agency estimated that there were
500,000 hacker attacks on Defense Department networks in 1996, that 65%
of them were SUCCESSFUL, and that the Dept detected fewer than 1%". But 1996 was a long long time ago.
Do we as citizens have an OBLIGATION to hack into our government's
computers, to help demonstrate how insecure they are?
What about hacking into Loyola's computers? Are we obligated to do that? What about
Loyola's wireless network?
Ok, failing that, what is our obligation to prevent intrusions that are not likely to be directly
harmful to us?
In 2006, Kevin Mitnick's sites were defaced by a group. There's some
irony there.
Other Baase cases:
several attacks against Chinese gov't sites, due to repressive
policies
pro-Zapatista groups defacing Mexican government sites
US DoJ site changed to read "Department of Injustice"
Legal tools against hackers
Once upon a time, authorities debated charging a hacker for the value
of electricity used; they had no other tools. The relative lack of
legal tools for prosecution of computer breakins persisted for some
time.
Computer Fraud & Abuse Act of 1986: made it illegal to access
computers without authorization (or to commit fraud, or to get
passwords)
USAP AT RIOT act:
extends CFAA, and provides that when totting up the cost of the attack,
the victim may include all costs of response and recovery. Even
unnecessary or irresponsible costs.
Trespassing?
"Trespass of Chattels": maybe.
This is a legal doctrine in which one party intentionally interferes
with another's chattels,
essentially personal property (including computers). Often actual harm
need not be proven, just that the other party interfered, and that the
interference was intentional and without authorization.
In 2000 e-bay won a case against Bidder's Edge where the latter used
search robots to get information on e-bay auctions. The bots used
negligible computation resources. The idea was for Bidder's Edge to
sell information to those participating in eBay auctions. In March
2001, Bidder's Edge settled as it went out of business.
Later court cases have often required proof of actual harm, though.
In 1998 [?], Ken Hamadi used the Intel email system to contact all
employees regarding Intel's allegedly abusive and discriminating
employment policies. Intel sued, and won at the trial and appellate
court levels. The California Supreme Courts reversed in 2003, ruling
that use alone was not sufficient for a trespass-of-chattels claim;
there had to be "actual or threatened interference".
How do you prosecute when there is no attempt to damage anything?
Part of the problem here is that trespass-of-chattels was a doctrine
originally applied to intrusions,
and was quickly seized on as a tool against those who were using a
website in ways unanticipated by the creator (eg Bidder's Edge). Is
that illegal? Should the law discourage that? Should website owners be
able to dicate binding terms of use
for publicly viewable pages (ie pages where a login is not required)?
