Baase's "three phases of hacking"
1. Early years: "hacking" meant "clever programming"
2. ~1980-~1995: hacking for fame
3. post-1995: hacking for money
Stage 3: even now, not all attacks are about money.
Baase, p 259:
"In 1998, the US Deputy defense secretary described a series of attacks
on US military computers as 'the most organized and systematic attack
the Pentagon has seen to date.' Two boys, aged 16 and 17, had carried
them out."
What about the London attack of about the same era on air-traffic
control?
2000: the "Love Bug" or ILOVEYOU virus, by someone named de Guzman. If
you read the subject and opened the document, an MS Word macro launched
the payload.
MS Word macros were (and are) an appallingly and obviously bad idea. Should
people be punished for demonstrating this in such a public way? Was
there a time when such a demonstration might have been legitimate?
Yahoo ddos attack & mafiaboy, aka Michael Calce
The attack was launched in February 2000. Calce got discovered by
bragging about the attack pseudonymously on chatrooms. Alas for him, he'd
previously used his pseudonym "mafiaboy" in posts that contained
more-identifying information.
Conficker worm, April 1, 2009, apparently about creating a network of email 'bots.
Putting a dollar value on indirect attacks
This is notoriously hard. One of Mitnick's colleagues (Phiber Optik?)
was facing damage claims from one of the Baby Bell companies in excess
of $100,000, when it was pointed out that the stolen document was in
fact for sale for under $25.
Mark Abene (Phiber Optik) was imprisoned for a year. That was rather long for the actual charge. Mitnick himself spent
nearly five years in prison, 4.5 of which were pre-trial. That situation is similar to that of Terry
Childs in San Francisco, who is still in prison.
Calce, Abene & Mitnick all now work in computer security. Is this
appropriate?
One theory is that gaining notoriety for an exploit is the way to get a security job. Is that
appropriate?
If not, what could be done differently?
Modern phishing attacks (also DNS attacks)
Stealing credit-card numbers from stores. (Note: stores are not supposed
to retain these at all. However, many do.)
Boeing attack, Baase p 262: how much should
Boeing pay to make sure no files were changed?
TJX attack: Baase p 87 and p 271
The breakin was discovered in December 2006, but may have gone back to 2005.
40 million credit-card numbers were stolen! And 400,000 SSNs, and a large number of drivers-license numbers.
Hackers apparently cracked the obsolete WEP encryption on wi-fi
networks to get in, using a "cantenna" from outside the building. Once
in, they accessed and downloaded files. There are some reports that
they eavesdropped on data streaming in from stores, but it seems likely
that direct downloads of files were also involved.
Six suspects were eventually arrested. I believe they have all now
been convicted; there's more information in the privacyrights.org page
below (which also pegs the cost to TJX at $500-1,000 million).
For a case at CardSystems Solutions, see
http://www.schneier.com/blog/archives/2005/06/cardsystems_exp.html.
Here the leak was not due to wi-fi problems, but lack of compliance
with standards was apparently involved. Schneier does a good job
explaining the purely contractual security requirements involved, and
potential outcomes. Schneier also points out
The TJX and CardSystems attacks were intentional, not just data gone missing.
When attacks ARE about money, often the direct dollar value is huge. And tracing what happened can be difficult. An entire bank account may be gone. Thousands of dollars may be charged against EVERY stolen credit-card number.
Here's a summary of several incidents: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP.
An emerging standard is Payment Card Industry Data Security Standard (PCI DSS), supported by MasterCard, Visa, Discover, American Express, and others. See http://www.pcicomplianceguide.org/pcifaqs.php for some particulars; a more official site is https://www.pcisecuritystandards.org.
Note that PCI DSS is not a law, but is "private regulation". Once upon
a time, the most effective regulators of steam-powered ships were
insurance companies [reference?]. This is similar, but MasterCard and
Visa are not quite the same as insurers. From the FAQ above:
It is important to be familiar with your merchant account agreement, which should outline your exposure.
If you are a store, you can refuse to pay the fine. But then you
will lose the ability to accept credit cards. This is extremely bad!
Visa's CISP program is described at http://www.visa.com/cisp.
The PCI standards do allow merchants to store the name and
account-number data. However, this is strongly discouraged. Sites that
keep this information are required by PCI to have it encrypted. CardSystems
was keeping this data because they were having a higher-than-expected
rate of problems with transactions, and they were trying to figure out why.
To some extent, PCI DSS compliance is an example of how ethical behavior is in your own long-term best interest.
Identity theft: what is it? What can be done?
And WHO IS RESPONSIBLE??
The most common form of identity theft is someone posing as you in
order to borrow money in your name, by obtaining a loan, checking
account, or credit card. When someone poses as you to empty your bank
account, that's generally known as "just plain theft".
Note that most "official" explanations of identity theft describe it
as something that is stolen from you; that is, something bad that has
happened to you. In fact, it is probably more accurate to describe
"identity theft" as a validation error made by banks and other lenders;
that is, as a lender problem.
This is a good example of nontechnical people framing the discourse to make it look
like your identity was stolen from you,
and that you are the victim, rather than the banks for making loans
without appropriate checks. And note that banks make loans without
requiring a personal appearance by the borrower (which would give the
bank a chance to check the drivers-license picture, if nothing else)
because that way they can make more
loans and thus be more profitable.
Is it ok to be "testing their security"?
What if it's a government site?
Should you be allowed to run a security scanner against other sites?
What if the security in question is APPALLINGLY BAD?
What if you have some relationship to the other host?
Baase, p 270:
"The Defense Information Systems Agency estimated that there were
500,000 hacker attacks on Defense Department networks in 1996, that 65%
of them were successful, and that the Dept detected fewer than 1%". But 1996 was a long long time ago.
Do we as citizens have an obligation to hack into our government's
computers, to help demonstrate how insecure they are?
What about hacking into Loyola's computers? Are we obligated to do that? What about
Loyola's wireless network?
Ok, failing that, what is our obligation to prevent intrusions that are not likely to be directly
harmful to us?
In 2006, Kevin Mitnick's sites were defaced by a group. There's some
irony there.
Other Baase cases:
several attacks against Chinese gov't sites, due to repressive
policies
pro-Zapatista groups defacing Mexican government sites
US DoJ site changed to read "Department of Injustice"
Legal tools against hackers
Once upon a time, authorities debated charging a hacker for the value
of electricity used; they had no other tools. The relative lack of
legal tools for prosecution of computer breakins persisted for some
time.
Computer Fraud & Abuse Act of 1986: made it illegal to access
computers without authorization (or to commit fraud, or to get
passwords)
USA PATRIOT Act:
extends CFAA, and provides that when totting up the cost of the attack,
the victim may include all costs of response and recovery. Even
unnecessary or irresponsible costs.
Trespassing?
"Trespass of Chattels": maybe.
This is a legal doctrine in which one party intentionally interferes
with another's chattels,
essentially personal property (including computers). Often actual harm
need not be proven, just that the other party interfered, and that the
interference was intentional and without authorization.
In 2000 eBay won a case against Bidder's Edge where the latter used
search robots to get information on eBay auctions. The bots used
negligible computation resources. The idea was for Bidder's Edge to
sell information to those participating in eBay auctions. In March
2001, Bidder's Edge settled as it went out of business.
Later court cases have often required proof of actual harm, though.
In 1998 [?], Ken Hamidi used the Intel email system to contact all
employees regarding Intel's allegedly abusive and discriminating
employment policies. Intel sued, and won at the trial and appellate
court levels. The California Supreme Court reversed in 2003, ruling
that use alone was not sufficient for a trespass-of-chattels claim;
there had to be "actual or threatened interference".
How do you prosecute when there is no attempt to damage anything?
Part of the problem here is that trespass-of-chattels was a doctrine
originally applied to intrusions,
and was quickly seized on as a tool against those who were using a
website in ways unanticipated by the creator (eg Bidder's Edge). Is
that illegal? Should the law discourage that? Should website owners be
able to dictate binding terms of use
for publicly viewable pages (ie pages where a login is not required)?
Kutztown 13
Students were issued 600 Apple iBooks in 2004.
The admin password was part of the school address, taped to the back! The
password was changed, but the new one was cracked too. Some of the
students got admin privileges and:
bypassed browser filtering
installed chat/IM software, maybe others
disabled monitoring software
The students were accused of monitoring teachers or staff, but that seems unlikely.
The school's security model was hopelessly flawed. Who is responsible for that?
The school simply did not have the resources to proceed properly.
The offenders were warned repeatedly. But why didn't the school simply take the iBooks away? Why were felony charges pursued? The charge was for felony computer trespass.
The school argued that the charges were filed because the students signed an "acceptable use"
policy. But why should that make any difference in whether felony
charges were pursued?
http://www.wired.com/news/technology/0,1282,68480,00.html
cutusabreak.org: now gone
Wikipedia: Kutztown_Area_high_School
Randal Schwartz
http://www.lightlink.com/spacenka/fors
Oregon made it a FELONY to do anything UNAUTHORIZED.
Also, taking a file without authorization was declared to be THEFT.
Schwartz faced three counts:
These he did as a former sysadmin, now assigned to other duties, but
still concerned about password security. All he did was to run the
"crack" program to guess passwords. This involved copying the public
/etc/passwd file, which at that time contained the encrypted passwords,
and to this day contains the username-to-userid mapping used every time
you run ls -l.
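As an added example (not from these notes), a small audit that parses passwd-format lines, shows the uid-to-username mapping that ls -l consults, and flags any account whose hash still sits in the world-readable file rather than in shadow (the condition that made running a password-guessing program against a copied /etc/passwd possible). The sample lines are constructed, not taken from any real host.

```python
from typing import NamedTuple, List, Dict

# Constructed sample of /etc/passwd-format lines (not from any real system).
# Two entries still carry a hash in field 2 instead of the shadow marker "x".
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$1$abcdefgh$ZZZZZZZZZZZZZZZZZZZZZZ:1001:1001:Old account:/home/legacy:/bin/sh
bob:ab3D9xYz0q1w2:1002:1002:Bob:/home/bob:/bin/bash
"""

class PasswdEntry(NamedTuple):
    name: str
    pw_field: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

# Values in field 2 that mean "no hash stored here": shadow pointer, or a
# locked/disabled account.
NO_HASH_MARKERS = {"x", "*", "!", "!!", ""}

def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines: seven colon-separated fields; blank and comment lines skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def uid_map(entries: List[PasswdEntry]) -> Dict[int, str]:
    """The uid -> username mapping that ls -l uses to print file owners."""
    return {e.uid: e.name for e in entries}

def owner_name(entries: List[PasswdEntry], uid: int) -> str:
    """What ls -l shows: the mapped name, or the bare numeric uid if unmapped."""
    return uid_map(entries).get(uid, str(uid))

def entries_with_exposed_hash(entries: List[PasswdEntry]) -> List[str]:
    """Usernames whose password hash is in world-readable passwd rather than shadow."""
    return [e.name for e in entries if e.pw_field not in NO_HASH_MARKERS]
```

On a real host, `parse_passwd(open("/etc/passwd").read())` followed by `entries_with_exposed_hash` should return an empty list; anything else is a hash readable by every local user.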
The appeals court argued that although "authorization" wasn't spelled out
in the law, Schwartz did things without authorization as narrowly
interpreted. The appellate court also upheld the trial court's
interpretation of "theft": taking anything without permission, even if
the thing is essentially useless or if the taking is implicitly
authorized.
The appellate court also seemed to believe that Schwartz might have
been looking for flaws to take credit for them, and that such personal
aggrandizement was inappropriate. But employees look for problems at work and try to fix them all the time, hoping to receive workplace recognition.
The Schwartz and Kutztown 13 cases have in common the idea that sometimes
the law makes rather mundane things into felonies. For Schwartz, it is
very clear that he had no "criminal" intent in the usual sense,
although he did "intend" to do the actions he was charged with.
Terry Childs
Childs was a Cisco-certified Internetwork engineer (CCIE)
working for San Francisco; he was the only one with the router
passwords for the city's FiberWAN network.
He was suspended for insubordination on July 9, 2008,
apparently for refusing to turn over router passwords. There are GOOD
reasons for limiting access to such passwords on a need-to-know basis,
BUT refusing to turn them over might be going pretty far. (However,
there are some mitigating factors, including the fact that there was an
open speakerphone call in progress at the time Childs was asked for the
passwords). There is reasonable basis for believing that dismissal is
the only resort an employer should have when dealing with an
uncooperative employee.
Childs did nothing to damage the network, and the network was never down at any time.
He was arrested by SF police on Saturday, July 12, 2008 on four counts of computer tampering.
He is still [April 2010] in prison.
He refused to give the police valid passwords at his arrest
(such refusal without having the opportunity to consult with a lawyer is protected by the 5th Amendment).
He did give the passwords to the mayor of SF, on July 21, 2008, while in prison.
Childs had some past history: he committed a burglary at age 17 and
spent 4 years in prison. This apparently has no bearing on the present
case.
The city's main claim is that Childs was arrested because he placed
the city systems in jeopardy. However:
The biggest concern to computing professionals is that San Francisco then created a
laundry list of criminal allegations against Childs that in fact are standard practices:
Childs seems to have been "security-conscious to the point of paranoia".
But most good computer-security people are!
In opposing bail reduction for Childs, the city's attorneys wrote in July 2008:
The final four charges (pretty close to the original, but none of the
tantalizing allegations of the bail-reduction motion making it in): one
of "disrupting or denying computer services" (by not revealing the
passwords) and three of "providing a means of accessing a computer,
computer system, or computer network" (one for each of the three modems).
The latter three charges were finally dropped on August 21, 2009, over a year later;
as of this writing Childs is still in prison. Bail is still set at $5
million, even though the state's original argument against bail
reduction was based on the three dropped charges and the idea that the
"unauthorized" modems might mean that Childs had other
backdoors into the city network. Also, San Francisco has had a year to
tighten up security. It is possible that the three dropped
"unauthorized modem" charges were dropped because of the impossibility
of proving that they were in fact unauthorized, though that is to some
extent exactly the defense's point.
Childs is charged with "disrupting or denying computer services". However,
note that in the first "disrupting or denying computer services"
charge, no computer services were actually disrupted. The only thing
denied was the password.
He did configure the network in a manner that made it difficult for
coworkers to reconfigure it. Was this about prudence, or job security?
He apparently did not face day-to-day clear lines of authority; he
definitely was not asked to make the master passwords available to
supervisors until the dispute.
There are no charges (as filed in
February 2009) of network tampering; these appeared in court documents in
July and August 2008 but were dropped. ("Network tampering" appears to have been
replaced by the three modem charges.)
The modems were all apparently legitimate: the first was to dial Childs' pager if there was a problem (through the What's Up Gold monitoring package),
the second was to allow immediate dial-in access to some SF networks
(not apparently the FiberWAN), and in addition was apparently installed
before Childs was hired, and the third was to provide an alternative
communications path to emergency services across the San Andreas
fault. (See http://www.infoworld.com/d/data-management/could-childs-case-put-all-network-admins-in-danger-979)
If there was any additional illegitimate purpose, it does not appear to be documented anywhere in any filings to date.