Ethics Week 13 - April 20



A brief history of hacking
Legal tools
Felony prosecutions

Baase's "three phases of hacking"

1. Early years: "hacking" meant "clever programming"

2. ~1980-~1995:  hacking for fame
  
3. post-1995: hacking for money


Stage 3: even now, not all attacks are about money.

Baase, p 259:
"In 1998, the US Deputy defense secretary desribed a series of attacks on US military computers as 'the most organized and systematic attack the Pentagon has seen to date.' Two boys, aged 16 and 17, had carried them out."
   
What about the London attack of about the same era on air-traffic control?

2000: the "Love Bug" or ILOVEYOU virus, by someone named de Guzman. If you read the subject and opened the document, an MS-word macro launched the payload.

MS-word macros were (and are) an appallingly and obviously bad idea. Should people be punished for demonstrating this in such a public way? Was there a time when such a demonstration might have been legitimate?


Yahoo ddos attack & mafiaboy, aka Michael Calce
The attack was launched in February 2000. Calce got discovered by bragging about the attack pseudonymously on chatrooms. Alas for him, he'd previously used his pseudonym "mafiaboy" in posts that contained more-identifying information.

Conficker worm, April 1, 2009, apparently about creating a network of email 'bots.

Putting a dollar value on indirect attacks

This is notoriously hard. One of Mitnick's colleagues (Phiber Optik?) was facing damage claims from one of the Baby Bell companies in excess of $100,000, when it was pointed out that the stolen document was in fact for sale for under $25.

Mark Abene (Phiber Optik) was imprisoned for a year. That was rather long for the actual charge. Mitnick himself spent nearly five years in prison, 4.5 of which were pre-trial. That situation is similar to that of Terry Childs in San Francisco, who is still in prison.


Calce, Abene & Mitnick now both work in computer security. Is this appropriate?

One theory is that gaining notoriety for an exploit is the way to get a security job. Is that appropriate?

If not, what could be done differently?


Modern phishing attacks (also DNS attacks)


Stealing credit-card numbers from stores. (Note: stores are not supposed to retain these at all. However, many do.)

Boeing attack, Baase p 262: how much should Boeing pay to make sure no files were changed?

TJX attack: Baase p 87 and p 271

The breakin was discovered in December 2006, but may have gone back to 2005.

40 million credit-card numbers were stolen! And 400,000 SSNs, and a large number of drivers-license numbers.

Hackers apparently cracked the obsolete WEP encryption on wi-fi networks to get in, using a "cantenna" from outside the building. Once in, they accessed and downloaded files. There are some reports that they eavesdropped on data streaming in from stores, but it seems likely thatdirect downloads of files was also involved.

Six suspects were eventually arrested. I believe they have all now been convicted; there's more information in the privacyrights.org page below (which also pegs the cost to TJX at $500-1,000 million).

For a case at CardSystems Solutions, see http://www.schneier.com/blog/archives/2005/06/cardsystems_exp.html. Here the leak was not due to wi-fi problems, but lack of compliance with standards was apparently involved. Schneier does a good job explaining the purely contractual security requirements involved, and potential outcomes. Schneier also points out

Every credit card company is terrified that people will reduce their credit card usage. They're worried that all of this press about stolen personal data, as well as actual identity theft and other types of credit card fraud, will scare shoppers off the Internet. They're worried about how their brands are perceived by the public.

The TJX and CardSystems attacks were intentional, not just data gone missing.

When attacks ARE about money, often the direct dollar value is huge. And tracing what happened can be difficult. An entire bank account may be gone. Thousands of dollars may be charged against EVERY stolen credit-card number.


Here's a summary of several incidents: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP.

An emerging standard is Payment Card Industry Data Security Standard (PCI DSS), supported by MasterCard, Visa, Discover, American Express, and others. See http://www.pcicomplianceguide.org/pcifaqs.php for some particulars; a more official site is https://www.pcisecuritystandards.org. Note that PCI DSS is not a law, but is "private regulation". Once upon a time, the most effective regulators of steam-powered ships were insurance companies [reference?]. This is similar, but MasterCard and Visa are not quite the same as insurers. From the FAQ above:

Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees.  Penalties are not openly discussed nor widely publicized, but they can catastrophic to a small business. 

It is important to be familiar with your merchant account agreement, which should outline your exposure.

If you are a store, you can refuse to pay the fine. But then you will lose the ability to accept credit cards. This is extremely bad!

Visa's CISP program is described at http://www.visa.com/cisp.

The PCI standards do allow merchants to store the name and account-number data. However, this is strongly discouraged. Sites that keep this information are required by PCI to have it encrypted. CardSystems was keeping this data because they were having a higher-than-expected rate of problems with transactions, and they were trying to figure out why.

To some extent, PCI DSS compliance is an example of how ethical behavior is in your own long-term best interest.

Identity Theft

what is it? What can be done?

And WHO IS RESPONSIBLE??

The most common form of identity theft is someone posing as you in order to borrow money in your name, by obtaining a loan, checking account, or credit card. When someone poses as you to empty your bank account, that's generally known as "just plain theft".

Note that most "official" explanations of identity theft describe it as something that is stolen from you; that is, something bad that has happened to you. In fact, it is probably more accurate to describe "identity theft" as a validation error made by banks and other lenders; that is, as a lender problem.

This is a good example of nontechnical people framing the discourse to make it look like your identity was stolen from you, and that you are the victim, rather than the banks for making loans without appropriate checks. And note that banks make loans without requiring a personal appearance by the borrower (which would give the bank a chance to check the drivers-license picture, if nothing else) because that way they can make more loans and thus be more profitable.


Hacking and probing

Is it ok to be "testing their security"?
What if it's a government site?

Should you be allowed to run a security scanner against other sites?

What if the security in question is APPALLINGLY BAD?

What if you have some relationship to the other host?
 
Baase, p 270:
"The Defense Information Systems Agency estimated that there were 500,000 hacker attacks on Defense Department networks in 1996, that 65% of them were successful, and that the Dept detected fewer than 1%". But 1996 was a long long time ago.

Do we as citizens have an obligation to hack into our government's computers, to help demonstrate how insecure they are?

What about hacking into Loyola's computers? Are we obligated to do that? What about Loyola's wireless network?

Ok, failing that, what is our obligation to prevent intrusions that are not likely to be directly harmful to us?


Hactivism


In 2006, Kevin Mitnick's sites were defaced by a group. There's some irony there.

Other Baase cases:
    several attacks against Chinese gov't sites, due to repressive policies
    pro-Zapatista groups defacing Mexican government sites
    US DoJ site changed to read "Department of Injustice"


Legal tools against hackers

Once upon a time, authorities debated charging a hacker for the value of electricity used; they had no other tools. The relative lack of legal tools for prosecution of computer breakins persisted for some time.

Computer Fraud & Abuse Act of 1986: made it illegal to access computers without authorization (or to commit fraud, or to get passwords)

USAP AT RIOT act:
extends CFAA, and provides that when totting up the cost of the attack, the victim may include all costs of response and recovery. Even unnecessary or irresponsible costs.
   
Trespassing?
"Trespass of Chattels": maybe. This is a legal doctrine in which one party intentionally interferes with another's chattels, essentially personal property (including computers). Often actual harm need not be proven, just that the other party interfered, and that the interference was intentional and without authorization.

In 2000 e-bay won a case against Bidder's Edge where the latter used search robots to get information on e-bay auctions. The bots used negligible computation resources. The idea was for Bidder's Edge to sell information to those participating in eBay auctions. In March 2001, Bidder's Edge settled as it went out of business.

Later court cases have often required proof of actual harm, though. In 1998 [?], Ken Hamadi used the Intel email system to contact all employees regarding Intel's allegedly abusive and discriminating employment policies. Intel sued, and won at the trial and appellate court levels. The California Supreme Court reversed in 2003, ruling that use alone was not sufficient for a trespass-of-chattels claim; there had to be "actual or threatened interference".

       After reviewing the decisions analyzing unauthorized electronic contact with computer systems as potential trespasses to chattels, we conclude that under California law the tort does not encompass, and should not be extended to encompass, an electronic communication that neither damages the recipient computer system nor impairs its functioning. Such an electronic communication does not constitute an actionable trespass to personal property, i.e., the computer system, because it does not interfere with the possessor’s use or possession of, or any other legally protected interest in, the personal property itself. [emphasis added]

How do you prosecute when there is no attempt to damage anything?

Part of the problem here is that trespass-of-chattels was a doctrine originally applied to intrusions, and was quickly seized on as a tool against those who were using a website in ways unanticipated by the creator (eg Bidder's Edge). Is that illegal? Should the law discourage that? Should website owners be able to dictate binding terms of use for publicly viewable pages (ie pages where a login is not required)?


International Airport Centers v Citrin

Generally the Computer Fraud & Abuse Act (CFAA) is viewed as being directed at "hackers" who break in to computer systems. However, nothing in the act requires that a network breakin be involved, and it is clear that Congress understood internal breakins to be a threat as well.

Just when is internal access a violation of the CFAA? Internal access is what Terry Childs is accused of.

In the 2006 Citrin case, the defendant deleted files from his company-provided laptop before quitting his job and going to work for himself. From http://technology.findlaw.com/articles/01033/009953.html:

Citrin ultimately decided to quit and go into business for himself, apparently in breach of his employment contract with the companies. Before returning the laptop to the companies, Citrin deleted all of the data in it, including not only the data he had collected [and had apparently never turned over to his employer -- pld], but also data that would have revealed to the companies improper conduct he had engaged in before he decided to quit. He caused this deletion using a secure-erasure program, such that it would be impossible to recover the deleted information.

His previous employer sued under the CFAA, noting that the latter contained a provision allowing suits against anyone who "intentionally causes damage without authorization to a protected computer". Citrin argued that he had authorization to use his company-provided laptop. The District Court agreed. The Seventh Circuit reversed, however, arguing in essence that once Citrin had decided to leave the company, and was not acting on the company's behalf, his authorization ended. Or (some guesswork here), Citrin's authorization was only for work done on behalf of his employer; work done against the interests of his employer was clearly not authorized.

Once again, the court looked at Citrin's actions in broad context, rather than in narrow technological terms.

Note that Citrin's specific act of deleting the files was pretty clearly an act that everybody involved understood as not what his employer wanted. This is not a grey-area case.

Compare this to the Terry Childs or Randall Schwartz cases. below. We don't have all the facts yet on Childs, but on a black-and-white scale these cases would seem at worst to be pale eggshell (that is, almost white). It seems very likely that Schwartz's intent was always to improve security at Intel; it seems equally likely that at least in the three modem-related charges against Childs there was absolutely no intent to undermine city security, or to act in any way contrary to what the city would have wanted if it had in fact any clue.

Felony prosecutions: Kutztown 13, Randall Schwartz, Terry Childs, Julie Amero

Kutztown 13
Students were issued 600 apple ibooks in 2004
The admin password was part of school address, taped to the back! The password was changed, but the new one was cracked too. Some of the students got admin privileges and:
                bypassed browser filtering
                installed chat/IM software, maybe others
                disabled monitoring software
The students were accused of monitoring teachers or staff, but that seems unlikely.

The school's security model was hopelessly flawed. Who is responsible for that?
The school simply did not have the resources to proceed properly.
       
The offenders were warned repeatedly. But why didn't the schools simply take the iBooks away? Why were felony charges pursued? The charge was for felony computer trespass.

The school argued that the charges were filed because the students signed an "acceptable use" policy. But why should that make any difference in whether felony charges were pursued?
      
http://www.wired.com/news/technology/0,1282,68480,00.html
cutusabreak.org: now gone
Wikipedia: Kutztown_Area_high_School
       


Randall Schwarz
    http://www.lightlink.com/spacenka/fors

Oregon made it a FELONY to do anything UNAUTHORIZED.
Also, taking a file without authorization was declared to be THEFT.

Schwartz faced three counts:

  1. Installation of an email backdoor at Intel (he thought he had some kind of permission)
  2. Taking password file
  3. Taking individual passwords

These he did as a former sysadmin, now assigned to other duties, but still concerned about password security. All he did was to run the "crack" program to guess passwords. This involved copying the public /etc/passwd file, which at that time contained the encrypted passwords, and to this day contains the username-to-userid mapping used every time you run ls -l.

The appeals court argued that although "authorization" wasn't spelled out in the law, Schwartz did things without authorization as narrowly interpreted. The appellate court also upheld the trial court's interpretation of "theft": taking anything without permission, even if the thing is essentially useless or if the taking is implicitly authorized.

The appellate court also seemed to believe that Schwartz might have been looking for flaws to take credit for them, and that such personal aggrandizement was inappropriate. But employees all the time look for problems at work and try to fix them, hoping to receive workplace recognition.


Schwartz and Kutztown 13 cases have in common the idea that sometimes the law makes rather mundane things into felonies. For Schwartz, it is very clear that he had no "criminal" intent in the usual sense, although he did "intend" to do the actions he was charged with.

Terry Childs

Childs was a Cisco-certified Internetwork engineer (CCIE) working for San Francisco; he was the only one with the router passwords for the city's fiberWAN network.

He was suspended for insubordination on July 9, 2008, apparently for refusing to turn over router passwords. There are GOOD reasons for limiting access to such passwords on a need-to-know basis, BUT refusing to turn them over might be going pretty far. (However, there are some mitigating factors, including the fact that there was an open speakerphone call in progress at the time Childs was asked for the passwords). There is reasonable basis for believing that dismissal is the only resort an employer should have when dealing with an uncooperative employee.

Childs did nothing to damage the network, and the network was never down at any time.

 He was arrested by SF police on Saturday, July 12, 2008 on four counts of computer tampering. He is still [April 2010] in prison. He refused to give the police valid passwords at his arrest (such refusal without having the opportunity to consult with a lawyer is protected by the 5th Amendment). He did give the passwords to the mayor of SF, on July 21, 2008, while in prison.

Childs had some past history: he committed a burglary at age 17 and spent 4 years in prison. This apparently has no bearing on the present case.

The city's main claim is that Childs was arrested because he placed the city systems in jeapordy. However:

  1. Refusal to share passwords is hard to see as a criminal act. After all, Childs could always quit.
  2. The city knowingly created and encouraged the environment in which Childs was the only one with the passwords.
  3. No working systems were ever at risk.

The biggest concern to computing professionals is that San Francisco then created a laundry list of criminal allegations against Childs that in fact are standard practices:

  1. Childs knew several other people's passwords. (A list of 150 such was found in Child's house, and entered into evidence at his bail hearing without redacting the passwords themselves.)
  2. He had network sniffers in place
  3. He had "back-door" access to the routers, through several modems (three in the final criminal count). But these were pretty clearly for emergency access.
  4. Routers were configured to resist password recovery (this is standard practice when the physical security of the device is in question).
  5. Configurations were not written to flash memory (same as 4)
  6. Childs' pager was sent a page by one of the routers (duh)

Childs seems to have been "security-conscious to the point of paranoia". But most good computer-security people are!

In opposing bail reduction for Childs, the city's attorneys wrote in July 2008:

In the training room locked by the Defendant, they discovered two modems that allowed access to the City's network from unauthorized locations. A further analysis of the network by Principle Security Consultant Anthony Maupin determined that the Defendant had configured multiple Cisco network devices with a command that erases all configurations and data in the event somone tried to recover the password. Further, the Defendant had created his own private network that bypassed all City monitoring and security systems. He had programs that monitored and detected any intrusions and notified the Defendant if others were monitoring or trying to access his information. The Defendant had implemented his own email server and had multiple remote access systems, some which [sic] were hidden in locked storage cabinets and connected to modems. This permitted the Defendant to access the City's network infrastructure undetected. An additional modem was discovered in a locked cabinet near his cubicle that was connected to a phone line and had access to the network.

... There are over 1100 different devices, routers, switches, modems, etc, scattered throughout the  city's offices that the Defendant may have configured and even locked with his own passwords.  ... there is a serious threat to the City's network system if the Defendant was out of custody without the City having full control over all the 1100 devices as the Defendant may have access any of these devices [sic].

The final four charges (pretty close to the original, but none of the tantalizing allegations of the bail-reduction motion making it in): one of "disrupting or denying computer services" (by not revealing the passwords) and three of "providing a means of accessing a computer, computer system, or computer network" (one for each of the three modems).

The latter three charges were finally dropped on August 21, 2009, over a year later; as of this writing Childs is still in prison. Bail is still set at $5 million, even though the state's original argument against bail reduction was based on the three dropped charges and the idea that the "unauthorized" modems might mean that Childs had other backdoors into the city network. Also, San Francisco has had a year to tighten up security. It is possible that the three dropped "unauthorized modem" charges were dropped because of the impossibility of proving that they were in fact unauthorized, though that is to some extent exactly the defense's point.

Childs is charged with "disrupting or denying computer services". However,

Note that in the first "disrupting or denying computer services" charge, no computer services were actually disrupted. The only thing denied was the password.

He did configure the network in a manner that made it difficult for coworkers to reconfiguring it. Was this about prudence, or job security? He apparently did not face day-to-day clear lines of authority; he definitely was not asked to make the master passwords available to supervisors until the Dispute.

There are no charges (as filed in February 2009) of network tampering; these appeared in court documents in July and August 2008 but were dropped. ("Network tampering" appears to have been replaced by the three modem charges.)

The modems were all apparently legitimate: the first was to dial Childs' pager if there was a problem (through the What's Up Gold monitoring package), the second was to allow immediate dialin access to some SF networks (not apparently the FiberWAN), and in addition was apparently installed before Childs was hired, and the third was to provide an alternative communications paths to emergency services across the San Andreas fault. (See http://www.infoworld.com/d/data-management/could-childs-case-put-all-network-admins-in-danger-979)
If there was any additional illegitimate purpose, it does not appear to be documented anywhere in any filings to date.

It is indeed possible that Childs decided not to have configurations written to flash memory for "job security"; ie so that, if there was a problem, he would be irreplaceable. Alternatively, it could have been because Childs was having conflicts with management and wanted them to know they couldn't work without him. There is no hard evidence, though, of this.

Childs has been in jail since July 2008. Bail is $5 million. There remains no clear-cut charge that makes sense technically. The formal allegations against Childs do not spell out any specific evidence of intent to disrupt the network (though they do not have to).

One possible reason Childs has been denied reasonable bail is the fact that a search of his residence just before his arrest turned up some 9mm ammunition, and Childs had in 1985 been convicted of a felony: armed robbery (with a knife). Possession of ammunition by a convicted felon is illegal in California (and many other states). Also, the fact that Childs had $10,000 in cash in his house was interpreted by the police as evidence that he was a flight risk. Finally, Childs lied to his supervisors when he said he had no past felony convictions, and lied again on the day of his management confrontation when he said his fiberWAN password no longer worked. Both of these are perhaps understandable, and in principle they shouldn't matter, but one doesn't know.

It does seem likely, however, that a big part of the reason Childs remains in jail is that the City keeps raising the specter that he could break in. But if he could, even a few months later, let alone close to two years, then so could anyone else, and the City's security is just plain negligent.

One plausible charge against Childs is the allegation that he configured the routers not to store their configurations, and that this was done in order that if the network crashed, only he could ressurect it. From the arrest-warrant affidavit of police officer James Ramsay:

Mr Maupin [the city's security consultant] was also able to determine and validate that Mr Childs had, in fact, intentionally configured multiple Cisco network devices with a command that erases all configuration and data in the event that someone tries to restore administrative access or tries to perform disaster recovery. This command was created for military applications that require the deployment of network devices in areas that may have the possibility of hostile forces that could get physical access to network devices.

Officer Ramsay also was the one to tell Childs initially that failure to divulge the passwords was "a denial of service as defined under Penal Code violation Section 502(c)(5)". This claim remains farfetched, at face value, given the lack of clear authority within DTIS, although it might apply if Childs had withheld the password with malicious intent.

Note that the quoted line "this command was created for military applications ..." is both misleading and a bit of a stretch. It seems likelier that the command was suggested for military applications, but even if it was created for that, so was GPS.

As for the configuration-to-erase claim, Childs' attorneys claimed in his bail-reduction motion that one of his colleagues, Carl Sian, intentionally kept (as for study) computer viruses, and later spread one to Childs (possibly accidentally). Somewhat later, Childs' supervisor Herb Tong made some technically inappropriate changes to the fiberWAN system. In light of those events, Childs may very well have felt that the "hardened" configuration of the routers was appropriate.

The early case documents are back online at http://www.infoworld.com/d/data-management/terry-childs-case-in-its-own-words-928. Child's trial is currently underway, and there is very little current news available. The trial began January 15.

Overall, it seems to me that people who work in very structured environments have no sympathy for Childs; he clearly broke the rules. Partly that is not the point; just about everyone agrees his firing was legitimate.


Julie Amero case