I. Class Mechanics: Seminar
II. Three topics:
III. Privacy and encryption: The need
IV. Encryption: The technology (Detailed information is in the FAQ
from rsa.com. Some excerpts are on p. 33 of BBB. The following is my
simplified version.)
V. The Supporting Technology: power, bandwidth, Virtual Reality
VI. Implications of strong privacy
I. Can strong privacy be stopped, and if so how?
I. About encryption:
II. Key distribution and management problems.
III. Public key as a solution to both problems.
IV. A Digital Signature serves three functions--identify sender,
prove sender, untampered text.
V. As computers get faster, they can encrypt faster, decrypt
faster, and break encryption faster.
I. Non-cryptographic attacks: Consider a simple password cracking
problem. You are a hacker who had dialed into a computer and is
trying to get privileges on it--which requires giving it a password
it recognizes as associated with a legitimate user.
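The password problem above is easiest to see from the defender's side: what the machine stores, and how it answers each attempt, decides how cheap guessing is. The following is an added example, not code from the seminar or from any system it discusses; it assumes a small in-memory user table, a PBKDF2 work factor of 200,000 iterations and a lockout after five consecutive failures, all of which are illustrative choices.

```python
# Added example: password verification hardened against the guessing
# attack sketched above. Assumptions (not from the page): PBKDF2-SHA256
# with 200,000 iterations, 16-byte random salts, lockout after 5 failures.
import hashlib
import hmac
import os

ITERATIONS = 200_000       # assumed work factor; slows every guess
LOCKOUT_THRESHOLD = 5      # assumed policy: lock after 5 consecutive failures
DUMMY_SALT = b"\x00" * 16  # used so unknown usernames cost the same time


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh salt means equal passwords hash differently,
    so one precomputed table cannot be reused across accounts."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class Authenticator:
    def __init__(self):
        self.users = {}     # username -> (salt, digest); plaintext is never kept
        self.failures = {}  # username -> consecutive failed attempts

    def register(self, username, password):
        self.users[username] = hash_password(password)
        self.failures[username] = 0

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'. Never reveals whether the
        username exists, and never compares digests byte-by-byte early-exit."""
        if self.failures.get(username, 0) >= LOCKOUT_THRESHOLD:
            return "locked"
        record = self.users.get(username)
        if record is None:
            hash_password(password, DUMMY_SALT)  # equalise timing for unknown users
            return "denied"
        salt, stored = record
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):   # constant-time comparison
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        return "denied"


def demo():
    """Constructed scenario: one legitimate login, then repeated wrong guesses."""
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")
    first = auth.login("alice", "correct horse battery staple")
    guesses = [auth.login("alice", "password%d" % i) for i in range(LOCKOUT_THRESHOLD)]
    after_lockout = auth.login("alice", "correct horse battery staple")
    return first, guesses, after_lockout
```

The three pieces each answer one part of the cracking problem: the salt defeats precomputation, the iteration count makes each guess expensive, and the lockout caps how many guesses a single dial-in session gets. Note that the lockout itself can be turned into a denial of service against a known username, which is why real systems usually combine it with per-source rate limiting rather than relying on it alone.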
II. Why does the government care about cryptography?
III. The question of standards:
I. Review:
II. On to Clipper
I. Odds and Ends
No person shall import, manufacture or distribute any device,
product, or component incorporated into a device or product, or offer
or perform any service, the primary purpose or effect of which is to
avoid, bypass, remove, deactivate, or otherwise circumvent, without
the authority of the copyright owner or the law, any process,
treatment, mechanism or system which prevents or inhibits the
violation of any of the exclusive rights of the copyright owner under
section 106.
II. How important is wiretapping? Freeh's statement
I. Non-clipper escrow solutions:
II. Function of Clipper
III. Hardware v Software encryption--can we do the equivalent of
Clipper in software?
IV. Digital Telephony bill
V. Cost/benefit calculations:
I. Readings from Chapter 6 of BBB
I. Verisign is a new firm, marketing its product as a way of
facilitating the use of digital signatures rather than an encryption
approach. Nonetheless, it may be very important for the spread of
strong privacy. Information can be found at:
http://www.verisign.com/faqs/id_faq.html and, in much briefer form,
below.
II. How does a digital signature work?
II. So far we have assumed the recipient already has the sender's
public key. We now drop that assumption. The sender can, of course,
send the recipient his public key--but how can he prove that public
key XYZ really belongs to person P? Until he does so, he cannot
provide a digital signature--and without a digital signature, he
cannot prove that the message is really being sent by him.
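To make the three functions of a digital signature concrete, and the gap a certificate fills, here is an added example; it is not the seminar's code and it does not use RSA as the rsa.com FAQ does. It substitutes a hash-based one-time signature (Lamport's scheme, which needs only SHA-256 from the standard library) for the public-key algorithm, and it assumes a single trusted certifying party whose public key the recipient already holds, standing in for what the Verisign section below describes.

```python
# Added example: digital signatures and certificates with a hash-based
# one-time scheme (Lamport). Assumptions (not from the page): SHA-256,
# one CA key pair that the recipient already trusts, one key per message.
import hashlib
import secrets

H = lambda data: hashlib.sha256(data).digest()
N = 256  # bits in a SHA-256 digest; one key pair per bit


def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bit(digest, i):
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk, message):
    """Reveal, for each bit of the message digest, the matching secret.
    Each private key must be used ONCE: a second message leaks the other halves."""
    digest = H(message)
    return [sk[i][_bit(digest, i)] for i in range(N)]


def verify(pk, message, signature):
    """Untampered text + proof of sender: every revealed secret must hash to
    the public value selected by the digest of the message we actually got."""
    if len(signature) != N:
        return False
    digest = H(message)
    return all(H(signature[i]) == pk[i][_bit(digest, i)] for i in range(N))


def pk_bytes(pk):
    return b"".join(a + b for a, b in pk)


def issue_certificate(ca_sk, name, pk):
    """The certifying party binds identity to public key by signing the pair.
    This is what answers 'does key XYZ really belong to person P?'."""
    body = name.encode() + b"\x00" + pk_bytes(pk)
    return {"name": name, "pk": pk, "ca_sig": sign(ca_sk, body)}


def verify_certificate(ca_pk, cert):
    body = cert["name"].encode() + b"\x00" + pk_bytes(cert["pk"])
    return verify(ca_pk, body, cert["ca_sig"])


def verify_signed_message(ca_pk, cert, message, signature):
    """Recipient holds only the CA's public key; the certificate carries the
    sender's. A valid message signature under an unverified key proves nothing."""
    return verify_certificate(ca_pk, cert) and verify(cert["pk"], message, signature)


def demo():
    """Constructed exchange: genuine message, tampered message, impostor."""
    ca_sk, ca_pk = keygen()
    p_sk, p_pk = keygen()
    cert = issue_certificate(ca_sk, "P", p_pk)
    msg = b"pay 100 to Q"
    sig = sign(p_sk, msg)
    genuine = verify_signed_message(ca_pk, cert, msg, sig)
    tampered = verify_signed_message(ca_pk, cert, b"pay 900 to Q", sig)
    # Impostor makes a key pair and a certificate naming "P", signed by a CA
    # nobody trusts; the recipient's check against ca_pk rejects it.
    fake_ca_sk, _ = keygen()
    i_sk, i_pk = keygen()
    fake_cert = issue_certificate(fake_ca_sk, "P", i_pk)
    impostor = verify_signed_message(ca_pk, fake_cert, msg, sign(i_sk, msg))
    return genuine, tampered, impostor
```

The identify/prove/untampered triad falls out of `verify`: the signature only checks against the public key it was made with and the exact bytes that were signed. The certificate step is separate and is the one a recipient most often skips in practice; without it, "signed by P" means only "signed by whoever sent me this key". The one-time restriction is specific to the Lamport stand-in, not to RSA, and is the reason it is rarely used outside hash-based schemes designed around it.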
III. What Verisign is doing:
IV. Who are they?
V. Details:
VI. Is a digital signature legally valid? We don't know yet.
VII. Verisign can be viewed as a Trojan Horse for Public Key
Encryption!
0: Guest Lecturer--Silicon Valley's Computer Cop. Some bits.
I. Review Digisign
II. The new hole in Netscape Security?
III. Economic espionage problem?
IV. DSS--was the trap door intentional?
V. Is ITAR constitutional?
I. Lund v Commonwealth of Virginia 232 S.E. 2d 745 (Va.
1977); SC of VA
II. United States v. Seidlitz 589 F.2d 152 (4th Cir. 1978)
III. United States v Jones 553 F. 2d 351 (4th Cir. 1977)
IV. The People of New York v. Robert Versaggi
I. If someone wants to do a paper on the pretensions of the
Attorney General of Minnesota to rule the internet, some interesting
questions might be:
II. The Hacker Crackdown: The sociology of computer crime
III. U.S. v. Robert Riggs (and Craig Neidorf)
IV. Unix source code cases. 1990.
VI. Review: Issues raised by the criminal cases.
VII. Steve Jackson case:
2. When is that legal?
VIII. "Sending a Message"
IV. Sociology issue: "Those Kids aren't Criminals"
V. Odds and Ends:
"However, the problem is becoming moot, as Cancelmoose(tm)
(moose@cm.org) has devised a new mechanism, called NoCeM, that will
let you set your system to respond however you'd like to PGP-signed
requests from people you authorize, where responses include things
like not showing you the postings and showing you only the postings
that are named in the requests. So you can get a lot more control
over spam without having to open your system up to forgeable
cancels."
According to Restatement (2d) of Torts sec. 623A,
I. The old nightmare: Computers as the end of privacy.
II. Public Fork:
- A. Merriken v. Cressman: A school drug prevention
program
- 1. The proposal:
- a. Collect lots of personal information about kids
- b. Without getting informed consent from parents
- c. And use it to figure out which ones are at risk of
drug use, in order to
- d. Take preventive action.
- 2. Arguments against it:
- a. If you decide a kid is likely to use drugs, that may
be a self-fulfilling prophecy or lead to scapegoating by
other children.
- b. Gathering the information may be a violation of
family privacy and the child's loyalty
- c. "Preventive action" means incompetent psychotherapy
by amateurs
- d. Inadequate precautions to keep the information
private.
- 3. Constitutional issues:
- a. Privacy, freedom of speech, etc.
- b. No consent to waiver of rights (even supposing they
are waivable).
- c. A balancing test is appropriate, but goes heavily
against permitting the program.
- B. Robert P. Whalen v. Richard Roe. Can NY state
maintain a file of names and addresses of those who have gotten a
prescription for controlled substances?
- 1. Precautions by state--barbed wire, locks, 17 people have
access, 24 might get it.
- 2. After 20 months, data had been used in two
investigations.
- 3. District court enjoined enforcement of that part of the
statute as a needlessly broad infringement on the privacy of
patients.
- 4. Supreme Court: Legislation that has some effect on
liberty or privacy need only be a reasonable attempt to achieve
a legitimate state goal; it cannot be enjoined just because the
court thinks it is unnecessary.
III. Rogan v City of Los Angeles
- A. Against a municipality, must show
- 1. deprivation of protected interest
- 2. due to an official policy etc.
- B. Erroneous information, identifying Rogan as a wanted murder
suspect. Suspect (escapee) had gotten his birth certificate.
- 1. Readily available information that would avoid confusion
was not included: the real suspect's physical characteristics. Also
a bulletin, more narrowly distributed, with that info.
- 2. Rogan arrested, held, checked, wrong man, released--five
times.
- 3. The information was repeatedly reentered, as per policy,
with no checking.
- C. Plaintiff deprived of rights because
- 1. NCIC record violated fourth amendment particular
description requirement.
- 2. Maintenance and reentry caused further arrests without
due process of law.
- D. By policy of L.A.?
- 1. Police officers were not trained in how to amend
information in the system or the need to do so.
- 2. They did not even know it was possible to do so, nor did
they consider doing so after initial misidentification
incidents.
- 3. Crotsley had a policy, inconvenient to victim, for
dealing with such situations.
- E. Result
- 1. L.A. is liable.
- 2. Officers are not because of qualified immunity.
IV. Private fork: Thompson v San Antonio Retail Merchants
Association
- A. Automatic capture of information--strengths and weaknesses.
- 1. Cheap and easy way of adding information, but ...
- 2. Individual merchant may be careless, since he does not
pay costs of error.
- 3. Did in fact misidentify one William D. Thompson (bad
debt) with another and
- 4. Wards denied the latter credit.
- 5. He thought it was because of a recent past felony
conviction for burglary (probation)
- 6. Took a lot of trouble and a court suit to get them to
fix their records
- B. Is SARMA testifying to facts or transmitting them?
- 1. Suppose the information was added to the data base with
a note of its source? Can SARMA then shift the blame and the
liability to the merchant who reported the information?
- 2. Is it libel to report another's libel? Yes, often. So
shifting the liability will not work--they will both be liable.
- C. FCRA imposes duty of reasonable care--which was not met
here.
- D. Damages. $10,000+costs
- 1. Humiliation and mental distress, because ...
- 2. He was falsely suspected of reneging on a $77 debt, when
...
- 3. He was in fact only a convicted felon!
- 4. One suspects punitive etc. motives in the court.
V. Fair Credit reporting act.
A. § 609 Disclosures
1. Credit agency must provide subject with all nonmedical
information it has on him,
2. Provide him the sources except for investigative consumer
reports, and
3. Tell him who the recipients of the information are.
4. The act immunizes credit bureaus against defamation suits and
the like, except for violating specific provisions or acting with
malice.
B. § 611 Procedure for disputing and recording
disputes, and correction.
C. § 613 Public Record Information for employment
1. Information goes to court or grand jury, or anyone the subject
wants it to go to, or to anyone with a legitimate business purpose in
connection with a transaction involving that subject.
2. Legal rules on when information becomes obsolete.
a. Why? Bankruptcy 10 yrs.
b. Only applies to small transactions.
III. Obscenity on-line
A. Obscenity vs Indecency
1. Obscene--It is constitutional to forbid people in general from
reading it. A work is obscene if:
a. The average person, defined by community standards, would find
that the work as a whole appeals to the prurient interest, and
b. The work depicts or describes, in a patently offensive way,
sexual conduct specifically defined by the applicable state law, and
c. The work, taken as a whole, lacks serious literary, artistic,
political or scientific value. Not defined by local community
standards.
2. Indecent--may be kept from children, but not from adults
(except to the extent that keeping it from adults is an unavoidable
consequence of keeping it from children).
3. Sable Communications v FCC:
a. The invention of Dial-a-porn resulted in a series of acts,
regulations, suits on how much the providers could be constrained in
order to protect children.
b. 1988 act--total ban on both obscene and indecent, no FCC
regulations to limit serving children required.
c. The court held that banning obscene speech is constitutional,
even though the standard of obscenity will vary from place to place.
The burden is on the provider to tailor its product accordingly.
d. Indecent speech is protected by the 1st amendment, so the law
must restrict it more narrowly to only protect children. That part of
the 1988 act is unconstitutional.
e. FCC v Pacifica--banned dirty words only by time of day.
And broadcasting "can intrude on privacy without prior warning as to
program content, uniquely accessible to children, even those too
young to read." "Captive audience, ... unwilling listeners." So the
case for regulating radio is stronger than for regulating telephone
conversations.
f. Alternatives suggested by the FCC: require credit card, an
access code obtained by providing proof of age, or a scrambler only
sold to adults.
g. Dissent (Brennan, Marshall, Stevens) holds that imposing
criminal penalties for distributing obscene material to consenting
adults is constitutionally intolerable, because of the vagueness of
the definition of obscene, hence chilling effect.
B. How does this apply to networks?
1. The act applies to anyone who: "Makes obscene communication by
means of telephone for commercial purpose" or "permits any telephone
facility under such person's control to be used for ..." That might
apply to Compuserve EMail and other forms of electronic communication
to people using modems over telephone lines. Even if the EMail or
posting is not made for commercial purposes, you could argue that its
transmission (by Compuserve, or a commercial net access provider) is.
2. A future act directed at networks would raise constitutional
issues similar to those in Sable. Obscene could be prohibited
but indecent could probably not be if less extreme alternatives were
available. The difficulty of dealing with a multitude of community
standards would not prevent such an act.
3. Currently, alt.talk.sex is not under the act because it is not
commercial. But access providers arguably are!
C. Technical issue--possible control and associated liability.
1. Posters must identify themselves via digital signature. Require
the poster of indecent or obscene material to restrict his post to
"World minus K12," or "World minus Prudes."
2. Posting machine--require users to label posts as "adult only,"
"PG," ... ?
3. Receiving machine--require it to provide its community
standards in a way that makes it possible for posters to include it
out if their posts would offend its community.
4. Who defines the code--courts? Internet standards committee?
5. What about an owned information utility such as Compuserve or
AOL? Must they require age evidence for customers?
492 U.S. 115, 109 S.Ct. 2829
FCC proposed regs: credit card, ID gotten through the mail, time
of day (set aside by court of appeals as too narrow and too broad).
Set aside for failure to consider customer premises blocking.
Proposed third alternative of scrambling, unscrambler only for
adults.
2nd ct of appeals upheld this stuff, but invalidated the statute
wrt non-obscene.
statute amended to ban all dial-a-porn, adults and children.
Obscene part upheld. Justice BRENNAN, with whom Justice MARSHALL
and Justice STEVENS dissent.
Indecent part not narrowly enough tailored
Mark Twain Bank and Chaum's digicash are now offering Chaumian
digital cash. So one more of the requirements for strong privacy is
in place.
U.S. v Thomas
I. Why it matters:
Interactive Services Association: Not just obscenity. defamation,
franchise, real estate laws, ...
II. Tangibility, means of transmission:
Does law apply only to tangible objects? U.S. v. Carlin is the only case
to interpret this. Phone sex case under 18 USC 1465: "facility or means of
interstate commerce" != "any means of communication," as the judge
instructed the jury. Congress could have added computer, phone terms to
the statute; it did for child porn, did not here when revised. AG had given
the opinion that 1465 did not cover phone transmission. Not "by
private conveyance" (the section the govt chose to rely on).
[Prosecution denies tangible, claims Carlin was wrong.]
III. Who transported it?
Transfer initiated by customer.
like Buying book and bringing it home. They paid for the call.
Civil analog.
IV. What is the relevant community?
CA? Local police had seized, looked at, released. Not child porn.
Computer community. World? Customers of that BBS?
"the States have a legitimate interest in prohibiting dissemination
or exhibition of obscene material when the mode of dissemination
carries with it a significant danger of offending the sensibilities
of unwilling recipients or of exposure to juveniles." Miller v CA
1973.
Community is users. So no need for laws--if violated, users go
elsewhere.
EFF argues that ... No impact on the local community. Like reading
a book. Can screen out children. Much better filtering.
Miller court said community standard rule might result in "some
possible incidental effect on the flow of [otherwise protected]
materials across state lines," acceptable because only "incidental."
This is more than incidental. So District court should have weighed
chilling effect against Tennessee interest--case of first impression.
V. Could they guard against?
1. Descriptions free and obscene. (but not themselves appealing to
prurient ...)
2. Thomas had to call inspector in Tennessee to acknowledge
receipt of membership application. But did not know thereafter where
inspector was calling from!
3. Inspector claims that Thomas knew he was sending them child
porn; Mr. Thomas denied it.
4. No harder than Sable, but ...
5. Precedent for the Internet?
VI. Reasons for special laws:
This is an especially good first amendment medium--low entry
barriers, interactive, ... Open to unpopular speakers--easily
chilled.
Could use electronic community, or could prosecute the buyer, who
affirmatively acts to bring material into his community.
Or balancing test according to how much is obscene where, and how
easy to bar from particular places.
ACLU: stream of 1s and 0s en route, only became obscenity in the
receiver's house. Expand Stanley v Georgia.
EMail on Thomas' network.
Scanned pictures.
Transport for purpose of sale or distribution? After sale.
Child porn frame: mailed magazines to Mr. Thomas, watched Mrs.
pick up the envelope, followed her home, executed search warrant.
Acquittal on child porn charges.
Jury was shown or told about lots of stuff not included in the
charges. inflammatory.
Acceptance of responsibility.
Also mailed videotapes.
Misleading advertising.
Should they have used the Sable statute?
Will this become irrelevant with internet from Netherlands?
I. Review of U.S. v Thomas and related stuff.
- A. Applying Miller: Relevant community standards?
- B. Revising Miller for a new technology.
II. Odds and ends.
- A. Teens on AOL
- B. Under CDA who is the offender? Does it depend on ...
- Here's a bit of scariness with some privacy implications. If you've got the Netscape browser running on your micro, click on "Net Search"...one of the items is called "Deja News" which will basically search through the dejanews Usenet archives for a certain search string.
- The URL is "http://www.dejanews.com" and it works from all browsers...even lynx (text browser).
- The search will return a list of articles and who posted them.
- You can "click" on the article to see the actual article posted ...OR... You can "click" on the poster of the article and the dejanews server will give you an "Author profile" which lists how many articles you post to which news groups! I look at my profile and I can see that I am a VMS/DEC person with interest in SNMP, network management, and privacy (from my previous posts to comp.society.privacy). I also probably have some cisco equipment at my site due to one post in comp.sys.cisco.
III. Computer Crime:
A. Jerry Schneider and Pacific Tel. Got into the order system.
Stole/ordered equipment. 40 days in jail. Computer security
consultant.
B. Stanley Mark Rivkin. Working on backup system for a bank wire
room.
- 1. Authorized employee with code system--on a piece of paper in
the wire room.
- 2. Called, identified himself as from Intl div, requested 10.2
million to his account in NY, to Swiss bank.
- 3. Russalmaz got telegram "from" head of the wire room,
identifying Lon Stein as representative, purchasing diamonds for
the bank.
- 4. Stein got baggage ticket, flew to Luxembourg, looked at
pack--diamonds.
- 5. Told his attorney who had come up with diamond idea; attorney
went to FBI.
- 6. Tried to get acquaintance to sell diamonds for him; news
story; acquaintance went to FBI.
- 7. Asked acquaintance to mail money back to another friend.
FBI followed, found him.
- 8. Out on bail, got someone to try to make relevant contact
for a repeat--with an undercover FBI agent. 8 year sentence.
- 9. Expert in computer, not crime. Posturing?
- C. 75% by employees.
- D. Fry Guy. 1989
- 1. Call customer of Credit Systems of America--credit card
numbers and credit info. Get customer's ID info by claiming to be
from CSA: acct # and password.
- 2. Called in as customer, wandered around, got to staff area,
found local resident with valid credit card. So far could
have done without computer.
- 3. Rerouted victim's incoming calls to phone booth in
Paducah, from there to him.
- 4. Called Western Union, wired $687 to its Paducah office to be
transferred to a friend, gave victim's credit card. They called
back to confirm. Confirmed. Reprogrammed everything.
- 5. Repeat with another victim.
- 6. Phone hacking. But could also reverse--change phone
number in relevant records to booth.
- E. Captain Zap:
- 1. Hack into credit agency, create good credit rating for
an imaginary company.
- 2. Hack into supplier, create real-world paper trail. cut
order, pay invoice, write delivery manifest, deliver to a mail
drop.
- 3. Caught by connection to the mail drop.
- 4. $500,000
- 5. Plea bargain to $1000 fine + 2 1/2 yrs probation. 1981
- 6. State laws thereafter, fed started 1986
- F. First worm at PARC. To do housekeeping. Left it one night,
found it all over the place, killed it, abandoned the project.
- G. Virus blackmail?
- 1. Junk mail diskette with unique license--threat. in small
print. To list of a UK magazine.
- 2. Info on AIDS, interactive.
- 3. Counted bootups, after 90 started encrypting files and
hiding programs.
- 4. Asked for money to Panama City address.
- 5. Did considerable damage.
- 6. Attempt to call number coincided with U.S. invasion of
Panama. Marine answered.
- 7. Bogus Nigerian businessmen.
- 8. Caught man because crazy. Company seal in his bags.
Amsterdam police.
- 9. Unfit to stand trial. Or a legitimate business device.
(disabling program precedent)
- 10. Extradited to Britain. Got crazy enough not to be
tried.
- 11. A million disks in his house.
- 12. Would it work if done intelligently?
- 13. Against one corporation?
How we would do it:
A. Subvert company, sell short.
B. Time bomb customers, blackmail company.
C. Are we too late?
- H. Market in Computer Crime?
- 1. Need division of labor.
- 2. Offshore data havens.
- 3. Market in live credit cards.
- 4. In free long distance: sidewalk enterprise, free calls
on pay or cellular.
- 5. $1.4 million in 4 days against one PBX. $10/call?
- I. Leslie Lynn Doucette. Hacker service industry.
- 1. Gets a number from someone over the phone.
- 2. Check it by hacking or calling a chat line phone number.
- 3. PBX has a long distance from 800 option. Use for
communication.
- 4. Voice mail computers as bulletin boards.
- a. Hacker boards were known, monitored--credit cards
could be cancelled.
- b. Find an empty box in a voice mail system, use it. Low
security because ...
- c. Leave lists of verified codes.
- d. Subordinates pick up, get money, send to her.
- 5. Real estate man found his voice mail system overloaded
with free riders.
- 6. Secret Service had tip about Doucette from Canada
(convicted, left)
- 7. Informants said Chicago.
- 8. Dialed Number Recorder on her phone.
- 9. Then on her 5 major subordinates.
- 10. Plea Bargain, 27 months, 1990. claimed $1.6 million in
losses.
- J. Citibank hack. N.Y. recent. EFT intercept.
- 1. On Telenet. Trial and error found addresses for a bunch
of Citinet banks.
- 2. Found a computer that might be for EFT, got in through
default password left active, created program to log all
transmissions to their file.
- 3. Next day logged on, bingo. Captured hundreds of
transactions, vanished w/o a trace.
- 4. Opened a numbered Swiss Account. Got birth certificates,
new ID and SS#
- 5. Opened accounts at six banks in Houston and Dallas.
- 6. Rigged Citicorp computer to send to their Telenet
terminal, collected, returned acknowledgement. Real transfers.
- 7. Then transferred the money to the Swiss bank, then
withdrew to U.S. accts $7,333 each (below notice requirement).
- 8. End of week each get $66,000.
- 9. Citibank denies. Is it true? Posted to a BBS.
0: New stuff:
- A. New Computer crime: explain. dejaNews?
- B. British doctors vs British spies
- C. CMU to censor "obscene" newsgroups.
- D. Canadian cases--child porn text story got a BBS in trouble.
Computer created child porn pictures got someone else in trouble..
I. Review:
- A. Filling out the Rivkin story. He was setup for the second
charge because there were legal problems with first.
- B. One other way of profiting by a virus--be in the fixit
business.
II. Low tech computer crime:
- A. Name vs number story. Caught because W-2 too high. Solution.
- B. Criminal on work furlough--job in accounts payable of city
govt.
- 1. Duplicate vouchers, changed addresses
- 2. Cashed and converted into gold coins etc.
- 3. Eventually spotted duplicates.
- 4. Trying for sixteen million, caught past one.
- C. Sabotage out of boredom story.
- D. ATM repair scam.
III. Another extortion--all tapes and backups and backups of ...
Caught on payoff.
IV. Stealing services from ex-employer. Thought it was all
right--they would have ...
- Milling machine tapes.
- Was helping their customers, plus providing free services for
new employer that would have been offered free as marketing.
- Probation and restitution
- Lesson about psychology of morals.
V. Leslie Lynn Doucette. Hacker service industry.
- 1. Gets a number from someone over the phone.
- 2. Check it by hacking or calling a chat line phone number.
- 3. PBX has a long distance from 800 option. Use for
communication.
- 4. Voice mail computers as bulletin boards.
- a. Hacker boards were known, monitored--credit cards could
be cancelled.
- b. Find an empty box in a voice mail system, use it. Low
security because ...
- c. Leave lists of verified codes.
- d. Subordinates pick up, get money, send to her.
- 5. Real estate man found his voice mail system overloaded
with free riders.
- 6. Secret Service had tip about Doucette from Canada
(convicted, left)
- 7. Informants said Chicago.
- 8. Dialed Number Recorder on her phone.
- 9. Then on her 5 major subordinates.
- 10. Plea Bargain, 27 months, 1990. claimed $1.6 million in
losses.
VI. Market in Computer Crime?
- 1. Need division of labor.
- 2. Offshore data havens.
- 3. Market in live credit cards.
- 4. In free long distance: sidewalk enterprise, free calls on
pay or cellular.
- 5. $1.4 million in 4 days against one PBX. $10/call?
VII. Check Kiting story.
- A. Explain kiting
- B. Use of computer
- C. Crash--and crash.
VIII. Card counting? Not illegal. $10,000 materials, $390,000
labor.
Four teams, eleven people. In 22 days made $130,000. Two systems
captured, FBI reported just a computer. No indictments.
IX. How much computer crime? Total of 1000 1958-1981 tabulated.
Flat about 1973.
Financial>Govt>Student
X. Suppose you discover a hole ... Responsible you.
- A. Real example.
- B. Problem--practical
- C. legal.
XI. Protecting one program from another.
- A. Old version--multiuser mainframe
- B. New version--many programs in micro.
- C. How to do it.
- D. Market inside computer approach. Some programs might cheat.
- Wednesday, John Domingue on university obscenity issues. I
should read up on CMU case.
I. Bank slip story.
II. How to predict the future:
- A. The non-obvious consequences of what is already in place.
- 1. Heinlein and the car.
- 2. word processor->end of secretary as typist. Irvine.
- B. The consequences of what is already invented. Computer
--> word processor
- C. What will be invented.
III. What is already in place: How is the (computer) world
different from 15-20 years ago (and most of our crime experience)?
- A. Then it was small number of big machines, many handling
large sums, lots of custom software, lots of people who knew
little about computers. Inverted hierarchy age/expertise.
- B. Lots of small machines.
- 1. Running almost entirely off-the-shelf software
- 2. Many of them networked
- 3. Most of them controlling small amounts of wealth.
- 4. Few with encryption or digital signatures.
- 5. Many belonging to people who do not know very much about
computers
- C. Many bigger machines
- 1. With lots of communication, but ...
- 2. Firewalls where necessary.
- 3. Encryption and digital signatures where necessary, or
rapidly coming online.
- 4. Mostly off the shelf software?
- 5. Mostly run by people who know a fair amount about
computers?
IV. Implications for computer crime:
- A. Then: Programming scams. Data entry scams. Hacking mostly
for fun. Viruses (the only micro crime) mostly for fun. Piracy.
Use as a tool. Theft of services. Information theft.
- B. How do those come across to now?
- 1. Programming scams only via bogus versions, illicit
modification.
- 2. Data entry over the net?
- 3. A thousand hackers wouldn't get noticed.
- 4. Tool and piracy--always. Much more.
- 5. Theft of services? Maybe use of lots of machines at
once???
- 6. Information theft?
- a. Via net, less because of firewalls, but ...
- b. Still via EMail interception. Computerised searching?
- c. Still from employees--unchanged.
- C. New possibilities:
- 1. High volume low amount scams, such as:
- a. Blackmail scheme suggested (alternate
explanation--also volume scam)
- b. Chain letters.
- c. Any fraud where cheap communications are key--lots of
them.
- d. But payoff is still a weak link; on the other hand ...
- e. Most of it can be done secretly abroad, by experts.
- 2. Modifying or fooling off-the-shelf software. Again high
volume with computer bill paying and the like.
- 3. Large amount crimes that depend on holes in the
encryption etc. scheme.
- a. This is what computers were--inverted hierarchy.
- b. Hackers again? Clever tech + social engineering.
- 4. Information theft
- a. via equivalent of wiretap for EMail.
- b. via equivalent of hacking--get into the unprotected
computers. Who has info worth stealing?
- 5. International net?
- a. Using one country to do things illegal in another
(Porn: Neth->US, Heresy U.S.->Iran, Piracy:
China->US)
- b. Violating labor laws on a large scale. Child etc.
- c. Coordinating a crime outside of the jurisdiction.
Division of labor.
- D. Are the old crimes dead?
- 1. Data entry an option for a while, but ...
- a. as more done over the net by originator ... .
- b. shifts to a network interception crime instead.
- 2. hacking gets lost in forest
- a. Unprotected small machines in the tens of millions,
small amounts at stake.
- b. Big machines protected.
- c. What about--Foreign geeks 20 hrs before a screen?
- 3. Contract programming scams down--off the shelf.
- 4. Theft of services? Unlikely. Processing power so cheap,
stolen is inconvenient.
- a. What about foreigners,
- b. With net connections, without access to bigger
machines?
- c. Kids ditto? Unlikely.
V. Next step: Crime in a world of strong privacy.
I. More suggestions on crimes in the new world?
- A. Crimes depending on large numbers, connectivity?
- 1. What crimes became possible with the phone? Some con
games?
- 2. What about victimless crimes?
- a. Gambling is easy with digital cash
- b. Phone sex from outside the U.S.
- 3. What about crime info? ANFO or phone phreaking info to the
world?
- 4. harassment: Tell the world my VISA number. Phonecharge
number.
- 5. Blackmail--we won't do 4 if ... .
- 6. Blackmail: Information exchange. Automate it with real
info. How do you know it is real? Victim pays. If not, send it
to appropriate target (also provided by subcontractor).
- B. Depending on crypto ignorance?
- C. Other?
II. How do you prevent these?
- A. Passive.
- 1. Checksums on CDRom or equivalent? Other techno
protections?
- 2. Firewalls inside computers, bringing only data off the
net?
- 3. Software that requires active confirmation for cash
transfers?
- B. Active:
- 1. FTC or equivalent prowling the net? How do you find
perps?
- 2. Vigilantes?
- 3. Reliable data banks on scams?
- 4. Filters for rent--like surfwatch.
- 5. Fight info with info.
- C. Framework:
- 1. Digital signatures. 10 million 100 byte records on one
CDROM.
- 2. Sites that only accept signed and verified messages.
- 3. Auto encrypting stuff a la Netscape to prevent
interception/altering.
- 4. Caveat Creditor.
- D. Are there interesting niches? For lawyers?
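The passive defenses listed under II.A ("checksums on CDRom or equivalent") and the summary's "mechanisms for checking data integrity--CDRom for example" both describe one idea: a reference manifest of digests kept where an intruder cannot rewrite it, checked against the live machine. The following is an added example, not the seminar's code; it assumes SHA-256, a small constructed directory tree built in a temporary folder, and a manifest that in practice would live on read-only media or be signed.

```python
# Added example: an integrity manifest for off-the-shelf software, of the
# kind the notes above propose keeping on CD-ROM. Assumptions (not from the
# page): SHA-256 digests, relative paths with "/" separators, a constructed
# sample tree built in a temporary directory.
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path) to its digest.
    The result is what gets burned to read-only media at install time."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_manifest(root, manifest):
    """Compare the live tree against the trusted manifest. Reports three
    conditions, because a trojaned binary, a deleted audit log and a
    dropped-in extra DLL are all evidence, and none implies the others."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: take a manifest, then alter the tree three ways."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "pay.exe").write_bytes(b"original bill-paying program")
        (root / "readme.txt").write_text("constructed sample file")
        manifest = build_manifest(root)          # this copy goes to the CD-ROM
        clean = check_manifest(root, manifest)
        (root / "bin" / "pay.exe").write_bytes(b"modified bill-paying program")
        (root / "readme.txt").unlink()
        (root / "extra.dll").write_bytes(b"file that was never installed")
        return clean, check_manifest(root, manifest)
```

The check only means something if the manifest is harder to alter than the files it describes, which is exactly why the notes reach for read-only media; a manifest stored on the same writable disk is just one more file for the intruder to update. The same structure works for the "sites that only accept signed and verified messages" item if the manifest is signed rather than burned.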
Computer Crime Summary
I. Old technology:
- A. Small number of big machines, many handling large sums,
lots of custom software, lots of people who knew little about
computers. Inverted hierarchy age/expertise.
- B. Programming scams. Data entry scams. Hacking mostly for
fun. Viruses (the only micro crime) mostly for fun. Piracy. Use as
a tool. Theft of services. Information theft.
- C. Problem of division of labor in illegal markets.
II. Current technology: Crime based on what is here now.
- A. Lots of small machines.
- 1. Running almost entirely off-the-shelf software
- 2. Many of them networked
- 3. Most of them controlling small amounts of wealth.
- 4. Few with encryption or digital signatures.
- 5. Many belonging to people who do not know very much about
computers
- B. Many bigger machines
- 1. With lots of communication, but ...
- 2. Firewalls where necessary.
- 3. Encryption and digital signatures where necessary, or
rapidly coming online.
- 4. Mostly off the shelf software?
- 5. Mostly run by people who know a fair amount about
computers?
- C. Old crimes?
- 1. Programming scams only via bogus versions, illicit
modification.
- 2. Data entry over the net?
- 3. A thousand hackers wouldn't get noticed.
- 4. Tool and piracy--always. Much more.
- 5. Theft of services? Maybe use of lots of machines at
once???
- 6. Information theft?
- a. Via net, less because of firewalls, but ...
- b. Still via EMail interception. Computerised searching?
- c. Still from employees--unchanged.
- D. New possibilities:
- 1. High volume low amount scams, such as:
- a. Blackmail scheme suggested (alternate
explanation--also volume scam)
- b. Chain letters.
- c. Any fraud where cheap communications are key--lots of
them.
- d. But payoff is still a weak link; on the other hand ...
- e. Most of it can be done secretly abroad, by experts.
- 2. Modifying or fooling off-the-shelf software. Again high
volume with computer bill paying and the like.
- 3. Large amount crimes that depend on holes in the
encryption etc. scheme.
- a. This is what computers were--inverted hierarchy.
- b. Hackers again? Clever tech + social engineering.
- 4. Information theft
- a. via equivalent of wiretap for EMail.
- b. via equivalent of hacking--get into the unprotected
computers. Who has info worth stealing?
- 5. International net?
- a. Using one country to do things illegal in another
(Porn: Neth->US, Heresy U.S.->Iran, Piracy:
China->US)
- b. Coordinating a crime outside of the jurisdiction.
Division of labor.
- E. Defenses?
- 1. Firewalls etc. inside ordinary micro computers.
- 2. On line information providers about scams, etc.
- 3. Entrapment by law enforcement.
- 4. Mechanisms for checking data integrity--CDRom for
example.
- 5. Note that info can be distributed using digital
signatures from manufacturer.
- F. New legal issues?
- 1. Does software manufacturer have a cause of action
against software that alters covertly? against someone else for
negligence in permitting it?
- 2. International law issues:
- a. Minnesota equivalent.
- b. How active are we willing to be? Panama invasion?
- 3. Others?
II. Farther future: Strong Privacy
- A. Assumptions: Clipper and Son of Clipper fail. Widespread
digital signatures, public key encryption, remailers, etc.
- B. Pirate archives:
- 1. Enforcement goes to the user level.
- 2. What if firms have anonymous employees?
- 3. Enforcement by contract.
- 4. Live without IP protection.
- C. Criminal firms with brand name reputation:
- 1. Blackmail. Live carefully.
- 2. Assassination. Cui Bono.
- 3. Entrapment. That is why you need a reputation.
- D. Fight info with info? Entrapment. Scam bank.
I. FBI wiretap proposal:
- A. It is a Federal Register notice outlining capacity
requirements under the Communications Assistance for Law
Enforcement Act (the "Digital Telephony" bill or "CALEA").
- B. How derived: The capacity figures that are presented in this
initial notice were derived as a result of a thorough analysis of
electronic surveillance needs. Information regarding electronic
surveillance activities for a specific time period was obtained
from telecommunications carriers, law enforcement, U.S. District
Courts, State Courts, State Attorneys General, and State District
Attorneys to establish a historical baseline of activity. The
historical baseline of electronic surveillance activity was
determined after examination of both the location and occurrence
of each electronic surveillance reported. The historical baseline
was then analyzed to derive the total and simultaneous electronic
surveillance activity by switch and within specific geographic
areas. Future capacity needs were then determined after
consideration of the impact of demographics, market trends, and
other factors on the historical baseline.
- C. Historical numbers--not provided by FBI:
- 1. Wiretaps, Fed & State 1994, Title III: 1154
- 2. Foreign Intelligence Surveillance Act: 576
- 3. Pen Registers: 17,410
- 4. Trap and trace: 4,789 (records originating numbers)
- 5. Total: about 24,000 during the year
- D. Requirements: Three geographical categories, each with an
actual (3/4 yrs) and a maximum figure:
- 1. Cat I + II = 25% of equipment.
- 2. All surveillance, incl. pen registers.
- 3. Category I: 0.5% actual / 1% maximum
- Category II: 0.25% / 0.5%
- Category III: 0.025% / 0.25%
- 4. EPIC estimates--about 30,000 simultaneous taps or
traces.
- E. Freeh: Deputy Attorney General Gorelick said this morning:
"Let me make it perfectly clear, there is no intention to expand
the number of wiretaps or the extent of wiretapping."
- F. Recent past: State fairly stable, Fed 1992: 340, 1994: 554
- 1. The vast majority of cases where wiretaps are approved
involve drug trafficking.
- 2. In 1994, seventy-six percent of all orders were for
narcotics investigations and eight percent each for
racketeering and gambling.
II. Clipper II .
- A. 64 bit, private, but there must be key escrow with govt
certified escrow agents.
- 1. Is 64 = 56? For "64 bit" DES, yes: 8 of the 64 key bits are
parity bits, so only 56 bits are secret.
- 2. If they manage to limit encryption to "64 bit" DES, it
matters ...
- 3. ... by a factor of 256: 2^8 fewer keys for an attacker to try.
- B. No interoperability with unescrowed programs.
- C. Proposal recently was rejected by an industry group with
lots of big players.
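The 64 = 56 point, as an added example (not part of the notes): every byte of a DES key carries its low-order bit as an odd-parity bit fixed by the other seven, so each 56-bit secret corresponds to exactly one valid 64-bit key string, and a brute-force search over valid keys is 2^8 = 256 times smaller than the nominal 2^64. The function names are this example's own.

```python
import secrets

KEY_BYTES = 8
PARITY_BITS_PER_KEY = 8  # one parity bit per key byte (DES key bits 8, 16, ..., 64)

def has_odd_parity(b: int) -> bool:
    """True if the 8-bit value b has an odd number of 1 bits."""
    return bin(b & 0xFF).count("1") % 2 == 1

def set_odd_parity(b: int) -> int:
    """Return b with its low-order bit adjusted so the byte has odd parity."""
    top7 = b & 0xFE
    return top7 if has_odd_parity(top7) else top7 | 0x01

def expand_56_to_64(k56: int) -> bytes:
    """Map a 56-bit integer to the unique 8-byte DES key carrying those key bits."""
    if not 0 <= k56 < 1 << 56:
        raise ValueError("need a 56-bit value")
    out = bytearray()
    for i in range(KEY_BYTES):
        seven = (k56 >> (7 * (KEY_BYTES - 1 - i))) & 0x7F   # next 7 key bits, MSB first
        out.append(set_odd_parity(seven << 1))              # parity bit goes in the LSB
    return bytes(out)

def strip_parity(key: bytes) -> int:
    """Inverse of expand_56_to_64: drop the parity bit of each byte."""
    k = 0
    for b in key:
        k = (k << 7) | (b >> 1)
    return k

def is_valid_des_key(key: bytes) -> bool:
    """A DES key is 8 bytes, each with odd parity."""
    return len(key) == KEY_BYTES and all(has_odd_parity(b) for b in key)

def count_valid_bytes() -> int:
    """Brute-force check: of the 256 possible key bytes, how many have odd parity?"""
    return sum(1 for b in range(256) if has_odd_parity(b))

def effective_key_bits(key_bits: int = 64, parity_bits: int = PARITY_BITS_PER_KEY) -> int:
    return key_bits - parity_bits

def keyspace_ratio(parity_bits: int = PARITY_BITS_PER_KEY) -> int:
    """How many times smaller the real keyspace is than the nominal one."""
    return 1 << parity_bits

if __name__ == "__main__":
    k = secrets.randbits(56)
    key = expand_56_to_64(k)
    print(key.hex(), is_valid_des_key(key), strip_parity(key) == k)
    print(count_valid_bytes(), "valid bytes of 256;",
          effective_key_bits(), "secret bits; ratio", keyspace_ratio())
```

The parity bits buy the attacker nothing extra to guess: an exhaustive search enumerates the 2^56 values of `k56` and derives each key with `expand_56_to_64`, which is why "64 bit DES" and "56 bit DES" describe the same cipher.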
III. Default rule for your info: Avrahami claims it requires
express consent.
IV. S. 1360: Medical Records Privacy Act
- A. Must provide info to subject unless endangers life or
confidentiality or only used for internal admin purposes.
- B. Subject may ask for a correction, if not granted insist on
having statement of disagreement included.
- C. Must maintain record of disclosures.
- D. May disclose only if purpose compatible with and related to
purpose for which obtained
- E. Disclose pursuant to authorisation by subject.
- F. May disclose for creation of nonidentifiable info without
authorisation to certified info services. They must remove id.
- G. May disclose for health research, which must remove
identification unless internal process determines info is needed.
- H. May disclose to court etc., or subpoena with notice to
subject.
- Objections--preempts state confidentiality and most common
law. Dangerous to HIV patients?
V. Net censorship opposed by CATO, ACLU, Brookings
VI. Monitoring vs spoofing: Netscape vs public key phone book.
VII. Drop-in encryption?
- A. Apple story.
- B. CAPI (Cryptographic Applications Programming Interface).
NATO initiative. NSA mixed reviews.
VIII. Rumour boards vs credible boards?
IX. Should blackmail be illegal?
- A. No--mutual benefit. Wrong.
- B. Yes--hinders law enforcement. Wrong.
- C. Maybe--private enforcement, but ...
- 1. Wrong laws?
- 2. Or prevention of social fraud.
- 3. Is the world better if social fraud is easier or harder?
Deja News, etc.
Two recent cases
I. Cornell: http://joc.mit.edu/~joc/
- A. Did they do anything wrong? Should there be a rule against
it?
- 1. Mailed to people not offended
- 2. Is nabokov at fault if I put a copy of Lolita in the
local elementary school library, in the hope of getting him in
trouble?
- B. Did Cornell do anything wrong? How do you interpret their
action--was the punishment really voluntary?
II. Caltech case: Mercury.
- A. Based on story.
- 1. Acquitted, and ...
- 2. Terrible evidence, including alibi, so ...
- 3. Caltech is wrong.
- 4. Puzzling--they should know EMail evidence is worthless.
- B. Attorney's version.
- 1. Acquitted because.
- 2. Password changed after they broke up, and ...
- 3. Some material on Cray, only 30 students on campus had
access.
- 4. EMail sent by devious method, but keystroke monitor
traced it.
- 5. Mostly non EMail related evidence, including letter to
her family in China warning that they would get daughter back
in a coffin if she did not marry him.
- C. Thesis sponsor's version.
- 1. lovers for some months, planned to marry, broke up,
brief quarrel.
- 2. Still friends for months after, he helped her do her
research on his account with his software.
- 3. Jan 1 met, discovered living with new boyfriend,
quarrel.
- a. Jinsong: Threat to make Jiajun's guilty secrets
public. Context--PRC is a sexually conservative culture.
- b. Jiajun and Bo: Duel, gun talk.
- c. Jinsong: Counterthreat to prosecute
- 4. That night, obscene EMail forged by Jinsong's account
from Bo to Jiajun.
- 5. Jan 2-3rd, complaint, account frozen,
- 6. Jinsong EMails Bo, now his responsibility.
- 7. Jan 3rd, alibi'ed case, EMail to Bo with threats.
- 8. 1/4 J&B complain to Caltech of harassment from
August, showed gun permit, threats.
- 9. 1/6 complaint to police, rape added.
- 10. 1/6 bogus EMail from friend of Bo out of town. Well
informed.
- 11. Jinsong held on $150,000 bail, physically slight (15
size), 5 1/2 months. Bo and Jiajun refuse to cooperate with
lowering bail. Friends pay for an attorney.
- 12. Keystroke evidence brought out by defense.
- 13. Rape inconsistency.
- 14. Acquittal without reaching question of truth of threats.
- 15. Biased hearing, dean who had intervened in trial
against Jinsong.
- D. Attorney. Bo and brother tried to pressure other Chinese
students, with threats. Active in prosecution, prepared a 20 page
pamphlet including stories about unrelated chinese murder cases.
Grammar argument.
- E. My points:
- 1. Attorney tried to keep me from hearing the other side. 3
vs 7 volumes
- 2. Did not mention evidence re password.
- 3. Motive.
- 4. Gun permit.
- 5. Whole story of the relationship inconsistent.
- 6. To believe them, must believe that his fellow students
are lying.
- 7. Character Evidence.
- 8. Will get more, put on reserve.
I. Would digital signatures have solved this problem?
- A. Only if Jinsong did not tell Jianjing
- B. But he would have--he trusted her, told her his password,
loved her, ...
- C. Could one create institutions such that he would not have?
- 1. Strongly felt customs of privacy? That strong?
- 2. Mechanical? Card that he must have, cannot copy, will
not loan out.
- 3. Fingerprint or retina or ... ? with stored private key
that owner cannot get?
- D. But it would eliminate the forged message to Jiajun, since
Jinsong would not have been able to forge Bo's digital signature,
so could not have expected to persuade anyone the message was
genuine.
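The point in D above, as an added example that is not part of the notes or the case record: a Lamport one-time signature built from SHA-256 (standard library only; a stand-in for the RSA-style signatures of the period, chosen because it needs no external library). "sender" and "impostor" stand in for Bo and Jinsong; the messages are constructed. It shows the three things a signature does (identifies the signer, proves the signer, detects tampering) and the one thing it cannot do: if the private key is handed over, as the password was, a signature proves only who holds the key.

```python
import hashlib
import secrets

DIGEST_BITS = 256  # SHA-256 output; the key has one secret pair per digest bit

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of random secrets, and their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (DIGEST_BITS - 1 - i)) & 1 for i in range(DIGEST_BITS)]

def sign(sk, msg: bytes):
    """For each bit of H(msg), reveal the matching secret. A Lamport key signs ONE message."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    """Every revealed secret must hash to the public half that the digest bit selects."""
    if len(sig) != DIGEST_BITS:
        return False
    return all(H(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, digest_bits(msg))))

def forgery_scenario():
    """The situation in the case: an impostor wants a message to pass as the sender's."""
    sender_sk, sender_pk = keygen()
    impostor_sk, impostor_pk = keygen()
    genuine = b"From: sender\nMeet me at the lab at nine."          # constructed
    genuine_sig = sign(sender_sk, genuine)
    forged = b"From: sender\n<text the sender never wrote>"         # constructed
    forged_sig = sign(impostor_sk, forged)   # the only private key the impostor holds
    tampered = genuine + b" Bring money."    # signed text altered after signing
    # Key shared with the impostor, as the password was. Reusing a one-time key
    # is unsafe in real use; it is done here only to show the point.
    shared_sig = sign(sender_sk, forged)
    return {
        "genuine_verifies_as_sender": verify(sender_pk, genuine, genuine_sig),
        "forgery_verifies_as_sender": verify(sender_pk, forged, forged_sig),
        "forgery_verifies_as_impostor": verify(impostor_pk, forged, forged_sig),
        "tampered_verifies_as_sender": verify(sender_pk, tampered, genuine_sig),
        "shared_key_verifies_as_sender": verify(sender_pk, forged, shared_sig),
    }

if __name__ == "__main__":
    for name, ok in forgery_scenario().items():
        print(f"{name}: {ok}")
```

The forged message fails under the sender's public key and passes only under the impostor's, so a site that verifies before accepting (C.2 in the framework list earlier) would have identified the true author; the last line of the scenario is the case's real weakness, a private key that its owner gave away.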
II. Does Jianjing have adequate motive?
- A. Different standards of sexual behavior.
- 1. We don't know how different, but ...
- 2. They don't seem to have been very careful to keep it
secret, but ...
- 3. It sounds as though she admitted to as little as
possible sex in the trial.
- B. Might the threat have been something else (secrets about
her family?)
- 1. Foreign communities here may care a lot about issues not
central to us.
- 2. Perhaps she had told him something that would get her
family in trouble with the govt, or ...
- 3. That her family spied for the government, which might
get her in trouble with other Chinese here, or...
- 4. ???
III. Lessons of the case for us:
- A. Risks of anti-harassment, stalking, etc. laws.
- 1. Everything that makes it easy to convict the guilty
makes it easier to frame the innocent.
- 2. The more severe the penalty, the more serious the threat
available
- 3. Here Jinsong was punished severely despite being
acquitted--5 1/2 months + $20,000.
Course Summary:
I. Computer Crime.
- A. Fitting it in ...
- 1. By description? Moving things around vs destroying or
modifying property?
- 2. By analogy? But then what analogy you use matters a lot.
- a. "intruding" or "defrauding" or "talking" for hacking
into a computer.
- b. Where do cyberspace events happen? The Thomases.
- c. Is my private key my castle?
- d. Is breaking copy protection burglar's tools? White
Paper v old cases.
- e. Is stealing time on a computer stealing? Stealing
services? Lund v VA
- 3. Is information property?
- a. Copyright says no (Dowling), U.S. v
Riggs says yes.
- b. How valued. Bell South.
- c. Trade secret as an old version of this
- d. But a lot more value as easily copied, transferred
info than there used to be. Is a difference in degree a
difference in kind?
- e. Controlling info cuts close to freedom of speech issues:
Hacker Crackdown. Old version: AIDS book.
- f. Civil vs criminal? Why does criminal law exist?
- 4. Common sense problems: NYT story. Randal Schwartz, PERL
- a. Big name network person, subcontract sysop for part
of Intel, then different part,
- Ran Crack against his old part, found Deacon, moved
password list, broke 48/600
- 5 yrs probation, $170,000 legal fees, $72,000 maybe in
damages.
- b. Maybe a replay of U.S. v Seidlitz, although clearer.
- c. Also Unix/hacker crackdown issue, also fuzzier.
- d. Is this simply jury ignorance, or ...
- e. Intel goofed, did not want to admit it, or
- f. sending a signal, or ...
- g. Intel's left hand does not know what its right hand
is doing.
- h. Digression--encoded password files.
- 5. Also analogy problem--Intel claimed it was "theft" to
move file from one Intel computer to another.
- 6. By legislation.
- a. Many states now make altering computer program,
files, etc. criminal.
- b. Federal ECPA
- 7. By realspace property and contract law? Specify when you
connect.
- B. Special nature?
- 1. People working with things they don't understand
- 2. And their status inferiors do.
- C. Old computer crime: talked it to death.
- 1. Data entry frauds.
- 2. Hacking--persistence, social engineering, technical
skill.
- a. Largely remote con game.
- b. Like telephone frauds
- c. And mail frauds.
- d. Plus victim ignorance.
- 3.
- D. New Computer crime
- E. World of Strong Privacy
- 1. It's here in embryo.
- a. Digicash and Mark Twain Bank are now in business.
- b. As is Verisign.
- c. Netscape offers encryption support.
- d. My Newsreader supports anonymous remailers.
- e. ABA has its digital signature guidelines at
http://www.intermarket.com/edl
- f. NetBack (http://www.netback.com) Digital
notary--timestamps and stores documents
- 2. Prevent it--Clipper 2, export control
- 3. Control it. Require digital signatures to post. Real
internet driver's license?
- 4. Or live with it.
- a. Use secrecy. My recent Usenet story.
- b. Replace IP where you can't protect it.
- c. Virtues of digital signatures--consensual relations
easier than before.
- d. Cancelmoose vs Spam, Flame vs Spam, etc.
- 5. Ask--can the objective be accomplished?
- a. What is the point of shutting down the Thomases
- b. If they just move to Amsterdam?
- c. What is it worth to cut the lines to Amsterdam?
II. Privacy
- A. Against legal data bases
- 1. Is privacy a good thing? Why?
- 2. What about freedom of contract, if they see it its
theirs?
- 3. Current rules more restrictive, but ...
- 4. How well enforced?
- 5. What would a world of less privacy be like? Web may give
it deliberately. Linking my lives.
- B. Against data spying: Encryption, if permitted
- C. Against data interception: Legal limits, encryption if
permitted.
IV. Random number issue--how to choose a password.
- A. What is relevant is randomness to everyone but you--can
they guess it.
- B. So the perfect selected password is obvious to you, but
nobody else.
- C. PGP passphrase.
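An added example, not from the notes, serving both the "encoded password files" digression under Computer Crime (Crack run against a password list) and the password-choice point here. The password file, wordlist and mangling rules are constructed; salted SHA-256 stands in for crypt(3) only so the code runs anywhere, and the entry format user:salt$hexdigest is this example's own. The point the code makes is the one in A and B above: what the attacker must search is the space the password was chosen from, so a "hidden" dictionary word with a digit falls in a few hundred guesses while a short random passphrase, even from the same small list, is out of reach of the rules.

```python
import hashlib
import hmac
import math
import secrets

def hash_password(password: str, salt: str) -> str:
    """Constructed stand-in for crypt(3): salted SHA-256, hex encoded."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def make_entry(user: str, password: str, salt: str = "") -> str:
    salt = salt or secrets.token_hex(4)
    return f"{user}:{salt}${hash_password(password, salt)}"

def parse_entry(line: str):
    user, rest = line.split(":", 1)
    salt, digest = rest.split("$", 1)
    return user, salt, digest

def candidates(word: str):
    """Crack-style mangling: the word, capitalized, and with one digit appended."""
    yield word
    yield word.capitalize()
    for d in range(10):
        yield f"{word}{d}"
        yield f"{word.capitalize()}{d}"

def crack(lines, wordlist):
    """Return {user: recovered password} for every entry some rule hits."""
    cracked = {}
    for line in lines:
        user, salt, digest = parse_entry(line)
        for word in wordlist:
            hit = next((g for g in candidates(word)
                        if hmac.compare_digest(hash_password(g, salt), digest)), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked

def guess_space_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a password chosen uniformly: log2(choices ** symbols).
    This is 'randomness to everyone but you': a property of the choosing
    process, not of how the string looks."""
    return symbols * math.log2(choices_per_symbol)

def expected_guesses(bits: float) -> float:
    return 2 ** bits / 2   # on average the attacker succeeds halfway through

def random_passphrase(wordlist, n_words: int) -> str:
    """PGP-style passphrase: words drawn uniformly at random from a list."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

# Constructed data: a tiny wordlist and three users. alice and bob chose
# passwords obvious to themselves; carol's is four random words from the list.
WORDLIST = ["secret", "letmein", "orange", "river", "seven", "password", "tiger", "dragon"]
PASSWORD_FILE = [
    make_entry("alice", "Secret7", "ab12"),
    make_entry("bob", "letmein", "cd34"),
    make_entry("carol", "orange river secret seven", "ef56"),
]

if __name__ == "__main__":
    print("cracked:", crack(PASSWORD_FILE, WORDLIST))
    print("one word + digit, 8-word list:", guess_space_bits(len(WORDLIST) * 10, 1), "bits")
    print("4 random words, same list:   ", guess_space_bits(len(WORDLIST), 4), "bits")
    print("5 words, 7776-word list:     ", round(guess_space_bits(7776, 5), 1), "bits")
    print("8 random lowercase letters:  ", round(guess_space_bits(26, 8), 1), "bits")
    print("example passphrase:", random_passphrase(WORDLIST, 4))
```

Two things worth noticing when running it. First, the salt stops one precomputed table from serving every user, but it does nothing against a per-user dictionary pass, which is why a copied password file is still sensitive even though it holds no plaintext. Second, carol's passphrase uses only words the attacker has, yet survives, because the rules never try four-word combinations; widening the rules to do so multiplies the work by the size of the list for each added word, which is exactly what the entropy figure measures.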
V. Digital time stamping idea.
VI. Cornell--what makes it private/public?
Preliminary Syllabus: Computers, Crime and Privacy
Hoffman, Lance, ed. Building in Big Brother (BBB); 1[3]
means Ch 1, part 3
Bruce Sterling The Hacker Crackdown
Week BBB Other
Encryption and the Future of Privacy
8/28 1[1-4] D. Friedman, "A World of Strong Privacy" (forthcoming
in Philosophy and Public Policy)
The Clipper Chip Proposal
9/4 2[1,5, 8], 3
Which Future? The Controversy
9/11 4,5
9/18 6,7
Crime and Law Enforcement: The Past
9/25 Lund v Commonwealth of Virginia 232 S.E. 2d 745 (Va.
1977);
United States v. Seidlitz 589 F.2d 152 (4th Cir. 1978)
United States v Jones 553 F. 2d 351 (1977)
The People of New York v. Robert Versaggi 518 N.Y. S. 2d
553 (1987)
10/2 The Hacker Crackdown: Parts 1 and 2
U. S. v. Neidorff
10/11 The Hacker Crackdown: Parts 3 and 4
Steve Jackson Games v U.S. Secret Service and ...
The Old Privacy Issues
10/16 Fair Credit Reporting Act and cases.
Merriken v. Cressman;
Electronic Communications Privacy Act
Obscenity On-Line*
10/16
Computer Crime and law Enforcement: Today*
10/23
Computer Crime and law Enforcement: Tomorrow*
10/30
Strong Privacy Reconsidered
11/6
[Student Presentations from here on]
11/13
*: May be student presentations
Readings will be available on line, on disk (library reserve), and
in some cases as hardcopy.
Office hours: M/W 2:20-4:00, Room 204, Phone # 5732, EMail
dfriedman@scuacc.scu.edu, ddfr@best.com.
Paper Ideas
Computer Crime in the 1990s: What it is
Computer Crime in the Twenty-first Century: What it will be
How Can and Should On-line Obscenity be Regulated?
On-Line Obscenity: Whose Community Standards?
Problems of Privacy: Anonymous Letters + VR =?
Obscenity and Harassment: Can Private Solutions Work?
Does Cyberspace Need Its Own Laws?
Norms of the Net: How are They Enforced, Do They Work?
Shareware: An Experiment in Unprotected Intellectual Property
Cyberpunk: Does SF Get the Legal Issues Right? (True Names,
Snowcrash, Trouble and Her Friends, ...)
Privacy and Computer Crime in a World of Many Nations
The Church of Scientology vs anon.penet.fi
Can Strong Privacy be Stopped? At What Cost?
The Legal System in a World of Strong Privacy
A Few Places to Look for Stuff
Electronic Frontier Foundation (EFF.com, Web page)
Cypherpunks
RSA.com
www.digicash.com
...