The Hacker Crackdown Part 28

Another problem is very little publicized, but it is a cause of genuine concern. Where there is persistent crime, but no effective police protection, then vigilantism can result.

Telcos, banks, credit companies, the major corporations who maintain extensive computer networks vulnerable to hacking --these organizations are powerful, wealthy, and politically influential. They are disinclined to be pushed around by crooks (or by most anyone else, for that matter). They often maintain well-organized private security forces, commonly run by experienced veterans of military and police units, who have left public service for the greener pastures of the private sector. For police, the corporate security manager can be a powerful ally; but if this gentleman finds no allies in the police, and the pressure is on from his board-of-directors, he may quietly take certain matters into his own hands.

Nor is there any lack of disposable hired-help in the corporate security business. Private security agencies-- the 'security business' generally--grew explosively in the 1980s.

Today there are spooky gumshoed armies of "security consultants,"

"rent-a- cops," "private eyes," "outside experts"--every manner of shady operator who retails in "results" and discretion.

Or course, many of these gentlemen and ladies may be paragons of professional and moral rect.i.tude. But as anyone who has read a hard-boiled detective novel knows, police tend to be less than fond of this sort of private-sector compet.i.tion.

Companies in search of computer-security have even been known to hire hackers. Police shudder at this prospect.

Police treasure good relations with the business community.

Rarely will you see a policeman so indiscreet as to allege publicly that some major employer in his state or city has succ.u.mbed to paranoia and gone off the rails. Nevertheless, police --and computer police in particular--are aware of this possibility. Computer-crime police can and do spend up to half of their business hours just doing public relations: seminars, "dog and pony shows,"

sometimes with parents' groups or computer users, but generally with their core audience: the likely victims of hacking crimes. These, of course, are telcos, credit card companies and large computer-equipped corporations.

The police strongly urge these people, as good citizens, to report offenses and press criminal charges; they pa.s.s the message that there is someone in authority who cares, understands, and, best of all, will take useful action should a computer-crime occur.

But rea.s.suring talk is cheap. Sundevil offered action.

The final message of Sundevil was intended for internal consumption by law enforcement. Sundevil was offered as proof that the community of American computer-crime police had come of age. Sundevil was proof that enormous things like Sundevil itself could now be accomplished.

Sundevil was proof that the Secret Service and its local law-enforcement allies could act like a well-oiled machine--(despite the hampering use of those scrambled phones). It was also proof that the Arizona Organized Crime and Racketeering Unit--the sparkplug of Sundevil--ranked with the best in the world in ambition, organization, and sheer conceptual daring.

And, as a final fillip, Sundevil was a message from the Secret Service to their longtime rivals in the Federal Bureau of Investigation.

By Congressional fiat, both USSS and FBI formally share jurisdiction over federal computer-crimebusting activities. Neither of these groups has ever been remotely happy with this muddled situation. It seems to suggest that Congress cannot make up its mind as to which of these groups is better qualified. And there is scarcely a G-man or a Special Agent anywhere without a very firm opinion on that topic.

For the neophyte, one of the most puzzling aspects of the crackdown on hackers is why the United States Secret Service has anything at all to do with this matter.

The Secret Service is best known for its primary public role: its agents protect the President of the United States.

They also guard the President's family, the Vice President and his family, former Presidents, and Presidential candidates. They sometimes guard foreign dignitaries who are visiting the United States, especially foreign heads of state, and have been known to accompany American officials on diplomatic missions overseas.

Special Agents of the Secret Service don't wear uniforms, but the Secret Service also has two uniformed police agencies. There's the former White House Police (now known as the Secret Service Uniformed Division, since they currently guard foreign emba.s.sies in Was.h.i.+ngton, as well as the White House itself). And there's the uniformed Treasury Police Force.

The Secret Service has been charged by Congress with a number of little-known duties. They guard the precious metals in Treasury vaults.

They guard the most valuable historical doc.u.ments of the United States: originals of the Const.i.tution, the Declaration of Independence, Lincoln's Second Inaugural Address, an American-owned copy of the Magna Carta, and so forth. Once they were a.s.signed to guard the Mona Lisa, on her American tour in the 1960s.

The entire Secret Service is a division of the Treasury Department.

Secret Service Special Agents (there are about 1,900 of them) are bodyguards for the President et al, but they all work for the Treasury.

And the Treasury (through its divisions of the U.S. Mint and the Bureau of Engraving and Printing) prints the nation's money.

As Treasury police, the Secret Service guards the nation's currency; it is the only federal law enforcement agency with direct jurisdiction over counterfeiting and forgery. It a.n.a.lyzes doc.u.ments for authenticity, and its fight against fake cash is still quite lively (especially since the skilled counterfeiters of Medellin, Columbia have gotten into the act).

Government checks, bonds, and other obligations, which exist in untold millions and are worth untold billions, are common targets for forgery, which the Secret Service also battles. It even handles forgery of postage stamps.

But cash is fading in importance today as money has become electronic.

As necessity beckoned, the Secret Service moved from fighting the counterfeiting of paper currency and the forging of checks, to the protection of funds transferred by wire.

From wire-fraud, it was a simple skip-and-jump to what is formally known as "access device fraud." Congress granted the Secret Service the authority to investigate "access device fraud" under t.i.tle 18 of the United States Code (U.S.C. Section 1029).

The term "access device" seems intuitively simple. It's some kind of high-tech gizmo you use to get money with. It makes good sense to put this sort of thing in the charge of counterfeiting and wire-fraud experts.

However, in Section 1029, the term "access device" is very generously defined. An access device is: "any card, plate, code, account number, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds."

"Access device" can therefore be construed to include credit cards themselves (a popular forgery item nowadays). It also includes credit card account NUMBERS, those standards of the digital underground. The same goes for telephone charge cards (an increasingly popular item with telcos, who are tired of being robbed of pocket change by phone-booth thieves).

And also telephone access CODES, those OTHER standards of the digital underground. (Stolen telephone codes may not "obtain money," but they certainly do obtain valuable "services," which is specifically forbidden by Section 1029.)

We can now see that Section 1029 already pits the United States Secret Service directly against the digital underground, without any mention at all of the word "computer."

Standard phreaking devices, like "blue boxes," used to steal phone service from old-fas.h.i.+oned mechanical switches, are unquestionably "counterfeit access devices." Thanks to Sec.1029, it is not only illegal to USE counterfeit access devices, but it is even illegal to BUILD them.

"Producing," "designing" "duplicating" or "a.s.sembling" blue boxes are all federal crimes today, and if you do this, the Secret Service has been charged by Congress to come after you.

Automatic Teller Machines, which replicated all over America during the 1980s, are definitely "access devices," too, and an attempt to tamper with their punch-in codes and plastic bank cards falls directly under Sec. 1029.

Section 1029 is remarkably elastic. Suppose you find a computer pa.s.sword in somebody's trash. That pa.s.sword might be a "code"--it's certainly a "means of account access." Now suppose you log on to a computer and copy some software for yourself. You've certainly obtained "service" (computer service) and a "thing of value" (the software).

Suppose you tell a dozen friends about your swiped pa.s.sword, and let them use it, too. Now you're "trafficking in unauthorized access devices." And when the Prophet, a member of the Legion of Doom, pa.s.sed a stolen telephone company doc.u.ment to Knight Lightning at Phrack magazine, they were both charged under Sec. 1029!

There are two limitations on Section 1029. First, the offense must "affect interstate or foreign commerce" in order to become a matter of federal jurisdiction. The term "affecting commerce" is not well defined; but you may take it as a given that the Secret Service can take an interest if you've done most anything that happens to cross a state line.

State and local police can be touchy about their jurisdictions, and can sometimes be mulish when the feds show up. But when it comes to computer-crime, the local police are pathetically grateful for federal help--in fact they complain that they can't get enough of it.

If you're stealing long-distance service, you're almost certainly crossing state lines, and you're definitely "affecting the interstate commerce"

of the telcos. And if you're abusing credit cards by ordering stuff out of glossy catalogs from, say, Vermont, you're in for it.

The second limitation is money. As a rule, the feds don't pursue penny-ante offenders. Federal judges will dismiss cases that appear to waste their time. Federal crimes must be serious; Section 1029 specifies a minimum loss of a thousand dollars.

We now come to the very next section of t.i.tle 18, which is Section 1030, "Fraud and related activity in connection with computers." This statute gives the Secret Service direct jurisdiction over acts of computer intrusion.

On the face of it, the Secret Service would now seem to command the field.

Section 1030, however, is nowhere near so ductile as Section 1029.

The first annoyance is Section 1030(d), which reads:

"(d) The United States Secret Service shall, IN ADDITION TO ANY OTHER AGENCY HAVING SUCH AUTHORITY, have the authority to investigate offenses under this section.

Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury AND THE ATTORNEY GENERAL."

(Author's italics.) [Represented by capitals.]

The Secretary of the Treasury is the t.i.tular head of the Secret Service, while the Attorney General is in charge of the FBI. In Section (d), Congress shrugged off responsibility for the computer-crime turf-battle between the Service and the Bureau, and made them fight it out all by themselves. The result was a rather dire one for the Secret Service, for the FBI ended up with exclusive jurisdiction over computer break-ins having to do with national security, foreign espionage, federally insured banks, and U.S. military bases, while retaining joint jurisdiction over all the other computer intrusions. Essentially, when it comes to Section 1030, the FBI not only gets the real glamor stuff for itself, but can peer over the shoulder of the Secret Service and barge in to meddle whenever it suits them.

The second problem has to do with the dicey term "Federal interest computer." Section 1030(a)(2) makes it illegal to "access a computer without authorization"

if that computer belongs to a financial inst.i.tution or an issuer of credit cards (fraud cases, in other words). Congress was quite willing to give the Secret Service jurisdiction over money-transferring computers, but Congress balked at letting them investigate any and all computer intrusions.

Instead, the USSS had to settle for the money machines and the "Federal interest computers." A "Federal interest computer"

is a computer which the government itself owns, or is using.

Large networks of interstate computers, linked over state lines, are also considered to be of "Federal interest." (This notion of "Federal interest" is legally rather foggy and has never been clearly defined in the courts. The Secret Service has never yet had its hand slapped for investigating computer break-ins that were NOT of "Federal interest," but conceivably someday this might happen.)

So the Secret Service's authority over "unauthorized access"

to computers covers a lot of territory, but by no means the whole ball of cyberspatial wax. If you are, for instance, a LOCAL computer retailer, or the owner of a LOCAL bulletin board system, then a malicious LOCAL intruder can break in, crash your system, trash your files and scatter viruses, and the U.S. Secret Service cannot do a single thing about it.

At least, it can't do anything DIRECTLY. But the Secret Service will do plenty to help the local people who can.

The FBI may have dealt itself an ace off the bottom of the deck when it comes to Section 1030; but that's not the whole story; that's not the street. What's Congress thinks is one thing, and Congress has been known to change its mind. The REAL turf-struggle is out there in the streets where it's happening.

If you're a local street-cop with a computer problem, the Secret Service wants you to know where you can find the real expertise. While the Bureau crowd are off having their favorite shoes polished--(wing-tips)--and making derisive fun of the Service's favorite shoes--("pansy-a.s.s ta.s.sels")-- the ta.s.sel-toting Secret Service has a crew of ready-and-able hacker-trackers installed in the capital of every state in the Union.

Need advice? They'll give you advice, or at least point you in the right direction. Need training? They can see to that, too.

If you're a local cop and you call in the FBI, the FBI (as is widely and slanderously rumored) will order you around like a coolie, take all the credit for your busts, and mop up every possible sc.r.a.p of reflected glory.