Stuff You Should be Interested In
by Felipe Rodriquez and Rop Gonggrijp
Dutch Hacker Raids
AMSTERDAM - At 10:30 on the morning of Monday the 27th of January 1992 Dutch police searched the homes of two hackers. In the city of Roermond, the parental home of the 21-year old student H.W. was searched and in Nuenen the same happened to the parental home of R.N., a Computer Science engineer, age 25. Both were arrested and taken into custody. At both sites, members of the Amsterdam Police Pilot Team for computer crime were present, alongside local police officers and representatives of the national organization Criminal Investigations Agency (CRI). Both suspects were transported to Amsterdam. The brother of one of the suspects was told the they could receive no visits or mail. The two remained in jail for more than one week.
The Charges
A break-in supposedly occurred at the bronto.geo.vu.nl site at the Vrije Universiteit University in Amsterdam. This UNIX system running on a SUN workstation (Internet Address 130.37.64.3) has been taken off the Net at least for the duration of the investigation. What happened to the actual hardware is unknown at this time.
The formal charges are: forgery, racketeering, and vandalism. The police justify the forgery part by claiming that files on the system have been changed. They say the vandalism charge is valid because the system had to be taken off the Net for a period of time to investigate the extent of the damage. By pretending to be regular users or even system management the hackers committed racketeering, the police say.
Both suspects, according to the Dutch police, have made a full statement. According to a police spokesman the motive was "fanatical hobbyism." Spokesperson Slort for the CRI speaks of the "kick of seeing how far you can get."
Damages
According to J. Renkema, head of the geo-physics faculty at the VU, the university is considering filing a civil lawsuit against the suspects. "The system was contaminated because of their doing and had to be cleaned out. This cost months of labor and 50,000 guilders (about US $30,000). Registered users pay for access to the system and these hackers did not. Result: tens of thousands of guilders in damages." Renkema also speaks of a "moral disadvantage." The university lost trust from other sites on the network. Renkema claims the university runs the risk of being expelled from some networks.
Renkema also claims the hackers were discovered almost immediately after the break-in and were monitored at all times. This means all the damages had occurred under the watchful eyes of the supervisors. All this time, no action was taken to kick the hackers off the system. According to Renkema all systems at the VU were protected according to guidelines as laid down by CERT and SurfNet BV (SurfNet is the company that runs most of the inter-university data traffic in The Netherlands).
What Really Happened?
The charge of "adapting system software" could mean that the hackers installed back doors to secure access to the system or to the root level, even if passwords were changed. New versions of telnet, FTP, rlogin, and other programs could have been compiled to log access to the networks.
What really happened is anybody's guess. One point is that even the CRI acknowledges that there were no "bad" intentions on the part of the hackers. They were there to look around and play with the networks.
About Hacking in General
In the past we have warned that new laws against computer crime can only be used against harmless hackers. Against the real computer criminals a law is useless because they will probably remain untraceable. The CRI regularly goes on the record to say that hackers are not the top priority in computer crime investigation. It seems that hackers are an easy target when "something has to be done."
And "something had to be done" - The pressure from especially the U.S. to do something about the "hacking problem" was so huge that it would have been almost humiliating for the Dutch not to respond. It seems as if the arrests are mainly meant to ease the American fear of the overseas hacker-paradise.
A Closer Look at the Charges and Damages
The VU has launched the idea that system security on their system was only needed because of these two hackers. All costs made in relation to system security are billed to the two people that just happened to get in. For people that like to see hacking in terms of analogies: It is like walking into a building full of students, fooling around, and then getting the bill for the new alarm system that they had to install just for you.
Systems security is a normal part of the daily task of every system administrator. Not just because the system has to be protected from break-ins from the outside, but also because the users themselves need to be protected from each other. The "bronto" management has neglected some of their duties, and now they still have to secure their system. This is not damages done, it's work long overdue.
If restoring back-ups costs tens of thousands of guilders, something is terribly wrong at the VU. Every system manager that uses a legal copy of the operating system has a distribution version within easy reach.
"Months of tedious labor following the hackers around in the system." It would have been much easier and cheaper to deny the hackers access to the system directly after they had been discovered. "Moral damages" by break-ins in other systems would have been small. The VU chose to call the police and trace the hackers. The costs of such an operation cannot be billed to the hackers.
Using forgery and racketeering makes one wonder if the OvJ (the District Attorney here) can come up with a better motive than "they did it for kicks." If there is no monetary or material gain involved, it is questionable at best if these allegations will stand up in court.
As far as the vandalism goes: there have been numerous cases of system management overreacting in a case like this. A well trained system manager can protect a system without making it inaccessible to normal users. Again, the hackers have to pay for the apparent incompetence of system management.
This does not mean that having hackers on your system cannot be a pain. The Internet is a public network and if you cannot protect a system, you should not be on it. This is not just our statement, it is the written policy of many networking organizations. One more metaphor: It's like installing a new phone switch that allows direct dial to all employees. If you get such a system, you will need to tell your employees not to be overly loose-lipped to strangers. It is not the caller's fault if some people can be "hacked." If you tie a cord to the lock and hang it out the mail slot, people will pull it. If these people do damages, you should prosecute them, but not for the costs of walking after them and doing your security right.
Consequences of a Conviction
If these suspects are convicted, the VU has a good chance of winning the civil case. Furthermore, this case is of interest to all other hackers in Holland. Their hobby is suddenly a crime and many hackers will cease to hack. Others will go "underground," which is not beneficial to the positive interaction between hackers and system management or the relative openness in the Dutch computer security world.
Public Systems
If you are not a student at some big university or work for a large corporation, there is no real way for you to get on the Internet. As long as there is no way for some people to connect to the Net, there will be people that hack their way in. Whether this is good or bad is besides the point. If there is no freedom to explore, some hackers will become the criminals that government wants them to be.
More AT&T Confusion
Because of a routing error last fall, AT&T mistakenly routed calls made to 800-555-5555 to 900-555-5555.
This resulted in people all over the country being billed premium rates for what appeared to be a toll-free call. It's also resulted in an ethical question: should people be billed when they know they're being connected to a 900 number by mistake, even though they dialed an 800 number?
To us, the answer is pretty clear. AT&T should take the full blame here. It's their network and if they can't manage it properly, customers shouldn't have to pay a penalty.
If you're able to find an 800 number that routes to a 900 number, you haven't committed a crime. 800 numbers are toll free and should remain that way. AT&T is now also pushing a product that "transfers" 800 numbers to 900 numbers. In other words, a customer can call a company toll-free, ask for a certain service, and then be transferred to a 900 number where the meter starts running.
This is an absurd idea that will completely negate the idea of 900 blocking for starters. More importantly, it will confuse consumers even more as to what calls cost money and what calls don't.
Progression
Some good news to report: our friends at The WELL are now reachable on the Internet.
This means that many more people will now have access to this electronic meeting ground where freedom of speech and diversity are still held in high regard. It also means that users of The WELL will be able to reach out to the Internet, the vast, decentralized network of schools, institutions, and businesses that spans the globe.
Unlike those ripoff commercial services, The WELL charges a minimal fee ($10 a month and $2 an hour) and is a whole lot more personal. It's also a great environment to learn UNIX and keep in touch with the world via an Internet mailbox.
We hope more of our readers take advantage of one of the more positive developments in the high-tech world.
The WELL's online registration number is 415-332-6106 and their new Internet address is 192.132.30.2. Their office number is 415-332-4335.
Regression
A very disturbing incident has occurred in California. On January 20, Robert Thomas, his wife, and their two children were awakened by San Jose police who demanded entry into their home where they proceeded to seize all of their computers and a number of personal effects, including clothing.
At the heart of the matter was a bulletin board, Amateur Action, which stored and distributed adult pictures in the form of GIF files. Thomas did not allow first-time access to the files and he voice-verified all calls. He and his wife took great pains to ensure that the material did not get distributed to anyone underage.
The warrant was for grand theft, bringing obscene matter into the state, and distributing and/or possessing controlled matter of sexual content of persons under 14. Thomas says that none of these accusations apply even remotely to his bulletin board and that he is being persecuted because of its content, viewed as objectionable by some. With such logic, the next step would be to raid the homes of the people who posed in the pictures. Or those of the authors of controversial books.
With the usual obstinance, the authorities are remaining silent and refusing to give anything back. A police officer assured Thomas his equipment would be safe because it would be sitting right on his own desk. In fact, it was later suggested to Thomas that matters would be expedited if he bought the police department a 300 meg hard drive so they could go through the data quicker! Otherwise, they implied, it could drag on for a while.
We're continuing down a very unfriendly road where censorship and raids become commonplace. Hackers were among the first to feel the effects. Now it's spreading to "average American families." Because somebody is suspected of doing something wrong, every bit of high tech equipment on the premises is taken. The most personal of information is now in the hands of the police.
How can one deny that there is a sort of emotional terror in such actions? Imagine if every time you were suspected of anything at all, a vast library of your private thoughts was scanned by the authorities to see what your true feelings really were. That is the ultimate effect of taking people's computers from them. A tremendous amount of information and persona is stored there. Even a hacker, known for wandering where he's told not to go, would feel wrong about going through a personal computer. Faceless entities are one thing. Individuals and families, quite another.
If the mind rape setting doesn't convince you that we're heading straight into a Kafka tale, consider the economic punishment being inflicted here. A family has been deprived of income (several completely legitimate computer-run businesses were being operated from the house) and no charges have even been made. Thomas estimates the value of the seized equipment at $30,000. Thomas' children had their computer taken as well. It contained all of their schoolwork and some games.
If a message is to be understood here, it's that our society is increasingly punishing those of us who do anything even slightly out of the ordinary. There is nothing illegal about running a bulletin board with adult pictures. But not everybody approves. Because of this, a moral judgment quickly tums into a very real form of harassment. After witnessing such actions, how many of us would really have the guts to stand up for free speech?
How many of us can afford to remain silent?