In February 1988 my routine workday was interrupted. I was asked to look at some 9-track tapes that the local PD had seized, in connection with the arrests of three people either working at, or previously working at, my place of employ. SRI. Stanford Research International, Engineering Division, Building 3. Home of the CSL, the AI Lab, and the ISTD, home to part of the Army's HTRD, to the Navy's SPAWAR, and some other less public projects. My job was to manage the ISTD's computing assets, local and remote, and the SAC SCIF in the basement. It was a good job, I ran the largest set of ARPA and MIL nets routing assets outside of BBN, but it didn't pay enough to fund a child custody fight, so eventually I went adrift.
The tapes themselves were banal, Menlo Park PD, "aided by" PacTel's legion of weenies, couldn't read them. That was because they were (surprise) in Unix tar format, contained my prior subordinate's home directory and the usual rubbish people collect, and about .01% of actually encrypted data.
The fun came later. When I saw the indictments. Kevin was hit with about 20 counts, Rob and Mark with lesser hits, and most of the Federal dog pile was actually dog poop. One count had that the boys having an ATM (yes, several hundred pounds of electro-mechanical and 8-bit digital rubbish) was proof positive of some horrific crime. The ATM had been bought at auction. Those things don't self-distruct any more than old Chevys do. Another count had that the boys (begin scary voice) trafficed in access codes to a Government Interest Computer (shoot scary voice guy twice behind ear). The evidence for this horrific crime was a screen-shot of a "keep out fool" banner on some Army box on the (unclassified) net, which at the time was rather novel, annotated with "hey, would you look at that!" commentary. The photo-of-the-no-tresspass-sign was offered as proof that the boys hopped the fence and had carnal knowledge of the farmer's cow.
It went on and on and on. In those days, PacTel pretty much ran any local PD operation it wanted to by simply claiming that they were chasing toll-fraud. The boys were committing toll-fraud. PacTel pretty much ran the local EFF-BEE-EYE operation as well, and the US AG for the district, so toll-fraud got an automatic promotion to Government Interest. It was a world of armed, dumb, arrogant, corrupt men, protected by badges, taking orders from corporate suits, oh so very, very different from today.
I stopped looking at the Computer Fraud and Abuse Act 1986 (US) 18 USC 1030 after Rob and Mark made reasonable deals, and Kevin's case degenerated into hoplessness and flight (he should have gone to Paraguay and operated their phone system), but somethings made a lasting impression.
You can find this on the NSA's notice page. It lives on boatloads of federal boxen, more than I have time or interest to jiggle the handles of. Time hasn't stood still since 1988, Patrick Leahy contributed to this body of law in 1996 with the National Information Infrastructure Protection Act (NIIPA). I'll look into that tomorrow.
Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act.
How does this song begin?
18 USC 1030 (a) Whoever-- (1) knowingly accesses a computer without authorization or exceeds authorized access, and by means of such conduct obtains information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations,
or
(3) intentionally, without authorization to access any computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States,
or
(4) knowingly and with intent to defraud, accesses a Federal interest computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer;
or
(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if--(B) such computer is used by or for the Government of the United States;
shall be punished as provided in subsection (c) of this section.
(c) The punishment for an offense under subsection (a) or (b) of this
section is -(1)(A) a fine under this title or imprisonment for not more than ten years or
both, in the case of an offense under subsection (a)(1) of this section
which does not occur after a conviction for another offense under such
subsection, or an attempt to commit an offense punishable under this
subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years,
or both, in the case of an offense under subsection (a)(1) of this
section which occurs after a conviction for another offense under such
subsection, or an attempt to commit an offense punishable under this
subparagraph; and...
The language for (a)(3) or (a)(6) is a fine or one to ten. The language for (a)(5) is fine and no more than five. Both double for a second offense, the (B) para above repeats with the appropriate duration.
The net of this is, looking at the story in today's Globe, if the same standards apply, toe-tags will be handed out by summer to federal employees. Then there is everybody's favorite piece of legislation (begin really scary voice, Alien and Sedition Act scary voice), das Patriot Act. I don't read historically bad legislation, I guess I'll have to make an exception this weekend.
Oblig Note: Assume your assets are targets. Harden them. Partition. Go black end-to-end. Invest in real mirrors, hot-stand-by, and replicated archival store. Every IETF/NANOG/RIPE/... meeting has a PGP key reading, we work in a hostile environment. If you're not operating at the level of the Red Player, the hostile foreign power, you may not get in power.
The text of Computer Fraud and Abuse Act 1986 (US) 18 USC 1030 follows.
Computer Fraud and Abuse Act 1986 (US) 18 USC 1030
Computer Fraud and Abuse Act 1986 (US) 18 USC 1030(a)
1030. Fraud and related activity in connection with computers
(a) Whoever--
(1) knowingly accesses a computer without authorization or
exceeds authorized access, and by means of such conduct obtains
information that has been determined by the United States Government
pursuant to an Executive order or statute to require protection against
unauthorized disclosure for reasons of national defense or foreign
relations, or any restricted data, as defined in paragraph r. of
section 11 of the Atomic Energy Act of 1954, with the intent or reason to
believe that such information so obtained is to be used to the injury of
the United States, or to the advantage of any foreign nation;
(2) intentionally accesses a computer without authorization or exceeds
authorized access, and thereby obtains information contained in a financial
record of a financial institution, or of a card issuer as defined in
section 1602(n) of title 15, or contained in a file of a consumer reporting
agency on a consumer, as such terms are defined in the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.);
(3) intentionally, without authorization to access any computer of a
department or agency of the United States, accesses such a computer of
that department or agency that is exclusively for the use of the
Government of the United States or, in the case of a computer not
exclusively for such use, is used by or for the Government of the United
States and such conduct affects the use of the Government's operation of
such computer;
(4) knowingly and with intent to defraud, accesses a Federal interest computer
without authorization, or exceeds authorized access, and by means
of such conduct furthers the intended fraud and obtains anything of value,
unless the object of the fraud and the thing obtained consists only of the
use of the computer;
(5) intentionally accesses a Federal interest computer without authorization
and by means of one or more instances of such conduct alters, damages, or
destroys information in any such Federal interest computer, or prevents
authorized use of any such computer or information, and thereby--
(A) causes loss to one or more others of a value aggregating $1,000 or
more during any one year period; or
(B) modifies or impairs, or potentially modifies or impairs the medical
examination, medical diagnosis, medical treatment, or medical care of
one or more individuals; or
(6) knowingly and with intent to defraud traffics (as defined in section 1029)
in any password or similar information through which a computer may be
accessed without authorization, if--
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
shall be punished as provided in subsection (c) of this section.
Computer Fraud and Abuse Act 1986 (US) 18 USC 1030(b)
(b) Whoever attempts to commit an offense under subsection (a) of this section
shall be punished as provided in subsection (c) of this section.
Computer Fraud and Abuse Act 1986 (US) 18 USC 1030(c)
(c) The punishment for an offense under subsection (a) or (b) of this
section is -
(1)(A) a fine under this title or imprisonment for not more than ten years or
both, in the case of an offense under subsection (a)(1) of this section
which does not occur after a conviction for another offense under such
subsection, or an attempt to commit an offense punishable under this
subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years,
or both, in the case of an offense under subsection (a)(1) of this
section which occurs after a conviction for another offense under such
subsection, or an attempt to commit an offense punishable under this
subparagraph; and
(2)(A) a fine under this title or imprisonment for not more than one year, or
both, in the case of an offense under subsection (a)(2), (a)(3) or
(a)(6) of this section which does not occur after a conviction for
another offense under such subsection, or an attempt to commit an
offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years,
or both, in the case of an offense under subsection (a)(2), (a)(3) or
(a)(6) of this section which occurs after a conviction for another
offense under such subsection, or an attempt to commit an offense
punishable under this subparagraph; and
(3)(A) a fine under this title or imprisonment for not more than five years or
both, in the case of an offense under subsection (a)(4) or (a)(5) of
this section which does not occur after a conviction for another
offense under such subsection, or an attempt to commit an offense
punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than ten years, or
both, in the case of an offense under subsection (a)(4) or (a)(5) of
this section which occurs after a conviction for another offense under
such subsection, or an attempt to commit an offense punishable under
this subparagraph.
Computer Fraud and Abuse Act 1986 (US) 18 USC 1030(d)
(d) The United States Secret Service shall, in addition to any other agency
having such authority, have the authority to investigate offenses under this
section. Such authority of the United States Secret Service shall be exercised
in accordance with an agreement which shall be entered into by the Secretary
of the Treasury and the Attorney General.
Computer Fraud and Abuse Act 1986 (US) 18 USC 1030(e)
(e) As used in this section--
(1) the term "computer" means an electronic, magnetic, optical,
electrochemical, or other high speed data processing device performing
logical, arithmetic, or storage functions, and includes any data storage
facility or communications facility directly related to or operating in
conjunction with such device, but such term does not include an automated
typewriter or typesetter, a portable hand held calculator, or other
similar device;
(2) the term "Federal interest computer" means a computer--
(A) exclusively for the use of a financial institution or the United States
Government, or, in the case of a computer not exclusively for such use,
used by or for a financial institution or the United States Government
and the conduct constituting the offense affects the use of the
financial institution's operation or the Government's operation of
such computer; or
(B) which is one of two or more computers used in committing the offense,
not all of which are located in the same State;
(3) the term "State" includes the District of Columbia, the Commonwealth of
Puerto Rico, and any other possession or territory of the United States;
(4) the term "financial institution" means--
(A) an institution with deposits insured by the Federal Deposit Insurance
Corporation;
(B) the Federal Reserve or a member of the Federal Reserve including
any Federal Reserve Bank;
(C) a credit union with accounts insured by the National Credit Union
Administration;
(D) a member of the Federal home loan bank system and any home loan
bank;
(E) any institution of the Farm Credit System under the Farm Credit Act
of 1971;
(F) a broker-dealer registered with the Securities and Exchange
Commission pursuant to section 15 of the Securities Exchange Act
of 1934; and
(G) the Securities Investor Protection Corporation;
(5) the term "financial record" means information derived from any record
held by a financial institution pertaining to a customer's relationship
with the financial institution;
(6) the term "exceeds authorized access" means to access a computer with
authorization and to use such access to obtain or alter information in the
computer that the accesser is not entitled so to obtain or alter; and
(7) the term "department of the United States" means the legislative or
judicial branch of the government or one of the executive departments
enumerated in section 101 of title 5.
Computer Fraud and Abuse Act 1986 (US) 18 USC 1030(f)
(f) This section does not prohibit any lawfully authorized investigative,
protective, or intelligence activity of a law enforcement agency of the
United States, a State, or a political subdivision of a State, or of an
intelligence agency of the United States.
Eric, thanks for writing this. It's important that we keep connecting the dots, even if the media doesn't.
Posted by: Mithras at January 23, 2004 12:59 AM