The 16 Dec 88 'Los Angeles Times' contains this story (excerpts only): EX-COMPUTER WHIZ KID HELD ON NEW FRAUD COUNTS By Kim Murphy Kevin Mitnick was 17 when he first cracked Pacific Bell's computer system, secretly channeling his computer through a pay phone to alter telephone bills, penetrate other computers and steal $200,000 worth of data from a San Francisco corporation. A Juvenile Court judge at the time sentenced Mitnick to six months in a youth facility.... [After his release,] his probation officer found that her phone had been disconnected and the phone company had no record of it. A judge's credit record at TRW Inc. was inexplicably altered. Police computer files on the case were accessed from outside.... Mitnick fled to Israel. Upon his return, there were new charges filed in Santa Cruz, accusing Mitnick of stealing software under development by Microport Systems, and federal prosecutors have a judgment showing Mitnick was convicted on the charge. There is, however, no record of the conviction in Sant Cruz's computer files. On Thursday, Mitnick, now 25, was charged in two new criminal complaints accusing him of causing $4 million damage to a DEC computer, stealing a highly secret computer security system and gaining access to unauthorized MCI long-distance codes through university computers in L.A. and England. U.S. Magistrate ...took the unusual step of ordering [Mitnick] held without bail, ruling that when armed with a keyboard he posed a danger to the community. "This thing is so massive, we're just running around trying to figure out what he did," said the prosecutor, an Asst. U.S. Atty. "This person, we believe, is very, very dangerous, and he needs to be detained and kept away from a computer." LA and FBI Investigators say they are only now beginning to put together a picture of Mitnick and his alleged high-tech escapades. "He's several levels above what you would characterize as a computer hacker," said Detective James K. Black, head of the LA Police Dept's computer crime unit. "He started out with a real driving curiosity for computers that went beyond personal computers.... He grew with the technology." Mitnick is to be arraigned on two counts of computer fraud. The case is believed to be the first in the nation under a federal law that makes it a crime to gain access to an interstate computer network for criminal purposes.... Federal prosecutors also obtained a court order restricting Mitnick's telephone calls from jail, fearing he might gain access to a computer over the phone lines....
The note from Don Alvarez <email@example.com> in RISKS-7.91 gives the text of proposed legislation that is intended to inhibit certain kinds of computer crime. If you look at it only as a protection against skulduggery then it looks reasonable, but it also seems to prohibit certain plausible defensive tactics against software piracy. Suppose that a software developer wishes to protect his program against theft and happens to know with certainty that the computing environments of all customers will have a certain property and that those of thieves may not have that property. It would be reasonable to have the program check for the property and, if it is missing, either self-destruct or malfunction in subtle ways. (Admittedly there is some risk in doing this, given all the crazy things that customers do, but with suitable admonitions this could be a reasonable defensive tactic. In fact it has been used in the past.) The proposed legislation reportedly says: "(a) Whoever knowingly- "(1) inserts into a program for a computer information or commands, knowing or having reason to believe that such information or commands will cause loss to users of a computer on which such program is run or to those who rely on information processed on such computer; and "(2) provides such a program to others in circumstances in which those others do not know of the insertion or its effects; or attempts to do so, shall if any such conduct affects interstate or foreign commerce, be fined under this title or imprisoned not more than 10 years, or both." This wording, as it stands, would appear to make defensive programming of the type described above illegal. The problem is that it fails to distinguish between the interests of legitimate users of programs and those who steal them. -Les Earnest
Just a week back a note appeared from me citing an Irish Times report of how our Department of Health spent approximately $67million on a medical informatics system which was substandard in many respects. A lamentable fact of the debacle is the Dept's dogged refusal to accept the advice of a range of academics concerning inadequacies in the system. This little anecdote will impress RISKS readers I hope. Shortly, after the contract had been agreed, one of the management consultants favouring the system because of its advanced features had the temerity to ring one of the opposed academics and ask if they could recommend a good introduction to medical information systems!
>From the Nov 14 Aviation Week & Space Technology (page 103): The [USAF] Electronic Systems Div. has developed a new system for Air Force source selection boards to use to evaluate contractors' software capabilities. Using a questionnaire, companies are ranked from one to five. Some 84% of the 178 contractors checked so far rank at the lowest level, with chaotic or unpredictable, poorly controlled processes. Only 14% ranked at the second level, meaning they could repeat previously mastered tasks. Two percent met the third level with well-understood processes. The processes for the fourth level are defined as well-measured and controlled, and for the fifth as optimized. So far no contractor has ranked above the third level.
I have a somewhat different interpretation of the draft ICAO standard than Steve. I originally quoted from a draft standard that included the following: > "... [Software] must be developed systematically in such a way that its > behavior, under all possible conditions, can be established by logical > reasoning (to a level of formality appropriate to the application). Steve responded with: <> It's my opinion that strict enforcement of the above requirement simply <> makes the developer liable for errors, but doesn't do much for actually <> improving software reliability. It is unlikely that "all possible <> conditions" can be for[e]seen, let alone provided for. The problem becomes <> bigger as the complexity of the system increases, to the point where <> exhaustive analysis of a system could take centuries to perform. One of the most effective ways to increase reliability is to decrease complexity. I have seen safety-critical systems where the developers purposely simplified their systems to make the above reasoning possible. The results were highly reliable. I believe (and have heard those in the field of formal verification confirm) that one of the advantages of formally verifying software is that it encourages simplicity in the software design in order to perform the necessary logical reasoning. Reasoning about all conditions is currently required for hardware. System safety engineers use techniques such as FMECA (Failure Modes, Effects, and Criticality Analysis, as mentioned in the standard) to accomplish this. Should regulatory agencies relax their standards for the software used to replace this hardware? Such hardware analyses currently do find many problems that are fixed before they can cause an accident. Microwave landing systems are used when visibility does not allow the pilot to land the plane alone. Current systems allow landing only when visibility is at least 200 feet, so the pilot has a chance to abort and go around. However, they are now talking about allowing landings where the visibility is zero. Perhaps we should not be putting trust in these systems if we cannot build them in such a way that we CAN reason logically about their behavior under all conditions. <> The requirement is essentially that systems be perfect. That goal has <> proven elusive (unattainable?) in all areas of human endeavor. Extensive <> formalism and verification should be required of critical systems, but <> requirements for perfect function are inane. I don't read the requirement as requiring perfection. It says that we must build the software in such a way that we can reason about it under all conditions, including presumably what happens when there are software errors. The standards certainly should not imply that failures in such systems are acceptable. Would you want a standard involving the safety of commercial aircraft to require less than perfection? Extremely high reliability requirements (e.g., 10^-9 probability of failure over a fixed period of time) are merely attempts to provide virtual perfection in hardware systems where failures are random. In fact, it has been written that the FAA 10^-9 figure is meant to be equivalent to: "is not expected to occur within the total life span of the whole fleet of the model." [Waterman, "FAA's certification position on advanced avionics," AIAA Astro. and Aero., May 1978, pp. 49-51] <> A better approach would be to require independent performance monitoring <> and evaluation as part of the complete system. I agree, but I don't think the standard precludes this; in fact, I read it as implying the necessity for it. However, independent performance monitoring and evaluation can be flawed and implemented imperfectly also; error detection can be quite difficult in many applications. I would feel most comfortable if companies do everything they can to make such safety-critical software as good as possible and then provide safeguards in case they had not been completely successful; both of these things need to be done in order for us to have the maximum confidence in our software at our current level of technology.
The recent discussions of the etymology of the terms "hacker", "cracker", _et al_ & the recent spirited defence of the activity by one or two contributors (at least one of them being a self-confessed "hacker") has set me to thinking. In RISKS & elsewhere, I see a "generation gap" between what, for want of a better term, I would describe as the "old-time hackers", who were experimenters, and the current cyberpunks, the "hackers" of popular mediaspeak, the eponymous "shatterers". I think this apparent generation gap is fundamental to the discussion. The "old-style hackers" (of whom I am vain enough to claim I belong) learned their computing in the 60s and 70s, often in a university or similar multi- user environment, where, as often as not, hacking involved programming. Today's stainless steel rats are much more likely to have discovered computers in the home, courtesy of Apple, Commodore or IBM, and started their "network tourist" activities by purchasing a modem. The old school (& I include myself here) resents the way the term "hacker" has been hi-jacked and is today being used to connotate anti-social activity. This is despite the ambiguous roots of the term (described by Weizenbaum in _Computer Power & Human Reason_). Today's cyberpunks are computer burglars, who are attempting to justify their activities by claiming a common motivation with their arguably less anti-social predecessors. Like any story of generation conflict, there are elements of truth in the claims of both sides. It is going to be impossible to prevent the media from using the word "hacker" in a way that the "old school" dislike. It would almost be easier to claim that the word "gay" meant "happy, carefree". But maybe the media and the collective unconscious understand the evolution of hackerism better than we do. For just as there is at least a tiny thread of commonality with the hackers of old in the network rats of the 80s, and I would say that there was some small element of today's network rats in the hackers of old. But of course, there IS a distinction between hacking around a system whose sole reason of being is to teach people about computers, and hacking into systems which are being used for serious business purposes and where outsiders no right to be. That difference is ethical, and has well expounded here in RISKS already. Seeing as we can't get rid of "hackers" in the popular media, I would like to coin the term "punk hackers" (an abbreviation of 'cyberpunk hackers') to describe their anti-social activities. It seems to fit only too well, just like "punk rock" is rock music with swearing & spitting at the audience. And using it would let us "old hackers" keep our self-respect! Nigel Roberts, Munich, W. Germany.
First of all I would like to thank all the ppl who gave me feedback on my prev- ious contribution to risks it has on the whole been quite positive :-) [You will now have gathered that I have gone legit as I am now too well known to continue with active hacking and will have to make do with the odd foray into the net on highdays and holidays]. But there has been at least one recent contributor who does not seem to get the point that I was trying to make and s my last effort was knocked up in 10mins I have decided to put a bit more effort into this one. My previous article [if you can call it that] was not trying to justify anything but was written to try to point out a major flaw that exists in the IT community and it is one that should at least show some signs of being rectified in the near future or more serious attacks on networks such s internet will no doubt occur. The contributor who compared modern day hackers to the punk rock musicians of the 70's obviously has not spent time within the hacker community in the last 10 to 20 years as if he had he would releise that the sense of ethics and morality is as strong if not stronger than in his day and his assumption is like saying all black male teenagers are muggers, rapists and murderers.[but i wander yet again] and I would like to say to him am I anyless of a caring,moral and intelligent human being becoz I learned my craft on a home micro,network of tandy modal 80's and a modem I made myself? Wot I think we have witnessed in recent issues of risks is a kind of computer snobbery that does little to promote the spirt of goodwill and intellectual exchange that should exist within our community [for all our sakes]. Comments have been made that Hackers of today do not inform the owners of the systems of the holes that exist and in some instances that is true but I ask you "When those of you who claim to be 'old-time hackers' found a possible security breach on a machine did you immdiatly go running printout in hand to the owner of the system?????" I think not the temptation to explore just that little bit further is too great. and in some cases the administrator is rude and often downright abusive when a security hole is brought to his attention [sorry I am not sexist the masculine gender is used to mean mankind in general not just the male sex] Which is often the case on commercial sites[an exparience I myself have expirienced] To finish this "article" off i will just make the following points:- 1. Can we please have less of this snobbery that exists 2. Work with the hacking community as much as possible. We will both gain from the exparience [offer an insentive if nessesary[an account that is open to all but only usable at nite and has say a MUD on it or even MONEY :-) ]] 3. Work with each other and finally if anyone has a need for any help with any thing that you think I can help with then mail me at ...!unido!alter!Shatter and i will see if I can help. Shatter
Please report problems with the web pages to the maintainer