gtmhhlaw-1

____________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Computer Crime Law Issue #1


By Peter Thiruselvam <pselvam@ix.netcom.com> and Carolyn Meinel
____________________________________________________________

Tired of reading all those “You could go to jail” notes in these guides? Who says those things are crimes? Well, now you can get the first in a series of Guides to the gory details of exactly what laws we’re trying to keep you from accidentally breaking, and who will bust you if you go ahead with the crime anyhow.

This Guide covers the two most important US Federal computer crime statutes: 18 USC, Chapter 47, Section 1029, and Section 1030, known as the “Computer Fraud and Abuse Act of 1986.”

Now these are not the *only* computer crime laws. It’s just that these are the two most important laws used in US Federal Courts to put computer criminals behind bars.

COMPUTER CRIMES: HOW COMMON? HOW OFTEN ARE THEY REPORTED?

The FBI’s national Computer Crimes Squad estimates that between 85 and 97 percent of computer intrusions are not even detected. In a recent test sponsored by the Department of Defense, the statistics were startling. Attempts were made to attack a total of 8932 systems participating in the test. 7860 of those systems were successfully penetrated. The management of only 390 of those 7860 systems detected the attacks, and only 19 of the managers reported the attacks (Richard Power, _Current and Future Danger: A CSI Primer on Computer Crime and Information Warfare_, Computer Security Institute, 1995.)

The reason so few attacks were reported was “mainly because organizations frequently fear their employees, clients, and stockholders will lose faith in them if they admit that their computers have been attacked.” Besides, of the computer crimes that *are* reported, few are ever solved.

SO, ARE HACKERS A BIG CAUSE OF COMPUTER DISASTERS?

According to the Computer Security Institute, these are the types of computer crime and other losses:

— Human errors - 55%
— Physical security problems - 20% (e.g., natural disasters, power problems)
— Insider attacks conducted for the purpose of profiting from computer crime - 10%
— Disgruntled employees seeking revenge - 9%
— Viruses - 4%
— Outsider attacks - 1-3%

So when you consider that many of the outsider attacks come from professional computer criminals -- many of whom are employees of the victims’ competitors -- hackers are responsible for almost no damage at all to computers.

In fact, on the average, it has been our experience that hackers do far more good than harm.

Yes, we are saying that the recreational hacker who just likes to play around with other people’s computers is not the guy to be afraid of. It’s far more likely to be some guy in a suit who is an employee of his victim. But you would never know it from the media, would you?

OVERVIEW OF US FEDERAL LAWS

In general, a computer crime breaks federal laws when it falls into one of these categories:

— It involves the theft or compromise of national defense, foreign relations, atomic energy, or other restricted information.
— It involves a computer owned by a U.S. government department or agency.
— It involves a bank or most other types of financial institutions.
— It involves interstate or foreign communications.
— It involves people or computers in other states or countries.

Of these offenses, the FBI ordinarily has jurisdiction over cases involving national security, terrorism, banking, and organized crime. The U.S. Secret Service has jurisdiction whenever the Treasury Department is victimized or whenever computers are attacked that are not under FBI or U.S. Secret Service jurisdiction (e.g., in cases of password or access code theft). In certain federal cases, the Customs Department, the Commerce Department, or a military organization, such as the Air Force Office of Investigations, may have jurisdiction.

In the United States, a number of federal laws protect against attacks on computers, misuse of passwords, electronic invasions of privacy, and other transgressions. The Computer Fraud and Abuse Act of 1986 is the main piece of legislation that governs most common computer crimes, although many other laws may be used to prosecute different types of computer crime. The act amended Title 18 United States Code §1030. It also complemented the Electronic Communications Privacy Act of 1986, which outlawed the unauthorized interception of digital communications and had just recently been passed. The Computer Abuse Amendments Act of 1994 expanded the 1986 Act to address the transmission of viruses and other harmful code.

In addition to federal laws, most of the states have adopted their own computer crime laws. A number of countries outside the United States have also passed legislation defining and prohibiting computer crime.

THE BIG NO NO’S -- THE TWO MOST IMPORTANT FEDERAL CRIME LAWS

As mentioned above, the two most important US federal computer crime laws are 18 USC: Chapter 47, Sections 1029 and 1030.

SECTION 1029

Section 1029 prohibits fraud and related activity that is made possible by counterfeit access devices such as PINs, credit cards, account numbers, and various types of electronic identifiers. The nine areas of criminal activity covered by Section 1029 are listed below. All *require* that the offense involved interstate or foreign commerce.

1. Producing, using, or trafficking in counterfeit access devices. (The offense must be committed knowingly and with intent to defraud.)

Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense.

2. Using or obtaining unauthorized access devices to obtain anything of value totaling $1000 or more during a one-year period. (The offense must be committed knowingly and with intent to defraud.)

Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense.

3. Possessing 15 or more counterfeit or unauthorized access devices. (The offense must be committed knowingly and with intent to defraud.)

Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense.

4. Producing, trafficking in, or having device-making equipment. (The offense must be committed knowingly and with intent to defraud.)

Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $1,000,000 and/or up to 20 years if repeat offense.

5. Effecting transactions with access devices issued to another person in order to receive payment or anything of value totaling $1000 or more during a one-year period. (The offense must be committed knowingly and with intent to defraud.)

Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense.

6. Soliciting a person for the purpose of offering an access device or selling information that can be used to obtain an access device. (The offense must be committed knowingly and with intent to defraud, and without the authorization of the issuer of the access device.)

Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense.

7. Using, producing, trafficking in, or having a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services. (The offense must be committed knowingly and with intent to defraud.)

This would cover use of “Red Boxes,” “Blue Boxes” (yes, they still work on some telephone networks) and cloned cell phones when the legitimate owner of the phone you have cloned has not agreed to it being cloned.

Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense.

8. Using, producing, trafficking in, or having a scanning receiver or hardware or software used to alter or modify telecommunications instruments to obtain unauthorized access to telecommunications services.

This outlaws the scanners that people so commonly use to snoop on cell phone calls. We just had a big scandal when the news media got a hold of an intercepted cell phone call from Speaker of the US House of Representatives Newt Gingrich.

Penalty: Fine of $50,000 or twice the value of the crime and/or up to 15 years in prison, $100,000 and/or up to 20 years if repeat offense.

9. Causing or arranging for a person to present, to a credit card system member or its agent for payment, records of transactions made by an access device. (The offense must be committed knowingly and with intent to defraud, and without the authorization of the credit card system member or its agent.)

Penalty: Fine of $10,000 or twice the value of the crime and/or up to 10 years in prison, $100,000 and/or up to 20 years if repeat offense.

SECTION 1030

18 USC, Chapter 47, Section 1030, enacted as part of the Computer Fraud and Abuse Act of 1986, prohibits unauthorized or fraudulent access to government computers, and establishes penalties for such access. This act is one of the few pieces of federal legislation solely concerned with computers. Under the Computer Fraud and Abuse Act, the U.S. Secret Service and the FBI explicitly have been given jurisdiction to investigate the offenses defined under this act.

The six areas of criminal activity covered by Section 1030 are:

1. Acquiring national defense, foreign relations, or restricted atomic energy information with the intent or reason to believe that the information can be used to injure the United States or to the advantage of any foreign nation. (The offense must be committed knowingly by accessing a computer without authorization or exceeding authorized access.)

2. Obtaining information in a financial record of a financial institution or a card issuer, or information on a consumer in a file of a consumer reporting agency. (The offense must be committed intentionally by accessing a computer without authorization or exceeding authorized access.)

Important note: recently on the dc-stuff hackers’ list a fellow whose name we shall not repeat claimed to have “hacked TRW” to get a report on someone which he posted to the list. We hope this fellow was lying and simply paid the fee to purchase the report.

Penalty: Fine and/or up to 1 year in prison, up to 10 years if repeat offense.

3. Affecting a computer exclusively for the use of a U.S. government department or agency or, if it is not exclusive, one used for the government where the offense adversely affects the use of the government’s operation of the computer. (The offense must be committed intentionally by accessing a computer without authorization.)

This could apply to syn flood and killer ping as well as other denial of service attacks, as well as breaking into a computer and messing around. Please remember to tiptoe around computers with .mil or .gov domain names!

Penalty: Fine and/or up to 1 year in prison, up to 10 years if repeat offense.

4. Furthering a fraud by accessing a federal interest computer and obtaining anything of value, unless the fraud and the thing obtained consists only of the use of the computer. (The offense must be committed knowingly, with intent to defraud, and without authorization or exceeding authorization.) [The government’s view of “federal interest computer” is defined below]

Watch out! Even if you download copies of programs just to study them, this law means if the owner of the program says, “Yeah, I’d say it’s worth a million dollars,” you’re in deep trouble.

Penalty: Fine and/or up to 5 years in prison, up to 10 years if repeat offense.

5. Through use of a computer used in interstate commerce, knowingly causing the transmission of a program, information, code, or command to a computer system. There are two separate scenarios:

a. In this scenario, (i) the person causing the transmission intends it to damage the computer or deny use to it; and (ii) the transmission occurs without the authorization of the computer owners or operators, and causes $1000 or more in loss or damage, or modifies or impairs, or potentially modifies or impairs, a medical treatment or examination.

The most common way someone gets into trouble with this part of the law is when trying to cover tracks after breaking into a computer. While editing or, worse yet, erasing various files, the intruder may accidentally erase something important. Or some command he or she gives may accidentally mess things up. Yeah, just try to prove it was an accident. Just ask any systems administrator about giving commands as root. Even when you know a computer like the back of your hand it is too easy to mess up.

A simple email bomb attack, “killer ping,” flood ping, syn flood, and those huge numbers of Windows NT exploits where sending simple commands to many of its ports causes a crash could also break this law. So even if you are a newbie hacker, some of the simplest exploits can land you in deep crap!

Penalty with intent to harm: Fine and/or up to 5 years in prison, up to 10 years if repeat offense.

b. In this scenario, (i) the person causing the transmission does not intend the damage but operates with reckless disregard of the risk that the transmission will cause damage to the computer owners or operators, and causes $1000 or more in loss or damage, or modifies or impairs, or potentially modifies or impairs, a medical treatment or examination.

This means that even if you can prove you harmed the computer by accident, you still may go to prison.

Penalty for acting with reckless disregard: Fine and/or up to 1 year in prison.

6. Furthering a fraud by trafficking in passwords or similar information which will allow a computer to be accessed without authorization, if the trafficking affects interstate or foreign commerce or if the computer affected is used by or for the government. (The offense must be committed knowingly and with intent to defraud.)

A common way to break this part of the law comes from the desire to boast. When one hacker finds a way to slip into another person’s computer, it can be really tempting to give out a password to someone else. Pretty soon dozens of clueless newbies are carelessly messing around the victim computer. They also boast. Before you know it you are in deep crud.

Penalty: Fine and/or up to 1 year in prison, up to 10 years if repeat offense.

Re: #4 Section 1030 defines a federal interest computer as follows:

1. A computer that is exclusively for use of a financial institution [defined below] or the U.S. government or, if it is not exclusive, one used for a financial institution or the U.S. government where the offense adversely affects the use of the financial institution’s or government’s operation of the computer; or

2. A computer that is one of two or more computers used to commit the offense, not all of which are located in the same state.

This section defines a financial institution as follows:

1. An institution with deposits insured by the Federal Deposit Insurance Corporation (FDIC).

2. The Federal Reserve or a member of the Federal Reserve, including any Federal Reserve Bank.

3. A credit union with accounts insured by the National Credit Union Administration.

4. A member of the federal home loan bank system and any home loan bank.

5. Any institution of the Farm Credit system under the Farm Credit Act of 1971.

6. A broker-dealer registered with the Securities and Exchange Commission (SEC) within the rules of section 15 of the SEC Act of 1934.

7. The Securities Investors Protection Corporation.

8. A branch or agency of a foreign bank (as defined in the International Banking Act of 1978).

9. An organization operating under section 25 or 25(a) of the Federal Reserve Act.

WHO’S IN CHARGE OF BUSTING THE CRACKER WHO GETS A BIT FROGGY REGARDING SECTION 1030?

(FBI stands for Federal Bureau of Investigation, USSS for US Secret Service)

Page 12
gtmhhlaw-1
Section of Law   Type of Information                                     Jurisdiction (FBI / USSS / JOINT)
1030(a)(1)       National security
                   National defense                                      X
                   Foreign relations                                     X
                   Restricted atomic energy                              X
1030(a)(2)       Financial or consumer
                   Financial records of banks, other financial           X
                   institutions
                   Financial records of card issuers                     X
                   Information on consumers in files of a consumer       X
                   reporting agency
                   Non-bank financial institutions                       X
1030(a)(3)       Government computers
                   National defense                                      X
                   Foreign relations                                     X
                   Restricted data                                       X
                   White House                                           X
                   All other government computers                        X
1030(a)(4)       Federal interest computers: intent to defraud           X
1030(a)(5)(A)    Transmission of programs, commands: intent to damage    X
                 or deny use
1030(a)(5)(B)    Transmission of programs, commands: reckless disregard  X
1030(a)(6)       Trafficking in passwords
                   Interstate or foreign commerce                        X
                   Computers used by or for the government               X

Regarding 1030(a)(2): The FBI has jurisdiction over bank fraud violations, which include categories (1) through (5) in the list of financial institutions defined above. The Secret Service and FBI share joint jurisdiction over non-bank financial institutions defined in categories (6) and (7) in the list of financial institutions defined above.

Regarding 1030(a)(3) Government Computers: The FBI is the primary investigative agency for violations of this section when it involves national defense, information pertaining to foreign relations, and other restricted data. Unauthorized access to other information in government computers falls under the primary jurisdiction of the Secret Service.

MORAL: CONFUCIUS SAY: “CRACKER WHO GETS BUSTED DOING ONE OF THESE CRIMES, WILL SPEND LONG TIME IN JAILHOUSE SOUP.”

This information was swiped from _Computer Crime: A Crimefighter’s Handbook_ (Icove, Seger & VonStorch. O’Reilly & Associates, Inc.)
_________________________________________________________
Want to see back issues of Guide to (mostly) Harmless Hacking? See either http://www.tacd.com/zines/gtmhh/ or http://ra.nilenet.com/~mjl/hacks/codez.htm. Or get complete archives of our Happy Hacker list digests at http://www.infowar.com under the “Hackers” forum.

Subscribe to our email list by emailing to hacker@techbroker.com with message "subscribe".

Want to share some kewl stuph with the Happy Hacker list? Correct mistakes? Send your messages to hacker@techbroker.com. To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com and be sure to state in your message that you want me to keep this confidential. If you wish your message posted anonymously, please say so! Please direct flames to dev/null@techbroker.com. Happy hacking!

Copyright 1997 Carolyn P. Meinel. You may forward or post on your Web site this GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.
________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers
