informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/magazines/CUD/cud0614.txt

1327 lines
75 KiB
Plaintext
Raw Blame History

Computer underground Digest Wed Feb 9, 1994 Volume 6 : Issue 14
ISSN 1004-042X
Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe (Improving each day)
Acting Archivist: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cowpie Editor: Buffy A. Lowe
CONTENTS, #6.14 (Feb 9, 1994)
File 1:--Sen. Markey Tirade against "hackers" (courtesy of 2600)
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.
To subscribe, send a one-line message: SUB CUDIGEST your name
Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115.
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.
EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893;
In ITALY: Bits against the Empire BBS: +39-461-980493
ANONYMOUS FTP SITES:
AUSTRALIA: ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
EUROPE: ftp.funet.fi in pub/doc/cud. (Finland)
UNITED STATES:
aql.gatech.edu (128.61.10.53) in /pub/eff/cud
etext.archive.umich.edu (141.211.164.18) in /pub/CuD/cud
ftp.eff.org (192.88.144.4) in /pub/Publications/CuD
halcyon.com( 202.135.191.2) in mirror2/cud
ftp.warwick.ac.uk in pub/cud (United Kingdom)
KOREA: ftp: cair.kaist.ac.kr in /doc/eff/cud
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
----------------------------------------------------------------------
Date: Fri, 4 Feb 1994 03:16:28 -0800
From: Emmanuel Goldstein <emmanuel@WELL.SF.CA.US>
Subject: File 1--Sen. Markey Tirade against "hackers" (courtesy of 2600)
((MODERATORS' NOTE: On June 9, 1993, Emmanuel Goldstein, editor of
2600, appeared before The House Subcommittee on Telecommunications and
Finance. The topic was ostensibly network security, toll fraud, and
the social implications of changing technology. As reported in CuDs
#5.43 and 5.45, the session turned into "Emmanuel bashing." As the
following transcript shows, the Subcommittee's chairperson, Rep.
Edward J. Markey (D-Mass.), was more interested in criticizing
Emmanuel Goldstein than in pursuing comments by a major law
enforcement official advocating restriction of Constitutional
protections of free speech to stifle information. Thanks to the 2600
staff for transcribing the entire transcript. Sadly, it reveals that
the knowledge gap between legislators and the laws they enact remains
unacceptly wide.))
At long last, 2600 has obtained a transcript of the hearings from
last June where two members of congress - Edward J. Markey (D-MA)
and Jack Fields (R-TX) - launched into a tirade against the evils
of computer hackers and generally demonstrated their ignorance
on the subject and their unwillingness to listen to anything that
didn't match their predetermined conclusions. Those conclusions are
basically that 2600 Magazine is a manual for criminals and that
hackers are a blight on civilization. At least, that was my
interpretation, which is admittedly biased since I was on the
receiving end of this double dose of dogma. I'd be most interested
in hearing yours as would the rest of us at 2600. While you may
think that members of Congress would also be interested, I would
have to say it doesn't seem too likely. I was asked down there to
address the issue of new technology, its implications, and the
social benefits and dangers. That is what I addressed in my twenty
pages of written testimony and my opening remarks. What happened
during the hearing was like something out of the Geraldo show, only
worse. This was the Congress of the United States. Look for the
soundbites, the simplistic solutions, the demonization of a
perceived enemy, and the eagerness to legislate away the problems
and avoid the complex issues. It's too bad it took them three
quarters of a year to get this transcript to us.
To be official, this is the full transcript of all spoken testimony
from the second panel on June 9, 1993. (If you want a copy of
my written testimony, email me at emmanuel@well.sf.ca.us.) This
is a literal transcript, meaning that any and all factual
or technical inaccuracies are reproduced without comment. The
panel you'll see being referred to that was on first was one on
the Clipper Chip, a subject these members of Congress were a bit
more enlightened on. To obtain your own copy of this hearing and
the other related ones, contact the U.S. Government Printing
Office (202-512-0000) and ask for Serial No. 103-53, known as
"Hearings Before The Subcommittee on Telecommunications and
Finance of the Committee on Energy and Commerce, House of
Representatives, One Hundred Third Congress, First Session,
April 29 and June 9, 1993".
===================================================================
It was a very hot day in June....
Mr. MARKEY. If you could close the door, please, we could move
on to this very important panel. It consists of Mr. Donald Delaney,
who is a senior investigator for the New York State Police. Mr.
Delaney has instructed telecommunications fraud at the Federal Law
Enforcement Training Center and has published chapters on computer
crime and telecommunications fraud. Dr. Peter Tippett is an expert
in computer viruses and is the director of security products for
Symantec Corporation in California. Mr. John J. Haugh is chairman
of Telecommunications Advisors Incorporated, a telecommunications
consulting firm in Portland, Oreg., specializing in network
security issues. Dr. Haugh is the editor and principal author of
two volumes entitled "Toll Fraud" and "Telabuse" in a newsletter
entitled "Telecom and Network Security Review." Mr. Emmanuel
Goldstein is the editor-in-chief of "2600: The Hacker Quarterly."
Mr. Goldstein also hosts a weekly radio program in New York called
"Off The Hook." Mr. Michael Guidry is chairman and founder of the
Guidry Group, a security consulting firm specializing in
telecommunications issues. The Guidry Group works extensively with
the cellular industry in its fight against cellular fraud.
We will begin with you, Mr. Delaney, if we could. You each
have 5 minutes. We will be monitoring that. Please try to abide by
the limitation. Whenever you are ready, please begin.
STATEMENTS OF DONALD P. DELANEY, SENIOR INVESTIGATOR, NEW YORK
STATE POLICE; JOHN J. HAUGH, CHAIRMAN, TELECOMMUNICATIONS ADVISORS;
EMMANUEL GOLDSTEIN, PUBLISHER, 2600 MAGAZINE; PETER S. TIPPETT,
DIRECTOR, SECURITY AND ENTERPRISE PRODUCTS, SYMANTEC CORP.; AND
MICHAEL A. GUIDRY, CHIEF EXECUTIVE OFFICER, THE GUIDRY GROUP
Mr. DELANEY. Thank you, Mr. Chairman, for the invitation to
testify today.
As a senior investigator with the New York State Police, I
have spent more than 3 years investigating computer crime and
telecommunications fraud. I have executed more than 30 search
warrants and arrested more than 30 individuals responsible for the
entire spectrum of crime in this area.
I authored two chapters in the "Civil and Criminal
Investigating Handbook" published by McGraw Hill entitled
"Investigating Computer Crime and Investigating Telecommunications
Fraud." Periodically I teach a 4-hour block instruction on
telecommunications fraud at the Federal Law Enforcement Training
Center in Georgia.
Although I have arrested some infamous teenagers, such as
Phiber Optic, ZOD, and Kong, in some cases the investigations were
actually conducted by the United States Secret Service. Because
Federal law designates a juvenile as one less than 18 years of age
and the Federal system has no means of prosecuting a juvenile,
malicious hackers, predominately between 13 and 17 years of age,
are either left unprosecuted or turned over to local law
enforcement. In some cases, local law enforcement were either
untrained or unwilling to investigate the high-tech crime.
In examining telecommunications security, one first realizes
that all telecommunications is controlled by computers. Computer
criminals abuse these systems not only for free service but for a
variety of crimes ranging from harassment to grand larceny and
illegal wiretapping. Corporate and Government espionage rely on the
user-friendly networks which connect universities, military
institutions, Government offices, corporate research and
development computers. Information theft is common from those
companies which hold our credit histories. Their lack of security
endanger each of us, but they are not held accountable.
One activity which has had a financial impact on everyone
present is the proliferation of call sell operations. Using a
variety of methods, such as rechipped cellular telephones,
compromised PBX remote access units, or a combination of cellular
phone and international conference lines, the entrepreneur deprives
the telephone companies of hundreds of millions of dollars each
year. These losses are passed on to each of us as higher rates.
The horrible PBX problem exists because a few dozen finger
hackers crack the codes and disseminate them to those who control
the pay phones. The major long distance carriers each have the
ability to monitor their 800 service lines for sudden peaks in use.
A concerted effort should be made by the long distance carriers to
identify the finger hackers, have the local telephone companies
monitor the necessary dialed number recorders, and provide local
law enforcement with timely affidavits. Those we have arrested for
finger hacking the PBX's have not gone back into this type of
activity or crime.
The New York State Police have four newly trained
investigators assigned to investigate telecommunications fraud in
New York City alone. One new program sponsored by AT&T is
responsible for having trained police officers from over 75
departments about this growing blight in New York State alone.
Publications, such as "2600," which teach subscribers how to
commit telecommunications crime are protected by the First
Amendment, but disseminating pornography to minors is illegal. In
that many of the phone freaks are juveniles, I believe legislation
banning the dissemination to juveniles of manuals on how to commit
crime would be appropriate.
From a law enforcement perspective, I applaud the proposed
Clipper chip encryption standard which affords individuals
protection of privacy yet enables law enforcement to conduct
necessary court-ordered wiretaps, and with respect to what was
being said in the previous conversation, last year there were over
900 court-ordered wiretaps in the United States responsible for the
seizure of tons of illicit drugs coming into this country, solving
homicides, rapes, kidnappings. If we went to an encryption standard
without the ability for law enforcement to do something about it,
we would have havoc in the United States -- my personal opinion.
In New York State an individual becomes an adult at 16 years
old and can be prosecuted as such, but if a crime being
investigated is a Federal violation he must be 18 years of age to
be prosecuted. Even in New York State juveniles can be adjudicated
and given relevant punishment, such as community service.
I believe that funding law enforcement education programs
regarding high-tech crime investigations, as exists at the Federal
Law Enforcement Training Center's Financial Frauds Institute, is
one of the best tools our Government has to protect its people with
regard to law enforcement.
Thank you.
Mr. WYDEN [presiding]. Thank you very much for a very helpful
presentation.
Let us go next to Mr. Haugh.
We welcome you. It is a pleasure to have an Oregonian,
particularly an Oregonian who has done so much in this field, with
the subcommittee today. I also want to thank Chairman Markey and
his excellent staff for all their efforts to make your attendance
possible today.
So, Mr. Haugh, we welcome you, and I know the chairman is
going to be back here in just a moment.
STATEMENT OF JOHN J. HAUGH
Mr. HAUGH. Thank you, Mr. Wyden.
We expended some 9,000 hours, 11 different people, researching
the problem of toll fraud, penetrating telecommunications systems,
and then stealing long distance, leading up to the publication of
our two-volume reference work in mid-1992. We have since spent
about 5,000 additional hours continuing to monitor the problem, and
we come to the table with a unique perspective because we are
vender, carrier, and user independent.
In the prior panel, the distinguished gentleman from AT&T, for
whom I have a lot of personal respect, made the comment that the
public justifiably is confident that the national wire network is
secure and that the problem is wireless. With all due respect, that
is a laudable goal, but as far as what is going on today, just
practical reality, that comment is simply incorrect, and if the
public truly is confident that the wired network is secure, that
confidence is grossly misplaced.
We believe 35,000 users will become victimized by toll fraud
this year, 1993. We believe the national problem totals somewhere
between $4 and $5 billion. It is a very serious national problem.
We commend the chairman and this committee for continuing to
attempt to draw public attention and focus on the problem.
The good news, as we see it, over the last 3 years is that the
severity of losses has decreased. There is better monitoring,
particularly on the part of the long distance carriers, there is
more awareness on the part of users who are being more careful
about monitoring and managing their own systems, as a result of
which the severity of loss is decreasing. That is the good news.
The bad news is that the frequency is greatly increasing, so
while severity is decreasing, frequency is increasing, and I will
give you some examples. In 1991 we studied the problem from 1988 to
1991 and concluded that the average toll fraud loss was $168,000.
We did a national survey from November of last year to March of
this year, and the average loss was $125,000, although it was
retrospective. Today we think the average loss is $30,000 to
$60,000, which shows a rather dramatic decline.
The problem is, as the long distance thieves, sometimes called
hackers, are rooted out of one system, one user system, they
immediately hop into another one. So severity is dropping, but
frequency is increasing. Everybody is victimized. You have heard
business users with some very dramatic and very sad tales. The
truth is that everybody is victimized; the users are victimized;
the long distance carriers are victimized; the cellular carriers
are victimized, the operator service providers; the co-cod folks,
the aggregators and resellers are victimized; the LEC's and RBOC's,
to a limited extent, are victimized; and the vendors are victimized
by being drawn into the problem.
Who is at fault? Everybody is at fault. The Government is at
fault. The FCC has taken a no-action, apathetic attitude toward
toll fraud. That Agency is undermanned, it is understaffed, it is
underfunded, it has difficult problems -- no question about that --
but things could and should be done by that Agency that have not
been done.
The long distance carriers ignored the problem for far too
long, pretended that they could not monitor when, in fact, the
technology was available. They have done an outstanding job over
the last 2 years of getting with it and engaging themselves fully,
and I would say the long distance carriers, at the moment, are
probably the best segment of anyone at being proactive to take care
of the problem.
Users too often ignored security, ignored their user manuals,
failed to monitor, failed to properly manage. There has been
improvement which has come with the public knowledge of the
problem. CPE venders, those folks who manufactured the systems that
are so easy to penetrate, have done an abysmally poor job of
engineering into the systems security features. They have ignored
security. Their manuals didn't deal with security. They are
starting to now. They are doing a far better job. More needs to be
done.
The FCC, in particular, needs to become active. This committee
needs to focus more attention on the problem, jawbone, keep the
heat on the industry, the LEC's and the RBOC's in particular. The
LEC's and the RBOC's have essentially ignored the problem. They are
outside the loop, they say, yet the LEC's and the RBOC's collected
over $21 billion last year in access fees for connecting their
users to the long distance networks. How much of that $21 billion
did the LEC's and the RBOC's reinvest in helping to protect their
users from becoming victimized and helping to combat user-targeted
toll fraud? No more than $10 million, one-fifth of 1 percent.
Many people in the industry feel the LEC's and the RBOC's are
the one large group that has yet to seriously come to the table.
Many in the industry -- and we happen to agree -- feel that 3 to 4
percent of those access fees should be reinvested in protecting
users from being targeted by the toll fraud criminals.
The FCC should become more active. The jawboning there is at
a minimal level. There was one show hearing last October, lots of
promises, no action, no regulation, no initiatives, no meetings. A
lot could be done. Under part 68, for example, the FCC, which is
supposed to give clearance to any equipment before it is connected
into the network, they could require security features embedded
within that equipment. They could prevent things like low-end PBX's
from being sold with three-digit barrier codes that anyone can
penetrate in 3 to 5 minutes.
Thank you, Mr. Chairman.
Mr. MARKEY. THANK YOU, MR. HAUGH, VERY MUCH.
Mr. Goldstein, let's go to you next.
STATEMENT OF EMMANUEL GOLDSTEIN
Mr. GOLDSTEIN. Thank you, Mr. Chairman, and thank you to this
committee for allowing me the opportunity to speak on behalf of
those who, for whatever reason, have no voice.
I am in the kind of unique position of being in contact with
those people known as computer hackers throughout the world, and I
think one of the misconceptions that I would like to clear up, that
I have been trying to clear up, is that hackers are analogous to
criminals. This is not the case. I have known hundreds of hackers
over the years, and a very, very small percentage of them are
interested in any way in committing any kind of a crime. I think
the common bond that we all have is curiosity, an intense form of
curiosity, something that in many cases exceeds the limitations
that many of us would like to put on curiosity. The thing is
though, you cannot really put a limitation on curiosity, and that
is something that I hope we will be able to understand.
I like to parallel the hacker culture with any kind of alien
culture because, as with any alien culture, we have difficulty
understanding its system of values, we have difficulty
understanding what it is that motivates these people, and I hope to
be able to demonstrate through my testimony that hackers are
friendly people, they are curious people, they are not out to rip
people off or to invade people's privacy; actually, they are out to
protect those things because they realize how valuable and how
precious they really are.
I like to draw analogies to where we are heading in the world
of high technology, and one of the analogies I have come up with is
to imagine yourself speeding down a highway, a highway that is
slowly becoming rather icy and slippery, and ask yourself the
question of whether or not you would prefer to be driving your own
car or to be somewhere inside a large bus, and I think that is kind
of the question we have to ask ourselves now. Do we want to be in
control of our own destiny as far as technology goes, or do we want
to put all of our faith in somebody that we don't even know and
maybe fall asleep for a little while ourselves and see where we
wind up? It is a different answer for every person, but I think we
need to be able to at least have the opportunity to choose which it
is that we want to do.
Currently, there is a great deal of suspicion, a great deal of
resignation, hostility, on behalf of not simply hackers but
everyday people on the street. They see technology as something
that they don't have any say in, and that is why I particularly am
happy that this committee is holding this hearing, because people,
for the most part, see things happening around them, and they
wonder how it got to that stage. They wonder how credit files were
opened on them; they wonder how their phone numbers are being
passed on through A&I [sic - actually it's ANI -- mech@eff.org]
and caller ID. Nobody ever went to these people and said, "Do you want to
do this? Do you want to change the rules?"
The thing that hackers have learned is that any form of
technology can and will be abused, whether it be calling card
numbers or the Clipper chip. At some point, something will be
abused, and that is why it is important for people to have a sense
of what it is that they are dealing with and a say in the future.
I think it is also important to avoid inequities in access to
technology, to create a society of haves and have-nots, which I
feel we are very much in danger of doing to a greater extent than
we have ever done before. A particular example of this involves
telephone companies, pay phones to be specific. Those of us who can
make a telephone call from, say, New York to Washington, D.C., at
the cheapest possible rate from the comfort of our own homes will
pay about 12 cents for the first minute. However, if you don't have
a phone or if you don't have a home, you will be forced to pay
$2.20 for that same first minute.
What this has led to is the proliferation of what are known as
red boxes. I have a sample (indicating exhibit). Actually, this is
tremendously bigger than it needs to be. A red box can be about a
tenth of the size of this. But just to demonstrate the sound that
it takes for the phone company to believe that you have put a
quarter into the phone (brief tone is played), that is it, that is
a quarter.
Now we can say this is the problem, this huge demonic device
here is what is causing all the fraud, but it is not the case. This
tape recorder here (same brief tone is played) does the same thing.
So now we can say the tones are the problem, we can make tones
illegal, but that is going to be very hard to enforce.
I think what we need to look at is the technology itself: Why
are there gaping holes in them? and why are we creating a system
where people have to rip things off in order to get the same access
that other people can get for virtually nothing?
I think a parallel to that also exists in the case of cellular
phones. I have a device here (indicating exhibit) which I won't
demonstrate, because to do so would be to commit a Federal crime,
but by pressing a button here within the course of 5 seconds we
will be able to hear somebody's private, personal cellular phone
call.
Now the way of dealing with privacy with cellular phone calls
is to make a law saying that it is illegal to listen. That is the
logic we have been given so far. I think a better idea would be to
figure out a way to keep those cellular phone calls private and to
allow people to exercise whatever forms of privacy they need to
have on cellular phone calls.
So I think we need to have a better understanding both from
the legislative point of view and in the general public as far as
technology in itself, and I believe we are on the threshold of a
very positive, enlightened period, and I see that particularly with
things like the Internet which allow people access to millions of
other people throughout the world at very low cost. I think it is
the obligation of all of us to not stand in the way of this
technology, to allow it to go forward and develop on its own, and
to keep a watchful eye on how it develops but at the same time not
prevent it through overlegislation or overpricing.
Thank you very much for the opportunity to speak.
Mr. MARKEY. Thank you, Mr. Goldstein.
Dr. Tippett.
STATEMENT OF PETER S. TIPPETT
Mr. TIPPET. Thank you.
I am Peter Tippett from Symantec Corporation, and today I am
also representing the National Computer Security Association and
the Computer Ethics Institute. Today is Computer Virus Awareness
Day, in case you are not aware, and we can thank Jack Fields,
Representative Fields, for sponsoring that day on behalf of the
Congress, and I thank you for that.
We had a congressional briefing this morning in which nine
representatives from industry, including telecommunications and
aerospace and the manufacturing industry, convened, and for the
first time were willing to talk about their computer virus problems
in public. I have got to tell you that it is an interesting
problem, this computer virus problem. It is a bit different from
telephone fraud. The virus problem is one which has probably among
the most misrepresentation and misunderstanding of these various
kinds of fraud that are going on, and I would like to highlight
that a little bit. But before I do, I would like to suggest what we
know to be the costs of computer viruses just in America.
The data I am representing comes from IBM and DataQuest, a
Dunn and Bradstreet company, it is the most conservative
interpretation you could make from this data. It suggests that a
company of only a thousand computers has a virus incident every
quarter, that a typical Fortune 500 company deals with viruses
every month, that the cost to a company with only a thousand
computers is about $170,000 a year right now and a quarter of a
million dollars next year. If we add these costs up, we know that
the cost to United States citizens of computer viruses just so far,
just since 1990, exceeds $1 billion.
When I go through these sorts of numbers, most of us say,
well, that hype again, because the way the press and the way we
have heard about computer viruses has been through hype oriented
teachings. So the purpose here is not to use hype and not to sort
of be alarmist and say the world is ending, because the world isn't
ending per se, but to suggest that there isn't a Fortune 500
company in the United States who hasn't had a computer virus
problem is absolutely true, and the sad truth about these viruses
is that the misconceptions are keeping us from doing the right
things to solve the problem, and the misconceptions stem from the
fact that companies that are hit by computer viruses, which is
every company, refused to talk about that until today.
There are a couple of other unique things and misconceptions
about computer viruses. One is that bulletin boards are the leading
source of computer viruses. Bulletin boards represent the infancy
of the superhighway, I think you could say, and there are a lot of
companies that make rules in their company that you are not allowed
to use bulletin boards because you might get a virus. In fact, it
is way in the low, single-digit percents. It may be as low as 1
percent of computer viruses that are introduced into companies come
through some route via a bulletin board.
We are told that some viruses are benign, and, in fact, most
people who write computer viruses think that their particular virus
is innocuous and not harmful. It turns out that most virus authors,
as we just heard from Mr. Goldstein, are, in fact, curious people
and not malicious people. They are young, and they are challenged,
and there is a huge game going on in the world. There is a group of
underground virus bulletin boards that we call virus exchange
bulletin boards in which people are challenged to write viruses.
The challenge works like this: If you are interested and
curious, you read the threads of communication on these bulletin
boards, and they say, you know, "If you want to download some
viruses, there's a thousand here on the bulletin board free for
your downloading," but you need points. Well, how do you get
points? Well, you upload some viruses. Well, where do you get some
viruses from? If you upload the most common viruses, they are not
worth many points, so you have to upload some really good, juicy
viruses. Well, the only way to get those is to write them, so you
write a virus and upload your virus, and then you gain acceptance
into the culture, and when you gain acceptance into the culture you
have just added to the problem.
It is interesting to know that the billion dollars that we
have spent since 1990 on computer viruses just in the United States
is due to viruses that were written in 1988 and 1987. Back then, we
only had one or two viruses a quarter, new, introduced into the
world. This year we have a thousand new computer viruses introduced
into our community, and it won't be for another 4 or 5 years before
these thousand viruses that are written now will become the major
viruses that hurt us in the future.
So virus authors don't believe they are doing anything wrong,
they don't believe that they are being harmful, and they don't
believe that what they do is dangerous, and, in fact, all viruses
are.
Computer crime laws don't have anything to do with computer
virus writers, so we heard testimony this morning from Scott
Charney of the Department of Justice who suggested that authorized
access is the biggest law you could use, and, in fact, most viruses
are brought into our organizations in authorized ways, because
users who are legitimate in the organizations accidentally bring
these things in, and then they infect our companies.
In summary, I think that we need to add a little bit of
specific wording in our computer crime legislation that relates
particularly to computer viruses and worms. We need, in particular,
to educate. We need to go after an ethics angle. We need to get to
the point where Americans think that writing viruses or doing these
other kinds of things that contaminate our computer superhighways
are akin to contaminating our expressways.
In the sixties we had a big "Keep America Beautiful" campaign,
and most Americans would find it unthinkable to throw their garbage
out the window of their car, but we don't think it unthinkable to
write rogue programs that will spread around our highway.
Thank you.
Mr. MARKEY. Thank you, Dr. Tippett.
Mr. Guidry.
STATEMENT OF MICHAEL A. GUIDRY
Mr. GUIDRY. Thank you, Mr. Chairman, for giving me the
opportunity to appear before this subcommittee, and thank you,
subcommittee, for giving me this opportunity.
The Guidry Group is a Houston-based security consulting firm
specializing in telecommunication issues. We started working in
telecommunication issues in 1987 and started working specifically
with the cellular industry at that time. When we first started, we
were working with the individual carriers across the United States,
looking at the hot points where fraud was starting to occur, which
were major metropolitan cities of course.
In 1991, the Cellular Telephone Industry Association contacted
us and asked us to work directly with them in their fight against
cellular fraud. The industry itself has grown, as we all know,
quite rapidly. However, fraud in the industry has grown at an
unbelievable increase, actually faster than the industry itself,
and as a result of that fraud now is kind of like a balloon, a
water balloon; it appears in one area, and when we try to stamp it
out it appears in another area.
As a result, what has happened is, when fraud first started,
there was such a thing as subscription fraud, the same type of
fraud that occurred with the land line telecommunication industry.
That subscription fraud quickly changed. Now what has occurred is,
technology has really stepped in.
First, hackers, who are criminals or just curious people,
would take a telephone apart, a cellular phone apart, and change
the algorithm on the chip, reinsert the chip into the telephone,
and cause that telephone to tumble. Well, the industry put its best
foot forward and actually stopped, for the most part, the act of
tumbling in cellular telephones. But within the last 18 months
something really terrible has happened, and that is cloning.
Cloning is the copying of the MIN and and ESN number, and, for
clarification, the MIN is the Mobile Identification Number that is
assigned to you by the carrier, and the ESN number is the
Electronic Cellular Number that is given to the cellular telephone
from that particular manufacturer. As a result, now we have
perpetrators, or just curious people, finding ways to copy the MIN
and the ESN, thereby victimizing the cellular carrier as well as
the good user, paying subscriber. This occurs when the bill is
transmitted by the carrier to the subscriber and he says something
to the effect of, "I didn't realize that I had made $10,000 worth
of calls to the Dominican Republic," or to Asia or Nicaragua or
just any place like that.
Now what has happened is, those clone devices have been placed
in the hands of people that we call ET houses, I guess you would
say, and they are the new immigrants that come into the United
States for the most part that do not have telephone subscriptions
on the land line or on the carrier side from cellular, and now they
are charged as much as $25 for 15 minutes to place a call to their
home.
Unfortunately, though, the illicit behavior of criminals has
stepped into this network also. Now we have gang members, drug
dealers, and gambling, prostitution, vice, just all sorts of crime,
stepping forward to use this system where, by using the cloning,
they are avoiding law enforcement. Law enforcement has problems, of
course, trying to find out how to tap into those telephone systems
and record those individuals.
Very recently, cloning has even taken a second step, and that
is now something that we term the magic phone, and the magic phone
works like this: Instead of cloning just one particular number, it
clones a variety of numbers, as many as 14 or 66, thereby
distributing the fraud among several users, which makes it almost
virtually impossible for us to detect at an early stage.
In response to this, what has happened? A lot of legitimate
people have started to look at using the illegitimate cellular
services. They are promised that this is a satellite phone or just
a telephone that if they pay a $2,500 fee will avoid paying further
bills. So now it has really started to spread.
Some people in major metropolitan areas, such as the
Southwest, Northeast, and Southeast, have started running their own
mini-cellular companies by distributing these cloning phones to
possible clients and users, collecting the fee once a month to
reactivate the phone if it is actually denied access.
The cellular industry has really stepped up to the plate I
think the best they can right now in trying to combat this by
working with the switch manufacturers and other carriers, 150 of
them to date with the cellular telephone industry, as well as the
phone manufacturers, and a lot of companies have started looking at
software technology. However, these answers will not come to pass
very soon. What we must have is strong legislation.
We have been working for the last 18 months, specifically with
the Secret Service and a lot of local, State, and Federal law
enforcement agencies. The Service has arrested over 100 people
involved in cellular fraud. We feel very successful about that. We
also worked with local law enforcement in Los Angeles to form the
L.A. Blitz, and we arrested an additional 26 people and seized 66
illegal telephones and several computers that spread this cloning
device.
However, now we have a problem. U.S. Title 18, 1029, does not
necessarily state cellular or wireless. It is very important, and
I pray that this committee will look at revising 1029 and changing
it to include wireless and cellular. I think wireless
communications, of course, like most people, is the wave of the
future, and it is extremely important that we include that in the
legislation so that when people are apprehended they can be
prosecuted.
Thank you, sir.
Mr. MARKEY. Thank you, Mr. Guidry, very much.
We will take questions now from the subcommittee members.
Let me begin, Mr. Delaney. I would like you and Mr. Goldstein
to engage in a conversation, if we could. This is Mr. Goldstein's
magazine, "The Hacker Quarterly: 2600," and for $4 we could go out
to Tower Records here in the District of Columbia and purchase
this. It has information in it that, from my perspective, is very
troubling in terms of people's cellular phone numbers and
information on how to crack through into people's private
information.
Now you have got some problems with "The Hacker Quarterly,"
Mr. Delaney.
Mr. DELANEY. Yes, sir.
Mr. MARKEY. And your problem is, among other things, that
teenagers can get access to this and go joy riding into people's
private records.
Mr. DELANEY. Yes, sir. In fact, they do.
Mr. MARKEY. Could you elaborate on what that problem is?
And then, Mr. Goldstein, I would like for you to deal with the
ethical implications of the problem as Mr. Delaney would outline
them.
Mr. DELANEY. Well, the problem is that teenagers do read the
"2600" magazine. I have witnessed teenagers being given free copies
of the magazine by the editor-in-chief. I have looked at a
historical perspective of the articles published in "2600" on how
to engage in different types of telecommunications fraud, and I
have arrested teenagers that have read that magazine.
The publisher, or the editor-in-chief, does so with impunity
under the cloak of protection of the First Amendment. However, as
I indicated earlier, in that the First Amendment has been abridged
for the protection of juveniles from pornography, I also feel that
it could be abridged for juveniles being protected from manuals on
how to commit crime -- children, especially teenagers, who are
hackers, and who, whether they be mischievous or intentionally
reckless, don't have the wherewithal that an adult does to
understand the impact of what he is doing when he gets involved in
this and ends up being arrested for it.
Mr. MARKEY. Mr. Goldstein, how do we deal with this problem?
Mr. GOLDSTEIN. First of all, "2600" is not a manual for
computer crime. What we do is, we explain how computers work. Very
often knowledge can lead to people committing crimes, we don't deny
that, but I don't believe that is an excuse for withholding the
knowledge.
The article on cellular phones that was printed in that
particular issue pretty much goes into detail as to how people can
track a cellular phone call, how people can listen in, how exactly
the technology works. These are all things that people should know,
and perhaps if people had known this at the beginning they would
have seen the security problems that are now prevalent, and perhaps
something could have been done about it at that point.
Mr. MARKEY. Well, I don't know. You are being a little bit
disingenuous here, Mr. Goldstein. Here, on page 17 of your spring
edition of 1993, "How to build a pay TV descrambler." Now that is
illegal.
Mr. GOLDSTEIN. Not building. Building one is not illegal.
Mr. MARKEY. Oh, using one is illegal?
Mr. GOLDSTEIN. Exactly.
Mr. MARKEY. I see. So showing a teenager, or anyone, how to
build a pay TV descrambler is not illegal. But what would they do
then, use it as an example of their technological prowess that they
know how to build one? Would there not be a temptation to use it,
Mr. Goldstein?
Mr. GOLDSTEIN. It is a two-way street, because we have been
derided by hackers for printing that information and showing the
cable companies exactly what the hackers are doing.
Mr. MARKEY. I appreciate it from that perspective, but let's
go over to the other one. If I am down in my basement building a
pay TV descrambler for a week, am I not going to be tempted to see
if it works, Mr. Goldstein? Or how is it that I then prove to
myself and my friends that I have actually got something here which
does work in the real world?
Mr. GOLDSTEIN. It is quite possible you will be tempted to try
it out. We don't recommend people being fraudulent --
Mr. MARKEY. How do you know that it works, by the way?
Mr. GOLDSTEIN. Actually, I have been told by most people that
is an old version that most cable companies have gotten beyond.
Mr. MARKEY. So this wouldn't work then?
Mr. GOLDSTEIN. It will work in some places, it won't work in
all places.
Mr. MARKEY. Oh, it would work? It would work in some places?
Mr. GOLDSTEIN. Most likely, yes. But the thing is, we don't
believe that because something could be used in a bad way, that is
a reason to stifle the knowledge that goes into it.
Mr. MARKEY. That is the only way this could be used. Is there
a good way in which a pay TV descrambler could be used that is a
legal way?
Mr. GOLDSTEIN. Certainly, to understand how the technology
works in the first place, to design a way of defeating such devices
in the future or to build other electronic devices based on that
technology.
Mr. MARKEY. I appreciate that, but it doesn't seem to me that
most of the subscribers to "2600" magazine --
Mr. GOLDSTEIN. That is interesting that you are pointing to
that. That is our first foray into cable TV. We have never even
testified on the subject before.
Mr. MARKEY. I appreciate that.
Well, let's move on to some of your other forays here. What
you have got here, it seems to me, is a manual where you go down
Maple Street and you just kind of try the door on every home on
Maple Street. Then you hit 216 Maple Street, and the door is open.
What you then do is, you take that information, and you go down to
the corner grocery store, and you post it: "The door of 216 Maple
is open."
Now, of course, you are not telling anyone to steal, and you
are not telling anyone that they should go into 216 Maple. You are
assuming that everyone is going to be ethical who is going to use
this information, that the house at 216 Maple is open. But the
truth of the matter is, you have got no control at this point over
who uses that information. Isn't that true, Mr. Goldstein?
Mr. GOLDSTEIN. The difference is that a hacker will never
target an individual person as a house or a personal computer or
something like that. What a hacker is interested in is wide open,
huge data bases that contain information about people, such as TRW.
A better example, I feel, would be one that we tried to do 2
years ago where we pointed out that the Simplex Lock Corporation
had a very limited number of combinations on their hardware locks
that they were trying to push homeowners to put on their homes, and
we tried to alert everybody as to how insecure these are, how easy
it is to get into them, and people were not interested.
Hackers are constantly trying to show people how easy it is to
do certain things.
Mr. MARKEY. I appreciate what you are saying. From one
perspective, you are saying that hackers are good people out there,
almost like -- what are they called? -- the Angels that patrol the
subways of New York City.
Mr. GOLDSTEIN. Guardian Angels. I wouldn't say that though.
Mr. MARKEY. Yes, the Guardian Angels, just trying to protect
people.
But then Mr. Delaney here has the joy riders with the very
same information they have taken off the grocery store bulletin
board about the fact that 216 Maple is wide open, and he says we
have got to have some laws on the books here to protect against it.
So would you mind if we passed, Mr. Goldstein, trespassing
laws that if people did, in fact, go into 216 and did do something
wrong, that we would be able to punish them legally? Would you have
a problem with that?
Mr. GOLDSTEIN. I would be thrilled if computer trespassing
laws were enforced to the same degree as physical trespassing laws,
because then you would not have teenage kids having their doors
kicked in by Federal marshals and being threatened with $250,000
fines, having all their computer equipment taken and having guns
pointed at them. You would have a warning, which is what you get
for criminal trespass in the real world, and I think we need to
balance out the real world --
Mr. MARKEY. All right. So you are saying, on the one hand, you
have a problem that you feel that hackers are harassed by law
enforcement officials and are unduly punished. We will put that on
one side of the equation. But how about the other side? How about
where hackers are violating people's privacy? What should we do
there, Mr. Goldstein?
Mr. GOLDSTEIN. When a hacker is violating a law, they should
be charged with violating a particular law, but that is not what I
see today. I see law enforcement not having a full grasp of the
technology. A good example of this was raids on people's houses a
couple of years ago where in virtually every instance a Secret
Service agent would say, "Your son is responsible for the AT&T
crash on Martin Luther King Day," something that AT&T said from the
beginning was not possible.
Mr. MARKEY. Again, Mr. Goldstein, I appreciate that. Let's go
to the other side of the problem, the joy rider or the criminal
that is using this information. What penalties would you suggest to
deal with the bad hacker? Are there bad hackers?
Mr. GOLDSTEIN. There are a few bad hackers. I don't know any
myself, but I'm sure there are.
Mr. MARKEY. I assume if you knew any, you would make sure we
did something about them. But let's just assume there are bad
people subscribing. What do we do about the bad hacker?
Mr. GOLDSTEIN. Well, I just would like to clarify something.
We have heard here in testimony that there are gang members and
drug members who are using this technology. Now, are we going to
define them as hackers because they are using the technology?
Mr. MARKEY. Yes. Well, if you want to give them another name,
fine. We will call them hackers and crackers, all right?
Mr. GOLDSTEIN. I think we should call them criminals.
Mr. MARKEY. So the crackers are bad hackers, all right? If you
want another word for them, that is fine, but you have got the
security of individuals decreasing with the sophistication of each
one of these technologies, and the crackers are out there. What do
we do with the crackers who buy your book?
Mr. GOLDSTEIN. I would not call them crackers. They are
criminals. If they are out there doing something for their own
benefit, selling information --
Mr. MARKEY. Criminal hackers. What do we do with them?
Mr. GOLDSTEIN. There are existing laws. Stealing is still
stealing.
Mr. MARKEY. OK. Fine.
Dr. Tippett.
Mr. TIPPETT. I think that the information age has brought on
an interesting dilemma that I alluded to earlier. The dilemma is
that the people who use computers don't have parents who used
computers, and therefore they didn't get the sandbox training on
proper etiquette. They didn't learn you are not supposed to spit in
other people's faces or contaminate the water that we drink, and we
have a whole generation now of 100 million in the United States
computer users, many of whom can think this through themselves,
but, as we know, there is a range of people in any group, and we
need to point out the obvious to some people. It may be the bottom
10 percent.
Mr. MARKEY. What the problem is, of course, is that the
computer hacker of today doesn't have a computer hacker parent, so
parents aren't teaching their children how to use their computers
because parents don't know how to use computers. So what do we do?
Mr. TIPPETT. It is incumbent upon us to do the same kind of
thing we did in the sixties to explain that littering wasn't right.
It is incumbent upon us to take an educational stance and for
Congress to credit organizations, maybe through a tax credit or
through tax deductions, for taking those educational opportunities
and educating the world of people who didn't have sandbox training
what is good and what is bad about computing.
So at least the educational part needs to get started, because
I, for one, think that probably 90 percent of the kids -- most of
the kids who do most of the damage that we have all described up
here, in fact, don't really believe they are doing any damage and
don't have the concept of the broadness of the problem that they
are doing. The 10 percent of people who are criminal we could go
after potentially from the criminal aspect, but the rest we need to
get after from a plain, straight ahead educational aspect.
Mr. MARKEY. I appreciate that.
I will just say in conclusion -- and this is for your benefit,
Mr. Goldstein. When you pass laws, you don't pass laws for the good
people. What we assume is that there are a certain percent of
people -- 5 percent, 10 percent; you pick it -- who really don't
have a good relationship with society as a whole, and every law
that we pass, for the most part, deals with those people.
Now, as you can imagine, when we pass death penalty statutes,
we are not aiming it at your mother and my mother. It is highly
unlikely they are going to be committing a murder in this lifetime.
But we do think there is a certain percentage that will. It is a
pretty tough penalty to have, but we have to have some penalty that
fits the crime.
Similarly here, we assume that there is a certain percentage
of pathologically damaged people out there. The cerebral mechanism
doesn't quite work in parallel with the rest of society. We have to
pass laws to protect the rest of us against them. We will call them
criminal hackers. What do we do to deal with them is the question
that we are going to be confronted with in the course of our
hearings?
Let me recognize the gentleman from Texas, Mr. Fields.
Mr. FIELDS. Thank you, Mr. Chairman.
Just for my own edification, Mr. Goldstein, you appear to be
intelligent; you have your magazine, so obviously you are
entrepreneurial. For me personally, I would like to know, why don't
you channel the curiosity that you talk about into something that
is positive for society? And, I'm going to have to say to you, I
don't think it is positive when you invade someone else's privacy.
Mr. GOLDSTEIN. I agree.
Mr. FIELDS. Whether it is an individual or a corporation.
Mr. GOLDSTEIN. Well, I would like to ask a question in return
then. If I discover that a corporation is keeping a file on me and
I access that corporation's computer and find out or tell someone
else, whose privacy am I invading? Or is the corporation invading
my privacy?
You see, corporations are notorious for not volunteering such
information: "By the way, we are keeping files on most Americans
and keeping track of their eating habits and their sexual habits
and all kinds of other things." Occasionally, hackers stumble on to
information like that, and you are much more likely to get the
truth out of them because they don't have any interest to protect.
Mr. FIELDS. Are you saying with this book that is what you are
trying to promote? because when I look through this book, I find
the same thing that the chairman finds, some things that could
actually lead to criminal behavior, and when I see all of these
codes regarding cellular telephones, how you penetrate and listen
to someone's private conversation, I don't see where you are doing
anything for the person, the person who is actually doing the
hacking. I see that as an invasion of privacy.
Mr. GOLDSTEIN. All right. I need to explain something then.
Those are not codes, those are frequencies. Those are frequencies
that anybody can listen to, and by printing those frequencies we
are demonstrating how easy it is for anybody to listen to them.
Now if I say that by tuning to 871 megahertz you can listen to
a cellular phone call, I don't think I am committing a crime, I
think I am explaining to somebody. What I have done at previous
conferences is hold up this scanner and press a button and show
people how easy it is to listen, and those people, when they get
into their cars later on in the day, they do not use their cellular
telephones to make private calls of a personal nature because they
have learned something, and that is what we are trying to do, we
are trying to show people how easy it is.
Now, yes, that information can be used in a bad way, but to
use that as an excuse not to give out the information at all is
even worse, and I think it is much more likely that things may be
fixed, the cellular industry may finally get its act together and
start protecting phone calls. The phone companies might make red
boxes harder to use or might make it easier for people to afford
phone calls, but we will never know if we don't make it public.
Mr. FIELDS. I want to be honest with you, Mr. Goldstein. I
think it is frightening that someone like you thinks there is a
protected right in invading someone else's privacy.
Mr. Guidry, let me turn to you. How does a hacker get the
codes that you were talking about a moment ago -- if I understood
what you were saying correctly, the manual ID number, the other
cellular numbers that allow them to clone?
Mr. GUIDRY. Well, unfortunately, "2600" would be a real good
bet to get those, and we have arrested people and found those
manuals in their possession.
The other way is quite simply just to what we call dumpster
dive, and that is to go to cellular carriers where they may destroy
trash. Unfortunately, some of it is shredded and put back together,
some of it is not shredded, and kids, criminals, go into those
dumpsters, withdraw that information, piece it together, and then
experiment with it. That information then is usually sold for
criminal activity to avoid prosecution.
Mr. FIELDS. You are asking the subcommittee to include
wireless and cellular, and I think that is a good recommendation.
I think certainly that is one that we are going to take as good
counsel. But it appears that much of what you are talking about is
organized activity, and my question is, does the current punishment
scheme actually fit the crime, or should we also look at increasing
punishment for this type of crime?
Mr. GUIDRY. I would strongly suggest that we increase the
punishment for this sort of crime. It is unfortunate that some
hackers take that information and sell it for criminal activity,
and, as a result, if prosecution is not stiff enough, then it far
outweighs the crime.
Mr. FIELDS. What is the punishment now for this type of
cellular fraud?
Mr. GUIDRY. Right now, it can be as high as $100,000 and up to
20 years in the penitentiary.
Mr. FIELDS. Mr. Delaney, do you feel that that is adequate?
Mr. DELANEY. Under New York State law, which is what I deal
with, as opposed to the Federal law, we can charge a host of
felonies with regard to one illicit telephone call if you want to
be creative with the law. Sections 1029 and 1039 really cover just
about everything other than the cellular concern and the wireless
concern.
However, I think the thing that is not dealt with is the
person who is running the call sell operations. The call selling
operations are the biggest loss of revenue to the telephone
companies, cellular companies. Whether they are using PBX's or call
diverters or cellular phones, this is where all the fraud is coming
from, and there is only a handful of people who are originating
this crime.
We have targeted these people in New York City right now, and
the same thing is being done in Los Angeles and Florida, to
determine who these people are that use just the telephone to hack
out the codes on PBX's, use ESN readers made by the Curtis Company
to steal the ESN and MIN's out of the air and then to disseminate
this to the street phones and to the cellular phones that are in
cars and deprive the cellular industry of about $300 million a
year, and the rest of the telecommunications networks in the United
States probably of about $1 billion a year, due to the call sell
operations.
In one particular case that we watched, as a code was hacked
out on a PBX in a company in Massachusetts, the code was
disseminated to 250 street phones within the period of a week. By
the end of the month, a rather small bill of $40,000 was sent to
the company, small only because they were limited by the number of
telephone lines going through that company. Had it been a larger
company whose code had been cracked by the finger hacker, the bill
would have been in the hundreds of thousands of dollars, or over $1
million as typically some of the bills have been.
But this is a relatively small group of people creating a
tremendous problem in the United States, and a law specifically
dealing with a person who is operating as an entrepreneur, running
a call selling operation, I think would go far to ending one of the
biggest problems we have.
Mr. FIELDS. Let me ask so I understand, Mr. Delaney and Mr.
Guidry, because I am a little confused, or maybe I just didn't
understand the testimony, are these individual hackers acting
separately, or are these people operating within a network, within
an organization?
Mr. DELANEY. These finger hackers are the people that control
the network of people that operate telephone booths and cellular
phones for reselling telephone service. These finger hackers are
not computer hackers.
Mr. FIELDS. When you say finger hackers, is this one person
operating independently, or is that finger hacker operating in
concert --
Mr. GUIDRY. No. He has franchised. He has franchised out. He
actually sells the computer and the software and the cattail to do
this to other people, and then they start their own little group.
Now it is going internationally.
Mr. FIELDS. Explain to me, if the chairman would permit --
Mr. MARKEY. Please.
Mr. FIELDS. Explain to me the franchise.
Mr. GUIDRY. What happens is, let's pretend we are in Los
Angeles right now and I have the ability to clone a phone that is
using a computer, a cattail, we call it, that goes from the
computer, the back of the computer, into the telephone, and I have
the diskette that tells me how to change that program. I can at
some point sell the cloning. You can come to me, and I can clone
your phone.
However, that is one way for me to make money. The best way
for me to make money is to buy computers, additional diskettes, and
go to Radio Shack or some place and make additional cattails and
say, "I can either clone your phone for $1,500, or what you can do
for $5,000 is start your own company." So you say, "Well, wow,
that's pretty good, because how many times would I have to sell one
phone at from $500 to $1,500 to get my initial investment back?" As
a result now, you have groups, you have just youngsters as well as
organized crime stepping in.
The Guidry Group has worked in the Philippines on this, we
have worked in Mexico, the Dominican Republic, Chile, Argentina,
and next week I will be in London and in Rome. It is so bad, sir,
that now intelligence agencies in Rome have told me -- and that is
what I am going there for -- that organized crime seems to think
that telecommunications fraud is more lucrative, unfortunately,
than drugs, and it is darned sure more lucrative in the Los
Angeles, probably New York, and Miami areas, because right now
prosecution is not that strong. It is unfortunate that all of law
enforcement is not trained, nor could they be, to pick up on
someone standing on a corner using an illegitimate phone.
Mr. FIELDS. How would a person know where to get their
telephone cloned?
Mr. GUIDRY. Let me tell you what happens. Normally when we go
into a major metropolitan city, or we also check the computer
bulletin boards, a lot of times that information is there. Most of
the time, though, it is in magazines, like green sheets, which are
free advertisements saying, "Call anywhere in the world. Come to --"
a location, or, "Call this number." Also in Los Angeles, for some
reason, they seem to advertise a lot in sex magazines, and people
will simply buy a sex magazine and there will be a statement in
there, "Earn money the fast way. Start your own telecommunications
company." And then we will follow up on that tip and work with the
Secret Service to try to apprehend those people.
Mr. FIELDS. Mr. Haugh.
Mr. HAUGH. If I could just add a few comments, it would be
most unfortunate if this denigrates into a discussion of
adolescents who are curious and so-called finger hackers. The truth
of the matter is that the toll fraudsters are adults, they are
organized, they are smart, they are savvy, and the drug dealers in
particular are learning very quickly that it is far more lucrative,
far less dangerous, to go into the telecom crime business.
"Finger hacking" is a term, but the truth is, war dialers,
speed dialers, modems, automated equipment now will hack and crack
into systems and break the codes overnight. While the criminal
sleeps, his equipment penetrates those systems. He gets up in the
morning, and he has got a print sheet of new numbers that his
equipment penetrated overnight.
We have interviewed the criminals involved. These so-called
idle curiosity adolescents are being paid up to $10,000 a month for
new codes. I don't call that curiosity, I call that venality. We
are talking a $4 billion problem.
The chairman came up with the Maple Street example. I think
even better yet, Mr. Chairman, the truth is that 216 Maple had a
security device on the door and a code, and what Mr. Goldstein and
his ilk do is sell that code through selling subscriptions to these
periodicals. There is a big difference, in my opinion, between
saying, "216 Maple is open" -- that is bad enough -- than to say,
"You go to 216 Maple, and push 4156, and you can get in the door."
But we are talking about crime, we are talking about adults,
we are talking about organized crime, perhaps not in the Cosa
Nostra sense, but even the Cosa Nostra is wising up that they can
finance some of these operations, and in New York and Los Angeles,
in particular, the true Mafia is now beginning to finance some of
these telecom fraud operations.
Mr. FIELDS. Mr. Guidry, one last question. Is it the Secret
Service that is at the forefront of Federal activity?
Mr. GUIDRY. Yes, sir, it is.
Mr. FIELDS. Do they have the resources to adequately deal with
this problem?
Mr. GUIDRY. No, sir. The problem is growing so rapidly that
they are undermanned in this area but have asked for additional
manpower.
Mr. FIELDS. Is this a priority for the Secret Service?
Mr. GUIDRY. Yes, sir, it is.
Mr. FIELDS. Thank you, Mr Chairman.
Mr. MARKEY. The gentleman's time has expired.
Again, it is a $4 to $5 billion problem.
Mr. HAUGH. That is what our research indicated.
Mr. MARKEY. There were 35,000 victims last year alone.
Mr. HAUGH. Yes, sir, and this is only users, large users. Now
it can be businesses, nonprofits. There is a university on the East
Coast that just this last week got hit for $490,000, and the fraud
is continuing.
Mr. MARKEY. The gentleman from Ohio.
Mr. OXLEY. Thank you, Mr. Chairman.
Let me ask the witnesses: Other than making the penalties
tougher for this type of activity, what other recommendations, if
any, would any of you have that we could deal with, that our
subcommittee should look at, and the Judiciary Committee, I assume,
for what we might want to try to accomplish?
Mr. Haugh?
Mr. HAUGH. I happen to disagree with a couple of the witnesses
who have indicated tougher penalties. I mean it sounds great. You
know, that is the common instant reaction to anything, expand the
penalties. I happen to think 20 years is plenty enough for criminal
penetration of a telecom system, and there are a few housekeeping
things that could be done.
The problem isn't the adequacy of the law, the laws are pretty
adequate, and, as Mr. Delaney indicated, you have a violation
someplace, you have got a State law and a Federal law, both, and if
you are a smart prosecutor, there are about eight different ways
you can go after these criminals.
The truth is, we have got inadequate enforcement, inadequate
funding, inadequate pressure on the part of the Congress on the FCC
to make more proactive efforts and to put more heat on the industry
to coordinate.
The truth is that the carriers compete with each other
fiercely. They, with some limited exceptions, don't share
appropriate information with each other. The LEC's and the RBOC's
hide behind privacy; they hide behind other excuses not to
cooperate with law enforcement and with the rest of the industry as
effectively as they should.
So I think putting the heat on the industry, putting the heat
on the FCC, more adequately funding the FCC, more adequately
funding the Secret Service, and having hearings like this that
focus on the problem is the answer and not expanding the penalty
from 20 years to 25 years. Nobody gets 20 years anyway, so
expanding the 20 years is, to me, not the answer.
Mr. OXLEY. What is the average sentence for something like
that?
Mr. HAUGH. I think the average toll fraud criminal who
actually goes to jail -- and they are few and far between -- spends
3 to 6 months, and they are out.
Now recidivism levels are low, I agree with Mr. Delaney. Once
you catch them, they rarely go back to it. So it isn't a question
of putting them in jail forever, it is a question of putting them
in jail. The certainty of punishment level is very low.
We talked to a drug dealer in New York City who left the drug
business to go into toll fraud because he told me he can make
$900,000 a year -- nontaxable income, he called it -- and never
ever worry about going to jail.
Mr. DELANEY. In New York City, I have never seen anybody go to
jail on a first offense for anything short of armed robbery, let
alone telephone fraud. They typically get 200 hours of community
service, depending upon the judge.
These people that I am speaking about are not the computer
hackers that we were speaking about earlier, these are the people
that are the finger hackers that break into the PBX's around the
country. These are immigrants in the United States, they are
adults, they know how to operate a telephone. They sit there
generally -- almost every one that we have arrested so far uses a
Panasonic memory telephone, and they sit there night and day try
ing to hack out the PBX codes. They go through all the default
codes of the major manufacturers of PBX's. They know that much.
We don't have a single person in New York City, that I know
of, that is hacking PBX's with a computer. The long distance
carriers can see patterns of hacking into 800 lines, which are
typically the PBX's, and they can see that it is being done by
telephone, by finger hacking a telephone key pad, as opposed to a
computer.
The war dialing programs that Mr. Haugh referred to are
typically used by the computer hackers to get these codes, but they
create only a minuscule amount of the fraud that is ongoing in the
country. The great majority is generated by the finger hackers who
then disseminate those codes to the telephone booths and the call
selling operations that operate out of apartments in New York City.
In one apartment with five telephones in it that operates 16 hours
a day for 365 days a year selling telephone service at $10 for 20
minutes, you take in $985,000. It is a very profitable business.
One of the individuals we arrested that said he did this
because it was more profitable and less likely that he be caught
than in selling drugs was murdered several months after we arrested
him in the Colombian section of Queens because he was operating as
an independent. It is a very controlled situation in New York City,
and different ethnicities throughout New York City control the call
sell operations in their neighborhoods, and everyone in those
neighborhoods knows where they can go to make an illicit phone call
or to get a phone cloned, whether it is a reprogrammed phone or
rechipped.
Mr. OXLEY. Mr. Guidry, did you have a comment?
Mr. GUIDRY. Well, I think that we really do need to enforce
the laws and we need to make some statutory changes in title 18,
section 1029 to include cellular and wireless.
I have been in courtrooms where really savvy defense attorneys
say, "Well, it does not specifically indicate cellular or
wireless," and that raises some question in the jury's mind, and I
would just as soon that question not be there.
Mr. OXLEY. Thank you.
Mr. Chairman, I see we have got a vote, and I yield back the
balance of my time.
Mr. MARKEY. Thank you.
We are going to have each one of you make a very brief summary
statement to the committee if you could, and then we are going to
adjourn the hearing.
As you know, the Federal Communications Commission will be
testifying before this subcommittee next week. We have a great
concern that, although they held an all-day hearing on toll fraud
last October, while we thought they were going to move ahead in an
expeditious fashion, that, with a lot of good information, it has
all sat on the shelf since that time. We expected them to act on
that information to establish new rules protecting consumers and
pushing carriers to do a lot more than they have done thus far to
protect their networks. In light of recent court decisions holding
that consumers are always liable I think that action by the FCC is
long overdue, and at the FCC authorization hearing next week I
expect to explore this issue with the commissioners in depth, so
you can be sure of that, Mr. Haugh.
Let's give each of you a 1-minute summation. Again, we will go
in reverse order and begin with you, Mr. Guidry.
Mr. GUIDRY. Thank you, sir.
Telecommunications fraud, of course, is going internationally,
and as it goes internationally and starts to franchise and get more
organized, we are going to have to figure out a better way to
combat it. Industry itself right now is putting its best foot
forward. However, I would ask this committee to strongly look at
changing some of this legislation and to also increase law
enforcement's efforts through manpower.
Thank you very much, sir.
Mr. MARKEY. Thank you.
Mr. Haugh.
Mr. HAUGH. I agree with Mr. Guidry that there are some
housekeeping changes that need to be made, and the particular title
and section he referred to should definitely be amended to include
more clearly wireless.
The overall problem is an immense one; it is a very serious
one; it is a complicated one. Everybody is at fault. Finger
pointing has been carried to an extreme. Again, I think the long
distance carriers, the big three -- AT&T, MCI, and Sprint -- have
done a superb job of coming up to speed with monitoring. They are
starting to cooperate better. They have really come to the table.
The laggards are the LEC's and the RBOC's, the CPE
manufacturers, and the FCC. In fairness to the FCC, they are
understaffed, undermanned, underfunded. They can't even take care
of all their mandated responsibilities right now, let alone take on
new chores.
All that said, there is a great deal the FCC can do --
jawboning, regulations, pushing the LEC's and the RBOC's, in
particular, to get real, get serious -- and I would urge this
committee -- applaud your efforts and urge you to continue that.
Mr. MARKEY. Thank you.
Dr. Tippett.
Mr. TIPPETT. Thank you.
The computer virus issue is a little bit different than the
toll fraud issue. In fact, there are no significant laws that deal
with viruses, and, in fact, the fact that there are no laws gives
the people who write viruses license to write them. The typical
statement you read is, "It's not illegal, and I don't do anything
that is illegal." So in the computer virus arena we do need laws.
They don't need to be fancy; they don't need to be extensive. There
are some suggestions of approaches to virus legislation in my
written testimony.
We also need education, and I would encourage Congress to
underwrite some education efforts that the private sector could
perform in various ways, perhaps through tax incentives or tax
credits. The problem is growing and large. It exceeds $1 billion
already in the United States, and it is going to be a $2 billion
problem in 1994.
As bad as toll fraud seems, this virus issue is, oddly, more
pervasive and less interesting to a whole lot of people, and I
think it needs some higher attention.
Mr. MARKEY. Thank you.
Mr. Goldstein.
Mr. GOLDSTEIN. Thank you.
I would like to close by cautioning the subcommittee and all
of us not to mix up these two very distinct worlds we are talking
about, the world of the criminal and the world of the experimenter,
the person that is seeking to learn. To do so will be to create a
society where people are afraid to experiment and try variations on
a theme because they might be committing some kind of a crime, and
at the same time further legislation could have the effect of not
really doing much for drug dealers and gangsters, who are doing far
more serious crimes than making free phone calls, and it is not
likely to intimidate them very much.
I think the answer is for all of us to understand specifically
what the weaknesses in the technology are and to figure out ways to
keep it as strong and fortress-like as possible. I do think it is
possible with as much research as we can put into it.
Thank you.
Mr. MARKEY. Thank you, Mr. Goldstein.
Mr. Delaney.
Mr. DELANEY. Last year, the Secret Service and the FBI
arrested people in New York City for conducting illegal wiretaps.
The ability to still do that by a hacker exists in the United
States. Concerned with privacy, I am very happy to see that
something like the Clipper chip is going to become available to
protect society. I do hope, though, that we will always have for
the necessary law enforcement investigation the ability to conduct
those wiretaps. Without it, I see chaos.
But with respect to the cellular losses, the industry is
coming along a very rapid rate with technology to save them money
in the future, because with encryption nobody will be able to steal
their signals either.
Mr. MARKEY. Thank you, Mr. Delaney.
I apologize. There is a roll call on the Floor, and I only
have 3 minutes to get over there to make it. You have all been very
helpful to us here today. It is a very tough balancing act, but we
are going to be moving aggressively in this area. And we are going
to need all of you to stay close to us so that we pass legislation
that makes sense.
This hearing is adjourned. Thank you.
[Whereupon, at 12:16 p.m., the subcommittee was adjourned.]
------------------------------
End of Computer Underground Digest #6.02
************************************
Reference in New Issue View Git Blame Copy Permalink