Computer underground Digest Wed Feb 9, 1994 Volume 6 : Issue 14
ISSN 1004-042X

Editors: Jim Thomas and Gordon Meyer ([email protected])
Archivist: Brendan Kehoe (Improving each day)
Acting Archivist: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Cowpie Editor: Buffy A. Lowe

CONTENTS, #6.14 (Feb 9, 1994)
File 1:--Sen. Markey Tirade against "hackers" (courtesy of 2600)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.
To subscribe, send a one-line message: SUB CUDIGEST your name
Send it to [email protected] or [email protected]
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.
EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893;
In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
AUSTRALIA: ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
EUROPE: ftp.funet.fi in pub/doc/cud. (Finland)
UNITED STATES:
aql.gatech.edu (128.61.10.53) in /pub/eff/cud
etext.archive.umich.edu (141.211.164.18) in /pub/CuD/cud
ftp.eff.org (192.88.144.4) in /pub/Publications/CuD
halcyon.com (202.135.191.2) in mirror2/cud
ftp.warwick.ac.uk in pub/cud (United Kingdom)
KOREA: ftp: cair.kaist.ac.kr in /doc/eff/cud

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.

----------------------------------------------------------------------

Date: Fri, 4 Feb 1994 03:16:28 -0800
From: Emmanuel Goldstein <[email protected]>
Subject: File 1--Sen. Markey Tirade against "hackers" (courtesy of 2600)

((MODERATORS' NOTE: On June 9, 1993, Emmanuel Goldstein, editor of
2600, appeared before The House Subcommittee on Telecommunications and
Finance. The topic was ostensibly network security, toll fraud, and
the social implications of changing technology. As reported in CuDs
#5.43 and 5.45, the session turned into "Emmanuel bashing." As the
following transcript shows, the Subcommittee's chairperson, Rep.
Edward J. Markey (D-Mass.), was more interested in criticizing
Emmanuel Goldstein than in pursuing comments by a major law
enforcement official advocating restriction of Constitutional
protections of free speech to stifle information. Thanks to the 2600
staff for transcribing the entire transcript. Sadly, it reveals that
the knowledge gap between legislators and the laws they enact remains
unacceptably wide.))

At long last, 2600 has obtained a transcript of the hearings from
last June where two members of Congress - Edward J. Markey (D-MA)
and Jack Fields (R-TX) - launched into a tirade against the evils
of computer hackers and generally demonstrated their ignorance
on the subject and their unwillingness to listen to anything that
didn't match their predetermined conclusions. Those conclusions are
basically that 2600 Magazine is a manual for criminals and that
hackers are a blight on civilization. At least, that was my
interpretation, which is admittedly biased since I was on the
receiving end of this double dose of dogma. I'd be most interested
in hearing yours as would the rest of us at 2600. While you may
think that members of Congress would also be interested, I would
have to say it doesn't seem too likely. I was asked down there to
address the issue of new technology, its implications, and the
social benefits and dangers. That is what I addressed in my twenty
pages of written testimony and my opening remarks. What happened
during the hearing was like something out of the Geraldo show, only
worse. This was the Congress of the United States. Look for the
soundbites, the simplistic solutions, the demonization of a
perceived enemy, and the eagerness to legislate away the problems
and avoid the complex issues. It's too bad it took them three
quarters of a year to get this transcript to us.

To be official, this is the full transcript of all spoken testimony
from the second panel on June 9, 1993. (If you want a copy of
my written testimony, email me at [email protected].) This
is a literal transcript, meaning that any and all factual
or technical inaccuracies are reproduced without comment. The
panel you'll see being referred to that was on first was one on
the Clipper Chip, a subject these members of Congress were a bit
more enlightened on. To obtain your own copy of this hearing and
the other related ones, contact the U.S. Government Printing
Office (202-512-0000) and ask for Serial No. 103-53, known as
"Hearings Before The Subcommittee on Telecommunications and
Finance of the Committee on Energy and Commerce, House of
Representatives, One Hundred Third Congress, First Session,
April 29 and June 9, 1993".

===================================================================

It was a very hot day in June....


Mr. MARKEY. If you could close the door, please, we could move
on to this very important panel. It consists of Mr. Donald Delaney,
who is a senior investigator for the New York State Police. Mr.
Delaney has instructed telecommunications fraud at the Federal Law
Enforcement Training Center and has published chapters on computer
crime and telecommunications fraud. Dr. Peter Tippett is an expert
in computer viruses and is the director of security products for
Symantec Corporation in California. Mr. John J. Haugh is chairman
of Telecommunications Advisors Incorporated, a telecommunications
consulting firm in Portland, Oreg., specializing in network
security issues. Dr. Haugh is the editor and principal author of
two volumes entitled "Toll Fraud" and "Telabuse" in a newsletter
entitled "Telecom and Network Security Review." Mr. Emmanuel
Goldstein is the editor-in-chief of "2600: The Hacker Quarterly."
Mr. Goldstein also hosts a weekly radio program in New York called
"Off The Hook." Mr. Michael Guidry is chairman and founder of the
Guidry Group, a security consulting firm specializing in
telecommunications issues. The Guidry Group works extensively with
the cellular industry in its fight against cellular fraud.
We will begin with you, Mr. Delaney, if we could. You each
have 5 minutes. We will be monitoring that. Please try to abide by
the limitation. Whenever you are ready, please begin.

STATEMENTS OF DONALD P. DELANEY, SENIOR INVESTIGATOR, NEW YORK
STATE POLICE; JOHN J. HAUGH, CHAIRMAN, TELECOMMUNICATIONS ADVISORS;
EMMANUEL GOLDSTEIN, PUBLISHER, 2600 MAGAZINE; PETER S. TIPPETT,
DIRECTOR, SECURITY AND ENTERPRISE PRODUCTS, SYMANTEC CORP.; AND
MICHAEL A. GUIDRY, CHIEF EXECUTIVE OFFICER, THE GUIDRY GROUP

Mr. DELANEY. Thank you, Mr. Chairman, for the invitation to
testify today.
As a senior investigator with the New York State Police, I
have spent more than 3 years investigating computer crime and
telecommunications fraud. I have executed more than 30 search
warrants and arrested more than 30 individuals responsible for the
entire spectrum of crime in this area.
I authored two chapters in the "Civil and Criminal
Investigating Handbook" published by McGraw Hill entitled
"Investigating Computer Crime and Investigating Telecommunications
Fraud." Periodically I teach a 4-hour block instruction on
telecommunications fraud at the Federal Law Enforcement Training
Center in Georgia.
Although I have arrested some infamous teenagers, such as
Phiber Optic, ZOD, and Kong, in some cases the investigations were
actually conducted by the United States Secret Service. Because
Federal law designates a juvenile as one less than 18 years of age
and the Federal system has no means of prosecuting a juvenile,
malicious hackers, predominately between 13 and 17 years of age,
are either left unprosecuted or turned over to local law
enforcement. In some cases, local law enforcement were either
untrained or unwilling to investigate the high-tech crime.
In examining telecommunications security, one first realizes
that all telecommunications is controlled by computers. Computer
criminals abuse these systems not only for free service but for a
variety of crimes ranging from harassment to grand larceny and
illegal wiretapping. Corporate and Government espionage rely on the
user-friendly networks which connect universities, military
institutions, Government offices, corporate research and
development computers. Information theft is common from those
companies which hold our credit histories. Their lack of security
endangers each of us, but they are not held accountable.
One activity which has had a financial impact on everyone
present is the proliferation of call sell operations. Using a
variety of methods, such as rechipped cellular telephones,
compromised PBX remote access units, or a combination of cellular
phone and international conference lines, the entrepreneur deprives
the telephone companies of hundreds of millions of dollars each
year. These losses are passed on to each of us as higher rates.
The horrible PBX problem exists because a few dozen finger
hackers crack the codes and disseminate them to those who control
the pay phones. The major long distance carriers each have the
ability to monitor their 800 service lines for sudden peaks in use.
A concerted effort should be made by the long distance carriers to
identify the finger hackers, have the local telephone companies
monitor the necessary dialed number recorders, and provide local
law enforcement with timely affidavits. Those we have arrested for
finger hacking the PBX's have not gone back into this type of
activity or crime.
The New York State Police have four newly trained
investigators assigned to investigate telecommunications fraud in
New York City alone. One new program sponsored by AT&T is
responsible for having trained police officers from over 75
departments about this growing blight in New York State alone.
Publications, such as "2600," which teach subscribers how to
commit telecommunications crime are protected by the First
Amendment, but disseminating pornography to minors is illegal. In
that many of the phone freaks are juveniles, I believe legislation
banning the dissemination to juveniles of manuals on how to commit
crime would be appropriate.
From a law enforcement perspective, I applaud the proposed
Clipper chip encryption standard which affords individuals
protection of privacy yet enables law enforcement to conduct
necessary court-ordered wiretaps, and with respect to what was
being said in the previous conversation, last year there were over
900 court-ordered wiretaps in the United States responsible for the
seizure of tons of illicit drugs coming into this country, solving
homicides, rapes, kidnappings. If we went to an encryption standard
without the ability for law enforcement to do something about it,
we would have havoc in the United States -- my personal opinion.
In New York State an individual becomes an adult at 16 years
old and can be prosecuted as such, but if a crime being
investigated is a Federal violation he must be 18 years of age to
be prosecuted. Even in New York State juveniles can be adjudicated
and given relevant punishment, such as community service.
I believe that funding law enforcement education programs
regarding high-tech crime investigations, as exists at the Federal
Law Enforcement Training Center's Financial Frauds Institute, is
one of the best tools our Government has to protect its people with
regard to law enforcement.
Thank you.
Mr. WYDEN [presiding]. Thank you very much for a very helpful
presentation.
Let us go next to Mr. Haugh.
We welcome you. It is a pleasure to have an Oregonian,
particularly an Oregonian who has done so much in this field, with
the subcommittee today. I also want to thank Chairman Markey and
his excellent staff for all their efforts to make your attendance
possible today.
So, Mr. Haugh, we welcome you, and I know the chairman is
going to be back here in just a moment.

STATEMENT OF JOHN J. HAUGH

Mr. HAUGH. Thank you, Mr. Wyden.
We expended some 9,000 hours, 11 different people, researching
the problem of toll fraud, penetrating telecommunications systems,
and then stealing long distance, leading up to the publication of
our two-volume reference work in mid-1992. We have since spent
about 5,000 additional hours continuing to monitor the problem, and
we come to the table with a unique perspective because we are
vender, carrier, and user independent.
In the prior panel, the distinguished gentleman from AT&T, for
whom I have a lot of personal respect, made the comment that the
public justifiably is confident that the national wire network is
secure and that the problem is wireless. With all due respect, that
is a laudable goal, but as far as what is going on today, just
practical reality, that comment is simply incorrect, and if the
public truly is confident that the wired network is secure, that
confidence is grossly misplaced.
We believe 35,000 users will become victimized by toll fraud
this year, 1993. We believe the national problem totals somewhere
between $4 and $5 billion. It is a very serious national problem.
We commend the chairman and this committee for continuing to
attempt to draw public attention and focus on the problem.
The good news, as we see it, over the last 3 years is that the
severity of losses has decreased. There is better monitoring,
particularly on the part of the long distance carriers, there is
more awareness on the part of users who are being more careful
about monitoring and managing their own systems, as a result of
which the severity of loss is decreasing. That is the good news.
The bad news is that the frequency is greatly increasing, so
while severity is decreasing, frequency is increasing, and I will
give you some examples. In 1991 we studied the problem from 1988 to
1991 and concluded that the average toll fraud loss was $168,000.
We did a national survey from November of last year to March of
this year, and the average loss was $125,000, although it was
retrospective. Today we think the average loss is $30,000 to
$60,000, which shows a rather dramatic decline.
The problem is, as the long distance thieves, sometimes called
hackers, are rooted out of one system, one user system, they
immediately hop into another one. So severity is dropping, but
frequency is increasing. Everybody is victimized. You have heard
business users with some very dramatic and very sad tales. The
truth is that everybody is victimized; the users are victimized;
the long distance carriers are victimized; the cellular carriers
are victimized, the operator service providers; the co-cod folks,
the aggregators and resellers are victimized; the LEC's and RBOC's,
to a limited extent, are victimized; and the vendors are victimized
by being drawn into the problem.
Who is at fault? Everybody is at fault. The Government is at
fault. The FCC has taken a no-action, apathetic attitude toward
toll fraud. That Agency is undermanned, it is understaffed, it is
underfunded, it has difficult problems -- no question about that --
but things could and should be done by that Agency that have not
been done.
The long distance carriers ignored the problem for far too
long, pretended that they could not monitor when, in fact, the
technology was available. They have done an outstanding job over
the last 2 years of getting with it and engaging themselves fully,
and I would say the long distance carriers, at the moment, are
probably the best segment of anyone at being proactive to take care
of the problem.
Users too often ignored security, ignored their user manuals,
failed to monitor, failed to properly manage. There has been
improvement which has come with the public knowledge of the
problem. CPE venders, those folks who manufactured the systems that
are so easy to penetrate, have done an abysmally poor job of
engineering into the systems security features. They have ignored
security. Their manuals didn't deal with security. They are
starting to now. They are doing a far better job. More needs to be
done.
The FCC, in particular, needs to become active. This committee
needs to focus more attention on the problem, jawbone, keep the
heat on the industry, the LEC's and the RBOC's in particular. The
LEC's and the RBOC's have essentially ignored the problem. They are
outside the loop, they say, yet the LEC's and the RBOC's collected
over $21 billion last year in access fees for connecting their
users to the long distance networks. How much of that $21 billion
did the LEC's and the RBOC's reinvest in helping to protect their
users from becoming victimized and helping to combat user-targeted
toll fraud? No more than $10 million, one-fifth of 1 percent.
Many people in the industry feel the LEC's and the RBOC's are
the one large group that has yet to seriously come to the table.
Many in the industry -- and we happen to agree -- feel that 3 to 4
percent of those access fees should be reinvested in protecting
users from being targeted by the toll fraud criminals.
The FCC should become more active. The jawboning there is at
a minimal level. There was one show hearing last October, lots of
promises, no action, no regulation, no initiatives, no meetings. A
lot could be done. Under part 68, for example, the FCC, which is
supposed to give clearance to any equipment before it is connected
into the network, they could require security features embedded
within that equipment. They could prevent things like low-end PBX's
from being sold with three-digit barrier codes that anyone can
penetrate in 3 to 5 minutes.
Thank you, Mr. Chairman.
Mr. MARKEY. Thank you, Mr. Haugh, very much.
Mr. Goldstein, let's go to you next.

STATEMENT OF EMMANUEL GOLDSTEIN

Mr. GOLDSTEIN. Thank you, Mr. Chairman, and thank you to this
committee for allowing me the opportunity to speak on behalf of
those who, for whatever reason, have no voice.
I am in the kind of unique position of being in contact with
those people known as computer hackers throughout the world, and I
think one of the misconceptions that I would like to clear up, that
I have been trying to clear up, is that hackers are analogous to
criminals. This is not the case. I have known hundreds of hackers
over the years, and a very, very small percentage of them are
interested in any way in committing any kind of a crime. I think
the common bond that we all have is curiosity, an intense form of
curiosity, something that in many cases exceeds the limitations
that many of us would like to put on curiosity. The thing is
though, you cannot really put a limitation on curiosity, and that
is something that I hope we will be able to understand.
I like to parallel the hacker culture with any kind of alien
culture because, as with any alien culture, we have difficulty
understanding its system of values, we have difficulty
understanding what it is that motivates these people, and I hope to
be able to demonstrate through my testimony that hackers are
friendly people, they are curious people, they are not out to rip
people off or to invade people's privacy; actually, they are out to
protect those things because they realize how valuable and how
precious they really are.
I like to draw analogies to where we are heading in the world
of high technology, and one of the analogies I have come up with is
to imagine yourself speeding down a highway, a highway that is
slowly becoming rather icy and slippery, and ask yourself the
question of whether or not you would prefer to be driving your own
car or to be somewhere inside a large bus, and I think that is kind
of the question we have to ask ourselves now. Do we want to be in
control of our own destiny as far as technology goes, or do we want
to put all of our faith in somebody that we don't even know and
maybe fall asleep for a little while ourselves and see where we
wind up? It is a different answer for every person, but I think we
need to be able to at least have the opportunity to choose which it
is that we want to do.
Currently, there is a great deal of suspicion, a great deal of
resignation, hostility, on behalf of not simply hackers but
everyday people on the street. They see technology as something
that they don't have any say in, and that is why I particularly am
happy that this committee is holding this hearing, because people,
for the most part, see things happening around them, and they
wonder how it got to that stage. They wonder how credit files were
opened on them; they wonder how their phone numbers are being
passed on through A&I and caller ID. Nobody ever went to these
people and said, "Do you want to do this? Do you want to change the
rules?"
The thing that hackers have learned is that any form of
technology can and will be abused, whether it be calling card
numbers or the Clipper chip. At some point, something will be
abused, and that is why it is important for people to have a sense
of what it is that they are dealing with and a say in the future.
I think it is also important to avoid inequities in access to
technology, to create a society of haves and have-nots, which I
feel we are very much in danger of doing to a greater extent than
we have ever done before. A particular example of this involves
telephone companies, pay phones to be specific. Those of us who can
make a telephone call from, say, New York to Washington, D.C., at
the cheapest possible rate from the comfort of our own homes will
pay about 12 cents for the first minute. However, if you don't have
a phone or if you don't have a home, you will be forced to pay
$2.20 for that same first minute.
What this has led to is the proliferation of what are known as
red boxes. I have a sample (indicating exhibit). Actually, this is
tremendously bigger than it needs to be. A red box can be about a
tenth of the size of this. But just to demonstrate the sound that
it takes for the phone company to believe that you have put a
quarter into the phone (brief tone is played), that is it, that is
a quarter.
Now we can say this is the problem, this huge demonic device
here is what is causing all the fraud, but it is not the case. This
tape recorder here (same brief tone is played) does the same thing.
So now we can say the tones are the problem, we can make tones
illegal, but that is going to be very hard to enforce.
I think what we need to look at is the technology itself: Why
are there gaping holes in them? and why are we creating a system
where people have to rip things off in order to get the same access
that other people can get for virtually nothing?
I think a parallel to that also exists in the case of cellular
phones. I have a device here (indicating exhibit) which I won't
demonstrate, because to do so would be to commit a Federal crime,
but by pressing a button here within the course of 5 seconds we
will be able to hear somebody's private, personal cellular phone
call.
Now the way of dealing with privacy with cellular phone calls
is to make a law saying that it is illegal to listen. That is the
logic we have been given so far. I think a better idea would be to
figure out a way to keep those cellular phone calls private and to
allow people to exercise whatever forms of privacy they need to
have on cellular phone calls.
So I think we need to have a better understanding both from
the legislative point of view and in the general public as far as
technology in itself, and I believe we are on the threshold of a
very positive, enlightened period, and I see that particularly with
things like the Internet which allow people access to millions of
other people throughout the world at very low cost. I think it is
the obligation of all of us to not stand in the way of this
technology, to allow it to go forward and develop on its own, and
to keep a watchful eye on how it develops but at the same time not
prevent it through overlegislation or overpricing.
Thank you very much for the opportunity to speak.
Mr. MARKEY. Thank you, Mr. Goldstein.
Dr. Tippett.

STATEMENT OF PETER S. TIPPETT

Mr. TIPPETT. Thank you.
I am Peter Tippett from Symantec Corporation, and today I am
also representing the National Computer Security Association and
the Computer Ethics Institute. Today is Computer Virus Awareness
Day, in case you are not aware, and we can thank Jack Fields,
Representative Fields, for sponsoring that day on behalf of the
Congress, and I thank you for that.
We had a congressional briefing this morning in which nine
representatives from industry, including telecommunications and
aerospace and the manufacturing industry, convened, and for the
first time were willing to talk about their computer virus problems
in public. I have got to tell you that it is an interesting
problem, this computer virus problem. It is a bit different from
telephone fraud. The virus problem is one which has probably among
the most misrepresentation and misunderstanding of these various
kinds of fraud that are going on, and I would like to highlight
that a little bit. But before I do, I would like to suggest what we
know to be the costs of computer viruses just in America.
The data I am representing comes from IBM and DataQuest, a
Dun and Bradstreet company, it is the most conservative
interpretation you could make from this data. It suggests that a
company of only a thousand computers has a virus incident every
quarter, that a typical Fortune 500 company deals with viruses
every month, that the cost to a company with only a thousand
computers is about $170,000 a year right now and a quarter of a
million dollars next year. If we add these costs up, we know that
the cost to United States citizens of computer viruses just so far,
just since 1990, exceeds $1 billion.
When I go through these sorts of numbers, most of us say,
well, that hype again, because the way the press and the way we
have heard about computer viruses has been through hype oriented
teachings. So the purpose here is not to use hype and not to sort
of be alarmist and say the world is ending, because the world isn't
ending per se, but to suggest that there isn't a Fortune 500
company in the United States who hasn't had a computer virus
problem is absolutely true, and the sad truth about these viruses
is that the misconceptions are keeping us from doing the right
things to solve the problem, and the misconceptions stem from the
fact that companies that are hit by computer viruses, which is
every company, refused to talk about that until today.
There are a couple of other unique things and misconceptions
about computer viruses. One is that bulletin boards are the leading
source of computer viruses. Bulletin boards represent the infancy
of the superhighway, I think you could say, and there are a lot of
companies that make rules in their company that you are not allowed
to use bulletin boards because you might get a virus. In fact, it
is way in the low, single-digit percents. It may be as low as 1
percent of computer viruses that are introduced into companies come
through some route via a bulletin board.
We are told that some viruses are benign, and, in fact, most
people who write computer viruses think that their particular virus
is innocuous and not harmful. It turns out that most virus authors,
as we just heard from Mr. Goldstein, are, in fact, curious people
and not malicious people. They are young, and they are challenged,
and there is a huge game going on in the world. There is a group of
underground virus bulletin boards that we call virus exchange
bulletin boards in which people are challenged to write viruses.
The challenge works like this: If you are interested and
curious, you read the threads of communication on these bulletin
boards, and they say, you know, "If you want to download some
viruses, there's a thousand here on the bulletin board free for
your downloading," but you need points. Well, how do you get
points? Well, you upload some viruses. Well, where do you get some
viruses from? If you upload the most common viruses, they are not
worth many points, so you have to upload some really good, juicy
viruses. Well, the only way to get those is to write them, so you
write a virus and upload your virus, and then you gain acceptance
into the culture, and when you gain acceptance into the culture you
have just added to the problem.
It is interesting to know that the billion dollars that we
have spent since 1990 on computer viruses just in the United States
is due to viruses that were written in 1988 and 1987. Back then, we
only had one or two viruses a quarter, new, introduced into the
world. This year we have a thousand new computer viruses introduced
into our community, and it won't be for another 4 or 5 years before
these thousand viruses that are written now will become the major
viruses that hurt us in the future.
So virus authors don't believe they are doing anything wrong,
they don't believe that they are being harmful, and they don't
believe that what they do is dangerous, and, in fact, all viruses
are.
Computer crime laws don't have anything to do with computer
virus writers, so we heard testimony this morning from Scott
Charney of the Department of Justice who suggested that authorized
access is the biggest law you could use, and, in fact, most viruses
are brought into our organizations in authorized ways, because
users who are legitimate in the organizations accidentally bring
these things in, and then they infect our companies.
In summary, I think that we need to add a little bit of
specific wording in our computer crime legislation that relates
particularly to computer viruses and worms. We need, in particular,
to educate. We need to go after an ethics angle. We need to get to
the point where Americans think that writing viruses or doing these
other kinds of things that contaminate our computer superhighways
are akin to contaminating our expressways.
In the sixties we had a big "Keep America Beautiful" campaign,
and most Americans would find it unthinkable to throw their garbage
out the window of their car, but we don't think it unthinkable to
write rogue programs that will spread around our highway.
Thank you.
Mr. MARKEY. Thank you, Dr. Tippett.
Mr. Guidry.
STATEMENT OF MICHAEL A. GUIDRY
Mr. GUIDRY. Thank you, Mr. Chairman, for giving me the
opportunity to appear before this subcommittee, and thank you,
subcommittee, for giving me this opportunity.
The Guidry Group is a Houston-based security consulting firm
specializing in telecommunication issues. We started working in
telecommunication issues in 1987 and started working specifically
with the cellular industry at that time. When we first started, we
were working with the individual carriers across the United States,
looking at the hot points where fraud was starting to occur, which
were major metropolitan cities of course.
In 1991, the Cellular Telephone Industry Association contacted
us and asked us to work directly with them in their fight against
cellular fraud. The industry itself has grown, as we all know,
quite rapidly. However, fraud in the industry has grown at an
unbelievable increase, actually faster than the industry itself,
and as a result of that fraud now is kind of like a balloon, a
water balloon; it appears in one area, and when we try to stamp it
out it appears in another area.
As a result, what has happened is, when fraud first started,
there was such a thing as subscription fraud, the same type of
fraud that occurred with the land line telecommunication industry.
That subscription fraud quickly changed. Now what has occurred is,
technology has really stepped in.
First, hackers, who are criminals or just curious people,
would take a telephone apart, a cellular phone apart, and change
the algorithm on the chip, reinsert the chip into the telephone,
and cause that telephone to tumble. Well, the industry put its best
foot forward and actually stopped, for the most part, the act of
tumbling in cellular telephones. But within the last 18 months
something really terrible has happened, and that is cloning.
Cloning is the copying of the MIN and ESN number, and, for
clarification, the MIN is the Mobile Identification Number that is
assigned to you by the carrier, and the ESN number is the
Electronic Cellular Number that is given to the cellular telephone
from that particular manufacturer. As a result, now we have
perpetrators, or just curious people, finding ways to copy the MIN
and the ESN, thereby victimizing the cellular carrier as well as
the good user, paying subscriber. This occurs when the bill is
transmitted by the carrier to the subscriber and he says something
to the effect of, "I didn't realize that I had made $10,000 worth
of calls to the Dominican Republic," or to Asia or Nicaragua or
just any place like that.
Now what has happened is, those clone devices have been placed
in the hands of people that we call ET houses, I guess you would
say, and they are the new immigrants that come into the United
States for the most part that do not have telephone subscriptions
on the land line or on the carrier side from cellular, and now they
are charged as much as $25 for 15 minutes to place a call to their
home.
Unfortunately, though, the illicit behavior of criminals has
stepped into this network also. Now we have gang members, drug
dealers, and gambling, prostitution, vice, just all sorts of crime,
stepping forward to use this system where, by using the cloning,
they are avoiding law enforcement. Law enforcement has problems, of
course, trying to find out how to tap into those telephone systems
and record those individuals.
Very recently, cloning has even taken a second step, and that
is now something that we term the magic phone, and the magic phone
works like this: Instead of cloning just one particular number, it
clones a variety of numbers, as many as 14 or 66, thereby
distributing the fraud among several users, which makes it almost
virtually impossible for us to detect at an early stage.
In response to this, what has happened? A lot of legitimate
people have started to look at using the illegitimate cellular
services. They are promised that this is a satellite phone or just
a telephone that if they pay a $2,500 fee will avoid paying further
bills. So now it has really started to spread.
Some people in major metropolitan areas, such as the
Southwest, Northeast, and Southeast, have started running their own
mini-cellular companies by distributing these cloning phones to
possible clients and users, collecting the fee once a month to
reactivate the phone if it is actually denied access.
The cellular industry has really stepped up to the plate I
think the best they can right now in trying to combat this by
working with the switch manufacturers and other carriers, 150 of
them to date with the cellular telephone industry, as well as the
phone manufacturers, and a lot of companies have started looking at
software technology. However, these answers will not come to pass
very soon. What we must have is strong legislation.
We have been working for the last 18 months, specifically with
the Secret Service and a lot of local, State, and Federal law
enforcement agencies. The Service has arrested over 100 people
involved in cellular fraud. We feel very successful about that. We
also worked with local law enforcement in Los Angeles to form the
L.A. Blitz, and we arrested an additional 26 people and seized 66
illegal telephones and several computers that spread this cloning
device.
However, now we have a problem. U.S. Title 18, 1029, does not
necessarily state cellular or wireless. It is very important, and
I pray that this committee will look at revising 1029 and changing
it to include wireless and cellular. I think wireless
communications, of course, like most people, is the wave of the
future, and it is extremely important that we include that in the
legislation so that when people are apprehended they can be
prosecuted.
Thank you, sir.
Mr. MARKEY. Thank you, Mr. Guidry, very much.
We will take questions now from the subcommittee members.
Let me begin, Mr. Delaney. I would like you and Mr. Goldstein
to engage in a conversation, if we could. This is Mr. Goldstein's
magazine, "The Hacker Quarterly: 2600," and for $4 we could go out
to Tower Records here in the District of Columbia and purchase
this. It has information in it that, from my perspective, is very
troubling in terms of people's cellular phone numbers and
information on how to crack through into people's private
information.
Now you have got some problems with "The Hacker Quarterly,"
Mr. Delaney.
Mr. DELANEY. Yes, sir.
Mr. MARKEY. And your problem is, among other things, that
teenagers can get access to this and go joy riding into people's
private records.

(END PART ONE)

 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.

 
