LAW AND ORDER Of the various anti-hacker activities of 1990, "Operation Sundevil" had by far the highest public profile. The sweeping, nationwide computer
seizures of May 8, 1990 were unprecedented in scope and highly, if
rather selectively, publicized.
Unlike the efforts of the Chicago Computer Fraud and Abuse Task Force,
"Operation Sundevil" was not intended to combat "hacking" in the sense
of computer intrusion or sophisticated raids on telco switching stations.
Nor did it have anything to do with hacker misdeeds with AT&T's software,
or with Southern Bell's proprietary documents.
Instead, "Operation Sundevil" was a crackdown on those traditional
scourges of the digital underground: credit-card theft and telephone
code abuse. The ambitious activities out of Chicago, and the somewhat
lesser-known but vigorous anti- hacker actions of the New York State
Police in 1990, were never a part of "Operation Sundevil" per se,
which was based in Arizona.
Nevertheless, after the spectacular May 8 raids, the public, misled by
police secrecy, hacker panic, and a puzzled national press-corps, conflated
all aspects of the nationwide crackdown in 1990 under the blanket
term "Operation Sundevil." "Sundevil" is still the best-known synonym
for the crackdown of 1990. But the Arizona organizers of "Sundevil"
did not really deserve this reputation — any more, for instance, than all
hackers deserve a reputation as "hackers."
There was some justice in this confused perception, though. For one
thing, the confusion was abetted by the Washington office of the Secret
Service, who responded to Freedom of Information Act requests on
"Operation Sundevil" by referring investigators to the publicly known
cases of Knight Lightning and the Atlanta Three. And "Sundevil" was
certainly the largest aspect of the Crackdown, the most deliberate and
the best-organized. As a crackdown on electronic fraud, "Sundevil"
lacked the frantic pace of the war on the Legion of Doom; on the contrary, Sundevil's targets were picked out with cool deliberation over an
elaborate investigation lasting two full years.
And once again the targets were bulletin board systems.
Boards can be powerful aids to organized fraud. Underground boards
carry lively, extensive, detailed, and often quite flagrant "discussions"
of lawbreaking techniques and lawbreaking activities. "Discussing"
crime in the abstract, or "discussing" the particulars of criminal cases,
is not illegal — but there are stern state and federal laws against coldbloodedly
conspiring in groups in order to commit crimes.
In the eyes of police, people who actively conspire to break the law are
not regarded as "clubs," "debating salons," "users' groups," or "free
speech advocates." Rather, such people tend to find themselves formally
indicted by prosecutors as "gangs," "racketeers," "corrupt organizations"
and "organized crime figures."
What's more, the illicit data contained on outlaw boards goes well beyond
mere acts of speech and/or possible criminal conspiracy. As we have
seen, it was common practice in the digital underground to post purloined
telephone codes on boards, for any phreak or hacker who cared to
abuse them. Is posting digital booty of this sort supposed to be protected
by the First Amendment? Hardly — though the issue, like most issues
in cyberspace, is not entirely resolved. Some theorists argue that to
merely *recite* a number publicly is not illegal — only its *use* is
illegal. But anti-hacker police point out that magazines and newspapers
(more traditional forms of free expression) never publish stolen
telephone codes (even though this might well raise their circulation).
Stolen credit card numbers, being riskier and more valuable, were less
often publicly posted on boards — but there is no question that some
underground boards carried "carding" traffic, generally exchanged
through private mail.
Underground boards also carried handy programs for "scanning" telephone
codes and raiding credit card companies, as well as the usual
obnoxious galaxy of pirated software, cracked passwords, blue-box schematics, intrusion manuals, anarchy files, porn files, and so forth.
But besides their nuisance potential for the spread of illicit knowledge,
bulletin boards have another vitally interesting aspect for the professional
investigator. Bulletin boards are cram-full of *evidence.* All
that busy trading of electronic mail, all those hacker boasts, brags and
struts, even the stolen codes and cards, can be neat, electronic, realtime
recordings of criminal activity.
As an investigator, when you seize a pirate board, you have scored a
coup as effective as tapping phones or intercepting mail. However, you
have not actually tapped a phone or intercepted a letter. The rules of
evidence regarding phone-taps and mail interceptions are old, stern and
well- understood by police, prosecutors and defense attorneys alike.
The rules of evidence regarding boards are new, waffling, and understood
by nobody at all.
Sundevil was the largest crackdown on boards in world history. On May
7, 8, and 9, 1990, about forty- two computer systems were seized. Of
those forty- two computers, about twenty-five actually were running
boards. (The vagueness of this estimate is attributable to the vagueness
of (a) what a "computer system" is, and (b) what it actually means to
"run a board" with one — or with two computers, or with three.)
About twenty-five boards vanished into police custody in May 1990. As
we have seen, there are an estimated 30,000 boards in America today.
If we assume that one board in a hundred is up to no good with codes and
cards (which rather flatters the honesty of the board-using community),
then that would leave 2,975 outlaw boards untouched by Sundevil.
Sundevil seized about one tenth of one percent of all computer bulletin
boards in America. Seen objectively, this is something less than a comprehensive
assault. In 1990, Sundevil's organizers — the team at the
Phoenix Secret Service office, and the Arizona Attorney General's office
— had a list of at least *three hundred* boards that they considered
fully deserving of search and seizure warrants. The twenty-five
boards actually seized were merely among the most obvious and egregious
of this much larger list of candidates. All these boards had been
examined beforehand — either by informants, who had passed printouts to the Secret Service, or by Secret Service agents themselves, who not
only come equipped with modems but know how to use them.
There were a number of motives for Sundevil. First, it offered a chance
to get ahead of the curve on wire-fraud crimes. Tracking back creditcard
ripoffs to their perpetrators can be appallingly difficult. If these
miscreants have any kind of electronic sophistication, they can snarl
their tracks through the phone network into a mind-boggling, untraceable
mess, while still managing to "reach out and rob someone." Boards,
however, full of brags and boasts, codes and cards, offer evidence in the
handy congealed form.
Seizures themselves — the mere physical removal of machines — tends
to take the pressure off. During Sundevil, a large number of code kids,
warez d00dz, and credit card thieves would be deprived of those boards
— their means of community and conspiracy — in one swift blow. As
for the sysops themselves (commonly among the boldest offenders) they
would be directly stripped of their computer equipment, and rendered
digitally mute and blind.
And this aspect of Sundevil was carried out with great success.
Sundevil seems to have been a complete tactical surprise — unlike the
fragmentary and continuing seizures of the war on the Legion of Doom,
Sundevil was precisely timed and utterly overwhelming. At least forty
"computers" were seized during May 7, 8 and 9, 1990, in Cincinnati,
Detroit, Los Angeles, Miami, Newark, Phoenix, Tucson, Richmond, San
Diego, San Jose, Pittsburgh and San Francisco. Some cities saw multiple
raids, such as the five separate raids in the New York City environs.
Plano, Texas (essentially a suburb of the Dallas/Fort Worth metroplex,
and a hub of the telecommunications industry) saw four computer
seizures. Chicago, ever in the forefront, saw its own local Sundevil
raid, briskly carried out by Secret Service agents Timothy Foley and
Barbara Golden.
Many of these raids occurred, not in the cities proper, but in associated
white-middle class suburbs — places like Mount Lebanon, Pennsylvania
and Clark Lake, Michigan. There were a few raids on offices; most took
place in people's homes, the classic hacker basements and bedrooms. The Sundevil raids were searches and seizures, not a group of mass
arrests. There were only four arrests during Sundevil. "Tony the
Trashman," a longtime teenage bete noire of the Arizona Racketeering
unit, was arrested in Tucson on May 9. "Dr. Ripco," sysop of an outlaw
board with the misfortune to exist in Chicago itself, was also arrested
— on illegal weapons charges. Local units also arrested a 19-year-old
female phone phreak named "Electra" in Pennsylvania, and a male
juvenile in California. Federal agents however were not seeking
arrests, but computers.
Hackers are generally not indicted (if at all) until the evidence in their
seized computers is evaluated — a process that can take weeks, months
— even years. When hackers are arrested on the spot, it's generally an
arrest for other reasons. Drugs and/or illegal weapons show up in a
good third of anti-hacker computer seizures (though not during
Sundevil).
That scofflaw teenage hackers (or their parents) should have marijuana
in their homes is probably not a shocking revelation, but the surprisingly
common presence of illegal firearms in hacker dens is a bit disquieting.
A Personal Computer can be a great equalizer for the technocowboy
— much like that more traditional American "Great Equalizer,"
the Personal Sixgun. Maybe it's not all that surprising that some guy
obsessed with power through illicit technology would also have a few
illicit high-velocity-impact devices around. An element of the digital
underground particularly dotes on those "anarchy philes," and this element
tends to shade into the crackpot milieu of survivalists, gun-nuts,
anarcho-leftists and the ultra-libertarian right-wing.
This is not to say that hacker raids to date have uncovered any major
crack-dens or illegal arsenals; but Secret Service agents do not regard
"hackers" as "just kids." They regard hackers as unpredictable people,
bright and slippery. It doesn't help matters that the hacker himself has
been "hiding behind his keyboard" all this time. Commonly, police have
no idea what he looks like. This makes him an unknown quantity, someone
best treated with proper caution.To date, no hacker has come out shooting, though they do sometimes brag
on boards that they will do just that. Threats of this sort are taken
seriously. Secret Service hacker raids tend to be swift, comprehensive,
well-manned (even over- manned); and agents generally burst
through every door in the home at once, sometimes with drawn guns.
Any potential resistance is swiftly quelled. Hacker raids are usually
raids on people's homes. It can be a very dangerous business to raid an
American home; people can panic when strangers invade their sanctum.
Statistically speaking, the most dangerous thing a policeman can do is to
enter someone's home. (The second most dangerous thing is to stop a car
in traffic.) People have guns in their homes. More cops are hurt in
homes than are ever hurt in biker bars or massage parlors.
But in any case, no one was hurt during Sundevil, or indeed during any
part of the Hacker Crackdown.
Nor were there any allegations of any physical mistreatment of a suspect.
Guns were pointed, interrogations were sharp and prolonged; but
no one in 1990 claimed any act of brutality by any crackdown raider.
In addition to the forty or so computers, Sundevil reaped floppy disks in
particularly great abundance — an estimated 23,000 of them, which
naturally included every manner of illegitimate data: pirated games,
stolen codes, hot credit card numbers, the complete text and software of
entire pirate bulletin-boards. These floppy disks, which remain in
police custody today, offer a gigantic, almost embarrassingly rich
source of possible criminal indictments. These 23,000 floppy disks
also include a thus-far unknown quantity of legitimate computer games,
legitimate software, purportedly "private" mail from boards, business
records, and personal correspondence of all kinds.
Standard computer-crime search warrants lay great emphasis on seizing
written documents as well as computers — specifically including
photocopies, computer printouts, telephone bills, address books, logs,
notes, memoranda and correspondence. In practice, this has meant that
diaries, gaming magazines, software documentation, nonfiction books on
hacking and computer security, sometimes even science fiction novels,
have all vanished out the door in police custody. A wide variety of electronic items have been known to vanish as well, including telephones,
televisions, answering machines, Sony Walkmans, desktop printers,
compact disks, and audiotapes.
No fewer than 150 members of the Secret Service were sent into the
field during Sundevil. They were commonly accompanied by squads of
local and/or state police. Most of these officers — especially the locals
— had never been on an anti- hacker raid before. (This was one good
reason, in fact, why so many of them were invited along in the first
place.) Also, the presence of a uniformed police officer assures the
raidees that the people entering their homes are, in fact, police. Secret
Service agents wear plain clothes. So do the telco security experts who
commonly accompany the Secret Service on raids (and who make no
particular effort to identify themselves as mere employees of telephone
companies).
A typical hacker raid goes something like this. First, police storm in
rapidly, through every entrance, with overwhelming force, in the
assumption that this tactic will keep casualties to a minimum. Second,
possible suspects are immediately removed from the vicinity of any and
all computer systems, so that they will have no chance to purge or
destroy computer evidence. Suspects are herded into a room without
computers, commonly the living room, and kept under guard — not
*armed* guard, for the guns are swiftly holstered, but under guard
nevertheless. They are presented with the search warrant and warned
that anything they say may be held against them. Commonly they have a
great deal to say, especially if they are unsuspecting parents.
Somewhere in the house is the "hot spot" — a computer tied to a phone
line (possibly several computers and several phones). Commonly it's a
teenager's bedroom, but it can be anywhere in the house; there may be
several such rooms. This "hot spot" is put in charge of a two-agent
team, the "finder" and the "recorder." The "finder" is computertrained,
commonly the case agent who has actually obtained the search
warrant from a judge. He or she understands what is being sought, and
actually carries out the seizures: unplugs machines, opens drawers,
desks, files, floppy-disk containers, etc. The "recorder" photographs
all the equipment, just as it stands — especially the tangle of wired connections in the back, which can otherwise be a real nightmare to
restore. The recorder will also commonly photograph every room in the
house, lest some wily criminal claim that the police had robbed him
during the search. Some recorders carry videocams or tape recorders;
however, it's more common for the recorder to simply take written
notes. Objects are described and numbered as the finder seizes them,
generally on standard preprinted police inventory forms.
Even Secret Service agents were not, and are not, expert computer
users. They have not made, and do not make, judgements on the fly about
potential threats posed by various forms of equipment. They may exercise
discretion; they may leave Dad his computer, for instance, but they
don't *have* to. Standard computer-crime search warrants, which
date back to the early 80s, use a sweeping language that targets computers,
most anything attached to a computer, most anything used to operate
a computer — most anything that remotely resembles a computer —
plus most any and all written documents surrounding it. Computercrime
investigators have strongly urged agents to seize the works.
In this sense, Operation Sundevil appears to have been a complete success.
Boards went down all over America, and were shipped en masse to
the computer investigation lab of the Secret Service, in Washington DC,
along with the 23,000 floppy disks and unknown quantities of printed
material.
But the seizure of twenty-five boards, and the multi-megabyte mountains
of possibly useful evidence contained in these boards (and in their
owners' other computers, also out the door), were far from the only
motives for Operation Sundevil. An unprecedented action of great
ambition and size, Sundevil's motives can only be described as political.
It was a public-relations effort, meant to pass certain messages, meant
to make certain situations clear: both in the mind of the general public,
and in the minds of various constituencies of the electronic community.
First — and this motivation was vital — a "message" would be sent from
law enforcement to the digital underground. This very message was
recited in so many words by Garry M. Jenkins, the Assistant Director of
the US Secret Service, at the Sundevil press conference in Phoenix on May 9, 1990, immediately after the raids. In brief, hackers were
mistaken in their foolish belief that they could hide behind the "relative
anonymity of their computer terminals." On the contrary, they should
fully understand that state and federal cops were actively patrolling the
beat in cyberspace — that they were on the watch everywhere, even in
those sleazy and secretive dens of cybernetic vice, the underground
boards.
This is not an unusual message for police to publicly convey to crooks.
The message is a standard message; only the context is new.
In this respect, the Sundevil raids were the digital equivalent of the
standard vice-squad crackdown on massage parlors, porno bookstores,
head-shops, or floating crap-games. There may be few or no arrests in
a raid of this sort; no convictions, no trials, no interrogations. In cases
of this sort, police may well walk out the door with many pounds of
sleazy magazines, X-rated videotapes, sex toys, gambling equipment,
baggies of marijuana....
Of course, if something truly horrendous is discovered by the raiders,
there will be arrests and prosecutions. Far more likely, however,
there will simply be a brief but sharp disruption of the closed and
secretive world of the nogoodniks. There will be "street hassle."
"Heat." "Deterrence." And, of course, the immediate loss of the seized
goods. It is very unlikely that any of this seized material will ever be
returned. Whether charged or not, whether convicted or not, the perpetrators
will almost surely lack the nerve ever to ask for this stuff to
be given back.
Arrests and trials — putting people in jail — may involve all kinds of
formal legalities; but dealing with the justice system is far from the
only task of police. Police do not simply arrest people. They don't simply
put people in jail. That is not how the police perceive their jobs.
Police "protect and serve." Police "keep the peace," they "keep public
order." Like other forms of public relations, keeping public order is not
an exact science. Keeping public order is something of an art-form.
If a group of tough-looking teenage hoodlums was loitering on a street corner, no one would be surprised to see a street-cop arrive and sternly
order them to "break it up." On the contrary, the surprise would come
if one of these ne'er-do-wells stepped briskly into a phone-booth,
called a civil rights lawyer, and instituted a civil suit in defense of his
Constitutional rights of free speech and free assembly. But something
much along this line was one of the many anomolous outcomes of the
Hacker Crackdown.
Sundevil also carried useful "messages" for other constituents of the
electronic community. These messages may not have been read aloud
from the Phoenix podium in front of the press corps, but there was little
mistaking their meaning. There was a message of reassurance for
the primary victims of coding and carding: the telcos, and the credit
companies. Sundevil was greeted with joy by the security officers of the
electronic business community. After years of high-tech harassment
and spiralling revenue losses, their complaints of rampant outlawry
were being taken seriously by law enforcement. No more head-scratching
or dismissive shrugs; no more feeble excuses about "lack of computer-
trained officers" or the low priority of "victimless" white-collar
telecommunication crimes.
Computer-crime experts have long believed that computer-related
offenses are drastically under-reported. They regard this as a major
open scandal of their field. Some victims are reluctant to come forth,
because they believe that police and prosecutors are not computer-literate,
and can and will do nothing. Others are embarrassed by their
vulnerabilities, and will take strong measures to avoid any publicity;
this is especially true of banks, who fear a loss of investor confidence
should an embezzlement-case or wire-fraud surface. And some victims
are so helplessly confused by their own high technology that they never
even realize that a crime has occurred — even when they have been
fleeced to the bone.
The results of this situation can be dire. Criminals escape apprehension
and punishment. The computer-crime units that do exist, can't get work.
The true scope of computer-crime: its size, its real nature, the scope of
its threats, and the legal remedies for it — all remain obscured. Another problem is very little publicized, but it is a cause of genuine
concern. Where there is persistent crime, but no effective police protection,
then vigilantism can result. Telcos, banks, credit companies,
the major corporations who maintain extensive computer networks
vulnerable to hacking — these organizations are powerful, wealthy, and
politically influential. They are disinclined to be pushed around by
crooks (or by most anyone else, for that matter). They often maintain
well-organized private security forces, commonly run by experienced
veterans of military and police units, who have left public service for
the greener pastures of the private sector. For police, the corporate
security manager can be a powerful ally; but if this gentleman finds no
allies in the police, and the pressure is on from his board-of-directors,
he may quietly take certain matters into his own hands.
Nor is there any lack of disposable hired-help in the corporate security
business. Private security agencies — the 'security business' generally
— grew explosively in the 1980s. Today there are spooky gumshoed
armies of "security consultants," "rent-a- cops," "private eyes,"
"outside experts" — every manner of shady operator who retails in
"results" and discretion. Or course, many of these gentlemen and ladies
may be paragons of professional and moral rectitude. But as anyone
who has read a hard-boiled detective novel knows, police tend to be less
than fond of this sort of private-sector competition.
Companies in search of computer-security have even been known to
hire hackers. Police shudder at this prospect.
Police treasure good relations with the business community. Rarely
will you see a policeman so indiscreet as to allege publicly that some
major employer in his state or city has succumbed to paranoia and gone
off the rails. Nevertheless, police — and computer police in particular
— are aware of this possibility. Computer-crime police can and do
spend up to half of their business hours just doing public relations:
seminars, "dog and pony shows," sometimes with parents' groups or
computer users, but generally with their core audience: the likely victims
of hacking crimes. These, of course, are telcos, credit card companies
and large computer- equipped corporations. The police strongly
urge these people, as good citizens, to report offenses and press criminal charges; they pass the message that there is someone in authority
who cares, understands, and, best of all, will take useful action should a
computer-crime occur.
But reassuring talk is cheap. Sundevil offered action.
The final message of Sundevil was intended for internal consumption by
law enforcement. Sundevil was offered as proof that the community of
American computer-crime police had come of age. Sundevil was proof
that enormous things like Sundevil itself could now be accomplished.
Sundevil was proof that the Secret Service and its local law-enforcement
allies could act like a well- oiled machine — (despite the hampering
use of those scrambled phones). It was also proof that the Arizona
Organized Crime and Racketeering Unit — the sparkplug of Sundevil —
ranked with the best in the world in ambition, organization, and sheer
conceptual daring.
And, as a final fillip, Sundevil was a message from the Secret Service to
their longtime rivals in the Federal Bureau of Investigation. By
Congressional fiat, both USSS and FBI formally share jurisdiction over
federal computer-crimebusting activities. Neither of these groups has
ever been remotely happy with this muddled situation. It seems to suggest
that Congress cannot make up its mind as to which of these groups is
better qualified. And there is scarcely a G-man or a Special Agent anywhere
without a very firm opinion on that topic.
_____
No comments:
Post a Comment