Slashdot Mirror


Paper: "Cybercrimes: A Practical Approach..."

tgeller writes "The Santa Clara Computer High Technology Law Journal just published a paper by lawyer Eric Sinrod and William P. Reilly: "Cybercrimes: A Practical Approach to the Application of Federal Computer Crime Laws". The 54-page paper gives an excellent overview of computer crime methods, legal remedies, and motives. And he gets the "hacker/cracker" distinction right! Download the PDF or Word version (sorry, no hypertext)." Good background info if you are interested in this.

7 of 44 comments

  1. Right under his nose... by Ross C. Brackett · · Score: 5

    Denial of Service attacks represent a significant threat to the
    stability of our network infrastructure because of the inherent
    vulnerability in the TCP/IP 3-handshake reliable protocol. Successful
    prosecution of the perpetrators should raise the awareness that DoS and
    DDoS are very serious crimes with serious consequences. Also, system
    administrators are likely to collaborate in devising plans for rapid
    network response to thwart the source of the attacks.



    Sigh. He's so close to a logical viewpoint, it's frustrating. His first point is incongruous with his second. What he doesn't realize is that successful prosecution of the perpetrators prevents system administrators from collaborating to devise plans for rapid network response. There's no incentive for the Internet community to work to patch holes in security when we can just rely on fear of governmental reprimand to do the same thing. The inverse is true as well: fixing DoS problems on a technical level prevents more government regulation of the Internet from having to occur.

    Yes, passing laws is the easier solution, but haven't we learned this lesson already? The government is simply not a qualified caretaker for the Internet! The more we let governments assume jurisdiction, the worse the Internet gets. Duh. Joe Senator or even Jane Supreme-Court-Justice is simply not as qualified as you or me to make decisions about how the Internet is run. The problem is so many people are reliant on the government protecting them from everything, they've forgotten how to do things for themselves. The problem is, the biggest whiners also have the most amount of money and money = political influence. God bless America.
  2. Here's an HTML version. by pen · · Score: 4
    I loaded the Word version into Word 2000 and it spat out a bastardized HTML version. I have slightly fixed it up. It was viewable with Netscape 4.08 and Opera 4.01 (though Opera didn't like the non-standard character set much).

    The HTML file is here and the zipped HTML file is here.


  3. Difference Between Murder and Software Piracy... by Sir_Winston · · Score: 5

    The above post is probably just flamebait, but sadly enough there are many people who actually hold similar beliefs. The reality is that trading DivX and mp3 files is not only very minor--there are even conflicting studies as to whether it hurts or helps CD sales--but these days it's also arguably a form of civil disobedience.

    I consider it a protest against the perversion of copyright and other IP laws by big corporations which are insinuating themselves into positions of undue influence in government; corporations have vastly more resources than individuals, and as such individuals can no longer influence their government to such a great extent as corporations can.

    The whole notion that IP no longer passes into the public domain after a reasonable period of time in which its creators can derive profit, but instead remains locked up for 100 years after the death of the creator, is deplorable. Corporations like Disney made their fortunes by using public domain IP (half of Disney's cartoons are from other people's stories, used for free) which they'd have never been able to use under the IP law they've now implemented to keep their own creations indefinitely instead of giving back to the public domain they so richly borrowed from. The music industry is similarly guilty.

    As such, it's a valid form of protest to pirate mp3s and DivX of songs and films created by companies which have taken from public domain IP but never contributed back. Real cybercrime involves matters more serious than trading mp3s privately rather than for profit.

    Even more, I object to the notion in the paper referenced that it's a bad thing that "many countries do not share the urgency to combat cyber-crime for many reasons, including different values concerning piracy and espionage or the need to address more pressing social problems." That's one of the things I dislike most about the U.S.: cultural imperialism. The U.S. government has a tendency to try to push its own values and legal precepts onto other nations, and that's just plain wrong. Unless human rights are being violated in a very fundamental way, the U.S. has no right to attempt to coerce other countries into accepting our own cultural values.

    For example, if a sovereign nation wants to adopt a policy which makes all IP public domain within a few years, that's the right of that nation to do so. Originally, copyrights in the U.S. lasted only 14 years. But instead the U.S. tries to put pressure on such countries, or else bribes them with "humanitarian" grants into accepting the U.S. position. Would we allow the largest corporation in the U.S. to bully all others into adopting particular strategies, dividing up markets, and bribing competitors into submission? No. So, why is the U.S. allowed to dictate its values to the rest of the world?

    This is important because "cybercrime" as it's defined now in the U.S. includes matters which are legal in other nations, and the U.S. is attempting to pressure other nations into accepting U.S. offenses as international ones. Most of this pressure comes from the far right in this country, who are campaigning against pornography and recreational narcotics as well as trying to extend corporate hegemony.

    One of the prime examples is the U.S. characterization of the Netherlands as being the largest producer of child pornography and a major point of interest in drug trafficking. Since the Reagan-Meese morality policing of the 80s, The Netherlands has been in FBI reports as the largest producer of child pornography, because the age of consent for porn in The Netherlands is 16 rather than 18. Rather skewed to call that child pornography, merely because cultural attitudes toward sex are more permissive in one country than in the most puritanical one on the planet. Also, The Netherlands actually has very strict controls placed on marijuana, which is legal to purchase in certain locales even though it's not legally easily exportable or even transportable within the country itself. That's similarly no reason for FBI reports to classify The Netherlands as a notable place for drug trafficking.

    The Netherlands was replaced by Japan in FBI reports on cybercrime as the largest producer of child pornography, despite the fact that once again a cultural difference comes into play. Japan has never suffered the same sexual repression/oppression that some Western nations such as the U.S. have suffered, due to huge religious and cultural differences, hence the age of consent for pornography was lower than 18. The U.S. applied economic and political pressure to force the sovereign nation of Japan to raise its own internal age of consent for pornography production, which regardless of one's own attitudes towards sex or pornography is an inappropriate thing for one nation to do to another. Japan happily has no stigma attached to sex, and no Puritanical expectation of chastity until marriage. To include what is legal in its own nation and hosted in its own nation in cybercrime statistics is both culturally imperialistic and dishonest.

    This hasn't even touched upon the Chinese attitudes toward piracy of music and film, which would never be allowed by the U.S. to continue were it not for the fact that China is one of the most powerful nations. Were it a small, average country, the U.S. would have pressured them and economically blackmailed or bribed them already to buy into U.S. cultural values on the subject.

    While the paper's details about various cracking exploits and their relationships with applicable federal laws are informative, I find its nonchalant inclusion of software piracy together with extortion and money laundering and fraud to be laughable, and its comments about laws which diverge in other countries from U.S. law to be downright offensive. It's extremely selfish and culturally imperialistic to assume that American ways are right and any others are wrong and still to be considered illegal even when permitted in the country in question. And anyone who wants to know why I harped on the differing definition of child pornography in the U.S. and in other nations, it's because the FBI likes to artificially inflate those figures in order to make the threat appear more significant than it is, in order to secure more of our tax dollars and to get away with more abuses of civil rights--after all, when anyone mentions children people start being emotional instead of rational. More about that here at this link.

    --


    "The more corrupt the state, the more numerous the laws."--Tacitus, *The Annals*
  4. [cr|h]acker almost right, then blows it by anticypher · · Score: 4

    Hackers consider themselves members of an elite meritocracy based on ability and trade hacker techniques and "war stories" amongst themselves in Usenet forums, local or regional clubs, and national conferences, such as the annual Def Con Computer Underground Convention held in Las Vegas.

    They almost got it right, but then the report throws the underground movement in with the creative hackish crowd. Granted, they mostly go together, but I'd have associated DefCon, HacTic, CCCC, HOPE and the other cons with the cracker crowd. I've been to many of the cons in Europe and the US, and ALL the discussions revolved around criminal activity, NONE of it was about building better IP stacks or the pros and cons of threads in kernel space.

    The rest of the report uses Hacker in place of the term cybercriminal.

    In the middle of page 20 is a distorted look at a TCP intercept attack. It isn't necessary to DoS computer B to predict a TCP sequence number and redirect the TCP flow to computer A. There seems to be a lot of misunderstandings like this through the rest of the report.

    All in all, this is an excellent look at the type of information used to train law enforcement. This is the level of detail they are taught, and then they have to extrapolate this to each case they handle. They even quote a 20 year old entry in the Jargon Dictionary that telnet on a TOPS-10 is called IMPCOM. Any /. readers know a still running TOPS-10 (or 20) system?

    the AC

    --
    Hemos is like...sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  5. text version by po_boy · · Score: 4
    I read this using wordview, so when I was done I saved it as text. You can get it here:

    http://cow.mooresystems.com/~amoore/cybercrime.txt .

    If the author would like this copy removed, please mail me. I would be more than happy to remove it.

  6. SysAdmin Responsibility by Gregoyle · · Score: 4
    One of the most interesting parts of the article that I saw was the part dealing with the SysAdmin having responsibility or at least partial responsibility for things that his computer does after a compromise.

    All in all, this looks to be the equivalent of a Processing Crackers HOWTO, for either Law Enforcement or for corporations.

    One of the problems I have with this article is that it outlines all the different laws applicable where either the District Attorney or the corporation can prosecute, but it only goes very briefly or not at all into how a SysAdmin can actually stop these attacks.

    All of these attacks can be stopped if the sysadmin is doing his job correctly. Especially if the sysadmin can be held legally responsible for attacks mounted from his system, he MUST keep on top of these things.

    Obviously the article is meant to focus on the legal issues, and it can be a useful resource for someone who has already been compromised. But I know that whenever *I* as a sysadmin have a successful attack performed against *my* system, I am grateful for the heads up. Unless there is *real* and measurable damage (for instance stealing all the users' credit card numbers, etc) I do not believe in prosecuting the "hacker". YMMV.

    ------------

    --

    "He's more machine now than man, twisted and evil."

  7. It needs to be pointed out. by Anonymous Coward · · Score: 4

    There is *no* such thing as a cybercrime.