The Morris worm of November 1998.
- Robert Morris was an
undergrad at Cornell U. His father was a famous computer security
expert. Morris knew about various security holes in Unix systems via
his father & common knowledge at the time.
- Morris wrote a self-replicating program that spread itself from
computer to computer.
- Morris' worm infected a good proportion of the Unix computers on
the Internet at the time over a period of a couple of days. Most of
the source code is (was) available;
local copy here.
- From the
Worm FAQ:
Robert T. Morris, the author of the Internet Worm program, was
convicted of a Federal felony in the case. The law involved was 18 USC
1030 (A)(5)(a), the Computer Crime and Abuse Act of 1986. He was found
guilty in February of 1990 in US District Court in Syracuse, NY.
In May of 1990, he was sentenced -- outside of Federal sentencing
guidelines -- to 3 years of probation, 400 hours of community service,
and $10,050 in fines plus probation costs. His lawyers appealed the
conviction to the Circuit Court of Appeals, and the conviction was
upheld. His lawyers then appealed to the Supreme Court, but the Court
declined to hear the case -- leaving the conviction intact.
Morris was the first to be tried under the Computer Fraud and Abuse
Act of 1986 (PL
99-474). His worm served as a wake-up call to the security world.
The most evident concrete outcome was the formation of
CERT, with the purpose of being
a central source for reporting computer security incidents, as well as
maintaining listings of key personnel at Internet sites in the US. (Later,
CERT became essentially a service for subscribers only.)
Operation SunDevil and the Hacker Crackdown
- As chronicled in Sterling's
Hacker Crackdown, Barlow's Crime and
Puzzlement and elsewhere, law enforcement took an active role in
fighting computer crime in 1990.
- The US Secret Service (part of the Treasury Department) played a
leading role that has since been taken by the FBI. They obtained
search (usually not arrest) warrants and confiscated lots of
computer equipment, mostly belonging to teenagers. Almost no criminal
charges were ever filed.
- Some BBS operators, including Steve Jackson Games, also suffered
as a result of having copies of illicit documents, including the
famous E911
document (local copy).
- Part of the impetus against SJG & others was the risk and
dollar value of the E911 document: nearly $80K, plus fear that the
document would give hackers control over emergency services.
- In the end, the main long-term impact outside of the individuals
involved was the formation of the EFF, through a partnership of John
Perry Barlow, Mitch Kapor and Harry Silverstein. The EFF still
exists, though it was for years seriously diluted by corporate
contributions. It played a key role in the DVD case (below) and is
at the forefront of addressing the need for change in the DMCA.
Kevin Mitnick
- Kevin Mitnick did not break into NORAD's computers, by all
accounts (including the DoD's). But he was a computer criminal, with
an emphasis on "social engineering." He had strong skills with cell
phones as well.
- His main assets are creativity and persistence. Using well-known
techniques, he would talk his way into getting insider information at
organizations, then use this as a springboard to elevate his access.
- Mitnick didn't sell information he got, and evidently never
profited from his crimes (he held "straight" jobs most of the time).
But he did get caught, several times, and spent time in jail.
- On July 4, 1994, the New York Times published a front-page article
by John Markoff citing Mitnick as the world's most dangerous computer
hacker. On December 25, 1994, somebody broke into the home computer
of UCSD computer expert Tsutomu Shimomura. Shimomura became convinced
that it was Mitnick, and began working with Markoff to track him down.
- On February 15, 1995, Mitnick was arrested in Raleigh, NC. He
stayed in prison until January 21, 2000 (just shy of 5 years). His
release was a result of a plea bargain. Mitnick was denied a bail
hearing, and spent many months in solitary confinement and other
months with violent offenders - the basis of this was the dollar value
of his alleged crimes, totalling hundreds of millions of dollars for
possessing source code to cell phones and operating systems.
- See "NYTimes Reporter Issues Weak Response to Charges of Libelous and
Defamatory Reporting January 23, 2000" in kevinmitnick.com for Kevin's
refutation of Markoff's claims against him.
- Kevin's parole ended January 21, 2003. He plans on pursuing
a career as a security consultant, and has expressed regret for his
past criminal behavior.
Back Orifice
- See the Web site at bo2k.com, current developments (if
any) at sourceforge.net.
Back Orifice is a tool for remote administrative access to Win95/98
computers. It is similar to legitimate (commercial) tools for this
purpose.
BO & BO2k are feared and misunderstood. They are flagged
as viruses by scanners from Norton and McAfee. However, they have
all the features of commercial remote management software and then
some, but without the price tag or support. (But with source code.)
The writers of BO2k work hard to make sure they are not taken
seriously (see cultdeadcow.com),
and have not been charged with crimes.
Modern history == Post-DMCA
- The Sonny Bono act of 1998 extended copyright from 75 to 95
years, meaning that materials scheduled to go into the public domain
in 1998 (75 years after 1923) won't until at least 2018 -- barring
further extensions. Because Mickey Mouse would have gone into the
public domain in 2003, this act is sometimes called the Disney act.
The act was upheld by the Supreme Court in 2003.
- At the same time as Sonny Bono, other components made up the
Digital Millennium Copyright Act. This provided much-needed updates
to US copyright to address digital content. Unfortunately, it also
gave tremendous additional powers to content owners and created
conflict with fair use.
- Modern topics (to be covered in future classes) include:
- Distributed Denial of Service (DDoS) attacks, including the one
that took down Yahoo! and other sites.
- The MPAA v. 2600 and others. Content owners test their new
powers in the courts, and win.
- The RIAA v. Napster. Content owners win again. The
RIAA versus Kazaa et al. is still in play.
- Adobe v. Sklyarov. (Turned into the US government v.
Elcomsoft). What if you're a foreigner working in a foreign land,
and happen to visit the US? Can you be accountable for doing
something that's legal in your country, but illegal in the US?
Answer so far: No.