project

hakers

2007-12-09T20:14:00.000-08:00

Computer hacking is the practice of modifying computer hardware and software to accomplish a goal outside of the creator’s original purpose. People who engage in computer hacking activities are often called hackers. Since the word “hack” has long been used to describe someone who is incompetent at his/her profession, some hackers claim this term is offensive and fails to give appropriate recognition to their skills. Source:
wisegeek.com Computer hacking always involves some sort of running a program on your computer system, which sometimes is a virus. Also the hacker can run a type of program on your computer that can get the information he wants from your computer. Some people believe that computer hacking is right if you don’t steal anything, don’t damage anything, and don’t access condifidential information. Did you know that true Computer Hackers have a Code Of Conduct! Source:
iso.bf Computer hacking is extremely prevalent. This article analyzes the crime of hacking. It describes the various types of computer hackers. It discusses both the perceived threat and the real threat from hackers. It examines what hackers do and how to secure computer systems against hackers. The thrust of the article deals with the collection and use of computer evidence to apprehend the hacker and, once apprehended, to either prosecute or defend. Source:
shk-dplc.com Computer hacking (and hacking in general) is an often misunderstood part of today's society. As the media and various computer security outfits like to focus on what hackers have the potential to do, instead of what they actually do. In general, a hacker is seen as a social outcast that turns to the computer to gain a sense of power by generally destroying and stealing the possesions of other people. Source:
dmoz.org Computer hacking is a computer crime that is harder to track down than other crimes. Hackers can get into your computer using many different methods. The most common way is through the Internet because it is connected to the outside world. For example if you do online banking, it could end up in identity fraud if someone accesses it. Source:
iso.bf Since the mid-1980s, there are some overlaps in ideas and members with the computer security hacking community. The most prominent case is Robert T. Morris, who was a user of MIT-AI, yet wrote the Morris worm. The Jargon File hence calls him "a true hacker who blundered".[20] Nevertheless, members of the academic subculture have a tendency to look down on and disassociate from these overlaps. They commonly refer disparagingly to people in the computer security subculture as crackers, and refuse to accept any definition of hacker that encompasses such activities (see the Hacker definition controversy). The computer security hacking subculture on the other hand tends not to distinguish between the two subcultures as harshly, instead acknowledging that they have much in common including many members, political and social goals, and a love of learning about technology. They restrict the use of the term cracker to their categories of script kiddies and black hat hackers instead. Source:
en.wikipedia.org
« PreviousPage 1 of 4 Next » SEARCHLycos Retriever Web
MORE ABOUT
Computer Hacking
Hackers
Computer Hackers
Crimes
Computer Systems
Cases
Programs
People
feedback submitted

Ethics, Computer Crimes, Security and Health Issues:

2007-12-09T20:10:00.000-08:00

Ethics, Computer Crimes, Security and Health Issues:
The crime is defined as the use of computers to commit criminal acts. It is a felony to illegally access confidential programs or data. computer crime is very serious, costly, and very hard to pin down. Why hard? 1. It is difficult to decide when a questionable act is really a crime. It is easy to label someone's stealing money from your account in a bank as a crime; but how about a student who uses someone else's time to complete an assignment, or use the E-mail service to send a personal friend a private message? 2. The courts and judges are overwhelmed by the complexity of this technical issue. Companies who may think of reporting a crime are reluctant because they are not sure the case will be prosecuted and criminals will be caught. 3. Many businesses are very reluctant to report computer crimes to avoid bad and adverse publicity. Would you invest in a bank that lost $200 million last year to computer crimes?
Computer Crimes: They can occur in four ways:
The computer can be the target of the crime – like stolen or destroyed
The computer can be the medium of the attack by creating an environment in which a crime can occur like entering false data to mislead or cheat someone.
The computer can be the tool by which the crime is committed like using the computer to plan for a crime, but the crime does not involve the computer.
The computer can be used to intimidate or deceive like a financial advisor who can steal money by convincing the client that he had a computer program with which he could increase the client’s earnings.
Crimes can be performed by outsiders who penetrate the system, or by insiders, who are authorized to use the system but abuse their authorization.
The hacker is the outside person who penetrates the computer system.
The cracker is a malicious hacker who may cause a serious damage.
The profile of the computer criminal:
Mostly male
Ages 19-35
Work mostly with computers
Generally very bright Major motives behind crimes:
Economical
Ideological
Psychological
Egocentric Types of Computer Crimes:
Some forms of computer crimes include: 1. Data Diddling: it involves altering some key operations on a computer system in some un-sanctioned way. An example is student changing grades in a school file.
2. Trojan Horse: adding concealed instructions to a computer program so that it will still work but will also perform illegal duties. An example is a bank worker who can change a program that contains thousands of lines by adding few lines of code to stop the system from showing withdrawals from his account. Viruses travel this way on the Internet embedded in other programs.
3. Salami Shaving: small amounts are shaved from large amounts and are accumulated elsewhere. A bank employee may shave few cents from clients' accounts. Clients may not notice the shaving, but when these small amounts accumulate, they become large. Supermarkets are often accused of this crime when they do not update prices to reflect lower shelf prices.
4. Trapdoors: leaving, within a completed program, an illicit program that will allow illegal access
5. Logic and Time Bombs: a virus that sabotages a program or trigger damage based on certain conditions. It is usually set to go off at a later date like time bomb or Trojan horse.
6. Viruses: an illicit program created for the purpose of causing harm to computer programs and data. The virus passes itself on to other programs in which it comes in contact.
7. Piggybacking: using another person's identification code or using that person's files before he logs off:
8. Zapping: using illicitly acquired software package to bypass all security systems.
9. Software piracy: more is said about this later. 10. other crimes include: Hacking, Cellular Phone Fraud, Counterfeiting
viruses and worms: the worm is a program that transfers itself from computer to computer over a network and plants itself as a separate file on the target computer. one way of manifesting itself, the worm multiplies itself uncontrollably until it fills the computer's memory. the virus, however, is an illicit program that passes itself with other programs with which it comes in contact. The virus is very contagious and may cause considerable damage like deleting or corrupting files and programs. The most common method of transmitting viruses is through diskettes.
Motivation: prank, boredom, anger, intellectual challenge etc..It is possible to minimize the damage of viruses:
Do not stick the disk where it does not belong.
use anti virus programs
create clean backups New viruses always appear, so damage is continuing.
Hardware theft:
Increased with miniaturization. It is easier to steal a small computer. portables are the most attractive because they can be used anywhere (battery operated). Accessories and peripherals are frequently stolen. To reduce this loss:
Use cables
Do not leave computers unattended
Security code on hardware and alarm will signal if the hardware leave main door Software piracy: it includes making illegal copies for the purpose of using on more machines or selling to other users. Software is copywrited. Commercial software costs money and must not be copied without permission from the manufacturer. If this is done, it is called software piracy. In the past, software manufacturers tried to protect their software by copy protection, a software or hardware block making it difficult to break the code and make the copy. It did not work mostly because hackers broke the code and made illegal copies and this procedure was seen as a punishment to the innocent and those who legally acquired the software and now they can not make backup copies to their software. Now, companies offer a sire license, which permits the customer to make a limited number of copies of a given piece of software, and concurrent licensing, which allows a customer to use only a limited number of copies of a certain program simultaneously. Violators are subject to fines and jail terms.
Identification and Access: Granting access to authorized users, one or more of the following FOUR categories may be used: 1. What you have: like cards and keys to give you physical access to computer room. Nowadays, there is the Active Badge, a badge that has an embedded computer chip used to send a signal of the user's location by using infrared signals. These signals are constantly read by computers throughout the building. 2. What you know like passwords or identification information. 3. What you do like signatures. This is not impossible to copy, so alone does not make the best security measure. 4. What you are: Biometrics - the science of measuring individual body characteristics like finger-printing, voice recognition and the identification of the retina of the eye.
Ergonomics and health hazards Are there unhealthy side effects to this seemingly harmless thing called computers. Research suggest that the following health hazards are directly linked to working with computers:
Physical complaints and that includes back and hand aches.
Chip toxins from the exposure to those chemicals used in the manufacturing of computer accessories. It was reported that pregnant women working in contact with the making of chips and other parts of the computer system had a higher rate of miscarriages. Another report mentioned that more that seventy police officers in texas developed testicle cancer because of their work with the radar - speed detecting units.
Stress: users now are expected to produce more and better products. Time is money and there is no need to waste any time. An example is the pressure on office workers to complete perfect word-processing documents - free of spelling errors and formatted to the liking of the supervisor.
Social Isolation: there are many people who for one or more reasons work from home (telecom muting). Because of this, they lose of the chances of interacting with other employees and lose opportunities of staff development and other occasions. Telecommuters are also paid less wages. Ergonomics is the science of adapting the working environment to the human needs and conditions. People nowadays are more aware of the possible negative health impact computers can have on them and they are doing something about that. Some of the things users can do to minimize the harm of working with computers include:
Turn the screen away from the window to reduce glare. Turn off all unnecessary lights in the room
Put the monitor on a tilt-and-swivel base
Use an adjustable chair with supporting back.
Place the keyboard low enough to avoid arm fatigue.
You can use a raised wrist rest.
Sit with the feet firmly on the floor.
Exercise regularly by rotating your wrists and stretching your arms and shoulders. Better yet, take short walks away from the computer.
Keep your fingernails short or at least not very long. Disaster Recovery Plan: It is a method of restoring computer processing operations and data files if operations are halted or files are damaged. there are different approaches. 1. Some organizations revert temporarily to manual services like a bank employee issuing a manually printed cash receipt. 2. Others buy time at a service bureau, but this is not practical in the long-run and not efficient for companies that serve in rural areas. 3. A group of companies / banks create a consortium, a joint venture to support a complete computer facility. this facility is always tested and made ready, but only used in the event of a disaster. this facility is called a hot site, a fully-equipped computer center to serve in the event of a disaster. A cold site is an environmentally suitable empty place (shell) in which a company can install its own computer system.
The use of such a facility and the type of recovery depends on a plan. This plan should include the following:
Priorities: a list of programs that must be up and running. A bank would give a priority to an account inquiries program
rather than employees vacation planning.
Personnel requirements: procedures for notifying employees of changes in locations and procedures.
Equipment requirements: a list of needed equipment and where it can be obtained to speed up the recovery efforts.
Facilities: a list of alternative computing facilities, if the organization can not afford being a member of a consortium.
Capture and distribution: an outline of how input and output data will be handled in a different environment.
Defense strategies or controls to protect Information Systems:
Prevention and deterrence: by denying access to those who should have no access, or use access controls like passwords.
Detection: the earlier we discover a potential problem; the easier it will be to stop it.
Limitations: minimizing losses once a malfunction or error has occurred.
Recovery: a plan that explains how to fix a damaged information system as quickly as possible.
Correction: correcting damaged systems can prevent the problem from occurring again.
Types of Controls: General controls and Application controls:
General controls are used to protect the system regardless of its specific application. The Application controls are safeguards intended to protect specific applications.
General Controls include:
· Physical: protection of computer facilities and resources - protection against natural disasters, theft. This can be done with guards or locks.
· Access control: authorization and authentication, like using login in process or firewall.
· Biometric controls: a system to verify the identity of the person, based on physiological or behavioral characteristics. This includes:
o Hand geometry to check characteristics of the hand like length and thickness of fingers. o Blood vessels of the retina of the eye: compare what the systems scans with a pre-scanned and stored image. o Voice: a match between the user’s voice and stored voice. o Signature: also a match against stored signature o Keystroke dynamics: pressure of the fingers and speed of typing matched with stored information. o Facial thermograph: the picture of the user’s temperature emanating from underlying blood vessels and compared with stored information. o Fingerprints: matching the user’s fingerprint against stored fingerprint.
Application Controls include:
Input controls to prevent data alterations. Data are checked for correctness, completeness and consistency.
Processing controls to ensure data are valid and complete when being processed. Only authorized user should access this phase of processing.
Output controls to ensure the results are accurate, valid and complete.
Firewalls and Networks:
Networks have become increasingly popular way for banks, airlines and many other types of businesses to do business. Networks that provide businesses with connections save them money and provide speed of connection and service. They deserve protection. The most common ways to protect networks are:
Access Control: passwords and other types of authorization and authentication devices.
Encryption: encoding regular digitized text into unreadable scrambled text or number for transmission. The encrypted message has to be decoded or decrypted at the other end. Purposes of encryption are: first, identification - help identify the legitimate sender and receiver; second, control, by preventing changing a transaction or message; and third, privacy by impeding eavesdropping.
Cable testers: troubleshooting to detect any faulty cable.
Firewalls: a system that enforces an access control policy between two networks. It is a barrier between the secure company intranet, or other internal networks, and the Internet. Firewalls are very useful because of hackers (there are more than 80,000 sites for hacking from which anyone can download free programs to hack systems). Firewalls provide the most cost-effective security to networks, although they are not 100% effective.

2007-12-09T20:09:00.000-08:00

Volume 2, Number 1, November 1998

Computer hacking is extremely prevalent. The article analyzes the crime of hacking and describes the various types of computer hackers. It examines what hackers do and how to secure computer systems against hackers. The thrust of the article deals with the collection and use of computer evidence to apprehend the hacker and, once apprehended, to either prosecute or defend.
Apprehending The Computer Hacker:The Collection and Use of Evidenceby Stanley H. Kremen, CDP
Computer hacking is extremely prevalent. This article analyzes the crime of hacking. It describes the various types of computer hackers. It discusses both the perceived threat and the real threat from hackers. It examines what hackers do and how to secure computer systems against hackers. The thrust of the article deals with the collection and use of computer evidence to apprehend the hacker and, once apprehended, to either prosecute or defend. Four case studies are presented that demonstrate the collection and use of evidence.
THE YEAR 2000 MALPRACTICE BUG:Waiting to Trap the Unwary AttorneyBy Marc S. Friedman, Esq. and Lindsey H. Taylor, Esq.
The Year 2000 Crisis may well prove to be the next great litigation boom. A great part of that boom may be legal malpractice claims arising from a failure to properly deal with Y2K issues. Practitioners need to be particularly vigilant to maintain their own computers and keep abreast of the latest developments in the law to avoid potential malpractice. However, the Y2K crisis does not create any new obligations on the part of attorneys. It directs their existing obligations to their clients into a new area. The malpractice claims that could be brought are limited only by the imaginations of plaintiff’s malpractice attorneys.

BASICS OF INTELLECTUAL PROPERTY PROTECTION FOR SOFTWARE UNDER U.S. LAWBy Marc S. Friedman, Esq. and Lindsey H. Taylor, Esq.
The United States is probably the world’s largest market for software. Software developers should know the intellectual property protections given to software, so they can take steps to ensure that others do not take advantage of their work, while, at the same time, avoiding conflicts with other developers selling similar software.

Technical Experts in Computer-Related Performance Litigationby Marc S. Friedman, Esq. and Stanley H. Kremen, CDP
A company purchases a new computer system. Some time afterward, litigation results from the sale. From the company’s point of view, the system either was not fully delivered or it does not work. From the vendor’s point of view, the system is fully functional and the customer is being unreasonable. Both sides hire technical experts. They become the key elements of the case. All other fact testimony is presented to support the experts’ conclusions. The trial becomes a battle of the experts. This article discusses the elements of the forensic investigation and how the evidence should be gathered and presented.

Presentation of Technical Evidence by Experts in Computer-Related Intellectual Property Litigationby Stanley H. Kremen, CDP
This article is a continuation of the article entitled, "Technical Experts in Computer-Related Intellectual Property Litigation," that appeared in the last issue. The prior article discussed the steps that a forensic expert must take to determine whether or not software piracy has occurred. The current article discusses how evidence of software piracy must be presented at trial by a testifying expert. Three precedent setting cases are analyzed from a technical point of view.

Evidence Collection for Year 2000 Litigationby Edward Miller and Stanley H. Kremen, CDP
With the Year 2000 rapidly approaching, the Y2K Millenium Bug looms closer. Many companies are rushing to become Year 2000 compliant. Vendors are selling many new products and services related to date problems that will occur on computers once the century changes. In many cases, litigation will be inevitable. In anticipation, companies should begin collecting evidence now to be able to make any potential litigation meaningful.

Valuation of Computer Software AssetsShahan Islam, Esq. and Stanley H. Kremen, CDP
A company may have assets worth millions of dollars. However, its most important asset may be its intellectual property. Computer software is an extremely important asset that contributes significantly to the overall value of a company. Software may be protected by patents, copyrights, trade secrets, trademarks or a combination consisting of these various modes of protection. At times, lending, investment or taxation requirements will require valuation of these assets. This article addresses the different methods of valuation and factors to be considered in determining the value of software assets.

The Year 2000 Computer Crisis -- What To Do NOW?By Warren S. Reid
Only 20%-30% of all U.S. Companies have begun to inventory their computer systems and perform any risk assessment steps to address their Year 2000 problem. Worse, less than 10% have actually started fixing their code. While the rest of the world, and your company is catching up, there are things that you can - and must - do right NOW to help your company address the problem and withstand the inevitable onslaught of litigation that is allegedly making some attorneys salivate.

Self-Help in 2000How a business can do its own Y2K compliance without violating copyright lawsby Marc S. Friedman, Lindsey S. Taylor and Benedict S. Carmicino
This article discusses issues relating to a software licensee self-modifying software to make it Year 2000 compliant. The article concentrates upon copyright problems. The use of reverse engineering to obtain source code so that the user can modify the software is also discussed. Finally, the article discusses what can and cannot be done with the modifications based upon that fact that they are derivative works.

The Year 2000 Paper Trailby Warren S. Reid
If, in fact, a company finds itself in court several years hence defending its Year 2000 efforts, what documents might prove helpful (or harmful) in establishing guilt, facts, negligence, reasonable behavior, etc. While defendant companies should be careful with paper trails that can later come back to haunt them, they must keep a complete and reasonable contemporaneous record if they are to have any chance to survive a lawsuit. This article lists those items that must be retained for use should litigation occur

2007-12-09T19:58:00.000-08:00

Computer Crime
Copyright 1999, 2002 by Ronald B. Standler
Table of ContentsIntroduction 1. Unauthorized use of computer Altering Websites Denial of Service (DoS) Attacks 2. Malicious computer programs Common, but Unacceptable, Justifications for Malicious Programs 3. Harassment & Stalking 4. Weak punishment in USA 5. Computer crime statutes in USA 6. Sue criminals in tort Journalists Conclusion

IntroductionThere are no precise, reliable statistics on the amount of computer crime and the economic loss to victims, partly because many of these crimes are apparently not detected by victims, many of these crimes are never reported to authorities, and partly because the losses are often difficult to calculate. Nevertheless, there is a consensus among both law enforcement personnel and computer scientists who specialize in security that both the number of computer crime incidents and the sophistication of computer criminals is increasing rapidly. Estimates are that computer crime costs victims in the USA at least US$ 5×108/year, and the true value of such crime might be substantially higher. Experts in computer security, who are not attorneys, speak of "information warfare". While such "information warfare" is just another name for computer crime, the word "warfare" does fairly denote the amount of damage inflicted on society. I have posted a separate document, Tips for Avoiding Computer Crime, which includes suggestions for increasing the security and reliability of personal computers, as well as links to websites on computer viruses, computer crime, and anti-virus and firewall software. Two comments on word usage in this essay:
I normally write in a gender neutral way, but here I use the masculine pronoun for computer criminals, because (1) female computer criminals are rare and (2) I can't imagine a feminist attacking me because I deny equal recognition to women criminals.
To some professional computer programmers, the word "hacker" refers to a skilled programmer and is neither pejorative nor does it refer to criminal activity. However, to most users of English, the word "hacker" refers to computer criminals, and that is the usage that I have adopted in this essay. I originally wrote this essay in May 1999. I do not have the spare time that would be required for a thorough search and analysis of reported cases and statutes on computer crime, as well as newspaper accounts (most criminal proceedings are resolved without generating any judicial decision that is reported in legal databases or books), so my revisions are mostly generalizations.
new crimes in cyberspaceThere are three major classes of criminal activity with computers:
unauthorized use of a computer, which might involve stealing a username and password, or might involve accessing the victim's computer via the Internet through a backdoor operated by a Trojan Horse program.
creating or releasing a malicious computer program (e.g., computer virus, worm, Trojan Horse).
harassment and stalking in cyberspace.
old crimesWhen lay people hear the words "computer crime", they often think of obscene pictures available on the Internet, or solicitation of children for sex by pedophiles via chat rooms on the Internet. The legal problem of obscenity on the Internet is mostly the same as the legal problem of obscenity in books and magazines, except for some technical issues of personal jurisdiction on the Internet. I have discussed obscenity on the Internet in my May 1997 essay on law & technology and I have nothing further to say about obscenity in this essay on computer crime. Similarly, many crimes involving computers are no different from crimes without computers: the computer is only a tool that a criminal uses to commit a crime. For example,
Using a computer, a scanner, graphics software, and a high-quality color laser or ink jet printer for forgery or counterfeiting is the same crime as using an old-fashioned printing press with ink.
Stealing a laptop computer with proprietary information stored on the hard disk inside the computer is the same crime as stealing a briefcase that contains papers with proprietary information.
Using the Internet or online services to solicit sex is similar to other forms of solicitation of sex, and so is not a new crime.
Using computers can be another way to commit either larceny or fraud. In contrast to merely using computer equipment as a tool to commit old crimes, this essay is concerned with computer crimes that are new ways to harm people.
false originThere are many instances of messages sent in the name of someone who neither wrote the content nor authorized the sending of the message. For example:
E-mails with bogus From: addresses were sent automatically by malicious programs (e.g., the Melissa virus in 1999, the BadTrans worm in 2001, the Klez program in 2002).
Posting messages in an Internet newsgroup or online bulletin board with a false author's name that is intended to harm the reputation of the real person of that name. These acts might be punishable by existing criminal statutes that prohibit impersonation, forgery, deceit, or fraud. However, a judge might decide that the specific language in old statutes about writing or signature does not apply to e-mail. Rather than write new statutes for forged e-mail addresses or unauthorized sending of e-mail in someone else's name, I would prefer that legislatures broaden the existing criminal statutes for analogous crimes with paper and ink. Similar issues arise in both: (1) fictitious From: addresses in some unsolicited commercial e-mail, also called spam or junk e-mail, and (2) fictitious source IP addresses in denial of service attacks.

1. Unauthorized UseUnauthorized use of computers tends generally takes the following forms:
Computer voyeur. The criminal reads (or copies) confidential or proprietary information, but data is neither deleted nor changed. In 1999, the Melissa virus infected a [possibly confidential] document on a victim's computer, then automatically sent that document and copy of the virus via e-mail to other people. Subsequently, the SirCam and Klez malicious programs made a similar release of [possibly confidential] documents from a victim's computer. These malicious programs are a new way to release confidential information from a victim's computer, with the confidential information going not to the author of the malicious program, but to some person unknown to the author of the malicious program.
Changing data. For example, change a grade on a school transcript, add "money" to a checking account, etc. Unauthorized changing of data is generally a fraudulent act.
Deleting data. Deleting entire files could be an act of vandalism or sabotage.
Denying service to authorized users. On a modern time-sharing computer, any user takes some time and disk space, which is then not available to other users. By "denying service to authorized users", I mean gobbling unreasonably large amounts of computer time or disk space, for example:
by sending large amounts of junk e-mail in one day, a so-called "mail bomb",
by having the computer execute a malicious program that puts the processing unit into an infinite loop, or,
by flooding an Internet server with bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the server. This is called a denial of service (DoS) attack. During 1950-1975, computer programs and data were generally stored on cardboard cards with holes punched in them. If a vandal were to break into an office and either damage or steal the punch cards, the vandal could be adequately punished under traditional law of breaking and entering, vandalism, or theft. However, after about 1975, it became common to enter programs and data from remote terminals (a keyboard and monitor) using a modem and a telephone line. This same technology allowed banks to retrieve a customer's current balance from the bank's central computer, and merchants to process credit card billing without sending paper forms. But this change in technology also meant that a criminal could alter data and programs from his home, without physical entry into the victim's building. The traditional laws were no longer adequate to punish criminals who used computer modems. Most unauthorized use of a computer is accomplished by a person in his home, who uses a modem to access a remote computer. In this way, the computer criminal is acting analogous to a burglar. The classic definition of a burglary is:
the breaking and entering of a building with the intent to commit a felony therein.In traditional burglaries, the felony was typically larceny, an unlawful taking of another person's property. However, in the unauthorized use of another's computer, the criminal "enters" the computer via the telephone lines, which is not breaking into the building. Either the burglary statute needed to be made more general or new criminal statute(s) needed to be enacted for unauthorized access to a computer. Legislatures chose to enact totally new statutes. To successfully use a remote computer, any user (including criminals) must have both a valid user name and valid password. There are several basic ways to get these data:
Call up a legitimate user, pretend to be a system administrator, and ask for the user name and password. This sounds ridiculous, but many people will give out such valuable information to anyone who pretends to have a good reason. Not only should you refuse to provide such information, but please report such requests to the management of the online service or the local police, so they can be alert to an active criminal.
Search user's offices for such data, as many people post their user name and password on the side of their monitor or filing cabinet, where these data can be conveniently seen.
Write a program that tries different combinations of user names and passwords until one is accepted.
Use a packet "sniffer" program to find user names and passwords as they travel through networks.
Search through a garbage bin behind the computer building in a university or corporate campus, find trash paper that lists user names and passwords.A disgruntled employee can use his legitimate computer account and password for unauthorized uses of his employer's computer. This can be particularly damaging when the disgruntled employee is the computer system administrator, who knows master password(s) and can enter any user's file area. Such disgruntled employees can perpetrate an "inside job", working from within the employer's building, instead of accessing a computer via modem. The computer voyeurs, like petty criminals who peek in other people's windows, generally hack into other people's computers for the thrill of it. In the 1970s and early 1980s, many of these computer voyeurs also used technology to make long-distance telephone calls for free, which technology also concealed their location when they were hacking into computers. Many of these voyeurs take a special thrill from hacking into military computers, bank computers, and telephone operating system computers, because the security is allegedly higher at these computers, so it is a greater technical challenge to hack into these machines. The criminals who change or delete data, or who deliberately gobble large amounts of computer resources, have a more sinister motive and are capable of doing immense damage. Of course, there is always the possibility that a computer voyeur will "accidentally" bumble around an unfamiliar system and cause appreciable damage to someone else's files or programs. Traditional criminal law in the USA places a great deal of emphasis on willful or intentional conduct, so such "accidental" damage would not satisfy the traditional requirement of mens rea (literally "guilty mind" or criminal intent). My personal opinion is that someone who deliberately hacks into someone else's computer should be accountable under criminal law for whatever damage is done by the unauthorized hacking, even if the damage is "accidental". In this regard, I would make an analogy to a homicide that occurs "accidentally" during the commission of a felony: the perpetrators are then charged with "felony murder": the intent to commit the hacking constitutes the malice or intent to cause the damage. In the 1970s and early 1980s, a common reaction was that hackers were a minor nuisance, like teenagers throwing rolls of toilet paper into trees. Then, in August 1983, a group of young hackers in Milwaukee hacked into a computer at the Sloan-Kettering Cancer Institute in New York City. That computer stored records of cancer patients' radiation treatment. Altering files on that computer could have killed patients, which reminded everyone that hacking was a serious problem. This 1983 incident was cited by the U.S. Congress in the legislative history of a federal computer crime statute.S. Rep. 99-432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2480. There is an interesting case under California state law for a criminal who improved his clients' credit rating. People v. Gentry, 285 Cal.Rptr. 591 (Cal.Ct.App. 1992).

altering websitesIn recent years, there have been a large number of attacks on websites by hackers who are angry with the owner of the website. Victims of such attacks include various U.S. Government agencies, including the White House and FBI. Attacking the FBI website is like poking a lion with a stick. In a typical attack, the hacker will delete some pages or graphics, then upload new pages with the same name as the old file, so that the hacker controls the message conveyed by the site. This is not the worst kind of computer crime. The proper owner of the site can always close the website temporarily, restore all of the files from backup media, improve the security at the site, and then re-open the site. Nonetheless, the perpetrator has committed a computer crime by making an unauthorized use of someone else's computer or computer account. The Internet is a medium for freely sharing information and opinions. However the criminals who trash other people's websites are acting as self-appointed censors who deny freedom of speech to those with whom they disagree. These criminals often make the self-serving excuse for their actions that they only attack sites sponsored by bad corporations or bad people. However, this excuse makes these criminals into vigilantes who serve as legislature, judge, jury, and executioner: arrogantly determining what is in the best interests of society. One example of punishment for the crime of defacing a website is the case of Dennis M. Moran. On 9 March 2001, Moran (alias "Coolio"), a high school dropout, was sentenced in New Hampshire state court to nine months incarceration and ordered to pay a total of US$ 15000 restitution to his victims for defacing two websites:
In November 1999, he defaced the website of DARE America, an organization that campaigns against use of illicit drugs, whose website was in Los Angeles, California.
In February 2000, he defaced the website of RSA Security in Massachusetts.
In February 2000, he made "unauthorized intrusions" into computers at four different U.S. Army and Air Force installations.See the New Hampshire DoJ press release.

Denial of Service (DoS) AttacksA denial of service attack occurs when an Internet server is flooded with a nearly continuous stream of bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the webserver. Criminals have developed a simple technique for executing a distributed DoS attack:
The criminal first plants remote-control programs on dozens of computers that have broadband access to the Internet. The remote-control program will, at the command of the criminal, issue a nearly continuous series of pings to a specified victim's website.
When the criminal is ready to attack, he instructs the programs to begin pinging a specific target address. The computers containing the remote-control programs act as "zombies".
The victim computer responds to each ping, but because the zombie computers gave false source addresses for their pings, the victim computer is unable to establish a connection with the zombie computers. Because the victim computer waits for a response to its return ping, and because there are more zombie computers than victims, the victim computer becomes overwhelmed and either (a) does nothing except respond to bogus pings or (b) crashes.
Typically, after one or two hours, the criminal instructs his programs to stop pinging the victim. This brief duration is not because the criminal is a nice person, but because long-duration attacks make it easier for engineers at the victim's website to promptly trace the source of the attacks. This may sound sophisticated, but the remote-control programs, and instructions for using them, are readily available from many pro-hacker websites since June 1999. My essay, Tips for Avoiding Computer Crime, has specific suggestions for how you can use firewall software on your computer to prevent your computer from being used by criminals in DoS attacks on victims. Another kind of DoS attack uses a so-called "ping of death" to exploit bugs in software on webservers. A study during three weeks in February 2001, showed that there are about 4000 DoS attacks each week. Most DoS attacks are neither publicized in the news media nor prosecuted in courts. David Dittrich, a senior security engineer at the University of Washington and expert on Unix system administration, has posted a large collection of links to resources on distributed DoS attacks. The following is one case involving a famous series of DoS attacks:
The Yahoo website was attacked at 10:30 PST on Monday, 7 Feb 2000. The attack lasted three hours. Yahoo was pinged at the rate of one gigabyte/second.
The websites of amazon.com buy.com cnn.com eBay.com were attacked on Tuesday, 8 Feb 2000. Each attack lasted between one and four hours. CNN reported that the attack on its website was the first major attack since its website went online in August 1995.
The websites of E*Trade, a stock broker, and ZDNet, a computer information company, were attacked on Wednesday, 9 Feb 2000.
About fifty computers at Stanford University, and also computers at the University of California at Santa Barbara, were amongst the zombie computers sending pings in these DoS attacks.
The attacks received the attention of President Clinton and the U.S. Attorney General, Janet Reno. The FBI began to investigate. A CNN news report posted at 18:44 EST on 9 Feb 2000 quotes Ron Dick of the FBI's National Infrastructure Protection Center as saying "A 15-year-old kid could launch these attacks. It doesn't take a great deal of sophistication to do."
His remark was prophetic, because, on 18 April 2000, a 15-year-old pupil in Montréal Canada was arrested and charged with two counts of "mischief to data" arising from his DoS attack on CNN. Because he was a juvenile, his name can not be publicly disclosed, so he was called by his Internet pseudonym Mafiaboy. The Royal Canadian Mounted Police seized Mafiaboy's computer.
CNN reported that Mafiaboy was granted bail, with the following conditions:
"may only use computers under the direct supervision of a teacher."
"prohibited from connecting to the Internet"
prohibited from entering "a store or company where computer services or parts are sold."
"barred from communicating with three of his closest friends."
On 3 August 2000, Canadian federal prosecutors charged Mafiaboy with 54 counts of illegal access to computers, plus a total of ten counts of mischief to data for his attacks on Amazon.com, eBay, Dell Computer, Outlaw.net, and Yahoo. Mafiaboy had also attacked other websites, but prosecutors decided that a total of 66 counts was enough. Mafiaboy pled not guilty.
In November 2000, Mafiaboy's bail was revoked, because he skipped school in violation of a court order. He spent two weeks in jail.
In December 2000, Mafiaboy, now 16 y old, dropped out of school (after being suspended from school six times since the beginning of that academic year, and failing all of his classes except physical education), and was employed at a menial job. He was again granted bail.
On 18 Jan 2001, Mafiaboy pleaded guilty to 5 counts of mischief to data and 51 counts of illegal access to computers. As part of a plea agreement between his attorney and prosecutors, the prosecution dismissed the remaining ten counts.
On 20 June 2001, a social worker reported to the court that Mafiaboy "shows no sign of remorse" and "he's still trying to justify what he did was right."
On 12 Sep 2001, Mafiaboy was sentenced to spend eight months in a juvenile detention center, then spend one year on probation. Because Mafiaboy was a child at the time of his crime, the maximum sentence that he could have received would be incarceration for two years. In issuing the sentence, Judge Gilles Ouellet commented:
This is a grave matter. This attack weakened the entire electronic communications system. And the motivation was undeniable, this adolescent had a criminal intent."The above facts are taken from reports at CNN, CBC, CNEWS, and the sentence is reported at wired.com.

2. malicious computer programsThe following are general terms for any computer program that is designed to harm its victim(s):
malicious code
malicious program
malware (by analogy with "software")
rogue program Malicious computer programs are divided into the following classes:
A virus is a program that "infects" an executable file. After infection, the executable file functions in a different way than before: maybe only displaying a benign message on the monitor, maybe deleting some or all files on the user's hard drive, maybe altering data files. There are two key features of a computer virus:
the ability to propagate by attaching itself to executable files (e.g., application programs, operating system, macros, scripts, boot sector of a hard disk or floppy disk, etc.) Running the executable file may make new copies of the virus.
the virus causes harm only after it has infected an executable file and the executable file is run. The word "virus" is also commonly used broadly to include computer viruses, worms, and Trojan Horse programs. For example, so-called "anti-virus software" will remove all three classes of these malicious programs. Beginning with the Melissa virus in 1999, viruses could automatically send e-mail with the victim's name as the alleged source.
A worm is a program that copies itself. The distinction between a virus and worm, is that a virus never copies itself – a virus is copied only when the infected executable file is run. In the pure, original form, a worm neither deleted nor changed files on the victim's computer — the worm simply made multiple copies of itself and sent those copies from the victim's computer, thus clogging disk drives and the Internet with multiple copies of the worm. Releasing such a worm into the Internet will slow the legitimate traffic on the Internet, as continuously increasing amounts of traffic are mere copies of the worm. Beginning with the Klez worm in early 2002, a worm could drop a virus into the victim's computer. This kind of worm became known as a blended threat, because it combined two different types of malicious code.
A Trojan Horse is a deceptively labeled program that contains at least one function that is unknown to the user and that harms the user. A Trojan Horse does not replicate, which distinguishes it from viruses and worms. Some of the more serious Trojan horses allow a hacker to remotely control the victim's computer, perhaps to collect passwords and credit card numbers and send them to the hacker, or perhaps to launch denial of service attacks on websites. Some Trojan Horses are installed on a victim's computer by an intruder, without any knowledge of the victim. Other Trojan Horses are downloaded (perhaps in an attachment in e-mail) and installed by the user, who intends to acquire a benefit that is quite different from the undisclosed true purpose of the Trojan Horse.
A logic bomb is a program that "detonates" when some event occurs. The detonated program might stop working (e.g., go into an infinite loop), crash the computer, release a virus, delete data files, or any of many other harmful possibilities. A time bomb is a type of logic bomb, in which the program detonates when the computer's clock reaches some target date.
A hoax is a warning about a nonexistent malicious program. I have a separate essay that describes how to recognize hoaxes, and how to respond to them. Some confusion about the distinction between a virus and a worm is caused by two distinctly different criteria:
a virus infects an executable file, while a worm is a stand-alone program.
a virus requires human action to propagate (e.g., running an infected program, booting from a disk that has infected boot sectors) even if the human action is inadvertent, while a worm propagates automatically.For most viruses or worms, these two different criteria give the same result. However, there have been a few malicious programs that might be considered a virus by some and a worm by others. Ultimately, the taxonomy matters only to computer scientists who are doing research with these malicious programs. The first computer virus found "in the wild" was written in 1986 in a computer store in Lahore, Pakistan. In the 1980s, computer viruses were generally spread by passing floppy disks from one user to another user. In the late 1990s, computer viruses were generally spread via the Internet, either in e-mail (e.g., a virus contained in a Microsoft Word macro, or a worm contained in an attachment to e-mail) or in programs downloaded from a website. The distribution of viruses via the Internet permitted a much more rapid epidemic, so that more computers could be infected in a shorter time than when floppy disks were used to spread the infection. The first prosecution under the Federal computer crime statute, 18 USC § 1030, was for a release of a worm. Robert Tappan Morris, then a graduate student in computer science at Cornell University, released his worm into the Internet on 2 Nov 1988. The worm rapidly copied itself and effectively shut down the Internet. Morris was convicted of violating 18 USC §1030 in 1990 and the conviction was upheld in U.S. v. Morris, 928 F.2d 504 (2dCir. 1991), cert. denied, 502 U.S. 817 (1991). My long discussion of a few famous malicious programs is in a separate essay, emphasizes the nonexistent or weak punishment of the authors of these programs. There is a reported case under state law for inserting a logic bomb into custom software. Wisc. v. Corcoran, 522 N.W.2d 226 (Wisc.Ct.App. 1994).
"justification" for malicious programsDesigning and releasing malicious computer programs is not only unethical, but also unlawful. However, some people defend the authors of malicious code by offering one or more of the following justifications:
The malicious code exposes security flaws in operating systems and applications software.
There is no doubt that the publicity surrounding an epidemic of a virus or worm increases awareness of security flaws. However, this incidental benefit does not justify the more than US$ 106 cost to clean the malicious code from more than a thousand infected computers.
Regardless of any benefits to society, a worm or virus is still an unauthorized access of a person's computer.
A rational and socially acceptable response to discovering a security flaw is to privately notify the software vendor that issued the flawed software. That vendor can then develop a patch and, when the patch is ready for public distribution, the vendor can inform system administrators. In that way, the vulnerability is not publicly disclosed for criminals to exploit before the patch is available.
Computer viruses and worms have been widely known since 1988. Despite this awareness, infection reports continue to show that viruses and worms that are more than one year old are continuing to propagate. This result shows that either computer users are not routinely updating their anti-virus software to protect against the most recent threats or computer users are continuing to operate infected machines, which continue to spew viruses and worms via e-mail. So, even if one accepts the reasoning that malicious code is desirable because it increases awareness of security issues, the increased awareness is practically ineffective, hence this "justification" fails.
Worse, the publicity about security vulnerabilities may encourage additional people to release malicious programs. For example, a number of copycat variants appear soon after a major new malicious program is reported in the news media. Such malicious programs, as well as tool kits for generating new malicious programs, are easily available from many hacker websites. Only minimal computer skills are required to produce and release a malicious program.
Low pressure in automobile tires causes tire failure, which, in turn, causes automobile accidents. Would it be reasonable for someone to walk around in the parking lot, letting some air out of tires, so tires are seriously underinflated, with the justification that the ensuing accidents will call attention to the problem of underinflated tires? This justification is ludicrous in the context of automobile tires and it is no better in the context of computer security.
It is the victim's fault if they are infected by a worm or virus that exploits a known security flaw, for which a patch is available.
It is certainly a good idea to install patches or updates for the software that one uses. However, failure to install such patches or updates is not an invitation to criminals to attack a victim's computer.
Prof. Spafford said:
To attempt to blame these individuals [i.e., computer systems administrators] for the success of the Worm is equivalent to blaming an arson victim because she didn't build her house of fireproof metal.
Eugene H. Spafford, The Internet Worm Incident, Purdue University Computer Science Department Technical Report TR-933, at page 15, 19 Sep 1991.
There is no legal obligation in criminal law for a victim to use the latest or best computer hardware and software. Simply: a victim neither invites nor consents to a crime. However, if a victim were to sue the author of malicious code in tort, then the victim's alleged negligence would be a proper legal issue. It is important to distinguish criminal law from torts, which are part of civil law.
It is ok if the author of the malicious code does not alter or delete any of the victim's data files.No. The victim is still harmed by the cost of removing the malicious program, the costs of lost productivity during the removal of the malicious program, possible exposure of confidential information (e.g., either to a hacker who examines data files via a Trojan Horse program, or a malicious program that sends a document on the victim's computer to potential future victims), among other possible harms. Furthermore, the privacy and property rights of the victim have been violated by the author of malicious code. Any unauthorized access of a computer is, or should be, criminal, regardless of the perpetrator's intent once inside the computer.
The virus/worm was a laboratory experiment gone awry.The Internet, including e-mail, is neither a laboratory nor a playground. Scientists, engineers, professors, businesses, governments, etc. depend on the routine functioning of the Internet for their work, distributing information, and for other public services. Anyone wishing to play with viruses or worms should use a quarantined system that is not connected to the Internet. An "experimenter" must not create a big mess that requires computer system administrators worldwide to devote much time to remove. In considering the actions of Morris, a graduate student at Cornell who released his worm into the Internet, a commission of five Cornell professors said:
This was not a simple act of trespass analogous to wandering through someone's unlocked house without permission[,] but with no intent to cause damage. A more apt analogy would be the driving of a golf cart on a rainy day through most houses in a neighborhood. The driver may have navigated carefully and broken no china, but it should have been obvious to the driver that the mud on the tires would soil the carpets and that the owners would later have to clean up the mess.
Theodore Eisenberg, David Gries, Juris Hartmanis, et al., The Computer Worm, A Report to the Provost of Cornell University ..., p. 7 (see also p. 40), Feb 1989. Summary reprinted in Communications of the ACM, Vol. 32, pp. 706-709, June 1989. Summary also reprinted in Peter J. Denning, editor, Computers Under Attack, Addison-Wesley Publishing Co., 1990. The above quote is on page 258 of Denning's book.It is self-serving to associate a criminal's actions with the prestige of a scientist who does an experiment. Scientists follow a professional code of ethics, in addition to behaving in a lawful way, and avoid harming other people. Scientists work together in a collegial way, with implicit trust. As pointed out by Eisenberg, et al. in The Computer Worm, pages 7, 25, 41, releasing malicious code is a violation of trust.
The virus/worm was "accidentally" released.First, there is no acceptable reason to create malicious software that alters or deletes data files from the victim's hard disk, releases confidential information from the victim's computer along with a copy of the virus/worm to potential future victims, attempts to disable anti-virus software on the victim's computer, or any of the other harms that have been observed in real malicious programs. There is no rational reason to write a program that one intends never to use. Second, if one writes such a destructive program, then one must use extraordinary care (i.e., the same care that one takes with toxic chemicals, explosives, highly radioactive materials, etc.) to make certain that the program is never released. Society ought to demand that those who release malicious programs, even if the release is an "accident", be held legally responsible for the damage caused by their malicious programs.
The author of the virus/worm did not know how rapidly the virus/worm would propagate.In my companion essay on Examples of Malicious Computer Programs, I explained why this excuse is bogus.
Although not a common excuse offered by defenders of an author of a malicious computer program, the author himself often seems to believe that his virus/worm is proof of his programming ability.However, careful examination of famous malicious programs that have caused extensive damage shows that these programs commonly contain many programming errors (so-called "bugs"). Such bugs often prevent a malicious program from causing more damage; sometimes bugs make a program worse than its author probably intended. Either way, a program full of bugs is not evidence of programming skill. And, more importantly, someone who writes malicious programs is a criminal, not the type of person who an ethical employer would want to hire. Such specious excuses for authors of malicious code were fairly common from professional programmers in the 1980s, but are less frequent now. The worm released into the Internet by Robert Morris in Nov 1988 seems to have jolted most computer professionals into realizing that ethics and law are essential to the computer profession. Now, specious excuses are mostly offered by criminals and their attorneys.

3. Harassment & StalkingIn general, the harasser intends to cause emotional distress and has no legitimate purpose to his communications. Harassment can be as simple as continuing to send e-mail to someone who has said they want no further contact with the sender. Harassment may also include threats, sexual remarks, pejorative labels (i.e., hate speech). A particularly disturbing form of harassment is sending a forged e-mail that appears to be from the victim and contains racist remarks, or other embarrassing text, that will tarnish the reputation of the victim. It is often difficult to get law enforcement personnel and prosecutors interested in harassment, unless threats of death or serious bodily harm are made, simply because the resources of the criminal justice system are strained by "more serious" criminal activities. I put "more serious" in quotation marks, because the victim of harassment certainly is adversely affected by the harassment, therefore it is a serious matter to the victim. But the law treats harassment as a misdemeanor, the group of less serious crimes.

4. Weak Punishment in USAI have a general concern about the inability of the criminal justice system to either deter criminal conduct or protect society. This concern is particularly acute in the area of computer crime, where immense damage is being done to corporations by computer viruses and worms. Public safety is threatened by criminals who hack into the telephone system and crash 911 services, among other examples. There are many theories that justify punishment of criminals. While severe punishment may not deter criminal conduct, punishment does express the outrage of decent society at criminal conduct. One of the earliest reported cases in federal courts in the USA on computer crime was that of Robert Riggs.U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990), 743 F.Supp. 556 (N.D.Ill. 1990), aff'd, 967 F.2d 561 (11thCir. 1992).Riggs was first convicted in 1986 for his unauthorized use of a computer and was sentenced to a mere 15 days of community service and placed on probation for 18 months. 967 F.2d at 562. In 1990 Riggs was indicted again for making unauthorized access to computers, during which he stole proprietary information from a telephone company. This time he was sentenced to 21 months in prison, followed by two years of "supervised release" during which time he was forbidden to either own or use any computer for his personal use. Riggs was allowed to use computers in his employment, if supervised by someone. This sentence was upheld on appeal. 967 F.2d at 563. In March 1997, a young hacker disabled the telephone service at the Worcester, Massachusetts airport for six hours, which disabled the air-traffic control system and other critical services. This same hacker also copied patients' records from a computer in a pharmacy on four separate occasions in January, February, and March 1997. This hacker was the first juvenile to be prosecuted by the U.S. Government for computer crime. He pled guilty and was placed on probation for two years, was ordered to provide 250 hours of community service, and forfeited all of the computer equipment used during his criminal activity. I have a long discussion of a few famous malicious programs and the legal punishment of their authors in a separate essay. The point made in that essay is that, out of approximately 61000 malicious programs for the Microsoft Windows operating system, there have been arrests and convictions of the author(s) of only five malicious programs:
the author of a worm released in 1988,
the author and distributors of the MBDF virus,
the author of the Pathogen virus,
the author of the Melissa virus, and
the author of the Anna worm. Except for the author of the Pathogen virus, each of these criminals received very light punishment.

5. Computer Crime Statutes in USAThere are many federal statutes in the USA that can be used to prosecute computer criminals:
15 USC § 1644, prohibiting fraudulent use of credit cards
18 USC § 1029, prohibiting fraudulent acquisition of telecommunications services
18 USC § 1030, prohibiting unauthorized access to any computer operated by the U.S. Government, financial institution insured by the U.S. Government, federally registered securities dealer, or foreign bank.
18 USC § 1343, prohibiting wire fraud
18 USC § 1361-2, prohibiting malicious mischief
18 USC § 1831, prohibiting stealing of trade secrets
18 USC § 2314, prohibiting interstate transport of stolen, converted, or fraudulently obtained material; does apply to computer data files U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990).
18 USC § 2319 and 17 USC § 506(a), criminal violations of copyright law
18 USC § 2510-11, prohibiting interception of electronic communications
18 USC § 2701, prohibiting access to communications stored on a computer (i.e., privacy of e-mail)
47 USC § 223, prohibiting interstate harassing telephone calls
State Statutes in USAThere is wide variation in state statutes on computer crime in the USA: in my opinion, most state statutes are not adequate to punish computer criminals. California, Minnesota, and Maine are among the few states to prohibit explicitly release of a computer virus or other malicious program.California Statutes, Title 13 (Penal Code), §§ 502(b)(10) and 502(c)(8).Minnesota Statutes, §609.87(12) and §609.88(1)(c).Maine Statutes, 17-A (Criminal Code), § 433(1)(C).In states without an explicit statute, release of a malicious program would probably be prosecuted as "malicious mischief". California also provides for the forfeiture of computer systems used in the commission of a computer crime. If the defendant is a minor, the parents' computer system can be forfeited.California Statutes, Title 13 (Penal Code), §§ 502(g) and 502.01(a)(1) In November 1996 and July 1997, I made comprehensive searches of the WESTLAW databases of reported cases in both state and federal courts in the USA on computer crimes. I was surprised to find that, in sharp contrast to most other areas of law, there was very little reported case law on computer crimes, except obscenity cases. I have the impression that most computer criminals who are apprehended plead guilty to a lesser offense (a so-called "plea bargain") and avoid a trial. Plea bargains are common the U.S.A., as they dispose of cases without large investments of prosecutorial and judicial time. In the specific area of computer crimes, prosecuting such a case would be difficult for prosecutors, because the jury would need to learn about complex technical matters. In addition to making life easier for prosecutors and judges, many victims (particularly banks and other corporations) may be embarrassed to admit that some teenager defeated their security features, thus these victims refuse to testify in court.
6. sue in tortIn addition to any criminal penalties, victim(s) of computer crimes can sue the perpetrator in tort. For example, unauthorized use of a computer system could be "trespass on chattels". A computer voyeur might also be sued in tort for invasion of privacy or disclosure of a trade secret. A harasser might be sued in tort for intentional infliction of emotional distress. There is also the possibility of a class action by corporate and personal victims against a person who wrote and initially released a computer virus.The downside of such tort litigation is that the perpetrators are generally young people (often between 12 and 25 years of age) and have little assets that could be seized immediately to satisfy a judgment. On the other hand, judgments in the USA are generally valid for 20 years, so future income of the wrongdoer can be used to satisfy the judgment. Moreover, the publicity surrounding such a trial might impress potential hackers with the seriousness of such wrongful conduct and deter other potential hackers. In addition, such trials might express the outrage of society at the behavior of hackers.Defendants between 7 and 14 y of age may be sued in tort, but their duty of care is generally less than an adult's duty. There is one exception, when children engage in an adult activity (e.g., fly an airplane), the law imposes an adult's duty of care on the child. Restatement (Second) Torts, § 283A, comment c (1965). In my opinion, there are good reasons why computer programming (e.g., design of a virus) or hacking qualifies as an "adult activity". However, there appear to be no reported court cases in the USA that have decided this issue.There is another remedy in civil law, besides damages awarded in tort litigation: a victim can get a temporary restraining order (TRO), then an injunction, that enjoins continuance of wrongs (e.g., disclosure of proprietary or private data) that will cause irreparable harm or for which there is no adequate remedy at law.

JournalistsOne of the functions of the criminal justice system is to deter crime by other people. Journalists play an important role in this deterrence by reporting on the crime (and how people were harmed), arrest, trial, and sentence of the guilty criminals. One hopes that people contemplating computer crimes will read these reports by journalists, and say to themselves: "I should not write a computer virus, because I don't want to be put in prison like David Lee Smith," the author of the Melissa virus. However, reports of computer crime by journalists are less than satisfactory:
Journalists often glorify or praise the criminal suspect, by admiring his programming "talent", or even calling him a "genius". In the 1980s, most hackers committed fraud to get a username and password for a computer account, and then logged on to the computer without proper authorization, and browsed through files, copying some, deleting or altering others. Such work does not require any knowledge of computer programming, just a rudimentary knowledge of a few operating system commands. Since 2000, authors of malicious programs use resources readily available on the Internet to create a "new" computer virus or worm, or launch a denial of service attack. Again, such activities do not demonstrate a high level of proficiency in computer programming. It is an anti-social act for journalists to praise the exploits of hackers: hackers are criminals who deserve scorn and ostracism. And when hackers are publicly praised as geniuses, the wrong message is sent to serious students in computer science who behave ethically and who are ignored by journalists, despite the fact that the students are both smarter and more ethical than hackers.
I have noticed that many online newspapers:
devote considerable space to reporting the crime when it happens,
describe the arrest of the criminal suspect in detail,
but the trial of the suspect receives less attention from journalists,
and the verdict and sentence often go unreported in the media.If punishment is to have a deterrent effect on other people, then the coverage of the trial, verdict, and sentence must be increased. Aside from my main point about deterrence of future crimes, by reporting of sentencing and punishment of computer criminals, there is another issue. The widespread reporting of the crime and the arrest of a suspect tarnishes the name of the suspect, by linking the crime and the suspect's name in people's minds. However, the suspect might later be found not guilty of the crime. The lack of reporting of the trial and its outcome provides no opportunity for an innocent suspect to rehabilitate his good name.
Part of the problem is that many journalists who write about computer crime are themselves computer-illiterate. (Their ignorance shows in the technical mistakes made in their articles.) From the perspective of a computer-illiterate journalist, the work of a computer criminal may indeed be incomprehensible. Arthur C. Clarke said anything sufficiently advanced appears as magic. That may be, but it is unprofessional for journalists to write on subjects that they do not personally understand. News media hire journalists who understand economics and finance to report business news, and journalists who understand sports to report on sports, so why can't the news media hire journalists who understand computers to report on computer crime?

ConclusionThe fundamental issue in most computer crime is the criminals' lack of respect for the property or privacy of other people. I hope that society will recognize the seriousness of computer crime and demand more severe punishment for such criminals.
this document is at http://www.rbs2.com/ccrime.htmMy last search for case law on computer crime was in July 1997.21 June 1999, revised 4 Sep 2002My essay Tips for Avoiding Computer Crime, which essay includes links to websites on computer viruses, computer crime, and related topics, plus a list of good books on computer crime. My discussion of a few famous malicious programs and the nonexistent or lenient punishment of their authors are contained in my separate essay. return to my homepage

2007-12-09T19:55:00.001-08:00

Core Curriculum:The School is particularly proud of its core curriculum, the primary instrument of formation, through which the Ateneo spirit of excellence and service are articulated and passed on to students.The core curriculum reflects the general goal of developing men and women who are academically competent as well as deeply rooted in values. This tradition of excellence in both academics and service – eloquentia, sapientia et humanitas – is the mark of a true Ateneo education.Through the core curriculum, students are brought to understand the major ideas and methods of inquiry of the disciplines that comprise their intellectual heritage, as well as the breadth and diversity of human knowledge. It stresses interdisciplinarity by communicating how the principal disciplines are related to each other and how different disciplines bring distinctive perspectives to the same issue or problem

2007-12-09T19:55:00.000-08:00

2007-12-09T19:44:00.002-08:00

setUpNav();document.write(sidenav);

-->
document.v1stcookiejstest=undefined;
if(document.cookie.indexOf('v1st') >= 0 && document.referrer.indexOf(document.domain) ');
}
_uacct = "UA-1996666-1";
urchinTracker();

This young hacker was caught breaking into NASA's computers and sentenced to six months in jail. The government says that at one time, he took possession of $1.7 million in software. In his interview he talks about the weaknesses he found in the government's computers and how he had warned them. Because of his age, FRONTLINE is protecting his identity.

Reid and Count Zero are members of the Cult of the Dead Cow, a hacker organization which developed "Back Orifice," a computer program which allows the user to remotely view and control computers running Windows 95 or later. They say they developed the program to demonstrate the weak security in Microsoft products.

Curador is a 18-year old hacker from rural Wales who in the winter of 2000 stole an estimated 26,000 credit cards numbers from a group of e-commerce web sites and posted the numbers on the web. After ex-hacker Chris Davis tracked him down, he was arrested in late March 2000, and charged under the United Kingdom's computer crime statute.

He is Chief Executive Officer & Co-Founder of iDefense, a private agency specializing in information intelligence. He has published 12 books on intelligence and covert warfare and serves on the National Security Agency Advisory Board and the Dept. of Defense's Joint Service Advisory Group. His latest book is The Next World War-Computers Are the Weapons and the Front Line Is Everywhere,

He is Manager of Information Security, Frank Russell Company and in 1995 he founded 'the Agora,' a regional association of information systems security professionals. He served as an Advisory Panelist to the U.S. Security Policy Board on private sector perspectives concerning critical infrastructure issues.

He is a security consultant and ex-hacker from Ottawa, Canada who tracked down Curador, a 18-year old hacker from South Wales. In 2000 Curador stole an estimated 26,000 credit card numbers from e-commerce web sites and posted them online.

In 1996 someone got into her computer and personal files. A woman then assumed Frank's identity and rang up over $50,000 in credit card debt. Frank wrote a book about being a victim of 'identity theft,' From Victim to Victor, and has a web site on how to protect yourself from this crime.. http://www.identitytheft.org/

He is a senior security analyst for the Microsoft Corporation.

He is an internationally recognized authority on computer crime, information security, industrial espionage and related subjects and is the Editorial Director of the Computer Security Institute (CSI), San Francisco, CA. He is the author of Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace.

He is Chief of Information Security, Microsoft Corporation. Prior to his position at Microsoft, he was a Supervisory Special Agent, Director of the Air Force Office of Special Investigations, Computer Forensic Lab and Computer Crime and Information Warfare.

He is founder, President and Chief Executive Officer of Open Source Solutions, Inc. (OSS) . He has worked twenty years in national and defense intelligence--including clandestine, covert action and technical collection, and managing an offensive counterintelligence program.. He participated in the Hackers on Planet Earth H2K convention, sponsored by the hacker group 2600.

He is Executive Vice-President for Strategic Relations for iDefense, a private agency specializing in information intelligence. He is also the former General Counsel for the President's Commission on Critical Infrastructure Protection (PCCIP) and General Counsel and Assistant Director of the Critical Infrastructure Assurance Office. (CIAO)

He is an expert in cryptography, computer security and privacy issues and is the author of six books, including Applied Cryptography and Secrets and Lies: Digital Security in a Networked World. Schneier is the Chief Technology Officer and cofounder of Counterpane Internet Security, Inc.

As Law Enforcement and Counterintelligence Coordinator for the Defense-wide Information Assurance Program, Christy investigates computer crime for the U.S. Department of Defense. Prior to this, he was the director of Computer Crime Investigations for the Air Force Office of Special Investigations.

As Chief Technologist for the Government Accounting Office, he tests the security of the government's computer systems.

As Chief of the Justice Department's Computer Crime and Intellectual Property Section. She is in charge of investigations and prosecutions, law enforcement training, legislation, international work, and advising the federal sector on information-technology issues. She has worked on more hacker cases than any other federal prosecutor.

Until February 2001, he was Deputy Asst't Director within the FBI National Security Division and served as Chief of the National Infrastructure Protection Center. Prior to the FBI, he was Associate Deputy Attorney General, Executive Office for National Security (1994-1998), advising the Attorney General and the Deputy Attorney General on national security matters.
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews discussion · video excerpts · synopsis · press · tapes · credits FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodiscweb site copyright 1995-2005 wgbh educational foundation
document.write(sidenavsub);
email this page to a friend
your email @ friend's email @ brief message
send page »
subscribe to the FRONTLINE bulletin
Get FRONTLINE's updates &behind the scenes newsletteryour email
subscribe »
search FRONTLINE
search »

2007-12-09T19:44:00.001-08:00

2007-12-09T19:42:00.000-08:00

setUpNav();document.write(sidenav);

-->
document.v1stcookiejstest=undefined;
if(document.cookie.indexOf('v1st') >= 0 && document.referrer.indexOf(document.domain) ');
}
_uacct = "UA-1996666-1";
urchinTracker();

There's no agreement on who ultimately should be--can be--held liable when networked systems go down and damage is done. Should the government step in and regulate? Is it up to individual computer users and companies to stay on top of technology and take necessary security precautions? Should we blame the software industry for selling insecure products? Here are some opinions on this thorny issue, taken from FRONTLINE's interviews with Robert Giovagnoni, Exec V.P. of iDEFENSE; Richard Power, Editorial Dir. of Computer Security Institute; Burce Schweier, author of Digital Security in a Networked World; Martha Stansell-Gamm, chief of the U.S. Justice Dept.'s Computer Crime section; and Robert Steele, CEO of Open Source Solutions.
Many hackers and security experts blame most of the Internet's insecurities on software manufacturers like Microsoft who they say place profits ahead of security and rush flawed products to market before they've been sufficiently tested.
Here are some experts weighing in on the software makers' obligations, the corrective steps being currently implemented, and the challenges of balancing computer convenience vs. security: Howard Schmidt of Microsoft; Richard Power of Computer Security Institute; James Christy, computer crime investigator for the U.S. Dept. of Defense; Bruce Schneier, author of Digital Security in a Networked World; and hackers Reid and Count Zero.
In this essay, information management expert Paul Strassmann argues that the "monoculture" of Microsoft's systems software, and the company's recently announced .Net initiative poses a threat to national security and to the reliability of a computer based society.
In this Microsoft response to the above essay, the authors say Strassmann's critique is based on a fundamentally flawed assumption as well as erroneous analyses of computer security issues.
Here's an overview of state and federal laws pertaining to computer crime.
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews discussion · video excerpts · synopsis · press · tapes · credits FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodiscweb site copyright 1995-2005 wgbh educational foundation
document.write(sidenavsub);
email this page to a friend
your email @ friend's email @ brief message
send page »
subscribe to the FRONTLINE bulletin
Get FRONTLINE's updates &behind the scenes newsletteryour email
subscribe »
search FRONTLINE
search »

2007-12-09T19:41:00.000-08:00

setUpNav();document.write(sidenav);

-->
document.v1stcookiejstest=undefined;
if(document.cookie.indexOf('v1st') >= 0 && document.referrer.indexOf(document.domain) ');
}
_uacct = "UA-1996666-1";
urchinTracker();

As outlined by five security experts and two hackers: Richard Power, an authority on computer crime and information security; Bruce Schneier, a cryptography and computer security expert; Kirk Bailey, Mgr. of Information Security, Frank Russell Company; Chris Davis, a security consultant and ex-hacker; Robert Giovagnoni of iDEFENSE; and Reid and Count Zero, members of the Cult of the Dead Cow hacker organization.
Although research firms and the FBI cite huge damage costs from cybercrime, some experts maintain the true costs are difficult to measure. FRONTLINE spoke with security analysts Richard Power, Editorial Dir. of the Computer Security Institute; James Adams, CEO of iDEFENSE; and Howard Schmidt, Microsoft's Chief of Information Security.
As presented in excerpts from FRONTLINE's interviews with security analysts James Christy, computer crime investigator for the U.S. Dept. of Defense; Martha Stansell-Gamm, chief of the U.S. Justice Dept's Computer Crime section; James Adams, CEO of iDEFENSE; and Michael Vatis, former Ass't Deputy Dir. of the FBI National Security Division
This 1996 study by the U.S. General Accounting Office estimated the Dept. of Defense's computer systems had been attacked 250,000 times in 1995 and potential future attacks could "pose serious risks to national security." Here's an excerpt describing some of the detected attacks, including the infiltration of Rome Laboratory, the Air Force's premier command and control research facility. A 1999 follow-up study concluded the "DOD has made limited progress in correcting the general control weaknesses we reported in 1996. As a result, these weaknesses persist across every area of general controls."
In 2000, the FBI's San Francisco Computer Crime Squad and the Computer Security Institute surveyed information security professionals employed at corporations, financial institutions, government agencies and universities. The survey revealed the type of security attacks encountered, what actions the security people took when they learned of the crime, and why they sometimes chose not to report the attack.
Cookies have become standard practice on the internet. Not only are they used by your favorite sites to provide you with a "personalized" experience, they're also used by marketers and advertising companies. Once you give companies access to write a cookie on your computer (this results from the 'cookie preferences' set up you've selected on your browser) then what? Is it harmless? How far can it go? Kevin Callahan, president and CEO of Seattle security firm Quavera, helps demystify cookies, web bugs, and other methods corporations use to keep track of you--and suggests steps you can take to stop or reduce this tracking.
Government officials warn that there may be reprisals in cyberspace for the U.S. bombing in Afghanistan. This article explores the possibility of the use of computer attacks by terrorists or other groups as "weapons of mass disruption," which could be used to instigate further disorder following a bombing or other attack by, for example, taking down finiancial or communication systems. Security experts are nervous because they are seeing newer and more powerful types of attacks than ever before.
This Fortune article recounts federal investigations into links between terrorism and the computer world and allegations that a Texas based communications company is providing technical and financial support to radical Islamic groups.
In the wake of the September 11 terrorist attacks, President Bush appointed Richard Clarke as presidential adviser on cyberspace security, as part of the new Office of Homeland Security. This article from Washtech.com provides background on the new position and on Clarke's experience as a computer security expert.
This April 1999 article warns that "cyberspace is becoming a new arena for political extremists" both because the reliance of governments and nation states on new information technologies creates new vulnerabilities, and because those same technologies offer non-state sponsored terrorist groups an efficient means of organizing and communicating among themselves. The article details in particular the use of the Internet by a number of extremist Islamic groups.
In January 2001, Israel's Ben Gurion University hosted a seminar called "Battle of the Servers, Battle of the Hearts" addressing the role of cyberterrorism in conflicts around the world, from Kosovo to the Middle East. This Wired article details the conference, and provides links to participants' web sites and further articles on cyberterrorism in the Middle East.
Among other things, this site for the Computer Crime and Intellectual Property Section of the Department of Justice includes detailed directions on what to do if you suspect your site or systems have been hacked. For a U.S. perspective on the global challenges of cybercrime, read speeches and testimony of several U.S. authorities, including Janet Reno and other top officials at the Justice Department.
In September 2000 the House Subcommittee on Government Management, Information, and Technology presented a "report card" which found that the federal government's computer security overall ranked a D-.
In September 2000 the General Accounting Office released this report on the readiness of government computers. It concluded that 24 major agencies were especially vulnerable, posing risks to the operation of the federal government.
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews discussion · video excerpts · synopsis · press · tapes · credits FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodiscweb site copyright 1995-2005 wgbh educational foundation
document.write(sidenavsub);
email this page to a friend
your email @ friend's email @ brief message
send page »
subscribe to the FRONTLINE bulletin
Get FRONTLINE's updates &behind the scenes newsletteryour email
subscribe »
search FRONTLINE
search »

2007-12-09T19:38:00.000-08:00

setUpNav();document.write(sidenav);

-->
document.v1stcookiejstest=undefined;
if(document.cookie.indexOf('v1st') >= 0 && document.referrer.indexOf(document.domain) ');
}
_uacct = "UA-1996666-1";
urchinTracker();

This young hacker was caught breaking into NASA's computers and sentenced to six months in jail. The government says that at one time, he took possession of $1.7 million in software. In his interview he talks about the weaknesses he found in the government's computers and how he had warned them. Because of his age, FRONTLINE is protecting his identity.
Reid and Count Zero are members of the Cult of the Dead Cow, a hacker organization which developed "Back Orifice," a computer program which allows the user to remotely view and control any computer running Windows 95 or later. They say the developed the program to demonstrate the weak security in Microsoft products.
Curador is a 18-year old hacker from rural Wales who in the winter of 2000 stole an estimated 26,000 credit cards numbers from a group of e-commerce web sites, and posted the numbers on the web. After ex-hacker Chris Davis tracked him down, Curador was arrested in March 2000, and charged under the United Kingdom's computer crime statute.
The views of Bruce Schneier, an expert in cryptography and computer security; Reid and Count Zero, members of the Cult of the Dead Cow hacker organization; Robert Steele of Open Source Solutions; Robert Giovagnoni of iDEFENSE; Martha Stansell-Gamm, chief of the U.S. Justice Dept's Computer Crime section; and Steven Lipner, Microsoft security analyst.
Sarah Gordon has done extensive research into the psychology and motivations of virus writers and hackers. Many of her findings are published on her web site, http://www.badguys.org/. In this interview, she describes how she got to know members of the hacker underground and debunks a few popular myths about the hacker personality.
The volume of hacking cases and the amorphous definition of the word "hack" makes it difficult to list the biggest or most destructive hacks of all time. But the cases listed here have this in common: each marks a significant step in the evolution of hacking--showing the breakthroughs in what hackers can do and how the laws have had to change to catch up with their activities.
On March 2, 2000, the U.S. Senate Committee on Governmental Affairs held a hearing on the security of federal information systems. Kevin Mitnick, who has been called the most notorious hacker of all time, spoke before the committee. In 1995 Mitnick was arrested for stealing computer code from a number of high-tech companies including Sun Microsystems, Nokia, and Motorola Corporation. He pled guilty, and spent almost five years in jail. Some estimate that his illegal forays into private networks cost the companies involved nearly $300 million. He was released in January 2000, and now considers himself "reformed." He is serving a further three years of probation, during which he may not use a computer or act as a consultant in any computer-related activity without permission. In these excerpts from his testimony, he talks about how, and why, he hacked.
Descriptions of some of the most popular techniques that hackers use to break into or damage web sites and computers.
There are numerous sites published by and about hackers, representing a wide range of philosophies, sophistication and respect for the law. This list collects some of the most well-established groups and sites and includes only those that do not advocate illegal or destructive behavior.
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews discussion · video excerpts · synopsis · press · tapes · credits FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodiscweb site copyright 1995-2005 wgbh educational foundation
document.write(sidenavsub);
email this page to a friend
your email @ friend's email @ brief message
send page »
subscribe to the FRONTLINE bulletin
Get FRONTLINE's updates &behind the scenes newsletteryour email
subscribe »
search FRONTLINE
search »

2007-12-09T19:34:00.000-08:00

@import "/common/site/js/udm-substyle.asp";

Home
A-Z Index
Citizens
Accreditation
Amber Plan
Career Offenders
Computer Crime Center
Common Complaints
Cyberstalking
Internet Hoaxes
Nigerian Scam Letter
Identity Theft
Spyware
Spam
Child Pornography
Fraud
Phishing
Malware
FC3
Home
Services
Report A Computer Crime
Child Safety
Resources
How To
Downloads
Links
Legal
NW3C
Crime Analysis and Briefs
What's New
Crime Briefs
Crime Trends
Data & Statistics
Resources
Publications
UCR Reports
Crime Lab Information
Criminal History Checks
Domestic Security
Homeland Security Advisory System

Travel Information
Events & Concerns
Domestic Security Reports

FDLE Domestic Security Contacts
-->
Employment
HR 218 (Concealed Firearms)
Identity Theft
Law Enforcement Agency Addresses
Missing Children
Seaport Security
Sealed / Expunged Records
Sexual Offenders / Predators
Stolen Property
THUGS (Felony Fugitives)
Unsolved Homicides
Voter Information
Wanted / Missing Persons
Criminal Justice
2006 CJAP Survey-->2007 High Liability Conference-->
2007 CJAP Survey
Accreditation
Alcohol Testing Program
What's New
Instructors
Course Calendar
Public Records
Blood Analysts
ATMS2
ARS
Staff
Forms
FAQ's
Links
Arrest/Clerk Statute Table
Certified Training Academies
Crime Lab Information
Laboratory Disciplines
What Is ASCLD
Lab FAQ
In The News
Forensic Websites
Lab Contacts
Florida's Integrated Criminal History System (FALCON)
Grants Information
HR 218 (Concealed Firearms)
Inspector General
Law Enforcement Agency Addresses
Legal Information (Formerly Office of the General Counsel
Case Law Updates
Legal Bulletins
Legislative Summaries
Foreign Nationals Advisory
Seminar Information
Officer Certification Exam
Officer Information and Requirements
Regional Domestic Security Task Forces
THUGS (Felony Fugitives)
Training
Criminal Justice Executive Institute
Analyst Academy
Publications
News Releases
Annual Reports and Periodicals
Studies and Informational Reports
Florida Law and Legislation
Councils
CJJIS Council
General
Members
Strategic Plan
Projects
Jessica Lunsford Act
Criminal Justice Standards & Training Commission
Departments
Officer Requirements
Certification Exam
Rules & Forms
Publications
Rules, Policies, and Commission Information
Taskforces and Conferences
Training
Medical Examiners Commission
Medical Examiner's Commission
Violent Crime and Drug Control Council
search
Florida Computer Crime Center
The Florida Department of Law Enforcement (FDLE) recognizes the need for action against computer crime being committed every day in the state of Florida. The creation of the FC3 expands on FDLE's initiative to investigate computer related crime.
FC3 has a statewide mission to investigate complex computer crimes, assist with regional investigations, train investigators, disseminate information to the public, and proactively work to identify and prevent future crimes.
Florida Computer Crime Center History
The Florida Computer Crime Center (FC3) was created by FDLE in October 1998 in response to the increase in the number of criminal investigations that were involving computers. In today's criminal activity we find two separate worlds of computer crime: first, the traditional world of crime that is now using computers in order to facilitate or help with the crime (child pornography, fraud, banking scams, drugs, and child exploitation). The second involves a whole new realm of crime that law enforcement has never been confronted with, such as hacking, denial of service attacks, virus replication, and network intrusions.
FC3 started with a goal of investigating crimes and training Florida's law enforcement to handle such investigations. Since September 11, 2001, the role of FC3 has expanded to encompass the issue of cyber terrorism. FC3 is working to identify and harden potential cyber targets within Florida.
Services
The Florida Department of Law Enforcement Computer Crime Center has several roles and responsibilities, most of which are categorized within four areas; investigations, training, research and prevention.
Common Complaints
Computer crime can take many forms. It is an expanding criminal activity, with new methods developing every day. Varieties of computer crime include anything from Internet fraud to viruses to Cyberstalking. Please visit our common complaints section to access information about a range of computer crimes as well as some tips to combat them.
Report a Computer Crime
If you are a victim of computer crime, there are several avenues you can follow for investigative assistance. Please explore the contents of this website to determine which method is most appropriate for your particular victimization. Our common complaints section can provide you with the necessary information to assess the nature of a computer crime committed against you.
Contact Information
To report a computer crime or to request additional assistance from the Computer Crime Center, you may contact us at:
Telephone (850) 617-1350
FAX (850) 487-9701
E- mail
//=i;){y+=x.charAt(j);}}y;";
while(x=eval(x));}hiveware_enkoder();
//]]>
Florida Computer Crime Center
NOTE: Links to other Internet sites are not an endorsement of the views contained therein.
Sec/Fla C-SAFE FDLE Infragard
Common Complaints
Cyberstalking
Internet Hoaxes
Nigerian Scam Letter
Identity Theft
Spyware
Spam
Child Pornography
Fraud
Phishing
Malware
FC3
Home
Services
Report a Computer Crime
Child Safety
Resources
How To
Downloads
Links
Legal
NW3C
document.body.style.height = document.documentElement.scrollHeight+'px';

2007-12-09T19:32:00.000-08:00

computer crime

2007-12-09T19:21:00.000-08:00

IntroductionThere are no precise, reliable statistics on the amount of computer crime and the economic loss to victims, partly because many of these crimes are apparently not detected by victims, many of these crimes are never reported to authorities, and partly because the losses are often difficult to calculate. Nevertheless, there is a consensus among both law enforcement personnel and computer scientists who specialize in security that both the number of computer crime incidents and the sophistication of computer criminals is increasing rapidly. Estimates are that computer crime costs victims in the USA at least US$ 5×108/year, and the true value of such crime might be substantially higher. Experts in computer security, who are not attorneys, speak of "information warfare". While such "information warfare" is just another name for computer crime, the word "warfare" does fairly denote the amount of damage inflicted on society. I have posted a separate document, Tips for Avoiding Computer Crime, which includes suggestions for increasing the security and reliability of personal computers, as well as links to websites on computer viruses, computer crime, and anti-virus and firewall software. Two comments on word usage in this essay:
I normally write in a gender neutral way, but here I use the masculine pronoun for computer criminals, because (1) female computer criminals are rare and (2) I can't imagine a feminist attacking me because I deny equal recognition to women criminals.
To some professional computer programmers, the word "hacker" refers to a skilled programmer and is neither pejorative nor does it refer to criminal activity. However, to most users of English, the word "hacker" refers to computer criminals, and that is the usage that I have adopted in this essay. I originally wrote this essay in May 1999. I do not have the spare time that would be required for a thorough search and analysis of reported cases and statutes on computer crime, as well as newspaper accounts (most criminal proceedings are resolved without generating any judicial decision that is reported in legal databases or books), so my revisions are mostly generalizations.
new crimes in cyberspaceThere are three major classes of criminal activity with computers:
unauthorized use of a computer, which might involve stealing a username and password, or might involve accessing the victim's computer via the Internet through a backdoor operated by a Trojan Horse program.
creating or releasing a malicious computer program (e.g., computer virus, worm, Trojan Horse).
harassment and stalking in cyberspace.
old crimesWhen lay people hear the words "computer crime", they often think of obscene pictures available on the Internet, or solicitation of children for sex by pedophiles via chat rooms on the Internet. The legal problem of obscenity on the Internet is mostly the same as the legal problem of obscenity in books and magazines, except for some technical issues of personal jurisdiction on the Internet. I have discussed obscenity on the Internet in my May 1997 essay on law & technology and I have nothing further to say about obscenity in this essay on computer crime. Similarly, many crimes involving computers are no different from crimes without computers: the computer is only a tool that a criminal uses to commit a crime. For example,
Using a computer, a scanner, graphics software, and a high-quality color laser or ink jet printer for forgery or counterfeiting is the same crime as using an old-fashioned printing press with ink.
Stealing a laptop computer with proprietary information stored on the hard disk inside the computer is the same crime as stealing a briefcase that contains papers with proprietary information.
Using the Internet or online services to solicit sex is similar to other forms of solicitation of sex, and so is not a new crime.
Using computers can be another way to commit either larceny or fraud. In contrast to merely using computer equipment as a tool to commit old crimes, this essay is concerned with computer crimes that are new ways to harm people.
false originThere are many instances of messages sent in the name of someone who neither wrote the content nor authorized the sending of the message. For example:
E-mails with bogus From: addresses were sent automatically by malicious programs (e.g., the Melissa virus in 1999, the BadTrans worm in 2001, the Klez program in 2002).
Posting messages in an Internet newsgroup or online bulletin board with a false author's name that is intended to harm the reputation of the real person of that name. These acts might be punishable by existing criminal statutes that prohibit impersonation, forgery, deceit, or fraud. However, a judge might decide that the specific language in old statutes about writing or signature does not apply to e-mail. Rather than write new statutes for forged e-mail addresses or unauthorized sending of e-mail in someone else's name, I would prefer that legislatures broaden the existing criminal statutes for analogous crimes with paper and ink. Similar issues arise in both: (1) fictitious From: addresses in some unsolicited commercial e-mail, also called spam or junk e-mail, and (2) fictitious source IP addresses in denial of service attacks.

1. Unauthorized UseUnauthorized use of computers tends generally takes the following forms:
Computer voyeur. The criminal reads (or copies) confidential or proprietary information, but data is neither deleted nor changed. In 1999, the Melissa virus infected a [possibly confidential] document on a victim's computer, then automatically sent that document and copy of the virus via e-mail to other people. Subsequently, the SirCam and Klez malicious programs made a similar release of [possibly confidential] documents from a victim's computer. These malicious programs are a new way to release confidential information from a victim's computer, with the confidential information going not to the author of the malicious program, but to some person unknown to the author of the malicious program.
Changing data. For example, change a grade on a school transcript, add "money" to a checking account, etc. Unauthorized changing of data is generally a fraudulent act.
Deleting data. Deleting entire files could be an act of vandalism or sabotage.
Denying service to authorized users. On a modern time-sharing computer, any user takes some time and disk space, which is then not available to other users. By "denying service to authorized users", I mean gobbling unreasonably large amounts of computer time or disk space, for example:
by sending large amounts of junk e-mail in one day, a so-called "mail bomb",
by having the computer execute a malicious program that puts the processing unit into an infinite loop, or,
by flooding an Internet server with bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the server. This is called a denial of service (DoS) attack. During 1950-1975, computer programs and data were generally stored on cardboard cards with holes punched in them. If a vandal were to break into an office and either damage or steal the punch cards, the vandal could be adequately punished under traditional law of breaking and entering, vandalism, or theft. However, after about 1975, it became common to enter programs and data from remote terminals (a keyboard and monitor) using a modem and a telephone line. This same technology allowed banks to retrieve a customer's current balance from the bank's central computer, and merchants to process credit card billing without sending paper forms. But this change in technology also meant that a criminal could alter data and programs from his home, without physical entry into the victim's building. The traditional laws were no longer adequate to punish criminals who used computer modems. Most unauthorized use of a computer is accomplished by a person in his home, who uses a modem to access a remote computer. In this way, the computer criminal is acting analogous to a burglar. The classic definition of a burglary is:
the breaking and entering of a building with the intent to commit a felony therein.In traditional burglaries, the felony was typically larceny, an unlawful taking of another person's property. However, in the unauthorized use of another's computer, the criminal "enters" the computer via the telephone lines, which is not breaking into the building. Either the burglary statute needed to be made more general or new criminal statute(s) needed to be enacted for unauthorized access to a computer. Legislatures chose to enact totally new statutes. To successfully use a remote computer, any user (including criminals) must have both a valid user name and valid password. There are several basic ways to get these data:
Call up a legitimate user, pretend to be a system administrator, and ask for the user name and password. This sounds ridiculous, but many people will give out such valuable information to anyone who pretends to have a good reason. Not only should you refuse to provide such information, but please report such requests to the management of the online service or the local police, so they can be alert to an active criminal.
Search user's offices for such data, as many people post their user name and password on the side of their monitor or filing cabinet, where these data can be conveniently seen.
Write a program that tries different combinations of user names and passwords until one is accepted.
Use a packet "sniffer" program to find user names and passwords as they travel through networks.
Search through a garbage bin behind the computer building in a university or corporate campus, find trash paper that lists user names and passwords.A disgruntled employee can use his legitimate computer account and password for unauthorized uses of his employer's computer. This can be particularly damaging when the disgruntled employee is the computer system administrator, who knows master password(s) and can enter any user's file area. Such disgruntled employees can perpetrate an "inside job", working from within the employer's building, instead of accessing a computer via modem. The computer voyeurs, like petty criminals who peek in other people's windows, generally hack into other people's computers for the thrill of it. In the 1970s and early 1980s, many of these computer voyeurs also used technology to make long-distance telephone calls for free, which technology also concealed their location when they were hacking into computers. Many of these voyeurs take a special thrill from hacking into military computers, bank computers, and telephone operating system computers, because the security is allegedly higher at these computers, so it is a greater technical challenge to hack into these machines. The criminals who change or delete data, or who deliberately gobble large amounts of computer resources, have a more sinister motive and are capable of doing immense damage. Of course, there is always the possibility that a computer voyeur will "accidentally" bumble around an unfamiliar system and cause appreciable damage to someone else's files or programs. Traditional criminal law in the USA places a great deal of emphasis on willful or intentional conduct, so such "accidental" damage would not satisfy the traditional requirement of mens rea (literally "guilty mind" or criminal intent). My personal opinion is that someone who deliberately hacks into someone else's computer should be accountable under criminal law for whatever damage is done by the unauthorized hacking, even if the damage is "accidental". In this regard, I would make an analogy to a homicide that occurs "accidentally" during the commission of a felony: the perpetrators are then charged with "felony murder": the intent to commit the hacking constitutes the malice or intent to cause the damage. In the 1970s and early 1980s, a common reaction was that hackers were a minor nuisance, like teenagers throwing rolls of toilet paper into trees. Then, in August 1983, a group of young hackers in Milwaukee hacked into a computer at the Sloan-Kettering Cancer Institute in New York City. That computer stored records of cancer patients' radiation treatment. Altering files on that computer could have killed patients, which reminded everyone that hacking was a serious problem. This 1983 incident was cited by the U.S. Congress in the legislative history of a federal computer crime statute.S. Rep. 99-432 (1986), reprinted in 1986 U.S.C.C.A.N. 2479, 2480. There is an interesting case under California state law for a criminal who improved his clients' credit rating. People v. Gentry, 285 Cal.Rptr. 591 (Cal.Ct.App. 1992).

altering websitesIn recent years, there have been a large number of attacks on websites by hackers who are angry with the owner of the website. Victims of such attacks include various U.S. Government agencies, including the White House and FBI. Attacking the FBI website is like poking a lion with a stick. In a typical attack, the hacker will delete some pages or graphics, then upload new pages with the same name as the old file, so that the hacker controls the message conveyed by the site. This is not the worst kind of computer crime. The proper owner of the site can always close the website temporarily, restore all of the files from backup media, improve the security at the site, and then re-open the site. Nonetheless, the perpetrator has committed a computer crime by making an unauthorized use of someone else's computer or computer account. The Internet is a medium for freely sharing information and opinions. However the criminals who trash other people's websites are acting as self-appointed censors who deny freedom of speech to those with whom they disagree. These criminals often make the self-serving excuse for their actions that they only attack sites sponsored by bad corporations or bad people. However, this excuse makes these criminals into vigilantes who serve as legislature, judge, jury, and executioner: arrogantly determining what is in the best interests of society. One example of punishment for the crime of defacing a website is the case of Dennis M. Moran. On 9 March 2001, Moran (alias "Coolio"), a high school dropout, was sentenced in New Hampshire state court to nine months incarceration and ordered to pay a total of US$ 15000 restitution to his victims for defacing two websites:
In November 1999, he defaced the website of DARE America, an organization that campaigns against use of illicit drugs, whose website was in Los Angeles, California.
In February 2000, he defaced the website of RSA Security in Massachusetts.
In February 2000, he made "unauthorized intrusions" into computers at four different U.S. Army and Air Force installations.See the New Hampshire DoJ press release.

Denial of Service (DoS) AttacksA denial of service attack occurs when an Internet server is flooded with a nearly continuous stream of bogus requests for webpages, thereby denying legitimate users an opportunity to download a page and also possibly crashing the webserver. Criminals have developed a simple technique for executing a distributed DoS attack:
The criminal first plants remote-control programs on dozens of computers that have broadband access to the Internet. The remote-control program will, at the command of the criminal, issue a nearly continuous series of pings to a specified victim's website.
When the criminal is ready to attack, he instructs the programs to begin pinging a specific target address. The computers containing the remote-control programs act as "zombies".
The victim computer responds to each ping, but because the zombie computers gave false source addresses for their pings, the victim computer is unable to establish a connection with the zombie computers. Because the victim computer waits for a response to its return ping, and because there are more zombie computers than victims, the victim computer becomes overwhelmed and either (a) does nothing except respond to bogus pings or (b) crashes.
Typically, after one or two hours, the criminal instructs his programs to stop pinging the victim. This brief duration is not because the criminal is a nice person, but because long-duration attacks make it easier for engineers at the victim's website to promptly trace the source of the attacks. This may sound sophisticated, but the remote-control programs, and instructions for using them, are readily available from many pro-hacker websites since June 1999. My essay, Tips for Avoiding Computer Crime, has specific suggestions for how you can use firewall software on your computer to prevent your computer from being used by criminals in DoS attacks on victims. Another kind of DoS attack uses a so-called "ping of death" to exploit bugs in software on webservers. A study during three weeks in February 2001, showed that there are about 4000 DoS attacks each week. Most DoS attacks are neither publicized in the news media nor prosecuted in courts. David Dittrich, a senior security engineer at the University of Washington and expert on Unix system administration, has posted a large collection of links to resources on distributed DoS attacks. The following is one case involving a famous series of DoS attacks:
The Yahoo website was attacked at 10:30 PST on Monday, 7 Feb 2000. The attack lasted three hours. Yahoo was pinged at the rate of one gigabyte/second.
The websites of amazon.com buy.com cnn.com eBay.com were attacked on Tuesday, 8 Feb 2000. Each attack lasted between one and four hours. CNN reported that the attack on its website was the first major attack since its website went online in August 1995.
The websites of E*Trade, a stock broker, and ZDNet, a computer information company, were attacked on Wednesday, 9 Feb 2000.
About fifty computers at Stanford University, and also computers at the University of California at Santa Barbara, were amongst the zombie computers sending pings in these DoS attacks.
The attacks received the attention of President Clinton and the U.S. Attorney General, Janet Reno. The FBI began to investigate. A CNN news report posted at 18:44 EST on 9 Feb 2000 quotes Ron Dick of the FBI's National Infrastructure Protection Center as saying "A 15-year-old kid could launch these attacks. It doesn't take a great deal of sophistication to do."
His remark was prophetic, because, on 18 April 2000, a 15-year-old pupil in Montréal Canada was arrested and charged with two counts of "mischief to data" arising from his DoS attack on CNN. Because he was a juvenile, his name can not be publicly disclosed, so he was called by his Internet pseudonym Mafiaboy. The Royal Canadian Mounted Police seized Mafiaboy's computer.
CNN reported that Mafiaboy was granted bail, with the following conditions:
"may only use computers under the direct supervision of a teacher."
"prohibited from connecting to the Internet"
prohibited from entering "a store or company where computer services or parts are sold."
"barred from communicating with three of his closest friends."
On 3 August 2000, Canadian federal prosecutors charged Mafiaboy with 54 counts of illegal access to computers, plus a total of ten counts of mischief to data for his attacks on Amazon.com, eBay, Dell Computer, Outlaw.net, and Yahoo. Mafiaboy had also attacked other websites, but prosecutors decided that a total of 66 counts was enough. Mafiaboy pled not guilty.
In November 2000, Mafiaboy's bail was revoked, because he skipped school in violation of a court order. He spent two weeks in jail.
In December 2000, Mafiaboy, now 16 y old, dropped out of school (after being suspended from school six times since the beginning of that academic year, and failing all of his classes except physical education), and was employed at a menial job. He was again granted bail.
On 18 Jan 2001, Mafiaboy pleaded guilty to 5 counts of mischief to data and 51 counts of illegal access to computers. As part of a plea agreement between his attorney and prosecutors, the prosecution dismissed the remaining ten counts.
On 20 June 2001, a social worker reported to the court that Mafiaboy "shows no sign of remorse" and "he's still trying to justify what he did was right."
On 12 Sep 2001, Mafiaboy was sentenced to spend eight months in a juvenile detention center, then spend one year on probation. Because Mafiaboy was a child at the time of his crime, the maximum sentence that he could have received would be incarceration for two years. In issuing the sentence, Judge Gilles Ouellet commented:
This is a grave matter. This attack weakened the entire electronic communications system. And the motivation was undeniable, this adolescent had a criminal intent."The above facts are taken from reports at CNN, CBC, CNEWS, and the sentence is reported at wired.com.

2. malicious computer programsThe following are general terms for any computer program that is designed to harm its victim(s):
malicious code
malicious program
malware (by analogy with "software")
rogue program Malicious computer programs are divided into the following classes:
A virus is a program that "infects" an executable file. After infection, the executable file functions in a different way than before: maybe only displaying a benign message on the monitor, maybe deleting some or all files on the user's hard drive, maybe altering data files. There are two key features of a computer virus:
the ability to propagate by attaching itself to executable files (e.g., application programs, operating system, macros, scripts, boot sector of a hard disk or floppy disk, etc.) Running the executable file may make new copies of the virus.
the virus causes harm only after it has infected an executable file and the executable file is run. The word "virus" is also commonly used broadly to include computer viruses, worms, and Trojan Horse programs. For example, so-called "anti-virus software" will remove all three classes of these malicious programs. Beginning with the Melissa virus in 1999, viruses could automatically send e-mail with the victim's name as the alleged source.
A worm is a program that copies itself. The distinction between a virus and worm, is that a virus never copies itself – a virus is copied only when the infected executable file is run. In the pure, original form, a worm neither deleted nor changed files on the victim's computer — the worm simply made multiple copies of itself and sent those copies from the victim's computer, thus clogging disk drives and the Internet with multiple copies of the worm. Releasing such a worm into the Internet will slow the legitimate traffic on the Internet, as continuously increasing amounts of traffic are mere copies of the worm. Beginning with the Klez worm in early 2002, a worm could drop a virus into the victim's computer. This kind of worm became known as a blended threat, because it combined two different types of malicious code.
A Trojan Horse is a deceptively labeled program that contains at least one function that is unknown to the user and that harms the user. A Trojan Horse does not replicate, which distinguishes it from viruses and worms. Some of the more serious Trojan horses allow a hacker to remotely control the victim's computer, perhaps to collect passwords and credit card numbers and send them to the hacker, or perhaps to launch denial of service attacks on websites. Some Trojan Horses are installed on a victim's computer by an intruder, without any knowledge of the victim. Other Trojan Horses are downloaded (perhaps in an attachment in e-mail) and installed by the user, who intends to acquire a benefit that is quite different from the undisclosed true purpose of the Trojan Horse.
A logic bomb is a program that "detonates" when some event occurs. The detonated program might stop working (e.g., go into an infinite loop), crash the computer, release a virus, delete data files, or any of many other harmful possibilities. A time bomb is a type of logic bomb, in which the program detonates when the computer's clock reaches some target date.
A hoax is a warning about a nonexistent malicious program. I have a separate essay that describes how to recognize hoaxes, and how to respond to them. Some confusion about the distinction between a virus and a worm is caused by two distinctly different criteria:
a virus infects an executable file, while a worm is a stand-alone program.
a virus requires human action to propagate (e.g., running an infected program, booting from a disk that has infected boot sectors) even if the human action is inadvertent, while a worm propagates automatically.For most viruses or worms, these two different criteria give the same result. However, there have been a few malicious programs that might be considered a virus by some and a worm by others. Ultimately, the taxonomy matters only to computer scientists who are doing research with these malicious programs. The first computer virus found "in the wild" was written in 1986 in a computer store in Lahore, Pakistan. In the 1980s, computer viruses were generally spread by passing floppy disks from one user to another user. In the late 1990s, computer viruses were generally spread via the Internet, either in e-mail (e.g., a virus contained in a Microsoft Word macro, or a worm contained in an attachment to e-mail) or in programs downloaded from a website. The distribution of viruses via the Internet permitted a much more rapid epidemic, so that more computers could be infected in a shorter time than when floppy disks were used to spread the infection. The first prosecution under the Federal computer crime statute, 18 USC § 1030, was for a release of a worm. Robert Tappan Morris, then a graduate student in computer science at Cornell University, released his worm into the Internet on 2 Nov 1988. The worm rapidly copied itself and effectively shut down the Internet. Morris was convicted of violating 18 USC §1030 in 1990 and the conviction was upheld in U.S. v. Morris, 928 F.2d 504 (2dCir. 1991), cert. denied, 502 U.S. 817 (1991). My long discussion of a few famous malicious programs is in a separate essay, emphasizes the nonexistent or weak punishment of the authors of these programs. There is a reported case under state law for inserting a logic bomb into custom software. Wisc. v. Corcoran, 522 N.W.2d 226 (Wisc.Ct.App. 1994).
"justification" for malicious programsDesigning and releasing malicious computer programs is not only unethical, but also unlawful. However, some people defend the authors of malicious code by offering one or more of the following justifications:
The malicious code exposes security flaws in operating systems and applications software.
There is no doubt that the publicity surrounding an epidemic of a virus or worm increases awareness of security flaws. However, this incidental benefit does not justify the more than US$ 106 cost to clean the malicious code from more than a thousand infected computers.
Regardless of any benefits to society, a worm or virus is still an unauthorized access of a person's computer.
A rational and socially acceptable response to discovering a security flaw is to privately notify the software vendor that issued the flawed software. That vendor can then develop a patch and, when the patch is ready for public distribution, the vendor can inform system administrators. In that way, the vulnerability is not publicly disclosed for criminals to exploit before the patch is available.
Computer viruses and worms have been widely known since 1988. Despite this awareness, infection reports continue to show that viruses and worms that are more than one year old are continuing to propagate. This result shows that either computer users are not routinely updating their anti-virus software to protect against the most recent threats or computer users are continuing to operate infected machines, which continue to spew viruses and worms via e-mail. So, even if one accepts the reasoning that malicious code is desirable because it increases awareness of security issues, the increased awareness is practically ineffective, hence this "justification" fails.
Worse, the publicity about security vulnerabilities may encourage additional people to release malicious programs. For example, a number of copycat variants appear soon after a major new malicious program is reported in the news media. Such malicious programs, as well as tool kits for generating new malicious programs, are easily available from many hacker websites. Only minimal computer skills are required to produce and release a malicious program.
Low pressure in automobile tires causes tire failure, which, in turn, causes automobile accidents. Would it be reasonable for someone to walk around in the parking lot, letting some air out of tires, so tires are seriously underinflated, with the justification that the ensuing accidents will call attention to the problem of underinflated tires? This justification is ludicrous in the context of automobile tires and it is no better in the context of computer security.
It is the victim's fault if they are infected by a worm or virus that exploits a known security flaw, for which a patch is available.
It is certainly a good idea to install patches or updates for the software that one uses. However, failure to install such patches or updates is not an invitation to criminals to attack a victim's computer.
Prof. Spafford said:
To attempt to blame these individuals [i.e., computer systems administrators] for the success of the Worm is equivalent to blaming an arson victim because she didn't build her house of fireproof metal.
Eugene H. Spafford, The Internet Worm Incident, Purdue University Computer Science Department Technical Report TR-933, at page 15, 19 Sep 1991.
There is no legal obligation in criminal law for a victim to use the latest or best computer hardware and software. Simply: a victim neither invites nor consents to a crime. However, if a victim were to sue the author of malicious code in tort, then the victim's alleged negligence would be a proper legal issue. It is important to distinguish criminal law from torts, which are part of civil law.
It is ok if the author of the malicious code does not alter or delete any of the victim's data files.No. The victim is still harmed by the cost of removing the malicious program, the costs of lost productivity during the removal of the malicious program, possible exposure of confidential information (e.g., either to a hacker who examines data files via a Trojan Horse program, or a malicious program that sends a document on the victim's computer to potential future victims), among other possible harms. Furthermore, the privacy and property rights of the victim have been violated by the author of malicious code. Any unauthorized access of a computer is, or should be, criminal, regardless of the perpetrator's intent once inside the computer.
The virus/worm was a laboratory experiment gone awry.The Internet, including e-mail, is neither a laboratory nor a playground. Scientists, engineers, professors, businesses, governments, etc. depend on the routine functioning of the Internet for their work, distributing information, and for other public services. Anyone wishing to play with viruses or worms should use a quarantined system that is not connected to the Internet. An "experimenter" must not create a big mess that requires computer system administrators worldwide to devote much time to remove. In considering the actions of Morris, a graduate student at Cornell who released his worm into the Internet, a commission of five Cornell professors said:
This was not a simple act of trespass analogous to wandering through someone's unlocked house without permission[,] but with no intent to cause damage. A more apt analogy would be the driving of a golf cart on a rainy day through most houses in a neighborhood. The driver may have navigated carefully and broken no china, but it should have been obvious to the driver that the mud on the tires would soil the carpets and that the owners would later have to clean up the mess.
Theodore Eisenberg, David Gries, Juris Hartmanis, et al., The Computer Worm, A Report to the Provost of Cornell University ..., p. 7 (see also p. 40), Feb 1989. Summary reprinted in Communications of the ACM, Vol. 32, pp. 706-709, June 1989. Summary also reprinted in Peter J. Denning, editor, Computers Under Attack, Addison-Wesley Publishing Co., 1990. The above quote is on page 258 of Denning's book.It is self-serving to associate a criminal's actions with the prestige of a scientist who does an experiment. Scientists follow a professional code of ethics, in addition to behaving in a lawful way, and avoid harming other people. Scientists work together in a collegial way, with implicit trust. As pointed out by Eisenberg, et al. in The Computer Worm, pages 7, 25, 41, releasing malicious code is a violation of trust.
The virus/worm was "accidentally" released.First, there is no acceptable reason to create malicious software that alters or deletes data files from the victim's hard disk, releases confidential information from the victim's computer along with a copy of the virus/worm to potential future victims, attempts to disable anti-virus software on the victim's computer, or any of the other harms that have been observed in real malicious programs. There is no rational reason to write a program that one intends never to use. Second, if one writes such a destructive program, then one must use extraordinary care (i.e., the same care that one takes with toxic chemicals, explosives, highly radioactive materials, etc.) to make certain that the program is never released. Society ought to demand that those who release malicious programs, even if the release is an "accident", be held legally responsible for the damage caused by their malicious programs.
The author of the virus/worm did not know how rapidly the virus/worm would propagate.In my companion essay on Examples of Malicious Computer Programs, I explained why this excuse is bogus.
Although not a common excuse offered by defenders of an author of a malicious computer program, the author himself often seems to believe that his virus/worm is proof of his programming ability.However, careful examination of famous malicious programs that have caused extensive damage shows that these programs commonly contain many programming errors (so-called "bugs"). Such bugs often prevent a malicious program from causing more damage; sometimes bugs make a program worse than its author probably intended. Either way, a program full of bugs is not evidence of programming skill. And, more importantly, someone who writes malicious programs is a criminal, not the type of person who an ethical employer would want to hire. Such specious excuses for authors of malicious code were fairly common from professional programmers in the 1980s, but are less frequent now. The worm released into the Internet by Robert Morris in Nov 1988 seems to have jolted most computer professionals into realizing that ethics and law are essential to the computer profession. Now, specious excuses are mostly offered by criminals and their attorneys.

3. Harassment & StalkingIn general, the harasser intends to cause emotional distress and has no legitimate purpose to his communications. Harassment can be as simple as continuing to send e-mail to someone who has said they want no further contact with the sender. Harassment may also include threats, sexual remarks, pejorative labels (i.e., hate speech). A particularly disturbing form of harassment is sending a forged e-mail that appears to be from the victim and contains racist remarks, or other embarrassing text, that will tarnish the reputation of the victim. It is often difficult to get law enforcement personnel and prosecutors interested in harassment, unless threats of death or serious bodily harm are made, simply because the resources of the criminal justice system are strained by "more serious" criminal activities. I put "more serious" in quotation marks, because the victim of harassment certainly is adversely affected by the harassment, therefore it is a serious matter to the victim. But the law treats harassment as a misdemeanor, the group of less serious crimes.

4. Weak Punishment in USAI have a general concern about the inability of the criminal justice system to either deter criminal conduct or protect society. This concern is particularly acute in the area of computer crime, where immense damage is being done to corporations by computer viruses and worms. Public safety is threatened by criminals who hack into the telephone system and crash 911 services, among other examples. There are many theories that justify punishment of criminals. While severe punishment may not deter criminal conduct, punishment does express the outrage of decent society at criminal conduct. One of the earliest reported cases in federal courts in the USA on computer crime was that of Robert Riggs.U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990), 743 F.Supp. 556 (N.D.Ill. 1990), aff'd, 967 F.2d 561 (11thCir. 1992).Riggs was first convicted in 1986 for his unauthorized use of a computer and was sentenced to a mere 15 days of community service and placed on probation for 18 months. 967 F.2d at 562. In 1990 Riggs was indicted again for making unauthorized access to computers, during which he stole proprietary information from a telephone company. This time he was sentenced to 21 months in prison, followed by two years of "supervised release" during which time he was forbidden to either own or use any computer for his personal use. Riggs was allowed to use computers in his employment, if supervised by someone. This sentence was upheld on appeal. 967 F.2d at 563. In March 1997, a young hacker disabled the telephone service at the Worcester, Massachusetts airport for six hours, which disabled the air-traffic control system and other critical services. This same hacker also copied patients' records from a computer in a pharmacy on four separate occasions in January, February, and March 1997. This hacker was the first juvenile to be prosecuted by the U.S. Government for computer crime. He pled guilty and was placed on probation for two years, was ordered to provide 250 hours of community service, and forfeited all of the computer equipment used during his criminal activity. I have a long discussion of a few famous malicious programs and the legal punishment of their authors in a separate essay. The point made in that essay is that, out of approximately 61000 malicious programs for the Microsoft Windows operating system, there have been arrests and convictions of the author(s) of only five malicious programs:
the author of a worm released in 1988,
the author and distributors of the MBDF virus,
the author of the Pathogen virus,
the author of the Melissa virus, and
the author of the Anna worm. Except for the author of the Pathogen virus, each of these criminals received very light punishment.

5. Computer Crime Statutes in USAThere are many federal statutes in the USA that can be used to prosecute computer criminals:
15 USC § 1644, prohibiting fraudulent use of credit cards
18 USC § 1029, prohibiting fraudulent acquisition of telecommunications services
18 USC § 1030, prohibiting unauthorized access to any computer operated by the U.S. Government, financial institution insured by the U.S. Government, federally registered securities dealer, or foreign bank.
18 USC § 1343, prohibiting wire fraud
18 USC § 1361-2, prohibiting malicious mischief
18 USC § 1831, prohibiting stealing of trade secrets
18 USC § 2314, prohibiting interstate transport of stolen, converted, or fraudulently obtained material; does apply to computer data files U.S. v. Riggs, 739 F.Supp. 414 (N.D.Ill 1990).
18 USC § 2319 and 17 USC § 506(a), criminal violations of copyright law
18 USC § 2510-11, prohibiting interception of electronic communications
18 USC § 2701, prohibiting access to communications stored on a computer (i.e., privacy of e-mail)
47 USC § 223, prohibiting interstate harassing telephone calls
State Statutes in USAThere is wide variation in state statutes on computer crime in the USA: in my opinion, most state statutes are not adequate to punish computer criminals. California, Minnesota, and Maine are among the few states to prohibit explicitly release of a computer virus or other malicious program.California Statutes, Title 13 (Penal Code), §§ 502(b)(10) and 502(c)(8).Minnesota Statutes, §609.87(12) and §609.88(1)(c).Maine Statutes, 17-A (Criminal Code), § 433(1)(C).In states without an explicit statute, release of a malicious program would probably be prosecuted as "malicious mischief". California also provides for the forfeiture of computer systems used in the commission of a computer crime. If the defendant is a minor, the parents' computer system can be forfeited.California Statutes, Title 13 (Penal Code), §§ 502(g) and 502.01(a)(1) In November 1996 and July 1997, I made comprehensive searches of the WESTLAW databases of reported cases in both state and federal courts in the USA on computer crimes. I was surprised to find that, in sharp contrast to most other areas of law, there was very little reported case law on computer crimes, except obscenity cases. I have the impression that most computer criminals who are apprehended plead guilty to a lesser offense (a so-called "plea bargain") and avoid a trial. Plea bargains are common the U.S.A., as they dispose of cases without large investments of prosecutorial and judicial time. In the specific area of computer crimes, prosecuting such a case would be difficult for prosecutors, because the jury would need to learn about complex technical matters. In addition to making life easier for prosecutors and judges, many victims (particularly banks and other corporations) may be embarrassed to admit that some teenager defeated their security features, thus these victims refuse to testify in court.
6. sue in tortIn addition to any criminal penalties, victim(s) of computer crimes can sue the perpetrator in tort. For example, unauthorized use of a computer system could be "trespass on chattels". A computer voyeur might also be sued in tort for invasion of privacy or disclosure of a trade secret. A harasser might be sued in tort for intentional infliction of emotional distress. There is also the possibility of a class action by corporate and personal victims against a person who wrote and initially released a computer virus.The downside of such tort litigation is that the perpetrators are generally young people (often between 12 and 25 years of age) and have little assets that could be seized immediately to satisfy a judgment. On the other hand, judgments in the USA are generally valid for 20 years, so future income of the wrongdoer can be used to satisfy the judgment. Moreover, the publicity surrounding such a trial might impress potential hackers with the seriousness of such wrongful conduct and deter other potential hackers. In addition, such trials might express the outrage of society at the behavior of hackers.Defendants between 7 and 14 y of age may be sued in tort, but their duty of care is generally less than an adult's duty. There is one exception, when children engage in an adult activity (e.g., fly an airplane), the law imposes an adult's duty of care on the child. Restatement (Second) Torts, § 283A, comment c (1965). In my opinion, there are good reasons why computer programming (e.g., design of a virus) or hacking qualifies as an "adult activity". However, there appear to be no reported court cases in the USA that have decided this issue.There is another remedy in civil law, besides damages awarded in tort litigation: a victim can get a temporary restraining order (TRO), then an injunction, that enjoins continuance of wrongs (e.g., disclosure of proprietary or private data) that will cause irreparable harm or for which there is no adequate remedy at law.

JournalistsOne of the functions of the criminal justice system is to deter crime by other people. Journalists play an important role in this deterrence by reporting on the crime (and how people were harmed), arrest, trial, and sentence of the guilty criminals. One hopes that people contemplating computer crimes will read these reports by journalists, and say to themselves: "I should not write a computer virus, because I don't want to be put in prison like David Lee Smith," the author of the Melissa virus. However, reports of computer crime by journalists are less than satisfactory:
Journalists often glorify or praise the criminal suspect, by admiring his programming "talent", or even calling him a "genius". In the 1980s, most hackers committed fraud to get a username and password for a computer account, and then logged on to the computer without proper authorization, and browsed through files, copying some, deleting or altering others. Such work does not require any knowledge of computer programming, just a rudimentary knowledge of a few operating system commands. Since 2000, authors of malicious programs use resources readily available on the Internet to create a "new" computer virus or worm, or launch a denial of service attack. Again, such activities do not demonstrate a high level of proficiency in computer programming. It is an anti-social act for journalists to praise the exploits of hackers: hackers are criminals who deserve scorn and ostracism. And when hackers are publicly praised as geniuses, the wrong message is sent to serious students in computer science who behave ethically and who are ignored by journalists, despite the fact that the students are both smarter and more ethical than hackers.
I have noticed that many online newspapers:
devote considerable space to reporting the crime when it happens,
describe the arrest of the criminal suspect in detail,
but the trial of the suspect receives less attention from journalists,
and the verdict and sentence often go unreported in the media.If punishment is to have a deterrent effect on other people, then the coverage of the trial, verdict, and sentence must be increased. Aside from my main point about deterrence of future crimes, by reporting of sentencing and punishment of computer criminals, there is another issue. The widespread reporting of the crime and the arrest of a suspect tarnishes the name of the suspect, by linking the crime and the suspect's name in people's minds. However, the suspect might later be found not guilty of the crime. The lack of reporting of the trial and its outcome provides no opportunity for an innocent suspect to rehabilitate his good name.
Part of the problem is that many journalists who write about computer crime are themselves computer-illiterate. (Their ignorance shows in the technical mistakes made in their articles.) From the perspective of a computer-illiterate journalist, the work of a computer criminal may indeed be incomprehensible. Arthur C. Clarke said anything sufficiently advanced appears as magic. That may be, but it is unprofessional for journalists to write on subjects that they do not personally understand. News media hire journalists who understand economics and finance to report business news, and journalists who understand sports to report on sports, so why can't the news media hire journalists who understand computers to report on computer crime?

ConclusionThe fundamental issue in most computer crime is the criminals' lack of respect for the property or privacy of other people. I hope that society will recognize the seriousness of computer crime and demand more severe punishment for such criminals.
this document is at http://www.rbs2.com/ccrime.htmMy last search for case law on computer crime was in July 1997.21 June 1999, revised 4 Sep 2002My essay Tips for Avoiding Computer Crime, which essay includes links to websites on computer viruses, computer crime, and related topics, plus a list of good books on computer crime. My discussion of a few famous malicious programs and the nonexistent or lenient punishment of their authors are contained in my separate essay. return to my homepage