home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freaks Macintosh Archive
/
Freaks Macintosh Archive.bin
/
Freaks Macintosh Archives
/
Textfiles
/
zines
/
DNA
/
DNAV1I6.sit
/
DNAV1I6
/
ARTICLE.004
< prev
next >
Wrap
Text File
|
1993-12-01
|
18KB
|
321 lines
Written 11/30/93
by The Shadow
This article only talks about California's criminal penalties for
hacking. There are civil remedies, and provisions that permit the feds to
seize all equipment used in hacking, as well. I've chosen California's law
because I live there, and because it is one of a number of virtually identical
"Computer Crime" laws that have been passed in various laws over the last
decade. There may also be Federal anti-hacking laws, but I haven't looked at
them yet. Furthermore, there are separate laws that deal with phreaking,
carding, and other matters. I'm not dealing with any of those in this article,
but if the interest level is high enough, I may write about the other laws in
future DnA issues.
First, the bad news. California's anti-hacking laws are pretty broad.
No, I take that back. They are incredibly broad. "Computer Crime" is defined
by California Penal Code section 502. If you haven't read it before, I urge
you to read it now. Why? for three reasons. First, we, as hackers, need to
know what we're getting ourselves into legally. That way, if we cross the line
(we almost always do) when we hack, we do it consciously. Second, if we are
caught, we need to be aware of why the feds are asking a particular question--
in effect, what part of the case against us are they trying to make? Third --
and most important -- we need to know how we can get around the law, or at
least, minimize any penalties if we are caught. 1/
_____________________
1/ By the way, I hope that if ANY of you get caught and questioned, your first
response is, "I want to talk to a lawyer before I discuss anything with you."
See, that means the feds have to stop questioning you, and let you talk to a
lawyer before they continue. With the advice of a good lawyer, you know what
you're getting yourself into before answering any questions. And regardless of
what any cop says, they don't "go easier on you" if you "cooperate" by telling
them everything. They hate you and fear you, and all they care about is making
a case against you. Only the D.A. can cut you a deal. Read about Robert W.
Clark's ordeal in Phrack 4.3 if you have any doubts.
The heart of California Penal Code section 502 reads:
"Any person who commits any of the following acts is guilty of a public
offense:
(1) Knowingly accesses and without permission alters, damages, deletes,
destroys, or otherwise uses any data, computer, computer system, or computer
network in order to either (A) devise or execute any scheme or artifice to
defraud, deceive, or extort, or (B) wrongfully control or obtain money,
property, or data.
(2) Knowingly accesses and without permission takes, copies, or makes use of
any data from a computer, computer system, or computer network, or takes or
copies any supporting documentation, whether existing or residing internal or
external to a computer, computer system, or computer network.
(3) Knowingly and without permission uses or causes to be used computer
services.
(4) Knowingly accesses and without permission adds, alters, damages, deletes,
or destroys any data, computer software, or computer programs which reside or
exist internal or external to a computer, computer system, or computer network.
(5) Knowingly and without permission disrupts or causes the disruption of
computer services or denies or causes the denial of computer services to an
authorized user of a computer, computer system, or computer network.
(6) Knowingly and without permission provides or assists in providing a means
of accessing a computer, computer system, or computer network in violation of
this section.
(7) Knowingly and without permission accesses or causes to be accessed any
computer, computer system, or computer network in violation of this section.
(8) Knowingly introduces any computer contaminant into any computer, computer
system, or computer network."
The law also defines most of the terms used above. "Computer network" is
defined as "any system which provides communications between one or more
computer systems and input/output devices including, but not limited to,
display terminals and printers connected by telecommunication facilities."
"Data" is defined as "a representation of information, knowledge, facts,
concepts, computer software, computer programs or instructions. Data may be in
any form, in storage media, or as stored in the memory of the computer or in
transit or presented on a display device."
"Access" means "to gain entry to, instruct, or communicate with the
logical, arithmetical, or memory function resources of a computer, computer
system, or computer network."
"Permission" is not defined in the statute, but where a term is not
defined, you use the ordinary English meaning. "Permission" is defined in the
American Heritage Dictionary, second edition, as "formal consent."
"Computer contaminant" is defined to include virii, trojans, and anything
else that damages a computer's software.
Well, that's the heart of it. Let's look at each of the sections above
and try to determine what they mean, and how they apply to hackers.
"(1) Knowingly accesses and without permission alters, damages, deletes,
destroys, or otherwise uses any data, computer, computer system, or computer
network in order to either (A) devise or execute any scheme or artifice to
defraud, deceive, or extort, or (B) wrongfully control or obtain money,
property, or data."
The section above should not apply to the pure hacker. It is obviously
intended to catch people working the "Salami scheme," and similar scenarios.
(For those of you not familiar with it, the Salami scheme is the one that skims
a small amount of money off a lot of accounts in some relatively undetectable
pattern and transfers it to the "hacker" in some way.) But read the section
again. You apparently violate it if you "access" and "without permission" "use
any data" in order to "obtain data." Arguably if you download a user list and
use that list to obtain another user's password, you've violated the section!
But you also violate this section if you "access and without permission...use
...any computer...to obtain...data." For example, if you are in a computer
store, go over to a computer and "without permission" use the demo of the CD-
ROM Encyclopedia Britannica to look up an entry without first asking for
permission -- i.e., formal consent -- you've just commited a computer crime!
Let's look at the next section.
"(2) Knowingly accesses and without permission takes, copies, or makes use of
any data from a computer, computer system, or computer network, or takes or
copies any supporting documentation, whether existing or residing internal or
external to a computer, computer system, or computer network."
It's fairly clear that this section was intended to make trashing illegal.
But there's a flaw in the section. It requires you to "knowingly access" the
documentation. And as you saw in the definition above, "access" requires you
"to gain entry to, instruct, or communicate with the logical, arithmetical, or
memory function resources of a computer, computer system, or computer network."
If you trash, you are not gaining entry to any part of a computer, so you can't
violate this section by trashing!!
Let's look at section three.
"(3) Knowingly and without permission uses or causes to be used computer
services."
What the fuck is this!!?? "Computer services" is defined in the law as
"computer time, data processing, or storage functions, or other uses of a
computer, computer system or computer network." So, in other words, if you use
a computer in any way without permission, you're fucked.
Section four makes the following illegal:
"(4) Knowingly accesses and without permission adds, alters, damages, deletes,
or destroys any data, computer software, or computer programs which reside or
exist internal or external to a computer, computer system, or computer network."
This section makes it illegal to change any info on a computer. Not a big
problem if you are into traditional hacking, and not into doing any damage to a
system you are on. But, if you alter the user list to give yourself an
account, you've violated this section.
Section five:
"(5) Knowingly and without permission disrupts or causes the disruption of
computer services or denies or causes the denial of computer services to an
authorized user of a computer, computer system, or computer network."
This refers to actual damage. I think we all know that if you crash a
system or lock an authorized user out, we've committed a crime. This is the
section that makes it a crime.
Section six:
"(6) Knowingly and without permission provides or assists in providing a means
of accessing a computer, computer system, or computer network in violation of
this section."
This section says that if you help someone break into a system, you're as
guilty as if you were breaking in yourself. That's standard law. "Aiding and
abbetting" is always considered the same as actually doing the act, and there's
nothing particularly unusual about this section.
Section seven:
"(7) Knowingly and without permission accesses or causes to be accessed any
computer, computer system, or computer network in violation of this section."
I've pondered this one for days. I don't think it adds anything that
isn't already there in the other sections. But it's here, anyway.
Section eight:
"(8) Knowingly introduces any computer contaminant into any computer, computer
system, or computer network."
Well, this is obvious. Using a virus, trojan, or other destructive
program to trash a system is illegal. This part of the law was passed later,
in 1989, so apparently the legislature felt that the other sections of the
law do not apply to destruction of a computer system by virii or trojans.
That's important to know, because if you are ever nabbed for uploading a
virus and are charged with one of the other sections, you might be able to get
the charges dismissed.
Now, what happens if you are convicted under any of these sections? Well,
obviously it will depend on a lot of different things. But, here is what the
authorized penalties are. The lightest penalties provided are for a first
violation of sections six, seven or eight where there is no injury. A first
violation gets you a maximum fine of $250 and no jail time. However, for
violations that cause damage, for violations of the other sections, and for
second violations, the penalty goes up increasingly, up to a maximum of $10,000
and 3 years in jail.
Pretty broad, eh? Well, that's the bad news. Now the good news. If you
find yourself charged with violating any of these sections, there are some
defenses you might try, some of which you would have to do before you even
start to hack a system.
First, paragraph (h) of the law provides that none of the above conduct is
illegal "to any person who accesses his or her employer's computer system,
computer network, computer program, or data when acting within the scope of his
or her lawful employment."
This means that if you are acting in the "lawful course of your
employment" on your employer's computer system or network or using your
employer's data, none of the above sections can be used to prosecute you.
Second, paragraphs (h) and (i) provide that, even if you are NOT acting in
the "lawful course of your employment," you can not violate sections 2, 3, 4 or
7 on your employer's computer system or network or by using your employer's
data, as long as you don't cause any harm and the value of "computer services"
used is less than $100.
What does this mean? Well, it means that, if you want to avoid illegal
hacking, use your "social engineering" skills to get a temporary or part-time
job at the company whose computers you plan to hack. If you are a student,
hacking into a school system, get a work study or other part time job at some
admin office for a few days while you are hacking. Yeah, I know, it feels a
lot safer hacking from the relative anonymity of a remote computer terminal.
You can still do that. You don't have to be on the job while hacking--just
an "employee." And besides, if it's not illegal, who cares whether you are
discovered? What are they going to do, fire you?
Third, the breadth of the law itself can be used against it. You see,
there's this little thing in the 5th and 14th Amendments of the Constitution
called the "Due Process" clause. It says that the government can't deprive you
of life, liberty or property "without Due Process of law." That has been
interpreted to mean that, essentially, if a law is so broad that it prohibits a
lot of legal conduct along with the illegal conduct, and the law is not
"rationally related" to the evil that it is trying to prohibit, it is
unconstitutional. "Due process" also makes it unconstitutional for a law to be
so vague that you can't reasonably understand what is illegal.
This "Computer Crime" law came about as the result of a lot of paranoia
about hackers, and in making itself as broad as it did, it appears to
prohibit a LOT of legitimate conduct. Therefore, this law potentially violates
"due process" and is unconstitutional. So, if you are ever in a situation
where you are on trial for a violation of this law, show this article to your
lawyer and ask him or her whether s/he thinks you should challenge the law as a
"due process" violation.
A fourth potential defense to the law relies on common sense. In the case
of Mahru versus Superior Court, volume 237 of the California Reporter, page
298, one of the only two cases decided under Penal Code Section 502, the
California Court of Appeal in Los Angeles said:
"The urge to spite others is one of the more miserable
concomitants of human intelligence. Compared to human
behavior as a whole, relatively few forms of spiteful
conduct are [criminal]. More often they are merely
upsetting and reprehensible. The legislature could not
have meant, by enacting section 502, to bring the Penal
Code into the Computer Age by making annoying or spiteful
acts criminal offenses whenever a computer is used to
accomplish them. Individuals and organizations use computers
for typing and other routine conduct in the course of their
affairs, and sometimes in the course of these affairs they do
vexing, annoying, and injurious things. Such acts cannot all
be criminal."
Page 300. This quote clearly expresses the Court's concern over the breadth of
the statute. What the Court seems to be doing here is trying to save an
unconstitutional statute by saying that, just because an act appears to violate
the statute, it may not be a crime. Instead, the court will look at whether
what you did is inherently evil, or just a "vexing, annoying or injurious"
prank. In the Mahru case, a company had a contract to provide data processing
services to a credit union. The company put its terminal in the credit union,
and helped credit union employees operate it. The credit union later broke its
contract with the data processing company and hired another company to provide
data processing services. The first company re-named some of the programs on
the system and did not run the procedures to bring the tellers on line, so that
the relatively computer-illiterate credit union employees could not use the
system. The court held that this did not violate Penal Code section 502.
What does all this mean? Well, first of all, it's just one more reason
that the law can be said to be unconstitutionally vague. Second of all, it
probably means that, unless you do some serious damage to the system, you're
not likely to get hit very hard for hacking, if you are hit at all. (Perhaps
this is why the only other case decided under Penal Code section 502, People of
California versus Gentry, California Reporter volume 285, page 591, involved a
"credit repair scam," where the computer crime charge was just one of a number
of fraud charges against the defendant, who created fake IDs for his clients,
went into TRW's records, and created fake credit histories so that they could
get credit.)
So, if you want to avoid criminal prosecution, use common sense. Don't
trash a system once you are inside. If you decide to trash it, the penalties
are more severe, so you darned well had better not go around bragging about it.
And, in the meantime, if you think that this law is ridiculously draconian
and paranoid (I do), do something about it. There are a lot of ways to get
involved with changing your world, and files on some of them can be found on
DnA. Check it out, and don't be one of the mindless, directionless minions
that accept tyranny, facism and mediocrity in lawmaking and government. Make
a difference. Educate yourself on what's out there, and change what you don't
like!
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
If you have any questions about any of the things in this article, I
can be found both on the DnA and on the Digital Decay BBSes in Orange County,
California.