- ------------------------------
-
- From: mnemonic (Mike Godwin)
- Subject: Response to RISKS DIGEST (#11.43-- Len Rose Case)
- Date: Wed, 10 Apr 91 22:18:43 EDT
-
- ********************************************************************
- *** CuD #3.13: File 2 of 4: Response to Len Rose Article (1) ***
- ********************************************************************
-
- {Moderators' Note: The following article was written by Mike Godwin in
- response to a post by Jerry Leichter in RISKS #11.43.}
-
- ++++
-
- Jerry Leichter <leichter@lrw.com> writes the following:
-
- >With all the verbiage about whether Len Rose was a "hacker" and why he did
- >what he in fact did, everyone has had to work on ASSUMPTIONS.
-
- This is false. I have worked closely on Len's case, and have access to
- all the facts about it.
-
- >Well, it turns
- >out there's now some data: A press release from the US Attorney in Chicago,
- >posted to the Computer Underground Digest by Gene Spafford.
-
- In general, a press release is not data. A press release is a document
- designed to ensure favorable press coverage for the entity releasing it.
- There are a few facts in the press release, however, and I'll deal with
- them below.
-
- [Jerry quotes from the press release:]
- > In pleading guilty to the Chicago charges, Rose acknowledged that when
- > he distributed his trojan horse program to others he inserted several
- > warnings so that the potential users would be alerted to the fact that
- > they were in possession of proprietary AT&T information. In the text of
- > the program Rose advised that the source code originally came from
- > AT&T "so it's definitely not something you wish to get caught with."
- > and "Warning: This is AT&T proprietary source code. DO NOT get caught
- > with it."
-
- Although I am a lawyer, it does not take a law degree to see that this
- paragraph does not support Jerry's thesis--that Len Rose is interested
- in unauthorized entry into other people's computers. What it does
- show is that Len knew that he had no license for the source code in
- his possession. And, in fact, as a careful reader of the press release
- would have noted, Len pled guilty only to possession and transmission
- of unlicensed source, not to *any* unauthorized entry or any scheme
- for unauthorized entry, in spite of what is implied in the press
- release.
-
- [Jerry quotes "Terminus's" comments in the modified code:]
-
- >Hacked by Terminus to enable stealing passwords.
- >This is obviously not a tool to be used for initial
- >system penetration, but instead will allow you to
- >collect passwords and accounts once it's been
- >installed. (I)deal for situations where you have a
- >one-shot opportunity for super user privileges..
- >This source code is not public domain..(so don't get
- >caught with it).
- >
- >I can't imagine a clearer statement of an active interest in breaking into
- >systems, along with a reasonable explanation of how and when such code could
- >be effective.
-
- Indeed, it *can* be interpreted as a clear statement of an active
- interest in breaking into systems. What undercuts that interpretation,
- however, is that there is no evidence that Len Rose ever broke into
- any systems. Based on all the information available, it seems clear
- that Rose had authorized access in every system for which he sought
- it.
-
- What's more, there is no evidence that anyone ever took Rose's code
- and used it for hacking. There is no evidence that anyone ever took
- any *other* code of Rose's and used it for hacking.
-
- What Rose did is demonstrate that he could write a password-hacking
- program. Jerry apparently is unaware that some computer programmers
- like to brag about the things they *could* do--he seems to interpret
- such bragging as evidence of intent to do illegal acts. But in the
- absence of *any* evidence that Rose ever took part in unauthorized
- entry into anyone's computers, Jerry's interpretation is unfounded,
- and his posted speculations here are both irresponsible and cruel, in
- my opinion.
-
- Rose may have done some foolish things, but he didn't break into
- people's systems.
-
- >The only thing that will convince me, after reading this, that Rose was NOT an
- >active system breaker is a believable claim that either (a) this text was not
- >quoted correctly from the modified login.c source; or (b) Rose didn't write
- >the text, but was essentially forced by the admitted duress of his situation
- >to acknowledge it as his own.
-
- In other words, Jerry says, the fact that Rose never actually tried
- to break into people's systems doesn't count as evidence "that Rose was
- NOT an active system breaker." This is a shame. One would hope that
- even Jerry might regard this as a relevant fact.
-
- Let me close here by warning Jerry and other readers not to accept
- press releases--even from the government--uncritically. The government
- has a political stake in this case: it feels compelled to show that
- Len Rose was an active threat to other people's systems, so it has
- selectively presented material in its press release to support that
- interpretation.
-
- But press releases are rhetorical devices. They are designed to shape
- opinion. Even when technically accurate, as in this case, they can
- present the facts in a way that implies that a defendant was far more
- of a threat than he actually was. This is what happened in Len Rose's
- case.
-
- It bears repeating: there was no evidence, and the government did not
- claim, that Len Rose had ever tried to break into other people's
- systems, or that he took part in anyone else's efforts to do so.
-
- ***************************************************************************
- >> END OF THIS FILE <<
- ***************************************************************************
-