procedure that most law enforcement agencies will use
only when lives are demonstrably in danger. The raiders'
true motives were not discovered until the Jackson search-
warrant was unsealed by his lawyers, many months later.
The Secret Service, and the Chicago Computer Fraud and
Abuse Task Force, said absolutely nothing to Steve
Jackson about any threat to the police 911 System. They
said nothing about the Atlanta Three, nothing about
*Phrack* or Knight Lightning, nothing about Terminus.
Jackson was left to believe that his computers had
been seized because he intended to publish a science
fiction book that law enforcement considered too
dangerous to see print.
This misconception was repeated again and again,
for months, to an ever-widening public audience. It was
not the truth of the case; but as months passed, and this
misconception was publicly printed again and again, it
became one of the few publicly known "facts" about the
mysterious Hacker Crackdown. The Secret Service had
seized a computer to stop the publication of a cyberpunk
science fiction book.
The second section of this book, "The Digital
Underground," is almost finished now. We have become
acquainted with all the major figures of this case who
actually belong to the underground milieu of computer
intrusion. We have some idea of their history, their
motives, their general modus operandi. We now know, I
hope, who they are, where they came from, and more or
less what they want. In the next section of this book, "Law
and Order," we will leave this milieu and directly enter the
world of America's computer-crime police.
At this point, however, I have another figure to
introduce: myself.
My name is Bruce Sterling. I live in Austin, Texas,
where I am a science fiction writer by trade: specifically,
a *cyberpunk* science fiction writer.
Like my "cyberpunk" colleagues in the U.S. and
Canada, I've never been entirely happy with this literary
label -- especially after it became a synonym for computer
criminal. But I did once edit a book of stories by my
colleagues, called *MIRRORSHADES: the Cyberpunk
Anthology,* and I've long been a writer of literary-critical
cyberpunk manifestos. I am not a "hacker" of any
description, though I do have readers in the digital
underground.
When the Steve Jackson Games seizure occurred, I
naturally took an intense interest. If "cyberpunk" books
were being banned by federal police in my own home
town, I reasonably wondered whether I myself might be
next. Would my computer be seized by the Secret
Service? At the time, I was in possession of an aging Apple
IIe without so much as a hard disk. If I were to be raided
as an author of computer-crime manuals, the loss of my
feeble word-processor would likely provoke more snickers
than sympathy.
I'd known Steve Jackson for many years. We knew
one another as colleagues, for we frequented the same
local science-fiction conventions. I'd played Jackson
games, and recognized his cleverness; but he certainly
had never struck me as a potential mastermind of
computer crime.
I also knew a little about computer bulletin-board
systems. In the mid-1980s I had taken an active role in an
Austin board called "SMOF-BBS," one of the first boards
dedicated to science fiction. I had a modem, and on
occasion I'd logged on to Illuminati, which always looked
entertainingly wacky, but certainly harmless enough.
At the time of the Jackson seizure, I had no
experience whatsoever with underground boards. But I
knew that no one on Illuminati talked about breaking into
systems illegally, or about robbing phone companies.
Illuminati didn't even offer pirated computer games.
Steve Jackson, like many creative artists, was markedly
touchy about theft of intellectual property.
It seemed to me that Jackson was either seriously
suspected of some crime -- in which case, he would be
charged soon, and would have his day in court -- or else he
was innocent, in which case the Secret Service would
quickly return his equipment, and everyone would have a
good laugh. I rather expected the good laugh. The
situation was not without its comic side. The raid, known
as the "Cyberpunk Bust" in the science fiction community,
was winning a great deal of free national publicity both for
Jackson himself and the "cyberpunk" science fiction
writers generally.
Besides, science fiction people are used to being
misinterpreted. Science fiction is a colorful, disreputable,
slipshod occupation, full of unlikely oddballs, which, of
course, is why we like it. Weirdness can be an
occupational hazard in our field. People who wear
Halloween costumes are sometimes mistaken for
monsters.
Once upon a time -- back in 1939, in New York City --
science fiction and the U.S. Secret Service collided in a
comic case of mistaken identity. This weird incident
involved a literary group quite famous in science fiction,
known as "the Futurians," whose membership included
such future genre greats as Isaac Asimov, Frederik Pohl,
and Damon Knight. The Futurians were every bit as
offbeat and wacky as any of their spiritual descendants,
including the cyberpunks, and were given to communal
living, spontaneous group renditions of light opera, and
midnight fencing exhibitions on the lawn. The Futurians
didn't have bulletin board systems, but they did have the
technological equivalent in 1939 -- mimeographs and a
private printing press. These were in steady use,
producing a stream of science-fiction fan magazines,
literary manifestos, and weird articles, which were picked
up in ink-sticky bundles by a succession of strange, gangly,
spotty young men in fedoras and overcoats.
The neighbors grew alarmed at the antics of the
Futurians and reported them to the Secret Service as
suspected counterfeiters. In the winter of 1939, a squad of
USSS agents with drawn guns burst into "Futurian House,"
prepared to confiscate the forged currency and illicit
printing presses. There they discovered a slumbering
science fiction fan named George Hahn, a guest of the
Futurian commune who had just arrived in New York.
George Hahn managed to explain himself and his group,
and the Secret Service agents left the Futurians in peace
henceforth. (Alas, Hahn died in 1991, just before I had
discovered this astonishing historical parallel, and just
before I could interview him for this book.)
But the Jackson case did not come to a swift and
comic end. No quick answers came his way, or mine; no
swift reassurances that all was right in the digital world,
that matters were well in hand after all. Quite the
opposite. In my alternate role as a sometime pop-science
journalist, I interviewed Jackson and his staff for an article
in a British magazine. The strange details of the raid left
me more concerned than ever. Without its computers,
the company had been financially and operationally
crippled. Half the SJG workforce, a group of entirely
innocent people, had been sorrowfully fired, deprived of
their livelihoods by the seizure. It began to dawn on me
that authors -- American writers -- might well have their
computers seized, under sealed warrants, without any
criminal charge; and that, as Steve Jackson had
discovered, there was no immediate recourse for this.
This was no joke; this wasn't science fiction; this was
real.
I determined to put science fiction aside until I had
discovered what had happened and where this trouble
had come from. It was time to enter the purportedly real
world of electronic free expression and computer crime.
Hence, this book. Hence, the world of the telcos; and the
world of the digital underground; and next, the world of
the police.
Of the various anti-hacker activities of 1990,
"Operation Sundevil" had by far the highest public
profile. The sweeping, nationwide computer
seizures of May 8, 1990 were unprecedented in
scope and highly, if rather selectively, publicized.
Unlike the efforts of the Chicago Computer
Fraud and Abuse Task Force, "Operation Sundevil"
was not intended to combat "hacking" in the sense
of computer intrusion or sophisticated raids on telco
switching stations. Nor did it have anything to do
with hacker misdeeds with AT&T's software, or with
Southern Bell's proprietary documents.
Instead, "Operation Sundevil" was a crackdown
on those traditional scourges of the digital
underground: credit-card theft and telephone code
abuse. The ambitious activities out of Chicago, and
the somewhat lesser-known but vigorous anti-
hacker actions of the New York State Police in 1990,
were never a part of "Operation Sundevil" per se,
which was based in Arizona.
Nevertheless, after the spectacular May 8 raids,
the public, misled by police secrecy, hacker panic,
and a puzzled national press-corps, conflated all
aspects of the nationwide crackdown in 1990 under
the blanket term "Operation Sundevil." "Sundevil" is
still the best-known synonym for the crackdown of
1990. But the Arizona organizers of "Sundevil" did
not really deserve this reputation -- any more, for
instance, than all hackers deserve a reputation as
"hackers."
There was some justice in this confused
perception, though. For one thing, the confusion
was abetted by the Washington office of the Secret
Service, who responded to Freedom of Information
Act requests on "Operation Sundevil" by referring
investigators to the publicly known cases of Knight
Lightning and the Atlanta Three. And "Sundevil"
was certainly the largest aspect of the Crackdown,
the most deliberate and the best-organized. As a
crackdown on electronic fraud, "Sundevil" lacked
the frantic pace of the war on the Legion of Doom;
on the contrary, Sundevil's targets were picked out
with cool deliberation over an elaborate
investigation lasting two full years.
And once again the targets were bulletin board
systems.
Boards can be powerful aids to organized fraud.
Underground boards carry lively, extensive,
detailed, and often quite flagrant "discussions" of
lawbreaking techniques and lawbreaking activities.
"Discussing" crime in the abstract, or "discussing"
the particulars of criminal cases, is not illegal -- but
there are stern state and federal laws against
coldbloodedly conspiring in groups in order to
commit crimes.
In the eyes of police, people who actively
conspire to break the law are not regarded as
"clubs," "debating salons," "users' groups," or "free
speech advocates." Rather, such people tend to
find themselves formally indicted by prosecutors as
"gangs," "racketeers," "corrupt organizations" and
"organized crime figures."
What's more, the illicit data contained on
outlaw boards goes well beyond mere acts of speech
and/or possible criminal conspiracy. As we have
seen, it was common practice in the digital
underground to post purloined telephone codes on
boards, for any phreak or hacker who cared to abuse
them. Is posting digital booty of this sort supposed
to be protected by the First Amendment? Hardly --
though the issue, like most issues in cyberspace, is
not entirely resolved. Some theorists argue that to
merely *recite* a number publicly is not illegal --
only its *use* is illegal. But anti-hacker police point
out that magazines and newspapers (more
traditional forms of free expression) never publish
stolen telephone codes (even though this might well
raise their circulation).
Stolen credit card numbers, being riskier and
more valuable, were less often publicly posted on
boards -- but there is no question that some
underground boards carried "carding" traffic,
generally exchanged through private mail.
Underground boards also carried handy
programs for "scanning" telephone codes and
raiding credit card companies, as well as the usual
obnoxious galaxy of pirated software, cracked
passwords, blue-box schematics, intrusion manuals,
anarchy files, porn files, and so forth.
But besides their nuisance potential for the
spread of illicit knowledge, bulletin boards have
another vitally interesting aspect for the professional
investigator. Bulletin boards are cram-full of
*evidence.* All that busy trading of electronic mail,
all those hacker boasts, brags and struts, even the
stolen codes and cards, can be neat, electronic, real-
time recordings of criminal activity.
As an investigator, when you seize a pirate
board, you have scored a coup as effective as
tapping phones or intercepting mail. However, you
have not actually tapped a phone or intercepted a
letter. The rules of evidence regarding phone-taps
and mail interceptions are old, stern and well-
understood by police, prosecutors and defense
attorneys alike. The rules of evidence regarding
boards are new, waffling, and understood by nobody
at all.
Sundevil was the largest crackdown on boards in
world history. On May 7, 8, and 9, 1990, about forty-
two computer systems were seized. Of those forty-
two computers, about twenty-five actually were
running boards. (The vagueness of this estimate is
attributable to the vagueness of (a) what a
"computer system" is, and (b) what it actually means
to "run a board" with one -- or with two computers, or
with three.)
About twenty-five boards vanished into police
custody in May 1990. As we have seen, there are an
estimated 30,000 boards in America today. If we
assume that one board in a hundred is up to no good
with codes and cards (which rather flatters the
honesty of the board-using community), then that
would leave 2,975 outlaw boards untouched by
Sundevil. Sundevil seized about one tenth of one
percent of all computer bulletin boards in America.
Seen objectively, this is something less than a
comprehensive assault. In 1990, Sundevil's
organizers -- the team at the Phoenix Secret Service
office, and the Arizona Attorney General's office --
had a list of at least *three hundred* boards that
they considered fully deserving of search and
seizure warrants. The twenty-five boards actually
seized were merely among the most obvious and
egregious of this much larger list of candidates. All
these boards had been examined beforehand --
either by informants, who had passed printouts to
the Secret Service, or by Secret Service agents
themselves, who not only come equipped with
modems but know how to use them.
There were a number of motives for Sundevil.
First, it offered a chance to get ahead of the curve on
wire-fraud crimes. Tracking back credit-card ripoffs
to their perpetrators can be appallingly difficult. If
these miscreants have any kind of electronic
sophistication, they can snarl their tracks through
the phone network into a mind-boggling,
untraceable mess, while still managing to "reach out
and rob someone." Boards, however, full of brags
and boasts, codes and cards, offer evidence in the
handy congealed form.
Seizures themselves -- the mere physical
removal of machines -- tend to take the pressure
off. During Sundevil, a large number of code kids,
warez d00dz, and credit card thieves would be
deprived of those boards -- their means of
community and conspiracy -- in one swift blow. As
for the sysops themselves (commonly among the
boldest offenders) they would be directly stripped of
their computer equipment, and rendered digitally
mute and blind.
And this aspect of Sundevil was carried out with
great success. Sundevil seems to have been a
complete tactical surprise -- unlike the fragmentary
and continuing seizures of the war on the Legion of
Doom, Sundevil was precisely timed and utterly
overwhelming. At least forty "computers" were
seized during May 7, 8 and 9, 1990, in Cincinnati,
Detroit, Los Angeles, Miami, Newark, Phoenix,
Tucson, Richmond, San Diego, San Jose, Pittsburgh
and San Francisco. Some cities saw multiple raids,
such as the five separate raids in the New York City
environs. Plano, Texas (essentially a suburb of the
Dallas/Fort Worth metroplex, and a hub of the
telecommunications industry) saw four computer
seizures. Chicago, ever in the forefront, saw its own
local Sundevil raid, briskly carried out by Secret
Service agents Timothy Foley and Barbara Golden.
Many of these raids occurred, not in the cities
proper, but in associated white middle-class suburbs
-- places like Mount Lebanon, Pennsylvania and
Clark Lake, Michigan. There were a few raids on
offices; most took place in people's homes, the
classic hacker basements and bedrooms.
The Sundevil raids were searches and seizures,
not a group of mass arrests. There were only four
arrests during Sundevil. "Tony the Trashman," a
longtime teenage bete noire of the Arizona
Racketeering unit, was arrested in Tucson on May 9.
"Dr. Ripco," sysop of an outlaw board with the
misfortune to exist in Chicago itself, was also
arrested -- on illegal weapons charges. Local units
also arrested a 19-year-old female phone phreak
named "Electra" in Pennsylvania, and a male
juvenile in California. Federal agents however were
not seeking arrests, but computers.
Hackers are generally not indicted (if at all)
until the evidence in their seized computers is
evaluated -- a process that can take weeks, months --
even years. When hackers are arrested on the
spot, it's generally an arrest for other reasons. Drugs
and/or illegal weapons show up in a good third of
anti-hacker computer seizures (though not during
Sundevil).
That scofflaw teenage hackers (or their parents)
should have marijuana in their homes is probably
not a shocking revelation, but the surprisingly
common presence of illegal firearms in hacker dens
is a bit disquieting. A Personal Computer can be a
great equalizer for the techno-cowboy -- much like
that more traditional American "Great Equalizer,"
the Personal Sixgun. Maybe it's not all that
surprising that some guy obsessed with power
through illicit technology would also have a few illicit
high-velocity-impact devices around. An element of
the digital underground particularly dotes on those
"anarchy philes," and this element tends to shade
into the crackpot milieu of survivalists, gun-nuts,
anarcho-leftists and the ultra-libertarian right-wing.
This is not to say that hacker raids to date have
uncovered any major crack-dens or illegal arsenals;
but Secret Service agents do not regard "hackers" as
"just kids." They regard hackers as unpredictable
people, bright and slippery. It doesn't help matters
that the hacker himself has been "hiding behind his
keyboard" all this time. Commonly, police have no
idea what he looks like. This makes him an
unknown quantity, someone best treated with
proper caution.
To date, no hacker has come out shooting,
though they do sometimes brag on boards that they
will do just that. Threats of this sort are taken
seriously. Secret Service hacker raids tend to be
swift, comprehensive, well-manned (even over-
manned); and agents generally burst through every
door in the home at once, sometimes with drawn
guns. Any potential resistance is swiftly quelled.
Hacker raids are usually raids on people's homes.
It can be a very dangerous business to raid an
American home; people can panic when strangers
invade their sanctum. Statistically speaking, the
most dangerous thing a policeman can do is to enter
someone's home. (The second most dangerous
thing is to stop a car in traffic.) People have guns in
their homes. More cops are hurt in homes than are
ever hurt in biker bars or massage parlors.
But in any case, no one was hurt during
Sundevil, or indeed during any part of the Hacker
Crackdown.
Nor were there any allegations of any physical
mistreatment of a suspect. Guns were pointed,
interrogations were sharp and prolonged; but no one
in 1990 claimed any act of brutality by any
crackdown raider.
In addition to the forty or so computers,
Sundevil reaped floppy disks in particularly great
abundance -- an estimated 23,000 of them, which
naturally included every manner of illegitimate
data: pirated games, stolen codes, hot credit card
numbers, the complete text and software of entire
pirate bulletin-boards. These floppy disks, which
remain in police custody today, offer a gigantic,
almost embarrassingly rich source of possible
criminal indictments. These 23,000 floppy disks also
include a thus-far unknown quantity of legitimate
computer games, legitimate software, purportedly
"private" mail from boards, business records, and
personal correspondence of all kinds.
Standard computer-crime search warrants lay
great emphasis on seizing written documents as well
as computers -- specifically including photocopies,
computer printouts, telephone bills, address books,
logs, notes, memoranda and correspondence. In
practice, this has meant that diaries, gaming
magazines, software documentation, nonfiction
books on hacking and computer security,
sometimes even science fiction novels, have all
vanished out the door in police custody. A wide
variety of electronic items have been known to
vanish as well, including telephones, televisions,
answering machines, Sony Walkmans, desktop
printers, compact disks, and audiotapes.
No fewer than 150 members of the Secret
Service were sent into the field during Sundevil.
They were commonly accompanied by squads of
local and/or state police. Most of these officers --
especially the locals -- had never been on an anti-
hacker raid before. (This was one good reason, in
fact, why so many of them were invited along in the
first place.) Also, the presence of a uniformed
police officer assures the raidees that the people
entering their homes are, in fact, police. Secret
Service agents wear plain clothes. So do the telco
security experts who commonly accompany the
Secret Service on raids (and who make no particular
effort to identify themselves as mere employees of
telephone companies).
A typical hacker raid goes something like this.
First, police storm in rapidly, through every
entrance, with overwhelming force, in the
assumption that this tactic will keep casualties to a
minimum. Second, possible suspects are
immediately removed from the vicinity of any and
all computer systems, so that they will have no
chance to purge or destroy computer evidence.
Suspects are herded into a room without computers,
commonly the living room, and kept under guard --
not *armed* guard, for the guns are swiftly
holstered, but under guard nevertheless. They are
presented with the search warrant and warned that
anything they say may be held against them.
Commonly they have a great deal to say, especially
if they are unsuspecting parents.
Somewhere in the house is the "hot spot" -- a
computer tied to a phone line (possibly several
computers and several phones). Commonly it's a
teenager's bedroom, but it can be anywhere in the
house; there may be several such rooms. This "hot
spot" is put in charge of a two-agent team, the
"finder" and the "recorder." The "finder" is
computer-trained, commonly the case agent who
has actually obtained the search warrant from a
judge. He or she understands what is being sought,
and actually carries out the seizures: unplugs
machines, opens drawers, desks, files, floppy-disk
containers, etc. The "recorder" photographs all the
equipment, just as it stands -- especially the tangle
of wired connections in the back, which can
otherwise be a real nightmare to restore. The
recorder will also commonly photograph every room
in the house, lest some wily criminal claim that the
police had robbed him during the search. Some
recorders carry videocams or tape recorders;
however, it's more common for the recorder to
simply take written notes. Objects are described
and numbered as the finder seizes them, generally
on standard preprinted police inventory forms.
Even Secret Service agents were not, and are
not, expert computer users. They have not made,
and do not make, judgements on the fly about
potential threats posed by various forms of
equipment. They may exercise discretion; they may
leave Dad his computer, for instance, but they don't
*have* to. Standard computer-crime search
warrants, which date back to the early 80s, use a
sweeping language that targets computers, most
anything attached to a computer, most anything
used to operate a computer -- most anything that
remotely resembles a computer -- plus most any
and all written documents surrounding it.
Computer-crime investigators have strongly urged
agents to seize the works.
In this sense, Operation Sundevil appears to
have been a complete success. Boards went down
all over America, and were shipped en masse to the
computer investigation lab of the Secret Service, in
Washington DC, along with the 23,000 floppy disks
and unknown quantities of printed material.
But the seizure of twenty-five boards, and the
multi-megabyte mountains of possibly useful
evidence contained in these boards (and in their
owners' other computers, also out the door), were far
from the only motives for Operation Sundevil. An
unprecedented action of great ambition and size,
Sundevil's motives can only be described as
political. It was a public-relations effort, meant to
pass certain messages, meant to make certain
situations clear: both in the mind of the general
public, and in the minds of various constituencies of
the electronic community.
First -- and this motivation was vital -- a
"message" would be sent from law enforcement to
the digital underground. This very message was
recited in so many words by Garry M. Jenkins, the
Assistant Director of the US Secret Service, at the
Sundevil press conference in Phoenix on May 9,
1990, immediately after the raids. In brief, hackers
were mistaken in their foolish belief that they could
hide behind the "relative anonymity of their
computer terminals." On the contrary, they should
fully understand that state and federal cops were
actively patrolling the beat in cyberspace -- that they
were on the watch everywhere, even in those sleazy
and secretive dens of cybernetic vice, the
underground boards.
This is not an unusual message for police to
publicly convey to crooks. The message is a
standard message; only the context is new.
In this respect, the Sundevil raids were the
digital equivalent of the standard vice-squad
crackdown on massage parlors, porno bookstores,
head-shops, or floating crap-games. There may be
few or no arrests in a raid of this sort; no convictions,
no trials, no interrogations. In cases of this sort,
police may well walk out the door with many pounds
of sleazy magazines, X-rated videotapes, sex toys,
gambling equipment, baggies of marijuana....
Of course, if something truly horrendous is
discovered by the raiders, there will be arrests and
prosecutions. Far more likely, however, there will
simply be a brief but sharp disruption of the closed
and secretive world of the nogoodniks. There will be
"street hassle." "Heat." "Deterrence." And, of
course, the immediate loss of the seized goods. It is
very unlikely that any of this seized material will ever
be returned. Whether charged or not, whether
convicted or not, the perpetrators will almost surely
lack the nerve ever to ask for this stuff to be given
back.
Arrests and trials -- putting people in jail -- may
involve all kinds of formal legalities; but dealing with
the justice system is far from the only task of police.
Police do not simply arrest people. They don't
simply put people in jail. That is not how the police
perceive their jobs. Police "protect and serve."
Police "keep the peace," they "keep public order."
Like other forms of public relations, keeping public
order is not an exact science. Keeping public order
is something of an art-form.
If a group of tough-looking teenage hoodlums
was loitering on a street-corner, no one would be
surprised to see a street-cop arrive and sternly order
them to "break it up." On the contrary, the surprise
would come if one of these ne'er-do-wells stepped
briskly into a phone-booth, called a civil rights
lawyer, and instituted a civil suit in defense of his
Constitutional rights of free speech and free
assembly. But something much along this line was
one of the many anomalous outcomes of the Hacker
Crackdown.
Sundevil also carried useful "messages" for
other constituents of the electronic community.
These messages may not have been read aloud
from the Phoenix podium in front of the press corps,
but there was little mistaking their meaning. There
was a message of reassurance for the primary
victims of coding and carding: the telcos, and the
credit companies. Sundevil was greeted with joy by
the security officers of the electronic business
community. After years of high-tech harassment
and spiralling revenue losses, their complaints of
rampant outlawry were being taken seriously by law
enforcement. No more head-scratching or
dismissive shrugs; no more feeble excuses about
"lack of computer-trained officers" or the low priority
of "victimless" white-collar telecommunication
crimes.
Computer-crime experts have long believed
that computer-related offenses are drastically
under-reported. They regard this as a major open
scandal of their field. Some victims are reluctant to
come forth, because they believe that police and
prosecutors are not computer-literate, and can and
will do nothing. Others are embarrassed by their
vulnerabilities, and will take strong measures to
avoid any publicity; this is especially true of banks,
who fear a loss of investor confidence should an
embezzlement-case or wire-fraud surface. And
some victims are so helplessly confused by their own
high technology that they never even realize that a
crime has occurred -- even when they have been
fleeced to the bone.
The results of this situation can be dire.
Criminals escape apprehension and punishment.
The computer-crime units that do exist can't get
work. The true scope of computer-crime: its size, its
real nature, the scope of its threats, and the legal
remedies for it -- all remain obscured.
Another problem is very little publicized, but it
is a cause of genuine concern. Where there is
persistent crime, but no effective police protection,
then vigilantism can result. Telcos, banks, credit
companies, the major corporations who maintain
extensive computer networks vulnerable to hacking
-- these organizations are powerful, wealthy, and
politically influential. They are disinclined to be
pushed around by crooks (or by most anyone else,
for that matter). They often maintain well-organized
private security forces, commonly run by
experienced veterans of military and police units,
who have left public service for the greener pastures
of the private sector. For police, the corporate
security manager can be a powerful ally; but if this
gentleman finds no allies in the police, and the
pressure is on from his board-of-directors, he may
quietly take certain matters into his own hands.
Nor is there any lack of disposable hired-help in
the corporate security business. Private security
agencies -- the 'security business' generally -- grew
explosively in the 1980s. Today there are spooky
gumshoed armies of "security consultants," "rent-a-
cops," "private eyes," "outside experts" -- every
manner of shady operator who retails in "results"
and discretion. Of course, many of these
gentlemen and ladies may be paragons of
professional and moral rectitude. But as anyone
who has read a hard-boiled detective novel knows,
police tend to be less than fond of this sort of
private-sector competition.
Companies in search of computer-security have
even been known to hire hackers. Police shudder at
this prospect.
Police treasure good relations with the business
community. Rarely will you see a policeman so
indiscreet as to allege publicly that some major
employer in his state or city has succumbed to
paranoia and gone off the rails. Nevertheless, police
-- and computer police in particular -- are aware of
this possibility. Computer-crime police can and do
spend up to half of their business hours just doing
public relations: seminars, "dog and pony shows,"
sometimes with parents' groups or computer users,
but generally with their core audience: the likely
victims of hacking crimes. These, of course, are
telcos, credit card companies and large computer-
equipped corporations. The police strongly urge
these people, as good citizens, to report offenses and
press criminal charges; they pass the message that
there is someone in authority who cares,
understands, and, best of all, will take useful action
should a computer-crime occur.
But reassuring talk is cheap. Sundevil offered
action.
The final message of Sundevil was intended for
internal consumption by law enforcement. Sundevil
was offered as proof that the community of
American computer-crime police had come of age.
Sundevil was proof that enormous things like
Sundevil itself could now be accomplished.
Sundevil was proof that the Secret Service and its
local law-enforcement allies could act like a well-
oiled machine -- (despite the hampering use of
those scrambled phones). It was also proof that the
Arizona Organized Crime and Racketeering Unit --
the sparkplug of Sundevil -- ranked with the best in
the world in ambition, organization, and sheer
conceptual daring.
And, as a final fillip, Sundevil was a message
from the Secret Service to their longtime rivals in the
Federal Bureau of Investigation. By Congressional
fiat, both USSS and FBI formally share jurisdiction
over federal computer-crimebusting activities.
Neither of these groups has ever been remotely
happy with this muddled situation. It seems to
suggest that Congress cannot make up its mind as to
which of these groups is better qualified. And there
is scarcely a G-man or a Special Agent anywhere
without a very firm opinion on that topic.
#
For the neophyte, one of the most puzzling
aspects of the crackdown on hackers is why the
United States Secret Service has anything at all to do
with this matter.
The Secret Service is best known for its primary
public role: its agents protect the President of the
United States. They also guard the President's
family, the Vice President and his family, former
Presidents, and Presidential candidates. They
sometimes guard foreign dignitaries who are visiting
the United States, especially foreign heads of state,
and have been known to accompany American
officials on diplomatic missions overseas.
Special Agents of the Secret Service don't wear
uniforms, but the Secret Service also has two
uniformed police agencies. There's the former
White House Police (now known as the Secret
Service Uniformed Division, since they currently
guard foreign embassies in Washington, as well as
the White House itself). And there's the uniformed
Treasury Police Force.
The Secret Service has been charged by
Congress with a number of little-known duties.
They guard the precious metals in Treasury vaults.
They guard the most valuable historical documents
of the United States: originals of the Constitution,
the Declaration of Independence, Lincoln's Second
Inaugural Address, an American-owned copy of the
Magna Carta, and so forth. Once they were
assigned to guard the Mona Lisa, on her American
tour in the 1960s.
The entire Secret Service is a division of the
Treasury Department. Secret Service Special
Agents (there are about 1,900 of them) are
bodyguards for the President et al, but they all work
for the Treasury. And the Treasury (through its
divisions of the U.S. Mint and the Bureau of
Engraving and Printing) prints the nation's money.
As Treasury police, the Secret Service guards
the nation's currency; it is the only federal law
enforcement agency with direct jurisdiction over
counterfeiting and forgery. It analyzes documents
for authenticity, and its fight against fake cash is still
quite lively (especially since the skilled
counterfeiters of Medellin, Colombia have gotten
into the act). Government checks, bonds, and other
obligations, which exist in untold millions and are
worth untold billions, are common targets for
forgery, which the Secret Service also battles. It
even handles forgery of postage stamps.
But cash is fading in importance today as
money has become electronic. As necessity
beckoned, the Secret Service moved from fighting
the counterfeiting of paper currency and the forging
of checks, to the protection of funds transferred by
wire.
From wire-fraud, it was a simple skip-and-jump
to what is formally known as "access device fraud."
Congress granted the Secret Service the authority to
investigate "access device fraud" under Title 18 of
the United States Code (U.S.C. Section 1029).
The term "access device" seems intuitively
simple. It's some kind of high-tech gizmo you use to
get money with. It makes good sense to put this sort
of thing in the charge of counterfeiting and wire-
fraud experts.
However, in Section 1029, the term "access
device" is very generously defined. An access device
is: "any card, plate, code, account number, or other
means of account access that can be used, alone or
in conjunction with another access device, to obtain
money, goods, services, or any other thing of value,
or that can be used to initiate a transfer of funds."
"Access device" can therefore be construed to
include credit cards themselves (a popular forgery
item nowadays). It also includes credit card account
*numbers,* those standards of the digital
underground. The same goes for telephone charge
cards (an increasingly popular item with telcos, who
are tired of being robbed of pocket change by
phone-booth thieves). And also telephone access
*codes,* those *other* standards of the digital
underground. (Stolen telephone codes may not
"obtain money," but they certainly do obtain
valuable "services," which is specifically forbidden
by Section 1029.)
We can now see that Section 1029 already pits
the United States Secret Service directly against the
digital underground, without any mention at all of
the word "computer."
Standard phreaking devices, like "blue boxes,"
used to steal phone service from old-fashioned
mechanical switches, are unquestionably
"counterfeit access devices." Thanks to Sec.1029, it
is not only illegal to *use* counterfeit access devices,
but it is even illegal to *build* them. "Producing,"
"designing," "duplicating" or "assembling" blue
boxes are all federal crimes today, and if you do this,
the Secret Service has been charged by Congress to
come after you.
Automatic Teller Machines, which replicated all
over America during the 1980s, are definitely "access
devices," too, and an attempt to tamper with their
punch-in codes and plastic bank cards falls directly
under Sec. 1029.
Section 1029 is remarkably elastic. Suppose you
find a computer password in somebody's trash. That
password might be a "code" -- it's certainly a "means
of account access." Now suppose you log on to a
computer and copy some software for yourself.
You've certainly obtained "service" (computer
service) and a "thing of value" (the software).
Suppose you tell a dozen friends about your swiped
password, and let them use it, too. Now you're
"trafficking in unauthorized access devices." And
when the Prophet, a member of the Legion of Doom,
passed a stolen telephone company document to
Knight Lightning at *Phrack* magazine, they were
both charged under Sec. 1029!
There are two limitations on Section 1029. First,
the offense must "affect interstate or foreign
commerce" in order to become a matter of federal
jurisdiction. The term "affecting commerce" is not
well defined; but you may take it as a given that the
Secret Service can take an interest if you've done
most anything that happens to cross a state line.
State and local police can be touchy about their
jurisdictions, and can sometimes be mulish when
the feds show up. But when it comes to computer-
crime, the local police are pathetically grateful for
federal help -- in fact they complain that they can't
get enough of it. If you're stealing long-distance
service, you're almost certainly crossing state lines,
and you're definitely "affecting the interstate
commerce" of the telcos. And if you're abusing
credit cards by ordering stuff out of glossy catalogs
from, say, Vermont, you're in for it.
The second limitation is money. As a rule, the
feds don't pursue penny-ante offenders. Federal
judges will dismiss cases that appear to waste their
time. Federal crimes must be serious; Section 1029
specifies a minimum loss of a thousand dollars.
We now come to the very next section of Title
18, which is Section 1030, "Fraud and related activity
in connection with computers." This statute gives
the Secret Service direct jurisdiction over acts of
computer intrusion. On the face of it, the Secret
Service would now seem to command the field.
Section 1030, however, is nowhere near so ductile as
Section 1029.
The first annoyance is Section 1030(d), which
reads:
"(d) The United States Secret Service shall, *in
addition to any other agency having such authority,*
have the authority to investigate offenses under this
section. Such authority of the United States Secret
Service shall be exercised in accordance with an
agreement which shall be entered into by the
Secretary of the Treasury *and the Attorney
General.*" (Author's italics.)
The Secretary of the Treasury is the titular head
of the Secret Service, while the Attorney General is
in charge of the FBI. In Section (d), Congress
shrugged off responsibility for the computer-crime
turf-battle between the Service and the Bureau, and
made them fight it out all by themselves. The result
was a rather dire one for the Secret Service, for the
FBI ended up with exclusive jurisdiction over
computer break-ins having to do with national
security, foreign espionage, federally insured banks,
and U.S. military bases, while retaining joint
jurisdiction over all the other computer intrusions.
Essentially, when it comes to Section 1030, the FBI
not only gets the real glamor stuff for itself, but can
peer over the shoulder of the Secret Service and
barge in to meddle whenever it suits them.
The second problem has to do with the dicey
term "Federal interest computer." Section 1030(a)(2)
makes it illegal to "access a computer without
authorization" if that computer belongs to a
financial institution or an issuer of credit cards
(fraud cases, in other words). Congress was quite
willing to give the Secret Service jurisdiction over
money-transferring computers, but Congress balked
at letting them investigate any and all computer
intrusions. Instead, the USSS had to settle for the
money machines and the "Federal interest
computers." A "Federal interest computer" is a
computer which the government itself owns, or is
using. Large networks of interstate computers,
linked over state lines, are also considered to be of
"Federal interest." (This notion of "Federal interest"
is legally rather foggy and has never been clearly
defined in the courts. The Secret Service has never
yet had its hand slapped for investigating computer
break-ins that were *not* of "Federal interest," but
conceivably someday this might happen.)
So the Secret Service's authority over
"unauthorized access" to computers covers a lot of
territory, but by no means the whole ball of
cyberspatial wax. If you are, for instance, a *local*
computer retailer, or the owner of a *local* bulletin
board system, then a malicious *local* intruder can
break in, crash your system, trash your files and
scatter viruses, and the U.S. Secret Service cannot
do a single thing about it.
At least, it can't do anything *directly.* But the
Secret Service will do plenty to help the local people
who can.
The FBI may have dealt itself an ace off the
bottom of the deck when it comes to Section 1030;
but that's not the whole story; that's not the street.
What Congress thinks is one thing, and Congress
has been known to change its mind. The *real* turf-
struggle is out there in the streets where it's
happening. If you're a local street-cop with a
computer problem, the Secret Service wants you to
know where you can find the real expertise. While
the Bureau crowd are off having their favorite shoes
polished -- (wing-tips) -- and making derisive fun of
the Service's favorite shoes -- ("pansy-ass tassels") --
the tassel-toting Secret Service has a crew of ready-
and-able hacker-trackers installed in the capital of
every state in the Union. Need advice? They'll give
you advice, or at least point you in the right
direction. Need training? They can see to that, too.
If you're a local cop and you call in the FBI, the
FBI (as is widely and slanderously rumored) will
order you around like a coolie, take all the credit for
your busts, and mop up every possible scrap of
reflected glory. The Secret Service, on the other
hand, doesn't brag a lot. They're the quiet types.
*Very* quiet. Very cool. Efficient. High-tech.
Mirrorshades, icy stares, radio ear-plugs, an Uzi
machine-pistol tucked somewhere in that well-cut
jacket. American samurai, sworn to give their lives
to protect our President. "The granite agents."
Trained in martial arts, absolutely fearless. Every
single one of 'em has a top-secret security clearance.
Something goes a little wrong, you're not gonna hear
any whining and moaning and political buck-
passing out of these guys.
The facade of the granite agent is not, of course,
the reality. Secret Service agents are human beings.
Of the various anti-hacker activities of 1990,
"Operation Sundevil" had by far the highest public
profile. The sweeping, nationwide computer
seizures of May 8, 1990 were unprecedented in
scope and highly, if rather selectively, publicized.
Unlike the efforts of the Chicago Computer
Fraud and Abuse Task Force, "Operation Sundevil"
was not intended to combat "hacking" in the sense
of computer intrusion or sophisticated raids on telco
switching stations. Nor did it have anything to do
with hacker misdeeds with AT&T's software, or with
Southern Bell's proprietary documents.
Instead, "Operation Sundevil" was a crackdown
on those traditional scourges of the digital
underground: credit-card theft and telephone code
abuse. The ambitious activities out of Chicago, and
the somewhat lesser-known but vigorous anti-
hacker actions of the New York State Police in 1990,
were never a part of "Operation Sundevil" per se,
which was based in Arizona.
Nevertheless, after the spectacular May 8 raids,
the public, misled by police secrecy, hacker panic,
and a puzzled national press-corps, conflated all
aspects of the nationwide crackdown in 1990 under
the blanket term "Operation Sundevil." "Sundevil" is
still the best-known synonym for the crackdown of
1990. But the Arizona organizers of "Sundevil" did
not really deserve this reputation -- any more, for
instance, than all hackers deserve a reputation as
"hackers."
There was some justice in this confused
perception, though. For one thing, the confusion
was abetted by the Washington office of the Secret
Service, who responded to Freedom of Information
Act requests on "Operation Sundevil" by referring
investigators to the publicly known cases of Knight
Lightning and the Atlanta Three. And "Sundevil"
was certainly the largest aspect of the Crackdown,
the most deliberate and the best-organized. As a
crackdown on electronic fraud, "Sundevil" lacked
the frantic pace of the war on the Legion of Doom;
on the contrary, Sundevil's targets were picked out
with cool deliberation over an elaborate
investigation lasting two full years.
And once again the targets were bulletin board
systems.
Boards can be powerful aids to organized fraud.
Underground boards carry lively, extensive,
detailed, and often quite flagrant "discussions" of
lawbreaking techniques and lawbreaking activities.
"Discussing" crime in the abstract, or "discussing"
the particulars of criminal cases, is not illegal -- but
there are stern state and federal laws against
coldbloodedly conspiring in groups in order to
commit crimes.
In the eyes of police, people who actively
conspire to break the law are not regarded as
"clubs," "debating salons," "users' groups," or "free
speech advocates." Rather, such people tend to
find themselves formally indicted by prosecutors as
"gangs," "racketeers," "corrupt organizations" and
"organized crime figures."
What's more, the illicit data contained on
outlaw boards goes well beyond mere acts of speech
and/or possible criminal conspiracy. As we have
seen, it was common practice in the digital
underground to post purloined telephone codes on
boards, for any phreak or hacker who cared to abuse
them. Is posting digital booty of this sort supposed
to be protected by the First Amendment? Hardly --
though the issue, like most issues in cyberspace, is
not entirely resolved. Some theorists argue that to
merely *recite* a number publicly is not illegal --
only its *use* is illegal. But anti-hacker police point
out that magazines and newspapers (more
traditional forms of free expression) never publish
stolen telephone codes (even though this might well
raise their circulation).
Stolen credit card numbers, being riskier and
more valuable, were less often publicly posted on
boards -- but there is no question that some
underground boards carried "carding" traffic,
generally exchanged through private mail.
Underground boards also carried handy
programs for "scanning" telephone codes and
raiding credit card companies, as well as the usual
obnoxious galaxy of pirated software, cracked
passwords, blue-box schematics, intrusion manuals,
anarchy files, porn files, and so forth.
But besides their nuisance potential for the
spread of illicit knowledge, bulletin boards have
another vitally interesting aspect for the professional
investigator. Bulletin boards are cram-full of
*evidence.* All that busy trading of electronic mail,
all those hacker boasts, brags and struts, even the
stolen codes and cards, can be neat, electronic, real-
time recordings of criminal activity.
As an investigator, when you seize a pirate
board, you have scored a coup as effective as
tapping phones or intercepting mail. However, you
have not actually tapped a phone or intercepted a
letter. The rules of evidence regarding phone-taps
and mail interceptions are old, stern and well-
understood by police, prosecutors and defense
attorneys alike. The rules of evidence regarding
boards are new, waffling, and understood by nobody
at all.
Sundevil was the largest crackdown on boards in
world history. On May 7, 8, and 9, 1990, about forty-
two computer systems were seized. Of those forty-
two computers, about twenty-five actually were
running boards. (The vagueness of this estimate is
attributable to the vagueness of (a) what a
"computer system" is, and (b) what it actually means
to "run a board" with one -- or with two computers, or
with three.)
About twenty-five boards vanished into police
custody in May 1990. As we have seen, there are an
estimated 30,000 boards in America today. If we
assume that one board in a hundred is up to no good
with codes and cards (which rather flatters the
honesty of the board-using community), then that
would leave 2,975 outlaw boards untouched by
Sundevil. Sundevil seized about one tenth of one
percent of all computer bulletin boards in America.
Seen objectively, this is something less than a
comprehensive assault. In 1990, Sundevil's
organizers -- the team at the Phoenix Secret Service
office, and the Arizona Attorney General's office --
had a list of at least *three hundred* boards that
they considered fully deserving of search and
seizure warrants. The twenty-five boards actually
seized were merely among the most obvious and
egregious of this much larger list of candidates. All
these boards had been examined beforehand --
either by informants, who had passed printouts to
the Secret Service, or by Secret Service agents
themselves, who not only come equipped with
modems but know how to use them.
There were a number of motives for Sundevil.
First, it offered a chance to get ahead of the curve on
wire-fraud crimes. Tracking back credit-card ripoffs
to their perpetrators can be appallingly difficult. If
these miscreants have any kind of electronic
sophistication, they can snarl their tracks through
the phone network into a mind-boggling,
untraceable mess, while still managing to "reach out
and rob someone." Boards, however, full of brags
and boasts, codes and cards, offer evidence in the
handy congealed form.
Seizures themselves -- the mere physical
removal of machines -- tend to take the pressure
off. During Sundevil, a large number of code kids,
warez d00dz, and credit card thieves would be
deprived of those boards -- their means of
community and conspiracy -- in one swift blow. As
for the sysops themselves (commonly among the
boldest offenders) they would be directly stripped of
their computer equipment, and rendered digitally
mute and blind.
And this aspect of Sundevil was carried out with
great success. Sundevil seems to have been a
complete tactical surprise -- unlike the fragmentary
and continuing seizures of the war on the Legion of
Doom, Sundevil was precisely timed and utterly
overwhelming. At least forty "computers" were
seized during May 7, 8 and 9, 1990, in Cincinnati,
Detroit, Los Angeles, Miami, Newark, Phoenix,
Tucson, Richmond, San Diego, San Jose, Pittsburgh
and San Francisco. Some cities saw multiple raids,
such as the five separate raids in the New York City
environs. Plano, Texas (essentially a suburb of the
Dallas/Fort Worth metroplex, and a hub of the
telecommunications industry) saw four computer
seizures. Chicago, ever in the forefront, saw its own
local Sundevil raid, briskly carried out by Secret
Service agents Timothy Foley and Barbara Golden.
Many of these raids occurred, not in the cities
proper, but in associated white middle-class suburbs
-- places like Mount Lebanon, Pennsylvania and
Clark Lake, Michigan. There were a few raids on
offices; most took place in people's homes, the
classic hacker basements and bedrooms.
The Sundevil raids were searches and seizures,
not a group of mass arrests. There were only four
arrests during Sundevil. "Tony the Trashman," a
longtime teenage bete noire of the Arizona
Racketeering unit, was arrested in Tucson on May 9.
"Dr. Ripco," sysop of an outlaw board with the
misfortune to exist in Chicago itself, was also
arrested -- on illegal weapons charges. Local units
also arrested a 19-year-old female phone phreak
named "Electra" in Pennsylvania, and a male
juvenile in California. Federal agents, however, were
not seeking arrests, but computers.
Hackers are generally not indicted (if at all)
until the evidence in their seized computers is
evaluated -- a process that can take weeks, months --
even years. When hackers are arrested on the
spot, it's generally an arrest for other reasons. Drugs
and/or illegal weapons show up in a good third of
anti-hacker computer seizures (though not during
Sundevil).
That scofflaw teenage hackers (or their parents)
should have marijuana in their homes is probably
not a shocking revelation, but the surprisingly
common presence of illegal firearms in hacker dens
is a bit disquieting. A Personal Computer can be a
great equalizer for the techno-cowboy -- much like
that more traditional American "Great Equalizer,"
the Personal Sixgun. Maybe it's not all that
surprising that some guy obsessed with power
through illicit technology would also have a few illicit
high-velocity-impact devices around. An element of
the digital underground particularly dotes on those
"anarchy philes," and this element tends to shade
into the crackpot milieu of survivalists, gun-nuts,
anarcho-leftists and the ultra-libertarian right-wing.
This is not to say that hacker raids to date have
uncovered any major crack-dens or illegal arsenals;
but Secret Service agents do not regard "hackers" as
"just kids." They regard hackers as unpredictable
people, bright and slippery. It doesn't help matters
that the hacker himself has been "hiding behind his
keyboard" all this time. Commonly, police have no
idea what he looks like. This makes him an
unknown quantity, someone best treated with
proper caution.
To date, no hacker has come out shooting,
though they do sometimes brag on boards that they
will do just that. Threats of this sort are taken
seriously. Secret Service hacker raids tend to be
swift, comprehensive, well-manned (even over-
manned); and agents generally burst through every
door in the home at once, sometimes with drawn
guns. Any potential resistance is swiftly quelled.
Hacker raids are usually raids on people's homes.
It can be a very dangerous business to raid an
American home; people can panic when strangers
invade their sanctum. Statistically speaking, the
most dangerous thing a policeman can do is to enter
someone's home. (The second most dangerous
thing is to stop a car in traffic.) People have guns in
their homes. More cops are hurt in homes than are
ever hurt in biker bars or massage parlors.
But in any case, no one was hurt during
Sundevil, or indeed during any part of the Hacker
Crackdown.
Nor were there any allegations of any physical
mistreatment of a suspect. Guns were pointed,
interrogations were sharp and prolonged; but no one
in 1990 claimed any act of brutality by any
crackdown raider.
In addition to the forty or so computers,
Sundevil reaped floppy disks in particularly great
abundance -- an estimated 23,000 of them, which
naturally included every manner of illegitimate
data: pirated games, stolen codes, hot credit card
numbers, the complete text and software of entire
pirate bulletin-boards. These floppy disks, which
remain in police custody today, offer a gigantic,
almost embarrassingly rich source of possible
criminal indictments. These 23,000 floppy disks also
include a thus-far unknown quantity of legitimate
computer games, legitimate software, purportedly
"private" mail from boards, business records, and
personal correspondence of all kinds.
Standard computer-crime search warrants lay
great emphasis on seizing written documents as well
as computers -- specifically including photocopies,
computer printouts, telephone bills, address books,
logs, notes, memoranda and correspondence. In
practice, this has meant that diaries, gaming
magazines, software documentation, nonfiction
books on hacking and computer security,
sometimes even science fiction novels, have all
vanished out the door in police custody. A wide
variety of electronic items have been known to
vanish as well, including telephones, televisions,
answering machines, Sony Walkmans, desktop
printers, compact disks, and audiotapes.
No fewer than 150 members of the Secret
Service were sent into the field during Sundevil.
They were commonly accompanied by squads of
local and/or state police. Most of these officers --
especially the locals -- had never been on an anti-
hacker raid before. (This was one good reason, in
fact, why so many of them were invited along in the
first place.) Also, the presence of a uniformed
police officer assures the raidees that the people
entering their homes are, in fact, police. Secret
Service agents wear plain clothes. So do the telco
security experts who commonly accompany the
Secret Service on raids (and who make no particular
effort to identify themselves as mere employees of
telephone companies).
A typical hacker raid goes something like this.
First, police storm in rapidly, through every
entrance, with overwhelming force, in the
assumption that this tactic will keep casualties to a
minimum. Second, possible suspects are
immediately removed from the vicinity of any and
all computer systems, so that they will have no
chance to purge or destroy computer evidence.
Suspects are herded into a room without computers,
commonly the living room, and kept under guard --
not *armed* guard, for the guns are swiftly
holstered, but under guard nevertheless. They are
presented with the search warrant and warned that
anything they say may be held against them.
Commonly they have a great deal to say, especially
if they are unsuspecting parents.
Somewhere in the house is the "hot spot" -- a
computer tied to a phone line (possibly several
computers and several phones). Commonly it's a
teenager's bedroom, but it can be anywhere in the
house; there may be several such rooms. This "hot
spot" is put in the charge of a two-agent team, the
"finder" and the "recorder." The "finder" is
computer-trained, commonly the case agent who
has actually obtained the search warrant from a
judge. He or she understands what is being sought,
and actually carries out the seizures: unplugs
machines, opens drawers, desks, files, floppy-disk
containers, etc. The "recorder" photographs all the
equipment, just as it stands -- especially the tangle
of wired connections in the back, which can
otherwise be a real nightmare to restore. The
recorder will also commonly photograph every room
in the house, lest some wily criminal claim that the
police had robbed him during the search. Some
recorders carry videocams or tape recorders;
however, it's more common for the recorder to
simply take written notes. Objects are described
and numbered as the finder seizes them, generally
on standard preprinted police inventory forms.
Even Secret Service agents were not, and are
not, expert computer users. They have not made,
and do not make, judgements on the fly about
potential threats posed by various forms of
equipment. They may exercise discretion; they may
leave Dad his computer, for instance, but they don't
*have* to. Standard computer-crime search
warrants, which date back to the early 80s, use a
sweeping language that targets computers, most
anything attached to a computer, most anything
used to operate a computer -- most anything that
remotely resembles a computer -- plus most any
and all written documents surrounding it.
Computer-crime investigators have strongly urged
agents to seize the works.
In this sense, Operation Sundevil appears to
have been a complete success. Boards went down
all over America, and were shipped en masse to the
computer investigation lab of the Secret Service, in
Washington DC, along with the 23,000 floppy disks
and unknown quantities of printed material.
But the seizure of twenty-five boards, and the
multi-megabyte mountains of possibly useful
evidence contained in these boards (and in their
owners' other computers, also out the door), were far
from the only motives for Operation Sundevil. An
unprecedented action of great ambition and size,
Sundevil's motives can only be described as
political. It was a public-relations effort, meant to
pass certain messages, meant to make certain
situations clear: both in the mind of the general
public, and in the minds of various constituencies of
the electronic community.
First -- and this motivation was vital -- a
"message" would be sent from law enforcement to
the digital underground. This very message was
recited in so many words by Garry M. Jenkins, the
Assistant Director of the US Secret Service, at the
Sundevil press conference in Phoenix on May 9,
1990, immediately after the raids. In brief, hackers
were mistaken in their foolish belief that they could
hide behind the "relative anonymity of their
computer terminals." On the contrary, they should
fully understand that state and federal cops were
actively patrolling the beat in cyberspace -- that they
were on the watch everywhere, even in those sleazy
and secretive dens of cybernetic vice, the
underground boards.
This is not an unusual message for police to
publicly convey to crooks. The message is a
standard message; only the context is new.
In this respect, the Sundevil raids were the
digital equivalent of the standard vice-squad
crackdown on massage parlors, porno bookstores,
head-shops, or floating crap-games. There may be
few or no arrests in a raid of this sort; no convictions,
no trials, no interrogations. In cases of this sort,
police may well walk out the door with many pounds
of sleazy magazines, X-rated videotapes, sex toys,
gambling equipment, baggies of marijuana....
Of course, if something truly horrendous is
discovered by the raiders, there will be arrests and
prosecutions. Far more likely, however, there will
simply be a brief but sharp disruption of the closed
and secretive world of the nogoodniks. There will be
"street hassle." "Heat." "Deterrence." And, of
course, the immediate loss of the seized goods. It is
very unlikely that any of this seized material will ever
be returned. Whether charged or not, whether
convicted or not, the perpetrators will almost surely
lack the nerve ever to ask for this stuff to be given
back.
Arrests and trials -- putting people in jail -- may
involve all kinds of formal legalities; but dealing with
the justice system is far from the only task of police.
Police do not simply arrest people. They don't
simply put people in jail. That is not how the police
perceive their jobs. Police "protect and serve."
Police "keep the peace," they "keep public order."
Like other forms of public relations, keeping public
order is not an exact science. Keeping public order
is something of an art-form.
If a group of tough-looking teenage hoodlums
was loitering on a street-corner, no one would be
surprised to see a street-cop arrive and sternly order
them to "break it up." On the contrary, the surprise
would come if one of these ne'er-do-wells stepped
briskly into a phone-booth, called a civil rights
lawyer, and instituted a civil suit in defense of his
Constitutional rights of free speech and free
assembly. But something much along this line was
one of the many anomalous outcomes of the Hacker
Crackdown.
Sundevil also carried useful "messages" for
other constituents of the electronic community.
These messages may not have been read aloud
from the Phoenix podium in front of the press corps,
but there was little mistaking their meaning. There
was a message of reassurance for the primary
victims of coding and carding: the telcos, and the
credit companies. Sundevil was greeted with joy by
the security officers of the electronic business
community. After years of high-tech harassment
and spiralling revenue losses, their complaints of
rampant outlawry were being taken seriously by law
enforcement. No more head-scratching or
dismissive shrugs; no more feeble excuses about
"lack of computer-trained officers" or the low priority
of "victimless" white-collar telecommunication
crimes.
Computer-crime experts have long believed
that computer-related offenses are drastically
under-reported. They regard this as a major open
scandal of their field. Some victims are reluctant to
come forth, because they believe that police and
prosecutors are not computer-literate, and can and
will do nothing. Others are embarrassed by their
vulnerabilities, and will take strong measures to
avoid any publicity; this is especially true of banks,
who fear a loss of investor confidence should an
embezzlement-case or wire-fraud surface. And
some victims are so helplessly confused by their own
high technology that they never even realize that a
crime has occurred -- even when they have been
fleeced to the bone.
The results of this situation can be dire.
Criminals escape apprehension and punishment.
The computer-crime units that do exist can't get
work. The true scope of computer-crime: its size, its
real nature, the scope of its threats, and the legal
remedies for it -- all remain obscured.
Another problem is very little publicized, but it
is a cause of genuine concern. Where there is
persistent crime, but no effective police protection,
then vigilantism can result. Telcos, banks, credit
companies, the major corporations who maintain
extensive computer networks vulnerable to hacking
-- these organizations are powerful, wealthy, and
politically influential. They are disinclined to be
pushed around by crooks (or by most anyone else,
for that matter). They often maintain well-organized
private security forces, commonly run by
experienced veterans of military and police units,
who have left public service for the greener pastures
of the private sector. For police, the corporate
security manager can be a powerful ally; but if this
gentleman finds no allies in the police, and the
pressure is on from his board-of-directors, he may
quietly take certain matters into his own hands.
Nor is there any lack of disposable hired-help in
the corporate security business. Private security
agencies -- the 'security business' generally -- grew
explosively in the 1980s. Today there are spooky
gumshoed armies of "security consultants," "rent-a-
cops," "private eyes," "outside experts" -- every
manner of shady operator who retails in "results"
and discretion. Of course, many of these
gentlemen and ladies may be paragons of
professional and moral rectitude. But as anyone
who has read a hard-boiled detective novel knows,
police tend to be less than fond of this sort of
private-sector competition.
Companies in search of computer-security have
even been known to hire hackers. Police shudder at
this prospect.
Police treasure good relations with the business
community. Rarely will you see a policeman so
indiscreet as to allege publicly that some major
employer in his state or city has succumbed to
paranoia and gone off the rails. Nevertheless, police
-- and computer police in particular -- are aware of
this possibility. Computer-crime police can and do
spend up to half of their business hours just doing
public relations: seminars, "dog and pony shows,"
sometimes with parents' groups or computer users,
but generally with their core audience: the likely
victims of hacking crimes. These, of course, are
telcos, credit card companies and large computer-
equipped corporations. The police strongly urge
these people, as good citizens, to report offenses and
press criminal charges; they pass the message that
there is someone in authority who cares,
understands, and, best of all, will take useful action
should a computer-crime occur.
But reassuring talk is cheap. Sundevil offered
action.
The final message of Sundevil was intended for
internal consumption by law enforcement. Sundevil
was offered as proof that the community of
American computer-crime police had come of age.
Sundevil was proof that enormous things like
Sundevil itself could now be accomplished.
Sundevil was proof that the Secret Service and its
local law-enforcement allies could act like a well-
oiled machine -- (despite the hampering use of
those scrambled phones). It was also proof that the
Arizona Organized Crime and Racketeering Unit --
the sparkplug of Sundevil -- ranked with the best in
the world in ambition, organization, and sheer
conceptual daring.
And, as a final fillip, Sundevil was a message
from the Secret Service to their longtime rivals in the
Federal Bureau of Investigation. By Congressional
fiat, both USSS and FBI formally share jurisdiction
over federal computer-crimebusting activities.
Neither of these groups has ever been remotely
happy with this muddled situation. It seems to
suggest that Congress cannot make up its mind as to
which of these groups is better qualified. And there
is scarcely a G-man or a Special Agent anywhere
without a very firm opinion on that topic.
#
For the neophyte, one of the most puzzling
aspects of the crackdown on hackers is why the
United States Secret Service has anything at all to do
with this matter.
The Secret Service is best known for its primary
public role: its agents protect the President of the
United States. They also guard the President's
family, the Vice President and his family, former
Presidents, and Presidential candidates. They
sometimes guard foreign dignitaries who are visiting
the United States, especially foreign heads of state,
and have been known to accompany American
officials on diplomatic missions overseas.
Special Agents of the Secret Service don't wear
uniforms, but the Secret Service also has two
uniformed police agencies. There's the former
White House Police (now known as the Secret
Service Uniformed Division, since they currently
guard foreign embassies in Washington, as well as
the White House itself). And there's the uniformed
Treasury Police Force.
The Secret Service has been charged by
Congress with a number of little-known duties.
They guard the precious metals in Treasury vaults.
They guard the most valuable historical documents
of the United States: originals of the Constitution,
the Declaration of Independence, Lincoln's Second
Inaugural Address, an American-owned copy of the
Magna Carta, and so forth. Once they were
assigned to guard the Mona Lisa, on her American
tour in the 1960s.
The entire Secret Service is a division of the
Treasury Department. Secret Service Special
Agents (there are about 1,900 of them) are
bodyguards for the President et al, but they all work
for the Treasury. And the Treasury (through its
divisions of the U.S. Mint and the Bureau of
Engraving and Printing) prints the nation's money.
As Treasury police, the Secret Service guards
the nation's currency; it is the only federal law
enforcement agency with direct jurisdiction over
counterfeiting and forgery. It analyzes documents
for authenticity, and its fight against fake cash is still
quite lively (especially since the skilled
counterfeiters of Medellin, Colombia have gotten
into the act). Government checks, bonds, and other
obligations, which exist in untold millions and are
worth untold billions, are common targets for
forgery, which the Secret Service also battles. It
even handles forgery of postage stamps.
But cash is fading in importance today as
money has become electronic. As necessity
beckoned, the Secret Service moved from fighting
the counterfeiting of paper currency and the forging
of checks, to the protection of funds transferred by
wire.
From wire-fraud, it was a simple skip-and-jump
to what is formally known as "access device fraud."
Congress granted the Secret Service the authority to
investigate "access device fraud" under Title 18 of
the United States Code (U.S.C. Section 1029).
The term "access device" seems intuitively
simple. It's some kind of high-tech gizmo you use to
get money with. It makes good sense to put this sort
of thing in the charge of counterfeiting and wire-
fraud experts.
However, in Section 1029, the term "access
device" is very generously defined. An access device
is: "any card, plate, code, account number, or other
means of account access that can be used, alone or
in conjunction with another access device, to obtain
money, goods, services, or any other thing of value,
or that can be used to initiate a transfer of funds."
"Access device" can therefore be construed to
include credit cards themselves (a popular forgery
item nowadays). It also includes credit card account
*numbers,* those standards of the digital
underground. The same goes for telephone charge
cards (an increasingly popular item with telcos, who
are tired of being robbed of pocket change by
phone-booth thieves). And also telephone access
*codes,* those *other* standards of the digital
underground. (Stolen telephone codes may not
"obtain money," but they certainly do obtain
valuable "services," which is specifically forbidden
by Section 1029.)
We can now see that Section 1029 already pits
the United States Secret Service directly against the
digital underground, without any mention at all of
the word "computer."
Standard phreaking devices, like "blue boxes,"
used to steal phone service from old-fashioned
mechanical switches, are unquestionably
"counterfeit access devices." Thanks to Sec. 1029, it
is not only illegal to *use* counterfeit access devices,
but it is even illegal to *build* them. "Producing,"
"designing," "duplicating" or "assembling" blue
boxes are all federal crimes today, and if you do this,
the Secret Service has been charged by Congress to
come after you.
Automatic Teller Machines, which replicated all
over America during the 1980s, are definitely "access
devices," too, and an attempt to tamper with their
punch-in codes and plastic bank cards falls directly
under Sec. 1029.
Section 1029 is remarkably elastic. Suppose you
find a computer password in somebody's trash. That
password might be a "code" -- it's certainly a "means
of account access." Now suppose you log on to a
computer and copy some software for yourself.
You've certainly obtained "service" (computer
service) and a "thing of value" (the software).
Suppose you tell a dozen friends about your swiped
password, and let them use it, too. Now you're
"trafficking in unauthorized access devices." And
when the Prophet, a member of the Legion of Doom,
passed a stolen telephone company document to
Knight Lightning at *Phrack* magazine, they were
both charged under Sec. 1029!
There are two limitations on Section 1029. First,
the offense must "affect interstate or foreign
commerce" in order to become a matter of federal
jurisdiction. The term "affecting commerce" is not
well defined; but you may take it as a given that the
Secret Service can take an interest if you've done
most anything that happens to cross a state line.
State and local police can be touchy about their
jurisdictions, and can sometimes be mulish when
the feds show up. But when it comes to computer-
crime, the local police are pathetically grateful for
federal help -- in fact they complain that they can't
get enough of it. If you're stealing long-distance
service, you're almost certainly crossing state lines,
and you're definitely "affecting the interstate
commerce" of the telcos. And if you're abusing
credit cards by ordering stuff out of glossy catalogs
from, say, Vermont, you're in for it.
The second limitation is money. As a rule, the
feds don't pursue penny-ante offenders. Federal
judges will dismiss cases that appear to waste their
time. Federal crimes must be serious; Section 1029
specifies a minimum loss of a thousand dollars.
We now come to the very next section of Title
18, which is Section 1030, "Fraud and related activity
in connection with computers." This statute gives
the Secret Service direct jurisdiction over acts of
computer intrusion. On the face of it, the Secret
Service would now seem to command the field.
Section 1030, however, is nowhere near so ductile as
Section 1029.
The first annoyance is Section 1030(d), which
reads:
"(d) The United States Secret Service shall, *in
addition to any other agency having such authority,*
have the authority to investigate offenses under this
section. Such authority of the United States Secret
Service shall be exercised in accordance with an
agreement which shall be entered into by the
Secretary of the Treasury *and the Attorney
General.*" (Author's italics.)
The Secretary of the Treasury is the titular head
of the Secret Service, while the Attorney General is
in charge of the FBI. In Section (d), Congress
shrugged off responsibility for the computer-crime
turf-battle between the Service and the Bureau, and
made them fight it out all by themselves. The result
was a rather dire one for the Secret Service, for the
FBI ended up with exclusive jurisdiction over
computer break-ins having to do with national
security, foreign espionage, federally insured banks,
and U.S. military bases, while retaining joint
jurisdiction over all the other computer intrusions.
Essentially, when it comes to Section 1030, the FBI
not only gets the real glamor stuff for itself, but can
peer over the shoulder of the Secret Service and
barge in to meddle whenever it suits them.
The second problem has to do with the dicey
term "Federal interest computer." Section 1030(a)(2)
makes it illegal to "access a computer without
authorization" if that computer belongs to a
financial institution or an issuer of credit cards
(fraud cases, in other words). Congress was quite
willing to give the Secret Service jurisdiction over
money-transferring computers, but Congress balked
at letting them investigate any and all computer
intrusions. Instead, the USSS had to settle for the
money machines and the "Federal interest
computers." A "Federal interest computer" is a
computer which the government itself owns, or is
using. Large networks of interstate computers,
linked over state lines, are also considered to be of
"Federal interest." (This notion of "Federal interest"
is legally rather foggy and has never been clearly
defined in the courts. The Secret Service has never
yet had its hand slapped for investigating computer
break-ins that were *not* of "Federal interest," but
conceivably someday this might happen.)
So the Secret Service's authority over
"unauthorized access" to computers covers a lot of
territory, but by no means the whole ball of
cyberspatial wax. If you are, for instance, a *local*
computer retailer, or the owner of a *local* bulletin
board system, then a malicious *local* intruder can
break in, crash your system, trash your files and
scatter viruses, and the U.S. Secret Service cannot
do a single thing about it.
At least, it can't do anything *directly.* But the
Secret Service will do plenty to help the local people
who can.
The FBI may have dealt itself an ace off the
bottom of the deck when it comes to Section 1030;
but that's not the whole story; that's not the street.
What Congress thinks is one thing, and Congress
has been known to change its mind. The *real* turf-
struggle is out there in the streets where it's
happening. If you're a local street-cop with a
computer problem, the Secret Service wants you to
know where you can find the real expertise. While
the Bureau crowd are off having their favorite shoes
polished -- (wing-tips) -- and making derisive fun of
the Service's favorite shoes -- ("pansy-ass tassels") --
the tassel-toting Secret Service has a crew of ready-
and-able hacker-trackers installed in the capital of
every state in the Union. Need advice? They'll give
you advice, or at least point you in the right
direction. Need training? They can see to that, too.
If you're a local cop and you call in the FBI, the
FBI (as is widely and slanderously rumored) will
order you around like a coolie, take all the credit for
your busts, and mop up every possible scrap of
reflected glory. The Secret Service, on the other
hand, doesn't brag a lot. They're the quiet types.
*Very* quiet. Very cool. Efficient. High-tech.
Mirrorshades, icy stares, radio ear-plugs, an Uzi
machine-pistol tucked somewhere in that well-cut
jacket. American samurai, sworn to give their lives
to protect our President. "The granite agents."
Trained in martial arts, absolutely fearless. Every
single one of 'em has a top-secret security clearance.
Something goes a little wrong, you're not gonna hear
any whining and moaning and political buck-
passing out of these guys.
The facade of the granite agent is not, of course,
the reality. Secret Service agents are human beings.