Emmanuel Goldstein Fri, 30 Nov 90 01:00:21 pst The following is from the forthcoming Autumn 1990 edition of 2600, The Hacker Quarterly. We would appreciate it being distributed to as many interested people as possible. We consider this to be a very major and very frightening issue. If there are any questions or comments, we can be reached at 2600@well.sf.ca.us or (516) 751-2600. Emmanuel Goldstein, Editor, 2600 Magazine - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Over the past year there has been a great deal of publicity concerning the actions of computer hackers. Since we began publishing in 1984 we've pointed out cases of hackers being unfairly prosecuted and victimized. We wish we could say things were getting better but we cannot. Events of recent months have made it painfully clear that the authorities, above all else, want to "send a message". That message of course being that hacking is not good. And there seems to be no limit as to how far they will go to send that message. And so we come to the latest chapter in this saga: the sentencing of three hackers in Atlanta, Georgia on November 16. The three, Robert Riggs (The Prophet), Frank Darden, Jr. (The Leftist), and Adam Grant (The Urville) were members of the Legion of Doom, one of the country's leading hacker "groups". Members of LOD were spread all over the world but there was no real organization, just a desire to learn and share information. Hardly a gang of terrorists, as the authorities set out to prove. The three Atlanta hackers had pleaded guilty to various charges of hacking, particularly concerning SBDN (the Southern Bell Data Network, operated by BellSouth). Supposedly Riggs had accessed SBDN and sent the now famous 911 document to Craig Neidorf for publication in PHRACK. Earlier this year, BellSouth valued the document at nearly $80,000. However, during Neidorf's trial, it was revealed that the document was really worth $13. That was enough to convince the government to drop the case. But Riggs, Darden, and Grant had already pleaded guilty to accessing BellSouth's computer. Even though the facts in the Neidorf case showed the world how absurd BellSouth's accusations were, the "Atlanta Three" were sentenced as if every word had been true. Which explains why each of them received substantial prison time, 21 months for Riggs, 14 months for the others. We're told they could have gotten even more. This kind of a sentence sends a message all right. The message is that the legal system has no idea how to handle computer hacking. Here we have a case where some curious people logged into a phone company's computer system. No cases of damage to the system were ever attributed to them. They shared information which we now know was practically worthless. And they never profited in any way, except to gain knowledge. Yet they are being treated as if they were guilty of rape or manslaughter. Why is this? In addition to going to prison, the three must pay $233,000 in restitution. Again, it's a complete mystery as to how this staggering figure was arrived at. BellSouth claimed that approximate figure in "stolen logins/passwords" which we have a great deal of trouble understanding. Nobody can tell us exactly what that means. And there's more. BellSouth claims to have spent $1.5 million tracking down these individuals. That's right, one and a half million dollars for the phone company to trace three people! And then they had to go and spend $3 million in additional security. Perhaps if they had sprung for security in the first place, this would never have happened. But, of course, then they would have never gotten to send the message to all the hackers and potential hackers out there. We think it's time concerned people sent a message of their own. Three young people are going to prison because a large company left its doors wide open and doesn't want to take any responsibility. That in itself is a criminal act. We've always believed that if people cause damage or create a nuisance, they should pay the price. In fact, the LOD believed this too. So do most hackers. And so does the legal system. By blowing things way out of proportion because computers were involved, the government is telling us they really don't know what's going on or how to handle it. And that is a scary situation. If the media had been on top of this story and had been able to grasp its meaning, things might have been very different indeed. And if BellSouth's gross exaggerations had been taken into account at the sentencing, this injustice couldn't have occurred. Consider this: if Riggs' sentence were as much of an exaggeration as BellSouth's stated value of their $13 document, he would be able to serve it in full in just over two hours. And the $233,000 in restitution would be under $40. So how much damage are we really talking about? Don't look to BellSouth for answers. In early 1991, the three are to begin their sentences. Before that happens, we need to reach as many people as possible with this message. We don't know if it will make a difference in this particular case if the general public, government officials, and the media hear this side of the story. But we do know it would be criminal not to try.