LACC: Account sharing leads to false imprisonment

[Dr. Frederick B. Cohen]

...
> What I find so amazing is the fascinating arguments exposed here. Let's
> see... First, let me say I start from a different point of view.
> 
> I see the University as a place for forming people and distributing ideas,
> not juts the ideas of the "Establishment", but all kind of ideas. A place for 
> the free interchange of all ideas and the formation of new persons.

This may be the first problem you will encounter if you try to really
put forth new ideas in the University community.  You may find that they
are more oriented toward getting grants and keeping their jobs that
toward free expression of new ideas.  If you like, I will give you at
least two examples I have personally run into where "academic freedom"
was given a back seat to whatever else they had in mind.

> Now, all your message transpires a special horror against the dispersion
> of "anti-establishment" ideas. Of things that one could find "disturbing"
> from some point of view...

I strongly disagree.  I said nothing about the ideas being disturbing. 
The thing that was wrong was the illegal use of someone else's computers
without their permission.  I said nothing - I repeat NOTHING about the
ideas being the problem.

...
> >From your message, it looks like you want instead the Spanish Inquisition back:
> if someone distributes strange ideas -anarchist, communist, etc...- that 
> person is a risk for the stablishment and should be punished. Isn't it?

Again, you either didn't read what I wrote, or read it with a mindset
that ignored what I actually wrote.  I said nothing - I repeat NOTHING
about the ideas being the problem. 

> >Ignorance of the law is no excuse, and being easy to catch doesn't make
> >you innocent of a crime.
> >
> 	Yeah, but not showing volunteer to hide, expressing opinions openly,
> is not being easy to catch, it's being confident in one's freedom of speech
> and on the democratic system to protect it. Even in spite of overzealous
> system administrators.

Hardly.  If I break into your computer by making unauthorized use of
your password, and if your computer is connected to the Internet, I am
breaking the law.  It has nothing to do with what I use the account for. 

> >> facility computer, received a complaint from someone at the University
> >> of British Columbia about The Anarchives being posted to net news. The
> >> person wanted it stopped.
> >
> >Interstate transport of stolen (presumably copyrighted) property, possible
> >violation of national laws of both nations.  Unauthorized use of the
> >computers at the University of British Columbia.
> >
> 	Well, I don't know if that was copyrighted property. But, if it was,
> it was up to the (C) holder to decide what actions if any to take. BSD-Unix 
> is copyrighted code, but I wouldn't say that all the copies around are illegal,
> or stolen.

All material is copyrighted from its inception at this point in time
(as I interpret US law - but then I am not a lawyer).

> 	Unauthorized use? May I say that if that person asked someone (whomever)
> for permission, then it is whoever gave permission (if any) who should be
> pursued instead? I guess that if a poor guy is sold the Golden Gate, it is not
> that poor guy's fault as much as the "seller's".

That is an interesting proposition.  In fact, as I understand it, if the
person granting access was a University employee, they would have been
acting for the University and the use would therefore have been
authorized.  But since the step-brother was not acting in the capacity
of a University employee when granting use, the use was unauthorized. 
The US statutes state (as far as I can tell) that any unauthorized use
of a federal interest computer (which includes any computer connected to
an Interstate communications system) in excess of $500 is a felony. 
There is no requirement for mens re (criminal intent) at this point
either.  This is one of the things many people disagree with in the
US vs. Morris case of 1988.

> 	Ah, but that guy was distributing "anarchistic" information: he
> must have been pretty bad intentioned then. No one should have "unauthorized
> ideas" and even less dare to distribute or share them. I see.
> 
> 	Great that if someone complains about the distribution of 'X' kind
> of ideas there's always a willing sysadmin to hunt the witch instead of
> defending freedom of speech. Great.

Again you miss the target.  Just because the anarchist information got
the attention of the systems administrator doesn't mean that this had
anything to do with the law that was (perhaps) broken.  It could have
been cooking instructions for BLT sandwiches - the law doesn't
differentiate - but those who enforce the law are concerned about
terrorism and insurrection, so they look at those cases sooner than the
others.

> >> have different last names, Gorrie concluded a larger hacker conspiracy
> >> was afoot.
> >
> >Reasonable assumption.  The only way to find out different would be to
> >violate the users' privacy by reading their mail, etc.
> >
> 	What? May I suggest that, if the account has a owner, and a system
> manager, and all that, those people should be asked prior to jumping to
> conspiracy theories? The same kind of reasoning lead many innocents to die
> with the Spanish Inquisition: hey, they were plotting with the devil against
> god laws. Sorry, but I think a phone call to the implicated persons can
> easily clear all those doubts without "electronic surveillance" as you propose.

The comparison of this case to the Spanish inquisition is just not
relevent or in any way valid.  When you use someone else's account on a
computer and that use is not authorized byt he owners or their
designated assignees, you are risking prosecution.  If a sysop catches
you doing it, it is, presumably, their job to investigate, call in
proper authorities, and so on. 

> >Collected possible evidence.  A good idea.  Allerting potential criminals
> >
> 	Yeah. I suppose that if they were expressing distrubing ideas, they
> were "potential criminals"... What else could they possibly be?

No, the actor was a criminal because of the unauthorized access, not
because of the ideas being expressed.  However, given that we have two
criminals, one who is expressing ideas about better BLT sandwich
recepies and one who is expressing ideas about anarchy, the priority in
the investigation will almost certainly go to the one expressing ideas
about anarchy - because of the perception by law enforcement (valid or
not) that anarchists are more likely to blow up federal buildings than
chefs.

> >If he turned out to be a terrorist who was planning to blow up a
> >building, you would have called this a tremendous piece of police work,
> >they could have written a million-selling book, and you would hail the
> >sysadmin as a computer age hero.
> >
> 	Great! I guess that prettily summarizes all: "if" he had turned to
> be a "fill in your fears here". Just the same as it was with the Inquisition,
> if they were good guys they shouldn't fear torture or dying for God. And it
> was better to torture innocents than allowing any "potential bad guy" to get
> along.

Again, your analogy goes way too far for the reality here. 
Investigation is not "torture or dying" - and the investigation found
that a crime may have been committed, so the person was arrested and, in
the end, the result came to having to pay the approximate cost of the
unauthorized services taken.  It just doesn't sound like the Spanish
inquisition to me.

> >So Hirsh agreed that he had been illegally using the computer system
> >and the case was settled with a monetary fine.
> >
> 	I bet so. Under torture many innocents also confessed. And faced with
> a multimillion dollar trial which, if you can't afford- will take you to
> jail (which can be a real torture), I guess that most innocents will prefer
> to go along with a smaller fine.
...

You make a lot of assumptions here - like that Hirsh was tortured by
being arrested - that he was raped in jail - and that he was arrested
for the ideas he was expressing.

This is a lot of hogwash. 

Being tortured is nothing like being taken to a Canadian jail (with the
possible exception of having to eat the food - but he got out before
that became a necessity).  When you use someone's computer - just as
when you use their car - without permission, you risk being arrested.
That is what he was arrested for, as far as I can tell.

If you don't want to be arrested, don't use other peoples' accounts!
It's wrong, it's illegal, and if I catch you doing it on my computer, I
will try to have you arrested as well. 

...

> Look, I don't really know about the case. But I do really understand one thing:
> if this guy hadn't posted what some person considered were "pernicious ideas"
> he would have never been tracked down, villipendiated and taken to trial.

Right - if you are going to break the law, don't call attention to
yourself.  If you do, they will try to catch you.  Otherwise, they
may not even notice you.

> I don't care about if he was using public resources for something they shouldn't
> be. That's something else to be discussed. Is it wrong to use a University
> to spread ideas, specially when the mainstream media avoid them? I won't
> comment on that.

That is the only issue here as far as I can tell.  The rest is just a
smoke screen to try to excuse people from their social responsibility.
It's like saying Robin Hood didn't break the law because he gave what he
stole to the poor.  In Robin's case their may have been a legaly valid
excuse (something about a necessity defense), but in this case, there
was no such thing. 

Why do you claim that it is acceptable to break the law if you post
anarchist ideas when it is not acceptable when you post BLT recepies?

-- 
-> See: Info-Sec Heaven at URL http://all.net
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236