ch31.htm

From "Maximum Security (First Edition)", chapter 31 (HTML source)
actual damage they have caused. What would have been, could have been, and should have been are irrelevant. If the intention of the commission is that the loss be measured by the cost to restore the file, this upward departure in sentencing is completely inconsistent. Effectively, a defendant could be given a longer prison sentence not for what he did but for what he could have done. Thus, this proposed amendment suggests that the actual loss has no bearing on the sentence, but the sentencing court's likely erroneous notion of the defendant's intent (and his knowledge of the consequences of his actions) does.</P>
<P>At any rate, most states have modeled their computer law either on the Computer Fraud and Abuse Act or on principles very similar to it. The majority treat unauthorized access and tampering, and occasionally some other activity as well.
<H3><FONT COLOR="#000077"><B>California</B></FONT></H3>
<P>California is the computer crime and fraud capital of the world. On that account, the Golden State has instituted some very well-defined laws regarding computer cracking. The major body of this law can be found in California Penal Code, Section 502. It begins, like most such statutes, with a statement of intent:
<DL>
	<DD>It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data.
The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.</DL>
<BLOCKQUOTE>
	<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Visit <A HREF="http://www.leginfo.ca.gov/"><TT>http://www.leginfo.ca.gov/</TT></A> to see the California Penal Code, Section 502 in full. <HR>
</BLOCKQUOTE>
<P>The statute is comprehensive. It basically identifies a laundry list of activities that come under its purview, including but not limited to any unauthorized action that amounts to intrusion or to deletion, alteration, theft, copying, viewing, or other tampering with data. The statute even directly addresses the issue of denial of service.</P>
<P>The penalties are as follows:
<UL>
	<LI>For simple unauthorized access that does not amount to damage in excess of $400, either a $5,000 fine or one year of imprisonment or both<BR>
	<BR>
	<LI>For unauthorized access amounting to actual damage greater than $400, a $5,000 fine and/or a term of imprisonment of 16 months, two years, or three years in state prison or one year in county jail
</UL>
<P>As you might expect, the statute also provides for comprehensive civil recovery for the victim.
Parents should take special note of subsection (e)1 of that title:
<DL>
	<DD>For the purposes of actions authorized by this subdivision, the conduct of an unemancipated minor shall be imputed to the parent or legal guardian having control or custody of the minor...
</DL>
<P>That means if you are the parent of a child cracking in the state of California, you (not your child) shall suffer the civil penalties.</P>
<P>Another interesting element of the California statute is that it provides for possible jurisdictional problems that could arise. For example, say a user in California unlawfully accesses a computer in another state:
<DL>
	<DD>For purposes of bringing a civil or a criminal action under this section, a person who causes, by any means, the access of a computer, computer system, or computer network in one jurisdiction from another jurisdiction is deemed to have personally accessed the computer, computer system, or computer network in each jurisdiction.
</DL>
<P>I do not know how many individuals have been charged under 502, but I would suspect relatively few. The majority of computer cracking cases seem to end up in federal jurisdiction.
<H3><FONT COLOR="#000077"><B>Texas</B></FONT></H3>
<P>In the state of Texas, things are a bit less stringent (and far less defined) than they are in California. The Texas Penal Code says merely this:
<DL>
	<DD>A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.
</DL>
<BLOCKQUOTE>
	<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Find the Texas Penal Code on the Web at <A HREF="http://www.capitol.state.tx.us/statutes/pe/pe221.htm"><TT>http://www.capitol.state.tx.us/statutes/pe/pe221.htm</TT></A>.
	<HR>
</BLOCKQUOTE>
<P>In all instances where the defendant's actions are undertaken without the intent &quot;to obtain a benefit or defraud or harm another,&quot; the violation is a Class A misdemeanor.
However, if the defendant's actions are undertaken with such intent, the offense can be a state jail felony (if the amount is $20,000 or less) or a felony in the third degree (if the amount exceeds $20,000).</P>
<P>There is one affirmative defense:
<DL>
	<DD>It is an affirmative defense to prosecution under Section 33.02 that the actor was an officer, employee, or agent of a communications common carrier or electric utility and committed the proscribed act or acts in the course of employment while engaged in an activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the communications common carrier or electric utility.
</DL>
<P>It is also interesting to note that the term <I>access</I> is defined within the construct of the statute to mean the following:
<DL>
	<DD>...to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer software in, or otherwise make use of any resource of a computer, computer system, or computer network.
</DL>
<P>Does this suggest that scanning the TCP/IP ports of a computer in Texas is unlawful? I believe that it does, though the statute has probably not been used for this purpose.
<H3><FONT COLOR="#000077"><B>Other States</B></FONT></H3>
<P>Most other states have almost identical laws. Nevertheless, there are a few special points that I would like to focus on, by state. Some are interesting and others are amusing. Table 31.1 offers a few examples.
<H4><FONT COLOR="#000077"><B>Table 31.1. Interesting United States computer crime provisions.</B></FONT></H4>
<P><TABLE BORDER="1">
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP"><I>State</I></TD>
		<TD ALIGN="LEFT" VALIGN="TOP"><I>Provision</I></TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Alaska</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">One can commit the crime of (and be subject to punishment for) deceiving a machine.
This is so even though a machine is neither a sentient being nor capable of perception. Hmmm.</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Connecticut</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Provides for criminal and civil penalties for disruption of computer services (even the degradation of such services). Clearly, ping flooding and SYN flooding are therefore crimes in Connecticut.</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Georgia</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">Crackers, take note: Do not perform your cracking in the state of Georgia. The penalties are stiff: 15 years and a $50,000 fine. Ouch.</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Hawaii</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">The system breaks unauthorized use and access into two different categories, and each category has three degrees. Just taking a look inside a system is a misdemeanor. Fair enough.</TD>
	</TR>
	<TR ALIGN="LEFT" rowspan="1">
		<TD ALIGN="LEFT" VALIGN="TOP">Minnesota</TD>
		<TD ALIGN="LEFT" VALIGN="TOP">This state has a special subdivision that provides for penalties for individuals who create or use destructive computer programs.</TD>
	</TR>
</TABLE></P>
<P>Information about computer crime statutes can be obtained from the Electronic Frontier Foundation. EFF maintains a list of computer crime laws for each state. Of particular interest is that, according to the EFF's compilation, as of May 1995 the state of Vermont had no specific provisions for computer crimes. This would suggest either that very little cracking has been done in Vermont or, more likely, that such crimes are prosecuted under garden-variety trespassing and theft laws.
<BLOCKQUOTE>
	<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>EFF's Web site is located at <TT>http://www.eff.org/</TT>.
EFF's list of computer crime laws for each state (last updated in May 1995) can be found at <A HREF="http://www.eff.org/pub/Privacy/Security/Hacking_cracking_phreaking/Legal/comp_crime_us_state.laws"><TT>http://www.eff.org/pub/Privacy/Security/Hacking_cracking_phreaking/Legal/comp_crime_us_state.laws</TT></A>.
	<HR>
</BLOCKQUOTE>
<H3><FONT COLOR="#000077"><B>The Law in Action</B></FONT></H3>
<P>Despite the often harsh penalties for computer crimes, crackers are rarely sentenced by the book. The average sentence is about one year. Let's take a look at a few such cases:
<UL>
	<LI>A New York youngster named Mark Abene (better known as Phiber Optik) compromised key networks, including one division of Bell Telephone and a New York television station. A United States District Court sentenced Abene to one year in prison. (That sentence was handed down in January 1994.) Abene's partners in crime also received lenient sentences, ranging from a year and a day down to six months in federal prison.<BR>
	<BR>
	<LI>John Lee, a young student in New York, was sentenced to a year and a day in federal prison after breaching the security of several telecommunications carriers, an electronics firm, and a company that designed missiles.
</UL>
<P>To date, the longest period spent in custody by an American cracker was served by Californian Kevin Poulsen. Poulsen was unfortunate enough to crack one site containing information that was considered by the government to be defense related. He was therefore charged under espionage statutes. Poulsen was held for approximately five years, being released only this past year after shaking those spying charges. As reported in the <I>L.A. Times</I>:
<DL>
	<DD>...the espionage charge was officially dropped Thursday as part of the agreement crafted by Poulsen's lawyer and the U.S. attorney's office.
In exchange, he pleaded guilty to charges of possessing computer access devices, computer fraud, and the use of a phony Social Security card, according to his defense attorney, Paul Meltzer.
</DL>
<P>There is a strong unwillingness by federal courts to sentence these individuals to the full term authorized by law. This is because, in many instances, to do so would be an injustice. Security personnel often argue that cracking into a network is the ultimate sin, something for which a cracker should never be forgiven. These statements, however, are coming from individuals in constant fear that they are failing at their basic occupation: securing networks. Certainly, any security expert whose network comes under successful attack from the void will be angry and embarrassed. Shimomura, oddly enough, has recovered nicely. (This recovery is no doubt therapeutic for him as well, for he produced a book that had national distribution.) But the basic fact remains: One of the most talented security specialists in the world was fleeced by Kevin Mitnick. It is irrelevant that Mitnick was ultimately captured. The mere fact that he cracked Shimomura's network is evidence that Shimomura was dozing on the job. So, statements from security folks about sentencing guidelines should be taken with some reservation.</P>
<P>In reality, the previous generation of crackers (and that includes Mitnick, who was not yet old enough to drive when he began) were not destructive. They were an awful nuisance perhaps, and of course, telephone service was often stolen. However, damage was a rare aftermath. In contrast, the new generation of cracker is destructive. Earlier in this book, I discussed a university in Hawaii that was attacked (the university left a gaping hole in its SGI machines). In that case, damage was done and significant effort and costs were incurred to remedy the problem.
Similarly, the theft of source code from Crack Dot Com (the makers of the awesome computer game, Quake) was malicious.</P>
<P>This shift in the character of the modern cracker will undoubtedly trigger stiffer sentences in the future. Social and economic forces will also contribute to this change. Because the network is going to be used for banking, I believe the judiciary will take a harsher look at cracking. Nonetheless, something tells me that American sentences will always remain more lenient than those of, say, China.
<H2><FONT COLOR="#000077"><B>China</B></FONT></H2>
<P>China has a somewhat harsher attitude towards hackers and crackers. For example, in 1992, the Associated Press reported that Shi Biao, a Chinese national, managed to crack a bank, making off with some $192,000. He was subsequently apprehended and convicted. His sentence? Death. Mr. Biao was executed in April 1993. (Note to self: Never crack in China.)</P>
<P>In any event, the more interesting features of China's laws expressly related to the Internet can be found in a curious document titled <I>The Provisional Regulation on the Global Connection via Computer Information Network by the People's Republic of China</I>. In the document, several things become immediately clear. First, the Chinese intend to control all outgoing traffic. They have therefore placed certain restrictions on how companies can connect:
<DL>
	<DD>A computer network will use the international telecommunications paths provided by the public telecommunications operator of the Bureau of Posts and Telecommunications when accessing the Internet directly.
Any sections or individuals will be prohibited from constructing and using independent paths to access the Internet.
</DL>
<P>Moreover, the Chinese government intends to intercept and monitor outgoing traffic:
<DL>
	<DD>The existing interconnected networks will go through screening and will be adjusted when necessary in accordance with the regulations of the State Council, and will be placed under the guidance of the Bureau of Posts and Telecommunications. Construction of a new interconnected network will require permission from the State Council.
</DL>
<BLOCKQUOTE>
	<P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B><I>The Provisional Regulation on the Global Connection via Computer Information Network by the People's Republic of China</I> can be found on the Web at <TT>http://www.smn.co.jp/topics/0087p01e.html</TT>.
	<HR>
</BLOCKQUOTE>
