Hackers are 'Terrorists' Under Ashcroft's New Act 1021
Carlos writes "Most computer crimes are considered acts of terrorism under John Ashcroft's proposed 'Anti-Terrorism Act,' according to this story on SecurityFocus. The Act would abolish the statute of limitations for computer crime, retroactively, force convicted hackers to give the government DNA samples for a special federal database, and increase the maximum sentence for computer intrusion to life in prison. Harboring or providing advice to a hacker would be terrorism as well. This is on top of the expanded surveillance powers already reported on. The bill could be passed as early as this week. I feel safer already."
There's too many of us (Score:2, Informative)
Put us all in prison, and prisons will be freer than out here.
The true hacker is absolutely, completely, devoted to freedom.
-wp
Hey, Whattaya Want? (Score:1, Informative)
Here's the story. (Score:2, Informative)
By Kevin Poulsen
Sep 23 2001 11:00PM PT
Hackers, virus-writers and web site defacers would face life imprisonment without the possibility of parole under legislation proposed by the Bush Administration that would classify most computer crimes as acts of terrorism.
The Justice Department is urging Congress to quickly approve its Anti-Terrorism Act (ATA), a twenty-five page proposal that would expand the government's legal powers to conduct electronic surveillance, access business records, and detain suspected terrorists.
The proposal defines a list of "Federal terrorism offenses" that are subject to special treatment under law. The offenses include assassination of public officials, violence at international airports, some bombings and homicides, and politically-motivated manslaughter or torture.
Most of the terrorism offenses are violent crimes, or crimes involving chemical, biological, or nuclear weapons. But the list also includes the provisions of the Computer Fraud and Abuse Act that make it illegal to crack a computer for the purpose of obtaining anything of value, or to deliberately cause damage. Likewise, launching a malicious program that harms a system, like a virus, or making an extortionate threat to damage a computer are included in the definition of terrorism.
To date no terrorists are known to have violated the Computer Fraud and Abuse Act. But several recent hacker cases would have qualified as "Federal terrorism offenses" under the Justice Department proposal, including the conviction of Patrick Gregory, a prolific web site defacer who called himself "MostHateD"; Kevin Mitnick, who plead guilty to penetrating corporate networks and downloading proprietary software; Jonathan "Gatsby" Bosanac, who received 18-months in custody for cracking telephone company computers; and Eric Burns, the Shoreline, Washington hacker who scrawled "Crystal, I love you" on a United States Information Agency web site in 1999. The 19-year-old was reportedly trying to impress a classmate with whom he was infatuated.
The Justice Department submitted the ATA to Congress late last week as a response to the September 11th terrorist attacks in New York, Washington and Pennsylvania that killed some 7,000 people.
As a "Federal terrorism offense," the five year statute of limitations for hacking would be abolished retroactively -- allowing computer crimes committed decades ago to be prosecuted today -- and the maximum prison term for a single conviction would be upped to life imprisonment. There is no parole in the federal justice system
Those convicted of providing "advice or assistance" to cyber crooks, or harboring or concealing a computer intruder, would face the same legal repercussions as an intruder. Computer intrusion would also become a predicate offense for the RICO statutes.
DNA samples would be collected from hackers upon conviction, and retroactively from those currently in custody or under federal supervision. The samples would go into the federal database that currently catalogs murderers and kidnappers.
Civil liberties groups have criticized the ATA for its dramatic expansion of surveillance authority, and other law enforcement powers.
But Attorney General John Ashcroft urged swift adoption of the measure Monday.
Testifying before the House Judiciary Committee, Ashcroft defended the proposal's definition of terrorism. "I don't believe that our definition of terrorism is so broad," said Ashcroft. "It is broad enough to include things like assaults on computers, and assaults designed to change the purpose of government."
The Act is scheduled for mark-up by the committee Tuesday morning.
Re:Somebody has to say it, but... (Score:3, Informative)
I'm not against bad things being a crime, but who gets to define what is a crime or not? And what about when new types of hacking/cracking come out? Maybe windows virus authors should be made criminals? How about websites that use cookies to track you (doubleclick anyone?).
The problem with computers and hacking in general is that it's very hard to narrowly define what is and isn't a crime. Mitnick is a sure sign of this, as is Dimitri. On one side ($$) it's a crime of epic proportions, on the other side it's harmless fun, investigation, proving a point, whatever. This has been a problem since phreaking and probably far before....
The actual Anti-Terrorism Act bill (Score:1, Informative)
Unconstitutional (Score:2, Informative)
abolish the statute of limitations for computer crime, retroactively...
From Article I, section 9, paragraph 3:
"No Bill of Attainder or ex post facto Law shall be passed".
Ex Post Facto refers to laws having a retroactive effect, for those of you wondering.
So, as always, IANAL, but this sure doesn't sound constitutional to me.
Re:Somebody has to say it, but... (Score:2, Informative)
List of contacts (Score:5, Informative)
Judiciary Committee List
Name, party, state, phone, fax, e-mail.
James Sensenbrenner, Chair, R-WI, (202) 225-5101,(202) 225-3190,sensen09@mail.house.gov
Henry Hyde, R-IL, (202) 225-4561, (202) 225-1166.
John Conyers Jr., D-MI, (202) 225-5126, (202) 225-0072,john.conyers@mail.house.gov
George Gekas, R-PA, (202) 225-4315, (202) 225-8440, askgeorge@mail.house.gov
Barney Frank, D-MA, (202) 225-5931, (202) 225-0182
Howard Coble, R-NC, (202) 225-3065, (202) 225-8611, howard.coble@mail.house.gov
Howard Berman, D-CA, (202) 225-4695, (202) 225-3196,Howard.Berman@mail.house.gov
Lamar Smith, R-TX, (202) 225-4236, (202) 225-8628
Rick Boucher, D-VA, (202) 225-3861, (202) 225-0442,ninthnet@mail.house.gov
Elton Gallegly, R-CA, (202) 225-5811, (202) 225-1100
Jerrold Nadler, D-NY, (202) 225-5635, (202) 225-6923, jerrold.nadler@mail.house.gov
Bob Goodlatte, R-VA, (202) 225-5431, (202) 225-9681,talk2bob@mail.house.gov
Bobby Scott, D-VA, (202) 225-8351, (202) 225-8354
Steve Chabot, R-OH, (202) 225-2216, (202) 225-3012
Mel Watt, D-NC, (202) 225-1510, (202) 225-1512, nc12.public@mail.house.gov
Bob Barr, R-GA, (202) 225-2931, (202) 225-2944, barr.ga@mail.house.gov
Zoe Lofgren, D-CA, (202) 225-3072, (202) 225-3336, zoe@lofgren.house.gov
William Jenkins, R-TN, (202) 225-6356, (202) 225-5714
Sheila Jackson Lee, D-TX, (202) 225-3816, (202)225-3317, tx18@lee.house.gov
Christopher Cannon, R-UT, (202) 225-7751, (202)225-5629, cannon.ut03@mail.house.gov
Maxine Waters, D-CA, (202) 225-2201, (202) 225-7854
Lindsey Graham, R-SC, (202) 225-5301, (202) 225-3216
Marty Meehan, D-MA, (202) 225-3411, (202) 226-0771, martin.meehan@mail.house.gov
Spencer Bachus, R-AL, (202) 225-4921, (202) 225-2082
William Delahunt, D-MA, (202) 225-3111, (202)225-5658, william.delahunt@mail.house.gov
John Hostettler, R-IA, (202) 225-4636, (202)225-3284, john.hostettler@mail.house.gov
Robert Wexler, D-FL, (202) 225-3001, (202) 225-5974
Mark Green, R-WI, (202) 225-5665, (202) 225-5729, mark.green@mail.house.gov
Tammy Baldwin, D-W, (202) 225-2906, (202) 225-6942, tammy.baldwin@mail.house.gov
Ric Keller, R-FL, (202) 225-2176, (202) 225-0999
Anthony David Weiner, D-NY, (202) 225-6616, (202)226-7253
Darrell Issa, R-CA, (202) 225-3906, (202) 225-3303
Adam Schiff, D-CA, (202) 225-4176, (202) 225-5828
Melissa Hart, R-PA, (202) 225-2565, (202) 226-2274, melissa.hart@mail.house.gov
Jeff Flake, R-AZ, (202) 225-2635, (202) 226-4386
So let's do something about it (Score:5, Informative)
It takes TEN letters (dead tree letters, email gets deleted immediately) for a Senatorial office to open an issue. TEN. (According to Illinois Senator Dick Durban.) And regardless of the advertising and commercials that politicians raise huge war chests to fund, on election day it is YOUR VOTE that decides who ends up in DC. (East Coast, you have no say over the West Coast one.)
I'd like to issue a call to everyone who posted something modded up to 3 or above: Write a letter to your representatives with the same level of intelligence and Interesting/Insightful content. Write it once and send it three times, once to your Congressperson, and once to each Senator. Fax it if you'd prefer. (Snail mail and fax are what they like the most.) Keep it to one page. Reference the Constitution. Refer to yourself with your most impressive title. (Professor, Ph.d, Senior Engineer, Graduate Student, Independent Developer) and as a registered voter. In the name of the Tux do not tell them that you don't vote, even if that's the case (in which case you should be ashamed of yourself). Then when the next election rolls around, ignore the commercials, take an hour to do your own research, and vote for the candidate that did not support revoking the 4th Amendment and violating Ex Post Facto. It works. (See also: Former Senator Alan Dixon)
For those of you in countries outside of the US, the same applies to you. The Canadian, British, Australian, French, German, etc. governments are all popularly elected as well. (At least the active parts of the British government, anyway.) Politicians are the same everywhere. The same tactics apply. Use them. If you don't, you have no one to blame but yourselves.
Re:Flying Instructors (Score:2, Informative)
Very disturbing, but not quite as bad as it seems. (Score:3, Informative)
The specific sections of "computer crime" law that appear to be reclassified as "terrorist acts" appear to be only:
1030(a)(1), (a)(4), (a)(5)(A), or (a)(7) (relating to protection of computers)
Which are:
- (a) Whoever -
- (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
- (5)
- (Interestingly, they don't seem to include B and C under this act as "terrorism", which are similar to section A, and are almost identical to each other - I have no idea why they have them. "B" says "(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage;". C is word-for-word the same, except without the word "recklessly". ANy idea why they have them both?)
- (7) with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer; shall be punished as provided in subsection (c) of this section.
In short, the only "computer crimes" listed as "terrorism" by this act are stealing US Gov't, Inc secrets by computer, maliciously hacking into a system with intent to steal valuables (aside from CPU cycles), and using threats of malicious computer hacking to extort.(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;[...]
(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
The only one that concerns me very much here is 5A - it seems like high-paid corporate lawyers could easy "prove" that for example, if 1337D00D@scriptkiddy.com maliciously hacks into www.microsoft.com and puts a link to his website on the index page, that he's obtained at least $5000 worth of advertisement...
Come to think of it, I'm a little leery of the "or exceeds authorized access" bit in (4) - if one "accesses" a computer to purchase and legally download some proprietary "protected" piece of music or video, and finds a way to convert it to a nonproprietary format for personal use, has one "exceeded authorized access" and is therefore not merely a DMCA Criminal but a full-fledged DMCA Terrorist? It's a bit of a stretch, but I think a wealthy corporation can buy enough lawyer-approved powerpoint slides "proving" this to a non-technical jury...
Here is the applicable United States Code (Score:2, Informative)
"SS 25. Federal terrorism offense defined
As used in this title, the term `Federal terrorism offense' means a violation of, or an attempt or conspiracy to violate-
...1030(a)(1), (a)(4), (a)(5)(A), or (a)(7) (relating to protection of computers)... "
And here are the sections from the US Code [cornell.edu] that it refers to:
"Sec. 1030. Fraud and related activity in connection with computers
(a) Whoever -
(1) having knowingly accessed a computer without authorization
or exceeding authorized access, and by means of such conduct
having obtained information that has been determined by the
United States Government pursuant to an Executive order or
statute to require protection against unauthorized disclosure for
reasons of national defense or foreign relations, or any
restricted data, as defined in paragraph y. of section 11 of the
Atomic Energy Act of 1954, with reason to believe that such
information so obtained could be used to the injury of the United
States, or to the advantage of any foreign nation willfully
communicates, delivers, transmits, or causes to be communicated,
delivered, or transmitted, or attempts to communicate, deliver,
transmit or cause to be communicated, delivered, or transmitted
the same to any person not entitled to receive it, or willfully
retains the same and fails to deliver it to the officer or
employee of the United States entitled to receive it;
(4) knowingly and with intent to defraud, accesses a protected
computer without authorization, or exceeds authorized access, and
by means of such conduct furthers the intended fraud and obtains
anything of value, unless the object of the fraud and the thing
obtained consists only of the use of the computer and the value
of such use is not more than $5,000 in any 1-year period;
(5)
(A) knowingly causes the transmission of a program,
information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protected
computer;
(7) with intent to extort from any person, firm, association,
educational institution, financial institution, government
entity, or other legal entity, any money or other thing of value,
transmits in interstate or foreign commerce any communication
containing any threat to cause damage to a protected computer; "
now IANAL, but this seems to make the following things terrorism:
1) Getting or transmitting any information that can be a threat to national security via computer (ie classified stuff)
2) Knowingly and intentionally doing damage to a computer system of at least $5000
3) Making and spreading viruses and computer worms
4) Threatening to do any of the above (within federal jurisdiction), with the intent to do it.
That's my interpretation, and it's probably wrong. I'm mainly posting this for easy reference.
NOT After Every Hacker (Score:4, Informative)
This list hardly seems to encompass "most computer crimes". For instance merely accessing or stealing non-classified information is not a terrorist act. Nor does it include breaking encryption ala DMCA. Defacing websites is not a terrorist act unless the computer belongs to one of the above categories and changing the website results in nontrivial financial losses. Writing viruses/worms is not a terrorist act unless you intentionally use it in a way that damages "protected" computers. (From the wording, I wouldn't interpret this to include merely releasing it into the wild, but a judicial ruling would have to clarify that issue). The crimes they are signaling out are pretty significant stuff and not just any old act of hacking. Let's not further contribute to the FUD.
What follows are excerpts of the laws in question:
From The Anti-Terrorism Act of 2001 (Draft 2)
http://www.eff.org/Privacy/Surveillance/20010919_
Sec. 309: "...the term 'Federal terrorism offense' means a violation of, or an attempt or conspiracy to violate...1030(a)(1), (a)(4), (a)(5)(A), or (a)(7) (relating to protection of computers)..."
From US Code Title 18, Section 1030
http://www4.law.cornell.edu/uscode/18/1030.html [cornell.edu]
(a)(1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y. of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(a)(4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(a)(5)(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(a)(7) with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer; shall be punished as provided in subsection (c) of this section
Under the same Section, part (d)(e)(2) and (8): (2) the term "protected computer" means a computer -
- (A) exclusively for the use of a financial institution or the
United States Government, or, in the case of a computer not
exclusively for such use, used by or for a financial
institution or the United States Government and the conduct
constituting the offense affects that use by or for the
financial institution or the Government; or
- (B) which is used in interstate or foreign commerce or
communication;
(8) the term "damage" means any impairment to the integrity or availability of data, a program, a system, or information, that -Re:perversion (Score:1, Informative)
Okay, so now *maliciously* breaking into basically any computer system is a terrorist act. Couple this with the rest of the increases in anti-terroism this bill contains, and you're doing *LIFE* in FEDERAL PRISON (aka "no parole") because your Anti-CodeRed Perl script took down some dipshit's enterprise server. Meanwhile child molestors get time off for good behavior.
The simple solution is to track down and kill any sysadmins that would report you for doing this. You'd get out of jail a lot sooner.
CFAA Applies TO EVERY COMPUTER (Score:4, Informative)
You are so wrong you can't believe it. The CFAA defines a "protected computer" to mean a computer that is used in interstate commerce. This means any computer connected to the internet or a modem.
I have litigated CFAA civil actions, and I am here to tell you that virtually ANY unauthorized access where virtually ANY valuable information is received, or where ANY valuable data is modified or changed is quite arguably sufficient to lay down a prima facie case.
This bill is as bad as you first thought it was.
Re:discover a LAN, go to JAIL (Score:3, Informative)
I found this text (from 1030(a)(1), (a)(4), (a)(5)(A)):
(5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
so, does this also mean that if I happen to ping some windows box and maybe it crashes when I ping it (that doesn't surprise me, does it surprise you?), and that windows box belongs to some whitehouse bigwig, am I now a terrorist?
Terrorism? (Score:2, Informative)
What Next? (Score:2, Informative)