Ethical issues in hacking, phreaking, and piracy
From Computer Underground Digest #6.27 (Mar 27, 1994)
Date: Wed, 9 Mar 1994 14:13:30 -0500
From: Dennis Shayne Weyker
Subject: File 2--Some thoughts on piracy, hacking and phreaking.
The following is a long response I've had laying around to Emmanuel
Goldstein's testimony to Congress last summer. I think the issues
mentioned are still relevant, so I've decided to finish the thing and
send it in.
I come across sounding a bit like a phone-company advocate, but I
don't really think I am. My real reason for writing was to counter
what I thought were some poorly thought-out anarchist and
libertarian-flavored arguments that hackers and phreaks use to justify
behaviors that don't seem justifiable to me.
Comments are welcome.
Shayne Weyker
weyker@wam.umd.edu
>Date: Thu, 10 Jun 1993 16:53:48 -0700
>From: Emmanuel Goldstein
> It is easy to see this when we are talking about crimes that we
>understand as crimes. But then there are the more nebulous crimes; the
>ones where we have to ask ourselves: "Is this really a crime?" Copying
>software is one example. We all know that copying a computer program
>and then selling it is a crime. . . . organizations like
>the Software Publishers Association have gone on record as saying that
>it is illegal to use the same computer program on more than one
>computer in your house. They claim that you must purchase it again or
>face the threat of federal marshals kicking in your door. That is a
>leap of logic.
I don't like or agree with the SPA's position, but I also think that
users who copy copyrighted non-shareware software and get significant
productive use or entertainment out of the software should buy it, and
be liable for fines and forced purchase if they don't buy it.
The problem with enforcing this is that you can't determine usefulness
or entertainment value to the user by auditing their hard drive. And
fining them for possessing copyrighted software they don't use is
unfair (in cases where businesses are the target of the software
audit the company may not even know it has the software). This doesn't
bother the SPA, but if it bothers readers out there in net.land they
should get working on ideas for metering the use of software that
might be included in every program and that could be reset only the
first time it's installed on a new storage device (hmm. that might have
some of the same hassles as old copy protection schemes).
> It is a leap of logic to assume that because a word processor
>costs $500, a college student will not try to make a free copy in
>order to write and become a little more computer literate.
Students don't pirate WordPerfect to become computer literate, they
pirate it to write papers. In using the program they may become more
computer literate.
>Do we punish this student for breaking a rule? Do we charge him with
>stealing $500?
Certainly not $500, because WP isn't out the cost of manuals, disks,
distribution, or free tech support. They are losing a chunk of income
of the cost of developing the software, but this loss is compensated
for at least partly by the fact that WordPerfect Corp.'s future market
share goes up because pirated WP is so widely available and thus
becomes the only word processor many people ever bother to learn to
use. I would hope they would stick to trying to nail businesses and
leave individuals (other than those who resell pirated software) alone
as not worth the trouble. WP (like Microsoft) is a very rich and
successful software company whom the status quo has served quite well
and massive anti-piracy campaigns seem motivated by profit-motive
rather than economic self-defense.
But the problem remains that those who buy WP are paying for the
development of the program while those who pirate are not. The pirates
are freeloading by using a good (use of a program that cost millions
to develop) and not helping to reimburse the company for the costs of
development. This seems not so much like theft as being delinquent on
club dues, homeowners association fees, etc. Maybe assigning deadbeats
to bill collectors would be a good model for punishing piracy. In a
perfect world, everything would be shareware, and there would be use
verification schemes so that everybody who used would pay up. To the
extent that those who pirate WP now get just as much productive use
out of it as paid users, pirates are transferring wealth from the paid
users to themselves (they both get use of the program, and the
legitimate user has to pay for them both). Pirates may also be
transferring wealth from WP's employees and stockholders too.
Two questions arise: 1) "What gives the pirate the moral right to
freeload on the development cost of the software and transfer wealth
to themselves from others?" And 2) "We are all (except in dire cases
like Nazi Germany) morally bound to obey the law, except where one
*publicly* protests the law by deed and is willing to make oneself a
test-case to get the law changed (à la Doc Kevorkian). So where do
pirates get off claiming all by themselves that laws protecting the
intellectual property rights of software companies are void and that
they can go around violating the law covertly at little risk to
themselves just because they don't like it?"
Now if society decides it is willing to allow these unfair transfers
of wealth in return for a more computer literate and productive
workforce then okay. We allow what some think are unfair disparities
of wealth in order to help assure a productive workforce already.
But those in favor of punishing piracy could just as easily make
libertarian arguments that transfers of wealth that aren't explicitly
consented to by the person losing wealth are unjust, and that justice
is a higher goal than a somewhat more computer-literate and productive
society.
>Of course, this represents a fundamental change in our society's
>outlook. Technology as a way of life, not just another way to make
>money.
Does this mean that because it's your way of life you shouldn't have to
pay for it? (see comments below about phreaking) That because
technology is your way of life, other people who make their living
producing technology shouldn't be able to make money off of you? Why
is technology different than all other categories of commodity to be
traded in the marketplace? Don't get me wrong, I have my beefs with
capitalism and I like Bruce Sterling's concept of money moving in to
control everything in "Green Days in Brunei". But I get the feeling
that, deep down, you deny others' right to make money off of you and
those like you (making you pay for all long distance, cable TV, fancy
telephone services, and all the software that you use regularly)
because you couldn't afford it and you wouldn't be able to make as
much use of technology (consume as many technological goods) as you
would like.
I doubt that using your technical skill to cheat the marketplace is a
morally acceptable form of protesting the restraints a capitalist
system places on you.
>After all, we encourage people to read books even if they can't
>pay for them because to our society literacy is a very important goal.
True, but libraries pay for their copies of books and it is neither
encouraged nor legal to photocopy entire books. It's gonna be
interesting to see what happens when libraries turn into big full-text
on-line databases and as many people can download a particular text as
can call in. Like a guy said in Wired 1.1, if the libraries don't
charge for this, it might put book publishers out of business. If that
happens, who's going to pay authors to write books?
>If we succeed in convincing people
>that copying a file is the same as physically stealing something, we
>can hardly be surprised when the broad-based definition results in
>more overall crime. Blurring the distinction between a virtual
>infraction and a real-life crime is a mistake.
There is a kind of prohibition-era effect that current law (as SPA
interprets it) makes petty criminals out of a lot of people. But, the
SPA members may feel the opposite way, that if people are made to feel
criminal/guilty/fearful for copying software (regardless of whether
they get productive use or entertainment out of it) they will copy a
lot less and buy a little more. You certainly wouldn't respond this
way, but John Q. User might be a different story.
A big reduction in the distribution of pirated software is bad for the
user (less ability to evaluate before buying, less chance to use new
software or software tangential to one's business) but good for the
software companies (more profits for the software industry and
possibly more wealth trickling down to those who work for it). SPA is
intentionally shortsighted as to the benefits of piracy for users as a
whole. Pirates are shortsighted about the justifiably expected
economic return for those who invested their money or labor so that
MondoBase+ 2.0 has lots of cool features, runs fast and bug free, and
comes out before 1996.
>LEGISLATION FOR COMPUTER AGE CRIME
>Is mere unauthorized access to a computer worthy of
>federal indictments, lengthy court battles, confiscation of equipment,
>huge fines, and years of prison time?
It depends on whose computer you mess with, generally no. Whether they
look at restricted information or not the state might have a
legitimate interest in making an example of someone who was playing
around in 911 computers or computers with honest-to-goodness sensitive
911-related information, the National Crime Information Center,
Department of Defense, IRS, Department of State, Nuke power plants,
hospitals, city electrical grid controls, etc. I want people to stay
the hell out of critical systems like that. But this hasn't been the
kind of hacking most folks have been busted for... I agree the
government has been clumsy and techno-illiterate in its response and
has stomped on more than a few people's rights.
>Or is it closer to a case of trespassing, which in the real world is usually
>punished by a simple warning? "Of course not," some will say, "since accessing
>a computer is far more sensitive than walking into an unlocked office
>building." If that is the case, why is it still so easy to do?
However, I think the analogy to an unlocked office building is a bad
one. It's more like entering the office building through city sewers or
steam tunnels or looking for a forgotten unlocked window to crawl
through. Hackers don't just wander into a system, it takes effort and
some applied skill. If somebody had a really wimpy lock on their front
door you could open with a credit card, I think it would still be
breaking and entering to do so. And I wouldn't expect any thanks for
demonstrating how bad their security is.
>If it's possible for somebody to easily gain unauthorized access to a computer
>that has information about me, I would like to know about it.
Are you saying that you would only hack into a system that you knew or
expected held information about you personally? I'm guessing that you
would extend this argument to systems that held information about other people,
any people, and that you would be doing them a service by showing them
if their system is insecure. If your reason for penetrating computers
reduces to nothing more than to show it can be done, thereby
marginally improving someone's (not necessarily your) privacy, then
issues of protecting people's privacy as a motive for your hacking
recede into the background.
I firmly believe that hackers hack because they like the challenge,
the ego boost, the subversive feel of it, the feeling of power, etc.
They may wind up goading sysadmins into producing more secure systems,
but I doubt that's their motive. If that were so, they would
anonymously inform sysadmins of holes as soon as they found them. If
the admin doesn't fix the hole then warn the admin "the hole will be
disseminated to others soon, get on the ball or else". I've gotten the
impression that hackers actually penetrate a system repeatedly the
same way just so they can do fun superuser kinds of things and try to
conceal their penetrations for as long as possible rather than inform
the sysadmin of the hole.
Goofing around or inviting others into the system and leaving the
admin to discover unauthorized highly privileged users, degraded
system performance, or damage to files may get a faster closure of the
hole, but is unethical and unnecessary if the real goal is protecting
the system's users' privacy.
>But somehow I don't think the company or agency running the system would tell
>me that they have gaping security holes. Hackers, on the other hand, are
>very open about what they discover which is why large corporations
>hate them so much.
And they hate you for "being open" because it makes extra work for the
sysadmins, and broadcasts the presence of security holes to malicious
as well as non-malicious hackers, thereby increasing the chance that a
malicious hacker will get in and do some real damage before the hole
is fixed. The increased security of systems is a nice side-effect of
hacking, but as long as hackers keep publishing holes there are going
to be some poor schmuck sysadmins who get or act on the news a bit
later than some malicious hacker, and their systems' users get
hurt.
>THE DANGERS OF UNINFORMED CONSUMERS
>In 1984 hackers were instrumental in showing the world how TRW kept credit
>files on millions of Americans. Most people had never even heard of a
>credit file until this happened. Passwords were very poorly guarded -
>in fact, credit reports had the password printed on the credit report
>itself. . . . More recently, hackers found that MCI's Friends and Family
>program allowed anybody to call an 800 number and find out the numbers
>of everyone in a customer's "calling circle". In both the TRW and MCI
>cases, hackers were ironically accused of being the ones to invade
>privacy. What they really did was help to educate the American
>consumer.
I believe they actually did both. They read and in some cases altered
people's credit records. And I'm guessing they fooled around with
playing see-who's-in-so-and-so's calling circle for a while until they
got bored. Nevertheless, these were cases where hackers' activity was
eventually socially useful. Phreakers' much more common activity of
toll fraud driving up everyone else's phone rates is not socially
useful. Hackers blowing into local business and university computers
and grabbing "trophies" to show each other and changing the system
passwords so the sysadmin can't get in, is not socially useful.
>the local phone companies take advantage of consumers. Here are a few
>examples:
> Charging a fee for touch tone service. This is a misnomer. It
>actually takes extra effort to tell the computer to ignore the tones
>that you produce. Everybody already has touch tone capability but we
>are forced to pay the phone company not to block it. While $1.50 a
>month may not seem like much, when added together the local companies
>that still engage in this practice are making millions of dollars a
>year for absolutely nothing. Why do they get away with it?
Because they justify it as recouping the cost of buying and installing
the DTMF equipment that lets them offer touch tone service. If they
have long since gotten back their investment in the equipment the
charge should be dropped. And the way to do that is get a group of
people or a lawyer upset about it and then to go to the appropriate
regulatory agency and say "look how this monopoly is gouging
consumers".
>Other examples abound: being charged extra not to have your name
>listed in the telephone directory, a monthly maintenance charge if you
>select your own telephone number,
Both of these require the phone company to break with normal routines,
thereby becoming a bit less productive and spending a bit more money.
In their preparation of the phone book and of assigning new numbers,
they use more labor to serve your wants relative to those of other
phone customers. (Of course, this is also true as a class of people
who live in the rural/low population density areas, but they're
subsidized by the taxpayers.)
If you're unlisted they have to insert a few extra steps into the
production of the phonebook before it goes to press to make positively
sure you're not in it. If you're not in information, they probably
have to 1) make a (probably trivial) change in your computer record
and 2) make (less trivial) allowances in the programming/design of the
information assistance software for people desiring un-assistable
numbers. If you have a custom phone number they have to check that 1)
it's not being used (trivial) and 2) make allowances in their
planning/programming of the number assigning system for numbers
(re)entering service sooner than would have been expected if numbers
had been moved in and out of use according to plan rather than by
customer whims. Some people will pick custom numbers which they could
have gotten by normal assignment, which eliminates the second reason,
but for efficiency in billing and fair/equal treatment of those who
want custom numbers, all should be charged the same.
The main point here is that somebody had to make the design changes in
how the phonebook is produced and in the computer systems that manage
information assistance and number allocation to accommodate these
requests for additional privacy/customization, and those changes cost
money to design and implement and cost a (tiny) bit more in operating
costs/maintenance/upgrades each year than one which didn't have to
make allowances for privacy and custom phone numbers.
Of course, that doesn't answer the question of why individuals who
want privacy should have to bear the costs rather than the entire
phone-using community . . . but again (like with the issue of earning
back the cost of installing touch-tone equipment) this is something to
take up with the agency who regulates the telco or an interested
legislator.
>the fact that calling information to get a number now costs more than calling
>the number itself.
Directory assistance requires the use of human operators and the
creation and maintenance of a particular subset of the phone company's
computer database system for public access. Placing a normal
direct-dial call requires neither. Lazy people who create more demand
for this service by not looking up numbers in the phone book should
pay more (remember assistance at payphones, where you may not have a
book, is free). Ideally getting information for numbers that have been
added since the book came out should be free as well, but the added
administrative cost of doing that is probably prohibitive.
>More recently, we have become acquainted with a new standard
>called Signalling System Seven or SS7. Through this system it is
>possible for telephones to have all kinds of new features: Caller ID,
>Return Call, Repeat Calling to get through a busy signal, and more.
>But again, we are having the wool pulled over our eyes. For instance,
>if you take advantage of Call Return in New York (which will call the
>last person who dialed your number), you are charged 75 cents on top
>of the cost of the call itself.
>Obviously, there is a cost involved when new technologies are introduced.
>But there is no additional
>equipment, manpower, or time consumed when you dial *69 to return a
>call. It's a permanent part of the system. As a comparison, we could
>say that it also costs money to install a hold button. Imagine how we
>would feel if we were charged a fee every time we used it.
The cost of a hold button is paid for all at once in the price of your
phone, and it costs the phone company nothing to maintain. There was
probably a time when hold buttons were a hot new feature and phones
with them cost significantly more.
The tens of millions (I'm guessing) of dollars in electronics and
human labor that went into making SS7 go from an IDEA in some Bellcore
engineer's mind to DESIGN then to PROTOTYPE then to PRODUCTION then to
INSTALLED EQUIPMENT came from somewhere, and those people want their
money back, with interest. So the phone company recoups their cost.
And they do it from those who actually use the SS7 services, which
seems fair. Again, the phone company should not be allowed to make
undue profits off of SS7 services, but merely charging for them is
okay.
There is an issue of information-technology haves and have-nots here
though. If all these cool SS7 options are expensive then only rich
people will be able to afford them easily and middle-class people on
down will have to make decisions about what they'll give up each month
in order to afford the SS7 services. You may not like it, I may not
like it, but that's how capitalism works. Including the cost of SS7 in
basic rates would be unfair to the poor since I suspect they as a
group would be significantly less likely to use the services than the
rich and middle class but would then be paying for the SS7 services
they don't use as well.
>The local companies are not the only offenders but it is
>particularly bad in their case because, for the vast majority of
>Americans, there is no competition on this level.
If they're a monopoly, someone outside their company has to approve
their rate schedule. Mobilize a group, find that someone who regulates
rates, and complain, or write your congressman. If there were
competition, all providers might still charge for SS7 services the
same way since customers choosing a local phone company would probably
be most price sensitive about the basic monthly rate rather than the
bells and whistles. Telcomm-power-users are not a big enough group to
be the bread and butter of your local telco.
It might be that the phone company is getting lots of profits off of
SS7 and using that to subsidize the basic rate for everyone,
effectively shifting some costs from all users to "power-users" of the
phone system. This may or may not be fair, but it is not the same
thing as the phone company ripping you off. Cross-subsidy is a way of
life.
It might also be that since it's a new technology, there is a
relatively limited supply of SS7 equipment out there to be bought by
telcos and the installed base of SS7 equipment in your area can only
handle so much usage. Microeconomics 101 Solution: Charge a mint for
the SS7 services and demand will stay manageable despite the wonderful
convenience it offers. Once again, capitalism at work.
>AT&T, MCI, and Sprint all encourage the use of calling cards.
>Yet each imposes a formidable surcharge each and every time they're used.
>there is no extra work necessary to complete a calling card call - at least
>not on the phone company's part. . . . But billing is accomplished merely by
>computers sending data to each other. . . . Everything is
>accomplished quickly, efficiently, and cheaply by computer. Therefore,
>these extra charges are outdated.
I bet a bunch of phone co. programmers and EE's had to write a lot of
code and design and install networks that upgraded the phone company's
computerized billing system to handle calling cards. See the above
comments on SS7 for what this means. And let's not forget calling card
fraud and the investments in security to control it, an unfortunate
side-effect of offering card-calling. Who should bear that cost? All
customers, or those that use the calling cards? You might say, why
not the employees and shareholders of the phone company for not having
a more secure calling card system? Sometimes they do: phreakers ran
Metrophone out of business if I remember right. But if phone companies
gave individuals pass-numbers that didn't include their phone numbers
and were much harder to memorize, people would either change phone
companies or raise holy hell with the regulatory agency to get them to
undo it. Computerized calling-card identification by voiceprint might
crush toll-fraud, but who is going to pay to design, build, install,
and maintain the system?
Phreakers seem to feel that their consumption of time on phone company
lines and equipment without paying for them is like hackers breaking
in and using otherwise-unused CPU time on some company's computer.
First, I'm not too sure that hackers don't degrade performance of
systems they invade if only by soaking up the labor of system
administrators who could be doing other things besides constantly
updating and improving system security. To which you'd say "we're not
making work for them, we're keeping them from being complacent and
becoming sitting ducks for industrial espionage and malicious
hackers." Maybe so, but you're also taking time away from their
efforts to make their systems faster, more reliable, friendlier, etc.
And what is the Hacker community's record with regard to malicious
hackers who trash companies' systems? Do they actively try to find out
these guys and inform on them? I doubt it, although I'd be happy to
learn otherwise. If non-malicious hackers' real purpose is to help
companies to defend themselves against malicious hackers, then they
probably should as a rule inform on malicious hackers.
But is phreaking morally equivalent to hacking? Is it just using
left-over bandwidth, which can be thought of as being like unused CPU
cycles? I don't know. I can imagine scenarios where because of the
additional demand for services created by phreakers, more switching
equipment and programmer-hours have to be bought which might not have
been bought otherwise. And there is still the issue of making work for
phone system admins trying to catch people stealing long distance. Not
to mention making work for the customer service reps who have to
rectify some poor customer's $7000 phone bill. Fooling around with
satellites thousands of people depend on is definitely not ok.
Phreaking at off-times where there's lots of slack in the phone system
and doesn't create pressures for new equipment is more tolerable, but
still creates non-profit-making work for customer service, security,
and sysadmins in reacting to the threat that drives up the company's
operating costs, and, probably, everyone's rates.
>SOCIAL INJUSTICES OF TECHNOLOGY
> The way in which we have allowed public telephones to be operated
>is particularly unfair to those who are economically disadvantaged. A
>one minute call to Washington DC can cost as little as 12 cents from
>the comfort of your own home. However, if you don't happen to have a
>phone, or if you don't happen to have a home, that same one minute
>call will cost you $2.20. That figure is the cheapest rate there is
>from a Bell operated payphone. With whatever kind of logic was used to
>set these prices, the results are clear. We have made it harder and
>more expensive for the poor among us to gain access to the telephone
>network. Surely this is not something we can be proud of.
> A direct result of this inequity is the prevalence of red boxes.
>Red boxes are nothing more than tone generators that transmit a quick
>burst of five tones which convince the central office that a quarter
>has been deposited. It's very easy and almost totally undetectable.
>It's also been going on for decades. Neither the local nor long
>distance companies have expended much effort towards stopping red
>boxes, which gives the impression that the payphone profits are still
>lucrative, even with this abuse. But even more troubling is the
>message this is sending. Think of it. For a poor and homeless person
>to gain access to something that would cost the rest of us 12 cents,
>they must commit a crime and steal $2.20. This is not equal access.
In theory I think you're absolutely right, there shouldn't be this
massive surcharge on LD pay-phone calls. However, it may not be true
that redboxing truly serves to rectify this inequity for those it
hurts the worst. I'd guess that in practice very poor people who can't
afford homes and phones also can't afford hand-held cassette players
either, nor are they good friends with some phreak who will do it for
them on a regular basis, thus the poor aren't in a position to do
redboxing. Redboxing doesn't really do anything about the
price-inequity unless poor folks actually make use of it. Now if the
poor are out of the picture, it looks more like the phreaks are just
mad at the telco for price-gouging and decide to rip off said telco
because of it.
[I wrote the above before I heard about the trick of using the
sound-sampling device in certain Hallmark cards to capture a
quarter-tone. The issue then becomes how many homeless will actually be
shown how to do this by phreakers?]
I wonder though: how much of high pay-phone prices are due to the
telco trying to recover losses from payphones due to redboxing?
[See the replies below; the biggest reasons for payphone surcharges are
probably cost of the phone, repairs (esp. for breakins and vandalism), and
coin collection runs. Why are the Europeans and Japanese so into stored
value phone cards after all?]
Call-Sell operations using cloned cellular phones might be better able
to use your argument about compensating for price-inequity than
redboxing since it seems (based on some recent testimony I read) to be
pretty widely available to at least the urban poor on an as-needed
basis. Call-selling has at least a potential wealth-redistributing
effect from relatively rich legitimate cell-phone users to poor folks
without phones (especially immigrants w/lots of relatives to reach out
and touch back home) and the Call-Sell operators. Note though, to the
extent that call-selling serves middle-class people who already own
phones and not the poor and phoneless it serves merely to redistribute
wealth from the users who use their cell-phones legitimately and the
telco, and transfer it to users who choose not to use their legitimate
phone and to use call-sell service instead, as well as the call-sell
operators. This kind of redistribution cannot rely on social justice
arguments and is just massive toll-fraud.
>CORPORATE RULES
>. . . This puts us at direct odds with many organizations, who believe
>that everything they do is "proprietary" and that the public has no
>right to know how the public networks work. In July of 1992 we were
>threatened with legal action by Bellcore (the research arm of the
>Regional Bell Operating Companies) for revealing security weaknesses
>inherent in Busy Line Verification (BLV) trunks. The information had
>been leaked to us and we did not feel compelled to join Bellcore's
>conspiracy of silence.
See my earlier comments about publishing security holes or sharing
them with hackers before letting the sysadmins have adequate warning
and time to fix the hole. Instant publication of holes is not socially
responsible.
Also, publishing one company's private data can in some cases create a
competitive disadvantage relative to that company's competitors with
real economic effects. If Phrack runs a long series of articles about
"how to hack the new Fujitsu switches", the communications engineer at
BellAtlantic deciding what brand of switch to buy may decide to buy
some other brand of switch besides Fujitsu. And he might be doing this
solely because the publication of those articles makes him think (rightly
or wrongly) that the Fujitsu's switch is more likely to get hacked
into than, say, Northern Telecom's. Phrack has just transferred wealth
from Fujitsu to Northern Telecom and possibly influenced the telco
into buying the less competitive switch (which could wind up
increasing telco operating costs and users' rates) out of fear of
getting hacked.
Moral: not all arguments about the social and commercial value of
keeping proprietary information secret are bogus.
>In April of this year, we were threatened with
>legal action by AT&T for printing proprietary information of theirs.
>The information in question was a partial list of the addresses of
>AT&T offices. It's very hard for us to imagine how such information
>could be considered secret. But these actions are not surprising.
I'd bet money those addresses were sensitive because they would be
very useful to someone trying to con, misrepresent, and
social-engineer their way into the telco's computers. What possible
use there would be to the non-hacker/phreaker member of the public for
obscure telco-bureaucracy addresses and phone #s the phone company
decides not to let out to the general public eludes me.
[In retrospect, maybe a reporter or competitor trying to uncover
anti-competitive or other illegal practices through social engineering
might make good use of such knowledge]
>This in itself is wrong; a publication must have
>the same First Amendment rights regardless of whether it is printed
>electronically or on paper. As more online journals appear, this basic
>tenet will become increasingly critical to our nation's future as a
>democracy.
I couldn't agree more.
>The government promptly dropped its case against
>the publisher who, to this day, is still paying back $100,000 in legal
>fees.
This sucks. The gov't/telco should have had to eat the defense's legal fees.
>As further evidence of the inequity between individual justice
>and corporate justice, Bell South was never charged with fraud for its
>claim that a $14 document was worth nearly $80,000. Their logic, as
>explained in a memo to then Assistant U.S. Attorney Bill Cook, was
>that the full salaries of everyone who helped write the document, as
>well as the full cost of all hardware and software used . . .
The Phrack/E911 case is one of the worst abuses of rights to date.
However, please let me speculate for a moment, working from the assumptions
that
1) The document was not expected to diffuse into the hands of hackers.
The "catalog anyone could order the document from" was, I suspect,
used only by and intended only for vendors and employees.
2) That possession of the E911 document would at least marginally aid
in the efforts of those who were interested in hacking into 911.
Granted, if both #1 and #2 are true then it could mean that BellSouth
had negligent security practices and deserved what it got. It might
also be the case that #2 is simply not true (I just can't say one way
or another due to not having read the document closely and lacking the
knowledge needed to understand the significance of everything said
in the document). If #2 is false the following argument can be
ignored.
It seems to me that there could be an economic cost to Bell South
*because of the publication of that document in the hacker community*.
If Bellcore has to devote additional resources to beefing up E911
security solely because certain features of the E911 system are now
much more widely known to the hacker community (and thus more likely
to be attacked) than before the publication of the document in Phrack,
then Phrack has done BellSouth economic harm (and may also have
indirectly contributed to the risk of a breach of security in E911
until their new security measures kick in). I think it the case that
protecting the first amendment requires us to ignore such economic
harm and not make it legally actionable, but I believe that the "cost"
to BellSouth of the publication of that document in Phrack was
probably much greater than a few lost sales of the document's physical
incarnation.
The added short-term risk of a breach in 911 security due to the
publication of the document might have slightly more weight against
first-amendment claims but would probably still be outweighed by
freedom of speech. I could imagine a case though, where publication
(especially quiet publication within the hacker community so that the
average telco security person and E911 sysadmin person might not hear
about the publication for a few weeks) of the factory-default
passwords and dialup numbers for E911 computers would be great enough
a risk to public safety as to merit strong punishments and prior
restraint.
I hope the above article has provided some new middle-ground between
anti-establishment and establishment people to stand on and discuss
piracy, hacking and phreaking. I hope also that some hackers and
phreakers will use the above to re-examine whether they are, as claimed,
actually doing society a favor, and if not, how they could change
their ways so as to be a positive force.
Shayne Weyker
weyker@wam.umd.edu
---------------
Addenda: I have since found out that I made a few erroneous assumptions
in the piece. Some corrections: information from payphones isn't free most
places, payphones probably have a surcharge because they cost so much more
to build and service, phone hackers don't generate enough demand for
service to significantly pressure telcos to buy extra equipment to meet
the hackers' needs, hackers' real threat is to the integrity and
cost-effectiveness of a telco's billing system (i.e. its source of
revenue), etc. If you are interested I have some replies on file or you
can follow the debate in the CuD archives. There were some replies
to this message and some replies of my own to those replies.
Shayne