Reply From: Russell Coker <russell@coker.com.au>
>Meet Gail Thackeray, the world's foremost legal expert on computer crime.
>A former assistant attorney general of the state of Arizona, Thackeray has
>Taking a break from the slide show for a moment, she shows me a little
>number-generating program stored on her laptop. It generates random
>numbers for Visa cards. Give it the four-digit code that identifies a card
>issuer and within minutes you'll have hundreds of false credit card
>numbers to play with. "Now supposing you had another little program that
>made the bank think these numbers were legitimate - How much do you think
What exactly is being suggested here? That a hacker can insert some code
into the credit-card validation software of a bank? If that can be done it's
"game over" anyway. Programs to generate 16digit numbers that pass the basic
checksums of credit-cards are not difficult to write. I've got a program to
verify credit card number checksums (designed to be used in E-commerce
systems), I'm sure I could reverse-engineer it and write a program to
generate 16 digit numbers that pass.
The issue is that if you just take numbers with no other validation than the
checksum then it's not going to be too hard for someone to rip you off. The
solution is simple, get the name and expiry date of the card and verify it
with VISA/Mastercard/whoever. Of course using this system someone can still
rip you off, but at least they need to see the real card information (collect
carbon paper from bins etc).
>Does she think this new generation of Web hackers is a real threat to
>people? "Every baby in America knows the 911 emergency system. If mommy's
>drowning in the pool, we've had three-year- olds save her life by dialling
>911. The hackers have attacked the 911 system and they're still doing it.
>That's not for knowledge or for glory, that's just an act of vicious ego."
Has any evidence of such attacks ever been shown? The law enforcement people
always use the 911 system to stir up an emotional response in the general
public to gain support for their attempts to ban encryption etc. Have they
ever shown evidence of 911 hacks?
Then of course there's the issue of why the 911 system would be connected to
the Internet or to modem dial-in lines...
>Thackeray denies this. "It's a hacker myth that we take away their
>computers and sit on them forever. In one case we came across, the guy had
>over 12Gb of data stored on his system - that's equivalent to 15,000
>paperback books. It's better that we seize all that material - you might
>have love letters, cook book recipes and your extortion kidnapping letter
>on the same disk. We can't take one without taking the other. We cannot
>physically copy that volume. It is far easier for us to take computers
>away than for us to camp out in your house for six months."
I could setup a machine with a 12Gb hard drive that could copy 12gigs of data
across an ordinary Ethernet network in 4 hours. If American law enforcement
agencies need my help to setup such a system (they claim to be incapable of
doing it themselves) then I'll be visiting that country later this year and
I'd be happy to work for them.
Of course stealing someone's computer is the modern equivalent to being a
"horse theif". It is a great punishment and you don't even need a conviction
to impose it!
>A hovel of a bedroom fills the projector screen. Coke cans everywhere,
>rubbish dotted across an unmade bed. In the corner sits a naked computer,
>stripped of casing, wires exposed. Thackeray calls it a rat's nest. She
>has hundreds of similar photos. "Back in Philadelphia I began collecting
>pictures of computers with their wires hanging out. When the geeks speak
>to a jury we call the language they use technocrap. What you have here is
>the physical version of technocrap." She gestures at the screen. Typically
>hackers will set up a stereo system within easy reach of the computer, and
>often a drinks cabinet as well.
Ahh. So people with poor hygeine standards are criminals, and people who
dress well and have clean houses aren't.
If I ever get involved in any criminal activity in the US I'll be sure to
wear my best suit. :-#
>A recent innovation is the home network. "We've come up against four or
>five houses recently where people have had multiple systems networked in
>the house. And that's even without running a bulletin board. When we get
>lucky and we're fast enough we can find the guilty computer - but the
>hardest part of the job is finding the brain behind the computer. To find
>that person is good old- fashioned low-tech police work."
What has this got to do with hackers or law enforcement? Doom, Quake, and Red
Alert are all good reasons for having home networks. I know many people who
couldn't code or hack to save their lives who have home networks to play
games.
>"Police management is dominated by the physical crimes people. We've got
>to dissolve some of these barriers. When we move we need to move fast like
>the Texas rangers - both legally and bureaucratically we're just not there
>yet. When I started 20 years ago law enforcement was behind the computer
>crime wave. We're farther behind today than we were then."
>From what I keep reading about the attitudes and approaches used by police
against suspects in computer crimes cases I am very glad that they are
getting further behind. The legal system of all first-world countries is
based around the principle of "innocent until proven guilty". It seems that
if the police catch someone (maybe the wrong person) in a computer crimes
case that principle is not upheld. Apparently the only way to avoid
punishing innocent people (often without convicting them) is for the police
to lack the powers or ability to combat computer crime.
--
I am a wolf, but I like to wear sheep's clothing.
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
Received on Wed Aug 5 18:39:41 1998