Computer underground Digest    Wed Feb 9, 1994    Volume 6 : Issue 14
ISSN 1004-042X

Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe (Improving each day)
Acting Archivist: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Cowpie Editor: Buffy A. Lowe

CONTENTS, #6.14 (Feb 9, 1994)
File 1:--Sen. Markey Tirade against "hackers" (courtesy of 2600)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. To subscribe, send a one-line message:

SUB CUDIGEST your name

Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU

The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (203) 832-8441. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.

EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893; In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
AUSTRALIA: ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
EUROPE: ftp.funet.fi in pub/doc/cud. (Finland)
UNITED STATES: aql.gatech.edu (128.61.10.53) in /pub/eff/cud
               etext.archive.umich.edu (141.211.164.18) in /pub/CuD/cud
               ftp.eff.org (192.88.144.4) in /pub/Publications/CuD
               halcyon.com (202.135.191.2) in mirror2/cud
               ftp.warwick.ac.uk in pub/cud (United Kingdom)
KOREA: ftp: cair.kaist.ac.kr in /doc/eff/cud

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Fri, 4 Feb 1994 03:16:28 -0800
From: Emmanuel Goldstein
Subject: File 1--Sen. Markey Tirade against "hackers" (courtesy of 2600)

((MODERATORS' NOTE: On June 9, 1993, Emmanuel Goldstein, editor of 2600, appeared before The House Subcommittee on Telecommunications and Finance. The topic was ostensibly network security, toll fraud, and the social implications of changing technology. As reported in CuDs #5.43 and 5.45, the session turned into "Emmanuel bashing." As the following transcript shows, the Subcommittee's chairperson, Rep. Edward J. Markey (D-Mass.), was more interested in criticizing Emmanuel Goldstein than in pursuing comments by a major law enforcement official advocating restriction of Constitutional protections of free speech to stifle information. Thanks to the 2600 staff for transcribing the entire transcript. Sadly, it reveals that the knowledge gap between legislators and the laws they enact remains unacceptably wide.))

At long last, 2600 has obtained a transcript of the hearings from last June where two members of congress - Edward J. Markey (D-MA) and Jack Fields (R-TX) - launched into a tirade against the evils of computer hackers and generally demonstrated their ignorance on the subject and their unwillingness to listen to anything that didn't match their predetermined conclusions. Those conclusions are basically that 2600 Magazine is a manual for criminals and that hackers are a blight on civilization. At least, that was my interpretation, which is admittedly biased since I was on the receiving end of this double dose of dogma. I'd be most interested in hearing yours as would the rest of us at 2600. While you may think that members of Congress would also be interested, I would have to say it doesn't seem too likely.

I was asked down there to address the issue of new technology, its implications, and the social benefits and dangers. That is what I addressed in my twenty pages of written testimony and my opening remarks. What happened during the hearing was like something out of the Geraldo show, only worse. This was the Congress of the United States. Look for the soundbites, the simplistic solutions, the demonization of a perceived enemy, and the eagerness to legislate away the problems and avoid the complex issues. It's too bad it took them three quarters of a year to get this transcript to us.

To be official, this is the full transcript of all spoken testimony from the second panel on June 9, 1993. (If you want a copy of my written testimony, email me at emmanuel@well.sf.ca.us.)
This is a literal transcript, meaning that any and all factual or technical inaccuracies are reproduced without comment. The panel you'll see being referred to that was on first was one on the Clipper Chip, a subject these members of Congress were a bit more enlightened on.

To obtain your own copy of this hearing and the other related ones, contact the U.S. Government Printing Office (202-512-0000) and ask for Serial No. 103-53, known as "Hearings Before The Subcommittee on Telecommunications and Finance of the Committee on Energy and Commerce, House of Representatives, One Hundred Third Congress, First Session, April 29 and June 9, 1993".

===================================================================

It was a very hot day in June....

Mr. MARKEY. If you could close the door, please, we could move on to this very important panel. It consists of Mr. Donald Delaney, who is a senior investigator for the New York State Police. Mr. Delaney has instructed telecommunications fraud at the Federal Law Enforcement Training Center and has published chapters on computer crime and telecommunications fraud.

Dr. Peter Tippett is an expert in computer viruses and is the director of security products for Symantec Corporation in California.

Mr. John J. Haugh is chairman of Telecommunications Advisors Incorporated, a telecommunications consulting firm in Portland, Oreg., specializing in network security issues. Dr. Haugh is the editor and principal author of two volumes entitled "Toll Fraud" and "Telabuse" in a newsletter entitled "Telecom and Network Security Review."

Mr. Emmanuel Goldstein is the editor-in-chief of "2600: The Hacker Quarterly." Mr. Goldstein also hosts a weekly radio program in New York called "Off The Hook."

Mr. Michael Guidry is chairman and founder of the Guidry Group, a security consulting firm specializing in telecommunications issues. The Guidry Group works extensively with the cellular industry in its fight against cellular fraud.
We will begin with you, Mr. Delaney, if we could. You each have 5 minutes. We will be monitoring that. Please try to abide by the limitation. Whenever you are ready, please begin.

STATEMENTS OF DONALD P. DELANEY, SENIOR INVESTIGATOR, NEW YORK STATE POLICE; JOHN J. HAUGH, CHAIRMAN, TELECOMMUNICATIONS ADVISORS; EMMANUEL GOLDSTEIN, PUBLISHER, 2600 MAGAZINE; PETER S. TIPPETT, DIRECTOR, SECURITY AND ENTERPRISE PRODUCTS, SYMANTEC CORP.; AND MICHAEL A. GUIDRY, CHIEF EXECUTIVE OFFICER, THE GUIDRY GROUP

Mr. DELANEY. Thank you, Mr. Chairman, for the invitation to testify today.

As a senior investigator with the New York State Police, I have spent more than 3 years investigating computer crime and telecommunications fraud. I have executed more than 30 search warrants and arrested more than 30 individuals responsible for the entire spectrum of crime in this area.

I authored two chapters in the "Civil and Criminal Investigating Handbook" published by McGraw Hill entitled "Investigating Computer Crime and Investigating Telecommunications Fraud." Periodically I teach a 4-hour block instruction on telecommunications fraud at the Federal Law Enforcement Training Center in Georgia.

Although I have arrested some infamous teenagers, such as Phiber Optic, ZOD, and Kong, in some cases the investigations were actually conducted by the United States Secret Service. Because Federal law designates a juvenile as one less than 18 years of age and the Federal system has no means of prosecuting a juvenile, malicious hackers, predominately between 13 and 17 years of age, are either left unprosecuted or turned over to local law enforcement. In some cases, local law enforcement were either untrained or unwilling to investigate the high-tech crime.

In examining telecommunications security, one first realizes that all telecommunications is controlled by computers.
Computer criminals abuse these systems not only for free service but for a variety of crimes ranging from harassment to grand larceny and illegal wiretapping. Corporate and Government espionage rely on the user-friendly networks which connect universities, military institutions, Government offices, corporate research and development computers. Information theft is common from those companies which hold our credit histories. Their lack of security endanger each of us, but they are not held accountable.

One activity which has had a financial impact on everyone present is the proliferation of call sell operations. Using a variety of methods, such as rechipped cellular telephones, compromised PBX remote access units, or a combination of cellular phone and international conference lines, the entrepreneur deprives the telephone companies of hundreds of millions of dollars each year. These losses are passed on to each of us as higher rates.

The horrible PBX problem exists because a few dozen finger hackers crack the codes and disseminate them to those who control the pay phones. The major long distance carriers each have the ability to monitor their 800 service lines for sudden peaks in use. A concerted effort should be made by the long distance carriers to identify the finger hackers, have the local telephone companies monitor the necessary dialed number recorders, and provide local law enforcement with timely affidavits. Those we have arrested for finger hacking the PBX's have not gone back into this type of activity or crime.

The New York State Police have four newly trained investigators assigned to investigate telecommunications fraud in New York City alone. One new program sponsored by AT&T is responsible for having trained police officers from over 75 departments about this growing blight in New York State alone.
Publications, such as "2600," which teach subscribers how to commit telecommunications crime are protected by the First Amendment, but disseminating pornography to minors is illegal. In that many of the phone freaks are juveniles, I believe legislation banning the dissemination to juveniles of manuals on how to commit crime would be appropriate.

From a law enforcement perspective, I applaud the proposed Clipper chip encryption standard which affords individuals protection of privacy yet enables law enforcement to conduct necessary court-ordered wiretaps, and with respect to what was being said in the previous conversation, last year there were over 900 court-ordered wiretaps in the United States responsible for the seizure of tons of illicit drugs coming into this country, solving homicides, rapes, kidnappings. If we went to an encryption standard without the ability for law enforcement to do something about it, we would have havoc in the United States -- my personal opinion.

In New York State an individual becomes an adult at 16 years old and can be prosecuted as such, but if a crime being investigated is a Federal violation he must be 18 years of age to be prosecuted. Even in New York State juveniles can be adjudicated and given relevant punishment, such as community service.

I believe that funding law enforcement education programs regarding high-tech crime investigations, as exists at the Federal Law Enforcement Training Center's Financial Frauds Institute, is one of the best tools our Government has to protect its people with regard to law enforcement.

Thank you.

Mr. WYDEN [presiding]. Thank you very much for a very helpful presentation.

Let us go next to Mr. Haugh. We welcome you. It is a pleasure to have an Oregonian, particularly an Oregonian who has done so much in this field, with the subcommittee today. I also want to thank Chairman Markey and his excellent staff for all their efforts to make your attendance possible today. So, Mr.
Haugh, we welcome you, and I know the chairman is going to be back here in just a moment.

STATEMENT OF JOHN J. HAUGH

Mr. HAUGH. Thank you, Mr. Wyden.

We expended some 9,000 hours, 11 different people, researching the problem of toll fraud, penetrating telecommunications systems, and then stealing long distance, leading up to the publication of our two-volume reference work in mid-1992. We have since spent about 5,000 additional hours continuing to monitor the problem, and we come to the table with a unique perspective because we are vender, carrier, and user independent.

In the prior panel, the distinguished gentleman from AT&T, for whom I have a lot of personal respect, made the comment that the public justifiably is confident that the national wire network is secure and that the problem is wireless. With all due respect, that is a laudable goal, but as far as what is going on today, just practical reality, that comment is simply incorrect, and if the public truly is confident that the wired network is secure, that confidence is grossly misplaced.

We believe 35,000 users will become victimized by toll fraud this year, 1993. We believe the national problem totals somewhere between $4 and $5 billion. It is a very serious national problem. We commend the chairman and this committee for continuing to attempt to draw public attention and focus on the problem.

The good news, as we see it, over the last 3 years is that the severity of losses has decreased. There is better monitoring, particularly on the part of the long distance carriers, there is more awareness on the part of users who are being more careful about monitoring and managing their own systems, as a result of which the severity of loss is decreasing. That is the good news.

The bad news is that the frequency is greatly increasing, so while severity is decreasing, frequency is increasing, and I will give you some examples.
In 1991 we studied the problem from 1988 to 1991 and concluded that the average toll fraud loss was $168,000. We did a national survey from November of last year to March of this year, and the average loss was $125,000, although it was retrospective. Today we think the average loss is $30,000 to $60,000, which shows a rather dramatic decline.

The problem is, as the long distance thieves, sometimes called hackers, are rooted out of one system, one user system, they immediately hop into another one. So severity is dropping, but frequency is increasing. Everybody is victimized. You have heard business users with some very dramatic and very sad tales. The truth is that everybody is victimized; the users are victimized; the long distance carriers are victimized; the cellular carriers are victimized, the operator service providers; the co-cod folks, the aggregators and resellers are victimized; the LEC's and RBOC's, to a limited extent, are victimized; and the vendors are victimized by being drawn into the problem.

Who is at fault? Everybody is at fault. The Government is at fault. The FCC has taken a no-action, apathetic attitude toward toll fraud. That Agency is undermanned, it is understaffed, it is underfunded, it has difficult problems -- no question about that -- but things could and should be done by that Agency that have not been done.

The long distance carriers ignored the problem for far too long, pretended that they could not monitor when, in fact, the technology was available. They have done an outstanding job over the last 2 years of getting with it and engaging themselves fully, and I would say the long distance carriers, at the moment, are probably the best segment of anyone at being proactive to take care of the problem.

Users too often ignored security, ignored their user manuals, failed to monitor, failed to properly manage. There has been improvement which has come with the public knowledge of the problem.
CPE venders, those folks who manufactured the systems that are so easy to penetrate, have done an abysmally poor job of engineering into the systems security features. They have ignored security. Their manuals didn't deal with security. They are starting to now. They are doing a far better job. More needs to be done.

The FCC, in particular, needs to become active. This committee needs to focus more attention on the problem, jawbone, keep the heat on the industry, the LEC's and the RBOC's in particular. The LEC's and the RBOC's have essentially ignored the problem. They are outside the loop, they say, yet the LEC's and the RBOC's collected over $21 billion last year in access fees for connecting their users to the long distance networks. How much of that $21 billion did the LEC's and the RBOC's reinvest in helping to protect their users from becoming victimized and helping to combat user-targeted toll fraud? No more than $10 million, one-fifth of 1 percent.

Many people in the industry feel the LEC's and the RBOC's are the one large group that has yet to seriously come to the table. Many in the industry -- and we happen to agree -- feel that 3 to 4 percent of those access fees should be reinvested in protecting users from being targeted by the toll fraud criminals.

The FCC should become more active. The jawboning there is at a minimal level. There was one show hearing last October, lots of promises, no action, no regulation, no initiatives, no meetings. A lot could be done. Under part 68, for example, the FCC, which is supposed to give clearance to any equipment before it is connected into the network, they could require security features embedded within that equipment. They could prevent things like low-end PBX's from being sold with three-digit barrier codes that anyone can penetrate in 3 to 5 minutes.

Thank you, Mr. Chairman.

Mr. MARKEY. Thank you, Mr. Haugh, very much.

Mr. Goldstein, let's go to you next.

STATEMENT OF EMMANUEL GOLDSTEIN

Mr. GOLDSTEIN.
Thank you, Mr. Chairman, and thank you to this committee for allowing me the opportunity to speak on behalf of those who, for whatever reason, have no voice.

I am in the kind of unique position of being in contact with those people known as computer hackers throughout the world, and I think one of the misconceptions that I would like to clear up, that I have been trying to clear up, is that hackers are analogous to criminals. This is not the case. I have known hundreds of hackers over the years, and a very, very small percentage of them are interested in any way in committing any kind of a crime. I think the common bond that we all have is curiosity, an intense form of curiosity, something that in many cases exceeds the limitations that many of us would like to put on curiosity. The thing is though, you cannot really put a limitation on curiosity, and that is something that I hope we will be able to understand.

I like to parallel the hacker culture with any kind of alien culture because, as with any alien culture, we have difficulty understanding its system of values, we have difficulty understanding what it is that motivates these people, and I hope to be able to demonstrate through my testimony that hackers are friendly people, they are curious people, they are not out to rip people off or to invade people's privacy; actually, they are out to protect those things because they realize how valuable and how precious they really are.

I like to draw analogies to where we are heading in the world of high technology, and one of the analogies I have come up with is to imagine yourself speeding down a highway, a highway that is slowly becoming rather icy and slippery, and ask yourself the question of whether or not you would prefer to be driving your own car or to be somewhere inside a large bus, and I think that is kind of the question we have to ask ourselves now.
Do we want to be in control of our own destiny as far as technology goes, or do we want to put all of our faith in somebody that we don't even know and maybe fall asleep for a little while ourselves and see where we wind up? It is a different answer for every person, but I think we need to be able to at least have the opportunity to choose which it is that we want to do.

Currently, there is a great deal of suspicion, a great deal of resignation, hostility, on behalf of not simply hackers but everyday people on the street. They see technology as something that they don't have any say in, and that is why I particularly am happy that this committee is holding this hearing, because people, for the most part, see things happening around them, and they wonder how it got to that stage. They wonder how credit files were opened on them; they wonder how their phone numbers are being passed on through A&I [sic - actually it's ANI -- mech@eff.org] and caller ID. Nobody ever went to these people and said, "Do you want to do this? Do you want to change the rules?"

The thing that hackers have learned is that any form of technology can and will be abused, whether it be calling card numbers or the Clipper chip. At some point, something will be abused, and that is why it is important for people to have a sense of what it is that they are dealing with and a say in the future.

I think it is also important to avoid inequities in access to technology, to create a society of haves and have-nots, which I feel we are very much in danger of doing to a greater extent than we have ever done before. A particular example of this involves telephone companies, pay phones to be specific. Those of us who can make a telephone call from, say, New York to Washington, D.C., at the cheapest possible rate from the comfort of our own homes will pay about 12 cents for the first minute.
However, if you don't have a phone or if you don't have a home, you will be forced to pay $2.20 for that same first minute. What this has led to is the proliferation of what are known as red boxes.

I have a sample (indicating exhibit). Actually, this is tremendously bigger than it needs to be. A red box can be about a tenth of the size of this. But just to demonstrate the sound that it takes for the phone company to believe that you have put a quarter into the phone (brief tone is played), that is it, that is a quarter.

Now we can say this is the problem, this huge demonic device here is what is causing all the fraud, but it is not the case. This tape recorder here (same brief tone is played) does the same thing. So now we can say the tones are the problem, we can make tones illegal, but that is going to be very hard to enforce.

I think what we need to look at is the technology itself: Why are there gaping holes in them? and why are we creating a system where people have to rip things off in order to get the same access that other people can get for virtually nothing?

I think a parallel to that also exists in the case of cellular phones. I have a device here (indicating exhibit) which I won't demonstrate, because to do so would be to commit a Federal crime, but by pressing a button here within the course of 5 seconds we will be able to hear somebody's private, personal cellular phone call.

Now the way of dealing with privacy with cellular phone calls is to make a law saying that it is illegal to listen. That is the logic we have been given so far. I think a better idea would be to figure out a way to keep those cellular phone calls private and to allow people to exercise whatever forms of privacy they need to have on cellular phone calls.
So I think we need to have a better understanding both from the legislative point of view and in the general public as far as technology in itself, and I believe we are on the threshold of a very positive, enlightened period, and I see that particularly with things like the Internet which allow people access to millions of other people throughout the world at very low cost. I think it is the obligation of all of us to not stand in the way of this technology, to allow it to go forward and develop on its own, and to keep a watchful eye on how it develops but at the same time not prevent it through overlegislation or overpricing.

Thank you very much for the opportunity to speak.

Mr. MARKEY. Thank you, Mr. Goldstein.

Dr. Tippett.

STATEMENT OF PETER S. TIPPETT

Mr. TIPPETT. Thank you.

I am Peter Tippett from Symantec Corporation, and today I am also representing the National Computer Security Association and the Computer Ethics Institute. Today is Computer Virus Awareness Day, in case you are not aware, and we can thank Jack Fields, Representative Fields, for sponsoring that day on behalf of the Congress, and I thank you for that.

We had a congressional briefing this morning in which nine representatives from industry, including telecommunications and aerospace and the manufacturing industry, convened, and for the first time were willing to talk about their computer virus problems in public. I have got to tell you that it is an interesting problem, this computer virus problem. It is a bit different from telephone fraud.

The virus problem is one which has probably among the most misrepresentation and misunderstanding of these various kinds of fraud that are going on, and I would like to highlight that a little bit. But before I do, I would like to suggest what we know to be the costs of computer viruses just in America.
The data I am representing comes from IBM and DataQuest, a Dun and Bradstreet company, it is the most conservative interpretation you could make from this data. It suggests that a company of only a thousand computers has a virus incident every quarter, that a typical Fortune 500 company deals with viruses every month, that the cost to a company with only a thousand computers is about $170,000 a year right now and a quarter of a million dollars next year. If we add these costs up, we know that the cost to United States citizens of computer viruses just so far, just since 1990, exceeds $1 billion.

When I go through these sorts of numbers, most of us say, well, that hype again, because the way the press and the way we have heard about computer viruses has been through hype oriented teachings. So the purpose here is not to use hype and not to sort of be alarmist and say the world is ending, because the world isn't ending per se, but to suggest that there isn't a Fortune 500 company in the United States who hasn't had a computer virus problem is absolutely true, and the sad truth about these viruses is that the misconceptions are keeping us from doing the right things to solve the problem, and the misconceptions stem from the fact that companies that are hit by computer viruses, which is every company, refused to talk about that until today.

There are a couple of other unique things and misconceptions about computer viruses. One is that bulletin boards are the leading source of computer viruses. Bulletin boards represent the infancy of the superhighway, I think you could say, and there are a lot of companies that make rules in their company that you are not allowed to use bulletin boards because you might get a virus. In fact, it is way in the low, single-digit percents. It may be as low as 1 percent of computer viruses that are introduced into companies come through some route via a bulletin board.
We are told that some viruses are benign, and, in fact, most people who write computer viruses think that their particular virus is innocuous and not harmful. It turns out that most virus authors, as we just heard from Mr. Goldstein, are, in fact, curious people and not malicious people. They are young, and they are challenged, and there is a huge game going on in the world.

There is a group of underground virus bulletin boards that we call virus exchange bulletin boards in which people are challenged to write viruses. The challenge works like this: If you are interested and curious, you read the threads of communication on these bulletin boards, and they say, you know, "If you want to download some viruses, there's a thousand here on the bulletin board free for your downloading," but you need points. Well, how do you get points? Well, you upload some viruses. Well, where do you get some viruses from? If you upload the most common viruses, they are not worth many points, so you have to upload some really good, juicy viruses. Well, the only way to get those is to write them, so you write a virus and upload your virus, and then you gain acceptance into the culture, and when you gain acceptance into the culture you have just added to the problem.

It is interesting to know that the billion dollars that we have spent since 1990 on computer viruses just in the United States is due to viruses that were written in 1988 and 1987. Back then, we only had one or two viruses a quarter, new, introduced into the world. This year we have a thousand new computer viruses introduced into our community, and it won't be for another 4 or 5 years before these thousand viruses that are written now will become the major viruses that hurt us in the future.

So virus authors don't believe they are doing anything wrong, they don't believe that they are being harmful, and they don't believe that what they do is dangerous, and, in fact, all viruses are.
Computer crime laws don't have anything to do with computer virus writers, so we heard testimony this morning from Scott Charney of the Department of Justice who suggested that authorized access is the biggest law you could use, and, in fact, most viruses are brought into our organizations in authorized ways, because users who are legitimate in the organizations accidentally bring these things in, and then they infect our companies.

In summary, I think that we need to add a little bit of specific wording in our computer crime legislation that relates particularly to computer viruses and worms. We need, in particular, to educate. We need to go after an ethics angle. We need to get to the point where Americans think that writing viruses or doing these other kinds of things that contaminate our computer superhighways are akin to contaminating our expressways.

In the sixties we had a big "Keep America Beautiful" campaign, and most Americans would find it unthinkable to throw their garbage out the window of their car, but we don't think it unthinkable to write rogue programs that will spread around our highway.

Thank you.

Mr. MARKEY. Thank you, Dr. Tippett.

Mr. Guidry.

STATEMENT OF MICHAEL A. GUIDRY

Mr. GUIDRY. Thank you, Mr. Chairman, for giving me the opportunity to appear before this subcommittee, and thank you, subcommittee, for giving me this opportunity.

The Guidry Group is a Houston-based security consulting firm specializing in telecommunication issues. We started working in telecommunication issues in 1987 and started working specifically with the cellular industry at that time. When we first started, we were working with the individual carriers across the United States, looking at the hot points where fraud was starting to occur, which were major metropolitan cities of course.

In 1991, the Cellular Telephone Industry Association contacted us and asked us to work directly with them in their fight against cellular fraud.
The industry itself has grown, as we all know, quite rapidly. However, fraud in the industry has grown at an unbelievable increase, actually faster than the industry itself, and as a result of that fraud now is kind of like a balloon, a water balloon; it appears in one area, and when we try to stamp it out it appears in another area. As a result, what has happened is, when fraud first started, there was such a thing as subscription fraud, the same type of fraud that occurred with the land line telecommunication industry. That subscription fraud quickly changed. Now what has occurred is, technology has really stepped in. First, hackers, who are criminals or just curious people, would take a telephone apart, a cellular phone apart, and change the algorithm on the chip, reinsert the chip into the telephone, and cause that telephone to tumble. Well, the industry put its best foot forward and actually stopped, for the most part, the act of tumbling in cellular telephones. But within the last 18 months something really terrible has happened, and that is cloning. Cloning is the copying of the MIN and ESN number, and, for clarification, the MIN is the Mobile Identification Number that is assigned to you by the carrier, and the ESN number is the Electronic Cellular Number that is given to the cellular telephone from that particular manufacturer. As a result, now we have perpetrators, or just curious people, finding ways to copy the MIN and the ESN, thereby victimizing the cellular carrier as well as the good user, paying subscriber. This occurs when the bill is transmitted by the carrier to the subscriber and he says something to the effect of, "I didn't realize that I had made $10,000 worth of calls to the Dominican Republic," or to Asia or Nicaragua or just any place like that. 
Now what has happened is, those clone devices have been placed in the hands of people that we call ET houses, I guess you would say, and they are the new immigrants that come into the United States for the most part that do not have telephone subscriptions on the land line or on the carrier side from cellular, and now they are charged as much as $25 for 15 minutes to place a call to their home. Unfortunately, though, the illicit behavior of criminals has stepped into this network also. Now we have gang members, drug dealers, and gambling, prostitution, vice, just all sorts of crime, stepping forward to use this system where, by using the cloning, they are avoiding law enforcement. Law enforcement has problems, of course, trying to find out how to tap into those telephone systems and record those individuals. Very recently, cloning has even taken a second step, and that is now something that we term the magic phone, and the magic phone works like this: Instead of cloning just one particular number, it clones a variety of numbers, as many as 14 or 66, thereby distributing the fraud among several users, which makes it almost virtually impossible for us to detect at an early stage. In response to this, what has happened? A lot of legitimate people have started to look at using the illegitimate cellular services. They are promised that this is a satellite phone or just a telephone that if they pay a $2,500 fee will avoid paying further bills. So now it has really started to spread. Some people in major metropolitan areas, such as the Southwest, Northeast, and Southeast, have started running their own mini-cellular companies by distributing these cloning phones to possible clients and users, collecting the fee once a month to reactivate the phone if it is actually denied access. 
The cellular industry has really stepped up to the plate I think the best they can right now in trying to combat this by working with the switch manufacturers and other carriers, 150 of them to date with the cellular telephone industry, as well as the phone manufacturers, and a lot of companies have started looking at software technology. However, these answers will not come to pass very soon. What we must have is strong legislation. We have been working for the last 18 months, specifically with the Secret Service and a lot of local, State, and Federal law enforcement agencies. The Service has arrested over 100 people involved in cellular fraud. We feel very successful about that. We also worked with local law enforcement in Los Angeles to form the L.A. Blitz, and we arrested an additional 26 people and seized 66 illegal telephones and several computers that spread this cloning device. However, now we have a problem. U.S. Title 18, 1029, does not necessarily state cellular or wireless. It is very important, and I pray that this committee will look at revising 1029 and changing it to include wireless and cellular. I think wireless communications, of course, like most people, is the wave of the future, and it is extremely important that we include that in the legislation so that when people are apprehended they can be prosecuted. Thank you, sir. Mr. MARKEY. Thank you, Mr. Guidry, very much. We will take questions now from the subcommittee members. Let me begin, Mr. Delaney. I would like you and Mr. Goldstein to engage in a conversation, if we could. This is Mr. Goldstein's magazine, "The Hacker Quarterly: 2600," and for $4 we could go out to Tower Records here in the District of Columbia and purchase this. It has information in it that, from my perspective, is very troubling in terms of people's cellular phone numbers and information on how to crack through into people's private information. Now you have got some problems with "The Hacker Quarterly," Mr. Delaney. 
Mr. DELANEY. Yes, sir. Mr. MARKEY. And your problem is, among other things, that teenagers can get access to this and go joy riding into people's private records. Mr. DELANEY. Yes, sir. In fact, they do. Mr. MARKEY. Could you elaborate on what that problem is? And then, Mr. Goldstein, I would like for you to deal with the ethical implications of the problem as Mr. Delaney would outline them. Mr. DELANEY. Well, the problem is that teenagers do read the "2600" magazine. I have witnessed teenagers being given free copies of the magazine by the editor-in-chief. I have looked at a historical perspective of the articles published in "2600" on how to engage in different types of telecommunications fraud, and I have arrested teenagers that have read that magazine. The publisher, or the editor-in-chief, does so with impunity under the cloak of protection of the First Amendment. However, as I indicated earlier, in that the First Amendment has been abridged for the protection of juveniles from pornography, I also feel that it could be abridged for juveniles being protected from manuals on how to commit crime -- children, especially teenagers, who are hackers, and who, whether they be mischievous or intentionally reckless, don't have the wherewithal that an adult does to understand the impact of what he is doing when he gets involved in this and ends up being arrested for it. Mr. MARKEY. Mr. Goldstein, how do we deal with this problem? Mr. GOLDSTEIN. First of all, "2600" is not a manual for computer crime. What we do is, we explain how computers work. Very often knowledge can lead to people committing crimes, we don't deny that, but I don't believe that is an excuse for withholding the knowledge. The article on cellular phones that was printed in that particular issue pretty much goes into detail as to how people can track a cellular phone call, how people can listen in, how exactly the technology works. 
These are all things that people should know, and perhaps if people had known this at the beginning they would have seen the security problems that are now prevalent, and perhaps something could have been done about it at that point. Mr. MARKEY. Well, I don't know. You are being a little bit disingenuous here, Mr. Goldstein. Here, on page 17 of your spring edition of 1993, "How to build a pay TV descrambler." Now that is illegal. Mr. GOLDSTEIN. Not building. Building one is not illegal. Mr. MARKEY. Oh, using one is illegal? Mr. GOLDSTEIN. Exactly. Mr. MARKEY. I see. So showing a teenager, or anyone, how to build a pay TV descrambler is not illegal. But what would they do then, use it as an example of their technological prowess that they know how to build one? Would there not be a temptation to use it, Mr. Goldstein? Mr. GOLDSTEIN. It is a two-way street, because we have been derided by hackers for printing that information and showing the cable companies exactly what the hackers are doing. Mr. MARKEY. I appreciate it from that perspective, but let's go over to the other one. If I am down in my basement building a pay TV descrambler for a week, am I not going to be tempted to see if it works, Mr. Goldstein? Or how is it that I then prove to myself and my friends that I have actually got something here which does work in the real world? Mr. GOLDSTEIN. It is quite possible you will be tempted to try it out. We don't recommend people being fraudulent -- Mr. MARKEY. How do you know that it works, by the way? Mr. GOLDSTEIN. Actually, I have been told by most people that is an old version that most cable companies have gotten beyond. Mr. MARKEY. So this wouldn't work then? Mr. GOLDSTEIN. It will work in some places, it won't work in all places. Mr. MARKEY. Oh, it would work? It would work in some places? Mr. GOLDSTEIN. Most likely, yes. 
But the thing is, we don't believe that because something could be used in a bad way, that is a reason to stifle the knowledge that goes into it. Mr. MARKEY. That is the only way this could be used. Is there a good way in which a pay TV descrambler could be used that is a legal way? Mr. GOLDSTEIN. Certainly, to understand how the technology works in the first place, to design a way of defeating such devices in the future or to build other electronic devices based on that technology. Mr. MARKEY. I appreciate that, but it doesn't seem to me that most of the subscribers to "2600" magazine -- Mr. GOLDSTEIN. That is interesting that you are pointing to that. That is our first foray into cable TV. We have never even testified on the subject before. Mr. MARKEY. I appreciate that. Well, let's move on to some of your other forays here. What you have got here, it seems to me, is a manual where you go down Maple Street and you just kind of try the door on every home on Maple Street. Then you hit 216 Maple Street, and the door is open. What you then do is, you take that information, and you go down to the corner grocery store, and you post it: "The door of 216 Maple is open." Now, of course, you are not telling anyone to steal, and you are not telling anyone that they should go into 216 Maple. You are assuming that everyone is going to be ethical who is going to use this information, that the house at 216 Maple is open. But the truth of the matter is, you have got no control at this point over who uses that information. Isn't that true, Mr. Goldstein? Mr. GOLDSTEIN. The difference is that a hacker will never target an individual person as a house or a personal computer or something like that. What a hacker is interested in is wide open, huge data bases that contain information about people, such as TRW. 
A better example, I feel, would be one that we tried to do 2 years ago where we pointed out that the Simplex Lock Corporation had a very limited number of combinations on their hardware locks that they were trying to push homeowners to put on their homes, and we tried to alert everybody as to how insecure these are, how easy it is to get into them, and people were not interested. Hackers are constantly trying to show people how easy it is to do certain things. Mr. MARKEY. I appreciate what you are saying. From one perspective, you are saying that hackers are good people out there, almost like -- what are they called? -- the Angels that patrol the subways of New York City. Mr. GOLDSTEIN. Guardian Angels. I wouldn't say that though. Mr. MARKEY. Yes, the Guardian Angels, just trying to protect people. But then Mr. Delaney here has the joy riders with the very same information they have taken off the grocery store bulletin board about the fact that 216 Maple is wide open, and he says we have got to have some laws on the books here to protect against it. So would you mind if we passed, Mr. Goldstein, trespassing laws that if people did, in fact, go into 216 and did do something wrong, that we would be able to punish them legally? Would you have a problem with that? Mr. GOLDSTEIN. I would be thrilled if computer trespassing laws were enforced to the same degree as physical trespassing laws, because then you would not have teenage kids having their doors kicked in by Federal marshals and being threatened with $250,000 fines, having all their computer equipment taken and having guns pointed at them. You would have a warning, which is what you get for criminal trespass in the real world, and I think we need to balance out the real world -- Mr. MARKEY. All right. So you are saying, on the one hand, you have a problem that you feel that hackers are harassed by law enforcement officials and are unduly punished. We will put that on one side of the equation. 
But how about the other side? How about where hackers are violating people's privacy? What should we do there, Mr. Goldstein? Mr. GOLDSTEIN. When a hacker is violating a law, they should be charged with violating a particular law, but that is not what I see today. I see law enforcement not having a full grasp of the technology. A good example of this was raids on people's houses a couple of years ago where in virtually every instance a Secret Service agent would say, "Your son is responsible for the AT&T crash on Martin Luther King Day," something that AT&T said from the beginning was not possible. Mr. MARKEY. Again, Mr. Goldstein, I appreciate that. Let's go to the other side of the problem, the joy rider or the criminal that is using this information. What penalties would you suggest to deal with the bad hacker? Are there bad hackers? Mr. GOLDSTEIN. There are a few bad hackers. I don't know any myself, but I'm sure there are. Mr. MARKEY. I assume if you knew any, you would make sure we did something about them. But let's just assume there are bad people subscribing. What do we do about the bad hacker? Mr. GOLDSTEIN. Well, I just would like to clarify something. We have heard here in testimony that there are gang members and drug members who are using this technology. Now, are we going to define them as hackers because they are using the technology? Mr. MARKEY. Yes. Well, if you want to give them another name, fine. We will call them hackers and crackers, all right? Mr. GOLDSTEIN. I think we should call them criminals. Mr. MARKEY. So the crackers are bad hackers, all right? If you want another word for them, that is fine, but you have got the security of individuals decreasing with the sophistication of each one of these technologies, and the crackers are out there. What do we do with the crackers who buy your book? Mr. GOLDSTEIN. I would not call them crackers. They are criminals. 
If they are out there doing something for their own benefit, selling information -- Mr. MARKEY. Criminal hackers. What do we do with them? Mr. GOLDSTEIN. There are existing laws. Stealing is still stealing. Mr. MARKEY. OK. Fine. Dr. Tippett. Mr. TIPPETT. I think that the information age has brought on an interesting dilemma that I alluded to earlier. The dilemma is that the people who use computers don't have parents who used computers, and therefore they didn't get the sandbox training on proper etiquette. They didn't learn you are not supposed to spit in other people's faces or contaminate the water that we drink, and we have a whole generation now of 100 million in the United States computer users, many of whom can think this through themselves, but, as we know, there is a range of people in any group, and we need to point out the obvious to some people. It may be the bottom 10 percent. Mr. MARKEY. What the problem is, of course, is that the computer hacker of today doesn't have a computer hacker parent, so parents aren't teaching their children how to use their computers because parents don't know how to use computers. So what do we do? Mr. TIPPETT. It is incumbent upon us to do the same kind of thing we did in the sixties to explain that littering wasn't right. It is incumbent upon us to take an educational stance and for Congress to credit organizations, maybe through a tax credit or through tax deductions, for taking those educational opportunities and educating the world of people who didn't have sandbox training what is good and what is bad about computing. So at least the educational part needs to get started, because I, for one, think that probably 90 percent of the kids -- most of the kids who do most of the damage that we have all described up here, in fact, don't really believe they are doing any damage and don't have the concept of the broadness of the problem that they are doing. 
The 10 percent of people who are criminal we could go after potentially from the criminal aspect, but the rest we need to get after from a plain, straight ahead educational aspect. Mr. MARKEY. I appreciate that. I will just say in conclusion -- and this is for your benefit, Mr. Goldstein. When you pass laws, you don't pass laws for the good people. What we assume is that there are a certain percent of people -- 5 percent, 10 percent; you pick it -- who really don't have a good relationship with society as a whole, and every law that we pass, for the most part, deals with those people. Now, as you can imagine, when we pass death penalty statutes, we are not aiming it at your mother and my mother. It is highly unlikely they are going to be committing a murder in this lifetime. But we do think there is a certain percentage that will. It is a pretty tough penalty to have, but we have to have some penalty that fits the crime. Similarly here, we assume that there is a certain percentage of pathologically damaged people out there. The cerebral mechanism doesn't quite work in parallel with the rest of society. We have to pass laws to protect the rest of us against them. We will call them criminal hackers. What do we do to deal with them is the question that we are going to be confronted with in the course of our hearings? Let me recognize the gentleman from Texas, Mr. Fields. Mr. FIELDS. Thank you, Mr. Chairman. Just for my own edification, Mr. Goldstein, you appear to be intelligent; you have your magazine, so obviously you are entrepreneurial. For me personally, I would like to know, why don't you channel the curiosity that you talk about into something that is positive for society? And, I'm going to have to say to you, I don't think it is positive when you invade someone else's privacy. Mr. GOLDSTEIN. I agree. Mr. FIELDS. Whether it is an individual or a corporation. Mr. GOLDSTEIN. Well, I would like to ask a question in return then. 
If I discover that a corporation is keeping a file on me and I access that corporation's computer and find out or tell someone else, whose privacy am I invading? Or is the corporation invading my privacy? You see, corporations are notorious for not volunteering such information: "By the way, we are keeping files on most Americans and keeping track of their eating habits and their sexual habits and all kinds of other things." Occasionally, hackers stumble on to information like that, and you are much more likely to get the truth out of them because they don't have any interest to protect. Mr. FIELDS. Are you saying with this book that is what you are trying to promote? because when I look through this book, I find the same thing that the chairman finds, some things that could actually lead to criminal behavior, and when I see all of these codes regarding cellular telephones, how you penetrate and listen to someone's private conversation, I don't see where you are doing anything for the person, the person who is actually doing the hacking. I see that as an invasion of privacy. Mr. GOLDSTEIN. All right. I need to explain something then. Those are not codes, those are frequencies. Those are frequencies that anybody can listen to, and by printing those frequencies we are demonstrating how easy it is for anybody to listen to them. Now if I say that by tuning to 871 megahertz you can listen to a cellular phone call, I don't think I am committing a crime, I think I am explaining to somebody. What I have done at previous conferences is hold up this scanner and press a button and show people how easy it is to listen, and those people, when they get into their cars later on in the day, they do not use their cellular telephones to make private calls of a personal nature because they have learned something, and that is what we are trying to do, we are trying to show people how easy it is. 
Now, yes, that information can be used in a bad way, but to use that as an excuse not to give out the information at all is even worse, and I think it is much more likely that things may be fixed, the cellular industry may finally get its act together and start protecting phone calls. The phone companies might make red boxes harder to use or might make it easier for people to afford phone calls, but we will never know if we don't make it public. Mr. FIELDS. I want to be honest with you, Mr. Goldstein. I think it is frightening that someone like you thinks there is a protected right in invading someone else's privacy. Mr. Guidry, let me turn to you. How does a hacker get the codes that you were talking about a moment ago -- if I understood what you were saying correctly, the manual ID number, the other cellular numbers that allow them to clone? Mr. GUIDRY. Well, unfortunately, "2600" would be a real good bet to get those, and we have arrested people and found those manuals in their possession. The other way is quite simply just to what we call dumpster dive, and that is to go to cellular carriers where they may destroy trash. Unfortunately, some of it is shredded and put back together, some of it is not shredded, and kids, criminals, go into those dumpsters, withdraw that information, piece it together, and then experiment with it. That information then is usually sold for criminal activity to avoid prosecution. Mr. FIELDS. You are asking the subcommittee to include wireless and cellular, and I think that is a good recommendation. I think certainly that is one that we are going to take as good counsel. But it appears that much of what you are talking about is organized activity, and my question is, does the current punishment scheme actually fit the crime, or should we also look at increasing punishment for this type of crime? Mr. GUIDRY. I would strongly suggest that we increase the punishment for this sort of crime. 
It is unfortunate that some hackers take that information and sell it for criminal activity, and, as a result, if prosecution is not stiff enough, then it far outweighs the crime. Mr. FIELDS. What is the punishment now for this type of cellular fraud? Mr. GUIDRY. Right now, it can be as high as $100,000 and up to 20 years in the penitentiary. Mr. FIELDS. Mr. Delaney, do you feel that that is adequate? Mr. DELANEY. Under New York State law, which is what I deal with, as opposed to the Federal law, we can charge a host of felonies with regard to one illicit telephone call if you want to be creative with the law. Sections 1029 and 1039 really cover just about everything other than the cellular concern and the wireless concern. However, I think the thing that is not dealt with is the person who is running the call sell operations. The call selling operations are the biggest loss of revenue to the telephone companies, cellular companies. Whether they are using PBX's or call diverters or cellular phones, this is where all the fraud is coming from, and there is only a handful of people who are originating this crime. We have targeted these people in New York City right now, and the same thing is being done in Los Angeles and Florida, to determine who these people are that use just the telephone to hack out the codes on PBX's, use ESN readers made by the Curtis Company to steal the ESN and MIN's out of the air and then to disseminate this to the street phones and to the cellular phones that are in cars and deprive the cellular industry of about $300 million a year, and the rest of the telecommunications networks in the United States probably of about $1 billion a year, due to the call sell operations. In one particular case that we watched, as a code was hacked out on a PBX in a company in Massachusetts, the code was disseminated to 250 street phones within the period of a week. 
By the end of the month, a rather small bill of $40,000 was sent to the company, small only because they were limited by the number of telephone lines going through that company. Had it been a larger company whose code had been cracked by the finger hacker, the bill would have been in the hundreds of thousands of dollars, or over $1 million as typically some of the bills have been. But this is a relatively small group of people creating a tremendous problem in the United States, and a law specifically dealing with a person who is operating as an entrepreneur, running a call selling operation, I think would go far to ending one of the biggest problems we have. Mr. FIELDS. Let me ask so I understand, Mr. Delaney and Mr. Guidry, because I am a little confused, or maybe I just didn't understand the testimony, are these individual hackers acting separately, or are these people operating within a network, within an organization? Mr. DELANEY. These finger hackers are the people that control the network of people that operate telephone booths and cellular phones for reselling telephone service. These finger hackers are not computer hackers. Mr. FIELDS. When you say finger hackers, is this one person operating independently, or is that finger hacker operating in concert -- Mr. GUIDRY. No. He has franchised. He has franchised out. He actually sells the computer and the software and the cattail to do this to other people, and then they start their own little group. Now it is going internationally. Mr. FIELDS. Explain to me, if the chairman would permit -- Mr. MARKEY. Please. Mr. FIELDS. Explain to me the franchise. Mr. GUIDRY. What happens is, let's pretend we are in Los Angeles right now and I have the ability to clone a phone that is using a computer, a cattail, we call it, that goes from the computer, the back of the computer, into the telephone, and I have the diskette that tells me how to change that program. I can at some point sell the cloning. 
You can come to me, and I can clone your phone. However, that is one way for me to make money. The best way for me to make money is to buy computers, additional diskettes, and go to Radio Shack or some place and make additional cattails and say, "I can either clone your phone for $1,500, or what you can do for $5,000 is start your own company." So you say, "Well, wow, that's pretty good, because how many times would I have to sell one phone at from $500 to $1,500 to get my initial investment back?" As a result now, you have groups, you have just youngsters as well as organized crime stepping in. The Guidry Group has worked in the Philippines on this, we have worked in Mexico, the Dominican Republic, Chile, Argentina, and next week I will be in London and in Rome. It is so bad, sir, that now intelligence agencies in Rome have told me -- and that is what I am going there for -- that organized crime seems to think that telecommunications fraud is more lucrative, unfortunately, than drugs, and it is darned sure more lucrative in the Los Angeles, probably New York, and Miami areas, because right now prosecution is not that strong. It is unfortunate that all of law enforcement is not trained, nor could they be, to pick up on someone standing on a corner using an illegitimate phone. Mr. FIELDS. How would a person know where to get their telephone cloned? Mr. GUIDRY. Let me tell you what happens. Normally when we go into a major metropolitan city, or we also check the computer bulletin boards, a lot of times that information is there. Most of the time, though, it is in magazines, like green sheets, which are free advertisements saying, "Call anywhere in the world. Come to --" a location, or, "Call this number." Also in Los Angeles, for some reason, they seem to advertise a lot in sex magazines, and people will simply buy a sex magazine and there will be a statement in there, "Earn money the fast way. Start your own telecommunications company." 
And then we will follow up on that tip and work with the Secret Service to try to apprehend those people. Mr. FIELDS. Mr. Haugh. Mr. HAUGH. If I could just add a few comments, it would be most unfortunate if this denigrates into a discussion of adolescents who are curious and so-called finger hackers. The truth of the matter is that the toll fraudsters are adults, they are organized, they are smart, they are savvy, and the drug dealers in particular are learning very quickly that it is far more lucrative, far less dangerous, to go into the telecom crime business. "Finger hacking" is a term, but the truth is, war dialers, speed dialers, modems, automated equipment now will hack and crack into systems and break the codes overnight. While the criminal sleeps, his equipment penetrates those systems. He gets up in the morning, and he has got a print sheet of new numbers that his equipment penetrated overnight. We have interviewed the criminals involved. These so-called idle curiosity adolescents are being paid up to $10,000 a month for new codes. I don't call that curiosity, I call that venality. We are talking a $4 billion problem. The chairman came up with the Maple Street example. I think even better yet, Mr. Chairman, the truth is that 216 Maple had a security device on the door and a code, and what Mr. Goldstein and his ilk do is sell that code through selling subscriptions to these periodicals. There is a big difference, in my opinion, between saying, "216 Maple is open" -- that is bad enough -- than to say, "You go to 216 Maple, and push 4156, and you can get in the door." But we are talking about crime, we are talking about adults, we are talking about organized crime, perhaps not in the Cosa Nostra sense, but even the Cosa Nostra is wising up that they can finance some of these operations, and in New York and Los Angeles, in particular, the true Mafia is now beginning to finance some of these telecom fraud operations. Mr. FIELDS. Mr. Guidry, one last question. 
Is it the Secret Service that is at the forefront of Federal activity? Mr. GUIDRY. Yes, sir, it is. Mr. FIELDS. Do they have the resources to adequately deal with this problem? Mr. GUIDRY. No, sir. The problem is growing so rapidly that they are undermanned in this area but have asked for additional manpower. Mr. FIELDS. Is this a priority for the Secret Service? Mr. GUIDRY. Yes, sir, it is. Mr. FIELDS. Thank you, Mr. Chairman. Mr. MARKEY. The gentleman's time has expired. Again, it is a $4 to $5 billion problem. Mr. HAUGH. That is what our research indicated. Mr. MARKEY. There were 35,000 victims last year alone. Mr. HAUGH. Yes, sir, and this is only users, large users. Now it can be businesses, nonprofits. There is a university on the East Coast that just this last week got hit for $490,000, and the fraud is continuing. Mr. MARKEY. The gentleman from Ohio. Mr. OXLEY. Thank you, Mr. Chairman. Let me ask the witnesses: Other than making the penalties tougher for this type of activity, what other recommendations, if any, would any of you have that we could deal with, that our subcommittee should look at, and the Judiciary Committee, I assume, for what we might want to try to accomplish? Mr. Haugh? Mr. HAUGH. I happen to disagree with a couple of the witnesses who have indicated tougher penalties. I mean it sounds great. You know, that is the common instant reaction to anything, expand the penalties. I happen to think 20 years is plenty enough for criminal penetration of a telecom system, and there are a few housekeeping things that could be done. The problem isn't the adequacy of the law, the laws are pretty adequate, and, as Mr. Delaney indicated, you have a violation someplace, you have got a State law and a Federal law, both, and if you are a smart prosecutor, there are about eight different ways you can go after these criminals. 
The truth is, we have got inadequate enforcement, inadequate funding, inadequate pressure on the part of the Congress on the FCC to make more proactive efforts and to put more heat on the industry to coordinate. The truth is that the carriers compete with each other fiercely. They, with some limited exceptions, don't share appropriate information with each other. The LEC's and the RBOC's hide behind privacy; they hide behind other excuses not to cooperate with law enforcement and with the rest of the industry as effectively as they should. So I think putting the heat on the industry, putting the heat on the FCC, more adequately funding the FCC, more adequately funding the Secret Service, and having hearings like this that focus on the problem is the answer and not expanding the penalty from 20 years to 25 years. Nobody gets 20 years anyway, so expanding the 20 years is, to me, not the answer.

Mr. OXLEY. What is the average sentence for something like that?

Mr. HAUGH. I think the average toll fraud criminal who actually goes to jail -- and they are few and far between -- spends 3 to 6 months, and they are out. Now recidivism levels are low, I agree with Mr. Delaney. Once you catch them, they rarely go back to it. So it isn't a question of putting them in jail forever, it is a question of putting them in jail. The certainty of punishment level is very low. We talked to a drug dealer in New York City who left the drug business to go into toll fraud because he told me he can make $900,000 a year -- nontaxable income, he called it -- and never ever worry about going to jail.

Mr. DELANEY. In New York City, I have never seen anybody go to jail on a first offense for anything short of armed robbery, let alone telephone fraud. They typically get 200 hours of community service, depending upon the judge.
These people that I am speaking about are not the computer hackers that we were speaking about earlier, these are the people that are the finger hackers that break into the PBX's around the country. These are immigrants in the United States, they are adults, they know how to operate a telephone. They sit there generally -- almost every one that we have arrested so far uses a Panasonic memory telephone, and they sit there night and day trying to hack out the PBX codes. They go through all the default codes of the major manufacturers of PBX's. They know that much. We don't have a single person in New York City, that I know of, that is hacking PBX's with a computer. The long distance carriers can see patterns of hacking into 800 lines, which are typically the PBX's, and they can see that it is being done by telephone, by finger hacking a telephone key pad, as opposed to a computer. The war dialing programs that Mr. Haugh referred to are typically used by the computer hackers to get these codes, but they create only a minuscule amount of the fraud that is ongoing in the country. The great majority is generated by the finger hackers who then disseminate those codes to the telephone booths and the call selling operations that operate out of apartments in New York City. In one apartment with five telephones in it that operates 16 hours a day for 365 days a year selling telephone service at $10 for 20 minutes, you take in $985,000. It is a very profitable business. One of the individuals we arrested that said he did this because it was more profitable and less likely that he be caught than in selling drugs was murdered several months after we arrested him in the Colombian section of Queens because he was operating as an independent.
It is a very controlled situation in New York City, and different ethnicities throughout New York City control the call sell operations in their neighborhoods, and everyone in those neighborhoods knows where they can go to make an illicit phone call or to get a phone cloned, whether it is a reprogrammed phone or rechipped.

Mr. OXLEY. Mr. Guidry, did you have a comment?

Mr. GUIDRY. Well, I think that we really do need to enforce the laws and we need to make some statutory changes in title 18, section 1029 to include cellular and wireless. I have been in courtrooms where really savvy defense attorneys say, "Well, it does not specifically indicate cellular or wireless," and that raises some question in the jury's mind, and I would just as soon that question not be there.

Mr. OXLEY. Thank you. Mr. Chairman, I see we have got a vote, and I yield back the balance of my time.

Mr. MARKEY. Thank you. We are going to have each one of you make a very brief summary statement to the committee if you could, and then we are going to adjourn the hearing. As you know, the Federal Communications Commission will be testifying before this subcommittee next week. We have a great concern that, although they held an all-day hearing on toll fraud last October, while we thought they were going to move ahead in an expeditious fashion, that, with a lot of good information, it has all sat on the shelf since that time. We expected them to act on that information to establish new rules protecting consumers and pushing carriers to do a lot more than they have done thus far to protect their networks. In light of recent court decisions holding that consumers are always liable I think that action by the FCC is long overdue, and at the FCC authorization hearing next week I expect to explore this issue with the commissioners in depth, so you can be sure of that, Mr. Haugh. Let's give each of you a 1-minute summation. Again, we will go in reverse order and begin with you, Mr. Guidry.

Mr. GUIDRY.
Thank you, sir. Telecommunications fraud, of course, is going internationally, and as it goes internationally and starts to franchise and get more organized, we are going to have to figure out a better way to combat it. Industry itself right now is putting its best foot forward. However, I would ask this committee to strongly look at changing some of this legislation and to also increase law enforcement's efforts through manpower. Thank you very much, sir.

Mr. MARKEY. Thank you. Mr. Haugh.

Mr. HAUGH. I agree with Mr. Guidry that there are some housekeeping changes that need to be made, and the particular title and section he referred to should definitely be amended to include more clearly wireless. The overall problem is an immense one; it is a very serious one; it is a complicated one. Everybody is at fault. Finger pointing has been carried to an extreme. Again, I think the long distance carriers, the big three -- AT&T, MCI, and Sprint -- have done a superb job of coming up to speed with monitoring. They are starting to cooperate better. They have really come to the table. The laggards are the LEC's and the RBOC's, the CPE manufacturers, and the FCC. In fairness to the FCC, they are understaffed, undermanned, underfunded. They can't even take care of all their mandated responsibilities right now, let alone take on new chores. All that said, there is a great deal the FCC can do -- jawboning, regulations, pushing the LEC's and the RBOC's, in particular, to get real, get serious -- and I would urge this committee -- applaud your efforts and urge you to continue that.

Mr. MARKEY. Thank you. Dr. Tippett.

Mr. TIPPETT. Thank you. The computer virus issue is a little bit different than the toll fraud issue. In fact, there are no significant laws that deal with viruses, and, in fact, the fact that there are no laws gives the people who write viruses license to write them. The typical statement you read is, "It's not illegal, and I don't do anything that is illegal."
So in the computer virus arena we do need laws. They don't need to be fancy; they don't need to be extensive. There are some suggestions of approaches to virus legislation in my written testimony. We also need education, and I would encourage Congress to underwrite some education efforts that the private sector could perform in various ways, perhaps through tax incentives or tax credits. The problem is growing and large. It exceeds $1 billion already in the United States, and it is going to be a $2 billion problem in 1994. As bad as toll fraud seems, this virus issue is, oddly, more pervasive and less interesting to a whole lot of people, and I think it needs some higher attention.

Mr. MARKEY. Thank you. Mr. Goldstein.

Mr. GOLDSTEIN. Thank you. I would like to close by cautioning the subcommittee and all of us not to mix up these two very distinct worlds we are talking about, the world of the criminal and the world of the experimenter, the person that is seeking to learn. To do so will be to create a society where people are afraid to experiment and try variations on a theme because they might be committing some kind of a crime, and at the same time further legislation could have the effect of not really doing much for drug dealers and gangsters, who are doing far more serious crimes than making free phone calls, and it is not likely to intimidate them very much. I think the answer is for all of us to understand specifically what the weaknesses in the technology are and to figure out ways to keep it as strong and fortress-like as possible. I do think it is possible with as much research as we can put into it. Thank you.

Mr. MARKEY. Thank you, Mr. Goldstein. Mr. Delaney.

Mr. DELANEY. Last year, the Secret Service and the FBI arrested people in New York City for conducting illegal wiretaps. The ability to still do that by a hacker exists in the United States.
Concerned with privacy, I am very happy to see that something like the Clipper chip is going to become available to protect society. I do hope, though, that we will always have for the necessary law enforcement investigation the ability to conduct those wiretaps. Without it, I see chaos. But with respect to the cellular losses, the industry is coming along at a very rapid rate with technology to save them money in the future, because with encryption nobody will be able to steal their signals either.

Mr. MARKEY. Thank you, Mr. Delaney. I apologize. There is a roll call on the Floor, and I only have 3 minutes to get over there to make it. You have all been very helpful to us here today. It is a very tough balancing act, but we are going to be moving aggressively in this area. And we are going to need all of you to stay close to us so that we pass legislation that makes sense. This hearing is adjourned. Thank you.

[Whereupon, at 12:16 p.m., the subcommittee was adjourned.]

------------------------------

End of Computer Underground Digest #6.02
************************************