Copyright Michael B. Scher This document may be freely distributed by electronic media solely for non-commercial purposes. Reproduction in any form must be of the entire work including this copyright notice. Print copies (except a personal use copy) with permission of the author only. All other rights reserved.
strange(at)cultural.com"Hype" Talk given at Summercon 1996 by Mike Scher (strange) [Introduction] (more or less: "I'm Strange." Wait for chuckles to die down. "Yeah, I get that a lot.") Right now, I'm a grad student -- I study unauthorized access laws, hacking, law enforcement, and reporting about it in the U.S. I'm also an attorney, but I'm not going to talk about law, at least not directly. What I am gonna talk about . . . is HYPE. Hype. Hype in the media. Hype in government. And hype in law enforcement, and what all this HYPE means to anybody interested in security, privacy, computers, and unauthorized access. Here's a recent bit of hype: According to the New York Times, Congress's General Accounting Office reports that, last year, there were - ONE HUNDRED SIXTY-FIVE THOUSAND - successful attacks on Department of Defense computers. ONE HUNDRED SIXTY-FIVE THOUSAND The number sounds pretty impressive, eh? It should. You do the math on it, and that's one -successful- attack. Every three minutes. Twenty-four hours a day, seven days a week, for the whole year. . . . On average . . . You folks have been very . . . . . . busy. But, like I said, it's hype. Or maybe someone just added wrong. But I doubt that. More likely, someone from the New York Times, that bastion of literacy, can't read so . . . good. Because, if you look at the GAO report ITSELF, you find that the "attacks" were almost all internal. And that ANY use of a DOD machine outside its authorized use, counted as an -attack- No wonder the numbers were so high. But the Associated Press, and the Times, and a lot of other media vents couldn't resist reporting it as a big ole hacker scoop. And that's how Congress is taking it. Well, that's the "state of the art" in reporting this kind of stuff. I don't have to mention four hundred... MILLION pounds in Britain allegedly taken by computer terrorist blackmail over the last decade-- because for all the reporting on it, not ONE first-hand witness or authority is mentioned. Not one. Let alone interviewed. Just Winn Schwartau, and the whole story sounds suspiciously like one of his talks; like the one he gave THIS YEAR at the Info War conference, which the London Times termed a "summit" among info war experts to work out ways to defend against such kinds of attacks. Yeah, that's it. The London Times stands by the story anyhow. This is all just stuff to poke fun at, until you realize that most of Congress read the New York Times story, and not the GAO report. Not that most of them would have understood it. But the HYPE makes a bunch of naughty INTERNAL DOD employees out to be a HOARD of UNSTOPPABLE hackers in WHO-KNOWS-WHERE doing WHO KNOWS WHAT. So, as you can imagine. . . we'll be seeing some new legislation. No matter that we already have harsh laws for messing with "federal interest computers." They'll up the penalties. Heck, why not DEATH!? How about just chopping off your index fingers -- you know, to slow down your typing? What's Noogz up for? Thirty years, potentially? Right? In Illinois, a state known for its great foresight, they reacted to the massive, and, um, less than successful crackdown called Operation Sundevil, by passing some real nice computer crime laws. yesssirree... So there, we have a law that makes all ELECTRONIC IMPULSES property like physical property for all other laws. That means, type a personal letter on the company computer -- where you're employed -- and you're committing EMBEZZLEMENT. Ya don't even have to print it out. The HELL with unauthorized access laws. Now if you get into a system, you're STEALING their ELECTRONIC IMPULSES! And guess who gets to set the VALUE of those impulses, so you get to face GRAND LARCENY instead of petty theft? Oh, Illinois has unauthorized access laws, too. What the hell. Why not? A law for every BIT of hype. Right now, Canada has a fairly new computer crime statute -- it pretty much says you're breaking the law if you alter data on a computer. Doesn't say whose. Doesn't even say who can or can't authorize it. Now, it probably won't get used to put anyone in jail for using their own computer. But it theoretically can get anyone for doing just about anything. It's vague as hell. It's paranoid. It's a reaction to hype. Get ready to see some more of that coming out of D.C. this fine election year. Playing Doom'll only be a misdemeanor, mind you, because the gaming industry has a good lobbyist in D.C. Hackers don't. There are hardly any hackers who write anything in the popular press. Congress only looks at 2600 and Phrack when they want to get nervous. There are hardly any reporters with halfway decent contacts with hackers, who get a clue about what some alleged big story really is. When a certain story broke in Boston this year, there was one big Boston paper that made a huge bunch of hype about it. And another with a reporter with just a touch of sense. Not tons. Bust just enough sense to ring up Emmanuel Goldstein and ask for some rough background. In the end, he decided there was no real big story -- only hype. And his paper published nothing. No hype, but no truth either. Now imagine if he'd had some contacts already. Congress-critters, if they read anything at all, read the Times. They read the Wall Street Journal. They read their hometown papers. They read YOUR home town papers. You can all type. Now, don't play with naughty reporters who become "experts" for the FBI. But definitely, definitely, call hype where you see it. Write in. Write friendly, write honest, --write anonymously-- even, and write well. And start breaking down the hack HYPE the way the Internet porn hype is finally starting to break down. Or else you'll soon see some of the scariest damn laws you can imagine. Thanks. ---------------------------------------------------------------------