That scofflaw teenage hackers (or their parents) should have marijuana in their homes is probably not a shocking revelation, but the surprisingly common presence of illegal firearms in hacker dens is a bit disquieting. A Personal Computer can be a great equalizer for the techno-cowboy -- much like that more traditional American "Great Equalizer," the Personal Sixgun. Maybe it's not all that surprising that some guy obsessed with power through illicit technology would also have a few illicit high-velocity-impact devices around. An element of the digital underground particularly dotes on those "anarchy philes," and this element tends to shade into the crackpot milieu of survivalists, gun-nuts, anarcho-leftists and the ultra-libertarian right-wing. This is not to say that hacker raids to date have uncovered any major crack-dens or illegal arsenals; but Secret Service agents do not regard "hackers" as "just kids." They regard hackers as unpredictable people, bright and slippery. It doesn't help matters that the hacker himself has been "hiding behind his keyboard" all this time. Commonly, police have no idea what he looks like. This makes him an unknown quantity, someone best treated with proper caution.
To date, no hacker has come out shooting, though they do sometimes brag on boards that they will do just that. Threats of this sort are taken seriously. Secret Service hacker raids tend to be swift, comprehensive, well-manned (even over- manned); and agents generally burst through every door in the home at once, sometimes with drawn guns. Any potential resistance is swiftly quelled. Hacker raids are usually raids on people's homes. It can be a very dangerous business to raid an American home; people can panic when strangers invade their sanctum. Statistically speaking, the most dangerous thing a policeman can do is to enter someone's home. (The second most dangerous thing is to stop a car in traffic.) People have guns in their homes. More cops are hurt in homes than are ever hurt in biker bars or massage parlors.
But in any case, no one was hurt during Sundevil, or indeed during any part of the Hacker Crackdown. Nor were there any allegations of any physical mistreatment of a suspect. Guns were pointed, interrogations were sharp and prolonged; but no one in 1990 claimed any act of brutality by any crackdown raider.
In addition to the forty or so computers, Sundevil reaped floppy disks in particularly great abundance -- an estimated 23,000 of them, which naturally included every manner of illegitimate data: pirated games, stolen codes, hot credit card numbers, the complete text and software of entire pirate bulletin-boards. These floppy disks, which remain in police custody today, offer a gigantic, almost embarrassingly rich source of possible criminal indictments. These 23,000 floppy disks also include a thus-far unknown quantity of legitimate computer games, legitimate software, purportedly "private" mail from boards, business records, and personal correspondence of all kinds.
Standard computer-crime search warrants lay great emphasis on seizing written documents as well as computers -- specifically including photocopies, computer printouts, telephone bills, address books, logs, notes, memoranda and correspondence. In practice, this has meant that diaries, gaming magazines, software documentation, nonfiction books on hacking and computer security, sometimes even science fiction novels, have all vanished out the door in police custody. A wide variety of electronic items have been known to vanish as well, including telephones, televisions, answering machines, Sony Walkmans, desktop printers, compact disks, and audiotapes. No fewer than 150 members of the Secret Service were sent into the field during Sundevil. They were commonly accompanied by squads of local and/or state police. Most of these officers -- especially the locals -- had never been on an anti- hacker raid before. (This was one good reason, in fact, why so many of them were invited along in the first place.) Also, the presence of a uniformed police officer assures the raidees that the people entering their homes are, in fact, police. Secret Service agents wear plain clothes. So do the telco security experts who commonly accompany the Secret Service on raids (and who make no particular effort to identify themselves as mere employees of telephone companies).
A typical hacker raid goes something like this. First, police storm in rapidly, through every entrance, with overwhelming force, in the assumption that this tactic will keep casualties to a minimum. Second, possible suspects are immediately removed from the vicinity of any and all computer systems, so that they will have no chance to purge or destroy computer evidence. Suspects are herded into a room without computers, commonly the living room, and kept under guard -- not *armed* guard, for the guns are swiftly holstered, but under guard nevertheless. They are presented with the search warrant and warned that anything they say may be held against them. Commonly they have a great deal to say, especially if they are unsuspecting parents.
Somewhere in the house is the "hot spot" -- a computer tied to a phone line (possibly several computers and several phones). Commonly it's a teenager's bedroom, but it can be anywhere in the house; there may be several such rooms. This "hot spot" is put in charge of a two-agent team, the "finder" and the "recorder." The "finder" is computer-trained, commonly the case agent who has actually obtained the search warrant from a judge. He or she understands what is being sought, and actually carries out the seizures: unplugs machines, opens drawers, desks, files, floppy-disk containers, etc. The "recorder" photographs all the equipment, just as it stands -- especially the tangle of wired connections in the back, which can otherwise be a real nightmare to restore. The recorder will also commonly photograph every room in the house, lest some wily criminal claim that the police had robbed him during the search. Some recorders carry videocams or tape recorders; however, it's more common for the recorder to simply take written notes. Objects are described and numbered as the finder seizes them, generally on standard preprinted police inventory forms.
Even Secret Service agents were not, and are not, expert computer users. They have not made, and do not make, judgements on the fly about potential threats posed by various forms of equipment. They may exercise discretion; they may leave Dad his computer, for instance, but they don't *have* to. Standard computer-crime search warrants, which date back to the early 80s, use a sweeping language that targets computers, most anything attached to a computer, most anything used to operate a computer -- most anything that remotely resembles a computer -- plus most any and all written documents surrounding it. Computer-crime investigators have strongly urged agents to seize the works.
In this sense, Operation Sundevil appears to have been a complete success. Boards went down all over America, and were shipped en masse to the computer investigation lab of the Secret Service, in Washington DC, along with the 23,000 floppy disks and unknown quantities of printed material.
But the seizure of twenty-five boards, and the multi-megabyte mountains of possibly useful evidence contained in these boards (and in their owners' other computers, also out the door), were far from the only motives for Operation Sundevil. An unprecedented action of great ambition and size, Sundevil's motives can only be described as political. It was a public-relations effort, meant to pass certain messages, meant to make certain situations clear: both in the mind of the general public, and in the minds of various constituencies of the electronic community.
First -- and this motivation was vital -- a "message" would be sent from law enforcement to the digital underground. This very message was recited in so many words by Garry M. Jenkins, the Assistant Director of the US Secret Service, at the Sundevil press conference in Phoenix on May 9, 1990, immediately after the raids. In brief, hackers were mistaken in their foolish belief that they could hide behind the "relative anonymity of their computer terminals." On the contrary, they should fully understand that state and federal cops were actively patrolling the beat in cyberspace -- that they were on the watch everywhere, even in those sleazy and secretive dens of cybernetic vice, the underground boards.
This is not an unusual message for police to publicly convey to crooks. The message is a standard message; only the context is new.
In this respect, the Sundevil raids were the digital equivalent of t
he standard vice-squad crackdown on massage parlors, porno bookstores, head-shops, or floating crap-games. There may be few or no arrests in a raid of this sort; no convictions, no trials, no interrogations. In cases of this sort, police may well walk out the door with many pounds of sleazy magazines, X-rated videotapes, sex toys, gambling equipment, baggies of marijuana.... Of course, if something truly horrendous is discovered by the raiders, there will be arrests and prosecutions. Far more likely, however, there will simply be a brief but sharp disruption of the closed and secretive world of the nogoodniks. There will be "street hassle." "Heat." "Deterrence." And, of course, the immediate loss of the seized goods. It is very unlikely that any of this seized material will ever be returned. Whether charged or not, whether convicted or not, the perpetrators will almost surely lack the nerve ever to ask for this stuff to be given back. Arrests and trials -- putting people in jail -- may involve all kinds of formal legalities; but dealing with the justice system is far from the only task of police. Police do not simply arrest people. They don't simply put people in jail. That is not how the police perceive their jobs. Police "protect and serve." Police "keep the peace," they "keep public order." Like other forms of public relations, keeping public order is not an exact science. Keeping public order is something of an art-form.
If a group of tough-looking teenage hoodlums was loitering on a street-corner, no one would be surprised to see a street-cop arrive and sternly order them to "break it up." On the contrary, the surprise would come if one of these ne'er-do-wells stepped briskly into a phone-booth, called a civil rights lawyer, and instituted a civil suit in defense of his Constitutional rights of free speech and free assembly. But something much along this line was one of the many anomolous outcomes of the Hacker Crackdown.
Sundevil also carried useful "messages" for other constituents of the electronic community. These messages may not have been read aloud from the Phoenix podium in front of the press corps, but there was little mistaking their meaning. There was a message of reassurance for the primary victims of coding and carding: the telcos, and the credit companies. Sundevil was greeted with joy by the security officers of the electronic business community. After years of high-tech harassment and spiralling revenue losses, their complaints of rampant outlawry were being taken seriously by law enforcement. No more head-scratching or dismissive shrugs; no more feeble excuses about "lack of computer-trained officers" or the low priority of "victimless" white-collar telecommunication crimes.
Computer-crime experts have long believed that computer-related offenses are drastically under-reported. They regard this as a major open scandal of their field. Some victims are reluctant to come forth, because they believe that police and prosecutors are not computer-literate, and can and will do nothing. Others are embarrassed by their vulnerabilities, and will take strong measures to avoid any publicity; this is especially true of banks, who fear a loss of investor confidence should an embezzlement-case or wire-fraud surface. And some victims are so helplessly confused by their own high technology that they never even realize that a crime has occurred -- even when they have been fleeced to the bone. The results of this situation can be dire. Criminals escape apprehension and punishment. The computer-crime units that do exist, can't get work. The true scope of computer-crime: its size, its real nature, the scope of its threats, and the legal remedies for it -- all remain obscured.
Another problem is very little publicized, but it is a cause of genuine concern. Where there is persistent crime, but no effective police protection, then vigilantism can result. Telcos, banks, credit companies, the major corporations who maintain extensive computer networks vulnerable to hacking -- these organizations are powerful, wealthy, and politically influential. They are disinclined to be pushed around by crooks (or by most anyone else, for that matter). They often maintain well-organized private security forces, commonly run by experienced veterans of military and police units, who have left public service for the greener pastures of the private sector. For police, the corporate security manager can be a powerful ally; but if this gentleman finds no allies in the police, and the pressure is on from his board-of-directors, he may quietly take certain matters into his own hands.
Nor is there any lack of disposable hired-help in the corporate security business. Private security agencies -- the 'security business' generally -- grew explosively in the 1980s. Today there are spooky gumshoed armies of "security consultants," "rent-a- cops," "private eyes," "outside experts" -- every manner of shady operator who retails in "results" and discretion. Or course, many of these gentlemen and ladies may be paragons of professional and moral rectitude. But as anyone who has read a hard-boiled detective novel knows, police tend to be less than fond of this sort of private-sector competition.
Companies in search of computer-security have even been known to hire hackers. Police shudder at this prospect.
Police treasure good relations with the business community. Rarely will you see a policeman so indiscreet as to allege publicly that some major employer in his state or city has succumbed to paranoia and gone off the rails. Nevertheless, police -- and computer police in particular -- are aware of this possibility. Computer-crime police can and do spend up to half of their business hours just doing public relations: seminars, "dog and pony shows," sometimes with parents' groups or computer users, but generally with their core audience: the likely victims of hacking crimes. These, of course, are telcos, credit card companies and large computer- equipped corporations. The police strongly urge these people, as good citizens, to report offenses and press criminal charges; they pass the message that there is someone in authority who cares, understands, and, best of all, will take useful action should a computer-crime occur.
But reassuring talk is cheap. Sundevil offered action.
The final message of Sundevil was intended for internal consumption by law enforcement. Sundevil was offered as proof that the community of American computer-crime police had come of age. Sundevil was proof that enormous things like Sundevil itself could now be accomplished. Sundevil was proof that the Secret Service and its local law-enforcement allies could act like a well- oiled machine -- (despite the hampering use of those scrambled phones). It was also proof that the Arizona Organized Crime and Racketeering Unit -- the sparkplug of Sundevil -- ranked with the best in the world in ambition, organization, and sheer conceptual daring.
And, as a final fillip, Sundevil was a message from the Secret Service to their longtime rivals in the Federal Bureau of Investigation. By Congressional fiat, both USSS and FBI formally share jurisdiction over federal computer-crimebusting activities. Neither of these groups has ever been remotely happy with this muddled situation. It seems to suggest that Congress cannot make up its mind as to which of these groups is better qualified. And there is scarcely a G-man or a Special Agent anywhere without a very firm opinion on that topic.
#
For the neophyte, one of the most puzzling aspects of the crackdown on hackers is why the United States Secret Service has anything at all to do with this matter.
The Secret Service is best known for its primary public role: its agents protect the President of the United States. They also guard the President's family, the Vice President and his family, former Presidents, and Presidential candidates. They sometimes guard foreign dignitaries who are visiting the United States, especially foreign heads of state, and have been known to accompany American officials on diplomatic missions overseas.
Special Agents of the Secret Service don't wear uniforms, but the Secret Service also has two uniformed police agencies. There's the former White House Police (now known as the Secret Service Uniformed Division, since they currently guard foreign embassies in Washington, as well as the White House itself). And there's the uniformed Treasury Police Force.
The Secret Service has been charged by Congress with a number of little-known duties. They guard the precious metals in Treasury vaults. They guard the most valuable historical documents of the United States: or
iginals of the Constitution, the Declaration of Independence, Lincoln's Second Inaugural Address, an American-owned copy of the Magna Carta, and so forth. Once they were assigned to guard the Mona Lisa, on her American tour in the 1960s.
The entire Secret Service is a division of the Treasury Department. Secret Service Special Agents (there are about 1,900 of them) are bodyguards for the President et al, but they all work for the Treasury. And the Treasury (through its divisions of the U.S. Mint and the Bureau of Engraving and Printing) prints the nation's money.
As Treasury police, the Secret Service guards the nation's currency; it is the only federal law enforcement agency with direct jurisdiction over counterfeiting and forgery. It analyzes documents for authenticity, and its fight against fake cash is still quite lively (especially since the skilled counterfeiters of Medellin, Columbia have gotten into the act). Government checks, bonds, and other obligations, which exist in untold millions and are worth untold billions, are common targets for forgery, which the Secret Service also battles. It even handles forgery of postage stamps.
But cash is fading in importance today as money has become electronic. As necessity beckoned, the Secret Service moved from fighting the counterfeiting of paper currency and the forging of checks, to the protection of funds transferred by wire.
From wire-fraud, it was a simple skip-and-jump to what is formally known as "access device fraud." Congress granted the Secret Service the authority to investigate "access device fraud" under Title 18 of the United States Code (U.S.C. Section 1029).
The term "access device" seems intuitively simple. It's some kind of high-tech gizmo you use to get money with. It makes good sense to put this sort of thing in the charge of counterfeiting and wire- fraud experts.
However, in Section 1029, the term "access device" is very generously defined. An access device is: "any card, plate, code, account number, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds."
The Hacker Crackdown Page 18