[This is a copy of Emmanuel Goldstein's House subcommittee testimony, as-prepared. See markey_goldstein.testimony for the version as-delivered, with unkind interruptions and lambasting from Congresspersons.]

from Computer Underground Digest 5.43

Date: Thu, 10 Jun 1993 16:53:48 -0700
From: Emmanuel Goldstein
Subject: File 1--Hacker testimony to House subcommittee largely unheard

What follows is a copy of my written testimony before the House Subcommittee on Telecommunications and Finance. The June 9th hearing was supposed to have been on the topic of network security, toll fraud, and the social implications of the rapidly emerging technologies. I was asked to speak for those who had no voice, which translates to hackers and consumers. Instead I found myself barraged with accusations from the two representatives in attendance (Rep. Ed Markey D-MA and Rep. Jack Fields R-TX) who considered 2600 Magazine (of which I'm the editor) nothing more than a manual for computer crime. One article in particular that Markey latched upon was one in our Spring issue that explained how a cable descrambler worked. According to Markey, there was no use for this information outside of a criminal context. Fields claimed we were printing cellular "codes" that allowed people to listen in on cellular calls. In actuality, we printed frequencies. The difference didn't seem to matter - after explaining it to him, he still said he was very disturbed by the fact that I was allowed to keep publishing. It soon became apparent to me that neither one had read my testimony as there seemed to be no inclination to discuss any of the issues I had brought up. In a way, it was very much like being on the Geraldo show. Somehow I thought elected representatives would be less sensationalist and more interested in learning but this was not the case here. We got absolutely nowhere. Markey in particular was rude, patronizing, and not at all interested in entertaining any thought outside his narrow perception.
It's too bad this opportunity was lost. There is a real danger in elected officials who don't listen to all relevant opinions and who persist in sticking to old-fashioned, outdated notions that just don't apply to high technology. You can look forward to more restrictive regulations and higher penalties for violating them if this mentality continues to dominate.

+++++++++++++++++++

WRITTEN TESTIMONY FOLLOWS:

Mr. Chairman, members of the Committee, thank you for the opportunity to speak on the issue of the rapid growth and changes in the telecommunications industry. My name is Emmanuel Goldstein and I am the publisher of 2600 Magazine, which is a journal for computer hackers as well as anyone else who happens to be interested in the direction that technology is taking us. We tend to be brutally honest in our assessments and, as a result, we do get some corporations quite angry at us. But we've also managed to educate a large number of people as to how their telephone system works, what kinds of computers may be watching them, and how they can shape technology to meet their needs, rather than be forced to tailor their existence to meet technology's needs. I am also the host of a weekly radio program called Off The Hook which airs over WBAI in New York. Through that forum we have discovered the eagerness and curiosity that many "ordinary people on the street" possess for technology. At the same time we have seen fears and suspicions expressed that would be unwise to ignore.

HOW TO HANDLE RAPIDLY CHANGING TECHNOLOGY

The next few years will almost certainly go down in history as those in which the most change took place in the least amount of time. The computer and telecommunications revolution that we are now in the midst of is moving full speed ahead into unknown territory. The potential for amazing advances in individual thought and creativity is very real. But so is the potential for oppression and mistrust the likes of which we have never before seen.
One way or the other, we will be making history. I think we can imagine it best if we think of ourselves speeding down a potentially dangerous highway. Perhaps the road will become slick with ice or fraught with sharp curves. It's a road that nobody has gone down before. And the question we have to ask ourselves is what kind of a vehicle would we prefer to be in if things should start getting out of control: our own automobile where we would have at least some chance of controlling the vehicle and bringing it down to a safe speed or a bus where we, along with many others, must put all of our trust behind a total stranger to prevent a disaster. The answer is obviously different depending on the circumstances. There are those of us who do not want the responsibility of driving and others who have proven themselves unworthy of it. What's important is that we all have the opportunity at some point to choose which way we want to go. Rapidly changing technology can also be very dangerous if we don't look where we're going or if too many of us close our eyes and let someone else do the driving. This is a ride we all must stay awake for. I am not saying we should be overly suspicious of every form of technology. I believe we are on the verge of something very positive. But the members of this committee should be aware of the dangers of an uninformed populace. These dangers will manifest themselves in the form of suspicion towards authority, overall fear of technology, and an unhealthy feeling of helplessness.

HOW NEW TECHNOLOGY CAN HURT US

The recent FBI proposal to have wiretap capabilities built into digital telephone systems got most of its publicity because American taxpayers were expected to foot the bill. But to many of the non-technical people I talked to, it was just another example of Big Brother edging one step closer. It is commonly believed that the National Security Agency monitors all traffic on the Internet, not to mention all international telephone calls.
Between Caller ID, TRW credit reports, video cameras, room monitors, and computer categorizations of our personalities, the average American feels as if life no longer has many private moments. Our Social Security numbers, which once were for Social Security, are now used for everything from video rentals to driver's licenses. These numbers can easily be used to track a person's location, expenses, and habits - all without any consent. If you know a person's name, you can get their telephone number. If you have their phone number, you can get their address. Getting their Social Security number is not even a challenge anymore. With this information, you can not only get every bit of information about this person that exists on any computer from Blockbuster Video to the local library to the phone company to the FBI, but you can begin to do things in this poor person's name. It's possible we may want a society like this, where we will be accountable for our every movement and where only criminals will pursue privacy. The American public needs to be asked. But first, they need to understand. In Germany, there is a fairly new computerized system of identity cards. Every citizen must carry one of these cards. The information includes their name, address, date of birth, and nationality - in other words, the country they were originally born in. Such a system of national identity can be quite useful, but in the wrong hands it can be extremely scary. For example, if a neo-Nazi group were to somehow get their hands on the database, they could instantly find out where everyone of Turkish nationality lived. A malevolent government could do the same and, since not carrying the card would be a crime, it would be very hard to avoid its wrath. Before introducing a new technology that is all-encompassing, all of its potential side-effects and disadvantages should be discussed and addressed. Opportunities must exist for everyone to ask questions. 
In our own country, nobody was ever asked if they wanted a credit file opened on them, if they wanted to have their phone numbers given to the people and companies they called through the use of Caller ID and ANI, or if they wanted to be categorized in any manner on numerous lists and databases. Yet all of this has now become standard practice. This implementation of new rules has resulted in a degree of cynicism in many of us, as well as a sense of foreboding and dread. We all know that these new inventions will be abused and used to somebody's advantage at some point. There are those who would have us believe that the only people capable of such misdeeds are computer hackers and their ilk. But it just isn't that simple.

UNDERSTANDING COMPUTER HACKERS

To understand computer hackers, it helps to think of an alien culture. We have such cultures constantly around us - those with teenage children ought to know what this means. There are alien cultures of unlimited varieties throughout the globe, sometimes in the most unexpected places. I'm convinced that this is a good thing. Unfortunately, all too often our default setting on whatever it is we don't understand is "bad". Suspicion and hostility follow and are soon met with similar feelings from the other side. This has been going on between and within our cultures for as long as we've existed. While we can't stop it entirely, we can learn to recognize the danger signs. The best way that I've found to deal with an alien culture, whether it's in a foreign country or right here at home, is to try and appreciate it while giving it a little leeway. There is not a single alien culture I've encountered that has not been decidedly friendly. That includes deadheads, skateboarders, Rastafarians, and hackers. When we talk about computer hackers, different images spring to mind. Most of these images have come about because of perceptions voiced by the media.
Too often, as I'm sure the members of this committee already suspect, the media just doesn't get it. This is not necessarily due to malice on their part but rather a general lack of understanding and an overwhelming pressure to produce a good story. Hence we get an abundance of sensationalism and, when the dust clears, hackers are being compared with bank robbers, mobsters, terrorists, and the like. It's gotten to the point that the word hacker is almost analogous to the word criminal. Fortunately, the media is learning. Reporters now approach hackers with a degree of technological savvy. For the most part, they have stopped asking us to commit crimes so they can write a story about it. As the technology envelops us, journalists are developing the same appreciation and curiosity for it that hackers have always had. Any good reporter is at least part hacker because what a hacker does primarily is relentlessly pursue an answer. Computers naturally lend themselves to this sort of pursuit, since they tend to be very patient when asked a lot of questions.

WHAT CONSTITUTES A HI-TECH CRIME?

So where is the boundary between the hacker world and the criminal world? To me, it has always been in the same place. We know that it's wrong to steal tangible objects. We know that it's wrong to vandalize. We know that it's wrong to invade somebody's privacy. Not one of these elements is part of the hacker world. A hacker can certainly turn into a criminal and take advantage of the weaknesses in our telephone and computer systems. But this is rare. What is more likely is that a hacker will share knowledge with people, one of whom will decide to use that knowledge for criminal purposes. This does not make the hacker a criminal for figuring it out. And it certainly doesn't make the criminal into a hacker. It is easy to see this when we are talking about crimes that we understand as crimes.
But then there are the more nebulous crimes; the ones where we have to ask ourselves: "Is this really a crime?" Copying software is one example. We all know that copying a computer program and then selling it is a crime. It's stealing, plain and simple. But copying a program from a friend to try it out on your home computer -- is this the same kind of crime? It seems obvious to me that it is not, the reason being that you must make a leap of logic to turn such an action into a crime. Imagine if we were to charge a licensing fee every time somebody browsed through a magazine at the local bookshop, every time material was borrowed from a library, or every time a phone number was jotted down from the yellow pages. Yet, organizations like the Software Publishers Association have gone on record as saying that it is illegal to use the same computer program on more than one computer in your house. They claim that you must purchase it again or face the threat of federal marshals kicking in your door. That is a leap of logic. It is a leap of logic to assume that because a word processor costs $500, a college student will not try to make a free copy in order to write and become a little more computer literate. Do we punish this student for breaking a rule? Do we charge him with stealing $500? To the hacker culture on whose behalf I am speaking today, the only sensible answer is to make it as easy as possible for that college student to use the software he needs. And while we're at it, we should be happy that he's interested in the first place. Of course, this represents a fundamental change in our society's outlook. Technology as a way of life, not just another way to make money. After all, we encourage people to read books even if they can't pay for them because to our society literacy is a very important goal. I believe technological literacy is becoming increasingly important. But you cannot have literacy of any kind without having access.
If we continue to make access to technology difficult, bureaucratic, and illogical, then there will also be more computer crime. The reason being that if you treat someone like a criminal, they will begin to act like one. If we succeed in convincing people that copying a file is the same as physically stealing something, we can hardly be surprised when the broad-based definition results in more overall crime. Blurring the distinction between a virtual infraction and a real-life crime is a mistake.

LEGISLATION FOR COMPUTER AGE CRIME

New laws are not needed because there is not a single crime that can be committed with a computer that is not already defined as a crime without a computer. But let us not be loose with that definition. Is mere unauthorized access to a computer worthy of federal indictments, lengthy court battles, confiscation of equipment, huge fines, and years of prison time? Or is it closer to a case of trespassing, which in the real world is usually punished by a simple warning? "Of course not," some will say, "since accessing a computer is far more sensitive than walking into an unlocked office building." If that is the case, why is it still so easy to do? If it's possible for somebody to easily gain unauthorized access to a computer that has information about me, I would like to know about it. But somehow I don't think the company or agency running the system would tell me that they have gaping security holes. Hackers, on the other hand, are very open about what they discover which is why large corporations hate them so much. Through legislation, we can turn what the hackers do into a crime and there just might be a slim chance that we can stop them. But that won't fix poorly designed systems whose very existence is a violation of our privacy.

THE DANGERS OF UNINFORMED CONSUMERS

The concept of privacy is something that is very important to a hacker. This is so because hackers know how fragile privacy is in today's world.
Wherever possible we encourage people to protect their directories, encrypt their electronic mail, not use cellular phones, and whatever else it takes to keep their lives to themselves. In 1984 hackers were instrumental in showing the world how TRW kept credit files on millions of Americans. Most people had never even heard of a credit file until this happened. Passwords were very poorly guarded - in fact, credit reports had the password printed on the credit report itself. More recently, hackers found that MCI's Friends and Family program allowed anybody to call an 800 number and find out the numbers of everyone in a customer's "calling circle". As a bonus, you could also find out how these numbers were related to the customer: friend, brother, daughter-in-law, business partner, etc. Many times these numbers were unlisted yet all that was needed to "verify" the customer's identity was the correct zip code. In both the TRW and MCI cases, hackers were ironically accused of being the ones to invade privacy. What they really did was help to educate the American consumer. Nowhere is this more apparent than in the telephone industry. Throughout the country, telephone companies take advantage of consumers. They do this primarily because the consumer does not understand the technology. When we don't understand something complicated, we tend to believe those who do understand. The same is true for auto mechanics, plumbers, doctors, and lawyers. They all speak some strange language that the majority of us will never understand. So we tend to believe them. The difference with the phone companies, and here I am referring to the local companies, is that you cannot deal with somebody else if you happen to disagree with them or find them untrustworthy. The phone companies have us in a situation where we must believe what they say. If we don't believe them, we cannot go elsewhere. This is the frustration that the hacker community constantly faces. 
We face it especially because we are able to understand when the local phone companies take advantage of consumers. Here are a few examples: Charging a fee for touch tone service. This is a misnomer. It actually takes extra effort to tell the computer to ignore the tones that you produce. Everybody already has touch tone capability but we are forced to pay the phone company not to block it. While $1.50 a month may not seem like much, when added together the local companies that still engage in this practice are making millions of dollars a year for absolutely nothing. Why do they get away with it? Because too many of us don't understand how the phone system works. I try to draw an analogy in this particular case - imagine if the phone company decided that a fee would be charged to those customers who wanted to use the number five when dialing. They could argue that the five takes more energy than the four but most of us would see through this flimsy logic. We must seek out other such dubious practices and not blindly accept what we are told. Other examples abound: being charged extra not to have your name listed in the telephone directory, a monthly maintenance charge if you select your own telephone number, the fact that calling information to get a number now costs more than calling the number itself. More recently, we have become acquainted with a new standard called Signalling System Seven or SS7. Through this system it is possible for telephones to have all kinds of new features: Caller ID, Return Call, Repeat Calling to get through a busy signal, and more. But again, we are having the wool pulled over our eyes. For instance, if you take advantage of Call Return in New York (which will call the last person who dialed your number), you are charged 75 cents on top of the cost of the call itself. Obviously, there is a cost involved when new technologies are introduced. 
But there is no additional equipment, manpower, or time consumed when you dial *69 to return a call. It's a permanent part of the system. As a comparison, we could say that it also costs money to install a hold button. Imagine how we would feel if we were charged a fee every time we used it. The local companies are not the only offenders but it is particularly bad in their case because, for the vast majority of Americans, there is no competition on this level. The same complaints are being voiced concerning cable television companies. Long distance telephone companies are also guilty. AT&T, MCI, and Sprint all encourage the use of calling cards. Yet each imposes a formidable surcharge each and every time they're used. AT&T, for example, charges 13 cents for the first minute of a nighttime call from Washington DC to New York plus an 80 cent surcharge. Since a calling card can only be used to make telephone calls, why are consumers expected to pay an extra fee as if they were doing something above and beyond the normal capability of the card? Again, there is no extra work necessary to complete a calling card call - at least not on the phone company's part. The consumer, on the other hand, must enter up to 25 additional digits. But billing is accomplished merely by computers sending data to each other. Gone are the days of tickets being written up by hand and verified by human beings. Everything is accomplished quickly, efficiently, and cheaply by computer. Therefore, these extra charges are outdated.

SOCIAL INJUSTICES OF TECHNOLOGY

The way in which we have allowed public telephones to be operated is particularly unfair to those who are economically disadvantaged. A one minute call to Washington DC can cost as little as 12 cents from the comfort of your own home. However, if you don't happen to have a phone, or if you don't happen to have a home, that same one minute call will cost you $2.20. That figure is the cheapest rate there is from a Bell operated payphone.
With whatever kind of logic was used to set these prices, the results are clear. We have made it harder and more expensive for the poor among us to gain access to the telephone network. Surely this is not something we can be proud of. A direct result of this inequity is the prevalence of red boxes. Red boxes are nothing more than tone generators that transmit a quick burst of five tones which convince the central office that a quarter has been deposited. It's very easy and almost totally undetectable. It's also been going on for decades. Neither the local nor long distance companies have expended much effort towards stopping red boxes, which gives the impression that the payphone profits are still lucrative, even with this abuse. But even more troubling is the message this is sending. Think of it. For a poor and homeless person to gain access to something that would cost the rest of us 12 cents, they must commit a crime and steal $2.20. This is not equal access.

CORPORATE RULES

Hackers and phone phreaks, as some of us are called, are very aware of these facts. We learn by asking lots of questions. We learn by going to libraries and doing research. We learn by diving into phone company trash dumpsters, reading discarded material, and doing more research. But who will listen to people like us who have been frequently characterized as criminals? I am particularly grateful that this committee has chosen to hear us. What is very important to us is open communications. Freedom of information. An educated public. This puts us at direct odds with many organizations, who believe that everything they do is "proprietary" and that the public has no right to know how the public networks work. In July of 1992 we were threatened with legal action by Bellcore (the research arm of the Regional Bell Operating Companies) for revealing security weaknesses inherent in Busy Line Verification (BLV) trunks.
The information had been leaked to us and we did not feel compelled to join Bellcore's conspiracy of silence. In April of this year, we were threatened with legal action by AT&T for printing proprietary information of theirs. The information in question was a partial list of the addresses of AT&T offices. It's very hard for us to imagine how such information could be considered secret. But these actions are not surprising. They only serve to illustrate the wide disparities between the corporate mindset and that of the individual. It is essential that the hundreds of millions of Americans who will be affected by today's all-encompassing inventions not be forced to play by corporate rules. In 1990 a magazine similar to 2600 was closed down by the United States government because Bell South said they printed proprietary information. Most people never found out about this because Phrack Magazine was electronic, i.e., only available on computer bulletin boards and networks. This in itself is wrong; a publication must have the same First Amendment rights regardless of whether it is printed electronically or on paper. As more online journals appear, this basic tenet will become increasingly critical to our nation's future as a democracy. Apart from this matter, we must look at what Bell South claimed - that a document discussing the Enhanced 911 system which was worth $79,449 had been "stolen" and printed by Phrack. (Some newspaper accounts even managed to change it into an E911 program which gave the appearance that hackers were actually interfering with the operation of an E911 system and putting lives at risk. In reality there has never been a report of a hacker gaining access to such a system.) It was not until after the publisher of Phrack was forced to go to trial that the real value of the document was revealed. Anyone could get a copy for around $14. 
The government promptly dropped its case against the publisher who, to this day, is still paying back $100,000 in legal fees. As further evidence of the inequity between individual justice and corporate justice, Bell South was never charged with fraud for its claim that a $14 document was worth nearly $80,000. Their logic, as explained in a memo to then Assistant U.S. Attorney Bill Cook, was that the full salaries of everyone who helped write the document, as well as the full cost of all hardware and software used in the endeavor ($31,000 for a Vaxstation II, $6,000 for a printer), was perfectly acceptable. It is very disturbing that the United States government agreed with this assessment and moved to put a pre-law student behind bars for violating corporate rules.

MISGUIDED AUTHORITY

I wish I could stand before this committee and say that we have been successful in stopping all such miscarriages of justice. While the Phrack case may have been the most bizarre, there are many more instances of individuals being victimized in similar manners. A teenager in Chicago was jailed for a year for copying a file that was worth millions, according to AT&T, but was utterly worthless and unusable to a kid. A bulletin board operator in California, along with his entire family, was held at gunpoint for hours while authorities seized his equipment in an unsuccessful attempt to find child pornography. Three hackers in Atlanta, after being imprisoned up to a year for dialing into a Bell South computer system that had no password, were forced to pay $233,000 in restitution so the company could install a password system. More recently, a student at the University of Texas at Houston was suspended from school for a year because he accessed a file that merely listed the users of the system (a file which the system allows all users to access).
In increasing numbers, young people are being sent to jail, not necessarily for something they did, but rather for something they could have done in a worst-case scenario. Again this indicates fear and misunderstanding of technology and its applications. But this time those feelings emanate from those in authority. Locally, an ominous happening occurred at a 2600 monthly meeting last November. (These meetings occur in public areas in cities throughout the nation on the first Friday of every month.) Shortly after it began, the Washington meeting was broken up by Pentagon City Mall security guards. Without any provocation, people were forced to submit to searches and everybody's name was taken down. One of the attendees who was writing down an officer's name had the paper ripped from his hand, another had his film taken from his camera as he tried to document what was going on. Upon questioning by a reporter from Communications Daily, the mall security chief claimed that he was acting under orders from the United States Secret Service. Subsequent Freedom of Information Act requests by Computer Professionals for Social Responsibility have yielded more evidence implicating the Secret Service in this illegal and unwarranted action. Nothing of a criminal nature was ever found in any of the bags that were searched. But a full list of the attendees wound up in the possession of the Secret Service. It seems ironic that while hackers are conducting an open gathering in the middle of a shopping mall in order to share knowledge and welcome new people, agents of the Secret Service are lurking in the shadows trying to figure out ways to stop them. How can we move forward and talk about exciting new applications of technology when we're off to such a bad start? The people that are being arrested, harassed, and intimidated are the people who will be designing and running these new systems. They are the ones who will appreciate their capabilities and understand their weaknesses. 
Through our short-sightedness and eagerness to listen to the loudest voices, we are alienating the promises of the future. How many here, who grew up in decades past, remember hearing teenagers talk of how the government is after them, watching their every move, listening to their phone calls, doing everything one might expect in a totalitarian regime. Such feelings are the sure sign of an ailing society. It does not matter if these things are not actually occurring - their mere perception is enough to cause lasting harm and mistrust.

PROMISE OF THE INTERNET

The future holds such enormous potential. It is vital that we not succumb to our fears and allow our democratic ideals and privacy values to be shattered. In many ways, the world of cyberspace is more real than the real world itself. I say this because it is only within the virtual world that people are really free to be themselves - to speak without fear of reprisal, to be anonymous if they so choose, to participate in a dialogue where one is judged by the merits of their words, not the color of their skin or the timbre of their voice. Contrast this to our existing "real" world where we often have people sized up before they even utter a word. The Internet has evolved, of its own volition, to become a true bastion of worldwide democracy. It is the obligation of this committee, and of governments throughout the world, not to stand in its way. This does not mean we should stand back and do nothing. Quite the contrary, there is much we have to do if accessibility and equality are our goals. Over-regulation and commercialization are two ways to quickly kill these goals. A way to realize them is to have a network access point in every house. Currently, network access is restricted to students or professors at participating schools, scientists, commercial establishments, and those who have access to, and can afford, local services that link into the Internet. Yes, a lot of people have access today.
But a far greater number do not and it is to these people that we must speak. The bigger the Internet gets, the better it gets. As it exists today, cultures from around the globe are represented; information of all kinds is exchanged. People are writing, reading, thinking. It's potentially the greatest educational tool we have. Therefore, it is essential that we not allow it to become a commodity that only certain people in society will be able to afford. With today's technology, we face the danger of widening the gap between the haves and the have-nots to a monumental level. Or we can open the door and discover that people really do have a lot to learn from each other, given the opportunity. It is my hope that this committee will recognize the importance of dialogue with the American public, in order to answer the questions so many are asking and to address the concerns that have been overlooked. I thank you for this opportunity to express those issues that I feel relevant to this hearing.