Computer underground Digest    Mon, Feb 10, 1992    Volume 4 : Issue 06

Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Associate Moderator: Etaion Shrdlu

CONTENTS, #4.06 (Feb 10, 1992)
File 1: Bust of "NotSoHumble Babe" / USA
File 2: Keystone Stormtroopers
File 3: Fine for "Logic Bomber"
File 4: Re: Newsbytes on the Oregon BBS Rates Case
File 5: Calif. "Privacy [& Computer Crime] Act of 1992"
File 6: DIAC-92 Workshop Call for Participation and Workshop Guidelines

Issues of CuD can be found in the Usenet alt.society.cu-digest news group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM, on Genie, on the PC-EXEC BBS at (414) 789-4210, and by anonymous ftp from ftp.cs.widener.edu (147.31.254.132), chsun1.spc.uchicago.edu, and ftp.ee.mu.oz.au. To use the U. of Chicago email server, send mail with the subject "help" (without the quotes) to archive-server@chsun1.spc.uchicago.edu.

NOTE: THE WIDENER SITE IS TEMPORARILY RE-ORGANIZING AND IS CURRENTLY DIFFICULT TO ACCESS. FTP-ERS SHOULD USE THE ALTERNATE FTP SITES UNTIL FURTHER NOTICE.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.
----------------------------------------------------------------------

Date: 8 Feb 92 17:31:39 CST
From: Moderators (tk0jut2@mvs.niu.edu)
Subject: File 1--Bust of "NotSoHumble Babe" / USA

The recent busts of three persons in the Detroit and Los Angeles areas for alleged carding, theft, software copyright violations and fraud raise a number of issues of CU relevance. Because of misinformation circulating on the nature of the case, we summarize what we know of it below. "Amy" (handle: "NotSoHumble Babe") was busted on her birthday, and is not untypical of many CU types, so we focus on her.

1. "Amy" was busted on Jan 30, in Farmington Hills (Mi), by local, state, and federal agents. There were reportedly up to 20 agents. The large number was because there were several from each department, including the FBI, SecServ, Mi State police, and others. They reportedly showed no warrant, but knocked on the door and asked if they could come in. When "Amy" said "yes," they burst (rather than calmly entered) with weapons, including "semi-automatics." Her boyfriend was reportedly asleep, and the agents awakened him with a gun to his head. The agent in charge was Tony Alvarez of the Detroit SecServ.

2. There has been no indictment, but the agents indicated that charges would include theft, fraud, and copyright violations (software piracy and carding). The initial figure given was a combined $20,00 for the three ("Amy," "Tom," and "Mike").

3. All equipment was confiscated, including "every scrap of paper in the house." She was informed that, whatever the outcome of the case, she would not receive the equipment back and that it would be kept for "internal use."

The above account differs dramatically from one given by "anonymous" in "Phantasy #6," which was a diatribe against the three for "ratting." However, the above account seems fairly reliable, judging from a news account and a source close to the incident.

"Amy" is 27, and reported to be the head of USA (United Software Alliance), which is considered by some to be the current top "cracking" group in the country. If memory serves, "ENTERPRISE BBS" was the USA homeboard. She was questioned for about 10 hours, and "cooperated." She has, as of Saturday (Feb 9) *not* yet talked to an attorney, although she was put in contact with one late Saturday. The prosecutor in Oakland County is the same one who is prosecuting Dr. Kevorkian (of "suicide machine" fame). He has a reputation as excessively harsh, and his demeanor in television interviews does not contradict this.

The other two defendants, "Mike/The Grim Reaper," and "Tom/Genesis" are from the Detroit and Los Angeles areas.

What are the issues relevant for us? My own radiclib concern is with over-criminalization created by imposing a label onto a variety of disparate behaviors and then invoking the full weight of the system against the label instead of the behaviors. It is fully possible to oppose the behaviors while recognizing that the current method of labelling, processing, and punishment may not be wise. Len Rose provides an example of how unacceptable but relatively benign behaviors lead to excessive punishment. This, however, is a broader social issue of which computer-related crimes is simply a symptom. Of more direct relevance:

1) It appears that the continued use of massive force and weaponry continues. We've discussed this before in alluding to cases in New York, Illinois, Texas, and California. The video tape of the bust of the "Hollywood Hacker" resembles a Miami Vice episode: A middle-aged guy is confronted with an army of yelling weapons with guns drawn charging through the door.
Others on the board have reported incidences of being met with a shotgun while stepping out of the shower, a gun to the head while in bed, and (my favorite) a 15 year old kid busted while working on his computer and the agent-in-charge put her gun to his head and reportedly said, "touch that keyboard and die." The use of such force in this type of bust is simply unacceptable because of the potential danger (especially in multi-jurisdictional busts, which reduces the precision of coordination) of accidental violence.

2. Until indictments and supporting evidence are made public, we cannot be sure what occurred. But, it seems clear that, for "Amy" at least, we are not dealing with a major felon. Carding is obviously wrong, but I doubt that, in situations such as this, heavy-duty felony charges are required to "teach a lesson," "set an example," and re-channel behavior into more productive outlets.

3. We can continue to debate the legal and ethical implications of software piracy. There is a continuum from useful and fully justifiable "creative sharing" to heavy-duty predatory rip-off for profit. This case seems to be the former rather than the latter. There is no sound reason for treating extreme cases alike.

4. We should all be concerned about how LE frames and dramatizes such cases for public consumption. The Farmington newspaper gave it major coverage as a national crime of immense proportions. We should all be concerned about how piracy cases are handled, because even extreme cases have implications for minor ones. Does possession of an unauthorized copy of Aldus Pagemaker and Harvard Graphics, collectively worth more than $1,000, really constitute a major "theft"? We have seen from the cases of Len and Craig how evaluation of a product is inflated to justify indictments that look serious but in fact are not.
I'm not sure what purpose it serves to simply assert that people--even if guilty of carding or piracy--should "get what's coming to them" without reflecting on what it is they get and why. The issue isn't one of coddling or protecting "criminals," but to examine more carefully what kinds of computer-related crimes should be criminalized, which should be torts, and which should be accepted as minor nuisances and--if not ignored--at least not criminalized.

To give the dead horse one last kick: I am not arguing that we condone behaviors. I am only suggesting that we reflect more carefully on how we respond to such behaviors. I do not know the circumstances of "Tom" and "Mike," but "Amy's" case raises many issues we can address without condoning the behavior.

------------------------------

Date: Mon, 20 Jan 92 07:56 EST
From: "Michael E. Marotta"
Subject: File 2--Keystone Stormtroopers

GRID News. ISSN 1054-9315. vol 3 nu 3 January 19, 1992.
World GRID Association, P. O. Box 15061, Lansing, MI 48901 USA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(74 lines) SPA: Jackboot Fascists or Keystone Kops?
(C) 1992 by Michael E. Marotta

Suddenly the doors burst open! US marshals take the Acme Inc., employees by surprise!! "Nobody move! Keep your hands away from those keyboards!" yells the copper. "Oh my gosh! It's the SPA!!" "Quick stash the disks!!"

This 50s cartoon is the cover story of the June 17, 1991 issue of Information Week, "The Software Police." Inside is the story of the Software Publishers Association. There is nothing laughable about the $90,000 paid to SPA by IPL, the $100,000 paid by Entrix, the $17,500 paid by Healthline, the $350,000 paid by Parametrix. At SnapOn Tools, three US Marshals and an SPAer spent two days going through every one of 280 PCs with their special audit package. Then the burden of proof shifted to SnapOn to produce purchase orders, manuals, invoices and asset tags.

"GOVERN-MENTALITY"

The SPA claims a staff of 18 to 23 and a budget of $3.8 million. I had to call three times to get the free audit program, SPAudit. They also offer to sell a video "It's Just Not Worth the Risk" for $10 but my three voicemail requests (Nov, Dec 91 & Jan 92) for this tape were not answered.

People with govern-mentality are below norm and the program SPAudit underscores this fact.

First of all, the README file was created with WordPerfect 5. Using LIST or TYPE gets you ascii garbage and uneven formatting amid the text. If you want to view the README file, the instructions tell you:

A) To display on screen type TYPE A:README:MORE

which is bad documentation and doesn't work. Hardcopy reveals the same problems and when you get to the bottom of the page, you find that the last few lines print over each other. Apparently, the typist used the cursor keys to position the text, because it lacks some necessary LFs (ascii 0A).

I created four dummy files 123.EXE, MSDOS.SYS, PROCOMM.EXE and SK+.COM which are found in the PIF.TXT file of over 600 software names. The files I created said: "The problem of copyright looks somewhat different the moment one accepts copying technology as uncontrollable." Michael Crichton.

Then I made more copies at lower directory levels. SPAudit was indeed able to search down eight directory sublevels to find copies. However, when I went to print these, the program produced ascii garbage. It failed on C:+%123%MIKE%ANOTHER%DEEPER%NEMO%PLUTO%CHIRON%DANTE%ORPHEUS being unable to print beyond %NEMO.

Overall, the SPA proves itself unable to manage PC technology. This lack of quality is not surprising. No matter how much you pay for software, you know that the seller "makes no claim of merchantability or fitness for a particular use..." and won't be liable for "direct, indirect, special, incidental or consequential damages arising out of the use or inability to use the software or documentation."
That is the disclaimer which comes with SPAudit.

"CATCH-22"

Following SPAudit guidelines means that you can't have more than one copy of a program on one computer. Also, all of the CARMEN SANDIEGO games run from CARMEN.EXE. The audit thinks it is looking for EUROPE but will also trip on WORLD, and TIME, etc., meaning that you can get busted for buying more than one CARMEN, a catch-22.

Also, there should be some confusion over dBase, which is no longer an Ashton-Tate but a Borland product. More importantly, US District judge Terrence Hatter, Jr., ruled in late 1990 that the copyright on dBase was voided by their not revealing that it is a clone of a public domain program from JPL.

Again, consider the case of SnapOn Tools. The SPA used their defective software to disrupt a business for two days -- and they have the nerve to call other people pirates.

(GRID News is FREQable from 1:159/450, the Beam Rider BBS)

------------------------------

Date: 27 Jan 92 18:48:35 EST
From: Gordon Meyer <72307.1502@COMPUSERVE.COM>
Subject: File 3--Fine for "Logic Bomber"

"Logic Bomb Programmer Fined"
(Reprinted with permission from STReport 8.04 Jan 24, 1992)

Michael John Lauffenburger, a 31-year-old programmer formerly with General Dynamics, pleaded guilty Nov. 4 to attempted computer tampering. He has been fined $5,000, handed three years' probation and was ordered to perform 200 hours of community service for attempting to sabotage computers with a "logic bomb" that prosecutors say could have erased national security data.

According to reports, Lauffenburger set up the logic bomb, then resigned, intending to get hired on as high-priced consultant to help reconstruct the data lost from the billion-dollar Atlas Missile Space Program when the virus was unleashed.

A co-worker accidentally discovered the rogue program in early May. It had been set to go off May 24.
Investigators said at the time the bomb would have caused about $100,000 in damage to computer systems at the Kearny Mesa plant.

------------------------------

Date: Fri, 07 Feb 92 06:10:49 PST
From: walter@HALCYON.COM(Walter Scott)
Subject: File 4--Re: Newsbytes on the Oregon BBS Rates Case

On 2-5-92, reporter Dana Blankenhorn released a copyrighted exclusive story for Wendy Wood's Newsbytes covering the Oregon BBS rates case. What follows is an abstract of that story.

Blankenhorn writes: "US West has launched a campaign before the Oregon Public Utility Commission which would force all bulletin board systems (BBSs) in that state to pay business rates on their phone lines." The Newsbytes exclusive also asserts that US West "wants the Oregon PUC to reinterpret its tariff so as to define any phone not answered by a human voice as a business line."

Blankenhorn quotes extensively from an apparent interview with SysOp Stewart Anthony Wagner while summarizing the chronology of events in the case. Some folks here might find the chronology and alleged facts to be a bit different from what has been reported in the past. According to Blankenhorn, Portland, Oregon SysOp Tony Wagner attempted to subscribe to extra phone lines so as to expand his BBS from 2 lines to 4, as well as make arrangements for a TDD. It was at this point Wagner was informed he would have to pay business rates on all lines by US West. According to Blankenhorn, US West relented on the voice and TDD lines while maintaining that the BBS lines would have to be classified as business lines. Wagner filed what Blankenhorn calls an "appeal" at the Oregon PUC "for the BBS".

Wagner is reported to have closed his BBS almost immediately because he "can't afford it" at business rates, which Blankenhorn states to be around $50 (presumably per month) on each line. Before closing his system, Wagner says he alerted regional SysOps via FidoNet to his plight. Wagner points out that some SysOps chipped in to pay for a lawyer.
Blankenhorn quotes Wagner on a so-called "compromise proposal" that "they (US West) come up with a residential data line rate, as an alternate form of service." Wagner's proposal apparently included a guarantee of data quality at a rate that Wagner seems to assess at $5.00 above standard residential rates. Wagner asserts the proposal was rejected.

Wagner's comments on the hearing display optimism as he offers the thought that "the hearing went quite well. The tariff says a residential line is for social or domestic purpose. They ignored the social, they talked only about domestic. The BBS is as social as you can get."

In a series of quotes from Wagner on what he believes US West is doing, a grim picture is painted for more than BBS operators. For example: Wagner states "there is no question they want to apply this to all SysOps. Their position is that if it's not answered by a human voice, it's a business. A fax machine is a business, to them. So's an answering machine."

Wagner spoke of what he might consider a silver lining in his cloudy future as a SysOp when he told Blankenhorn that publicity must be bad for US West. He reinforces this idea by noting "one thing that hurt them (US West) badly was that they picked on me. I'm very hard of hearing. Most of my users are disabled. A large percentage of our SysOps here are disabled. And Mr. Holmes (US West's attorney in the Wagner case) was unprepared for that."

Blankenhorn talked with Judith Legg in the hearings section at the Oregon Public Utility Commission concerning the Wagner Case. He reports Legg told him "a hearing was held on the case in January, and US West has already submitted a 17-page brief supporting its position." Hearings Officer Simon Fitch was attributed as informing Newsbytes that Wagner "has until March 3 to file his own brief, after which reply briefs will be sought from both sides."
Fitch is also reported to have said a decision in the case is due in late March or early April with final oversight from the Commissioners.

Attempts, by Blankenhorn, to contact attorney Steven Holmes at US West were unsuccessful. Apparently, no one else in the company was available for comment. Thus, the Newsbytes article contained no synopsis of US West's side of the issues in the Wagner case. Blankenhorn left the door open to a future update by noting information requested from US West would be reported as soon as that information is made available to Newsbytes.

So much for the abstract...

A FEW OBSERVATIONS:

It seems that Blankenhorn must not have been able to obtain a copy of US West's brief before going to press. Otherwise, Blankenhorn would realize, and could have noted, that US West's comments have no impact on FAX or answering machines. BBS operation in general, and Wagner's BBS in specific, are the myopic focus of the brief. Blankenhorn also could have asked about and cleared up what appears to be a discrepancy between Wagner's apparent indication that he was running his BBS on 2 phone lines at the time he requested new lines, and the repeated references in the US West brief to Wagner's "3" BBS phone lines.

Finally, I called Judith Legg myself on 2-6-92 and asked her about the actual timing of the hearing. She informed me that the hearing was indeed in December. In Blankenhorn's defense, Legg admits that she was under the mistaken impression that the hearing took place in January, and that this is probably what she told Blankenhorn. A check of the Oregon PUC's computerized schedules was necessary to clarify the actual hearing date.

Walter Scott

** The 23:00 News and Mail Service - +1 206 292 9048 - Seattle, WA USA
PEP, V.32, V.42bis
+++ A Waffle Iron, Model 1.64 +++

------------------------------

Date: 22 Jan 92 19:12:22 CST
From: Jim Warren (jwarren@well.sf.ca.us)
Subject: File 5--Calif. "Privacy [& Computer Crime] Act of 1992"

The Chair of the California State Senate, Bill Lockyer, is introducing what he calls "The Privacy Act of 1992." It addresses computer *crime* in a robust manner, but appears to be less concerned with some of the more major privacy issues (e.g. personal data/profiles built & used by government and private corporations) posed during public testimony in December.

I scanned it in, OCRed it, proofed it, and believe this is an accurate copy of the original cover letter and content. The latter has already been sent to Legislative Counsel (on 1/8/92). Please upload it and circulate it to all others who might be interested.

Note: Many consider that computer legislation at the state level in major, "bellwether" states may/can/will provide models for other states and for eventual federal legislation. Thus, this deserves *early* and widespread circulation, review and *public comment*.

jim warren [chair, First Conference on Computers, Freedom & Privacy, 1991]

**********************************************************************

====== TEXT OF COVER-LETTER, RECEIVED JAN. 17, 1992 =====

California State Senate
Bill Lockyer, Tenth [California] Senatorial District
[Chairman, California State Senate Judiciary Committee]
Southern Alameda County

January 15, 1992

TO: Interested Parties
FROM: Ben Firschein, Senator Lockyer's Office
RE: Privacy legislation emerging from the interim hearing

We have drafted language reflecting some of the suggestions made at the privacy hearing on December 10 [1991] and have sent it to Legislative Counsel. It is likely that Senator Lockyer will introduce the language as a bill when it comes back from Legislative Counsel.

We welcome and encourage your suggestions, comments and proposed amendments. This language should be viewed as an initial proposal, and it is likely that it will be amended as it proceeds through the legislature.

The bill as submitted to Legislative Counsel does the following:

1. Information obtained from driver's licenses: prohibit businesses from selling or using for advertising purposes information obtained from driver's licenses without the written consent of the consumer.

2. Automatic vehicle identification [AVI]: Require Caltrans to provide an opportunity to pre-pay tolls and use the facility anonymously.

3. Violation of privacy of employees: language has been drafted based on the Connecticut statute that Justice Grodin discussed at the hearing. The proposed language goes further than the Connecticut statute in that it also extends to prospective employees.

4. Amend Penal Code Section 502 (computer crime statute) as follows:

a) Extend existing law to allow recovery by any injured party, not just the owner or lessee of the computer.

b) Allow recovery for any consequential or incidental damages, not just for expenditures necessary to verify that a computer system was or was not damaged.

c) Create civil penalty of $10,000 per injured party up to a maximum of fifty thousand dollars for recklessly storing data in a manner which enables a person to commit acts leading to a felony conviction. Failure to report to law enforcement a previous violation under the statute would be deemed to be possible evidence of recklessness.

d) Require that owner or lessee of computer report to law enforcement any known violations of the statute involving his/her system. Such reports required within 60 days after they become known to owner or lessee.

Warrants for electronically stored materials: We are interested in working with interested parties on some of the proposals made at the hearing, for possible inclusion in the bill as amendments.

Please direct your comments to:

Ben Firschein
Administrative Assistant
Office of Senator Lockyer
Room 2032 State Capitol
Sacramento, CA 95814
(916) 445-6671

========== END OF JAN.17 COVER LETTER ==========

====== TEXT OF LEGISLATION, RECEIVED JAN. 17, 1992 =====

[hand-written] The people of the State of California do enact as follows:

[hand-written] Section 1. This Act may be cited as the Privacy Act of 1992.

[hand-written] Section 2. Section 1799.4 is added to the Civil Code to read:

1799.4. A business entity that obtains information from a consumer's driver's license or identification card for its business records or for other purposes shall not sell the information or use it to advertise goods or services, without the written consent of the consumer.

[hand-written] Sent to Leg Counsel 1/8

[hand-written] Section 3. Section 502 of the Penal Code is amended to read:

502. (a) It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data. The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.

(b) For the purposes of this section, the following terms have the following meanings:

(1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.
(2) "Computer network" means any system which provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities.

(3) "Computer program or software" means a set of instructions or statements, and related data, that when executed in actual or modified form, cause a computer, computer system, or computer network to perform specified functions.

(4) "Computer services" includes, but is not limited to, computer time, data processing, or storage functions, or other uses of a computer, computer system, or computer network.

(5) "Computer system" means a device or collection of devices, including support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, one or more of which contain computer programs, electronic instructions, input data, and output data, that performs functions including, but not limited to, logic, arithmetic, data storage and retrieval, communication, and control.

(6) "Data" means a representation of information, knowledge, facts, concepts, computer software, computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device.

(7) "Supporting documentation" includes, but is not limited to, all information, in any form, pertaining to the design, construction, classification, implementation, use, or modification of a computer, computer system, computer network, computer program, or computer software, which information is not generally available to the public and is necessary for the operation of a computer, computer system, computer network, computer program, or computer software.

(8) "Injury" means any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access.
(9) "Victim expenditure" means any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, deleted, damaged, or destroyed by the access.

(10) "Computer contaminant" means any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, which are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network.

(c) Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

(3) Knowingly and without permission uses or causes to be used computer services.

(4) Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.
(5) Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

(6) Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.

(7) Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

(8) Knowingly introduces any computer contaminant into any computer, computer system, or computer network.

(d) (1) Any person who violates any of the provisions of paragraph (1), (2), (4), or (5) of subdivision (c) is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

(2) Any person who violates paragraph (3) of subdivision (c) is punishable as follows:

(A) For the first violation which does not result in injury, and where the value of the computer services used does not exceed four hundred dollars ($400), by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.
(B) For any violation which results in a victim expenditure in an amount greater than five thousand dollars ($5,000) or in an injury, or if the value of the computer services used exceeds four hundred dollars ($400), or for any second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

(3) Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows:

(A) For a first violation which does not result in injury an infraction punishable by a fine not exceeding two hundred fifty dollars ($250).

(B) For any violation which results in a victim expenditure in an amount not greater than five thousand dollars ($5,000), or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

(C) For any violation which results in a victim expenditure in an amount greater than five thousand dollars ($5,000), by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

(e) (1) In addition to any other civil remedy available, any injured party, including but not limited to the owner or lessee of the computer, computer system, computer network, computer program, or data, may bring a civil action against any person convicted under this section for compensatory damages, including any consequential or incidental damages.
In the case of the owner or lessee of the computer, computer system, computer network, computer program, or data, such damages may include, but are not limited to, any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access.

(2) Whoever recklessly stores or maintains data in a manner which enables a person to commit acts leading to a felony ["a felony" hand-written] conviction under this section shall be liable for a civil penalty of ten thousand dollars ($10,000) per injured party, up to a maximum of fifty thousand dollars ($50,000). Failure to report to law enforcement a previous violation under subsection (f) may constitute evidence of recklessness.

(3) For the purposes of actions authorized by this subdivision, the conduct of an unemancipated minor shall be imputed to the parent or legal guardian having control or custody of the minor, pursuant to the provisions of Section 1714.1 of the Civil Code.

(4) In any action brought pursuant to this subdivision the court may award reasonable attorney's fees to a prevailing party.

(5) A community college, state university, or academic institution accredited in this state is required to include computer-related crimes as a specific violation of college or university student conduct policies and regulations that may subject a student to disciplinary sanctions up to and including dismissal from the academic institution. This paragraph shall not apply to the University of California unless the Board of Regents adopts a resolution to that effect.

(f) The owner or lessee of any computer, computer system, computer network, computer program, or data shall report to law enforcement any known violations of this section involving the owner or lessee's computer, computer system, computer network, computer program, or data.
Such reports shall be made within 60 days after they become known to the owner or lessee.

(g) This section shall not be construed to preclude the applicability of any other provision of the criminal law of this state which applies or may apply to any transaction, nor shall it make illegal any employee labor relations activities that are within the scope and protection of state or federal labor laws.

(h) Any computer, computer system, computer network, or any software or data, owned by the defendant, which is used during the commission of any public offense described in subdivision (c) or any computer, owned by the defendant, which is used as a repository for the storage of software or data illegally obtained in violation of subdivision (c) shall be subject to forfeiture, as specified in Section 502.01.

(i) (1) Subdivision (c) does not apply to any person who accesses his or her employer's computer system, computer network, computer program, or data when acting within the scope of his or her lawful employment.

(2) Paragraph (3) of subdivision (c) does not apply to any employee who accesses or uses his or her employer's computer system, computer network, computer program, or data when acting outside the scope of his or her lawful employment, so long as the employee's activities do not cause an injury, as defined in paragraph (8) of subdivision of (b), to the employer or another, or so long as the value of supplies and computer services, as defined in paragraph (4) of subdivision (b), which are used do not exceed an accumulated total of one hundred dollars ($100).

(j) No activity exempted from prosecution under paragraph (2) of subdivision (h) which incidentally violates paragraph (2), (4), or (7) of subdivision (c) shall be prosecuted under those paragraphs.
(k) For purposes of bringing a civil or a criminal action under this section, a person who causes, by any means, the access of a computer, computer system, or computer network in one jurisdiction from another jurisdiction is deemed to have personally accessed the computer, computer system, or computer network in each jurisdiction.

(l) In determining the terms and conditions applicable to a person convicted of a violation of this section the court shall consider the following:

(1) The court shall consider prohibitions on access to and use of computers.

(2) Except as otherwise required by law, the court shall consider alternate sentencing, including community service, if the defendant shows remorse and recognition of the wrongdoing, and an inclination not to repeat the offense

[hand-written]

Section 4. Section 12940.3 is added to the Government Code to read:

(a) Any employer, including the state and any instrumentality or political subdivision thereof, shall be liable to an employee or prospective employee for damages caused by either of the following:

(1) Subjecting the employee to discipline or discharge on account of the exercise by such employee of rights guaranteed by Section 1 of Article I of the California Constitution, provided such activity does not substantially interfere with the employee's bona fide job performance or working relationship with the employer.

(2) Denying employment to a prospective employee on account of the prospective employee's exercise of rights guaranteed by Section 1 of Article I of the California Constitution.

(b) The damages awarded under this Section may include punitive damages, and reasonable attorney's fees as part of the costs of any such action for damages. If the court decides that such action for damages was brought without substantial justification, the court may award costs and reasonable attorney's fees to the employer.

[hand-written]

Section 5. Section 27565 of the Streets and Highways Code is amended to read:

27565.
Automatic vehicle identification systems for toll collection

(a) The Department of Transportation in cooperation with the district and all known entities planning to implement a toll facility in this state shall develop and adopt functional specifications and standards for an automatic vehicle identification system, in compliance with the following objectives:

(1) In order to be detected, the driver shall not be required to reduce speed below the applicable speed for the type of facility being used.

(2) The vehicle owner shall not be required to purchase or install more than one device to use on all toll facilities, but may be required to have a separate account or financial arrangement for the use of these facilities.

(3) The facility operators shall have the ability to select from different manufacturers and vendors. The specifications and standards shall encourage multiple bidders and shall not have the effect of limiting the facility operators to choosing a system which is able to be supplied by only one or vendor.

(b) The vehicle owner shall have the choice of pre-paying tolls, or being billed after using the facility. If the vehicle owner pre-pays tolls:

(1) The facility or the Department shall issue an account number to the vehicle owner. The account number shall not be derived from the vehicle owner's name, address, social security number, or driver's license number, or the vehicle's license number, vehicle identification number, or registration.

(2) Once an account has been established and an account number has been given to the vehicle owner, neither the facility nor the Department shall keep any record of the vehicle owner's name, address, social security number or driver's license number, or the vehicle's license number, vehicle identification number, or registration.

(3) The vehicle owner may make additional pre-payments by specifying the account number and furnishing payment.
(c) Any automatic vehicle identification system purchased or installed after January 1, 1991, shall comply with the specifications and standards adopted pursuant to subdivision (a).

(d) Any automatic vehicle identification system purchased or installed after January 1, 1993, shall comply with the specifications and standards adopted pursuant to subdivisions (a) and (b).

====== END OF LEGISLATION DRAFT ======

[Note: The preceding is the end-result of the draft-text. Some of the document had apparently-old wording with strike-thru lines; some of it was underlined, apparently indicating newly-added wording. Since there is no universally-accepted protocol for representing such "exotic" text-forms in the Barren ASCII Wasteland, the preceding text does not reflect strike-thrus nor underlines in the original text. Also, the preceding reflects the paragraph-indenting and parenthesized section-labeling, as received. It is left as "an exercise for the reader" to figure out its rationale. --jim ]

The vast majority of us would readily state that we, personally, "store and maintain data." To the extent that we do so on a shared host, it seems like it could be applied to us, *as individuals*. Unless, perhaps, we stored it in encrypted form or made other provable efforts to protect it while it's stored on a shared system. Please note that this scenario equally applies to folks working on LAN systems at a company. Is this, perhaps, "overly-broad legislation"?

------------------------------

Date: Wed, 22 Jan 1992 13:59:44 CST
From: douglas%atc.boeing.com@UMCVMB.MISSOURI.EDU
Subject: File 6--DIAC-92 Workshop Call for Participation and Workshop Guidelines

Directions and Implications of Advanced Computing
DIAC-92
Berkeley, California
May 3, 1992

Call for Workshop Proposals and Workshop Proposal Guidelines
[Due Date Extended]

DIAC-92 is a two-day symposium in which the social implications of computing are explored. The first day (May 2, 1992) will consist of presentations.
The second day will consist of a wide variety of workshops. These guidelines describe the intent for the workshops and the manner in which they are proposed. They are meant to augment and supersede the information found in the Call for Papers and Participation.

The workshops are meant to be more informal than the presented papers of the previous day. For this reason the format for the proposals is expected to vary. Nevertheless there are some guidelines that we can offer that will help ensure a successful workshop.

The proposal should include the title, author's name, affiliation, and electronic mail address at the beginning. All workshop proposals will be included in the proceedings. The workshop proposal should be 1 - 8 pages in length. The desired range of attendees (smallest number - largest number) should be included. All workshops will be two hours in length with a short break 1/2 way through. It is possible to schedule two related workshops back to back, say "Introduction to Something" and "Advanced Something". If this is the case please submit two separate proposals but state that they are related.

There are four major concerns for the workshops which should be addressed in the proposal.

1. Intellectual Content
The intellectual content of the workshop should be made clear. What is the focus on the workshop? What are the relevant social issues? What relevant research exists already on the topic? Who is the intended audience? The topic should have a qualitative computing element in it.

2. Structure
There should be some structure to the workshop. It can be quite loose and flexible but it shouldn't be completely open. The amount of structure will vary according to the topic at hand, the intended goals, the personalities of the audience and the organizers, etc. The proposal should describe the structure of the workshop.

3. Interactivity
The workshop should be interactive.
The workshop should be designed in such a way to promote meaningful interaction between the organizer or organizers and the attendees. Because there is group interaction it is hoped that more points will be raised, more issues considered, and deeper analysis performed. The methods of interaction should be described in the proposal.

4. Product or action oriented
Ideally the workshop should result in some product or plan for action. Although this aspect is not critical, the program committee feels that this is quite important and we hope that workshop organizers will think in these terms and strive to promote an appropriate outcome. Possible "deliverables" are described below.

Possible Output From a DIAC-92 Workshop

+ Statements or press releases
+ Bibliography on subject matter
+ Electronic distribution list on the subject
+ Ideas for a follow up meeting, workshop, or conference
+ List of possible projects on the subject
+ Writeup of meeting for electronic or print dissemination
+ A project proposal
+ A panel discussion proposal
+ A grant proposal
+ An experiment
+ A working agreement -- e.g. to connect two networks, to share data, to begin a study, to write an article, to build software jointly, etc.
+ A videotape of some or all of a workshop
+ A brainstormed list of viewpoints, a "semantic network" of the issues
+ A list of hypotheses
+ Any plan to continue discussion on the topic

Please send proposal (four copies) to Doug Schuler, 2202 N. 41st St, Seattle, WA, 98103. Proposals are due by March 1, 1992. Proposals will be reviewed by the program committee. Acceptance or rejection notices will be mailed by April 1, 1992. We plan to incorporate workshop proposals into the proceedings. Please contact us if you have any questions or comments.

Doug Schuler, 206-865-3832 (work), 206-632-1659 (home), dschuler@june.cs.washington.edu

The program committee includes David Bellin (consultant), Eric Gutstein (U. WI), Batya Friedman (Mills College), Jonathan Jacky (U.
WA), Deborah Johnson (Rensselaer Polytechnic Inst.), Richard Ladner (U. WA), Dianne Martin (George Washington U.), Judith Perrolle (Northeastern U.), Marc Rotenberg (CPSR), Douglas Schuler (Boeing Computer Services), Barbara Simons (IBM), Lucy Suchman (Xerox), Karen Wieckert (U. CA. Irvine), and Terry Winograd (Stanford).

Sponsored by Computer Professionals for Social Responsibility
P.O. Box 717
Palo Alto, CA 94301

DIAC-92 is co-sponsored by the American Association for Artificial Intelligence, and the Boston Computer Society Social Impact Group, in cooperation with ACM SIGCHI and ACM SIGCAS.

------------------------------

End of Computer Underground Digest #4.06
************************************