Elizabeth Ferrill
International Back-Hacking Pursuit Policy: Technical and Legal Implications
Abstract
In the past ten years, our country’s computer assets have become the targets of an international assault over the Internet. More than a decade ago, the United States government found that the Internet offered an amazing ability to share ideas and information. The Internet has allowed the government to easily connect groups of people who work all over the country. The network was so easy to use that the government connected thousands of computers at hundreds of sites. The government, rightfully so, set up a separate network for classified information to keep such data secure. However, important data is still vulnerable on unclassified networks, and many countries such as China, Iraq and Korea would love to steal that information. Such countries have found that international hacking is one of the simplest and most economical ways of gathering intelligence. These hackers use a variety of techniques to compromise US systems. In the past five years alone, computers at the Air Force’s Rome Lab, US Navy submarine systems and the National Aerospace Plane were all attacked by international hackers. These known hackers came from countries such as Britain, the Netherlands, Germany and Latvia.
Ever since Cliff Stoll tracked down a German hacker who was attacking his lab back in 1986, some government agencies have been interested in trying to catch these intruders. However, as the Rome Lab’s analysis of their attack points out, "The situation at Rome Lab open[ed] a Pandora’s Box of legal, military, intelligence collection and technical issues" [AFI95:14]. This comment lists the main problems with any plan to trace and apprehend international hackers. The technical issues include software that we can not effectively test or use because of the legal implications. The legal implications involve sovereignty of foreign countries and their appropriate computer and search and seizure laws. Unfortunately, for the law enforcement agencies, all the work of tracking the criminal can eventually result in a foreign government that simply doesn’t care about computer crimes.
In an attempt to remedy this situation, I have created four alternative solutions: making backtracking legal, legal only with a State Department warrant, legal only with an international warrant (based on a treaty) or illegal under all circumstances. I have examined each alternative in terms of its legal and technical feasibility, its respect for the sovereignty of other nations and its ability to effectively enforce the law and catch the criminal. With these objectives in mind, I chose the idea of an international warrant. Such a plan offers a moderately quick enforcement of the law while upholding the sovereignty of other nations and holding up in a court of law. The Rome Lab incident shows us that this is technically feasible. The only major vulnerability of this plan is that not all countries might sign the treaty, and those that did not would become havens for hackers to use as stepping stones.
In the end, it is most important that we, as a nation, address this problem and come to a solution. Currently, we are without a firm policy on this issue, thereby giving these international thieves free rein of our databases. Hopefully, we can address this issue before it is too late.
Introduction
Until that morning in the summer of 1986, Cliff Stoll led a quiet life of astronomy, quilting and bike riding. His boss told him to check out a bug in the accounting program on the UNIX computer system. Back then, the Lawrence Berkeley Lab (LBL), where Stoll worked, sold processing time to other users through the network. The accounting program was reporting 75 cents worth of time that had no owner. Thus Stoll set out to discover who used that time. He tracked the "used" cycles to a physicist, who couldn’t have used the time since he had been in England for about a year. Eventually, Stoll’s detective work led him to a mysterious hacker who was violating the LBL system and using it as a stepping stone to other Milnet sites. The hacker had used a little-known hole in the GNU-Emacs text editor to gain system privileges, copy password files and read everyone’s e-mail. Over more than six months, the hacker attempted to break into roughly a hundred military and defense contractor sites. Meanwhile, using a printer connected to the network, Stoll covertly recorded all the hacker’s keystrokes. Stoll contacted the FBI, the CIA, the NSA, the DIA and the Secret Service in an attempt to get help in tracking the hacker. With little help from these agencies and a lot of persistence, Stoll eventually traced his hacker to Hanover, West Germany. It was another six months until the Germans finally prosecuted the hacker, Markus Hess, and his accomplices. Throughout his investigation, Stoll confronted many of the problems of international back hacking, including incongruent laws and customs as well as technical differences.
In recent years, many individuals from countries such as China, Iraq and Korea have invaded our country’s Internet and done considerable damage, as Cliff Stoll discovered. "The Pentagon recently admitted that large portions of its non-classified computer systems connected to the Internet have been infiltrated. Intruders have stolen, altered or erased data and even shut down the systems. The compromised systems include those for ballistic weapons research, aircraft and ship design, military payroll, personnel records, procurement, email and computer security research" [MIL96:358]. To catch these criminals, system administrators engage in ‘hot pursuit’, which is essentially chasing the hacker across the Internet to his source. However, due to legal constraints, it has been extremely hard for U.S. officials to apprehend these international criminals. This paper will discuss both the problems that Cliff Stoll encountered during ‘hot pursuit’ and the developments in the area in the past ten years. Finally, this paper will discuss the general legal and technical issues and consider what policy would be in the best interests of the United States to mitigate the international backtracking problem.
Problems
The main problems of international back hacking include international hackers who go unchallenged and our need to protect our systems somehow. These hackers steal our information and download it back to their home countries. Currently, as Clifford Stoll discovered, no particular government agency is interested in international hacking, that is, breaking into foreign computers across international borders. From more than one agency, Stoll heard the familiar phrase, "I’m sorry I can’t help you, but it’s really not my bailiwick." [STO90:67]. Only after a lot of convincing did Stoll get the FBI to give him a little bit of help. Most agencies wanted to listen, but not to get involved. We would like to trace the hackers into their country of origin and identify them for arrest, but we must consider the legal entanglements of entering another country without its permission. Most government agencies are reluctant to help back-hackers because there are no concrete laws in this area.
In addition, these computer crimes unfortunately have a low priority. Jim Christy of the Air Force OSI said, "The FBI isn’t required to investigate every crime. Probably they look at one in five. Computer crimes aren’t easy – not like kidnapping or bank robbery, where there are witnesses and obvious losses. Don’t blame them for shying away from a tough case with no clear solution" [STO90:68].
Objectives
There are five objectives that a good policy on backtracking international hackers should follow. Our current policy in some cases is to chase the attacker away, but not (legally) pursue them over international boundaries to their source. Currently, we must instead rely on "the good-will and voluntary concurrence of host governments" when conducting searches and investigations [DuK91:700]. My first objective in solving this problem is to stop the hackers, since they are damaging and stealing American property. The number of attacks must be reduced through law enforcement to preserve the safety of our intellectual property. Second, I think it is important that our decision be legal, although this goal may be very hard to achieve. The choice should be in accordance with current US laws and beliefs about what is right and wrong in society. Next, another objective is that US law enforcement shouldn’t enter another country on a whim, for there is a level of respect that should be upheld between one sovereign country and another. The policy should convey that respect for sovereignty. We, as a country, may want to share some ideas, but be allowed to keep other information secret as a matter of national security. In addition, my fourth objective is that the option be politically feasible. Without the potential support of our government, a solution will be doomed no matter how good it is. Finally, for my last objective, we must ask: "Is it technically possible and logistically feasible to catch these intruders considering the time frame of these incidents?" There is no point in making policies if we cannot enforce them. The policy should consider each of these five factors.
Technical
International Hacker: Bad Guy
The international hacker has many tools at his disposal. He may or may not be funded by a government, but regardless of his finances, he usually knows his way around the Internet. Sometimes he is a student, and other times he is a government agent or a civilian working for a government [DiC96:38]. There are many ways for him to obtain access to a system, including cracking passwords and bypassing access controls. Usually the hacker chooses his target carefully, as well as his method of attack. In the Cuckoo’s Egg case, the hacker had been given a list of sites that the Soviets were interested in, and he searched around until he found one [STO90:326].
Lt Kevin McGowan of the Air Force Academy Department of Computer Science pointed out that the hacker would bounce off many different computers to hide his tracks before attacking. The hacker will try to confuse the victim by criss-crossing his path through many other computers and networks. Markus Hess used both the University of Bremen and the LBL network to try and cover his tracks as well as save money on long distance calls. In the case of the break-in at "Rome Lab, the Air Force’s premier command and control research facility…between 23 March and 16 April 1994" a 16 year old British hacker and his accomplice used a computer in Seattle, Washington as their bouncing point [AFI95:1].
In addition, a hacker knows that he can be traced as long as he remains in one medium. A novice hacker might just connect to a system through a series of Telnet connections. However, a skillful hacker will use the Internet only as an intermediate means, with his actual connection being to a satellite through a cell phone, an undersea cable through the ocean or even just the regular phone lines [4]. "Not calling from your house means calling from someplace else. That means [the hacker] may want to splurge for a laptop computer….All this should run you about one or two thousand dollars – a lot less than the cost of retaining an attorney to defend you in court" [FIE94:146]. For example, Lt McGowan described a modem and a laptop connected to a cell phone whose ID number has been stripped off. The hacker then requests a routing through a satellite for his call. (In his book, Clifford Stoll points out that this is not an unusual request, since many customers like the clearer sound of satellite communications over undersea cables.) Worse yet, since the phone has no ID number, the hacker can charge his call to a local house, using its phone line and billing the owners. "The money problem is one which gets to hackers in other ways. Phone bills add up fast, which is why most serious hackers are phreaks too. A phreak is someone who hacks the telephone networks" [FIE94:147].
After picking his medium, the international hacker needs to carefully pick his route for the best attack. The best countries include those that have a mixture of the Internet and intranets as well as connections to the World Wide Web. This way the hacker has a lot of flexibility in movement. Next, the hacker wants to pick a country that has less than great relations with the United States and that would be offended by a US "intrusion" into its territory to chase the hacker. Such countries as China, Iraq, Syria and France would work quite nicely. It is not that the US will not chase the hacker, but the idea is to make the tracking officials think twice before entering. Hackers know that some countries will not prosecute them or do not have the time, so this decision can be crucial. Former hacker Ian Murphy summed it up when he told the Boston Herald: "One of the beauties of the Internet are that there are no more borders. It doesn’t matter if I’m in Argentina, China or across the street. I might as well be sitting at your terminal in your building. I am at your site." [DiC96:32]
BackTracker: Good Guy
Usually the backtracker is employed by any one of a number of agencies including the FBI (inside the US), the CIA (outside the US) and the Defense Information Services Agency (DISA) which deals with attacks on military computer systems [DIC97: 17]. If the network is classified then the National Security Agency (NSA) will become involved.
In general there are two types of monitoring: context and content. An example of content monitoring would be "collecting every keystroke entered by the user" (AFI95:14). This type of monitoring can be time consuming and creates a lot more information than the system administrator may actually need. Context monitoring, by contrast, is a method of looking at information that is "publicly available to legitimate system users" (AFI95:15). A system administrator could employ this technique by looking at the processes running on the system and noticing that one user is transferring (by FTP) a large number of files to his home computer.
The backtracker traditionally will discover the intruder by using clues learned from context monitoring. These clues include message traffic that is bounced off many machines and mail without return addresses, in addition to any problems created by the intrusion. Other clues include a large number of processes being used by a previously inactive account. This suggests that the hacker may have stolen an existing account to use [4]. Sometimes hackers are only reading information, which can be a compromise of security; however, they are not doing any real damage that can be detected.
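The context-monitoring clues above (a previously inactive account suddenly running many processes, and a user pushing files out by FTP) can be checked mechanically against a process listing. The following is an added example, not code from the paper or from any of the agencies it describes; the process snapshot, the baseline of normal per-account activity and the threshold of three processes are all constructed for illustration.

```python
"""Context-monitoring check over a constructed ps-style process listing.

Flags (a) accounts with no baseline activity that now run several
processes, and (b) any account running an FTP client, which are the two
clues the text describes. Everything here is constructed sample data.
"""
from collections import Counter

# Constructed snapshot in "USER PID COMMAND" form; not from a real system.
PS_SNAPSHOT = """\
root      101 init
root      212 inetd
dormant   305 ftp -n 10.0.0.25
dormant   306 sh
dormant   307 find / -name passwd
dormant   308 cat /etc/passwd
dormant   309 ftp -n 10.0.0.25
alice     410 emacs report.tex
alice     411 sh
bob       512 sh
"""

# Constructed baseline: typical number of processes per account over the
# past month. An account with 0 is "previously inactive" in the text's sense.
BASELINE = {"root": 2, "alice": 3, "bob": 1, "dormant": 0}

ACTIVE_THRESHOLD = 3  # assumption for this example: 3+ processes is "many"


def parse_ps(text):
    """Parse 'USER PID COMMAND' lines into (user, pid, command) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        user, pid, cmd = parts
        rows.append((user, int(pid), cmd))
    return rows


def flag_reactivated_accounts(rows, baseline, threshold=ACTIVE_THRESHOLD):
    """Accounts with zero baseline activity but >= threshold processes now."""
    counts = Counter(user for user, _, _ in rows)
    return sorted(u for u, n in counts.items()
                  if baseline.get(u, 0) == 0 and n >= threshold)


def flag_ftp_transfers(rows):
    """(user, remote_host) pairs for processes that are FTP clients."""
    hits = set()
    for user, _, cmd in rows:
        argv = cmd.split()
        if argv and argv[0] == "ftp":
            # first non-option argument is taken as the remote host
            host = next((a for a in argv[1:] if not a.startswith("-")), "?")
            hits.add((user, host))
    return sorted(hits)


def context_report(text=PS_SNAPSHOT, baseline=BASELINE):
    """Run both checks and return the findings as a dict."""
    rows = parse_ps(text)
    return {"reactivated": flag_reactivated_accounts(rows, baseline),
            "ftp": flag_ftp_transfers(rows)}


if __name__ == "__main__":
    print(context_report())
```

Run on the constructed snapshot it reports `dormant` as a reactivated account and one FTP session from `dormant` to `10.0.0.25`; in practice the baseline would come from accounting records like the ones Stoll started from.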
At this point it is necessary to delineate between domestic and international hackers. If Rome Lab had found that the Telnet connections were coming from a high school kid in New Jersey, then they could have easily called the system administrator at the home site, exchanged login files, found the hacker, then called the local police and the child’s parents. However, in the international environment, the trackers cannot always just call the system administrator and complain about the unruly user. In many cases the system administrators’ names are not published and they do not speak English. With the addition of phone lines for undersea communications, the tracing problem becomes much more complex than a normal phone line trace (as with a domestic modem). Some international hackers are not just kids playing after school. Instead they represent a true threat to our national security. While many hackers are really harmless, I think that we should prepare and plan for a hacker that is not so benign. Skillful hackers like Markus Hess, who was working for the KGB, cover their tracks so that a simple ‘finger’ command does not provide much information. Many of our current problems with hackers come from the traditional view that they are harmless and can be ignored. The following search details the exhaustive process that is sometimes necessary when dealing with an advanced hacker.
To start an international search, trackers usually examine packets of data for IP addresses, number of hops, time to live and even user names, all in an effort to find a clue about the hacker’s origin [4]. Programs such as tcpdump and snoop will both perform this function. If none of that data helps to find the intruder, then the tracker can examine the login files and the routing tables for clues about who was on the system and where the message may have originated.
The routing tables are harder to read than the header and may be altered by the hacker, which is why they are not examined first. Certain programs will provide the Ethernet address (specific to each machine) given the IP address. This information can help unless the hacker is using a system like America Online, which generates IP addresses on the fly as the user logs in [4]. This is because AOL doesn’t want to have to buy an IP address for every single user; instead it just recycles them. This type of system gives the hacker anonymity from the IP/Ethernet address connection.
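The header fields the text names (source address, time to live, hop count) can be pulled out of a packet capture and summarised per source, which is the first pass of the search described above. This is an added example rather than code from the paper or from Rome Lab; the capture lines are constructed in a simplified tcpdump-like shape, the addresses are documentation ranges, and the hop estimate relies on the assumption that senders start from one of the common initial TTL values 32, 64, 128 or 255.

```python
"""Packet-header triage over constructed tcpdump-like lines.

For each line it extracts source address, destination port and IP TTL,
estimates how many router hops the packet crossed, and summarises by
source so a tracker can see which addresses connected and from roughly
how far away. The lines below are constructed, not a real capture.
"""
import re

SAMPLE_LINES = """\
12:01:03.100 IP (ttl 241) 192.0.2.10.1042 > 10.1.1.5.23: Flags [S]
12:01:03.240 IP (ttl 241) 192.0.2.10.1042 > 10.1.1.5.23: Flags [P.]
12:01:07.010 IP (ttl 57) 198.51.100.77.2001 > 10.1.1.5.21: Flags [S]
12:01:09.550 IP (ttl 118) 203.0.113.9.3333 > 10.1.1.5.23: Flags [S]
garbage line that should be ignored
"""

LINE_RE = re.compile(
    r"IP \(ttl (?P<ttl>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)"
)

# Assumption: common initial TTLs used by operating systems of the period.
INITIAL_TTLS = (32, 64, 128, 255)


def estimate_hops(ttl):
    """Assume the smallest common initial TTL >= observed; hops = difference."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    return None  # TTL above 255 cannot occur in a valid IPv4 header


def parse_lines(text):
    """Turn capture lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ttl = int(m.group("ttl"))
        records.append({
            "src": m.group("src"),
            "dport": int(m.group("dport")),
            "ttl": ttl,
            "hops": estimate_hops(ttl),
        })
    return records


def summarise(records):
    """Per source address: packet count, destination ports, hop estimate."""
    out = {}
    for r in records:
        s = out.setdefault(r["src"], {"packets": 0, "dports": set(),
                                      "hops": r["hops"]})
        s["packets"] += 1
        s["dports"].add(r["dport"])
    return out


def triage(text=SAMPLE_LINES):
    return summarise(parse_lines(text))


if __name__ == "__main__":
    for src, info in triage().items():
        print(src, info)
```

As the text notes, a source address from a dynamically assigned pool (the AOL case) identifies a session, not a person, so the summary is a starting point for the login-file and routing-table checks, not an answer.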
But don’t think that the folks at the NSA are spending all their time poring over routing tables tracking criminals. Instead there exists a program that can do this job for them. Rome Lab in New York created a program called Pathfinder, which used simple UNIX commands and known vulnerabilities in UNIX systems to trace Datastream Cowboy to his source [AFI95:24]. (If you read the first appendix and wonder why Clifford Stoll did not use such a tracking program, remember that it was only 1986 and such programs were not widely used at the time.) To use Pathfinder, they needed an "active suspicious connection" (AFI95:16). The program would automate the "entire process from intrusion detection to tracing the unauthorized connection along the Internet path" (AFI95:16). However, the program has two main problems. It was created and used for only three days to catch the Datastream Cowboy. The first problem is that it uses only a single version of the UNIX commands to exploit the vulnerabilities of other systems. In the Rome Lab case, the program traced the hackers back to a computer in Seattle, Mindvox, which used another type of UNIX. The program attempted to command the remote computer, and the command that it used was not in the vocabulary of Mindvox (AFI95:20). Thus Pathfinder was stuck, and this is where the trace ended (AFI95:17). However, if the trace had not ended there, there is no reason to believe that the program could not have traced the hackers back to England. Unfortunately, as will be discussed in later sections, this presents a problem. Pathfinder does not understand or respect national boundaries. Instead the program is based solely on IP and Ethernet addresses. The second problem with Pathfinder is that it cannot trace through intermediate systems like phone lines or satellite links.
However, with this type of program and a phone line wiretap backhackers can easily track a hacker through any one of the countries mentioned previously. It is the job of the NSA to determine what should be done about the information gained in this way.
It was mentioned that Pathfinder was only used for three days. According to the official report, "the total lack of legislation governing this type of law enforcement activity was the main reason for Pathfinder’s brief debut. In fact, if not for verbal permission granted by the Department of Justice attorney Scott Charney during the incident, it could never have been used at all. These limitations underscored the success of Pathfinder at Rome Lab" (AFI95:20). As a result, many of the bugs and problems with the program have not been fixed or tested to this day, and may never be.
The origins of many of our modern tracking methods lie in the incident at LBL in 1986 [STO95:533]. The hacker was using the LBL system as a "springboard to other primarily military computer systems" [DuK91:524]. The techniques that Clifford Stoll used to catch the hacker, including monitors, alarms and traffic analysis, were the beginnings of modern tracking software [STO95:535].
Today, tracking usually starts with the NSA or the FBI, but quickly spreads to include the Department of Justice(DoJ) and sometimes the Department of Commerce. In the case of Julio Cesar Ardita, an Argentinean university student who broke into the US Navy submarine system, the DoJ was eventually the US party that sought his arrest [NII96:62].
Legal Summary
Tim May, Cypherpunk founder, said, "National Borders are just speed bumps on the information superhighway" [MIL96:371]. May’s comment is especially significant to the notion of backtracking across the international Internet to catch a hacker. Essentially this is a legal issue regarding unlawful searches and seizures. However, to complicate matters, the backtracking action can travel across many international boundaries in only a few seconds. The act of backtracking can in and of itself be considered another form of hacking to catch a criminal. This criminal’s actions usually fall under everything from burglary and criminal mischief to fraud and larceny [FIE94:140-41]. However, "when dealing with electronic media in a computer, questions regarding the occurrence of the physical act itself may provide obstacles as there may be no physical evidence available" [WOO97:138]. Currently we have created many computer-related laws, such as the Violent Crime Control and Law Enforcement Act of 1994, which focus on the transmitting of computer viruses [MIL96:359]. "Every state except Vermont has explicit laws forbidding computer crime" [FIE94:139]. However, most computer crimes are actually under federal, not state, jurisdiction, since "any computer that accesses the Internet will likely fall within [the] statute" which states that "computers used ‘in interstate commerce or communications’" are considered under federal government jurisdiction [DiC97:17]. In addition, the FBI has mostly focused its efforts on unauthorized copying of software and not on on-line searches [MIL96:357]. But our laws are only part of the international legal puzzle of backtracking.
Most experts contend that international backtracking is initially a two-part problem. The first is the danger that "computer crime will not be considered to be of sufficiently serious nature to warrant a high priority enforcement" [WOO97:138]. As one assistant district attorney pointed out, "Computer crimes are difficult, time consuming and costly and in the face of other crimes, have a low priority.... Computer crime just doesn’t stack up against murder" [ALE95:217]. "One sort of strange requirement" of the Computer Fraud and Abuse Act of 1986 is that this law can "only be applied to crimes where the victim has lost $1,000 or more due to the crime" [FIE94:143]. With such laws, it is hard to determine the value of copied information or stolen password files. In addition, crimes against classified computers usually get the most attention. However, a 1987 break-in at the Air Force’s Systems Command brought up another consideration. "The System’s Command’s Space Division has nothing to lose: its computer is unclassified…. But there’s a deeper problem. Individually, public documents don’t contain classified information. But once you gather many documents together, they may reveal secrets" [STO90:210]. This is exactly what the Soviets were hoping to gain from Markus Hess. They did not need true secrets, only confirmation of what they already knew.
The second problem, a foreign source intrusion, is technically a situation for the CIA not the FBI [DIC96:17]. The federal laws apply whenever there is any network traffic across state lines. In today’s network environment, it is nearly impossible not to cross state lines when trying to break into a system. The question then becomes, does a crime that crosses international boundaries become an international crime? In addition, whose laws apply to the criminal? Has the law been broken in the hacker’s country where he sits or in the other country that he just attacked or in an intermediary country through which his signal has passed? These two questions make the tracking cases difficult to complete since often very few people are interested in investigating them.
These problems leave international backtracking largely in the hands of the National Security Agency. It is their job to obtain "the cooperation of the international police agencies" to complete their search [DIC96:19]. In fact, search and seizure laws vary radically from country to country. Not all governments recognize the US exigency search exception to the United States Constitution when the US seeks to intrude into their systems without any preexisting authority [DiC96:19]. However, since currently we still believe in the "all-important concept of national sovereignty" and do not want to create international incidents, our official policy right now is to ask for help from the host nation [DIC96:20]. Unfortunately, the real problem is foreign countries’ laws. Most countries don’t recognize hacking as a crime, or they have outdated laws. "In Canada, a hacker that broke into a computer was convicted of stealing electricity, rather than trespassing. He was prosecuted only because the connection had used a microwatt of power from the computer." [STO90:166]. It is very difficult to get extradition for what is perceived as such a petty crime. "In the case of Rome Labs and the Argentine Intrusion…the hackers electronically traveled through foreign nations before reaching their intended targets. In each case, the primary problem in rapidly identifying the intruder was obtaining the cooperation of the international police agencies and governments involved" [DiC96:19]. The foreign country, however, must turn the offender over to the United States. Most countries will only extradite when the offense is a crime in that jurisdiction. In addition, most nations are reluctant to extradite their own citizens [NII97:2-54]. In Germany, "hacking into a computer isn’t a big deal there. As long as you didn’t destroy the computer, breaking into a system wasn’t much worse than double parking" [STO90:222].
A cyberspace "hot pursuit" search on the Internet would usually fall under our exigent exception to the Fourth Amendment. Under our laws, we would have the right to chase the criminal and search the network if we felt that waiting to get authority would mean that a dangerous criminal would escape. But not all countries have the same laws that we do, nor do they take kindly to us intruding in and out of their country’s network during our search. Lt McGowan mentioned that the NSA’s current policy is to ask for State Department permission before searching a foreign system. However, he also pointed out that this "warrant" is nothing more than a technique of informing the diplomatic corps that the country may be upset by the intrusion. If it is found that the criminal is based in another country, then the NSA asks local authorities to help his apprehension. In some cases, like the LBL incident, the country will listen and eventually help, in others like the Dutch hacker incident, the host nation government does not act as quickly. In the second case, the US had to wait for the Dutch to decide what their laws on the subject would be.
The most obvious solution to this problem would be to create a general, international agreement about the rights of a country when conducting an international search. Today, multinational organizations conform to the laws of their host countries and have established international laws that fit their own operation [DuK91:701]. Much like the international GATT agreement on patents, this type of international treaty would lay the groundwork for all future searches. "Successful globalization of networks and information systems requires the good-will and voluntary concurrence of host governments" [DuK91:700]. However, Steven Miller points out that
"An estimated 40 percent of the world’s population has no access to electricity, 65 percent have never used a telephone. For many people, telecommunications is a luxury that they can’t yet afford. Much of the world is still struggling to escape the ravage of war and want." [MIL96:372]
With this kind of world order, it makes sense that most countries are not interested in making agreements about international backtracking.
Finally, Robert Ackerman pointed out in Signal magazine that "the national policy on the NSA’s national security mission all must be balanced against issues of privacy for individual citizens and business" [ACK97:23]. Unfortunately, what we must remember is that our own concepts of individual privacy vs. national security do not apply around the world. Any international agreement would need to take into account the differing ideas about state vs. individual rights in terms of exigent searches and seizures. Many countries might not mind doing an exigent search on their own populace, but they would not readily allow the American authorities to conduct such a search. Contacting the proper host nation authorities may take more time than the trackers have. This is a fight between enforcing the laws effectively and not stepping on anyone’s international toes in the process.
Alternatives
Now that the technical and legal issues of international back-hacking have been addressed, it is time to consider the alternatives that are available to solve our problem. There are four possible solutions to this problem that I will consider: making back-tracking legal, legal only with a State Department warrant, legal only with an international warrant (based on a treaty) or illegal under all circumstances. Each alternative will be valued based on the objectives and on the likelihood of the idea working in an effort to choose the best idea.
Option 1. International back-hacking is legal and should be actively pursued. This choice would mean that we could track attackers without a warrant or any other restrictions. This means that we could release tracking programs immediately upon intruder detection, which would give us the best chance of catching the international hacker. This option offers the highest likelihood of catching the criminal in the shortest time possible, since there is no need to get permission from another body. Given the small amount of time since the act, it is more likely that the criminal will be caught, although it is important to remember that the criminal may cover his tracks so well that the amount of time is insignificant. However, there is also a high likelihood that the other country or countries through which you track the criminal will feel that their sovereignty has been violated, and as a result the criminal may be able to challenge the legal basis for the search. This option can create political problems as well. I think that the fallout from foreign countries’ feelings of violated sovereignty would manifest itself in a political nightmare. Thus, our government would have a difficult time approving this option.
Option 2. International back-hacking is legal, but only with a State Department warrant. This choice would allow us to violate the sovereign virtual borders of other countries only if our government deemed that we had cause. This idea would limit our ability to do instantaneous pursuit, thus lowering our chance of apprehension, but would be more respectful of other countries. The foreign government might feel violated, but it could also have some knowledge of the trace through diplomatic channels. Beginning a search would be fairly immediate, since the State Department could issue the warrant fairly quickly (depending on the government bureaucracy). The State Department warrant would be a method of ensuring that we had political approval for our actions. Also, our government would be ready for any political problems resulting from the investigation. Since the information on the attacker’s whereabouts is usually preserved in files along the way, we could still track him even days or weeks after the attack, providing time to get the warrant, assuming that the hacker does not erase his tracks. In the end, it is possible that the legal basis for the warrant might be challenged, but only if some international treaties were taken into consideration.
Option 3. International back-hacking is legal, but only with a warrant issued by a neutral international body. This method of issuing a warrant conforms better to the neutral-magistrate idea in our own US law. It would take more time, but the warrant would be nearly indisputable, since presumably the countries agreed to abide by the international rules beforehand. Recently, the Council of Europe met to discuss this idea. The Council decided that "it was clear that the various nations need to work together toward standardized uniform criminal procedures…[and they] recommended that the power to extend a search to other computer systems should also be applicable when the system is located in a foreign jurisdiction, provided that immediate action is required"[DiC96:19]. The additional time required to get the warrant would greatly reduce the chance of catching the criminal on the first try. Instead, the tracker would have to hope that he had the warrant in hand if the hacker ever came back a second time, and that the hacker used the same route on the second visit. If the hacker uses another route through a different country, a new warrant would need to be issued. (The hacker is likely to return, since he usually needs more than one visit if his intention is anything serious.) The trail goes cold quickly as other users' activity covers up the hacker's movements or he intentionally erases his tracks. By using an international body to decide when we could back-hack into another country, we would remove most if not all of the political ramifications: we would simply be doing something that the host country agreed to allow when it signed the treaty.
Others have suggested that the basis for an "Information War" treaty (in which back-hacking would necessarily appear under defense) should follow the lead of Space Law [DiC96:46]. Following this type of law would require an acknowledgment that the Internet, like space, is not really owned by anyone; it is community property. For example, consider the Internet to be like the Moon. The Moon is not owned by any one country on Earth; however, if a country sets up a base on the Moon, then we would probably need permission to enter that base, even though the country does not own the land the base sits on. I propose that the Internet is similar, since it is not owned by any one country; we should ask permission from a neutral body before entering another country's portion of the Internet, just as we would before entering its base on the Moon.
Option 4. International back-hacking is illegal under all circumstances. We could choose to hold the sovereignty of other nations in the highest regard. We would then have no possibility of our legal basis being challenged, and no chance of our country offending another. At the same time, considering the kind of countries we are discussing, it is unlikely that we would ever catch our criminals. Whether the criminal is actually in the other country or merely using that country as a pass-through, the hacker would be immune to our investigation. We would track attackers until the trail led out of the country, at which point we would stop tracking and inform the other country of the criminal in its midst. Our politicians would never have to deal with any political concerns from back-hacking, since it would not exist as an accepted form of law enforcement.
Based on these alternatives, I have critiqued and weighed the ideas to determine the best course of action. Unfortunately, the most effective choice, making the traces legal without a warrant, would probably be the least likely to be adopted, considering the international ramifications. One of the warrant systems could work, and could be combined with a program to work with local authorities.
The following chart summarizes each alternative's ability to meet the different objectives. The objectives are ordered according to my personal opinion of which should be most important.
Ratings According to Objectives

Option (make back-hacking…) | Enforce Law | Respect Sovereignty | Legally Sound | Politically Feasible | Technically/Logically Feasible
legal                       | Excellent   | Poor                | Fair          | Fair                 | Yes
legal with State Dept       | Good        | Fair                | Fair          | Good                 | Yes
legal with treaty           | Good        | Good                | Good          | Excellent            | Usually, but only with signatory countries
illegal                     | Poor        | Excellent           | Excellent     | Excellent            | N/A
I think that enforcing the law and concern for sovereignty are equally important. If pressed, however, I would say that enforcing the law to protect our information is slightly more important than making sure we don't anger other countries. Getting a warrant of some type means that one has to think before tracking into another country, which gives the venture more of a legal than a technical character. Finally, legal issues in this area are more difficult to resolve than technical ones.
Recommendation
Based on my chart, I think that the most beneficial choice would be a warrant system based on international agreements and restrictions. This system would need to operate in concert with an international treaty on the subject. Such a treaty would ensure that everyone is playing from the same sheet of music when requesting an international warrant. The warrants would need to be issued by a group that is on call 24 hours a day, available whenever such warrants are needed. (The hackers work around the clock, so the trackers need to work the same hours.) This warrant would make sure that we breached the sovereignty of another nation only when our national security was at risk. In other words, the trackers would need to take a second look at what they were doing and consider the consequences. The trackers would also need sufficient evidence to trace into another country, more than just a hunch. This system would be the most politically acceptable of the three choices that permit back-hacking. We would be doing something about the problem while respecting the rights of the rest of the world.
Summary & Conclusion
In this paper, I have discussed the problem of apprehending international hackers. Since we have the technology to complete the searches, the legal ideas of sovereignty and law enforcement have become the more important concerns. By examining the different alternative solutions, I have chosen the international treaty as the best choice in terms of my objectives. This alternative provides us with a sound legal basis for our search while respecting the other countries as well.
In the end, it is most important that we, as a nation, address this problem and come to a solution. Currently, we are without a firm policy on this issue, thereby giving these international thieves free rein over our databases. Hopefully, we can address this issue before it is too late.
Bibliography
[ACK97] Robert K. Ackerman, "Security Balances Needs of Privacy and Law Enforcement," Signal, February 1997, p. 23.
[AFI95] Air Force Information Warfare Center, A Technical Analysis of the Rome Laboratory Attacks, Kelly Air Force Base, Texas: Government Printing Office, 20 January 1995.
[ALE96] Michael Alexander, The Underground Guide to Computer Security, Addison-Wesley, Reading, Mass., 1996.
[DiC97] David DiCenso, Maj. USAF, "CyberLaw Enforcement," Department of Law, USAF Academy, Colorado, 1997.
[DiC96] David DiCenso, Maj. USAF, "CyberLaw: Legal Issues in the International Information Environment," Department of Law, USAF Academy, Colorado, 1996.
[DuK91] Charles Dunlop and Rob Kling, Computerization and Controversy: Value Conflicts and Social Choices, Academic, Boston, 1991.
[FIE94] Dennis Fiery, Secrets of a Super Hacker, Loompanics Unlimited, Port Townsend, 1994.
[MIL96] Steven Miller, Civilizing Cyberspace, Addison-Wesley, Reading, Mass., 1996.
[NII96] Office of Management & Budget, "NII Security: The Federal Role," Washington, D.C., 1 July 1996, http://www.infowar.com.
[STO95] Clifford Stoll, Silicon Snake Oil, Bantam, New York, 1995.
[STO90] Clifford Stoll, The Cuckoo's Egg, Pocket Books, New York, 1990.
[WOO97] Charles C. Wood, Computer Security, Wiley, New York, 1987.
Appendix A: Clifford Stoll and the German Hacker
"On my second day at work, Dave [Stoll's boss] wandered into my office, mumbling about a hiccup in the UNIX accounting system. Someone must have used a few seconds of computing time without paying for it. The computer's books didn't quite balance; last month's bills of $2,387 showed a 75-cent shortfall," recounts Clifford Stoll, a Lawrence Berkeley Lab astronomer, at the beginning of his book [STO90:2]. He soon tracked the 75-cent discrepancy to a mysterious hacker who entered his system through the TymNet switching system. The intruder used an old account belonging to a physicist named Joe Sventek, who was on sabbatical in England [STO90:7].
Stoll eventually discovered that this hacker had found a way to get the highest level of privileges on the system. He used a hole in the Gnu-Emacs program. At the time, this text editor was widely used in scientific circles. In fact, "Gnu-Emacs [is] more than just a text editor; it's easy to customize to your personal preferences. It's a foundation upon which other programs can be built…. Just one problem, there's a bug in that software [which] allows you to move a protected file from the protected systems area, [an area where] only the system manager is allowed. Gnu didn't check [that]. It let anyone move a file into protected systems space," Stoll writes. "The hacker knew this; we didn't" [STO90:25].
This little bug gave the hacker system privileges; in other words, he became the superuser.
"As super-user, he had the run of our system. First thing he did was erase his tracks… Then he listed the electronic mail of all our users, reading news, gossip, and love letters" [STO90:25].
"Every ten minutes, the hacker issued the command "who," to list everyone logged onto the computer. Apparently, he was worried that someone might see him connected, or might be watching" [STO90:26]. In addition, the hacker always looked for the system administrator and always checked whether the system files had been modified to track his presence. The only way Stoll could record the hacker's presence without his knowledge was to use a printer physically connected to the line, which recorded his keystrokes. Stoll's methods were revolutionary at the time, considering that most system administrators simply blocked hackers out of their systems. Stoll's idea was different: he didn't just want to delay the hacker, he wanted to catch him and stop him for good.
When the hacker entered other systems, he would do two things. First, he would either create a new account for himself or commandeer an unused account belonging to a real user. Second, he would plant a program inside the system to help him later, in case someone plugged the Gnu hole that had given him system privileges. "That morning, the hacker wrote a short program to grab privileges. Normally, UNIX won't allow such a program to run, since it never gives privileges beyond what a user is assigned. But run this program … and he'll become privileged. His problem was to masquerade this special program – the cuckoo's egg – so that it would be hatched by the system" [STO90:24]. The hacker would hide this program in an area that was open to any user but not obvious, so that he could still get root privileges if he lost his Gnu hole.
In one case, at Anniston Army Depot, Alabama, the system administrator detected the hacker but "thought that he'd thoroughly eradicated any dangerous file" [STO90:103]. Unfortunately, the Anniston administrator had missed a few files: the hacker had hidden his "egg" in a file named .d. "That .d file [which the hacker had laid as his egg] was a useful benchmark. The hacker had laid this egg on July 3, yet remembered exactly where he'd hidden three months later [when he came back to execute it]" [STO90:103].
From the beginning, Stoll wanted to track the hacker to his source. He started by personally tracking the hacker to the TymNet switching system, which allows scientists to log into distant computers with only a local phone call to their nearest TymNet switching box. The local box in northern California was in Oakland, and at the Oakland box the trail led to a telephone line. With a search warrant obtained by the LBL legal office, Stoll got the phone company to trace the hacker to a telephone line in Langley, Virginia. Stoll recounted his experience with the telephone trace: "It was hard to imagine a faster trace. I'd taken five minutes tracking the call through TymNet; it had taken Lee Cheng another seven minutes to snake through several telephone exchanges. In a shade under a quarter hour, we'd traced the hacker through a computer and two networks" [STO90:59].
However, the search warrant from California didn't hold in Virginia. Stoll wrote that the phone company technician said, "[The Virginia phone company] won't budge without a Virginia search warrant. He checked out the Virginia state law, and the hacker's committing no crime there…. Breaking into a California computer isn't a crime in Virginia" [STO90:107]. Luckily, Stoll had overheard six of the seven digits of the Virginia phone number during the trace, so he hit the phones and found that the number belonged to a defense contractor named Mitre. Stoll informed Mitre, and they promptly blocked the hacker out. (Stoll had asked Mitre to help with the trace, but they refused.) After a month or so, the hacker came directly to LBL without using the Mitre pass-through. Then Stoll and the phone company, with the help of the FBI, were able to trace the hacker through TymNet and the phone lines across the ocean. "As far as Tymnet's concerned, the hacker's coming from ITT's satellite [across the Atlantic Ocean]. But from inside of ITT's computers, we can see past their satellite link and trace the connection all the way back." [STO90:159]. Later the hacker came over the transatlantic cables rather than the satellites. "Today the hacker is coming across the number six transatlantic cable. The cable channels are less crowded. Every time you connect through a satellite there's a quarter second delay. The undersea cables don't slow down your messages as much." [STO90:203].
Finally, Stoll discovered that the hacker was coming from Germany: first from the University of Bremen, and later, when the school was closed for vacation, directly from a public dial-up in Hanover, Germany. It was extremely hard for the Bundespost, the German telephone and postal service, to track the hacker, since all of their switches were mechanical and a technician had to be physically standing next to the switching box to complete the trace. Once the Germans arrested the hacker, Markus Hess, they discovered the full scope of his plan. The plan went something like this:
"Carrying Hess’s printout, one of the Berlin hackers crossed into East Berlin and met with agents from the Soviet KGB. The deal was made: around 30,000 DM -- $18,000 – for printouts and passwords ([from] military bases and defense contractors)…. The KGB wasn’t just paying for printouts, though. Hess apparently sold their techniques as well: how to break into VAX computers; which networks to use when crossing the Atlantic; details on how Milnet operates. Even more important to the KGB was obtaining research design, computer-aided manufacturing and especially operating system software that was under US export control. They [even] offered 250,000 DM for copies of DEC VMS operating system." [STO90:325]
Apparently, Hess and his cohorts used the money to buy cocaine and to pay the phone bill for their international calls. Hess was found guilty of espionage on 15 February 1990 and received a sentence of one to two years.
In the end, the ultimate problems were not tracing the lines; instead there were two major concerns, one about the law and the other about who was supposed to enforce it. These issues are discussed in the body of my paper and constitute the bulk of my argument for an international treaty on back-hacking across international borders.
Appendix B:
The following article comes from a National Information Infrastructure report by the Office of Management and Budget which I found on the Internet.
ARGENTINEAN HACKER
In April 1996, Attorney General Janet Reno announced that [Department of Justice] was seeking the arrest of Julio Cesar Ardita, a 21-year old Argentinean university student, for breaking into computer systems belonging to the Navy, NASA, and U.S. universities. Ardita launched his attack on the Navy and NASA from pirated accounts on a Harvard University computer system. He accessed these accounts using various accounts from a service provider in Argentina. When the Navy detected the Ardita intrusion, they sought, in cooperation with the FBI, the first ever computer network (Title III) wiretap. Previous court-ordered wiretaps have authorized wiretapping of telephone lines. This order authorized an automated search of the Harvard University system. The automated nature of the search is key for two reasons. First, an automated tool was necessary to monitor and analyze the 16,000 user account activities to identify the intruder. Second, the automated search protected authorized users from "content monitoring." Content monitoring by a human or humans of the activities of the other 16,000 Harvard account holders would probably have been considered a violation of their privacy and would not have been authorized. Though charges and an arrest warrant were filed in Federal court, the alleged crimes are not covered under an extradition treaty with Argentina and could only be served if Ardita enters the United States or another country, which does recognize the alleged computer crime and that has an extradition treaty with the United States. Argentina has cooperated with U.S. authorities, has initiated its own investigation, and may file charges. This case demonstrates the nature of computer crime and the difficulties associated with apprehending a perpetrator. At the same time, it is an encouraging signal that, with the proper tools and processes, law enforcement can successfully investigate and identify intruders, and provide proper evidence for prosecution. [NII96:62, Figure 2-2-10]
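The automated, minimized search described in this report, and the intruder habits recorded in Appendix A (polling "who" every ten minutes, reading other users' mail, planting a privilege-grabbing program in an out-of-the-way directory), can be combined into one tool: it scans every account's session log, but it only surfaces the sessions that match an intruder signature, so an analyst never reads the content of the other accounts. The Python below is an added example, not the tool used in the Harvard case and not anything from this paper; the log format, the three indicator rules, the command forms they look for and the sample sessions are all constructed for illustration.

```python
"""Minimized, signature-driven search over multi-user session logs.

Added example (not the paper's or the Harvard case's tool).  Every account's
activity is scanned by the program, but only sessions that match a small set
of intruder indicators are returned, so the content of uninvolved users never
reaches a human analyst.  Log format, rules and sample data are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <account> <tty> <command line>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


def who_polling(cmds):
    """'who'/'w' issued three or more times at regular 5-15 minute intervals
    (the Appendix A habit of checking every ten minutes who is logged on)."""
    times = [t for t, c in cmds if c.split()[:1] in (["who"], ["w"])]
    if len(times) < 3:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return all(timedelta(minutes=5) <= g <= timedelta(minutes=15) for g in gaps)


def privilege_grab(cmds):
    """A copy of a shell followed by a setuid chmod: the 'cuckoo's egg'
    pattern.  The exact command forms are an assumption of this example."""
    copied = any(re.match(r"cp /bin/(sh|csh) ", c) for _, c in cmds)
    setuid = any(re.match(r"chmod (?:[ug]\+s|4[0-7]{3}) ", c) for _, c in cmds)
    return copied and setuid


def mail_sweep(cmds):
    """Reading the mail spools of three or more distinct accounts."""
    targets = set()
    for _, c in cmds:
        m = re.search(r"/usr/spool/mail/(\w+)", c)
        if m:
            targets.add(m.group(1))
    return len(targets) >= 3


INDICATORS = {
    "who-polling": who_polling,
    "privilege-grab": privilege_grab,
    "mail-sweep": mail_sweep,
}


def parse(log_text):
    """Group log lines into sessions keyed by (account, tty)."""
    sessions = defaultdict(list)
    for line in log_text.strip().splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at them
        ts, account, tty, cmd = m.groups()
        sessions[(account, tty)].append((datetime.fromisoformat(ts), cmd))
    return dict(sessions)


def screen(log_text, min_indicators=2):
    """Return {(account, tty): [indicator names]} for sessions that trip at
    least min_indicators rules.  Every other session is dropped, unread."""
    hits = {}
    for key, cmds in parse(log_text).items():
        fired = [name for name, rule in INDICATORS.items() if rule(cmds)]
        if len(fired) >= min_indicators:
            hits[key] = fired
    return hits


# Constructed sample: two ordinary users and one intruder on a dormant account.
SAMPLE_LOG = """
1986-09-02T10:00:00 alice ttyp1 who
1986-09-02T10:00:20 alice ttyp1 cd project
1986-09-02T10:01:05 alice ttyp1 make
1986-09-02T10:00:00 sventek ttyp3 who
1986-09-02T10:02:10 sventek ttyp3 cat /usr/spool/mail/root
1986-09-02T10:03:00 sventek ttyp3 cat /usr/spool/mail/alice
1986-09-02T10:04:30 sventek ttyp3 cat /usr/spool/mail/dave
1986-09-02T10:10:00 sventek ttyp3 who
1986-09-02T10:12:00 sventek ttyp3 cp /bin/sh /tmp/.d/sh
1986-09-02T10:12:30 sventek ttyp3 chmod 4755 /tmp/.d/sh
1986-09-02T10:20:00 sventek ttyp3 who
1986-09-02T10:30:00 sventek ttyp3 who
1986-09-02T11:00:00 bob ttyp2 who
1986-09-02T11:04:00 bob ttyp2 cat /usr/spool/mail/bob
1986-09-02T11:10:00 bob ttyp2 who
"""

if __name__ == "__main__":
    for (account, tty), fired in screen(SAMPLE_LOG).items():
        print(f"{account} on {tty}: {', '.join(fired)}")
```

The minimization property the Harvard order needed is in screen(): nothing from a non-matching session is retained or returned. Raising min_indicators trades missed intruders for fewer exposed sessions; on the constructed sample, even a threshold of one exposes only the intruder's session, because a single "who" or a user reading his own mail trips no rule.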
Appendix C: The Rome Labs Intrusion
"In March and April 1994, a British hacker know as "Datastream Cowboy" and another hacker called "Kuji" (hackers commonly use nicknames or "handles" to conceal their real identities) attacked Rome Laboratory’s computer system over 150 times. To make tracing their attack more difficult, the hackers weaved their way through international phone switches to a computer modem in Manhattan. The two hackers used fairly common hacker techniques, including loading "Trojan horses" and "sniffer" programs, to break into the lab’s systems. Trojan horses are programs that when called by authorized users perform unauthorized functions, often usurping the privileges of the user. They may also add "back doors" into a system which hackers can exploit. Sniffer programs surreptitiously collect information passing through networks, including user identifications and passwords. The hackers took control of the lab’s networks, ultimately taking all 33 subnetworks off-line for several days." [DiC96:7]
Eventually the hackers were able to compromise the artificial-intelligence and Air Tasking Order computers at the New York State lab. According to the official report on the incident, the Incident Support Cell (ISC) that deployed to Rome Lab on 29 March had the lab's network under control within 48 hours [AFI95:1].
Appendix D: Output from Pathfinder
"Chart Removed in HTML version."
This chart shows the output from Pathfinder, which was compiled to help AFOSI and Scotland Yard build their case against the Datastream Cowboy. The Process List shows the results of the UNIX command 'ps' on the Rome Lab computers; the last entry on the list shows Datastream's handle. Next, the program determines which of the processes belong to telnet connections; again Datastream's handle appears at the bottom of the list. Finally, the program lists the users logged onto Mindvox in Seattle, Washington. Since Mindvox was not standard UNIX, the program could not use 'finger' or 'netstat' to enumerate the users on that system, so the search stalled at the Mindvox host; the remaining entries in the table are empty for this reason. [AFI95:23]
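The hop-by-hop walk that this chart records can be written down as an algorithm: on the current host, find the intruder's login and where it came from; on that upstream host, find the session whose telnet client points back at the host just left; repeat until a host cannot be interrogated. The Python below is an added example, not Pathfinder itself and not from the Air Force report; each host is modelled by constructed 'ps' and 'who' text, and the host names, accounts and tables are made up for illustration.

```python
"""Hop-by-hop back-trace in the style of the Pathfinder output described above.

Added example, not the AFOSI tool: each host is modelled by constructed `ps`
and `who` text.  Starting from the intruder's tty on the victim, the trace
reads the originating host from `who`, then on that host looks for the
session whose telnet client points back at the victim, and repeats.  It stops
where the next host cannot be interrogated, as the real trace did at Mindvox.
Host names, accounts and tables are all made up for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    ps: str                  # constructed `ps` output: USER PID TTY COMMAND
    who: str                 # constructed `who` output: USER TTY DATE TIME (ORIGIN)
    queryable: bool = True   # False models a non-UNIX host we cannot inspect


PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(.+)$")
WHO_LINE = re.compile(r"^(\S+)\s+(\S+)\s+.*\((\S+)\)$")


def processes(host):
    """Parse the host's process list into (user, pid, tty, command) tuples."""
    rows = []
    for line in host.ps.strip().splitlines():
        m = PS_LINE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def origin_of_tty(host, tty):
    """(account, originating host) for the login on `tty`, or None."""
    for line in host.who.strip().splitlines():
        m = WHO_LINE.match(line)
        if m and m.group(2) == tty:
            return m.group(1), m.group(3)
    return None


def telnet_sessions(host):
    """(user, tty, target) for every outbound telnet client on the host."""
    out = []
    for user, _pid, tty, cmd in processes(host):
        m = re.match(r"telnet\s+(\S+)", cmd)
        if m:
            out.append((user, tty, m.group(1)))
    return out


def trace_back(inventory, victim, intruder_tty):
    """Walk upstream from (victim, tty).  Returns (hops, status) where each
    hop is (host, account, tty, origin) and status says why the walk ended."""
    hops = []
    host, tty = inventory[victim], intruder_tty
    while True:
        login = origin_of_tty(host, tty)
        if login is None:
            return hops, f"{host.name}: no login record for {tty}"
        account, origin = login
        hops.append((host.name, account, tty, origin))
        nxt = inventory.get(origin)
        if nxt is None or not nxt.queryable:
            return hops, f"stalled at {origin}: host cannot be interrogated"
        # On the upstream host, find the session telnetting into the host we
        # just left.  More than one candidate would need port-level matching.
        links = [(u, t) for u, t, tgt in telnet_sessions(nxt) if tgt == host.name]
        if len(links) != 1:
            return hops, f"stalled at {origin}: {len(links)} sessions towards {host.name}"
        host, tty = nxt, links[0][1]


# Constructed inventory: the victim, one relay we can inspect, one we cannot.
INVENTORY = {h.name: h for h in [
    Host("romelab",
         ps="""root      101 ?     telnetd
alice    1980 ttyp1 emacs report.txt
datastrm 2041 ttyp2 -csh
datastrm 2077 ttyp2 ftp""",
         who="""alice    ttyp1  Mar 29 08:02 (lab-gw)
datastrm ttyp2  Mar 29 10:21 (relay-a)"""),
    Host("relay-a",
         ps="""root       88 ?     telnetd
bob       311 ttyp1 vi notes
jsmith    340 ttyp4 -sh
jsmith    352 ttyp4 telnet romelab""",
         who="""bob    ttyp1  Mar 29 09:40 (localhost)
jsmith ttyp4  Mar 29 10:20 (mindvox)"""),
    Host("mindvox", ps="", who="", queryable=False),
]}

if __name__ == "__main__":
    hops, status = trace_back(INVENTORY, "romelab", "ttyp2")
    for host, account, tty, origin in hops:
        print(f"{host}: {account} on {tty} came from {origin}")
    print(status)
```

The walk returns the partial chain together with the reason it stopped, which is the same information the chart carries: two resolved hops and an empty third column where the non-UNIX host could not be queried. Two telnet sessions from the same relay to the same victim are reported as a stall rather than guessed at, since only port-level connection data could tell them apart.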