Is it worth it?
Dispelling the myths of law enforcement and hacking
A recent chat with an active web page defacer made me realize
just how naive some crackers can be about law enforcement (LE).
Despite a large amount of cases being brought against crackers
in the past, there is still an air of uncertainty and a handful
of myths lingering in their minds. The problem can be traced
back to two types of individuals.
I will touch a bit on the problem and spend the rest of this piece
trying to clear up some of the myths, as well as bring to light
new developments in law enforcement's handling of computer crime.
The first and foremost problem is uninformed individuals who
propagate (or make up) supposed facts about law enforcement procedure.
Rather than using common sense to dispel the rumor or taking a little
time to research what they say, they blindly pass on these errors and
treat them as gospel. A good example of this can be found in "Inside Happy
Hacker, Jan. 19, 1999", where Carolyn Meinel asserts "They have *not* sent
me (Carolyn) a 'target letter.' This is a letter that formally tells someone
that he or she is a suspect."
There is absolutely no foundation for this outlandish rumor.
Anyone under FBI investigation should know this. Meinel was questioned
extensively about her involvement in the defacing of the New York Times
web site. Despite this questioning and obvious investigation, she still
made this ridiculous claim. The FBI investigation went so far as to ask
her to take a polygraph test! Going against track record, Meinel did the
right thing and refused to. More on polygraphs later.
The second problem arises from those close to, or involved in an FBI
raid and investigation. After waking to gunpoint and watching agents
harass family and sometimes neighbors, they see all of their equipment
carted out the door. Inevitably, the first thing they do is call their
friends and warn them about what happened. Adrenaline still pumping,
they tend to exaggerate the events that just occurred. A question about
another cracker may lead to "Dood, Joe.. they are coming to raid you
next!" One thing often doesn't mean another.
So, let's set some minds at ease and answer questions about how law
enforcement works. Disclaimer: If anything in this article is incorrect,
please e-mail me and let me know!
The information presented here is accurate to the best of my knowledge.
I have consulted with one FBI agent and two DCIS agents to verify as
much as I could.
1. Who's investigating you?
2. LE Resources
3. The Raid
4. What are they charging me with?
5. The Polygraph
6. Copping a plea
8. Why haven't they busted me yet?
Who's investigating you?
There are at least five agencies that investigate computer crime in the
United States. For computer crimes that do not involve crossing state
lines (PBX hacking, local dialins, etc.), many state or city LE
agencies are equipped to investigate. Some state LE offices have a
dedicated officer with adequate resources to investigate with no external
help. Computer crimes that involve crossing state lines bring two more
agencies to bear.
The Federal Bureau of Investigation (FBI)
is the primary agency chartered to handle domestic
interstate computer hacking. In the late 80's and early 90's, these
investigations were handled by the Secret
Service (SS). With a few rare exceptions, the Secret Service no longer
handles computer crime investigation. Some of these exceptions are the
hacking of White House machines (unconfirmed rumor) and hacking that
involves threats to the President or other specific individuals.
The third agency that comes into play is the
Defense Criminal Investigative Service (DCIS). When hacks occur that
involve military machines (.mil), DCIS is brought in to investigate. These
agents often work closely with the FBI and have liaison agents who spend
most of their time working side by side with the FBI. DCIS agents are
gun-toting, badge-carrying, door-kicking agents just like the FBI. When
not investigating computer crime, they are responsible for most criminal
investigations that occur on US military bases.
The fourth agency is the Air Force Office of
Special Investigations (AFOSI).
Any computer intrusion into a United States Air Force machine falls into
their domain. They operate primarily out of a Washington field office, and
work with DCIS when needed.
What NASA lacks in security, they make up for in the investigative
department. National Aeronautics
and Space Administration, Office of Inspector General (NASA OIG) is a highly
regarded branch of NASA that investigates intrusions into their networks.
Considered by some investigators to be the top of the food chain, they
certainly have a large quantity of work.
If you deface a web site, any one of these (or all of them) may be
investigating you. Like many government agencies, the FBI is not well
known for inter-office communication skills. There have been times when
multiple agents investigated the same individual without knowledge of
the other. This communication problem extends to DCIS despite their
liaison agents to the FBI. Rest assured, at least one of the three does
have an investigation into the defacement.
In the past few months I have been told by several defacers "Dood,
the NSA is investigating me!" Hate to burst your bubble, but I seriously
doubt it. The National Security Agency (NSA)
does not even have the power to arrest. With a few exceptions (I imagine), they
do not carry guns and they do not spy on you every second. I will not
debate what power they do have, but those things I am pretty sure of.
Suffice it to say, even if they were keeping tabs on you and your actions,
it is the least of your worries. Any evidence they collect is not shared
with the FBI, and how it was obtained would have to be explained in court.
Do you think the NSA will admit to monitoring domestic communication over
a few web page defacements? ;)
For active defacers and crackers in the United Kingdom, you will be
investigated by the Computer Crime Unit
(CCU) at Scotland Yard.
LE Resources
On top of entire labs dedicated to investigating computer crime, most
law enforcement uses an entirely different set of resources for the
initial investigation. Unbeknownst to many active crackers, it is their
own words and actions that lead to trouble. Rather than admit they were
careless, conspiracy theory and games of "who's the narc" come up.
Law Enforcement uses the same resources you do. They view web sites that
mirror defacements. They read bugtraq and other sites that talk about
new vulnerabilities. They read hacker social lists like dc-stuff
and web based BBSs. They IRC quite frequently, and do so under fairly
innocent names. Certainly nothing that screams their real identity. Add
all of that up, and they can typically build a good profile of any given
cracker with little to no effort.
The Raid
There is nothing quite like waking up to the unfriendly barrel of a 9mm
and a large armored man pointing it at you. Equally disturbing is watching
them parade your roommate or family half naked out to a central room or
front porch while the agents secure the residence. LE raids are pretty
straightforward. They come in with a Search and Seizure warrant
that gives them the right to confiscate anything pertaining to the
investigation. This includes everything from computers, to books, to
ANY media including tapes, CDROMs, console cartridges and more. During
this process you are questioned by several agents. This is where you invoke
your right to have a lawyer present during questioning. Do not be hostile
or insulting to the agents; just give them basic information like your
name, birthdate and other vital statistics. Before they begin the search,
you should do two things. First, ask to see their identification
and verify who they are. Second, ask to see a copy of the warrant. Some
agents will not comply with either demand. Deal with it, they have guns
and bad attitudes. You cannot reason with them.
During the questioning take notes. You have the right to have pencil
and paper there, but you may not record the conversation or have a witness
present. Assume that they are recording the conversation despite what
they say. When they ask if you have any traps set to destroy computer
equipment if tampered with, tell the truth. If you do not divulge that
type of information and it results in an agent getting hurt, your life
will not be pleasant and Title 18 will be the least of your concerns.
During the raid they will use all sorts of tactics during questioning.
The familiar good cop/bad cop routine, the "let's be friends after this",
harsh and accusing, and the all time favorite, outright lying. Yes, those
oh-so-noble agents will lie to you, all the while bantering about how
important honesty is. They are not required to tell you the truth, so
don't think otherwise.
At the conclusion of the raid, you should be left with a copy of the
warrant, contact information for at least one agent, and a receipt for all
material confiscated. If you are not left with those three items, immediately
contact a lawyer and get advice on how to proceed. Despite there being
rights and laws to protect you, FBI agents often overlook them.
What are they charging me with?
As many people know, computer crime falls under Title 18 of the US Code.
For each system you intrude on, LE can charge you with at least one
(usually more) count of violating Title 18. There are adequate papers
and web pages that cover this, so I won't go into much detail. Instead,
there are two other aspects which many people aren't aware of that
are worse than Title 18. These are the laws you should truly fear.
The first is Conspiracy. If your friend defaces a web site, you
could go to jail, as scary as that may sound. Having prior knowledge of,
or being an accessory to, the crime makes you guilty of Conspiracy.
As a responsible law abiding citizen, if you have knowledge of a crime
that is about to be, or has been committed, you must report it to the
proper authorities. If you make no effort to stop the crime and at the
very least report it before it occurs, you are just as guilty as the
perpetrator of the crime. What makes this worse than Title 18 violation
is the proof. A court of law only has to establish that you knew about
the crime and did not act accordingly in order to convict you of it. One IRC
chat log, one piece of mail confiscated from a machine, or one recorded
phone call (or conference call) is all it takes.
The second set of laws you could conceivably be charged with is much more
sinister. They apply to any hacking or defacing of government or military
servers. From what I understand, DCIS agents are using this effectively
to guarantee prosecution and encourage plea bargains. Rather than charge
the cracker under US Title 18, Chapter 47, Section 1030, they revert to
US Title 18, Chapter 119, Section 2511, which covers disruption and/or
interception of communication of US Government and Military
computers. By denying service or intercepting communications to or from a
government system, you are committing a different crime than those covered
under Chapter 47. DCIS was
quite clever in using this one as it is apparently easier to prove in
The Polygraph
The polygraph test analyzes various physiological reactions to questions
asked of you. Based on these reactions, they try to determine if you are
lying. Sounds like the ultimate law enforcement tool, right? Wrong. The
courts have ruled that polygraph test results are inadmissible in court.
The FBI and other LE agencies use the poly as a guideline to help steer their
investigation. Asking someone to take one is one of many ways LE
forces people into a Catch-22 of sorts. If you take it, you can't lie
about anything. Worse, you can't get nervous, as that could affect the
results. If you decline the polygraph, the LE agency will imply or
outright accuse you of declining because of guilt. Regardless of how they
frame the request, decline all polygraphs! A polygraph can rarely
help you. Even if you did not commit a crime and say so under poly,
it will never see a court. If the LE agency chooses to bring a case against
you anyway, taking the test will not have helped.
Copping a plea
If the investigation progresses to the point of them pressing charges
against you, the prosecuting attorney and agent may approach you to
cut a deal. First and most important warning! LE Agents do NOT have the
ability to cut deals! They can recommend certain actions to the prosecution,
but have no power to cut a deal themselves.
There are two points in the investigation that LE agents may approach
you to cut a deal: before and/or after pressing charges. If an agent
comes to you promising a sweet deal without pressing charges, smile
to yourself. No charges, no reason to cut a deal. This is another ploy
used to encourage you to admit to a crime.
Once the prosecuting attorney presses charges, they may come to you
looking for you to cut a deal. One thing this will entail is admitting
to some or all of the crimes you stand accused of. Some of the other
things they may look for:
1. Admission of other crimes you haven't been accused of.
2. A list of additional systems you have or can access.
3. Cooperation in busting other individuals.
   a. Current information you possess on other cracker activity (aka narc)
   b. Gaining additional information via logged chat or recorded calls (aka informant)
It is very difficult to guess what type of punishment you can expect to get
if caught and convicted. Relevant factors that affect this are your age,
level of crime, whether you are a repeat offender, if you cut a deal
and more. Because most cracker cases never reach trial, there is little
case history to draw from to isolate any trends. For the most part,
cases end in a deal that involves little jail time, long probation,
community service and fines. If convicted, you can expect all of the above.
Why haven't they busted me yet?
One of the most often asked questions by young hackers is, "Why haven't
they raided me yet?" While this may seem like the best evidence that
they are not being investigated, it reflects a lack of understanding of
how the feds work, nothing more. Once an investigation begins, federal
agents will do as much work on the case as humanly possible without
running the chance of alerting the individual. This means that subpoenas
or anything else that could get back to the target come only when all other
resources have been exhausted. Once all of the evidence is processed and
the case formed, agents will make sure they have a solid case before moving.
Case information in hand, they take it to a judge to get a search and
seizure warrant in order to accumulate more information. Once the judge
issues this warrant, it is sometimes a matter of hours before
they execute it and knock on the door. Because of the order of events
and the way they work, it is quite likely you will not know of an
investigation until you are looking down the barrel of a gun.
"But, it's been six months since I did anything!" Another good
observation, but still naive. While the federal agents are investigating
you, they are also investigating dozens, maybe hundreds of other people.
Each agent works day to day with several cases open, contributing to
several as they make phone calls and do research. With that number of
cases, it is not uncommon for them to become backlogged. Six months? You
aren't in the clear.
Defacing a web page, especially one run by the government, is a serious
crime. With the recent rash of government/military defacements, one has to
wonder if the defacers are aware of the potential repercussions of their
actions. Is replacing a web page with a hastily written one or two line
text message worth going to jail for? No justification of 'hacktivism',
free security audit, or any other shallow attempt to justify defacing
holds up. No court will buy it, no agent will go easy on you for it.
"0wn3d by h4ckerX, fuk da gov. greetz to bob"
"hacked for my true love Meg!$!$@$"
Are either of those messages really worth rotting in jail for a year?
At the end of which you are not allowed to touch a computer or cell phone?
Did you really accomplish anything or get a message across?
I certainly think not.
Brian Martin (firstname.lastname@example.org)