Chapter 5: Crime


 Intentional, unauthorized access to computer
systems
 The term has changed over time
 Phase 1: The joy of programming
 Early 1960s to 1970s
 It was a positive term
 A "hacker" was a creative programmer who wrote
elegant or clever code
 A "hack" was an especially clever piece of code

Corresponding page number: 230-231


Phase 2: 1970s to mid 1990s
 Hacking took on negative connotations
 Breaking into computers for which the hacker
does not have authorized access
 Includes the spreading of computer worms and
viruses
 Companies began using hackers to analyze and
improve security

Corresponding page number: 231-232


Phase 3: The growth of the Web and mobile devices
 Beginning in mid 1990s
 The growth of the Web changed hacking; viruses
and worms could be spread rapidly
 Political hacking (Hacktivism) surfaced
 Denial-of-service (DoS) attacks used to shut down
Web sites
 Large scale theft of personal and financial
information

Corresponding page number: 232-235


 September 19, 1996, Hackers broke into the
CIA's home page
 Changed it to read "Central Stupidity Agency"
 Added links to unethical sites


 Year 1999
 You are using Microsoft Outlook email
software.
 You receive an email from a friend.
 You open it.
 Outlook immediately sends the same email to
the first 50 people on your address book.
 They receive an email from you.
 They open it. …

 In 2000, a 15-year-old Canadian found a virus
program on the Internet.
 He ran it.
 It shut down Yahoo, eBay, Amazon, E*Trade,
Buy.com, CNN, etc.
 Cost of destruction: $1.7 billion
 Should we punish him? How?
 Should such virus programs be illegal?

Corresponding page number: 275


Hacktivism, or Political Hacking
 Use of hacking to promote a political cause, e.g.,
anti-abortion, pro-marijuana
 Disagreement about whether it is a form of civil
disobedience and how (whether) it should be
punished
 Some use the appearance of hacktivism to hide
other criminal activities
 How do you determine whether something is
hacktivism or simple vandalism?

Corresponding page number: 236-237


Hackers as Security Researchers
“White hat hackers” use their skills to
demonstrate system vulnerabilities and improve
security

Corresponding page number: 237-239


Hacking as Foreign Policy
Hacking by governments has increased
The Pentagon has announced it would consider and
treat some cyber attacks as acts of war, and the
U.S. might respond with military force.
How can we make critical systems safer from
attacks?

Corresponding page number: 239-240


Stuxnet
An extremely sophisticated worm
Targets a particular type of control system
Beginning in 2008, damaged equipment in a
uranium enrichment plant in Iran

Corresponding page number: 240


Responsibility for Security
Application developers have a responsibility to
develop with security in mind
Businesses have a responsibility to use security
tools and monitor their systems to prevent attacks
from succeeding.
Home users have a responsibility to ask questions
and educate themselves on the tools to maintain
security (personal firewalls, anti-virus and anti-spyware).

Corresponding page number: 244-245


Discussion Questions
Is hacking that does no direct damage a
victimless crime?
Do you think hiring former hackers to enhance
security is a good idea or a bad idea? Why?

Corresponding page number: 230-245


 Catching hackers
 Law enforcement agents read hacker newsletters and
participate in chat rooms undercover
 They can often track a handle by looking through
newsgroup or other archives
 Security professionals set up ‘honey pots’ which are
Web sites that attract hackers, to record and study
 Computer forensics specialists can retrieve evidence
from computers, even if the user has deleted files and
erased the disks
 Investigators trace viruses and hacking attacks by
using ISP records and router logs

Corresponding page number: 246


 Penalties for young hackers
 Many young hackers have matured and gone on to
productive and responsible careers
 Temptation to over- or under-punish
 Sentencing depends on intent and damage done
 Most young hackers receive probation, community
service, and/or fines
 Not until 2000 did a young hacker receive time in
juvenile detention

Corresponding page number: 247-248


The Law: Catching and Punishing Hackers
 Criminalize virus writing and hacker tools?

Corresponding page number: 248-249


 Your bank sends you an email.

 What should you do?


 Phishing without a lure.
 You want to go to www.yourbank.com
 Your browser goes to a DNS (domain name
server) to look up its IP address.
 It then proceeds to route your request to that
IP address.
 What if the DNS was hacked and gave your
browser an IP address pretending to be your
bank?
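
The lookup-then-connect sequence on this slide can be checked from the defender's side. The following is an added example, not part of the original slides: it compares the answers several resolvers give for www.yourbank.com against each other and against the address ranges the bank is expected to use. The resolver names, the addresses (RFC 5737 documentation ranges) and the expected network are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample: answers for www.yourbank.com from four resolvers.
# All addresses are from the RFC 5737 documentation ranges.
SAMPLE_ANSWERS = {
    "isp-resolver": ["192.0.2.10", "192.0.2.11"],
    "public-resolver-a": ["192.0.2.11", "192.0.2.10"],
    "public-resolver-b": ["192.0.2.10", "192.0.2.11"],
    "cafe-wifi-resolver": ["203.0.113.66"],  # constructed tampered answer
}
# Assumption: the networks the bank really serves from are known (pinned).
EXPECTED_NETWORKS = ["192.0.2.0/24"]


def audit_answers(answers, expected_networks):
    """Return {resolver: [reasons]} for every answer that looks tampered."""
    if not answers:
        return {}
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    # Compare as sets so round-robin record ordering is not a false alarm.
    as_sets = {name: frozenset(ipaddress.ip_address(a) for a in ips)
               for name, ips in answers.items()}
    majority, _ = Counter(as_sets.values()).most_common(1)[0]
    findings = {}
    for name, ips in as_sets.items():
        reasons = []
        if not ips:
            reasons.append("no address returned")
        outside = sorted(str(ip) for ip in ips
                         if not any(ip in net for net in nets))
        if outside:
            reasons.append("outside expected networks: " + ", ".join(outside))
        # Majority voting alone fails if every resolver is poisoned the same
        # way, which is why the pinned-network check above runs independently.
        if ips != majority:
            reasons.append("disagrees with majority of resolvers")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_answers(SAMPLE_ANSWERS, EXPECTED_NETWORKS).items():
        print(name, "->", "; ".join(reasons))
```

An answer that passes both checks is still not proof of authenticity; the browser's TLS certificate validation for the bank's hostname remains the control that stops a spoofed IP address from impersonating the site.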


 Beware of a free gift.
 You need an alarm clock on your PC.
 You download a nice free one.
 You install it.
 Hidden in the clock is a keystroke logging
program.
 It records every key that you type and sends
them to the maker of the Trojan horse.


 Thieves search the trash of banks and stores
looking for credit card numbers, debit card
numbers, and phone numbers.
 Now, businesses print only the last 4 digits of these
numbers.
 In some countries, it is illegal to print all the
digits.


Stealing Identities
 Identity Theft – various crimes in which criminals use the
identity of an unknowing, innocent person
 Use credit/debit card numbers, personal information,
and social security numbers
 18-29 year-olds are the most common victims
because they use the Web most and are unaware of
risks
 E-commerce has made it easier to steal and use card
numbers without having the physical card

Corresponding page number: 250-253


Stealing Identities
 Techniques used to steal personal and financial
information
 Requests for personal and financial information
disguised as legitimate business communication
 Phishing – e-mail
 Smishing – text messaging
 Vishing – voice phishing
 Pharming – false Web sites that fish for personal and
financial information by planting false URLs in Domain
Name Servers
 Online resumés and job hunting sites may reveal
SSNs, work history, birth dates and other information
that can be used in identity theft

Corresponding page number: 252-253


Responses to Identity Theft
 Google Chrome sometimes warns you of suspicious
websites.
 Use of encryption to securely store data, so it is useless if
stolen
 Authenticating customers to prevent use of stolen
numbers, may trade convenience for security
 In the event information is stolen, a fraud alert can flag
your credit report; some businesses will cover the cost of
a credit report if your information has been stolen

Corresponding page number: 253-256


Responses to Identity Theft
 Authenticating customers and preventing use of stolen
numbers
 Activation for new credit cards
 Retailers do not print the full card number and
expiration date on receipts
 Software detects unusual spending activities and will
prompt retailers to ask for identifying information
 Services, like PayPal, act as third party allowing a
customer to make a purchase without revealing their
credit card information to a stranger

Corresponding page number: 255-256


 Most customers using a credit card at a shop
do not want the hassles of authentication and
verification.
 Most merchants do not check signatures or
photos.
 Some merchants do not even require a
signature for small purchases.
 Some offer self-service checkout.
 Retail shops accept some losses in order to
make it more convenient for the customers.


Biometrics
 Biological characteristics unique to an individual
 No external item (card, keys, etc.) to be stolen
 Used in areas where security needs to be high, such as
identifying airport personnel
 Biometrics can be fooled, but more difficult to do so,
especially as more sophisticated systems are developed

 If a thief steals your credit card, you can get a
replacement.
 If a hacker obtains your fingerprint biometrics, …

Corresponding page number: 257-258


 People spend billions of dollars on eBay each
year.
 Some sellers do not send the items, or send inferior
products.
 Some bid on their own goods to drive up the price
 Some sell drugs without a doctor’s prescription
 Some sell copyrighted material


 eBay’s competitor
 Sends out bots (AI programs) to scan eBay
websites
 Collects a list of products and their prices
 Relists them on Bidder’s Edge at cheaper
prices.


When Digital Actions Cross Borders
 Laws vary from country to country.
 Corporations that do business in multiple
countries must comply with the laws of all the
countries involved.
 Someone whose actions are legal in their own
country may face prosecution in another country
where their actions are illegal.

Corresponding page number: 258 - 262


 Started on 5 May 2000, local time in the Philippines
 Overwrote image files
 Sent a copy of itself to the first 50 addresses in the
Windows Address Book used by Microsoft Outlook
 Within ten days, over fifty million infections had been
reported causing billions of dollars of damage
 Two young Filipino computer programmers were
arrested.
 Since there were no laws in the Philippines against
writing malware at the time, both were released with all
charges dropped by state prosecutors.
 Should police arrest the man if he visits Canada?


Yahoo and French censorship
 Display and sale of Nazi memorabilia illegal in
France and Germany
 Yahoo was sued in French court because French
citizens could view Nazi memorabilia offered on
Yahoo’s U.S.-based auction sites
 Legal issue is whether the French law should
apply to Yahoo auction sites on Yahoo’s
computers located outside of France.

Corresponding page number: 260-261


Applying U.S. copyright law to foreign companies
 Russian company sold a computer program that
circumvents controls embedded in electronic
books to prevent copyright infringement.
 Program was legal in Russia, but illegal in U.S.
 Program’s author, Dmitry Sklyarov, was arrested when he
arrived in the U.S. to present a talk on the
weaknesses in control software used in ebooks.
 After protests in U.S. and other countries, he was
allowed to return to Russia.

Corresponding page number: 261


Arresting executives of online gambling and
payment companies
An executive of a British online gambling site was
arrested as he transferred planes in Dallas. (Online
sports betting is not illegal in Britain.)
Unlawful Internet Gambling Enforcement Act
prohibits credit card and online-payment
companies from processing transactions between
bettors and gambling sites.

Corresponding page number: 262


Libel, Speech and Commercial Law
 Even if something is illegal in both countries, the
exact law and associated penalties may vary.
 In cases of libel, the burden of proof differs in
different countries.

Corresponding page number: 262-263


Libel, Speech and Commercial Law
 Libel tourism
 Traveling to places with strict libel laws in order to sue
 SPEECH Act of 2010 makes foreign libel judgments
unenforceable in the U.S. if they would violate the First
Amendment.
 Foreign governments can still seize assets
 Where a trial is held is important not just for differences in
the law, but also the costs associated with travel between
the countries; cases can take some time to come to trial
and may require numerous trips.
 Freedom of speech suffers if businesses follow laws of the
most restrictive countries.

Corresponding page number: 263-264


Libel, Speech and Commercial Law
 Some countries have strict regulations on
commercial speech and advertising.

Corresponding page number: 264


Discussion Questions
What suggestions do you have for resolving the
issues created by differences in laws between
different countries?
What do you think would work, and what do you
think would not?

Corresponding page number: 263-264


 Respecting cultural differences is not the same as
respecting laws
 Where a large majority of people in a country
support prohibitions on certain content, is it
ethically proper to abandon the basic human
rights of free expression and freedom of religion
for minorities?

Corresponding page number: 265


International agreements
 Countries of the World Trade Organization (WTO)
agree not to prevent their citizens from buying
certain services from other countries if those
services are legal in their own.
 The WTO agreement does not help when a
product, service, or information is legal in one
country and not another.

Corresponding page number: 266


Alternative principles
 Responsibility-to-prevent-access
 Publishers must prevent material or services from
being accessed in countries where they are illegal.
 Authority-to-prevent-entry
 Government of Country A can act within Country A
to try to block the entrance of material that is
illegal there, but may not apply its laws to the
people who create and publish the material, or
provide a service, in Country B if it is legal there.

Corresponding page number: 266-267
