== Phrack Inc. ==

                 Volume Three, Issue Thirty-five, File 5 of 13

        ______________________________________________________________
      ||                                                              ||
      ||  Don't let THIS happen to you!                               ||
      ||                                                              ||
      ||           __________                                         ||
      ||     Heh  |          |/No life, no future...                  ||
      ||    /Heh! |          0                         H S L Q I F X  ||
      ||   O      |        --|--                                      ||
      || --|--    |         / \                                       ||
      ||  / \     |        /   \                                      ||
      || /   \____|____              E  N  _  R  _  P  M  E  N  _     ||
      ||  Dale               ^                                        ||
      ||  Drew               |                                        ||
      ||              Will this be YOU?!                              ||
      ||______________________________________________________________||


The following is a reprint of the article "Sting Operations" from the book
_Dedicated Computer Crime Units_ (pages 101-103) written by J. Thomas McEwen
for the U.S. Department of Justice and published in June 1989.

If you would like to get your own FREE copy of this book, or its companion
books:

- Organizing for Computer Crime Investigation and Prosecution
- Electronic Fund Transfer and Crime
- Electronic Fund Transfer Fraud

you can contact:

U.S. Department of Justice
Office of Justice Programs
National Institute of Justice
Washington, D.C.  20531
(301)251-5500
(800)851-3420
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

                        S T I N G   O P E R A T I O N S
                        ~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~
                        Will *YOU* Be The Next Victim?!

                       Transcribed by Sovereign Immunity


ELECTRONIC BULLETIN BOARDS

An electronic bulletin board allows for the storage of information which can be
retrieved by other systems calling into the board.  It is essentially a
database maintained by a system that is accessible by others over telephone
lines.  Most bulletin boards have been created for specific purposes, usually
for the exchange of messages and information among parties with common
interests.  For example, members of computer clubs maintain bulletin boards for
communicating with each other between meetings.

Bulletin boards are especially popular among microcomputer users.
Establishment of a bulletin board is facilitated by programs that can be
purchased or obtained from public domain software.  With one of these programs,
a user can establish tailored menus for anyone dialing into the board.  These
menus will usually contain options on information about the board, bulletins,
news summaries, personal mail, conferences, and leaving messages.

In addition, most bulletin boards have different levels of access to restrict
users from certain parts of the board.  The bulletin board owner, usually
called the System Operator (SYSOP), personally establishes the authorized
access levels for each user and enters this information into the system.
Access is determined by having a user provide their name and password when
signing on to the system.  A telephone line into the system is the only other
requirement for establishing a board on a microcomputer.

Access to bulletin boards generally operates along the following lines:

- A user dials into the bulletin board.
- The board responds with a message asking for the person's name and password.
- The board then provides a menu showing the options available to the user.
- The user selects an option and starts interacting with the system.
- During a session, a user typically may read messages, leave messages,
  download files, upload files, or join a conference.
- The user eventually "quits" the session and hangs up from the board.

While most bulletin boards have been established for legitimate purposes, there
are also "pirate" or "elite" boards that contain illegal information or have
been established to advance an illegal activity.  Security on those boards is
tightly controlled by the owners.  With these bulletin boards, users usually
have to contact the owner directly to obtain a password for access to different
levels of the system.  A degree of trust must therefore be established before
the owner will allow access to the board, and the owners develop "power" over
who can use the system.

Pirate boards have been found with a variety of illegal information on them
including the following:

- Stolen credit card account numbers
- Long distance telephone service codes
- Telephone numbers to mainframe computers, including passwords and account
  numbers
- Procedures for making illegal drugs
- Procedures for making car bombs
- Hacking programs
- Tips on how to break into computer systems
- Schematics for electronic boxes (e.g., black box)

These boards obviously are a threat to communities, and their existence has
gained the attention of some police departments.


STING OPERATIONS WITH BULLETIN BOARDS

The experiences of the Maricopa County, Arizona, Sheriff's Department and the
Fremont, California, Police Department are very instructive on how local
departments can establish their own bulletin boards and become part of the
network with other boards.  Members of the Maricopa County Sheriff's Department
were the first in the country to establish such a board.  Their board resulted
in over 50 arrests with the usual charge being telecommunications fraud.

In September, 1985, the Fremont Police Department established a bulletin board
for the primary purpose of gathering intelligence on hackers and phreakers in
the area.  The operation was partially funded by VISA, Inc. with additional
support from Wells Fargo Bank, Western Union, Sprint, MCI, and ITT.

After establishing their bulletin board, they advertised it on other boards as
the newest "phreak board" in the area.  Within the first four days, over 300
calls were received on the board.  During the next three months, the board
logged over 2,500 calls from 130 regular users.  Through the bulletin board,
they persuaded these groups that they had stolen or hacked long-distance
telephone service codes and credit account numbers.  They were readily accepted
and were allowed access to pirate boards in the area.

The board was operated for a total of three months.  During that period, over
300 stolen credit card numbers and long-distance telephone service codes were
recovered.  Passwords to many government, educational, and corporate computers
were also discovered on other boards.

The operation resulted in the apprehension of eight teenagers in the area who
were charged with trafficking in stolen credit card accounts, trafficking in
stolen long-distance telephone service codes, and possession of stolen
property.  Within the next week, seven more teenagers in California and other
states were arrested on information from this operation.

It was established that this group had been illegally accessing between ten and
fifteen businesses and institutions in California.  They were regularly
bypassing the security of these systems with stolen phone numbers and access
codes.  One victim company estimated that it intended to spend $10,000 to
improve its security and data integrity procedures.  Other victimized
businesses were proceeding along the same lines.


CONCLUSIONS

There are several reasons for conducting Sting operations of this type.  One of
the most important is that it provides a proactive method of identifying
hackers and phreakers in the area.  These groups are particularly hard to find
since they operate in closed circles with personal networks developed from
friendships.

Another byproduct of these operations is the publicity surrounding the cases.
Sting operations result in considerable amount of attention from the media.
The publicity has the effect of closing down other pirate boards in the area.
One of the greatest fears of these offenders in that their systems will be
taken, and in the Fremont operation over $12,000 of computer equipment was
seized.  The publicity associated with these seizures seems to be the primary
reason for others to stop their pirate boards.

These operations also lead to other types of offenses.  In Fremont, for
example, drug and alcohol cases were developed as a result of the Sting
operation.   This has been typical of these operations.

The Sting operations with bulletin boards have been criticized because
teenagers, rather than hardened criminals, are arrested.  Many hackers believe
that they have a right to the data in other systems and that their activities
are not illegal since the companies can afford the losses.  On the other hand,
as one investigator observed, the hackers of today may be the sophisticated
computer criminals of tomorrow.  It is therefore important to set a lesson
early in their careers steering them away from these offenses.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

RESPONSE FROM A MEMBER OF THE HACKER COMMUNITY:

Now lets take a look at this article and the ignorant author J. Thomas
McEwen.

     "Pirate boards have been found with a variety of illegal
     information on them..."

The author names:

"Telephone numbers to mainframe computers" -- There is nothing illegal in
having the telephone number to a mainframe computer.  It is illegal to access a
computer without authorization.

"Procedures for making illegal drugs" -- It is NOT illegal to know how to
manufacture illegal drugs, only to actually manufacture or use them.

"Procedures for making car bombs" -- It is NOT illegal to know how to
manufacture car bombs, only to actually manufacture or use them.

"Hacking programs" -- Indeed most security companies, private security
consultants, or mainframe owners and operators use these to test their systems
very often.  It would only be illegal to use one on a machine that you are not
authorized to use it on.

"Tips on how to break into computer systems" -- Again, it is NOT illegal to
know how to break into a computer... although for a change, according to a
section of the Computer Fraud & Abuse Act of 1986 (Federal Law), it would be
illegal to traffic in passwords, codes, and theoretically any instructions that
would be the equivalent of passwords or codes for the unauthorized entry into
computer systems.

"Schematics for electronic boxes (e.g., black box)" -- This is getting boring.
It is NOT illegal to know how to build these devices, only the actual
construction or use of them is illegal.


     "These boards obviously are a threat to communities, and their
     existence has gained the attention of some police departments."

How are they obviously a threat?

The author would like us to believe that if the information on how to make
telephone devices, explosives, or narcotics is available on bulletin boards,
this is enough to make them a threat to communities.

What he ignores is that the same information can be found in public and
university libraries, text books, and technical journals;

He ignores that the mere possession of information on how a crime MIGHT be
committed is NOT a crime; and finally,

He fails to recognize any First Amendment rights whatsoever of computer
bulletin boards to have all such information to begin with.


     "It is therefore important to set a lesson early in the careers
     steering them away from these offenses."

Of course an arrest for some minor computer mischief is not going to be great
resume material when these teenagers start applying for jobs, even though the
establishment has inspired within them the socially acceptable goal of
conforming to society's expectations.


CONCLUSIONS

The author, J. Thomas McEwen, does not know much about freedom of speech and
for that matter, he does not know much about the law.  He does know a lot about
how to sensationalize very benign conduct into dangerous conspiracy.  Perhaps
he is close friends with Geraldo Rivera.

Bulletin board operators and users take note of the law and your rights.  Don't
let yourself get taken in by Sting boards or ignorant law enforcement officers
looking for some gratification on the job since they aren't getting it at home.


S o v e r e i g n   I m m u n i t y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Editor's Comments by: Dispater

Sting boards have been a popular topic in Phrack and Phrack World News over the
years.  In this file, Sovereign Immunity, showed us an excerpt that discussed a
Sting bulletin board in Fremont, California.  As it turns out, Knight Lightning
had some material about this way back in Phrack World News Issue 3 (which
actually appeared in Phrack Issue 4).  The article was titled "Phoenix
Phortress Stings 7."  There have also been many other articles in Phrack World
News about sting operations and bulletin boards.

Additionally, Phrack Issues 21-23 each carried one part of Knight Lightning's
"Vicious Circle" Trilogy.  The first two parts of which ("Shadows Of A Future
Past" and "The Judas Contract") contained a lot of material about sting boards
and informants.

Although Phrack has not presented material concerning Sting boards in Maricopa
County, Arizona, there was discussion about a bulletin board (The Dark Side) in
Arizona (602) run by "The Dictator" (Dale Drew) as a sting operation revealed
in Computer Underground Digest 3.02 and recently we heard that he was back in
action under the name "Blind Faith."

Dispater 
_____________________________________________________________________________?_