[This was originally published on Hacker News Network (HNN) and mirrored on attrition.org.]
Is it worth it?
Dispelling the myths of law enforcement and hacking
A recent chat with an active web page defacer made me realize just how naïve some crackers can be about law enforcement (LE). Despite a large amount of cases being brought against crackers in the past, there is still an air of uncertainty and a handful of myths lingering in their minds. The problem can be tracked back to two types of individuals that contribute to the problem. I will touch a bit on the problem and spend the rest of this piece trying to clear up some of the myths, as well as bring to light new developments in law enforcement’s handling of computer crime.
The first and foremost problem is uninformed individuals that propagate (or make up) supposed facts about law enforcement procedure. Rather than using common sense to dispel the rumor or taking a little time to research what they say, they blindly pass on errata and treat it as gospel. A good example of this can be found in “Inside Happy Hacker, Jan. 19, 1999”, where Carolyn Meinel asserts “They have *not* sent me (Carolyn) a “target letter.” This is a letter that formally tells someone that he or she is a suspect.” There is absolutely no foundation for this outlandish rumor. Anyone under FBI investigation should know this. Meinel was questioned extensively about her involvement in the defacing of the New York Times web site. Despite this questioning and obvious investigation, she still made this ridiculous claim. The FBI investigation went so far as to ask her to take a polygraph test! Going against track record, Meinel did the right thing and refused to. More on polygraphs later.
The second problem arises from those close to, or involved in an FBI raid and investigation. After waking to gunpoint and watching agents harass family and sometimes neighbors, they see all of their equipment carted out the door. Inevitably, the first thing they do is call their friends and warn them about what happened. Adrenaline still pumping, they tend to exaggerate the events that just occurred. A question about another cracker may lead to “Dood, Joe.. they are coming to raid you next!” One thing often doesn’t mean another.
So, let’s set some minds at ease and answer questions about how law enforcement works. Disclaimer: If anything in this article is incorrect, please e-mail me and let me know! The information presented here is accurate to the best of my knowledge. I have consulted with one FBI agent and two DCIS agents to verify as much as I could.
1. Who's investigating you?
2. LE Resources
3. The Raid
4. What are they charging me with?
5. The Polygraph
6. Copping a plea
8. Why haven't they busted me yet?
Who’s investigating you?
There are at least five agencies that investigate computer crime in the United States. For computer crimes that do not involve crossing state lines (PBX hacking, local dialins, etc), many state or city LE agencies are equipped to investigate. Some state LE offices have a dedicated officer with adequate resources to investigate with no external help. Computer crimes that involve crossing state lines brings two more agencies to bear.
The Federal Bureau of Investigation (FBI) is the primary agency chartered to handle domestic interstate computer hacking. In the late 80’s and early 90’s, these investigations were handled by the Secret Service (SS). With a few rare exceptions, the Secret Service no longer handles computer crime investigation. Some of these exceptions are the hacking of White House machines (unconfirmed rumor) and hacking that involves threats to the President or other specific individuals.
The third agency that comes into play is the Defense Criminal Investigative Service (DCIS). When hacks occur that involve military machines (.mil), DCIS is brought in to investigate. These agents often work closely with the FBI and have liaison agents that spends most of their time working side by side with the FBI. DCIS agents are gun toting, badge carrying, door kicking agents just like the FBI. When not investigating computer crime, they are responsible for most criminal investigations that occur on US Military bases.
The fourth agency is the Air Force Office of Special Investigations (AFOSI). Any computer intrusion into a United States Air Force machine falls into their domain. They operate primarily out of a Washington field office, and work with DCIS when needed.
What NASA lacks in security, they make up for in the investigative department. National Aeronautics and Space Administration, Office of Inspector General (NASA OIG) is a highly regarded branch of NASA that investigates intrusions into their networks. Considered by some investigators to be the top of the food chain, they certainly have a large quantity of work.
If you deface a web site, any one of these (or all of them) may be investigating you. Like many government agencies, the FBI is not well known for inter office communication skills. There have been times when multiple agents investigated the same individual without knowledge of the other. This communication problem extends to DCIS despite their liaison agents to the FBI. Rest assured, at least one of the three does have an investigation into the defacement.
In the past few months I have been told by several defacers “Dood, the NSA is investigating me!” Hate to burst your bubble, but I seriously doubt it. The National Security Agency (NSA) does not even have the power to arrest. With a few exceptions (I imagine), they do not carry guns and they do not spy on you every second. I will not debate what power they do have, but those things I am pretty sure of. Suffice it to say, even if they were keeping tabs on you and your actions, it is the least of your worries. Any evidence they collect is not shared with the FBI, and would have to be explained in court how it was obtained. Do you think the NSA will admit to monitoring domestic communication over a few web page defacements? 😉
For active defacers and crackers in the United Kingdom, you will be investigated by the Computer Crime Unit (CCU) at Scotland Yard.
On top of entire labs dedicated to investigating computer crime, most law enforcement uses an entirely different set of resources for the initial investigation. Unbeknownst to many active crackers, it is their own words and actions that lead to trouble. Rather than admit they were careless, conspiracy theory and games of “who’s the narc” come up.
Law Enforcement uses the same resources you do. They view web sites that mirror defacements. They read Bugtraq and other sites that talk about new vulnerabilities. They read hacker social lists like dc-stuff and web based BBSs. They IRC quite frequently, and do so under fairly innocent names. Certainly nothing that screams their real identity. Add all of that up, and they can typically build a good profile of any given cracker with little to no effort.
There is nothing quite like waking up to the unfriendly barrel of a 9mm and large armored man pointing it at you. Equally disturbing is watching them parade your roommate or family half naked out to a central room or front porch while the agents secure the residence. LE raids are pretty straight forward. They come in with a Search and Seizure warrant that gives them the right to confiscate anything pertaining to the investigation. This includes everything from computers, to books, to ANY media including tapes, CDROMs, console cartridges and more. During this process you are questioned by several agents. This is where you invoke your right to have a lawyer present during questioning. Do not be hostile or insulting to the agents, just give them relevant information like name, birthdate and vital information. Before they begin the search, you should do two things. First, ask to see their identification and verify who they are. Second, ask to see a copy of the warrant. Some agents will not comply with either demand. Deal with it, they have guns and bad attitudes. You cannot reason with them.
During the questioning take notes. You have the right to have pencil and paper there, but you may not record the conversation or have a witness present. Assume that they are recording the conversation despite what they say. When they ask if you have any traps set to destroy computer equipment if tampered with, tell the truth. If you do not divulge that type of information and it results in an agent getting hurt, your life will not be pleasant and Title 18 will be the least of your concerns.
During the raid they will use all sorts of tactics during questioning. The familiar good cop/bad cop routine, the “let’s be friends after this“, harsh and accusing, and the all time favorite, outright lying. Yes, those oh-so-noble agents will lie to you, all the while bantering about how important honesty is. They are not required to tell you the truth, so don’t think otherwise.
At the conclusion of the raid, you should be left with a copy of the warrant, contact information for at least one agent, and a receipt for all material confiscated. If you are not left with those three items, immediately contact a lawyer and get advice on how to proceed. Despite there being rights and laws to protect you, FBI agents often overlook them.
What are they charging me with?
As many people know, computer crime falls under US Title 18 code. For each system you intrude on, LE can charge you with at least one (usually more) count of violating Title 18. There are adequate papers and web pages that cover this, so I won’t go into much detail. Instead, there are two other aspects which many people aren’t aware of that are worse than Title 18. These are the laws you should truly fear.
The first is Conspiracy. If your friend defaces a web site, you could go to jail as scary as it may sound. Having prior knowledge of, or being an accessory to the crime makes you guilty of Conspiracy. As a responsible law abiding citizen, if you have knowledge of a crime that is about to be, or has been committed, you must report it to the proper authorities. If you make no effort to stop the crime and at the very least report it before it occurs, you are just as guilty as the perpetrator of the crime. What makes this worse than Title 18 violation is the proof. A court of law only has to establish that you knew about the crime and did not act accordingly in order to convict you of it. One IRC chat log, one piece of mail confiscated from a machine, or one recorded phone call (or conference call) is all it takes.
The second set of laws you could conceivably be charged with is much more sinister. They apply to any hacking or defacing of government or military servers. From what I understand, DCIS agents are using this effectively to guarantee prosecution and encourage plea bargains. Rather than charge the cracker with US Title 18, Chapter 47, 1030, they revert to US Title 18, Chapter 119, 2511, which covers disruption and/or interception of communication of US Government and Military computers. By denying service or intercepting communications to or from a government system, you are committing a different crime than those covered under Chapter 47. DCIS was quite clever in using this one as it is apparently easier to prove in court.
The Polygraph test analyzes various physiological reactions to questions asked of you. Based on these reactions, they try to determine if you are lying. Sounds like the ultimate law enforcement tool right? Wrong. The courts have ruled that polygraph test results are inadmissible in court. The FBI and other LEs use the poly as a guideline to help steer their investigation. Asking someone to take one is one of many ways LE forces people into a Catch-22 of sorts. If you take it, you can’t lie about anything. Worse, you can’t get nervous as that could affect the results. If you decline the polygraph, the LE agency will imply or outright accuse you of declining because of guilt. Regardless of their request, decline all polygraph requests! A polygraph can rarely help you. Even if you did not commit a crime and say so under poly, it will never see a court. If the LE chooses to bring a case against you anyway, taking the test will not have helped.
Copping a plea
If the investigation progresses to the point of them pressing charges against you, the prosecuting attorney and agent may approach you to cut a deal. First and most important warning! LE Agents do NOT have the ability to cut deals! They can recommend certain actions to the prosecution, but have no power to cut a deal themselves.
There are two points in the investigation that LE agents may approach you to cut a deal: before and/or after pressing charges. If an agent comes to you promising a sweet deal without pressing charges, smile to yourself. No charges, no reason to cut a deal. This is another ploy used to encourage you to admit to a crime.
Once the prosecuting attorney presses charges, they may come to you looking for you to cut a deal. One thing this will entail is admitting to some or all of the crimes you stand accused of. Some of the other things they may look for:
- 1. Admission of other crimes you haven’t been accused of.
- 2. A list of additional systems you have or can access.
- 3. Cooperation in busting other individuals.
- –a. Current information you possess on other cracker activity (aka narc)
- –b. Gaining additional information via logged chat or recorded calls. (aka informant)
It is very difficult to guess what type of punishment you can expect to get if caught and convicted. Relevant factors that affect this are your age, level of crime, whether you are a repeat offender, if you cut a deal and more. Because most cracker cases never reach trial, there is little case history to draw off and try to isolate any trends. For the most part, cases end in a deal that involves little jail time, long probation, community service and fines. If convicted, you can expect all of the above.
Why haven’t they busted me yet?
One of the most often asked questions by young hackers is, “Why haven’t they raided me yet?” Seemingly the best evidence to support the theory that they are not being investigated, it is a lack of understanding on how the feds work, nothing more. Once an investigation begins, federal agents will do as much work on the case as humanly possible without running the chance of alerting the individual. This means that subpoenas or anything else that could get back to the target comes when all other resources have been exhausted. Once all of the evidence is processed and the case formed, agents will make sure they have a case.
Case information in hand, they take it to a judge to get a search and seizure warrant in order to accumulate more information. Once the judge issues this warrant, it is sometimes a matter of hours before they execute it and knock on the door. Because of the order of events and the way they work, it is quite likely you will not know of an investigation until you are looking down the barrel of a gun.
“But, it’s been six months since I did anything!” Another good observation, but still naïve. While the federal agents are investigating you, they are also investigating dozens, maybe hundreds of other people. Each agent works day to day with several cases open, contributing to several as they make phone calls and do research. It is not uncommon that with the amount of cases, they become backlogged. Six months? You aren’t in the clear.
Defacing a web page, especially one run by the government, is a serious crime. With the recent rash of government/military defacements, one has to wonder if the defacers are aware of the potential repercussions of their actions. Is replacing a web page with a hastily written one or two line text message worth going to jail for? No justification of ‘hacktivism’, free security audit, or any other shallow attempt to justify defacing holds up. No court will buy it, no agent will go easy on you for it.
"0wn3d by h4ckerX, fuk da gov. greetz to bob"
"hacked for my true love Meg!$!$@$"
Are either of those messages really worth rotting in jail for a year? At the end of which you are not allowed to touch a computer or cell phone? Did you really accomplish anything or get a message across?
I certainly think not.