Computer underground Digest    Mon, Feb 10, 1992   Volume 4 : Issue 06

       Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Associate Moderator: Etaion Shrdlu

CONTENTS, #4.06 (Feb 10, 1992)
File 1: Bust of "NotSoHumble Babe" / USA
File 2: Keystone Stormtroopers
File 3: Fine for "Logic Bomber"
File 4: Re: Newsbytes on the Oregon BBS Rates Case
File 5: Calif. "Privacy [& Computer Crime] Act of 1992"
File 6: DIAC-92 Workshop Call for Participation and Workshop Guidelines

Issues of CuD can be found in the Usenet alt.society.cu-digest news
group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG,
and DL0 and DL12 of TELECOM, on Genie, on the PC-EXEC BBS at (414)
789-4210, and by anonymous ftp from ftp.cs.widener.edu (147.31.254.132),
chsun1.spc.uchicago.edu, and ftp.ee.mu.oz.au.  To use the U. of
Chicago email server, send mail with the subject "help" (without the
quotes) to archive-server@chsun1.spc.uchicago.edu.
NOTE: THE WIDENER SITE IS TEMPORARILY RE-ORGANIZING AND IS CURRENTLY
DIFFICULT TO ACCESS. FTP-ERS SHOULD USE THE ALTERNATE FTP SITES UNTIL
FURTHER NOTICE.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted as long as the source
is cited.  Some authors do copyright their material, and they should
be contacted for reprint permission.  It is assumed that non-personal
mail to the moderators may be reprinted unless otherwise specified.
Readers are encouraged to submit reasoned articles relating to the
Computer Underground.  Articles are preferred to short responses.
Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

----------------------------------------------------------------------

Date: 8 Feb 92 17:31:39 CST
From: Moderators (tk0jut2@mvs.niu.edu)
Subject: File 1--Bust of "NotSoHumble Babe" / USA

The recent busts of three persons in the Detroit and Los Angeles areas
for alleged carding, theft, software copyright violations and fraud
raise a number of issues of CU relevance. Because of misinformation
circulating on the nature of the case, we summarize what we know of it
below.  "Amy" (handle: "NotSoHumble Babe") was busted on her birthday,
and is not untypical of many CU types, so we focus on her.

1. "Amy" was busted on Jan 30, in Farmington Hills (Mi), by local,
    state, and federal agents. There were reportedly up to 20 agents.
    The large number was because there were several from each
    department, including the FBI, SecServ, Mi State police, and
    others. They reportedly showed no warrant, but knocked on the door
    and asked if they could come in. When "Amy" said "yes," they burst
    (rather than calmly entered) with weapons, including
    "semi-automatics." Her boyfriend was reportedly asleep, and the
    agents awakened him with a gun to his head.  The agent in charge
    was Tony Alvarez of the Detroit SecServ.

2. There has been no indictment, but the agents indicated that charges
   would include theft, fraud, and copyright violations.  (software
   piracy and carding). The initial figure given was a combined $20,00
   for the three ("Amy," "Tom," and "Mike").

3. All equipment was confiscated, including "every scrap of paper in
   the house." She was informed that, whatever the outcome of the case,
   she would not receive the equipment back and that it would be kept
   for "internal use."

The above account differs dramatically from one given by "anonymous"
in "Phantasy #6," which was a diatribe against the three for
"ratting." However, the above account seems fairly reliable, judging
from a news account and a source close to the incident.

"Amy" is 27, and reported to be the head of USA (United Software
Alliance), which  is considered by some to be the current top
"cracking" group in the country. If memory serves, "ENTERPRISE BBS"
was the USA homeboard.  She was questioned for about 10 hours, and
"cooperated." She has, as of Saturday (Feb 9) *not* yet talked to an
attorney, although she was put in contact with one late Saturday. The
prosecutor in Oakland County is the same one who is prosecuting Dr.
Kevorkian (of "suicide machine" fame). He has a reputation as
excessively harsh, and his demeanor in television interviews does not
contradict this.

The other two defendants, "Mike/The Grim Reaper," and "Tom/Genesis"
are from the Detroit and Los Angeles areas.

What are the issues relevant for us?

My own radiclib concern is with over-criminalization created by
imposing a label onto a variety of disparate behaviors and then
invoking the full weight of the system against the label instead of
the behaviors. It is fully possible to oppose the behaviors while
recognizing that the current method of labelling, processing, and
punishment may not be wise. Len Rose provides an example of how
unacceptable but relatively benign behaviors lead to excessive
punishment. This, however, is a broader social issue of which
computer-related crimes is simply a symptom.

Of more direct relevance:

1. It appears that the continued use of massive force and weaponry
   continues. We've discussed this before in alluding to cases in New
   York, Illinois, Texas, and California. The video tape of the bust
   of the "Hollywood Hacker" resembles a Miami Vice episode: A
   middle-aged guy is confronted with an army of yelling weapons with
   guns drawn charging through the door.  Others on the board have
   reported incidences of being met with a shotgun while stepping out
   of the shower, a gun to the head while in bed, and (my favorite) a
   15 year old kid busted while working on his computer and the
   agent-in-charge put her gun to his head and reportedly said, "touch
   that keyboard and die." The use of such force in this type of bust
   is simply unacceptable because of the potential danger (especially
   in multi-jurisdictional busts, which reduces the precision of
   coordination) of accidental violence.

2.  Until indictments and supporting evidence are made public, we
    cannot be sure what occurred. But, it seems clear that, for
    "Amy" at least, we are not dealing with a major felon.  Carding is
    obviously wrong, but I doubt that, in situations such as this,
    heavy-duty felony charges are required to "teach a lesson," "set
    an example," and re-channel behavior into more productive outlets.

3.  We can continue to debate the legal and ethical implications of
    software piracy. There is a continuum from useful and fully
    justifiable "creative sharing" to heavy-duty predatory rip-off for
    profit. This case seems to be the former rather than the latter.
    There is no sound reason for treating extreme cases alike.

4. We should all be concerned about how LE frames and dramatizes such
   cases for public consumption. The Farmington newspaper gave it
   major coverage as a national crime of immense proportions. We
   should all be concerned about how piracy cases are handled, because
   even extreme cases have implications for minor ones. Does
   possession of an unauthorized copy of Aldus Pagemaker and Harvard
   Graphics, collectively worth more than $1,000, really constitute a
   major "theft"? We have seen from the cases of Len and Craig how
   evaluation of a product is inflated to justify indictments that
   look serious but in fact are not.

I'm not sure what purpose it serves to simply assert that people--even
if guilty of carding or piracy--should "get what's coming to them"
without reflecting on what it is they get and why.  The issue isn't
one of coddling or protecting "criminals," but to examine more
carefully what kinds of computer-related crimes should be
criminalized, which should be torts, and which should be accepted as
minor nuisances and--if not ignored--at least not criminalized.

To give the dead horse one last kick: I am not arguing that we condone
behaviors. I am only suggesting that we reflect more carefully on how
we respond to such behaviors. I do not know the circumstances of "Tom"
and "Mike," but "Amy's" case raises many issues we can address without
condoning the behavior.

------------------------------

Date: Mon, 20 Jan 92 07:56 EST
From: "Michael E. Marotta" <MERCURY@LCC.EDU>
Subject: File 2--Keystone Stormtroopers

    GRID News. ISSN 1054-9315. vol 3 nu 3            January 19, 1992.
    World GRID Association, P. O. Box 15061, Lansing, MI     48901 USA
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    (74 lines)  SPA: Jackboot Fascists or Keystone Kops?
               (C) 1992 by Michael E. Marotta

    Suddenly the doors burst open! US marshals take the Acme Inc.,
    employees by surprise!! "Nobody move! Keep your hands away from
    those keyboards!" yells the copper.  "Oh my gosh! It's the SPA!!"
    "Quick stash the disks!!"  This 50s cartoon is the cover story of
    the June 17, 1991 issue of Information Week, "The Software
    Police."  Inside is the story of the Software Publishers Associa-
    tion. There is nothing laughable about the $90,000 paid to SPA by
    IPL, the $100,000 paid by Entrix, the $17,500 paid by Healthline,
    the $350,000 paid by Parametrix. At SnapOn Tools, three US
    Marshals and an SPAer spent two days going through every one of
    280 PCs with their special audit package. Then the burden of proof
    shifted to SnapOn to produce purchase orders, manuals, invoices
    and asset tags.

    "GOVERN-MENTALITY"    The SPA claims a staff of 18 to 23 and a
    budget of $3.8 million. I had to call three times to get the free
    audit program, SPAudit.  They also offer to sell a video "It's
    Just Not Worth the Risk" for $10 but my three voicemail requests
    (Nov, Dec 91 & Jan 92) for this tape were not answered.
         People with govern-mentality are below norm and the program
    SPAudit underscores this fact.
         First of all, the README file was created with WordPerfect 5.
    Using LIST or TYPE gets you ascii garbage and uneven formatting
    amid the text.  If you want to view the README file, the
    instructions tell you:
              A) To display on screen type TYPE A:README:MORE
    which is bad documentation and doesn't work.  Hardcopy reveals the
    same problems and when you get to the bottom of the page, you find
    that the last few lines print over each other.  Apparently, the
    typist used the cursor keys to position the text, because it lacks
    some necessary LFs (ascii 0A).
         I created four dummy files 123.EXE, MSDOS.SYS, PROCOMM.EXE and
    SK.COM which are found in the PIF.TXT file of over 600 software
    names.  The files I created said:
    "The problem of copyright looks somewhat different the moment one
    accepts copying technology as uncontrollable." Michael Crichton.
         Then I made more copies at lower directory levels.  SPAudit
    was indeed able to search down eight directory sublevels to find
    copies. However, when I went to print these, the program produced
    ascii garbage.  It failed on
    C:\123\MIKE\ANOTHER\DEEPER\NEMO\PLUTO\CHIRON\DANTE\ORPHEUS being
    unable to print beyond \NEMO.
         Overall, the SPA proves itself unable to manage PC technology.
    This lack of quality is not surprising.  No matter how much you
    pay for software, you know that the seller "makes no claim of
    merchantability or fitness for a particular use..." and won't be
    liable for "direct, indirect, special, incidental or consequential
    damages arising out of the use or inability to use the software or
    documentation."  That is the disclaimer which comes with SPAudit.

    "CATCH-22"    Following SPAudit guidelines means that you can't
    have more than one copy of a program on one computer.  Also, all
    of the CARMEN SANDIEGO games run from CARMEN.EXE.  The audit
    thinks it is looking for EUROPE but will also trip on WORLD, and
    TIME, etc., meaning that you can get busted for buying more than
    one CARMEN, a catch-22.
         Also, there should be some confusion over dBase, which is no
    longer an Ashton-Tate but a Borland product.  More importantly, US
    District judge Terrence Hatter, Jr., ruled in late 1990 that the
    copyright on dBase was voided by their not revealing that it is a
    clone of a public domain program from JPL.
         Again, consider the case of SnapOn Tools. The SPA used their
    defective software to disrupt a business for two days -- and they
    have the nerve to call other people pirates.

     (GRID News is FREQable from 1:159/450, the Beam Rider BBS)

------------------------------

Date: 27 Jan 92 18:48:35 EST
From: Gordon Meyer <72307.1502@COMPUSERVE.COM>
Subject: File 3--Fine for "Logic Bomber"

"Logic Bomb Programmer Fined"
(Reprinted with permission from STReport 8.04  Jan 24, 1992)

 Michael John Lauffenburger, a 31-year-old programmer formerly with
 General Dynamics, pleaded guilty Nov. 4 to attempted computer
 tampering.  He has been fined $5,000, handed three years' probation
 and was ordered to perform 200 hours of community service for
 attempting to sabotage computers with a "logic bomb" that prosecutors
 say could have erased national security data.

 According to reports, Lauffenburger set up the logic bomb, then
 resigned, intending to get hired on as a high-priced consultant to help
 reconstruct the data lost from the billion-dollar Atlas Missile Space
 Program when the virus was unleashed.  A co-worker accidentally
 discovered the rogue program in early May. It had been set to go off
 May 24. Investigators said at the time the bomb would have caused
 about $100,000 in damage to computer systems at the Kearny Mesa
 plant.

------------------------------

Date: Fri, 07 Feb 92 06:10:49 PST
From: walter@HALCYON.COM(Walter Scott)
Subject: File 4--Re: Newsbytes on the Oregon BBS Rates Case

On 2-5-92, reporter Dana Blankenhorn released a copyrighted exclusive
story for Wendy Wood's Newsbytes covering the Oregon BBS rates case.
What follows is an abstract of that story.

Blankenhorn writes: "US West has launched a campaign before the Oregon
Public Utility Commission which would force all bulletin board systems
(BBSs) in that state to pay business rates on their phone lines." The
Newsbytes exclusive also asserts that US West "wants the Oregon PUC to
reinterpret its tariff so as to define any phone not answered by a
human voice as a business line."

Blankenhorn quotes extensively from an apparent interview with SysOp
Stewart Anthony Wagner while summarizing the chronology of events in
the case. Some folks here might find the chronology and alleged facts
to be a bit different from what has been reported in the past.

According to Blankenhorn, Portland, Oregon SysOp Tony Wagner attempted
to subscribe to extra phone lines so as to expand his BBS from 2 lines
to 4, as well as make arrangements for a TDD. It was at this point
Wagner was informed he would have to pay business rates on all lines
by US West. According to Blankenhorn, US West relented on the voice
and TDD lines while maintaining that the BBS lines would have to be
classified as business lines. Wagner filed what Blankenhorn calls an
"appeal" at the Oregon PUC "for the BBS".

Wagner is reported to have closed his BBS almost immediately because
he "can't afford it" at business rates, which Blankenhorn states to be
around $50 (presumably per month) on each line. Before closing his
system, Wagner says he alerted regional SysOps via FidoNet to his
plight.  Wagner points out that some SysOps chipped in to pay for a
lawyer. Blankenhorn quotes Wagner on a so-called "compromise proposal"
that "they (US West) come up with a residential data line rate, as an
alternate form of service." Wagner's proposal apparently included a
guarantee of data quality at a rate that Wagner seems to assess at
$5.00 above standard residential rates. Wagner asserts the proposal
was rejected.

Wagner's comments on the hearing display optimism as he offers the
thought that "the hearing went quite well.  The tariff says a
residential line is for social or domestic purpose. They ignored the
social, they talked only about domestic. The BBS is as social as you
can get."

In a series of quotes from Wagner on what he believes US West is
doing, a grim picture is painted for more than BBS operators. For
example: Wagner states "there is no question they want to apply this
to all SysOps. Their position is that if it's not answered by a human
voice, it's a business. A fax machine is a business, to them. So's an
answering machine."

Wagner spoke of what he might consider a silver lining in his cloudy
future as a SysOp when he told Blankenhorn that publicity must be bad
for US West. He reinforces this idea by noting "one thing that hurt
them (US West) badly was that they picked on me. I'm very hard of
hearing. Most of my users are disabled. A large percentage of our
SysOps here are disabled. And Mr. Holmes (US West's attorney in the
Wagner case) was unprepared for that."

Blankenhorn talked with Judith Legg in the hearings section at the
Oregon Public Utility Commission concerning the Wagner Case. He
reports Legg told him "a hearing was held on the case in January, and
US West has already submitted a 17-page brief supporting its
position." Hearings Officer Simon Fitch was attributed as informing
Newsbytes that Wagner "has until March 3 to file his own brief, after
which reply briefs will be sought from both sides." Fitch is also
reported to have said a decision in the case is due in late March or
early April with final oversight from the Commissioners.

Attempts, by Blankenhorn, to contact attorney Steven Holmes at US West
were unsuccessful. Apparently, no one else in the company was
available for comment. Thus, the Newsbytes article contained no
synopsis of US West's side of the issues in the Wagner case.
Blankenhorn left the door open to a future update by noting
information requested from US West would be reported as soon as that
information is made available to Newsbytes.

So much for the abstract...

A FEW OBSERVATIONS: It seems that Blankenhorn must not have been able
to obtain a copy of US West's brief before going to press. Otherwise,
Blankenhorn would realize, and could have noted, that US West's
comments have no impact on FAX or answering machines. BBS operation in
general, and Wagner's BBS in specific, are the myopic focus of the
brief. Blankenhorn also could have asked about and cleared up what
appears to be a discrepancy between Wagner's apparent indication that
he was running his BBS on 2 phone lines at the time he requested new
lines, and the repeated references in the US West brief to Wagner's
"3" BBS phone lines. Finally, I called Judith Legg myself on 2-6-92
and asked her about the actual timing of the hearing. She informed me
that the hearing was indeed in December. In Blankenhorn's defense,
Legg admits that she was under the mistaken impression that the
hearing took place in January, and that this is probably what she told
Blankenhorn. A check of the Oregon PUC's computerized schedules was
necessary to clarify the actual hearing date.

          Walter Scott

**
The 23:00 News and Mail Service - +1 206 292 9048 - Seattle, WA USA
                PEP, V.32, V.42bis
        +++ A Waffle Iron, Model 1.64 +++

------------------------------

Date: 22 Jan 92 19:12:22 CST
From: Jim Warren (jwarren@well.sf.ca.us)
Subject: File 5--Calif. "Privacy [& Computer Crime] Act of 1992"

 The Chair of the California State Senate, Bill Lockyer, is
 introducing what he calls "The Privacy Act of 1992."  It addresses
 computer *crime* in a robust manner, but appears to be less concerned
 with some of the more major privacy issues (e.g. personal
 data/profiles built & used by government and private corporations)
 posed during public testimony in December.  I scanned it in, OCRed
 it, proofed it, and believe this is an accurate copy of the original
 cover letter and content.  The latter has already been sent to
 Legislative Counsel (on 1/8/92).

 Please upload it and circulate it to all others who might be
 interested.  Note:  Many consider that computer legislation at the
 state level in major, "bellwether" states may/can/will provide
 models for other states and for eventual federal legislation.  Thus,
 this deserves *early* and widespread circulation, review and *public
 comment*.

 jim warren  [chair, First Conference on Computers, Freedom & Privacy, 1991]

    **********************************************************************

        ====== TEXT OF COVER-LETTER, RECEIVED JAN. 17, 1992 =====

                     California State Senate
          Bill Lockyer, Tenth [California] Senatorial District
         [Chairman, California State Senate Judiciary Committee]
                     Southern Alameda County

 January 15, 1992

 TO: Interested Parties

 FROM: Ben Firschein, Senator Lockyer's Office

 RE: Privacy legislation emerging from the interim hearing

 We have drafted language reflecting some of the suggestions made at
 the privacy hearing on December 10 [1991] and have sent it to
 Legislative Counsel.  It is likely that Senator Lockyer will
 introduce the language as a bill when it comes back from Legislative
 Counsel.

  We welcome and encourage your suggestions, comments and proposed
 amendments.  This language should be viewed as an initial proposal,
 and it is likely that it will be amended as it proceeds through the
 legislature.

  The bill as submitted to Legislative Counsel does the following:

   1. Information obtained from driver's licenses: prohibit businesses
 from selling or using for advertising purposes information obtained
 from driver's licenses without the written consent of the consumer.

   2. Automatic vehicle identification [AVI]: Require Caltrans to
 provide an opportunity to pre-pay tolls and use the facility
 anonymously.

   3. Violation of privacy of employees: language has been drafted
 based on the Connecticut statute that Justice Grodin discussed at the
 hearing. The proposed language goes further than the Connecticut
 statute in that it also extends to prospective employees.

   4. Amend Penal Code Section 502 (computer crime statute) as
follows:

      a) Extend existing law to allow recovery by any injured party,
 not just the owner or lessee of the computer.

      b) Allow recovery for any consequential or incidental damages,
 not just for expenditures necessary to verify that a computer system
 was or was not damaged.

     c) Create civil penalty of $10,000 per injured party up to a
 maximum of fifty thousand dollars for recklessly storing data in a
 manner which enables a person to commit acts leading to a felony
 conviction.  Failure to report to law enforcement a previous
 violation under the statute would be deemed to be possible evidence
 of recklessness.

     d) Require that owner or lessee of computer report to law
 enforcement any known violations of the statute involving his/her
 system.   Such reports required within 60 days after they become
 known to owner or lessee.

 Warrants for electronically stored materials: We are interested in
 working with interested parties on some of the proposals made at the
 hearing, for possible inclusion in the bill as amendments.
 Please direct your comments to:

 Ben Firschein
 Administrative Assistant
 Office of Senator Lockyer
 Room 2032 State Capitol
 Sacramento, CA 95814
 (916) 445-6671

                 ========== END OF JAN.17 COVER LETTER ==========

 <<BEWARE!  The entry following this one is about 5 print-pages long
 -- the full text of Sen. Lockyer's draft legislation that has already
 been sent to Legislative Counsel for review, apparently the final
 prerequisite to formal introduction.>>

          ====== TEXT OF LEGISLATION, RECEIVED JAN. 17, 1992 =====

 [hand-written] The people of the State of California do enact as follows:

 [hand-written] Section 1.  This Act may be cited as the Privacy Act of 1992.
 [hand-written] Section 2.  Section 1799.4 is added to the Civil Code to
 read:

 1799.4.  A business entity that obtains information from a consumer's
 driver's license or identification card for its business records or for
 other purposes shall not sell the information or use it to advertise goods
 or services, without the written consent of the consumer.

 [hand-written] Sent to Leg Counsel 1/8

 [hand-written] Section 3.  Section 502 of the Penal Code is amended to read:

   502. (a) It is the intent of the Legislature in enacting this section to
 expand the degree of protection afforded to individuals, businesses, and
 governmental agencies from tampering, interference, damage, and
 unauthorized access to lawfully created computer data and computer
 systems.  The Legislature finds and declares that the proliferation of
 computer technology has resulted in a concomitant proliferation of computer
 crime and other forms of unauthorized access to  computers, computer
 systems, and computer data.

   The Legislature further finds and declares that protection of the
 integrity of all types and forms of lawfully created computers, computer
 systems, and computer data is vital to the protection of the privacy of
 individuals as well as to the well-being of financial institutions,
 business concerns, governmental agencies, and others within this state
 that lawfully utilize those computers, computer systems, and data.

   (b) For the purposes of this section, the following terms have the
 following meanings:

   (1) "Access" means to gain entry to, instruct, or communicate with the
 logical, arithmetical, or memory function resources of a computer, computer
 system, or computer network.

   (2) "Computer network" means any system which provides communications
 between one or more computer systems and input/output devices including,
 but not limited to, display terminals and printers connected by
 telecommunication facilities.

   (3) "Computer program or software" means a set of instructions or
 statements, and related data, that when executed in actual or modified
 form, cause a computer, computer system, or computer network to perform
 specified functions.

   (4) "Computer services" includes, but is not limited to, computer time,
 data processing, or storage functions, or other uses of a computer,
 computer system, or computer network.

   (5) "Computer system" means a device or collection of devices, including
 support devices and excluding calculators which are not programmable and
 capable of being used in conjunction with external files, one or more of
 which contain computer programs, electronic instructions, input data, and
 output data, that performs functions including, but not limited to, logic,
 arithmetic, data storage and retrieval, communication, and control.

   (6) "Data" means a representation of information, knowledge, facts,
 concepts, computer software, computer programs or instructions.  Data may
 be in any form, in storage media, or as stored in the memory of the
 computer or in transit or presented on a display device.

   (7) "Supporting documentation" includes, but is not limited to, all
 information, in any form, pertaining to the design, construction,
 classification, implementation, use, or modification of a computer,
 computer system, computer network, computer program, or computer software,
 which information is not generally available to the public and is
 necessary for the operation of a computer, computer system, computer
 network, computer program, or computer software.

   (8) "Injury" means any alteration, deletion, damage, or destruction of
 a computer system, computer network, computer program, or data caused by
 the access.

   (9) "Victim expenditure" means any expenditure reasonably and necessarily
 incurred by the owner or lessee to verify that a computer system, computer
 network, computer program, or data was or was not altered, deleted,
 damaged, or destroyed by the access.

   (10) "Computer contaminant" means any set of computer instructions that
 are designed to modify, damage, destroy, record, or transmit information
 within a computer, computer system, or computer network without the intent
 or permission of the owner of the information.  They include, but are not
 limited to, a group of computer instructions commonly called viruses or
 worms, which are self-replicating or self-propagating and are designed to
 contaminate other computer programs or computer data, consume computer
 resources, modify, destroy, record, or transmit data, or in some other
 fashion usurp the normal operation of the computer, computer system, or
 computer network.

   (c) Except as provided in subdivision (h), any person who commits any of
 the following acts is guilty of a public offense:

   (1) Knowingly accesses and without permission alters, damages, deletes,
 destroys, or otherwise uses any data, computer, computer system, or
 computer network in order to either (A) devise or execute any scheme or
 artifice to defraud, deceive, or extort, or (B) wrongfully control or
 obtain money, property, or data.

   (2) Knowingly accesses and without permission takes, copies, or makes use
 of any data from a computer, computer system, or computer network, or takes
 or copies any supporting documentation, whether existing or residing
 internal or external to a computer, computer system, or computer network.

   (3) Knowingly and without permission uses or causes to be used computer
 services.

   (4) Knowingly accesses and without permission adds, alters, damages,
 deletes, or destroys any data, computer software, or computer programs
 which reside or exist internal or external to a computer, computer system,
 or computer network.

   (5) Knowingly and without permission disrupts or causes the disruption of
 computer services or denies or causes the denial of computer services to an
 authorized user of a computer, computer system, or computer network.

   (6) Knowingly and without permission provides or assists in providing a
 means of accessing a computer, computer system, or computer network in
 violation of this section.

   (7) Knowingly and without permission accesses or causes to be accessed
 any computer, computer system, or computer network.

   (8) Knowingly introduces any computer contaminant into any computer,
 computer system, or computer network.

   (d) (1) Any person who violates any of the provisions of paragraph (1),
 (2), (4), or (5) of subdivision (c) is punishable by a fine not exceeding
 ten thousand dollars ($10,000), or by imprisonment in the state prison for
 16 months, or two or three years, or by both that fine and imprisonment, or
 by a fine not exceeding five thousand dollars ($5,000), or by imprisonment
 in the county jail not exceeding one year, or by both that fine and
 imprisonment.

   (2) Any person who violates paragraph (3) of subdivision (c) is
 punishable as follows:

   (A) For the first violation which does not result in injury, and where
 the value of the computer services used does not exceed four hundred
 dollars ($400), by a fine not exceeding five thousand dollars ($5,000), or
 by imprisonment in the county jail not exceeding one year, or by both that
 fine and imprisonment.

   (B) For any violation which results in a victim expenditure in an amount
 greater than five thousand dollars ($5,000) or in an injury, or if the
 value of the computer services used exceeds four hundred dollars ($400), or
 for any second or subsequent violation, by a fine not exceeding ten
 thousand dollars ($10,000), or by imprisonment in the state prison for 16
 months, or two or three years, or by both that fine and imprisonment, or by
 a fine not exceeding five thousand dollars ($5,000), or by imprisonment in
 the county jail not exceeding one year, or by both that fine and
 imprisonment.

   (3) Any person who violates paragraph (6), (7), or (8) of subdivision (c)
 is punishable as follows:

   (A) For a first violation which does not result in injury an infraction
 punishable by a fine not exceeding two hundred fifty dollars ($250).

   (B) For any violation which results in a victim expenditure in an amount
 not greater than five thousand dollars ($5,000), or for a second or
 subsequent violation, by a fine not exceeding five thousand dollars
 ($5,000), or by imprisonment in the county jail not exceeding one year, or
 by both that fine and imprisonment.

   (C) For any violation which results in a victim expenditure in an amount
 greater than five thousand dollars ($5,000), by a fine not exceeding ten
 thousand dollars ($10,000), or by imprisonment in the state prison for 16
 months, or two or three years, or by both that fine and imprisonment, or
 by a fine not exceeding five thousand dollars ($5,000), or by imprisonment
 in the county jail not exceeding one year, or by both that fine and
 imprisonment.

   (e) (1) In addition to any other civil remedy available, any injured
 party, including but not limited to the owner or lessee of the computer,
 computer system, computer network, computer program, or data, may bring a
 civil action against any person convicted under this section for
 compensatory damages, including any consequential or incidental damages. In
 the case of the owner or lessee of the computer, computer system, computer
 network, computer program, or data, such damages may include, but are not
 limited to, any expenditure reasonably and necessarily incurred by the
 owner or lessee to verify that a computer system, computer network,
 computer program, or data was or was not altered, damaged, or deleted by
 the access.

 (2) Whoever recklessly stores or maintains data in a manner which enables
 a person to commit acts leading to a felony ["a felony" hand-written]
 conviction under this section shall be liable for a civil penalty of ten
 thousand dollars ($10,000) per injured party, up to a maximum of fifty
 thousand dollars ($50,000). Failure to report to law enforcement a
 previous violation under subsection (f) may constitute evidence of
 recklessness.

 (3) For the purposes of actions authorized by this subdivision, the
 conduct of an unemancipated minor shall be imputed to the parent or legal
 guardian having control or custody of the minor, pursuant to the provisions
 of Section 1714.1 of the Civil Code.

   (4) In any action brought pursuant to this subdivision the court may
 award reasonable attorney's fees to a prevailing party.

   (5) A community college, state university, or academic institution
 accredited in this state is required to include computer-related crimes as
 a specific violation of college or university student conduct policies and
 regulations that may subject a student to disciplinary sanctions up to and
 including dismissal from the academic institution.  This paragraph shall
 not apply to the University of California unless the Board of Regents
 adopts a resolution to that effect.

 (f) The owner or lessee of any computer, computer system, computer network,
 computer program, or data shall report to law enforcement any known
 violations of this section involving the owner or lessee's computer,
 computer system, computer network, computer program, or data.  Such reports
 shall be made within 60 days after they become known to the owner or lessee.

 (g) This section shall not be construed to preclude the applicability of
 any other provision of the criminal law of this state which applies or may
 apply to any transaction, nor shall it make illegal any employee labor
 relations activities that are within the scope and protection of state or
 federal labor laws.

 (h) Any computer, computer system, computer network, or any software or
 data, owned by the defendant, which is used during the commission of any
 public offense described in subdivision (c) or any computer, owned by the
 defendant, which is used as a repository for the storage of software or
 data illegally obtained in violation of subdivision (c) shall be subject
 to forfeiture, as specified in Section 502.01.

 (i) (1) Subdivision (c) does not apply to any person who accesses his or
 her employer's computer system, computer network, computer program, or
 data when acting within the scope of his or her lawful employment.

     (2) Paragraph (3) of subdivision (c) does not apply to any employee who
 accesses or uses his or her employer's computer system, computer network,
 computer program, or data when acting outside the scope of his or her
 lawful employment, so long as the employee's activities do not cause an
 injury, as defined in paragraph (8) of subdivision of (b), to the employer
 or another, or so long as the value of supplies and computer services, as
 defined in paragraph (4) of subdivision (b), which are used do not exceed
 an accumulated total of one hundred dollars ($100).

   (j) No activity exempted from prosecution under paragraph (2) of
 subdivision (h) which incidentally violates paragraph (2), (4), or (7) of
 subdivision (c) shall be prosecuted under those paragraphs.

   (k) For purposes of bringing a civil or a criminal action under this
 section, a person who causes, by any means, the access of a computer,
 computer system, or computer network in one jurisdiction from another
 jurisdiction is deemed to have personally accessed the computer, computer
 system, or computer network in each jurisdiction.

   (l) In determining the terms and conditions applicable to a person
 convicted of a violation of this section the court shall consider the
 following:

   (1) The court shall consider prohibitions on access to and use of
 computers.

   (2) Except as otherwise required by law, the court shall consider
 alternate sentencing, including community service, if the defendant shows
 remorse and recognition of the wrongdoing, and an inclination not to repeat
 the offense

 [hand-written] Section 4. Section 12940.3 is added to the Government Code
 to read:

 (a) Any employer, including the state and any instrumentality or political
 subdivision thereof, shall be liable to an employee or prospective
 employee for damages caused by either of the following:

 (1) subjecting the employee to discipline or discharge on account of the
 exercise by such employee of rights guaranteed by Section 1 of Article I
 of the California Constitution, provided such activity does not
 substantially interfere with the employee's bona fide job performance or
 working relationship with the employer.

 (2) Denying employment to a prospective employee on account of the
 prospective employee's exercise of rights guaranteed by Section 1 of
 Article I of the California Constitution.


 (b) The damages awarded under this Section may include punitive damages,
 and reasonable attorney's fees as part of the costs of any such action for
 damages.  If the court decides that such action for damages was brought
 without substantial justification, the court may award costs and reasonable
 attorney's fees to the employer.

 [hand-written] Section 5.  Section 27565 of the Streets and Highways Code
 is amended to read:

      27565. Automatic vehicle identification systems for toll collection
 (a) The Department of Transportation in cooperation with the district and
 all known entities planning to implement a toll facility in this state
 shall develop and adopt functional specifications and standards for an
 automatic vehicle identification system, in compliance with the following
 objectives:

 (1) In order to be detected, the driver shall not be required to reduce
 speed below the applicable speed for the type of facility being used.

 (2) The vehicle owner shall not be required to purchase or install more
 than one device to use on all toll facilities, but may be required to have
 a separate account or financial arrangement for the use of these facilities.

 (3) The facility operators shall have the ability to select from different
 manufacturers and vendors. The specifications and standards shall encourage
 multiple bidders and shall not have the effect of limiting the facility
 operators to choosing a system which is able to be supplied by only one or
 vendor.

 (b) The vehicle owner shall have the choice of pre-paying tolls, or being
 billed after using the facility.  If the vehicle owner pre-pays tolls:

 (1) The facility or the Department shall issue an account number to the
 vehicle owner. The account number shall not be derived from the vehicle
 owner's name, address, social security number, or driver's license number,
 or the vehicle's license number, vehicle identification number, or
 registration.

 (2) Once an account has been established and an account number has been
 given to the vehicle owner, neither the facility nor the Department shall
 keep any record of the vehicle owner's name, address, social security
 number or driver's license number, or the vehicle's license number,
 vehicle identification number, or registration.

 (3) The vehicle owner may make additional pre-payments by specifying the
 account number and furnishing payment.

 (c) Any automatic vehicle identification system purchased or installed
 after January 1, 1991, shall comply with the specifications and standards
 adopted pursuant to subdivision (a).

 (d) Any automatic vehicle identification system purchased or installed
 after January 1, 1993, shall comply with the specifications and standards
 adopted pursuant to subdivisions (a) and (b).

               ====== END OF LEGISLATION DRAFT ======

 [Note:  The preceding is the end-result of the draft-text.  Some of the
 document had apparently-old wording with strike-thru lines; some of it was
 underlined, apparently indicating newly-added wording.  Since there is no
 universally-accepted protocol for representing such "exotic" text-forms in
 the Barren ASCII Wasteland, the preceding text does not reflect strike-thrus
 nor underlines in the original text.  Also, the preceding reflects
 the paragraph-indenting and parenthesized section-labeling, as
 received.  It is left as "an exercise for the reader" to figure out
 its rationale.
--jim ]

 The vast majority of us would readily state that we, personally,
 "store and maintain data."  To the extent that we do so on a shared
 host, it seems like it could be applied to us, *as individuals*.
 Unless, perhaps, we stored it in encrypted form or made other
 provable efforts to protect it while it's stored on a shared system.

 Please note that this scenario equally applies to folks working on
 LAN systems at a company.

 Is this, perhaps, "overly-broad legislation"?


------------------------------

Date: Wed, 22 Jan 1992 13:59:44 CST
From: douglas%atc.boeing.com@UMCVMB.MISSOURI.EDU
Subject: File 6--DIAC-92 Workshop Call for Paraticipation and Workshop Guidelines
              Directions and Implications of Advanced Computing

                                 DIAC-92

                   Berkeley, California      May 3, 1992

                      Call for Workshop Proposals and

                       Workshop Proposal Guidelines

                            [Due Date Extended]


DIAC-92 is a two-day symposium in which the social implications of
computing are explored.  The first day (May 2, 1992) will consist of
presentations.  The second day will consist of a wide variety of
workshops.  These guidelines describe the intent for the workshops and the
manner in which they are proposed.  They are meant to augment and
supersede the information found in the Call for Papers and Participation.
The workshops are meant to be more informal than the presented papers of
the previous day.  For this reason the format for the proposals is
expected to vary.  Nevertheless there are some guidelines that we can
offer that will help ensure a successful workshop.

The proposal should include the title, author's name, affiliation, and
electronic mail address at the beginning. All workshop proposals will be
included in the proceedings.  The workshop proposal should be 1 - 8 pages
in length.  The desired range of attendees (smallest number - largest
number) should be included.  All workshops will be two hours in length with
a short break 1/2 way through.  It is possible to schedule two related
workshops back to back, say "Introduction to Something" and "Advanced
Something".  If this is the case please submit two separate proposals but
state that they are related.

There are four major concerns for the workshops which should be
addressed in the proposal.

1. Intellectual Content
   The intellectual content of the workshop should be made clear.
   What is the focus on the workshop?  What are the relevant social
   issues? What relevant research exists already on the topic?  Who
   is the intended audience?  The topic should have a qualitative
   computing element in it.

2. Structure
   There should be some structure to the workshop.  It can be quite
   loose and flexible but it shouldn't be completely open.  The
   amount of structure will vary according to the topic at hand, the
   intended goals, the personalities of the audience and the organizers,
   etc. The proposal should describe the structure of the
   workshop.

3. Interactivity
   The workshop should be interactive.  The workshop should be
   designed in such a way to promote meaningful interaction between
   the organizer or organizers and the attendees.  Because there is
   group interaction it is hoped that more points will be raised,
   more issues considered, and deeper analysis performed.  The
   methods of interaction should be described in the proposal.

4. Product or action oriented
   Ideally the workshop should result in some product or plan for
   action.  Although this aspect is not critical, the program
   committee feels that this is quite important and we hope that
   workshop organizers will think in these terms and strive to
   promote an appropriate outcome.  Possible "deliverables" are
   described below.


               Possible Output From a DIAC-92 Workshop

  + Statements or press releases
  + Bibliography on subject matter
  + Electronic distribution list on the subject
  + Ideas for a follow up meeting, workshop, or conference
  + List of possible projects on the subject
  + Writeup of meeting for electronic or print dissemination
  + A project proposal
  + A panel discussion proposal
  + A grant proposal
  + An experiment
  + A working agreement -- e.g. to connect two networks, to share
    data, to begin a study, to write an article, to build software
    jointly, etc.
  + A videotape of some or all of a workshop
  + A brainstormed list of viewpoints, a "semantic network" of the
    issues
  + A list of hypotheses
  + Any plan to continue discussion on the topic

Please send proposal (four copies) to Doug Schuler, 2202 N. 41st St,
Seattle, WA, 98103.   Proposals are due by March 1, 1992.  Proposals
will be reviewed by the program committee.  Acceptance or rejection
notices will be mailed by April 1, 1992.  We plan to incorporate
workshop proposals into the proceedings.  Please contact us if you
have any questions or comments.

Doug Schuler, 206-865-3832 (work), 206-632-1659 (home),
dschuler@june.cs.washington.edu

The program committee includes David Bellin (consultant), Eric Gutstein (U.
WI), Batya Friedman (Mills College), Jonathan Jacky (U. WA), Deborah
Johnson (Rensselaer Polytechnic Inst.), Richard Ladner (U. WA), Dianne
Martin (George Washington U.), Judith Perrolle (Northeastern U.), Marc
Rotenberg (CPSR), Douglas Schuler (Boeing Computer Services), Barbara
Simons (IBM), Lucy Suchman (Xerox), Karen Wieckert (U. CA. Irvine), and
Terry Winograd (Stanford).


   Sponsored by Computer Professionals for Social Responsibility
                           P.O. Box 717
                       Palo Alto, CA  94301

DIAC-92 is co-sponsored by the American Association for Artificial
Intelligence, and the Boston Computer Society Social Impact Group, in
cooperation with ACM SIGCHI and ACM SIGCAS.

------------------------------

End of Computer Underground Digest #4.06
************************************