From: Tim Scanlon <tfs@adsl-122.cais.com>
Date: Sat, 30 Nov 1996 22:55:00 -0800 (PST)
To: cypherpunks@toad.com
Subject: Punative Seizure was: Re: denial of service and ...
Message-ID: <9612010654.AA08123@adsl-122.cais.com>
MIME-Version: 1.0
Content-Type: text



Tired.Fighter@dhp.com wrote:
> 
> 
> This thread is probably already due for a change in
> the Subject line, but I'll leave it untouched for 
> the moment.

I changed it, because I'm very familiar with what's being discussed.
I also snipped huge chunks, but tried to leave the salient stuff.
  
> On 30 Nov 96 at 13:10, Black Unicorn wrote:
> > On Fri, 29 Nov 1996, Greg Broiles wrote:
> > 
> > > I don't see any reason why this wouldn't be true for a
> > > computer. Fed.Rul.Crim.Pro. 41(b)(1) allows the seizure 
> > > (but seizure is not forfeiture) of "property that 
> > > constitutes evidence of the commission of a
> > > criminal offense". 
> [....] 
> > Recall also that Ripco was never specifically charged 
> > (or the minor charges that they did try to pin didn't 
> > stick).
> > Also recall that Ripco (now ripco.com) was raided with a
> > -sealed- warrant. I dont think that the contents of that 
> > warrant have, even today, been released (though I could 
> > be mistaken).  Certainly 5 years after they had not.
> [....]

Yes, it was & is sealed, the justification being that the 
investigation was "ongoing". The whole thig was weak & shameless,
but it works for the feds. Never mind that it's total & utter bullshit.


> > > But there's a big difference between "seizure" and 
> > > "forfeiture".

Not really. Only technicly. The technique used by LEO's is one that is
known as "Punative Seizure", and is well known in the Computer Underground.
It's standard practice for LEO's to engage in seizure of computer 
equipment and just to keep it. Much of the time it is accompanied with
an explicit and literal threat of prosecution if the unindited suspect
asks for the equipment back. It's cheaper than prosecuting, easier to
accomplish, and often achives the goal of "taking the bad guy off the 
street" without resort to such niceties as having a case that would
hold the moisture of a drop of spit.

It is such common practice, that most hackers who have been around for
even short lengths of time are very familiar with the practice. In cases
involving juviniles, it's a very effective technique. In those specific
types of incidents the drill is as follows:

Suspect "H", a 15 year old male, living at home with his parents, does
something to bring him under suspicion that he is involved in computer
fraud. Incidents are ongoing and seem to point to the suspect, local
or federal agents become interested in the suspect due to information
provided by a C.I. So they go fishing, and seize his equipment.

Seizure is accompanied in concert with several other actions and goals,
One of which is to explore the contents of the computer for further
evidence of wrongdoing. Since aquiring search warrents for such actions
are notoriously broad and relativly easy to come by, this is an effective
technique. The seizure usualy is stratigicly done to minimize parental
involvment and possible protections, in order to give investigators time
alone with the juvinile suspect to question him without the intervention
of his guardians. Basicly they want Mom or Pop out of the picture long 
enough to pump the kid for info before the parents can insist on
legal counsel. Obviously they use whatever info they can get...
	Keep in mind a poorly socialized, but bright, teenager is likely
to be a rather talkative target and an easy mark for interrogatory
techniques. "We find they want to talk, and often brag about their
exploits" is such a well worn quote, that I'd have to attribute it
to about 7 sources if I tried... You can extrapolate on this.

The next stage is threats to the parents of the juvinile, usualy big
federal time, that sort of thing, to try to terroroize them into
insisting on little Johnny's co-operation. Usualy this is done without
the advice of counsel if the feds can pull it off. There's a tradition
of inflating numbers far beyond anything rational, so the "damages" are
insanely high, and markedly fictional to anyone who knows how to cost
such stuff out. It's in the favor of everyone involved to 'play ball'
on cost inflation, for a multitude of reasons. Again, you can extrapolate
why. The E911 case is a great example of fictional cost inflation.

At that point they have Johnny under the gun, the parents terrorized,
and can either work that for further co-operation, or let the kid
dangle for a few years & pretty much make sure he never sees a computer.
What can I say, it works for them. Don't expect them to care any,
they've accomplished their goals. Quite often, as I have said, they
will explicitly say "Don't ask for your stuff back or we'll charge you".
(And YES that is a direct quote given to me on more than one occasion
by people who've had such encounters.)

In the case of adult individuals, the setup is nearly the same, wether
it is a consultant running a small buisness, or a college student. The
only big differences are threats to reputation, either academicly, or
in the community at large. After all, once branded an 'evil hacker' by
the police or media, what company would do buisness with such a 
scoundrel. Never mind wether or not they have a thing to do with
computer security, that part's utterly irrelivant. In the case of
college students, usualy it's a threat of expusion & prosecution etc.
Obviously techniques vary. But one thing is clear, there's plenty
of "examples" that have been made to terrorize people. I'm sure
you can think of a few, and probably will sit there and go 'yea but
he deserved it...' Well, when you think that I suggest very strongly that
you rethink it, and consider that perhaps you don't have all, or even
any, facts that have not been spun and spoon fed to you.  

The nuber of such punative seizures that I am aware of runs into
the hundreds.

> 
> And it sums to a very bleak picture, indeed.
> 
Bleak? heh, get used to it. Hell, this is so damned common that
it's made it into comic books as a normal operative procedure.
Look in "The Hacker Files" to find it. It's a comic book put out
in 1993 by D.C. Comics, and in the Jan issue, Vol 6, Page 14-15
you can see  exactly what I'm referencing. Obviously this is not
something new.

This is why the guidelines that were procured via FOIA by EPIC are
so important. Hell, look at the 2600 pentagon-city case for some
real chilling stuff. The Secret Service mounted what amounts to a
covert operation against attendee's at a 2600 meeting at a mall
in Northern Virginia. 

In any case, the search guidelines are pretty important, so is
the Steve Jackson Games case when it comes to ISP/Web Site providers
and the like. As is the ECPA, as it relates to individuals and 
service providers. There is substantive law on this stuff, you just
have to dig a bit to find it. Some of these "high profile examples" 
didn't work out too damned well cause of organizations like the EFF
& later on EPIC and the ACLU. 

Pardon me if I don't seem alarmed or appropriatly indignant, but I've
long since gotten used to getting calls as 4 am from some poor fucking
kid who's had his life ripped to shreds because he was doing something
relativly innocuous but altogether stupid and disruprive enough to
have him attract attention. Much less having similar calls from peoples
counsels who have no freaking clue how to proceed in defending their
clients. 

As for this type of activity from LEO's? Get used to it, this is how
it's done in America. I'm totaly sure that there's going to soon be
some poor freaking ISP out there who's going to be hit with very 
similar techniques, and in all probability prosecuted to provide
an example or 2. They need a few good examples for ISP's really,
there arn't enough right now. And, I am equaly sure that there's been
some quiet seizures & returns with deals involving "co-operation" 
of ISP's for warez and the like. 

I sure as hell have a very hard time beliving that Sameer and everyone
else who got hit with him by the SPA and their fucking goons were 
unique. I suspect they were to be an "example" however, as the SPA
has a traditional role of both being stooges & goons for Federal Law
Enforcment, and an appropriately one-step-removed publicity outlet. 
The SPA is much like what "railroad security" was in the 1800's,
basicly a private police force that operates allmost outside the law.

As to what anyone can do? Well not much, from what I've seen. It's
just not trendy to defend individual civil liberties, the EFF tossed
in the towel in favor of Telco donations. EPIC is doing a good job
with the resources they have, they could use some serious donations,
and it would be money well spent. Beyond that you have the ACLU, and
that's pretty much it. Too many software and hardware corporations
lost any moral compass at the end of the 80's and in the early 90's,
and don't consider such things to be a neccesary part of their world.
It's hard to compete with guys in black suits who wave the flag allot
and mutter about secrecy and such things. They're the same damned
bunch that want us all to have GAK too, so don't think you're somehow
immune cause you arn't a "hacker". You may soon be a 
"pirate cryptographer", and find yourself in the company of child
pornographers and terrorists. (What? Oh you've noticed you allready ARE?,
well, get used to it, it's only gonna get louder. First they came for
the hackers, now it's your turn.) 


Tim