Chapter 4-4
Hacker Crackdown

Go to Table of Contents

John Nagle read the E911 Document.  He drew his own conclusions.
And he presented Zenner and his defense team with an overflowing box
of similar material, drawn mostly from Stanford University's
engineering libraries.  During the trial, the defense team--Zenner,
half-a-dozen other attorneys, Nagle, Neidorf, and computer-security
expert Dorothy Denning, all pored over the E911 Document line-by-line.

On the afternoon of July 25, 1990, Zenner began to cross-examine
a woman named Billie Williams, a service manager for Southern Bell
in Atlanta.  Ms. Williams had been responsible for the E911 Document.
(She was not its author--its original "author" was a Southern Bell
staff manager named Richard Helms.  However, Mr. Helms should not bear
the entire blame; many telco staff people and maintenance personnel
had amended the Document.  It had not been so much "written" by a
single author, as built by committee out of concrete-blocks of jargon.)

Ms. Williams had been called as a witness for the prosecution,
and had gamely tried to explain the basic technical structure
of the E911 system, aided by charts.

Now it was Zenner's turn.  He first established that the
"proprietary stamp" that BellSouth had used on the E911 Document
was stamped on EVERY SINGLE DOCUMENT that BellSouth wrote--
THOUSANDS of documents.  "We do not publish anything other
than for our own company," Ms. Williams explained.
"Any company document of this nature is considered proprietary."
Nobody was in charge of singling out special high-security publications
for special high-security protection.  They were ALL special,
no matter how trivial, no matter what their subject matter--
the stamp was put on as soon as any document was written,
and the stamp was never removed.

Zenner now asked whether the charts she had been using to explain
the mechanics of E911 system were "proprietary," too.
Were they PUBLIC INFORMATION, these charts, all about PSAPs,
ALIs, nodes, local end switches?  Could he take the charts out
in the street and show them to anybody, "without violating
some proprietary notion that BellSouth has?"

Ms Williams showed some confusion, but finally areed that the charts were,
in fact, public.

"But isn't this what you said was basically what appeared in Phrack?"

Ms. Williams denied this.

Zenner now pointed out that the E911 Document as published in Phrack
was only half the size of the original E911 Document (as Prophet
had purloined it).  Half of it had been deleted--edited by Neidorf.

Ms. Williams countered that "Most of the information that is
in the text file is redundant."

Zenner continued to probe.  Exactly what bits of knowledge in the Document
were, in fact, unknown to the public?  Locations of E911 computers?
Phone numbers for telco personnel?  Ongoing maintenance subcommittees?
Hadn't Neidorf removed much of this?

Then he pounced.  "Are you familiar with Bellcore Technical Reference
Document TR-TSY-000350?"  It was, Zenner explained, officially titled
"E911 Public Safety Answering Point Interface Between 1-1AESS Switch
and Customer Premises Equipment."  It contained highly detailed
and specific technical information about the E911 System.
It was published by Bellcore and publicly available for about $20.

He showed the witness a Bellcore catalog which listed thousands
of documents from Bellcore and from all the Baby Bells, BellSouth included.
The catalog, Zenner pointed out, was free.  Anyone with a credit card
could call the Bellcore toll-free 800 number and simply order any
of these documents, which would be shipped to any customer without question.
Including, for instance, "BellSouth E911 Service Interfaces to
Customer Premises Equipment at a Public Safety Answering Point."

Zenner gave the witness a copy of "BellSouth E911 Service Interfaces,"
which cost, as he pointed out, $13, straight from the catalog.
"Look at it carefully," he urged Ms. Williams, "and tell me
if it doesn't contain about twice as much detailed information
about the E911 system of BellSouth than appeared anywhere in Phrack."

"You want me to. . . ."  Ms. Williams trailed off.  "I don't understand."

"Take a careful look," Zenner persisted.  "Take a look at that document,
and tell me when you're done looking at it if, indeed, it doesn't contain
much more detailed information about the E911 system than appeared in Phrack."

"Phrack wasn't taken from this," Ms. Williams said.

"Excuse me?" said Zenner.

"Phrack wasn't taken from this."

"I can't hear you," Zenner said.

"Phrack was not taken from this document.  I don't understand
your question to me."

"I guess you don't," Zenner said.

At this point, the prosecution's case had been gutshot.
Ms. Williams was distressed.  Her confusion was quite genuine.
Phrack had not been taken from any publicly available Bellcore document.
Phrack's E911 Document had been stolen from her own company's computers,
from her own company's text files, that her own colleagues had written,
and revised, with much labor.

But the "value" of the Document had been blown to smithereens.
It wasn't worth eighty grand.  According to Bellcore it was worth
thirteen bucks.  And the looming menace that it supposedly posed
had been reduced in instants to a scarecrow.  Bellcore itself
was selling material far more detailed and "dangerous,"
to anybody with a credit card and a phone.

Actually, Bellcore was not giving this information to just anybody.
They gave it to ANYBODY WHO ASKED, but not many did ask.
Not many people knew that Bellcore had a free catalog and an 800 number.
John Nagle knew, but certainly the average teenage phreak didn't know.
"Tuc," a friend of Neidorf's and sometime Phrack contributor, knew,
and Tuc had been very helpful to the defense, behind the scenes.
But the Legion of Doom didn't know--otherwise, they would never
have wasted so much time raiding dumpsters.  Cook didn't know.
Foley didn't know.  Kluepfel didn't know.  The right hand
of Bellcore knew not what the left hand was doing.  The right
hand was battering hackers without mercy, while the left hand
was distributing Bellcore's intellectual property to anybody
who was interested in telephone technical trivia--apparently,
a pathetic few.

The digital underground was so amateurish and poorly organized
that they had never discovered this heap of unguarded riches.
The ivory tower of the telcos was so wrapped-up in the fog
of its own technical obscurity that it had left all the
windows open and flung open the doors. No one had even noticed.

Zenner sank another nail in the coffin.  He produced a printed issue
of Telephone Engineer & Management, a prominent industry journal
that comes out twice a month and costs $27 a year.  This particular issue
of TE&M, called "Update on 911," featured a galaxy of technical details
on 911 service and a glossary far more extensive than Phrack's.

The trial rumbled on, somehow, through its own momentum.
Tim Foley testified about his interrogations of Neidorf.
Neidorf's written admission that he had known the E911 Document
was pilfered was officially read into the court record.

An interesting side issue came up:  "Terminus" had once passed Neidorf
a piece of UNIX AT&T software, a log-in sequence, that had been cunningly
altered so that it could trap passwords.  The UNIX software itself was
illegally copied AT&T property, and the alterations "Terminus" had made to it,
had transformed it into a device for facilitating computer break-ins.  Terminus
himself would eventually plead guilty to theft of this piece of software,
and the Chicago group would send Terminus to prison for it.  But it was
of dubious relevance in the Neidorf case.  Neidorf hadn't written the program.
He wasn't accused of ever having used it.  And Neidorf wasn't being charged
with software theft or owning a password trapper.

On the next day, Zenner took the offensive.  The civil libertarians
now had their own arcane, untried legal weaponry to launch into action--
the Electronic Communications Privacy Act of 1986, 18 US Code,
Section 2701 et seq.  Section 2701 makes it a crime to intentionally
access without authorization a facility in which an electronic communication
service is provided--it is, at heart, an anti-bugging and anti-tapping law,
intended to carry the traditional protections of telephones into other
electronic channels of communication.  While providing penalties for amateur
snoops, however, Section 2703 of the ECPA also lays some formal difficulties
on the bugging and tapping activities of police.

The Secret Service, in the person of Tim Foley, had served Richard Andrews
with a federal grand jury subpoena, in their pursuit of Prophet,
the E911 Document, and the Terminus software ring.  But according to
the Electronic Communications Privacy Act, a "provider of remote
computing service" was legally entitled to "prior notice" from
the government if a subpoena was used.  Richard Andrews and his
basement UNIX node, Jolnet, had not received any "prior notice."
Tim Foley had purportedly violated the ECPA and committed
an electronic crime!  Zenner now sought the judge's permission
to cross-examine Foley on the topic of Foley's own electronic misdeeds.

Cook argued that Richard Andrews' Jolnet was a privately owned
bulletin board, and not within the purview of ECPA.  Judge Bua
granted the motion of the government to prevent cross-examination
on that point, and Zenner's offensive fizzled.  This, however,
was the first direct assault on the legality of the actions
of the Computer Fraud and Abuse Task Force itself--
the first suggestion that they themselves had broken the law,
and might, perhaps, be called to account.

Zenner, in any case, did not really need the ECPA.
Instead, he grilled Foley on the glaring contradictions in
the supposed value of the E911 Document.  He also brought up
the embarrassing fact that the supposedly red-hot E911 Document
had been sitting around for months, in Jolnet, with Kluepfel's knowledge,
while Kluepfel had done nothing about it.

In the afternoon, the Prophet was brought in to testify
for the prosecution.  (The Prophet, it will be recalled,
had also been indicted in the case as partner in a fraud
scheme with Neidorf.)  In Atlanta, the Prophet had already
pled guilty to one charge of conspiracy, one charge of wire fraud
and one charge of interstate transportation of stolen property.
The wire fraud charge, and the stolen property charge,
were both directly based on the E911 Document.

The twenty-year-old Prophet proved a sorry customer,
answering questions politely but in a barely audible mumble,
his voice trailing off at the ends of sentences.
He was constantly urged to speak up.

Cook, examining Prophet, forced him to admit that
he had once had a "drug problem," abusing amphetamines,
marijuana, cocaine, and LSD.  This may have established
to the jury that "hackers" are, or can be, seedy lowlife characters,
but it may have damaged Prophet's credibility somewhat.
Zenner later suggested that drugs might have damaged Prophet's memory.
The interesting fact also surfaced that Prophet had never
physically met Craig Neidorf.  He didn't even know
Neidorf's last name--at least, not until the trial.

Prophet confirmed the basic facts of his hacker career.
He was a member of the Legion of Doom.  He had abused codes,
he had broken into switching stations and re-routed calls,
he had hung out on pirate bulletin boards.  He had raided
the BellSouth AIMSX computer, copied the E911 Document,
stored it on Jolnet, mailed it to Neidorf.  He and Neidorf
had edited it, and Neidorf had known where it came from.

Zenner, however, had Prophet confirm that Neidorf was not a member
of the Legion of Doom, and had not urged Prophet to break into
BellSouth computers.  Neidorf had never urged Prophet to defraud anyone,
or to steal anything.  Prophet also admitted that he had never known Neidorf
to break in to any computer.  Prophet said that no one in the Legion of Doom
considered Craig Neidorf a "hacker" at all.  Neidorf was not a UNIX maven,
and simply lacked the necessary skill and ability to break into computers.
Neidorf just published a magazine.

On Friday, July 27, 1990, the case against Neidorf collapsed.
Cook moved to dismiss the indictment, citing "information currently
available to us that was not available to us at the inception of the trial."
Judge Bua praised the prosecution for this action, which he described as
"very responsible," then dismissed a juror and declared a mistrial.

Neidorf was a free man.  His defense, however, had cost himself
and his family dearly.  Months of his life had been consumed in anguish;
he had seen his closest friends shun him as a federal criminal.
He owed his lawyers over a hundred thousand dollars, despite
a generous payment to the defense by Mitch Kapor.

Neidorf was not found innocent.  The trial was simply dropped.
Nevertheless, on September 9, 1991, Judge Bua granted Neidorf's
motion for the "expungement and sealing" of his indictment record.
The United States Secret Service was ordered to delete and destroy
all fingerprints, photographs, and other records of arrest
or processing relating to Neidorf's indictment, including
their paper documents and their computer records.

Neidorf went back to school, blazingly determined to become a lawyer.
Having seen the justice system at work, Neidorf lost much of his enthusiasm
for merely technical power.  At this writing, Craig Neidorf is working
in Washington as a salaried researcher for the American Civil Liberties Union.