Viruses

Richard Butt

The differences between the facts and myths of viruses will be explored. The most popular viruses of the past few years will be discussed. As a practical matter, suggestions on how to deal with the "threat" of viruses will be presented. Further, recent cases involving liability of BBS providers to users regarding the spread of viruses will also be analyzed in conjunction with the issue of damages. Finally, predictions of the future development of viruses and their solutions will also be discussed.


Links

www.bocklabs.wise.edu

www.stiller.com

www.datafellows.com

www.symantec.com

www.mcafee.com





Computer Viruses and You
Introduction
One only needs to search the Internet using any search engine with the key words "computer virus" to realize that the subject of computer viruses is of great importance to many computer users. For example, a search using Alta Vista within the scope of the entire Internet utilizing the term "computer virus" produced more than a thousand hits. In the last five years there has been a proliferation of computer users reaching out beyond their own individual computer. A steadily increasing number of computer users have begun utilizing the Internet and electronic mail to both consume and produce information.
In fact, an entire software aisle in a typical computer superstore is dedicated to virus detectors and virus eradicators.

What Is a Virus?
In the traditional sense, according to the American Heritage Dictionary, a virus is defined as "any of various submicroscopic pathogens consisting essentially of a core of a single nucleic acid surrounded by a protein coat, having the ability to replicate only inside a living cell." A computer virus is much harder to define because computer viruses can materialize in many different forms and under many different environments. Fred Cohen, a renowned virus expert, defines a computer virus as "a computer program that can infect other computer programs by modifying them in such a way as to include a (possibly evolved) copy of itself." Cohen's computer virus definition is very broad and technically also encompasses running "DISK COPY" under DOS. Most people would agree that a more contemporary definition of a computer virus is a self-replicating program containing code that explicitly copies itself and that can infect other programs by modifying them or their environment such that a call to an infected program implies a call to a possibly evolved copy of the virus. The addition of the term "explicitly copies" narrows Cohen's broad definition. In common usage, a computer virus encompasses any such program that tries to hide its malicious function and/or tries to spread onto as many computers as possible. Some of these mislabeled computer viruses may more accurately be classified as "worms" or "trojan horses".
A computer worm is usually defined as a self-contained program which is able to spread functional copies of itself to other computer systems. Accordingly, these copies can also spread other functional copies. A major difference between computer viruses and worms is that worms do not need to attach themselves to host programs.
As a general definition, a trojan horse is a program that completes a function that the programmer intended but that the user would not approve of if the user knew about it. There are differing opinions as to which category the trojan horse belongs to. For example, some people define a trojan horse as a particular type of virus which can spread to other programs. However, other people define trojan horses as non-replicating malware and not viruses at all.
There are two main types of viruses. The first type are called FILE INFECTORS, and the second type are called SYSTEM INFECTORS. These two types of viruses have unique characteristics.
FILE INFECTORS attach themselves to ordinary program files. By definition, they usually infect selected COM and/or EXE programs. However, there have been some instances in which FILE INFECTORS attach themselves to SYS, OVL, OBJ, PRG, MNU, and BAT files, which a program must call as a subroutine in order for them to be executed. These FILE INFECTOR viruses can further be classified as either DIRECT-ACTION or RESIDENT. A DIRECT-ACTION virus infects one or more other programs each time the infected program is executed. A RESIDENT virus installs itself somewhere in the random access memory (RAM) in the computer the first time the infected program is executed. Thereafter, the RESIDENT virus infects other programs when they are executed.
SYSTEM INFECTORS, which comprise the second main type of viruses, infect executable code found in certain system areas on a disk. On personal computers, there are ordinary boot-sector viruses which only infect the DOS boot sector, and MBR viruses which infect the Master Boot Record on fixed disks and the DOS boot sector on floppy diskettes. MBR viruses are memory resident.
There is also a growing class of viruses which infect both files and boot sectors. They are a combination of the FILE and SYSTEM INFECTORS and are appropriately called MULTI-PARTITE viruses.
Besides the two main types of viruses, as discussed directly above, there are many other distinct classes of viruses. These additional classes of viruses include: CLUSTER viruses, KERNEL viruses, STEALTH viruses, POLYMORPHIC viruses, COMPANION viruses, and TUNNELING viruses.
CLUSTER viruses modify the directory table entries of the infected program so that the virus is loaded and executed before the infected program is. The infected program itself is not physically altered; only the directory entry of the program file of the infected program is altered. CLUSTER viruses are very similar to FILE INFECTORS.
KERNEL viruses target specific features of the target program which are contained in the "core" or "kernel" of the target program. This type of virus is distinguished from viruses which may infect the "kernel" of a program; KERNEL viruses attack special features of the "kernel" files such as loading or calling operations.
A STEALTH virus, as its name implies, can hide the modifications it has made to files or boot records while the virus is active. From a practical point of view, when programs try to read infected files or sectors, these programs only see the original, uninfected form of the infected files. Thus, by only inspecting the files, the computer user as well as an anti-virus program may overlook the virus infection. However, the STEALTH virus must be resident in memory, and can thus be detected.
A POLYMORPHIC virus is one which produces varied but operational copies of itself. This type of replication is employed to attempt to hide different variations of the same virus from detection. To make a polymorphic virus, the key is to choose among a large variety of different encryption schemes which, of course, require different decryption schemes. To be detected, the anti-virus program must exploit multiple scan strings to reliably identify all the variations of this virus. A different scan string must be used for each different encryption and decryption scheme. Further, more sophisticated polymorphic viruses vary their sequence of instructions across the different variations of the same virus by inserting "junk" instructions, by interchanging equivalent instructions, or by changing the sequence of operations.
A COMPANION virus creates a new program instead of modifying an existing file. Unknown to the user, this newly created infected program is executed instead of the original program. After the newly created program executes, the original intended program is then executed so that, to the user, everything appears normal. Further, an anti-virus program will not detect this virus since such programs usually look for changes to existing programs.
A TUNNELING virus finds the original interrupt codes in DOS and the BIOS and calls them directly.
In addition, there are viruses which are considered fast, slow, or sparse infectors. They can belong to any of the categories mentioned above. For example, a fast infector virus is active in a computer's memory so that the virus infects not only programs that are executed but also programs which are merely opened. In marked contrast, the slow infector virus only infects files as they are modified or executed. The sparse infector virus is similar to the slow infector virus in that it infects only occasionally. There are benefits to each of the fast, slow, and sparse infectors. The fast infector can efficiently spread to many files, but unfortunately will probably be quickly discovered. However, the fast infector virus can be combined with a polymorphic virus, which makes it difficult to identify all the mutations of the virus. The slow and sparse infector viruses will not spread as quickly but will also probably not be discovered as easily.

Sources of Viruses
There is a common myth that being attached to a network such as Compuserve, America On Line, or the Internet, a bulletin board system, or even a local area network will make your computer more susceptible to viruses. This is wrong. The only way to get a virus is to execute an infected program on your computer. Sure, you may download an infected program from the Internet, but you have to execute this infected program before the virus will be active. An exception is the possibility of downloading a worm, which is a self-executing type of virus.
An important fact that sometimes gets forgotten is that data files cannot infect your computer with a virus. A myth is perpetuated that data or electronic mail can transmit viruses. However, since data or electronic mail cannot be executed, they cannot spread viruses. For example, Microsoft Word users can receive viruses inside what appear to be document files. Thus on the surface, it appears that these users can become infected through electronic mail or the Internet. However, the virus infection can only be manifested when the Microsoft Word program is activated, not by merely opening and viewing these infected files. To avoid becoming infected by what is called a MACRO type of virus, users should disable their Microsoft Word program or any other program from automatically launching from their web browser or electronic mail program. Accordingly, data or electronic mail messages by themselves cannot infect a computer system.
Although data files cannot be infected by a virus, the physical diskette used to hold the data files can contain a program infected by a virus which is hidden in the boot sector of the diskette. Thus, if this diskette with an infected boot sector is left inside a computer while the computer is being started, then the computer will also become infected with the virus from the boot sector.

Detection of Viruses
A practical consideration for many computer users involves the issue of how to detect a virus. All the descriptions and categories of viruses which can attack a computer are of little value if one cannot detect a virus before damage is done. There is good news because viruses can be detected or prevented from infecting a computer long before they can inflict serious damage. For example, a hypothetical virus which is programmed to reformat your hard disk probably needs to infect and reside within your computer for quite a while before your hard disk will be reformatted. If this hypothetical virus were to reformat your hard drive very shortly after infecting a portion of your computer, this hypothetical virus would wipe itself out too early and not have many opportunities to spread to other computers.
Several methods for detecting viruses are commonly utilized in anti-virus software. These methods include the following: checking changes in file size, checking date and time stamps, checking assignment of system resources, and checking code for known viruses. Many anti-virus programs check for any changes in the file size of applications and boot sectors. Thus, checking for changes in file size can be used to detect file infectors, system infectors, and multi-partite infectors. The increase in file size can indicate an attack by a virus. An infected file or application will often have an increased file size from the immediate onset of the virus attack, which in theory should give the computer owner advance warning to neutralize the virus attack before any damage is done. However, many viruses can disguise the actual enlarged file size and fool the anti-virus program into thinking that the file size is unchanged. The method of checking date and time stamps of applications is another way to check for virus activity. Abnormally frequent changes to application and boot sector files can indicate a computer infected by a virus. However, like checking for changes in file size, the effectiveness of checking date and time stamps can also be circumvented. For example, a virus can hide recent date or time stamps so that the anti-virus program will not detect date or time stamp abnormalities.
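
The following Python code is an added example, not part of the original article. It keeps a baseline of the size and time stamp of each program file, as described above, and also records a SHA-256 content digest, which the article does not mention, to show a change that the size and time-stamp checks both miss. The directory, file names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, NamedTuple, Optional


class Record(NamedTuple):
    size: int       # file size in bytes
    mtime_ns: int   # last-modified time stamp, in nanoseconds
    sha256: str     # content digest (added here; not one of the article's checks)


def snapshot(root: str) -> Dict[str, Record]:
    """Record size, time stamp and digest for every file directly under root."""
    records = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            continue
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        records[name] = Record(st.st_size, st.st_mtime_ns, digest)
    return records


def compare(baseline: Dict[str, Record],
            current: Dict[str, Record]) -> Dict[str, List[str]]:
    """Return {file name: findings} for files that are new, missing or altered."""
    report = {}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            report[name] = ["new file"]
        elif new is None:
            report[name] = ["missing"]
        else:
            checks = (("size", old.size, new.size),
                      ("timestamp", old.mtime_ns, new.mtime_ns),
                      ("content", old.sha256, new.sha256))
            findings = [label for label, a, b in checks if a != b]
            if findings:
                report[name] = findings
    return report


def write(path: str, data: bytes, mtime_ns: Optional[int] = None) -> None:
    """Write a constructed file and optionally set its time stamp explicitly."""
    with open(path, "wb") as fh:
        fh.write(data)
    if mtime_ns is not None:
        os.utime(path, ns=(mtime_ns, mtime_ns))


def demo() -> Dict[str, List[str]]:
    """Build a constructed program directory, alter it three ways, compare."""
    with tempfile.TemporaryDirectory() as root:
        body = b"constructed program image " * 8
        original = body + b"\x00" * 48
        for name in ("EDIT.EXE", "FORMAT.COM", "SORT.EXE"):
            write(os.path.join(root, name), original,
                  mtime_ns=852_076_800 * 10**9)          # 1 January 1997 UTC
        baseline = snapshot(root)
        t0 = baseline["FORMAT.COM"].mtime_ns

        # 1. Bytes appended: the size and the time stamp both move.
        write(os.path.join(root, "EDIT.EXE"), original + b"EXTRA" * 20,
              mtime_ns=t0 + 60 * 10**9)
        # 2. Same-length change with the old time stamp put back: the size
        #    and time-stamp checks see nothing, the digest still differs.
        write(os.path.join(root, "FORMAT.COM"), body + b"\xCC" * 48,
              mtime_ns=t0)
        # 3. A new program file appears (the COMPANION case described
        #    earlier); no existing file is modified.
        write(os.path.join(root, "SORT.COM"), b"constructed new program",
              mtime_ns=t0)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:12} {', '.join(findings)}")
```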

The reallocation of system resources can also be checked by an anti-virus program. If unusual unaccounted use of RAM or a reduction in the amount of available RAM is detected, it is usually a sign of a virus attacking the system. Further, an even more effective way to check for viruses involves scanning vital areas such as the boot sector of the hard drive, the RAM, and all program files for code which resembles a virus. A simple method for checking these vital areas for code which resembles a virus is to check this code against a large library which contains code for known viruses. Utilizing the large library of known viruses can consume large amounts of hard drive space, and the virus scan can take a long time to complete. Further, since there are always new viruses being discovered, the library of virus codes will never be complete and will also require constant updating. However, as a benefit, the scan for virus codes using a library of virus codes ensures with a high degree of certainty that the viruses contained in the library are not found inside the scanned computer. An improvement over a fixed library of known viruses is to also utilize a heuristic means to spot virus-like code. This method of combining algorithms to recognize viruses allows the anti-virus program to become adaptive and flexible so that new unknown viruses may also be recognized in addition to known viruses. However, this heuristic method does not always spot all new viruses and also consumes a larger amount of computing resources.
Several simple steps should be taken to detect viruses before they infect or before they cause damage to your computer. A virus scanner will help identify viruses early. In order to gain the maximum benefit from a virus scanner, the virus scanner should be run on new programs before installation onto your computer and on all applications, RAM, and boot sectors upon starting your computer. Lastly, it is also important to periodically update your virus scanner.
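
An added example (not from the original article) of the library scan described above, which also covers the earlier point that a polymorphic family needs one scan string per decryption scheme. Each family has one or more scan strings, with ?? standing for a byte that differs between copies. The family names, byte patterns and 512-byte sector images are constructed placeholders, not real signatures.

```python
import re
from typing import Dict, List, Tuple

# Constructed library of scan strings. The byte values are arbitrary markers
# invented for this example; they are not signatures of any real virus.
# "??" is a wildcard for a byte that differs from copy to copy.
LIBRARY: Dict[str, List[str]] = {
    "Sample.Boot": ["C0 FF EE ?? ?? 15 BA D0"],
    # One family, two decryptor forms: each form needs its own scan string.
    "Sample.Poly": ["A1 B2 ?? C3 D4 E5", "A1 B2 ?? 3C 4D 5E"],
}


def compile_scan_string(pattern: str):
    """Turn 'C0 FF ?? 15' into a compiled bytes regex."""
    parts = []
    for token in pattern.split():
        if token == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(token, 16)])))
    # DOTALL so that a wildcard also matches the byte 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)


def compile_library(library: Dict[str, List[str]]):
    """Compile every scan string, keeping the family name beside it."""
    return [(family, compile_scan_string(s))
            for family, strings in library.items() for s in strings]


def scan(data: bytes, compiled) -> List[Tuple[str, int]]:
    """Return (family, offset) for every scan-string match in data."""
    hits = []
    for family, regex in compiled:
        for match in regex.finditer(data):
            hits.append((family, match.start()))
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


def sector(payload_hex: str, offset: int) -> bytes:
    """Constructed 512-byte image: zero fill, payload at offset, 55 AA at end."""
    payload = bytes.fromhex(payload_hex)
    image = bytearray(512)
    image[offset:offset + len(payload)] = payload
    image[510:512] = b"\x55\xAA"
    return bytes(image)


# Constructed sample images, one per case the text describes.
SAMPLES: Dict[str, bytes] = {
    "clean":         sector("", 0),
    "boot copy 1":   sector("C0FFEE010215BAD0", 0x40),
    "boot copy 2":   sector("C0FFEE0A0D15BAD0", 0x80),   # other variable bytes
    "poly form 1":   sector("A1B211C3D4E5", 0x10),
    "poly form 2":   sector("A1B2223C4D5E", 0x10),
    # A third form that is not in the library: the scan reports nothing,
    # which is the "library is never complete" limitation.
    "poly form 3":   sector("A1B233778899", 0x10),
}


def demo() -> Dict[str, List[Tuple[str, int]]]:
    """Scan every constructed sample against the full library."""
    compiled = compile_library(LIBRARY)
    return {name: scan(image, compiled) for name, image in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:14} {hits if hits else 'no match'}")
```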

Common Viruses
As of January 20, 1997, the following viruses comprise the top five most frequently found viruses. They include the following: WM.Concept, Form.A, One Half.3544, AntiEXE.A, and Stoned.Empire.Monkey.A.
The WM.Concept virus utilizes five macros to infect the host computer and affects Microsoft Word documents. The computer user initiates the first stage of the infection by depressing the OK button when the dialog box displays a number "1". Then, the virus replaces the "Save As" command in the File Pulldown menu with its own command so that every time the user saves a document, the document is placed in a new format. Further, this virus also replaces the macro "Auto Open" with different contents so that "Auto Open" is automatically executed each time a document is opened which allows the virus to replicate in new documents.
The Form.A virus infects the boot sector of a hard drive. This virus reserves 2k of RAM memory and the last two sectors of the hard drive for the original boot sector and the virus sector. This virus does not protect the last two sectors of the hard drive, so these two sectors can be overwritten. This virus checks for the 18th day of any month. Upon reaching the 18th day, this virus produces a clicking sound each time a key on the keyboard is depressed. This virus contains no intentionally damaging code. However, there are two bugs which can cause the infected computer to crash. The virus is programmed to only allow one disk read and not allow a retry, so that after the first failed disk read the system will crash. Further, since the boot sector of the hard drive may be overwritten, the drive may be rendered unbootable.
The One Half virus is an advanced multi-partite virus which infects both the boot sector and application files. The One Half virus utilizes both stealth techniques to hide the master boot record infection on the hard drive and polymorphic techniques to make file detection and removal nearly impossible. One of the stealth capabilities includes displaying a clean copy of the master boot record and a hidden infection size while the files are being displayed. The master boot record infection from the One Half virus is generic. A major concern is that this virus slowly encrypts the hard drive. Every time the hard drive is cold booted, two more cylinders of the hard drive are encrypted. The real problem is that when the One Half virus is removed from the master boot record, which can be accomplished by using a typical anti-virus program, all the data in the encrypted area of the hard drive is lost. For the file infector portion of the One Half virus, this virus only infects files with a .COM or .EXE extension. One Half does not attack files with SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, or MSAV in their names. When One Half finds an appropriate file to infect, this virus inserts portions of itself into random points within the host file and also changes its form to disguise the virus. In addition, this virus also appears to be compatible with most versions of DOS and Windows 3.1.
The AntiEXE virus is a system infector which attacks the master boot record and DOS boot sectors. Fortunately, this virus can only spread from computer to computer by booting the system from an infected floppy disk. However, once the computer is infected with the AntiEXE virus, this virus remains active in memory. Then, this virus searches for specific files with the EXE extension and corrupts the file if found. To prevent virus scanners from detecting this virus, the AntiEXE virus has stealthing capabilities so that disk reads of the infected master boot record or DOS boot sectors are redirected to their clean uninfected counterparts.
The Stoned.Empire.Monkey virus, which is also called Monkey, is a system infector which attacks the master boot record and floppy boot sectors. The purpose of this virus is not to cause intentional damage. However, because of the rapid and aggressive replication of this virus, portions of the infected computer's hard drive can be overwritten, damaging data.

Virus Hoaxes
The Good Times virus scare started in early December 1994. The supposed Good Times virus is carried by electronic mail. It was purported that just reading a message with "Good Times" in the subject line would erase your hard drive and even destroy your computer's circuits. This propaganda turned out to be a hoax. The original "warning" message concluded with instructions to forward this warning message to all friends. The following are excerpts from this "warning" message:

Somebody is sending electronic mail under the title "good
times". If you get anything like this, do not download the
file!!! It has a virus that rewrites your hard drive, and you
lose anything on your hard drive. Please be careful and
forward this mail to anyone you care about.

To combat the Good Times virus hoax, several links were created on the Internet. Some of these informative sites include the following: http://www.tcp.co.uk/tcp/good-times/ and Data Fellows Ltd's Virus Information Centre. The negative effect of virus hoaxes like the Good Times hoax is that people who already know it is a hoax keep getting bombarded with repeated hoax warnings, and others who do not know it is a hoax spend needless time and energy worrying about a Good Times infection. Further, the extra energy and bandwidth devoted to informing users of the Good Times virus hoax and the wasted productivity of uninformed people worrying about the virus is like a virus in itself. Even though the Good Times virus does not even exist, this virus hoax has the same effect as a real virus. In fact, many people say that the Good Times virus hoax was not a computer virus, but rather a social or thought virus. Instead of replicating like a typical computer virus inside a computer host, this thought virus replicates copies of Good Times virus hoax warnings by using people as its host instead of a computer. Many people also believe that the best way to control a thought virus is to create a counter virus as an antidote. Further, as the hoax virus is contagious, the key to making the antidote effective is to make sure that the counter virus spreads as well.
Some of the companies which have fallen for the Good Times virus hoax include the following: AT&T, CitiBank, NBC, Hughes Aircraft, and Texas Instruments. The U.S. government has also fallen victim to the hoax, which has spread to the following divisions: Department of Defense, FCC, NASA, and Department of Health and Human Services.
The Deeyenda hoax follows the Good Times virus hoax and uses similar tactics to scare users. The Deeyenda hoax warning contains similar facts to those which appear in the Good Times warning. Additionally, the Deeyenda hoax falsely claims that the FCC issued this alert to watch out for the Deeyenda virus. The FCC is not in the business of issuing virus warnings. Further, the Deeyenda virus warning also claims that once the Deeyenda virus attacks a computer, this virus is virtually undetectable. This is not true; all viruses become detectable after the host computer is infected. Lastly, like the Good Times virus hoax, the Deeyenda virus warning does not reference a verifiable author of the warning. Thus, the facts and accuracy of the warning cannot be confirmed. This is an especially useful and common element for spreading all virus hoaxes.

Common Cure for Viruses
Some unscrupulous anti-virus software products claim that by running their anti-virus software, you will be safe from viruses forever. Unfortunately, as enticing as this sounds, it is not true. As you can guess by the brief description of computer viruses as found above, the solution cannot be this simple. Any anti-virus software product will need to be updated to be able to detect and/or protect you from ever evolving viruses.
Some people advocate write protecting certain files or even write protecting the entire hard drive. These write protection mechanisms are usually implemented by software, which makes them especially vulnerable to viruses themselves. In fact, a virus can easily bypass the write protection of both files and hard drives, despite its cost and inconvenience. It is important to note that while write protecting selected files or entire hard drives may be ineffective and therefore impractical, write protecting floppy diskettes by locking the movable tab is extremely effective at preventing a clean floppy diskette from becoming infected.
It is a common myth that a user who only runs retail software is safe from exposure to viruses. One of the most common types of viruses, the boot sector virus, will infect a computer if an infected floppy diskette is booted up. There have been quite a few viruses which have been shipped inside shrink wrapped products directly from the manufacturer. Further, some software stores allow software to be returned after being used. The returned software could have been infected by the first user. Then, this infected software is re-shrink wrapped and sold again. Clearly, a user who only runs retail software is not free from the threat of viruses.

Legislation Addressing Viruses
One of the most relevant federal statutes regulating the spread of viruses is 18 U.S.C.S. section 1030 entitled, "Fraud and Related Activity in Connection with Computers." Following directly below is the history of relevant portions of title 18 section 1030 from 1988 to the present. Tracing the changes in these statutes involving computer viruses allows us to explore the contours of the past as well as the current state of our law.

1984 version:
anyone who knowingly accesses a computer without authorization, or having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend, and by means of such conduct knowingly uses, modifies, destroys, or discloses information in, or prevents authorized use of, such computer, if such computer is operated for or on behalf of the Government of the United States and such conduct affects such operation.

1988 version:
1030(a)(5)(A): whoever intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer, or prevents authorized use of any such computer or information, and thereby
(A) causes loss to one or more others of a value aggregating $1,000 or more during any one year period;

1992 version:
No change from 1988

1994 version:
1030(a)(5) intentionally accesses a Federal interest computer without authorization, and by means of one or more instances of such conduct alters, damages, or destroys information in any such Federal interest computer or prevents authorized use of any such computer or information and thereby--
(A) causes loss to one or more others of value aggregating $1,000 or more during any one year period;

1995 version:
1030(a)(5)
(A): whoever through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system if--
(i) the person causing the transmission intends that such transmission will--
(I) damage, or cause to damage to, a computer, computer system, network, information data, or program; or
(II) withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, system or network, information, data or program; and
(ii) the transmission of the harmful component of the program, information, code, or command--
(I) occurred without the authorization of the person or entities who own or are responsible for the computer system receiving the program, information, code, or command; and
(II) (aa) causes loss or damage to one or more other persons of value aggregating $1,000 or more during a 1-year period; or
(B) whoever through means of a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or computer system--
(i) with reckless disregard of a substantial and unjustifiable risk that the transmission will--
(I) damage, or cause to damage to, a computer, computer system, network, information data, or program; or
(II) withhold or deny, or cause the withholding or denial, of the use of a computer, computer services, system or network, information, data or program; and
(ii) the transmission of the harmful component of the program, information, code, or command--
(I) occurred without the authorization of the person or entities who own or are responsible for the computer system receiving the program, information, code, or command; and
(II) (aa) causes loss or damage to one or more other persons of value aggregating $1,000 or more during a 1-year period; or


1996 version:
1030(a)(5)(A): whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization to a protected computer;

1030(a)(5)(B): whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage;

1030(a)(5)(C): whoever intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;


Case Law
Since the introduction of Section 2(d) of the Computer Fraud and Abuse Act of 1986, there have been only a few cases which specifically address section 1030(a)(5)(A). Two such cases are United States v. Robert Morris (928 F.2d 504) and United States v. Bernadette Sablan (92 F.3d 865).
In United States v. Robert Morris (928 F.2d 504), the United States government charged Robert Morris with violation of the 1988 version of section 1030(a)(5)(A), which punishes "anyone who intentionally accesses without authorization a category of computers known as federal interest computers and damages or prevents authorized use of information in such computers, causing loss of $1000 or more." In the fall of 1988, Morris was a first year graduate student in Cornell University's computer science Ph.D. program. Morris already had significant computer experience and expertise. Upon entering Cornell, Morris was given a computer account with access to the University's computer network.
In October of 1988, Morris began working on a program which is referred to as a "worm" or "virus". According to Morris, the goal of this program was to demonstrate the inadequacies of the current security measures on computer networks by exploiting the defects which Morris had already discovered. Morris chose to release his worm program onto the network computers. Morris had designed the worm program to spread across a national network of computers after his worm program was merely inserted at one computer location connected to this national network. This national network of computers is commonly known today as the INTERNET. However, back in 1988, the INTERNET was used primarily to connect university, governmental, and military computers around the country.
Morris programmed his INTERNET worm to spread widely without drawing attention to itself. In other words, Morris wanted his worm to have stealth properties. To attain stealth properties and not be detected, the worm was supposed to occupy little computer processing time and thus not interfere with normal computer use. Further, Morris also made his worm difficult to detect.
As another step to ensure that his worm would not be detected, Morris wanted to ensure that multiple copies of his worm did not occupy the same computer because multiple worms on the same computer would bog down this computer and would ultimately crash this computer. Further, multiple copies of the worm on the same computer would make detection much easier. Accordingly, Morris designed his worm to ask the potential host computer if it already had a copy of this worm. If the host computer responded negatively, the Morris' worm would be copied onto the host computer. Otherwise, the worm would not be duplicated. However, Morris was concerned that other programmers could prevent the worm from being copied onto an uninfected host computer by simply having the host computer answering the worm with a false positive answer which signals the worm not replicate. To circumvent this possible protection against his worm, Morris programmed a security feature in the worm to duplicate itself every seventh time it received a positive answer to the worm's question. Morris underestimated the number of times a computer would be asked the question by his worm and Morris's security feature resulted in far more duplication than he expected.
Morris identified four ways in which his worm could break into computers. He utilized a bug in the SEND MAIL function to infect computers through electronic mail. He also found a bug in the "finger demon" program, which permits a person to obtain limited information about users of another computer. He utilized the "trusted hosts" feature, which lets a user of one computer have similar privileges on another computer without using a password. Finally, he utilized a very simple and low-tech method of password guessing.
On November 2, 1988, Morris released his worm. Soon after November 2, Morris discovered that the worm was replicating and re-infecting machines at a much faster rate than he had anticipated. Many computers around the country crashed because of Morris's worm. Damages at each installation ranged from $200 to $53,000. Morris was found guilty of violating 18 U.S.C. section 1030(a)(5)(A).
Morris appealed the verdict and argued that the Government had to prove not only that he intended unauthorized access, but also that he "intended" to prevent others from using the computer, and thus caused a loss. The court ruled that, in this case, punctuation alone is not so clear as to preclude review of the legislative history.
The court held that the lower court had correctly ruled that the Government did not have to prove that Morris "intended" to cause the damage, and that it was enough to show that Morris intended to gain unauthorized access and subsequently caused damage. The court based its decision on the legislative history of this code section. In the code's earlier version in 1984, this subsection covered anyone who "knowingly" accessed an unauthorized computer. The 1986 version changed "knowingly" to "intentionally". The resulting move toward intentional unauthorized access keeps the statute from reaching a person who inadvertently stumbles into someone else's computer files or data. The "intentional" standard is a higher hurdle to clear than the "knowledge" standard.
Morris also argued that he exceeded his authorized access rather than gaining "unauthorized access". Morris argued that he was authorized to use computers at Cornell, Harvard, and Berkeley, all of which were on the INTERNET. The court cited a Senate Report at 10, U.S. Code Cong. & Admin. News at 2488. The Report stated that this subsection applies "where the offender is completely outside the Government, . . . or where the offender's act of trespass is interdepartmental in nature." The court ruled that Morris did not use SEND MAIL and finger demon for their intended purpose and that, therefore, Morris's conduct fell well within the area of unauthorized access. The ruling by the Appellate Court affirmed that Morris was guilty.
In United States v. Bernadette Sablan (92 F.3d 865), the government charged Sablan under the same subsection, 1030(a)(5)(A), described above in the Morris case. After Sablan was fired from her job at a bank, she returned to the bank and illegally entered it with a copied key. Sablan then proceeded to access the computer system using an old password. The Government asserted that Sablan severely damaged several bank files.
Sablan argued that the word "intentionally" in subsection 1030(a)(5)(A) applied to each of the elements of the crime. The court adopted the reasoning of the Morris court and ruled that the "intentionally" standard applies only to the "accesses" phrase and not to the "damages" phrase. Sablan also argued that if subsection 1030(a)(5)(A) does not require intent for the damages element, the statute is unconstitutional. Sablan relied on the Supreme Court's decision in X-Citement Video, 115 S. Ct. 464. The present court ruled that since subsection 1030(a)(5)(A) does not criminalize otherwise innocent conduct, it is constitutionally valid. In the present case, the Government proved that Sablan intentionally accessed a federal interest computer without authorization. Thus, Sablan must have had a wrongful intent in accessing the computer.


From D. Friedman

Finally--a (Word macro) virus that really does spread by EMail.

 

