Sprint Cleared of Negligence in
State commission finds Sprint's
security no worse than any other telephone company.
Kevin Poulsen, Sep 12
The Nevada Public Utilities
Commission pulled the plug Thursday on a Las Vegas adult
entertainment operator's claim that telephone calls meant for
his stable of private dancers are being blocked by hackers
with access to local phone company Sprint of Nevada's systems,
closing an eight-year-old legal battle that pitted the
vanquished brokers of Sin City's competitive sex trade against
the corporate legal muscle of a telecom giant.
"Having reviewed all of the evidence in the hearing, and taken
a lot of thought and reviewed everything over and over
again... in my opinion there is no evidence that Sprint has
caused this to occur or has substandard security," said
commission Adriana Escobar Chanos, recommending the case's
dismissal to the full commission in a morning PUC agenda
Plaintiff Eddie Munoz first complained to the PUC in 1994 that
the phone company was allowing mercenary hackers to cripple
his business by diverting, monitoring and blocking his phone
calls -- a complaint that's been echoed by private
investigators, bail bondsmen and some of Munoz's competitors.
In the years of testing and legal wrangling that followed,
Munoz produced a wealth of anecdotal evidence, but no
empirical proof to support his claim.
Munoz faulted Sprint for not cooperating in the testing, and
had asked the PUC to order a new round of tests under close
supervision, a plea the commissioners rejected Thursday.
The commission found that there wasn't sufficient evidence to
believe that Munoz's problems were in Sprint's network, rather
than in his own equipment, or at the hotel PBXs where most
also rejected the recommendation of the PUC's own staff
investigators, who, while arguing for the dismissal, had urged
the commission to open a new docket to closely supervise
Sprint's computer security practices. The recommendation would
have forced the company to retain outside security
consultants, launch a security training program for employees,
develop a process for detecting and deterring intrusion
attempts into its network, and begin documenting its security
In several days of hearings held earlier this year by Escobar
Chanos, Sprint officials admitted that they'd lost or
destroyed years of records in a reorganization of their
security department, and that they permitted dial-up access
into their switches for maintenance purposes with little
logging. In June, ex-hacker Kevin Mitnick -- hired by Munoz as
a consultant -- testified that prior to his 1995 arrest he had
illicit control of the company's switching systems through the
dial-ups, and also enjoyed unfettered access to a computerized
testing system called CALRS that allows users to monitor phone
lines and intercept or originate calls throughout Las Vegas.
A draft of the commission's final order in the case suggests
that Escobar Chanos found Mitnick's testimony convincing, but
that in some ways it actually hurt Munoz's case: the
ex-hacker's own testing found no evidence of ongoing call
diversion, and Mitnick testified that his access as a fugitive
was not limited to Sprint's network, but included every phone
company in every city where he'd holed up.
The draft order concludes that "Sprint's security is no better
nor no worse than that of other telephone companies," and
credits the company with taking "reasonable steps" to protect
In an interview following the ruling, Munoz vowed to take his
case to the federal courts. "What's a consumer supposed to
do?... They sent a message across the United States that the
telephone company can do whatever they want to do."