828 lines
41 KiB
Plaintext
828 lines
41 KiB
Plaintext
|
||
|
||
****************************************************************************
|
||
>C O M P U T E R U N D E R G R O U N D<
|
||
>D I G E S T<
|
||
*** Volume 3, Issue #3.14 (April 26, 1991) **
|
||
****************************************************************************
|
||
|
||
MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet)
|
||
ARCHIVISTS: Bob Krause / Alex Smith / Bob Kusumoto
|
||
GAELIC GURU: Brendan Kehoe
|
||
|
||
+++++ +++++ +++++ +++++ +++++
|
||
|
||
CONTENTS THIS ISSUE:
|
||
File 1; Moderators' Corner
|
||
File 2; Comments on your comments on Len Rose
|
||
File 3; Moving toward Common Ground? Reply to Gene Spafford
|
||
File 4; CERT Advisory - Social Engineering
|
||
File 5; And Fox is after the Hollywood Hacker?
|
||
File 6; MONDO -- GREAT NEW 'ZINE!
|
||
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||
|
||
USENET readers can currently receive CuD as alt.society.cu-digest.
|
||
Back issues are also available on Compuserve (in: DL0 of the IBMBBS sig),
|
||
PC-EXEC BBS (414-789-4210), and at 1:100/345 for those on FIDOnet.
|
||
Anonymous ftp sites: (1) ftp.cs.widener.edu (192.55.239.132);
|
||
(2) cudarch@chsun1.uchicago.edu;
|
||
(3) dagon.acc.stolaf.edu (130.71.192.18).
|
||
E-mail server: archive-server@chsun1.uchicago.edu.
|
||
|
||
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
|
||
information among computerists and to the presentation and debate of
|
||
diverse views. CuD material may be reprinted as long as the source is
|
||
cited. Some authors, however, do copyright their material, and those
|
||
authors should be contacted for reprint permission. It is assumed
|
||
that non-personal mail to the moderators may be reprinted unless
|
||
otherwise specified. Readers are encouraged to submit reasoned
|
||
articles relating to the Computer Underground. Articles are preferred
|
||
to short responses. Please avoid quoting previous posts unless
|
||
absolutely necessary.
|
||
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||
DISCLAIMER: The views represented herein do not necessarily represent
|
||
the views of the moderators. Contributors assume all
|
||
responsibility for assuring that articles submitted do not
|
||
violate copyright protections.
|
||
|
||
********************************************************************
|
||
>> END OF THIS FILE <<
|
||
***************************************************************************
|
||
|
||
------------------------------
|
||
|
||
From: Moderators
|
||
Subject: Moderators' Corner
|
||
Date: 26 April, 1991
|
||
|
||
********************************************************************
|
||
*** CuD #3.14: File 1 of 6: Moderators Corner ***
|
||
********************************************************************
|
||
|
||
++++++++++++++++++++
|
||
Mail and Corrupted Issues
|
||
++++++++++++++++++++
|
||
|
||
We received a number of notes asking about the resend of CuD 3.13.
|
||
Our system is an IBM clone, and the mailer is patched in. When we have
|
||
mail problems, we are not able to determine the status of any mail we
|
||
send out because of the limited capabilities of the patch. On
|
||
occasion, especially during net-jams, this leads to some readers
|
||
receiving duplicate files. If a number of files are corrupted, as
|
||
sometimes happens when the nets are jammed or a gateway is not
|
||
operating properly, it is sometimes necessary to resend a file or, in
|
||
the case 3.13, the entire list. Optimal size is about 40K, and the
|
||
last issue ran well over that. To facilitate mailing, we deleted the
|
||
single file that brought us to the 40 K file size and re-sent. If
|
||
people are experiencing problems receiving CuD, drop us a note.
|
||
|
||
We have also received on 23 April a horde of email posts dated between
|
||
30 March-2 April. The bulk of it seemed to originate from the west and
|
||
southwest. We generally reply to posts on the same day they are
|
||
received, so if you do not receive a reply, let us know.
|
||
|
||
++++++++++++
|
||
LET US KNOW IF YOUR ACCOUNT EXPIRES
|
||
++++++++++++
|
||
|
||
If your account is about to expire, please drop a note simply saying
|
||
"unsub," and be sure to include at the bottom your account number.
|
||
|
||
++++++++++++++++
|
||
Information on subversive software wanted
|
||
++++++++++++++++
|
||
|
||
Gordon is in the beginning stages of research for a technical paper on
|
||
'subversive' software. The article will discuss software that has
|
||
been written for unusual purposes and circumstances, not all of which
|
||
may be legal. Examples in this "genre" would be 'Fuckin' Hacker',
|
||
'Code Thief', and 'Receipt Writer'.
|
||
|
||
It would be helpful to gather as many examples as possible, from many
|
||
different computer platforms. He is *not* seeking executable copies,
|
||
but just the name and description of the program. Any additional
|
||
historical information, such as author name, date, innovative
|
||
features, etc would be a bonus. If you can recall having seen, used,
|
||
or heard of any unusual software that you feel fits in this category
|
||
He would appreciate it if you'd drop me a line. The article has not,
|
||
as of yet, been slated for publication, but he will supply a finished
|
||
copy to anyone who responds or requests one. The finished work may
|
||
also appear in a future issue of CuD.
|
||
|
||
Thanks for your time and assistance! Gordon Meyer
|
||
72307.1502@Compuserve.com GRMEYER (GEnie and Delphi) or via CuD at
|
||
tk0jut2@niu.bitnet
|
||
|
||
+++++++++++++++++++++
|
||
PhD Seeks info on Computer Security
|
||
+++++++++++++++++++++
|
||
|
||
Paul Taylor, a PhD candidate in England, sent the following note
|
||
along. He is doing some interesting research, and is trying to
|
||
obtain additional data.
|
||
|
||
+++++++
|
||
|
||
From: P.A.Taylor@EDINBURGH.AC.UK
|
||
Subject: PhD Seeks Info on Computer Security
|
||
Date: 18 Apr 91 14:17:16 bst
|
||
|
||
I'm into the second year of a PhD looking at the rise of the computer
|
||
security industry and the concomitant rise of cracking/browsing and
|
||
viruses, here at the University of Edinburgh.
|
||
|
||
Part of my research involves e-mail interviews and questionnaires. If
|
||
you would be willing to take part in it, then please get in touch.
|
||
I'll send you a yes/no type questionnaire and after that if you are
|
||
willing, a set of questions designed more to start a dialogue about
|
||
some of the issues surrounding computer security, which could form the
|
||
basis of an on-going e-mail interview to be acknowledged or kept
|
||
anonymous in my final thesis, depending on the wishes of the
|
||
respondent.
|
||
|
||
ALL MY WORK IS FOR PURELY ACADEMIC PURPOSES AND TOTAL CONFIDENTIALITY
|
||
IS GUARANTEED.
|
||
|
||
IF IN DOUBT AS TO MY ACADEMIC STATUS PLEASE CONTACT ME AND INDEPENDENT
|
||
VERIFICATION CAN BE SUPPLIED.
|
||
|
||
Thank you in advance,
|
||
|
||
Paul A. Taylor,
|
||
Depts of Economics and Politics,
|
||
Edinburgh University.
|
||
|
||
********************************************************************
|
||
>> END OF THIS FILE <<
|
||
***************************************************************************
|
||
|
||
------------------------------
|
||
|
||
From: Gene Spafford <spaf@CS.PURDUE.EDU>
|
||
Subject: Comments on your comments on Len Rose
|
||
Date: Sat, 30 Mar 91 14:41:02 EST
|
||
|
||
********************************************************************
|
||
*** CuD #3.14: File 2 of 6: Comments on Len Rose Articles ***
|
||
********************************************************************
|
||
|
||
%Moderators' comment: Spaf just sent his latest book, PRACTICAL UNIX
|
||
SECURITY, co-authored with Simson Garfinkel to the publishers
|
||
(O'Reilly and Associates ((the Nutshell Handbook people). It's
|
||
approximately 475 pages and will available in mid-May. From our
|
||
reading of the table of contents, and from preview comments
|
||
("definitive," destined to be the "standard reference"), it looks like
|
||
something well-worth the $29.95 investment.%
|
||
|
||
There is little doubt that law enforcement has sometimes been
|
||
overzealous or based on ignorance. That is especially true as
|
||
concerns computer-related crimes, although it is not unique to that
|
||
arena. Reporting of some of these incidents has also been incorrect.
|
||
Obviously, we all wish to act to prevent future such abuses,
|
||
especially as they apply to computers.
|
||
|
||
However, that being the case does not mean that everyone accused under
|
||
the law is really innocent and the target of "political" persecution.
|
||
That is certainly not reality; in some cases the individuals charged
|
||
are clearly at fault. By representing all of them as innocents and
|
||
victims, you further alienate the moderates who would otherwise be
|
||
sympathetic to the underlying problems. By trying to represent every
|
||
individual charged with computer abuse as an innocent victim, you are
|
||
guilty of the same thing you condemn law enforcement of when they
|
||
paint all "hackers" as criminals.
|
||
|
||
In particular, you portray Len Rose as an innocent whose life has been
|
||
ruined through no fault of his own, and who did nothing to warrant
|
||
Federal prosecution. That is clearly not the case. Len has
|
||
acknowledged that he was in possession of, and trafficing in, source
|
||
code he knew was proprietary. He even put multiple comments in the
|
||
code he modified stating that, and warning others not to get caught
|
||
with it. The patch he made would surreptitiously collect passwords
|
||
and store them in a hidden file in a public directory for later use.
|
||
The argument that this patch could be used for system security is
|
||
obviously bogus; a system admin would log these passwords to a
|
||
protected, private file, not a hidden file in a public directory.
|
||
Further, your comments about having root access are not appropriate,
|
||
either, for a number of reasons -- sometimes, root access can be
|
||
gained temporarily without the password, so a quick backdoor is all
|
||
that can be planted. Usually, crackers like to find other ways on
|
||
that aren't as likely to be monitored as "root", so getting many user
|
||
passwords is a good idea. Finally, if passwords got changed, this
|
||
change would still allow them to find new ways in, as long as the
|
||
trojan wasn't found.
|
||
|
||
The login changes were the source of the fraud charge. It is
|
||
certainly security-related, and the application of the law appears to
|
||
be appropriate. By the comments Len made in the code, he certainly
|
||
knew what he was doing, and he knew how the code was likely to be
|
||
used: certainly not as a security aid. As somebody with claimed
|
||
expertise in Unix as a consultant, he surely knew the consequences of
|
||
distributing this patched code.
|
||
|
||
An obvious claim when trying to portray accused individuals as victims
|
||
is that their guilty pleas are made under duress to avoid further
|
||
difficulties for their family or some other third party. You made
|
||
that claim about Len in your posting. However, a different
|
||
explanation is just as valid -- Len and his lawyers realized that he
|
||
was guilty and the evidence was too substantial, and it would be more
|
||
beneficial to Len to plead guilty to one charge than take a chance
|
||
against five in court. I am inclined to believe that both views are
|
||
true in this case.
|
||
|
||
Your comments about Len's family and career are true enough, but they
|
||
don't mean anything about his guilt or innocence, do they? Are bank
|
||
robbers or arsonists innocent because they are the sole means of
|
||
support for their family? Should we conclude they are "political"
|
||
victims because of their targets? Just because the arena of the
|
||
offenses involves computers does not automatically mean the accused is
|
||
innocent of the charges. Just because the accused has a family which
|
||
is inconvenienced by the accused serving a possible jail term does
|
||
not mean the sentence should be suspended.
|
||
|
||
Consider that Len was under Federal indictment for the login.c stuff,
|
||
then got the job in Illinois and knowingly downloaded more source code
|
||
he was not authorized to access (so he has confessed). Does this
|
||
sound like someone who is using good judgement to look out for his
|
||
family and himself? It is a pity that Len's family is likely to
|
||
suffer because of Len's actions. However, I think it inappropriate to
|
||
try and paint Len as a victim of the system. He is a victim of his
|
||
own poor judgement. Unfortunately, his family has been victimized by
|
||
Len, too.
|
||
|
||
I share a concern of many computer professionals about the application
|
||
of law to computing, and the possible erosion of our freedoms.
|
||
However, I also have a concern about the people who are attempting to
|
||
abuse the electronic frontier and who are contributing to the decline
|
||
in our freedoms. Trying to defend the abusers is likely to result in
|
||
a loss of sympathy for the calls to protect the innocent, too. I
|
||
believe that one reason the EFF is still viewed by some people as a
|
||
"hacker defense fund" is because little publicity has been given to
|
||
the statements about appropriate laws punishing computer abusers;
|
||
instead, all the publicity has been given to their statements about
|
||
defending the accused "hackers."
|
||
|
||
In the long term, the only way we will get the overall support we need
|
||
to protect innocent pursuits is to also be sure that we don't condone
|
||
or encourage clearly illegal activities. Groups and causes are judged
|
||
by their icons, and attempts to lionize everyone accused of computer
|
||
abuse is not a good way to build credibility -- especially if those
|
||
people are clearly guilty of those abuses. The Neidorf case is
|
||
probably going to be a rallying point in the future. The Steve
|
||
Jackson Games case might be, once the case is completed (if it ever
|
||
is). However, I certainly do not want to ask people to rally around
|
||
the cases of Robert Morris or Len Rose as examples of government
|
||
excess, because I don't think they were, and neither would a
|
||
significant number of reasonable people who examine the cases.
|
||
|
||
I agree that free speech should not be criminalized. However, I also
|
||
think we should not hide criminal and unethical behavior behind the
|
||
cry of "free speech." Promoting freedoms without equal promotion of
|
||
the responsibility behind those freedoms does not lead to a greater
|
||
good. If you cry "wolf" too often, people ignore you when the wolf is
|
||
really there.
|
||
|
||
********************************************************************
|
||
>> END OF THIS FILE <<
|
||
***************************************************************************
|
||
|
||
------------------------------
|
||
|
||
From: Moderators (Jim Thomas)
|
||
Subject: Moving toward Common Ground? Reply to Gene Spafford
|
||
Date: April 26, 1991
|
||
|
||
********************************************************************
|
||
*** CuD #3.14: File 3 of 6: Moving toward Common Ground? ***
|
||
********************************************************************
|
||
|
||
Gene Spafford's comments raise a number of issues, and my guess is
|
||
that he and other "moderates" are not that far apart from those of us
|
||
considered "extremists." His post was sent in March, but we received
|
||
it on April 24, so some of his comments about Len Rose have already
|
||
received sufficient response (see Mike Godwin in CuD 3.13). We are
|
||
more concerned with the potential points of converenge on which
|
||
"moderates" and "radicals" might agree.
|
||
|
||
Gene raises several issues: 1) The tone of some critics of recent
|
||
"hacker" cases tends to be divisive and inhibits coming together on
|
||
common ground; 2) There exists a danger in "crying wolf" in that cases
|
||
in which legitimate abuses may have occured or that directly raise
|
||
important issues about civil liberties will be ignored because of
|
||
excessive concern with cases that are perceived as less meritorious or
|
||
in which the defendants may not seem sympathetic; c) An aggressive
|
||
social response is required to reverse the apparent trend in computer
|
||
abuse. We disagree with none of these issues. There is, however, room
|
||
for legitimate disagreement on how these issues should be addressed,
|
||
and there is room for conciliation and compromise.
|
||
|
||
Although many cases of law enforcement response to alleged computer
|
||
abuse have been reported, only a few have generated any significant
|
||
attention. These cases have not generally centered around issues of
|
||
guilt or innocence, but on broader concerns. Other than general
|
||
reporting of cases, CuDs own attention has been limited to:
|
||
|
||
STEVE JACKSON GAMES: Few, if any, think the search of Steve Jackson's
|
||
company and seizure of his equipment was acceptable. The seizure
|
||
affidavit indicated that the justification for the raid was grossly
|
||
exaggerated and its implementation extreme. There have been no
|
||
arrests resulting from that raid, but the questions it raised have not
|
||
yet been resolved.
|
||
|
||
LEN ROSE: Whatever one thinks of Len Rose's behavior, the actions of
|
||
AT&T and law enforcement raise too many issues to be ignored whatever
|
||
Len's own culpability (or lack of it). The initial indictments, press
|
||
releases, and prosecutor media comments connected Len to E911, the
|
||
Legion of Doom, and computer security when the case was actually about
|
||
possesion of unlicensed proprietary software. We have never denied the
|
||
importance of either issue. Our concern continues to be the
|
||
misconceptions about the nature of the case, what we see as an extreme
|
||
response to a relatively minor incident, and the way the laws were used
|
||
to inflate charges. These are all debatable issues, but the nets were
|
||
buzzing with claims of Len's guilt, the need to "send a message to
|
||
hackers," and other claims that reinforced the legitimacy of charges
|
||
and sanctions that still seem inappropriate. The fact that some still
|
||
see it as a security case, others as a piracy case, others as
|
||
justice-run-amok, and still others as a signal to examine the limits
|
||
of criminalization illustrates the significance of the events: If we
|
||
can't agree on the issues involved without yelling at each other, then
|
||
how can we even begin to address the issues?
|
||
|
||
CRAIG NEIDORF/PHRACK: When the prosecution dropped the case against
|
||
Craig Neidorf for publishing alleged proprietary information valued at
|
||
nearly $80,000 when it was found that the information was available to
|
||
the public for under $14, most people thought it was a victory.
|
||
However, the logic that impelled prosecution did not stop with Craig,
|
||
and our concern continues to be over the apparent unwillingness of
|
||
some law enforcement agents to recognize that this was not just a
|
||
prosecutorial "mistake," but part of a pattern in which excessive
|
||
claims are made to justify raids, indictments, or prosecution.
|
||
|
||
THE HOLLYWOOD HACKER: Again, this is not a case of guilt or innocence,
|
||
but one in which existing laws are sufficiently vague to
|
||
over-criminalize relatively minor alleged acts. The apparent
|
||
philosophy of prosecutors to "send a message" to "hackers" in a case
|
||
that is not a hacker case but the sting of an investigative journalist
|
||
seems another use of over-prosecution. There is also the possibility
|
||
of a vindictive set-up by Fox of a freelance reporter who is alleged
|
||
to have done what may be a common practice at Fox (see the post, this
|
||
issue, citing Murray Povich).
|
||
|
||
RIPCO: Dr. Ripco's equipment was seized and his BBS shut down, but no
|
||
charges have been filed against him. He remains in limbo, his
|
||
equipment has not been returned, and he still does not know why.
|
||
Here, the issue of sysop liability, the reliability of informants, and
|
||
the legal status of private e-mail are raised.
|
||
|
||
THE "ATLANTA THREE:" The Riggs, Darden, and Grant case became an issue
|
||
after the guilty verdict. We can think of no instance of anybody ever
|
||
defending their actions for which they were indicted or in proclaiming
|
||
them innocent after (or even before) their plea. At state in the
|
||
debates was not that of guilt or a defense of intrusions, but of
|
||
sentencing and the manner in which it was done.
|
||
|
||
OPERATION SUN DEVIL: Operation Sun Devil, according to those
|
||
participating in it, began in response to complaints of fraudulent
|
||
credit card use and other forms of theft. The "hacking community"
|
||
especially has been adamant in its opposition to "carding" and
|
||
rip-off. Here, the issue was the intrusive nature of searches and
|
||
seizures and the initial hyperbole of law enforcement in highly
|
||
visible press releases in their initial euphoria following the raids.
|
||
In an investigation that began "nearly two years" prior to the May 8,
|
||
1990 raids, and in the subsequent 12 months of "analysis of evidence,"
|
||
only two indictments have been issued. Both of those were relegated to
|
||
state court, and the charges are, in the scheme of white collar crime,
|
||
are relatively minor. There have also been questions raised about
|
||
whether the evidence for prosecution might not have either already
|
||
existed prior to Sun Devil or that it could have readily been obtained
|
||
without Sun Devil. The key to the indictment seems to be a ubiquitous
|
||
informant who was paid to dig out dirt on folks. For some, Sun Devil
|
||
raises the issue of use of informants, over-zealousness of
|
||
prosecutors, and lack of accountability in seizures. We fully agree
|
||
that if there is evidence of felonious activity, there should be a
|
||
response. The question, however, is how such evidence is obtained and
|
||
at what social and other costs.
|
||
|
||
Many may disagree with our perspective on these cases, but several
|
||
points remain: 1) Each of them raises significant issues about the
|
||
methods of the criminal justice system in a new area of law; 2) Each
|
||
of them serves as an icon for specific problems (privacy, evidence,
|
||
ethics, language of law, media images, sysop liability to name just a
|
||
few); and 3) In each of them, whatever the culpable status of the
|
||
suspects, there exists an avenue to debate the broader issue of the
|
||
distinction between criminal and simply unethical behavior.
|
||
|
||
Among the issues that, if discussed and debated, would move the level
|
||
of discussion from personalities to common concerns are:
|
||
|
||
1. Overzealous law enforcement action: Prosecutors are faced with the
|
||
difficult task of enforcing laws that are outstripped by technological
|
||
change. Barriers to this enforcement include lack of resources and
|
||
technical expertise, ambiguity of definitions, and vague laws that
|
||
allow some groups (such as AT&T) who seem to have a history of
|
||
themselves attempting to use their formidable economic and corporate
|
||
power to jockey for legal privilege. Legal definitions of and
|
||
responses to perceived inappropriate behavior today will shape how
|
||
cyberspace is controlled in the coming decades. Questionable actions
|
||
set bad precedents. That is why we refer to specific cases as ICONS
|
||
that symbolize the dangers of over-control and the problems
|
||
accompanying it.
|
||
|
||
2. Media distortions: This will be addressed in more detail in a
|
||
future CuD, because it is a critically important factor in the
|
||
perpetuation of public and law enforcements' misconceptions about the
|
||
CU. However, concern for distortion should be expanded to include how
|
||
we all (CuD included) portray images of events, groups, and
|
||
individuals. Some law enforcers have complained about irresponsible
|
||
media accuracy when the alleged inaccuracies have in fact come from
|
||
law enforcement sources. But, media (and other) distortions of CU news
|
||
is not simply a matter of "getting the facts straight." It also
|
||
requires that we all reflect on how we ourselves create images that
|
||
reinforce erroneous stereotypes and myths that in turn perpetuate the
|
||
"facts" by recursive rounds of citing the errors rather than the
|
||
reality.
|
||
|
||
CuD AS PRO HACKER: The CuD moderators are seen by some as defending
|
||
cybercrime of all kinds, and as opposing *any* prosecution of
|
||
"computer criminals. Why must we constantly repeat that a) we have
|
||
*never* said that computer intrusion is acceptable, and b) we fully
|
||
believe that laws protecting the public against computer abuse are
|
||
necessary. This, so I am told, "turns many people off." We have been
|
||
clear about our position. There are occasions when discussion can
|
||
reflect a variety of rhetorical strategies, ranging from reason to
|
||
hyperbole. As long as the issues remain forefront, there seems nothing
|
||
wrong with expressing outrage as a legitimate response to outrageous
|
||
acts.
|
||
|
||
4. Crime and ethics in the cyber-frontier: These issues, although
|
||
separate, raise the same question. Which behaviors should be
|
||
sanctioned by criminal or civil penalties, and which sanctioned by
|
||
collective norms and peer pressure? Unwise acts are not necessarily
|
||
criminal acts, and adducing one's lack of wisdom as "proof" of
|
||
criminality, and therefore sanctionable, is equally unwise. There are
|
||
degrees of abuse, some of which require criminal penalties, others of
|
||
which do not. The CU has changed largely because the number of
|
||
computer users has dramatically increased make the "bozo factor" (the
|
||
point at which critical mass of abusing bozos has been reached making
|
||
them a group unto themselves) has a significant impact on others.
|
||
There are also more opportunities not only to abuse, but to identify
|
||
and apprehend abusers, which increases the visibility of the bozos. We
|
||
can, as we did with the problems of crime, poverty, drugs, and other
|
||
ills, declare a "war" on it (which most certainly means that we've
|
||
lost before we've begun). Or, we can peruse a more proactive course
|
||
and push for equitable laws and just responses to computer abuse while
|
||
simultaneously emphasizing ethics. We fully agree that netethics
|
||
should occur in schools, on the nets, in articles, and every other
|
||
place where cybernauts obtain models and images of their new world.
|
||
But, just as we should identify and work toward ethical behavior
|
||
within the CU, we must also demand that others, such as AT&T, some law
|
||
enforcement agents, BellSouth, et. al., do the same. It is hardly
|
||
ethical to claim that a commodity valued at under $14 is worth over
|
||
$79,000, and it is hardly ethical to compare possession of proprietary
|
||
software with index crimes such as theft, arson, or embezzlement.
|
||
Whether our own perspective is correct or not, the point is that what
|
||
does or does not count as ethical behavior can no longer be assumed,
|
||
but requires a level of debate the extends beyond netlynchings of
|
||
individual suspects.
|
||
|
||
Gene Spafford, like many others who share his view, is a productive
|
||
and competent computer specialist who sees the dark side of computer
|
||
abuse because he defends against it. I, like many others who share my
|
||
view, see the dark side of law enforcement because, as a
|
||
criminologist, I have been immersed in the abuses and fight against
|
||
them. Our different experiences give us different demons to fight, an
|
||
occasional windmill or two with which to joust, and a dissimilar
|
||
arsenal that we use in our battles. Nonetheless, even though there is
|
||
not total agreement on precisely which is a windmill and which a
|
||
monster, Gene suggests that there is shared agreement on a minimal
|
||
common reality and some common goals for making it more manageable. I
|
||
fully, absolutely, and unequivocally agree with Gene:
|
||
|
||
I agree that free speech should not be criminalized.
|
||
However, I also think we should not hide criminal and
|
||
unethical behavior behind the cry of "free speech.
|
||
Promoting freedoms without equal promotion of the
|
||
responsibility behind those freedoms does not lead to a
|
||
greater good. If you cry "wolf" too often, people ignore
|
||
you when the wolf is really there.
|
||
|
||
I would only respond that his observation be taken to heart by all
|
||
sides.
|
||
|
||
********************************************************************
|
||
>> END OF THIS FILE <<
|
||
***************************************************************************
|
||
|
||
------------------------------
|
||
|
||
Date: Thu, 18 Apr 91 16:57:35 EDT
|
||
From: CERT Advisory <cert-advisory-request@CERT.SEI.CMU.EDU>
|
||
Subject: CERT Advisory - Social Engineering
|
||
|
||
********************************************************************
|
||
*** CuD #3.14: File 4 of 6: CERT Advisory ***
|
||
********************************************************************
|
||
|
||
CA-91:04 CERT Advisory
|
||
April 18, 1991
|
||
Social Engineering
|
||
|
||
DESCRIPTION:
|
||
|
||
The Computer Emergency Response Team/Coordination Center (CERT/CC) has
|
||
received several incident reports concerning users receiving requests
|
||
to take an action that results in the capturing of their password.
|
||
The request could come in the form of an e-mail message, a broadcast,
|
||
or a telephone call. The latest ploy instructs the user to run a
|
||
"test" program, previously installed by the intruder, which will
|
||
prompt the user for his or her password. When the user executes the
|
||
program, the user's name and password are e-mailed to a remote site.
|
||
We are including an example message at the end of this advisory.
|
||
|
||
These messages can appear to be from a site administrator or root. In
|
||
reality, they may have been sent by an individual at a remote site,
|
||
who is trying to gain access or additional access to the local machine
|
||
via the user's account.
|
||
|
||
While this advisory may seem very trivial to some experienced users,
|
||
the fact remains that MANY users have fallen for these tricks (refer
|
||
to CERT Advisory CA-91:03).
|
||
|
||
IMPACT:
|
||
|
||
An intruder can gain access to a system through the unauthorized use
|
||
of the (possibly privileged) accounts whose passwords have been
|
||
compromised. This problem could affect all systems, not just UNIX
|
||
systems or systems on the Internet.
|
||
|
||
SOLUTION:
|
||
|
||
The CERT/CC recommends the following actions:
|
||
|
||
1) Any users receiving such a request should verify its
|
||
authenticity with their system administrator before acting on
|
||
the instructions within the message. If a user has received
|
||
this type of request and actually entered a password, he/she
|
||
should immediately change his/her password to a new one and
|
||
alert the system administrator.
|
||
|
||
2) System administrators should check with their user communities
|
||
to ensure that no user has followed the instructions in such a
|
||
message. Further, the system should be carefully examined for
|
||
damage or changes that the intruder may have caused. We also
|
||
ask that you contact the CERT/CC.
|
||
|
||
3) The CERT/CC urges system administrators to educate their users
|
||
so that they will not fall prey to such tricks.
|
||
|
||
SAMPLE MESSAGE as received by the CERT (including spelling errors,
|
||
etc.)
|
||
|
||
OmniCore is experimenting in online - high resolution graphics
|
||
display on the UNIX BSD 4.3 system and it's derivatives [sic].
|
||
But, we need you're help in testing our new product -
|
||
TurboTetris. So, if you are not to busy, please try out the
|
||
ttetris game in your machine's /tmp directory. just type:
|
||
|
||
/tmp/ttetris
|
||
|
||
Because of the graphics handling and screen-reinitialization
|
||
[sic], you will be prompted to log on again. Please do so, and
|
||
use your real password. Thanks you for your support. You'll be
|
||
hearing from us soon!
|
||
|
||
OmniCore
|
||
|
||
END OF SAMPLE MESSAGE
|
||
|
||
If you believe that your system has been compromised, contact CERT/CC
|
||
via telephone or e-mail.
|
||
|
||
Computer Emergency Response Team/Coordination Center (CERT/CC),
|
||
Software Engineering Institute, Carnegie Mellon University,
|
||
Pittsburgh, PA 15213-3890
|
||
|
||
412-268-7090 24-hour hotline: CERT/CC personnel answer
|
||
7:30a.m.-6:00p.m. EST, on call for emergencies during other hours.
|
||
E-mail: cert@cert.sei.cmu.edu
|
||
|
||
Past advisories and other computer security related information are
|
||
available for anonymous ftp from the cert.sei.cmu.edu (128.237.253.5)
|
||
system.
|
||
|
||
********************************************************************
|
||
>> END OF THIS FILE <<
|
||
***************************************************************************
|
||
|
||
------------------------------
|
||
|
||
From: Anonymous <xxx.xxxx.COMPUSERVE.COM>M>
|
||
Subject: And Fox is after the Hollywood Hacker?
|
||
Date: 23 Apr 91 05:12:22 CDT
|
||
|
||
********************************************************************
|
||
*** CuD #3.14: File 5 of 6: Fox and the Hollywood Hacker ***
|
||
********************************************************************
|
||
|
||
Fox's assault on the Hollywood Hacker gets even more bizarre. First
|
||
one of their camera people is busted with a weapon by the Secret
|
||
Service when they found him near President Bush, and now Murray Povich
|
||
has come out with his book that makes us wonder what goes on inside
|
||
the corporate board rooms, bedrooms, and computer rooms.
|
||
|
||
If what Povich says is true, it seems that some of these tabloid tv
|
||
types routinely bustle around spying and snooping, but when somebody
|
||
turns the tables the scream and yell.
|
||
|
||
Consider this from
|
||
"Current Affairs: A Life on the Edge" by Maury Povich with Ken Gross.
|
||
Published 1991 by GP Putnam's Sons.
|
||
|
||
Chapter 14, pgss 207-208.
|
||
|
||
"The launch date for 'Inside Edition' was January of 1989 and we
|
||
went shopping around the satellites, trying to find out what
|
||
stories they were going to do. That's how shows worked--they
|
||
fiddled around with frequencies and latched onto the
|
||
communications channels and listened in on the shop talk. It was
|
||
spying. We all did it, switching around the dials, trying to
|
||
pick up their satellite, pointing the transponders to find their
|
||
bird so we could listen to their teleconferences and their
|
||
stations, trying to winkle out what stories they were after.
|
||
|
||
They were also doing the same thing to us, because they knew how
|
||
we worked and it was part of the game. Young and Tomlin were not
|
||
there for nothing. I knew 'Inside Edition' was into our computer
|
||
because that's the way it is. Maybe it's illegal, but that's the
|
||
'Front Page' mentality."
|
||
|
||
Throughout the entire book, Povich brags about the many and sundry
|
||
ploys, devious tactics, and outright lies used by Current Affair
|
||
staffers to get material (tapes and/or interviews) for their show. He
|
||
constantly puts down the stuffed-shirt/establishment news types and
|
||
makes he and his minions out to be heroic characters-- pioneers of a
|
||
newer, braver school of journalism. "Killer journalists of the
|
||
nineties," he calls them. Their battle cry: "Maybe it's not ethical,
|
||
mate, but it's legal." (pg 254).
|
||
|
||
I thought that maybe inquiring minds would want to know.
|
||
|
||
********************************************************************
|
||
>> END OF THIS FILE <<
|
||
***************************************************************************
|
||
|
||
------------------------------
|
||
|
||
From: Gordon Meyer <72307.1502@COMPUSERVE.COM>
|
||
Subject: MONDO -- GREAT NEW 'ZINE!
|
||
Date: 10 Apr 91 01:24:08 EDT
|
||
|
||
********************************************************************
|
||
*** CuD #3.14: File 6 of 6: MONDO -- Great new 'Zine! ***
|
||
********************************************************************
|
||
|
||
After hearing many good things about a magazine called "Mondo 2000" we
|
||
were pleased to finally locate a copy on a SF Bay area newsstand. In
|
||
the interest of helping to spread the word about this very interesting
|
||
publication we pres-ent a brief overview of the Winter 1991 issue.
|
||
|
||
"Mondo 2000" (issue 3), from Fun City MegaMedia, is a sort of
|
||
cyper-punk/PoMo/Discordian publication covering diverse (and
|
||
fascinating) topics such as designer drugs, a Congressional assault on
|
||
the Constitution, growth hormones, cybernetic jewelry, House Music,
|
||
computer graphics, Frank Zappa's political ambitions, interviews with
|
||
Debbie Harry, Tina Weymouth & Chris Franz, and cracking Macintosh
|
||
software. There is a lot of material here (about 175 pages all total)
|
||
and there is sure to be something to interest most anyone. The
|
||
"reader mail" column indicates that past issues have covered vir-tual
|
||
reality, UFO's, and The Church of the Sub-Genius.
|
||
|
||
In addition the above topics, issue three also contains a number of
|
||
articles of direct relevance to CuD. Namely, articles on the LoD,
|
||
EFF, and the CU in general. [How's that for a plethora of acronyms in
|
||
one sentence?! -GRM] In the "Hackers and Crackers" section we find the
|
||
following selections:
|
||
|
||
* "Do G-Men Dream of Electric Sheep?" by R.U. Sirius and George
|
||
Gleason (pp 40-43) This article essentially presents a time line of
|
||
CU related events beginning with Hackers' 4.0 misrepresentation by
|
||
CBS, thru the Internet worm, NuPrometheus, Operation Sun Devil, and
|
||
Zod's bust. In all, 22 of some of the most significant events are
|
||
chronicled and the article serve as a handy, and disturbing, summary
|
||
of the last couple of years.
|
||
|
||
* "Civilizing the Electronic Frontier: an interview with Mitch
|
||
Kapor and John Barlow of the Electronic Frontier Foundation" by David
|
||
Gans and R.U. Sirius (pp45-49) Kapor and Barlow discuss the FBI's
|
||
investigation of the NuPrometheus League, the origin of the EFF, and
|
||
the future of the law and cyberspace.
|
||
|
||
* "Synergy Speaks: Goodbye Banks, Goodbye Telephones, Goodbye
|
||
Welfare Checks" by Michael Synergy (pp 51-54) A self-professed
|
||
cyberpunk offers brief comments on a variety of topics such as
|
||
viruses, blackmail, the EFF, modern justice, criminal evidence, and
|
||
many more. Synergy's comments aren't in depth, but present views on a
|
||
wide enough selection of topics for someone un-familiar with the
|
||
movement to get an idea of the cyberpunk philosophy.
|
||
|
||
* "Freaked by Phrack: an interview with Craig Neidorf" by John
|
||
Perry Barlow (pp 55-56) An extract from on online interview with
|
||
Neidorf, former publisher of Phrack, Inc. Neidorf discusses the
|
||
nature of Phrack, his trial, and effect it has had on his life.
|
||
|
||
* "A Message to You From Legion of Doom Member 'The Mentor'" by
|
||
The Mentor (p 58) An edited version of "The Conscience of a Hacker"
|
||
or "Hacker Manifesto" as widely published in Phrack, CuD, Thrasher,
|
||
and a number of other places.
|
||
|
||
* "On the Road to Chaos in East Berlin" by Morgan Russell (pp
|
||
60-63) A gonzo-esque account of the Chaos Computer Club Kongress in
|
||
East Berlin. Also mentions the squatters' movement and The Foundation
|
||
for the Advancement of Il-legal Knowledge (AKILKNO).
|
||
|
||
* "The Worlds Oldest Secret Conspiracy: Fronted by Steve Jackson
|
||
Games, Inc." by Gareth Branwyn (pp 64-67) An interview with Steve
|
||
Jackson, concern-ing his business and Secret Service raids brought
|
||
about by _GURPS Cyberpunk_. An excerpt from the book is included.
|
||
|
||
* "Guess Work: an interview with August Bequai" by Gareth
|
||
Branwyn (pp 70-71) This is a particularly enlightening interview with
|
||
Bequai, a well-published expert of computer crime. Although brief,
|
||
Bequai has some 'inter-esting' things to say. Here are some excerpts,
|
||
in the same question/answer format found in the original article:
|
||
|
||
Mondo: ...what do you think about the criticism that, with
|
||
Operation Sun Devil, they've [the feds] unconstitutionally confiscated
|
||
equipment such as public bulletin boards? This sort of thing has
|
||
struck fear in the hearts of many systems operators. The seizure of
|
||
the Steve Jackson Games BBS is a case in point. They were, by the
|
||
admission of the Secret Service, not the target of the investigation.
|
||
And yet their BBS was confiscated.
|
||
|
||
Bequai: Then they have the option to go to court and challenge
|
||
it. We have laws and legal system, and they work!
|
||
|
||
Mondo: If you have the resources!
|
||
|
||
Bequai: You don't necessarily need a lot of resources. It
|
||
doesn't take a heck of a lot of money to go to court and challenge
|
||
some of these things.
|
||
|
||
Mondo: You're telling me it doesn't take a lot of time and
|
||
money to challenge the US Secret Service!?
|
||
|
||
Bequai: No sir, it does not. If you hire a small firm, no.
|
||
|
||
[...]
|
||
|
||
Mondo: What sort of groups do you lecture to:
|
||
|
||
Bequai: Computer professionals, security professionals,
|
||
executive-types, management-types, supervisors, lawyers, government
|
||
officials.
|
||
|
||
Mondo: In a recent speech, you stated that "Millions of
|
||
Americans find themselves the victims of computer crimes" and "The
|
||
public is called upon to pick up the tab for billions of dollars in
|
||
annual losses...at the hands of computer criminals, hackers, and
|
||
pranksters." [...] Where did you get those figures?
|
||
|
||
Bequai: Oh, that's just guess work. White collar crime runs in
|
||
excess of a hundred billion dollars. My sympathy goes to the public.
|
||
I'm not so in-terested in technophiles who think they have an inherent
|
||
right to do whatever they feel. I'm concerned for the average Joe
|
||
Blow American.
|
||
|
||
Bequai is an oft-quoted expert when anti-CU types discuss the hacker
|
||
underground. This article was particularly insightful, and in many
|
||
ways makes the pursuit of MONDO 2000 worthwhile in and of itself.
|
||
|
||
* "Phreaks R Us: an interview with hacker publishers Emmanuel
|
||
Goldstein of 2600 and Rop Gonggrijp of Hack-Tic" by R.U. Sirius and
|
||
George Gleason (pp 74-76) Goldstein and Gonggrijp discuss their
|
||
journals, the CU movement, and freedom of information.
|
||
|
||
In conclusion, MONDO 2000 (issue 3) is worth searching out. It is a
|
||
more than worthy successor to Reality Hackers, and offers many
|
||
articles of interest. It is one of the most fascinating and
|
||
refreshing publications to hit the stands, and will be very enjoyable
|
||
to any CU-attentive individual.
|
||
Mondo 2000 (published quarterly)
|
||
(subscriptions)
|
||
Fun City MegaMedia
|
||
PO Box 10171
|
||
Berkeley, CA 94709-5171 USA
|
||
(correspondence)
|
||
PO Box 40271
|
||
Berkeley, CA 94704
|
||
Fax: 415.649.9630 MCI Mail: MONDO2000
|
||
$24.00 (US) for 5 issues
|
||
|
||
********************************************************************
|
||
|
||
------------------------------
|
||
|
||
**END OF CuD #3.14**
|
||
********************************************************************
|
||
|
||
|
||
|