textfiles/magazines/CUD/cud0778.txt

Computer underground Digest    Sun  Oct 1, 1995   Volume 7 : Issue 78
                           ISSN  1004-042X

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@MVS.CSO.NIU.EDU
       Archivist: Brendan Kehoe
       Shadow Master: Stanton McCandlish
       Field Agent Extraordinaire:   David Smith
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #7.78 (Sun, Oct 1, 1995)

File 1--System Administration as a Criminal Activity
File 2--Learn to Love CoS
File 3--"The Emperor's Virtual Clothes"
File 4--Cu Digest Header Info (unchanged since 19 Apr, 1995)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

From: "John S. Quarterman" <jsq@tic.com>
Subject: File 1--System Administration as a Criminal Activity
Date: Sat, 23 Sep 95 15:06:18 -0500

((MODERATORS' NOTE: John S. Quarterman is author of THE MATRIX:
COMPUTER NETWORKS AND CONFERENCING SYSTEMS WORLDWIDE, which has become
a classic on networking and telecommunications. The following is
reprinted with permission)).

System Administration as a Criminal Activity
or, the Strange Case of Randal Schwartz

Copyright (c) 1995
John S. Quarterman
jsq@mids.org

      From Matrix News, 5(9), September 1995
      Please redistribute this article.
      mids@mids.org, http://www.mids.org
      +1-512-451-7602, fax: +1-512-452-0127

The other week (16 Aug 1995) I went to our local UNIX User's Group
(CACTUS: Capital Area of Central Texas UNIX system User's Group)
meeting and heard Randal Schwartz tell a strange tale.  I'd heard
parts of it before, but the details were more peculiar than the gist.

The gist is that a few mistakes in judgment can easily make a system
administrator into a convicted felon.

Randal began Intel in early 1988, and worked there continuously
(except for two weeks in late 1988) until the end of 1993.  While
working at Intel iWarp (which later became part of SSD, the
Supercomputer System Division), he had recommended they maintain basic
security by following some standard procedures, such as using good
passwords.  (This really is basic, as any security expert from DIA to
NSA to CERT, the Internet's Computer Emergency Response Team, can tell
you.)  He had started checking their passwords by running crack in
mid-1991.

Crack is a program familiar to most system administrators today (and
one distributed by CERT; see ftp://cert.org/pub/tools/crack/).  What
crack does is to attempt to crack a set of passwords, typically as
found in a UNIX /etc/passwd file.  Randal was quite familiar with
crack, having served as a beta tester for crack version 3.  He left
SSD in the middle of 1992 to work for a different Intel division (HF),
and crack was still running in SSD at that time (on autopilot).

While working for Intel, Randal had started giving week-long training
courses for other organizations around the country.  These were about
Perl, a popular programming language invented by Larry Wall.  Since
these courses involved travel, he arranged ways to read his mail at
Intel over the Internet while he was still working for Intel but not
physically present.  This seemed prudent, since, starting in late
1993, he had become responsible for deploying DNS (Domain Name System)
servers throughout Intel.  Since DNS handles the basic mapping of
symbolic hostnames (such as ssd.intel.com) to IP addresses (such as
137.46.3.5), a broken DNS server can adversely affect almost every
other TCP/IP service.  Thus it was useful to know quickly of any
problems with Intel's DNS servers.  Intel has previously told MIDS
that everyone in their company from the President down uses there
enterprise TCP/IP network, so we can see how they would want it to
continue working.

Randal had co-authored a popular book for O'Reilly and Associates
(ORA) about Perl (*Programming Perl*, published January 1991).  He
also took the obvious next step with his training material, and wrote
another Perl book (*Learning Perl*, published November 1993).  He had
an account on ORA's machines, and figured they wouldn't mind if he did
a little testing there.  Against ORA's password files, crack found one
(1) password out of about 200.  And the ORA system administrator,
Tanya Herlick, had already discovered that bad password, so it was
cleaned up almost before Randal even found it (not that either of them
knew what the other was doing at the time).  Thus ORA was a good
comparison case for reasonably good security.

In late 1993, while working for Intel, but in a different division (as
a system administrator for HF), Randal ran crack against the password
file of an SGI machine in SSD where he had an account to support prior
work for SSD.  It found one password straight out of the dictionary
(user ronb password deacon).  This is very bad because it is an
ordinary dictionary word, which makes it easy to crack simply by
trying numerous dictionary words; a task that any programmer can
accomplish.

Randal decided to see how far the problem extended.  He was no longer
working for SSD, but he was currently a system administrator in a
different division, and he was consulting for corporate on the DNS
project.  Security is traditionally part of a system administrator's
job, and a security problem in one division is a security problem in
the whole company if it's on the corporate network, since a
compromised account on one machine can be used as a base to attack
other machines.  This particular user also had an account on the main
SSD server cluster.  Randal guessed that that account would have the
same password.  One might well say the prudent course would have been
to inform the current SSD system administrators of the problem.  But
Randal decided to try it himself.  It was the same.

Randal decided to test the password file for the main SSD cluster.  He
pulled its passwd file over to a fast machine and ran crack on it, and
similarly for other machines in that division.  Crack broke 48 out of
600 passwords.

So, it was clear that Intel's security was not very good.  Crack had
found about 50 likely ways an outsider might break in.  Randal thought
he was doing his employer a big favor by discovering these weak spots
in the company fence.  One of them was particularly bad, since it was
a vice-president's account, and the password was pre$ident, which is
an ordinary dictionary word with one letter (the most obvious letter,
S) replaced with a dollar sign.

Unfortunately, Randal was waiting until he had relatively final
results before informing regular SSD staff of what he was doing.
Meanwhile, one of them noticed that he was running crack, and told his
manager.  The manager, rather than approaching Randal about it,
reported it up the hierarchy.  Evidently many of the powers that be at
Intel thought they had discovered a corporate spy.

Three days later, Randal discovered something was amiss when police
arrived at his house on 1 November 1993.  About half a dozen of them
took all his computer equipment.  Having watched too many episodes of
Dragnet, he figured it was some sort of mistake, and the police would
clear it up if he just cooperated with them and told them anything
they wanted to know.  Unfortunately, real police are paid to find
things to charge people with, and they also kept his computers for 40
days, including the one with his checkbook on it.  He was also
terminated from Intel within the same two hour period as the raid.

He did have the consolation of learning that his new book, just
released on the same day, was selling like hotcakes.

What Randal didn't know was that the report up the Intel hierarchy had
resulted in criminal charges being filed against him.  Oregon has a
vague law against ``altering'' or ``transporting'' computerized
information, with the distinction between the two not being clear.
The D.A. considered moving a password file between two Intel machines
to be at least transporting.  So Randal stood accused of stealing
information from Intel, even though even the D.A. never alleged that
anything left Intel's premises.  Stood accused on three (3) criminal
felony counts.

The indictment was handed down 14 March 1994.  The three felony counts
of Computer Crime according to Oregon State Law are:

 Count 1: altering without authorization two computer systems.

 Counts 2 and 3: accessing a computer with intent to commit theft.

The first count has to do with the remote mail access.  It seems
Intel's interpretation was that Randal had ``altered'' their systems
by, for example, putting a .forward file in his login directory to
cause his mail to be forwarded elsewhere.  The defense attorney
apparently also wanted to show use of Intel accounts for non-Intel
business.

The other two counts have to do with the passwords he discovered on
other people's accounts by running crack.  What he was accused of
stealing (theft) was password files.

Meanwhile, the system administrator at ORA, Tanya Herlick, was
informed by the FBI that someone had allegedly broken into her
systems.  She was at a systems administration conference at the time.
As chance would have it, a security session was scheduled for the same
afternoon, so she asked the assembled administrators what they would
do in her situation.  Their advice was to do the standard things (run
tcpwrapper, install COPS, reinstall old binaries, etc.).  She says:

What no one knew at the time was that this was not a typical hacker
 breakin.  It wasn't a breakin at all in fact.  This did not keep me
 from having a heart attack at the conference however.  I mean,
 someone comes up to you and says "The FBI called and said someone
 hacked your main server."  And you were 2,000 miles away and afraid
 to log on (and definitely not as root)? What would you do?

She didn't know that the alleged perpetrator was Randal, which would
have been interesting, since he was known to her audience through his
books and tutorials and through USENET and the Internet.  She says:

 If I had known it was Randal, I possibly wouldn't have even brought
 it up!  ... Not because Randal is any kind of white knight or
 anything, but because I knew he had an account on our system so it
 couldn't have been a breakin.  I found out early the next morning
 that it was him.  I ran into Tim (O'Reilly) after I found out and it
 turned out that he already knew cause Randal had called him.

What she actually did was to disable Randal's account for a couple of
days and then reinstate it after talking to him.

The case went to a jury trial.  Some of the jury members apparently
did own computers, but of course anybody who might do anything
remotely resembling system administration was rejected.  This is
evidently common practice these days; a jury of your peers means
nobody that does what you do.

The ORA systems administrator testified (by telephone) for the defense
at the trial, saying that Randal still had his account at ORA and they
had no intention of taking any legal action against him.  Tim O'Reilly
(founder and President of ORA) even spoke up for Randal when asked by
the press.

Tanya Herlick says:

 If Randal had come to me and asked if he could run crack I would have
 said no.  It was presumptuous of him to think we wouldn't mind.  If
 anything, a system admin should know this better than other users.
 However, it is not a crime.  Just inappropriate (I wish I could have
 had the chance to say this at the trial, but I didn't).

Nonetheless, Randal was found guilty on all counts, on 25 July 1995.

The deciding factor may have been the prosecutor's final summary, in
which he made the analogy of letting a carpenter into your house to
fix the garage and finding him upstairs rifling your personal papers.
Never mind that the analogy is not apt, if for no other reason because
Randal *was* fixing the garage, to the best of his abilities and of
his understanding of his job description.  The jury didn't know that.

Randal is now a convicted felon, unable to vote, hold public office,
serve on a jury, or fulfill government contracts.  And he's already
spent $112,000 in legal fees, with an expection of a total of $140,000
just for the first trial.  All for helping his employer.

Why did this happen?

It wasn't because of the regular Intel staff.  Apparently they tried
to get their bosses to talk to Randal directly, and were told that
that would not be possible.

It was of course partly because Randal made mistakes.  For example,
one might count not keeping both Intel and ORA informed, and trying
the account with the deacon password.  He readily admits he made
mistakes, and has apologized to Intel more than once in public for
doing so.

But if Intel thought he had exceeded his authority as a systems
administrator or had shown poor judgment, they had plenty of recourse
available to them by traditional methods, ranging from a talk in his
supervisor's office to a cut in pay to being summarily fired and
walked out the gate.  Instead they brought criminal charges.

Randal also made mistakes during the legal proceedings.  The police
did read him his Miranda rights, and he now knows that ``you have the
right to remain silent'' is a very good phrase to consider without
speaking.

And he made at least one bad mistake during the trial.  When asked by
the prosecutor whether he had done what he had done for personal gain,
he thought about it and considered that helping his employer would
make him look good, bring in more consulting, maybe increase his pay,
etc., and said (one may well say foolishly), ``yes.'' The prosecutor,
no dummy, brought this up during his summation.

It may be relevant that that the prosecutor apparently remarked, in a
news conference after the verdict, that it would send a message that
Oregon was "safe for business".  It may also be relevant that Intel is
the largest employer in the state.  Not that this case (or the problem
it represents, anyway) is specifically about Intel; it could have
happened at any largish company or university.

System adminstrators almost always work in very vague job
descriptions, with little or no demarcation of the scope of their
activities or when or to whom they should report them.  Consultants
work under even more vague job descriptions, because they can't even
be required to work at specific hours or told when to work on specific
tasks or the IRS won't consider them to be consultants.  Intel is not
alone or even unusual in having no clear usage guidelines about their
systems.  The risk of the hierarchy at any large organization getting
incensed at some (to them) clerical worker running something called
``crack'' and finding out that, for example, high level executives
have bad (not to mention embarrassing) passwords, is always with us.

The nature of system administration leads to all sorts of
possibilities of civil or criminal charges.  If not crack, how about
illegal transportation of company property off the premises (taking
source listings home to study)?  Or illegal use of university
communications facilities for political purposes (sending an
electronic mail message to your Congress member)?  Or illegal export
of controlled processes (such as PGP, in the Phil Zimmermann case)?
Or, if the U.S. Senate has its way, ``making available'' files that
some D.A. chooses to consider ``indecent''?  The possibilities are
numerous.  They aren't limited to system administrators, either.  The
nature of, oh, library work has become so involved with computers and
networks these days that librarians, or professors, or schoolteachers,
or, yes, secretaries could be subject to the same difficulties.

Once again, Randal made mistakes.  The nature of Randal's mistakes was
such that you or I could easily have made them or others quite like
them.

The response to Randal's mistakes was out of all proportion to what he
did, under any reasonable interpretation by people knowledgable of the
nature of his work.  We're not talking Kevin Mitnich here; this is not
about a KGB-funded malicious cracker.  For that matter, the liberties
Randal took were small compared to those certain well-known trackers
of wiley hackers have taken in their self-appointed detective work.
We're not even talking Robert Morris Jr., where the alleged
perpetrator clearly was, for whatever reason, at least using lots of
computers in organizations that had not given him any permission.
We're talking a system administrator trying to do his job and being
branded a felon for simple mistakes in who he informed and when.

Sentencing in Randal's case is scheduled for 11 September.  The
sentence could involve any or all of jail time, a hefty fine, damages,
and a requirement not to leave the state.

It is possible to request leniency from the judge.  Letters of support
for Randal Schwartz to be put before the judge should be sent to his
lawyer's office so they can be presented to the judge as a package.
Randal's lawyer's address is:

      Marc Sussman
      503-221-0520
      135 SW Ash
      Suite 600
      Portland OR 97204

      Re: Randal Schwartz

Or send mail to fund@stonehenge.com to find out how else you can
assist Randal, for example financially.  That electronic mail address
goes to an autoresponder which will also send you Randal's short version
of the story.

On a personal note, I'd like to say that I actually had never met
Randal until he came to Austin recently.  However, when he sent me a
note in advance asking for a guest account on our Internet Service
Provider (Zilker Internet Park) so he could read his mail, read news,
look at web pages, etc., without having to call long distance back to
Portland, I had no hesitation in providing him one.  Yes, I knew he was
a convicted felon.  I also knew he was the co-author of *Learning Perl*
and *Programming Perl*, which are two of the most useful books about
one of the most useful programming languages I've ever encountered.  I
also knew a number of people he had taught Perl in his classes.  And I
had heard a version of his story before.  This man should not be
labeled a criminal.  He is, in fact, a pillar of the UNIX and Internet
communities (see his web page, http://www.teleport.com/~merlyn).  The
World Wide Web, for example, would not have grown as quickly and as
easily as it did without Perl, nor without Randal's efforts to
promulgate Perl.

Does being a pillar of the community make one immune from criminal
activity?  No (just ask Ivan Boesky).  However, I do not see how simple
timing mistakes while attempting to do one's job in the generally
accepted manner constitute felonious behavior.

Randal is taking this whole thing rather philosophically.  He thinks
the main benefit that could come out of it would be to prevent future
erroneous felony charges of this kind.

Much of the above account does come from Randal.  I have no reason
to doubt that he is telling the truth, but of course there may always
be more to the story.

If anyone has reports that cast a different light on the matter, do
send them in.  So far, the worst I've heard has been someone claiming
to know that Randal had ``broken into at least one system previously.''
This turned out to be an allusion to him running crack on ORA's
systems, which is something that he not only readily admits but
discussed at some length at the CACTUS meeting.  If he really did find
that crack could break no (zero) passwords on ORA's machines, it would
seem that ``broken into'' would be a rather inaccurate description.
Not to mention he already had accounts on ORA's machines.

Could it be that once someone is charged with criminal activity the
networked community considers that they must have done something to
deserve it?  If so, the networked world is much like the rest of the
world, indeed.  Actually, the discussion online has been mostly in
favor of Randal.  Incidentally, we have not yet received input from
Intel, but we would be happy to print some when we get it.

The discussion in the mainstream press has been mostly nonexistant.
Except for the local Portland newspaper and television station,
apparently no major news medium has carried the story.
So, it appears that *Matrix News* is the first national and
international publication to break the story.

====================================================================

Date: Fri, 15 Sep 1995 03:41:02 -0700
To: jsq@tic.com (John Quarterman)
Subject--Re--test

[This message was generated automatically because you sent me mail
containing @FUND on a line by itself, or sent mail to fund@stonehenge.com.
I did not read the rest of your note -- merlyn]

On March 14th, 1994, I was indicted on three felony counts of Computer
Crime according to Oregon State Law.  The "victim" and accuser is
Intel Corporation (yes, the multinational microchip manufacturer), a
client of mine for five years running, and possessor of vastly greater
financial, time, and legal resources than I could ever muster up.

On July 25th, 1995, I was convicted of those same counts.

On September 11th, 1995, the sentencing went as follows (counts are
described later):

Count 1, reduced to a misdemeanor, 5 years probation, 90 days jail to
begin september 1, *1998*.  However, 60 days before this date I can
petition the court to demonstrate excellent behavior and
rehabilitation, and they may dismiss the jailtime.  Disclosure
required (see below).

Count 2, 2 years probation, 480 hours of community service, disclosure
required (see below).

Count 3, 2 years probation, 480 hours of community service (hours
count for both counts 2 and 3, so it's 480 total, not 960).
Disclosure required (see below).

Restitution hearing still to be set. Intel is asking for an additional
$9,000 over the original $63,000.

Disclosure: I must not become either a contract employee or employee
without my potential employer becoming fully aware of my conviction.

I attend my "probation induction" meeting on September 20th.  More
details then.

The charges are as follows:

Count 1: altering without authorization two computer systems.

Counts 2 and 3: accessing a computer with intent to commit theft.

First, let me say that I am sorry that I caused Intel any grief or
hardship, and that in hindsight, I should have been clearer about my
intention and actions.  I'll never get to work at Intel again, and my
mistakes may even make it nearly impossible to get any work at any
location that respects Intel's beliefs about me.

However, my actions were motivated by my desire to give Intel the best
possible value for the money they were paying me.  At no time did I
*intend* to have any harm come to Intel, and any damage they may claim
resulted from their mopping up on things that I *might* have done but
they couldn't tell I hadn't.

In short, count 1 comes from me having installed two different methods
of accessing my Intel e-mail through the Internet while I was away but
still working for Intel.  I was responsible for the timely deployment
of the DNS servers for the entire corporation, and a system
administrator on some network support machines, and I wanted to keep
on top of developing situations.  I believed at the time that I was
complying with the intent of every rule I was aware of regarding the
setup of these access methods, but it became clear at the trial that
my understanding was very different from their understanding.

Count 1 is also based on a law about which we have raised
constitutional questions of overbreadth and vagueness.  We always
thought these issues would require appellate examination.

Counts 2 and 3, as I understand it, result from their claim that I
committed "theft" of a password file from the SSD division by
copying it to a machine in the HF division where I was working and
that by running crack (the password guesser) on the file, I also
committed "theft" of the passwords.  I was a sysadm for SSD about a
year and a half previous, and I still had an active account on a lab
machine at SSD.  I had discovered that a user at SSD had picked a
dictionary word ("deacon") for a password on the lab machine.
Fearing that the SSD folks had stopped running crack regularly, I
copied the SSD password file (using the cracked password from the lab
machine) and found that my fears were justified.  (The vice
president's password was "pre$ident", for example.) However, I now
had vital information that I had obtained through the use of a cracked
password, and I was in an awkward situation.  Before I reported the
findings to SSD, a co-worker noticed the crack runs (they were 6-8
days long!) running under my own userID on the systems that we shared
at HF, and feared the worst: that I had turned into a spy and was
actually stealing secrets.

Yes, as you can see, I made a number of bone-headed mistakes (not
getting the rules about internet access clear, not reporting the
single bad cracked password, and not immediately reporting the results
of the crack run), and I probably should have been terminated for
those mistakes, but NONE OF THE ACTS WERE BASED ON MALICIOUS INTENT.

I have fought the charges using money out of my pocket and
borrowed on credit cards, and the goodwill of many special Net
Citizens such as the folks at the Electronic Frontier Foundation.

If you'd like to help, you may choose to *pay* me for "services
rendered" by me to you which you had formerly received for free.  Any
such money will be disclosed as income, and thus not tax-deductable
unless you're a business and want to file a 1099 on me.  If you wish
to contribute in blind faith that this David vs. Goliath story might
make sense when the smoke clears, send a check made out to
"Stonehenge" to:

   Stonehenge Consulting Services
   attn: Legal Defense Fund
   4470 SW Hall Suite 107
   Beaverton, Oregon 97005-2122

I regret that I cannot accept credit-card payments.  If you cannot
send a check, please buy a copy of the Llama book for a friend or the
library (or for yourself)!

((list of contributors deleted ... CuD Moderators))

------------------------------

Date: 26 Sep 95 09:38:22 EDT
From: Lance Rose <72230.2044@COMPUSERVE.COM>
Subject: File 2--Learn to Love CoS

Church of Scientology: Sit Back & Watch the Show

Reports of CoS' setbacks in its case against Lerma are swiftly making the
rounds on the Net.  One gets the impression of Net denizens pumping their
fists in the air, another victory in the Net's struggles against the Church.
And indeed, the Church has taken on the Net full bore: with this lawsuit,
the Ehrlich lawsuit, the harassment of anonymous remailers, and all the
rest, now followed with as much detailed attention as the O.J. case by a
significant proportion of onliners.

However, those holding the attitude of being (at least vicariously)
part of a war against CoS are, I submit, just wasting their time.
Those *actually* at war with CoS are: (1) the guys who probably are
may be violating their copyrights, and (2) the online operations
dragged into it by the CoS.

As to (1), don't hold your breath waiting for gross copyright
violations to be endorsed by any court.  There may be some interesting
rulings on fair use on the Net, but that's as far as it will go. And
if these guys are actually violating copyrights, why go to the mat for
them? Seems to me it would be far better to put one's energies into
supporting outfits that don't rip others off.  And the fact that the
defendants have been posting entire CoS tracts, or large chunks of
them, puts the burden on them to justify their activities.

As to (2), any online services and the like dragged into the CoS
battles deserve all the support they can get.  They deserve not to be
implicated in CoS' battles against identified, alleged infringers. If
anyone wants to help them out, they certainly should.

But what about the rest of us?  Should we really be considering CoS
the "bad guy" here?  Perhaps they're doing all of us on the Net
(except their specific targets) an enormous favor.

Up to now, we've had a lot of flowery talk about the Net's resistance
to any form of censorship.  But until CoS was aroused, how many
deliberate, focused and persistent attacks on the Net distribution
system have we actually seen? None.

CoS is giving us all an opportunity to see just how robust and
adaptive the Net really is.  No more flowery talk.  Let's see how well
the Internet "routes around" censorship outfits like CoS.

Why waste time reviling CoS?  They're the first real Beta tester for
the Net's supposed resistance to power games, and they're real, real
eager.  Look at the hackers, who say they perform the valuable
function of showing supposedly secure systems their security holes in
advance of an actual hostile threat. CoS is performing precisely the
same function for the Net as a whole, and they're bringing in tools
and weapons far beyond the means of most hackers. They're not only
trying to cancel stuff out online (and I imagine, getting better at it
over time) in the hacker arena, they've also got a bevy of lawyers
using every legal trick in the book out in the land of courts and
cops.

In sum, CoS is doing a service for the bulk of the Net by showing us
what our expectations properly should be regarding attacks by powerful
groups against Net activities.

Why is recognition of this aspect of the CoS affair barely ever even
mentioned?  I believe it may be due to an early manifestation of
something very interesting: the emergence of Net mind, colonizing the
consciousnesses of those who spend a lot of time here. If CoS makes
various attacks against the Net, the Net does not just "route around"
it; it develops an attitude of resistance against the hostile invader,
and that attitude is distributed to a significant portion of
individual Net users. CoS is the bad guy. True Net believers rally
against them. We go to war until the invader is hopefully expelled.
Perhaps in the minds of Net faithful there's a little pledge of
allegiance, "to the collective, of the united believers on the
Internet" or some such once per morning, or around the clock.

If this is occurring, then I must issue a caution: keep your own mind.
Groupthink on the Net can be just another fascistic environment, if
we're not careful.  The proper response to CoS is not to form into its
mirror image, but to act on a more mature basis as a collective of
independently thinking individuals.  If we're capable of that.

Please understand I'm not saying that the wrongful targets of CoS
agendas should just grin and bear it.  They should fight back like
hell, and kick some butt (except for those who might actually be in
the wrong). And anyone who's moved to help defend wrongful targets of
CoS should certainly extend that help.

But for the rest of us, we serve ourselves best by watching the CoS
debacle unfold.  Learn what it tells us about the true strengths and
weaknesses of the Net.  Without tests like this, we'd be so busy
slapping each other on the back about the Net's resistance to attack
that when a real, general attack comes (such as a crypto-castrated
Net, courtesy of our national governments), we'd all be goners. And in
order to have a clear look, it would probably be best to stop looking
at CoS as "the problem", and start looking at it as part of the
solution.

                                       - Lance Rose

------------------------------

From: Alan Janesch <axj12@psu.edu>
To: cudigest@sun.soci.niu.edu
Subject: File 3--"The Emperor's Virtual Clothes"

Per your request, here's the news release on Dinty W. Moore's new book,
"The Emperor's Virtual Clothes."

THE INTERNET WON'T CHANGE US, IT'LL JUST SPEED THINGS UP, SAYS PENN
STATE AUTHOR

University Park, Pa. -- The Internet is: a. the greatest thing since
sliced bread; b. the work of the devil; c. going to change every
aspect of our lives, including the way we think; d. pretty much the
same as the rest of our lives, although maybe a little bit faster.

        Dinty W. Moore (yes, that's his real name), a Penn State English
professor and author of "The Emperor's Virtual Clothes: The Naked Truth
about Internet Culture," says the correct answer is "d."
        "Most of what's being predicted or touted about the Internet is an
exaggeration," says Moore. "It's neither as wonderful as its proponents
claim nor as horrifying as its critics believe. What I've found is that the
Internet is not going to change who we are, change the way we think and the
way we learn, or change the essential way that we communicate, much less
transform our culture, alter the political process, or rearrange the
balance of world power. What the Internet is doing is making it faster and
easier for people with similar interests to find each other and talk to
each other -- no matter where in the world they live."
        The bottom line, Moore says, is that the information highway is
simply speeding things up, not changing our destination.
        "We are talking about a machine here: a pretty interesting one, but
basically a big machine that spits data across long distances. Despite what
varied sorts of machines we have at our disposal, despite all the uploads
and downloads and listservers in the world, we are still going to be the
same human beings, the same contentious, territorial, ridiculous, lovely,
procastinating souls," Moore writes in his new book.
        "Wherever the human race is headed -- and I'm not sure where that
is -- the Net may get us there faster, but we are still headed the same
way. The electronic culture won't change the content of our lives, it will
simply change the pace."
        Moore ought to know. To do the book, which is being published this
month by Algonquin Books, he spent eight months trolling the Internet --
the loose, decentralized network that links upwards of 35 million computer
users worldwide.
        A former documentary filmmaker and UPI reporter, Moore met the
Internet's denizens on their own turf (on-line) and even interviewed some
of them face-to-face. (Moore, by the way, is named not after the famous
beef stew, but for a character in the early-1900s comic strip, "Bringing Up
Father.") Through his research, Moore found that the Internet, more than
anything else, mirrors human existence in all its various forms -- the good
as well as the bad and the ugly.
        That means that while you can indeed find "flames" (insulting
language), "cybersex" (basically, talking dirty via real-time electronic
mail) and pornography on the Internet, Moore says, you can also find
intelligent, thoughtful people who care about ideas and issues and who also
care about the people in their Internet communities.
        Moore says what surprised him most about the Internet "is how much
this cold, sterile electronic medium is really opening up communications
with other human beings for select groups of people -- not for everybody,
but for instance for people who are housebound, who have anxiety disorders
or agoraphobia, who have some sort of real or perceived secret that they
are unwilling to share with anybody in a face-to-face situation. Here, they
can go on-line and bare their souls and hear other people say, 'You know, I
feel that way, too,' or 'You know, you can get help for that,' or 'You
know, you're not so bad, that's a normal feeling.' People find this
positive and healing, and it enhances their lives."
        One of Moore's discoveries was a group of "virtual" friends who
have met through an electronic community called the Cellar, a small
bulletin board system (BBS) based in Montgomery County, about a 45-minute
drive north of Philadelphia.
        What makes this group different from the thousands of BBS's
scattered around the world is that once or twice a year they power down
their computers, flip off the high-resolution monitors, and leave home for
a face-to-face GTG (get-together) at the home of the Cellar's owner.
        The Cellar dwellers, Moore says, were not "awkward, ashen-faced
computer junkies. Well, okay, there were a few. But I was surprised by just
how interesting they were, and how sociable, compared to my own
preconceptions. I was also surprised by how well they could cook."
        One other surprise for Moore was how easily the Cellar's
heterosexual males accepted its "transgendered" subculture. For example,
one patron of the Cellar is a married man with two daughters who has always
sent messages as "Janice" and never refers to what he calls his "birth
gender." Some of the Cellar's patrons are surprised when they discover
"Janice" is not a woman, but on the whole they are very accepting.
        "Gender-switching on the Internet is probably confusing to a lot of
people, but some people find it extremely freeing," says Moore. "They like
to lose themselves in a fantasy, and as far as I can determine this is a
pretty benign, harmless way for them to do it."
        Moore devotes a chapter to the dark side of the Net -- on-line
child stalking by pedophiles, pornography, hate messages, flames, and so on
-- but he doesn't buy into "the current hysteria to regulate the Internet."
        "The Internet will sort itself out, just as any other innovation in
our society has sorted itself out," Moore says. "Society hasn't yet figured
out a way to deal with on-line crimes or other undesirable behavior. But we
have managed to deal with these kinds of things in other areas and I think
we will in this venue, too."
        Illegal or other unsavory activities on the Net "are really an
infinitesmal part of what's happening there, but they've been exploded into
a gigantic headline," says Moore.
        "The Internet is no scarier than the real world. In fact, it's less
scary. You can get flamed, you can get approached, you can get frightening
things said to you. But the people who do these things are thousands of
miles away and they don't really know who you are, so they can't really get
at you."
        Moore has put his money where his mouth is by listing his e-mail
address in the book. "Hopefully, readers of the book will ask me questions,
blow off steam, pay me a compliment. I'm not giving them my home address,
so they can't throw eggs at my house. I'm not giving them my phone number,
so they can't call me up at three in the morning. All they can do is fill
my electronic mailbox with e-mail, and if they're too tough on me I can
always erase their messages."

*aj*

Editors: For a review copy of "The Emperor's Virtual Clothes: The Naked
Truth about Internet Culture," contact Beverley Smith at Algonquin Books of
Chapel Hill, (919) 967-0108.

------------------------------

Date: Sun, 19 Apr 1995 22:51:01 CDT
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 4--Cu Digest Header Info (unchanged since 19 Apr, 1995)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send a one-line message:  SUB CUDIGEST  your name
Send it to  LISTSERV@VMD.CSO.UIUC.EDU
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CUDIGEST
Send it to  LISTSERV@VMD.CSO.UIUC.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE:  In BELGIUM: Virtual Access BBS:  +32-69-844-019 (ringdown)
         Brussels: STRATOMIC BBS +32-2-5383119 2:291/759@fidonet.org
         In ITALY: ZERO! BBS: +39-11-6507540
         In LUXEMBOURG: ComNet BBS:  +352-466893

  UNITED STATES:  etext.archive.umich.edu (192.131.22.8)  in /pub/CuD/
                  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
  EUROPE:         nic.funet.fi in pub/doc/cud/ (Finland)
                  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

  JAPAN:          ftp://www.rcac.tdi.co.jp/pub/mirror/CuD

The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
  URL: http://www.soci.niu.edu:80/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

------------------------------

End of Computer Underground Digest #7.78
************************************