Computer underground Digest Wed Sep 30, 1992 Volume 4 : Issue 47 Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivist: Dan Carosone Copy Editor: Rtaion Shrdleau, Esq. CONTENTS, #4.47 (Sep 30, 1992) File 1--Statement of Principle File 2--NEW WINDO BILL (HR 5983) File 3--"In House Hackers" (Excerpts from the WSJ) File 4--Software Piracy: A Felony? File 5--Hacker hits Cincinnati Phones Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT libraries; from America Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; and by anonymous ftp from ftp.eff.org (192.88.144.4) and ftp.ee.mu.oz.au Back issues also may be obtained from the mail server at mailserv@batpad.lgb.ca.us European distributor: ComNet in Luxembourg BBS (++352) 466893. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Wed, 23 Sep 92 22:15:02 EDT From: bruces@well.sf.ca.us Subject: File 1--Statement of Principle Bruce Sterling bruces@well.sf.ca.us Catscan 10 From SCIENCE FICTION EYE #10 A STATEMENT OF PRINCIPLE I just wrote my first nonfiction book. It's called THE HACKER CRACKDOWN: LAW AND DISORDER ON THE ELECTRONIC FRONTIER. Writing this book has required me to spend much of the past year and a half in the company of hackers, cops, and civil libertarians. I've spent much time listening to arguments over what's legal, what's illegal, what's right and wrong, what's decent and what's despicable, what's moral and immoral, in the world of computers and civil liberties. My various informants were knowledgeable people who cared passionately about these issues, and most of them seemed well-intentioned. Considered as a whole, however, their opinions were a baffling mess of contradictions. When I started this project, my ignorance of the issues involved was genuine and profound. I'd never knowingly met anyone from the computer underground. I'd never logged-on to an underground bulletin-board or read a semilegal hacker magazine. Although I did care a great deal about the issue of freedom of expression, I knew sadly little about the history of civil rights in America or the legal doctrines that surround freedom of the press, freedom of speech, and freedom of association. My relations with the police were firmly based on the stratagem of avoiding personal contact with police to the greatest extent possible. I didn't go looking for this project. This project came looking for me. I became inextricably involved when agents of the United States Secret Service, acting under the guidance of federal attorneys from Chicago, came to my home town of Austin on March 1, 1990, and confiscated the computers of a local science fiction gaming publisher. Steve Jackson Games, Inc., of Austin, was about to publish a gaming-book called GURPS Cyberpunk. When the federal law-enforcement agents discovered the electronic manuscript of CYBERPUNK on the computers they had seized from Mr. Jackson's offices, they expressed grave shock and alarm. They declared that CYBERPUNK was "a manual for computer crime." It's not my intention to reprise the story of the Jackson case in this column. I've done that to the best of my ability in THE HACKER CRACKDOWN; and in any case the ramifications of March 1 are far from over. Mr Jackson was never charged with any crime. His civil suit against the raiders is still in federal court as I write this. I don't want to repeat here what some cops believe, what some hackers believe, or what some civil libertarians believe. Instead, I want to discuss my own moral beliefs as a science fiction writer -- such as they are. As an SF writer, I want to attempt a personal statement of principle. It has not escaped my attention that there are many people who believe that anyone called a "cyberpunk" must be, almost by definition, entirely devoid of principle. I offer as evidence an excerpt from Buck BloomBecker's 1990 book, SPECTACULAR COMPUTER CRIMES. On page 53, in a chapter titled "Who Are The Computer Criminals?", Mr. BloomBecker introduces the formal classification of "cyberpunk" criminality. "In the last few years, a new genre of science fiction has arisen under the evocative name of 'cyberpunk.' Introduced in the work of William Gibson, particularly in his prize-winning novel NEUROMANCER, cyberpunk takes an apocalyptic view of the technological future. In NEUROMANCER, the protagonist is a futuristic hacker who must use the most sophisticated computer strategies to commit crimes for people who offer him enough money to buy the biological creations he needs to survive. His life is one of cynical despair, fueled by the desire to avoid death. Though none of the virus cases actually seen so far have been so devastating, this book certainly represents an attitude that should be watched for when we find new cases of computer virus and try to understand the motivations behind them. "The New York Times's John Markoff, one of the more perceptive and accomplished writers in the field, has written than a number of computer criminals demonstrate new levels of meanness. He characterizes them, as do I, as cyberpunks." Those of us who have read Gibson's NEUROMANCER closely will be aware of certain factual inaccuracies in Mr. BloomBecker's brief review. NEUROMANCER is not "apocalyptic." The chief conspirator in NEUROMANCER forces Case's loyalty, not by buying his services, but by planting poison-sacs in his brain. Case is "fueled" not by his greed for money or "biological creations," or even by the cynical "desire to avoid death," but rather by his burning desire to hack cyberspace. And so forth. However, I don't think this misreading of NEUROMANCER is based on carelessness or malice. The rest of Mr. BloomBecker's book generally is informative, well-organized, and thoughtful. Instead, I feel that Mr. BloomBecker manfully absorbed as much of NEUROMANCER as he could without suffering a mental toxic reaction. This report of his is what he actually *saw* when reading the novel. NEUROMANCER has won quite a following in the world of computer crime investigation. A prominent law enforcement official once told me that police unfailingly conclude the worst when they find a teenager with a computer and a copy of NEUROMANCER. When I declared that I too was a "cyberpunk" writer, she asked me if I would print the recipe for a pipe-bomb in my works. I was astonished by this question, which struck me as bizarre rhetorical excess at the time. That was before I had actually examined bulletin-boards in the computer underground, which I found to be chock-a-block with recipes for pipe-bombs, and worse. (I didn't have the heart to tell her that my friend and colleague Walter Jon Williams had once written and published an SF story closely describing explosives derived from simple household chemicals.) Cyberpunk SF (along with SF in general) has, in fact, permeated the computer underground. I have met young underground hackers who use the aliases "Neuromancer," "Wintermute" and "Count Zero." The Legion of Doom, the absolute bete noire of computer law-enforcement, used to congregate on a bulletin-board called "Black Ice." In the past, I didn't know much about anyone in the underground, but they certainly knew about me. Since that time, I've had people express sincere admiration for my novels, and then, in almost the same breath, brag to me about breaking into hospital computers to chortle over confidential medical reports about herpes victims. The single most stinging example of this syndrome is "Pengo," a member of the German hacker-group that broke into Internet computers while in the pay of the KGB. He told German police, and the judge at the trial of his co-conspirators, that he was inspired by NEUROMANCER and John Brunner's SHOCKWAVE RIDER. I didn't write NEUROMANCER. I did, however, read it in manuscript and offered many purportedly helpful comments. I praised the book publicly and repeatedly and at length. I've done everything I can to get people to read this book. I don't recall cautioning Gibson that his novel might lead to anarchist hackers selling their expertise to the ferocious and repulsive apparat that gave the world the Lubyanka and the Gulag Archipelago. I don't think I could have issued any such caution, even if I'd felt the danger of such a possibility, which I didn't. I still don't know in what fashion Gibson might have changed his book to avoid inciting evildoers, while still retaining the integrity of his vision -- the very quality about the book that makes it compelling and worthwhile. This leads me to my first statements of moral principle. As a "cyberpunk" SF writer, I am not responsible for every act committed by a Bohemian with a computer. I don't own the word "cyberpunk" and cannot help where it is bestowed, or who uses it, or to what ends. As a science fiction writer, it is not my business to make people behave. It is my business to make people imagine. I cannot control other people's imaginations -- any more than I would allow them to control mine. I am, however, morally obliged to speak out when acts of evil are committed that use my ideas or my rhetoric, however distantly, as a justification. Pengo and his friends committed a grave crime that was worthy of condemnation and punishment. They were clever, but treacherously clever. They were imaginative, but it was imagination in a bad cause. They were technically accomplished, but they abused their expertise for illicit profit and to feed their egos. They may be "cyberpunks" -- according to many, they may deserve that title far more than I do -- but they're no friends of mine. What is "crime"? What is a moral offense? What actions are evil and dishonorable? I find these extraordinarily difficult questions. I have no special status that should allow me to speak with authority on such subjects. Quite the contrary. As a writer in a scorned popular literature and a self-professed eccentric Bohemian, I have next to no authority of any kind. I'm not a moralist, philosopher, or prophet. I've always considered my "moral role," such as it is, to be that of a court jester -- a person sometimes allowed to speak the unspeakable, to explore ideas and issues in a format where they can be treated as games, thought-experiments, or metaphors, not as prescriptions, laws, or sermons. I have no religion, no sacred scripture to guide my actions and provide an infallible moral bedrock. I'm not seeking political responsibilities or the power of public office. I habitually question any pronouncement of authority, and entertain the liveliest skepticism about the processes of law and justice. I feel no urge to conform to the behavior of the majority of my fellow citizens. I'm a pain in the neck. My behavior is far from flawless. I lived and thrived in Austin, Texas in the 1970s and 1980s, in a festering milieu of arty crypto-intellectual hippies. I've committed countless "crimes," like millions of other people in my generation. These crimes were of the glamorous "victimless" variety, but they would surely have served to put me in prison had I done them, say, in front of the State Legislature. Had I lived a hundred years ago as I live today, I would probably have been lynched by outraged fellow Texans as a moral abomination. If I lived in Iran today and wrote and thought as I do, I would probably be tried and executed. As far as I can tell, moral relativism is a fact of life. I think it might be possible to outwardly conform to every jot and tittle of the taboos of one's society, while feeling no emotional or intellectual commitment to them. I understand that certain philosophers have argued that this is morally proper behavior for a good citizen. But I can't live that life. I feel, sincerely, that my society is engaged in many actions which are foolish and shortsighted and likely to lead to our destruction. I feel that our society must change, and change radically, in a process that will cause great damage to our present system of values. This doesn't excuse my own failings, which I regret, but it does explain, I hope, why my lifestyle and my actions are not likely to make authority feel entirely comfortable. Knowledge is power. The rise of computer networking, of the Information Society, is doing strange and disruptive things to the processes by which power and knowledge are currently distributed. Knowledge and information, supplied through these new conduits, are highly corrosive to the status quo. People living in the midst of technological revolution are living outside the law: not necessarily because they mean to break laws, but because the laws are vague, obsolete, overbroad, draconian, or unenforceable. Hackers break laws as a matter of course, and some have been punished unduly for relatively minor infractions not motivated by malice. Even computer police, seeking earnestly to apprehend and punish wrongdoers, have been accused of abuse of their offices, and of violation of the Constitution and the civil statutes. These police may indeed have committed these "crimes." Some officials have already suffered grave damage to their reputations and careers -- all the time convinced that they were morally in the right; and, like the hackers they pursued, never feeling any genuine sense of shame, remorse, or guilt. I have lived, and still live, in a counterculture, with its own system of values. Counterculture -- Bohemia -- is never far from criminality. "To live outside the law you must be honest" was Bob Dylan's classic hippie motto. A Bohemian finds romance in the notion that "his clothes are dirty but his hands are clean." But there's danger in setting aside the strictures of the law to linchpin one's honor on one's personal integrity. If you throw away the rulebook to rely on your individual conscience you will be put in the way of temptation. And temptation is a burden. It hurts. It is grotesquely easy to justify, to rationalize, an action of which one should properly be ashamed. In investigating the milieu of computer-crime I have come into contact with a world of temptation formerly closed to me. Nowadays, it would take no great effort on my part to break into computers, to steal long-distance telephone service, to ingratiate myself with people who would merrily supply me with huge amounts of illicitly copied software. I could even build pipe-bombs. I haven't done these things, and disapprove of them; in fact, having come to know these practices better than I cared to, I feel sincere revulsion for them now. But this knowledge is a kind of power, and power is tempting. Journalistic objectivity, or the urge to play with ideas, cannot entirely protect you. Temptation clings to the mind like a series of small but nagging weights. Carrying these weights may make you stronger. Or they may drag you down. "His clothes are dirty but his hands are clean." It's a fine ideal, when you can live up to it. Like a lot of Bohemians, I've gazed with a fine disdain on certain people in power whose clothes were clean but their hands conspicuously dirty. But I've also met a few people eager to pat me on the back, whose clothes were dirty and their hands as well. They're not pleasant company. Somehow one must draw a line. I'm not very good at drawing lines. When other people have drawn me a line, I've generally been quite anxious to have a good long contemplative look at the other side. I don't feel much confidence in my ability to draw these lines. But I feel that I should. The world won't wait. It only took a few guys with poolcues and switchblades to turn Woodstock Nation into Altamont. Haight-Ashbury was once full of people who could trust anyone they'd smoked grass with and love anyone they'd dropped acid with -- for about six months. Soon the place was aswarm with speed-freaks and junkies, and heaven help us if they didn't look just like the love-bead dudes from the League of Spiritual Discovery. Corruption exists, temptation exists. Some people fall. And the temptation is there for all of us, all the time. I've come to draw a line at money. It's not a good line, but it's something. There are certain activities that are unorthodox, dubious, illegal or quasi-legal, but they might perhaps be justified by an honest person with unconventional standards. But in my opinion, when you're making a commercial living from breaking the law, you're beyond the pale. I find it hard to accept your countercultural sincerity when you're grinning and pocketing the cash, compadre. I can understand a kid swiping phone service when he's broke, powerless, and dying to explore the new world of the networks. I don't approve of this, but I can understand it. I scorn to do this myself, and I never have; but I don't find it so heinous that it deserves pitiless repression. But if you're stealing phone service and selling it -- if you've made yourself a miniature phone company and you're pimping off the energy of others just to line your own pockets -- you're a thief. When the heat comes to put you away, don't come crying "brother" to me. If you're creating software and giving it away, you're a fine human being. If you're writing software and letting other people copy it and try it out as shareware, I appreciate your sense of trust, and if I like your work, I'll pay you. If you're copying other people's software and giving it away, you're damaging other people's interests, and should be ashamed, even if you're posing as a glamorous info-liberating subversive. But if you're copying other people's software and selling it, you're a crook and I despise you. Writing and spreading viruses is a vile, hurtful, and shameful activity that I unreservedly condemn. There's something wrong with the Information Society. There's something wrong with the idea that "information" is a commodity like a desk or a chair. There's something wrong with patenting software algorithms. There's something direly mean-spirited and ungenerous about inventing a language and then renting it out to other people to speak. There's something unprecedented and sinister in this process of creeping commodification of data and knowledge. A computer is something too close to the human brain for me to rest entirely content with someone patenting or copyrighting the process of its thought. There's something sick and unworkable about an economic system which has already spewed forth such a vast black market. I don't think democracy will thrive in a milieu where vast empires of data are encrypted, restricted, proprietary, confidential, top secret, and sensitive. I fear for the stability of a society that builds sandcastles out of databits and tries to stop a real-world tide with royal commands. Whole societies can fall. In Eastern Europe we have seen whole nations collapse in a slough of corruption. In pursuit of their unworkable economic doctrine, the Marxists doubled and redoubled their efforts at social control, while losing all sight of the values that make life worth living. At last the entire power structure was so discredited that the last remaining shred of moral integrity could only be found in Bohemia: in dissidents and dramatists and their illegal samizdat underground fanzines. Their clothes were dirty but their hands were clean. The only agitprop poster Vaclav Havel needed was a sign saying *Vaclav Havel Guarantees Free Elections.* He'd never held power, but people believed him, and they believed his Velvet Revolution friends. I wish there were people in the Computer Revolution who could inspire, and deserved to inspire, that level of trust. I wish there were people in the Electronic Frontier whose moral integrity unquestionably matched the unleashed power of those digital machines. A society is in dire straits when it puts its Bohemia in power. I tremble for my country when I contemplate this prospect. And yet it's possible. If dire straits come, it can even be the last best hope. The issues that enmeshed me in 1990 are not going to go away. I became involved as a writer and journalist, because I felt it was right. Having made that decision, I intend to stand by my commitment. I expect to stay involved in these issues, in this debate, for the rest of my life. These are timeless issues: civil rights, knowledge, power, freedom and privacy, the necessary steps that a civilized society must take to protect itself from criminals. There is no finality in politics; it creates itself anew, it must be dealt with every day. The future is a dark road and our speed is headlong. I didn't ask for power or responsibility. I'm a science fiction writer, I only wanted to play with Big Ideas in my cheerfully lunatic sandbox. What little benefit I myself can contribute to society would likely be best employed in writing better SF novels. I intend to write those better novels, if I can. But in the meantime I seem to have accumulated a few odd shreds of influence. It's a very minor kind of power, and doubtless more than I deserve; but power without responsibility is a monstrous thing. In writing HACKER CRACKDOWN, I tried to describe the truth as other people saw it. I see it too, with my own eyes, but I can't yet pretend to understand what I'm seeing. The best I can do, it seems to me, is to try to approach the situation as an open-minded person of goodwill. I therefore offer the following final set of principles, which I hope will guide me in the days to come. I'll listen to anybody, and I'll try to imagine myself in their situation. I'll assume goodwill on the part of others until they fully earn my distrust. I won't cherish grudges. I'll forgive those who change their minds and actions, just as I reserve the right to change my own mind and actions. I'll look hard for the disadvantages to others, in the things that give me advantage. I won't assume that the way I live today is the natural order of the universe, just because I happen to be benefiting from it at the moment. And while I don't plan to give up making money from my ethically dubious cyberpunk activities, I hope to temper my impropriety by giving more work away for no money at all. ------------------------------ Date: Tue, 29 Sep 1992 20:14:02 EDT From: LOVE@TEMPLEVM.BITNET Subject: File 2--NEW WINDO BILL (HR 5983) From--James Love Taxpayer Assets Project Re--HR 5983, legislation to provide online access to federal information (Successor to Gateway/WINDO bills) Date--September 23, 1992, Washington, DC. On Wednesday, September 23, the House Administration Committee unanimously approved H.R. 5983, the "Government Printing Office (GPO) Electronic Information Access Enhancement Act of 1992." The bill, which had been introduced the day before, was cosponsored by committee chairman Charlie Rose (D-NC), ranking minority member William Thomas (R-CA) and Pat Roberts (R-KA). The measure was a watered down version of the GPO Gateway/WINDO bills (S. 2813, HR 2772), which would provide one-stop-shopping online access to hundreds of federal information systems and databases. The new bill was the product of negotiations between Representative Rose and the republican members of the House Administration Committee, who had opposed the broader scope of the Gateway/WINDO bills. Early responses to the new bill are mixed. Supporters of the Gateway/WINDO bill were disappointed by the narrower scope of the bill, but pleased that the legislation retained the Gateway/WINDO policies on pricing of the service (free use by depository libraries, prices equal to the incremental cost of dissemination for everyone else). On balance, however, the new bill would substantially broaden public access to federal information systems and databases, when compared to the status quo. WHAT HR 5983 DOES The bill that would require the Government Printing Office (GPO) to provide public online access to: - the Federal Register - the Congressional Record - an electronic directory of Federal public information stored electronically, - other appropriate publications distributed by the Superintendent of Documents, and - information under the control of other federal departments or agencies, when requested by the department or agency. The Superintendent of Documents is also required to undertake a feasibility study of further enhancing public access to federal electronic information, including assessments the feasibility of: - public access to existing federal information systems, - the use of computer networks such as the Internet and NREN, and - the development (with NIST and other agencies) of compatible standards for disseminating electronic information. There will also be studies of the costs, cost savings, and utility of the online systems that are developed, including an independent study of GPO's services by GAO. WHAT HR 5983 DOESN'T DO The new bill discarded the names WINDO or Gateway without a replacement. The new system is simply called "the system," a seemingly minor change, but one designed to give the service a lower profile. A number of other features of the Gateway/WINDO legislation were also lost. - While both S. 2813 and HR 2772 would have required GPO to provide online access through the Internet, the new bill only requires that GPO study the issue of Internet access. - The Gateway/WINDO bills would have given GPO broad authority to publish federal information online, but the new bill would restrict such authority to documents published by the Superintendent of Documents (A small subset of federal information stored electronically), or situations where the agency itself asked GPO to disseminate information stored in electronic formats. This change gives agencies more discretion in deciding whether or not to allow GPO to provide online access to their databases, including those cases where agencies want to maintain control over databases for financial reasons (to make money off the data). - The republican minority insisted on removing language that would have explicitly allowed GPO to reimburse agencies for their costs in providing public access. This is a potentially important issue, since many federal agencies will not work with GPO to provide public access to their own information systems, unless they are reimbursed for costs that they incur. Thus, a major incentive for federal agencies was eliminated. - S. 2813 and HR 2772 would have required GPO to publish an annual report on the operation of the Gateway/WINDO and accept and consider *annual* comments from users on a wide range of issues. The new bill only makes a general requirement that GPO "consult" with users and data vendors. The annual notice requirement that was eliminated was designed to give citizens more say in how the service evolves, by creating a dynamic public record of citizen views on topics such as the product line, prices, standards and the quality of the service. Given the poor record of many federal agencies in addressing user concerns, this is an important omission. - S. 2813 would have provided startup funding of $3 million in fy 92 and $10 million in fy 93. The new bill doesn't include any appropriation at all, causing some observers to wonder how GPO will be able to develop the online Congressional Record, Federal Register, and directory of databases, as required by the bill. WHAT HAPPENED? The bill which emerged from Committee on Wednesday substantially reflected the viewpoints of the republicans on the House Administration Committee. The republican staffers who negotiated the new bill worked closely with lobbyists for the Industry Information Association (IIA), a trade group which represents commercial data vendors, and who opposed the broader dissemination mandates of the Gateway/WINDO bills. Why did WINDO sponsor Charlie Rose, who is Chair of the House Administration Committee, give up so much in the new bill? Because Congress is about to adjourn, and it is difficult to pass any controversial legislation at the end of a Congressional session. The failure to schedule earlier hearings or markups on the WINDO legislation (due largely to bitter partisan battles over the House bank and post office, October Surprise and campaign financing reform) gave the republican minority on the committee enormous clout, since they could (and did) threaten to kill the bill. Rose deserves credit, however, for being the first member of congress to give the issue of citizen online access to federal information systems and databases such high prominence, and his promise to revisit the question next session is very encouraging. PROSPECTS FOR PASSAGE The new bill has a long way to go. It must be scheduled for a floor vote in the House and a vote in the Senate. The last step will likely be the most difficult. In the last few weeks of a Congressional session, any member of the Senate can put a "hold" on the bill, preventing it from receiving Senate approval this year, thus killing the bill until next legislative session. OMB and the republican minority on the House Administration Committee have both signed off on the bill, but commercial data vendors would still like to kill the bill. There's a catch, however. Rose's staff has reportedly told the Information Industry Association (IIA) that if it kills HR 5983, it will see an even bolder bill next year. Since IIA was an active participant in the negotiations over the compromise bill, any effort to kill the bill will likely antagonize Rose. Of course, some observers think that an individual firm, such as Congressional Quarterly, may try to kill the bill. Only time will tell. IS THE GLASS HALF EMPTY OR HALF FULL? Despite the many changes that have weakened the bill, HR 5983 is still an important step forward for those who want to broaden public access to federal information systems and databases. Not only does the bill require GPO to create three important online services (the directory, the Congressional Record and the Federal Register), but it creates a vehicle that can do much more. Moreover, HR 5983 would provide free online access for 1,400 federal depository libraries, and limit prices for everyone else to the incremental cost of dissemination. These pricing rules are far superior to those used by NTIS, or line agencies like NLM, who earn substantial profits on the sale of electronic products and services. WHAT YOU CAN DO Urge your Senators and Representatives to support passage of HR 5983, quickly, before Congress adjourns in October. All members of Congress can be reached by telephone at 202/224-3121, or by mail at the following addresses: Senator John Smith Representative Susan Smith US Senate US House of Representatives Washington, DC 20510 Washington, DC 21515 The most important persons to contact are your own delegation, as well as Senators George Mitchell (D-ME) and Bob Dole (R-KA). For more information, contact the American Library Association at 202/547-4440 or the Taxpayer Assets Project at 215-658-0880. For a copy of HR 5983 or the original Gateway/WINDO bills, send an email message to tap@essential.org. ------------------------------ Date: Sun, 30 Aug 92 05:19:34 EDT From: Anonymous@anonvill.uunet.uu.net Subject: File 3--"In House Hackers" (Excerpts from the WSJ) Although cyber-surfing computer explorers receive the bulk of media attention, there is little evidence that they comprise the greatest danger to corporate computers or other resources. Confirming what some observers have been saying for years, the Wall Street Journal recently reported on the dangers of in-house hackers to corporate computer security. Summary of: "In House Hackers" From: THE WALL STREET JOURNAL (Thursday, Aug. 27, 1992) At its London office, American Telephone and Telegraph Co. says three technicians used a computer to funnel company funds into their own pockets. At General Dynamics Corp.'s space division in San Diego, an employee plotted to sabotage the company by wiping out a computer program used to build missiles. And at Charles Schwab & CO. headquarters in San Francisco, some employees used the stock brokerage firm's computer system to buy and sell cocaine. As these examples suggest, employees are finding increasingly ingenious ways to misuse their companies' computer systems. Although publicity about computer wrongdoing has often focused on outside hackers gaining entry to systems to wreak havoc, insiders are proving far more adept at creating computer mayhem. Workers may use company computer system to line their own pockets, to seek revenge because they didn't get a promotion or because of other perceived slights. Whatever the motive, high-tech misdeeds are creating significant problems for companies large and small. MEANS AND MOTIVE Although figures for damages from computer abuse are scarce, some companies report internal frauds involving losses of more than $1 million. Even more costly are losses from disrupted operations or form repairing the damage. "Employees are the ones with the skill, the knowledge and the access to do bad things," says Donn Parker, an expert on computer security at SRI International, Menlo Park, Calif. "They're the ones, for example, who can most easily plant a which can crash your entire computer system." Most companies quietly fire the culprits without publicity, Mr. Parker adds. Dishonest or disgruntled employees pose "a far greater problem than most people realize." The story reports interviews with various security experts who agree that the increase of computer use also creates risks of unauthorized computer access and tampering within a company. According to the story, laptops cause special concern because of their flexibility and power, which make it easier for employees to steal trade secrets. Companies are beginning to recognize the need to develop increased security measures to protect themselves from INTERNAL security breaches. These include closer monitoring of who has access to systems, encryption of sensitive files, and more carefully protecting systems against unauthorized company users. The story summarizes the AT&T trojan in England last year, in which three AT&T technicians were charged with unauthorized modification of computers and conspiracy to defraud. Although the case was later dropped because of legal technicalities, it underscores the dangers of the potential for inhouse crime. The story summarizes the case of Michael Lauffenburger, a 31 year old General Dynamics programmer in California, who was indicted in federal court for trying to destroy parts of a computer program, quit the company, and then get rehired as a well-paid consultant to rebuild the program: The plot, the indictment alleges, went like this: In March last year, Mr. Lauffenburger created a second computer program, this one a logic bomb called "Cleanup." It would totally erase the original parts program starting at 6 p.m. May 24, the beginning of the Memorial Day weekend, when few would be around to notice. When the bomb went off, Mr Lauffenburger wouldn't be around either; he quit March 29. Lauffenburger pleaded guilty to computer tampering in early 1992 and was fined $5,000 and required to perform community service. The story lists another company, Pinkerton Security and Investigation Services, that was victimized by an Employee. Tammy Juse, 48, used the name "Tammy Gonzalez" to obtain a position in the accounting department in 1988. She accessed Pinkerton accounts at Security Pacific National Bank, and was discovered in 1990 to be embezzling from the accounts. She was sentenced to 27 months in prison for embezzling over $1 from the company: Normally, a reconciliation of accounts would have caught the discrepancies. But Ms. Gonzalez was also supposed to do the reconciling, and somehow she didn't get around to it. At one point, it was nearly two years behind. The story lists the usual dangers of security lapses in companies, including password problems, open computers, and other "people problems" that leave systems vulnerable. It also identifies illegal uses of company computers as a potential problem: Sometimes it is the very advantages of computers, including speed and convenience of communication, that make them tempting tools of abuses. Late last year, officials at Charles Schwab, got a tip that a cocaine ring was flourishing among its headquarters employees in San Francisco. Hal Lipset, a private investigator hired by Schwab, soon discovered that sales were being arranged over Schwab's computer communications system. Schwab officials secretly began monitoring the messages and copying them for evidence. Two employees who allegedly were selling drugs masked their messages by seeming to talk of tickets to sports events or about a game of pool called eightball. But according to one investigator, a "ticket" represented a half gram of cocaine for $40, and "eightball" represented 3 grams for about $280. .............. An undercover man working for Mr. Lipset, in cooperation with San Francisco police, began buying cocaine to gather more evidence. In April, the police arrested two back-office workers at Schwab for drug dealing. Both pleaded guilty. Schwab has fired them as well as two others allegedly in the drug ring. The WSJ story nicely details the threats to security from those within the company entrusted to use and maintain them. Most "hackers" operating from the outside agree that poor security rather than external explorers are the greatest threat to company systems. It is refreshing to see the media recognize that the greatest potential for abuse comes from inside, and that the costs of computer crime are overwhelming created not by curious teenagers, but by predators who betray an employees trust. ------------------------------ Date: 27 Sep 92 22:59:05 EDT From: Gordon Meyer <72307.1502@COMPUSERVE.COM> Subject: File 4--Software Piracy: A Felony? Washington is currently considering a bill, S.893, which would expand felony provisions to all copyrighted materials, including computer software. The bill provides for felony convictions punishable by up to $250,000 in fines and two years in prison for willfully infringing on software copyrights in amounts exceeding retail amounts of $5,000. The bill is currently under consideration by the House Intellectual Property and Judicial Administration Subcommittee, chaired by Rep. William Hughes. For more details see 'A Felonious Crime', Amy Cortese, INFORMATION WEEK, Sept 14,1992, p14 VIRUS SPREAD LESS THAN EXPECTED A report released by IBM's High Integrity Computing Laboratory says that computer viruses are spreading slower than expected because assumptions made in earlier estimates haven't held true. Virus epidemics were predicted based on a "homogeneous mixing" theory modeled after the way diseases spread in humans. It turns out that despite all the computer networks, most viruses are spread via shared diskettes, which limits each computer's risk of exposure. (As reported in INFORMATION WEEK, Sept 14, 1992, p16) ------------------------------ Date: 27 Sep 92 23:20:17 EDT From: Gordon Meyer <72307.1502@COMPUSERVE.COM> Subject: File 5--Hacker hits Cincinnati Phones HACKER HITS CINCINNATI PHONES A computer hacker apparently in the New York area broke the code into one of the Cincinnati, Ohio, phone trunk lines, building up a $65,000 phone bill. Cincinnati city officials say the unknown invader racked up the charges last winter and spring by placing calls around the world. David Chapman, the city's assistant superintendent for telecommunica-tions, said that investigators think the tap originated in the New York-New Jersey area, but they have no suspects and the investigation is considered closed. Chapman added, "Apparently these people were pretty darn slick, but talking to the Secret Service, we were small potatoes. I understand there have been some major companies hit." (reprinted from STReport #8.38 with permission) COMPUTER EXEC'S ENDORSE CLINTON FOR PRESIDENT Thirty executives at a number of high-tech Silicon Valley firms --including Apple Computer, Hewlett Packard, National Semiconductor, Oracle Systems and Link Technologies -- have endorsed Democrat Bill Clinton in his bid for the White House. "Many of us here are actually not Democrats but Republicans," said Apple CEO John Sculley. Sculley added the group believes Clinton can put the country "back in the forefront of leading the world again." Oracle Systems CEO Lawrence Ellison said that the Democrat's economic plan is "why I am departing this year from my life-long support of the Republican Party to endorse the Clinton-Gore ticket." Besides Sculley and Ellison, those endorsing Clinton include HP President/CEO John Young, as well as Gil Amelio, CEO of National Semiconductor; Dave Barram, vice president of Apple Computers; Gerry Beemiller, CEO of Infant Advantage; Chuck Boesenberg, CEO of Central Point Software; Dick Brass, president of Oracle Data Publishing; Chuck Comiso, president of Link Technologies. Also: Gloria Rose Ott, president of GO Strategies; Ed McCracken, CEO of Silicon Graphics; Regis McKenna, chairman of Regis McKenna; Bill Miller, former CEO of SRI international, Sandy Robertson, general partner of Roberston, Colman and Stephans. (Reprinted from STReport #8.38 with permission) ------------------------------ End of Computer Underground Digest #4.47 ************************************