Computer underground Digest    Sun Sep 26 1993   Volume 5 : Issue 75
ISSN 1004-042X

Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Copie Editor: Etaoin Shrdlu, III

CONTENTS, #5.75 (Sep 26 1993)
File 1--THE ANARCHISTS AMONGST US: Is PBS One of *THEM?*
File 2--Elansky/Hartford BBS Update, 25 Sept '93
File 3--Raising the Issue of Copyright on the Nets
File 4--Ethics of reposting
File 5--Number of CuD Articles
File 6--CuD Posting Policies and Processes (A Response)
File 7--September 29 BBLISA meeting]
File 8--The State of Security of Cyberspace (SRI Research Summary)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG WHQ) (203) 832-8441 NUP:Conspiracy; RIPCO BBS (312) 528-5020
CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.
EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893;
In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
  AUSTRALIA: ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
  EUROPE: nic.funet.fi in pub/doc/cud. (Finland)
  UNITED STATES: aql.gatech.edu (128.61.10.53) in /pub/eff/cud
                 etext.archive.umich.edu (141.211.164.18) in /pub/CuD/cud
                 ftp.eff.org (192.88.144.4) in /pub/cud
                 halcyon.com (202.135.191.2) in /pub/mirror/cud
                 ftp.warwick.ac.uk in pub/cud (United Kingdom)

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Thu, 23 Sep 1993 14:18:00 -0400 (EDT)
From: soneill@NETAXS.COM
Subject: File 1--THE ANARCHISTS AMONGST US: Is PBS One of *THEM?*

Since, as far as anyone can tell, the crux of the Elansky case lies in the "anarchy" file found on his BBS, the following information may be of interest to the West Hartford prosecutor and judge in the case, and may be of special interest to Elansky's defense lawyer.

Last week, on Sept. 15, to be exact, the local PBS outlet here in Philadelphia showed a program called "Your Toxic Trash", narrated by Ed Begley, Jr, and produced by station KERA of Dallas/Ft. Worth. The theme of this program was how much of our trash is composed of dangerous chemicals and how we should properly dispose of them.
To demonstrate how dangerous the accidental combination of substances could be, the producers had a Professor of Chemistry at U.C. Berkeley, Prof. William Lester, show what happens when you mix powdered pool chlorine and brake fluid. The combination resulted in an immediate and intense flame which reduced the pool chlorine to a charred black lump in seconds. He also showed that when pool chlorine is mixed with an ordinary soda, like Coca-Cola, free chlorine is released in great quantity.

As I sat watching this, it occurred to me that anyone with an interest in setting fire to things, or in poisoning people had just been given the necessary information to do either or both. And this was done by highly reputable people working for equally reputable organizations. Therefore, if the law in West Hartford thinks that such information as was found on Elansky's board is dangerous and should never be publicly disseminated, what in the world are they going to make of "Your Toxic Trash"? More important, this perfectly makes the point that whatever was in the file is public knowledge, easily obtainable, in some cases, from as unexpected a source as Public Television.

------------------------------

Date: Sat, 25 Sep 93 15:58:21 CDT
From: CuD Moderators
Subject: File 2--Elansky/Hartford BBS Update, 25 Sept '93

There is little change on the status of Michael Elansky, the sysop of a Hartford BBS arrested in August because of the contents of two "Anarchy files" on his system (See CuD 5.69, 5.71). We are told that nothing of substance occurred at his hearing on Thursday, Sept. 24:

1) As of Friday, Sept. 25, Elansky remained in jail, unable to post $500,000 bond.

2) The hearing was postponed until early October.

3) We have been told, but have NOT YET confirmed, that no motions were filed by the defense at the hearing. This, we are told, includes no motions for bail reduction.

In short, Elansky seems to be languishing in jail and little seems to be done about it.
The case gets odder and odder.....

------------------------------

Date: Thu, 9 Sep 93 14:19:16 EDT
From: gray@ANTAIRE.COM(Gray Watson)
Subject: File 3--Raising the Issue of Copyright on the Nets

In CuD #5.70, File 2 ("Big time hacker from the small town"), an article began:

>"POLICE NAB OBSCENE CALLER" by Bill Latimer (reprinted without asking)
                                              ^^^^^^^^^^^^^^^^^^^^^^^^

I don't think CUD should have allowed this. I send out a standard message when I see such posts and it is applicable here:

>For your information, including a significant amount of text
>from copyright publications in posts is a breach of
>copyright law. The publishing industry will *never* adopt
>digital distribution if the net does not honor the copyright
>laws.
>
>If possible in the future, please try to contact the author
>and ask for a limited release of the document. If this is
>not unavailable, please consider posting a summary of the
>work instead.

If the legalities of an electronic issue are ill-defined then we must look to the physical world as our guide. No publication, commercial, non-profit, nor educational, republishes copyrighted works without first gaining permission.

I believe that if we in cyberspace are ever going to achieve the same rights as physical publishers, broadcasters, and speakers, we must consider our electronic actions to actually _be_ the same as their physical equivalents -- in terms of the legalities. If we don't think twice about duplicated works that are copyrighted, then we are asking for special treatment -- and with the obvious benefits come serious detriments.

------------------------------

Date: Tue, 24 Aug 1993 23:39:05 CDT
From: Eric Schnoebelen
Subject: File 4--Ethics of reposting

CuD #5.61, file 11, contained a message by William Reeder of Sun Microsystems which was in reply to a message of mine, describing a successful breaking and entering of the Sun internal network.
These messages were originally posted to a private list for system managers in the Dallas/Ft Worth area, with the expectation of confidentiality. Neither William Reeder nor myself were consulted before the message was sent to CuD by a third party.

Mr Reeder's message was posted in response to a comment of mine about the happenings with texsun, a major UUCP hub in the Dallas/Ft Worth region. texsun was/is operated by the SUN Central region as a community service. The message was not intended to be distributed outside the scope of the list. It was certainly not intended for general distribution.

This reposting does bring to the foreground the ethics and issues of reposting messages. I believe, and many on the list in question do as well, that the list was private, or semi-private at worst, and that the information on it is generally considered confidential. Most also believe it was impolite to repost the message to another list, or any other forum without the consent of the author(s), William Reeder and myself in this case.

The expectation of privacy on mailing lists is another issue that arises from this. There are several forms of mailing lists on the internet today.

There are lists that can be joined by invitation only, usually sponsored by an existing list member.

There are lists that can only be joined by folks meeting a certain set of criteria, such as being a female computer scientist/researcher/developer, or being gay/bisexual.

There are lists which are well known in a (geographic or technical) area, but are not well known outside of that area. Prospective new list members are usually told about the list by current members, but it is up to the new folks to actually do something about subscribing. Lists like this are frequently used for discussion and dissemination of information amongst system managers, etc.

Then there are lists that are well known, and there are no restrictions on membership. CuD is an example of such a list.
And beyond that, there are USENET newsgroups. Of course, there are other types of lists as well.

The last two types, wide open lists, and USENET groups are pretty much broadcast mediums, with corresponding expectations upon readership and privacy.

The first three types of lists have a higher expectation of privacy and confidentiality. People on these lists believe that what they say will not be taken out of context, where perhaps it may cause problems for the poster, or others.

Reposting something from such a list, without permission of the original poster is somewhat analogous to submitting a personal letter from a third party to a newspaper for publication in the letters to the editor column.

It boils down to this: Just because something is easy to re-distribute does not mean that it is ethical to do so. If we of cyberspace cannot handle this responsibility with our own intellectual property, it will be impossible to convince (non-cyber) institutions that we can respect their copyrights and other intellectual property.

Another issue is that of copyright violation. Since the United States adopted the Berne Convention Copyright Treaty in 1986 (I believe), everything written is copyrighted from the moment it looks like text. (aka, this message is implicitly copyright, 1993, Eric Schnoebelen) Most of the rest of the developed nations have been a signer of the Berne Convention longer than the US, so the same rules apply.

Solutions? Courtesy. Before reposting anything, it is polite to ask the original author(s) if reposting is acceptable. The original author may wish that his words not be redistributed, or at least may wish the chance to edit them.

------------------------------

Date: Sun, 5 Sep 1993 06:59:57 -0800 (PDT)
From: ygoland@HURRICANE.SEAS.UCLA.EDU
Subject: File 5--Number of CuD Articles

I like CuD very much and have contributed to the overloading of your mail programs by turning many people on to it.
I've even submitted several news pieces that you later included in CuD. So please understand my comments in context: I LIKE CuD.

When I first started reading CuD it was basically a 'news magazine' which included many short articles on a variety of topics, occasional 'theme' issues, and some good editorial content. Lately I've noticed that its character is changing. It has gone from a pre-processed information source to a news clipping service. Every time something of interest happens it is immediately sent out to CuD (usually the original document announcing the occurrence is just re-posted). This is not necessarily bad, I never liked anyone volunteering their opinion anyway. =)

However I think if this is the trend that CuD is going to follow that you might want to consider a different format for your articles. Instead of sending them out why not put them on a gopher (or better yet) WWW server? That way one can not only quickly get to useful information but that information will stick around after the article is autodeleted (I read CuD through usenet) a week or so after it's posted. Using gopher or WWW formats is also much easier to deal with than ftp.

I hope CuD decides to develop a split personality. I like having a 'human' going through the net and pulling out interesting information but I also liked the articles, commentary, etc. that used to be the mainstay of CuD.

And of course, being a big believer in putting your money where your mouth is, I would be willing to help set up (i.e. learn how to) and maintain (i.e. donate time) a gopher or WWW server.

Nevertheless CuD is doing a great job and is a definite must read for anyone who wants to understand the legal aspects of the computer world.
------------------------------

Date: Thu, 23 Sep 1993 17:31:01 CDT
From: CuD Moderators
Subject: File 6--CuD Posting Policies and Processes (A Response)

Eric Schnoebelen, Yaron Goland, and Gray Watson provide us with the opportunity to address several issues with which we constantly grapple, often without successful resolution. Their concerns raise issues of the rights, responsibilities, and other problems facing electronic media.

We have tried to frame our answers in three ways. First, we attempt to address the concerns raised by Eric, Gray, and Yaron. Second, we attempt to place them in a context that provides insights into putting out CuD. Finally, we expand our responses to include similar questions and concerns expressed by readers. What follows may be excessively self indulgent for some, but we feel it necessary in part to address some of the concerns raised, but also to provide a clearer sense of the backstage CuD region.

RESPONSE TO GRAY

Gray observes that we re-published a lengthy news article without permission and even included the original line indicating that permission was not obtained. He finds this troubling. So do we.

We assume that readers have obtained permission to reprint articles UNLESS OTHERWISE STATED. If it's clear that permission has not been obtained, if the article warrants publishing, we will edit down to fair-use limitations. Sometimes we judge it necessary to reprint an entire article because either editing would distort the meaning, or--when doing a media critique--the entire article is necessary to avoid risk of seeming to take isolated quotes out of context. Although "fair-use" remains ambiguously broad, CuD is in that category of publications in which fair-use is flexible: We are non-profit and educational. Despite the latitude, we do our best to err on the side of caution.

In the case of the article that Gray cites, we simply goofed.
The article was in the "to-edit" pile, and somehow it simply slipped into the "go" pile when the posts for the issue were assembled. Although time and other constraints do not excuse us, we hope they at least explain it, as we indicate below in our response to Yaron. Sometimes mistakes happen, and while we're pleased that they seem to happen relatively infrequently, we remain red-faced when they occur. For this reason, we continually urge readers to do one of three things when sending reprints:

1) Obtain permission for long articles (fair use applies for short articles); or

2) Edit the article with a series of quotes and summaries; or

3) Indicate that permission was *not* obtained, and we will try to edit. Unfortunately, time is scarce, so especially long pieces may not be printed. Nonetheless, all articles are appreciated, because they keep us abreast of the news, and we add them to our own files.

RESPONSE TO ERIC

Eric raises a few serious issues that, despite passionate debate on all sides, remain unresolved. He notes that we ran a post from a semi-private discussion list without first obtaining permission. We resolved the case to which Eric alludes in private e-mail. The persons directly affected were reasonable, understanding, and helpful. We apologized privately, and we apologize again for any inconvenience we may have caused them. We did not understand the context of the post and assumed it was a public announcement. This was our misunderstanding and *not* the fault of the person who sent the original post to us or anybody else. But, this raises other issues.

1) CuD POLICY ON RE-PRINTING POSTS

When we intend to reprint a piece posted elsewhere, we try to assure in writing that we have permission. Some frequent contributors provide blanket permission. Others we write to obtain permission. Sometimes we receive posts that are for our information and not to be reprinted.
However, we assume that any article that is obviously not personal mail that does not indicate NOT FOR PUBLICATION is sent for consideration. Generally, there are few slips, either by CuD or by contributors. Sometimes there is a gray area. Sometimes what we or a contributor find acceptable is not deemed so by original authors.

2) MAY PUBLIC POSTS BE REPRINTED WITHOUT PERMISSION?

Eric's concerns raise a fundamental question for electronic communication. The status of public electronic posts remains unclear. In our view, a public e-post is fair game in the same sense as a public speech or other public behavior. We often receive relevant informational posts cross-posted on Usenet newsgroups. In these cases, we assume that wide distribution was intended by the original poster and that reprint permission is assumed. If we receive articles that include one or more posts from elsewhere, we assume that publication of the enclosed comments is acceptable. It is simply impossible to track down every poster or check every fact in articles. Nor do we avoid publishing a piece that we judge to be proper simply because somebody may criticize us for running it. But, we do our best to follow Internet norms, and those norms generally hold that permissions to reprint ought be obtained when possible.

There is another issue, however, one relevant especially for researchers. Should PUBLIC posting areas be a research ground for graduate students and others? Is it proper to use public posts in research? Is it proper to do statistical analyses of public posts without obtaining permission from those on the list? In our own view, the nature of most research and the pre/proscriptions of professional codes of ethics cover this: Research in public places is fully permissible without notifying those being observed.
Therefore, counting flames on alt.feminism, or using snippets from a given newsgroup to display social processes of, for example, computer-mediated communication, is neither illegal nor unethical if done in accordance with existing professional standards of conduct.

We take Eric's concerns sufficiently seriously that we intend to address them soon in a future conference paper. We do not see any easy answers, and certainly none likely to generate consensus. But, a healthy debate helps clarify what's at stake and hopefully minimizes abuse and increases responsibility, and Eric's comments are helpful for this.

RESPONSE TO YARON

Yaron Goland is probably correct in noting the changes in CuD over the years. We think there are several reasons for this:

1) The "cyberworld" has changed from our early days, and we reflect the climate.

2) The basic issues that we addressed (eg, Sundevil, Bill Cook, etc) have receded into the background, and the conflicts have generally taken more genteel forms low on drama but high on import, such as legislative lobbying for California's electronic access bill, lobbying efforts opposing encryption control, or the backstage efforts of groups such as CPSR or EFF that quietly file FOIA requests and adapt slow-moving legal tactics.

3) Our readership has grown dramatically---our first issue had less than 200 readers in March, 1990--all on a mailing list. Today, we have over 80,000 from usenet, the mailing list, BBSes, public access systems, ftp/etc, and the diversity means we try to match our articles to the broader-based interests. We are not sure that this is good, but on the other hand, we decided to let things just take their course;

4) The readers themselves change---and their interests follow.

5) There are simply more issues and much more information available.

THE GENESIS OF CuD -- Maturity or Senility?
At the heart of Yaron's comment lies a broader issue: What are the crucial issues affecting cyberspace and what is the best way to disseminate information and encourage discussion amongst those who do not have easy access to a forum to express their views? What is the role of Cu Digest, RISKS, TELECOM Digest, and others in providing such a forum? What obligations do such digests have to readers, and how can editors or moderators assure that they reflect crucial issues and diverse points of view without becoming a self-indulgent platform for idiosyncratic opinions?

CuD has changed: Some have complimented (or criticized) us for "mellowing out" and refining (or dulling) the gadfly edge. The observation does have some merit. CuD originated as a temporary mailing list to handle posts related to the Phrack and Len Rose cases and to generate related discussion that TELECOM Digest could not publish. As a consequence, the CuD editors had no long-range goals or unifying vision. The early style of posters and editors reflected passion and urgency--not always wisely expressed in the immediacy and heat of the moment--to rectify perceived injustice. We saw little reason at the time for caution, because we did not believe we would be pursuing the issues for very long.

Then came Sun Devil and a new round of discussions. Chip Rosenthal's initiative in making CuD a Usenet group expanded the readership, Bob Krause set up a mail archive, Brendan Kehoe set up the ftp archives, and we became "establishment."

With the expanded sites and growing readership, we were no longer speaking to a small audience, but to a group with dramatic diversity in perspectives, interests, and background. The posters' comments and articles reflected this diversity, and we try to reflect it in the posts we publish. Both CuD editors are academics at heart, so the tenor of the posts perhaps over-represents conferences, reviews, research, and other material of fairly specialized interest.
On the other hand, the overwhelming bulk of CuD's Net readers come from academia as scholars, programmers, or students, or from areas sharing similar interests (media personnel, attorneys). BBS readers, by contrast, are more varied, and from them we often receive suggestions to expand the range of articles even further to cover the BBS world more thoroughly.

Unfortunately, putting out CuD is time consuming. We say this without complaint, and note it as a simple fact of life that significantly shapes what we do. Managing the mailing list, writing our own comments, formatting posts, responding to considerable mail, digging up any information for news notes that we ourselves write, trying to edit news stories to fit within "fair use" restrictions, and other small tasks take, in the aggregate, an average of 25-30 hours a week. Both editors have "real jobs" unrelated to CuD that require at least 50 hours a week. With no resources, no staff, and no other incentive than a naive passion for information, we often cannot put the effort into obtaining, writing, or editing news that we would like. Sometimes we goof, as Gray and Eric noted above. On the other hand, the initiative of readers in sending us information, of posters who provide not-for-publication thought-provoking comments, and the networking aspect of putting out a 'Zine is rewarding because of the people we meet face-to-face and electronically and the intellectual rewards that accrue.

Our intent here is not simply self-indulgence. Rather, by laying out the genesis and structure of what happens behind the scenes, we hope that readers will have a better understanding of the editorial processes and, if they have suggestions for changes in direction or content, make them within the context of these processes.

How are CuDs Put Out?

We're periodically asked how we put out an issue. It's rather simple:

1) Posts arrive in our mailbox or by disk and we sort through them.
We do not run "Usenet" type posts in which a poster simply responds with a few lines, but we do try to present any reasonable post that raises issues or presents new information. We do not censor content, and we occasionally ask posters to revise to clarify or elaborate on their points. We're occasionally asked why we run a particular piece, because it may seem offensive, unrelated to readers' interests, or otherwise inappropriate. The answer is simple: We try to give everybody a chance to speak, and diversity of ideas and perspectives beats the opposite.

2) We select about 800 lines (40 K), give or take 10 percent. As a consequence, some posts might be delayed because of space constraints and "fit."

3) We usually format to 70 characters per line and edit the subject headers to try about 50 characters, and remove sigs and control characters.

4) We assemble the articles, run a spell check, and then add the "Administrivia" and index.

5) We send out three separate files: One to Usenet, one to the Central Michigan U. listserv, and one to the bad addresses that the listserv can't read.

6) We wait for the bounces, usually about 15 each issue, of which about half are "anomalies" (full mailboxes, down systems) and the rest are "user not known" or "unknown domain." After three consecutive bounces, a user is notified of deletion from the mailing list with an explanation and instructions for resubbing (assuming the notification does not bounce, which they usually do).

We've tried the various suggestions and mini-programs that readers have sent over as a way of automating each issue, but the system from which we work can't accommodate most of them, so we rely on primitive batch files when possible. Deletions, subscriptions, and other tasks are done semi-manually. Gordon lives and works in the Chicago suburbs, and Jim lives about 60 miles west in DeKalb. They try to coordinate as much as possible by e-mail and telephone. Imperfect, but it works.
So, for those who've asked in the past, now ya probably know more than you ever wanted.

SOME SUGGESTIONS

Readers have suggested a variety of things CuD could do. In an unpublished section of his post, Yaron urged that we set up a gopher site. An interesting idea, and we're open to suggestions. Yaron also suggested recruiting readers to perform certain tasks on a regular basis. For example, we could add a book review editor, a media commentator, somebody willing to conduct an interview with newsworthy cyberfolk once every few months, or other tasks. The suggestion of periodic special issues by guest editors is also a possibility.

Other readers have suggested that we focus more on specific issues (e.g., law, BBSes, research papers, interviews with newsworthy cyberpersonalities). We like all of these ideas, but they are time-consuming. We especially like the idea of interviews, but a one-issue interview would require at least an hour of the interview itself, about 3 hours for transcribing, and another hour of editing, plus incidental time of set-up and other tasks. That's a day's work, and time is scarce. Perhaps readers could conduct interviews on occasion and send them over.

The suggestion of assembling issues into themes so they could be discarded more easily if readers weren't interested in the theme is tempting. For example, conference notices could be placed in one issue, bibliographies in one issue, news blurbs in a single issue--we'll consider it.

Expanding CuDs to three issues a week? Probably not wise. Two issues seems about the limit of tolerance for most readers.

Then there are the mixed/contradictory suggestions: More writing by CuD editors/Less writing by CuD editors; Some fiction and creative writing/No fiction or fluff stuff; Don't stray so far from explicitly cyber-issues/More straying; Don't be so leftist/Move to the right; Set an example/challenge convention; Be more serious/Lighten up a bit.......the list goes on.
While we may appear unresponsive to suggestions/criticisms, we actually do take most of them seriously.

All of this is a terribly verbose way of saying that, given the growth of CuD, it's time to reassess what a CuD is. If you have ideas for guidance in the coming year(s), let us know.

For those who have read this far and haven't been hit by the MEGO ("my eyes glazeth over") effect, our intent has been to explain, *not* justify, how and why errors occur, and to give a sense of what goes on at this end of the screen. Hopefully, it will reduce some of the misunderstandings that some media and law enforcement folk have about CuD. It might also provide a few paragraphs for the occasional student paper inquiry we receive. Most responses to "whither CuD" are "keep up what you're doing," but we're open to suggestions and especially receptive to articles of relevance.

Jim and Gordon

------------------------------

Date: Fri, 24 Sep 1993 15:18:56 -0700
From: Brendan Kehoe
Subject: File 7--September 29 BBLISA meeting]

+------ Forwarded Message

From--etnibsd!vsh@uunet.uu.net
Message-Id--<9309242000.AA02698@grumpy>
Subject--September 29 BBLISA meeting
To--sage-announce@usenix.org, nneuug@coos.dartmouth.edu
Date--Fri, 24 Sep 93 16:00:56 EDT

[ apologies if this is a duplicate posting -- vsh ]

ANNOUNCEMENT

September 29 BBLISA meeting

Topic: Computer Crime

Jim Powers of the FBI and a prosecutor from the Attorney General's office will be the speakers at next Wednesday's Back Bay LISA meeting. They will be addressing what you should be aware of when administering your site, what we can do to protect ourselves, and what steps you should take when you suspect your system is being wrongly used.

Date: Wed., Sept. 29, 7:30pm *[note the changed time]*

Where: MIT Room 329
       Building E51
       70 Memorial Drive (entrance at corner of Wadsworth and Amherst)
       Cambridge, MA

Directions:

Car: For folks driving, follow Memorial Drive to Wadsworth St. which will take you to the rear of the building.
Entrance and parking are at the rear.

T: Red Line Kendall Square stop. Head over to Au Bon Pain, take a right onto Wadsworth St. E51 is at the corner of Wadsworth and Amherst.

Back Bay LISA (BBLISA) holds monthly meetings, on the last Wednesday of each month, except November and December. Meetings are usually at a Boston-Metro location. Meetings feature a speaker, or a panel of speakers, and time for announcements and group discussion. Topics include all aspects of system administration (both large and small), networking, security, privacy, etc.

Membership in the group is FREE. To become a member, join one of the following mailing lists. You'll receive full details of forthcoming meetings, locations, precise dates, etc. BBLISA information is distributed by email, only.

To join the announcement mailing list, send email to the list server at `bblisa-announce-request@cs.umb.edu' with a text line of `subscribe'.

There is also a BBLISA discussion list. To join this list, send a subscribe message to `bblisa-request@cs.umb.edu'. All announcement messages are automatically relayed to this list, so you don't need to join both.

+ -- Steve Harris - Eaton Corp. - Beverly, MA - etnibsd!vsh@uunet.uu.net

++++++- End of Forwarded Message

------------------------------

NEW HAVEN (AP)--A federal grand jury indicted a Redding (Conn) man Wednesday, charging him with conspiring with others to import child pornography into the United States, authorities said.

The four-count indictment charging John Looney, 51, is part of "Operation Longarm," a U.S. Department of Justice and Customs Service effort focusing on the use of computers to import pornographic materials from Denmark. Search warrants have been issued in 15 states.
------------------------------

Date: 24 Sep 1993 11:26:49 -0800
From: "AJ Bate"
Subject: File 8--The State of Security of Cyberspace (SRI Research Summary)

THE STATE OF SECURITY OF CYBERSPACE
A Summary of Recent Research by SRI International
June 1993

SRI International (SRI) conducted a worldwide study in 1992 of a broad range of security issues in "cyberspace." In brief, cyberspace comprises all public and private communications networks in the United States and elsewhere, including telephone or public switched telephone networks (PSTNs), packet data networks (PDNs) of various kinds, pure computer networks, including the Internet, and wireless communications systems, such as the cellular telephone system. We did not address security vulnerabilities associated with classified, secure communications networks used by and for governments, nor did we explore toll fraud issues.

The study was conducted as part of our ongoing research into the vulnerabilities of various software components of cyberspace. Our approach was to conduct research through field interviews with a broad range of experts, including people we characterize as "good hackers," into security issues and vulnerabilities of cyberspace and the activities of the international "malicious hacker" community.

While the specific results of the study are proprietary to SRI, this brief report summarizes our general conclusions for the many individuals who kindly participated in our field interviews. As we indicated during the interviews, the original research for this project was not part of any other kind of investigation, and we have not revealed the identity of any of our respondents.

The study aimed to understand "malicious hackers"--that is, people who have and use the technical knowledge, capability, and motivation to gain unauthorized access, for various reasons, to systems in cyberspace.
It is important to understand that by no means all hackers are malicious, nor does most hacking involve unauthorized access to cyberspace systems; indeed, only a small fraction of computer hacking involves such activities but this fraction gives hacking an otherwise undeserved bad reputation. While we intended to focus on technical (software) vulnerabilities, our interviews led us to look more at the broader motivations for, and different approaches to, cracking into various networks and networked systems.

MAIN CONCLUSIONS

Our main conclusion is that social, organizational, and technological factors still combine in ways that make much of cyberspace relatively vulnerable to unauthorized access. The degree of vulnerability varies from one type of communications system to another. In general, the PSTN is the least vulnerable system, the PDNs are somewhat more vulnerable than the PSTN, the Internet is relatively insecure, and as is widely known, the cellular phone system is the most vulnerable of the four major areas we addressed.

The main vulnerabilities in most communications networks involve procedural, administrative, and human weaknesses, rather than purely technical vulnerabilities of network management, control systems, hardware, and software. There are technical vulnerabilities--poor system design and specific security flaws in software--but they are exploitable mainly because of the above-cited problems.

Highlights of the study's conclusions include:

o Malicious attacks on most networks and networked systems cannot be completely prevented, now or in the future. More than enough information is publicly available to hackers and other technically literate people to preclude attempts at prevention of intrusions.

o It is possible that individuals or groups could bring down individual systems or related groups of systems, on purpose or by accident. However, security is generally improving as a result of dealing with past threats and challenges to system security.
For instance, responses to the most recent serious threat to the Internet, the so-called Internet Worm in 1989, included improved security at sites vulnerable to this type of worm.

o We found no evidence that the current generation of U.S. hackers is attempting to sabotage entire networks. On the contrary, doing so is inconsistent with the stated ethics and values of the hacker community, which are to explore cyberspace as a purely intellectual exercise without malicious intent or behavior. Some individuals who operate outside this informal ethical framework, however, can and do damage specific systems and occasionally use systems for personal gain or vindictive activities.

o There is some evidence that the newest generations of hackers may be motivated more by personal gain than by the traditional motive of sheer curiosity. This development could mean that networks and networked systems could become more likely targets for attacks by hardened criminals or governments' intelligence services or their contractors (i.e., employing malicious hackers). This threat does not appear to be significant today but is a possible future scenario.

o The four major areas of vulnerability uncovered in our research have little or nothing to do with specific software vulnerabilities per se. They relate more to the ways in which hackers can gain critical information they need in order to exploit vulnerabilities that exist because of poor systems administration and maintenance, unpatched "holes" in networks and systems, and so on.
  - The susceptibility of employees of businesses, public organizations, schools, and other institutions to "social engineering" techniques
  - Lax physical and procedural controls
  - The widespread availability of nonproprietary and of sensitive and proprietary information on paper about networks and computer systems
  - The existence of "moles," employees of communications and computer firms and their suppliers who knowingly provide proprietary information to hackers.

o The vulnerabilities caused by shortcomings in software-based access controls and in hardware-related issues constitute significantly lower levels of risk than do the four areas discussed above on more secure networks such as the PSTN and PDNs. However, on the Internet and similar systems, software-based access controls (for instance, password systems) constitute significant problems because of often poor system maintenance and other procedural flaws.

RECOMMENDATIONS

On the basis of our research, we recommend the following:

1. Protection of organizational information and communications assets should be improved. Issues here range from those involving overall security systems to training employees in, and informing customers of the importance of, maintenance of security on individual systems, handling and disposition of sensitive printed information, and dealing with social engineering.

2. Techniques used to protect physical assets should be improved. For example, doors and gates should be locked properly and sensitive documents and equipment guarded appropriately.

3. Organizations and their employees should be made aware of the existence of moles and their role in facilitating and enabling hacker intrusions, and care should be taken in hiring and motivating employees with the mole problem in mind.

4. Software- and hardware-based vulnerabilities should also be addressed as a matter of course in systems design, installation, and maintenance.

5. Organizations concerned with information and communications security should proactively promote educational programs for students and parents about appropriate computer and communications use, personal integrity and ethics, and legitimate career opportunities in the information industry; and they should reward exemplary skills, proficiency, and achievements in programming and ethical hacking.

6. Laws against malicious hacking should be fairly and justly enforced.

SRI believes that the results of this study will provide useful information to both the operators and users of cyberspace, including the hacker community. We plan to continue our research in this area during 1993 within the same framework and conditions (i.e., anonymity of all individuals and organizations) as those that governed the 1992 research. We invite hackers and others who are interested in participating in this work through face-to-face, telephone, or e-mail interviews to contact the following member of the SRI project team:

A. J. Bate
SRI International
Phone: 415 859 2206
Fax: 415 859 3154
E-mail: aj@sri.com

------------------------------

End of Computer Underground Digest #5.75
************************************