Computer underground Digest Wed Aug 21, 1996 Volume 8 : Issue 61 ISSN 1004-042X Editor: Jim Thomas (cudigest@sun.soci.niu.edu) News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu) Archivist: Brendan Kehoe Shadow Master: Stanton McCandlish Field Agent Extraordinaire: David Smith Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Cu Digest Homepage: http://www.soci.niu.edu/~cudigest CONTENTS, #8.61 (Wed, Aug 21, 1996) File 1--Seeking opinions of Mankato State University email policy File 2--Commends requested on Mankato "email" policy File 3--DOJ homepage hacked!!! File 4--Re: USDOJ Hacked File 5--Microsoft Acknowledges Flaw in Internet Browser File 6--Re: Cu Digest, #8.60--Sun, 18 Aug 96 File 7--Cu Digest Header Info (unchanged since 7 Apr, 1996) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION ApPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. --------------------------------------------------------------------- Date: Mon, 19 Aug 1996 10:30:32 -0500 (CDT) From: "Robert A. Hayden" Subject: File 1--Seeking opinions of Mankato State University email policy -----BEGIN PGP SIGNED MESSAGE----- At the beginning of the year, Mankato State University adopted the following "email policy". Being a member of the student senate, I expressed my concerns to the student government about the policy (particularily the prohibitions on "political" speech), but it wasn't politically feasible to challenge the policy as the student government had approved it prior to my election (ie, I don't really thing they knew what it was they were signing/signing-away). When I did bring it up to the administration of the university, it was basicly reduced to "well, the Senate said it was ok, so stick it" (well, that's somewhat paraphrased :-). Anyways, I'd like some opinions about this, as, in light of the Princeton case (and the ACLU's response), I think I would like to attack this policy. I would just like a little better feeling about where this policy stands than the general "yucky" feeling I get. Thanks for your time. Robert Hayden - ----------------------------- Mankato State University MANKATO STATE UNIVERSITY ELECTRONIC MAIL TRANSMISSION REGULATION Article I. Objective To ensure that electronic mail transmissions between and among MSU authorized "E-mail" users are consistent with state statutes limiting the use of state services and equipment to state business purposes only. This effort is consistent with existing practices governing other forms of communication on campus including telephone calls, bulletin board postings, the mass distribution of promotional flyers, and the use of intra-campus mail services. Minnesota Statutes Chapter 43A.38, Subd. 4 - Use of State Property An employee shall not use or allow the use of state time, supplies or state owned or leased property and equipment for the employee's private interests or any other use not in the interest of the state, except as provided by law. Minnesota Statutes Chapter 43A.39, Subd. 2 - Noncompliance Any employee who intentionally fails to comply with the provisions of Chapter 43A shall be subject to disciplinary action and action pursuant to Chapter 609. An appointing authority shall report in writing to the legislative auditor when there is probable cause to believe that a substantial violation has occurred. Any person convicted of a crime based on violations of this chapter shall be ineligible for appointment in the civil service for three years following conviction. Minnesota Statues Chapter 609.87 thru 609.8911 - Computer Crime [Statute deals with definitions; destructive computer programs; intentional damage to computers, computer systems, computer networks, computer software, etc.; theft of services and equipment; unauthorized computer access; gross misdemeanor and misdemeanor criminal penalties; and reporting violations.] University Facilities and Services - Restricted Use Faculty and staff are to use University facilities and services for University business only. [Mankato State's Employee Handbook - General Policies Section] Professional and Ethical Standards University equipment shall not be used by employees for personal use without notice to and the written consent of his/her employer . . . . [State University System Regulations Article 2.4] Similar language is contained in Articles 4 and 27 of the IFO Labor Agreement and Article 20 Section C of the MSUAASF Agreement. Students, who are not already on-campus part-time employees covered by the above statute citations, shall adhere to all E-mail policies and regulations contained herein. It is the intent of this E-mail regulation to cover all E-mail users within the campus community. Article II. Regulation The electronic mailing privilege is provided to members of the University community to enhance their ability to quickly and conveniently send and receive written communications and documents for the purpose of conducting University business. Use of the privileges for personal gain and for non-University related business is prohibited. (The University continues to invest significant amounts of its budget in the maintenance and improvement of electronic transmission capability, in addition to the enormous past outlays which have been made for computer hardware, software, and cabling.) SECTION 1. FOR PROFIT USE PROHIBITED : NONPROFIT USE REQUIRE PRIOR APPROVAL For profit organizations are strictly prohibited from the use of University electronic mail services. (University contract vendors like Wallace's University Bookstore and the ARAMARK food service shall be provided access to the University electronic mail system only upon agreement to pay MSU for these state provided services.) Non-profit organizations may be allowed access only if the transmission has been approved in advance by the University Operations Vice President (or designee). Authorization for such access by a non-profit organization will hinge on how closely it relates to the "state business use" standard and the organization's traditional or direct tie to the University (e.g., Mankato State University Foundation, United Way, etc.). SECTION 2. ACADEMIC FREEDOM PRINCIPLES APPLY Commonly understood principles of academic freedom shall be applied to the administration of information transmitted by E-mail. SECTION 3. EXTERNAL TRANSMISSIONS TO MSU E-MAIL USERS The ability of the University to monitor and regulate incoming Internet transmissions is almost impossible. If unsolicited or unwanted Internet transmissions are received, E-mail users may contact their mail system manager so that an effort can be made to ensure that such transmissions do not reoccur from the same source. SECTION 4. POLITICAL USE OF E-MAIL PROHIBITED Political transmissions are prohibited. This would include transmissions which advocate the election of particular candidates for public office at either the federal, state, or local level. Also banned are those messages that advocate support of or opposition to any particular referendum proposal that will be decided by the voters during a general or special election affecting the public at large. SECTION 5. COLLECTIVE BARGAINING UNITS, RECOGNIZED STUDENT GROUPS - E-MAIL TRANSMISSIONS ALLOWED This regulation is not to be interpreted as prohibiting transmissions protected by existing employee collective bargaining agreement provisions dealing with mailing privileges nor shall it be used to deny access to recognized student organizations and related student service departments who wish to announce upcoming events that may be of interest to members of the University community. SECTION 6. GENERAL STANDARDS AND GUIDELINES 1. Personal uses of E-mail which are prohibited include, but are not limited to: chain letters; recipes; "garage sale" announcements; solicitation or requests for contributions (e.g.needy family, special relief efforts, etc.); commercial advertisements; and advertisements for events or items for sale or rent that result in personal gain or revenue for non-University departments and programs or unapproved organizations as prohibited by provisions in Article II, Section 1 of this policy. 2. E-mail users are asked to take care in directing their messages to large audiences and to avoid sending repeats of the same messages as "reminders." Concerns also exist that many messages sent to all MSU mail users could be better targeted to smaller groups of users. 3. E-mail transmissions shall not be used in any way which violate Higher Education Board or University policies regarding harassment. The University is not responsible for transmissions which are libelous or defamatory. 4. A user's password is the key to the E-mail network and as such users are advised that they are responsible for the security of their respective password. There are major risks when a user's password is known to others. Transmission made using that password are assumed to be initiated by the password's user, though managers of E-mail systems who investigate complaints shall not automatically assume that the author of an offending transmission is the password's user. 5. It is not the intent of this regulation to interfere with private communications between individuals. 6. E-mail managers and network system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, shall be governed by applicable federal and state laws and by University policies. Article III. Sanctions for Violations Complaints by any user receiving electronic transmissions through Data General, Microsoft Mail, and existing VAX services may be submitted to any manager of a major E-mail system or directly to the University Operations Vice President's Office. An E-mail manager will investigate the complaint and make a determination on its validity. If a violation did occur the E-mail manager shall inform the employee's immediate supervisor and make a recommendation to implement one of the following sanctions. Severity of the sanction is dependent on the nature of the violation and history, if any, of past violations. The employee's supervisor has five work days in which to approve, and or modify, the E-mail system manager's recommendation. If no action occurs the E-mail manager's recommendation is forwarded to the University Operations Vice President for disposition. SANCTIONS - DEPENDENT ON SEVERITY OF VIOLATION AND/OR HISTORY OF PAST VIOLATIONS * Verbal warning. * Discipline pursuant to appropriate collective bargaining or other employment regulations; discipline pursuant to appropriate student conduct codes. * Warning letter to the violator formally notifying of additional sanctions if violations continue. * Suspension of electronic mail privileges for five work days. The user would continue to receive electronic mail but would not be able to read it until after the suspension of privileges is lifted and a new electronic mail password is issued by the appropriate E-mail manager. * Penalty consistent with federal or state law and/or employee collective bargaining agreements. (Could involve referral of matter to criminal authorities..) APPEALS Applicable appeal procedures may be implemented consistent with employee bargaining unit contracts or student conduct codes. Article IV. Electronic Mail Oversight Team The "Electronic Mail Oversight Team" shall review e-mail practices, procedures and policies and may make recommendations for improvement to the Vice President for University Operations. The ten member oversight team include the managers of these major e-mail systems: * University Operations server (Microsoft Mail) * P.E.T. server (Microsoft Mail) * Student Develop. Prgms. & Activities server (Microsoft Mail) * MSUS/PALS servers (Microsoft Mail) * College of Science, Eng. & Tech. server (Microsoft Mail) * Krypton server (Academic DEC with Unix Operating System) * AS/400 server (Academic IBM System) * MSMail 4,5,6,7,8, Computer Svcs., ACTS, Admin., MSU Academic, & Memorial Library servers (Microsoft Mail) * VAX1 server (MSU Academic VAX) * Data General server The team shall be convened at least twice annually and chaired by a member elected by and from among the panel members. Article V. Confidentiality and/or Privacy Users are advised that the privacy of data stored or sent on the system cannot be guaranteed; furthermore, there are a number of circumstances in which data stored on the system will be accessed by authorized individuals. Those circumstances include, but are not limited, to the following: * Performing administrative tasks, such as: identifying and pursuing breaches of security mechanisms; maintaining the integrity or operational state of the E-mail and related computer systems; collecting aggregate data; etc. The individual authorizing any search of a user's data must have reasonable grounds for suspecting that the search will reveal evidence that the user has violated a specific University, Higher Education Board policy, state or federal law, or has committed work related misconduct. The search of a user's data must be reasonably related in scope to the suspicion which generated this search. * Monitoring use of the E-mail and related computer systems to determine whether the polices of the University, Higher Education Board, and/or state or federal law have been broken. * Monitoring use of the E-mail and related computer systems when it is necessary so that the University can provide its services or protect the rights or property of the University. Meet and Confers Held Date Proposal Submitted/Reviewed IFO Faculty Association September 14, 1995 and October 12, 1995 MSUAASF Meet and Confer September 18, 1995 and October 16, 1995 Classified Employee Meet and Confer September 28, 1995 Student Association Meet and Confer October 12, 1995 Approved _____________________________________________ ___________________ Mankato State University President Date Document signed by Richard R. Rush on 1/30/1996 ------------------------------ Date: Tue, 20 Aug 1996 09:18:16 -0700 (PDT) From: "Carl M. Kadie" Subject: File 2--Commends requested on Mankato "email" policy I've never seen such a contradictory academic policy. It says that "private" use is allowed, but that "personal" use is banned. It says that academic freedom principles prevail, but that political use is banned. It says that searches must be based on "reasonable grounds for suspecting that the search will reveal evidence that the user has violated a specific [policy]", but also allows general suspensionless "monitoring use of the E-mail [...] to determin whether the [polices] have been broken. [There must be a very interesting story about the creation of a policy that contracts itself in alternating paragraphs.] In any case, I believe the policy as it stands is illegal because: It is unconstitutionally vague (and contradictory). There is no way that a reasonable person could know if he or she was violating the policy. It applies employment rules to students. Students are not employees. (As the U. of Wisconsin and U. of Michican found out in federal court). It bans protected political speech. As the ACLU letter to Princeton pointed out, political speech not on behalf of the university can not be singled out censorship. It seems to authorize illegal searches. Why all this trouble? I'm sure the University already has general rules for speech via University resoures, media, forums. Don't make email a second-class citizen, treat the same as traditional forums. - Carl ANNOTATED REFERENCES (All these documents are available on-line. Access information follows.) ================= law/political-speech ================= * Expression -- Academic - Political Speech A letter from the ACLU to Princeton University explaining why a ban on on-line political speech is unnecessary and perhaps illegal. ================= faq/email.privacy ================= * Email -- Privacy q: Can (should) my university monitor my email? a: Ethically (and perhaps legally) email communications should have ... ================= faq/email.policies ================= * Email -- Policies q: Do any universities treat email and computer files as private? a: Yes, many universities treat email and computer files as private. ... ================= ================= If you have gopher, you can browse the CAF archive with the command gopher gopher.eff.org These document(s) are also available by anonymous ftp (the preferred method) and by email. To get the file(s) via ftp, do an anonymous ftp to ftp.eff.org, and then: cd /pub/CAF/law get political-speech cd /pub/CAF/faq get email.privacy cd /pub/CAF/faq get email.policies To get the file(s) by email, send email to ftpmail@decwrl.dec.com Include the line(s): connect ftp.eff.org cd /pub/CAF/law get political-speech cd /pub/CAF/faq get email.privacy cd /pub/CAF/faq get email.policies ------------------------------ Date: Mon, 19 Aug 1996 05:29:19 -0700 (PDT) From: Declan McCullagh Subject: File 3--DOJ homepage hacked!!! ((MODERATORS' NOTE: To see what the DoJ page looked like during the "hack," point your browser to: lynx http://www.doobie.com/~baby-x/usdoj )) --- From--"L. G. Shirley" Date--17 Aug 1996 22:47:59 GMT About 10PM last night I clicked on my bookmark for the Federal Gov't and then selected, by random, the Dept of Justice. http://justice2.usdoj.gov/ SURPRISE!!!!!!!!!! Someone had made a few changes, For one it is now called the Department of Injustice. You are immediately greeted by the Nazi swastika all over your screen's background. A flag w/the symbol is apparent. George Washington's picture is captioned with his words, "Move my grave to a free country! This rolling is making me an insomniac". Janet Reno's portrait has been replaced by Hitler's. And a flag now bears the Nazi symbol. She is now called Attorney General Furher. There is plenty of nudity and the many links will take you to places you may never have been before. I don't think we're in Kansas anymore Toto! I have no clues how it was done or when. My guess is someone changed all the links to the DOJ page to another one, the one you see when you click on the DOJ's homepage. I worked today and when I came home and tried to get back to the DOJ's page, no luck. Must be a major overload of people trying to get to the link of women clad in, well, next to nothing and tied with rope! I don't think the author will make any brownie points w/women. He hacked the homepage they have w/the DOJ on violence against women. I'm not condoning such action and violence is a very serious issue but whoever did the hack was also very serious. He changed a Clinton speech on affirmative action and insulted blacks with his choice of words. There is a lot of rambling about the internet and the Gov't taking away our rights on it. The author has a interesting slant on things. This should be enough of a warning if you're easily offended by racism, hate, foul language, porn on the net, and general crudeness. Don't go there. I would like to know just how this was done, any ideas? Is it that easy to hack someones homepage? I wonder how long it'll be before this homepage link is removed and can they find who did the evil deed? Two months on the Net and just when I think I'd seen it all, wow. ------------------------------ Date: Mon, 19 Aug 1996 04:49:58 -0700 (PDT) From: Declan McCullagh Subject: File 4--Re: USDOJ Hacked .... August 18, 1996 Hacker Vandalizes Web Site Of U.S. Justice Department By JOHN O'NEIL The New York Times / National News WASHINGTON -- A computer hacker vandalized the Internet home page of the Department of Justice on Friday night, posting obscenities and anti-government graffiti, a department official said Saturday. The Justice Department's site on the World Wide Web was shut down early Saturday after members of the public called to report that the site had been altered, apprarently by a hacker or hackers who posted nazi insignia, nude photographs and an attack on the Communications Decency Act. A department spokesman, Joe Krovisky, said that the site would remain off line while the department's technical experts assess its security. Krovisky said that the system the hacker broke into was separate from the department's internal computer system, which contains highly sensitive information about criminal cases and investigations. "There's no way that the internal department information could have been affected" by a hacker who gained access to the information presented on the web site, he said. "That would have been impossible." The hacker replaced information on the home page with obscenities, graffiti and anti-government statements, he said, but declined to give details. The Associated Press reported that the site's title had been changed to "United States Department of Injustice," next to a red, black and white flag bearing a swastika. The text of the page was written over a background of gray swastikas, and at the top declared in red letters: "This page is in violation of the Communications Decency Act." The page included color pictures of George Washington, Adolf Hitler, who is identified as the attorney general, and a topless Jennifer Aniston, one of the stars of NBC's "Friends," the Associated Press said. Other sexually explicit images were also shown. [...] ------------------------------ Date: Sun, 18 Aug 1996 23:25:50 -0400 (EDT) From: Noah Subject: File 5--Microsoft Acknowledges Flaw in Internet Browser From -Noah ---------- Forwarded message ---------- Date--Sun, 18 Aug 1996 13:00:21 -0500 From--Frosty The Sun Herald 18 August 1996 MICROSOFT ACKNOWLEDGES FLAW IN INTERNET BROWSER Redmond, Wash. - Microsoft Corp.'s Internet Explorer 3.0, its much-promoted new software for browsing the Internet, has a flaw that affects its performance on some World Wide Web sites, a company executive says. The new version of the browser launched Monday to compete with Netscape Communications Corp.'s Navigator, had been downloaded for free by more than 100,000 people by Friday, said Bill Koszewski, a Microsoft product manager. The flaw is a bug in the software that will slow users trying to access certain Web sites that require their name and a password, he said. -Commentary: Isn't this the same standard of slipshod performance that the world expects form Microsoft ?!?! ------------------------------ Date: Mon, 19 Aug 1996 14:47:59 +0000 From: e.tan@UCL.AC.UK(Emerson Tan) Subject: File 6--Re: Cu Digest, #8.60--Sun, 18 Aug 96 Re: CuD 8.60 File 6--UK ISPs Restrict cyberporn > >U.K. INTERNET PROVIDERS PLAN TO RESTRICT CYBERPORN > This issue seems to have finally pointed out to the public in the UK just how difficult it is to stamp out internet pronography. It has also pointed out a major deficency in the legal systems of the nations that are on the net, namely that of cross border legisaltion. Without some kind of cross border legislation it is impossible to control this kind of crime. It is up to the governements and judical systems of the nation where these criminals reside to adequately prosecute those that distribute illiegal porn. The problem is that currently those in authority still veiw this a technical problem for which there is an easy cheap technical fix. Indeed there is a technical fix, but it runs counter to the entire idea of the net and can be used for all manner of control purposes. This is to put the entire nation behind a firewall as in the case of singapore. But still the possiblity exists that illegal comunications links could spring up using such things as satalites and dial up modems both legitimate comunications technologies which are hard to regulate, without being precieved as being excessive. In short there is no other solution but to prosecute purveors of offensive materials 'in real life' and the burden for this task falls on the judicaries of the world. It also calls for unprecedented co-operation of law enforcement agencies of the world, rather than increased pressure on the internet service providers which will only serve to put in plave legislation which could ultimately snuff out the cosmopolitain nature of the net, replacing it with a bland set of corporate offerings. ------------------------------ Date: Thu, 21 Mar 1996 22:51:01 CST From: CuD Moderators Subject: File 7--Cu Digest Header Info (unchanged since 7 Apr, 1996) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send post with this in the "Subject:: line: SUBSCRIBE CU-DIGEST Send the message to: cu-digest-request@weber.ucsd.edu DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS. The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. To UNSUB, send a one-line message: UNSUB CU-DIGEST Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU (NOTE: The address you unsub must correspond to your From: line) Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (860)-585-9638. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown) Brussels: STRATOMIC BBS +32-2-5383119 2:291/759@fidonet.org In ITALY: ZERO! BBS: +39-11-6507540 In LUXEMBOURG: ComNet BBS: +352-466893 UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/ wuarchive.wustl.edu in /doc/EFF/Publications/CuD/ EUROPE: nic.funet.fi in pub/doc/CuD/CuD/ (Finland) ftp.warwick.ac.uk in pub/cud/ (United Kingdom) The most recent issues of CuD can be obtained from the Cu Digest WWW site at: URL: http://www.soci.niu.edu/~cudigest/ COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ------------------------------ End of Computer Underground Digest #8.61 ************************************