Computer underground Digest Sun Aug 23, 1998 Volume 10 : Issue 46
ISSN 1004-042X

Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #10.46 (Sun, Aug 23, 1998)

File 1--Islands in the Clickstream. If Truth Be Told. August 1, 1998
File 2--NYT: Report Reveals Cost of Computer Incidents at Universities
File 3--FTC Cites GeoCities for Privacy Violations
File 4--new book on Alan Turing
File 5--Cyber-Liberties Update, August 11, 1998
File 6--Cu Digest Header Info (unchanged since 25 Apr, 1998)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Tue, 04 Aug 1998 23:53:47 -0500
From: Richard Thieme
Subject: File 1--Islands in the Clickstream. If Truth Be Told. August 1, 1998

Islands in the Clickstream: If Truth Be Told

The press coverage of the Black Hat Briefings II and Def Con VI tells part of the story, but the fact that mainstream media covered those cons the way they did tells much of the rest.

Def Con is the biggest and most celebrated convention for computer hackers. The con has grown from sixty to two thousand in six years. The Black Hat Briefings, which grew out of Def Con, is a forum in which the best and brightest hackers engage in serious conversation with experts in computer security. The technical presentations are as good as it gets, and attendance at Black Hat tripled in a year.

Stories about Def Con in the New York Times and L. A. Times had similar slants: Young hackers who a few years ago hesitated to reveal even their on-line handles now occupy critical positions in business and government.
Which is certainly part of the story. The crew from CNN, however, floating through Def Con like the bright shining bubble of the Good Witch of the North, was a symbol of a bigger truth. Leon Panetta once said that CNN inserted itself like a filter between our minds and our own experience of reality. Panetta recalled his arrival at the White House as Chief of Staff. One of the first things he wanted to see was the Situation Room. He wanted to know if it really looked like the one in "Doctor Strangelove." So what did he find? "Two guys in shirtsleeves sitting at a table watching CNN." Now, think about it. A much younger Leon P sits in a darkened movie theater. Inside his head are "symbolic modules" generated by his youthful experience and education. "Doctor Strangelove" coupled an image of a hidden, forbidden reality - the situation room where life and death decisions are made - with that modular interface. With all his experience and political savvy, Panetta still wondered when he arrived at the White House years later if the image fit. He said it did not but in a deeper way, maybe it did. Panetta saw two people interact with CNN, a medium that couples symbolic modules with our modular constructions of reality. Panetta had interacted with a movie that coupled a symbolic module with his construction of reality. In other words, decades later he laughed at two guys for doing what he had done and he had believed in his images all those years. The CNN crew attracted everyone's attention. The camera and fuzzy mike on a long boom were huge, and every time they turned on the bright lights, attention in the room swirled around them like water going down a bathtub drain. Like physicists observing sub-atomic particles, they altered what they saw by the act of observing it. The reporters who directed the process knew their business, but not hacker reality. "Three weeks ago, I had never heard of Def Con," said one. 
They looked forward to the Black-and-White Ball on Saturday night because they wanted good visuals. The visuals would be filtered to fit the expectations of the audience - expectations created by the media, where images of hackers have replaced Cold War spies as magnets of fear and fascination. The media need modules that snap tightly together without being forced. News and entertainment are virtually indistinguishable in the digital world. Their agendas are set by those who own the media and decide what is thinkable. Those who determine the questions that can be asked do not need to worry about the answers. The answers fly about in simulated opposition like birds flocking to a few recursive rules inside a digital cage. Because the birds have enough room, they do not even notice the cage. At a deeper level, the structure of our information infrastructure determines how we think, the questions that we ask. That infrastructure is the context of our lives. Those who work at the nexus of context and content rule the digital world. We don't notice those cages either, but that's what the real geniuses at Black Hat and Def Con are building. Those who code software and build chips (i.e. code in a harder state, like ice and water) create the contours or parameters of commerce, social interaction, and the kinds of wars we fight. Although intrusion and data manipulation or destruction can be damaging, hackers are not threatening simply because they can break into systems. At the top level, it is their ability to piece together the Big Picture and see how the imaginary landscapes that we call "the real world" are constructed that constitutes a threat. Hackers, spies and journalists resemble one another. A reporter told me of her journey through ostensible coverage of the software industry to the unintended discovery of how things really work. Her off-the-record account detailed infiltration, collusion, and sabotage. 
"It wasn't what I was looking for," she said, "but I can't forget what I saw." I mentioned something a hacker had uncovered, and she laughed. I repeated what I said and she laughed again. "Ridicule is easy," I said. "The first line of defense of consensus reality. " "I have to laugh at that," she said, suddenly not laughing. "I would go insane otherwise." If truth be told, that reporter is telling it. Wisdom and sanity depend on a context to give them meaning. When the context shifts, wisdom becomes nonsense, what is sensible sounds insane. And vice versa. The first line of defense of consensus reality is always to laugh, then ridicule, then attack. Hackers don't live inside that consensus. Nor do spies. They live too close to the edge, the terminator on the moon where everything is thrown into relief, where intentionality creates consensus. In a world of pure information, intentionality is everything. There's plenty of laughter at Def Con, but it's laughter at the paradox of the mind observing itself, watching itself build worlds in which - in spite of seeing marks of the tools on the raw material, the tools in our own hands - we lack the freedom not to believe. ********************************************************************** Islands in the Clickstream is a weekly column written by Richard Thieme exploring social and cultural dimensions of computer technology. Comments are welcome. Feel free to pass along columns for personal use, retaining this signature file. If interested in (1) publishing columns online or in print, (2) giving a free subscription as a gift, or (3) distributing Islands to employees or over a network, email for details. To subscribe to Islands in the Clickstream, send email to rthieme@thiemeworks.com with the words "subscribe islands" in the body of the message. To unsubscribe, email with "unsubscribe islands" in the body of the message. 
Richard Thieme is a professional speaker, consultant, and writer focused on the impact of computer technology on individuals and organizations.

Islands in the Clickstream (c) Richard Thieme, 1998. All rights reserved.

ThiemeWorks on the Web: http://www.thiemeworks.com
ThiemeWorks P. O. Box 17737 Milwaukee WI 53217-0737 414.351.2321

------------------------------

Date: Tue, 28 Jul 1998 10:59:39 -0700
From: Jim Galasyn
Subject: File 2--NYT: Report Reveals Cost of Computer Incidents at Universities

July 27, 1998

Report Reveals Cost of Computer Incidents at Universities

By PAMELA MENDELS

A student receives an e-mail message with a fake warning that he is a suspect in a Federal Bureau of Investigation child pornography case.

A hacker sets up a "Trojan horse" log-in screen that captures the confidential passwords of 75 university students.

An innocent software upgrade leads to weeks of computer crashes and disruption of service for students, faculty and administration personnel.

These are three of the 30 incidents that researchers at the University of Michigan uncovered in a recent report that examined computer-related misdeeds and malfunctions in university settings.

The study took a look at computer snafus that had occurred from about September 1996 to April 1998 at the 12 Midwestern universities that make up the Committee on Institutional Cooperation. The group, an academic consortium whose members include the University of Chicago, Northwestern University, Purdue University and the University of Minnesota, paid for the effort, called the Incident Cost Analysis and Modeling Project.

The purpose was to get an idea of the kind of computer problems that crop up at the universities and to estimate how much they cost to handle. The study was prompted by concern that university lawyers and insurers need a clearer picture of the kinds of mischief that university computers can cause so they are better prepared to manage the risk.
In the 30 cases documented, researchers estimated that universities spent about $1 million in cleanup costs. The money paid for everything from new equipment to staff time, including about 1,160 hours spent by one university computer specialist to track down what eventually turned out to be a group of 20 to 30 hackers, one of whom had used a university computer account to try to threaten a California-based Internet service provider. Rezmierski emphasized that the study was not a scientific one -- and for a simple reason. Because no one knows about all of the computer-related incidents that occur at the schools, researchers could not select a random sampling of cases to examine. But hackers were far from the only source of headaches. Indeed, other incidents involved old-fashioned theft, such as a break-in at a university fundraising office. The stolen goods included a computer containing sensitive information about 180,000 donors, including their Social Security numbers, addresses and the amount of money they contributed. And some serious incidents happened without any malicious intent. For example, among the cases studied, the problem that cost the most to solve occurred in a bumpy attempt to update the software of a computer containing student files, financial information and the school's Web page. After the upgrade, the system began crashing frequently over a two week period and then required another week of repair before it functioned properly. It cost the university about $14,300 to fix the problem, but students, staff members and professors lost about another $175,000 in time that could not be spent working on computer-dependent projects. ------------------------------ Date: Sat, 15 Aug 98 07:34:27 EST From: Computer Privacy Digest Moderator Subject: File 3--FTC Cites GeoCities for Privacy Violations Source: Computer Privacy Digest Sat, 15 Aug 98 Volume 13 / #11 Moderator: Leonard P. 
Levine

From--Anonymous
Date--14 Aug 1998 06:12:07 +0200
Subject--FTC Cites GeoCities for Privacy Violations

WASHINGTON (AP) -- Federal regulators accused GeoCities on Thursday of lying to its Internet customers and revealing to advertisers details that it collected about people online, such as their income and marital status. GeoCities' shares fell more than 15 percent Thursday, down $7 to close at $38.50.

http://www.cnn.com/TECH/computing/9808/13/geocities.ap/
http://dailynews.yahoo.com/headlines/ts/story.html?s=v/nm/19980813/ts/internet_3.html

Federal regulators accused GeoCities Thursday of lying to its customers about maintaining their privacy.

http://www.cnn.com/QUICKNEWS/#Sci-Tech4

There's a separate bite that indicates Geocities' stock took a dive today.

http://www.cnn.com/TECH/computing/9808/13/geocities.ap/

++++++

From--"Prof. L. P. Levine"
Date--14 Aug 1998 13:15:35 -0500 (CDT)
Subject--Telling a Lie
Organization--University of Wisconsin-Milwaukee

According to an Associated Press story in today's Milwaukee Journal Sentinel the company GeoCities gives people free space to build Web sites in return for the answers to personal information questions. The Federal Trade Commission has accused the company of releasing that data to advertisers in violation of a promise not to do so.

This story is interesting in itself but brings to my mind the question of just what does an individual owe a questioner who asks personal questions. If I am asked for my birthdate by an insurance company, I owe them an honest answer as the true cost of insurance might well be affected by the answer. But if I am asked that question by the vendor of a camera, perhaps on a warranty card, I can reasonably argue that there is no need to speak the truth, the warranty should be valid if I am 1 or 100 years old.

Of course I can just refuse to fill in the answer and submit the form with a blank field, but I can alternately answer with a deliberately false value.
After all, a blank field gives the vendor the information that someone does not wish to participate in the survey but a false answer, given by several folks, gives the vendor reason to believe that the entire data set is invalid, a much more satisfying result. -- Leonard P. Levine e-mail levine@uwm.edu Professor, Computer Science Office 1-414-229-5170 University of Wisconsin-Milwaukee Fax 1-414-229-2769 Box 784, Milwaukee, WI 53201 ------------------------------ Date: Sun, 16 Aug 1998 14:39:29 -0700 (PDT) From: David Batterson Subject: File 4--new book on Alan Turing Alan Turing's Biographer Publishes New Book on Turing, Pays Tribute to Gay Genius at a Dedication Ceremony by David Batterson Mathematician Andrew Hodges, author of the biography, "Alan Turing: the Enigma," has a new book out on the British gay computer genius Alan Turing, and Hodges also recently paid tribute at Turing's birthplace in England. About his newest book, Hodges said "my short text on Alan Turing's philosophy of mind appeared in November 1997 as 'Turing,' number three of a new series of 'The Great Philosophers' issued by Weidenfeld and Nicolson (London). My subtitle is 'Alan Turing: a natural philosopher.' It runs to 58 pages, about half taken up with original Turing text, and half with my commentary." "Turing" is available on Hodges' recently updated Alan Turing Home Page (www.turing.org.uk/turing/). Hodges added that "in accordance with the scheme of the Great Philosophers series, the text is intended to show exactly what Turing wrote, particularly regarding the Turing machine. To some extent this is a condensation of the critique in my biography. But I've found something new to say about the development of Turing's thought; in particular about the way his ideas developed between 1935 and 1945." Alan Turing (1912-54), was an openly-gay computer genius, one of the most significant pioneers in the history of computers. 
He founded computer science (1936), cracked the German U-boat "Enigma" cipher during World War II (1939-45), led the world in schemes for computer software (1945-47), and started the first Artificial Intelligence program (1946-50). According to Hodges, "Alan Turing was the originator of the computer as we understand it now. He was also an open gay man. In 1952 he was arrested, and although unrepentant at his trial had to submit to humiliating treatment with hormones (Estrogen) to avoid going to prison. He found himself under watch. In 1954 he ended his life; he ate an apple dipped in cyanide." Hodges said that "on June 23 I had the honor of being asked by English Heritage to unveil the official Blue Plaque on Alan Turing's birthplace. It would have been his 86th birthday." The day turned out to be ironic. "There was a great deal of publicity for the 50th anniversary of the world's first working modern computer," Hodges said, "which ran at Manchester on June 21, 1948. And at 10:30 p.m. the night before, the House of Commons had voted by a large majority to change the law so that homosexual and heterosexual acts would alike be governed by an 'age of consent' of 16." At the tribute, Hodges read a statement from the Rt. Hon. Chris Smith, the UK Minister of State for Culture, Media and Sport, which stated: "It is long overdue and very welcome indeed that the birthplace of Alan Turing should now receive official recognition. Alan Turing did more for his country and for the future of science than almost anyone. He was dishonorably persecuted during his life; today let us wipe that national shame clean by honoring him properly." Excerpts from Hodges' June 23 oration follow: "In 1952, while Nazi war criminals went free, Alan Turing faced punishment: a choice between prison and chemical castration. The shame is that this country enforced a sexual Apartheid law which penalized honesty. 
Betrayed by his country, Alan Turing embodied scornful resistance to that Apartheid; he acted and suffered accordingly."

"Turing being a free-thinking free-living and open homosexual could not, at the height of Cold War panic, be consistent with his chosen duty, of knowing innermost secrets of the security state. But it does not amaze me that eventually he found existence self-contradictory and life unlivable, on that tenth anniversary of the invasion made possible by his work."

Playwright Hugh Whitemore used Hodges' "Enigma" as the basis for his play, "Breaking the Code." The "cut-down version of the play" was filmed for BBC television, and later appeared on "Masterpiece Theatre" in the U.S. Hodges wasn't too happy with the results, saying "what I really hope to see is a real film based on my book, something true to history but connecting with the 1990s and beyond."

Hodges' Website contains "The Alan Turing Internet Scrapbook." As Hodges explained its content, "these pages are full of images and links to exploit the interactive and cooperative world of the Web as created by Alan Turing's invention, the computer. They don't try to give a complete picture. They will mix thoughtfulness and feeling and anarchic humor like Alan Turing himself, and be in perpetual development as the Internet expands."

The biography of Alan Turing was originally published in 1983, simultaneously in the UK by Burnett Books and Hutchinson, and in the U.S. by Simon & Schuster. It's now in print in the UK Vintage paperback edition, ISBN 0-09-911641-3. You can also order "Enigma" from the Turing Web site. Hodges said "a new American edition is currently being negotiated by my literary agents, but will not be available until 1999."

Hodges is now writing a novel titled "The Unwelding." The author said that "one reason for calling it "The Unwelding" is that it tries to combine subjects which are usually kept far apart.
That makes it highly realistic--real lives don't divide into neatly pigeonholed 'genres'." He added that "it's a 'gay novel' in that most of the characters are gay men." The content includes "explicit equations as well as explicit sex. Taboos are broken," Hodges added. A preview of the novel is on the Web at: www.turing.org.uk/preview/.

###

Copyright 1998 David Batterson. This article may not be reprinted by other publications without permission from the writer (davidbat@yahoo.com).

------------------------------

Date: Mon, 10 Aug 1998 15:05:05 -0400 (EDT)
From: owner-cyber-liberties@aclu.org
Subject: File 5--Cyber-Liberties Update, August 11, 1998

Source - CYBER-LIBERTIES UPDATE, AUGUST 11, 1998

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ACLU Criticizes Lack of Might in Gore's "E-Bill of Rights"

Vice President Gore announced support for an "electronic bill of rights," to protect privacy of electronic communications earlier this month.

"You should have the right to choose whether your personal information is disclosed; you should have the right to know how, when, and how much of that information is being used; and you should have the right to see it yourself, to know if it's accurate," Gore said.

Privacy advocates, including the ACLU, have said that while Gore's statement is a move in the right direction, the administration still fails to support meaningful legislative solutions -- and instead continues to rely on self regulatory measures.

The ACLU believes that there is little incentive in a free market setting to provide genuine accountability to the user for violations of stated privacy principles. Even where penalties are imposed by self auditing programs -- these penalties may affect the site's accreditation -- but there is no recourse available to an aggrieved user.

In a recent ACLU survey of privacy policies of top rated financial sites, one site out of the 14 reviewed uses the TRUSTe self-auditing mechanism.
However, the site disclaims any liability "for any breach of security or for any actions of third parties which receive information." None of the sites we surveyed provided anything beyond an e-mail address for complaints or questions about privacy protections and half of the sites do not provide even an e-mail address or general privacy information.

In a recent letter to the Department of Commerce, the ACLU stated that the following principles must be incorporated into legislation in order to provide true privacy protection:

-Personal information should never be collected or given out without knowledge and permission by the subject of such information. The most sensitive personal information, such as Security Numbers, should be non-transferable without notification or express affirmative consent and the circumstances under which it can be collected must be limited.

-Federal and state government may not acquire information that is collected by the private sector. Moreover, individuals who are the subject of improper government browsing of data should be provided notice and redress.

-There must be no intermingling of government and private sector collected data for the creation of membership or identification cards -- e.g. smart cards -- which include private information and government issued driver's license numbers.

-Organizations must inform users as to why they are collecting personally identifiable information and they may not reuse such information for any purpose other than the stated reason for which they receive user permission. Information may only be reused if the individual provides affirmative consent to the new use.

-Information that is collected with permission must be secure from intrusion and unauthorized browsing. Any information that is no longer being used for the stated purpose for which it is sought should not be retained.

-Users who provide consent to collection of information must have the right to examine, copy, and correct their own personal information.

-Government restrictions on the development and use of strong encryption programs to secure online information and communications must be removed. Such utilities must be widely available to provide security against government and third party abuse of information.

These principles should be enforceable by law in order for individuals to have recourse or remedies when their rights are violated.

The ACLU cited the need for such legislative protection because of the widespread availability of thousands of online databases that provide ready access to revealing personal information about ordinary people, either through privately owned dial-up services or via the Internet.

"These databases cover information ranging from tax records to arrest records, home addresses and telephone numbers. Moreover, many sites that provide personal information tout the ability to provide virtually any information," the ACLU said.

The ACLU's July letter to the Department of Commerce, which includes the results of our informal survey of privacy policies of the "top rated financial sites" can be found online at

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PROTECT YOUR CIVIL LIBERTIES. BECOME A CARD CARRYING MEMBER OF THE AMERICAN CIVIL LIBERTIES UNION BY VISITING THE ACLU WEB SITE AT

About Cyber-Liberties Update:

A. Cassidy Sehgal (csehgal@aclu.org), Editor
William J. Brennan First Amendment Fellow
American Civil Liberties Union National Office
125 Broad Street, New York, New York 10004

The Update is a bi-weekly e-zine on cyber-liberties cases and controversies at the state and federal level. Questions or comments can be sent to Cassidy Sehgal at csehgal@aclu.org.
Past issues are archived at:

To subscribe to the ACLU Cyber-Liberties Update, send a message to majordomo@aclu.org with "subscribe Cyber-Liberties" in the body of your message. To terminate your subscription, send a message to majordomo@aclu.org with "unsubscribe Cyber-Liberties" in the body.

FOR GENERAL INFORMATION ABOUT THE ACLU, WRITE TO info@aclu.org. SEE US ON THE WEB AT AND AMERICA ONLINE KEYWORD: ACLU

TAKE THE FIRST AMENDMENT PLEDGE:

This Message was sent to cyber-liberties

------------------------------

Date: Thu, 25 Apr 1998 22:51:01 CST
From: CuD Moderators
Subject: File 6--Cu Digest Header Info (unchanged since 25 Apr, 1998)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

SUBSCRIBE CU-DIGEST

Send the message to: cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA.
To UNSUB, send a one-line message:

UNSUB CU-DIGEST

Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

CuD is readily accessible from the Net:

UNITED STATES:
ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
Web-accessible from: http://www.etext.org/CuD/CuD/
ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
wuarchive.wustl.edu in /doc/EFF/Publications/CuD/

EUROPE:
nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the Cu Digest WWW site at:
URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

------------------------------

End of Computer Underground Digest #10.46
************************************