**************************************************************************** >C O M P U T E R U N D E R G R O U N D< >D I G E S T< *** Volume 3, Issue #3.00 (January 6, 1991) ** **************************************************************************** MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet) ARCHIVISTS: Bob Krause / Alex Smith / Bob Kusumoto BYTEMASTER: Brendan Kehoe USENET readers can currently receive CuD as alt.society.cu-digest. Anonymous ftp sites: (1) ftp.cs.widener.edu (2) cudarch@chsun1.uchicago.edu E-mail server: archive-server@chsun1.uchicago.edu. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors, however, do copyright their material, and those authors should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ------------------------------ From: Various Subject: From the Mailbag Date: January 6, 1991 ******************************************************************** *** CuD #3.00: File 2 of 6: From the Mailbag *** ******************************************************************** From: wayner@SVAX.CS.CORNELL.EDU(Peter Wayner) Subject: Re: Cu Digest, #2.19 Date: Thu, 3 Jan 91 14:27:26 -0500 This is in reply to John Debert's note in CuDigest #2.19: He writes: "Now, suppose that someone has used this method to encrypt files on his/her system and then suppose that Big Brother comes waltzing in with a seizure warrant, taking the system along with all the files but does not take the code keys with them. Knowing Big Brother, he will really be determined to find evidence of a crime and is not necessarily beneath (or above) fudging just a bit to get that evidence. What's to keep him from fabricating such evidence by creating code keys that produce precisely the resultsthat they want-evidence of a crime? Would it not be a relatively simple procedure to create false evidence by creating a new key using the encrypted files and a plaintext file that says what they want it to? Using that new key, they could, in court, decrypt the files and produce the desired result, however false it may be. How can one defend oneself against such a thing? By producing the original keys? Whom do you think a court would believe in such a case? One should have little trouble seeing the risks posed by encryption." This is really unlikely, because in practice most people only use one-time pads for communication. They are not in any way practical for on-site encryption. Imagine you have 40 megabytes of data. If you want to encrypt it with a one-time pad, you need 40 megabytes of key. If you did this, it would be very secure because there exists a perfectly plausible 40 Meg key for each possible 40 meg message. But, if you were going to keep the 40 megs of encrypted data handy, you would need to keep the 40 megs of key just as handy. When the government came to call, they would get the key as well. That is why it is only practical to use systems like DES and easy to remember, relatively short keys to do the encryption. That way there is nothing to seize but your brain. ---Peter Wayner Dept. of Computer Science, Cornell Univ. (wayner@cs.cornell.edu) ++++++++++++++++++++++++++ From: CuD Dump Account Subject: BBSs as Business Phones? Date: Thu, 03 Jan 91 15:57:49 EDT Ok this is just a quick question. How can it be legal to make BBS' operators shell out extra money for a hobby, answering machines aren't something people have to pay extra for, and in some cases thats what BBS's are used for. If its a public BBS, it is receiving no true income from its users, unless they pay a standard, billable time, (ie. A commercial BBS) What gives them the right to charge us now? They don't force you to pay for special business class lines/fiber optic lines to call lond distance do they? No its by choice. Most SysOps buy the cheapest line available which is usually local only, no dial out, etc. SysOp's in the long run absorb most, if not all the costs of running a BBS, that means power, servicing, and the phone. The phone line at minimum, is going to cost at least a hundred or so per year. Then power, its absurd. In my case, I run a BBS to share information, and I allow everyone on for free. I've seen the old FCC proposals to have people using modems pay more, but I don't rightly see why. If I am not mistaken this is bordering on their greed to make more money for the growing modem populous. Do they have a right to charge us? are they providing any type of special service because we have a modem on the line, instead of an answering machine, FAX, phone, or other? we are private citizens, it should be up to us how we use the phones. TelCo's still a monopoly There are a lot of rumours about this type of thing, only I've never seen it actually put into action. +++++++++++++++++++++++++ From: Paul Cook <0003288544@MCIMAIL.COM> Suject: Response to "Hackers as a software development tool" Date: Fri, 4 Jan 91 06:44 GMT %Andy Jacobson writes:% > >I received one of those packs of postcards you get with comp. subscription >magazines (Communications Week) that had an unbelievable claim in one of >the ads. I quote from the advertisement, but I in no way promote, >recommend, or endorse this. > >"GET DEFENSIVE! >YOU CAN'S SEE THEM BUT YOU KNOW THEY'RE THERE. >Hackers pose an invisible but serious threat to your information system. >Let LeeMah DataCom protect your data with the only data security system >proven impenetrable by over 10,000 hackers in LeeMah Hacker Challenges I >and II. For more information on how to secure your dial-up networks send >this card or call, today!" (Phone number and address deleted.) > >So it seems they're claiming that 10,000 hackers (assuming there are that >many!) have hacked their system and failed. Somehow I doubt it. Maybe they >got 10,000 attempts by a team of dedicated hackers, (perhaps employees?) >but has anyone out there heard of the LeeMah Hacker Challenges I and II? Yes, Lee Mah is for real. They make a some nice computer security equipment to stop folks from trying to gain access to your dialup modems. The "Hacker Challenge" is for real too. They publicized it for a long time, and I recall reading about it in PC Week, Byte, and possibly InfoWorld. I don't know how accurate the "10,000" hackers is (maybe it was 10,000 call attempts?) but they ran a couple of contests where they gave a phone number of one of their devices, and offered some kind of a prize to anyone who could figure out how to get in. I have seen the Lee Mah catalog, and I don't recall how they provide security, but I think some of their gear uses dialback modems that call pre-programmed user numbers when the right code is entered. ++++++++++++++++++++++ From: stanley@PHOENIX.COM(John Stanley) Subject: Re: a.k.a. freedom of expression Date: Fri, 04 Jan 91 23:45:31 EST In CuD 2.19, balkan!dogface!bei@CS.UTEXAS.EDU(Bob Izenberg) writes: > I read this in issue 2.16 of the Computer Underground Digest: > > [ quoted text follows ] > > ADAM E. GRANT, a/k/a The : > Urvile, and a/k/a Necron 99, : > FRANKLIN E. DARDEN, JR., a/k/a : > The Leftist, and : > ROBERT J. RIGGS, a/k/a : > The Prophet : > [ quoted text ends ] > > The assumption here, that an alias employed in computer communications is > the same as an alias used to avoid identification or prosecution, doesn't > reflect an awareness of the context within which such communications > exist. The only reason "The Prophet" was used was to avoid identification. But, that doesn't really matter. The reason it was included in the Government doohicky was to identify the one legal name and alternates chosen by the defendant used by him as his sole identification at specific times. > The very nature of some computer operating systems demands some > form of alias from their users. Management policy also affects how you > can identify yourself to a computer, and to anyone who interacts with you > through that computer. How you identify yourself in communications is entirely up to you. You do not need to use your computer User ID as your sole identity. Note that the From: line of your original post identified you, as does mine. If I add a .sig that identifies me as "Draken, Lord of Trysdil", and remove the From: comment name, then you know me as Draken, and bingo, I have an a.k.a. Am I doing it to commit a crime? Probably not. It doesn't really matter. > If we strip the implication from those three letters > that the party of the leftmost part is calling themselves the party of the > rightmost part to avoid getting nabbed with the goods, what's left? You are left with the fact that they are also known as ..., which is just what the a.k.a stands for. It does NOT stand for Alias for Kriminal Activity, as you seem to think it does. The "implication" you speak of is an incorrect inferance on your part. Guilty conscience? > In using a computer communications medium, particularly an informal one > like a BBS, the name you choose can set the tone for the aspect of your > personality that you're going to present (or exaggerate.) You mean, like, the name you chose is how you will be known? Like, you will be known to some as "Bob Izenberg", but on the BBS you will be also known as "Krupkin the Gatherer"? Like a.k.a.? > Are radio > announcers using their "air names" to avoid the law? How about people with > CB handles? Movie actors and crew members? Fashion designers? Society > contains enough instances of people who, for creative reasons, choose > another name by which they're known to the public. And if any of them go to court, they will have a.k.a., too. There will be their legal name, followed by the a.k.a. There is no implication of criminal activity from just having an a/k/a, just the indication that the prosecution wants to make sure the defendants are identified. "Him. That one, right there. His legal name is X, but he is also known as Y and Z. All the evidence that says that Y did something is refering to him, X, because the witness knows him by that." > Whenever somebody uses a.k.a., correct them%! Ok, consider this a correction, at your own demand. +++++++++++++++++++++++ From: 6600mld@UCSBUXA.BITNET Subject: Response to Encryption dangers in seizures Date: Sat, 5 Jan 91 14:19:07 PST >Subject: Encryption dangers in Seizures >Date: Sat, 29 Dec 90 11:20 PST [misc background on encryption and its use to thwart Big Brother deleted.] >Now, suppose that someone has used this method to encrypt files on his/her >system and then suppose that Big Brother comes waltzing in with a seizure >warrant, taking the system along with all the files but does not take the >code keys with them. Knowing Big Brother, he will really be determined to >find evidence of a crime and is not necessarily beneath (or above) fudging >just a bit to get that evidence. What's to keep him from fabricating such >evidence by creating code keys that produce precisely the results that they >want-evidence of a crime? Would it not be a relatively simple procedure to >create false evidence by creating a new key using the encrypted files and a >plaintext file that says what they want it to? Using that new key, they >could, in court, decrypt the files and produce the desired result, however >false it may be. How can one defend oneself against such a thing? By >producing the original keys? Whom do you think a court would believe in >such a case? > >One should have little trouble seeing the risks posed by encryption. I think it unlikely that if the Feds wanted to frame you or fabricate evidence that they would bother to use the encrypted data found at your site. Instead, I think, they would fabricate the whole wad -- plaintext, key, and ciphertext. For this reason, it is not only one-time key encryption that is threatened, but iterative algorithms as well. So, if I have data encrypted, and the feds are going to "fix" it, why is this any more dangerous than having NO DATA? If they want to frame me, they're going to (try), regardless of whether they found encrypted data or not! Thus, I see encryption as preventing the feds from really KNOWING what you do and do not have. This is very valuable. I think that even in our mostly corrupt government that it would be difficult to fabricate evidence to the tune of posession of AT&T source code. Similar tactics can be applied JUST AS EASILY to physical crimes. The crime lab finds a dead guy with a .44 slug in him. The suspect owns a .44, but not the one used in the shooting. What is to prevent the (now seized) .44 of the suspect to be fired and the slug swapped for the slug discovered in the body? This is trivial to accomplish, assuming the poeple involved are sufficiently crooked. Now, I'm not saying that the Feds don't fabricate evidence. But I do not think that encrypting one's data makes one a more vulnerable target to such injustice. >jd / onymouse@netcom.UUCP netcom!onymouse@apple.com ******************************************************************** >> END OF THIS FILE << ***************************************************************************