Date: Mon, 17 Aug 1992 19:27:13 PDT
From: Jim Thomas
Subject: File 2--Ripco the Victim of Misinformation?

The dangers of erroneous or fraudulent information can be demonstrated in the abuses of Operation Sun Devil and the "Bill Cook cases." Inaccurate interpretations, questionable "facts" and glib language of posts were used to weave an imagery of a dangerous national conspiracy of hackers intent on disrupting or destroying Life-As-We-Know-It. The Secret Service claimed that a post describing Kermit as a 7-bit protocol was evidence of a conspiracy; Bill Cook described publicly available documents as a map of the E911 system, implying that those who possessed it could endanger national safety and security; Henry Kluepfel identified to the Secret Service "hackers" who are presumably the CuD moderators; BellSouth claimed that information available in a document costing under $15 was worth several hundred thousand dollars. These claims were used as the basis for raids, indictments, prosecutions, and the disruption of lives and business enterprises who fell victim to the abuse of misinformation.

Ripco BBS was a victim of the Sun Devil raids in May, 1990. Although there was no evidence that the sysop, Dr. Ripco, ever engaged in the crimes for which he and others were suspected, and no user of his board was indicted for the suspected crimes, and no material on his board was ever adduced in court in the prosecution of others, he lost equipment, books, posters, and other items. Dr. Ripco was a victim of misinformation.

Because of the manner in which law enforcement has written search affidavits and indictments drawing from inaccurate information, gross reporting of potentially damaging "facts" cannot go without response. An article appearing in the July 30 issue of Privacy Times (PT), written by Evan Hendricks, the editor, is the kind of article that requires a swift reaction. The article is "Hacker 'Manual' Tells 'Wannabes' how to Penetrate TRW Database."
Although Ripco is mentioned in only one sentence, it is a damaging choice of words.

The article itself describes a "hacker file" detailing how to obtain access to a TRW account, login to the TRW system, find and download information, and interpret the information once obtained. The author(s) of the TRW file, dated April, 1992, write in the style of the juvenile anarchists who fantasize mindless destruction of "The System," and who self-define themselves as "great criminal minds."

The PT article itself is well-intended: The goal seems to be to raise the visibility of the security weaknesses of the TRW data base and simultaneously to dramatize the sociopathic tendencies of those who, as Cliff Stoll might say, put razor blades in the sand.

But there is one dangerously inaccurate line in the PT story that cannot go without response:

"Entitled 'TRW.Masterfile,' the manual was published on the 'Ripco' bulletin board by two authors who identify themselves as 'CitiZen-One' and 'Evil Priest.'"

Dr. Ripco responds to this in the following file. But, as a long-time user of Ripco BBS, I searched my own files and discovered the following:

1) There is *NO* such TRW file listed in the file lists

2) There is one Evile Priest and one citizen-0ne listed, but neither are regular users. As of August 15th, the former has not signed on since January, 1992, and the latter hasn't signed on since April, 1992. Neither was listed in logs prior to January, 1992 that I could find.

The TRW file in question can probably be found on a number of boards. Assuming that the copy I have obtained is identical to the file reported in PT, it would appear to contain no illegal information. Although a "how to" manual, it falls within literature protected under the First Amendment. Although it is poorly written (a Grammatik check rates it as incomprehensible), poorly conceived and argued, childishly simplistic, and quite silly, it reveals little about TRW and contains no proprietary information.

To its credit, PT does not sensationalize the document, and the point of the TRW story is not to create hysteria about the dangers of hackers, but appears instead to be simply describing a variant of "anarckidz."

However, CuD *strongly* condemns the unsubstantiated allegation that the file was "published" on Ripco. This is a distortion of how files are created and disseminated and implicates a BBS and its sysop in activities over which the sysop has no knowledge. This creates an association between illegal behaviors and Ripco that is not only erroneous, but dangerous. It puts the board and its users at risk for continued law enforcement excesses on the basis of what appear to be unsubstantiated claims of the kind that have been previous justifications for searches and seizures.

Misinformation also creates the possibility that the line will be picked up by other media and repeated as true. This occurred with the Privacy Times article. James Daley, of Computerworld, received a fax of the PT piece, and repeated the allegation in his own column in the August 17 issue of Computerworld without checking the accuracy, without calling Evan Hendricks at Privacy Times, and without calling Ripco. Daley writes:

"Two unidentified persons have used the 'Ripco' bulletin board to electronically publish a detailed manual, complete with dial-up numbers, geographical codes and methods for conning bureau subscribers into divulging their passwords, for penetrating TRW's credit bureau data base." (p. 47)

Seemingly trivial one-liners, like viruses, have a way of spreading their destructiveness. And, just parenthetically, if, in a term paper, a student reproduced material without acknowledging the original source, as the Computerworld article did in reproducing the Privacy Times piece without acknowledging the original author, I would raise the question of plagiarism.

If I am correct in my belief that the files were never available on Ripco, I wonder why PT (and Computerworld) made the claim that they were? From what source *did* the writer of the PT article obtain the files? If the article's allusion to Ripco was based on a line in the file itself indicating that the authors of the file could be contacted on Ripco, then why wasn't mention made of other boards (in Florida) also mentioned? Why did the writer of the PT article make no attempt to contact Dr. Ripco? He is accessible, articulate, and quite open. Ripco's number was included in the file, making contact readily possible if the author tried.

I contacted the author of the PT article, editor Evan Hendricks. Evan shared my concern that if the facts were as I presented them, then the choice of words was unfortunate. He explained that, especially in technical matters relating to computer technology, he relies on informants. In this case, his informants indicated that the files were "published" (and available) on Ripco. He indicated that he would have to check with his informants to clarify the apparent discrepancy between their account and ours.

I agree (and fully sympathize) with Evan on one point: Sometimes secondary facts that are not immediately relevant to the primary focus of a story appear too minor to check. I am convinced of Evan's good faith, and readers of Privacy Times informed CuD that Evan has taken an aggressive and principled stand against excesses of the Secret Service in Steve Jackson Games. I also agree that the offending sentence is of the kind that is normally innocuous and the result of a seemingly minor informant error translated into a vague phrase. In this case, however, the phrase could possibly re-appear in an indictment. Evan must, of course, check the accuracy of my account in challenging the availability of the TRW file on Ripco. However, he assured me that if my account is accurate, he will correct the mistake.

The intent here is not simply to criticize Privacy Times or its editor. Evan impressed me as concerned, sincere, and highly interested in many of the same issues as CuD, EFF, and others. Of broader relevance is the way that the media often represent the computer culture and the ways in which the participants in that culture respond. In my own experience, most reporters and editors appreciate being informed of alternative interpretations and accurate facts. Sometimes "corrections" are over minor and inconsequential details of no import. At other times, they can be vitally important to rectifying potentially damaging depictions. Either way, gentle but explicit dialogue with the media is crucial to reducing the misunderstandings offered to the public.

In this case, I am confident that Privacy Digest and Computerworld will "do the right thing" by checking the accuracy of their allegations. If they find they were in error, I am equally confident that they will retract it.

((Despite my criticism of this particular article, Privacy Times is considered a reputable and helpful source of information on law, government policy, and other issues related to intrusions into and protections of Constitutional rights. It is subscriber-sustained and contains no advertising. Examination copies are available, and subscriptions run $225 a year. For more information, contact Evan Hendricks, Editor; Privacy Times; PO Box 21501; Washington, D.C.,

((ADDENDUM: Media persons wishing to contact Ripco BBS may do so at (312) 528-5020. If the lines are busy, which they often are because of its nearly 1,300 users, messages sent to Dr. Ripco at tk0jut2@mvs.cso.niu.edu will be immediately forwarded))