Computer underground Digest    Thu Jan 28, 1993   Volume 5 : Issue 08
ISSN 1004-042X

Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
Copy Editor: Etaion Shrdlu, Junoir

CONTENTS, #5.08 (Jan 28, 1993)
File 1--Response to "Resistance at Shopping Mall" (CuD 5.07)
File 2--Offworld BBS Raided (StLPD
File 3--Colonel Guilty of Sending Computer Porn
File 4--ISPTS Organizing Information
File 5--New case for EFF, ACLU, and CPSR
File 6--Public Service for Cornell Hackers
File 7--CFP Special Issue on Security [Change in Due Date]
File 8--Talking with the Underground

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; in Europe from the ComNet in Luxembourg BBS (++352) 466893; and using anonymous FTP on the Internet from ftp.eff.org (192.88.144.4) in /pub/cud, red.css.itd.umich.edu (141.211.182.91) in /cud, halcyon.com (192.135.191.2) in /pub/mirror/cud, and ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD. European readers can access the ftp site at: nic.funet.fi pub/doc/cud. Back issues also may be obtained from the mail server at mailserv@batpad.lgb.ca.us.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Wed, 27 Jan 93 16:59:26 EST
From: ims@beach.kalamazoo.mi.us
Subject: File 1--Response to "Resistance at Shopping Mall" (CuD 5.07)

Overall, this was a well-written and accurate article. As Ron stated, his article gives suggestions on how to deal with private individuals; my stance will be on how to deal with gov't agents. I promise to keep the quoting to a minimum.

>You may be able to fight city hall and win, but fighting with people
>in uniforms (even on a verbal level) is almost always a disaster.

This is 100% true. Gov't cannot break the law, by definition, for in Brookfield Co. v Stuart, 234 F. Supp. 94, it was recognized that "an...officer who acts in violation of the Constitution ceases to represent the government." However, individual representatives of gov't can and do break the laws pertaining to them, which is nothing less than treason, being a violation of their oath of office. Remember, though, as Mr. Carolina has stated, that this applies to gov't, and not to anyone else. If at all possible, you should always avoid confrontations with officers low on the totem pole.

>...guards, cops, and other "uniforms" get really nervous around
>organized groups. The more inexperienced the uniform, the more
>nervous they get.
>Second, when a uniformed person starts a
>confrontation with anyone, he or she is trained to assert control
>over the situation as quickly as possible. Any perceived challenge
>to his authority, including "mouthing off", will produce a harmonic
>disturbance at least double in intensity to the perceived
>non-acquiescence.

That's why we have the three rules for dealing with gov't officials: Don't say anything, be quiet, and SHUT UP! There's plenty of time to talk later in court, where it counts.

>Money awarded by a court is a poor substitute for missing teeth.

Perhaps, but it may be the only substitute possible in some cases. Ideally, we would never be assaulted by gov't. But when we are, it is our right and duty to extract compensation for damages.

>Third, recognize that a mall IS private property and the mall
>operators can throw you out for little or no reason.

To be totally accurate, they can throw you out for NO REASON AT ALL. It may sound cruel and unfair, but without the concept of private property, we'd still be scratching in the dirt just worrying about bare survival. If you really want to have a secure meeting, order takeout and meet at someone's house -- which is also private property, and cannot be lawfully entered without a valid 4th Amendment warrant.

Now when a gov't agent violates your rights, he loses his immunity from prosecution -- IF IT'S HANDLED CORRECTLY. Of course, you have to know what those rights are, or you'll never know if they're being violated.

When a gov't agent is stepping outside the bounds wherein he would be protected by "sovereign immunity", and he is violating your right, you ARE REQUIRED to tell him, to give him "constructive notice" of his violation of law, just as he would inform YOU of some of your rights if he were to arrest YOU. If you don't do that, the courts will not entertain your lawsuit for damages later.
You have to tell him what rights he is violating, what laws he is breaking, what the penalties are that he is risking, and what action is open to him so that he doesn't break the law. If on giving him notice, he corrects his error, then there is no need to take him to court over any damages. We all are required to behave so as to minimize damages to ANYONE, including ourselves.

>Fourth, mall cops are not gov't agents, and as such, their
>conduct is (mostly) not governed by the Constitution.

Their conduct is not governed AT ALL by the Constitution, since it only applies to the gov't and its agents.

>If you are confronted by a group of threatening looking mall cops and
>they hassle you, ask if you are being ejected from the mall.

When dealing with gov't agents, NEVER ask, "Am I under arrest?". Rather, ask, "Am I free to go?".

>If the mall cop tries to detain you, ask if you are under arrest.

See above. This is a preferable strategy no matter who you are dealing with.

>If you are physically blocked from leaving (no scuffles please), OR if
>they have the guts to claim that you are under arrest, then YOU ask for
>the police on the grounds that you wish to file a criminal complaint
>for wrongful imprisonment. The strategy here is to escalate by
>demanding the presence of lawful authority.

Again, this is the preferable method of handling gov't officials as well. The lower an officer is in the hierarchy, the more likely he is to violate the laws which restrain him from rights violations, usually because he is more likely to be ignorant of them. It's always a good idea to politely request that he call for a superior officer, and not bother trying to explain yourself until the superior arrives.

>if the real cops actually do show up, you are once again fully
>protected by the Constitution. For this reason, real cops tend to be
>a little more cautious in these encounters and can often defuse
>problems like this.

Even "real cops" are usually ignorant of the laws which govern their conduct. You may be "protected by the Constitution", but that won't do you any good if you're not willing to fight to the last to defend those rights. You are the only one who can protect your rights, in the end. See my comments below regarding lawyers.

>If the mall cops look like they might get physical, tell them that
>anything silly on their part will draw a complaint of criminal assault,
>and will force your father, the lawyer, to sue everyone in sight.

The minute you rely on a lawyer, you've pissed away your rights. You lose your powers as a sovereign over government. You can't claim all rights at all times. For example, a lawyer cannot claim your right to remain silent:

"The right of a person under the 5th Amendment to refuse to incriminate himself is purely a personal privilege of the witness. It was never intended to permit him to plead the fact that some third person might be incriminated by his testimony, even though he were the agent of such person." Hale v. Henkel, 201 U.S. 43.

Not only that, but if you allow anyone to "represent you", instead of being "the belligerent claimant in person" (Hale v Henkel, i.s.c.), you become a "ward of the court". Why? Because obviously, if someone else has to defend your rights for you, you must be incompetent! Clients are called "wards" of the court in regard to their relationship with their attorneys. See a copy of "Regarding Lawyer Discipline & Other Rules", as well as Canons 1 through 9.

Also, see Corpus Juris Secundum (CJS), Volume 7, Section 4, Attorney & client: "The attorney's first duty is to the courts and the public, NOT TO THE CLIENT, and wherever the duties to his client conflict with those he owes as an officer of the court in the administration of justice, THE FORMER MUST YIELD TO THE LATTER." (emphasis mine)

I trust this needs no further explanation. Corpus Juris Secundum assumes courts will operate in a lawful manner.
If you make this assumption, you may learn, to your detriment, through experience, that certain questions of law, including the question of personal jurisdiction, may never be raised and addressed, especially if you are represented by the bar. (Sometimes "licensed counsel" appears to take on the characteristics of a fox guarding the hen house. Send me e-mail if you would like more info regarding "licenses to practice law".)

Lawyers will NEVER do the necessary things before arraignment to get a case dismissed. They will guarantee that you are locked into a criminal proceeding from the start by entering a "not-guilty" plea for you, and will give the government all the time it needs to win the case by waiving the speedy-trial time limits. With a lawyer as a friend, you don't need any enemies!

>first make it clear that you protest the action, and then let them
>take it from you. The trick here is to make sure that you have not
>"consented" to the search -- however, you must give in to a claim of
>authority from a police officer.

An officer has no authority until he proves it. If you let this strange person do whatever they want without having determined their lawful authority and their true identity, you have "consented", no matter how much you may verbally protest.

>(And no, you do not get to argue the Fourth Amendment search and
>seizure issue right there on the spot. Your lawyer will do that later
>at your criminal trial...

No lawyers, unless you want to lose.

>A really smart cop might say to the guard, "I will not make the search,
>but I won't stop you if you search." Stand your ground at this point.
>Tell the real cop that you REFUSE to allow the search unless the real
>cop orders the search to take place.

Excellent suggestion, but be sure to take the above precautions regarding true identity and lawful authority before you think about "consenting".

>The only words you should utter after being arrested are "I want to
>speak with a lawyer."

Change this to, "I demand counsel of my choice." The 6th Amendment is your authority. If the court tries to force you to use a "licensed lawyer" or a "public defender", it is not counsel of your choice.

>ROBERT A. CAROLINA
>Member, Illinois State Bar Association

Your advice is surprisingly good, for a member of the bar. :-) Not all lawyers are ignorant and lawless, but the 99% that are give the other 1% a bad name. I'm glad to see we have a few of the good ones reading CuD.

Finally, let me leave you with one of the most eloquent statements ever by the Supreme Court:

"Decency, security and liberty alike demand that government officials shall be subjected to the same rules of conduct that are commands to the citizen. In a government of laws, existence of the government will be imperiled if it fails to observe the law scrupulously. Our government is the potent, the omnipresent teacher. For good or for ill, it teaches the whole people by its example. If the government becomes a lawbreaker, it breeds contempt for the law; it invites every man to become a law unto himself; it invites anarchy. To declare that in the administration of the criminal law the end justifies the means...would bring terrible retribution...[and] against that pernicious doctrine, this court should resolutely set its face."

Olmstead v U.S., 277 U.S. 348 (1928)
Justice Brandeis, dissenting

------------------------------

Date: 20 Jan 93 16:31:22 GMT
From: mc/G=Brad/S=Hicks/OU=0205925@MHS.ATTMAIL.COM
Subject: File 2--Offworld BBS Raided (StLPD

St. Louis Post-Dispatch
Tuesday, January 19, 1993
Pages 1A, 10A

COMPUTER OPERATOR DENIES PORN MENU
By Christine Bertelson
Of the Post-Dispatch Staff

The owner of a St. Louis computer bulletin board that was shut down by the FBI last week denied Monday that he is responsible for the pornographic images seen by some users.

On Friday night, the FBI confiscated more than $40,000 worth of computer equipment at Offworld, a computer company owned and operated by Joey Jay. Jay, 28, ran the business from his residence in the basement of his father's house on Tecumseh Drive in Chesterfield.

Jay was not arrested, and no charges have been filed against him. Jay said his father threw him out of the house after the raid.

"Everyone assumes we are some kiddie porn ring," Jay said. "We are not. We are a nonprofit community service."

A spokesman for the FBI said that someone had reported that Offworld had images available showing bestiality, as well as child pornography. It is a federal offense to have child pornography, and any property used to promote it is subject to being seized and forfeited to law enforcement authorities, an FBI spokesman said.

"We get all kinds of files across the system, and one or two at most showed up in terms of a private conversation," Jay said. "When I found them, I deleted them immediately."

Offworld began operating in St. Louis last June, and is free to its 4,300 users. Jay said it cost him $1,800 a month to operate the system, using money from family inheritance.

About 100 people showed up Monday morning in Chesterfield at a rally in support of Offworld, Jay said. He said he was soliciting contributions of computer hardware, or cash, to get his system up and running again.

Computer bulletin board systems, or BBSs, as they are known, allow users to chat electronically, and share information on a variety of subjects. Offworld has bulletin boards that feature job listings, book and movie reviews, restaurants and clubs, and discussion groups for people with "diverse lifestyles."

Jay said that any time illegal material appears on a bulletin board -- whether it is child pornography, offers of sex for sale, or drugs -- it is purged and the people who posted such messages are kicked off the system.

"Unfortunately, that doesn't prevent them from coming back and using another fictitious name," Jay said.

FBI seizures of electronic bulletin board systems are "quite common," said Mike Godwin, a lawyer at the Electronic Frontier Foundation. The foundation is a civil liberties group based in Washington for those in computer communications.

Godwin said that pornography is widely available on the thousands of electronic bulletin boards in use across the country. New computer users often use their scanners to recreate sexy pictures, much the same as children who delight in using a newly acquired dirty word.

"Usually the novelty wears off," Godwin said.

Child pornography is relatively rare, Godwin said. When it shows up, the operator of the system is faced with a choice: delete it immediately, or keep it on the system and report it to the police.

The FBI finds raids effective because they are punitive in and of themselves, whether or not a computer systems operator is ever charged with a crime. But even the most conscientious systems operator cannot keep all pornography off a bulletin board, Godwin agreed.

Jay had previous conversations with the St. Louis County Police about his system, he said.

"I told them I would simply try to use responsibility and common sense and ... keep the system legal," Jay said. "I extend the First Amendment right to all aspects of the system, unless it violates the law."

Jay said he was seeking legal advice to help him get his computer equipment back.

+++++++++++++++

St. Louis Post-Dispatch
Tuesday, January 19, 1993
Page 10A

GIF GETS BULLETIN BOARD IN A JIFF
'We Celebrate Human As Art Forum,' One Manager Says of Nude Issue
By Daniel R. Browning
(Of the Post-Dispatch Staff)

Dirty pictures transmitted over the telephone to your home computer? It had to happen.

Computer bulletin board systems, called BBSs, proliferate not only locally, but nationally and internationally.
The biggest ones call themselves "information services," and the granddaddy is CompuServe. It has nearly 1.2 million members from China to Chile.

St. Louis Computing, a free monthly computing newspaper, publishes a list of local bulletin boards and their phone numbers.

Within these bulletin boards people interested in particular topics go to chat, share information, and yes, show their favorite slides.

The pictures are transmitted in a special computer code called GIF (pronounced jif), which is short for Graphics Interchange Format. To see them, you need the special "viewers" included in some communications software.

To capture an image, you have your computer's modem dial the bulletin board, then search for whatever you find interesting. In the giant databases, that means logging on to a special-interest section within the information service or bulletin board. CompuServe calls these "forums."

A forum exists for just about any professional interest or hobby. Journalists, lawyers, doctors, aerospace workers, artists, photographers, beer and wine enthusiasts, automobile buffs -- you'll find them all in the forums.

Within these, you can find thousands of pictures ranging from NASA space shots, to great works of art, to travel photos, to The Girl (or Boy) Next Door in a birthday suit.

A wary technician overseeing the forum warns members that they had to be older than 18 to get nude images. But practically speaking, there's no way to prevent a minor from capturing a nude photo on CompuServe, said Dave Kishler, a company spokesman.

The Federal Communications Commission does not regulate BBSs, he said. So the BBSs have worked up their own sets of rules and regulations.

Dave Shaver, operations manager of CompuServe's Fine Arts Forum, said all the images are screened for content before they are made available to the members. That's why you'll find hundreds of nudes under a category called "Plain Brown Wrapper," but no XXX-rated pictures, he said.
"We celebrate the human as an art form."

Some bulletin boards are free. The big ones charge a flat monthly fee of $5 to $8. Certain activities within the databases may also include hourly surcharges, which vary in price to about $15 an hour. Joining a special interest forum and capturing pictures would fit in that category on most information services.

That cost -- and the requirement that members have a credit card or a checking account -- helps limit memberships to adults, Shaver said.

------------------------------

Date: Wed, 27 Jan 1993 00:32:04 -0600 (CST)
From: joe@DOGFACE.AUSTIN.TX.US(Joe Zitt)
Subject: File 3--Colonel Guilty of Sending Computer Porn

Colonel guilty of sending porn over computer
Associated Press

SAN ANGELO -- The former commander of Goodfellow Air Force Base was convicted in a court martial Monday of sending obscene material via his home computer.

A jury of four men and one woman, all Air Force colonels, deliberated about two hours before returning guilty verdicts on all counts against Col. James Maxwell.

He was convicted of transmitting obscene material via home computer, of transmitting child pornography through his computer and using indecent language with a junior Air Force officer.

Maxwell, a 26-year Air Force veteran, now faces a possible 16-year prison sentence and loss of his military retirement benefits.

Charges were filed against Maxwell after the FBI found his name among users of an on-line computer network who accessed computer-generated pornographic images of children. Maxwell also was said to have used the computer network to inquire about the location of homosexual meeting places.

Maxwell's attorney had sought to have the charges dropped on grounds his transmissions on the computer from the privacy of his home were protected under the constitution.

But the trial judge, Col.
Donald Weir of Randolph Air Force Base, allowed the charges to stand last week, ruling that freedom of speech can be limited when it involves conduct unbecoming an officer.

"That the writings were private between consenting adults, that they may have been welcome doesn't place them under the judicial umbrella of a constitutional protected condition," Weir had ruled.

Weir dismissed a count alleging Maxwell had disgraced the Air Force by allegedly using electronic mail to ask about homosexual bars and child pornography.

Maxwell, 48, was removed from command at the Goodfellow Air Force Base training center last summer after the charges were filed.

+++++++++++++++++++++

COMMENT: Looks to me like this thing is full of red flags. Isn't it coincidental that the story breaks just as there's a flap over gays in the military?!

And where it says "the FBI found his name among users of an on-line computer network who accessed computer-generated pornographic images of children", one might ask what network? what was the FBI doing there? how did the images get there? how did the FBI think to track them? who else is getting snared? civilians? were the images really "computer-generated" or just scanned?

It's enough to restore one's healthy paranoia...

------------------------------

Date: Wed, 13 Jan 93 21:09:00 -0600
From: cylinder@news.weeg.uiowa.edu (Cylinder)
Subject: File 4--ISPTS Organizing Information

The International Society for the Philosophy of Tools & Space

We are an interdisciplinary organization, small but growing, dedicated to thoughtful discussion about and research into issues concerning tools and space. Currently, we maintain a membership list and circulate a short newsletter. Our future plans call for expansion - a regular journal and a number of conferences are possible in the coming year.

Our membership list includes philosophers, artists, computer programmers, scientists, graphic designers, architects, teachers - as well as those whose professions are still unnamed. We are not a school or a sect or party because we are not in agreement over particular doctrines. Our society is bound by an implicit faith in the silent potency of tools, space, meaning and metaphor, in a wide range of seemingly unrelated fields.

Within the scope of our talks to date, members have raised diverse and fascinating issues for consideration:

- A phenomenology of humor, tools and toys
- Space and the banality of cause and effect
- Rhetoric and metaphor: language as tool/toy
- The iconology of computers
- Speed and annihilation
- Victimless crimes and crimes of trespass
- The mechanics of the dreamwork in psycho-analysis
- Architectural theory and practice
- Political theories of reterritorialization
- Viruses: information systems and genetic engineering
- Media theory
- Virtual Reality: the emergence of simulacra in social space
- Transit technology and urban planning
- Infrastructure catastrophes

The thematic study of tools and space forces us to reconsider and sharpen the boundaries separating the various specialties of our members. Many of us are involved in concrete and ongoing projects which undo customary lines of inquiry and uncover fruitful new questions in what was formerly considered "obvious" and explained. We seek to move beyond conventional genres without abandoning meaning and beauty for the sake of novelty.

For more information about Cylinder, including membership materials, please write us with your name and address.

CYLINDER
c/o Graham Harman, Secretary
Philosophy Dept., DePaul University
Chicago, IL 60614 USA
email: cylinder@uiowa.edu

(If you have already written to Cylinder, please refrain from doing so a second time. Your name and address have been added to our mailing list and you should be expecting membership materials in the coming months.)

------------------------------

Date: Fri, 22 Jan 1993 13:52:48 -0500
From: Shari Steele
Subject: File 5--New case for EFF, ACLU, and CPSR

On the evening of November 6, 1992, approximately 30 computer enthusiasts, who had gathered for a meeting of 2600 magazine readers at the food court at Pentagon City Mall in Arlington, VA, were detained and searched and had some of their possessions seized by about half a dozen mall security guards acting under the direction of the Secret Service. Somewhere between two and five officers from the Arlington County Police were there, as well, having responded to a call about fraud.

Several of the attendees are interested in suing the mall, police and Secret Service, and EFF and CPSR have done some preliminary research into the case to determine what, if any, civil liberties violations were involved. After interviewing about a dozen people who were there, we have determined that the Secret Service does seem to have been involved (a county police officer on the scene confirmed that), and we are ready to proceed with the case.

We contacted the Virginia ACLU, which has found a litigator in Northern Virginia who wants to litigate the case. EFF, the ACLU and CPSR are currently doing research on the legal theories we will need to pursue. EFF is very committed to standing up for the civil liberties of those who attended this open, publicized and nondisruptive meeting.

Shari Steele, Staff Attorney, Electronic Frontier Foundation

------------------------------

Date: 14 Jan 93 22:19:52 PST
From: Kpro-Madness
Subject: File 6--Public Service for Cornell Hackers

The following should be of interest to CuD readers. It originally appeared in RISKS Digest ( V. 14 #27).

++++

Date--Wed, 13 Jan 93 09:56:50 -0700
From--dclawson@clipr.colorado.edu
Subject--Public Service for Cornell Hackers

"Public Service for Hackers"
by John Marcham
_Cornell_Alumni_News_ magazine

Two former [Cornell] students will develop a computer program to make it easier for a quadriplegic man in Tennessee to use a computer he owns, as part of their punishment for launching a computer virus that damaged programs and caused hard drive crashes last February.

David Blumenthal '96 and Mark A. Pilgrim '94 were sentenced by a Tompkins County Court judge to pay restitution to users whose computers were jammed by the men's virus, at and near Stanford University and in Japan, and to perform ten hours of community service per week for a year.

A computer buff who knew the quadriplegic and heard of the Cornell virus case wrote the judge in Ithaca, and asked if the students' public service could be worked off developing a less expensive and cumbersome program for the disabled man, who uses a mouthstick and outdated software to operate his Macintosh computer.

The judge and the former students agreed to the proposal: the students start work in November. A third former student, found guilty of a lesser infraction, was asked but not required to do public service, and declined.

------------------------------

Date: Mon, 18 Jan 93 08:04:30 -0500
From: Matt Bishop
Subject: File 7--CFP Special Issue on Security [Change in Due Date]

[NOTE CHANGE IN SUBMISSIONS DUE DATE: IT IS NOW JUNE 1, 1993]

Matt Bishop will be Guest Editor of a special issue of the journal "Computing Systems" to be published in 1993. The issue will be devoted to "Security and Integrity of Open Systems."

Papers on all aspects of policy, issues, theory, design, implementation, and experiences with security and integrity in open systems are solicited for the issue. The deadline for submissions is June 1, 1993; papers submitted after this deadline will not be considered.
Prospective authors should send five copies of their papers to:

Professor Matt Bishop
Mathematics and Computer Science
Dartmouth College
6188 Bradley Hall
Hanover, NH 03755-3551
(603) 646-3267
Matt.Bishop@dartmouth.edu

Submissions should not have appeared in other archival publications prior to their submission. Papers developed from earlier conference, symposia and workshop presentations are welcome.

"Computing Systems" is a journal dedicated to the analysis and understanding of the theory, design, art, engineering and implementation of advanced computing systems, with an emphasis on systems inspired or influenced by the UNIX tradition. The journal's content includes coverage of topics in operating systems, architecture, networking, interfaces, programming languages, and sophisticated applications.

"Computing Systems" (ISSN 0895-6340) is a refereed, quarterly journal published by the University of California Press for the USENIX Association. Usenix is a professional and technical association of individuals and institutions concerned with breeding innovation in the UNIX tradition. Now in its fifth year of publication, "Computing Systems" is regularly distributed to 4900 individual subscribers and over 600 institutional subscribers (libraries, research labs, etc.) around the world. Some special-topic issues are often distributed more widely.

The editor-in-chief of "Computing Systems" is Mike O'Dell of Bellcore. Gene Spafford of Purdue University is Associate Editor, and Peter Salus of the Sun User Group is the Managing Editor.

------------------------------

Date: 23 Jan 1993 16:14:31 -0700 (MST)
From:
Subject: File 8--Talking with the Underground

(Previously published in the Computer Security Institute's newsletter - The Alert - and the French Chaos Computer Club's Chaos Digest)

Talking with the underground
by Ray Kaplan and Joe Kovara

Information about system and network vulnerabilities is sparse, not readily available and carefully guarded by those segments of the security community that collect and control it. Given that the legitimate security community won't share information about vulnerabilities with us, isn't it logical that we include outsiders (the computer underground or ex-computer criminals) in these discussions? Amid criticism, we decided to let the community ask the advice of experts - the crackers who have successfully cracked computer networks.

Exploring the details of vulnerabilities

Over 300 participants at 25 sites in US, Canada, Europe and Mexico joined law enforcement, members of the security community, and former members of the computer underground as we explored these questions in the November 24, 1992, audio teleconference entitled System and Network Security: How You Will Be Attacked and What to do About It.

Our guests included Kevin Mitnick and Lenny DiCicco, who successfully penetrated a range of networks and telephone systems. They were both sentenced in federal court after successfully penetrating Digital Equipment Corporation's computer network in 1988. They stole the source code to VMS, Digital's widely used operating system. Their exploits were profiled in the book Cyberpunk: Outlaws and Hackers on the Computer Frontier, by Katie Hafner and John Markoff (1991, Simon and Schuster).

Our panelists included Hal Hendershot, head of the FBI Computer Crime Unit in Washington D.C.; Don Delaney, Senior Investigator with the New York State Police; Computer security consultant Dave Johnson of Talon Systems (Los Altos, CA); Robert Clyde, V.P.
of the Security Products Group, RAXCO, Inc.; and Lew, the organizational director of automation for a medium size company - a former cracker.

The panelists shared their considerable experience and discussed techniques used to break in to computer networks. Among the penetration techniques discussed were the uses of psychological subversion, telecommunications monitoring techniques, and the exploitation of known system and network bugs. Despite the popularity of these attack techniques, they are little known outside of the computer underground and the computer security community.

Panelists issue stern warnings about telecommunications security

Don Delaney stated that tremendous loss of money from both toll and Private Branch eXchange (PBX) fraud is what's happening in the telecom area. Since the security of a PBX is the responsibility of its owner, such losses are not being absorbed by the telephone companies involved. These losses have been known to force the owners of compromised PBXs into bankruptcy. Delaney joins us in saying that it's not a matter of if you will be hit, but when.

According to DiCicco, compromising the telephone system gave him and Kevin the ability to attack systems without the fear of discovery - telco tracebacks were simply ineffective. They could attack networks at many different points of entry all over the country. This is why no one could keep them out, even though their victims knew their systems and networks had been compromised.

If all of this does not scare you, consider Lenny's admission that at one point he and Kevin had compromised over 50 telco switches in the United States, including all of California, parts of New Jersey, New York and New Hampshire. At one point they even controlled all three of the switches that provided phone service to Manhattan.

Yes, the law is ready to help - but the threat is a tough, sophisticated, international one.

Threats from abroad?

Yes, the threat does exist according to Hal Hendershot of the FBI.
Robert Clyde reports getting many calls from people trying to solve security problems. In keeping with what we know of reported computer crimes, most sites see problems from insiders: employees, consultants and vendors. Robert reports that two companies publicly spoke of being approached by former East German agents for hire for as little as $10,000 at a September conference in Sweden where he spoke in 1992. We appear to be seeing the criminalization of hacker activity that many have long feared: hackers and ex-foreign intelligence agents for hire.

James Bond is alive and well, thank you

In late 1992 Don Delaney reported the first case he's seen of James Bond techniques. Remote surveillance can be done by intercepting, decoding and displaying the Radio Frequency (RF) emanations of various computing devices such as terminals and network cabling. Delaney reports that in late 1992, an antenna was put up on the balcony of a 19th floor room in New York's Helmsley building pointing at Chemical Bank. He indicated that it was being very carefully adjusted before being locked into position. By the time they were able to investigate, the antenna and its manipulator had vanished - presumably having successfully gathered the intelligence that they were after. This is no longer "gee, we knew it was possible," but "holy shit, it's happening now." Imagine someone reading your terminal screen from across the street.

Management's "show me" attitude

Dave Johnson insists that his biggest problem when he was at Lockheed was getting corporate management to understand that there is a problem. One of the areas in which this type of conference can really help is understanding the enemy. Management simply doesn't understand the thinking of hackers. Since it makes no sense to them, they tend to deny its existence until there's proof. Of course, the proof is usually very expensive: once a system has been compromised the work of cleaning it up is long, hard and complicated.
A well-connected system or network makes an excellent platform from which to launch attacks on other hosts or on other networks. A major problem for Digital in securing their network against Kevin Mitnick and Lenny DiCicco was that only one vulnerable system on Digital's EASYnet was needed. From there, they were able to penetrate other systems. Even nodes that were known to have been penetrated and were secured were penetrated repeatedly by using other vulnerable nodes to monitor either users or network traffic accessing the secured nodes.

While at Lockheed, Dave Johnson implemented policies, awareness training and widescale authentication for all external access, including dialup lines and telnet connections using challenge-response tokens or smart cards. He does not trust the phone system and assumes that it has been compromised. Kevin Mitnick and Lenny DiCicco illustrated just how vulnerable the phone system was in 1988 and the MOD bust in July 1992 shows that things have not improved. Kevin reminds us that you must assume the telephone system is insecure: even robust challenge-response systems can be compromised. You simply have to play the telecommunications game for real. Kevin reminds us that unless you use encryption, all bets are off.

As an example of how deep, long lived and dedicated a serious attack can be, consider that Kevin and Lenny were in DEC's network for years. They knew exactly what DEC and telco security were doing in their efforts to catch them since they were reading the security personnel's email. They evaded the security forces for over 12 months and they had a pervasive, all powerful, privileged presence on DEC's internal network.

I've seen the enemy and them is us (this is a quote from Pogo)

Mitnick insists that people are the weakest link. According to his considerable experience, you don't even need to penetrate a system if you can talk someone on the inside into doing it for you.
Why bother breaking in to a computer system if you can talk someone in accounts payable into cutting you a check? Using the finely tuned tools of psychological subversion, practiced social manipulators can get most anything that they want from the ranks of the generally unsuspecting (uncaring?) employees that inhabit most of our organizations today. The only cure is a massive and complete educational program that fosters loyalty, awareness and proper skepticism in every employee.

In the end

Perhaps the strongest message from everyone was that you can't trust the phone system. Telephone companies have been, and continue to be, compromised. While Mitnick & DiCicco's penetration of DEC's internal network happened in 1988, the 1992 MOD bust showed us that the same techniques are still being used successfully today. Data and voice, including FAX transmissions, are subject to eavesdropping and spoofing. Encryption is absolutely required for secure, trustworthy communications.

The coupling of social engineering and technical skills is a potent threat. Most sites that have addressed technical security are still wide open to penetration from people who have well-practiced social engineering skills. However, in all, you don't even need social engineering skills to get into most systems.

Are your systems and networks secure? Are your systems and networks at risk? What will you do if you are attacked? Although the questions seem simple, they are not. Future teleconferences will explore both the questions and the answers in more detail.

++++

Ray Kaplan and Joe Kovara have been independent computer consultants for more than a decade. They specialize in operating systems, networks and solving system and network security problems. Ray Kaplan is also a well known writer and lecturer. He is a regular contributor to Digital News and Review and other computer trade publications.
Tapes and handout materials for the System and Network Security teleconference series are available from Ray Kaplan, P.O. Box 42650, Tucson, AZ USA 85733 FAX (602) 791-3325 Phone (602) 323-4606.

------------------------------

End of Computer Underground Digest #5.08
************************************