Computer underground Digest Sun Dec 8, 1996 Volume 8 : Issue 86 ISSN 1004-042X Editor: Jim Thomas (cudigest@sun.soci.niu.edu) News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu) Archivist: Brendan Kehoe Shadow Master: Stanton McCandlish Field Agent Extraordinaire: David Smith Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Cu Digest Homepage: http://www.soci.niu.edu/~cudigest CONTENTS, #8.86 (Sun, Dec 8, 1996) File 1--Fort Bragg hacker/spy case shrouded in secrecy File 2--Utah High School Hackers Club File 3--Debate on "Fastfoto" as "a scam"? File 4--Censorship on cypherpunks? -- from The Netly News File 5--CDT Policy Post 2.38 - Pres Takes First Steps Towards Clipper File 6--"NEWS ALERT -- Findings Reveal Security Problems in Fortune 1,000 File 7--US Touts Duty-Free Internet (fwd) File 8--Cu Digest Header Info (unchanged since 8 Dec, 1996) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION ApPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. --------------------------------------------------------------------- Date: Sun, 1 Dec 1996 16:12:56 -0600 (CST) From: Crypt Newsletter Subject: File 1--Fort Bragg hacker/spy case shrouded in secrecy In late October, the Fayetteville Observer-Times started reporting on the trial of Eric Jenott, a Fort Bragg, NC, paratrooper accused of spying. In testimony at a pre-trial hearing on October 23rd, Chief Warrant Officer Lorenzo Clemmons said Jenott had told him he could break into an Army communications system three months before the paratrooper was arrested on spying charges. Clemmons said Jenott told him in March 1996 that the Army's Mobile Subscriber Equipment, carried by hummvee and the Army's equivalent of cellular telephones, computer and fax communications, "might not be as secure as we think . . . " Jenott demonstrated the system's weakness to a supervisor who passed it along to a Major Jerry R. Moore. Moore met with Jenott to discuss the weaknesses. On October 23rd, Jenott's defense attempted to show that statements the paratrooper made to investigators not be allowed as evidence since Moore did not advise Jenott of his rights. In news already published, Jenott's family said that he gave an unclassified Internet access code to a friend from China. The Army maintains Jenott gave secret computer passwords to a Chinese accomplice, named "Mr. Liu." At the hearing, Jenott's lawyer, Tim Dunn, said "Mr. Liu" had left the country and could not be located. According the Observer, the Jenott hearings were shrouded in secrecy. "During the hearing only a few minutes of testimony were open. The hearing was closed to reporters twice when court wasn't even in session," reads a boxed-out quote from the 24th October edition of the newspaper. Security officers for the Army claim some testimony and audiotapes presented at the hearing contain classified information. During a period in which Jenott's lawyer questioned Moore over what he would do if he discovered a soldier had "hacked" into Army systems, Army prosecution objected maintaining Dunn was getting into classified information. More testimony was taken behind closed doors. Jenott's court-martial is scheduled to begin on December 9, according to reports in the Observer. Crypt Newsletter http://www.soci.niu.edu/~crypt ------------------------------ Date: Mon, 2 Dec 96 18:54:40 -0800 From: Gordon Meyer Subject: File 2--Utah High School Hackers Club Officials at Bonneville High School in Ogden, Utah are considering what do with an unofficial "hacking club." A group of students calling themselves the "Bonneville Hacking Society" recently distributed information to other students about how to break into the schools DOS and AutoCAD computer systems. A recent editorial in the local paper, The Ogden Standard-Examiner, points out that disseminating information is perfectly legal and called for a reasonable response from the administration: "While we don't in any way condone the activites of the Bonneville Hacker Society, we do caution school administrators to view the kids' actions in the proper context. [...] What they did was, in most respects, stupid and irresponsible; ...But we should be careful not to overreact in these kinds of situations." ------------------------------ Date: Tue, 12 Nov 1996 14:23:13 -0500 (EST) From: "I G (Slim) Simpson" Subject: File 3--Debate on "Fastfoto" as "a scam"? In Cu Digest #8.79 you included the following response to my post. I have taken the libery of a few resposes of my own (starting debate?). >Dear Sirs, >In Cu Digest #8.73, you included a note from Slim Simpson, warning of a potential scam of >some sort by a company by a Fastfoto of Pomano Beach, Florida. In the header the author >suggested that he was unsure of whether it was appropriate for the CU-Digest or not, and >personally I think it was not. >Obviously Mr. or Ms. Simpson, was frustrated at the inability to lash out at the person who had >spammed their mailbox. It's Mr. Why *obviously frustrated*? Why *lash out*? I don't like spam but I reply "Please take me off your list." Most do. When people asking me to send money have a false e-mail address, no phone number, and no fax number I smell scam. I forwarded same to Cu Digest. > Lately, with more an more newcomers to the net, I have noticed that one thing they seem to >find out quickly is their supposed right to be spamless, and their little private electronic >domain, called their mailbox. I am not a newcomer to the net. >Many of these same people invite advertising material like flyers, magazines, coupons, to their >household door or mailbox on a daily basis, but never confront these advertisers. Advertising >material created by the decimation of forests, pollution of the environment by the processing >of such, and ending up as filler for our garbage dumps. Mine ends up in my woodstove. > Amazingly only 4% of the recipients will ever be interested in the message that these >advertising materials contain. >Yet this person will strike out from their armchair, in their little form of civil protest against an >action they do not agree with, in relative obscurity. Mean while they sit passively while shots >are fired outside their home, children are being abused, homeless people starve, and guard >the sanctity of their mailbox. Shots *are * fired outside my home. I live on the water and it's duck season. But in Summerstown, Ont, Canada, there's no child abuse and no homeless people that I know of. If I hear of any it will be reported. >The bottom line is they could have just deleted the note, went on their merry way and ignored >the invasion of privacy. Instead they chose to track this down, and highlight it in some sort of >shroud of scam and sent it in to CU-Digest, after their inability to express their displeasure to >the offending party. I should ignore *possible* spam; never warn others about it? >Personally I would accept my mailbox having a few useless nuisance messages, from >recyclable electrons if it meant stopping the destructive process of our current advertising >means. Maybe it was not a spam. Maybe they just left their email address off to protect >themselves from individuals who want to stop this method of advertising Maybe they thought >they might end up scanning material of a questionable nature, considering the way certain >individuals are communicating with other individuals today. Maybe they should have added >the word Adult, then their obscurity would make more sense And maybe they just wanted me to send money. >There were people who did not like the introduction of the printing press at one time either, >and of course they are no longer living. I just think that this message was NOT appropriate for >the CU-Digest, but hopefully will spark debate. You've made your point. And you think that I was so *frustrated* that I had to *lash out*. The fact that there was no way to communicate with the company to me was suspicious. I don't consider sending Cu Digest a short, ironic, message about it is lashing out. And since when is the environment a fit subject for Cu Digest? (But, I, for one, am content to let the moderator decide). Slim Simpson >The thousands of people who regularly send a message to someone who has spammed >them, just has to lighten up, and learn how to use some filtering software. Then maybe >everyone can communicate without destroying our environment. >This is just my opinion, on recyclable material I might add, :)). >Jeffrey Hinchey ------------------------------ --=====================_847837132==_ Content-Type: TEXT/PLAIN; CHARSET=us-ascii Content-ID: Content-Description: Beowulf How ceaselessly Grendel harassed...... --=====================_847837132==_-- ------------------------------ Date: Tue, 12 Nov 1996 09:34:15 -0800 (PST) From: Declan McCullagh Subject: File 4--Censorship on cypherpunks? -- from The Netly News From -- fight-censorship@vorlon.mit.edu The Netly News http://www.netlynews.com/ November 11, 1996 Cypher-Censored By Declan McCullagh (declan@well.com) The cypherpunks mailing list, so legend goes, coalesced around two principles: the dissemination of strong encryption and an absolute commitment to free speech. It was a kind of crypto-anarchist utopia: Here was a place where anonymity was encouraged and PGP-signed postings were the norm -- and nobody seemed to be in control. That is, until recently, when Dimitri Vulis was given the boot. After he refused to stop posting flames, rants and uninspired personal attacks, Vulis was summarily removed from the mailing list. Now, normally, when someone gets evicted from a mailing list, it excites little attention. But here was an ironic -- some would say momentous -- event: The list is run, after all, by John Gilmore, the EFF cofounder, a cypherpunk god who is famous for having once said that the Internet interprets censorship as damage and routes around it. And it was none other than Gilmore who gave Vulis the boot. The shunning of Vulis was "an act of leadership," Gilmore said. Thus began a debate over what the concept of censorship means in a forum devoted to opposing it. Did Gilmore have the right to show Vulis the virtual door? Or should he have let the ad hominem attacks continue, encouraging people to set their filters accordingly? The incident raises deeper questions about how a virtual community can prevent one person from ruining the forum for all and whether only government controls on expression can be called "censorship." Vulis, a 31-year old Russian emigre who completed a PhD in mathematics last year at the City University of New York, is described as sociable, even friendly, by people who have met him. Online, though, he's almost notorious. His .sig file, for instance, proudly points out that he's a former Kook of the Month; Vulis was also a Net-legend and even has the alt.fan.dimitri-vulis newsgroup named after him. Vulis portrays himself as a victim, but as I posted to the list last week, I disagree. Anyone who's spent any time on the 100-plus-messages-a-day list can read for themselves the kind of nasty daily messages that came from Vulis's keyboard. The list is on Gilmore's machine and he can do what he wants with it; he can moderate the postings, he can censor material, he can shut the whole thing down. By kicking off an offending user, a list owner merely exercises his property right. There's no government involvement, so the First Amendment doesn't apply. And the deleted, disgruntled user is free to start his own mailing list with different rules. But then the question is whether Gilmore should have exercised that right, especially in such an open forum. Again, I think Gilmore's actions were justified. Consider inviting someone into your home or private club. If your guest is a boor, you might ask him to leave. If your guest is an slobbish drunk of a boor, you have a responsibility to require him to leave before he ruins the evening of others. Eugene Volokh, a law professor at UCLA, runs a number of mailing lists and has kicked people off to maintain better editorial control. Volokh says that the most valuable publications are those that exercise the highest degree of editorial control. But what if your private club's express purpose is to cherish free speech? That's where the terrain gets mucky. One 'punk wrote: "For someone who espouses freedom of speech to arbitrarily censor someone is indeed hypocritical." Another called it a "big cypherpunkish move" that couldn't be condoned "even bearing in mind the inane and wearisome behaviour of Dr. Vulis." Still others said that this demonstrated that "libertarianism can't work without some measure of authoritarianism." (Libertarianism being the primordial flame war topic, the debate nearly consumed itself at this point.) Vulis told me yesterday: "I'm particularly disappointed by John Gilmore's actions. I've known him and communicated with him before. His treatment of me was rude and unprofessional and inappropriate." In posts to the mailing list, Vulis levels the additional criticism that it was "arbitrary and capricious" and that he was not notified that he would be forcibly unsubscribed. This week Vulis busied himself by saying that now Gilmore can be sued for what happens on cypherpunks, arguing that the list owner is exercising greater control and so is subject to greater liability. Of course, in this country anyone can sue for anything. But it's highly unlikely the suit would go anywhere. Solveig Bernstein, a lawyer with the Cato Institute, says: "Chances are in a defamation lawsuit he'd be treated like a publisher or bookstore owner.. They exercise some control over content and enjoy pretty broad immunity from lawsuits." For his part, Gilmore calls removing the Russian mathematician "an act of leadership." He says: "It said we've all been putting up with this guy and it's time to stop. You're not welcome here... It seemed to me that a lot of the posts on cypherpunks were missing the mark. They seemed to have an idea that their ability to speak through my machine was guaranteed by the Constitution." What does Vulis's ouster mean to the community that sprang up around this mailing list, of which he had been a member for nearly three years? Many of his peers think he did it for attention or notoriety; one longtime list-denizen declined to be interviewed for fear of encouraging him. (If that's his goal, he's already succeeded. Will Rodger from Inter@ctive Week and Lewis Koch from Upside Magazine are writing about this.) Other cypherpunks wonder why Vulis is abrasive online, yet mild-mannered in person; Gilmore likened him to "a Jekyll-and-Hyde personality." The flap comes at a time when other prominent cypherpunks are leaving, citing too many flames and too little content. Perry Metzger, another longtime member, announced last month he would start his own, moderated mailing list. The hard-core programmers have moved on. Yet the list membership has never been higher, at 1,949 direct subscribers. And the cyber-rights issues the group discusses have never been more important. Ironically, tools like anonymous remailers that the cypherpunks labored to create now make it impossible to get rid of Vulis completely. Blocking posts from remailers is unthinkable to the cypherpunks. So the embattled Russian =E9migr=E9 continues to read the list under a pseudonym and appears to be posting as frequently as ever. But perhaps Gilmore succeeded in part. If not more polite, Vulis's messages now are at least on-topic. ------------------------------ Date: Mon, 18 Nov 1996 18:56:33 -0500 From: Bob Palacios Subject: File 5--CDT Policy Post 2.38 - Pres Takes First Steps Towards Clipper Source - fight-censorship@vorlon.mit.edu The Center for Democracy and Technology /____/ Volume 2, Number 38 ---------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------- CDT POLICY POST Volume 2, Number 38 November 18, 1996 CONTENTS: (1) President Takes First Steps Towards Clipper 3.1.1 (2) Details of the Executive Order (3) How to Subscribe/Unsubscribe (4) About CDT, contacting us ** This document may be redistributed freely with this banner intact ** Excerpts may be re-posted with permission of ** This document looks best when viewed in COURIER font ** ----------------------------------------------------------------------- (1) PRESIDENT TAKES FIRST STEPS TOWARDS CLIPPER 3.1.1 In a move that leaves major unanswered questions about the privacy of global communications on the Internet, President Clinton has taken the first concrete steps towards implementing the government's controversial key recovery encryption proposal. On Friday November 15, the President appointed an ambassador-level "Special Envoy for Cryptography" and signed an Executive Order that gives the Commerce Department jurisdiction over encryption exports but includes the Justice Department in all such export decisions. These developments do little to change the underlying regulations on encryption that have prevented the development of a strong worldwide encryption standard needed to protect privacy and security on the Internet. The full text of the executive order and other relevant background materials are available on CDT's Encryption Policy Page: http://www.cdt.org/crypto/ Friday's White House announcements demonstrate the Administration's commitment to its dangerous key recovery approach to worldwide encryption. This approach fails to meet the fundamental privacy needs of computer users and industry because: * International communications are still vulnerable since products sold by the dominant U.S. hardware and software manufacturers must conform to U.S. export controls. * Key recovery won't protect privacy internationally and institutionalizes a global government surveillance mechanism without privacy safeguards. * U.S. exports are still controlled and uncompetitive making it harder for the market to develop a secure global encryption standard. The Administration policy, initially announced on October 1st and dubbed "Clipper 3.1.1," leaves Internet users without the technical means to secure their communications or the international legal standards needed to protect their privacy. In other developments this week, Hewlett-Packard and other companies announced preliminary approval to export new "dormant encryption" products, which contain strong encryption that can only be activated with a special license. While this new architecture is expected to make it easier for industry to market encryption products, this technology does not change the underlying privacy problems created by the Administration's export control policy. Granting of licenses to use strong encryption will still be subject to the current export controls limiting key length and requiring key recovery for strong encryption. CONTINUING A DANGEROUS KEY RECOVERY POLICY The Administration's announcements mark the first real steps towards implementing an approach to encryption policy based on the dangerous and untested idea of global key recovery. This approach would institutionalize worldwide governmental access to encrypted communications without providing any privacy standards for electronic communications or stored data. The Administration's approach leaves computer users at risk operating on a global network without the technical security provided by strong encryption or the legal privacy rights afforded here in the United States by the Fourth Amendment and federal law. For example, the Administration policy would not solve the following privacy problems: * International communications are still vulnerable. For example, an American individual doing business with someone in France would still be forced to use weaker forms of encryption, or use key recovery systems that make their communications accessible to law enforcement officials of both countries. * Key recovery won't protect privacy internationally. A Chinese dissident communicating with supporters in the U.S. and fearful of weaker encryption would be to forced to use key recovery. The Administration indicates that such key recovery mechanisms would be based on bilateral key-access arrangements between governments. Even if the dissident's keys were recoverable only in the U.S., such a global key access policy would almost certainly make those keys accessible to the Chinese government. If the United States expects China to assist U.S. law enforcement with key recovery for issues of national interest, such as anti-piracy efforts in China, we can also expect China to require U.S. disclosure of keys to its law enforcement community. * Exports are still controlled and uncompetitive. A Japanese company using exportable U.S. encryption products would be forced to use lower strength encryption -- or use an key recovery agent approved by the U.S. law enforcement community. This is unlikely to help the global market develop a worldwide standard for secure communications. As a result of this policy, computer users all over the world will be left with a lowest common denominator infrastructure that does not provide for either technical security or legal privacy for sensitive communications and data. CDT believes that any workable U.S. encryption policy must be designed to protect the privacy and security of Internet users. ---------------------------------------------------------------- (2) DETAILS OF THE EXECUTIVE ORDER The Executive Order signed by the President on Friday does not change the type of encryption products that will be exportable. Rather, it lays the groundwork for the eventual transfer of encryption export control jurisdiction from the State Department to the Commerce Department pending Final Regulations by both departments. Encryption exports have traditionally been regulated as "munitions" controlled by the State Department. While the Commerce Department is widely viewed as more sensitive to the needs of business and individual encryption users, Commerce is still constrained by Administration encryption policy. Additional provisions of the Executive Order indicate that the Commerce Department's encryption controls will continue to be dominated by law enforcement and national security interests: * New Justice Department role in export review committee -- In an unusual step, the Order adds the Justice Department to the interagency group reviewing Commerce encryption export decisions. * Source code treated as a "product" -- The Order specifically singles out encryption source code to be given the stricter review scrutiny of a "product" rather than a "technology." * Broad definition of export -- The export of encryption source code or object code is extended to explicitly include posting to FTP sites or electronic bulletin boards unless "adequate" precautions are taken to prevent transfer abroad. As reflected by a recent Federal Court finding in the CDA indecency case that Internet users rarely have control over the parties accessing materials via FTP, Usenet, or the Web, this provision could have the chilling effect of preventing most dissemination or discussion of new cryptographic tools on the Internet. The Administration's announcements will have little effect on the existing encryption privacy problem unless the underlying policies governing the export and use of encryption are changed. These announcements do little to address the unanswered questions about how privacy will be protected in the key recovery system envisioned by the Administration. APPOINTMENT OF THE "SPECIAL ENVOY FOR CRYPTOGRAPHY" On Friday the President also designated Ambassador David L. Aaron as the new "Special Envoy for Cryptography." According to the White House, this Special Envoy will have "responsibility to promote the growth of electronic commerce and robust, secure global communications in a manner that protects the public safety and national security. . . . Ambassador Aaron will promote international cooperation, coordinate U.S. contacts with foreign governments on encryption matters and provide a focal point for identifying and resolving bilateral and multilateral encryption issues." Ambassador Aaron is currently the U.S. Ambassador to the OECD. CDT hopes that the new Special Envoy, as a representative of the United States, will work to represent the needs of Americans to communicate privately in the currently insecure global environment. Until now, U.S. encryption representation abroad has been dominated by law enforcement and national security interests. CDT hopes that the new Special Envoy will also consult with the computer user community, consumers, privacy advocates, and industry to promote their need for secure networks worldwide. NEXT STEPS In the coming months, both the Department of Commerce and the State Department must issue rules to implement the Administration's new encryption policy. * The State Department will issue a rule transferring its jurisdiction of encryption licensing to the Commerce Department. * The Commerce Department will issue rules spelling out exactly how it will approve products for export, and what the requirements for approved key recovery centers and key recovery plans will look like. CDT hopes and expects that the Administration will provide an opportunity for public comment in the rulemaking process to allow input from those concerned about privacy and security in the formulation of U.S. encryption policy. ----------------------------------------------------------------- (3) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by nearly 10,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to policy-posts-request@cdt.org with a subject: subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with a subject of: unsubscribe policy-posts ---------------------------------------------------------------- (4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info@cdt.org World Wide Web: URL:http://www.cdt.org/ FTP URL:ftp://ftp.cdt.org/pub/cdt/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ------------------------------ Date: Mon, 25 Nov 1996 07:47:13 -0500 (EST) From: Noah