**************************************************************************** >C O M P U T E R U N D E R G R O U N D< >D I G E S T< *** Volume 2, Issue #2.17 (December 16, 1990) ** **************************************************************************** MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet) ARCHIVISTS: Bob Krause / Alex Smith RESIDENT INSOMNIAC: Brendan Kehoe USENET readers can currently receive CuD as alt.society.cu-digest. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors, however, do copyright their material, and those authors should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ CONTENTS: File 1: Moderators' Corner File 2: From the Mailbag File 3: EFF Response to Atlanta Sentencing Memorandum File 4: Some Thoughts on the Atlanta Sentencing File 5: Earning your Stripes File 6: Playgrounds of the Mind: Cyberspace File 7: The CU in the News ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ---------------------------------------------------------------------- ******************************************************************** *** CuD #2.17: File 1 of 7: Moderator's corner *** ******************************************************************** From: Moderators Subject: Moderators' Corner Date: December 16, 1990 ++++++++++ In this file: 1. LEN ROSE UPDATE 2. FTP FILES ++++++++++ +++++++++++++++++++++ Len Rose Update +++++++++++++++++++++ Len Rose will go to trial in Baltimore in late January barring any extensions. He asked us to pass on his thanks to the many, many people who responded to his request for witnesses. Len is still unemployed and is prevented from seeking menial work because his leg remains in a cast and he cannot stand for extended periods of time. He sends his thanks to those who have helped in financially and emotionally during this period. Those wishing to help him through the holidays are encouraged to send donations to: Len Rose Donation c/o Sheldon Zenner Katten, Muchin and Zavis 525 W. Monroe, Suite 1600 Chicago, IL 60606 Checks should be made out to either Sheldon Zenner or Len Rose. +++++++++++++++ FTP Files +++++++++++++++ A few more state statutes have been added to the ftp site along with a few legal papers. The complete NIA (Network Information Access, #s 1-67) will also be up by Christmas. DAVE BANISAR has been helpful in expanding the legal documents. The EFF NEWSLETTER, which just came out, will also be added. We encourage people to ftp it and upload it elsewhere. Their first issue is excellent (we reprint their response to the Riggs sentencing memo in file 3). ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Various Subject: From the Mailbag Date: December 16, 1990 ******************************************************************** *** CuD #2.17: File 2 of 7: From the Mailbag *** ******************************************************************** From: Robert McClenon <76476.337@COMPUSERVE.COM> Subject: Cowboys and Indians and the cyberfrontier Date: 11 Dec 90 00:54:55 EST The question was posed as to whether hackers are cowboys seeking new territory to stake out. Maybe. But I propose a different (electronic) frontier metaphor. Cowboys lived on the frontier in what they perceived to be freedom but did not understand the limits of the world and eventually wasted the commons. There were another group of people, living further out on the frontier, who in general did understand the limits of the world and the interdependency of all things, and who had their own tribal culture and ethic that was not well understood by outsiders. They were called by many names and called themselves by many names, but at the time most outsiders called them Indians. Their society was tribal, but most tribes had an organization that at the same time was mostly democratic and yet placed a great deal of authority and respect in a chief. They had a few enemies. Principal among their enemies were the federal cavalry. The objective of the cavalry was in general to herd the Indians onto reservations as a step toward fencing in the free range, and some of the cavalry had the secondary wish to massacre a few Indians in the process. The cavalry often waited for a provocation, which sometimes came from rogue Indians who interfered with the white man's property, by raiding his sheep, or with his communication, by cutting telegraph lines or harassing the pony express. I suggest that the BBS community are comparable to Indians, living peacefully on the frontier, in harmony with the world, and mostly respecting the authority of the chiefs (sysops), although not without complaining. Hackers are rogue Indians, who threaten communication and property. It does not take much of a provocation to bring on the feds. And the feds do not respect the Indian culture and have shown a willingness to slaughter Indian chiefs who tried to cooperate with the feds in controlling the rogue Indians. What are the conclusions? The rogue Indians threaten the continued existence of the Indians. The worse rogues are the feds, who do not seem to respect anyone's law, even their own. The only long-term hope for the Indians is to maintain their own discipline. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: wex@PWS.BULL.COM Subject: A Philosophical Reminder Date: Mon, 10 Dec 90 13:41:49 est Not to rain on Dark Adept's parade since I largely agree with him, but... The ancient wizards he refers to, and whom he credits with things such as Physics and Philosophy, were but pale imitations of their Greek, Babylonian, and Chinese forbears. It was these men (for women were systematically excluded) who -- as far as we know -- founded such things as Philosophy. The alchemists (and similar "wizards") were indeed similar to (some) hackers in that they were unsystematic dabblers in things that were supposed to be forbidden. But credit where credit is due, please. It was people like Descartes and Russell who systematized and made Western science what it became. --Alan Wexelblat phone: (508)294-7485 Bull Worldwide Information Systems internet: wex@pws.bull.com ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Electronic Frontier Foundation Subject: EFF Response to Atlanta Sentencing Memorandum Date: December 10, 1990 ******************************************************************** *** CuD #2.17: File 3 of 7: EFF Response to Atlanta Sentencing *** ******************************************************************** EFF News #1.00: Article 7 of 7: How Prosecutors Misrepresented the Atlanta Hackers Although the Electronic Frontier Foundation is opposed to unauthorized computer entry, we are deeply disturbed by the recent sentencing of Bell South hackers/crackers Riggs, Darden, and Grant. Not only are the sentences disproportionate to the nature of the offenses these young men committed, but, to the extent the judge's sentence was based on the prosecution's sentencing memorandum, it relied on a document filled with misrepresentations. Robert J. Riggs, Franklin E. Darden, Jr., and Adam E. Grant were sentenced Friday, November 16 in federal court in Atlanta. Darden and Riggs had each pled guilty to a conspiracy to commit computer fraud, wire fraud, access-code fraud, and interstate transportation of stolen property. Grant had pled guilty to a separate count of possession of access codes with intent to defraud. All received prison terms; Grant and Darden, according to a Department of Justice news release, "each received a sentence of 14 months incarceration (7 in a half-way house) with restitution payments of $233,000." Riggs, said the release, "received a sentence of 21 months incarceration and $233,000 in restitution." In addition, each is forbidden to use a computer, except insofar as such use may be related to employment, during his post-incarceration supervision. The facts of the case, as related by the prosecution in its sentencing memorandum, indicate that the defendants gained free telephone service and unauthorized access to BellSouth computers, primarily in order to gain knowledge about the phone system. Damage to the systems was either minimal or nonexistent. Although it is well-documented that the typical motivation of phone-system hackers is curiosity and the desire to master complex systems (see, e.g., HACKERS: HEROES OF THE COMPUTER REVOLUTION, Steven Levy, 1984), the prosecution attempts to characterize the crackers as major criminals, and misrepresents facts in doing so. Examples of such misrepresentation include: 1) Misrepresenting the E911 file. The E911 file, an administrative document, was copied by Robert Riggs and eventually published by Craig Neidorf in the electronic magazine PHRACK. Says the prosecution: "This file, which is the subject of the Chicago [Craig Neidorf] indictment, is noteworthy because it contains the program for the emergency 911 dialing system. As the Court knows, any damage to that very sensitive system could result in a dangerous breakdown in police, fire, and ambulance services. The evidence indicates that Riggs stole the E911 program from BellSouth's centralized automation system (i.e., free run of the system). Bob Kibler of BellSouth Security estimates the value of the E911 file, based on R&D costs, is $24,639.05." This statement by prosecutors is clearly false. Defense witnesses in the Neidorf case were prepared to testify that the E911 document was not a program, that it could not be used to disrupt 911 service, and that the same information could be ordered from Bell South at a cost of less than $20. Under cross-examination, the prosecution's own witness admitted that the information in the E911 file was available in public documents, that the notice placed on the document stating that it was proprietary was placed on all Bell South documents (without any prior review to determine whether the notice was proper), and that the document did not pose a danger to the functioning of the 911 system. 2) Guilt by association. The prosecution begins its memorandum by detailing two crimes: 1) a plot to plant "logic bombs" that would disrupt phone service in several states, and 2) a prank involving the rerouting of calls from a probation office in Florida to "a New York Dial-A-Porn number." Only after going to some length describing these two crimes does the prosecution state, in passing, that *the defendants were not implicated in these crimes.* 3) Misrepresentation of motives. As we noted above, it has been documented that young phone-system hackers are typically motivated by the desire to understand and master large systems, not to inflict harm or to enrich themselves materially. Although the prosecution concedes that "[defendants claimed that they never personally profited from their hacking activities, with the exception of getting unauthorized long distance and data network service," the prosecutors nevertheless characterize the hackers' motives as similar to those of extortionists: "Their main motivation [was to] obtain power through information and intimidation." The prosecutors add that "In essence, stolen information equalled power, and by that definition, all three defendants were becoming frighteningly powerful." The prosecution goes to great lengths describing the crimes the defendants *could* have committed with the kind of knowledge they had gathered. The prosecution does not mention, however, that the mere possession of *dangerous* (and non-proprietary) information is not a crime, nor does it admit, explicitly, that the defendants never conspired to cause such damage to the phone system. Elsewhere in the memorandum, the prosecution attempts to suggest the defendants' responsibility in another person's crime. Because the defendants "freely and recklessly disseminated access information they had stolen," says the memorandum, a 15-year-old hacker committed $10,000 in electronic theft. Even though the prosecution does not say the defendants intended to facilitate that 15-year-old's alleged theft, the memorandum seeks to implicate the defendants in that theft. 4) Failure to acknowledge the outcome of the Craig Neidorf case. In evaluating defendants' cooperation in the prosecution of Craig Neidorf, the college student who was prosecuted for his publication of the E911 text file in an electronic newsletter, the government singles out Riggs as being less helpful than the other two defendants, and recommends less leniency because of this. Says the memorandum: "The testimony was somewhat helpful, though the prosecutors felt defendant Riggs was holding back and not being as open as he had been in the earlier meeting." The memorandum fails to mention, however, that Riggs's testimony tended to support Neidorf's defense that he had never conspired with Riggs to engage in the interstate transportation of stolen property or that the case against Neidorf was dropped. Riggs's failure to implicate Neidorf in a crime he did not commit appears to have been taken by prosecutors as a lack of cooperation, even though Riggs was simply telling the truth. Sending a Message to Hackers? Perhaps the most egregious aspect of the government's memorandum is the argument that Riggs, Grant, and Darden should be imprisoned, not for what *they* have done, but send the right "message to the hacking community." The government focuses on the case of Robert J. Morris Jr., the computer-science graduate student who was sentenced to a term of probation in May of this year for his reckless release of the worm program that disrupted many computers connected to the Internet. Urging the court to imprison the three defendants, the government remarked that "hackers and computer experts recall general hacker jubilation when the judge imposed a probated sentence. Clearly, the sentence had little effect on defendants Grant, Riggs, and Darden." The government's criticism is particularly unfair in light of the fact that the Morris sentencing took place almost a year *after* the activities leading to the defendants' convictions! (To have been deterred by the Morris sentencing the Atlanta defendants would have to have been able to foretell the future.) The memorandum raises other questions besides those of the prosecutors' biased presentation of the facts. The most significant of these is the government's uncritical acceptance of BellSouth's statement of the damage the defendants did to its computer system. The memorandum states that "In all, [the defendants] stole approximately $233,880 worth of logins/passwords and connect addresses (i.e., access information) from BellSouth. BellSouth spend approximately $1.5 million in identifying the intruders into their system and has since then spent roughly $3 million more to further secure their network." It is unclear how these figures were derived. The stated cost of the passwords is highly questionable: What is the dollar value of a password? What is the dollar cost of replacing a password? And it's similarly unclear that the defendants caused BellSouth to spend $4.5 million more than they normally would have spent in a similar period to identify intruders and secure their network. Although the government's memorandum states that "[t]he defendants ... have literally caused BellSouth millions of dollars in expenses by their actions," the actual facts as presented in the memorandum suggest that BellSouth had *already embarked upon the expenditure of millions of dollars* before it had heard anything about the crimes the defendants ultimately were alleged to have committed. Moreover, if the network was insecure to begin with, wouldn't BellSouth have had to spend money to secure it regardless of whether the security flaws were exploited by defendants? The Neidorf case provides an instructive example of what happens when prosecutors fail to question the valuations a telephone company puts on its damages. But the example may not have been sufficiently instructive for the federal prosecutors in Atlanta. Not only are there questions about the justice of the restitution requirement in the sentencing of Riggs, Darden, and Grant, but there also are Constitutional issues raised by the prohibition of access to computers. The Court's sentencing suggests a belief that anything the defendants do with computers is likely to be illegal; it ignores the fact that computers are a communications medium, and that the prohibition goes beyond preventing future crimes by the defendants--it treads upon their rights to engage in lawful speech and association. EFF does not support the proposition that computer intrusion and long-distance theft should go unpunished. But we find highly disturbing the misrepresentations of facts in the prosecutors' sentencing memorandum as they seek disproportionate sentences for Riggs, Darden, and Grant--stiff sentences that supposedly will "send a message" to the hackers and crackers. The message this memorandum really sends is that the government's presentation of the facts of this case has been been heavily biased by its eagerness to appear to be deterring future computer crime. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: The Advocate / return deleted Subject: Some Thoughts on the Atlanta Sentencing Date: Tue, 11 Dec 90 15:37:23 -0500 ******************************************************************** *** CuD #2.17: File 4 of 7: Thoughts on the Atlanta Sentencing *** ******************************************************************** I find the statement in the sentencing memo "these three had acquired tremendous information, enough to become frighteningly powerful" to be the key to the governments prosecution. The governemnt has always feared those who have gained power outside of the channels of normal authority, and sought to destroy all those who have gained this power. The FBI sought to destroy King and the SCLC, not because he was a bad man, but because he threatened the status quo. The Black Panthers threatened the status quo and they were destroyed. Read the history of organized labor. Every initial unionization attempt was met with violence and legal assault, until the unions became part of the establishment. Jesus was crucified because he threatened the order. Now hackers have started to seize information and power. That power is a potential force for good or evil. That power could shake the world as they know it. So now all forces of law enforcement have begun to turn on those who may threaten the order. I would recommend that all those who wish to hack, listen to "Ruby, an intergalactic gumshoe". It's a radio drama from the people who did the "fourth tower of Inverness"(best guess). There there is an organization called the digital circus, who build wrestling robots. THey wrestle against the rulers machines. They never win, but always come a little closer before throwing the match. I would suggest that the sentencing memo serve as a warning to all other hackers. SQUEALERS NEVER PROSPER......... John Doe the indiana stool pigeon, got for his troubles, a search warrant and indictment. The atlanta three got for their guilty plea and cooperation about 8 years and $250,000 in punishment. I have been around criminal lawyers and investigators, for the better part of my life. I cannot suggest any case where cooperation brings help. Now all of them are also vulnerable on civil charges. Had they all sat odwn, said prove the case and fought it out, they would have done no worse. and probably could have demolished the case with Dr Dennings testimony. But no, they squealed. Someone ought to slap around their attorneys. Craig Neidorf had it right with sheldon zenner. Fight all the way. Don't fight the good fight. Fight with every drop of blood you have. Fight constitutionality. fight civilly. fight in the press. fight in the legislature. If you are indicted, use your rights. Subpoena every document of the firms opposing you. They claim billions in damages, subpoena all their operating records. get their expense records of top officials. Use your subpoena rights to find dirt on their witnesses. It's there, you just have to look for it. IF there is going to be a computer underground, then it's going to have to learn how to fight and win in the courts and legislatures and public opinion. that means controlling our excesses. learning how to measure performance, and developing ethics. Ethics. The Dark adept wrote about these. Why break into yet another TSO machine? Don't damage data. Learn to respect privacy rights. IF you find a security bug, publish it, but learn how to offer your services to fix these. Learn to realize that trespassing via computer is no different then trespass by foot. Create playlands. The LOTS machine at stanford provided many a safe outlet. Get these machines going at the larger colleges. Why can't their still be LOTS? Learn to realize limits, as well. well best of luck for those of you out there. I remain, The Advocate. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Subject: Earning your Stripes From: Silver Surfer Date: Tue, 11 Dec 90 07:06 EDT ******************************************************************** *** CuD #2.17: File 5 of 7: Earning your Stripes *** ******************************************************************** In an article by Katie Hafner entitled "Morris Code", she describes a long standing tradition that computer security experts have earned their stripes by defeating the computer's barriers. But now instead of earning pin stripes, hackers are earning their prison stripes for defeating computer's barriers. What has happened to change the norms and values in the computer world in the last 10 to 15 years? Now it is a crime to pursue forbidden unlawful computer knowledge. Just recently the "Atlanta Three" (Robert Riggs, Adam Grant and Franklin Darden) have been sentenced to prison terms for breaking into the BellSouth computer systems. It is stated by the government that these individuals have a vast knowledge concerning computer and telecommunication services. So with this aptitude they are being sent to prison where they might learn a lesson. What lesson might they learn, I do not know. It is hard to believe that the government would not impose a fine on them and community service similar to what Morris received (but then again I bet none of their fathers are at the NSA..or could afford the lawyers Morris's family provided their son). I think the "Atlanta Three" should be viewed as technological clepto maniacs. They would pursue information and knowledge even though they knew the means were illegal. You could say that their value system of right and wrong was skewed. But is this a reason to imprison these young men? Their critics site the millions of dollars lost (just like the thousands of dollars for the 911 manuscript ....it's revised net value is under $20 now) and the threat to life they could have caused through network disruption. The key words are COULD HAVE CAUSED. They never actually caused loss of life or injury to anyone. If that was the case, I would drive them to prison myself. So the federal government has issued a message to hackers and phreaks, that the only stripes you can earn now are prison stripes. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Silicon Surfer /
Subject: Playgrounds of the Mind: Cyberspace Date: Tue, 11 Dec 90 07:06 EDT ******************************************************************** *** CuD #2.17: File 6 of 7: Playgrounds of the Mind: Cyberspace *** ******************************************************************** Playgrounds Of The Mind: Cyberspace By Silicon Surfer Why do hackers hack? The majority seem to say it's a thrill or a challenge to get into a system. Others say that it's a means to learn about mainframe computers and their various communication networks. Every year the government and with donations from industry pour millions of dollars into athletic facilities for it's youth and adult citizens. There is even a President's Fitness Council to encourage Americans to exercise their bodies. The government and industry does spend millions of dollars to fight computer "hackers" and fix security holes. But where are the playgrounds for the mind? If the government and industry provided regionally located computer centers for the young and old computer enthusiasts to use or break into what would happen? Industry and the government would have a place to test it's new software and find security holes. It would also be developing a young crop of computer programmers and security experts. Imagine what it would be like to develop young adults with years of computer experience, we already see this result in sports every year during the various professional drafts and attempts by colleges to recruit players. And what of the crime of computer hackers? There would be no excuse if you were allowed to use or crack a specific computer system. There would still be the thrill, challenge and knowledge to achieve, BUT it would be legal. It would also teach ethics. Imagine a hacker defeating a system and gaining an account, then only weeks later to lose that account to another hacker (of course a large increase of computer expertise would be developed by hackers to defend their own accounts). And if a hacker broke into a system that was outside the allowed systems...there would be no excuse except for criminal mischief. There already exits a network called the Internet that would allow various playgrounds of cyberspace to be connected. Today, most high school districts have minicomputers or mainframe systems (imagine students staying after school to work and learn with a computer...they would most likely have to sign up for time...images of the old days of the old hackers of the 70's) that could connect to the Internet. And what of the computing resources of community colleges and state universities that could be opened up to the public. They already open up their gyms, athletic fields, and pools to the community, why not their computers? A perfect example is the Cleveland Free-Net by CASE Western. They have developed a computer city that exists on the Internet and is accessible to anyone at NO cost. The EFF wants to encourage the growth and inhabitance of cyberspace. Why not develop outposts at various academic sites to accommodate the "greenhorns" that are venturing out into this new and open frontier? The EFF does not need to spend vast amounts of money, instead it should provide encouragement. They could aid in the development of a program to bring computers to the people (..help establish a Community Memory Project...like the one that existed in the late 70's in California). It would be easier for the more famous of their members to get donations from industry of used or new equipment. But then again it is easier for the government and industry to spend resources of time and money to monitor and hunt hackers. It is better to foster the idea that computer access and knowledge should be the realm of the few. That it would be better to complain and wring their hands saying that the US should do something to regain it's technological edge and by the way, let's get rid of these dangerous and evil hackers. Of course the media is of no help. What profit is it to print news stories or support an initiative like this. There is no sensationalism in law and order. The bed time horror stories of 15 year olds breaking into military computers and emergency networks would disappear, leaving them instead with stories of a educated and ethical computer community. I believe we are at a turning point in the computer culture. We have reached the cross roads, we can encourage the open development of computer knowledge by providing open systems or we can make it a crime to pursue knowledge. After reading this you might ask what have I done to encourage computer knowledge? I have taught computer courses for elementary students while in college and later developed a course outline to use a state university's mainframe computer to provide accounts and instruction for high school students (the program although was shot down by the state university's bureaucracy plan to fight this decision). That is why I am posting this article under a handle, to protect any future projects of mine from misinterpretation. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Various Subject: The CU in the News Date: 15 December, 1990 ******************************************************************** *** CuD #2.17: File 7 of 7: The CU in the News *** ******************************************************************** From: someplace!anonymous@UUNET.UU.NET Subject: Well, did anything happen? Date: Wed, 12 Dec 90 02:59:59 -0500 Or was it a case of hysterical or malicious rumor mongering? COMPUTER JOCKEYS THREATEN PHONE WAR SAN JOSE MERCURY NEWS (SJ) - Friday, November 16, 1990 By: Associated Press Edition: Stock Final Section: Front Page: 16A Telephone companies are taking precautions today against a possible disruption of service somewhere in the country by computer vandals breaking into the phone network. Non-specific threats had been made to invade the massive computers that control the telephone network, but not to attack physical facilities, industry sources said. Sources who spoke on condition of anonymity said the threats apparently were in connection with a sentencing scheduled in Atlanta this afternoon for three members of a computer group called the Legion of Doom who had broken into BellSouth Corp. computers. Franklin E. Darden Jr. and Robert J. Riggs pleaded guilty earlier this year in federal court to one conspiracy count each. Adam E. Grant pleaded guilty to possessing 15 or more access devices with intent to defraud. 'Everyone is on alert' "We have not been able to assess the validity of the threats, but we certainly take any threats seriously, and we've taken precautions to minimize the risk of intrusion," BellSouth spokesman Bill McCloskey said. "We are aware of the purported threat to try and disrupt at least part of the nationwide network," said Herb Linnen, a spokesman for American Telephone and Telegraph Co. "Our corporate security organization has sent word around the country to make sure everyone is on alert in the coming days." Linnen said the purported threat was not against any single company. He said the rumor of the attempted disruption was discussed at a regular meeting Wednesday of technical executives of a number of phone companies. "We have no idea how widespread the threat might be, but it's our understanding that the group may be national," said Peter Goodale, a spokesman for Nynex Corp., parent of the New England Telephone and New York Telephone companies. "We've taken the appropriate security measures to ensure the integrity of our network." Copied 911 program FBI and Defense Department officials said they were unaware of any such threat. Federal prosecutors in Chicago last year charged that members of the Legion of Doom had used their computers in February 1989 to tap into the 911 system of Atlanta-based BellSouth and copy the program. The information then was published in an electronic newsletter in Chicago for hackers, but the 911 network was not disrupted. Charges against the Chicago publisher were dropped in July. Copyright 1990, San Jose Mercury News ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: elroy!grian!alex@AMES.ARC.NASA.GOV(Alex Pournelle) Subject: Esquire Hacking Article Date: Wed, 5 Dec 90 09:55:23 GMT In the December Esquire magazine (with Michelle Pfeiffer on the cover), there is an article on "hacking" (system-cracking or password-stealing, really): "Terminal Delinquents", pp. 174ff, by Jack Hitt and Paul Tough, under the "Outlaws" banner. And it deserves some comments. I plan a rather lengthier commentary on this article, to be sent to the magazine, but thought it appropriate to tell the hacking community how they are portrayed. Certainly, all readers of cu-digest would do well to pick it up. The article is written about a small group of New York-based juvenile hackers (their term) who break into the Nynex billing and phone add/move/change system--to play around, look around, and just fiddle. A little time is spent on the background of phone phreaking (Draper discovering Cap'n Crunch whistles, blue boxes), essentially none on the history of actual hacking. The actions of these teenage trespassers are taken at face value; the only fact-checking appears to be one call for comment to the Nynex security office (they had no comment). Even when they are shown the "White House PROF system" (perhaps they meant PROFS?), they make no effort at independent corroboration. I find it even more disturbing that no editor at Esquire even suggested some fact-checking. The authors have not, to my eye, even done basic research like reading The Cuckoo's Egg. They talk about "The Internet Virus", not worm; their long treatise on "social-engineering of passwords" (getting people to tell them to you, or guessing them) only implicitly and offhandedly mentions the knife-edge balance between access and security. There is a lot of computer-as-electronic-phlogiston talk, some more successful than others. There is much scare talk about how any dam' fool can get your credit history from TRW. There's no direct discussion of how random system-breakins might endanger lives. There is essentially no talk about the morality, guidance or beliefs of the hackers--are we to presume that some Big Brother of government or school is supposed to teach the good and bad of computers? Or is this just a scary-but-true-to-life story about how any pimply-faced bag of teenage hormones with a modem can change your credit rating forever? I think the latter. In short, the piece is maddeningly obtuse in a magazine with a circulation of over 800,000. It is long on anecdote and very short on fact. It is a disservice to anyone who calls him/her/itself a hacker. The magazine deserves to be told this. Sincerely, Alex Pournelle ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: P.A.Taylor@EDINBURGH.AC.UK Subject: Virus Planters from Eastern Europe? Date: 27 Nov 90 17:22:04 gmt FEARS OF COMPUTER VIRUS ATTACK FROM EASTERN EUROPE GROW. From: The Independent, Sat 24.11.90, By Susan Watts, Science reporter. The computer industry in Britain is being warned against an influx of malicious viruses from eastern Europe. Governments and companies there use computers less widely than those in the West. The range of applications is limited and so programmers have time to write these destructive programs. Bryan Clough, a computer consultant based in Hove, East Sussex, returned last week from Bulgaria with 100 viruses unknown in the West. "People have been writing these as a form of protest against the authorities. Some are very good indeed...I am terrified of running them on my machine but until I do I will have no idea of what they are capable of", he says. Mr Clough predicts a wave of virus attacks on Britain, launched mainly through electronic message systems known as Bulletin boards. One bulletin board in Birmingham already believes it has been hit by Bulgarian viruses. These programs can corrupt or destroy data stored on a computer's hard disk. Jim Bates, who dismantles viruses for Scotland Yard's Computer Crime Unit,says "I'm having a hell of a job keeping up with the viruses coming through already. The problem is that we can only screen for viruses that we know about". He warns the computer industry against rogue software from eastern Europe, Bulgaria and Russia are thought to harbour the most virulent viruses. The small but legitimate software industry in Bulgaria complains that programming is one of the few skills that the industry can exploit. Recent concern is killing off even this slim chance of gaining hard currency from overseas. Part of the problem is that the authorities do not believe in copyright or patent protection for software. "Programmers are used to ripping off software" Mr Clough says, "so that they are expert at hacking into each others systems and planting viruses." He found at least 30 people producing viruses in Bulgaria. Most are known to the police who can do little to stop them since the country has no laws against computer crime. Even in Britain which introduced legislation against hacking this summer, virus writers can be arrested only if they enter a computer system without authority or cause damage once inside. Scotland Yard's anti-virus team can extradite foreign programmers who flout this law, if Britain has an extradition treaty with the country concerned. One of the most worrying of the virus-writers calls himself the "Dark Avenger". He has written a number of malicious programs, and Mr Clough believes he intends to plant these in Britain shortly. Virus detectives are dismantling one such program called "Nomenklatura", thought to have been written by this man. Security experts in Britain fear programmers in the Soviet Union may soon follow Bulgaria's lead. The Soviet Union has no copyright laws, and some sections of the software industry are already using viruses as a way to punish those who steal programs. One such virus displays the message "Lovechild in "Lovechild:in reward for stealing software" on the screen. Less than two years ago there were only 20 or so virus programs around, now there are hundreds. In Bulgaria a new virus appears once a week, Mr Clough says. ******************************************************************** ------------------------------ **END OF CuD #2.17** *********************************************************************