Computer underground Digest    Sun Aug 16, 1992   Volume 4 : Issue 36

Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Copy Editor: Etaion Shrdlu, III
Archivist: Brendan Kehoe
Shadow-Archivist: Dan Carosone

CONTENTS, #4.36 (Aug 16, 1992)
File 1--COMP.SOCIETY.CU-DIGEST CHANGE
File 2--Bell System Policies - in Re CuD 4.35
File 3--Bell System Policies (John's Response 1)
File 4--Bell System Policies (Jerry's Response 2)
File 5--Bell System Policies (John's Response 2)
File 6--Pacbell security - The Final Word
File 7--Brooks Statement on INSLAW Report
File 8--Special Investigator Requested for Inslaw (Press Release)
File 9--Summary of NBC's Coverage of Danny Casolaro/Inslaw
File 10--Re: Overstated? (Chic Tribune summary)
File 11--Elite Pirates? I think not.
File 12--Deferring the Piracy Debate until September
File 13--Software piracy in America's schools?

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT libraries; from America Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; and by anonymous ftp from ftp.eff.org (192.88.144.4) and ftp.ee.mu.oz.au
European distributor: ComNet in Luxembourg BBS (++352) 466893.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission.
It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Fri, 14 Aug, 1992 17:15:32 CDT
From: CuD Moderators
Subject: File 1--COMP.SOCIETY.CU-DIGEST CHANGE

Chip Rosenthal reminds everybody:

The comp.society.cu-digest newsgroup has been created. Effective immediately, the CuD will be cross-posted into both the old alt group and the new comp group. After about a month's time to allow for changeover, I will delete the old alt group and send it only to the comp group.

SO: If you're reading CuD as an ALT group, BE SURE TO unjoin and join COMP.SOCIETY.CU-DIGEST instead. Chip took the initiative for the change, managed the discussion on news.groups, and is making the transition smooth and easy. THANKS CHIP!! NICE JOB!!

------------------------------

Date: Mon, 10 Aug 1992 15:51:38 GMT
From: jmcarli@SRV.PACBELL.COM(Jerry M. Carlin)
Subject: File 2--Bell System Policies - in Re CuD 4.35

((MODERATORS' COMMENT: We asked Jerry Carlin and John Higdon to frame their discussion of Bell System/Bellcore policies as a point-counterpoint exchange. We found their discussion exceptionally informative and commend them for putting together a stimulating sequence of posts)).

In CuD 4.35, John Higdon wrote:

>But the policy of "The Bell System" and now Bellcore and the RBOCs
>seems to be to do nothing about any such problems and wait for some
>phreak to get caught with a hand in the cookie jar...
I'm not going to argue history but John's contention that Bellcore and the RBOCs are doing nothing is incorrect. BTW, I work for PacBell.

Some examples:

Bellcore has issued "Technical Advisories" on the subject of security including FA-NWT-000835 "Generic Framework Requirements for Network Element and Network System Security Administration Messages" and FA-STS-001324 "Framework Generic Requirements for X Window System Security".

They participate in security organizations such as IEEE P1003.6 doing security standards for POSIX (UNIX) and ISO/IEC JTC1/SC27 and ANSI X3T4 (a mouthful :-) I personally voted on the last draft of P1003.6, spending quite a bit of time to try to fathom a very large document.

Also, a set of Bellcore security requirements forms a large part of a draft NIST "Minimum Security Functionality Requirements for Multi-User Operating Systems" (MSFR) document designed to replace the DoD Orange Book.

They are doing work on using Kerberos and exploring OSF/DCE security features to increase the robustness of distributed applications.

We (Pacbell) have spent millions of dollars implementing various security measures including security packages (RACF for MVS) and in using Security Dynamics "SecurID" cards for dial access.

We have been working on enhancing UNIX security. Bellcore has developed a UNIX Security Toolkit which added many features to the basic scripts first outlined in the book "UNIX System Security" by Wood & Kochan. They added a one-week course on UNIX security to their curriculum.

We and they now have security components to reviews of applications. Bellcore developed a set of UNIX security requirements and asked all the major vendors to respond. Systems security is now part of the purchasing decisions.

Is all of this enough? Well, that is another argument but I hope it's clear that Bellcore and Pacbell (and the other RBOCS) are "doing something".

++++
Jerry M.
Carlin (510) 823-2441 jmcarli@srv.pacbell.com
Alchemical Engineer and Virtual Realist

------------------------------

Date: Mon, 10 Aug 92 17:37 PDT
From: john@ZYGOT.ATI.COM(John Higdon)
Subject: File 3--Bell System Policies (John's Response 1)

jmcarli@SRV.PACBELL.COM(Jerry M. Carlin) writes:

[Lots of stuff about how Bellcore and Pac*Bell give major lip service to security.]

But the truth of the matter is that while Bellcore may have written a book on the matter of security, it apparently forgot to read it. Even to this day, it is more or less a trivial matter for a knowledgeable person to get into things he shouldn't.

If you want to have a good horse laugh, you should read the COSMOS training manual. This system WAS so full of holes that you could literally set up your own phone company using Pac*Bell's network with the company becoming none the wiser. This has been tightened up somewhat. And how did it get tightened up?

Go down to the LA area sometime and pull the microfilm on the LA Times and the Orange County Register and see the pictures of the evil desperados (a bunch of sixteen year old kids) who easily penetrated Pac*Bell and set up all manner of telephonic conveniences for themselves using COSMOS. This took place in the mid-eighties. Pac*Bell should have been exceedingly embarrassed.

> Is all of this enough? Well, that is another argument but I hope it's
> clear that Bellcore and Pacbell (and the other RBOCS) are "doing
> something".

Dialups into CO switches used to have no password protection whatsoever. Now they do. That's a start, folks. So you are now thinking about security? Good for you. It is about time. Why has it taken so long?

------------------------------

Date: Tue, 11 Aug 92 09:01:16 PDT
From: jmcarli@SRV.PACBELL.COM(Jerry M. Carlin)
Subject: File 4--Bell System Policies (Jerry's Response 2)

> From zygot!john@apple.com Mon Aug 10 17:48:25 1992
>
> jmcarli@SRV.PACBELL.COM(Jerry M.
> Carlin) writes:
> [Lots of stuff about how Bellcore and Pac*Bell give major lip service
> to security.]

I don't consider spending tens of millions of dollars over the past few years as "lip service". If you wonder what on: such things as RACF for MVS are not cheap. SecurID cards cost quite a bit when multiplied by 10,000 people. Getting lots of shredders costs money. Could we have spent it more wisely? Of course, but what else is new? IMHO we've done pretty well.

> But the truth of the matter is that while Bellcore may have written a
> book on the matter of security, it apparently forgot to read it. Even
> to this day, it is more or less a trivial matter for a knowledgeable
> person to get into things he shouldn't.

It's neither easy nor quick to plug all the holes in 'swiss cheese'. The point I'm trying to make is that we've been working on it for a number of years and are continuing to work on it and that we've made good progress.

> ... Good for you. It is about time. Why has it taken so long?

Some of the reasons are our fault and some are not. We have been yelling at vendors to deliver operating systems with adequate security features and bug fixes for a number of years now. I'm REALLY tired of having stupidities like /etc/hosts.equiv "+" and initial ID's without passwords forcing us to do work we should not have to do to clean it up.

Some of the problems require new technology. We REALLY want Kerberos and/or OSF DCE but they are not ready yet. We're just getting to the point of having secure SNMP. When the protocols are full of security holes it makes it kind of difficult to have true security.

By the way, my personal opinion is that the biggest security problem is people. We can have the most secure systems in the world, and they can even be maintained in a secure state but one successful "social engineer" can knock all of that into a cocked hat.
It is a non-trivial problem to make sure that all legitimate calls from one employee to another get responded to without delay while at the same time catching all those trying to talk employees out of confidential information or into opening up some access in the name of a (bogus) emergency.

There is a public trust issue here. If someone gets the unlisted number of a public figure and then uses that to harass the person, it's a serious matter. If the 911 service is disrupted lives are at stake. If someone's conversations are intercepted illegally, we've violated an expectation of privacy if not various laws.

While I obviously believe that John is overemphasizing the negative, his feeling that security is vital and that we need to finish the job is one that I share. I think it is mandatory that we do so if we want to succeed in the coming era where any customer will have a choice between several vendors for basic dial tone. We're getting close now with cellular and will get closer with the next generation mobile technology. Even the hard-wired local loop will be opened up. We can no longer be arrogant since "we're the phone company, after all". It's not true now and it will be less true in the future. We're "A" phone company not "THE" phone company.

------------------------------

Date: Wed, 12 Aug 92 14:13 PDT
From: john@ZYGOT.ATI.COM(John Higdon)
Subject: File 5--Bell System Policies (John's Response 2)

jmcarli@SRV.PACBELL.COM(Jerry M. Carlin) responds:

> It's neither easy nor quick to plug all the holes in 'swiss cheese'. The
> point I'm trying to make is that we've been working on it for a number
> of years and are continuing to work on it and that we've made good progress.

Yes, and it is important to separate "inherent insecurity" from "sloppiness". The matter of inband signaling (from which the publication "2600" derives its name) involved an imbedded, virtually uncorrectable security hole. Most of these, thank heaven, are becoming history.
But Pac*Bell, among others, is still just a wee bit sloppy on the administrative level. Just one example:

After having eight of my residence phone numbers changed, I suddenly realized that my Pac*Bell Calling Card was invalid. I called the business office and explained that I wanted a new card. No problem. In fact, I could select my own PIN. And if I did so, the card would become usable almost immediately.

Do you see where I am going with this? No effort was made to verify that I was who I claimed to be, even though my accounts are all flagged with a password. (When I reminded the rep that she forgot to ask for my password, she was highly embarrassed.) If I had been Joe Crook, I would have a nice new Calling Card, complete with PIN, of which the bill-paying sucker (me) would not have had any knowledge. By the time the smoke cleared, how many calls to the Dominican Republic could have been made?

When will Pac*Bell do something about this wide, gaping security hole? I will tell you: when losses become significant, and/or the press gets wind of it and some notable, visible cases go to court.

So, you want to go into the "Call Back to your Homeland Cheap" business? Call the Pac*Bell business office, tell the rep you want a calling card for a particular number (preferably one you do not get the bill for) and select your own PIN (one that you can easily remember :-).

So, Pac*Bell, do you want to sue me for publishing "sensitive" information? Or do you want to plug the hole and fix the problem? I think by now you get the point.

------------------------------

Date: Wed, 12 Aug 92 16:45:35 PDT
From: jmcarli@SRV.PACBELL.COM(Jerry M. Carlin)
Subject: File 6--Pacbell security - The Final Word

John writes:

> But Pac*Bell, among others, is still just a wee bit sloppy on the
> administrative level. Just one example:...
>
> Do you see where I am going with this? No effort was made to verify
> that I was who I claimed to be, even though my accounts are all flagged
> with a password.
> (When I reminded the rep that she forgot to ask for my
> password, she was highly embarrassed.)...
>
> When will Pac*Bell do something about this wide, gaping security hole?...

All I can say is that we're trying. As I pointed out earlier in this conversation, it all comes down to people. A mistake was made, no doubt about it. Can we do a better job than we are doing? We're trying to. Is being Ok enough? As the current advertising slogan says "Good enough isn't". This slogan has to translate into real action.

As my part in this effort, I'm going to pass all of this along so that management realizes that a mistake was made so that action can be taken to minimize the chances of it reoccurring. At the very least we can remind service reps that they need to remember to verify users and to make sure that the procedures and training are up to snuff.

Even though it is uncomfortable to be the recipients of criticism, we need to listen to our customers, especially knowledgeable ones like John, otherwise they will go elsewhere as competition comes to the business.

------------------------------

Date: Fri, 14 Aug, 1992 17:15:32 CDT
From: CuD Moderators
Subject: File 7--Brooks Statement on INSLAW Report

Statement of Chairman Jack Brooks
Committee on the Judiciary
re: INSLAW Report
Tuesday, August 11, 1992

(MODERATORS' COMMENT: Following is the complete text of Jack Brooks (Texas), chair of the House Judiciary Committee, summarizing the findings of the Committee's investigation into the dispute between INSLAW and the U.S. Department of Justice).

THE LAST ITEM ON OUR AGENDA TODAY IS THE CONSIDERATION OF THE INVESTIGATIVE REPORT "THE INSLAW AFFAIR," WHICH WITHOUT OBJECTION WILL BE CONSIDERED AS READ.

THIS REPORT DESCRIBES THE COMMITTEE'S INVESTIGATION INTO SERIOUS ALLEGATIONS THAT HIGH-LEVEL DEPARTMENT OF JUSTICE OFFICIALS WERE INVOLVED IN A CRIMINAL CONSPIRACY TO FORCE INSLAW, A SMALL COMPUTER COMPANY, OUT OF BUSINESS AND STEAL ITS PRIMARY ASSET--A SOFTWARE SYSTEM CALLED PROMIS.
BASED ON THE COMMITTEE'S INVESTIGATION AND TWO SEPARATE FEDERAL COURT RULINGS, THE DRAFT REPORT CONCLUDES THAT HIGH-LEVEL DEPARTMENT OF JUSTICE OFFICIALS DELIBERATELY IGNORED INSLAW'S PROPRIETARY RIGHTS IN THE ENHANCED VERSION OF PROMIS AND MISAPPROPRIATED THIS SOFTWARE FOR USE AT LOCATIONS NOT COVERED UNDER CONTRACT WITH THE COMPANY. JUSTICE THEN PROCEEDED TO CHALLENGE INSLAW'S CLAIMS IN COURT EVEN THOUGH IT KNEW THAT THESE CLAIMS WERE VALID AND THAT THE DEPARTMENT WOULD MOST LIKELY LOSE IN COURT ON THIS ISSUE. AFTER ALMOST SEVEN YEARS OF LITIGATION AND $1 MILLION IN COST, THE DEPARTMENT IS STILL DENYING ITS CULPABILITY IN THIS MATTER.

UNFORTUNATELY, INSTEAD OF CONDUCTING AN INVESTIGATION INTO INSLAW'S CLAIMS THAT CRIMINAL WRONGDOING BY HIGH-LEVEL GOVERNMENT OFFICIALS HAD OCCURRED, ATTORNEYS GENERAL MEESE AND THORNBURGH BLOCKED OR RESTRICTED CONGRESSIONAL INQUIRIES INTO THE MATTER, IGNORED THE FINDINGS OF TWO FEDERAL COURTS AND REFUSED TO SEEK THE APPOINTMENT OF AN INDEPENDENT COUNSEL. THESE ACTIONS WERE TAKEN IN THE FACE OF A GROWING BODY OF EVIDENCE THAT SERIOUS WRONGDOING HAD OCCURRED WHICH REACHED THE HIGHEST LEVELS OF THE DEPARTMENT. THE EVIDENCE RECEIVED BY THE COMMITTEE DURING ITS INVESTIGATION CLEARLY RAISES SERIOUS CONCERNS ABOUT THE POSSIBILITY THAT A HIGH-LEVEL CONSPIRACY AGAINST INSLAW DID EXIST AND THAT GREAT EFFORTS HAVE BEEN EXPENDED BY THE DEPARTMENT TO BLOCK ANY OUTSIDE INVESTIGATION INTO THE MATTER.

BASED ON THE EVIDENCE PRESENTED IN THIS REPORT, IT IS CLEAR THAT EXTRAORDINARY STEPS ARE REQUIRED TO RESOLVE THE INSLAW ISSUE. THE REPORT RECOMMENDS THAT THE ATTORNEY GENERAL TAKE IMMEDIATE STEPS TO REMUNERATE INSLAW FOR THE HARM THE DEPARTMENT HAS EGREGIOUSLY CAUSED THE COMPANY. IT ALSO RECOMMENDS THAT AN INDEPENDENT COUNSEL BE APPOINTED WITH BROAD POWERS TO INVESTIGATE ALL MATTERS RELATED TO THE ALLEGATIONS OF WRONGDOING IN THE INSLAW MATTER.
IN MY VIEW, CONGRESS AND THE EXECUTIVE BRANCH MUST TAKE IMMEDIATE AND FORCEFUL STEPS TO RESTORE THE PUBLIC CONFIDENCE AND FAITH IN OUR SYSTEM OF JUSTICE WHICH HAS BEEN SEVERELY ERODED BY THIS PAINFUL AND UNFORTUNATE AFFAIR. I, THEREFORE, URGE ALL MEMBERS TO SUPPORT THE ADOPTION OF THIS REPORT.

(end -- original report all in upper case)

------------------------------

Date: Fri, 14 Aug, 1992 19:52:31 PDT
From: pinknoiz@well.sf.ca.us
Subject: File 8--Special Investigator Requested for Inslaw (Press Release)

One Hundred Second Congress
Congress of the United States
U.S. House of Representatives
Committee on the Judiciary
Washington, D.C. 20515

For Immediate Release
August 11, 1992

NEWS RELEASE

JUDICIARY COMMITTEE REPORT CALLS FOR INDEPENDENT COUNSEL TO INVESTIGATE THE INSLAW CONTROVERSY

By a vote of 21 to 13, the House Committee on the Judiciary today voted to adopt an investigative report entitled, "The INSLAW Affair." This report recommends that Attorney General Barr seek the appointment of an Independent Counsel to investigate potential criminal conduct of current and former Justice officials involved in an alleged conspiracy to steal the PROMIS software system from INSLAW, Inc.

Congressman Jack Brooks (D-Tex.), Chairman of the full Committee, stated, "This report culminates the Committee's three-year investigation into serious allegations that high-level Department of Justice officials were involved in a criminal conspiracy to force INSLAW, a small computer company, out of business and steal its primary asset -- a software system called PROMIS. While the Department continues to attempt to describe its conflict with INSLAW as a simple contract dispute that has been blown out of proportion by the media, the Committee's investigation has uncovered information which suggests a much different, disturbing conclusion."
In March 1982, the Justice Department awarded INSLAW, Inc., a $10 million, three year contract to implement a case management software system called PROMIS at 94 U.S. Attorney's offices across the country and U.S. territories. While PROMIS could have gone a long way toward correcting the Department's long-standing need for a standardized case management system, the contract between INSLAW and Justice quickly became embroiled in bitterness and controversy which has lasted for almost a decade.

The report concludes that there appears to be strong evidence, as indicated by the findings of two Federal court proceedings, as well as by the Committee investigation, that the Department of Justice "acted willfully and fraudulently," and "took, converted and stole" INSLAW's Enhanced PROMIS by "trickery, fraud and deceit." The report finds that these actions against INSLAW were implemented through the Project Manager from the beginning of the contract and under the direction of high-level Justice Department officials.

The evidence presented in the report demonstrates that high-level Department officials deliberately ignored INSLAW's proprietary rights and misappropriated its PROMIS software for use at locations not covered under contract with the company. Justice then proceeded to challenge INSLAW's claims in court even though its own internal deliberations had concluded that these claims were valid and that the Department would most likely lose in court on this issue.

Brooks stated, "After almost seven years of litigation and $1 million in cost to the taxpayer, the Department is still trying to avoid accountability for the actions it took against INSLAW. It is time for Justice to recognize its mistakes and cut its losses and restore its moral standing as an enforcement agency, which is just as committed to living by the law as any other citizen."
According to the report, the second phase of the Committee's investigation concentrated on the allegations that high-level officials at the Department of Justice conspired to drive INSLAW into insolvency and steal PROMIS. In this regard, the report states that several individuals testified under oath that INSLAW's PROMIS software was stolen and distributed internationally in order to provide financial gain to associates of Justice Department officials and to further intelligence and foreign policy objectives of the United States. Additional corroborating evidence was uncovered by the Committee which substantiated to varying degrees the information provided by these individuals.

Brooks stated, "It is unfortunate that the Department chose not to conduct a thorough investigation into INSLAW's allegations of criminal wrongdoing by high-level government officials. Although they were faced with a growing body of evidence that serious wrongdoing had occurred which reached to the highest levels of the Department, both Attorneys General Meese and Thornburgh blocked or restricted Congressional inquiries into this matter and in the case of Attorney General Thornburgh ignored the findings of two Federal courts and refused to seek the appointment of an Independent Counsel."

The report recommends that Attorney General Barr immediately settle INSLAW's claims in a fair and equitable manner. The Committee report also strongly recommends that the Department seek the appointment of an Independent Counsel in accordance with 28 USC §§591-599 to conduct a comprehensive investigation of the INSLAW allegations of a high level conspiracy within the Justice Department to steal and distribute the Enhanced PROMIS software.
According to the report, the investigation should: (1) ascertain whether there was a strategy by former Attorneys General and other Department officials to obstruct this and other investigations through employee harassment and denial of access to Department records; (2) determine whether current and former Justice Department officials and others involved in the INSLAW affair resorted to perjury and obstruction in order to cover-up their misdeeds; (3) determine whether the documents subpoenaed by the Committee and reported missing by the Department were stolen or illegally destroyed; and, (4) determine if private sector individuals participated in (a) the alleged conspiracy to steal INSLAW's PROMIS software and distribute it to various locations domestically and overseas, and (b) the alleged cover-up of this conspiracy through perjury and obstruction.

Finally, the Committee report recommends that the Independent Counsel investigate the mysterious death of reporter, Daniel Casolaro, who died while conducting an investigation of the INSLAW matter. The report notes that the suspicious circumstances surrounding his death have led some law enforcement professionals and others to believe that his death may not have been a suicide.

Brooks concluded: "The conduct of the Department in the INSLAW affair has resulted in an erosion of the public's trust in the organization charged with enforcing our Nation's laws. In order to restore the public's confidence in the Department of Justice, there must be a full and open investigation into this matter. However, I'm skeptical that without the appointment of an individual to conduct this investigation who is not under the direct control of the Attorney General, this matter will ever be fully resolved."
------------------------------

From: ccb@MACBETH.UMD.EDU(Chrome Cboy)
Date: Wed, 12 Aug 1992 11:07:44 -0400
Subject: File 9--Summary of NBC's Coverage of Danny Casolaro/Inslaw

The NBC coverage of the Danny Casolaro death in the Inslaw case, which aired last week, didn't seem to add many new facts, but I was surprised to see that the incident hadn't been forgotten--in fact, it seems to finally be making its way back into the spotlight.

Interviewed were Jack Anderson, a personal friend of Danny; Timothy Hutton, who is playing Danny in a forthcoming HBO docu-drama; John Connolly, the investigative reporter who has continued Danny's research on behalf of HBO, and the chief counsel for INSLAW, an ex-head of the Department of Justice whose name I can't remember.

Connolly felt that there wasn't an "Octopus" as Danny thought--eight men at the highest levels of government, working in concert to further their own desires. He did think, however, that these eight men were involved in wrongdoings involving illegal aid to the Contras, the BCCI scandal, the INSLAW theft, drug running, and possibly other things. They simply weren't in cahoots.

There was also a taped interview with a forensic expert who claimed that the entire autopsy was poorly performed, that it didn't follow standard procedures, and that the report looked like the conclusion regarding the cause of Danny's death had been reached a priori, and that the rest of the report was then written to justify the conclusion. Items that went unmentioned or were glossed over include: multiple large contusions, including one to the head; that three of Danny's fingernails had either been pulled off or were broken off (possibly during a struggle); and that the wounds on his wrists were deep and unhesitating, which is extremely rare in suicide victims. (In fact, one of his wrists had been slashed eight times, cutting through tendons all the way to the bone.)
It was Connolly's hypothesis that Danny had been jumped in his hotel room in the early morning hours, subdued, interrogated (traces of "strange drugs" were found in his system), and then killed.

Adding to the suspicions of foul play is the fact that none of Danny's personal effects have been returned to the family, and that investigators have been unable to view any of his personal effects, reportedly including some notes that were found hidden in one of his shoes. Also, his reporter's notes are still missing.

I could probably flesh this out, add disclaimers, and touch it up if you can't find anyone who managed to record the segment.

------------------------------

Date: Mon, 10 Aug 92 13:46:35 -0500
From: Neil W Rickert
Subject: File 10--Re: Overstated? (Chic Tribune summary)

>Computer underground Digest Sun Aug 9, 1992 Volume 4 : Issue 35

>Sunday Tribune computer columnists Reid and Hume challenged what they
>call one of the software industry's "periodic public relations
>campaigns to get people to believe it's being robbed blind by software
>pirates."

I too was glad to see this column.

I remember an interview I heard on NPR ("All Things Considered") a few years ago. The industry representative asked the rhetorical question "What would it be like if, for every car an auto dealer sells, two are stolen?"

At the time, I thought the analogy was wonderful, except that the industry rep had it slightly wrong. He should have asked "What would it be like if, for every car an auto dealer sells, two are taken for test drives?" And of course the answer would be "That already happens."

The software piracy problem is, to a considerable extent, the natural consequence of industry policies. The software industry would have you purchase software sight unseen, in shrink wrapped packaging, without any knowledge of whether it will adequately serve your purposes, and with no chance of a refund if the product proves unsuitable or defective.
They exacerbate this problem further by setting prices which bear little relation to their costs. They justify their costs on a "perceived value" basis, whereby they argue about the financial value of say a spreadsheet package to an accountancy firm. This "perceived value" pricing might make sense if they charged a much lower "perceived value" to the treasurer of a small church who wished to use the spreadsheet once per month to manage the church books; but they don't.

In the book publishing industry, the price of a book is much closer to the manufacturing cost, except for special topic books with limited markets. Natural market forces require this. If publishers charged too much other authors would write books of a somewhat similar nature, and capture much of the market. But, in an obvious attempt to defeat such natural market forces, the software publishing industry uses its "look and feel" lawsuits in an attempt to defeat the law of supply and demand, and thereby maintain monopoly privileges for their products.

------------------------------

Date: 10 Aug 92 08:06:42 CDT (Mon)
From: peter@TARONGA.COM(Peter da Silva)
Subject: File 11--Elite Pirates? I think not.

Elite Pirates, as described in (Jim Thomas's article in CuD #4.35), are virtually unknown: an endangered species at best, perhaps by now simply a chimera...

>Reid and Hume continue, making several points that pirates would agree
>with:

Not the ones I know about.

>1. If you use a program, you should pay for it.

Maybe there's an elite among pirates who think this way, but the vast majority pirate software because they need it and don't want to pay for it. Virtually everyone I know who has pirated software has done so for this reason. Many have purchased IBM PCs, as they earlier bought Apples, because of the vast amount of pirate domain software available... the biggest beneficiaries of piracy are clone vendors.

>2. Sharing software can enhance sales.

Only if most pirates go along with point 1.
>They also note that the shareware concept, based on free distribution
>of programs, has thrived and has made programmers quite successful.

Not really. The main success stories have been from people who have gone commercial or switched to crippleware demos to "encourage" people to go along with point 1.

>3. They, as do most elite pirates, strongly condemn the practice of
>copying an authorized program in a business and sharing it around to
>avoid the site license fees.

Most pirates I know wouldn't go that far, but they would "borrow" a copy from the guy in the next office, which comes to much the same thing.

>4. The pre-purchase use of software is "not such a bad thing" because
>it can help sales. It also provides users a chance to compare the most
>expensive programs [...]

So would a software library, or software rental agencies... something I've hoped would start showing up. They did for a while, but large-scale piracy has so muddied the waters that there's no hope of them catching on until software becomes as hard to copy as a book.

>The columnists fall short of advocating responsible piracy, and they
>make it clear that they oppose unauthorized copying for profit or
>"free use" simply to avoid paying for a product that will be used.

I suspect that they're simply unfamiliar with the normal corporate environment, and think that their buddies counting coup on Lotus and Borland are what the SPA is really concerned about. The pirate who does it simply for the thrill of the chase is a rare bird indeed.

BUT, they do make great headlines when they get caught.

Sorry if the small time corporate thief has ruined your playground, but that's the way it goes in the real world.
------------------------------

Date: Fri, 14 Aug, 1992 17:15:32 CDT
From: Jim Thomas
Subject: File 12--Deferring the Piracy Debate until September

I partially agree with Peter: The pirate world has changed dramatically in the past two years, and the "elite pirates" of the 1980s--those who enjoyed the thrill (albeit an anal-retentive one) of the chase--are an endangered species. Peter and I will address this issue in a near-future issue. The points I would make are that the types, the motivations, and the consequences of creative software sharing are not as clear-cut and certainly not as pernicious as the SPA and other anti-piracy activists suggest. I suspect the primary difference between the positions of Peter and me is not that *some* line must be drawn between acceptable and unacceptable "piracy," but *where* that line should be drawn.

A spokesperson for the SPA has *tentatively* agreed to participate in the debate, and we hope to have at least one special issue in early September on the pros/cons of the ethics, legality, and responses to sharing unpurchased copyright software.

------------------------------

Date: Wed, 12 Aug 1992 18:37 CDT
From:
Subject: File 13--Software piracy in America's schools?

In an advertising publication, CPR (Curriculum Product News), distributed to school district administrators, an article, "Software copying in schools: a 1992 update," presents piracy problems within a slightly different population than that which we normally see. The article (unsigned) begins:

"The last we heard from Captain Diskcopy, a few years ago, she and her brash band of pirates were busy encouraging educators to disregard the law that allows only one backup copy for each program purchased. Their credo was 'copy, copy, copy.'...[their] gospel: 'It's OK because you're doing it for the kids!'"

It continues by detailing the lessening, but apparently still troublesome, level of software copying in US school districts.
A representative of the National School Boards Assn. (members include more than 2000 districts from 50 states) is quoted as saying that unauthorized copying has been greatly reduced in recent years.

The article continues by citing information from the SPA about the dollars lost to piracy ($24 billion in 1990), and the availability of the SPAudit program (30,000 distributed in 1991), as well as a 12-minute videotape, "It's Just Not Worth the Risk." The tape is part of an SPA "...public awareness and prevention campaign."

Also mentioned is the ICIA and its pamphlet of "...guidelines for schools to follow, entitled, 'Should I Copy Microcomputer Software.' The guidelines are drawn from the Software Policy Statement published in 1987 by ISTE (International Society for Technology in Education)... ." ISTE also distributes "A Code of Ethical Conduct for Computer-Using Educators." These programs, videos and publications are credited with decreasing illegal copying in school districts.

The article then explains "lab packs," in which schools can obtain multiple copies of software for educational purposes at special rates. It notes that a few firms allow unlimited copying within a single school building. (Rarely is an entire school district housed in a single building, which can mean a district would have to buy multiple lab packs for district use.) A smaller number of firms does offer district-wide licenses, according to the article.

The article notes that the SPA has never sued a kindergarten through high school (K-12) district, but does discuss a suit filed against the University of Oregon's Continuation Center. A negotiated settlement required the university to "...pay the SPA $130,000, launch a massive on-campus campaign to educate students and faculty about lawful use of copyrighted software, and host a national conference on 'Software and the Law.'"

ICIA also asked its software publishing members to identify schools which were copying software.
An Ohio school district, described in the article as "average sized," was mentioned frequently after the campaign began, resulting in ICIA sending a cease and desist order to the district.

A coordinator for instructional technology in an Indiana school district then describes some of the problems she's had in purchasing adequate software for her district's needs at a price that the district can afford. She says they are trying to comply with the law, but "'Even when I say to a publisher that I'm willing to pay whatever you suggest is fair for a building or district-wide license, they won't discuss it.'"

She also believes software publishers are not responsive to hardware configurations in districts. Many, she says, have older hardware, and are in transition periods to newer, but software companies won't allow for these variations in selling their products. So districts can be forced to buy multiple licensed copies or, as she suggests, revert to piracy.

The article concludes with a remark paraphrased from "talking to... educators" that flexible volume purchasing options would help to further eliminate pirating in American schools.

The last page of the article (in a three column format) includes a two-column ad from the SPA with a hotline number to report

"...unauthorized use of software including:
"*bulletin boards
"*unauthorized sales
"*hard disk loading
"*unauthorized internal copying[.]"

The ad also provides an address for obtaining a free pamphlet about software and law.

A sidebar to the main story describes potential federal sentences and fines for piracy, and notes that school districts are legally allowed to lend software to students and staff unless that is "expressly prohibited in the publisher's own licensing agreement." The sidebar was credited to Mark Sherry, identified as president of Microease Consulting, Inc., consultant with the Mecklenburger Group, and former director of Software Evaluation for the EPIE Institute.
CURRICULUM PRODUCT NEWS is a slick (paper-quality) magazine containing articles, advertising, and the ubiquitous "Circle #xxx for more information" at the end of the 'news' articles. Its subtitle is "The Magazine for District-Level Administrators," and it is published 10 times a year by Educational Media, Inc., 992 High Ridge Rd., Stamford, CT 06905. The article recapped here was in the May issue, Vol. 3, No. 9, pages 22-26.

The article was heavy on the industry side (articulation of the problems of piracy came from trade and like organizations), but did attempt to balance the concerns and problems of educators with those of software publishers. The article provides no specific information about how much software piracy is going on in elementary and secondary schools.

------------------------------

End of Computer Underground Digest #4.36
************************************