Date: Sun, 2 Aug 92 23:43 PDT
From: john@ZYGOT.ATI.COM(John Higdon)
Subject: File 3--Re: Another View of Bellcore vs. 2600

In Digest #4.34, Thomas Klotzbach gives a reasoned and rational view
of the responsibility of a free press as it relates to the computer
underground and specifically to the matter of recent publications by
2600 of Bellcore material. I could agree with every point except for
the fact that Mr. Klotzbach makes an invalid assumption upon which
hangs the balance of his piece. His assertion (and I assume his
belief) is that Bellcore has conducted its business in good faith and
corrected "holes" and shortcomings in a timely manner.

Nothing could be further from the truth. Since the days of "The Bell
System", AT&T and the Bell Operating Companies have been grossly
negligent in the matter of security. It would be my guess that the
term, "Security Through Obscurity", originated with Ma Bell. Rather
than create systems that used password security or handshaking
protocols, "the phone company" merely relied on the (mistaken) idea
that the public was too removed from the technical workings of the
nationwide telephone network to be a "threat" to the billing or
privacy integrity of the system as a hole.

The classic example is the use of inband signaling which provided
hundreds, if not thousands of enthusiasts (for want of a better
euphemism) the ability to travel around the world on Ma Bell's dime.
These people could literally control the network because of a serious,
inherent flaw built into the system. The band-aid fixes were too
little, too late and network security was severely compromised until
the inband signaling was replaced with CCIS and its progeny.

The Busy Verify Trunk and No. Test Trunk holes, which are the focus of
the 2600 fracas, are just a portion of dozens of similar such
vulnerabilities in our national telephone network. Those of us who are
intimately familiar (for legitimate reasons) with this network have
known about these things for a long, long time. I, for one, would like
to see them plugged. If the 2600 article manages to get one of them
out of the way, more power to it.

But the policy of "The Bell System" and now Bellcore and the RBOCs
seems to be to do nothing about any such problems and wait for some
phreak to get caught with a hand in the cookie jar. After all, why
bother to fix something if it is not a problem (yet)? It can become a
problem (or an embarrassment) in one of two ways. A publication such as
2600 can publicize the vulnerability situation; or someone can be
caught taking advantage of it. In either case, Bellcore swings into
action. For the former, threats of civil action for the publication of
"proprietary" data does the trick. In the latter case, it simply hauls
the perpetrator into court and garners as much publicity as possible.
This has the dual purpose of intimidating others who may follow suit,
and it obscures the fact that the whole problem was caused by
Bellcore's own negligence.

It has been my experience in cases brought against accused phreaks
that the prosecutors have not a clue what constitutes sensitive
material.  Bellcore exploits this to the hilt when it uses the long
arm of the law in lieu of properly imbedded security features. Just
ask Craig Neidorf.  In all fairness, that particular incident involved
an RBOC trying to fry Craig for something Bellcore was readily selling
over the counter.  And Bellcore is certainly not the only entity in
the nation, or perhaps the world, that gives security less than prime
consideration, just "hoping" that whatever is slapped together will be
good enough. But just because a practice may be widespread does not
make it legitimate.

The press has the right, nay the responsibility, to put these issues
before the public eye. We as a society have long since progressed
beyond the notion that there are just some things about which people
should not know, care, or ask. Security through obscurity no longer
can work in an enlightened society. A system or network is not safe if
the only thing keeping people out is the fact that a trivial entry
procedure is not widely known. Unfortunately, much of the nation's
telephone network can still be thusly described. If the only way to
get these holes plugged is to publicize them and literally force
Bellcore and the RBOCs to do their duty, then so be it. If prestigious
organizations such as Bellcore suffer a little embarrassment along the
way, just consider that the market force at work.

Downloaded From P-80 International Information Systems 304-744-2253