---[ Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 16 of 17 -------------------------[ P H R A C K W O R L D N E W S --------[ Issue 51 0x1: Illinois man arrested after threatening Bill Gates 0x2: Man Arrested In Tokyo On Hacker Charges 0x3: FBI says hacker sold 100,000 credit card numbers 0x4: MS Security Plugs Not Airtight 0x5: BSA slams DTI's Encryption Plans 0x6: Teen bypasses blocking software 0x7: The Power to Moderate is the Power to Censor 0x8: AOL Users in Britain Warned of Surveillance 0x9: Georgia Expands the "Instruments of Crime" 0xa: NASA Nabs Teen Computer Hacker 0xb: Agriculture Dept. Web Site Closed after Security Breach 0xc: Hackers Smash US Government Encryption Standard 0xd: Hacker May Stolen JonBenet computer Documents 0xe: Hacker Vows 'Terror' for Pornographers 0xf: Mitnick Gets 22 Month Sentence 0x10: New York Judge Prohibits State Regulation of Internet 0x11: Breaking the Crypto Barrier 0x12: Setback in Efforts to Secure Online Privacy 0x13: Captain Crunch Web Site Now Moved 0x14: US Justive Dept. Investigating Network Solutions 0x15: Cyber Patrol Bans Crypt Newsletter 0x16: Some humor on media hacks and hackers 0x17: Court Mixes Internet Smut Provision 0x1: Book Title: Underground 0x2: Book Title: "Hackers" 0x1: Convention: Cybercrime Conference Announcement 0x2: Convention: Computers & The Law IV Symposium 0x1>------------------------------------------------------------------------- Title: Illinois man arrested after threatening Bill Gates Source: Reuter Author: unknown SEATTLE (Reuter) - An Illinois man has been arrested and charged with threatening to kill Microsoft Corp. Chairman Bill Gates in a $5 million extortion plot, authorities said on Friday. Adam Pletcher was arrested on May 9 in the Chicago suburb of Long Grove, where he lives with his parents, and charged with extortion, federal prosecutors said. He was freed on $100,000 bond and is due to appear in U.S. District Court in Seattle on Thursday for arraignment. According to court documents, Pletcher sent four letters to Gates, beginning in March, threatening to kill the software company founder and his wife, Melinda, unless payment of at least $5 million was made. The first letter was intercepted at the company's headquarters in Redmond, Washington, by corporate security officers, who contacted the FBI. Agents then used an America Online dating service specified by the author of the letters to track down Pletcher, described as a loner in his early 20s who spends much of his time in front of the computer. Authorities said they treated the threats seriously but did not believe Gates' life was ever in danger. "We generally think this was a kid with a rich fantasy life, just living that out," said Tom Ziemba, a spokesman for U.S. Attorney Katrina Pflaumer. "This was handled in a fairly routine fashion by Microsoft security and law enforcement agencies," Microsoft spokesman Mark Murray said. "At some point in the investigation Microsoft did make Bill aware of the situation." Pletcher's online activities have landed him in trouble before. In February the Illinois attorney general sued Pletcher, accusing him of defrauding consumers of thousands of dollars in an alleged Internet scam, according to a story in the Chicago Tribune. Several consumers complained they sent Pletcher up to $5,500 to find them a car deal and never got their money back. Despite his status as richest man in America, with a Microsoft stake valued at more than $30 billion, Gates is still known to travel alone on regularly scheduled flights. But Murray said the executive was well-protected. "We don't comment at all on Bill's security other than to say that there are extensive and appropriate security measures in place for Bill, for his family and for Microsoft facilities and personnel," Murray said. 0x2>------------------------------------------------------------------------- Title: Man Arrested In Tokyo On Hacker Charges Source: unknown Author: unknown TOKYO (May 23, 1997 10:31 a.m. EDT) - A 27-year-old Japanese man was arrested Friday on suspicion of breaking into an Internet home page of Asahi Broadcasting Corp. and replacing it with pornography, a police spokesman said. Koichi Kuboshima, a communications equipment firm employee from Saitama Prefecture, north of Tokyo, was arrested on charges of interrupting business by destroying a computer network. It was the first arrest related to illegal access to the information network, the police spokesman said, adding Kuboshima was also charged with displaying obscene pictures, the spokesman said. The suspect admitted to the crime, telling police he had done it for fun, police officials said. The Osaka-based broadcasting network blocked access to all of its home pages on Sunday immediately after it was notified of the offense by an Internet user. The Asahi home page is designed to allow users to download and upload information, which allowed Kuboshima to rewrite the contents, the spokesman said. 0x3>------------------------------------------------------------------------- Title: FBI says hacker sold 100,000 credit card numbers Source: unknown Author: unknown SAN FRANCISCO (May 23, 1997 10:13 a.m. EDT) -- A clever hacker slipped into a major Internet provider and gathered 100,000 credit card numbers along with enough information to use them, the FBI said Thursday. Carlos Felipe Salgado, Jr., 36, who used the online name "Smak," allegedly inserted a program that gathered the credit information from a dozen companies selling products over the Internet, said FBI spokesman George Grotz. [Secure electronic commerce is a novel idea.] Salgado allegedly tried to sell the credit information to an undercover agent for $260,000. He was arrested Wednesday and faces a maximum 15 years in prison and $500,000 in fines if convicted on charges of unauthorized access of computers and trafficking in stolen credit card numbers. "What is unique about this case is that this individual was able to hack into this third party, copy this information and encrypt it to be sold," Grotz said. [Since we know others have hacked in and stolen credit cards before, the unique part is him trying to sell them. That isn't in keeping with what federal agents love to say about hackers and credit card incidents. Convenient how they change things like that.] Had it succeeded, "at minimum we'd have 100,000 customers whose accounts could have been compromised and would not have known it until they got their bill at the end of the month," the FBI spokesman said. The scheme was discovered by the unidentified San Diego-based Internet provider during routine maintenance. Technicians found an intruder had placed a program in their server called a "packet sniffer," which locates specified blocks of information, such as credit card numbers. [Uh...more like they kept a nice ascii database full of the numbers that was copied with expert technique like "cp ccdb"...] The FBI traced the intruder program to Salgado, who was using an account with the University of California-San Francisco. A school spokeswoman said officials have not yet determined whether Salgado attended or worked at the school, or how he got access to the account. With the cooperation of a civilian computer user who was in communication with Salgado, the FBI arranged to have an undercover agent buy the stolen credit card information. After making two small buys, the FBI agents arranged to meet Salgado on Wednesday at San Francisco International Airport to pay $260,000 for 100,000 credit card numbers with credit limits that ranged up to $25,000 each. After decrypting and checking that the information was valid, Salgado was taken into custody at his parents' house in Daly City. Salgado waived his rights and acknowledged breaking into computers, including the San Diego company, according to the affidavit. The FBI has not found any evidence Salgado made any purchases with the numbers himself, the spokesman said, but the investigation is continuing. Salgado appeared before a federal magistrate Thursday and was released on a $100,000 personal bond. Grotz said that as a condition of bail, "the judge forbids him to come anywhere near a computer." 0x4>------------------------------------------------------------------------- Title: MS Security Plugs Not Airtight Source: unknown Author: Nick Wingfield (May 22, 1997, 12:45 p.m. PT) Microsoft (MSFT) is still struggling to completely patch Windows 95 and NT against Internet hacker attacks. The company has posted a software patch that protects Windows 95 users from an attack that can crash their computers. The company issued a similar patch for Windows NT last week. But both the Windows NT and 95 patches aren't complete prophylactics for so-called out-of-band data attacks since both platforms can still be crashed by hackers with Macintosh and Linux computers. Microsoft said today that it hopes to post new patches by tonight that remedy the vulnerability to Mac- and Linux-based attacks. The current Windows 95 patch--without protection for Mac and Linux attacks--can be downloaded for free from Microsoft's Web site. This year, Microsoft programmers have been forced to create a medicine chest of software remedies to fix potential security risks in everything from the Internet Explorer browser to PowerPoint to Windows itself. Some security experts believe the company is struggling with deep-rooted vulnerabilities in its OS and Internet technologies. It's clear that the Internet has made it much easier for enterprising bug-finders to broadcast their discoveries to the press and public over email lists and Web pages. This has put intense pressure on Microsoft's engineering groups to quickly come up with patches. Other companies, such as Sun Microsystems, have also had to release a number of patches for their technologies, but Microsoft has been especially hard-hit. A number of security experts believe that Microsoft would have had a hard time avoiding these security problems. "As a professional programmer, I have a real hard time saying that Microsoft should have seen this coming," said David LeBlanc, senior Windows NT security manager at Internet Security Systems, a developer of security software. "I get hit with this stuff too. With 20/20 hindsight, it's really obvious to see what we did wrong. Trying to take into account all the possibilities that can occur beforehand is not realistic." In order to exploit the latest vulnerability, Web sites must send a special TCP/IP command known as "out of band data" to port 139 of a computer running Windows 95 or NT. Hackers could also target users' PCs by using one of several programs for Windows, Unix, and Macintosh now circulating on the Net. With one program, called WinNuke, a hacker simply types a user's Internet protocol address and then clicks the program's "nuke" button in order to crash a PC over the Net. The company's original patch for Windows NT prevents attacks from Unix and other Windows computers. But because of a difference in the way Mac and Linux computers handle the TCP protocol, Microsoft's patch didn't squelch attacks from those operating systems. [Bullshit meter: ****- - In actuality, Microsoft just decided to filter hits on that port looking for a keyword included in the first 'winuke' script. By changing that word, 95 was once again vulnerable to these attacks. Good work Microsoft.] A number of users have sent email to CNET's NEWS.COM complaining that their computers were repeatedly crashed as they chatted in Internet relay chat groups. When users are nuked by a hacker, their computer screens often display an error message loosely known as the "blue screen of death." "The worst part about it is that the delinquents playing with this toy really like to play with it and keep on doing it," said Martin A. Childs, a law student at Louisiana State University in Baton Rouge. "The first time I got hit, I logged on six times before I managed to figure out what was going on." The original patches for Windows NT versions 4.0 and 3.51 are available on Microsoft's Web site. Last Thursday, the company also posted a collection of software patches, called service pack 3, that contains the NT out-of-band fix. The out-of-band data attacks also affect users of Windows 3.11, but a company spokeswoman said that Microsoft will not prepare a fix for that platform unless users request one. 0x5>------------------------------------------------------------------------- Title: BSA slams DTI's Encryption Plans Source: The IT Newspaper Author: unknown Date: 26th June 1997 Government Proposals on encryption are 'unworkable, unfar, unweildy, un-needed and frankly unacceptable', according to the British Software Alliance (BSA) and the British Interactive Multimedia Association (Bima), writes Tim Stammers. In a joint statement, the organizations claimed that encryption proposals from the DTI could 'cripple the growth of electronic comerce in the UK'. Tod Cohen, lawyer at Covington & Berling, council to the BSA, said: 'These proposals could be a disaster for both users and vendors'. The DTI's plan calls for UK organisations which want to encrypt email and data to supply copies of their encryption keys to third parties. Government agencies will then be able to demand access to copies of the keys. The DTI says the scheme aims to prevent criminal use of encryption by drug dealers and terrorists. But the BSA and BIMA claim that the proposed tystem will create a massive bureaucratic structure will criminals will ignore. 'The sheer number of electronic communications could easily overwhelm the system, without inreasing security or safety within the UK', their statement said. Sean Nye, executive member of Bima, said : 'In an age where personal data and information is increasingly threatened with unwarranted exposure, the DTI's proposals are a major step backwards'. Opposition to the so-called key escrow system suggested by the DTI has been widespread. Public opponents include Brian Gladman, former deputy director at Nato's labratories. The proposals where formulated under the last government, and a decision on their future is expected next month. The US government is easing encryption export controls for software companies which are prepared to back key escrow, but has met Senate opposition to its plans. 0x6>------------------------------------------------------------------------- Title: Teen bypasses blocking software Sounce: www.news.com Author: Courtney Macavinta Date: April 22, 1997, 5:30 p.m. PT A teenager is using his Web site to help others bypass one brand of filtering software intended to protect minors from illicit Net material. Using the "CYBERsitter codebreaker" from 18-year-old Bennett Haselton, surfers can now decode the list of all Net sites blocked by Solid Oak's Cybersitter software. Haselton--the founder of a teen organization called Peacefire that fights Net censorship--contends that the software violates free speech rights for adults and teen-agers. He claims the software is also falsely advertised because it promises parents the "ability to limit their children's access to objectionable material on the Internet," but also blocks other content on the Net. Haselton's campaign to get around Cybersitter has Solid Oak's president seeing red. Solid Oak denies Haselton's charges and is investigating the legality of the code-breaking program. "He doesn't know anything, and he's just a kid," Solid Oak President Brian Milburn said today. "We have never misrepresented our product--ever." Haselton's Cybersitter codebreaker can be used to crack a coded list of the sites that CYBERsitter blocks. The list is distributed to subscribers to notify users what sites are being blocked. Subscribers pay $39.95 for the software. The software blocks sites containing any words describing genitals, sex, nudity, porn, bombs, guns, suicide, racial slurs and other violent, sexual and derogatory terms. The list also blocks an array of sites about gay and lesbian issues, including PlanetOut and the International Gay and Lesbian Human Rights Commission . Cybersitter even blocks the National Organization for Women because it contains information about lesbianism, Solid Oak stated. "The NOW site has a bunch of lesbian stuff on it, and our users don't want it," said Milburn. The software also filters any site that contains the phrase "Don't buy CYBERsitter" as well as Haselton's own site and any reference to his name. Milburn says Haselton's campaign is hurting the product's marketability and hinted that the company will stop him, but wouldn't say exactly how. "We have users who think they purchased a secure product. This is costing us considerably," Milburn said. "But we're not going to let Bennett break the law." He did point out that Haselton's program to decode the software may violate its licensing agreement, which states: "Unauthorized reverse engineering of the Software, whether for educational, fair use, or other reason is expressly forbidden. Unauthorized disclosure of CYBERsitter operational details, hacks, work around methods, blocked sites, and blocked words or phrases are expressly prohibited." Haselton is undaunted by the suggestion of legal reprecussions. "I've talked to a lawyer who offered to represent me in the event that Cybersitter goes after me," he added. Haselton, a junior at Vanderbuilt University, argues that the software doesn't protect kids from smut, but just keeps them from learning new ideas. "Blocking software is not the solution to all of our problems. What's dangerous is not protecting [teenagers' free] speech on the Net as well," he said. "This is the age, when you form your opinions about social issues, human rights, and religion. We need to keep free ideas on the Net for people under 18." Haselton's organization is also a plaintiff in a lawsuit being argued today in New York, the American Library Association vs. Governor George Pataki. The case was filed to strike down a state law similar to the Communications Decency Act that prohibits making indecent material available to minors over the Net. 0x7>------------------------------------------------------------------------- Title: The Power to Moderate is the Power to Censor Source: unknown Author: Paul Kneisel Some 200+ new news groups have just been created on the UseNet part of the Internet. They are grouped under a new hierarchy. promises to "take democracy into cyberspace," according to the press release from the National Science Foundation.[1] "The U.S. government," said U.S. Vice President Al Gore of the GovNews project, "is taking a leadership role in providing technology that could change the face of democracy around the world."[2] The GovNews project repeatedly stresses how it will support and promote feedback between governments and citizens. "Millions of people will now be able to follow and comment on government activity in selected areas of interest...," the release stated, promising "a wide, cost-effective electronic dissemination and discussion...." Preston Rich, the National Science Foundation's leader of the International GovNews Project, described GovNews as "newsgroups logically organized by topic from privatization, procurements and emergency alerts to toxic waste and marine resources and include[s] the capability to discuss such information."[1] The vast majority of the new groups are moderated. The idea of the moderated news group is increasingly accepted on UseNet. Off-topic posts, flames, and spam have made many non-moderated groups effectively unreadable by most users. Moderated groups are one effective way around these problems. New groups created in the non- "Big 8" UseNet hierarchy have formal charters defining the group. If the group is moderated then the powers, identity, and qualifications of the moderators are also listed. Unmoderated groups might be likened to informal free-for-all debates where there is no check on who can participate or on the form or content of what is said. Moderated groups are far closer to a specially-defined meeting of citizens with a formal Chair, empowered to declare certain topics off-limits for discussion, and to call unruly participants to order. An unmoderated UseNet group dedicated to baking cookies might be flooded with posts advertising bunion cures, reports of flying saucers sighted over Buckingham Palace, or articles denouncing Hillary Clinton as a Satanist. A moderator for the group has the power to block all of these posts, ensuring that they are not sent to the UseNet feed and do not appear among the on-topic discussion of cookies. Certainly some moderators on UseNet groups abuse their powers (as do some Chairs at non-Internet meetings.) But reports of such abuse are relatively rare given the number of moderated groups. And, of course, many complaints come from the proverbial "net.kooks" or those who oppose moderation in general. Moderators in the "Big 8" UseNet hierarchy are "civilians," not government employees moderating government-related groups while collecting government paychecks. The hierarchy inferentially changes this. I write "inferentially" because the charters, names and qualifications of the moderators in the 200+ groups has not been formally announced. Nor do routine queries to members of the leading Hierarchial Coordinating Committee result in such detailed information. UseNet is not the entire Internet. Net-based technology like the World Wide Web and the "File Transfer Protocol" or FTP are designed for the one-way transmission of data. Few object to the _Congressional Record_ on-line or crop reports posted by the U.S. Department of Agriculture available on the Web or via FTP. But the news groups of UseNet are designed for two-way discussions, not spam-like one-way info-floods of data carefully selected by government bureaucrats. That creates an enormous problem when government employees moderate the discussion, regardless of how well, appropriately, or fairly the moderation is conducted. For government moderation of any discussion is censorship and it is wrong. Initial reports also indicate that most of the groups will be "robo [t]-moderated." In other words, specialized software programs will handle the bulk of the moderator's tasks. Robo-moderation, however, alters nothing. A good robo program may catch and eliminate 99% of the spam sent to the group or identify notorious flame-artists. But the power to robo-moderate remains the power to censor; the power to select one robo-moderator is the power to select another; the power to automatically remove bunion ads is simultaneously the power to eliminate all posts from Iraq in a political discussion or any message containing the string "Whitewater." In short, moderation on groups by government employees remains censorship whether conducted by software or humans, whether posts are approriately banned or the moderation places severe limits on free political speech. *Any* limitation of posts from any citizen by any government employee is censorship. It is also forbidden by law. FOOTNOTES [1] "GOVNEWS: N[ational] S[cience] F[oundation] Press Release for GovNews," 17 Mar 1997, , accessed 21 Mar 1997. [2] One wonders what technology Gore believes GovNews is providing. Certainly neither the Internet or UseNet is part of that technology for both existed long before GovNews.^Z 0x8>------------------------------------------------------------------------- Title: AOL Users in Britain Warned of Surveillance Source: unknown Author: CHristopher Johnston LONDON - Subscribers logging onto AOL Ltd. in Britain this week were greeted with news that the Internet-service provider was imposing a tough new contract giving it wide latitude to disclose subscribers' private E-mail and on-line activities to law enforcement and security agencies. The new contract also requires users to comply with both British and U.S. export laws governing encryption. AOL Ltd. is a subsidiary of AOL Europe, which is a joint venture between America Online Inc. of the United States and Germany's Bertelsmann GmbH. The contract notes in part that AOL ''reserves the right to monitor or disclose the contents of private communication over AOL and your data to the extent permitted or required by law.'' ''It's bad news,'' said Marc Rotenberg, director of the Electronic Privacy Information Center, a Washington-based civil liberties organization. ''I think AOL is putting up a red flag that their commitment to privacy is on the decline. It puts their users on notice that to the extent permitted by law, they can do anything they want.'' The contract also prohibits subscribers from posting or transmitting any content that is ''unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, seditious, blasphemous, hateful, racially, ethnically or otherwise objectionable.'' AOL and its competitors called the move part of a trend to protect on-line service providers from suits by users in case they are required to disclose subscribers' activities to law enforcement agencies. The contract also beefed up the legal wording relating to sensitive content such as pornography, and prohibiting the maintenance of links to obscene Web sites. The updated contract is also the first to inform subscribers that they are required to comply with both British and U.S. export laws governing encryption, or coding, a hot topic of debate recently between software publishers and security agencies. AOL Europe will provide similar contracts, which vary according to local law in each of the seven European countries in which the network operates. AOL executives denied any government pressure in updating the contract. 0x9>------------------------------------------------------------------------- Title: Georgia Expands the "Instruments of Crime" Source: fight-censorship@vorlon.mit.edu In Georgia it is a crime, punishable by $30K and four years to use in furtherance of a crime: * a telephone * a fax machine * a beeper * email The actual use of the law, I think, is that when a person is selling drugs and either is in possession of a beeper, or admits to using the phone to facilitate a meeting, he is charged with the additional felony of using a phone. This allows for selective enforcement of additional penalties for some people. O.C.G.A. 16-13-32.3. (a) It shall be unlawful for any person knowingly or intentionally to use any communication facility in committing or in causing or facilitating the commission of any act or acts constituting a felony under this chapter. Each separate use of a communication facility shall be a separate offense under this Code section. For purposes of this Code section, the term "communication facility" means any and all public and private instrumentalities used or useful in the transmission of writing, signs, signals, pictures, or sounds of all kinds and includes mail, telephone, wire, radio, computer or computer network, and all other means of communication. (b) Any person who violates subsection (a) of this Code section shall be punished by a fine of not more than $30,000.00 or by imprisonment for not less than one nor more than four years, or both. 0xa>------------------------------------------------------------------------- Title: NASA Nabs Teen Computer Hacker Source: Associated Press Author: unknown Date: Monday, June 2, 1997 WASHINGTON (AP) - A Delaware teen-ager who hacked his way into a NASA web site on the Internet and left a message berating U.S. officials is being investigated by federal authorities, agency officials said Monday. NASA Inspector General Robert Gross cited the incident - the most recent example of a computer invasion of a NASA web site - as an example of how the space agency has become ``vulnerable via the Internet.'' "We live in an information environment vastly different than 20 years ago," Gross said in a written statement. "Hackers are increasing in number and in frequency of attack." In the latest case, the Delaware teen, whose name, age and hometown were not released, altered the Internet web site for the Marshall Space Flight Center in Huntsville, Ala., according to the statement from the computer crimes division of NASA's Inspector General Office. "We own you. Oh, what a tangled web we weave, when we practice to deceive," the teen's message said, adding that the government systems administrators who manage the site were "extremely stupid." The message also encouraged sympathizers of Kevin Mitnick, a notorious computer hacker, to respond to the site. Mitnick was indicted last year on charges stemming from a multimillion-dollar crime wave in cyberspace. The altered message was noticed by the computer security team in Huntsville but the NASA statement did not mention how long the message was available to the public or exactly when it was discovered. NASA officials weren't made available to answer questions about the event. In the statement, NASA called the teen's hacking "a cracking spree" and said it was stopped May 26 when his personal computer was seized. Prosecutors from the U.S. Attorney's office in Delaware and Alabama are handling the case with NASA's computer crimes division. Last March, cyberspace invaders made their way into another NASA web site and threatened an electronic terrorist attack against corporate America. The group, which called itself ``H4G1S'' in one message and ``HAGIS'' in another, also called for some well-known hackers to be released from jail. Engineers at the Goddard Space Flight Center in Greenbelt, Md., quickly noticed the change and took the page off the Internet within 30 minutes. NASA officials said the agency installed electronic security measures designed to prevent a recurrence. 0xb>------------------------------------------------------------------------- Title: Agriculture Dept. Web Site Closed after Security Breach Source: Reuter Author: unknown WASHINGTON (June 11, 1997 00:08 a.m. EDT) - The U.S. Agriculture Department's Foreign Agricultural Service shut down access to its internet home page Tuesday after a major security breach was discovered, a department aide said. "It's a big, huge problem," Ed Desrosiers, a computer specialist in USDA's Farm Service Agency, told Reuters. "We can't guarantee anything's clean anymore." Someone broke into system and began "sending out a lot of messages" to other "machines" on the internet, Desrosiers said. The volume of traffic was so great, "we were taking down machines" and began receiving complaints, he said. "It's not worth our time to try to track down" the culprit, Desrosiers said. "Instead, we're just going to massively increase security." A popular feature on the FAS home page is the search function for "attache reports," which are filed by overseas personnel and provide assessments on crop conditions around the world. Although not official data, the reports provide key information that goes into USDA's monthly world supply-and-demand forecasts. It could be next week before the page is open to outside users again, Desrosiers said. 0xc>------------------------------------------------------------------------- Title: Hackers Smash US Government Encryption Standard Source: fight-censorship@vorlon.mit.edu Oakland, California (June 18, 1997)-The 56-bit DES encryption standard, long claimed "adequate" by the U.S. Government, was shattered yesterday using an ordinary Pentium personal computer operated by Michael K. Sanders, an employee of iNetZ, a Salt Lake City, Utah-based online commerce provider. Sanders was part of a loosely organized group of computer users responding to the "RSA $10,000 DES Challenge." The code-breaking group distributed computer software over the Internet for harnessing idle moments of computers around the world to perform a 'brute force' attack on the encrypted data. "That DES can be broken so quickly should send a chill through the heart of anyone relying on it for secure communications," said Sameer Parekh, one of the group's participants and president of C2Net Software, an Internet encryption provider headquartered in Oakland, California (http://www.c2.net/). "Unfortunately, most people today using the Internet assume the browser software is performing secure communications when an image of a lock or a key appears on the screen. Obviously, that is not true when the encryption scheme is 56-bit DES," he said. INetZ vice president Jon Gay said "We hope that this will encourage people to demand the highest available encryption security, such as the 128-bit security provided by C2Net's Stronghold product, rather than the weak 56-bit ciphers used in many other platforms." Many browser programs have been crippled to use an even weaker, 40-bit cipher, because that is the maximum encryption level the U.S. government has approved for export. "People located within the US can obtain more secure browser software, but that usually involves submitting an affidavit of eligibility, which many people have not done," said Parekh. "Strong encryption is not allowed to be exported from the U.S., making it harder for people and businesses in international locations to communicate securely," he explained. According to computer security expert Ian Goldberg, "This effort emphasizes that security systems based on 56-bit DES or "export-quality" cryptography are out-of-date, and should be phased out. Certainly no new systems should be designed with such weak encryption.'' Goldberg is a member of the University of California at Berkeley's ISAAC group, which discovered a serious security flaw in the popular Netscape Navigator web browser software. The 56-bit DES cipher was broken in 5 months, significantly faster than the hundreds of years thought to be required when DES was adopted as a national standard in 1977. The weakness of DES can be traced to its "key length," the number of binary digits (or "bits") used in its encryption algorithm. "Export grade" 40-bit encryption schemes can be broken in less than an hour, presenting serious security risks for companies seeking to protect sensitive information, especially those whose competitors might receive code-breaking assistance from foreign governments. According to Parekh, today's common desktop computers are tremendously more powerful than any computer that existed when DES was created. "Using inexpensive (under $1000) computers, the group was able to crack DES in a very short time," he noted. "Anyone with the resources and motivation to employ modern "massively parallel" supercomputers for the task can break 56-bit DES ciphers even faster, and those types of advanced technologies will soon be present in common desktop systems, providing the keys to DES to virtually everyone in just a few more years." 56-bit DES uses a 56-bit key, but most security experts today consider a minimum key length of 128 bits to be necessary for secure encryption. Mathematically, breaking a 56-bit cipher requires just 65,000 times more work than breaking a 40-bit cipher. Breaking a 128-bit cipher requires 4.7 trillion billion times as much work as one using 56 bits, providing considerable protection against brute-force attacks and technical progress. C2Net is the leading worldwide provider of uncompromised Internet security software. C2Net's encryption products are developed entirely outside the United States, allowing the firm to offer full-strength cryptography solutions for international communications and commerce. "Our products offer the highest levels of security available today. We refuse to sell weak products that might provide a false sense of security and create easy targets for foreign governments, criminals, and bored college students," said Parekh. "We also oppose so-called "key escrow" plans that would put everyone's cryptography keys in a few centralized locations where they can be stolen and sold to the highest bidder," he added. C2Net's products include the Stronghold secure web server and SafePassage Web Proxy, an enhancement that adds full-strength encryption to any security-crippled "export grade" web browser software. 0xd>------------------------------------------------------------------------- Title: Hacker May Stolen JonBenet computer Documents Source: Associated Press Author: Jennifer Mears BOULDER, Colo. (June 13, 1997 07:38 a.m. EDT) -- A computer hacker has infiltrated the system set aside for authorities investigating the slaying of JonBenet Ramsey, the latest blow to a heavily criticized inquiry. [...despite the computer not being online or connected to other computers..] Boulder police spokeswoman Leslie Aaholm said the computer was "hacked" sometime early Saturday. The incident was announced by police Thursday. "We don't believe anything has been lost, but we don't know what, if anything, has been copied," said Detective John Eller, who is leading the investigation into the slaying of the 6-year-old girl nearly six months ago. The computer is in a room at the district attorney's office that police share with the prosecutor's investigators. The room apparently had not been broken into. Computer experts with the Colorado Bureau of Investigations were examining equipment to determine what had been done. [Bullshit. It was later found out that the machine was not hacked at all.] 0xe>------------------------------------------------------------------------- Title: Hacker Vows 'Terror' for Pornographers Source: Wired Author: Steve Silberman After 17 years in the hacker underground, Christian Valor - well known among old-school hackers and phone phreaks as "Se7en" - was convinced that most of what gets written in the papers about computers and hacking is sensationalistic jive. For years, Valor says, he sneered at reports of the incidence of child pornography on the Net as "exaggerated/over-hyped/fearmongered/bullshit." Now making his living as a lecturer on computer security, Se7en claims he combed the Net for child pornography for eight weeks last year without finding a single image. That changed a couple of weeks ago, he says, when a JPEG mailed by an anonymous prankster sent him on an odyssey through a different kind of underground: IRC chat rooms with names like #littlegirlsex, ftp directories crammed with filenames like 6yoanal.jpg and 8&dad.jpg, and newsgroups like alt.binaries.pictures.erotica.pre-teen. The anonymous file, he says, contained a "very graphic" image of a girl "no older than 4 years old." On 8 June, Se7en vowed on a hacker's mailing list to deliver a dose of "genuine hacker terror" to those who upload and distribute such images on the Net. The debate over his methods has stirred up tough questions among his peers about civil liberties, property rights, and the ethics of vigilante justice. A declaration of war What Se7en tapped into, he says, was a "very paranoid" network of traders of preteen erotica. In his declaration of "public war" - posted to a mailing list devoted to an annual hacker's convention called DefCon - Se7en explains that the protocol on most child-porn servers is to upload selections from your own stash, in exchange for credits for more images. What he saw on those servers made him physically sick, he says. "For someone who took a virtual tour of the kiddie-porn world for only one day," he writes, "I had the opportunity to fully max out an Iomega 100-MB Zip disc." Se7en's plan to "eradicate" child-porn traders from the Net is "advocating malicious, destructive hacking against these people." He has enlisted the expertise of two fellow hackers for the first wave of attacks, which are under way. Se7en feels confident that legal authorities will look the other way when the victims of hacks are child pornographers - and he claims that a Secret Service agent told him so explicitly. Referring to a command to wipe out a hard drive by remote access, Se7en boasted, "Who are they going to run to? The police? 'They hacked my kiddie-porn server and rm -rf'd my computer!' Right." Se7en claims to have already "taken down" a "major player" - an employee of Southwestern Bell who Se7en says was "posting ads all over the place." Se7en told Wired News that he covertly watched the man's activities for days, gathering evidence that he emailed to the president of Southwestern Bell. Pseudonymous remailers like hotmail.com and juno.com, Se7en insists, provide no security blanket for traders against hackers uncovering their true identities by cracking server logs. Se7en admits the process of gaining access to the logs is time consuming, however. Even with three hackers on the case, it "can take two or three days. We don't want to hit the wrong person." A couple of days after submitting message headers and logs to the president and network administrators of Southwestern Bell, Se7en says, he got a letter saying the employee was "no longer on the payroll." The hacker search for acceptance Se7en's declaration of war received support on the original mailing list. "I am all for freedom of speech/expression," wrote one poster, "but there are some things that are just wrong.... I feel a certain moral obligation to the human race to do my part in cleaning up the evil." Federal crackdowns targeting child pornographers are ineffective, many argued. In April, FBI director Louis Freeh testified to the Senate that the bureau operation dubbed "Innocent Images" had gathered the names of nearly 4,000 suspected child-porn traffickers into its database. Freeh admitted, however, that only 83 of those cases resulted in convictions. (The Washington Times reports that there have also been two suicides.) The director's plan? Ask for more federal money to fight the "dark side of the Internet" - US$10 million. Pitching in to assist the Feds just isn't the hacker way. As one poster to the DefCon list put it, "The government can't enforce laws on the Internet. We all know that. We can enforce laws on the Internet. We all know that too." The DefCon list was not a unanimous chorus of praise for Se7en's plan to give the pornographers a taste of hacker terror, however. The most vocal dissenter has been Declan McCullagh, Washington correspondent for the Netly News. McCullagh is an outspoken champion of constitutional rights, and a former hacker himself. He says he was disturbed by hackers on the list affirming the validity of laws against child porn that he condemns as blatantly unconstitutional. "Few people seem to realize that the long-standing federal child-porn law outlawed pictures of dancing girls wearing leotards," McCullagh wrote - alluding to the conviction of Stephen Knox, a graduate student sentenced to five years in prison for possession of three videotapes of young girls in bathing suits. The camera, the US attorney general pointed out, lingered on the girls' genitals, though they remained clothed. "The sexual implications of certain modes of dress, posture, or movement may readily put the genitals on exhibition in a lascivious manner, without revealing them in a nude display," the Feds argued - and won. It's decisions like Knox v. US, and a law criminalizing completely synthetic digital images "presented as" child porn, McCullagh says, that are making the definition of child pornography unacceptably broad: a "thought crime." The menace of child porn is being exploited by "censor-happy" legislators to "rein in this unruly cyberspace," McCullagh says. The rush to revile child porn on the DefCon list, McCullagh told Wired News, reminded him of the "loyalty oaths" of the McCarthy era. "These are hackers in need of social acceptance," he says. "They've been marginalized for so long, they want to be embraced for stamping out a social evil." McCullagh knows his position is a difficult one to put across to an audience of hackers. In arguing that hackers respect the property rights of pornographers, and ponder the constitutionality of the laws they're affirming, McCullagh says, "I'm trying to convince hackers to respect the rule of law, when hacking systems is the opposite of that." But McCullagh is not alone. As the debate over Se7en's declaration spread to the cypherpunks mailing list and alt.cypherpunks - frequented by an older crowd than the DefCon list - others expressed similar reservations over Se7en's plan. "Basically, we're talking about a Dirty Harry attitude," one network technician/cypherpunk told Wired News. Though he senses "real feeling" behind Se7en's battle cry, he feels that the best way to deal with pornographers is to "turn the police loose on them." Another participant in the discussion says that while he condemns child porn as "terrible, intrinsically a crime against innocence," he questions the effectiveness of Se7en's strategy. "Killing their computer isn't going to do anything," he says, cautioning that the vigilante approach could be taken up by others. "What happens if you have somebody who doesn't like abortion? At what point are you supposed to be enforcing your personal beliefs?" Raising the paranoia level Se7en's loathing for aficionados of newsgroups like alt.sex.pedophilia.swaps runs deeper than "belief." "I myself was abused when I was a kid," Se7en told Wired News. "Luckily, I wasn't a victim of child pornography, but I know what these kids are going through." With just a few hackers working independently to crack server logs, sniff IP addresses, and sound the alarm to network administrators, he says, "We can take out one or two people a week ... and get the paranoia level up," so that "casual traders" will be frightened away from IRC rooms like "#100%preteensexfuckpics." It's not JPEGs of clothed ballerinas that raise his ire, Se7en says. It's "the 4-year-olds being raped, the 6-year-old forced to have oral sex with cum running down themselves." Such images, Se7en admits, are very rare - even in online spaces dedicated to trading sexual imagery of children. "I know what I'm doing is wrong. I'm trampling on the rights of these guys," he says. "But somewhere in the chain, someone is putting these images on paper before they get uploaded. Your freedom ends when you start hurting other people." 0xf>------------------------------------------------------------------------- Title: Mitnick Gets 22 Month Sentence Source: LA Times Author: Julie Tamaki Date: Tuesday, June 17, 1997 A federal judge indicated Monday that she plans to sentence famed computer hacker Kevin Mitnick to 22 months in prison for cellular phone fraud and violating his probation from an earlier computer crime conviction. The sentencing Monday is only a small part of Mitnick's legal problems. Still pending against him is a 25-count federal indictment accusing him of stealing millions of dollars in software during an elaborate hacking spree while he was a fugitive. A trial date in that case has yet to be set. U.S. District Judge Mariana R. Pfaelzer on Monday held off on formally sentencing Mitnick for a week in order to give her time to draft conditions for Mitnick's probation after he serves the prison term. Pfaelzer said she plans to sentence Mitnick to eight months on the cellular phone fraud charge and 14 months for violating his probation from a 1988 computer-hacking conviction, Assistant U.S. Atty. Christopher Painter said. The sentences will run consecutively. Mitnick faces the sentence for violating terms of his probation when he broke into Pac Bell voice mail computers in 1992 and used stolen passwords of Pac Bell security employees to listen to voice mail, Painter said. At the time, Mitnick was employed by Teltec Communications, which was under investigation by Pac Bell. 0x10>------------------------------------------------------------------------- Title: New York Judge Prohibits State Regulation of Internet Source: unknown Author: unknown Date: Friday, June 20, 1997 NEW YORK -- As the nation awaits a Supreme Court decision on Internet censorship, a federal district judge here today blocked New York State from enforcing its version of the federal Communications Decency Act (CDA). Ruling simultaneously in ACLU v. Miller, another ACLU challenge to state Internet regulation, a Federal District Judge in Georgia today struck down a law criminalizing online anonymous speech and the use of trademarked logos as links on the World Wide Web. In ALA v. Pataki, Federal District Judge Loretta A. Preska issued a preliminary injunction against the New York law, calling the Internet an area of commerce that should be marked off as a "national preserve" to protect online speakers from inconsistent laws that could "paralyze development of the Internet altogether." Judge Preska, acknowledging that the New York act was "clearly modeled on the CDA," did not address the First Amendment issues raised by the ACLU's federal challenge, saying that the Commerce Clause provides "fully adequate support" for the injunction and that the Supreme Court would address the other issues in its widely anticipated decision in Reno v. ACLU. (The Court's next scheduled decision days are June 23, 25 and 26.) "Today's decisions in New York and Georgia say that, whatever limits the Supreme Court sets on Congress's power to regulate the Internet, states are prohibited from acting to censor online expression," said Ann Beeson, an ACLU national staff attorney who argued the case before Judge Preska and is a member of the ACLU v. Miller and Reno v. ACLU legal teams. "Taken together, these decisions send a very important and powerful message to legislators in the other 48 states that they should keep their hands off the Internet," Beeson added. In a carefully reasoned, 62-page opinion, Judge Preska warned of the extreme danger that state regulation would pose to the Internet, rejecting the state's argument that the statute would even be effective in preventing so-called "indecency" from reaching minors. Further, Judge Preska observed, the state can already protect children through the vigorous enforcement of existing criminal laws. "In many ways, this decision is more important for the business community than for the civil liberties community," said Chris Hansen, a senior ACLU attorney on the ALA v. Pataki legal team and lead counsel in Reno v. ACLU. "Legislatures are just about done with their efforts to regulate the business of Internet 'sin,' and have begun turning to the business of the Internet itself. Today's decision ought to stop that trend in its tracks." Saying that the law would reduce all speech on the Internet to a level suitable for a six-year-old, the American Civil Liberties Union, the New York Civil Liberties Union, the American Library Association and others filed the challenge in January of this year. The law, which was passed by the New York legislature late last year, provides criminal sanctions of up to four years in jail for communicating so-called "indecent" words or images to a minor. In a courtroom hearing before Judge Preska in April, the ACLU presented a live Internet demonstration and testimony from plaintiffs who said that their speech had already been "chilled" by the threat of criminal prosecution. "This is a big win for the people of the state of New York," said Norman Siegel, Executive Director of the New York Civil Liberties Union. "Today's ruling vindicates what we have been saying all along to Governor Pataki and legislators, that they cannot legally prevent New Yorkers from engaging in uninhibited, open and robust freedom of expression on the Internet." The ALA v. Pataki plaintiffs are: the American Library Association, the Freedom to Read Foundation, the New York Library Association, the American Booksellers Foundation for Free Expression, Westchester Library System, BiblioBytes, Association of American Publishers, Interactive Digital Software Association, Magazine Publishers of America, Public Access Networks Corp. (PANIX), ECHO, NYC Net, Art on the Net, Peacefire and the American Civil Liberties Union. Michael Hertz and others of the New York firm Latham & Watkins provided pro-bono assistance to the ACLU and NYCLU; Michael Bamberger of Sonnenschein Nath & Rosenthal in New York is also co-counsel in the case. Lawyers from the ACLU are Christopher Hansen, Ann Beeson and Art Eisenberg, legal director of the NYCLU. 0x11>------------------------------------------------------------------------- Title: Breaking the Crypto Barrier Source: Wired Author: Chris Oakes Date: 5:03am 20.Jun.97.PDT Amid a striking convergence of events bearing on US encryption policy this week, one development underlined what many see as the futility of the Clinton administration's continuing effort to block the export of strong encryption: The nearly instantaneous movement of PGP's 128-bit software from its authorized home on a Web server at MIT to at least one unauthorized server in Europe. Shortly after Pretty Good Privacy's PGP 5.0 freeware was made available at MIT on Monday, the university's network manager, Jeffrey Schiller, says he read on Usenet that the software had already been transmitted to a foreign FTP server. Ban or no ban, someone on the Net had effected the instant export of a very strong piece of code. On Wednesday, Wired News FTP'd the software from a Dutch server, just like anyone with a connection could have. A Commerce Department spokesman said his office was unaware of the breach. The event neatly coincided with the appearance of a new Senate bill that seeks to codify the administration's crypto policy, and an announcement Wednesday that an academic/corporate team had succeeded in breaking the government's standard 56-bit code. The software's quick, unauthorized spread to foreign users might have an unexpected effect on US law, legal sources noted. "If [Phil] Zimmermann's [original PGP] software hadn't gotten out on the Internet and been distributed worldwide, unquestionably we wouldn't have strong encryption today," said lawyer Charles Merrill, who chairs his firm's computer and high-tech law-practice group. Actions like the PGP leak, he speculated, may further the legal flow of such software across international borders. Said Robert Kohn, PGP vice president and general counsel: "We're optimistic that no longer will PGP or companies like us have to do anything special to export encryption products." The Web release merely sped up a process already taking place using a paper copy of the PGP 5.0 source code and a scanner - reflecting the fact it is legal to export printed versions of encryption code. On Wednesday, the operator of the International PGP Home Page announced that he had gotten his hands on the 6,000-plus-page source code, had begun scanning it, and that a newly compiled version of the software will be available in a few months. Norwegian Stale Schumaker, who maintains the site, said several people emailed and uploaded copies of the program to an anonymous FTP server he maintains. But he said he deleted the files as soon as he was aware of them, because he wants to "produce a version that is 100 percent legal" by scanning the printed code. The paper copy came from a California publisher of technical manuals and was printed with the cooperation of PGP Inc. and its founder, Phil Zimmermann. Schumaker says he does not know who mailed his copy. "The reason why we publish the source code is to encourage peer review," said PGP's Kohn, "so independent cryptographers can tell other people that there are no back doors and that it is truly strong encryption." Schumaker says his intentions are farther-reaching. "We are a handful of activists who would like to see PGP spread to the whole world," his site reads, alongside pictures of Schumaker readying pages for scanning. "You're not allowed to download the program from MIT's Web server because of the archaic laws in the US. That's why we exported the source-code books." 0x12>------------------------------------------------------------------------- Title: Setback in Efforts to Secure Online Privacy Source: unknown Author: unknown Date: Thursday, June 19, 1997 WASHINGTON -- A Senate committee today setback legislative efforts to secure online privacy, approving legislation that would restrict the right of businesses and individuals both to use encryption domestically and to export it. On a voice vote, the Senate Commerce Committee adopted legislation that essentially reflects the Clinton Administration's anti-encryption policies. The legislation approved today on a voice vote by the Senate Commerce Committee was introduced this week by Senate Commerce Committee Chairman John McCain, Republican of Arizona, and co-sponsored by Democrats Fritz Hollings of South Carolina; Robert Kerry of Nebraska and John Kerry of Massachusetts. Encryption programs scramble information so that it can only be read with a "key" -- a code the recipient uses to unlock the scrambled electronic data. Programs that use more than 40 bits of data to encode information are considered "strong" encryption. Currently, unless these keys are made available to the government, the Clinton Administration bans export of hardware or software containing strong encryption, treating these products as "munitions." Privacy advocates continue to criticize the Administration's stance, saying that the anti-cryptography ban has considerably weakened U.S. participation in the global marketplace, in addition to curtailing freedom of speech by denying users the right to "speak" using encryption. The ban also violates the right to privacy by limiting the ability to protect sensitive information in the new computerized world. Today's committee action knocked out of consideration the so-called "Pro-CODE" legislation, a pro-encryption bill introduced by Senator Conrad Burns, Republican of Montana. Although the Burns legislation raised some civil liberties concerns, it would have lifted export controls on encryption programs and generally protected individual privacy. "Privacy, anonymity and security in the digital world depend on encryption," said Donald Haines, legislative counsel on privacy and cyberspace issues for the ACLU's Washington National Office. "The aim of the Pro-CODE bill was to allow U.S. companies to compete with industries abroad and lift restrictions on the fundamental right to free speech, the hallmark of American democracy." "Sadly, no one on the Commerce Committee, not even Senator Burns, stood up and defended the pro-privacy, pro-encryption effort," Haines added. In the House, however, strong encryption legislation that would add new privacy protections for millions of Internet users in this country and around the world has been approved by two subcommittees. The legislation -- H.R. 695, the "Security and Freedom Through Encryption Act" or SAFE -- would make stronger encryption products available to American citizens and users of the Internet around the world. It was introduced by Representative Robert W. Goodlatte, Republican of Virginia. "We continue to work toward the goal of protecting the privacy of all Internet users by overturning the Clinton Administration's unreasonable encryption policy," Haines concluded 0x13>------------------------------------------------------------------------- Title: Captain Crunch Web Site Now Moved Source: Telecom Digest 17.164 The Cap'n Crunch home page URL has been changed. The new URL is now http://crunch.woz.org/crunch I've made significant changes to the site, added a FAQ based on a lot of people asking me many questions about blue boxing, legal stuff, and hacking in general. The FAQ will be growing all the time, as I go through all the requests for information that many people have sent. "Email me" if you want to add more questions. Our new server is now available to host web sites for anyone who wants to use it for interesting projects. This is for Elite people only, and you have to send me a proposal on what you plan to use it for. [So now old John gets to decide who is elite and who isn't.] I'm open for suggestions, and when you go up to the WebCrunchers web site: http://crunch.woz.org You'll get more details on that. Our server is a Mac Power PC, running WebStar web server, connected through a T-1 link to the backbone. I know that the Mac Webserver might be slower, but I had security in mind when I picked it. Besides, I didn't pick it, Steve Wozniak did... :-) So please don't flame me for using a Mac. I know that Mac's are hated by hackers, but what the heck ... at least we got our OWN server now. I also removed all the blatant commercial hipe from the home page and put it elsewhere. But what the heck ... I should disserve to make SOME amount of money selling things like T-shirts and mix tapes. We plan to use it for interesting projects, and I want to put up some Audio files of Phone tones. For instance, the sound of a blue box call going through, or some old sounds of tandom stacking. If there are any of you old-timers out there that might have some interesting audio clips of these sounds, please get in touch with me. [There is already a page out there with those sounds and a lot more.. done by someone who discovered phreaking on their own. Little known fact because of all the obscurement: John Draper did not discover blue boxing. It was all taught to him.] Our new Domain name registration will soon be activated, and at that time our URL will be: http://www.webcrunchers.com - Our Web hosting server http://www.webcrunchers.com/crunch - Official Cap'n Crunch home page Regards, Cap'n Crunch 0x14>------------------------------------------------------------------------- Title: US Justive Dept. Investigating Network Solutions Source: New York Times Author: Agis Salpukas Date: 7 July '97 The Justice Department has begun an investigation into the practice of assigning Internet addresses to determine if the control that Network Solutions Inc. exercises over the process amounts to a violation of antitrust laws. The investigation was disclosed by the company Thursday in documents filed with the Securities and Exchange Commission. The filing came as part of a proposed initial stock offering that is intended to raise $35 million. The investigation was first reported in The Washington Post on Sunday. Network Solutions, which is based in Herndon, Va., and is a subsidiary of Science Applications International Corp., has been the target of a growing chorus of complaints and two dozen lawsuits as the Internet has expanded and the competition for these addresses, or domain names, has grown more intense. 0x15>------------------------------------------------------------------------- Title: Cyber Patrol Bans Crypt Newsletter Source: Crypt Newsletter Author: George Smith Date: June 19, 1997 Hey, buddy, did you know I'm a militant extremist? Cyber Patrol, the Net filtering software designed to protect your children from cyberfilth, says so. Toss me in with those who sleep with a copy of "The Turner Diaries" under their pillows and those who file nuisance liens against officials of the IRS. Seems my Web site is dangerous viewing. I discovered I was a putative militant extremist while reading a story on Net censorship posted on Bennett Haselton's PeaceFire Web site. Haselton is strongly critical of Net filtering software and he's had his share of dustups with vendors like Cyber Patrol, who intermittently ban his site for having the temerity to be a naysayer. Haselton's page included some links so readers could determine what other Web pages were banned by various Net filters. On a lark, I typed in the URL of the Crypt Newsletter, the publication I edit. Much to my surprise, I had been banned by Cyber Patrol. The charge? Militant extremism. Cyber Patrol also has its own facility for checking if a site is banned, called the CyberNOT list. Just to be sure, I double-checked. Sure enough, I was a CyberNOT. Now you can call me Ray or you can call me Joe, but don't ever call me a militant extremist! I've never even seen one black helicopter transporting U.N. troops to annex a national park. However, nothing is ever quite as it seems on the Web and before I went into high dudgeon over political censorship--the Crypt Newsletter has been accused of being "leftist" for exposing various government, academic, and software industry charlatans--I told some of my readership. Some of them wrote polite--well, almost polite--letters to Debra Greaves, Cyber Patrol's head of Internet research. And Greaves wrote back almost immediately, indicating it had all been a mistake. My Web site was blocked as a byproduct of a ban on another page on the same server. "We do have a [blocked] site off of that server with a similar directory. I have modified the site on our list to be more unique so as to not affect [your site] any longer," she wrote. Perhaps I should have been reassured that Cyber Patrol wasn't banning sites for simply ridiculing authority figures, a favorite American past time. But if anything, I was even more astonished to discover th company's scattershot approach to blocking. It doesn't include precise URLs in its database. Instead, it prefers incomplete addresses that block everything near the offending page. The one that struck down Crypt News was "soci.niu.edu/~cr," a truncated version of my complete URL. In other words: any page on the machine that fell under "~cr" was toast. Jim Thomas, a sociology professor at Northern Illinois University, runs this particular server, and it was hard to imagine what would be militantly extreme on it. Nevertheless, I ran the news by Thomas. It turns out that the official home page of the American Society of Criminology's Critical Criminology Division, an academic resource, was the target. It features articles from a scholarly criminology journal and has the hubris to be on record as opposing the death penalty but didn't appear to have anything that would link it with bomb-throwing anarchists, pedophiles, and pornographers. There was, however, a copy of the Unabomber Manifesto on the page. I told Thomas I was willing to bet $1,000 cash money that Ted Kaczynski's rant was at the root of Cyber Patrol's block. Thomas confirmed it, but I can't tell you his exact words. It might get this page blocked, too. What this boils down to is that Cyber Patrol is banning writing on the Web that's been previously published in a daily newspaper: The Washington Post. It can also be said the Unabomber Manifesto already has been delivered to every corner of American society. If the ludicrous quality of this situation isn't glaring enough, consider that one of Cyber Patrol's partners, CompuServe, promoted the acquisition of electronic copies of the Unabomber Manifesto after it published by the Post. And these copies weren't subject to any restrictions that would hinder children from reading them. In fact, I've never met anyone from middle-class America who said, "Darn those irresponsible fiends at the Post! Now my children will be inspired to retreat to the woods, write cryptic essays attacking techno-society, and send exploding parcels to complete strangers." Have you? So, will somebody explain to me how banning the Unabomber Manifesto, the ASC's Critical Criminology home page, and Crypt Newsletter protects children from smut and indecency? That's a rhetorical question. Cyber Patrol is strongly marketed to public libraries, and has been acquired by some, in the name of protecting children from Net depravity. Funny, I thought a public library would be one of the places you'd be more likely to find a copy of the Unabomber Manifesto. 0x16>------------------------------------------------------------------------- Title: Some humor on media hacks and hackers Source: Defcon Mailing List Author: George Smith / Crypt Newsletter In as fine a collection of stereotypes as can be found, the Associated Press furnished a story on July 14 covering the annual DefCon hacker get together in Las Vegas. It compressed at least one hoary cliche into each paragraph. Here is a summary of them. The lead sentence: "They're self-described nerds . . . " Then, in the next sentence, "These mostly gawky, mostly male teen-agers . . . also are the country's smartest and slyest computer hackers." After another fifty words, "These are the guys that got beat up in high school and this is their chance to get back . . . " Add a sprinkling of the obvious: "This is a subculture of computer technology . . ." Stir in a paraphrased hacker slogan: "Hacking comes from an intellectual desire to figure out how things work . . ." A whiff of crime and the outlaw weirdo: "Few of these wizards will identify themselves because they fear criminal prosecution . . . a 25-year-old security analyst who sports a dog collar and nose ring, is cautious about personal information." Close with two bromides that reintroduce the stereotype: "Hackers are not evil people. Hackers are kids." As a simple satirical exercise, Crypt News rewrote the Associated Press story as media coverage of a convention of newspaper editors. It looked like this: LAS VEGAS -- They're self-described nerds, dressing in starched white shirts and ties. These mostly overweight, mostly male thirty, forty and fiftysomethings are the country's best known political pundits, gossip columnists and managing editors. On Friday, more than 1,500 of them gathered in a stuffy convention hall to swap news and network. "These are the guys who ate goldfish and dog biscuits at frat parties in college and this is their time to strut," said Drew Williams, whose company, Hill & Knowlton, wants to enlist the best editors and writers to do corporate p.r. "This is a subculture of corporate communicators," said Williams. Journalism comes from an intellectual desire to be the town crier and a desire to show off how much you know, convention-goers said. Circulation numbers and ad revenue count for more than elegant prose and an expose on the President's peccadillos gains more esteem from ones' peers than klutzy jeremiads about corporate welfare and white-collar crime. One group of paunchy editors and TV pundits were overheard joking about breaking into the lecture circuit, where one well-placed talk to a group of influential CEOs or military leaders could earn more than many Americans make in a year. Few of these editors would talk on the record for fear of professional retribution. Even E.J., a normally voluble 45-year-old Washington, D.C., editorial writer, was reticent. "Columnists aren't just people who write about the political scandal of the day," E.J. said cautiously. "I like to think of columnists as people who take something apart that, perhaps, didn't need taking apart." "We are not evil people. We're middle-aged, professional entertainers in gray flannel suits." 0x17>------------------------------------------------------------------------- Title: Cellular Tracking Technologies Source: unknown Author: unknown A recent article from the San Jose Mercury News by Berry Witt ("Squabble puts non-emergency phone number on hold") raises several important questions -- questions I think are relavant to the CUD's readership... Does anybody remember the FBI's request that cell phone companies must build in tracking technology to their systems that allows a person's position to be pin pointed by authorities? That suggested policy resulted in a flurry of privacy questions and protests from the industry, suggesting such requirements would force them to be uncompetitive in the global marketplace. The article, dated July 20, (which was focused on 911 cellular liability issues) suggests federal authorities may have worked out an end run around the controversy. The article states: "The cellular industry is working to meet a federal requirement that by next spring, 911 calls from cellular phones provide dispatchers the location of the nearest cell site and that within five years, cellular calls provide dispatchers the location of the caller within a 125-meter radius. " On its face, this seems reasonable and it is a far cry from the real time tracking requirements of any cell phone that is turned on (The FBI's original request). But by next spring, this tracking system will be in place and on line. I have heard no public debate about the privacy implications regarding this "Federal Requirement", nor has there been any indication that this information will be restricted to 911 operators. Will this information be available to law enforcement officials if they have a warrant? If they don't have a warrant? Will this information be secured so enterprising criminals won't have access to it? Exactly WHAT kind of security is being implemented so it WON'T be accessible to the general public. This smacks of subterfuge. By cloaking the cellular tracking issue in the very real issue of the 911 location system, the federal government and law enforcement agencies have circumvented the legitimate privacy questions that arose from their initial Cellular tracking request. 0x18>------------------------------------------------------------------------- Title: Court Mixes Internet Smut Provision Source: Associated Press Author: unknown Date: June 26, 1997 WASHINGTON (AP) -- Congress violated free-speech rights when it tried to curb smut on the Internet, the Supreme Court ruled today. In its first venture into cyberspace law, the court invalidated a key provision of the 1996 Communications Decency Act. Congress' effort to protect children from sexually explicit material goes too far because it also would keep such material from adults who have a right to see it, the justices unanimously said. The law made it a crime to put adult-oriented material online where children can find it. The measure has never taken effect because it was blocked last year by a three-judge court in Philadelphia. ``We agree with the three-judge district court that the statute abridges the freedom of speech protected by the First Amendment,'' Justice John Paul Stevens wrote for the court. ``The (Communications Decency Act) is a content-based regulation of speech,'' he wrote. ``The vagueness of such a regulation raises special First Amendment concerns because of its obvious chilling effect on free speech.'' ``As a matter of constitutional tradition ... we presume that governmental regulation of the content of speech is more likely to interfere with the free exchange of ideas than to encourage it,'' Stevens wrote. Sexually explicit words and pictures are protected by the Constitution's First Amendment if they are deemed indecent but not obscene. 0x1>------------------------------------------------------------------------- Book Title: Underground Poster: Darren Reed A few people will have heard me mention this book already, but I think there are bits and pieces of this book which will surprise quite a few people. Most of us are used to reading stories about hacking by the people who did the catching of the hackers...this one is an ongoing story of the local hacker scene...with not so local contacts and exploits. Some of the important things to note are just how well they do work together, as well as competing with each other and what they do when they get pissed off with each other. Meanwhile most of the white hats are too busy trying to hoard information from the other white hats... Having been on the "victim" side in the past, it is quite frustrating when someone you've worked to have arrested gets off with a fine. Most of us would agree that they should be locked up somewhere, but according to what's in the book, most of them are suffering from either problems at home or other mental disorders (including one claim in court to being addicted to hacking). Anyone for a "Hackers Anonymous Association" for help in drying out from this nefarious activity ? At least in one case documented within the perpetrators get sentenced to time behind bars. It's somewhat comforting to read that people have actually broken into the machines which belong to security experts such as Gene Spafford and Matt Bishop, although I'd have preferred to have not read how they successfully broke into the NIC :-/ Don't know about you, but I don't care what motives they have, I'd prefer for them to not be getting inside machines which provide integral services for the Internet. For all of you who like to hide behind firewalls, in one instance a hacker comes in through X.25 and out onto the Internet. Nice and easy 'cause we don't need to firewall our X.25 connection do we ? :-) Oh, and just for all those VMS weenies who like to say "We're secure, we run VMS not Unix" - the first chapter of the book is on a VMS worm called "WANK" that came close to taking the NASA VMS network completely off air. I wonder how long it will take for an NT equivalent to surface... All in all, a pretty good read (one from which I'm sure hackers will learn just as much from as the rest of us). The book's details are: Title: UNDERGROUND - Tales of Hacking, madness and obsession on the Electronic Frontier ISBN 1-86330-595-5 Author: Suelette Dreyfus Publisher: Random House Publisher's address: 20 Alfred St, Milsons Point, NSW 2061, Australia Price: AUS$19.95 before I forget, the best URL for the book I've found is: http://www.underground-book.com (http://underground.org/book is a mirror) 0x2>------------------------------------------------------------------------- Book Title: "Hackers" Poster: Paul Taylor P.A.Taylor@sociology.salford.ac.uk There's an open invite for people to contact me and discuss the above and/or anything else that they think is relevant/important. Below is a brief overview of the eventual book's rationale and proposed structure. Hackers: a study of a technoculture Background "Hackers" is based upon 4 years PhD research conducted from 1989-1993 at the University of Edinburgh. The research focussed upon 3 main groups: the Computer Underground (CU); the Computer Security Industry (CSI); and the academic community. Additional information was obtained from government officials, journalists etc. The face-to-face interview work was conducted in the UK and the Netherlands. It included figures such as Rop Gongrijp of Hack-Tic magazine, Prof Hirschberg of Delft University, and Robert Schifreen. E-mail/phone interviews were conducted in Europe and the US with figures such as Prof Eugene Spafford of Purdue Technical University, Kevin Mitnick, Chris Goggans and John Draper. Rationale This book sets out to be an academic study of the social processes behind hacking that is nevertheless accessible to a general audience. It seeks to compensate for the "Gee-whiz" approach of many of the journalistic accounts of hacking. The tone of these books tends to be set by their titles: The Fugitive Game; Takedown; The Cyberthief and the Samurai; Masters of Deception - and so on ... The basic argument in this book is that, despite the media portrayal, hacking is not, and never has been, a simple case of "electronic vandals" versus the good guys: the truth is much more complex. The boundaries between hacking, the security industry and academia, for example, are often relatively fluid. In addition, hacking has a significance outside of its immediate environment: the disputes that surround it symbolise society's attempts to shape the values of the informational environments we will inhabit tomorrow. Book Outline Introduction - the background of the study and the range of contributors Chapter 1 - The cultural significance of hacking: non-fiction and fictional portrayals of hacking. Chapter 2 - Hacking the system: hackers and theories of technological change. Chapter 3 - Hackers: their culture. Chapter 4 - Hackers: their motivations Chapter 5 - The State of the (Cyber)Nation: computer security weaknesses. Chapter 6- Them and Us: boundary formation and constructing "the other". Chapter 7 - Hacking and Legislation. Conclusion 0x1>------------------------------------------------------------------------- Convention: Cybercrime Conference Announcement Date: Oct 29 - 31 Cybercrime; E-Commerce & Banking; Corporate, Bank & Computer Security; Financial Crimes and Information Warfare Conference will be held October 29, 30, & 31, 1997 (Washington, D.C.) and November 17 & 18 (New York City) for bankers, lawyers, information security directors, law enforcement, regulators, technology developers/providers. Responding to the global threat posed by advancing technology, senior level decision makers will join together to share remedies and solutions towards the ultimate protection of financial and intellectual property; and against competitive espionage and electronic warfare. An international faculty of 30 experts will help you protect your business assets, as well as the information infrastructure at large. There will also be a small technology vendor exhibition. Sponsored by Oceana Publications Inc. 50 year publisher of international law, in cooperation with the Centre for International Financial Crimes Studies, College of Law, University of Florida, and Kroll Associates, a leading investigative firm. For more information call 800/831-0758 or 914/693-8100; or e-mail: Oceana@panix.com. http://www.oceanalaw.com/seminar/sem_calendar.htm 0x2>------------------------------------------------------------------------- Convention: Computers & The Law IV Symposium Date: October 6-9, Boston Computers & The Law IV is the only event to bring together corporate decision-makers, computer professionals and legal experts to discuss Internet and Web technology in the eyes of the law. This conference provides a forum and educational opportunities for all those interested in keeping their system investment safe and within the law. Topics will include: * Corporate liablity on the Internet * Internet risk management in the enterprise * Hiring a SysAdmin you can trust * Legal risks of Internet commerce * Establishing a fair-use policy * Prosecuting system intruders * Communicating with your SysAdmin * Understanding copyright law * Assessing your exposure to hackers * Employee privacy vs. owner rights ... and much more! FOR MORE INFORMATION CONTACT The Sun User Group * 14 Harvard Ave, 2nd Floor * Allston, MA 02134 (617)787-2301 * conference@sug.org * http://www.sug.org/CL4 ----[ EOF