****************************************************************************
                  >C O M P U T E R   U N D E R G R O U N D<
                                >D I G E S T<
              ***  Volume 2, Issue #2.01 (Aug 31, 1990)   **
  ****************************************************************************

MODERATORS:   Jim Thomas / Gordon Meyer  (TK0JUT2@NIU.bitnet)
ARCHIVISTS:   Bob Krause / Alex Smith
USENET readers can currently receive CuD as alt.society.cu-digest.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may be reprinted as long as the source is
cited.  It is assumed that non-personal mail to the moderators may be
reprinted, unless otherwise specified. Readers are encouraged to submit
reasoned articles relating to the Computer Underground.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent the
            views of the moderators. Contributors assume all responsibility
            for assuring that articles submitted do not violate copyright
            protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CONTENTS:
File 1: Moderators' Corner
File 2: Proposed changees in Computer Abuse Act (S.2476)
File 3: CPSR Seeks FBI data on Bulletin Board Monitoring
File 4: Computers, Social Responsibility, and Political Action
File 5: Another experience with the SS
File 6: CU in the News

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

----------------------------------------------------------------------

********************************************************************
***  CuD #2.01, File 1 of 6: Moderator's corner                  ***
********************************************************************

Date:      August 31, 1990
From:      Moderators
Subject:   Moderators' Corner

++++++++++
In this file:
  1) ERRATA (National Computer Security Conference)
  2) LAW ENFORCEMENT POLICY OF "FORFEITURE DEALS"

++++++++++++++++++
Errata: National Computer Security Conference
++++++++++++++++++

In CuD 2.00, a typo occured indicating that "Dorothy Denning will present
my paper on computer hackers." This *should have read* that Dorothy Denning
will present *her* paper on computer hackers. We regret the error, even
though it could have padded our vitas.

++++++++++++++++++++
Law Enforcement Forfeiture "Deals"
++++++++++++++++++++


The recent crackdowns by law enforcement on computer hackers raise serious
questions about Constitutional protections in investigations.  One of the
most troublesome practices is that of confiscating all computer and in some
cases non-computer equipment, including printers, telephone answering
machines, cassette tapes, books, personal papers, and other articles
totally unrelated to the alleged offense. Some of the victims of
confiscations have neither been indicted nor are under suspicion for
wrong-doing. Others alleged to have infringed on the law have lost material
unrelated to the offense of which they are suspected.

A troublesome practice seems to be emerging from the confiscations.  The
victims are offered a  "deal" in which they must choose between having
their equipment forfeited in exchange either for a guilty plea or the
dropping of charges and suffering only a material loss, or fighting the
charges and, even if innocent, running the risk of lengthy delays in the
return of the equipment. For those whose livelihood is invested in the lost
articles, this is not a pleasant choice.  The costs of fighting charges,
especially if one is innocent (and we still have a judicial system
supposedly based on presumptive innocence), can far exceed the value of the
equipment.  Even if all charges are dropped in exchange for forfeiture, the
result is punishment without trial.  Law enforcement officials may argue
that the choice is voluntary, but such a choice is coercive, and a coercive
choice is not a voluntary choice.

The irony of this new version of "Let's Make a Deal" is that those
entrusted to protect the Constitution seem to be hell-bent on subverting
it. The Fourth, Sixth, and Seventh Amendments guarantee protection of
property against unreasonable seizure, and due process protections,
including a trial.  It seems that the "forfeiture deals" are justice at its
worst, and the due process model of justice embodied by Constitution
principles has broken down. Agents seem to be trying cases in the media
with hyperbole, disinformation, and distortion, and are abusing their power
and status to punish by forfeiture what they cannot punish in court.  It's
a no-win situation for victims, but even worse, it erodes respect for law
and law enforcement by creating a new form of social control by police that
has historically been the domain of the courts. To my mind, the forfeiture
practice is an abuse of law and perhaps even borders on lawlessness.

Jim Thomas

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

Date:      August 15, 1990
From:      Moderators
Subject:   Proposed changees in Computer Abuse Act (S.2476)

********************************************************************
***  CuD #2.01: File 2 of 6: Computer Abuse Act Amendment        ***
********************************************************************

+++++++++++++++++++++++++
Proposed amendments in the computer abuse act, reported previously in CuD,
do not seem to go far enough in removing the ambiguity from the language of
the Act that currently gives broad powers to federal agents to target those
they perceive as "dangerous" who in fact may not be. Following is the text
of the revision. We invite responses (moderators).
++++++++++++++++++++++++


*******************************************************************
The following is the text of S.2476, a bill proposed to amend
Title 18. For more information, contact:
  Committee on the Judiciary
  United States Senate
  Washington, DC 20510-6275

A summary of the changes follows the text of the bill.
*******************************************************************

101st CONGRESS
   2D Session                 S.2476


   To amend title 18 of the United States Code to clarify and expand legal
                     prohibitions against computer abuse

                     ------------------------------------

                      IN THE SENATE OF THE UNITED STATES

                            April 19 (legislative day, April 18), 1990
Mr. Leahy (for himself, Mr. Humphrey, and Mr. Kohl) introduced the
following bill; which was read twice and referred to the Committee
on the Judiciary

                     ------------------------------------


                                    A BILL
          To amend title 18 of the United States Code to clarify and
               expand legal prohibitions against computer abuse.

 1         Be it enacted by the Senate and House of Representa-
 2    tives of the United States of America in Congress assembled,
 3    SECTION 1. SHORT TITLE.
 4    This Act may be cited as the "Computer Abuse Amend-
 5    mends Act of 1990".
 6    SEC.2. FINDINGS.
 7         The Congress finds that--
 8             (1) the maintenance of the security and integrity
 9         computer systems has become increasingly critical to
10         national security, interstate and foreign commerce,
                                    - 2 -
1         communications, education, science, and technology in
2         the United States;
3             (2) the deliberate abuse of computers and comput-
4         er systems to cause damage, disruption, and interfer-
5         ence with the efficient functioning of computer systems
6         has created significant problems for both government
7         and nongovernment computer systems, and such abuse
8         creates real and potential problems for national securi-
9         ty, commerce, business, science, and education, and
10        imposes significant burdens on interstate and foreign
11        commerce;
12           (3) in light of rapid developments in computer
13        technology, it is necessary to revise and clarify existing
14        Federal laws governing computer security and abuse to
15        assure that novel forms of serious computer abuse are
16        clearly prohibited; and
17             (4) it is the intent of this Act to exercise the full
18        scope of the powers of Congress under the Commerce
19        Clause of the United States Constitution to regulate
20        forms of computer abuse which arise in connection
21        with, and have a significant effect upon, interstate or
22        foreign commerce.
                                         - 3 -
 1    SEC.3. AMENDMENTS TO THE COMPUTER FRAUD AND ABUSE
 2                ACT.
 3         (a) PROHIBITION.--Section 1030)(a)(5) of title 18,
 4    United States Code, is amended to read as follows:
 5              "(5)(A) through means of or in a manner affecting
 6         a computer used in interstate commerce or communica-
 7         tions, knowingly causes the transmission of a program,
 8         information, code, or command to a computer or
 9         a computer system if the person causing the transmission
 10        intends that such program, information, code or
 11        command will damage, disrupt, alter, destroy, or mis-
 12        appropriate the functioning, use, programs, systems,
 13        databases, or other information of or contained in the
 14        affected computer or computer system and the trans-
 15        mission of the harmful component of the program,
 16        information, code, or command--
 17                  "(i) occured without the knowledge and au-
 18             thorization of the persons or entities who own or
 19             are responsible for the computer system receiving
 20             the program, information, code, or command; and
 21                  "(ii)(I) causes loss or damage to one or more
 22             other persons of a value aggregating $1,000 or
 23             more during any one-year period; or
 24                 "(II) modifies or impairs, or potentially modi-
 25             fies or impairs, the medical examination, medical
                                    - 4 -
 1                    diagnosis, medical treatment, or medical care of
 2                    one or more individuals; or
 3                    "(B) through means of or in a manner affecting a
 4                    computer used in interstate commerce or communica-
 5                    tions, knowingly causes the transmission of a program,
 6                    information, code or command to a computer or com-
 7                    puter system if the person caused the transmission with
 8                    reckless disregard for whether the transmission will
 9                    damage, disrupt, alter, destroy or misappropriate the
10                    functioning, use programs, systems, databases, or other
11                    information of or contained in the affected computer or
12                    computer system and the transmission of the harmful
13                    component of the program, information, code, or com-
14                    mand--
15                             "(i) occured without the knowledge and au-
16              thorization of the persons or entities who own or
17              are responsible for the computer system receiving
18              the program, information, code, or command; and
19                      "(ii)(I) causes loss or damage to one or more
20              other persons of a value aggregating $1,000 or
21              more during any one-year period; or
22                  "(II) modifies or impairs, or potentially modi-
23              fies or impairs, the medical examination, medical
24              diagnosis, medical treatment, or medical care of
25              one or more individuals; or".
                                    - 5 -
 1     (b) PENALTY.--Section 1030(c) of title 18, United
 2States Code is amended--
 3          (1) by striking "and" after the semicolon at the
 4     end of paragraph (2)(B);
 5          (2) in paragraph (3)(A) by inserting "(A)" after
 6     "(a)(5)"; and
 7          (3) in paragraph (3)(B) by striking the period at
 8     the end thereof and inserting "; and"; and
 9          (4) inserting at the end thereof the following:
10          "(4) a fine under this title or imprisonment for not
11     more than 1 year, or both, in the case of an offense
12     under subsection (a)(5)(B).".
13     (c) DEFINITION.--Section 1030(e) of title 18, United
14States Code, is amended--
15         (1) in paragraph (6), by striking "and" after the
16     semicolon;
17         (2) in paragraph (7), by striking the period and in-
18     serting "; and";
19         (3) by adding after paragraph (7) the following
20     new paragraph:
21         "(8) the term 'access' means--
22               "(A) to gain access to the stored or displayed
23         information or to the functions of a computer or
24         computer system in such a way that infor-
                                    - 6 -
 1              mation can be seen or otherwise deciphered or
 2              such functions can be performed; or
 3                   "(B) to transmit, or cause the transmission
 4              of, a program, information, code, or command to a
 5              computer or computer system under circumstances
 6              where the person causing the transmission in-
 7              tends, or reasonably  expects, that such program,
 8              information, or command will significantly
 9              damage, disrupt, alter, destroy, or misappropriate
10              the functioning, use, programs, systems, data-
11              bases, or other information of or contained in that
12              computer or computer systems, whether or not
13              the persons causing th transmission gains access
14              in the manner described in subparagraph (A).".
15         (d) CIVIL ACTION.--Section 1 3  of title 18, United
16    States Code, is amended by adding at the end thereof the
17    following new subsection:
18         "(g) Any person who suffers damage or loss by reason
19    of a violation of this section may maintain a civil action against
20    the violator to obtain compensatory damages and injunctive
21    relief or other equitable relief.".
                                   <<END>>

********************************************************************
SUMMARY OF LEAHY/HUMPHREY COMPUTER ABUSE AMENDMENTS ACT OF 1990
(Provided by Senator Leahy's office)
********************************************************************

NEW CRIME

Makes it a felony intentionally to cause harm to a computer or the information
stored in it by transmitting a computer program or code (including computer
viruses) without the knowledge and authorization of the person responsible for
the computer attacked.

Makes it a misdemeanor recklessly to cause harm to a computer or the
information stored in it by transmitting a computer program or code (including
computer viruses) without the knowledge and authorization of the person
responsible for the computer attacked.

JURISDICTION

Covers harm to any computer or program that involves $1,000 worth of damage or
tampering with medical records.

PENALTY

Find and/or imprisonment for up to five years for the felony.  Fine and/or
imprisonment for up to one yer for the misdemeanor.

CIVIL CAUSE OF ACTION

Creates a new, civil cause of action for those harmed by a violation of the
Act for compensatory or injunctive relief.

DEFINITION OF "ACCESS"

Defines "access" -- a term used throughout the Computer Fraud and Abuse Ace --
to cover the remote transmission of a program to affect a computer or the
information stored in it.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

Date:      July 24, 1990
From:      Computer Professionals for Social Responsibility
Subject:   CPSR Seeks FBI data on Bulletin Board Monitoring

********************************************************************
***  CuD #2.01: File 3 of 6: CPSR Seeks FBI BBS monitoring data  ***
********************************************************************

+++++++++++++
The following notice from CPSR is reprinted with permission.
+++++++++++++


          LAWSUIT SEEKS FBI RECORDS ON COMPUTER MONITORING

Computer Professionals for Social Responsibility filed a lawsuit in
Federal District Court today to obtain information from the FBI about the
monitoring of computer bulletin boards.

Marc Rotenberg, director of the CPSR Washington Office, said that the
disclosure of the records would provide a starting point for an informed
discussion about the proper scope of computer crime investigations.  He
said that the FBI's failure to respond to CPSR's original Freedom of
Information Act request made the lawsuit necessary.

A computer bulletin board is a publicly accessible computer system that is
designed to promote the exchange of views and information.  Computer
bulletin boards are also used for confidential communications that are
directed to one or more specific parties.

The Freedom of Information Act provides a legal right for individuals to
obtain records held by government agencies.  Under the law, agencies are
required to respond within ten working days.  When agencies fail to respond
within a reasonable period of time, requesters often begin legal
proceedings to obtain the information.

CPSR filed the original FOIA request in August, 1989.  After a series of
letters from CPSR to the FBI failed to produce a response, the FOIA request
was considered at a Congressional hearing in February, 1990.  A subsequent
letter from the Treasury Department revealed that the Secret Service was in
fact monitoring computer bulletin boards.  The FBI's activities are still
not known.

The lawsuit comes at a time of growing concern over the conduct of
computer crime investigations directed toward "computer hackers." In one
case, charges were dropped against a newsletter publisher after claims that
a confidential  business document was disclosed turned out to be false.  In
another case a game manufacturer in Austin, Texas suffered substantial
business losses after a Secret Service raid earlier this year, though no
charges were ever brought against the owner or his company.

The case is CPSR v. FBI. Civil Action No. 90-2096, U.S. District Court for
the District of Columbia, August 28.

For more information contact, the CPSR Washington Office, 1025 Connecticut
Ave., NW, Suit 1015, Washington DC 20036 (202) 775-1588 or
rotenberg@csli.stanford.edu.


********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

Date:      19 August, 1990
From:      Bob Gleason
Subject:   Computers, Social Responsibility, and Political Action

********************************************************************
***  CuD #2.01: File 4 of 6: Computers, Social Responsibility    ***
********************************************************************

++++++++++++++++++++++++++
In a recent discussion on The Well, there have been debates about how to
respond to law enforcement attacks on "hackers." Topics incuded how to
educate the public, whether it is better to use the metaphor of "war" or
"peace" in responding, and how, in general, does one mobilize a large group
to address what are perceived to be threats to civil liberties. George
Gleason argues for conciliation, but recognizes that the resolution lies
in the broader problem of public apathy and wider social issues.
+++++++++++++++++++++++++++++++

 Twenty-five percent of Americans own personal computers.  It is most
 likely that these individuals come almost entirely from the more
 privileged half of society.  Most of the people who use computers do so in
 routine capacities such as clerical jobs or academic writing.  Awareness
 of the political and personal empowerment possibilities of the computer,
 is limited to a small subculture, many of whose members are concentrated
 in the Bay Area and the urban Northeast.

 The fine points on which our arguments rest lie outside of the
 experience of most of the population.  We are talking about specialised
 knowledge, and even though it has broad implications, it is difficult to
 understand without at least a certain familiarity with some of this
 specialised knowlede base.  The position is similar to that of geneticists
 engaged in engineering microbes to alter plant behavior, and faced with
 public opposition to improbable consequences of their work.

 The other face of the debate over "elitism" rests on the contents of my
 statement, to which I next turn.

 Here we see a mainstream culture which is engaged in behavior that is
 ecologically and in other ways non-sustainable.  We also see a vast scale
 of aacquiescence in a political agenda of creeping authoritarianism.  We
 also see the continuation of cultural norms that support greed and
 self-centeredness to the exclusion of other values.

 A person can take an attitude of support for these cultural norms, or of
 mere acceptance of them, or of opposition to them.  Those who support can
 be seen as doing so out of commitment to either an actual or potential
 benefit they may realize from their position: for instance a high-paying
 job in the military-industrial bureaucracy, or the symbolic identification
 with nationalistic themes, etc.  More typical, and in fact the large
 majority by most measures, is a mood of acquiescence, plus or minus some
 grumbling.  My argument is based on the position that acquiescence is
 nearly as problematic as active malice, and that acquiescence represents
 the utter abdication of personal responsibility for ethical choice.

 Now for any given individual, one or more of the following can be true:
 -He or she is being manipulated by the media or other large institutions.
 -He or she is more interested in personal gain than in public issues which
 involve consequences to others.  -He or she is under sufficient pressure
 of circumstance as to have no opportunity to engage in various acts of
 personal liberation, public opposition, or even basic creativity.  (For
 example, parenthood plus a full-time job).

 In the last case we can see at minimum the decision that the status quo is
 better than taking a chance on the unknown.  Whether this decision is
 "right" or "wrong" isn't up to me.  The question I have to raise though
 is, "How bad do things have to get before people rise up?"  The extreme
 case can be seen in the black community: economic oppression, the
 destruction of an entire generation by drugs, poverty, violence, etc. One
 wonders why the signs of collective outrage have not become more evident
 in that community: the history of the political repression in the 60s
 supplies part of the answer.

 However, most people in the mainstream aren't under that kind of extreme
 pressure of circumstances.  For them, acquiescence is either a matter of
 being manipulated or being selfish.

 Are we going to say that the public are brainwashed?  Does this imply that
 we ourselves are relatively free of brainwashing?  That would be awfully
 elitist, wouldn't it?; and as well, would create a mass "victim" role.  If
 we truly believe that brainwashing by TV and so on is the cause of the
 predicament, we are left facing a force that is so powerful as to be
 unstoppable: How can our calls to freedom and lofty ideals ever begin to
 compete with the pleasures of the shopping mall and consumption lifestyle?
 How can our press conferences and pamphlets be heard and seen above the
 din of commercial jingles and junk mail?  What have we to offer that can
 satisfy basic needs and desires?  A meager existence in cramped housing
 and on a hippie diet, made tolerable by an ethic of sustainability?  There
 is no substantial alternative economy anywhere in view.  Our alternative
 culture is either barely able to survive or supported by rare cases of
 vast success whose effects even so are not able to build a truly
 large-scale example which can become self-supporting.

 Instead, are we going to say that the public are acting selfishly?  That
 would cast the majority in a moderate version of the role of "Good
 Germans."  Instead of an absence of insight and will, there would be an
 absence of ethics and basic compassion.  The result of this is even more
 dire: it is not that people don't know what they want, it's that they want
 more or less what they're getting, *including* the consequences of
 intolerance and repression and injustice.  In that case, what alternative
 have we to offer?  Simulations of public executions, to stem the desire
 for the real thing?  Simulations of other forms of evil, which serve to
 disguise good done in secret?  That appears rather Machiavellian.  Or
 instead should we fold inwardly and hide from the rising tide?  A limited
 escape if that.

 Sixty percent of the public don't vote.  Sixty five percent of people
 under 35 years of age don't read newspapers or watch broadcast news
 (source Newsweek poll a few weeks ago).  When "don't know" is compounded
 with "don't care," we are in deep shit.

 Fact is, I believe that there may be some way out.  As Huxley said,
 "Nothing less than everything is truly sufficient."  It does cause me much
 despair to see that the vast majority of our resources are committed to
 fighting a holding action where success is measured in the absence of
 defeat.  I believe that a key element in the overall solution needs to
 take the form of cohesive examples of alternative economic and cultural
 entities.  Integral neighborhoods, intentional communities (not the same
 as "hippie communes" thank you), cooperative enterprises; generating a
 sustainable *and* prosperous way of living by higher ideals and deeply
 considered values.  Not isolated on little islands, but integrated with
 the overall economic and cultural sphere while retaining distinct
 identity.  And of course, publicized as such, to provide accessible models
 from which to proceed further. . . .

 We all have our cynical moods.  Contemplating the overall scale of the
 predicament of what used to be called "civilization," is frightening and
 can as easily give rise to despair as it does inspiration and hope for
 change.  I think one thing we all share here is a commitment to creating a
 better world in many ways.  Argument and debate are valuable ways of
 clarifying views and reaching a more cohesive synthesis.

 My cause of despair is that a huge amount of talent and energy and
 resources are going into what is basically the equivalent of defence
 expenditures.  On very many fronts.  Realistically I'd like to suggest a
 concentration of political effort in one specific geographic area, to
 create and maintain an area which is conducive toward the creation of real
 alternative institutions of all kinds.  From a strong and solid base like
 that, we can move outward and affect other areas.  There are plenty of
 other ways to get at an agenda that actually moves forward instead of
 fighting defensively.  I think the people who talk in terms of educating
 our opponents are on the right track: not us/them, but "all of us," and
 solving problems together.  "Nothing less than everything is truly
 sufficient," isn't a cry of despair but an affirmation of the need for
 everyone to play whatever part their conscience moves them toward.

 Forward!

***************


********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

Subject: Another experience with the SS
From: Anonymous, somewhere in Texas
Date: Tue, 28 Aug 90 21:14:19 CDT

********************************************************************
***  CuD #2.01: File 5 of 6: Another Experience with the SS      ***
********************************************************************

++++++++++++++++++++++++++++++++++
%The moderators deleted the identity of the following article's author because
of legitimate concerns for his welfare. He is considered by those familiar
with his situation to be another victim of recent SS activity, and the need
to conceal his identity further illustrates the chilling effect on freedom
of speech that the SS has created--moderators.%

+++++++++++++++++++++++++++++++++++++++++

I just remembered a Texas tie-in to the LOD name.  I found this in Mike
Cochran's book "And deliver us from evil," from Texas Monthly Press.  In
the concluding essay, he wrote,

	And, if there was a roll call for bizarre Texas crime, it surely
	would include:

[ (accounts of mayhem removed)

	-- The Legion of Doom, an up-scale group of student vigilantes who
	used dead cats, car bombs, and other forms of intimidation to shape
	up the riffraff at Fort Worth's Paschal High.  Their misguided crusade
	got them in a heap of trouble, but they all escaped jail.

Speaking of reading... I re-read CUD 1.18 today.  There are parts of John R.
Simpson's response to Representative Don Edwards' FOI inquiry that, ahem, do
not compute.  Like this:

	"We do not keep records of the bulletin boards which we have
	monitored but we can provide information concerning a particular
	board if we are given the name of the board."

Well, maybe they'd go check the board out again.  But, as "records of the
bulletin boards which we have monitored" may include communications program
dialing directories and call logs, as well as telephone records of outgoing
calls, I know that what Simpson has said isn't true.  Let's see what's on
those disks and phone bills, Uncle Sam!

But the real corker is:

	"No, the U.S. Secret Service has not created a computer bulletin
	board nor a network which was offered to members of the public.  We
	have created an undercover bulletin board which was offered to a select
	number of individuals who had demonstrated an interest in conducting
	criminal activities.  This was done with the guidance of the U.S.
	Attorney's Office and was consistent with the Electronic Communications
	Privacy Act."

When I was interviewed by the Secret Service in early 1990, SS Agent Timothy
Foley discussed the UNIX system known as "attctc", formerly called "killer."
Agent Foley discussed the status of jolnet and attctc, claiming that "I own
jolnet" and "I own attctc."  He also asked me why I thought AT&T would fund
attctc.  His answer to his own question was that attctc existed "for the
"for the purpose of monitoring the hacker community."  When it was still
running,  attctc was once referred to as "the largest mail hub in the
Southwest."  Did AT&T provide Secret Service agents with access to attctc?  I
had this view of attctc as a kink in the image of AT&T as an all-devouring
monopoly, and approved of it as good for the image of AT&T.  But if it was a
listening post, well, I take it all back.  It was >very< available to the
public.
What role did Uncle Sam and the Secret Service have in the management, funding
and operation of attctc?


********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

Date: August 30, 1990
From: <Michael.Rosen@SAMBA.ACS.UNC.EDU>
Subject: CU in the News

********************************************************************
***  CuD #2.01: File 6 of 6: The CU in the News                  ***
********************************************************************

Source: Computerworld, Aug. 27, 1990, pg. 6, News Shorts

"NSA Denise Killing Security Center"

The National Security Agency (NSA) last week denied a published account
that said the agency is dismantling its National Computer Security Center,
a semipublic unit of the supersecret agency that was established by the
U.S. Department of Defense in 1982 to evaluate and certify the security, or
levels of trust, of computer systems.  A spokeswoman for NSA said the
center is being restructured to align its activities more closely with
NSA's communications security work.  The move was prompted by the blurring
of distinction between telecommunications and computer systems, she said.
Patrick Gallagher will remain director of the center, and the center will
continue to meet its commitments to industry for product evaluation and
certification, the spokeswoman said.

************************************************************


Source: Computerworld, Aug 20, 1990, p. 74:

"Bozhe Moy!  Hackers and viruses already plague Soviets"

There have already been computer crimes and virus attacks in the USSR.
Over the last several years, the number of incidents has appeared to
increase along with other forms of crime.

One of the earliest cases of a computer virus in the USSR occurred in 1988
when an unidentified programmer at the Gorky Automobile Works on the Volga
River was charged with deliberately using a virus to shut down an assembly
line in a dispute over work conditions.  The man was convicted under
Article 206, the so-called hooliganism law, which provides for a jail term
of up to six years for "violating public order in a coarse manner and
expressing a clear disrespect toward society."

The comments about viruses heard at a number of meetings are worth
reporting:"We are ready to meet the problem." (Moscow State University);
"Viruses come from international exchanges but some day soon come from
here." (National Academy of Economics); "The USSR recently joined Interpol.
A requirement of that organization is that member states' police
departments must ensure date security.  The result has been that the police
management has now become sensitized to that issue." (National Academy of
Economics); "On the physical side [of security], we close what needs to be
closed.  Some say that only a sentry will be sufficient." (A Soviet bank
security official); "How have we responded to viruses?  Up until now we
suffer." (Institute for Information Problems in the Information Sciences
Department of the Academy of Sciences of the USSR).

According to various Westerners, pirated software is all over the USSR, and
the Soviets often get hit with viruses when they buy these "forbidden
fruits" via the Hong Kong or Swiss connections.  A number of the 70 known
Bulgarian viruses also appear to be prevalent, along with two Soviet
strains: Victor and a variant of the Vienna virus.

According to Aryeh Goretsky at McAffee Associates, a computer security
firm, other viruses that have been confirmed by Soviet and Eastern European
antiviral programmers include the following: Yankee Doodle, Vacsina,
Microsoft88 (534), Sunday, Amstrad or Pixel, Disk Killer 170X, Stoned, Ping
Pong, Vienna, Jerusalem, Friday the 13th COM, Pakistani Brain, Disk Killer
and W-13.   Programs available to combat viruses are Aidstest by Lozynky
and Anti-Kot and Anti-Kor by Kotik.  Some Western antivirus programs and
some homegrown versions were also found at various Soviet sites.

It is noteworthy that viruses are increasing, even though a form of data
security exists in the Soviet Union.  This security is of the most basic
type:  It is largely composed of guards and locked doors restricting
access to computer rooms.

Other simple measures are used, such as limiting links between computers
and systems and access controls to files.  These measures are far from
adequate,however, given the pressure to acquire and distribute
microcomputers and to establish networks.

What makes the situation worse is the lack of trained data security
personnel, data security standards and tools, data security supports and,
in some instances (but not in others), lack of knowledge of security
techniques beyond basic approaches.

Sadly, it appears certain that there will be an onslaught of computer
crimes and virus attacks in the near future.  If (and when) perestroika can
lead to computer linkages of even a minimal sort, the types of crime and
abuse problems that have become part of life in the West will be found in
the USSR.  A mixture of homegrown hackers, outsiders and even some business
managers will create what could be a very fearful situation for the Soviet
authorities.  How they will respond to this challenge is, to a large
degree, based on what authority will be functioning in the near future.

Decisions about what information to protect and how to do it are not being
developed in the USSR today.  Unfortunately, it appears that these
decisions will be put off there as they were in the U.S. for too long.

Soviet computerists, both in state enterprises and the fledgling private
sector, can learn about information security from U.S. experiences.  The
main issue is to try to be like us while avoiding the many problems
(including security problems) that we developed in association with
computerization.

-Sanford Sherizen

********************************************************************

Source: Computerworld, August 20, 1990, pg. 102, Inside Lines:

When a young computer hacker broke into an unclassified computer at the
Pentagon last November, the U.S. Air Force was quick to draw a bead on him.
The Air Force's Office of Special Investigations (OSI) is the only federal
agency with a full-time staff of computer crime investigators, according
to the OSI.  There are 14 Air Force computer crime cops stationed
at air bases around the world.  The group was instrumental in tracking
down the Hannover hacker, profiled in _The Cuckoo's Egg_ by Clifford Stoll.

Talk with Soviet users

From Computerworld, August 20, 1990, pg. 74, no author.

Network connections to and from the USSR are few but growing all the time.
Some of the choices include a bulletin board that provides electronic mail
and teleconferencing with Soviet computer users called the San Francisco/
Moscow Teleport located at 3278 Sacramento St., San Francisco, Calif. 94115
(415) 931-8500.  Another connection is through Peacenet via Jeff Sears,
(415) 923-0900.

   A Russian text processing mailing list, Rustex-L, is also available.
It is administered by Dimitri Vulius, Department of Mathematics, City
University of New York Graduate Center, who can be contacted at
DLV%CUNYVMS1.BITNET@cunyvm.cuny.edu.

   An excellent overview of Soviet technological growth is provided
in a book entitled _Chip in the Curtain: Computer Technology in the
Soviet Union_ by David A. Wellman, Washington, D.C., National Defense
University Press, 1989.  (202) 475-0948.

From Computerworld, August 20, 1990, pg. 74, no author.

********************************************************************

------------------------------

                           **END OF CuD #2.01**
********************************************************************
!