****************************************************************************
                  >C O M P U T E R   U N D E R G R O U N D<
                                >D I G E S T<
              ***  Volume 2, Issue #2.10 (November 2, 1990)   **
  ****************************************************************************

MODERATORS:   Jim Thomas / Gordon Meyer  (TK0JUT2@NIU.bitnet)
ARCHIVISTS:   Bob Krause / Alex Smith
USENET readers can currently receive CuD as alt.society.cu-digest.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may be reprinted as long as the source is
cited.  It is assumed that non-personal mail to the moderators may be
reprinted, unless otherwise specified. Readers are encouraged to submit
reasoned articles relating to the Computer Underground.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent the
            views of the moderators. Contributors assume all responsibility
            for assuring that articles submitted do not violate copyright
            protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CONTENTS:
File 1: Moderators' Corner
File 2: Len Rose Funds--A Humanitarian Necessity
File 3: EFF Seeks Executive Director (Job Announcement)
File 4: Massachusetts Computer Crime Bill
File 5: Re: C-u-D, #2.09 Censoring of gif's
File 6: The Piratical Dilemma
File 7: Obtaining Identification Cards
File 8: Logisticon vs. Revlon
File 9: In-House Security Problems

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

----------------------------------------------------------------------

********************************************************************
***  CuD #2.10, File 1 of 9: Moderator's corner                  ***
********************************************************************

From:      Moderators
Subject:   Moderators' Corner
Date:      November 2, 1990

++++++++++
In this file:
1. CuD TAKING A FEW WEEKS OFF
2. RE-SENDING ATI #51
3. MULTIPLE MAILINGS OF CuD
4. FOREIGN BBSs

+++++++++++++++
An Hiatus of CuD
+++++++++++++++

CuD will be taking a bit of time off. Gordon is off to Texas for a few weeks
to his company's training grounds. Jim will be at the national criminology
conference for a week, and then spending a week catching up on matters past
deadline. The next issue should be about November 17. If you have articles,
keep them coming, and be sure to send along papers you come across at
conferences or elsewhere for the archives.

++++++++++++++
ATI #51 will be Resent
++++++++++++++

Those who received ATI #51 from the nets noticed that it was about a third as
long as it should be. The reason was a formatting problem (periods in the
first column between files truncated the remaining files). We have corrected
this in the archives, but if you want to receive the corrected version,
contact the ATI folks.

+++++++++++
Receiving Multiple Copies of CuD
+++++++++++

Some readers have received as many as ten identical copies of a single CuD
issue. No, we do not send out 10 copies. The problem is that some mailers
receive a copy for an address, but then kick it back to each of the other
addresses listed in the blind carbon copy line. Sometimes we receive a
returned issue as "non deliverable mail," even though the posting actually
made it through. We have no way of knowing which bounces are accidents and
which are real, so we re-send, and this sometimes leads to duplicate copies.
Sorry 'bout that.

+++++++++++++++++
Foreign BBSs
+++++++++++++++++

We've received a few letters in the past week from Europe, Australia, New
Zealand, and England (yeh, ok, it's part of Europe) indicating that the
BBS/net world there should be addressed. We agree. SEND ALONG ARTICLES ON THE
non-U.S. scene describing the net culture, what the BBSs are like, or any
other news.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From:      Moderators
Subject:   Len Rose Funds--A Humanitarian Necessity
Date:      November 2, 1990

********************************************************************
***  CuD #2.10: File 2 of 9: Len Rose Funds--Humanitarianism     ***
********************************************************************

Len Rose has been released from DuPage County Jail through the successful
efforts of Sheldon Zenner to reduce the original $50,000 bond to $10,000.  An
anonymous benefactor posted the bond.

Many of us feel that Len has, for some reason, been the victim of law
enforcement excesses in "hacker-hunting." He had begun to put his life back
together and had obtained a job with Interactive Systems Corporation. He
worked there a week before being terminated for reasons that are not yet
clear.

Len remains in Naperville, Ill., without a job. He is eligible for minimal
social service benefits. However, he is currently unable to afford even the
fare for public transportation between Naperville and his attorney in
Chicago. Although there are individuals who have taken an interest in the
legal issues involved in his situation, he has no means of providing for his
wife and two young children. The holiday season is a lousy time to be in this
situation.

Sheldon Zenner, the attorney who successfully defended Craig Neidorf, has
agreed to channel donations to Len for those wishing to support him.  *THIS IS
NOT* a legal defense fund, but humanitarian assistance to provide food, rent,
and utilities for wife and family.  Contributing even a few dollars, the cost
of renting a video tape, is one means of supporting one who appears to be
bearing the brunt of the hostility of government toward the CU.

                 Len Rose Donation
                 c/o Sheldon Zenner
                 c/o Katten, Muchin and Zavis
                 525 W. Monroe, Suite 1600
                 Chicago, IL  60606

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From:      Public Posting
Subject:   EFF Seeks Executive Director (Job Announcement)
Date:      October 31, 1990

********************************************************************
***  CuD #2.10: File 3 of 9: EFF Job Announcement                ***
********************************************************************

 JOB ANNOUNCEMENT

 The Electronic Frontier Foundation, Inc.  Executive Director

 The Electronic Frontier Foundation (EFF) is conducting a search for an
 Executive Director.   This is a full-time position, based in Cambridge,
 Massachusetts.  The Executive Director will have overall responsibility for
 the operation of the EFF  and will work closely with its five person Board of
 Directors.

 About the EFF

 The Electronic Frontier Foundation, Inc. is an operating foundation which
 engages in public education and legal programs to increase popular
 understanding of the social opportunities and challenges posed by
 developments in computing and telecommunications.  It seeks the development
 of  a new cultural and legal consensus in this country regarding  digital
 media to benefit the lives of  all people and preserve and protect the
 constitutionally guaranteed civil liberties of its citizens.

 Responsibilities

 The Executive Director will provide the overall management and leadership of
 the EFF's programs and activities, as supported closely by the EFF's Board.

 Specifically, he or she will direct the EFF's public education and
 communications programs and will serve as a spokesperson and coordinator with
 the news media, other public interest organizations concerned with the social
 impact of technology, relevant professional societies, industry trade
 associations, government officials, law enforcement agencies, and other
 constituencies.

 He or she will oversee the ongoing activities of the EFF's staff counsel and
 outside attorneys.

 The Director will be responsible for  the internal administration of EFF
 activities, including budgeting and financial management.

 The Director will also be responsible for defining and initiating activities
 such as the EFF  membership and fund raising programs.

 Skills

 An applicant should have relevant experience and accomplishments in the
 leadership and management of  public sector and/or entrepreneurial
 organizations or activities.  He or she should possess very strong oral and
 written communication skills and be both comfortable and proficient as a user
 of computer technology.  A strong interest in public policy, technology, and
 civil liberties is a must.  The ideal candidate will be a highly focused and
 self-motivated individual with an inclusive personal style.

 Compensation is $42,000-$48,000, depending on experience.   A strong benefits
 package is included.

 To apply, please send a resume and a statement of qualifications to:

 Mitchell Kapor, Chairman The Electronic Frontier Foundation, Inc.  155
 Second St.  Cambridge, Massachusetts 02141

 (617) 864-1550 (617) 864-0866 (fax) mkapor@well.sf.ca.us

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From:    Mitch Kapor
Subject: Massachusetts Computer Crime Bill
Date:    Mon, Oct 29, 1990

********************************************************************
***  CuD #2.10: File 4 of 9: Massachusetts Computer Crime Bill  ***
********************************************************************

%The following summary is reprinted with permission from The Well--
Moderators%.

 Background
 ***********

 The EFF has, for the past three months, been involved with an extensive series
 of events  concerning pending legislation in the state of Massachusetts
 concerning computer crime.   Unbeknownst to almost everyone a computer crime
 bill had passed both houses of the Massachusetts legislature and was sitting
 on the Governor's desk awaiting signature.
 The original bill had a number of fundamental flaws, not the least of which
 was the unproven assumption that a bill which broadly criminalized whole
 ranges of computer-related activities was even called for.  In fact, the bill
 appeared to operate from the same set of assumptions that we have seen too
 often in other EFF activities:  an untested belief that more regulation is
 necessarily better and a disregard for the consequences of such an approach in
 stifling free speech and ordinary commerce.  The result was a bill which was
 both unwise as well as unconstitutional.

 The bill, while arguably well-intentioned, would have had severe unintended
 consequences such as  making it a criminal act to teach a course in computer
 security and making a criminal of  a software customer who failed to renew a
 license agreement.

 In addition, there was virtually no real input into the process which led to
 the bill's passage, although the formalities were followed.

 For these reasons the EFF joined with the Software Council in requesting the
 Governor veto the bill.  Through a series of meetings with the Governor, his
 staff, the Attorney General, the Bar Association, and members of the Council,
 we were able to work out a compromise.  It can be said without exaggeration
 that the EFF played the key role in this process.  Sharon Beckman, in
 particular, was invaluable in spearheading the legal work, including the
 drafting of a replacement bill.

 The Bill Itself
 *************

 The language of the bill now balances property and free speech interests, and
 is the first such legislation to do so, as far as we know.  As such, after its
 passage, it can serve as model legislation for other states as well as the
 country as a whole.

 The preamble of the bill  explicitly recognizes that the integrity of computer
 systems must be protected in a way which does not infringe on the rights of
 users of computer technology, including freedoms of speech, association, and
 privacy.

 In its first provision, the bill makes it a crime to knowingly and without
 authorization access a controlled computer system with the intention of
 causing damage and actually cause damage in excess of $10,000.  The second
 provision of the bill is identical to the one above except that it covers
 activities undertaken with reckless disregard of the consequences as opposed
 to intent to cause damage and carries a lesser penalty.

 The bill breaks new ground is in the area of enforcement.  Prosecutions may be
 brought only by the Attorney General and only after guidelines are established
 regarding the conduct of search and seizure operations.  These guidelines must
 be consistent with the concerns stated in the preamble.

 The bill also establishes a 17 person commission charged with recommending
 future legislation in this area.

 The Task Ahead
 ***************

 Now that the Governor has sent a revised bill back to the Legislature, it is
 up to them.  We will be meeting with the Legislative co-sponsors of the bill
 in the next few weeks to find out where they stand and, we hope, gather their
 support.

 Here is the text of the bill itself

 Proposed text of Mass. Computer Crime Bill


   Carefully balancing the need to make unlawful entry into
   computer systems a criminal offense against the need to protect
   the privacy and First Amendment rights of users of computers
   has, and remains, a basic tenet guiding Massachusetts efforts
   to prevent computer crime.  To better strike this vital
   balance, and pursuant to authority vested in me by Article LVI
   of the Amendments to the Massachusetts Constitution, I am
   returning for amendment S.1543, "An Act Prohibiting Certain
   Acts Relative to Computers, Computer Data and Computer
   Systems".

   S.1543 would have the unintended effect of restricting access
   to computers by legitimate users.  Such restricted access would
   inadvertently chill the energy and creativity which are the
   hallmarks of Massachusetts business and industry.
   I agree with the bill's sponsors that there is a need for
   Massachusetts to make more clear that it is a crime to
   unlawfully enter some one else's computer system and through
   reckless or intentional behavior cause harm or damage.
   Therefore, in lieu of vetoing S. 1543, I recommend that it be
   amended by striking the language of the bill in its entirety
   and substituting in its place the following:


   AN ACT PROHIBITING CERTAIN ACTS RELATIVE TO COMPUTERS AND
   COMPUTER SYSTEMS.

   Be it enacted by the Senate and House of Representatives in
   General Court assembled and by the authority of same, as
   follows:

 SECTION 1.      The General Court hereby finds and declares that the
 development of computer technology has given rise to new communication,
 privacy and property interests of importance to individuals,
 businesses, and government agencies in this Commonwealth.  The
 protection of computer systems is therefore vital to the welfare of
 individuals and businesses in the Commonwealth.

   The General court also finds and declares that computers and
   computer networks have enabled new forms of communication,
   including electronic publications, electronic bulletin boards,
   electronic conferences, and electronic mail,m which are
   protected by fundamental rights, including freedom of speech
   and association and freedom from unreasonable governmental
   intrusion.

   It is the intention of this act to protect the integrity of
   computer systems without infringing on the rights described
   above and without impeding the use and development of computer
   and communications technology.

 Therefore, the General Laws are hereby amended by inserting after
 chapter 266 the following chapter:

               Chapter 266A.
 SECTION: 1.

 (A)     Whoever knowingly accesses a controlled access computer system
 knowing such access to be without authorization and knowingly causes
 the transmission of a program, information, code or command to a
 computer or computer system, without authorization and intending that
 such program, information, code or command will damage or cause damage
 to a computer, computer system, network, information, data or program,
 or withhold or deny, or cause the withholding or denial, of the use of a
 computer, computer services, system or network, information, data or
 program, and thereby causes loss or damage to one or more other persons
 of $10,000 or more shall be punished by imprisonment in a jail or house
 of correction for not more that 2 1/2 years, or a fine of not more than
 25,000 or both.

 (B)     Whoever knowingly accesses a controlled access computer system
 knowing such access to be  without authorization and knowingly causes
 the transmission of a program, information, code or command to a
 computer or computer system, without authorization and with  reckless
 disregard of a substantial and unjustifiable risk that such program,
 information, code or command will damage or cause damage to a computer,
 computer system, network, information, data or program, or withhold or
 deny, or cause the withholding or denial, of the use of a computer,
 computer services, system, or network, information, data or program,
 and thereby causes loss or damage to one or more other persons of
 $10,000 or more shall be punished by imprisonment in a jail or house of
 corrections for not more than 1 year, or a fine of not more than $5000,
 or both.

 (C)     Prosecutions, Investigations, and Reporting by the Attorney
 General

   (1) Prosecutions under this section shall be brought only by
   the Attorney General.

   (2)  Any Application for a warrant to conduct a search or
   seizure of a computer, computer system, or electronic
   communication system under this section must be approved by the
   Attorney General or an Assistant Attorney General.

   (3)  The Attorney General shall, within six months of the
   effective data of this Act, issue guidelines for the procedures
   governing the investigation and prosecution of an offense under
   this section, incorporating in such guidelines a requirement
   that violations of this section be investigated by methods that
   are least restrictive of the rights of freedom of speech and
   association and the right to privacy implicated in computer
   systems, and least disruptive to legitimate use of computer
   systems, without jeopardizing compelling law enforcement
   interests.

      Such guidelines shall not provide a basis for dismissal
      of an otherwise proper complaint brought under this
      sections or for exclusion of evidence that is otherwise
      admissible in a proceeding under this section.

   (4)     The Attorney General shall collect and compile
   information on, and report to the General Court annually on,
   searches, seizures, and prosecutions commenced pursuant to this
   section.

 SECTION:        2.
      There is hereby established a study commission on
      computer technology and the law.  The Commission shall
      consist of sixteen members who shall serve without
      compensation.  Notwithstanding any provision of section
      six of chapter two hundred and sixty-eight A to the
      contrary, the commission shall consist of the attorney
      general or his designee who shall be chairman, the
      secretary of the executive office of economic affairs
      or his designee, the senate chair of the joint
      committee on criminal justice, the house chair of the
      joint committee on criminal justice, and twelve persons
      appointed by the governor, including two
      representatives from the Massachusetts Software Council
      and one representative of each of the following
      organizations, to be selected from a list of
      recommendations provided by that organization: the
      Massachusetts Bar Association, the Boston Bar
      Association, the state council of the AFL-CIO, the
      Boston Computer Society, and one representative from
      the computer hardware industry, one r

   Said Commission shall investigate the legitimate communication,
   privacy, and property interests of individuals, businesses, and
   government agencies within this Commonwealth implicated by new
   computer technologies and shall evaluate the sufficiency of
   existing Massachusetts law to protect and preserve those
   interests.

   The Commission shall report to the General Court the results of
   its investigation and study, and its recommendations, together
   with drafts of legislation to carry its recommendations into
   effect, by filing its report with the clerk of the house of
   representatives and with the clerk of the senate on or
   before____.


 Makes it a felony intentionally to cause harm to a computer or the
 information stored in it by transmitting a computer program or code
 (including computer viruses) without the knowledge and authorization of
 the person responsible for the computer attacked.

 Makes it a misdemeanor recklessly to cause harm to a computer or the
 information stored in it by transmitting a computer program or code
 (including computer viruses) without the knowledge and authorization of
 the person responsible for the computer attacked.

 JURISDICTION
 Covers harm to any computer or program that involves $1,000 worth of
 damage or tampering with medical records.

 PENALTY
 Find and/or imprisonment for up to five years for the felony.  Fine and/or
 imprisonment for up to one yer for the misdemeanor.

 CIVIL CAUSE OF ACTION
 Creates a new, civil cause of action for those harmed by a violation of the
 Act for compensatory or injunctive relief.

 DEFINITION OF "ACCESS"
 Defines "access" -- a term used throughout the Computer Fraud and
 Abuse Act -- to cover the remote transmission of a program to affect a
 computer or the information stored in it.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From:         Alfred Heitink <U251010@HNYKUN11.BITNET>
Subject:      Re: C-u-D, #2.09 Censoring of gif's
Date:         Tue, 30 Oct 90 09:56:55 MET

********************************************************************
***  CuD #2.10: File 5 of 9: Censorship outside the U.S.        ***
********************************************************************

The discussion so far has been concentrated on North America, but I would like
to maken another point. In the USA a lot of BBS are censored. But because all
those networks are interconnected and the NSF is an American organisation the
'American' problem is exported, the values and American way of life are
exported. It isn't simply owning the computers or networks or not.

It isn't possible for me as a European to download X rated pictures.  from
European sites. Everybody must be able to get access to information,
uncensored. I don't like that people with other ideas are modifying my
information. No access to X rated pictures? So what?... But what is next ....
You can point out that it is only a technical problem.  simply ignored.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
some messages from ip sites in finland.

-=-=-=-JYU.FI                     -=-=-=-

Sorry, we had to remove the gifs.
NSFnet people complained that this activity is overloading the
NA <-> Scandinavia line.

I'll check if it is possible to make GIFs available for scandinavian sites
or just for Finnish sites.

-jme

-=-=-=-=-=-=-=-=-=-=- JYU.FI =-=-=-=-=-=-=-=-=-=-

The average usage of the Finland/Sweden 64kb line has lately been over 70% --
this means that it will have to be upgraded to a 2M line (costing over k$25
per month) very shortly.  Even one ftp connection will eat up the available
bandwidth very effectively.

Finland is supposedly the only Scandinavian country with more stuff being
sent out than being pumped in.  A recent traffic study of the Australia-USA
line showed that a major portion of the traffic was actually ftps to a big
GIF site in Finland !

Of course, one can argue that this is the American's problem, why did they
have to go and censor all their GIF sites, forcing everyone from the rest of
the world to crowd here to get their pictures ?

The people at NSFNet have informed us in no uncertain terms that if we don't
do anything about it, they will pull our plug -- permanently.  With these kinds
of terrorist tactics, we have no choice but to close the GIF archives...

-=-=-=-=-=-=-=-=-= LUT.FI  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

I have been TOLD to remove all GIF pictures on LUT.FI and have also done that.
This is all due to overload on our local line from Lappeenranta to Espoo and
from thereon to the States and Australia.

Please, DO NOT upload pictures here any more.  All pictures will be removed as
soon as they are found.

Kimmo Suominen
System Manager
E-mail: Kimmo.Suominen@lut.fi
                      (end of mail messages/end of file)

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From:    "The Butler"
Subject: The Piratical Dilemma
Date:    Thu, 01 Nov 90 18:59 CST

********************************************************************
***  CuD #2.10: File 6 of 9: The Piratical Dilemma              ***
********************************************************************

LEGAL ISSUE

With new laws concerning computer software being changed on a regular basis to
keep users from making copies and "PIRATING" programs I am starting to feel
guilty every time I make a backup of something.  It is so easy to just make a
copy of a program and give it to a friend or to just buy one copy of something
and install it on two computers.

I am between a rock and a hard place.  My situation is that I work for a fairly
good size law firm that has several PCs.  Well the practice of this particular
law firm is to buy three or four copies of a software package and ask me to
install it on 75 machines.  Well I don't quite agree with this but, I also don't
agree with the prices we have to pay for some software.

My dilemma and worry is that if this firm is ever caught and prosecuted can I be
held responsible for doing something I was told to do???

I also have to wonder what kind of society this is when people who practice LAW
don't even abide by it.  What is the point of me obeying the law if, FOR GOD'S
SAKE, my lawyer doesn't?

Someone should check into the firm that is prosecuting Len Rose and any other
hacker for that matter and see if they have purchased every copy of software
installed in their offices.  I bet we could get several cases dropped!!!

                                        The Butler....

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From: Anonymous
Subject: Obtaining Identification Cards
Date:    Fri, 02 Nov 90 15:43 CST

********************************************************************
***  CuD #2.10: File 7 of 9: Obtaining "Identification Cards"   ***
********************************************************************

%An anonymous poster sent this in from the nets. He did not know
the original poster--moderators%.

This from the Federal Register published 11-28-73, amended to 4-29-86:

"Section 16.32,  Procedure to obtain an identification record.

The subject of an identification record may obtain a copy thereof by
submitting a written request via the U.S. mails directly to the FBI,
Identification Division, Washington, D.C. 20537-9700, or may present his/her
written request in person during regular business hours to the FBI
Identification Division, Room 11262, J. Edgar Hoover FBI Building, Tenth
Street and Pennsylvania Avenue, NW., Washington, DC. Such request must be
accompanied by satisfactory proof of identity, which shall consist of name,
date and place of birth and a set of rolled-inked fingerprint impressions
placed upon fingerprint cards or forms commonly utilized for applicant or law
enforcement purposes by law enforcement agencies."

"An FBI identification record, often referred to as a "rap sheet", is a
listing of certain information taken from fingerprint cards submitted to and
retained by the FBI  in connection with arrests and in some instances,
includes information taken from fingerprint cards submitted in connection with
Federal employment, naturalization, or military service..."

The fee for this exercise was, in 1986, $14.00; payable in the form a
certified check or money order to the Treasury of the United States. A
provision for waiver of this fee is available on proof of indigency. The
report and the submitted fingerprint card are returned to the requestor by
regular mail in approximately two weeks after receipt.

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From: fitz@WANG.COM(Tom Fitzgerald)
Subject: Logisticon vs. Revlon
Date: Thu, 1 Nov 90 11:01:59 EST

********************************************************************
***  CuD #2.10: File 8 of 9: Logisticon vs. Revlon               ***
********************************************************************

Hello, I got this forwarded to me from DEC's Vogon news service.  If
Logisticon gets away with this, it's going to put some real knots in any
future anti-hacking statutes.

<><><><><><><>  T h e   V O G O N   N e w s   S e r v i c e  <><><><><><><>

Edition : 2182               Friday 26-Oct-1990            Circulation :  8434

Logisticon - Repossesses some programs electronically over payment dispute

        %The Wall Street Journal, 25-Oct-90, p. A5%

  Logisticon, a tiny Silicon Valley software maker has lent new meaning to the
term repossession, using phone lines to tap into Revlon Inc. computers and
disable programs that the software company claims Revlon didn't properly [sic
- pay (?) TT] for properly. Revlon sued Logisticon in a California state
court Monday, charging that Revlon suffered financial loss when two warehouses
couldn't ship products because of the disabled software. A Revlon spokesman
said the company withheld payment from Logisticon because the software had
bugs and didn't perform as promised. Logisticon president Don Gallagher calls
his company's action "repossession." Revlon, in its suit, calls it "an
extortion attempt." The software spat, first reported in the San Jose Mercury
News, illustrates a new use of the controversial practice of "hacking," in
which computer sleuths use phone lines to enter computers with the knowledge
of the computers' owner. It also shows the lengths to which a software company
may have to go to protect what it sees as its intellectual property rights.
"Software companies have to protect themselves," said Mr. Gallagher.

Logisticon sells inventory-management software around the world to such
companies as Ford Motor Co., Federal Express and Abbott Laboratories. Mr.
Gallagher said he received a letter Oct. 15 from Revlon saying that it
wouldn't pay $180,000 remaining on a $1.2 million contract to supply
warehouse-management software for Revlon warehouses in Phoenix, Ariz., and
Edison, N.J.. Revlon also canceled a $500,000 second phase, he said. As a
condition for payment of the $180,000, Revlon demanded that Logisticon give
Revlon free access to the basic software called source code, Mr. Gallagher
said. That would have allowed Revlon to freely duplicate Logisticon software
that would normally sell for millions of dollars, he said. The bugs in the
software were "minimal" and didn't hamper the operation of the system, he
maintained. When Revlon refused to settle the issue, Mr. Gallagher said, he
had employees use phone lines on Oct. 15 to disable Logisticon's software in
the Revlon warehouses "in such a way to render the total system inoperable,"
without harming Revlon's data. "We determined we had no recourse remaining,"
he said. Logisticon switched the software back on three days later. Revlon, in
its suit, charges that it wasn't able to ship products between Oct. 16 and
Oct. 19 while the system was off. Logisticon, Revlon said, used its
"familiarity with Revlon's system to commit ... extortionate acts." Logisticon
planted viruses in the program that it later activated, the suit claims.

> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
>         Please send subscription and back issue requests to CASEE::VNS
>
>     Permission to copy material from this VNS is granted (per DIGITAL PP&P)
>     provided that the message header for the issue and credit lines for the
>     VNS correspondent and original source are retained in the copy.
>
> <><><><><><>   VNS Edition : 2182      Friday 26-Oct-1990   <><><><><><><>

********************************************************************
                           >> END OF THIS FILE <<
***************************************************************************

------------------------------

From: Dark Adept (Ripco BBS)
Subject: In-House Security Problems
Date: Thu, 1 Nov 90 01:37 CST

********************************************************************
***  CuD #2.10: File 9 of 9: In-House Security Problems         ***
********************************************************************

Crossing the barriers of the Underground....

                  In-House Security Problems
                             by
                       The Dark Adept

While the current anti-hacker fervor causes many people to think that hackers
are the number one intruders into computer systems, this isn't the case.  The
foremost security problem is with employees.  Many companies overlook what the
possible consequences are for giving an employee computer access.  Often times
employees are given too much trust.  This leads to problems in the long run.
This article will attempt to entreat the common mistakes made by companies
when dealing with their employees.

Employee Carelessness and Laziness
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Most people are lax when it comes to protecting something that is not their
own.  The system operator assumes that an employee will diligently memorize
his ID and password and throw the paper away.  This is usually not the case.
Most people, being too lazy to memorize the password (or, after changing it,
to memorize the new one), will keep a written copy of their password
somewhere.  If a fellow employee finds it, he is given the opportunity to
cause untraceable havoc.  Since the owner of the password knows nothing about
these actions, the system operator will often assume that it's a hacker
causing the trouble when it's not.

Another problem that employees create is not disposing of garbage properly.  A
hacker who goes trashing (digging through your garbage to find items of value)
can find many printouts, manuals, and even passwords that employees have
indiscriminately thrown away without censoring.  The best practice is to shred
all documents relating to computer transactions and send the shreddings to a
recycling center.  This helps the community and secures the information.
Locked trash receptacles may be picked and/or broken into, and hackers have
been known to go to the dump/processing center to grab trash.  Even the most
innocent printout should be destroyed.  For example, a core dump off of an IBM
360/370 architecture mainframe will give a hacker the following information:
System name          Type of Operating System
Node name             Various file/dataset names
User ID                   Printer ID's
JCL version            etc., etc., etc.
Volume names
Unit names
Type of system

That's a lot of information to hand out free to the "enemy"!  Of course, a
core dump is an extreme example, but any information regarding your system may
be used by a hacker to his benefit.  If he knows that you are running Unix (Tm
AT&T), he can tailor his tactics to fit that type of system.  If you are
running MUSIC (Tm McGraw-Hill)  he can adjust to that.

Some operators require employees to change their passwords at least every six
months or so.  This effort should be applauded.  But what they don't realize
is that many employees change them for a couple of days, and then they change
them back because they are too lazy to memorize a new one.  A hacker, if he
has access to an account and the password changes, will almost always wait for
the password to change back, and it usually does.  System operators should
have a utility to check and see if the password is changed and remains
changed.

B
Systems Operators
-=-=-=-=-=-=-=-=-=-

While a system operator has many responsibilities, the most important is
account maintainance.  When an employee is terminated, his account should be
revoked IMMEDIATELY!  Whether his termination was voluntary, requested, or
involuntary, the account should be done away with instantaneously.  If you
don't, the results could be catastrophic.  It would be comparable to firing
someone but letting him keep a key to the store.  He could walk in at any time
and destroy files.  If the system operator himself is terminated, the new
system operator should go through the system with a fine-toothed comb.  He
must look for any method the ex-operator has of getting into his old account.
Often times system operators either let the account self-destruct from lack of
use, or they allow the termination notices to pile up in anticipation of doing
one large purge at the end of the month.  Obviously 30 days is more than
enough time to destroy and/or copy a large portion of files.

For any employee, all his programs and files must be searched for trap doors,
viruses, etc.  Anything that could be used to gain entrance to the system must
be destroyed.  And, again, if he has a fellow employee's password, then there
will be much trouble.

The system operator should also keep an eye on the log files and note attempts
at unauthorized access by employees.  Once on the inside, an unscrupulous
person can cause more trouble than a run-of-the-mill hacker.  Having access to
any account is more than halfway to gaining access to the operator level.
Most of the time employees are just poking around to see what's on the system
(not much different from what hackers do!), and they won't cause any harm.
But when there is a pattern of attempts to access something by a single
employee, you can bet your bottom dollar that he is up to no good.

Social Engineering
-=-=-=-=-=-=-=-=-=-

One term that often appears in hacking papers is "social engineering".  What
this is, basically, is bullshipping your way into a computer system.  It is
easier done than explained.  All one has to do is find someone who loves his
work.  Pretend there is a business called BusinessCoInc.  It hires a system
operator whose life is computers.  The SysOp lives, eats, sleeps, breathes
computers (gee, sounds like a hacker so far!).  Well, say he goes to a
computer conference.  Now this chump is sitting at a conference, and some guy
next to him starts talking about security.  WOW! This idiot gets all excited
and starts blabbing "Yeah!  That's cool, but I have a Shayes callback modem
hooked up to a Eunichs system running Try2HackMe security software.  The only
problem we had was...."  The pinhead in question just told the guy how to get
into his system.  What's really funny is that the SysOp was just talking about
something he loved.  He got all excited to find someone else that shared the
same interests that he lost his head and blabbed.

One of my buddies whom I've known since grade school currently attends Notre
Dame University and is a business major.  During summer break, he related to
me a bit of advice one of his finance professors gave the class.  He said,
"Boys, the most important thing you'll learn in college is how to drink.  More
business deals have been made and more idiots taken advantage of over drinks
than on the 18th hole.  If you can't hold your liquor, sooner or later someone
will take advantage of you."  Now some people don't even need alcohol to get
talking, but this is another aspect of social engineering.   Basically, all
social engineering is can be summed up as "Loose lips sink ships".  And most
businesses are half-submerged if this is true.

Another problem that relates to social engineering involves choosing
passwords.  Employees often choose passwords such as their wife's maiden name.
A friend of an employee who does this has a greater chance of figuring out
their password since they know something about the employee.  Even if a word
is chosen at random, a hacker can write a program that tries every word in his
word processor's dictionary file until it finds the proper one.  There is a
greater chance of picking out "battle" using this type of program than
"98^Y&$" using a sequential test program (one that tries every possible
permutation of, say, a 10 character or less field from 512 possible
characters).

To sum up, the most dangerous chinks in system security armor do not exist in
the security system itself, but in the people who use the system.  Laziness
and carelessness of employees cause most security breeches, and most system
breeches are inside jobs.  The myth of the evil hacker sitting there
destroying files is just that: a myth.  The real problem is not the hackers;
the real problem is the people who use the system.

Written 10/31/90 in Chicago, IL  --  The Dark Adept

------------------------------

                           **END OF CuD #2.10**
********************************************************************