Computer Underground Digest--Sat Jul 13 01:10:10 CDT 1991 (Vol #3.25)

         Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)

Today's Contents:
          Moderators' Corner
          Spaf's Response to Bill Vajk
          Comments to Bill Vajk's posting in CuD #3.22 (T. Klotzbach)
          LOD Members for Comsec Computer Security (News Reprint)
          Alcor Email (ECPA) Case Settled (Keith Henson)
          NIST announces public-key digital signature standard (gnu)
          Secret Service Pays Hacker Call (Reprint from Newsbytes)

Administratia:

           ARCHIVISTS: ROB KRAUSE, BOB KUSUMOTO, AND BRENDAN KEHOE

CuD is available via electronic mail at no cost. Printed copies are
available by subscription.  Single copies are available for the costs
of reproduction and mailing.

Issues of CuD can be found in the Usenet alt.society.cu-digest news
group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG,
and DL0 and DL12 of TELECOM, by FidoNet file request from 1:100/345,
on Genie, on the PC-EXEC BBS at (414) 789-4210, and by anonymous ftp
from ftp.cs.widener.edu, chsun1.uchicago.edu, and
dagon.acc.stolaf.edu.  To use the U. of Chicago email server, send
mail with the subject "help" (without the quotes) to
archive-server@chsun1.uchicago.edu.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted as long as the source
is cited.  Some authors do copyright their material, and they should
be contacted for reprint permission.  It is assumed that non-personal
mail to the moderators may be reprinted unless otherwise specified.
Readers are encouraged to submit reasoned articles relating to the
Computer Underground.  Articles are preferred to short responses.
Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
             responsibility for ensuring that articles submitted do not
             violate copyright protections.

----------------------------------------------------------------------

Date: July 13, 1991
From: From the Moderators
Subject: Moderators' Corner

We're experimenting with a new format to conform with RFC-1153 that we
hope will allow CuD to explode in most mailers.  Thanks to John
Stanley for his suggestions, and especially to an anonymous Texas
sysop (whose initials are BI and can be reached at
bei@dogface.austin.tx.us) for the patience to lead us by the hand in
explaining the procedure. Please let us know if it works (or if it
doesn't). If we can get it working properly, we will maintain both the
original format for files and the new one for mailers. So pass back
your suggestions and criticisms.

------------------------------

Date: Tue, 09 Jul 91 15:05:10 EST
From: Gene Spafford <spaf@CS.PURDUE.EDU>
Subject: Response to Bill Vajk

In an earlier digest, Bill Vajk responded to one of my messages with
lengthy commentary.

I agree with some of his points, disagree with others, and have no
opinion about most.  Most deserve and/or need no comment.  However,
there were a few of his statements (and his overall attitude) I feel I
should respond to somewhat; I won't dignify the obvious personal
insults with commentary, however.

He says: "I am concerned that Spafford's comments can be read to be
forgiving and conciliatory in nature where it regards errors made by
professional law enforcement."  He then goes on to criticize the case
in California described in CUD 3.15.  That juxtaposition was unfair,
and implied that I was in some way trying to excuse the actions of
Officer Nemeth & company -- and that is most definitely not the case.
From what I have heard of that incident, the law enforcement personnel
acted like idiots.

As to being conciliatory and forgiving, I do not believe law
enforcement personnel are basically evil or out to deprive us of our
rights; I believe most law enforcement personnel are poorly educated
in the area and overworked.  I wish to improve that understanding, not
seek to portray law enforcement personnel as "the enemy."  I don't
approve of or agree with some of their actions, but neither do I feel
it inappropriate to try to see things from their point of view.


Later, he says:
>Yes, Gene. In article 5462@accuvax.nwu.edu you misspoke [sic] and assisted
>in proliferation of such incorrect reports :
>
> "The information I have available from various sources
>  indicates that the investigation is continuing, others
>  are likely to be charged, and there MAY be some national
>  security aspects to parts of the discussion that have
>  yet to be disclosed."
>
>Need I voice the obvious and ask how any "responsible" individual should
>handle errors they have made? Need I voice the obvious and ask a simple
>question.  What has Gene Spafford done to correct errors he has made? Has
>his behavior in these matters met the criteria for responsibility he demands
>from others?

Mr. Vajk (and others) appears to misunderstand my usage of words.  My
comment was not a misstatement.  I very carefully qualified it to
indicate that it was based on information available to me, and that it
was an indication, not a certainty.  The investigation did continue.
At the time, it seemed likely to my sources that others would be
charged.  And my use of the word MAY was to indicate that it was far
from certain.

I don't view this statement on this issue as erroneous, nor do I
believe I have anything to apologize for when making it.  Had I said
"The investigation shows these guys to be traitors and part of a
larger group that will all be arrested and charged." -- that would be
an incorrect statement and something I would need to retract.
However, I didn't make that statement.  I also "demand(s)" nothing of
others.   I admit errors when I make them.

Mr. Vajk then says a great deal about my statement that we should not
believe that everyone charged with computer offenses is innocent.  He
points out (correctly) that *in US law* people are innocent until
proven guilty.  HOWEVER, that does not make them innocent of having
committed an act.  If Joe Random were to shoot someone in front of a
crowd of witnesses, he would be innocent under the law until a jury
returned a verdict in a trial, but he would NOT be innocent of the
act.  Would any witness to the crime, or anyone who spoke to a
witness, then be equally condemned by Mr. Vajk for saying "Joe was not
innocent of murder" before the conclusion of a trial?

My point remains that claiming innocence (in the non-law sense) for
all individuals accused of computer-related crimes is obviously
incorrect and counter-productive.  It may be technically correct to
point out that a court has not convicted them yet, but that does not
mean we should trumpet their innocence.  Furthermore, implying that
law enforcement personnel are all pursuing power-trips and vendettas
against computer users is paranoid.  The law is important, and I
respect it, but I do not need a jury to verify that the sun rose this
morning.  Most people are able to distinguish between convicted and
guilty; when too many people believe that the guilty are not being
convicted, repressive measures may get instituted.  If we intend to
fight for appropriate application of the laws to computing, we need to
keep this distinction in mind.

Following more insulting comments, Mr. Vajk then makes some mistaken
comments on copyright and trade secret (proprietary) rights.  Some of
these errors have been addressed already in a previous CUD: copyright
and trade secret rights may both be expressed on a document.

One thing that was not mentioned in the previous comments on copyright
is that there is, indeed, a Federal statute governing copyright
infringement. 2319 USC 18 provides for criminal penalties when a
copyright is infringed.  The copyright must be formally registered and
deposited with the Superintendent of Documents for this to take
effect, however, and the infringement must be willful.  I have heard
directly from Federal attorneys that this law can be used (and has
been used) against people copying source code or documentation (or
chip masks) they do not own.  Copyright is not always strictly a civil
issue.

Mr. Vajk then makes extensive comments on how he thinks copyright
should work, how source code should be valued, and how Federal law
should be applied in cases of interstate traffic in copyrighted
material.  This may or may not be of some interest to some readers,
but it does nothing to change the fact that Len Rose was charged with,
and pleaded guilty to, an offense based on his trafficking in
proprietary source code.  His attacks on my statement (and me, to some
extent) to that effect are directed at the wrong parties: he seems to
disagree with the way the law is written and/or applied, and that is
not my fault.

He is certainly correct, however, in his observation that the laws are
not adequate for our current technology: this is historically the case
with a great deal of technology, and certainly not restricted to
telecommunications and computing.  I have never disputed this point,
and have often propounded it.

Mr. Vajk continues by criticizing me for (in so many words) "making
statements without knowing the full background."  Interestingly
enough, he does this by assuming he knows what documentation and
information I have accessed, and by assuming that he knows the one,
full truth of the matter of Len Rose's actions and trial.
Furthermore, he then goes on to imply things about AT&T, Tim Foley,
the Illinois (?) prosecutor in the case, and potential witnesses to
the case based on circumstantial evidence.  Am I the only one who
finds such hypocrisy curious?

In the end, there is a fundamental difference of opinion between our
views and our approaches.  Mr. Vajk chose to personally insult me with
remarks in his commentary rather than address that difference.  For
instance, he states: "There has been movement by all branches at the
federal level of law enforcement to assume guilt before investigation
and to trample rights freely utilizing the immunity originally granted
in order to protect officers making honest mistakes as a standard
operating procedure instead of an exceptional circumstance."  I
believe there have been some misguided and ill-informed investigations
and prosecutions; I do not believe it an organized movement as does
(presumably) Mr. Vajk.

I still believe that the common person is not going to find the story
of Robert Morris or Len Rose to be particularly indicative of threats
to their freedoms.  Certainly some of the things done to Len were
inappropriate (the search, for instance).  However, the over-broad
search does not negate his guilty plea to a criminal act.  Although we
wish to guarantee the same Constitutional rights to everyone, we
should be somewhat cautious about the examples we pick to hold as
standards, and I do not believe Len is a particularly good standard for
us to raise.

I also believe that rude behavior and insults directed towards people
with different opinions than one's own is counterproductive to having
one's own views respected and listened to with attentiveness.  Appeals
to reason are more likely to sway people to one's views.  That was the
central thesis of my original comments, and still is.

For us to secure a reasonable set of rights for all computer users, we
must realize that the issue is complex and has many different
perspectives, the legal community is not well-equipped to deal with
the issues based on prior experience, and that not everyone on the
electronic frontier is heroic in stature.  Most of us are still
learning as the situation changes. (My views on many things have
changed in the last few years, thankfully, and continue to evolve as
I learn more; we shouldn't criticize someone for developing new
attitudes with experience.)

Sometimes we will make mistakes as we go along, but some mistakes we
can avoid if we think about them first.  One common mistake in such
highly-charged issues is attributing to malice what may be caused by
ignorance.  Another is being abusive to others for having a different
set of views; one cannot champion the legal right to free speech
without also embracing the responsibility to respect others who choose
to exercise that right -- disagreement with views should not become
contempt for the people who (appear to) espouse them.

------------------------------

Date: Fri, 5 Jul 91 13:10 GMT
From: "Thomas J. Klotzbach" <0003751365@MCIMAIL.COM>
Subject: Comments to Bill Vajk's posting in CuD #3.22

I am posting to the CuD to address factual and other errors that Bill
Vajk made in his original posting to CuD #3.22.  I had hoped to avoid
this course of action, but feel it necessary due to the puzzling
actions of Mr Vajk.

I originally replied directly to Mr. Vajk with my concerns about his
posting.  He replied back to send him specific information or "retire
from the conversation".  I sent back the information he requested and
Mr. Vajk never responded.  I also sent two follow-up letters with
again, no response.  I came to the conclusion that Mr. Vajk was going
to make no attempt in the foreseeable future to address the errors in
his original posting to the CuD, so now I present them to the
readership.  My attempt is not to "bash" Mr. Vajk, but to hopefully
correct some of the disinformation that Mr. Vajk has posted to the
CuD.

   Bill writes:

   >If this is the case, then possession is not illegal, because
   >the text is protected by commercial exploitation by the
   >copyright laws and Len should have not been charged with
   >criminal. Copyright is a matter for civil suit...

   This is misleading, as it implies that copyright infringement may
not be remedied in criminal court.  There are also provisions for
criminal proceedings if a person willfully infringes a copyright for
among other things, private financial gain (17 USC 506 et seq.; 18 USC
2319).  This half-truth (copyright law only allows remedy in civil
court) seems to be circulating about the net with great frequency.  A
knowledgeable netter wrote to me and stated that the reason that the
government does not pursue more cases with the aforementioned statute
is that the criminal penalties are not as large as the interstate
transportation of stolen property and wire fraud statutes provide for
violators.

   Bill goes on:

   >...It seems that AT&T source code (according to one of the Foley
   >affidavits) bears legends which claim both proprietary rights and a
   >copyright.  You stipulate proprietary.  The dual labeling of the
   >original software should do a lot to remove it from consideration as
   >truly proprietary information.  The laws regarding copyrights require
   >that all copyright material is subject to deposit at the Library of
   >Congress, where any citizen has a right to read and review.

   The ownership of copyright is distinct from the ownership of
the object in which the work is embodied (17 USC 101 et seq.; 17 USC
202).  You imply that the dual labeling of the source code suggests
that the work is not truly proprietary information, by stating that
"the dual labeling of the original software should do a lot to remove
it from consideration as truly proprietary information".  Rubbish.
AT&T is within their rights to do what they did.  The notice of
copyright MAY be placed on publicly distributed copies of a work (17
USC 401).  Labeling a work as copyrighted does not imply a forfeiture
of any proprietary rights (17 USC 202 et seq.; 17 USC 401, also please
see Douglas v. Taylor, Tex.Civ.App. 497 S.W. 2d 308, 310 and Green v.
Lewis, 221 Va.  547, 272 S.E. 2d 181, 185).  In effect, proprietary
declares that you are the owner of the work.  You may also copyright
the work as well.  And what does the bit about "copyright material is
subject to deposit and any citizen has the right to review" about?
Are you implying that somehow Len Rose was within his rights to copy
the source code in an attempt to review it?  If you are, you are
incorrect.  Copyright law is fairly specific on the limitation of
exclusive rights as they pertain to computer programs (it is the
section that software makers refer to when they allow the owner of a
copy of software to make backup copies - 17 USC 117).

   Bill also writes:

   >Twice now, regarding the resultants of the E-911 case you've been long
   >on assumptions, short on proof.  Twice now, regarding the resultants of
   >the E-911 case you've been long on promises, short on results.  Given
   >this history, I ask, would a "responsible" man now seek truth and
   >publish it, or retire from this discussion.

   But Bill then states:

   >Thus far, it seems most computer laws have been written at the behest
   >of special interests instead of the public interest.  The laws already
   >inflict restrictions contrary to generally understood and accepted
   >constitutional provisions.

Well, Bill, would you please provide some "proof" for the
readership on the aforementioned statement?  YOU imply much while
proving little.

There are other errors in Mr Vajk's article to the CuD and I am
still in the process of researching them.  Again, I am not attempting
to split hairs, but Mr. Vajk has a responsibility to not put "spin" on
what the laws/statutes/etc. mean, a spin that distorts the facts at hand
and does a disservice to you and me, the readers of the CuD.

In closing:

   Bill Vajk writes:

   >...What has Gene Spafford done to correct errors he has made?  Has his
   >behavior in these matters met the criteria for responsibility he demands
   >from others?

I ask the same question of Bill Vajk.  What has he done to correct
the errors he has made in his posting to the CuD #3.22?

------------------------------

Date:     Fri,  5 Jul 1991 13:52 CDT
From:     "ROBERT G. HEARN" <9999AH02@UHDBIT.BITNET>
Subject: LOD Members for Comsec Computer Security (News Reprint)

Reprint from Sunday, June 23, 1991 Houston Chronicle (1A, 15A)
By Joe Abernathy

           FORMER HACKERS OFFER SERVICES IN COMPUTER SECURITY

The most notorious force of computer hacking's heyday is asking
forgiveness and joining the forces of good.

The storied Legion of Doom, nemesis to the Secret Service, is forming
a computer security consulting firm in Houston.

Drawing members from around the nation and its name from comic book
villains, the youthful hackers' group dominated the underground
electronic landscape of the middle and late 1980s. Finally, a
controversial penetration of phone company computers landed several
members in jail.  According to documents, activities of the Legion of
Doom were a primary motivation for Operation Sun Devil, a nationwide
crackdown on computer crime coordinated by the U.S. Secret Service.

But remaining members in Austin and Houston, who disavowed any
connection with the phone company incident, now say they are on the
right side of the law and are offering their expertise on computer
security.

"People need us. We're the best," said Scott Chasin, known in his
hacking days by the computer handle Doc Holliday. "Ten years from now
we'll be the leaders in data security."

Computer security is a burgeoning field, but one that is almost
impossible to define in terms of dollars lost to penetrations or
dollars spent on security. Tales are plentiful among police of losses
in the six-figure range that went unprosecuted in order to spare the
affected firms embarrassment.  Estimates of the yearly loss to
industry from computer break-ins range from $500 million to more than
$2 billion -- much of it lost to long-distance phone service theft or
credit card fraud.

Some industry observers welcomed the creation of Comsec Computer
Security, as the new company will be known, while others derided it as
a new twist on a familiar theme.

"There's lots of precedent for that," said Richard A. Schaffer of New
York, editor of the industry publication ComputerLetter. "Crooks of
all types try to hire themselves out after the fact."

"So these guys are purporting to tell you how to protect against folks
like them," he mused. "It strikes me that people should refuse to hire
them just on principle...although from what I've seen they're
qualified."

But Linda Laskey of the Computer Security Institute in San Francisco
said she believes the firm will provide a valuable service.
"They know what they're doing as far as security systems go," she
said.

Laskey said the Computer Security Institute, a worldwide organization
of computer security professionals from business and government will
be among the first clients of Comsec.

The value of computer security is pitched now by those associated with
particular security products. Accounting firms also provide security
consulting.

By contrast, Comsec is banking on its past association with the
Legion, which gained a high profile from run-ins with the Secret
Service and BellSouth, one of the regional phone companies.

Robert J. Riggs, Franklin E. Dardin Jr. and Adam E. Grant were
sentenced on Nov. 16, 1990, in federal court in Atlanta for  breaking
into the computers of BellSouth and stealing a document on the
administration of the emergency 911 system.

Hacking grew up around the Legion, which wasn't content merely to
penetrate computer systems and networks. The deed wasn't finished
until the intimate details of each  system were written up and
electronically published.

Legion followers became associated with tutorials on obscure subjects,
such things as how to make nitroglycerin and drugs, and with
electronic documents on "social engineering," the fine art of the
scam.

Born in the swirling computer underground of the 1980s and named after
the minions of Superman archrival Lex Luthor, the Legion's
"educational services" ultimately helped reshape the online community
and gave the group a stature beyond its nominal activities.

But the best summary may have been written by Comsec principal Chris
Goggans, the historian of the Legion and only member associated with
it from its official founding in 1984 until it was disbanded late last
year.

"The Legion of Doom has been called everything from 'Organized Crime'
to 'a communist threat to national security' to 'an international
conspiracy of computer terrorists bent on destroying the nation's 911
service,'" he wrote under his pseudonym, Eric Bloodaxe. "Nothing comes
closer to the actual truth than 'bored adolescents with too much spare
time.'"

Now Sun Devil has put an end to hacking's innocence and the perception
among computer enthusiasts that it is a noble pursuit.

As for the Legion members, a few got busted, a few got bored, and the
rest are pondering a direction for their lives as young adults.

"I didn't want to be 30 years old and still breaking into systems,"
said Chasin, who is 21. "I want to be securing systems."

Chasin and Goggans, 22, will be joined in the firm by Ken Shulman, 21,
the son of Houston socialite Carolyn Farb, who is providing discounted
office space and other assistance.

Comsec will be managed by Robert Cupps, 24, a graduate of Emory
University and former securities trader.  Chasin and Goggans are
pursuing degrees at the University of Houston.

"From a marketing standpoint, we've got a real strong presentation,"
said Cupps, a Baytown native who does not consider himself a computer
expert. "What we will do is a brief demonstration. When you can walk
into someone's office and get root (administrative privileges) on
their system, that says something in itself, that maybe you're the
person they should be talking to about securing their systems."

The only member of Comsec who has faced criminal charges is Shulman,
known variously on computer networks as Malefactor, The Mentor, and
Jack the Ripper. He pleaded no contest in 1989 to misdemeanor charges
of credit card fraud, paid nearly $20,000 in restitution and was put
on a year's deferred adjudication -- meaning he emerged from probation
without a final conviction on his record.

"It was telephones, long distance calls," he said. "I quit everything
after that, and that was years ago."

Goggans has also had a run-in with the law, however. His Austin home
was raided on March 1, 1990, because he allegedly possessed the 911
document.  No charges have been filed.

Originally held forth as a life-threatening penetration of the 911
system, the document theft is now viewed by computer enthusiasts and
others as having been considerably overblown.

"The fact of the matter is that there was no damage to the system,"
acknowledged Scott Ticer, operations manager for BellSouth and
spokesman for the security team that led the investigation. "But the
potential for damage was there."

"You just can't have people playing around in your network -- it's not
some high-tech toyland. This is the telecommunications system."

Would BellSouth hire the former hackers whose associates caused it so
much grief -- proving their expertise along the way?

"We don't use hackers as consultants, period," Ticer said. "Thanks but
no thanks."

------------------------------

Date: 5 Jul 91 07:10:45 GMT
From: hkhenson@cup.portal.com
Subject: Alcor Email (ECPA) Case Settled

The long running Alcor/email case against the County and City of
Riverside, CA was settled out of court in April of this year.  The
announcement was delayed until all parties had signed off, and the
check (for $30k) had cleared the bank :-).

The Alcor Life Extension Foundation (a non-profit cryonics
organization -- alcor@cup.portal.com) ran a BBS for members and
prospective members from early 1987 through January 12, 1988.  On that
day, the BBS computer was removed under a warrant to take the computer
(but no mention of any contained email) in connection with the
investigation into the death of 83-year-old Dora Kent.  (Mrs.  Kent
was placed into cryonic suspension by Alcor in December of 1987.
During and following the investigation, Alcor staff members were
publicly accused by county officials of murder, theft, and building
code violations.  No charges were ever filed and the investigation was
officially closed three years later.)

In December, 1988 Keith Henson filed a civil suit to force an
investigation of the apparent violations of the Electronic
Communication Privacy Act by the FBI, but the case was dismissed by
the now convicted Judge Aguilar.

In early 1990, just before the statute of limitations ran out, Henson
and 14 others (of the roughly 50 people who had email on the system)
filed a civil action against a number of officials and the County and
City of Riverside, CA under Section 2707 of the Electronic
Communication Privacy Act.

Some time after the case was filed, the Electronic Frontier Foundation
came into existence in response to law enforcement abuses involving a
wide spectrum of the online community.  EFF considered this case an
important one, and helped the plaintiffs in the case by locating pro
bono legal help.  While the case was being transferred, the County and
City offered a settlement which was close to the maximum damages which
could have been obtained at trial.  Although no precedent was set
because the case did not go to trial, considerable legal research has
been done, and one judgment issued in response to the Defendants'
Motion to Dismiss.  The legal filings and the responses they generated
from the law firm representing the County/City and officials are
available by email from mnemonic@eff.org or (with delay) from
hkhenson@cup.portal.com.  (They are also posted on Portal.)

The Plaintiffs were represented by Christopher Ashworth of Garfield,
Tepper, Ashworth and Epstein in Los Angeles (408-277-1981).  A summary
of the settlement agreement is attached.


SETTLEMENT AGREEMENT

   This agreement is made and entered into in Riverside, California,
this _____ day of ______ by and between [long list of defendants and
plaintiffs]

I.

FACTUAL RECITALS

   1.  This Agreement is executed with reference to the following
facts for purpose of this Agreement only.

   2.  On January 12, 1998, some of the Defendants, pursuant to a
search warrant, entered into the premises of Alcor Life Extension
Foundation in Riverside, California.

   3.  Upon entry into the property, some of the Defendants seized
various items, including electronic media containing E-mail owned by
the plaintiffs.

   4.  On or about January 11, 1990, plaintiffs commenced civil action
No.  SAC 90-021js in the United States District Court, Santa Ana ("the
Action"), against the defendants for injuries and damages allegedly
suffered as a result of the defendants' seizure of plaintiff's E-mail.

   5.  It is now the desire and intention of plaintiffs, on the one
part, and defendants on the other part, to settle, compromise, and
resolve all the differences, disagreements, and disputes, which exist
and may exist, including those which are the subject matter of,
referred to, related to, or mentioned in the Action.  Pursuant to this
desire, and in consideration of the mutual promises contained herein,
the parties agree as follows.

II  CONSIDERATION

   6.  Upon the execution of this Agreement, defendants County of
Riverside shall pay to plaintiffs, by check, the total sum of Thirty
Thousand Dollars ($30,000), inclusive of attorney fees and cost.

------------------------------

Date: Thu, 27 Jun 91 11:39:59 -0700
From: gnu@TOAD.COM
Subject: NIST announces public-key digital signature standard

   Statement of Raymond G. Kammer, Deputy Director
   National Institute of Standards and Technology
   Before the Subcommittee on Technology and Competitiveness
   of the Committee on Science, Space, and Technology
   On Computer Security Implementation
   House of Representatives
   June 27, 1991

Digital Signature Standard

I know that you are interested in our progress in developing a federal
digital signature standard based upon the principles of public-key
cryptography.  I am pleased to tell you that we are working out the
final arrangements on the planned standard, and hope to announce later
this summer our selection of a digital signature standard based on a
variant of the ElGamal signature technique.

Our efforts in this area have been slow, difficult, and complex.  We
evaluated a number of alternative digital signature techniques, and
considered a variety of factors in this review: the level of security
provided, the ease of implementation in both hardware and software,
the ease of export from the U.S., the applicability of patents and the
level of efficiency in both the signature and verification functions
that the technique performs.

In selecting digital signature technique method [sic], we followed the
mandate contained in section 2 of the Computer Security Act of 1987 to
develop standards and guidelines that ". . . assure the cost-effective
security and privacy of sensitive information in Federal systems."  We
placed primary emphasis on selecting the technology that best assures
the appropriate security of Federal information.  We were also
concerned with selecting the technique with the most desirable
operating and use characteristics.

In terms of operating characteristics, the digital signature technique
provides for a less computational-intensive signing function than
verification function.  This matches up well with anticipated Federal
uses of the standard.  The signing function is expected to be
performed in a relatively computationally modest environment such as
with smart cards.  The verification process, however, is expected to
be implemented in a computationally rich environment such as on
mainframe systems or super-minicomputers.

With respect to use characteristics, the digital signature technique
is expected to be available on a royalty-free basis in the public
interest world-wide.  This should result in broader use by both
government and the private sector, and bring economic benefits to both
sectors.

A few details related to the selection of this technique remain to be
worked out.  The government is applying to the U.S. Patent Office for
a patent, and will also seek foreign protection as appropriate.  As I
stated, we intend to make the technique available world-wide on a
royalty-free basis in the public interest.

A hashing function has not been specified by NIST for use with the
digital signature standard.  NIST has been reviewing various candidate
hashing functions; however, we are not satisfied with any of the
functions we have studied thus far.  We will provide a hashing
function that is complementary to the standard.

I want to speak to two issues that have been raised in the public
debate over digital signature techniques.  One is the allegation that
a "trap door", a method for the surreptitious defeat of the security
of this system, has been built into the technique that we are
selecting.  I state categorically that no trap door has been designed
into this standard nor does the U.S. Government know of any which is
inherent in the ElGamal signature method that is the foundation of our
technique.

Another issue raised is the lack of public key exchange capabilities.
I believe that, to avoid capricious activity, Public Key Exchange
under control of a certifying authority is required for government
applications.  The details of such a process will be developed for
government/industry use.

NIST/NSA Technical Working Group

Aspects of digital signature standard were discussed by the NIST/NSA
Technical Working Group, established under the NIST/NSA Memorandum of
Understanding. The Working Group also discussed issues involving the
applicability of the digital signature algorithm to the classified
community, cryptographic key management techniques, and the hashing
function to be used in conjunction with the digital signature
standard.  Progress on these items has taken place; however, as with
the digital signature standard, non-technical issues such as patents
and exportability require examination, and this can be a lengthy
process.  We have found that working with NSA is productive.  The
Technical Working Group provides an essential mechanism by which NIST
and NSA can conduct the technical discussions and exchange
contemplated by the Computer Security Act and also allows us to
address important issues drawing upon NSA's expertise.
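
The signing-cheaper-than-verification property the letter describes is visible in the plain ElGamal scheme the planned standard is based on: signing costs one modular exponentiation (plus a modular inverse), verification costs three. The following is an added example, not code from the letter, from NIST or from the eventual standard; the toy prime p = 2^31 - 1 with generator 7 and SHA-256 as a stand-in hash are assumptions (the letter says no hash function had been chosen), and the range check on (r, s) is the one a verifier must not skip.

```python
"""Textbook ElGamal signature with a modexp counter (added example)."""
import hashlib
import secrets
from math import gcd

# Constructed toy parameters (assumption; far too small for real use):
# p = 2^31 - 1 is prime and 7 is a primitive root modulo p.
P = 2**31 - 1
G = 7
Q = P - 1  # group order; exponents are reduced modulo Q


def modexp(base, exp, counter):
    """pow() wrapper that records how many modular exponentiations a step used."""
    counter[0] += 1
    return pow(base, exp, P)


def hash_to_int(msg: bytes) -> int:
    # Stand-in hash (assumption): NIST had not yet chosen one in 1991.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1  # private key in [1, Q-1]
    return x, pow(G, x, P)            # (private, public)


def sign(x, msg):
    """Signing: one modexp (g^k) plus one inverse mod p-1. Returns (sig, modexps)."""
    ops = [0]
    h = hash_to_int(msg)
    while True:
        k = secrets.randbelow(Q - 1) + 1
        if gcd(k, Q) != 1:
            continue                  # k must be invertible modulo p-1
        r = modexp(G, k, ops)
        s = (h - x * r) * pow(k, -1, Q) % Q
        if s != 0:
            return (r, s), ops[0]


def verify(y, msg, sig):
    """Verification: three modexps (g^h, y^r, r^s). Returns (ok, modexps)."""
    ops = [0]
    r, s = sig
    if not (0 < r < P and 0 < s < Q):
        return False, ops[0]          # reject out-of-range components outright
    h = hash_to_int(msg)
    lhs = modexp(G, h, ops)
    rhs = modexp(y, r, ops) * modexp(r, s, ops) % P
    return lhs == rhs, ops[0]
```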

------------------------------

Date: July 8, 1991
From: Barbara E. McMullen & John F. McMullen
Subject: Secret Service Pays Hacker Call (Reprint from Newsbytes)

 SECRET SERVICE PAYS HACKER CALL 07/08/91

 NEW YORK, NEW YORK U.S.A., 1991 JULY 8 (NB) -- According to a
 Pennsylvania teenage "hacker" known as "Wing", agents of the United
 States Secret Service visited his home and that of some friends
 asking questions about rumors they had allegedly received about the
 planting of "July 4th logic bombs".

 Wing told Newsbytes that the agents arrived at his home and requested
 to talk to him about "rumors that he had planted logic bombs or
 viruses to go off on the 4th of July." Wing said that, on the advice
 of his father, he refused to discuss the matter with the agents: "The
 last time that the Secret Service was here my father told them not to
 come back again without a warrant so, when they did, I didn't talk to
 them. The whole thing is ridiculous anyhow. There were obviously no
 July 4th bombs and I certainly didn't plant any."

 Wing also said that agents visited friends of his and "made one who
 is new to computers feel that he was doing something wrong by trying
 to log onto bulletin boards."

 A Secret Service official, speaking to Newsbytes, confirmed that
 agents had attempted to interview Wing in relation to rumors of a
 July 4th attack on computer systems. The official also said that,
 because of Wing's juvenile status, his parents have the right to
 deny the agents' request for an interview. The agent further said
 that, to his knowledge, there were no cases of computer attack on the
 4th of July.

 Other law enforcement officials had told Newsbytes, previous to the
 July 4th holiday, that they had received rumors of such a planned
 attack but that they had little substantive material upon which to
 base an investigation. There have also been recent reports to
 Newsbytes from sysops of university and foundation computer systems
 in the Boston, MA area of attempted unauthorized access by an
 individual purporting to be Wing.

------------------------------

Date: Tue, 09 Jul 91 05:56:11 CDT
From: Anonymous
Subject: Calling the kettle black

In an article in comp.org.eff.talk, David Turrell wrote,

>  Anyone caught using illegal copies of 1-2-3 who keeps on doing it
>  after being asked not to and at the same time expresses "utter
>  contempt" for Lotus' right should be made to wash lots and lots of
>  cars, and wax those that need it.

You'd be surprised who would have to come clean.  There's a very big
company that has provided technical opinions, albeit with a few
decimal places added, to Federal officials.  Would those Federal
officials turn on such a technical resource and accuse it of software
piracy?  Would they take the word of an ex-employee that the very big
company kept megabytes of pirated software on company computers?  That
managers within the company knew of those computers and used that
unlicensed software in furtherance of the company's business?  Would
it matter that a now-dead division of that very big company kept
archives of pilfered copies of (among other titles) Harvard Project
Manager, Microsoft Word, Procomm Plus, Lotus 1-2-3, and Word Perfect
for company use?  Within twenty feet of an ADAPSO/SPA anti-piracy
poster?  If there's one law enforcement official who wouldn't hesitate
to ask some hard questions of this very big company, I'd hope that
they'd come out of the electronic shadows in this forum, and declare
in front of all of us that Justice is for the Big as well as the
Small.

Sign me,
A Belated Whistle Blower

P.S. Bothered by my anonymity?  I am, too.  Truth is, I think that the
LE people who I'd hope to hear from will try and kick MY butt before
they'll go after the employer of so many "expert witnesses".  Wait and
see.


------------------------------

End of Computer Underground Digest #3.25
************************************