Computer Underground Digest--Fri, Oct 4, 1991 (Vol #3.35) Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) CONTENTS, #3.35 ( October 4, 1991) Subject: File 1--Moderators' Corner Subject: File 2--Cyperpunk Author Responds to Mitnick Charges Subject: File 3--Computer Security Basics review Subject: File 4--Steam age cyberpunk Subject: File 5--Errata to "Practical Unix Security" Subject: File 6--Living with the Law -- A view from Finland Subject: File 7--Let's Get It Right. Subject: File 8--"Phone Gall" (AT&T sues users)(Infoworld reprint) Subject: File 9--Announcement Subject: File 10--Cyberspace Conference in Montreal Subject: File 11--Conference Info and Press Releases Issues of CuD can be found in the Usenet alt.society.cu-digest news group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM, on Genie, on the PC-EXEC BBS at (414) 789-4210, and by anonymous ftp from ftp.cs.widener.edu (147.31.254.20), chsun1.spc.uchicago.edu, and dagon.acc.stolaf.edu. To use the U. of Chicago email server, send mail with the subject "help" (without the quotes) to archive-server@chsun1.spc.uchicago.edu. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: 4 Oct 91 11:21:19 CDT From: Moderators <tk0jut2@mvs.cso.niu.edu> Subject: File 1--Moderators' Corner ++++++++++++++++++++++ WIDENER FTP SITE ADDRESS INFO ++++++++++++++++++++++ The latest change for the WIDENER FTP SITE: The IP for ftp.cs.widener.edu will continue to be the address 147.31.254.132 (not 147.31.254.20). Since it probably wasn't mentioned, the official transition is now 192.55.239.132 -> 147.31.254.132. ++++++++++++++++++ 'ZINE ALERT ++++++++++++++++++ 2600: THE HACKER QUARTERLY (summer, '91) is out and contains the the usual collection of excellent articles. Two of them are especially worth the sub price. "Where Have all the Hackers Gone," an editorial, argues that there are as many hackers around as ever, but are becoming invisible because of the abuse of law enforcement hysteria. A second piece, a letter by Kevin Mitnick, complains that Hafner and Markoff's _Cyberpunk_ was slanted against Mitnick because of his "refusal" to cooperate (see NEWSBYTE reprint this issue). Information on 2600 can be obtained from emmanuel@well.sf.ca.us or by writing to: 2600 Magazine; PO Box 752; Middle Island, NY 11953. +++++++++++ BOARDWATCH +++++++++++ We continue to be impressed with BOARDWATCH. Although not CU, it is the best BBS 'zine out, and the current issue (Sept '91) includes some first-rate articles on the international BBS scene, featuring boards in Mexico and an interview with Pete Perkins of JANUS BBS in Tokyo. There's also a nice piece on how to run a BBS for profit, along with the usual general news and blurbs of the "straight" BBS scene nationwide. $36 a year brings 12 issues, and you can sub by writing: Boardwatch Magazine; 5970 S. Vivian Street; Littleton, CO 80127. Or, drop a note to the editor, Jack Rickard at jack.rickard@csn.org +++++++++++++++++++ GERALDO AND THE CU +++++++++++++++++++ We've received a number of blurbs about the Geraldo schtick last week. Guests included Craig Neidorf, Emmanuel Goldsten (2600), Don Ingraham (Marin County, Calif, prosecutor), and, of course, Geraldo himself. CuD will run a special issue in a few weeks, but it sounds, from the reports we've received, like the usual Jerry Rivers sensationalism. We're told that Jerry/Geraldo referred to Craig as the "most notorious hacker in America," that Ingraham made remarks bordering on slander (of Craig), and that Craig's primary flaw was that he tried to be reasonable and display some class in what some described as a "swine pit of muck and lies." We'll try to extract the transcripts in CuD 3.36. ------------------------------ Date: Tue, 1 Oct 91 23:09 EST From: "NEWSBYTES" <mcmullen@well.sf.ca.us> Subject: File 2--Cyperpunk Author Responds to Mitnick Charges JEFFERSON VALLEY, NEW YORK, U.S.A., 1991 OCT 1 (NB) -- Cyberpunk co-author Katie Hafner, in an interview with Newsbytes, has responded to allegations of fabrication raised by Kevin Mitnick, one of the main subjects of the book. Cyberpunk: Outlaws and Hackers on the Computer Frontier (Katie Hafner and John Markoff; Simon & Schuster, 1991 - $22.95) devotes the first section of the book called "Kevin: The Dark Side Hacker" to the activities of Mitnick and his associates, Lenny DiCicco, "Susan Thunder" and "Roscoe" (the last two names are pseudonyms; the persons would be interviewed only under the protection of anonymity). Mitnick, who served a prison term related to his intrusions into Digital Equipment Corporation's systems, says in a letter to the Summer 1991 issue of 2600: The Hacker Quarterly that the section concerning him "is 20% fabricated and libelous." Mitnick, in the letter, suggests that the authors had motivation for the alleged unfairness. He said "It seems that the authors acted with malice to cause me harm after my refusal to cooperate. Interestingly, I did offer to participate as a factual information source if I was compensated for my time, but the authors refused, claiming it would taint my objectivity. So, consequently, I declined to cooperate." Hafner confirmed that Mitnick had refused cooperation after his offer to meet for pay was rejected but denied that his action caused any malicious or unfair behavior. She said "I feel that the payment of interview subjects is completely unethical and I have never been involved in such a thing and did not intend to start then. We mentioned in the book that Kevin had refused to cooperate but did not reveal that he had asked for payment. Since he has not brought the subject up, both in a call to the Tom Snyder radio show when I was on and in the 2600 letter, I will confirm the fact that his non-cooperation was due to our refusal to pay." Hafner continued "Mitnick's lack of cooperation certainly did not lead to any malice or bias directed toward him. Everything in the book is, to the best of my knowledge, factual and we did everything possible to insure its accuracy. We attempted to get a confirming source for everything we were told and interviewed dozens of persons for the Dark Hacker section alone." 'Kevin's lack of cooperation did make the job more difficult and, may have possibly hurt him. If he had been willing to talk, he would have had an opportunity to respond to other people's statements about him but, even though we sent him numerous "return receipt" and overnight letters asking him to meet with us, he refused. Two cases in point: in the 2600 letter, he says that we described him as always eating in a computer room while talking on the telephone to Bonnie, his future wife. He denies this and says that I was trying to 'paint an unsavory picture'. It was Bonnie who told us that he was always eating while he was talking -- we didn't make it up -- and without the ability to speak to him, we had to choose to go on." Hafner went on: "The second example is his statement that we said that he taunted USC's Mark Brown when, in fact, he 'never spoke with Mark Brown'. Brown says that he has definitely spoken to Mitnick and that he remembers the calls well and can call to mind details from them. If we had spoken to Mitnick, he would have had a chance to dispute such statements. In response to Mitnick's object to the authors' changing of items that would possibly identify DiCicco as an unemployment cheat, Hafner said "That was my call. We tried to protect identities wherever it was desired. Lenny asked us to change the name and we did just as we also used public aliases for 'Roscoe' and 'Susan Thunder' at their request. Contrary to Kevin's statement, Lenny has not been travelling around with us promoting the book and has received no benefit from it other than the ability to tell his story as he understands it." (Barbara E. McMullen & John F. McMullen/19911001) ------------------------------ Date: Tue, 17 Sep 91 11:24:04 CDT From: bei@DOGFACE.AUSTIN.TX.US(Bob Izenberg) Subject: File 3--Computer Security Basics --Review Just looking at the cover of Computer Security Basics (by Deborah Russell and G.T. Gangemi, Sr., published by O'Reilly & Associates, Inc.) tells you that something has changed at the publisher of the former Nutshell Handbook series. The traditional ORA mascot on the cover is replaced by an antique key. While such obvious symbolism can be forgiven, a book about security needs an animal on the cover... Something ferocious or watchful. Maybe a Doberman. Alas, this book should only get Spuds McKenzie. Spuds, as you recall, had even less claim to being a party animal humping a Budweiser Babe's leg. Spuds was in drag, a female dog labeled as a frat rat. Quel scandal! O'Reilly has become known for its how-to books for Unix programmers and programmer wannabees. Their choice of topics has been aimed at beginning to intermediate Unix users, with occasional surprises such as the book on Larry Wall's perl language. It's the past grounding in the practical workings of Unix's many moving parts that makes Computer Security Basics seem like such a leap into the troposphere. The intended audience seems to be not the user of small-to-medium Unix systems, but novices interested in a primer on U.S. Government security standards. It is a good enough buzzword lexicon to get somebody started on finding out more if the subject interests them. There are some things that should be taken with a grain of salt in the book, however. In the book's discussion of DES, for example, the authors downplay the concern over the NSA's limiting of the algorithm to 56 bit encoding by assuring us that no less august a scientific body than the U.S. Senate has "upheld the integrity of the DES." I don't mean to come down on one side of the DES standard issue or the other, and neither do the authors, apparently. The ambiguity that the reader might sense, in reading of the Senate's approval on one page and the NSA and ISO failure to adopt the standard on the next, will hopefully be a spur to do more reading on the subject. It skips lightly over the RSA algorithm, which is perhaps understandable if the patent-holders were in court when the book went to press. It also advocates use of Halon as a fire extinguishing gas, mentioning its toxicity to people but not its environmental effects. In short, it reads like a book written after a week spent at a security trade show. Hey, I've been there... After too many hospitality suites and pheromone-laced glossy brochures, a pencil sharpener driven by a Briggs and Stratton engine seems like it might just save the world. To those whose breathing becomes heavy just at the sight of numbered paragraphs or RFPs, these will seem to be empty quibbles. In sum, the book is a start for someone who needs to get the mindset of government-compliant security standards. For the faithful reader of other O'Reilly books, it may be akin to a Boston Marathon t-shirt on a flounder. ------------------------------ Date: Tue, 28 May 91 23:09 EST From: "Michael E. Marotta" <MERCURY@LCC.EDU> Subject: File 4--Steam age cyberpunk DIFFERENCE ENGINE, the May 1991 "steam punk" novel by William Gibson and Bruce Sterling, is a humorous and chilling historical fantasy. In this Britain of 1855 Charles Babbage's successful invention has made him a lord. Industries and individuals are controlled by ubiquitous engines. The best programmers call themselves "clackers" and the best clackers do graphics. Accelerated into explosive decline by exponential industrialization, London's ecology collapses in the Great Stink. There are subtler problems, too, and Lady Ada's mania for gambling is only one of them. The paleontologist spars with a copper: "If I model a phenomenon, does that mean I understand it? Or might it be simple coincidence, or an artifact of the technique? Of course, as an ardent simulationist, I put much faith in Engine-modeling. But the doctrine can be questioned, no doubt of it. Deep waters, Fraser! The sort of thing that Hume and Bishop Berkeley used to thrive on." Sterling and Gibson have modeled a cybernetic revolution. The steam-driven engines of Criminal Anthropometry, a section of the Bureau of Central Statistics, tag everyone in Britain --except for those people whose records have been expunged on secret orders, perhaps from Prime Minister Byron himself. More, clackers can, of course, be bribed, though it is far easier to _get_ information than to erase it. And yet, informatics and paleontology are not the whole of science. One character suffers from tertiary syphilis while his chiropractor treats him for "railway spine." Parents buy microscopes that allow clever children to see animicules even though this is considered of no practical use. While some newer lodgings have crappers, most people use chamber pots. The story's commoners wear fabrics with patterns created by engines -- complex, perhaps proto-fractal, some tagged with Lady Ada's name. Like those weaves, DIFFERENCE ENGINE, provides a woof and warp about life as it might have been. And yet, all stories are about Today. (Shakespeare's Julius Caesar was about his England and it will remain a popular story as long as there is government.) DIFFERENCE ENGINE reflects the sensibilities of our time. The patterns that evolve from this story include dark threads and bright. Criminals act as agents of the legislature and arcane programs crash mighty computers and radicals become the establishment. ------------------------------ Date: Sat, 28 Sep 91 20:52:41 EST From: Gene Spafford <spaf@CS.PURDUE.EDU> Subject: File 5--Errata to "Practical Unix Security" (See CUD 3.30 and 3.33 for reviews of this book, and comments.) O'Reilly & Associates has discovered that in the first printing of _Practical_UNIX_Security_ by Simson Garfinkel and Gene Spafford (June, 1991) a formatting error caused the grave quotes (%) in the shell scripts in our final PostScript files to be printed as forward quotes ('). Of course, this breaks the scripts and is certainly not what the authors, editor, or publisher intended. An errata sheet is available from the publisher that corrects the shell script examples and other minor technical errors found in the first printing. Please call O'Reilly & Associates at 1-800-338-6887 to obtain a copy of this sheet. Alternatively, you may send email to steph@ora.com, to request a copy of the errata sheet -- be sure to include your surface mail address. We apologize for any difficulties these errors may have caused. ------------------------------ Date: Sat, 14 Sep 1991 09:11:06 +0300 From: Jyrki Kuoppala <jkp@CS.HUT.FI> Subject: File 6--Living with the Law -- A view from Finland We live in a crazy society - every citizen is required to know the law and do nothing against the law, and simultaneously it's illegal for all practical purposes for citizens to copy the law without paying royalties to some organizations. This makes it very difficult to make free dissemination of the law via electronic media possible. In Finland, the law is published as collections of new laws given out by the government. I think this is the only official version of the law. The publications are printed by a company called The State Printing Center, which is a normal business-oriented company although owned by the government. The text of the law holds no copyright at this phase; I'm not sure if the Printing Center claims copyright to the format of the text. The trouble with these collections (Suomen S%%d|skokoelma), varying from a few pages to perhaps dozens of pages is that they're often %patches' to existing laws which state which paragraphs and sentences to be changed in a previous version of the law and so it's very difficult in practice to read the current law based on these. For example, to get the current patent law you need something like eight of these collections. The State Printing Center also publishes other documents. For example, to get the Finnish copyright law you can buy a book containing the current copyright law (and IC circuit model protection law). This book has all the patches collected into one document. But now, as the Printing Center is a business and the Finnish law has a %collection copyright', it is not legal to copy this book without the permission of the Printing Center. They claim copyright for the collection and perhaps also the layout/appearance of the book. From their point of view, this is understandable because they don't want anyone else to begin copying and selling the book - this would deprive them of some of their income. There's also another organization publishing the Finnish Law, %Suomen Lakimiesliitto', Finnish Lawyers' Union. Every two years, they publish a collection of all the laws. Now, they also want to make money and so claim copyright for their publication. I've been doing some investigations on getting the law on-line (for example to put it available via anonymous ftp) so everyone would get easy access to it. Now, the State Printing Center has the source for their publications on-line, and they are even willing to distribute the source, costing something like $15 / 1000 characters (just an estimate), covering the costs of processing of the text or something like that, with extra charges if extra work needs to be done (like for the patent law, for which they don't have a collection readily done but several different documents which need to be combined). The problem with this is that even if I buy the machine-readable text to the law, I'm not allowed to distribute it without permission from the Printing Center as they claim collection copyright (also copyright to the indices and such, but those are not essential). It's possible that I could get a permission for non-commercial distribution, but that's problematic - for example, is it then allowed to be put on a BBS which charges $10 / year as a membership fee? Or a BBS which charges $1/hour for connect time? As for the Finnish Lawyers Union, I inquired them about the availability of all of the law. This was my first phone call to them, and the person said that they will take appropriate action (I interpreted that to mean they will sue me ;-) if I distribute the publication (I talked about OCRing the book and taking only the portions that contain the law, not any others possibly written by the Union). Now, in principle there's no problem with this - all legal and clear, and I can of course OCR the official version of the law and apply the patches myself and put it up for anonymous ftp, but that'd be a hell of a lot of work. I suppose I could even get the text machine-readable for the processing fees from the Printing Center. But in practice, this would require a lot of work and then I could claim copyright for the collection and require licenses for everyone who uses this - one could argue I'd need to do that in order to get the money needed for all the work. The situation also raises some responsibility issues - as the official law is pretty much unusable, the law enforcement and the government probably uses the other publications from the State Printing Center and the Layers' Union. What if there's a misprint in one of these? What if someone deliberately changes something in the unofficial versions? Perhaps we should start lobbying a law to make the copyright for the law to be something like the GNU copyleft. ------------------------------ Date: Sun, 29 Sep 91 22:21:38 PDT From: halcyon!walter@SUMAX.SEATTLEU.EDU Subject: File 7--Let's Get It Right. ((Moderators' Note--Walter Scott is SysOp of a small semi-public BBS in Seattle called Writers Happy Hours. Writers Happy Hours is dedicated to serving literary writers and others with related interests)). Now that the dust has settled [just a bit] in the infamous "download tax" controversy coming out of New York state, it's time to take stock -- to analyze where we're at and what has happened. This is important for at least a couple of reasons. (1) Mistakes were made in this episode of telecomputing history. We must learn from them and not make them again. (2) We must sort out the real dangers from paranoia. In 1987, the telecomputing community rose up in an unprecedented manner to fight a proposed rulemaking which would remove a communications surcharge exemption for certain electronic data services. This would have ultimately made it more expensive for people to access ESP [ENHANCED SERVICE PROVIDER] electronic data services, of certain types, available by modem. At the time, CompuServe was at the center of activism -- mostly because CompuServe had a serious stake in the outcome of the NPRM [NOTICE FOR PROPOSED RULEMAKING] from the FCC. The NPRM would have implemented a surcharge on various ESPs (including CompuServe) if the rulemaking went unchallenged. Modem enthusiasts rallied in opposition to the surcharge from across the country. Their comments and actions played an important role in the eventual tabling of the NPRM by the FCC. After the surcharge incident, people who operate and/or use electronic bulletin board systems have become hyper-sensitive to any and all references made to modem-based telecommunications by government infrastructures or telephone companies. Unfortunately, that hyper-sensitivity has a disastrous downside. In the past 3 years, there have been recurring instances where the old surcharge case is somehow resurrected as though the FCC was "at it again". The same messages and references appear repeatedly. People like Jim Eason (cited as a source of information at KGO radio in San Francisco in many bogus alert files) are likely to be sick of the constant phone calls asking about a surcharge which Eason or his staff must explain is a matter of PAST history as looming threats go. Even the FCC has found it necessary to run ads in major daily newspapers to dispel rumor and/or innuendo. Also, some members of Congress probably receive mail on the surcharge in the present, and may receive mail on it in the future. As was in evidence through material appearing in CuD 3.34, it seems the New York state sales tax on prewritten software is yet another case where the fight/flight syndrome kicks in too easily. There is clear indication that many ASSUMPTIONS were made as opposed to very little careful verification of the facts. What makes this worse is that an ostensibly reputable SysOps organization in New York brought this matter into prominent exposure without properly investigating the facts. People panicked, and bureaucrats were besieged with phone calls from modemers and SsyOps who launched into tirades over a tax on things that were not and are not taxed in New York state. Legislators received the same kind of phone calls and mail. Their staff went to the trouble of contacting bureaucrats and verifying information passed on to them by irate modem users. Such activity will continue while messages and text files containing inaccurate information continue to proliferate. All this turns out to be as embarrassing as, if not more than, the recurring surcharge rumors. These incidents generate credibility issues. It was pointed out to me, by James Morris at the New York state Department of Taxation & Finance, that we, who use modems and run bulletin board systems, have a tremendous information network by which we keep each other informed and initiate action. No greater compliment can be paid to us as modem users and SysOps. We, as modem users and SysOps, have tremendous power due to the nature of the very medium we work and play in. Along with that power comes an equally awesome responsibility. Responsibility, thy name is "CREDIBILITY". We *MUST* be credible. We can collectively cry wolf so many times before those in the position to change things --politicians, judges, and bureaucrats -- will ignore us. If we're gonna do it, let's do it right. Let's be certain we have the FACTS before we sound the battle claxons. Let's empower each other with information that allows us to easily contact key sources of information to verify that information. Let's make certain that provided information is as accurate as possible when WE are the providers -- straight "from the horse's mouth", as it were. When it comes to empowering your fellow modem user with critical information requiring a pointed response in venues not limited to but generally separate from cyberspace itself, you should put on your JOURNALIST'S cap and wear it well. Ask and ask again? Verify and REverify. Whether our tremendous ability to network will be of any use to us depends on how credible we're assessed to be by those who generally don't hangout in cyberspace. Now, on to the second point. The same material in CuD gives us some gems in-the-rough. They're difficult to see since they're mixed in with misinformation and associated emotionally oriented calls for action. One of the dangers in situations, such as the software sales tax debacle, are tendencies to glide past issues that may be core issues but require CAREFUL THOUGHT AND ANALYSIS before one can conceptualize the importance of the issue. This seems to be happening in the New York state software sales tax debacle. Even though several people have pointed out a significant truth, which begs for action every bit as much as the purported "download tax", the BBS community of New York and the U.S. is not reacting with the tenacity it invoked over the possibility of taxation on systems supporting upload/download ratios. Thus, if this had been an attempt to use smoke and mirrors to deflect people from the REAL issues, it would have worked very nicely. As you may recall, the New York state Department of Taxation & Finance has asserted, without contradiction, that there is a longstanding sales tax on information services. This tax can be, has been, and probably will be, applied to electronic bulletin board systems in New York state. NYS T&F also does not claim that upload/download ratios won't be considered a taxable event IN THE FUTURE. NYS T&F Regulations Specialist James Morris went to greats pains in illustrating to me that standing tax codes certainly support such a FUTURE interpretation. Ergo, the sword precariously swings. Until modem users and SysOps of New York went into action, NYS T&F knew little or nothing of the BBS community. They are now ACUTELY aware of the BBS community and how it functions. NYS T&F can be likened to the giant in "Jack & The Beanstalk". For a time, the giant went unaware of Jack's presence. But when he finally became aware.... Well, we must remember that New York state is desperate for revenue. Will bulletin board systems become a means to help fill in financial gaps? To what extent? Should protective legislation be initiated? Should tax codes be more specific about who can be taxed and under what circumstances? What about the relationship of free speech via the various functions of bulletin board systems -- including file exchange of newsletters containing important information? [Note that CuD makes its way into a lot of download directories on bulletin board systems across the U.S.] Has anyone checked statutes in their own state to see if there might be a sleeping giant about to wake? ------------------------------ Date: Tue, 27 Aug 91 21:36 EDT From: "Silicon Surfer" <unixville@news.group.com> Subject: File 8--"Phone Gall" (AT&T sues users)(Infoworld reprint) Phone Gall InformationWeek, Aug. 26, 1991, pp.12-13 (By Mary E. Thyfault with Diane Medina and Bob Violino) AT&T has sued nearly 20 of its large business users for refusing to pay for calls made by hackers through their corporate telephone In recent months, the question of whether businesses victimized by phone hackers should be forced to pay for such calls has stirred acrimonious debate and prompted numerous actions before the Federal Communications Commission. Estimates of the corporate monies lost annually to phone hackers begin at $500 million and go into the billions. Now an InformationWeek investigation reveals a broad effort by AT&T to shift this debate to the courts. Among the corporations AT&T has quietly sued are Avis Rent-A-Car System Inc., FMC Corp., Citgo Petroleum Corp., Procter & Gamble Co., and Perkin-Elmer Corp. (see below). In the largest such lawsuit uncovered by IW, the United Nations was the victim of nearly $1 million in unauthorized calls. While the existence of these lawsuits remains unknown to most large users, AT&T has been playing legal hardball with corporate customers for at least a year, in most cases collecting fees in confidential, out-of-court settlements. It appears no case has yet reached the trial stage. The fact that users back down is no surprise; AT&T is a $36.11 billion behemoth with a crack legal staff. The mere threat of a lawsuit is enough to force most firms to pull out their checkbooks. "Who can afford to go to court with the phone company?" asks Roger Longtin, counsel for electronics component distributor Avnet Inc. in Great Neck, N.Y. , which is currently negotiating with AT&T over nearly $1 million in disputed charges. AT&T's long-distance rivals MCI Communications Corp. and US Sprint Communications Co. say they have not sued any users over this issue, and IW could find no evidence of any legal actions. Such a suit, explains a spokesman for MCI, "is a good way to lose a customer". One analyst argues, however, that MCI and Sprint can't afford to be nice guys much longer. "I'd be surprised if MCI and Sprint didn't file suits - uncollectibles have been a horrendous problem in the long-distance business," says John Bain, senior VP at Raymond James & Associates Inc. in St. Petersburg, Fla. One lawyer who has represented corporate victims of toll fraud says the out-of-court settlements always involve some payments by customers. AT&T typically starts negotiations by knocking 15% off the user's bill, he says; that's about the break-even point for AT&T's profit on long-distance calls, according to analysts. AT&T does not discuss litigation, a spokesman says. Some customers are enraged at AT&T and the telecom industry over this issue. They argue that the carriers and PBX vendors are not providing enough warning, training, or support. "The carriers should do away with the attitude of 'The customer should've known,'" charges Tim Honaker CFO for Dearborn Financial Publishing lnc. in Chicago, which has been hacked for $65,000. The telcom suppliers "come in with these great technologies and then say, 'By the way, you gotta figure out how to manage this thing on your own.' Well, we're not in that business." Suppliers should at least share in the responsibility and liability for phone fraud charges, according to victims. Vendors respond that telecom managers can virtually end fraud by properly managing their phone systems, particularly remote access features. Some users agree. Says Jay Silverberg, president of the National Rolm Users Group, "Although from a technical perspective the vendor has the responsibility to provide the ability to make a system secure, it's the user's responsibility to manage it." The software to monitor such systems isn't cheap, however-about $120,000 on average-and "it can only cut down the hemorrhaging, not eliminate hacking," says James Ross of Ross Engineering Inc., a software engineering firm in Sterling, Va. Most victims argue that carriers have the technology to detect hacking at their fingertips. While the victims' attorneys say AT&T hasn't improved its security measures, all the carriers and the major PBX vendors-Northern Telecom, Rolm Co., and the business telephone unit of AT&T-say they are putting increasing emphasis on helping users fight phone hacking. AT&T offers seminars at every user group meeting, for example, and Rolm announced in April it would begin assigning a security coordinator in each of its 31 branch locations. Currently, AT&T has seven fulltime staffers charged with educating customers and investigating fraud cases. Users claim that number is woefully low. (Meanwhile, the number of AT&T lawyers pursuing litigation in this area is, an AT&T spokesman admits, "probably in the tens.") AT&T has 40,000 PBX installations and 4 million business long-distance customers. "If they really want to protect the public, they need to hire more like 700 people," says Charles Helein, a Washington attorney who has represented several toll fraud victims. AT&T says it will add three more staffers next month. Some users even claim AT&T is not devoting more resources to ending toll fraud because it is making too much money on such calls-a charge AT&T vehemently denies. "If you significantly cut phone fraud, you have to wonder what kind of impact it would have on their revenue," says Thomas Crowe, attorney for Chartways Technologies Inc. in Rockville, Md., which suffered $81,789 in unauthorized calls. "That's ludicrous," says an AT&T spokesman. "AT&T devotes enormous resources to this." The company argues that it is doing more than required. On a weekly basis, AT&T monitors the three area codes in South America and Central America that receive the most illegal calls. When a sudden increase in volume is noted, AT&T tries to notify customers, reaching about 25%, of them before they themselves notice the break-in. "I can't tell you that every week we get to everyone, but we attempt to based on our resources," says Robert Carman, head of AT&T's corporate security division. Still, the FCC says all complaints filed to date by users over this issue have involved AT&T. Frank Chrz, VP of office services at ITT Consumer Financial Corp. in Minneapolis, says AT&T "was very responsive" in helping him detect and stop the hackers that penetrated his company's Rolm PBX, racking up $100,000 in charges. But that cooperation ended when the bill came due and ITT refused to pay. AT&T sued ITT, which promptly sued both Rolm and Rolm's PBX distributor. All four settled out of court. At least two other users have sued their PBX vendors after being sued by AT&T: New York City Human Resources Administration sued Northern Telecom Inc., and Western Diversified Life Insurance Co. in Deerfield, Ill., countersued AT&T as both its PBX supplier and long-distance carrier. In another twist, two corporations sued AT&T before AT&T could sue them: Mitsubishi International Corp. in New York (IW, June 24,p.14) and John D. Hollingsworth On Wheels Inc. in Greenville, S.C. Despite all the complex legal maneuvering, every case eventually comes down to finger-pointing. No one wants to accept responsibility for toll fraud. Until now, the FCC has typically ruled against users, but mounting corporate anger may mean the commission will impose some sort of liability ceiling. What is clear is that users and vendors will have to work together to solve the problem. "In no way are we inferring we can catch everything," says Bob Fox, Sprint's assistant VP of corporate security. "The majority of the time we're getting to the customer before he knows what's going on. But we're not going to catch everything every time. It takes teamwork. "The customer is going to get hurt if we do our thing but he doesn't do his, or vice versa." -Mary E. Thyfault with Diane Medina and Bob Violino ------------------------------ Date: Thu, 3 Oct 91 11:10:04 EDT From: server@STORMKING.COM(Storm King ListServ Account) Subject: File 9--Announcement NIA & Phrack Inc present: "It is useless to resist us." The second annual, X M A S C O N '91 Where: Houston, TX When: December 27th-29th 1991 Who: All Hackers, Journalists, Security Personnel and Federal Agents Well, it's getting closer.. HoHoCon is coming up and we plan on having the biggest gathering of Hackers ever! This event is going to be public. Sponsors include members of NIA Magazine, Phrack Inc, dFx/Neon Knights and cDc. Hotel and reservation information will be announced at a later date. Anyone is welcome to attend, and we encourage you to be there. Keep the Faith & cya' at HoHoCon! ------------------------------ Date: Sat, 21 Sep 91 18:52:56 EDT From: "Anonymous" <anonymous@noaddress.etc> Subject: File 10--Cyberspace Conference in Montreal THE THIRD INTERNATIONAL CONFERENCE ON CYBERSPACE MONTREAL, QUEBEC MAY 22-23, 1992 Sponsored and hosted by DEPARTMENT OF COMPARATIVE LITERATURE, UNIVERSITY OF MONTREAL and GROUP FOR THE STUDY OF VIRTUAL SYSTEMS, U.California, Santa Cruz ANNOUNCEMENT AND CALL FOR PAPERS The Third International Conference on Cyberspace will be held May 22--23 1992 at the University of Montreal. This is a call for abstracts, approximately fifteen of which will be selected for development and presentation at the Conference. All papers, and a number of selected abstracts, will be published in Proceedings, available late 1992. Abstracts should be between 600 and 1000 words, and are due by December 15, 1991. Submission of an abstract indicates the submitter's intention and capability to write and present the corresponding, full length paper, if chosen. Participation in the Conference is limited to 140 people in the following categories: 1. Participants who have been invited to present papers based on their abstracts. (Limit 15) 2. Participants who have submitted abstracts judged by the Program Committee to be of particular interest. (Limit 35) 3. Participants with creative and clearly stated interests in the topic who are involved with work on cyberspace in any capacity. (Limit 60) 4. Visitors & observers, who are not actively working in the field at this time but who have expressed interest in the subject. (Limit 30) Like the First Conference at Austin in 1990, and the Second International Conference in Santa Cruz in 1991, the Third International Conference on Cyberspace is not only about the enabling technology of virtual reality, 3-D user interfaces, networking, data visualization, or high speed computer graphics, but also the nature of cyberspace as such, conceived of as an independent realm, a shared virtual environment whose inhabitants, objects and spaces are data, but data which is visualized, heard and (perhaps) touched. It seeks to reach an understanding of how the components of cyberspace already "under construction" in the development and design of graphic user interfaces, scientific visualization techniques, video games, CAD, abstract architecture and architectural design theory, knowledge navigation, "cyberpunk" discourse, cultural studies, film and narrative theory, virtual and artificial reality systems, MUDs, INTERNET, USENET and other networks, groupware, and hypermedia might someday function together to create a true, public cyberspace, as well as private, special-purpose cyberspaces. ------------------------------ Date: Thu, 26 Sep 91 00:25:50 MDT From: mbarry@ISIS.CS.DU.EDU(Marshall Barry) Subject: File 11--Conference Info and Press Releases Contact: Terry Travis or Michelle Weisblat Telephone: (303) 426-1847 IBECC, a non-profit educational, literary and scientific society, is sponsoring the 1992 International BBSing and Electronic Commu- nications Conference to be held August 13-16, 1992 in Denver, Colorado. The theme of IBECC '92 will be "Socially Responsible Computing." There will be panels on such diverse topics as "Safe Computing" [How to Prevent the Spread of Computer Infection], "Why Kelly CAN Read" [Exploring Computers, BBSing, and Education], and "Staying Alive" [Computing and the Physically Challenged and Homebound]. Membership in IBECC, including the 1992 annual conference, is $80.00 (US) through September, 1991 and $125.00 from October 1, 1991 through May, 1992. Membership also includes the IBECC Newsletter, access to the IBECC Electronic Bulletin Board, and discounts on several services. The conference will be held at the Sheraton Denver West Hotel and Conference Center, Lakewood, Colorado. Room rates start at $62.00 (US + tax) per night; contact the hotel at 1-800-LAKEWOOD, or (303) 987-2000, for reservations. ------------------------------ End of Computer Underground Digest #3.35 ************************************