Computer Underground Digest--Fri, Oct 4, 1991 (Vol #3.35)

       Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)

CONTENTS, #3.35 ( October 4, 1991)
Subject: File 1--Moderators' Corner
Subject: File 2--Cyperpunk Author Responds to Mitnick Charges
Subject: File 3--Computer Security Basics review
Subject: File 4--Steam age cyberpunk
Subject: File 5--Errata to "Practical Unix Security"
Subject: File 6--Living with the Law -- A view from Finland
Subject: File 7--Let's Get It Right.
Subject: File 8--"Phone Gall" (AT&T sues users)(Infoworld reprint)
Subject: File 9--Announcement
Subject: File 10--Cyberspace Conference in Montreal
Subject: File 11--Conference Info and Press Releases

Issues of CuD can be found in the Usenet alt.society.cu-digest news
group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG,
and DL0 and DL12 of TELECOM, on Genie, on the PC-EXEC BBS at (414)
789-4210, and by anonymous ftp from ftp.cs.widener.edu (147.31.254.20),
chsun1.spc.uchicago.edu, and dagon.acc.stolaf.edu.  To use the U. of
Chicago email server, send mail with the subject "help" (without the
quotes) to archive-server@chsun1.spc.uchicago.edu.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted as long as the source
is cited.  Some authors do copyright their material, and they should
be contacted for reprint permission.  It is assumed that non-personal
mail to the moderators may be reprinted unless otherwise specified.
Readers are encouraged to submit reasoned articles relating to the
Computer Underground.  Articles are preferred to short responses.
Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

----------------------------------------------------------------------

Date: 4 Oct 91 11:21:19 CDT
From: Moderators <tk0jut2@mvs.cso.niu.edu>
Subject: File 1--Moderators' Corner

++++++++++++++++++++++
WIDENER FTP SITE ADDRESS INFO
++++++++++++++++++++++

The latest change for the WIDENER FTP SITE: The IP for
ftp.cs.widener.edu will continue to be the address 147.31.254.132 (not
147.31.254.20).  Since it probably wasn't mentioned, the official
transition is now 192.55.239.132 -> 147.31.254.132.

++++++++++++++++++
'ZINE ALERT
++++++++++++++++++

2600: THE HACKER QUARTERLY (summer, '91) is out and contains the the
usual collection of excellent articles. Two of them are especially
worth the sub price. "Where Have all the Hackers Gone," an editorial,
argues that there are as many hackers around as ever, but are becoming
invisible because of the abuse of law enforcement hysteria.  A second
piece, a letter by Kevin Mitnick, complains that Hafner and Markoff's
_Cyberpunk_ was slanted against Mitnick because of his "refusal" to
cooperate (see NEWSBYTE reprint this issue).  Information on 2600 can
be obtained from emmanuel@well.sf.ca.us or by writing to: 2600
Magazine; PO Box 752; Middle Island, NY 11953.

+++++++++++
BOARDWATCH
+++++++++++

We continue to be impressed with BOARDWATCH. Although not CU, it is
the best BBS 'zine out, and the current issue (Sept '91) includes some
first-rate articles on the international BBS scene, featuring boards
in Mexico and an interview with Pete Perkins of JANUS BBS in Tokyo.
There's also a nice piece on how to run a BBS for profit, along with
the usual general news and blurbs of the "straight" BBS scene
nationwide. $36 a year brings 12 issues, and you can sub by writing:
Boardwatch Magazine; 5970 S. Vivian Street; Littleton, CO 80127. Or,
drop a note to the editor, Jack Rickard at jack.rickard@csn.org

+++++++++++++++++++
GERALDO AND THE CU
+++++++++++++++++++

We've received a number of blurbs about the Geraldo schtick last week.
Guests included Craig Neidorf, Emmanuel Goldsten (2600), Don Ingraham
(Marin County, Calif, prosecutor), and, of course, Geraldo himself.
CuD will run a special issue in a few weeks, but it sounds, from the
reports we've received, like the usual Jerry Rivers sensationalism.
We're told that Jerry/Geraldo referred to Craig as the "most notorious
hacker in America," that Ingraham made remarks bordering on slander
(of Craig), and that Craig's primary flaw was that he tried to be
reasonable and display some class in what some described as a "swine
pit of muck and lies." We'll try to extract the transcripts in CuD
3.36.

------------------------------

Date: Tue, 1 Oct 91 23:09 EST
From: "NEWSBYTES" <mcmullen@well.sf.ca.us>
Subject: File 2--Cyperpunk Author Responds to Mitnick Charges

JEFFERSON VALLEY, NEW YORK, U.S.A., 1991 OCT 1 (NB) -- Cyberpunk
co-author Katie Hafner, in an interview with Newsbytes, has responded
to allegations of fabrication raised by Kevin Mitnick, one of the main
subjects of the book.

Cyberpunk: Outlaws and Hackers on the Computer Frontier (Katie Hafner
and John Markoff; Simon & Schuster, 1991 - $22.95) devotes the first
section of the book called "Kevin: The Dark Side Hacker" to the
activities of Mitnick and his associates, Lenny DiCicco, "Susan
Thunder" and "Roscoe" (the last two names are pseudonyms; the persons
would be interviewed only under the protection of anonymity). Mitnick,
who served a prison term related to his intrusions into Digital
Equipment Corporation's systems, says in a letter to the Summer 1991
issue of 2600: The Hacker Quarterly that the section concerning him
"is 20% fabricated and libelous."

Mitnick, in the letter, suggests that the authors had motivation for
the alleged unfairness. He said  "It seems that the authors acted with
malice to cause me harm after my refusal to cooperate. Interestingly,
I did offer to participate as a factual information source if I was
compensated for my time, but the authors refused, claiming it would
taint my objectivity. So, consequently, I declined to cooperate."

Hafner confirmed that Mitnick had refused cooperation after his offer
to meet for pay was rejected but denied that his action caused any
malicious or unfair behavior. She said "I feel that the payment of
interview subjects is completely unethical and I have never been
involved in such a thing and did not intend to start then. We
mentioned in the book that Kevin had refused to cooperate but did not
reveal that he had asked for payment. Since he has not brought the
subject up, both in a call to the Tom Snyder radio show when I was on
and in the 2600 letter, I will confirm the fact that his
non-cooperation was due to our refusal to pay."

Hafner continued "Mitnick's lack of cooperation certainly did not lead
to any malice or bias directed toward him. Everything in the book is,
to the best of my knowledge, factual and we did everything possible to
insure its accuracy. We attempted to get a confirming source for
everything we were told and interviewed dozens of persons for the Dark
Hacker section alone."

'Kevin's lack of cooperation did make the job more difficult and, may
have possibly hurt him. If he had been willing to talk, he would have
had an opportunity to respond to other people's statements about him
but, even though we sent him numerous "return receipt" and overnight
letters asking him to meet with us, he refused. Two cases in point: in
the 2600 letter, he says that we described him as always eating in a
computer room while talking on the telephone to Bonnie, his future
wife. He denies this and says that I was trying to 'paint an unsavory
picture'. It was Bonnie who told us that he was always eating while he
was talking -- we didn't make it up -- and without the ability to
speak to him, we had to choose to go on."

Hafner went on: "The second example is his statement that we said that
he taunted USC's Mark Brown when, in fact, he 'never spoke with Mark
Brown'. Brown says that he has definitely spoken to Mitnick and that he
remembers the calls well and can call to mind details from them. If we
had spoken to Mitnick, he would have had a chance to dispute such
statements.

In response to Mitnick's object to the authors' changing of items that
would possibly identify DiCicco as an unemployment cheat, Hafner said
"That was my call. We tried to protect identities wherever it was
desired. Lenny asked us to change the name and we did just as we
also used public aliases for 'Roscoe' and 'Susan Thunder' at their
request. Contrary to Kevin's statement, Lenny has not been travelling
around with us promoting the book and has received no benefit from it
other than the ability to tell his story as he understands it."

(Barbara E. McMullen & John F. McMullen/19911001)

------------------------------

Date: Tue, 17 Sep 91 11:24:04 CDT
From: bei@DOGFACE.AUSTIN.TX.US(Bob Izenberg)
Subject: File 3--Computer Security Basics --Review

Just looking at the cover of Computer Security Basics (by Deborah
Russell and G.T. Gangemi, Sr., published by O'Reilly & Associates,
Inc.) tells you that something has changed at the publisher of the
former Nutshell Handbook series.  The traditional ORA mascot on the
cover is replaced by an antique key.  While such obvious symbolism can
be forgiven, a book about security needs an animal on the cover...
Something ferocious or watchful.  Maybe a Doberman.  Alas, this book
should only get Spuds McKenzie.  Spuds, as you recall, had even less
claim to being a party animal humping a Budweiser Babe's leg.  Spuds
was in drag, a female dog labeled as a frat rat.  Quel scandal!

O'Reilly has become known for its how-to books for Unix programmers
and programmer wannabees.  Their choice of topics has been aimed at
beginning to intermediate Unix users, with occasional surprises such
as the book on Larry Wall's perl language.  It's the past grounding in
the practical workings of Unix's many moving parts that makes Computer
Security Basics seem like such a leap into the troposphere.  The
intended audience seems to be not the user of small-to-medium Unix
systems, but novices interested in a primer on U.S. Government
security standards.  It is a good enough buzzword lexicon to get
somebody started on finding out more if the subject interests them.

There are some things that should be taken with a grain of salt in the
book, however.  In the book's discussion of DES, for example, the
authors downplay the concern over the NSA's limiting of the algorithm
to 56 bit encoding by assuring us that no less august a scientific
body than the U.S. Senate has "upheld the integrity of the DES."  I
don't mean to come down on one side of the DES standard issue or the
other, and neither do the authors, apparently.  The ambiguity that the
reader might sense, in reading of the Senate's approval on one page
and the NSA and ISO failure to adopt the standard on the next, will
hopefully be a spur to do more reading on the subject.  It skips
lightly over the RSA algorithm, which is perhaps understandable if the
patent-holders were in court when the book went to press.  It also
advocates use of Halon as a fire extinguishing gas, mentioning its
toxicity to people but not its environmental effects.  In short, it
reads like a book written after a week spent at a security trade show.
Hey, I've been there...  After too many hospitality suites and
pheromone-laced glossy brochures, a pencil sharpener driven by a
Briggs and Stratton engine seems like it might just save the world.
To those whose breathing becomes heavy just at the sight of numbered
paragraphs or RFPs, these will seem to be empty quibbles.

In sum, the book is a start for someone who needs to get the mindset
of government-compliant security standards.  For the faithful reader
of other O'Reilly books, it may be akin to a Boston Marathon t-shirt
on a flounder.

------------------------------

Date: Tue, 28 May 91 23:09 EST
From: "Michael E. Marotta" <MERCURY@LCC.EDU>
Subject: File 4--Steam age cyberpunk

DIFFERENCE ENGINE, the May 1991 "steam punk" novel by William Gibson
and Bruce Sterling, is a humorous and chilling historical fantasy.  In
this Britain of 1855 Charles Babbage's successful invention has made
him a lord.  Industries and individuals are controlled by ubiquitous
engines. The best programmers call themselves "clackers" and the best
clackers do graphics.

Accelerated into explosive decline by exponential industrialization,
London's ecology collapses in the Great Stink.  There are subtler
problems, too, and Lady Ada's mania for gambling is only one of them.

The paleontologist spars with a copper: "If I model a phenomenon, does
that mean I understand it?  Or might it be simple coincidence, or an
artifact of the technique?   Of course, as an ardent simulationist, I
put much faith in Engine-modeling.  But the doctrine can be questioned,
no doubt of it.  Deep waters, Fraser!  The sort of thing that Hume and
Bishop Berkeley used to thrive on."  Sterling and Gibson have modeled
a cybernetic revolution.

The steam-driven engines of Criminal Anthropometry, a section of the
Bureau of Central Statistics, tag everyone in Britain --except for
those people whose records have been expunged on secret orders,
perhaps from Prime Minister Byron himself.  More, clackers can, of
course, be bribed, though it is far easier to _get_ information than
to erase it.

And yet, informatics and paleontology are not the whole of science.
One character suffers from tertiary syphilis while his chiropractor
treats him for "railway spine."  Parents buy microscopes that allow
clever children to see animicules even though this is considered of no
practical use.  While some newer lodgings have crappers, most people
use chamber pots.

The story's commoners wear fabrics with patterns created by engines --
complex, perhaps proto-fractal, some tagged with Lady Ada's name. Like
those weaves, DIFFERENCE ENGINE, provides a woof and warp about life
as it might have been.  And yet, all stories are about Today.
(Shakespeare's Julius Caesar was about his England and it will remain
a popular story as long as there is government.)  DIFFERENCE ENGINE
reflects the sensibilities of our time.  The patterns that evolve from
this story include dark threads and bright.  Criminals act as agents
of the legislature and arcane programs crash mighty computers and
radicals become the establishment.

------------------------------

Date: Sat, 28 Sep 91 20:52:41 EST
From:         Gene Spafford <spaf@CS.PURDUE.EDU>
Subject: File 5--Errata to "Practical Unix Security"

(See CUD 3.30 and 3.33 for reviews of this book, and comments.)

O'Reilly & Associates has discovered that in the first printing of
_Practical_UNIX_Security_ by Simson Garfinkel and Gene Spafford (June,
1991) a formatting error caused the grave quotes (%) in the shell
scripts in our final PostScript files to be printed as forward quotes
(').  Of course, this breaks the scripts and is certainly not what the
authors, editor, or publisher intended.

An errata sheet is available from the publisher that corrects the
shell script examples and other minor technical errors found in the
first printing.  Please call O'Reilly & Associates at 1-800-338-6887
to obtain a copy of this sheet.  Alternatively, you may send email to
steph@ora.com, to request a copy of the errata sheet -- be sure to
include your surface mail address.

We apologize for any difficulties these errors may have caused.

------------------------------

Date: Sat, 14 Sep 1991 09:11:06 +0300
From: Jyrki Kuoppala <jkp@CS.HUT.FI>
Subject: File 6--Living with the Law -- A view from Finland

We live in a crazy society - every citizen is required to know the law
and do nothing against the law, and simultaneously it's illegal for
all practical purposes for citizens to copy the law without paying
royalties to some organizations.  This makes it very difficult to make
free dissemination of the law via electronic media possible.

In Finland, the law is published as collections of new laws given out
by the government.  I think this is the only official version of the
law.  The publications are printed by a company called The State
Printing Center, which is a normal business-oriented company although
owned by the government.  The text of the law holds no copyright at
this phase; I'm not sure if the Printing Center claims copyright to
the format of the text.

The trouble with these collections (Suomen S%%d|skokoelma), varying
from a few pages to perhaps dozens of pages is that they're often
%patches' to existing laws which state which paragraphs and sentences
to be changed in a previous version of the law and so it's very
difficult in practice to read the current law based on these.  For
example, to get the current patent law you need something like eight
of these collections.

The State Printing Center also publishes other documents.  For
example, to get the Finnish copyright law you can buy a book
containing the current copyright law (and IC circuit model protection
law).  This book has all the patches collected into one document.  But
now, as the Printing Center is a business and the Finnish law has a
%collection copyright', it is not legal to copy this book without the
permission of the Printing Center.  They claim copyright for the
collection and perhaps also the layout/appearance of the book.  From
their point of view, this is understandable because they don't want
anyone else to begin copying and selling the book - this would deprive
them of some of their income.

There's also another organization publishing the Finnish Law, %Suomen
Lakimiesliitto', Finnish Lawyers' Union.  Every two years, they
publish a collection of all the laws.  Now, they also want to make
money and so claim copyright for their publication.

I've been doing some investigations on getting the law on-line (for
example to put it available via anonymous ftp) so everyone would get
easy access to it.  Now, the State Printing Center has the source for
their publications on-line, and they are even willing to distribute
the source, costing something like $15 / 1000 characters (just an
estimate), covering the costs of processing of the text or something
like that, with extra charges if extra work needs to be done (like for
the patent law, for which they don't have a collection readily done
but several different documents which need to be combined).

The problem with this is that even if I buy the machine-readable text
to the law, I'm not allowed to distribute it without permission from
the Printing Center as they claim collection copyright (also copyright
to the indices and such, but those are not essential).  It's possible
that I could get a permission for non-commercial distribution, but
that's problematic - for example, is it then allowed to be put on a
BBS which charges $10 / year as a membership fee?  Or a BBS which
charges $1/hour for connect time?

As for the Finnish Lawyers Union, I inquired them about the
availability of all of the law.  This was my first phone call to them,
and the person said that they will take appropriate action (I
interpreted that to mean they will sue me ;-) if I distribute the
publication (I talked about OCRing the book and taking only the
portions that contain the law, not any others possibly written by the
Union).

Now, in principle there's no problem with this - all legal and clear,
and I can of course OCR the official version of the law and apply the
patches myself and put it up for anonymous ftp, but that'd be a hell
of a lot of work.  I suppose I could even get the text
machine-readable for the processing fees from the Printing Center.
But in practice, this would require a lot of work and then I could
claim copyright for the collection and require licenses for everyone
who uses this - one could argue I'd need to do that in order to get
the money needed for all the work.

The situation also raises some responsibility issues - as the official
law is pretty much unusable, the law enforcement and the government
probably uses the other publications from the State Printing Center
and the Layers' Union.  What if there's a misprint in one of these?
What if someone deliberately changes something in the unofficial
versions?

Perhaps we should start lobbying a law to make the copyright for the
law to be something like the GNU copyleft.

------------------------------

Date: Sun, 29 Sep 91 22:21:38 PDT
From: halcyon!walter@SUMAX.SEATTLEU.EDU
Subject: File 7--Let's Get It Right.

((Moderators' Note--Walter Scott is SysOp of a small semi-public BBS
in Seattle called Writers Happy Hours.  Writers Happy Hours is
dedicated to serving literary writers and others with related
interests)).

Now that the dust has settled [just a bit] in the infamous "download
tax" controversy coming out of New York state, it's time to take stock
-- to analyze where we're at and what has happened. This is important
for at least a couple of reasons. (1) Mistakes were made in this
episode of telecomputing history. We must learn from them and not make
them again. (2) We must sort out the real dangers from paranoia.

In 1987, the telecomputing community rose up in an unprecedented
manner to fight a proposed rulemaking which would remove a
communications surcharge exemption for certain electronic data
services. This would have ultimately made it more expensive for people
to access ESP [ENHANCED SERVICE PROVIDER] electronic data services, of
certain types, available by modem. At the time, CompuServe was at the
center of activism -- mostly because CompuServe had a serious stake in
the outcome of the NPRM [NOTICE FOR PROPOSED RULEMAKING] from the FCC.
The NPRM would have implemented a surcharge on various ESPs (including
CompuServe) if the rulemaking went unchallenged.

 Modem enthusiasts rallied in opposition to the surcharge from across
the country. Their comments and actions played an important role in
the eventual tabling of the NPRM by the FCC. After the surcharge
incident, people who operate and/or use electronic bulletin board
systems have become hyper-sensitive to any and all references made to
modem-based telecommunications by government infrastructures or
telephone companies. Unfortunately, that hyper-sensitivity has a
disastrous downside.

In the past 3 years, there have been recurring instances where the old
surcharge case is somehow resurrected as though the FCC was "at it
again". The same messages and references appear repeatedly. People
like Jim Eason (cited as a source of information at KGO radio in San
Francisco in many bogus alert files) are likely to be sick of the
constant phone calls asking about a surcharge which Eason or his staff
must explain is a matter of PAST history as looming threats go. Even
the FCC has found it necessary to run ads in major daily newspapers to
dispel rumor and/or innuendo. Also, some members of Congress probably
receive mail on the surcharge in the present, and may receive mail on
it in the future.

As was in evidence through material appearing in CuD 3.34, it seems
the New York state sales tax on prewritten software is yet another
case where the fight/flight syndrome kicks in too easily. There is
clear indication that many ASSUMPTIONS were made as opposed to very
little careful verification of the facts. What makes this worse is
that an ostensibly reputable SysOps organization in New York brought
this matter into prominent exposure without properly investigating the
facts. People panicked, and bureaucrats were besieged with phone calls
from modemers and SsyOps who launched into tirades over a tax on
things that were not and are not taxed in New York state.  Legislators
received the same kind of phone calls and mail.  Their staff went to
the trouble of contacting bureaucrats and verifying information passed
on to them by irate modem users. Such activity will continue while
messages and text files containing inaccurate information continue to
proliferate.

All this turns out to be as embarrassing as, if not more than, the
recurring surcharge rumors. These incidents generate credibility
issues. It was pointed out to me, by James Morris at the New York
state Department of Taxation & Finance, that we, who use modems and
run bulletin board systems, have a tremendous information network by
which we keep each other informed and initiate action. No greater
compliment can be paid to us as modem users and SysOps.

We, as modem users and SysOps, have tremendous power due to the nature
of the very medium we work and play in.  Along with that power comes
an equally awesome responsibility. Responsibility, thy name is
"CREDIBILITY".  We *MUST* be credible. We can collectively cry wolf so
many times before those in the position to change things
--politicians, judges, and bureaucrats -- will ignore us. If we're
gonna do it, let's do it right.

Let's be certain we have the FACTS before we sound the battle claxons.
Let's empower each other with information that allows us to easily
contact key sources of information to verify that information. Let's
make certain that provided information is as accurate as possible when
WE are the providers -- straight "from the horse's mouth", as it were.
When it comes to empowering your fellow modem user with critical
information requiring a pointed response in venues not limited to but
generally separate from cyberspace itself, you should put on your
JOURNALIST'S cap and wear it well. Ask and ask again? Verify and
REverify.  Whether our tremendous ability to network will be of any
use to us depends on how credible we're assessed to be by those who
generally don't hangout in cyberspace.

Now, on to the second point. The same material in CuD gives us some
gems in-the-rough. They're difficult to see since they're mixed in
with misinformation and associated emotionally oriented calls for
action. One of the dangers in situations, such as the software sales
tax debacle, are tendencies to glide past issues that may be core
issues but require CAREFUL THOUGHT AND ANALYSIS before one can
conceptualize the importance of the issue. This seems to be happening
in the New York state software sales tax debacle.  Even though several
people have pointed out a significant truth, which begs for action
every bit as much as the purported "download tax", the BBS community
of New York and the U.S. is not reacting with the tenacity it invoked
over the possibility of taxation on systems supporting upload/download
ratios. Thus, if this had been an attempt to use smoke and mirrors to
deflect people from the REAL issues, it would have worked very nicely.

As you may recall, the New York state Department of Taxation & Finance
has asserted, without contradiction, that there is a longstanding
sales tax on information services. This tax can be, has been, and
probably will be, applied to electronic bulletin board systems in New
York state. NYS T&F also does not claim that upload/download ratios
won't be considered a taxable event IN THE FUTURE.  NYS T&F
Regulations Specialist James Morris went to greats pains in
illustrating to me that standing tax codes certainly support such a
FUTURE interpretation. Ergo, the sword precariously swings. Until
modem users and SysOps of New York went into action, NYS T&F knew
little or nothing of the BBS community. They are now ACUTELY aware of
the BBS community and how it functions.

NYS T&F can be likened to the giant in "Jack & The Beanstalk". For a
time, the giant went unaware of Jack's presence. But when he finally
became aware.... Well, we must remember that New York state is
desperate for revenue.  Will bulletin board systems become a means to
help fill in financial gaps? To what extent? Should protective
legislation be initiated? Should tax codes be more specific about who
can be taxed and under what circumstances? What about the relationship
of free speech via the various functions of bulletin board systems --
including file exchange of newsletters containing important
information?  [Note that CuD makes its way into a lot of download
directories on bulletin board systems across the U.S.] Has anyone
checked statutes in their own state to see if there might be a
sleeping giant about to wake?

------------------------------

Date:     Tue, 27 Aug 91 21:36 EDT
From: "Silicon Surfer" <unixville@news.group.com>
Subject: File 8--"Phone Gall" (AT&T sues users)(Infoworld reprint)

                              Phone Gall
               InformationWeek, Aug. 26, 1991, pp.12-13
       (By Mary E. Thyfault with Diane Medina and Bob Violino)

AT&T has sued nearly 20 of its large business users for refusing to pay
for calls made by hackers through their corporate telephone In recent
months, the question of whether businesses victimized by phone hackers
should be forced to pay for such calls has stirred acrimonious debate
and prompted numerous actions before the Federal Communications
Commission. Estimates of the corporate monies lost annually to phone
hackers begin at $500 million and go into the billions.

Now an InformationWeek investigation reveals a broad effort by AT&T to
shift this debate to the courts. Among the corporations AT&T has quietly
sued are Avis Rent-A-Car System Inc., FMC Corp., Citgo Petroleum Corp.,
Procter & Gamble Co., and Perkin-Elmer Corp. (see below). In the largest
such lawsuit uncovered by IW, the United Nations was the victim of
nearly $1 million in unauthorized calls.

While the existence of these lawsuits remains unknown to most large
users, AT&T has been playing legal hardball with corporate customers for
at least a year, in most cases collecting fees in confidential,
out-of-court settlements. It appears no case has yet reached the trial
stage.

The fact that users back down is no surprise; AT&T is a $36.11 billion
behemoth with a crack legal staff. The mere threat of a lawsuit is
enough to force most firms to pull out their checkbooks.

"Who can afford to go to court with the phone company?" asks Roger
Longtin, counsel for electronics component distributor Avnet Inc. in
Great Neck, N.Y. , which is currently negotiating with AT&T over nearly
$1 million in disputed charges.

AT&T's long-distance rivals MCI Communications Corp. and US Sprint
Communications Co. say they have not sued any users over this issue, and
IW could find no evidence of any legal actions. Such a suit, explains a
spokesman for MCI, "is a good way to lose a customer".

One analyst argues, however, that MCI and Sprint can't afford to be nice
guys much longer. "I'd be surprised if MCI and Sprint didn't file suits
- uncollectibles have been a horrendous problem in the long-distance
business," says John Bain, senior VP at Raymond James & Associates Inc.
in St. Petersburg, Fla. One lawyer who has represented corporate victims
of toll fraud says the out-of-court settlements always involve some
payments by customers. AT&T typically starts negotiations by knocking
15% off the user's bill, he says; that's about the break-even point for
AT&T's profit on long-distance calls, according to analysts. AT&T does
not discuss litigation, a spokesman says.

Some customers are enraged at AT&T and the telecom industry over this
issue. They argue that the carriers and PBX vendors are not providing
enough warning, training, or support. "The carriers should do away with
the attitude of 'The customer should've known,'" charges Tim Honaker CFO
for Dearborn Financial Publishing lnc. in Chicago, which has been hacked
for $65,000. The telcom suppliers "come in with these great technologies
and then say, 'By the way, you gotta figure out how to manage this thing
on your own.' Well, we're not in that business." Suppliers should at
least share in the responsibility and liability for phone fraud charges,
according to victims.

Vendors respond that telecom managers can virtually end fraud by
properly managing their phone systems, particularly remote access
features. Some users agree. Says Jay Silverberg, president of the
National Rolm Users Group, "Although from a technical perspective the
vendor has the responsibility to provide the ability to make a system
secure, it's the user's responsibility to manage it."

The software to monitor such systems isn't cheap, however-about $120,000
on average-and "it can only cut down the hemorrhaging, not eliminate
hacking," says James Ross of Ross Engineering Inc., a software
engineering firm in Sterling, Va. Most victims argue that carriers have
the technology to detect hacking at their fingertips.

While the victims' attorneys say AT&T hasn't improved its security
measures, all the carriers and the major PBX vendors-Northern Telecom,
Rolm Co., and the business telephone unit of AT&T-say they are putting
increasing emphasis on helping users fight phone hacking. AT&T offers
seminars at every user group meeting, for example, and Rolm announced in
April it would begin assigning a security coordinator in each of its 31
branch locations.

Currently, AT&T has seven fulltime staffers charged with educating
customers and investigating fraud cases. Users claim that number is
woefully low. (Meanwhile, the number of AT&T lawyers pursuing litigation
in this area is, an AT&T spokesman admits, "probably in the tens.") AT&T
has 40,000 PBX installations and 4 million business long-distance
customers. "If they really want to protect the public, they need to hire
more like 700 people," says Charles Helein, a Washington attorney who
has represented several toll fraud victims.  AT&T says it will add three
more staffers next month.  Some users even claim AT&T is not devoting
more resources to ending toll fraud because it is making too much money
on such calls-a charge AT&T vehemently denies.

"If you significantly cut phone fraud, you have to wonder what kind of
impact it would have on their revenue," says Thomas Crowe, attorney for
Chartways Technologies Inc. in Rockville, Md., which suffered $81,789 in
unauthorized calls.

"That's ludicrous," says an AT&T spokesman. "AT&T devotes enormous
resources to this." The company argues that it is doing more than
required. On a weekly basis, AT&T monitors the three area codes in South
America and Central America that receive the most illegal calls.  When a
sudden increase in volume is noted, AT&T tries to notify customers,
reaching about 25%, of them before they themselves notice the break-in.

"I can't tell you that every week we get to everyone, but we attempt to
based on our resources," says Robert Carman, head of AT&T's corporate
security division. Still, the FCC says all complaints filed to date by
users over this issue have involved AT&T.

Frank Chrz, VP of office services at ITT Consumer Financial Corp. in
Minneapolis, says AT&T "was very responsive" in helping him detect and
stop the hackers that penetrated his company's Rolm PBX, racking up
$100,000 in charges. But that cooperation ended when the bill came due
and ITT refused to pay. AT&T sued ITT, which promptly sued both Rolm and
Rolm's PBX distributor. All four settled out of court. At least two
other users have sued their PBX vendors after being sued by AT&T:  New
York City Human Resources Administration sued Northern Telecom Inc., and
Western Diversified Life Insurance Co. in Deerfield, Ill., countersued
AT&T as both its PBX supplier and long-distance carrier.

In another twist, two corporations sued AT&T before AT&T could sue them:
Mitsubishi International Corp. in New York (IW, June 24,p.14) and John
D. Hollingsworth On Wheels Inc. in Greenville, S.C.

Despite all the complex legal maneuvering, every case eventually comes
down to finger-pointing. No one wants to accept responsibility for toll
fraud. Until now, the FCC has typically ruled against users, but
mounting corporate anger may mean the commission will impose some sort
of liability ceiling. What is clear is that users and vendors will have
to work together to solve the problem.

"In no way are we inferring we can catch everything," says Bob Fox,
Sprint's assistant VP of corporate security. "The majority of the time
we're getting to the customer before he knows what's going on. But we're
not going to catch everything every time. It takes teamwork.

"The customer is going to get hurt if we do our thing but he doesn't do
his, or vice versa." -Mary E. Thyfault with Diane Medina and Bob Violino

------------------------------

Date: Thu, 3 Oct 91 11:10:04 EDT
From: server@STORMKING.COM(Storm King ListServ Account)
Subject: File 9--Announcement

NIA & Phrack Inc present:

                        "It is useless to resist us."

                              The second annual,
                              X M A S C O N  '91

                              Where: Houston, TX
                         When: December 27th-29th 1991

     Who: All Hackers, Journalists, Security Personnel and Federal Agents

     Well, it's getting closer.. HoHoCon is coming up and we plan on having
     the biggest gathering of Hackers ever!

     This event is going to be public.  Sponsors include members of NIA
     Magazine, Phrack Inc, dFx/Neon Knights and cDc.

     Hotel and reservation information will be announced at a later date.
     Anyone is welcome to attend, and we encourage you to be there.

     Keep the Faith & cya' at HoHoCon!

------------------------------

Date: Sat, 21 Sep 91 18:52:56 EDT
From: "Anonymous" <anonymous@noaddress.etc>
Subject: File 10--Cyberspace Conference in Montreal

           THE THIRD INTERNATIONAL CONFERENCE ON CYBERSPACE
                           MONTREAL, QUEBEC
                           MAY 22-23, 1992

                       Sponsored and hosted by
   DEPARTMENT OF COMPARATIVE LITERATURE, UNIVERSITY OF MONTREAL and
   GROUP FOR THE STUDY OF VIRTUAL SYSTEMS, U.California, Santa Cruz

                       ANNOUNCEMENT AND CALL FOR PAPERS

The Third International Conference on Cyberspace will be held May
22--23 1992 at the University of Montreal.  This is a call for
abstracts, approximately fifteen of which will be selected for
development and presentation at the Conference.  All papers, and a
number of selected abstracts, will be published in Proceedings,
available late 1992.

Abstracts should be between 600 and 1000 words, and are due by
December 15, 1991.  Submission of an abstract indicates the
submitter's intention and capability to write and present the
corresponding, full length paper, if chosen.

Participation in the Conference is limited to 140 people in the
following  categories:

1.  Participants who have been invited to present papers based on
their abstracts.  (Limit 15)

2.  Participants who have submitted abstracts judged by the Program
Committee to be of particular interest.  (Limit 35)

3.  Participants with creative and clearly stated interests in the
topic who  are involved with work on cyberspace in any capacity.
(Limit 60)

4.  Visitors & observers, who are not actively working in the field at
this  time but who have expressed interest in the subject.  (Limit 30)

Like the First Conference at Austin in 1990, and the Second
International  Conference in Santa Cruz in 1991, the Third
International Conference on Cyberspace is not only about the enabling
technology of virtual reality, 3-D user interfaces, networking, data
visualization, or high speed computer graphics, but also the  nature
of cyberspace as such, conceived of as an independent realm, a shared
virtual  environment whose inhabitants, objects and spaces are data,
but data which is visualized, heard and (perhaps) touched.   It  seeks
to reach an understanding of  how the components of cyberspace already
"under construction" in the  development and design of graphic user
interfaces, scientific visualization  techniques, video games, CAD,
abstract architecture and architectural  design theory, knowledge
navigation, "cyberpunk" discourse, cultural  studies, film and
narrative theory, virtual and artificial reality systems,  MUDs,
INTERNET, USENET and other networks, groupware, and hypermedia might
someday  function together to create a true, public cyberspace, as
well as private,  special-purpose cyberspaces.

------------------------------

Date: Thu, 26 Sep 91 00:25:50 MDT
From: mbarry@ISIS.CS.DU.EDU(Marshall Barry)
Subject: File 11--Conference Info and Press Releases

                        Contact: Terry Travis or Michelle Weisblat
                                         Telephone: (303) 426-1847

 IBECC, a non-profit educational, literary and scientific society,
 is sponsoring the 1992 International BBSing and Electronic Commu-
 nications Conference to be held August 13-16, 1992 in Denver,
 Colorado.  The theme of IBECC '92 will be "Socially Responsible
 Computing."

 There will be panels on such diverse topics as "Safe Computing" [How
 to Prevent the Spread of Computer Infection], "Why Kelly CAN Read"
 [Exploring Computers, BBSing, and Education], and "Staying Alive"
 [Computing and the Physically Challenged and Homebound].

 Membership in IBECC, including the 1992 annual conference, is $80.00
 (US) through September, 1991 and $125.00 from October 1, 1991 through
 May, 1992.  Membership also includes the IBECC Newsletter, access to
 the IBECC Electronic Bulletin Board, and discounts on several
 services.

 The conference will be held at the Sheraton Denver West Hotel and
 Conference Center, Lakewood, Colorado.  Room rates start at $62.00
 (US + tax) per night; contact the hotel at 1-800-LAKEWOOD, or (303)
 987-2000, for reservations.

------------------------------

End of Computer Underground Digest #3.35
************************************