Computer underground Digest Sat, Oct 19, 1991 Volume 3 : Issue 37 Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) **** SPECIAL ISSUE: "GERALDO AND THE MAD HACKERS'S KEY PARTY" **** CONTENTS, #3.37 ( October 19, 1991) File 1: Summary of Geraldo's _Now it can be Told_ File 2: Excerpts from "Mad Hacker's Key Party" File 3: Review_of_Now_It_Can_Be_Told_ File 4: Geraldo Rivera show on "Hacking" File 5: The_RISKS_of_Geraldo File 6: 2600 Magazine Exposes Security Holes (NEWSBYTE reprint) Issues of CuD can be found in the Usenet alt.society.cu-digest news group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM, on Genie, on the PC-EXEC BBS at (414) 789-4210, and by anonymous ftp from ftp.cs.widener.edu (147.31.254.20), chsun1.spc.uchicago.edu, and dagon.acc.stolaf.edu. To use the U. of Chicago email server, send mail with the subject "help" (without the quotes) to archive-server@chsun1.spc.uchicago.edu. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: 12 Oct 91 11:21:19 CDT From: Moderators <tk0jut2@mvs.cso.niu.edu> Subject: File 1-- Summary of Geraldo's _Now it can be Told_ On Sept 30, Geraldo Rivera's show focused on "hackers." Not surprisingly, the commentary was closer to sensationalistic fiction than fact. Those who saw the original airing described Rivera's framing of the issue as reprehensible, and his comments about Craig Neidorf were described as potentially slanderous. Even by Geraldo standards, Craig could not have expected the grotesque insults to which he was subjected and the bullying and inaccuracies that he endured, according to observers, with reserved dignity. We are indebted to an anonymous reader who provided us with excerpts from the transcripts. They reveal a consistent pattern of sensationalism--not surprising--but they also reflect that Rivera had little interest in accuracy and instead resorted to fabrication bordering on lies to depict Craig as a "Mad Hacker." His task was made considerably easier by Alameda County (California) prosecutor Don Ingraham, who contributed to the misconceptions of Craig and played into the sensationalistic "mad hacker" motif that was the format of the show. Those who viewed the program report, and the transcripts confirm, that the initial portion focused on the potential dangers of hacking to national security, and skillfully juxtaposed film images of terrorism and military violence with discussions and images of hackers. Rivera continually referred to Craig as the "Mad Hacker," described him as Ingraham's "arch-rival," and used the term "notorious hacker" to remind the audience that his guest was not some run of the mill evil-doer, but "mad," "notorious," and America's "most wanted" hacker. Ingraham implied that Craig was responsible for breaking into and endangering the nation's E911 system, but backed off slightly while leaving the connection between E911 and national security intact. Ingraham's analogy of rape and hacking was in poor taste, and he seemed to join Rivera in competing for outlandish sound-byte of the day. The media has played a major role in contributing to hacker hysteria by grossly exaggerating the exploits of suspects and defendants. Rivera has taken hyperbole to a new level by imputing dangers where none exist, by fabricating facts, and by leaving the audience with the impression that--in this case--Craig had actually broken into the E911 system. In a time which Constitutionally protected liberties are threatened, when demogogues enact anti-crime legislation that expands definitions of punishable behavior and increases penalties for offenses, and when the public--still largely technophobic--does not understand hacking, Geraldo's portrayal is recklessly dangerous and unconscionably irresponsible. It is one thing to engage in self-serving sleaze for ratings. It is quite another to distort truth in ways that create false impressions and tarnish reputations by name-calling. We suggest that Geraldo Rivera has far more in common, both in his actions and in his consequences, with terrorists than do hackers. Rivera, like terrorists, seems to have no hesitation in doing violence if it serves his own narrow interests. On balance, society can survive a "hacker menace" far more easily than it can survive callous disregard of truth. ------------------------------ Date: Thu, 17 Oct 91 7:41:43 CDT From: anonymous@viewer Subject: File 2-- Excerpts from "Mad Hacker's Key Party" Excerpts from: _Now_It_Can_Be_Told_: "Mad Hackers' Key Party" Hosted by Geraldo Rivera (Sept. 30, 1991) Geraldo: I'm Geraldo rivera. And now, It can be told. <First part of the program includes comments and interviews with Emmanuel Goldstein, Krista Bradford, Cliff Stoll, Phiber Optik, Winn Schwartau, and other bit players. Focus of discussion is on hacking as "terrorism" and generous film and news clips of terrorism and war scenes interwoven amongst discussion of dangers of hackers to national security. We pick up the dialogue when Don Ingraham (Alameda County (Calif.) prosecutor and Craig Neidorf (former editor of PHRACK) join in> Geraldo: Joining us now via satellite from Oakland, CA is the Assistant District Attorney Don Ingraham ... for Alameda County and he has been prosecuting computer hackers for years. <Don is in the TV box, between Geraldo and Craig [KL]> Geraldo: Don, how do you respond to the feeling common among so many hackers that what they're doing is a public service; they're exposing the flaws in our security systems? Don: Right, and just like the people who rape a coed on campus are exposing the flaws in our nation's higher education security. It's absolute nonsense. They are doing nothing more than showing off to each other, and satisfying their own appetite to know something that is not theirs to know. Geraldo: Don, you stand by, Craig as well. And when we come back we'll hear more from prosecutor Ingraham and from, I guess his archrival here, the Mad Hacker Craig Neidorf. <Commercial> Geraldo: We're back with Craig Neidorf, a former University of Missouri student who ran a widely distributed electronic newsletter for computer hackers. He is so proud of being America's Most Wanted computer hacker that he has put together this very impressive scrapbook. <Geraldo holds up a colorful scrapbook..On the left page shows a lightning bolt hitting what looks to be a crown [Knight Lightning] ...And on the right it looks like a graphic saying "Knight Lightning" and below that is a black circle with a white lightning bolt, and next to that is a triangle that looks very similar to the triangle with an eye that appeared on the cover of _GURPS_Cyberpunk_ [which said in it, the book that was seized by the Secret Service! see page 4...- but the one on KL is illegible]> Geraldo: Knight Lightning I guess that was your code? KL: It was my editor handle. Geraldo: That's your handle. OK. And from Oakland, CA we are talking with the Assistant District Attorney Don Ingraham, who is hard driven, you might say, to put people like Craig behind bars. Don, do you think Craig's lucky that he's not behind bars right now? Don: Yes, I think he's extraordinarily lucky. He was part of a conspiracy, in my opinion, to take property that wasn't his and share it with others. They charged him with interstate transport of stolen property - couldn't make the threshold -and it came out that it had been compromised by, unfortunately, released by another Bellcore subsidiary. But was certainly not through any doing of HIS that he is a free man. Geraldo: So you think that his activities stink, then. Don: Absolutely. No Question about it. Geraldo: Craig, you wanna respond? Are you doing something for the greater good of society? KL: Well I was merely publishing a newsletter. I didn't go out and find this document. Rather it was sent to me. In many ways it could be compared to Daniel Ellsberg sending the Pentagon Papers to the New York Times. Geraldo: Do you figure it that way Don? Is he like Daniel Ellsberg? Don: No, Ellsberg went to court to deal with it. Daniel Ellsberg's release of the Pentagon Papers is the subject of a published court decision to point out it was a matter of national security and national interest. The E911 codes, which is the citizen's link to the police department are not a matter of national security. They're a matter of the central service to the community....... Geraldo: You broke into the 911 system? He broke into the 911 system! KL: No, that's not correct. I never entered any 911 telephone system. Don: I didn't say he entered into it. What I said was that he and Riggs conspired together to take a code that they knew was necessary to 911 and to take it apart to see how it worked. They never had the owner's permission, they never asked for it. Geraldo: Alright, lemme ask you this.... KL: The court found that there was no conspiracy here. Geraldo: You were acquitted. You were vindicated at least from criminal responsibility. Lemme just quickly ask you this: hackers have been inside the White House computer. KL: Yes they have. Geraldo: And they've been inside the Pentagon computer. KL: Yes. Geraldo: And if Saddam Hussein hired some hackers whether they're from Holland or any other place, he could've gotten into these computers, presumably. KL: Presumably, he could've. Geraldo: And gotten some valuable information. KL: It's definitely possible. Geraldo: And you still think hackers are performing a public service? KL: That's not what I said. I think that those kind of activities are wrong. But by the same token, the teenagers, or some of the people here that are not performing malicious acts, while they should be punished should not be published as extreme as the law currently provides. Geraldo: You're response to that Don? Don: I don't think they're being punished very much at all. We're having trouble even taking away their gear. I don't know one of them has done hard time in a prison. The book, Hafner's book on _Cyberpunk_, points out that even Mitnick who is a real electronic Hannibal Lecter ... did not get near any of the punishment that what he was doing entitled him to. Geraldo: <laughing> An electronic Hannibal Lecter. OK, stand by, we'll be back with more of this debate in a moment... <commercials> Geraldo: Back with Craig Neidorf and prosecutor Don Ingraham. Craig, do you think hackers are voyeurs or are they potentially terrorists? KL: I think they resemble voyeurs more than terrorists. They are often times looking at places where they don't belong, but most hackers do not intend to cause any damage. Geraldo: Do you buy that Don? Don: If they stopped at voyeurism they would be basically sociopathic, but not doing near the harm they do now. But they don't stop at looking, that's the point. They take things out and share them with others, and they are not being accountable and being responsible as to whom they are sharing this information. That is the risk. Geraldo: Can they find out my credit rating? I know that's not a national security issue, but I'm concerned about it. Don: Piece of cake. Geraldo: No problem. Don: Assuming.... Geraldo: Go ahead. Assuming I have a credit rating...hahahah.... Don: Assume that the credit is not carried by someone who is using adequate security. Geraldo: But you think Craig it's not problem. KL: I think it's no problem. Geraldo: Give me quickly the worst case scenario. Say Abu Nidal had you working for him. KL: I'm sorry? Geraldo: Abu Nidal, notorious ..... KL: As far as your credit rating? Geraldo: No, not as far as my credit rating.. The world, national security. KL: Well, hackers have gotten into computer systems owned by the government before. At this point they've never acknowledged that it was anything that was ever classified. But even some unclassified information could be used to the detriment of our country. Geraldo: Like the counter-terrorist strategy on January 15th, the day of the deadline expired in the Persian Gulf. KL: Perhaps if Saddam Hussein had somehow known for sure that we were going to launch an attack, it might have benefited him in some way, but I'm really not sure. Geraldo: Don, worst case scenario, 30 seconds? Don: They wipe out our communications system. Rather easily done. Nobody talks to anyone else, nothing moves, patients don't get their medicine. We're on our knees. Geraldo: What do you think of Craig, quickly, and people like him? Don: What do I think of Craig? I have a lot of respect for Craig, I think he's probably going to be an outstanding lawyer someday. But he is contributing to a disease, and a lack of understanding ethically, that is causing a lot of trouble. Geraldo: One word answer. As the computer proliferate won't hackers also proliferate? Won't there be more and more people like you to deal with? Knight Lightning: I think we're seeing a new breed of hacker. And some of them will be malicious. Geraldo: Some of them will be malicious. Yes, well, that's it...for now. I'm Geraldo Rivera. [End of Program] ------------------------------ Date: Wed, 16 Oct 91 18:42:51 MDT From: ahawks@ISIS.CS.DU.EDU.CS.DU.EDU(Andy Hawks) Subject: File 3-- Review_of_Now_It_Can_Be_Told_ If you look past the obvious sensationalism (hey, what do you expect from Geraldo?) the ''Now It can Be Told'' program on hackers was actually quite good, and quite informative. However, as expected, the program served to enhance the stereotypes that hackers are always destroyers of information. Words such as terrorist, thief, mad hacker, notorious, sociopath, et al were often substituted for ''hacker''. From a hacker's point of view, the show was great. First we see ''home video'' of Dutch hackers hacking into US Department of Defense (military) computers. Emmanuel Goldstein (editor of 2600) is present among them, and describes in-depth what they are doing, and how they are getting into these computers. The Dutch hackers success rate was astounding! Goldstein says that they "literally picked a computer at random among a list and used various means to get in". First, they fail with a login of guest. Then, they succeeded in gaining superuser privileges with the sync login and proceeded to create a new account under the name Dan Quayle, and gave him superuser privileges. I thought Emmanuel Goldstein was an excellent defender of the hacker's position, successfully refuting Cliff Stoll's comment that compared hackers to thieves breaking into someone's house (yaaaaaawwwwwwwnnnnnnnnn.......) by stating hackers are not interested in personnel files - they're interested in huge databases and computer systems. Hopefully, (however doubtful) Emmanuel Goldstein has forever put the "breaking into a house" argument to rest. Next we see a scene that is truly cyberpunk: Japanese Kanji characters in neon colors spread over the screen as we hear a voice say "My handle is Phiber Optik. I'm a computer hacker from the East Coast.", standing on a dimly lit street in the middle of the night. The Phiber Optik portion of the program is interesting, and shows (for the first time?) hacking from a pay-phone with a laptop. (Note: if you freeze-frame at the right moment, you can see Emmanuel Goldstein and a g-man type in sunglasses [??] during this segment.) Phiber Optik: "The Hacker's goal is to become one with the machine" The next segment features an anonymous hacker (most likely Phiber) who says "we'd just be coexisting with the other users of the machine" and states once again that hackers are not interested in personal files. We also learn that this hackers has most likely entered the White House systems. What follows the hacker profiles is a segment on computer-terrorism, which focuses on viruses, interception, ''computer guns'', and eavesdropping. Emmanuel Goldstein: "The computer is a tool. And any tool can be used as a weapon." A. Hacker: "I wouldn't so much call it a weapon as an extension of one's own mind;" This segment somewhat vaguely attempts to separate hackers from terrorists, but since the distinction is not made clear, it is obvious that the makers of the show think that some hackers would qualify under this category. Krista Bradford hints that these activities are done by our own government, as well. A neat demonstration is given by Winn Schwartau, an information security expert, who demonstrates TEMPEST technology (picking up the radio waves from a monitor, and being able to display what's being typed up to 1.5 miles away). In this fake scenario, credit information is being intercepted. It is most unlikely that hackers would use this type of interception, since it requires a lot of expensive equipment. (In case your interested, the frequency the signal was picked up on is 19.9217) Intermixed in this segment are clips from Die Hard II (remember, the terrorists take over the airport computers). The third segment involves a 'debate' between Craig Neidorf (Knight Lightning of Phrack fame) and Don Ingraham, an assistant District Attorney in California. Geraldo informs us that Craig Neidorf is a ''mad hacker'' who is proud of his hacking achievements. Geraldo holds up an interesting portfolio that CRaig Neidorf has created, which hackers might find interesting, if you can get your hands on it. Geraldo engages in his usual sensationalism. He wrongly assumes that Craig Neidorf 'broke into' the 911 system. He wants to confirm that hackers have broken into the White House and Pentagon, and tries to put terror into the hearts of the masses. One of the great shames of this program is that the host is nothing more than a sensationalist seeking to get ratings, and doesn't care one bit about the truth, which only serves to further the stereotypes all hackers have been stuck with. Don Ingraham is there, basically representing the Operation Sundevil opinion. He thinks that hackers have not been punished enough, and that their crimes are very serious. It is obvious that Mr. Ingraham has never even considered for a moment the idea that hackers are only interested in knowledge and most of them would not knowingly harm systems or files. He ought to take a look at the other side before forming his ignorant opinions. In my opinion, Craig Neidorf does not represent the common hacker as well as he is capable of in this program. But, obviously he was constrained by the format of the show and the ignorance he was forced to deal with on behalf of the host and Mr. Ingraham. He is not given opportunity to explain that not all hackers are malicious, and the subject of hackers informing system administrators of security flaws in their systems is not even brought up. In summary, the Now It Can Be Told program contained sensationalist aspects that was to be expected. However, from a hacker's point of view it was interesting to see the exploits of other hackers. Most interesting was the cyberpunk atmosphere of Phiber Optik hacking, as well as the home video of the Dutch hackers and their exploits. It was encouraging to hear Emmanuel Goldstein's opinions on hackers and he did well to represent them; he did not make them out to be saints, yet he defended them from the stereotype of being destructive. Cliff Stoll got one or two sentences in, which is all he deserved, IMHO. He only spews out the rhetoric we've all heard time and time again. The segment on computer terrorism was interesting, but not of much use to hackers; the demonstration on eavesdroppping was especially worth watching. The final segment, the 'debate' between Craig Neidorf and Don Ingraham was not as interesting as it could've (SHOULD'VE) been. Geraldo succeeded in disallowing Craig Neidorf to make the points it appeared he wished to make, and Mr. Ingraham succeeded in perpetuating stereotypes of hackers. Craig Neidorf ended the show by saying "We're seeing a new breed of hacker." And if you look past the obvious sensationalism of Now It Can Be Told, that new breed of hacker was well profiled. ------------------------------ Date: Fri, 18 Oct 91 2:33:25 CDT From: bei@DOGFACE.AUSTIN.TX.US(Bob Izenberg) Subject: File 4-- Geraldo Rivera show on "Hacking" <The Geraldo show on hacking was> a piece of tripe! Sorry, this just isn't journalism. It's barely in the back-fence gossip class. Here's my favorite part: > KL: Well I was merely publishing a newsletter. I didn't go out and > find this document. Rather it was sent to me. In many ways it could > be compared to Daniel Ellsberg sending the Pentagon Papers to the New > York Times. > > Geraldo: Do you figure it that way Don? Is he like Daniel Ellsberg? > > Don: No, Ellsberg went to court to deal with it. Daniel Ellsberg's > release of the Pentagon Papers is the subject of a published court > decision to point out it was a matter of national security and > national interest. The E911 codes, which is the citizen's link to the > police department are not a matter of national security. They're a > matter of the central service to the community....... Right, not a matter of national security. It's not the size of the sacred cow that you gore, it's how loud it bellows that gets attention. > Don: I don't think they're being punished very much at all. We're > having trouble even taking away their gear. Yeah, that due process sure gets in the way. > I don't know one of them > has done hard time in a prison. Maybe he doesn't know John Draper, who in addition to his tone stuff played with Apple ][s quite a bit... He and others did some very interesting things with the DTMF capabilities of the early MicroModem ][s... > The book, Hafner's book on > _Cyberpunk_, points out that even Mitnick who is a real electronic > Hannibal Lecter ... did not get near any of the punishment that what > he was doing entitled him to. Judge, jury and executioner... Somebody might want to tell this gentleman that he's in the 20th century, and is not a judge. > Don: If they stopped at voyeurism they would be basically > sociopathic, but not doing near the harm they do now. But they don't > stop at looking, that's the point. They take things out and share > them with others, and they are not being accountable and being > responsible as to whom they are sharing this information. That is the > risk. If, if, if. It's the potential crime that he's interested in. Off with their heads! Sentence first, trial later, and the crime done last if done at all. > Geraldo: Can they find out my credit rating? I know that's not a > national security issue, but I'm concerned about it. > Don: They wipe out our communications system. Rather easily done. > Nobody talks to anyone else, nothing moves, patients don't get their > medicine. We're on our knees. Worst case scenario: They disable all billing mechanisms, letting everyone make free calls (if only for a day) and the phone company forgets all about being a public utility, closes its doors and gets nationalized ten minutes later. Bob Allen goes up the river, along with his MCI and Sprint counterparts, or moves on to a real job destroying the environment for Union Carbide or somebody... PUCs all over the country have 75% work force cuts, with their biggest time-waster (and source of perqs) gone. But, worst case for whom? Cheech and Chong had this boy pegged. What a job they could do on "Gerondo Revolver" now... ;-) ------------------------------ Date: Wed, 16 Oct 91 18:41:23 MDT From: ahawks@ISIS.CS.DU.EDU.CS.DU.EDU(Andy Hawks) Subject: File 5-- The_RISKS_of_Geraldo I'm sure many of you saw or have heard/read about Geraldo Rivera's Now It Can Be Told Program which featured a show on hackers a couple of weeks or so ago. Well, by airing this program, it appears that Geraldo (or actually the producers/editors of the show) have put at least one military computer at risk. One segment of the program featured a "home video" of Dutch teenagers hacking. This home video would occasionally focus in on the computer screen as the hackers hacked. As reporter Krista Bradford describes what is going on, the screen shows: > | quit | 221 Goodbye. | rugrcx> | telnet tracer.army.mil | Trying 192.33.5.135.... | Connected to tracer.army.mil | Escape character is '^]'. | | | | Xenix K3-4 (tracer.army.mil) | | | | login: | dquayle | Password:_ > Then we learn that previously, the hackers have gained superuser privileges to the system. As Krista Bradford is describing the superuser access, we see the computer screen again and the hackers are attempting to login to the same site with the 'sync' login (so, this is apparently how they gained superuser access). Later in the show (about 1 minute or so after the hackers have gained superuser privileges) Emmanuel Goldstein (2600) states that the hackers proceeded to create a new account. The account they create is 'dquayle' (Dan Quayle) and has superuser privileges. Then, the screen focuses in on the new record in /etc/passwd for 'dquayle', and Mr. Goldstein tells us that the new account has no password (the screen focuses in on: "dquayle::") Thus, anyone who has telnet access could've repeated this same process, logging in to this tracer.army.mil site with the username 'dquayle' (and no password) and would have gained superuser access. It is obvious that in this situation, whoever allowed the show to be aired in its final form had no knowledge of the Internet, otherwise this definite "how to hack" security breach would have been omitted. Thanks Geraldo, for showing all of us how to hack into military computers. (Note: I avoided sending this in for submission earlier to prevent any other hackers from repeating the same experiment. Hopefully, tracer.army.mil has now had enough time to plug up the obvious hole.) ------------------------------ Date: Sat, 19 Oct 91 11:12:11 CDT From: jmcmullen@well.sf.ca.us(John McMullen) Subject: File 6-- 2600 Magazine Exposes Security Holes (NEWSBYTE reprint) 2600 Magazine Exposes Security Holes 10/18/91 ARMONK, NEW YORK, U.S.A., 1991 OCT 18 (NB) -- Supported by videotape examples, Emmanuel Goldstein, editor and publisher of 2600 Magazine: The Hacker Quarterly, told those in attendance at an October 17th New York City press conference that "the American public is often lulled into a false sense of security; a security that is often not supported by the facts of specific cases." The videotapes, produced by 2600 and provided to the press show both the intrusion of a Dutch "hacker" in to United States Military computers and what Goldstein alleges is the fallability of a brand of mechanical, pushbutton locks used by, among others, New York State University sites, Federal Express, United Parcel Service, JFK International Airport, IBM and NASA. Goldstein told Newsbytes "We invested considerable time and money to wake people up to the fact that we have a false sense of security when it comes not only to computer networks but to physical safety as well." The tape of the Dutch "hacker" was made by Goldstein while in Europe. and shows the intrusion into a Unites States Army computer system. The intruder was able to set up a fictitious account called "danquayle" and, once into the system, was able to obtain "root" privileges thus giving him total control of the workings of the system. A portion of this tape had previously been shown with Goldstein's approval on an episode of the Gerald Rivera television show "Now It Can Be Told". Goldstein told Newsbytes that one reason for his release of the entire tape to the press was his feeling that the Rivera episode entitled "The Mad Hacker's Key Party" had distorted the message of the tape - "This was not a case of a terrorist break-in but was rather simply a demonstration of the lack of security of our systems. To find root accounts with password like "Kuwait" and lack of sophisticated security in our military computers should be of real concern and should not be lost in an explotation of the 'hacker' issue." A background paper provided at the conference by 2600 explains the entire intrusion effort in detail and states "The purpose of this demonstration is to show just how easy it really was. Great care was taken to ensure that no damage or alteration of data occurred on this particular system. No military secrets were taken and no files were saved to a disk by the hackers. What is frightening is that nobody knows who else has access to this information or what their motivations might be. This is a warning that cannot be taken lightly." The second videotape show Goldstein and other 2600 staff opening seemingly at will locks manufactured by Simplex Security Systems. The locks of the mechanical pushbutton combination variety were shown to be installed at the State of New York University at Stony Brook, JFK International Airport and on Federal Express and United Parcel pick-up boxes throughout the New York Metropolitan area. In the film, Goldstein is shown filling out a Federal Express envelope for delivery to 2600 Magazine and inserting in the Fedex dropbox. He then lifts the weather protection cover on the box's lock and keys a combination that allows him to open the lock and remove his envelope. Scott Skinner, a SUNY student and 2600 staff member told Newsbytes that it had actually taken the staff 10 minutes to determine the proper code combinations to open the lock. Skinner explained, "While Simplex prefers people to think that there is an endless number of permutations to the lock, there are actually only 1,085. In most cases, even this number is greatly reduced -- if one knows that only three buttons are being used, it reduces the possibilities to 135. Additionally, we found that, once we had the combination to one Federal Express dropbox, it worked in every other one that we tried in the New York area." Goldstein told Newsbytes "When we contacted Simplex, they first denied that the locks were unsafe and then said that the permutations were much greater. After some discussion, they admitted that the 1,085 figure was correct but said that it would take a person with a complete listing of the combinations over four hours to try them all. Our experience obviously shows that they may be opened in a much shorter time than that." Goldstein also pointed out that, "although a $5 Master combination lock may be broken by a crowbar, it is a much more secure combination device. It has 64,000 combinations compared to the 1,085 with the Simplex." Goldstein continued, "One of the real problems is that, should a person have the misfortune to be robbed, entry due to a failure of the Simplex lock gives no evidence of a forcible break-in and police and insurance companies often put the blame on the homeowner or office manager for 'giving away the combination.' It really can create a problem." Skinner told Newsbytes "I'm really concerned about this. I'm a student at SUNY, Stony Brook and all our dormitories use these locks as the only means of security. I've shown the problem to Scott Law who is responsible for residence security but he has discounted the problem and said that the locks were installed at the recommendation of the campus locksmith. The locksmith, Garry Lenox contradicts Law and says that he recommended against these locks years ago and said that they were not secure for dormitory use." Skinner said that he will write an article for the college newspaper in an attempt to raise consciousness about this problem. Goldstein also said that he intends to publish the list of valid combinations in an up-coming issue of 2600 to demonstrate to the public the problems with the lock. He further said that he will raise the issue on his weekly radio show, "Off The Hook", heard on New York's WBAI-FM. In response to a Newsbytes question concerning how the 2600 staff happened to become involved in a problem with locks, Goldstein said, "We're hackers and when we see something with buttons on it, whether it's a computer or not, we tend to try it. While the average person tends to accept that things are secure just because he is told that they are, hackers will usually try them out. It's because of this 'trying out' that we can point out the problems with both the US military computer security and this lock -- and we feel that, in both cases, we have performed a service. People should be aware when they are at risk so that they may take action to correct it." (Barbara E. McMullen & John F. McMullen/Press Contact: Emmanuel Goldstein, 2600 Magazine., 516-751-2749/19911018) ------------------------------ End of Computer Underground Digest #3.37 ************************************