Computer underground Digest Tue July 21, 1992 Volume 4 : Issue 32 Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Copy Editor: Etaion Shrdlu, Jr. Archivist: Brendan Kehoe Archivist in spirit: Bob Kusumoto Shadow-Archivist: Dan Carosone CONTENTS, #4.32 (July 21, 1992) File 1--The NSA Papers File 2--CPSR Challenges Virginia SS File 3--EFF hires Cliff Figallo as director of Cambridge office File 4--New York Hackers Plead Not Guilty (NEWSBYTES REPRINT) File 5--Time Magazine Computer Analyst Arrested for Alleged Faud Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost at tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail to: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet alt.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT libraries; from American Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; and by anonymous ftp from ftp.eff.org (192.88.144.4) and ftp.ee.mu.oz.au European distributor: ComNet in Luxembourg BBS (++352) 466893. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Wed, 24 Jun 92 18:10:02 CDT From: Joe.Abernathy@HOUSTON.CHRON.COM(Joe Abernathy) Subject: File 1--The NSA Papers The following is the written response to my request for an intereview with the NSA. To the best of my knowledge, and according to their claims, it is the government's first complete answer to the many questions and allegations that have been made in regards to the matter of cryptography. I would like to invite reaction from any qualified readers who care to address any of the issues raised herein. Please mail to edtjda@chron.com (713) 220-6845. NATIONAL SECURITY AGENCY CENTRAL SECURITY SERVICE Serial: Q43-11-92 9 10 June 1992 Mr. Joe Abernathy Houston Chronicle P.O. Box 4260 Houston, TX 77210 Dear Mr. Abernathy: Thank you for your inquiry of 3 June 1992 on the subject of cryptography. Attached please find answers to the questions that you provided our Agency. If any further assistance is needed, please feel free to contact me or Mr. Jerry Volker of my staff on (xxx) xxx-xxxx. Sincerely, MICHAEL S.CONN Chief Information Policy ENCL: 1. Has the NSA ever imposed or attempted to impose a weakness on any cryptographic code to see if it can thus be broken? One of NSA's missions is to provide the means for protecting U.S. government and military communications and information systems related to national security. In fulfilling this mission we design cryptologic codes based on an exhaustive evaluation process to ensure to the maximum extent possible that information systems security products that we endorse are free from any weaknesses. Were we to intentionally impose weaknesses on cryptologic codes for use by the U.S. government, we would not be fulfilling our mission to provide the means to protect sensitive U.S. government and military communications and our professional integrity would be at risk. 2. Has the NSA ever imposed or attempted to impose a weakness on the DES or DSS? Regarding the Data Encryption Standard (DES), we believe that the public record from the Senate Committee for Intelligence's investigation in 1978 into NSA's role in the development of the DES is responsive to your question. That committee report indicated that NSA did not tamper with the design of the algorithm in any way and that the security afforded by the DES was more than adequate for at least a 5-10 year time span for the unclassified data for which it was intended. In short, NSA did not impose or attempt to impose any weakness on the DES. Regarding the draft Digital Signature Standard (DSS), NSA never imposed any weakness or attempted to impose any weakness on the DSS. 3. Is the NSA aware of any weaknesses in the DES or the DSS? The RSA? We are unaware of any weaknesses in the DES or the DSS when properly implemented and used for the purposes for which they both are designed. We do not comment on nongovernment systems. Regarding the alleged trapdoor in the DSS. We find the term trapdoor somewhat misleading since it implies that the messages sent by the DSS are encrypted and with access via a trapdoor one could somehow decrypt (read) the message without the sender's knowledge. The DSS does not encrypt any data. The real issue is whether the DSS is susceptible to someone forging a signature and therefore discrediting the entire system. We state categorically that the chances of anyone - including NSA - forging a signature with the DSS when it is properly used and implemented is infinitesimally small. Furthermore, the alleged trapdoor vulnerability is true for ANY public key-based authentication system, including RSA. To imply somehow that this only affects the DSS (a popular argument in the press) is totally misleading. The issue is one of implementation and how one goes about selecting prime numbers. We call your attention to a recent EUROCRYPT conference which had a panel discussion on the issue of trapdoors in the DSS. Included on the panel was one of the Bellcore researchers who initially raised the trapdoor allegation, and our understanding is that the panel - including the person from Bellcore - concluded that the alleged trapdoor was not an issue for the DSS. Furthermore, the general consensus appeared to be that the trapdoor issue was trivial and had been overblown in the press. However, to try to respond to the trapdoor allegation, at NIST's request, we have designed a prime generation process which will ensure that one can avoid selection of the relatively few weak primes which could lead to weakness in using the DSS. Additionally, NIST intends to allow for larger modulus sizes up to 1024 which effectively negates the need to even use the prime generation process to avoid weak primes. An additional very important point that is often overlooked is that with the DSS the primes are PUBLIC and therefore can be subject to public examination. Not all public key systems provide for this same type of examination. The integrity of any information security system requires attention to proper implementation. With the myriad of vulnerabilities possible given the differences among users, NSA has traditionally insisted on centralized trusted centers as a way to minimize risk to the system. While we have designed technical modifications to the DSS to meet NIST's requests for a more decentralized approach, we still would emphasize that portion of the Federal Register notice for the DSS which states: While it is the intent of this standard to specify general security requirements for generating digital signatures, conformance to this standard does not assure that a particular implementation is secure. The responsible authority in each agency or department shall assure that an overall implementation provides an acceptable level of security. NIST will be working with government users to ensure appropriate implementations. Finally, we have read all the arguments purporting insecurities with the DSS, and we remain unconvinced of their validity. The DSS has been subjected to intense evaluation within NSA which led to its being endorsed by our Director of Information Systems Security for use in signing unclassified data processed in certain intelligence systems and even for signing classified data in selected systems. We believe that this approval speaks to the lack of any credible attack on the integrity provided by the DSS given proper use and implementation. Based on the technical and security requirements of the U.S. government for digital signatures, we believe the DSS is the best choice. In fact, the DSS is being used in a pilot project for the Defense Message System to assure the authenticity of electronic messages of vital command and control information. This initial demonstration includes participation from the Joint Chiefs of Staff, the military services, and Defense Agencies and is being done in cooperation with NIST. 4. Has the NSA ever taken advantage of any weaknesses in the DES or the DSS? We are unaware of any weaknesses in the DSS or in the DES when properly implemented and used for the purposes for which they both are designed. 5. Did the NSA play a role in designing the DSS? Why, in the NSA's analysis, was it seen as desirable to create the DSS when the apparently more robust RSA already stood as a de facto standard? Under the Computer Security Act of 1987, NIST is to draw upon computer systems technical security guidelines of NSA where appropriate and to coordinate closely with other agencies, including NSA, to assure: a. maximum use of all existing and planned programs, materials, and reports relating to computer systems security and privacy, in order to avoid unnecessary and costly duplication of effort; and b. that standards developed by NIST are consistent and compatible with standards and procedures developed for the protection of classified systems. Consistent with that law and based on a subsequent Memorandum of Understanding (MOU) between NSA and NIST, NSA's role is to be responsive to NIST's requests for assistance in developing, evaluating, or researching cryptographic algorithms and techniques. (See note at end). In 19??, NIST requested that NSA evaluate candidate algorithms proposed by NIST for a digital signature standard and that NSA provide new algorithms when existing algorithms did not meet U.S. government requirements. In the two-year process of developing a digital signature for U.S. government use, NIST and NSA examined various publicly-known algorithms and their variants, including RSA. A number of techniques were deemed to provide appropriate protection for Federal systems. The one selected by NIST as the draft Digital Signature Standard was determined to be the most suitable for reasons that were set forth in the Federal Register announcement. One such reason was to avoid issuance of a DSS that would result in users outside the government having to pay royalties. Even though the DSS is targeted for government use, eliminating potential barriers for commercial applications is useful to achieve economies of scale. Additionally, there are features of the DSS which make it more attractive for federal systems that need to have a digital signature capability for large numbers of users. Chief mong them are the number of trusted operation points and system management overhead that are minimized with the NIST proposed technique. 6. What national interests are served by limiting the power of cyptographic schemes used by the public? We call your attention to the House Judiciary committee hearing of 29 April 1992. The Director of the FBI expressed his concerns that law enforcement interests in meeting responsibilities given to them by Congress could be affected unless they had access to communications, as was given to them by statute in 1968 (court monitored, court sponsored, court reviewed and subject to Congressional oversight). The National Security Agency has no role in limiting the power of cryptographic schemes used by the public within the U.S. We have always been in favor of the use of information security technologies by U.S. businesses to protect their proprietary information, and when we had an information security role with private industry (prior to the Computer Security Act of 1987), we actively advocated use of such technologies. 7. What national interests are served by limiting the export of cryptographic technology? Cryptographic technology is deemed vital to national security interests. This includes economic, military, and foreign policy interests. We do not agree with the implications from the House Judiciary Committee hearing of 7 May 1992 and recent news articles that allege that U.S. export laws prevent U.S. firms' manufacture and use of top encryption equipment. We are unaware of any case where a U.S. firm has been prevented from manufacturing and using encryption equipment within this country or for use by the U.S. firm or its subsidiaries in locations outside the U.S. because of U.S. export restrictions. In fact, NSA has always supported the use of encryption by U.S. businesses operating domestically and overseas to protect sensitive information. For export to foreign countries, NSA as a component of the Department of Defense (along with the Department of State and the Department of Commerce) reviews export licenses for information security technologies controlled by the Export Administration Regulations or the international Traffic in Arms Regulations. Similar export control systems are in effect in all the Coordinating Committee for Multilateral Export Controls (CoCom) countries as well as many non-CoCom countries as these technologies are universally considered as sensitive. Such technologies are not banned from export and are reviewed on a case-by-case basis. As part of the export review process, licenses may be required for these systems and are reviewed to determine the effect such export could have on national security interests - including economic, military, and political security interests. Export licenses are approved or denied based upon the type of equipment involved, the proposed end-use and the end-user. Our analysis indicates that the U.S. leads the world in the manufacture and export of information security technologies. Of those cryptologic products referred to NSA by the Department of State for export licenses, we consistently approve over 90%. Export licenses for information security products under the jurisdiction of the Department of Commerce are processed and approved without referral to NSA or DoD. This includes products using such techniques as the DSS and RSA which provide authentication and access control to computers or networks. In fact, in the past NSA has played a major role in successfully advocating the relaxation of export controls on RSA and related technologies for authentication purposes. Such techniques are extremely valuable against the hacker problem and unauthorized use of resources. 8. What national interests are at risk, if any, if secure cryptography is widely available? Secure cryptography widely available outside the United States clearly has an impact on national security interests including economic, military, and political. Secure cryptography within the United States may impact law enforcement interests. 9. What does the NSA see as its legitimate interests in the area of cryptography? Public cryptography? Clearly one of our interests is to protect U.S. government and military communications and information systems related to national security. As part of that mission, we stay abreast of activities in public cryptography. 10. How did NSA enter into negotiations with the Software Publishers Association regarding the export of products utilizing cryptographic techniques? How was this group chosen, and to what purpose? What statute or elected representative authorized the NSA to engage in the discussions? The Software Publishers Association (SPA) went to the National Security Advisor to the President to seek help from the Administration to bring predictability, clarity, and speed to the process for exporting mass market software with encryption. The National Security Advisor directed NSA to work wth the mass market software representatives on their request. ii. What is the status of these negotiations? These negotiations are ongoing. 12. What is the status of export controls on products using cryptographic techniques? How would you respond to those who point to the fact that the expot of RSA from the U.S. is controlled, but that its import into the U.S. is not? To the best of our knowledge, most countries who manufacture cryptographic products regulate the export of such products from their countries by procedures similar to those existing within the U.S. Some even control the import into their countries. The U.S. complies with the guidelines established by CoCom for these products. Regarding the export of RSA from the U.S., we are unaware of any restrictions that have been placed on the export of RSA for authentication purposes. 13. What issues would you like to discuss that I have not addressed? None. 14. What question or questions would you like to pose of your critics? None. NOTE: To clarify misunderstandings regarding this Memorandum of Understanding (MOU); this MOU does not provide NSA any veto power over NIST proposals. As was discussed publicly in 1989, the MOU provides that if there is an issue that can not be resolved between the two agencies, then such an issue may be referred to the President for resolution. Enclosed please find a copy of subject MOU which has been made freely available in the past by both NSA and NIST to all requestors. At the House Judiciary Committee hearings on 7 May 1992, the Director of NIST responded that he had never referred an issue to the White House since his assumption of Directorship in 1990. MEMORANDUM OF UNDERSTANDING BETWEEN THE DIRECTOR OF THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY AND THE DIRECTOR OF THE NATIONAL SECURITY AGENCY CONCERNING THE IMPLEMENTATION OF PUBLIC LAW 100-235 Recognizing that: A. Under Section 2 of the Computer Security Act of 1987 (Public Law 100-235), (the Act), the National Institute of Standards and Technology (NIST) has the responsibility within the Federal Government for: 1. Developing technical, management, physical, and administrative standards and guidelines for the cost-effective security ad privacy of sensitive information in Federal computer systems as defined in the Act; and, 2. Drawing on the computer system technical security guidelines of the National Security Agency (NSA) in this regard where appropriate. B. Under Section 3 of the Act, the NIST is to coordinate closely with other agencies and offices, including the NSA, to assure: 1. Maximum use of all existing and planned programs, materials, studies, and reports relating to computer systems security and privacy, in order to avoid unnecessary and costly duplication of effort; and, - 2. To the maximum extent feasible, that standards developed by the NIST under the Act are consistent and compatible with standards and procedures developed for the protection of classified information in Federal computer systems. C. Under the Act, the Secretary of Commerce has the responsibility, which he has delegated to the Director of NIST, for appointing the members of the Computer System Security and Privacy Advisory Board, at least one of whom shall be from the NSA. Therefore, in furtherance of the purposes of this MOU, the Director of the NIST and the Director of the NSA hereby agree as follows: The NIST will: 1. Appoint to the Computer Security and Privacy Advisory Board at least one representative nominated by the Director of the NSA. 2. Draw upon computer system technical security guidelines developed by the NSA to the extent that the NIST determines that such guidelines are consistent with the requirements tor protecting sensitive information in Federal computer systems. 3. Recognize the NSA-certified rating of evaluated trusted systems under the Trusted Computer Security Evaluation Criteria Program without requiring additional evaluation. 4. Develop telecommunications security standards for protecting sensitive unclassified computer data, drawing upon the expertise and products of the National Security Agency, to the ratest extent possible, in meeting these responsibilities in a timely and cost effective manner 5. Avoid duplication where possible in entering into mutually agreeable arrangements with the NSA for the NSA support. 6. Request the NSA's assistance on all matters related to cryptographic algorithms and cryptographic techniques including but not limited to research, development valuation, or endorsement. . - I II. The NSA will: 1. Provide the NIST with technical guidelines in trusted technology, telecommunications security, and personal -identification that may be used in cost-effective systems for protecting sensitive computer data. 2. Conduct or initiate research and development programs in trusted technology, telecommunications security, cryptographic techniques and personal identification methods. 3. Be responsive to the NIST's requests for assistance in respect to all matters related to cryptographic algorithms and cryptographic techniques including but not limited to research, development, evaluation, or endorsement. 4. Establish the standards and endorse products for application to secure systems covered in 10 USC Section 2315 (the Warner Amendment). 5 Upon request by Federal agencies5 their contractors and other government-sponsored entities, conduct assessments of the hostile intelligence threat to federal information systems, and provide technical assistance and recommend endorsed products for application to secure systems against that threat. iii. The NIST and the NSA shall: 1. Jointly review agency plans for the security and -privacy of computer systems submitted to NIST and NSA pursuant to section 6(b) of the Act.' 2. Exchange technical standards and guidelines as necessary to achieve the purposes of the Act. 3. Work together to achieve the purposes of this memorandum with the greatest efficiency possible, avoiding unnecessary duplication of effort. 4. Maintain an ongoing, open dialogue to ensure that each organization remains abreast of emerging technologies and issues effecting automated information system security in computer-based systems. 5. Establish a Technical Working Group to review and analyze issues of mutual interes pertinent to protection of systems that process sensitive or other unclassified-information. The Group shall be composed of six federal employees, three each selected by NIST and NSA and to be augmented as necessary by representatives of other agencies. Issues may be referred to the group by either the NSA Deputy Director for Information Security or the NIST Deputy Director or may be generated -and addressed by the group upon approval by the NSA DDI or NIST Deputy Director. Within days of the referral of an issue to the Group by either the NSA Deputy Director for Information Security or the NIST Deputy .Director, the Group will respond with a progress report and pan for further analysis, if any. 6. Exchange work plans on an annual basis on all research and development projects pertinent to protection of systems that process sensitive or other unclassified information, including trusted technology, technology for protecting the integrity and availability of data, telecommunications security and personal identification methods. Project updates will be exchanged quarterly, and project reviews will be provided by either party upon request of he other party. 7. Ensure the Technical Working Group reviews prior to public disclosure all matters regarding technical_systems security techniques to be developed for use in protecting sensitive information in federal computer systems to ensure they are consistant with the national security of the United States. If NIST and NSA are unable to resolve such an issue within 60 days, either _ agency may elect to raise the issue to the Secretary of Defense and the Secretary of Commerce. It is recognized that such an issue may be referred to the President through the NSC for resolution. No action shall be taken on such an issue until it is resolved. 8. Specify additional operational agreements in annexes to this MOU as they. are agreed to by NSA and NIST. IV. Either party may elect to terminate this MOU upon six months written notice. This MO& is effective upon approval of both signatories. RAYMOND G. KAMMER W. 0. STUDEMAN Acting Director Vice Admiral, U.S. Navy National Institut of Director Standards and Technology National Security Agency ------------------------------ From: David Sobel <dsobel@WASHOFC.CPSR.ORG> Date: Tue, 30 Jun 1992 17:29:04 EDT Subject: File 2--CPSR Challenges Virginia SS June 30, 1992 CPSR Challenges Virginia SSN Practice PRESS RELEASE WASHINGTON, DC -- A national public interest organization has filed a "friend of the court" brief in the federal court of appeals, calling into question the Commonwealth of Virginia's practice of requiring citizens to provide their Social Security numbers in order to vote. Computer Professionals for Social Responsibility (CPSR) alleges that Virginia is violating constitutional rights and creating an unnecessary privacy risk. The case arose when a Virginia resident refused to provide his Social Security number (SSN) to a county registrar and was denied the right to register to vote. Virginia is one of a handful of states that require voters to provide an SSN as a condition of registration. While most states that require the number impose some restrictions on its public dissemination, Virginia allows unrestricted public inspection of voter registration data -- including the SSN. Marc A. Greidinger, the plaintiff in the federal lawsuit, believes that the state's registration requirements violate his privacy and impose an unconstitutional burden on his exercise of the right to vote. The CPSR brief, filed in the Fourth Circuit Court of Appeals in Richmond, supports the claims made by Mr. Greidinger. CPSR notes the long-standing concern of the computing community to design safe information systems, and the particular effort of Congress to control the misuse of the SSN. The organization cites federal statistics showing that the widespread use of SSNs has led to a proliferation of fraud by criminals using the numbers to gain driver's licenses, credit and federal benefits. The CPSR brief further describes current efforts in other countries to control the misuse of national identifiers, like the Social Security number. Marc Rotenberg, the Director of the CPSR Washington Office said that "This is a privacy issue of constitutional dimension. The SSN requirement is not unlike the poll taxes that were struck down as unconstitutional in the 1960s. Instead of demanding the payment of money, Virginia is requiring citizens to relinquish their privacy rights before being allowed in the voting booth." CPSR argues in its brief that the privacy risk created by Virginia's collection and disclosure of Social Security numbers is unnecessary. The largest states in the nation, such as California, New York and Texas, do not require SSNs for voter registration. CPSR points out that California, with 14 million registered voters, does not need to use the SSN to administer its registration system, while Virginia, with less than 3 million voters, insists on its need to demand the number. David Sobel, CPSR Legal Counsel, said "Federal courts have generally recognized that there is a substantial privacy interest involved when Social Security numbers are disclosed. We are optimistic that the court of appeals will require the state to develop a safer method of maintaining voting records." CPSR has led a national campaign to control the misuse of the Social Security Number. Earlier this year the organization testified at a hearing in Congress on the use of the SSN as a National Identifier. CPSR urged lawmakers to respect the restriction on the SSN and to restrict its use in the private sector. The group also participated in a federal court challenge to the Internal Revenue Service's practice of displaying taxpayers' SSNs on mailing labels. CPSR is also undertaking a campaign to advise individuals not to disclose their Social Security numbers unless provided with the legal reason for the request. CPSR is a national membership organization, with 2,500 members, based in Palo Alto, CA. For membership information contact CPSR, P.O. Box 717, Palo Alto, CA 94303, (415) 322-3778, cpsr@csli. stanford.edu. For more information contact: Marc Rotenberg, Director David Sobel, Legal Counsel CPSR Washington Office (202) 544-9240 rotenberg@washofc.cpsr.org sobel@washofc.cpsr.org Paul Wolfson, attorney for Marc A. Greidinger Public Citizen Litigation Group (202) 833-3000 ------------------------------ Date: Tue, 14 Jul 1992 21:05:54 -0400 From: Christopher Davis <ckd@EFF.ORG> Subject: File 3--EFF hires Cliff Figallo as director of Cambridge office +=========+=================================================+===========+ | F.Y.I. |Newsnote from the Electronic Frontier Foundation|July 14,1992| +=========+=================================================+===========+ CLIFF FIGALLO OF THE WELL NAMED DIRECTOR OF EFF's CAMBRIDGE OFFICE Cambridge, Massachusetts July 14,1992 Cliff Figallo, former director of the Whole Earth 'Lectronic Link (The WELL), has accepted the position of Director of the Electronic Frontier Foundation's Cambridge office. His duties will include developing that office's outreach programs, increasing active EFF membership, and expanding overall awareness of EFF's programs in the computer- conferencing community and the world at large. In announcing the appointment today, Mitchell Kapor, President of EFF, said: "I'm delighted that Cliff Figallo will be joining the EFF to head its Cambridge office. Cliff brings 20 years of experience in forming both intentional and virtual communities. We know he will put these skills to excellent use in helping EFF build its ties to the online community.We're all looking forward to working with him closely." Figallo is well-known in computer conferencing circles as the one who from 1986 to the present guided the WELL through its formative years. Working with a small staff, many volunteers and limited funding, he helped develop the WELL into one of the world's most influential computer conferencing systems. When EFF was founded it used the WELL as its primary means of online communication. Commenting on the appointment of Figallo, Stewart Brand, creator of The Whole Earth Catalogue, one of the founders of The WELL and a member of the EFF Board of Directors, said: "As an exemplary manager of EFF's initial habitat, the WELL, Cliff brings great contextual experience to his new job. Best of all for us on the WELL, he won't even be leaving, electronically speaking. Cambridge is only several keystrokes from Sausalito." Contacted at his home in Mill Valley today, Figallo stated: "I'm very thankful for the opportunity to take part one of the critical missions of our time -- the opening of new channels of person-to-person communication in the world, and the protection of existing channels from naive or excessive regulation and restriction. "Pioneers in electronic or telecommunications media are establishing new definitions and structures for education, community, and co-operation every day. They are developing tools and systems which may prove to be vital to the salvation of the planet. This work must go on. "I look forward to helping EFF communicate the importance of events on the Electronic Frontier to current and future settlers, and to those who would, through unwise use of power, stifle the continued exploration and settling of this new realm of the mind and the human spirit." Figallo will assume his duties in September of this year. For more information contact: Gerard Van der Leun Electronic Frontier Foundation 155 Second Street Cambridge, MA 02141 Phone: +1 617 864 0665 FAX: +1 617 864 0866 Internet: van@eff.org +=====+===================================================+=============+ | EFF |155 Second Street, Cambridge MA 02141 (617)864-0665| eff@eff.org | +=====+===================================================+=============+ ------------------------------ Date: 18 Jul 92 18:29:39 CDT From: mcmullen@well.sf.ca.us Subject: File 4--New York Hackers Plead Not Guilty (NEWSBYTES REPRINT) NEW YORK, N.Y., U.S.A., 1992 JULY 17 (NB) --At an arraignment in New York Federal Court on Thursday, July 16th, the five New York "hackers", recently indicted on charges relating to alleged computer intrusion, all entered pleas of not guilty and were released after each signed a personal recognizance (PRB) bond of $15,000 to guarantee continued appearances in court. The accused, Mark Abene also known as"Phiber Optik"; Julio Fernandez a/k/a "Outlaw"; Elias Ladopoulos a/k/a "Acid Phreak"; John Lee a/k/a "Corrupt"; and Paul Stira a/k/a "Scorpion", were indicted on July 8th on 11 counts alleging various computer and communications related crimes --although all five were indicted together, each in not named in all eleven counts and the maximum penalties possible under the charges vary from 5 years imprisonment and a $250,000 fine (Stira) to 40 years imprisonment and a $2 million fine (Lee). As part of the arraignment process, United States District Judge Richard Owen was assigned as the case's presiding judge and a pre-trial meeting between the judge and the parties involved. Charles Ross, attorney for John Lee, told Newsbytes "John Lee entered a not guilty plea and we intend to energetically and aggressively defend against the charges made against him." Ross also explained the procedures that will be in effect in the case, saying "We will meet with the judge and he will set a schedule for discovery and the filing of motions. The defense will have to review the evidence that the government has amassed before it can file intelligent motions and the first meeting is simply a scheduling one." Marjorie Peerce, attorney for Stira, told Newsbytes "Mr. Stira has pleaded not guilty and will continue to plead not guilty. I am sorry to see the government indict a 22 year old college student for acts that he allegedly committed as a 19 year old." The terms of the PRB signed by the accused require them to remain within the continental United States. In requesting the bond arrangement, Assistant United States Attorney Stephen Fishbein referred to the allegations as serious and requested the $15,000 bond with the stipulation that the accused have their bonds co-signed by parents. Abene, Fernandez and Lee, through their attorneys, agreed to the bond as stipulated while the attorneys for Ladopoulos and Stira requested no bail or bond for their clients, citing the fact that their clients have been available, when requested by authorities, for over a year. After consideration by the judge, the same $15,000 bond was set for Ladopoulos and Stira but no co-signature was required. (Barbara E. McMullen & John F. McMullen//19920717) ------------------------------ Date: 21 Jul 92 19:21:06 EDT From: Gordon Meyer <72307.1502@COMPUSERVE.COM> Subject: File 5--Time Magazine Computer Analyst Arrested for Alleged Faud ((A little news tidbit to take in consideration next time we hear, a la operation SunDevil, of all the 'hackers' that are active in CC fraud)). Time Magazine Computer Analyst Arrested for Alleged Faud A computer analyst, Thomas Ferguson, 44, who worked at Time magazine's Tampa, Fla., customer service headquarters has been arrested after allegations he sold thousands of subscribers' credit card numbers for $1 apiece. Ferguson has been with the magazine for 18 months, faces four counts of trafficking in credit cards, authorities said. Police found computer disks containing the credit card numbers of about 80,000 subscribers at Ferguson's Clearwater, Fla., home. Authorities said they met Ferguson four times to buy about 3,000 credit card numbers since being tipped off to the scheme in June. Time executives say that all credit card customers should examine their credit card bills closely. If unauthorized purchases show up, they should call the financial institution that issued the card. (Reprinted from STReport 8.29 with permission.) ------------------------------ End of Computer Underground Digest #4.32