Computer underground Digest    Tue July 21, 1992   Volume 4 : Issue 32

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Copy Editor: Etaion Shrdlu, Jr.
       Archivist: Brendan Kehoe
       Archivist in spirit: Bob Kusumoto
       Shadow-Archivist: Dan Carosone

CONTENTS, #4.32 (July 21, 1992)
File 1--The NSA Papers
File 2--CPSR Challenges Virginia SS
File 3--EFF hires Cliff Figallo as director of Cambridge office
File 4--New York Hackers Plead Not Guilty (NEWSBYTES REPRINT)
File 5--Time Magazine Computer Analyst Arrested for Alleged Faud

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost at tk0jut2@mvs.cso.niu.edu. The editors may be
contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail to:
Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.
Issues of CuD can also be found in the Usenet alt.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT
libraries; from American Online in the PC Telecom forum under
"computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; and by
anonymous ftp from ftp.eff.org (192.88.144.4) and ftp.ee.mu.oz.au
European distributor: ComNet in Luxembourg BBS (++352) 466893.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted as long as the source
is cited.  Some authors do copyright their material, and they should
be contacted for reprint permission.  It is assumed that non-personal
mail to the moderators may be reprinted unless otherwise specified.
Readers are encouraged to submit reasoned articles relating to
computer culture and communication.  Articles are preferred to short
responses.  Please avoid quoting previous posts unless absolutely
necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

----------------------------------------------------------------------

Date: Wed, 24 Jun 92 18:10:02 CDT
From: Joe.Abernathy@HOUSTON.CHRON.COM(Joe Abernathy)
Subject: File 1--The NSA Papers

  The following is the written response to my request for an intereview
with the NSA. To the best of my knowledge, and according to their
claims, it is the government's first complete answer to the many
questions and allegations that have been made in regards to the matter
of cryptography.

   I would like to invite reaction from any qualified readers who care
to address any of the issues raised herein. Please mail to
edtjda@chron.com (713) 220-6845.



   NATIONAL SECURITY AGENCY
   CENTRAL SECURITY SERVICE
   Serial: Q43-11-92 9


10 June 1992
Mr. Joe Abernathy
Houston Chronicle
P.O. Box 4260
Houston, TX 77210


 Dear Mr. Abernathy:


   Thank you for your inquiry of 3 June 1992 on the

subject of cryptography. Attached please find answers

to the questions that you provided our Agency. If

any further assistance is needed, please feel free

to contact me or Mr. Jerry Volker of my staff on (xxx)

xxx-xxxx.


   Sincerely,


   MICHAEL S.CONN

   Chief
   Information Policy

ENCL:


   1. Has the NSA ever imposed or attempted to impose
a weakness on any cryptographic code to see if it
can thus be broken?

   One of NSA's missions is to provide the means for
protecting U.S. government and military communications
and information systems related to national security.
In fulfilling this mission we design cryptologic codes
based on an exhaustive evaluation process to ensure
to the maximum extent possible that information systems
security products that we endorse are free from any
weaknesses. Were we to intentionally impose weaknesses
on cryptologic codes for use by the U.S. government,
we would not be fulfilling our mission to provide
the means to protect sensitive U.S. government and
military communications and our professional integrity
would be at risk.

   2. Has the NSA ever imposed or attempted
to impose a weakness on the DES or DSS?

   Regarding the Data Encryption Standard (DES), we
believe that the public record from the Senate Committee
for Intelligence's investigation in 1978 into NSA's
role in the development of the DES is responsive to
your question. That committee report indicated that
NSA did not tamper with the design of the algorithm
in any way and that the security afforded by the
DES was more than adequate for at least a 5-10 year
time span for the unclassified data for which it was
intended. In short, NSA did not impose or attempt
to impose any weakness on the DES.

   Regarding the draft Digital Signature Standard
(DSS), NSA never imposed any weakness or attempted
to impose any weakness on the DSS.

    3. Is the NSA aware of any weaknesses in the
DES or the DSS? The RSA?

   We are unaware of any weaknesses in the DES or
the DSS when properly implemented and used for the
purposes for which they both are designed. We do not
comment on nongovernment systems.

   Regarding the alleged trapdoor in the DSS. We
find the term trapdoor somewhat misleading since
it implies that the messages sent by the DSS are encrypted
and with access via a trapdoor one could somehow decrypt
(read) the message without the sender's knowledge.
The DSS does not encrypt any data. The real issue
is whether the DSS is susceptible to someone forging
a signature and therefore discrediting the entire
system. We state categorically that the chances of
anyone - including NSA - forging a signature with
the DSS when it is properly used and implemented is
infinitesimally small.

   Furthermore, the alleged trapdoor vulnerability
is true for ANY public key-based authentication system,
including RSA. To imply somehow that this only affects
the DSS (a popular argument in the press) is totally
misleading. The issue is one of implementation and
how one goes about selecting prime numbers. We call
your attention to a recent EUROCRYPT conference which
had a panel discussion on the issue of trapdoors in
the DSS. Included on the panel was one of the Bellcore
researchers who initially raised the trapdoor allegation,
and our understanding is that the panel - including
the person from Bellcore - concluded that the alleged
trapdoor was not an issue for the DSS. Furthermore,
the general consensus appeared to be that the trapdoor
issue was trivial and had been overblown in the press.
However, to try to respond to the trapdoor allegation,
at NIST's request, we have designed a prime generation
process which will ensure that one can avoid selection
of the relatively few weak primes which could lead
to weakness in using the DSS. Additionally, NIST intends
to allow for larger modulus sizes up to 1024 which
effectively negates the need to even use the prime
generation process to avoid weak primes. An additional
very important point that is often overlooked is that
with the DSS the primes are PUBLIC and therefore can
be subject to public examination. Not all public key
systems provide for this same type of examination.

   The integrity of any information security system
requires attention to proper implementation. With
the myriad of vulnerabilities possible given the differences
among users, NSA has traditionally insisted on centralized
trusted centers as a way to minimize risk to the system.
While we have designed technical modifications to
the DSS to meet NIST's requests for a more decentralized
approach, we still would emphasize that portion of
the Federal Register notice for the DSS which states:
While it is the intent of this standard to specify
general security requirements for generating digital
signatures, conformance to this standard does not assure
that a particular implementation is secure. The responsible
authority in each agency or department shall assure
that an overall implementation provides an acceptable
level of security. NIST will be working with government
users to ensure appropriate implementations.

   Finally, we have read all the arguments purporting
insecurities with the DSS, and we remain unconvinced
of their validity. The DSS has been subjected to intense
evaluation within NSA which led to its being endorsed
by our Director of Information Systems Security for
use in signing unclassified data processed in certain
intelligence systems and even for signing classified
data in selected systems. We believe that this approval
speaks to the lack of any credible attack on the
integrity provided by the DSS given proper use and
implementation. Based on the technical and security
requirements of the U.S. government for digital signatures,
we believe the DSS is the best choice. In fact, the
DSS is being used in a pilot project for the Defense
Message System to assure the authenticity of electronic
messages of vital command and control information.
This initial demonstration includes participation from
the Joint Chiefs of Staff, the military services,
and Defense Agencies and is being done in cooperation
with NIST.

      4. Has the NSA ever taken advantage of
any weaknesses in the DES or the DSS?

   We are unaware of any weaknesses in the DSS or
in the DES when properly implemented and used for the
purposes for which they both are designed.

 5. Did the NSA play a role in designing the DSS? Why, in the
NSA's analysis, was it seen as desirable to create
the DSS when the apparently more robust RSA already
stood as a de facto standard?

   Under the Computer Security Act of 1987, NIST is
to draw upon computer systems technical security guidelines
of NSA where appropriate and to coordinate closely
with other agencies, including NSA, to assure:

   a. maximum use of all existing and planned programs,
materials, and reports relating to computer systems
security and privacy, in order to avoid unnecessary
and costly duplication of effort; and

   b. that standards developed by NIST are consistent
and compatible with standards and procedures developed
for the protection of classified systems.

   Consistent with that law and based on a subsequent
Memorandum of Understanding (MOU) between NSA and NIST,
NSA's role is to be responsive to NIST's requests
for assistance in developing, evaluating, or researching
cryptographic algorithms and techniques. (See note
at end). In 19??, NIST requested that NSA evaluate
candidate algorithms proposed by NIST for a digital
signature standard and that NSA provide new algorithms
when existing algorithms did not meet U.S. government
requirements. In the two-year process of developing
a digital signature for U.S. government use, NIST
and NSA examined various publicly-known algorithms
and their variants, including RSA. A number of techniques
were deemed to provide appropriate protection for
Federal systems. The one selected by NIST as the draft
Digital Signature Standard was determined to be the
most suitable for reasons that were set forth in the
Federal Register announcement. One such reason was
to avoid issuance of a DSS that would result in users
outside the government having to pay royalties. Even
though the DSS is targeted for government use, eliminating
potential barriers for commercial applications is
useful to achieve economies of scale. Additionally,
there are features of the DSS which make it more attractive
for federal systems that need to have a digital signature
capability for large numbers of users. Chief mong
them are the number of trusted operation points and
system management overhead that are minimized with
the NIST proposed technique.

 6. What national interests are served by limiting the
power of cyptographic schemes used by the public?

   We call your attention to the House Judiciary committee
hearing of 29 April 1992. The Director of the FBI
expressed his concerns that law enforcement interests
in meeting responsibilities given to them by Congress
could be affected unless they had access to communications,
as was given to them by statute in 1968 (court monitored,
court sponsored, court reviewed and subject to Congressional
oversight).

   The National Security Agency has no role in limiting
the power of cryptographic schemes used by the public
within the U.S. We have always been in favor of the
use of information security technologies by U.S. businesses
to protect their proprietary information, and when
we had an information security role with private industry
(prior to the Computer Security Act of 1987), we actively
advocated use of such technologies.

    7. What national interests are served by limiting the
export of cryptographic technology?

   Cryptographic technology is deemed vital to national
security interests. This includes economic, military,
and foreign policy interests.

   We do not agree with the implications from the
House Judiciary Committee hearing of 7 May 1992 and
recent news articles that allege that U.S. export
laws prevent U.S. firms' manufacture and use of top
encryption equipment. We are unaware of any case where
a U.S. firm has been prevented from manufacturing
and using encryption equipment within this country
or for use by the U.S. firm or its subsidiaries in
locations outside the U.S. because of U.S. export restrictions.
In fact, NSA has always supported the use of encryption
by U.S. businesses operating domestically and overseas
to protect sensitive information.

   For export to foreign countries, NSA as a component
of the Department of Defense (along with the Department
of State and the Department of Commerce) reviews export
licenses for information security technologies controlled
by the Export Administration Regulations or the international
Traffic in Arms Regulations. Similar export control
systems are in effect in all the Coordinating Committee
for Multilateral Export Controls (CoCom) countries
as well as many non-CoCom countries as these technologies
are universally considered as sensitive. Such technologies
are not banned from export and are reviewed on a case-by-case
basis. As part of the export review process, licenses
may be required for these systems and are reviewed
to determine the effect such export could have on
national security interests - including economic,
military, and political security interests. Export
licenses are approved or denied based upon the type
of equipment involved, the proposed end-use and the
end-user.

   Our analysis indicates that the U.S. leads the
world in the manufacture and export of information
security technologies. Of those cryptologic products
referred to NSA by the Department of State for export
licenses, we consistently approve over 90%. Export
licenses for information security products under the
jurisdiction of the Department of Commerce are processed
and approved without referral to NSA or DoD. This includes
products using such techniques as the DSS and RSA
which provide authentication and access control to
computers or networks. In fact, in the past NSA has
played a major role in successfully advocating the
relaxation of export controls on RSA and related technologies
for authentication purposes. Such techniques are extremely
valuable against the hacker problem and unauthorized
use of resources.

      8. What national interests are at
risk, if any, if secure cryptography is widely available?

   Secure cryptography widely available outside the
United States clearly has an impact on national security
interests including economic, military, and political.

   Secure cryptography within the United States may
impact law enforcement interests.

    9. What does the NSA see as its legitimate interests in
the area of cryptography?  Public cryptography?

   Clearly one of our interests is to protect U.S.
government and military communications and information systems
related to national security. As part of that mission,
we stay abreast of activities in public cryptography.

   10. How did NSA enter into negotiations with the Software
Publishers Association regarding the export of products
utilizing cryptographic techniques? How was this group
chosen, and to what purpose? What statute or elected
representative authorized the NSA to engage in the
discussions?

   The Software Publishers Association (SPA) went
to the National Security Advisor to the President
to seek help from the Administration to bring predictability,
clarity, and speed to the process for exporting mass
market software with encryption. The National Security
Advisor directed NSA to work wth the mass market software
representatives on their request.

 ii. What is the status of these negotiations?

   These negotiations are ongoing.

 12. What is the status of export controls on products using
cryptographic techniques? How would you respond to those who
point to the fact that the expot of RSA from the U.S. is
controlled, but that its import into the U.S. is not?

   To the best of our knowledge, most countries who
manufacture cryptographic products regulate the export
of such products from their countries by procedures
similar to those existing within the U.S. Some even
control the import into their countries. The U.S.
complies with the guidelines established by CoCom
for these products.

   Regarding the export of RSA from the U.S., we are
unaware of any restrictions that have been placed
on the export of RSA for authentication purposes.

13. What issues would you like to discuss that I have
not addressed?

   None.

 14. What question or questions would you
like to pose of your critics?

   None.

 NOTE: To clarify misunderstandings regarding
this Memorandum of Understanding (MOU); this MOU does
not provide NSA any veto power over NIST proposals.
As was discussed publicly in 1989, the MOU provides
that if there is an issue that can not be resolved
between the two agencies, then such an issue may be
referred to the President for resolution. Enclosed
please find a copy of subject MOU which has been made
freely available in the past by both NSA and NIST
to all requestors. At the House Judiciary Committee
hearings on 7 May 1992, the Director of NIST responded
that he had never referred an issue to the White House
since his assumption of Directorship in 1990.

   MEMORANDUM OF UNDERSTANDING

   BETWEEN

   THE DIRECTOR OF THE NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY

   AND

   THE DIRECTOR OF THE NATIONAL SECURITY AGENCY

   CONCERNING

   THE IMPLEMENTATION OF PUBLIC LAW 100-235 Recognizing
that:

   A. Under Section 2 of the Computer Security Act
of 1987 (Public Law 100-235), (the Act), the National
Institute of Standards and Technology (NIST) has the
responsibility within the Federal Government for:

   1. Developing technical, management, physical,
and administrative standards and guidelines for the
cost-effective security ad privacy of sensitive information
in Federal computer systems as defined in the Act;
and,

   2. Drawing on the computer system technical security
guidelines of the National Security Agency (NSA) in
this regard where appropriate.

   B. Under Section 3 of the Act, the NIST is to coordinate
closely with other agencies and offices, including
the NSA, to assure:

   1. Maximum use of all existing and planned programs,
materials, studies, and reports relating to computer
systems security and privacy, in order to avoid unnecessary
and costly duplication of effort; and, - 2. To the
maximum extent feasible, that standards developed
by the NIST under the Act are consistent and compatible
with standards and procedures developed for the protection
of classified information in Federal computer systems.

   C. Under the Act, the Secretary of Commerce has
the responsibility, which he has delegated to the
Director of NIST, for appointing the members of the
Computer System Security and Privacy Advisory Board,
at least one of whom shall be from the NSA. Therefore,
in furtherance of the purposes of this MOU, the Director
of the NIST and the Director of the NSA hereby agree
as follows:

   The NIST will:

   1. Appoint to the Computer Security and Privacy
Advisory Board at least one representative nominated by
the Director of the NSA.

   2. Draw upon computer system technical security
guidelines developed by the NSA to the extent that the NIST
determines that such guidelines are consistent with the requirements
tor protecting sensitive information in Federal computer
systems.

   3. Recognize the NSA-certified rating of evaluated
trusted systems under the Trusted Computer Security Evaluation
Criteria Program without requiring additional evaluation.

   4. Develop telecommunications security standards
for protecting sensitive unclassified computer data, drawing
upon the expertise and products of the National Security
Agency, to the ratest extent possible, in meeting
these responsibilities in a timely and cost effective manner

   5. Avoid duplication where possible in entering
into mutually agreeable arrangements with the NSA for
the NSA support.

   6. Request the NSA's assistance on all matters
related to cryptographic algorithms and cryptographic techniques
including but not limited to research, development valuation,
or endorsement. . - I

   II. The NSA will:

   1. Provide the NIST with technical guidelines in
trusted technology, telecommunications security, and personal
-identification that may be used in cost-effective
systems for protecting sensitive computer data.

   2. Conduct or initiate research and development
programs in trusted technology, telecommunications security,
cryptographic techniques and personal identification methods.

   3. Be responsive to the NIST's requests for assistance
in respect to all matters related to cryptographic
algorithms and cryptographic techniques including but not limited
to research, development, evaluation, or endorsement.

   4. Establish the standards and endorse products
for application to secure systems covered in 10 USC
Section 2315 (the  Warner Amendment).

   5 Upon request by Federal agencies5 their contractors
and other government-sponsored entities, conduct assessments
of the hostile intelligence threat to federal information
systems, and provide technical assistance and recommend endorsed
products for application to secure systems against that threat.

   iii. The NIST and the NSA shall:

   1. Jointly review agency plans for the security and
-privacy of computer systems submitted to NIST and NSA pursuant
to section 6(b) of the Act.'

   2. Exchange technical standards and guidelines
as necessary to achieve the purposes of the Act.

   3. Work together to achieve the purposes of this
memorandum with the greatest efficiency possible, avoiding
unnecessary duplication of effort.

   4. Maintain an ongoing, open dialogue to ensure
that each organization remains abreast of emerging technologies
and issues effecting automated information system security
in computer-based systems.

   5. Establish a Technical Working Group to review
and analyze issues of mutual interes pertinent to protection
of systems that process sensitive or other unclassified-information.
The Group shall be composed of six federal employees, three
each selected by NIST and NSA and to be augmented as necessary by
representatives of other agencies. Issues may be referred to the
group by either  the NSA Deputy Director for Information Security
or the NIST Deputy Director or may be generated -and addressed
by the group upon approval by the NSA DDI or NIST Deputy Director.
Within days of the referral of an issue to the Group by
either the NSA Deputy Director for Information Security or the
NIST Deputy .Director, the Group will respond with
a progress report and pan for further analysis, if any.

   6. Exchange work plans on an annual basis on all
research and development projects pertinent to protection
of systems that process sensitive or other unclassified information,
including trusted technology, technology for protecting the
integrity and availability of data, telecommunications security
and personal identification methods. Project updates will be
exchanged quarterly, and project reviews will be provided
by either party upon request of he other party.

   7. Ensure the Technical Working Group reviews prior
to public disclosure all matters regarding technical_systems
security techniques to be developed for use in protecting
sensitive information in federal computer systems to ensure
they are consistant with the national security of the
United States. If NIST and NSA are unable to resolve
such an issue within 60 days, either _ agency may elect
to raise the issue to the Secretary of Defense and
the Secretary of Commerce. It is recognized that such
an issue may be referred to the President through
the NSC for resolution. No action shall be taken on
such an issue until it is resolved.

   8. Specify additional operational agreements in
annexes to this MOU as they. are agreed to by NSA
and NIST.

   IV. Either party may elect to terminate this MOU
upon six months written notice. This MO& is effective
upon approval of both signatories.

   RAYMOND G. KAMMER W. 0. STUDEMAN

   Acting Director Vice Admiral, U.S. Navy National
Institut of Director Standards and Technology National
Security Agency

------------------------------

From: David Sobel <dsobel@WASHOFC.CPSR.ORG>
Date: Tue, 30 Jun 1992 17:29:04 EDT
Subject: File 2--CPSR Challenges Virginia SS

June 30, 1992

                CPSR Challenges Virginia SSN Practice
PRESS RELEASE

WASHINGTON, DC -- A  national public interest organization has filed a
"friend of the court" brief in the federal court of appeals, calling
into question the Commonwealth of Virginia's practice of requiring
citizens to provide their Social Security numbers in order to vote.
Computer Professionals for Social Responsibility (CPSR) alleges that
Virginia is violating constitutional rights and creating an
unnecessary privacy risk.

The case arose when a Virginia resident refused to provide his Social
Security number (SSN) to a county registrar and was denied the right
to register to vote.  Virginia is one of a handful of states that
require voters to provide an SSN as a condition of registration.
While most states that require the number impose some restrictions on
its public dissemination, Virginia allows unrestricted public
inspection  of voter registration data -- including the SSN.  Marc A.
Greidinger, the plaintiff in the federal lawsuit, believes that the
state's registration requirements violate his privacy and impose an
unconstitutional burden on his exercise of the right to vote.

The CPSR brief, filed in the Fourth Circuit Court of Appeals in
Richmond, supports the claims made by Mr. Greidinger.  CPSR notes the
long-standing concern of the  computing community to design safe
information systems, and the particular effort of Congress to control
the misuse of the SSN.   The organization cites federal statistics
showing that the widespread use of SSNs has led to a proliferation of
fraud by criminals using the numbers to gain driver's licenses, credit
and federal benefits.  The CPSR brief further describes current
efforts in other countries to control the misuse of national
identifiers, like the Social Security number.

Marc Rotenberg, the Director of the CPSR Washington Office said that
"This is a privacy issue of constitutional dimension.  The SSN
requirement is not unlike the poll taxes that were struck down as
unconstitutional in the 1960s.  Instead of demanding the payment of
money, Virginia is requiring citizens to relinquish their privacy
rights before being allowed in the voting booth."

CPSR argues in its brief that the privacy risk created by Virginia's
collection and disclosure of Social Security numbers is unnecessary.
The largest states in the nation, such as California, New York and
Texas, do not require SSNs for voter registration.  CPSR points out
that California, with 14 million registered voters, does not need to
use the SSN to administer its registration system, while Virginia,
with less than 3 million voters, insists on its need to demand the
number.

David Sobel, CPSR Legal Counsel, said "Federal courts have generally
recognized that there is a substantial privacy interest involved when
Social Security numbers are disclosed.  We are optimistic that the
court of appeals will require the state to develop a safer method of
maintaining voting records."

CPSR has led a national campaign to control the misuse of the Social
Security Number.   Earlier this year the organization testified at a
hearing in Congress on the use of the  SSN as a National Identifier.
CPSR urged lawmakers to respect the restriction on the SSN and to
restrict its use in the private sector.   The group also participated
in a federal court challenge to the Internal Revenue Service's
practice of displaying taxpayers' SSNs on mailing labels.  CPSR is
also undertaking a campaign to advise  individuals not to disclose
their Social Security numbers unless provided with the legal reason
for the request.

CPSR is a national membership organization, with 2,500 members, based
in Palo Alto, CA.  For membership information contact CPSR, P.O. Box
717, Palo Alto, CA 94303, (415) 322-3778, cpsr@csli.  stanford.edu.


For more information contact:

Marc Rotenberg, Director
David Sobel, Legal Counsel
CPSR Washington Office
(202) 544-9240
rotenberg@washofc.cpsr.org
sobel@washofc.cpsr.org

Paul Wolfson, attorney for Marc A. Greidinger
Public Citizen Litigation Group
(202) 833-3000

------------------------------

Date: Tue, 14 Jul 1992 21:05:54 -0400
From: Christopher Davis <ckd@EFF.ORG>
Subject: File 3--EFF hires Cliff Figallo as director of Cambridge office

+=========+=================================================+===========+
|  F.Y.I. |Newsnote from the Electronic Frontier Foundation|July 14,1992|
+=========+=================================================+===========+

   CLIFF FIGALLO OF THE WELL NAMED DIRECTOR OF EFF's CAMBRIDGE OFFICE

Cambridge, Massachusetts                                    July 14,1992

Cliff Figallo, former director of the Whole Earth 'Lectronic Link (The
WELL), has accepted the position of Director of the Electronic Frontier
Foundation's Cambridge office. His duties will include developing that
office's outreach programs, increasing active EFF membership, and
expanding overall awareness of EFF's programs in the computer-
conferencing community and the world at large.

In announcing the appointment today, Mitchell Kapor, President of EFF,
said: "I'm delighted that Cliff Figallo will be joining the EFF to head
its Cambridge office.  Cliff brings 20 years of experience in forming
both intentional and virtual communities. We know he will put these
skills to excellent use in helping EFF build its ties to the online
community.We're all looking forward to working with him closely."

Figallo is well-known in computer conferencing circles as the one who
from 1986 to the present guided the WELL through its formative years.
Working with a small staff, many volunteers and limited funding, he
helped develop the WELL into one of the world's most influential
computer conferencing systems. When EFF was founded it used the WELL as
its primary means of online communication.

Commenting on the appointment of Figallo, Stewart Brand, creator of The
Whole Earth Catalogue, one of the founders of The WELL and a member of
the EFF Board of Directors, said: "As an exemplary manager of EFF's
initial habitat, the WELL, Cliff brings great contextual experience to
his new job.  Best of all for us on the WELL, he won't even be leaving,
electronically speaking. Cambridge is only several keystrokes from
Sausalito."

Contacted at his home in Mill Valley today, Figallo stated: "I'm very
thankful for the opportunity to take part one of the critical missions
of our time -- the opening of new channels of person-to-person
communication in the world, and the protection of existing channels from
naive or excessive regulation and restriction.

"Pioneers in electronic or telecommunications media are establishing new
definitions and structures for education, community, and co-operation
every day. They are developing tools and systems which may prove to be
vital to the salvation of the planet. This work must go on.

"I look forward to helping EFF communicate the importance of events on
the Electronic Frontier to current and future settlers, and to those who
would, through unwise use of power, stifle the continued exploration and
settling of this new realm of the mind and the human spirit."

Figallo will assume his duties in September of this year.

For more information contact:
Gerard Van der Leun
Electronic Frontier Foundation
155 Second Street
Cambridge, MA 02141
Phone: +1 617 864 0665
FAX:   +1 617 864 0866
Internet: van@eff.org

+=====+===================================================+=============+
| EFF |155 Second Street, Cambridge MA 02141 (617)864-0665| eff@eff.org |
+=====+===================================================+=============+

------------------------------

Date: 18 Jul 92 18:29:39 CDT
From: mcmullen@well.sf.ca.us
Subject: File 4--New York Hackers Plead Not Guilty (NEWSBYTES REPRINT)

NEW YORK, N.Y., U.S.A., 1992 JULY 17 (NB) --At an arraignment in New
York Federal Court on Thursday, July 16th, the five New York
"hackers", recently indicted on charges relating to alleged computer
intrusion, all entered pleas of not guilty and were released after
each signed a personal recognizance (PRB) bond of $15,000 to guarantee
continued appearances in court.

The accused, Mark Abene also known as"Phiber Optik"; Julio Fernandez
a/k/a "Outlaw"; Elias Ladopoulos a/k/a "Acid Phreak"; John Lee a/k/a
"Corrupt"; and Paul Stira a/k/a "Scorpion", were indicted on July 8th
on 11 counts alleging various computer and communications related
crimes --although all five were indicted together, each in not named
in all eleven counts and the maximum penalties possible under the
charges vary from 5 years imprisonment and a $250,000 fine (Stira) to
40 years imprisonment and a $2 million fine (Lee).

As part of the arraignment process, United States District Judge
Richard Owen was assigned as the case's presiding judge and a
pre-trial meeting between the judge and the parties involved.

Charles Ross, attorney for John Lee, told Newsbytes "John Lee entered
a not guilty plea and we intend to energetically and aggressively
defend against the charges made against him."

Ross also explained the procedures that will be in effect in the case,
saying "We will meet with the judge and he will set a schedule for
discovery and the filing of motions. The defense will have to review
the evidence that the government has amassed before it can file
intelligent motions and the first meeting is simply a scheduling one."

Marjorie Peerce, attorney for Stira, told Newsbytes "Mr. Stira has
pleaded not guilty and will continue to plead not guilty. I am sorry
to see the government indict a 22 year old college student for acts
that he allegedly committed as a 19 year old."

The terms of the PRB signed by the accused require them to remain
within the continental United States. In requesting the bond
arrangement, Assistant United States Attorney Stephen Fishbein
referred to the allegations as serious and requested the $15,000 bond
with the stipulation that the accused have their bonds co-signed by
parents. Abene, Fernandez and Lee, through their attorneys, agreed to
the bond as stipulated while the attorneys for Ladopoulos and Stira
requested no bail or bond for their clients, citing the fact that
their clients have been available, when requested by authorities, for
over a year. After consideration by the judge, the same $15,000 bond
was set for Ladopoulos and Stira but no co-signature was required.

(Barbara E. McMullen & John F. McMullen//19920717)

------------------------------

Date: 21 Jul 92 19:21:06 EDT
From: Gordon Meyer <72307.1502@COMPUSERVE.COM>
Subject: File 5--Time Magazine Computer Analyst Arrested for Alleged Faud

((A little news tidbit to take in consideration next time we hear, a la
operation SunDevil, of all the 'hackers' that are active in CC fraud)).

       Time Magazine Computer Analyst Arrested for Alleged Faud

A computer analyst, Thomas Ferguson, 44, who worked at Time magazine's
Tampa, Fla., customer service headquarters has been arrested after
allegations he sold thousands of subscribers' credit card numbers for
$1 apiece.  Ferguson has been with the magazine for 18 months, faces
four counts of trafficking in credit cards, authorities said.

Police found computer disks containing the credit card numbers of
about 80,000 subscribers at Ferguson's Clearwater, Fla., home.
Authorities said they met Ferguson four times to buy about 3,000
credit card numbers since being tipped off to the scheme in June.

Time executives say that all credit card customers should examine
their credit card bills closely.  If unauthorized purchases show up,
they should call the financial institution that issued the card.
           (Reprinted from STReport 8.29 with permission.)

------------------------------

End of Computer Underground Digest #4.32