Computer underground Digest    Sun Aug 16, 1992   Volume 4 : Issue 36

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Copy Editor: Etaion Shrdlu, III
       Archivist: Brendan Kehoe
       Shadow-Archivist: Dan Carosone

CONTENTS, #4.36 (Aug 16, 1992)
File 1--COMP.SOCIETY.CU-DIGEST CHANGE
File 2--Bell System Policies - in Re CuD 4.35
File 3--Bell System Policies (John's Response 1)
File 4--Bell System Policies (Jerry's Response 2)
File 5--Bell System Policies (John's Response 2)
File 6--Pacbell security - The Final Word
File 7--Brooks Statement on INSLAW Report
File 8--Special Investigator Requested for Inslaw (Press Release)
File 9--Summary of NBC's Coverage of Danny Casolaro/Inslaw
File 10--Re: Overstated? (Chic Tribune summary)
File 11--Elite Pirates? I think not.
File 12--Deferring the Piracy Debate until September
File 13--Software piracy in America's schools?

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be
contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at:
Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT
libraries; from America Online in the PC Telecom forum under
"computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; and by
anonymous ftp from ftp.eff.org (192.88.144.4) and ftp.ee.mu.oz.au
European distributor: ComNet in Luxembourg BBS (++352) 466893.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted as long as the source
is cited.  Some authors do copyright their material, and they should
be contacted for reprint permission.  It is assumed that non-personal
mail to the moderators may be reprinted unless otherwise specified.
Readers are encouraged to submit reasoned articles relating to
computer culture and communication.  Articles are preferred to short
responses.  Please avoid quoting previous posts unless absolutely
necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

----------------------------------------------------------------------

Date:  Fri, 14 Aug, 1992 17:15:32 CDT
From: CuD Moderators <tk0jut2@mvs.cso.niu.edu>
Subject: File 1--COMP.SOCIETY.CU-DIGEST CHANGE

Chip Rosenthal reminds everybody:

     The comp.society.cu-digest newsgroup has been created.  Effective
     immediately, the CuD will be cross-posted into both the old alt
     group and the new comp group.  After about a month's time to
     allow for changeover, I will delete the old alt group and send it
     only to the comp group.

SO: If you're reading CuD as an ALT group, BE SURE TO unjoin and
join COMP.SOCIETY.CU-DIGEST instead.

Chip took the initiative for the change, managed the discussion on
newss.groups, and is making the transition smooth and easy.

THANKS CHIP!! NICE JOB!!

------------------------------

Date: Mon, 10 Aug 1992 15:51:38 GMT
From: jmcarli@SRV.PACBELL.COM(Jerry M. Carlin)
Subject: File 2--Bell System Policies - in Re CuD 4.35

((MODERATORS' COMMENT: We asked Jerry Carlin and John Higdon to frame
their discussion of Bell System/Bellcore policies as a
point-counterpoint exchange. We found their discussion exceptionally
informative and commend them for putting together a stimulating
sequence of posts)).

In CuD 4.35, John Higdon wrote:

>But the policy of "The Bell System" and now Bellcore and the RBOCs
>seems to be to do nothing about any such problems and wait for some
>phreak to get caught with a hand in the cookie jar...

I'm not going to argue history but John's contention that Bellcore and
the RBOCs are doing nothing is incorrect. BTW, I work for PacBell.
Some examples:

  Bellcore has issued "Technical Advisories" on the subject of
  security including FA-NWT-000835 "Generic Framework
  Requirements for Network Element and Network System Security
  Administration Messages" and FA-STS-001324 "Framework Generic
  Requirements for X Window System Security".

  They participate in security organizations such as IEEE P1003.6
  doing security standards for POSIX (UNIX) and ISO/IEC JTC1/SC27
  and ANSI X3T4 (a mouthful :-) I personally voted on the last
  draft of P1003.6, spending quite a bit of time to try to fathom
  a very large document.  Also, a set of Bellcore security
  requirements forms a large part of a draft NIST "Minimum
  Security Functionality Requirements for Multi-User Operating
  Systems" (MSFR) document designed to replace the DoD Orange
  Book.

  They are doing work on using Kerberos and exploring OSF/DCE
  security features to increase the robustness of distributed
  applications.

  We (Pacbell) have spent millions of dollars implementing
  various security measures including security packages (RACF for
  MVS) and in using Security Dynamics "SecureID" cards for dial
  access.

  We have been working on enhancing UNIX security. Bellcore has
  developed a UNIX Security Toolkit which added many features to
  the basic scripts first outlined in the book "UNIX System
  Security" by Wood & Kochan. They added a one-week course on
  UNIX security to their curriculum. We and they now have
  security components to reviews of applications. Bellcore
  developed a set of UNIX security requirements and asked all the
  major vendors to respond. Systems security is now part of the
  purchasing decisions.

Is all of this enough? Well, that is another argument but I hope it's
clear that Bellcore and Pacbell (and the other RBOCS) are "doing
something".

++++
Jerry M. Carlin   (510) 823-2441 jmcarli@srv.pacbell.com
Alchemical Engineer and Virtual Realist

------------------------------

Date: Mon, 10 Aug 92 17:37 PDT
From: john@ZYGOT.ATI.COM(John Higdon)
Subject: File 3--Bell System Policies (John's Response 1)

jmcarli@SRV.PACBELL.COM(Jerry M. Carlin) writes:

[Lots of stuff about how Bellcore and Pac*Bell give major lip service
to security.]

But the truth of the matter is that while Bellcore may have written a
book on the matter of security, it apparently forgot to read it. Even
to this day, it is more or less a trivial matter for a knowledgeable
person to get into things he shouldn't.

If you want to have a good horse laugh, you should read the COSMOS
training manual.  This system WAS so full of holes that you could
literally set up your own phone company using Pac*Bell's network with
the company becoming none the wiser.

This has been tightened up somewhat. And how did it get tightened up?
Go down to the LA area sometime and pull the microfilm on the LA Times
and the Orange County Register and see the pictures of the evil
desperados (a bunch of sixteen year old kids) who easily penetrated
Pac*Bell and set up all manner of telephonic conveniences for
themselves using COSMOS. This took place in the mid-eighties. Pac*Bell
should have been exceedingly embarrassed.

> Is all of this enough? Well, that is another argument but I hope it's
> clear that Bellcore and Pacbell (and the other RBOCS) are "doing
> something".

Dialups into CO switches used to have no password protection
whatsoever. Now they do. That's a start, folks. So you are now
thinking about security? Good for you. It is about time. Why has it
taken so long?

------------------------------

Date: Tue, 11 Aug 92 09:01:16 PDT
From: jmcarli@SRV.PACBELL.COM(Jerry M. Carlin)
Subject: File 4--Bell System Policies (Jerry's Response 2)

> From zygot!john@apple.com Mon Aug 10 17:48:25 1992
>
> jmcarli@SRV.PACBELL.COM(Jerry M. Carlin) writes:
> [Lots of stuff about how Bellcore and Pac*Bell give major lip service
> to security.]

I don't consider spending tens of millions of dollars over the past
few years as "lip service".  If you wonder what on: such things as RACF
for MVS is not cheap. SecureID cards cost quite a bit when multiplied by
10,000 people. Getting lots of shredders costs money. Could we have spent
it more wisely. Of course, but what else is new. IMHO we've done pretty well.

> But the truth of the matter is that while Bellcore may have written a
> book on the matter of security, it apparently forgot to read it. Even
> to this day, it is more or less a trivial matter for a knowledgeable
> person to get into things he shouldn't.

It's neither easy nor quick to plug all the holes in 'swiss cheese'. The
point I'm trying to make is that we've been working on it for a number
of years and are continuing to work on it and that we've made good progress.

> ... Good for you. It is about time. Why has it taken so long?

Some of the reasons are our fault and some are not.

We have been yelling at vendors to deliver operating systems with adequate
security features and bug fixes for a number of years now. I'm REALLY
tired of having stupidities like /etc/hosts.equiv "+" and initial ID's
without passwords forcing us to do work we should not have to do to clean
it up.

Some of the problems require new technology. We REALLY want Kerberos
and/or OSF DCE but they are not ready yet.  We're just getting to the
point of having secure SNMP. When the protocols are full of security holes
it makes it kind of difficult to have true security.

By the way, my personal opinion is that the biggest security problem is
people. We can have the most secure systems in the world, and they can
even be maintained in a secure state but one successful "social engineer"
can knock all of that into a cocked hat. It is a non-trivial problem to
make sure that all legitimate calls from one employee to another get
responded to without delay while at the same time catching all those
trying to talk employees out of confidential information or into opening
up some access in the name of a (bogus) emergency.

There is a public trust issue here. If someone gets the unlisted number
of a public figure and then uses that to harass the person, it's a serious
matter. If the 911 service is disrupted lives are at stake. If someone's
conversations are intercepted illegally, we've violated an expectation of
privacy if not various laws.

While I obviously believe that John is overemphasizing the negative, his
feeling that security is vital and that we need to finish the job is one
that I share. I think it is mandatory that we do so if we want to succeed
in the coming era where any customer will have a choice between several
vendors for basic dial tone. We're getting close now with cellular and
will get closer with the next generation mobile technology.  Even the
hard-wired local loop will be opened up. We can no longer be arrogant
since "we're the phone company, after all". It's not true now and it will
be less true in the future. We're "A" phone company not "THE" phone
company.

------------------------------

Date: Wed, 12 Aug 92 14:13 PDT
From: john@ZYGOT.ATI.COM(John Higdon)
Subject: File 5--Bell System Policies (John's Response 2)

jmcarli@SRV.PACBELL.COM(Jerry M. Carlin) responds:

> It's neither easy nor quick to plug all the holes in 'swiss cheese'. The
> point I'm trying to make is that we've been working on it for a number
> of years and are continuing to work on it and that we've made good progress.

Yes, and it is important to separate "inherent insecurity" from
"sloppiness". The matter of inband signaling (from which the
publication "2600" derives its name) involved an imbedded, virtually
uncorrectable security hole. Most of these, thank heaven, are becoming
history.

But Pac*Bell, among others, is still just a wee bit sloppy on the
administrative level. Just one example:

After having eight of my residence phone numbers changed, I suddenly
realized that my Pac*Bell Calling Card was invalid. I called the
business office and explained that I wanted a new card. No problem. In
fact, I could select my own PIN. And if I did so, the card would
become usable almost immediately.

Do you see where I am going with this? No effort was made to verify
that I was who I claimed to be, even though my accounts are all
flagged with a password. (When I reminded the rep that she forgot to
ask for my password, she was highly embarrassed.) If I had been Joe
Crook, I would have a nice new Calling Card, complete with PIN, of
which the bill-paying sucker (me) would not have had any knowledge. By
the time the smoke cleared, how many calls to the Dominican Republic
could have been made?

When will Pac*Bell do something about this wide, gaping security hole?
I will tell you: when losses become significant, and/or the press gets
wind of it and some notable, visible cases go to court. So, you want
to go into the "Call Back to your Homeland Cheap" business? Call the
Pac*Bell business office, tell the rep you want a calling card for a
particular number (perferably one you do not get the bill for) and
select your own PIN (one that you can easily remember :-).

So, Pac*Bell, do you want to sue me for publishing "sensitive"
information? Or do you want to plug the hole and fix the problem? I
think by now you get the point.

------------------------------

Date: Wed, 12 Aug 92 16:45:35 PDT
From: jmcarli@SRV.PACBELL.COM(Jerry M. Carlin)
Subject: File 6--Pacbell security - The Final Word

John writes:

> But Pac*Bell, among others, is still just a wee bit sloppy on the
> administrative level. Just one example:...
>
> Do you see where I am going with this? No effort was made to verify
> that I was who I claimed to be, even though my accounts are all flagged
> with a password. (When I reminded the rep that she forgot to ask for my
> password, she was highly embarrassed.)...
>
> When will Pac*Bell do something about this wide, gaping security hole?...

All I can say is that we're trying. As I pointed out earlier in this
conversation, it all comes down to people. A mistake was made, no
doubt about it.  Can be do a better job than we are doing? We're
trying to. Is being Ok enough? As the current advertising slogan says
"Good enough isn't". This slogan has to translate into real action.

As my part in this effort, I'm going to pass all of this along so that
management realizes that a mistake was made so that action can be
taken to minimize the chances of it reoccuring. At the very least we
can remind service reps that they need to remember to verify users and
to make sure that the procedures and training are up to snuff.

Even though it is uncomfortable to be the recipients of criticism, we
need to listen to our customers, especially knowedgeable ones like
John, otherwise they will go elsewhere as competition comes to the
business.

------------------------------

Date:     Fri, 14 Aug, 1992 17:15:32 CDT
From: CuD Moderators <tk0jut2@mvs.cso.niu.edu>
Subject: File 7--Brooks Statement on INSLAW Report

Statement of Chairman Jack Brooks
Committee on the Judiciary
re:   INSLAW Report
Tuesday, August 11, 1992

(MODERATORS' COMMENT: Following is the complete text of Jack Brooks
(Texas), chair of the House Judiciary Committee, summarizing the
findings of the Committee's investigation into the dispute between
INSLAW and the U.S. Department of Justice).

THE LAST ITEM ON OUR AGENDA TODAY IS THE CONSIDERATION OF THE
INVESTIGATIVE REPORT "THE INSLAW AFFAIR," WHICH WITHOUT OBJECTION WILL
BE CONSIDERED AS READ.

THIS REPORT DESCRIBES THE COMMITTEE'S INVESTIGATION INTO SERIOUS
ALLEGATIONS THAT HIGH-LEVEL DEPARTMENT OF JUSTICE OFFICIALS WERE
INVOLVED IN A CRIMINAL CONSPIRACY TO FORCE INSLAW, A SMALL COMPUTER
COMPANY, OUT OF BUSINESS AND STEAL ITS PRIMARY ASSET--A SOFTWARE
SYSTEM CALLED PROMIS.

BASED ON THE COMMITTEE'S INVESTIGATION AND TWO SEPARATE FEDERAL COURT
RULINGS, THE DRAFT REPORT CONCLUDES THAT HIGH-LEVEL DEPARTMENT OF
JUSTICE OFFICIALS DELIBERATELY IGNORED INSLAW'S PROPRIETARY RIGHTS IN
THE ENHANCED VERSION OF PROMIS AND MISAPPROPRIATED THIS SOFTWARE FOR
USE AT LOCATIONS NOT COVERED UNDER CONTRACT WITH THE COMPANY. JUSTICE
THEN PROCEEDED TO CHALLENGE INSLAW'S CLAIMS IN COURT EVEN THOUGH IT
KNEW THAT THESE CLAIMS WERE VALID AND THAT THE DEPARTMENT WOULD MOST
LIKELY LOSE IN COURT ON THIS ISSUE. AFTER ALMOST SEVEN YEARS OF
LITIGATION AND $1 MILLION IN COST, THE DEPARTMENT IS STILL DENYING ITS
CULPABILITY IN THIS MATTER.

UNFORTUNATELY, INSTEAD OF CONDUCTING AN INVESTIGATION INTO INSLAW'S
CLAIMS THAT CRIMINAL WRONGDOING BY HIGH-LEVEL GOVERNMENT OFFICIALS HAD
OCCURED, ATTORNEYS GENERAL MEESE AND THORNBURGH BLOCKED OR RESTRICTED
CONGRESSIONAL INQUIRIES INTO THE MATTER, IGNORED THE FINDINGS OF TWO
FEDERAL COURTS AND REFUSED TO SEEK THE APPOINTMENT OF AN INDEPENDENT
COUNSEL. THESE ACTIONS WERE TAKEN IN THE FACE OF A GROWING BODY OF
EVIDENCE THAT SERIOUS WRONGDOING HAD OCCURED WHICH REACHED THE HIGHEST
LEVELS OF THE DEPARTMENT. THE EVIDENCE RECEIVED BY THE COMMITTEE
DURING ITS INVESTIGATION CLEARLY RAISES SERIOUS CONCERNS ABOUT THE
POSSIBILITY THAT A HIGH-LEVEL CONSPIRACY AGAINST INSLAW DID EXIST AND
THAT GREAT EFFORTS HAVE BEEN EXPENDED BY THE DEPARTMENT TO BLOCK ANY
OUTSIDE INVESTIGATION INTO THE MATTER.

BASED ON THE EVIDENCE PRESENTED IN THIS REPORT, IT IS CLEAR THAT
EXTRAORDINARY STEPS ARE REQUIRED TO RESOLVE THE INSLAW ISSUE. THE
REPORT RECOMMENDS THAT THE ATTORNEY GENERAL TAKE IMMEDIATE STEPS TO
REMUNERATE INSLAW FOR THE HARM THE DEPARTMENT HAS EGREGIOUSLY CAUSED
THE COMPANY. IT ALSO RECOMMENDS THAT IN INDEPENDENT COUNSEL BE
APPOINTED WITH BROAD POWERS TO INVESTIGATE ALL MATTERS RELATED TO THE
ALLEGATIONS OF WRONGDOING IN THE INSLAW MATTER.

IN MY VIEW, CONGRESS AND THE EXECUTIVE BRANCH MUST TAKE IMMEDIATE AND
FORCEFUL STEPS TO RESTORE THE PUBLIC CONFIDENCE AND FAITH IN OUR
SYSTEM OF JUSTICE WHICH HAS BEEN SEVERELY ERODED BY THIS PAINFUL AND
UNFORTUNATE AFFAIR. I, THEREFORE URGE ALL MEMBERS TO SUPPORT THE
ADOPTION OF THIS REPORT.

              (end -- original report all in upper case)

------------------------------

Date: Fri, 14 Aug, 1992 19:52:31 PDT
From: pinknoiz@well.sf.ca.us
Subject: File 8--Special Investigator Requested for Inslaw (Press Release)

                       One Hundred Second Congress
                      Congress of the United States
                      U.S. House of Representatives
                        Committee on the Judiciary
                          Washington, D.C. 20515

                                             For Immediate Release
                                             August 11, 1992

NEWS RELEASE

         JUDICIARY COMMITTEE REPORT CALLS FOR INDEPENDENT COUNSEL TO
                INVESTIGATE THE INSLAW CONTROVERSY

By a vote of 21 to 13, the House Committee on the Judiciary today
voted to adopt an investigative report entitled, "The INSLAW Affair."
This report recommends that Attorney General Barr seek the
appointment of an Independent Counsel to investigate potential
criminal conduct of current and former Justice officials involved in
an alleged conspiracy to steal the PROMIS software system from
INSLAW, Inc.

     Congressman Jack Brooks (D-Tex.), Chairman of the full
     Committee, stated, "This report culminates the Committee's
     three-year investigation into serious allegations that
     high-level Department of Justice officials were involved in
     a criminal conspiracy to force INSLAW, a small computer
     company, out of business and steal its primary asset -- a
     software system called PROMIS. While the Department
     continues to attempt to describe its conflict with INSLAW as
     a simple contract dispute that has been blown out of
     proportion by the media, the Committee's investigation has
     uncovered information which suggests a much different,
     disturbing conclusion."

In March 1982, the Justice Department awarded INSLAW, Inc., a $10
million, three year contract to implement a case management software
system called PROMIS at 94 U.S. Attorney's offices across the country
and U.S. territories. While PROMIS could have gone a long way toward
correcting the Department's long- standing need for a standardized
case management system, the contract between INSLAW and Justice
quickly became embroiled in bitterness and controversy which has
lasted for almost a decade.

The report concludes that there appears to be strong evidence, as
indicated by the findings of two Federal court proceedings, as well as
by the Committee investigation, that the Department of Justice "acted
willfully and fraudulently," and "took, converted and stole" INSLAW's
Enhanced PROMIS by "trickery, fraud and deceit." The report finds that
these actions against INSLAW were implemented through the Project
Manager from the beginning of the contract and under the direction of
high-level Justice Department officials. The evidence presented in the
report demonstrates that high-level Department officials deliberately
ignored INSLAW's proprietary rights and misappropriated its PROMIS
software for use at locations not covered under contract with the
company. Justice then proceeded to challenge INSLAW's claims in court
even though its own internal deliberations had concluded that these
claims were valid and that the Department would most likely lose in
court on this issue.

     Brooks stated, "After almost seven years of litigation and
     $1 million in cost to the taxpayer, the Department is still
     trying to avoid accountability for the actions it took
     against INSLAW. It is time for Justice to recognize its
     mistakes and cut its losses and restore its moral standing
     as an enforcement agency, which is just as committed to
     living by the law as any other citizen."

According to the report, the second phase of the Committee's
investigation concentrated on the allegations that high-level
officials at the Department of Justice conspired to drive INSLAW into
insolvency and steal PROMIS. In this regard, the report states that
several individuals testified under oath that INSLAW's PROMIS software
was stolen and distributed internationally in order to provide
financial gain to associates of Justice Department officials and to
further intelligence and foreign policy objectives of the United
States. Additional corroborating evidence was uncovered by the
Committee which substantiated to varying degrees the information
provided by these individuals.

     Brooks stated, "It is unfortunate that the Department chose
     not to conduct a thorough investigation into INSLAW's
     allegations of criminal wrongdoing by high-level government
     officials. Although they were faced with a growing body of
     evidence that serious wrongdoing had occurred which reached
     to the highest levels of the Department, both Attorneys
     General Meese and Thornburgh blocked or restricted
     Congressional inquiries into this matter and in the case of
     Attorney General Thornburgh ignored the findings of two
     Federal courts and refused to seek the appointment of an
     Independent Counsel."

The report recommends that Attorney General Barr immediately settle
INSLAW's claims in a fair and equitable manner. The Committee report
also strongly recommends that the Department seek the appointment of
an Independent Counsel in accordance with 28 USC $$591-599 to conduct
a comprehensive investigation of the INSLAW allegations of a high
level conspiracy within the Justice Department to steal and distribute
the Enhanced PROMIS software.  According to the report, the
investigation should: (1) ascertain whether there was a strategy by
former Attorneys General and other Department officials to obstruct
this and other investigations through employee harassment and denial
of access to Department records; (2) determine whether current and
former Justice Department officials and others involved in the INSLAW
affair resorted to perjury and obstruction in order to cover-up their
misdeeds; (3) determine whether the documents subpoenaed by the
Committee and reported missing by the Department were stolen or
illegally destroyed; and, (4) determine if private sector individuals
participated in (a) the alleged conspiracy to steal INSLAW's PROMIS
software and distribute it to various locations domestically and
overseas, and (b) the alleged cover-up of this conspiracy through
perjury and obstruction.

Finally, the Committee report recommends that the Independent Counsel
investigate the mysterious death of reporter, Daniel Casolaro, who
died while conducting an investigation of the INSLAW matter. The
report notes that the suspicious circumstances surrounding his death
have led some law enforcement professionals and others to believe that
his death may not have been a suicide.

     Brooks concluded: "The conduct of the Department in the
     INSLAW affair has resulted in an erosion of the public's
     trust in the organization charged with enforcing our
     Nation's laws. In order to restore the public's confidence
     in the Department of Justice, there must be a full and open
     investigation into this matter. However, I'm skeptical that
     without the appointment of an individual to conduct this
     investigation who is not under the direct control of the
     Attorney General, this matter will ever be fully resolved."

------------------------------

From: ccb@MACBETH.UMD.EDU(Chrome Cboy)
Date: Wed, 12 Aug 1992 11:07:44 -0400
Subject: File 9--Summary of NBC's Coverage of Danny Casolaro/Inslaw

The NBC coverage of the Danny Casolaro death in the Inslaw case, which
aired last week, didn't seem to add many new facts, but I was
surprised to see that the incident hadn't been forgotten--in fact, it
seems to finally be making its way back into the spotlight.

Interviewed were Jack Anderson, a personal friend of Danny; Timothy
Hutton, who is playing Danny in a forthcoming HBO docu-drama; John
Connolly, the investigative reporter who has continued Danny's
research on behalf of HBO, and the chief counsel for INSLAW, an
ex-head of the Department of Justice who's name I can't remember.

Connolly felt that there wasn't an "Octopus" as Danny thought--eight
men at the highest levels of government, working in concert to further
their own desires. He did think, however, that these eight men were
involved in wrongdoings involving illegal aid to the Contras, the BCCI
scandal, the INSLAW theft, drug running, and possibly other things.
They simply weren't in cahoots.

There was also a taped interview with a forensic expert who claimed
that the entire autopsy was poorly performed, that it didn't follow
standard procedures, and that the report looked like the conclusion
regarding the cause of Danny's death had been reached a priori, and
that the rest of the report was then written to justify the
conclusion. Items that went unmentioned or were glossed over include:
multiple large contusions, including one to the head; that three of
Danny's fingernails had either been pulled off or were broken off
(possibly during a struggle); and that the wounds on his wrists were
deep and unhesitating, which is extremely rare in suicide victims. (In
fact, one of his wrists had been slashed eight times, cutting through
tendons all the way to the bone.)

It was Connolly's hypothesis that Danny had been jumped in his hotel
room in the early morning hours, subdued, interrogated (traces of
"strange drugs" were found in his system), and then killed. Adding to
the suspicions of foul play include the fact that none of Danny's
personal effects have been returned to the family, and that
investigators have been unable to view any of his personal effects,
reportedly including some notes that were found hidden in one of his
shoes. Also, his reporter's note are still missing.

I could probably flesh this out, add disclaimers, and touch it up if
you can't find anyone who managed to record the segment.

------------------------------

Date: Mon, 10 Aug 92 13:46:35 -0500
From: Neil W Rickert <rickert@CS.NIU.EDU>
Subject: File 10--Re: Overstated? (Chic Tribune summary)

>Computer underground Digest    Sun Aug 9, 1992   Volume 4 : Issue 35

>Sunday Tribune computer columnists Reid and Hume challenged what they
>call one of the software industry's "periodic public relations
>campaigns to get people to believe it's being robbed blind by software
>pirates."

I too was glad to see this column.

I remember an interview I heard on NPR ("All Things Considered") a few
years ago.  The industry representative asked the rhetorical question
"What would it be like if, for every car an auto dealer sells, two are
stolen?"  At the time, I thought the analogy was wonderful, except
that the industry rep had it slightly wrong.  He should have asked
"What would it be like if, for every car an auto dealer sells, two are
taken for test drives?"  And of course the answer would be "That
already happens."

The software piracy problem is, to a considerable extent, the natural
consequence of industry policies.  The software industry would have
you purchase software sight unseen, in shrink wrapped packaging,
without any knowledge of whether it will adequately serve your
purposes, and with no chance of a refund if the product proves
unsuitable or defective.  They exacerbate this problem further by
setting prices which bear little relation to their costs.  They
justify their costs on a "perceived value" basis, whereby they argue
about the financial value of say a spreadsheet package to an
accountancy firm.  This "perceived value" pricing might make sense if
they charged a much lower "perceived value" to the treasurer of a
small church who wished use the spreadsheet once per month to manage
the church books; but they don't.

In the book publishing industry, the price of a book is much closer to
the manufacturing cost, except for special topic books with limited
markets.  Natural market forces require this.  If publishers charged
too much other authors would write books of a somewhat similar nature,
and capture much of the market.  But, in an obvious attempt to defeat
such natural market forces, the software publishing industry uses its
"look and feel" lawsuits in an attempt to defeat the law of supply and
demand, and thereby maintain monopoly privileges for their products.

------------------------------

Date: 10 Aug 92 08:06:42 CDT (Mon)
From: peter@TARONGA.COM(Peter da Silva)
Subject: File 11--Elite Pirates? I think not.

Elite Pirates, as described in (Jim Thomas's article in CuD #4.35)
article, are virtually unknown: an endangered species at best, perhaps
by now simply a chimera...

>Reid and Hume continue, making several points that pirates would agree
>with:

Not the ones I know about.

>1. If you use a program, you should pay for it.

Maybe there's an elite among pirates who think this way, but the vast
majority pirate software because they need it and don't want to pay for
it. Virtually everyone I know who has pirated software has done so for
this reason. Many have purchased IBM PCs, as they earlier bought Apples,
because of the vast amount of pirate domain software available... the
biggest beneficiaries of piracy are clone vendors.

>2. Sharing software can enhance sales.

Only if most pirates go along with point 1.

>They also note that the shareware concept, based on free distribution
>of programs, has thrived and has made programmers quite successful.

Not really. The main success stories have been from people who have gone
commercial or switched to crippleware demos to "encourage" people to go
along with point 1.

>3. They, as do most elite pirates, strongly condemn the practice of
>copying an authorized program in a business and sharing it around to
>avoid the site license fees.

Most pirates I know wouldn't go that far, but they would "borrow" a copy
from the guy in the next office, which comes to much the same thing.

>4. The pre-purchase use of software is "not such a bad thing" because
>it can help sales. It also provides users a chance to compare the most
>expensive programs [...]

So would a software library, or software rental agencies... something I've
hoped would start showing up. They did for a while, but large-scale piracy
has so muddied the waters that there's no hope of them catching on until
software becomes as hard to copy as a book.

>The columnists fall short of advocating responsible piracy, and they
>make it clear that they oppose unauthorized copying for profit or
>"free use" simply to avoid paying for a product that will be used.

I suspect that they're simply unfamiliar with the normal corporate
environment, and think that their buddies counting coup on Lotus and
Borland are what the SPA is really concerned about. The pirate who does
it simply for the thrill of the chase is a rare bird indeed.

BUT, they do make great headlines when they get caught. Sorry if the small
time corporate thief has ruined your playground, but that's the way it goes
in the real world.

------------------------------

Date: Fri, 14 Aug, 1992 17:15:32 CDT
From: Jim Thomas <cudigest@mindvox.phantom.com>
Subject: File 12--Deferring the Piracy Debate until September

I partially agree with Peter: The pirate world has changed
dramatically in the past two years, and the "elite pirates" of the
1980s--those who enjoyed the thrill (albeit an anal-retentive one) of
the chase--are an endangered species. Peter and I will address this
issue in a near-future issue. The points I would make are that the
types, the motivations, and the consequences of creative software
sharing are not as clear-cut and certainly not as pernicious as the
SPA and other anti-piracy activists suggest.  I suspect the primary
difference between the positions of Peter and I are not that *some*
line must be drawn between acceptable and unacceptable "piracy," but
*where* that line should be drawn.

A spokesperson for the SPA has *tentatively* agree to participate in
the debate, and we hope to have at least one special issue in early
September on the pros/cons of the ethics, legality, and responses to
sharing unpurchased copyright software.

------------------------------

Date:     Wed, 12 Aug 1992 18:37 CDT
From:     <BOEHLEFELD@WISCSSC.BITNET>
Subject: File 13--Software piracy in America's schools?

In an advertising publication, CPR (Curriculum Product News),
distributed to school district administrators, an article, "Software
copying in schools:  a 1992 update," presents piracy problems within a
slightly different population than that which we normally see.

The article (unsigned) begins: "The last we heard from Captain
Diskcopy, a few years ago, she and her brash band of pirates were busy
encouraging educators to disregard the law that allows only one backup
copy for each program purchased. Their credo was 'copy, copy,
copy.'...[their] gospel: 'It's OK because you're doing it for the
kids!'"

It continues by detailing the lessening, but apparently still
troublesome, level of software copying in US school districts.  A
representative of the National School Boards Assn. (members include
more than 2000 districts from 50 states) is quoted as saying that
unauthorized copying has been greatly reduced in recent years.

The article continues by citing information from the SPA about the
dollars lost to piracy ($24 billion in 1990), and the availability of
the SPAudit program (30,000 distributed in 1991), as well as a
12-minute videotape, "It's Just Not Worth the Risk."  The tape is part
of an SPA "...public awareness and prevention campaign."

Also mentioned is the ICIA and its pamphlet of "...guidelines for
schools to follow, entitled, 'Should I Copy Micropcomputer Software.'
The guidelines are drawn from the Software Policy Statement published
in 1987 by ISTE (International Society for Technology in Education)...
." ISTE also distributes "A Code of Ethical Conduct for Computer-Using
Educators."

These progams, videos and publications are credited with decreasing
illegal copying in school districts.

The article then explains "lab packs," in which schools can obtain
multiple copies of software for educational purposes at special rates.
It notes that a few firms allow unlimited copying within a single
school building. (Rarely is an entire school district housed in a
single building, which can mean a district would have to buy multiple
lab packs for district use.) A smaller number of firms does offer
district-wide licenses, according to the article.

The article notes that the SPA has never sued a kindergarten through
high school (K-12) district, but does discuss a suit filed against the
University of Oregon's Continuation Center. A negotiated settlement
required the university to "...pay the SPA $130,000, launch a massive
on-campus campaign to educate students and faculty about lawful use of
copyrighted software, and host a national conference on 'Software and
the Law.'"

ICIA also asked its software publishing members to identify schools
which were copying software. An Ohio school district, described in the
article as "average sized," was mentioned frequently after the
campaign began, resulting in ICIA sending a cease and desist order to
the district.

A coordinator for instructional technology in an Indiana school
district then describes some of the problems she's had in purchasing
adequate software for her district's needs at a price that the
district can afford.

She says they are trying to comply with the law, but "'Even when I say
to a publisher that I'm willing to pay whatever you suggest is fair
for a building or district-wide license, they won't discuss it.'"

She also believes software publishers are not responsive to hardware
configurations in districts. Many, she says, have older hardware, and
are in transition periods to newer, but software companies won't allow
for these variations in selling their products. So districts can be
forced to buy multiple licensed copies or, as she suggests, revert to
piracy.

The article concludes with a remark paraphrased from "talking to...
educators" that flexible volume purchasing options would help to
further eliminate pirating in American schools.

The last page of the article (in a three column format) includes a
two-column ad from the SPA with a hotline number to report
"...unauthorized use of software including:
  "*bulletin boards
  "*unauthorized sales
  "*hard disk loading
  "*unauthorized internal copying[.]"
The ad also provides an address for obtaining a free pamphlet about
software and law.

A sidebar to the main story describes potential federal sentences and
fines for piracy, and notes that school districts are legally allowed
to lend software to students and staff unless that is "expressly
prohibited in the publisher's own licensing agreement." The sidebar
was credited to Mark Sherry, identified as president of Microease
Consulting, Inc., consultant with the Mecklenburger Group, and former
director of Software Evaluation for the EPIE Institute.

CURRICULUM PRODUCT NEWS  is a slick (paper-quality) magazine
containing articles, advertising, and the ubiquitous "Circle #xxx for
more information" at the end of the 'news' articles. Its subtitle is
"The Magazine for District-Level Administrators," and it is published
10 times a year by Educational Media, Inc., 992 High Ridge Rd.,
Stamford, CT 06905. The article recapped here was in the May issue,
Vol. 3, No. 9, pages 22-26.

The article was heavy on the industry side (articulation of the
problems of piracy came from trade and like organizations), but did
attempt to balance the concerns and problems of educators with those
of software publishers.  The article provides no specific information
about how much software piracy is going on in elementary and secondary
schools.

------------------------------

End of Computer Underground Digest #4.36
************************************