Computer underground Digest    Wed  Nov 17 1993   Volume 5 : Issue 87
                           ISSN  1004-042X

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Archivist: Brendan Kehoe
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Copy Editor: Etaoin Shrdlu, III

CONTENTS, #5.87 (Nov 17 1993)
File 1--Mike Godwin's Letter to Judge Stanton (in re phiber optik)
File 2--Another Comment on Phiber sentencing
File 3--CuD Commentary on Phiber Optik Sentencing
File 4--CPSR Crypto Resolution
File 5--Operation "Root Canal"
File 6--ANNOUNCEMENT/Cyberculture Film Documentary (fwd)
File 7--Internet Encyclopedia (Interpedia) group project/mailing list
File 8--Dos Bug (Re CuD 5.86)
File 9--Students Suspended For Electronic Documents
File 10--U.S. Law and the Constitution
File 11--DES Key Search Paper Available

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The
editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG
WHQ) (203) 832-8441 NUP:Conspiracy; RIPCO BBS (312) 528-5020
CuD is also available via Fidonet File Request from 1:11/70; unlisted
nodes and points welcome.
EUROPE:   from the ComNet in LUXEMBOURG BBS (++352) 466893;
          In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
  AUSTRALIA:      ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
  EUROPE:         ftp.funet.fi in pub/doc/cud. (Finland)
  UNITED STATES:
                  aql.gatech.edu (128.61.10.53) in /pub/eff/cud
                  etext.archive.umich.edu (141.211.164.18)  in /pub/CuD/cud
                  ftp.eff.org (192.88.144.4) in /pub/cud
                  halcyon.com( 202.135.191.2) in /pub/mirror/cud
                  ftp.warwick.ac.uk in pub/cud (United Kingdom)
  KOREA:          ftp: cair.kaist.ac.kr in /doc/eff/cud

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

----------------------------------------------------------------------

Date: Mon, 15 Nov 1993 11:13:11 PST
From: menomonic@well.sf.ca.us
Subject: File 1--Mike Godwin's Letter to Judge Stanton (in re phiber optik)

((MODERATORS' NOTE: phiber optik's sentence includes 12 months
incarceration and 600 hours of community service (see CuD 5.86).
We have yet to see a cogent argument that could justify incarceration.
The following letter by Mike Godwin to the sentencing judge provides
a strong rationale for opposing incarceration. Sadly, the judge
apparently ignored the substance of the following letter).

+++++

Here's the letter I sent to Judge Stanton on Mark's behalf:

=========

Washington, DC
Tuesday, October 26, 1993


The Honorable Louis L. Stanton
United States District Judge
Southern District of New York
40 Center Street
New York, New York  10007


Dear Judge Stanton:


I am writing to you about an unusual case you currently have before
you--the computer-crime case of Mark Abene. I understand you will be
sentencing Mark this coming Wednesday, and it is my wish that you have the
fullest knowledge and perspective on the significance of this case and of
the particulars of this defendant.


Let me take a moment to tell you about myself. I come to you not just as a
concerned citizen who knows the particulars of this case, but also as a
nationally recognized expert on computer crime and on computer-crime
prosecutions; I am a lawyer who works on computer-crime issues as Legal
Services Counsel for the Electronic Frontier Foundation, a public-policy
organization based in Washington, D.C. I've delivered papers on
computer-crime issues at the 4th Annual Virus Conference and the 50th
Annual Meeting of the American Society of Criminologists, and I've spoken
to law-enforcement groups, professional organizations, and the general
public on the legal and policy issues that arise when society responds to
the problems of computer crime. I've been quoted on computer-crime issues
in publications such as Time, Newsweek, the Wall Street Journal, and The
New York Times, and I have lectured FBI agents and federal prosecutors at
Quantico. I am deeply familiar with the majority of computer-crime
prosecutions that have taken place in the United States.


It is because of my familiarity with this type of crime that I am able to
say with some authority that Mark Abene deserves special consideration as
he comes before you for sentencing.


Mark Abene is a singular individual. I have known him over the last three
years as someone who has been consistently driven by the desire for
knowledge and for mastery of computer and communications technology, and
not by any desire to cause harm to others, or to use his knowledge for
personal gain. It is a measure of our trust in Mark that, when he
requested it, we gave him a computer account on EFF's computer system, and
it is equally a measure of Mark's trustworthiness that he has been
employed since his indictment as a system administrator of ECHO, the most
well-known and prestigious computer-conferencing system in New York City.
He also has spoken in a number of forums against destructive computer
hacking and in favor of improved system security--his reputation as a
computer hacker himself gave him special credibility in those forums.

Mark's passion for computer exploration, including the exploration of
others' computers, led him to both a philosophy and a conduct of which you
and I must perforce disapprove. But it is critical to note that, as wrong
as Mark's conduct may have been, it was grounded in a code of ethics that
prevented him from even considering action if it would hurt others, or
their property or data. Mark, who himself has lectured on computer-crime
and computer-security issues, has consistently spoken out against the use
of computer-security information for pesonal gain. And a review of his
financial situation will show that he has clearly not used this knowledge
to gain money.


Now, the prosecution in this case will assert a number of things about
Mark. Please do not accept their comments uncritically. You may be told
that, since Mark used certain kinds of phone service without paying for
them, this is just the same as taking money or goods, and that he is
therefore no different from an ordinary thief. But Mark came of age in
subculture that told him consistently that this kind of use of phone
service, like the non-malicious intrusion on others' computers, never
directly cost anyone any money. Regardless of the truth or falsity of this
proposition, I feel compelled to note that Mark believed it to be true,
and that his code of ethics would have prevented him from engaging in this
conduct if he had believed that conduct was harmful in any way.


No one knows better than I do that many computer-crime defendants are
driven by destructive or larcenous motives. It is appropriate in such
cases to be appropriately severe in sentencing.  But Mark's case is
different. While his unauthorized intrusions into telephone and computer
systems were wrong and clearly deserve punishment, you should take into
account the fact that Mark's conduct was consistently informed by a code
of ethics and that he was motivated by one of the highest values of our
culture, the quest for understanding and mastery of complex technologies.


You should also take into account, your honor, that we live in an age of
transition. A decade ago, much of Mark's conduct was not against the law.
Two decades ago, his acts were the stuff of science fiction. This means
that the social consensus and social norms that we normally rely on to
inform people about right and wrong have only just begun to catch up with
the advances wrought by computing technology. The thing to remember about
Mark is that his parents and his social environment never taught him that
computer intrusion is a crime.


Indeed, his parents didn't understand the technology well enough to tell
him much of anything about it--nobody's parents know enough. When you and
I were growing up, few people talked to us about  computers much;
certainly no one taught us, by word or example, that computer intrusion is
wrong.


To the extent that society has managed to come to grips with the moral
issues at all, its messages have been ambiguous. Computer hackers have
been consistently painted by the media as heroes, not only in fictional
works (see, e.g., the movie "WarGames," the television show "The Whiz
Kids") but also in journalistic treatments (see Steven Levy's book
Hackers: Heroes of the Computer Revolution, and Jack Hitt and Paul Tough's
articles on computer hackers for Harper's and Esquire).


Our society has come to revere the founders of the personal computer
industry, so it is worth mentioning that two of the most visible figures
in the computer revolution, Apple Computer founders Steven Jobs and Steve
Wozniak, got their start selling "blue boxes" designed to help college
kids avoid long-distance charges. Given that  the world keeps telling kids
that nonmalicious computer and phone hacking is harmless, it's remarkable
that we haven't seen even more computer crime before now. Who knows what
might have happened had there been any adults available to him, or any
positive examples in the media, who could have shown him that even
nonmalicious computer intrusion is wrong?


In spite of this lionizing of teenaged computer hackers, Mark managed to
put some ethical constraints on his own behavior. He never used his
talents to enrich himself, never knowingly caused damage or helped others
to do so, and consistently told other young men that these activities are
unacceptable. He was wrong not to see that all computer hacking is
unacceptable, but the fact that he tried to limit the harmfulness of both
his activities and others', together with the fact that he did not use his
explorations for self-enrichment or to exert power over others, speaks
well of Mark's intuitive moral sense.


Mark comes to you with the disadvantage of being ahead of the curve. This
young man, who has never been in trouble with the law except for his
computer explorations, will be sentenced in a legal world that has little
familiarity with computer-crime cases, even as it has a lot of fear about
the dangers of computer crime.


The government has already used this case to send the message that
computer intrusion is wrong and should be punished, and for this it should
be commended. And Mark, by admitting his own guilt and choosing to accept
punishment for his actions, has sent a message to the world of would-be
hackers: this kind of conduct is wrong, and it will be prosecuted.


The message I hope you send, with your sentencing of Mark, is that this is
the kind of defendant who deserves an appropriately measured punishment,
grounded in the recognition that, while he broke the law, he neither
intended harm nor knowingly did harm.


To the extent possible, Judge Stanton, Mark deserves leniency. Giving this
defendant a long prison term would send the wrong message. It would tell
the very individuals who need guidance the most that our legal system
refuses to make distinctions between the those who intend harm and those
who, without intending harm, try to test the limits. If, in sentencing
Mark, we show these computer hackers that the legal system is unfair, we
will invite them to have contempt for the law  in the future. And that
would be a grave mistake.


We've already let Mark down once, your honor. I ask that, as you prepare
to sentence Mark, you keep our system from letting him down again.



Mike Godwin
Legal Services Counsel
Electronic Frontier Foundation

------------------------------

Date: Mon, Nov 15 1993 12:07:22 PST
From: Jack King <gjk@well.sf.ca.us>
Subject: File 2--Another Comment on Phiber sentencing

I'd give my eye teeth to see the guidelines worksheets and Mr. Abene's
presentence report.  That was a great letter, Mike.

I'm still having trouble comprehending the severity of his sentence.
Looking at this sentence from another angle, I note without pleasure that
someone in Mr. Abene's Criminal History Category (II) would have to steal or
embezzle property valued between $70,001 to $120,000 before that individual
would merit a mandatory 12 months in the slammer (offense level 12). See
sentencing guideline secs. 2B1.1(b)(1) & 2F1.1, a.k.a. the "loss tables." If
the defendant accepts responsibility for his crime, he may steal up to
$350,000 before meriting 12 months incarceration.

 For a person with second offender status (Criminal History Category II)
criminally negligent homicide (sec. 2A1.4, offense level 10) merits 8-14
months in federal prison. Accepting responsibility for the act brings
sentencing range down to 4-10 months, which may be served at home or in a
community correctional facility (halfway house).

  Obviously the judge believes Mr. Abene has been a very bad boy.  Whatever
he did, it was must have been a lot more serious than killing somebody on a
federal reservation or defrauding elderly people of their life savings!
That's the only message I'm getting out of this.

------------------------------

Date: Wed, 17 Nov 1993 21:15:10 CST
From: Jim Thomas <tk0jut2@mvs.cso.niu.edu>
Subject: File 3--CuD Commentary on Phiber Optik Sentencing

Mark Abene, aka phiber optik, has been sentenced to a year in prison
for computer offenses occurring in 1991.  According to a Newsbytes
article (see CuD 5.86), Judge Louis Stanton said:

     A message must be sent that it is serious.. The defendant
     stands as a symbol because of his own efforts; therefore, he
     stands as a symbol here today.

It appears that Abene's primary offense was not one of defying a
statute, but rather of standing as a signifier of behaviors that
threaten comfortable social boundaries between social order and
cyber-anarchy.  Abene, it seems, was offered up as a scapegoat in
another punitive sacrifice on the judicial alters of vengeance.  Most
of us would agree that the offenses for which Abene was indicted (see
CuD 4.31, file 1, 1992) are unacceptable, and most of us would agree
that some form of social response for those involved in such offenses
is necessary.  However, prison IS NOT NECESSARY!

Abene's sentencing must be placed in the broader context of social
responses to crime. As CuD has argued previously, the U.S. is becoming
a carceral nation, a nation of prisoners. As a society, we attempt to
resolve social problems by criminalizing and imprisoning those whose
behaviors we find offensive. U.S. Department of Justice statistics
indicate that in the past five years, the federal prison population
has increased by 70 percent (up from 49,928 in 1988), and the states'
prison population approaches 900,000 (up by almost two-thirds since
1988).  The per capita expenditures in the U.S. for corrections alone
were, in 1992, calculated at $94.50. The cost of incarcerating Abene
in a federal institution for one year would pay for a four year full
college scholarship at a mid-range state university.  Incarceration is
unacceptably costly, and judges arguably violate the trust invested in
their office when they needlessly incarcerate.

If, in addition to the roughly 1.3 million inmates of the nation's
prisons and jails, we add those on probation, parole, and other
supervised forms of punishment, about 1 in 50 adults, and nearly 1 in
10 males between the ages of 17-30 are *currently* under some form of
correctional supervision. When we add those who are no longer under
supervision, and those likely to enter the system for the first time
in the next two years, the number of (as well as the costs of processing)
"criminals" skyrockets.  The proposed amendments to pending federal
anti-crime statutes continue this escalation of criminalization and
increased punishments, and--if Illinois is typical of the rest of the
the nation--the increasing tendency to address crime by creating more
crimes and locking up more offenders will only add to the prison
population without substantially reducing the crime rate. In fact,
there is no strong evidence that the current incarceration policies
have any substantial influence as a deterrent in reducing crime.

Few would argue against some form of social response for computer
violations. The question is what kinds of responses are appropriate
for which offenses. We can start with:

Decriminalizing the minor offenses and making them civil offenses.
Current criminal law is far too broad in defining and classifying
felonious behavior.

Of the remainder, numerous options exist:

1) Fines (akin to traffic fines, jaywalking, public nuisance)
2) Probation
3) restitution programs
4) community service
5) work release
6) community corrections
7) Home incarceration
8) Split sentences
9) Boot camps

All of the above carry a punitive burden, are relatively inexpensive,
reduce taxpayer expense, have a sliding scale deterrent effect (to the
extent that deterrence occurs at all), reduce the burden on the
families of the offender, and are more humane.

Some offenders, especially violent or career predators, require
separation from society or the punishment of prisons. For most,
however, prisons are counter-productive, both for the offender and the
rest of us.  For Mark Abene, there is simply no valid reason for
incarceration when so many alternatives exist that would better satisfy
the goals of "just desserts."

So, I must agree with Judge Stanton:  Abene does serve as a symbol: He
serves as a symbol of an out-of-control system that unnecessarily
locks up more of its citizens than any other country in the world. He
serves as a symbol for a judicial philosophy that lacks the
imagination, fortitude, and willingness to challenge the demagoguery
of politicians who pander to fear of crime and posture with
"tough-on-offender" rhetoric and legislation. He serves as a symbol of
the failure of a society to humanely and reasonably deal with
non-violent youthful offenders whose best interests are poorly served
by incarceration. Perhaps Abene does, as Judge Stanton suggests, serve
as a symbol of a form of offense that ought be sent a strong message.
Perhaps. But, Abene's sentence also symbolizes an offensive carceral
system that is far more destructive to the commonweal than any act in
which Abene himself participated.

------------------------------

Date: Tue, 26 Oct 1993 21:40:51 EST
From: Dave Banisar <banisar@WASHOFC.CPSR.ORG>
Subject: File 4--CPSR Crypto Resolution

                        CPSR Crypto Resolution
                     CPSR Cryptography Resolution

Adopted by the CPSR Board of Directors, San Francisco, CA October 18,
1993

WHEREAS,

Digital communications technology is becoming an increasingly
significant component of our lives, affecting our educational,
financial, political and social interaction; and

The National Information Infrastructure requires high assurances of
privacy to be useful; and

Encryption technology provides the most effective technical means of
ensuring the privacy and security of digital communications; and

Restrictions on cryptography are likely to impose significant costs on
scientific freedom, government accountability, and economic
development; and

The right of individuals to freely use encryption technology is
consistent with the principles embodied in the Constitution of the
United States; and

The privacy and security of digital communications is essential to the
preservation of a democratic society in our information age; and

CPSR has played a leading role in many efforts to promote privacy
protection for new communications technologies:

BE IT RESOLVED THAT

Computer Professionals for Social Responsibility supports the right of
all individuals to design, distribute, obtain and use encryption
technology and opposes any government attempt to interfere with the
exercise of that right; and

CPSR opposes the development of classified technical standards for the
National Information Infrastructure.

------------------------------

Date: Mon, 15 Nov 1993 11:38:27 EST
From: David Sobel <dsobel@WASHOFC.CPSR.ORG>
Subject: File 5--Operation "Root Canal"

        New Documents Raise Questions about FBI Wiretap Claims


     In response to a CPSR Freedom of Information Act lawsuit, the FBI
has released 185 pages of documents concerning the Bureau's Digital
Telephony Initiative, code-named (according to the documents) Operation
"Root Canal." The newly disclosed material raises serious doubts as to
the accuracy of the FBI's claims that advances in telecommunications
technology have hampered law enforcement efforts to execute court-
authorized wiretaps.

     The FBI documents reveal that the Bureau initiated a well-
orchestrated public relations campaign in support of "proposed
legislation to compel telecommunications industry cooperation in
assuring our digital telephony intercept requirements are met."  A
May 26, 1992, memorandum from the Director of the FBI to the
Attorney General lays out a "strategy ... for gaining support for
the bill once it reaches Congress," including the following:

     "Each FBI Special Agent in Charge's contacting key law
     enforcement and prosecutorial officials in his/her territory
     to stress the urgency of Congress's being sensitized to this
     critical issue;

     Field Office media representatives educating their contacts
     by explaining and documenting, in both local and national
     dimensions, the crisis facing law enforcement and the need
     for legislation; and

     Gaining the support of the professional associations
     representing law enforcement and prosecutors."

     However, despite efforts to obtain documentation from the field in
support of Bureau claims of a "crisis facing law enforcement," the
response from FBI Field Offices was that they experienced *no*
difficulty in conducting electronic surveillance.  For example, a
December 3, 1992, memorandum from Newark reported the following:

     The Newark office of the Drug Enforcement Administration
     "advised that as of this date, the DEA has not had any
     technical problems with advanced telephone technology."

     The New Jersey Attorney General's Office "has not experienced
     any problems with the telephone company since the last
     contact."

     An agent from the Newark office of the Internal Revenue
     Service "advised that since the last time he was contacted,
     his unit has not had any problems with advanced telephony
     matters."

     An official of the New Jersey State Police "advised that
     as of this date he has had no problems with the present
     technology hindering his investigations."

Likewise, a memorandum from the Philadelphia Field Office reported
that the local offices of the IRS, Customs Service and the Secret
Service were contacted and "experienced no difficulties with new
technologies."  Indeed, the newly-released documents contain no
reports of *any* technical problems in the field.

     The documents also reveal the FBI's critical role in the
development of the Digital Signature Standard (DSS), a cryptographic
means of authenticating electronic communications that the National
Institute of Standards and Technology (NIST) was expected to develop.
In a memorandum to the Attorney General, the FBI Director describes the
DSS as "the first phase of our strategy to address the encryption
issue."  The DSS was proposed in August 1991 by NIST, which later
acknowledged that the National Security Agency (NSA) developed the
standard.  The newly disclosed documents appear to confirm speculation
that the FBI and the NSA worked to undermine the independence of NIST
in developing standards for the nation's communications
infrastructure.

     CPSR intends to pursue further FOIA litigation to establish the
extent of the FBI involvement in the development of the DSS and also to
obtain a "cost-benefit" study discussed in one of the FBI Director's
memos and other "Root Canal" documents the Bureau continues to withhold.

     For additional information concerning CPSR's work on digital
telephony, encryption and network privacy issues, contact Dave Banisar
<banisar@washofc.cpsr.org>.  For general information concerning Computer
Professionals for Social Responsibility, contact our National Office in
Palo Alto <cpsr@cpsr.org>.

------------------------------

Date: Thu, 11 Nov 1993 03:10:45 -0500
From: Richard Ginn <rlg1@CORNELL.EDU>
Subject: File 6--ANNOUNCEMENT/Cyberculture Film Documentary (fwd)

+---------- Forwarded message ----------
Date--Wed, 10 Nov 1993 15:49:17 -0500
>From--john sharp <jofsharp@silver.ucs.indiana.edu>
Subject--ANNOUNCEMENT/CALL FOR RESPONSE

******************************************************************
READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE & READ &
******************************************************************

A CALL FOR INPUT, RESPONSE, PARTICIPATION

We are creating a documentary film as part of a larger graduate
research project which seeks to investigate the subculture sometimes
referred to as "CYBERCULTURE".  We are interested in exploring the
many facets of electronic culture, and the various means of
communication that have sprung up around it.  Our interests also
include topics such as digital art,
 net.surfing, net.speak, the interaction of persons on the net, the
 distribution and accessing of information via the net, and other
 related issues.  Traditionally, the creation of a documentary project
 is limited by geographic/time/financial considerations.  Through the
 unique qualities of the NET, we hope to surpass these boundaries,
 bringing together a wide, diverse range of thoughts, views, works,
 and perspectives.  In essence, we will be an active part of the very
 topic we are examining.

WHAT DO WE WANT FROM YOU?

We hope to build a broad base of perspectives, viewpoints, and
responses to "CYBERCULTURE" so that we can begin to piece together a
glimpse of this cultural phenomenon.  We welcome input from any and
all who have or are exploring related issues, have comments on the
feasibility of such a project, as well as any public-domain articles,
FAQs, etc.  We are looking for folks willing to be interviewed,
contribute pertinent materials (info, artwork %written or visual%,
commentary), and further avenues of investigation.

We invite you to respond to our project with any/all relevant
comments, materials, etc.

Please feel free to distribute this post to any LISTs, Usenet groups,
BBSs, etc.
            Net: jofsharp@bronze.ucs.indiana.edu
           mail: J. Sharp/M. Freeman
            Department of Art History
            Indiana University
            Bloomington  IN  47405

------------------------------

Date:    Mon, 15 Nov 1993 15:21:59 -0800 (PST)
From: DWILSON@CRC.SD68.NANAIMO.BC.CA(DOUGLAS P. WILSON)
Subject: File 7--Internet Encyclopedia (Interpedia) project/mailing list

This is to inform you about the proposed Internet Encyclopedia, or
Interpedia and the mailing-list for discussion of it.

The original idea, due to Rick Gates, was for volunteers to
cooperatively write a new encyclopedia, put it in the public domain,
and make it available on the Internet.   Participants on the
mailing-list have expanded the concept by noting that the bibliography
entries and references provided with Interpedia articles could include
hypertext links to other resources available on the Internet.  Unlike
any printed encyclopedia, the Interpedia could be kept completely
up-to-date.  Indeed, it could include hypertext links to ongoing
discussions, and perhaps evolve into a general interface to all
resources and activities on the Internet.

If you find these ideas interesting, please join the Interpedia
mailing-list by sending a message to interpedia-request@telerama.lm.com
with the body of the message containing the word 'subscribe' and your
e-mail address, as follows:

subscribe your_username@your.host.domain

------------------------------

Date:         Sun, 14 Nov 1993 19:18:34 GMT-0600
From: "Jeff Miller" <JMILLER@TERRA.COLOSTATE.EDU>
Subject: File 8--Dos Bug (Re CuD 5.86)

It should be noted that VSafe is a misnomer.  There is code available
that demonstrates how vulnerable VSafe is to a virus attack.  The
included checksum are no better protection, as if they are deleted,
VSafe will just create new checksums, therefore allowing virii to
circumvent the original checksum.

I highly recommend NOT using VSafe (due both to the above problem, and
the shortcomings I mentioned), and rather using f-prot, which is
widely available, and free for personal use, and extremely inexpensive
for business use.

------------------------------

From: kadie@CS.UIUC.EDU(Carl M Kadie)
Subject: File 9--Students Suspended For Electronic Documents
Date: Mon, 25 Oct 1993 02:13:03 GMT

tk0jut2@mvs.cso.niu.edu writes:

>Two Mount Olive (N.J.) High School freshmen have been given three days
>of in school suspension for possession of documents protected under
>the First Amendment.
[...]

Here is some information from the ACLU Handbook _The Rights of
Students_ (3rd edition) by Janet R. Price, Alan H. Levine, and Eve
Cary from ftp.eff.org:pub/academic/law/tinker_v_des_moines:

-------begin quote-------

[question:] Can a school prohibit students from handing out all literature,
including underground newspapers, on school property?

[answer:] No. This would violate the Supreme Court's decision in
_Tinker_. Literature may be barred from school property only if its
distribution materially and substantially interferes with school
activities,%32% and even some disruption in handing out the literature
does not justify banning the literature completely. As one court said
of students in a particular case, "It is their misconduct in the
manner in which they distributed the paper which should have been
stopped, not the idea of printing newspapers itself.%33%

That same court emphasized that point that minor disruptions must be
tolerated to accommodate the right of students to express their views.
Since the "interruption of class periods caused by the 'newspaper'
were minor and relatively few in number," the source said, the
_Tinker_ standard of "material and substantial disruption" had not
been met. A word of advice: Although a rule prohibiting all
distribution of literature on school property is unconstitutional, you
should ask school officials to change the rule before deciding to defy
it.

[Addendum to Chapter Two]

As this book went to press, the United States Supreme Court, in
_Hazelwood School District v. Kuhmeire_ (decided January 15, 1988),
upheld the power of [high] school officials to control the content of
school-financed newspapers.  [...]  As a result of the _Kuhmeire_
decision, school officials now may censor stories in official school
publications so long as, in the words of the Supreme Court, "their
actions are reasonably related to legitimate pedagogical
concerns."[...]

The Court's decision distinguished between student speech that is part
of the school curriculum, such as official publications, theatrical
productions, and other school-sponsored activities, and all other
forms of student speech that take place on school property. The latter
would include leaflets, buttons, unofficial, or so-called underground,
newspapers, and other literature that is not school financed. As to
all such forms of speech, the _Tinker_ standards discussed throughout
this chapter continue to apply. In other words, _Kuhlmeier_ gives
school officials no greater power to control either the content or
form of such student speech than they had previously. Thus, school
officials may _not_ censor such speech merely because they believe it
to be biased, poorly written, vulgar, or unsuitable for immature
students. Speech that is not part of the school curriculum may be
prohibited only if there is evidence that it will materially and
substantially disrupt the word of the school.

[References]

[_Tinker v. Des Moines Independent Community School Dist._, 393 U.S.
503 (1969)]

%32% _Eisner v. Stamford Board of Education_, 440 F.2d 803 (2d Cir.
1971); _Quarterman v. Byrd_, 453 F.2d 54 (4th Cir. 1971); _Schanley v.
Northeast Independent School District_, 462 F.2d 960 (5th Cir. 1972);
_Scoville v. Board of Education of Joliet Township_, 425 F.2d 10 (7th
Cir. 1970)

%33% _Sullivan v. Houston Independent School District_, 307 F. Supp.
1328 (S.D. Tex. 1969).

------------------------------

Date: Mon, 25 Oct 1993 18:29:01 -0400
From: "Lee S. Parks" <lsp@PANIX.COM>
Subject: File 10--U.S. Law and the Constitution

I'm afraid I don't have the time a lenghtly scholarly discourse on
U.S. law and the constitution, but let me give you a very brief
education.  First, a founding principal of the legal system of the
United States is that you do not need specific legal authorization to
do specific act before you may legally perform such act.  Certain acts
may be regulated by the government and, under the constitution, the
government may be prohibited from regulating certain acts without an
amendment to the constitution.  Certain actions, which may or may not
be violations of law vis-a-vis the government, may be regulated
between private parties under either statutory or common law.  The law
of negligence, for example.

Now the case of regulating PGP or other information about cryptography
raises serious constitutional questions under the first amendment to
the U.S. constitution, in particular.  The question revolves around
issues of the definition of "speech" and the scope of prohibited
speech.  But one must remember that just because Congress has passed a
law which has been signed by the President does not make that law
legally binding if that law is otherwise a violation of the
constitution.  In particular, prior restraints against speech are
almost never permitted, even if the speech is question is scandalous,
libelous or falls within one of the narrow exceptions to the first
amendment.  Government actions which severely chill the exercise of
the right of free speech (which could include the ITAR regulations in
question) are also suspect.

To get to the point.  Its not clear the ITAR regulations are legally
enforceable, nor is it clear that, even if enforceable, they were
violated.  There is also no requirement to give the letter of the law
a wide berth because its improper to approach the limits of what is
legal.  Everyone should have some knowledge of basic constitutional
protections because they form the basis for our society.  I believe
that ignorance in this area is extremely dangerous to the notions of
an ordered liberty that underlie our legal system.  If we do not exercise
our rights, we may lose them.  If we don't know what they are, how can
we exercise them?

Organizations such as the EFF exist to help make sure that our legal
principals are properly applied in areas of new technology, and that
requires seeking to ensure rights are protected and extended as
appropriate.

------------------------------

Date: Mon, 15 Nov 1993 22:54:49 -0800
From: jonpugh@NETCOM.COM(Jon Pugh)
Subject: File 11--DES Key Search Paper Available

Now that I have my anonymous FTP directory set up and the CuD
moderators are back, I should mention that I have made the paper
"Efficient DES Key Search" by Michael J. Wiener available to the
public in PostScript format.  It's just over 150K compressed.

    netcom.com::/pub/jonpugh/des_key_search.ps.Z

My comments about this paper garnered a few responses. Specifically, I
stated:

> Feel free to correct me if I am wrong, but I don't see the
> applicability of this machine in decrypting DES encoded information
> unless one is in possession of a "Rosetta Stone" using the same key,
> and I think the chances of that are highly unlikely.

Apparently, my Rosetta Stone reference left a few confused.  The
Rosetta Stone is a tablet which was found in Egypt in 1799 which
contains a decree of Ptolemy V from 196 BC written in Greek, Egyptian
hieroglyphics and demotic characters (the common people's Greek).
Given that both the formal and informal Greek were known to scholars
and that the hieroglyphics were a complete mystery, this stone
provided the clue which led to the decyphering of the hieroglyphic
language.  Hopefully you see the essence of my reference now (well,
OK, you already did, but those other dummies didn't ;).

Despite the reference, many people claim that this machine could still
decipher an arbitrary ciphertext.  It is simple enough to guess at a
word or phrase which may be present in the ciphertext amd use this in
the deciphering machine to find a key which can then be used to
decypher the message.  Depending on the length of the ciphertext and
the correctness of the guess, I believe that a search like this could
still be a rather lengthy operation.

Let's do a "back of the envelope" calculation.  Let's assume that
there is a "From" near the front of the message (not that I would be
dumb enough to encode something as standardized as an email header,
but I digress).  Let's assume 4 hours per character (we can't assume
any sort of alignment).  A sample message in my mail file comes with a
header of about 500 characters.  That's roughly 2000 hours of
computation, which comes out to about 83 days or almost 3 months.  It
doesn't sound terribly feasible, particularly considering that
messages with this sort of standardized content would be avoided by
anyone with half a gram of sense, making the computation required for
4K of text (almost 2 years) or a 10K message (4.5 years) patently
excessive.  Longer messages get more difficult.

This doesn't even address the issue of false confirmations.  The
search engine merely looks for a key which can turn a plaintext into a
given ciphertext.  It is bound to give some false matches when
guessing the plaintext.  I would be curious to see this issue
addressed in more detail.

At any rate, computing power is on the rise, making secure encryption
harder and harder to attain.

Luckily, Skipjack will solve this problem for us.  NOT!  ;)

------------------------------

End of Computer Underground Digest #5.87
************************************