Computer underground Digest    Sun  Mar 27, 1994   Volume 6 : Issue 27
                           ISSN  1004-042X

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Archivist: Brendan Kehoe (He's Baaaack)
       Acting Archivist: Stanton McCandlish
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Koppa Ediqor:       Phirho Shrdlu

CONTENTS, #6.27 (Mar 27, 1994)
File 1--A JT Apology for CFP No-Show and Deleted CuD Mail
File 2--Some thoughts on piracy, hacking and phreaking.
File 3--Lopez's reply to "Rape in Cyberspace"
File 4--Re: Village Voice & Phlogiston

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send a one-line message:  SUB CUDIGEST  your name
Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE:   from the ComNet in LUXEMBOURG BBS (++352) 466893;
          In ITALY: Bits against the Empire BBS: +39-461-980493

FTP:   UNITED STATES:  etext.archive.umich.edu (141.211.164.18)  in /pub/CuD/
                       aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
  EUROPE:         nic.funet.fi in pub/doc/cud/ (Finland)
                  nic.funet.fi
                  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

----------------------------------------------------------------------

Date: Sun 27 Mar 1994 15:32:54 CST
From: Jim Thomas <jthomas@well.sf.ca.us>
Subject: File 1--A JT Apology for CFP No-Show and Deleted CuD Mail

Notes are filtering in from folks who are wondering why I was a
no-show at CFP '94 this past week. I apologize for the absence, but it
seemed necesssary. I spent the week at my father's side and was with
him when he died friday noon.

Thanks to Netta Gilboa who gave a precis of my paper at the conference
and who, from incoming reports, did a better job of making sense of it
than it probably deserved. Thanks also to Bruce Umbaugh who filled in
as session chair at the last minute.

I probably shouldn't have tried to wade through the backlog of CuD
mail late Friday night when I returned, but a sense of returning to a
normal routine seemed necessary. Unfortunately, the mail wasn't
managed normally---I accidentally deleted many posts---I'm not sure
how many, but it was a substantial number.  So, if you subbed, sent
articles or comments, or whatever, and if you haven't received a
response, please resend. Sorry 'bout that.

Jim Thomas

------------------------------

Date: Wed, 9 Mar 1994 14:13:30 -0500
From: Dennis Shayne Weyker <weyker@WAM.UMD.EDU>
Subject: File 2--Some thoughts on piracy, hacking and phreaking.

The following is a long response I've had laying around to Emmanuel
Goldstein's testimony to congress last summer. I think the issues
mentioned are still relevant, so I've decided to finish the thing and
send it in.

I come across sounding a bit like a phone-company advocate, but I
don't really think I am. My real reason for writing was to counter
what I thought were some poorly thought-out anarchist and
libertarian-flavored arguments that hackers and phreaks use to justify
behaviors that don't seem justifiable to me.

Comments are welcome.

Shayne Weyker
weyker@wam.umd.edu

+>Date:   Thu, 10 Jun 1993 16:53:48 -0700
+>From: Emmanuel Goldstein <emmanuel@WELL.SF.CA.US>
>     It is easy to see this when we are talking about crimes that we
>understand as crimes. But then there are the more nebulous crimes; the
>ones where we have to ask ourselves: "Is this really a crime?" Copying
>software is one example. We all know that copying a computer program
>and then selling it is a crime. . . .  organizations like
>the Software Publishers Association have gone on record as saying that
>it is illegal to use the same computer program on more than one
>computer in your house. They claim that you must purchase it again or
>face the threat of federal marshals kicking in your door. That is a
>leap of logic.

I don't like or agree with the SPA's position, but I also think that
users who copy copyrighted non-shareware software and get significant
productive use or entertainment out of the software should buy it, and
be liable for fines and forced purchase if they don't buy it.

The problem with enforcing this is that you can't determine usefulness
or entertainment value to the user by auditing their hard drive. And
fining them for possessing copyrighted software they don't use is
unfair, (in cases where businesses are the target of the software
audit the company may not even know it has the software). This doesn't
bother the SPA, but if it bothers readers out there in net.land they
should get working on ideas for metering the use of software that
might be included in every program and that could be reset only the
first time its installed on a new storage device (hmm. that might have
some of the same hassles as old copy protection schemes).

>     It is a leap of logic to assume that because a word processor
>costs $500, a college student will not try to make a free copy in
>order to write and become a little more computer literate.

Students don't pirate WordPerfect to become computer literate, they
pirate it to write papers. In using the program they may become more
computer literate.

>Do we punish this student for breaking a rule? Do we charge him with
>stealing $500?

Certainly not $500, because WP isn't out the cost of manuals, disks,
distribution, or free tech support. They are losing a chunk of income
of the cost of developing the software, but this loss is compensated
for at least partly by the fact that WordPerfect Corp.'s future market
share goes up because pirated WP is so widely available and thus
becomes the only word processor many people ever bother to learn to
use. I would hope they would stick to trying to nail businesses and
leave individuals (other than those who resell pirated software) alone
as not worth the trouble. WP (like Microsoft) is a very rich and
successful software company whom the status quo has served quite well
and massive anti-piracy campaigns seem motivated by profit-motive
rather than economic self-defense.

But the problem remains that those who buy WP are paying for the
development of the program while those who pirate are not. The pirates
are freeloading by using a good (use of a program that cost millions
to develop) and not helping to reimburse the company for the costs of
development. This seems not so much like theft as being delinquent on
club dues, homeowners association fees, etc. Maybe assigning deadbeats
to bill collectors would be a good model for punish piracy. In a
perfect world, everything would be shareware, and there would the use
verification schemes so that everybody who used would pay up. To the
extent that those who pirate WP now get just as much productive use
out of it as paid users, pirates are transferring wealth from the paid
users to themselves (they both get use of the program, and the
legitimate user has to pay for them both).  Pirates may also be
transferring wealth from WP's employees and stockholders too.

Two questions arise:  1) "What gives the pirate the moral right to
freeload on the development cost of the software and transfer wealth
too themselves from others?" And 2) "We are all (except in dire cases
like Nazi Germany) morally bound to obey the law, except where one
*publicly* protests the law by deed and is willing to make oneself a
test-case to get the law changed (ala Doc Kervorkian). So where do
pirates get off claiming all by themselves that laws protecting the
intellectual property rights of software companies are void and that
they can go around violating the law covertly at little risk to
themselves just because they don't like it?"

Now if society decides it is willing to allow these unfair transfers
of wealth in return for a more computer literate and productive
workforce then okay. We allow what some think are unfair disparities
of wealth in order to help assure a productive workforce already.

But those in favor of punishing piracy could just as easily make
libertarian arguments that transfers of wealth that aren't explicitly
consented to by the person losing wealth is unjust, and that justice
is a higher goal than a somewhat more computer-literate and productive
society.

>Of course, this represents a fundamental change in our society's
>outlook. Technology as a way of life, not just another way to make
>money.

Does this mean that because its your way of life you shouldn't have to
pay for it? (see comments below about phreaking) That because
technology is your way of life, other people who make their living
producing technology shouldn't be able to make money off of you? Why
is technology different than all other categories of commodity to be
traded in the marketplace? Don't get me wrong, I have my beefs with
capitalism and I like Bruce Sterling's concept of money moving in to
control everything in "Green Days in Brunei". But I get the feeling
that, deep down, you deny others' right to make money off of you and
those like you (making you pay for all long distance, cable TV, fancy
telephone services, and all the software that you use regularly)
because you couldn't afford it and you wouldn't be able to make as
much use of technology (consume as many technological goods) as you
would like.

I doubt that using your technical skill to cheat the marketplace is a
morally acceptable form of protesting the restraints a capitalist
system places on you.

>After all, we encourage people to read books even if they can't
>pay for them because to our society literacy is a very important goal.

True, but libraries pay for their copies of books and it is neither
encouraged nor legal to photocopy entire books. It's gonna be
interesting to see what happens when libraries turn into big full-text
on-line databases and as many people can download a particular text as
can call in. Like a guy said in Wired 1.1, if the libraries don't
charge for this, it might put book publishers out of business. If that
happens, who's going to pay authors to write books?

>If we succeed in convincing people
>that copying a file is the same as physically stealing something, we
>can hardly be surprised when the broad-based definition results in
>more overall crime. Blurring the distinction between a virtual
>infraction and a real-life crime is a mistake.

There is a kind of prohibition-era effect that current law (as SPA
interprets it) makes petty criminals out of a lot of people. But, the
SPA members may feel the opposite way, that if people are made to feel
criminal/guilty/fearful for copying software (regardless of whether
they get productive use or entertainment out of it) they will copy a
lot less and buy a little more. You certainly wouldn't respond this
way, but John Q. User might be a different story.

A big reduction in the distribution of pirated software is bad for the
user (less ability to evaluate before buying, less chance to use new
software or software of tangential to one's business) but good for the
software companies (more profits for the software industry and
possibly more wealth trickling down to those who work for it). SPA is
intentionally shortsighted as to the benefits of piracy for users as a
whole. Pirates are shortsighted about the justifiably expected
economic return for those who invested their money or labor so that
MondoBase+ 2.0 has lots of cool features, runs fast and bug free, and
comes out before 1996.

>LEGISLATION FOR COMPUTER AGE CRIME
>Is mere unauthorized access to a computer worthy of
>federal indictments, lengthy court battles, confiscation of equipment,
>huge fines, and years of prison time?

It depends on who's computer you mess with, generally no. Whether they
look at restricted information or not the state might have a
legitimate interest in making an example of someone who was playing
around in 911 computers or computers with honest-to-goodness sensitive
911-related information, the National Crime Information Center,
Department of Defense, IRS, Department of State, Nuke power plants,
hospitals, city electrical grid controls, etc. I want people to stay
the hell out of critical systems like that. But this hasn't been the
kind of hacking most folks have been busted for... I agree the
government has been clumsy and techno-illiterate in its response and
has stomped on more than a few people's rights.

>Or is it closer to a case of trespassing, which in the real world is usually
>punished by a simple warning? "Of course not," some will say, "since accessing
>a computer is far more sensitive than walking into an unlocked office
>building." If that is the case, why is it still so easy to do?

However, I think the analogy to an unlocked office building is a bad
one. It more like entering the office building through city sewers or
steam tunnels or looking for a forgotten unlocked window to crawl
through. Hackers don't just wander into a system, it takes effort and
some applied skill. If somebody had a really wimpy lock on their front
door you could open with a credit card, I think it would still be
breaking and entering to do so. And I wouldn't expect any thanks for
demonstrating how bad their security is.

>If it's possible for somebody to easily gain unauthorized access to a computer
>that has information about me, I would like to know about it.

Are you saying that you would only hack into a system that you knew or
expected held information about you personally? I'm guessing that you
would extend this argument that held information about other people,
any people, and that you would be doing them a service by showing them
if their system is insecure. If your reason for penetrating computers
reduces to nothing more than to show it can be done, thereby
marginally improving someone's (not necessarily your) privacy, then
issues of protecting people's privacy as a motive for your hacking
recede into the background.

I firmly believe that hackers hack because they like the challenge,
the ego boost, the subversive feel of it, the feeling of power, etc.
They may wind up goading sysadmins into producing more secure systems,
but I doubt that's their motive. If that were so, they would
anonymously inform sysadmins of holes as soon as they found them. If
the admin doesn't fix the hole then warn the admin "the hole will be
disseminated to others soon, get on the ball or else". I've gotten the
impression that hackers actually penetrate a system repeatedly the
same way just so they can do fun superuser kinds of things and try to
conceal their penetrations for as long as possible rather than inform
the sysadmin of the hole.

Goofing around or inviting others into the system and leaving the
admin to discover unauthorized highly priviledged users, degraded
system performance, or damage to files may get a faster closure of the
hole, but is unethical and unnecessary if the real goal is protecting
the system's users' privacy.

>But somehow I don't think the company or agency running the system would tell
>me that they have gaping security holes. Hackers, on the other hand, are
>very open about what they discover which is why large corporations
>hate them so much.

And they hate you for "being open" because it makes extra work for the
sysadmins, and broadcasts the presence of security holes to malicious
as well as non-malicious hackers, thereby increasing the chance that a
malicious hacker will get in and do some real damage before the hole
is fixed. The increased security of systems is a nice side-effect of
hacking, but as long as hackers keep publishing holes there are going
to be some poor schmuck sysadmins who get or act on the news a bit
later than some malicious hacker, and get their systems' users get
hurt.

>THE DANGERS OF UNINFORMED CONSUMERS
>In 1984 hackers were instrumental in showing the world how TRW kept credit
>files on millions of Americans. Most people had never even heard of a
>credit file until this happened.  Passwords were very poorly guarded -
>in fact, credit reports had the password printed on the credit report
>itself. . . . More recently, hackers found that MCI's Friends and Family
>program allowed anybody to call an 800 number and find out the numbers
>of everyone in a customer's "calling circle".  In both the TRW and MCI
>cases, hackers were ironically accused of being the ones to invade
>privacy. What they really did was help to educate the American
>consumer.

I believe they actually did both. They read and in some cases altered
people's credit records. And I'm guessing they fooled around with
playing see-who's-in-so-and-so's calling circle for a while until they
got bored.  Nevertheless, these were cases were hackers' activity was
eventually socially useful.  Phreakers' much more common activity of
toll fraud driving up everyone else's phone rates is not socially
useful. Hackers blowing into local business and university computers
and grabbing "trophies" to show each other and changing the system
passwords so the sysadmin can't get in, is not socially useful.

>the local phone companies take advantage of consumers. Here are a few
>examples:
>     Charging a fee for touch tone service. This is a misnomer.  It
>actually takes extra effort to tell the computer to ignore the tones
>that you produce. Everybody already has touch tone capability but we
>are forced to pay the phone company not to block it. While $1.50 a
>month may not seem like much, when added together the local companies
>that still engage in this practice are making millions of dollars a
>year for absolutely nothing. Why do they get away with it?

Because they justify it as recouping the cost of buying and installing
the DTMF equipment that lets them offer touch tone service. If they
have long since gotten back their investment in the equipment the
charge should be dropped. And they way to do that is get a group of
people or a lawyer upset about it and then to go to the appropriate
regulatory agency and say "look how this monopoly is gouging
consumers".

>Other examples abound: being charged extra not to have your name
>listed in the telephone directory, a monthly maintenance charge if you
>select your own telephone number,

Both of these require the phone company to break with normal routines,
thereby becoming a bit less productive and spending a bit more money.
In their preparation of the phone book and of assigning new numbers,
they use more labor to serve your wants relative to those of other
phone customers. (Of course, this is also true as a class of people
who live in the rural/low population density areas, but they're
subsidized by the taxpayers.)

If you're unlisted they have to insert a few extra steps into the
production of the phonebook before it goes to press to make positively
sure you're not in it.  If you're not in information, they probably
have to 1) make a (probably trivial) change in your computer record
and 2) make (less trivial) allowances in the programming/design of the
information assistance software for people desiring un-assistable
numbers. If you have a custom phone number they have to check that 1)
its not being used (trivial) and 2) make allowances in their
planning/programming of the number assigning system for numbers
(re)entering service sooner than would have been expected if numbers
had been moved in and out of use according to plan rather than by
customer whims. Some people will pick custom numbers which they could
have gotten by normal assignment, which eliminates the second reason,
but for efficiency in billing and fair/equal treatment of those who
want custom numbers, all should be charged the same.

The main point here is that somebody had to make the design changes in
how the phonebook is produced and in the computer systems that manage
information assistance and number allocation to accommodate these
requests for additional privacy/customization, and those changes cost
money to design and implement and cost a (tiny) bit more in operating
costs/maintenance/upgrades each year than one which didn't have to
make allowances for privacy and custom phone numbers.

Of course, that doesn't answer the question of why individuals who
want privacy should have to bear the costs rather than the entire
phone-using community . .  . but again (like with the issue of earning
back the cost of installing touch-tone equipment) this is something to
take up with the agency who regulates the telco or an interested
legislator.

>the fact that calling information to get a number now costs more than calling
>the number itself.

Directory assistance requires the use of human operators and the
creation and maintenance of a particular subset of the phone company's
computer database system for public access. Placing a normal
direct-dial call requires neither.  Lazy people who create more demand
for this service by not looking up numbers in the phone book should
pay more (remember assistance at payphones, where you may not have a
book, is free). Ideally getting information for numbers that have been
added since the book came out should be free as well, but the added
administrative cost of doing that is probably prohibitive.

>More recently, we have become acquainted with a new standard
>called Signalling System Seven or SS7. Through this system it is
>possible for telephones to have all kinds of new features: Caller ID,
>Return Call, Repeat Calling to get through a busy signal, and more.
>But again, we are having the wool pulled over our eyes. For instance,
>if you take advantage of Call Return in New York (which will call the
>last person who dialed your number), you are charged 75 cents on top
>of the cost of the call itself.
**>Obviously, there is a cost involved when new technologies are introduced.
>But there is no additional
>equipment, manpower, or time consumed when you dial *69 to return a
>call. It's a permanent part of the system. As a comparison, we could
>say that it also costs money to install a hold button. Imagine how we
>would feel if we were charged a fee every time we used it.

The cost of a hold button is paid for all at once in the price of your
phone, and it costs the phone company nothing to maintain. There was
probably a time when hold buttons were a hot new feature and phones
with them cost significantly more.

The tens of millions (I'm guessing) of dollars in electronics and
human labor that went into making SS7 go from an IDEA in some Bellcore
engineer's mind to DESIGN then to PROTOTYPE then to PRODUCTION then to
INSTALLED EQUIPMENT came from somewhere, and those people want their
money back, with interest. So the phone company recoups their cost.
And they do it from those who actually use the SS7 services, which
seems fair. Again, they phone company should not be allowed to make
undue profits off of SS7 services, but merely charging for them is
okay.

There is an issue of information-technology haves and have-nots here
though. If all these cool SS7 options are expensive then only rich
people will be able to afford them easily and middle-class people on
down will have to make decisions about what they'll give up each month
in order to afford the SS7 services. You may not like it, I may not
like it, but that's how capitalism works. Including the cost of SS7 in
basic rates would be unfair to the poor since I suspect they as a
group would be significantly less likely to use the services than the
rich and middle class but would then be paying for the SS7 services
they don't use as well.

>The local companies are not the only offenders but it is
>particularly bad in their case because, for the vast majority of
>Americans, there is no competition on this level.

If they're a monopoly, someone outside their company has to approve
their rate schedule. Mobilize a group, find that someone who regulates
rates, and complain, or write your congressman. If there were
competition, all providers might still charge for SS7 services the
same way since customers choosing a local phone company would probably
be most price sensitive about the basic monthly rate rather than the
bells and whistles. Telcomm-power-users are not a big enough group to
be the bread and butter of you local telco.

It might be that the phone company is getting lots of profits off of
SS7 and using that to subsidize the basic rate for everyone,
effectively shifting some costs from all users to "power-users" of the
phone system. This may or may not be fair, but it is not the same
thing as the phone company ripping you off.  Cross-subsidy is a way of
life.

It might also be that since its a new technology, there is a
relatively limited supply of SS7 equipment out there to be bought by
telco's and the installed base of SS7 equipment in your area can only
handle so much usage.  Microeconomics 101 Solution: Charge a mint for
the SS7 services and demand will stay manageable despite the wonderful
convenience it offers. Once again, capitalism at work.

>AT&T, MCI, and Sprint all encourage the use of calling cards.
>Yet each imposes a formidable surcharge each and every time they're used.
>there is no extra work necessary to complete a calling card call - at least >
>not on the phone company's part. . . .  But billing is accomplished merely by
>computers sending data to each other.  . . . Everything is
>accomplished quickly, efficiently, and cheaply by computer. Therefore,
>these extra charges are outdated.

I bet a bunch of phone co. programmers and EE's had to write a lot of
code and design and install networks that upgraded the phone company's
computerized billing system to handle calling cards. See the above
comments on SS7 for what this means. And let's not forget calling card
fraud and the investments in security to control it, an unfortunate
side-effect of offering card-calling.  Who should bear that cost? All
customers, or those that use the calling cards?  You might say, why
not the employees and shareholders of the phone company for not having
a more secure calling card system? Sometimes they do: phreakers ran
Metrophone out of business if I remember right. But if phone companies
gave individuals pass-numbers that didn't include their phone numbers
and were much harder to memorize, people would either change phone
companies or raise holy hell with the regulatory agency to get them to
undo it. Computerized calling-card identification by voiceprint might
crush toll-fraud, but who is going to pay to design, build, install,
and maintain the system?

Phreakers seem to feel that their consumption of time on phone company
lines and equipment without paying for them is like hackers breaking
in and using otherwise-unused CPU time on some company's computer.

First, I'm not too sure that hackers don't degrade performance of
systems they invade if only by soaking up the labor of system
administrators who could be doing other things besides constantly
updating and improving system security.  To which you'd say "we're not
making work for them, we're keeping them from being complacent and
becoming sitting ducks for industrial espionage and malicious
hackers." Maybe so, but you're also taking time away from their
efforts to make their systems faster, more reliable, friendlier, etc.
And what is the Hacker community's record with regard to malicious
hackers who trash companies systems? Do they actively try to find out
these guys and inform on them? I doubt it, although I'd be happy to
learn otherwise. If non-malicious hackers' real purpose is to help
companies to defend themselves against malicious hackers, then they
probably should as a rule inform on malicious hackers.

But is phreaking morally equivalent to hacking? Is it just using
left-over bandwidth, which can be thought of as being like unused CPU
cycles? I don't know. I can imagine scenarios where because of the
additional demand for services created by phreakers, more switching
equipment and programmer-hours have to be bought which might not have
been bought otherwise. And there is still the issue of making work for
phone system admins trying to catch people stealing long distance. Not
to mention making work for the customer service reps who have to
rectify some poor customer's $7000 phone bill. Fooling around with
satellites thousands of people depend on is definitely not ok.
Phreaking at off-times where there's lots of slack in the phone system
and doesn't create pressures for new equipment is more tolerable, but
still creates non-profit-making work for customer service, security,
and sysadmins in reacting to the threat that drives up the company's
operating costs, and, probably, everyone's rates.

>SOCIAL INJUSTICES OF TECHNOLOGY
>     The way in which we have allowed public telephones to be operated
>is particularly unfair to those who are economically disadvantaged. A
>one minute call to Washington DC can cost as little as 12 cents from
>the comfort of your own home. However, if you don't happen to have a
>phone, or if you don't happen to have a home, that same one minute
>call will cost you $2.20. That figure is the cheapest rate there is
>from a Bell operated payphone. With whatever kind of logic was used to
>set these prices, the results are clear. We have made it harder and
>more expensive for the poor among us to gain access to the telephone
>network. Surely this is not something we can be proud of.
>     A direct result of this inequity is the prevalence of red boxes.
>Red boxes are nothing more than tone generators that transmit a quick
>burst of five tones which convince the central office that a quarter
>has been deposited. It's very easy and almost totally undetectable.
>It's also been going on for decades.  Neither the local nor long
>distance companies have expended much effort towards stopping red
>boxes, which gives the impression that the payphone profits are still
>lucrative, even with this abuse. But even more troubling is the
>message this is sending.  Think of it. For a poor and homeless person
>to gain access to something that would cost the rest of us 12 cents,
>they must commit a crime and steal $2.20. This is not equal access.

In theory I think you're absolutely right, there shouldn't be this
massive surcharge on LD pay-phone calls. However, it may not be true
that redboxing truly serves to rectify this inequity for those it
hurts the worst. I'd guess that in practice very poor people who can't
afford homes and phones also can't afford hand-held cassette players
either, nor are they good friends with some phreak who will do it for
them on a regular basis, thus the poor aren't in a position to do
redboxing. Redboxing doesn't really do anything about the
price-inequity unless poor folks actually make use of it. Now if the
poor are out of the picture, it looks more like the phreaks are just
mad at the telco for price-gouging and decide to rip off said telco
because of it.

I wonder though: how much of high pay-phone prices are due to the
telco trying to recover losses from payphones due to redboxing?

Call-Sell operations using cloned cellular phones might be better able
to use your argument about compensating for price-inequity than
redboxing since it seems (based on some recent testimony I read) to be
pretty widely available to at least the urban poor on an as-needed
basis. Call-selling has at least a potential a wealth-redistributing
effect from relatively rich legitimate cell-phone users to poor folks
without phones (especially immigrants w/lots of relatives to reach out
and touch back home) and the Call-Sell operators. Note though, to the
extent that call-selling serves middle-class people who already own
phones and not the poor and phoneless it serves merely to redistribute
wealth from the users who use their cell-phones legitimately and the
telco, and transfer it to users who choose not to use their legitimate
phone and to use call-sell service instead, as well as the call-sell
operators. This kind of redistribution cannot rely on social justice
arguments and is just massive toll-fraud.

>CORPORATE RULES
>. . . This puts us at direct odds with many organizations, who believe
>that everything they do is "proprietary" and that the public has no
>right to know how the public networks work. In July of 1992 we were
>threatened with legal action by Bellcore (the research arm of the
>Regional Bell Operating Companies) for revealing security weaknesses
>inherent in Busy Line Verification (BLV) trunks. The information had
>been leaked to us and we did not feel compelled to join Bellcore's
>conspiracy of silence.

See my earlier comments about publishing security holes or sharing
them with hackers before letting the sysadmins have adequate warning
and time to fix the hole. Instant publication of holes is not socially
responsible.

Also, publishing one company's private data can in some cases create a
competitive disadvantage relative to that company's competitors with
real economic effects. If Phrack runs a long series of articles about
"how to hack the new Fujitsu switches", the communications engineer at
BellAtlantic deciding what brand of switch to buy may decide to buy
some other brand of switch besides Fujitsu. And he might be doing this
solely of the publication of those articles makes him think (rightly
or wrongly) that the Fujitsu's switch is more likely to get hacked
into than, say, Northern Telecom's. Phrack has just transferred wealth
from Fujitsu to Northern Telecom and possibly influenced the telco
into buying the less competitive switch (which could wind up
increasing telco operating costs and users' rates) out of fear of
getting hacked.

Moral: not all arguments about the social and commercial value of
keeping proprietary information secret are bogus.

>In April of this year, we were threatened with
>legal action by AT&T for printing proprietary information of theirs.
>The information in question was a partial list of the addresses of
>AT&T offices.  It's very hard for us to imagine how such information
>could be considered secret. But these actions are not surprising.

I'd bet money those addresses were sensitive because they would be
very useful to someone trying to con, misrepresent, and
social-engineer their way into the telco's computers. What possible
use there would be to the non-hacker/phreaker member of the public for
obscure telco-bureaucracy addresses and phone #s the phone company
decides not to let out to the general public eludes me.

>This in itself is wrong; a publication must have
>the same First Amendment rights regardless of whether it is printed
>electronically or on paper. As more online journals appear, this basic
>tenet will become increasingly critical to our nation's future as a
>democracy.

I couldn't agree more.

The government promptly dropped its case against
>the publisher who, to this day, is still paying back $100,000 in legal
>fees.

This sucks. The gov't/telco should have had to eat the defense's legal fees.

>As further evidence of the inequity between individual justice
>and corporate justice, Bell South was never charged with fraud for its
>claim that a $14 document was worth nearly $80,000. Their logic, as
>explained in a memo to then Assistant U.S. Attorney Bill Cook, was
>that the full salaries of everyone who helped write the document, as
>well as the full cost of all hardware and software used . . .

The Phrack/E911 case is one of the worst abuses of rights to date.

However, please let my speculate for a moment, working from the assumptions
that
1) The document was not expected to diffuse into the hands of hackers.
The "catalog anyone could order the document from" was, I suspect,
used only by and intended only for vendors and employees.
2) That possession of the E911 document would at least marginally aid
in the efforts of those who were interested in hacking into 911.

Granted, if both #1 and #2 are true then it could mean that BellSouth
had negligent security practices and deserved what it got. It might
also be the case that #2 is simply not true (I just can't say one way
or another due to not having read the document closely and lacking the
knowledge needed to understand the significance of everything was said
in the document). If #2 is false the following argument can be
ignored.

It seems to me that there could be an economic cost to Bell South
*because of the publication of that document in the hacker community*.
If Bellcore has to devote additional resources to beefing up E911
security solely because certain features of the E911 system are now
much more widely known to the hacker community (and thus more likely
to be attacked) than before the publication of the document in Phrack,
then Phrack has done BellSouth economic harm (and may also have
indirectly contributed to the risk of a breach of security in E911
until their new security measures kick in). It think it the case that
protecting the first amendment requires us to ignore such economic
harm and not make it legally actionable, but I believe that the "cost"
to BellSouth of the publication of that document in Phrack was
probably much greater than a few lost sales of the document's physical
incarnation.

The added short-term risk of a breach in 911 security due to the
publication of the document might have slightly more weight against
first-amendment claims but would probably still be outweighed by
freedom of speech. I could imagine a case though, where publication
(especially quiet publication within the hacker community so that the
average telco security person and E911 sysadmin person might not hear
about the publication for a few weeks) of the factory-default
passwords and dialup numbers for E911 computers would be great enough
a risk to public safety as to merit strong punishments and prior
restraint.

I hope the above article has provided some new middle-ground between
anti-establishment and establishment people to stand on and discuss
piracy, hacking and phreaking. I hope also that some hackers and
phreakers will use to above to re-examine wether they are, as claimed,
actually doing society a favor, and if not, how they could change
their ways so as to be a positive force.

Shayne Weyker
weyker@wam.umd.edu

------------------------------

Date: Fri, 25 Mar 94 01:45:40 EST
From: shadow@VORTEX.ITHACA.NY.US(bruce edwards)
Subject: File 3--Lopez's reply to "Rape in Cyberspace"

 Andy Lopez demonstrates an all too common deficit of civility in his
critique of Julian Dibbell's Voice article [Cu Digest, #6.21;6.26] --

AL> The December 21, 1993 Village Voice is a case in point.  However,
AL> as old Voices aren't normally found outside of fish markets, ...

-- as well as little knowledge of libraries.

 To relieve the reader of at-length quoting both of Mr. Dibbell's
article and Mr. Lopez's analysis, I'll try and summarize each:

 Dibbell's premise was that acts committed in virtual reality (VR),
acts having no "real life" component themselves, are nonetheless
(virtually) actionable on the ground that said acts have real life
(RL) consequence.  He went further by proposing that lessons learned
in VR may be ported to RL.  I have seen an RL event unfold much like
the one Mr. Bungle reportedly perpetrated on LamdaMOO.  The
perpetrators actions there (child abuse) were not verbal, but
physical.  This real life Bungle, too, had reasons why the community
ought not "toad" him, though the toading would have been of the
banishing, not the annihilating sort (the legal processes were already
complete).  The community involved agonized in much the same way the
members of LamdaMOO did.  In the end, there was no Wizard to act, and
there was little resolution, but there was experience to be archived.
Had these people the previous experience of the players on the MOO at
adjudicating communal threat, I believe that they would have been able
to relate with greater precision to their real life dilemma.  This is
the value of simulation, is it not?

 Mr. Lopez derides the concept of role-playing VR:

AL> For the blissfully ignorant, a MUD is a Multi-User Dungeon, a
AL> glorified electronic role-playing program.  On MUDs such as
AL> LambdaMOO, you can choose your name and appearance and _interact_
AL> <gag> in a digitized world with other characters.  Personally, I
AL> find them identical to the old-fashioned, word-based role-playing
AL> games - such as the Dungeons & Dragons abomination - only more
AL> boring and repetitive.

 Personally I have played neither, but find Lopez's comments oddly out
of perspective.  The cyberspace experience -- email, bulletin boards,
the USENET -- is entirely digitized interactivity.  Lopez goes on to
interpret Dibbell's use of netsex as an example of the involvement
MUDers experience in the VR world --

[Dibble:]
"Netsex, tiny-sex, virtual sex - however you name it, in real-life
reality it's nothing more than a 900-line encounter stripped of even
the vestigial physicality of the voice.  And yet, as any but the most
inhibited newbie can tell you, it's possibly the headiest experience
the very heady world of MUDs has to offer . . . Small wonder, then,
that a newbie's first taste of MUD sex is often also the first time
she or he surrenders wholly to the slippery terms of MUDish ontology,
recognizing in a full-bodied way that what happens in a MUD-made world
is neither exactly real nor exactly make-believe, but profoundly,
compellingly, and emotionally meaningful."

-- in what seems to me to be an intentionally myopic manner:

AL> [Really incredible.  Dibbel almost seems to be saying that the
AL> MUD means so much to people because it's a way to get off.  I
AL> stand amazed.]

  Of course, Dibbell implies no such thing.  He plainly means to say
that a MUD's power is in its ability to invoke an imaginative process
imparting kinesthetic, emotional, and intellectual verity.  A MUD may
establish a real -- not a "virtually" real -- web of interconnectivity
among its players.  That there is no physical connection (required)
among the parties is certainly no block to genuine experience.  If Mr.
Lopez, for example, were to be called intellectually deficient and
disingenuous in his post, and if he were to experience an emotional
reaction as a result of being labeled a dolt, would the fact that his
emotion was generated via cybertext make the experience itself
invalid?  Does he say words are without power?

 I really can't delve Lopez's difficulty.  Is he offended by the
seriousness the players exhibit, by the reality they say suffuses
their MUD?  After reading his post several times, it seems only an
exercise to excoriate the idea of fantasy play and belittle Dibbell's
concepts.  Is it that the players do not detach from their experience
sufficiently to gain his approval?  He lastly proclaims:

AL> Dibbel draws flabbergasting conclusions about the future of
AL> society and he writes about it in this prose:

" . . . the commands you type into a computer are a kind of speech
that doesn't so much communicate as _make_things_happen_, directly and
ineluctably, the same way pulling a trigger does.  They are
incantations, in other words, and anyone attuned to the techno-social
megatrends of the moment - from the growing dependence of economies on
the global flow of intensely fetishized words and numbers to the
burgeoning ability of bioengineers to speak the spells written in the
four-letter text of DNA - knows that the logic of the incantation is
rapidly permeating the fabric of our lives."

AL> Just what is needed!  Cyberspace is already filled with shysters,
AL> hucksters, idiots, and clowns. Now we start collecting animists.

---
animism (an'uh-mizuhm)

--noun
Belief that natural phenomena and inanimate things have souls.

[< Lat. anima, soul]
---
 No reading of Dibbell can support the allegation of animism.  Lopez's
article is weak, mean-spirited, and indicative of one of the major
problems (a *real* problem) in cyberspace:  when insulated by the
abstractness of this world, people shed their civil reticence.  There
is talk here that would not pass in the world with which I am most
familiar, that of the street.  I doubt Mr. Lopez would be quite so
free with his language in that instance;  but even that restraint,
enforced by threat of immediate physical retaliation, is a lacking
sort of restraint.  The real need is for true respect, even in -- no,
particularly in -- disagreement, that of individual for individual,
engendered through recognition of shared humanity.  Perhaps finding
that on a MUD, however virtual it may be, is a better start than smug
superiority.

 --
bruce edwards - shadow@vortex.ithaca.ny.us
The Total Perspective Vortex BBS, Ithaca, NY

------------------------------

Date: Sat, 26 Mar 94 10:44 WET
From: jwtlai@IO.ORG(GrimJim)
Subject: File 4--Re: Village Voice & Phlogiston

In response to CuD #6.26 ("Village Voice and Phlogiston"):

>"Village Voice Perfects Phlogiston Synthesis in Coverage of Cyberspace"

>by  Mr. Badger (Andy Lopez)

>[...]  The author [of an article in the Village Voice], Julian Dibbell,
>has been a frequent user of the LambdaMOO, a MUD run inside of Xerox's
>Palo Alto research computer.

>For the blissfully ignorant, a MUD is a Multi-User Dungeon, a
>glorified electronic role-playing program.  On MUDs such as LambdaMOO,
>you can choose your name and appearance and _interact_ <gag> in a
>digitized world with other characters.  [...]
>What followed can only be understood if you accept that the game is a
>reality, of sorts, for most of its users.

>You might think that the offended parties simply arranged to have the
>offender kicked off the system, [...]
>In short, those who ran the game didn't want to ruin it by taking drastic
>action and those who played the game wanted the user removed.  [...]

Yes, it sounds like people take things rather seriously.  But the sense
of reality these players express has an analog in the artistic world.
Their behavior can be easily understood in this context.

>This being cyberspace, there were conflicting views.

Replacing "cyberspace" with "a society" reveals the true nature of the
event.

>Why didn't the other users simply use the command that would have
>blotted Mr. Bungle's messages from their screens?  Was it really that
>serious anyway?

Using a filter might remove said Bungle from your sight, but it does not
keep Bungle from using his (or her?) coded toy from impersonating you
before a third-party.  To use Usenet as an analogy, Bungle performed
the equivalent of forging obnoxious messages in other peoples' names;
many people have taken forged messages quite seriously in the past.  It
should be obvious that the main issue actually has little to do with games.

Dibbell's analysis of the situation is incorrect, but so is Badger's
dismissal.  By acting out roles, players are investing time and effort in
the creation of characters.  It's a cross between acting and literature;
in the former, roles (characters) are made visible to others by
performance; in the latter, the character is revealed through text.
One could say that Bungle disregarded the authors' right to control their
literary creations, their intellectual property.  The "social way to
behave" is to be a collaborator with other authors, not to usurp them.

>Where does the body stop and the mind begin?  What is the nature of
>reality?  The arguments were going in circles during an extended
>meeting of up to thirty - count 'em, thirty - users.  In the middle of
>the online babble, Mr. Bungle appeared and offered his defense:  He
>was simply experimenting with users' reactions to extreme events.

I think there is a simple guideline to such social games: "If you can't
play by the rules, you can't play the game."  I might add that the "I was
just experimenting on you (without your prior knowledge or consent)"
defense has also shown up on Usenet as (poor) explanation for deliberately
offensive posts.

>What followed was the institutionalization of a process whereby users
>could have more input into controlling the MUD.  To cap things, Mr.
>Bungle reincarnated as a new, chastened character.

In other words, the rules of the game were changed to handle disruptive
players.  A sociological analysis of how the game's society reacted and
adapted to the situation might have been useful, but what can one really
expect out of sensationalist media?

>Dibbell draws flabbergasting conclusions about the future of society [...]
>Cyberspace is already filled with shysters,
>hucksters, idiots, and clowns. Now we start collecting animists.

And cynics, judging from Badger's snide tone.

I found Dibbell's quoted and paraphrased words were often irrelevant.
Alas, the obsession with electronic sex and superficial philosophical
rambling is all too trendy.  This "cyberspace" thing isn't about games
or virtual sex, it's about people and the societies they create.  Don't
lose track of the message/forest for the medium/trees.

------------------------------

End of Computer Underground Digest #6.27
************************************