Computer underground Digest    Wed  Aug 21, 1996   Volume 8 : Issue 61
                           ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Shadow Master: Stanton McCandlish
       Field Agent Extraordinaire: David Smith
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #8.61 (Wed, Aug 21, 1996)

File 1--Seeking opinions of Mankato State University email policy
File 2--Commends requested on Mankato "email" policy
File 3--DOJ homepage hacked!!!
File 4--Re: USDOJ Hacked
File 5--Microsoft Acknowledges Flaw in Internet Browser
File 6--Re: Cu Digest, #8.60--Sun, 18 Aug 96
File 7--Cu Digest Header Info (unchanged since 7 Apr, 1996)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Mon, 19 Aug 1996 10:30:32 -0500 (CDT)
From: "Robert A. Hayden" <hayden@krypton.mankato.msus.edu>
Subject: File 1--Seeking opinions of Mankato State University email policy

-----BEGIN PGP SIGNED MESSAGE-----

At the beginning of the year, Mankato State University adopted the following "email policy". Being a member of the student senate, I expressed my concerns to the student government about the policy (particularly the prohibitions on "political" speech), but it wasn't politically feasible to challenge the policy as the student government had approved it prior to my election (ie, I don't really think they knew what it was they were signing/signing-away). When I did bring it up to the administration of the university, it was basically reduced to "well, the Senate said it was ok, so stick it" (well, that's somewhat paraphrased :-).

Anyways, I'd like some opinions about this, as, in light of the Princeton case (and the ACLU's response), I think I would like to attack this policy.
I would just like a little better feeling about where this policy stands than the general "yucky" feeling I get.

Thanks for your time.

Robert Hayden

- -----------------------------

Mankato State University

MANKATO STATE UNIVERSITY ELECTRONIC MAIL TRANSMISSION REGULATION

Article I. Objective

To ensure that electronic mail transmissions between and among MSU authorized "E-mail" users are consistent with state statutes limiting the use of state services and equipment to state business purposes only. This effort is consistent with existing practices governing other forms of communication on campus including telephone calls, bulletin board postings, the mass distribution of promotional flyers, and the use of intra-campus mail services.

Minnesota Statutes Chapter 43A.38, Subd. 4 - Use of State Property

An employee shall not use or allow the use of state time, supplies or state owned or leased property and equipment for the employee's private interests or any other use not in the interest of the state, except as provided by law.

Minnesota Statutes Chapter 43A.39, Subd. 2 - Noncompliance

Any employee who intentionally fails to comply with the provisions of Chapter 43A shall be subject to disciplinary action and action pursuant to Chapter 609. An appointing authority shall report in writing to the legislative auditor when there is probable cause to believe that a substantial violation has occurred. Any person convicted of a crime based on violations of this chapter shall be ineligible for appointment in the civil service for three years following conviction.

Minnesota Statutes Chapter 609.87 thru 609.8911 - Computer Crime

[Statute deals with definitions; destructive computer programs; intentional damage to computers, computer systems, computer networks, computer software, etc.; theft of services and equipment; unauthorized computer access; gross misdemeanor and misdemeanor criminal penalties; and reporting violations.]
University Facilities and Services - Restricted Use

Faculty and staff are to use University facilities and services for University business only.
[Mankato State's Employee Handbook - General Policies Section]

Professional and Ethical Standards

University equipment shall not be used by employees for personal use without notice to and the written consent of his/her employer . . . .
[State University System Regulations Article 2.4]

Similar language is contained in Articles 4 and 27 of the IFO Labor Agreement and Article 20 Section C of the MSUAASF Agreement.

Students, who are not already on-campus part-time employees covered by the above statute citations, shall adhere to all E-mail policies and regulations contained herein. It is the intent of this E-mail regulation to cover all E-mail users within the campus community.

Article II. Regulation

The electronic mailing privilege is provided to members of the University community to enhance their ability to quickly and conveniently send and receive written communications and documents for the purpose of conducting University business. Use of the privileges for personal gain and for non-University related business is prohibited. (The University continues to invest significant amounts of its budget in the maintenance and improvement of electronic transmission capability, in addition to the enormous past outlays which have been made for computer hardware, software, and cabling.)

SECTION 1. FOR PROFIT USE PROHIBITED : NONPROFIT USE REQUIRES PRIOR APPROVAL

For profit organizations are strictly prohibited from the use of University electronic mail services. (University contract vendors like Wallace's University Bookstore and the ARAMARK food service shall be provided access to the University electronic mail system only upon agreement to pay MSU for these state provided services.)
Non-profit organizations may be allowed access only if the transmission has been approved in advance by the University Operations Vice President (or designee). Authorization for such access by a non-profit organization will hinge on how closely it relates to the "state business use" standard and the organization's traditional or direct tie to the University (e.g., Mankato State University Foundation, United Way, etc.).

SECTION 2. ACADEMIC FREEDOM PRINCIPLES APPLY

Commonly understood principles of academic freedom shall be applied to the administration of information transmitted by E-mail.

SECTION 3. EXTERNAL TRANSMISSIONS TO MSU E-MAIL USERS

The ability of the University to monitor and regulate incoming Internet transmissions is almost impossible. If unsolicited or unwanted Internet transmissions are received, E-mail users may contact their mail system manager so that an effort can be made to ensure that such transmissions do not reoccur from the same source.

SECTION 4. POLITICAL USE OF E-MAIL PROHIBITED

Political transmissions are prohibited. This would include transmissions which advocate the election of particular candidates for public office at either the federal, state, or local level. Also banned are those messages that advocate support of or opposition to any particular referendum proposal that will be decided by the voters during a general or special election affecting the public at large.

SECTION 5. COLLECTIVE BARGAINING UNITS, RECOGNIZED STUDENT GROUPS - E-MAIL TRANSMISSIONS ALLOWED

This regulation is not to be interpreted as prohibiting transmissions protected by existing employee collective bargaining agreement provisions dealing with mailing privileges nor shall it be used to deny access to recognized student organizations and related student service departments who wish to announce upcoming events that may be of interest to members of the University community.

SECTION 6. GENERAL STANDARDS AND GUIDELINES

1.
Personal uses of E-mail which are prohibited include, but are not limited to: chain letters; recipes; "garage sale" announcements; solicitation or requests for contributions (e.g. needy family, special relief efforts, etc.); commercial advertisements; and advertisements for events or items for sale or rent that result in personal gain or revenue for non-University departments and programs or unapproved organizations as prohibited by provisions in Article II, Section 1 of this policy.

2. E-mail users are asked to take care in directing their messages to large audiences and to avoid sending repeats of the same messages as "reminders." Concerns also exist that many messages sent to all MSU mail users could be better targeted to smaller groups of users.

3. E-mail transmissions shall not be used in any way which violates Higher Education Board or University policies regarding harassment. The University is not responsible for transmissions which are libelous or defamatory.

4. A user's password is the key to the E-mail network and as such users are advised that they are responsible for the security of their respective password. There are major risks when a user's password is known to others. Transmissions made using that password are assumed to be initiated by the password's user, though managers of E-mail systems who investigate complaints shall not automatically assume that the author of an offending transmission is the password's user.

5. It is not the intent of this regulation to interfere with private communications between individuals.

6. E-mail managers and network system administrators are expected to treat the contents of electronic files as private and confidential. Any inspection of electronic files, and any action based upon such inspection, shall be governed by applicable federal and state laws and by University policies.

Article III.
Sanctions for Violations

Complaints by any user receiving electronic transmissions through Data General, Microsoft Mail, and existing VAX services may be submitted to any manager of a major E-mail system or directly to the University Operations Vice President's Office. An E-mail manager will investigate the complaint and make a determination on its validity. If a violation did occur the E-mail manager shall inform the employee's immediate supervisor and make a recommendation to implement one of the following sanctions. Severity of the sanction is dependent on the nature of the violation and history, if any, of past violations. The employee's supervisor has five work days in which to approve, and or modify, the E-mail system manager's recommendation. If no action occurs the E-mail manager's recommendation is forwarded to the University Operations Vice President for disposition.

SANCTIONS - DEPENDENT ON SEVERITY OF VIOLATION AND/OR HISTORY OF PAST VIOLATIONS

* Verbal warning.
* Discipline pursuant to appropriate collective bargaining or other employment regulations; discipline pursuant to appropriate student conduct codes.
* Warning letter to the violator formally notifying of additional sanctions if violations continue.
* Suspension of electronic mail privileges for five work days. The user would continue to receive electronic mail but would not be able to read it until after the suspension of privileges is lifted and a new electronic mail password is issued by the appropriate E-mail manager.
* Penalty consistent with federal or state law and/or employee collective bargaining agreements. (Could involve referral of matter to criminal authorities.)

APPEALS

Applicable appeal procedures may be implemented consistent with employee bargaining unit contracts or student conduct codes.

Article IV.
Electronic Mail Oversight Team

The "Electronic Mail Oversight Team" shall review e-mail practices, procedures and policies and may make recommendations for improvement to the Vice President for University Operations. The ten member oversight team includes the managers of these major e-mail systems:

* University Operations server (Microsoft Mail)
* P.E.T. server (Microsoft Mail)
* Student Develop. Prgms. & Activities server (Microsoft Mail)
* MSUS/PALS servers (Microsoft Mail)
* College of Science, Eng. & Tech. server (Microsoft Mail)
* Krypton server (Academic DEC with Unix Operating System)
* AS/400 server (Academic IBM System)
* MSMail 4,5,6,7,8, Computer Svcs., ACTS, Admin., MSU Academic, & Memorial Library servers (Microsoft Mail)
* VAX1 server (MSU Academic VAX)
* Data General server

The team shall be convened at least twice annually and chaired by a member elected by and from among the panel members.

Article V. Confidentiality and/or Privacy

Users are advised that the privacy of data stored or sent on the system cannot be guaranteed; furthermore, there are a number of circumstances in which data stored on the system will be accessed by authorized individuals. Those circumstances include, but are not limited to, the following:

* Performing administrative tasks, such as: identifying and pursuing breaches of security mechanisms; maintaining the integrity or operational state of the E-mail and related computer systems; collecting aggregate data; etc. The individual authorizing any search of a user's data must have reasonable grounds for suspecting that the search will reveal evidence that the user has violated a specific University, Higher Education Board policy, state or federal law, or has committed work related misconduct. The search of a user's data must be reasonably related in scope to the suspicion which generated this search.
* Monitoring use of the E-mail and related computer systems to determine whether the policies of the University, Higher Education Board, and/or state or federal law have been broken.
* Monitoring use of the E-mail and related computer systems when it is necessary so that the University can provide its services or protect the rights or property of the University.

Meet and Confers Held                 Date Proposal Submitted/Reviewed

IFO Faculty Association               September 14, 1995 and October 12, 1995
MSUAASF Meet and Confer               September 18, 1995 and October 16, 1995
Classified Employee Meet and Confer   September 28, 1995
Student Association Meet and Confer   October 12, 1995

Approved _____________________________________________ ___________________
         Mankato State University President            Date

Document signed by Richard R. Rush on 1/30/1996

------------------------------

Date: Tue, 20 Aug 1996 09:18:16 -0700 (PDT)
From: "Carl M. Kadie" <kadie@eff.org>
Subject: File 2--Commends requested on Mankato "email" policy

I've never seen such a contradictory academic policy. It says that "private" use is allowed, but that "personal" use is banned. It says that academic freedom principles prevail, but that political use is banned. It says that searches must be based on "reasonable grounds for suspecting that the search will reveal evidence that the user has violated a specific [policy]", but also allows general suspicionless "monitoring use of the E-mail [...] to determine whether the [policies] have been broken."

[There must be a very interesting story about the creation of a policy that contradicts itself in alternating paragraphs.]

In any case, I believe the policy as it stands is illegal because:

It is unconstitutionally vague (and contradictory). There is no way that a reasonable person could know if he or she was violating the policy.

It applies employment rules to students. Students are not employees. (As the U. of Wisconsin and U. of Michigan found out in federal court).

It bans protected political speech.
As the ACLU letter to Princeton pointed out, political speech not on behalf of the university can not be singled out for censorship.

It seems to authorize illegal searches.

Why all this trouble? I'm sure the University already has general rules for speech via University resources, media, forums. Don't make email a second-class citizen, treat the same as traditional forums.

- Carl

ANNOTATED REFERENCES

(All these documents are available on-line. Access information follows.)

=================
law/political-speech (ftp://ftp.eff.org/pub/CAF/law/political-speech)
=================
* Expression -- Academic - Political Speech

A letter from the ACLU to Princeton University explaining why a ban on on-line political speech is unnecessary and perhaps illegal.

=================
faq/email.privacy (http://www.eff.org/CAF/faq/email.privacy.html)
=================
* Email -- Privacy

q: Can (should) my university monitor my email?

a: Ethically (and perhaps legally) email communications should have ...

=================
faq/email.policies (http://www.eff.org/CAF/faq/email.policies.html)
=================
* Email -- Policies

q: Do any universities treat email and computer files as private?

a: Yes, many universities treat email and computer files as private. ...

=================
=================

If you have gopher, you can browse the CAF archive with the command

   gopher gopher.eff.org

These document(s) are also available by anonymous ftp (the preferred method) and by email.
To get the file(s) via ftp, do an anonymous ftp to ftp.eff.org, and then:

   cd /pub/CAF/law
   get political-speech
   cd /pub/CAF/faq
   get email.privacy
   cd /pub/CAF/faq
   get email.policies

To get the file(s) by email, send email to ftpmail@decwrl.dec.com
Include the line(s):

   connect ftp.eff.org
   cd /pub/CAF/law
   get political-speech
   cd /pub/CAF/faq
   get email.privacy
   cd /pub/CAF/faq
   get email.policies

------------------------------

Date: Mon, 19 Aug 1996 05:29:19 -0700 (PDT)
From: Declan McCullagh <declan@eff.org>
Subject: File 3--DOJ homepage hacked!!!

((MODERATORS' NOTE: To see what the DoJ page looked like during the "hack," point your browser to:
   lynx http://www.doobie.com/~baby-x/usdoj ))

---

From--"L. G. Shirley" <lgshirley@mail.worldnet.att.net>
Date--17 Aug 1996 22:47:59 GMT

About 10PM last night I clicked on my bookmark for the Federal Gov't and then selected, by random, the Dept of Justice.

http://justice2.usdoj.gov/

SURPRISE!!!!!!!!!!

Someone had made a few changes. For one it is now called the Department of Injustice. You are immediately greeted by the Nazi swastika all over your screen's background. A flag w/the symbol is apparent. George Washington's picture is captioned with his words, "Move my grave to a free country! This rolling is making me an insomniac".

Janet Reno's portrait has been replaced by Hitler's. And a flag now bears the Nazi symbol. She is now called Attorney General Fuhrer.

There is plenty of nudity and the many links will take you to places you may never have been before. I don't think we're in Kansas anymore Toto!

I have no clues how it was done or when. My guess is someone changed all the links to the DOJ page to another one, the one you see when you click on the DOJ's homepage.

I worked today and when I came home and tried to get back to the DOJ's page, no luck. Must be a major overload <grin> of people trying to get to the link of women clad in, well, next to nothing and tied with rope!
I don't think the author will make any brownie points w/women. He hacked the homepage they have w/the DOJ on violence against women. I'm not condoning such action and violence is a very serious issue but whoever did the hack was also very serious. He changed a Clinton speech on affirmative action and insulted blacks with his choice of words.

There is a lot of rambling about the internet and the Gov't taking away our rights on it. The author has an interesting slant on things.

This should be enough of a warning if you're easily offended by racism, hate, foul language, porn on the net, and general crudeness. Don't go there.

I would like to know just how this was done, any ideas? Is it that easy to hack someone's homepage? I wonder how long it'll be before this homepage link is removed and can they find who did the evil deed?

Two months on the Net and just when I think I'd seen it all, wow.

------------------------------

Date: Mon, 19 Aug 1996 04:49:58 -0700 (PDT)
From: Declan McCullagh <declan@eff.org>
Subject: File 4--Re: USDOJ Hacked

....<intro deleted -- cud>

August 18, 1996

Hacker Vandalizes Web Site Of U.S. Justice Department

By JOHN O'NEIL
The New York Times / National News

WASHINGTON -- A computer hacker vandalized the Internet home page of the Department of Justice on Friday night, posting obscenities and anti-government graffiti, a department official said Saturday.

The Justice Department's site on the World Wide Web was shut down early Saturday after members of the public called to report that the site had been altered, apparently by a hacker or hackers who posted Nazi insignia, nude photographs and an attack on the Communications Decency Act.

A department spokesman, Joe Krovisky, said that the site would remain off line while the department's technical experts assess its security.
Krovisky said that the system the hacker broke into was separate from the department's internal computer system, which contains highly sensitive information about criminal cases and investigations.

"There's no way that the internal department information could have been affected" by a hacker who gained access to the information presented on the web site, he said. "That would have been impossible."

The hacker replaced information on the home page with obscenities, graffiti and anti-government statements, he said, but declined to give details.

The Associated Press reported that the site's title had been changed to "United States Department of Injustice," next to a red, black and white flag bearing a swastika. The text of the page was written over a background of gray swastikas, and at the top declared in red letters: "This page is in violation of the Communications Decency Act."

The page included color pictures of George Washington, Adolf Hitler, who is identified as the attorney general, and a topless Jennifer Aniston, one of the stars of NBC's "Friends," the Associated Press said. Other sexually explicit images were also shown.

[...]

------------------------------

Date: Sun, 18 Aug 1996 23:25:50 -0400 (EDT)
From: Noah <noah@enabled.com>
Subject: File 5--Microsoft Acknowledges Flaw in Internet Browser

From -Noah

---------- Forwarded message ----------
Date--Sun, 18 Aug 1996 13:00:21 -0500
From--Frosty <sotmesc@datasync.com>

The Sun Herald
18 August 1996

MICROSOFT ACKNOWLEDGES FLAW IN INTERNET BROWSER

Redmond, Wash. - Microsoft Corp.'s Internet Explorer 3.0, its much-promoted new software for browsing the Internet, has a flaw that affects its performance on some World Wide Web sites, a company executive says.

The new version of the browser launched Monday to compete with Netscape Communications Corp.'s Navigator, had been downloaded for free by more than 100,000 people by Friday, said Bill Koszewski, a Microsoft product manager.
The flaw is a bug in the software that will slow users trying to access certain Web sites that require their name and a password, he said.

-Commentary: Isn't this the same standard of slipshod performance that the world expects from Microsoft ?!?!

------------------------------

Date: Mon, 19 Aug 1996 14:47:59 +0000
From: e.tan@UCL.AC.UK(Emerson Tan)
Subject: File 6--Re: Cu Digest, #8.60--Sun, 18 Aug 96

Re: CuD 8.60 File 6--UK ISPs Restrict cyberporn

>
>U.K. INTERNET PROVIDERS PLAN TO RESTRICT CYBERPORN
>

This issue seems to have finally pointed out to the public in the UK just how difficult it is to stamp out internet pornography. It has also pointed out a major deficiency in the legal systems of the nations that are on the net, namely that of cross border legislation. Without some kind of cross border legislation it is impossible to control this kind of crime. It is up to the governments and judicial systems of the nation where these criminals reside to adequately prosecute those that distribute illegal porn.

The problem is that currently those in authority still view this as a technical problem for which there is an easy cheap technical fix. Indeed there is a technical fix, but it runs counter to the entire idea of the net and can be used for all manner of control purposes. This is to put the entire nation behind a firewall as in the case of Singapore. But still the possibility exists that illegal communications links could spring up using such things as satellites and dial up modems, both legitimate communications technologies which are hard to regulate, without being perceived as being excessive.

In short there is no other solution but to prosecute purveyors of offensive materials 'in real life' and the burden for this task falls on the judiciaries of the world.
It also calls for unprecedented co-operation of law enforcement agencies of the world, rather than increased pressure on the internet service providers which will only serve to put in place legislation which could ultimately snuff out the cosmopolitan nature of the net, replacing it with a bland set of corporate offerings.

------------------------------

Date: Thu, 21 Mar 1996 22:51:01 CST
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 7--Cu Digest Header Info (unchanged since 7 Apr, 1996)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

     SUBSCRIBE CU-DIGEST

Send the message to: cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA.

To UNSUB, send a one-line message: UNSUB CU-DIGEST
Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (860)-585-9638. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.

EUROPE:
   In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown)
   Brussels: STRATOMIC BBS +32-2-5383119 2:291/759@fidonet.org
   In ITALY: ZERO!
   BBS: +39-11-6507540
   In LUXEMBOURG: ComNet BBS: +352-466893

UNITED STATES:
   etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD
   ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
   aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
   world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
   wuarchive.wustl.edu in /doc/EFF/Publications/CuD/

EUROPE:
   nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
   ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the Cu Digest WWW site at:
   URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

------------------------------

End of Computer Underground Digest #8.61
************************************