Computer underground Digest    Sun  Jan 5, 1997   Volume 9 : Issue 02
                           ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Shadow Master: Stanton McCandlish
       Field Agent Extraordinaire:   David Smith
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #9.02 (Sun, Jan 5, 1997)

File 1--Re: FBI Law & Enforcement Bulletin gulled by 'Net joke (fwd)
File 2--The First 10 Seconds After The Big Bang
File 3--Re: File 3--EDITORIAL: Troubles On The Net...
File 4--Re: "News.groups reform"
File 5--Teen Takes on CYBERsitter (From NetAction Notes #10)
File 6--CWD--Howling at the Moon
File 7--The CyberSitter Diaper Change, from The Netly News
File 8--[krb5] krb5 v1.0 is released (fwd)
File 9--Cu Digest Header Info (unchanged since 13 Dec, 1996)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sat, 28 Dec 1996 12:18:48 -0600
From: jthomas2@SUN.SOCI.NIU.EDU(Jim Thomas)
Subject: File 1--Re: FBI Law & Enforcement Bulletin gulled by 'Net joke (fwd)

Original source comp.virus newsgroup:
From George Smith (crypt@sun.soci.niu.edu)

----------------

In article <0001.01IDI7A9OVTK72PNOH@csc.canterbury.ac.nz you write:

From the pages of Crypt Newsletter 40:

Most wanderers of the Internet are familiar with the running joke concerning computer viruses with names of celebrities, politicians or institutions. The names and satirical content evoke a momentary smile or groan. For example:

"Gingrich" randomly converts word processing files into legalese often found in contracts. Victims can combat this virus by typing their names at the bottom of infected files, thereby signing them, as if signing a contract.

"Lecture" deliberately formats the hard drive, destroying all data, then scolds the user for not catching it.

"Clinton" is designed to infect programs, but it eradicates itself when it cannot decide which program to infect.

"SPA" examines programs on the hard disk to determine whether they are properly licensed. If the virus detects illegally copied software, it seizes the computer's modem, automatically dials 911, and asks for help.

However, editors and writers for the Federal Bureau of Investigation's Law and Enforcement Bulletin, published monthly out of the organization's training academy in Quantico, Virginia, apparently think they are real.

Writing in the December issue of the magazine, David L. Carter, Ph.D., and Andra J. Katz, Ph.D., respectively professors at Michigan State and Wichita State, cite them as real examples of "insidious" new computer viruses in the magazine's feature article entitled "Computer Crime: An Emerging Challenge for Law Enforcement."

The authors seem to genuinely believe these computer viruses are in circulation, even to the point of citing the "Clinton" joke again in a paragraph attempting to explain the motivations of virus-writing, would-be system saboteurs.

"Some employees could be motivated to infect a computer with a virus simply for purposes of gamesmanship. In these cases, the employees typically introduce a virus to play with the system without intending to cause permanent damage, as in the case of the 'Clinton' virus."

Put in perspective, this is similar to reading a scientific paper on the behavior of elephants and suddenly running across a section that straightforwardly quotes from some elephant jokes as proof of what pachyderms really do when wandering the African veldt.

Alert reader Joel McNamara hipped Crypt News to this Law & Enforcement Bulletin gem and wrote:

"The two researchers with the Dr. in front of their names seem to be totally clueless that this was a tongue-and-cheek joke that is still floating around the 'Net. If they did know it was humor, they made no effort to inform readers - [readers] I highly doubt are technically adept enough to recognize it.

"It's really telling that the world's lead law enforcement agency allows these types of inaccuracies to be widely distributed to police departments and agencies.

"Unfortunately, to me this is another example of the credibility problem the FBI has when it comes to dealing with computer related issues."

Neither authors nor editors of the Law and Enforcement Bulletin could be immediately reached for comment.

The FBI's curious article can be found off the FBI home page on the Web: http://www.fbi.gov/leb/dec961.txt .

This and the usual tales of computer-mediated intrigue, crime, shame and corporate assholio will be up for grabs in Crypt News 40, posted on my page sometime between Christmas and the coming of the new year.

George Smith
http://www.soci.niu.edu/~crypt

------------------------------

Date: Thu, 26 Dec 1996 19:20:12 -0500
From: PJNeal4176@AOL.COM
Subject: File 2--The First 10 Seconds After The Big Bang

The first 10 seconds after the big bang.

A recent piece on The News Hour With Jim Lehrer (December 25, 1996) discussed the Internet, the past year and how it was affected by the Internet, and the growth of the Internet. The moderator was joined by Cliff Stoll, writer, astronomer; a representative of Amazon.Com, a Mr. Bezos; Steven Levy, writer; and another woman, who I, with much embarrassment, can not remember the name of and she was possibly the most intelligent and level minded person in the group.

The host started out talking about pornography and the Internet, and the woman conveyed the fact that porn was also in the bookstores and on street corners, and people could get it there.
The host, in agreement, stated that it was on the Internet, but not thrust over the modem and onto people's laps. She agreed.

Next, the host started talking to Mr. Levy, and when he was about 10 seconds into his response, interrupted him to ask what E-Mail was (for those people who were unfamiliar with the term...) I would say that was more for people who have been living under a rock for the last year plus.

Mr. Stoll, a man whose work has taken him from the leading edge of technology, to the point where he is now: Left out to technologically die. He is now criticizing the Internet, what can be found on it, and what it is used for. (Because I can't fully portray Stoll's views, I would suggest you read his book, Silicon Snake Oil, ISBN 0-385-4193-7)

Mr. Bezos, the rep from Amazon.Com (www.amazon.com) was, in my view, not really needed. He seemed to distract from the main idea, and only offered a view into the business side of the Internet.

One good conversation was started on the CDA, and the government's attempts to control free speech and the Internet. I feel that if the government is going to play with fire, they had better be prepared to be burnt.

All in all, I feel that the News Hour embarrassed themselves and tarnished their reputations with this story, and needs to try harder. I will be entering the work force in a few years, and I hope to work in a technology-based company. If the masses fear this technology, which will come about from shoddy reporting, I fear that I will not have any technology left to work with.

I welcome any comments to my E-Mail address, and I will respond to them in full.

pjneal4176@aol.com

------------------------------

Date: Fri, 20 Dec 1996 00:26:23 +0000
From: Joe Clark <jclark@supernet.net>
Subject: File 3--Re: File 3--EDITORIAL: Troubles On The Net...

> For instance, the Philadelphia Inquirer's article goes on to say
> "In an ongoing investigation that has produced 80 arrests and 66
> convictions over the last three years, the FBI last week raided the
> homes of Internet users suspected of downloading child pornography
> in 20 cities in its crackdown on kiddie porn that is being
> transmitted via online services and the Internet." And for that
> effort, I must say that this is one good thing that the government
> is doing in respect to the Internet.

I'm not sure how much of a benefit these public servants have provided us. I think that same "Inkwire" article compared the 'net community to a small country (40-50 million, I think?). One has to wonder how the arrest rate for this horrific crime spree -- what's that, 0.0002%? -- compares with that of the offline population.

As is often the case, law enforcement goes after the high-visibility stuff because that keeps the public off their backs and makes great fodder for budget requests.

------------------------------

From: Rich Graves <rcgraves@IX.NETCOM.COM>
Subject: File 4--Re: "News.groups reform"
Date: Thu, 05 Dec 1996 23:39:48 -0800

CU Digest #8.84 carried an article by Stanton McCandlish to which my response can be summarized as:

YHBT. HAND.

Stanton completely misunderstands Chris Stone's proposal for news.groups reform, its context, its prospects, and the reasons Paul Kneisel posted it to Cu Digest. It is always sad when a respected net.personality betrays his wilful ignorance.

Had Stanton visited news.groups, he would have known that Chris Stone's proposal had been retracted weeks before Paul posted it to Cu Digest; that Russ's alternative proposals are the subject of healthy discussion; that Paul's posting of Chris's proposal is best viewed in the context of unreasonable personal attacks on Chris Stone; and that Paul Kneisel doesn't exactly share Stanton's views on the rec.music.white-power troll.
Had Stanton had an advanced level of familiarity with Chris Stone, he would have recognized his self-deprecatory sarcasm, where appropriate.

This thread is an excellent demonstration of the folly and danger of blind-forwarding articles where they are likely to be taken totally out of context, and where the author is unlikely to respond. As a further demonstration, I'll post Stanton's article to news.groups, where I expect it to be ridiculed quite severely. I am also Cc'ing this post to Stanton prior to publication in Cu Digest, a courtesy he apparently did not extend to Chris Stone.

If you want to discuss news.groups, I would suggest, well, news.groups.

>It would have been easy for me to just ignore this whole proposition,
>since it will never fly and I have better things to do.

With this sentence I agree. You have a lot of things to do; please don't make a fool of yourself, because I know you're not.

------------------------------

Date: Sat, 21 Dec 1996 00:24:47 -0800 (PST)
From: Audrie Krause <akrause@igc.apc.org>
Subject: File 5--Teen Takes on CYBERsitter (From NetAction Notes #10)

Source - NetAction Notes No. 10

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Published by NetAction          Issue No. 10         December 21, 1996
Repost where appropriate. Copyright and subscription info at end of message.
~~~

Teen Takes On CYBERsitter

For the past couple of months, I have been corresponding with Bennett Haselton, the 18-year-old founder of Peacefire.org, which is a teen cyber-rights organizing project on the Web <http://www.peacefire.org>. The average age of Peacefire's membership is 15. Bennett is a junior at Vanderbilt University, where he is majoring in computer science and math.

I met Bennett in cyberspace when he contacted me to ask what I thought about the IGC and NOW Web sites <http://www.igc.org> and <http://www.now.org> being blocked by CYBERsitter, a software program marketed by Solid Oak Software as a way to "protect" children from pornography on the Internet. Along with several other activists, I offered advice and encouragement to Bennett in drafting a letter of protest from representatives of the political and advocacy organizations whose Web sites were being blocked.

When company officials learned that Bennett had posted information critical of CYBERsitter on the Peacefire Web site, they responded to his communication by suggesting he "Get a Life" and "hang out at the mall with the other kids." When that didn't discourage him, Solid Oak Software blocked Peacefire's domain and threatened to sue him.

Bennett's experience is a good example of how activists can use the Internet for rapid mobilization around an issue.

After Bennett notified me that a story about his dilemma was published by HotWired, <http://www.wired.com/news/story/901.html> I posted an alert about his predicament to several discussion lists that focused on cyberspace censorship and cyber-rights issues.

Not long after the alert went out, activists from all over the United States began sending E-mail letters of protest to Solid Oak Software CEO Brian Milburn <bmilburn@solidoak.com>. The letters ran the gamut from politely-worded criticism to flames.

Meanwhile, Bennett contacted attorneys at the ACLU, <http://www.aclu.org> the Electronic Privacy Information Center, <http://www.epic.org> and the Electronic Frontier Foundation <http://www.eff.org>. Mike Godwin of EFF quickly assured Bennett that he would represent him in the event Solid Oak followed through with the threatened lawsuit. And Ann Beeson invited Peacefire to participate as a plaintiff in the ACLU's challenge to New York state's version of the Communications Decency Act.

Could this level of support have been mobilized as quickly without the Internet? Perhaps -- but it isn't likely. Free speech advocates rallied to the cause quickly because a community of people with an interest in the issue were already connected online through E-mail discussion and alert lists.

Free speech advocates are ahead of the curve on using the Internet for activism because they organized around the unsuccessful effort to defeat enactment of the Communications Decency Act (CDA) provision of the Telecommunications Reform Act of 1996. But activists working on other issues are quickly catching up.

E-mail discussion and alert lists are one of the most powerful tools available for mobilizing support. And as more people go online, it will become an even more important tool for organizing and outreach.

As for Bennett, who had just turned 18 when Solid Oak threatened to sue him, speaking out about CYBERsitter has been a lesson in real-world politics.

Bennett credits online news reports by Brock Meeks and Declan McCullagh, and Jon Katz's article in Wired magazine on the rights of children in cyberspace, for sparking his interest in CYBERsitter and other blocking software programs.

"Our organization was not founded on the principle of attacking blocking software," he told me when I asked what he had learned from the experience. "We started out as some lame 'young people for freedom of speech on the Internet' type of thing, and even someone on fight-censorship (an online discussion list) referred to us as a 'junior EFF' once -- I think meaning it as a compliment."

When the CYBERsitter issue came up, Peacefire's members were asked to speak up if they didn't want to see the organization move in that direction. "In the end," Bennett said, "when we discovered the *kind of sites* that were blocked by Cyber Patrol and CYBERsitter, most members were convinced that more should be said publicly against this type of software."

Thanks in large measure to Solid Oak's astonishingly belligerent response to this teen cyberspace activist, much more *has* been said.

================
For more information about NetAction, contact Audrie Krause:
E-mail: akrause@igc.org * Phone: (415) 775-8674 * Web: http://www.netaction.org
Or write to: NetAction
             601 Van Ness Ave., No. 631
             San Francisco, CA 94102

------------------------------

Date: Fri, 20 Dec 1996 11:49:41 -0800 (PST)
From: "Brock N. Meeks" <brock@well.com>
To: fight-censorship@vorlon.mit.edu
Subject: File 6--CWD--Howling at the Moon

CyberWire Dispatch // Copyright (c) 1996 // December 20

Jacking in from the "Your Agenda is Showing" Port:

Washington -- It's a long held maxim that technology is "agenda neutral." Until now.

As an earlier Dispatch investigation proved, the so-called "blocking software" industry, praised for enabling parents, teachers and corporations to block porn from being sucked into the computers of those trolling the Web, often comes with a shrink-wrapped, encrypted agenda in the form of the database of web sites and newsgroups these programs actually block.

Porn sites aren't the only ones blocked. Sites with decided political or activist agendas, such as the National Organization for Women (NOW) or animal rights groups, also are blocked. Trouble is, these blocking software programs don't make this known to the user.

For some companies, shedding a spotlight on their underlying agenda, makes them sweat bullets or foam at the ascii mouth. Such is the case with Brian Milburn, president of Solid Oak Software, developer of an insipidly named blocking program called "Cybersitter."

When confronted with his agenda ridden software, Milburn isn't shy about it, indeed, he was outright indignant when he originally told Dispatch: "If NOW doesn't like it, tough... We have not and will not bow to any pressure from any organization that disagrees with or philosophy."

So when Bennett Haselton decided to put a sharp edge on this subject by focusing on Cybersitter with laser like precision, Milburn went off the charts.

Milburn wrote to Media3, the ISP that houses Haselton's website <www.peacefire.org>, saying he was adding the entire domain of Media3 to the Cybersitter blocking database, in order to keep anyone using his company's product from gaining access to Haselton's article.

Milburn ranted to Media3 that Haselton had made it "his mission in life to defame our product" exhibiting "extreme immaturity," by "routinely" publishing names of sites blocked by Cybersitter. Milburn claimed that Haselton may have "illegally reversed engineered" the Cybersitter database.

Milburn has threatened legal action. Haselton, however, found a white knight. After hearing about Milburn's actions, Mike Godwin, legal counsel for the Electronic Frontier Foundation, decided to represent him.

In an Email to Wired News correspondent Rebecca Vesely, who wrote about Milburn's beef with Haselton, Milburn said he was swamped with "geek-mail" from Wired News' "loyal following of pinhead idiots."

Milburn characterized Haselton, "an aspiring felon" and said that he had confirmation that Haselton was the "ghost writer" for the original Dispatch article that broke the story of the hidden agendas in blocking software.

All this bluster over Haselton, an 18-year-old with too much time on his hands.

If right about now you're thinking that Milburn should pick on someone his own size, well, he's already "been there, done that" and got his ass kicked in the process.

You see, after the first Dispatch article, Milburn sent us a saber-rattling Email. His Aug. 15th Email claimed that "your willful reverse engineering and subsequent publishing of software code is a clear violation" of copyright law. And although he claimed he was sure he could win a case in civil court, he was instead seeking "felony criminal prosecution" by going to the FBI with his beef.

I referred Milburn to my lawyers at Baker & Hostetler, who promptly pointed out that Dispatch hadn't been the one to hack the cybersitter database. Further, our article was "protected by the full force of the First Amendment," our lawyers said. And because Dispatch only published "fragments" of the Cybersitter database (a word used first by Milburn in his own threatening letter), such publication "fits squarely within the fair use provisions" of the copyright act, our lawyers reminded Milburn.

Finally, Milburn was left to chew on this: "If you persist in accusing [Dispatch] falsely of copyright infringement and if you proceed with your ill-conceived threat to encourage the FBI to commence activities... you should understand that, unless the information you provide is accurate and complete, you and your firm may be incurring liability of your own."

Not a peep has been heard from Milburn since he received that letter, until he decided to pick on the kid.

Milburn is apparently operating in some alternative reality. His so-called "confirmed sources" about Haselton "ghost writing" our original story are utterly false. Haselton had nothing to do with our article. Dispatch obtained the cracked code of Cybersitter and the other programs we mentioned from an entirely different source.

Haselton did nothing but build on the work of our original story, but never wrote a single word of the article nor did he provide us with the hacked databases.

All of Milburn's heartburn has me confused. Rather than try and slay Haselton, he should pay him for the right to reprint his article and findings. Milburn makes no apologies for his agenda; indeed, he is proud that one of his major distributors is "Focus on the Family" a conservative Christian organization. And for people that brook with the conservative, straight-arrow family values ideals that Focus on the Family advocates, Cybersitter is the perfect fit.

Indeed, this is the free market working at its best.
Products spring up in direct response to demand. Cybersitter fits that model for a particular segment of the society. You may not like it; I certainly wouldn't use a product with this built in agenda, but nobody is making us buy it.

You would think that Milburn would eat up such "negative" press and wear it like a badge of honor. But he is too petty; too small minded. And when he discovers that Haselton did nothing more than run Cybersitter through its paces, much the same way that a reviewer for a computer magazine might, and then report the findings, he'll have nobody left to harass.

I hope he doesn't have a dog he can kick...

Have a Merry Christmas, Mr. Milburn. Peace on Earth, Good Will to Men.

Meeks out...

------------------------------

Date: Fri, 20 Dec 1996 12:53:58 -0800 (PST)
From: Declan McCullagh <declan@well.com>
Subject: File 7--The CyberSitter Diaper Change, from The Netly News

Source - fight-censorship@vorlon.mit.edu

[From this morning's Netly News. Check out the HTML version of the article at netlynews.com for links to the threatening letters, etc. --Declan]

The Netly News
http://netlynews.com/
December 20, 1996

The CyberSitter Diaper Change
By Declan McCullagh (declan@well.com)

Brian Milburn is angry. The president of Solid Oak Software, makers of the CyberSitter Net-filtering software, has seen his company's product come under heavy fire this year. Its offense? Critics say that CyberSitter has reached far beyond its mandate of porn-blocking and instead has censored innocuous, even invaluable web sites.

I admit I'm one of its critics. In a CyberWire Dispatch that Brock Meeks and I published in July, we revealed that the censorware bans such places as the International Gay and Lesbian Human Rights Commission and the online home of the National Organization for Women. Our Dispatch showed the world -- or at least our readers -- that the makers of CyberSitter have a clear political agenda.

The article prompted follow-ups in CyberTimes and the National Law Journal and an editorial in the Washington Post with an exchange of letters to the editor between a NOW executive and a representative of Focus on the Family, a conservative group that markets CyberSitter.

To Milburn's mind, our act of revealing the truth about his company's product was, literally, criminal. In August, he told us that he had asked the U.S. Department of Justice to launch a criminal investigation into the publication of our article. He was particularly upset with one paragraph that included a fragment of his database demonstrating that CyberSitter expressly bans info about gay society and culture. He wrote:

"Your willful reverse engineering and subsequent publishing of copyrighted source code is a clear violation of US Copyright law. While we would easily prevail in a civil court in seeking damages... we will seek felony criminal prosecution under 17 USCS sect 503(a) of the Copyright Act, and are preparing documentation to submit with the criminal complaint to FBI [sic]."

Milburn was upset because CyberSitter's database is scrambled to prevent kiddies from grabbing addresses of porn sites from it. It's lightweight encryption, sure, but just enough to frustrate Junior. The scrambled database also allows Solid Oak to add and delete banned sites without the user's knowledge -- something that we believe is a dangerous practice. Now, I should point out here that neither I nor Brock did the actual decrypting; we had received a copy of the descrambled filter list from a confidential source.

In any event, Dispatch's attorneys replied to Milburn, saying that the article was "protected by the full force of the First Amendment to the United States Constitution" and fell squarely within the copyright act's "fair use" provisions. We never heard back from him or the FBI.

But that nastygram from Milburn wasn't his last.
As criticism of CyberSitter becomes more intense, he's stepped up his counterattacks, threatening legal action, blocking critics' sites, or both.

Take Bennett Haselton, a college student who cobbled together a site called Peacefire in August. This fall he started an anti-CyberSitter page that listed some of the more controversial actions of the software.

Milburn complained. On December 6 he wrote to Haselton's Internet provider, Media3 Technologies, and tried to persuade them to give Peacefire the boot. His e-mail said: "One of your subscribers has made it his mission in life to defame our product as he appearantly [sic] has a problem with parents wishing to filter their children's access to the internet." Another charge was that Haselton had linked to a copy of our Dispatch.

Solid Oak then added Peacefire and Media3 to its list of blocked sites. To Marc Kanter, Solid Oak's marketing director, it was necessary. "The site directly has links to areas that have our source code decoded on it.... There's no reason that our users should be able to go to sites that effectually inactivate our program," he said.

Milburn also accused Haselton of reverse-engineering CyberSitter to get the text of its database -- that is, of being the confidential source for the CyberWire Dispatch. "Reverse engineering had to have been done in order to get the information, and we believe Mr. Haselton was the one who did it," Milburn wrote.

Note to Milburn: Haselton wasn't our source.

Then there's the case of Glen Roberts. His web page giving instructions on how to disable CyberSitter is now banned -- as is his Internet service provider. That's because CyberSitter differs from its competitors CyberPatrol and SurfWatch, which can restrict access by URL; instead, CyberSitter has to block access to the entire ripco.com domain.

So what's my problem, really? If people don't want to use CyberSitter or other nanny apps, they don't have to. It's voluntary. It's effective.
It protects children, and it sure is better than the Communications Decency Act.

I have one major objection to all of the software filters currently on the market: Consumers have no way of knowing what's being blocked. Without knowing what's on the filter list, parents can't know what Junior will or won't be seeing. When reporters who try to reveal that information are faced with potential criminal investigations, the press's ability to shed light on these companies is threatened.

Such programs also give parents near-complete control over what their children can and can't read. Traditionally, kids have been able to browse the stacks of a library away from parental supervision. But when the library is online, access can be completely controlled by censorware. Pity the closeted gay son of homophobic parents, prevented by CyberSitter from accessing soc.support.youth.lesbian-gay-bi.

Finally, it's a kind of intellectual bait-and-switch. The "smut blockers" grab power by playing to porn, then they wield it to advance a right-wing, conservative agenda. Family values activists would never have been able to pass a law that blocks as many sites as CyberSitter does. Besides censoring alt.censorship, it also blocks dozens of ISPs and university sites such as well.com, zoom.com, anon.penet.fi, best.com, webpower.com, ftp.std.com, cts.com, gwis2.seas.gwu.edu, hss.cmu.edu, c2.org, echonyc.com and accounting.com.

Now, sadly, some libraries are using it. Solid Oak claims 900,000 registered users.

------------------------------

Date: Fri, 20 Dec 1996 15:42:13 -0500 (EST)
From: "noah@enabled.com" <noah@enabled.com>
Subject: File 8--[krb5] krb5 v1.0 is released (fwd)

From -Noah

------- start of forwarded message (RFC 934 encapsulation) -------
From--"Theodore Y. Ts'o" <tytso@MIT.EDU>
Date--Fri, 20 Dec 1996 12:32:00 -0500

At long last, the MIT Kerberos Team is proud to announce the availability of MIT Kerberos V5 Release 1.0.
This release includes everything you need to set up and use Kerberos, including:

* The Kerberos server.
* A full-featured Kerberos administration system, including support for password policies.
* Secure, encrypting versions of common network utilities: telnet, rlogin, rsh, rcp, ftp.
* All the libraries needed to integrate Kerberos security into new applications: GSS-API libraries, Kerberos 5 libraries, cryptographic algorithms, and more.

This release is available both as source code and as pre-built binary distributions for a number of Unix platforms. To retrieve either the source or binary distributions, visit our new Kerberos web page: http://web.mit.edu/kerberos/www/index.html. (See below for instructions on obtaining the source distribution via FTP.)

Warning: We are providing binary distributions for this release as a convenience to sites that are interested in experimenting with Kerberos for the first time, without needing to build it all from source. However, in general it is a very bad idea to run security software that you've downloaded from the net, since you have no way of knowing whether someone has left any "surprises" behind. If you are going to be using Kerberos V5 in production, we strongly recommend that you get the Krb5 sources and build the Krb5 distribution yourself.

MIT Kerberos V5 1.0 has been tested on at least the following platforms:

* Digital Unix (OSF/1) 3.2
* Digital Unix (OSF/1) 4.0
* HPUX 10
* FreeBSD 2.1 (i386)
* Netbsd 1.x (i386, m68k, and sparc)
* Linux 2.x (i386)
* Ultrix 4.2
* Irix 5.3
* AIX 3.2.5
* SunOS 4.1
* Solaris 2.4
* Solaris 2.5.1

The Macintosh port is now fully functional, although the UI still leaves much to be desired. This will be the focus of future work on this platform.

The Windows 16 port is also fully functional, although one major (but obvious and easy to correct) bug crept in at the last minute. (See our known bugs web page for more details.)
One major difference from the previous Beta releases is that the DLL has been renamed from LIBKRB5.DLL to KRB5_16.DLL. This is to avoid conflicts with a 32 bit version of the Krb5 DLL.

Unfortunately delays with stabilizing and integrating the NT release prevented us from shipping this functionality with the 1.0 release. We are making available, concurrent with the 1.0 release, an ALPHA snapshot (release WINNT_ALPHA1_SNAPSHOT). This should not be used in production, as it has several known problems:

* The GSSAPI test application doesn't work, so the GSSAPI library has not been tested.
* The GINA doesn't yet work.
* Help files are not yet available

The only working applications for Windows NT are the credentials manager and a telnet application. In addition, we are continuing to work on this release on an on-going basis, so if you plan to be doing any NT work, you should contact us at krbdev@mit.edu, so that we can more properly coordinate our work. NT support will be folded in to the mainline release before the next major release.

Notes and Major Changes since Beta 7
- ------------------------------------

* We are now using the GNATS system to track bug reports for Kerberos V5. It is therefore helpful for people to use the krb5-send-pr program when reporting bugs. The old interface of sending mail to krb5-bugs@mit.edu will still work; however, bug reports sent in this fashion may experience a delay in being processed.

* The default keytab name has changed from /etc/v5srvtab to /etc/krb5.keytab.

* login.krb5 no longer defaults to getting krb4 tickets.

* The Windows (win16) DLL, LIBKRB5.DLL, has been renamed to KRB5_16.DLL. This change was necessary to distinguish it from the win32 version, which will be named KRB5_32.DLL. Note that the GSSAPI.DLL file has not been renamed, because this name was specified in a draft standard for the Windows 16 GSSAPI bindings. (The 32-bit version of the GSSAPI DLL will be named GSSAPI32.DLL.)


* The directory structure used for installations has changed. In particular, files previously located in $prefix/lib/krb5kdc are now normally located in $sysconfdir/krb5kdc. With the normal configure options, this means the KDC database goes in /usr/local/var/krb5kdc by default. If you wish to have the old behavior, then you would use a configure line like the following:

      configure --prefix=/usr/local --sysconfdir=/usr/local/lib

* kshd has been modified to accept krb4 encrypted rcp connections; for this to work, the v4rcp program must be in the bin directory.

Instructions for obtaining the release
--------------------------------------

Via the WEB: Go to the MIT Kerberos home page at: http://web.mit.edu/kerberos/www and click on the link: "Getting Kerberos from MIT".

Via FTP: FTP to athena-dist.mit.edu, in /pub/kerberos. Get the file README.KRB5_R1.0. It will contain instructions on how to obtain the 1.0 release.

>> Please report any problems/bugs/comments using krb5-send-pr <<

Acknowledgements
----------------

Appreciation Time!!!! There are far too many people to try to thank them all; many people have contributed to the development of Kerberos V5. This is only a partial listing....

Thanks to Paul Vixie and the Internet Software Consortium for funding the work of Barry Jaspan. This funding was invaluable for the OV administration server integration, as well as the 1.0 release preparation process.

Thanks to John Linn, Scott Foote, and all of the folks at OpenVision Technologies, Inc., who donated their administration server for use in the MIT release of Kerberos.

Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken Raeburn, and all of the folks at Cygnus Support, who provided innumerable bug fixes and portability enhancements to the Kerberos V5 tree. Thanks especially to Jeff Bigler, for the new user and system administrator's documentation.

Thanks to Doug Engert from ANL for providing many bug fixes, as well as testing to ensure DCE interoperability.

Thanks to Ken Hornstein at NRL for providing many bug fixes and suggestions.

Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for their many suggestions and bug fixes.

Thanks to the members of the Kerberos V5 development team at MIT, both past and present: Jay Berkenbilt, Richard Basch, John Carr, Don Davis, Nancy Gilman, Sam Hartman, Marc Horowitz, Barry Jaspan, John Kohl, Cliff Neuman, Kevin Mitchell, Paul Park, Ezra Peisach, Chris Provenzano, Jon Rochlis, Jeff Schiller, Harry Tsai, Ted Ts'o, Tom Yu.

------------------------------

Date: Thu, 15 Dec 1996 22:51:01 CST
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 9--Cu Digest Header Info (unchanged since 13 Dec, 1996)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

     SUBSCRIBE CU-DIGEST

Send the message to: cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA.

To UNSUB, send a one-line message: UNSUB CU-DIGEST
Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (860)-585-9638.
CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.

EUROPE:
  In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown)
  In ITALY: ZERO! BBS: +39-11-6507540
  In LUXEMBOURG: ComNet BBS: +352-466893

UNITED STATES:
  etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD
  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/

EUROPE:
  nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

------------------------------

End of Computer Underground Digest #9.02
************************************