Computer underground Digest    Sun  May 11, 1997   Volume 9 : Issue 36
ISSN 1004-042X

Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #9.36 (Sun, May 11, 1997)

File 1--Credit Card Numbers put Online?? (fwd)
File 2--Jim Tyre responds to CyberSitter's Brian Milburn
File 3--TV interview w/2 hackers banned from computers
File 4--Fwd: intellectual property and graduate students
File 5--Georgia expands the "Instruments of Crime"
File 6--More on Gov't Goofs on Virus Hoaxes (Crypt Reprint)
File 7--Cu Digest Header Info (unchanged since 7 May, 1997)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sat, 10 May 97 23:07:12 -0700
From: Joab Jackson@sun.soci.niu.edu, joabj@charm.net
Subject: File 1--Credit Card Numbers put Online?? (fwd)

Spider Came a Crawlin'

From: April 30, 1997, The Baltimore City Paper

"You mean my credit-card number is on the Internet?" Mike Donahue of the town of Lafayette State, Indiana, asks, rather surprised.

I thought he knew. After all, that's where I got his name, his phone number, and his Visa number.

Up until two weeks ago all anyone had to do to get info on Donahue's credit card -- and the cards of at least 11 other people -- was go to the Internet search engine Excite and type in "Holabird Sports," the name of a Baltimore sporting-goods store. Up popped what looked to be on-line order forms -- credit-card numbers included.

Whoops! Somebody messed up. Big time.

When I called to get Donahue's reaction and that of others whose account numbers were on the Net, I was usually greeted with befuddlement.
They wanted to know how the numbers they provided to a Web page in Maryland landed on a computer in California. The owner of Holabird Sports, David Hirshfeld, is at a loss too; in many ways he's also a victim, having angered his customers through no fault of his own. A lesson everyone learned is how rapidly the Internet can turn local mistakes into global ones.

Nine months ago, Holabird Sports contracted Worldscape, a small local Web-presence provider headed by a former stockbroker named Morris Murray, to build and maintain a Web site. Holabird had been doing mail-order business for more than two decades, so it seemed natural to expand onto the Web. Hirshfeld didn't know much about the Internet, but with Worldscape handling the site, he wouldn't even need an Internet account. The on-line order forms filled out by customers would be automatically converted into faxes and sent to the sporting-goods store.

On April 3 one of Holabird's Web customers, Florida resident Barbara Gehring, received an E-mail from an Internet user in St. Louis informing her that her credit-card information was on-line. Those fax files had become accessible.

"I was horrified," Gehring tells me by phone. She called Holabird; on April 4, Murray removed the fax files as well as the entire Holabird Web site, then called the people whose account numbers and expiration dates were exposed. (Murray says he didn't phone those whose expiration dates were not exposed, such as Donahue and at least one other person I spoke with, because the lack of an expiration date would have kept scofflaws from illegally using the card numbers to make phone purchases.)

What had gone wrong? Worldscape set up its Web servers incorrectly. The contents of any computer hooked to the Internet can be partitioned into sections -- some restricted for private use, some accessible to others on the Net.
Worldscape's restricted areas -- at least the one holding those Holabird fax files -- were misconfigured, making them accessible to the public. Murray maintains the mistake occurred in mid-March when his system administrator incorrectly linked two of Worldscape's file servers together.

For a Web-presence provider, this is not a minor error. It's akin to a bank accidentally leaving its customers' money in the alley out back. But it was a little-traveled alley -- the chance of someone stumbling across that information was pretty slim. Murray's real headache didn't begin until the records went onto Excite, a far more trafficked site. How did this happen?

Excite's chief selling point is that it updates its summaries of 50 million Web sites every three weeks, the better to catch changes at frequently updated sites such as on-line magazines. It would be impossible for even a horde of librarians to catalog all the changes, so Excite uses a program called a spider to automatically travel through the pages, copying the text on each one and shipping it to Excite for indexing. The spider found the Holabird customers' numbers and put them up on the Web.

Murray repeatedly asked Excite to erase the numbers from its database, and the company repeatedly said it could not -- thus they stayed in view for nearly three weeks. According to Kris Carpenter, product manager at Mountain View, California-based Excite, all the information the search engine holds is linked. "The way the underlying algorithms [used to complete the Internet searches] are calculated is based on the entire collection of documents," she tells me by phone. "To pull even one throws off the calculation for the entire underlying collection."

Excite's is an unusual design, and I wonder if it's a wise one. As Murray says, "This thing is like a piece of stone that you can't take any one part from. . . . What if there is a big problem? They'll have to shut down the entire service."
In any event, the numbers disappeared from Excite by April 19, and Murray reports that none of the Holabird customers have informed him of any improper charges on their cards. So should we believe, as Murray tells me, that the mistake shouldn't be blown out of proportion? "The risk was very minimal," he says, likening the danger to that of a shopkeeper surreptitiously using a customer's credit-card number.

But Murray is wrong. There is a major difference -- the difference between a few people being privy to your credit-card information versus the entire world.

------------------------------

Date: Tue, 6 May 1997 14:49:59 -0400
From: Declan McCullagh <declan@well.com>
Subject: File 2--Jim Tyre responds to CyberSitter's Brian Milburn

Source - Fight-Censorship

((MODERATORS' NOTE: Brian Milburn's block software has been criticized for indiscriminate blocking of sites with minimal--if any--sexual content, and of sites with politics to which Milburn might object, including sites that criticize his software. Bennett Haselton has been especially vocal (see CuD 9.33), and Milburn has threatened him with litigation. The following is the response of Haselton's attorney to Milburn's threat)).

Source - fight-censorship@vorlon.mit.edu

Jim Tyre's response to Brian Milburn's letter is attached below.

Milburn's "demand letter" sent on April 24 is at:
http://www.peacefire.org/archives/SOS.letters/bm.2.bh.4.24.97.txt

One of my articles about Milburn's earlier threats is at:
http://cgi.pathfinder.com/netly/editorial/0,1012,453,00.html

Netly's Censorware Search Engine is at:
http://cgi.pathfinder.com/netly/spoofcentral/censored/

-Declan

**************

May 5, 1997

Mr. Brian Milburn
President,                     BY FAX TO
Solid Oak Software, Inc.       (805) 967-1614
P.O. Box 6826                  AND BY CERTIFIED MAIL
Santa Barbara, CA 93160        RETURN RECEIPT REQUESTED

Re: April 24, 1997 Demand Letter to Bennett Haselton

Dear Mr.
Milburn:

This law firm represents Bennett Haselton with respect to your April 24, 1997 demand letter to him, received on April 29, 1997. Any further communications concerning this matter should be directed to me, not to Mr. Haselton.

It is not my custom to engage in lengthy discussions of the law with non-lawyers, and I shall not vary from that custom here. I would suggest that you have Solid Oak's attorneys contact me if there is reason to discuss this matter further. However, I will make the following remarks.

ALLEGED COPYRIGHT INFRINGEMENT

You write that:

"You have posted a program on your web site called 'CYBERsitter filter file codebreaker'. This program illegally modifies and decodes data and source code protected by U.S. and International intellectual property laws.

"This program performs this action without permission of the copyright owner. We demand that this program be removed immediately."

You should be perfectly well aware that your assertion that Mr. Haselton's program modifies or decodes CYBERsitter source code is factually incorrect. Further, as you know, Mr. Haselton's program is not in any way a work-around of CYBERsitter, nor did Mr. Haselton hack into Solid Oak's computers in order to create the program.

Mr. Haselton's program does indeed decode data from the CYBERsitter filter file. However, there is no basis in the law for your assertion that Mr. Haselton's program does so unlawfully. If Solid Oak's attorneys believe otherwise, I would be interested in their thoughts.

In that regard, my personal observation is one of surprise at how basic was the encryption algorithm used for the CYBERsitter filter file. XORing each byte with a constant byte, such as 0x94, is a methodology which has been well known for many years, and which is detectable with great ease. Applied Cryptography (2nd edition) by Bruce Schneier is a standard reference. Mr.
Schneier writes:

"The simple-XOR algorithm is really an embarrassment; it's nothing more than a Vigenere polyalphabetic cipher. It's here only because of its prevalence in commercial software packages, at least those in the MS-DOS and Macintosh worlds."

He continues, commenting on a slightly more sophisticated variant than simple 0x94:

"There's no real security here. This kind of encryption is trivial to break, even without computers. It will only take a few seconds with a computer."

He concludes the discussion as follows:

"An XOR might keep your kid sister from reading your files, but it won't stop a cryptanalyst for more than a few minutes."

With XOR (0x94) being the extent of the filter file encryption, it certainly should have been foreseeable to Solid Oak that the filter file would be decrypted into plaintext, and I am surprised that the algorithm was not publicized by people examining the program far earlier than was the case.

Far more important, however, is that Mr. Haselton's program simply is not a violation of any copyright law or of any copyright which Solid Oak allegedly may have in the filter file. I suggest that Solid Oak's attorneys review and explain to you the following cases, among others: Vault Corp. v. Quaid Software Ltd., 847 F.2d 255 (5th Cir. 1988); Lewis Galoob Toys, Inc. v. Nintendo of America, Inc., 964 F.2d 965 (9th Cir. 1992); and Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th Cir. 1992).

I would also commend that your attorneys explain to you the copyright doctrine of fair use, as set forth in 17 United States Code ("U.S.C.") § 107. One of the (nonexclusive) factors in determining whether the use of copyrighted material is fair concerns "the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes." Solid Oak cannot seriously assert that Mr. Haselton's program is of a commercial nature. On the other hand, Mr.
Haselton can and will assert that his program is for a nonprofit educational purpose.

Specifically, Solid Oak's stated blocking policy, at http://www.solidoak.com/cybpol.htm is as follows:

CYBERsitter Site Filtering Policies

CYBERsitter may filter web sites and/or news groups that contain information that meets any of the following criteria not deemed suitable for pre-teen aged children by a general consensus of reports and comments received from our registered users:

- Adult and Mature subject matter of a sexual nature.
- Homosexuality / Transgender sites.
- Pornography or adult oriented graphics.
- Drugs, Tobacco or alcohol.
- Illegal activities.
- Gross depictions or mayhem.
- Violence or anarchy.
- Hate groups.
- Racist groups.
- Anti-Semitic groups.
- Sites advocating intolerance.
- Computer hacking.
- Advocating violation of copyright laws.
- Displaying information in violation of intellectual property laws.
- Information that may interfere with the legal rights and obligations of a parent or our customers.
- Any site maintaining links to other sites containing any of the above content.
- Any domain hosting more than one site containing any of the above content.
- Any domain whose general policies allow any of the above content.

The above criteria is subject to change without notice.

Mr. Haselton has the right to test whether what CYBERsitter actually blocks comports with Solid Oak's stated criteria, particularly given some of the seemingly arbitrary decisions incorporated into CYBERsitter. Mr. Haselton has the First Amendment right to be critical of what CYBERsitter does and how it does it. Since the only way to fully test what CYBERsitter blocks and to comment critically on the functionality of CYBERsitter is to decrypt the filter file, Mr. Haselton's program falls squarely within the fair use doctrine of 17 U.S.C. § 107.

Additional copyright arguments can be made, and, if necessary, will be made.
However, I hope that this is enough to convince Solid Oak's attorneys that Solid Oak cannot prevail in an infringement action against Mr. Haselton.

ALLEGED IMPERMISSIBLE LINKING

You state that Mr. Haselton has placed links to various Solid Oak sites on the www.peacefire.org site. Of course you are correct, but your assertion that Mr. Haselton needed permission to do this is nonsense.

A URL (the "U", of course, standing for "universal") is merely a machine readable encoding of a label identifying the work in the form how://where/what: It is no different than providing the card catalog number for a book already in the library. Solid Oak already is on the internet, where, by definition, its presence is public, regardless of whether Solid Oak is a public corporation or a private corporation. Mr. Haselton simply has told people where to find Solid Oak and given them the means to get there without having to type in a URL.

Would you contend that Mr. Haselton needs your permission to write on the Peacefire site that "The URL for Solid Oak Software, Inc. is http://www.solidoak.com"? Would you contend that Mr. Haselton needs your permission to state that Solid Oak's address is P.O. Box 6826, Santa Barbara, CA 93160? That Solid Oak's telephone number is (805) 962-9853, or that its fax number is (805) 967-1614?

Since you are in the business of making internet software products, no doubt you should appreciate that linking one web site to another, or to hundreds of others, which in turn could be linked to thousands of others, is the raison d'etre of the World Wide Web. If linking required permission (which it does not) or was unlawful (which it is not) then, as a practical matter, the web would die. Since Solid Oak's business depends on the web flourishing, I doubt that you would want to see that happen. However, regardless of what you might want, there is no law and there is no policy which prevents Mr. Haselton from including links to Solid Oak on the Peacefire site.
The same is true for Solid Oak's email addresses, many of which are listed on Solid Oak's own web pages. Solid Oak's URLs are pure information, not protected under any intellectual property law of which I am aware. Disclosing and/or linking to them is neither trespass nor any other offense.

Finally, although I consider the matter legally irrelevant, I note that Solid Oak's site includes links to each of: Parent Time http://pathfinder.com/ParentTime/Welcome/; Microsoft http://www.microsoft.com/; Quarterdeck http://www.quarterdeck.com/; Windows95.com http://www.windows95.com/; Berit's Best Sites for Children http://db.cochran.com/db_HTML:theopage.db; Discovery Channel http://www.discovery.com/; and Family.Com http://www.family.com/. If, prior to the date of your demand letter, you obtained written permission from each of these sites to link to them, I would be interested in seeing those writings. If, however, Solid Oak has not obtained written permission for those links, one might wonder as to your motivation in making your assertion that the links provided by Mr. Haselton are in any way improper.

Perhaps I can understand your being upset with how easy it was for Mr. Haselton to lawfully decrypt the weakly encrypted CYBERsitter filter file. But being upset is one thing: accusing Mr. Haselton of criminal conduct and threatening him with legal action (as you have done publicly both recently and last December) is quite another.

Mr. Haselton has no desire to institute legal proceedings against you or Solid Oak if this goes no further. Therefore, if you were just venting your frustration, say so now and we will be done with this. Otherwise, I am confident that Solid Oak's attorneys know where the proper court is, as do I.

BIGELOW, MOORE & TYRE, LLP

By: JAMES S. TYRE

JST:hs
cc: Mr.
Bennett Haselton

------------------------------

Date: Tue, 06 May 1997 20:55:42 -0400
From: Minor Threat <mthreat@paranoia.com>
Subject: File 3--TV interview w/2 hackers banned from computers

TV.COM is a weekly, 30-minute television show devoted to topics of the Internet, online services, web pages and new computer technology. The May 17th show will feature interviews with two hackers who have been ordered by federal judges to stay away from computers after they were found guilty of committing computer and other crimes.

Minor Threat will discuss the details of his ban from the Internet and how it will affect him when he is released and why he feels it is unfair. His crime was not computer-related, but the judge believed he had the capability to electronically retaliate against the arresting officer by altering his credit rating and so, ordered an Internet ban placed on him. Minor Threat was interviewed early April at FCI Bastrop where he is currently serving a 70-month sentence. His web page is at www.paranoia.com/~mthreat/.

Notorious computer hacker Kevin Poulsen was released from federal prison last summer after serving 51 months and is now struggling to cope with a life without computers. Having been surrounded by computers up until his capture in 1991, his life has drastically changed since he is currently prohibited from touching or being in the same room as one. He will discuss the difficulties he faces as a non-computer user in a high-tech environment. His web page is at www.catalog.com/kevin/.

Please check the TV.COM web site (www.tv.com) for local time and channel listings in your area.

------------------------------

Date: Thu, 8 May 97 12:12:34 -0700
From: "Gordon R. 
Meyer" <grmeyer@apple.com>
Subject: File 4--Fwd: intellectual property and graduate students

Date--Thu, 1 May 1997 08:49:19 -0700
From--Tony Rosati <rosati@gusun.acc.georgetown.edu>

Source - nagps-official@nagps.org

Intellectual Property May Prove to Be the Pressing Graduate & Professional Student Concern at the Turn of the Century!

Find Out How YOU Can Help NAGPS Prepare to Help Save YOUR Intellectual Property Rights!

by Anthony Rosati
NAGPS Information Exchange Coordinator

Recently, at the Annual NAGPS Southeastern Regional Meeting, in Atlanta this past April 11-13, Anne Holt, former SE Regional Coordinator for NAGPS & Speaker of the Congress of Graduate Students of Florida State University gave a presentation & presided over a Roundtable on Intellectual Property. Her findings shocked the entire room of attendees.

She started off using her school, FSU, as a starting point. She pointed out that at FSU, graduate & professional students, and even undergraduate students, fall under the faculty guidelines for intellectual property, regardless of whether they are working for the university or simply matriculated. In addition, the FSU faculty handbook, in the section where IP issues are discussed, clearly points out that even in areas that are unrelated to the work done at the university and any work done at home or after-business-hours is encompassed. It even explicitly stated that AFTER one left the FSU, one's work, whether related to the support received from FSU or not, could be claimed by FSU and was, for all intents and purposes, theirs to lay claim to.

We were all shocked. It basically stated that regardless of whether you were working on campus or not, working during business hours or not, working on something you were matriculated or hired for, if you came up with it, it belonged to the FSU. Anne mentioned several cases, including one of a Univ. 
of South Florida graduate student, who documented that he worked on a computer software package off-hours and at home, without any resources from the university, and yet is still sitting in a jail cell awaiting trial.

Then Anne Holt began asking attendees what their schools' IP policies were. Only a handful of individuals could cite them, and even fewer realized that they may be covered by such policies.

Anne Holt is now spearheading an investigation for NAGPS into what policies exist at different schools. She would like to collect as many policies as possible from different institutions. If you can, please send the relevant excerpts by e-mail to NAGPS-IP-CRISIS@NAGPS.ORG, or if transcribing that information into an e-mail message is too daunting or too large, please send a hardcopy or photocopy of the policy to

Anthony V. Rosati
NAGPS Information Exchange Coordinator
6630 Moly Drive
Falls Church, VA 22046
ATTN: IP Crisis

Anne & I will pore through the resulting collection and distill the results into a document for use by all NAGPS Members. Additionally, a recommended policy for Intellectual Property concerns between students and institutions of higher learning, as well as a draft position statement for the Association will be created and presented to the Membership at the New Orleans Meeting this coming October for amendment & ratification.

Before parting, Anne & I wanted to remind all that with the future of Intellectual Property becoming unstable and confusing, only YOU can best protect your Intellectual Property by:

(1) Knowing your rights under the contract(s) you signed when matriculating and/or accepting work with the university.
(2) Knowing the current state & federal laws regarding the protection and claiming of Intellectual Property.
(3) Carefully documenting the conditions, resources and chronology of your research and intellectual effort, regardless of its status.
(4) Working with a strong advocacy group, like the AAUP, or the NAGPS, to ensure your rights are understood and addressed by local, regional & national legislatures.

You can learn some more about Intellectual Property Rights by going to the NAGPS Web site at http://www.nagps.org/NAGPS/ and clicking on the Focus Issues link - from there, click on the Legislative Issues link and go to the bottom of the page.

Regards,

Anthony Rosati
NAGPS Information Exchange Coordinator

------------------------------

Date: Fri, 02 May 1997 09:59:58 -0400
From: "Robert A. Costner" <pooh@efga.org>
Subject: File 5--Georgia expands the "Instruments of Crime"

Source - fight-censorship@vorlon.mit.edu

+++++++++++++

In Georgia it is a crime, punishable by $30K and four years to use in furtherance of a crime:

* a telephone
* a fax machine
* a beeper
* email

The actual use of the law, I think, is that when a person is selling drugs and either is in possession of a beeper, or admits to using the phone to facilitate a meeting, he is charged with the additional felony of using a phone. This allows for selective enforcement of additional penalties for some people.

O.C.G.A. 16-13-32.3.

(a) It shall be unlawful for any person knowingly or intentionally to use any communication facility in committing or in causing or facilitating the commission of any act or acts constituting a felony under this chapter. Each separate use of a communication facility shall be a separate offense under this Code section. For purposes of this Code section, the term "communication facility" means any and all public and private instrumentalities used or useful in the transmission of writing, signs, signals, pictures, or sounds of all kinds and includes mail, telephone, wire, radio, computer or computer network, and all other means of communication.
(b) Any person who violates subsection (a) of this Code section shall be punished by a fine of not more than $30,000.00 or by imprisonment for not less than one nor more than four years, or both.

------------------------------

Date: Fri, 2 May 1997 15:08:43 -0500 (CDT)
From: Crypt Newsletter <crypt@sun.soci.niu.edu>
Subject: File 6--More on Gov't Goofs on Virus Hoaxes (Crypt Reprint)

((MODERATORS NOTE: For those unfamiliar with Crypt Magazine, you should check it out. The homepage is at: http://www.soci.niu.edu/~crypt - and the editor, George Smith, is to covering computer viruses what Brock Meeks and Declan McCullagh are to Net politics)).

CRYPT NEWSLETTER 42
April -- May 1997

HOISTED ON THE PETARD OF PENPAL

In an astonishing gaffe, government intelligence experts writing for the Moynihan Commission's recent "Report . . . on Protecting and Reducing Government Secrecy" reveal they've been hooked on one of the Internet's ubiquitous e-mail computer virus hoaxes known as "Penpal Greetings"!

In a boldly displayed boxed-out quote (page 109) in a part of the report entitled "Information Age Insecurity" authors of the report proclaim:

"Friendly Greetings?

"One company whose officials met with the Commission warned its employees against reading an e-mail entitled Penpal Greetings. Although the message appeared to be a friendly letter, it contained a virus that could infect the hard drive and destroy all data present. The virus was self-replicating, which meant that once the message was read, it would automatically forward itself to any e-mail address stored in the recipients in-box."

The Penpal joke is one in half-a-dozen or so permutations spun off the well-known GoodTimes e-mail virus hoax. Variations on GoodTimes have appeared at a steady rate over the past couple years.
Real computer security experts -- as opposed to the Moynihan commission's -- now occasionally worry in the press that they spend more time clearing up confusion created by such tricks than destroying actual computer viruses.

The report's authors come from what is known as "the Moynihan commission," a group of heavy Congressional and intelligence agency hitters tasked with critiquing and assessing the Byzantine maze of classification and secrecy regulation currently embraced by the U.S. government.

The commission also devoted significant print space to the topic of information security and network intrusion.

Among the commission's members are its chairman, Daniel Moynihan; vice-chairman Larry Combest, Jesse Helms, ex-CIA director John Deutch and Martin Faga, now at a MITRE Corporation facility in McLean, Virginia, but formerly a head of the super-secret, spy satellite-flying National Reconnaissance Office.

The part of the commission's report dealing with "Information Age Insecurity" merits much more comment. But in light of the report's contamination by the Penpal virus hoax, two paragraphs from the March 4 treatise become unintentionally hilarious:

"Traditionally, computer security focuses on containing the effects of malicious users or malicious programs. As programs become more complex, an additional threat arises: _malicious data_ [Crypt Newsletter emphasis added] . . . In general, the outlook is depressing: as the economic incentives increase, these vulnerabilities are likely to be exploited more frequently.

---W. Olin Sibert, 19th National Information Systems Security Conference (October 1996)"

And,

"Inspector General offices, with few exceptions, lack the personnel, skills, and resources to address and oversee information systems security within their respective agencies. The President cannot turn to an Information General and ask how U.S. investments in information technology are being protected from the latest viruses, terrorists, or hackers."
Got that right, sirs.

----------------------

Notes:

Other authors of the commission report include Maurice Sonnenberg, a member of the President's Foreign Intelligence Advisory Board; John Podesta, a White House Deputy Chief of Staff and formerly a visiting professor at Georgetown University's Cyberlaw Center; Ellen Hume, a media critic for CNN's "Reliable Sources" and former reporter for the Wall Street Journal and Los Angeles Times; and Alison Fortier, a former National Security Council staffer and current director of Missile Defense Programs in a Washington, D.C.-based arm of Lockheed Martin.

The Penpal Greetings hoax appeared in November of 1996 which would seem to indicate the section of the report containing it was not written until a month or so before the report's publication on March 4 of this year.

Unsurprisingly, much of the report appears to be written by staff members for the commission chairmen. An initial phone call to the commission was answered by a staffer who declined to name the author of the part of the report carrying the Penpal hoax. The staffer did, however, mention he would forward the information to the author.

And he was as good as his word. The following week, Crypt Newsletter was told to get in touch with Alison Fortier by way of Jacques Rondeau, a U.S. Air Force colonel who served as a commission staff director and was instrumental in writing the chapter on "computer insecurity."

Fortier was surprised by the information that Penpal Greetings was a hoax and could shed no light on the peer-review process that went into verifying items included as examples in the report. She said the process involved readings of the material by staffers to the commissioners. Examples were presented and this was one of the ones that was picked, apparently because it sounded good.

At first, Fortier argued that Penpal Greetings, as an example, was difficult to distinguish from the truth. Indeed, Fortier wasn't even convinced it wasn't a real virus.
And this demonstrates the thorny problem that arises when hoaxes work their way into the public record at a very high level of authority: Simply, there is a great reluctance to accept that they ARE rubbish, after the fact, because the hearsay has come from multiple, supposedly authoritative, sources.

Crypt Newsletter then told Fortier that verification of whether or not Penpal was bogus could have been accomplished by spending five minutes of time on any of the Internet search engines and using it as a keyword ("Penpal Greetings" returns numerous cites indicating it is a hoax) and the Moynihan commissioner backed off on insistence that it might still be real.

"It's unfortunate that this error occurred because it can interfere with the recommendations of the commission, which are still valid," Fortier said. "When policy meets science -- it's always an imperfect match."

Crypt Newsletter also queried commissioner and ex-NRO director Martin Faga. "I've been aware of the error since shortly after publication of the report, but I'm not familiar with the background," Faga told Crypt.

Commissioner Ellen Hume was also at a loss as to how Penpal Greetings had arrived in the report.

Commission staff director Eric Biel had more to say on the subject in a letter to Crypt Newsletter dated April 24. In it, Biel wrote:

"I am very frustrated that we failed to get our information correct in this regard; as you note, the error only adds to the confusion concerning a very complicated set of security issues. You are quite right when you indicate this portion of the report was added late in the day. We had been urged to provide some anecdotes to complement the narrative text; this example thus was added to give greater emphasis to the points already being described . . . Obviously, there was not an adequate fact-checking and verification process with respect to the Penpal information."
Biel added that he was still confident of "the soundness of [the report's] findings and recommendations, including [those in the chapter 'Information Age Insecurity.']"

Go ahead, contact the Moynihan Secrecy Commission at 202-776-8727 and verify for them that Penpal Greetings is a hoax. After all, it's your money, too. But hurry, they're moving out of the office by the middle of the month.

Acknowledgment: A copy of the Moynihan Commission report is mirrored on the Federation of American Scientists' Website. Without FAS' timely and much appreciated efforts to make government reports and documents of strategic interest freely available to an Internet readership, Crypt Newsletter's rapid tracing of the travel of the Penpal hoax into the commission's record might not have been possible.

WE ARE THE ENEMY: BUNKER MENTALITY IN USAF INFO-WAR KOOKS

Just in case you've harbored the suspicion that Crypt Newsletter exaggerates the outright paranoia now gripping portions of the United States military with regards to the Internet, in this issue I've excerpted substantial portions of an article which appeared in a July 1996 issue of Intercom, an electronic publication published on a Web server out of Scott Air Force Base in Illinois.

Intercom is a good source of US Air Force orthodoxy on the topic of information technology as it pertains to members of the service.

In this article, the information airmen of Goodfellow AFB, Texas, tell us they're already under attack. Computer viruses, say soldiers, are continuously assaulting the base, leaving it in essentially a continual state of information war.

While the article may appear reasonable to the principals who commissioned it, publishing it on the Internet has only served to reinforce the notion that some "info-warriors" in the U.S. military are starkly paranoid nutcases.

"It's a whole new realm of warfare and you're no longer safe at work or at home," said Lieutenant Randy Tullis, for Intercom.

"As evidence of the increase in information warfare activity, communications officials at Goodfellow have logged 12 incidents of computer viruses in less than four months this year," said Sgt. Michael Minick.

The Intercom feature continues, "In all of 1995, [Goodfellow] handled 14 cases [of computer virus infection.]"

"While viruses are not an all-out war waged against the base with weapons of mass destruction, the results can be devastating," states the article, rather balefully.

"Information warriors will try to deal heavy blows in future wars, and Goodfellow and its 315th Training Squadron is at the forefront in training defenders against these warriors," the article says.

"The most popular aspect of [information war] is the process of attacking and protecting computer-based and communication information networks," said Goodfellow AFB's Captain Tim Hall.

Hall had also advertised on the Internet in mid-November 1996 for an info-war instructor at Goodfellow. The job description called for a captain's rank to "[Create and develop] infowar curricula for all new USAF Intelligence personnel; Supervise IW Lab development, student training, infowar instructional methods and infowar exercises."

"Some attacks are by people who unintentionally access networks and others are by those bent on destroying government computer data through use of devastating viruses and other means," said Hall.

"Students also learn how other countries such as Russia, China and France plan to conduct [information warfare] operations," said Hall.

"Indeed," said Crypt Newsletter.

It's war -- war against hackers, say the information soldiers of Goodfellow. Instruction courses at the base are designed to inculcate "basic awareness in the defensive skills needed to recognize and defeat information warriors, commonly called computer hackers," Hall said for Intercom.

Goodfellow is stepping up efforts to train its information warriors.

"We are going to propose Team Goodfellow build an advanced [information warfare] course," said another soldier. "It will teach offensive and defensive concepts in a classroom and hands-on training in a lab environment," which is a tricky way of saying that soldiers think hacking the hackers, or whoever they think might be launching info-war attacks, is a savvy idea.

Long-time Crypt Newsletter readers probably can't help but recognize trenchant similarities between the quote of Goodfellow info-warriors and examples of the paranoid rantings found sprinkled through the writings of teenager-composed 'zines from the computer underground ca. 1992.

We'll kick them off Internet Relay Chat. They'll never get channel ops on our watch. Yeah, that's the ticket.

------------------------------

Date: Thu, 7 May 1997 22:51:01 CST
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 7--Cu Digest Header Info (unchanged since 7 May, 1997)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

     SUBSCRIBE CU-DIGEST

Send the message to: cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA.
To UNSUB, send a one-line message: UNSUB CU-DIGEST
Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.

In ITALY: ZERO! BBS: +39-11-6507540

UNITED STATES:
  ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
    Web-accessible from: http://www.etext.org/CuD/CuD/
  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/

EUROPE:
  nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators.
Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

------------------------------

End of Computer Underground Digest #9.36
************************************