Computer underground Digest    Sun  May 11, 1997   Volume 9 : Issue 36
                           ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Shadow Master: Stanton McCandlish
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Field Agent Extraordinaire:   David Smith
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #9.36 (Sun, May 11, 1997)

File 1--Credit  Card Numbers put Online?? (fwd)
File 2--Jim Tyre responds to CyberSitter's Brian Milburn
File 3--TV interview w/2 hackers banned from computers
File 4--Fwd: intellectual property and graduate students
File 5--Georgia expands the "Instruments of Crime"
File 6--More on Gov't Goofs on Virus Hoaxes (Crypt Reprint)
File 7--Cu Digest Header Info (unchanged since 7 May, 1997)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sat, 10 May 97 23:07:12 -0700
From: Joab Jackson@sun.soci.niu.edu, joabj@charm.net
Subject: File 1--Credit  Card Numbers put Online?? (fwd)

Spider Came a Crawlin'
From: April 30, 1997, The Baltimore City Paper

"You mean my credit-card number is on the Internet?" Mike Donahue
of the town of Lafayette State, Indiana, asks, rather surprised.

I thought he knew. After all, that's where I got his name, his
phone number, and his Visa number.

Up until two weeks ago all anyone had to do to get info on
Donahue's credit card -- and the cards of at least 11 other
people -- was go to the Internet search engine Excite and type in
"Holabird Sports," the name of a Baltimore sporting-goods store.
Up popped what looked to be on-line order forms -- credit-card
numbers included.

Whoops! Somebody messed up. Big time.

When I called to get Donahue's reaction and that of others whose
account numbers were on the Net, I was usually greeted with
befuddlement. They wanted to know how the numbers they provided to
a Web page in Maryland landed on a computer in California. The
owner of Holabird Sports, David Hirshfeld, is at a loss too; in
many ways he's also a victim, having angered his customers through
no fault of his own.

A lesson everyone learned is how rapidly the Internet can turn
local mistakes into global ones.

Nine months ago, Holabird Sports contracted Worldscape, a small
local Web-presence provider headed by a former stockbroker named
Morris Murray, to build and maintain a Web site. Holabird had been
doing mail-order business for more than two decades, so it seemed
natural to expand onto the Web.  Hirshfeld didn't know much about
the Internet, but with Worldscape handling the site, he wouldn't
even need an Internet account. The on-line order forms filled out
by customers would be automatically converted into faxes and sent
to the sporting-goods store.

On April 3 one of Holabird's Web customers, Florida resident
Barbara Gehring, received an E-mail from an Internet user in St.
Louis informing her that her credit-card information was on-line.
Those fax files had become accessible.

"I was horrified," Gehring tells me by phone. She called Holabird;
on April 4, Murray removed the fax files as well as the entire
Holabird Web site, then called the people whose account numbers
and expiration dates were exposed. (Murray says he didn't phone
those whose expiration dates were not exposed, such as Donahue and
at least one other person I spoke with, because the lack of an
expiration date would have kept scofflaws from illegally using the
card numbers to make phone purchases.)

What had gone wrong? Worldscape set up its Web servers
incorrectly. The contents of any computer hooked to the Internet
can be partitioned into sections -- some restricted for private use,
some accessible to others on the Net. Worldscape's restricted
areas -- at least the one holding those Holabird fax files -- were
misconfigured, making them accessible to the public. Murray
maintains the mistake occurred in mid-March when his system
administrator incorrectly linked two of Worldscape's file servers
together.

For a Web-presence provider, this is not a minor error. It's akin
to a bank accidentally leaving its customers' money in the alley
out back. But it was a little-traveled alley -- the chance of someone
stumbling across that information was pretty slim. Murray's real
headache didn't begin until the records went onto Excite, a far
more trafficked site.

How did this happen? Excite's chief selling point is that it
updates its summaries of 50 million Web sites every three weeks,
the better to catch changes at frequently updated sites such as
on-line magazines. It would be impossible for even a horde of
librarians to catalog all the changes, so Excite uses a program
called a spider to automatically travel through the pages, copying
the text on each one and shipping it to Excite for indexing.  The
spider found the Holabird customers' numbers and put them up on
the Web.  Murray repeatedly asked Excite to erase the numbers from
its database, and the company repeatedly said it could not -- thus
they stayed in view for nearly three weeks.

According to Kris Carpenter, product manager at Mountain View,
California-based Excite, all the information the search engine
holds is linked. "The way the underlying algorithms [used to
complete the Internet searches] are calculated is based on the
entire collection of documents," she tells me by phone. "To pull
even one throws off the calculation for the entire underlying
collection."

Excite's is an unusual design, and I wonder if it's a wise one. As
Murray says, "This thing is like a piece of stone that you can't
take any one part from. . . . What if there is a big
problem? They'll have to shut down the entire service."

In any event, the numbers disappeared from Excite by April 19, and
Murray reports that none of the Holabird customers have informed
him of any improper charges on their cards. So should we believe,
as Murray tells me, that the mistake shouldn't be blown out of
proportion? "The risk was very minimal," he says, likening the
danger to that of a shopkeeper surreptitiously using a customer's
credit-card number. But Murray is wrong.  There is a major
difference -- the difference between a few people being privy to your
credit-card information versus the entire world.

------------------------------

Date: Tue, 6 May 1997 14:49:59 -0400
From: Declan McCullagh <declan@well.com>
Subject: File 2--Jim Tyre responds to CyberSitter's Brian Milburn

Source  - Fight-Censorship

((MODERATORS' NOTE: Brian Milburn's block software has been
criticized for indiscriminate blocking of sites with minimal--if
any--sexual content, and of sites with politics to which Milburn
might object, including sites that criticize his software.
Bennett Haselton has been especially vocal (see CuD 9.33), and
Milburn has threatened him with litigation. The following is the
response of Haselton's attorney to Milburn's threat)).

Source -  fight-censorship@vorlon.mit.edu

Jim Tyre's response to Brian Milburn's letter is attached below.

Milburn's "demand letter" sent on April 24 is at:
  http://www.peacefire.org/archives/SOS.letters/bm.2.bh.4.24.97.txt

One of my articles about Milburn's earlier threats is at:
  http://cgi.pathfinder.com/netly/editorial/0,1012,453,00.html

Netly's Censorware Search Engine is at:
  http://cgi.pathfinder.com/netly/spoofcentral/censored/

-Declan

**************

May 5, 1997


Mr. Brian Milburn
President,                              BY FAX TO
Solid Oak Software, Inc.                (805) 967-1614
P.O. Box 6826                           AND BY CERTIFIED MAIL
Santa Barbara, CA 93160                 RETURN RECEIPT REQUESTED


        Re:     April 24, 1997 Demand Letter to Bennett Haselton


Dear Mr. Milburn:

This law firm represents Bennett Haselton with respect to your April 24,
1997 demand letter to him, received on April 29, 1997.  Any further
communications concerning this matter should be directed to me, not to
Mr. Haselton.

It is not my custom to engage in lengthy discussions of the law with
non-lawyers, and I shall not vary from that custom here.  I would
suggest that you have Solid Oak's attorneys contact me if there is
reason to discuss this matter further.  However, I will make the
following remarks.


                      ALLEGED COPYRIGHT INFRINGEMENT

You write that:

"You have posted a program on your web site called 'CYBERsitter filter
file codebreaker'.  This program illegally modifies and decodes data and
source code protected by U.S. and International intellectual property
laws.

"This program performs this action without permission of the copyright
owner. We demand that this program be removed immediately."

You should be perfectly well aware that your assertion that Mr.
Haselton's program modifies or decodes CYBERsitter source code is
factually incorrect.  Further, as you know, Mr. Haselton's program is
not in any way a work-around of CYBERsitter, nor did Mr. Haselton hack
into Solid Oak's computers in order to create the program.

Mr. Haselton's program does indeed decode data from the CYBERsitter
filter file.  However, there is no basis in the law for your assertion
that Mr. Haselton's program does so unlawfully.  If Solid Oak's
attorneys believe otherwise, I would be interested in their thoughts.
In that regard, my personal observation is one of surprise at how basic
was the encryption algorithm used for the CYBERsitter filter file.
XORing each byte with a constant byte, such as 0x94, is a methodology
which has been well known for many years, and which is detectable with
great ease.

Applied Cryptography (2nd edition) by Bruce Schneier is a standard
reference.  Mr. Schneier writes:

"The simple-XOR algorithm is really an embarrassment; it's nothing more
than a Vigenere polyalphabetic cipher. It's here only because of its
prevalence in commercial software packages, at least those in the MS-DOS
and Macintosh worlds."

He continues, commenting on a slightly more sophisticated variant than
simple 0x94:

"There's no real security here. This kind of encryption is trivial to
break, even without computers. It will only take a few seconds with a
computer."

He concludes the discussion as follows:

"An XOR might keep your kid sister from reading your files, but it won't
stop a cryptanalyst for more than a few minutes."

With XOR (0x94) being the extent of the filter file encryption, it
certainly should have been foreseeable to Solid Oak that the filter file
would be decrypted into plaintext, and I am surprised that the algorithm
was not publicized by people examining the program far earlier than was
the case.

Far more important, however, is that Mr. Haselton's program simply is
not a violation of any copyright law or of any copyright which Solid Oak
allegedly may have in the filter file.  I suggest that Solid Oak's
attorneys review and explain to you the following cases, among others:
Vault Corp. v. Quaid Software Ltd., 847 F.2d 255 (5th Cir. 1988); Lewis
Galoob Toys, Inc. v. Nintendo of America, Inc., 964 F.2d 965 (9th Cir.
1992); and Sega Enterprises Ltd. v. Accolade, Inc., 977 F.2d 1510 (9th
Cir. 1992).

I would also commend that your attorneys explain to you the copyright
doctrine of fair use, as set forth in 17 United States Code ("U.S.C.") §
107.  One of the (nonexclusive) factors in determining whether the use
of copyrighted material is fair concerns  "the purpose and character of
the use, including whether such use is of a commercial nature or is for
nonprofit educational purposes."

Solid Oak cannot seriously assert that Mr. Haselton's program is of a
commercial nature.  On the other hand, Mr. Haselton can and will assert
that his program is for a nonprofit educational purpose.  Specifically,
Solid Oak's stated blocking policy, at
http://www.solidoak.com/cybpol.htm is as follows:

CYBERsitter Site Filtering Policies

CYBERsitter may filter web sites and/or news groups that contain
information that meets any of the following criteria not deemed suitable
for pre-teen aged children by a general consensus of reports and
comments received from our registered users:


     - Adult and Mature subject matter of a sexual nature.
     - Homosexuality / Transgender sites.
     - Pornography or adult oriented graphics.
     - Drugs, Tobacco or alcohol.
     - Illegal activities.
     - Gross depictions or mayhem.
     - Violence or anarchy.
     - Hate groups.
     - Racist groups.
     - Anti-Semitic groups.
     - Sites advocating intolerance.
     - Computer hacking.
     - Advocating violation of copyright laws.
     - Displaying information in violation of intellectual property
       laws.
     - Information that may interfere with the legal rights and
       obligations of a parent or our customers.
     - Any site maintaining links to other sites containing any of the
       above content.
     - Any domain hosting more than one site containing any of the above
       content.
     - Any domain whose general policies allow any of the above content.

      The above criteria is subject to change without notice.


Mr. Haselton has the right to test whether what CYBERsitter actually
blocks comports with Solid Oak's stated criteria, particularly given
some of the seemingly arbitrary decisions incorporated into
CYBERsitter.  Mr. Haselton has the First Amendment right to be critical
of what CYBERsitter does and how it does it.  Since the only way to
fully test what CYBERsitter blocks and to comment critically on the
functionality of CYBERsitter is to decrypt the filter file, Mr.
Haselton's program falls squarely within the fair use doctrine of 17
U.S.C. § 107.

Additional copyright arguments can be made, and, if necessary, will be
made.  However, I hope that this is enough to convince Solid Oak's
attorneys that Solid Oak cannot prevail in an infringement action
against Mr. Haselton.


                      ALLEGED IMPERMISSIBLE LINKING

You state that Mr. Haselton has placed links to various Solid Oak sites
on the www.peacefire.org site.  Of course you are correct, but your
assertion that Mr. Haselton needed permission to do this is nonsense.  A
URL (the "U", of course, standing for "universal") is merely a machine
readable encoding of a label identifying the work in the form
how://where/what:  It is no different than providing the card catalog
number for a book already in the library.  Solid Oak already is on the
internet, where, by definition, its presence is public, regardless of
whether Solid Oak is a public corporation or a private corporation.  Mr.
Haselton simply has told people where to find Solid Oak and given them
the means to get there without having to type in a URL.  Would you
contend that Mr. Haselton needs your permission to write on the
Peacefire site that "The URL for Solid Oak Software, Inc. is
http://www.solidoak.com"?  Would you contend that Mr. Haselton needs
your permission to state that Solid Oak's address is P.O. Box 6826,
Santa Barbara, CA 93160?  That Solid Oak's telephone number is (805)
962-9853, or that its fax number is (805) 967-1614?

Since you are in the business of making internet software products, no
doubt you should appreciate that linking one web site to another, or to
hundreds of others, which in turn could be linked to thousands of
others, is the raison d'etre of the World Wide Web.  If linking required
permission (which it does not) or was unlawful (which it is not) then,
as a practical matter, the web would die.  Since Solid Oak's business
depends on the web flourishing, I doubt that you would want to see that
happen.

However, regardless of what you might want, there is no law and there is
no policy which prevents Mr. Haselton from including links to Solid Oak
on the Peacefire site.  The same is true for Solid Oak's email
addresses, many of which are listed on Solid Oak's own web pages.  Solid
Oak's URLs are pure information, not protected under any intellectual
property law of which I am aware.  Disclosing and/or linking to them is
neither trespass nor any other offense.

Finally, although I consider the matter legally irrelevant, I note that
Solid Oak's site includes links to each of:

Parent Time http://pathfinder.com/ParentTime/Welcome/;
Microsoft http://www.microsoft.com/;
Quarterdeck http://www.quarterdeck.com/;
Windows95.com http://www.windows95.com/;
Berit's Best Sites for Children
http://db.cochran.com/db_HTML:theopage.db;
Discovery Channel http://www.discovery.com/; and
Family.Com http://www.family.com/.

If, prior to the date of your demand letter, you obtained written
permission from each of these sites to link to them, I would be
interested in seeing those writings.  If, however, Solid Oak has not
obtained written permission for those links, one might wonder as to your
motivation in making your assertion that the links provided by Mr.
Haselton are in any way improper.


Perhaps I can understand your being upset with how easy it was for Mr.
Haselton to lawfully decrypt the weakly encrypted CYBERsitter filter
file.  But being upset is one thing: accusing Mr. Haselton of criminal
conduct and threatening him with legal action (as you have done publicly
both recently and last December) is quite another.  Mr. Haselton has no
desire to institute legal proceedings against you or Solid Oak if this
goes no further.  Therefore, if you were just venting your frustration,
say so now and we will be done with this.  Otherwise, I am confident
that Solid Oak's attorneys know where the proper court is, as do I.



                                      BIGELOW, MOORE & TYRE, LLP




                                      By:
                                              JAMES S. TYRE

JST:hs

cc:     Mr. Bennett Haselton
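
Added example, not part of Mr. Tyre's letter or of any program it mentions: a short Python sketch of why XORing every byte with one constant, such as the 0x94 named above, is "detectable with great ease". The sample text, function names and scoring rule are assumptions made for the illustration; no real filter-file data is used.

```python
import math
from collections import Counter

# Constructed sample standing in for an obfuscated word list (not real filter data).
SAMPLE_PLAINTEXT = (
    b"this list is constructed for the example\r\n"
    b"first-entry.example.test\r\n"
    b"second-entry.example.test\r\n"
    b"a phrase to be matched\r\n"
)
PAGE_KEY = 0x94  # the constant byte named in the letter

TEXT_BYTES = frozenset(range(32, 127)) | {9, 10, 13}  # printable ASCII, TAB, LF, CR
COMMON = frozenset(b" etaoinshrdlu")                   # frequent English characters


def xor_constant(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key byte; applying it twice undoes it."""
    return bytes(b ^ key for b in data)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, computed from the byte histogram."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def score_text(candidate: bytes) -> int:
    """Hypothetical scoring rule: reject non-text output, else count common letters."""
    if any(b not in TEXT_BYTES for b in candidate):
        return -1
    return sum(1 for b in candidate if b in COMMON)


def recover_key(ciphertext: bytes):
    """Try all 256 possible key bytes and keep the one whose output reads as text."""
    best = max(range(256), key=lambda k: score_text(xor_constant(ciphertext, k)))
    return best, xor_constant(ciphertext, best)


if __name__ == "__main__":
    obscured = xor_constant(SAMPLE_PLAINTEXT, PAGE_KEY)

    # A constant XOR only relabels byte values, so the histogram keeps its
    # shape: the entropy is identical to the plaintext's and far below the
    # roughly 8 bits per byte expected of real cipher output.
    print("entropy plain    : %.3f bits/byte" % shannon_entropy(SAMPLE_PLAINTEXT))
    print("entropy obscured : %.3f bits/byte" % shannon_entropy(obscured))

    key, text = recover_key(obscured)
    print("recovered key    : 0x%02x" % key)
    print(text.decode("ascii"), end="")
```

The key space is 256 values, so the search finishes instantly regardless of file size, and the unchanged entropy is what lets a reviewer tell this kind of obfuscation from real encryption at a glance.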

------------------------------

Date: Tue, 06 May 1997 20:55:42 -0400
From: Minor Threat <mthreat@paranoia.com>
Subject: File 3--TV interview w/2 hackers banned from computers

TV.COM is a weekly, 30-minute television show devoted to topics of
the Internet, online services, web pages and new computer
technology. The May 17th show will feature interviews with two
hackers who have been ordered by federal judges to stay away from
computers after they were found guilty of committing computer and
other crimes.

Minor Threat will discuss the details of his ban from the Internet
and how it will affect him when he is released and why he feels it
is unfair. His crime was not computer-related, but the judge
believed he had the capability to electronically retaliate against
the arresting officer by altering his credit rating and so,
ordered an Internet ban placed on him.  Minor Threat was
interviewed early April at FCI Bastrop where he is currently
serving a 70-month sentence. His web page is at
www.paranoia.com/~mthreat/.

Notorious computer hacker Kevin Poulsen was released from federal
prison last summer after serving 51 months and is now struggling
to cope with a life without computers. Having been surrounded by
computers up until his capture in 1991, his life has drastically
changed since he is currently prohibited from touching or being in
the same room as one. He will discuss the difficulties he faces as
a non-computer user in a high-tech environment.  His web page is
at www.catalog.com/kevin/.

Please check the TV.COM web site (www.tv.com) for local time and
channel listings in your area.

------------------------------

Date: Thu, 8 May 97 12:12:34 -0700
From: "Gordon R. Meyer" <grmeyer@apple.com>
Subject: File 4--Fwd: intellectual property and graduate students

Date--Thu, 1 May 1997 08:49:19 -0700
From--Tony Rosati <rosati@gusun.acc.georgetown.edu>

Source -  nagps-official@nagps.org

Intellectual Property May Prove to Be the Pressing Graduate &
Professional Student Concern at the Turn of the Century!

Find Out How YOU Can Help NAGPS Prepare to Help Save YOUR Intellectual
Property Rights!

by Anthony Rosati
NAGPS Information Exchange Coordinator

Recently, at the Annual NAGPS Southeastern Regional Meeting, in Atlanta
this past April 11-13, Anne Holt, former SE Regional Coordinator for
NAGPS & Speaker of the Congress of Graduate Students of Florida State
University gave a presentation & presided over a Roundtable on
Intellectual Property. Her findings shocked the entire room of attendees.

She started off using her school, FSU, as a starting point. She pointed
out that at FSU, graduate & professional students, and even undergraduate
students, fall under the faculty guidelines for intellectual property,
regardless of whether they are working for the university or simply
matriculated. In addition, the FSU faculty handbook, in the section where
IP issues are discussed, clearly points out that even in areas that are
unrelated to the work done at the university and any work done at home or
after-business-hours is encompassed. It even explicitly stated that
AFTER one left the FSU, one's work, whether related to the support
received from FSU or not, could be claimed by FSU and was, for all intents
and purposes, theirs to lay claim to. We were all shocked. It basically
stated that regardless of whether you were working on campus or not,
working during business hours or not, working on something you were
matriculated or hired for, if you came up with it, it belonged to the FSU.

Anne mentioned several cases, including one of a Univ. of South Florida
graduate student, who documented that he worked on a computer software
package off-hours and at home, without any resources from the university,
and yet is still sitting in a jail cell awaiting trial.

Then Anne Holt began asking attendees what their schools' IP policies
were. Only a handful of individuals could cite them, and even fewer
realized that they may be covered by such policies.

Anne Holt is now spearheading an investigation for NAGPS into what
policies exist at different schools. She would like to collect as many
policies as possible from different institutions. If you can, please
send the relevant
excerpts by e-mail to NAGPS-IP-CRISIS@NAGPS.ORG, or if transcribing that
information into an e-mail message is too daunting or too large, please
send a hardcopy or photocopy of the policy to

	Anthony V. Rosati
	NAGPS Information Exchange Coordinator
	6630 Moly Drive
	Falls Church, VA 22046
	ATTN: IP Crisis

Anne & I will pore through the resulting collection and distill the
results into a document for use by all NAGPS Members. Additionally,
a recommended policy for Intellectual Property concerns between students
and institutions of higher learning, as well as a draft position statement
for the Association will be created and presented to the Membership at the
New Orleans Meeting this coming October for amendment & ratification.

Before parting, Anne & I wanted to remind all that with the future of
Intellectual Property becoming unstable and confusing, only YOU can
best protect your Intellectual Property by:

	(1) Knowing your rights under the contract(s) you signed when
	    matriculating and/or accepting work with the university.
	(2) Knowing the current state & federal laws regarding the
	    protection and claiming of Intellectual Property.
	(3) Carefully documenting the conditions, resources and
	    chronology of your research and intellectual effort,
	    regardless of its status.
	(4) Working with a strong advocacy group, like the AAUP, or
	    the NAGPS, to ensure your rights are understood and
	    addressed by local, regional & national legislatures.

You can learn some more about Intellectual Property Rights by going to the
NAGPS Web site at http://www.nagps.org/NAGPS/ and clicking on the Focus
Issues link - from there, click on the Legislative Issues link and go to
the bottom of the page.

Regards,

Anthony Rosati
NAGPS Information Exchange Coordinator

------------------------------

Date: Fri, 02 May 1997 09:59:58 -0400
From: "Robert A. Costner" <pooh@efga.org>
Subject: File 5--Georgia expands the "Instruments of Crime"

Source -  fight-censorship@vorlon.mit.edu

     +++++++++++++

In Georgia it is a crime, punishable by $30K and four years to use in
furtherance of a crime:

 * a telephone
 * a fax machine
 * a beeper
 * email

The actual use of the law, I think, is that when a person is selling drugs
and either is in possession of a beeper, or admits to using the phone to
facilitate a meeting, he is charged with the additional felony of using a
phone.  This allows for selective enforcement of additional penalties for
some people.

  O.C.G.A. 16-13-32.3.

  (a) It shall be unlawful for any person knowingly or intentionally to
  use any communication facility in committing or in causing or
  facilitating the commission of any act or acts constituting a felony
  under this chapter. Each separate use of a communication facility
  shall be a separate offense under this Code section.  For purposes of
  this Code section, the term "communication facility" means any and all
  public and private instrumentalities used or useful in the
  transmission of writing, signs, signals, pictures, or sounds of all
  kinds and includes mail, telephone, wire, radio, computer or computer
  network, and all other means of communication.

  (b) Any person who violates subsection (a) of this Code section shall
  be punished by a fine of not more than $30,000.00 or by imprisonment
  for not less than one nor more than four years, or both.

------------------------------

Date: Fri, 2 May 1997 15:08:43 -0500 (CDT)
From: Crypt Newsletter <crypt@sun.soci.niu.edu>
Subject: File 6--More on Gov't Goofs on Virus Hoaxes (Crypt Reprint)

((MODERATORS NOTE:  For those unfamiliar with Crypt Magazine,
you should check it out. The homepage is at:
http://www.soci.niu.edu/~crypt - and the editor, George Smith,
is to covering computer viruses what Brock Meeks and
Declan McCullagh are to Net politics)).


CRYPT NEWSLETTER 42
April -- May 1997


HOISTED ON THE PETARD OF PENPAL

In an astonishing gaffe, government intelligence experts writing
for the Moynihan Commission's recent "Report . . . on Protecting
and Reducing Government Secrecy" reveal they've been hooked on one
of the Internet's ubiquitous e-mail computer virus hoaxes
known as "Penpal Greetings"!

In a boldly displayed boxed-out quote (page 109) in a part of the
report entitled "Information Age Insecurity" authors of the report
proclaim:

"Friendly Greetings?

"One company whose officials met with the Commission warned its
employees against reading an e-mail entitled Penpal Greetings.
Although the message appeared to be a friendly letter, it
contained a virus that could infect the hard drive and destroy all
data present. The virus was self-replicating, which meant that
once the message was read, it would automatically forward itself
to any e-mail address stored in the recipients in-box."

The Penpal joke is one in half-a-dozen or so permutations spun
off the well-known GoodTimes e-mail virus hoax.  Variations on
GoodTimes have appeared at a steady rate over the past couple
years. Real computer security experts -- as opposed to the
Moynihan commission's -- now occasionally worry in the press that
they spend more time clearing up confusion created by such
tricks than destroying actual computer viruses.

The report's authors come from what is known as "the Moynihan
commission," a group of heavy Congressional and intelligence
agency hitters tasked with critiquing and assessing the Byzantine
maze of classification and secrecy regulation currently embraced by
the U.S. government. The commission also devoted significant print
space to the topic of information security and network intrusion.

Among the commission's members are its chairman, Daniel Moynihan;
vice-chairman Larry Combest, Jesse Helms, ex-CIA director John
Deutch and Martin Faga, now at a MITRE Corporation facility in McLean,
Virginia, but formerly a head of the super-secret, spy satellite-flying
National Reconnaissance Office.

The part of the commission's report dealing with "Information Age
Insecurity" merits much more comment.  But in light of the report's
contamination by the Penpal virus hoax, two paragraphs from the March 4
treatise become unintentionally hilarious:

"Traditionally, computer security focuses on containing the effects of
malicious users or malicious programs. As programs become more complex,
an additional threat arises: _malicious data_ [Crypt Newsletter emphasis
added] . . . In general, the outlook is depressing: as the economic
incentives increase, these vulnerabilities are likely to be
exploited more frequently.

---W. Olin Sibert, 19th National Information Systems Security
Conference (October 1996)"

And,

"Inspector General offices, with few exceptions, lack the personnel,
skills, and resources to address and oversee information systems
security within their respective agencies. The President cannot turn to
an Information General and ask how U.S. investments in information
technology are being protected from the latest viruses, terrorists, or
hackers."

Got that right, sirs.
  ----------------------

Notes: Other authors of the commission report include Maurice
Sonnenberg, a member of the President's Foreign Intelligence Advisory
Board; John Podesta, a White House Deputy Chief of Staff and
formerly a visiting professor at Georgetown University's Cyberlaw
Center; Ellen Hume, a media critic for CNN's "Reliable Sources"
and former reporter for the Wall Street Journal and Los Angeles Times;
and Alison Fortier, a former National Security Council staffer and
current director of Missile Defense Programs in a Washington,
D.C.-based arm of Lockheed Martin.

The Penpal Greetings hoax appeared in November of 1996 which would
seem to indicate the section of the report containing it was not written
until a month or so before the report's publication on March 4 of
this year.

Unsurprisingly, much of the report appears to be written by staff
members for the commission chairmen.  An initial phone call to
the commission was answered by a staffer who declined to name the
author of the part of the report carrying the Penpal hoax. The
staffer did, however, mention he would forward the information to
the author.  And he was as good as his word.  The following week,
Crypt Newsletter was told to get in touch with Alison Fortier
by way of Jacques Rondeau, a U.S. Air Force colonel who served as
a commission staff director and was instrumental in writing the
chapter on "computer insecurity."

Fortier was surprised by the information that Penpal Greetings
was a hoax and could shed no light on the peer-review process that
went into verifying items included as examples in the report.  She
said the process involved readings of the material by staffers to
the commissioners.  Examples were presented and this was one of
the ones that was picked, apparently because it sounded good.

At first, Fortier argued that Penpal Greetings, as an example,
was difficult to distinguish from the truth. Indeed, Fortier wasn't
even convinced it wasn't a real virus. And this demonstrates the thorny
problem that arises when hoaxes work their way into the public
record at a very high level of authority: Simply, there is a great
reluctance to accept that they ARE rubbish, after the fact, because the
hearsay has come from multiple, supposedly authoritative, sources.

Crypt Newsletter then told Fortier that verification of whether or
not Penpal was bogus could have been accomplished by spending five
minutes of time on any of the Internet search engines and using it
as a keyword ("Penpal Greetings" returns numerous cites indicating
it is a hoax) and the Moynihan commissioner backed off on insistence
that it might still be real.

"It's unfortunate that this error occurred because it can interfere
with the recommendations of the commission, which are still valid,"
Fortier said.  "When policy meets science -- it's always an imperfect
match."

Crypt Newsletter also queried commissioner and ex-NRO director Martin
Faga. "I've been aware of the error since shortly after
publication of the report, but I'm not familiar with the background," Faga
told Crypt.

Commissioner Ellen Hume was also at a loss as to how Penpal Greetings
had arrived in the report.

Commission staff director Eric Biel had more to say on the subject in a
letter to Crypt Newsletter dated April 24. In it, Biel wrote: "I am
very frustrated that we failed to get our information correct in
this regard; as you note, the error only adds to the confusion
concerning a very complicated set of security issues.  You are quite
right when you indicate this portion of the report was added late
in the day.  We had been urged to provide some anecdotes to complement
the narrative text; this example thus was added to give greater
emphasis to the points already being described . . . Obviously, there
was not an adequate fact-checking and verification process with
respect to the Penpal information."

Biel added that he was still confident of "the soundness of [the
report's] findings and recommendations, including [those in the chapter
'Information Age Insecurity.']"

Go ahead, contact the Moynihan Secrecy Commission at 202-776-8727
and verify for them that Penpal Greetings is a hoax. After all, it's your
money, too.  But hurry, they're moving out of the office by the middle
of the month.

Acknowledgment: A copy of the Moynihan Commission report is mirrored
on the Federation of American Scientists' Website. Without FAS' timely
and much appreciated efforts to make government reports and documents
of strategic interest freely available to an Internet readership, Crypt
Newsletter's rapid tracing of the travel of the Penpal hoax into the
commission's record might not have been possible.


WE ARE THE ENEMY: BUNKER MENTALITY IN USAF INFO-WAR KOOKS

Just in case you've harbored the suspicion that Crypt Newsletter
exaggerates the outright paranoia now gripping portions of the
United States military with regard to the Internet, in this
issue I've excerpted substantial portions of an article which
appeared in a July 1996 issue of Intercom, an electronic
publication published on a Web server out of Scott Air Force Base in
Illinois. Intercom is a good source of US Air Force orthodoxy on the
topic of information technology as it pertains to members of the
service.

In this article, the information airmen of Goodfellow AFB,
Texas, tell us they're already under attack.  Computer viruses,
say soldiers, are continuously assaulting the base, leaving it
in essentially a continual state of information war.  While the
article may appear reasonable to the principals who commissioned it,
publishing it on the Internet has only served to reinforce the
notion that some "info-warriors" in the U.S. military are starkly
paranoid nutcases.

"It's a whole new realm of warfare and you're no longer safe at work
or at home," said Lieutenant Randy Tullis, for Intercom.

"As evidence of the increase in information warfare activity,
communications officials at Goodfellow have logged 12 incidents of
computer viruses in less than four months this year," said
Sgt. Michael Minick.

The Intercom feature continues, "In all of 1995,
[Goodfellow] handled 14 cases [of computer virus infection.]"

"While viruses are not an all-out war waged against the base with
weapons of mass destruction, the results can be devastating," states
the article, rather balefully.

"Information warriors will try to deal heavy blows in future wars,
and Goodfellow and its 315th Training Squadron is at the forefront in
training defenders against these warriors," the article says.

"The most popular aspect of [information war] is the process of
attacking and protecting computer-based and communication information
networks," said Goodfellow AFB's Captain Tim Hall.

Hall had also advertised on the Internet in mid-November 1996 for
an info-war instructor at Goodfellow.  The job description called
for a captain's rank to "[Create and develop] infowar curricula for all
new USAF Intelligence personnel;  Supervise IW Lab development, student
training, infowar instructional methods and infowar exercises."

"Some attacks are by people who unintentionally access networks and
others are by those bent on destroying government computer data
through use of devastating viruses and other means," said Hall.

"Students also learn how other countries such as Russia, China and
France plan to conduct [information warfare] operations," said Hall.

"Indeed," said Crypt Newsletter.

It's war -- war against hackers, say the information soldiers of
Goodfellow.

Instruction courses at the base are designed to inculcate "basic
awareness in the defensive skills needed to recognize and defeat
information warriors, commonly called computer hackers," Hall
said for Intercom.

Goodfellow is stepping up efforts to train its information warriors.
"We are going to propose Team Goodfellow build an advanced [information
warfare] course," said another soldier. "It will teach offensive and
defensive concepts in a classroom and hands-on training in a lab
environment," which is a tricky way of saying that soldiers
think hacking the hackers, or whoever they think might be launching
info-war attacks, is a savvy idea.

Long-time Crypt Newsletter readers probably can't help but
recognize trenchant similarities between the quotes of Goodfellow
info-warriors and examples of the paranoid rantings found sprinkled
through the writings of teenager-composed 'zines from the computer
underground ca. 1992.

We'll kick them off Internet Relay Chat.  They'll never get
channel ops on our watch.  Yeah, that's the ticket.

------------------------------

Date: Thu, 7 May 1997 22:51:01 CST
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 7--Cu Digest Header Info (unchanged since 7 May, 1997)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

     SUBSCRIBE CU-DIGEST
Send the message to:   cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

         In ITALY: ZERO! BBS: +39-11-6507540

  UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
    Web-accessible from: http://www.etext.org/CuD/CuD/
                  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
  EUROPE:         nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
                  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)


The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

------------------------------

End of Computer Underground Digest #9.36
************************************