Computer underground Digest    Wed  May 13, 1998   Volume 10 : Issue 29
                           ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Shadow Master: Stanton McCandlish
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Field Agent Extraordinaire:   David Smith
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #10.29 (Wed, May 13, 1998)

File 1--Re: File 8--Re: technical solutions to spam problem
File 2--Re: Technical Solutions to Spam (Cu Digest, #10.28)
File 3--Re: Technical solutions to spam (follow-up)
File 4--1st Amendment Debated in Porn Case  (AP fwd)
File 5--POLICY POST 4.11: Pro-Encryption Bill
File 6--Fwd: Secure Cyberspace Crime-Fighting Tool from GTE...
File 7--"Electronic Civil Disobedience"
File 8--POLICY POST 4.9: FCC Launches Inquiry Into Wiretap Law
File 9--REVIEW: "Intranet Security", John Vacca
File 10--Cu Digest Header Info (unchanged since 25 Apr, 1998)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Thu, 07 May 1998 15:03:26 -0500
From: Neil W Rickert <rickert@CS.NIU.EDU>
Subject: File 1--Re: File 8--Re: technical solutions to spam problem

"Vladimir Z. Nuri" <vznuri@netcom.com> writes:

>In CuD #10.25, Neil Rickert responds to my post, "technical
>solutions to the spam problem" in #10.24. He writes that I have
>"misdiagnosed the problem" in referring to SendMail.

Obviously Vladimir and I have a serious disagreement on what to do
about the spam problem.  Rather than respond point-by-point to
Vladimir's latest message, let me try to clarify what our
differences are.

The original ideal of email is that any person should be able to send
any message to any other person, using any available machine to send
the message.  For most of the history of email, the work has been on
achieving the degree of connectivity and interoperability required to
reach this ideal.

Now we discover that we are receiving email that we do not want
(spam, for example).  So the question is to decide what to do about
this.

I can think of three general approaches:

  The private or individual solution:  Each person deletes/discards
    undesired messages.  This could either be done manually, or with
    some kind of AI software used and configured by the user.

  The technical solution:  System software (spam filters, etc.) is
    put in place to refuse to accept certain types of messages.

  The social solution:  A system of social constraints is used so
    that very few undesired messages are sent in the first place.

Both the private solution and the social solution are completely
consistent with the original ideal of email.  Vladimir favors the
technical solution.  What concerns me is that the technical solution
essentially eliminates the original ideal.  It replaces the original
ideal with the one that says big brother or software nanny (in the
form of spam filters) is watching, and the only messages that can be
sent are those that meet the approval of big brother.

The problem with spam arises, I suggest, because the network gives
people such a sense of anonymity that ordinary social constraints
break down.  Rather than have a technological big brother or software
nanny controlling what email can be sent, I think we should be
working to find ways of reintroducing social constraints to the net.

=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
  Neil W. Rickert, Computer Science               <rickert@cs.niu.edu>
  Northern Illinois Univ.
  DeKalb, IL 60115                                   +1-815-753-6940

------------------------------

Date: Mon, 4 May 1998 04:06:32 -0700 (PDT)
From: Troy <tk@www.alliancestudio.com>
Subject: File 2--Re: Technical Solutions to Spam (Cu Digest, #10.28)

Re: technical solutions to SPAM
I thought you might be interested in my internal solutions to SPAM
control.

I am in charge of a few Linux based systems with a rather large
volume of email traffic. The problem from my perspective was that
people were using my machines as relays for sending email.

The first solution was to deny relaying from machines not on an IP
address associated with one of our legitimate domains. Once this
was done, relaying by non-customers was effectively denied.

The next problem was spam from dial-up users who were allowed to
use the mail server for relaying mail.  These people have the
right to send mail, but not the right to send spam.

I figured there were two potential solutions to this problem:  1.
check their password.  2. limit the amount of email they can send
in a certain time period.

Checking a password would be the ideal solution. However, this
would have involved too much training of users, so it is not a
currently workable solution. (POP servers have the ability to send
mail, so the potential is there.)

I opted for limiting the number of emails a user can send.  To
implement the solution, I wrote some extra functions and compiled
them with sendmail. The solution has worked well for a while now,
with only one complaint, from a user I still think was a spammer
in denial.

The solution is simple:  I check for the connecting machine's
domain name first. Then I create a file which is based on that
name. I use the file as a counter to figure out how many emails
the user has sent in a predefined time period. If they have
exceeded their limit, I give them a message which tells them they
have exceeded their limit. I found that 15 emails in 10 minutes
is a good compromise. I count multiple recipients in one email, as
well as recipients in separate emails.

There is also a function to limit the daily total. I have this one
disabled, but it could be used, if necessary. If I started
receiving complaints, I would consider raising the 10 min. limit
to 30 and the daily total to 100; but without complaints, I don't
see a reason to do that.

I would be interested in hearing about other peoples' internal
solutions, or if anyone disagrees with my solution.
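
The counter scheme described in the message above, sketched as an added example (not the poster's code and not part of sendmail). The function names, the counter-file format, the /tmp directory and the host names are assumptions made here; the limits of 15 recipients per 10 minutes and 100 per day come from the message.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* flock() and O_NOFOLLOW under strict -std= modes */
#endif
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

#define WINDOW_SECS 600L        /* 10 minutes (from the message) */
#define WINDOW_MAX  15L         /* recipients per window (from the message) */
#define DAY_SECS    86400L
#define DAY_MAX     100L        /* daily total suggested in the message */

/* Build the counter file name for a client. The host name comes from reverse
 * DNS, i.e. from the remote side, so only [a-z0-9.-] is kept; '/', a leading
 * '.' and everything else become '_' and the file cannot leave dir. */
static int counter_path(const char *dir, const char *host, char *out, size_t outlen)
{
    char safe[256];
    size_t i, n = strlen(host);
    int w;

    if (n == 0 || n >= sizeof safe)
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        safe[i] = (isalnum(c) || c == '-' || (c == '.' && i > 0))
                      ? (char)tolower(c) : '_';
    }
    safe[n] = '\0';
    w = snprintf(out, outlen, "%s/%s.cnt", dir, safe);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Account for nrcpt recipients from host at time now.
 * Returns 1 = accept, 0 = over the limit (the caller would answer with a
 * temporary SMTP failure), -1 = error. Each recipient counts, whether it
 * arrives in one message or in several, as the message describes. */
int quota_check(const char *dir, const char *host, int nrcpt, time_t now, int daily_on)
{
    char path[512], buf[128];
    long ws = 0, wc = 0, ds = 0, dc = 0, t = (long)now;
    int fd, ok, len;
    ssize_t n;

    if (nrcpt <= 0 || counter_path(dir, host, path, sizeof path) != 0)
        return -1;
    fd = open(path, O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX) != 0) {      /* several daemon children may serve one client */
        close(fd);
        return -1;
    }
    n = read(fd, buf, sizeof buf - 1);
    if (n > 0) {
        buf[n] = '\0';
        if (sscanf(buf, "%ld %ld %ld %ld", &ws, &wc, &ds, &dc) != 4)
            ws = wc = ds = dc = 0;      /* unreadable record: start over */
    }
    if (t - ws >= WINDOW_SECS) { ws = t; wc = 0; }   /* 10-minute window expired */
    if (t - ds >= DAY_SECS)    { ds = t; dc = 0; }   /* daily window expired */

    ok = wc + nrcpt <= WINDOW_MAX && (!daily_on || dc + nrcpt <= DAY_MAX);
    if (ok) { wc += nrcpt; dc += nrcpt; }            /* refused mail is not counted */

    len = snprintf(buf, sizeof buf, "%ld %ld %ld %ld\n", ws, wc, ds, dc);
    if (ftruncate(fd, 0) != 0 || lseek(fd, 0, SEEK_SET) != 0 ||
        write(fd, buf, (size_t)len) != len)
        ok = -1;
    close(fd);                          /* closing the descriptor drops the lock */
    return ok;
}

int main(void)
{
    const char *host = "dialup7.example.net";   /* constructed sample client */
    time_t t0 = time(NULL);
    int i;

    for (i = 1; i <= 17; i++)
        printf("rcpt %2d -> %s\n", i,
               quota_check("/tmp", host, 1, t0, 0) == 1 ? "accept" : "refuse");
    return 0;
}
```

Keying the counter on the connecting host name means a dial-up user who reconnects under a different name gets a fresh counter, which is one reason the message treats password checking as the ideal solution.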

------------------------------

Date: Mon, 11 May 1998 10:15:19 -0700 (PDT)
From: Troy <tk@www.alliancestudio.com>
Subject: File 3--Re: Technical solutions to spam (follow-up)

I wanted to mention, in relation to spam control, that it is
always possible for a spammer to send mail without using the
services of a mail relay by setting up his/her own server behind a
dial-up link.

Because of this, no amount of changes to sendmail will prevent
spammers from operating.

The real solution to totally controlling the flow of spam for ISPs
is one of the following:  (There might be other solutions, but
these are the ones I can think of.)

Solution 1.
   Implement a filter on dial-up servers which blocks transmissions
   of TCP/IP packages which contain mail messages not headed for the ISP's
   own mail relay. Then implement strict controls on the type
   of activity that is allowed on the mail server (limit number of emails,
   etc.).

Solution 2.
   Refuse mail from hosts which do not have a valid domain name,
   and whose host name does not contain an smtp suffix.
   A dial-up connection will usually resolve to a valid host name,
   so unless there is some standard (e.g. smtp.myhost.com)
   to naming smtp servers, spammers can still use mail servers
   who only check for a valid domain name. On the other hand,
   requiring an smtp suffix would make it impossible for a spammer
   to send mail from their own machine without having control of the
   domain, forcing them to use a mail relay of their ISP's.
   If the ISP then enforces strict controls on mailing activity,
   they can prevent spam for all their users.

Solution 3.
   Authenticate all mail servers through another protocol,
   using another registration system similar to DNS, where
   a mail server cannot be used until it has been registered.
   Then have every machine run the server, so results can be cached
   and resources distributed (similar to DNS).

   To prevent a legal and financial mess such as InterNIC from occurring,
   I would recommend a distributed system where name servers query a much
   larger number of voluntary central servers, and where a server can be
   registered with any of those central servers (DNS requires a name server
   to know about several central servers, but registration can only be done
   with one of them, which is utterly silly, although a great money making
   strategy). Each local server could decide which central server to use by
   their geographic (traceroute based) location.

When either one of the above solutions is combined with denying service
to mail servers of ISPs who refuse to implement spam controls,
spam can be eliminated (until we find a smarter, more advanced breed of a
spammer).

I would like to add that a MUCH bigger threat to the Internet community
than spammers would be if large ISPs/online service providers denied
mail service to small ISPs for some reason that is beyond the control
of the small ISPs. E.g. business reasons such as promoting a friendly
company's mail server product or only accepting mail from ISPs
who belong to Organization X, or some other reason other than
valid reasons such as the ISP being the source of vast amounts of
SPAM.

------------------------------

Date: Wed, 29 Apr 1998 17:03:43 EDT
From: Cu digest <Cudigest@aol.com>
Subject: File 4--1st Amendment Debated in Porn Case  (AP fwd)

1st Amendment Debated in Porn Case
By RAJU CHEBIUM
(Associated Press)

BALTIMORE (AP) - Journalist Larry Matthews says he was researching
a story on the explosion of child pornography in cyberspace when
he logged into Internet chat groups and received and sent images
depicting children in sexually explicit situations.

Story or no story, federal prosecutors say it's still child
pornography and what Matthews did is illegal. The case has spurred
a debate over the freedom of the press and government controls on
information, and Matthews could end up in prison.

Matthews, 54, and media organizations maintain he has a First
Amendment right to do research on a controversial subject.

<snip>

Prosecutors say the law makes no exceptions for journalists or
anyone else.  They also say they don't believe Matthews' interest
was merely professional, and they are trying to prevent him from
invoking a freedom-of-the-press argument.

<snip>

------------------------------

Date: Tue, 12 May 1998 13:55:25 -0400
From: Graeme Browning <gbrowning@CDT.ORG>
Subject: File 5--POLICY POST 4.11: Pro-Encryption Bill

Source: The Center for Democracy and Technology - Volume 4, Number 11
----------------------------------------------------------------------------
      A briefing on public policy issues affecting civil liberties online
----------------------------------------------------------------------------
CDT POLICY POST Volume 4, Number 11                         May 12, 1998

CONTENTS: (1) Senators Introduce Pro-Privacy Encryption Bill,
                 In Stark Contrast to Administration Position
          (2) How to Subscribe/Unsubscribe
          (3) About CDT, Contacting us

   ** This document may be redistributed freely with this banner intact **
        Excerpts may be re-posted with permission of gbrowning@cdt.org

      |PLEASE SEE END OF THIS DOCUMENT FOR INFORMATION ABOUT HOW TO
                SUBSCRIBE, AND HOW TO UN-SUBSCRIBE|
_____________________________________________________________________________

(1) SENATORS INTRODUCE PRO-PRIVACY ENCRYPTION BILL, IN STARK CONTRAST TO
                   ADMINISTRATION POSITION

A new weapon in the arsenal against misguided U.S. encryption policy
arrives today as Sens. John Ashcroft (R-Mo.) and Patrick J. Leahy (D-Vt.)
introduce their new encryption bill, which lays out a pro-privacy approach
to computer security that contrasts starkly with the Clinton
Administration's approach. The new bill, the E-PRIVACY Act, protects the
privacy of all Americans by:
  ** protecting the domestic use of strong encryption without  "key
recovery" back doors for government eavesdropping;
  ** easing export controls to allow U.S. companies to sell their
encryption products overseas;
  ** strengthening protections from government access to decryption keys; and
  ** creating unprecedented new protections for data stored in networks and
cell phone location information.

A section-by-section analysis of the bill is available online at
http://www.cdt.org/crypto

CDT is concerned about several features in the E-PRIVACY Act  that create
new threats to privacy online.  The bill establishes a new research center
to assist federal, state and local police in dealing with encrypted data.
The bill also makes it a crime to use encryption to obstruct justice.
Implementing these provisions will require intensive oversight and public
comment.

Overall, the E-PRIVACY Act presents a strong pro-privacy approach to the
encryption issue, in marked contrast to the export controls and mandatory
backdoors embraced by the Clinton Administration. The bill makes more
encryption, more accessible, to many more people. It also creates new
privacy protections for data stored on networks - protections that will
become increasingly important as more people go online.

Major provisions of the new bill would:

 *** Prevent the federal government from requiring back door access to
encrypted  communications and files:
     The bill reaffirms the right to use strong encryption domestically
without the 'key recovery' back doors supported by the Administration.  It
also prohibits the federal government from creating regulations or
standards designed to coerce public use of key recovery. To further limit
the government's ability to force people to use key recovery, the bill
requires that government key recovery systems be interoperable with
non-key-recovery systems.

 *** Ease export restrictions:
     The E-PRIVACY Act would remove most export controls on generally
available and mass market encryption software and hardware. PGP, or 128-bit
Netscape and Internet Explorer, would be readily exportable to all but a
handful of countries. Custom encryption products would be exportable to
countries where comparable products are commercially available.

 *** Establish privacy protections for encryption keys entrusted to third
parties:
     Today, a decryption key entrusted to a third party receives little
protection. Such keys can be demanded by the federal government with a mere
subpoena, without the supervision of a judge or any notice to the key's
owner. The bill would give decryption keys in the hands of third parties
the same protections they would have if they were retained by the key
owners. Such keys could only be retrieved by the government with a
"probable cause" court order, or with a subpoena served on the key owner
with a meaningful opportunity for the key owner to challenge it. This
provision could prove extremely important if encryption users voluntarily
choose to use key recovery, as many are expected to do.

 *** Strengthen privacy protections for data stored in networks:
     In the future world of networked computing people will increasingly
store sensitive data outside of their homes. Under current law, data stored
on computer networks outside of a person's possession may receive limited
privacy protections.  This data may be accessible to government officials
without the owner's knowledge and without supervision by the courts. The
E-PRIVACY Act would create new standards protecting networked data as if it
were stored in an individual's possession.  The act would require a court
order based upon probable cause, or a subpoena that the information's owner
has a meaningful opportunity to challenge.

 *** Strengthen privacy protections for cellular phone location information
and other data:
     The bill would also strengthen protections for cellular phone location
information, requiring a court order based upon probable cause before
sensitive physical location data could be turned over to the government.
The bill also gives  judges more authority in reviewing government requests
to install "trap and trace devices" and "pen registers," commonly used
surveillance devices that record revealing data about a person's telephone
usage.

The new bill also contains provisions designed to address law enforcement
concerns with encryption. An "obstruction of justice" encryption crime is
included, similar to the narrow provision found in the House SAFE bill. The
bill also establishes a new "Net Center" designed to improve federal,
state, and local resources for dealing with encryption. CDT believes that
both of these provisions are cause for concern and their implementation
will need to be closely monitored to ensure that they do not create new
burdens on the privacy of individuals using encryption.

CDT applauds Senators Ashcroft, Leahy, Burns, Boxer, and the bill's other
cosponsors for their forward-looking view of privacy and security online.
The E-PRIVACY Act represents a milestone in the hard-fought congressional
debate on encryption. While the Administration and some in the Senate have
continued to push for key recovery, the bill presents a diametrically
opposed approach, giving individuals and companies the technical tools and
legal protections needed to protect their security. On balance, the
E-PRIVACY Act would be a major step forward for individual privacy in the
Information Age.

More information about the encryption issue is available at CDT's Web site,
at http://www.cdt.org/crypto If you're interested in becoming more involved
in the encryption debate, please visit CDT's "Adopt Your Legislator"
campaign at: http://www.crypto.com

   _______________________________________________________________________

(2) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list.  CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
more than 13,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

                majordomo@cdt.org

in the BODY of the message (leave the SUBJECT LINE BLANK), type

     subscribe policy-posts


If you ever wish to remove yourself from the list, send mail to the above
address with NOTHING IN THE SUBJECT LINE AND a BODY TEXT of:

    unsubscribe policy-posts

_____________________________________________________________________________

(3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.

Contacting us:

General information:  info@cdt.org
World Wide Web:       http://www.cdt.org/


Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW * Suite 1100 * Washington, DC 20006
             (v) +1.202.637.9800 * (f) +1.202.637.0968





------------------------------

Date: Wed, 29 Apr 1998 17:01:04 EDT
From: AOL News <AOLNews@aol.com>
Subject: File 6--Fwd: Secure Cyberspace Crime-Fighting Tool from GTE...

Secure Cyberspace Crime-Fighting Tool from GTE Eliminates
Geographical Boundaries, Allows Police Officers to Collaborate on
the Web to Solve Cases Involving Gangs, Drug Trafficking and More

    ST. LOUIS--(BUSINESS WIRE)--April 27, 1998--Captain Wade
Goolsby of the Coppell Police Department in Texas meets daily with
more than  50 officers from seven law enforcement agencies to
discuss forgeries, burglaries, sexual assaults and homicides in
the north central Texas  region.

    He does this by joining the others in a cyberspace "meeting"
where entry is protected by an electronic version of passing
through  numerous security checks.

    Goolsby and others use The Bastille(SM) service by GTE
(www.bastilleinfo.com), a highly secured Internet application
permitting real time sharing of information among agencies on a
local, regional, national and international basis.  The
crime-fighting system is being introduced to federal and regional
law enforcement agencies attending the 1998 Economic Crime Summit
here  this week.  Law enforcement agencies may either subscribe
monthly for $199, or sign a three-year contract for $189 per
month.

    Unlike popular depictions on police television shows, computer
systems are not in place today that allow criminal investigative
offices to share crime reports and investigative information on a
city-to-city or state-to-state basis.  Taking advantage of the
ubiquitous availability of the Internet, The Bastille service will
provide law enforcement officers an electronic forum for the
exchange of vital information using the latest emerging
telecommunications and security technologies.

    "Crime occurs in all areas without regard to geographical
boundaries," said Dave Watkins, general manager -- law enforcement
services for GTE Enterprise Solutions, a division of GTE Corp.
"With The Bastille, law enforcement agencies can cross those same
boundaries to keep criminals off the street and behind bars."

    During a six-month pilot in Texas that just ended, officers
from  seven police departments including the cities of Coppell,
Richardson, Irving, Carrollton, Plano, Lewisville and Flower
Mound, provided  direct input into the system's design and
features.

    The officers recommended that many safeguards be included to
keep hackers out, according to Goolsby.  "You pass through
multiple layers of security to get to The Bastille, and it has
highly secured  encrypted databases to protect the information."

    Of critical importance was creating a system to communicate
and exchange information without having to worry about the
security risk of using telephones, fax machines, cellular phones
or 800 MHz radios -- all of which can be monitored by various
public scanner devices.  One of The Bastille's popular
applications -- the Chat Room -- provides a toll-free opportunity
to exchange secured communications via animated desktop icons
known as avatars that "talk."

    "With The Bastille, we're getting information that we didn't
have before," Goolsby explained, "because it tended to remain
within an  agency and was not shared.  Now I can search for
up-to-date  information and see if a city close by arrested
someone I was  investigating."

    The central core of The Bastille system is the File Room, a
rich  database of offenses and photos of suspects input by the
officers  themselves.  "We'll see more clearance rates, property
recoveries,  arrests and convictions as each agency adds
information about their  investigations," Goolsby said.  "The more
information in the  database, the more useful and valuable it
becomes."

    "We're using the World Wide Web as well as old-fashioned shoe
leather to solve crimes," Watkins added.  "In order to do this,
police officers must talk to each other, and The Bastille helps
them  do this in cyberspace without the constraints of geography
or time."

    Law enforcement agencies that want to subscribe to The
Bastille  may call toll-free 888/483-4700, or visit its Web site
at  http://www.bastilleinfo.com, access the file cabinet and click
on  "contact" to leave their contact information.

    With 1997 revenues of more than $23 billion, GTE is one of the
world's largest telecommunications companies and a leading
provider  of integrated telecommunications services.  In the
United States, GTE provides local service in 28 states and
wireless service in 17  states; nationwide long-distance and
internetworking services ranging from dial-up Internet access for
residential and small-business  consumers to Web-based
applications for Fortune 500 companies; as  well as video service
in selected markets.  Outside the United States, the company
serves more than 7 million telecommunications  customers.  GTE is
also a leader in government and defense  communications systems
and equipment, directories and  telecommunications-based
information services, and aircraft-passenger telecommunications.

CONTACT:

GTE

Bill Kula, 972/718-6924

E-mail: william.kula@telops.gte.com

or

Cristina Coffin, 888/GTE-Media (888/483-6334)

E-mail: coffin@gte.net

------------------------------

Date: Mon, 04 May 1998 11:39:59 -0400
From: Jamie McCarthy <jamie@mccarthy.org>
Subject: File 7--"Electronic Civil Disobedience"

Source -  fight-censorship@vorlon.mit.edu

This from the May 1st New York Times, copied without permission.

http://www.nytimes.com/library/tech/98/05/cyber/cyberlaw/01law.html

> For Their Civil Disobedience, the 'Sit-In' Is Virtual
>
> By CARL KAPLAN
>
> Don't call them hackers. Ricardo Dominguez and Stefan Wray consider
> themselves theorists and practitioners of "electronic civil
> disobedience."
>
> And they plan to show what that newly coined term means in an online
> protest on May 10, on behalf of embattled Indian rebels in Mexico. On
> that day they will try to rally supporters around the world to
> temporarily disrupt -- but not destroy -- a still-to-be-determined Web
> site in Mexico or elsewhere in North America supportive of the policies
> of the Mexican government.
>
> "A cyber-terrorist acts anonymously and destructively a great deal of
> the time," said Dominguez, 39, a soft-spoken New York-based political
> activist, artist and computer technician. "But electronic civil
> disobedience, like its [real-world] antecedents, is about putting
> yourself on the line in a nonviolent way."

[...]

> Dominguez and two colleagues, including Brett Stalbaum, an artist and
> programmer based in San Jose, quickly designed a Web site called Flood
> Net, which automates the process of the virtual sit-in.
>
> The way it works is simple: a Web surfer connects to Flood Net, which
> appears on the Internet only at an appointed time, so as to avoid
> detection. Flood Net automatically connects the surfer to a pre-selected
> Web site, and the software automatically hits the selected site's reload
> button every seven seconds. If thousands of surfers connect with Flood
> Net during a particular day, the mass of activists could disrupt the
> operations of the particular site.
>
> In an early test of their system, Dominguez and Wray posted messages in
> the Zapatista networks in early April, calling for colleagues to link to
> Flood Net on April 10. The target that day was the Web site of President
> Ernesto Zedillo of Mexico. According to Dominguez, 8,141 surfers around
> the world connected to Flood Net that day, which resulted in some
> slowing down and interruption of the Zedillo site. Dominguez added that
> a computer from Mexico tried to hack into Flood Net and disable its
> program, but was unsuccessful.

Interesting.  The difference between electronic terrorism and mere
electronic access, on this net we've built, is only one of quantity.
One email is perfectly all right;  a million emails is a denial of
service attack, censorship.  How about asking a million people if
they'd be willing to send one email?

Or in this case, asking 8,000 people to hit a website 500 times
over the course of an hour?

Maybe the line between access and terrorism is drawn depending on
how well-connected the target site is.

It isn't hard to decide what's censorship, of course;  if the intent
is to block someone's access or make it more difficult to access,
it's censorship.  And for the hour that they've asked people to hit
their Reload buttons, if they get enough people signed up, the site
will be more difficult to access if not impossible.

Of course, the point of this is not to crash the server but to draw
attention to what's being said and done by the people who run it.
At least that's what Dominguez and Wray say, and I believe them.

If that's their goal, I think the term and the use of "electronic
civil disobedience" will never become popular.  Unlike a real sit-in,
nobody sees an "electronic sit-in" except the site's admin as s/he
goes through the logs.  It's only good for publicity right now
because nobody's ever done it before.  The second and third time
people try it, not a soul in the world will care, and if anyone does
notice, it will only be to shake their heads at the sorry state of
"activism."  From Thoreau to King, civil disobedience has merited
jail time:  handcuffs, bars, stone, judges, and your meals on a tray.
Now it means idly tapping your Reload button while watching the
hockey game...and, for the activist whose index finger gets tired,
they're writing software to tap Reload _for_ you.

Who the hell could possibly _care_?!

(The NYT article mentions the possibility that people at the
"electronic sit-in" might be arrested under 18 USC 1030.  Right.
What a thrill of danger!  The dirty establishment!  They're getting
out their electronic water cannons and electronic rubber bullets!
"We shall overcome...")

------------------------------

Date: Fri, 24 Apr 1998 16:03:30 -0400
From: Graeme Browning <gbrowning@CDT.ORG>
Subject: File 8--POLICY POST 4.9: FCC Launches Inquiry Into Wiretap Law

 CDT POLICY POST Volume 4, Number 9                   April 24, 1998

 CONTENTS: (1) FCC Launches Inquiry Into Digital Wiretap Law
           (2) Cellular Phone Industry Files Suit Challenging FBI Efforts to
                  Shift Costs

  ** This document may be redistributed freely with this banner intact **
        Excerpts may be re-posted with permission of <gbrowning@cdt.org>

      |PLEASE SEE END OF THIS DOCUMENT FOR INFORMATION ABOUT HOW TO
                SUBSCRIBE, AND HOW TO UN-SUBSCRIBE|
 ________________________________________________________

(1) FCC LAUNCHES INQUIRY INTO DIGITAL WIRETAP LAW

In the wake of the filing last month of petitions by the Center for
Democracy and Technology (CDT), the FBI and the telecommunications
industry, the Federal Communications Commission (FCC) has launched a
full-scale inquiry into the FBI's efforts to require enhanced surveillance
capabilities in the nation's telecommunications systems.

The Commission issued a notice April 20 soliciting public comment on all
the issues that CDT, the FBI and  the industry have raised about the
implementation of the 1994 Communications Assistance for Law Enforcement
Act (CALEA), also called the 'digital wiretapping' law. This is the first
time since Congress passed CALEA that the FBI's expansive reading of the
law has been challenged directly. For a copy of the FCC's notice, see:
http://www.fcc.gov/Bureaus/Common_Carrier/Public_Notices/1998/da980762.txt

CALEA was originally intended to preserve wiretapping in new digital
networks, but the FBI is now attempting to use the law improperly  to
expand its surveillance capabilities, CDT argued in a March 26 petition to
the FCC. The privacy interests of all Americans have been overlooked in
disputes  between industry and law enforcement over the implementation of
CALEA, CDT stressed. CDT's petition can be found at:
http://www.cdt.org/digi_tele/980426_fcc_calea.html

CALEA calls for the telecommunications industry to comply with its terms by
Oct. 25, 1998.  CDT argued, however, that compliance with the law is not
reasonably achievable by that date and should be delayed while the FBI's
demands are scaled back.

The day after CDT filed its petition, the FBI asked the Commission to
require telecommunications companies to add even more monitoring
capabilities to their network switches than they have agreed to add so far.
Later, telecommunications companies and industry associations also filed
petitions with the FCC, arguing that they cannot meet the digital
wiretapping law's October deadline because disputes with the FBI about
CALEA's meaning have delayed their ability to design ways to comply with
the law.

In its notice, the FCC requested that interested parties explain their
views of CALEA 'based on existing privacy laws and their legislative
history.'  This request means that CDT will now have the opportunity to
demonstrate how privacy principles require a narrow interpretation of CALEA
-- in other words, an interpretation that excludes the enhancements sought
by the FBI.

The Commission set short deadlines for comment on the issues raised by the
implementation of CALEA. Comments on the difficulty of meeting the
compliance date are due by May 8.  Comments on the privacy issues are due
by May 20.
  _________

(2) CELLULAR PHONE INDUSTRY FILES SUIT CHALLENGING FBI EFFORTS TO SHIFT COSTS

The FCC's action isn't the only recent movement on the CALEA front,
however. Today -- Friday, April 24 -- the cellular telephone industry filed
suit in federal district court in Washington challenging the FBI's efforts
to avoid paying telecommunications companies, or "carriers," for the costs
of retrofitting their existing equipment to bring it into compliance with
CALEA.

The cost issue raised in the carriers' suit has direct impact on privacy.
Congress wanted the federal government to bear the costs of retrofitting as
a way of constraining the breadth of the FBI's demands. If the FBI can
shift the cost of compliance to the carriers, then there is no budgetary
limitation on the FBI's surveillance proposals.

Congress has only appropriated $102 million of the $500 million authorized
for CALEA compliance, precisely because Congress has been concerned about
the FBI's overreaching and its mismanagement of the process.  But if the
FBI, through the reimbursement rules, can shift the cost to carriers,
Congress' control over the purse strings becomes irrelevant and the FBI can
evade one of the central constraints built into CALEA.
  __________________________________________________________

(3) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting
civil liberties online and how they will affect you! Subscribe to the CDT
Policy Post news distribution list.  CDT Policy Posts, the regular news
publication of the Center For Democracy and Technology, are received by
more than 13,000 Internet users, industry leaders, policy makers and
activists, and have become the leading source for information about
critical free speech and privacy issues affecting the Internet and other
interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

                majordomo@cdt.org

in the BODY of the message (leave the SUBJECT LINE BLANK), type

     subscribe policy-posts


If you ever wish to remove yourself from the list, send mail to the above
address with NOTHING IN THE SUBJECT LINE AND a BODY TEXT of:

    unsubscribe policy-posts

   _______________________________________________________________

(4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest
organization based in Washington, DC. The Center's mission is to develop
and advocate public policies that advance democratic values and
constitutional civil liberties in new computer and communications
technologies.

Contacting us:

General information:  info@cdt.org
World Wide Web:       http://www.cdt.org/


Snail Mail:  The Center for Democracy and Technology
             1634 Eye Street NW * Suite 1100 * Washington, DC 20006
             (v) +1.202.637.9800 * (f) +1.202.637.0968

------------------------------

Date: Tue, 28 Apr 1998 08:23:33 -0800
From: "Rob Slade" <rslade@sprint.ca>
Subject: File 9--REVIEW: "Intranet Security", John Vacca

BKINTRAS.RVW   980206

"Intranet Security", John Vacca, 1997, 1-886801-56-8, U$49.95
%A   John Vacca jvacca@hti.net
%C   403 VFW Drive, PO Box 417, Rockland, MA   02370
%D   1997
%G   1-886801-56-8
%I   Charles River Media
%O   U$49.95 800-382-8505 617-871-4184 fax 617-871-4376
%O   chrivmedia@aol.com www.charlesriver.com
%P   506 p. + CD-ROM
%T   "Intranet Security"

While the author seems to be sincerely motivated by a concern for
security, this book badly needs more discipline, more material, and
more fact checking.  Not to mention a closer alignment with the stated
topic.

Part one is a general guide to data security.  Chapter one, although
titled "Intranet Security Trends," provides an overview of
vulnerabilities, means to address them, and security policies.
Security policies are covered in more depth in chapter two, and then
really again in chapter three, although there are slight variations in
emphasis.  Chapter four introduces Internet (TCP/IP) specific topics,
but still is dealing at the level of policy.  Part one closes with a
look at hiring or being hired (it's a bit difficult to tell) for a
security position.

Part two is said to address intranet security threats, but starts out
with a look at security protection tools in chapter six.  (More
specifically, chapter six presents a kind of extended case study of
the work at Portland State University.)  Chapter seven discusses
security applications again, in part more generally, and in part
mentioning specific proprietary programs.  Chapter eight does the same
thing.  Finally, chapter nine does look at a variety of risks
associated with Internet use, although it seems to keep lapsing into a
discussion of encryption as a security tool.  (There is also a rather
odd statement about using antiviral software to protect confidential
documents.)  Identification of computer viruses, in chapter ten,
contains generally good advice, but some extremely suspect assertions
in the background discussion.  Chapter eleven is supposed to talk
about antivirus software, but after a nonsensical description of an
almost unknown "type" of antiviral software, the rest of the chapter
meanders around oddball virus related topics without divulging too
much useful information.  (This emphasis on viruses is, of course,
rather gratifying from my perspective, but doesn't seem to have much
to do with the stated topic of intranets.  In terms of intranets, the
gravest viral danger is probably that of the MS Word macro viruses,
which get some space, but don't seem to be a priority.)

Disaster avoidance, in part three, would seem to be what computer
security is all about.  The recovery part seems to be primarily
physical, since chapter twelve stresses redundant hardware and hot
sites.

Part four discusses development, implementation, and management of
security.  Chapter thirteen reprises some of the information from part
one in reference to workstations.  Database security is important, but
chapter fourteen does not provide enough coverage to really get down
to work on it.  Chapter fifteen looks briefly, but not in much detail,
at security for remote users.  Policy is revisited in chapter sixteen.

Part five is supposed to look to the future, but chapter seventeen is
little more than a collection of computer crime war stories.  Chapter
eighteen proposes that the Year 2000 problem might raise security
issues, but is short on specifics.  Internet security related issues
are once again discussed briefly in chapter nineteen.  Chapter twenty
is supposed to be a summary and recommendations, but seems to be
simply a rather random assortment of additional security related bits.

Although there is some general security related material in this book,
almost nothing relates directly or particularly to intranets.  The
security content is not too bad as far as generic advice is concerned,
but isn't anything too significant, either.  Overall the book is
woefully short in some areas, redundant in others, and badly
disorganized.  For standard security advice the reader can easily do
better.

copyright Robert M. Slade, 1998   BKINTRAS.RVW   980206

------------------------------

Date: Thu, 25 Apr 1998 22:51:01 CST
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 10--Cu Digest Header Info (unchanged since 25 Apr, 1998)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

     SUBSCRIBE CU-DIGEST
Send the message to:   cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

CuD is readily accessible from the Net:
  UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
    Web-accessible from: http://www.etext.org/CuD/CuD/
                  ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                  aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                  world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                  wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
  EUROPE:         nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
                  ftp.warwick.ac.uk in pub/cud/ (United Kingdom)


The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
  URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.

------------------------------

End of Computer Underground Digest #10.29
************************************