Computer underground Digest Wed May 13, 1998 Volume 10 : Issue 29 ISSN 1004-042X Editor: Jim Thomas (cudigest@sun.soci.niu.edu) News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu) Archivist: Brendan Kehoe Shadow Master: Stanton McCandlish Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Field Agent Extraordinaire: David Smith Cu Digest Homepage: http://www.soci.niu.edu/~cudigest CONTENTS, #10.29 (Wed, May 13, 1998) File 1--Re: File 8--Re: technical solutions to spam problem File 2--Re: Technical Solutions to Spam (Cu Digest, #10.28) File 3--Re: Technical solutions to spam (follow-up) File 4--1st Amendment Debated in Porn Case (AP fwd) File 5--POLICY POST 4.11: Pro-Encryption Bill File 6--Fwd: Secure Cyberspace Crime-Fighting Tool from GTE... File 7--"Electronic Civil Disobedience" File 8--POLICY POST 4.9: FCC Launches Inquiry Into Wiretap Law File 9--REVIEW: "Intranet Security", John Vacca File 10--Cu Digest Header Info (unchanged since 25 Apr, 1998) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION ApPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. --------------------------------------------------------------------- Date: Thu, 07 May 1998 15:03:26 -0500 From: Neil W Rickert <rickert@CS.NIU.EDU> Subject: File 1--Re: File 8--Re: technical solutions to spam problem "Vladimir Z. Nuri" <vznuri@netcom.com> writes: >In CuD #10.25, Neil Rickert responds to my post, "technical >solutions to the spam problem" in #10.24. He writes that I have >"misdiagnosed the problem" in referring to SendMail. Obviously Vladimir and I have a serious disagreement on what to do about the spam problem. Rather than respond point-by-point to Vladimir's latest message, let me try to clarify what are our differences. The original ideal of email is that any person should be able to send any message to any other person, using any available machine to send the message. For most of the history of email, the work has been on achieving the degree of connectivity and interoperability required to reach this ideal. Now we discover that we are receiving email that we do not want (spam, for example). So the question is to decide what to do about this. I can think of three general approaches: The private or individual solution: Each person deletes/discards undesired messages. This could either be done manually, or with some kind of AI software used and configured by the user. The technical solution: System software (spam filters, etc) are put in place to refuse to accept certain types of message. The social solution: A system of social constraints is used so that very few undesired messages are sent in the first place. Both the private solution and the social solution are completely consistent with the original ideal of email. Vladimir favors the technical solution. What concerns me is that the technical solution essentially eliminates the original ideal. It replaces the original ideal with the one that says big brother or software nanny (in the form of spam filters) is watching, and the only messages that can be sent are those that meet the approval of big brother. The problem with spam arises, I suggest, because the network gives people such a sense of anonymity that ordinary social constraints break down. Rather than have a technological big brother or software nanny controlling what email can be sent, I think we should be working to find ways of reintroducing social constraints to the net. =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= Neil W. Rickert, Computer Science <rickert@cs.niu.edu> Northern Illinois Univ. DeKalb, IL 60115 +1-815-753-6940 ------------------------------ Date: Mon, 4 May 1998 04:06:32 -0700 (PDT) From: Troy <tk@www.alliancestudio.com> Subject: File 2--Re: Technical Solutions to Spam (Cu Digest, #10.28) Re: technical solutions to SPAM I thought you might be interested in my internal solutions to SPAM control. I am in charge of a few Linux based systems with a rather large volume of email traffic. The problem from my perspective was that people were using my machines as relays for sending email. The first solution was to deny relaying from machines not on an IP address associated with one of our legitimate domains. Once this was done, relaying by non-customers was effectively denied. The next problem was spam from dial-up users who were allowed to use the mail server for relaying mail. These people have the right to send mail, but not the right to send spam. I figured there were two potential solutions to this problem: 1. check their password. 2. limit the amount of email they can send in a certain time period. Checking a password would be the ideal solution. However, this would have involved too much training of users, so it is not a currently workable solution. (POP servers have the ability to send mail, so the potential is there.) I opted for limiting the number of emails a user can send. To implement the solution, I wrote some extra functions and compiled them with sendmail. The solution has worked well for a while now, with only one complaint, from a user I still think was a spammer in denial. The solution is simple: I check for the connecting machine's domain name first. Then I create a file which is based on that name. I use the file as a counter to figure out how many emails the user has sent in a predefined time period. If they have exceeded their limit, I give them a message which tells them they have exceeded their limit. I found that 15 emails in a 10 minutes is a good compromise. I count multiple recipients in one email, as well as recipients in separate emails. There is also a function to limit the daily total. I have this one disabled, but it could be used, if necessary. If I started receiving complaints, I would consider raising the 10 min. limit to 30 and the daily total to 100; but without complaints, I don't see a reason to do that. I would be interested in hearing about other peoples' internal solutions, or if anyone disagrees with my solution. ------------------------------ Date: Mon, 11 May 1998 10:15:19 -0700 (PDT) From: Troy <tk@www.alliancestudio.com> Subject: File 3--Re: Technical solutions to spam (follow-up) I wanted to mention, in relation to spam control, that it is always possible for a spammer to send mail without using the services of a mail relay by setting up his/her own server behind a dial-up link. Because of this, no amount of changes to sendmail will prevent spammers from operating. The real solution to totally controlling the flow of spam for ISPs is one of the following: (There might be other solutions, but these are the ones I can think of.) Solution 1. Implement a filter on dial-up servers which blocks transmissions of TCP/IP packages which contain mail messages not headed for the ISP's own mail relay. Then implement strict controls on the type of activity that is allowed on the mail server (limit number of emails, etc.). Solution 2. Refuse mail from hosts which do not have a valid domain name, and whose host name does not contain an smtp suffix. A dial-up connection will usually resolve to a valid host name, so unless there is some standard (e.g. smtp.myhost.com) to naming smtp servers, spammers can still use mail servers who only check for a valid domain name. On the other hand, requiring an smtp suffix would make it impossible for a spammer to send mail from their own machine without having control of the domain, forcing them to use a mail relay of their ISP's. If the ISP then enforces strict controls on mailing activity, they can prevent spam for all their users. Solution 3. Authenticate all mail servers through another protocol, using another registration system similar to DNS, where a mail server cannot be used until it has been registered. The have every machine run the server, so results can be cached and resources distributed (similar to DNS). To prevent a legal and financial mess such as InterNIC from occurring, I would recommend a distributed system where name servers query a much larger number of voluntary central servers, and where a server can be registered with any of those central servers (DNS requires a name server to know about several central servers, but registration can only be done with one of them, which is utterly silly, although a great money making strategy). Each local server could decide which central server to use by their geographic (traceroute based) location. When either one of the above solutions is combined with denying service to mail servers of ISPs who refuse to implement spam controls, spam can be eliminated (until we find a smarter, more advanced breed of a spammer). I would like to add that a MUCH bigger threat to the Internet community than spammers would be if large ISPs/online service providers denied mail service to small ISPs for some reason that is beyond the control of the small ISPs. E.g. business reasons such as promoting a friendly company's mail server product or only accepting mail from ISPs who belong to Organization X, or some other reason other than valid reasons such as the ISP being the source of vast amounts of SPAM. ------------------------------ Date: Wed, 29 Apr 1998 17:03:43 EDT From: Cu digest <Cudigest@aol.com> Subject: File 4--1st Amendment Debated in Porn Case (AP fwd) 1st Amendment Debated in Porn Case By RAJU CHEBIUM (Associated Press) BALTIMORE (AP) - Journalist Larry Matthews says he was researching a story on the explosion of child pornography in cyberspace when he logged into Internet chat groups and received and sent images depicting children in sexually explicit situations. Story or no story, federal prosecutors say it's still child pornography and what Matthews did is illegal. The case has spurred a debate over the freedom of the press and government controls on information, and Matthews could end up in prison. Matthews, 54, and media organizations maintain he has a First Amendment right to do research on a controversial subject. <snip> Prosecutors say the law makes no exceptions for journalists or anyone else. They also say they don't believe Matthews' interest was merely professional, and they are trying to prevent him from invoking a freedom-of-the-press argument. <snip> ------------------------------ Date: Tue, 12 May 1998 13:55:25 -0400 From: Graeme Browning <gbrowning@CDT.ORG> Subject: File 5--POLICY POST 4.11: Pro-Encryption Bill Source: The Center for Democracy and Technology - Volume 4, Number11 ---------------------------------------------------------------------------- A briefing on public policy issues affecting civil liberties online ---------------------------------------------------------------------------- CDT POLICY POST Volume 4, Number 11 May 12, 1998 CONTENTS: (1) Senators Introduce Pro-Privacy Encryption Bill, In Stark Contrast to Administration Position (2) How to Subscribe/Unsubscribe (3) About CDT, Contacting us ** This document may be redistributed freely with this banner intact ** Excerpts may be re-posted with permission of gbrowning@cdt.org |PLEASE SEE END OF THIS DOCUMENT FOR INFORMATION ABOUT HOW TO SUBSCRIBE, AND HOW TO UN-SUBSCRIBE| _____________________________________________________________________________ (1) SENATORS INTRODUCE PRO-PRIVACY ENCRYPTION BILL, IN STARK CONTRAST TO ADMINISTRATION POSITION A new weapon in the arsenal against misguided U.S. encryption policy arrives today as Sens. John Ashcroft (R-Mo.) and Patrick J. Leahy (D-Vt.) introduce their new encryption bill , which lays out a pro-privacy approach to computer security that contrasts starkly with the Clinton Administration's approach. The new bill, the E-PRIVACY Act, protects the privacy of all Americans by: ** protecting the domestic use of strong encryption without "key recovery" back doors for government eavesdropping; ** easing export controls to allow U.S. companies to sell their encryption products overseas; ** strengthening protections from government access to decryption keys; and ** creating unprecedented new protections for data stored in networks and cell phone location information. A section-by-section analysis of the bill is available online at http://www.cdt.org/crypto CDT is concerned about several features in the E-PRIVACY Act that create new threats to privacy online. The bill establishes a new research center to assist federal, state and local police in dealing with encrypted data. The bill also makes it a crime to use encryption to obstruct justice. Implementing these provisions will require intensive oversight and public comment. Overall, the E-PRIVACY Act presents a strong pro-privacy approach to the encryption issue, in marked contrast to the export controls and mandatory backdoors embraced by the Clinton Administration. The bill makes more encryption, more accessible, to many more people. It also creates new privacy protections for data stored on networks - protections that will become increasingly important as more people go online. Major provisions of the new bill would: *** Prevent the federal government from requiring back door access to encrypted communications and files: The bill reaffirms the right to use strong encryption domestically without the 'key recovery' back doors supported by the Administration. It also prohibits the federal government from creating regulations or standards designed to coerce public use of key recovery. To further limit the government's ability to force people to use key recovery, the bill requires that government key recovery systems be interoperable with non-key-recovery systems. *** Ease export restrictions: The E-PRIVACY Act would remove most export controls on generally available and mass market encryption software and hardware. PGP, or 128-bit Netscape and Internet Explorer, would be readily exportable to all but a handful of countries. Custom encryption products would be exportable to countries where comparable products are commercially available. *** Establish privacy protections for encryption keys entrusted to third parties: Today, a decryption key entrusted to a third party receives little protection. Such keys can be demanded by the federal government with a mere subpoena, without the supervision of a judge or any notice to the key's owner. The bill would give decryption keys in the hands of third parties the same protections they would have if they were retained by the key owners. Such keys could only be retrieved by the government with a "probable cause" court order, or with a subpoena served on the key owner with a meaningful opportunity for the key owner to challenge it. This provision could prove extremely important if encryption users voluntarily choose to use key recovery, as many are expected to do. *** Strengthen privacy protections for data stored in networks: In the future world of networked computing people will increasingly store sensitive data outside of their homes. Under current law, data stored on computer networks outside of a person's possession may receive limited privacy protections. This data may be accessible to government officials without the owner's knowledge and without supervision by the courts. The E-PRIVACY Act would create new standards protecting networked data as if it were stored in an individual's possession. The act would require a court order based upon probable cause, or a subpoena that the information's owner has a meaningful opportunity to challenge. *** Strengthen privacy protections for cellular phone location information and other data: The bill would also strengthen protections for cellular phone location information,requiring a court order based upon probable cause before sensitive physical location data could be turned over to the government. The bill also gives judges more authority in reviewing government requests to install "trap and trace devices" and "pen registers," commonly used surveillance devices that record revealing data about a person's telephone usage. The new bill also contains provisions designed to address law enforcement concerns with encryption. An "obstruction of justice" encryption crime is included, similar to the narrow provision found in the House SAFE bill. The bill also establishes a new "Net Center" designed to improve federal, state, and local resources for dealing with encryption. CDT believes that both of these provisions are cause for concern and their implementation will need to be closely monitored to ensure that they do not create new burdens on the privacy of individuals using encryption. CDT applauds Senators Ashcroft, Leahy, Burns, Boxer, and the bill's other cosponsors for their forward-looking view of privacy and security online. The E-PRIVACY Act represents a milestone in the hard-fought congressional debate on encryption. While the Administration and some in the Senate have continued to push for key recovery, the bill presents a diametrically opposed approach, giving individuals and companies the technical tools and legal protections needed to protect their security. On balance, the E-PRIVACY Act would be a major step forward for individual privacy in the Information Age. More information about the encryption issue is available at CDT's Web site, at http://www.cdt.org/crypto If you're interested in becoming more involved in the encryption debate, please visit CDT's "Adopt Your Legislator" campaign at: http://www.crypto.com _______________________________________________________________________ (2) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 13,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to majordomo@cdt.org in the BODY of the message (leave the SUBJECT LINE BLANK), type subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with NOTHING IN THE SUBJECT LINE AND a BODY TEXT of: unsubscribe policy-posts _____________________________________________________________________________ (3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info@cdt.org World Wide Web: http://www.cdt.org/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ------------------------------ Date: Wed, 29 Apr 1998 17:01:04 EDT From: AOL News <AOLNews@aol.com> Subject: File 6--Fwd: Secure Cyberspace Crime-Fighting Tool from GTE... Secure Cyberspace Crime-Fighting Tool from GTE Eliminates Geographical Boundaries, Allows Police Officers to Collaborate on the Web to Solve Cases Involving Gangs, Drug Trafficking and More ST. LOUIS--(BUSINESS WIRE)--April 27, 1998--Captain Wade Goolsby of the Coppell Police Department in Texas meets daily with more than 50 officers from seven law enforcement agencies to discuss forgeries, burglaries, sexual assaults and homicides in the north central Texas region. He does this by joining the others in a cyberspace "meeting" where entry is protected by an electronic version of passing through numerous security checks. Goolsby and others use The Bastille(SM) service by GTE (www.bastilleinfo.com), a highly secured Internet application permitting real time sharing of information among agencies on a local, regional, national and international basis. The crime-fighting system is being introduced to federal and regional law enforcement agencies attending the 1998 Economic Crime Summit here this week. Law enforcement agencies may either subscribe monthly for $199, or sign a three-year contract for $189 per month. Unlike popular depictions on police television shows, computer systems are not in place today that allow criminal investigative offices to share crime reports and investigative information on a city-to-city or state-to-state basis. Taking advantage of the ubiquitous availability of the Internet, The Bastille service will provide law enforcement officers an electronic forum for the exchange of vital information using the latest emerging telecommunications and security technologies. "Crime occurs in all areas without regard to geographical boundaries," said Dave Watkins, general manager -- law enforcement services for GTE Enterprise Solutions, a division of GTE Corp. "With The Bastille, law enforcement agencies can cross those same boundaries to keep criminals off the street and behind bars." During a six-month pilot in Texas that just ended, officers from seven police departments including the cities of Coppell, Richardson, Irving, Carrollton, Plano, Lewisville and Flower Mound, provided direct input into the system's design and features. The officers recommended that many safeguards be included to keep hackers out, according to Goolsby. "You pass through multiple layers of security to get to The Bastille, and it has highly secured encrypted databases to protect the information." Of critical importance was creating a system to communicate and exchange information without having to worry about the security risk of using telephones, fax machines, cellular phones or 800 MHz radios -- all of which can be monitored by various public scanner devices. One of The Bastille's popular applications -- the Chat Room -- provides a toll-free opportunity to exchange secured communications via animated desktop icons known as avatars that "talk." "With The Bastille, we're getting information that we didn't have before," Goolsby explained, "because it tended to remain within an agency and was not shared. Now I can search for up-to-date information and see if a city close by arrested someone I was investigating." The central core of The Bastille system is the File Room, a rich database of offenses and photos of suspects input by the officers themselves. "We'll see more clearance rates, property recoveries, arrests and convictions as each agency adds information about their investigations," Goolsby said. "The more information in the database, the more useful and valuable it becomes." "We're using the World Wide Web as well as old-fashioned shoe leather to solve crimes," Watkins added. "In order to do this, police officers must talk to each other, and The Bastille helps them do this in cyberspace without the constraints of geography or time." Law enforcement agencies that want to subscribe to The Bastille may call toll-free 888/483-4700, or visit its Web site at http://www.bastilleinfo.com, access the file cabinet and click on "contact" to leave their contact information. With 1997 revenues of more than $23 billion, GTE is one of the world's largest telecommunications companies and a leading provider of integrated telecommunications services. In the United States, GTE provides local service in 28 states and wireless service in 17 states; nationwide long-distance and internetworking services ranging from dial-up Internet access for residential and small-business consumers to Web-based applications for Fortune 500 companies; as well as video service in selected markets. Outside the United States, the company serves more than 7 million telecommunications customers. GTE is also a leader in government and defense communications systems and equipment, directories and telecommunications-based information services, and aircraft-passenger telecommunications. CONTACT: GTE Bill Kula, 972/718-6924 E-mail: william.kula@telops.gte.com or Cristina Coffin, 888/GTE-Media (888/483-6334) E-mail: coffin@gte.net ------------------------------ Date: Mon, 04 May 1998 11:39:59 -0400 From: Jamie McCarthy <jamie@mccarthy.org> Subject: File 7--"Electronic Civil Disobedience" Source - fight-censorship@vorlon.mit.edu This from the May 1st New York Times, copied without permission. http://www.nytimes.com/library/tech/98/05/cyber/cyberlaw/01law.html > For Their Civil Disobedience, the 'Sit-In' Is Virtual > > By CARL KAPLAN > > Don't call them hackers. Ricardo Dominguez and Stefan Wray consider > themselves theorists and practitioners of "electronic civil > disobedience." > > And they plan to show what that newly coined term means in an online > protest on May 10, on behalf of embattled Indian rebels in Mexico. On > that day they will try to rally supporters around the world to > temporarily disrupt -- but not destroy -- a still-to-be-determined Web > site in Mexico or elsewhere in North America supportive of the policies > of the Mexican government. > > "A cyber-terrorist acts anonymously and destructively a great deal of > the time," said Dominguez, 39, a soft-spoken New York-based political > activist, artist and computer technician. "But electronic civil > disobedience, like its [real-world] antecedents, is about putting > yourself on the line in a nonviolent way." [...] > Dominguez and two colleagues, including Brett Stalbaum, an artist and > programmer based in San Jose, quickly designed a Web site called Flood > Net, which automates the process of the virtual sit-in. > > The way it works is simple: a Web surfer connects to Flood Net, which > appears on the Internet only at an appointed time, so as to avoid > detection. Flood Net automatically connects the surfer to a pre-selected > Web site, and the software automatically hits the selected site's reload > button every seven seconds. If thousands of surfers connect with Flood > Net during a particular day, the mass of activists could disrupt the > operations of the particular site. > > In an early test of their system, Dominguez and Wray posted messages in > the Zapatista networks in early April, calling for colleagues to link to > Flood Net on April 10. The target that day was the Web site of President > Ernesto Zedillo of Mexico. According to Dominguez, 8,141 surfers around > the world connected to Flood Net that day, which resulted in some > slowing down and interruption of the Zedillo site. Dominguez added that > a computer from Mexico tried to hack into Flood Net and disable its > program, but was unsuccessful. Interesting. The difference between electronic terrorism and mere electronic access, on this net we've built, is only one of quantity. One email is perfectly all right; a million emails is a denial of service attack, censorship. How about asking a million people if they'd be willing to send one email? Or in this case, asking 8,000 people to hit a website 500 times over the course of an hour? Maybe the line between access and terrorism is drawn depending on how well-connected the target site is. It isn't hard to decide what's censorship, of course; if the intent is to block someone's access or make it more difficult to access, it's censorship. And for the hour that they've asked people to hit their Reload buttons, if they get enough people signed up, the site will be more difficult to access if not impossible. Of course, the point of this is not to crash the server but to draw attention to what's being said and done by the people who run it. At least that's what Dominguez and Wray say, and I believe them. If that's their goal, I think the term and the use of "electronic civil disobedience" will never become popular. Unlike a real sit-in, nobody sees an "electronic sit-in" except the site's admin as s/he goes through the logs. It's only good for publicity right now because nobody's ever done it before. The second and third time people try it, not a soul in the world will care, and if anyone does notice, it will only be to shake their heads at the sorry state of "activism." From Thoreau to King, civil disobedience has merited jail time: handcuffs, bars, stone, judges, and your meals on a tray. Now it means idly tapping your Reload button while watching the hockey game...and, for the activist whose index finger gets tired, they're writing software to tap Reload _for_ you. Who the hell could possibly _care_?! (The NYT article mentions the possibility that people at the "electronic sit-in" might be arrested under 18 USC 1030. Right. What a thrill of danger! The dirty establishment! They're getting out their electronic water cannons and electronic rubber bullets! "We shall overcome...") ------------------------------ Date: Fri, 24 Apr 1998 16:03:30 -0400 From: Graeme Browning <gbrowning@CDT.ORG> Subject: File 8--POLICY POST 4.9: FCC Launches Inquiry Into Wiretap Law CDT POLICY POST Volume 4, Number 9 April 24, 1998 CONTENTS: (1) FCC Launches Inquiry Into Digital Wiretap Law (2) Cellular Phone Industry Files Suit Challenging FBI Efforts to Shift Costs ** This document may be redistributed freely with this banner intact ** Excerpts may be re-posted with permission of <gbrowning@cdt.org> |PLEASE SEE END OF THIS DOCUMENT FOR INFORMATION ABOUT HOW TO SUBSCRIBE, AND HOW TO UN-SUBSCRIBE| ________________________________________________________ (1) FCC LAUNCHES INQUIRY INTO DIGITAL WIRETAP LAW In the wake of the filing last month of petitions by the Center for Democracy and Technology (CDT), the FBI and the telecommunications industry, the Federal Communications Commission (FCC) has launched a full-scale inquiry into the FBI's efforts to require enhanced surveillance capabilities in the nation's telecommunications systems. The Commission issued a notice April 20 soliciting public comment on all the issues that CDT, the FBI and the industry have raised about the implementation of the 1994 Communications Assistance for Law Enforcement Act (CALEA), also called the 'digital wiretapping' law. This is the first time since Congress passed CALEA that the FBI's expansive reading of the law has been challenged directly. For a copy of the FCC's notice, see: http://www.fcc.gov/Bureaus/Common_Carrier/Public_Notices/1998/da980762.txt CALEA was originally intended to preserve wiretapping in new digital networks, but the FBI is now attempting to use the law improperly to expand its surveillance capabilities, CDT argued in a March 26 petition to the FCC. The privacy interests of all Americans have been overlooked in disputes between industry and law enforcement over the implementation of CALEA, CDT stressed. CDT's petition can be found at: http://www.cdt.org/digi_tele/980426_fcc_calea.html CALEA calls for the telecommunications industry to comply with its terms by Oct. 25, 1998. CDT argued, however, that compliance with the law is not reasonably achievable by that date and should be delayed while the FBI's demands are scaled back. The day after CDT filed its petition, the FBI asked the Commission to require telecommunications companies to add even more monitoring capabilities to their network switches than they have agreed to add so far. Later, telecommunications companies and industry associations also filed petitions with the FCC, arguing that they cannot meet the digital wiretapping law's October deadline because disputes with the FBI about CALEA's meaning have delayed their ability to design ways to comply with the law. In its notice, the FCC requested that interested parties explain their views of CALEA 'based on existing privacy laws and their legislative history.' This request means that CDT will now have the opportunity to demonstrate how privacy principles require a narrow interpretation of CALEA -- in other words, an interpretation that excludes the enhancements sought by the FBI. The Commission set short deadlines for comment on the issues raised by the implementation of CALEA. Comments on the difficulty of meeting the compliance date are due by May 8. Comments on the privacy issues are due by May 20. _________ (2) CELLULAR PHONE INDUSTRY FILES SUIT CHALLENGING FBI EFFORTS TO SHIFT COSTS The FCC's action isn't the only recent movement on the CALEA front, however. Today -- Friday, April 24 -- the cellular telephone industry filed suit in federal district court in Washington challenging the FBI's efforts to avoid paying telecommunications companies, or "carriers," for the costs of retrofitting their existing equipment to bring it into compliance with CALEA. The cost issue raised in the carriers' suit has direct impact on privacy. Congress wanted the federal government to bear the costs of retrofitting as a way of constraining the breadth of the FBI's demands. If the FBI can shift the cost of compliance to the carriers, then there is no budgetary limitation on the FBI's surveillance proposals. Congress has only appropriated $102 million of the $500 million authorized for CALEA compliance, precisely because Congress has been concerned about the FBI's overreaching and its mismanagement of the process. But if the FBI, through the reimbursement rules, can shift the cost to carriers, Congress' control over the purse strings becomes irrelevant and the FBI can evade one of the central constraints built into CALEA. __________________________________________________________ (3) SUBSCRIPTION INFORMATION Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 13,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media. To subscribe to CDT's Policy Post list, send mail to majordomo@cdt.org in the BODY of the message (leave the SUBJECT LINE BLANK), type subscribe policy-posts If you ever wish to remove yourself from the list, send mail to the above address with NOTHING IN THE SUBJECT LINE AND a BODY TEXT of: unsubscribe policy-posts _______________________________________________________________ (4) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies. Contacting us: General information: info@cdt.org World Wide Web: http://www.cdt.org/ Snail Mail: The Center for Democracy and Technology 1634 Eye Street NW * Suite 1100 * Washington, DC 20006 (v) +1.202.637.9800 * (f) +1.202.637.0968 ------------------------------ Date: Tue, 28 Apr 1998 08:23:33 -0800 From: "Rob Slade" <rslade@sprint.ca> Subject: File 9--REVIEW: "Intranet Security", John Vacca BKINTRAS.RVW 980206 "Intranet Security", John Vacca, 1997, 1-886801-56-8, U$49.95 %A John Vacca jvacca@hti.net %C 403 VFW Drive, PO Box 417, Rockland, MA 02370 %D 1997 %G 1-886801-56-8 %I Charles River Media %O U$49.95 800-382-8505 617-871-4184 fax 617-871-4376 %O chrivmedia@aol.com www.charlesriver.com %P 506 p. + CD-ROM %T "Intranet Security" While the author seems to be sincerely motivated by a concern for security, this book badly needs more discipline, more material, and more fact checking. Not to mention a closer alignment with the stated topic. Part one is a general guide to data security. Chapter one, although titled "Intranet Security Trends," provides an overview of vulnerabilities, means to address them, and security policies. Security policies are covered in more depth in chapter two, and then really again in chapter three, although there are slight variations in emphasis. Chapter four introduces Internet (TCP/IP) specific topics, but still is dealing at the level of policy. Part one closes with a look at hiring or being hired (it's a bit difficult to tell) for a security position. Part two is said to address intranet security threats, but starts out with a look at security protection tools in chapter six. (More specifically, chapter six presents a kind of extended case study of the work at Portland State University.) Chapter seven discusses security applications again, in part more generally, and in part mentioning specific proprietary programs. Chapter eight does the same thing. Finally, chapter nine does look at a variety of risks associated with Internet use, although it seems to keep lapsing into a discussion of encryption as a security tool. (There is also a rather odd statement about using antiviral software to protect confidential documents.) Identification of computer viruses, in chapter ten, contains generally good advice, but some extremely suspect assertions in the background discussion. Chapter eleven is supposed to talk about antivirus software, but after a non-sensical description of an almost unknown "type" of antiviral software, the rest of the chapter meanders around oddball virus related topics without divulging too much useful information. (This emphasis on viruses is, of course, rather gratifying from my perspective, but doesn't seem to have much to do with the stated topic of intranets. In terms of intranets, the gravest viral danger is probably that of the MS Word macro viruses, which get some space, but don't seem to be a priority.) Disaster avoidance, in part three, would seem to be what computer security is all about. The recovery part seems to be primarily physical, since chapter twelve stresses redundant hardware and hot sites. Part four discusses development, implementation, and management of security. Chapter thirteen reprises some of the information from part one in reference to workstations. Database security is important, but chapter fourteen does not provide enough coverage to really get down to work on it. Chapter fifteen looks briefly, but not in much detail, at security for remote users. Policy is revisited in chapter sixteen. Part five is supposed to look to the future, but chapter seventeen is little more than a collection of computer crime war stories. Chapter eighteen proposes that the Year 2000 problem might raise security issues, but is short on specifics. Internet security related issues are once again discussed briefly in chapter nineteen. Chapter twenty is supposed to be a summary and recommendations, but seems to be simply a rather random assortment of additional security related bits. Although there is some general security related material in this book, almost nothing relates directly or particularly to intranets. The security content is not too bad as far as generic advice is concerned, but isn't anything too significant, either. Overall the book is woefully short in some areas, redundant in others, and badly disorganized. For standard security advice the reader can easily do better. copyright Robert M. Slade, 1998 BKINTRAS.RVW 980206 ------------------------------ Date: Thu, 25 Apr 1998 22:51:01 CST From: CuD Moderators <cudigest@sun.soci.niu.edu> Subject: File 10--Cu Digest Header Info (unchanged since 25 Apr, 1998) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send post with this in the "Subject:: line: SUBSCRIBE CU-DIGEST Send the message to: cu-digest-request@weber.ucsd.edu DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS. The editors may be contacted by voice (815-753-6436), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. To UNSUB, send a one-line message: UNSUB CU-DIGEST Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU (NOTE: The address you unsub must correspond to your From: line) CuD is readily accessible from the Net: UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD Web-accessible from: http://www.etext.org/CuD/CuD/ ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/ wuarchive.wustl.edu in /doc/EFF/Publications/CuD/ EUROPE: nic.funet.fi in pub/doc/CuD/CuD/ (Finland) ftp.warwick.ac.uk in pub/cud/ (United Kingdom) The most recent issues of CuD can be obtained from the Cu Digest WWW site at: URL: http://www.soci.niu.edu/~cudigest/ COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ------------------------------ End of Computer Underground Digest #10.29 ************************************