home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freaks Macintosh Archive
/
Freaks Macintosh Archive.bin
/
Freaks Macintosh Archives
/
Textfiles
/
zines
/
Phrack
/
Phrack Issue 51.sit
/
Phrack51
/
P51-16
< prev
next >
Wrap
Text File
|
1997-09-01
|
83KB
|
1,831 lines
---[ Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 16 of 17
-------------------------[ P H R A C K W O R L D N E W S
--------[ Issue 51
0x1: Illinois man arrested after threatening Bill Gates
0x2: Man Arrested In Tokyo On Hacker Charges
0x3: FBI says hacker sold 100,000 credit card numbers
0x4: MS Security Plugs Not Airtight
0x5: BSA slams DTI's Encryption Plans
0x6: Teen bypasses blocking software
0x7: The Power to Moderate is the Power to Censor
0x8: AOL Users in Britain Warned of Surveillance
0x9: Georgia Expands the "Instruments of Crime"
0xa: NASA Nabs Teen Computer Hacker
0xb: Agriculture Dept. Web Site Closed after Security Breach
0xc: Hackers Smash US Government Encryption Standard
0xd: Hacker May Stolen JonBenet computer Documents
0xe: Hacker Vows 'Terror' for Pornographers
0xf: Mitnick Gets 22 Month Sentence
0x10: New York Judge Prohibits State Regulation of Internet
0x11: Breaking the Crypto Barrier
0x12: Setback in Efforts to Secure Online Privacy
0x13: Captain Crunch Web Site Now Moved
0x14: US Justive Dept. Investigating Network Solutions
0x15: Cyber Patrol Bans Crypt Newsletter
0x16: Some humor on media hacks and hackers
0x17: Court Mixes Internet Smut Provision
0x1: Book Title: Underground
0x2: Book Title: "Hackers"
0x1: Convention: Cybercrime Conference Announcement
0x2: Convention: Computers & The Law IV Symposium
0x1>-------------------------------------------------------------------------
Title: Illinois man arrested after threatening Bill Gates
Source: Reuter
Author: unknown
SEATTLE (Reuter) - An Illinois man has been arrested and charged with
threatening to kill Microsoft Corp. Chairman Bill Gates in a $5
million extortion plot, authorities said on Friday.
Adam Pletcher was arrested on May 9 in the Chicago suburb of Long
Grove, where he lives with his parents, and charged with extortion,
federal prosecutors said. He was freed on $100,000 bond and is due to
appear in U.S. District Court in Seattle on Thursday for arraignment.
According to court documents, Pletcher sent four letters to Gates,
beginning in March, threatening to kill the software company founder
and his wife, Melinda, unless payment of at least $5 million was made.
The first letter was intercepted at the company's headquarters in
Redmond, Washington, by corporate security officers, who contacted the
FBI.
Agents then used an America Online dating service specified by the
author of the letters to track down Pletcher, described as a loner in
his early 20s who spends much of his time in front of the computer.
Authorities said they treated the threats seriously but did not
believe Gates' life was ever in danger.
"We generally think this was a kid with a rich fantasy life, just
living that out," said Tom Ziemba, a spokesman for U.S. Attorney
Katrina Pflaumer.
"This was handled in a fairly routine fashion by Microsoft security
and law enforcement agencies," Microsoft spokesman Mark Murray said.
"At some point in the investigation Microsoft did make Bill aware of
the situation."
Pletcher's online activities have landed him in trouble before.
In February the Illinois attorney general sued Pletcher, accusing him
of defrauding consumers of thousands of dollars in an alleged Internet
scam, according to a story in the Chicago Tribune. Several consumers
complained they sent Pletcher up to $5,500 to find them a car deal and
never got their money back.
Despite his status as richest man in America, with a Microsoft stake
valued at more than $30 billion, Gates is still known to travel alone
on regularly scheduled flights. But Murray said the executive was
well-protected.
"We don't comment at all on Bill's security other than to say that
there are extensive and appropriate security measures in place for
Bill, for his family and for Microsoft facilities and personnel,"
Murray said.
0x2>-------------------------------------------------------------------------
Title: Man Arrested In Tokyo On Hacker Charges
Source: unknown
Author: unknown
TOKYO (May 23, 1997 10:31 a.m. EDT) - A 27-year-old Japanese man was
arrested Friday on suspicion of breaking into an Internet home page of
Asahi Broadcasting Corp. and replacing it with pornography, a police
spokesman said.
Koichi Kuboshima, a communications equipment firm employee from Saitama
Prefecture, north of Tokyo, was arrested on charges of interrupting
business by destroying a computer network.
It was the first arrest related to illegal access to the information
network, the police spokesman said, adding Kuboshima was also charged
with displaying obscene pictures, the spokesman said.
The suspect admitted to the crime, telling police he had done it for
fun, police officials said.
The Osaka-based broadcasting network blocked access to all of its home
pages on Sunday immediately after it was notified of the offense by an
Internet user.
The Asahi home page is designed to allow users to download and upload
information, which allowed Kuboshima to rewrite the contents, the
spokesman said.
0x3>-------------------------------------------------------------------------
Title: FBI says hacker sold 100,000 credit card numbers
Source: unknown
Author: unknown
SAN FRANCISCO (May 23, 1997 10:13 a.m. EDT) -- A clever hacker slipped
into a major Internet provider and gathered 100,000 credit card
numbers along with enough information to use them, the FBI said
Thursday.
Carlos Felipe Salgado, Jr., 36, who used the online name "Smak,"
allegedly inserted a program that gathered the credit information from
a dozen companies selling products over the Internet, said FBI
spokesman George Grotz.
[Secure electronic commerce is a novel idea.]
Salgado allegedly tried to sell the credit information to an
undercover agent for $260,000. He was arrested Wednesday and faces a
maximum 15 years in prison and $500,000 in fines if convicted on
charges of unauthorized access of computers and trafficking in stolen
credit card numbers.
"What is unique about this case is that this individual was able to
hack into this third party, copy this information and encrypt it to be
sold," Grotz said.
[Since we know others have hacked in and stolen credit cards before,
the unique part is him trying to sell them. That isn't in keeping
with what federal agents love to say about hackers and credit card
incidents. Convenient how they change things like that.]
Had it succeeded, "at minimum we'd have 100,000 customers whose
accounts could have been compromised and would not have known it until
they got their bill at the end of the month," the FBI spokesman said.
The scheme was discovered by the unidentified San Diego-based Internet
provider during routine maintenance. Technicians found an intruder had
placed a program in their server called a "packet sniffer," which
locates specified blocks of information, such as credit card numbers.
[Uh...more like they kept a nice ascii database full of the numbers
that was copied with expert technique like "cp ccdb"...]
The FBI traced the intruder program to Salgado, who was using an
account with the University of California-San Francisco.
A school spokeswoman said officials have not yet determined whether
Salgado attended or worked at the school, or how he got access to the
account.
With the cooperation of a civilian computer user who was in
communication with Salgado, the FBI arranged to have an undercover
agent buy the stolen credit card information.
After making two small buys, the FBI agents arranged to meet Salgado
on Wednesday at San Francisco International Airport to pay $260,000
for 100,000 credit card numbers with credit limits that ranged up to
$25,000 each.
After decrypting and checking that the information was valid, Salgado
was taken into custody at his parents' house in Daly City. Salgado
waived his rights and acknowledged breaking into computers, including
the San Diego company, according to the affidavit.
The FBI has not found any evidence Salgado made any purchases with the
numbers himself, the spokesman said, but the investigation is
continuing.
Salgado appeared before a federal magistrate Thursday and was released
on a $100,000 personal bond. Grotz said that as a condition of bail,
"the judge forbids him to come anywhere near a computer."
0x4>-------------------------------------------------------------------------
Title: MS Security Plugs Not Airtight
Source: unknown
Author: Nick Wingfield
(May 22, 1997, 12:45 p.m. PT) Microsoft (MSFT) is still struggling to
completely patch Windows 95 and NT against Internet hacker attacks.
The company has posted a software patch that protects Windows 95 users
from an attack that can crash their computers. The company issued a
similar patch for Windows NT last week.
But both the Windows NT and 95 patches aren't complete prophylactics for
so-called out-of-band data attacks since both platforms can still be
crashed by hackers with Macintosh and Linux computers. Microsoft said
today that it hopes to post new patches by tonight that remedy the
vulnerability to Mac- and Linux-based attacks.
The current Windows 95 patch--without protection for Mac and Linux
attacks--can be downloaded for free from Microsoft's Web site.
This year, Microsoft programmers have been forced to create a medicine
chest of software remedies to fix potential security risks in everything
from the Internet Explorer browser to PowerPoint to Windows itself. Some
security experts believe the company is struggling with deep-rooted
vulnerabilities in its OS and Internet technologies.
It's clear that the Internet has made it much easier for enterprising
bug-finders to broadcast their discoveries to the press and public over
email lists and Web pages. This has put intense pressure on
Microsoft's engineering groups to quickly come up with patches.
Other companies, such as Sun Microsystems, have also had to release a
number of patches for their technologies, but Microsoft has been
especially hard-hit.
A number of security experts believe that Microsoft would have had a
hard time avoiding these security problems.
"As a professional programmer, I have a real hard time saying that
Microsoft should have seen this coming," said David LeBlanc, senior
Windows NT security manager at Internet Security Systems, a developer of
security software. "I get hit with this stuff too. With 20/20 hindsight,
it's really obvious to see what we did wrong. Trying to take into
account all the possibilities that can occur beforehand is not
realistic."
In order to exploit the latest vulnerability, Web sites must send a
special TCP/IP command known as "out of band data" to port 139 of a
computer running Windows 95 or NT. Hackers could also target users' PCs
by using one of several programs for Windows, Unix, and Macintosh now
circulating on the Net. With one program, called WinNuke, a hacker
simply types a user's Internet protocol address and then clicks the
program's "nuke" button in order to crash a PC over the Net.
The company's original patch for Windows NT prevents attacks from Unix
and other Windows computers. But because of a difference in the way
Mac and Linux computers handle the TCP protocol, Microsoft's patch
didn't squelch attacks from those operating systems.
[Bullshit meter: ****- - In actuality, Microsoft just decided to
filter hits on that port looking for a keyword included in the
first 'winuke' script. By changing that word, 95 was once again
vulnerable to these attacks. Good work Microsoft.]
A number of users have sent email to CNET's NEWS.COM complaining that
their computers were repeatedly crashed as they chatted in Internet
relay chat groups. When users are nuked by a hacker, their computer
screens often display an error message loosely known as the "blue screen
of death."
"The worst part about it is that the delinquents playing with this toy
really like to play with it and keep on doing it," said Martin A.
Childs, a law student at Louisiana State University in Baton Rouge. "The
first time I got hit, I logged on six times before I managed to figure
out what was going on."
The original patches for Windows NT versions 4.0 and 3.51 are available
on Microsoft's Web site. Last Thursday, the company also posted a
collection of software patches, called service pack 3, that contains the
NT out-of-band fix.
The out-of-band data attacks also affect users of Windows 3.11, but a
company spokeswoman said that Microsoft will not prepare a fix for that
platform unless users request one.
0x5>-------------------------------------------------------------------------
Title: BSA slams DTI's Encryption Plans
Source: The IT Newspaper
Author: unknown
Date: 26th June 1997
Government Proposals on encryption are 'unworkable, unfar, unweildy,
un-needed and frankly unacceptable', according to the British Software
Alliance (BSA) and the British Interactive Multimedia Association (Bima),
writes Tim Stammers.
In a joint statement, the organizations claimed that encryption
proposals from the DTI could 'cripple the growth of electronic comerce in
the UK'.
Tod Cohen, lawyer at Covington & Berling, council to the BSA, said:
'These proposals could be a disaster for both users and vendors'.
The DTI's plan calls for UK organisations which want to encrypt email
and data to supply copies of their encryption keys to third parties.
Government agencies will then be able to demand access to copies of the
keys. The DTI says the scheme aims to prevent criminal use of encryption
by drug dealers and terrorists.
But the BSA and BIMA claim that the proposed tystem will create a
massive bureaucratic structure will criminals will ignore.
'The sheer number of electronic communications could easily overwhelm
the system, without inreasing security or safety within the UK', their
statement said.
Sean Nye, executive member of Bima, said : 'In an age where personal
data and information is increasingly threatened with unwarranted
exposure, the DTI's proposals are a major step backwards'.
Opposition to the so-called key escrow system suggested by the DTI has
been widespread. Public opponents include Brian Gladman, former deputy
director at Nato's labratories.
The proposals where formulated under the last government, and a
decision on their future is expected next month.
The US government is easing encryption export controls for software
companies which are prepared to back key escrow, but has met Senate
opposition to its plans.
0x6>-------------------------------------------------------------------------
Title: Teen bypasses blocking software
Sounce: www.news.com
Author: Courtney Macavinta
Date: April 22, 1997, 5:30 p.m. PT
A teenager is using his Web site to help others bypass one brand
of filtering software intended to protect minors from illicit Net
material.
Using the "CYBERsitter codebreaker" from 18-year-old Bennett
Haselton, surfers can now decode the list of all Net sites
blocked by Solid Oak's Cybersitter software.
Haselton--the founder of a teen organization called Peacefire
that fights Net censorship--contends that the software violates
free speech rights for adults and teen-agers. He claims the
software is also falsely advertised because it promises parents
the "ability to limit their children's access to objectionable
material on the Internet," but also blocks other content on the
Net.
Haselton's campaign to get around Cybersitter has Solid Oak's
president seeing red.
Solid Oak denies Haselton's charges and is investigating the
legality of the code-breaking program. "He doesn't know anything,
and he's just a kid," Solid Oak President Brian Milburn said
today. "We have never misrepresented our product--ever."
Haselton's Cybersitter codebreaker can be used to crack a coded
list of the sites that CYBERsitter blocks. The list is
distributed to subscribers to notify users what sites are being
blocked. Subscribers pay $39.95 for the software.
The software blocks sites containing any words describing
genitals, sex, nudity, porn, bombs, guns, suicide, racial slurs
and other violent, sexual and derogatory terms.
The list also blocks an array of sites about gay and lesbian
issues, including PlanetOut and the International Gay and Lesbian
Human Rights Commission . Cybersitter even blocks the National
Organization for Women because it contains information about
lesbianism, Solid Oak stated. "The NOW site has a bunch of
lesbian stuff on it, and our users don't want it," said Milburn.
The software also filters any site that contains the phrase
"Don't buy CYBERsitter" as well as Haselton's own site and any
reference to his name.
Milburn says Haselton's campaign is hurting the product's
marketability and hinted that the company will stop him, but
wouldn't say exactly how.
"We have users who think they purchased a secure product. This is
costing us considerably," Milburn said. "But we're not going to
let Bennett break the law."
He did point out that Haselton's program to decode the software
may violate its licensing agreement, which states: "Unauthorized
reverse engineering of the Software, whether for educational,
fair use, or other reason is expressly forbidden. Unauthorized
disclosure of CYBERsitter operational details, hacks, work around
methods, blocked sites, and blocked words or phrases are
expressly prohibited."
Haselton is undaunted by the suggestion of legal reprecussions.
"I've talked to a lawyer who offered to represent me in the event
that Cybersitter goes after me," he added.
Haselton, a junior at Vanderbuilt University, argues that the
software doesn't protect kids from smut, but just keeps them from
learning new ideas.
"Blocking software is not the solution to all of our problems.
What's dangerous is not protecting [teenagers' free] speech on
the Net as well," he said. "This is the age, when you form your
opinions about social issues, human rights, and religion. We need
to keep free ideas on the Net for people under 18."
Haselton's organization is also a plaintiff in a lawsuit being
argued today in New York, the American Library Association vs.
Governor George Pataki. The case was filed to strike down a state
law similar to the Communications Decency Act that prohibits
making indecent material available to minors over the Net.
0x7>-------------------------------------------------------------------------
Title: The Power to Moderate is the Power to Censor
Source: unknown
Author: Paul Kneisel
Some 200+ new news groups have just been created on the UseNet part of the
Internet. They are grouped under a new <gov.*> hierarchy.
<gov.*> promises to "take democracy into cyberspace," according to the
press release from the National Science Foundation.[1] "The U.S.
government," said U.S. Vice President Al Gore of the GovNews project, "is
taking a leadership role in providing technology that could change the face
of democracy around the world."[2]
The GovNews project repeatedly stresses how it will support and promote
feedback between governments and citizens. "Millions of people will now be
able to follow and comment on government activity in selected areas of
interest...," the release stated, promising "a wide, cost-effective
electronic dissemination and discussion...."
Preston Rich, the National Science Foundation's leader of the International
GovNews Project, described GovNews as "newsgroups logically organized by
topic from privatization, procurements and emergency alerts to toxic waste
and marine resources and include[s] the capability to discuss such
information."[1]
The vast majority of the new <gov.*> groups are moderated.
The idea of the moderated news
group is increasingly accepted on UseNet. Off-topic posts, flames, and spam
have made many non-moderated groups effectively unreadable by most users.
Moderated groups are one effective way around these problems. New groups
created in the non-<gov.*> "Big 8" UseNet hierarchy have formal charters
defining the group. If the group is moderated then the powers, identity,
and qualifications of the moderators are also listed. Unmoderated groups
might be likened to informal free-for-all debates where there is no check
on who can participate or on the form or content of what is said. Moderated
groups are far closer to a specially-defined meeting of citizens with a
formal Chair, empowered to declare certain topics off-limits for
discussion, and to call unruly participants to order.
An unmoderated UseNet group dedicated to baking cookies might be flooded
with posts advertising bunion cures, reports of flying saucers sighted over
Buckingham Palace, or articles denouncing Hillary Clinton as a Satanist. A
moderator for the group has the power to block all of these posts, ensuring
that they are not sent to the UseNet feed and do not appear among the
on-topic discussion of cookies.
Certainly some moderators on UseNet groups abuse their powers (as do some
Chairs at non-Internet meetings.) But reports of such abuse are relatively
rare given the number of moderated groups. And, of course, many complaints
come from the proverbial "net.kooks" or those who oppose moderation in
general.
Moderators in the "Big 8" UseNet hierarchy are "civilians," not government
employees moderating government-related groups while collecting government
paychecks.
The <gov.*> hierarchy inferentially changes this. I write "inferentially"
because the charters, names and qualifications of the moderators in the
200+ groups has not been formally announced. Nor do routine queries to
members of the <gov.*> leading Hierarchial Coordinating Committee result in
such detailed information.
UseNet is not the entire Internet. Net-based technology like the World Wide
Web and the "File Transfer Protocol" or FTP are designed for the one-way
transmission of data. Few object to the _Congressional Record_ on-line or
crop reports posted by the U.S. Department of Agriculture available on the
Web or via FTP. But the news groups of UseNet are designed for two-way
discussions, not spam-like one-way info-floods of data carefully selected
by government bureaucrats.
That creates an enormous problem when government employees moderate the
discussion, regardless of how well, appropriately, or fairly the moderation
is conducted.
For government moderation of any discussion is censorship and it is wrong.
Initial reports also indicate that most of the <gov.*> groups will be "robo
[t]-moderated." In other words, specialized software programs will handle
the bulk of the moderator's tasks. Robo-moderation, however, alters
nothing. A good robo program may catch and eliminate 99% of the spam sent
to the group or identify notorious flame-artists. But the power to
robo-moderate remains the power to censor; the power to select one
robo-moderator is the power to select another; the power to automatically
remove bunion ads is simultaneously the power to eliminate all posts from
Iraq in a political discussion or any message containing the string
"Whitewater."
In short, moderation on <gov.*> groups by government employees remains
censorship whether conducted by software or humans, whether posts are
approriately banned or the moderation places severe limits on free
political speech. *Any* limitation of posts from any citizen by any
government employee is censorship.
It is also forbidden by law.
FOOTNOTES
[1] "GOVNEWS: N[ational] S[cience] F[oundation] Press Release for GovNews,"
17 Mar 1997, <http://www.govnews.org/govnews/info/press.html>, accessed 21
Mar 1997.
[2] One wonders what technology Gore believes GovNews is providing.
Certainly neither the Internet or UseNet is part of that technology for
both existed long before GovNews.^Z
0x8>-------------------------------------------------------------------------
Title: AOL Users in Britain Warned of Surveillance
Source: unknown
Author: CHristopher Johnston
LONDON - Subscribers logging onto AOL Ltd. in Britain this week
were greeted with news that the Internet-service provider was
imposing a tough new contract giving it wide latitude to disclose
subscribers' private E-mail and on-line activities to law
enforcement and security agencies.
The new contract also requires users to comply with both British
and U.S. export laws governing encryption. AOL Ltd. is a
subsidiary of AOL Europe, which is a joint venture between
America Online Inc. of the United States and Germany's
Bertelsmann GmbH.
The contract notes in part that AOL ''reserves the right to
monitor or disclose the contents of private communication over
AOL and your data to the extent permitted or required by law.''
''It's bad news,'' said Marc Rotenberg, director of the
Electronic Privacy Information Center, a Washington-based civil
liberties organization. ''I think AOL is putting up a red flag
that their commitment to privacy is on the decline. It puts
their users on notice that to the extent permitted by law, they
can do anything they want.''
The contract also prohibits subscribers from posting or
transmitting any content that is ''unlawful, harmful,
threatening, abusive, harassing, defamatory, vulgar, obscene,
seditious, blasphemous, hateful, racially, ethnically or
otherwise objectionable.''
AOL and its competitors called the move part of a trend to
protect on-line service providers from suits by users in case
they are required to disclose subscribers' activities to law
enforcement agencies.
The contract also beefed up the legal wording relating to
sensitive content such as pornography, and prohibiting the
maintenance of links to obscene Web sites.
The updated contract is also the first to inform subscribers that
they are required to comply with both British and U.S. export
laws governing encryption, or coding, a hot topic of debate
recently between software publishers and security agencies.
AOL Europe will provide similar contracts, which vary according
to local law in each of the seven European countries in which the
network operates.
AOL executives denied any government pressure in updating the
contract.
0x9>-------------------------------------------------------------------------
Title: Georgia Expands the "Instruments of Crime"
Source: fight-censorship@vorlon.mit.edu
In Georgia it is a crime, punishable by $30K and four years to use in
furtherance of a crime:
* a telephone
* a fax machine
* a beeper
* email
The actual use of the law, I think, is that when a person is selling drugs
and either is in possession of a beeper, or admits to using the phone to
facilitate a meeting, he is charged with the additional felony of using a
phone. This allows for selective enforcement of additional penalties for
some people.
O.C.G.A. 16-13-32.3.
(a) It shall be unlawful for any person knowingly or intentionally to
use any communication facility in committing or in causing or
facilitating the commission of any act or acts constituting a felony
under this chapter. Each separate use of a communication facility
shall be a separate offense under this Code section. For purposes of
this Code section, the term "communication facility" means any and all
public and private instrumentalities used or useful in the
transmission of writing, signs, signals, pictures, or sounds of all
kinds and includes mail, telephone, wire, radio, computer or computer
network, and all other means of communication.
(b) Any person who violates subsection (a) of this Code section shall
be punished by a fine of not more than $30,000.00 or by imprisonment
for not less than one nor more than four years, or both.
0xa>-------------------------------------------------------------------------
Title: NASA Nabs Teen Computer Hacker
Source: Associated Press
Author: unknown
Date: Monday, June 2, 1997
WASHINGTON (AP) - A Delaware teen-ager who hacked his way into a
NASA web site on the Internet and left a message berating U.S.
officials is being investigated by federal authorities, agency
officials said Monday.
NASA Inspector General Robert Gross cited the incident - the most
recent example of a computer invasion of a NASA web site - as an
example of how the space agency has become ``vulnerable via the
Internet.''
"We live in an information environment vastly different than 20
years ago," Gross said in a written statement. "Hackers are
increasing in number and in frequency of attack."
In the latest case, the Delaware teen, whose name, age and
hometown were not released, altered the Internet web site for the
Marshall Space Flight Center in Huntsville, Ala., according to
the statement from the computer crimes division of NASA's
Inspector General Office.
"We own you. Oh, what a tangled web we weave, when we practice to
deceive," the teen's message said, adding that the government
systems administrators who manage the site were "extremely
stupid."
The message also encouraged sympathizers of Kevin Mitnick, a
notorious computer hacker, to respond to the site. Mitnick was
indicted last year on charges stemming from a multimillion-dollar
crime wave in cyberspace.
The altered message was noticed by the computer security team in
Huntsville but the NASA statement did not mention how long the
message was available to the public or exactly when it was
discovered. NASA officials weren't made available to answer
questions about the event.
In the statement, NASA called the teen's hacking "a cracking
spree" and said it was stopped May 26 when his personal computer
was seized.
Prosecutors from the U.S. Attorney's office in Delaware and
Alabama are handling the case with NASA's computer crimes
division.
Last March, cyberspace invaders made their way into another NASA
web site and threatened an electronic terrorist attack against
corporate America. The group, which called itself ``H4G1S'' in
one message and ``HAGIS'' in another, also called for some
well-known hackers to be released from jail.
Engineers at the Goddard Space Flight Center in Greenbelt, Md.,
quickly noticed the change and took the page off the Internet
within 30 minutes. NASA officials said the agency installed
electronic security measures designed to prevent a recurrence.
0xb>-------------------------------------------------------------------------
Title: Agriculture Dept. Web Site Closed after Security Breach
Source: Reuter
Author: unknown
WASHINGTON (June 11, 1997 00:08 a.m. EDT) - The U.S. Agriculture
Department's Foreign Agricultural Service shut down access to its
internet home page Tuesday after a major security breach was
discovered, a department aide said.
"It's a big, huge problem," Ed Desrosiers, a computer specialist
in USDA's Farm Service Agency, told Reuters. "We can't guarantee
anything's clean anymore."
Someone broke into system and began "sending out a lot of
messages" to other "machines" on the internet, Desrosiers said.
The volume of traffic was so great, "we were taking down machines"
and began receiving complaints, he said.
"It's not worth our time to try to track down" the culprit,
Desrosiers said. "Instead, we're just going to massively increase
security."
A popular feature on the FAS home page is the search function for
"attache reports," which are filed by overseas personnel and
provide assessments on crop conditions around the world. Although
not official data, the reports provide key information that goes
into USDA's monthly world supply-and-demand forecasts.
It could be next week before the page is open to outside users
again, Desrosiers said.
0xc>-------------------------------------------------------------------------
Title: Hackers Smash US Government Encryption Standard
Source: fight-censorship@vorlon.mit.edu
Oakland, California (June 18, 1997)-The 56-bit DES encryption
standard, long claimed "adequate" by the U.S. Government, was
shattered yesterday using an ordinary Pentium personal computer
operated by Michael K. Sanders, an employee of iNetZ, a Salt Lake
City, Utah-based online commerce provider. Sanders was part of a
loosely organized group of computer users responding to the "RSA
$10,000 DES Challenge." The code-breaking group distributed computer
software over the Internet for harnessing idle moments of computers
around the world to perform a 'brute force' attack on the encrypted
data.
"That DES can be broken so quickly should send a chill through the
heart of anyone relying on it for secure communications," said Sameer
Parekh, one of the group's participants and president of C2Net
Software, an Internet encryption provider headquartered in Oakland,
California (http://www.c2.net/). "Unfortunately, most people today
using the Internet assume the browser software is performing secure
communications when an image of a lock or a key appears on the
screen. Obviously, that is not true when the encryption scheme is
56-bit DES," he said.
INetZ vice president Jon Gay said "We hope that this will encourage
people to demand the highest available encryption security, such as
the 128-bit security provided by C2Net's Stronghold product, rather
than the weak 56-bit ciphers used in many other platforms."
Many browser programs have been crippled to use an even weaker, 40-bit
cipher, because that is the maximum encryption level the
U.S. government has approved for export. "People located within the US
can obtain more secure browser software, but that usually involves
submitting an affidavit of eligibility, which many people have not
done," said Parekh. "Strong encryption is not allowed to be exported
from the U.S., making it harder for people and businesses in
international locations to communicate securely," he explained.
According to computer security expert Ian Goldberg, "This effort
emphasizes that security systems based on 56-bit DES or
"export-quality" cryptography are out-of-date, and should be phased
out. Certainly no new systems should be designed with such weak
encryption.'' Goldberg is a member of the University of California at
Berkeley's ISAAC group, which discovered a serious security flaw in
the popular Netscape Navigator web browser software.
The 56-bit DES cipher was broken in 5 months, significantly faster
than the hundreds of years thought to be required when DES was adopted
as a national standard in 1977. The weakness of DES can be traced to
its "key length," the number of binary digits (or "bits") used in its
encryption algorithm. "Export grade" 40-bit encryption schemes can be
broken in less than an hour, presenting serious security risks for
companies seeking to protect sensitive information, especially those
whose competitors might receive code-breaking assistance from foreign
governments.
According to Parekh, today's common desktop computers are tremendously
more powerful than any computer that existed when DES was
created. "Using inexpensive (under $1000) computers, the group was
able to crack DES in a very short time," he noted. "Anyone with the
resources and motivation to employ modern "massively parallel"
supercomputers for the task can break 56-bit DES ciphers even faster,
and those types of advanced technologies will soon be present in
common desktop systems, providing the keys to DES to virtually
everyone in just a few more years."
56-bit DES uses a 56-bit key, but most security experts today consider
a minimum key length of 128 bits to be necessary for secure
encryption. Mathematically, breaking a 56-bit cipher requires just
65,000 times more work than breaking a 40-bit cipher. Breaking a
128-bit cipher requires 4.7 trillion billion times as much work as one
using 56 bits, providing considerable protection against brute-force
attacks and technical progress.
C2Net is the leading worldwide provider of uncompromised Internet
security software. C2Net's encryption products are developed entirely
outside the United States, allowing the firm to offer full-strength
cryptography solutions for international communications and
commerce. "Our products offer the highest levels of security available
today. We refuse to sell weak products that might provide a false
sense of security and create easy targets for foreign governments,
criminals, and bored college students," said Parekh. "We also oppose
so-called "key escrow" plans that would put everyone's cryptography
keys in a few centralized locations where they can be stolen and sold
to the highest bidder," he added. C2Net's products include the
Stronghold secure web server and SafePassage Web Proxy, an enhancement
that adds full-strength encryption to any security-crippled "export
grade" web browser software.
0xd>-------------------------------------------------------------------------
Title: Hacker May Stolen JonBenet computer Documents
Source: Associated Press
Author: Jennifer Mears
BOULDER, Colo. (June 13, 1997 07:38 a.m. EDT) -- A computer hacker has
infiltrated the system set aside for authorities investigating the slaying
of JonBenet Ramsey, the latest blow to a heavily criticized inquiry.
[...despite the computer not being online or connected to other computers..]
Boulder police spokeswoman Leslie Aaholm said the computer was "hacked"
sometime early Saturday. The incident was announced by police Thursday.
"We don't believe anything has been lost, but we don't know what, if
anything, has been copied," said Detective John Eller, who is leading the
investigation into the slaying of the 6-year-old girl nearly six months ago.
The computer is in a room at the district attorney's office that police
share with the prosecutor's investigators. The room apparently had not been
broken into. Computer experts with the Colorado Bureau of Investigations
were examining equipment to determine what had been done.
[Bullshit. It was later found out that the machine was not hacked at all.]
0xe>-------------------------------------------------------------------------
Title: Hacker Vows 'Terror' for Pornographers
Source: Wired
Author: Steve Silberman
After 17 years in the hacker underground, Christian Valor - well known
among old-school hackers and phone phreaks as "Se7en" - was convinced
that most of what gets written in the papers about computers and hacking
is sensationalistic jive. For years, Valor says, he sneered at reports
of the incidence of child pornography on the Net as
"exaggerated/over-hyped/fearmongered/bullshit."
Now making his living as a lecturer on computer security, Se7en claims
he combed the Net for child pornography for eight weeks last year
without finding a single image.
That changed a couple of weeks ago, he says, when a JPEG mailed by an
anonymous prankster sent him on an odyssey through a different kind of
underground: IRC chat rooms with names like #littlegirlsex, ftp
directories crammed with filenames like 6yoanal.jpg and 8&dad.jpg, and
newsgroups like alt.binaries.pictures.erotica.pre-teen. The anonymous
file, he says, contained a "very graphic" image of a girl "no older
than 4 years old."
On 8 June, Se7en vowed on a hacker's mailing list to deliver a dose of
"genuine hacker terror" to those who upload and distribute such images
on the Net. The debate over his methods has stirred up tough questions
among his peers about civil liberties, property rights, and the ethics
of vigilante justice.
A declaration of war
What Se7en tapped into, he says, was a "very paranoid" network of
traders of preteen erotica. In his declaration of "public war" -
posted to a mailing list devoted to an annual hacker's convention
called DefCon - Se7en explains that the protocol on most child-porn
servers is to upload selections from your own stash, in exchange for
credits for more images.
What he saw on those servers made him physically sick, he says. "For
someone who took a virtual tour of the kiddie-porn world for only one
day," he writes, "I had the opportunity to fully max out an Iomega
100-MB Zip disc."
Se7en's plan to "eradicate" child-porn traders from the Net is
"advocating malicious, destructive hacking against these people." He
has enlisted the expertise of two fellow hackers for the first wave of
attacks, which are under way.
Se7en feels confident that legal authorities will look the other way
when the victims of hacks are child pornographers - and he claims that
a Secret Service agent told him so explicitly. Referring to a command
to wipe out a hard drive by remote access, Se7en boasted, "Who are
they going to run to? The police? 'They hacked my kiddie-porn server
and rm -rf'd my computer!' Right."
Se7en claims to have already "taken down" a "major player" - an
employee of Southwestern Bell who Se7en says was "posting ads all over
the place." Se7en told Wired News that he covertly watched the man's
activities for days, gathering evidence that he emailed to the
president of Southwestern Bell. Pseudonymous remailers like
hotmail.com and juno.com, Se7en insists, provide no security blanket
for traders against hackers uncovering their true identities by
cracking server logs. Se7en admits the process of gaining access to
the logs is time consuming, however. Even with three hackers on the
case, it "can take two or three days. We don't want to hit the wrong
person."
A couple of days after submitting message headers and logs to the
president and network administrators of Southwestern Bell, Se7en says,
he got a letter saying the employee was "no longer on the payroll."
The hacker search for acceptance
Se7en's declaration of war received support on the original mailing
list. "I am all for freedom of speech/expression," wrote one poster,
"but there are some things that are just wrong.... I feel a certain
moral obligation to the human race to do my part in cleaning up the
evil."
Federal crackdowns targeting child pornographers are ineffective, many
argued. In April, FBI director Louis Freeh testified to the Senate
that the bureau operation dubbed "Innocent Images" had gathered the
names of nearly 4,000 suspected child-porn traffickers into its
database. Freeh admitted, however, that only 83 of those cases
resulted in convictions. (The Washington Times reports that there have
also been two suicides.)
The director's plan? Ask for more federal money to fight the "dark
side of the Internet" - US$10 million.
Pitching in to assist the Feds just isn't the hacker way. As one
poster to the DefCon list put it, "The government can't enforce laws
on the Internet. We all know that. We can enforce laws on the
Internet. We all know that too."
The DefCon list was not a unanimous chorus of praise for Se7en's plan
to give the pornographers a taste of hacker terror, however. The most
vocal dissenter has been Declan McCullagh, Washington correspondent
for the Netly News. McCullagh is an outspoken champion of
constitutional rights, and a former hacker himself. He says he was
disturbed by hackers on the list affirming the validity of laws
against child porn that he condemns as blatantly unconstitutional.
"Few people seem to realize that the long-standing federal child-porn
law outlawed pictures of dancing girls wearing leotards," McCullagh
wrote - alluding to the conviction of Stephen Knox, a graduate student
sentenced to five years in prison for possession of three videotapes
of young girls in bathing suits. The camera, the US attorney general
pointed out, lingered on the girls' genitals, though they remained
clothed. "The sexual implications of certain modes of dress, posture,
or movement may readily put the genitals on exhibition in a lascivious
manner, without revealing them in a nude display," the Feds argued -
and won.
It's decisions like Knox v. US, and a law criminalizing completely
synthetic digital images "presented as" child porn, McCullagh says,
that are making the definition of child pornography unacceptably
broad: a "thought crime."
The menace of child porn is being exploited by "censor-happy"
legislators to "rein in this unruly cyberspace," McCullagh says. The
rush to revile child porn on the DefCon list, McCullagh told Wired
News, reminded him of the "loyalty oaths" of the McCarthy era.
"These are hackers in need of social acceptance," he says. "They've
been marginalized for so long, they want to be embraced for stamping
out a social evil." McCullagh knows his position is a difficult one to
put across to an audience of hackers. In arguing that hackers respect
the property rights of pornographers, and ponder the constitutionality
of the laws they're affirming, McCullagh says, "I'm trying to convince
hackers to respect the rule of law, when hacking systems is the
opposite of that."
But McCullagh is not alone. As the debate over Se7en's declaration
spread to the cypherpunks mailing list and alt.cypherpunks -
frequented by an older crowd than the DefCon list - others expressed
similar reservations over Se7en's plan.
"Basically, we're talking about a Dirty Harry attitude," one network
technician/cypherpunk told Wired News. Though he senses "real feeling"
behind Se7en's battle cry, he feels that the best way to deal with
pornographers is to "turn the police loose on them." Another
participant in the discussion says that while he condemns child porn
as "terrible, intrinsically a crime against innocence," he questions
the effectiveness of Se7en's strategy.
"Killing their computer isn't going to do anything," he says,
cautioning that the vigilante approach could be taken up by others.
"What happens if you have somebody who doesn't like abortion? At what
point are you supposed to be enforcing your personal beliefs?"
Raising the paranoia level
Se7en's loathing for aficionados of newsgroups like
alt.sex.pedophilia.swaps runs deeper than "belief." "I myself was
abused when I was a kid," Se7en told Wired News. "Luckily, I wasn't a
victim of child pornography, but I know what these kids are going
through."
With just a few hackers working independently to crack server logs,
sniff IP addresses, and sound the alarm to network administrators, he
says, "We can take out one or two people a week ... and get the
paranoia level up," so that "casual traders" will be frightened away
from IRC rooms like "#100%preteensexfuckpics."
It's not JPEGs of clothed ballerinas that raise his ire, Se7en says.
It's "the 4-year-olds being raped, the 6-year-old forced to have oral
sex with cum running down themselves." Such images, Se7en admits, are
very rare - even in online spaces dedicated to trading sexual imagery
of children.
"I know what I'm doing is wrong. I'm trampling on the rights of these
guys," he says. "But somewhere in the chain, someone is putting these
images on paper before they get uploaded. Your freedom ends when you
start hurting other people."
0xf>-------------------------------------------------------------------------
Title: Mitnick Gets 22 Month Sentence
Source: LA Times
Author: Julie Tamaki
Date: Tuesday, June 17, 1997
A federal judge indicated Monday that she plans to sentence famed computer
hacker Kevin Mitnick to 22 months in prison for cellular phone fraud and
violating his probation from an earlier computer crime conviction.
The sentencing Monday is only a small part of Mitnick's legal problems.
Still pending against him is a 25-count federal indictment accusing him of
stealing millions of dollars in software during an elaborate hacking spree
while he was a fugitive. A trial date in that case has yet to be set.
U.S. District Judge Mariana R. Pfaelzer on Monday held off on formally
sentencing Mitnick for a week in order to give her time to draft conditions
for Mitnick's probation after he serves the prison term.
Pfaelzer said she plans to sentence Mitnick to eight months on the cellular
phone fraud charge and 14 months for violating his probation from a 1988
computer-hacking conviction, Assistant U.S. Atty. Christopher Painter said.
The sentences will run consecutively.
Mitnick faces the sentence for violating terms of his probation when he
broke into Pac Bell voice mail computers in 1992 and used stolen passwords
of Pac Bell security employees to listen to voice mail, Painter said. At the
time, Mitnick was employed by Teltec Communications, which was under
investigation by Pac Bell.
0x10>-------------------------------------------------------------------------
Title: New York Judge Prohibits State Regulation of Internet
Source: unknown
Author: unknown
Date: Friday, June 20, 1997
NEW YORK -- As the nation awaits a Supreme Court decision on
Internet censorship, a federal district judge here today blocked
New York State from enforcing its version of the federal
Communications Decency Act (CDA).
Ruling simultaneously in ACLU v. Miller, another ACLU challenge to
state Internet regulation, a Federal District Judge in Georgia
today struck down a law criminalizing online anonymous speech and
the use of trademarked logos as links on the World Wide Web.
In ALA v. Pataki, Federal District Judge Loretta A. Preska issued
a preliminary injunction against the New York law, calling the
Internet an area of commerce that should be marked off as a
"national preserve" to protect online speakers from inconsistent
laws that could "paralyze development of the Internet altogether."
Judge Preska, acknowledging that the New York act was "clearly
modeled on the CDA," did not address the First Amendment issues
raised by the ACLU's federal challenge, saying that the Commerce
Clause provides "fully adequate support" for the injunction and
that the Supreme Court would address the other issues in its
widely anticipated decision in Reno v. ACLU. (The Court's next
scheduled decision days are June 23, 25 and 26.)
"Today's decisions in New York and Georgia say that, whatever
limits the Supreme Court sets on Congress's power to regulate the
Internet, states are prohibited from acting to censor online
expression," said Ann Beeson, an ACLU national staff attorney who
argued the case before Judge Preska and is a member of the ACLU v.
Miller and Reno v. ACLU legal teams.
"Taken together, these decisions send a very important and
powerful message to legislators in the other 48 states that they
should keep their hands off the Internet," Beeson added.
In a carefully reasoned, 62-page opinion, Judge Preska warned of
the extreme danger that state regulation would pose to the
Internet, rejecting the state's argument that the statute would
even be effective in preventing so-called "indecency" from
reaching minors. Further, Judge Preska observed, the state can
already protect children through the vigorous enforcement of
existing criminal laws.
"In many ways, this decision is more important for the business
community than for the civil liberties community," said Chris
Hansen, a senior ACLU attorney on the ALA v. Pataki legal team and
lead counsel in Reno v. ACLU. "Legislatures are just about done
with their efforts to regulate the business of Internet 'sin,' and
have begun turning to the business of the Internet itself. Today's
decision ought to stop that trend in its tracks."
Saying that the law would reduce all speech on the Internet to a
level suitable for a six-year-old, the American Civil Liberties
Union, the New York Civil Liberties Union, the American Library
Association and others filed the challenge in January of this
year.
The law, which was passed by the New York legislature late last
year, provides criminal sanctions of up to four years in jail for
communicating so-called "indecent" words or images to a minor.
In a courtroom hearing before Judge Preska in April, the ACLU
presented a live Internet demonstration and testimony from
plaintiffs who said that their speech had already been "chilled"
by the threat of criminal prosecution.
"This is a big win for the people of the state of New York," said
Norman Siegel, Executive Director of the New York Civil Liberties
Union. "Today's ruling vindicates what we have been saying all
along to Governor Pataki and legislators, that they cannot legally
prevent New Yorkers from engaging in uninhibited, open and robust
freedom of expression on the Internet."
The ALA v. Pataki plaintiffs are: the American Library
Association, the Freedom to Read Foundation, the New York Library
Association, the American Booksellers Foundation for Free
Expression, Westchester Library System, BiblioBytes, Association
of American Publishers, Interactive Digital Software Association,
Magazine Publishers of America, Public Access Networks Corp.
(PANIX), ECHO, NYC Net, Art on the Net, Peacefire and the American
Civil Liberties Union.
Michael Hertz and others of the New York firm Latham & Watkins
provided pro-bono assistance to the ACLU and NYCLU; Michael
Bamberger of Sonnenschein Nath & Rosenthal in New York is also
co-counsel in the case. Lawyers from the ACLU are Christopher
Hansen, Ann Beeson and Art Eisenberg, legal director of the NYCLU.
0x11>-------------------------------------------------------------------------
Title: Breaking the Crypto Barrier
Source: Wired
Author: Chris Oakes
Date: 5:03am 20.Jun.97.PDT
Amid a striking convergence of events bearing on
US encryption policy this week, one development underlined what many see
as the futility of the Clinton administration's continuing effort to
block the export of strong encryption: The nearly instantaneous movement
of PGP's 128-bit software from its authorized home on a Web server at
MIT to at least one unauthorized server in Europe.
Shortly after Pretty Good Privacy's PGP 5.0 freeware was made available
at MIT on Monday, the university's network manager, Jeffrey Schiller,
says he read on Usenet that the software had already been transmitted to
a foreign FTP server. Ban or no ban, someone on the Net had effected the
instant export of a very strong piece of code. On Wednesday, Wired News
FTP'd the software from a Dutch server, just like anyone with a
connection could have.
A Commerce Department spokesman said his office was unaware of the
breach.
The event neatly coincided with the appearance of a new Senate bill that
seeks to codify the administration's crypto policy, and an announcement
Wednesday that an academic/corporate team had succeeded in breaking the
government's standard 56-bit code.
The software's quick, unauthorized spread to foreign users might have an
unexpected effect on US law, legal sources noted.
"If [Phil] Zimmermann's [original PGP] software hadn't gotten out on the
Internet and been distributed worldwide, unquestionably we wouldn't have
strong encryption today," said lawyer Charles Merrill, who chairs his
firm's computer and high-tech law-practice group. Actions like the PGP
leak, he speculated, may further the legal flow of such software across
international borders.
Said Robert Kohn, PGP vice president and general counsel: "We're
optimistic that no longer will PGP or companies like us have to do
anything special to export encryption products."
The Web release merely sped up a process already taking place using a
paper copy of the PGP 5.0 source code and a scanner - reflecting the
fact it is legal to export printed versions of encryption code.
On Wednesday, the operator of the International PGP Home Page announced
that he had gotten his hands on the 6,000-plus-page source code, had
begun scanning it, and that a newly compiled version of the software
will be available in a few months.
Norwegian Stale Schumaker, who maintains the site, said several people
emailed and uploaded copies of the program to an anonymous FTP server he
maintains. But he said he deleted the files as soon as he was aware of
them, because he wants to "produce a version that is 100 percent legal"
by scanning the printed code.
The paper copy came from a California publisher of technical manuals and
was printed with the cooperation of PGP Inc. and its founder, Phil
Zimmermann. Schumaker says he does not know who mailed his copy.
"The reason why we publish the source code is to encourage peer review,"
said PGP's Kohn, "so independent cryptographers can tell other people
that there are no back doors and that it is truly strong encryption."
Schumaker says his intentions are farther-reaching.
"We are a handful of activists who would like to see PGP spread to the
whole world," his site reads, alongside pictures of Schumaker readying
pages for scanning. "You're not allowed to download the program from
MIT's Web server because of the archaic laws in the US. That's why we
exported the source-code books."
0x12>-------------------------------------------------------------------------
Title: Setback in Efforts to Secure Online Privacy
Source: unknown
Author: unknown
Date: Thursday, June 19, 1997
WASHINGTON -- A Senate committee today setback legislative efforts to
secure online privacy, approving legislation that would restrict the right
of businesses and individuals both to use encryption domestically and to
export it.
On a voice vote, the Senate Commerce Committee adopted legislation that
essentially reflects the Clinton Administration's anti-encryption policies.
The legislation approved today on a voice vote by the Senate Commerce
Committee was introduced this week by Senate Commerce Committee Chairman
John McCain, Republican of Arizona, and co-sponsored by Democrats Fritz
Hollings of South Carolina; Robert Kerry of Nebraska and John Kerry of
Massachusetts.
Encryption programs scramble information so that it can only be read
with a "key" -- a code the recipient uses to unlock the scrambled
electronic data. Programs that use more than 40 bits of data to encode
information are considered "strong" encryption. Currently, unless these
keys are made available to the government, the Clinton Administration bans
export of hardware or software containing strong encryption, treating
these products as "munitions."
Privacy advocates continue to criticize the Administration's
stance, saying that the anti-cryptography ban has considerably
weakened U.S. participation in the global marketplace, in addition
to curtailing freedom of speech by denying users the right to "speak"
using encryption. The ban also violates the right to privacy by
limiting the ability to protect sensitive information in the new
computerized world.
Today's committee action knocked out of consideration the so-called
"Pro-CODE" legislation, a pro-encryption bill introduced by Senator
Conrad Burns, Republican of Montana. Although the Burns legislation
raised some civil liberties concerns, it would have lifted export
controls on encryption programs and generally protected individual
privacy.
"Privacy, anonymity and security in the digital world depend on
encryption," said Donald Haines, legislative counsel on privacy and
cyberspace issues for the ACLU's Washington National Office. "The aim
of the Pro-CODE bill was to allow U.S. companies to compete with
industries abroad and lift restrictions on the fundamental right to
free speech, the hallmark of American democracy."
"Sadly, no one on the Commerce Committee, not even Senator Burns,
stood up and defended the pro-privacy, pro-encryption effort," Haines
added.
In the House, however, strong encryption legislation that would add
new privacy protections for millions of Internet users in this country and
around the world has been approved by two subcommittees.
The legislation -- H.R. 695, the "Security and Freedom Through
Encryption Act" or SAFE -- would make stronger encryption products
available to American citizens and users of the Internet around the
world. It was introduced by Representative Robert W. Goodlatte, Republican
of Virginia.
"We continue to work toward the goal of protecting the privacy of all
Internet users by overturning the Clinton Administration's unreasonable
encryption policy," Haines concluded
0x13>-------------------------------------------------------------------------
Title: Captain Crunch Web Site Now Moved
Source: Telecom Digest 17.164
The Cap'n Crunch home page URL has been changed. The new URL is now
http://crunch.woz.org/crunch
I've made significant changes to the site, added a FAQ based on a lot
of people asking me many questions about blue boxing, legal stuff, and
hacking in general. The FAQ will be growing all the time, as I go
through all the requests for information that many people have sent.
"Email me" if you want to add more questions.
Our new server is now available to host web sites for anyone who wants
to use it for interesting projects. This is for Elite people only,
and you have to send me a proposal on what you plan to use it for.
[So now old John gets to decide who is elite and who isn't.]
I'm open for suggestions, and when you go up to the WebCrunchers web
site: http://crunch.woz.org
You'll get more details on that. Our server is a Mac Power PC,
running WebStar web server, connected through a T-1 link to the
backbone. I know that the Mac Webserver might be slower, but I had
security in mind when I picked it. Besides, I didn't pick it, Steve
Wozniak did... :-) So please don't flame me for using a Mac.
I know that Mac's are hated by hackers, but what the heck ... at least
we got our OWN server now.
I also removed all the blatant commercial hipe from the home page and
put it elsewhere. But what the heck ... I should disserve to make
SOME amount of money selling things like T-shirts and mix tapes.
We plan to use it for interesting projects, and I want to put up some
Audio files of Phone tones. For instance, the sound of a blue box
call going through, or some old sounds of tandom stacking. If there
are any of you old-timers out there that might have some interesting
audio clips of these sounds, please get in touch with me.
[There is already a page out there with those sounds and a lot more..
done by someone who discovered phreaking on their own. Little known
fact because of all the obscurement: John Draper did not discover
blue boxing. It was all taught to him.]
Our new Domain name registration will soon be activated, and at that
time our URL will be:
http://www.webcrunchers.com - Our Web hosting server
http://www.webcrunchers.com/crunch - Official Cap'n Crunch home page
Regards,
Cap'n Crunch
0x14>-------------------------------------------------------------------------
Title: US Justive Dept. Investigating Network Solutions
Source: New York Times
Author: Agis Salpukas
Date: 7 July '97
The Justice Department has begun an investigation into the
practice of assigning Internet addresses to determine if the
control that Network Solutions Inc. exercises over the process
amounts to a violation of antitrust laws.
The investigation was disclosed by the company Thursday in
documents filed with the Securities and Exchange Commission. The
filing came as part of a proposed initial stock offering that is
intended to raise $35 million.
The investigation was first reported in The Washington Post on
Sunday.
Network Solutions, which is based in Herndon, Va., and is a
subsidiary of Science Applications International Corp., has been
the target of a growing chorus of complaints and two dozen
lawsuits as the Internet has expanded and the competition for
these addresses, or domain names, has grown more intense.
0x15>-------------------------------------------------------------------------
Title: Cyber Patrol Bans Crypt Newsletter
Source: Crypt Newsletter
Author: George Smith
Date: June 19, 1997
Hey, buddy, did you know I'm a militant extremist? Cyber Patrol, the
Net filtering software designed to protect your children from
cyberfilth, says so. Toss me in with those who sleep with a copy of
"The Turner Diaries" under their pillows and those who file nuisance
liens against officials of the IRS. Seems my Web site is dangerous
viewing.
I discovered I was a putative militant extremist while reading a
story on Net censorship posted on Bennett Haselton's PeaceFire
Web site. Haselton is strongly critical of Net filtering software and
he's had his share of dustups with vendors like Cyber Patrol, who
intermittently ban his site for having the temerity to be a naysayer.
Haselton's page included some links so readers could determine what
other Web pages were banned by various Net filters. On a lark, I typed
in the URL of the Crypt Newsletter, the publication I edit. Much to my
surprise, I had been banned by Cyber Patrol. The charge? Militant
extremism. Cyber Patrol also has its own facility for checking if a
site is banned, called the CyberNOT list. Just to be sure, I
double-checked. Sure enough, I was a CyberNOT.
Now you can call me Ray or you can call me Joe, but don't ever call me
a militant extremist! I've never even seen one black helicopter
transporting U.N. troops to annex a national park.
However, nothing is ever quite as it seems on the Web and before I
went into high dudgeon over political censorship--the Crypt Newsletter
has been accused of being "leftist" for exposing various
government, academic, and software industry charlatans--I told some of
my readership. Some of them wrote polite--well, almost polite--letters
to Debra Greaves, Cyber Patrol's head of Internet research. And
Greaves wrote back almost immediately, indicating it had all been a
mistake.
My Web site was blocked as a byproduct of a ban on another page on the
same server. "We do have a [blocked] site off of that server with a
similar directory. I have modified the site on our list to be more
unique so as to not affect [your site] any longer," she wrote.
Perhaps I should have been reassured that Cyber Patrol wasn't banning
sites for simply ridiculing authority figures, a favorite American
past time. But if anything, I was even more astonished to discover th
company's scattershot approach to blocking. It doesn't include precise
URLs in its database. Instead, it prefers incomplete addresses that
block everything near the offending page. The one that struck down
Crypt News was "soci.niu.edu/~cr," a truncated version of my complete
URL. In other words: any page on the machine that fell under "~cr" was
toast.
Jim Thomas, a sociology professor at Northern Illinois University,
runs this particular server, and it was hard to imagine what would be
militantly extreme on it. Nevertheless, I ran the news by Thomas. It
turns out that the official home page of the American Society of
Criminology's Critical Criminology Division, an academic resource,
was the target. It features articles from a scholarly criminology
journal and has the hubris to be on record as opposing the death
penalty but didn't appear to have anything that would link it with
bomb-throwing anarchists, pedophiles, and pornographers.
There was, however, a copy of the Unabomber Manifesto on the page.
I told Thomas I was willing to bet $1,000 cash money that Ted
Kaczynski's rant was at the root of Cyber Patrol's block.
Thomas confirmed it, but I can't tell you his exact words. It
might get this page blocked, too.
What this boils down to is that Cyber Patrol is banning writing on the
Web that's been previously published in a daily newspaper: The
Washington Post. It can also be said the Unabomber Manifesto already
has been delivered to every corner of American society.
If the ludicrous quality of this situation isn't glaring enough,
consider that one of Cyber Patrol's partners, CompuServe, promoted the
acquisition of electronic copies of the Unabomber Manifesto after it
published by the Post. And these copies weren't subject to any
restrictions that would hinder children from reading them. In fact,
I've never met anyone from middle-class America who said, "Darn those
irresponsible fiends at the Post! Now my children will be inspired to
retreat to the woods, write cryptic essays attacking techno-society,
and send exploding parcels to complete strangers."
Have you?
So, will somebody explain to me how banning the Unabomber Manifesto,
the ASC's Critical Criminology home page, and Crypt Newsletter
protects children from smut and indecency? That's a rhetorical
question.
Cyber Patrol is strongly marketed to public libraries, and has been
acquired by some, in the name of protecting children from Net
depravity.
Funny, I thought a public library would be one of the places you'd be
more likely to find a copy of the Unabomber Manifesto.
0x16>-------------------------------------------------------------------------
Title: Some humor on media hacks and hackers
Source: Defcon Mailing List
Author: George Smith / Crypt Newsletter
In as fine a collection of stereotypes as can be found, the
Associated Press furnished a story on July 14 covering the annual
DefCon hacker get together in Las Vegas. It compressed at least
one hoary cliche into each paragraph.
Here is a summary of them.
The lead sentence: "They're self-described nerds . . . "
Then, in the next sentence, "These mostly gawky, mostly male
teen-agers . . . also are the country's smartest and slyest computer
hackers."
After another fifty words, "These are the guys that got beat up in
high school and this is their chance to get back . . . "
Add a sprinkling of the obvious: "This is a subculture of
computer technology . . ."
Stir in a paraphrased hacker slogan: "Hacking comes from an
intellectual desire to figure out how things work . . ."
A whiff of crime and the outlaw weirdo: "Few of these wizards will
identify themselves because they fear criminal prosecution . . . a
25-year-old security analyst who sports a dog collar and nose ring, is
cautious about personal information."
Close with two bromides that reintroduce the stereotype:
"Hackers are not evil people. Hackers are kids."
As a simple satirical exercise, Crypt News rewrote the Associated
Press story as media coverage of a convention of newspaper editors.
It looked like this:
LAS VEGAS -- They're self-described nerds, dressing in starched
white shirts and ties.
These mostly overweight, mostly male thirty, forty and
fiftysomethings are the country's best known political pundits,
gossip columnists and managing editors. On Friday, more than 1,500 of
them gathered in a stuffy convention hall to swap news and network.
"These are the guys who ate goldfish and dog biscuits at frat parties
in college and this is their time to strut," said Drew Williams,
whose company, Hill & Knowlton, wants to enlist the best editors
and writers to do corporate p.r.
"This is a subculture of corporate communicators," said Williams.
Journalism comes from an intellectual desire to be the town crier
and a desire to show off how much you know, convention-goers said.
Circulation numbers and ad revenue count for more than elegant prose
and an expose on the President's peccadillos gains more esteem from
ones' peers than klutzy jeremiads about corporate welfare and
white-collar crime.
One group of paunchy editors and TV pundits were overheard
joking about breaking into the lecture circuit, where one
well-placed talk to a group of influential CEOs or military
leaders could earn more than many Americans make in a year.
Few of these editors would talk on the record for fear of
professional retribution. Even E.J., a normally voluble
45-year-old Washington, D.C., editorial writer, was reticent.
"Columnists aren't just people who write about the political
scandal of the day," E.J. said cautiously. "I like to think of
columnists as people who take something apart that, perhaps,
didn't need taking apart."
"We are not evil people. We're middle-aged, professional
entertainers in gray flannel suits."
0x17>-------------------------------------------------------------------------
Title: Cellular Tracking Technologies
Source: unknown
Author: unknown
A recent article from the San Jose Mercury News by Berry Witt ("Squabble
puts non-emergency phone number on hold") raises several important
questions -- questions I think are relavant to the CUD's readership...
Does anybody remember the FBI's request that cell phone companies must
build in tracking technology to their systems that allows a person's
position to be pin pointed by authorities? That suggested policy resulted
in a flurry of privacy questions and protests from the industry, suggesting
such requirements would force them to be uncompetitive in the global
marketplace. The article, dated July 20, (which was focused on 911
cellular liability issues) suggests federal authorities may have worked out
an end run around the controversy. The article states:
"The cellular industry is working to meet a federal requirement that by
next spring, 911 calls from cellular phones provide dispatchers the
location of the nearest cell site and that within five years, cellular
calls provide dispatchers the location of the caller within a 125-meter
radius. "
On its face, this seems reasonable and it is a far cry from the real time
tracking requirements of any cell phone that is turned on (The FBI's
original request). But by next spring, this tracking system will be in
place and on line. I have heard no public debate about the privacy
implications regarding this "Federal Requirement", nor has there been any
indication that this information will be restricted to 911 operators.
Will this information be available to law enforcement officials if they
have a warrant? If they don't have a warrant? Will this information be
secured so enterprising criminals won't have access to it? Exactly WHAT
kind of security is being implemented so it WON'T be accessible to the
general public.
This smacks of subterfuge. By cloaking the cellular tracking issue in the
very real issue of the 911 location system, the federal government and law
enforcement agencies have circumvented the legitimate privacy questions
that arose from their initial Cellular tracking request.
0x18>-------------------------------------------------------------------------
Title: Court Mixes Internet Smut Provision
Source: Associated Press
Author: unknown
Date: June 26, 1997
WASHINGTON (AP) -- Congress violated free-speech rights when it
tried to curb smut on the Internet, the Supreme Court ruled today.
In its first venture into cyberspace law, the court invalidated a
key provision of the 1996 Communications Decency Act.
Congress' effort to protect children from sexually explicit
material goes too far because it also would keep such material
from adults who have a right to see it, the justices unanimously
said.
The law made it a crime to put adult-oriented material online
where children can find it. The measure has never taken effect
because it was blocked last year by a three-judge court in
Philadelphia.
``We agree with the three-judge district court that the statute
abridges the freedom of speech protected by the First Amendment,''
Justice John Paul Stevens wrote for the court.
``The (Communications Decency Act) is a content-based regulation
of speech,'' he wrote. ``The vagueness of such a regulation raises
special First Amendment concerns because of its obvious chilling
effect on free speech.''
``As a matter of constitutional tradition ... we presume that
governmental regulation of the content of speech is more likely to
interfere with the free exchange of ideas than to encourage it,''
Stevens wrote.
Sexually explicit words and pictures are protected by the
Constitution's First Amendment if they are deemed indecent but not
obscene.
0x1>-------------------------------------------------------------------------
Book Title: Underground
Poster: Darren Reed
A few people will have heard me mention this book already, but I think
there are bits and pieces of this book which will surprise quite a few
people. Most of us are used to reading stories about hacking by the
people who did the catching of the hackers...this one is an ongoing
story of the local hacker scene...with not so local contacts and exploits.
Some of the important things to note are just how well they do work
together, as well as competing with each other and what they do when
they get pissed off with each other. Meanwhile most of the white hats
are too busy trying to hoard information from the other white hats...
Having been on the "victim" side in the past, it is quite frustrating
when someone you've worked to have arrested gets off with a fine. Most
of us would agree that they should be locked up somewhere, but
according to what's in the book, most of them are suffering from either
problems at home or other mental disorders (including one claim in court
to being addicted to hacking). Anyone for a "Hackers Anonymous Association"
for help in drying out from this nefarious activity ? At least in one
case documented within the perpetrators get sentenced to time behind bars.
It's somewhat comforting to read that people have actually broken into
the machines which belong to security experts such as Gene Spafford and
Matt Bishop, although I'd have preferred to have not read how they
successfully broke into the NIC :-/ Don't know about you, but I don't
care what motives they have, I'd prefer for them to not be getting inside
machines which provide integral services for the Internet.
For all of you who like to hide behind firewalls, in one instance a hacker
comes in through X.25 and out onto the Internet. Nice and easy 'cause
we don't need to firewall our X.25 connection do we ? :-)
Oh, and just for all those VMS weenies who like to say "We're secure,
we run VMS not Unix" - the first chapter of the book is on a VMS worm
called "WANK" that came close to taking the NASA VMS network completely
off air. I wonder how long it will take for an NT equivalent to surface...
All in all, a pretty good read (one from which I'm sure hackers will learn
just as much from as the rest of us).
The book's details are:
Title: UNDERGROUND - Tales of Hacking, madness and obsession on the
Electronic Frontier
ISBN 1-86330-595-5
Author: Suelette Dreyfus
Publisher: Random House
Publisher's address: 20 Alfred St, Milsons Point, NSW 2061, Australia
Price: AUS$19.95
before I forget, the best URL for the book I've found is:
http://www.underground-book.com (http://underground.org/book is a mirror)
0x2>-------------------------------------------------------------------------
Book Title: "Hackers"
Poster: Paul Taylor P.A.Taylor@sociology.salford.ac.uk
There's an open invite for people to contact me and discuss the
above and/or anything else that they think is relevant/important.
Below is a brief overview of
the eventual book's rationale and proposed structure.
Hackers: a study of a technoculture
Background
"Hackers" is based upon 4 years PhD research conducted from
1989-1993 at the University of Edinburgh. The research focussed
upon 3 main groups: the Computer Underground (CU); the Computer
Security Industry (CSI); and the academic community. Additional
information was obtained from government officials, journalists
etc.
The face-to-face interview work was conducted in the UK and the
Netherlands. It included figures such as Rop Gongrijp of
Hack-Tic magazine, Prof Hirschberg of Delft University, and
Robert Schifreen. E-mail/phone interviews were conducted in
Europe and the US with figures such as Prof Eugene Spafford of
Purdue Technical University, Kevin Mitnick, Chris Goggans and
John Draper.
Rationale
This book sets out to be an academic study of the social
processes behind hacking that is nevertheless accessible to a
general audience. It seeks to compensate for the "Gee-whiz"
approach of many of the journalistic accounts of hacking. The
tone of these books tends to be set by their titles: The Fugitive
Game; Takedown; The Cyberthief and the Samurai; Masters of
Deception - and so on ...
The basic argument in this book is that, despite the media
portrayal, hacking is not, and never has been, a simple case of
"electronic vandals" versus the good guys: the truth is much more
complex. The boundaries between hacking, the security industry
and academia, for example, are often relatively fluid. In
addition, hacking has a significance outside of its immediate
environment: the disputes that surround it symbolise society's
attempts to shape the values of the informational environments we
will inhabit tomorrow.
Book Outline
Introduction - the background of the study and the range of
contributors
Chapter 1 - The cultural significance of hacking: non-fiction and
fictional portrayals of hacking.
Chapter 2 - Hacking the system: hackers and theories of technological change.
Chapter 3 - Hackers: their culture.
Chapter 4 - Hackers: their motivations
Chapter 5 - The State of the (Cyber)Nation: computer security weaknesses.
Chapter 6- Them and Us: boundary formation and constructing "the other".
Chapter 7 - Hacking and Legislation.
Conclusion
0x1>-------------------------------------------------------------------------
Convention: Cybercrime Conference Announcement
Date: Oct 29 - 31
Cybercrime; E-Commerce & Banking; Corporate, Bank & Computer
Security; Financial Crimes and Information Warfare Conference
will be held October 29, 30, & 31, 1997 (Washington, D.C.) and
November 17 & 18 (New York City) for bankers, lawyers,
information security directors, law enforcement, regulators,
technology developers/providers.
Responding to the global threat posed by advancing technology,
senior level decision makers will join together to share remedies
and solutions towards the ultimate protection of financial and
intellectual property; and against competitive espionage and
electronic warfare. An international faculty of 30 experts will
help you protect your business assets, as well as the information
infrastructure at large.
There will also be a small technology vendor exhibition.
Sponsored by Oceana Publications Inc. 50 year publisher of
international law, in cooperation with the Centre for
International Financial Crimes Studies, College of Law,
University of Florida, and Kroll Associates, a leading
investigative firm. For more information call
800/831-0758 or
914/693-8100; or e-mail: Oceana@panix.com.
http://www.oceanalaw.com/seminar/sem_calendar.htm
0x2>-------------------------------------------------------------------------
Convention: Computers & The Law IV Symposium
Date: October 6-9, Boston
Computers & The Law IV is the only event to bring together corporate
decision-makers, computer professionals and legal experts to discuss
Internet
and Web technology in the eyes of the law. This conference provides a
forum and educational opportunities for all those interested in
keeping their system investment safe and within the law.
Topics will include:
* Corporate liablity on the Internet
* Internet risk management in the enterprise
* Hiring a SysAdmin you can trust
* Legal risks of Internet commerce
* Establishing a fair-use policy
* Prosecuting system intruders
* Communicating with your SysAdmin
* Understanding copyright law
* Assessing your exposure to hackers
* Employee privacy vs. owner rights
... and much more!
FOR MORE INFORMATION CONTACT
The Sun User Group * 14 Harvard Ave, 2nd Floor * Allston, MA 02134
(617)787-2301 * conference@sug.org * http://www.sug.org/CL4
----[ EOF
