Computer underground Digest Wed Feb 17, 1993 Volume 5 : Issue 14 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Copy Editor: Etaion Shrdlu, Seniur CONTENTS, #5.14 (Feb 17, 1993) File 1--Re: CuD, #5.11 - SPA's Piracy Estimates File 2--Cu News: Pirate Amnesty, Toll Fraud Decline, etc File 3--Re: EFF in Time's Cyberpunk Article File 4--Behar's Response to Godwin File 5--Censorship in Cyberspace File 6--Undercover Rambos?? (NYT Story on "Hakr Trakr") File 7--Social Engineering (Re: CuD #.13) File 8--Cybersmut is Good File 9--Suggestions For a Hi-tech Crime-investigators' Seminar? File 10--Re: Unemployed Programmers Turning Talents to Evil (#5.13) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; in Europe from the ComNet in Luxembourg BBS (++352) 466893; and using anonymous FTP on the Internet from ftp.eff.org (192.88.144.4) in /pub/cud, red.css.itd.umich.edu (141.211.182.91) in /cud, halcyon.com (192.135.191.2) in /pub/mirror/cud, and ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD. European readers can access the ftp site at: nic.funet.fi pub/doc/cud. Back issues also may be obtained from the mail server at mailserv@batpad.lgb.ca.us. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Sat, 13 Feb 93 18:56 CST From: gordon@SNEAKY.LONESTAR.ORG(Gordon Burditt) Subject: File 1--Re: CuD, #5.11 - SPA's Piracy Estimates ((In CuD 5.11, tk0jut2@mvs.cso.niu.edu summarized the Software Publishing Association's methodology, and wrote:)) > The third set of facts is the average number of applications that > users are estimated to have on their personal computers. This body of > data comes from member research that is sent back to the SPA. The > members obtain this information from several sources, including > surveys of their own customer base and from returned registration > cards. The SPA estimates that the typical DOS (or Intel-based) PC user > has three applications, and the typical MacIntosh user has five. How does the SPA calculate the effect of system hardware upgrades by replacing the whole system? Often a system is not worth repairing, and when it breaks or gets too obsolete, it's replaced with another new system, and the old one is thrown out or broken down for spare parts. Now, not all replaced systems will be discarded - they may get passed on to someone else - but eventually a system isn't worth repairing, isn't repairable, or it's just too slow or obsolete, and it's no longer used. This is the situation I'm talking about. Most of the 8086-based systems sold went out of service somehow. How does this affect the piracy estimate? Well, you get one current-year system sale. It's quite possible that the system owner transfers his old applications to the new system. This is allowed under most licenses. The owner might upgrade applications as well, but most of the speed improvement for going, say, from a 286 to a 486 is in the hardware, not getting a [34]86-specific application. You get zero new applications purchased for the new system, implying, incorrectly, piracy of 3 applications. What about the old system? Nobody buys applications for a system no longer used as a system. The estimate correctly handles the case of passing the old system on to someone else, who uses it as a system. If the applications are erased from the old system, the new owner will buy some. If the applications are not erased AND transferred to the new system, this is piracy and counts as such. If the applications stay with the old system, the new system owner will buy new ones. Will a new owner of an already-obsolete system buy as many applications as a new owner of a new system? I suppose this depends on how business-use applications count vs. games and personal-use applications. But a survey of applications will look at the applications on the NEW hardware, not the newly-acquired obsolete hardware, making the applications-per-system number higher than it should be. I wonder also how the estimates count non-DOS applications. It's practically impossible to buy a whole system without getting DOS bundled into the price, whether you intend to run DOS or not (Yes, I realize operating systems don't count as applications). Now, if I buy a 486 system, UNIX, and 3 UNIX applications, do they count as applications sold? Or do the UNIX applications count at all? How about if one of the applications is in source form, so the vendor doesn't know that it's for a 386 system? Accuracy test: Take the formula for piracy, plug in a piracy amount of zero (unrealistic, I know), and calculate applications-per-system. Subtract the SPA estimate of applications-per-system, which, as I understand it from this article, is 3.000000000000000 for IBM-PC-based systems. How much of an error in applications-per-system do you need to bring the piracy estimate to 0? Using the 1991 estimate of 22%, this would come to an error of 0.66. I am very suspicious of 2 applications-per-system estimates that come out even integers, if that's the actual number and it wasn't just rounded for reporting. ------------------------------ Date: 04 Feb 93 18:28:52 EST From: Gordon Meyer <72307.1502@COMPUSERVE.COM> Subject: File 2--Cu News: Pirate Amnesty, Toll Fraud Decline, etc Computer Associates, based in Islandia, NY, estimates there are 150,000 illegal copies of its CPA-BPI II accounting software in use. In an attempt to legitimize these users they are offering a $209. upgrade to a full, and legal, package. CA's director of financial products, David Duplisea, is quoted as saying "You can't stop people from doing something like this {pirating software} unless you provide them with a reason not to do it. The responsible approach is to provide a better alternative to piracy." {Moderators Note - If just 1200 people take them up on this offer, or less than 10 percent of the estimated illegal users, it will result in a quarter million dollars in revenue.} (Information Week. Jan 11, 1993 page 14) +++++++++++++ Toll Fraud Declines Every major long distance carrier is reporting a decrease in toll fraud losses in 1992, as compared to 1991. Sprint says fraud against business customers has fallen 96%. AT&T reports only 1/8 the number of toll fraud incidents it had previously, and MCI echoes they too are seeing fewer reported cases. (Information Week. Jan 25, 1993 page 16) +++++++++++++ Hacking the Internet By using a dormant account at the University of California Davis, over 100 hackers from all over the world were able to "raid" systems belonging to NASA, CIA, and DoD contractors. John Crowell, manager of workstation support at UC Davis, says no arrests have been made pending a formal investigation. The hackers were detected in October of 1992, and range in age from 12 to 22 years of age. {Moderators' Note: The news blurb does not indicate how details about the suspects are known without the benefit of a formal investigation.} (Information Week Feb 1, 1993 pg. 16) +++++++++++++ The New York Times (Jan 26, 1993 pg B1) features an article on an undercover agent working with authorities in 28 states. See "Going Undercover In The Computer Underworld" by Ralph Blumenthal for details. ------------------------------ Date: Wed, 3 Feb 1993 23:22:02 GMT From: mnemonic@eff.org (Mike Godwin) Subject: File 3--Re: EFF in Time's Cyberpunk Article ((MODERATORS' COMMENT: The following was written to TIME magazine in response to their cover story on Cyberpunk (8 Feb., '93) that, in a sidebar, identified the EFF as being a "group that defends exploratory hacking)). February 3, 1993 TIME Magazine Letters Time & Life Building 7 Rockefeller Center New York, NY 10020 Fax number: 212-522-0601 In his sidebar to your cover story on the cyberpunk phenomenon ["Surfing Off The Edge," Feb. 8], Richard Behar quotes me accurately, but he grossly misrepresents my organization, the Electronic Frontier Foundation, as "a group that defends exploratory hacking." In fact, we have always condemned even nonmalicious computer intrusion as ethically unacceptable, and we have always insisted that such intrusion should be illegal. What makes Behar's comment particularly odd is the fact that, just two weeks before this story, TIME correctly identified EFF as "a not-for-profit group devoted to protecting the civil liberties of people using electronic networks." ["Who's Reading Your Screen?" Jan. 18.] Even the most minimal research on TIME's part would have shown that we're no hacker defense fund; our efforts range from supporting appropriate computer-crime legislation to promoting the growth of, and public access to, our nation's emerging information infrastructure--including what Vice President Al Gore has called "high-speed data highways." Occasionally our civil-liberties mission requires us to be involved in computer-crime cases, much as the ACLU may involve itself in other kinds of criminal cases. But it's inexcusable of TIME to mischaracterize our organization's efforts to protect defendants' rights as a defense of computer crime itself. Your magazine seems to have forgotten that it is perfectly possible to oppose computer crime at the same time one supports civil liberties--as one of our founders, Mitchell Kapor, writes in the September 1991 issue of Scientific American, "It is certainly proper to hold hackers accountable for their offenses, but that accountability should never entail denying defendants the safeguards of the Bill of Rights, including the rights to free expression and association and to freedom from unreasonable searches and seizures." TIME's misrepresentation of EFF in Behar's article is likely to damage both our reputation and our effectiveness. TIME owes EFF an apology and its readers a correction. Mike Godwin Work: 617-864-0665 Legal Services Counsel Electronic Frontier Foundation Cambridge, Massachusetts ------------------------------ Date: Wed, 17 Feb 92 18:11:22 CST From: Jim Thomas Subject: File 4--Behar's Response to Godwin Mike Godwin's response to Richard Behar refers to a single, but damaging, sentence in the TIME (8 Feb, '93) Cyberpunk article in which Behar writes: "Being arrogant and obnoxious is not a crime," argues attorney Michael Godwin of the Electronic Frontier Foundation, a group that defends exploratory hacking (p. 65). Even those minimally familiar with EFF's position know that EFF has never defended computer intrusion, and there is sufficient evidence from EFF personnel and the texts of EFFector, among other sources, that Behar's claim signifies another example incompetent journalism. It is one thing to distort a position. It is another to create a position contrary to what a subject holds. How does Behar respond when alerted to his error? Richard Behar responded to Mike Godwin's letter in the most curious way. We reprint it below. Although we agree with those who argue that public postings of private communications generally violate courtesy norms, we make an exception in this case for several reasons. First, because Behar made a demonstrably inaccurate and damaging claim against EFF, his response is relevant to placing Behar's offensive claims in context. Second, Behar's claim reflects insights into an individual reporter's mindset, and as suggested by the commets below, this mindset can reflect an abysmal disregard of facts. Third, Behar's response suggests a self-serving rationale and an unwillingness to assume responsibility for irresponsible reporting. Finally, as an issue of fairness, reprinting Behar's letter avoids any possibility of misrepresentation of a summarized condensation. +++++ February 8, 1993 Mr. Michael Godwin Electronic Frontier Foundation 155 Second Street Cambridge, MA 02141 Dear Michael: After our conversation last week, I went back and reviewed the notes of our initial interview, as well as other materials in my file. I also gave the subject of EFF a great deal of thought and came away with the conclusion that you are trying to have it both ways. For example, Mitch Kapor has stated that while it's proper to hold hackers accountable for their offenses, we should view exploratory hacking as something akin to "non-criminal trespass." To me, this is not a sanction or a blessing, but it certainly barks and quacks and smells like a defense. Michael, you admitted that EFF has worked closely with hacker defense lawyers, although "not publicly." Well, could the reason for the secretiveness be that EFF is, as you put it, "an inch away" from gaining credibility on Capitol Hill as a mainstream group? You referred to the MODsters as "kids" whose alleged crimes are "pretty innocuous" (with the exception of the TRW and Learning Link incidents). You stated that one way America deals with its fears about computer power is to "attack post-adolescent computer explorers and paint them as thugs." If this doesn't amount to a defense of hackers, I don't know what does. In closing, if there is any murkiness about the work of EFF, let me suggest that the organization itself -- and not the press --is the source of the murk. Sincerely yours, Richard Behar cc/Mitch Kapor ++++ As others have pointed out, Behar's defense of his inaccuracy draws from a conversation with Mike Godwin *after* the article was printed. Behar never alludes to any evidence in his possession prior to writing the article, but skirts the issue by alluding to the conversation with Godwin *after* publication. Behar appears to have written his commentary without possession of facts. Behar also accuses EFF of "wanting it both ways" because Mitch Kapor is uncomfortable with criminalizing generally juvenile exploration. Behar glibly asserts that "if it quacks like a duck...." it must be a defense. Can Behar not recognize that one can oppose computer trespass, as EFF's public statements have consistently done, and oppose draconian criminal sanctions, as EFF's public statements have consistently done, without advocacy? Does Behar not recognize that there is a long, visible, and explicit public record of EFF statements that explicitly disavow "exploratory hacking?" Does Behar not recognize that to oppose criminalization of some behaviors hardly means that one necessarily defends those behaviors? Behar suggests that EFF is disingenuous in its view of hackers because it is trying to establish credibility on "Capitol Hill" as a "mainstream group." Behar's evidence for this, according to his letter, is Godwin's claim that EFF has worked "not publicly" with defense lawyers. Using this logic, would Behar also claim that any attorney who gave advice to a defense team defending a murderer or an arsonist is therefore defending murder or arson? Is objection to law enforcement depiction of "hackers" as demons and threats to national security, as has demonstrably occured in the PHRACK trial (and others) tantamount to defending computer intrusion? If so, then paralogia must be a virtue for TIME reporters. Behar concludes with the claim that EFF, not he, is at fault for distorting EFF's position on "hackers." Despite ample and easily accessible evidence to the contrary, Behar just doesn't seem to understand that maybe he didn't get it right. Behar simply didn't do his homework. He was wrong. Flat out wrong. Worse, rather than apologize, his letter suggests he is blaming is victim for his own incompetency. Neither his article nor his letter produces any factual justification, and his attempt to rationalize an egregious error by adducing post-publication information (which is neither substantive nor convincing) resembles the defense of someone caught red-handed with their hand in the cookie jar. Behar's reporting and his subsequent response severely damage the credibility of TIME. ------------------------------ Date: Thu, 11 Feb 93 20:17 EST From: "Michael E. Marotta" Subject: File 5--Censorship in Cyberspace Excerpts from "Censorship in Cyberspace" (c) 1993 by Michael E. Marotta the complete text (2000 words) appears in the ($5) 1993 Retail Catalog of Loompanics, P. O. Box 1197, Port Townsend, WA 98368. Founded in 1974, Loompanics, publishers of unusual books, features about 300 titles on privacy, underground income, self-defense, etc. +++++ As Ayn Rand noted, when people abandon money, their only alternative when dealing with each other is to use guns. Yet, the anti-capitalist mentality permeates cyberspace. Most public systems and networks actually forbid commercial messages. So, computer sysops and network moderators are reduced to cavalier enforcement of their personal quirks. When Tom Jennings created Fidonet, Omni magazine called him an "online anarchist." Since then, Fidonet has developed a governing council and lost Jennings. Over the last two years, I have been banished from these Fidonet echoes: * Stock Market for saying that Ivan Boesky is a political prisoner * Virus for saying that viruses could be useful * Communications for saying that telephone service should not be regulated by the government * International Chat for asking "How are you" in Hebrew and Japanese. Kennita Watson, whom I met on Libernet, told me this story: When I was at Pyramid, I came in one day and "fortune" had been disabled. I complained to Operations, and ended up in a personal meeting with the manager. He showed me a letter from the NAACP written to Pyramid threatening to sue if they didn't stop selling racist material on their machines. They cited a black woman who had found the "...there were those whose skins were black... and their portion was niggardly.... 'Let my people go to the front of the bus'..." fortune, and complained to the NAACP. I suspect that she (and the NAACP) were clueless as to the meaning of the term "niggardly". I (as a black woman) was embarrassed and outraged. Because of the stupidity of a bunch of paranoid people, I couldn't read my fortune when I logged out any more. " It is important to bear in mind that to the censor, censorship, like all evils, is always an unpleasant but necessary means to achieve a good result. Robert Warren is a sysop who replied to an article of mine on Computer Underground Digest. He said: ... People have a right to say what they want in public, but some don't care about the responsibility that comes with it. So you zap 'em." Now, there is no argument with his basic premise: Since he owns the equipment, he has the final say in its use. This is his right. Likewise, the administrators of publicly-funded university computers also engage in censorship under a mandate to serve the people who pay taxes. "All power tends to corrupt and absolute power corrupts absolutely," the historian John E. E. Acton said. It is no surprise that this applies in cyberspace. Political and social freedom have little to do with constitutions or elections. Congress could choose a new prime minister every day or the people could elect the secretary of state to a three year term. The details are unimportant. Some places are free and some places are controlled because the people in those places need freedom or accept oppression. It always comes back to the individual. Dehnbase Emerald BBS is home to libertarian and objectivist discussions and is a vital link in Libernet. The number is (303) 972-6575. Joseph Dehn is not interested in enforcing rules. Albert Gore and George Bush agreed on the need for a "data superhighway." The Electronic Frontier Foundation has recommended that this national network be open to commercial enterprises. This is good. An open market is the best protection against power and corruption. ------------------------------ Date: Sat, 6 Feb 93 09:28:01 PST From: anonymous@by.request.com Subject: File 6--Undercover Rambos?? (NYT Story on "Hakr Trakr") >From the New York Times, Tues. Jan 26 (A-20 of the Midwest Edition) comes a piece by Ralph Blumenthal: "Officers Go Undercover to Battle Computer Underworld." The piece begins: >NEW YORK, Jan. 25 -- He patrols the back alleys of cyberspace at >the edge of the electronic frontier. Traveling on eams of >electrons, he is invisible, formless--the ultimate undercover >agent. > >He's "Phrakr Trakr" of the Hi-Tech Crime Network. But don't look >for him in comic books or the video store. He's real. The piece continues by explaining that his takes in "the thousands" of BBSes that are generally law-abiding but "increasingly....have become underground marketplaces for stolen telephone access codes and credit card numbers, along with child pornography and other contraband." The agent's network, says the piece, spans 28 states and he puts out a newsletter called "FBI" (for "Find um, Bust um, Incarcerate um." In June, he uploaded a taunt on BBSes from a Police song: Every move you make, Every brath you take, We'll be watching you. His goal, according to the article, was to sow "anarchy, chaos, mistrust and fear" in the "phracker community." The article indicates that the agent has spent around $4,000 of his on money on computer equipment and telephone bills. >Though his investigations have yet to yield arrests, he said >he is studying nilne boards and building cases with officers >in three other states. The agent is reported as claiming that PERHAPS 10 PERCENT OF THE NATION'S ESTIMATED 30,000 ELECTRONIC BULLETIN BOARDS TRAFFIC IN STOLEN INFORMATION, CHILD PORNOGRAPHY, POISON RECIPES, AND BOMB-MAKING INSTRUCTIONS. >To get onto a bulletin board, a computer users needs only a >communications program like Crosstalk and a modem that will send >and receive signals over a phone line.... >But so-called underground boards offering illicit services >require secret passwords, usually granted only to those who >attend face-to-face meetings intended to weed out the police..... The article reports that the officer used a software program on an IBM clone and a modem to get on a board. >He did this byusing false identification and access >passwords he had acquired by satisfying a series of questions >testing is authenticity. >He was scanning the messages when the systems operator who >policed the board broke in: "What's up need any help?" > >"Yo dude," he typed out, "looking fer AT&Ts got any?" > >The operator provided the handle, or nickname, of someone who >might have credit-card calling numbers. > >Phrakr Trakr left a message for hilm and addressed the operator. >"thanks for the codez," he typed, ading: "You only one getting >any." A cop copping an attitude like 12 year old kids usually winds up chasing 12 year old kids. Here's one cop who sounds like he needs a long vacation, a stint in Kevin Mitnick's Hacker's Anonymous spa, or a strong does of reality pills. We have a Barney Fife with an identity crisis and too much free time on his hands. We have another clueless reporter who doesn't know what questions to ask or what's important to report. We have another plot and superhero for a resurrected "phrakr trakr chronicles." Mostly, we have another example of why the media needs remedial education on cyberspace issues. It's up-hill all the way, ain't it??? ------------------------------ Date: Mon, 15 Feb 93 17:23:33 EST From: Cal Subject: File 7--Social Engineering (Re: CuD #.13) In reading again in CuD 5.13 of the exploits of Mitnick and DiCiccio described as social engineering I was reminded of an earlier generation of confidence men described in some books published perhaps fifty years ago. The only one that comes immediately to mind describes the exploits of Yellow Kid Weil in operating both what they called the "Big Store" or short cons. The Pigeon Drop is the classic short con that can be worked on a street corner by two knowledgeable cons (not always men; women are good at the scam). We have a woman in our neighborhood who comes around with a "tale" about being a neighbor (often using a real neighbor's name) who needs $9.75 for asthma medicine for her sick child. She promises to return the money when her husband comes home. People are being taken by this probable sounding tale; if you ask to see the child there is one in a stroller on the sidewalk. I was reminded further of a twelve year old of my acquaintance whose voice had changed early who called a small town bank and told them that he was laid up and would be sending his son down with a check that he needed to cash. Unfortunately for the boy his handwriting hadn't kept up with his voice and sophistication on the phone. If he had been able to write just a bit less like a child the bank would likely have cashed the check. I don't know how much direct relevance any of this has to do with computer security; just thought it might be useful to place the whole matter in a larger context. ------------------------------ Date: Thu, 11 Feb 93 20:20 EST From: "Michael E. Marotta" Subject: File 8--Cybersmut is Good GRID News. February 10, 1993. ISSN 1054-9315. vol 4 nu 1. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ (57 lines) "Cybersmut is Good" by Michael E. Marotta The 1993 Retail Catalog of Loompanics Unlimited is available for $5 from Loompanics, P.O. Box 1197, Port Townsend, WA 98368. Loompanics, sellers of unusual books since 1974, offers about 300 titles on alternative ID, weaponry, warfare, healthcare, etc. The catalog also features original essays and fiction, including my article on "Censorship in Cyberspace" and Butler Schaffer's "The Anti-Sex League: The New Ruling Class." Schaffer's thesis is that sex is a profoundly personal pleasure and would-be rulers can't stand that. Schaffer's argumentation is closely-reasoned and draws from broad sources. Anyone who values their personal liberty will profit from reading this essay. Ayn Rand noted that when you compromise with someone who won't compromise, they win and you lose. Here in cyberspace, we have devoted gigabytes of storage to denouncing the Secret Service for raiding Steve Jackson or for persecuting so-called "hackers" and so on. Yet, time and again, we also allocate storage to the idea that sexual material is evil. "Children should not access adult GIFs." If you accept that premise, there is no way to reasonably draw the line. On Michigan Echo, libertarians and conservatives are in the majority and disrespect for "poli-crooks and congress-critters" is the norm. Isn't this DISRESPECT FOR AUTHORITY also DAMAGING TO YOUNG MINDS? Should children be allowed to access adult politics? Once you make exceptions to freedom, the list grows to include everyone. Now, you may say that you don't want YOUR CHILDREN accessing adult GIFs. That is your choice, to be handled in your home, just as you might insist that your children dry the dishes to earn their allowance as means of building character. You can't reasonably insist that no BBS carry information about other children who get their allowance without working for it. Likewise, you can be embarrassed by sex. That is your right. You have no right to demand that other people be equally embarrassed. If you allow in your mind that the police have the right to stop BBSes from providing sexually explicit material, where do you draw the line? If you stop pictures, can you also stop text? Anyone who fears sexually-explicit reading material had better avoid the writings of Solomon. Without sex, there is no life at the human scale. In fact, without sex, life might not have evolved past the single cell. Those who hate and fear sex, actually hate and fear life. The atrocities we witness on the news are not committed by self-indulgent hedonists. Cybersmut, adult GIFs, sexually explicit material, is good. You may not agree. You have no right to stop those who do. (GRID News is FREQable from 1:159/450, the Beam Rider BBS) ------------------------------ Date: Thu, 4 Feb 93 14:05:08 PST From: jwarren@AUTODESK.COM(Jim Warren) Subject: File 9--Suggestions For a Hi-tech Crime-investigators' Seminar? I have been invited to give (or organize) a 4-hour seminar presenting civil liberties perspectives and concerns to a group of 40-60 high-tech criminal investigators on the first day of the HTCIA Northern California 3-day workshop in April (High Tech Criminal Investigators Association). They are expecting attendees from Nor Cal and from beyond. My understanding is that most of the members are sworn peace officers who are specializing in investigating high-tech crime; a minority are corporate and agency computer security officers. Most will attend the seminar (only one seminar per time-period). I see it as an *outstanding* opportunity to (a) open [more] communication channels between in-the-trenches law enforcement officials and civlibbies, (b) learn more of their concerns and problems, (c) enhance the chances of additional similar and expanded exchanges at future law-enforcement meetings through *nonconfrontational*, well-informed, candid discourse, and (d) better inform law enforcement folks of the complexities, styles and trade-offs in "cyberspace," and their ramifications for law enforcement's legitimate and significant concerns. [And -- heh! -- it will give "them" a chance to harangue "us" civlib types; equitable role-reversal for those cops who have entered the lion's den by attending any of the Computers, Freedom & Privacy conferences of the last several years.] I have invited an attorney who is specializing in these issues to join me in organizing and presenting this seminar, and am in hopes that her organization will support her participation. She has been closely monitoring related legislation in Washington, DC, and has also been directly involved in a major computer-search case currently being litigated in Texas. Query/request: I have a number of ideas for topics and perspectives to present/cover, and have several documents I plan to provide as handouts. But, I am very-much interested in receiving suggestions and/or papers/handouts that might be appropriate for presentation/distribution at a regional meeting of high tech criminal investigators [long on meat; short on emotion and opinion, please]. Please forward comments, suggestions and copies (ideally e-copies for reformatting and printing in a combined handout, including a note permitting reproduction for this purpose). [Confidentiality of sources and suggesters will be protected, upon request.] --jim [forward or post elsewhere, as desired] Jim Warren, 345 Swett Rd., Woodside CA 94062; 415-851-7075 jwarren@well.sf.ca.us -or- jwarren@autodesk.com [for identification purposes only: founder and Chair, 1991 First Conference on Computers, Freedom & Privacy; a recipient, 1992 Electronic Frontier Foundation Pioneer Awards; "futures" columnist, MicroTimes; member, Autodesk Bd.of Dirs.] ------------------------------ Date: Tue, 16 Feb 1993 23:58:42 -0700 From: martin@CS.UALBERTA.CA(Tim Martin; FSO; Soil Sciences) Subject: File 10--Re: Unemployed Programmers Turning Talents to Evil (#5.13) Anyone who has been following the comp.virus (VIRUS-L) network news group over the past two years will recognize that Mungo and Clough's article on East-European computer virus writers, in the February issue of Discover, is shamefully out of date. I was quite surprised to see it's most obvious errors summarized in comp.society.cu-digest, as if they were both true and news. Gordon Meyer (tk0jut2@mvs.cso.niu.edu) writes: > Computer hackers in former communist countries are creating > mischievous and sometimes costly viruses that threaten computers > around the world. > .... > Investigators say Bulgaria is the source of more than 200 viruses > that threaten Western computers > .... > The Bulgarian virus industry developed, Pierce says, because > programmers there have a lot of knowledge and skill but no market > for their services in the economically depressed country. These ideas were published by Vesselin Bontchev about two years ago, His paper on "The Bulgarian Virus Factory" is available from many ftp servers, and has been for some time. Bulgaria has not been a significant source of viruses in over half a year, as far as I know. I'm sure Vesselin will correct me if I am wrong. > Paul Mungo and Bryan Clough, in the February issue of Discover > magazine, say an unidentified East Coast company lost $1 million > because of a virus created by a Bulgarian known as the Dark Avenger. > > The article, excerpted from an upcoming book, describes the > electronic exploits of the Avenger, whose work is known to Western > police agencies. > > The authors call 1 of his latest creations, Mutating Engine, "the > most dangerous virus ever" because it can disguise itself 4 billion > ways and has no constant characteristic that would let anti-virus > scanners detect it. The Mutating Engine (MtE) is a year old now, has been thoroughly analyzed by virus experts, and discussed almost ad-nauseam on the comp.virus newsgroup. The MtE is not a virus at all, but a subroutine that can be linked to a virus to make the virus polymorphic. While it cannot be detected by scan strings, algorithmic methods can detect all viruses that use the MtE. Most anti-virus software packages worth consideration have been able to detect MtE-based viruses for some months. Few virus writers are using it. In part this might be because it takes a skilled programmer to use, and partially because it is so readily detected by modern scanners. Four concerns have superceded the MtE, in DOS anti-virus circles. One is the emergence of MtE clones, such as the TridenT Polymorphic Engine (TPE), by one who calls himself Masud Khafir. Here the concern is that it takes several months to develop effective algorithmic analysis techniques to identify each new polymorphic engine. Second is the emergence of "User-friendly" virus development environments. The Virus Creation Laboratory, by Nowhere Man, of [NuKE] WaReZ, is a menu-driven virus-writing environment that requires no virus writing ability on the part of the user. Fortunately it doesn't work. But the more recent PS-MPC, from the Phalcon/Skism virus writing club, is only slightly less user-friendly, but much more effective. Third, several months ago the Dark Avenger released the bomber virus, which demonstrates that a single virus might be distributed randomly throughout an infected program, rather than prepended or appended to it. This means that scanners must scan the entire program, to look for the characteristic virus code. The fourth major problem is the overwhelming number of new viruses discovered, dozens per week, written by dark-avenger-wannabes. Almost all of these are trivial modifications of already existant viruses, but for each one, authors of virus scanning software must disassemble the code to find an effective scan string. These problems have led most researchers to the conclusion that, for DOS computers at least, a scanner-based defense is rapidly becoming unmanageable. Unfortunately it is still the most popular form of defense. > Little is known of the Avenger, the authors say, except that he > probably graduated from Sofia University in math or science, needs > money and is infatuated with Diana, princess of Wales, whose name > pops up in some of his viruses. Interviews with the Dark Avenger, by Sara Gordon, are currently being published in Virus News International, and have been the topic of much discussion over the past month, in the newsgroup alt.security. A lot is known about the man, including the fact that the Diana P. he is (or was once) somewhat taken by is not the Princess of Wales. > Mungo and Clough chronicle the Dark Avenger's appearances on > international computer bulletin boards. One Bulgarian-based > board, they say, has been set up just to exchange viruses. The Bulgarian-based Virus-Exchange BBS has been out of operation for over a year. Today the most active virus exchange Bulletin Boards are in The United States, Canada, and throughout the Western World. They are interconnected through what Sara Gordon has called the vXnet, a FidoNet-like virus exchange system. > Pierce says most viruses written in Bulgaria and Russia are not > actually "out in the wild," where they can get into foreign > computers. Most of them are on the above mentioned electronic bulletin boards. This means these viruses can show up in the wild anywhere in the world, at any time. It is understandable that a book might be one to two years out of date, by the time it is published, but I would have thought Discover Magazine could do better. I know comp.society.cu-digest can. ------------------------------ End of Computer Underground Digest #5.14 ************************************