Computer underground Digest Tue Aug 24 1993 Volume 5 : Issue 65 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Copy Ediot: Etaoin Shrdlu, III CONTENTS, #5.65 (Aug 24 1993) File 1--Report on Summer Hack-Tic Conference in the Netherlands File 2--Another View of the Hack-tic '93 Conference File 3--Computer Culture and Media Images File 4--Media Images of Cu Digest - CuD Response to SunWorld File 5--CORRECTION on Graduate Paper Competition for CFP-'94 Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG WHQ) (203) 832-8441 NUP:Conspiracy; RIPCO BBS (312) 528-5020 CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893; In ITALY: Bits against the Empire BBS: +39-461-980493 ANONYMOUS FTP SITES: UNITED STATES: ftp.eff.org (192.88.144.4) in /pub/cud etext.archive.umich.edu (141.211.164.18) in /pub/CuD/cud halcyon.com( 202.135.191.2) in /pub/mirror/cud aql.gatech.edu (128.61.10.53) in /pub/eff/cud AUSTRALIA: ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD. EUROPE: nic.funet.fi in pub/doc/cud. (Finland) ftp.warwick.ac.uk in pub/cud (United Kingdom) COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Wed, Aug 11, '93 04:28:01 PDT From: Robert David Steele Subject: File 1--Report on Summer Hack-Tic Conference in the Netherlands ((MODERATORS' NOTE: Newsweek (July 26, 1993: 58) billed the Hack-tic conference in Lelystad, the Netherlands, on August 3-6 as "Woodstock for the Nintendo generation." There's no guarantee of a large turn-out, but if thousands show up, it may help demonstrate just how far hacking has moved out of the bedrooms of smelly adolescents. If so, there's likely to be less geeking and more dancing in the Dutch summer night. Programmers may one day be able to lean back from their terminals, pat their pocket protectors and say, "I was there." The following two reports by attendees Robert D. Steeler and Emmanuel Goldstein, editor of 2600 Maazine, $suggest that the techno-phreak gathering was a success)). ++++ Here is a brief report (on the Hack-tic conference: Roughly 150 people endured the rigors of camping out in a damp environment with no showers and minimal toilet facilities. The food provided and cooked by volunteers was wholesome but plain (lots of rice and beans). The Hack-tic organizers did a great job of setting up a main tent and two smaller workshop tents, as well as a full local net (which may not have hooked up to INTERNET as intended). Some sexy products and literature, but on the whole it was a mind-link event. (I had bronchitis and stayed in a local hotel on advice of doctor, so I missed most of the late night workshops. Here are a few highlights, mostly an outline of what took place with some follow-up contacts and one or two editorial comments: "Networking for the Masses". Main tent, 75 or so in audience. Talked about obstacles to free flow of information, main being that "the masses" aren't even close to understanding the technologies and the obscure mediocre user interfaces and complex unintegratable applications. For more info: ted@nluug.nl (Ted Lindgreen, Manager of nlnet) peter@hacktic.nl (Peter von der Pouw Kraan, involved in squat movement newsletters Blurf and NN) maja@agenda.hacktic.nl (Maja van der Velden, Agenda Foundation) nonsenso@utopia.hacktic.nl (Felipe Rodriguez from Hack-Tic Network which spun out of Dutch computer underground) zabkar@roana.hacktic.nl (Andre Blum, expert in wireless communications). A few others: "Phreaking the Phone" I missed this one, which was surely very interesting. Emmanuel can comment. For more info: bill@tech.hacktic.nl (Billsf, one of the world's best... "Hacking and the Law" Very important discussion of whether the laws are out-dated or retarded (to which I would also add my standard comment that law is not a good substitute for engineering oversights). More info: fridge@cri.hacktic.nl (Harry Onderwater, technical EDP auditor at Dutch National Criminal Intelligence Service) herschbe@dutiws.twi.tudelft.nl (Professor Bob Herschberg, lectures on computer insecurity and unprivacy) rgb@tracer.hacktic.nl (Ronald RGB O., the only Dutch hacker arrested both before and after new law in effect, self-taught writer and author for Hack-tic Magazine) andy@cccbln.ccc.de (andy Mueller-Maguhn, from German Chaos Computer Club) emmanuel@eff.org (our ((The Well's)) own) kaplan@bpa.arizona.edu (Ray Kaplan, computer security consultants, hosts "meet the enemy" sessions" rop@hacktic.nl (Rop Gonggrijp, was involved in some of the first computer break-ins om 80's, editor of Hacktic Magazine, and a VERY hard worker and leader of the team that put this conference together. I have guaranteed his expenses and am hosting his participation, and emmanuels, in my symposium in November whose secret title is "hacking the intelligence community". A number of technical workshops, modest participation. The most impressive workshop, which drew a lot of people and had continuous spin-off conversations the next day, was led by David Chaum of DigiCash, address Kruislaan 419, 1098 VA Amsterdam, The Netherlands, phone +31 20 665-2611 fax +31 20 668-5486 email david@digicash.nl. This guy, either English or England trained, is a heavy duty dude who appears to be on the bleeding edge (actually he's holding the knife) in the areas of smart cash, undeniable signatures, untraceable electronic mail, zero-knowledge signatures and zero information circuits, privacy protected payments, and so on. I was very impressed.--not my thing, but a class act. My next (separate response) contains my outline for the workshop, "Hacking the Intelligence Community: Increasing Citizens' Access to Intelligence in the Age of Information Warfare". ++++++++++++++++++++++++ Outline of Hack-tic Workshop 6 August, Holland "Hacking the Intelligence Community: Increasing Citizens' Access to Intelligence in the Age of Information Warfare" - What IS intelligence? Data, Info, Intel - Why Hack the Intelligence Community? - Age of Info, InfoWar, InfoEcon - Empower CITIZENS, the "troops" - Move $1-5 billion from U.S. Intel Budget (per year, there is a draft bill I wrote circulating for comment, to create a National Knowledge Foundation) - Salute to Hackers--The Trail Blazers - Mile in My Shoes - Intel Experience -$10M mistake (USMC Intel Ctr built Top Secret system to get into CIA data, etc., only to find database empty of useful Third World info--and the system isn't allowed to go into open source databases by security regulations) - Explode the Myth of Intelligence - Collection failures (less than 10%) - Production failures (90% or more of what a policy maker reads/listens to is UNCLASSIFIED and UNANALYZED) - Production types & limits (too much, too late, too secret) Dinosaur/Cadilac Analogy (We've spent billions building a superhighway between Mosco and Washington, and a single Cadillac, when what we really need now is many many off-road vehicles--five jeeps, 100 motorcycles, 1000 bikes) - BENCHMARKING (Get consumers of intelligence to give same question to library as to intel--one general got an answer from library in 45 minutes and it was of course unclassified; intel community came back in two days, SAME answer, classified) - Power in the Age of Information - Information Continuum (K-12, univ, lib, businesses, private investigators-info brokers, media, government, defense-intel) - Barriers--Iron Curtains between sectors, Bamboo Curtains between institutions within sectors, plastic curtains between individuals within institutions. - Hackers helping poke holes in the curtains. INFORMATION COMMONS Need to break down curtains SHARED collection responsibilities DISTRIBUTED analysis & production Age of "central" intelligence is OVER!! Direct "mind-links" in real time between consumer w/question and expert w/answer Old linear paradigm dead (consumer to analyst to collector to source and back) New diamond paradigm (all four all ways) Must empower the citizen with intelligence -- as a voter -- as an investor -- as an entrepreneur -- as scientist -- as social thinker New Security Concepts: Focus on connectivity and speed, NOT on restricting dissem or even bothering to decrypt Need a NATIONAL KNOWLEDGE STRATEGY God Bless Al Gore BUT he is "all connectivity and no content" Need to free up unclassified information wrapped in the "cement overcoat" of peripheral classified information Need a national program to break down curtains and increase sharing of original unclassified source material Need a national cooperative R&D effort to avoid waste (I believe the intelligence community wastes $100 million a year at least, from having at least ten different "black" programs each trying to build the ultimate all source analysts workstation in isolation--and this is just one small example of waste from compartmentation) Intelligence for the Masses Lots of good Q&A. ------------------------------ Date: Wed, 11 Aug 1993 18:21:43 PDT From: Emmanuel Goldstein, 2600 Magazine Subject: File 2--Another View of the Hack-tic '93 Conference Actually, attendance was estimated by the organizers at around 1,000. It was bigger than the Galactic Hacker Party and, in my opinion, more interesting. Too bad so few Americans showed up - tons of media though. Some of the highlights for me: the "stone" keyboard - somebody set up a computer on the grass with a keyboard made of stones and, yes, it worked; the room filled with computers from all over the world tied into a giant ethernet and then further tied to all of the computers in tents on the field; the social engineering workshop where people from all corners of the globe shared stories; and the overall Woodstock atmosphere of the whole thing. It's incredible how you can just pull things like this off over there with a minimum of hassle. In the States there are literally dozens of reasons why such an event wouldn't work. Despite that, we're going to try to do something next summer for the tenth anniversary of 2600. We need two things: a warehouse and some network experts to be creative. Plus a whole lot of good karma. P.S. United States Customs took one look at my passport and pulled me aside yet again. The usual: bags searched, interrogation as to what kind of magazine I write for, and a 25 minute wait while they "check" my name. This has happened to me so many times now that I can hardly consider it coincidence anymore. It's pure harassment and it's garbage like this that makes it an embarrassment to be an American these days. I guess I can expect to disappear now having spoken against the state. ------------------------------ Date: 20 Aug 93 19:28:52 EDT From: george c smith <70743.1711@COMPUSERVE.COM> Subject: File 3--Computer Culture and Media Images Computer Culture and Media Images (By George C. Smith) "I've had enough of that crummy stuff. Crummy stuff, crummy stuff, crummy, crummy, crummy, crummy, crummy stuff." (from "Crummy Stuff," by The Ramones) After reviewing numerous stories on the computer underground dating back to 1990, Mike Liedtke's Contra Costa Times piece on the NIRVANAnet BBS's comes off as another example of the genre: paint-by-numbers journalism, so predictable it's a cliche. The locales shift, the names change, the breathless "maybe something shady's going on here" tone stays the same. Unfortunately, so does the expertise of the reporters. Seemingly locked into some kind of "computer neophyte from Hell" never-never land, there never seems to be a lack of writers who turn in stories which are painfully unsophisticated, sensational and . . . crummy. It's damnable, because the picture which emerges is one of mainstream journalists who ought to be starting to get the lay of the land, but aren't. By contrast, this lack of know-how hasn't stopped reporters, or even slowed them down, in generation of countless fluffy, trend stories on the information superhighway, this year's bright and shiny cliche. So, that the users of the NIRVANAnet systems think the news media arrogant is not a scream of wounded pride or the surprised squeak of slimy characters exposed when their rock is turned over. It's justified. Why? Take for example a news piece which appeared in 1990 in The Morning Call newspaper of Allentown, PA, a continent and three years away. The Call had discovered a now long gone "underground" bulletin board in nearby Easton, PA. I lived in the area at the time and Liedtke's Contra Costa Times piece was uncannily similar to the one Morning Call reporter Carol Cleaveland delivered for the Call's readership. The same ingredients were in the mix: a couple of textfiles on how to make bombs, a regional lawman explaining about how hard it is to nail people for computer crime and a tut-tutting sysop of another local "public domain" system acting as a tipster, warning concerned readers that he sure as Hell wouldn't want such a system in his backyard. Just like Liedtke's Contra Costa Times piece, there was not a shred of comment from the sysop whose system was being profiled. Nothing ever came of the nonsense. The system continued online for a couple of more years, no criminal charges were filed, and the local businesses appeared not to go up in flames at the hands of unknown hackers or bomb-throwing, masked anarchists. So, this was news? Now, fast forward to The New York Times on January 25 of this year. In an 'A' section article, reporter Ralph Blumenthal profiled "Phrakr Trakr," a federal undercover man keeping our electronic streets safe from cybernetic hoodlums too numerous to mention singly. A quick read shows the reporter another investigator from the mainstream who hadn't gotten anything from underground BBS's first-hand, relying instead on the Phrakr Trakr's tales of nameless computer criminals trafficking in "stolen information, poison recipes and _bomb-making_ [emphasis MINE] instructions." While not dwelling on or minimizing the issue of phone-related phraud and the abuse of credit card numbers on underground BBS's (which has been established), Blumenthal's continued attention to text files for "turning household chemicals into deadly poisons, [or] how to build an 'Assassin Box' to supposedly send a lethal surge through a telephone line" was more of the same. It was the kind of news which furthers the perception on the nets that reporters are rubes, reluctant to use their mental faculties to analyze material of dubious nature. Most anyone from teenagers to the college educated on-line seem to recognize text files on a BBS as usually menacingly written trivial crap or bowdlerized, error-filled reprints from engineering, biology and chemistry books. In either case, hardly noteworthy unless you're one who can't tell the difference between comic books and real news. So why can't we, make that why SHOULDN'T we, expect the same critical ability from mainstream journalists? Of course, we should. And it's not only the on-line community which is getting mugged. Just about every sentient, reading mammal in North America was fed a continuous line on the Michelangelo virus for the first three months of 1992 courtesy of the mainstream press. In the aftermath, the perception seeped in that inadvertently or not, most reporters had been played for suckers by software developers. However, there was no informed skepticism when it counted. Recall, newspapers around the country ran headlines warning of imminent disaster. "Thousands of PC's could crash Friday," said USA Today. "Deadly Virus Set to Wreak Havoc Tomorrow," said the Washington Post. "Paint It Scary," said the Los Angeles Times. Weeks after the grand viral no-show on March 6th, reporters still insisted the hysterical coverage prevented thousands of computers from losing data. John Schneidawind of USA Today claimed "everyone's PC's would have crashed" in interview for the American Journalism Review but was unable to provide any evidence to back it up. Even The San Jose Mercury News credited the publicity with saving the day. There was, however, little mention that corporate wallets were swollen with payouts from worried consumers or that most of the experts used as sources came from the same circle of businessmen benefiting from the panic. In the aftermath everyone blamed John McAfee, the nation's leading antiviral software manufacturer. After all, it was McAfee who told many reporters that as many as 5 million computers were at risk, wasn't it? However, a look back at some of his comments to American Journalism Review in May 1992 expands the limelight a little. "I told reporters all along that estimates ranged from 50,000 to 5 million," he said. "I said, '50,000 to 5 million, take your pick,' and they did." "I never contacted a single reporter, I never sent out a press release, I never wrote any articles," he continued. "I was just sitting here doing my job and people started calling." "Before the media starts to crucify the antivirus community," he continued, "they should look in the mirror and see how much [of the coverage] came from their desire to make it a good story. Not that I'm a press-basher." Why does this happen? What drives one of these "good stories"? John Schneidawind of USA Today, when interviewed shortly after Michelangelo said John McAfee was always available to explain things from the early days of the Silicon Valley. There was a sense, said Schneidawind, that "we owed him." That's even-handed reporting! Obviously, a great many news stories are hung on a sexy hook, too. Often this has little to do with reality. Put yourself in a reporter's shoes, fire-balling these leads past an editor. Techno-kids running amok in cyberspace, crashing the accounts of hapless businessmen, playing fast and loose with the law, fostering the dissolution of community in the suburbs! Or, computer virus plague set to incinerate data world wide! Or, government BBS flouts public interest, aids computer vandals in high-tech predation of nation's information superhighways! Whoosh! Bang! Who wouldn't bite? Now imagine trying to sell an on-going series dealing with the warp and weave of the networks, touching on everything from dating BBS's to encryption to virus distribution to electronic publishing, copyright law and free speech. Frequently, you'll need more than 40 column inches per topic to do it right. If you're a reporter you might hear these responses as reasons NOT to get into such a project. 1. We don't have the space. (There will, however, always be 40 inches of space for the latest equivalent of "Jurassic Park.") 2. We can get that off the wire. We can't afford to get involved in specialty journalism. 3. No more long stories - our readership won't follow them. (Policy at USA Today.) 4. No one is interested in computers. (Believe it or not, this was a popular one in 1992 at The Morning Call in Allentown, PA.) 5. I don't understand all that, our readers won't either. 6. Where's the hook? So, proactive news stories, particularly on computers, are a hard sell many reporters aren't up to. Conversely, most have no trouble selling what Carl Jensen, journalism prof at Sonoma State in California, calls "junk food news." Junk food news is, he writes, "sensationalized, personalized, homogenized trivia . . . generic to [some] of the following categories: Madonna's latest sexscapades . . . the newest diet craze, fashion craze, dance craze, sports craze, video game craze . . . the routine freeway pile-up . . . the torrents of rhetoric pouring from the mouths of candidates, pledging to solve unemployment, reduce the deficit, lower prices, [and] defy foreign invaders . . ." Junk food news soaks up a lot of effort on the part of reporters. And there is no shortage of junk food computer news, either. Take, for instance, almost anything using the word "cyber." The August 15th issue of The L.A. Times Sunday Magazine devoted three-quarters of a page to "Hack Attack - Cybersex." "Cybersex," in the finest gosh-oh-jeekers style, went on about yet another budding entrepreneur who's puzzled out there's a market in putting $70 worth of sex animation on CD-ROM. Only such a junk food news piece _could_ close with a quote from the businessman so ludicrous it would be laughed off the table in any self-respecting barroom. "This is a powerful medium," said the computer sex movie-maker. "The potential is there for people prone to become alienated to become alienated. But we also envision virtual reality sex as a vehicle for people to interact with others in a way they might not feel comfortable in reality." The week before, the same magazine ran a story on cyberpunk Billy Idol and how callers to The Well were dissing him for being a phony. That's news! Other computer junk food news stories include, but are by no means limited to: --Just about anything on Jaron Lanier and data gloves. --Tittering, voyeuristic "human interest" pieces on local lonely-hearts BBS's that DON'T mention that 50 percent of the data storage is devoted to color photos of hideously obese men and women screwing, young models licking each other's private parts and other similar stuff which, if warehoused as magazines in a windowless, beige-colored building on the publisher's block, would be the target of a picketing team from the metro section of the same newspaper. --Flogging the latest Steven Spielberg project which involves using 50-gazillion megabytes of computer power and more cash than the gross national product of the Ukraine to make a TV show on some kind of virtual reality living submarine with tentacular arms and talking porpoise sidekicks. --Anything on the information superhighway with the usual pro forma hey-even-I-could-think-of-that quotes from Ed Markey and Mitch Kapor. --Gadget stories - actually, unpaid advertisements - on the newest computer-chip controlled stun gun, the newest computer-driven home studio, the newest useless morphing software for amusing and cowing your friends, the newest wallet-sized computer which doesn't exist, the newest whatever-press-release-selling-it-came-in -through-the-fax-machine-today device. Ah, but these are easy shots to take, being mostly the handiwork of features and entertainment reporters, long regarded as the soft white underbelly of the news media. What about front page news? Take a look back at Joel Garreau's Washington Post expose of Kim Clancy and the AIS system. It's reliance on the usual he said/she said reporting resulted in the trotting out of source Paul Ferguson who was able to pose as two people at once. This, perhaps, would not have happened had Garreau been more familiar with the complexities of computer security. As it was, the pursuit of the news from a human interest angle resulted in a set-up, or "official scandal" as its called by Martin Lee and Norman Solomon in a devastating criticism of journalistic methods, "Unreliable Sources: A Guide To Detecting Bias in Newsmedia" (1990, Lyle Stuart). According to Lee and Solomon, "official" scandals as reported by the press, have certain hallmarks. 1. "The 'scandal' [came] to light much later than it could have." So it was with AIS: The hacker files were removed from the BBS weeks before the story was retold by The Washington Post. 2. "The focus is on scapegoats, fallguys, as though remedial action amounts to handing the public a few heads on a platter." Kim Clancy, the administrator of AIS, was the fallguy, er, fall-lady, here. 3. "Damage control keeps the media barking but at bay. The press is so busy chewing on scraps near the outer perimeter that it stays away from the chicken house." While the news media was chewing on AIS, it neglected to discover Paul Ferguson doing double-duty, anti-virus researchers helping themselves to dangerous code on AIS while complaining about it to others, and the ugly truth that much of the virus code and live viruses on amateur BBS's throughout the U.S. can be traced to AIS's opponents, a few of the same complaining researchers. 4. "Sources on the inside supply tidbits of information to steer reporters in certain directions -- and away from others." 5. "The spotlight is on outraged officials." In this case, "anonymous", Paul Ferguson, Ed Markey, etc., -- asking tough, but not TOO tough, questions. Because it ran in The Washington Post, Garreau's story immediately touched off a wave of pack journalism. The Associated Press digested all the wrong, flashy aspects of Garreau's work. Specialty publications catering to corporate computer users published weird, warped tales on AIS, culminating in Laura Didio's August 9th feature in LAN Times which called Computer underground Digest "a BBS" and had the ubiquitous Ed Markey claiming that the AIS system had infected itself with a virus, a serious falsehood. This from a reporter, no, make that a _bureau chief_, who works for a computer publication! So if the NIRVANAnet BBS operators are angry with Mike Liedtke for blind-siding them in the pages of The Contra Costa Times, good for them. If they think mainstream journalists have been doing a rotten job on computer stories, they have the ammunition to prove it. It is right for them to expect more from journalists than the passing on of whatever received wisdom is currently circulating about the computer underground. It's perfectly legitimate to expect more from reporters than junk food computer news or dressed-up press releases. They're right if they think they're being patronized by news organizations which assign reporters who don't know what a modem is, have only been Prodigy members or who believe that being a "people" person is sufficient qualification to report in this beat. Good journalists are obliged to be responsive and receptive to the beats and communities they cover. So it should be with the computer underground. It is not considered cool to use ignorance or inexperience as an excuse for slipshod work, to take the path of least resistance, to rely only upon sources who are mainstream professional acquaintances or whose names are right near the telephone. Those who think otherwise are jerks. ------------------------------ Date: Tue, 17 Aug 1993 13:39:27 CDT From: CuD Moderators Subject: File 4--Media Images of Cu Digest - CuD Response to SunWorld ((MODERATORS' NOTE: Media misrepresentations directly affect CuD. We are periodically depicted as a "BBS" or a "system." When a reporter from New Jersey writing on computer crime called me in early August, I found it impossible to explain an electronic journal to her--incredibly, she not only did NOT know about Internet or BBSes, but DID NOT KNOW WHAT A MODEM WAS! The problem grows more serious when CuD is misrepresented in a way that depicts us as advocating illegal activity, abetting computer intrusion, or suggesting that we advocate chaos or disorder. Because such articles generally do not appear in national media, we don't see them unless readers send us a copy. The following SunWorld article is such an example. Although CuD was referenced just once in a single sentence, the phrasing carried discomforting implications. We could not let this one go without a response. We reproduce this material as an example of the difficulties we all continue to confront in "educating" the media, and to illustrate the generally unintended genesis of twists of phrase that become self-perpetuating in the game of "catch-up to the facts." What follows is, first, our letter to the author of the SunWorld piece, Phillip Moyer. Second, we summarize our e-mail responses to him. Finally, because we do not how our final response to SunWorld will appear after editing, we include the entire letter. CuD has continually argued that most editors and reporters are quite amenable to receiving criticisms. Phillip Moyer's response was civil and cooperative. We were especially impressed with SunWorld editor Mark Cappel's attitude, which was cordial, cooperative, and--while he deferred judgment until "the facts were in"--he was fully amendable to listening without defensiveness and to consider our complaint. However, such courtesy is what we'd expect from one originally from our University town of DeKalb, Ill. ++++ (Original letter to the author) ++++ Date--Fri, 9 Jul 93 1:26 CDT To--PRM@ECN.PURDUE.EDU From--Cu-Digest (tk0jut2@mvs.cso.niu.edu) Subject--Response to your SunWorld (July '93) piece Dear Phillip Moyer: I am stunned by your description of Cu Digest in the July, '93, issue of SunWorld. Among other things, you write: "If you have reason to look in a novice's account, you will probably find copies of Phrack, the Computer Underground Digest, and the Legion of Doom's Technical Journals, all of which have information novices (and more advanced crackers) find useful (p. 101). My complaint centers on your CuD comments. CuD does not cater to "crackers," and if you had bothered to read CuD you would note the editorial philosophy in the header. We have *never*, not once, published cracking material or any material that could even remotely be described as "helpful to 'crackers'". If you believe I am mistaken, please cite a specific article. If not, I request an explicit correction and an apology for your misrepresentation. CuD is a legitimate electronic newsletter/journal. Relatively few of our 80,000+ readers are students, let alone "crackers." Most are academics, computer specialists, journalists, attorneys, and others interested in a variety of legal, ethical, social, political, and scholarly issues surrounding computer culture. Had you looked at past issues, you would see book reviews, debates, news, legal documents, legislative information, conference announcements and summaries, and a broad range of other information that covers "cyberspace." Further, had you bothered to examine the CuD ftp sites, you would note that we maintain directories of a variety of Electronic newsletters, academic papers, state and federal computer laws, and other archival invaluable. We have worked hard to establish a reputation as a forum for debate that allows diversity of views. To have our reputation tarnished with public claims insinuating collusion in illegal or unethical conduct is intolerable. We have consistently gone on record publicly and privately to oppose all forms of predatory behavior, including unauthorized computer intrusion. For those unfamiliar with CuD, your article both misrepresents our purpose and impugns our integrity. As a criminal justice professor, I'm not inclined let such a reckless disregard for truth pass lightly. I trust that we can resolve your misrepresentation amicably, and an apology and retraction in a forthcoming issue of SunWorld would suffice. +++ Phillip Moyer replied with an explanation. He also identified several articles that he thought would be helpful to hackers. Because CuD has never published "hacking" information, we were compelled to respond. This issue strikes is as critical, because when other read the article, such as law enforcement agents or our University personnel, the CuD editors are placed in jeapordy. The following are excerpts from our correspondence to him. We summarize his comments, to which we are responding: ((In his response, Mr. Moyer indicated that his CuD description was based on personal experience of network intruders into his site, where his "investigations" reveal multiple copies of CuD, Phrack, and LOD/TJ. The CuD response: Connecting CuD to "hackers" in this manner is quite a leap of logic. You could also make the same statement about CuD being carried and read by law enforcement. From our estimate, thousands of BBSes, public access systems, ftp, and other sites carry CuD. Finding CuD amongst "hackers" is no more surprising than finding O'Reilly's books (eg, "Practical Unix Security" or "The Whole Internet") in "hacker" libraries. Your twist of phrase is neither innocent nor neutral, and the implications are quite clear. I'm pleased that "hackers" read CuD just as I am that law enforcement reads it. Perhaps the former will learn from it that computer intrusion and predatory behavior are uncool, just as we hope the latter will learn that civil liberties and common sense extend to "cyberspace." You identify several categories of information "useful" to "hackers." 1. "Cult" information about famous cracking groups. 2. Technical cracking information. 3. Information about networks in general, and how to move around... 4. Information about cracker activities/clubs/busts. 5. Cyberpunk related articles. Guilty as charged, with the exception of #2, which we have *never* published. We publish news. So what? So does the New York Times, SunWorld, and other sources. The list you identify is a miniscule fraction of our contents. EFFector publishes similar, but more narrow, material. I find your list quite disingenuous. Please re-read your own article: You write about hackers and where they obtain their skills. In that context, you list CuD along with two other E-'Zines specifically devoted to developing skills. You falsely categorize us, tarnish us by "guilt by association," and in the context of your article you paint us as a "hacker" source. You made a mistake, and I would think it more honorable that you acknowledge it rather than glibly try to engage in word games and further insult me with sloppy logic. ((Mr. Moyer suggests that "hackers" are interested in more than "how to" documents, which may be why they "insist" on keeping copies of CuD in their "stolen accounts.")) You continue with your "guilt by association" rationale. Your wording is curious: I'm not sure why you use the term "insist," and perhaps it reflects more about your own attempts to impute motives to others as you have attributed false meaning to CuD. From my experience, few "hackers" keep things in "stolen accounts," but that's a trivial issue. More to the point is your continued insistence on linking CuD with "stolen accounts" and other illegal behavior. Please remember that your article made no mention of "other" information, but in context focused on the "how to" aspect. And, the fact that CuDs may be "of interest" does not lead to the conclusion that they are helpful for "hacking," as you strongly suggest. I challenged you to list an article that is "helpful" for "hackers" or "hacking," and you identify the following: > CuD #2.14, file 7: Don't Talk to Cops > >This one lists security problems that novice crackers may >not have thought about, and therefore gives them avenues of >attack which they may otherwise have overlooked: ((MODERATORS' NOTE: Because of ambiguity of wording, it appeared that the reporter's description of file the "Security on the Net" File referred to the "Don't Talk to Cops" article. The CuD letter describes the following, not the previous issue. There was no explanation given for why "Don't Talk" was used as an example)). Astounding! This file says no such thing. It was written in response to abuses by law enforcement in overstepping their bounds in investigations. The Phrack and Steve Jackson cases, of which I assume you're aware, typify such excesses. You'll recall that in many of the so-called "Bill Cook" and "Sun Devil" cases of early 1990, at which time that file was written, investigators were rather zealous in their techniques. This file was written by an attorney for *all* readers. Even CuD editors were concerned about the "knock on the door." I'm stunned that you saw in that article anything related to "security problems that novice crackers may not have thought about, and therefore gives them avenues of attack which they may otherwise have overlooked." The article says no such thing and casts serious credibility on your claim to have read CuD, let alone this article. The article is simply not about what you claim. Period! > CuD #3.00, file 5: Security on the Net Again, I'm appalled at your interpretation. This article was written by a system administrator who was once active on the nets and whose name you might recognize. It is essentially a summary of survey responses, which strikes me as fully legitimate. If you see in that something "of interest" to hackers that would aid them in intrusion (and that was, after all, my query to you), then your own SunWorld piece must surely be classified as a primer for novice hackers. This is another article which it seems you have not read. >For true novices who haven't figured out how to forge >mail yet, there's: > CuD #1.06, file 5: SMPT (sic) Sorry, but mail forging is hardly a "hacking" tactic and is of no use in system intrusion. Even for those who would attempt to use that file to forge mail, they would find that it wouldn't work. Even if I were to concede (which I don't) that such an article is of technical interest to hackers, it is of such inconsequential value and was (even at that time) so well-known that it's odd that you would consider it in your list. I should also add that (if my recollection is correct) it was written by a computer professional as a bit of a prank because of it's useless value, and we ran it as a bit of a spoof. Sorry, but you get no points for this one. >For a number of system-level penetration ideas, mostly to do >with poor memory protection, check out > Cud #1.07, file 4: article forwarded from alt.security Again, there is nothing technical in this post. An "old time" hacker reflects on the past and, if anything, bemoans the direction of irresponsible newcomers. We've posted many such pieces, pro and con. That you adduce this as evidence of a hacking aid, which was what I asked you to produce, suggests that my original claim was correct: You can find no articles to substantiate the inference in your article. We have published about 200 issues of Cu Digest, which comes to over 1,000 articles, almost 8 megs of text files, and many reams of printouts. You have failed to substantiate your claim other than with some vague allusion to "of interest" to hackers, which by you definition, includes a range of articles so diverse as to defy credibility. ((Are CuD editors merely bickering over terminology??)) I don't see this as mere bickering. Your claims in the SunWorld article were clear and tarnished our professional reputations. Your words in the article were not conditional, were not qualified, and explicitly linked CuD with other media that were targeted to a teenage hacker audience and included considerable, although generally publicly available, technical "how to" information. Your inability to make your case, your "guilt by association" approach, and your apparent inability to see that as anything more than mere "bickering" of words is shocking. ((The following is the public letter we finally submitted to SunWorld)): +++++ Date: Tue, 20 Jul 93 2:24 CDT To: mark.cappel@sunworld.com From: Jim Thomas (tk0jut1@mvs.cso.niu.edu) Subject--Response to SunWorld article of July 23, '93 from Cu Digest CC: PRM@ECN.PURDUE.EDU,GRMEYER@GENIE.GEIS.COM 18 July, 1993 To: Mark Cappel, Editor SunWorld In the July, 1993, issue of SunWorld, Phillip Moyer's piece on computer "hackers" ("Defending the Realm") referred to Computer underground Digest (CuD) with an unfortunate choice of words: "If you have reason to look in a novice's account, you will probably find copies of Phrack, the Computer Underground (sic) Digest, and the Legion of Doom's Technical Journals, all of which have information novices (and more advanced crackers) find useful (p. 101). Although probably unintended, the phrasing might lead those unfamiliar with CuD to mistakenly infer that it is a "hacker" journal that encourages "hacking" and publishes "how to 'crack'" information. Although we're pleased that hackers are among those who find CuD of interest, the usefulness of our articles does not include any technical or other "how to" information, and CuD is not aimed at a "hacker" audience. CuD is an electronic journal/newsletter available at no cost to anybody with an internet mailing address. We have at least 80,000 readers world-wide. The audience is primarily computer professionals, academics, attorneys, journalists, students, and others who are interested in computer culture. Articles include research papers, legal and legislative summaries, conferences news and excerpts, book reviews, interviews, news, debates of current issues related to "cyberspace" and "virtual reality," and other information aimed at a diverse readership. We have never published technical information helpful for "hacking/cracking" and have consistently criticized all forms of computer abuse. The emphasis on a "hacker" culture and related articles derives in part from the editors' criminal justice background, and in part from CuD's original goal, begun in March, 1990, as what at the time was conceived as a temporary service to publish overflow pieces from Telecom Digest related to the 1990 "hacker crackdown." We recognize any writer's difficulty in choosing words that will please everybody, and we sympathize with what may seem to the SunWorld author (and others) as simply bickering over phrasing. However, given the power of labels and the potential harm that might result from being construed as a medium that abets criminal activity, we assure SunWorld readers that, although we're pleased that CuDs can be found in the files of "hackers" (as well as law enforcement, thousands of BBSes and public access systems, ftp sites, and elsewhere), CuD is of no more of use to "hackers/crackers" than a SunWorld article describing specific techniques that curious potential intruders might try. ((Final comment: We reproduce this not out of self-indulgence, but to show how easily articles might be misconstrued. There is also an apparent double-standard operating: An obscure CuD piece can be given a "helpful to hacker's" gloss while explicitly technical details found in security manuals, technical volumes, or even classbooks, are not. Even though reporters see their comments as innocent, and even though they may judge our comments as excessively thin-skinned, we can envision a reader of such articles writing an irate letter to an employer, university administrator, congressional rep, or law enforcement agent, wondering "why taxpayer dollars are being used to fund 'hacking' at a public university." We're obligated to stifle such misinformation when it's brought to our attention. If CuD readers come across similar articles in trade journals or other media, let us know. For media folk wanting to know what a "CuD" is, we suggest the "Frequently Asked Questions" list that we include with new subscriptions. ------------------------------ Date: Fri, 20 Aug 1993 18;21:43 EDT From: CuD Moderators