Computer underground Digest    Thu  Aug 18, 1994   Volume 6 : Issue 74
ISSN  1004-042X

Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Retiring Shadow Archivist: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Campy Editor: Shrdlu Etaionsky

CONTENTS, #6.74 (Thu, Aug 18, 1994)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send a one-line message: SUB CUDIGEST your name
Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE:   from the ComNet in LUXEMBOURG BBS (++352) 466893;
          In ITALY: Bits against the Empire BBS: +39-461-980493
          In BELGIUM: Virtual Access BBS: +32.69.45.51.77 (ringdown)

UNITED STATES:  etext.archive.umich.edu (141.211.164.18) in /pub/CuD/
                ftp.eff.org (192.88.144.4) in /pub/Publications/CuD
                aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                uceng.uc.edu in /pub/wuarchive/doc/EFF/Publications/CuD/
                wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
EUROPE:         nic.funet.fi in pub/doc/cud/ (Finland)
                ftp.warwick.ac.uk in pub/cud/ (United Kingdom)
JAPAN:          ftp.glocom.ac.jp /mirror/ftp.eff.org/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Digest contributors assume all
            responsibility for ensuring that articles submitted do not
            violate copyright protections.
----------------------------------------------------------------------

Date: 10 Aug 1994 16:58:23 -0500
From: mech@eff.org (Stanton McCandlish)
Subject: EFF Analysis of Leahy/Edwards Digital Telephony Bill

EFF SUMMARY OF THE EDWARDS/LEAHY DIGITAL TELEPHONY BILL
=======================================================

OVERVIEW
--------

The Edwards/Leahy Digital Telephony bill places functional requirements on telecommunications carriers in order to enable law enforcement to continue to conduct authorized electronic surveillance. It allows a court to impose fines on carriers that violate the requirements, and mandates that the processes for determining capacity requirements and technical standards be open and public. The bill also contains significant new privacy protections, including an increased standard for government access to transactional data (such as addressing information contained in electronic mail logs), a requirement that information acquired through the use of pen registers or trap and trace devices not disclose the physical location of an individual, and an expansion of current law to protect the radio portion of cordless telephone conversations from unauthorized surveillance.

SCOPE OF THE BILL. WHO IS COVERED?
-----------------------------------

The requirements of the bill apply to "telecommunications carriers", which are defined as any person or entity engaged in the transmission or switching of wire or electronic communications as a common carrier for hire (as defined by section 3 (h) of the Communications Act of 1934), including commercial mobile services (cellular, PCS, etc.). The bill also applies to those persons or entities engaged in providing wire or electronic communication switching or transmission service to the extent that the FCC finds that such service is a replacement for a substantial portion of the local telephone exchange.

The bill does not apply to online communication and information services such as Internet providers, Compuserve, AOL, Prodigy, and BBS's. It also excludes private networks, PBX's, and facilities which only interconnect telecommunications carriers or private networks (such as most long distance service).

REQUIREMENTS IMPOSED ON CARRIERS
--------------------------------

Telecommunications carriers would be required to ensure that they possess sufficient capability and capacity to accommodate law enforcement's needs. The bill distinguishes between capability and capacity requirements, and ensures that the determination of such requirements occur in an open and public process.

CAPABILITY REQUIREMENTS
-----------------------

A telecommunications carrier is required to ensure that, within four years from the date of enactment, it has the capability to:

1. expeditiously isolate the content of a targeted communication within its service area;

2. isolate call-identifying information about the origin and destination of a targeted communication;

3. enable the government to access isolated communications at a point away from the carrier's premises and on facilities procured by the government, and;

4. to do so unobtrusively and in such a way that protects the privacy and security of communications not authorized to be intercepted (Sec. 2601).

However, the bill does not permit law enforcement agencies or officers to require the specific design of features or services, nor does it prohibit a carrier from deploying any feature or service which does not meet the requirements outlined above.

CAPACITY REQUIREMENTS
---------------------

Within 1 year of enactment of the bill, the Attorney General must determine the maximum number of intercepts, pen register, and trap and trace devices that law enforcement will require four years from the date of enactment. Notices of capacity requirements must be published in the Federal Register (Sec. 2603). Carriers have 4 years to comply with capacity requirements.

PROCESS FOR DETERMINING TECH. STANDARDS TO IMPLEMENT CAPABILITY REQUIREMENTS
----------------------------------------------------------------------------

Telecommunications carriers, through trade associations or standards setting bodies and in consultation with the Attorney General, must determine the technical specifications necessary to implement the capability requirements (Sec. 2606).

The bill contains a 'safe harbor' provision, which allows a carrier to meet its obligations under the legislation if it is in compliance with publicly available standards set through this process. A carrier may deploy a feature or service in the absence of technical standards, although in such a case the carrier would not be covered by the safe harbor provision and may be found in violation.

Furthermore, the legislation allows anyone to file a motion at the FCC in the event that a standard violates the privacy and security of telecommunications networks or does not meet the requirements of the bill (Sec. 2606). If petitioned under this section, the FCC may establish technical requirements or standards that:

1) meet the capability requirements (in Sec. 2602);

2) protect the privacy and security of communications not authorized to be intercepted, and;

3) encourage the provision of new technologies and services to the public.

ENFORCEMENT AND PENALTIES
-------------------------

In the event that a court or the FCC deems a technical standard to be insufficient, or if law enforcement finds that it is unable to conduct authorized surveillance because a carrier has not met the requirements of this legislation, the Attorney General can request that a court issue an enforcement order (an order directing a carrier to comply), and/or a fine of up to $10,000 per day for each day in violation (Sec. 2607). However, a court can issue an enforcement order or fine a carrier only if it can be determined that no other reasonable alternatives are available to law enforcement. This provision allows carriers to deploy features and services which may not meet the requirements of the bill. Furthermore, this legislation does not permit the government to block the adoption or use of any feature or service by a telecommunications carrier which does not meet the requirements.

The bill requires the government to reimburse carriers for all reasonable costs associated with complying with the capacity requirements. In other words, the government will pay for upgrades of current features or services, as well as any future upgrades which may be necessary, pursuant to published notices of capacity requirements (Sec. 2608).

There is $500,000,000 authorized for appropriation to cover the costs of government reimbursements to carriers. In the event that a smaller sum is actually appropriated, the bill allows a court to determine whether a carrier must comply (Sec. 2608 (d)). This section recognizes that telecommunications carriers may not be responsible for meeting the requirements if the government does not cover reasonable costs.

The government is also required to submit a report to Congress within four years describing all costs paid to carriers for upgrades (Sec. 4).

ENHANCED PRIVACY PROTECTIONS
----------------------------

The legislation contains enhanced privacy protections for transactional information (such as telephone toll records and electronic mail logs) generated in the course of completing a communication. Current law permits law enforcement to gain access to transactional information through a subpoena. The bill establishes a higher standard for law enforcement access to transactional data contained in electronic mail logs and other online records. Telephone toll records would still be available through a subpoena. Under the new standard, law enforcement is required to obtain a court order by demonstrating specific and articulable facts that electronic mail logs and other online transactional records are relevant and material to an ongoing criminal investigation (Sec. 10).

Law enforcement is also prohibited from remotely activating any surveillance capability. All intercepts must be conducted with the affirmative consent of a telecommunications carrier and activated by a designated employee of the carrier within the carrier's facilities (Sec. 2604).

The bill further requires that, when using pen registers and trap and trace devices, law enforcement will use, when reasonably available, devices which only provide call set up and dialed number information (Sec. 10). This provision will ensure that as law enforcement employs new technologies in pen register and trap and trace devices, it will not gain access to additional call setup information beyond its current authority.

Finally, the bill extends the Electronic Communications Privacy Act (ECPA) protections against interception of wireless communications to cordless telephones, making illegal the intentional interception of the radio portion of a cordless telephone (the transmission between the handset and the base unit).

CELLULAR SCANNERS
-----------------

The bill makes it a crime to possess or use an altered telecommunications instrument (such as a cellular telephone or scanning receiver) to obtain unauthorized access to telecommunications services (Sec. 9). This provision is intended to prevent the illegal use of cellular and other wireless communications services. Violations under this section face imprisonment for up to 15 years and a fine of up to $50,000.

IMPROVEMENTS OF THE EDWARDS/LEAHY BILL OVER PREVIOUS FBI PROPOSALS
------------------------------------------------------------------

The Digital Telephony legislative proposal was first offered in 1992 by the Bush Administration. The 1992 version of the bill:

* applied to all providers of wire or electronic communications services (no exemptions for information services, interexchange carriers or private networks);

* gave the government the explicit authority to block or enjoin a feature or service that did not meet the requirements;

* contained no privacy protections;

* contained no public process for determining the capacity requirements;

* contained no government reimbursement (carriers were responsible for meeting all costs);

* would have allowed remote access to communications by law enforcement, and;

* granted telecommunications carriers only 18 months to comply.

The Bush Administration proposal was offered on Capitol Hill for almost a year, but did not attract any congressional sponsors.

The proposal was again offered under the Clinton Administration's FBI in March of 1993. The Clinton Administration's bill was a moderated version of the original 1992 proposal:

* It required the government to pay all reasonable costs incurred by telecommunications carriers in retrofitting their facilities in order to correct existing problems;

* It encouraged (but did not require) the Attorney General to consult with telecommunications industry representatives and standards bodies to facilitate compliance,

* It narrowed the scope of the legislation to common carriers, rather than all providers of electronic communications services.

Although the Clinton Administration version was an improvement over the Bush Administration proposal, it did not address the larger concerns of public interest organizations or the telecommunications industry. The Clinton Administration version:

* did not contain any protections for access to transactional information;

* did not contain any public process for determining the capability requirements or public notice of law enforcement's capacity needs;

* would have allowed law enforcement to dictate system design and bar the introduction of features and services which did not meet the requirements, and;

* would have allowed law enforcement to use pen registers and trap and trace devices to obtain tracking or physical location information.

* * *

Locating Relevant Documents
===========================

** Original 1992 Bush-era draft **

ftp.eff.org, /pub/EFF/Policy/FBI/Old/digtel92_old_bill.draft
gopher.eff.org, 1/EFF/Policy/FBI/Old, digtel92_old_bill.draft
http://www.eff.org/pub/EFF/Policy/FBI/Old/digtel92_old_bill.draft
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital Telephony; file: digtel92.old

** 1993/1994 Clinton-era draft **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94_bill.draft
gopher.eff.org, 1/EFF/Policy/FBI, digtel94_bill.draft
http://www.eff.org/pub/EFF/Policy/FBI/digtel94_bill.draft
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital Telephony; file: digtel94.dft

** 1994 final draft, as sponsored **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94.bill
gopher.eff.org, 1/EFF/Policy/FBI, digtel94.bill
http://www.eff.org/pub/EFF/Policy/FBI/digtel94.bill
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital Telephony; file: digtel94.bil

** EFF Statement on sponsored version **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94_statement.eff
gopher.eff.org, 1/EFF/Policy/FBI, digtel94_statement.eff
http://www.eff.org/pub/EFF/Policy/FBI/digtel94_statement.eff
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital Telephony; file: digtel94.eff
The Clinton Administration version: * did not contain any protections for access to transactional information; * did not contain any public process for determining the capability requirements or public notice of law enforcement's capacity needs; * would have allowed law enforcement to dictate system design and bar the introduction of features and services which did not meet the requirements, and; * would have allowed law enforcement to use pen registers and trap and trace devices to obtain tracking or physical location information. * * * Locating Relevant Documents =========================== ** Original 1992 Bush-era draft ** ftp.eff.org, /pub/EFF/Policy/FBI/Old/digtel92_old_bill.draft gopher.eff.org, 1/EFF/Policy/FBI/Old, digtel92_old_bill.draft http://www.eff.org/pub/EFF/Policy/FBI/Old/digtel92_old_bill.draft bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital Telephony; file: digtel92.old ** 1993/1994 Clinton-era draft ** ftp.eff.org, /pub/EFF/Policy/FBI/digtel94_bill.draft gopher.eff.org, 1/EFF/Policy/FBI, digtel94_bill.draft http://www.eff.org/pub/EFF/Policy/FBI/digtel94_bill.draft bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital Telephony; file: digtel94.dft ** 1994 final draft, as sponsored ** ftp.eff.org, /pub/EFF/Policy/FBI/digtel94.bill gopher.eff.org, 1/EFF/Policy/FBI, digtel94.bill http://www.eff.org/pub/EFF/Policy/FBI/digtel94.bill bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital Telephony; file: digtel94.bil ** EFF Statement on sponsored version ** ftp.eff.org, /pub/EFF/Policy/FBI/digtel94_statement.eff gopher.eff.org, 1/EFF/Policy/FBI, digtel94_statement.eff http://www.eff.org/pub/EFF/Policy/FBI/digtel94_statement.eff bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital Telephony; file: digtel94.eff ------------------------------ Date: 10 Aug 1994 13:33:30 -0500 From: stahlman@radiomail.net (Mark Stahlman (via RadioMail)) Subject: Re: EFF Statement on Leahy/Edwards 
Digital Telephony Bill Jerry, Danny, Stanton, et al: Well, what a fine kettle of fish you've gotten yourselves into this time. EFF "supports" a Digital Telephony (wiretap) bill. Quick, who's got the smelling salts? You've gone from "Jackboots on the InfoBahn" to "substantially less intrusive", "significant privacy advances" and "enhanced protection." And, just whose picture is that in the dictionary next to the definition of "cyberdupes" anyway? After successfully defeating draconian legislation for years, EFF now helps to . . . draft the kinder-gentler wiretap bill. Because Leahy and Edwards "concluded that the passage of such a bill was inevitable this year", EFF is called upon to perform the one-eyed act in the land of the blind. What happened from last year to this? Why was any bill "inevitable" in this Congress? Did EFF lose it's clout? Did the Information-SuperHypeway blitz (that EFF cynically fanned) help tip the balance? I have no doubt that this bill is "better" than the FBI's proposal. I also have no doubt that the FBI knew that it's bill was only the starting point for the negotiations. And, if passed, this bill will certainly deliver to the FBI everything that it wants. That's the way Washington works. Wake up. As I've said all along, EFF made themselves part of a process far larger, more powerful and more professional than they could ever become when they scrapped the chapters and moved to DC to become lobbyists. And, since the "groups" that EFF "represents" are not particularly powerful, EFF's efforts will inevitably be confined to providing language that helps the truly powerful groups (like the FBI -- which lest we forget is just the Clinton administration) get their way. But don't be fooled. EFF is not an "opposition" group wrestling with the weighty issues of cyberspace politics. Despite the advertisements, EFF is not "hacking politics and then fixing it." They have opted to become an integral part of the "system". Is that a bad thing? 
Certainly not. The "system" delivers enormous benefits to most of its citizens. And, it needs its functionaries -- like EFF. But, as Toffler would have put it, ours is a completely obsolete Second Wave "system" which needs to be radically transformed. Reread the concluding section of Toffler's "Third Wave" on 21st Century Democracy. Published in 1980, this book lays out the issues and predicts the outcomes that are still worthy of very serious debate, study and action.

The technologies we are so intimately involved with will inevitably lead to profound social and psychological changes which in turn will force the development of something akin to Toffler's "Third Wave" government. I don't know if it will be 20% or 50% the size of current government but it certainly won't tolerate anything like Gore's NII or this administration's Information Industrial Policy initiatives. Nor will it support a police force bent on wiretaps to catch electronic tax cheats -- a far more plausible motivation for this legislation than hunting porno-smuggling-kiddie-grabbing-terror-toting hairballs.

We need organizations (and individuals) which are dedicated to working on the thorny problems of inventing a new government which will be capable of supporting and defending a cyberspace economy. This is a process which is probably best conducted *outside* of the current "system". As EFF has shown us, the talk-show temptations of being an "insider" are just too powerful to be resisted. Principles don't matter when you're on the "inside". Clear, careful and even "radical" thinking doesn't help when the horse-trading takes over.

Re-read the EFF's founding principles, re-read "Across The Electronic Frontier." Then, compare the text with the reality. Take it as an object lesson in politics. Disappointed? Well, maybe that's part of growing up.

Hopefully, EFF will take up the case of the Milpitas porn-BBS conviction on appeal. Now that's real cyberspace politics!
This administration (yes, they still run the DoJ) decided to attack cyberspace information rights by trying to impose the "community standards" of Memphis on all of cyberspace. A non-Internet connected private board with $99 annual fees was convicted of 11 counts of delivering porn over the phone (and acquitted of a kiddie porn count because the board refused to post the kiddie-GIFs the Feds sent them). Yes, there's plenty of important work left for EFF to do.

And, what about you? Start something new, something bold. Have the courage to just say no to cyber-crats and digital control freaks. Forget moribund ideologies. Stop trying to summon Jefferson's (or Marx's or Rand's) ghost from the grave. Face up to the fact that we already live in a networked economy and that millions of people have already entered into Toffler's new "psycho-sphere". Pick up the tools at hand and take responsibility to invent the future. Your Softbot descendants will honor you for your valor.

Mark Stahlman
New Media Associates
New York City
stahlman@radiomail.net

------------------------------

Date: Thu, 18 Aug 1994 14:25:22 -0600 (MDT)
From: "Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067"
Subject: "Secrets of a Super Hacker" by Fiery

BKSCSUHK.RVW 940609

Loompanics Unlimited
P.O. Box 1197
Port Townsend, WA 98368
206/385-5087
fax 206/385-7785
loompanx@pt.olympus.net
"secrets of a super hacker", Fiery, 1994; 1-55950-106-5, U$19.95

Despite Loompanics' reputation as a "dark side" publisher, this may be a very good book. It deals primarily with social engineering, despite the purported coverage of other topics. It would therefore be valuable reading material around corporate lunchrooms, since forewarned is just a little bit more paranoid and, therefore, forearmed.

As those involved with data security in the real world well know, cracking is basically a con job. Thus, The Knightmare, if he really is "super", is a con artist par excellence--and is pulling off a really great con here!
Revealing the secrets of social engineering poses very little threat to security. Con men already exist and will continue to exist. Cracker wannabes are unlikely to be able to carry off a successful con if they need to rely on canned advice like this. On the other hand, it is much more likely to shock naive and non-technical users into an awareness of the need for suspicion and proper procedures--albeit possibly only temporarily. Thus, this information is almost inherently of more use in data protection than in data penetration.

As for technical help for the cracker; well, are you really expecting great technical revelations from someone who knows there is a difference between baud and bits per second--and gets it backwards? Or, who thinks 140 and 19,900 baud are standard modem speeds? Who thinks Robert Morris' worm found "original" bugs? (And who doesn't know the difference between "downgrade" and "denigrate"?) All the successful hacks in the book rely on social engineering rather than technology. Lots of jargon is thrown in along the lines of, "You need X," but without saying what X really is, where to get it, or how to use it.

The official definition of a hacker in the book is of the "good side" seeker after knowledge. As it is stated early on, a hacker *could* do lots of mischief--but doesn't. In the course of the text, though, the image is much more convoluted. The book almost seems to be written by two people; one who is within the culture and has the standard confused cracker viewpoint, and another, sardonically aware of pulling the wool over all the wannabes' eyes. The chapter on contacting the *true* hacker community is EST-like in its refusal to define when you might have made it, or how.

Like I said, buy it for the corporate or institutional lunchroom. Make sure that the non-techies get first crack at it. If you'll pardon the expression.

copyright Robert M. Slade, 1994 BKSCSUHK.RVW 940609

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer ROBERTS@decus.ca, RSlade@sfu.ca, Rob Slade at 1:153/733
DECUS Symposium '95, Toronto, ON, February 13-17, 1995, contact: rulag@decus.ca

------------------------------

End of Computer Underground Digest #6.74