Computer underground Digest Thu Feb 2, 1995 Volume 7 : Issue 08 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Retiring Shadow Archivist: Stanton McCandlish Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Copy Icecreamer: B. Robbins CONTENTS, #7.08 (Thu, Feb 2, 1995) File 1--U.S. Attorney decides not to appeal LaMacchia decision (fwd) File 2--Commentary of Debate on Clipper Chip File 3--Beta-testers : EFF-Austin Law Enforcement Incidence Database File 4--Open reply to Jerome Haden File 5--Re: File 5--Writer Seeks On-Line Crime Info (fwd) File 6--Re: The InterNewt File 7--CUD7.05, Article #2 (Newt Response) File 8--CIAC Bulletin F-09: Unix /bin/mail Vulnerability File 9--Re: Amateur Action BBS Update File 10--Tools For Privacy - New book by Lenard & Block (fwd) File 11--New Internet Virtual Democracy Software File 12--Cu Digest Header Information (unchanged since 25 Nov 1994) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. ---------------------------------------------------------------------- Date: Sun, 29 Jan 1995 14:41:41 -0600 (CST) From: David Smith Subject: File 1--U.S. Attorney decides not to appeal LaMacchia decision (fwd) ---------- Forwarded message ---------- From-- nat@zurich.ai.mit.edu (Natalya Cohen) Date-- 29 Jan 95 04--38--13 The U.S. Attorney's office in Boston announced on Friday, January 27, that it will not appeal the dismissal of its legal case against MIT student David LaMacchia. The case was dismissed by District Judge Richard G. Stearns on December 29. In announcing his decision, the U.S. Attorney Donald K. Stern underscored his intent to work toward initiating new legislation "which would remove any uncertainty that willful, multiple infringements of copyrighted software, even where there is no commercial motive, is illegal." Information about the case, including the most recent announcement by the U.S. Attorney, can be found on the David LaMacchia Defense Fund (DLDF) homepage, or by request. DLDF Trustees http://www-swiss.ai.mit.edu/dldf/home.html dldf@martigny.ai.mit.edu ------------------------------ Date: Sun, 22 Jan 1995 23:36:52 -0500 (EST) From: DaVe McComb Subject: File 2--Commentary of Debate on Clipper Chip Message-Id: The Clipper Chip: Should the Government Hold the Master Keys to Electronic Commerce? (A Public Debate of the Administration's Clipper Chip and Key Escrow Initiative) Thursday, January 19, 1995 The Association of the Bar of the City of New York 42 W. 44th Street NY, NY Speakers: PRO Clipper/Key Escrow Stewart Baker(SB) - Partner, Steptoe & Johnson; former General Couns el of the National Security Agency Michael Nelson(MN) - White House Office of Science and Technology Pol icy James Kellstrom (JK) - Special Operations, FBI, NY CON Clipper/Key Escrow Daniel Weitzner(DW) - Center for Democracy and Technology; formerly wi th the Electronic Frontier Foundation William Whitehurst(WW) - IBM Corporation - Security Officer Moderator: Albert Wells(AW) - Debevoise and Plimpton [Following is my review of the Clipper Chip public debate. I have attempted to be as accurate as possible, but have had to paraphrase the participants. My overall impressions from the pro-Clipper side were that Clipper Chip as a technology may be dead, but that key escrow by the government was moving forward. From the con-Clipper side, I was left wondering, would we agree to key escrow if cryptographic export controls were lifted? - DaVe McComb] [Opening Statements] SB: We need the Clipper Chip to stop threats to the US. DW: Clipper hasn't succeeded commercially. There are problems with export controls and privacy. The belief that terrorists and drug dealers will be stopped by Clipper is ridiculous; they won't use Clipper. I forsee a new field developing in the future; that of "Mob Cryptographer." JK: We have to protect ourselves and our children against terrorists, child pornographers, kidnappers, the selling of trade secrets, and drug dealers. Would you buy a car or house if you were told, "If you lose the keys, you can never get back in?" WW: There are many legitimate uses of cryptography. However, Clipper is not compatible with the installed base of software. Also, non-US firms will not embrace a technology that the US government has the keys to. MN: The federal government needs good cryptography to build the National Information Infrastructure. However, this cryptography must not affect law enforcement. We had three choices: weak crypto - easy wiretap; strong crypto - no wiretap; or Clipper - strong crypto with the capability for wiretaps. Clipper was designed for the government and is voluntary. Clipper only solves the problem of voice encryption and not data encryption. Also, it's in hardware and therefore more costly. [Start of debate] DW: Why should users turn down Clipper? Matt Blaze found a flaw in Capstone that cast doubt on the whole project. We shouldn't accept a "secret" algorithm; there's no confidence in the security of the algorithm. Also, for key escrow, the keys are held by two federal agencies. Why should we trust them? Both agencies are responsible to the president and there are no binding government statutes regulating access to the keys. MN: The government has to get a court order for a wiretap in order to get th e data before they even go to the key escrow agencies. Therefore, we now have two layers of protection: the wiretap order and obtaining the keys from the escrow agencies. Also, the Blaze attack only showed that by not using the LEAF, it was possible to undermine the authorities. SB: Who would you rather trust to hold the keys? Private business or a democratic system with automatic checks and balances. DW: New technology presents new problems. People already know about cryptography. And criminals won't go to Radio Shack to buy their "NSA Approved" crypto phone or modem. WW: This is not a US only problem. However, Clipper is a US solution to a vastly expanding global electronic marketplace. Would we trust other governments? No. Why should they trust the US government? I am part of the "Key Escrow Alternatives Working Group." We're a group of 50-60 industry representatives who are looking for alternatives. We're trying to work with the government, but having frustrating results. MN: The questions we've received from this group are being dealt with, howev er they directly impact the national security policy. One of these unanswered questions is: "Will the government allow exportation of cryptography if the keys are escrowed?" The goal of the government is to export cryptography only if national security is not compromised. We're working towards the ideal, but we're not there yet. Clipper helps to meet this goal. AW: Are there any concrete proposals to replace Clipper? MN: Some companies have proposed DES coupled with key escrow and the governm ent is talking about these concepts. However, it will take several months to review these new products. Clipper does have a secret algorithm, but it has been tested by a number of top cryptographers. DW: Here's the lesson of Clipper: the government should not be in the busin ess of designing cryptographic products. They should work out the legislative concerns, like exportation. Taking from Maria Cantwell's letter, we want any solution to be: unclas sified, voluntary, exportable, able to be implemented in software, have guarantees for the liability of the escrow agencies, and ensure the privacy of the escrow agencies. My personal top two concerns are: exportable and voluntary. When the 1968 Wiretap Bill was proposed, civil liberty groups felt that wiretaps constituted secret searches and violated the 4th Amendment. We should see that it is not an absolute right of the government to conduct searches. JK: The government has to protect the citizens. How would you feel if your child was enticed into some snuff film, or killed? MN: We are looking at other possible escrow agencies. The first two we chos e were for use by the government, so two other government agencies were picked. AW: How would the escrow agencies be regulated? What would happen if the ke y was improperly released? SB: It's difficult to say, especially if the government holds the keys. If they were held by private businesses, they would have direct liability. AW: As far as export controls go, cryptographic printed materials and Intern et traffic easily go overseas, yet software and hardware cannot. SB: In the 80's the government viewed cryptography in much the same way as atomic bomb making. It was put on the munitions list. However, in the last 10 years we have seen many commercial uses. Also, importing crypto into other countries is difficult a s well, especially France. WW: IBM invented the basic algorithm for DES as a result of a call by govern ment to protect both business and government data. As soon as it was made the standard, export controls were slapped on it. Now there are substantial implementations of DES by f oreign companies. IBM is not thrilled when we can't deliver DES solutions to a foreign company, and we lose the business to a foreign DES product. As for France, they don't have an import law, they have a registration law whereby the French government i ssues a registration certificate. The main export problem is the US laws, not foreign government import laws. DW: The Schneier book was allowed out of the country, and it contained C cod e in printed form. However, a disk with that same code would not be allowed out of the country. MN: There probably are cases where US companies lose business, but the government is accomplishing their goal of preventing the spread of this technology. We can ensure that Libya does not get the Clipper technology. [Closing Remarks] JK: As technology advances, there's no easy solution. Clipper was not the cure-all/end-all. Other technologies have the same problems: the picture phone is great until some pervert exposes himself to you and your family by using it. We can offer stron g crypto and the only people who have to fear us are the criminals. DW: Clipper as a policy solution is a dead end. We have to move on. Law enforcement is being unfairly advantaged and individuals lose their privacy. SB: When Clipper was announced, there was a great uproar. The administratio n is standing firm - We will not allow criminal activity on the Internet. The idea of escrow has slowly sunk in with business. As this goes on, we'll see a convergence of busine ss and government between escrow and the method of cryptography. WW: The government can relax export controls by loosening restrictions on exporting cryptography to "friendly" countries. For example, Ford in Germany can buy IBM cryptographic solutions, but Mercedes Benz cannot. Also, the users would like the freedom of choice to choose the best cryptographic product for them. We need cooperation between the private and public sector. MN: Everyone wants the following: easing export restrictions, a software solution, ease of use, inexpensive, public algorithm, and law enforcement. Clipper was the first step. We will now look at other escrow technology, as well as law enforcement and export issues. We are moving step-by-step towards new approaches. The Clinton administration is moving ahead. ------------------------------ Date: Tue, 24 Jan 1995 21:09:45 -0600 (CST) From: David Smith Subject: File 3--Beta-testers : EFF-Austin Law Enforcement Incidence Database CALL FOR "BETA" TESTERS EFF-Austin Law Enforcement Incidence Database January 24th, 1995 EFF-Austin is interested in creating and maintaining a database of search and seizures involving BBS systems / Internet sites. The intention of such a database is to: * provide a status of recent incidences of government search and seizures. A file is to be opened for each raid, and then tracked as it's case winds it's way through the legal system. Ex: what is the last we heard about the Rusty N Edie BBS case? * provide a historical record of past seizures. People new to the Net, for example, need to know about the Steve Jackson Games case, and other important cases. * track certain trends and trouble areas for civil libertarians, such as computers that are seized and never returned, people who are raided and never indicted, and the "downsizing" of draconian tactics, where those who are likely to cart stuff out the door are not the FBI, but rather state or local law enforcement. * provide primary and secondary documentation sources for journalists, students, activists, law enforcement, and anyone else interested in these issues. * track incidences that don't generate media coverage. SCHEDULE FOR IMPLEMENTATION (tentative) February -- Beta-testing : fields, forms, and designing a database application accessible via gopher/Web. This is about six weeks. March -- Start data entry on huge backlog of cases. Initial estimate : 150 to 200 cases to-date. -- Public "un-veiling" during 1995 CFP. Important to have a sizeable chunk done (50 to 70 or so). Also want to create a "Top 10 List" of important cases. WHAT WE NEED NOW IN TERMS OF BETA-TESTERS We have taken an initial stab at designing a report format that we think will cover all the bases, do what we want it to do, and be useful. We want feedback from : * People most likely to use the database (journalists, activists, students, law enforcement officials, lawyers, etc.) to examine the reports, make suggestions, and provide feedback on what information you would want from such a database. * People experienced in designing databases accessible via the Internet. This should be accessible via gopher and the World Wide Web, though we haven't selected a database engine yet. Since EFF-Austin is a non-profit, volunteer-run organization, we will need assistance from the entire online community in order to make this work. Anyone is eligible to contribute input or participate; you don't need to live in Austin or be a member of EFF-Austin. Send e-mail to bladex@bga.com if you have any questions, comments, or want to join the project. ------------------------------ Date: Sun, 29 Jan 1995 12:50:20 -0800 From: Bruce Jones Subject: File 4--Open reply to Jerome Haden I am concerned about the kinds of articles and books that get written about the net. I know how well yellow, sensationalist journalism sells, and I see just such a book coming out of Mr. Haden's work. Here is a copy of the message I sent to him, asking about his motives. >From bjones Sun Jan 29 12:45:33 1995 To--fmgg44a@prodigy.com Subject--Your book Mr. Haden, I saw your request for information reposted to an Internet mailing list. I have grown somewhat suspicious about such requests, given of the terrible, yellow, sensationalist journalism about the net that has been published in the last few months. Before I begin to post challenges to your request, wherein I question your morals, goals and motivations for requesting such information, I thought I would offer you an opportunity to explain the thrust of your work. Perhaps I am wrong, but your questions look suspiciously like those "answered" in works with similar titles in national magazines and newspapers. To be specific, do you plan to write more of the same "your children are in danger of being brutalized by computer bulletin board systems," of something different, better informed, and realistic (we are, after all, talking about virtual reality and not FTF, physical contact here). Curiously yours, Bruce Jones Department of Communication bjones@ucsd.edu University of California, San Diego (619) 534-0417/4410 9500 Gilman Drive FAX (619) 534-7315 La Jolla, Ca. 92093-0503 p.s. I am sending a copy of this message to the mailing list where I first saw your request. Be advised that I am not going to keep this "between you and me" and I will be posting copies of any mail you send to me to that list as well. ------------------------------ Date: Thu, 26 Jan 1995 20:49:28 -0500 From: Barak Pearlmutter Subject: File 5--Re: File 5--Writer Seeks On-Line Crime Info (fwd) That's funny, I'm writing a book called "Nearsighted and Dangerous: A Parents Guide to the Dangers of the Public Library" I am seeking real events that are "public record" (either newspaper articles or court documents) which involve the following criminal activity: 1.) Sexual predators who have commited sex crimes on minors with a connection to a public library or salacious book. 2.) Teenage readers who have been charged with any type of plagiarism, copyright violation, document forgery, unauthorized access to private university libraries, or similar crimes. 3.) Any teenagers involved in making explosives with information obtained from a book. 4.) Any selling of illegal drugs involving minors and books available in libraries. 5.) Any other crimes involving teenagers as either victims or perpetrators with the use of public libraries or written documents of any sort. Also would be interested in hearing from victims or perpetrators willing to be interviewed "off the record", and/or willing to appear on national talk shows. If you have any such information please contact me. ------------------------------ Date: 25 Jan 1995 20:05:37 GMT From: timk@YCRDI.COM(Tim King) Subject: File 6--Re: The InterNewt Larry Mulcahy wrote concerning David Batterson's article: > Why does this venemous screed deserve to be in CUD? In it, > Batterson only makes personal attacks against right wing > figures, saying nothing about issues. Funny, this is the same thought that came to my mind. But I considered the article more likely to be a lame attempt at poor humor, rather than a series of genuine personal attacks. So I let the matter drop. However, my feelings about the article are shared by others. And, more importantly, perhaps these others don't see the humor content. Therefore, maybe this blatantly offensive series of ramblings does deserve some response. David Batterson wrote, for example, that "we can expect the clueless Newtbies, chainsmoking Helmsmen and Rush dittohead dorks to increase their invasion of the Net." Now, I will reserve my personal opinions regarding Newt Gingrich, Jesse Helms, and Rush Limbaugh -- and Rush would probably be proud to make fun of David's article. I'll also fail to mention the obvious, that not every conservative is a replicant of one of these men. Nevertheless, if conservativism is what it claims to be, we should see the current government get out of the way of the Internet. Sometimes this means that the government refuses to step in when it should, but I think the Net is strong and organized enough so that this would not be a danger. In any case, subjects that have been recently most the rave -- things like escrowed encryption, digital telephony, and encryption export -- seem to cut across party boundaries. If memory serves, both democrats and republicans have taken both sides of these issues. Also, servers and newsgroups are already available for discussing silly sectional interests in a variety of fields. This is what we in the Net call "free speech." This necessarily means that some people post ridiculous articles about the holocaust, for example. But my experiences have shown me that such silliness rarely leads to mass conversion. Why not? Because "critics" also have access to the Internet, and they can post a rebuttal to anything they feel requires one. So it is abundantly clear to me that there is no danger, even if Jesse Helms does set up "a WWW home page for the tobacco industry, where we can view video clips on the joys of smoking." Thirdly, no congress, no matter how extreme, could possibly get away with requiring free citizens "to learn some new terminology," even if there is no "prison time for first time offenders who still use the old meanings." Anyway, it's idiotic to think that such "new terminology" would actually mock the government that created it! You know, recently, when Conan O'Brien and Andy Richter did a similar bit --Newt was giving the president commands that were patently absurd -- it was funny. I thought that, perhaps, it seemed funny because, in the bit, Clinton was a willing subservient in this ridiculous scenario. But, then again, David Batterson's article in a way is just as funny. He has the whole of the world, embodied in the Internet, being a willing subservient to such absurdities. So perhaps it is funny after all. ------------------------------ Date: Thu, 26 Jan 1995 21:39:43 -0500 From: anthec@LIBERTYNET.ORG(Charlie Anthe) Subject: File 7--CUD7.05, Article #2 (Newt Response) In his response to the critics of Newt Gingrinch found in CUD7.03, Mr. Mulcahy cites as an example of Speaker Gingrich's dedication to the voters the unveiling of the "Thomas" WWW server at the Library of Congress earlier this year. The article provied goes to great pains to point out that the server will provide the average voter with easy and instant access to the daily activities of Congress and of the legislation being debated, something that previously would have required enormous paperwork from the Library of Congress. What is not mentioned by either the article of Mr. Mulcahy's response is the fact that Speaker Gingrich probably had no influence whatsoever in the installation of the Thomas server. Obviously a computer system that was going to be unveiled to the entire nation and have such politically important imformation on it would have begun in the planning stages years ago, back when the Democrats were firmly in control of the Congress. Mr. Gingrich is just being sure to soak up the limelight and proclaiming the ideas and work of the Democrats as his own personal example of the Republican fulfillment of their "Contract With America". While the creation of the Thomas server as well as that of the House of Representatives own home page (available at http://www.house.gov) are certainly important milestones in the advancement of information to the public, let us not be so quick as to reward Mr. Gingrich with the fruits of another group's labor. ------------------------------ Date: Fri, 27 Jan 1995 10:44:31 -0800 From: Steve Weeber Subject: File 8--CIAC Bulletin F-09: Unix /bin/mail Vulnerability _____________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability _____________________________________________________ INFORMATION BULLETIN Unix /bin/mail Vulnerabilities January 27, 1995 1030 PST Number F-09 ___________________________________________________________________ PROBLEM: The Unix /bin/mail utility contains security vulnerabilities. PLATFORMS: DEC OSF/1 1.2, 1.3, and 2.0 DEC Ultrix 4.3, 4.3A, and 4.4 SCO Unix System V/386 Release 3.2 OS Version 4.2 SCO Open Desktop Lite Release 3.0 SCO Open Desktop Release 3.0 SCO Open Server Enterprise System Release 3.0 SCO Open Server Network System Release 3.0 Solbourne OS4.1x SunOS 4.x DAMAGE: Local users may gain privileged (root) access. SOLUTION: Apply appropriate vendor patch as described below. ___________________________________________________________________ VULNERABILITY The vulnerabilities in the /bin/mail program have been openly ASSESSMENT: discussed in several Internet forums, and automated scripts exploiting the vulnerabilities have been widely distributed. These tools have been used in many recent attacks. CIAC recommends sites install these patches as soon as possible. ___________________________________________________________________ Critical Information about Unix /bin/mail Vulnerabilities The /bin/mail utility on several Unix versions based on BSD 4.3 Unix contain a security vulnerability. The vulnerability is the result of race conditions that exist during the delivery of messages to local users. These race conditions will allow intruders to create or modify files on the system, resulting in privileged access to the system. Below is a summary of systems known to be either vulnerable or not vulnerable. If your vendor's name is not listed, please contact the vendor or CIAC for more information. Vendor or Source Status ---------------- ------------ Apple Computer, Inc. Not vulnerable Berkeley SW Design, Inc. (BSDI) Not vulnerable Cray Research, Inc. Not vulnerable Data General Corp. Not vulnerable Digital Equipment Corp. Vulnerable FreeBSD Not vulnerable Harris Not vulnerable IBM Not vulnerable NetBSD Not vulnerable NeXT, Inc. Not vulnerable Pyramid Not vulnerable The Santa Cruz Operation (SCO) Vulnerable Solbourne (Grumman) Vulnerable Sun Microsystems, Inc. SunOS 4.x vulnerable Solaris 2.x not vulnerable Patch Information ----------------- DEC The /bin/mail patch is a part of a comprehensive Security Enhanced Kit that addresses other security problems as well. This kit was released on May 17, 1994 and was described in DEC Security Advisory #0505 and CIAC Notes 94-03. OSF/1 users should upgrade to a minimum of version 2.0 and install Security Enhanced Kit CSCPAT_4061 v1.0. Ultrix users should upgrade to at least version 4.4 and install Security Enhanced Kit CSCPAT_4060 v1.0. Both kits are available from your Digital support channel or electronically by request via DSNlink. SCO Vulnerabilities in SCO's /bin/mail utility are removed by applying SCO's Support Level Supplement (SLS) uod392a. It is available via anonymous FTP from ftp.sco.com in the /SLS directory: Description Filename MD5 Checksum ------------ ------------- -------------------------------- Disk image uod392a.Z 2c26669d89f61174f751774115f367a5 Cover letter uod392a.ltr.Z 52db39424d5d23576e065af2b80aee49 Solbourne Grumman System Support Corporation now performs all Solbourne software and hardware support. Please contact them for further information: E-mail: support@nts.gssc.com Phone: 1-800-447-2861 FTP: ftp.nts.gssc.com Sun Sun has made patches available to remove vulnerabilities in /bin/mail. These patches address all vulnerabilities CIAC has seen exploited to date, and CIAC recommends they be installed. However, the patches will be updated again in the near future to remove additional vulnerabilities that have recently come to light. CIAC will announce the availability of the new patches when they are released. The patches may be obtained from your local Sun Answer Center or through anonymous FTP from sunsolve1.sun.com in the /pub/patches directory: SunOS Filename MD5 Checksum ------- --------------- -------------------------------- 4.1.x 100224-13.tar.Z 90a507017a1a40c4622b3f1f00ce5d2d 4.1.3U1 101436-08.tar.Z 0e64560edc61eb4b3da81a932e8b11e1 Alternative Solution -------------------- For those sites unable to obtain a vendor patch for a vulnerable version of /bin/mail, a replacement package called mail.local has been developed and made freely available on the Internet. The /bin/mail program is relatively complex software, serving both as a mail delivery agent and a user interface, allowing users to send and read E-mail messages. Complex system software, like /bin/mail, is more likely to exhibit security vulnerabilities. The mail.local package was written to perform only one task: the delivery of mail to local users. It is comparatively small, and the code has been examined carefully by experts in the security community. While it has not been formally evaluated, it is probable that mail.local addresses all vulnerabilities currently being exploited in /bin/mail. For more information, see the file README in the directory ftp://coast.cs.purdue.edu/pub/tools/unix/mail.local/. ___________________________________________________________________ CIAC wishes to acknowledge the contributions of the CERT Coordination Center in the construction of this bulletin. ___________________________________________________________________ For emergencies and off-hour assistance, DOE and DOE contractor sites can contact CIAC 24-hours a day via an integrated voicemail and SKYPAGE number. To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The primary SKYPAGE PIN number, 8550070 is for the CIAC duty person. A second PIN, 8550074 is for the CIAC Project Leader. CIAC's FAX number is 510-423-8002, and the STU-III number is 510-423-2604. Send E-mail to ciac@llnl.gov. Previous CIAC notices, anti-virus software, and other information are available on the Internet via anonymous FTP from ciac.llnl.gov (IP address 128.115.19.53). CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information; 2. CIAC-NOTES for Notes, a collection of computer security articles; 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send requests of the following form: subscribe list-name LastName, FirstName PhoneNumber as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and "PhoneNumber." Send to: ciac-listproc@llnl.gov not to: ciac@llnl.gov e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36 subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36 You will receive an acknowledgment containing address and initial PIN, and information on how to change either of them, cancel your subscription, or get help. ___________________________________________________________________ PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes. ------------------------------ From: hkhenson@CUP.PORTAL.COM Subject: File 9--Re: Amateur Action BBS Update Date: Sat, 21 Jan 95 14:47:43 PST I have been keeping the net up on the AA BBS case since it started last year. Latest news (1/21/95) is that bail during appeal was denied by the Sixth Circuit, and that Robert is to report to federal prison Feb. 8, in Springfield, MO to serve 3 years, one month. I have no doubt that picking a place that far from his home and family was done on purpose as part of the punishment. Question for Mike Godwin: Who pays transport from Springfield back to Utah so Robert can be present for the bogus kiddy porn trial in a few months? Also being in prison will make it nearly impossible for him to prepare the .gif files his lawyer wants to present in his defense. They set the date (July 12) and place (Dublin, CA) for Carleen (Robert's wife). She is to serve 2 years, 2 months. I think the reason they are letting her start later is so she can be present when their oldest son graduates from high school. AA BBS is still up, and may well stay up for the whole time Robert is in prison. He has no other way to support his family or pay for legal defense. Also, outside of western TN, OK, Utah, and other backwards places, what he is selling is legal--even protected under the First Amendment. (Though some of it *is* kinda gross :-) ) AA BBS is up to about 25,000 files. There is a good chance that they will be available through the internet at some point. Trying to control information in the network age is about as sucessful as pissing into the wind. Keith Henson ------------------------------ Date: Mon, 30 Jan 1995 22:14:43 -0600 (CST) From: David Smith Subject: File 10--Tools For Privacy - New book by Lenard & Block (fwd) ---------- Forwarded message ---------- ANNOUNCING THE BETA-TEST RELEASE OF ... Tools For Privacy: How to outsmart the phone, fax, cellular, and computer snoopers A hyper-book by Lane Lenard & Will Block Check it out at the Smart Publications www homepage: ftp://ftp.crl.com:/users/ro/smart/SMART.html >From the introduction ... Our right to privacy is under concerted attack by authoritarians of every political stripe. Under the twin rubrics of the "War On Drugs" and "Stopping Child Pornography", the federal government in the United States is moving to gut the U.S. Constitution's guarantee of the right to privacy for every citizen. We believe that working "through the system" is a hopeless waste of time. This HyperBook is our effort to disseminate the vital information that you need to insure your privacy in communications, computing, banking, and your home. TABLE OF CONTENTS Introduction E-Mail Privacy Threats To E-Mail Privacy Outlaware: The Powerful Privacy Tool the Government Wants to Suppress A Brief History Of Crytography Conventional Cryptography Public Key Cryptography Encryption Always Wins: How RSA Works Hybrid Systems: The Best Of Both Worlds NSA Vs. RSA: Adventures In The Private Sector E-Mail Privacy - The Encryption Solution PGP: Military-Grade Encryption For The Masses Privacy Tips: Getting The Most Out Of PGP How To Get PGP Cracking Codes With The Codebreakers Steganography: For When You've Got Something To Hide E-Mail Privacy Product Reviews Telephone Privacy Threats To Telephone Privacy Snail-Mail Privacy Anonymous Mail Drops: How To Receive Your Snail-Mail Anonymously ******************************************************************** Smart Publications smart@crl.com ------------------------------ Date: Wed, 25 Jan 1995 15:10:26 -0700 From: myrna_bittner@CCINET.AB.CA(Myrna Bittner) Subject: File 11--New Internet Virtual Democracy Software Short-Circuit for the Virtual Democracy Backlash Those of little faith and traditional media who recently pandered to the same fear mongering tactics they accused special interest groups of, once again underestimated the sophistication and ingenuity of what they were messing with. "More hyper" ; ) Internet minds from Bittco Solutions have released Co-motion Lite for Internet, virtual democracy software that turns Internet connections into front row seats at activist round tables. Unplugged leaders can lose their fears about being "too plugged in" and manipulated by "push-button voting." "It compares to an interactive survey," says Myrna Bittner from Bittco. "In this case, the surveyor puts out one question and decides who in the world gets to participate, but after that participants can ask their own questions, tell the stories behind their solutions and concerns, interact with each other, and register their votes." All of the qualitative opinions are supported by quantitative results. And, every participant can print, analyze and distribute the results. Bittco is countering the hyper-backlash by widely distributing client applications free to Internet members interested in joining Keen Minds, a group that tackles all types of topical issues. MacintoshAE versions are available immediately and a Windows81 version is in the works. Virtual democracy is now an undeniable reality on the Internet. You'll find Keen Minds in the Info-Mac archives. The URL for the main archive is at ftp://ftp.sumex-aim.stanford.edu/info-mac/comm/tcp/keen-minds .hqx. This site is mirrored to many locations throughout the world. Contact Bittco for a comprehensive list of locations, session times and topics at 1-403-922-5514 or bittco@ccinet.ab.ca Bittco Solutions develops and publishes innovative real-time groupware for group decision support and collaborative brainstorming. Bittco also provides customized Internet solutions for collaborative environments ranging from online activism to distributed customer support. ------------------------------ ------------------------------ Date: Thu, 23 Oct 1994 22:51:01 CDT From: CuD Moderators Subject: File 12--Cu Digest Header Information (unchanged since 25 Nov 1994) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send a one-line message: SUB CUDIGEST your name Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (203) 832-8441. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: In BELGIUM: Virtual Access BBS: +32-69-844-019 (ringdown) In ITALY: Bits against the Empire BBS: +39-461-980493 In LUXEMBOURG: ComNet BBS: +352-466893 UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/ ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/ uceng.uc.edu in /pub/wuarchive/doc/EFF/Publications/CuD/ wuarchive.wustl.edu in /doc/EFF/Publications/CuD/ EUROPE: nic.funet.fi in pub/doc/cud/ (Finland) ftp.warwick.ac.uk in pub/cud/ (United Kingdom) JAPAN: ftp.glocom.ac.jp /mirror/ftp.eff.org/Publications/CuD ftp://www.rcac.tdi.co.jp/pub/mirror/CuD The most recent issues of CuD can be obtained from the NIU Sociology gopher at: URL: gopher://corn.cso.niu.edu:70/00/acad_dept/col_of_las/dept_soci COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ------------------------------ End of Computer Underground Digest #7.08 ************************************