Computer underground Digest    Sun  Nov 17, 1996   Volume 8 : Issue 81
ISSN  1004-042X

Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Field Agent Extraordinaire: David Smith
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #8.81 (Sun, Nov 17, 1996)

File 1--Review of Charles Platt's ANARCHY ONLINE
File 2--Some Excerpts from ANARCHY ONLINE
File 3--"NetLaw: Your Rights in the Online World" by Lance Rose
File 4-- Three New WEBMASTER/WEB-DEVELOPERS Books & stuff from O'Reilly
File 5--USENIX Annual Conference & USELINUX, January 6-10, 1997 (fwd)
File 6--Cu Digest Header Info (unchanged since 17 Nov, 1996)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sat, 16 Nov 96 15:53 CST
From: Cu Digest
Subject: File 1--Review of Charles Platt's ANARCHY ONLINE

ANARCHY ONLINE. By Charles Platt. New York: Black Sheep Books. 368 pp. $24.95 (cloth).

Those wishing to understand the history, development, and background of the "computer underground" generally refer to Cliff Stoll's THE CUCKOO'S EGG, Katie Hafner and John Markoff's CYBERPUNK, and Bruce Sterling's HACKER CRACKDOWN as among the most useful. Now, Platt's ANARCHY ONLINE joins this select set. Unlike the other volumes, which use the story of legal entanglements to organize the information in chronological sequence, Platt provides a smorgasbord of narratives covering topics (piracy, net porn), politics (legislative battles), law (suits and prosecutions), personalities (pick your favorite), events, movements, and history.
Dividing his material into two sections, "Newcrime" and "NetSpeech," Platt offers the reader nearly 100 narratives mixed with rich description, occasional political commentary, and a dose of social critique as a way of describing salient issues in Cyberspace. His introductory chapter of "A typical hacker bust" describes in a few pages the apprehension of the "dreaded Hollywood Hacker," whose home was raided in 1990 by law enforcement agents, guns drawn with a television crew in tow, for the heinous crime of "borrowing" an acquaintance's password and logging into a computer account without authorization. Although the "Hollywood Hacker's" offense was trivial, the incident illustrates the abysmal lack of familiarity with computer technology and "hacking" by law enforcement agents. It also provides Platt with an effective entry point into the emergence of the "computer underground."

With Platt as our tour guide, our journey through the underground includes a panorama of "hacker" BBSes, some we see from afar, some from the inside. Occasionally, we stop long enough to meet former "hackers" ("Dark Phiber," "Lord Digital," "Dead Lord," "Seth") and "hacker"-chasing agents (Scott Charney); Security wizards (Crypto-guru Phil Zimmermann, Dan Farmer, Robert Steele, the original "agent Steele" of CIA, not "hacking," fame, as federal agents learned to their confused embarrassment at a CFP conference several years ago); and an array of Net personalities.

Platt provides information from Kevin Mitnick's some-time partner "Roscoe," who suggests that much of the personal information in CYBERPUNK was a spoof concocted by Mitnick and "Roscoe." He examines how state laws have curtailed Net liberties. He brings back names from the past, including Lorne Shantz, Bob Emerson, and Jake Baker. Martin Rimm returns in a scathing section that describes his "Netporn study" and Mike Godwin's perseverance in destroying the credibility of both the study and the author.
Particularly interesting are the dozens of photographs of previously faceless Net personalities. Hackers, law enforcement agents, and others ranging from Cyberporn protagonists Philip Elmer-Dewitt/Martin Rimm and Godwin/Donna Hoffman; Anti-indecency warrior Cyberangel Colin (Gabriel) Hatcher and free-speech advocate Declan McCullagh; Joel Furr (sans t-shirt); and many, many others.

Given Platt's literary and extensive writing background, it's not surprising that ANARCHY ONLINE is exceptionally well written, and while he on occasion seems tempted to move into political polemics, he is generally successful in pulling back. Given the magnitude of detail he presents, his accuracy is impressive, perhaps because he took pains to contact many of his subjects before publication to review his commentary. Readers who prefer extended symphonies to short riffs and three-minute air-play routines might find the staccato style of brief tastes and images frustrating (Platt, I should mention, never mixes metaphors). But, the breadth and detail of this volume make it well worth reading, and it will prove an invaluable reference source. And, it's currently reasonably priced.

There is one problem with obtaining the book. ANARCHY ONLINE's hardcover edition is available by mail order only. FOR *CREDIT CARD ORDERS ONLY* DIAL 1-800-879-4214. Cover price is $24.95. BUT netizens get almost a 50 percent discount! If you say "I heard about it through the Internet" you pay only $12.95 (plus shipping). Extracts from the book are freely available for inspection at http://charlesplatt.com

The paperback will be out next March from HarperCollins and will be distributed through regular bookstores. (But it will probably cost more than $12.95). It would make a great Christmas present or, better, a supplemental text for the classroom.
------------------------------

Date: Sat, 16 Nov 96 15:43 CST
From: Cu Digest
Subject: File 2--Some Excerpts from ANARCHY ONLINE

+-----------------------------------------------------+

Maverick Security Expert Advocates Government Intervention to Secure the Internet

Robert Steele spent most of his working life in various sections of the government bureaucracy until, at the age of forty-two, he finally decided to go it alone.

"I was deputy director at the Marine Corps Intelligence Center," he says, relaxing on the couch in the comfortable, traditionally furnished living room of his home, which is nestled in wooded country in Oakton, Virginia. With nicely bound books, a couple of antique clocks, and elegant furniture, it's a peaceful refuge within easy reach of his former employers at the CIA, and no more than an hour's drive from the center of Washington, D.C.

But there is nothing peaceful or genteel about Steele himself. "I had spent eighteen years as a professional intelligence officer," he says, "and discovered that a whole lot of classified data wasn't really there. We just had a whole bunch of facts about Soviet missile silos. Nothing on the Third World, for instance. At the Marine Corps Intelligence Center we were spending $3 million a year on a system for accessing classified data from the CIA, NSA [National Security Agency], and DIA [Defense Intelligence Agency]--and I found that for $25,000 a year I could get better data from open sources."

By "open sources" he means academic studies, published papers, books, and databases accessible by private citizens via the Internet, with no security clearance necessary.
"In 1992," Steele continues in an abrasive, rapid-fire style, "I had made open sources a policy issue at congressional level by working with Hill staffers who then forced Bob Gates, director of Central Intelligence [DCI], to set up an open-sources task force to review how he did things and come up with recommendations for improving them." Disgusted by the report that resulted, Stele quit and decided to go it alone. He started sponsoring his own conferences, the first of which was hugely successful. Among the speakers were the chief of staff of the Defense Intelligence Agency, a former science advisor to the President, and the deputy director of the CIA. Attendees included people from the intelligence community, John Perry Barlow (cofounder of the Electronic Frontier Foundation), and an assortment of hackers. The event gave Steele instant notoriety. "I became a public figure," he says. Encouraged by his successes, he became more ambitious. "My vision expanded," he says. "I wanted to help the American economy make better use of open sources. I became concerned with information security. Finally it seemed to me that the only answer was to devise and implement a national information strategy. I'm hoping that Gingrich or Gore is going to use that phrase--"national information strategy"--in a speech within the next two months, because I'm working with various staffers on the Hill and in the administration whom I really respect. My ideas are bipartisan." Even though Steele became personally disillusioned with his area of government, he still sees government policy as the only way of taming anarchy online and safeguarding systems from intruders. "The role of government is to inform the citizenry about security problems that exist," he says. "Then it can establish standards to which the computer industry can rise." But why is a government policy needed? Why can't this problem be tackled by private industry? 
"The communications and computing industries have been criminally negligent, have not been held to any standards of adequate engineering. If we don't have a national information strategy that provides standards and due diligence law, we will never be able to protect ourselves. The first fundamental step is that our nation as a whole must be committed to communications security." I'm beginning to feel stuck in government-speak. What exactly does he mean by due diligence? "Due diligence is defined by regulation. Right now there is no due diligence requirement for communications and computing security. Stockholders are being screwed. They don't realize it, but they're paying a price for corporate management not protecting proprietary information properly. There's no law, no regulations, and no public perception." He pauses for emphasis. "This, I think, is the most fundamental single weakness in this nation." There's not a hint of doubt in Steele, and not a lot of false modesty, either. In 1994 he wrote a bill that was introduced in the Senate to establish his national information strategy, which would be managed by a chief information officer to be appointed by the Vice President. Steele would have liked Paul Strassman to hold that position. For himself he thought that a suitable title might be director of national intelligence, with a subordinate director of classified intelligence and a subordinate coordinator for public information who would also be director of a national information foundation that would encourage the free flow and accessibility of data through the nation. The whole package was supposed to cost half a billion dollars in the first year, rising to two billion in the fourth year and maintaining that level thereafter. The bill, of course, was never signed into law, and Steele admits that it had "zero impact." I suggest to him that the cost of it alone made it impractical, but he waves aside that objection. 
"If you're not talking in billions, no one takes you seriously. When you have trillion-dollar federal budgets, a program worth less than a billion is not significant because it's not going to have an impact on the nation as a whole. "The typical computer network," he goes on, "isn't like a house with windows, doors, and locks. It's more like a gauze tent encircled by a band of drunk teenagers with lit matches." At the same time, though, he still insists that hackers are not a cause for concern. "It is clear that eighty percent of bad things happening to computers are being done by authorized users doing unauthorized things. This was the conclusion reached by the Department of Defense during a one- year study. Hackers are just our warning signal, the sneeze that tells you you have a cold. Hackers are not a threat. Ignorance is the greatest threat. The individual, the organization, the nation that doesn't understand its electronic vulnerabilities is essentially placing itself at risk." Once again he stresses the need for a national policy to establish security standards. In the meantime, while we're waiting for government to implement his vision, he's scathing about institutions that don't take proper steps to protect [Sorry, but to view the rest of this text you'll have to read the book!] +------------------------------------------------------+ Pirate Boards: A Vanishing Species Only a few pirates still deal in warez--just for the fun of it. In the following case history, the pirate's real name has been changed at his request. "My handle was Axeman," says Mike Wollenski. "I used to run a BBS called the GrindStone. I started it when I was fifteen. It was a good ol' boys board, meaning that it only served people I knew by reputation, or personally. I had one phone lineand eighty megs of storage." According to Mike, he never charged anyone for membership or downloads. The operation was just a hobby. 
"Making money off stolen software is a fantastic way to have the feds come gunning after your ass," he says. The board ran without trouble for three years, serving a maximum of 150 users. In 1994 Mike went to college and set up a new version of his BBS from there. Still there were no problems, even though he was now dealing more heavily in stolen software. "I got back into the pirate scene big time," he says. "I loved getting uploads, especially uploads that were less than three days old. I used to have a contact at IBM who would be able to get us the latest OS/2 beta source codes for device drivers and utilities. He'd send it up and some guys would download it and it would spread from there." At Christmas break, Mike moved the BBS back home again and took things one notch farther. "Right around this time," he recalls, "in my AC [area code], 914, an interest in H/P/V/C/A started." H/P/V/C/A stands for Hacking, Phreaking, Viruses, Cracking (or Carding, depending on who you ask), and Anarchy. "Me, being the information hound that I was, decided to join a mail network called MOBNet." This was an informal store-and-forward message system. Mike would accumulate a bunch of BBS messages or other data, reduce their size with a file compression utility such as PKZip, then pass them to another BBS. He received material on the same basis. "On a good day," says Mike, "I would get in a couple hundred mes-sages, all dealing with hacking into systems, how to crack password files on Unix hosts, how and where to find credit card numbers, and, more importantly, how to protect yourself from these things happening to you. So here I was, a pirate board in 914--rather successful, as far as this area code goes--getting pretty new files, and a ton of information daily about the `darker sciences.'" On Christmas Eve Mike received a warning. "I get a call from a friend of mine, telling me, `Dude, shut it down! Kill it! Nuke everything, and close everything up! 
Some kid just got popped for credit card fraud, and he's telling the cops that he got it from you.' Needless to say, I freaked. I immediately took it down."

Foolishly, though, after a couple of days he put everything back online. A couple more days after that, he was raided.

"I'd been to the movies with my younger brother and a friend of ours from school. I think it was at ten-thirty or so. On our way back to my house, the car phone rings. Understand, it was my parents' car; I had to raid the change bin for the money to see the movie. My bro picks it up, says, `Yeah? Uh-huh. Hmmm. Uh . . . okay. Bye.' He turns to me and says, rather loudly, `You're going to jail! The cops came over to the house with a search warrant and took your computer and stuff. Mom and Dad are pissed!'"

When Mike got home he found that state police had taken his 486SX/33 IBM-compatible computer, the monitor, keyboard, modem, mouse, and all his software--"including the stuff I had bought!" he says with a tone of wounded disbelief. "They also took most of my parents' software. They tried to take my mom's computer as well; I gather yelling ensued, and that computer never left the house."

Mike was only a few days over eighteen. The police promised that if he cooperated, he'd be charged as a juvenile, there would be no felony charges, and his identity would be kept secret. This sounded like a good deal, so he supplied the password to unlock his system.

According to Mike, the cops then proceeded to betray him. In February 1995 a local newspaper ran a two-part article on hacking in which Mike was the only person identified under his real name. A few months later, when Mike came home from the spring college semester, he found himself charged as an adult, with two class-E felonies carrying more than ten years of potential jail time. He was horrified.

"In the end," he says, "my lawyer talked them down to a violation--disorderly conduct--with a $250 fine and twenty-five hours community service.
But I had been so worried about the case, I couldn't finish my semester at school. The cops had lied to me outright in front of me and my lawyer, so I had no idea what they were going to do next, and I basically panicked."

He regrets now that he cooperated. "I should have told them to go fuck themselves silly. But I gave them access to my files, and because of that, a good friend of mine also got busted. For all I know he went to jail; I don't really want to know."

The main reason for police action against Mike's board was not the software but the file containing credit card numbers. "Most of them I got from a friend," he says, "but some of them came from carbon copies in trash bins outside the mall. It's easy to get them; you just go down there at two A.M. when all the rent-a-cops are enjoying their doughnuts."

He insists, however, he had no interest in the numbers. "Once I had them--okay, great, now what? I never used any of 'em, because I have parents. They are better than any credit card I know of. I don't have to pay interest, I don't have a spending limit--hell, I don't even have to pay them back! So did I sell card numbers? No. Did I give them to people? No. Were they available if people left a message on my board? Yes. Just like they are available anywhere else in life. What it comes down to is that I was busted because I let people do what they wished with my hard-drive space. I think that what people did with my board was their own business. The police came in and violated that right."

Mike's parents imposed some limits for a while: no modem usage, and he had to ask permission to make phone calls. Eventually he got his computer system back from the police--everything except the hard drive--and computers are still his main interest. He's hoping to make a career out of them as a network technician.

Meanwhile, he says, pirate boards are scarcer than ever. "After I was busted, all the local boards disappeared.
As far as I know, there's only one board left in 914. There are still boards in other areas with a couple thousand people on 'em, but most are in the Midwest, where people are naturally

[Sorry, but to view the rest of this text you'll have to read the book!]

------------------------------

Date: Wed, 06 Nov 1996 14:00:37 EST
From: "Rob Slade, doting grandpa of Ryan & Trevor"
Subject: File 3--"NetLaw: Your Rights in the Online World" by Lance Rose

BKNETLAW.RVW 950406

"NetLaw: Your Rights in the Online World", Lance Rose, 1995, 0-07-882077-4, U$19.95

%A Lance Rose
%C 2600 Tenth St., Berkeley, CA 94710
%D 1995
%G 0-07-882077-4
%I McGraw-Hill
%O U$19.95 510-548-2805 800-227-0900 lkissing@osborne.mhs.compuserve.com
%O pmon@osborne.mhs.compuserve.com
%P 372
%T "NetLaw: Your Rights in the Online World"

Very similar to his earlier "Syslaw" (cf. BKSYSLAW.RVW), this is a general guide to various legal aspects of life online. The major changes are the broadening of the scope from BBS level systems to include online services and the Internet, and very handy (and interesting) sidebars, which give a thumbnail sketch version of the topic under discussion. These usually include a reference to some specific case.

Chapters address the issues of censorship, contracts, commerce, and copyright. Chapter four, which deals with the responsibility of the system operator in light of online dangers, does touch on the topic of malicious software. I was disappointed that this is limited to a not terribly accurate defining of terms, and almost no discussion of the admittedly confused legal situation. Further chapters cover privacy, crime, search and seizure, and a rather disappointing chapter on obscenity. Appendices include some very useful sample contracts, and various US laws.

Given recent developments which have strongly indicated the international nature of the net and international legal ramifications, it is discouraging to see that Rose still presents only a limited and US-centric view.
However, the general principles he describes are held in common law, and this book should at least provide guidance for the broader online world.

copyright Robert M. Slade, 1995 BKNETLAW.RVW 950406

==============
Vancouver      ROBERTS@decus.ca     | "Daughters of feminists love to wear
Institute for  Robert_Slade@sfu.ca  | pink and white short frilly dresses
Research into  rslade@cyberstore.ca | and talk of successes with boys/
User           rslade@sfu.ca        | It annoys/
Security       Canada V7K 2G6       | Their Mums ..." - Nancy White

------------------------------

Date: Wed, 30 Oct 1996 16:14:58 -0800
From: Sara Winge
Subject: File 4-- Three New WEBMASTER/WEB-DEVELOPERS Books & stuff from O'Reilly

FOR IMMEDIATE RELEASE
October 30, 1996

PRESS ONLY--FOR REVIEW COPIES, CONTACT:
Sara Winge
707/829-0515
sara@ora.com

O'REILLY PUBLISHES "WEBMASTER IN A NUTSHELL"
Quick Reference Guide Covers HTML, CGI, Server Configuration, and More

SEBASTOPOL, CA--The latest addition to O'Reilly's best-selling "in a Nutshell" quick reference series is "WebMaster in a Nutshell." This new book takes all the essential reference information for the Web and pulls it together into one slim volume. With a clean layout featuring easy-to-browse entries and a lay-flat binding, this book is a vital desktop reference for anyone who does work on the Web--content providers, programmers, and administrators alike.
"WebMaster in a Nutshell" covers: > HTML 3.2, the markup language for Web documents > CGI, for creating interactive content on the Web > JavaScript, a scripting language that can be embedded directly into HTML > HTML extensions by Netscape Navigator 3.0 and Microsoft Internet Explorer 3.0 > Examples and descriptions of the HTML tags for creating frames, tables, and fill-in forms > HTTP 1.1, the underlying protocol that drives the Web > Configuration for the Apache, NCSA, CERN, Netscape, and WebSite servers > Perl 5, the programming language used most often for CGI > WinCGI, the CGI interface for Windows-based programming languages > Cookies, for maintaining state between multiple instances of CGI, Java and JavaScript programs > Server Side Includes, for embedding dynamic data into Web pages "WebMaster in a Nutshell" breaks up these topics into concise, distinct chapters, designed to make it easy to find the information you want at a moment's notice. This is a book that anyone working seriously on the Web will find indispensable. ### WebMaster in a Nutshell: A Desktop Quick Reference By Stephen Spainhour & Valerie Quercia 1st Edition October 1996 378 pages, ISBN: 1-56592-229-8, $19.95 ============================ For Review Copies Contact Kathleen Quirk (508)287-1882 kquirk@powersoft.com O'REILLY PARTNERS WITH SYBASE TO REACH WEB DEVELOPERS WebSite 1.1 Included in Internet Developer Toolkit for PowerBuilder 5.0 Sebastopol, CA, October 28, 1996 - O'Reilly & Associates, a leading Internet software developer and book publisher, has announced that it is partnering with Sybase to provide developers with tools for creating Internet and intranet business applications. O'Reilly's award-winning WebSite 1.1(TM), heralded for its features, ease of use and documentation, is now included in the Internet Developer Toolkit, a new product of Sybase's Powersoft development tools division. 
Internet Developer Toolkit, a companion product for PowerBuilder 5.0 for Windows, enables developers to quickly extend their current applications to the Web, as well as to build a new class of dynamic server-based applications. WebSite 1.1, winner of the Dvorak Award for Outstanding Server Software, is a 32-bit multithreaded Web server for Windows NT 3.51 or higher and Windows 95 platforms, which lets users maintain a set of Web documents, control access to a site, index desktop directories, and use a CGI program to display data from applications such as Excel, Access, and SQL Anywhere. WebSite 1.1 includes WebView(TM), a powerful Web management tool that provides a graphical display of all documents and links on the server. WebSite features a graphical interface for creating virtual servers, server side includes (SSI), and a framework which significantly improves the speed and efficiency of working with spreadsheets, databases, and other programs in environments such as PowerBuilder. Powersoft's Internet Developer Toolkit is currently available for the North American retail list price of $99. The product is available directly from Sybase, Inc. and its worldwide network of resellers and distributors. To locate the nearest reseller, interested individuals can call 1-800-395-3525. In addition to WebSite 1.1, Internet Developer tool kit includes Web.PB, based on the PowerBuilder development environment; the PowerBuilder Window Plug-in for running PowerBuilder applications in a Web browser; the DataWindow Plug-in, for manipulating and presenting database information; and Internet Class Libraries, enabling developers to maintain session or state information across HTML pages. ABOUT O'REILLY & ASSOCIATES, INC. Founded in 1978, O'Reilly & Associates is recognized worldwide for its definitive books on the Internet and UNIX, and for its development of online content and software. 
O'Reilly developed the Global Network Navigator (GNN), a pioneering web-based publication which it sold to America Online in June, 1995. In addition to WebSite 1.1, the company's other software products include second-generation server WebSite Professional(TM), WebBoard(TM), a web-based multi-threaded conferencing system, and PolyForm(TM), a web forms construction kit. Statisphere(TM), a Web traffic analyzer, will be the company's newest software product when it is released this Winter. O'Reilly & Associates' affiliate companies include Songline Studios, an innovative content developer for online audiences, and Travelers Tales, an award-winning travel book publisher. The company's Internet addresses are http://www.ora.com/ and http://software.ora.com/. ABOUT SYBASE, INC. Headquartered in Emeryville, CA, Sybase, Inc., is a worldwide leader in distributed computing solutions, with record revenues in 1995 of $957 million. The company provides customers and partners with software and services to create information management solutions, integrate information assets across heterogeneous systems, and communicate information throughout and beyond the enterprise. The company's product groups design and develop databases, middleware, application development tools and languages to reduce the cost and complexity of distributed computing, to create business applications for the Internet and intranets, and to build distributed data marts and warehouses. The company's Internet addresses are http://www.sybase.com/ and http://www.powersoft.com/. WebSite, WebSite Professional, WebBoard, Polyform and Statisphere are trademarks of O'Reilly & Associates, Inc. All other names may be registered trademarks or trademarks of their respective companies. 
====================================== "BUILDING AN INDUSTRIAL STRENGTH WEB" IS FOCUS OF ISSUE 4 OF THE "WORLD WIDE WEB JOURNAL" SEBASTOPOL, CA--The World Wide Web Consortium (W3C) and O'Reilly & Associates announce the publication of Issue 4 of the "World Wide Web Journal." This issue focuses on the infrastructure needed to create and maintain an "Industrial Strength Web," from network protocols to application design. Over a year ago, the http protocol on the Web surpassed the file transfer protocol as the largest application load on the Internet. As a result, Internet performance is crumbling in many locations, network addresses are being consumed at a prodigious rate, and the extraordinary popularity of a handful of pages is crowding out the rest of the Web. This issue takes a detailed look at the technology--present and future--that's required to scale the Web to work for millions of hosts, tens of millions of users, and billions of pages. The papers in this issue shed light on these challenges, and offer state-of-the-art remedies. The "W3C Reports" section features papers from two workshops: the Joint W3C/OMG Workshop on Distributed Objects and Mobile Code and the Meeting on Distributed AW..