Computer underground Digest    Sun, Nov 10, 1991    Volume 3 : Issue 40

Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)

CONTENTS, #3.40 ( November 10, 1991)
File 1: Rhetoric and CuD
File 2: Re: Comments on J Thomas's Ingraham post in CuD #3.38
File 3: Response to Ingraham Criticisms
File 4: Draft of BBS warnings to Law Enforcement Agents
File 5: CU Bibliography Update
File 6: Senate Bill 516 : Electronic Privacy in the Workplace
File 7: Letter from Prison (part 2 of 2)
File 8: "Password violations helped Hill hacker"

Issues of CuD can be found in the Usenet alt.society.cu-digest news group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM, on Genie, on the PC-EXEC BBS at (414) 789-4210, and by anonymous ftp from ftp.cs.widener.edu (147.31.254.20), chsun1.spc.uchicago.edu, and dagon.acc.stolaf.edu. To use the U. of Chicago email server, send mail with the subject "help" (without the quotes) to archive-server@chsun1.spc.uchicago.edu.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.
----------------------------------------------------------------------

From: Mike Godwin
Subject: File 1-- Rhetoric and CuD
Date: Thu, 7 Nov 91 9:39:58 EST

I notice (in CuD 3.38) that you call those who work with Don Ingraham "brownshirts" and compare him to Gacy and Dahmer.

I think you are correct to be critical of Ingraham's comments about Neidorf. But I'm concerned with the degradation of discourse that comparisons to "brownshirts" and to mass murderers will cause.

When you invoke Gacy, or Dahmer, or genocidal fascists, you trivialize the deaths they caused. You turn their real deaths into metaphorical fodder for your own angry postings. Such metaphors suggest, whether you mean to or not, that you have no sense of the actual horror caused by those people. It cheapens this horror to convert it into an insult.

I know what your motive was--to express your sense of the viciousness of Ingraham's comments--but that doesn't excuse it. The people who were killed by Dahmer and Gacy didn't die to provide us with a handy metaphor.

------------------------------

Date: Thu, 7 Nov 91 14:49 GMT
From: "Thomas J. Klotzbach" <0003751365@MCIMAIL.COM>
Subject: File 2-- Re: Comments on J Thomas's Ingraham post in CuD #3.38

Before I start, I just want to say that I think that the CuD is a first-rate publication. Thanks for making it available.

That said, I was shocked by your article about how Craig Neidorf was "massacred" by Don Ingraham on the September 30, 1991 "Geraldo" show. I'm sure that the people in law enforcement agencies that subscribe to the CuD were real impressed with your outbursts.

What does Craig Neidorf having yet to receive an apology from various people have to do with squat? Do you think you will ever get an apology? Why does it matter? The fact is it does not matter. The incidents surrounding Craig are well engraved in the minds of people following his situation (i.e. the government gaffed).
Your dribble about no apology being rendered just detracts from the constant, ongoing battle that the "Computer Underground" must fight everyday for respect and understanding by constant, consistent, and structured means.

I am equally shocked that Craig Neidorf was expecting a "legitimate discussion" with Don Ingraham and equally shocked that you expected that also. Are you both ignorant of what media shows like Geraldo do? They use shock media as a tool to get the attention of the viewing audience that is flipping through channels after a day of work. No matter what the staff of the show said, Neidorf should have been prepared for a rough, nasty discussion that would digress from the real issues at hand. It would have been Craig's job to help steer the discussion back on to HIS track. But you and Craig (and I gather many people) feel that Craig was bushwhacked. More dribble. He was hurt because he failed to adequately control the agenda (and before you start to whine about he could not control the agenda, look at any Pro-Life/Pro-choice debate on one of these shows - they are real pro's).

Your other comments gave credibility to the "Computer Underground" as well:

   "...when Ingraham and his brownshirts try to grab suspects equipment..."

   "...he (Geraldo) might have toyed with Ingrahams' hyperbolic analogy to rape by alluding to a few other examples of older men who've done hatchet jobs on young males. Like John Gacy and Jeffrey Dahmer. They, too, felt no need to apologize to their victims."

My, those statements really are thought provoking aren't they?

You and all the rest of us have to fight and fight hard to maintain credibility. We don't do any favors for the "cause" when we cry foul and start to spew commentary in the CuD that makes us look like spoiled children. We need to work smart, not work hard!
We need to stop tilting at windmills and start learning what makes the windmill work so that we can change the way it works or change the direction the wind blows (if at all). No, it may not be fair and it may not be easy, but it is reality.

------------------------------

Date: 9 Nov 91 11:29:54 CDT
From: Jim Thomas
Subject: File 3-- Response to Ingraham Criticisms

The above criticisms of the language of my commentary about prosecutor Don Ingraham's treatment of Craig Neidorf on Geraldo's "Mad Hacker" segment of _Now it can be Told_ have merit, and I am not in total disagreement. Each of the above posts raises several issues that deserve a response.

Both posts suggest that excessive rhetoric reduces the effectiveness of criticism of law enforcement agents by de-valuing the currency of language and subverting the credibility of those attempting to assure that rights in cyberspace are given the same Constitutional protections as in other realms of social life. Both posters, while supporting the principle of civil liberties, remind us that not all sympathizers share the same tactics, perspective, or rhetoric of others working toward the same goal. This raises a number of issues, but I'll address only a few.

First is the goal of CuD. We estimate the combined readership of CuD (including the mailing list, Usenet, and BBS downloads) to range between 16,000-20,000. The readership is diverse, and we try to tailor articles to an ambiguous happy medium. As with all co-edited outlets, the two CuD co-editors are not always in total accord on acceptable levels of stridency. Therefore, articles that are personal opinions are written under our own names (rather than "moderators") and posted from our private e-mail addresses. As Tom argued above, there is a danger that some might see the post of a single individual as shared by *all* readers.
This would obviously be a gross error, and it is crucial that those who disagree recognize that they have the obligation to respond, as the above posters have done.

Second, if the above critics were uncomfortable with my language, it is safe to assume that others were also disturbed. This raises the issue of readers' responses. Sometimes readers may not respond because they are leery of becoming the targets of flames or because they think others will respond. Sometimes readers are simply not sure what to say. As a forum for debate, we *strongly* encourage readers to be as critical of CuD's position and posts as they feel appropriate. Except in the most unusual of situations (such as this one), we do not respond, but simply print the posts. Even if readers respond with only a one-line comment, it provides an idea of where people stand on an issue and helps us direct our attention to readers' interests and concerns. We cannot print all the comments we receive, and we prefer longer, well-reasoned responses for publication. But, we commonly print shorter posts, especially when they summarize others' concerns.

Both co-editors see CuD as a means of raising issues, provoking when necessary, and trying to deliver the same message in several different ways. Sometimes this takes the form of fairly reasoned commentary. At other times, the message may reflect the tenor of the tone created by the target. In this case, the language reflected the tone sent by Don Ingraham. The use of dramatic terrorist imagery and Ingraham's invocation of the metaphor of rape in alluding to computer intruders, coupled with Geraldo's sensationalistic style, triggered the metaphors I used in my post. I did not seek them; they were created by the show's participants and handed to me. I fully agree that the language was strident.
However, strident language-in-kind strikes me as occasionally appropriate to dramatize the images and inaccuracies created by--in this case--a nationally known prosecutor who appears unaccountable for his own excesses. Sometimes diplomatic discourse seems ineffective, and other than short posts criticizing the Geraldo show, we have seen no extended commentary that could be published. So, I filled what I perceived to be a void.

Communication needn't be a solemn affair. Occasional violation of the norms of good-taste can be a fully legitimate form of response to illustrate the base level of discourse in which solemn ideas are discussed. Sometimes hyperbole is the best way of saying serious things, as long as hyperbole isn't the norm.

Do I agree with the posts of Mike and Tom? Yes. Do I still justify my original post? I am reminded of the response by French philosopher Albert Camus when asked how, as a pacifist, he could justify violence against Nazi Invaders: "I do not justify it. It is simply necessary."

------------------------------

From: hkhenson@CUP.PORTAL.COM
Subject: File 4-- Draft of BBS warnings to Law Enforcement Agents
Date: Mon, 28 Oct 91 10:26:22 PST

((Moderators' note: Keith Henson sent the following draft over for comments. The intent of such notes is as much symbolic as instrumental, and is targeted especially at local enforcement agents who may be unaware of existing laws. Any comments for revision can be sent directly to Keith or back to CuD)).

In a recent conversation with a person who has a lot of erotic GIF on his bbs, I came up with a few legal stumbling blocks to make the cops think twice before they break in and bust up his bbs. Modify the numbers as appropriate to fit your bbs if you want to use this.

In addition, you might want to get signed agreements in advance from your users. Such agreements might assign a portion of their minimum awards to you to compensate for the hassle, lost time, and busted up equipment you can expect in a raid.
Whatever agreement terms you come up with should be reviewed by a lawyer. You might require users to keep a minimum amount of stored email just to invoke the Electronic Communication Privacy Act (ECPA).

Unlike a booby trap, this one should be clearly marked, at least with a pointer into this file from the logon screen:

++++ cut here ++++

NOTICE TO LAW ENFORCEMENT AGENTS:

The owners and users of this system are exercising First Amendment rights.

Some material on this system is in preparation for public dissemination and is "work product material" protected under USC 42, Section 2000aa. Note that this is a civil statute. Violation of this statute by law enforcement agents is very likely to result in a civil suit. Each and every person who has "work product material" stored on this system is entitled to recover at least minimum damages of $1000 *plus all legal expenses.* Agents may not be protected from personal civil liability if they violate this statute.

In addition, there is email, i.e., "stored electronic communications" which has been in storage less than 180 days on this system. Such stored electronic communications are protected from seizure or even "preventing authorized access" without a warrant specific to each person's email. Again, this is protected under civil action in USC 18, 2704. On this system you can expect up to xxxx people to have stored email. Each of them is entitled to collect $1000 *plus all legal expenses* for violations. While the agency you work for *might* pay your legal fees and judgements against you, why take chances? If you feel the need to go after email, or take actions which would deny email access to our users, get appropriate warrants.

It is the policy of the sysop(s) of this system to cooperate with law enforcement agents--though we will not be involved in entrapments. Please bring it to my (our) attention if you discover illegal activities on this board.
**(End of Keith Henson's post)

((Moderators' note: PC-Exec in Milwaukee has an X-rated GIF section, and sysop Bob Mahoney has resolved the access problem with the following post received when one attempts to access the section prior to registering)):

        C O L L E C T I O N   S E L E C T I O N
              >>Full Access Paid Caller<<

OK?  Collection Description
---  ---------------------------------------------------------
DUC  Mahoney MS-DOS Collection
D    !FREE TO ALL CALLERS- LISTS OF FILES FOR DOWNLOAD!
D    !FREE TO ALL CALLERS- UTILITIES AND VARIETY!
D    PC-SIG California Collection
DUC  MS Windows
DUC  OS/2
DU   UNIX / XENIX
DUC  Adult Pictures & Files, rated PG or higher
DUC  Picture files (.GIF .MAC .PIC, etc.)
D C  Apple Copyright Software
DUC  Macintosh Collection
DUC  Amiga Collection
DUC  Atari ST Collection
DUC  CoCo RSDOS & OS9 Collection
D    Chat System File
H

Selected: Adult Pictures & Files, rated PG or higher

>> This file collection contains 6,144 great files at this time!
>> Sorry, this collection requires you to fill out a permission form.
>> Please go to subscribe menu and select 'Adult' option.
>> If you prefer to NOT have this collection show up as an option,
>> please go to TOP:ENVIRONMENT menu and turn off ADULT options.

We can appreciate your frustration with the new release form required for access to the Adult file collection here. We hate paperwork too, but after discussing it with our attorney, this is the only way we can *legally* offer adult pictures & files on this system. So if we are to stay in business to serve you long into the future, we must obey the law.
((End of PC-Exec warning))

------------------------------

Date: 9 Nov 91 11:29:54 CDT
From: Moderators
Subject: File 5-- CU Bibliography Update

Gene Spafford, Dave Appel, Ben Discoe, Jerry Carlin and a few others suggested that the following be added to the CU bibliography:

The January 1992 issue of "Journal of Systems and Software:" It is a special issue devoted to ethics and computing, including break-ins and property.

"The Shockwave Rider" by John Brunner, 1975, published by Ballantine Books, the first novel that dealt with "hacking" and computer worms (This was left off the original list). Other science fiction works by John Brunner are "Stand on Zanzibar", 1968, and "The Sheep Look Up" in 1972.

One reader wrote: " I'm upset that the Books for Fun Reading list recently appearing in this group totally forget Rudy Rucker, a grand originator of much of the FUN side of tech and now an established cyber persona."

Another reader suggested that True Names by Vernor Vinge (sp?) is archetypical and should be included.

There are others, and when you come across a title, send it over. If it's a new book, feel free to write a short (50-200 line) review.

------------------------------

Date: 9 Nov 91 11:29:54 CDT
From: Moderators
Subject: File 6-- Senate Bill 516 -- Electronic Privacy in the Workplace

Senator Paul Simon (Dem, Ill) introduced Senate Bill 516 intended to curtail abuses of covert electronic monitoring in the workplace by requiring employers to notify employees of the existence, extent, and uses of surveillance and the information obtained. Contrary to rumors, the Bill *DOES NOT* prohibit electronic monitoring of employees. It simply extends principles of privacy into a domain where the dangers of covert intrusion are becoming increasingly sophisticated.
Criticisms against the bill include:

a) The government has no place in legislating what employees may or may not do in the workplace;

b) The Bill would appear to cover a broad range of potential mechanisms of surveillance not originally intended (such as Unix commands that allow monitoring of account use or telephone systems that record the number of calls to specific individuals)

As one commentator observed, there are also problems of scope. For example, section (b)(2) doesn't mention civil "prosecutions". If a criminal investigation is resolved through civil charges, is it still a criminal investigation? Deciding civil liability, as in cases of seizure and forfeiture without criminal prosecution, seems to leave a gap in the existing language. Section (b)(3) seems to cover the exceptions to the second and provide a glaring exception that can readily be circumvented.

In the main, the Bill is the right step toward recognizing the dangers of the abuse of technology to intrude into privacy. However, the language of the Bill needs clarification of the ambiguous language of scope and redress.

If there is sufficient response from readers, we will devote a special issue to readers' comments and forward them to Senator Simon's office. The Bill has been sent to committee, so there is time to communicate concerns.

+++ S 516 follows +++

102d CONGRESS
1st SESSION

S. 516

To prevent potential abuses of electronic monitoring in the workplace.

______________________________

IN THE SENATE OF THE UNITED STATES

February 27 (Legislative day, February 6) 1991

Mr. Simon introduced the following bill; which was read twice and referred to the Committee on Labor and Human Resources

______________________________

A BILL

To prevent potential abuses of electronic monitoring in the workplace the United States of American assembled,_

SECTION 1. SHORT TITLE.

This Act may be cited as the "Privacy for Consumers and Workers Act".

SEC. 2. DEFINITIONS.
As used in this Act--

(1) the term "electronic monitoring" means the collection, storage, analysis, and reporting of information concerning an employee's activities by means of a computer, electronic observation and supervision, remote telephone surveillance telephone call accounting, or other form of visual, auditory, or computer-based surveillance conducted by any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic, or photo-optical system;

(2) the term "employee" means any current or former employee of an employer;

(3) the term "employer" means any person who employs employees, and includes any individual, corporation, partnership, labor organization, unincorporated association, or any other legal business, the Federal Government, any State (or political subdivision thereof), and any agent of the employer.

(4) the term "personal data" means any information concerning an employee which, because of name, identifying number, mark, or description, can be readily associated with a particular individual, and such term includes information contained in printouts, forms, or written analyses or evaluations;

(5) the term "prospective employee" means an individual who has applied for a position of employment with an employer and

(6) the term "Secretary" means the Secretary of Labor.

SEC. 3. NOTICE

(a) IN GENERAL.--Each employer who engages in electronic monitoring shall provide each affected employee with prior written notice describing the following regarding the electronic monitoring directly affecting the employee:

(1) The forms of electronic monitoring used.

(2) The personal data to be collected.

(3) The frequency of each form of electronic monitoring which will occur.

(4) The use of personal data collected.

(5) Interpretation of printouts of statistics or other records of information collected through electronic monitoring.
(6) Existing production standards and work performance expectations.

(7) Methods for determining production standards and work performance expectations based on electronic monitoring statistics.

(b) NOTICE CONCERNING EXISTING FORMS OF ELECTRONIC MONITORING.--(1) Each employer shall notify a prospective employee at any personal interview or meeting of existing forms of electronic monitoring which may directly affect the prospective employee if such employee is hired by the employer.

(2) Each employer, upon request by a prospective employee, shall provide the prospective employee with the written notice described in subsection (a) regarding existing forms of electronic monitoring which may directly affect the prospective employee if such employee is hired by the employer.

(3) Each employer who engages in electronic monitoring shall provide the affected employee with a signal light, beeping tone, verbal notification, or other form of visual or aural notice, at periodic intervals, that indicates that electronic monitoring is taking place. If the electronic monitoring is conducted on a continuous basis during each of the employee's shifts, such notice need not be provided at periodic intervals.

(4) An employer who engages in telephone service observation shall provide the affected customer with a signal light, beeping tone, verbal notification, or other form of visual or aural notice, at periodic intervals, indicating that the telephone service observation is taking place.

(c) NOTICE TO CURRENTLY AFFECTED EMPLOYEES.--Notwithstanding subsection (a), an employer who is engaged in electronic monitoring on the effective date of this Act shall have 90 days after such date to provide each affected employee with the required written notice.

SEC. 4. ACCESS TO RECORDS.

Each employer shall permit an employee (or the employee's authorized agent) to have access to all personal data obtained by electronic monitoring of the employee's work.

SEC. 5. PRIVACY PROTECTIONS.
(a) RELEVANCY REQUIRED.--An Employer shall not collect personal data on an employee through electronic monitoring which is not relevant to the employee's work performance.

(b) DISCLOSURE LIMITED.--An employer shall not disclose personal data obtained by electronic monitoring to any person or business entity except to (or with the prior written consent of) the individual employee to whom the data pertains, unless the disclosure would be--

(1) to officers and employees of the employer who have a legitimate need for information in the performance of their duties;

(2) to a law enforcement agency in connection with a criminal investigation or prosecution; or

(3) pursuant to the order of a court of competent jurisdiction.

SEC. 6. USE OF DATA COLLECTED BY ELECTRONIC MONITORING.

(a) DATA MAY NOT BE USED AS A SOLE BASIS FOR EVALUATION.--An employer shall not use personal data obtained by electronic monitoring as the exclusive basis for individual employee performance evaluation or disciplinary action, unless the employee is provided with an opportunity to review the personal data within a reasonable time after such data is obtained.

(b) DATA MAY NOT BE USED AS SOLE BASIS FOR PRODUCTION QUOTAS.--An employer shall not use personal data or collective data obtained by electronic monitoring data as the sole basis for setting production quotas or work performance expectations.

(c) DATA MAY NOT DISCLOSE EMPLOYEE'S EXERCISE OF CONSTITUTIONAL RIGHTS.--An employer shall not maintain, collect, use, or disseminate personal data obtained by electronic monitoring which describes how an employee exercises rights guaranteed by the First Amendment unless such use is expressly authorized by statute or by the employee to whom the data relates or unless pertinent to and within the scope of, an authorized law enforcement activity.
SEC. 7. ENFORCEMENT PROVISIONS.--(1) Subject to paragraph (2), any employer who violates any provision of this Act may be assessed a civil penalty of not more than $10,000.

(2) In determining the amount of any penalty under paragraph (1), the Secretary shall take into account the previous record of the person in terms of compliance with this Act and the gravity of the violation.

(3) Any civil penalty assessed under this subsection shall be collected in the same manner as is required by subsections (b) through (e) of section 503 of the Migrant and Seasonal Agricultural Worker Protection Act (29 U.S.C. 1853) with respect to civil penalties assessed under subsection (a) of such section.

(b) INJUNCTIVE ACTIONS BY THE SECRETARY.--The Secretary may bring an action under this section to restrain violations of this Act. The Solicitor of Labor may appear for and represent the Secretary in any litigation brought under this Act. In any action brought under this section, the district courts of the United States shall have jurisdiction, for cause shown, to issue temporary or permanent restraining orders and injunctions to require compliance with this Act, including such legal or equitable relief incident thereto as may be appropriate, including employment, reinstatement, promotion, and the payment of lost wages and benefits.

(c) PRIVATE CIVIL ACTIONS.--(1) An employer who violates this Act shall be liable to the employee or prospective employee affected by such violation. Such employer shall be liable for such legal or equitable relief as may be appropriate, including employment, reinstatement, promotion, and the payment of lost wages and benefits.
(2) An action to recover the liability prescribed in paragraph (1) may be maintained against the employer in any Federal or State court of competent jurisdiction by an employee or prospective employee for or on behalf of such employee, prospective employee, and for other employees or prospective employees similarly situated. No such action may be commenced more than 3 years after the date of the alleged violation.

(3) The court, in its discretion, may allow the prevailing (other than the United States) reasonable costs, including attorney's fees.

(d) WAIVER OF RIGHTS PROHIBITED.--The rights and procedures provided by this Act may not be waived by contract or otherwise, unless such a waiver is part of a written settlement agreed to and signed by the parties to the pending action or complaint under this Act.

SEC. 8. REGULATIONS.

The Secretary shall, within 6 months after the date of the enactment of this Act, issue rules and regulations to carry out the provisions of this Act.

SEC. 8. INAPPLICABLE AGENCIES.

This Act shall not apply to electronic monitoring administered by law enforcement agencies as may otherwise be permitted in criminal investigations.

-- end S516 --

------------------------------

Date: 9 Nov 91 11:29:54 CDT
From: Len Rose
Subject: File 7-- Letter from Prison (part 2 of 2)

Following is the second of the two-part letter by Len Rose. It reinforces our own view that there is no such place as an "easy time" prison. Len is no different than many other first-time, non-violent offenders: Loneliness and emotional deprivation border on "cruel and unusual punishment." It is not the loss of freedom, but the disruption of family and consequences of incarceration on the innocent that make prisons especially hard for offenders.

Those wishing a chronology and background of Len's case can obtain it from the Len Rose file in the CuD ftp archives at widener or uchicago.
Sheldon Zenner, Len's former attorney, has agreed to serve as a conduit for funds to help Len's family. Checks or money orders (*NO CASH*) should be made out to:

     Sheldon T. Zenner
     RE: Len Rose
     Katten, Muchin, and Zavis
     525 West Monroe Street (Suite 1600)
     Chicago, IL 60606-3693

BE SURE TO PUT LEN'S NAME ON THE CHECK AND AN INDICATION IN THE MEMO SECTION THAT IT'S FOR LEN ROSE so it may be directed properly.

Len's address for those who've missed it:

     Len Rose (27154-037)
     FPC Seymour Johnson AFB
     Caller Box 8004 PMB 187
     Goldsboro, NC 27531-8004

He would appreciate a letter or post card.

+++ Len's letter follows +++

I am desperate for my family. My wife has run out of money, and she is on her own. Normally, this wouldn't be that serious, but she is handicapped by lack of English skills, and no marketable job skills. She has two small children to care for, ages six and three, and can't afford day care/baby sitters if she did obtain minimum wage employment.

I was able to raise $5,000 from the sale of some of the equipment that was kindly returned to me by the Secret Service. It was not enough. She receives some public assistance, but it isn't enough to sustain them. I understand that she is on a waiting list for subsidy for public housing, but was also told there is a two-year backlog.

Since we cannot conduct a useful correspondence via written medium, and cannot afford to telephone, we are virtually cut-off from each other. The phone bill has not been paid, and it looks like that will soon be cut off (We are only allowed to make collect calls here).

My wife has bravely survived for four months, and I feel very lucky to be married to her. She has endured so much these last two years. I am proud of her.

They are the ones who are really being punished. I am quite capable of serving my 10 and a half month sentence. It is mental hell, but I can handle it. They however, may not.
If I could be released to home detention or perhaps a halfway house, I could return to the work force and support them.

I can only wonder at the logic behind my sentence, but at this point I am no longer bitter. I am in stasis. I cannot and will not allow myself to think of what was or might have been. To indulge in such opens the door to thoughts which are at this point self-destructive.

I have learned that when survival is pitted against pride, instincts take over. I have become (I hope) a model prisoner. I work hard. I do what I am told, and smile. I am pleasant and respectful.

I have only one desire. I must be free. My family's survival--my children--depend on me. Things look very bleak now. I have put my faith in God that I can get out before they are on the street, are taken away and placed in foster care.

I have received so much help from various people. They know who they are. More thanks are not enough, and if I am ever fortunate enough to be a success again, they will be repaid.

Right now, it looks like my family doesn't stand much of a chance. If I can be released in time, I can save them from a very harsh fate.

Prison has enlightened me in several ways. Loneliness--I never dreamt that it had such depths. I am never alone here, yet I am extremely lonely for my wife, Sun. After 11 years (soon to be 12!) of marriage, she has become part of me. I don't feel whole.

It's also bizarre how much I came to depend on my children. My three year old daughter warmed my heart like nothing else could. My son, six years old, had finally grown to the point where he had become a friend. I could spend hours with him just talking. Being separated from them has been the worst punishment.

I think that is the key to being in prison: It is not the conditions or physical confinement. Being cut off from loved ones is terrible. Especially when they need you. My wife is serving my prison sentence. My children are also. Me? I am fine, I suppose.
If I were single, I could stay here and eventually cope. I have all my needs provided for. I don't have to worry about next month's rent, or food, or having the electricity cut off in the middle of winter. My wife does.

My loneliness for my wife is the harshest part of my imprisonment. Since we cannot write each other (as in meaningful communication), it's been sheer torture for me, and I'm sure for her as well.

Before you accuse me of complaining, I'd like to say that I accept what has happened to me. I have learned to live with my fate. It took a long time for that, believe me. At this point in my life, I only wish to return to my family. I'd like to resume a normal life and hopefully earn a decent living. Perhaps, in time, I can heal my family's wounds.

I am very proud of my wife. She has been the source of my resolve. Her loyalty and her strength have kept me going. She has seen her world crumble, and she still keeps a brave face on life. I pray for them every night and also pray for my release.

Some people have told me that prison will force you to learn more about yourself. I have learned a great deal. I know that I have discovered that I really do love my wife. I took so many things for granted before.

Len

------------------------------

Date: 23 Oct 91 19:08:41 EDT
From: Gordon Meyer <72307.1502@COMPUSERVE.COM>
Subject: File 8-- "Password violations helped Hill hacker"

"Password violations helped Hill hacker"
Ogden Standard-Examiner
Wednesday, Oct 9, 1991
Page 3C (Utah/Local)

SALT LAKE CITY (AP) - A military auditor had little difficulty breaking into restricted Hill Air Force Base computer files and using them to leapfrog into other Air Force computers in Texas, Georgia and Ohio, according to an Air Force Audit Agency report.

The auditor's secret to access was taking advantage of procedural violations, the audit said. When prompted for a password by the Hill computer, he typed the first or last name of people who worked on the computers.
Under Air Force regulation, names are not supposed to be used for such passwords.

In a copyright story Tuesday, the Deseret News [of Salt Lake City, Utah] reported that the agency also said inspection of computers at Hill showed some people had installed "pirated" software programs illegally, and others improperly used commercial programs that had not been inspected for possible computer viruses that could destroy important files.

The auditor decided to test computer security at Hill's Ogden Air Logistics Center - one of five centers that order supplies for the Air Force - by obtaining a list of people who worked on computers there and trying to gain access using their names.

"Systems-user-created passwords related to the personal identity in three of four systems reviewed, enabling the auditor to make unauthorized entries into 13 (total) systems," he wrote.

One of the passwords he discovered was for a systems programmer, which gave the auditor access to virtually every file in that system. It also allowed him to compromise "almost all" of the passwords there - some of which were good on other systems, too, the report said.

With that, he said he was able to raid restricted systems around Hill that contained information on contracts, orders, material needs and electronic mail for base personnel.

"Potential existed (for) ... manipulation or destruction of sensitive data," he wrote.

The auditor noted all users have since been instructed about proper selection of passwords, and new software has been installed in some systems to automatically stop use of names.

Hill spokesman Len Barry added that new systems require use of both numbers and letters for passwords. Further, programs do not allow the same password to be used in more than one system.

------------------------------

End of Computer Underground Digest #3.40
************************************
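
The three controls reported in File 8 (no staff names as passwords, both letters and numbers required, no password shared between systems) can be enforced at the moment a password is set. The following is an added example, not part of the digest or of any Air Force software; the function names, the PBKDF2 parameters, the roster and the system names are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for this example


def make_verifier(password, salt=None):
    """Return (salt, digest) as a system would store it instead of the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_verifier(password, verifier):
    """Constant-time check of a candidate password against a stored verifier."""
    salt, digest = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def name_tokens(roster):
    """First names, last names and their concatenations for everyone on the roster.

    The audit guessed names of *any* person working on the computers, so the
    whole staff list is used, not only the name of the account owner.
    """
    tokens = set()
    for full_name in roster:
        parts = [p.lower() for p in re.split(r"[^A-Za-z]+", full_name) if len(p) >= 3]
        tokens.update(parts)
        if len(parts) >= 2:
            tokens.add("".join(parts))
            tokens.add("".join(reversed(parts)))
    return tokens


def alphabetic_core(password):
    """Lower-case the password and drop digits and punctuation ('Smith-91' -> 'smith')."""
    return re.sub(r"[^a-z]", "", password.lower())


def check_password(password, roster, other_system_verifiers):
    """Return a list of policy problems; an empty list means the password is accepted.

    other_system_verifiers maps a system name to the (salt, digest) this same
    user already has there, so reuse is detected without storing plaintext.
    """
    problems = []
    core = alphabetic_core(password)
    tokens = name_tokens(roster)
    if core and (core in tokens or core[::-1] in tokens):
        problems.append("name-based")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("needs-letters-and-digits")
    for system, verifier in sorted(other_system_verifiers.items()):
        if matches_verifier(password, verifier):
            problems.append("reused-on:" + system)
    return problems


# Constructed sample data (not from the audit report).
ROSTER = ["Pat Example", "Lee Sample"]

if __name__ == "__main__":
    existing = {"supply-a": make_verifier("tr4ctor-beam")}
    for candidate in ["Example", "example91", "elpmaxe7", "tr4ctor-beam", "quiet7harbor"]:
        print(candidate, "->", check_password(candidate, ROSTER, existing) or "accepted")
```

The reuse check only works where the password-setting service can read the user's verifiers from the other systems; that central access is itself an assumption of this sketch.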