Received: by lemuria.sai.com (/\==/\ Smail3.1.21.1 #21.11) id ; Thu, 21 Jan 93 08:04 EST Received: from uicvm.uic.edu by mv.MV.COM (5.65/1.35) id AA29813; Thu, 21 Jan 93 07:30:35 -0500 Message-Id: <9301211230.AA29813@mv.MV.COM> Received: from NIU.BITNET by UICVM.UIC.EDU (IBM VM SMTP V2R1) with BSMTP id 8383; Thu, 21 Jan 93 06:34:20 CST Date: Thu, 21 Jan 93 02:30 CST To: TK0JUT1@NIU.BITNET From: Cu-Digest (tk0jut2@mvs.cso.niu.edu) Subject: Cu Digest, #5.05 Computer underground Digest Wed Jan 20, 1993 Volume 5 : Issue 05 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Coyp Editor: Etaion Shrdlu, Junior CONTENTS, #5.05 (Jan 20, 1993) File 1--Balancing Computer Crime Statutes and Freedom File 2--Encryption issues File 3--Response to Mark Carter in CuD #5.02 and #5.03 File 4--Released GSA Docs Slam FBI Wiretap Proposal File 5--Attempted Mindvox Break-in File 6--Keyboarding Explosive Data for Homemade Bombs Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; in Europe from the ComNet in Luxembourg BBS (++352) 466893; and using anonymous FTP on the Internet from ftp.eff.org (192.88.144.4) in /pub/cud, red.css.itd.umich.edu (141.211.182.91) in /cud, halcyon.com (192.135.191.2) in /pub/mirror/cud, and ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD. European readers can access the ftp site at: nic.funet.fi pub/doc/cud. Back issues also may be obtained from the mail server at mailserv@batpad.lgb.ca.us. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: 22 Dec 92 15:31:52 EST From: Ken Citarella <70700.3504@COMPUSERVE.COM> Subject: File 1--Balancing Computer Crime Statutes and Freedom Computer Crime, Computer Security and Human Values - The Prosecutor's Perspective - Kenneth C. Citarella Assistant District Attorney, Westchester County copyright 1991 I am a prosecutor. I specialize in white collar crime, and more particularly in computer crime and telecommunication fraud. My professional interest regarding computer crime, computer security, and the human values involved with them comes from that perspective. I study motive, intent, criminal demographics, software security and other topics to help me identify, investigate, and prosecute a criminal. A crime is an act prohibited by law. Criminal statutes define acts deemed so inimical to the public that they warrant the application of the police power of the state. Computer crimes only exist because the legislature has determined that computers and what they contain are important enough, like your house, money and life, that certain acts directed against them merit the application of that power. A curious distinction arises with regard to computers, however. Your house can be burglarized even if you leave the door open. If you drop your money on the street, a finder who keeps it may still be a thief. The foolish trust you place in an investment swindler does not absolve him of guilt for his larceny. Yet much of the discussion on what constitutes computer crime, and even the computer crime statutes of many states, place a responsibility on the computer owner to secure the system. Indeed, in New York State, unless an unauthorized user is clearly put on notice that he is not wanted in the system, the penetrated system falls outside the protection of several of the computer crime statutes. The intrusion, no matter how unwanted by the system owner, has actually been legitimized by the legislature. Since I participated in the writing of the New York computer crime statutes, I can attest to the desire of legislative counsel to force the computer owner to declare his system off limits. So the societal debate over how much protection to afford computers has very practical consequences in the criminal arena. Commentators frequently address with much anguish whether computer intruders are truly to be blamed for breaking into a computer system. They treat such people as a new phenomenon for whom new rules must be established. ("Hacking" and "hackers" are terms that have become so romanticized and distorted from their original context, that I refuse to use them; they simply do not describe the behavior which is of interest.) I suggest, to the contrary, that examining the victim impact of computer intrusions provides a more meaningful analysis. Consider some examples of the facts typically presented to law enforcement. A computer intruder penetrates the system of a telecommunications carrier and accesses valid customer access codes. She distributes these codes to a bulletin board host who posts them for the use of his readership. Within 48 hours, the numbers are being used throughout the United States. The carrier experiences $50,000.00 in fraudulent calls before the next billing cycle alerts the customers to the misuse of their numbers. Or, they could be credit card numbers taken from a bank and used for hundreds of thousands of dollars of larcenous purchases. Or, it could be experimental software stolen from a developer who now faces ruin. Stories like these have something in common with all criminal activity, computer based or not. The criminal obtains that which is not his, violating one of the lessons we all should have learned in childhood. The computer intruder ignores that lesson and substitutes a separate moral imperative: I can, therefore, I may; or, might makes right. The arguments about exposing system weaknesses, or encouraging the development of youthful computer experts, amount to little more than endorsing these behavioral norms. These norms, of course, we reject in all other aspects of society. The majority may not suppress the minority just because they have the numbers to do so. The mob cannot operate a protection racket just because it has the muscle to do so. The healthy young man may not remove an infirm one from a train seat just because he can. Instead, we have laws against discrimination, police to fight organized crime, and seats reserved for the handicapped. I suspect that part of our reluctance to classify many computer intrusions as crimes arises from a reluctance to recognize that some of our bright youths are engaging in behavior which in a non-computer environment we would unhesitatingly punish as criminal. The fact they are almost uniformly the white, middle class, and articulate offspring of white middle class parents makes us less ready to see them as criminals. Although there are questions to be resolved about computer crime, we are sadly mistaken to focus on what may be different about computer crime, to the exclusion of what it has in common with all other criminal conduct. Refer back to the simple scenarios outlined above. The computer intruder may have all the attributes some commentators find so endearing: curiosity, skill, determination, etc. The victims have only financial losses, an enormous diversion of resources to identify and resolve the misdeeds, and a lasting sense of having been violated. They are just like the victims of any other crime. Of course, there are computer intruders who take nothing from a penetrated system. They break security, peruse a system, perhaps leaving a mystery for the sysop to puzzle over. Would any computer intruder be as pleased to have a physical intruder enter his or her house, and rearrange their belongings as he toured the residence? The distinctions on the intruders' part are basically physical ones: location, movement, physical contact, manner of penetration, for example. The victims' perspectives are more similar: privacy and security violated, unrest regarding future intrusions, and a feeling of outrage. Just as a person can assume the law protects his physical possession of a computer, whether he secures it or not, why can he not assume the same for its contents? What after all is the intent of the intruder in each situation? To be where he should not be and alter the property that is there without the approval of its owner. Each case disregards approved behavior and flaunts the power to do so. Of course, computer intrusions have many levels of seriousness, just as other crimes do. A simple trespass onto property is not a burglary; an unauthorized access is not software vandalism. The consequences must fit the act. Prosecutors and police must exercise the same discretion and common sense with computer intruders they do regarding conventional criminals. No reasonable law enforcement official contends that every computer intrusion must be punished as a criminal act. Youth officers and family courts commonly address the same behavior in juveniles that other agencies address in adults. Sometimes a youth is warned, or his parents are advised about his behavior, and that is the best response. But to insist that some computer intrusions are to be legitimized, assumes that law enforcement lacks the common sense and discretion to sort out prosecutable incidents from those best handled less formally. If we choose not to trust the discretion and experience in our law enforcement authorities regarding computer crime, then how can we trust these same people to decide what drug trafficker to deal with to get someone worse, or to decide which child has been abused and which was properly disciplined. The point is that law enforcement makes far more critical decisions outside of the context of computer crime than within. The people involved are trained and have the experience to make those decisions. Yet much of the debate over computer crime assumes just the opposite. In my personal experience, prosecutorial discretion has worked just as well in computer crimes as it has regarding other criminal behavior. Some complaints result in a prosecution; some are investigated and no charges filed; some are not even entertained. Lastly, I should point out that frequently computer intruders are also involved in a variety of other crimes. Typically, credit card fraud and software piracy are in their repertoire. And, let us not forget that the telecommunication charges for all their long distance calls are being borne by the carrier or the corporate PBX they have compromised. With telecommunication fraud exceeding a billion dollars a year, the societal cost of tolerating these intruders is too large to be blindly accepted. If the challenge of penetrating a system you do not belong on is an essential way of developing computer skills, as some people contend, then let computer curricula include such tests on systems specifically designed for that. Surgeons develop their skills on cadavers, not the unsuspecting. Pilots use simulators. Why should computer specialists practice on someone else's property at someone else's expense? There are privacy and Fourth Amendment issues involved in computer crime. But they are the same issues involved in any other criminal investigation. The public debate is needed and cases must go to court as has always been the case with constitutional aspects of criminal law. Whenever law enforcement follows criminal activity into a new arena, problems arise. It is as true with computer crime as it was with rape and child abuse cases. The answers lie in understanding the common forest of all criminal behavior not in staring at the trees of computer crime. (Adapted from a paper presented at the National Conference on Computing and Values, Southern Connecticut State University, August 14, 1991) ------------------------------ Date: Sun, 13 Dec 92 22:38 EST From: "Michael E. Marotta" Subject: File 2--Encryption issues ENCRYPTION ISSUES FOR THE NET COMMUNITY by Michael E. Marotta, mercury@well.sf.ca.us, mercury@lcc.edu Your use of privacy tools for telecom is defined by three issues. (1) The Government wants to read all messages. (2) Some networks prohibit encrypted messages. (3) The weakest feature of a crytosystem is transporting the key. These issues are broad. For example, the "government" is more than Bill Clinton. Employers, spouses, parents and neighbors often display severe cases of "Govern Mentality." Also, networks include four-station LANs and the Internet itself. Needing to send encoded messages to the person at the next desk is unusual. (1) In 1976, the Department of Commerce issued requests for the Data Encryption Standard and Data Encryption Algorithm and the original entry from IBM was too hard for the NSA to crack. So, the current 64-bit system was adopted. Now the FBI wants telephone companies to make digital signals tappable. When the USA entered World War I, Woodrow Wilson (a liberal, a Democrat and former president of Princeton) ordered the seizure of all radio transmitters and receivers. Back in 1991, then-senator Albert Gore and the Bush White House worked to create the legislation enabling the National Research & Education Network. This multi-gigabyte superhighway will eventually link thousands of universities and hundreds of lesser networks. Starting in 1992, cable TV operators are liable for the content of "wayne's world" public-access programming. Prodigy and FidoNet are well-known for their heavy handed rules. Overall, if you want to send a secure message, you have to think through all of the ramifications of your actions. (2) Fidonet policy forbids encryption and allows the review of mail to ensure that the system is not being used for "illegal" purposes. FidoNet policies identify English as the "official" language and FidoNet moderators often forbid ANY message not in English. FidoNet policy severely defines "private netmail" pointing out (reasonably enough) that you never know who a message is passed to as it is routed. These restrictions are not limited to FidoNet. Universities, corporations, and government agencies have similar rules and there is no single standard. (3) The art of hiding a message is called "steganography." Back in 1978, I suggested using rock cassettes for TRS-80 data and ever since, the FBI seizes music when they arrest hackers. Sooner or later, though, you have to transmit the key. Ideally, you send the key in a different manner than the message. This is not perfect. Public keys eliminate the need for transporting the key. The RSA Crytosystem is the best known public key cipher. It is not known to be compromisable. (By contrast, the DES is known to have weaknesses.) RSA was developed by Drs. Ronald Rivest, Adi Shamir and Lenard Adleman when they were at MIT. Today, RSA Data Security, Inc., is at 100 Marine Parkway, Redwood City, CA 94066. The company has developed several commercial products for Apple Macintosh and other systems. This last development opens the door to widespread data security. As Apple and others deliver encryption with their operating systems, no rules or laws or policies can prevent the use of these tools. In fact, there is a form of data encypherment that is widely accepted -- even on Fidonet: compression. ARC, ZIP, PAK, LZH, SQZ, you name it, there are many ways to shrink a file and all them turn plaintext into gobbledegook. If you want to build your own encypherment -- I mean, compression -- algorithm, a quick literature search on Limpel-Ziv, Huffman, and Nyquist will point you in the right direction. There are books on the subject, also. Be aware that as a CIPHER, a compressor can be analyzed and deciphered. My favorite method for sending secrets is the "Richelieu Grid." You send a plaintext message and within this, by agreement, a running set of letters creates a secret message. Edgar Allen Poe's "Valentine" to St. Joan is a simple example. The question is, "From whom are you keeping your secrets?" The NSA? Forget it, unless you are the KGB. From your Mom? A=Z, B=Y, C=X will work just fine! * I am the author of THE CODE BOOK sold by Loompanics, P. O. Box 1197, Port Townsend, WA 98368. Their catalog costs $5. * ------------------------------ Date: Wed, 20 Jan 1993 02:34:41 -0500 (EST) From: Kenneth Werneburg Subject: File 3--Response to Mark Carter in CuD #5.02 and #5.03 Submitted by: Derek A. Borgford (s9546284@Sandcastle.cosc.BrockU.CA) Frederick J. Vanderzwaag (Fvanderz@Spartan.ac.BrockU.CA) Kenneth Werneburg (Johnston@Spartan.ac.BrockU.CA) RE: CuD #5.02 "Any one Who Owns a Scanner is a Hacker, or..." RE: CuD #5.03 File 9--Canadian Media and BBSes With all due respect to Mark Carter and his two submissions to CuD, we fail to see what new light he has shed on the articles that were published in the St. Catharines Standard. Although his article pointed out that the Standard's depiction of the BBS community in the Niagara Region was less than accurate, his pre-occupation with FidoNet boards in the area would seem to have clouded his judgement somewhat. His submission would indicate that FidoNet boards in the area are regarded as a higher class of BBS, and his comments concerning non-FidoNet BBSes indicate his own negative prejudice towards these independent boards. After reading Mark Carter's comments, we have found his remarks to be lacking in substance. We are also familiar with, and active in, the Niagara region BBS community; and currently run a local BBS called the Steam Tunnels BBS (FidoNet 1:247/133). Also, Kenneth Werneburg was the sysop of Alleycat's Emporium 'o' Toads BBS, as well as co-sysop of numerous boards in the Niagara area. We agree that the St. Catharines Standard's article was replete with misquotes, misinformation and misrepresentations, which would indicate their lack of understanding of the local BBS community as a whole. It seemed to indicate that the authors had their own agenda which focused on the dark side of BBSing, and failed to highlight any of the positive aspects, which boards in general offer to the community. What we fail to see is how Mark Carter's commentary on the subject has elucidated the topic, adding any response to the Standard's inadequate coverage which bordered on sensationalism. The primary focus of the article entitled "Limits Set On Access to Computer Porn: But Explicit Images, Stories Still Available" (by Paul Forsyth and Andrew Lundy, Standard Staff) centred on two interviews. One with Kenneth Werneburg, and the other with the co-sysop of a popular BBS in the Niagara region, called Interzone. Mark Carter cited Interzone as "hardly a good example of local boards," and yet it has a wide user list which would denote it as the second most popular board in the region. Ads posted around the region about Interzone boast 600 callers per week on three nodes, without the benefit of being connected to any of the local echomail networks. According to Mark Carter, Interzone's non-affiliation with FidoNet would indicate "that the message areas it has are basically filled with obscenities...," however, as users to this board will attest, frequent use of obscenities are not as prevalent he suggests. Moderators of the local FidoNet echoes have imposed restrictions on language used; because of the wide distribution throughout the region, and public nature of such echoes as the Niagara Chatter Echo. Some of the sysops in the area had expressed concern over younger users being exposed to offensive language in these public echoes and subsequently it was agreed that use of profanity would be limited to inference by substitution of asterixes, in place of certain letters. Interzone, because of the privacy maintained by not joining FidoNet, does not have the same constraints placed on it. Instead, both the sysop and co-sysop encourage a relaxed atmosphere which tends towards a homey, "Interzone family" feel. Most of the users enjoy a camaraderie in the message base which is primarily based on light hearted discussions, on a broad range of topics. Another inconsistency in Mark Carter's remarks, pertains to Interzone's alleged "commercial interests". According to Mark Carter "it (Interzone) is sponsored by a commercial interest, which pays the phone bills," however, we have found this to be inaccurate. Of the three nodes which comprise Interzone, only one of these nodes is sponsored by commercial interests, through a local CD store. Mark Carter is illustrating an uninformed viewpoint, which is factually inaccurate. His treatment of Alleycat's Emporium 'o' Toads also suffers from the same "factual inaccuracies and narrow-minded presentation" which typify Mark Carter's statements. He refers with condescension to a board which he himself knows of only through second hand information. Alleycat's Emporium 'o' Toads had a message base far outstripping any of the FidoNet boards that he so covets. The second article in the St. Catharines Standard was spawned from a letter to the editor, written by the co-sysop of this BBS. We fail to understand Mark Carter's implicated hierarchal delineation regarding the relative worth of BBSes in the Niagara region. He exemplifies an attitude which ranks FidoNet boards as superior, while denigrating all non-FidoNet BBSes. We would find that Mark Carter's comments regarding boards that are not affiliated with FidoNet represent a "narrow-minded" prejudice on his own behalf; due in part to his own pre-occupation and involvement in FidoNet. His articles maintain an attitude which is not indicative of the general BBSing community. Most of Mark Carter's comments would indicate that he has missed the point of the articles, and has obviously trivialized them. Contrary to his comments, FidoNet boards were also cited in the articles, although they remained un-named. One must question Mark Carter's motivation for writing these remarks, as it seems that his role in FidoNet is more weighty to him than any genuine concern over the issues. The primary issue dealt with by the Standard, is that of pornography and its accessability by minors. Although the Standard demonstrates that there is willingness on behalf of the regional sysops to place restrictions on the distribution of adult material, they couch this in a sensationalist criticism of local BBSes. Contrary to what Forsyth and Lundy maintain, sysops had been imposing restrictions long before these articles were written. Their articles would indicate that it was solely through their intervention that there were "limits set on access to computer porn." However, most of the sysops in the area have exercised common sense when granting access to users on their boards. In fact, not all boards in the area even carry adult material. Obviously the problem is not as severe as the Standard has portrayed. Had they seriously researched the boards in the area they would have found that pornography is not a primary feature. Although there is currently no legislation in Canada governing the distribution of pornographic material through this electronic medium, the writers in the Standard would indicate that there is a need for legal intervention. They seem to feel that most BBSes are best typified as distribution sites, where minors have access to pornographic material. Clearly, however, this is not the case. In comparison with other media, the amount of pornography distributed through bulletin boards is relatively minor. Any youth is capable of accessing this material through means far more readily available to them. In the main, when one logs on to a board in the Niagara region, one would find little difference between that and any other board in North America. Although adult files remain some of the most popular items transferred over the boards, this is not to say that this is all they have to offer. It is not fair to say that focusing on two boards in the region is a fair indication of what is available. It must be clarified, however, that the existence and popularity of this type of material is a reflection of a tendency in the userbase which indicates a genuine demand for these items. This is not to say that these materials are accessible to the general user without some restrictions. In response to the second article in the St. Catharines Standard, some of the local sysops banded together in an organization named S.O.A.P. (System Operators Against Pornography) which provides parents the certitude that their child can call their board without being exposed to pornographic material, or any obscenities, either in the message base or file areas. Many of these boards had not carried any of these materials previously, for example, the originator of the organization, Clayton Matattal of InfoTech. Other sysops who have joined SOAP, formerly carried pornographic materials, which have since been removed from their BBSes, and they claim to not offer these files to their users. This has not been without controversy in the local echoes, as this has been seen by some to be a show of blatant hypocrisy. Some of the controversy has centred around a dispute between boards which are affiliated with SOAP and those who are not, and the self-righteous attitudes displayed by some of the former. This was not the intended purpose of this organization, but was in response to various boards joining SOAP, whose names had previously been synonymous with adult material. According to recent messages in the Niagara FidoNet Chatter echo, the St. Catharines Standard has plans to publish another feature article on bulletin boards on January 23, 1993 in an attempt to highlight their positive aspects. It remains to be seen whether this will reflect a more accurate portrayal of BBSes in our community, seeing that it is due to be edited by the same Paul Forsyth and Andrew Lundy who wrote the original two articles. If past articles are any indication of what they intend to write in this future publication, then it is sure to be based on a "narrow-minded," sensationalist portrayal, featuring only a few boards in the region. ------------------------------ Date: Fri, 15 Jan 1993 23:22:47 -0500 From: Dave Banisar Subject: File 4--Released GSA Docs Slam FBI Wiretap Proposal "GSA Memos Reveal that FBI Wiretap Plan was Opposed by Government's Top Telecomm Purchaser" The New York Times reported today on a document obtained by CPSR through the Freedom of Information Act. ("FBI's Proposal on Wiretaps Draws Criticism from G.S.A.," New York Times, January 15, 1993, p. A12) The document, an internal memo prepared by the General Services Administration, describes many problems with the FBI's wiretap plan and also shows that the GSA strongly opposed the sweeping proposal. The GSA is the largest purchaser of telecommunications equipment in the federal government. The FBI wiretap proposal, first announced in March of 1992, would have required telephone manufacturers to design all communications equipment to facilitate wire surveillance. The proposal was defeated last year. The FBI has said that it plans to reintroduce a similar proposal this year. The documents were released to Computer Professionals for Social Responsibility, a public interest organization, after CPSR submitted Freedom of Information Act requests about the FBI's wiretap plan to several federal agencies last year. The documents obtained by CPSR reveal that the GSA, which is responsible for equipment procurement for the Federal government, strongly opposed two different versions of the wiretap plan developed by the FBI. According to the GSA, the FBI proposal would complicate interoperability, increase cost, and diminish privacy and network security. The GSA also stated that the proposal could "adversely _affect national security._" In the second memo, the GSA concluded that it would be a mistake to give the Attorney General sole authority to waive provisions of the bill. The GSA's objections to the proposal were overruled by the Office of Management and Budget, a branch of the White House which oversees administrative agencies for the President. However, none of GSA's objections were disclosed to the public or made available to policy makers in Washington. Secrecy surrounds this proposal. Critical sections of a report on the FBI wiretap plan prepared by the General Accounting Office were earlier withhold after the FBI designated these sections "National Security Information." These sections included analysis by GAO on alternatives to the FBI's wiretap plan. CPSR is also pursuing a FOIA lawsuit to obtain the FBI's internal documents concerning the wiretap proposal. The GSA memos, the GAO report and others that CPSR is now seeking indicate that there are many important documents within the government which have still not been disclosed to the public. Marc Rotenberg CPSR Washington office rotenberg@washofc.cpsr.org Note: Underscores indicate underlining in the original text. Dashes that go across pages indicate page breaks. [Computer Professionals for Social Responsibility is a non-profit, public interest membership organization. For membership information about CPSR, contact cpsr@csli.stanford.edu or call 415/322-3778. For information on CPSR's FOIA work, contact David Sobel at 202/544-9240 (sobel@washofc.cpsr.org).] +++++++++++++++++++++++++++++++++++++++++ (#4A) Control No. X92050405 Due Date: 5/5/92 Brenda Robinson (S) After KMR consultations, we still _"cannot support"_ Draft Bill. No. 118 as substantially revised by Justice after its purported full consideration of other agencies' "substantive concerns." Aside from the third paragraph of our 3/13/92 attachment response for the original draft bill, which was adopted as GSA's position (copy attached), Justice has failed to fully address other major GSA concerns (i.e., technological changes and associated costs). Further, by merely eliminating the FCC and any discussion of cost issues in the revision, we can not agree as contended by Justice that it now " ... takes care of kinds of problems raised by FCC and others ...." Finally, the revision gives Justice sole unilateral exclusive authority to enforce and except or waive the provisions of any resultant Iaw in Federal District Courts. Our other concerns are also shown in the current attachment for the revised draft bill. Once again OMB has not allowed sufficient time for a more through review, a comprehensive internal staffing, or a formal response. /Signature/ Wm. R. Loy KMR 5/5/92 Info: K(Peay),KD,KA,KB,KE,KG,KV,KM,KMP,KMR,R/F,LP-Rm.4002 (O/F) - 9C1h (2) (a) - File (#4A) +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ATTACHMENT REVISED JUSTICE DRAFT BILL DIGITAL TELEPHONY The proposed legislation could have a widespread impact on the government's ability to acquire _new_ telecommunications equipment and provide electronic communications services. _Existing_ Federal government telecommunications resources will be affected by the proposed new technology techniques and equipment. An incompatibility and interoperability of existing Federal government telecommunications system, and resources would result due to the new technological changes proposed. The Federal Communications Commission (FCC) has been removed from the legislation, but the Justice implementation may require modifications to the "Communications Act of 1934," and other FCC policies and regulations to remove inconsistencies. This could also cause an unknown effect on the wire and electronic communications systems operations, services, equipment, and regulations within the Federal government. Further, to change a major portion of the United States telecommunications infrastructure (the public switched network within eighteen months and others within three years) seems very optimistic, no matter how trivial or minimal the proposed modifications are to implement. In the proposed legislation the Attorney General has sole _unilateral exclusive_ authority to enforce, grant exceptions or waive the provisions of any resultant law and enforce it in Federal District Courts. The Attorney General would, as appropriate, only "consult" with the FCC, Department of Commerce, or Small Business Administration. The Attorney General has exclusive authority in Section 2 of the legislation; it appears the Attorney General has taken over several FCC functions and placed the FCC in a mere consulting capacity. The proposed legislation would apply to all forms of wire and electronic communications to include computer data bases, facsimile, imagery etc., as well as voice transmissions. The proposed legislation would assist eavesdropping by law enforcement, but it would also apply to users who acquire the technology capability and make it easier for criminals, terrorists, foreign intelligence (spies) and computer hackers to electronically penetrate the public network and pry into areas previously not open to snooping. This situation of easier access due to new technology changes could therefore affect _national security_. (1) +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ The proposed legislation does not address standards and specifications for telecommunications equipment nor security considerations. These issues must be addressed as they effect both the government and private industry. There are also civil liberty implications and the public's constitutional rights to privacy which are not mentioned. it must be noted that equipment already exists that can be used to wiretap the digital communications lines and support court- authorized wiretaps, criminal investigations and probes of voice communications. The total number of interception applications authorized within the United States (Federal and State) has been averaging under nine hundred per year. There is concern that the proposed changes are not cost effective and worth the effort to revamp all the existing and new telecommunications systems. The proposed bill would have to have the FCC or another agency approve or reject new telephone equipment mainly on the basis of whether the FBI has the capability to wiretap it. The federal- approval process is normally lengthy and the United States may not be able to keep pace with foreign industries to develop new technology and install secure communications. As a matter of interest, the proposed restrictive new technology could impede the United States' ability to compete in digital telephony and participate in the international trade arena. Finally, there will be unknown associated costs to implement the proposed new technological procedures and equipment. These costs would be borne by the Federal government, consumers, and all other communications ratepayers to finance the effort. Both the Federal government and private industry communications regular phone service, data transmissions, satellite and microwave transmissions, and encrypted communications could be effected at increased costs. (2) ============================================================= Documents disclosed to Computer Professionals for Social Responsibility (CPSR), under the Freedom of Information Act December 1992 ------------------------------ Date: Mon, 18 Jan 93 13:55:17 EST From: mcmullen@MINDVOX.PHANTOM.COM(John F. McMullen) Subject: File 5--Attempted Mindvox Break-in The following appeared on Newsbytes, a copyrighted commercial service, on January 18, 1993. It is republished here with the express consent of the authors: Phantom Access Foils Cracking Attempt 01/18/93 NEW YORK, NEW YORK, U.S.A.,1993 JAN 18 (NB) -- An attempt to illegally break into, or "crack" the "Mindvox" conferencing stem contained in Phantom Access, a flat-rate New York-based online service recently featured in various news publications, was detected and rebuffed. Bruce Fancher, co-owner of Phantom Access, told Newsbytes, "There was no real damage and we have notified all of our users about the attempt in the hope that they will be even more conscious of security. The nature of this attempt points out one of the things that users of any on-line system must be aware of in order to protect her/his privacy." The attempt came to the attention of the owners of the system, Fancher and Patrick Kroupa, when subscribers reported receiving the following message: "It has been brought to my attention that your account has been 'hacked' by an outside source. The charges added were quite significant which is how the error was caught. Please temporarily change your password to 'DPH7' so that we can judge the severity of the intrusion. I will notify you when the problems has been taken care of. Thank you for your help in this matter. -System Administrator" The system owners immediately sent a message to all subscribers declaring the message to be fraudulent. In addition to pointing out the textual errors in the message -- for example, Mindvox is a "flat rate" system and charges are not accumulated -- the owners admonished users to both safeguard their passwords and insure that they are not easy to decipher. Fancher told Newsbytes that the review of Mindvox in a recent issue of Mondo 2000, its mention in an issue of Forbes, and his speaking engagements on behalf of the system have led to more rapid growth than had been anticipated. He said, "We are moving to larger space on February 1st and will be upgrading our equipment from a single Next system to multiple Suns. We will also increase the number of dial-in ports and greatly increase the speed of our Internet connection. We are very grateful for the user response to date." (Barbara E. McMullen & John F. McMullen/Press Contact: Bruce Fancher, Phantom Access, dead@phantom.com (e-mail), 212-254-3226, voice/19930115) ------------------------------ Date: Thu, 14 Jan 93 18:13:13 EST From: sc03281@LLWNET.LINKNET.COM(Cheshire HS) Subject: File 6--Keyboarding Explosive Data for Homemade Bombs Sunday, January 10, 1993 Hartford Courant (Connecticut Newspaper) KEYBOARDING EXPLOSIVE DATA FOR HOMEMADE BOMBS Bomb Recipes Just a Keystroke Away By Tracy Gordon Fox, Courant Staff Writer They use names like Wizard and Warrior and they talk via computer networks. They are usually high school kids, but their keyboard conversations are not about girls or homework: They trade recipes for homemade bombs. Teenagers learning how to manufacture bombs through home or school computers have contributed to the nearly 50% increase in the number of homemade explosives discovered last year by state police, authorities said. "It's been a hellish year," said Sgt. Kenneth Startz of the state police emergency services division, based at the Colchester barracks. "Our technicians worked on 52 of them: a real bomb on an average of one per week. This is a marked increase from other years." In addition to the misguided computer hackers, local experts attribute the state's vast increase in improvised explosive devices to growing urban and suburban violence and bad economic times. "The number one reason for someone leaving a bomb is vandalism, and the next is revenge," Startz said. "There have been significant layoffs and companies going out of business and they make targets for revenge." Recently, state police and federal authorities confiscated 3 pipe bombs that were destined for members of the street gang, the Almighty Latin King Nation, in Meriden, Startz said. "This is a weapon of intimidation," he said, holding a foot-long, 2-inch-wide bomb made from household piping. "Pipe bombs will send out shrapnel just like a hand grenade will." And while bombs may be associated most often with terrorists, "the vast majority of bombings are done by the guy next door," said Det. Thomas M. Goodrow, who heads Hartford Police Department's bomb squad. The state police emergency services unit handles bomb calls in nearly every town in the state, except in the Hartford area, which is handled by Hartford's unit. Making bombs is not a new phenomenon, but the computer age has brought the recipes for the explosives to the fingertips of anyone with a little computer knowledge and a modem. University of Connecticut police say they do not know if computers were the source for a series of soda-bottle bombs that exploded outside a dormitory last February. Police have dubbed these explosives "MacGyver bombs" because they were apparently made popular in the television detective show, "MacGyver." Two-liter soda bottles are stuffed with volatile chemicals that cause pressure to build until the plastic bursts. The bombs explode either from internal pressure or on impact. "There were a number of students involved in making the soda bottle bombs. They knew what ingredients to mix," said Capt. Fred Silliman. "They were throwing them out the dorm windows and they made a very large boom, a loud explosion." No one was injured, but Silliman said UConn police took the pranks very seriously, calling in the state police bomb squad "to render a number of these safe for us." Several pipe bombs were discovered in a school in southeastern Connecticut, Startz said, and police found several more at the home of the student who made them. "Our increase, in part, seems to be kids experimenting with explosives," Startz said. As one of the first police officers in the area to discover that computers were being used by teenagers to find bomb-making recipes, Goodrow has a stereotype of these computer hackers. Typically, they are loners, who are socially dysfunctional, excel in mathematics and science, and are "over motivated in one area," he said. In a West Hartford case four years ago, the teenager had made a bomb factory in his basement, and had booby-trapped the door and his work room. "This shows the ability kids have," Goodrow said. Goodrow said he was at first amazed when teenage suspects showed him the information they could get by hooking on to computer bulletin boards. Incidents in which bombs actually exploded increased by 133% in 1992, according to state police statistics. Bomb technicians responded to 14 post-blast investigations last year, compared with only 6 in 1991, Startz said. Hartford has also seen an increase in explosive and incendiary devices, Goodrow said. Their technicians responded to 85 incidents in 1992, compared with 73 in the prior year. The trend has been seen around the country. The 958 bombing incidents reported nationally to the federal Bureau of Alcohol, Tobacco and Firearms was the highest in 15 years, ATF authorities said. ------------------------------ End of Computer Underground Digest #5.05 ************************************