Date: Sun, 1 Aug 1993 23:59:22 CDT
From: Cu-Digest
Subject: Cu Digest, #5.57

Computer underground Digest    Sun  Aug 1 1993   Volume 5 : Issue 57
                           ISSN  1004-042X

       Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
       Archivist: Brendan Kehoe
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Coop Eitidor:      Etaoin Shrdlu, Senior

CONTENTS, #5.57 (Aug 1 1993)
File 1--Re: Hacker sentencing
File 2--Criminal Records Subject to Abuse
File 3--UPDATE: Ideas-Exchange listserv/ Legis Data Programmers
File 4--Observations from a "non-cyberhead"
File 5--Response to "Observations from a 'non-cyberhead'"
File 6--Rep. Markey's Letter in re AIS BBS
File 7--Response to Rep. Markey's Letter

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The
editors may be contacted by voice (815-753-6430), fax (815-753-6302)
or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115.
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in
the VIRUS/SECURITY library; from America Online in the PC Telecom forum
under "computing newsletters;" On Delphi in the General Discussion
database of the Internet SIG; on the PC-EXEC BBS at (414) 789-4210;
and on: Rune Stone BBS (IIRG WHQ) (203) 832-8441 NUP:Conspiracy;
RIPCO BBS (312) 528-5020

CuD is also available via Fidonet File Request from 1:11/70; unlisted
nodes and points welcome.

EUROPE:   from the ComNet in LUXEMBOURG BBS (++352) 466893;
          In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
  UNITED STATES:  ftp.eff.org (192.88.144.4) in /pub/cud
                  uglymouse.css.itd.umich.edu (141.211.182.53) in /pub/CuD/cud
                  halcyon.com (202.135.191.2) in /pub/mirror/cud
                  aql.gatech.edu (128.61.10.53) in /pub/eff/cud
  AUSTRALIA:      ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
  EUROPE:         nic.funet.fi in pub/doc/cud. (Finland)
                  ftp.warwick.ac.uk in pub/cud (United Kingdom)

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long as
the source is cited. Authors hold a presumptive copyright, and they
should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles relating
to computer culture and communication. Articles are preferred to short
responses. Please avoid quoting previous posts unless absolutely
necessary.

DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not violate
copyright protections.
----------------------------------------------------------------------

Date: Fri, 30 Jul 1993 13:41:55 -0700
From: mcmullen@MINDVOX.PHANTOM.COM(John F. McMullen)
Subject: File 1--Re: Hacker sentencing

The following appeared on Newsbytes, a commercial copyrighted
international news service on July 29th. It is reposted here with the
express consent of the author (This notice must accompany any
subsequent re-postings which I am authorizing here)

========================================================================

(EDITORIAL) (GOVERN) (NYC)
Reflections On Hacker Sentencing 07/29/93

NEW YORK, NEW YORK, U.S.A. (NB) 072993 -- I sat in federal court this
week and watched two young men be sentenced to prison. It was not a
pleasant experience.

The young men, Elias Ladopoulos, known in the hacker world as "Acid
Phreak", and Paul Stira, a/k/a "Scorpion", were each sentenced to six
months imprisonment, six months home detention, seven hundred fifty
hours of community service, and $50 assessment charge for conspiracy
to commit computer crimes. Both had pled guilty on March 17th on this
charge so there was not a question of guilt or innocence. The six
months imprisonment also does not seem draconian -- six months doesn't
seem very long unless you happen to be the one serving it. Time is
extremely relative as I found out when I spent five years at Fort
Sill, Oklahoma between January 1963 and April 1963. It is safe to say
that these young men will find the six months loss of freedom to be a
very long period.

The penalty, however, may be reasonable. It is certainly well within
the sentencing guidelines for the infraction (The maximum sentence
quoted for the crime pled to is five years in prison and a $250,000
fine).

If I think that the sentencing may be just, or at least defensible,
then what is the problem? Well, first, I have known the young men for
over three years and like them both. I would have preferred that they
not go to prison.
I also personally feel that Stira never should have been a part of the
indictment; a view shared by some law enforcement folks that I have
spoken to (he is only mentioned in the papers twice and any illegal
activities seemingly stopped in January 1990; the activities
enumerated involved possession of a "trap door" program and a list of
user passwords to systems). I recognize that is a personal feeling and
that all people want their friends not to bear hardship. Some place
Ted Bundy probably had a friend who wanted him loose and running
around.

Another problem relates to the procedures that got the defendants to
the sentence. Stira and Ladopoulos (along with Mark Abene a/k/a
"Phiber Optik") were the subjects of a search and seizure by Secret
Service agents in January 1990. Stira and Ladopoulos' fate then
languished until July 1992 when they were indicted along with Abene and
two new players, John Lee a/k/a "Corrupt" and Julio Fernandez a/k/a
"Outlaw", on conspiracy to commit computer crimes.

During the over three years that have gone by, Stira and Ladopoulos
have undergone changes. They are both college students -- Stira would
have graduated had his college not pulled his computer account when he
pled guilty; an action which prevented him from completing his last
course requirement. Both have performed community service through
contacts provided by Robert Ambrose, a director of the New York
Amateur Computer Club (NYACC). Ladopoulos is employed by a major New
York broadcasting company and has impressed his employer to the extent
that the employer wrote a letter to the judge, asking for leniency,
and came to the sentencing.

Ladopoulos' attorney, Scott Tulman, speaking at the hearing, said "He
goes to school, works and donates time to working with the
handicapped, teaching them to use computers. He acknowledges his
culpability and has been attempting to atone for it. His probation
officer noted his sincere efforts to rehabilitate himself.
The stupid young person, 'Acid Phreak', who was involved with other
person's computers no longer exists. It is Elias Ladopoulos who will
be sentenced and that will cause a hardship to his family."

There are those who may say "It doesn't matter how long ago they did
something wrong. They did it and they have to pay the piper." They may
well be right in some cases but these are not past serial killers;
they are two young men who have been under tremendous pressure for a
substantial part of their lives (3 years out of 21 is significant)
since the indictment. Perhaps that should have been considered
sufficient punishment.

There is, further, an overriding problem. From day 1 of the case, the
judge, Richard Owen, showed a complete lack of understanding of the
technology related to the case. At the initial scheduling meeting,
then-Assistant US Attorney Steve Fishbein pointed out that the
discovery process might take a long time as the government had
intercepted over "50 megabytes" of electronic evidence. The judge
asked what a megabyte was and, when told it was a million characters,
seemed to look rather panicked when he said "You're not going to show
all that to a jury are you?" Fishbein assured him that he would not.
It seemed obvious to those of us in attendance that Judge Owen had
visions of 50 million pieces of paper being delivered to a jury. He
was understandably concerned.

That was only day one and a federal judge may not be computer literate
at the start of such a case. That would certainly be a lot to expect.
One might expect, however, that, a year later, at the conclusion of
the case, knowledge would have been acquired. Sadly, that did not seem
to be the case.

One of the charges made against Stira and Ladopoulos (and Abene) was
that they both pulled a prank and caused damage to a computer system
belonging to WNET, the PBS television channel in New York.
While Stira and Ladopoulos admitted being on the system, both deny
causing any damage (it is a common belief that another hacker, known
for malicious actions, left unindicted by the federal government
because of his age, knowingly committed the damage). A major part of
the sentencing dialogue between Ladopoulos and Judge Owen had to do
with this incident. Newsbytes reported it this way:

  "In response to questions from Judge Owen concerning his involvement
  with the damage to the WNET system, Ladopoulos said 'Another hacker
  whose name I have already provided to the government was the one who
  took the system down. When I saw the problem, I called the station
  and left my own phone number and offered to help. If I had caused
  the damage, I would not have done that. The person who caused the
  damage is a very deranged person.'

  "Owen said that he could not believe that it was merely a
  coincidence that the damage was done to the WNET system in the same
  time frame that Ladopoulos was on the system. Ladopoulos replied by
  saying that the system log showed that he was off the system when
  the damage occurred. A discussion followed on the entire incident."

The discussion actually had knowledgeable persons in the court room
shaking their heads. The judge didn't understand. He said that there
was too much work for this mysterious hacker to have done to copy
messages from Ladopoulos, add destructive material to it and shut down
the system all on the same day -- just too much typing. Ladopoulos
tried to explain about capture routines, editors, etc. and then,
seeming to realize the futility of it, just gave up.

Speaking later to Newsbytes about the experience, Ladopoulos said "It
was terribly frustrating. The judge just didn't understand about WNET.
I tried to explain that I did not damage the system but he didn't
understand."

Now it certainly is not clear that the judge based his sentencing on
the WNET episode.
He may not have -- at John Lee's sentencing, the same judge mentioned
that evidence showed that Lee had insulted someone's mother on the
net. One suspects and hopes that this social transgression played no
part in Lee's year-and-a-day sentence; there were, after all,
substantive charges against Lee. We will never know whether or how
much this misunderstanding influenced the sentence -- and it is a
light sentence under the guidelines. So, perhaps, no harm was done.

No harm? Not quite! At a minimum, the dialogue shook the confidence of
everyone in the room about the sentence. Perhaps the prosecution was
satisfied because the defendants were being punished for their illegal
acts -- perhaps the defense took it in stride because of the relative
lightness of the sentence -- perhaps it was a good sentence. However,
anyone with an understanding of computers and telecommunications had
to feel that the judge had no grasp of these issues.

So what happens next? Organizations like the Electronic Frontier
Foundation (EFF), the Society for Electronic Access (SEA), and
Computer Professionals for Social Responsibility (CPSR) are trying to
close the knowledge gap between public officials and technologists.
Congress is holding hearings on technology issues. There is
recognition at the national level on the importance of understanding
the changes that the telecommunications revolution has brought.
Progress may be made. I hope so.

Can you imagine if it were your case -- or that of a member of your
family being sentenced? Scary, isn't it?

(John F. McMullen/19930729)

John F. McMullen          mcmullen@mindvox.phantom.com
Consultant,               knxd@maristb.bitnet    mcmullen@well.sf.ca.us
Writer,                   70210.172@compuserve.com    mcmullen@panix.com
Student,                  GEnie - nb.nyc         mcmullen@eff.org
Teacher

------------------------------

Date: Thu, 29 Jul 93 21:21:45 EDT
From: trader@CELLAR.ORG
Subject: File 2--Criminal Records Subject to Abuse

I thought that this might interest you and other CuD readers.
Philadelphia Inquirer - 07/29/93

CRIMINAL RECORDS ARE VULNERABLE TO ABUSE, CONGRESS IS WARNED
Sometimes the information is for sale, the GAO said. It called for
greater security.

By Lawrence L. Knutson
ASSOCIATED PRESS

WASHINGTON -- In Arizona, a former police officer gained access to
print-outs from the FBI's National Crime Information Center, tracked
down his estranged girlfriend and murdered her.

In Pennsylvania, a computer operator used the system to conduct
background searches for her drug-dealer boyfriend, who wanted to learn
if new clients were undercover agents.

In Colorado, Connecticut, Florida, Maryland and other states, private
investigators bought data from insiders with authorized access to the
criminal-record system.

These examples were presented to the House Judiciary and Government
Operations Committees yesterday by the General Accounting Office,
which concluded that the criminal-records system is vulnerable to
widespread misuse.

The GAO recommended that Congress enact legislation with "strong
criminal sanctions" barring the misuse of the criminal record files
and that the FBI encourage state users to enhance security.

Laurie E. Ekstrand, the GAO's associate director for administration of
justice issues, said that while the FBI and the states do not keep
adequate records, "we did obtain sufficient examples of misuse to
indicate that such misuse occurred throughout the system."

"Furthermore, all the reported misuse incidents involve insiders,
while none involved outside [computer] hackers," she said.

"It appears that there are employers, insurers, lawyers or
investigators who are willing to pay for illegal access to personal
information, and there are insiders who are willing to supply the
data," said Rep. Gary Condit (D., Calif.) summing up the GAO's
findings.

The National Crime Information Center, with 24 million records, is the
nation's largest computerized criminal justice information system.
Its 14 separate files contain an extensive range of data, including
information about fugitives, stolen vehicles and missing persons. The
largest single file, known as "the III file" gives users access to 17
million criminal-history information records maintained in separate
state systems.

The GAO said more than 19,000 federal, state and local law enforcement
agencies in the U.S. and Canada, using 97,000 terminals, have direct
access to the system.

The GAO called the Arizona case the most extreme example of misuse it
uncovered. The agency said investigators learned that the former
police officer was able to locate his estranged girlfriend using data
provided from the national records system by three people working in
different law enforcement agencies.

"After an investigation, the printouts provided by the three
individuals were discovered and they were identified, prosecuted and
convicted," the GAO said.

Other examples provided by the GAO:

- In Maine, a police officer used the system to conduct a background
  check on one of his wife's employees who was then fired for not
  disclosing his criminal record.

- In Iowa, a dozen cases of misuse were reported over the last two
  years. All involved computer operators conducting background
  searches on friends or relatives.

- In New York state, an employee of a law enforcement agency provided
  criminal history information to be used by a local politician
  against political opponents.

- In Pennsylvania, a police officer "accessed and widely disseminated"
  a fellow officer's criminal history record.

- In South Carolina, a law enforcement agency conducted background
  searches on members of the City Council.
------------------------------

Date: Fri, 30 Jul 1993 16:29:35 -0700
From: Jim Warren
Subject: File 3--UPDATE: Ideas-Exchange listserv/ Legis Data Programmers

July 30, 1993

On July 22nd, I broadcast details [Update #19] about a number of
sample files of legislative data, in the various forms used internally
by the Legislative Data Center and Office of State Printing, that are
available for anonymous ftp, with which volunteer-programmers could
begin experimenting.

Just before flying off to a tele-community conference in Colorado, Al
Whaley of cpsr.org (one of the volunteers) proposed an online
discussion group to facilitate the shared programming effort -
excellent idea! I had planned on broadcasting this message before now,
but was first distracted by the conference, then came home with a
massive head cold. Blushing apologies!

LEGISLATIVE-DATA PROGRAMMERS' INFORMATION EXCHANGE

This list is intended only for those who are developing software to
process the state legislative data - display it, print it, index it,
etc. Anyone, including non-subscribers, can send to this list. Neither
subscribers nor submissions are moderated. Subscribers' identities are
not currently concealed, but can be after subscribing.

TO SUBSCRIBE: Send email to listserv@cpsr.org. (The Subject is
ignored.) The email message should state:
  SUBSCRIBE LDC-SW firstname lastname
where firstname and lastname are, of course, yours.

FOR HELP: Send email as above, with the message
  HELP

Note: ldc-sw-request@cpsr.org is equivalent to listserv@cpsr.org.

SOFTWARE SUCCESSES WOULD BE HELPFUL AT AUGUST 18th HEARING

It would be *great* to flaunt printouts of the sample legislative data
along with a listing of the freeware source-code that created them at
the Aug. 18th Senate Rules Committee.

------------------------------

Date: Tue, 27 Jul 93 06:47:00 EST
From: "Straw, Scott F."
Subject: File 4--Observations from a "non-cyberhead"

With reference to the FOIA inquiry and the USSS affidavit response,
what is "the 2600 case?" (CuD 5.52) Having only subscribed since issue
5.51, I probably just missed this important filler info. You might
consider the journalistic practice of briefing newcomers to background
material, even if only a sentence.

With regard to the E-fingerprinting of welfare recipients, and its
potential long range spread to other social service provisions, I say
hear, hear! Would we hesitate to issue a photo-ID to these individuals
to verify that the intended recipient is actually receiving the aid?
If not, why not a fingerprint record? More unique than a photograph,
and infinitely easier to store electronically (being quasi-two
dimensional and devoid of subtle nuances of character), fingerprinting
will allow positive, definitive identification. Yes, it will detect
and deter "double-dipping" fraud, but it will also prevent
unauthorized procurement/theft as well.

I would hope that CPSR (Computer Professionals for Social
Responsibility) would reconsider their stance in light of their tenet
that reads: "We encourage the use of computer technology to improve
the quality of life." - Principle #5, CuD 5.55, File 1 (What is CPSR
and how can we join?)

If the social service recipient were, by the use of this technology to
eliminate fraud and theft (and because of the elimination of these
losses) able to receive a higher, more focused and therefore, enhanced
level of service, that could have strong positive implications on that
recipient's quality of life. I fail to see this as a "Big Brother"
issue. After all, isn't the goal of social services in a majority of
the cases to provide assistance temporarily? Once the assistance is no
longer needed, the recipient is no longer tracked.

------------------------------

((MODERATORS' NOTE: Jim Davis's reply clarifies the relevance of
computer technology as a cyberspace concern.
The issues include the power of technology to invade privacy and the
problem of using technology on groups lacking a strong constituency to
protect themselves. The fingerprinting policy seems to isolate a
particular group for more stringent monitoring. And, the possibility
that discretionary fingerprint IDs might spread to other states is
noted by joec@CFCSYS.LINET.ORG (Joseph Christie):

  I noticed the article on fingerprinting public assistance recipients
  in the San Francisco area and just wanted to report that Suffolk
  County, New York is also considering setting up a similar system and
  they are using the "phenomenal" savings by the LA system as
  justification.

+++++

Date: Wed, 28 Jul 1993 10:47:50 -0700
From: "James I. Davis"
Subject: File 5--Response to "Observations from a 'non-cyberhead'"

People concerned with privacy have always resisted the idea of a
national ID card, no matter how technically efficient it is. One could
possibly argue that having and requiring a positive ID for all social
transactions wd improve the quality of life, but I "using technology
to eliminate fraud wd result in a higher quality of life" could
include universal activities like shopping (more technology to prevent
shoplifting), recreation (more technology to monitor parks and
streets) or work (more technology to combat employee theft of
employers' supplies, "time", computer resources, etc.) and so on.
People who don't steal and don't defraud might enjoy cheaper goods,
safer streets and parks; and for the employers', higher profits;
everyone else could be put in prison or unemployment lines (a detour
on the way to prison). The question becomes how do we want to balance
the right to privacy and the freedom to go about our lives with a
desire to combat fraud and theft? At what point do we say, "this looks
like the road to a police state"?
As to whether such technology should be used only for poor people, or
only for people who need public assistance, it raises some obvious
problems about singling out a particular section of the population for
"special treatment." Lest one should say, "well, they're only welfare
recipients; what's that got to do with me" (ignoring for the moment
what a brutal and short-sighted statement that would be), one should
keep in mind that some of the most serious breaches in overall privacy
vis-a-vis computer systems have started with the bogeyman of welfare
fraud, and then extended to more general use after the precedence is
set.

Jeffrey Rothfeder, in _Privacy_at_Risk_, describes how federal
computer matching, where agencies go on data-fishing expeditions by
matching up different government databases, was initially considered
outside of what was allowed under the 1974 Privacy Act. Pressure from
the Department of Health, Education and Welfare under the Carter
administration stretched the rules, so to speak, to allow them to hunt
for people "double-dipping." The program was later extended to other
types of matches, including matching IRS returns and Social Security
records. All along, the benefits from these dragnet searches have been
questionable. In 1988, the House Committee on Government Operations
noted that "the cost-effectiveness of computer matching has yet to be
demonstrated." (Rothfeder, pp. 140-146) "Cost-effectiveness" of course
does not include the additional cost of the loss of privacy such
searches imply.

------------------------------

Date: Thu, 21 July 1993 17:51:21 CDT
From: CuD Moderators
Subject: File 6--Rep. Markey's Letter in re AIS BBS

((MODERATORS' NOTE: Like the flooding Mississippi, the AIS BBS
incident just keeps over-flowing the levees and spreading beyond
reasonable boundaries.
CuD readers will recall that AIS ("Automated Information Systems," a
BBS operated by the Treasury Department's Bureau of Public Debt) was
the target of an "anonymous" posting in RISKS Digest. The poster
objected particularly to the availability of virus source code on the
board. The post was routed to government officials (see Crypt
Newsletter #16 for details) and the offending files, along with
"underground" text files--including CuD--were removed from the board.
Perhaps, thanks to media hyperbole, CuDs are perceived as nearly as
dangerous as virus source code. That should have ended the matter.

Sadly, the Washington Post picked up on the story and printed a
slanted, simplistic, and rather hyperbolic version of events in an
account that raises serious questions of journalistic ethics (see CuD
#5.51). Even that should have ended things. However, Rep. Edward J.
Markey (D., Mass), Chair of the House Committee on Energy and
Commerce's Subcommittee on Telecommunications and Finance, read the
Post article and was sufficiently concerned to write Lloyd Bentsen,
Secretary of the Treasury, demanding to know why AIS made certain
types of files available. Rep. Markey linked the AIS BBS files with
other security issues that the GAO found--even though the other
alleged problems were unrelated to the board.

The impetus for the article, according to Markey staffer Jeff Duncan,
was the Washington Post depiction of events, and the letter builds on
the Post's narrative to substantiate its own concerns. The letter
assumes "guilt" without looking beyond the media depiction. Sadly, it
does not reflect well on the knowledge of Rep. Markey or his staffers
either about the technology or the broader issues of freedom of
information. We reprint below the relevant two pages of the four page
letter)).

+++++

U.S.
House of Representatives
Committee on Energy and Commerce
SUBCOMMITTEE ON TELECOMMUNICATIONS AND FINANCE
Washington, DC 20515-6119

July 6, 1993

The Honorable Lloyd Bentsen
Secretary
Department of the Treasury
1300 Pennsylvania Ave., N.W.
Washington, D.C. 20220

Dear Mr. Secretary:

I am writing with regard to recent reports about a computer bulletin
board service run under the auspices of the Department's Bureau of
Public Debt in Parkersburg, W.V. The Washington Post reported on June
19, 1993, that the now-terminated service made publicly available
information about computer viruses and other "hacker" information that
could potentially inflict damage on computer systems and data.

On June 9, 1993, the Subcommittee held a hearing on data and network
security. Testimony received by the Subcommittee at that time revealed
that the computer hacking and telecommunications toll fraud problem in
the United States is increasing. In addition, the average computer
site will spend more than $176,000 on computer virus clean-up and the
cost of virus damage to all U.S. computer users has been over a
Billion dollars over the last three years.

While it is true that many such virus programs as well as hacker and
"phone phreak" information is available on other bulletin board
systems, I am troubled that the Treasury Department would play a role
in disseminating such information publicly, especially in light of the
fact that viruses and toll fraud together are estimated to inflict $4
to $6 Billion in economic loss annually to U.S. consumers and
industry. Such dissemination goes well beyond any precautionary
security measure the Department might take in testing the integrity of
its computer systems.
Moreover, in a recent report to Congress, the General Accounting
Office (GAO) raised concerns that the Department's Treasury Automated
Auction Processing System (TAAPS) had "skipped certain system
development steps necessary to ensure that the risks associated with
building and operating a system are adequately controlled" and may not
achieve anticipated benefits such as reducing auction processing time.
Specifically, the GAO raised concerns about the fact that neither the
Department nor the Federal Reserve Bank of New York (FRBNY) -- which
serves as Treasury's agent in conducting the auctions -- had performed
risk analysis, documented detailed functional requirements, or tested
the TAAPS system thoroughly. In addition, GAO questioned whether the
system would reduce the time it takes Treasury to process auctions and
announce winners.

Treasury's willingness to disseminate data regarding computer viruses
and other hacker information is particularly troubling in light of its
failure to perform a full risk analysis of its automated auction
system. Any catastrophic failure of this system, or breach of its
security by computer hackers or viruses, could have a serious adverse
effect on the orderly functioning of the secondary market for Treasury
securities.

As the country embarks on plans to upgrade the national
telecommunications infrastructure over the next few years, data and
network security issues will increasingly need to be addressed. To
assist the subcommittee in its ongoing analysis of these issues and
its ongoing oversight and legislative activities, please respond to
the following questions by July 27, 1993:

1. Why was the Department's Automated Information System bulletin
board, where the virus codes were resident, advertised as "open to the
public" and the telephone number for the board made publicly available
through a listing in the Computer Underground Digest?
What was the rationale behind making such potentially harmful
information generally available?

2. Why were "dissected" viruses, which may be easily altered to
produce variations capable of eluding current virus detection tools,
also made publicly available?

3. Why were steps not taken to limit access to the bulletin board
services? For instance, why were steps not taken to limit or
effectively prohibit the ability of individuals to download
information off the bulletin board? Were passwords needed to access
data? If not, why not?

4. GAO reports that neither the Department nor the FRBNY performed a
risk assessment of TAAPS because "they believed the Federal Reserve
telecommunication and computer system selected for the system is
already safe and secure." GAO further reports that shortly before
issuance of its report, the FRBNY provided the GAO with a "risk
assessment" which "did not contain many of the key elements of a risk
assessment such as valuation of assets, probability of risk
occurrence, and annualized loss expectancy." In addition, the report
"did not describe how risks would be adequately controlled." Please
provide responses to the following questions:

Thank you in advance for your time and attention in responding to this
request. If you have any questions, please have your staff contact
Jeff Duncan or Colin Crowell of the Subcommittee staff at 226-2424.

Sincerely,

Edward J. Markey
Chairman

------------------------------

Date: Thu, 21 July 1993 22:51:01 EDT
From: Jim Thomas
Subject: File 7--Response to Rep. Markey's Letter

18 July, 1993

Representative Edward J. Markey
Chair, Subcommittee on Telecommunications and Finance
Committee on Energy and Commerce
U.S. House of Representatives
2133 Rayburn Building
Washington, DC 10515-2107

Dear Representative Markey:

I am writing in response to your letter of 6 July, 1993 to Secretary
of Treasury Lloyd Bentsen.
In that letter, you expressed concerns about available files on the
AIS BBS, a computer bulletin board run by the Department of Treasury's
Bureau of Public Debt. I am informed by Jeff Duncan, a staff contact
for questions regarding your letter, that the primary, indeed the
only, basis for your letter was an article authored by Joel Garreau
that appeared in the Washington Post on June 19, 1993. As we wrote in
a recent issue of Cu Digest, the Post article suffered from hyperbole
and misinformation. It also raised serious issues of journalistic
ethics (See CuD 5.51). Because Computer underground Digest (or CuD, of
which I am co-editor) is named in both the Post article and in your
letter, I feel compelled to clarify several issues.

You pose several questions in your letter. The first, in which you
mentioned Cu Digest, states:

  1. Why was the Department's Automated Information System bulletin
  board, where the virus codes were resident, advertised as "open to
  the public" and the telephone number for the board made publicly
  available through a listing in the Computer Underground Digest? What
  was the rationale behind making such potentially harmful information
  generally available?

As I am sure you are aware, there are many government BBSes open to
the public that provide access to files. I myself have used several
that have been invaluable in my work as a criminal justice
professional. The available resources, in the form of software
programs, text files, press releases, and a broad menu of other
services, vary. The available information on other public government
boards, which some might argue could help drug dealers, fraud
perpetrators, and others, is by some standards as "sensitive" as the
information to which you allude on the AIS BBS. However, if one
applies the same standards to these boards as you would apply to the
AIS BBS, questions of propriety of the accessible information could be
raised of all of them.
There is nothing unusual about an open and public BBS being run by the government. What strikes me as unusual is to single out one particular BBS and demand a justification for a common practice. It should also be noted that at the time we wrote our story on the AIS BBS (20 August, 1992, CuD #4.37/File 4), we were impressed with the professionalism and competence with which the board was run. At the time of our calls, users were required to sign on, were not given immediate access (as they are to some government boards, such as the Bureau of Justice Statistics' BBS), and--contrary to some media reports--real names, not "handles," were required.

Both the Post article and your letter indicate that AIS BBS personnel "advertised" the board in CuD, and your letter demands an explanation. However, contrary to the report in the Washington Post and the wording of your letter, AIS BBS personnel did not make the number available to CuD. Nor did AIS BBS personnel solicit publicity or advertise that the board was public. I came across the BBS through my professional activities. Ironically, my initial interest in AIS BBS occurred because of rumors that it was a U.S. Secret Service "sting" operation created to identify and apprehend callers. After calling the board, I found it potentially helpful in my own sphere of academia, which includes computer crime/security/culture, and I requested more information from AIS BBS personnel. They agreed to a short interview. Had they not agreed, we still would have run a story. In fact, had your staff engaged in minimal research, the answers to the bulk of the AIS-related questions you pose were published in CuD #4.37/File 4.

It strikes me as odd that you would demand an accounting from a government official explaining the motivation and content of a media story that AIS BBS personnel did not initiate and over which they had no control.
This poses a chilling effect to free speech by intimidating the legitimate flow of information and by implicitly self-censoring journalists and others lest even an innocent story have repercussions for the subordinates of government officials who may not like what is written.

An example of this "chilling effect" in fact occurred with AIS BBS. Out of apparent fear of repercussions for carrying so-called "underground" electronic publications, those publications and other files, most of which were of no value for criminal activity, but of considerable value to computer professionals and scholars, were removed. Cu Digest, classified as an "underground" publication (presumably because of the name), was among them. When removal of legitimate publications occurs because of subtle intimidation, valuable sources of information are lost through informal (albeit "voluntary") censorship. Both the tone and content of your letter contribute to this form of censorship. The stigma attached to certain types of electronic messages, created by an apparent lack of understanding of their content, spills over into other forums and shapes policies, public images, and law in ways that subvert freedom of speech in electronic media.

Your letter also expresses concern for some of the files, including virus source code, found on the AIS BBS. There is considerable room for honest disagreement over the "dangerousness" of such files. I tend to find the concern grossly exaggerated. Yes, it is always possible for isolated individuals to abuse information. However, if we are to stifle the flow of information because of the excesses of the occasional predator, then we ought also be concerned about government-funded public libraries, computer science and other courses in public institutions, and other sources of information that might be twisted for the perverse ends of a rare malcontent.
There is considerable evidence that users of AIS BBS found the available files to be significant in enhancing computer security and performing other computer-related functions. To assume that useful information in so-called "underground" files ought be restricted because some may find that information objectionable seems a dangerous precedent that restricts freedom of speech and information flow in electronic media. The intimidation created by the accusatory nature of your letter suppresses both information and public dialogue of what is or is not appropriate by imposing an arbitrary litmus test of "correctness."

In sum, I am concerned about several issues raised by your letter. First, your staff's understanding of AIS BBS and its files seems partial. Basing an accusatory letter of inquiry on an unchecked media source and linking disparate security issues in the letter raises serious concerns about the credibility of your staff's competency in matters of computer security and technology. Your staff apparently did not do its homework.

Second, your letter seems to close off debate about the role of the government in information dissemination, rather than invite rigorous discussion of the issues. It assumes impropriety rather than inviting discussion about the role of government BBSes and the nature of information that ought be made available to the public.

Finally, your letter suggests that you extend to electronic media a lower threshold of protection of information dissemination than hardprint media, such as can be found in libraries or government documents. Am I incorrect in inferring from your letter that you do not extend to "cyberspace" the same First Amendment and other protections granted print media?

As a taxpayer and as a criminal justice professional, I am disturbed by the implications of your letter, and especially by its failure to recognize the technological and social issues it raises.
In my opinion, by isolating and attacking AIS BBS for carrying electronic versions of hardprint information available through other government sources, you seem to be discriminating against electronic media in general and AIS BBS in particular in a way that potentially limits Constitutional rights in what is known as "cyberspace." The underlying concerns you raise in your letter are legitimate, but the implications of the manner in which you raise them and the assumptions you appear to make may have the unanticipated consequence of contributing to dangerous precedents in the relationship between government control and freedom of information.

Sincerely,

Jim Thomas, Professor
Sociology/Criminal Justice
Co-editor, Cu Digest
Northern Illinois University
DeKalb, IL 60115
Voice: (815) 756-3839 / Fax: (815) 753-6302
Internet: tk0jut1@mvs.cso.niu.edu / jthomas@well.sf.ca.us

------------------------------

End of Computer Underground Digest #5.57
************************************