Chaos Digest             Lundi 22 Fevrier 1993        Volume 1 : Numero 10

       Editeur: Jean-Bernard Condat (jbcondat@attmail.com)
       Archiviste: Yves-Marie Crabbe
       Co-Redacteurs: Arnaud Bigare, Stephane Briere

TABLE DES MATIERES, #1.10 (22 Fev 1993)
File 1--Reseau de Donnees Scientifique Peruvien: RCP
File 2--Denning's _Computers Under Attack_ (critique)
File 3--Repondeur Telephonique sur Ligne Occupee (reprints)

Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from jbcondat@attmail.com. The editors may be
contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at:
Jean-Bernard Condat, Chaos Computer Club France [CCCF], 47 rue des Rosiers,
93400 St-Ouen, France

Issues of Chaos-D can also be found on some French BBS. Back issues of
ChaosD can be found on the Internet as part of the Computer underground
Digest archives.  They're accessible using anonymous FTP from:

        * ftp.eff.org (192.88.144.4) in /pub/cud
        * red.css.itd.umich.edu (141.211.182.91) in /cud
        * halcyon.com (192.135.191.2) in /pub/mirror/cud
        * ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD
        * nic.funet.fi (128.214.6.100) in /pub/doc/cud

CHAOS DIGEST is an open forum dedicated to sharing French information among
computerists and to the presentation and debate of diverse views. ChaosD
material may be reprinted for non-profit as long as the source is cited.
Some authors do copyright their material, and they should be contacted for
reprint permission.  Readers are encouraged to submit reasoned articles in
French, English or German languages relating to computer culture and
telecommunications.  Articles are preferred to short responses.  Please
avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
            the views of the moderators. Chaos Digest contributors
            assume all responsibility for ensuring that articles
            submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Wed Feb 17 11:43:24 EST 1993
From: js@rcp.pe (Jose Soriano )
Subject: File 1--Reseau de Donnees Scientifique Peruvien: RCP


Bonjour,

     Je vous envoye le projet sur lequel nous sommes en train de
travailler.  En ce moment, nous installons notre "link" internationale
avec satellite de 64 kbps dans Panamsat. Aussi, nous sommes en
negociations avec la CEE pour etablir une connexion dediee vers
l'Europe.


=======================================================================
                     RED CIENTIFICA PERUANA
                  (Peruvian Scientific Network)
=======================================================================

INTRODUCTION

     The market entry of minicomputers, adjusted to the needs and sizes
of the smallest research team, as well as the more recent spectacular
development of microcomputers have changed traditionally used research
work modes.

     The abundance of ever quicker perishable information sources and
the increasing cost of the means to access them have evidenced the need
for interinstitutional cooperation and for the rationalization of
increasingly scarce resources, both in the national and international
environment.

     Peruvian entities devoted to research and teaching, as well as
state and private universities, non governmental organizations, industry,
finance and commercial corporations are carrying on internal installation
of communication networks (LANS), sharing the use of these resources for
the purpose of more efficient results.

     The above described development, begun some years ago, is still on
the run.  The need to exploit expensive means (telecomunications with
major research centers, access to international databases, access to
focused resources) and the national and international reach of mutual
scientific and technological cooperation among teams of researchers
made the interconnection of these networks a must in both the national
and international scope.  To achieve this, by late 1991 many national
organizations contributed to the establishment of RED CIENTIFICA PERUANA
(Peruvian Scientific Network).

     Previous documents have described the history of this cooperative
national network and the services it renders its users.  We will now
deal with its present technical structure and its growth plans for the
current two year period.



           DESCRIPTION OF THE PERUVIAN SCIENTIFIC NETWORK


Organization
------------

     RCP is a low cost national network that has achieved high
operational quality in short time, and so far links 132 institutions all
over the country.  The main services it provides, described in further
detail are the following: electronic mail, access to distributed national
listservers, software installation, technician and user training.

     It is organized as a non profit institution, and its body of members
includes one representative from each participant organization. The staff,
the Direction Committee and an Administrator are entitled by a General
Assembly, the highest authority in the association.

     Under the coordination of the General Administrator reporting to the
Direction Committee, a small staff including engineersand trainees are in
charge of technical operation, node installation, administrator and user
training, as well as of permanent support to final users.

     The Technical Committee, formed by representatives from member
organizations, is the consulting entity in charge of the national network
planning and development, as well as of the coordination of institutional
developments related to the national network's prospective architecture.


Financial resources
-------------------

     As an autonomous cooperative institution, RCP counts on funds
provided by the its institutions in yearly contributions and monthly
payments, all of which sum up to form its operational budget.  RCP also
aims at being granted donors' contributions and other kinds of physical
of financial collaboration from national and international cooperation
agencies.


Infrastructure
--------------

     RCP is a dialup active node in the INTERNET organization, that
uses the store and forward system of NOVELL networks, Tokenring, DOS
PCs, VAX, SUN, DEC and other systems integrated in the national network,
running on UNIX operative system.

     Its development is supported by the existing (or currently being
installed) national telecommunications infrastructure, both public and
private national and international telephone lines (CPT and ENTEL);
national x25 network (Perunet); special circuits or dedicated lines (CPT
and ENTEL); optic fiber network (RED DIGITAL ENTEL);cellular telephone
networks (CPT and Celular 2000).  It is also supported by the transponder
in PANAMSAT I, belonging to the Ministry of Education as well as
different international carriers rendering service in Peru.

     The main concentration node of the national network is accessed via
two lines within the commuted telephone line (RTC 19,200 kbps), a space
circuit x25 (Perunet 9,600 kbps) allowing for the simultaneous access of
16 users, a Netblazer router allowing for the (TCP/IP) network access
through a special circuit (dedicated line) or through a commuted
telephone line (RTC).

     International communications are held several times per day through
international calls (IDD) generated by the m2xenix machine located in
Oregon, United States, where they enter the international backbone of
the National Science Foundation.



                     THE NATIONAL NETWORK (RCP)


General Information on the Project
----------------------------------

     The organization and distribution of activities within the
national system and the scientific and technological cooperation call
for the constant exchange of information on the national, regional and
international scopes.

     Electronic mail has allowed our researchers to get information
which not long ago was inaccessible by other means.  It has also
contributed to the establishment of interinstitutional cooperation and
coordination links which were until now beyond imagination.

     The current installation of referential data banks distributed all
over the network, accessible via electronic mail (listservers), the
establishment of thematic subnets (the health and the epidemiologic
alert networks), the operation of more than 20 interest groups
susbscribed in similar international lists all this generates a constant
increase in the dataflow through the country and also internationally.

     The new needs lead us to the simultaneous development of a network
architecture to allow for means of communication in different scopes:
national (IP links), regional (IP links with our neighbors, especially
Andean ones, and through them with the rest of LAC) and international
(IP dedicated link with NSF).


National Architecture
---------------------

     The dynamic development of this infrastructure is projected in two
non-exclusive stages, the development of which can be partially or
completely simultaneous.

     The first stage is currently being developed in the location of
Lima, Peruvian's capital city, which gathers the majority of educational
and research institutions.  It projects the interconnection of 10
concentrator nodes (by locations and / or interest areas), linked by
special circuits (64 or more kbit/s dedicated lines in the digital cable).
First preliminary tests projected for 1992-1993.

     The second stage prioritizes the development of departmental nodes
that geographically concentrate the traffic and allow for a reduction in
the telecommunications costs of province located institutions.  The
establishment of special circuits is also aimed at with the main RCP node,
located in Lima (x25 dedicated lines:  19,200 kbps, 64 kbit/s optic
fiber; or others: 9,200 kbps).  First preliminary tests projected for
1993-1994.

     RCP, based on its various national components, will enable the
interactive access of final users to the resources available in the
several institutions that form the network.  Linkage of the same (IP) in
the local networks existing in each campus will imply an efficient
structure that will allow for their future evolution.

     Provincial nodes located in the country borders can ensure low cost
link with neighbor countries, thus opening ways to enhance regional
cooperation and the exploitment of mutually shared resources.  First
preliminary tests projected for 1993-1994.

     The above mentioned link will clearly allow for an improvement of
research related communications and for a real development of regional
science and technology.  It thus represents the communications means that
will be decisive in future industry, finance and trade.

     This national and regional development is necessarily supported by
the establishment of a high quality linkage with the NSF international
backbone in the United States.  For this purpose, we intend to establish
two 64 Kbit satellite channels, supported by the contract between Peru's
Ministry of Education and Alpha Lyracom, which provides PAS I and PAS II
(Panamsat) with a transponder.  This does not exclude the possibility of
using international carriers (Sprint and MCI, available in the local
market).

     All the described development is a part of the original RCP project,
elaborated in May, 1991 and later on improved through consecutive
proposals and documents published by RCP along 1991 and 1992.


Necessary Equipment for Project Implementation
----------------------------------------------

     In order to implement the project in all its stages, the purchase
of equipment and the acquisition of national and international
telecommunications infrastructure is a must. This refers to both RCP
infrastructure and the concentrator nodes of national scope.

     In most cases, RCP member institutions are financially able to
afford these needs on their own.  For other cases, cooperative solutions
will be found, based on interinstitutional collaboration aiming at the
purchase of necessary equipment.  In most cases, RCP's task focuses on
searching the best international prices for all the network member
institutions, on the reception and entry of the equipment; but also
consists essentially in providing orientation as for equipment
characteristics, aiming at a better individual and common use of it.



                        GENERAL OBJECTIVES


1.  To provide the Peruvian academic community with better services in
    national communications, such as a better link with the
    international backbone of academic networks;

2.  To develop a coherent national INTERNET network;

3.  To increase inter-institutional cooperation in the national,
    regional and international scope;

4.  To reduce the national research system's communication costs, and to
    allow for a future reduction of regional costs over the basis of
    cooperation;

5.  To start an IP regional backbone that links Peru, Ecuador, Colombia,
    Bolivia, Chile; and, through the latter, Argentina, Uruguay and
    Brazil.


                          SPECIFIC OBJECTIVES

1.  To provide RCP, the Peruvian National Network, with equipment
    for the installation and implementation of a national IP network and
    an international link;

2.  To provide RCP, the Peruvian National Network, and the regional
    networks with the equipment necessary to install and implement links
    with neighbor countries' networks;

3.  To provide RCP, the Peruvian National Network, with the resources
    necessary to establish a lasting IP link with the international
    backbone (one cost time, or for a reasonable period of time);

4.  To train human resources on the national and regional levels for
    using new equipments and technologies.  National and regional level
    training and divulgation of new technologies.


Jose Soriano
Peruvian Scientific Network Administrator
--
un abrazo
Jose
***********************************************************************
Jose Soriano   - Red Cientifica Peruana - e-mail : js@rcp.pe
Av. del Ejercito 1870 - San Isidro - Lima - Peru
TE: ( 51 -14) 46 - 16 -95 / 36 89 89 anexo 527 / fax:  36 01 40
-----------------------------------------------------------------------

------------------------------

Date: Fri Feb 19 14:33:00 -0600 1993
From: roberts@decus.arc.ab.ca ("Rob Slade, DECrypt Editor, VARUG NLC... )
Subject: File 2--Denning's _Computers Under Attack_ (critique)
Copyright: Robert M. Slade, 1993


          _Computers Under Attack: intruders, worms and viruses_
                         Peter J. Denning, ed.

ACM Press (11 W. 42nd St., 3rd Floor, New York, NY 10036, 212-869-7440)
                          ISBN 0-201-53067-8

This book is a very readable, enjoyable and valuable resource for anyone
interested in "the computer world".

That said, I must admit that I am still not sure what the central theme of
this book is.  Denning has brought together a collection of very high
quality essays from experts in various fields, and at one point refers to
it as a "forum".  That it is, and with a very distinguished panel of
speakers, but it is difficult to pin down the topic of the forum.  Not all
of the fields are in data security, nor even closely related to it.  (Some
of the works, early in the book, relating to what we now generally term
"the Internet", do contain background useful in understanding later works
regarding "cracking" intrusions and worm programs.)

All, however, are interesting and sometimes seminal works.  Some are
classics, such as Ken Thompson's "Reflections on Trusting Trust" and Shoch
and Hupp's "The Worm Programs".  Others are less well known but just as
good, such as the excellent computer virus primer by Spafford, Heaphy and
Ferbrache.

(Please do not consider my confusion over the subject to be a criticism,
either.  I do want to recommend the book.  I just find myself wondering to
whom to recommend it.  Also, in fairness, I must say that Peter Denning,
who has had a chance to respond to the first draft of this review as
usual, doesn't consider it a review.  Which, I suppose, makes us even  :-)

The book is divided into six sections.  The first two deal with networks
and network intrusions, the next two with worms and viral programs, and
the last two with cultural, ethical and legal issues.  While all of the
topics have connections to data security, there are some significant
"absences".  (There is, for example, no discussion of the protection of
data against "operational" damage, as in accidental deletions and failure
to lock records under multiple access.)

In addition to shortages of certain fields of study within data security,
the treatment of individual topics shows imbalances as well.  The division
on worm programs contains seven essays.  Six of these deal with the
Internet/Morris worm.  The seventh is the unquestionably important Shoch
and Hupp work, but it is odd that there is so much material on the
Internet/Morris worm and nothing on, say, the CHRISTMA EXEC.

Sad to say, the essays are not all of equal calibre.  This is only to be
expected: not all technical experts have equal facility with langauge.
However, in spite of the noted gaps, and the occasional "bumps" in the
articles, most of the articles can be read by the "intelligent innocent"
as well as the "power user".  At the same time, there is much here that
can be of use to the data security expert.  At the very least, the book
raises a number of ongoing issues that are, as yet, unresolved.

What, then, is the book?  It is not a data security manual: the technical
details are not sufficient to be of direct help to someone who is
responsible for securing a system.  At the same time, a number of the
essays raise points which would undoubtedly lead the average system
administrator to consider security loopholes which could otherwise go
unnoticed.

Is it a textbook?  While it would be a valuable resource for any data
security course, the "missing" topics make it unsuitable as the sole
reference for a course.  The breadth of scope, and the quality of the
compositions make it very appealing, as does the inclusion of the large
social component.

While the book won't have the popular appeal of a "Cuckoo's Egg", it is
nevertheless a "good read" even for the non-technical reader.  The
section on international networks is particularly appropriate as society
is becoming more interested in both email and "cyberspace".  The overview
it gives on related issues would benefit a great many writers who seem to
have a lot of "profile" but little understanding.

My initial reason for reviewing the book was primarily as a resource for
those seeking an understanding of computer viral programs.  As such,
there are definite shortcomings in the coverage, although what is there
is of very high quality.  The additional topics, far from detracting
from the viral field or clouding the issue, contribute to a fuller
understanding of the place of viral programs in the scheme of computers
and technology as a whole.  Therefore, while it would be difficult to
recommend this work as a "how to" for keeping a company (or home) safe
from viral programs, it should be required reading for anyone seriously
interested in studying the field.

One point is raised by the inclusion of the cultural, social and legal
essays within the book.  It was with a trepidation growing almost to a
sense of despair that I read the last two sections.  Here we see again
the same hackneyed phrases, and the same unmodified positions that have
been a part of every discussion of computer ethics for the last twenty
years.  (Or more.)  This is by no means to be held against Denning: on
the contrary, it is the fact that he has selected from the best in the
business that is so disheartening.  Do we really have no more options
than are listed here?  Can we really come to no better conclusions?

One illustration that is repeatedly used is that of credit reporting
agencies.  We feel that such entities must be watched.  We note that
the computer systems which they depend upon must be checked for
anomalies, such as bad data or "key fields" which cross link bad data
with good people.  Still and all, we see them as a necessary evil.
Breaking into such systems, however, is an invasion of privacy, and
therefore wrong.  Carried to its logical conclusion, this attitude
states that "free" access to such semi-private information is wrong,
but that it is "right" for companies to make money by "selling" such
information.

Of course the situation is not quite that simple.  (It never is, is it?)
After all, a large corporation needs the goodwill of the public for its
continued existence.  The corporation, therefore, has more of a vested
interest in safeguarding confidential information than any random
individual with a PC and a modem.  This belief in the "enlightened self
interest" of corporations, however, would seem to more properly belong
to an earlier age: one in which corporations didn't go bankrupt and
banks didn't fall like dominos.  After all, it used to be that
companies kept employees on for forty years before giving them the gold
watch.  Now even the most stable might lay off forty thousand in one
year.

A single thread runs through almost all sixteen articles, four
statements and ten letters in the final two sections.  It is a call,
sometimes clarion, sometimes despairing, for "computer ethics".  Not
once is there proposed what such an animal might be.  Even the NSF
(National Science Foundation) and CPSR (Computer Professionals for
Social Responsibility) statements only hint at some legalistic
definitions, but never try to look at what a foundation for such
"ethics" might be.  With our society discarding moral bases as fast as
possible, the most useful statement might be Dorothy Denning's, when,
in conversation with Frank Drake, she states that, "The survival of
humanity is going to demand a much greater level of caring for our
fellow human beings ... than we have demonstrated so far."

Still even the disappointments of this final part of the book are
important.  "Computers Under Attack" is a realistic overview of the
current state of thinking in information technology, and the problems
facing society as a whole.  Far from the "gee whiz" of the futurist, and
equally distanced from the sometimes dangerous "CH3CK 1T 0UT, D00DZ!" of
the cyberpunk, Denning's collection of essays is important not only for
the concerned computer user, but also for anyone concerned with the
future of our increasingly technically driven society.


==============                      ______________________
Vancouver      ROBERTS@decus.ca    |    |     /\     |    | swiped
Institute for  Robert_Slade@sfu.ca |    | __ |  | __ |    | from
Research into  rslade@cue.bc.ca    |    | \ \    / / |    | Mike
User           p1@CyberStore.ca    |    | /________\ |    | Church
Security       Canada V7K 2G6      |____|_____][_____|____| @sfu.ca


------------------------------

Date: Fri Feb 19 08:56:55 EST 1993
From: robin@utafll.uta.edu (Robin Cover )
Subject: File 3--Repondeur Telephonique sur Ligne Occupee (reprints)
Copyright: BT Plc , 1989 (pour le 1er), Whk Eng'g Corp., 1993 (le 2e)

[Moderateur: Page 22 d' _Industries et Techniques_ no. 735 du 5 courant,
une breve donne le texte suivant: "En Angleterre, Orpington a concu un
repondeur qui prend des appels meme quand la ligne est occupee. Le
CallMinder se branche sur le reseau telephonique sans equipement
particulier (New Scientist 02/01)". Aucune trace d' "Orpington" sur l'
annuaire electronique anglais, 3619 code GB1.]


Stealing:  A March on Thieves
Swift, Peter
British Telecom World  PP: 44-45  Sep 1989 ISSN: 0953-8429


ABSTRACT: Auto Tracer, a new automobile security system, was developed by a
UK  businessman,  Bernard  Hunt.  The  system allows an automobile owner to
reclaim  a  stolen car by dialing a secret paging number. This turns on the
car's  hazard  lights  and headlights, starts a siren, replaces the license
plate  with  a  message  reading  "stolen  car,"  and  stops  the engine by
eliminating  the  flow of gasoline. Telecom Security offers home protection
with  a  system  that  has  covered door sensors to detect forced entry, an
infrared  motion  detector,  a  smoke  sensor, an internal siren, a control
keypad,  and  a  master control panel. An external dummy bell box acts as a
visual  deterrent  to  criminals.  Callminder,  from  Commtel, offers total
control over all outgoing telephone calls except emergency, free-phone, and
operator fault notification calls.

GEOGRAPHIC NAMES: UK
DESCRIPTORS: Security systems; Automobiles; Homes; Crime; Fire alarm
   systems; Detection alarms

+++++++

UK: TELECOM WATCH - NEW TELEPHONE ANSWERING SERVICE - CALLMINDER
Electronic Times (ELTIM) - January 14, 1993  Page: 8
By: Peta Firth


Several months ago I was selected by BT to try out an intelligent network
service before it went on sale. I was invited to apply to be connected
free to test a proposed new service called Callminder.

   The invitation was couched in "while stocks last" and "first come first
served" terms so I sent off the form not really expecting to hear much
about it again. After all it seemed like a good offer. Callminder, a
telephone answering system based at the local exchange, was something
useful for nothing: always an attractive proposition, I thought.

   But I was selected, and soon received the literature on how to use it
along with a personal identity code to access messages.

   On the morning the service was set to begin I rushed excitedly to the
office to try it out. I called my home number but nothing happened. There
was no answer. Disappointed, I called the enquiry number supplied by BT.
But instead of an explanation I was given a "hotline" number to dial. This
turned out to be hotter than expected: it was the British Gas emergency
number. I called the first number again to check the hotline number was
correct. After explaining that I doubted British Gas would be able to help
I was politely put through to someone else in BT.

   The second BT person said: "Ah yes, You are ahead of us, you know." He
suggested it might begin later that afternoon.

   It did, so I recorded my message to replace the computer generated one
and cheerfully thought to myself: at last, I have an answering machine.

   But over the course of the next few weeks my opinion of the service
slipped. For a start it kept breaking down. I would only find out when
callers told me I must have been imagining I had an answering service
because there was no answer when they tried to ring me. I explained to BT
that if an answering machine was not working when I thought it was, it was
causing more confusion than if I never had one in the first place. After
this complaint BT agreed to at least tell me when the system had been out
of action.

   When the system is working, which to be fair is most of the time, it
still puts callers off. Even people who have overcome their dislike of
answering machines are put off by the interruption after my recorded
message of a brisk computer generated voice in school mistress tones
demanding the caller's name and message.

   The final straw came when I discovered the service did not work in the
small hours of the morning. BT suggested I might like to buy an answering
machine to cover the period. This, of course, would make Callminder
pointless.

   The reason I am telling you all of this is that the DTI issued a
consultative document about intelligent networks just before Christmas.
The document calls for comments from ptos, switch and computer
manufacturers, service providers and users on how to liberalise
intelligent network services. The plan is to take "exclusive control of
the service away from the switch manufacturer" by creating a "generic
software platform" which can be produced and implemented by an vendor.

   This could turn the fortunes of switch manufacturers on their head. It
could destroy any hopes they may have had that pouring money into software
development will maintain their market share. A host of tiny software
houses will be able to undercut the giant switch manufacturers who are
busy expanding their hardware expertise into software.

   If my experience with Callminder is anything to go by, that would be a
great shame. because for me it turned out that if I want reliability I
have to turn to an answering machine: dedicated hardware.

------------------------------

End of Chaos Digest #1.10
************************************

Downloaded From P-80 International Information Systems 304-744-2253