Computer underground Digest Sun May 17, 1992 Volume 4 : Issue 22 Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Associate Editor: Etaion Shrdlu, Jr. Arcmeisters: Brendan Kehoe and Bob Kusumoto CONTENTS, #4.22 (May 17, 1992) File 1--Some Corrections to '90 Bust Story in CuD 4.21 File 2--The Defense of Entrapment (Reprint) File 3--COCOTS and the Salvation Army (Follow-up) File 4--Chaos Computer Club France's hackers bibliography Issues of CuD can be found in the Usenet alt.society.cu-digest news group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM, on Genie in the PF*NPC RT libraries, on the PC-EXEC BBS at (414) 789-4210, and by anonymous ftp from ftp.eff.org (192.88.144.4), chsun1.spc.uchicago.edu, and ftp.ee.mu.oz.au. To use the U. of Chicago email server, send mail with the subject "help" (without the quotes) to archive-server@chsun1.spc.uchicago.edu. European distributor: ComNet in Luxembourg BBS (++352) 466893. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Tue, 12 May 92 01:14:12 CST From: anonymous@anon.edu Subject: File 1--Some Corrections to '90 Bust Story in CuD 4.21 The following clarifications should be noted in reference to the article in Cu Digest, #4.21, in the Steve Jackson Games section: >In July of 1989, Secret Service agents were examining electronic >mail records of a privately-owned computer system in Illinois >owned by Rich Andrews. Those records, which contained the >computer equivalent of a list of all mail sent through a >particular post office, showed that a copy of a newsletter called >"Phrack" had been sent to Loyd Blankenship, the managing editor >at Steve Jackson Games, Loyd Blankenship, in late February of >1989. Actually, the records showed that Loyd Blankenship *sent* a copy of Phrack 24 to someone on Jolnet. He received his own copy directly >from Craig. The source was not Jolnet. >1/90: Bell Communications Research security manager Henry M. >Kluepfel dials into Loyd Blankenship's home BBS, the Phoenix >Project, under his real name. Mr. Kluepfel was never on Phoenix Project under his real name, according to userlogs from the day the system was taken down. He certainly would have been *welcome* on -- The Phoenix Project had several phone security officers and law enforcement agents already. CuD moderators reportedly possess userlogs from TPP during its history and can verify that there is no "Kluepfel" among the users on any of those logs. >2/90: Search warrants are given for the residences of Bob Izenberg >(2/20), Loyd Blankenship (2/28) and Chris Goggans (2/28), and at >the office of Steve Jackson Games (2/28). The SJG warrant is >unsigned; the other warrants are signed by U.S. Magistrate >Stephen H. Capelle on the day that they're served. Bob Izenberg was raided in 2/90. Goggans, Loyd Blankenship and SJG were raided in 3/90. The warrant for Loyd was also unsigned, as was (if previous reports are correct) the warrant for Chris. >Three hours after the raid at another, Secret Service agents have >called Austin computer store owner Rick Wallingford at home, to >verify that he sold a pinball machine to one of the warrant >subjects. It was a PacMan machine. >CHRIS GOGGANS: Former employee of Steve Jackson Games. >Unavailable for comment. Chris Goggans was never an employee of Steve Jackson Games. These may seem trivial corrections, but because of the rumors and inaccurate information about the case and its particulars, we should assure that even minor details are correct. ------------------------------ Date: 10 May 92 20:48:10 EDT From: Gordon Meyer <72307.1502@COMPUSERVE.COM> Subject: File 2--The Defense of Entrapment (Reprint) The Defense of Entrapment As it Applies to Bulletin Board System Operators By Randy B. Singer, Esq. For now, it is unclear how the law applies to protect speech communicated through electronic bulletin boards. There are hundreds, maybe thousands, of enthusiast-run bulletin boards across the country provided for the free use of the public to exchange ideas and publicly distributable software. The system operators of these bulletin boards are providing a wonderful public service, out of the goodness of their hearts, usually for no monetary gain (in fact, often at a considerable loss). These sysops cannot afford to fall into a gray area of the law and find themselves having to defend an expensive criminal suit or having to do without their computer equipment because it has been confiscated by the police as evidence. Running a public bulletin board can expose a system operator (sysop) to all sorts of legal problems that have yet to be adequately defined. For instance: What happens if one user posts slanderous/libelous information about another user? Is the sysop liable? Is a bulletin board more like a newspaper in this regard or is it more like a meeting hall? What happens if a user uploads something clearly illegal, like child pornography, which other users download before the sysop has a chance to review the material? Is the sysop liable? What is the liability of the sysop if he runs a bulletin board in his/her back room and he/she almost never monitors the activity on it? Is the sysop required to constantly monitor the goings-on on their board to prevent illegal activity? It is therefore understandable that sysops have tried to protect themselves legally the best that they have known how. Unfortunately, there has been a lot of misinformation spread about what the law is and how it pertains to the community of bulletin board users and operators. Hopefully this text file will clear up one of the most common legal misconceptions that is going around. I have often seen posts that evidence a complete misunderstanding of what constitutes the defense of entrapment. As an attorney I would like to explain this law and its application, especially as it pertains to electronic bulletin board operators. Entrapment is a complete defense to a crime that a person has been charged with. It varies in how it is interpreted in each state, and on the federal level, but generally it is as I have defined it here. Entrapment only exists when the crime involved is the creative product of the police. (That is, the idea to commit this crime came from a police officer, or an agent of the police. The alleged criminal never would have thought of committing this crime if it hadn't been suggested to him by the police, or if the means to commit the crime had not been offered to the alleged criminal by the police.) AND the accused was not otherwise predisposed to commit the crime involved. (That is, the accused probably wouldn't have committed this or any other similar crime if the police had never been involved.) BOTH elements must exist for the defense of entrapment to apply. For instance: When John DeLorean, owner of the (then about to fail) DeLorean Motor Company, was arrested and tried for selling cocaine, he was found not guilty by reason of the defense of entrapment because, the jury determined, the police took advantage of the fact that his failing company made him a desperate individual. The police sent in an undercover officer to offer him a bag of cocaine to sell to raise money to save his company. The entire idea for the crime came from the police; they provided the instrumentality (the coke); and John DeLorean probably would never in his life have sold drugs to anybody if the police hadn't shown up to offer him the drugs to sell at the exact right time. The reason for the law is obvious: we don't want the police setting up desperate people to get busted just because those people are unfortunate enough to find themselves in desperate situations. In fact, we don't want the cops to set up any law abiding citizens, even if they are not desperate. Tempting people who would not ordinarily commit a crime is not what we want police officers to do. Now that you have the definition of entrapment, let's talk about what entrapment is NOT. I've read a lot of posts from people on boards who think that entrapment exists when a police officer goes undercover and does not reveal his true identity when asked. This is NOT covered by the defense of entrapment per se. The defense of entrapment does NOT require a police officer to reveal himself when asked. Going undercover is something that the police do all the time, and there is nothing that prohibits them from doing so. If you are predisposed to commit a crime (e.g., you are already engaged in illegal activity before an undercover police officer comes on the scene), and an undercover police officer simply gathers evidence to convict you, the defense of entrapment does not apply. So, for instance, if an undercover police officer logs onto a bulletin board and lies and says that he/she is not a police officer when asked, and he/she finds illegal material or goings-on on this bulletin board, then whatever he/she collects and produces against the system operator as evidence towards a criminal conviction is not precluded >from being used against the sysop in court. At least it is not excluded by the defense of entrapment, because in this instance the defense of entrapment does not apply. The police officer is allowed to act undercover, and the illegal acts were not the creative product of the police. Also remember that the defense of entrapment is a COMPLETE defense. So it does not act to exclude evidence, but rather it acts towards one of three things: having a grand jury find that there is not sufficient evidence that a conviction could be obtained to proceed to a criminal trial against the sysop; having the case dismissed before trial; or a finding of 'not guilty' after a criminal trial. The defense of entrapment also doesn't necessarily apply if the police officer simply asks the system operator to do something illegal and he does it. In this case the district attorney would argue that the sysop was predisposed to commit the illegal act, especially if the illegal act was already going on in one form or another on the board. For instance, if the police officer asks the sysop to download to him some commercial software, the defense of entrapment will not apply if there is already commercial software available in the files section of the bulletin board. What would probably be required for the defense of entrapment to apply would be for the police officer to have enticed or misled the system operator into doing the illegal act, and it would have had to have been an illegal act that wasn't already going on on this bulletin board. This MAY allow the use of the defense of entrapment. I say "may" because it depends on the facts in each individual situation to see how closely they meet the requirements for the defense of entrapment to apply. You may surmise from my reticence to commit to saying that the defense of entrapment definitely WOULD apply that the defense of entrapment is not a defense that I recommend that you rely on. I've seen some bulletin boards say something to this effect in their logon screen: "Access restricted. Police officers must identify themselves, and are forbidden from gaining entry to this bulletin board." This type of message not only does not protect a bulletin board from the police (assuming that there is something that might be interpreted as illegal going on on this board), but it actually alerts any police officer who may casually log on to this board to immediately suspect the worst about this board and its system operator. There is nothing that I know of that would keep an agent of the police from lying about his/her status and logging on as a new user and gathering evidence to use against the sysop. In fact, I'm not sure, but I would not be surprised to find in the current legal climate that such a logon message is enough evidence to get a search warrant to seize the computer equipment of the system operator of this bulletin board to search for evidence of illegal activity! At some future date I hope to write a file that will detail how sysops can protect themselves from legal liability. (That is, by avoiding participating in arguably illegal activity, and by avoiding liability for the uncontrollable illegal acts of others. I have no interest in telling sysops how to engage in illegal acts and not get caught.) But for now, I hope that this file will give sysops a better understanding of the law and how one aspect of it applies to them. Disclaimer: The information provided in this document is not to be considered legal advice that you can rely upon. This information is provided solely for the purpose of making you aware of the issues and should be utilized solely as a starting point to decide which issues you must research to determine your particular legal status, exposure, and requirements, and to help you to intelligently consult with an attorney. No warrantees, express or implied, are provided in connection with the information provided in this document. This document is provided as is, and the reader uses the information provided here at their own risk. (Sorry for the necessity of covering my behind! Just remember, you get what you pay for, so I cannot guarantee anything I have written here. If you want legal advice that you can take to the bank, you should hire an attorney. Besides, just like everyone these days, we need the work!) About the Author: Randy B. Singer is an attorney in the San Francisco bay area. He does business law, personal injury, computer law, and Macintosh consulting. He also gives seminars at the Apple offices in downtown San Francisco for attorneys and others who are interested in learning about the Macintosh computer. He can be reached at 788-21st Avenue, San Francisco, CA 94121; (415) 668-5445. Copyright (C) 1992 Randy B. Singer. All rights reserved. This document may be freely distributed as long as it is not for monetary gain or as part of any package for sale. This work may not be modified in any way, condensed, quoted, abstracted or incorporated into any other work, without the author's express written permission. This reprint taken from ST Report #8.19, used with permission ------------------------------ Date: Fri, 15 May 92 16:41:38 CST From: moderators Subject: File 3--COCOTS and the Salvation Army (Follow-up) In Cu Digest 4.20, we related the problems of a COCOT (Coin-operated, Customer-owned Telephone) installed at the Salvation Army Freedom Center in Chicago. In brief, The SAFC, a community release center for recently-released state and federal prisoners, had installed COCOTS that were charging prisoners, who generally come from low-income populations, significantly higher rates than conventional carriers. The COCOTS utilize long distance carriers that are demonstrably not in compliance with federal law (PL 101-435). In the next issue, we will provide a follow-up to the lack of responsiveness of the carriers (U.S. Long Distance) and the billing agents (Zeroplus Dialing and GTE). This note summarizes the response of the Salvation Army, which was the only organization that took the problem seriously and acted upon it. When we summarized events in 4.20, we had been unable to obtain consistent information from the telecos because of multiple layers of billing accountability and significant contradictions in information that we were given. We were also, at that time, unable to reach anybody at the SAFC who could provide us with information. So, we expressed our frustration by raising questions that we would have asked SAFC officials. Since then, we have talked with several SAFC personnel, and without exception they were deeply concerned about the problem. They had received numerous complaints from ex-offender customers about the technical service of the COCOTS, but they were not aware of the long distance tolls until we brought it to their attention. They emphasized that it was neither their intent nor their practice to profit from telephone services. The information they provided supports their community reputation as a viable and dedicated organization committed to helping ex-offenders return to the community. In response to our questions, we were told the following: The SAFC *does not* itself own the COCOTS, and the COCOTS there are fairly new. The Salvation Army recently signed a contract with a company that promised to deliver services identical to the previous system, Illinois Bell, at no extra cost to the users. The SAFC signed a contract when told they would receive a better commission with equal service and no increased rates. Some sources indicated that the COCOT phones did not, in fact, provide better service, and there was some concern expressed by ex-offenders and others that the COCOT was, in fact, *more expensive* for users than the previous carrier. Our own experience suggested that, for long distance rates at least, this complaint has substance. The SAFC center does receive a monetary return from COCOT use. The return is accumulated for the residents' benefit fund. This fund is used to replace equipment, provide amenities (such as tv sets), defray costs for special events such as the annual Christas part, and provide modest resources for indigent prisoners in emergencies. The profits from the COCOT are ultimately returned directly to the prisoners, and the SAFC itself does not profit. SAFC personell emphasized that there are still alternative (RBOC) telephones available, and at least one telephone is available at no charge for important calls such as obtaining job interviews. Because the SAFC is bound by contract to their current COCOT owner, they are not sure of their options for the long run. Over the short run, however, they indicated that they will address the problem in two ways. First, they will discuss the problems with the owner and attempt to assure that the terms of the contract--equal service at no higher costs--are met. Second, they will emphasize "consumer literacy" and assure that their clients are aware of the differences in especially long distance rates between the various long distance service providers and explain that users are legally entitled to place calls to alternative carriers if the one to which they initially connect is not to their liking. We have sent them a copy of PL 101-435 to assist them in their discussions with the COCOT owner and to provide their consumers with adequate information. We commend the SAFC for its handling of the situation. Salvation Army officials were concerned that our previous post would communicate erroneous information about the nature of the SAFC and its operation. Both they, and others, affirmed that the SAFC is a successful, exceptionally beneficial, and highly reputable program with only one end in mind: To help ex-offenders. If our previous remarks were excessively strident, we apologize. They have displayed both honor and initiative in protecting prisoners from exploitation, and we thank them for their concern. It is unfortunate that GTE, USLD, and Zeroplus cannot follow their example. ------------------------------ Date: Wed, 6 May 92 07:27 GMT From: Jean-Bernard Condat <0005013469@MCIMAIL.COM> Subject: File 4--Chaos Computer Club France's hackers bibliography Enclosed one bibliography that all the CCCF's members read all the time in France... Sincerely yours, Jean-Bernard Condat Chaos Computer Club France [CCCF] B.P. 8005 69351 Lyon Cedex 08, France Phone: +33 1 47 87 40 83, Fax.: +33 1 47 87 70 70. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ File x: Chaos Computer Club France's hackers bibliography Nelson, B. [Univ. of Southern California, Los Angeles, CA, USA]: "Straining the capacity of the law: the idea of computer crime in the age of the computer worm In: Computer/Law Journal (April 1991) vol.11, no.2, pp.299-321 Considers whether traditional justifications for the criminalization of conduct are adequate to encompass new forms of 'criminal' behavior arising out of advanced computer technology. Describes the reactions of legislator, computer designers and users, and members of the general public who have opposed Robert Tappan Morris's trial a nd conviction. Two prominent and competing theories, retribution and utilitarianism,are useful in helping understand the conflict between two sets of social values: those we seek to protect by means of a criminal justice system and those associated with the basic principles of freedom. Nonetheless, neither traditional retributive nor utilitarian theory provides a clear justification for the imposition of criminal punishment in the case of the 'crime' that Morris committed when he introduced the Internet worm. (61 Refs) Spafford, E.H.[Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN, USA]: "Are computer hacker break-ins ethical?" In: Journal of Systems and Software (Jan. 1992) vol.17, no.1; pp.41-7 Recent incidents of unauthorized computer intrusion have brought about discussion of the ethics of breaking into computers. Some individuals have argued that as long as no significant damage results, break-ins may serve a useful purpose. Others counter that the break-ins are almost always harmful and wrong. This article lists and refutes many of the reasons given to justify computer intrusions. It is the author's contention that break-ins are ethical only in extreme situations, such as a life-critical emergency. The article also discusses why no break-in is 'harmless'. (17 Refs) Kluepfel, H.M.: "In search of the cuckoo's nest-an auditing framework for evaluating the security of open networks" In: EDP Auditor Journal (1991) vol.3; pp.36-48 In Clifford Stoll's best-selling book "The Cuckoo's Egg" he describes the pursuit of a computer hacker who, like the cuckoo, left something in the computing nests of other users. The paper provides a perspective on auditing networked systems to find the nest which may have an extra 'egg' in it or is inviting one because of a breakdown in security design or practice. It focuses on: the security implications for an increasingly open network architecture; the lessons learned from performing intrusion post-mortems; the need for architecture plans and systems engineering for security; an audit framework for evaluating security. (26 Refs) Raymond, E.S.: "New Hacker's dictionary" Publisher: MIT Press, London, UK (1991); xx+433 pp. From ack to zorch (and with hundreds of other entries in between) The New acker's Dictionary is a compendium of the remarkable slang used by today's computer hackers. Although it is organized in reference form, it is not a mere technical dictionary or a dry handbook of terms; rather, it offers the reader a tour of hackerdom's myths, heroes, folk epics, in-jokes taboos, and dreams-an unveiling of the continent-spanning electronic communities that knit hackers together.Appendixes include a selection of classic items of hacker folklore and humor, a composite portrait of 'J. Random Hacker' assembled from the comments of over one hundred respondents, and a bibliography of nontechnical works that have either influenced or described the hacker culture. (12 Refs) Arnold, A.G.; Roe, R.A.[Dept. of Philosophy & Tech. Social Sci., Delft Univ of Technol., Netherlands]: "Action facilitation; a theoretical concept and its use in user interface design" In: Work With Computers: Organizational, Management, Stress and Health Aspects. Proceedings of the Third Conference on Human-Computer Interaction. Vol.1, pp.191-9 Editor(s): Smith, M.J.; Salvendy, G.; Elsevier, Amsterdam; xii+698 pp. The concept of action facilitation, derived from Hacker's theory of goal-directed action, can be defined as an improvement or maintenance of performance under conditions of decreasing mental and/or physical effort. This concept applies to any kind of work, including work with computers. A method for operationalizing this concept in the context of human-computer interaction is discussed, and it is shown how this method can be applied to the evaluation and design of user interfaces for office systems. (20 Refs) Menkus, B.: "'Hackers': know the adversary" In: Computers & Security (Aug. 1991) vol.10, no.5; pp.405-9 Abstract: Confusion appears to continue among many of those concerned about computer security about who hackers are, what they do and why they are doing it. The author clarifies some of the terms, concepts, and motives involved in the hacker phenomenon. The author discusses the hackers' objectives and their methods. He discusses some of the problems that need to be resolved to in order to tackle hackers' activities. Implementing an effective counter hacker strategy rests on the recognition that access to information is only granted to aid in tasks of value to the organizatio and that an organizatio does have the right to own and use legitimate information. He concludes that three tactics should be employed: initiation of active lobbying by the targets of hacker activity; improved personnel attribute verification on access; and tracing system use activity on a real-time basis. (3 Refs) Cook, W.J.: "Costly callers: prosecuting voice mail fraud" In: Security Management (July 1991) vol.35, no.7; pp.40-5 Abstract: On August 17, 1990, Leslie Lynne Doucette was sentenced to 27 months in prison. Her sentence, one of the most severe ever given to a computer hacker in the United States, was based on her role as the head of a nationwide voice mail computer fraud scheme and her unauthorized possession of 481 access codes as part of that scheme. Evidence developed during the investigation and disclosed in pretrial proceedings, revealed that the case was part of a broader trend toward voice mail computer abuse by hackers. This article examines the telecommunication technology involved and the ways computer hackers use and abuse that technology, and it summarizes the investigation that led to Doucette's conviction and the convictions of other hackers in her group. Myong, A.M.; Forcht, K.A.[James Madison Univ., Harrisonburg, VA, USA]: "The computer hacker: friend or foe?" In: Journal of Computer Information Systems (Winter 1990-1991) vol.31, no.2; pp.47-9 Abstract: To most people, the hacker seems somewhat harmless but the reality is quite the contrary. Quite often, extremely sensitive data is accessed by hackers and tampering of any kind can cause irreversible damage. Although this situation is causing great concern, the hacker is not seen as the hardened criminal, and laws dealing with this kind of 'technological trespass' poses the question: 'is the hacker a friend or foe?' Obviously, these hackers violate the security and privacy of many individuals, but by doing so, vulnerabilities in the systems are showcased, alerting the need for increased security. Paradoxically, by committing computer crimes, these 'hackers' could be doing society an indirect favor. The authors give a profile of a hacker and explain how some users and systems make it easy for one to break into their system. Various actual hacks are also presented. (13 Refs) Koseki, J.: "Security measures for information and communication networks" In: Data Communication and Processing, (1991) vol.22, no.4; pp.38-46 Abstract: The causes of interruptions of the information/communication system can be classified roughly into accidents and crime. The factors of disturbing system operations include reduction of system functions due to traffic congestion. While accidents occur due to unexpected natural phenomena or human errors, crimes are failures based on intentional human behavior, unjust utilization and destruction of the system involving the hacker and computer virus. In order to complete the security for information and communication networks and eliminate the risk of accidents and crime, it is necessary to improve system functions and take harmonious measures viewed from human and legal factors as well as a technological standpoint. Zajac, B.P., Jr.[ABC Rail Corp. Chicago, IL, USA]: "Interview with Clifford Stoll (computer crime)" In: Computers & Security (Nov. 1990) vol.9, no.7; pp.601-3 Abstract: Concerns the trials of Clifford Stoll, tracking a hacker that was looking for US military information and then trying to convince the Federal Bureau of Investigation that he had an international computer spy on his hands. As the system manager, he was to track down a $0.75 discrepancy in one of the accounting systems. In his quest Stoll discovered that this was not the simple theft of some computer time but was something far greater-international computer espionage aimed at US military computers. "IT security" In: Wharton Report (Aug. 1990) no.144; pp.1-8 Abstract: As our reliance on computer systems increases so too does the risk of data loss. A computer can be insecure in many ways: a clever hacker, a virus, a careless employee or a vandal can steal, destroy, alter or read data with relative ease. In addition to this, the proliferation of networks and the increasing number of tasks given over to a company's central computer have, while helping us achieve higher degrees of output, made our data even more insecure. The trend towards open systems will also bring us security problems. Schneider, E.W.[Peacham Pedagogics, Madison, NJ, USA]: "Progress and the hacker ethic (in educational computing)" In: Educational Technology (Aug. 1990) vol.30, no.8; pp.52-6 Abstract: A hacker is someone who writes clever code on a small machine in something very close to machine language so that the small machine does things that would be impressive on a big time-sharing machine. Microcomputers were introduced into schools by teachers who were also electronic hobbyists. Some of these teachers went on to learn programming, becoming true hackers. Due to unprecedented demand from industry, true hackers in education are an extinct species. Other teachers developed skills in keeping the machine running, and ordering the latest and greatest; they form a group that is peculiar to education: the pseudo-hackers. Most computer applications in higher education have adopted a hacker ethic. They act as if educational research and medical research used the same way of determining needs, funding, and performing research, and disseminating the results. They expect teachers to be as motivated as doctors, learning about the latest techniques and adopting them as quickly as possible. That may well be the way it ought to be, but that certainly isn't the way that it is. Cook, W.J.: Uncovering the mystery of Shadowhawk In: Security Management (May 1990) vol.34, no.5; pp.26-32 Abstract: How can a juvenile infiltrate some of the country's most classified and secured datafiles? Easy-with his home PC. On February 14, 1989, a hacker was sentenced to nine months in prison, to be followed by two and a half years' probation, and was ordered to pay restitution totaling $10000. On February 28, 1989, he started serving his prison term in a prison in South Dakota. If the hacker had been 18 when he committed these crimes, he would have faced a possible 13-year prison sentence and fines totaling $800000. Facts developed during a one-week trial established that between July and September 1987, the hacker, under the code name Shadowhawk, used a modem on his home computer to gain unauthorized remote access to AT&T computers in Illinois, New Jersey, North Carolina, and Georgia and stole copies of copyrighted AT&T source code worth over $1,120,000. (7 Refs) Greenleaf, G.: "Computers and crime-the hacker's new rules" In: Computer Law and Security Report (July-Aug. 1990) vol.6, no.2; p.21-2 Abstract: The author reflects on the international response to the case of Robert Morris, a US hacker. He looks at recent Australian legislation on computer crime and some legal definitions from England. Kluepfel, H.M. [Bellcore, Morristown, NJ, USA]: Foiling the wily hacker: more than analysis and containment Conference Title: Proceedings. 3-5 Oct. 1989 International Carnahan Conf. Security Technology; pp.15-21 Publisher: ETH Zentrum-KT, Zurich, Switzerland; 1989; 316 pp. Abstract: The author looks at the methods and tools used by system intruders. He analyzes the development of the hacker, his motivation, his environment, and the tools used for system intrusion. He probes the nature of the vulnerable networking environments that are the target of intrusions. The author addresses how to turn the tables on these intruders with their own tools and techniques. He points out that there are many opportunities to learn from the intruders and design that knowledge into defensive solutions for securing computer-based systems. The author then presents a strategy to defend and thwart such intrusions. (16 Refs) Dehnad, K. [Columbia Univ., New York, NY, USA] : "A simple way of improving the login security" In: Computers & Security (Nov. 1989) vol.8, no.7; pp.607-11 Abstract: The login procedure is formulated as a test of hypothesis. The formulation is used to show that the commonly used procedure provides valuable information to a hacker which enables him to use trial and error to gain access to a computer system. A general method for reducing this information is described and its properties studied. The method introduces randomness into the procedure, thus denying a hacker the luxury of trial and error. (6 Refs) Earley, J.: "Supplier's view-considering dial-up (hacker prevention)" In: Computer Fraud & Security Bull. (Oct. 1989) vol.11, no.12; pp.15-18 Abstract: Discusses the practicalities of hacker prevention. Password protection, data encryption algorithms and the combination of data encryption and access control are briefly considered. The Horatius access control system and Challenge Personal Authenticator are discussed. Lubich, H.P.: "Computer viruses, worms, and other animals: truth & fiction" In: Output (5 April 1989) vol.18, no.4; pp.31-4 Abstract: Computer viruses can be classified according to characteristics, especially their effects and their propagation mechanisms. Harmless and destructive viruses and their propagation in computer systems are discussed. Related definitions of virus, worm, mole, Trojan horse, trapdoor, logic bomb, time bomb, sleeper, hole, security gap, leak, hacker, and cracker are explained. System penetration by hackers or viruses has been aided by lack of system security consciousness, and by security deficiencies in hardware and software supplied by manufacturers. Countermeasures discussed include care in software purchase, use of test programs, use of special security measures, and recourse to legislation. Brunnstein, K.: "Hackers in the shadow of the KGB" In: Chip (May 1989) no.5; pp.14-19 Abstract: The author examines the question of whether hackers are criminals or idealists. He sketches a profile of a typical hacker (which turns out to be similar to that of a professional programmer) and looks at hackers' work methods, clubs and motives. He outlines some of their more wellknown cases (e.g. the Chaos club, the Hannover hacker, the involvement of Russia in buying stolen technical secrets) and comments on the measures being taken to prevent hackers getting in and to make computer systems 'secure'. Campbell, D.E. [PSI Int., Fairfax, VA, USA]: "The intelligent threat (computer security)" In: Security Management (Feb. 1989) vol.33, no.2; pp.19A-22 Abstract: This article is about the hacker as an external threat, a terrorist, a person who destroys information for spite, revenge, some get-rich-quick scheme, or some ideological reason-but always with physical or electronic destruction or modification of data as a possible end result. The hacker as a destructive force is the external threat all information systems are faced with, and as a manager of these systems, your job may depend on how well you defend your data against such a force. Samid, G.: "Taking uncommon-but effective-steps for computer security" In: Computers in Banking (March 1989) vol.6, no.3; pp.22, 61-2 Abstract: System managers and security officials should take the time to familiarize themselves with the hackers job. Only then will they develop a sense of their system's vulnerability. Such awareness is a prerequisite for installation of a heavy-duty defense. No computer system is break-safe. Therefore computer security starts with identifying who will benefit the most from breaking in. Then the analysis should assess the value of breaking in for the intruder. That value should be less than the effort or cost of accomplishing the intrusion. As long as the balance cost/benefit is kept unfavorable to the would-be intruder, the system is virtually break-safe. Wilding, E.: "Security services shaken by UK hacker's claims" In: Computer Fraud & Security Bulletin; (Jan. 1989) vol.11, no.3; pp.1-5 Abstract: Discusses the case of Edward Austin Singh, the UK hacker reported in October to have accessed some 250 academic, commercial, government and military networks worldwide. This case serves as a useful framework for discussing legal issues related to computer hacking in the UK. Gliss, H.: "US research systems attacked by German student" In: Computer Fraud & Security Bulletin (July 1988) vol.10, no.9; pp.1-3 Abstract: A researcher with 'a hacker's mentality' caught a German computer science student from Hanover. The researcher, Clifford Stoll from Lawrence Berkeley Laboratory (LBL), trapped the student by a trace connection over the US data networks into Bremen University (West Germany) and from there through DATEX-P to the individual telephone from which the hacker did his job. The author gives a comprehensive overview about Stoll's successful approach, and the lessons which LBL management drew from the case. Beale, I.: Computer eavesdropping-fact or fantasy In: EDP Auditor Journal (1988) vol.3; pp.39-42 Abstract: Equipped with a black and white television set, an antenna and a small amount of electronics equipment it is possible to display the information from the screen of a terminal located in a building over 300 metres away. This shows how easy eavesdropping can be, how inexpensive the necessary equipment is and how readable the data received is. Clearly then, senior management within many companies should be concerned about the vulnerability of their systems and the information contained within them. A broad range of information currently processed on computer systems is of a confidential nature and needs to be stored and processed within a secure environment. This type of information includes financial data, financial projections, design data for new products, personnel records, bank accounts, sensitive correspondence and competitive contract bids. Any of this information may be valuable to eavesdroppers either for their own use, or so that they can sell it to a third party. Another interested party in this technology is the would-be hacker. By using eavesdropping techniques, the hacker will be able to readily identify user ids and passwords which are valid on client computer systems. This will be much more efficient than the techniques currently used by hackers to identify valid user id and password combinations. Stoll, C.: "Stalking the wily hacker" In: Communications of the ACM (May 1988) vol.31, no.5; pp.484-97 Abstract: In August 1986 a persistent computer intruder attacked the Lawrence Berkeley Laboratory (LBL). Instead of trying to keep the intruder out, LBL took the novel approach of allowing him access while they printed out his activities and traced him to his source. This trace back was harder than expected, requiring nearly a year of work and the cooperation of many organizations. This article tells the story of the break-ins and the trace, and sums up what was learned. (49 Refs) Schechter, H.: "Dial-up network management-more than just security!" Conference Title: SECURICOM 86. 4th Worldwide Congress on Computer and Communications Security and Protection; pp.173-8 Publisher: SEDEP, Paris, France; Date: 1986; 476 pp; Date: 4-6 March 1986 Abstract: During the last few years, worldwide data communications networks have been besieged by terrorist attacks, the personal computer hacker. As businesses have aggressively pursued the use of the PC and dial-up services, they have found that they must guard their networks and data, and at the same time manage this dial-up network like they manage leased line networks. The paper analyzes the needs and components of dial-up network management and security. Troy, E.F.: "Security for dial-up lines" Issued by: Nat. Bur. Stand., Washington, DC, USA; May 1986; vi+60 pp. Abstract: This publication describes the problem of intrusion into government and private computers via dial-up telephone lines, the so-called 'hacker problem'. There is a set of minimum protection techniques against these people and more nefarious intruders which should be used in all systems which have dial-up communications. These techniques can be provided by a computer's operating system, in the best case. If the computer does not have the capability to give adequate protection against dialup intruders, then other means should be used to shore up the system's access control security. There are a number of hardware devices which can be fitted to computers or used with their dial-up terminals and which provide additional communications protection for nonclassified computer systems. This publication organizes these devices into two primary categories and six subcategories in order to describe their characteristics and the ways in which they can be used effectively in dial-up computer communications. A set of evaluative questions and guidelines is provided for system managers to use in selecting the devices which best fit the need. A set of four tables is included which lists all known devices in the four primary categories, along with vendor contact information. No attempt is made to perform any qualitative evaluation of the devices individually. (41 Refs) Roberts, W. [Dept. of Comput. Sci., Queen Mary Coll., London, UK]: "'Re- member to lock the door': MMI and the hacker" Conference Title: System Security: Confidentiality, Integrity, Continuity. Proceedings of the International Conference; pp.107-14 Publisher: Online Publications, Pinner, UK; Date: 1986; xii+232 pp. Conference Date: Oct. 1986; London, UK Abstract: Increasing emphasis is being placed on the importance of man machine interface (MMI) issues in modern computer systems. This paper considers the ways in which common MMI features can help intruders to breach the security of a system, and suggests methods for enhancing system security and data integrity by careful MMI design, aiding both the user and the system administrator. Murphy, I. [Secure Data Syst., Philadelphia, PA, USA]: "Aspects of hacker crime: high-technology tomfoolery or theft?" In: Information Age (April 1986) vol.8, no.2; pp.69-73 Abstract: Computer crime is an increasingly common problem worldwide. Perpetrated by a growing band of people known as hackers, it is exacerbated by the ease with which hackers communicate over clandestine bulletin boards. The types of information contained in these boards is reviewed, and a parallel is drawn with the problem of telephone fraud also rampant in the USA. The author looks at the problem of unauthorized access to telephone lines and personal data. (1 Ref) Shain, M.: "Software protection-myth or reality?" Conference Title: Protecting and Licensing Software and Semiconductor Chips in Europe; 30 pp. Publisher: Eur. Study Conferences, Uppingham, Rutland, UK; 1985; 273 pp. Conference Date: 7-8 Nov. 1985; Amsterdam, Netherlands Abstract: The article reviews the motives people have for copying software and estimates the size of the revenue loss due to this. Commercial software protection schemes are reviewed and an account of microcomputer fundamentals is given for those with no prior knowledge. The techniques used by the software hacker are analyzed and a view is taken as to whether software protection is a myth or reality. Mullen, J.B.: "Online system reviews: controls and management concerns" In: Internal Auditor (Oct. 1985) vol.42, no.5; pp.77-82 Abstract: The generally accepted controls for online systems can be divided into three categories: preventive; detective; and corrective. The preventive controls include sign-on key and passwords. The periodic changing of these controls and other preventive access controls may prevent a hacker from learning the access system via observation. The detective controls include: line protocol, which defines the method of data transmission; front-end edits, routines within the online-application programs to detect errors in critical fields; and authorization files, online files containing user passwords. Corrective controls include: transaction logging; online training, security software; audit caveats; audit procedures and effectiveness. Rous, C.C. [Cerberus Comput. Security Inc., Toronto, Ont., Canada]: "What makes hackers tick? A computer owner's guide" In: CIPS Review (July-Aug. 1985) vol.9, no.4; pp.14-15 Abstract: Harmless pranksters or malicious wrongdoers? A computer security expert points out the differences and similarities-and offers preventative tips. A major concern of most data processors today is the threat of 'The Hacker'. This article attempts to de-mystify the breed by examining hacker psychology. The focus is on the distinction between frivolous and serious, or benign and malicious, hackers. While the distinction is valid, it is equally important to recognize the fundamental similarities between the two. In addition, no matter how benign the hacker who penetrates a system, if he or she has done so a more malicious one presumably could too. The author goes on to list the different types of hacker and provides a detailed analysis of each one. Finally, some lessons for owners and operators of computer systems are offered. Haight, R.C.: "My life as a hacker" Conference Title: ACC '84. Proceedings of the Australian Computer Conference; pp.205-12 Editor(s): Clarke, R. Publisher: Austr. Comput. Soc, Sydney, NSW, Australia; 1984; xx+672 pp. Conference Date: 4-9 Nov. 1984; Location: Sydney, NSW, Australia Abstract: The author has been programming and supervising programmers since 1961. His experiences and personal viewpoint are described. ------------------------------ End of Computer Underground Digest #4.22 ************************************