Computer underground Digest    Wed  Nov 17 1993   Volume 5 : Issue 87
ISSN 1004-042X

Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Copy Editor: Etaoin Shrdlu, III

CONTENTS, #5.87 (Nov 17 1993)
File 1--Mike Godwin's Letter to Judge Stanton (in re phiber optik)
File 2--Another Comment on Phiber sentencing
File 3--CuD Commentary on Phiber Optik Sentencing
File 4--CPSR Crypto Resolution
File 5--Operation "Root Canal"
File 6--ANNOUNCEMENT/Cyberculture Documentary (fwd)
File 7--Internet Encyclopedia (Interpedia) group project/mailing list
File 8--Dos Bug (Re CuD 5.86)
File 9--Students Suspended For Electronic Documents
File 10--U.S. Law and the Constitution
File 11--DES Key Search Paper Available

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG WHQ) (203) 832-8441 NUP:Conspiracy; RIPCO BBS (312) 528-5020
CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.
EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893;
        In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
  AUSTRALIA:      ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
  EUROPE:         ftp.funet.fi in pub/doc/cud. (Finland)
  UNITED STATES:  aql.gatech.edu (128.61.10.53) in /pub/eff/cud
                  etext.archive.umich.edu (141.211.164.18) in /pub/CuD/cud
                  ftp.eff.org (192.88.144.4) in /pub/cud
                  halcyon.com (202.135.191.2) in /pub/mirror/cud
                  ftp.warwick.ac.uk in pub/cud (United Kingdom)
  KOREA:          ftp: cair.kaist.ac.kr in /doc/eff/cud

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Mon, 15 Nov 1993 11:13:11 PST
From: menomonic@well.sf.ca.us
Subject: File 1--Mike Godwin's Letter to Judge Stanton (in re phiber optik)

((MODERATORS' NOTE: phiber optik's sentence includes 12 months incarceration and 600 hours of community service (see CuD 5.86). We have yet to see a cogent argument that could justify incarceration. The following letter by Mike Godwin to the sentencing judge provides a strong rationale for opposing incarceration. Sadly, the judge apparently ignored the substance of the following letter.))

+++++

Here's the letter I sent to Judge Stanton on Mark's behalf:

=========

Washington, DC
Tuesday, October 26, 1993

The Honorable Louis L. Stanton
United States District Judge
Southern District of New York
40 Center Street
New York, New York 10007

Dear Judge Stanton:

I am writing to you about an unusual case you currently have before you--the computer-crime case of Mark Abene. I understand you will be sentencing Mark this coming Wednesday, and it is my wish that you have the fullest knowledge and perspective on the significance of this case and of the particulars of this defendant.

Let me take a moment to tell you about myself. I come to you not just as a concerned citizen who knows the particulars of this case, but also as a nationally recognized expert on computer crime and on computer-crime prosecutions; I am a lawyer who works on computer-crime issues as Legal Services Counsel for the Electronic Frontier Foundation, a public-policy organization based in Washington, D.C. I've delivered papers on computer-crime issues at the 4th Annual Virus Conference and the 50th Annual Meeting of the American Society of Criminologists, and I've spoken to law-enforcement groups, professional organizations, and the general public on the legal and policy issues that arise when society responds to the problems of computer crime. I've been quoted on computer-crime issues in publications such as Time, Newsweek, the Wall Street Journal, and The New York Times, and I have lectured FBI agents and federal prosecutors at Quantico. I am deeply familiar with the majority of computer-crime prosecutions that have taken place in the United States. It is because of my familiarity with this type of crime that I am able to say with some authority that Mark Abene deserves special consideration as he comes before you for sentencing.

Mark Abene is a singular individual. I have known him over the last three years as someone who has been consistently driven by the desire for knowledge and for mastery of computer and communications technology, and not by any desire to cause harm to others, or to use his knowledge for personal gain.
It is a measure of our trust in Mark that, when he requested it, we gave him a computer account on EFF's computer system, and it is equally a measure of Mark's trustworthiness that he has been employed since his indictment as a system administrator of ECHO, the most well-known and prestigious computer-conferencing system in New York City. He also has spoken in a number of forums against destructive computer hacking and in favor of improved system security--his reputation as a computer hacker himself gave him special credibility in those forums.

Mark's passion for computer exploration, including the exploration of others' computers, led him to both a philosophy and a conduct of which you and I must perforce disapprove. But it is critical to note that, as wrong as Mark's conduct may have been, it was grounded in a code of ethics that prevented him from even considering action if it would hurt others, or their property or data. Mark, who himself has lectured on computer-crime and computer-security issues, has consistently spoken out against the use of computer-security information for personal gain. And a review of his financial situation will show that he has clearly not used this knowledge to gain money.

Now, the prosecution in this case will assert a number of things about Mark. Please do not accept their comments uncritically. You may be told that, since Mark used certain kinds of phone service without paying for them, this is just the same as taking money or goods, and that he is therefore no different from an ordinary thief. But Mark came of age in a subculture that told him consistently that this kind of use of phone service, like the non-malicious intrusion on others' computers, never directly cost anyone any money.
Regardless of the truth or falsity of this proposition, I feel compelled to note that Mark believed it to be true, and that his code of ethics would have prevented him from engaging in this conduct if he had believed that conduct was harmful in any way.

No one knows better than I do that many computer-crime defendants are driven by destructive or larcenous motives. It is appropriate in such cases to be appropriately severe in sentencing. But Mark's case is different. While his unauthorized intrusions into telephone and computer systems were wrong and clearly deserve punishment, you should take into account the fact that Mark's conduct was consistently informed by a code of ethics and that he was motivated by one of the highest values of our culture, the quest for understanding and mastery of complex technologies.

You should also take into account, your honor, that we live in an age of transition. A decade ago, much of Mark's conduct was not against the law. Two decades ago, his acts were the stuff of science fiction. This means that the social consensus and social norms that we normally rely on to inform people about right and wrong have only just begun to catch up with the advances wrought by computing technology.

The thing to remember about Mark is that his parents and his social environment never taught him that computer intrusion is a crime. Indeed, his parents didn't understand the technology well enough to tell him much of anything about it--nobody's parents know enough. When you and I were growing up, few people talked to us about computers much; certainly no one taught us, by word or example, that computer intrusion is wrong. To the extent that society has managed to come to grips with the moral issues at all, its messages have been ambiguous.
Computer hackers have been consistently painted by the media as heroes, not only in fictional works (see, e.g., the movie "WarGames," the television show "The Whiz Kids") but also in journalistic treatments (see Steven Levy's book Hackers: Heroes of the Computer Revolution, and Jack Hitt and Paul Tough's articles on computer hackers for Harper's and Esquire).

Our society has come to revere the founders of the personal computer industry, so it is worth mentioning that two of the most visible figures in the computer revolution, Apple Computer founders Steven Jobs and Steve Wozniak, got their start selling "blue boxes" designed to help college kids avoid long-distance charges.

Given that the world keeps telling kids that nonmalicious computer and phone hacking is harmless, it's remarkable that we haven't seen even more computer crime before now. Who knows what might have happened had there been any adults available to him, or any positive examples in the media, who could have shown him that even nonmalicious computer intrusion is wrong?

In spite of this lionizing of teenaged computer hackers, Mark managed to put some ethical constraints on his own behavior. He never used his talents to enrich himself, never knowingly caused damage or helped others to do so, and consistently told other young men that these activities are unacceptable. He was wrong not to see that all computer hacking is unacceptable, but the fact that he tried to limit the harmfulness of both his activities and others', together with the fact that he did not use his explorations for self-enrichment or to exert power over others, speaks well of Mark's intuitive moral sense.

Mark comes to you with the disadvantage of being ahead of the curve. This young man, who has never been in trouble with the law except for his computer explorations, will be sentenced in a legal world that has little familiarity with computer-crime cases, even as it has a lot of fear about the dangers of computer crime.
The government has already used this case to send the message that computer intrusion is wrong and should be punished, and for this it should be commended. And Mark, by admitting his own guilt and choosing to accept punishment for his actions, has sent a message to the world of would-be hackers: this kind of conduct is wrong, and it will be prosecuted.

The message I hope you send, with your sentencing of Mark, is that this is the kind of defendant who deserves an appropriately measured punishment, grounded in the recognition that, while he broke the law, he neither intended harm nor knowingly did harm. To the extent possible, Judge Stanton, Mark deserves leniency.

Giving this defendant a long prison term would send the wrong message. It would tell the very individuals who need guidance the most that our legal system refuses to make distinctions between those who intend harm and those who, without intending harm, try to test the limits. If, in sentencing Mark, we show these computer hackers that the legal system is unfair, we will invite them to have contempt for the law in the future. And that would be a grave mistake.

We've already let Mark down once, your honor. I ask that, as you prepare to sentence Mark, you keep our system from letting him down again.

Mike Godwin
Legal Services Counsel
Electronic Frontier Foundation

------------------------------

Date: Mon, Nov 15 1993 12:07:22 PST
From: Jack King
Subject: File 2--Another Comment on Phiber sentencing

I'd give my eye teeth to see the guidelines worksheets and Mr. Abene's presentence report.

That was a great letter, Mike. I'm still having trouble comprehending the severity of his sentence.

Looking at this sentence from another angle, I note without pleasure that someone in Mr. Abene's Criminal History Category (II) would have to steal or embezzle property valued between $70,001 to $120,000 before that individual would merit a mandatory 12 months in the slammer (offense level 12).
See sentencing guideline secs. 2B1.1(b)(1) & 2F1.1, a.k.a. the "loss tables." If the defendant accepts responsibility for his crime, he may steal up to $350,000 before meriting 12 months incarceration.

For a person with second offender status (Criminal History Category II) criminally negligent homicide (sec. 2A1.4, offense level 10) merits 8-14 months in federal prison. Accepting responsibility for the act brings sentencing range down to 4-10 months, which may be served at home or in a community correctional facility (halfway house).

Obviously the judge believes Mr. Abene has been a very bad boy. Whatever he did, it must have been a lot more serious than killing somebody on a federal reservation or defrauding elderly people of their life savings! That's the only message I'm getting out of this.

------------------------------

Date: Wed, 17 Nov 1993 21:15:10 CST
From: Jim Thomas
Subject: File 3--CuD Commentary on Phiber Optik Sentencing

Mark Abene, aka phiber optik, has been sentenced to a year in prison for computer offenses occurring in 1991. According to a Newsbytes article (see CuD 5.86), Judge Louis Stanton said:

     A message must be sent that it is serious. The defendant stands as a symbol because of his own efforts; therefore, he stands as a symbol here today.

It appears that Abene's primary offense was not one of defying a statute, but rather of standing as a signifier of behaviors that threaten comfortable social boundaries between social order and cyber-anarchy. Abene, it seems, was offered up as a scapegoat in another punitive sacrifice on the judicial altars of vengeance.

Most of us would agree that the offenses for which Abene was indicted (see CuD 4.31, file 1, 1992) are unacceptable, and most of us would agree that some form of social response for those involved in such offenses is necessary. However, prison IS NOT NECESSARY!

Abene's sentencing must be placed in the broader context of social responses to crime. As CuD has argued previously, the U.S.
is becoming a carceral nation, a nation of prisoners. As a society, we attempt to resolve social problems by criminalizing and imprisoning those whose behaviors we find offensive. U.S. Department of Justice statistics indicate that in the past five years, the federal prison population has increased by 70 percent (up from 49,928 in 1988), and the states' prison population approaches 900,000 (up by almost two-thirds since 1988). The per capita expenditures in the U.S. for corrections alone were, in 1992, calculated at $94.50. The cost of incarcerating Abene in a federal institution for one year would pay for a four year full college scholarship at a mid-range state university. Incarceration is unacceptably costly, and judges arguably violate the trust invested in their office when they needlessly incarcerate.

If, in addition to the roughly 1.3 million inmates of the nation's prisons and jails, we add those on probation, parole, and other supervised forms of punishment, about 1 in 50 adults, and nearly 1 in 10 males between the ages of 17-30 are *currently* under some form of correctional supervision. When we add those who are no longer under supervision, and those likely to enter the system for the first time in the next two years, the number of (as well as the costs of processing) "criminals" skyrockets.

The proposed amendments to pending federal anti-crime statutes continue this escalation of criminalization and increased punishments, and--if Illinois is typical of the rest of the nation--the increasing tendency to address crime by creating more crimes and locking up more offenders will only add to the prison population without substantially reducing the crime rate. In fact, there is no strong evidence that the current incarceration policies have any substantial influence as a deterrent in reducing crime.

Few would argue against some form of social response for computer violations. The question is what kinds of responses are appropriate for which offenses.
We can start with: Decriminalizing the minor offenses and making them civil offenses. Current criminal law is far too broad in defining and classifying felonious behavior. Of the remainder, numerous options exist:

     1) Fines (akin to traffic fines, jaywalking, public nuisance)
     2) Probation
     3) restitution programs
     4) community service
     5) work release
     6) community corrections
     7) Home incarceration
     8) Split sentences
     9) Boot camps

All of the above carry a punitive burden, are relatively inexpensive, reduce taxpayer expense, have a sliding scale deterrent effect (to the extent that deterrence occurs at all), reduce the burden on the families of the offender, and are more humane.

Some offenders, especially violent or career predators, require separation from society or the punishment of prisons. For most, however, prisons are counter-productive, both for the offender and the rest of us. For Mark Abene, there is simply no valid reason for incarceration when so many alternatives exist that would better satisfy the goals of "just deserts."

So, I must agree with Judge Stanton: Abene does serve as a symbol: He serves as a symbol of an out-of-control system that unnecessarily locks up more of its citizens than any other country in the world. He serves as a symbol for a judicial philosophy that lacks the imagination, fortitude, and willingness to challenge the demagoguery of politicians who pander to fear of crime and posture with "tough-on-offender" rhetoric and legislation. He serves as a symbol of the failure of a society to humanely and reasonably deal with non-violent youthful offenders whose best interests are poorly served by incarceration.

Perhaps Abene does, as Judge Stanton suggests, serve as a symbol of a form of offense that ought be sent a strong message. Perhaps. But, Abene's sentence also symbolizes an offensive carceral system that is far more destructive to the commonweal than any act in which Abene himself participated.
------------------------------

Date: Tue, 26 Oct 1993 21:40:51 EST
From: Dave Banisar
Subject: File 4--CPSR Crypto Resolution

CPSR Crypto Resolution

CPSR Cryptography Resolution

Adopted by the CPSR Board of Directors, San Francisco, CA
October 18, 1993

WHEREAS,

Digital communications technology is becoming an increasingly significant component of our lives, affecting our educational, financial, political and social interaction; and

The National Information Infrastructure requires high assurances of privacy to be useful; and

Encryption technology provides the most effective technical means of ensuring the privacy and security of digital communications; and

Restrictions on cryptography are likely to impose significant costs on scientific freedom, government accountability, and economic development; and

The right of individuals to freely use encryption technology is consistent with the principles embodied in the Constitution of the United States; and

The privacy and security of digital communications is essential to the preservation of a democratic society in our information age; and

CPSR has played a leading role in many efforts to promote privacy protection for new communications technologies:

BE IT RESOLVED THAT

Computer Professionals for Social Responsibility supports the right of all individuals to design, distribute, obtain and use encryption technology and opposes any government attempt to interfere with the exercise of that right; and

CPSR opposes the development of classified technical standards for the National Information Infrastructure.

------------------------------

Date: Mon, 15 Nov 1993 11:38:27 EST
From: David Sobel
Subject: File 5--Operation "Root Canal"

New Documents Raise Questions about FBI Wiretap Claims

In response to a CPSR Freedom of Information Act lawsuit, the FBI has released 185 pages of documents concerning the Bureau's Digital Telephony Initiative, code-named (according to the documents) Operation "Root Canal."
The newly disclosed material raises serious doubts as to the accuracy of the FBI's claims that advances in telecommunications technology have hampered law enforcement efforts to execute court-authorized wiretaps.

The FBI documents reveal that the Bureau initiated a well-orchestrated public relations campaign in support of "proposed legislation to compel telecommunications industry cooperation in assuring our digital telephony intercept requirements are met." A May 26, 1992, memorandum from the Director of the FBI to the Attorney General lays out a "strategy ... for gaining support for the bill once it reaches Congress," including the following:

     "Each FBI Special Agent in Charge's contacting key law enforcement and prosecutorial officials in his/her territory to stress the urgency of Congress's being sensitized to this critical issue;

     Field Office media representatives educating their contacts by explaining and documenting, in both local and national dimensions, the crisis facing law enforcement and the need for legislation; and

     Gaining the support of the professional associations representing law enforcement and prosecutors."

However, despite efforts to obtain documentation from the field in support of Bureau claims of a "crisis facing law enforcement," the response from FBI Field Offices was that they experienced *no* difficulty in conducting electronic surveillance. For example, a December 3, 1992, memorandum from Newark reported the following:

     The Newark office of the Drug Enforcement Administration "advised that as of this date, the DEA has not had any technical problems with advanced telephone technology."

     The New Jersey Attorney General's Office "has not experienced any problems with the telephone company since the last contact."

     An agent from the Newark office of the Internal Revenue Service "advised that since the last time he was contacted, his unit has not had any problems with advanced telephony matters."
     An official of the New Jersey State Police "advised that as of this date he has had no problems with the present technology hindering his investigations."

Likewise, a memorandum from the Philadelphia Field Office reported that the local offices of the IRS, Customs Service and the Secret Service were contacted and "experienced no difficulties with new technologies." Indeed, the newly-released documents contain no reports of *any* technical problems in the field.

The documents also reveal the FBI's critical role in the development of the Digital Signature Standard (DSS), a cryptographic means of authenticating electronic communications that the National Institute of Standards and Technology (NIST) was expected to develop. In a memorandum to the Attorney General, the FBI Director describes the DSS as "the first phase of our strategy to address the encryption issue."

The DSS was proposed in August 1991 by NIST, which later acknowledged that the National Security Agency (NSA) developed the standard. The newly disclosed documents appear to confirm speculation that the FBI and the NSA worked to undermine the independence of NIST in developing standards for the nation's communications infrastructure.

CPSR intends to pursue further FOIA litigation to establish the extent of the FBI involvement in the development of the DSS and also to obtain a "cost-benefit" study discussed in one of the FBI Director's memos and other "Root Canal" documents the Bureau continues to withhold.

For additional information concerning CPSR's work on digital telephony, encryption and network privacy issues, contact Dave Banisar . For general information concerning Computer Professionals for Social Responsibility, contact our National Office in Palo Alto .
------------------------------

Date: Thu, 11 Nov 1993 03:10:45 -0500
From: Richard Ginn
Subject: File 6--ANNOUNCEMENT/Cyberculture Documentary (fwd)

+---------- Forwarded message ----------
Date--Wed, 10 Nov 1993 15:49:17 -0500
>From--john sharp
Subject--ANNOUNCEMENT/CALL FOR RESPONSE

******************************************************************
READ & DISTRIBUTE & READ & DISTRIBUTE & READ & DISTRIBUTE & READ &
******************************************************************

A CALL FOR INPUT, RESPONSE, PARTICIPATION

We are creating a documentary film as part of a larger graduate research project which seeks to investigate the subculture sometimes referred to as "CYBERCULTURE". We are interested in exploring the many facets of electronic culture, and the various means of communication that have sprung up around it. Our interests also include topics such as digital art, net.surfing, net.speak, the interaction of persons on the net, the distribution and accessing of information via the net, and other related issues.

Traditionally, the creation of a documentary project is limited by geographic/time/financial considerations. Through the unique qualities of the NET, we hope to surpass these boundaries, bringing together a wide, diverse range of thoughts, views, works, and perspectives. In essence, we will be an active part of the very topic we are examining.

WHAT DO WE WANT FROM YOU?

We hope to build a broad base of perspectives, viewpoints, and responses to "CYBERCULTURE" so that we can begin to piece together a glimpse of this cultural phenomenon. We welcome input from any and all who have or are exploring related issues, have comments on the feasibility of such a project, as well as any public-domain articles, FAQs, etc. We are looking for folks willing to be interviewed, contribute pertinent materials (info, artwork {written or visual}, commentary), and further avenues of investigation.
We invite you to respond to our project with any/all relevant comments, materials, etc. Please feel free to distribute this post to any LISTs, Usenet groups, BBSs, etc.

Net: jofsharp@bronze.ucs.indiana.edu
mail: J. Sharp/M. Freeman
      Department of Art History
      Indiana University
      Bloomington IN 47405

------------------------------

Date: Mon, 15 Nov 1993 15:21:59 -0800 (PST)
From: DWILSON@CRC.SD68.NANAIMO.BC.CA(DOUGLAS P. WILSON)
Subject: File 7--Internet Encyclopedia (Interpedia) project/mailing list

This is to inform you about the proposed Internet Encyclopedia, or Interpedia and the mailing-list for discussion of it.

The original idea, due to Rick Gates, was for volunteers to cooperatively write a new encyclopedia, put it in the public domain, and make it available on the Internet.

Participants on the mailing-list have expanded the concept by noting that the bibliography entries and references provided with Interpedia articles could include hypertext links to other resources available on the Internet.

Unlike any printed encyclopedia, the Interpedia could be kept completely up-to-date. Indeed, it could include hypertext links to ongoing discussions, and perhaps evolve into a general interface to all resources and activities on the Internet.

If you find these ideas interesting, please join the Interpedia mailing-list by sending a message to interpedia-request@telerama.lm.com with the body of the message containing the word 'subscribe' and your e-mail address, as follows:

     subscribe your_username@your.host.domain

------------------------------

Date: Sun, 14 Nov 1993 19:18:34 GMT-0600
From: "Jeff Miller"
Subject: File 8--Dos Bug (Re CuD 5.86)

It should be noted that VSafe is a misnomer. There is code available that demonstrates how vulnerable VSafe is to a virus attack. The included checksums are no better protection, as if they are deleted, VSafe will just create new checksums, therefore allowing virii to circumvent the original checksum.
I highly recommend NOT using VSafe (due both to the above problem, and the shortcomings I mentioned), and rather using f-prot, which is widely available, and free for personal use, and extremely inexpensive for business use.

------------------------------

From: kadie@CS.UIUC.EDU(Carl M Kadie)
Subject: File 9--Students Suspended For Electronic Documents
Date: Mon, 25 Oct 1993 02:13:03 GMT

tk0jut2@mvs.cso.niu.edu writes:

>Two Mount Olive (N.J.) High School freshmen have been given three days
>of in school suspension for possession of documents protected under
>the First Amendment.
[...]

Here is some information from the ACLU Handbook _The Rights of Students_ (3rd edition) by Janet R. Price, Alan H. Levine, and Eve Cary from ftp.eff.org:pub/academic/law/tinker_v_des_moines:

+-------begin quote-------

[question:] Can a school prohibit students from handing out all literature, including underground newspapers, on school property?

[answer:] No. This would violate the Supreme Court's decision in _Tinker_. Literature may be barred from school property only if its distribution materially and substantially interferes with school activities,{32} and even some disruption in handing out the literature does not justify banning the literature completely. As one court said of students in a particular case, "It is their misconduct in the manner in which they distributed the paper which should have been stopped, not the idea of printing newspapers itself."{33} That same court emphasized the point that minor disruptions must be tolerated to accommodate the right of students to express their views. Since the "interruption of class periods caused by the 'newspaper' were minor and relatively few in number," the source said, the _Tinker_ standard of "material and substantial disruption" had not been met.
A word of advice: Although a rule prohibiting all distribution of literature on school property is unconstitutional, you should ask school officials to change the rule before deciding to defy it.

[Addendum to Chapter Two]

As this book went to press, the United States Supreme Court, in _Hazelwood School District v. Kuhlmeier_ (decided January 15, 1988), upheld the power of [high] school officials to control the content of school-financed newspapers. [...]

As a result of the _Kuhlmeier_ decision, school officials now may censor stories in official school publications so long as, in the words of the Supreme Court, "their actions are reasonably related to legitimate pedagogical concerns."[...]

The Court's decision distinguished between student speech that is part of the school curriculum, such as official publications, theatrical productions, and other school-sponsored activities, and all other forms of student speech that take place on school property. The latter would include leaflets, buttons, unofficial, or so-called underground, newspapers, and other literature that is not school financed. As to all such forms of speech, the _Tinker_ standards discussed throughout this chapter continue to apply. In other words, _Kuhlmeier_ gives school officials no greater power to control either the content or form of such student speech than they had previously. Thus, school officials may _not_ censor such speech merely because they believe it to be biased, poorly written, vulgar, or unsuitable for immature students. Speech that is not part of the school curriculum may be prohibited only if there is evidence that it will materially and substantially disrupt the work of the school.

[References]

[_Tinker v. Des Moines Independent Community School Dist._, 393 U.S. 503 (1969)]

{32} _Eisner v. Stamford Board of Education_, 440 F.2d 803 (2d Cir. 1971); _Quarterman v. Byrd_, 453 F.2d 54 (4th Cir. 1971); _Shanley v. Northeast Independent School District_, 462 F.2d 960 (5th Cir.
1972); _Scoville v. Board of Education of Joliet Township_, 425 F.2d 10 (7th Cir. 1970)

{33} _Sullivan v. Houston Independent School District_, 307 F. Supp. 1328 (S.D. Tex. 1969).

------------------------------

Date: Mon, 25 Oct 1993 18:29:01 -0400
From: "Lee S. Parks"
Subject: File 10--U.S. Law and the Constitution

I'm afraid I don't have the time for a lengthy scholarly discourse on U.S. law and the constitution, but let me give you a very brief education.

First, a founding principle of the legal system of the United States is that you do not need specific legal authorization to do a specific act before you may legally perform such act. Certain acts may be regulated by the government and, under the constitution, the government may be prohibited from regulating certain acts without an amendment to the constitution. Certain actions, which may or may not be violations of law vis-a-vis the government, may be regulated between private parties under either statutory or common law. The law of negligence, for example.

Now the case of regulating PGP or other information about cryptography raises serious constitutional questions under the first amendment to the U.S. constitution, in particular. The question revolves around issues of the definition of "speech" and the scope of prohibited speech. But one must remember that just because Congress has passed a law which has been signed by the President does not make that law legally binding if that law is otherwise a violation of the constitution. In particular, prior restraints against speech are almost never permitted, even if the speech in question is scandalous, libelous or falls within one of the narrow exceptions to the first amendment. Government actions which severely chill the exercise of the right of free speech (which could include the ITAR regulations in question) are also suspect.

To get to the point.
It's not clear the ITAR regulations are legally enforceable, nor is it clear that, even if enforceable, they were violated. There is also no requirement to give the letter of the law a wide berth because it's improper to approach the limits of what is legal.

Everyone should have some knowledge of basic constitutional protections because they form the basis for our society. I believe that ignorance in this area is extremely dangerous to the notions of an ordered liberty that underlie our legal system. If we do not exercise our rights, we may lose them. If we don't know what they are, how can we exercise them? Organizations such as the EFF exist to help make sure that our legal principles are properly applied in areas of new technology, and that requires seeking to ensure rights are protected and extended as appropriate.

------------------------------

Date: Mon, 15 Nov 1993 22:54:49 -0800
From: jonpugh@NETCOM.COM(Jon Pugh)
Subject: File 11--DES Key Search Paper Available

Now that I have my anonymous FTP directory set up and the CuD moderators are back, I should mention that I have made the paper "Efficient DES Key Search" by Michael J. Wiener available to the public in PostScript format. It's just over 150K compressed.

netcom.com::/pub/jonpugh/des_key_search.ps.Z

My comments about this paper garnered a few responses. Specifically, I stated:

> Feel free to correct me if I am wrong, but I don't see the
> applicability of this machine in decrypting DES encoded information
> unless one is in possession of a "Rosetta Stone" using the same key,
> and I think the chances of that are highly unlikely.

Apparently, my Rosetta Stone reference left a few confused. The Rosetta Stone is a tablet which was found in Egypt in 1799 which contains a decree of Ptolemy V from 196 BC written in Greek, Egyptian hieroglyphics and demotic characters (the common people's Greek).
Given that both the formal and informal Greek were known to scholars and that the hieroglyphics were a complete mystery, this stone provided the clue which led to the deciphering of the hieroglyphic language. Hopefully you see the essence of my reference now (well, OK, you already did, but those other dummies didn't ;).

Despite the reference, many people claim that this machine could still decipher an arbitrary ciphertext. It is simple enough to guess at a word or phrase which may be present in the ciphertext and use this in the deciphering machine to find a key which can then be used to decipher the message. Depending on the length of the ciphertext and the correctness of the guess, I believe that a search like this could still be a rather lengthy operation.

Let's do a "back of the envelope" calculation. Let's assume that there is a "From" near the front of the message (not that I would be dumb enough to encode something as standardized as an email header, but I digress). Let's assume 4 hours per character (we can't assume any sort of alignment). A sample message in my mail file comes with a header of about 500 characters. That's roughly 2000 hours of computation, which comes out to about 83 days or almost 3 months. It doesn't sound terribly feasible, particularly considering that messages with this sort of standardized content would be avoided by anyone with half a gram of sense, making the computation required for 4K of text (almost 2 years) or a 10K message (4.5 years) patently excessive. Longer messages get more difficult.

This doesn't even address the issue of false confirmations. The search engine merely looks for a key which can turn a plaintext into a given ciphertext. It is bound to give some false matches when guessing the plaintext. I would be curious to see this issue addressed in more detail.

At any rate, computing power is on the rise, making secure encryption harder and harder to attain. Luckily, Skipjack will solve this problem for us. NOT!
;)

------------------------------

End of Computer Underground Digest #5.87
************************************
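The guessed-plaintext search and the "false confirmations" raised in File 11, worked on a toy cipher as an added example (not part of the digest or of Wiener's paper). The 4-round Feistel cipher, the key value and the sample message are constructed for illustration; the 8-bit key and 16-bit block are chosen so the key-to-block ratio is 2^-8, the same as for DES's 56-bit key and 64-bit block.

```python
import hashlib

KEY_BITS, BLOCK_BITS = 8, 16   # toy sizes; 2^-8 ratio, as for DES (56-bit key, 64-bit block)
TRUE_KEY = 0xA7                # constructed key for the sample
MESSAGE = b"To: ab@c\nFrom: x@y\nHi!!\n"   # constructed 24-byte sample plaintext

def expected_false_keys(key_bits, block_bits):
    """Expected wrong keys mapping one random plaintext block to a given ciphertext block."""
    return 2.0 ** (key_bits - block_bits)

def _f(key, rnd, half):
    # Round function: first byte of SHA-256 over (key, round, half). A stand-in, not DES.
    return hashlib.sha256(bytes([key, rnd, half])).digest()[0]

def encrypt_block(key, block):
    left, right = block                      # two bytes -> two ints
    for rnd in range(4):                     # 4-round Feistel network
        left, right = right, left ^ _f(key, rnd, right)
    return bytes([left, right])

def decrypt_block(key, block):
    left, right = block
    for rnd in reversed(range(4)):           # undo the rounds in reverse order
        left, right = right ^ _f(key, rnd, left), left
    return bytes([left, right])

def encrypt_ecb(key, msg):
    return b"".join(encrypt_block(key, msg[i:i + 2]) for i in range(0, len(msg), 2))

def search(plain, cipher):
    """Exhaustive key search: every key that turns `plain` into `cipher`."""
    return [k for k in range(2 ** KEY_BITS) if encrypt_block(k, plain) == cipher]

def slide_crib(ciphertext, crib):
    """Try the guessed text at each byte offset; return (offset, key, confirmed) hits."""
    hits = []
    for off in range(len(ciphertext) - len(crib) + 1):
        start = off + off % 2                # first block boundary inside the guess
        blocks = [(crib[i - off:i - off + 2], ciphertext[i:i + 2])
                  for i in range(start, off + len(crib) - 1, 2)]
        for key in search(*blocks[0]):       # one full search per offset
            hits.append((off, key, all(encrypt_block(key, p) == c for p, c in blocks[1:])))
    return hits

def false_match_fraction(cipher, true_plain):
    """Fraction of wrong one-block guesses that some key still appears to confirm."""
    fits = {decrypt_block(k, cipher) for k in range(2 ** KEY_BITS)}
    return len(fits - {true_plain}) / (2 ** BLOCK_BITS - 1)
```

With a key space 2^8 times smaller than the block space, at most about one wrong single-block guess in 2^8 yields a spurious key, and checking each further block the guess covers (the `confirmed` flag) cuts that by the same factor again.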