Computer underground Digest Sun Mar 27, 1994 Volume 6 : Issue 27 ISSN 1004-042X Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) Archivist: Brendan Kehoe (He's Baaaack) Acting Archivist: Stanton McCandlish Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Koppa Ediqor: Phirho Shrdlu CONTENTS, #6.27 (Mar 27, 1994) File 1--A JT Apology for CFP No-Show and Deleted CuD Mail File 2--Some thoughts on piracy, hacking and phreaking. File 3--Lopez's reply to "Rape in Cyberspace" File 4--Re: Village Voice & Phlogiston Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send a one-line message: SUB CUDIGEST your name Send it to LISTSERV@UIUCVMD.BITNET or LISTSERV@VMD.CSO.UIUC.EDU The editors may be contacted by voice (815-753-0303), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); and on Rune Stone BBS (IIRGWHQ) (203) 832-8441. CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome. EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893; In ITALY: Bits against the Empire BBS: +39-461-980493 FTP: UNITED STATES: etext.archive.umich.edu (141.211.164.18) in /pub/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ EUROPE: nic.funet.fi in pub/doc/cud/ (Finland) nic.funet.fi ftp.warwick.ac.uk in pub/cud/ (United Kingdom) COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Sun 27 Mar 1994 15:32:54 CST From: Jim Thomas Subject: File 1--A JT Apology for CFP No-Show and Deleted CuD Mail Notes are filtering in from folks who are wondering why I was a no-show at CFP '94 this past week. I apologize for the absence, but it seemed necesssary. I spent the week at my father's side and was with him when he died friday noon. Thanks to Netta Gilboa who gave a precis of my paper at the conference and who, from incoming reports, did a better job of making sense of it than it probably deserved. Thanks also to Bruce Umbaugh who filled in as session chair at the last minute. I probably shouldn't have tried to wade through the backlog of CuD mail late Friday night when I returned, but a sense of returning to a normal routine seemed necessary. Unfortunately, the mail wasn't managed normally---I accidentally deleted many posts---I'm not sure how many, but it was a substantial number. So, if you subbed, sent articles or comments, or whatever, and if you haven't received a response, please resend. Sorry 'bout that. Jim Thomas ------------------------------ Date: Wed, 9 Mar 1994 14:13:30 -0500 From: Dennis Shayne Weyker Subject: File 2--Some thoughts on piracy, hacking and phreaking. The following is a long response I've had laying around to Emmanuel Goldstein's testimony to congress last summer. I think the issues mentioned are still relevant, so I've decided to finish the thing and send it in. I come across sounding a bit like a phone-company advocate, but I don't really think I am. My real reason for writing was to counter what I thought were some poorly thought-out anarchist and libertarian-flavored arguments that hackers and phreaks use to justify behaviors that don't seem justifiable to me. Comments are welcome. Shayne Weyker weyker@wam.umd.edu +>Date: Thu, 10 Jun 1993 16:53:48 -0700 +>From: Emmanuel Goldstein > It is easy to see this when we are talking about crimes that we >understand as crimes. But then there are the more nebulous crimes; the >ones where we have to ask ourselves: "Is this really a crime?" Copying >software is one example. We all know that copying a computer program >and then selling it is a crime. . . . organizations like >the Software Publishers Association have gone on record as saying that >it is illegal to use the same computer program on more than one >computer in your house. They claim that you must purchase it again or >face the threat of federal marshals kicking in your door. That is a >leap of logic. I don't like or agree with the SPA's position, but I also think that users who copy copyrighted non-shareware software and get significant productive use or entertainment out of the software should buy it, and be liable for fines and forced purchase if they don't buy it. The problem with enforcing this is that you can't determine usefulness or entertainment value to the user by auditing their hard drive. And fining them for possessing copyrighted software they don't use is unfair, (in cases where businesses are the target of the software audit the company may not even know it has the software). This doesn't bother the SPA, but if it bothers readers out there in net.land they should get working on ideas for metering the use of software that might be included in every program and that could be reset only the first time its installed on a new storage device (hmm. that might have some of the same hassles as old copy protection schemes). > It is a leap of logic to assume that because a word processor >costs $500, a college student will not try to make a free copy in >order to write and become a little more computer literate. Students don't pirate WordPerfect to become computer literate, they pirate it to write papers. In using the program they may become more computer literate. >Do we punish this student for breaking a rule? Do we charge him with >stealing $500? Certainly not $500, because WP isn't out the cost of manuals, disks, distribution, or free tech support. They are losing a chunk of income of the cost of developing the software, but this loss is compensated for at least partly by the fact that WordPerfect Corp.'s future market share goes up because pirated WP is so widely available and thus becomes the only word processor many people ever bother to learn to use. I would hope they would stick to trying to nail businesses and leave individuals (other than those who resell pirated software) alone as not worth the trouble. WP (like Microsoft) is a very rich and successful software company whom the status quo has served quite well and massive anti-piracy campaigns seem motivated by profit-motive rather than economic self-defense. But the problem remains that those who buy WP are paying for the development of the program while those who pirate are not. The pirates are freeloading by using a good (use of a program that cost millions to develop) and not helping to reimburse the company for the costs of development. This seems not so much like theft as being delinquent on club dues, homeowners association fees, etc. Maybe assigning deadbeats to bill collectors would be a good model for punish piracy. In a perfect world, everything would be shareware, and there would the use verification schemes so that everybody who used would pay up. To the extent that those who pirate WP now get just as much productive use out of it as paid users, pirates are transferring wealth from the paid users to themselves (they both get use of the program, and the legitimate user has to pay for them both). Pirates may also be transferring wealth from WP's employees and stockholders too. Two questions arise: 1) "What gives the pirate the moral right to freeload on the development cost of the software and transfer wealth too themselves from others?" And 2) "We are all (except in dire cases like Nazi Germany) morally bound to obey the law, except where one *publicly* protests the law by deed and is willing to make oneself a test-case to get the law changed (ala Doc Kervorkian). So where do pirates get off claiming all by themselves that laws protecting the intellectual property rights of software companies are void and that they can go around violating the law covertly at little risk to themselves just because they don't like it?" Now if society decides it is willing to allow these unfair transfers of wealth in return for a more computer literate and productive workforce then okay. We allow what some think are unfair disparities of wealth in order to help assure a productive workforce already. But those in favor of punishing piracy could just as easily make libertarian arguments that transfers of wealth that aren't explicitly consented to by the person losing wealth is unjust, and that justice is a higher goal than a somewhat more computer-literate and productive society. >Of course, this represents a fundamental change in our society's >outlook. Technology as a way of life, not just another way to make >money. Does this mean that because its your way of life you shouldn't have to pay for it? (see comments below about phreaking) That because technology is your way of life, other people who make their living producing technology shouldn't be able to make money off of you? Why is technology different than all other categories of commodity to be traded in the marketplace? Don't get me wrong, I have my beefs with capitalism and I like Bruce Sterling's concept of money moving in to control everything in "Green Days in Brunei". But I get the feeling that, deep down, you deny others' right to make money off of you and those like you (making you pay for all long distance, cable TV, fancy telephone services, and all the software that you use regularly) because you couldn't afford it and you wouldn't be able to make as much use of technology (consume as many technological goods) as you would like. I doubt that using your technical skill to cheat the marketplace is a morally acceptable form of protesting the restraints a capitalist system places on you. >After all, we encourage people to read books even if they can't >pay for them because to our society literacy is a very important goal. True, but libraries pay for their copies of books and it is neither encouraged nor legal to photocopy entire books. It's gonna be interesting to see what happens when libraries turn into big full-text on-line databases and as many people can download a particular text as can call in. Like a guy said in Wired 1.1, if the libraries don't charge for this, it might put book publishers out of business. If that happens, who's going to pay authors to write books? >If we succeed in convincing people >that copying a file is the same as physically stealing something, we >can hardly be surprised when the broad-based definition results in >more overall crime. Blurring the distinction between a virtual >infraction and a real-life crime is a mistake. There is a kind of prohibition-era effect that current law (as SPA interprets it) makes petty criminals out of a lot of people. But, the SPA members may feel the opposite way, that if people are made to feel criminal/guilty/fearful for copying software (regardless of whether they get productive use or entertainment out of it) they will copy a lot less and buy a little more. You certainly wouldn't respond this way, but John Q. User might be a different story. A big reduction in the distribution of pirated software is bad for the user (less ability to evaluate before buying, less chance to use new software or software of tangential to one's business) but good for the software companies (more profits for the software industry and possibly more wealth trickling down to those who work for it). SPA is intentionally shortsighted as to the benefits of piracy for users as a whole. Pirates are shortsighted about the justifiably expected economic return for those who invested their money or labor so that MondoBase+ 2.0 has lots of cool features, runs fast and bug free, and comes out before 1996. >LEGISLATION FOR COMPUTER AGE CRIME >Is mere unauthorized access to a computer worthy of >federal indictments, lengthy court battles, confiscation of equipment, >huge fines, and years of prison time? It depends on who's computer you mess with, generally no. Whether they look at restricted information or not the state might have a legitimate interest in making an example of someone who was playing around in 911 computers or computers with honest-to-goodness sensitive 911-related information, the National Crime Information Center, Department of Defense, IRS, Department of State, Nuke power plants, hospitals, city electrical grid controls, etc. I want people to stay the hell out of critical systems like that. But this hasn't been the kind of hacking most folks have been busted for... I agree the government has been clumsy and techno-illiterate in its response and has stomped on more than a few people's rights. >Or is it closer to a case of trespassing, which in the real world is usually >punished by a simple warning? "Of course not," some will say, "since accessing >a computer is far more sensitive than walking into an unlocked office >building." If that is the case, why is it still so easy to do? However, I think the analogy to an unlocked office building is a bad one. It more like entering the office building through city sewers or steam tunnels or looking for a forgotten unlocked window to crawl through. Hackers don't just wander into a system, it takes effort and some applied skill. If somebody had a really wimpy lock on their front door you could open with a credit card, I think it would still be breaking and entering to do so. And I wouldn't expect any thanks for demonstrating how bad their security is. >If it's possible for somebody to easily gain unauthorized access to a computer >that has information about me, I would like to know about it. Are you saying that you would only hack into a system that you knew or expected held information about you personally? I'm guessing that you would extend this argument that held information about other people, any people, and that you would be doing them a service by showing them if their system is insecure. If your reason for penetrating computers reduces to nothing more than to show it can be done, thereby marginally improving someone's (not necessarily your) privacy, then issues of protecting people's privacy as a motive for your hacking recede into the background. I firmly believe that hackers hack because they like the challenge, the ego boost, the subversive feel of it, the feeling of power, etc. They may wind up goading sysadmins into producing more secure systems, but I doubt that's their motive. If that were so, they would anonymously inform sysadmins of holes as soon as they found them. If the admin doesn't fix the hole then warn the admin "the hole will be disseminated to others soon, get on the ball or else". I've gotten the impression that hackers actually penetrate a system repeatedly the same way just so they can do fun superuser kinds of things and try to conceal their penetrations for as long as possible rather than inform the sysadmin of the hole. Goofing around or inviting others into the system and leaving the admin to discover unauthorized highly priviledged users, degraded system performance, or damage to files may get a faster closure of the hole, but is unethical and unnecessary if the real goal is protecting the system's users' privacy. >But somehow I don't think the company or agency running the system would tell >me that they have gaping security holes. Hackers, on the other hand, are >very open about what they discover which is why large corporations >hate them so much. And they hate you for "being open" because it makes extra work for the sysadmins, and broadcasts the presence of security holes to malicious as well as non-malicious hackers, thereby increasing the chance that a malicious hacker will get in and do some real damage before the hole is fixed. The increased security of systems is a nice side-effect of hacking, but as long as hackers keep publishing holes there are going to be some poor schmuck sysadmins who get or act on the news a bit later than some malicious hacker, and get their systems' users get hurt. >THE DANGERS OF UNINFORMED CONSUMERS >In 1984 hackers were instrumental in showing the world how TRW kept credit >files on millions of Americans. Most people had never even heard of a >credit file until this happened. Passwords were very poorly guarded - >in fact, credit reports had the password printed on the credit report >itself. . . . More recently, hackers found that MCI's Friends and Family >program allowed anybody to call an 800 number and find out the numbers >of everyone in a customer's "calling circle". In both the TRW and MCI >cases, hackers were ironically accused of being the ones to invade >privacy. What they really did was help to educate the American >consumer. I believe they actually did both. They read and in some cases altered people's credit records. And I'm guessing they fooled around with playing see-who's-in-so-and-so's calling circle for a while until they got bored. Nevertheless, these were cases were hackers' activity was eventually socially useful. Phreakers' much more common activity of toll fraud driving up everyone else's phone rates is not socially useful. Hackers blowing into local business and university computers and grabbing "trophies" to show each other and changing the system passwords so the sysadmin can't get in, is not socially useful. >the local phone companies take advantage of consumers. Here are a few >examples: > Charging a fee for touch tone service. This is a misnomer. It >actually takes extra effort to tell the computer to ignore the tones >that you produce. Everybody already has touch tone capability but we >are forced to pay the phone company not to block it. While $1.50 a >month may not seem like much, when added together the local companies >that still engage in this practice are making millions of dollars a >year for absolutely nothing. Why do they get away with it? Because they justify it as recouping the cost of buying and installing the DTMF equipment that lets them offer touch tone service. If they have long since gotten back their investment in the equipment the charge should be dropped. And they way to do that is get a group of people or a lawyer upset about it and then to go to the appropriate regulatory agency and say "look how this monopoly is gouging consumers". >Other examples abound: being charged extra not to have your name >listed in the telephone directory, a monthly maintenance charge if you >select your own telephone number, Both of these require the phone company to break with normal routines, thereby becoming a bit less productive and spending a bit more money. In their preparation of the phone book and of assigning new numbers, they use more labor to serve your wants relative to those of other phone customers. (Of course, this is also true as a class of people who live in the rural/low population density areas, but they're subsidized by the taxpayers.) If you're unlisted they have to insert a few extra steps into the production of the phonebook before it goes to press to make positively sure you're not in it. If you're not in information, they probably have to 1) make a (probably trivial) change in your computer record and 2) make (less trivial) allowances in the programming/design of the information assistance software for people desiring un-assistable numbers. If you have a custom phone number they have to check that 1) its not being used (trivial) and 2) make allowances in their planning/programming of the number assigning system for numbers (re)entering service sooner than would have been expected if numbers had been moved in and out of use according to plan rather than by customer whims. Some people will pick custom numbers which they could have gotten by normal assignment, which eliminates the second reason, but for efficiency in billing and fair/equal treatment of those who want custom numbers, all should be charged the same. The main point here is that somebody had to make the design changes in how the phonebook is produced and in the computer systems that manage information assistance and number allocation to accommodate these requests for additional privacy/customization, and those changes cost money to design and implement and cost a (tiny) bit more in operating costs/maintenance/upgrades each year than one which didn't have to make allowances for privacy and custom phone numbers. Of course, that doesn't answer the question of why individuals who want privacy should have to bear the costs rather than the entire phone-using community . . . but again (like with the issue of earning back the cost of installing touch-tone equipment) this is something to take up with the agency who regulates the telco or an interested legislator. >the fact that calling information to get a number now costs more than calling >the number itself. Directory assistance requires the use of human operators and the creation and maintenance of a particular subset of the phone company's computer database system for public access. Placing a normal direct-dial call requires neither. Lazy people who create more demand for this service by not looking up numbers in the phone book should pay more (remember assistance at payphones, where you may not have a book, is free). Ideally getting information for numbers that have been added since the book came out should be free as well, but the added administrative cost of doing that is probably prohibitive. >More recently, we have become acquainted with a new standard >called Signalling System Seven or SS7. Through this system it is >possible for telephones to have all kinds of new features: Caller ID, >Return Call, Repeat Calling to get through a busy signal, and more. >But again, we are having the wool pulled over our eyes. For instance, >if you take advantage of Call Return in New York (which will call the >last person who dialed your number), you are charged 75 cents on top >of the cost of the call itself. **>Obviously, there is a cost involved when new technologies are introduced. >But there is no additional >equipment, manpower, or time consumed when you dial *69 to return a >call. It's a permanent part of the system. As a comparison, we could >say that it also costs money to install a hold button. Imagine how we >would feel if we were charged a fee every time we used it. The cost of a hold button is paid for all at once in the price of your phone, and it costs the phone company nothing to maintain. There was probably a time when hold buttons were a hot new feature and phones with them cost significantly more. The tens of millions (I'm guessing) of dollars in electronics and human labor that went into making SS7 go from an IDEA in some Bellcore engineer's mind to DESIGN then to PROTOTYPE then to PRODUCTION then to INSTALLED EQUIPMENT came from somewhere, and those people want their money back, with interest. So the phone company recoups their cost. And they do it from those who actually use the SS7 services, which seems fair. Again, they phone company should not be allowed to make undue profits off of SS7 services, but merely charging for them is okay. There is an issue of information-technology haves and have-nots here though. If all these cool SS7 options are expensive then only rich people will be able to afford them easily and middle-class people on down will have to make decisions about what they'll give up each month in order to afford the SS7 services. You may not like it, I may not like it, but that's how capitalism works. Including the cost of SS7 in basic rates would be unfair to the poor since I suspect they as a group would be significantly less likely to use the services than the rich and middle class but would then be paying for the SS7 services they don't use as well. >The local companies are not the only offenders but it is >particularly bad in their case because, for the vast majority of >Americans, there is no competition on this level. If they're a monopoly, someone outside their company has to approve their rate schedule. Mobilize a group, find that someone who regulates rates, and complain, or write your congressman. If there were competition, all providers might still charge for SS7 services the same way since customers choosing a local phone company would probably be most price sensitive about the basic monthly rate rather than the bells and whistles. Telcomm-power-users are not a big enough group to be the bread and butter of you local telco. It might be that the phone company is getting lots of profits off of SS7 and using that to subsidize the basic rate for everyone, effectively shifting some costs from all users to "power-users" of the phone system. This may or may not be fair, but it is not the same thing as the phone company ripping you off. Cross-subsidy is a way of life. It might also be that since its a new technology, there is a relatively limited supply of SS7 equipment out there to be bought by telco's and the installed base of SS7 equipment in your area can only handle so much usage. Microeconomics 101 Solution: Charge a mint for the SS7 services and demand will stay manageable despite the wonderful convenience it offers. Once again, capitalism at work. >AT&T, MCI, and Sprint all encourage the use of calling cards. >Yet each imposes a formidable surcharge each and every time they're used. >there is no extra work necessary to complete a calling card call - at least > >not on the phone company's part. . . . But billing is accomplished merely by >computers sending data to each other. . . . Everything is >accomplished quickly, efficiently, and cheaply by computer. Therefore, >these extra charges are outdated. I bet a bunch of phone co. programmers and EE's had to write a lot of code and design and install networks that upgraded the phone company's computerized billing system to handle calling cards. See the above comments on SS7 for what this means. And let's not forget calling card fraud and the investments in security to control it, an unfortunate side-effect of offering card-calling. Who should bear that cost? All customers, or those that use the calling cards? You might say, why not the employees and shareholders of the phone company for not having a more secure calling card system? Sometimes they do: phreakers ran Metrophone out of business if I remember right. But if phone companies gave individuals pass-numbers that didn't include their phone numbers and were much harder to memorize, people would either change phone companies or raise holy hell with the regulatory agency to get them to undo it. Computerized calling-card identification by voiceprint might crush toll-fraud, but who is going to pay to design, build, install, and maintain the system? Phreakers seem to feel that their consumption of time on phone company lines and equipment without paying for them is like hackers breaking in and using otherwise-unused CPU time on some company's computer. First, I'm not too sure that hackers don't degrade performance of systems they invade if only by soaking up the labor of system administrators who could be doing other things besides constantly updating and improving system security. To which you'd say "we're not making work for them, we're keeping them from being complacent and becoming sitting ducks for industrial espionage and malicious hackers." Maybe so, but you're also taking time away from their efforts to make their systems faster, more reliable, friendlier, etc. And what is the Hacker community's record with regard to malicious hackers who trash companies systems? Do they actively try to find out these guys and inform on them? I doubt it, although I'd be happy to learn otherwise. If non-malicious hackers' real purpose is to help companies to defend themselves against malicious hackers, then they probably should as a rule inform on malicious hackers. But is phreaking morally equivalent to hacking? Is it just using left-over bandwidth, which can be thought of as being like unused CPU cycles? I don't know. I can imagine scenarios where because of the additional demand for services created by phreakers, more switching equipment and programmer-hours have to be bought which might not have been bought otherwise. And there is still the issue of making work for phone system admins trying to catch people stealing long distance. Not to mention making work for the customer service reps who have to rectify some poor customer's $7000 phone bill. Fooling around with satellites thousands of people depend on is definitely not ok. Phreaking at off-times where there's lots of slack in the phone system and doesn't create pressures for new equipment is more tolerable, but still creates non-profit-making work for customer service, security, and sysadmins in reacting to the threat that drives up the company's operating costs, and, probably, everyone's rates. >SOCIAL INJUSTICES OF TECHNOLOGY > The way in which we have allowed public telephones to be operated >is particularly unfair to those who are economically disadvantaged. A >one minute call to Washington DC can cost as little as 12 cents from >the comfort of your own home. However, if you don't happen to have a >phone, or if you don't happen to have a home, that same one minute >call will cost you $2.20. That figure is the cheapest rate there is >from a Bell operated payphone. With whatever kind of logic was used to >set these prices, the results are clear. We have made it harder and >more expensive for the poor among us to gain access to the telephone >network. Surely this is not something we can be proud of. > A direct result of this inequity is the prevalence of red boxes. >Red boxes are nothing more than tone generators that transmit a quick >burst of five tones which convince the central office that a quarter >has been deposited. It's very easy and almost totally undetectable. >It's also been going on for decades. Neither the local nor long >distance companies have expended much effort towards stopping red >boxes, which gives the impression that the payphone profits are still >lucrative, even with this abuse. But even more troubling is the >message this is sending. Think of it. For a poor and homeless person >to gain access to something that would cost the rest of us 12 cents, >they must commit a crime and steal $2.20. This is not equal access. In theory I think you're absolutely right, there shouldn't be this massive surcharge on LD pay-phone calls. However, it may not be true that redboxing truly serves to rectify this inequity for those it hurts the worst. I'd guess that in practice very poor people who can't afford homes and phones also can't afford hand-held cassette players either, nor are they good friends with some phreak who will do it for them on a regular basis, thus the poor aren't in a position to do redboxing. Redboxing doesn't really do anything about the price-inequity unless poor folks actually make use of it. Now if the poor are out of the picture, it looks more like the phreaks are just mad at the telco for price-gouging and decide to rip off said telco because of it. I wonder though: how much of high pay-phone prices are due to the telco trying to recover losses from payphones due to redboxing? Call-Sell operations using cloned cellular phones might be better able to use your argument about compensating for price-inequity than redboxing since it seems (based on some recent testimony I read) to be pretty widely available to at least the urban poor on an as-needed basis. Call-selling has at least a potential a wealth-redistributing effect from relatively rich legitimate cell-phone users to poor folks without phones (especially immigrants w/lots of relatives to reach out and touch back home) and the Call-Sell operators. Note though, to the extent that call-selling serves middle-class people who already own phones and not the poor and phoneless it serves merely to redistribute wealth from the users who use their cell-phones legitimately and the telco, and transfer it to users who choose not to use their legitimate phone and to use call-sell service instead, as well as the call-sell operators. This kind of redistribution cannot rely on social justice arguments and is just massive toll-fraud. >CORPORATE RULES >. . . This puts us at direct odds with many organizations, who believe >that everything they do is "proprietary" and that the public has no >right to know how the public networks work. In July of 1992 we were >threatened with legal action by Bellcore (the research arm of the >Regional Bell Operating Companies) for revealing security weaknesses >inherent in Busy Line Verification (BLV) trunks. The information had >been leaked to us and we did not feel compelled to join Bellcore's >conspiracy of silence. See my earlier comments about publishing security holes or sharing them with hackers before letting the sysadmins have adequate warning and time to fix the hole. Instant publication of holes is not socially responsible. Also, publishing one company's private data can in some cases create a competitive disadvantage relative to that company's competitors with real economic effects. If Phrack runs a long series of articles about "how to hack the new Fujitsu switches", the communications engineer at BellAtlantic deciding what brand of switch to buy may decide to buy some other brand of switch besides Fujitsu. And he might be doing this solely of the publication of those articles makes him think (rightly or wrongly) that the Fujitsu's switch is more likely to get hacked into than, say, Northern Telecom's. Phrack has just transferred wealth from Fujitsu to Northern Telecom and possibly influenced the telco into buying the less competitive switch (which could wind up increasing telco operating costs and users' rates) out of fear of getting hacked. Moral: not all arguments about the social and commercial value of keeping proprietary information secret are bogus. >In April of this year, we were threatened with >legal action by AT&T for printing proprietary information of theirs. >The information in question was a partial list of the addresses of >AT&T offices. It's very hard for us to imagine how such information >could be considered secret. But these actions are not surprising. I'd bet money those addresses were sensitive because they would be very useful to someone trying to con, misrepresent, and social-engineer their way into the telco's computers. What possible use there would be to the non-hacker/phreaker member of the public for obscure telco-bureaucracy addresses and phone #s the phone company decides not to let out to the general public eludes me. >This in itself is wrong; a publication must have >the same First Amendment rights regardless of whether it is printed >electronically or on paper. As more online journals appear, this basic >tenet will become increasingly critical to our nation's future as a >democracy. I couldn't agree more. The government promptly dropped its case against >the publisher who, to this day, is still paying back $100,000 in legal >fees. This sucks. The gov't/telco should have had to eat the defense's legal fees. >As further evidence of the inequity between individual justice >and corporate justice, Bell South was never charged with fraud for its >claim that a $14 document was worth nearly $80,000. Their logic, as >explained in a memo to then Assistant U.S. Attorney Bill Cook, was >that the full salaries of everyone who helped write the document, as >well as the full cost of all hardware and software used . . . The Phrack/E911 case is one of the worst abuses of rights to date. However, please let my speculate for a moment, working from the assumptions that 1) The document was not expected to diffuse into the hands of hackers. The "catalog anyone could order the document from" was, I suspect, used only by and intended only for vendors and employees. 2) That possession of the E911 document would at least marginally aid in the efforts of those who were interested in hacking into 911. Granted, if both #1 and #2 are true then it could mean that BellSouth had negligent security practices and deserved what it got. It might also be the case that #2 is simply not true (I just can't say one way or another due to not having read the document closely and lacking the knowledge needed to understand the significance of everything was said in the document). If #2 is false the following argument can be ignored. It seems to me that there could be an economic cost to Bell South *because of the publication of that document in the hacker community*. If Bellcore has to devote additional resources to beefing up E911 security solely because certain features of the E911 system are now much more widely known to the hacker community (and thus more likely to be attacked) than before the publication of the document in Phrack, then Phrack has done BellSouth economic harm (and may also have indirectly contributed to the risk of a breach of security in E911 until their new security measures kick in). It think it the case that protecting the first amendment requires us to ignore such economic harm and not make it legally actionable, but I believe that the "cost" to BellSouth of the publication of that document in Phrack was probably much greater than a few lost sales of the document's physical incarnation. The added short-term risk of a breach in 911 security due to the publication of the document might have slightly more weight against first-amendment claims but would probably still be outweighed by freedom of speech. I could imagine a case though, where publication (especially quiet publication within the hacker community so that the average telco security person and E911 sysadmin person might not hear about the publication for a few weeks) of the factory-default passwords and dialup numbers for E911 computers would be great enough a risk to public safety as to merit strong punishments and prior restraint. I hope the above article has provided some new middle-ground between anti-establishment and establishment people to stand on and discuss piracy, hacking and phreaking. I hope also that some hackers and phreakers will use to above to re-examine wether they are, as claimed, actually doing society a favor, and if not, how they could change their ways so as to be a positive force. Shayne Weyker weyker@wam.umd.edu ------------------------------ Date: Fri, 25 Mar 94 01:45:40 EST From: shadow@VORTEX.ITHACA.NY.US(bruce edwards) Subject: File 3--Lopez's reply to "Rape in Cyberspace" Andy Lopez demonstrates an all too common deficit of civility in his critique of Julian Dibbell's Voice article [Cu Digest, #6.21;6.26] -- AL> The December 21, 1993 Village Voice is a case in point. However, AL> as old Voices aren't normally found outside of fish markets, ... -- as well as little knowledge of libraries. To relieve the reader of at-length quoting both of Mr. Dibbell's article and Mr. Lopez's analysis, I'll try and summarize each: Dibbell's premise was that acts committed in virtual reality (VR), acts having no "real life" component themselves, are nonetheless (virtually) actionable on the ground that said acts have real life (RL) consequence. He went further by proposing that lessons learned in VR may be ported to RL. I have seen an RL event unfold much like the one Mr. Bungle reportedly perpetrated on LamdaMOO. The perpetrators actions there (child abuse) were not verbal, but physical. This real life Bungle, too, had reasons why the community ought not "toad" him, though the toading would have been of the banishing, not the annihilating sort (the legal processes were already complete). The community involved agonized in much the same way the members of LamdaMOO did. In the end, there was no Wizard to act, and there was little resolution, but there was experience to be archived. Had these people the previous experience of the players on the MOO at adjudicating communal threat, I believe that they would have been able to relate with greater precision to their real life dilemma. This is the value of simulation, is it not? Mr. Lopez derides the concept of role-playing VR: AL> For the blissfully ignorant, a MUD is a Multi-User Dungeon, a AL> glorified electronic role-playing program. On MUDs such as AL> LambdaMOO, you can choose your name and appearance and _interact_ AL> in a digitized world with other characters. Personally, I AL> find them identical to the old-fashioned, word-based role-playing AL> games - such as the Dungeons & Dragons abomination - only more AL> boring and repetitive. Personally I have played neither, but find Lopez's comments oddly out of perspective. The cyberspace experience -- email, bulletin boards, the USENET -- is entirely digitized interactivity. Lopez goes on to interpret Dibbell's use of netsex as an example of the involvement MUDers experience in the VR world -- [Dibble:] "Netsex, tiny-sex, virtual sex - however you name it, in real-life reality it's nothing more than a 900-line encounter stripped of even the vestigial physicality of the voice. And yet, as any but the most inhibited newbie can tell you, it's possibly the headiest experience the very heady world of MUDs has to offer . . . Small wonder, then, that a newbie's first taste of MUD sex is often also the first time she or he surrenders wholly to the slippery terms of MUDish ontology, recognizing in a full-bodied way that what happens in a MUD-made world is neither exactly real nor exactly make-believe, but profoundly, compellingly, and emotionally meaningful." -- in what seems to me to be an intentionally myopic manner: AL> [Really incredible. Dibbel almost seems to be saying that the AL> MUD means so much to people because it's a way to get off. I AL> stand amazed.] Of course, Dibbell implies no such thing. He plainly means to say that a MUD's power is in its ability to invoke an imaginative process imparting kinesthetic, emotional, and intellectual verity. A MUD may establish a real -- not a "virtually" real -- web of interconnectivity among its players. That there is no physical connection (required) among the parties is certainly no block to genuine experience. If Mr. Lopez, for example, were to be called intellectually deficient and disingenuous in his post, and if he were to experience an emotional reaction as a result of being labeled a dolt, would the fact that his emotion was generated via cybertext make the experience itself invalid? Does he say words are without power? I really can't delve Lopez's difficulty. Is he offended by the seriousness the players exhibit, by the reality they say suffuses their MUD? After reading his post several times, it seems only an exercise to excoriate the idea of fantasy play and belittle Dibbell's concepts. Is it that the players do not detach from their experience sufficiently to gain his approval? He lastly proclaims: AL> Dibbel draws flabbergasting conclusions about the future of AL> society and he writes about it in this prose: " . . . the commands you type into a computer are a kind of speech that doesn't so much communicate as _make_things_happen_, directly and ineluctably, the same way pulling a trigger does. They are incantations, in other words, and anyone attuned to the techno-social megatrends of the moment - from the growing dependence of economies on the global flow of intensely fetishized words and numbers to the burgeoning ability of bioengineers to speak the spells written in the four-letter text of DNA - knows that the logic of the incantation is rapidly permeating the fabric of our lives." AL> Just what is needed! Cyberspace is already filled with shysters, AL> hucksters, idiots, and clowns. Now we start collecting animists. --- animism (an'uh-mizuhm) --noun Belief that natural phenomena and inanimate things have souls. [< Lat. anima, soul] --- No reading of Dibbell can support the allegation of animism. Lopez's article is weak, mean-spirited, and indicative of one of the major problems (a *real* problem) in cyberspace: when insulated by the abstractness of this world, people shed their civil reticence. There is talk here that would not pass in the world with which I am most familiar, that of the street. I doubt Mr. Lopez would be quite so free with his language in that instance; but even that restraint, enforced by threat of immediate physical retaliation, is a lacking sort of restraint. The real need is for true respect, even in -- no, particularly in -- disagreement, that of individual for individual, engendered through recognition of shared humanity. Perhaps finding that on a MUD, however virtual it may be, is a better start than smug superiority. -- bruce edwards - shadow@vortex.ithaca.ny.us The Total Perspective Vortex BBS, Ithaca, NY ------------------------------ Date: Sat, 26 Mar 94 10:44 WET From: jwtlai@IO.ORG(GrimJim) Subject: File 4--Re: Village Voice & Phlogiston In response to CuD #6.26 ("Village Voice and Phlogiston"): >"Village Voice Perfects Phlogiston Synthesis in Coverage of Cyberspace" >by Mr. Badger (Andy Lopez) >[...] The author [of an article in the Village Voice], Julian Dibbell, >has been a frequent user of the LambdaMOO, a MUD run inside of Xerox's >Palo Alto research computer. >For the blissfully ignorant, a MUD is a Multi-User Dungeon, a >glorified electronic role-playing program. On MUDs such as LambdaMOO, >you can choose your name and appearance and _interact_ in a >digitized world with other characters. [...] >What followed can only be understood if you accept that the game is a >reality, of sorts, for most of its users. >You might think that the offended parties simply arranged to have the >offender kicked off the system, [...] >In short, those who ran the game didn't want to ruin it by taking drastic >action and those who played the game wanted the user removed. [...] Yes, it sounds like people take things rather seriously. But the sense of reality these players express has an analog in the artistic world. Their behavior can be easily understood in this context. >This being cyberspace, there were conflicting views. Replacing "cyberspace" with "a society" reveals the true nature of the event. >Why didn't the other users simply use the command that would have >blotted Mr. Bungle's messages from their screens? Was it really that >serious anyway? Using a filter might remove said Bungle from your sight, but it does not keep Bungle from using his (or her?) coded toy from impersonating you before a third-party. To use Usenet as an analogy, Bungle performed the equivalent of forging obnoxious messages in other peoples' names; many people have taken forged messages quite seriously in the past. It should be obvious that the main issue actually has little to do with games. Dibbell's analysis of the situation is incorrect, but so is Badger's dismissal. By acting out roles, players are investing time and effort in the creation of characters. It's a cross between acting and literature; in the former, roles (characters) are made visible to others by performance; in the latter, the character is revealed through text. One could say that Bungle disregarded the authors' right to control their literary creations, their intellectual property. The "social way to behave" is to be a collaborator with other authors, not to usurp them. >Where does the body stop and the mind begin? What is the nature of >reality? The arguments were going in circles during an extended >meeting of up to thirty - count 'em, thirty - users. In the middle of >the online babble, Mr. Bungle appeared and offered his defense: He >was simply experimenting with users' reactions to extreme events. I think there is a simple guideline to such social games: "If you can't play by the rules, you can't play the game." I might add that the "I was just experimenting on you (without your prior knowledge or consent)" defense has also shown up on Usenet as (poor) explanation for deliberately offensive posts. >What followed was the institutionalization of a process whereby users >could have more input into controlling the MUD. To cap things, Mr. >Bungle reincarnated as a new, chastened character. In other words, the rules of the game were changed to handle disruptive players. A sociological analysis of how the game's society reacted and adapted to the situation might have been useful, but what can one really expect out of sensationalist media? >Dibbell draws flabbergasting conclusions about the future of society [...] >Cyberspace is already filled with shysters, >hucksters, idiots, and clowns. Now we start collecting animists. And cynics, judging from Badger's snide tone. I found Dibbell's quoted and paraphrased words were often irrelevant. Alas, the obsession with electronic sex and superficial philosophical rambling is all too trendy. This "cyberspace" thing isn't about games or virtual sex, it's about people and the societies they create. Don't lose track of the message/forest for the medium/trees. ------------------------------ End of Computer Underground Digest #6.27 ************************************ .