Computer Underground Digest--Sat Jul 13 01:10:10 CDT 1991 (Vol #3.25)

Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)

Today's Contents:
  Moderators' Corner
  Spaf's Response to Bill Vajk
  Comments to Bill Vajk's posting in CuD #3.22 (T. Klotzbach)
  LOD Members for Comsec Computer Security (News Reprint)
  Alcor Email (ECPA) Case Settled (Keith Henson)
  NIST announces public-key digital signature standard (gnu)
  Secret Service Pays Hacker Call (Reprint from Newsbytes)

Administratia: ARCHIVISTS: ROB KRAUSE, BOB KUSUMOTO, AND BRENDAN KEHOE

CuD is available via electronic mail at no cost. Printed copies are available by subscription. Single copies are available for the costs of reproduction and mailing.

Issues of CuD can be found in the Usenet alt.society.cu-digest news group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM, by FidoNet file request from 1:100/345, on Genie, on the PC-EXEC BBS at (414) 789-4210, and by anonymous ftp from ftp.cs.widener.edu, chsun1.uchicago.edu, and dagon.acc.stolaf.edu. To use the U. of Chicago email server, send mail with the subject "help" (without the quotes) to archive-server@chsun1.uchicago.edu.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators.
Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: July 13, 1991
From: From the Moderators
Subject: Moderators' Corner

We're experimenting with a new format to conform with RFC-1153 that we hope will allow CuD to explode in most mailers. Thanks to John Stanley for his suggestions, and especially to an anonymous Texas sysop (whose initials are BI and can be reached at bei@dogface.austin.tx.us) for the patience to lead us by the hand in explaining the procedure. Please let us know if it works (or if it doesn't). If we can get it working properly, we will maintain both the original format for files and the new one for mailers. So pass back your suggestions and criticisms.

------------------------------

Date: Tue, 09 Jul 91 15:05:10 EST
From: Gene Spafford
Subject: Response to Bill Vajk

In an earlier digest, Bill Vajk responded to one of my messages with lengthy commentary. I agree with some of his points, disagree with others, and have no opinion about most. Most deserve and/or need no comment. However, there were a few of his statements (and his overall attitude) I feel I should respond to somewhat; I won't dignify the obvious personal insults with commentary, however.

He says:

  "I am concerned that Spafford's comments can be read to be forgiving and conciliatory in nature where it regards errors made by professional law enforcement."

He then goes on to criticize the case in California described in CUD 3.15. That juxtaposition was unfair, and implied that I was in some way trying to excuse the actions of Officer Nemeth & company -- and that is most definitely not the case. From what I have heard of that incident, the law enforcement personnel acted like idiots.
As to being conciliatory and forgiving, I do not believe law enforcement personnel are basically evil or out to deprive us of our rights; I believe most law enforcement personnel are poorly educated in the area and overworked. I wish to improve that understanding, not seek to portray law enforcement personnel as "the enemy." I don't approve of or agree with some of their actions, but neither do I feel it inappropriate to try to see things from their point of view.

Later, he says:

>Yes, Gene. In article 5462@accuvax.nwu.edu you misspoke [sic] and assisted
>in proliferation of such incorrect reports :
>
> "The information I have available from various sources
> indicates that the investigation is continuing, others
> are likely to be charged, and there MAY be some national
> security aspects to parts of the discussion that have
> yet to be disclosed."
>
>Need I voice the obvious and ask how any "responsible" individual should
>handle errors they have made? Need I voice the obvious and ask a simple
>question. What has Gene Spafford done to correct errors he has made? Has
>his behavior in these matters met the criteria for responsibility he demands
>from others?

Mr. Vajk (and others) appears to misunderstand my usage of words. My comment was not a misstatement. I very carefully qualified it to indicate that it was based on information available to me, and that it was an indication, not a certainty. The investigation did continue. At the time, it seemed likely to my sources that others would be charged. And my use of the word MAY was to indicate that it was far from certain. I don't view this statement on this issue as erroneous, nor do I believe I have anything to apologize for when making it.

Had I said "The investigation shows these guys to be traitors and part of a larger group that will all be arrested and charged." -- that would be an incorrect statement and something I would need to retract. However, I didn't make that statement.
I also "demand(s)" nothing of others. I admit errors when I make them.

Mr. Vajk then says a great deal about my statement that we should not believe that everyone charged with computer offenses is innocent. He points out (correctly) that *in US law* people are innocent until proven guilty. HOWEVER, that does not make them innocent of having committed an act. If Joe Random were to shoot someone in front of a crowd of witnesses, he would be innocent under the law until a jury returned a verdict in a trial, but he would NOT be innocent of the act. Would any witness to the crime, or anyone who spoke to a witness, then be equally condemned by Mr. Vajk for saying "Joe was not innocent of murder" before the conclusion of a trial?

My point remains that claiming innocence (in the non-law sense) for all individuals accused of computer-related crimes is obviously incorrect and counter-productive. It may be technically correct to point out that a court has not convicted them yet, but that does not mean we should trumpet their innocence. Furthermore, implying that law enforcement personnel are all pursuing power-trips and vendettas against computer users is paranoid. The law is important, and I respect it, but I do not need a jury to verify that the sun rose this morning. Most people are able to distinguish between convicted and guilty; when too many people believe that the guilty are not being convicted, repressive measures may get instituted. If we intend to fight for appropriate application of the laws to computing, we need to keep this distinction in mind.

Following more insulting comments, Mr. Vajk then makes some mistaken comments on copyright and trade secret (proprietary) rights. Some of these errors have been addressed already in a previous CUD: copyright and trade secret rights may both be expressed on a document. One thing that was not mentioned in the previous comments on copyright is that there is, indeed, a Federal statute governing copyright infringement.
2319 USC 18 provides for criminal penalties when a copyright is infringed. The copyright must be formally registered and deposited with the Superintendent of Documents for this to take effect, however, and the infringement must be willful. I have heard directly from Federal attorneys that this law can be used (and has been used) against people copying source code or documentation (or chip masks) they do not own. Copyright is not always strictly a civil issue.

Mr. Vajk then makes extensive comments on how he thinks copyright should work, how source code should be valued, and how Federal law should be applied in cases of interstate traffic in copyrighted material. This may or may not be of some interest to some readers, but it does nothing to change the fact that Len Rose was charged with, and pleaded guilty to, an offense based on his trafficking in proprietary source code. His attacks on my statement (and me, to some extent) to that effect are directed at the wrong parties: he seems to disagree with the way the law is written and/or applied, and that is not my fault. He is certainly correct, however, in his observation that the laws are not adequate for our current technology: this is historically the case with a great deal of technology, and certainly not restricted to telecommunications and computing. I have never disputed this point, and have often propounded it.

Mr. Vajk continues by criticizing me for (in so many words) "making statements without knowing the full background." Interestingly enough, he does this by assuming he knows what documentation and information I have accessed, and by assuming that he knows the one, full truth of the matter of Len Rose's actions and trial. Furthermore, he then goes on to imply things about AT&T, Tim Foley, the Illinois (?) prosecutor in the case, and potential witnesses to the case based on circumstantial evidence. Am I the only one who finds such hypocrisy curious?
In the end, there is a fundamental difference of opinion between our views and our approaches. Mr. Vajk chose to personally insult me with remarks in his commentary rather than address that difference. For instance, he states:

  "There has been movement by all branches at the federal level of law enforcement to assume guilt before investigation and to trample rights freely utilizing the immunity originally granted in order to protect officers making honest mistakes as a standard operating procedure instead of an exceptional circumstance."

I believe there have been some misguided and ill-informed investigations and prosecutions; I do not believe it an organized movement as does (presumably) Mr. Vajk. I still believe that the common person is not going to find the story of Robert Morris or Len Rose to be particularly indicative of threats to their freedoms. Certainly some of the things done to Len were inappropriate (the search, for instance). However, the over-broad search does not negate his guilty plea to a criminal act. Although we wish to guarantee the same Constitutional rights to everyone, we should be somewhat cautious about the examples we pick to hold as standards, and I do not believe Len is a particularly good standard for us to raise.

I also believe that rude behavior and insults directed towards people with different opinions than one's own are counterproductive to having one's own views respected and listened to with attentiveness. Appeals to reason are more likely to sway people to one's views. That was the central thesis of my original comments, and still is.

For us to secure a reasonable set of rights for all computer users, we must realize that the issue is complex and has many different perspectives, the legal community is not well-equipped to deal with the issues based on prior experience, and that not everyone on the electronic frontier is heroic in stature. Most of us are still learning as the situation changes.
(My views on many things have changed in the last few years, thankfully, and continue to evolve as I learn more; we shouldn't criticize someone for developing new attitudes with experience.) Sometimes we will make mistakes as we go along, but some mistakes we can avoid if we think about them first. One common mistake in such highly-charged issues is attributing to malice what may be caused by ignorance. Another is being abusive to others for having a different set of views; one cannot champion the legal right to free speech without also embracing the responsibility to respect others who choose to exercise that right -- disagreement with views should not become contempt for the people who (appear to) espouse them.

------------------------------

Date: Fri, 5 Jul 91 13:10 GMT
From: "Thomas J. Klotzbach" <0003751365@MCIMAIL.COM>
Subject: Comments to Bill Vajk's posting in CuD #3.22

I am posting to the CuD to address factual and other errors that Bill Vajk made in his original posting to CuD #3.22. I had hoped to avoid this course of action, but feel it necessary due to the puzzling actions of Mr. Vajk. I originally replied directly to Mr. Vajk with my concerns about his posting. He replied back to send him specific information or "retire from the conversation". I sent back the information he requested and Mr. Vajk never responded. I also sent two follow-up letters with, again, no response. I came to the conclusion that Mr. Vajk was going to make no attempt in the foreseeable future to address the errors in his original posting to the CuD, so now I present them to the readership. My attempt is not to "bash" Mr. Vajk, but to hopefully correct some of the disinformation that Mr. Vajk has posted to the CuD.

Bill writes:

>If this is the case, then possession is not illegal, because
>the text is protected by commercial exploitation by the copyright
>laws and Len should have not been charged with criminal. Copyright is a
>matter for civil suit...
This is misleading, as it implies that copyright infringement may not be remedied in criminal court. There are also provisions for criminal proceedings if a person willfully infringes a copyright for, among other things, private financial gain (17 USC 506 et seq.; 18 USC 2319). This half-truth (copyright law only allows remedy in civil court) seems to be circulating about the net with great frequency. A knowledgeable netter wrote to me and stated that the reason that the government does not pursue more cases with the aforementioned statute is that the criminal penalties are not as large as the interstate transportation of stolen property and wire fraud statutes provide for violators.

Bill goes on:

>...It seems that AT&T source code (according to one of the Foley
>affidavits) bears legends which claim both proprietary rights and a
>copyright. You stipulate proprietary. The dual labeling of the
>original software should do a lot to remove it from consideration as
>truly proprietary information. The laws regarding copyrights require
>that all copyright material is subject to deposit at the Library of
>Congress, where any citizen has a right to read and review.

The ownership of copyright is distinct from the ownership of the object in which the work is embodied (17 USC 101 et seq.; 17 USC 202). You imply that the dual labeling of the source code suggests that the work is not truly proprietary information, by stating that "the dual labeling of the original software should do a lot to remove it from consideration as truly proprietary information". Rubbish. AT&T is within their rights to do what they did. The notice of copyright MAY be placed on publicly distributed copies of a work (17 USC 401). Labeling a work as copyrighted does not imply a forfeiture of any proprietary rights (17 USC 202 et seq.; 17 USC 401; also please see Douglas v. Taylor, Tex.Civ.App. 497 S.W. 2d 308, 310 and Green v. Lewis, 221 Va. 547, 272 S.E. 2d 181, 185).
In effect, proprietary declares that you are the owner of the work. You may also copyright the work as well. And what is the bit about "copyright material is subject to deposit and any citizen has the right to review" about? Are you implying that somehow Len Rose was within his rights to copy the source code in an attempt to review it? If you are, you are incorrect. Copyright law is fairly specific on the limitation of exclusive rights as they pertain to computer programs (it is the section that software makers refer to when they allow the owner of a copy of software to make backup copies - 17 USC 117).

Bill also writes:

>Twice now, regarding the resultants of the E-911 case you've been long
>on assumptions, short on proof. Twice now, regarding the resultants of
>the E-911 case you've been long on promises, short on results. Given
>this history, I ask, would a "responsible" man now seek truth and
>publish it, or retire from this discussion.

But Bill then states:

>Thus far, it seems most computer laws have been written at the behest
>of special interests instead of the public interest. The laws already
>inflict restrictions contrary to generally understood and accepted
>constitutional provisions.

Well, Bill, would you please provide some "proof" for the readership on the aforementioned statement? YOU imply much while proving little.

There are other errors in Mr. Vajk's article to the CuD and I am still in the process of researching them. Again, I am not attempting to split hairs, but Mr. Vajk has a responsibility to not put "spin" on what the laws/statutes/etc. mean, a spin that distorts the facts at hand and does a disservice to you and me, the readers of the CuD.

In closing, Bill Vajk writes:

>...What has Gene Spafford done to correct errors he has made? Has his
>behavior in these matters met the criteria for responsibility he demands
>from others?

I ask the same question of Bill Vajk.
What has he done to correct the errors he has made in his posting to the CuD #3.22?

------------------------------

Date: Fri, 5 Jul 1991 13:52 CDT
From: "ROBERT G. HEARN" <9999AH02@UHDBIT.BITNET>
Subject: LOD Members for Comsec Computer Security (News Reprint)

Reprint from Sunday, June 23, 1991 Houston Chronicle (1A, 15A)
By Joe Abernathy

FORMER HACKERS OFFER SERVICES IN COMPUTER SECURITY

The most notorious force of computer hacking's heyday is asking forgiveness and joining the forces of good. The storied Legion of Doom, nemesis to the Secret Service, is forming a computer security consulting firm in Houston.

Drawing members from around the nation and its name from comic book villains, the youthful hackers' group dominated the underground electronic landscape of the middle and late 1980s. Finally, a controversial penetration of phone company computers landed several members in jail. According to documents, activities of the Legion of Doom were a primary motivation for Operation Sun Devil, a nationwide crackdown on computer crime coordinated by the U.S. Secret Service.

But remaining members in Austin and Houston, who disavowed any connection with the phone company incident, now say they are on the right side of the law and are offering their expertise on computer security.

"People need us. We're the best," said Scott Chasin, known in his hacking days by the computer handle Doc Holliday. "Ten years from now we'll be the leaders in data security."

Computer security is a burgeoning field, but one that is almost impossible to define in terms of dollars lost to penetrations or dollars spent on security. Tales are plentiful among police of losses in the six-figure range that went unprosecuted in order to spare the affected firms embarrassment. Estimates of the yearly loss to industry from computer break-ins range from $500 million to more than $2 billion -- much of it lost to long-distance phone service theft or credit card fraud.
Some industry observers welcomed the creation of Comsec Computer Security, as the new company will be known, while others derided it as a new twist on a familiar theme.

"There's lots of precedent for that," said Richard A. Schaffer of New York, editor of the industry publication ComputerLetter. "Crooks of all types try to hire themselves out after the fact."

"So these guys are purporting to tell you how to protect against folks like them," he mused. "It strikes me that people should refuse to hire them just on principle...although from what I've seen they're qualified."

But Linda Laskey of the Computer Security Institute in San Francisco said she believes the firm will provide a valuable service. "They know what they're doing as far as security systems go," she said. Laskey said the Computer Security Institute, a worldwide organization of computer security professionals from business and government, will be among the first clients of Comsec.

The value of computer security is pitched now by those associated with particular security products. Accounting firms also provide security consulting. By contrast, Comsec is banking on its past association with the Legion, which gained a high profile from run-ins with the Secret Service and BellSouth, one of the regional phone companies. Robert J. Riggs, Franklin E. Dardin Jr. and Adam E. Grant were sentenced on Nov. 16, 1990, in federal court in Atlanta for breaking into the computers of BellSouth and stealing a document on the administration of the emergency 911 system.

Hacking grew up around the Legion, which wasn't content merely to penetrate computer systems and networks. The deed wasn't finished until the intimate details of each system were written up and electronically published. Legion followers became associated with tutorials on obscure subjects, such things as how to make nitroglycerin and drugs, and with electronic documents on "social engineering," the fine art of the scam.
Born in the swirling computer underground of the 1980s and named after the minions of Superman archrival Lex Luthor, the Legion's "educational services" ultimately helped reshape the online community and gave the group a stature beyond its nominal activities.

But the best summary may have been written by Comsec principal Chris Goggans, the historian of the Legion and only member associated with it from its official founding in 1984 until it was disbanded late last year.

"The Legion of Doom has been called everything from 'Organized Crime' to 'a communist threat to national security' to 'an international conspiracy of computer terrorists bent on destroying the nation's 911 service,'" he wrote under his pseudonym, Eric Bloodaxe. "Nothing comes closer to the actual truth than 'bored adolescents with too much spare time.'"

Now Sun Devil has put an end to hacking's innocence and the perception among computer enthusiasts that it is a noble pursuit. As for the Legion members, a few got busted, a few got bored, and the rest are pondering a direction for their lives as young adults.

"I didn't want to be 30 years old and still breaking into systems," said Chasin, who is 21. "I want to be securing systems."

Chasin and Goggans, 22, will be joined in the firm by Ken Shulman, 21, the son of Houston socialite Carolyn Farb, who is providing discounted office space and other assistance. Comsec will be managed by Robert Cupps, 24, a graduate of Emory University and former securities trader. Chasin and Goggans are pursuing degrees at the University of Houston.

"From a marketing standpoint, we've got a real strong presentation," said Cupps, a Baytown native who does not consider himself a computer expert. "What we will do is a brief demonstration. When you can walk into someone's office and get root (administrative privileges) on their system, that says something in itself, that maybe you're the person they should be talking to about securing their systems."
The only member of Comsec who has faced criminal charges is Shulman, known variously on computer networks as Malefactor, The Mentor, and Jack the Ripper. He pleaded no contest in 1989 to misdemeanor charges of credit card fraud, paid nearly $20,000 in restitution and was put on a year's deferred adjudication -- meaning he emerged from probation without a final conviction on his record.

"It was telephones, long distance calls," he said. "I quit everything after that, and that was years ago."

Goggans has also had a run-in with the law, however. His Austin home was raided on March 1, 1990, because he allegedly possessed the 911 document. No charges have been filed.

Originally held forth as a life-threatening penetration of the 911 system, the document theft is now viewed by computer enthusiasts and others as having been considerably overblown.

"The fact of the matter is that there was no damage to the system," acknowledged Scott Ticer, operations manager for BellSouth and spokesman for the security team that led the investigation. "But the potential for damage was there."

"You just can't have people playing around in your network -- it's not some high-tech toyland. This is the telecommunications system."

Would BellSouth hire the former hackers whose associates caused it so much grief -- proving their expertise along the way?

"We don't use hackers as consultants, period," Ticer said. "Thanks but no thanks."

------------------------------

Date: 5 Jul 91 07:10:45 GMT
From: hkhenson@cup.portal.com
Subject: Alcor Email (ECPA) Case Settled

The long running Alcor/email case against the County and City of Riverside, CA was settled out of court in April of this year. The announcement was delayed until all parties had signed off, and the check (for $30k) had cleared the bank :-).
The Alcor Life Extension Foundation (a non-profit cryonics organization -- alcor@cup.portal.com) ran a BBS for members and prospective members from early 1987 through January 12, 1988. On that day, the BBS computer was removed under a warrant to take the computer (but no mention of any contained email) in connection with the investigation into the death of 83-year-old Dora Kent. (Mrs. Kent was placed into cryonic suspension by Alcor in December of 1987. During and following the investigation, Alcor staff members were publicly accused by county officials of murder, theft, and building code violations. No charges were ever filed and the investigation was officially closed three years later.)

In December, 1988 Keith Henson filed a civil suit to force an investigation of the apparent violations of the Electronic Communication Privacy Act by the FBI, but the case was dismissed by the now convicted Judge Aguilar. In early 1990, just before the statute of limitations ran out, Henson and 14 others (of the roughly 50 people who had email on the system) filed a civil action against a number of officials and the County and City of Riverside, CA under Section 2707 of the Electronic Communication Privacy Act.

Some time after the case was filed, the Electronic Frontier Foundation came into existence in response to law enforcement abuses involving a wide spectrum of the online community. EFF considered this case an important one, and helped the plaintiffs in the case by locating pro bono legal help. While the case was being transferred, the County and City offered a settlement which was close to the maximum damages which could have been obtained at trial.

Although no precedent was set because the case did not go to trial, considerable legal research has been done, and one judgment issued in response to the Defendants' Motion to Dismiss.
The legal filings and the responses they generated from the law firm representing the County/City and officials are available by email from mnemonic@eff.org or (with delay) from hkhenson@cup.portal.com. (They are also posted on Portal.) The Plaintiffs were represented by Christopher Ashworth of Garfield, Tepper, Ashworth and Epstein in Los Angeles (408-277-1981). A summary of the settlement agreement is attached.

SETTLEMENT AGREEMENT

This agreement is made and entered into in Riverside, California, this _____ day of ______ by and between [long list of defendants and plaintiffs]

I. FACTUAL RECITALS

1. This Agreement is executed with reference to the following facts for purpose of this Agreement only.

2. On January 12, 1988, some of the Defendants, pursuant to a search warrant, entered into the premises of Alcor Life Extension Foundation in Riverside, California.

3. Upon entry into the property, some of the Defendants seized various items, including electronic media containing E-mail owned by the plaintiffs.

4. On or about January 11, 1990, plaintiffs commenced civil action No. SAC 90-021js in the United States District Court, Santa Ana ("the Action"), against the defendants for injuries and damages allegedly suffered as a result of the defendants' seizure of plaintiff's E-mail.

5. It is now the desire and intention of plaintiffs, on the one part, and defendants on the other part, to settle, compromise, and resolve all the differences, disagreements, and disputes, which exist and may exist, including those which are the subject matter of, referred to, related to, or mentioned in the Action. Pursuant to this desire, and in consideration of the mutual promises contained herein, the parties agree as follows.

II. CONSIDERATION

6. Upon the execution of this Agreement, defendants County of Riverside shall pay to plaintiffs, by check, the total sum of Thirty Thousand Dollars ($30,000), inclusive of attorney fees and cost.
------------------------------

Date: Thu, 27 Jun 91 11:39:59 -0700
From: gnu@TOAD.COM
Subject: NIST announces public-key digital signature standard

Statement of Raymond G. Kammer, Deputy Director
National Institute of Standards and Technology
Before the Subcommittee on Technology and Competitiveness
of the Committee on Science, Space, and Technology
On Computer Security Implementation
House of Representatives
June 27, 1991

Digital Signature Standard

I know that you are interested in our progress in developing a federal digital signature standard based upon the principles of public-key cryptography. I am pleased to tell you that we are working out the final arrangements on the planned standard, and hope to announce later this summer our selection of a digital signature standard based on a variant of the ElGamal signature technique.

Our efforts in this area have been slow, difficult, and complex. We evaluated a number of alternative digital signature techniques, and considered a variety of factors in this review: the level of security provided, the ease of implementation in both hardware and software, the ease of export from the U.S., the applicability of patents and the level of efficiency in both the signature and verification functions that the technique performs.

In selecting digital signature technique method [sic], we followed the mandate contained in section 2 of the Computer Security Act of 1987 to develop standards and guidelines that ". . . assure the cost-effective security and privacy of sensitive information in Federal systems." We placed primary emphasis on selecting the technology that best assures the appropriate security of Federal information. We were also concerned with selecting the technique with the most desirable operating and use characteristics.

In terms of operating characteristics, the digital signature technique provides for a less computationally intensive signing function than verification function.
This matches up well with anticipated Federal uses of the standard. The signing function is expected to be performed in a relatively computationally modest environment such as with smart cards. The verification process, however, is expected to be implemented in a computationally rich environment such as on mainframe systems or super-minicomputers.

With respect to use characteristics, the digital signature technique is expected to be available on a royalty-free basis in the public interest world-wide. This should result in broader use by both government and the private sector, and bring economic benefits to both sectors.

A few details related to the selection of this technique remain to be worked out. The government is applying to the U.S. Patent Office for a patent, and will also seek foreign protection as appropriate. As I stated, we intend to make the technique available world-wide on a royalty-free basis in the public interest.

A hashing function has not been specified by NIST for use with the digital signature standard. NIST has been reviewing various candidate hashing functions; however, we are not satisfied with any of the functions we have studied thus far. We will provide a hashing function that is complementary to the standard.

I want to speak to two issues that have been raised in the public debate over digital signature techniques. One is the allegation that a "trap door", a method for the surreptitious defeat of the security of this system, has been built into the technique that we are selecting. I state categorically that no trap door has been designed into this standard nor does the U.S. Government know of any which is inherent in the ElGamal signature method that is the foundation of our technique.

Another issue raised is the lack of public key exchange capabilities. I believe that, to avoid capricious activity, Public Key Exchange under control of a certifying authority is required for government applications.
The details of such a process will be developed for government/industry use.

NIST/NSA Technical Working Group

Aspects of digital signature standard were discussed by the NIST/NSA Technical Working Group, established under the NIST/NSA Memorandum of Understanding. The Working Group also discussed issues involving the applicability of the digital signature algorithm to the classified community, cryptographic key management techniques, and the hashing function to be used in conjunction with the digital signature standard. Progress on these items has taken place; however, as with the digital signature standard, non-technical issues such as patents and exportability require examination, and this can be a lengthy process.

We have found that working with NSA is productive. The Technical Working Group provides an essential mechanism by which NIST and NSA can conduct the technical discussions and exchange contemplated by the Computer Security Act and also allows us to address important issues drawing upon NSA's expertise.

------------------------------

Date: July 8, 1991
From: Barbara E. McMullen & John F. McMullen
Subject: Secret Service Pays Hacker Call (Reprint from Newsbytes)

SECRET SERVICE PAYS HACKER CALL 07/08/91

NEW YORK, NEW YORK U.S.A., 1991 JULY 8 (NB) -- According to a Pennsylvania teenage "hacker" known as "Wing", agents of the United States Secret Service visited his home and that of some friends asking questions about rumors they had allegedly received about the planting of "July 4th logic bombs".

Wing told Newsbytes that the agents arrived at his home and requested to talk to him about "rumors that he had planted logic bombs or viruses to go off on the 4th of July." Wing said that, on the advice of his father, he refused to discuss the matter with the agents, "The last time that the Secret Service was here my father told them not to come back again without a warrant so, when they did, I didn't talk to them. The whole thing is ridiculous anyhow. There were obviously no July 4th bombs and I certainly didn't plant any." Wing also said that agents visited friends of his and "made one who is new to computers feel that he was doing something wrong by trying to log onto bulletin boards."

A Secret Service official, speaking to Newsbytes, confirmed that agents had attempted to interview Wing in relation to rumors of a July 4th attack on computer systems. The official also said that, because of Wing's juvenile status, his parents have the right to deny the agents' request for an interview. The agent further said that, to his knowledge, there were no cases of computer attack on the 4th of July.

Other law enforcement officials had told Newsbytes, previous to the July 4th holiday, that they had received rumors of such a planned attack but that they had little substantive material upon which to base an investigation.

There have also been recent reports to Newsbytes from sysops of university and foundation computer systems in the Boston, MA area of attempted unauthorized access by an individual purporting to be Wing.

------------------------------

Date: Tue, 09 Jul 91 05:56:11 CDT
From: Anonymous
Subject: Calling the kettle black

In an article in comp.org.eff.talk, David Turrell wrote,

> Anyone caught using illegal copies of 1-2-3 who keeps on doing it
> after being asked not to and at the same time expresses "utter
> contempt" for Lotus' right should be made to wash lots and lots of
> cars, and wax those that need it.

You'd be surprised who would have to come clean. There's a very big company that has provided technical opinions, albeit with a few decimal places added, to Federal officials. Would those Federal officials turn on such a technical resource and accuse it of software piracy? Would they take the word of an ex-employee that the very big company kept megabytes of pirated software on company computers?
That managers within the company knew of those computers and used that unlicensed software in furtherance of the company's business? Would it matter that a now-dead division of that very big company kept archives of pilfered copies of (among other titles) Harvard Project Manager, Microsoft Word, Procomm Plus, Lotus 1-2-3, and Word Perfect for company use? Within twenty feet of an ADAPSO/SPA anti-piracy poster?

If there's one law enforcement official who wouldn't hesitate to ask some hard questions of this very big company, I'd hope that they'd come out of the electronic shadows in this forum, and declare in front of all of us that Justice is for the Big as well as the Small.

Sign me,

A Belated Whistle Blower

P.S. Bothered by my anonymity? I am, too. Truth is, I think that the LE people who I'd hope to hear from will try and kick MY butt before they'll go after the employer of so many "expert witnesses". Wait and see.

------------------------------

End of Computer Underground Digest #3.25
************************************
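The NIST statement reprinted above describes the selected technique only in outline: an ElGamal-variant signature whose signing function costs less computation than its verification function, with the hash function still unspecified. The following Python program is an added illustration of that cost asymmetry; it is not code from NIST, from the digest, or from any contributor. It implements the prime-order-subgroup variant of ElGamal that NIST later published as the Digital Signature Algorithm (FIPS 186). Everything specific to the program is constructed for the example: the parameter search in generate_params (a p of roughly 30 bits, far smaller than any real deployment), SHA-256 standing in for the hash NIST had not yet chosen, and a counter on exponentiations modulo p so the one-versus-two exponentiation difference between signing and verifying can be observed directly.

```python
"""Added example: an ElGamal-variant (DSA-style) signature over a prime-order
subgroup, instrumented to count the expensive large-modulus exponentiations.
Toy parameters only; using SHA-256 as the hash is an assumption."""
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin; these fixed bases are sufficient for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params(q_bits=20):
    """Constructed toy parameters: primes q and p = k*q + 1, and g of order q mod p."""
    q = 1 << q_bits
    while not is_prime(q):
        q += 1
    k = 2
    while not is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)  # g = h^((p-1)/q) has order exactly q unless it is 1
        if g != 1:
            return p, q, g
        h += 1


_modexp_calls = 0


def modexp(base, exp, mod):
    """pow() wrapper that counts exponentiations modulo the large prime p."""
    global _modexp_calls
    _modexp_calls += 1
    return pow(base, exp, mod)


def hash_to_int(message, q):
    """Hash the message into Z_q (SHA-256 is a stand-in; NIST had not chosen a hash)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def keygen(params, rng=secrets.randbelow):
    p, q, g = params
    x = rng(q - 1) + 1          # private key, uniform in [1, q-1]
    return x, pow(g, x, p)      # (private key, public key)


def sign(params, x, message, rng=secrets.randbelow):
    """Signer side: one exponentiation mod p, plus cheap arithmetic mod q."""
    p, q, g = params
    e = hash_to_int(message, q)
    while True:
        k = rng(q - 1) + 1      # per-signature nonce; must be fresh and kept secret
        r = modexp(g, k, p) % q
        if r == 0:
            continue            # degenerate case, retry with a new nonce
        s = (pow(k, -1, q) * (e + x * r)) % q
        if s != 0:
            return r, s


def verify(params, y, message, sig):
    """Verifier side: two exponentiations mod p."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False            # reject out-of-range components before any arithmetic
    e = hash_to_int(message, q)
    w = pow(s, -1, q)
    u1, u2 = (e * w) % q, (r * w) % q
    v = (modexp(g, u1, p) * modexp(y, u2, p)) % p % q
    return v == r


def modexp_cost(params, x, y, message):
    """Return (signing, verifying) counts of exponentiations mod p for one signature."""
    global _modexp_calls
    _modexp_calls = 0
    sig = sign(params, x, message)
    sign_cost = _modexp_calls
    _modexp_calls = 0
    if not verify(params, y, message, sig):
        raise RuntimeError("self-check failed")
    return sign_cost, _modexp_calls


if __name__ == "__main__":
    params = generate_params()
    x, y = keygen(params)
    msg = b"constructed sample message"
    sig = sign(params, x, msg)
    print("signature valid:", verify(params, y, msg, sig))
    print("tampered message valid:", verify(params, y, msg + b"!", sig))
    print("modexp count (sign, verify):", modexp_cost(params, x, y, msg))
```

Signing performs a single exponentiation with base g, which depends only on the nonce k and can be computed before the message is known, which is why the statement expects the signing side to fit a smart card while verification, with two exponentiations including one on the signer's public key, runs on the larger host.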