Date: 11 Jul 1993 23:58:31
From: Cu-Digest
Subject: Cu Digest, #5.51 -- The AIS BBS Incident

Computer underground Digest    Sun July 11 1993   Volume 5 : Issue 51
ISSN 1004-042X

Editors: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
Archivist: Brendan Kehoe
Shadow-Archivists: Dan Carosone / Paul Southworth
                   Ralph Sims / Jyrki Kuoppala
                   Ian Dickinson
Copy Editor: Etaoin Shrdlu, Seniur

CONTENTS, #5.51 (July 11 1993)
File 1--Introduction to the AIS BBS Controversy
File 2--Response to RISKS' Anonymous Post attacking AIS BBS
File 3--Response to Anonymous: AIS BBS
File 4--A User's View of AIS BBS
File 5--Fear and Loathing: On the Virus Code Trail at AIS
File 6--Media, Anti-virus personnel, Ethics, and AIS

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically from tk0jut2@mvs.cso.niu.edu. The editors may be contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" on Delphi in the General Discussion database of the Internet SIG; on the PC-EXEC BBS at (414) 789-4210; and on:
  Rune Stone BBS (IIRG WHQ) (203) 832-8441 NUP:Conspiracy
  RIPCO BBS (312) 528-5020
CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.
EUROPE: from the ComNet in LUXEMBOURG BBS (++352) 466893
        In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
  UNITED STATES: ftp.eff.org (192.88.144.4) in /pub/cud
                 uglymouse.css.itd.umich.edu (141.211.182.53) in /pub/CuD/cud
                 halcyon.com (202.135.191.2) in /pub/mirror/cud
                 aql.gatech.edu (128.61.10.53) in /pub/eff/cud
  AUSTRALIA:     ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
  EUROPE:        nic.funet.fi in pub/doc/cud. (Finland)
                 ftp.warwick.ac.uk in pub/cud (United Kingdom)

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

----------------------------------------------------------------------

Date: Thu, 8 July 1993 21:39:01 CDT
From: Jim Thomas
Subject: File 1--Introduction to the AIS BBS Controversy

A recent (Vol 14, #58) issue of Risks Digest contained an anonymous post that attacked AIS BBS and its sysop, Kim Clancy. The AIS board is a service of the U.S. Department of Treasury's Bureau of Public Debt. "AIS" is an acronym for "Automated Information System," and the board provides security-related information to its users. AIS downloadable files included a broad range of text files related to computer security, "hacker" culture, and computer technology, along with other files readily available on any public access system.

A few anti-virus folk complained about the virus source code that was available on the board. According to CuD sources, at least one British anti-virus specialist publicly condemned the board and urged colleagues to voice complaints. An "anonymous" poster, later revealed to be Paul Ferguson, an anti-virus specialist, wrote the anonymous Risks post. The story was picked up by Joel Garreau of the Washington Post a few weeks later, and on July 6 prompted Edward J. Markey, Chair of the House Subcommittee on Telecommunications and Finance, to contact Lloyd Bentsen, Secretary of the Department of the Treasury, to voice concerns (see forthcoming CuD 5.52 for comments from Rep. Markey's office) about the AIS BBS.

In my view, this incident has been blown out of proportion by some of the anti-virus crowd and their supporters, by the media, and especially by Rep. Markey. In this issue, we examine the background of the incident as it began in Risks, and include some commentary.

------------------------------

Date: Mon, 21 Jun 93 22:54:12 CDT
From: Jim Thomas
Subject: File 2--Response to RISKS' Anonymous Post attacking AIS BBS

((The following appeared in Risks Digest, #14.68, ten issues after the original post appeared)).

In Risks (Vol 14 #58) appeared a post, part of which is reprinted below, that makes us appreciate freedom of speech and information exchange we enjoy in the U.S. The primary risk I've learned after reading the post is that anonymous posters with an axe to grind are potential threats to freedom of expression.

Two anonymous posters falsely depict AIS BBS, a bulletin board run by Dept of Treasury/Office of Public Debt personnel as a public information service, as a board engaged in "unethical, immoral, and possibly illegal activities:"

>Date: Fri, 7 May 93 11:18:17 -0500
>From: Anonymous
>X-Notice: This message was forwarded by a software-
>  automated anonymous remailing service.
>
>This text was forwarded to me by a friend and professional colleague
>in the UK. I am dismayed that this type of activity is being condoned
>by an American Governmental Agency. I can only hope that this
>operation is shut down and the responsible parties are reprimanded. I
>am extremely disturbed by the thought that my tax money is being used
>for, what I consider, unethical, immoral and possibly illegal
>activities.
>
> ---- begin forwarded message -------------
>
>AIS BBS Capture log.
>
>To: all interested parties, especially Americans who may wish to ask
>relevant questions of relevant people.
>
>Capture log from a BBS that claims to be run by the US Treasury
>Department, Bureau of the Public Debt. Notice - I have not verified
>that the US government is actually running this BBS, only that the BBS
>claims that it is.

The remainder of the anonymous post presents screen captures of directories and files to which the poster objects. Especially troublesome for the anonymous accusers are virus-oriented files.

AIS is a reputable and professionally run open-access BBS. It has one of the most extensive collections of text and other files related to all aspects of security in the country.
Some may object to some of the materials, just as some might object to RISKS DIGEST or CuD being "funded" with taxpayers money. It strikes me as reprehensible to take selected material out of context and piece together an image of immorality or worse by presenting a misleading image of the materials on the BBS and the purposes for which those materials are intended. That the accusers make their claims while hiding behind the cloak of anonymity strikes me as the type of cowardice associated with witch hunts.

The anonymous posters seem to be bothered by the existence of virus source code on the board. I wager one would learn far more about virus writing and distribution tactics from VIRUS-L than from the AIS files, but the two anonymous posters seem to be part of a handful of strident pseudo-moral entrepreneurs who feel that only the information they judge as appropriate for public consumption should be made available. I'm surprised that the anonymous critics did not also include a demand that public libraries also be closed.

It is one thing to disagree with the position of another and raise the contentious issues as a matter of public debate. It is quite another to engage in the cowardly act of anonymously distorting the function of a legitimate and widely-used BBS by insinuating "unethical, immoral, and possibly illegal activities."

CuD ran an interview with the AIS BBS personnel (CuD 4.37, 1992), and a few excerpts may put the purposes of AIS BBS in perspective:

*** begin excerpts ***

Q: What is this Board? (name, number, who runs it (dept & sysop). What kind of software are you using? When did the Board go on-line?

A: The Bulletin Board System (BBS) is run by the Bureau of the Public Debt's, Office of Automated Information System's Security Branch. The mission of the Bureau is to administer Treasury's debt finance operations and account for the resulting debt. The OAIS security branch is responsible for managing Public Debt's computer systems security.
The AIS BBS is open to the public and the phone number for the Board is (304) 420-6083. There are three sysops, who manage the Remote Access software. The BBS operates on a stand-alone pc and is not connected to any other Public Debt systems. The Board is not used to disseminate sensitive information, and has been up operating for the past 15 months.

<>

Q: What are the goals and purposes of the Board?

A: The BBS was established to help manage Public Debt's security program. Security managers are located throughout Public Debt's offices in Parkersburg, WV and Washington DC. The security programmers saw a need to disseminate large amounts of information and provide for communication between program participants in different locations. Because the Board was established for internal purposes, the phone number was not published. However, the number was provided to others in the computer security community who could provide information and make suggestions to help improve the bureau's security program. Gradually, others became aware of the Board's existence.

Q: What kinds of files and/or programs do you have on the Board? Why/how do you choose the files you have on-line?

A: There is a wide variety of files posted. In the beginning, we posted policy documents, newsletter articles from our internal security newsletter, bulletins issued by CERT, such as virus warnings, and others for internal use. I located some "underground" files that described techniques for circumventing security on one of the systems we manage. The information, from Phrack magazine, was posted for our security managers to use to strengthen security. When we were called by others with the same systems, we would direct them to those files as well. Unexpectedly, the "hacker" that had written the file contacted me through our BBS. In his article he mentioned several automated tools that had helped him take advantage of the system. I requested that he pass on copies of the programs for our use.
He agreed. This is how our "hacker file areas" came to be. Other hackers have done the same, and we have also received many files that may be useful. It is, indeed, an unusual situation when hackers and security professionals work together to help secure systems. However, this communication has been beneficial in strengthening an already secure system.

Q: How did you get the idea to set it up?

A: The security branch accesses many BBSs on a daily basis for research purposes, information retrieval and to communicate with others. Since our security program is decentralized, the BBS seemed to be an effective way of communicating with program participants in diverse locations.

Perhaps the anonymous accusers are correct: Some types of information may pose a risk if abused. But, in an open democracy, the potential for abuse has been neither a necessary nor a sufficient justification to silence those with whom we disagree. If potential for abuse were a primary criterion for suppressing the flow of information and freedom of expression, we would live in a rather silent world, and there would likely be no RISKS digest (which arguably subverts the national interest by undermining faith in computers and in government, all of which is largely done with public funding).

Hiding behind anonymity to reduce the risks of accounting for their accusations, the anonymous posters call not only for silencing, but for sanctions against the sysops. This suggests several risks:

1) Posters who are unwilling to accept responsibility for their claims are more able to distort information in ways that leave the target vulnerable and unable to face their accusers.

2) Anonymous posters who call for silencing and sanctions on the basis of unexamined and questionable claims create a chilling effect on freedom of expression.

3) Anonymous posters with an apparent axe to grind contribute to poisoning the well of free information and reduce the opportunity to openly discuss and debate issues.

Our society can far more readily tolerate the existence of information that some may find inappropriate than we can risk the censorship of information because it offends a few zealots engaged in a form of cyber-guerilla warfare by making anonymous claims.

Jim Thomas
Cu-Digest
Sociology/Criminal Justice
Northern Illinois University
DeKalb, IL 60115

------------------------------

Date: Thu, 13 May 93 12:46:19 EDT
From: Frank Tirado
Subject: File 3--Response to Anonymous: AIS BBS

I'm concerned about the implications of the message contributed by "Anonymous" on the AIS BBS. The message implies that surely any "right-thinking" person would agree with the statements presented. So sorry! I have a totally different opinion as regards the conclusions presented by "Anonymous".

First, let's get a few things out in the open:

a. The AIS BBS is a real BBS run by the Bureau of Public Debt.

b. Its phone number is (304)420-6083

c. While the BBS does post virus source code, these comprise at most about 40 files, a minute fraction of the files available on the board. (In fact, I have several HUNDRED virus sources in my collection, none of them acquired from the AIS BBS)

Both "Anonymous" and his/her UK colleague decry the fact that virus source code is available from the BBS and label it a virus exchange board. The truth is that the board provides these and other files to individuals who are for the most part security professionals who have a very real interest in the workings of viruses and other types of underground activities.

"But", you say, "there's no security! Anyone could get on the board and get access to all that nasty source code!" Well, it's possible but so what? What about all those underground boards where it is possible to leech entire file bases of virus source code AND live viruses?! By comparison, attacking a board which serves mainly security professionals is a purely picayune endeavor.
Besides, almost to a one those who frequent virus exchange boards are leery of the AIS BBS because it's a FEDERAL BOARD! It just HAS to be a sting!

"Anonymous" expresses concern about what he/she considers "unethical, immoral and possibly illegal activities". This is simply an opinion; obviously, my opinion is diametrically opposite, and just as strongly held as that of "Anonymous". Who's to say who's right, who's wrong? Besides, the law that says viruses are illegal has yet to be passed, not to mention formulated, here in the US. In addition, "Anonymous" neglects to point out in what way virus source code is immoral and unethical. I imagine that falls under the category of what every right-thinking person "knows".

"Anonymous" and his/her colleague pretend to remain anonymous for reasons of privacy and fear of reprisals. Let's be real here! Is the Bureau of Public Debt going to send the BBS police to their homes to rip out their PC's?; hire a squad of Palestinian hitmen to shoot them full of holes? For having simply expressed their opinions? Not at all. The only possible reason for anonymity is that they have some kind of vested interest in shutting down this BBS.

The original message was forwarded to "Anonymous" by his/her colleague in the UK. The UK? Gee, that's odd. At a recent conference in New York, Alan Solomon specifically targeted the AIS BBS. Could it be these two individuals are one and the same?....... Perhaps if "Anonymous" and colleague reveal their real names we'll have a better idea of their true motives.

Then again, maybe I'm the one who's wrong. I should join them and after we shut down the AIS BBS we can shut down the boards which carry hacker files. We can follow that up by shutting down the ones which provide information on how to build explosive devices. We can continue with the libraries, because they're bound to have something offensive, too.

Knowledge is not going to go away just because we don't like it or because we don't want it in someone else's hands. Shutting down a BBS simply because it carries source code is, in this case, at best petty. Shutting down the AIS BBS for this reason will deny security professionals a valuable resource. Most importantly, shutting down the AIS BBS will do nothing to stop the proliferation of virus source and live viruses. "Anonymous" and his/her colleague will have achieved nothing, no one will have benefited.

------------------------------

Date: Thu, 20 May 93 11:52:18 EDT
From: Paul Melka
Subject: File 4--A User's View of AIS BBS

After reading the Risks 14.58 issue concerning the US Treasury Department's Bureau of Public Debt BBS, AIS BBS, I feel like I must respond to some of the claims of the anonymous writer.

First, as a security professional, I have found the information on the AIS BBS extremely helpful to me in the performance of my job. This information is provided primarily for the use of the BPD, and is made available upon request to other interested parties. This board is not the only security-related board in the country. There are a number of other boards, such as ComSec, that provide similar information to security professionals.

Second, although the board does provide virus disassemblies and hacker files, this information is for the use of security professionals to help in their understanding of the inner workings of viruses, or to see possible security holes in their systems that are common knowledge to crackers and phreakers. This information is of little or no use to budding virus writers or hackers because there already are a plethora of virus exchange boards or hacking boards that are very easy to get access to. In fact you can go to your local book store and order a copy of Mark Ludwig's Little Black Book of Computer Viruses.
This book would be much more helpful in learning about how to write a computer virus, than any disassembly could possibly be. Maybe we should go back to book burnings too!

Third, the board provides a neutral area for security professionals and "hackers" to have the opportunity to exchange view points. All someone has to do is scan the user list to see the number of security professionals and anti-virus professionals that have been on the board. If this board is so tainted, what are all these respected professionals doing on the board?

Finally, the anonymous writer's fear of reprisal is ridiculous. The last thing that the FBI or Secret Service or anyone else is going to worry about is a board that is legitimately helping to increase the level of security awareness among professionals. What is the Treasury Department going to do to this individual - raise his taxes? This board is very professionally run and is one of the most positive benefits of my tax dollars that I have seen.

The anonymous sender ends by asking, "Who watches the watchers?" and I can only respond, each and every one of us. If this board were as evil as we are led to believe, there would be such an outcry from security professionals all over the country to shut it down. But when hundreds of people are getting positive benefits from it and only a handful of people have a problem with it, I say leave it alone. The AIS BBS was designed to be used by security professionals and security professionals are benefiting from it. Certainly the anonymous sender is entitled to his opinion and feelings, but so are the rest of us.

------------------------------

Date: Mon, 21 Jun 93 21:18:31 EDT
From: Urnst Kouch <70743.1711@COMPUSERVE.COM>
Subject: File 5--Fear and Loathing: On the Virus Code Trail at AIS

((Urnst Kouch is editor of CRYPT NEWSLETTER. Additional details on the background of the incident and those involved can be found in CRYPT NEWSLETTER #16)).

FEAR AND LOATHING: ON THE VIRUS CODE TRAIL AT AIS

On Saturday, June 19, the national press suddenly reared up and without warning, mangled the reputation of one of the finest, most professional security experts I know, Kim Clancy of the Bureau of Public Debt's Security Branch.

I rolled out of bed Saturday morning, plugged into Compuserve's Today's News and was promptly crushed by the brazen stupidity of reporter Charles Bowen's newspiece, "GOVERNMENT BBS SAID TO HAVE AIDED COMPUTER INTRUDERS AND VANDALS".

Bowen plagiarized the lead, "A government spokesman says an obscure bulletin board system run by a federal agency apparently helped computer vandals commit electronic sabotage," directly from a same-day Associated Press story called "Dial-A-Virus".

But neither Bowen nor the AP offered a solitary shred of proof, other than this outrageously leading statement, loosely attributed to Public Debt spokesman Peter Hollenbach, that Kim Clancy's AIS BBS has ever been responsible for abetting documented cases of hacker intrusion or computer vandalism by virus.

Further, Bowen reported, "The [Washington] Post says that among the visitors to the system were computerists using handles such as 'The Internet Worm,' 'Satan's Little Helper' and 'Dark Avenger's Mutation Engine.'"

The Washington Post story, reported by Joel Garreau, said nothing of the kind, leading me to believe Bowen is either a functional illiterate or willfully slack. Indeed, anyone who has visited AIS knows beyond a shadow of a doubt that the system NEVER supported handles of such nature. [Of course, Bowen can respond by blaming it on a copy editor and/or tight deadline, the last, best defense of lazy, inaccurate newsmen the country over.]

These vague insinuations, however, were as nothing compared to the wellspring of the controversy, Garreau's "Treasury Exposed Computer Virus Info; Whistleblowers Halted Display Available To Anyone With A Modem" which brought into the public glare the chain of events that resulted in the removal of hacker tools, text files and commented virus source code from AIS. Although Garreau's story attempted to present a number of sides it was packaged so that a general reader would get a picture of a mad-dog government agency, finally "muzzled" after distributing dangerous code to "every maladjusted sociopath with Coke-bottle-bottom glasses." More savagely irresponsible was the sideborn statement that treasury officials had neglected to "discipline" Clancy, instead merely removing the dangerous information from her system. It was a real rabbit punch; a cheapjack, ham-handed slam on Kim Clancy, successful in portraying her as someone who spends her worktime beta-testing intrusion software against her own department so that hackers might optimize their methods for computer subversion and vandalism. This is hair-raising stuff, to be sure, for a general readership, but not the real truth. It is my understanding, and something I've seen Kim Clancy make clear in lectures to many computer workers, that the whole point of working with hackers on the development of "Tone-Loc" software was so that it COULD and WOULD be supplied to interested security personnel who would use it to gain an understanding of how to harden their systems against tools employing similar technology. This is emphatically not the handiwork of someone who should be disciplined or professionally tarred, but the work of someone who Bruce Sterling, not me, says is "probably THE BEST THERE IS [emphasis mine] in the federal government who's not military or NSA. Probably better than most CIA." 
Unfortunately, Sterling's appraisal was buried near the end of the story, after all the cracked shouting about aiding hackers and computer criminals.

But I've walked away from the real nut of the matter: the presence of commented virus source code at AIS. The significance of this is, in my opinion, beyond the current ability of mainstream journalists to evaluate simply because the vast majority of them have little technical grasp of the byzantine reality of computer security, what viruses are, how they work and don't work and where you find virus source code. Certainly, The Washington Post story did nothing to convince otherwise.

Consider these statements from The Post and some stony facts:

>>According to software writers, with the AIS information "relative amateurs, could create new viruses."

This is dangerously misleading. As point of fact, relative amateurs DO, not could, create new viruses from source code and they've done so for a long time before the advent of AIS. That AIS would be responsible for such a development, which is already fact, is frankly idiotic.

>>Virus source code at AIS "is worse than making live viruses available. A person without the skill to write a brand new virus could nonetheless produce a variation on an existing one . . . If sufficiently mutated, the virus might slip past anti-virus programs designed to look for known products."

This presumes that most virus-writers, would-be virus-writers and "Coke-bottle glasses-variety sociopaths" have little access to source code. This is not even close to being true. Virus source code is now commonplace on professional, semi-professional and amateur BBS's run by every stripe of user across the country. In fact, it is almost as common as pirated software and pornography in some locales. Surprisingly, the higher quality virus disassemblies stocked on such BBS's are often the handiwork of anti-virus researchers and software developers.
Strangely, this has never been reported by a mainstream newsman, perhaps because "designated experts" often come from the same pool of researchers and developers.

". . . some computer professionals minimize the risk, saying the software on [AIS] was acquired through the computer underground in the first place, and thus has always been available to miscreants with sufficient contacts, tenacity and skill."

This is a particularly nasty one because it's presented as justification by those attacked and seems true. It's not. It requires NO tenacity or particular skill to get hundreds of viruses and assorted source code listings. Unlike the stunt of hacking a mainframe from a dial-up, which often requires great patience, a brute-force approach or some technical skill as substitute, from teenagers to middle-age men, anyone with a PC and a modem can dig up a BBS devoted to virus code in almost no time. Yes, they are that common.

Why should this be? Where have all those live viruses come from? Paradoxically, many of the virus files on these BBS's bear the electronic mark of software developers like Certus International, S&S International and security organizations such as the National Computer Security Association. Damn. How DO "relative amateurs" get ahold of those samples? Of course, they could all be forgeries, the work of some dangerous psychopath. Yeah, right.

In any case, the only people who can't access the hacker files anymore are the security people. And the real story may boil down to what I call the "You dunno this information, it's too dangerous and you don't have any business knowing about viruses and hacker files so leave it to us anonymous security experts and anti-virus researchers because we're here to serve and protect and we'll take care of all that stuff, thank you" explanation. It is the very essence of professional arrogance and hubris, in my estimation.

There is, obviously, much more which should have been addressed by the mainstream media.
Why hasn't it, then? Because it's not as sexy a story as the visceral blurt of noble civil servant whistleblowers bringing down a renegade government security BBS pursuing new ways to pervert the public trust out on the rim of cyberspace. And it would take time; it's a story that couldn't be researched and rushed into print in a week. It's complex, you see, and would be a great deal longer than the piece which ran in America's finest newspaper, The Washington Post.

So maybe we should all forget about fairness, because if it can't get into print at The Post, where will it?

I hope Kim can continue her fine work and I'm angry at the stupid treatment this controversy has received at the hands of the newsmedia, so I'm writing to you about it because if I don't, I just might have to scream.

------------------------------

Date: Thu, 9 July 1993 23:11:17 CDT
From: Jim Thomas
Subject: File 6--Media, Anti-virus personnel, Ethics, and AIS

There are no winners in the AIS BBS incident. The sysop, considered an exceptionally professional and helpful security specialist, is known for attempting to bridge barriers between competing groups, such as law enforcement and "hackers," in the belief that one way to reduce abuses by all sides is through education.

The anonymous poster(s) won a short-term victory in that the "underground" files were removed from the board. Peter Hollenbeck, Department of Treasury spokesperson for the incident, indicated that there were no plans to take the board down. However, he explained that after a review of the board's mission, it was decided that "underground" files, which included Cu Digest, would be removed. As of 11 July, AIS was still functioning, and the following log-in screen appeared:

+++ begin login screen +++

        U.S. Department of the Treasury
           Bureau of the Public Debt
    Office of Automated Information Systems
            A.I.S. Security Branch
          On-Line Information System
      (call 304-480-6083 after 6/21/93)

We recently reviewed the information posted on this bulletin board. As a result of this review we have decided to remove the "underground" files and will not post similar information in the future. We concluded that making this type of information available through this facility is not in the best interest of the Bureau of the Public Debt.

+++ end login screen +++

Should the AIS BBS have made available to the public so-called "underground" files that included virus source code? Persuasive arguments can be made on both sides. My intent here isn't to recreate those arguments, but to briefly examine the process by which the incident evolved. Here are a few points overlooked by the media and others.

First, according to CuD sources, attacks on the AIS BBS began as early as March, 1993, at the IEEE Computer Security seminar in New York City. One vocal participant, believed by many to be one of the anonymous Risks Digest posters, encouraged his listeners to "do something" about AIS BBS.

The tandem "anonymous" posts were less than honest to the extent that, according to one AIS BBS user who did periodic log captures, the name of at least one of the posters, Paul Ferguson, had been listed in user files well before the anonymous post. Assuming that the "Paul Ferguson" on AIS BBS and the Paul Ferguson of the anonymous post are the same, the cryptic posturing of the anonymous Risks posts would seem dramatically deceptive. The feigned ignorance about aspects of the BBS, the professed fear of "retaliation," and the vengeful (and anonymous) call for punitive sanctions against the sysop seem more in line with an intentionally planned assault than with an ethical attempt to raise issues and generate debate.


No doubt that Paul Ferguson is sincere in his concerns about the "ethics" of making certain types of files available on a government BBS. However, it should also be noted that Paul Ferguson may stretch the ethical boundaries of truth when it suits him. For example, CuD has been informed that a letter over the sig of "Paul Ferguson" in which "reply" reached the same Paul Ferguson who acknowledged writing the anonymous Risks post, appeared to misrepresent himself in attempting to solicit information from a government employee. To establish credibility, he allegedly claimed to be working with the EFF and CPSR on issues that affect the computer and networking public at large. CuD contacted officials in both organizations, and the responses ranged from "we don't know him" to "it's news to us."

Anonymous postings calling for retributive sanctions and seemingly false misrepresentation of affiliations do not generally give one credibility.

A Fidonet reader forwarded a post that we find interesting. In a FIDO Virus_Info post under Paul Ferguson's header, the following appeared in response to a CRYPT NEWSLETTER article:

     Date: 12:38 pm Sun Jun 27, 1993     Number : 408 of 418
     From: Paul Ferguson                 Base   : FIDO - VIRUS_INFO
     To  : All                           Refer #: None
     Subj: AIS debate (part 1)           Replies: None
     Stat: Sent                          Origin : 26 Jun 93 00:45:00

     Mr. Corey Tucker sent an "advance" copy article written by George Smith (aka Urnst Kouch) which implied several items which were conjectured and seemingly allusions. I posted a prior response, but additionally, I'd like to post an article also written by Kouch which outlines Clancy in the CRYPT newsletter #13, in which more altruistic mentalities are discussed. I believe this is valid; it reflects the entirety in which this whole fiasco existed. Additionally, I am also posting the Washington Post article, in its entirety, for information purposes.

     If the truth be known, Mr. Smith did the most damage to Kim Clancy's underground organization (and BBS) than anyone who may have followed, by the publication of this very article. No need to call this number, it ain't there anymore. Not only did Mr. Smith (Kouch) nail Clancy's coffin, he enabled others to do so on his behalf.

Several questions arise, including the following:

First, what is the "underground organization" that Kim Clancy allegedly "has"? From law enforcement indictments, search/seizure affidavits and warrants, and press releases that we have seen in the past, such a phrase could, for the clueless, constitute felonious conspiracy. This is neither neutral nor innocent wording. It is the type of irresponsible accusation that (as we've seen from media accounts such as the Washington Post or Rep. Markey's letter to Secretary Bentsen) assumes a reality of its own. Is Paul Ferguson suggesting, as the post implies, that Kim Clancy runs an "underground" organization? Does Paul Ferguson actually believe that Kim Clancy is involved with illegal activity? Judging from his anonymous post, he actually so believes. If so, perhaps he could present evidence of illegal activity or "underground" leadership as he implies. If he cannot, then he owes Kim Clancy a public apology for subjecting her to the type of innuendo that has tarnished the reputation and threatened the career of a dedicated civil servant.

Second, Paul Ferguson strongly suggests that the board is no longer in service. Consider this wording:

     No need to call this number, it ain't there anymore. Not only did Mr. Smith (Kouch) nail Clancy's coffin, he enabled others to do so on his behalf.

Let's keep some facts straight. "Mr. Smith (Kouch)" did *not* "nail Clancy's coffin." Paul Ferguson and his friends did with anonymous inflammatory posts and with other posts that irresponsibly suggest illegal and "underground" activity. Contrary to Paul Ferguson's claim, the board remains operative.
Notices, announcements, and other information sources over the past few months alerted callers to the Parkersburg Bureau of Public Debt offices that the old prefix would be changed to "480." One CuD informant indicated that Ferguson knew of this change prior to the date listed on the above post. If so, the wording of the passage cited above is duplicitous. If Paul Ferguson did not know of the change, then his professed knowledge of AIS BBS is less than credible.

Now, let's examine the Washington Post article (June 19, P. 1) that covered the story. Joel Garreau, the author, is reputable and has established his credentials as a fair journalist. We have no doubt that he tried to present a balanced view of what he considered a newsworthy story. However, there are several troubling aspects of the story. The story begins:

     *Treasury* Told Computer Virus Secrets
     Whistleblowers Halted Display Available to Anyone With a Modem.
     The Washington Post, June 19, 1993, FINAL Edition
     By: Joel Garreau, Washington Post Staff Writer
     Section: A SECTION, p. a01

     For more than a year, computer virus programs that can wreak havoc with computer systems throughout the world were made available by a U.S. government agency to anyone with a home computer and a modem, officials acknowledged this week.

     At least 1,000 computer users called a Treasury Department telephone number, spokesmen said, and had access to the virus codes by tapping into the department's Automated Information System bulletin board before it was muzzled last month.

     The bulletin board, run by a security branch of the Bureau of Public Debt in Parkersburg, W.Va., is aimed at professionals whose job it is to combat such malicious destroyers of computer files as "The Internet Worm," "Satan's Little Helper" and "Dark Avenger's Mutation Engine." But nothing blocked anyone else from gaining access to the information.

Let's look at just a few issues.

First, there is considerable room for legitimate disagreement over whether this is a newsworthy story. However, if it is deemed newsworthy that one government agency provides information that some see as "dangerous," then the same standards of newsworthiness ought be applied to all other government agencies that release "sensitive" information in a variety of documents that is equally "dangerous." In fact, what the reporter completely ignored in the story is the issue of accessibility to all types of information. If we are going to "muzzle" a single information source, then why not "muzzle" government-funded libraries as well? Where does the "muzzling" line end? Who makes the decisions and by what criteria?

Second, the story emphasizes the concerns of AIS critics and despite interviews with persons who minimized the dangers and significance of the AIS BBS files, the counter interpretation was considerably downplayed.

Third, this was not a "whistleblowing" incident any more than would be a similar incident when an irate member of the public complains anonymously about the local public library carrying Playboy. Framing it as such distorts events.

Fourth, and although minor but not insignificant, the wording of the article is less than neutral. Exaggerating the "virus" dangers, framing the incident as "whistleblowing," referring to "hacker tools" without also explaining their relatively innocuous nature and public availability of these specific "tools," and other rhetorical ploys seemed to pander to public virus hysteria.

Further, although a small point, it is not insignificant that a major quote was wrong. The anonymous post in the Post article was reprinted as follows:

     "I am dismayed that this type of activity is being condoned by an American governmental agency. I am extremely disturbed by the thought that my tax money is being used for what I consider unethical, immoral and possibly illegal activities...."

The original post read:

     I am dismayed that this type of activity is being condoned by an American Governmental Agency. I can only hope that this operation is shut down and the responsible parties are reprimanded. I am extremely disturbed by the thought that my tax money is being used for, what I consider, unethical, immoral and possibly illegal activities.

A seemingly minor alteration, but the elimination of the second sentence (without an elide or other indication) that calls for silencing and sanctions against the sysop omits a crucial bit of information.

It's also worth noting that the story refers to CuD as

     The magazine "...followed by those interested in the murky world of "hackers, crackers and phone phreaks. It is edited by Jim Thomas, of the sociology and criminal justice department of Northern Illinois University."

This would be akin to saying that The Washington Post is the preferred paper of drug kingpins interested in following the predatory exploits of their competition....while perhaps true in some vague sense, it conveys a grossly inaccurate image of both publications. CuD, as I carefully explained to the reporter, is read by a conservatively estimated readership of 80,000, most of whom are computer professionals, journalists, attorneys, academics, law enforcement, and others who are primarily interested in computer culture. CuD is read, as near as I can determine, by those looking for news, book reviews, conference information, research articles, debates, computer-related legislation, and information on virtually *all* aspects of computer culture. And, "Jim Thomas" is not simply "of" the sociology/criminal justice department at NIU, but a full professor with a credible list of books and articles on his vita, which I explicitly told the reporter. I'm normally quite modest about such things. However, the wording of the Post article is deceptively glib and irresponsibly distorts both the editorial purpose and content of CuD and the editor's status.
This might sound picky. Sadly, we've seen the Post article cited in Rep. Markey's letter to Treasury Secretary Bentsen, and I'd hate to have some "whistleblower" come unglued thinking that NIU is making hacker information (or worse) available to the public.

The story also errs (despite information the reporter was given) in claiming that the AIS BBS revealed its number in CuD last November. This is simply wrong. CuD possessed the number and contacted board personnel for an interview. The interview was cleared through the appropriate supervisors and spokespersons prior to publishing, and it was *NOT* revealed at the initiative of AIS personnel as the story claims. The reporter presumably had this information. Another small error, but one recreated in Rep. Markey's letter to Treasury Secretary Bentsen with a demand for accountability for the act, which in fact did not occur.

These are not the only errors or problems with the story. Individually, they are relatively minor faux pas. But, in the aggregate, they create an inaccurate image of events and exaggerate the significance of the "story." Because of the visibility of the Post, the story became national news and was carried on, among other outlets, CNN and the Associated Press wires. For some, appearance of "facts" in national media is sufficient to verify accuracy, and little attempt is made to dig below the surface. Although the Post reporter was far more conscientious than most media folk, and although he was sincere in his attempt to present a balanced story, the final product was questionable. To my mind, this may say more about the nature of media and the emphasis on a "sexy" slant and the appropriate discourse for such a slant than on the abilities of the reporter, Joel Garreau, for whom I have considerable personal and professional respect.

A final point is worth noting. The Post article quotes the anonymous risk poster (Paul Ferguson) early in the story.
Then, in the paragraph immediately following, it quotes Paul Ferguson to give credibility to and elaborate on the anonymous post without mentioning that Paul Ferguson was the anonymous poster. The reporter was told by voice and by e-mail *prior* to the story that Ferguson and the anonymous poster were the same. Yet, no mention was made, and the two quotes were sequenced as if they were separate voices. Others can judge the ethical implications of this for themselves.

Because of the Risks post and the Post story, the AIS BBS incident has assumed a significance beyond any reasonable reality. One writer of "cyberspace" fiction and non-fiction reportedly called Kim Clancy the "Cyber Joan of Arc." It fits. Ms. Clancy is not a politician, not a political activist, and not a trouble-making bureaucrat. She is a sensitive, dedicated government official who believes that sharing legal information and engaging in dialogue is the best way to curtail computer abuse. Her "crime" was in over-estimating the good-will of others and in assuming that her critics preferred dialogue to mean-spirited action. This incident is not one of a "victimized" class resisting the tyranny of a powerful government official. Instead, it reflects a sad situation in which some persons, both intentionally and inadvertently, combined to create a nasty situation based on innuendo and misinformation to create a drama in which there are only losers.

Sadly, I must make one final comment. It's said that some people, angered at this affair, are planning to retaliate against those judged responsible. This would be an ethically bankrupt response. Predatory behavior decivilizes cyberspace just as it does the "real world." The best response to cyber-conflict usually is to air disputes in public and debate them aggressively and honestly. We need fewer, not more, razorblades in the sand if we're to create a civilized environment.

------------------------------

End of Computer Underground Digest #5.51
************************************