****************************************************************************
>C O M P U T E R U N D E R G R O U N D<
>D I G E S T<
*** Volume 1, Issue #1.12 (June 10, 1990) **
****************************************************************************
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.
--------------------------------------------------------------------
DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators. Contributors assume all responsibility
for assuring that articles submitted do not violate copyright
protections.
--------------------------------------------------------------------
In This Issue:
File 1: Moderators' Corner (news and notes)
File 2: From the Mail Bag
File 3: Another CUCKOO'S EGG Review (By Charles Stanford)
File 4: Pat Townson Interview with David Tomkin (reprint)
File 5: Where are they Now? (Tracing CU Magazines)
--------------------------------------------------------------------
You can get a directory by specifying the CuD directory
in the path (ie... ftp> dir tmp/ftp/CuD.)
# ftp 128.95.136.2
Connected to 128.95.136.2.
220 blake FTP server (Version 4.174 Sat Apr 1 06:11:40 PST 1989) ready.
Name (128.95.136.2:llo): anonymous
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> bin
200 Type set to I.
ftp> mget tmp/ftp/CuD/*
ftp> bye
221 Goodbye.
# uncompress CuD_1.*
That should do it.
:NOTE: The above command 'mget CuD*' will retrieve all of that publication.
You could just as easily type: 'cd tmp/ftp/CuD' and then 'ls' or 'dir' to
see the files available to choose from.
We remind contributors to be sure that copyrights are not violated. We
have been unable to reprint some news stories because they risk going
beyond fair use doctrine on copyright stories. For the time being, we are
also restricting some files until legal issues surrounding them are
resolved. Unfortunately, prosecutors are less than open about what
constitutes an "illegal file," so we are erring on the side of caution.
This is one example of the CHILLING EFFECT. The legality of information
dissemination is decided after the fact, leaving sysops, moderators, and
others, in a rather precarious state.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+ END THIS FILE +
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+===+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
----------
IN THIS FILE:
1) Clarifying the CU
2) State of CU law in Canada
------------
-----------
%The author of this note requested anonymity. His comments indicate
the importance of clarifying what computer hobbyists are all about.%
------------
It is kinda strange,the first thing I read about hacking was Stoll's
"Cuckoo's Egg" and while reading I felt uncomfortably torn between these
"monster's and ogres" as he called them and my sense of right and wrong. I
definately felt drawn toward the hackers, but felt as if I was wrong for
feeling that way. Everything I have ever heard about hacking was put in a
negative light. Criminals, vandals etc.
My recent exposure to the world of computers has been, in retrospect, very
enlightening. I immediately upon working with computers at work dove into
books about DOS and such. I constantly sought ways around our menu system,
although the techniques I used were very very elementary, I felt a sense of
accomplishment when being able to circumnavigate this login program. I also
messed a lot with setting things up to happen when certain people logged on
- practical jokes self deleting batch files and shit like that. I guess
what I am trying say is that I never equated myself with hackers. The
media has done a good job of controlling my thoughts about hackers, I have
thought of them as criminals, and deviants who break in to systems and at
times mess with other people lives, as in the case of Stoll's book as he
described the medical research systems break in. Don't get me wrong - I am
not saying that I am a Hacker but was not aware of it, I am saying that I
seem to have the same drives and motivations. I think to be a hacker that
it requires a lot of time and dedication, something to work towards. That is
something I plan to work on <grin>.
All in all, I just wanted to say I am glad I found a CUD issue on a local
(so called respectable) bbs. It has opened a whole new world to me, where I
already feel at home. I have a long way to go and a lot to learn, but that's
all right. The only thing that concerns me is that it is very difficult to
not feel the paranoia with all the busts. However, if I use my head and not
be foolish, I think I will be all right. There are a lot of good guys out
there who are helping me out. It is hard to establish trust. Some doubt has
been thrown my way, in my defense I was going to reply that the SS won't
ask the naive questions that I ask at times, but from all I here about the
SS, they don't seem to bright :-)
If your Digest has done anything to change peoples perception about the
current state of affairs concerning the world of hacking, it has changed
mine. Thank you.
---------------------------
State of the Law in Canada
----------------------------
Here are several excerpts from an article, titled: The Changing Face of
Computer Crime, appearing in the May, 1990 issue of Toronto Computes!.
"Time is also in favour of the culprit," says Sgt. Greg Quesnelle of
the anti-rackets branch of the Ontario Provincial Police. "A computer
crime committed years ago may go unnoticed or unreported. As a result
physical evidence could have been removed or destroyed. If witnesses
are available and can be located it is very difficult to obtain
information from people who can no longer recall events as they
occurred.
"The police investigator is bound by the rules of evidence according
to law when investigating computer crimes whereas the criminal has no
such restrictions. In order to obtain information pertaining to a
suspect located on a computer data base a Criminal Code search warrant
must be authorized, whereas a culprit may quickly and illegally hack
access to information located on a computer mainframe," says Sgt.
Quesnelle.
--------------
A little further on in the article we have comments attributed to a
spokesperson from the Royal Canadian Mounted Police. . . . .
--------------
If a suspect can be traced, things don't become much easier for law
enforcement officers. Unlike laws regarding drugs or a stolen car,
there is no legislation to prosecute someone simply because they
possess stolen data, says Sgt. King.
--------------
That's the state of things in Canada. This should be taken, however, to
mean that there are no means to fight _computer_ crime. Getting caught in
the act of taking data without authorization would most probably leading to
criminal proceedings and/or civil suit.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+ END THIS FILE +
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+===+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Stoll, Clifford. The Cuckoo's Egg. Doubleday, 1989. 326 pp.
(Reviewed by Charles Stanford)
Stoll's work has received extremely mixed reviews, and most of the
reviews were based on the reviewers' personal attitudes towards computer
use. This review is no exception, but it does attempt to address some of
the literary concerns that should arise in a book review.
Stoll takes us on a "spy hunt" -- it is not a fluke that the book is
located right next to "I Led Three Lives" and other laughable works of
espionage fiction disguised as reporting. His grant money "ran out" and
so, to keep eating, he begins to work for the computer center in Berkeley.
(No explanation of why it "ran out." Did he complete the work? Was his
renewal rejected through the "peer review process?" Did he even try to
renew?) There is a 75 cent shortfall and he is given the task of finding
out where that 75 cents went. He describes his subsequent activity with
remarkable candor, guilty as he may be of committing several crimes
himself. He finally gives information leading to the arrest, but not
necessarily the conviction, of a "hacker." That's about it.
One of the most annoying aspects of the book is not, however, Stoll's
pursuit of the hacker but his interminable self-justification and annoying
self-description.. One has the feeling that Stoll himself knows that his
activity was obsessive and nearly insane because he so often attempts to
justify it, painting himself as a liberal hippie type wearing blue-jeans
and complete with long hair and a "sweetheart" who can beat him at
wrestling. How cool it all is! Like, man, geez, like. We learn of him
putting his tennis shoes in the micro-wave and how he rides a bicycle to
work uphill and how he believes in love and trust and the Grateful Dead and
how he and his "sweetheart" eventually get married and live happily ever
after. He grows up, you see. Not since "Love Story" by Eric Seal have I
seen such a vapid piece of self-indulgence. I was about to say at least
Eric Segal . . . , but really could not think of anything that would
differentiate the two.
Almost at random, we can look at some of his less personal statements
and see this same thread: "As pure scientists, we're encouraged to
research any curious phenomena, and can always publish our results." (P.
15) Unfortunate that this particular "pure scientist" lost his grant. But
what about that curious phenomena? What about a strange computer or a new
computer? Is that not curious phenomena? No, because the "varmit" was a
"hacker" and therefore wearing a "black hat." No, I am not paraphrasing,
these are Stoll's actual words. He really isn't a hippy after all -- he is
a frustrated Hopalong Cassidy, the Lone Ranger with his faithful sidekick
"sweetheart," tracking down the varmits, by gum!
I have also heard that some of the techniques he describes in the book
have been used by "hackers" to gain access to mainframe computers but,
before you run out and buy the book on that account, allow me to present
some of the information Stoll gives. He starts out by trying to monitor
every single call coming into the computer, grabbing P.C.s from offices for
that purpose. He finally applies his expertise. He notices that the calls
come in at 1200 baud and are therefore from outside and would therefore
come in only on certain lines. Amazing bit of deduction, wouldn't you say?
You see, he points out, 1200 baud is a slower rate of transfer than 9600 or
more. And he even explains what "baud" is. With such esoteric information
as this getting out all over the country, I wonder why this book hasn't
been suppressed. We also learn that Kermit is a file transfer protocol.
Of course there are some things in the book that the normal 12 year
old with a Commodore 64 might not have known and this book is conveniently
written on that level. For example, if you want to logon to a Unix system,
try the password "root," logon "root." If that doesn't work, try "guest."
If that doesn't work, try UUCP. If you are 12, perhaps Stoll has sent you
on to a life of crime. On a VAX, try "system" account, password "manager,
"field, "service," and "user," "user." (p.132). And don't forget the
Gnu-Emacs hole (132-133). Of course, one would be much better off in
simply getting hold of a UNIX manual and reading it, but then he would not
have had the fun of learning all about "sweetheart" and her halloween
parties as well. I'd put the money on the manual. Actually, of far more
interest in this area would be the article he published on the subject
which is cited in the book ("Stalking the Wily Hacker," Communications of
the ACM, May, 1988).
More troubling is Stoll's use of the term "hacker." He uses it in its
popular, media, law-enforcement definition which is, loosely put, "varmit."
According to the HACKERS DICTIONARY, available from listserve@uicvm, this
is the definition of a Hacker:
HACKER (originally, someone who makes furniture with an axe n. 1. A person
who enjoys learning the details of programming systems and how to stretch
their capabilities, as opposed to most users who prefer to learn only the
minimum necessary. 2. One who programs enthusiastically, or who enjoys
programming rather than just theorizing about programming. 3. A person
capable of appreciating hack value (q.v.). 4. A person who is good at
programming quickly. Not everything a hacker produces is a hack. 5. An
expert at a particular program, or one who frequently does work using it or
on it . . . . 6. A malicious or inquisitive meddler who tries to discover
information be poking around.
Obviously, only the last, and least used, definition even remotely
approaches the term "varmit." Unfortunately, many hackers, when approached
by law enforcement officers, will readily admit to being hackers when
questioned about it. Don't make that mistake, varmits.
As a self-proclaimed hippie-type, Stoll has his greatest trouble in
explaining why he is so close to the CIA and FBI (which, by the way, had
the most sensible approach to this whole episode). Now what could you
possibly come up with to explain that sort of activity. Unfortunately,
being a hippie by self-definition, he could not use patriotism. He
couldn't say he was in it for the money (which he is, despite his
protestations to the contrary) since that is not hippieish -- it is
"uncool." He comes up with "trust." A nice, honorable, clean sounding
term. Yes, trust it shall be. You see, all the network users trust each
other, now don't they? The proposition is almost laughable to anyone who
has ever been on a network, but Stoll will talk about the community of
trust that has been established, a trust that is being destroyed and eroded
by varmits. His appropriation of that word is almost obscene when one
considers what his self-aggrandizement has done to that very trust he so
values.
One argument he uses to support his activities is that your own credit
information is in one of those systems. Now you wouldn't want that
available to the general public would you? Would you want a 12 year old to
know your buying habits? The fact is that corporate America knows this and
wants to keep it their exclusive domain. Whether the information is false
or not, they do not want you to know about it, but they will share it
amongst themselves. Sometimes they sell the information back and forth. I
think there is far more danger from that than there is from some "varmit,"
peeking into one of their systems. Those lily-livered, sap sucking,
sidewinders (sorry, couldn't help it).
Clifford Stoll now "... lives in Cambridge with his wife, Martha
Matthews, and two cats he pretends to dislike." (p.327) I think that is a
very touching, cute, detail about him, perfect to end the book because it
is typical of the sorts of things he litters the manuscript with
throughout.
This is where the review should end. It is neat, compact, obligatory
description, sustained attack, and has a cute ending to wrap things up, and
this is how I would end it if I were getting paid to write the review.
However, since I am not getting anything out of this, I feel free to add a
bit more, also gratis.
Since Stoll lists his E-Mail address, and since I like to be
thorough, I decided to write him a note and see what would happen. Why
should I just decided that he is posturing? Why not find out for sure?
Maybe the address does not work. What could be lost by trying? (Well, I
could have the three letter agencies after me but the pursuit of truth and
so on is more important --well, perhaps.)
At any rate, I had two major questions lingering in my mind: just
what was this grant all about and does he get much nuisance mail as a
result of publishing his E-Mail address. I sent the questions to his
number at about 3:30 my time and started to pack for a trip out of town.
Shortly thereafter, I logged on again to check last minute mail and to
delete a bunch of stuff and found this on my screen: "56 30 May
[email protected] Re: questions". Well, I could not just leave at that
point. Frankly, I was a bit surprised. I had expected to get some note
from somewhere along the networks to the effect that the user was unknown
or perhaps some indication that a trace had been started by some illiterate
narc.
Instead, Stoll had replied, almost immediately, to my note. Hm, he
seems to attend to his E-mail they same way I do mine. This is how he
answered the first question:
Grant money ran out? In short, the project moved to Hawaii. I
was on the design team for the Keck Observatory Ten Meter
Telescope. The Science Office, at LBL, designed the instrument.
As the design progressed into construction, there was less
research to do and more contract oversight. This, in turn, meant
that our grant money ran thin. So I began working part time at
the computing center.
And so, for lack of proper federal funding, the entire spy/witch hunt
began.
An interesting thing about this is what kind of astronomy is being
done? It reminds me of wanting at one time to be a cosmologist and being
deflected time and time again by other considerations. Stoll may have
started with an interest in the stars, perhaps in the origin of the
universe, but wound up working with the computers instead. Oh well,
nothing wrong with that, but interesting just the same. I wonder when he
last was able actually to look through a telescope.
The next question was a bit loaded as I knew he had gotten not only
nuisance mail but some pretty nasty threats. I also knew of some other
attempts, but no matter. His response is interesting:
Nuisance mail? Yes, a few morons send anonymous mail; I've
received threatening phone calls and such not. Compared to the
mountain of nice mail I've received, I'm happy that I published
my e-mail address. In fact, the best part of publishing the book
has been the letters. I answer each one personally - no form
letters or macros.
Cheers,
Cliff Stoll
So what does this indicate? He was not posturing! I remembered then
seeing him on CSPAN, an hour long interview with no commercial
interruptions and, at that time, I found it difficult to believe that he
was posturing, but now I'm even more certain. In short, he actually
believes what he wrote. There is probably not one false note in the book.
Which raises an even more troubling problem. I am able to understand
someone who pretends to be for such issues as "trust" in order to gain
acceptance -- almost every politician falls into this category and I grew
up in Chicago when Daley Sr. was Mayor. What is almost frightening is
someone who actually believes that he is making the world safe for
democracy, freedom, and the American way by camping out under his desk at
the computer lab with sixteen P.C.'s whirring away monitoring the
mainframe, rigging up a pager so that every time a call came in he could
peddle uphill in hopes of catching the miscreant.
But there is more. I wrote him another note. I wanted to
clarify a few other things. For example, I found the personal
parts of the narrative problematic. I told him so and asked him
if they were his idea or forced upon him by a zealous editor. I
asked a few other questions as well and he responded. However, I
also asked for permission to reprint his answers verbatim, but he
either overlooked the request or thought it irrelevant
considering his response which was, basically, to the effect that
I should go ahead with the review based on my response, not his
replies.
At any rate, the gist of the letter, a rather lengthy one, was that
one thing lacking in our culture is a popular literature relating to
technology and that he wanted to help correct this deficiency. In other
words, the book is not written for people who already know about computers
(indeed, this seems to be a major source of confusion on the matter), but
for the general public, the lay folk out there, who know nothing about
networks. The people who think anyone who works with computers is some
sort of recluse, a demented misfit. (Gordon Meyer's infamous Masters
Thesis comes to mind here.)
Stoll has an excellent point here -- we do lack such a
literature. Certainly, the work of Carl Sagan and earlier Isaac Asimov
served somewhat to breach this gap, but not the way Stoll's does. In fact,
I have already begun work on one of my own, tentatively titled "Cops,
Cuckoos, and Computer Jurisprudence."
In short, if you know a bit about computers and computer networks, are
familiar with UNIX and a few operating systems, you already know too much
to enjoy this book. If you are entirely ignorant of them and if you liked
Love Story, this is the book for you.
Charles Stanford
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+ END THIS FILE +
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+===+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
Date: Thu, 7 Jun 90 0:21:34 CDT
From: TELECOM Moderator <[email protected]>
Subject: Crackers, Kapor and Len Rose
I have been deliberating holding messages on Kapor and the cracker
situation which have arrived this week. Thursday evening there will be at
least two special issues devoted to this topic, and I will be picking
several messages to include. I was going to have one special issue, and
that would have accomodated only a few letters. A second issue will allow
me to include a couple lengthy replies. Because the topic is starting to
stray far away from telecom and into areas of the law and computer
security, etc, this will be the last batch I can print. Several of these
items Thursday night will be replies to me, which is the main reason I am
running them ... and I won't even be able to include all of them, so heavy
is the flow.
Late Tuesday night, David Tamkin and I had a chance to speak at length with
someone close to the scene involving Len Rose. Some things were off the
record, at the request of Mr. Rose's attorney, and I agreed to honor that
request.
Apparently the Secret Service seized *every single electronic item* in his
household -- not just his computers. I am told they even took away a box
containing his Army medals, some family pictures, and similar. It is my
understanding his attorney has filed a motion in court to force the Secret
Service to return at least *some* of his computer equipment, since without
any of it, he is unable to work for any of his clients at all without at
least one modem and computer.
I am told the Secret Service broke down some doors to a storage area in the
basement rather than simply have him unlock the area with a key. I am told
further that he was advised he could pick up his fax machine (which had
been seized, along with boxes and boxes of technical books, etc), but that
when he did so, he was instead arrested and held for several hours in the
County Jail there.
Mr. Rose believes he will be found innocent of charges (rephrased) that he
was the 'leader of the Legion of Doom', and that he had broken into
'numerous computers over the years'.
I invited Mr. Rose and/or his attorney to issue a detailed statement to the
Digest, and promised that upon receipt it would be run promptly. I don't
think such a statement will be coming any time soon since his attorney has
pretty much ordered him to be silent on the matter until the trial.
If the things he says about the Secret Service raid on his home are
determined to be factual, then combined with complaints of the same nature
where Steve Jackson Games is concerned I would have to say it seems to me
the Secret Service might have been a bit less zealous.
The revelations in the weeks and months ahead should be very interesting.
One of the items I will include in the special issues on Thursday night is
the report which appeared in the %Baltimore Sun% last weekend. This case
seems to get more complicated every day.
PT
------------------------------End of TELECOM Digest V10 #418
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+ END THIS FILE +
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+===+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
We're periodically asked what's happened to the various CU magazines that
have appeared over the years. Many were short-lived, others are still
going. We can't list them all, but here's a list of the most prominent:
2600 MAGAZINE: Probably the best of its kind, 2600 is still going strong.
2600 MAGAZINE is the primary source of information into the worldwide
hacking scene. From information on the inner workings of phone companies to
the latest security breaches on computer operating systems to the abuse of
technology BY the authorities, 2600 is a vital tool for anyone who wants to
know what is REALLY going on. Written by hackers for hackers and anyone who
wants to learn a thing or two.
Subscriptions are $18 US per year in U.S. and Canada for individuals; $45
for corporations and institutions; $30 individuals overseas; $65
corporations/institutions overseas. Back issues are available from 1984 for
$25 per year, $30 per year overseas.
The address of 2600 MAGAZINE is: 2600, PO Box 752, Middle Island, NY
11953. Telephone: (516) 751-2600, FAX (516) 751-2608.
------------
TAP: TAP, too, is still going. It's "anarchist" thrust seems to have
mellowed, but it is still a fine source of information. Copies are
available by sending a stamped, self-addressed envelope (or on some blurbs
just a stamp) to:
TAP P.O. Box 20264 Louisville, KY 40220
------------
PHRACK: Begun in November, 1986, PHRACK was the primary phreak/hacker
magazine. It was more than just a technical journal. Its profiles, world
news, and occasional pieces of satirical fiction made it the premier outlet
of its kind. Those who see it only as a primer for hacking have obviously
failed to read the entire work, and its "world news" alone was worth a
download. Thirty issues were put out before the January, 1990, indictment
of one of the co-editors, but it has since been resurrected (*NOT* by the
original editors) and PHRACK 31 appeared in late May, '90.
------------
PIRATE: Although only five issues have appeared to date, PIRATE provided
the most sophisticated overview of what pirating is. Apparently internal
disputes over whether it should be a broad-based journal or a "how to"
manual led to the original editors and contributors (who favored discussing
broad issues) leaving, and to our knowledge, #5 is the latest, and perhaps
last.
-----------
ATI: Anarchist Times, Inc., appears periodically. It is a cross between
PHRACK and TAP, and perhaps the most politically oriented of any of the
magazines. ATI can be downloaded from most good boards or from The Red
Board, its home base. To date, 48 issues have appeared.
-----------
SYNDICATE REPORTS: The Sensei are apparently still putting this out, and it
is available on the better boards. It should be added to our archives
within the next few weeks.
----------
P/Hun: A technical/anarchist type journal, P/Hun is a primer of sorts.
Although lacking the broad coverage of PHRACK, it provides an interesting
document for those interested in understanding this aspect of the CU. Issue
#5 appeared in May, '90.
-----------
LoD/H Technical Journal: The title is obvious. Only three issues appeared
(despite a typo in an earlier CuD). Issue #4 was aborted because of the
raids. It can be found on most CU boards.
---------
Other groups have put out editions. PTL's cracking manual, an ambitious
book-length primer on cracking tips, was intended to be followed by others,
but to our knowledge none have appeared. INC puts out an occasional
newsletter, most recently in a rather glitzy, but fun, .exe format.
"Hackers R Us" intended to publish a magazine, but we have seen nothing
after the initial issues. Cybertek (not the original) focuses on what its
name implies. Cybertek is available at Trash American Style, Milltown Rd.,
Danbury CT. The second issue should have appeared by now. Cult of the
Dead Cow (CDC) blurbs appear periodically, but the contents are usually of
little interest to any but a small group of dedicated heavy metal loving
anarchists. There are many, many others, but these seem to be the most
popular and widely disseminated.
--------------
Two Electronic mail digests also provide occasional, but limited, debates
and commentary on CU-related issues:
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
+ END THIS FILE +
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+===+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
