Computer underground Digest    Wed Sep 30, 1992   Volume 4 : Issue 47

      Editors: Jim Thomas and Gordon Meyer ([email protected])
      Archivist: Brendan Kehoe
      Shadow-Archivist: Dan Carosone
      Copy Editor: Rtaion Shrdleau, Esq.

CONTENTS, #4.47 (Sep 30, 1992)
File 1--Statement of Principle
File 2--NEW WINDO BILL (HR 5983)
File 3--"In House Hackers" (Excerpts from the WSJ)
File 4--Software Piracy: A Felony?
File 5--Hacker hits Cincinnati Phones

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost from [email protected]. The editors may be
contacted by voice (815-753-6430), fax (815-753-6302) or U.S. mail at:
Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL0 and DL12 of TELECOM; on Genie in the PF*NPC RT
libraries; from America Online in the PC Telecom forum under
"computing newsletters;" on the PC-EXEC BBS at (414) 789-4210; and by
anonymous ftp from ftp.eff.org (192.88.144.4) and ftp.ee.mu.oz.au.
Back issues also may be obtained from the mail server at
[email protected]
European distributor: ComNet in Luxembourg BBS (++352) 466893.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited.  Some authors do copyright their material, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
           the views of the moderators. Digest contributors assume all
           responsibility for ensuring that articles submitted do not
           violate copyright protections.

----------------------------------------------------------------------

Date: Wed, 23 Sep 92 22:15:02 EDT
From: [email protected]
Subject: File 1--Statement of Principle

Bruce Sterling
[email protected]
Catscan 10
From SCIENCE FICTION EYE #10

A STATEMENT OF PRINCIPLE

I just wrote my first nonfiction book.  It's called THE HACKER
CRACKDOWN:  LAW AND DISORDER ON THE ELECTRONIC FRONTIER.   Writing
this book has required me to spend much of the past year and a half in
the company of hackers, cops, and civil libertarians.

I've spent much time listening to arguments over what's legal, what's
illegal, what's right and wrong,  what's decent and what's despicable,
what's moral and immoral, in the world of computers and civil
liberties.   My various informants were knowledgeable people who cared
passionately about these issues, and most of them seemed
well-intentioned.  Considered as a whole, however, their opinions were
a baffling mess of contradictions.

When I started this project, my ignorance of the issues involved was
genuine and profound.  I'd never  knowingly met anyone from the
computer underground.  I'd never logged-on to an underground
bulletin-board or read a semilegal hacker magazine.   Although I did
care a great deal about the issue of freedom of expression, I knew
sadly little about the history of civil rights in America or the legal
doctrines that surround freedom of the press, freedom of speech, and
freedom of association.   My relations with the police were firmly
based on the stratagem of avoiding personal contact with police to the
greatest extent possible.  I didn't go looking for this project.
This project came looking for me.  I became inextricably involved when
agents of the United States Secret Service, acting under the guidance
of federal attorneys from Chicago, came to my home town of Austin on
March 1, 1990, and confiscated the computers of a local science
fiction gaming publisher.   Steve Jackson Games, Inc., of Austin, was
about to publish a gaming-book called GURPS Cyberpunk.  When the
federal law-enforcement agents discovered the electronic manuscript of
CYBERPUNK  on the computers they had seized from Mr. Jackson's
offices, they expressed grave shock and alarm.   They declared that
CYBERPUNK  was "a manual for computer crime."

It's not my intention to reprise the story of the Jackson case in this
column.   I've done that to the best of my ability in THE HACKER
CRACKDOWN; and in any case the ramifications of March 1 are far from
over.

Mr. Jackson was never charged with any crime.  His civil suit against
the raiders is still in federal court as I write this.

I don't want to repeat here what some cops believe, what some hackers
believe, or what some civil libertarians believe.   Instead, I want to
discuss  my own moral beliefs as a science fiction writer -- such as
they are.  As an SF writer, I want to attempt a personal statement of
principle.

It has not escaped my attention that there are many people who believe
that anyone called a "cyberpunk" must be, almost by definition,
entirely devoid of principle.   I offer as evidence an excerpt from
Buck BloomBecker's 1990 book, SPECTACULAR COMPUTER CRIMES.  On page
53, in a chapter titled "Who Are The Computer Criminals?", Mr.
BloomBecker introduces the formal classification of "cyberpunk"
criminality.

"In the last few years, a new genre of science fiction has arisen
under the evocative name of 'cyberpunk.'  Introduced in the work of
William Gibson, particularly in his prize-winning novel NEUROMANCER,
cyberpunk takes an apocalyptic view of the technological future.  In
NEUROMANCER,  the protagonist is a futuristic hacker who must use the
most sophisticated computer strategies to commit crimes for people who
offer him enough money to buy the biological creations he needs to
survive.  His life is one of cynical despair, fueled by the desire to
avoid death.  Though none of the virus cases actually seen so far have
been so devastating, this book certainly represents an attitude that
should be watched for when we find new cases of computer virus and try
to understand the motivations behind them.

"The New York Times's John Markoff, one of the more perceptive and
accomplished writers in the field, has written that a number of
computer criminals demonstrate new levels of meanness.  He
characterizes them, as do I, as cyberpunks."

Those of us who have read Gibson's NEUROMANCER  closely will be aware
of certain factual inaccuracies in Mr. BloomBecker's brief review.
NEUROMANCER is not "apocalyptic."   The chief conspirator in
NEUROMANCER forces Case's loyalty, not by buying his services, but by
planting poison-sacs in his brain.   Case is "fueled" not by his greed
for money or "biological creations," or even by the cynical "desire to
avoid death," but rather by his burning desire to hack cyberspace.
And so forth.

However, I don't think this misreading of NEUROMANCER is based on
carelessness or malice.  The rest of Mr. BloomBecker's book generally
is informative, well-organized, and thoughtful.   Instead, I feel that
Mr. BloomBecker manfully absorbed as much of NEUROMANCER as he could
without suffering a mental toxic reaction.  This report of his is what
he actually *saw*  when reading the novel.

NEUROMANCER  has won quite a following in the world of computer crime
investigation.   A prominent law enforcement official once told me
that police unfailingly conclude the worst when they find a teenager
with a computer and a copy of NEUROMANCER.   When I declared that I
too was a "cyberpunk" writer, she asked me if I would print the recipe
for a pipe-bomb in my works.  I was astonished by this question, which
struck me as bizarre rhetorical excess at the time.  That was before I
had actually examined bulletin-boards in the computer underground,
which I found to be chock-a-block with recipes for pipe-bombs, and
worse.  (I didn't have the heart to tell her that my friend and
colleague Walter Jon Williams had once written and published an SF
story closely describing explosives derived from simple household
chemicals.)

Cyberpunk SF (along with SF in general) has, in fact, permeated the
computer underground.  I have  met young underground hackers who use
the aliases "Neuromancer," "Wintermute" and "Count Zero."  The Legion
of Doom, the absolute bete noire of computer law-enforcement, used to
congregate on a bulletin-board called "Black Ice."

In the past,  I didn't know much about anyone in the underground, but
they certainly knew about me.  Since that time, I've had people
express sincere admiration for my novels, and then, in almost the same
breath, brag to me about breaking into hospital computers to chortle
over confidential medical reports about herpes victims.

The single most stinging example of this syndrome is "Pengo," a member
of the German hacker-group that broke into Internet computers while in
the pay of the KGB.   He told German police, and the judge at the
trial of his co-conspirators, that he was inspired by NEUROMANCER and
John Brunner's SHOCKWAVE RIDER.

I didn't write NEUROMANCER.   I did, however, read it in manuscript
and  offered many  purportedly helpful comments.  I praised the book
publicly and repeatedly and at length.   I've done everything I can to
get people to read this book.

I don't recall cautioning Gibson that his novel might lead to
anarchist hackers selling their expertise to the ferocious and
repulsive apparat that gave the world the Lubyanka and the Gulag
Archipelago.  I don't think I could have issued any such caution, even
if I'd felt the danger of such a possibility, which I didn't.  I still
don't know in what fashion Gibson might have changed his book to avoid
inciting evildoers, while still retaining the integrity of his vision
-- the very quality about the book that makes it compelling and
worthwhile.

This leads me to my first statements of  moral principle.

As a "cyberpunk" SF writer, I am not responsible for every act
committed by a Bohemian with a computer.   I don't own the word
"cyberpunk" and cannot help where it is bestowed, or who uses it, or
to what ends.

As a science fiction writer, it is not my business to make people
behave.  It is my business to make people imagine.   I cannot control
other people's imaginations -- any more than I would allow them to
control mine.

I am, however, morally obliged to speak out when acts of evil are
committed that use my ideas or my rhetoric, however distantly, as a
justification.

Pengo and his friends committed a grave crime that was worthy of
condemnation and punishment.   They were clever, but treacherously
clever.  They were imaginative, but it was imagination in a bad cause.  They
were technically accomplished, but they abused their expertise for
illicit profit and to feed their egos.   They may be "cyberpunks" --
according to many, they may deserve that title far more than I do --
but they're no friends of mine.

What is "crime"?  What is a moral offense?   What actions are evil and
dishonorable?  I find these extraordinarily difficult questions.   I
have no special status that should allow me to speak with authority on
such subjects.   Quite the contrary.  As a writer in a scorned popular
literature and a self-professed eccentric Bohemian, I have next to no
authority of any kind.   I'm not a moralist, philosopher, or prophet.
I've always considered my "moral role,"  such as it is,  to be that of
a court jester -- a person sometimes allowed to speak the unspeakable,
to explore ideas and issues in a format where they can be treated as
games, thought-experiments, or metaphors, not as prescriptions, laws,
or sermons.

I have no religion, no sacred scripture to guide my actions and
provide an infallible moral bedrock.  I'm not seeking political
responsibilities or the power of public office.   I habitually
question any pronouncement of authority, and entertain the liveliest
skepticism about the processes of law and justice.   I feel no urge to
conform to the behavior of the majority of my fellow citizens.   I'm a
pain in the neck.

My behavior is far from flawless.  I lived and thrived in Austin,
Texas in the 1970s and 1980s,  in a festering milieu of arty
crypto-intellectual hippies.   I've committed countless "crimes,"
like millions of other people  in my generation.   These crimes were
of the glamorous "victimless" variety, but they would surely have
served to put me in prison had I done them, say, in front of the State
Legislature.

Had I lived a hundred years ago as I live today, I would probably have
been lynched by outraged fellow Texans as a moral abomination.   If I
lived in Iran today and wrote and thought as I do, I would probably be
tried and executed.

As far as I can tell, moral relativism is a fact of life.   I think it
might be possible to outwardly conform to every jot and tittle of the
taboos of one's society, while feeling no emotional or intellectual
commitment to them.  I understand that certain philosophers have
argued that this is morally proper behavior for a good citizen.   But
I can't live that life.   I feel, sincerely, that my society is
engaged in many actions which are foolish and shortsighted and likely
to lead to our destruction.  I feel that our society must change, and
change radically, in a process that will cause great damage to our
present system of values.

This doesn't excuse my own failings, which I regret, but it does
explain, I hope, why my lifestyle and my actions are not likely to
make authority feel entirely comfortable.

Knowledge is power.  The rise of computer networking, of the
Information Society, is doing strange and disruptive things to the
processes by which power and knowledge are currently distributed.
Knowledge and information, supplied through these new conduits, are
highly corrosive to the status quo.  People living in the midst of
technological revolution are living outside the law: not necessarily
because they mean to break laws, but because the laws are vague,
obsolete, overbroad, draconian, or unenforceable.   Hackers break laws
as a matter of course, and some have been punished unduly for
relatively minor infractions not motivated by malice.  Even computer
police, seeking earnestly to apprehend and punish wrongdoers, have
been accused of abuse of their offices, and of violation of the
Constitution and the civil statutes.   These police may indeed have
committed these "crimes."   Some officials have already suffered grave
damage to their reputations and careers -- all the time convinced that
they were morally in the right; and, like the hackers they pursued,
never feeling any genuine sense of shame, remorse, or guilt.

I have lived, and still live,  in a counterculture, with its own
system of values.  Counterculture -- Bohemia -- is never far from
criminality.   "To live outside the law you must be honest" was Bob
Dylan's classic  hippie motto.  A Bohemian finds romance in the notion
that "his clothes are dirty but his hands are clean."  But there's
danger in setting aside the strictures of the law to linchpin one's
honor on one's personal integrity.   If you throw away the rulebook to
rely on your individual conscience you will be put in the way of
temptation.

And temptation is a burden.  It hurts.  It is grotesquely easy to
justify, to rationalize,  an action of which one should properly be
ashamed.  In investigating the milieu of computer-crime I have come
into contact with a world of temptation formerly closed to me.
Nowadays, it would take no great effort on my part to break into
computers, to steal long-distance telephone service, to ingratiate
myself with people who would merrily supply me with huge amounts of
illicitly copied software.  I could even build pipe-bombs.  I haven't
done these things, and disapprove of them; in fact, having come to
know these practices better than I cared to, I feel sincere revulsion
for them now.  But this knowledge is a kind of power, and power is
tempting.   Journalistic objectivity, or the urge to play with ideas,
cannot entirely protect you.  Temptation clings to the mind like a
series of small but nagging weights.  Carrying these weights may make
you stronger.  Or they may drag you down.

"His clothes are dirty but his hands are clean."  It's a fine ideal,
when you can live up to it.  Like a lot of Bohemians, I've gazed with
a fine disdain on certain people in power whose clothes were clean but
their hands conspicuously dirty.   But I've also met a few people
eager to pat me on the back, whose clothes were dirty and their hands
as well.   They're not pleasant company.

Somehow one must draw a line.  I'm not very good at drawing lines.
When other people have drawn me a line, I've generally been quite
anxious to have a good long contemplative look at the other side.   I
don't feel much confidence in my ability to draw these lines.   But I
feel that I should.  The world won't wait.   It only took a few guys
with poolcues and switchblades to turn Woodstock Nation into
Altamont.   Haight-Ashbury was once full of people who could trust
anyone they'd smoked grass with and love anyone they'd dropped acid
with -- for about six months.   Soon the place was aswarm with
speed-freaks and junkies, and heaven help us if they didn't look just
like the love-bead dudes from the League of Spiritual Discovery.
Corruption exists, temptation exists.   Some people fall.  And the
temptation is there for all of us, all the time.

I've come to draw a line at money.   It's not a good line, but it's
something.   There are certain activities that are unorthodox,
dubious, illegal or quasi-legal, but they might perhaps be justified
by an honest person with unconventional standards.   But in my
opinion, when you're making a  commercial living from breaking the
law, you're beyond the pale.  I find it hard to accept your
countercultural sincerity when you're grinning and pocketing the cash,
compadre.

I can understand a kid swiping phone service when he's broke,
powerless, and dying to explore the new world of the networks.   I
don't approve of this,  but I can understand it.  I scorn to do this
myself, and I never have;  but I don't find it so heinous that it
deserves pitiless repression.   But if you're stealing phone service
and selling it -- if you've made yourself a miniature phone company
and you're pimping off the energy of others just to line your own
pockets -- you're a thief.   When the heat comes to put you away,
don't come crying "brother" to me.

If you're creating software and giving it away, you're a fine human
being.   If  you're writing software and letting other people  copy it
and try it out as shareware, I appreciate your sense of trust, and if
I like your work, I'll pay you.  If you're copying other people's
software and giving it away, you're damaging other people's interests,
and should be ashamed, even if you're posing as a glamorous
info-liberating subversive.  But if you're copying other people's
software and selling it, you're a crook and I despise you.

Writing and spreading viruses is a vile, hurtful, and shameful
activity that I unreservedly condemn.

There's something wrong with the Information Society.  There's
something wrong with the idea that "information" is a commodity like a
desk or a chair.  There's something wrong with patenting software
algorithms.  There's something direly mean-spirited and ungenerous
about inventing a language and then renting it out to other people to
speak.  There's something unprecedented and sinister in this process
of creeping commodification of data and knowledge.  A computer is
something too close to the human brain for me to rest entirely content
with someone patenting or copyrighting the process of its thought.
There's something sick and unworkable about an economic system which
has already spewed forth such a vast black market.  I don't think
democracy will thrive in a milieu where vast empires of data are
encrypted, restricted, proprietary, confidential, top secret, and
sensitive.  I fear for the stability of a society that builds
sandcastles out of databits and tries to stop a real-world tide with
royal commands.

Whole societies can fall.  In Eastern Europe we have seen whole
nations collapse in a slough of corruption.  In pursuit of their
unworkable economic doctrine, the Marxists doubled and redoubled their
efforts at social control, while losing all sight of the values that
make life worth living.   At last the entire power structure was so
discredited that the last remaining shred of moral integrity could
only be found in Bohemia:  in dissidents and dramatists and their
illegal samizdat underground fanzines.  Their clothes were dirty but
their hands were clean.   The only agitprop poster Vaclav Havel needed
was a sign saying *Vaclav Havel Guarantees Free Elections.*    He'd
never held power, but people believed him, and  they believed his
Velvet Revolution friends.

I wish there were people in the Computer Revolution who could inspire,
and deserved to inspire, that level of trust.   I wish there were
people in the Electronic Frontier whose moral integrity unquestionably
matched the unleashed power of those digital machines.  A society is
in dire straits when it puts its Bohemia in power.  I tremble for my
country when I contemplate this prospect.  And yet it's possible.  If
dire straits come, it can even be the last best hope.

The issues that enmeshed me in 1990 are not going to go away.   I
became involved as a writer and journalist, because I felt it was
right.  Having made that decision, I intend to stand by my commitment.
I expect to stay involved  in these issues, in this debate, for the
rest of my life.   These are timeless issues:  civil rights,
knowledge, power, freedom and privacy, the necessary steps that a
civilized society must take to protect itself from criminals.  There
is no finality in politics; it creates itself anew, it must be dealt
with every day.

The future is a dark road and our speed is headlong.   I didn't ask
for power or responsibility.   I'm a science fiction writer, I only
wanted to play with Big Ideas in my cheerfully lunatic sandbox.   What
little benefit I myself can contribute to society would likely be best
employed in writing better SF novels.  I intend to write those better
novels, if I can.  But in the meantime I seem to have accumulated a
few odd shreds of influence.  It's a very minor kind of power, and
doubtless more than I deserve; but power without responsibility is a
monstrous thing.

In writing HACKER CRACKDOWN, I tried to describe the truth as other
people saw it.   I see it too, with my own eyes, but I can't yet
pretend to understand what I'm seeing.  The best I can do, it seems to
me, is to try to approach the situation as an open-minded person of
goodwill.  I therefore offer the following final set of principles,
which I hope will guide me in the days to come.

I'll listen to anybody, and I'll try to imagine myself in their
situation.

I'll assume goodwill on the part of others until they fully earn my
distrust.

I won't cherish grudges.  I'll forgive those who change their minds
and actions, just as I reserve the right to change my own mind and
actions.

I'll look hard for the disadvantages to others, in the things that
give me advantage.   I won't assume that the way I live today is the
natural order of the universe, just because I happen to be benefiting
from it at the moment.

And while I don't plan to give up making money from my  ethically
dubious cyberpunk activities, I hope to temper my impropriety  by
giving more work away for no money at all.

------------------------------

Date: Tue, 29 Sep 1992 20:14:02 EDT
From: [email protected]
Subject: File 2--NEW WINDO BILL (HR 5983)

From--James Love <[email protected]>
         Taxpayer Assets Project

Re--HR 5983, legislation to provide online access to
         federal information
         (Successor to Gateway/WINDO bills)

Date--September 23, 1992, Washington, DC.

    On Wednesday, September 23, the House Administration Committee
unanimously approved H.R. 5983, the "Government Printing Office (GPO)
Electronic Information Access Enhancement Act of 1992."  The bill,
which had been introduced the day before, was cosponsored by committee
chairman Charlie Rose (D-NC), ranking minority member William Thomas
(R-CA) and Pat Roberts (R-KA).  The measure was a watered down version
of the GPO Gateway/WINDO bills (S. 2813, HR 2772), which would provide
one-stop-shopping online access to hundreds of federal information
systems and databases.

    The new bill was the product of negotiations between
Representative Rose and the republican members of the House
Administration Committee, who had opposed the broader scope of the
Gateway/WINDO bills.  Early responses to the new bill are mixed.
Supporters of the Gateway/WINDO bill were disappointed by the narrower
scope of the bill, but pleased that the legislation retained the
Gateway/WINDO policies on pricing of the service (free use by
depository libraries, prices equal to the incremental cost of
dissemination for everyone else).  On balance, however, the new bill
would substantially broaden public access to federal information
systems and databases, when compared to the status quo.

    WHAT HR 5983 DOES

The bill would require the Government Printing Office (GPO) to
provide public online access to:

    -    the Federal Register
    -    the Congressional Record
    -    an electronic directory of Federal public information
         stored electronically,
    -    other appropriate publications distributed by the
              Superintendent of Documents, and
    -    information under the control of other federal
              departments or agencies, when requested by the
              department or agency.

The Superintendent of Documents is also required to undertake a
feasibility study of further enhancing public access to federal
electronic information, including assessments of the feasibility of:

    -    public access to existing federal information systems,
    -    the use of computer networks such as the Internet and
         NREN, and
    -    the development (with NIST and other agencies) of
         compatible standards for disseminating electronic
         information.

There will also be studies of the costs, cost savings, and
utility of the online systems that are developed, including an
independent study of GPO's services by GAO.


    WHAT HR 5983 DOESN'T DO

The new bill discarded the names WINDO or Gateway without a
replacement.  The new system is simply called "the system," a
seemingly minor change, but one designed to give the service a
lower profile.

A number of other features of the Gateway/WINDO legislation were
also lost.

-    While both S. 2813 and HR 2772 would have required GPO to
    provide online access through the Internet, the new bill
    only requires that GPO study the issue of Internet access.

-    The Gateway/WINDO bills would have given GPO broad authority
    to publish federal information online, but the new bill
    would restrict such authority to documents published by the
    Superintendent of Documents (a small subset of federal
    information stored electronically), or situations where the
    agency itself asked GPO to disseminate information stored in
    electronic formats.  This change gives agencies more
    discretion in deciding whether or not to allow GPO to
    provide online access to their databases, including those
    cases where agencies want to maintain control over databases
    for financial reasons (to make money off the data).

-    The republican minority insisted on removing language that
    would have explicitly allowed GPO to reimburse agencies for
    their costs in providing public access.  This is a
    potentially important issue, since many federal agencies
    will not work with GPO to provide public access to their own
    information systems, unless they are reimbursed for costs
    that they incur.  Thus, a major incentive for federal
    agencies was eliminated.

-    S. 2813 and HR 2772 would have required GPO to publish an
    annual report on the operation of  the Gateway/WINDO and
    accept and consider *annual* comments from users on a wide
    range of issues.  The new bill only makes a general
    requirement that GPO "consult" with users and data vendors.
    The annual notice requirement that was eliminated was
    designed to give citizens more say in how the service
    evolves, by creating a dynamic public record of citizen
    views on topics such as the product line, prices, standards
    and the quality of the service.  Given the poor record of
    many federal agencies in addressing user concerns, this is
    an important omission.

-    S. 2813 would have provided startup funding of $3 million in
    fy 92 and $10 million in fy 93.  The new bill doesn't
    include any appropriation at all, causing some observers to
    wonder how GPO will be able to develop the online
    Congressional Record, Federal Register, and directory of
    databases, as required by the bill.


    WHAT HAPPENED?

The bill which emerged from Committee on Wednesday substantially
reflected the viewpoints of the republicans on the House
Administration Committee.  The republican staffers who negotiated
the new bill worked closely with lobbyists for the Industry
Information Association (IIA), a trade group which represents
commercial data vendors, and who opposed the broader
dissemination mandates of the Gateway/WINDO bills.

Why did WINDO sponsor Charlie Rose, who is Chair of the House
Administration Committee, give up so much in the new bill?
Because Congress is about to adjourn, and it is difficult to pass
any controversial legislation at the end of a Congressional
session.  The failure to schedule earlier hearings or markups on
the WINDO legislation (due largely to bitter partisan battles
over the House bank and post office, October Surprise and
campaign financing reform) gave the republican minority on the
committee enormous clout, since they could (and did) threaten to
kill the bill.

Rose deserves credit, however, for being the first member of
congress to give the issue of citizen online access to federal
information systems and databases such high prominence, and his
promise to revisit the question next session is very encouraging.


    PROSPECTS FOR PASSAGE

The new bill has a long way to go.  It must be scheduled for a
floor vote in the House and a vote in the Senate.  The last step
will likely be the most difficult.  In the last few weeks of a
Congressional session, any member of the Senate can put a "hold"
on the bill, preventing it from receiving Senate approval this
year, thus killing the bill until next legislative session.  OMB
and the republican minority on the House Administration Committee
have both signed off on the bill, but commercial data vendors
would still like to kill the bill.  There's a catch, however.

Rose's staff has reportedly told the Information Industry
Association (IIA) that if it kills HR 5983, it will see an even
bolder bill next year.  Since IIA was an active participant in
the negotiations over the compromise bill, any effort to kill the
bill will likely antagonize Rose.  Of course, some observers
think that an individual firm, such as Congressional Quarterly,
may try to kill the bill.  Only time will tell.


    IS THE GLASS HALF EMPTY OR HALF FULL?

Despite the many changes that have weakened the bill, HR 5983 is
still an important step forward for those who want to broaden
public access to federal information systems and databases.  Not
only does the bill require GPO to create three important online
services (the directory, the Congressional Record and the Federal
Register), but it creates a vehicle that can do much more.
Moreover, HR 5983 would provide free online access for 1,400
federal depository libraries, and limit prices for everyone else
to the incremental cost of dissemination.  These pricing rules
are far superior to those used by NTIS, or line agencies like
NLM, who earn substantial profits on the sale of electronic
products and services.

    WHAT YOU CAN DO

Urge your Senators and Representatives to support passage of HR
5983, quickly, before Congress adjourns in October.  All members
of Congress can be reached by telephone at 202/224-3121, or by
mail at the following addresses:

    Senator John Smith            Representative Susan Smith
    US Senate                     US House of Representatives
    Washington, DC  20510         Washington, DC  21515


The most important persons to contact are your own delegation, as
well as Senators George Mitchell (D-ME) and Bob Dole (R-KA).

For more information, contact the American Library Association at
202/547-4440 or the Taxpayer Assets Project at 215-658-0880.  For a
copy of HR 5983 or the original Gateway/WINDO bills, send an email
message to [email protected].

------------------------------

Date: Sun, 30 Aug 92 05:19:34 EDT
From: [email protected]
Subject: File 3--"In House Hackers" (Excerpts from the WSJ)

Although cyber-surfing computer explorers receive the bulk of media
attention, there is little evidence that they comprise the greatest
danger to corporate computers or other resources.  Confirming what
some observers have been saying for years, the Wall Street Journal
recently reported on the dangers of in-house hackers to corporate
computer security.

    Summary of: "In House Hackers"
    From: THE WALL STREET JOURNAL (Thursday, Aug. 27, 1992)

    At its London office, American Telephone and Telegraph Co. says
    three technicians used a computer to funnel company funds into
    their own pockets.  At General Dynamics Corp.'s space division in
    San Diego, an employee plotted to sabotage the company by wiping
    out a computer program used to build missiles.  And at Charles
    Schwab & Co. headquarters in San Francisco, some employees used
    the stock brokerage firm's computer system to buy and sell
    cocaine.

    As these examples suggest, employees are finding increasingly
    ingenious ways to misuse their companies' computer systems.
    Although publicity about computer wrongdoing has often focused on
    outside hackers gaining entry to systems to wreak havoc, insiders
    are proving far more adept at creating computer mayhem.

    Workers may use company computer systems to line their own
    pockets, to seek revenge because they didn't get a promotion or
    because of other perceived slights.  Whatever the motive,
    high-tech misdeeds are creating significant problems for
    companies large and small.

    MEANS AND MOTIVE

    Although figures for damages from computer abuse are scarce, some
    companies report internal frauds involving losses of more than $1
    million.  Even more costly are losses from disrupted operations
    or from repairing the damage.

    "Employees are the ones with the skill, the knowledge and the
    access to do bad things," says Donn Parker, an expert on computer
    security at SRI International, Menlo Park, Calif.  "They're the
    ones, for example, who can most easily plant a which can crash
    your entire computer system."  Most companies quietly fire the
    culprits without publicity, Mr. Parker adds.  Dishonest or
    disgruntled employees pose "a far greater problem than most
    people realize."

The story reports interviews with various security experts who agree
that the increase of computer use also creates risks of unauthorized
computer access and tampering within a company.  According to the
story, laptops cause special concern because of their flexibility and
power, which make it easier for employees to steal trade secrets.
Companies are beginning to recognize the need to develop increased
security measures to protect themselves from INTERNAL security
breaches. These include closer monitoring of who has access to
systems, encryption of sensitive files, and more carefully protecting
systems against unauthorized company users.

The story summarizes the AT&T trojan in England last year, in which
three AT&T technicians were charged with unauthorized modification of
computers and conspiracy to defraud. Although the case was later
dropped because of legal technicalities, it underscores the dangers of
the potential for in-house crime.

The story summarizes the case of Michael Lauffenburger, a 31-year-old
General Dynamics programmer in California, who was indicted in federal
court for trying to destroy parts of a computer program, quit the
company, and then get rehired as a well-paid consultant to rebuild the
program:

    The plot, the indictment alleges, went like this: In March last
    year, Mr. Lauffenburger created a second computer program, this
    one a logic bomb called "Cleanup."  It would totally erase the
    original parts program starting at 6 p.m. May 24, the beginning
    of the Memorial Day weekend, when few would be around to notice.
    When the bomb went off, Mr. Lauffenburger wouldn't be around
    either;  he quit March 29.

Lauffenburger pleaded guilty to computer tampering in early 1992 and
was fined $5,000 and required to perform community service.

The story lists another company, Pinkerton Security and
Investigation Services, that was victimized by an employee.  Tammy
Juse, 48, used the name "Tammy Gonzalez" to obtain a position in the
accounting department in 1988.  She accessed Pinkerton accounts at
Security Pacific National Bank, and was discovered in 1990 to be
embezzling from the accounts. She was sentenced to 27 months in prison
for embezzling over $1 from the company:

    Normally, a reconciliation of accounts would have caught the
    discrepancies.  But Ms. Gonzalez was also supposed to do the
    reconciling, and somehow she didn't get around to it.  At one
    point, it was nearly two years behind.

The story lists the usual dangers of security lapses in companies,
including password problems, open computers, and other "people
problems" that leave systems vulnerable.  It also identifies illegal
uses of company computers as a potential problem:

    Sometimes it is the very advantages of computers, including speed
    and convenience of communication, that make them tempting tools
    of abuses.  Late last year, officials at Charles Schwab got a
    tip that a cocaine ring was flourishing among its headquarters
    employees in San Francisco.  Hal Lipset, a private investigator
    hired by Schwab, soon discovered that sales were being arranged
    over Schwab's computer communications system.

    Schwab officials secretly began monitoring the messages and
    copying them for evidence.  Two employees who allegedly were
    selling drugs masked their messages by seeming to talk of tickets
    to sports events or about a game of pool called eightball.  But
    according to one investigator, a "ticket" represented a half gram
    of cocaine for $40, and "eightball" represented 3 grams for about
    $280.
                    ..............
    An undercover man working for Mr. Lipset, in cooperation with San
    Francisco police, began buying cocaine to gather more evidence.
    In April, the police arrested two back-office workers at Schwab
    for drug dealing.  Both pleaded guilty.  Schwab has fired them as
    well as two others allegedly in the drug ring.


The WSJ story nicely details the threats to security from those within
the company entrusted to use and maintain them.  Most "hackers"
operating from the outside agree that poor security rather than
external explorers is the greatest threat to company systems.  It is
refreshing to see the media recognize that the greatest potential for
abuse comes from inside, and that the costs of computer crime are
overwhelmingly created not by curious teenagers, but by predators who
betray an employee's trust.

------------------------------

Date: 27 Sep 92 22:59:05 EDT
From: Gordon Meyer <[email protected]>
Subject: File 4--Software Piracy: A Felony?

Washington is currently considering a bill, S.893, which would expand
felony provisions to all copyrighted materials, including computer
software.  The bill provides for felony convictions punishable by up
to $250,000 in fines and two years in prison for willfully infringing
on software copyrights in amounts exceeding retail amounts of $5,000.

The bill is currently under consideration by the House Intellectual
Property and Judicial Administration Subcommittee, chaired by Rep.
William Hughes.  For more details see 'A Felonious Crime', Amy
Cortese, INFORMATION WEEK, Sept 14, 1992, p14.

VIRUS SPREAD LESS THAN EXPECTED

A report released by IBM's High Integrity Computing Laboratory says
that computer viruses are spreading slower than expected because
assumptions made in earlier estimates haven't held true.  Virus
epidemics were predicted based on a "homogeneous mixing" theory
modeled after the way diseases spread in humans.  It turns out that
despite all the computer networks, most viruses are spread via shared
diskettes, which limits each computer's risk of exposure.  (As
reported in INFORMATION WEEK, Sept 14, 1992, p16)

------------------------------

Date: 27 Sep 92 23:20:17 EDT
From: Gordon Meyer <[email protected]>
Subject: File 5--Hacker hits Cincinnati Phones

HACKER HITS CINCINNATI PHONES

A computer hacker apparently in the New York area broke the code into
one of the Cincinnati, Ohio, phone trunk lines, building up a $65,000
phone bill.  Cincinnati city officials say the unknown invader racked
up the charges last winter and spring by placing calls around the
world.

David Chapman, the city's assistant superintendent for
telecommunications, said that investigators think the tap originated
in the New York-New Jersey area, but they have no suspects and the
investigation is considered closed.

Chapman added, "Apparently these people were pretty darn slick, but
talking to the Secret Service, we were small potatoes. I understand
there have been some major companies hit." (reprinted from STReport
#8.38 with permission)

COMPUTER EXECS ENDORSE CLINTON FOR PRESIDENT

Thirty executives at a number of high-tech Silicon Valley firms
--including Apple Computer, Hewlett Packard, National Semiconductor,
Oracle Systems and Link Technologies -- have endorsed Democrat Bill
Clinton in his bid for the White House.

"Many of us here are actually not Democrats but Republicans," said
Apple CEO John Sculley. Sculley added the group believes Clinton can
put the country "back in the forefront of leading the world again."

Oracle Systems CEO Lawrence Ellison said that the Democrat's economic
plan is "why I am departing this year from my life-long support of the
Republican Party to endorse the Clinton-Gore ticket."

Besides Sculley and Ellison, those endorsing Clinton include HP
President/CEO John Young, as well as Gil Amelio, CEO of National
Semiconductor; Dave Barram, vice president of Apple Computers; Gerry
Beemiller, CEO of Infant Advantage; Chuck Boesenberg, CEO of Central
Point Software; Dick Brass, president of Oracle Data Publishing; Chuck
Comiso, president of Link Technologies.

Also: Gloria Rose Ott, president of GO Strategies; Ed McCracken, CEO
of Silicon Graphics; Regis McKenna, chairman of Regis McKenna; Bill
Miller, former CEO of SRI International; Sandy Robertson, general
partner of Robertson, Colman and Stephens.  (Reprinted from STReport
#8.38 with permission)

------------------------------

End of Computer Underground Digest #4.47
************************************