Computer underground Digest    Sun  Aug 1 1993   Volume 5 : Issue 57
                          ISSN  1004-042X

      Editors: Jim Thomas and Gordon Meyer ([email protected])
      Archivist: Brendan Kehoe
      Shadow-Archivists: Dan Carosone / Paul Southworth
                         Ralph Sims / Jyrki Kuoppala
                         Ian Dickinson
      Coop Eitidor: Etaoin Shrdlu, Senior

CONTENTS, #5.57 (Aug 1 1993)
File 1--Re: Hacker sentencing
File 2--Criminal Records Subject to Abuse
File 3--UPDATE: Ideas-Exchange listserv/ Legis Data Programmers
File 4--Observations from a "non-cyberhead"
File 5--Response to "Observations from a 'non-cyberhead'"
File 6--Response to Rep. Markey's Letter

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically from [email protected]. The
editors may be contacted by voice (815-753-6430), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on the PC-EXEC BBS at (414) 789-4210; and on: Rune Stone BBS (IIRG
WHQ) (203) 832-8441 NUP:Conspiracy; RIPCO BBS (312) 528-5020
CuD is also available via Fidonet File Request from 1:11/70; unlisted
nodes and points welcome.
EUROPE:   from the ComNet in LUXEMBOURG BBS (++352) 466893;
         In ITALY: Bits against the Empire BBS: +39-461-980493

ANONYMOUS FTP SITES:
 UNITED STATES:  ftp.eff.org (192.88.144.4) in /pub/cud
                 uglymouse.css.itd.umich.edu (141.211.182.53) in /pub/CuD/cud
                 halcyon.com (202.135.191.2) in /pub/mirror/cud
                 aql.gatech.edu (128.61.10.53) in /pub/eff/cud
 AUSTRALIA:      ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD.
 EUROPE:         nic.funet.fi in pub/doc/cud. (Finland)
                 ftp.warwick.ac.uk in pub/cud (United Kingdom)

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
           the views of the moderators. Digest contributors assume all
           responsibility for ensuring that articles submitted do not
           violate copyright protections.

----------------------------------------------------------------------

Date:    Fri, 30 Jul 1993 13:41:55 -0700
From: [email protected](John F. McMullen)
Subject: File 1--Re: Hacker sentencing

The following appeared on Newsbytes, a commercial copyrighted
international news service on July 29th. It is reposted here with the
express consent of the author (This notice must accompany any subsequent
re-postings which I am authorizing here)

========================================================================
(EDITORIAL) (GOVERN) (NYC)
Reflections On Hacker Sentencing 07/29/93
NEW YORK, NEW YORK, U.S.A.(NB) 072993 --  I sat in federal court
this week and watched two young men be sentenced to prison. It was not a
pleasant experience.

The young men, Elias Ladopoulos, known in the hacker world as "Acid
Phreak", and Paul Stira, a/k/a "Scorpion", were each sentenced to six
months imprisonment, six months home detention, seven hundred fifty
hours of community service, and $50 assessment charge for conspiracy to
commit computer crimes. Both had pled guilty on March 17th on this
charge so there was not a question of guilt or innocence.

The six months imprisonment also does not seem draconian -- six months
doesn't seem very long unless you happen to be the one serving it. Time is
extremely relative as I found out when I spent five years at Fort Sill,
Oklahoma between January 1963 and April 1963. It is safe to say that these
young men will find the six months loss of freedom to be a very long
period.

The penalty, however, may be reasonable. It is certainly well within the
sentencing guidelines for the infraction (The maximum sentence quoted for
the crime pled to is five years in prison and a $250,000 fine).

If I think that the sentencing may be just, or at least defensible, then
what is the problem? Well, first, I have known the young men for over
three years and like them both. I would have preferred that they not go to
prison. I also personally feel that Stira never should have been a part of
the indictment; a view shared by some law enforcement folks that I have
spoken to (he is only mentioned in the papers twice and any illegal
activities seemingly stopped in January 1990; the activities enumerated
involved possession of a "trap door" program and a list of user passwords to
systems).

I recognize that is a personal feeling and that all people want their
friends not to bear hardship. Some place Ted Bundy probably had a friend
who wanted him loose and running around.

Another problem relates to the procedures that got the defendants to the
sentence. Stira and Ladopoulos (along with Mark Abene a/k/a "Phiber Optik")
were the subjects of a search and seizure by Secret Service agents in
January 1990. Stira and Ladopoulos' fate then languished until July 1992
when they were indicted along with Abene and two new players, John Lee
a/k/a "Corrupt" and Julio Fernandez a/k/a "Outlaw", on conspiracy to
commit computer crimes.

During the over three years that have gone by, Stira and Ladopoulos have
undergone changes. They are both college students -- Stira would have
graduated had his college not pulled his computer account when he pled
guilty; an action which prevented him from completing his last course
requirement.

Both have performed community service through contacts provided by
Robert Ambrose, a director of the New York Amateur Computer Club
(NYACC). Ladopoulos is employed by a major New York broadcasting
company and has impressed his employer to the extent that the employer
wrote a letter to the judge, asking for leniency, and came to the sentencing.

Ladopoulos' attorney, Scott Tulman, speaking at the hearing, said "He goes
to school, works and donates time to working with the handicapped,
teaching them to use computers. He acknowledges his culpability and has
been attempting to atone for it. His probation officer noted his sincere
efforts to rehabilitate himself. The stupid young person, 'Acid Phreak',
who was involved with other person's computers no longer exists. It is
Elias Ladopoulos who will be sentenced and that will cause a hardship to
his family."

There are those who may say "It doesn't matter how long ago they did
something wrong. They did it and they have to pay the piper." They may
well be right in some cases but these are not past serial killers; they
are two young men who have been under tremendous pressure for a
substantial part of their lives (3 years out of 21 is significant) since
the indictment.  Perhaps that should have been considered sufficient
punishment.

There is, further, an overriding problem. From day 1 of the case, the
judge, Richard Owen, showed a complete lack of understanding of the
technology related to the case. At the initial scheduling meeting, then-
Assistant US Attorney Steve Fishbein pointed out that the discovery
process might take a long time as the government had intercepted over "50
megabytes" of electronic evidence. The judge asked what a megabyte was
and, when told it was a million characters, seemed to look rather panicked
when he said "You're not going to show all that to a jury are you?"
Fishbein assured him that he would not.

It seemed obvious to those of us in attendance that Judge Owen had visions
of 50 million pieces of paper being delivered to a jury. He was
understandably concerned.

That was only day one and a federal judge may not be computer literate at
the start of such a case. That would certainly be a lot to expect. One
might expect, however, that, a year later, at the conclusion of the case,
knowledge would have been acquired. Sadly, that did not seem to be the
case.

One of the charges made against Stira and Ladopoulos (and Abene) was
that they both pulled a prank and caused damage to a computer system
belonging to WNET, the PBS television channel in New York. While Stira and
Ladopoulos admitted being on the system, both deny causing any damage
(it is a common belief that another hacker, known for malicious actions,
left unindicted by the federal government because of his age, knowingly
committed the damage). A major part of the sentencing dialogue between
Ladopoulos and Judge Owen had to do with this incident. Newsbytes
reported it this way:

"In response to questions from Judge Owen concerning his involvement with
the damage to the WNET system, Ladopoulos said 'Another hacker whose name
I have already provided to the government was the one who took the system
down. When I saw the problem, I called the station and left my own phone
number and offered to help. If I had caused the damage, I would not have
done that. The person who caused the damage is a very deranged person.'

"Owen said that he could not believe that it was merely a coincidence that
the damage was done to the WNET system in the same time frame that
Ladopoulos was on the system. Ladopoulos replied by saying that the
system log showed that he was off the system when the damage occurred. A
discussion followed on the entire incident."

The discussion actually had knowledgeable persons in the court room
shaking their heads. The judge didn't understand. He said that there was
too much work for this mysterious hacker to have done to copy messages
from Ladopoulos, add destructive material to it and shut down the system
all on the same day -- just too much typing. Ladopoulos tried to explain
about capture routines, editors, etc. and then, seeming to realize the
futility of it, just gave up.

Speaking later to Newsbytes about the experience, Ladopoulos said "It was
terribly frustrating. The judge just didn't understand about WNET. I tried
to explain that I did not damage the system but he didn't understand."

Now it certainly is not clear that the judge based his sentencing on the
WNET episode. He may not have -- at John Lee's sentencing, the same
judge mentioned that evidence showed that Lee had insulted someone's
mother on the net. One suspects and hopes that this social transgression
played no part in Lee's year-and-a-day sentence; there were, after all,
substantive charges against Lee.

We will never know whether or how much this misunderstanding influenced
the sentence -- and it is a light sentence under the guidelines. So,
perhaps, no harm was done.

No harm? Not quite! At a minimum, the dialogue shook the confidence of
everyone in the room about the sentence. Perhaps the prosecution was
satisfied because the defendants were being punished for their illegal
acts -- perhaps the defense took it in stride because of the relative
lightness of the sentence -- perhaps it was a good sentence. However, any
one with an understanding of computers and telecommunications had to feel
that the judge had no grasp of these issues.

So what happens next? Organizations like the Electronic Frontier
Foundation (EFF), the Society for Electronic Access (SEA), and Computer
Professionals for Social Responsibility (CPSR) are trying to close the
knowledge gap between public officials and technologists. Congress is
holding hearings on technology issues. There is recognition at the
national level on the importance of understanding the changes that the
telecommunications revolution has brought.

Progress may be made. I hope so. Can you imagine if it were your case --
or that of a member of your family being sentenced? Scary, isn't it?

(John F. McMullen/19930729)


John F. McMullen           [email protected]    Consultant,
[email protected]        [email protected]            Writer,
[email protected]   [email protected]                 Student,
GEnie - nb.nyc             [email protected]                     Teacher

------------------------------

Date: Thu, 29 Jul 93 21:21:45 EDT
From: [email protected]
Subject: File 2--Criminal Records Subject to Abuse

I thought that this might interest you and other CuD readers.

Philadelphia Inquirer - 07/29/93

CRIMINAL RECORDS ARE VULNERABLE TO ABUSE, CONGRESS IS WARNED

Sometimes the information is for sale, the GAO said.  It called for
greater security.

By Lawrence L. Knutson
ASSOCIATED PRESS

WASHINGTON -- In Arizona, a former police officer gained access to
print-outs from the FBI's National Crime Information Center, tracked
down his estranged girlfriend and murdered her.

In Pennsylvania, a computer operator used the system to conduct
background searches for her drug-dealer boyfriend, who wanted to learn
if new clients were undercover agents.

In Colorado, Connecticut, Florida, Maryland and other states, private
investigators bought data from insiders with authorized access to the
criminal-record system.

These examples were presented to the House Judiciary and Government
Operations Committees yesterday by the General Accounting Office,
which concluded that the criminal-records system is vulnerable to
widespread misuse.

The GAO recommended that Congress enact legislation with "strong
criminal sanctions" barring the misuse of the criminal record files
and that the FBI encourage state users to enhance security.

Laurie E. Ekstrand, the GAO's associate director for administration of
justice issues, said that while the FBI and the states do not keep
adequate records, "we did obtain sufficient examples of misuse to
indicate that such misuse occurred throughout the system."

"Furthermore, all the reported misuse incidents involve insiders,
while none involved outside [computer] hackers," she said.

"It appears that there are employers, insurers, lawyers or
investigators who are willing to pay for illegal access to personal
information, and there are insiders who are willing to supply the
data," said Rep. Gary Condit (D., Calif.) summing up the GAO's
findings.

The National Crime Information Center, with 24 million records, is the
nation's largest computerized criminal justice information system.
Its 14 separate files contain an extensive range of data, including
information about fugitives, stolen vehicles and missing persons.

The largest single file, known as "the III file" gives users access to
17 million criminal-history information records maintained in separate
state systems.

The GAO said more than 19,000 federal, state and local law enforcement
agencies in the U.S. and Canada, using 97,000 terminals, have direct
access to the system.

The GAO called the Arizona case the most extreme example of misuse it
uncovered.

The agency said investigators learned that the former police officer
was able to locate his estranged girlfriend using data provided from
the national records system by three people working in different law
enforcement agencies.

"After an investigation, the printouts provided by the three
individuals were discovered and they were identified, prosecuted and
convicted," the GAO said.

Other examples provided by the GAO:

   - In Maine, a police officer used the system to conduct a background
     check on one of his wife's employees who was then fired for not
     disclosing his criminal record.

   - In Iowa, a dozen cases of misuse were reported over the last two
     years.  All involved computer operators conducting background
     searches on friends or relatives.

   - In New York state, an employee of a law enforcement agency provided
     criminal history information to be used by a local politician against
     political opponents.

   - In Pennsylvania, a police officer "accessed and widely disseminated"
     a fellow officer's criminal history record.

   - In South Carolina, a law enforcement agency conducted background
     searches on members of the City Council.

------------------------------

Date:   Fri, 30 Jul 1993 16:29:35 -0700
From: Jim Warren <[email protected]>
Subject: File 3--UPDATE: Ideas-Exchange listserv/ Legis Data Programmers

July 30, 1993

On July 22nd, I broadcast details [Update #19] about a number of
sample files of legislative data, in the various forms used internally
by the Legislative Data Center and Office of State Printing, that are
available for anonymous ftp, with which volunteer-programmers could
begin experimenting.

Just before flying off to a tele-community conference in Colorado, Al
Whaley of cpsr.org (one of the volunteers) proposed an online
discussion group to facilitate the shared programming effort -
excellent idea!  I had planned on broadcasting this message before
now, but was first distracted by the conference, then came home with
a massive head code.  Blushing apologies!

LEGISLATIVE-DATA PROGRAMMERS' INFORMATION EXCHANGE
This list is intended only for those who are developing software to
process the state legislative data - display it, print it, index it,
etc. Anyone, including non-subscribers, can send to this list.
Neither subscribers nor submissions are moderated.  Subscribers'
identities are not currently concealed, but can be after subscribing.

TO SUBSCRIBE:
   Send email to  [email protected].
   (The Subject is ignored.)
   The email message should state:
   SUBSCRIBE LDC-SW firstname lastname
   where firstname and lastname are, of course, yours.

FOR HELP:
Send email as above, with the message  HELP

Note:  [email protected]  is equivalent to  [email protected].

SOFTWARE SUCCESSES WOULD BE HELPFUL AT AUGUST 18th HEARING
It would be *great* to flaunt printouts of the sample legislative data
along with a listing of the freeware source-code that created them at the
Aug. 18th Senate Rules Committee.

------------------------------

Date: Tue, 27 Jul 93 06:47:00 EST
From: "Straw, Scott F." <[email protected]>
Subject: File 4--Observations from a "non-cyberhead"

    With reference to the FOIA inquiry and the USSS affidavit
response, what is "the 2600 case?" (CuD 5.52)  Having only subscribed
since issue 5.51, I probably just missed this important filler info.
You might consider the journalistic practice of briefing newcomers to
background material, even if only a sentence.

    With regard to the E-fingerprinting of welfare recipients, and
its potential long range spread to other social service provisions, I
say hear, hear!  Would we hesitate to issue a photo-ID to these
individuals to verify that the intended recipient is actually
receiving the aid?  If not, why not a
fingerprint record?  More unique than a photograph, and infinitely easier to
store electronically (being quasi-two dimensional and devoid of subtle
nuances of character), fingerprinting will allow positive, definitive
identification.  Yes, it will detect and deter "double-dipping" fraud, but it
will also prevent unauthorized procurement/theft as well.

    I would hope that CPSR (Computer Professionals for Social
Responsibility) would reconsider their stance in light of their tenet that
reads:

    "We encourage the use of computer technology to improve the
     quality of life."  - Principle #5, CuD 5.55, File 1 (What is
     CPSR and how can we join?)

    If the social service recipient were, by the use of this
technology to eliminate fraud and theft (and because of the
elimination of these losses) able to receive a higher, more focused
and therefore, enhanced level of service, that could have strong
positive implications on that recipient's quality of life.

    I fail to see this as a "Big Brother" issue.  After all, isn't
the goal of social services in a majority of the cases to provide
assistance temporarily?  Once the assistance is no longer needed, the
recipient is no longer tracked.

------------------------------

((MODERATORS' NOTE: Jim Davis's reply clarifies the relevance of
computer technology as a cyberspace concern. The issues include the
power of technology to invade privacy and the problem of using
technology on groups lacking a strong constituency to protect
themselves. The fingerprinting policy seems to isolate a particular
group for more stringent monitoring. And, the possibility that
discretionary fingerprint IDS might spread to other states is noted by
[email protected](Joseph Christie):

   I noticed the article on fingerprinting public assistance
   recipients in the San Francisco area and just wanted to
   report that Suffolk County, New York is also considering
   setting up a similar system and they are using the
   "phenomenal" savings by the LA system as justification.))

+++++

Date: Wed, 28 Jul 1993 10:47:50 -0700
From: "James I. Davis" <[email protected]>
Subject: File 5--Response to "Observations from a 'non-cyberhead'"

People concerned with privacy have always resisted the idea of a
national ID card, no matter how technically efficient it is. One could
possibly argue that having and requiring a positive ID for all social
transactions wd improve the quality of life, but I "using technology
to eliminate fraud wd result in a higher quality of life" could
include universal activities like shopping (more technology to prevent
shoplifting), recreation (more technology to monitor parks and
streets) or work (more technology to combat employee theft of
employers' supplies, "time", computer resources, etc.) and so on.
People who don't steal and don't defraud might enjoy cheaper goods,
safer streets and parks; and for the employers, higher profits;
everyone else could be put in prison or unemployment lines (a detour
on the way to prison). The question becomes how do we want to balance
the right to privacy and the freedom to go about our lives with a
desire to combat fraud and theft? At what point do we say, "this looks
like the road to a police state"?

As to whether such technology should be used only for poor people, or
only for people who need public assistance, it raises some obvious
problems about singling out a particular section of the population for
"special treatment."

Lest one should say, "well, they're only welfare recipients; what's
that got to do with me" (ignoring for the moment what a brutal and
short-sighted statement that would be), one should keep in mind that
some of the most serious breaches in overall privacy vis-a-vis
computer systems have started with the bogeyman of welfare fraud, and
then extended to more general use after the precedent is set. Jeffrey
Rothfeder, in _Privacy_at_Risk_, describes how federal computer
matching, where agencies go on data-fishing expeditions by matching up
different government databases, was initially considered outside of
what was allowed under the 1974 Privacy Act. Pressure from the
Department of Health, Education and Welfare under the Carter
administration stretched the rules, so to speak, to allow them to hunt
for people "double-dipping." The program was later extended to other
types of matches, including matching IRS returns and Social Security
records. All along, the benefits from these dragnet searches have been
questionable. In 1988, the House Committee on Government Operations
noted that "the cost-effectiveness of computer matching has yet to be
demonstrated." (Rothfeder pp 140 - 146) "Cost-effectiveness" of course
does not include the additional cost of the loss of privacy such
searches imply.

------------------------------

Date: Mon, 26 Jul 1993 19:21:33
From: CuD Moderators <[email protected]>
Subject: Representative Markey's Letter in re AIS BBS

((MODERATORS' NOTE: Like the flooding Mississippi, the AIS BBS
incident just keeps over-flowing the levees and spreading beyond
reasonable boundaries.  CuD readers will recall that AIS ("Automated
Information Systems," a BBS operated by the Treasury Department's
Bureau of Public Debt) was the target of an "anonymous" posting in
RISKS Digest.  The poster objected particularly to the availability of
virus source code on the board. The post was routed to government
officials (see Crypt Newsletter #16 for details) and the offending
files, along with "underground" text files--including CuD--were
removed from the board.  Perhaps, thanks to media hyperbole, CuDs are
perceived as nearly as dangerous as virus source code.

That should have ended the matter. Sadly, the Washington Post picked
up on the story and printed a slanted, simplistic, and rather
hyperbolic version of events in an account that raises serious
questions of journalistic ethics (see CuD #5.51). Even that should
have ended things. However, Rep. Edward J. Markey (D., Mass), Chair of
the House Committee on Energy and Commerce's Subcommittee on
Telecommunications and Finance, read the Post article and was
sufficiently concerned to write Lloyd Bentsen, Secretary of the
Treasury, demanding to know why AIS made certain types of files
available. Rep. Markey linked the AIS BBS files with other security
issues that the GAO found--even though the other alleged problems were
unrelated to the board.  The impetus for the article, according to
Markey staffer Jeff Duncan, was the Washington Post depiction of
events, and the letter builds on the Post's narrative to substantiate
its own concerns. The letter assumes "guilt" without looking beyond
the media depiction. Sadly, it does not reflect well on the knowledge
of Rep. Markey or his staffers either about the technology or the
broader issues of freedom of information.  We reprint below the
relevant two pages of the four-page letter)).

+++++

                   U.S. House of Representatives
                  Committee on Energy and Commerce
           SUBCOMMITTEE ON TELECOMMUNICATIONS AND FINANCE
                     Washington, DC 20515-6119
                            July 6, 1993

The Honorable Lloyd Bentsen
Secretary
Department of the Treasury
1300 Pennsylvania Ave., N.W.
Washington, D.C. 20220

Dear Mr. Secretary:

I am writing with regard to recent reports about a computer
bulletin board service run under the auspices of the Department's
Bureau of Public Debt in Parkersburg, W.V. The Washington Post
reported on June 19, 1993, that the now-terminated service made
publicly available information about computer viruses and other
"hacker" information that could potentially inflict damage on
computer systems and data.

On June 9, 1993, the Subcommittee held a hearing on data and
network security. Testimony received by the Subcommittee at that
time revealed that the computer hacking and telecommunications
toll fraud problem in the United States is increasing. In
addition, the average computer site will spend more than
$176,000 on computer virus clean-up and the cost of virus damage
to all U.S. computer users has been over a Billion dollars over
the last three years.

While it is true that many such virus programs as well as
hacker and "phone phreak" information is available on other
bulletin board systems, I am troubled that the Treasury
Department would play a role in disseminating such information
publicly, especially in light of the fact that viruses and
toll fraud together are estimated to inflict $4 to $6 Billion in
economic loss annually to U.S. consumers and industry. Such
dissemination goes well beyond any precautionary security measure the
Department might take in testing the integrity of its computer
systems.

Moreover, in a recent report to Congress, the General Accounting
Office (GAO) raised concerns that the Department's Treasury
Automated Auction Processing System (TAAPS) had "skipped certain
system development steps necessary to ensure that the risks
associated with building and operating a system are adequately
controlled" and may not achieve anticipated benefits such as
reducing auction processing time.  Specifically, the GAO
raised concerns about the fact that neither the Department nor
the Federal Reserve Bank of New York (FRBNY) -- which serves as
Treasury's agent in conducting the auctions -- had performed risk
analysis, documented detailed functional requirements, or tested
the TAAPS system thoroughly. In addition, GAO questioned whether
the system would reduce the time it takes Treasury to process
auctions and announce winners.

Treasury's willingness to disseminate data regarding computer
viruses and other hacker information is particularly troubling in
light of its failure to perform a full risk analysis of its
automated auction system. Any catastrophic failure of this
system, or breach of its security by computer hackers or viruses,
could have a serious adverse effect on the orderly functioning
of the secondary market for Treasury securities.

As the country embarks on plans to upgrade the national
telecommunications infrastructure over the next few years, data
and network security issues will increasingly need to be
addressed. To assist the subcommittee in its ongoing analysis of
these issues and its ongoing oversight and legislative
activities, please respond to the following questions by July 27,
1993:

1. Why was the Department's Automated Information System bulletin
board, where the virus codes were resident, advertised as "open
to the public" and the telephone number for the board made publicly
available through a listing in the Computer Underground Digest?
What was the rationale behind making such potentially harmful
information generally available?

2. Why were "dissected" viruses, which may be easily altered to
produce variations capable of eluding current virus detection
tools, also made publicly available?

3. Why were steps not taken to limit access to the bulletin board
services? For instance, why were steps not taken to limit or
effectively prohibit the ability of individuals to download
information off the bulletin board? Were passwords needed to
access data? If not, why not?

4. GAO reports that neither the Department nor the FRBNY
performed a risk assessment of TAAPS because "they believed the
Federal Reserve telecommunication and computer system selected
for the system is already safe and secure." GAO further reports that
shortly before issuance of its report, the FRBNY provided the GAO with a
"risk assessment" which "did not contain many of the key elements of a
risk assessment such as valuation of
assets, probability of risk occurrence, and annualized loss
expectancy." In addition, the report "did not describe how risks would
be adequately controlled." Please provide responses to the following
questions:

<Eight questions on pages 3 and 4 of letter related to TAAPS deleted>

Thank you in advance for your time and attention in responding to this
request. If you have any questions, please have
your staff contact Jeff Duncan or Colin Crowell of the
Subcommittee staff at 226-2424.

                                Sincerely,


                                Edward J. Markey
                                Chairman

------------------------------

Date: Thu, 21 July 1993 22:51:01 EDT
From: Jim Thomas <[email protected]>
Subject: File 6--Response to Rep. Markey's Letter

18 July, 1993


Representative Edward J. Markey
Chair, Subcommittee on Telecommunications and Finance
Committee on Energy and Commerce
U.S. House of Representatives
2133 Rayburn Building
Washington, DC 10515-2107

Dear Representative Markey:

I am writing in response to your letter of 6 July, 1993 to
Secretary of Treasury Lloyd Bentsen. In that letter, you
expressed concerns about available files on the AIS BBS, a
computer bulletin board run by the Department of Treasury's
Bureau of Public Debt.  I am informed by Jeff Duncan, a staff
contact for questions regarding your letter, that the primary,
indeed the only, basis for your letter was an article authored
by Joel Garreau that appeared in the Washington Post on June 19,
1993.  As we wrote in a recent issue of Cu Digest, the Post
article suffered from hyperbole and misinformation. It also
raised serious issues of journalistic ethics (See CuD 5.51).
Because Computer underground Digest (or CuD, of which I am
co-editor) is named in both the Post article and in your letter,
I feel compelled to clarify several issues.

You pose several questions in your letter. The first, in which
you mentioned Cu Digest, states:

    1. Why was the Department's Automated Information System
    bulletin board, where the virus codes were resident,
    advertised as "open to the public" and the telephone
    number for the board made publicly available through a
    listing in the Computer Underground <sic> Digest?  What was
    the rationale behind making such potentially harmful
    information generally available?

As I am sure you are aware, there are many government BBSes open
to the public that provide access to files.  I myself have used
several that have been invaluable in my work as a criminal
justice professional.  The available resources, in the form of
software programs, text files, press releases, and a broad menu
of other services, vary.  The available information on other
public government boards, which some might argue could help drug
dealers, fraud perpetrators, and others, is by some standards as
"sensitive" as the information to which you allude on the AIS
BBS.  However, if one applies the same standards to these boards
as you would apply to the AIS BBS, questions of propriety of the
accessible information could be raised of all of them.

There is nothing unusual about an open and public BBS being run
by the government. What strikes me as unusual is to single out
one particular BBS and demand a justification for a common
practice.  It should also be noted that at the time we wrote our
story on the AIS BBS (20 August, 1992, CuD #4.37/File 4), we
were impressed with the professionalism and competence with which
the board was run. At the time of our calls, users were required
to sign on, were not given immediate access (as they are to some
government boards, such as the Bureau of Justice Statistics'
BBS), and--contrary to some media reports--real names, not
"handles," were required.

Both the Post article and your letter indicate that AIS BBS
personnel "advertised" the board in CuD, and your letter demands
an explanation.  However, contrary to the report in the
Washington Post and the wording of your letter, AIS BBS
personnel did not make the number available to CuD. Nor did AIS
BBS personnel solicit publicity or advertise that the board was
public.  I came across the BBS through my professional
activities.  Ironically, my initial interest in AIS BBS occurred
because of rumors that it was a U.S. Secret Service "sting"
operation created to identify and apprehend callers.  After
calling the board, I found it potentially helpful in my own
sphere of academia, which includes computer
crime/security/culture, and I requested more information from
AIS BBS personnel. They agreed to a short interview. Had they
not agreed, we still would have run a story.  In fact, had your
staff engaged in minimal research, the answers to the bulk of
the AIS-related questions you pose were published in CuD
#4.37/File 4.

It strikes me as odd that you would demand an accounting from a
government official explaining the motivation and content of a
media story that AIS BBS personnel did not initiate and over
which they had no control.  This poses a chilling effect to free
speech by intimidating the legitimate flow of information and by
implicitly self-censoring journalists and others lest even an
innocent story have repercussions for the subordinates of
government officials who may not like what is written.  An
example of this "chilling effect" in fact occurred with AIS BBS.
Out of apparent fear of repercussions for carrying so-called
"underground" electronic publications, those publications and other
files, most of which were of no value for criminal activity but of
considerable value to computer professionals and scholars, were
removed.  Cu Digest, classified as an "underground" publication
(presumably because of the name), was among them. When removal
of legitimate publications occurs because of subtle
intimidation, valuable sources of information are lost through
informal (albeit "voluntary") censorship.  Both the tone and
content of your letter contribute to this form of censorship.
The stigma attached to certain types of electronic messages,
created by an apparent lack of understanding of their content,
spills over into other forums and shapes policies, public
images, and law in ways that subvert freedom of speech in
electronic media.

Your letter also expresses concern for some of the files,
including virus source code, found on the AIS BBS. There is
considerable room for honest disagreement over the
"dangerousness" of such files.  I tend to find the concern
grossly exaggerated.  Yes, it is always possible for isolated
individuals to abuse information. However, if we are to stifle
the flow of information because of the excesses of the
occasional predator, then we ought also be concerned about
government-funded public libraries, computer science and other
courses in public institutions, and other sources of information
that might be twisted for the perverse ends of a rare
malcontent. There is considerable evidence that users of AIS BBS
found the available files to be significant in enhancing
computer security and performing other computer-related
functions.  To assume that useful information in so-called
"underground" files ought be restricted because some may find
that information objectionable seems a dangerous precedent that
restricts freedom of speech and information flow in electronic
media. The intimidation created by the accusatory nature of your
letter suppresses both information and public dialogue of what
is or is not appropriate by imposing an arbitrary litmus test of
"correctness."

In sum, I am concerned about several issues raised by your
letter.  First, your staff's understanding of AIS BBS and its
files seems partial.  Basing an accusatory letter of inquiry on
an unchecked media source and linking disparate security issues
in the letter raises serious concerns about the credibility of
your staff's competency in matters of computer security and
technology.  Your staff apparently did not do its homework.

Second, your letter seems to close off debate about the role of
the government in information dissemination, rather than invite
rigorous discussion of the issues.  It assumes impropriety
rather than inviting discussion about the role of government BBSes
and the nature of information that ought be made available to
the public.

Finally, your letter suggests that you extend to electronic
media a lower threshold of protection of information
dissemination than hardprint media, such as can be found in
libraries or government documents.  Am I incorrect in inferring
from your letter that you do not extend to "cyberspace" the same
First Amendment and other protections granted print media?

As a taxpayer and as a criminal justice professional, I am
disturbed by the implications of your letter, and especially by
its failure to recognize the technological and social issues it
raises.  In my opinion, by isolating and attacking AIS BBS for
carrying electronic versions of hardprint information available
through other government sources, you seem to be discriminating
against electronic media in general and AIS BBS in particular in
a way that potentially limits Constitutional rights in what is
known as "cyberspace." The underlying concerns you raise in your
letter are legitimate, but the implications of the manner in
which you raise them and the assumptions you appear to make may
have the unanticipated consequence of contributing to dangerous
precedents in the relationship between government control and
freedom of information.


Sincerely,


Jim Thomas, Professor
Sociology/Criminal Justice
Co-editor, Cu Digest
Northern Illinois University
DeKalb, IL 60115
Voice: (815) 756-3839  /  Fax: (815) 753-6302
Internet: [email protected] / [email protected]

------------------------------

End of Computer Underground Digest #5.57
************************************