Computer underground Digest    Thu  Aug 18, 1994   Volume 6 : Issue 74
                          ISSN  1004-042X

      Editors: Jim Thomas and Gordon Meyer ([email protected])
      Archivist: Brendan Kehoe
      Retiring Shadow Archivist: Stanton McCandlish
      Shadow-Archivists: Dan Carosone / Paul Southworth
                         Ralph Sims / Jyrki Kuoppala
                         Ian Dickinson
      Campy Editor:      Shrdlu Etaionsky

CONTENTS, #6.74 (Thu, Aug 18, 1994)


Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send a one-line message:  SUB CUDIGEST  your name
Send it to [email protected] or [email protected]
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE:   from the ComNet in LUXEMBOURG BBS (++352) 466893;
         In ITALY: Bits against the Empire BBS: +39-461-980493
         In BELGIUM: Virtual Access BBS:  +32.69.45.51.77 (ringdown)

 UNITED STATES:  etext.archive.umich.edu (141.211.164.18)  in /pub/CuD/
                 ftp.eff.org (192.88.144.4) in /pub/Publications/CuD
                 aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                 world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                 uceng.uc.edu in /pub/wuarchive/doc/EFF/Publications/CuD/
                 wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
 EUROPE:         nic.funet.fi in pub/doc/cud/ (Finland)
                 ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

 JAPAN:          ftp.glocom.ac.jp /mirror/ftp.eff.org/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
           the views of the moderators. Digest contributors assume all
           responsibility for ensuring that articles submitted do not
           violate copyright protections.

----------------------------------------------------------------------

Date: 10 Aug 1994 16:58:23 -0500
From: [email protected] (Stanton McCandlish)
Subject: EFF Analysis of Leahy/Edwards Digital Telephony Bill

EFF SUMMARY OF THE EDWARDS/LEAHY DIGITAL TELEPHONY BILL
=======================================================


OVERVIEW
--------

The Edwards/Leahy Digital Telephony bill places functional
requirements on telecommunications carriers in order to enable law
enforcement to continue to conduct authorized electronic surveillance. It
allows a court to impose fines on carriers that violate the requirements,
and mandates that the processes for determining capacity requirements and
technical standards be open and public.  The bill also contains significant
new privacy protections, including an increased standard for government
access to transactional data (such as addressing information contained in
electronic mail logs), a requirement that information acquired through the
use of pen registers or trap and trace devices not disclose the physical
location of an individual, and an expansion of current law to protect the
radio portion of cordless telephone conversations from unauthorized
surveillance.


SCOPE OF THE BILL.  WHO IS COVERED?
-----------------------------------

The requirements of the bill apply to "telecommunications carriers", which
are defined as any person or entity engaged in the transmission or
switching of wire or electronic communications as a common carrier for hire
(as defined by section 3 (h) of the Communications Act of 1934), including
commercial mobile services (cellular, PCS, etc.).  The bill also applies to
those persons or entities engaged in providing wire or electronic
communication switching or transmission service to the extent
that the FCC finds that such service is a replacement for a substantial
portion of the local telephone exchange.

The bill does not apply to online communication and information services
such as Internet providers, Compuserve, AOL, Prodigy, and BBS's. It also
excludes private networks, PBX's, and facilities which only interconnect
telecommunications carriers or private networks (such as most long
distance service).


REQUIREMENTS IMPOSED ON CARRIERS
--------------------------------

Telecommunications carriers would be required to ensure that they
possess sufficient capability and capacity to accommodate law enforcement's
needs.  The bill distinguishes between capability and capacity
requirements, and ensures that the determination of such requirements occur
in an open and public process.


CAPABILITY REQUIREMENTS
-----------------------

A telecommunications carrier is required to ensure that, within four years
from the date of enactment, it has the capability to:

1.      expeditiously isolate the content of a targeted communication
       within its service area;

2.      isolate call-identifying information about the origin and
       destination of a targeted communication;

3.      enable the government to access isolated communications at a point away
       from the carrier's premises and on facilities procured by the
       government, and;

4.      to do so unobtrusively and in such a way that protects the privacy and
       security of communications not authorized to be intercepted (Sec.
       2601).

However, the bill does not permit law enforcement agencies or officers to
require the specific design of features or services, nor does it prohibit a
carrier from deploying any feature or service which does not meet the
requirements outlined above.


CAPACITY REQUIREMENTS
---------------------

Within 1 year of enactment of the bill, the Attorney General must
determine the maximum number of intercepts, pen registers, and trap and
trace devices that law enforcement will require four years from the date of
enactment.  Notices of capacity requirements must be published in the
Federal Register (Sec. 2603).   Carriers have 4 years to comply with
capacity requirements.


PROCESS FOR DETERMINING TECH. STANDARDS TO IMPLEMENT CAPABILITY REQUIREMENTS
----------------------------------------------------------------------------

Telecommunications carriers, through trade associations or standards
setting bodies and in consultation with the Attorney General, must
determine the technical specifications necessary to implement the
capability requirements (Sec. 2606).

The bill contains a 'safe harbor' provision, which allows a carrier to meet
its obligations under the legislation if it is in compliance with publicly
available standards set through this process.   A carrier may deploy a
feature or service in the absence of technical standards, although in such
a case the carrier would not be covered by the safe harbor provision and
may be found in violation.

Furthermore, the legislation allows anyone to file a motion at the FCC in
the event that a standard violates the privacy and security of
telecommunications networks or does not meet the requirements of the bill
(Sec. 2606).  If petitioned under this section, the FCC may establish
technical requirements or standards that:

1)      meet the capability requirements (in Sec. 2602);

2)      protect the privacy and security of communications not authorized
       to be intercepted, and;

3)      encourage the provision of new technologies and services to the public.


ENFORCEMENT AND PENALTIES
-------------------------

In the event that a court or the FCC deems a technical standard to be
insufficient, or if law enforcement finds that it is unable to conduct
authorized surveillance because a carrier has not met the requirements of
this legislation, the Attorney General can request that a court issue an
enforcement order (an order directing a carrier to comply), and/or a fine
of up to $10,000 per day for each day in violation (Sec. 2607).  However, a
court can issue an enforcement order or fine a carrier only if it can be
determined that no other reasonable alternatives are available to law
enforcement.  This provision allows carriers to deploy features and
services which may not meet the requirements of the bill.  Furthermore,
this legislation does not permit the government to block the adoption or
use of any feature or service by a telecommunications carrier which does
not meet the requirements.

The bill requires the government to reimburse carriers for all reasonable
costs associated with complying with the capacity requirements. In other
words, the government will pay for upgrades of current features or
services, as well as any future upgrades which may be necessary, pursuant
to published notices of capacity requirements (Sec. 2608).

There is $500,000,000 authorized for appropriation to cover the costs of
government reimbursements to carriers.  In the event that a smaller sum is
actually appropriated, the bill allows a court to determine whether a
carrier must comply (Sec. 2608 (d)).  This section recognizes that
telecommunications carriers may not be responsible for meeting the
requirements if the government does not cover reasonable costs.

The government is also required to submit a report to Congress within four
years describing all costs paid to carriers for upgrades (Sec. 4).


ENHANCED PRIVACY PROTECTIONS
----------------------------

The legislation contains enhanced privacy protections for transactional
information (such as telephone toll records and electronic mail logs)
generated in the course of completing a communication.  Current law permits
law enforcement to gain access to transactional information through a
subpoena.   The bill establishes a higher standard for law enforcement
access to transactional data contained in electronic mail logs and other
online records.  Telephone toll records would still be available through a
subpoena.   Under the new standard, law enforcement is required to obtain a
court order by demonstrating specific and articulable facts that electronic
mail logs and other online transactional records are relevant and material
to an ongoing criminal investigation (Sec. 10).

Law enforcement is also prohibited from remotely activating any
surveillance capability.  All intercepts must be conducted with the
affirmative consent of a telecommunications carrier and activated by a
designated employee of the carrier within the carrier's facilities (Sec.
2604).

The bill further requires that, when using pen registers and trap and trace
devices, law enforcement will use, when reasonably available, devices which
only provide call set up and dialed number information (Sec. 10).  This
provision will ensure that as law enforcement employs new technologies in
pen register and trap and trace devices, it will not gain access to
additional call setup information beyond its current authority.

Finally, the bill extends the Electronic Communications Privacy Act (ECPA)
protections against interception of wireless communications to cordless
telephones, making illegal the intentional interception of the radio
portion of a cordless telephone (the transmission between the handset
and the base unit).


CELLULAR SCANNERS
-----------------

The bill makes it a crime to possess or use an altered telecommunications
instrument (such as a cellular telephone or scanning receiver) to obtain
unauthorized access to telecommunications services (Sec. 9).  This
provision is intended to prevent the illegal use of cellular and other
wireless communications services.  Violations under this section face
imprisonment for up to 15 years and a fine of up to $50,000.


IMPROVEMENTS OF THE EDWARDS/LEAHY BILL OVER PREVIOUS FBI PROPOSALS
------------------------------------------------------------------

The Digital Telephony legislative proposal was first offered in 1992 by the
Bush Administration.  The 1992 version of the bill:

*       applied to all providers of wire or electronic communications
       services (no exemptions for information services, interexchange
       carriers or private networks);

*       gave the government the explicit authority to block or enjoin a
       feature or service that did not meet the requirements;

*       contained no privacy protections;

*       contained no public process for determining the capacity
       requirements;

*       contained no government reimbursement (carriers were responsible
       for meeting all costs);

*       would have allowed remote access to communications by law
       enforcement, and;

*       granted telecommunications carriers only 18 months to comply.

The Bush Administration proposal was offered on Capitol Hill for almost a
year, but did attract any congressional sponsors.

The proposal was again offered under the Clinton Administration's FBI in
March of 1993.  The Clinton Administration's bill was a moderated version
of the original 1992 proposal:

*       It required the government to pay all reasonable costs incurred by
       telecommunications carriers in retrofitting their facilities in
       order to correct existing problems;

*       It encouraged (but did not require) the Attorney General to consult
       with telecommunications industry representatives and standards
       bodies to facilitate compliance;

*       It narrowed the scope of the legislation to common carriers, rather
       than all providers of electronic communications services.

Although the Clinton Administration version was an improvement
over the Bush Administration proposal, it did not address the
larger concerns of public interest organizations or the
telecommunications industry.  The Clinton Administration version:

*       did not contain any protections for access to transactional
       information;

*       did not contain any public process for determining the capability
       requirements or public notice of law enforcement's capacity needs;

*       would have allowed law enforcement to dictate system design and
       bar the introduction of features and services which did not meet
       the requirements, and;

*       would have allowed law enforcement to use pen registers and trap and
       trace devices to obtain tracking or physical location information.


                                   * * *


Locating Relevant Documents
===========================

** Original 1992 Bush-era draft **

ftp.eff.org, /pub/EFF/Policy/FBI/Old/digtel92_old_bill.draft
gopher.eff.org, 1/EFF/Policy/FBI/Old, digtel92_old_bill.draft
http://www.eff.org/pub/EFF/Policy/FBI/Old/digtel92_old_bill.draft
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital
    Telephony; file: digtel92.old


** 1993/1994 Clinton-era draft **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94_bill.draft
gopher.eff.org, 1/EFF/Policy/FBI, digtel94_bill.draft
http://www.eff.org/pub/EFF/Policy/FBI/digtel94_bill.draft
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital
    Telephony; file: digtel94.dft


** 1994 final draft, as sponsored **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94.bill
gopher.eff.org, 1/EFF/Policy/FBI, digtel94.bill
http://www.eff.org/pub/EFF/Policy/FBI/digtel94.bill
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital
    Telephony; file: digtel94.bil


** EFF Statement on sponsored version **

ftp.eff.org, /pub/EFF/Policy/FBI/digtel94_statement.eff
gopher.eff.org, 1/EFF/Policy/FBI, digtel94_statement.eff
http://www.eff.org/pub/EFF/Policy/FBI/digtel94_statement.eff
bbs: +1 202 638 6120 (8N1, 300-14400bps), file area: Privacy - Digital
    Telephony; file: digtel94.eff




------------------------------

Date: 10 Aug 1994 13:33:30 -0500
From: [email protected] (Mark Stahlman (via RadioMail))
Subject: Re: EFF Statement on Leahy/Edwards Digital Telephony Bill

Jerry, Danny, Stanton, et al:

Well, what a fine kettle of fish you've gotten yourselves into this time.
EFF "supports" a Digital Telephony (wiretap) bill.  Quick, who's got the
smelling salts?

You've gone from "Jackboots on the InfoBahn" to "substantially less
intrusive", "significant privacy advances" and "enhanced protection."  And,
just whose picture is that in the dictionary next to the definition of
"cyberdupes" anyway?

After successfully defeating draconian legislation for years, EFF now helps
to  . . . draft the kinder-gentler wiretap bill.  Because Leahy and Edwards
"concluded that the passage of such a bill was inevitable this year", EFF
is called upon to perform the one-eyed act in the land of the blind.

What happened from last year to this?  Why was any bill "inevitable" in
this Congress?  Did EFF lose its clout?  Did the Information-SuperHypeway
blitz (that EFF cynically fanned) help tip the balance?

I have no doubt that this bill is "better" than the FBI's proposal.  I also
have no doubt that the FBI knew that its bill was only the starting point
for the negotiations.  And, if passed, this bill will certainly deliver to
the FBI everything that it wants.  That's the way Washington works.  Wake
up.

As I've said all along, EFF made themselves part of a process far larger,
more powerful and more professional than they could ever become when they
scrapped the chapters and moved to DC to become lobbyists.  And, since the
"groups" that EFF "represents" are not particularly powerful, EFF's efforts
will inevitably be confined to providing language that helps the truly
powerful groups (like the FBI -- which lest we forget is just the Clinton
administration) get their way.

But don't be fooled.  EFF is not an "opposition" group wrestling with the
weighty issues of cyberspace politics.  Despite the advertisements, EFF is
not "hacking politics and then fixing it."  They have opted to become an
integral part of the "system".  Is that a bad thing?  Certainly not.  The
"system" delivers enormous benefits to most of its citizens.  And, it
needs its functionaries -- like EFF.

But, as Toffler would have put it, ours is a completely obsolete Second
Wave "system" which needs to be radically transformed.  Reread the
concluding section of Toffler's "Third Wave" on 21st Century Democracy.
Published in 1980, this book lays out the issues and predicts the outcomes
that are still worthy of very serious debate, study and action.

The technologies we are so intimately involved with will inevitably lead to
profound social and psychological changes which in turn will force the
development of something akin to Toffler's "Third Wave" government.  I
don't know if it will be 20% or 50% the size of current government but it
certainly won't tolerate anything like Gore's NII or this administration's
Information Industrial Policy initiatives.  Nor will it support a police
force bent on wiretaps to catch electronic tax cheats -- a far more
plausible motivation for this legislation than hunting
porno-smuggling-kiddie-grabbing-terror-toting hairballs.

We need organizations (and individuals) which are dedicated to working on
the thorny problems of inventing a new government which will be capable of
supporting and defending a cyberspace economy.  This is a process which is
probably best conducted *outside* of the current "system".  As EFF has
shown us, the talk-show temptations of being an "insider" are just too
powerful to be resisted.  Principles don't matter when you're on the
"inside".  Clear, careful and even "radical" thinking doesn't help when the
horse-trading takes over.

Re-read the EFF's founding principles, re-read "Across The Electronic
Frontier."  Then, compare the text with the reality.  Take it as an object
lesson in politics.  Disappointed?  Well, maybe that's part of growing up.

Hopefully, EFF will take up the case of the Milpitas porn-BBS conviction on
appeal.  Now that's real cyberspace politics!  This administration (yes,
they still run the DoJ) decided to attack cyberspace information rights by
trying to impose the "community standards" of Memphis on all of cyberspace.
A non-Internet connected private board with $99 annual fees was convicted
of 11 counts of delivering porn over the phone (and acquitted of a kiddie
porn count because the board refused to post the kiddie-GIFs the Feds sent
them).  Yes, there's plenty of important work left for EFF to do.

And, what about you?  Start something new, something bold.  Have the
courage to just say no to cyber-crats and digital control freaks.  Forget
moribund ideologies.  Stop trying to summon Jefferson's (or Marx's or
Rand's) ghost from the grave.  Face up to the fact that we already live in
a networked economy and that millions of people have already entered into
Toffler's new "psycho-sphere".  Pick up the tools at hand and take
responsibility to invent the future.  Your Softbot descendants will honor
you for your valor.

Mark Stahlman
New Media Associates
New York City
[email protected]

------------------------------

Date: Thu, 18 Aug 1994 14:25:22 -0600 (MDT)
From: "Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067"
Subject: "Secrets of a Super Hacker" by Fiery

BKSCSUHK.RVW  940609

Loompanics Unlimited
P.O. Box 1197
Port Townsend, WA 98368 206/385-5087 fax 206/385-7785
[email protected]
"secrets of a super hacker",
Fiery, 1994; 1-55950-106-5, U$19.95

Despite Loompanics' reputation as a "dark side" publisher, this may be
a very good book.  It deals primarily with social engineering, despite
the purported coverage of other topics.  It would therefore be
valuable reading material around corporate lunchrooms, since
forewarned is just a little bit more paranoid and, therefore,
forearmed.  As those involved with data security in the real world
well know, cracking is basically a con job.  Thus, The Knightmare, if
he really is "super", is a con artist par excellence--and is pulling
off a really great con here!

Revealing the secrets of social engineering poses very little threat
to security.  Con men already exist and will continue to exist.
Cracker wannabes are unlikely to be able to carry off a successful con
if they need to rely on canned advice like this.  On the other hand,
it is much more likely to shock naive and non-technical users into an
awareness of the need for suspicion and proper procedures--albeit
possibly only temporarily.  Thus, this information is almost
inherently of more use in data protection than in data penetration.

As for technical help for the cracker; well, are you really expecting
great technical revelations from someone who knows there is a
difference between baud and bits per second--and gets it backwards?
Or, who thinks 140 and 19,900 baud are standard modem speeds?  Who
thinks Robert Morris' worm found "original" bugs?  (And who doesn't
know the difference between "downgrade" and "denigrate"?)  All the
successful hacks in the book rely on social engineering rather than
technology.  Lots of jargon is thrown in along the lines of, "You need
X," but without saying what X really is, where to get it, or how to
use it.

The official definition of a hacker in the book is of the "good side"
seeker after knowledge.  As it is stated early on, a hacker *could* do
lots of mischief--but doesn't.  In the course of the text, though, the
image is much more convoluted.  The book almost seems to be written by
two people; one who is within the culture and has the standard
confused cracker viewpoint, and another, sardonically aware of pulling
the wool over all the wannabes' eyes.  The chapter on contacting the
*true* hacker community is EST-like in its refusal to define when you
might have made it, or how.

Like I said, buy it for the corporate or institutional lunchroom.
Make sure that the non-techies get first crack at it.  If you'll
pardon the expression.

copyright Robert M. Slade, 1994   BKSCSUHK.RVW  940609

======================
DECUS Canada Communications, Desktop, Education and Security group newsletters
Editor and/or reviewer [email protected], [email protected], Rob Slade at 1:153/733
DECUS Symposium '95, Toronto, ON, February 13-17, 1995, contact: [email protected]

------------------------------

End of Computer Underground Digest #6.74
************************************