Computer underground Digest    Thu  Feb 2, 1995   Volume 7 : Issue 08
                          ISSN  1004-042X

      Editors: Jim Thomas and Gordon Meyer ([email protected])
      Archivist: Brendan Kehoe
      Retiring Shadow Archivist: Stanton McCandlish
      Shadow-Archivists: Dan Carosone / Paul Southworth
                         Ralph Sims / Jyrki Kuoppala
                         Ian Dickinson
      Copy Icecreamer:    B. Robbins

CONTENTS, #7.08 (Thu, Feb 2, 1995)

File 1--U.S. Attorney decides not to appeal LaMacchia decision (fwd)
File 2--Commentary of Debate on Clipper Chip
File 3--Beta-testers : EFF-Austin Law Enforcement Incidence Database
File 4--Open reply to Jerome Haden
File 5--Re: File 5--Writer Seeks On-Line Crime Info (fwd)
File 6--Re: The InterNewt
File 7--CUD7.05, Article #2 (Newt Response)
File 8--CIAC Bulletin F-09: Unix /bin/mail Vulnerability
File 9--Re: Amateur Action BBS Update
File 10--Tools For Privacy - New book by Lenard & Block (fwd)
File 11--New Internet Virtual Democracy Software
File 12--Cu Digest Header Information (unchanged since 25 Nov 1994)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

----------------------------------------------------------------------

Date: Sun, 29 Jan 1995 14:41:41 -0600 (CST)
From: David Smith <[email protected]>
Subject: File 1--U.S. Attorney decides not to appeal LaMacchia decision (fwd)

---------- Forwarded message ----------
From-- [email protected] (Natalya Cohen)
Date-- 29 Jan 95 04--38--13

The U.S. Attorney's office in Boston announced on Friday, January 27,
that it will not appeal the dismissal of its legal case against MIT
student David LaMacchia.  The case was dismissed by District Judge
Richard G. Stearns on December 29.

In announcing his decision, the U.S. Attorney Donald K. Stern
underscored his intent to work toward initiating new legislation
"which would remove any uncertainty that willful, multiple
infringements of copyrighted software, even where there is no
commercial motive, is illegal."

Information about the case, including the most recent announcement by
the U.S. Attorney, can be found on the David LaMacchia Defense Fund
(DLDF) homepage, or by request.

 DLDF Trustees
 http://www-swiss.ai.mit.edu/dldf/home.html
 [email protected]

------------------------------

Date: Sun, 22 Jan 1995 23:36:52 -0500 (EST)
From: DaVe McComb <[email protected]>
Subject: File 2--Commentary of Debate on Clipper Chip
Message-Id: <[email protected]>

                               The Clipper Chip:
       Should the Government Hold the Master Keys to Electronic Commerce?
(A Public Debate of the Administration's Clipper Chip and Key Escrow Initiative)

                           Thursday, January 19, 1995
               The Association of the Bar of the City of New York
                               42 W. 44th Street
                                    NY, NY

Speakers:
PRO Clipper/Key Escrow
Stewart Baker(SB)       -       Partner, Steptoe & Johnson; former General Counsel of the
National Security Agency
Michael Nelson(MN)      -       White House Office of Science and Technology Policy
James Kellstrom (JK)    -       Special Operations, FBI, NY

CON Clipper/Key Escrow
Daniel Weitzner(DW)     -       Center for Democracy and Technology; formerly with the
Electronic Frontier Foundation
William Whitehurst(WW)  -       IBM Corporation - Security Officer

Moderator:      Albert Wells(AW) - Debevoise and Plimpton

[Following is my review of the Clipper Chip public debate.  I have attempted to
be as accurate as possible, but have had to paraphrase the participants.  My
overall impressions from the pro-Clipper side were that Clipper Chip as a
technology may be dead, but that key escrow by the government was moving
forward.  From the con-Clipper side, I was left wondering, would we agree to
key escrow if cryptographic export controls were lifted? - DaVe McComb]

[Opening Statements]

SB:     We need the Clipper Chip to stop threats to the US.

DW:     Clipper hasn't succeeded commercially.  There are problems with export
controls and privacy.  The belief that terrorists and drug dealers will be
stopped by Clipper is ridiculous; they won't use Clipper.  I foresee a new
field developing in the future; that of "Mob Cryptographer."

JK:     We have to protect ourselves and our children against terrorists, child
pornographers, kidnappers, the selling of trade secrets, and drug dealers.
Would you buy a car or house if you were told, "If you lose the keys, you can
never get back in?"

WW:     There are many legitimate uses of cryptography.  However, Clipper is not
compatible with the installed base of software.  Also, non-US firms will not
embrace a technology that the US government has the keys to.

MN:     The federal government needs good cryptography to build the National
Information Infrastructure.  However, this cryptography must not affect law
enforcement.  We had three choices:  weak crypto - easy wiretap; strong crypto
- no wiretap; or Clipper - strong crypto with the capability for wiretaps.
Clipper was designed for the government and is voluntary.  Clipper only solves
the problem of voice encryption and not data encryption.  Also, it's in
hardware and therefore more costly.

[Start of debate]
DW:     Why should users turn down Clipper?  Matt Blaze found a flaw in Capstone
that cast doubt on the whole project.  We shouldn't accept a "secret"
algorithm; there's no confidence in the security of the algorithm.  Also, for
key escrow, the keys are held by two federal agencies.  Why should we trust
them?  Both agencies are responsible to the president and there are no binding
government statutes regulating access to the keys.

MN:     The government has to get a court order for a wiretap in order to get the
data before they even go to the key escrow agencies.  Therefore, we now have
two layers of protection:  the wiretap order and obtaining the keys from the
escrow agencies.  Also, the Blaze attack only showed that by not using the
LEAF, it was possible to undermine the authorities.

SB:     Who would you rather trust to hold the keys?  Private business or a
democratic system with automatic checks and balances.

DW:     New technology presents new problems.  People already know about
cryptography.  And criminals won't go to Radio Shack to buy their "NSA
Approved" crypto phone or modem.

WW:     This is not a US only problem.  However, Clipper is a US solution to a
vastly expanding global electronic marketplace.  Would we trust other
governments?  No.  Why should they trust the US government?

       I am part of the "Key Escrow Alternatives Working Group."  We're a group of
50-60 industry representatives who are looking for alternatives.  We're trying
to work with the government, but having frustrating results.

MN:     The questions we've received from this group are being dealt with, however
they directly impact the national security policy.  One of these unanswered
questions is: "Will the government allow exportation of cryptography if the
keys are escrowed?"  The goal of the government is to export cryptography only
if national security is not compromised.  We're working towards the ideal, but
we're not there yet.  Clipper helps to meet this goal.

AW:     Are there any concrete proposals to replace Clipper?

MN:     Some companies have proposed DES coupled with key escrow and the government
is talking about these concepts.  However, it will take several months to
review these new products.  Clipper does have a secret algorithm, but it has
been tested by a number of top cryptographers.

DW:     Here's the lesson of Clipper:  the government should not be in the business
of designing cryptographic products.  They should work out the legislative
concerns, like exportation.  Taking from Maria Cantwell's letter, we want any
solution to be: unclassified, voluntary, exportable, able to be implemented in
software, have guarantees for the liability of the escrow agencies, and ensure
the privacy of the escrow agencies.  My personal top two concerns are:
exportable and voluntary.  When the 1968 Wiretap Bill was proposed, civil
liberty groups felt that wiretaps constituted secret searches and violated the
4th Amendment.  We should see that it is not an absolute right of the
government to conduct searches.

JK:     The government has to protect the citizens.  How would you feel if your
child was enticed into some snuff film, or killed?

MN:     We are looking at other possible escrow agencies.  The first two we chose
were for use by the government, so two other government agencies were picked.

AW:     How would the escrow agencies be regulated?  What would happen if the key
was improperly released?

SB:     It's difficult to say, especially if the government holds the keys.  If they
were held by private businesses, they would have direct liability.

AW:     As far as export controls go, cryptographic printed materials and Internet
traffic easily go overseas, yet software and hardware cannot.

SB:     In the 80's the government viewed cryptography in much the same way as
atomic bomb making.  It was put on the munitions list.  However, in the last 10
years we have seen many commercial uses.  Also, importing crypto into other
countries is difficult as well, especially France.

WW:     IBM invented the basic algorithm for DES as a result of a call by government
to protect both business and government data.  As soon as it was made the
standard, export controls were slapped on it.  Now there are substantial
implementations of DES by foreign companies.  IBM is not thrilled when we can't
deliver DES solutions to a foreign company, and we lose the business to a
foreign DES product.  As for France, they don't have an import law, they have a
registration law whereby the French government issues a registration
certificate.  The main export problem is the US laws, not foreign government
import laws.

DW:     The Schneier book was allowed out of the country, and it contained C code in
printed form.  However, a disk with that same code would not be allowed out of
the country.

MN:     There probably are cases where US companies lose business, but the
government is accomplishing their goal of preventing the spread of this
technology.  We can ensure that Libya does not get the Clipper technology.

[Closing Remarks]

JK:     As technology advances, there's no easy solution.  Clipper was not the
cure-all/end-all.  Other technologies have the same problems:  the picture
phone is great until some pervert exposes himself to you and your family by
using it.  We can offer strong crypto and the only people who have to fear us
are the criminals.

DW:     Clipper as a policy solution is a dead end.  We have to move on.  Law
enforcement is being unfairly advantaged and individuals lose their privacy.

SB:     When Clipper was announced, there was a great uproar.  The administration is
standing firm - We will not allow criminal activity on the Internet.  The idea
of escrow has slowly sunk in with business.  As this goes on, we'll see a
convergence of business and government between escrow and the method of
cryptography.

WW:     The government can relax export controls by loosening restrictions on
exporting cryptography to "friendly" countries.  For example, Ford in Germany
can buy IBM cryptographic solutions, but Mercedes Benz cannot.  Also, the users
would like the freedom of choice to choose the best cryptographic product for
them.  We need cooperation between the private and public sector.

MN:     Everyone wants the following:  easing export restrictions, a software
solution, ease of use, inexpensive, public algorithm, and law enforcement.
Clipper was the first step.  We will now look at other escrow technology, as
well as law enforcement and export issues.  We are moving step-by-step towards
new approaches.  The Clinton administration is moving ahead.

------------------------------

Date: Tue, 24 Jan 1995 21:09:45 -0600 (CST)
From: David Smith <[email protected]>
Subject: File 3--Beta-testers : EFF-Austin Law Enforcement Incidence Database

                       CALL FOR "BETA" TESTERS

            EFF-Austin Law Enforcement Incidence Database
                          January 24th, 1995


EFF-Austin is interested in creating and maintaining a database of
search and seizures involving BBS systems / Internet sites.

The intention of such a database is to:

* provide a status of recent incidences of government search and
 seizures.  A file is to be opened for each raid, and then tracked as
 its case winds its way through the legal system.  Ex: what is the last
 we heard about the Rusty N Edie BBS case?

* provide a historical record of past seizures.  People new to the Net,
 for example, need to know about the Steve Jackson Games case, and other
 important cases.

* track certain trends and trouble areas for civil libertarians, such as
 computers that are seized and never returned, people who are raided and
 never indicted, and the "downsizing" of draconian tactics, where those
 who are likely to cart stuff out the door are not the FBI, but rather
 state or local law enforcement.

* provide primary and secondary documentation sources for journalists,
 students, activists, law enforcement, and anyone else interested in
 these issues.

* track incidences that don't generate media coverage.


                     SCHEDULE FOR IMPLEMENTATION
                             (tentative)

February --     Beta-testing : fields, forms, and designing a database
                              application accessible via gopher/Web.
                              This is about six weeks.

March   --      Start data entry on huge backlog of cases. Initial
               estimate : 150 to 200 cases to-date.

       --      Public "un-veiling" during 1995 CFP.  Important to have
               a sizeable chunk done (50 to 70 or so). Also want to
               create a "Top 10 List" of important cases.


              WHAT WE NEED NOW IN TERMS OF BETA-TESTERS

We have taken an initial stab at designing a report format that we think
will cover all the bases, do what we want it to do, and be useful.

We want feedback from :

* People most likely to use the database (journalists, activists,
 students, law enforcement officials, lawyers, etc.) to examine the
 reports, make suggestions, and provide feedback on what information
 you would want from such a database.

* People experienced in designing databases accessible via the Internet.
 This should be accessible via gopher and the World Wide Web, though we
 haven't selected a database engine yet.

Since EFF-Austin is a non-profit, volunteer-run organization, we will
need assistance from the entire online community in order to make this
work.  Anyone is eligible to contribute input or participate; you don't
need to live in Austin or be a member of EFF-Austin.

Send e-mail to [email protected] if you have any questions, comments, or
want to join the project.

------------------------------

Date: Sun, 29 Jan 1995 12:50:20 -0800
From: Bruce Jones <[email protected]>
Subject: File 4--Open reply to Jerome Haden

I am concerned about the kinds of articles and books that get
written about the net.  I know how well yellow, sensationalist
journalism sells, and I see just such a book coming out of Mr.
Haden's work.  Here is a copy of the message I sent to him, asking
about his motives.

>From bjones Sun Jan 29 12:45:33 1995
[email protected]
Subject--Your book

Mr. Haden,

I saw your request for information reposted to an Internet mailing
list.  I have grown somewhat suspicious about such requests, given
the terrible, yellow, sensationalist journalism about the net that
has been published in the last few months.

Before I begin to post challenges to your request, wherein I question
your morals, goals and motivations for requesting such information,
I thought I would offer you an opportunity to explain the thrust of
your work.

Perhaps I am wrong, but your questions look suspiciously like those
"answered" in works with similar titles in national magazines and
newspapers.

To be specific, do you plan to write more of the same "your children
are in danger of being brutalized by computer bulletin board
systems," or something different, better informed, and realistic (we
are, after all, talking about virtual reality and not FTF, physical
contact here)?

Curiously yours,

Bruce Jones                     Department of Communication
[email protected]                 University of California, San Diego
(619) 534-0417/4410             9500 Gilman Drive
FAX (619) 534-7315              La Jolla, Ca. 92093-0503

p.s. I am sending a copy of this message to the mailing list where I
first saw your request.  Be advised that I am not going to keep this
"between you and me" and I will be posting copies of any mail you
send to me to that list as well.

------------------------------

Date: Thu, 26 Jan 1995 20:49:28 -0500
From: Barak Pearlmutter <[email protected]>
Subject: File 5--Re: File 5--Writer Seeks On-Line Crime Info (fwd)

That's funny, I'm writing a book called

   "Nearsighted and Dangerous:
    A Parent's Guide to the Dangers of the Public Library"

I am seeking real events that are "public record" (either newspaper
articles or court documents) which involve the following criminal
activity:

1.) Sexual predators who have committed sex crimes on minors with a
   connection to a public library or salacious book.

2.) Teenage readers who have been charged with any type of plagiarism,
   copyright violation, document forgery, unauthorized access to
   private university libraries, or similar crimes.

3.) Any teenagers involved in making explosives with information
   obtained from a book.

4.) Any selling of illegal drugs involving minors and books available
   in libraries.

5.) Any other crimes involving teenagers as either victims or
   perpetrators with the use of public libraries or written documents
   of any sort.

Also would be interested in hearing from victims or perpetrators
willing to be interviewed "off the record", and/or willing to appear
on national talk shows.

If you have any such information please contact me.

------------------------------

Date: 25 Jan 1995 20:05:37 GMT
From: [email protected](Tim King)
Subject: File 6--Re: The InterNewt

Larry Mulcahy wrote concerning David Batterson's article:

> Why does this venomous screed deserve to be in CUD?  In it,
> Batterson only makes personal attacks against right wing
> figures, saying nothing about issues.

Funny, this is the same thought that came to my mind.  But I
considered the article more likely to be a lame attempt at poor humor,
rather than a series of genuine personal attacks.  So I let the matter
drop.  However, my feelings about the article are shared by others.
And, more importantly, perhaps these others don't see the humor
content.  Therefore, maybe this blatantly offensive series of
ramblings does deserve some response.

David Batterson wrote, for example, that "we can expect the clueless
Newtbies, chainsmoking Helmsmen and Rush dittohead dorks to increase
their invasion of the Net."  Now, I will reserve my personal opinions
regarding Newt Gingrich, Jesse Helms, and Rush Limbaugh -- and Rush
would probably be proud to make fun of David's article.  I'll also
fail to mention the obvious, that not every conservative is a
replicant of one of these men.

Nevertheless, if conservatism is what it claims to be, we should see
the current government get out of the way of the Internet.  Sometimes
this means that the government refuses to step in when it should, but
I think the Net is strong and organized enough so that this would not
be a danger.  In any case, the subjects that have recently been all
the rage -- things like escrowed encryption, digital telephony, and
encryption export -- seem to cut across party boundaries.  If memory
serves, both Democrats and Republicans have taken both sides of these
issues.

Also, servers and newsgroups are already available for discussing
silly sectional interests in a variety of fields.  This is what we in
the Net call "free speech."  This necessarily means that some people
post ridiculous articles about the holocaust, for example.  But my
experiences have shown me that such silliness rarely leads to mass
conversion.  Why not?  Because "critics" also have access to the
Internet, and they can post a rebuttal to anything they feel requires
one.  So it is abundantly clear to me that there is no danger, even if
Jesse Helms does set up "a WWW home page for the tobacco industry,
where we can view video clips on the joys of smoking."

Thirdly, no congress, no matter how extreme, could possibly get away
with requiring free citizens "to learn some new terminology," even if
there is no "prison time for first time offenders who still use the
old meanings." Anyway, it's idiotic to think that such "new
terminology" would actually mock the government that created it!

You know, recently, when Conan O'Brien and Andy Richter did a similar
bit --Newt was giving the president commands that were patently absurd
-- it was funny.  I thought that, perhaps, it seemed funny because, in
the bit, Clinton was a willing subservient in this ridiculous
scenario.  But, then again, David Batterson's article in a way is just
as funny.  He has the whole of the world, embodied in the Internet,
being a willing subservient to such absurdities.  So perhaps it is
funny after all.

------------------------------

Date: Thu, 26 Jan 1995 21:39:43 -0500
From: [email protected](Charlie Anthe)
Subject: File 7--CUD7.05, Article #2 (Newt Response)

       In his response to the critics of Newt Gingrich found in CUD7.03,
Mr. Mulcahy cites as an example of Speaker Gingrich's dedication to the
voters the unveiling of the "Thomas" WWW server at the Library of Congress
earlier this year. The article provided goes to great pains to point out that
the server will provide the average voter with easy and instant access to
the daily activities of Congress and of the legislation being debated,
something that previously would have required enormous paperwork from the
Library of Congress.
       What is not mentioned by either the article or Mr. Mulcahy's
response is the fact that Speaker Gingrich probably had no influence
whatsoever in the installation of the Thomas server. Obviously a computer
system that was going to be unveiled to the entire nation and have such
politically important information on it would have begun in the planning
stages years ago, back when the Democrats were firmly in control of the
Congress. Mr. Gingrich is just being sure to soak up the limelight and
proclaiming the ideas and work of the Democrats as his own personal example
of the Republican fulfillment of their "Contract With America".

       While the creation of the Thomas server as well as that of the House
of Representatives' own home page (available at http://www.house.gov) are
certainly important milestones in the advancement of information to the
public, let us not be so quick as to reward Mr. Gingrich with the fruits of
another group's labor.

------------------------------

Date: Fri, 27 Jan 1995 10:44:31 -0800
From: Steve Weeber <[email protected]>
Subject: File 8--CIAC Bulletin F-09: Unix /bin/mail Vulnerability

           _____________________________________________________
                      The U.S. Department of Energy
                   Computer Incident Advisory Capability
           _____________________________________________________

                           INFORMATION BULLETIN

                      Unix /bin/mail Vulnerabilities

January 27, 1995 1030 PST                                        Number F-09
___________________________________________________________________

PROBLEM:       The Unix /bin/mail utility contains security vulnerabilities.
PLATFORMS:     DEC OSF/1 1.2, 1.3, and 2.0
              DEC Ultrix 4.3, 4.3A, and 4.4
              SCO Unix System V/386 Release 3.2 OS Version 4.2
              SCO Open Desktop Lite Release 3.0
              SCO Open Desktop Release 3.0
              SCO Open Server Enterprise System Release 3.0
              SCO Open Server Network System Release 3.0
              Solbourne OS4.1x
              SunOS 4.x
DAMAGE:        Local users may gain privileged (root) access.
SOLUTION:      Apply appropriate vendor patch as described below.
___________________________________________________________________

VULNERABILITY  The vulnerabilities in the /bin/mail program have been openly
ASSESSMENT:    discussed in several Internet forums, and automated scripts
              exploiting the vulnerabilities have been widely distributed.
              These tools have been used in many recent attacks.  CIAC
              recommends sites install these patches as soon as possible.
___________________________________________________________________

         Critical Information about Unix /bin/mail Vulnerabilities

The /bin/mail utility on several Unix versions based on BSD 4.3 Unix contains
a security vulnerability.  The vulnerability is the result of race conditions
that exist during the delivery of messages to local users.  These race
conditions will allow intruders to create or modify files on the system,
resulting in privileged access to the system.

Below is a summary of systems known to be either vulnerable or not
vulnerable.  If your vendor's name is not listed, please contact the vendor
or CIAC for more information.

  Vendor or Source                   Status
  ----------------                   ------------
  Apple Computer, Inc.               Not vulnerable
  Berkeley SW Design, Inc. (BSDI)    Not vulnerable
  Cray Research, Inc.                Not vulnerable
  Data General Corp.                 Not vulnerable
  Digital Equipment Corp.            Vulnerable
  FreeBSD                            Not vulnerable
  Harris                             Not vulnerable
  IBM                                Not vulnerable
  NetBSD                             Not vulnerable
  NeXT, Inc.                         Not vulnerable
  Pyramid                            Not vulnerable
  The Santa Cruz Operation (SCO)     Vulnerable
  Solbourne (Grumman)                Vulnerable
  Sun Microsystems, Inc.             SunOS 4.x vulnerable
                                     Solaris 2.x not vulnerable

Patch Information
-----------------

DEC          The /bin/mail patch is a part of a comprehensive Security
            Enhanced Kit that addresses other security problems as well.
            This kit was released on May 17, 1994 and was described in
            DEC Security Advisory #0505 and CIAC Notes 94-03.

            OSF/1 users should upgrade to a minimum of version 2.0 and
            install Security Enhanced Kit CSCPAT_4061 v1.0.  Ultrix users
            should upgrade to at least version 4.4 and install Security
            Enhanced Kit CSCPAT_4060 v1.0.

            Both kits are available from your Digital support channel or
            electronically by request via DSNlink.


SCO          Vulnerabilities in SCO's /bin/mail utility are removed by
            applying SCO's Support Level Supplement (SLS) uod392a. It is
            available via anonymous FTP from ftp.sco.com in the /SLS
            directory:

            Description   Filename       MD5 Checksum
            ------------  -------------  --------------------------------
            Disk image    uod392a.Z      2c26669d89f61174f751774115f367a5
            Cover letter  uod392a.ltr.Z  52db39424d5d23576e065af2b80aee49


Solbourne    Grumman System Support Corporation now performs all Solbourne
            software and hardware support.  Please contact them for
            further information:

               E-mail: [email protected]
               Phone:  1-800-447-2861
               FTP:    ftp.nts.gssc.com


Sun          Sun has made patches available to remove vulnerabilities in
            /bin/mail.  These patches address all vulnerabilities CIAC has
            seen exploited to date, and CIAC recommends they be installed.
            However, the patches will be updated again in the near future
            to remove additional vulnerabilities that have recently come
            to light.  CIAC will announce the availability of the new
            patches when they are released.

            The patches may be obtained from your local Sun Answer Center
            or through anonymous FTP from sunsolve1.sun.com in the
            /pub/patches directory:

            SunOS    Filename         MD5 Checksum
            -------  ---------------  --------------------------------
            4.1.x    100224-13.tar.Z  90a507017a1a40c4622b3f1f00ce5d2d
            4.1.3U1  101436-08.tar.Z  0e64560edc61eb4b3da81a932e8b11e1


Alternative Solution
--------------------

For those sites unable to obtain a vendor patch for a vulnerable version of
/bin/mail, a replacement package called mail.local has been developed and
made freely available on the Internet.  The /bin/mail program is relatively
complex software, serving both as a mail delivery agent and a user interface,
allowing users to send and read E-mail messages.  Complex system software,
like /bin/mail, is more likely to exhibit security vulnerabilities.

The mail.local package was written to perform only one task: the delivery
of mail to local users.  It is comparatively small, and the code has been
examined carefully by experts in the security community.  While it has not
been formally evaluated, it is probable that mail.local addresses all
vulnerabilities currently being exploited in /bin/mail.

For more information, see the file README in the directory
ftp://coast.cs.purdue.edu/pub/tools/unix/mail.local/.
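The race-condition class the bulletin describes arises when a privileged
delivery agent trusts the mailbox *path* between checking it and writing to
it.  The following is an added illustration, not code from the bulletin or
from the mail.local package, of how a minimal local delivery step can decide
on the file it actually opened rather than on the path: lstat() before
open(), fstat() after, and a refusal whenever the two disagree or the object
is not a plain file owned by the recipient.  Function names, the spool
directory and the sample message are hypothetical and constructed here.

```c
/* Added illustration of race-resistant local mailbox delivery; names and
 * the spool path are hypothetical, not the mail.local project's code. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* the lstat()/fstat() identity check below still catches symlinks */
#endif

/* Outcomes of mailbox_open(); negative values other than -1 are refusals. */
enum mbox_status {
    MBOX_OK = 0,
    MBOX_ERR_IO = -1,          /* a syscall failed; consult errno */
    MBOX_ERR_NOT_REGULAR = -2, /* path is a symlink, directory, device, ... */
    MBOX_ERR_WRONG_OWNER = -3, /* existing mailbox not owned by the recipient */
    MBOX_ERR_LINKED = -4,      /* extra hard links: the file may alias another */
    MBOX_ERR_RACED = -5        /* object swapped between lstat() and open() */
};

/* Open (or create) the recipient's mailbox for append without following a
 * symlink and without trusting a path that could be replaced underneath us.
 * On MBOX_OK, *fd_out is an O_APPEND descriptor the caller must close. */
int mailbox_open(const char *path, uid_t recipient, int *fd_out)
{
    struct stat pre, post;
    int fd, existed;
    int flags = O_WRONLY | O_APPEND | O_NOFOLLOW;

    if (lstat(path, &pre) == 0) {
        /* lstat() does not follow links, so a link planted at the mailbox
         * path is seen as a link and refused before we touch anything. */
        if (!S_ISREG(pre.st_mode))
            return MBOX_ERR_NOT_REGULAR;
        existed = 1;
        fd = open(path, flags);
    } else if (errno == ENOENT) {
        /* No mailbox yet: O_EXCL makes open() fail rather than reuse whatever
         * appears at the path between our lstat() and this call. */
        existed = 0;
        fd = open(path, flags | O_CREAT | O_EXCL, 0600);
    } else {
        return MBOX_ERR_IO;
    }
    if (fd < 0)
        return MBOX_ERR_IO;

    /* Every decision from here on is about the object we opened, not the path. */
    if (fstat(fd, &post) < 0) { close(fd); return MBOX_ERR_IO; }
    if (!S_ISREG(post.st_mode)) { close(fd); return MBOX_ERR_NOT_REGULAR; }
    if (existed && (post.st_ino != pre.st_ino || post.st_dev != pre.st_dev)) {
        close(fd); return MBOX_ERR_RACED;   /* path was swapped after lstat() */
    }
    if (post.st_nlink != 1) { close(fd); return MBOX_ERR_LINKED; }
    if (post.st_uid != recipient) {
        /* A freshly created mailbox belongs to the agent (root when run as a
         * daemon) and is handed to the recipient; an existing mailbox with the
         * wrong owner is refused rather than silently re-owned. */
        if (existed || fchown(fd, recipient, (gid_t)-1) < 0) {
            close(fd); return MBOX_ERR_WRONG_OWNER;
        }
    }
    *fd_out = fd;
    return MBOX_OK;
}

/* Append one message to the recipient's mailbox using the checks above. */
int mailbox_deliver(const char *path, uid_t recipient, const char *msg)
{
    int fd = -1, rc = mailbox_open(path, recipient, &fd);
    size_t len = strlen(msg), done = 0;
    if (rc != MBOX_OK) return rc;
    while (done < len) {
        ssize_t n = write(fd, msg + done, len - done);
        if (n < 0) { if (errno == EINTR) continue; close(fd); return MBOX_ERR_IO; }
        done += (size_t)n;
    }
    return close(fd) == 0 ? MBOX_OK : MBOX_ERR_IO;
}

/* Constructed scenario: a fresh spool directory, a first delivery that creates
 * the mailbox, a second that appends, then the planted objects an agent must
 * refuse.  Returns 0 if every step behaves as expected, else the step number. */
int mailbox_selftest(void)
{
    const char *tmp = getenv("TMPDIR") ? getenv("TMPDIR") : "/tmp";
    const char *msg = "From alice Thu Feb  2 10:00:00 1995\nhello bob\n\n";
    char dir[256], box[300], alias[300];
    struct stat st;
    uid_t me = getuid();

    snprintf(dir, sizeof dir, "%s/mboxdemo.XXXXXX", tmp);
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(box, sizeof box, "%s/bob", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);

    if (mailbox_deliver(box, me, msg) != MBOX_OK) return 2;   /* creates */
    if (mailbox_deliver(box, me, msg) != MBOX_OK) return 3;   /* appends */
    if (stat(box, &st) < 0 || st.st_size != (off_t)(2 * strlen(msg))) return 4;
    if (mailbox_deliver(box, me + 1, msg) != MBOX_ERR_WRONG_OWNER) return 5;
    if (symlink(box, alias) < 0) return 6;
    if (mailbox_deliver(alias, me, msg) != MBOX_ERR_NOT_REGULAR) return 7;
    if (unlink(alias) < 0 || link(box, alias) < 0) return 8;
    if (mailbox_deliver(box, me, msg) != MBOX_ERR_LINKED) return 9;
    unlink(alias); unlink(box); rmdir(dir);
    return 0;
}
```

The selftest exercises the creation and append paths as the invoking user, then the symlink, wrong-owner and hard-link refusals; a real agent would additionally lock the mailbox for the duration of the append.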

 ___________________________________________________________________

CIAC wishes to acknowledge the contributions of the CERT Coordination
Center in the construction of this bulletin.
 ___________________________________________________________________

For emergencies and off-hour assistance, DOE and DOE contractor sites can
contact CIAC 24 hours a day via an integrated voicemail and SKYPAGE number.
To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The
primary SKYPAGE PIN number, 8550070, is for the CIAC duty person. A second
PIN, 8550074, is for the CIAC Project Leader.  CIAC's FAX number is
510-423-8002, and the STU-III number is 510-423-2604.  Send E-mail to
[email protected].

Previous CIAC notices, anti-virus software, and other information are
available on the Internet via anonymous FTP from ciac.llnl.gov (IP address
128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic publications:
1.  CIAC-BULLETIN for Advisories, highest priority - time critical
   information, and Bulletins, important computer security information;
2.  CIAC-NOTES for Notes, a collection of computer security articles;
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4.  SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:

subscribe list-name LastName, FirstName PhoneNumber

as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber."  Send to: [email protected]
not to: [email protected]

e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
 ___________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
[email protected] with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.

------------------------------

From: [email protected]
Subject: File 9--Re: Amateur Action BBS Update
Date: Sat, 21 Jan 95 14:47:43 PST

I have been keeping the net up on the AA BBS case since it started
last year.  Latest news (1/21/95) is that bail during appeal was
denied by the Sixth Circuit, and that Robert is to report to federal
prison Feb. 8, in Springfield, MO to serve 3 years, one month.  I have
no doubt that picking a place that far from his home and family was
done on purpose as part of the punishment.

Question for Mike Godwin:

Who pays transport from Springfield back to Utah so Robert can be
present for the bogus kiddy porn trial in a few months?  Also being in
prison will make it nearly impossible for him to prepare the .gif
files his lawyer wants to present in his defense.

They set the date (July 12) and place (Dublin, CA) for Carleen
(Robert's wife).  She is to serve 2 years, 2 months.  I think the
reason they are letting her start later is so she can be present when
their oldest son graduates from high school.

AA BBS is still up, and may well stay up for the whole time Robert is
in prison.  He has no other way to support his family or pay for legal
defense.  Also, outside of western TN, OK, Utah, and other backwards
places, what he is selling is legal--even protected under the First
Amendment.  (Though some of it *is* kinda gross :-) )

AA BBS is up to about 25,000 files.  There is a good chance that they
will be available through the internet at some point.

Trying to control information in the network age is about as successful
as pissing into the wind.

Keith Henson

------------------------------

Date: Mon, 30 Jan 1995 22:14:43 -0600 (CST)
From: David Smith <[email protected]>
Subject: File 10--Tools For Privacy - New book by Lenard & Block (fwd)

---------- Forwarded message ----------

ANNOUNCING THE BETA-TEST RELEASE OF ...

Tools For Privacy:
How to outsmart the phone, fax, cellular, and computer snoopers
A hyper-book by Lane Lenard & Will Block

Check it out at the Smart Publications www homepage:

    ftp://ftp.crl.com:/users/ro/smart/SMART.html

From the introduction ...

Our right to privacy is under concerted attack by authoritarians of every
political stripe. Under the twin rubrics of the "War On Drugs" and
"Stopping Child Pornography", the federal government in the United States
is moving to gut the U.S. Constitution's guarantee of the right to
privacy for every citizen.

We believe that working "through the system" is a hopeless waste of time.
This HyperBook is our effort to disseminate the vital information that
you need to insure your privacy in communications, computing, banking,
and your home.

TABLE OF CONTENTS

Introduction
E-Mail Privacy
 Threats To E-Mail Privacy
 Outlaware: The Powerful Privacy Tool the Government Wants to
 Suppress
 A Brief History Of Cryptography
 Conventional Cryptography
 Public Key Cryptography
 Encryption Always Wins: How RSA Works
 Hybrid Systems: The Best Of Both Worlds
 NSA Vs. RSA: Adventures In The Private Sector
 E-Mail Privacy - The Encryption Solution
 PGP: Military-Grade Encryption For The Masses
 Privacy Tips: Getting The Most Out Of PGP
 How To Get PGP
 Cracking Codes With The Codebreakers
 Steganography: For When You've Got Something To Hide
 E-Mail Privacy Product Reviews
Telephone Privacy
 Threats To Telephone Privacy
Snail-Mail Privacy
 Anonymous Mail Drops: How To Receive Your Snail-Mail
 Anonymously

********************************************************************
         Smart Publications            [email protected]

------------------------------

Date: Wed, 25 Jan 1995 15:10:26 -0700
From: [email protected](Myrna Bittner)
Subject: File 11--New Internet Virtual Democracy Software

          Short-Circuit for the Virtual Democracy Backlash

Those of little faith and traditional media who recently pandered to the
same fear mongering tactics they accused special interest groups of, once
again underestimated the sophistication and ingenuity of what they
were messing with.  "More hyper" ; ) Internet minds from Bittco
Solutions have released Co-motion Lite for Internet, virtual democracy
software that turns Internet connections into front row seats at
activist round tables.

Unplugged leaders can lose their fears about being "too plugged in"
and manipulated by "push-button voting."  "It compares to an
interactive survey," says Myrna Bittner from Bittco.  "In this case,
the surveyor puts out one question and decides who in the world gets
to participate, but after that participants can ask their own
questions, tell the stories behind their solutions and concerns,
interact with each other, and register their votes."  All of the
qualitative opinions are supported by quantitative results.  And,
every participant can print, analyze and distribute the results.

Bittco is countering the hyper-backlash by widely distributing client
applications free to Internet members interested in joining Keen
Minds, a group that tackles all types of topical issues.  Macintosh®
versions are available immediately and a Windows™ version is in the
works.  Virtual democracy is now an undeniable reality on the
Internet.

You'll find Keen Minds in the Info-Mac archives.  The URL for the main
archive is at
ftp://ftp.sumex-aim.stanford.edu/info-mac/comm/tcp/keen-minds.hqx
This site is mirrored to many locations throughout the world.  Contact
Bittco for a comprehensive list of locations, session times and topics
at 1-403-922-5514 or [email protected]

Bittco Solutions develops and publishes innovative real-time groupware
for group decision support and collaborative brainstorming.  Bittco
also provides customized Internet solutions for collaborative
environments ranging from online activism to distributed customer
support.

------------------------------

Date: Thu, 23 Oct 1994 22:51:01 CDT
From: CuD Moderators <[email protected]>
Subject: File 12--Cu Digest Header Information (unchanged since 25 Nov 1994)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send a one-line message:  SUB CUDIGEST  your name
Send it to [email protected] or [email protected]
The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
and on Rune Stone BBS (IIRGWHQ) (203) 832-8441.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE:  In BELGIUM: Virtual Access BBS:  +32-69-844-019 (ringdown)
        In ITALY: Bits against the Empire BBS:  +39-461-980493
        In LUXEMBOURG: ComNet BBS:  +352-466893

 UNITED STATES:  etext.archive.umich.edu (192.131.22.8)  in /pub/CuD/
                 ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                 aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                 world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                 uceng.uc.edu in /pub/wuarchive/doc/EFF/Publications/CuD/
                 wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
 EUROPE:         nic.funet.fi in pub/doc/cud/ (Finland)
                 ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

 JAPAN:          ftp.glocom.ac.jp /mirror/ftp.eff.org/Publications/CuD
                 ftp://www.rcac.tdi.co.jp/pub/mirror/CuD

The most recent issues of CuD can be obtained from the NIU
Sociology gopher at:
 URL: gopher://corn.cso.niu.edu:70/00/acad_dept/col_of_las/dept_soci

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
           the views of the moderators. Digest contributors assume all
           responsibility for ensuring that articles submitted do not
           violate copyright protections.

------------------------------

End of Computer Underground Digest #7.08
************************************