Computer underground Digest    Sun  Jan 5, 1997   Volume 9 : Issue 02
                          ISSN  1004-042X

      Editor: Jim Thomas ([email protected])
      News Editor: Gordon Meyer ([email protected])
      Archivist: Brendan Kehoe
      Shadow Master: Stanton McCandlish
      Field Agent Extraordinaire:   David Smith
      Shadow-Archivists: Dan Carosone / Paul Southworth
                         Ralph Sims / Jyrki Kuoppala
                         Ian Dickinson
      Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #9.02 (Sun, Jan 5, 1997)
File 1--Re: FBI Law & Enforcement Bulletin gulled by 'Net joke (fwd)
File 2--The First 10 Seconds After The Big Bang
File 3--Re:  File 3--EDITORIAL: Troubles On The Net...
File 4--Re: "News.groups reform"
File 5--Teen Takes on CYBERsitter (From NetAction Notes #10)
File 6--CWD--Howling at the Moon
File 7--The CyberSitter Diaper Change, from The Netly News
File 8--[krb5] krb5 v1.0 is released (fwd)
File 9--Cu Digest Header Info (unchanged since 13 Dec, 1996)


CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Sat, 28 Dec 1996 12:18:48 -0600
From: [email protected](Jim Thomas)
Subject: File 1--Re: FBI Law & Enforcement Bulletin gulled by 'Net joke (fwd)

Original source comp.virus newsgroup:
From George Smith ([email protected])

  ----------------

In article <[email protected]> you write:
From the pages of Crypt Newsletter 40:

Most wanderers of the Internet are familiar with the running
joke concerning computer viruses with names of celebrities, politicians
or institutions.

The names and satirical content evoke a momentary smile or groan.

For example:

"Gingrich" randomly converts word processing files into
legalese often found in contracts. Victims can combat this virus
by typing their names at the bottom of infected files, thereby
signing them, as if signing a contract.

"Lecture" deliberately formats the hard drive, destroying all
data, then scolds the user for not catching it.

"Clinton" is designed to infect programs, but it eradicates
itself when it cannot decide which program to infect.

"SPA" examines programs on the hard disk to determine whether
they are properly licensed. If the virus detects illegally copied
software, it seizes the computer's modem, automatically dials
911, and asks for help.


However, editors and writers for the Federal Bureau of Investigation's
Law and Enforcement Bulletin, published monthly out of the organization's
training academy in Quantico, Virginia, apparently think they are real.

Writing in the December issue of the magazine, David L. Carter, Ph.D.,
and Andra J. Katz, Ph.D., respectively professors at Michigan State and
Wichita State, cite them as real examples of "insidious" new computer
viruses in the magazine's feature article entitled "Computer Crime: An
Emerging Challenge for Law Enforcement."

The authors seem to genuinely believe these computer viruses are in
circulation, even to the point of citing the "Clinton" joke
again in a paragraph attempting to explain the motivations of
virus-writing, would-be system saboteurs.

"Some employees could be motivated to infect a computer with a
virus simply for purposes of gamesmanship. In these cases, the
employees typically introduce a virus to play with the system
without intending to cause permanent damage, as in the case of
the 'Clinton' virus."

Put in perspective, this is similar to reading a scientific
paper on the behavior of elephants and suddenly running across a
section that straightforwardly quotes from some elephant jokes as
proof of what pachyderms really do when wandering the African veldt.

Alert reader Joel McNamara hipped Crypt News to this Law & Enforcement
Bulletin gem and wrote:

"The two researchers with the Dr. in front of their names seem to be
totally clueless that this was a tongue-in-cheek joke that is still
floating around the 'Net.  If they did know it was humor, they made no
effort to inform readers - [readers] I highly doubt are technically
adept enough to recognize it.

"It's really telling that the world's lead law enforcement agency
allows these types of inaccuracies to be widely distributed to police
departments and agencies.

"Unfortunately, to me this is another example of the credibility
problem the FBI has when it comes to dealing with computer related
issues."

Neither authors nor editors of the Law and Enforcement Bulletin could
be immediately reached for comment.

The FBI's curious article can be found off the FBI home page on
the Web:

http://www.fbi.gov/leb/dec961.txt  .

This and the usual tales of computer-mediated intrigue, crime, shame and
corporate assholio will be up for grabs in Crypt News 40, posted on my
page sometime between Christmas and the coming of the new year.

George Smith
http://www.soci.niu.edu/~crypt

------------------------------

Date: Thu, 26 Dec 1996 19:20:12 -0500
From: [email protected]
Subject: File 2--The First 10 Seconds After The Big Bang

 The first 10 seconds after the big bang.

 A recent piece on The News Hour With Jim Lehrer (December 25,
1996) discussed the Internet, the past year and how it was
affected by the Internet, and the growth of the Internet.  The
moderator was joined by Cliff Stoll, writer, astronomer; a
representative of Amazon.Com, a Mr. Bezos; Steven Levy, writer;
and another woman, who I, with much embarrassment, can not
remember the name of and she was possibly the most intelligent
and level minded person in the group.

 The host started out talking about pornography and the
Internet, and the woman conveyed the fact that porn was also in
the bookstores and on street corners, and people could get it
there.  The host, in agreement, stated that it was on the
Internet, but not thrust over the modem and onto people's laps.
She agreed.

 Next, the host started talking to Mr. Levy, and when he was
about 10 seconds into his response, interrupted him to ask what
E-Mail was (for those people who were unfamiliar with the term...)
I would say that was more for people who have been living under a
rock for the last year plus.

 Mr. Stoll, a man whose work has taken him from the leading edge
of technology, to the point where he is now: Left out to
technologically die.  He is now criticizing the Internet, what
can be found on it, and what it is used for.  (Because I can't
fully portray Stoll's views, I would suggest you read his book,
Silicon Snake Oil, ISBN 0-385-4193-7)

 Mr. Bezos, the rep from Amazon.Com (www.amazon.com) was, in my
view, not really needed.  He seemed to distract from the main
idea, and only offered a view into the business side of the
Internet.

 One good conversation was started on the CDA, and the
government's attempts to control free speech and the Internet.  I
feel that if the government is going to play with fire, they had
better be prepared to be burnt.

 All in all, I feel that the News Hour embarrassed themselves
and tarnished their reputations with this story, and needs to try
harder.  I will be entering the work force in a few years, and I
hope to work in a technology-based company.  If the masses fear
this technology, which will come about from shoddy reporting, I
fear that I will not have any technology left to work with.

 I welcome any comments to my E-Mail address, and I will respond
to them in full.  [email protected]

------------------------------

Date: Fri, 20 Dec 1996 00:26:23 +0000
From: Joe Clark <[email protected]>
Subject: File 3--Re:  File 3--EDITORIAL: Troubles On The Net...

>  For instance, the Philadelphia Inquirer's article goes on to say
> "In an ongoing investigation that has produced 80 arrests and 66
> convictions over the last three years, the FBI last week raided the
> homes of Internet users suspected of downloading child pornography
> in 20 cities in its crackdown on kiddie porn that is being
> transmitted via online services and the Internet." And for that
> effort, I must say that this is one good thing that the government
> is doing in respect to the Internet.

I'm not sure how much of a benefit these public servants have
provided us.  I think that same "Inkwire" article compared the 'net
community to a small country (40-50 million, I think?).  One has to
wonder how the arrest rate for this horrific crime spree -- what's
that, 0.0002%? -- compares with that of the offline population.  As
is often the case, law enforcement goes after the high-visibility
stuff because that keeps the public off their backs and makes great
fodder for budget requests.

------------------------------

From: Rich Graves <[email protected]>
Subject: File 4--Re: "News.groups reform"
Date: Thu, 05 Dec 1996 23:39:48 -0800

CU Digest #8.84 carried an article by Stanton McCandlish to which my
response can be summarized as:

YHBT.

HAND.

Stanton completely misunderstands Chris Stone's proposal for news.groups
reform, its context, its prospects, and the reasons Paul Kneisel posted
it to Cu Digest.

It is always sad when a respected net.personality betrays his wilful
ignorance. Had Stanton visited news.groups, he would have known that
Chris Stone's proposal had been retracted weeks before Paul posted it to
Cu Digest; that Russ's alternative proposals are the subject of healthy
discussion; that Paul's posting of Chris's proposal is best viewed in
the context of unreasonable personal attacks on Chris Stone; and that
Paul Kneisel doesn't exactly share Stanton's views on the
rec.music.white-power troll.

Had Stanton had an advanced level of familiarity with Chris Stone, he
would have recognized his self-deprecatory sarcasm, where appropriate.

This thread is an excellent demonstration of the folly and danger of
blind-forwarding articles where they are likely to be taken totally out
of context, and where the author is unlikely to respond.

As a further demonstration, I'll post Stanton's article to news.groups,
where I expect it to be ridiculed quite severely. I am also Cc'ing this
post to Stanton prior to publication in Cu Digest, a courtesy he
apparently did not extend to Chris Stone.

If you want to discuss news.groups, I would suggest, well, news.groups.

>It would have been easy for me to just ignore this whole proposition,
>since it will never fly and I have better things to do.

With this sentence I agree. You have a lot of things to do; please don't
make a fool of yourself, because I know you're not.

------------------------------

Date: Sat, 21 Dec 1996 00:24:47 -0800 (PST)
From: Audrie Krause <[email protected]>
Subject: File 5--Teen Takes on CYBERsitter (From NetAction Notes #10)

Source - NetAction Notes No. 10
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Published by NetAction          Issue No. 10              December 21, 1996
Repost where appropriate. Copyright and subscription info at end of message.

~~~  Teen Takes On CYBERsitter

For the past couple of months, I have been corresponding with Bennett
Haselton, the 18-year-old founder of Peacefire.org, which is a teen
cyber-rights organizing project on the Web <http://www.peacefire.org>.  The
average age of Peacefire's membership is 15. Bennett is a junior at
Vanderbilt University, where he is majoring in computer science and math.

I met Bennett in cyberspace when he contacted me to ask what I thought about
the IGC and NOW Web sites <http://www.igc.org> and <http://www.now.org>
being blocked by CYBERsitter, a software program marketed by Solid Oak
Software as a way to "protect" children from pornography on the Internet.
Along with several other activists, I offered advice and encouragement to
Bennett in drafting a letter of protest from representatives of the
political and advocacy organizations whose Web sites were being blocked.

When company officials learned that Bennett had posted information critical
of CYBERsitter on the Peacefire Web site, they responded to his
communication by suggesting he "Get a Life" and "hang out at the mall with
the other kids."  When that didn't discourage him, Solid Oak Software
blocked Peacefire's domain and threatened to sue him.

Bennett's experience is a good example of how activists can use the Internet
for rapid mobilization around an issue.

After Bennett notified me that a story about his dilemma was published by
HotWired, <http://www.wired.com/news/story/901.html> I posted an alert about
his predicament to several discussion lists that focused on cyberspace
censorship and cyber-rights issues. Not long after the alert went out,
activists from all over the United States began sending E-mail letters of
protest to Solid Oak Software CEO Brian Milburn <[email protected]>.
The letters ran the gamut from politely-worded criticism to flames.

Meanwhile, Bennett contacted attorneys at the ACLU, <http://www.aclu.org>
the Electronic Privacy Information Center, <http://www.epic.org> and the
Electronic Frontier Foundation <http://www.eff.org>.  Mike Godwin of EFF
quickly assured Bennett that he would represent him in the event Solid Oak
followed through with the threatened lawsuit. And Ann Beeson invited
Peacefire to participate as a plaintiff in the ACLU's challenge to New York
state's version of the Communications Decency Act.

Could this level of support have been mobilized as quickly without the
Internet? Perhaps -- but it isn't likely.  Free speech advocates rallied to
the cause  quickly because a community of people with an interest in the
issue were already connected online through E-mail discussion and alert lists.

Free speech advocates are ahead of the curve on using the Internet for
activism because they organized around the unsuccessful effort to defeat
enactment of the Communications Decency Act (CDA) provision of the
Telecommunications Reform Act of 1996. But activists working on other issues
are quickly catching up. E-mail discussion and alert lists are one of the
most powerful tools available for mobilizing support.  And as more people go
online, it will become an even more important tool for organizing and outreach.

As for Bennett, who had just turned 18 when Solid Oak threatened to sue him,
speaking out about CYBERsitter has been a lesson in real-world politics.

Bennett credits online news reports by Brock Meeks and Declan McCullagh,
and Jon Katz's article in Wired magazine on the rights of children in
cyberspace, for sparking his interest in CYBERsitter and other blocking
software programs.

"Our organization was not founded on the principle of attacking blocking
software," he told me when I asked what he had learned from the experience.
"We started out as some lame 'young people for freedom of speech on the
Internet' type of thing,  and even someone on fight-censorship (an online
discussion list) referred to us as a 'junior EFF' once -- I think meaning it
as a compliment."

When the CYBERsitter issue came up, Peacefire's members were asked to speak
up if they didn't want to see the organization move in that direction.

"In the end," Bennett said, "when we discovered the *kind of sites* that
were blocked by Cyber Patrol and CYBERsitter, most members were convinced
that more should be said publicly against this type of software."

Thanks in large measure to Solid Oak's astonishingly belligerent response to
this teen cyberspace activist, much more *has* been said.

 ================

For more information about NetAction, contact Audrie Krause:
E-mail: [email protected] * Phone: (415) 775-8674 * Web: http://www.netaction.org
Or write to: NetAction  601 Van Ness Ave., No. 631   San Francisco, CA 94102

------------------------------

Date: Fri, 20 Dec 1996 11:49:41 -0800 (PST)
From: "Brock N. Meeks" <[email protected]>
To: [email protected]
Subject: File 6--CWD--Howling at the Moon


CyberWire Dispatch // Copyright (c) 1996 // December 20

Jacking in from the "Your Agenda is Showing" Port:

Washington -- It's a long held maxim that technology is "agenda
neutral."  Until now.

As an earlier Dispatch investigation proved, the so-called "blocking
software" industry, praised for enabling parents, teachers and
corporations to block porn from being sucked into the computers of those
trolling the Web, often comes with a shrink-wrapped, encrypted agenda in
the form of the database of web sites and newsgroups these programs
actually block.

Porn sites aren't the only ones blocked.  Sites with decided political
or activist agendas, such as the National Organization for Women (NOW)
or animal rights groups, also are blocked.   Trouble is, these blocking
software programs don't make this known to the user.  For some
companies, shedding a spotlight on their underlying agenda, makes them
sweat bullets or foam at the ascii mouth.   Such is the case with Brian
Milburn, president of Solid Oak Software, developer of an insipidly
named blocking program called "Cybersitter."

When confronted with his agenda ridden software, Milburn isn't shy about
it, indeed, he was outright indignant when he originally told Dispatch:
"If NOW doesn't like it, tough... We have not and will not bow to any
pressure from any organization that disagrees with our philosophy."

So when Bennett Haselton decided to put a sharp edge on this subject by
focusing on Cybersitter with laser like precision, Milburn went off the
charts.

Milburn wrote to Media3, the ISP that houses Haselton's website
<www.peacefire.org>, saying he was adding the entire domain of Media3 to
the Cybersitter blocking database, in order to keep anyone using his
company's product from gaining access to Haselton's article.

Milburn ranted to Media3 that Haselton had made it "his mission in life
to defame our product" exhibiting "extreme immaturity," by "routinely"
publishing names of sites blocked by Cybersitter.  Milburn claimed that
Haselton may have "illegally reversed engineered" the Cybersitter
database.  Milburn has threatened legal action.  Haselton, however,  found a
white knight.  After hearing about Milburn's actions, Mike Godwin, legal
counsel for the Electronic Frontier Foundation, decided to represent him.

In an Email to Wired News correspondent Rebecca Vesely, who wrote about
Milburn's beef with Haselton, Milburn said he was swamped with
"geek-mail" from Wired News' "loyal following of pinhead idiots."
Milburn characterized Haselton as "an aspiring felon" and said that he had
confirmation that Haselton was the "ghost writer" for the original
Dispatch article that broke the story of the hidden agendas in blocking
software.

All this bluster over Haselton, an 18-year-old with too much time on his
hands. If right about now you're thinking that Milburn should pick on
someone his own size, well, he's already "been there, done that" and got
his ass kicked in the process.

You see, after the first Dispatch article, Milburn sent us a
saber-rattling Email.  His Aug. 15th Email claimed that "your willful
reverse engineering and subsequent publishing of software code is a
clear violation" of copyright law.  And although he claimed he was sure
he could win a case in civil court, he was instead seeking "felony
criminal prosecution" by going to the FBI with his beef.

I referred Milburn to my lawyers at Baker & Hostetler, who promptly
pointed out that Dispatch hadn't been the one to hack the cybersitter
database.   Further, our article was "protected by the full force of the
First Amendment," our lawyers said.

And because Dispatch only published "fragments" of the Cybersitter
database (a word used first by Milburn in his own threatening letter),
such publication "fits squarely within the fair use provisions" of the
copyright act, our lawyers reminded Milburn.

Finally, Milburn was left to chew on this: "If you persist in accusing
[Dispatch] falsely of copyright infringement and if you proceed with
your ill-conceived threat to encourage the FBI to commence activities...
you should understand that, unless the information you provide is
accurate and complete, you and your firm may be incurring liability of
your own."

Not a peep has been heard from Milburn since he received that letter,
until he decided to pick on the kid.

Milburn is apparently operating in some alternative reality.   His
so-called "confirmed sources" about Haselton "ghost writing" our
original story are utterly false.

Haselton had nothing to do with our article.  Dispatch obtained the
cracked code of Cybersitter and the other programs we mentioned from an
entirely different source.   Haselton did nothing but build on the work
of our original story, but never wrote a single word of the article nor did
he provide us with the hacked databases.

All of Milburn's heartburn has me confused.   Rather than try and slay
Haselton, he should pay him for the right to reprint his article and
findings. Milburn makes no apologies for his agenda;  indeed, he is
proud that one of his major distributors is "Focus on the Family" a
conservative Christian organization.

And for people that brook with the conservative, straight-arrow family
values ideals that Focus on the Family advocates, Cybersitter is the
perfect fit.  Indeed, this is the free market working at its best.
Products spring up in direct response to demand.  Cybersitter fits that
model for a particular segment of the society.  You may not like it; I
certainly wouldn't use a product with this built in agenda, but nobody
is making us buy it.

You would think that Milburn would eat up such "negative" press and wear
it like a badge of honor.   But he is too petty;  too small minded. And
when he discovers that Haselton did nothing more than run Cybersitter
through its paces, much the same way that a reviewer for a computer
magazine might, and then report the findings, he'll have nobody left to
harass.  I hope he doesn't have a dog he can kick...

Have a Merry Christmas, Mr. Milburn.  Peace on Earth, Good Will to Men.

Meeks out...

------------------------------

Date: Fri, 20 Dec 1996 12:53:58 -0800 (PST)
From: Declan McCullagh <[email protected]>
Subject: File 7--The CyberSitter Diaper Change, from The Netly News

Source -  [email protected]

[From this morning's Netly News. Check out the HTML version of the article
at netlynews.com for links to the threatening letters, etc. --Declan]

The Netly News
http://netlynews.com/
December 20, 1996

The CyberSitter Diaper Change
By Declan McCullagh ([email protected])

       Brian Milburn is angry. The president of Solid Oak Software,
  makers of the CyberSitter Net-filtering software, has seen his
  company's product come under heavy fire this year. Its offense?
  Critics say that CyberSitter has reached far beyond its mandate of
  porn-blocking and instead has censored innocuous, even invaluable web
  sites.

       I admit I'm one of its critics. In a CyberWire Dispatch that
  Brock Meeks and I published in July, we revealed that the censorware
  bans such places as the International Gay and Lesbian Human Rights
  Commission and the online home of the National Organization for Women.
  Our Dispatch showed the world -- or at least our readers -- that the
  makers of CyberSitter have a clear political agenda. The article
  prompted follow-ups in CyberTimes and the National Law Journal and an
  editorial in the Washington Post with an exchange of letters to the
  editor between a NOW executive and a representative of Focus on the
  Family, a conservative group that markets CyberSitter.

       To Milburn's mind, our act of revealing the truth about his
  company's product was, literally, criminal. In August, he told us that
  he had asked the U.S. Department of Justice to launch a criminal
  investigation into the publication of our article. He was particularly
  upset with one paragraph that included a fragment of his database
  demonstrating that CyberSitter expressly bans info about gay society
  and culture.

      He wrote: "Your willful reverse engineering and subsequent
  publishing of copyrighted source code is a clear violation of US
  Copyright law. While we would easily prevail in a civil court in
  seeking damages... we will seek felony criminal prosecution under 17
  USCS sect 503(a) of the Copyright Act, and are preparing documentation
  to submit with the criminal complaint to FBI [sic]."

       Milburn was upset because CyberSitter's database is scrambled to
  prevent kiddies from grabbing addresses of porn sites from it. It's
  lightweight encryption, sure, but just enough to frustrate Junior. The
  scrambled database also allows Solid Oak to add and delete banned
  sites without the user's knowledge -- something that we believe is a
  dangerous practice. Now, I should point out here that neither I nor
  Brock did the actual decrypting; we had received a copy of the
  descrambled filter list from a confidential source.

       In any event, Dispatch's attorneys replied to Milburn, saying
  that the article was "protected by the full force of the First
  Amendment to the United States Constitution" and fell squarely within
  the copyright act's "fair use" provisions. We never heard back from
  him or the FBI.

       But that nastygram from Milburn wasn't his last. As criticism of
  CyberSitter becomes more intense, he's stepped up his counterattacks,
  threatening legal action, blocking critics' sites, or both.

       Take Bennett Haselton, a college student who cobbled together a
  site called Peacefire in August. This fall he started an
  anti-CyberSitter page that listed some of the more controversial
  actions of the software.

       Milburn complained. On December 6 he wrote to Haselton's Internet
  provider, Media3 Technologies, and tried to persuade them to give
  Peacefire the boot. His e-mail said: "One of your subscribers has made
  it his mission in life to defame our product as he appearantly [sic]
  has a problem with parents wishing to filter their children's access
  to the internet." Another charge was that Haselton had linked to a
  copy of our Dispatch.

       Solid Oak then added Peacefire and Media3 to its list of blocked
  sites. To Marc Kanter, Solid Oak's marketing director, it was
  necessary. "The site directly has links to areas that have our source
  code decoded on it.... There's no reason that our users should be able
  to go to sites that effectually inactivate our program," he said.

       Milburn also accused Haselton of reverse-engineering CyberSitter
  to get the text of its database -- that is, of being the confidential
  source for the CyberWire Dispatch. "Reverse engineering had to have
  been done in order to get the information, and we believe Mr. Haselton
  was the one who did it," Milburn wrote.

       Note to Milburn: Haselton wasn't our source.

       Then there's the case of Glen Roberts. His web page giving
  instructions on how to disable CyberSitter is now banned -- as is his
  Internet service provider. That's because CyberSitter differs from its
  competitors CyberPatrol and SurfWatch, which can restrict access by
  URL; instead, CyberSitter has to block access to the entire ripco.com
  domain.

       So what's my problem, really? If people don't want to use
  CyberSitter or other nanny apps, they don't have to. It's voluntary.
  It's effective. It protects children, and it sure is better than the
  Communications Decency Act.

       I have one major objection to all of the software filters
  currently on the market: Consumers have no way of knowing what's being
  blocked. Without knowing what's on the filter list, parents can't know
  what Junior will or won't be seeing. When reporters who try to reveal
  that information are faced with potential criminal investigations, the
  press's ability to shed light on these companies is threatened.

       Such programs also give parents near-complete control over what
  their children can and can't read. Traditionally, kids have been able
  to browse the stacks of a library away from parental supervision. But
  when the library is online, access can be completely controlled by
  censorware. Pity the closeted gay son of homophobic parents, prevented
  by CyberSitter from accessing soc.support.youth.lesbian-gay-bi.

       Finally, it's a kind of intellectual bait-and-switch. The "smut
  blockers" grab power by playing to porn, then they wield it to advance
  a right-wing, conservative agenda. Family values activists would never
  have been able to pass a law that blocks as many sites as CyberSitter
  does. Besides censoring alt.censorship, it also blocks dozens of ISPs
  and university sites such as well.com, zoom.com, anon.penet.fi,
  best.com, webpower.com, ftp.std.com, cts.com, gwis2.seas.gwu.edu,
  hss.cmu.edu, c2.org, echonyc.com and accounting.com. Now, sadly, some
  libraries are using it. Solid Oak claims 900,000 registered users.
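
The difference between domain-level and URL-level blocking that the
article above describes, as an added example (not part of the original
article, and not CyberSitter's or any vendor's code): a small Python
model of both rule types run over constructed requests, counting what
each blocks besides the intended page. Only the domain name ripco.com
comes from the article; the paths, the other hosts and all function
names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed rule sets: only the domain name ripco.com comes from the
# article; the path is a placeholder for "one user's page".
DOMAIN_RULES = {"ripco.com"}
URL_RULES = ["http://www.ripco.com/~blocked-user/"]

# Constructed sample requests.
REQUESTS = [
    "http://www.ripco.com/~blocked-user/howto.html",    # the intended target
    "http://www.ripco.com/~someone-else/recipes.html",  # unrelated customer
    "http://FTP.Ripco.COM/pub/readme.txt",              # other host, same domain
    "http://notripco.com/index.html",                   # look-alike suffix
    "http://www.example.org/",                          # unrelated site
]
INTENDED = {REQUESTS[0]}


def host_of(url):
    """Host name as urlsplit reports it (lower case), minus a trailing dot."""
    return (urlsplit(url).hostname or "").rstrip(".")


def blocked_by_domain(url, domains=DOMAIN_RULES):
    """Domain-granularity rule: the host is the domain or a subdomain of it.

    Matching on a label boundary ("." + domain) keeps notripco.com from
    matching a rule for ripco.com, which a plain endswith() would do.
    """
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in domains)


def blocked_by_url(url, rules=URL_RULES):
    """URL-granularity rule: same host, and the path lies under the rule's path."""
    path = urlsplit(url).path or "/"
    for rule in rules:
        base = urlsplit(rule).path.rstrip("/")
        same_host = host_of(url) == host_of(rule)
        if same_host and (path == base or path.startswith(base + "/")):
            return True
    return False


def collateral(requests, intended, is_blocked):
    """Requests that a rule set blocks although they were not the target."""
    return [u for u in requests if is_blocked(u) and u not in intended]


if __name__ == "__main__":
    for name, check in (("domain", blocked_by_domain), ("url", blocked_by_url)):
        hits = [u for u in REQUESTS if check(u)]
        extra = collateral(REQUESTS, INTENDED, check)
        print(f"{name:6} rule blocks {len(hits)} requests, {len(extra)} collateral")
        for u in extra:
            print("         over-blocked:", u)
```
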

------------------------------

Date: Fri, 20 Dec 1996 15:42:13 -0500 (EST)
From: "[email protected]" <[email protected]>
Subject: File 8--[krb5] krb5 v1.0 is released (fwd)

From -Noah

------- start of forwarded message (RFC 934 encapsulation) -------
From--"Theodore Y. Ts'o" <[email protected]>
Date--Fri, 20 Dec 1996 12:32:00 -0500

At long last, the MIT Kerberos Team is proud to announce the
availability of MIT Kerberos V5 Release 1.0.  This release includes
everything you need to set up and use Kerberos, including:

       * The Kerberos server.

       * A full-featured Kerberos administration system, including
               support for password policies.

       * Secure, encrypting versions of common network utilities:
               telnet, rlogin, rsh, rcp, ftp.

       * All the libraries needed to integrate Kerberos security into
               new applications: GSS-API libraries, Kerberos 5 libraries,
               cryptographic algorithms, and more.

This release is available both as source code and as pre-built binary
distributions for a number of Unix platforms.  To retrieve either the
source or binary distributions, visit our new Kerberos web page:
http://web.mit.edu/kerberos/www/index.html.  (See below for
instructions on obtaining the source distribution via FTP.)

Warning: We are providing binary distributions for this release
as a convenience to sites that are interested in experimenting with
Kerberos for the first time, without needing to build it all from
source.  However, in general it is a very bad idea to run security
software that you've downloaded from the net, since you have no way of
knowing whether someone has left any "surprises" behind. If you are
going to be using Kerberos V5 in production, we strongly recommend
that you get the Krb5 sources and build the Krb5 distribution
yourself.

MIT Kerberos V5 1.0 has been tested on at least the following
platforms:

       * Digital Unix (OSF/1) 3.2
       * Digital Unix (OSF/1) 4.0
       * HPUX 10
       * FreeBSD 2.1 (i386)
       * NetBSD 1.x (i386, m68k, and sparc)
       * Linux 2.x (i386)
       * Ultrix 4.2
       * Irix 5.3
       * AIX 3.2.5
       * SunOS 4.1
       * Solaris 2.4
       * Solaris 2.5.1

The Macintosh port is now fully functional, although the UI still
leaves much to be desired.  This will be the focus of future work on
this platform.

The Windows 16 port is also fully functional, although one major (but
obvious and easy to correct) bug crept in at the last minute.  (See
our known bugs web page for more details.)  One major difference from
the previous Beta releases is that the DLL has been renamed from
LIBKRB5.DLL to KRB5_16.DLL.  This is to avoid conflicts with a
32-bit version of the Krb5 DLL.

Unfortunately, delays with stabilizing and integrating the NT release
prevented us from shipping this functionality with the 1.0 release.
We are making available, concurrent with the 1.0 release, an ALPHA
snapshot (release WINNT_ALPHA1_SNAPSHOT).  This should not be used in
production, as it has several known problems:

       * The GSSAPI test application doesn't work, so the GSSAPI
               library has not been tested.
       * The GINA doesn't yet work.
       * Help files are not yet available

The only working applications for Windows NT are the credentials
manager and a telnet application.

In addition, we are continuing to work on this release on an ongoing
basis, so if you plan to be doing any NT work, you should contact us
at [email protected], so that we can more properly coordinate our work.
NT support will be folded in to the mainline release before the next
major release.

Notes and Major Changes since Beta 7
------------------------------------

* We are now using the GNATS system to track bug reports for Kerberos
V5.  It is therefore helpful for people to use the krb5-send-pr
program when reporting bugs.  The old interface of sending mail to
[email protected] will still work; however, bug reports sent in this
fashion may experience a delay in being processed.

* The default keytab name has changed from /etc/v5srvtab to
/etc/krb5.keytab.

* login.krb5 no longer defaults to getting krb4 tickets.

* The Windows (win16) DLL, LIBKRB5.DLL, has been renamed to
KRB5_16.DLL.  This change was necessary to distinguish it from the
win32 version, which will be named KRB5_32.DLL.  Note that the
GSSAPI.DLL file has not been renamed, because this name was specified
in a draft standard for the Windows 16 GSSAPI bindings.  (The 32-bit
version of the GSSAPI DLL will be named GSSAPI32.DLL.)

* The directory structure used for installations has changed.  In
particular, files previously located in $prefix/lib/krb5kdc are now
normally located in $sysconfdir/krb5kdc.  With the normal configure
options, this means the KDC database goes in /usr/local/var/krb5kdc by
default.  If you wish to have the old behavior, then you would use a
configure line like the following:

       configure --prefix=/usr/local --sysconfdir=/usr/local/lib

* kshd has been modified to accept krb4 encrypted rcp connections; for
this to work, the v4rcp program must be in the bin directory.

Instructions for obtaining the release
--------------------------------------

Via the WEB:

       Go to the MIT Kerberos home page at:

               http://web.mit.edu/kerberos/www

       and click on the link: "Getting Kerberos from MIT".

Via FTP:

       FTP to athena-dist.mit.edu, in /pub/kerberos.  Get the file
       README.KRB5_R1.0.  It will contain instructions on how to
       obtain the 1.0 release.

>>                                                                           <<
>> Please report any problems/bugs/comments using krb5-send-pr               <<
>>                                                                           <<


Acknowledgements
----------------

Appreciation Time!!!!  There are far too many people to try to thank
them all; many people have contributed to the development of Kerberos
V5.  This is only a partial listing....

Thanks to Paul Vixie and the Internet Software Consortium for funding
the work of Barry Jaspan.  This funding was invaluable for the OV
administration server integration, as well as the 1.0 release
preparation process.

Thanks to John Linn, Scott Foote, and all of the folks at OpenVision
Technologies, Inc., who donated their administration server for use in
the MIT release of Kerberos.

Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken
Raeburn, and all of the folks at Cygnus Support, who provided
innumerable bug fixes and portability enhancements to the Kerberos V5
tree.  Thanks especially to Jeff Bigler, for the new user and system
administrator's documentation.

Thanks to Doug Engert from ANL for providing many bug fixes, as well
as testing to ensure DCE interoperability.

Thanks to Ken Hornstein at NRL for providing many bug fixes and
suggestions.

Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for
their many suggestions and bug fixes.

Thanks to the members of the Kerberos V5 development team at MIT, both
past and present: Jay Berkenbilt, Richard Basch, John Carr, Don
Davis, Nancy Gilman, Sam Hartman, Marc Horowitz, Barry Jaspan, John
Kohl, Cliff Neuman, Kevin Mitchell, Paul Park, Ezra Peisach, Chris
Provenzano, Jon Rochlis, Jeff Schiller, Harry Tsai, Ted Ts'o, Tom Yu.
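
An added example, not part of the MIT announcement: a POSIX shell check for a host upgraded from Beta 7, covering the keytab rename and the KDC directory move listed under "Notes and Major Changes since Beta 7". The function name, its `root` and `prefix` arguments, the finding labels, and the stale-copy and file-mode checks are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a host for the two path changes in the release notes.
# root   - hypothetical parameter: filesystem root to inspect (default /),
#          so the check can be pointed at a mounted image or a test tree.
# prefix - install prefix; /usr/local is the default the notes mention.
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_krb5_paths() {
    root=${1:-/}; root=${root%/}
    prefix=${2:-/usr/local}
    old_kt="$root/etc/v5srvtab"          # default keytab before 1.0
    new_kt="$root/etc/krb5.keytab"       # default keytab in 1.0
    old_db="$root$prefix/lib/krb5kdc"    # KDC files before 1.0
    new_db="$root$prefix/var/krb5kdc"    # KDC files with normal configure options
    findings=0

    # Service keys exist only under the old name: 1.0 will not find them.
    if [ -f "$old_kt" ] && [ ! -f "$new_kt" ]; then
        echo "KEYTAB_NOT_MIGRATED $old_kt"; findings=1
    fi
    # Both names present: the old file is a leftover copy of key material.
    # (Assumption of this example; the notes do not discuss cleanup.)
    if [ -f "$old_kt" ] && [ -f "$new_kt" ]; then
        echo "STALE_KEYTAB $old_kt"; findings=1
    fi
    # A keytab holds long-term service keys, so flag any group/other access.
    # (Added hardening check, not taken from the notes.)
    for kt in "$old_kt" "$new_kt"; do
        [ -f "$kt" ] || continue
        mode=$(ls -ld "$kt" | cut -c5-10)   # group and other permission bits
        if [ "$mode" != "------" ]; then
            echo "KEYTAB_MODE $kt"; findings=1
        fi
    done
    # KDC database still sits in the pre-1.0 directory.
    if [ -d "$old_db" ] && [ ! -d "$new_db" ]; then
        echo "KDC_DIR_NOT_MIGRATED $old_db"; findings=1
    fi
    return $findings
}
```

Run it as `audit_krb5_paths /` on the upgraded host; a site built with `--sysconfdir=/usr/local/lib` keeps the old KDC directory on purpose and can ignore `KDC_DIR_NOT_MIGRATED`.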

------------------------------

Date: Thu, 15 Dec 1996 22:51:01 CST
From: CuD Moderators <[email protected]>
Subject: File 9--Cu Digest Header Info (unchanged since 13 Dec, 1996)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send a post with this in the "Subject:" line:

    SUBSCRIBE CU-DIGEST
Send the message to:   [email protected]

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-0303), fax (815-753-6302)
or U.S. mail at:  Jim Thomas, Department of Sociology, NIU, DeKalb, IL
60115, USA.

To UNSUB, send a one-line message:   UNSUB CU-DIGEST
Send it to  [email protected]
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT
libraries and in the VIRUS/SECURITY library; from America Online in
the PC Telecom forum under "computing newsletters;"
On Delphi in the General Discussion database of the Internet SIG;
on RIPCO BBS (312) 528-5020 (and via Ripco on  internet);
and on Rune Stone BBS (IIRGWHQ) (860)-585-9638.
CuD is also available via Fidonet File Request from
1:11/70; unlisted nodes and points welcome.

EUROPE:  In BELGIUM: Virtual Access BBS:  +32-69-844-019 (ringdown)
        In ITALY: ZERO! BBS: +39-11-6507540
        In LUXEMBOURG: ComNet BBS:  +352-466893

 UNITED STATES: etext.archive.umich.edu (192.131.22.8) in /pub/CuD/CuD
                 ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
                 aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
                 world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
                 wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
 EUROPE:         nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
                 ftp.warwick.ac.uk in pub/cud/ (United Kingdom)


The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
 URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views.  CuD material may  be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and
they should be contacted for reprint permission.  It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified.  Readers are encouraged to submit reasoned articles
relating to computer culture and communication.  Articles are
preferred to short responses.  Please avoid quoting previous posts
unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent
           the views of the moderators. Digest contributors assume all
           responsibility for ensuring that articles submitted do not
           violate copyright protections.

------------------------------

End of Computer Underground Digest #9.02
************************************