Date: Wed, 6 May 92 07:27 GMT

Date: Wed, 6 May 92 07:27 GMT
From: Jean-Bernard Condat <[email protected]>
Subject: File 4--Chaos Computer Club France's hackers bibliography

Enclosed one bibliography that all the CCCF's members read all the
time in France...

Sincerely yours,

Jean-Bernard Condat
Chaos Computer Club France [CCCF]
B.P. 8005
69351 Lyon Cedex 08, France
Phone: +33 1 47 87 40 83, Fax.: +33 1 47 87 70 70.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

File x: Chaos Computer Club France's hackers bibliography

Nelson, B. [Univ. of Southern California, Los Angeles, CA, USA]:
"Straining the capacity of the law: the idea of computer crime in
the age of the computer worm
In: Computer/Law Journal (April 1991) vol.11, no.2, pp.299-321
Considers whether traditional justifications for the
criminalization of conduct are adequate to encompass new forms of
'criminal' behavior arising out of advanced computer technology.
Describes the reactions of legislator, computer designers and
users, and members of the general public who have opposed Robert
Tappan Morris's trial a nd conviction. Two prominent and
competing theories, retribution and utilitarianism,are useful in
helping understand the conflict between two sets of social values:
those we seek to protect by means of a criminal justice system and
those associated with the basic principles of freedom. Nonetheless,
neither traditional retributive nor utilitarian theory provides a
clear justification for the imposition of
criminal punishment in the case of the 'crime' that Morris committed when
he introduced the Internet worm. (61 Refs)

Spafford, E.H.[Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN,
USA]: "Are computer hacker break-ins ethical?"
In: Journal of Systems and Software (Jan. 1992) vol.17, no.1; pp.41-7
Recent incidents of unauthorized computer intrusion have brought about
discussion of the ethics of breaking into computers. Some individuals have
argued that as long as no significant damage results, break-ins may serve a
useful purpose. Others counter that the break-ins are almost always harmful
and wrong. This article lists and refutes many of the reasons given to
justify computer intrusions. It is the author's contention that break-ins
are ethical only in extreme situations, such as a life-critical emergency.
The article also discusses why no break-in is 'harmless'. (17 Refs)

Kluepfel, H.M.: "In search of the cuckoo's nest-an auditing framework for
evaluating the security of open networks"
In: EDP Auditor Journal (1991) vol.3; pp.36-48
In Clifford Stoll's best-selling book "The Cuckoo's Egg" he describes the
pursuit of a computer hacker who, like the cuckoo, left something in the
computing nests of other users. The paper provides a perspective on
auditing networked systems to find the nest which may have an extra 'egg'
in it or is inviting one because of a breakdown in security design or
practice. It focuses on: the security implications for an increasingly
open network architecture; the lessons learned from performing intrusion
post-mortems; the need for architecture plans and systems engineering
for security; an audit framework for evaluating security. (26 Refs)

Raymond, E.S.: "New Hacker's dictionary"
Publisher: MIT Press, London, UK (1991); xx+433 pp.
From ack to zorch (and with hundreds of other entries in between) The New
acker's Dictionary is a compendium of the remarkable slang used by today's
computer hackers. Although it is organized in reference form, it is not
a mere technical dictionary or a dry handbook of terms; rather, it offers
the reader a tour of hackerdom's myths, heroes, folk epics, in-jokes
taboos, and dreams-an unveiling of the continent-spanning electronic
communities that knit hackers together.Appendixes include a selection of
classic items of hacker folklore and humor, a composite portrait of 'J.
Random Hacker' assembled from the comments of over one hundred respondents,
and a bibliography of nontechnical works that have either influenced
or described the hacker culture. (12 Refs)

Arnold, A.G.; Roe, R.A.[Dept. of Philosophy & Tech. Social Sci., Delft Univ
of Technol., Netherlands]: "Action facilitation; a theoretical concept and
its use in user interface design"
In: Work With Computers: Organizational, Management, Stress and Health
Aspects. Proceedings of the Third Conference on Human-Computer Interaction.
Vol.1, pp.191-9
Editor(s): Smith, M.J.; Salvendy, G.; Elsevier, Amsterdam; xii+698 pp.
The concept of action facilitation, derived from Hacker's theory of
goal-directed action, can be defined as an improvement or maintenance
of performance under conditions of decreasing mental and/or physical
effort. This concept applies to any kind of work, including work with
computers. A method for operationalizing this concept in the context of
human-computer interaction is discussed, and it is shown how this method
can be applied to the evaluation and design of user interfaces for office
systems. (20 Refs)

Menkus, B.: "'Hackers': know the adversary"
In: Computers & Security (Aug. 1991) vol.10, no.5; pp.405-9
Abstract: Confusion appears to continue among many of those concerned
about computer security about who hackers are, what they do and why they
are doing it. The author clarifies some of the terms, concepts, and motives
involved in the hacker phenomenon. The author discusses the hackers'
objectives and their methods. He discusses some of the problems that need
to be resolved to in order to tackle hackers' activities. Implementing an
effective counter hacker strategy rests on the recognition that access to
information is only granted to aid in tasks of value to the organizatio
and that an organizatio does have the right to own and use legitimate
information. He concludes that three tactics should be employed: initiation
of active lobbying by the targets of hacker activity; improved personnel
attribute verification on access; and tracing system use activity on a
real-time basis. (3 Refs)

Cook, W.J.: "Costly callers: prosecuting voice mail fraud"
In: Security Management (July 1991) vol.35, no.7; pp.40-5
Abstract: On August 17, 1990, Leslie Lynne Doucette was sentenced to 27
months in prison. Her sentence, one of the most severe ever given to a
computer hacker in the United States, was based on her role as the head of
a nationwide voice mail computer fraud scheme and her unauthorized
possession of 481 access codes as part of that scheme. Evidence developed
during the investigation and disclosed in pretrial proceedings, revealed
that the case was part of a broader trend toward voice mail computer abuse
by hackers. This article examines the telecommunication technology involved
and the ways computer hackers use and abuse that technology, and it
summarizes the investigation that led to Doucette's conviction and the
convictions of other hackers in her group.

Myong, A.M.; Forcht, K.A.[James Madison Univ., Harrisonburg, VA, USA]: "The
computer hacker: friend or foe?"
In: Journal of Computer Information Systems (Winter 1990-1991) vol.31,
no.2; pp.47-9
Abstract: To most people, the hacker seems somewhat harmless but the
reality is quite the contrary. Quite often, extremely sensitive data is
accessed by hackers and tampering of any kind can cause irreversible
damage. Although this situation is causing great concern, the hacker is not
seen as the hardened criminal, and laws dealing with this kind of
'technological trespass' poses the question: 'is the hacker a friend or
foe?' Obviously, these hackers violate the security and privacy of many
individuals, but by doing so, vulnerabilities in the systems are showcased,
alerting the need for increased security. Paradoxically, by committing
computer crimes, these 'hackers' could be doing society an indirect favor.
The authors give a profile of a hacker and explain how some users and
systems make it easy for one to break into their system. Various actual
hacks are also presented. (13 Refs)

Koseki, J.: "Security measures for information and communication networks"
In: Data Communication and Processing, (1991) vol.22, no.4; pp.38-46
Abstract: The causes of interruptions of the information/communication
system can be classified roughly into accidents and crime. The factors of
disturbing system operations include reduction of system functions due to
traffic congestion. While accidents occur due to unexpected natural
phenomena or human errors, crimes are failures based on intentional human
behavior, unjust utilization and destruction of the system involving the
hacker and computer virus. In order to complete the security for
information and communication networks and eliminate the risk of accidents
and crime, it is necessary to improve system functions and take harmonious
measures viewed from human and legal factors as well as a technological
standpoint.

Zajac, B.P., Jr.[ABC Rail Corp. Chicago, IL, USA]: "Interview with Clifford
Stoll (computer crime)"
In: Computers & Security (Nov. 1990) vol.9, no.7; pp.601-3
Abstract: Concerns the trials of Clifford Stoll, tracking a hacker that
was looking for US military information and then trying to convince the
Federal Bureau of Investigation that he had an international computer spy
on his hands. As the system manager, he was to track down a $0.75
discrepancy in one of the accounting systems. In his quest Stoll discovered
that this was not the simple theft of some computer time but was something
far greater-international computer espionage aimed at US military
computers.

"IT security"
In: Wharton Report (Aug. 1990) no.144; pp.1-8
Abstract: As our reliance on computer systems increases so too does the
risk of data loss. A computer can be insecure in many ways: a clever
hacker, a virus, a careless employee or a vandal can steal, destroy, alter
or read data with relative ease. In addition to this, the proliferation of
networks and the increasing number of tasks given over to a company's
central computer have, while helping us achieve higher degrees of output,
made our data even more insecure. The trend towards open systems will also
bring us security problems.

Schneider, E.W.[Peacham Pedagogics, Madison, NJ, USA]: "Progress and the
hacker ethic (in educational computing)"
In: Educational Technology (Aug. 1990) vol.30, no.8; pp.52-6
Abstract: A hacker is someone who writes clever code on a small machine
in something very close to machine language so that the small machine does
things that would be impressive on a big time-sharing machine.
Microcomputers were introduced into schools by teachers who were also
electronic hobbyists. Some of these teachers went on to learn programming,
becoming true hackers. Due to unprecedented demand from industry, true
hackers in education are an extinct species. Other teachers developed
skills in keeping the machine running, and ordering the latest and
greatest; they form a group that is peculiar to education: the
pseudo-hackers. Most computer applications in higher education have adopted
a hacker ethic. They act as if educational research and medical research
used the same way of determining needs, funding, and performing research,
and disseminating the results. They expect teachers to be as motivated as
doctors, learning about the latest techniques and adopting them as quickly
as possible. That may well be the way it ought to be, but that certainly
isn't the way that it is.

Cook, W.J.: Uncovering the mystery of Shadowhawk
In: Security Management (May 1990) vol.34, no.5; pp.26-32
Abstract: How can a juvenile infiltrate some of the country's most
classified and secured datafiles? Easy-with his home PC. On February 14,
1989, a hacker was sentenced to nine months in prison, to be followed by
two and a half years' probation, and was ordered to pay restitution
totaling $10000. On February 28, 1989, he started serving his prison term
in a prison in South Dakota. If the hacker had been 18 when he committed
these crimes, he would have faced a possible 13-year prison sentence and
fines totaling $800000. Facts developed during a one-week trial established
that between July and September 1987, the hacker, under the code name
Shadowhawk, used a modem on his home computer to gain unauthorized remote
access to AT&T computers in Illinois, New Jersey, North Carolina, and
Georgia and stole copies of copyrighted AT&T source code worth over
$1,120,000. (7 Refs)

Greenleaf, G.: "Computers and crime-the hacker's new rules"
In: Computer Law and Security Report (July-Aug. 1990) vol.6, no.2; p.21-2
Abstract: The author reflects on the international response to the case
of Robert Morris, a US hacker. He looks at recent Australian legislation on
computer crime and some legal definitions from England.

Kluepfel, H.M. [Bellcore, Morristown, NJ, USA]: Foiling the wily hacker:
more than analysis and containment
Conference Title: Proceedings. 3-5 Oct. 1989 International Carnahan Conf.
Security Technology; pp.15-21
Publisher: ETH Zentrum-KT, Zurich, Switzerland; 1989; 316 pp.
Abstract: The author looks at the methods and tools used by system
intruders. He analyzes the development of the hacker, his motivation, his
environment, and the tools used for system intrusion. He probes the nature
of the vulnerable networking environments that are the target of
intrusions. The author addresses how to turn the tables on these intruders
with their own tools and techniques. He points out that there are many
opportunities to learn from the intruders and design that knowledge into
defensive solutions for securing computer-based systems. The author then
presents a strategy to defend and thwart such intrusions. (16 Refs)

Dehnad, K. [Columbia Univ., New York, NY, USA] : "A simple way of improving
the login security"
In: Computers & Security (Nov. 1989) vol.8, no.7; pp.607-11
Abstract: The login procedure is formulated as a test of hypothesis. The
formulation is used to show that the commonly used procedure provides
valuable information to a hacker which enables him to use trial and error
to gain access to a computer system. A general method for reducing this
information is described and its properties studied. The method introduces
randomness into the procedure, thus denying a hacker the luxury of trial
and error. (6 Refs)

Earley, J.: "Supplier's view-considering dial-up (hacker prevention)"
In: Computer Fraud & Security Bull. (Oct. 1989) vol.11, no.12; pp.15-18
Abstract: Discusses the practicalities of hacker prevention. Password
protection, data encryption algorithms and the combination of data
encryption and access control are briefly considered. The Horatius access
control system and Challenge Personal Authenticator are discussed.

Lubich, H.P.: "Computer viruses, worms, and other animals: truth & fiction"
In: Output (5 April 1989) vol.18, no.4; pp.31-4
Abstract: Computer viruses can be classified according to
characteristics, especially their effects and their propagation mechanisms.
Harmless and destructive viruses and their propagation in computer systems
are discussed. Related definitions of virus, worm, mole, Trojan horse,
trapdoor, logic bomb, time bomb, sleeper, hole, security gap, leak, hacker,
and cracker are explained. System penetration by hackers or viruses has
been aided by lack of system security consciousness, and by security
deficiencies in hardware and software supplied by manufacturers.
Countermeasures discussed include care in software purchase, use of test
programs, use of special security measures, and recourse to legislation.

Brunnstein, K.: "Hackers in the shadow of the KGB"
In: Chip (May 1989) no.5; pp.14-19
Abstract: The author examines the question of whether hackers are
criminals or idealists. He sketches a profile of a typical hacker (which
turns out to be similar to that of a professional programmer) and looks at
hackers' work methods, clubs and motives. He outlines some of their more
wellknown cases (e.g. the Chaos club, the Hannover hacker, the involvement
of Russia in buying stolen technical secrets) and comments on the measures
being taken to prevent hackers getting in and to make computer systems
'secure'.

Campbell, D.E. [PSI Int., Fairfax, VA, USA]: "The intelligent threat
(computer security)"
In: Security Management (Feb. 1989) vol.33, no.2; pp.19A-22
Abstract: This article is about the hacker as an external threat, a
terrorist, a person who destroys information for spite, revenge, some
get-rich-quick scheme, or some ideological reason-but always with physical
or electronic destruction or modification of data as a possible end result.
The hacker as a destructive force is the external threat all information
systems are faced with, and as a manager of these systems, your job may
depend on how well you defend your data against such a force.

Samid, G.: "Taking uncommon-but effective-steps for computer security"
In: Computers in Banking (March 1989) vol.6, no.3; pp.22, 61-2
Abstract: System managers and security officials should take the time to
familiarize themselves with the hackers job. Only then will they develop a
sense of their system's vulnerability. Such awareness is a prerequisite for
installation of a heavy-duty defense. No computer system is break-safe.
Therefore computer security starts with identifying who will benefit the
most from breaking in. Then the analysis should assess the value of
breaking in for the intruder. That value should be less than the effort or
cost of accomplishing the intrusion. As long as the balance cost/benefit is
kept unfavorable to the would-be intruder, the system is virtually
break-safe.

Wilding, E.: "Security services shaken by UK hacker's claims"
In: Computer Fraud & Security Bulletin; (Jan. 1989) vol.11, no.3; pp.1-5
Abstract: Discusses the case of Edward Austin Singh, the UK hacker
reported in October to have accessed some 250 academic, commercial,
government and military networks worldwide. This case serves as a useful
framework for discussing legal issues related to computer hacking in the
UK.

Gliss, H.: "US research systems attacked by German student"
In: Computer Fraud & Security Bulletin (July 1988) vol.10, no.9; pp.1-3
Abstract: A researcher with 'a hacker's mentality' caught a German
computer science student from Hanover. The researcher, Clifford Stoll from
Lawrence Berkeley Laboratory (LBL), trapped the student by a trace
connection over the US data networks into Bremen University (West Germany)
and from there through DATEX-P to the individual telephone from which the
hacker did his job. The author gives a comprehensive overview about Stoll's
successful approach, and the lessons which LBL management drew from the
case.

Beale, I.: Computer eavesdropping-fact or fantasy
In: EDP Auditor Journal (1988) vol.3; pp.39-42
Abstract: Equipped with a black and white television set, an antenna and
a small amount of electronics equipment it is possible to display the
information from the screen of a terminal located in a building over 300
metres away. This shows how easy eavesdropping can be, how inexpensive the
necessary equipment is and how readable the data received is. Clearly then,
senior management within many companies should be concerned about the
vulnerability of their systems and the information contained within them. A
broad range of information currently processed on computer systems is of a
confidential nature and needs to be stored and processed within a secure
environment. This type of information includes financial data, financial
projections, design data for new products, personnel records, bank
accounts, sensitive correspondence and competitive contract bids. Any of
this information may be valuable to eavesdroppers either for their own use,
or so that they can sell it to a third party. Another interested party in
this technology is the would-be hacker. By using eavesdropping techniques,
the hacker will be able to readily identify user ids and passwords which
are valid on client computer systems. This will be much more efficient than
the techniques currently used by hackers to identify valid user id and
password combinations.

Stoll, C.: "Stalking the wily hacker"
In: Communications of the ACM (May 1988) vol.31, no.5; pp.484-97
Abstract: In August 1986 a persistent computer intruder attacked the
Lawrence Berkeley Laboratory (LBL). Instead of trying to keep the intruder
out, LBL took the novel approach of allowing him access while they printed
out his activities and traced him to his source. This trace back was harder
than expected, requiring nearly a year of work and the cooperation of many
organizations. This article tells the story of the break-ins and the trace,
and sums up what was learned. (49 Refs)

Schechter, H.: "Dial-up network management-more than just security!"
Conference Title: SECURICOM 86. 4th Worldwide Congress on Computer and
Communications Security and Protection; pp.173-8
Publisher: SEDEP, Paris, France; date: 1986; 476 pp; date: 4-6 March 1986
Abstract: During the last few years, worldwide data communications
networks have been besieged by terrorist attacks, the personal computer
hacker. As businesses have aggressively pursued the use of the PC and
dial-up services, they have found that they must guard their networks and
data, and at the same time manage this dial-up network like they manage
leased line networks. The paper analyzes the needs and components of
dial-up network management and security.

Troy, E.F.: "Security for dial-up lines"
Issued by: Nat. Bur. Stand., Washington, DC, USA; May 1986; vi+60 pp.
Abstract: This publication describes the problem of intrusion into
government and private computers via dial-up telephone lines, the so-called
'hacker problem'. There is a set of minimum protection techniques against
these people and more nefarious intruders which should be used in all
systems which have dial-up communications. These techniques can be provided
by a computer's operating system, in the best case. If the computer does
not have the capability to give adequate protection against dialup
intruders, then other means should be used to shore up the system's access
control security. There are a number of hardware devices which can be
fitted to computers or used with their dial-up terminals and which provide
additional communications protection for nonclassified computer systems.
This publication organizes these devices into two primary categories and
six subcategories in order to describe their characteristics and the ways
in which they can be used effectively in dial-up computer communications. A
set of evaluative questions and guidelines is provided for system managers
to use in selecting the devices which best fit the need. A set of four
tables is included which lists all known devices in the four primary
categories, along with vendor contact information. No attempt is made to
perform any qualitative evaluation of the devices individually. (41 Refs)

Roberts, W. [Dept. of Comput. Sci., Queen Mary Coll., London, UK]: "'Re-
member to lock the door': MMI and the hacker"
Conference Title: System Security: Confidentiality, Integrity,
Continuity. Proceedings of the International Conference; pp.107-14
Publisher: Online Publications, Pinner, UK; date: 1986; xii+232 pp.
Conference date: Oct. 1986; London, UK
Abstract: Increasing emphasis is being placed on the importance of man
machine interface (MMI) issues in modern computer systems. This paper
considers the ways in which common MMI features can help intruders to
breach the security of a system, and suggests methods for enhancing system
security and data integrity by careful MMI design, aiding both the user and
the system administrator.

Murphy, I. [Secure Data Syst., Philadelphia, PA, USA]: "Aspects of hacker
crime: high-technology tomfoolery or theft?"
In: Information Age (April 1986) vol.8, no.2; pp.69-73
Abstract: Computer crime is an increasingly common problem worldwide.
Perpetrated by a growing band of people known as hackers, it is exacerbated
by the ease with which hackers communicate over clandestine bulletin
boards. The types of information contained in these boards is reviewed, and
a parallel is drawn with the problem of telephone fraud also rampant in the
USA. The author looks at the problem of unauthorized access to telephone
lines and personal data. (1 Ref)

Shain, M.: "Software protection-myth or reality?"
Conference Title: Protecting and Licensing Software and Semiconductor
Chips in Europe; 30 pp.
Publisher: Eur. Study Conferences, Uppingham, Rutland, UK; 1985; 273 pp.
Conference date: 7-8 Nov. 1985; Amsterdam, Netherlands
Abstract: The article reviews the motives people have for copying
software and estimates the size of the revenue loss due to this. Commercial
software protection schemes are reviewed and an account of microcomputer
fundamentals is given for those with no prior knowledge. The techniques
used by the software hacker are analyzed and a view is taken as to whether
software protection is a myth or reality.

Mullen, J.B.: "Online system reviews: controls and management concerns"
In: Internal Auditor (Oct. 1985) vol.42, no.5; pp.77-82
Abstract: The generally accepted controls for online systems can be
divided into three categories: preventive; detective; and corrective. The
preventive controls include sign-on key and passwords. The periodic
changing of these controls and other preventive access controls may prevent
a hacker from learning the access system via observation. The detective
controls include: line protocol, which defines the method of data
transmission; front-end edits, routines within the online-application
programs to detect errors in critical fields; and authorization files,
online files containing user passwords. Corrective controls include:
transaction logging; online training, security software; audit caveats;
audit procedures and effectiveness.

Rous, C.C. [Cerberus Comput. Security Inc., Toronto, Ont., Canada]: "What
makes hackers tick? A computer owner's guide"
In: CIPS Review (July-Aug. 1985) vol.9, no.4; pp.14-15
Abstract: Harmless pranksters or malicious wrongdoers? A computer
security expert points out the differences and similarities-and offers
preventative tips. A major concern of most data processors today is the
threat of 'The Hacker'. This article attempts to de-mystify the breed by
examining hacker psychology. The focus is on the distinction between
frivolous and serious, or benign and malicious, hackers. While the
distinction is valid, it is equally important to recognize the fundamental
similarities between the two. In addition, no matter how benign the hacker
who penetrates a system, if he or she has done so a more malicious one
presumably could too. The author goes on to list the different types of
hacker and provides a detailed analysis of each one. Finally, some lessons
for owners and operators of computer systems are offered.

Haight, R.C.: "My life as a hacker" Conference Title: ACC '84. Proceedings
of the Australian Computer Conference; pp.205-12 Editor(s): Clarke, R.
Publisher: Austr. Comput. Soc, Sydney, NSW, Australia; 1984; xx+672 pp.
Conference date: 4-9 Nov. 1984; Location: Sydney, NSW, Australia Abstract:
The author has been programming and supervising programmers since 1961.
His experiences and personal viewpoint are described.

Downloaded From P-80 International Information Systems 304-744-2253