Copy Link
Add to Bookmark
Report
Computer Undergroud Digest Vol. 02 Issue 09
****************************************************************************
>C O M P U T E R U N D E R G R O U N D<
>D I G E S T<
*** Volume 2, Issue #2.09 (October 27, 1990) **
****************************************************************************
MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet)
ARCHIVISTS: Bob Krause / Alex Smith
USENET readers can currently receive CuD as alt.society.cu-digest.
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted as long as the source is
cited. It is assumed that non-personal mail to the moderators may be
reprinted, unless otherwise specified. Readers are encouraged to submit
reasoned articles relating to the Computer Underground.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent the
views of the moderators. Contributors assume all responsibility
for assuring that articles submitted do not violate copyright
protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CONTENTS:
File 1: Moderators' Corner
File 2: Len Rose Arrest
File 3: Mars was not "Censored"
File 4: Response to Mars "Censoring"
File 5: Steve Jackson Games (SJG) Update
File 6: The Future of Hacking and the System Security Profession
File 7: The Ultimate Interface: Hackers and the Private Sector
File 8: CU in the News: "Hackers" and Bank Blackmail in England
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
----------------------------------------------------------------------
********************************************************************
*** CuD #2.09, File 1 of 8: Moderator's corner ***
********************************************************************
From: Moderators
Subject: Moderators' Corner
Date: October 27, 1990
++++++++++
In this file:
1. COPYRIGHT ARTICLE INFORMATION
2. BIBLIOGRAPHIC RESOURCES
+++++++++++++++
Copyright Article Information
+++++++++++++++
CuD is *NOT* copyright, and articles by moderators, anonymous articles, and
other articles may be reprinted as long as the source is attributed.
However, occasionally an individual article is copyright protected. The
article in CuD 2.08 by Jim Warren on "PCs and Political Organizing" is an
example of a submission that is copyprotected but remains freely available
for others' use. We have heard horror tales of authors who make public
posts and then later find their material plagiarized and copyright
protected under another's name. So, do not copyright others' material as
your own. That's tacky--very, very tacky. If a CuD article is listed as
copyright (this notice was excluded from Jim Warren's article), you should
check directly with that author (not CuD) for permission to reprint it.
++++++++++++++++++
Bibliographic Resources
+++++++++++++++++++
We are trying to compile a list of bibliographic sources related to the CU
to eventually place in the archives. If you are writing term paper,
conference papers, or articles, or if you come across books, legal cases,
or other references that seem relevant, send the full citation over to us.
If you come across new books, or better, if you do a book review, send the
titles or the review along as well.
********************************************************************
>> END OF THIS FILE <<
***************************************************************************
------------------------------
From: Moderators
Subject: Len Rose Arrest
Date: October 26, 1990
********************************************************************
*** CuD #2.09: File 2 of 8: Len Rose Arrest ***
********************************************************************
Len Rose was arrested on state charges of "computer tampering" in
Naperville, Ill., Naperville police confirmed Monday night. Len obtained
a job at Interactive Systems Corporation, a software consulting firm, in
Naperville and began Monday, October 15. Friday, he was fired. Bail was
initially set at $50,000, and as of late Friday afternoon, he remained
in jail.
Len's wife speaks little English and is stuck in Naperville, lacking both
friends and resources. Len currently has no money to post bond, and this
leaves he and his family in a dreadful situation.
We caution readers to remember that, under our Constitution, Len is
*innocent* unless proven otherwise, but there is something quite
troublesome about this affair. Hopefully, we'll soon learn what specific
charges and what evidence led to those charges. Even if a "worst case"
scenario evolves, there are surely better ways to handle such cases in less
intrusive and devastating ways. Devastated lives and full invocation of
the CJ process are simply not cost effective for handling these types of
situations.
********************************************************************
>> END OF THIS FILE <<
***************************************************************************
------------------------------
From: Gene Spafford <spaf@CS.PURDUE.EDU>
Subject: Mars was not "Censored"
Date: Sat, 20 Oct 90 14:11:52 EST
********************************************************************
*** CuD #2.09: File 3 of 8: Mars was not "Censored" ***
********************************************************************
I'm against censorship in pretty much any guise. I'm opposed to people who
try to have gif images pulled from sites soley because of their
sexually-oriented content.
However, if I were running a news site, I would not carry the current
alt.sex.pictures newsgroup, nor would I have an archive of the images.
This is not a contradiction in terms.
First off, I am not trying to have anyone else's collection of images
pulled because of the subject matter, nor am I trying to prevent others
from seeing those images.
So, if I'm not against the subject matter of the material, why would I
prevent their transmission through my site and storage on my disk?
Reason number 1 is most of those images were scanned in from magazines and
films that have active copyright protection. Scanning them in and
transmitting them around is a violation of copyright. Not only is that not
legal, I don't view it as proper to infringe on copyright. Storing those
images is an infringement.
Reason #2 is the quality of most of those images is poor compared with the
original. If you want stuff like that, almost any bookstore or videotape
rental place has the originals. Or, you can order by mail. I don't see
the value of tying up bandwidth and storage to transmit poor copies of
material that is generally available elsewhere.
If the machine was a personal machine, I wouldn't keep the images because I
have no use for them. They may (or may not) be interesting to look at some
of them once, but after that I don't see any use for them. And as things
go, I barely have enough free disk on most of machines as it is. If the
machine was a shared machine, this reason would need to be explored with
the other users, but it holds with most people I've talked with about these
images.
The bottom line is that there may be legitimate reasons not to have these
images or carry newsgroups or mailing lists containing them. I think
prudes are dangerous, but I also realize that everyone declining to have
these images online is not automatically bowing to censorship or forbidding
their presence because of content.
********************************************************************
>> END OF THIS FILE <<
***************************************************************************
------------------------------
From: portal!cup.portal.com!dan-hankins@SUN.COM
Subject: Response to Mars "Censoring"
Date: Sun, 21 Oct 90 00:04:25 PDT
********************************************************************
*** CuD #2.09: File 4 of 8: Response to Mars "Censoring" ***
********************************************************************
In article <CuD #2.08 #3>, Karl Lehenbauer <karl@sugar.hackercorp.com> writes,
>I used Prodigy several times, and it is a heavily censored system,...
This is inaccurate. Prodigy is not censored, it is _edited_. There is a
significant difference. When newspaper articles are removed by government
order, that's censorship. When the newspaper owners decide to not run an
article because it is counter to their editorial policies (or personal
prejudices), then that's editing.
The difference is that in the first case, the State is telling a citizen (by
threat of force) what she can and cannot do with her own property. In the
second, a citizen is disposing of his property as he sees fit.
The Prodigy situation is far more like the second case than the first.
Prodigy resources are owned by IBM and Sears. Since Prodigy is their
property, they may dispose of it as they see fit. This includes editing their
databases to remove any information inconsistent with their policies.
Some may argue that the $10 a month (plus fees for other services provided)
gives the Prodigy subscriber the right to post anything she desires. This
isn't the case. The subscriber is paying for the right to use the resources
as provided for in the contract. Unless IBM and Sears agree in the contract
not to edit or abridge information residing on Prodigy, they continue to have
the right, both morally and legally, to do so.
Censorship is when some organization says, "You may not say X.". Editing is
when some organization says, "You may not use _my property_ to say X." This
is an important distinction to make explicit; there is an increasing tendency
for people to believe that they have not only the right to say whatever they
want, but also the unlimited right to use the property of others to do so.
Mr. Lehenbauer also writes,
>If this is IBM's view of the future of personal electronic communications...
>it is a bleak future indeed... every message must be so inoffensive that
>*nobody* is going to be offended by it... and that is censorship.
IBM doesn't control electronic communications in this country; the Prodigy
subscriber is certainly free to go elsewhere to express his views. This is
what many of them are doing. BIX is getting a lot of former Prodigy users
these days.
It's not censorship.
It's also worth mentioning here that although the Prodigy bulletin board
system is edited, Sears and IBM have agreed to not edit email. Users are free
to form email groups (like Internet mailing lists) to discuss whatever they
want, from sex to explosives. They just have to pay extra for it.
In article <CuD #2.08 #4), the moderators write,
>In the MARS incident, the NSF flexed its fiscal muscles (according to those
>on the receiving end).
This is again not censorship. The NSF pays for the Internet, and has the
right to say how those monies are spent. Since MARS resided on an Internet
node, the NSF had the right to refuse to pay for those files to be transmitted
across its network. In fact, the NSF has the right to refuse to pay for
network connections for any site for any reason whatsoever, unless it has made
a contract to the contrary. If this is "flexing its fiscal muscles", then so
be it.
The quoted article quotes some other postings. I reproduce here the relevant
portions:
>I also don't like the idea of the university having to censor this board to
>suit the narrow-minded leanings of a few people...
>Again i am sorry that CENSORSHIP found its way into another democratic haven
>of society...
This is just more of the sort of illogic I referred to earlier. If these
folks want their X-rated pictures, then they can have them. They just can't
expect somebody else (the NSF or their University) to pay for them. They are
certainly free to start their own BBS or post the material on a private BBS or
Usenet mail server that allows such stuff.
>Can a few angry letters to a federal bureaucrat invoke threats of fiscal
>blackmail?
If I boycott your business because I find some of your activities
objectionable, am I threatening you with fiscal blackmail? Why should the
NSF or a university be any different? The NSF is just boycotting sites that
carry material it finds offensive, and the universities are just exercising
their right to control use of their property.
>It would seem that officials could confiscate the equipment of a sysop who
>maintained adult .gif/.gl files.
If you are concluding this on the basis of the "federal prosecutions and
application of RICO" referred to earlier, then I agree with you that it's
something to be worried about. It would be a violation of various First
Amendment rights.
If you're concluding this by extension from the NSF actions, I must
disagree. A government agency deciding what it wants to spend its money on is
hardly analogous to confiscating someone's property. The legal right to do
one does not provide the legal right to do the other.
>A recent article... raised the spectre of "licensing" BBSs.
Now _this_ is something to worry about. This reminds me of the situation
in oppressive regimes, where printing presses and photocopiers are "licensed".
Somehow I don't think they'll get away with this one. Any such regulation
would be a clear violation of First (and other) Amendment rights.
CLARIFICATION:
When an organization is funded by extortion (i.e. taxes), those who fund it
have a moral right to say how those funds will be spent, over and above the
organization's aims. The receivers of the service _still_ don't have any
rights of control, unless they have entered into a contract with the provider
that gives them that right.
In a constitutionally limited republic such as ours, that taxpayer control is
exerted in one of two ways. The first is by electing to government those we
believe will implement the policies we want. The second (and far more rare
option) is referendum.
As long as its decisions remain within the policies set for it by elected
officials and referendum, the NSF has the right to spend (or refuse to spend)
its money as it likes.
If the article I read in CuD is any indication, the purpose of the NSFnet is
to only support the exchange of "scholarly" information. X-rated GIFs don't
belong in that category, in most folks' eyes.
:END CLARIFICATION
By the way, with PC-Pursuit costs, I pay $40 a month for Net access. Yet at
work there is an Internet gateway I could sign up for access to and use to
make my posts (for free!). The reason I don't is that I don't think it's
moral to use IBM resources for purposes IBM wouldn't approve of, such as
expressing disapproval of their policies; it's their property. So I'm not
just spouting rhetoric that doesn't cost me anything.
+++++++++
Dan Hankins
dan-hankins@cup.portal.com
dan-hankins@pro-realm.cts.com
Complete the following: Pro is to Con as Progress is to ________.
Disclaimer: I don't work for the NSF or Sears. Although I have a contract
with IBM to provide programming services to them in return for a salary, this
does not constitute approval for their policies. In particular, I think that
their Prodigy policies, while not immoral, are particularly stupid. The kind
of editing they do on the bulletin board, their ridiculously high email
charges, and their complete lack of upload/download capability will simply
drive customers to other services. I am not a Prodigy subscriber, nor do I
intend to become one. For the same $10 a month, I like Portal much better.
And I post things in alt.individualism that you'd never see on Prodigy BBS.
I defend your right to freedom of expression. Just don't ask me or anyone
else to foot the bill.
********************************************************************
>> END OF THIS FILE <<
***************************************************************************
------------------------------
From: Steve Jackson
Subject: Steve Jackson Games (SJG) Update
Date: October 23, 1990
********************************************************************
*** CuD #2.09: File 5 of 8: Steve Jackson Games Update ***
********************************************************************
%The following, by Steve Jackson, is reprinted with permission
from two posts on The Well--moderators%.
++++++++++++
UPDATE ON SJ GAMES
++++++++++++
We were raided on March 1. Most people here have heard that story, though
I'm working on an article for upload. This is an excerpt, because I don't
know when I'll have time to finish the whole thing.
The brief story: The Secret Service took 3 computers, a laser printer, lots
of assorted hardware, lots of disks and papers, and lots of my business
data. In particular, they took every current copy, on paper or disk, of
the new book we were about to send to the printer.
Because of the confiscation of the GURPS Cyberpunk book, our business came
to a standstill for six weeks - the time it took us to reconstruct it and
get it to the printer.
THE RETURN
In early June, we started talking to the people setting up the EFF, and
word leaked out; I got several inquiries from reporters. On June 20, quite
suddenly, the Secret Service called to say we could have our property back.
So we went to pick it up. They really did give most of our stuff back. They
kept one hard disk and some assorted hardware, as well as some papers. Of
the things they returned, one computer required $200 in repairs before it
would work. Another has so much visible damage that I don't even want to
turn it on.
Loyd hasn't gotten ANY of his things back.
And we still don't know why they raided us. They took our book; they took
our BBS computer; they took a lot of things. And their application for a
search warrant is STILL sealed. So we can speculate, but that's all.
Nobody connected with the business has been arrested. Nobody has been
indicted. Nobody has been charged. Nobody has even been QUESTIONED again.
And these guys are still saying "No comment." Well, if I were in their
shoes, I wouldn't have any comment, either.
OUR CURRENT STATUS (SIGH)
We're not a big business, and the cost of the raid (now well over $125,000)
pushed us to the wall. We have been squeaking by ever since then -
sometimes things look more hopeful, sometimes less. The problem is cash
flow.
We have kept up with our long-term debt (in fact, we've cleared all but
$50K of it up, making most payments on the last day of the grace period),
but we have been very slow-paying with current suppliers. We simply have no
margin for error; any unexpected expense or failure of income will knock us
off. As I write this, a couple of big receivables didn't come in when they
should have; we're about to default on a note payment, and our big printers
are demanding CASH NOW OR NO MORE PRINTING, for which I can't blame them.
So the current news is not good. We should still be all right if we make it
into 1991, but current cash is tighter than it has been for months.
+++++++++++++
SIGNIFICANT STATUS UPDATE:
+++++++++++++
The warrant application under which my offices were raided has been
unsealed. It was unsealed a month ago! Apparently this was just after the
last request from Silverglate and Good, but they were not informed that it
had been unsealed. (Question of etiquette here?)
At any rate, I got a copy today in a package from Senator Bentsen's office,
in reply to my last letter asking if the Senator could help get this
information. He could and did.
Ver-r-r-r-y interesting. A copy has gone to Silverglate and Good, who
should have comments shortly. Brief answers to oft-repeated questions, now
that I really do know what's going on:
Yes, this was connected to the Neidorf case. Specifically, my managing
editor was being "accused" of receiving a copy of the Phrack issue with the
E911 file and posting it on the BBS, Phoenix Project. The description of
the E911 file included the same wild allegations that were exploded during
the Phrack trial.
No, there is nothing in the application to indicate that the GURPS
CYBERPUNK game was a target when they came in the door (which does not
mitigate the seriousness of their effective suppression of the text).
Yes, they definitely knew that they were raiding a BBS system; it was one
of the things they were after. The application specifically defined what a
BBS is - though it did not mention the ECPA or the protections granted
therein.
No, they alleged no criminal behavior on my part or on the company's part.
SJ Games was invaded because Loyd Blankenship was an employee and a
co-sysop and frequent user of our BBS.
No, there's nothing there to change my attitude toward Loyd. He is a valued
employee, innocent until proven guilty, and they haven't even STARTED to
prove anything.
I am, no doubt, oversimplifying in my attempt to boil a large stack of
paper down to a short update - but that does seem to me to be the gist of
it. I'm sure the attorneys will have more to add soon.
********************************************************************
>> END OF THIS FILE <<
***************************************************************************
------------------------------
From: BORGVM
Subject: The Future of Hacking and the System Security Profession
Date: 22 Oct., '90
********************************************************************
*** CuD #2.09: File 6 of 8: Hacking and System Security ***
********************************************************************
Before I begin the discussion of my views on the future of hacking and the
system security profession, I feel it necessary to offer an introduction
which I hope will aid in the understanding of my views. I am an ex-hacker,
yet in saying so I do not rule out a few things which I associate with my
personal perspective on hacking. To begin with, I have always associated
hacking with a genuine lust for knowledge. Whether or not that knowledge
was restricted solely depends on the views of the individual. For me,
however, hacking was an acquisition of knowledge a form the military likes
to give as a good reason to join it. You know, hands-on training, of
course!
It was an attempt to learn as many operating systems as possible. Their
strengths in comparison to one another, their weaknesses, and their
nuances. When I was hacking, data was sacred. It was something which
must not be harmed. I can say with genuine conviction that every time I
heard of destructive viruses, malicious crashes, or the like, I would
become enraged far more than would your common security professional, who
would most likely eye the event as a possibility to acquire cash,
reputation in the foiling of the plot, or as leverage to gain funding and
public support.
Although my respect towards data is still very healthy, my urge to hack is
not. After entering higher education, I have been granted an account on
the mainframe with internet and bitnet access. This situation had served
as a fuel towards my already healthy paranoia of law enforcement and their
new technologies: its just not worth the risk.
After my 'retirement', however, I began to ponder the devices available
during the apex of my hacking career such as ANI (Automatic Number
Identification) and CLID (Caller Line Identification) which could
instantaneously register the number of any 800 caller, and processes
inherent in some digital switching systems which register calls to local
packet-switched networks, that about 20% of my hacks could be traced right
to my doorstep by the right investigator.
I also noted the increase in these types of investigators and the
development of more organized computer-security networks involving FBI,
Secret Service, and private computer security enterprises which developed
highly efficient training methods: the numbers of security representatives
in the telephone companies and computer networks has increased
dramatically, and to a point where telephone company toll fraud is no
longer convenient, for danger and convenience rarely coexist.
I believe that the future will offer much protection from hacking, but only
to a certain extent. One needs only to examine the header of a message
originating from some microcomputer host which UUCP's it through half a
dozen Usenet sites, the Internet, and finally to its BITNET destination to
visualize, quite realistically, a phone number tagged onto the end of the
originating userid.
With digital technology advancing at its current rate, the possibilities
are endless. It is for these reasons that the private computer security
profession (at its current size) is only a short-term success sparked by
mass press-generated hysteria, and blatant disinformation. The computer
security profession did not receive its recognition from the voices of
concerned individuals or even gluttonous corporations: it received the
necessary attention and nurturing due to the paranoias of a corrupt
military-minded government which knows exactly what it keeps on its systems
and exactly why no one else must. You see, its a matter of 'national'
security! Any good real hacker who has been around a few nets knows this.
The time will come when a hacker will sit down at his terminal to hack a
computer somewhere far away. This hacker might dial up a local network
such as Tymnet or Telenet and connect to a computer somewhere. That remote
computer's standard issue security drivers will sense an intrusion (user
John Doe calling form a network address originating in California which is
inconsistent with Mr. Doe's schedule,) request the network's CLID result,
and forward the information directly to Mr. Hacker's local police
department which is, in this day and age, fully equipped with the ability
to centrally tap telco lines (data or otherwise.) The expert system at
the police department verifies that the local data tap is indeed consistent
with the victim computer's John Doe Session and sends out a dispatch.
Sound like fantasy? Every bit of it is perfectly possible with our
existing technology, and upon review of the chronology of computer security
over the last three years, certainly probable.
Data security professionals are as easily replacable by computers as are
assembly-line workers. In this day (which will be, incidentally, just
prior to the banning of Orwell's "1984") there will be a small but very
knowledgeable and powerful group of hackers able to circumvent some of
these security mechanisms. A group of hackers not large enough to present
an obvious threat, but powerful enough to give a self-perpetuating
technological dictatorship and its docile society a nice, re-asserting slap
on the rear.
********************************************************************
>> END OF THIS FILE <<
***************************************************************************
------------------------------
Subject: The Ultimate Interface: Hackers and the Private Sector
From: Dark Adept
Date: Tue, 23 Oct 90 22:19 CDT
********************************************************************
*** CuD #2.09: File 7 of 8: Hackers and the Private Sector ***
********************************************************************
The Ultimate Interface: Hackers and The Private Sector
A major problem in Cyberspace is the lack of communication between hackers
and non-hackers. Corporations are fully entitled to their privacy, and so
they feel threatened by the hacker "menace." They view the hacker as the
enemy, and so they persecute him. This is a valid belief since history
shows that when a group does not understand another group, they try to
destroy it. Saying this is valid does not make it right. If hackers and
corporations and security companies and software companies, etc., etc.,
etc. were to overcome their differences much could be done. By trading
bits and pieces of knowledge, the two opposing groups could together
develop revolutionary advances in computing that would benefit all. The
problem is to get the two groups to trust one another. In some upcoming
G-Philes and submissions to CuD, I hope to break down this barrier of
resentment by crossing over the lines of the Underground into the "real"
world and providing valuable information about systems, security,
interfacing, etc. from a hacker's/member-of-the-underground's point of
view. I hope others will follow suit, and that the private sector will
reciprocate by allowing technical information to flow into the Underground.
Ultimately, I hope that there will be a rapport between hackers and members
of the private sector so that we may learn from each other and make the
best use possible of this greatest of inventions, the computer. Without
further delay, then, I present the first of what I hope will be a long and
successful series of articles. These must be short since they are merely
articles, but I have planned a few full-length works that will be more
in-depth; I will send them to the CuD archives as they become available. I
hope you enjoy them.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
System Security: Security Levels and Partitioning
by The Dark Adept
Traditionally, security levels are used to prevent a user from gaining
access to areas where he lacked legitimate interest. They also have
another very useful purpose that is seldom recognized. They can be used as
a firewall of sorts to stop the spread of viruses and the destruction of
files by an intruder. A good analogy of this theory is ship design. When
a ship is designed, the lower compartments are designed separate from each
other so that if the hull is punctured, the flooding compartment may be
sealed off thus localizing the damage and stopping the ship from sinking.
In the same way accounts should be assigned security levels. However, if
the accounts are fully isolated from one another, it is too restrictive to
be of any real use. A user in Accounting would not be able to access the
records from Personnel to find an employee's rate of pay, for example.
Optimally, then, one would want a balance between freedom and security.
This optimal assignment of security levels is accomplished through a
two-stage step.
The first stage is the creation of generic accounts. Many computer
systems, such as those of schools, use generic accounts as their sole
source of security. This is VERY dangerous. By generic accounts, I mean a
set of basic accounts where each member has certain privileges assigned to
it that differ from the other members. For example, in schools the
teachers often receive one type of account, and students another. Besides
the systems operator's account, these are the only two types of accounts
available. The teachers have a wide-range of freedoms including being able
to look into files that don't belong to their department since they can be
trusted. The students have a limited amount of ability, mostly restricted
to accessing their files only. But what happens if an intruder grabs a
teacher's account? You got it, he has access to A LOT of stuff!
Obviously, this won't do. However, generic accounts are useful if used in
combination with other devices. This leads to the implementation of the
second stage: security levels.
Example: Let X, Y, and Z be generic accounts in system S with the
following maximum abilities:
X can access file areas A, B, C, D
Y can access file areas B, D, J, K
Z can access file areas B, C, J, L
Assume some User, u, needs access to file areas B and L alone. Assign him
account type Z with security modifications such that he may access only
file areas B and L.
This results in User u being restricted to the proper file areas, B and L,
but allows ease of modification later if he needs access to areas C or J.
It also allows for the greatest amount of security since his account type
is Z so by definition he cannot access file areas A, D, or K without
receiving a new account. Therefore, if an intruder takes control of
account u, he cannot destroy more than areas B and L without modification.
The most he can modify account u to have access to is areas B, C, J, and L.
Therefore the damage will be localized to file areas B, C, J, and L. The
only way he can enter the other areas is to get a new account. This is much
more difficult than modifying one he already has.
The same sort of setup may be applied to commands, usage times, dialup
ports, etc. For example, say the editor of a newspaper has account Z that
has maximum port capability of T, t1, t2, t3 where T is a terminal in his
office and t1, t2, and t3 are outside lines. At first he is assigned a
security level that allows access to T only so his account cannot be
accessed from intruders outside thus stopping someone from deleting all of
tomorrow's edition. Now, if he must go on location somewhere, it would be
a simple matter to modify his account to give him access to t1 so he can
call up and review the submissions. Yet, again, if there exist ports t4,
t5, etc., these would NEVER be able to access the files since account type
Z is incapable of being accessed through these ports.
What follows here is a mathematical model of account partitioning using
concepts of discrete mathematics. Since this is a text file and cannot use
graphics characters, some common mathematical symbols must be defined using
regular characters.
Symbols:
--------
| = "such that" (ordinarily a vertical bar)
%e% = "is an element of" (ordinarily an emphasized epsilon)
<==> = "if and only if"
Model:
-----
Let S represent a computer system.
Let S1 be a set of different areas of interest in a computer system. This
is modelled by S1=%a1,a2,a3,...,an% where n is some integer, and a1,a2,
a3,... are the areas of interest in S.
Let S2 be a set of different user accounts in a computer system. This is
modelled by S2=%u1,u2,u3,...,uq% where q is some integer, and u1,u2,
u3,... are the user accounts in S.
Let x %e% S2. Let y %e% S1. Let r be a relation on S defined as this:
xry <==> x %e% S2 | x has access to y.
Now r becomes a partitioning relation on S2. The function that defines r
is determined by how the operator wants his accounts set up.
Further, the equivalence class of x, [x], defines the generic account.
Example: Say S has accounts u1, and u2. It also has areas of interest a1,
a2,a3. Now say the operator wants u1 to have access to a1 and a2, and u2 to
have access to a1 and a3. By defining r in the proper manner he gets:
r =%(u1,a1), (u1,a2), (u2,a1), (u2,a3)%. Now [u1]=%a1, a2% and
[u2] = %a2, a3%. Thereby defining the generic accounts.
Now let G be the set of all of the equivalence classes determined by xry
that define generic accounts in S. This is seen as G=%[x]|x /e/ S2%.
For clarity, let g1 = [u1], g2 = [u2], ... so we have G=%g1,g2,...gq% where
q is some integer.
Now let d %e% G. We define w to be a relation as such:
dwy <==> d %e% G | d has access to y.
Now w becomes a partitioning relation on G. The function that defines w
is determined by how the operator wants to implement a generic account
for a particular user.
Further, the equivalence class of d, [d], defines the specific user
account.
Example: Say S has generic account g1 set up. It has areas of interest
a1, a2, and a3. g1 is partitioned in such a way that it can only access a1
and a3. Now say the operator wants a certain holder of a generic account
type g1 to have access only to a1. By defining w in the proper manner he
obtains: w=%(g1,a1)%. Now [g1]=%a1% thereby defining an appropriate user
account.
As some may have noticed, accounts can be partitioned ad infinitum. In
most cases I have found two partitions to be sufficient. An interesting
adaptation is also to use this method to define what users have access to
which commands. It again allows much room for change while keeping things
safely separate.
The ultimate safety would come when the first partition is defined in the
operating/timesharing system itself. For example, if Unix (Tm of AT&T)
came with say 30 different file areas and accounts accessing those areas in
specialized ways, then even if an intruder grabbed the root account, he
could not change the first level of partitioning to access all those
accounts.
As I hope I have shown, the proper use of generic accounts and security
levels allows the optimum balance of security and ability. By properly
partitioning accounts, the system operator can isolate a problem to a
relatively small area allowing faster restructuring afterward.
I hope you have enjoyed this article. I can be reached for comments,
criticism, and E-mail bombs at Ripco BBS (312)-528-5020. Also, if you
liked this article, you may comment to Jim Thomas (editor of CuD) and he
can pass the general reception on to me.
Written 10/21/90 in Chicago, IL -- The Dark Adept
********************************************************************
>> END OF THIS FILE <<
***************************************************************************
------------------------------
From: P.A.Taylor@EDINBURGH.AC.UK
Subject: CU in the News: "Hackers" and Bank Blackmail in England
Date: 24 Oct 90 12:59:34 bst
********************************************************************
*** CuD #2.09: File 8 of 8: CU in the News: Hackers/English Banks**
********************************************************************
Taken from: "The Independent On Sunday," October 14, '90:
Mysterious computer experts demand money to reveal how they penetrated
sophisticated security.
HACKERS BLACKMAIL FIVE BANKS by Richard Thomson
At least four British clearing banks and one merchant bank in the City are
being blackmailed by a mysterious group of computer hackers who have broken
into their central computer systems over the last six months. These
breaches of computer security may be the largest and most sophisticated
ever among British Banks.
The electronic break-ins which began last May, could cause chaos for the
banks involved. Once inside their systems, the hackers could steal
information or indulge in sabotage, such as planting false data or damaging
complex computer programs.It is unlikely, however, they would be able to
steal money. So far, the hackers have contented themselves with demanding
substantial sums of money in return for showing the banks how their systems
where penetrated. None of the banks has yet paid.
The break-ins are evidence of the rapid growth in computer fraud and
manipulation in Britain. Although most hacking is relatively trivial, the
latest cases show much sophistication. The hackers have concentrated on
tapping the banks' electronic switching systems which, among other things,
control the routing of funds around the world.
Some of the hackers are in contact with each other, but they are believed
to be operating individually. One computer expert described their level of
expertise and knowledge of the clearing bank computer systems as "truly
frightening". They are not believed to have links with organised crime,
which has become heavily involved in computer hacking in the US over the
last two to three years.
It is a severe embarrassment for the banking community which is frightened
that public awareness of the security breach could undermine public
confidence. As a result, they have not called in the police but have hired
a firm of private investigators, Network Security Management, which is
owned by Hambros Bank and specialises in computer fraud. It is common for
banks not to report fraud and security failures to the police for fear of
damaging publicity.
All the banks approached either denied that they were victims of the
blackmail attempt or refused to comment. The hunt for the hackers is being
led by David Price, managing director of NSM, who confirmed his firm was
investigating computer security breaches at five British banks. "I am
confident of success in catching the hackers," he said. "The amount of
information they can get from the banks will vary depending on the computer
systems and the ways the hackers broke into them," he added. "They could
go back in and sabotage the systems, but they are not threatening to do
so."
The ease with which the hackers appear to have penetrated the systems
highlights the vulnerability of the computer data. Clearing banks in
particular rely on huge computer systems to control their operations, from
cash dispenser payments to massive international transfers of funds.
Security measures were tightened after a large computer fraud at a leading
City bank three years ago Although the bank involved was never named, it is
understood the money was never recovered.
Nevertheless, the speed with which computer technology has developed in the
last few years has made the detection of security breaches more difficult.
According to an expert, who recently advised one of the big four clearers
on its computer systems, there are few people who understand the banks
system well enough even to detect a break-in.
Computer-related fraud has boomed over the last decade as businesses have
come to rely more heavily on electronic information. According to some
reputable UK and US estimates, up to 5% of the gross national product of
western economies disappears in fraud. Experts say that the senior managers
of many companies simply do not appreciate the need for tight security.
The British legal system has been slow to respond. The Computer Misuse Act
which makes it illegal to access a computer without authorisation, came
into effect only at the end of August this year.
(end article)
++++++++++++++++++++++++++++++++++++++++++++
The follow-up article (from The Independent on Oct 21), also by Richard
Thomson, is basically much of the same thing. He quotes a hacker from the
US who's computer "nom de guerre" is Michael Jordan who makes the following
points.
1.One large US bank is notorious for lax security and it has effectively
become a training ground for hackers.
2. Guessing passwords is sometimes "absurdly simple", they tend to choose
words like "Sex, Porsche, or Password"
3.Social Engineering techniques are used and he would spend approx 6 weeks
trying to suss out from a manager's secretary etc. anything he could find
out that would help him have a better chance of accessing a bank's system.
The main body of the article is pretty glib; it has the usual stock phrases
like..."Hackers and Bank employees have always been a danger, but now there
are signs that yesterdays bank robbers have hung up their sawn-off
shot-guns and are turning to computers instead." and even more hypey is ...
" Mr Jordan claims to have been shown pictures of people in organised
crime.
"They're East End lads who've become more sophisticated now. I've been told
that if they ask you to help them and you refuse, it's baseball bats at
dawn."
There's also a discussion of the reliability of fraud figures, a mention of
how various definitions can exaggerate the actual role played by the
computer. Detective Chief Superintendent Perry Nove head of the city fraud
squad defines "computer fraud" as ... "It is when the computer system
itself is attacked rather than just used to facilitate an offence" The main
conclusion on the whole area of fraud is "...the subject remains cloaked in
mythology and mystery.Naturally, no one knows how many frauds are commited
that are never discovered. Matters are further obscured because banks
fearful of bad publicity, sometimes do not report frauds to the police- a
situation that Mr Nove accepts with resignation. There is general agreement
among hackers and other experts that it is more widespread and more
sophisticated in the US, that it is growing in Britain, but that British
Banks are more secure than those in America and the Continent. That is
about as reliable as the detailed information gets."
I hope I've summed up the general tone of the whole article, it was in the
business section of The Independent On Sunday, 21st Oct. The paper's
normally a very good one, so the generally bad coverage this bloke Thomson
gave to the subject of hacking, and the amount of what I'd call "casual
empiricism" he used to back up his arguments, is sadly probably indicative
of what the CU is up against in the way of ignorance and bad reporting. I
thought it was quite ironic that he recognised the role of mystery and
mythology, since he seemed to be doing his best to add to it. Finally, if
he'd of mentioned the word expert once more ..grrrrrrr.... Cheers for now,
P.A.T.
********************************************************************
------------------------------
**END OF CuD #2.09**
********************************************************************