Copy Link
Add to Bookmark
Report
Computer Undergroud Digest Vol. 03 Issue 33
Computer Underground Digest--Fri Sept 14, 1991 (Vol #3.33)
Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET)
CONTENTS, #3.33 ( September 14, 1991)
File 1--Moderators' Corner
File 2--Clarification of "Boycott" Comment
File 3--How BellSouth Calculated $79,000
File 4--Houston Chronicle spacemail follow
File 5--More on Casolaro (INSLAW) Suicide (Mary McGrory reprint)
File 6--"Freaker's Bureau Incorporated" (FBI)
File 7--Review of Site Security Handbook (by Dark Adept)
File 8--Complain to Journalists
File 9--Spaf's Response to Reviews of _Unix Security_
Issues of CuD can be found in the Usenet alt.society.cu-digest news
group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG,
and DL0 and DL12 of TELECOM, on Genie, on the PC-EXEC BBS at (414)
789-4210, and by anonymous ftp from ftp.cs.widener.edu (147.31.254.20),
chsun1.spc.uchicago.edu, and dagon.acc.stolaf.edu. To use the U. of
Chicago email server, send mail with the subject "help" (without the
quotes) to archive-server@chsun1.spc.uchicago.edu.
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted as long as the source
is cited. Some authors do copyright their material, and they should
be contacted for reprint permission. It is assumed that non-personal
mail to the moderators may be reprinted unless otherwise specified.
Readers are encouraged to submit reasoned articles relating to the
Computer Underground. Articles are preferred to short responses.
Please avoid quoting previous posts unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume all
responsibility for ensuring that articles submitted do not
violate copyright protections.
----------------------------------------------------------------------
Date: 14 Sep 91 11:21:19 CDT
From: Moderators <tk0jut2@mvs.cso.niu.edu>
Subject: File 1--Moderators' Corner
++++++++++++
WIDENER FTP ADDRESS CHANGE
++++++++++++
The Internet address for ftp.cs.widener.edu (aka
ashley.cs.widener.edu) will be changing from its current of
192.55.239.132 to 147.31.254.20
+++++++++
INFO ON "OTHER VICTIMS" WANTED
+++++++++
We are putting together a story on the "other victims" of the 1990
searches/seizures by the Secret Service that focuses on the problems
various raids caused for those who where touched by, but not directly
involved in, those events. We're compiling a list of short, narrative
stories that can each be summarized in a few paragraphs.
If you or anybody you know was an indirect "victim," it would help if you
would send us their name and an email or voice phone means of contacting
them. If people have been victimized, but prefer anonymity, we can tell
the story without the name:
Jim Thomas
Co-editor, Computer underground Digest
Sociology / Northern Illinois University / DeKalb, IL 60115
email: tk0jut1@mvs.cso.niu.edu / jthomas@well.sf.ca.us
Voice: (815) 756-3839
+++++++++
PHRACK 33
+++++++++
Phrack 33 (release date 1 Sept, '91) is out and can be obtained from
the Cud archvives. FREE SPEECH BBS, Phrack's home board, will be up in
a week or so, but may periodically be down for maintenance while
testing some of the new features. The new number is (618) 549-4955.
++++++++++
NY BBS TAX
++++++++++
New York state has enacted a law that would appear to place a tax on
BBSs that sell or exchange software. Although there is some confusion
regarding the intent and applicability of the law, most agree that it
is, at best, a poor worded and potentially harmful piece of
legislation. The next Cu Digest (3.34) will be a special issue devoted
to the law.
+++++++
INFO ON THESES/DISSERTATIONS WANTED
+++++++
We've received a few responses from people working on graduate theses
or dissertations related to computer culture or computer crime. We'll
put out the information, along with a list of the few that have been
completed so far, but it appears that, to date, there are very, very
few. If you or somebody you know is working on a related project, let
us know in the next few weeks so we can include it in the
bibliography.
------------------------------
Date: 08 Sep 91 17:44:51 CDT
From: Jim Thomas <tk0jut1@mvs.cso.niu.edu>
Subject: File 2--Clarification of "Boycott" Comment
In my review of _Cyberpunk_ (CuD 3.32), I quoted a passage that
referred to a "national computer security expert's" call for a boycott
of any company that hired Robert Morris. In context, the passage would
appear to be less than charitable. Gene Spafford, the person
associated with the boycott call, never made this claim, and he has
tried without success to clarify what was actually said. He was
misquoted in a speech, and the misquote has become a reality of its
own. Although it seems like a relatively minor point, the continued
circulation of the quotation error perpetuates an unjustified aura of
extra-legal professional retaliation. Sometimes the slightest
transposition of words leads to quite different meanings, and it
appears that Gene is the victim of a shift of phrases that distorted
his message. We discussed this with him, and the following scenario
seems to be the source of the error. We have included a response he
wrote to the CACM to correct the error, but it was also garbled by the
editor to whom it was sent.
In March 1990 at the DPMA Computer Virus & Security Conference in NYC,
Gene gave the keynote address. He discussed community ethics
and made a statement like "We should boycott any company that hires
someone like Morris *because of* what he did." This was heard by at
least one person present as meaning, "Because of what he did, we
should boycott any company that hires Morris." What he meant, and
what he thought was clear from context, was "We should boycott any
company that believes what Morris did was a reason to hire him."
The quote was reported in CACM and Spaf wrote a letter (published in
the October 1990 issue) pointing out the error, but they misunderstood
the way it was supposed to have text boldfaced to indicate the emphasis.
The point did not get across clearly and was also incorrectly
paraphrased in Peter Denning's editorial in the August 1990 CACM.
Enclosed is the text of the letter he sent to CACM and which was
published in the September 1990 issue without the indicated emphasis:
[ The following uses TeX conventions: %%it text% is italics, and
%%bf text% is boldface.]
To the editor:
The May issue of %%it Communications% contained a %%News Track''
account of some of my remarks on hiring known hackers/crackers.
I believe the report was derived from my keynote presentation at
the 3rd DPMA Virus Workshop, held March 14 in New York.
Unfortunately, the item in question did not report the full
context of my remarks, and thus the actual intent was obscured.
It is my contention that we should not do business with companies
that hire known computer miscreants %%bf because of their
criminal escapades%. There are two reasons for this, one
grounded in good business sense, and the other grounded in
professional ethics.
From a business standpoint, hiring a known computer criminal
because of his criminal past is likely to be a liabilty. The
individual has already shown that he (or she) has not felt
constrained to respect legal and ethical boundaries, or that he
has exhibited poor judgment in not thinking about adverse
consequences. What indication is there that such behavior will
not be repeated? Furthermore, there is no indication that
someone who breaks into a system knows how to protect the system
or make it better -- he has only shown that he knows how to break
in. This is the origin of my %%arsonist'' statement, quoted in
the article. As a customer of such a firm, it is possible I
would never be as confident about the integrity of its products
as if the hacker had not been hired.
From a professional standpoint, I view the hiring of computer
criminals %%bf because of their notoriety or criminal success% to
be insulting and unconscionable. Consider that there are many
tens of thousands of people who have worked for years to become
knowledgeable and responsible members of the profession, and many
thousands more currently studying the discipline. What will it
mean to them if a criminal is hired to a position of
responsibility because of a violation of professional standards?
Should the rest of us seek distinguished appointments by
spectacular violations of the law? What would it say to all of
us that a business would value unethical behavior above a record
of accomplishment and professionalism? To ignore or accept such
behavior is to allow our profession to be besmirched. I view it
as an insult, and to acquiesce quietly would appear to be a
violation of our Code of Professional Conduct.
Note that I am %%bf not% in any way suggesting that we act to
prevent these individuals from being employed in a
computing-related profession. If the individual involved has the
necessary training and background, and is as qualified as other
applicants, then he should be treated as any other individual
applying for a position. This is especially true once an
individual has served a sentence for their [sic] crimes. Robert
T. Morris, for instance, has demonstrated a keen interest and
more than moderate facility with computers. To protest his
taking a computing-related job would be to unfairly embellish the
sentence already imposed by the federal court. We should not
seek to second-guess our legal system, nor extract revenge above
and beyond the punishment already meted out. To do so would be
petty and mean-spirited.
In summary, my remarks at the Virus Workshop argued that we
should protest if businesses reward these offenders for their
actions; I did not mean to suggest that we forbid these
individuals from ever working in computing-related jobs. I also
did not suggest that we devise any additional punishment for Mr.
Morris. He has been sentenced for his crime, and it is not for
us to seek to augment his punishment. It is time for all of us
to move on and put that whole incident behind us.
Eugene Spafford
Dept. of Computer Sciences
Purdue University
W. Lafayette, IN 47907-2004
spaf@cs.purdue.edu
------------------------------
Date: 24 Aug 91 00:33:31 GMT
From: eff@org
Subject: File 3--How BellSouth Calculated $79,000
(Moderators' note: The following article appeared in EFF 10 and
explains how those infamous E911 documents wound up with a value of
over $79,000. Guess it shows how figures lie and......)
WHY THE BELLSOUTH E911 DOCUMENT COST $79,000 TO PRODUCE
-==--==--==-<>-==--==--==-
IN OVER THEIR HEADS
--OR--
WHY THE 911 DOCUMENT COST $79,449 TO PRODUCE
AT BELLSOUTH
Over the months since it first came to light, many have wondered how
BellSouth could spend the immense amount of money that it claimed it
spent on producing the brochure known as the E911 document.
Now it can be told!
The following is BellSouth's actual estimate of its production costs
as sent to Bill Cook in January of 1990. We were amazed that the
company felt it necessary to add in the entire cost of a major
computer system, printer and software.
[Text of letter from K. Megahee to Bill Cook]
BellSouth
1155 Peachtree Street. N E
Atlanta, Georgia 30367 -6000
January 10, 1990
Bill Cook - Assistant United States Attorney
United States Attorney's Office
Chicago, Illinois
Dear Mr. Cook:
Per your request, I have attached a breakdown of the costs
associated with the production of the BellSouth Standard Practice
(BSP) numbered 660-225-104SV. That practice is BellSouth
Proprietary Information and is not for disclosure outside
BellSouth.
Should you require more information or clarification, please
contact my office at XXX-XXX-XXXX. FAX: XXX-XXX-XXXX
Sincerely,
Kimberly Megahee
Staff Manager - Security, Southern Bell
[Handwritten total]
17,099
37,850
24,500
------
79,449
[Attachment to letter itemizing expenses]
DOCUMENTATION MANAGEMENT
1. Technical Writer To Write/Research Document
-200 hrs x 35 = $7,000 (Contract Writer)
-200 hrs x 31 = $6,200 (Paygrade 3 Project Mgr)
2. Formatting/Typing Time
-Typing WS14 = 1 week = $721.00
-Formatting WS 14 = 1 week = $721.00
-Formatting Graphics WS16 = 1 week = $742.00
3. Editing Time
-PG2 = 2 days x $24.46 = $367
4. Order Labels (Cost) = $5.00
5. Prepare Purchase Order
-Blue Number Practice WS14 x 1 hr = $18.00
-Type PO WS10 x 1 hr = $17.00
-Get Signature (PG2 x 1 hr = $25.00)
(PG3 x lhr = $31.00)
(PG5 x 1 hr = $38.00)
6. Printing and Mailing Costs
Printing= $313.00
Mailing WS10 x 50 hrs = $858.00
(Minimum of 50 locations/ 1 hr per location/ 115 copies
7. Place Document on Index
-PG2 x 1 hr = $25.00
-WS14 x 1 hr = $18.00
Total Costs for involvement = $17,099.
HARDWARE EXPENSES
VT220 $850
Vaxstation II $31,000
Printer $6,000
Maintenance 10% of costs
SOFTWARE EXPENSES
Interleaf Software $22,000
VMS Software $2,500
//End of Document//
------------------------------
Date: Tue, 3 Sep 91 17:05:01 CDT
From: edtjda@MAGIC322.CHRON.COM(Joe Abernathy)
Subject: File 4--Houston Chronicle spacemail follow
This story appeared on Page 1A of the Houston Chronicle on Monday,
Sept. 2, 1991. Permission is granted for redistribution in the ACM
Risks Digest, Patrick Townson's Telecom Digest, the newsgroup
sci.space.shuttle, Computer Underground Digest, and the
interesting_people mailing list. Our thanks to these groups for their
ongoing contributions to the online community and our coverage of it.
Please send comments and suggestions to edtjda@chron.com.
NASA severs connection
on electronic mail linkup
By JOE ABERNATHY
Copyright 1991, Houston Chronicle
Although declaring the experiment a success, NASA has called a halt to
a project by which space shuttle astronauts briefly were linked with
the nation's computer networks through electronic mail.
The e-mail experiment, conducted during the recent flight of Atlantis,
was part of a larger effort to develop computer and communications
systems for the space station Freedom, which is to be assembled during
the late 1990s.
The National Aeronautics and Space Administration cited unauthorized
access as the reason for severing the network connection, but NASA
officials did not provide details.
The space agency initially attempted to carry out the project in
secrecy, but word leaked out on the nation's computer networks.
Details were closely guarded because of concerns over malicious
computer hacking and astronauts' privacy.
"Hello, Earth! Greetings from the STS-43 Crew! This is the first
Applelink from space. Having a GREAT time, wish you were here!" read
the first message home. It went from Atlantis astronauts Shannon Lucid
and James Adamson to Marcia Ivins, a shuttle communicator at Johnson
Space Center.
It was the use of AppleLink -- a commercial electronic mail network
connected to the global computer matrix -- that apparently contained
the seeds of trouble.
When an AppleLink electronic mail address for the shuttle was
distributed online and then published in the Houston Chronicle, it
generated about 80 responses from well-wishers.
Although the address was created just for this purpose, the flight
director nearly pulled the plug on the project, according to Debra
Muratore, the NASA experiment manager. The project was concluded as
scheduled and declared a success.
But ultimately, it was decided, at least for now, to cease all
interaction with public computer networks. The decision eventually
could mean that NASA's premier research facility, the space station,
may not have access to its premier research communications tool, the
NASA Science Internet -- the space agency's portion of the vast
Internet global computer network.
Electronic mail, which is becoming commonplace in offices, is simply
the transmission of messages via computers to one or more people,
using electronic addresses. Users linked to the right networks can
send electronic messages or other data to specific recipients nearly
anywhere in the world -- and for a short time, could send them to
space.
"The problem was that the information had gotten leaked prematurely.
There was no problem with security," Muratore said. Even previous to
the leak of the addresss, however, the experiment was structured in
such a way that it was vulnerable to hackers, she acknowledged.
"As a result of this whole experience, at least my project plans never
to use a public (electronic) mail system again," she said.
Muratore indicated that the space agency may explore other ways of
providing "connectivity" -- communication between orbiting astronauts
and NASA's broader collection of computerized resources -- which will
become increasingly important as the use of computerized information
grows.
The decision to sever the short-lived e-mail connection has drawn
strong criticism among computer security experts and other scientists,
who charge that NASA was attempting to design "security through
obscurity."
"This is another example of an ostrich-oriented protection policy --
stick your head in the sand and pretend no one will find out what you
know," wrote Peter G. Neumann, moderator of the Association for
Computing Machinery's RISKS Digest, a respected online publication
that assesses the risks posed by technology. "Things like that don't
stay 'secret' for very long."
NASA told Newsday, but would not confirm for the Chronicle, that more
than 80 "unauthorized" messages from around the world were sent to the
Atlantis address -- which a source told the Chronicle was set up
explicitly to handle public requests for a shuttle e-mail address.
Private addresses were used for the actual experiments.
"The old 'authorization' paradox has reared its ugly head again,"
wrote Neumann, who prepared a study for NASA on the security
requirements of the space station. " 'Threatened by unauthorized
e-mail,' eh? Sending e-mail to someone REQUIRES NO AUTHORIZATION."
Muratore defended the use of secrecy as a security tool.
"I feel that that was a viable option," she said. She said operators
of AppleLink told NASA that it was impossible to keep public e-mail
from being sent to the on-orbit address, so the only option was to try
to keep it secret.
But network users questioned this viewpoint.
"Why is an e-mail system 'in jeopardy' when it receives 80 messages?
And what is an 'unauthorized user?' " asked Daniel Fischer of the
Max-Planck-Institut feur Radioastronomie, in Bonn, Germany. "Once the
system is linked up to the real world, it should expect to receive
real mail from everyone.
"If NASA can't handle that, it really shouldn't get into e-mail at
all," added Fischer, writing in an online discussion group composed of
scientists involved with the space program. "Consider that (heavy
response) a success, NASA!"
The disposition of the electronic mail sent to Atlantis is still up in
the air. A Chronicle message was not acknowledged, and no one has
reported receiving a response.
+++++++++++++++++++++++++++++++++++
Chronicle reporter Mark Carreau contributed to this report.
------------------------------
Date: Tue, 27 Aug 91 21:36 EDT
From: "Silicon Surfer" <unixville@news.group.com>
Subject: File 5--More on Casolaro (INSLAW) Suicide (Mary McGrory reprint)
Tentacles of Scandal Touch Journalist's Mysterious "Suicide"
(By Mary McGrory, syndicated columnist)
One thing in the sad muck is clear: Before he died, Danny Casolaro saw
an octopus. He told his friend Bill Hamilton about it. The tentacles
reached into all the scandals we are grappling with in this summer of
conspiracies unlimited.
The body of investigative reporter Joseph Daniel Casolaro, 44, was found
in the bathtub of a West Virginia motel on Saturday, Aug. 10.
Martinsburg police pronounced it a suicide and proceeded to embalm the
body with extraordinary haste - before they got around to notifying
Casolaro's family, which finally heard the news on Monday, Aug 12.
His brother, Dr. Anthony Casolaro, doesn't believe it was a suicide.
Nor does anyone who knew him - or talked to him in his last days.
A crime reporter, Casolaro was a happy, outgoing, gregarious person, the
kind who cracks wise with secretaries and waitresses and endears himself
to children. The day before he died, according to the Martinsbug Morning
Journal, Casolaro told a Pizza Hut waitress that he liked her brown eyes
and that he was a member of the Edgar Allen Poe Society. He quoted "The
Great Gatsby" to her.
He told Hamilton, his brother, his girlfriend and others that he was on
the point of cracking the story that had absorbed him for a year. He
had begun investigating the Inslaw case, a tangled affair of government
perfidy and international intrigue that has been in litigation since
1983. In his explorations, he found out about related scandals - BCCI,
S&Ls, Iran-Contra, the October Surprise - but until last week, he found
nothing about Inslaw. Then he, joyfully said, he hit Bingo. One more
interview and the case was cracked.
Suicides do not tell their intimates day before taking the hemlock that
they are "ecstatic" or "euphoric". Casolaro did. Nor do they attend
family birthday parties, as Danny Casolaro was planning to do hours
before he died. The last known call he made was to his mother. He would
be late, but he was headed home. A manic-depressive might do that.
Nobody ever suggested that Danny Casolaro was one.
All the circumstances beg for disbelief, none more than the supposed
suicide note. "I'm sorry, especially to my son," from a man who lived by
words, just doesn't ring true. Casolaro wrote a novel, a children's
book. His prose style, at least as displayed in an outline submitted to
Little Brown of a book he proposed to write about the octopus called,
"Behold, A Pale Horse," is on the florid side. Such a terse farewell,
unless composed or dictated at gunpoint, is entirely unconvincing.
The man who could have resolved the Inslaw case, Richard Thornburgh,
resigned as attorney general the day the West Virginia police came
forward with an autopsy. Excess was the hallmark of his farewell
ceremony: an honor guard, a trooping of colors, superlatives from
subordinates. Willam P. Barr, his deputy and possible successor, spoke
of Thornburgh's "leadership, integrity, professionalism and fairness,"
none of which Thornburgh - now, by the way, a candidate for the Senate -
displayed in his handling of Inslaw.
Although the Inslaw case occurred in the time of Ed Meese, Thornburgh
took it to his busom. Bill Hamilton, a perfectly nice Midwesterner,
invented Promis, a computer software program specially adapted to crime
statistics, which he sold to the Justice Department. The second year,
Justice stopped paying the bill.
Hamilton and his wife, Nancy, believed that cronies of Meese got the
franchise to sell it around the world. Promis has turned up in Canada
and Pakistan. The link with the October Surprise is Earl Brian,
allegedly the agent who paid off the Iranians to keep the hostages. He
was paid back with huge profits from Promis.
Thornburgh refused to discuss the case with the Hamiltons or their
counsel, Elliot Richardson. He did not answer Richardson's letters. He
did not return his phone calls. He refused to receive his distinguished
predecessor.
The Hamiltons have been to court many times. Judges have recused
themselves, witnesses have disappeared or recanted. The man who knows
the most, Michael Riconosciuto, was picked up in Washington state on
drug charges and is in jail. What was merely sinister has now turned
deadly.
Thornburgh calls the Inslaw case "a little contract dispute." He refused
to testify about it to the House Judiciary Committee. Richardson thinks
it could be "dirtier than Watergate," and he should know.
Thornburgh's conduct is the most powerful argument for believing that
Danny Casolaro saw an octopus before he died.
------------------------------
Date: Fri, 13 Sep 91 16:37:57 EDT
From: pkumar@SUGRFX.ACS.SYR.EDU(Parvin Kumar)
Subject: File 6--"Freaker's Bureau Incorporated" (FBI)
You may, or may not have noticed a new magazine in the cyberworld:
FBI Presents. We at FBI are dedicated to bringing you the news, at
whatever the cost may be. We Specialize in Anarchy And Phreaking
files, but also attempt to bring you Hacking and Carding files
whenever we find them available.
Many of our articles deal with the rights of hackers and computer
users as a whole. So if you are interested in these, pick up a copy!
We are a monthly production, and we try to keep to our deadlines as
well as possible.
We are currently working on issue 3 of FBI Presents, It will include
such features as...
An Interview with Mitch Kapor of EFF,
How To mass Mail.
The Non-Box. (A box plan you will find VERY interesting!)
It will be available some time around the end of September.
So.. You can grab one of our previous issues at:
chsun1.spc.uchicago.edu
ashley.cs.widener.edu
IF you would like to submit an article, which I *HOPE* you will do, you can
send it to:
au530@cleveland.freenet.edu
You can also request an E-Mail subscription from this address.
So RUN to your local FTP or favorite P/H/A BBS and grab a copy of
F B I Presents.
------------------------------
Date: Tue, 10 Sep 91 11:45:43 PDT
From: Dark Adept <dadept@unixville.uunet.uu.net>TNET>
Subject: File 7--Review of Site Security Handbook (by Dark Adept)
(Reviewed by Dark Adept)
The RFC 1244 - Site Security Handbook Reviewed
The Dark Adept
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The RFC (Request for Comment series) has produced a new tome:
The Site Security Handbook. This little gem aired on July 26, 1991 on
the newsgroup comp.doc. At 250K+, it is a somewhat large file to
transfer around, but well worth it.
It has its good points and bad points, but the good seem to outweigh
the bad. So, saving the best for last, I will address some of the
major bad points first.
I. Stereotyping and other falsities
-----------------------------------
This document completely explodes hacker myths and stereotypes. Here
is an example:
"As an illustration of some of the issues that need to be dealt with
in security problems, consider the following scenarios (thanks to
Russell Brand [2, BRAND] for these):
- A system programmer gets a call reporting that a
major underground cracker newsletter is being
distributed from the administrative machine at his
center to five thousand sites in the US and
Western Europe.
Eight weeks later, the authorities call to inform
you the information in one of these newsletters
was used to disable "911" in a major city for
five hours." (RFC1244 p. 6)
Very cute. Very believeable. Very much impossible, and very much a
lie. I think we all know what this refers to (the Phrack/E911
incident), and I think that it is unprofessional of the editors of RFC
1244 to use this example which is nothing more than a scare tactic.
Also please note that all the examples, while not as blatant as this,
deal with someone on the outside breaking in. It makes one wonder why
this is true when later in the document the editors state:
"As an example, there is a great deal of publicity about intruders on
computers systems; yet most surveys of computer security show that for
most organizations, the actual loss from "insiders" is much greater."
(RFC1244 p. 10)
Why oh why, then, are all your examples so one-sided? Why the
stereotyping of intruders? Why the little E911 parody?
II. Relies more on accepted sources than reality
-------------------------------------------------
Over and over and over and over again, ad nauseum, this manual refers
to those security gods, CERT. Allow me to let you in on a little
secret. CERT has not said anything revolutionary. In fact, much of
what CERT says, and much of what is stated in this manual, has been
found in hacker G-Philes over the years.
examples:
"...the Computer Emergency Response Team/Coordination Center (CERT/CC)
at Carnegie-Mellon University (CMU) estimates that 80% or more of the
problems they see have to do with poorly chosen passwords." (RFC1244
p. 8)
Gee, does that sound familiar, or what? Every G-Phile around has in
bold-faced italicized triple underlined print: "Try his wife's maiden
name" or "try his name backwards" or "here is a list of common
passwords" or, more to the point "people are idiots when they choose
passwords" (hmm. I think that particular one was in one of my
previous CuD articles).
Here is another "cute" one:
"The Computer Emergency Response Team (CERT - see section 3.9.7.3.1)
has observed that well-known universities, government sites, and
military sites seem to attract more intruders." (RFC1244 p. 12)
Those veritable gods of observation! Gee, what would hackers break
into? Maybe John Doe's collection of x-rated .gifs? I doubt it. In
fact, 90% or more of every "hacker's atlas" (a G-Phile which is more
or less a phonebook of data lines and who owns them) consists of phone
numbers to the above named institutions.
The main point is that RFC1244 does nothing more than collect
statistics from G-Philes. This in itself is useful, however, but it
would be more beneficial if the editors read the G-Philes themselves
rather than using watered down information from CERT et al.
Now for the good points. There are so many that I dare not try to
list them all, just some highlights.
It contains an extensive overview of a step-by-step way to implement
security. From deciding who is to be involved to selecting a method
(or methods) of security, this document mentions it.
It has a list of many resources such as (ugh!) CERT, magazines
(on-line and printed), software companies, etc. This is good since it
provides the prospective securer with a starting point.
It deals with security issues not usually thought of until a disaster
happens, such as: how much should we tell the press? who should we
notify? etc.
This handbook is directed mainly at the Internet user/sysadmin, but it
can be applied to a PC in a dentist's office. For a security novice,
or someone who just wants to find out what real security entails, this
is the book, and it's free!
So, before you go hiring Tacky Thacky or ex-LoD, read this handbook
first. At least then you'll know what you're buying.
My rating: 3.5 hacks (out of 4). It loses the 0.5 for the
stereotypes and lack of first hand info, but otherwise something to
have around the office/terminal.
------------------------------
Date: Sun, 1 Sep 91 16:49:20 CDT
From: "John E. Mollwitz" <moll@MIXCOM.COM>
Subject: File 8--Complain to Journalists
The national convention of The Society of Professional Journalists,
an organization of roughly 18,000 members in the United States, Canada
and Japan, is meeting Oct. 17-19 in Cleveland. As part of that convention,
a seminar will be conducted on writing about computers and computer networks.
Since over the years, cyberspace travelers have bemoaned the accuracy of
articles relating to computers, computer networks and even telephones,
we ask that you email or snail mail examples of articles that you have
found solid and others that you have found less so. Please include a note
of explanation.
The panel then will try to compile the examples, and the comments
and produce a handout for discussion. Sometime in the week after the
convention, we will post the results of the session. The names of the
panelists will be disclosed at that time since it is possible that some of the
articles that may be submitted may have been written by a panelist.
Mail paper examples to me at the address below. Where possible, the
examples should include a copy of the article, the name of the publication
and _specific_ comments. If the article is dismissed simply as "nonsense,"
state that it is because paragraph 5 has failed to adequately explain a
concept, and that it would have been better to have said it this way or
that.
So, if you go into fits when you see the word "hacker" in print, please
mail by Sept. 30.
Thank you for your cooperation.
John E. Mollwitz,
Chair, Committee on New Information Technologies
The Society of Professional Journalists
c/o The Milwaukee Journal
P.O. Box 661
Milwaukee, WI 53201-0661
Electronic Mail--Usenet: moll@mixcom.com; CompuServe: 72240,131;
GEnie: J.Mollwitz; Prodigy: CKFB43A;
------------------------------
Date: Tue, 27 Aug 91 17:36:25 EST
From: Gene Spafford <spaf@CS.PURDUE.EDU>
Subject: File 9--Spaf's Response to Reviews of _Unix Security_
Just a couple of quick comments on some of the points made in the
reviews of "Practical Unix Security" in Volume #3.30.
Jim Thomas noted that we were brief in our explication of the laws
concerning computer intrusion. That was intended -- rather than giving
inexpert legal advice, we would prefer that the readers discover the
finer points through consultation with trained legal counsel. Although
we got advice from some experts in the area, we didn't feel up to a
formal treatment of the legal aspects related to security; we made
reference to other appropriate references in the appendix, and felt it
best left at that. Legal action is a serious step that should not be
undertaken solely on the basis of our treatment in the book!
Neil Rickert commented in his review about our recommendation not to
make the mail command the login shell on an account. He states that
the user would get the login shell using the shell escape (viz., doing
a % will result in a new invocation of mail), and this is not as clear
a problem.
On at least one system I have used, doing a "%!/bin/sh" has given me a
shell no matter what the login shell was. On some systems, escaping
into the editor with "%e" then allows the user to call up a shell. On
some versions (including SunOS), doing a "%:set SHELL=/bin/sh" lets me
bypass the current idea of login shell. Rather than give all the
what-ifs, we decided to recommend against the practice -- it is a major
accountability hole, too.
Neil caught an error with the statement about "su" -- we were both
thinking "suid" when we proofread it, and it slipped by. Mea culpa.
As for us making sound Unix scarier that it is, well, some versions of
Unix are pretty scary! We tried to keep the paranoia from overcoming
us, but after 500 pages of describing potential problems in all the
myriad forms of Unix, it became a losing battle. Then too, to get in
the proper frame of mind to do serious security work, one needs a touch
of paranoia.
That's probably one of the key concepts that we must not have stressed
enough later in the book -- not every system is vulnerable to every
problem we described. Some systems have been tightened up, and others
are like Swiss cheese.
Simson and I are grateful for any other comments people care to make,
here or in mail.
------------------------------
End of Computer Underground Digest #3.33
************************************