Chiba City News
Copyright 1993 IDG Communications, Inc. InfoWorld
December 13, 1993
Hackers and cyberpunks have received a lot of attention lately, from the Los Angeles Times to Newsweek, and from the famous WarGames movie to the detailed exploits of Robert Morris, the Internet worm creator. Exposés of the computer underground are terrifying many individuals into a deep computer phobia. The perception is that bands of angry, antisocial adolescents are waiting in the wings to wreak havoc on the nation's nuclear arsenal, monetary supply, and space programs.
The reality is that there is a far greater information security risk from the administrative assistant whose insurance premium was bumped and wages frozen than from any Legion of Doom member.
In retailing, the greatest proportion of larceny occurs among internal employees. The same goes for IS and others who have access to information systems. The users who have privileges within accounting systems, databases, and confidential records are more apt to err or sabotage the system than a rogue hacker. Assuming that the network manager or MIS director has implemented sufficient security procedures and protocols (nonpublished dial-in numbers, adequate levels of password protection, delayed modem pickup, enforcement of good passwords, and timely password changes), for a vast majority of organizations, the threat of a hacker getting into the LAN is insignificant. It is the quiet end-user lurking on the inside who has the greatest potential for destruction.
For those who still have a fear of the cyberpunk, it is crucial to realize that the cyberpunk is interested in a few, select establishments. Organizations such as MITRE, NASA, FDIC, DOD, Blue Cross, SRI, Chemical Bank, and TRW are far more fascinating and alluring than the standard businesses that have no far-reaching impact.
Would you spend 12 hours attempting to penetrate the 10-user archaic LAN at Irving Tire & Auto? Most ordinary business LANs such as Irving Tire have nothing more than megabytes of boring memos, monotonous reports, and dull databases. No self-respecting hacker would spend an entire evening rummaging through such systems. There is simply no reward for the hacker in doing so. For the vast majority of American businesses that are not part of the Fortune 500 or defense contractors, the fear of a hacker is simply more hype than reality.
The real danger is perceiving the hype as reality. If an MIS staff spends its time chasing the nonexistent hacker, the real internal security breach will only continue to spread. That is one trojan horse that even the best security software couldn't identify.
Two critical and effective proactive measures in any info-security system are the distribution of a clear and understandable information systems policy manual and the separation of duties among staff.
Telltale signs, such as key technical or financial staff members who never take vacations or reject any concept of cross-training or promotion, are indicators that some type of indiscretion may be occurring. Cross-training and separation of duties are key steps to take to curtail any info-security predicament.
It is far more glamorous and exciting to chase a hacker across three continents with the NSA and Interpol at your side than to discipline a disgruntled data entry clerk on the seventh floor. Yet it must be realized that there is only one Clifford Stoll but thousands of perturbed employees and breaches that need to be mended. As soon as the hype is discarded and the dreams of being another James Bond are abandoned, one may finally tackle the real info-security issues. But until then, the losses mount and the breach grows and grows.
Copyright 1994 The Times-Picayune Publishing Co.
January 12, 1994 Wednesday, THIRD
In today's high-tech world, even small businesses have elaborate, computerized phone systems. Now the Better Business Bureau is warning of an increase in phone scams using these complex systems.
The BBB says the scams, which can run up thousands of dollars of long-distance telephone charges, are frequently the work of prison inmates who use various methods to gain access to an outside company's telephone lines in order to place the unauthorized calls.
In one scenario, the BBB says, an inmate calls the company, claiming to be a new employee who does not have an access code and needs an outside line. Once this information is given and he has an open line, the scam operators, many of whom are skilled computer hackers, are free to place calls across the country and world.
The company is unaware that anything is wrong until it receives an exceptionally high phone bill. In many cases, the businesses must pay for these calls, the BBB says.
The bureau advises businesses to understand all the capabilities of their elaborate phone systems by checking with the vendors who sold the equipment. Any vendor should be able to describe the fraud-defense features of its system, the BBB says.
Lighter recalled: In one of the worst marketing ideas of 1993, the New York Lighter Company Inc. manufactured disposable cigarette lighters decorated with troll designs.
Now the company is recalling 24,000 of its "Good Time Troll" lighters because they may tempt children to play with them.
The lighters sold for $3 each at convenience stores nationwide from January through July 1993.
Owners of the lighters can call the company at 1-800-6262-4732 to receive special pre-paid packaging and instructions for returning the lighters.
The company will send free gifts to consumers who return the lighters.
Casablanca fan recall: Casablanca Fan Co. is recalling about 3,264,000 ceiling fans, manufactured from 1981 through 1993. The fans, which sold for $200 to $2,500, can separate from the canopies on which they are mounted and fall, possibly injuring bystanders.
In addition, falling fans may expose wires that pose electric shock hazards.
The company has received at least 50 reports of fans falling from ceiling mountings.
The recalled fans can be identified by looking at the metal nameplates on the exterior of every Casablanca fan. A recalled fan will have "Casablanca" on the nameplate. Also, the second letter of the serial number on the name plate will be A,B,C,O,P,R,S,T,U,V,W,X or Y.
Casablanca has designed a retrofit part to be installed by the consumer to prevent the fan from falling from its mounting. For more information or to get the free kit, call 1-800-390-3131.
The company says consumers should stop using the fans and prevent anyone from walking, standing or sitting below them. If a fan falls, the circuit in which it is connected should be turned off.
If you have a question or problem, write to The People Helper at The Times-Picayune, 3800 Howard Ave., New Orleans, La. 70140, or call 821-1727. Consumer complaints about mail-order companies or local businesses must be in writing and should include copies, not originals, of the necessary documentation.
Copyright 1994 Toronto Star Newspapers, Ltd.
The Toronto Star
January 11, 1994, Tuesday, FINAL EDITION
An Oshawa-area youth has been charged with defrauding the cellular telephone network run by Rogers Cantel Inc. of $500,000 worth of long-distance telephone calls.
The alleged theft took place last spring and fall, Cantel's director of fraud and security, Clive Woodrow, said in an interview yesterday.
The suspect cannot be identified because he was less than 17 years old at the time charges were laid.
The suspect allegedly charged long-distance calls to Cantel customers' phone numbers by using a computer to gain illegal access to their voice mailboxes and changing the greetings, Woodrow said.
The greetings were then apparently used to approve calls billed to the Cantel customers' numbers, Woodrow said.
A small number of customers were affected, he said. Some $200,000 worth of the calls were made to a single Cantel phone number over a 17-day period, he said.
Cantel blames Bell Canada's new automated long-distance billing service and is locked in a dispute with Bell over which firm should shoulder the bulk of the losses.
Since the alleged theft, Cantel has begun offering customers a service that prevents their cellular telephones from accepting third-party bills, he said.
Long-distance fraud costs North American firms an estimated $2 billion a year, telecommunications consultant Ian Angus said.
Much is conducted by computer hackers who gain illegal access to telephone networks by figuring out how to break the access codes.
Copyright 1993 Forbes, Inc.
Forbes
September 13, 1993
Hackers warn they'll either be working for you or against you. Can you believe anything they say?
SCOTT CHASIN is a young man working in what some people insist will be one of the growth jobs of the 1990s -- cracking and entering computer systems. He has remarkable qualifications, only some don't appear on his resume. A member of the Legion of Doom hacker group -- notorious for penetrating and disrupting telephone company systems -- Chasin, while never convicted, has had his brushes with the law. He now works full-time managing personal computer networks for Amoco in Houston.
Chasin claims that since his Legion of Doom days he hasn't done anything illegal. However, he still spends several hours a night exploring the computer underground. "I want to keep my hand in what's going on," he explains. "The technology changes incredibly fast." Chasin has good reason to stay on top of his game: He moonlights as a computer security consultant, he says, paid by clients to safeguard their computers from people . . . like he used to be.
Hackers are generally an annoyance to the business world, burrowing into corporate databases and leaving taunts -- or worse. In 1992 alone, U.S. companies were struck with more than $2 billion in unauthorized phone bills, according to Telecommunications Advisors, Inc. Now, however, a more pragmatic population of hackers is moving into its 20s and 30s. Like most people in that age group, they are looking for a little job security. Many, like Chasin and the self-proclaimed dean of hackers, Ian Murphy, say they intend to find it in the corporate world, preferably in a position that takes advantage of their unique skills. Whether as industrial spies or as computer security consultants, hackers say they are entering the work force to do good. Then again, they may be lying.
Beats slinging hash at McDonald's
There are a number of ways hackers can make money from their trade, and they seem to be exploring all of them. "These kids don't want to give up hacking to sling hash at a McDonald's," notes Gail Thackary, a deputy attorney for Maricopa County, Ariz., who became a well-known hacker-buster with the Philadelphia district attorney's office in the mid-1980s.
Some hackers hope to become software vendors, selling polished versions of programs they swap among themselves. One hacker, known as Video Vindicator, is preparing to distribute a program that scrambles confidential data files -- from marketing databases to a bookie's accounting records -- making them unreadable without the appropriate passwordlike code. A second program will help identify cellular phone transmission frequencies, a product, he notes, that will be of interest to drug dealers and other dubious characters looking for untappable phone lines. "I'm hoping to make a couple of million the first year," he says, without a trace of irony.
Fraud is another way to make hacking pay. Stealing credit card numbers from credit bureaus and other sources has long been a hacker mainstay. But as credit bureaus grow more adept at protecting card numbers and hackers' appetites for equipment and cushy lifestyles grow, other, more lucrative crimes are becoming attractive. Tapping into bank networks and electronically hijacking money is one increasingly popular undertaking. Counterfeiting money and negotiable securities with high-tech photocopying systems is another. "We're seeing the merging of criminal computer activity with more traditional criminal activity," says special agent John Lewis of the Secret Service, which along with the FBI investigates computer fraud.
Many hackers and some security professionals insist that companies have hired hackers to go after competitors. "It's absolutely true, and I know it from first-hand experience," says John O'Leary, director of education for the Computer Security Institute, San Francisco. "I can't say I've seen a contract, but I know of a company that has hired a hacker to break in."
The Secret Service's Lewis and supervisory special agent for the FBI's Economic Crime Unit, Harold Hendershot, both say the threat may be a real one. "Hackers have probably been hired for this," says Hendershot.
Competitive intelligence consultants comprise one rumored source of employment for industrial spy-hackers. These small firms are hired by larger companies to snoop out data on competitors, ostensibly via computer searches of publicly accessible databases and other legitimate sources. But by all accounts, some of these companies are hired on a no-questions-asked basis with the understanding that they'll do whatever it takes to get the goods. "Competitive intelligence companies are all sleazy; they're brokers for thieves," says Gary Johnson, senior investigator with the Harris County district attorney's office in Houston, who is experienced in hacker cases. He says managers could be buying information stolen by hackers without knowing it or being only dimly aware of the situation.
Hackers looking for employment opportunities can supposedly turn to the hacker-operated computer bulletin board services. These services are located throughout the United States and abroad, and are accessible by anyone with a computer and modem. Although most of the material posted on the hacker boards is juvenile blather about sex, computer games and societal ills, many of these boards have "elite" sections that can be entered only by proving one's hacking expertise via quizzes, references or phone interviews. It may be here that hackers get down to business.
"If I want information on XYZ Corp., all I have to do is post a note offering to swap a 359-megabyte hard drive in exchange," says Jim Kates, vice-president of Stamford, Conn.-based Janus, a computer security firm. Kates has learned how to bluff his way onto the elite boards and says he sees notes like that "all the time."
But none of the dozens of hackers, computer security consultants, corporate information systems managers or law enforcement agents specializing in computer crime who were interviewed for this article could provide any verifiable evidence of hacker espionage.
The larger, more established security consultants -- typically attached to Big Six accounting firms since their services grew out of financial auditing practices -- downplay the threat. "The mythical overseas hacker going after companies isn't a big problem," says Alan James, manager of information technology assurance services for Coopers & Lybrand in Los Angeles. "Generally speaking, employees accidentally deleting files is a bigger problem." Harry DeMaio, national marketing director of information protection services for Deloitte & Touche, Wilton, Conn., contends that his clients are much more concerned about the accessibility and accuracy of their data than they are about competitors getting their hands on it. "Defense contractors, credit bureaus, and toy and cosmetics manufacturers worry about the confidentiality of their data," he says. "But for most companies it's almost a negligible issue."
Hackers maintain that computer security professionals dismiss the threat of hired hackers either because they don't realize what's going on in the computer underground, or because they know they can't protect against it. To do so, they claim, you need to have been a hacker yourself.
Jekyll or Hyde?
Switching from malicious hacker to hackers' nemesis is a more natural transition than may at first seem likely. "It's almost a rite of passage to first be convicted of some computer crime and then try to find work as a computer security consultant," says Michael Alexander, editor-in-chief of Info-Security News, a bimonthly magazine for the computer security industry.
Although few hackers are known to have made it as security consultants, those who dream of being rewarded for shutting down their colleagues can find a role model of sorts in Ian Murphy. Captain Zap, as Murphy is known on the hacker bulletin boards, first won a name for himself with his 1981 bust for, among other things, breaking into the White House's computers.
Murphy claims to be hired on a regular basis to carry out various computer security chores for corporations. Most notably, he performs penetration tests, in which he attempts to break into clients' computers to identify their vulnerabilities to hacker attack. To get his hands on passwords and other computer documentation, he routinely sifts through dumpsters outside his clients' buildings, he claims, even going so far as to physically break into facilities, as he says he did at United Airlines' Saddlebrook, N.J., reservation center.
Needless to say, getting paid to break into a company's computers without risk of arrest is a hacker's fantasy, and Murphy loves to lord it over other hackers. "I'm the only hacker on the planet who's doing this sort of thing," he says. Adding to his hubris, People magazine ran a flattering profile of him, and the computer industry trade magazine Information Week put Murphy on the cover, unquestioningly reporting his self-described exploits and his claimed earnings of up to $500,000 a year. (Murphy repeatedly telephoned to push for the cover slot of this supplement.)
Murphy is a playfully obnoxious, pudgy 36-year-old who lives with his parents in their Philadelphia home. His phone conversations are punctuated by shouting matches with his mother, who becomes particularly riled when her son risks electrocution by staying on the phone during thunderstorms. (A budding romance with his Federal Express delivery-woman has kept the twice-divorced digital swashbuckler out of the home as of late.)
At times, Murphy seems to have a little trouble separating fantasy from reality. He rants about building battery-powered devices that will wipe out all nearby electronic chips with a massive electromagnetic pulse. He says his company, IAM/Secure Data Systems, is being taken public. He brags about a lucrative book deal that never quite materializes. Murphy also refuses to provide the names of corporations on whose behalf he has supposedly hacked, claiming he is bound by nondisclosure agreements. He did participate in a Peat, Marwick & Mitchell-run penetration test of the Philadelphia Savings Fund Society (now defunct) in 1986. "Ian performed in a satisfactory way," says a former partner of Peat, Marwick (not Peat Marwick KPMG). "But we kept a very close eye on him."
The "backdoor" trick
If Murphy is a role model, it is only for the dishonest hacker who is unsuitable for security work, fumes prosecutor Thackary. Rumor has it that Murphy has on occasion sent companies unsolicited information about other hackers along with a bill. "All that proves is that he's willing to sell out his friends in the underground," she says. (Murphy denies such marketing tactics and insists he doesn't turn in other hackers.)
Not surprisingly, other law enforcement figures who have dedicated their careers to shutting down hackers are less than charmed by the notion of hiring ex-hackers to provide security. "Have you ever met one of these kids face-to-face? They're nerds," says Harris County's Johnson. "Even the mob wouldn't trust them."
But Johnson and Thackary's reaction to Murphy and his fellow hacker/consultants is mild compared to those of computer security professionals. When Scott Chasin and some of his Legion of Doom pals, including well-known hacker Chris Goggans, started up a Houston security consulting firm called Comsec in 1991, they were excoriated in articles and letters published in the computer trade press. Chasin claims one prominent security professional promised to call all of Comsec's prospective clients to warn them off. "How would you feel if some young guy who knew all the tricks was entering your line of work?"
Among the tricks hackers use to gain access to a company's computers is leaving a "backdoor" to the system -- a program or password that allows them to get back in at a later time. "What happens if your relationship with a hacker sours?" asks the Computer Security Institute's O'Leary. "Now you've got somebody who has the keys to the kingdom and the motivation to do nasty things."
Hackers never truly reform, contends Thackary, especially when they hope to trade on their expertise. "If they're going to get good information from the underground on behalf of their clients, they have to be doing something in return," she says, such as providing information about their employers. Although hackers don't deny keeping their hands in the game, they claim there is no conflict. "You don't bite the hand that feeds you," Murphy says.
Such promises, though, smack of extortion: Hire me or I may rip you off. And not all hackers adhere to even this dubious guarantee. Harris County's Johnson uncovered a scam in which hackers searched out local corporations whose dial-in computer systems were protected by easily guessable passwords. They would leave a harmless virus on the system, contact the company to warn it about a virus that was "going around" and then offer a free security evaluation. If a company bit, the hackers would use the evaluation as a cover to gain access to all of the company's systems and then insert backdoors for later systems raiding.
Clueless "Ken dolls"
Ex-hackers concede their ethics aren't exactly mainstream, but insist they are a company's best bet. Conventional security consultants, they say, are simply clueless about how to defend against hackers. "The Big Six accounting firms send over people dressed to the nines like Ken dolls, with degrees in accounting and psychology, and they're generally incompetent," sneers Murphy. "While I'm jumping into dumpsters, they're presenting a report that highly recommends locking the door to the data center."
Chasin is equally contemptuous of the industry, claiming that one speaker at a security industry seminar spent several minutes explaining to the audience of computer security heads how to load software from a disk into a computer. "I just sat there thinking, 'No wonder it was so easy when we were hacking,'" he says.
But not all computer security professionals are gray-suit auditor types. A short, slightly balding man in his 40s with a friendly, soft-spoken air, Peter Goldis is the establishment's answer to hackers. He travels around the world breaking into clients' computer systems for $6,000 to $75,000. The jobs are often arranged by Coopers & Lybrand, among others, for whom he is a subcontractor. He carries with him a loose-leaf binder filled with short programs he has written to bypass the various security procedures implemented on mainframes. One program, entitled "Get Another User's Password in a Top Secret Shop," comprises 16 surprisingly simple lines, such as "LA 1,PARMS," that cause the computer to spit out the passwords of employees who are authorized to control all the machine's operations. By entering one of these passwords, Goldis can roam unimpeded throughout the corporate cyberspace.
Sometimes the job takes 20 minutes, other times a few days. Goldis says 56 of his 60 penetration tests have been successful, and those that have failed were retests for clients that had previously implemented his suggested security fixes. The ease with which he customarily breaks into systems often shocks his clients. "I was hired by a corporation in Australia, and within a few hours I was far enough into their accounting system to start cutting checks," he recalls. Janus' Jim Kates also performs penetration testing, as do most of the Big Six firms and even IBM, if pushed.
Though mainstream security professionals tend to downplay penetration testing as gimmicky, they point out that because legitimate professionals can do the job, there's no need to even consider hiring a hacker. "Why hire a Chris Goggans when you can hire a Peter Goldis?" asks Info-Security News' Alexander.
But it's not clear that Peter Goldis or any other mainstream penetration testers can really simulate a serious hacker attack. Password cracking is, of course, where hackers shine. Murphy says he has snuck into executives' offices after hours dressed as a custodian and prowled through countless trash cans. Video Vindicator claims he and other hackers have a program that can automatically break passwords on some systems within 30 minutes by trying every word in the dictionary at a rate of 10,000 words per second.
Goldis and other security professionals concede that hackers are adept at breaking through password security. But they claim companies can't learn much from the experience because some employees will always be careless about keeping their passwords secret and there will always be ways to sneak into buildings. Goldis adds that hackers are most skilled at breaching security on PCs and Unix-based systems, while corporations' most vital data resides on mainframes.
But Murphy, Chasin and other hackers insist they can show companies how to make themselves invulnerable to password-prowling hackers. In addition, they say mainframe expertise can be gleaned from readily available sources. Goldis has himself picked up many of his best tricks from software manuals that companies were about to discard. At any rate, hackers probably need not worry about mastering mainframes. Corporations are moving at breakneck speed toward PC- and Unix-based systems in the form of client/server architectures, which may place professionals like Goldis and Kates at a disadvantage. Goldis says he's studying the subject.
If hackers do have an edge, why don't more companies hire them to provide penetration testing or other security services? Actually, say many hackers, they do -- they just won't admit it. Besides being generally reluctant to discuss security problems, corporate computer security managers recognize that there is nothing to gain, and a lot to lose, by admitting that they hire hackers. Michigan Bell was inundated with negative publicity when word leaked out in 1989 that it had hired hacker John Maxfield as a security consultant. The company now can't put enough distance between itself and the incident. "It was a poorly conceived idea by one of my ex-bosses," says Craig Granger, current director of computer security for the phone company. (The ex-boss is now an ex-employee, Granger adds.) And when Chasin and friends formed Comsec (which closed its doors last year), Computerworld, a trade publication, quoted Norman Sutton, a computer manager at high-tech manufacturer Leemah Datacom, as liking the idea of learning from hackers. Now Sutton refuses to discuss the issue, except to state that he never employed Comsec or any other hackers.
In any case, companies may be hiring hackers without realizing it. "I'm not sure I would present my credentials as a hacker if I were applying for a job," says Video Vindicator. Scott Chasin didn't; his boss at Amoco found out his promising young hiree was a nationally known hacker only when he saw Chasin on NBC's "Dateline" breaking into the network's computers. According to Chasin, his boss was "tickled." Computer security managers at Exxon might wonder exactly which possibilities were tickling him.
WHY THE THREAT IS GROWING
Companies now have more reason than ever before to fear hacker espionage, thanks to a number of trends. Among them:
* GLOBALIZATION The pressures of international competition have spawned the best-known recent cases of industrial espionage. Earlier this year the CIA warned 49 U.S. defense contractors that the French government was preparing to spy on them, prompting the Pentagon to ask Hughes Aircraft, Lockheed and other aerospace companies not to participate in the Paris Air Show. And four giant Japanese corporations reportedly bought secret Star Wars computer code in 1990 from a scientist at a high-tech defense contractor in California.
Multinational hacking is already part of the picture. German hackers are known to have attacked NASA databases, and law enforcement officials believe corporations are fair game. "If I were a developing Eastern European pharmaceutical company and I wanted a base of information," says Secret Service special agent John Lewis, "my choices would be to launch a lab program to develop it or to go somewhere it already existed. One way would be through computer intrusion." Harold Hendershot, supervisory special agent for the FBI's Economic Crime Unit, notes that Sweden-based hacker group the Dream Team (best known for cracking copy protection on commercial and game software and then distributing the programs on bulletin boards) is becoming increasingly brazen. Other hackers say the Dream Team has also begun to engage in corporate espionage; Hendershot doesn't rule out that possibility.
* THE MOVE TO CLIENT/SERVER ARCHITECTURES Companies have traditionally kept most of their data either on mainframes, which can be guarded with security software, or on stand-alone PCs, which usually can't be accessed from the outside. But as client/server architectures become increasingly popular, both barriers are removed. Servers, which act as data hubs for groups of PCs, typically run the Unix operating system -- notorious for its lack of mainframe-style security features and a particular favorite of hackers, many of whom learned their trade on the Unix-based systems popular at high schools and universities. What's more, servers often provide dial-in ports; if a hacker reaches such a server, he or she would be able to access the attached PCs.
* HACKERS' STEEP LEARNING CURVE Law enforcement agents all agree that hackers' obsession with sharing information via bulletin boards makes them better able to stay abreast of the latest tricks of the trade and corporate vulnerabilities than their adversaries.
"Hackers use open communications as a weapon against us," says Jim Kates, vice-president of Stamford, Conn.-based computer security firm Janus. "Those of us in security don't like to talk about what we find out."
TIGHTENING YOUR SECURITY
Companies tend to rely heavily on password security to prevent their computer data from falling into the wrong hands, but hackers are adept at guessing or stealing passwords. Some additional, often overlooked, ways to protect systems include the following:
* TURN PCs AND SERVERS OFF AT NIGHT People often let their machines run 24 hours a day, making them prime targets for after-hours hackers if the machines have modems or are connected to servers with dial-in ports.
* INSTALL DIAL-BACK PROTECTION These devices allow modems to receive calls but remain connected only long enough for a caller to enter a password. The device then hangs up and calls the employee back at a preapproved phone number. To gain access to a system with dial-back protection, a hacker would have to be at a location with an approved phone number or reprogram the dial-back device with his or her own number -- a difficult task.
* DISTRIBUTE ELECTRONIC AUTHENTICATORS TO EMPLOYEES WHO REQUIRE DIAL-IN ACCESS These card-deck-sized devices generate new passwords every few seconds in sync with a device attached to the dial-in system; all an employee has to do is type in the password displayed by the authenticator. Even the cleverest and luckiest hacker usually requires at least several hundred tries to correctly guess a password; the authenticator demands that you get it right the first time. And because the password is constantly changing, it can't be given out or stolen.
* IF A COMPANY MUST RELY ON PASSWORDS, IT SHOULD ENCOURAGE EMPLOYEES TO SELECT THEM AS FOLLOWS Settle on a familiar phrase, such as "Down and out in Beverly Hills"; then list the first letter of each word, capitalizing just one of them; finally, add a number to it.
The resulting password -- something like "daoiBh6" -- is easy to remember but difficult to guess, even for hackers equipped with automated password guessers that try every word in the dictionary forwards and backwards. * RUN CONFIDENTIAL DATA FILES THROUGH ENCRYPTION SOFTWARE THAT STORES THEM IN SCRAMBLED FORM Although this doesn't make files any harder for hackers to steal, they won't be able to make sense of them if they do. THE PROS AND CONS OF HIRING HACKERS PROS * Hackers will usually know the latest tricks other hackers are using to break into systems and thus will be able to suggest ways to foil them. * Hackers may be able to pick up advance notice of hacker attacks via underground contacts or hacker bulletin boards. * Unlike conventional computer security professionals, hackers are particularly adept at dealing with PCs and Unix-based servers, which are increasingly where the action is. * Hackers can provide penetration tests as realistic as clients are likely to want. * Top-notch hackers can offer complete security evaluations -- including remedies -- for a fraction of the cost of a Big Six accounting firm. CONS * Reformed hackers may not be completely reformed. Whether from habit or paranoia, they could be tempted to leave "backdoors" in your systems that would allow them to break in at a later date. Consequently, if your relationship sours or they grow weary of being corporate players, your systems are sitting ducks. Alternatively, hired hackers may offer information about your systems to their cohorts in exchange for other information. * Hackers don't like to turn in other hackers. A hired hacker might help prevent a hacker attack but leave the attacker free to pry again. * Hackers usually don't have enough assets to make lawsuits worthwhile, nor is it likely they will be insured or bonded. Thus, companies shafted by hired hackers are left little recourse for compensation. * Most hackers don't know how to fit into the corporate scene. 
They may offend managers and other employees with arrogant and juvenile attitudes. And they might take it upon themselves to perform various acts of simulated theft or sabotage, ostensibly to raise awareness but needlessly inconveniencing and even frightening people in the process.
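The electronic authenticators described in the security tips above, sketched as an added example that is not part of the original article: a time-synchronized one-time password with a verifier that refuses replays and locks out after repeated misses. The 1993 devices used vendor-specific algorithms; this uses the open TOTP construction (RFC 6238) instead, and the 30-second step, 6 digits, drift window and class name are assumptions.

```python
import hashlib
import hmac
import struct

# Assumed parameters (not from the article): RFC 6238 defaults.
STEP_SECONDS = 30
DIGITS = 6


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """One-time password for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class DialInVerifier:
    """Hypothetical server side: the device attached to the dial-in system."""

    def __init__(self, secrets, max_failures=3, drift_steps=1):
        self.secrets = secrets          # user -> shared secret (bytes)
        self.max_failures = max_failures
        self.drift_steps = drift_steps  # tolerated clock drift, in steps
        self.failures = {}              # user -> consecutive misses
        self.last_step = {}             # user -> newest step already accepted

    def verify(self, user, code, now):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        if self.failures.get(user, 0) >= self.max_failures:
            return False  # locked until an administrator resets the count
        current = now // STEP_SECONDS
        first = max(0, current - self.drift_steps)
        for step in range(first, current + self.drift_steps + 1):
            if step <= self.last_step.get(user, -1):
                continue  # a code from this step was already used: replay
            expected = totp(secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step[user] = step
                self.failures[user] = 0
                return True
        self.failures[user] = self.failures.get(user, 0) + 1
        return False


if __name__ == "__main__":
    # Constructed demo secret and clock values.
    secret = b"constructed-demo-secret"
    server = DialInVerifier({"alice": secret})
    shown_on_token = totp(secret, 1_000_000)
    print("first use :", server.verify("alice", shown_on_token, 1_000_005))
    print("replay    :", server.verify("alice", shown_on_token, 1_000_010))
```

An overheard code is useless once its step has been accepted, and guessing is bounded by the failure counter rather than by the size of a dictionary.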
Copyright 1993 Newspaper Publishing PLC
The Independent
August 13, 1993, Friday
IN A BLUSTERY Dutch field, four metres below sea level and miles from anywhere, a man from the CIA was preaching last week to an audience of anarchists, hippies and computer security consultants.
Around them, hundreds of tents communed electronically with the rest of the world through telephone cable and sticky tape. Stories of global mayhem and local area networks mixed with Hendrix and Kraftwerk: ''Hacking at the End of the Universe'', the Hack-Tic computer club's 1993 Summer Congress, was underway.
The call to attend went out earlier this year across the Internet, the giant computer network which links academia, industry and individuals across the world. The intended recipients were those who inhabit the shadier areas of that network. Hackers, techno-anarchists and communications junkies were all specifically invited, as were the more esoteric ''warez dudes'' - software pirates - and ''phone phreaks'' - who make free telephone calls without the aid of 0800 numbers.
But anyone who got the message could come and security experts, police officers and others were made welcome. Between 500 and 1,000 members of this most improbable mix of people turned up from across Europe and the Americas. Spotty youths from Nottingham, interested in swapping numbers and tales of adolescent vandalism; slightly odd professional programmers; balding Dutch hackers in their thirties and forties, more interested in international public access data communications than online credit card fraud; corporate Americans in smart casuals and official haircuts, on expenses; long-haired goths in black leather, on grass.
A hallmark of the event was the male-to-female ratio: running at roughly 100:1, it did not bode well for the demise of the anorak. Even so, there was some evidence of the emergence of a hacker chic, with one of the few women sporting jewellery made from watch parts and hair decoration courtesy of an eviscerated floppy disk.
Efforts were made to address this problem: there were lectures in social engineering: ''the skill of manipulating people within bureaucracies'', according to the congress programme. This started with the basic theory that to get people's trust you had to smile and be pleasant and, if you were going to lie, you had to be consistent.
More advanced material was quoted from How to Win Friends and Influence People. ''It was really teaching introverted hackers how to be normal human beings and get themselves laid,'' an English attendee called John said approvingly. Although English was the lingua franca, discussions blew up in three or four languages at once - when you are arguing about Unix and Ethernet it scarcely matters whether you are all speaking the same tongue.
Names were optional. Once your 100 guilder (£36) entrance fee had been paid, a computer took your picture and printed it out on a badge; no further identification was required. There were two main strands to the event and by rights neither should have worked.
The technical side was a thing of wonder - a high-speed datalink to the Internet ran into a catholic collection of elderly hardware in a barn. PCs, Macs and Acorn Archimedes machines were linked to a vintage Sun workstation and thence out to the ''Intertent'', the ''first local area network installed in a field'' according to the organisers.
Strands of telephone cables snaked from tent to tent, across trees and down paths, providing those who had brought their own computers with a free Internet connection. For some this was enough - one group of English hackers was content to stay under canvas for the entire three days, communicating with their fellow cyberpunks entirely through electronic mail.
The random nature of the wiring and the unhealthy generator which powered the whole exercise made this a haphazard affair; at times, only one call in five could get through. If anything, the social side for those who left their tents was even more unlikely. For once, the idea of a global community seemed to work: litter was picked up, toilets cleaned and hands freely lent whenever the need arose.
There were about 120 computers on site, many of them exquisitely portable, yet not one theft was reported. Dutch common sense and amiability pervaded the event. Each day, four or five lectures, workshops or round-table discussions took place, ranging from computer art and law to radio networks and using digital telephone exchanges in inventive ways.
The impromptu workshops were as interesting to many as the scheduled events. Someone would sit down at a terminal and tap away for a few moments; a nugget of information would attract a gaggle of hackers who would gather around, scribbling in notebooks. Then they would break up and rush back to their tents, eager to try out the latest discovery.
One of the stars of the official show was Robert D Steele, ex-US Marine officer and ex-CIA operative, who wandered around the site in a green Chairman Mao cap with a Red Star badge.
He turned up as part of his campaign to persuade the US Government to spend a quarter of the CIA's budget on developing and supporting a public-access database filled with as much encyclopedic information as possible. His thesis, that the CIA does not know what data to gather and loses it anyway, was popular; the surreal aspects of watching him give a talk with a flipchart to a marqueeful of sundry hackers were heightened by the knowledge that he had given much the same lecture to large US defence companies and been funded as a result.
By bringing together the computer underground and mainstream, he contended, there would be a valuable cross-fertilisation of ideas. ''But the CIA are bastards!'' yelled one young Dutch hacker from the back of the room. ''Look at the Bay of Pigs! If we take their money away and put them out of business they'll hunt us down and kill us!''
This mixture of paranoia and idealism was reminiscent of the hippy Sixties, as was the sharp anarchist commercialism that characterised the T-shirts, magazines and stickers on sale next to the beer and Jolt double-caffeinated cola.
One T-shirt's design was the complete circuit diagram for a ''blue box'', an illegal device for making free telephone calls; another proudly advertised a US hacking group with their slogan ''Indict The Very Best!''. Grand ideas were in the air along with the occasional puff of hash smoke and the chatter of cellphone radio scanners.
In the UK such a motley bunch of travellers would be shown the gate before they had unpacked their modems. Their image of themselves is of an international elite, unbounded by borders or irksome local rules; when someone who would have trouble getting served in a pub with a ''No Travellers'' sign can demonstrate his home-made secure radio data network - every bit as good as commercial products - it is hard not to see their point.
Like the hardware hackers of the Seventies who built the first personal computer, these new-age cyberpunks and digital crusties are pushing technology into the public arena as hard as they can.
Rupert Goodwins is a technical editor of PC Magazine.
Copyright 1993 American Lawyer Newspapers Group, Inc.
The Connecticut Law Tribune
August 9, 1993
You've probably never thought about how secure your computer systems are. But if your office is like many, it is possible for even rookie "crackers" (people who break into computer systems) to read electronic files, alter data or destroy files altogether. And they don't need high-tech equipment or sophistication to do it. Here are nine basic ways to protect yourself.
1. Lock and key. The most obvious but perhaps most dangerous cracker is someone who physically walks into your office and leaves with a computer, a few floppy disks or an external hard drive. He or she has instant access to all the information stored therein, and all the time in the world to find ways around whatever security software you might have installed.
Though it is easy to lock up computers, either by bolting them to the desk or, preferably, using strong cables and metal locks, many offices neglect to do so. Keys should be accessible only to the system administrators or other people who might need to move the machines. The most critical computers can even be wired to an alarm.
Portable laptop and notebook computers are obviously easy targets -- but then again, so is a briefcase. Portable computers should never be left alone in places where one wouldn't leave a briefcase. As a precaution, users should be trained to save their files on floppy disks rather than on the portables' hard drives (if the files are not too big to fit on a floppy) -- that way, even if the machine itself is stolen, the data is secure.
Floppy disks should be locked in secure containers and kept out of sight. Information that users have erased from floppy disks is easily recoverable using a number of common software programs, so disks that are no longer being used should be shredded or burned. (Any written records and magnetic media that contain security information should also be destroyed -- "dumpster diving" is a popular method of gaining computer passwords and other security information.) Any stolen hardware that is recovered should be checked thoroughly; the thief could have both altered data files and modified programs to break security. An example: A former systems administrator at a large law firm says that on a system he once recovered, he found a new program that would have recorded the passwords of the users and sent them via modem to the cracker who set the program up.
2. Be wary of outsiders. Just spending time in your office offers able crackers opportunities to break into your system. They can "shoulder surf" passwords by furtively watching authorized users log on to the system, for example, or peer through internal glass walls at users' keyboards. (Determined crackers will even try crawling through air ducts.)
The lesson is: Don't let outsiders get a good look at your operations. Try to have in-house, trusted staff members perform as many computer-related activities as possible. If a system has to be sent out for service, remove all its confidential files. Obviously, you will need outsiders for certain tasks, but choose consultants and service companies carefully. If you hire temporary employees and need to give them system access, delete their passwords as soon as they are gone -- and ask full-time employees who worked with or near the temps to change theirs.
3. Network cables can be trouble. Networks, with their multiple workstations and tangle of wiring, create additional security problems. A former systems administrator at a large New York firm tells of a break-in in the mid-eighties: During a check of the firm's systems, a computer staffer found a workstation in the rafters that was hooked up to the network and was "snarfing all the [data] and sending [it] to an outside number," the administrator recalls. "Near as they could tell, it had been there for at least six months." Fearing the loss of their jobs, the administrator says, the information systems department decided not to tell firm management about the leak; instead, they quietly dismantled the workstation, and after that checked the systems regularly.
Network cables that are hung from the ceiling -- the method of choice at many firms -- can be easily tapped or disabled. In a secure network, cables run through shielded electrical pipes, and the hubs (places where wiring comes together), file servers (large data storage drives), and modems -- the easiest places for a network to be infiltrated -- are placed behind locked doors and are checked regularly for signs of tampering. Firms for whom security is particularly important should consider using fiber optic cables, which are much more difficult to tap than standard wiring (though they are at least twice as expensive).
4. Modems are vulnerable. Network modems are particularly popular break-in places; because they are designed to serve as gateways to outside users, they are vulnerable to intruders. It is essential to prevent unauthorized users from logging on to the network from a remote location. The best deterrent is a callback modem. With this, a user calls the network (via a modem on a portable computer) and enters his or her login name and password. The answering modem, back at the office, then hangs up, finds the telephone number that corresponds to the person's login name, and calls the user's computer back. The system can be modified by the system administrator for lawyers who are traveling so they can call into the network from their hotel rooms.
Finding the network's modem number is a good part of breaking into the system, so experienced crackers will often dial all the numbers assigned to the building or office, noting which ones are answered with a standard modem carrier signal (a high-pitched long beep). To short-circuit this infiltration method, consider a silent modem, which does not signal that a connection has been made until the login process has actually begun. And for the highest security needs, consider creating a "firewall" system -- one that looks and acts like the system the cracker is trying to get into, but that contains no useful information. (Authorized users use special logins and commands to access the real system.) Firewalls are expensive to build, but they are considered the most reliable method of modem protection.
5. Eavesdroppers are out there. Every electronic machine, from a typewriter to a computer screen, emits electromagnetic radiation. Eavesdroppers, using unsophisticated, homemade devices -- built for as little as $300 from parts available at any electronics store -- can intercept and decipher signals from computer monitors through walls and windows, from as far away as a van parked across the street. Vendors at computer security shows sometimes demonstrate this by intercepting signals emanating from competitors' computers.
In the 1950s the U.S. government established a program, called TEMPEST, to develop standards for technology that would contain or suppress signal emanations from electronic equipment to minimize the risk of eavesdropping. (Those standards are classified.) TEMPEST equipment, which is manufactured by about 50 companies -- including International Business Machines Corporation, Digital Equipment Corporation and UNISYS Corporation -- can only be sold to American companies for use in the United States, NATO signatory countries and a few other friendly nations such as Canada and Australia. TEMPEST products are generally about 80 percent more expensive than their nonshielded relatives, weigh more and take up more space.
6. Password protection. Most systems are set up so that doing almost anything requires a password. But a simple password can be cracked fairly quickly, using computer programs that try all the most common passwords -- words (in any language), names, numbers and simple variations of those, as well as a couple of thousand common nonsensical words. A good password contains both letters and numbers and is long -- a three-character password can be broken by a computer in less than an hour, while an eight-character password would take an average of 45 years, even with a powerful computer.
Avoid writing passwords down, especially on a desk or terminal, but if you must, do not identify them as such or indicate what system they are for. Passwords should never be entered while others are watching, and should never be sent anywhere via electronic mail. (One infamous cracker set up a system that scanned an entire network's e-mail for the word "password," then copied those messages to a special file for later perusal.) Users should never share their passwords, even with secretaries or other support staff. And all users should change their password regularly, whether they think they have been compromised or not.
7. Use encryption. Encryption programs -- with which original information is transformed into what appears to be random, unintelligible character strings -- are another basic method for keeping data safe. Using a special password or "key," the user can reconstruct the original file in just a few seconds. This method is extremely effective: Even if computers, disks or hard drives are stolen, the thief will probably not be able to figure out what is in the files. There are a multitude of programs that will encrypt individual files, files created with a particular program, entire hard drives and disks, or even entire networks. Encryption is particularly useful -- indeed, even necessary -- for electronic mail, particularly when messages are being sent outside your own office's e-mail system.
8. Beware of dangerous insiders. The most important security aspect of any computer system is the people that are working on it. According to Computer Security Basics, published by O'Reilly & Associates, Inc., 80 percent of all security break-ins are by fully authorized users who abuse their system access. A disgruntled employee may seek revenge by disrupting operations; a gullible employee may be coerced into revealing passwords or data; an unscrupulous employee may take bribes. But the most dangerous insider is the user who is untrained in security matters -- or who is too lazy to follow the security rules.
The best preventive measure is a well-trained computer staff, one that can detect and head off security problems before they occur. The system administrator plays a big role in enforcing system security. If that person is inexperienced or improperly trained, he or she may leave holes in your security, or may fail to recognize symptoms of breached security.
The information systems director and firm management should set out a computer security policy in writing, and every employee should read it and sign a notice saying they understand it and agree to abide by it. People who are careless about locking up disks or protecting passwords should be reminded of the firm's policy. And users should have access only to the systems and files they actually need.
When an employee leaves the company, his or her access to the system should be removed immediately; the employee should be reminded in an exit interview to keep system security information confidential.
9. Plug your leaks aggressively. If a system is cracked, there are a few steps that should be taken. First, the leak should be plugged. If the in-house computer staff cannot figure out how it happened, the firm should hire an outside security expert immediately.
When the cracker is discovered, he or she should be prosecuted. Several federal laws prohibit cracking, and most states have also outlawed such acts. According to Computer Underground Digest, most computer crime goes unreported because companies are wary of admitting publicly that they have security problems.
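Item 6's brute-force figures, together with the phrase-initials scheme from the earlier article's security tips, worked through as an added example that is not part of either article. The guess rate and the 36-symbol alphabet are assumptions, chosen because together they reproduce the "45 years" figure; the wordlist is a constructed sample and the function names are hypothetical.

```python
import string

# Assumption: neither article states a guess rate. About 1,000 guesses per
# second over letters+digits (36 symbols) reproduces the 45-year figure.
ASSUMED_RATE = 1000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample standing in for a guesser's dictionary.
SAMPLE_WORDS = {"beverly", "hills", "password", "dragon", "secret"}


def mnemonic_password(phrase, capital_index, digit):
    """First letter of each word, one of them capitalized, plus a number."""
    letters = []
    for word in phrase.split():
        first = next((c for c in word if c.isalpha()), None)
        if first is not None:
            letters.append(first.lower())
    letters[capital_index] = letters[capital_index].upper()
    return "".join(letters) + str(digit)


def dictionary_finding(password, words=SAMPLE_WORDS):
    """Model the guesser the article describes: every word, forwards and
    backwards, here also ignoring case and leading or trailing digits."""
    core = password.lower().strip(string.digits)
    if not core:
        return "digits only"
    if core in words:
        return "dictionary word"
    if core[::-1] in words:
        return "dictionary word reversed"
    return None


def alphabet_size(password):
    """Size of the smallest common character set that covers the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += len(string.punctuation)
    return size


def average_years(length, symbols, guesses_per_second=ASSUMED_RATE):
    """Average exhaustive-search time: half the keyspace at the given rate."""
    return symbols ** length / 2 / guesses_per_second / SECONDS_PER_YEAR


def audit(password, words=SAMPLE_WORDS, guesses_per_second=ASSUMED_RATE):
    return {
        "dictionary": dictionary_finding(password, words),
        "avg_years": average_years(len(password), alphabet_size(password),
                                   guesses_per_second),
    }


if __name__ == "__main__":
    pw = mnemonic_password("Down and out in Beverly Hills", 4, 6)
    for candidate in (pw, "Beverly1", "sllih6"):
        print(candidate, audit(candidate))
    print("8 chars, 36 symbols:", round(average_years(8, 36), 1), "years")
```

Rerun `average_years` with the guess rate of the hardware you are defending against; the rate used here only matches the 1993 figures.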
Copyright 1993 The Times Mirror Company
Los Angeles Times
July 5, 1993, Monday, Home Edition
Among the many consequences of the personal computer over the last dozen years has been a staggering growth in computer crime, made easier by the proliferation of terminals at home.
Included in this category is illegal hacking -- using a computer and a telephone line to break into remote mainframes for mischief or malfeasance, usually the work of young men motivated by a desire to beat the system and show that it can be done.
From time to time, the computer underground has made it into the news, by cracking into and wandering around the computers of NASA and NORAD or by setting loose a computer virus that crippled the Internet, a network of computer networks.
More often, these computer capers have been played out less conspicuously, though they have captured the continuing attention of law-enforcement agencies around the world.
Paul Mungo and Bryan Clough flesh out many details of computer crime and computer criminals in "Approaching Zero," a book that argues that no electronic information held by banks, universities or government agencies is safe.
Mungo, a science writer, and Clough, a British expert on computer security who advises New Scotland Yard, provide details of how various computer crimes have been carried out and offer descriptions of the perpetrators.
"That some young men find computing a substitute for sexual activity is probably incontrovertible," the authors assert -- without any supporting evidence.
Despite such spicy claims, the book is somehow flat. It's not as if this is the first time these stories have been told. Some are new but many are familiar, and the overall effect is decidedly old hat.
Clifford Stoll gave chapter and verse of one hacker's activities in "The Cuckoo's Egg" (Doubleday, 1989); Steven Levy covered the landscape in "Hackers" (Doubleday, 1984), and Katie Hafner and John Markoff provided an excellent description in "Cyberpunk" (Simon & Schuster, 1991).
Although there are other hackers and new stories -- including much about computer viruses in Bulgaria, of all places -- there does not seem to be enough that's new to justify another book.
To be sure, Mungo and Clough add interesting details and observations. They argue that computer viruses were over-hyped for years before their threat became as serious as the hypists would have you believe.
They assert that this hyping was largely the work of people trying to sell anti-virus software.
But eventually, they concede, dire warnings about viruses came true. After spending many pages deriding the prophets of doom, Mungo and Clough eventually join the bandwagon.
"As the world population of computer viruses grows exponentially," they say, "so does the potential for real disaster. . . . A virus let loose in a hospital computer could harm vital records and might result in patients receiving the wrong dosages of medicine; workers could suffer job losses in virus-ravaged businesses; dangerous emissions could be released from nuclear power plants if the controlling computers were compromised and so on."
They also make a factual error about public knowledge of computer viruses, asserting that the first press report on the subject probably appeared in February, 1987, in the magazine Computers & Security. In fact, Discover magazine published a long report on computer viruses in November, 1984.
Mungo and Clough have adopted an annoying practice of recounting long, detailed stories of various computer crimes and then ending by saying that the alleged victim of the alleged crime denies that it ever took place.
For example, they say that the breakdown of the AT&T long-distance system in January, 1990, could have been caused by a computer bomb planted in the system, and they describe how that could have occurred.
They note that AT&T had received a threat of a computer bomb a short time before.
But after telling the story, they say, "There is absolutely no proof that it was a computer bomb, and AT&T's final, official explanation remains that the shutdown was caused by an errant piece of software."
Then there is a long story about two young hackers who used a complicated scheme and a Swiss bank account to filch more than $130,000 from Citibank.
After recounting this tale, the authors write, "You can believe this story or not, as you wish. Certainly Citibank doesn't believe a word of it; it has consistently denied that anything resembling the events described above have ever happened. . . ."
But you should never let the facts get in the way of a good story.
Copyright 1993 The Times Mirror Company
Los Angeles Times
July 5, 1993, Monday, Home Edition
Among the many consequences of the personal computer over the last dozen years has been a staggering growth in computer crime, made easier by the proliferation of terminals at home.
Included in this category is illegal hacking -- using a computer and a telephone line to break into remote mainframes for mischief or malfeasance, usually the work of young men motivated by a desire to beat the system and show that it can be done.
From time to time, the computer underground has made it into the news, by cracking into and wandering around the computers of NASA and NORAD or by setting loose a computer virus that crippled the Internet, a network of computer networks.
More often, these computer capers have been played out less conspicuously, though they have captured the continuing attention of law-enforcement agencies around the world.
Paul Mungo and Bryan Clough flesh out many details of computer crime and computer criminals in "Approaching Zero," a book that argues that no electronic information held by banks, universities or government agencies is safe.
Mungo, a science writer, and Clough, a British expert on computer security who advises New Scotland Yard, provide details of how various computer crimes have been carried out and offer descriptions of the perpetrators.
"That some young men find computing a substitute for sexual activity is probably incontrovertible," the authors assert -- without any supporting evidence.
Despite such spicy claims, the book is somehow flat. It's not as if this is the first time these stories have been told. Some are new but many are familiar, and the overall effect is decidedly old hat.
Clifford Stoll gave chapter and verse of one hacker's activities in "The Cuckoo's Egg" (Doubleday, 1989); Steven Levy covered the landscape in "Hackers" (Doubleday, 1984), and Katie Hafner and John Markoff provided an excellent description in "Cyberpunk" (Simon & Schuster, 1991).
Although there are other hackers and new stories -- including much about computer viruses in Bulgaria, of all places -- there does not seem to be enough that's new to justify another book.
To be sure, Mungo and Clough add interesting details and observations. They argue that computer viruses were over-hyped for years before their threat became as serious as the hypists would have you believe.
They assert that this hyping was largely the work of people trying to sell anti-virus software.
But eventually, they concede, dire warnings about viruses came true. After spending many pages deriding the prophets of doom, Mungo and Clough eventually join the bandwagon.
"As the world population of computer viruses grows exponentially," they say, "so does the potential for real disaster. . . . A virus let loose in a hospital computer could harm vital records and might result in patients receiving the wrong dosages of medicine; workers could suffer job losses in virus-ravaged businesses; dangerous emissions could be released from nuclear power plants if the controlling computers were compromises and so on."
They also make a factual error about public knowledge of computer viruses, asserting that the first press report on the subject probably appeared in February, 1987, in the magazine Computers & Security. In fact, Discover magazine published a long report on computer viruses in November, 1984.
Mungo and Clough have adopted an annoying practice of recounting long, detailed stories of various computer crimes and then ending by saying that the alleged victim of the alleged crime denies that it ever took place.
For example, they say that the breakdown of the AT&T long-distance system in January, 1990, could have been caused by a computer bomb planted in the system, and they describe how that could have occurred.
They note that AT&T had received a threat of a computer bomb a short time before.
But after telling the story, they say, "There is absolutely no proof that it was a computer bomb, and AT&T's final, official explanation remains that the shutdown was caused by an errant piece of software."
Then there is a long story about two young hackers who used a complicated scheme and a Swiss bank account to filch more than $130,000 from Citibank.
After recounting this tale, the authors write, "You can believe this story or not, as you wish. Certainly Citibank doesn't believe a word of it; it has consistently denied that anything resembling the events described above have ever happened. . . ."
But you should never let the facts get in the way of a good story.
Copyright 1993 The Times Mirror Company
Los Angeles Times
June 19, 1993, Saturday, Home Edition
For more than a year, computer virus programs that can wreak havoc with computer systems throughout the world were made available by a U.S. government agency to anyone with a home computer and a modem, officials acknowledged this week.
At least 1,000 computer users called a Treasury Department telephone number, spokesmen said, and had access to the virus codes by tapping into the Treasury's Automated Information System bulletin board before it was muzzled last month.
The bulletin board, run by a security branch of the Bureau of Public Debt in Parkersburg, W. Va., is aimed at professionals whose job it is to combat such malicious destroyers of computer files as "The Internet Worm," "Satan's Little Helper" and "Dark Avenger's Mutation Engine." But nothing blocked anyone else from gaining access to the information.
Before the practice was challenged by anonymous whistle-blowers, the bulletin board offered "recompilable disassembled virus source code" -- that is, programs manipulated to reveal their inner workings. The board also made available hundreds of "hackers' tools" -- the cybernetic equivalent of safecracking aids.
They included "password cracker" software -- various programs that generate huge volumes of letters and numbers until they find the combination that a computer is programmed to recognize as authorizing access to its contents -- and "war dialers," which call a vast array of telephone numbers and record those hooked to a computer.
The information was intended to educate computer security personnel, according to Treasury spokesmen. "Until you understand how penetration is done, you can't secure your system," said Kim Clancy, the bulletin board's operator.
But with this information, relative amateurs could create new viruses, according to software writers.
"I am dismayed that this type of activity is being condoned by an American governmental agency. I am extremely disturbed by the thought that my tax money is being used for what I consider unethical, immoral and possibly illegal activities," wrote an anonymous whistle-blower quoted in Risks Forum, a Silicon Valley-based electronic "magazine" where debate has raged on the issue since it surfaced last month.
"That's like leaving a loaded gun around and people saying: 'It's not my fault if someone picks it up and shoots himself in the head with it,' " said Paul Ferguson, a computer consultant upset by the Treasury Department's practices.
Treasury officials have little idea who has dialed up the bulletin board and what has been copied out of it, spokesman Peter Hollenbach said. Hence it is impossible to judge if any damage has been done.
Hollenbach and some computer professionals minimize the risk, saying the software on the bulletin board was acquired through the computer underground in the first place, and thus has always been available to miscreants with sufficient contacts, tenacity and skill.
"Hackers don't go to the Department of Treasury to get their hacking tools," Clancy said.
The Treasury Department became enmeshed in this controversy because it is one of the most intense users of computers in the federal government. All the billions of dollars of Treasury securities are handled, through the Bureau of Public Debt, on computer networks, Hollenbach said.
Copyright 1994 Reuters, Limited
January 19, 1994, Wednesday, BC cycle
Attorney General Janet Reno urged U.S. attorneys Wednesday to crack down on street violence, seeking maximum prison time for career criminals.
"Many people estimate that 10 percent of the criminals commit 40 percent of the crime," she told a U.S. Attorneys' National Conference.
"We need to identify those 10 percent in your communities, those violent career criminals, and working with local prosecutors ... (get) the longest possible sentence that will be a sentence actually served.
"If we can take them to federal court and get them off our streets, let's do it in every possible way we can."
She urged each of the U.S. attorneys from across the country to undertake violent crime initiatives, appointing specialists or combining with other U.S. attorneys in a region to carry out programs to get violent criminals off streets.
If local police or city prosecutors have taken an effective lead, follow them and don't worry about who gets credit, she told the federal prosecuting attorneys.
"We need to develop a plan to use all of our resources," she said.
Reno said prosecution of all other kinds of crime remained as important as ever, listing everything from organized crime and drug smuggling to problems on Indian reservations.
She also said technology crime, including young computer hackers disrupting major corporations for fun, will reshape U.S. attorneys' future case loads.
Copyright 1994 American Lawyer Media, L.P.
The Recorder
January 18, 1994, Tuesday
A Menlo Park man awaiting trial in San Jose federal court, in the first espionage case against an alleged computer hacker, will be transferred to Los Angeles to stand trial first on separate charges, a government prosecutor said.
Kevin Lee Poulsen, charged in a 14-count indictment with illegal possession of a computer tape containing classified military information, will face charges in Los Angeles that he used his hacking skills to rig radio call-in contests. Meanwhile, a government appeal of a recent ruling in the espionage case is pending in the Ninth Circuit U.S. Court of Appeals.
U.S. District Court Judge Ronald Whyte denied Poulsen's motion to be released on his own recognizance at a Friday bail hearing.
The government two weeks ago appealed a ruling by Whyte suppressing evidence taken in 1988 from computer tapes found in a Menlo Park storage locker rented by Poulsen. Whyte found police had conducted a warrantless search of the facility.
A dispute over whether the suppression ruling knocked out a key espionage charge was not resolved at Friday's hearing. But Whyte said that it appeared that the tape on which the spying charge was based has come from the storage locker. Poulsen's attorney, Paul Meltzer of Santa Cruz Meltzer & Leeming, said that loss of the espionage charge has essentially gutted the government's case against Poulsen.
But Assistant U.S. Attorney Robert Crowe has maintained that the crucial tape containing classified Air Force information came from a subsequent search of that he may seek a separate evidentiary hearing on the issue, if the government appeal is unsuccessful.
Poulsen faces up to 85 years in prison if convicted on all charges in the Northern California case and up to 100 years and $4 million in fines in the Los Angeles case.
Copyright 1993 McGraw-Hill, Inc.
LAN Times
August 9, 1993
Should electronic bulletin boards -- either legitimate or underground -- be allowed to post and disseminate virus source code?
That question is generating heated debate, from the halls of Congress to the deepest recesses of the hacker underground. It was touched off in May when an anonymous message was posted on the Risks Digest, an electronic BBS in the Silicon Valley.
The author was upset that the U.S. Department of the Treasury's Bureau of Public Debt Automated Information System (AIS) BBS, which carries security-related information and is available to the general public, was posting a broad range of virus source code. The writer also complained about Kim Clancy, manager of AIS Security and an AIS BBS sysop.
"I am extremely disturbed by the thought that my tax money is being used for what I consider unethical, immoral, and possibly illegal activities," the anonymous poster wrote.
Clancy is a highly respected security administrator who has amassed a wealth of sources in both the legitimate security community and the hacker underground. As a result of her hacker contacts, groups like Phalcon/Skism have shared the tricks of their trade and even helped to disinfect the AIS BBS when it was invaded by a virus.
CEASE AND DESIST
After the anonymous message sparked an anti-virus protest, Clancy's superiors directed her to remove all hacker files from the AIS BBS. These included virus source code and information on how to break into computers, networks, and PBXes. However, Clancy was not subjected to any disciplinary action.
"I was targeted by a self-elitist international group," Clancy said. "The only thing they're hurting is the legitimate community of security professionals."
BIG NEWS
The debate became very public when The Washington Post ran a front-page article on June 19, 1993.
Rep. Ed Markey, chairman of the House Subcommittee on Telecommunications and Finance, then wrote to Lloyd Bentsen, secretary of the Department of the Treasury, asking for "the rationale behind making such potentially harmful information generally available."
Vesselin Vladimirov Bontchev, who heads the Virus Test Center of the University of Hamburg, Germany, threw in his two cents: "I am Bulgarian, and my country is known as the home of many productive virus writers," Bontchev said. "But at least our government has never officially distributed viruses."
As the debate raged on, everyone chose a side. Clancy and her supporters believe that the public's right to know far outweighs the "slim" chance that virus source code posted on a legitimate BBS will end up in the wrong hands. The opposition is just as righteous, taking the position that writing, posting, or disseminating any type of hacker files or virus source code should be outlawed.
OLDIES, BUT GOODIES
Experts say there are well over 2,000 viruses in existence today. However, 90 percent of the damage is caused by the same five to 10 viruses. "Oldies," such as Jerusalem B and the Stoned virus, are still primary sources of infection.
A recent four-month online survey by the Computer Security BBS found that 64 percent of the respondents had experienced a computer virus attack in the past 12 months. Half of the infections were classified as minimal, but not everyone escaped unscathed.
Six percent of the virus victims reported losses of more than $100,000 and said it took them more than three days to recover.
While the number of viruses has increased, the technology behind viruses has advanced very little.
"Most of today's viruses are variations on the handful of originals or can be traced to a virus-generation toolkit," said GarbageHeap (GHeap), a member of the Phalcon/Skism group of virus writers and hackers that runs the 40Hex underground virus BBS.
According to GHeap, most of today's network administrators have effective anti-virus procedures in place.
"In the early days of viruses -- in the late 1980s and up until 1991 -- it took network administrators a while to detect them and then disinfect their networks," he said. "Nowadays, there's an anti-virus package out for almost every virus you can think of."
PUBLIC SERVICE
As Clancy sees it, she was only performing a public service.
"If BBSes like the Computer Security BBS and the AIS didn't post virus source code or hacking programs, then only malicious hackers would have access to them," she said. "The legitimate security professionals would be left out in the cold."
Clancy and other security BBS sysops contend that high-level hackers don't need to access legitimate BBSes, since virus source code and hacking tools are readily available in the hacker underground.
"Some types of information may pose a risk if abused," said Jim Thomas, a sociology professor at DeKalb Northern Illinois University who, along with Gordon Meyers, runs the Computer Underground Digest, a BBS. "But in an open democracy, the potential for abuse has been neither a necessary nor a sufficient justification to silence those with whom we disagree."
Bill Strouse, president of Stoney River Networks, a Novell gold reseller in Sunnyvale, Calif., agrees -- so strongly that he is taking up where Clancy and the AIS BBS were forced to leave off.
"We are going to move all of the virus-commented source-code files, such as 40Hex, onto the Ring of Fire BBS," Strouse said. "The anti-virus community can pick on me all they want, but they can't censor me. I'm not doing anything illegal, and I'm not government-owned and sponsored."
Strouse, who heads up the Silicon Valley chapter of NetWare Users International (NUI), runs the Ring of Fire BBS, which is devoted to NetWare and legal issues.
"The real irony behind all this hype about the AIS BBS was that the virus code Clancy posted couldn't have been downloaded and used to infect networks," Strouse said. "She had removed the replication portion of the source code."
Unlike the AIS BBS, Ring of Fire is not wide-open to the public. Members of any NUI branch get unlimited free access; nonmembers pay $25 per year for up to 90 minutes of access per day and unlimited downloads.
To get into the Computer Security area of Ring of Fire, would-be users have to specifically request access and have their identities, affiliations, and telephone numbers verified by Strouse. Additionally, first-time callers get access to only three public file areas and are limited to 20 minutes.
"We have no intention of putting a loaded gun into the hands of an unsuspecting user," Strouse said. "What we're doing is giving people the diagrams and blueprints of virus code and hacker files so they have the necessary tools and information to secure their networks."
The Ring of Fire BBS number is (408) 739-8753; the ComSec BBS number is (415) 495-4642.
Copyright 1993 Report From Japan, Inc. (A Yomiuri News Service)
Report From Japan
December 21, 1993
The number of reports of computer viruses increased again in November, hitting a total of 92 cases, including three viruses reported for the first time in Japan.
The figure was 54 greater than that for last November, and the total for the January-November period was up by 550 cases from last year's 229, to a total of 779.
According to a report released Dec. 20 by the Information-Technology Promotion Agency (IPA), the number of different viruses reported in November was 19. Three of the viruses were reported for the first time in Japan.
The most common infection routes were through floppy discs brought from overseas, accounting for 45 percent of the cases. However, in about 46 percent of the cases, the infection routes could not be determined.
It is also important to properly secure hardware as well as floppy discs, the IPA warned.
The number of computer virus damage reports peaked in August and September at 120 cases. Although virus reports declined to 81 in October, they increased again in November.
The IPA has received 1,103 reports of computer virus damage since April 1990, when the reporting system was established by the International Trade and Industry Ministry.
Copyright 1993 National Thrift News, Inc.
National Mortgage News
December 20, 1993
The Office of Thrift Supervision has sent out warnings to its member institutions not to have unprotected data exchange with strangers --- one in particular.
The OTS was advised by the FBI that banks and thrifts in Pennsylvania, New Jersey, Maryland, and Kentucky have recently received computer disks in the mail from a person identifying himself as Master Fard Muhammed.
When the institutions loaded the disks into their computers a powerful computer virus infected all the systems connected to that local area computer network.
The virus, which authorities described as "not easily detectable by normal screening programs," caused an unspecified amount of data on the institution's computers to become unreadable.
"Should any department in your institution receive one of these packages in the mail, we recommend that the diskette not be inserted in any personal computer and that the FBI be notified," John Robinson, OTS regional director, advised members.
Authorities say they have no idea what the motive for the prank may be, but in the past couple of years both Federal and state authorities have passed strict laws against what some term high-tech terrorism.
Copyright 1993 Southam Inc.
Calgary Herald
December 16, 1993, Thursday, FINAL EDITION
While businesses and executives are increasingly dependent on computers, computer criminals have become increasingly more sophisticated.
Viruses, computer hackers, stolen equipment, tampering with data, illegal data transfer and desktop forgery are just a few of the computer-related crimes that have emerged in the high-tech age, said Wendi Harvey of the Council of Better Business Bureaus, based in Arlington, Va.
While computer theft has grown, so have non-property related crimes such as designing software "viruses" that crash systems and the illegal use of data bases by computer hackers. Other common crimes involve employees or repair technicians tampering with data and theft by data transfer and desktop forgery.
Computer theft and fraud might seem like problems that apply only to businesses, but many of those businesses pass the costs on to consumers as higher prices for their goods and services. So many firms now have policies and security programs to protect their computer systems.
International Business Machines Corp.'s research and development laboratory in Boca Raton, Fla., has installed anti-virus computer software and it periodically checks them for viruses, said Alan Macher, IBM spokesman.
In November of 1989, two employees at IBM in Boca Raton stole computer parts worth $1.8 million, one of the biggest thefts in the company's history. They were arrested when they tried to sell the stolen chips in Florida.
Boca Research Inc., a computer modem manufacturer in Boca Raton, has had problems with the computer virus Michelangelo.
A computer virus lies dormant until something triggers it, such as a date on the computer clock. Then the virus can wipe out all the computer's data. Michelangelo was activated on the artist's birthdate, March 6, in 1992.
Gail Blackburn, Boca Research's company spokeswoman, said she lost all her data when the virus invaded her computer. Since then, the company has installed anti-virus software, said Larry Steffann, vice-president of planning and development.
The company also does not permit employees to bring their own software to work. A lot of viruses are spread through personal software that employees install on their business machines.
Copyright 1993 Predicasts, a Division of Ziff Communications Co.
DataTrends Publications, Inc
Report on IBM
December 15, 1993
IBM (Yorktown Heights, N.Y.) said last week it is now shipping an enhanced version of its IBM AntiVirus products, including protection for Novell NetWare LAN servers.
IBM AntiVirus version 1.04 provides comprehensive "install-and-forget" automatic protection against computer virus attacks in DOS, Windows, OS/2 and Novell NetWare computing environments.
IBM AntiVirus for NetWare uses the same state-of-the-art detection technology used throughout IBM AntiVirus products. It detects well over 2,000 known viruses as well as many viruses that have yet to be written, while virtually eliminating the false alarms that plague many other anti-virus products.
Real-time scanning enables the LAN server to protect itself immediately if a virus on a client PC is found trying to infect the LAN server. LAN administrators also can scan selected volumes on demand, or schedule a scan for particular times on selected days. If a virus is found, customized messages can be sent to the affected user and administrators, and any infected files can be locked to prevent the infection from spreading. IBM AntiVirus for NetWare is designed to have minimal impact on LAN server performance. Its automatic priority adjustment keeps the additional load to less than four percent for typical servers. Single copies of IBM AntiVirus for DOS, Windows and OS/2 systems are available for $29.95 by calling (800) 551-3579.
Copyright 1993 DataTrends Publications, Inc.
Copyright 1993 The Daily Telegraph plc
The Daily Telegraph
December 13, 1993, Monday
THERE have been 9,181 computer "disasters" in Britain over the past three years, according to the Survive! club of computer managers specialising in disaster recovery. A disaster is defined as inability to use a computer causing at least £10,000 of corporate damage, but excluding fraud. The largest individual case was the spectacular public fiasco of the Stock Exchange's Taurus system, which was aborted after years of fruitless work. That caused a loss of up to £400m, according to Survive! calculations.
The biggest category of loss was theft, accounting for 37pc of cases. The stealing of desk-top computers is "reaching epidemic proportions". Almost 21pc of the cases were caused by viruses, though other recent reports have said most of these attacks were relatively benign and did not cause major damage. But Survive! reckons there is each year a 6pc chance of an organisation catching a computer virus, with the recovery costing between £10,000 and £250,000. The Institution of Analysts & Programmers reckons the virus danger is grossly exaggerated but half its members have at some stage encountered one. Most of the damage was done by just nine viruses, the commonest being one called Form.
According to Survive! malicious damage accounted for nearly 9pc of the disasters it found. Many of these were in the form of "time bombs" -- hidden program routine that causes damage to data at a pre-set time -- and there are over 100 prosecutions pending. But there were also some terrorist bombs. After that, in descending order, came hardware faults, hacking, environment (power problems, air conditioning failure), software (Taurus comes into this category), and communications. Human error, negligence, natural disasters, water damage from cracked pipes and the like, and fire caused under 4 1/2pc of the instances between them.
Statistics are notoriously mendacious but soon it will be possible to compare these figures with ones produced by the government. A national survey of 10,000 companies aims to identify the extent of computer security breaches over the past two years and the effect on business. Its findings are expected in early 1994. The survey will also invite organisations which have been hit to tell the rest of the world. A similar survey of computer security in 1991 found more than half of businesses had suffered from security problems, at a cost of £1.1 billion a year.
THE Data Protection Registrar has explained his view of the meaning of particular phrases used in enforcement notices, in particular about "residence", "family membership" and "name matching". The rules do not allow the extraction of personal information simply by reference to current or previous address. They also prevent the inclusion of information about any other individual who lives or has lived at the same address as the subject of the search.
Copyright 1993 Business Wire, Inc.
Business Wire
December 8, 1993, Wednesday
IBM is now shipping an enhanced version of its IBM AntiVirus products, including protection for Novell(a) NetWare(a) LAN servers.
IBM AntiVirus version 1.04 provides comprehensive "install-and-forget" automatic protection against computer virus attacks in DOS, Windows(b), OS/2(c) and Novell NetWare computing environments.
IBM AntiVirus for NetWare uses the same state-of-the-art detection technology used throughout IBM AntiVirus products. It detects well over 2,000 known viruses as well as many viruses that have yet to be written, while virtually eliminating the false alarms that plague many other anti-virus products.
Real-time scanning enables the LAN server to protect itself immediately if a virus on a client PC is found trying to infect the LAN server. LAN administrators also can scan selected volumes on demand, or schedule a scan for particular times on selected days. If a virus is found, customized messages can be sent to the affected user and administrators, and any infected files can be locked to prevent the infection from spreading. IBM AntiVirus for NetWare is designed to have minimal impact on LAN server performance. Its automatic priority adjustment keeps the additional load to less than 4% for typical servers.
IBM AntiVirus Services offers site licenses to all IBM AntiVirus products, monthly updates for newer viruses and rapid, reliable updates for viruses discovered in customer incidents.
Information on IBM AntiVirus for NetWare, site licensing and a full range of IBM's anti-virus services for enterprises is available by calling 800-742-2493. Single copies of IBM AntiVirus for DOS, Windows and OS/2 systems are available for $29.95 by calling 800/551-3579. (a) Novell and NetWare are trademarks of Novell Corp. (b) Windows is a trademark of Microsoft Corp. (c) OS/2 is a registered trademark of the International Business Machines Corp.
CONTACT: IBM Corporation, Yorktown Heights Andrea R. Minoff, 914/784-7428
Copyright 1994 South China Morning Post Ltd.
South China Morning Post
February 1, 1994
CAN a computer virus change its spots? Yes, say computer security experts.
Specialists have warned that a new breed of sophisticated computer virus that changes itself into multiple versions is becoming more common and that it can outwit some anti-virus software.
Known as polymorphic viruses, they are designed to hide from popular anti-virus programs by changing themselves slightly each time they replicate.
Businesses relying on older versions of anti-virus scanning software risk leaving their PCs open to infection from polymorphic viruses.
These can produce as many as 2.3 trillion versions of themselves, making them impossible to detect without the help of a new generation of anti-virus software.
"There is no question about it, polymorphic viruses are definitely the wave of the future," said Phil Talsky, product manager at leading US anti-virus software developer McAfee Associates.
Mr Talsky added that the most common polymorphic virus is the Satan Bug.
"It recently entered our top 10 list of most often reported viruses, at number nine," he said.
David Stang, head of US-based Norman Data Defence Systems and founder of the International Computer Security Association, agreed that the Satan Bug posed a security challenge.
He said: "We are hearing more reports daily of Satan Bug infections and it is a major problem for some organisations."
The Satan Bug has turned up at some US Government agencies. These include the Social Security Administration and the Army Corps of Engineers. There have also been reports that it had been detected in Europe, and that Tremors, another virus, is affecting PC users in Germany.
However, they should not panic, Mr Stang said.
"Becoming infected by any kind of virus is rare and coming across the Satan Bug is even rarer," he said.
The Satan Bug is not designed to erase data, but it interferes with users trying to connect to a local area network and will change file dates.
It replicates quickly and can travel across a local area network to infect other users.
Computer virus experts at IBM said polymorphic viruses should not trouble most users.
"If users take proper precautions, polymorphic viruses are easy to deal with," said Steve White, manager of the high integrity computing laboratory at the IBM Thomas J. Watson Research Centre.
"We have not found a very high infection rate among users by the Satan Bug and the whole issue of polymorphic viruses has received more attention than it deserves," he said.
Mr White and his colleagues at IBM have completed several detailed studies of how computer virus infections propagate. They were the first to label the Michelangelo virus scare two years ago as over-blown.
He pointed out that PC users faced about the same chance of a virus infection as they did of a hard disc failure, so proper back-up procedures should be routine.
To eliminate a virus, users must detect and often erase infected files and then reinstall them from an uninfected backup disk.
This can take several hours for each PC infected. The US Army Corps of Engineers estimates that it lost more than $12,000 per hour in trying to exorcise the Satan Bug.
McAfee's latest version of its ViruScan software can detect Satan Bug, but users must delete all infected files.
While Mr Stang said he developed an anti-virus program that could detect and erase the Satan Bug without requiring users to reinstall infected files, Mr Talsky said polymorphic viruses were more difficult to detect since they used encryption to hide from scanning software.
Researchers at IBM are working on an automatic system to detect and analyse new polymorphic viruses.
While computer virus experts concede that polymorphic viruses are written by talented programmers, the developer of the Satan Bug is believed to be a 16-year-old computer enthusiast who uses the pseudonym Hacker Life. There is no US law prohibiting the writing of a virus program.
Advancing computer technology could help solve this growing problem.
Western Digital, a US company making hard discs, has developed a chip, the Immuniser, designed to monitor system activity and to block any suspicious writing to the hard disc. The chip works only with certain newer PCs.
Mr Talsky warned that more polymorphic viruses were on the way.
While the risk from a PC virus infection is small, there are important safeguards all PC users should adopt. These include using the latest anti-virus software.
"We produce new versions of ViruScan every six weeks," said Talsky.
"But there are a lot of people using older versions and they will not get the full protection."
Any anti-virus software version written before August 1993 is unlikely to offer protection against polymorphic viruses. Users should update their software.
Mr Stang recommended that users with many PCs should decide on a computer security strategy.
"Some users apply the same security to all their systems. The problem with this approach is that some systems should be better protected while others may not need quite so much protection," he said.
Copyright 1993 The Buffalo News
The Buffalo News
November 28, 1993, Sunday, Final Edition
A new virus called "Satanbug" is reported to be spreading rapidly in the United States. The international virus watchdog publication, "Virus Bulletin," of Abingdon, England, said Satanbug is just one of several new viruses infecting the nation's computers.
Virus Bulletin said that it is costly for a number of U.S. companies, including Rockwell International, which recently revealed that it spent more than $44,000 to recover from an infection in April. The company told the publication that the incident was just one of more than 1,000 virus attacks it has dealt with since 1988.
Virus Bulletin said tests conducted at its offices in England indicate that companies such as Rockwell and even individuals are not as well armed against virus attacks as first thought.
In what the publication called a "shock," it discovered in a test of six leading anti-virus software products that all but one of the manufacturers are not updating the memory-resident portion of their products. According to the publication, despite the products' claims of being able to catch all known viruses, many of the programs are allowing a large number of viruses to go undetected.
Anti-virus software usually consists of multiple components, including a scanner. The scanner typically runs each time a computer is turned on and scans memory, DOS and program files on a hard drive looking for viruses that have already infected a system. The memory-resident portion works to keep viruses from entering a system in the first place by staying in the computer's memory, watching for viruses trying to gain entrance.
Richard Ford, editor of Virus Bulletin, speculated as to why companies would make claims for complete detection when portions of their programs actually did not have the capability. "This difference may have been lost along the way between the technical people and the marketing people at the company," he said. "People might think twice if they knew."
According to Virus Bulletin tests, one company that claimed the industry's high level of virus detection was able to detect only 78.8 percent of the viruses tested against it.
The publication said two programs that showed good marks in the test were RG Software's Vi-Spy, which had a perfect score, and Dr. Solomon's Toolkit and Guard, which missed just a few.
Ford said the disparity between the products' claims and actual performance is causing anger among users.
"We transmit and receive electronic data to and from our clients every day," said David Merrill, vice president of a Manhattan executive search firm. "If I can't rely on my program to keep viruses out, I run the risk of infecting a dozen or so clients before my scanner tells me I have a problem the next day. I'm supposed to feel good about that type of protection? Who's writing anti-virus software -- Beavis and Butt-head?"
Charlie Atterbury, coordinator of micro computer security at a major company that operates 35,000 PCs, said: "I'm disappointed in some of the software vendors. They're taking the easy way out so they can use the marketing hype that 'my virus program takes less memory than the other guy's,' and the real reason is that they are not doing the job. I have to wonder what they are thinking."
Phil Talsky, a spokesman for McAfee Associates, apparently does not share the same concerns as the users, according to Virus Bulletin. He said the disparity is "not a problem" as long as users always run their scanner. He felt the publication's revelations are a "non-event."
Ray Glath, president of RG Software, Scottsdale, Ariz., developer of Vi-Spy, said, "Others have left holes because they can't pack as much virus detection in their TSR as they have in their scanner without bumping up against DOS' 640k memory barrier."
He said that forces some developers to make arbitrary decisions regarding which virus to leave their customers unprotected against. He added, "You hear of many situations where companies keep getting reinfected after they think they've cleaned up from a virus attack."
Virus Bulletin has been recognized as the foremost international publication on computer virus protection, detection and removal since 1989.
What is a Computer Virus?
A "virus" is a program that someone makes just to cause trouble. It's called a virus because it makes a computer "sick," the way a virus makes a person sick.
People design a computer virus to change bits of information in a program - or even wipe out a computer's memory. It does this by getting into the computer's operating system - the part that controls how it works.
Once inside, the virus program makes copies of itself. Then the virus can spread and "infect" other computers in the system. Most new computers, though, check every program to see if it contains a virus.
A computer virus won't make you sneeze and cough. But if you find that all your computer files have mysteriously disappeared, it might make you feel sick!
Copyright 1994 Reuters, Limited
January 28, 1994, Friday, BC cycle
With its acquisition of Brightworks Development, McAfee Associates Inc embarks on a new era that will launch it into the emerging market for network software and continue its strong earnings growth.
"We are entering a second stage of development," chief executive William Larson told Reuters. "The acquisition would provide double-digit increases in revenue. But our intent is to grow the top line and the bottom line."
Tuesday, the company reported a 31 percent revenue increase and a 15 percent net income rise, 1993 over 1992.
Since 1986, Brightworks has developed and sold network management software, making it a prime conduit through which to sell McAfee's anti-virus programs to network managers.
McAfee owns about 67 percent of the anti-virus market, versus 14 percent for its major competitor, the Peter Norton division of Symantec Corp <SYMC.O>, Larson said.
Larson attributes McAfee's success to selling directly to large corporate customers like Ford Motor Co <F.N> and to government agencies, via electronic distribution.
Norton targets retail customers through traditional computer reseller channels, Larson said.
Larson said Norton is also targeting the area of network management in which to expand.
"Battle lines (for the market) are just now being drawn," Larson said. He added that, of the roughly 100 million personal computers worldwide, 30 million are linked to local area networks and only four percent of those utilize network management tools. International Data Corp forecasts that will grow to 14 percent by the end of 1994, according to Larson.
"Brightworks has one of the biggest shares of the (network tools) market, an award winning product list and a robust direct tele-sales operation," Larson said.
Among its products, Brightworks sells SiteMeter, software that monitors the number of times a software package is utilized on a network, and Network Remote, a diagnostics tool. To manage its entry, McAfee has hired Bob Chappelear, who ran the Peter Norton division of Symantec, Larson said. McAfee also is bringing on board Brightworks head Greg Gianforte and few, if any, staff cuts will take place. "The prime assets of the company are with the people," Larson said. Although he declined to price the deal, payment will be all cash -- no stock sales or new loans.
"We have $28 million in cash and all the money is coming from (that)," Larson said.
Larson said McAfee has money to look for other companies.
"We don't want to get too far ahead, but we certainly have the financial resources to continue to pursue (other acquisitions)," he said.
But company management is intent on not losing focus on its core business of selling anti-virus software for single-user computers. Virus complexity is ever increasing and the number of viruses infecting computers doubles every year, Larson said.
Larson said Brightworks, with its established telephone and direct sales network, will help McAfee begin competing head-to-head with Peter Norton for retail anti-virus business.
Copyright 1994 The Buffalo News
The Buffalo News
January 30, 1994, Sunday, Final Edition
As many readers know, a computer virus is pure misery for the home user. But it is even more devastating for a business. And the problem isn't going away.
For example, computer viruses have been spreading on networks. This means that every PC connected to an infected network is, in turn, in danger of being infected.
But peace of mind is available, according to Cheyenne Software Inc. of Roslyn Heights, a local area network software developer. The company has a product called "InocuLAN" that it claims will protect an entire computer system from a potentially devastating computer virus.
"Traditionally, password protection and a 'locked door' were enough to prevent unauthorized access to data," said Andrew Boyland, director of computer security products for Cheyenne Software. "But the most serious and potentially damaging security threat to hit LANs in recent years has been the computer virus."
He said a study commissioned by the National Computer Securities Association and Dataquest in 1991 revealed that 63 percent of 600 companies responding had had an encounter with a computer virus.
Boyland noted that the virus problem, in general, has been getting worse over the past five years and said that the number of viruses "is roughly growing at the rate of 2 1/2 per day." He said he expected the rate to continue but pointed out that "there are new viruses that are constantly being written that are more complex than the old ones."
Years ago, a computer virus traveled from one floppy disk to another, making recovery time shorter and less expensive, according to Boyland.
He referred to InocuLAN as a "computer drug" that prevents a killer virus from invading a business network system.
Once a virus damages a computer system, it can be costly and time consuming to return it to a previrus environment, according to Boyland. But "InocuLAN protects both your file server and DOS work stations against viruses," he said.
Boyland said that there are roughly 2,000 viruses "in the world out there" and that about 100 of them are considered fairly prevalent. He said the general description of a virus writer "is a 17-year-old in high school or college. They begin tinkering with computers at generally a young age, and they decide that this is kind of a neat way to fool everybody.
"The hacking community is a very powerful one," Boyland said. "They share information with each other through what we call pirating bulletin boards, or bulletin boards where they exchange virus codes, information on how to break into the systems, weakness and insecurities in particular systems. Then they set out to attempt a virus.
"Most of the viruses that we have seen have clearly been written by people with lots of computer experience," Boyland said. "They move fast, they're hard to detect, and they are cleverly written. The poor viruses, the ones that are not well written, are the ones that we commonly see and hear about for a month or two."
According to Boyland, a graduate of the State University at Binghamton and the University of Copenhagen, a virus can spread with great speed. He said a company in France recently had 4,000 PCs infected within three hours after a virus entered the network.
Boyland said that situations like Michelangelo became bad virus incidences because by accident "somebody shipped out copies of their software with copies of the Michelangelo virus on it, so it was caused to spread that much faster."
He said users can call Cheyenne Software at (800) 243-9462 for information on disaster recovery, network back-up and anti-virus or network monitoring.
Personal Computers welcomes your questions and programs as well as advance notification of computer group meetings. Mail your correspondence to Lonnie Hudkins, The Buffalo News, P.O. Box 100, Buffalo, N.Y. 14240.
Copyright 1994 The Financial Times Limited;
Financial Times
January 25, 1994, Tuesday
Can a computer virus change its spots? Yes, say computer security experts, who warn that a new breed of sophisticated computer virus that changes itself into multiple versions is becoming more common and that it can outwit some anti-virus software.
Known as polymorphic viruses, they are designed to hide from popular anti-virus programs by changing themselves slightly each time they replicate.
Businesses relying on older versions of anti-virus scanning software risk leaving their PCs open to infection from polymorphic viruses. Such viruses can produce as many as 2.3 trillion versions of themselves, making them impossible to detect without the help of a new generation of anti-virus software.
'There is no question about it, polymorphic viruses are definitely the wave of the future,' says Phil Talsky, product manager at leading US anti-virus software developer McAfee Associates. Talsky adds that the most common polymorphic virus is the Satan Bug and it is infecting increasing numbers of PC users. 'It recently entered our top 10 list of most often reported viruses, at number nine.'
David Stang, head of US-based Norman Data Defense Systems and founder of the International Computer Security Association, agrees that the Satan Bug poses a computer security challenge. 'We are hearing more reports daily of Satan Bug infections and it is a major problem for some organisations.'
The Satan Bug has turned up at some US government agencies where it has infected several hundred PC systems. These include the Social Security Administration and the Army Corps of Engineers. There have also been reports that the Satan Bug has been found in European PC systems, and that Tremors, another polymorphic virus, is affecting PC users in Germany.
However, users should not panic, Stang says. 'Becoming infected by any kind of virus is rare and coming across the Satan Bug is even rarer. But if you are unlucky enough to get infected, it is going to be expensive.'
The Satan Bug is not designed to erase data like some viruses, such as Michelangelo, but it interferes with users trying to connect to a local area network and will change file dates. It replicates quickly and can travel across a local area network to infect other users.
Computer virus experts at IBM say polymorphic viruses should not trouble most users. 'If users take proper precautions, polymorphic viruses are easy to deal with,' says Steve White, manager of the high integrity computing laboratory at the IBM Thomas J. Watson Research Center. 'We have not found a very high infection rate among users by the Satan Bug and the whole issue of polymorphic viruses has received more attention than it deserves.'
White and his colleagues at IBM have completed several detailed studies of how computer virus infections propagate. They were the first to label the Michelangelo virus scare two years ago as overblown and correctly predicted that it would not cause much damage.
White points out that PC users face about the same chance of a virus infection as they do of a hard disc failure, so proper backup procedures should be a routine task. To eliminate a virus, users must detect and often erase infected files and then reinstall them from an uninfected backup disk.
This can take several hours for each PC infected. The US Army Corps of Engineers estimates that it lost more than $12,000 per hour in trying to exorcise the Satan Bug.
McAfee's latest version of its ViruScan software can detect Satan Bug, but users must delete all infected files.
While Stang says he has developed an anti-virus program that can detect and erase the Satan Bug without requiring users to reinstall infected files, Talsky says polymorphic viruses are more difficult to guard against since they use encryption to hide from virus scanning software. 'Polymorphic viruses are algorithm-based so we have to essentially crack their code first and produce algorithms to counter them. Normally, it takes our programmers one hour to modify our software to detect a regular virus, but with a polymorphic virus, it can take us 48 hours to develop software that can detect it.'
Researchers at IBM say they are working on an automatic system to detect and analyse new polymorphic viruses. This will enable a faster response in producing updates of anti-virus software and help slow their spread.
While computer virus experts concede that polymorphic viruses are written by very talented programmers, the developer of the Satan Bug is believed to be a 16-year-old computer enthusiast who uses the pseudonym Hacker4Life. There is no US law prohibiting the writing of a virus program and programmers often post their latest virus creation quite openly on local computer bulletin board systems. There are about 2,500 known PC viruses.
Advancing computer technology could help solve this growing problem. Western Digital, a US company making hard discs, has developed a chip, the Immunizer, designed to monitor system activity and to block any suspicious writing to the hard disc. However, the chip works only with certain newer PCs.
On the software side, companies are developing different types of anti-virus programs that, like the Immunizer chip, monitor what is happening within the PC. If the software detects suspicious activity, it blocks it and flags an alert.
Talsky warns that more polymorphic viruses are coming.
While the risk from a PC virus infection is small, there are important safeguards all PC users should adopt. These include using the latest anti-virus software. 'We produce new versions of ViruScan every six weeks,' says Talsky. 'But there are a lot of people using older versions and they won't get the full protection.' Any anti-virus software version written before August 1993 is unlikely to offer protection against polymorphic viruses. Users should contact their vendor and update their software.
All new software, no matter what its source, must be scanned for viruses. 'Most people avoid computer bulletin boards and shareware software, thinking that they might be infected. But most of our calls are from users that have been infected from commercial software, especially demo software disks,' says Talsky.
Stang recommends that users with many PCs decide on a computer security strategy. 'Some users apply the same security to all their systems. The problem with this approach is that some systems should be better protected while others may not need quite so much protection. If you tell each user that they must spend five to 10 minutes each day scanning for viruses, that translates into a huge cost in terms of staff time over the course of a year. That can turn out to be more expensive than dealing with a virus infection.'
Copyright 1994 Report From Japan, Inc. (A Yomiuri News Service)
Report From Japan
January 21, 1994
There were a total of 897 reported cases of damage to computers because of viruses in 1993, an increase of 154 percent over the 253 confirmed cases in the preceding year, the Information Technology Promotion Agency, Japan, (IPA) reported Jan. 21.
The 1993 total represented 73 percent of the total number of cases confirmed by the IPA from April 1990 to December 1993.
The sharp increase in 1993 was attributed to a rise in the number of viruses and an increase in computer users' awareness of the computer virus reporting system.
The IPA has been monitoring computer viruses in Japan since April 1990 under the auspices of the International Trade and Industry Ministry.
As of the end of 1993, 71 different computer viruses had been reported, including 66 that invade computers running MS-DOS, and five that infect Macintosh computers.
Twenty-one new viruses were detected for the first time by the IPA in 1993.
Of the cases reported in 1993, 359 were reported by corporations, 246 by the information industry, 238 by individuals, and 54 by schools and research institutes.
The Kanto region had the most cases at 499, followed by Kinki at 128, Chubu at 115, Tohoku and Kyushu at 41 each. There were 37 cases in Chugoku and 19 in Hokkaido.
Copyright 1994 Newspaper Publishing PLC
The Independent
January 3, 1994, Monday
COMPUTER experts have warned the public of a fresh computer virus threat affecting compact discs used to store vast catalogues of data.
The discs, known as CD-Roms (compact disc read only memories), are an increasingly popular format for those who need to carry or archive large amounts of information.
One CD-Rom, resembling the more well-known shiny music platters, can replace an entire encyclopaedia, or carry detailed graphical and textual information on every painting in an art gallery's collection. Often the discs cost several thousand pounds.
But the data on a CD-Rom is designed only to be read, not altered. So a CD-Rom with a virus on it cannot be cleaned up in the same way as programs held on floppy disk. Richard Ford, editor of Virus Bulletin, said yesterday: ''The only use for an infected CD-Rom is as a frisbee.''
The problem is that a virus on a CD-Rom can spread to the computer system that reads it. Transmission can occur via small functional programs, such as routines that will speed up access to the information, included on the disc in addition to the bulk data itself.
During December, virus specialists heard of four separate reports of infected CD-Roms. They fear this is the start of a growing trend and are warning computer users to scan new CD-Roms for viruses just as they would ordinary software arriving on a floppy disk. Scanning will be a time-consuming process since CD-Roms hold huge amounts of data in hundreds of compressed files.
Computer viruses can cause relatively mild effects, such as messages flashed up on screen, or potential disasters if the rogue code disrupts or erases valuable data. The cases reported last month occurred on discs carrying so-called ''shareware'', software that people try out before handing over a fee to its author.
Among computer hobbyists, shareware is a popular way of testing new computer programs. The difficulty is that shareware is often second-hand, copied and collated from electronic message centres, called bulletin-boards, which are renowned sources of virus infection. Mr Ford said: ''The larger reference discs produced by reputable companies are fairly reliable but it doesn't really matter where a CD-Rom comes from; it should always be checked.'' He added: ''Shareware discs are very risky indeed. I would advise people not to use these CD-Roms on machines that hold critical data.''
The reported infections include two shareware collections. The first is called Software Vault collection 2, published by the American Databank Corp, which was infected with a virus activated every day between 9am and 10am. This requires the user to enter the answer to a simple mathematical problem before they can use their computer.
The second is called Night Owl 10, infected with a relatively harmless virus called ''Lapse''. The manufacturers of both discs admit the infections and are expected to withdraw the CD-Roms.
Copyright 1993 Information Access Company;
Copyright Ziff-Davis Publishing Company 1993
PC Week
December 27, 1993
In 1986, the Brain virus emerged from its creator in Pakistan and spread on pirated copies of Lotus 1-2-3 and WordPerfect. Brain, the first full-fledged computer virus, replaced the contents of a PC's disk-boot sector with virus code and labeled three clusters as bad in the file allocation table.
As IS managers plan for a new year, there are more than 2,000 viruses capable of dashing those plans by doing everything from erasing a hard disk to altering their own signatures with each replication. As viruses evolve, anti-virus software is also changing to keep its footing on this treacherous landscape.
"We used to detect a virus by matching its signature against the actual virus, matching its code. Now programmers are writing viruses so that every time they infect a program, the virus changes its fingerprint so it can't be found by conventional means," said Bob Janacek, technical director for security products at Safetynet Inc., the Millburn, N.J., maker of Virus Net Pro. Virus Net Pro and other packages now use heuristics and algorithms to treat these polymorphic viruses.
Tremor, a polymorphic virus created with a mutation engine, can have more than 2 billion iterations, said Phil Talsky, product manager for ViruScan anti-virus software, from McAfee Associates Inc., in Santa Clara, Calif. Algorithms with complex mathematical procedures are now required to detect such iterations, Talsky said.
Also changing the virus outlook are anti-virus development kits, available on underground bulletin boards. "The virus construction kits make it much easier for less skilled people to write viruses that are more clever and deadly," said Tory Case, product marketing manager for Central Point Software Inc., in Beaverton, Ore. "I'm not a programmer, but with the Virus Creation Laboratory by hacker 'Nowhere Man,' I could create a virus simply by using pull-down menus and click-and-choose options."
Signature scans fall short
As a result, most anti-virus software developers have changed their approach; in addition to detecting known viruses, they screen for viruslike behaviors. "With the exponential growth of viruses, there is absolutely no way to always have a signature database that includes all known viruses," said Brian Sevy, product manager for Intel Corp.'s network management operations, in American Fork, Utah.
With its LAN Desk Virus Protect software, for example, Intel provides both a signature database and rules-based technology. These rules look for behavior that is characteristic of viruses, such as COM file growth.
This new emphasis on behavior-blocking techniques is bolstered by a study conducted by two captains at the Air Force Institute of Technology, in Huber Heights, Ohio. The study tested the effectiveness of anti-virus packages against both well-known viruses and those found on underground bulletin boards.
"The Air Force is a big consumer of computer software. Our goal was to get the virus protection that is the most effective," said Capt. Kevin Ziese, co-author of a report based on the study. "Instead of trying to keep up with the newest virus in town, you should monitor for virus behaviors."
Ziese found that two software packages -- Central Point Anti-Virus and the anti-virus utility in Microsoft Corp.'s MS-DOS 6.0 -- caught 100 percent of the viruses used in the study. Both products employ behavior blocking as well as signature scanning.
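The contrast drawn above between signature matching and rules such as COM file growth, as an added example that is not from PC Week or from any vendor's product: a fixed-signature scan and a baseline growth rule run over constructed, inert byte strings. The marker bytes, the file names and the XOR re-encoding used to model a fingerprint that changes per copy are assumptions made for the illustration.

```python
"""Fixed-signature scan vs. a growth rule, run on constructed data only."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed, inert stand-in for an appended code body (an assumption for
# this example; not taken from any real sample or product).
MARKER = b"EXAMPLE-APPENDED-BODY"
SIGNATURES = {"example.marker": MARKER}
EXECUTABLE_SUFFIXES = (".COM", ".EXE")


def signature_scan(image: bytes) -> list[str]:
    """Names of the fixed byte signatures present in a file image."""
    return [name for name, sig in SIGNATURES.items() if sig in image]


def reencode(body: bytes, key: int) -> bytes:
    """Model 'a new fingerprint per copy': same bytes under a different XOR key."""
    return bytes(b ^ key for b in body)


@dataclass(frozen=True)
class Baseline:
    size: int
    sha256: str


def take_baseline(files: dict[str, bytes]) -> dict[str, Baseline]:
    """Record size and hash of every file while the system is known clean."""
    return {name: Baseline(len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def rule_check(baseline: dict[str, Baseline],
               current: dict[str, bytes]) -> dict[str, str]:
    """Flag executables that are new, have grown, or changed in place."""
    findings = {}
    for name, data in current.items():
        if not name.upper().endswith(EXECUTABLE_SUFFIXES):
            continue  # data files grow all the time; the rule ignores them
        old = baseline.get(name)
        if old is None:
            findings[name] = "new executable"
        elif len(data) > old.size:
            findings[name] = f"grew by {len(data) - old.size} bytes"
        elif hashlib.sha256(data).hexdigest() != old.sha256:
            findings[name] = "content changed"
    return findings


# Constructed file images for a known-clean machine.
CLEAN = {
    "EDIT.COM": bytes(range(64)),
    "FORMAT.COM": bytes(range(64, 160)),
    "SORT.EXE": bytes(range(100, 200)),
    "REPORT.TXT": b"quarterly figures\n",
}

# The same machine later: one file carries the marker as-is, two carry it
# re-encoded under different keys, and a text file has simply been edited.
LATER = {
    "EDIT.COM": CLEAN["EDIT.COM"] + MARKER,
    "FORMAT.COM": CLEAN["FORMAT.COM"] + reencode(MARKER, 0x5A),
    "SORT.EXE": CLEAN["SORT.EXE"] + reencode(MARKER, 0xC3),
    "REPORT.TXT": CLEAN["REPORT.TXT"] + b"revised\n",
}


def demo() -> tuple[dict[str, list[str]], dict[str, str]]:
    """Run both checks over LATER and return (signature hits, rule hits)."""
    scan_hits = {}
    for name, data in LATER.items():
        hits = signature_scan(data)
        if hits:
            scan_hits[name] = hits
    rule_hits = rule_check(take_baseline(CLEAN), LATER)
    return scan_hits, rule_hits


if __name__ == "__main__":
    scan_hits, rule_hits = demo()
    print("signature scan:", scan_hits)
    print("growth rule:   ", rule_hits)
```

A legitimately upgraded program trips the same rule, so the baseline has to be retaken after every trusted install.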
The most dreaded threat to an anti-virus software developer is a virus that attacks the anti-virus package itself.
"An anti-virus scanner can end up spreading a virus if it's a direct attack," said Frank Horwitz, president of Reflex Inc., the Brier, Wash., maker of Disknet anti-virus software. Tremor, for example, attacked the TSR (terminate-and-stay-resident) component of Central Point Anti-Virus; Central Point addressed this by adding detection for Tremor and altering the TSR in Version 2.0, which was released in May.
Copyright 1993 Kyodo News Service
Japan Economic Newswire
DECEMBER 22, 1993, WEDNESDAY
Damage caused to computer programs by harmful viruses more than tripled in Japan in 1993, and is expected to total about 900 cases by the year-end, a government-affiliated organization reported Wednesday.
The Information-Technology Promotion Agency, Japan (IPA), affiliated with the Ministry of International Trade and Industry, attributed the spread of viruses to growing sales of low-end machines compatible with those produced by U.S. computer giant International Business Machines Corp. (IBM).
Agency officials said a growing number of harmful programs produced overseas have been imported to Japan.
Viruses are computer programs which spread through floppy disks and other means and destroy healthy programs stored in computer systems.
The agency said there were only 14 cases of virus infection in 1990 when it began to take statistics on the trouble, but the number increased to 57 in 1991 and to 253 in 1992.
By the end of November this year, 779 cases had been reported to the agency.
Since a large number of virus infections are usually reported at around Christmas, the total number by the year-end is sure to hit 900, the agency said.
The most common virus in Japan is called a 'cascade' which caused information to run down on the screen like a waterfall, the agency said.
The Associated Press
February 2, 1994, Wednesday, PM cycle
A year-old computer network has become the communications backbone of Germany's neo-Nazi scene, with users sharing ideas on how to rid Germany of foreigners, coordinate illegal rallies and swap bomb-making recipes.
The "Thule Network," guarded by passwords and loyalty tests, consists of at least a dozen bulletin boards in three western states, according to law enforcement officials and computer experts. It is used by extreme rightists to avoid detection by police unfamiliar with new computer technology.
The network computers call one another nightly and exchange files. Important information - such as contact numbers for transportation on the eve of a big rally - can be disseminated in a few hours and without a paper trail.
The network's name derives from the small, elite 1920s movement considered the Nazi vanguard. Thule movement leaders included Hitler henchman Rudolf Hess, whose Aug. 14 birthday is marked annually by today's neo-Nazis.
With the network's aid, some 500 neo-Nazis formed a convoy that drove into the city of Fulda and rallied there unhindered on last year's anniversary. Demonstration bans and police dragnets had thwarted their plans to meet at Hess's grave in Bavaria.
But the Thule Network is much more than a place to look for rides to rallies.
It is a place where Russian ultranationalist Vladimir Zhirinovsky is commended as a "Robin Hood" who wants to protect the downtrodden and keep both Germany and Russia ethnically pure.
Suppose some young neo-Nazis want to put out a newspaper, for example, but lack the know-how. Just plug into "Resistance," one of the network's bulletin boards.
"A network-connected attorney can check the text, a graphics office can put together the newspaper," the Resistance host says in a digital preamble. The network is also a refuge - where a crowd closely watched by police can disappear into cyberspace. Technologically ahead of most police, network gatekeepers are having considerable success keeping out the law.
Not a single one has been prosecuted.
"German police don't know much about computers and bulletin boards. It's very new for them," said Uwe Kauss, editor of the Munich-based computer magazine Chip, which has penetrated the network through informants.
Chip estimates 1,500 of Germany's more than 40,000 right-wing extremists are active on the network. They also say its operators are seeking links with U.S. comrades such as Nebraska neo-Nazi Gary Lauck, who ships hate literature to Germany.
Along with mobile phones and answering machines, the Thule Network is helping a diverse neo-Nazi scene establish a united front - a phenomenon acknowledged by Germany's government.
"Previously, the scene had many loosely connected splinter groups. Now they are getting in touch more easily," said Matthias Schenk, spokesman for the Baden-Wuerttemberg agency that monitors enemies of the state.
All you need to visit Thule boards is a computer and a modem. But to hook up to the network, you must leave your name, phone number and address. You then receive a phone call and must pass a loyalty test to get full access.
Federal officials and law officers in Baden-Wuerttemberg, Bavaria and North Rhine-Westphalia states, where the Thule boards are located, won't say whether police agents have infiltrated the network.
But they speak with frustration of their inability so far to shut down even a single neo-Nazi bulletin board.
"This is a very difficult realm for gathering solid evidence," said Schenk, especially because members post messages and announcements under pseudonyms.
It's the same with the "infophones," answering machines where rightists leave messages about political foes. A Mainz man has twice been arrested for running one, but no charges have been filed and he has boasted he'll just start up another.
The extreme right has tapped the power of computer networking, creating a sophisticated breed of neo-Nazis, such as the publishers of Junge Freiheit, a 35,000-circulation weekly neo-Nazi newspaper in Potsdam.
In network forums, for example, racist tracts are allowed, but network operators immediately jump on anyone who boasts of beating up foreigners.
The heads of the bulletin boards, "Germania," "Elias" and "The Empire," say on introductory screens loaded with German flags and iron crosses that theirs is a network of "nonconformists" who oppose the "spirit of the times."
They post slogans such as "Give Peace a Chance" on their sign-off screens and include disclaimers denying any intention to violate the law.
But clever technophiles run these systems.
A police informant encountered a bomb-making manual on the Resistance system, located in Erlangen, but it was gone when the informant looked again two days later, said Ewald Behrschmidt, justice spokesman in nearby Nuremberg.
If police could determine who put it there - and prove that - they could have made an arrest, said Behrschmidt.
The Resistance operator, reportedly a Nuremberg computer science student, has introduced into a private message area an encryption program called Pretty Good Privacy that ensures electronic mail confidentiality.
The program is so airtight that U.S. authorities are investigating its Colorado author for possible export law violations because he sent it out publicly onto the Internet worldwide computer network.
Such encryption programs are considered weapons under U.S. law.
So, does that make them explosives in the hands of neo-Nazis?
Copyright 1993 Information Access Company;
Copyright Ziff-Davis Publishing Company 1993
PC-Computing
October, 1993
I've never had a sip of alcohol, nor any recreational drugs (not one puff to un-inhale), but, being 38 years old, I feel I was part of the hippie culture. I was young and rural in the sixties, but my formative years were spent listening to music created by people who chased the muse down many chemical alleys.
Top 40 radio blared that the government wasn't to be trusted. Dylan sang "Phone's tapped anyway," and his inflection said that was a bad thing. But even as I was sucking up the culture, my skeptical side said that all the "Tin soldiers and Nixon's coming . . ." stuff might be a little dramatic. Romanticizing living outside the law, coupled with the physiological effect of drugs, might be making these artists a little paranoid, a little nutty.
The joke was kinda on me. Paranoid or not, John Lennon was on Nixon and FBI hate lists, the Vietnam War probably was a very bad idea, and the Watergate break-in and subsequent cover-up really did happen. No government is to be trusted. I could have gotten a stronger lesson from the founding fathers, but they didn't have any records out. "You say you want a revolution?". . . "The government that governs least governs best."
Clinton is younger than any Rolling Stone (unless they replace Bill Wyman with a new bass player from his ex-wife's generation). It would seem that Bill Jefferson Clinton would share the mistrust of Big Brother that we tapped our collective foot to. But remember, he's not Bob Dylan and Neil Young--he's Kenny G and Fleetwood Mac. Watch him.
Willy picked up Bush's evil encryption Clipper Chip fascist football and ran with it ("Meet the new boss--same as the old boss"). The Clipper Chip is supposed to give us more privacy, which we need. An ex-friend of mine taped Madonna talking to her business manager on her cordless phone, and some punk ("punk" in the prison sense) broke into my Internet account and read my mail.
The Clipper Chip, which was designed by government engineers, would be used to scramble and decode information so that only the addressee could read it. The government would sell this chip below market value (some people believe they'd be getting something for nothing; some people believe Elvis put syringes in Pepsi), and we'd all have cheap privacy. Oh, by the way ("The large print giveth, the small print taketh away"), the government would keep all the keys so they could eavesdrop on might-be-bad-guys (with a subpoena, of course).
What?!
The anti-Clipper Chip people sent me megs and megs of reasons why the Clipper Chip sucks (the information on how it works is kept secret, so private scientists wouldn't be able to check for mistakes; trade with other countries would be difficult; how safe could the codes be kept?; and so on). Big cheese computer people yapped against it, and it got shot down the first time around on the legislation front.
On the tech front, there is a great cypherpunk ("punk" in the rock and roll sense) alternative called Pretty Good Privacy, which is nongovernment and free. One of my math-hip friends explained public-key encryption to me, and it's pretty thinking; I'll try to explain it in a future column. There was even talk of making private encryption illegal (an evil idea, pure and simple).
The more research I did, the simpler it got. You have inalienable rights including life, liberty, and the pursuit of happiness. That's it. We have a right to communicate with anyone we choose without anyone listening in. The government works for us. Power to the people.
Look for the new Penn & Teller tour.
Copyright 1993 Information Access Company;
Copyright Ziff-Davis Publishing Company 1993
PC Week
September 27, 1993
A federal grand jury in San Jose, Calif., has subpoenaed information from a pair of software companies that distribute a public/private key encryption program called Pretty Good Privacy.
The program, distributed as freeware by Austin Code Works of Austin, Texas, is being readied in a licensed version for distribution in the United States and Canada by ViaCrypt, a division of Lemcom Systems Inc. of Phoenix.
The subpoenas require the companies to submit records related to the international distribution of PGP. The program -- which is more powerful than most encryption programs cleared for export beyond Canada -- has found its way into countries such as Finland.
The investigation is part of a complicated web of issues that encompass First Amendment rights and the use of encryption software to protect information.
"We are looking at a very early part of a very long process which involves ... changes in information and information flow," said Eben Moglen, a professor of law and legal history at Columbia University in New York.
Copyright 1993 Guardian Newspapers Limited
The Guardian
November 25, 1993
THE NEWS came, appropriately enough, over the electronic networks: Phil Zimmermann needs help. The details followed: the US Customs Department is investigating him to determine whether he was responsible for exporting full-strength encryption from the US. Under US law, strong encryption is classified as a munition.
Zimmermann is the author of the first version of PGP, which stands for "Pretty Good Privacy". The program runs on a variety of microcomputers and is widely available as freeware on online services all over the world, including Cix and CompuServe. In fact, the program is probably "exported" many times every day. Anyone can use it to make sure that their electronic communications are secure.
Zimmermann seems to have become interested in cryptography as early as junior school. Computers came into it later: after taking a computer science degree in Florida he became a computer consultant specialising in cryptography. It wasn't until 1991 that PGP 1.0, a DOS program, was released: one of the technical difficulties was learning how to get computers to do calculations involving 300-digit numbers. Since then others have built on Zimmermann's work; there are versions of the program for DEC VAX VMS, Unix and even Microsoft Windows. There have also been improved DOS versions: we are now up to 2.3.
PGP is based on the RSA encryption algorithm, named for its developers, Rivest, Shamir and Adleman. RSA relies on a system called public-key cryptography. The program starts by generating two keys, a public and a private one. Your private key is just that: private. You keep it safe and share it with no one. Your public key, however, you get digitally signed by people who know you and can attest that it's yours. After that you can distribute it as widely as you like by any method you like. There are already "key servers" - one of them at Demon Internet Limited in London - where public keys are available for downloading by anyone who wants them. But you will, of course, keep a "key ring" of your correspondents' public keys, which you will use to decrypt their messages.
Public-key cryptography has several elegant features. First, the encryption really is "industrial strength". Second, the keys authenticate messages as well as protect them from prying eyes: if a message can be decrypted using your public key, that's a guarantee that the message came from you - and you can't later disavow it.
Enter the cypherpunks, to whom Zimmermann is a hero. Instead of relying on data protection legislation and the goodwill of systems administrators, they argue, use the computer to give us back the privacy that computerised systems have taken away. Think of encryption as an envelope: you wouldn't want to send all your private mail on postcards, would you? The private nature of the act of writing electronic mail and messages makes it easy to forget how public they really are.
Protecting the privacy of correspondence is only the beginning. Other proposed uses for encryption include digital cash, which would allow you to pay for goods and services electronically and anonymously, and selective smart cards, which would only tell authorities the information they need and no more. For example, you could have a card that told the DSS you were entitled to benefit, but gave staff none of your personal details.
The fact that it's illegal to export strong encryption from the US does not make it illegal to use PGP in the UK. However, it has been technically illegal to use PGP inside the US, because the RSA algorithm is patented by RSA Data Security, a company set up to exploit RSA, which was developed at MIT with public funding.
Ironically this patent is not valid in the UK and other countries, because of prior publication in Scientific American. This situation may be changing: a commercial version of PGP is being released in the US, and the GATT talks may uphold such US patents. (Of course many cypherpunks argue that it should not be possible to patent an algorithm, any more than you should be allowed to patent the human genome or a compound's molecular structure.)
The present US Customs investigation doesn't deal with the patent issues, only the export question. But it's come at the same time as Clinton's Clipper Chip proposals and the Digital Telephony bill, both of which seek to limit the strength of encryption available within the US. This has a certain irony: encryption is too dangerous to be given to the American public, but anyone can have a gun.
The result has been to give Zimmermann some of the gloss of a folk hero: he is regarded as being the man who gave strong encryption to the masses.
Zimmermann contends that he did not export PGP. But win or lose, he will face the usual astronomical American legal bills, so a defense fund has been set up by his attorney (email: dubois@csn.org). And win or lose, the technology is out there now. No amount of scouring of the world's hard discs will ever bring it back under control.
Copyright 1993 Information Access Company;
Copyright Ziff-Davis Publishing Company 1993
PC Magazine
November 23, 1993
WHILE THE CONTROVERSY BREWING over the Clipper encryption chip focuses on individual privacy, the privacy issue extends far beyond the borders of your desktop to the global arena.
Software that includes strong encryption is subject to strict export controls in order to minimize the spread of technology that could undermine the government's ability to gather intelligence. In fact, cryptography is included on the State Department's list of weapons that could compromise the country's security.
Despite attempts to keep the technology stateside, 84 products that employ the Digital Encryption Standard (DES) are available overseas, says the Software Publishers Association. But the regulation has succeeded in keeping U.S. companies out of the global marketplace. And recently, the makers of a software encryption program called Pretty Good Privacy (PGP) have been investigated for possible export violations. (Both DES and PGP are available on the Internet.)
The American Civil Liberties Union has questioned the rule's constitutionality. "We think it's a violation of the First Amendment for the government to say you can't export those products because computer software is a form of speech that's given special protection," says Kate Martin, director of the ACLU's Center for National Security Studies.
Copyright 1993 New York Law Publishing Company
New York Law Journal
November 9, 1993, Tuesday
ALTHOUGH THE "data superhighway" planned by the current administration is not yet a reality, thousands of confidential documents and electronic mail messages are racing around the country, many of them between attorneys and their clients. Unfortunately, the security of these documents and messages is a matter of controversy and media attention.
Increasingly, attorneys and clients are staying in touch with each other via e-mail. In some cases documents or messages are transmitted over "dedicated lines" or telephone lines linked directly between client and attorney. These dedicated lines provide a high measure of security. However, most documents and messages are transmitted via third party e-mail service providers, who lease "mail boxes" to which subscribers can dial in to send and receive electronic mail. These mailboxes can direct mail to other service providers, so that potentially, a message or document may pass through several systems before it reaches the intended recipient.
Even if one does not consider malicious interference, the number of systems handling a document, and the increasing complexity of addressing an e-mail message greatly increases the likelihood of incorrectly addressed mail.
Ten years ago, when facsimile machines were relatively new, misdirected faxes were not a great concern. Today fax machines are so commonplace that law firms and businesses routinely place a confidentiality notice on the cover page. From this standpoint, there is far greater risk of an undetected misdirected e-mail than a fax. A misdialed fax must arrive at another fax machine or no transmission can occur. An incorrectly addressed e-mail message may be "bounced" and returned to the sender, or equally likely, may be sent to the wrong party, and the sender may never be aware of the mistake.
When "hackers and crackers" and other technological miscreants are added to the equation, the likelihood of an e-mail disaster in the legal profession looms ominously.
Computer experts have been concerned with e-mail and telecommunications security for many years. In addition to worrying about accidents and hackers, there is fear of unwarranted monitoring of e-mail communications by government agencies. And of course, government agencies (particularly the military) have been concerned about security since the beginning of telecommunications.
The solution is cryptography, the science of codes and ciphers, which for many years was a somewhat arcane field of mathematics.
Using "traditional" techniques, a confidential message or document would be encrypted pursuant to a complex series of mathematical algorithms. A single password would be used to both encrypt and decrypt the document or message.
This approach continues to be quite commonplace as a security measure in business and industry. Unfortunately, such an approach has certain difficulties and vulnerabilities.
A single password encryption scheme requires that both the sender and the receiver have the same password. However, the mechanism for transmitting the password is problematic. If an attorney is uncomfortable with the security associated with transmitting the document via e-mail, then e-mail would not be an adequate means to convey the password.
Further, communicating the password via telephone or regular mail becomes cumbersome, especially if long or complex passwords are used. Finally, in a large organization, there may be many people who will be generating or receiving confidential materials. A single password system requires that each such person have access to that password and keep it confidential.
A solution to this problem was arrived at in the mid 1970s, when "public key cryptography" was developed. In brief, there are actually two "keys" or passwords in a public key cryptography scheme. One key, a public key, "locks" or encrypts documents. The other key, a private key, "unlocks" or decrypts the document. The keys are matched and generally quite large (they are long strings of apparently random characters, rather than the traditional one or two word password).
In using a public key cryptography system, a user generates a public key and a private key. The public key would then be made available to the world-at-large.
Anyone could then use the public key to encrypt documents, messages, etc. However, only the intended recipient could decrypt the message, using the private key.
Such a system solves many problems. Virtually anyone can securely send encrypted documents. If the documents are intercepted or routed to the wrong person, there is little anyone could do without the private key (short of using a supercomputer for long periods of time).
Perhaps even more exciting is the concept of a "digital signature" which public key cryptography creates. A unique aspect to certain public key cryptography systems is the ability to generate unique identifier codes or "signatures" which can be attached to documents, e-mail messages, etc. The digital signature can only be generated using the private key, and can only be confirmed as valid using the public key.
The result is that if someone distributes a document which purports to be "signed," the recipient can confirm the identity of the sender by testing the signature with the sender's public key. If the recipient is confident that the public key is genuine, she can validate the signature because only the corresponding private key can generate a digital signature which can be validated by the public key.
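The two operations described above (encrypting to a public key, and signing with a private key), as an added example that is not part of the original article: textbook RSA in Python using constructed demo keys built from known Mersenne primes. It leaves out the padding and hybrid encryption that real software uses, and every function name here is this example's own.

```python
import hashlib

# Constructed demo primes (known Mersenne primes) so the example is
# deterministic. Real keys use secret, randomly generated primes.
P, Q = 2**521 - 1, 2**607 - 1        # recipient / signer key
P2, Q2 = 2**1279 - 1, 2**2203 - 1    # an unrelated party's key
E = 65537                            # commonly used public exponent


def make_keypair(p, q, e=E):
    """Return ((n, e), (n, d)): the public key and its matched private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # raises ValueError if e is not invertible mod phi
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> int:
    """Anyone holding the public key can 'lock' a message."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Only the private key 'unlocks' it (leading zero bytes are not kept)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_as_int(document: bytes, n: int) -> int:
    # Sign a SHA-256 digest of the document rather than the document itself.
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % n


def sign(private_key, document: bytes) -> int:
    """The signature can only be produced with the private key."""
    n, d = private_key
    return pow(_digest_as_int(document, n), d, n)


def verify(public_key, document: bytes, signature: int) -> bool:
    """Anyone can check the signature with the signer's public key."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(document, n)


if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    other_public, other_private = make_keypair(P2, Q2)

    memo = b"Draft settlement terms attached."  # constructed sample text
    locked = encrypt(public, memo)
    print("intended recipient reads:", decrypt(private, locked))
    # A misdirected copy is useless without the matching private key.
    print("wrong party recovers memo:", decrypt(other_private, locked) == memo)

    filing = b"Form filed on behalf of the client."  # constructed sample text
    sig = sign(private, filing)
    print("genuine filing verifies:", verify(public, filing, sig))
    print("altered filing verifies:", verify(public, filing + b" (amended)", sig))
    print("verifies under another key:", verify(other_public, filing, sig))
```

The last check is why the recipient must be confident the public key is genuine: a signature only says which private key produced it, not who holds that key.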
This technology opens entire new avenues for lawyers and business people, because, in essence, it permits truly "paperless" transactions. For many years, banking and securities institutions have authorized without a manual signature. However, in general, elaborate precautions were put in place, including dedicated lines, hardware access restrictions, etc. to prevent fraud. Lawyers and business people are generally unwilling to eliminate manual signatures because such procedures are too onerous. However, with the advent of public key cryptography, electronic "signatures" may become commonplace:
For example, the Securities and Exchange Commission is accepting electronically "signed" filings under its Electronic Data Gathering, Analysis and Retrieval (EDGAR) system. Manual signatures are not required for a valid filing, but must be maintained on file.
New word processing and e-mail software packages are now incorporating public key cryptography technology. It is therefore not unimaginable that in the near future, documents will be executed and delivered electronically, without the need for "hard copy."
Patent Controversy
However, at the same time this technology is opening up new legal vistas, it is being scrutinized. At the heart of the controversy is a software package called "Pretty Good Privacy" or PGP as it is generally known.
This package was written several years ago by Philip Zimmermann and distributed free to interested parties. Since that initial release PGP has been updated by others and is still available, free of charge, from many computer sources around the world.
The controversy initially concerned the issue of patent infringement. PGP was based on a series of algorithms developed at MIT by several researchers. Those algorithms were originally publicly published. Thereafter they were licensed to a private concern to be sold or licensed commercially. The private company which holds the license to the algorithms claimed that PGP infringed on its patents.
Recently, the company has agreed to sublicense the public key cryptography technology to a second company to develop a commercial version of PGP. Shortly after the infringement issue appeared to be resolved (or close to resolution) another, less mundane issue surfaced.
A federal grand jury subpoenaed both software companies, apparently concerned that the technology would be (or had been) illegally exported in violation of State Department regulations. The department regulates the export of weapons and other technology which might be a threat to national security. Cryptography software and technology is classified as such a potential threat, and therefore its export is subject to governmental regulation as a "munition." Unfortunately for the government, PGP is available world wide.
To add further controversy, the government proposed its own cryptography standard, incorporated in a tamper proof computer chip referred to as the "Clipper Chip." The proposal was made in response to concerns that cryptography technology generally available to the public (such as PGP) would cripple law enforcement agencies' ability to monitor phone conversations or data transmissions under a valid court order.
The Clipper Chip is designed to require two encryption keys which would be "escrowed" with two separate government agencies. Upon a court order, both government agencies would provide their keys to law enforcement agencies, which would then allow them to "crack" any transmissions made using that particular Clipper Chip.
The "Big Brother" aspect of the regulation of cryptography systems upset many in the computer and legal community concerned with privacy rights. Further, to date, the government is unwilling to publicly release the details of the Clipper Chip algorithms.
Cryptography experts and aficionados (cypherpunks) argue that without rigorous public scrutiny, there is no way of assuring that the Clipper Chip technology is truly secure, or worse, does not incorporate a secret "back door" under which someone could by-pass the security without the escrowed keys. The final evaluation and recommendation on the proposal by the government are pending.
Regardless of the outcome of both the PGP and Clipper Chip cases, however, it is apparent that cryptography is becoming an important tool in business and law. It is one of the few cases where an inability to understand what a lawyer says may be a good thing.
Copyright 1993 Network World, Inc.
Network World
November 8, 1993
On Sept. 17, bureaucrats claiming to act in your best interest again interfered with your ability to protect network transmissions using the best, most cost-effective encryption algorithms available. It's time for network managers to take action to stop government meddling in the business of privacy.
U.S. manufacturers are not permitted to export their most powerful encryption tools without a license. The difficulty of obtaining such export licenses forces U.S. manufacturers either to forego sales outside the U.S. and Canada or to produce a weaker version of their software for international distribution.
The costs of maintaining the different versions are paid for in higher prices for U.S. users. Similarly, giving away foreign markets also decreases the profits of U.S. firms and keeps prices higher than they could be if vigorous competition were the rule.
In addition, U.S. taxpayers have been paying bureaucrats' salaries to apply the International Traffic in Arms Regulations (ITAR) to encryption software. According to ITAR, the Office of Defense Trade Controls of the U.S. Department of State can define anything it wants as equivalent to munitions. There is nothing to stop the bureaucrats from adding the decoder rings found in popcorn boxes to the U.S. Munitions List and designating them as a restricted export.
Just because some paper-pusher claims that encryption is a munition shouldn't make it so. In the words of Lennart Benschop of Eindhoven University of Technology in the Netherlands, "Making cryptographic software equivalent to munitions is just as foolish as making addictive crossword puzzles equivalent to drugs."
The notion that the U.S. government should, let alone can, prevent foreign nationals from having access to encryption technology was never reasonable in the first place, but it's ludicrous today.
Trying to restrict the export of encryption programs in this age of the global Internet is about as useful as trying to keep cigarette smoke from drifting into the no-smoking zone in your favorite restaurant. Trying to control the flow of information via diskette or paper when data can travel unimpeded through the Internet is just plain dumb. How can a government official stop international users from using anonymous File Transfer Protocol to get a copy of any encryption algorithm found on a file server anywhere in the world?
ITAR's application to software is unenforceable and has been for years. One can already find encryption technology of the highest quality everywhere on the planet, ITAR notwithstanding.
On Sept. 17, the latest incident in which the federal government has attempted to enforce these ill-conceived regulations occurred. Grady Ward, president of Austin Code Works (ACW), a software firm in Austin, Texas, was ordered by a U.S. Customs special agent to turn over all paper and electronic documents pertaining to the distribution of ACW's encryption products.
Ward has compiled a 9M-byte anthology of already published encryption source code, which he called "Moby Crypto." This collection includes no executable code, only the algorithmic descriptions in C language that can be found (and exported) from scores of books and journals from the U.S. and elsewhere already freely distributed throughout the world.
Ward argued that the only difference between his "cryptographic whale" and other descriptions of encryption algorithms is that "Moby Crypto" is purely electronic, whereas textbooks and journal articles, which are freely circulated internationally without interference from ITAR, are "printed on paper pulp." Even the Supreme Court, he continued, will provide its judgments in electronic form, and electronic White House records must be treated with the same respect as official paper documents.
Another software company, Phoenix-based ViaCrypt, was served with a similar subpoena because it recently contracted to sell a commercial version of Pretty Good Privacy (PGP), an encryption utility that has been circulated worldwide via the Internet. Although the first version of PGP was written in the U.S. by software author Phil Zimmermann, Version 2.0 of PGP came from the Netherlands, not the U.S.
The Electronic Freedom Foundation, which is dedicated to supporting the cause of liberty in cyberspace, has publicly announced its intention to support ACW and ViaCrypt, stating, "Neither of these companies are engaged in the international distribution of any illegal materials... If Moby Crypto contains no executable code, it should be exportable under ITAR, just as textbooks containing such materials are exportable." A legal defense fund has been started to help defray the enormous costs that these two victims of bureaucratic meddling are likely to incur.
ITAR is not a dead letter either. The latest modifications to ITAR are reported in the July 22 issue of the Federal Register.
Network managers need encryption technology to secure transmissions against eavesdropping and stored data against unauthorized access. You should brook no interference with the natural evolution of this technology.
The House Foreign Affairs Committee, Subcommittee on Economic Policy, Trade and the Environment held a hearing on mass market cryptography and export controls on Oct. 12 at which speakers from industry expressed outrage over inclusion of cryptography in ITAR. Chairman Sam Gejdenson (D-Conn.) opened the hearing with a statement that summed up the situation pretty clearly: "Just as in the case of telecommunications, the National Security Agency is attempting to put the genie back in the bottle. It won't happen; and a vibrant and productive sector of American industry may be sacrificed in the process."
In (nearly) the words of former Canadian Prime Minister Pierre Trudeau, "The government has no place in the file servers of the nation." Tell your congressional representatives to take cryptography out of ITAR.
Kabay is director of education with the National Computer Security Association in Carlisle, Pa. He can be reached on the Internet at 75300.3232@compuserve.com or by phone at (514) 931-6187.
Copyright 1993 McGraw-Hill, Inc.
Business Week
October 4, 1993
Philip Zimmermann wanted to strike a blow for freedom. To help computer users keep data safe from snoopers, the Boulder (Colo.) software consultant and self-described "privacy activist" wrote a program making it easy to encode messages with an all-but-unbreakable cipher. And he offered it free through the network known as the Internet.
Now, Zimmermann's gift to cyberspace has exposed an enormous gap in the Administration's vision of a high-tech future. The White House is promoting a data superhighway as a key to a competitive future. But the National Security Agency is trying to restrict the use of high-quality encryption, which experts believe business will need to take full advantage of the "information infrastructure."
The focus of the fight is a program Zimmermann calls "pretty good privacy" (PGP). On Sept. 9, two software companies in Texas and Arizona that have been involved in publishing PGP received federal grand-jury subpoenas requesting documents and information about the program.
CRACKDOWN.
Although the government won't discuss the investigation, the computer world has a pretty good idea what's going on. Because sophisticated encryption allows friends and foes alike to protect communications, the software is subject to the same export controls as munitions. But PGP has popped up all over the world. The probe, says Zimmermann's lawyer, Philip Dubois, is aimed at "finding out how it occurred and whether an offense was committed."
Oddly, the crackdown on software comes just as the Administration is loosening export controls on computer hardware. But the schizophrenia may be more apparent than real. "I don't think they've got the export policy together enough to be split," says a key congressional staffer. The underlying problem, explains Paul Freedenberg, a Washington attorney and export-control specialist, is that "Clinton is very cautious about dabbling in national security. This is an area that has essentially been turned over to the spooks."
Meanwhile, there is growing concern in Congress about possible damage to exports. Quality encryption software "is available from foreign manufacturers...and is easily transmitted using only a long-distance telephone line and a modem," complained Representative Sam Gejdenson (D-Conn.) and a high-powered bipartisan group of colleagues in a Sept. 20 letter to the President. "Yet the U.S. continues to control this computer software as a Munitions List item." Says Douglas Miller of the Software Publishers Assn.: "The U.S. government is succeeding only in crippling an American industry's exporting ability."
While the goal of the NSA and other security agencies -- keeping U.S. messages secure while allowing Uncle Sam to read those of both domestic and foreign bad guys -- is laudable, technology may be rendering it impossible. "Law enforcers no longer have the inside track," says Eben Moglen of Columbia University law school.
Experts agree that NSA officials are smart enough to see the writing on the wall, encrypted or not. But, says James Bidzos, president of RSA Data Security Inc. in Redwood City, Calif., the agency wants to maintain as much control as possible for as long as possible. Today, intelligence agencies still have a shot at finding "needles in the haystack," he says. "If they lift export controls, they might as well go home."
Still, the NSA can't stave off the inevitable for long. Gejdenson hopes to produce legislation by early next year to revamp government policy on high-tech exports. The result will probably include looser restrictions on encryption software -- and a victory for Phil Zimmermann in his battle to keep snoops out of his cyberspace.
Copyright 1993 The Times Mirror Company
Los Angeles Times
October 3, 1993, Sunday, Home Edition
When Charles and Diana discovered millions of people were reveling in their most intimate telephone calls, the world's most public couple had to face the facts of private life in the electronic age.
In a world of cellular phones, computer networks, electronic mail and interactive TV, the walls might as well have ears.
With the explosion of such devices, more people and companies -- from banks to department stores -- seem to have more access to more information that someone wants to keep private. In response, computer users are devising their own electronic codes to protect such secrets as corporate records, personal mail or automated teller transactions.
Historically, the biggest ears have belonged to the federal government, which has used surveillance techniques designed to track down criminals and security risks to keep electronic tabs on subjects ranging from civil rights leaders to citizens making overseas calls.
But, today, federal officials are afraid that advanced technology, which for almost 50 years has allowed them to conduct surveillance on a global scale, is about to make such monitoring impossible.
Now, federal intelligence and law enforcement agencies are insisting on their right to eavesdrop.
The government is proposing a standardized coding, or encryption, system that would eliminate eavesdropping by anyone except the one holder of the code's key -- the government itself.
To ensure that federal agents and police can continue to wiretap communications, the National Institute of Standards and Technology (NIST) is introducing a national electronic code. It will cover all telephone systems and computer transmissions, with a built-in back door that police can unlock with a court order and an electronic key.
White House and FBI officials insist they have no way to force any company to adopt the new technology. They will not outlaw other forms of coding, they said.
But experts say a series of regulatory actions involving Congress, the State Department, the U.S. attorney general, export licensing restrictions and the purchasing power of the federal government will effectively force people to use the code.
The government's plan has triggered an outcry among computer users, civil rights groups and others. The American Civil Liberties Union and groups of computer professionals say the plan raises major constitutional questions. Federal laws are designed to limit the government's ability to wiretap, not guarantee it, they say.
"Where does the U.S. government get the right to understand everything that is transmitted?" asked Michel Kabay, director of education for the National Computer Security Assn. in Carlisle, Pa.
Not so many years ago, powerful encryption techniques were the monopoly of military and intelligence agencies. Over time, computer experts and corporate cryptographers created codes to protect their private communications. Some of these scramble electronic signals so thoroughly that even the supercomputers of the National Security Agency cannot decipher them. One of the best codes, called Pretty Good Privacy, is free and can be downloaded from computer network libraries around the world -- yet it still contains safeguards that protect its secrets from prying eyes.
Combined with advances in fiber optics and digital communications, these codes enable people to send electronic mail, computer files and faxes the government cannot read, and to make phone calls even the most sophisticated wiretapper cannot understand.
As new technologies converge to form the roadbed of a national information superhighway, the government faces the prospect of millions of people around the world communicating in the absolute privacy of the most secure codes science can devise.
At the same time, hundreds of phone companies channel calls through new digital switches into long-distance fiber-optic cables where, translated into light-speed laser pulses, they may elude interception more easily. Dozens of other companies are organizing global wireless digital networks to send phone calls, faxes and computer files over the airwaves to people no matter where they are or how often they move.
Given all this, NIST officials say the new code, called Skipjack, is the government's attempt to strike a balance between personal privacy and public safety.
They say it will protect people from illicit eavesdropping, while allowing an authorized government agent to unlock any scrambled call or encrypted computer message. It could be incorporated into virtually every computer modem, cellular phone and telecommunications system manufactured in the United States.
Designed by the National Security Agency, which conducts most of the country's communications surveillance, the code is one facet of an ambitious government blueprint for the new information age.
But critics say the code is just one of several steps by federal law enforcement groups and intelligence agencies to vastly expand their ability to monitor all telecommunications and to access computer databases.
Federal officials acknowledge that they are even considering the idea that foreign governments should be given the keys to unlock long-distance calls, faxes and computer transmissions from the United States. An international agency, supervised by the United Nations or Interpol, might be asked to hold in trust the keys to electronic codes, said Clint Brooks, a senior NSA technical adviser.
The Skipjack furor pits the White House, the FBI and some of the government's most secret agencies against privacy advocates, cipher experts, business executives and ragtag computer-zoids who say codes the government cannot break are the only way to protect the public from the expanding reach of electronic surveillance.
On the computer networks that link millions of users and self-styled Cypherpunks -- a group of encryption specialists -- the federal proposal has stirred fears of an electronic Big Brother and the potential abuse of power.
"It really is Orwellian when a scheme for surveillance is described as a proposal for privacy," said Marc Rotenberg, Washington director of Computer Professionals for Social Responsibility.
Encryption is the art of concealing information in the open by hiding it in a code. It is older than the alphabet, which is itself a code that almost everyone knows how to read.
Today, electronic codes conceal trade secrets, protect sensitive business calls and shelter personal computer mail. They also scramble pay-per-view cable television programs and protect electronic credit card transactions.
Everyone who uses an automated teller machine is entrusting financial secrets to an electronic code that scrambles transmissions between the automated teller and the bank's main computer miles away. One inter-bank network moves $1 trillion and 1 million messages around the world every day, swaddled in the protective cocoon of its code.
Nowhere has the demand for privacy grown so urgent as on the international confederation of computer systems known as the Internet. There, in a proving ground for the etiquette of electronic communication, millions of people in dozens of countries are adopting codes to protect their official business, swap gossip and exchange personal notes elbow-to-elbow in the same crowded electronic bazaar.
"People have been defending their own privacy for centuries with whispers, darkness, envelopes, closed doors, secret handshakes and couriers," said Eric Hughes, moderator of the Cypherpunks, an Internet group that specializes in encryption. "We are defending privacy with cryptography, with anonymous mail-forwarding systems, with digital signatures and with electronic money."
And it's working. The technology is leaving law enforcement behind.
Federal officials who defend the Skipjack plan say they are worried about too much privacy in the wrong hands.
"Are we going to let technology repeal this country's wiretap laws?" asked James K. Kallstrom, FBI chief of investigative technology. Under U.S. law, any wiretap not sanctioned by a court order is a felony.
Federal law enforcement agencies and intelligence groups were galvanized last fall when AT&T introduced the first inexpensive mass-market device to scramble phone calls. The scrambler contains a computer chip that generates an electronic code unique to each conversation.
FBI officials paled at what they said was the prospect of racketeers, drug dealers or terrorists being able to find sophisticated phone scramblers to code and decode calls at the nearest phone store.
National security analysts and Defense Department officials say U.S. intelligence agencies find the new generation of computer encryption techniques especially unsettling. It promises to make obsolete a multibillion-dollar investment in secret surveillance facilities and spy satellites.
"We would have the same concerns internationally that law enforcement would have domestically about uncontrolled encryption," said Stewart A. Baker, NSA general counsel.
NSA officials are reluctant to discuss their surveillance operations, but they said they would not want terrorists or anyone else "targeting the United States" to be able to communicate in the secrecy provided by unbreakable modern codes.
The Clinton Administration is expected to advise telecommunications and computer companies this fall to adopt the Skipjack code as a new national encryption standard used by the government, the world's largest computer user, and anyone who does business with it.
The government also will be spending billions in the next 10 years to promote a public network of telecommunications systems and computer networks called the National Information Infrastructure. Any firm that wants to join will have to adopt the Skipjack code.
Skipjack is being offered to the public embedded in a tamper-proof, $26 computer circuit called the Clipper Chip. It is produced by Mykotronx Inc., a computer company in Torrance.
To make it easier for agents to single out the proper conversation in a stream of signals, every Clipper Chip has its own electronic identity and broadcasts it in every message it scrambles.
Federal agents conducting a court-authorized wiretap can identify the code electronically and then formally request the special keys that allow an outsider to decipher what the chip has scrambled.
Federal officials say they expect companies to incorporate the chip into consumer phone scramblers, cellular phones and "secure" computer modems. Within a few years, FBI officials say, they expect the Skipjack code to be part of almost every encryption device available to the average consumer.
Many companies say they are leery of adopting the sophisticated electronic code, even though it could protect them from foreign intelligence agencies and competitors seeking their trade secrets. But AT&T, which has a long history of cooperating with the government on communications surveillance, has already agreed to recall the company's consumer scramblers and refit them this fall with the new chip.
Even without Skipjack and the Clipper Chip, advanced computers and electronic databases already have expanded government's ability to track and monitor citizens.
Searches of phone records, computer credit files and other databases are at an all-time high, and court-authorized wiretaps -- which listened in on 1.7 million phone conversations last year -- monitor twice as many conversations as a decade ago, federal records show.
The General Accounting Office says that federal agencies maintain more than 900 databanks containing billions of personal records about U.S. citizens.
This type of easy access to electronic information is addictive, critics contend.
Since the FBI set up its computerized National Criminal Information Center in 1967, for example, information requests have grown from 2 million a year to about 438 million last year, and the criminal justice database itself now encompasses 24 million files.
The FBI records system, like computer files at the Internal Revenue Service, is "routinely" used for unauthorized purposes by some federal, state and local law enforcement agencies, the General Accounting Office said.
GAO auditors found that some police agencies have used the FBI system to investigate political opponents. Others have sold FBI information to companies and private investigators. In Arizona, a former law enforcement official used it to track down his estranged girlfriend and kill her, the auditors reported.
What the government can't find in its own files, it can obtain from any one of hundreds of marketing firms that specialize in compiling electronic dossiers on citizens. The FBI is seeking authority from Congress to obtain those records without consulting a judge or notifying the individual involved, which is required now.
Information America, for example, offers data on the location and profiles of more than 111 million Americans, 80 million households and 61 million telephone numbers. Another firm specializes in gay men and lesbians.
A third, a service for doctors called Patient Select, singles out millions of people with nervous stomachs.
Computer experts say encryption can draw a curtain across such electronic windows into private life.
In fact, the FBI is planning to encrypt its criminal justice computer files.
"Recent years have seen technological developments that diminish the privacy available to the individual," said Whitfield Diffie, a pioneering computer scientist who helped invent modern cryptography. "Cameras watch us in the stores, X-ray machines search us at the airport, magnetometers look to see that we are not stealing from the merchants, and databases record our actions and transactions.
"Cryptography," he said, "is perhaps alone in its promise to give us more privacy rather than less."
NEXT: Inside the company that makes the secret chip.
Scrambling for Privacy
As more people and companies adopt codes to protect their telephone calls, faxes and computer files, the federal government has proposed a national encryption standard that will allow people to protect their privacy while ensuring that law enforcement agents can still wiretap telecommunications. Here is how it would work:
1. When someone using a Skipjack-equipped secure phone calls another secure phone, chips inside the phone generate a unique electronic code to scramble the conversation.
2. The chip also broadcasts a unique identifying serial number.
3. If a law enforcement agent wants to listen in, he first must obtain a court order and then get the chip's serial number from the signal.
4. The agent takes that number to the Treasury Department and the National Institute of Standards and Technology, which keep the government's digital keys to the chip.
5. The keys are combined to unscramble the conversation. When legal authorization for the wiretap expires, the keys are destroyed.
*
The Skipjack Code
Designer: The National Security Agency.
Manufacturer: Mykotronx Inc. in Torrance.
Users: Anyone who wants to make sure their telephone calls, faxes, electronic mail or computer transmissions are private.
When available: This fall from AT&T.
Cost: Available only on a tamper-proof $26 Clipper Chip.
Programming the Clipper Chip
Each Clipper Chip is permanently imprinted with a unique serial number, a unique key and a family key.
1. Two 80-digit random strings of zeros and ones are selected.
2. They are factored together to form the chip's unique key. The key is then split in half.
3. Each half is paired with the serial number of the chip to form two keys.
5. One is kept by the Treasury Department and the other by the National Institute of Standards and Technology.
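The escrow arrangement described in the two sidebars above, as an added Python sketch that is not from the article or from the government's design. It assumes the two 80-bit strings are combined by XOR, that each conversation's session key travels wrapped under the chip's unit key, and it uses a SHA-256 counter-mode keystream as a stand-in for the Skipjack cipher; `EscrowAgent`, `program_chip`, `chip_send` and `wiretap` are hypothetical names.

```python
import hashlib
import secrets

KEY_BYTES = 10  # 80 bits, the string length given in the sidebar


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stand_in_cipher(key, nonce, data):
    """XOR data with a SHA-256 counter-mode keystream (stand-in, not Skipjack)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return xor(data, stream)


class EscrowAgent:
    """One of the two key holders (Treasury and NIST in the article)."""

    def __init__(self, name):
        self.name = name
        self._vault = {}  # chip serial number -> key component

    def deposit(self, serial, component):
        self._vault[serial] = component

    def release(self, serial, court_order):
        # court_order is a boolean placeholder for the legal authorization step
        if not court_order:
            raise PermissionError(f"{self.name}: no court order presented")
        return self._vault[serial]


def program_chip(serial, agent_a, agent_b):
    """Pick two random 80-bit strings, combine them, escrow one with each agent."""
    c1 = secrets.token_bytes(KEY_BYTES)
    c2 = secrets.token_bytes(KEY_BYTES)
    agent_a.deposit(serial, c1)
    agent_b.deposit(serial, c2)
    return xor(c1, c2)  # assumption: the strings are combined by XOR


def chip_send(serial, unit_key, plaintext):
    """Scramble one conversation and attach the chip's serial number."""
    session_key = secrets.token_bytes(KEY_BYTES)
    nonce = secrets.token_bytes(8)
    return {
        "serial": serial,
        "nonce": nonce,
        # assumption: the session key is sent wrapped under the chip's unit key
        "wrapped_key": stand_in_cipher(unit_key, nonce + b"K", session_key),
        "ciphertext": stand_in_cipher(session_key, nonce + b"D", plaintext),
    }


def wiretap(message, agent_a, agent_b, court_order):
    """Recover the plaintext; needs the components from BOTH agents."""
    serial, nonce = message["serial"], message["nonce"]
    unit_key = xor(agent_a.release(serial, court_order),
                   agent_b.release(serial, court_order))
    session_key = stand_in_cipher(unit_key, nonce + b"K", message["wrapped_key"])
    return stand_in_cipher(session_key, nonce + b"D", message["ciphertext"])


if __name__ == "__main__":
    treasury, nist = EscrowAgent("Treasury"), EscrowAgent("NIST")
    key = program_chip("SERIAL-0001", treasury, nist)  # constructed serial number
    msg = chip_send("SERIAL-0001", key, b"constructed sample conversation")
    print(wiretap(msg, treasury, nist, court_order=True))
```

Under the XOR assumption, either component on its own is a uniformly random string, so one agency's vault by itself discloses nothing about the unit key.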
Sources: U.S. National Security Agency, Mykotronx Inc.
Someone Is Listening
To eavesdrop on a telephone conversation, law enforcement agents must obtain a court order, but they can use other devices, such as so-called pen registers, that record incoming or outgoing telephone numbers without actually listening to the calls.
WIRETAP COURT ORDERS
From 1985 through 1991, court-ordered wiretaps resulted in 7,324 convictions and nearly $300 million in fines. A single court order can involve many telephones. This data includes federal and state orders, but does not include many national security wiretaps.
1985: 784
1986: 754
1987: 673
1988: 738
1989: 763
1990: 872
1991: 856
1992: 919
*
MONITORING PHONE ACTIVITY
Pen registers are devices that record only the outgoing numbers dialed on a telephone under surveillance. Below are the number of pen registers in use, by year.
1987: 1,682
1988: 1,978
1989: 2,384
1990: 2,353
1991: 2,445
1992: 3,145
Sources: Administrative Office of the U.S. Courts, U.S. Justice Department, House Judiciary Committee
In a decision with implications for free speech and data privacy, a US Federal grand jury has issued subpoenas to two software companies that sell versions of a popular data encryption program, according to a report in The New York Times.
The investigation seems to be focusing on whether the programs, based on the encryption software Pretty Good Privacy (PGP), have been exported in violation of State Department regulations controlling the sale of weapons and other technologies deemed to compromise national security.
ViaCrypt and Austin Code Works, the companies at the centre of the inquiry, intend to sell licensed versions of PGP to software developers for incorporation into their own programs. Under the terms of the subpoenas, the companies have had to submit all correspondence and records relating to the international distribution of their products, although both companies claim to have no intention to sell their products abroad. "I think they're more concerned with our intentions than what we've done", said Leonard Mikus, president of ViaCrypt. "They're on a fishing expedition, but this could become a landmark case that sets the limits that distinguish between electronic and conventional publishing".