Chaos Digest Lundi 22 Fevrier 1993 Volume 1 : Numero 10 Editeur: Jean-Bernard Condat (jbcondat@attmail.com) Archiviste: Yves-Marie Crabbe Co-Redacteurs: Arnaud Bigare, Stephane Briere TABLE DES MATIERES, #1.10 (22 Fev 1993) File 1--Reseau de Donnees Scientifique Peruvien: RCP File 2--Denning's _Computers Under Attack_ (critique) File 3--Repondeur Telephonique sur Ligne Occupee (reprints) Chaos Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost from jbcondat@attmail.com. The editors may be contacted by voice (+33 1 47874083), fax (+33 1 47877070) or S-mail at: Jean-Bernard Condat, Chaos Computer Club France [CCCF], 47 rue des Rosiers, 93400 St-Ouen, France Issues of Chaos-D can also be found on some French BBS. Back issues of ChaosD can be found on the Internet as part of the Computer underground Digest archives. They're accessible using anonymous FTP from: * ftp.eff.org (192.88.144.4) in /pub/cud * red.css.itd.umich.edu (141.211.182.91) in /cud * halcyon.com (192.135.191.2) in /pub/mirror/cud * ftp.ee.mu.oz.au (128.250.77.2) in /pub/text/CuD * nic.funet.fi (128.214.6.100) in /pub/doc/cud CHAOS DIGEST is an open forum dedicated to sharing French information among computerists and to the presentation and debate of diverse views. ChaosD material may be reprinted for non-profit as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. Readers are encouraged to submit reasoned articles in French, English or German languages relating to computer culture and telecommunications. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Chaos Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: Wed Feb 17 11:43:24 EST 1993 From: js@rcp.pe (Jose Soriano ) Subject: File 1--Reseau de Donnees Scientifique Peruvien: RCP Bonjour, Je vous envoye le projet sur lequel nous sommes en train de travailler. En ce moment, nous installons notre "link" internationale avec satellite de 64 kbps dans Panamsat. Aussi, nous sommes en negociations avec la CEE pour etablir une connexion dediee vers l'Europe. ======================================================================= RED CIENTIFICA PERUANA (Peruvian Scientific Network) ======================================================================= INTRODUCTION The market entry of minicomputers, adjusted to the needs and sizes of the smallest research team, as well as the more recent spectacular development of microcomputers have changed traditionally used research work modes. The abundance of ever quicker perishable information sources and the increasing cost of the means to access them have evidenced the need for interinstitutional cooperation and for the rationalization of increasingly scarce resources, both in the national and international environment. Peruvian entities devoted to research and teaching, as well as state and private universities, non governmental organizations, industry, finance and commercial corporations are carrying on internal installation of communication networks (LANS), sharing the use of these resources for the purpose of more efficient results. The above described development, begun some years ago, is still on the run. The need to exploit expensive means (telecomunications with major research centers, access to international databases, access to focused resources) and the national and international reach of mutual scientific and technological cooperation among teams of researchers made the interconnection of these networks a must in both the national and international scope. To achieve this, by late 1991 many national organizations contributed to the establishment of RED CIENTIFICA PERUANA (Peruvian Scientific Network). Previous documents have described the history of this cooperative national network and the services it renders its users. We will now deal with its present technical structure and its growth plans for the current two year period. DESCRIPTION OF THE PERUVIAN SCIENTIFIC NETWORK Organization ------------ RCP is a low cost national network that has achieved high operational quality in short time, and so far links 132 institutions all over the country. The main services it provides, described in further detail are the following: electronic mail, access to distributed national listservers, software installation, technician and user training. It is organized as a non profit institution, and its body of members includes one representative from each participant organization. The staff, the Direction Committee and an Administrator are entitled by a General Assembly, the highest authority in the association. Under the coordination of the General Administrator reporting to the Direction Committee, a small staff including engineersand trainees are in charge of technical operation, node installation, administrator and user training, as well as of permanent support to final users. The Technical Committee, formed by representatives from member organizations, is the consulting entity in charge of the national network planning and development, as well as of the coordination of institutional developments related to the national network's prospective architecture. Financial resources ------------------- As an autonomous cooperative institution, RCP counts on funds provided by the its institutions in yearly contributions and monthly payments, all of which sum up to form its operational budget. RCP also aims at being granted donors' contributions and other kinds of physical of financial collaboration from national and international cooperation agencies. Infrastructure -------------- RCP is a dialup active node in the INTERNET organization, that uses the store and forward system of NOVELL networks, Tokenring, DOS PCs, VAX, SUN, DEC and other systems integrated in the national network, running on UNIX operative system. Its development is supported by the existing (or currently being installed) national telecommunications infrastructure, both public and private national and international telephone lines (CPT and ENTEL); national x25 network (Perunet); special circuits or dedicated lines (CPT and ENTEL); optic fiber network (RED DIGITAL ENTEL);cellular telephone networks (CPT and Celular 2000). It is also supported by the transponder in PANAMSAT I, belonging to the Ministry of Education as well as different international carriers rendering service in Peru. The main concentration node of the national network is accessed via two lines within the commuted telephone line (RTC 19,200 kbps), a space circuit x25 (Perunet 9,600 kbps) allowing for the simultaneous access of 16 users, a Netblazer router allowing for the (TCP/IP) network access through a special circuit (dedicated line) or through a commuted telephone line (RTC). International communications are held several times per day through international calls (IDD) generated by the m2xenix machine located in Oregon, United States, where they enter the international backbone of the National Science Foundation. THE NATIONAL NETWORK (RCP) General Information on the Project ---------------------------------- The organization and distribution of activities within the national system and the scientific and technological cooperation call for the constant exchange of information on the national, regional and international scopes. Electronic mail has allowed our researchers to get information which not long ago was inaccessible by other means. It has also contributed to the establishment of interinstitutional cooperation and coordination links which were until now beyond imagination. The current installation of referential data banks distributed all over the network, accessible via electronic mail (listservers), the establishment of thematic subnets (the health and the epidemiologic alert networks), the operation of more than 20 interest groups susbscribed in similar international lists all this generates a constant increase in the dataflow through the country and also internationally. The new needs lead us to the simultaneous development of a network architecture to allow for means of communication in different scopes: national (IP links), regional (IP links with our neighbors, especially Andean ones, and through them with the rest of LAC) and international (IP dedicated link with NSF). National Architecture --------------------- The dynamic development of this infrastructure is projected in two non-exclusive stages, the development of which can be partially or completely simultaneous. The first stage is currently being developed in the location of Lima, Peruvian's capital city, which gathers the majority of educational and research institutions. It projects the interconnection of 10 concentrator nodes (by locations and / or interest areas), linked by special circuits (64 or more kbit/s dedicated lines in the digital cable). First preliminary tests projected for 1992-1993. The second stage prioritizes the development of departmental nodes that geographically concentrate the traffic and allow for a reduction in the telecommunications costs of province located institutions. The establishment of special circuits is also aimed at with the main RCP node, located in Lima (x25 dedicated lines: 19,200 kbps, 64 kbit/s optic fiber; or others: 9,200 kbps). First preliminary tests projected for 1993-1994. RCP, based on its various national components, will enable the interactive access of final users to the resources available in the several institutions that form the network. Linkage of the same (IP) in the local networks existing in each campus will imply an efficient structure that will allow for their future evolution. Provincial nodes located in the country borders can ensure low cost link with neighbor countries, thus opening ways to enhance regional cooperation and the exploitment of mutually shared resources. First preliminary tests projected for 1993-1994. The above mentioned link will clearly allow for an improvement of research related communications and for a real development of regional science and technology. It thus represents the communications means that will be decisive in future industry, finance and trade. This national and regional development is necessarily supported by the establishment of a high quality linkage with the NSF international backbone in the United States. For this purpose, we intend to establish two 64 Kbit satellite channels, supported by the contract between Peru's Ministry of Education and Alpha Lyracom, which provides PAS I and PAS II (Panamsat) with a transponder. This does not exclude the possibility of using international carriers (Sprint and MCI, available in the local market). All the described development is a part of the original RCP project, elaborated in May, 1991 and later on improved through consecutive proposals and documents published by RCP along 1991 and 1992. Necessary Equipment for Project Implementation ---------------------------------------------- In order to implement the project in all its stages, the purchase of equipment and the acquisition of national and international telecommunications infrastructure is a must. This refers to both RCP infrastructure and the concentrator nodes of national scope. In most cases, RCP member institutions are financially able to afford these needs on their own. For other cases, cooperative solutions will be found, based on interinstitutional collaboration aiming at the purchase of necessary equipment. In most cases, RCP's task focuses on searching the best international prices for all the network member institutions, on the reception and entry of the equipment; but also consists essentially in providing orientation as for equipment characteristics, aiming at a better individual and common use of it. GENERAL OBJECTIVES 1. To provide the Peruvian academic community with better services in national communications, such as a better link with the international backbone of academic networks; 2. To develop a coherent national INTERNET network; 3. To increase inter-institutional cooperation in the national, regional and international scope; 4. To reduce the national research system's communication costs, and to allow for a future reduction of regional costs over the basis of cooperation; 5. To start an IP regional backbone that links Peru, Ecuador, Colombia, Bolivia, Chile; and, through the latter, Argentina, Uruguay and Brazil. SPECIFIC OBJECTIVES 1. To provide RCP, the Peruvian National Network, with equipment for the installation and implementation of a national IP network and an international link; 2. To provide RCP, the Peruvian National Network, and the regional networks with the equipment necessary to install and implement links with neighbor countries' networks; 3. To provide RCP, the Peruvian National Network, with the resources necessary to establish a lasting IP link with the international backbone (one cost time, or for a reasonable period of time); 4. To train human resources on the national and regional levels for using new equipments and technologies. National and regional level training and divulgation of new technologies. Jose Soriano Peruvian Scientific Network Administrator -- un abrazo Jose *********************************************************************** Jose Soriano - Red Cientifica Peruana - e-mail : js@rcp.pe Av. del Ejercito 1870 - San Isidro - Lima - Peru TE: ( 51 -14) 46 - 16 -95 / 36 89 89 anexo 527 / fax: 36 01 40 ----------------------------------------------------------------------- ------------------------------ Date: Fri Feb 19 14:33:00 -0600 1993 From: roberts@decus.arc.ab.ca ("Rob Slade, DECrypt Editor, VARUG NLC... ) Subject: File 2--Denning's _Computers Under Attack_ (critique) Copyright: Robert M. Slade, 1993 _Computers Under Attack: intruders, worms and viruses_ Peter J. Denning, ed. ACM Press (11 W. 42nd St., 3rd Floor, New York, NY 10036, 212-869-7440) ISBN 0-201-53067-8 This book is a very readable, enjoyable and valuable resource for anyone interested in "the computer world". That said, I must admit that I am still not sure what the central theme of this book is. Denning has brought together a collection of very high quality essays from experts in various fields, and at one point refers to it as a "forum". That it is, and with a very distinguished panel of speakers, but it is difficult to pin down the topic of the forum. Not all of the fields are in data security, nor even closely related to it. (Some of the works, early in the book, relating to what we now generally term "the Internet", do contain background useful in understanding later works regarding "cracking" intrusions and worm programs.) All, however, are interesting and sometimes seminal works. Some are classics, such as Ken Thompson's "Reflections on Trusting Trust" and Shoch and Hupp's "The Worm Programs". Others are less well known but just as good, such as the excellent computer virus primer by Spafford, Heaphy and Ferbrache. (Please do not consider my confusion over the subject to be a criticism, either. I do want to recommend the book. I just find myself wondering to whom to recommend it. Also, in fairness, I must say that Peter Denning, who has had a chance to respond to the first draft of this review as usual, doesn't consider it a review. Which, I suppose, makes us even :-) The book is divided into six sections. The first two deal with networks and network intrusions, the next two with worms and viral programs, and the last two with cultural, ethical and legal issues. While all of the topics have connections to data security, there are some significant "absences". (There is, for example, no discussion of the protection of data against "operational" damage, as in accidental deletions and failure to lock records under multiple access.) In addition to shortages of certain fields of study within data security, the treatment of individual topics shows imbalances as well. The division on worm programs contains seven essays. Six of these deal with the Internet/Morris worm. The seventh is the unquestionably important Shoch and Hupp work, but it is odd that there is so much material on the Internet/Morris worm and nothing on, say, the CHRISTMA EXEC. Sad to say, the essays are not all of equal calibre. This is only to be expected: not all technical experts have equal facility with langauge. However, in spite of the noted gaps, and the occasional "bumps" in the articles, most of the articles can be read by the "intelligent innocent" as well as the "power user". At the same time, there is much here that can be of use to the data security expert. At the very least, the book raises a number of ongoing issues that are, as yet, unresolved. What, then, is the book? It is not a data security manual: the technical details are not sufficient to be of direct help to someone who is responsible for securing a system. At the same time, a number of the essays raise points which would undoubtedly lead the average system administrator to consider security loopholes which could otherwise go unnoticed. Is it a textbook? While it would be a valuable resource for any data security course, the "missing" topics make it unsuitable as the sole reference for a course. The breadth of scope, and the quality of the compositions make it very appealing, as does the inclusion of the large social component. While the book won't have the popular appeal of a "Cuckoo's Egg", it is nevertheless a "good read" even for the non-technical reader. The section on international networks is particularly appropriate as society is becoming more interested in both email and "cyberspace". The overview it gives on related issues would benefit a great many writers who seem to have a lot of "profile" but little understanding. My initial reason for reviewing the book was primarily as a resource for those seeking an understanding of computer viral programs. As such, there are definite shortcomings in the coverage, although what is there is of very high quality. The additional topics, far from detracting from the viral field or clouding the issue, contribute to a fuller understanding of the place of viral programs in the scheme of computers and technology as a whole. Therefore, while it would be difficult to recommend this work as a "how to" for keeping a company (or home) safe from viral programs, it should be required reading for anyone seriously interested in studying the field. One point is raised by the inclusion of the cultural, social and legal essays within the book. It was with a trepidation growing almost to a sense of despair that I read the last two sections. Here we see again the same hackneyed phrases, and the same unmodified positions that have been a part of every discussion of computer ethics for the last twenty years. (Or more.) This is by no means to be held against Denning: on the contrary, it is the fact that he has selected from the best in the business that is so disheartening. Do we really have no more options than are listed here? Can we really come to no better conclusions? One illustration that is repeatedly used is that of credit reporting agencies. We feel that such entities must be watched. We note that the computer systems which they depend upon must be checked for anomalies, such as bad data or "key fields" which cross link bad data with good people. Still and all, we see them as a necessary evil. Breaking into such systems, however, is an invasion of privacy, and therefore wrong. Carried to its logical conclusion, this attitude states that "free" access to such semi-private information is wrong, but that it is "right" for companies to make money by "selling" such information. Of course the situation is not quite that simple. (It never is, is it?) After all, a large corporation needs the goodwill of the public for its continued existence. The corporation, therefore, has more of a vested interest in safeguarding confidential information than any random individual with a PC and a modem. This belief in the "enlightened self interest" of corporations, however, would seem to more properly belong to an earlier age: one in which corporations didn't go bankrupt and banks didn't fall like dominos. After all, it used to be that companies kept employees on for forty years before giving them the gold watch. Now even the most stable might lay off forty thousand in one year. A single thread runs through almost all sixteen articles, four statements and ten letters in the final two sections. It is a call, sometimes clarion, sometimes despairing, for "computer ethics". Not once is there proposed what such an animal might be. Even the NSF (National Science Foundation) and CPSR (Computer Professionals for Social Responsibility) statements only hint at some legalistic definitions, but never try to look at what a foundation for such "ethics" might be. With our society discarding moral bases as fast as possible, the most useful statement might be Dorothy Denning's, when, in conversation with Frank Drake, she states that, "The survival of humanity is going to demand a much greater level of caring for our fellow human beings ... than we have demonstrated so far." Still even the disappointments of this final part of the book are important. "Computers Under Attack" is a realistic overview of the current state of thinking in information technology, and the problems facing society as a whole. Far from the "gee whiz" of the futurist, and equally distanced from the sometimes dangerous "CH3CK 1T 0UT, D00DZ!" of the cyberpunk, Denning's collection of essays is important not only for the concerned computer user, but also for anyone concerned with the future of our increasingly technically driven society. ============== ______________________ Vancouver ROBERTS@decus.ca | | /\ | | swiped Institute for Robert_Slade@sfu.ca | | __ | | __ | | from Research into rslade@cue.bc.ca | | \ \ / / | | Mike User p1@CyberStore.ca | | /________\ | | Church Security Canada V7K 2G6 |____|_____][_____|____| @sfu.ca ------------------------------ Date: Fri Feb 19 08:56:55 EST 1993 From: robin@utafll.uta.edu (Robin Cover ) Subject: File 3--Repondeur Telephonique sur Ligne Occupee (reprints) Copyright: BT Plc , 1989 (pour le 1er), Whk Eng'g Corp., 1993 (le 2e) [Moderateur: Page 22 d' _Industries et Techniques_ no. 735 du 5 courant, une breve donne le texte suivant: "En Angleterre, Orpington a concu un repondeur qui prend des appels meme quand la ligne est occupee. Le CallMinder se branche sur le reseau telephonique sans equipement particulier (New Scientist 02/01)". Aucune trace d' "Orpington" sur l' annuaire electronique anglais, 3619 code GB1.] Stealing: A March on Thieves Swift, Peter British Telecom World PP: 44-45 Sep 1989 ISSN: 0953-8429 ABSTRACT: Auto Tracer, a new automobile security system, was developed by a UK businessman, Bernard Hunt. The system allows an automobile owner to reclaim a stolen car by dialing a secret paging number. This turns on the car's hazard lights and headlights, starts a siren, replaces the license plate with a message reading "stolen car," and stops the engine by eliminating the flow of gasoline. Telecom Security offers home protection with a system that has covered door sensors to detect forced entry, an infrared motion detector, a smoke sensor, an internal siren, a control keypad, and a master control panel. An external dummy bell box acts as a visual deterrent to criminals. Callminder, from Commtel, offers total control over all outgoing telephone calls except emergency, free-phone, and operator fault notification calls. GEOGRAPHIC NAMES: UK DESCRIPTORS: Security systems; Automobiles; Homes; Crime; Fire alarm systems; Detection alarms +++++++ UK: TELECOM WATCH - NEW TELEPHONE ANSWERING SERVICE - CALLMINDER Electronic Times (ELTIM) - January 14, 1993 Page: 8 By: Peta Firth Several months ago I was selected by BT to try out an intelligent network service before it went on sale. I was invited to apply to be connected free to test a proposed new service called Callminder. The invitation was couched in "while stocks last" and "first come first served" terms so I sent off the form not really expecting to hear much about it again. After all it seemed like a good offer. Callminder, a telephone answering system based at the local exchange, was something useful for nothing: always an attractive proposition, I thought. But I was selected, and soon received the literature on how to use it along with a personal identity code to access messages. On the morning the service was set to begin I rushed excitedly to the office to try it out. I called my home number but nothing happened. There was no answer. Disappointed, I called the enquiry number supplied by BT. But instead of an explanation I was given a "hotline" number to dial. This turned out to be hotter than expected: it was the British Gas emergency number. I called the first number again to check the hotline number was correct. After explaining that I doubted British Gas would be able to help I was politely put through to someone else in BT. The second BT person said: "Ah yes, You are ahead of us, you know." He suggested it might begin later that afternoon. It did, so I recorded my message to replace the computer generated one and cheerfully thought to myself: at last, I have an answering machine. But over the course of the next few weeks my opinion of the service slipped. For a start it kept breaking down. I would only find out when callers told me I must have been imagining I had an answering service because there was no answer when they tried to ring me. I explained to BT that if an answering machine was not working when I thought it was, it was causing more confusion than if I never had one in the first place. After this complaint BT agreed to at least tell me when the system had been out of action. When the system is working, which to be fair is most of the time, it still puts callers off. Even people who have overcome their dislike of answering machines are put off by the interruption after my recorded message of a brisk computer generated voice in school mistress tones demanding the caller's name and message. The final straw came when I discovered the service did not work in the small hours of the morning. BT suggested I might like to buy an answering machine to cover the period. This, of course, would make Callminder pointless. The reason I am telling you all of this is that the DTI issued a consultative document about intelligent networks just before Christmas. The document calls for comments from ptos, switch and computer manufacturers, service providers and users on how to liberalise intelligent network services. The plan is to take "exclusive control of the service away from the switch manufacturer" by creating a "generic software platform" which can be produced and implemented by an vendor. This could turn the fortunes of switch manufacturers on their head. It could destroy any hopes they may have had that pouring money into software development will maintain their market share. A host of tiny software houses will be able to undercut the giant switch manufacturers who are busy expanding their hardware expertise into software. If my experience with Callminder is anything to go by, that would be a great shame. because for me it turned out that if I want reliability I have to turn to an answering machine: dedicated hardware. ------------------------------ End of Chaos Digest #1.10 ************************************