**************************************************************************** >C O M P U T E R U N D E R G R O U N D< >D I G E S T< *** Volume 3, Issue #3.13 (April 20, 1991) ** **************************************************************************** MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet) ARCHIVISTS: Bob Krause / Alex Smith / Bob Kusumoto POETICA OBSCIVORUM REI: Brendan Kehoe +++++ +++++ +++++ +++++ +++++ CONTENTS THIS ISSUE: File 1: From the Mailbag File 2: Response to RISKS DIGEST (#11.43-- Len Rose Case) File 3: Response to recent comments concerning Len Rose File 4: CU News +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ USENET readers can currently receive CuD as alt.society.cu-digest. Back issues are also available on Compuserve (in: DL0 of the IBMBBS sig), PC-EXEC BBS (414-789-4210), and at 1:100/345 for those on FIDOnet. Anonymous ftp sites: (1) ftp.cs.widener.edu (192.55.239.132); (2) cudarch@chsun1.uchicago.edu; (3) dagon.acc.stolaf.edu (130.71.192.18). E-mail server: archive-server@chsun1.uchicago.edu. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors, however, do copyright their material, and those authors should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Various Subject: From the Mailbag Date: 20 April, 1991 ******************************************************************** *** CuD #3.13: File 1 of 4: From the Mailbag *** ******************************************************************** From: dogface!bei@CS.UTEXAS.EDU(Bob Izenberg) Subject: Inslaw & Uncle Sam Date: Mon, 15 Apr 91 19:06:44 CDT A friend who just got CUD 3.12 passed along this comment, posed in typically to-the-point fashion ;-) and I said I'd buck it to you. His email address is: cs.utexas.edu!dogface!Tristan!dice [ start of Steve Meade's email message ] Subject: Re: Inslaw vs US Attorney's Office Inslaw wrote a case tracking program and sold it to the US attorneys office. To the tune of $10 million (not exactly Yankee Doodle). They reneged on the deal but every Federal District still uses it. It gets better. Last Administration, US Attorney General gives it to a hacker and sets him up on an Indian Reservation to "improve on the product". Due to territorial law on the reservation he can do things he cant do in say, Chicago. [ heh heh heh --Bob ] This improvement finds its way into the hands of the Israeli Secret Service because in the mean time Inslaw has sold the product internationally and now the Jews are using the modified form to "look into" some of the foreign nationals files. You know how justifiably paranoid they are. Inslaw sues for the ten mil and the hacker spills for the plaintiff a week after he swears a deposition that the US Attorneys office has threatened him and his dad if he talks. He talks and talks anyway and... (Baddabing Badda boom!) HE gets busted for drug possession. (by a dozen agents one of whom reads him an abbreviated Miranda (the part about keeping his BIG Mouth SHUTTTT!!!!)) The only place I've been able to get any info is Computerworld. Maybe the last 3 or 4 issues (comes out weekly) I think that guy who plays booger in revenge of the nerds ought to get the part of the hacker, Meryl Streep could probably land the part of the Israeli SS and Klaus Von Bulow could do the US D.A. in charge of the obfuscation. Maybe we could get Saddam Husein to play Ed Meese. Check it out. and then better start learning all the verses to Amazing Grace. Stephen, WeeBee, RammaBabba, and Ms. Dos (Jeez! I thought I had Kuntzler's phone number here on the coffee table a minute ago...) "tadadadada Amerika! tadadadada Amerika" -from the remake of West Side Story [ end of the Meade-ogram ] For the uninitiated - and I may be among them, this is cryptic stuff - the four names at the end bear a 25% relationship to reality. He is, in fact, Stephen, but he's added one nickname a week for everyone in his house. WeeBee, my favorite name, is one of his sons. Short for WeeBee Jammin' was my guess, but the sonofabitch will neither confirm nor deny. Side, ass-covering note: He's an old friend, and former co-worker from the AT&T days. He has requested my assistance in resolving network problems on AT&T machines in Salt Lake City. I have not dialed into those machines, but I have set up uucp connections between his 3B2/400 at home and my DOS box, at his request. These machines that he has are exact duplicates of functioning AT&T Communications Outbound Call Management sites in Utah, and so were good guinea pigs for troubleshooting. Steve tried the official company paths for obtaining technical assistance, and was referred to idiot after idiot until he talked to me about it. We found the (hardware) problem in two days of not looking very hard... Salt Lake is happy, Steve's happy, and any Federal agents had damned well better be happy, because I was helping their people out at their behest. Nobody gave me any dinero to do this, he's a pal and I helped him out. Likewise, no non-disclosure agreements were even mentioned. I know that it'll be tough for a Fed or prosecutor to get their mind around, but I'm doing this for no money, just good will. This is the third time after I left AT&T that their employees or contractors have asked me to assist in resolving technical problems. Each one of them knew what happened here on February 20th, in agonizing detail. Bill Kennedy and I have talked about this, and he thinks that I'm being incautious by not telling Steve or whoever to get formal paperwork put through to cover my presence. Bill, however, has always been outside AT&T, and hasn't seen the way the company will leap up its own behind to avoid making progress. When a project I worked on closed down, the developers were dispersed to the four winds.. John Macchione, one of the first guys to start work on the project, had left for other contract work. In order to get our technical questions answered, Tom Wynne, the project manager from AT&T Federal Systems, snuck John in after 5 P.M. once or twice a week for technical Q&A sessions. He was paid out of discretionary funds on Tom Wynne's budget. Macchione already had a job, and they would have been somewhat unhappy to hear that he was going back to an old client to do work without paying his contracting company their cut. Wynne would have had to get a contract position approved, which wasn't what Macchione wanted, and would have taken at least a month. So they did it under the table, and got us the support we needed. Steve is doing the same thing here. So if some SS or related Nazi says that, now or back in 1989, I illegally accessed AT&T computers, you should damned well scream at the top of your electronic lungs that AT&T makes it so difficult for their own people to get technical help that they'll be forced to go outside the system for answers. And that, then as now, I won't turn down someone with a problem because they haven't given every mid-level paper pusher their crack at nixing the help that they need now, not two months from now. Doesn't make a damn bit of difference whether you're my best friend or, like this Navy contractor who's trying to set up his PC at home to run the same uucp clone that I do, someone that I just met. I'm not so stuck up on myself that I can't lend people a hand. If that means that some Brown Shirt sucking off the public tit doesn't understand why I might donate some of my time to solving problems, well, that's life. And if they ask, well, why not volunteer at a recycling center or some-such, well, I answer only that I'd rather recycle my knowledge than soda bottles and tin cans. Jeez, you can get really dizzy standing on these soapboxes, ya know? ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: hkhenson@CUP.PORTAL.COM Subject: reply to ATT letter responses Date: Tue, 16 Apr 91 19:52:24 PDT In CuD 3.12 peter@TARONGA.HACKERCORP.COM(Peter da Silva) notes: >Finally, I would like to note that unlike many of the posters >here I'm not going to try to excuse Rose's adding trapdoors to >login.c as either educational or providing support to AT&T >customers. His posession of this code was definitely illegal. >His use of it was, while perhaps protected under the first >amendment, hardly wise. I think all involved, especially Len Rose would agree with the last statement! I also agree with with Peter the posession of the source code was also illegal, but there is illegal and illegal. Copyright violation (which is a _civil_ matter) would have been the proper approach for ATT to take in the Len Rose case. However, ATT folks convinced agents of the US Government to make what should have been a civil case into a federal wire fraud case, with as much jail time as second degree murder. Now, if Len had profited in any significant way from his use of widely available source code, I could perhaps support making it into wire fraud. But next time you copy more than a page or two from a book in the library, look over your shoulder. If the publisher of the book can get the government to go after you . . . . In the same issue jrbd@CRAYCOS.COM(James Davies) complains >The press release published earlier in the same CuD issue makes >it clear that Rose's intent was to steal passwords and invade >systems. While the possession of AT&T source code was the charge >of which Rose was convicted, his actual crime (in a moral sense) >was the equivalent of manufacturing burglar's tools, or perhaps >of breaking and entering (although there isn't any evidence that >he actually did any of this, his intent was clearly to help >others do so). Nothing makes this more obvious than Rose's own >words, as quoted from the comments in his modified login.c by >the Secret Service press release: [quotes press release comments] And goes on: >I'm sorry, but these aren't the words of an innocent man. >Personally, I think that Rose is guilty of the exact same sort >of behaviour that gives hackers a bad name in the press, and I >think that you're crazy to be supporting him in this. Save your >indignation for true misjustices, ok? I'm sorry, but you are wrong. In *this* country, a person cannot be convicted on the basis of what they write, only on their actions. Otherwise, there could be no mystery stories. Len was never accused of breaking into any system. Why should he? He was *given* accounts on systems far and wide across the net, and *given* source code by ATT employees. The only reason Len came to the attention of ATT was through the SS/Bell South searching an electronic publisher's email (think about that.) For all the BS in the login.c comments, I consider Len to have been a positive element in the computer underground, influencing young explorers to respect and not damage data. (See the moderators papers on socializing forces in the Computer Underground.) Keith Henson PS You might want to consider the consequences of big companies geting in the habit of saving money on civil suits by using the Federal Government to harass and jail people they are unhappy with. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: scubed!pro-harvest.cts.com!wlup69%das@HARVUNXW.BITNET(Rob Heins) Subject: Response to article in CuD 3.12 Date: Tue, 16 Apr 91 19:05:45 CDT In CuD 3.12, Bernie Cosell (cosell@BBN.COM) writes: |Consider: it is the middle of summer and you happen to be climbing in |the mountains and see a pack of teenagers roaming around an |abandoned-until-snow ski resort. There is no question of physical |harm to a person, since there will be no people around for months. |They are methodically searching EVERY truck, building, outbuilding, |shed, etc,. Trying EVERY window, trying to pick EVERY lock. When they |find something they can open, they wander into it, and emerge a while |later. From your vantage point, you can see no actual evidence of any |theft or vandalism, but then you can't actually see what they're doing |while they're inside whatever-it-is. | |Should you call the cops? What should the charge be? Of course you should call the cops. Unless they are authorized to be on the property, (by the owner) they are trespassing, and in the case of picking locks, breaking and entering. However, you're trying to equate breaking into a ski resort with breaking into a computer system. The difference being:99 times out of 100, the people breaking into a computer system only want to learn, have forgotten a password, etc...99 times out of 100, the people breaking into the ski resort are out for free shit. That's why it's such a good idea to have a chat with an unknown account on your system, to determine if they're there to destroy the place, or if they only want to see how Unix ticks...A wise person once said, "If they can do it once, chances are, they can do it again. |Would the answer be different if it were YOUR stuff they were sifting |through? The answer, of course, is no. Reason being that I've got the brains not leave data lying around a system with a dial-up that I don't want anyone to see. (Check out my directory at Pro-Harvest...All I have are a couple of CuD backissues, my sig file, and an ad for a hard drive that I forgot to respond to...) |2) I'm just as happy having that kind of "finding out" done by the |police and the courts --- that's their job and I'd just as soon not |get involved in the messy business [even if I could spare the time]. |If you can't learn to act like a reasonable member of society for its |own sake, perhaps somewhat more painful measures will dissuade you |from "doing it again". Yeah...good philosophy. "Let's spend a couple hundred grand investigating something that the local sysop could take care of in two minutes of his 'Precious Time'". It seems to me that if you have the time to run a BBS, you have the time to perform ALL the duties a sysop with a couple of working brain cells should have...(Including the two minutes to write a 200 byte email note to somebody who's probably harmless. If they don't respond, then delete them. That's what, a three step procedure with about 5 minutes of cumulative "work" involved? (Even you can understand.) If you really want to keep someone out, set it up so that only root can create accounts.) If ol' Bernie wants to defend people's rights, maybe he should stick to his own, and leave mine and my non-crotchety-old-man friends' alone. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: mnemonic (Mike Godwin) Subject: Response to RISKS DIGEST (#11.43-- Len Rose Case) Date: Wed, 10 Apr 91 22:18:43 EDT ******************************************************************** *** CuD #3.13: File 2 of 4: Response to Len Rose Article (1) *** ******************************************************************** {Moderators' Note: The following article was written by Mike Godwin in response to a post by Jerry Leichter in RISKS #11.43.} ++++ Jerry Leichter writes the following: >With all the verbiage about whether Len Rose was a "hacker" and why he did >what he in fact did, everyone has had to work on ASSUMPTIONS. This is false. I have worked closely on Len's case, and have access to all the facts about it. >Well, it turns >out there's now some data: A press release from the US Attorney in Chicago, >posted to the Computer Underground Digest by Gene Spafford. In general, a press release is not data. A press release is a document designed to ensure favorable press coverage for the entity releasing it. There are a few facts in the press release, however, and I'll deal with them below. [Jerry quotes from the press release:] > In pleading guilty to the Chicago charges, Rose acknowledged that when > he distributed his trojan horse program to others he inserted several > warnings so that the potential users would be alerted to the fact that > they were in posession of proprietary AT&T information. In the text of > the program Rose advised that the source code originally came from > AT&T "so it's definitely not something you wish to get caught with." > and "Warning: This is AT&T proprietary source code. DO NOT get caught > with it." Although I am a lawyer, it does not take a law degree to see that this paragraph does not support Jerry's thesis--that Len Rose is interested in unauthorized entry into other people's computers. What it does show is that Len knew that he had no license for the source code in his possession. And, in fact, as a careful reader of the press release would have noted, Len pled guilty only to possession and transmission of unlicensed source, not to *any* unauthorized entry or any scheme for unauthorized entry, in spite of what is implied in the press release. [Jerry quotes "Terminus's" comments in the modified code:] >Hacked by Terminus to enable stealing passwords. >This is obviously not a tool to be used for initial >system penetration, but instead will allow you to >collect passwords and accounts once it's been >installed. (I)deal for situations where you have a >one-shot opportunity for super user privileges.. >This source code is not public domain..(so don't get >caught with it). > >I can't imagine a clearer statement of an active interest in breaking into >systems, along with a reasonable explanation of how and when such code could >be effective. Indeed, it *can* be interpreted as a clear statement of an active interest in breaking into systems. What undercuts that interpretation, however, is that there is no evidence that Len Rose ever broke into any systems. Based on all the information available, it seems clear that Rose had authorized access in every system for which he sought it. What's more, there is no evidence that anyone ever took Rose's code and used it for hacking. There is no evidence that anyone ever took any *other* code of Rose's and used it for hacking. What Rose did is demonstrate that he could write a password-hacking program. Jerry apparently is unaware that some computer programmers like to brag about the things they *could* do--he seems to interpret such bragging as evidence of intent to do illegal acts. But in the absence of *any* evidence that Rose ever took part in unauthorized entry into anyone's computers, Jerry's interpretation is unfounded, and his posted speculations here are both irresponsible and cruel, in my opinion. Rose may have done some foolish things, but he didn't break into people's systems. >The only thing that will convince me, after reading this, that Rose was NOT an >active system breaker is a believable claim that either (a) this text was not >quoted correctly from the modified login.c source; or (b) Rose didn't write >the text, but was essentially forced by the admitted duress of his situation >to acknowledge it as his own. In other words, Jerry says, the fact that Rose never actually tried to break into people's systems doesn't count as evidence "that Rose was NOT an active system breaker." This is a shame. One would hope that even Jerry might regard this as a relevant fact. Let me close here by warning Jerry and other readers not to accept press releases--even from the government--uncritically. The government has a political stake in this case: it feels compelled to show that Len Rose was an active threat to other people's systems, so it has selectively presented material in its press release to support that interpretation. But press releases are rhetorical devices. They are designed to shape opinion. Even when technically accurate, as in this case, they can present the facts in a way that implies that a defendant was far more of a threat than he actually was. This is what happened in Len Rose's case. It bears repeating: there was no evidence, and the government did not claim, that Len Rose had ever tried to break into other people's systems, or that he took part in anyone else's efforts to do so. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: louisg Subject: Response to recent comments concerning Len Rose Date: Wed, 17 Apr 91 23:53:44 CDT ******************************************************************** *** CuD #3.13: File 3 of 4: Response to Len Rose Article (2) *** ******************************************************************** In CuD 312 Mr. James Davies wrote a letter expressing his feelings on the Len Rose case. I feel that he and many others are missing the larger point of the issue, as I will try to describe. >Subject: Len Rose >From: jrbd@CRAYCOS.COM(James Davies) >Keith Hansen and Arel Lucas in CuD #3.11 shared with us their letter >to AT&T expressing their anger at the arrest and conviction of Len >Rose (among other things). Well, I have to disagree with their >conclusions in this case -- Len Rose is not an innocent martyr, >crucified by an evil corporation for benevolently giving unpaid >support to AT&T software users, as Hansen and Lucas attempted to >portray him. Mr. Davies is quite correct when he states that Len was not innocent of certain criminal acts as defined by current law. The trial has come and gone, and Len pleaded guilty. Mr. Davies even provides evidence of Mr. Rose's intent. Whether it is 'court-quality' evidence or not, it should convince the reader that Len was guilty of something or other. By checking the references that Mr. Davies provides, his case of Rose's guilt is made even stronger. I am stating this since I want to make it *clear* that I am NOT questioning the guilt of Mr. Rose. What I must question, however, is what happened to Mr. Rose. Mr. Rose commited white-collar crimes. He did not physically injure or maim or kill anyone. His crime was money-related. He did not steal from a 75 year-old on social security, giving her a kick in the ribs for good luck on his way out. The way he was treated, however, suggests that he committed a crime of the most heinous nature. For a felony violent crime, I could understand and even in some cases promote strict treatment of the accused before the trial. For a white collar crime that does not threaten the solvency of a company or persons I cannot. Len Rose posed a risk to no person or company after his warrant was served. Before he was even put on trial, he had almost all of his belongings taken away, was harassed (in my opinion) by the authorities, and left without a means for supporting himself and his family. Why? Because he had Unix source code. Does this seem just to you? It would be very different if he had 55 warrants for rape and murder in 48 states listing him as the accused, but he didn't. He lost everything *before* the trial, and, as a result, was almost forced into pleading guilty. All this for copyright violations, as I see it, or felony theft as others may see it. The problem here is the *same* as in the Steve Jackson case. The person who was served the warrant (he wasn't even charged yet!!!!) lost everything. They were punished not only before a conviction, before a trial, but before they were even charged with a crime!!! This, for a non-violent, white-collar crime that did not directly threaten a person or company with bankruptcy. In Jackson's case, he was even innocent! >Personally, I think that Rose is guilty of the exact same sort of >behaviour that gives hackers a bad name in the press, and I think that >you're crazy to be supporting him in this. Save your indignation for >true misjustices, ok? If this isn't an injustice, then I don't know what is. If this sort of treatment of the accused seems just to you, Mr. Davies, then may I suggest a position in the secret police of some Fascist country as a fitting career move on your part. The fact that Len was guilty does not nullify the maltreatment of him, his family, and his equipment before his trial. It in no wise makes it right. This sort of action gives law enforcement a bad name. I'm sure that I would share your views if the accused was a habitual criminal and he presented a threat to the public. He wasn't, and presented little or no threat at the time of the warrant. Law enforcement is there to protect the public, and not to convict the guilty. That is a job for the courts and a jury of one's peers as stipulated in the U.S. Constitution. I suggest you glance at it before you restate that there was no "misjustice" (sic) here. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Various Subject: CU News Date: April 20, 1991 ******************************************************************** *** CuD #3.13: File 4 of 4: The CU in the News *** ******************************************************************** From: Anonymous Subject: Newsweek article--Cyberpunks and Constitution Date: Wed, 9 Apr 91 16:22:18 EST Cyberpunks and the Constitution The fast-changing technologies of the late 20th century pose a challenge to American laws and principles of ages past By PHILLIP ELMER-DEWITT SAN FRANCISCO Armed with guns and search warrants, 150 Secret Service agents staged surprise raids in 14 American cities one morning last May, seizing 42 computers and tens of thousands of floppy disks. Their target: a loose-knit group of youthful computer enthusiasts suspected of trafficking in stolen credit-card numbers, telephone access codes and other contraband of the information age. The authorities intended to send a sharp message to would-be digital desperadoes that computer crime does not pay. But in their zeal, they sent a very different message - one that chilled civil libertarians. By attempting to crack down on telephone fraud, they shut down dozens of computer bulletin boards that may be as fully protected by the U.S. Constitution as the words on this page. Do electronic bulletin boards that may list stolen access codes enjoy protection under the First Amendment? That was one of the thorny questions raised last week at an unusual gathering of computer hackers, law-enforcement officials and legal scholars sponsored by Computer Professionals for Social Responsibility. For four days in California's Silicon Valley, 400 experts struggled to sort out the implications of applying late-18th century laws and legal principles to the fast-changing technologies of the late 20th century. While the gathering was short on answers, it was long on tantalizing questions. How can privacy be ensured when computers record every phone call, cash withdrawal and credit-card transaction? What "property rights" can be protected in digital electronic systems that can create copies that are indistinguishable from the real thing? What is a "place" in cyberspace, the universe occupied by audio and video signals traveling across state and national borders at nearly the speed of light? Or as Harvard law professor Laurence Tribe aptly summarized, "When the lines along which our Constitution is drawn warp or vanish, what happens to the Constitution itself?" Tribe suggested that the Supreme Court may be incapable of keeping up with the pace of technological change. He proposed what many will consider a radical solution: a 27th Amendment that would make the information-related freedoms guaranteed in the Bill of Rights fully applicable "no matter what the technological method or medium" by which that information is generated, stored or transmitted. While such a proposal is unlikely to pass into law, the fact that one of the country's leading constitutional scholars put it forward may persuade the judiciary to focus on the issues it raises. In recent months, several conflicts involving computer-related privacy and free speech have surfaced: -- When subscribers to Prodigy, a 700,000-member information system owned by Sears and IBM, began posting messages protesting a rate hike, Prodigy officials banned discussion of the topic in public forums on the system. After protesters began sending private mail messages to other members - and to advertisers - they were summarily kicked off the network. -- When Lotus Development Corp. of Cambridge, Mass., announced a joint venture with Equifax, one of the country's largest credit-rating bureaus, to sell a personal-computer product that would contain information on the shopping habits of 120 million U.S. households, it received 30,000 calls and letters from individuals asking that their names be removed from the data base. The project was quietly canceled in January. -- When regional telephone companies began offering Caller ID, a device that displays the phone numbers - including unlisted ones - of incoming calls, many people viewed it as an invasion of privacy. Several states have since passed laws requiring phone companies to offer callers a "blocking" option so that they can choose whether or not to disclose their numbers. Pennsylvania has banned the service. But the hacker dragnets generated the most heat. Ten months after the Secret Service shut down the bulletin boards, the government still has not produced any indictments. And several similar cases that have come before courts have been badly flawed. One Austin-based game publisher whose bulletin-board system was seized last March is expected soon to sue the government for violating his civil liberties. There is certainly plenty of computer crime around. The Secret Service claims that U.S. phone companies are losing $1.2 billion a year anc credit-card providers another $1 billion, largely through fraudulent use of stolen passwords and access codes. It is not clear, however, that the cyberpunks rounded up in dragnets like last May's are the ones committing the worst offenses. Those arrested were mostly teenagers more intent on showing off their computer skills than padding their bank accounts. One 14-year-old from New York City, for instance, apparently specialized in taking over the operation of remote computer systems and turning them into bulletin boards - for his friends to play on. Among his targets, say police, was a Pentagon computer belonging to the Secretary of the Air Force. "I regard unauthorized entry into computer systems as wrong and deserving of punishment," says Mitch Kapor, the former president of Lotus. And yet Kapor has emerged as a leading watchdog for freedom in the information age. He views the tiny bulletin-board systems as the forerunners of a public computer network that will eventually connect households across the country. Kapor is worried that legal precedents set today may haunt all Americans in the 21st century. Thus he is providing funds to fight for civil liberties in cyberspace the best way he knows how - one case at a time. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: Cyber City Public Access BBS * Toronto, Canada * 416/593-6000 Subject: Canada is Accused of using Stolen Software Date: Wed, 10 Apr 91 11:19:48 EDT (Reprinted with permission: 1. The article must be reproduced in full 2. The Financial Post must be credited somewhere in the article. The article's date was Friday, April 5th, 1991.) CANADA IS ACCUSED OF USING STOLEN SOFTWARE By Eric Reguly and Alan Friedman Financial Post and Financial Times of London NEW YORK -- Government agencies in Canada and other countries are using computer software that was stolen from a Washington-based company by the U.S. Department of Justice, according to affidavits filed in a U.S. court case. In a complex case, several nations, as well as some well-known Washington insiders - including the national security advisor to former President Ronald Reagan, Robert McFarlane - are named as allegedly playing a role. The affidavits were filed in recent weeks in support of a Washington-based computer company called Inslaw Inc., which claims that its case-tracking software, known as Promis, was stolen by the U.S. Department of Justice and eventually ended up in the hands of the governments of Israel, Canada and Iraq. NEW MOTION Yesterday, lawyers for Inslaw filed a new motion in federal bankruptcy court in Washington demanding the power to subpoena information from the Canadian government on how Ottawa came to acquire Promis software. The motion states, "The evidence continues to mount that Inslaw's proprietary software is in Canada." The affidavits allege that Promis - designed to keep track of cases and criminals by government agencies - is in use by the RCMP and the Canadian Security Intelligence Service. The Canadian Department of Communications is referring calls on the subject to the department's lawyer, John Lovell in Ottawa, while a CSIS spokesman will not confirm or deny whether the agency uses the software. "No one is aware of the program's existence here," Corporal DEnis Deveau, Ottawa-based spokesman for the RCMP, said yesterday. The case of Inslaw, which won a court victory against the Justice Department in 1987, at first glance appears to be an obscure lawsuit by a small business that was forced into bankruptcy because of the loss of its proprietary software. But several members of the Washington establishment are suggesting Inslaw may have implications for U.S. foreign policy in the Middle East. The Case already has some unusual aspects. At least one judge has refused to handle it because of potential conflicts of interest, and a key lawyer representing Inslaw is Elliot Richardson, a former U.S. attorney general and ambassador to Britain who is remembered for his role in standing up to Richard Nixon during the Watergate scandal. Richardson yesterday told the Financial Times of London and The Financial Post that: "Evidence of the widespread ramifications of the Inslaw case comes from many sources and keeps accumulating." A curious development in the Inslaw case is that the Department of Justice has refused to provide documents relating to Inslaw to Jack Brook, chairman of the Judiciary Committee of the House of Representatives. Richardson said, "It remains inexplicable why the Justice Department consistently refuses to pursue this evidence and resists co-operation with the Judiciary Committee of the House of Representatives." The Inslaw case began in 1982 when the company accepted a US $10-million contract to install its Promis case management software at the Department of Justice. In 1983 the government agency stopped paying Inslaw and the firm went into Chapter 11 bankruptcy proceedings. Inslaw sued Justice in 1986 and the trial took place a year later. The result of the trial in 1987 was a ruling by a federal bankruptcy court in Inslaw's favor. The ruling said that the Justice Department "took, converted, stole" Promis software through "trickery, fraud and deceit" and then conspired to drive Inslaw out of business. That ruling, which received little publicity at the time, was upheld by the U.S. District Court in Washington in 1989, but Justice lodged an appeal last year in an attempt to overturn the judgement that it must pay Inslaw US $6.1 million (C $7.1 million) in damages and US $1.2 million in legal fees. The affidavits filed in recent weeks relate to an imminent move by Richardson on behalf of Inslaw to obtain subpoena power in order to demand copies of the Promis software that the company alleges are being used by the Central Intelligence Agency and other U.S. intelligence services that did not purchase the technology from Inslaw. In the affidavit relating to McFarlane that was filed on March 21, Ari Ben-Menashe, a former Israeli intelligence officer, claims that McFarlane had a "special" relationship with Israeli intelligence officials. Ben-Menashe alleges that in a 1982 meeting in Tel Aviv, he was told that Israeli intelligence received the software from McFarlane. FLORIDA COMPANY McFarlane has stated that he is "very puzzled" by the allegations that he passed any of the software to Israel. He has termed the claims "absolutely false". Another strange development is the status of Michael Riconosciuto, a potential witness for Inslaw who once worked with a Florida company that sought to develop weapons, including fuel-air explosives and chemical agents. Riconosciuto claimed in his affidavit that in February he was called by a former Justice Department official who warned him against co-op with the House Judiciary Committee's investigation into Inslaw. Riconosciuto was arrested last weekend on drug charges, but claimed he had been "set up". In his March 21 affidavit, Riconosciuto says he modified Promis software for law enforcement and intelligence agencies. "Some of the modifications that I made were specifically designed to facilitate the implementation of Promis within two agencies of the government of Canada... The propriety (sic) version of Promis, as modified by me, was, in fact, implemented in both the RCMP and the CSIS in Canada." On Monday, Richardson and other lawyers for Inslaw will file a motion in court seeking the power to subpoena copies of the Promis software from U.S. Intelligence agencies. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ From: fitz@WANG.COM(Tom Fitzgerald) Subject: Police confiscate computer equipment dialing wrong number Date: Mon, 15 Apr 91 19:11:51 EDT <><><><><><><> T h e V O G O N N e w s S e r v i c e <><><><><><><><> Edition : 2301 Monday 15-Apr-1991 Circulation : 8526 [Mike Taylor, VNS Correspondent] [Littleton, MA, USA ] Police Confiscate Computer Equipment Dialing Wrong Number SAN LUIS OBISPO, CALIFORNIA, U.S.A., 1991 APR 3 (NB) --Ron Hopson got a call at work from his neighbor who informed him police broke down his front door, and were confiscating his computer equipment. The report, in the San Luis Obispo (SLO) Telegram-Tribune, quoted Hopson as saying, "They took my stuff, they rummaged through my house, and all the time I was trying to figure out what I did, what this was about. I didn't have any idea." According to the Telegram-Tribune, Hopson and three others were accused by police of attempting to break into the bulletin board system (BBS) containing patient records of SLO dermatologists Longabaugh and Herton. District Attorney Stephen Brown told Newsbytes that even though the suspects (two of which are Cal Poly students) did not know each other, search warrants were issued after their phone numbers were traced by police as numbers attempting access to the dermatologists' system by modem "more than three times in a single day." Brown told Newsbytes the police wouldn't have been as concerned if it had been the BBS of a non-medical related company, but faced with people trying to obtaining illegal narcotics by calling pharmacies with fraudulent information... What the suspects had in common was the dermatologists' BBS phone number programmed into their telecommunications software as the Cygnus XI BBS. According to John Ewing, secretary of the SLO Personal Computer Users Group (SLO PC UG), the Cygnus XI BBS was a public BBS that operated in SLO, but the system operator (sysop) moved less than a year ago and discontinued the board. It appears the dermatologists inherited the number. John Ewing, SLO PCUG editor, commented in the SLO PC UG newsletter, "My personal opinion is that the phone number [for the Cygnus XI BBS] is still listed in personal dialing directories as Cygnus XI, and people are innocently calling to exchange information and download files. These so-called hackers know that the password they used worked in the past and attempt to connect several times. The password may even be recorded as a script file [an automatic log-on file]. If this is the case, my sympathies go out to those who have had their hardware and software confiscated." Bob Ward, secretary of the SLO PC UG, told Newsbytes, "The number [for Cygnus XI] could have been passed around the world. And, as a new user, it would be easy to make three mistaken calls. The board has no opening screen, it just asks for a password. So, you call once with your password, once more trying the word NEW, and again to try GUEST." {contributed by Barry Wright to RISKS-FORUM Digest V4.38} {contributed by Wes Plouff} <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> Please send subscription and backissue requests to CASEE::VNS Permission to copy material from this VNS is granted (per DIGITAL PP&P) provided that the message header for the issue and credit lines for the VNS correspondent and original source are retained in the copy. <><><><><><><> VNS Edition : 2301 Monday 15-Apr-1991 <><><><><><><> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++===== From: Gordon Meyer <72307.1502@COMPUSERVE.COM> Subject: The CU in South Africa (Reprint from Mondo) Date: 10 Apr 91 01:24:37 EDT This 'letter to the editor' appeared in the Winter '91 issue of _Mondo 2000_. It provides insight and a first hand account of CU interest in South Africa. ------- Great that you could help us information hackers down here in South Africa. Things are probably a lot more simple in our country than yours - recent events such as a march on the South Africa Broadcasting Corporation SABC, demanding that they free the airwaves will recall similar events in the 60's USA. Our brains have stagnated in a cultural wilderness which has more in common with your local totalitarian bananastate than the subtle manipulations of western 'democracy.' Anyway, I mean 'simple' in the sense that two thirds of our population has no electricity. Solution = give them electricity. Our country produces 60% of Africa's electric output so there is more than enough. But here's where you people are important: tho achieve any of the seemingly simple goals of basic human rights we need to know how to hack information really well. High tech has the capability of processing and transmitting large amounts of info, a characteristic that the security branch and Dept. for Information found really useful in tracking down radicals. Example: in one case someone on the run used his Autobank ATM card - it was promptly swallowed and when he enquired as to the reason at his friendly bank - he was promptly arrested - yes, they actually programmed the ATM to trap those in the underground. Now activists have realized that to counter such a monopoly on tech-know-how and manipulation, they have to become techno-radicals, hackers of the establishments of knowledge, etc. We're working with a group of former teachers who have been given computers by the government in 1985 to appease the local community (a rather pathetic attempt) who then subsequently decided to use those 'gifts' against the very people who had given them - by radicalizing computers and spreading this knowledge. We have made copies of your very relevant mag and distributed to those individuals able to carry out hacking attempts. You're important players in the process of spreading the hacking ethic via the print media - something which should not be under-estimated, especially in a country such as ours where merely being able to read is in itself a revolutionary act. The Kagenna project is one which has attempted to use the ethic - by letting information loose into a stagnant society - anything can happen. The green hue is both important and convenient - in a country of many barriers, it is one of the few topics which cuts across all prejudices of race and class. We probably seem pretty tame to you folks, but in the absence of independent media, we tread a fine line. So if you keep sending us the MONDOs, we will Kagenna plus updates on hacking here and any interesting info we come across - let us know whether this is fine with you. We await the birth of the African Cyberpunk Hacker Movement - a somewhat difficult labour. Yours in solidarity, Ted Head (kagenna techno-peasant) PO Box 4713 Cape Town 8000 New South Africa. SOURCE: MONDO 2000 #3 (Winter 1991) pp 14-15 "Letters/FAX/Email" ******************************************************************** ------------------------------ **END OF CuD #3.13** ********************************************************************