A - I n f o s
a multi-lingual news service by, for, and about anarchists
**
News in all languages
Last 30 posts (Homepage)
Last two
weeks' posts
The last 100 posts, according
to language
Castellano_
Català_
Deutsch_
English_
Français_
Italiano_
Português_
Russkyi_
Suomi_
Svenska_
Türkçe_
All_other_languages
{Info on A-Infos}
(en) Cu Digest, #10.11, Sun 15 Feb 98 -- selected articles
From
"Shawn Ewald" <shawn@wilshire.net>
Date
Tue, 17 Feb 1998 13:08:12 -0700
Comments
Authenticated sender is <shawn@mail.wilshire.net>
Priority
normal
________________________________________________
A - I N F O S N E W S S E R V I C E
http://www.ainfos.ca/
________________________________________________
[Not the complete text, only selected articles]
Computer underground Digest Sun Feb 15, 1998 Volume 11 :
Issue 11 ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
CONTENTS, #11.11 (Sun, Feb 15, 1998)
File 1--AOL's insecurity complex
File 3--Policy Post 4.1 -- Digital Wiretap Law at Key Juncture
File 4--Solid Oak's mail bomb--a reply from Brain Milburn
File 6--CRYPT Additions to the Joseph K Guide to Tech Terminology
File 9--Cu Digest Header Info (unchanged since 7 May, 1997)
CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.
---------------------------------------------------------------------
Date: Fri, 6 Feb 1998 08:41:14 -0800
From: "James Galasyn" <a-jameg@microsoft.com>
Subject: File 1--AOL's insecurity complex
((CuD Moderators' Note: The following may not be reprinted
without permission of Salon)).
from http://www.salonmagazine.com/21st/
----------------------
AOL's insecurity complex
THE ONLINE SERVICE CAN'T EVEN KEEP
ITS OWN STAFF BULLETIN BOARDS PRIVATE.
BY DAVID CASSEL | You've probably heard about the "other" Timothy McVeigh --
the sailor who found himself the target of Navy discharge proceedings for
violating its "don't ask, don't tell" policy, after America Online divulged
the real-life name behind his online profile.
At this point, only a district judge has prevented the Navy from completing
the discharge. After a firestorm of press coverage, AOL CEO Steve Case
issued a special "Community Update" to try to mollify anger. "We have always
recognized that privacy was an absolutely central building block for this
medium," Case argued, "so from day one we've taken steps to build a secure
environment that our members can trust."
But Case's words rang hollow. The McVeigh affair wasn't an isolated
incident. In the ensuing coverage, other subscribers also came forward with
stories about AOL's loose lips. And only days after that controversy arose
came the latest in a long sequence of disturbing AOL security breaches,
undermining AOL's claim that it provides a "secure environment."
Around midnight Jan. 26, I received a mysterious e-mail message: "Before you
miss the whole thing, you should really try and check out keyword: TA."
Since I edit a mailing list about AOL, I sometimes receive tips about hacked
content. So I dutifully visited AOL's "Traveler's Advantage" area, which
normally promotes innocuous travel-related services. ("Win a romantic
Getaway for Two OR $5,000 CASH!")
It was different that Monday. As with many previous acts of high-tech
vandalism, the title of the window had been changed in the middle of the
night. Instead of "Welcome to AOL Travelers Advantage!" the page read,
"Lithium Node was here." (This wasn't the first time AOL had heard from
"Lithium Node": Last June, the same group converted AOL's "Academic
Assistance Center" into a kind of hacker resource center, complete with
manifesto.)
But this attack offered a new twist: Below the substitute title lay a menu
linked to dozens of AOL staff bulletin boards. Following the links led to
private boards reserved for conversations among AOL's online staff --
including staffers of "The Rosie O'Donnell Show" and AOL's own army of
volunteers. Ironically, one area included an essay on the word
"confidentiality," saying users should observe confidentiality policies, and
"we should take pride in our ability to do so, and set an example for other
staffs."
Though the material was apparently meant to be off-limits to the public, it
wasn't. A week later, one of the boards sported an announcement outlining a
pending policy change. Staffers were told that "Beginning February 4, 1998,
Keyword TCB will be viewruled." In other words, AOL was going to restrict
access to "The Community Building," a gathering place for AOL's online
staff. This tactic was "becoming increasingly important," the memo stated,
to assure that an area "is limited to its intended audience, and not
available for viewing by others."
The bulletin boards linked from the giant index that had appeared the week
before were soon to be roped off. But the obvious question -- why this
no-brainer protection wasn't already in place -- went unaddressed. The
announcement stated hopes that the board "remains a safe and secure area."
I can't say I was surprised by any of this; AOL has a long history of
security and privacy problems. In 1995 hackers accessed the e-mail of CEO
Case and other executives. One message -- describing AOL's meeting with the
FBI to crack down on hackers -- was even posted to Usenet newsgroups. The
hacks continued over the years, and grew more sophisticated. Last April my
mailing list uncovered a trick that allowed access to any subscriber's
credit card number if they'd revealed their password. AOL had stated this
wasn't possible.
While there's no information on how many subscribers were affected, an
omnipresent population of ill-wishers compounds any AOL security breach. In
September 1996 the Washington Post reported that AOL canceled 370,000
accounts in one three-month period for "credit card fraud, hacking, etc." I
once counted over 300 troublemakers massing in chat rooms for an en masse
demonstration of dissatisfaction.
What's making users uneasy is the realization that hackers aren't the only
threat to privacy. Last August a parody of AOL's CEO appeared in Mad
magazine, addressing concerns about high-tech burglar Kevin Mitnick: "My
subscribers' card numbers are accessible to someone far more dangerous than
him!" Case's parody doppelgnger commented. "ME!!"
In a scramble for profits, AOL itself has resorted to varying degrees of
invasiveness. In July, for instance, AOL faced controversy over plans to
sell subscribers' home phone numbers to telemarketers. AOL's compromise
solution wasn't as well publicized: Users will still receive unsolicited
calls, but only from AOL's own stable of telemarketers. In addition, when
customers now phone for technical support, staffers try to transfer them to
outside telemarketing firms at the end of the call.
AOL has faced questions about its privacy policies since 1994, when Rep. Ed
Markey, D-Mass., expressed concerns about AOL's plan to sell information
about customers to marketers. Three years later, privacy advocates at the
Electronic Privacy Information Center remain concerned. AOL recently
acknowledged that its current marketing plan includes gathering aggregate
information about customers' movement through the service, and then using
the information to sell more targeted advertisements. The existence of such
a database troubles privacy advocates, whether or not the information is
attached to a user's identity. And since a recent industry report calculate
s
that nearly 60 percent of the time Americans spend online is spent on AOL,
the company is in a unique position to compile records on how that time is
spent.
In the McVeigh incident, AOL originally stated it was confident that its
policies had been followed. Later, Case's "Community Update" conceded that
"this should not have happened, and we deeply regret it." He closed by
telling members that "AOL's commitment to protecting the privacy of our
members is stronger than ever." Ironically, Case's apology appeared above an
icon reading "Click Here to Keep Your Resolutions." It often seems that AOL
is more interested in appearing to honor privacy and security than in
actually providing it.
In the last 10 months, at least 28 areas of AOL have been altered by
hackers. Most fell to human error -- someone with "publishing rights"
divulged their password. But AOL's performance in the face of these problems
hasn't inspired confidence. Content partners say a memo distributed in
October acknowledged that one of AOL's own employees had lost control of a
privileged account. Seven areas were modified that night, including Reebok,
AOL's Jewish Community Area and even Case's Community Update. (Its second
page was retitled "Hey there, Sexy.")
The attacks are getting more sophisticated. After vandals left a manifesto
criticizing AOL's NetNoir area, its producer dispensed a carefully crafted
response to reporters. But the graffiti artists got a second chance -- weeks
s
later they returned on another purloined account and posted a rebuttal.
AOL has a ways to go before it regains my trust. By the morning after I
received that mysterious e-mail message, keyword "TA" had been restored to
its original travel pitches. But for nine days afterward, most of the staff
areas remained accessible to anyone who'd added them to their bookmark file
Case needs to work a little harder on his resolutions.
COPYRIGHT:
SALON | Feb. 6, 1998
(May not be reprinted without permisson)
------------------------------
Date: Fri, 6 Feb 1998 17:56:05 -0500
From: Graeme Browning <gbrowning@CDT.ORG>
Subject: File 3--Policy Post 4.1 -- Digital Wiretap Law at Key Juncture
((CuD MODERATORS' NOTE: The following post was edited down for parsimony))
The Center for Democracy and Technology /____/ Volume 4, Number 1
-----------------------------------------------------------------
A briefing on public policy issues affecting civil liberties online
---------------------------------------------------------------
CDT POLICY POST Volume 4, Number 1 February 6, 1998
** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of <gbrowning@cdt.org>
__________________________________________________________
(1) DIGITAL WIRETAP STATUTE AT KEY JUNCTURE
What started as a law intended to preserve law enforcement's ability to
conduct wiretaps on digital networks is now being used by the FBI in an
effort to enhance its surveillance capabilities. The struggle over the
scope of the 1994 law is being waged in Congress, at the Federal
Communications Commission (FCC) and in negotiations between the telephone
industry and the FBI. The status of the debate and its implications for
privacy are reviewed in a recent CDT memo posted at
http://www.cdt.org/digi_tele/status.html.
(2) FBI PURSUES EXPANDED SURVEILLANCE CAPABILITIES
Congress enacted the Communications Assistance for Law Enforcement Act
(CALEA)--popularly called the 'digital telephony'law--in 1994. The FBI is
now trying to use the law to require special surveillance features in the
nation's land-based and wireless telephone systems. Telephone companies
have yielded to some of the FBI's demands and have resisted others, but now
face pressure to compromise further.
* Under pressure from the FBI, the wireless phone industry has agreed to
provide law enforcement with the capability to track the location of
cellular phone users.
* The telephone industry has also agreed that carriers using increasingly
common 'packet switching' protocols may provide to the government the full
content of customer communications even though the government is only
legally authorized to intercept the less sensitive addressing data that
indicates who is calling whom.
Despite these concessions, the FBI remains unsatisfied with the industry's
proposed compliance plan. The FBI continues its push for additional
surveillance features, including the ability to --
* continue monitoring parties on a conference call after the subject of
the wiretap order has dropped off the call;
* collect detailed information identifying each party on a call,
including parties not the subject of investigation; and
* receive instant notification when a customer has a voice mail waiting
or makes any changes in service.
The FBI also has proposed requiring carriers to install capacity for far
more surveillances than ever before. See
http://www.cdt.org/digi_tele/970218_comments.html.
(3) INDUSTRY - FBI NEGOTIATIONS: GOVERNMENT SEEKS SOMETHING FOR NOTHING
Congress set October 25, 1998 as the deadline for complying with CALEA. It
has been clear for some time that the deadline can't be met: the FBI's
insistence on adding surveillance functions outside the scope of the law
snarled the process of drafting technical standards. Congress foresaw that
compliance might take longer than expected, so it gave companies the right
to seek delays from the FCC or the courts.
The FBI, however, is offering carriers special extensions (called
'forbearances') if they agree to develop the additional surveillance
capabilities. Since the carriers are *already* entited to an extension of
time under CALEA, the FBI's negotiating ploy is seeking something for
nothing. Manufacturers or carriers may be tempted to accept the offer to
avoid the cost of litigation. They would do so, however, at the expense of
privacy and control over network design.
(4) CDT WILL URGE FCC TO INTERVENE TO PROTECT PRIVACY
CALEA gives the FCC an oversight role in how the law is applied, but the
Commission has been reluctant so far to intervene. In August 1997, the
cellular industry, CDT and the Electronic Frontier Foundation filed
pleadings at the FCC urging it to find that the FBI's demands for
additional surveillance capability go beyond the scope of CALEA. The
petitions are still pending. See http://www.cdt.org/digi_tele/#fcc.
Instead, the FCC in October began considering an FBI proposal to require
telephone company employees to undergo background investigations and to
sign nondisclosure agreements. The FBI is also urging the Commission to
limit the ability of telephone companies to verify the validity of
purported wiretap orders.
In comments to be filed on February 11, CDT will urge the FCC to balance
the interests of law enforcement with the interests of privacy and
technological innovation, as Congress intended. The full text of CDT's
comments will be posted at http://www.cdt.org.
(5) CDT'S PRIVACY RECOMMENDATIONS
CDT believes that several steps should be taken to restore CALEA to the
spirit of balance it originally incorporated. These steps would preserve
law enforcement's basic surveillance capability (without the specific and
highly detailed enhancements sought by the FBI), and yet would protect
privacy in the face of the increasing surveillance potential of the new
technology:
* Congress should put an end to the controversy over enhanced
surveillance capabilities and reaffirm its narrow intent for CALEA by
authorizing the FBI to begin reimbursing carriers and switch manufacturers
to implement the industry's interim standard, minus wireless phone tracking
and minus any premature treatment of packet switching systems that does not
require the separation of call content from addressing information.
* Congress should deny the FBI the ability to impose redundant capacity
requirements on carriers, by limiting expenditure of the capacity
reimbursement funds.
* Congress should extend the October 1998 deadline, so that the FBI
cannot use the threat of non-compliance sanctions to force industry to
capitulate. However, extension of the deadline should not be traded for
enhanced capability.
* The FCC should assure itself of the security of the networked
surveillance administration systems that carriers will be installing to
comply with CALEA.
* The FCC should drop its proposals for intrusive background
investigations of carrier personnel.
* The FCC and/or Congress should launch an inquiry into the privacy
implications of surveillance in a packet switching environment.
* Since developments in technology are already increasing surveillance
capabilities, a probable cause standard for government access to location
tracking information should be established.
* The standard for governmental access to other transactional information
(through pen registers and trap and trace devices) should be increased to
require an affirmative finding by a judge that the information sought is
relevant and material to an on-going investigation. (The current standard
reduces the role of the judge to a mere rubber-stamp.)
(6) CDT CALEA WEBSITE UPDATED
We have recently revamped and updated our CALEA website, at
http://www.cdt.org/digi_tele/
__________________________________________________________
(7) SUBSCRIPTION INFORMATION
<snip>
To subscribe to CDT's Policy Post list, send mail to
majordomo@cdt.org
in the BODY of the message (leave the SUBJECT LINE BLANK), type
subscribe policy-posts
If you ever wish to remove yourself from the list, send mail to the
above address with a subject of:
unsubscribe policy-posts
_____________________________________________________________
------------------------------
Date: Tue, 10 Feb 1998 16:23:35 -0700
From: joepublic@hypertouch.com
Subject: File 4--Solid Oak's mail bomb--a reply from Brain Milburn
I send a message to Solid Oak's official PR address
(pr@solidoak.com) asking about the mail bombing and got the attached reply.
My original email message is at the bottom.
The noteworthy parts (to me) of the reply were their distinction
between a "mail bomb" and this incident and that it was the work of an
individual employee and not of the company:
"The large number of e-mail messages she was sent (about 446)
were actually separate but multiple replies to her original
messages, not a mail-bomb, and were made by an obviously
frustrated and overworked technical support employee."
While I am pleased that Solid Oak does "not encourage or condone
this type of behavior" I am disappointed that they did not mention any
steps that they were taking to help their employees follow said policy.
One obvious step might be to teach their employees about .kill files.
Joe
--snip--
From--Brian Milburn <brian@solidoak.com>
Subject-- Re--Confirmation of mail bombing story
Date--Tue, 10 Feb 1998 12:52:20 -0800
Thank-you for your mail concerning recent events you have read about
on-line. The person mentioned is not and was not a potential customer
evaluating blocking software. And, as she operates a web site promoting
witchcraft and paganism, it is highly unlikely that she will ever purchase
or use any any content filtering product.
Additionally, she is an admitted member of a group that has been engaged in
a campaign of organized harassment against us for over 14 months. During
this time, we have received hundreds of e-mail messages from members of
this group as well as mail-bombs, "denial of service attacks" and "out of
band attacks". We have even received death threats sent via e-mail to
private accounts whose addresses are published by this group on their web
pages and in their membership newsletters.
This group has made their position on filtering software well known over
this time. We feel that their concerns have already been adequately
expressed. Many of the messages we have received have DEMANDED a response
and threaten disastrous consequences it we do not. We are under no
obligation whatsoever to respond to these messages, but we do have an
obligation to our customers to provide timely technical support and answers
to their questions.
This person sent 12 messages to these accounts even though she was asked
not to. Her ISP was contacted and their assistance was requested in
persuading her to cease her e-mail activities to us. They refused to
assist. The large number of e-mail messages she was sent (about 446) were
actually separate but multiple replies to her original messages, not a
mail-bomb, and were made by an obviously frustrated and overworked
technical support employee.
While we do not encourage or condone this type of behavior, we must
recognize the fact that our employees have to endure a great deal of abuse
from members of this group and it's supporters.
Thank-you
Solid Oak Software
On 02/10/98 12:19pm you wrote...
>
>Hello,
> I was writing because I was recently forwarded an account claiming
>that Solid Oak had mail bombed some woman for emailing a critical letter
>to Solid Oak's feedback email address. Since Solid Oak has been the subject
>of heated accusations in the past, I didn't want to propagate an erroneous
>story without checking its accuracy. Would you be able to tell me what, if
>anything happened? I believe the woman's name was something like "Sarah
>Salls."
>
>Thank you,
>
>Joe
--snip--
------------------------------
Date: Wed, 7 Jan 1998 23:32:22 -0500
From: "George Smith [CRYPTN]" <70743.1711@compuserve.com>
Subject: File 6--CRYPT Additions to the Joseph K Guide to Tech
Terminology
ADDITIONS TO THE JOSEPH K GUIDE TO TECH TERMINOLOGY: Another
brief in a very popular Crypt Newsletter continuing feature.
consultant: U.S. Department of Defense or civil service
free-lancer usually involved in a conflict of interest; or, a recently
downsized employee of corporate America.
Usage: The _consultant_ from Science Applications International
Corporation enjoyed writing policy papers for the Pentagon's Joint
Chiefs which always cleverly ensured more DoD business for his firm.
Usage: Two years after being downsized by Acme Data Systems,
Scroggins' carefree life as an Internet _consultant_ came to an end
when he declared bankruptcy, was divorced by his wife and lost
visitation rights to his children.
cutting edge: hackneyed usage meant to convey a quality of
hipness and intellectual excellence but, instead, standing for quite
the opposite.
Usage: One editor at a stodgy newspaper declared his business and
technology section _cutting edge_ even though everyone knew it was
only a forum for billionaire hagiography and rewritten press releases
issued by corporate America.
libertarian: once a handy political label for those who
believe in free markets and personal liberty; now a handy marketing
tool for those who wish to lower taxes, disarm government employees
and spend large amounts of money on anything published by Wired
Ventures, Inc.
Usage: The mighty publisher of WIRED magazine galvanized a
phalanx of Net _libertarians_ into sending a million
electronic mails to Congress in protest of Net censorship -- where
they were immediately deleted, unread, by college interns.
Netizen: formerly, a term meaning citizen of the Net;
now, an overused, unintentional pejorative describing a group of
annoying computing technology-obsessed, mostly white, mostly
male, blowhards.
Usage: _Netizen_ Kane stamped his foot in glee as he
used his skills in PC automation to send 1,000 e-mail copies of a
windy, libertarian rant to Congressmen, the President and the press,
where it was subsequently deleted, unread, by college interns.
Yes, you can contribute to the Joseph K Guide without fear of
professional retribution or stain upon your reputation. Send your
suggestions, definitions or usages to Crypt Newsletter!
=======================
Editor: George Smith, Ph.D.
INTERNET: 70743.1711@compuserve.com
crypt@sun.soci.niu.edu
http://www.soci.niu.edu/~crypt
Mail to:
Crypt Newsletter
1635 Wagner St.
Pasadena, CA 91106
ph: 626-568-1748
------------------------------
Date: Thu, 7 May 1997 22:51:01 CST
From: CuD Moderators <cudigest@sun.soci.niu.edu>
Subject: File 9--Cu Digest Header Info (unchanged since 7 May, 1997)
Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are
available at no cost electronically.
CuD is available as a Usenet newsgroup: comp.society.cu-digest
Or, to subscribe, send post with this in the "Subject:: line:
SUBSCRIBE CU-DIGEST
Send the message to: cu-digest-request@weber.ucsd.edu
DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.
The editors may be contacted by voice (815-753-6436), fax
(815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology,
NIU, DeKalb, IL 60115, USA.
To UNSUB, send a one-line message: UNSUB CU-DIGEST
Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)
Issues of CuD can also be found in the Usenet comp.society.cu-digest
news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of
LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in
the VIRUS/SECURITY library; from America Online in the PC Telecom
forum under "computing newsletters;" On Delphi in the General
Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020
(and via Ripco on internet); CuD is also available via Fidonet File
Request from 1:11/70; unlisted nodes and points welcome.
In ITALY: ZERO! BBS: +39-11-6507540
UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
Web-accessible from: http://www.etext.org/CuD/CuD/
ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
world.std.com in
/src/wuarchive/doc/EFF/Publications/CuD/
wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
EUROPE: nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
ftp.warwick.ac.uk in pub/cud/ (United Kingdom)
The most recent issues of CuD can be obtained from the
Cu Digest WWW site at:
URL: http://www.soci.niu.edu/~cudigest/
COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing
information among computerists and to the presentation and debate of
diverse views. CuD material may be reprinted for non-profit as long
as the source is cited. Authors hold a presumptive copyright, and they
should be contacted for reprint permission. It is assumed that
non-personal mail to the moderators may be reprinted unless otherwise
specified. Readers are encouraged to submit reasoned articles
relating to computer culture and communication. Articles are
preferred to short responses. Please avoid quoting previous posts
unless absolutely necessary.
DISCLAIMER: The views represented herein do not necessarily represent
the views of the moderators. Digest contributors assume
all responsibility for ensuring that articles submitted do
not violate copyright protections.
------------------------------
End of Computer Underground Digest #10.11
************************************
------- Message History -------
Date: Tue, 17 Feb 98 00:43 CST
To: cu-digest@weber.ucsd.edu
From: Cu Digest (tk0jut2@mvs.cso.niu.edu)
<TK0JUT2@MVS.CSO.NIU.EDU> Subject: Cu Digest, #10.11, Sun 15 Feb
98
****** A-Infos News Service *****
News about and of interest to anarchists
Subscribe -> email MAJORDOMO@TAO.CA
with the message SUBSCRIBE A-INFOS
Info -> http://www.ainfos.ca/
Reproduce -> please include this section
