########## | Volume I July 26,1991 Number 9 | ########## | | ### | EFFECTOR ONLINE | ####### | | ####### | | ### | | ########## | The Electronic Newsletter of | ########## | The Electronic Frontier Foundation | | (eff.org) | ########## | | ########## | | ### | Staff: | ####### | Gerard Van der Leun (van@eff.org) | ####### | Mike Godwin (mnemonic@eff.org) | ### | Mitchell Kapor (mkapor@eff.org) | ### | Chris Davis (ckd@eff.org) | ### | Helen Rose (hrose@eff.org) | | | ########## | Reproduction of Effector Online via all | ########## | electronic media is encouraged.. | ### | To reproduce signed articles individually | ####### | please contact the authors for their express | ####### | permission.. | ### | | ### | Published Fortnightly by | ### | The Electronic Frontier Foundation (eff.org) | effector n, Computer Sci. A device for producing a desired change. -==--==--==-<>-==--==--==- WE WUZ HACKED! As Monty Python has wisely noted, "NOBODY expects the Spanish Inquisition!" In like manner, nobody expects people to crack their system in quite the way that they *are* cracked. After all, if you knew about an unlocked door in your system, you'd lock it. Right? As soon as you could get around to it, of course. One of the machines here at eff.org is named "black-cube". As you might suspect, that machine is a NeXT. A remote execution daemon called "rexd" that runs on the NeXT (and many other machines) has an authentication routine that is effectively brain dead, and is automatically turned on with a new installation (NeXT Operators Take Note!). Those who know that one of the eff.org machines is a NeXT, or who might guess it by seeing the name "black-cube" can exploit the weakness of "rexd" to gain entry into the system. On July 1, this happened to us. If you run a NeXT, or even if you don't, it could happen to you. The sequence of events, as detailed in Chris Davis' report on the incident was as follows: "At about 1 am on July 1, the NeXT was breached by an intruder using the rexd remote execution daemon. The following things happened, in uncertain but approximate order: "(1) rexd mounted file systems from 'kropotkin.gnu.ai.mit.edu'. Only that, the local disk, and the /home partition from the Sun were mounted. "(2) the /etc/inetd.conf internet daemon configuration file was edited, as user mkapor, to allow rexecd to be run. "(3) the /etc/nu.cf new user program configuration file was edited or modified in an unknown fashion as user mkapor (it's possible that only the modification date was changed). "(4) a file 'rc', a 16K Mach executable, was created in mkapor's home directory, as mkapor. "(5) the /etc/wtmp file was overwritten with an empty file, removing login accounting timestamps "User 'mycroft' was logged into kropotkin.gnu.ai.mit.edu at the appropriate time, and admits entering the machine, but denies 2, 3, 4, and 5." We note that "mycroft" was the name of Sherlock Holmes' older brother. He was said to be even more brilliant that Holmes himself. But it doesn't take great brilliance to crack a machine, only weak routines, a certain specific knowledge, and the willingness to wander around in other peoples' homes without being invited. The security hole was apparently known to CERT (Computer Emergency Response Team), but the alert was netcast before we owned the NeXT so we were not aware of it. We've retired black-cube from active service and have reviewed all other security programs and measures. We were very careful to close all known security holes on our principal machine. We were not quite careful enough to apply the same level of discipline with black-cube. Eternal vigilance is the price of network security. -==--==--==-<>-==--==--==- "When the 'oppressors' become too strict, we have what is known as a police state, wherein all dissent is forbidden, as is chuckling, showing up in a bow tie, or referring to the mayor as 'Fats.' Civil liberties are greatly curtailed in a police state, and freedom of speech is unheard of, although one is allowed to mime to a record. Opinions critical of the government are not tolerated, particularly about their dancing. Freedom of the press is also curtailed and the ruling party 'manages' the news, permitting the citizens to hear only acceptable political ideas and ball scores that will not cause unrest." Woody Allen, "Without Feathers" (Ballentine,1972) -==--==--==-<>-==--==--==- THE AUSTIN EFF ORGANIZATIONAL MEETING by Steve Jackson An Austin meeting for those interested in the EFF and its mission was held July 19 at the offices of Steve Jackson Games. About 60 people (50 or so actively interested, and another 10 along for the ride) attended to cook hot dogs, drink sodas and beer, and talk about Constitutional freedoms in the electronic age. The meeting had been publicized almost exclusively over the net and local BBSs; some attendees read about it first on the Well. Local media were informed, but as far as we know, none mentioned it. I introduced the idea of an Austin EFF chapter by pointing out that the EFF *has* no local chapters, and one of the first missions of an Austin group - if we started one - would be to find out what a local chapter was good for. Suggestions from the group included: * Liaison with local law enforcement groups, both to influence their attitudes and to offer expert assistance and cooperation. * Liaison with media: offering information, correcting errors, and if necessary being ready to go to editorial boards if facts are consistently misrepresented. * Education and communication with others: speaking at schools and club meetings, writing opinion pieces for newspapers, and so on. * Education and communication among ourselves. The issue of ``Just what ARE the laws regarding sysop liability?" was specifically raised. * Direct political action: querying candidates on their stands on EFF-related issues, and initiating legislation to preserve civil rights in the high-tech age. * More organized input into national EFF concerns, especially creation of "ethical standards and practices." * Recruitment of members for the national EFF. * General networking among people with common interests. (Earl Cooley, sysop of SMOF - an old and respected, but underutilized, local board - volunteered to host a local EFF discussion. SMOF, the `World's Oldest Online SF Convention,' can be reached at 512-467-7317.) Four people - Bruce Sterling, John Quarterman, Matt Lawrence and myself - expressed willingness to serve on a local EFF board "provided no one of us has to do all the work." Four seems to be about the *minimum* workable number; we'll certainly be looking for more organizers. Another attendee was a Houston civil-libertarian, representing a group of about 20 like-minded computer users; a Houston EFF chapter is probably in the offing. 10 people signed up as national EFF members at the meeting (several others had already joined), and many more membership forms were distributed. A signup sheet was passed around so that everyone could be contacted directly for further meetings. And there will be more meetings; the "sense of the crowd" was clear on that. Our four volunteers will now have to discuss the next step. Thanks go to Loyd Blankenship, for making sure that all the food, drink and furniture arrived at the right time and place; to Monica Stephens, Mike and Brenda Hurst, and John Quarterman for assorted help with cooking, cleanup and publicity; and to everyone who brought chairs and food! ********************* "Think Globally, Act Locally" We are really encouraged and a bit overwhlemed by the spontaneous interest in forming chapters. In comp.org.eff.talk several other individuals offered to help organize local chapters in different parts of the country. Local activities to promote EFF causes can be a major factor in civilizing the frontier. Over the summer we will be thinking about what constitutes a good set of ground rules for chapters and how to coordinate and support activities from the already-busy EFF office. We'd certainly like to see more discussion on comp.org.eff.talk about possible roles for local chapters. Thanks to Steve Jackson for getting the ball rolling. -==--==--==-<>-==--==--==- MORE TITLES ON THE EFF MAGAZINE STAND INTERTEXT, an electronic magazine devoted to fiction, is published bi-monthly by Jason Snell (jsnell@ucsd.edu). Although primarily established as a place on the net to publish genres other than sci-fi/fantasy, it does still contain some. The quality of the fiction is about that of what you would find in alt.prose. Jason welcomes submissions of all genres. INTERTEXT is also available by e-mail subscription and is primarily archived on network.ucsd.edu. QUANTA is the electronically distributed journal of Science Fiction and Fantasy. As such, each issue contains fiction by amateur authors as well as articles, reviews, and other items of interest. You'll find pretty standard sci-fi/fantasy in QUANTA, with an occasional gem or two. The editors of INTERTEXT and QUANTA are friends and they tend to use some of the same editorial policies: they publish just about whatever they get and they publish their favorite writers all the time. QUANTA is much sharper in format than INTERTEXT. QUANTA is edited by Daniel Applequist (daln@andrew.cmu.edu). Submissions should be sent to quanta@andrew.cmu.edu. Subscription requests should be sent to quanta+requests-acii@andrew.cmu.edu. PARSONS MESSENGER AND INTELLIGENCER is a fictional small-town newspaper consisting primarily of editorials written by the fictional residents of Parsons, MidWest, USA. The Editor, Jane Smith, is also fictional. Most of the letters and opinions etc. are stock stereotypes, but a few are creative and interesting. It's a fresh idea, but it stales too quickly. THE UNPLASTIC NEWS is a brand new little magazine of quips and quotes from anywhere and everywhere. It's published by Todd Tibbetts (tibbetts@hsi.hsi.com), who is new to the net and hasn't quite figured out how to effectively distribute Unplastic yet. Unplastic's first issue is a collection of fully documented quotes >from sources outside the net. I get the impression that Todd wants to collect brilliant offerings from the net for future issues and mix them in heavily with the quotes from other sources. If he can pull this off successfully, THE UNPLASTIC NEWS will be one cutting-edge pub. All four titles are available via anonymous ftp from eff.org. They are to be found in the Journals Directory. -==--==--==-<>-==--==--==- Paraphrased from Time magazine: President Bush is finally switching from his manual typewriter to a personal computer, and taking lessons on how to use it. But he hasn't set his sights too high. "I don't expect this to teach me how to set the clock on the VCR or anything complicated," says the President. -- Denis Coskun, Alias Research Inc., Toronto Canada dcoskun@alias.com -==--==--==-<>-==--==--==- HACKER HYSTERIA DOWNUNDER by Mike Godwin, Staff Counsel, EFF I had just begun to think we had been making progress against the reflexive prejudice that so often afflicts the policy debates about hackers and computer crime. Then I read Tom Forester's recent distressing article about the need to "clamp down" on hackers. It's not that I disagree with Forester about the principle that computer intrusion and vandalism should be illegal. But I was astonished at both at the moral simplicity and the factual inaccuracy of Tom Forester's newspaper column. The article, "Hackers:Clamp Down Now", appeared in an Australian newspaper earlier this summer. I had expected a well-reasoned article from Forester, who co-authored COMPUTER ETHICS: CAUTIONARY TALES AND ETHICAL DILEMMAS IN COMPUTING (Blackwell / Allen & Unwin, 1990). After all, it was a book I had reviewed favorably for WHOLE EARTH REVIEW's Summer 1991 issue. But "Hackers:Clamp Down Now" turned out to be a potpourri of various statements and misperceptions regarding hackers that were common in the American media a year ago and still persist in many quarters. It was painful and infuriating to see them surface again in Australia. Especially when written by someone who should know better. Among other things, Forester writes: >Breaking into a computer is no different from breaking into your >neighbour's house. It is burglary plain and simple - though often >accompanied by malicious damage and theft of information. Yet nothing is "plain" or "simple" about analogizing computer trespass to burglary. The English common law that informs the British, American, and Australian legal systems has always treated burglary harshly, primarily because it involves a threat to the victim's *residence* and to his *person*. But computer intrusion in general, and the cases Forester discusses in particular, pose neither threat. A mainframe computer at a university or business, while it clearly ought to be protected "space" under the law, is not a house "plain and simple." The kind of invasion and the potential threat to traditional property interests is not the same. Consider this: anyone who has your phone number can dial your home-- can cause an electronic event to happen *inside your house*. That "intruder" can even learn things about you from the attempt (especially if you happen to answer, in which case he learns your whereabouts). Do we call this attempted burglary? Do we call it spying or information theft? Of course not--because we're so comfortable with telephone technology that we no longer rely on metaphors to do our thinking for us. This is not to say that all computer intrusion is innocuous. Some of it is quite harmful--as when a true "vandal" runs programs that damage or delete important information. But it is important to continue to make moral and legal distinctions, based on the intent of the actor and the character of the damage. Tom Forester seems to want to turn his back on making such distinctions. This, to me, is a shameful position to take. Forester supported his oddly simplistic moral stance with some odder factual errors. Here are some of the more egregious ones. >Last year, the so-called 'Legion of Doom' managed to completely >stuff up the 911 emergency phone system in nine US states, thus >endangering human life. They were also later charged with trading >in stolen credit card numbers, long-distance phone card numbers >and information about how to break into computers. Only a person who is willfully ignorant of the record could make these statements. The so-called Legion of Doom never damaged or threatened to damage the E911 system. If Forester had done even minimal research, he could have discovered this. What they did, of course, was copy a bureaucratic memo from an insecure Bell South computer and show it to each other. At the trial of Craig Neidorf, who was charged along with Legion of Doom members, it was revealed that the information in that memo was publicly available in print. Thus, there was no proprietary information involved, much less a threat to the E911 system. Forester is simply inventing facts in order to support his thesis. For an academic, this is the gravest of sins. >Leonard Rose Jr. was charged with selling illegal >copies of a US $77,000 AT&T operating system. Len Rose was never charged with "selling" anything. His crime concerned his possession of the expensive source code, which he, like many other Unix consultants, used in his work. >Robert Morris, who launched the disastrous Internet worm, got a >mere slap on the wrist in the form of a US $10,000 fine and 400 >hours' community service. If Forester had investigated the case, he might have discovered an explanation for the lightness of Robert Morris Jr.'s sentence: that Morris never intended to cause any damage to the networks. In any case, Morris hardly qualifies as a "hacker" in the sense that Forester uses the word; by all accounts, he was interested neither in "theft" nor "burglary" nor "vandalism." Of course, making such subtle distinctions would only blunt the force of Forester's thesis, so he chooses to ignore them. >Instead, [the hacker] tends to spend his time with the computer, >rising at 2pm, then working right through to 6am,, consuming mountains >of delivered pizza and gallons of soft drink. This is the kind of stereotyping that Forester should be embarrassed to parrot in a public forum. >Some suffer from what Danish doctors are now calling "computer >psychosis" - an inability to distinguish between the real world >and the world inside the screen. > >For the hacker, the machine becomes a substitute for human >contact, because it responds in rational manner, uncomplicated by >feelings and emotions. And here Forester diagnoses people whom he has never met. One is forced to wonder where Forester acquired his medical or psychiatric training. Of the people whose names he blithely cites, I have met or spoken to half a dozen. None of them has been confused about the difference between computers and reality, although it may be understandable that they prefer working with computers to working with people who prejudge them out of hatred, ignorance, or fear. >One day, these meddlers will hack into a vital military, utility >or comms system and cause a human and social catastrophe. It's >time we put a stop to their adolescent games right now. History suggests that we have far more to fear from badly designed or overly complex software than from hackers. Recent failures of phone networks in the United States, for example, have been traced to software failures. Even if we grant that there are some hackers with the ability to damage critical systems, the question Forester fails to ask is this: Why hasn't it happened already? The answer seems to be that few hackers have the skill or desire to damage or destroy the very thing they are interested in exploring. Of course, there are some "vandals" out there, and they should be dealt with harshly. But there are far more "hackers" interested in exploring and understanding systems. While they may well violate the law now and then, the punishments they earn should take into account both their intentions and their youth. It has been noted many times that each generation faces the challenge of socializing a wave of barbarians--its own children. We will do our society little good if we decide to classify all our half-socialized children into criminals. For an ethicist, Forester seems to have given little thought to the ethics of lumping all computer trespass into one category of serious crime. -==--==--==-<>-==--==--==- "Twas midnight, and the UNIX hacks Did gyre and gimble in their cave All mimsy was the CS-VAX And Cory raths outgrave. "Beware the software rot, my son! The faults that bite, the jobs that thrash! Beware the broken pipe, and shun The frumious system crash!" -==--==--==-<>-==--==--==- STUDENT SUSPENDED FOR MAILING PASSWORDS by Rita Rouvalis The University of Georgia's (UGA) Student Judiciary has recently sentenced a student to two quarters suspension for e-mailing Athena's /etc/passwd file to an unauthorized user who wanted to break into the system. Intense debate ensued when the following post was made to eff.talk: >The University will soon be issuing a news release about this incident. >In the meantime, here is a summary: >(1) A number of unauthorized users have been using various University >of Georgia computers. Most of them have left much more of a trail than >they realized and will be hearing from us. >(2) The first person actually caught as part of this incident has now >been sentenced to 2 quarters' suspension, plus a probated expulsion, >by the Student Judiciary. This was a U.Ga. student whose name cannot >be released due to confidentiality of educational records. What this >student did was mail a copy of /etc/passwd from athena.cs.uga.edu to a >"hacker" who had already penetrated another system, and who wanted to >use a password-guessing program to break into athena. The student was >fully aware that he was assisting in a break-in. > -- Michael Covington, sysadmin UGA Discussion was muddied considerably by confusion with other threads, and opinions were posted without factual basis. If one looks at the facts, one finds the student received surprisingly fair treatment from the University of Georgia, whether or not one agrees with the actual sentence. Upon investigating an intrusion into one of the AI Lab's machines, the sysadmin for the AI lab found that the intruder had saved, on disk, a copy of Athena's /etc/passwd file with an email header indicating it had come from the student in question's account on Athena. Assuming at first that either the e-mail header was bogus, or that the student's account had also been hacked, the Athena sysadmins deactivated the account. Notice that this was a file saved under an unauthorized username; no e-mail was ever intercepted. Upon further investigation, the student admitted to being the owner/sender of this e-mail message. He also apparently admitted to being a member of an "elite group of hackers/phreakers," and knowing that the /etc/passwd file would be used to try to crack Athena. When the matter came before them, UGA officials felt the needs of the student would be better served if he/she was brought before the Student Judiciary instead of filing criminal charges. The only punishments the Student Judiciary can hand out are expulsion, suspension, and community service; all proceedings are kept confidential as required by federal law. According to UGA Student Judiciary policy, a student can choose either an administrative hearing, or a student court hearing before three specially trained students. In either case, the student is assisted by a trained defender (also a student) and has the right to have other people present for his defense. The hearing is supervised by UGA's staff of Judicial Programs and follow the same rules of evidence and procedure as a courtroom trial. If convicted, the student can appeal to the Vice President and to the President (which this student has done). Despite protests from a few netters about the sentence the student received, it is clear that the student court carefully considered the intent and personality of the student when handing down the sentence -- a consideration not taken in too many hacker cases. Officials felt that two quarters suspension would effectively remove the student from the influence of the hackers/phreakers and realign his priorities. Community service involving computers was not chosen for the express reason of not encouraging hacking to prove ability. While some netters may disagree with the sentence handed down, they should agree that this case was fairly and thoroughly handled by UGA officials. Their measured deliberation of all the issues involved should be used as an example in this era of hacker hysteria. EFFector Online will keep you posted as the case progresses... Portions of postings by Michael Covington, sysadmin of one of the UGA machines involved, are reproduced by permission. -==--==--==-<>-==--==--==- Letters From The Sun From: mib@gnu.ai.mit.edu (Michael I Bushnell) To: editors@eff.org Subject: Free software and electronic freedom There is a convergence of interests between advocates of free software and the EFF, which I think bears some examination. I think we can "assist" the government, the police, the media, and the courts by stressing that what is happening to computers is by no means new. I do not believe that education (though it will help) can solve our problem. The people from AT&T who assign $50,000 price tags to login.c and claim millions of dollars of damage done by Riggs, Darden, and Grant are completely aware of the real nature of what was done. The same is certainly true of Apple's claim that irrevocable damage was done by the distribution of NuPrometheus. We can end, through education, damage to people like Steve Jackson wrought by overzealous police. But the damage done by the false claims of knowledgeable people seeking money and victims will not be ended solely be education. The possiblility of perjury suits should be considered, of course, but that is not the only way to end the problem. The computer shares with certain other inventions several important characteristics: it is cheaper than older alternatives; it is faster; and it offers new ways of thinking about the world. The most obvious invention in the past with these characteristics is the movable-type printing press. Suddenly books could be published by only a few people, rather than requiring laborious copying. Printing presses were cheaper than the hundreds of copyists previously required. And, perhaps most importantly, the availability of books encouraged people to see the world as somewhat smaller, as information could suddenly be transmitted more quickly. Gutenberg's first book was the Bible, published in German translation, and the Church reacted vehemently to this new "problem". Its monopoly on Biblical interpretation suddenly ended, and the Church quickly realized that something "needed" to be done. The index of prohibited books became its most effective tool. Those who assisted in the production of unauthorized books (rulers who refused to arrest recalcitrant printers, for example) would be in turn vilified or even excommunicated. Even today, in many countries, access to the printed word is difficult and managed by the state. Those we are fighting must be more visibly compared with past opponents to free speech. We must be more vocal in admitting and even pointing out that, yes, the computer is powerful and dangerous, and in precisely the same ways cheap printing is powerful and dangerous. We do not believe, in this country, that access to printing presses should be carefully managed and regulated by the government to ensure the safe use of this power. Instead, thanks to the wisdom of Voltaire, and his ultimate victory over Rousseau, we recognize that the solution to the printing of falsehood is the printing of truth. We must encourage the same attitude in the public towards computers: that computers, and associated networks, must be encouraged to grow without regulation and forced record-keeping. Yes, computers are dangerous. But they are only dangerous to those who hide in shadows and plot power in the dark of night, for they are tools for light if available to all. -==--==--==-<>-==--==--==- "I'm hosed." -- Steve Jobs, after his NeXT machine froze up during a demonstration to 500 people at Lotus last year. -==--==--==-<>-==--==--==- MEMBERSHIP IN THE ELECTRONIC FRONTIER FOUNDATION If you support the goals and work of EFF, you can show that support by becoming a member now. Members receive our quarterly newsletter, EFFECTOR, our bi-weekly electronic newsletter, EFFector Online (if you have an electronic address that can be reached through the Net), and special releases and other notices on our activities. But because we believe that support should be freely given, you can receive these things even if you do not elect to become a member. Your membership/donation is fully tax deductible. Our memberships are $20.00 per year for students, $40.00 per year for regular members. You may, of course, donate more if you wish. >>>---------------- EFF@eff.org MEMBERSHIP FORM ---------------<<< Mail to: The Electronic Frontier Foundation, Inc. Online Office Nine 155 Second St. Cambridge,MA 02141 I wish to become a member of the EFF I enclose:$__________ $20.00 (student or low income membership) $40.00 (regular membership) [ ] I enclose an additional donation of $___________ Name:______________________________________________________ Organization:______________________________________________ Address: __________________________________________________ Town: _____________________________________________________ State:_______Zip:________Phone:( )_____________(optional) FAX:( )____________________(optional) Email address: ______________________________ I enclose a check [ ]. Please charge my membership in the amount of $_____________ to my Mastercard [ ] Visa [ ] American Express [ ] Number:____________________________________________________ Expiration date: ____________ Signature: ________________________________________________ Date:______________________ I hereby grant permission to the EFF to share my name with other non-profit groups from time to time as it deems appropriate [ ]. Initials:___________________________ **OUR PRIVACY POLICY: The Electronic Frontier Foundation will never, under any circumstances, sell any part of its membership list. We will, >from time to time, share this list with other non-profit organizations whose work we determine to be in line with our goals. But with us, member privacy is the default. This means that you must actively grant us permission to share your name with other groups. If you do not grant explicit permission, we assume that you do not wish your membership disclosed to any group for any reason.** The EFF is a non-profit, 501c3 organization. Donations to the EFF are tax-deductible. ******************************************************************