human-nets@ucbvax.ARPA (08/04/85)
From: Charles McGrew (The Moderator) <Human-Nets-Request@Rutgers>
HUMAN-NETS Digest Saturday, 3 Aug 1985 Volume 8 : Issue 25
Today's Topics:
Query - Ted Nelson and Xanadu,
Response to Query - Publishing Net Messages,
Computers and the Law - The "Plainfield 7" (3 msgs)
----------------------------------------------------------------------
Date: Fri, 26 Jul 85 12:03:32 EDT
From: Michael_D'Alessandro%Wayne-MTS%UMich-MTS.Mailnet@MIT-MULTICS.ARP
From: A
Subject: Ted Nelson and Project Xanadu: Where are they now?
Can anyone out there tell me what Ted Nelson is up to now, and what is
the status of his Xanadu Hypertext Network?
Michael D'Alessandro
<<Internet>>:
MPD%Wayne-MTS%UMich-MTS.Mailnet@MIT-Multics.ARPA
<<UUCP>>:
...ihnp4!ucbvax!MPD%Wayne-MTS%UMich-MTS.Mailnet@MIT-Multics.ARPA
------------------------------
Date: Sun 21 Jul 85 15:51:15-CDT
From: Werner Uhrig <CMP.WERNER@UTEXAS-20.ARPA>
Subject: Re: Publishing Query
To: WBD.TYM@OFFICE-2.ARPA
I think the best approach would be to forget it. it would only raise
questions better not raised and result in answers and other possible
consequences, probably detrimental to the "relaxed" atmosphere in the
area of copyrighted materials.
In regards to my contributions to the net, I either have indicated
sources, which, in all likelihood, may not regard even my posting as
proper, or, if asked, would not consider favorably a request to allow
someone else to use their efforts in a profit-making venture.
And if I ever made any "original" contributions to the net which
anyone may consider useful in a "profitable" enterprise, I would, of
course, be flattered by that, but would like you to consider that I
(and many others) contribute here in the spirit of cooperative,
non-profit atmosphere I perceive to exist on the electronic
bulletin-board systems and would like the world of "profit" to stay as
far removed as possible from them.
Given that I don't know if I ever preserved any legal rights to my
public mumblings, and don't really care to do the necessary legal
voodoo that has the proper effect, it occurs to me that what's needed,
is a statement of some kind, which, in effect, creates some kind of
"blanket cover" for everything posted, making it unnecessary that each
individual message has to have "voodoo".
Any "legal eagles" out there, that can achieve that with a swift
stroke of the (ahem) .... keyboard (and mouse (-: ) ??? Something in
effect guaranteeing that everything is protected from being used *FOR
PROFIT* by anyone else but the author himself (if he so desires *AND*
really has the legal rights to it, anyway). If, at the same time, it
can be made clear that anything posted is the sole responsibility of
the poster, and not anyone else cooperating in maintaining the
communication-channels, that would be fantastic - but then, of course,
I am under the distinct impression, that a couple of hundred lawyers
are going to make a good living of studying that legal "snake-pit"
..., sighhhhh ...
Cheers, Werner
------------------------------
Date: Sun, 21-Jul-85 09:13:30 PDT
From: vortex!lauren@rand-unix (Lauren Weinstein)
Subject: press conferences
While it is unfortunate when authorities get "heavy-handed" about the
way they handle such things, I don't believe that there is any
requirement that the general public be allowed to attend press
briefings/conferences. Many (if not most) such events are limited to
accredited press members--that's part of what press credentials are
all about. You think that just anyone off the street can walk into
any old State Dept. press conference? No way. Such events would just
turn into giant shouting matches if such were allowed. Press
conferences are not "public" events in the normal sense--they are
"invited" events. Now, if a properly accredited press person were
denied access to a press conference without good reason, that would be
a different matter entirely.
---
On the subject of the NJ BBS case... recent information indicates that
at least some of the involved BBS's were being used to pass around
information on stolen phone and non-phone credit cards. Freedom of
speech is not absolute--and starts to get complicated when behaviors
can be viewed as "aiding and abetting" in the commission of a crime.
Given that some BBS operators are probably truly ignorant of some of
the material people are publicly posting on their boards, it still
presents a substantial problem. What if someone started posting lists
of when people were away from their homes, so that they could be
easily robbed? Such behavior would almost certainly be viewed as
something on the order of conspiracy to commit a crime.
The BBS operators really only have two choices to protect themselves
in the long run (assuming we're talking about honest ones).
1) They can pass, as moderators, on public messages before allowing
them to be publicly displayed.
2) They can keep verified information regarding the name, address,
etc. of each submitter to their system. Such information need not
be publicly available or even used on messages--it should just be
around so that people who post such messages can be held
accountable for their messages.
I predict that unless actions like these are taken, very restrictive
laws will be passed to control what is perceived as a growing BBS
problem. The right to *anonymous* freedom of speech is not absolute,
and I'm convinced that such BBS-related laws could be framed and
enacted in manners that would be ultimately upheld in court. Perhaps
voluntary actions on the part of honest BBS operators can still help
to make such laws unnecessary.
--Lauren--
------------------------------
Date: 22 Jul 85 20:05:59 EDT
From: AWALKER@RUTGERS.ARPA
Subject: Bletch!!
To: "Inquiring Minds Reject Cruft Like This": ;
Reply-To: AWalker@RUTGERS.ARPA
[From the Star-Ledger, Sunday 21-Jul-85, section 1 page 12,
forwarded without any associated red tape.]
Genius or mania, firms fear compter 'hacking'
by KITTA MacPHERSON
They have been painted as the newest darlings of our technology-driven
era, beating computers at their own game with their brilliance. They
have also been depicted as teenages social outcasts on some kind of
weird power trip, manipulating computer data banks out of pure malice.
But to those who know these young computer "hackers", or "crackers" as
the "straight" computer hobbyists prefer to call them, they are
probably a little bit of both.
No one yet knows whether the charges are true against New Jersey's
"Computer Seven", a group of teenaged boys arrested by South
Plainfield police last week for allegedly using their computers to
steal telephone services and get stolen credit card numbers to buy
merchandise.
But the mere possibility that they may be -- that satellites relaying
long- distance telephone calls were reprogrammed, that defense
department computers were penetrated and that stolen credit card
numbers were openly exchanged -- is sending shock waves through the
business community and forcing some if its members to reevaulate the
security measures of their databases.
"The personal computer is invading corporate America and they don't
understand it," said 28-year-old Ian Murphy, alias "Captain Zap", an
avowed hacker-turned- computer security expert living in Pennsylvania.
"I have a single-spaced, typed list of major corporations, newspapers,
banks, you name it, and the dial-up numbers of their computers. What
it comes down to is that most of these companies have systems that are
actually accessible and they don't believe it."
But some see a deeper issue. "The real issue is not lack of
security," said David Gould, the president of MicroFrame, Inc., a
computer security firm in New Brunswick.
"The real issue is that there is no way in the world that we can close
off our data bases. The nature of information is dissemination and
we, as a society, have decided that information shall be available."
When systems are penetrated, the hacker may be a voyeur, just looking
to see what is there and then mysteriously signing his computer alias.
One systems manager of a large corporation in New Jersey said that
when he logs on to his system in the morning he always finds a message
from "Moonraker" who has been in and out of the system during the
night.
Hackers may enter a system for private gain, perhaps altering a bill
or maliciously charging it to the account of an enemy. With thousands
of entries in a system, data managers find it difficult to catch a
slight change in the records.
Although hackers are often portrayed as lonely geniuses, Murphy and
the others contend that breaking into private data systems is child's
play.
For equipment, you need a computer, a modem which connects two
computers by telephone and a program which will make successive phone
calls.
This program, known as the "demon dialer", can be set up to call every
variation of a four-digit telephone number in a given telephone
exchange. When it connects with another computer during a phone call
-- it will know this when the receiver at the other end answers with a
long "beep" tone -- it will make a notation on its printout.
Now what the hacker sees as the challenge of it all begins. He calls
the computer discovered through the search and begins to guess
passwords. Impossible, right? Wrong.
"Almost everything about computers is logical, that's what we're
always taught," said a systems manager at an Essex County firm.
"But passwords are the exception. People are completely emotional
about it. They use their wives' or childrens' names, something very
personal. Or they are very obvious about it like someone at a
hospital using the word 'nurse'."
Of course, it is also always helpful to have friends on the inside of
a company who can tell you a bit about the person who conjured up a
password giving access to high-level files. Or he can read off the
password -- often taped on an index card to computer terminals or on a
nearby desk.
The trash can has been known to help.
"I can know everything about a company in two or three nights of
'trashing'," said Murphy, whose 1981 arrest by FBI agents for hacking
was one of the first ever in the country.
"There is more information in trash cans. And these companies -- if
they knew, they would say 'Oh my Gosh!'"
Most officials in charge of security at firms say they are faced with
a paradox. Companies want systems that are both secure and easily
accessible to employees.
"It's the old 'user-friendly' problem," said George Lane, director of
planning for Datapro Research Corp. in Delran, which advises clients
on security management.
"People have trouble remembering their passwords. And if you make it
too complicated, they will write it down somewhere nearby for help, or
it may just take too long to get in the system."
Even if companies work at developing intricate passwords, one leak can
doom the integrity of the system. This is because of the existence of
computer bulletin boards -- a computer equipped to answer the
telephone and exchange messages with other computers.
Commercial bulletin boards, operated by firms like Dow Jones and
CompuServe, charge a fee for their use. But there are thousands of
private bulletin boards operated by a hobbyist for a particular
community, for example, users of a particular brand of computer.
It is within these systems that "pirate boards" -- bulletin boards
dedicated to distributing passwords, methods for breaking into private
data systems and stolen credit card numbers -- proliferate.
"I have seen just tons of stolen credit card numbers on some of these
boards," said a 17-year-old Dover youth who was one of those arrested
as the "Computer Seven". "They are traded like baseball cards."
The youth operated a bulletin board called "Private Sector" out of his
home for computer hobbyists interested in telecommunications and
following developments in telephone companies in the post-divestiture
environment.
"To my knowledge, I didn't have anything illegal in my bulletin
board," he said, adding that if he found anything illegal during his
nightly scans of the system, he would delete it.
Police were led to the youth after finding his bulletin board phone
number in the computer file of another of the arrested youths.
Law enforcement officials say it is difficult to pinpoint how many
hackers there may be in the country. But at least 10 million
Americans have purchased personal computers since the beginning of the
computer explosion during the mid-seventies and 10 percent of the
owners are believed to own modems.
Hackers don't necessarily have to be rich -- the price of personal
computers has dropped substantially since their introduction. But
most experts agree that hackers have to have a lot of time on their
hands to explore the hundreds of bulletin boards available and make
the kind of repetitious searches necessary to data break-ins.
Alienated teenagers often fit that bill.
"Computers have a real attraction for people who have problems dealing
with people," said Jonathan Rotenberg, the 22-year-old president of
the Boston Computer Society, the nation's largest computer user group.
"It provides a powerful kind of escape because the computer gives you
immediate approval when people may not. It's an ideal companion and
people get more and more isolated and get wrapped up in the world of
bits and bytes."
Rotenberg, a former "addict" himself, believes the act of hacking
provides a feeling of control that other activities may not offer.
"There is a real sense of power in doing something really impressive
like breaking into a certain data bank," Rotenberg said. "It excites
people who probably haven't been particularly successful in other
things in their lives."
Murphy started fooling around with his Apple ][ in 1973. "I had been
through model rockets and ham radio so it was the next thing in
scientific curiosity," said Murphy, who was sentenced to two and a
half years probation and a $1000 fine for stealing about $300,000 in
phone services.
But the spreading use of easily accessed computer systems has created
an almost irresistible opportunity for experimentation for some of the
hackers.
"I think in most cases these are people who have no intention of
bringing about great harm," Rotenberg said. "It's just an incredibly
exciting puzzle for them to break."
Law enforcement officials fume over this view because this computer
curiosity almost inevitably leads to theft.
"A lot of time spent on computer bulletin boards which is done over
phone lines can often cost a lot of money," said a systems manager for
a university- run computer department in the state. "So, the first
thing you have to do is break the phone company."
First there were the "blue boxes" in the early 1970's, illegally
constructed devices which mimicked the set of tones that directs a
phone call into the long-distance network. AT&T engineers have since
defeated the technology.
But there are new tricks, which are keeping security managers hopping.
"Our switching system is one gigantic computer, which is generally a
closed system and we do build in security measures," said Neal Norman,
district manager for corporate security for AT&T Communications in
Basking Ridge.
"But we have to maintain a certain degree of openness for customers.
If we make it so secure our customers can't use it, we'll be out of
business."
AT&T scientists have developed a system which can tell the difference
between real tones and blue-box generated ones. But this has meant
that hackers have gravitated toward an easier method of fraud -- using
stolen telephone credit card numbers.
Norman said a customer education program has been started warning
credit card users to memorize their number and not carry it around
with them, not to write it down on scraps of paper or on the walls of
a phone booth, and be careful who may be listening if an operator asks
for a recitation of the number in a public place.
The problem of computer hackers attempting to misuse telephone
facilities is a growing one. But Norman said that efforts by his
company and other firms through the newly created Communication Fraud
Control Association may be controlling efforts at a certain level.
Telecommunications companies are not the only ones fighting back.
Hosts of small companies providing equipment and advice to secure data
systems are growing.
Whatever man does, man can undo," said MicroFrame's Gould. What we've
done is we've taken the security requirements of today and we've
introduced sophisticated hardware technology that seems to solve the
problem."
But Gould admits that the persistence of hackers may make the process
an endless one.
"The problem is society has made a very conscious decision to allow
information to be disseminated at a massive level," Gould said.
"Our only alternative may be to get into this leapfrog game where we
have to strive to constantly stay ahead."
------------------------------
Date: Mon, 22 Jul 85 11:35 EST
From: thompson%umass-cs.csnet@csnet-relay.arpa
With regard to the problem of credit card carbons, I see two
possible solutions, one short term and one long term, to prevent
people from getting your number.
Short Term: Simply ask for the carbons from any transaction
you make. You can then render them unreadable yourself. Perhaps, if
you explain to the proprietor why you want them, he won't be
suspicious (assuming of course she is).
Long Term: Use carbonless forms, if these will work in credit
card machines. I don't see why they wouldn't.
Roger Thompson
Thompson@Umass
------------------------------
End of HUMAN-NETS Digest
************************