[misc.headlines] Hacker Scholarship

gcm@mtgzz.UUCP (g.c.mccoury) (06/18/87)

  Wonder why we have so many security problems at our comp centers -
read on.

************************************
From Asbury Park Press (week of 6/15)
************************************

	        APPLE FOUNDER OFFERS SCHOLARSHIP FOR HACKERS
	          - Associated Press

	Boulder, CO - Computer whiz Stephen Wozniak has donated $100,000 for
    a University of Colorado scholarship aimed at developing excellence in
    computer hackers at his alma mater.
	"The value of cracking security codes and understanding them is that it
    generates incredible knowledge," said Wozniak, one of the original hackers
    and co-founder of Apple Computer Inc. 
	Wozniak said he actually encourages the "mildly social deviants" to
    break access and security codes as a way to learn.
	The "Woz" scholarship program is twofold: a tuition grant and a job
    working with the computer science department.
	"There is a misconception that hackers are dangerous to society," 
    Wozniak said. "They are just trying to do things that they are not supposed
    to be able to do."
	As a freshman at CU in 1969, Wozniak tapped into the university's
    computer system to print out reams of mathematical information. Angry 
    university officials placed him on probation, and, he said, on the road to
    Apple Computer.

	...nuff said.

/***************************************************************************
*									   *
*      e N			Grover McCoury				   *
*    B     o			ATT Laboratories(?) [was ISL]		   *
*   y       r m a l  ??		...!ihnp4!mtgzz!gcm			   *
*   h									   *
*     W				I refuse to have a battle of wits	   *
*				  with an unarmed person...		   *
*									   *
****************************************************************************/

andys@genesis.UUCP (a.b.sherman) (06/18/87)

In article <2757@mtgzz.UUCP>, gcm@mtgzz.UUCP writes:
> 
>   Wonder why we have so many security problems at our comp centers -
> read on.
> 
> ************************************
> From Asbury Park Press (week of 6/15)
> ************************************
> 
> 	        APPLE FOUNDER OFFERS SCHOLARSHIP FOR HACKERS
> 	          - Associated Press
> 
> 	Boulder, CO - Computer whiz Stephen Wozniak has donated $100,000 for
>     a University of Colorado scholarship aimed at developing excellence in
>     computer hackers at his alma mater.
> 	"The value of cracking security codes and understanding them is that it
>     generates incredible knowledge," said Wozniak, one of the original hackers
>     and co-founder of Apple Computer Inc. 
> 	Wozniak said he actually encourages the "mildly social deviants" to
>     break access and security codes as a way to learn.
> 	As a freshman at CU in 1969, Wozniak tapped into the university's
>     computer system to print out reams of mathematical information. Angry 
>     university officials placed him on probation, and, he said, on the road to
>     Apple Computer.
> 
> 	...nuff said.


First, I think that used to be done here with blue-boxers. 
However toll fraud is now a multi-million dollar industry that is no
longer cute, no longer funny and no longer tolerable to our
business.

Second, I think the social deviance is more than mild when people
hack away at other people's work or learning environment.  It is one
thing to figure out how to become root.  It is quite another to use
that knowledge to make it impossible for other people (NOT faceless
representatives of Ma Bell, but PEOPLE) to do their work.  Somebody
who thinks it's cute to cream the root file system of somebody
else's computer is extremely anti-social.  Real people have their
livelihoods, and professional reputations tied up with the data that
is lost, and suffer from real depression and frustration when it
happens.

Screw Wozniak and send the bastards to jail.
-- 
andy sherman / at&t bell laboratories (medical diagnostic systems)
room 2h-097 / 480 red hill road / middletown, nj 07748
(201) 615-5708 / andys@shlepper.ATT.COM
...The views and opinions are my own.  Who else would want them?

mel1@houxa.UUCP (06/19/87)

I agree with much of what Andy says, but feel that his anger should
mostly be directed to the people who consciously allow the hackers
to do so much damage.  Woz's work was done several generations of
system software and hardware ago.  The holes were well known then
and still allowed to exist.  They exist now and are still allowed
to exist.  Why?  Who makes these decisions?  Why?

The DES algorithm is now quite old, but still not used in computer
hardware.  Why?  Call back and random password techniques are readily
available, but aren't used.  Why?  Data communication protocols are
well into the standards making procedure, but don't include
encryption capabilities.  Why?  Our computer systems can be designed
to be reliable and fault tolerant, but still require "superuser"
gurus to administer them.  Why?

I think the damage is being done by the people who bury their heads
in the sand and foist these security horrors onto the public, not
the college kid hackers.

Make it so that nothing gets onto any storage hardware in clear text.
Don't allow anyone to get access to the system without their handy-dandy
vest pocket gadget.  Don't put anything over any line or cable in
clear text.  Don't let anybody, ever, get into the system with
"privileged" access.  ----  Then, do as Woz suggests, and pay the
brightest and best to find holes in the defenses.  And pay rewards
for being a hacker and learning the next generation of techniques to
cause problems.  ----  Then DO SOMETHING about the problems, don't let
another 12 years or so go by with heads buried.

   Mel Haas  ,  odyssey!mel

gnu@hoptoad.uucp (John Gilmore) (06/19/87)

A.B.Sherman, apparently from AT&T, complained about Steve Wozniak
giving a $100K/yr scholarship for young hackers.  [I can't cross-post
to att.workplace from here, sorry.]

Indeed, Woz used to hack the phone system.  But I don't think he
committed much "toll fraud" in the sense of getting communications
service for free.  Just like many people who use other people's
computers don't use them to make money, just use them to learn on.
This is often encouraged in the computer community; we all learn
faster, and bright kids get to play with 'the real stuff' so by
the time they get a job they will know a lot about what's going on.
Woz was exploring how the phone network is built, as we might explore
the wonders of tty handling, the contents of /lib, or the rare
treasures of comp.binaries.ibm.pc.

>                                                            It is one
> thing to figure out how to become root.  It is quite another to use
> that knowledge to make it impossible for other people (NOT faceless
> representatives of Ma Bell, but PEOPLE) to do their work.  Somebody
> who thinks it's cute to cream the root file system...

Woz's comments in the article were pretty clear.

        "There is a misconception that hackers are dangerous to society,"
    Wozniak said. "They are just trying to do things that they are not
    supposed to be able to do."

He wants to reward young people who explore the limits of today's
technology and find its weaknesses.  (It's up to us, who develop
tomorrow's technology, to fix what they find.  You can't claim somebody
is ripping you off if you leave your door wide open.  The kids will
probably be glad to help us.)  Woz is not out to teach kids how to
destroy a system, but how to learn about a system.  That knowledge can
be used for Good or E-vill as can all knowledge.  Nobody will be
teaching how to cream root file systems.

> However toll fraud is now a multi-million dollar industry that is no
> longer cute, no longer funny and no longer tolerable to our
> business.

OK, toll fraud is no longer tolerable to your business.  Why don't you
stop it?  Stop assigning account numbers that are printed in
directories in every home.  Stop printing the security code (password)
on the credit card.  Allow the user to change the password.  Basically,
treat it like an access control rather than an unchecked billing
number.  About 1980, Sprint was massively hacked by youngsters.  They
were using 5-digit account numbers and assigning them in groups; with
15 minutes' work at a touchtone pad you could come up with 3 or 4
account numbers that worked fine for 'toll fraud'.  After a year or two
of this, Sprint wised up, lengthened the numbers, assigned them at
random, and tacked on 2 more digits if you were not using your 'home CO',
making brute force attack impractical.  They didn't go yelling about
blue boxes or buying congressmen to make 'hurting the phone company' a
criminal offense, they fixed the problem.  Why hasn't AT&T done this?
-- 
{sun,ptsfa,lll-crg,ihnp4,ucbvax}!hoptoad!gnu	       gnu@ingres.berkeley.edu
Kudos to Stargate for permitting redistribution.   May the Source be with you!

baum@apple.UUCP (Allen J. Baum) (06/19/87)

--------
[]
>In article <345@genesis.UUCP> andys@genesis.UUCP (a.b.sherman) writes:
>In article <2757@mtgzz.UUCP>, gcm@mtgzz.UUCP writes:
>> 
>> 
>> 	        APPLE FOUNDER OFFERS SCHOLARSHIP FOR HACKERS
>> 	          - Associated Press
>> 
>> 	Boulder, CO - Computer whiz Stephen Wozniak has donated $100,000 for
>>     a University of Colorado scholarship aimed at developing excellence in
>>     a University of Colorado scholarship aimed at developing excellence in
>>     computer hackers at his alma mater.........
>> 	"The value of cracking security codes and understanding them is that it
>>   generates incredible knowledge," said Wozniak, one of the original hackers
>>     and co-founder of Apple Computer Inc. 
>
>....... I think the social deviance is more than mild when people
>hack away at other people's work or learning environment.  It is one
>thing to figure out how to become root.  It is quite another to use
>that knowledge to make it impossible for other people (NOT faceless
>representatives of Ma Bell, but PEOPLE) to do their work.  Somebody
>who thinks it's cute to cream the root file system of somebody
>else's computer is extremely anti-social.  Real people have their
>livelihoods, and professional reputations tied up with the data that
>is lost, and suffer from real depression and frustration when it
>happens.
>
>Screw Wozniak and send the bastards to jail.

I don't believe Woz is advocating creaming a file system. He is
advocating breaking the file system security, and learning a lot
about the guts of the system in the process (like he did). He
believes this kind of hands-on experience is the best way to learn,
and that people are responsible and wouldn't abuse this system of
learning (I didn't say he wasn't naive and idealistic)
--
{decwrl,hplabs,ihnp4}!nsc!apple!baum		(408)973-3385

hah@isum.intel.com (Hans Hansen) (06/20/87)

In article <345@genesis.UUCP> andys@genesis.UUCP (a.b.sherman) writes:
>In article <2757@mtgzz.UUCP>, gcm@mtgzz.UUCP writes:
>> 
>>   Wonder why we have so many security problems at our comp centers -
>> read on.
>> 
>> ************************************
>> From Asbury Park Press (week of 6/15)
>> ************************************
>> 
>> 	        APPLE FOUNDER OFFERS SCHOLARSHIP FOR HACKERS
>> 	          - Associated Press
>> 
>First, I think that used to be done here with blue-boxers. 
>However toll fraud is now a multi-million dollar industry that is no
>longer cute, no longer funny and no longer tolerable to our
>business.
>
>Second, I think the social deviance is more than mild when people
>hack away at other people's work or learning environment.  It is one
>thing to figure out how to become root.  It is quite another to use
>that knowledge to make it impossible for other people (NOT faceless
>representatives of Ma Bell, but PEOPLE) to do their work.  Somebody
>who thinks it's cute to cream the root file system of somebody
>else's computer is extremely anti-social.  Real people have their
>livelihoods, and professional reputations tied up with the data that
>is lost, and suffer from real depression and frustration when it
>happens.
>
>Screw Wozniak and send the bastards to jail.
>-- 
>andy sherman

It's too bad that you failed to fully reason this out before firing off
your followup.

What Woz is trying to do will IMPROVE systems security not destroy it.
As more holes are found and plugged all computer users will benefit,
INCLUDING Ma Bell!  If anything all security conscious companies should
follow Woz's lead.  The fact that it is so easy to rip off the Phone
Company should SHOUT that you have major problems.  Don't stick your
head in the sand and expect the problems to go away!  Donate computer
systems with your latest software to schools and have them HACK away
in a controlled environment.  Find your BACK DOORS and put locks on
them!  If this is handled correctly it can be a BIG win for the whole
computer using society.

As far as Woz being ANTI-SOCIAL, I think if you just calm down and
reassess his true intent you will come to the conclusion that he is
a real leader!

Hans

apc@cblpe.UUCP (06/20/87)

In article <2318@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>You can't claim somebody
>is ripping you off if you leave your door wide open.
>

Why the 'ell not!  It is my stuff inside my house, you know it,
and I know it.  Just cause I leave my door wide open, is NOT
a statement of lack of ownership.

Jeez, what is today's society coming to if it can only be considered
theft if you break through six locks, three alarm systems, kill
four guard dogs, etc.

Mine is mine, not yours!!!

(I am upset, obviously!)
-- 
"Are you sure you won't change your mind?"           | Alan P. Curtis
"Is there something wrong with the one I have?"      | AT&T,BTL,CB
-----------------------------------------------------| apc@cblpe.ATT.COM
Copyright (c) 1987.  Use for profit not allowed.     | !cbosgd!cblpe!apc  

jdia@osiris.UUCP (Josh Diamond) (06/20/87)

In article <532@houxa.UUCP>, mel1@houxa.UUCP (M.HAAS) writes:
...
> The DES algorithm is now quite old, but still not used in computer
> hardware.  Why? 
...
>    Mel Haas  ,  odyssey!mel

According to many, the DES algorithm is not used because the feds designed it 
so that THEY could break it.  The NSA doesn't want any codes being used that
they can't break.  

This is why people who really want to seriously encrypt their messages/data
use RSA public key encryption.  This supposedly beats DES any day. 31 Bit key 
for DES vs. huge (50 decimal digit) prime for RSA.  RSA wins.

BTW, I don't think NSA / DOD / CIA super secret goop is done using DES.


Nonetheless, there is no excuse for not using some standard kind of encryption
for each system, especially sensitive network links.


						Spidey!

-- 
DON'T PANIC!!!                                              \_\ /_/  Yes, it is
                                                             _[*]_   supposed to
A message from Spidey, and the Spidey Team.  ------>>>>     / / \ \  look like a
Reachable via UUCP: ...[seismo,mimsy]!jhu!osiris!jdia                spider!

worley@dana.UUCP (John Worley) (06/21/87)

Mel Haas (odessy!mel) writes:

> The holes were well known then
> and still allowed to exist.  They exist now and are still allowed
> to exist.  Why?  Who makes these decisions?  Why?

    Can you say $$$,$$$,$$$?  I thought you could.

> The DES algorithm is now quite old, but still not used in computer
> hardware.  Why?  Call back and random password techniques are readily
> available, but aren't used.  Why?  Data communication protocols are
> well into the standards making procedure, but don't include
> encryption capabilities.  Why?  Our computer systems can be designed
> to be reliable and fault tolerant, but still require "superuser"
> gurus to administer them.  Why?
> 
> I think the damage is being done by the people who bury their heads
> in the sand and foist these security horrors onto the public, not
> the college kid hackers.

FLAME ON!

    ARGH!!  This is equivalent to suggesting personal armor is the solution
to violent crime!!  Are victims of muggings, rape, murder, etc., at fault
because they "bury their heads in the sand" and expect reasonable behavior
from their fellow humans?!

FLAME OFF (heat still on)

    When I was at UCLA, there was a freshman who managed to get access to
our 4.1 UNIX system, and proceeded to go traipsing all over the ARPA net
using well-known security holes.  This twit was far from "the best and the
brightest" - he was a fool who got off on stealing other people's accounts.
To the best of my knowledge, he ended up doing community service, and I say
AMEN! HE PAID FOR HIS CRIME!

    "Kid hackers" are not doing anything constructive, adventurous, or even
cute, any more than the kid trying to break into your car to take it for a
joy ride  (In fact, the California penal code makes no distinction between
the taking of another's car temporarily or permanently).  A computer system,
whether private, corporate or academic, is as much private property as your
house, car or stereo.  If you leave your front door unlocked, is it OK for
anyone off the street to just walk right in?  If you leave your bicycle for
a few minutes, is it OK for anyone to just walk up and borrow it? Breaking
system security is a malicious activity and a direct, deliberate violation
of private property!

    As Andy Sherman (andys@shlepper.ATT.COM) said: Screw Wozniak and send the
bastards to jail!

					John Worley
					hplabs!dana!worley

Disclaimer:	The opinions expressed herein are mine solely and do not
		reflect those of Dana Computer, its other employees, or
		its customers.

edw@ius2.cs.cmu.edu (Eddie Wyatt) (06/22/87)

  Mel Haas seems to advocate the philosophy similar to if you don't
protect yourself then you deserve what you get.  I don't think most people
would say that just because you make yourself vulnerable you deserve to
become a victim.

  There are measures one can take to prevent becoming a victim however, and
this is the stand I believe Wozniak is taking.  As an example - just because
you leave your car unlocked doesn't mean that you are asking someone to steal
your car, but also you should realize that the chances of it getting
stolen are greater.  If you install an alarm system or steering wheel
lock then the chances of it getting stolen are less.

  To install an alarm system, so to speak, in a computer system
you must first understand how the thief is breaking the existing
security features.  As others have pointed out, the problem of
hackers breaking your systems won't go away with a wave of legislation's
magic wand.

  The computer science community should do everything possible to improve
security. The first step in this process is to find the loopholes
in existing systems.  Second fix  these loopholes.  And finally
incorporate these changes in new systems.

   This method of course has some practical throw backs, such as
in finding loopholes in a system, any other company that owns
such a system is now vulnerable if such knowledge is made publicly
available.

  Let me share three cases of security problems I know of.


	case 1. (Source OS class)  Linear password decomposition algorithm.

	Two very interesting utilities in a certain unknown OS combined to
	provide a technique of decoding any password in linear time respective
	of the length of the password.  The utilities were a facility
	for determining when a page fault occurred in an application
	program so that the user could finely tune a program's performance
	and the other happened to be the password utility and the way
	in which it was coded.  The password function read in a character
	at a time and compared it to the system password.  If the given
	character didn't match, the password function would jump to another
 	place in the program causing a page fault, then continue reading the
	rest of the password.  One can obviously see how the method
	works.  Type in a character, see if there is a page fault.
	If so, start again with new character else look for next 
	character in password.  The fix to the problem is also obvious,
	that is read the whole password before testing to see if it
	matches the system password.


	case 2. (Source the University I used to attend) Reduced
	search space algorithm.

	At the university I used to attend, they used to issue the
	initial passwords to the user's birthday.  Well, this made a
	brute force attempt at decoding passwords feasible, I need
	not say more.  The fix here was to initialize the passwords
	to some 7 digit random number.

	case 3. (Source the University I used to attend and a high
	school near where I lived - 2 different systems) 

	I don't know what the actual bug in each system was, but
	I do know of the results.  Someone had access to the grade
	accounts and for a small fee, would change that D or F to 
	a B or A.  As I understand this may have been going on
	for years.  At the high school the person that committed
	the act was caught and was only expelled for a year.
	At the university, as far as I know no-one was caught for
	grade changing.  The person that pointed out the problem,
	by actually committing the act for the administration to
	see, caught an unreasonable amount of flak and may have
	had charges brought against him/her.
-- 
					Eddie Wyatt

e-mail: edw@ius2.cs.cmu.edu

terrorist, cryptography, DES, drugs, cipher, secret, decode, NSA, CIA, NRO.
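
Cases 1 and 2 from the post above, as an added example that is not part of the original thread: the character-at-a-time check beside the "read the whole password first" fix, with an audit that tells the two apart, and the search-space arithmetic behind the birthday fix. The alphabet, function names and sample password are assumptions made for illustration.

```python
import hmac
import secrets
import string

# Assumed password alphabet (36 symbols); the post does not give one.
ALPHABET = string.ascii_lowercase + string.digits


def check_early_exit(stored, guess):
    """Case 1 as described: each character is tested as it is read.

    Returns (accepted, observable). `observable` is the index of the first
    wrong character, a stand-in for the page-fault signal in the post.
    """
    first_bad = None
    for i, ch in enumerate(guess):
        if first_bad is None and (i >= len(stored) or ch != stored[i]):
            first_bad = i  # the mismatch branch is visible to the caller
    accepted = first_bad is None and len(guess) == len(stored)
    return accepted, first_bad


def check_whole_input(stored, guess):
    """The fix from the post: read the whole password, then compare once.

    hmac.compare_digest does not stop at the first differing byte, so the
    only thing the caller learns is accept or reject.
    """
    accepted = hmac.compare_digest(stored.encode(), guess.encode())
    return accepted, None


def leaks_position(checker, stored):
    """Audit a checker: does its observable depend on where a guess fails?"""
    seen = set()
    for pos in range(len(stored)):
        wrong = next(c for c in ALPHABET if c != stored[pos])
        guess = stored[:pos] + wrong + stored[pos + 1:]
        accepted, observable = checker(stored, guess)
        if accepted:
            raise RuntimeError("checker accepted a wrong password")
        seen.add(observable)
    return len(seen) > 1


def worst_case_guesses(length, alphabet_size, leaks):
    """Guesses a checker tolerates before a password of `length` falls."""
    if leaks:
        return length * alphabet_size      # one position at a time: linear
    return alphabet_size ** length         # whole password at once


def birthday_space(years_covered):
    """Case 2: distinct initial passwords if they are birthdays."""
    return 366 * years_covered             # 366 to include 29 February


SEVEN_DIGIT_SPACE = 10 ** 7


def random_initial_password():
    """Case 2 fix: a 7-digit number from the OS CSPRNG, zero-padded."""
    return f"{secrets.randbelow(SEVEN_DIGIT_SPACE):07d}"


if __name__ == "__main__":
    stored = "s3cretpw"  # constructed sample, not from the thread
    for checker in (check_early_exit, check_whole_input):
        leaks = leaks_position(checker, stored)
        print(checker.__name__, "leaks position:", leaks,
              "worst case:", worst_case_guesses(len(stored), len(ALPHABET), leaks))
    print("birthdays over 10 years:", birthday_space(10),
          "vs 7 random digits:", SEVEN_DIGIT_SPACE)
```
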

mwm@eris.BERKELEY.EDU (Mike (My watch has windows) Meyer) (06/22/87)

In article <532@houxa.UUCP> mel1@houxa.UUCP (M.HAAS) writes:
<to exist.  Why?  Who makes these decisions?  Why?

The people who design computer systems make some of them, the people
who run them make others.

<Why?  Call back and random password techniques are readily
<available, but aren't used.  Why? 

Sorry, but call back and random password technology *are* used. Just
not widely. Why? Because they tend to cost more, and make getting
to a system harder for the legitimate users as well as crackers (*not*
hackers - hackers you put on your payroll and let them make your
system a nicer place to be).

<Why?  Our computer systems can be designed to be reliable and fault
<tolerant, but still require "superuser" gurus to administer them. 

Reliable and fault tolerant? Hmmm. The few I know of that actually are
cost lots of extra $$$s.

As for needing gurus, simple systems (a Macintosh, say) don't require
gurus to administer them. But a box that supports 20+ users is
noticeably more complicated than a Macintosh, so you expect it to be
more complicated to run.

<I think the damage is being done by the people who bury their heads
<in the sand and foist these security horrors onto the public, not
<the college kid hackers.

Oh, horse pucky. You can buy secure systems if you want to. But they
cost (and cost, and cost). The public (since individuals very seldom
buy multi-user boxes, "the public" is actually closer to "corporate
america") chooses to spend fewer dollars for less security.

<Make it so that nothing gets onto any storage hardware in clear text.

How much extra will this cost? And what do you do about moving things
to other sites with different hardware and character sets?

<Don't allow anyone to get access to the system without their handy-dandy
<vest pocket gadget. 

How much more does this cost than a simple lock? How about the extra
inconvenience of having to carry a passcard and a key?

<Don't put anything over any line or cable in clear text.

How much does it cost? What do you do for dialin lines?

<Don't let anybody, ever, get into the system with "privileged" access.

So how do you do maintenance things that require privileges, like
reading all the files to back them up to tape? Privileged programs? So
who gets the privs needed to create those? The vendor supplies them
all (snicker)?

<Then, do as Woz suggests, and pay the
<brightest and best to find holes in the defenses.  And pay rewards
<for being a hacker and learning the next generation of techniques to
<cause problems.  ----  Then DO SOMETHING about the problems, don't let
<another 12 years or so go by with heads buried.

All of which costs money. This cost gets passed back to your
customers. Pretty soon, most of your customers have gone to a less
secure and less costly system.

You forgot some important things, though. Make sure that *no* lines
carrying data go outside the machine/terminal rooms. Make sure both
rooms are EMF tight, including filtering on the power line. Of course,
that all costs money too.

Face it: what people are willing to spend on security is less than the
perceived costs of having a system broken into. For most people,
that's significantly less than what real security costs, so they
settle for a placebo.

	"The only secure computer is one that's turned off."
	<mike
--
How many times do you have to fall			Mike Meyer
While people stand there gawking?			mwm@berkeley.edu
How many times do you have to fall			ucbvax!mwm
Before you end up walking?				mwm@ucbjade.BITNET

roger@celtics.UUCP (Roger B.A. Klorese) (06/22/87)

In article <532@houxa.UUCP> mel1@houxa.UUCP (M.HAAS) writes:
>I think the damage is being done by the people who bury their heads
>in the sand and foist these security horrors onto the public, not
>the college kid hackers.
>
And, in the same vein:

- Don't blame the burglar, blame the guy with inadequate alarms.
- Don't blame the murderer, blame the guy who goes out without
  suitable body armor.
- Don't blame the rapist, blame the woman who's "asking for it"...

>Make it so that nothing gets onto any storage hardware in clear text.
>Don't allow anyone to get access to the system without their handy-dandy
>vest pocket gadget.  Don't put anything over any line or cable in
>clear text.  Don't let anybody, ever, get into the system with
>"privileged" access.

Don't walk down the street at night.
Don't answer your door.
Don't answer your phone.
Lock up your daughters...

>----  Then, do as Woz suggests, and pay the
>brightest and best to find holes in the defenses.  And pay rewards
>for being a hacker and learning the next generation of techniques to
>cause problems.  ----  Then DO SOMETHING about the problems, don't let
>another 12 years or so go by with heads buried.

Why do people seem to think that the advent of computers has liberated
them from moral education?  Electronic crime is still crime.  Would you
applaud your local police picking up street gang members, and, instead of
punishing them, paying them to teach how to perform assaults?  I agree
that it is important to beef up security... but this "aren't hackers 
cute?" mentality is the MAJOR threat.  Someone who destroys a financial
record should be jailed for robbery.  It's THAT simple.  I don't care
if your tool is a jimmy or a keyboard.  Scum is scum, no matter how
high-tech the pond it's floating atop.
-- 
 ///==\\   (No disclaimer - nobody's listening anyway.)
///        Roger B.A. Klorese, CELERITY (Northeast Area)
\\\        40 Speen St., Framingham, MA 01701  +1 617 872-1552
 \\\==//   celtics!roger@seismo.CSS.GOV - seismo!celtics!roger

roger@celtics.UUCP (Roger B.A. Klorese) (06/22/87)

In article <2318@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>(It's up to us, who develop tomorrow's technology, to fix what they find.  
>You can't claim somebody is ripping you off if you leave your door wide open.)

You certainly can.  You can't accuse them of illegal entry (and if you post
a warning about illegal entry at login, you CAN accuse them of it if they
stay), but if they steal or destroy anything, they are thieves and vandals,
even if the door was open.
-- 
 ///==\\   (No disclaimer - nobody's listening anyway.)
///        Roger B.A. Klorese, CELERITY (Northeast Area)
\\\        40 Speen St., Framingham, MA 01701  +1 617 872-1552
 \\\==//   celtics!roger@seismo.CSS.GOV - seismo!celtics!roger

roger@celtics.UUCP (Roger B.A. Klorese) (06/22/87)

In article <2318@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>They didn't go yelling about blue boxes or buying congressmen to make 
>'hurting the phone company' a criminal offense, they fixed the problem.

No, they haven't.  The problem is not that people CAN steal phone service,
but that they DO.  'Hurting' ANYONE already IS a criminal offense.  It's
just that information-age dreamers seem to feel that, if it's magnetic, 
it belongs to the world, and the burden of security is on the owner.  Well,
the burden of morality is on each of us.  Teach these kids morals, teach 
them the rights of property and privacy... then turn them loose.  If they
find that they can get somewhere they shouldn't, teach them that their first 
and only obligation is to report the holes.  Then reward the ones who do,
not because they're caught but because they know it's the right thing to do.

-- 
 ///==\\   (No disclaimer - nobody's listening anyway.)
///        Roger B.A. Klorese, CELERITY (Northeast Area)
\\\        40 Speen St., Framingham, MA 01701  +1 617 872-1552
 \\\==//   celtics!roger@seismo.CSS.GOV - seismo!celtics!roger

sl@van-bc.UUCP (Stuart Lynne) (06/23/87)

In article <497@cblpe.ATT.COM> apc@cblpe.ATT.COM (55212-Alan Curtis) writes:
>In article <2318@hoptoad.uucp> gnu@hoptoad.uucp (John Gilmore) writes:
>>You can't claim somebody
>>is ripping you off if you leave your door wide open.
>>
>
>Why the 'ell not!  It is my stuff inside my house, you know it,
>and I know it.  Just cause I leave my door wide open, is NOT
>a statement of lack of ownership.
>
>Jeez, what is today's society coming to if it can only be considered
>theft if you break through six locks, three alarm systems, kill
>four guard dogs, etc.
>
>Mine is mine, not yours!!!
>
>(I am upset, obviously!)
>-- 

In this case the analogy (metaphor) used is a very poor one.

Walking into someone's house and taking something is theft. It is a
criminal act. This is because most civilized states pass laws making it so.

Unfortunately "breaking" into a computer system is not covered by these same
laws. Until specific laws are passed making it illegal and criminal it
simply isn't. (Fortunately this is SLOWLY happening!)

Until such time as there are straight forward criminal statutes covering
illegal access to computer services you will only have recourse via a civil
suit against the parties involved.

Some of the differences of civil vs. criminal proceedings do have to do with
how well you have protected yourself. If you don't take reasonable
precautions to prevent people from damaging your property you cannot expect
the courts to do so. As technology improves the amount of protection you
must undertake also increases, simply because it is more reasonable to do
so.

An extreme but related example of this type of suit is the current practice
of the courts to lower awards to accident victims who did not wear their
seat belts (at least in Canada). If the plaintiff was awarded (for example)
$1 million, this will be reduced (for example) by 33% if the court feels
that this is the amount of additional damages that were received due to not
wearing the seat belt.

The bottom line is that you cannot equate (as many people do) the civil and
criminal justice systems. Different principles apply, different precedents
and procedures. For the most part criminal proceedings are largely based on
statute law, civil suits are judged on case or precedent law. And until
something is covered by criminal law your only recourse will be the civil
courts. And they simply operate under different assumptions. Just because
you want it to be against the law doesn't make it so. And just because it
isn't against the law doesn't mean you can't sue them if they damage your
property.

Aside: The level of proof is often lower in civil suits. While in criminal
actions there must be no uncertainty (because of the harsh remedies), civil
law often only requires preponderance of the evidence. So it may actually be
easier to get a favourable ruling in a civil court where you wouldn't in a
criminal action.





-- 
Stuart Lynne	ihnp4!alberta!ubc-vision!van-bc!sl     Vancouver,BC,604-937-7532

gls@odyssey.UUCP (06/23/87)

In article <345@genesis.UUCP>, andys@genesis.UUCP (a.b.sherman) writes:
> 
> Screw Wozniak and send the bastards to jail.

That's too lenient.  Instead, we'll make them all SYSTEM ADMINISTRATORS!


	"Hey, Rocky!  Watch me pull a UNIX program out of my
	   source directory!"
	"AGAIN?"
	"Nothin' up my sleeve ... PRESTO!"

		IDENTIFICATION DIVISION.
		PROGRAM-ID.  PROCESS-DATA.
		AUTHOR-NAME.  B. J. MOOSE, FROSTBYTE DATA SYS.
		SOURCE-COMPUTER.  IBM-7044.
		OBJECT-COMPUTER.  IBM-7044.
		. . .

	"No doubt about it--I gotta get a new source directory!"
-- 
Col. G. L. Sicherman
...!ihnp4!odyssey!gls

tim@ism780c.UUCP (Tim Smith) (06/23/87)

In article <2757@mtgzz.UUCP> gcm@mtgzz.UUCP (g.c.mccoury) writes:
< 
<   Wonder why we have so many security problems at our comp centers -
< read on.

You have so many security problems because you have idiots running
your comp centers.
-- 
Tim Smith, Knowledgian		{sdcrdcf,seismo}!ism780c!tim

tim@ism780c.UUCP (Tim Smith) (06/23/87)

In article <497@cblpe.ATT.COM> apc@cblpe.ATT.COM (55212-Alan Curtis) writes:
< Why the 'ell not!  It is my stuff inside my house, you know it,
< and I know it.  Just cause I leave my door wide open, is NOT
< a statement of lack of ownership.

No, but it is a statement of lack of intelligence.  If I have a computer
with important stuff on it, and if I have a security problem, I would
rather find out about it by having someone break in for fun and tell me
about it rather than by having someone who wants to do damage break in
and destroy things.
-- 
Tim Smith, Knowledgian		{sdcrdcf,seismo}!ism780c!tim

tim@ism780c.UUCP (Tim Smith) (06/23/87)

In article <183@dana.UUCP> worley@dana.UUCP (John Worley) writes:
< 
<     ARGH!!  This is equivalent to suggesting personal armor is the solution
< to violent crime!!  Are victims of muggings, rape, murder, etc., at fault
< because they "bury their heads in the sand" and expect reasonable behavior
< from their fellow humans?!

If you walk through a neighborhood that is known to have a high crime rate,
holding a few thousand-dollar bills visible in your hands, alone, and
you get robbed, I am not going to have much sympathy for you.

There are unreasonable people in the world.  Expecting reasonable behavior
from everyone is ignoring reality, which is rarely a good idea.
-- 
Tim Smith, Knowledgian		{sdcrdcf,seismo}!ism780c!tim

barmar@think.uucp (Barry Margolin) (06/24/87)

In article <1594@celtics.UUCP> roger@celtics.UUCP (Roger B.A. Klorese) writes:
>  Would you
>applaud your local police picking up street gang members, and, instead of
>punishing them, paying them to teach how to perform assaults?  

Often the "punishment" for some crimes is community service.  These
gang members might be good candidates for teaching self-defense at the
Y.

								I agree
>that it is important to beef up security... but this "aren't hackers 
>cute?" mentality is the MAJOR threat.  Someone who destroys a financial
>record should be jailed for robbery.  It's THAT simple.  I don't care
>if your tool is a jimmy or a keyboard.  Scum is scum, no matter how
>high-tech the pond it's floating atop.

I don't think anyone who destroys financial records will be awarded
one of Woz's scholarships.  The candidates will more likely be the ones
who bring an administrator over to their terminal and say, "All I have
to do is type '...' and your financial records would be ruined;
however, if you had done X I wouldn't be able to do it."

What this discussion needs is another good analogy.  Many techniques
can be used for good and evil.  Locksmithing is an important
profession; isn't Woz's scholarship similar to a locksmith school
giving scholarships to people who have demonstrated talent in picking
locks?  I'm sure most locksmiths and many stage magicians started out
by picking locks.

Yes, there are problems if people with these talents have moral
problems.  I think it was once said that we were lucky that Houdini
never turned to crime, because no handcuffs or prison could hold him.
But if you were looking for someone to put on a show, there was none
finer.

Another analogy: the technology that is used to build nuclear reactors
is the same as that for atomic bombs.  Should the study of nuclear
physics be disallowed because it might be used to destroy the world?

ken@argus.UUCP (Kenneth Ng) (06/24/87)

In article <6677@ism780c.UUCP>, tim@ism780c.UUCP (Tim Smith) writes:
> In article <497@cblpe.ATT.COM> apc@cblpe.ATT.COM (55212-Alan Curtis) writes:
> < Why the 'ell not!  It is my stuff inside my house, you know it,
> < and I know it.  Just cause I leave my door wide open, is NOT
> < a statement of lack of ownership.
> No, but it is a statement of lack of intelligence.  If I have a computer
> with important stuff on it, and if I have a security problem, I would
> rather find out about it by having someone break in for fun and tell me
> about it rather than by having someone who wants to do damage break in
> and destroy things.
> Tim Smith, Knowledgian		{sdcrdcf,seismo}!ism780c!tim

I don't see how this is relevant to the hacker scholarships.  A hacker is
one who explores the universe and fixes bugs.  By that very definition
the creeps that go around and destroy systems are no different than
vandals or other common thieves.  Let's get the definition of 'hacker'
correct.

... This signature was put in in a way to bypass the 
... bogus artificial line limit on the .signature file.
... Also, by its length it adds fodder to help avoid having
... my followups being bounced due to the restriction on
... followup articles.

Kenneth Ng: Post office: NJIT - CCCC, Newark New Jersey  07102
uucp !ihnp4!allegra!bellcore!argus!ken *** NOT ken@bellcore.uucp ***
bitnet(prefered) ken@orion.bitnet

ken@argus.UUCP (Kenneth Ng) (06/24/87)

In article <1594@celtics.UUCP>, roger@celtics.UUCP (Roger B.A. Klorese) writes:
>.. but this "aren't hackers 
> cute?" mentality is the MAJOR threat.  Someone who destroys a financial
> record should be jailed for robbery.

But by definition these people aren't hackers, they are just scum.
The true definition of a hacker is one who explores and *FIXES* problems.

... This signature was put in in a way to bypass the 
... bogus artificial line limit on the .signature file.
... Also, by its length it adds fodder to help avoid having
... my followups being bounced due to the restriction on
... followup articles.

Kenneth Ng: Post office: NJIT - CCCC, Newark New Jersey  07102
uucp !ihnp4!allegra!bellcore!argus!ken *** NOT ken@bellcore.uucp ***
bitnet(prefered) ken@orion.bitnet

dlo@drutx.ATT.COM (OlsonDL) (06/24/87)

[]

In article <871@van-bc.UUCP>, sl@van-bc.UUCP (Stuart Lynne) writes:
> Walking into someone's house and taking something is theft. It is a
> criminal act. This is because most civilized states pass laws making it so.

> Unfortunately "breaking" into a computer system is not covered by these same
> laws. Until specific laws are passed making it illegal and criminal it
> simply isn't. (Fortunately this is SLOWLY happening!)

Are you sure about that?  My understanding is that it is definitely
illegal.  I don't know the details, but I heard that recently someone
was caught breaking into SPRINT and got his butt carted off to jail.

David Olson
..!ihnp4!drutx!dlo

"Eliminate the impossible, my dear doctor, and whatever remains, however
improbable, must be the truth."  -- Sherlock Holmes

atsg@ssc-vax.UUCP (Dennis P. McClure) (06/24/87)

That was worth about 2 cents (or less).

rha@bunker.UUCP (The Minister of Myrth) (06/24/87)

In article <871@van-bc.UUCP> sl@van-bc.UUCP (Stuart Lynne) writes:

>Walking into someone's house and taking something is theft. It is a
>criminal act. This is because most civilized states pass laws making it so.

>Unfortunately "breaking" into a computer system is not covered by these same
>laws. Until specific laws are passed making it illegal and criminal it
>simply isn't. (Fortunately this is SLOWLY happening!)

>Some of the differences of civil vs. criminal proceedings do have to do with
>how well you have protected yourself. If you don't take reasonable
>precautions to prevent people from damaging your property you cannot expect
>the courts to do so. As technology improves the amount of protection you
>must undertake also increases, simply because it is more reasonable to do
>so.

     If I admit someone into my home and this person walks into my bedroom
while I'm in the bathroom and steals my wife's necklace from her jewelry box,
this person is guilty of larceny.  If my office has no reception area but
someone walks in and takes some files out of my file cabinet without my
consent, that person is guilty of larceny.

     Electronically stored information should be no different from any other
tangible good.  If a computer system has even basic security features and
this security is violated by someone who is not authorized, then this person
should be guilty of either larceny or breaking and entering, whichever is
more applicable to the particular circumstance.

     I defend the Freedom of Information Act with all that I have.  However,
there are normal, accepted channels for acquiring this information.  These
channels DO NOT include hacking.

     ...just one man's opinion.

-- 
                       {yale!,decvax!,philabs!}bunker!rha                    
                            Bob "Such a Deal" Averack                           
                        Bunker Ramo, an Olivetti Company                      
               Two Enterprise Drive - Shelton, Connecticut 06484             

mel1@houxa.UUCP (M.HAAS) (06/25/87)

In article <2240@bunker.UUCP>, rha@bunker.UUCP (The Minister of Myrth) writes:
>      Electronically stored information should be no different from any other
> tangible good.  If a computer system has even basic security features and
> this security is violated by someone who is not authorized, then this person
> should be guilty of either larceny or breaking and entering, whichever is
> more applicable to the particular circumstance.

Here is the statement I agree with.  But, note the operative phrase,
"If a computer system has even basic security features".

The punk who steals your car is a criminal and should be punished.  But,
how about the car maker that sold you the car but didn't supply adequate
locks?  or worse, put in fake locks that looked OK but aren't effective
in keeping the door closed or the ignition inoperative or the steering
locked?

Closer to the point, how about the bank that stores your valuables in
what looks like a vault, but is actually made of plaster?

   Mel Haas  ,  attmail!mel

apc@cblpe.ATT.COM (Alan Curtis) (06/25/87)

In article <4332@drutx.ATT.COM> dlo@drutx.ATT.COM (OlsonDL) writes:
>In article <871@van-bc.UUCP>, sl@van-bc.UUCP (Stuart Lynne) writes:
>> Unfortunately "breaking" into a computer system is not covered by these same
>> laws. Until specific laws are passed making it illegal and criminal it
>> simply isn't. (Fortunately this is SLOWLY happening!)
>
>Are you sure about that?  My understanding is that it is definitely
>illegal.  I don't know the details, but I heard that recently someone
>was caught breaking into SPRINT and got his butt carted off to jail.
>

This morning, I was greeted with the following message, from /etc/motd:
(message of the day, for non unix machines/people)
Oh, it has been the motd for about two months, not just today, not
since the dawn of time (You know, back in 1970 :-))

*****************************************************************************
 >>>>                           NOTICE                                  <<<<
 >>>>   This  system  is restricted to  AT&T  authorized users for      <<<<
 >>>>   legitimate AT&T business purposes and is subject to audit.      <<<<
 >>>>   The  unauthorized access, use, or modification of computer      <<<<
 >>>>   systems  or  the  data  contained  therein  or  in transit      <<<<
 >>>>   to/from,is a criminal violation of federal and state laws.	<<<<
*****************************************************************************

Would we lie?
-- 
"Are you sure you won't change your mind?"           | Alan P. Curtis
"Is there something wrong with the one I have?"      | AT&T,BTL,CB
-----------------------------------------------------| apc@cblpe.ATT.COM
Kudos to stargate for redistribution rights          | !cbosgd!cblpe!apc  

gertler@mtuxo.UUCP (D.GERTLER) (06/25/87)

In article <915@argus.UUCP>, ken@argus.UUCP (Kenneth Ng) writes:
> But by definition these people aren't hackers, they are just scum.

Which definition of "scum" are you talking about?

daveb@rtech.UUCP (Dave Brower) (06/25/87)

In article <2240@bunker.UUCP> rha@bunker.UUCP (The Minister of Myrth) writes:
>In article <871@van-bc.UUCP> sl@van-bc.UUCP (Stuart Lynne) writes:
>
>>Walking into someone's house and taking something is theft....
>>This is because most civilized states pass laws making it so...
>
>     If I admit someone into my home and this person walks into my bedroom
>while I'm in the bathroom and steals my wife's necklace from her jewelry box,
>this person is guilty of larceny.  If my office has no reception area but
>someone walks in and takes some files out of my file cabinet without my
>consent, that person is guilty of larceny.
>
>     Electronically stored information should be no different from any other
>tangible good.  If a computer system has even basic security features and
>this security is violated by someone who is not authorized, then this person
>should be guilty of either larceny or breaking and entering, whichever is
>more applicable to the particular circumstance.

Ah, we're talking hypotheticals and analogies.

I have a house and garden next to a city park.  There is no fence
between them, and no 'no trespassing' signs.

* Some people walk in to my garden. Can they be convicted of trespassing?
  (Not likely)  Can I collect civil damages for 'invasion of my space'?
  (I doubt it.).

* Someone reads my tax return that I have left on the picnic table.
  Can they be convicted of any crime?  (I can't think of one).  Can I
  collect any civil damages?  (I can't see why).

* Someone reads a document showing how my company is going to go chapter 7
  next week.  This person shorts a bunch of stock.  Can he be convicted of
  anything?  (Don't know?)  Can I?  (Maybe I'm in trouble with the SEC for
  not adequately protecting sensitive information).

* They cut some roses from my bush.  Can they be convicted for theft?
  (Possibly).  Can I collect civil damages?  (Maybe).

* They smash my Mickey Mouse statue.  Can they be convicted of
  vandalism, or whatever?  (Probably).  Can I collect civil damages?
  (Probably).

* They take my barbecue pit.  Can they be convicted of theft?  (Probably).
  Can I collect civil damages if it is not recovered?  (Possibly).

It seems to make a lot of difference how 'secure' my back yard is from
someone doing reasonable and legal activities.  If the trespassers do only
innocuous actions, it will be difficult for me to collect any civil damages,
since I haven't really been hurt.

Trespassing may or may not be criminal depending on the law and how well
I have held my part of the bargain to deter people from entering.  If
there is no sign and no fence, I may be out of luck.

With the more serious criminal charges, the individuals are probably
culpable because their activity is illegal, period.

As a reasonable man, I cannot expect the law to protect my rights and
property before I suffer harm.  I may hope that the existence of law is
going to deter illegal actions against me, but I cannot assume this will
work.  I can hope that the perpetrators are prosecuted to "the full
extent of the law."

If I want people out of my garden, and don't want my precious Mickey to
be at risk of random vandalism, I had better put up a fence adequate to
the neighborhood. This isn't a question of legality, but of prudence.

The analogies to computer security are clear.  If electronic
trespassing is illegal (as I think may be the case), I had better put
up whatever 'fences' the law requires for me to fall under its
protection.  I cannot expect this law to protect my system from illegal
access.

If I want to protect my data from destruction or dissemination, I should
plug whatever holes place them in jeopardy.  I am responsible for it
because it is my data.

I see Jobs' "scholarship" as inviting people to locate potential
problems, in a way that will not greatly endanger the real security of
the systems in question.  This does not seem cause for
vilification.

-dB


-- 
{amdahl, cbosgd, mtxinu, ptsfa, sun}!rtech!daveb daveb@rtech.uucp

gcm@mtgzz.UUCP (g.c.mccoury) (06/26/87)

In article <6674@ism780c.UUCP>, tim@ism780c.UUCP writes:
> In article <2757@mtgzz.UUCP> gcm@mtgzz.UUCP (g.c.mccoury) writes:
> < 
> <   Wonder why we have so many security problems at our comp centers -
> < read on.
> 
> You have so many security problems because you have idiots running
> your comp centers.
> -- 
> Tim Smith, Knowledgian		{sdcrdcf,seismo}!ism780c!tim

	I was speaking about comp centers in general - I should have 
made that clear in the initial article (Hacker Scholarship) I posted. 
By the way, on what information do you base your accusations about
the lack of competence of our comp centers employees?? 

/***************************************************************************
*									   *
*      e N			Grover McCoury				   *
*    B     o			ATT Laboratories(?) [was ISL]		   *
*   y       r m a l  ??		...!ihnp4!mtgzz!gcm			   *
*   h									   *
*     W				I refuse to have a battle of wits	   *
*				  with an unarmed person...		   *
*									   *
****************************************************************************/

michael@stb.UUCP (Michael) (06/27/87)

Well, from personal experience, I learned a lot by screwing around. Sometimes
on my system, sometimes on other people's system (the security holes were truck
sized). Damage anything? Never. Steal unused cycles? A few.

Believe me, if the people are not ?ssholes, then it does work.
-- 
: Michael Gersten		seismo!scgvaxd!stb!michael
: Monsters from outta space -- 3-11-2

peter@sugar.UUCP (Peter DaSilva) (06/28/87)

In article <532@houxa.UUCP>, mel1@houxa.UUCP (M.HAAS) writes:
> I agree with much of what Andy says, but feel that his anger should
> mostly be directed to the people who consciously allow the hackers
> to do so much damage.  Woz's work was done several generations of
> system software and hardware ago.  The holes were well known then
> and still allowed to exist.  They exist now and are still allowed
> to exist.  Why?  Who makes these decisions?  Why?

The "holes" still exist because the solutions to them usually cause more
problems than the holes themselves do. These solutions all serve to further
distance the user from the computer, and make the computer less of a
useful tool. If Wozniak was really thinking about the situation rather
than mouthing sixties platitudes, then he would realise that if people
took him seriously the situation would worsen.

The United States is a society based on free (that is, unregulated) transfer
of goods and services. Anything that serves to interrupt that hurts the
country. And... you can find and fix loopholes without becoming a cracker.
While I was at Berkeley I discovered a couple of holes in the EECS machine.
Both were minor and temporary, but rather than screwing things up and
encouraging paranoid measures, I plugged them and left mail to someone
responsible.

> The DES algorithm is now quite old, but still not used in computer
> hardware.  Why?

The DES algorithm is used in computer hardware where security is important.
The UNIX password encryption technique is a deliberately mutated version
of the DES algorithm... mutated so that DES chips can't be used in an
exhaustive search of likely name spaces.

> Call back and random password techniques are readily available, but aren't
> used.  Why?

Because they're a pain. People do not like to remember random passwords, and
are more likely to write them down somewhere... which would actually reduce
security. Callback is used where necessary, but most of the time users of
a machine need to be able to call from multiple and unpredictable places.
For example... reporters phoning in a story from a hotel room.

> Data communication protocols are well into the standards making procedure,
> but don't include encryption capabilities.  Why?

Because it's neither a necessary nor sufficient technique. It's not necessary
because you can always encrypt your data at a higher level, and it's not
sufficient because all systems still have to have the keys. If security is
broken at one site and the key is discovered you will now be completely
open... while still thinking you're secure. On the other hand individual
files and parts of files can be encrypted using a key that's not even
stored permanently online *anywhere*.

> Our computer systems can be designed to be reliable and fault tolerant, but
> still require "superuser" gurus to administer them.  Why?

Because the set of things that can go wrong is larger than the set of things
that can be predicted to go wrong, and because a human is still cheaper than
a 500 megabyte AI system.

> I think the damage is being done by the people who bury their heads
> in the sand and foist these security horrors onto the public, not
> the college kid hackers.

While you didn't mean that the way I would, I'd have to agree with you. The
damage is being done by the people who want to foist excessive security
measures onto the public.

> Make it so that nothing gets onto any storage hardware in clear text.
> Don't allow anyone to get access to the system without their handy-dandy
> vest pocket gadget.  Don't put anything over any line or cable in
> clear text.  Don't let anybody, ever, get into the system with
> "privileged" access.

There are systems that do this. They tend to be slow, cumbersome to use, and
at Government sites.

> ----  Then, do as Woz suggests, and pay the brightest and best to find holes
> in the defenses.

This is also done. Have you ever heard of the Navy's "Tiger Teams"?

> And pay rewards for being a hacker and learning the next generation of
> techniques to cause problems.

Pay rewards for reporting problems, not for taking advantage of them... and
don't pay so much that you divert too many resources into security. A
computer is primarily a tool, not a place to play "wheel wars".

> ----  Then DO SOMETHING about the problems, don't let another 12 years or
> so go by with heads buryed.

That's "buried". Before you do something about the problem, make sure it's
costing you more than the solution. Shoplifting could be solved by doing strip-
searches of all customers before they leave the store, but it would probably
not turn out to be a wise investment.

>    Mel Haas  ,  odyssey!mel
-- 
-- Peter da Silva `-_-' ...!seismo!soma!uhnix1!sugar!peter (I said, NO PHOTOS!)

robertl@killer.UUCP (Robert Lord) (06/28/87)

Look..There has been a lot of talk floating around about hackers and such
being 'scum' and other derogatory types of life.  90% of hackers are just
computer buffs who have no other way of getting computer time.  They have
their Apple //e's with their modems, and they want to expand and learn more.
How do you expect them to do this?  Go to their school where they can teach
the teacher, and have the same computers as this little hacker does at home?
Naturally, the hacker goes looking for bigger and better systems to play
with, and along the line learns about security flaws to get access.  Also,
occasionally, he will make a mistake and wipe out some data..I agree this
is inexcusable, but there should have been more security on the system.  I
speak from experience when I say that there are less than 1,000 real 'hackers'
out there, that only hack to learn, and know how to take down a system but 
never do.  The rest of the so called hackers are just rodents who think they're
cool by hacking, and at the first chance they have will nuke a system.  There
are bulletin boards all over the country catering to these people, and there
is a close-knit community for the real hackers.  I should know, I've been there.
I was once in the not too distant past a 'real hacker'.  How do you think
I learned all that I know? (well, you don't know how much I know...oh well).
My specialty was unix systems, and I can tell you right now a few easy steps
to make your system less vulnerable.

  1) PUT PASSWORDS on your system!!!! No one does this, and it makes it easy.
     I have gotten into systems that were connected up to a modem, and
     no password on the root account!

  2) Protect your uucp network.  Most system administrators think the uucp
     account is not important, so they don't protect it.  Well, I have news
     for you, it is very important if you belong to a network.  Once I
     broke into one system, that led to a whole slew of unix computers
     around the country.  A friend of mine and I broke into every one of them!

  3) Protect your information!  Many systems have mail that is readable
     by everyone.  Most of the audit files (such as the modem logs) are
     writeable by everyone, so if I used the 'cu' command to call a few
     other computers I could just edit the audit files...Not smart!

These are a few of the major points of security, and they run rampant on
almost all systems around the world.  Your first line of defense is the
passwords.  Make sure every one on your system has a password, otherwise
it is fairly simple to get access to the system.  If the hacker only
has one account, all he has to do is to look at the /etc/passwd file and
get at least 3-4 more accounts without a pass.  Also, make sure you
back up your system regularly (like a full backup once a week...archive it
every day).  This will prevent major damage in case a rodent decides to
try and take out your system.
    If you are setting up a new system, then give one of your friendly
unix gurus a call, and he will be happy to help you with the security of your
system.
    In summary....Really, the real hackers are nice people (take me for an
example).  They don't try to hurt systems, but in fact are just trying to
learn everything they can about something they love - Computers.


              Robert Lord, Hacker Extraordinaire (retired)
                       ihnp4!killer!robertl

P.S. I retired for a few reasons...Namely it got boring.  I decided to go into
     commercial programming...and am doing pretty well considering I'm still
     in high school.
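
An added example, not part of the post above and not code from anyone in this thread: a small shell audit for the three weaknesses the list names (accounts with an empty password field, audit logs writable by everyone, mailboxes readable by everyone). The function names, directory layout and sample passwd entries are constructed for illustration.

```shell
#!/bin/sh
# Audit helpers for the three weaknesses named in the post above.
# Function names, paths and sample data are constructed for this example.

# Login names whose password field (field 2) is empty in a passwd-format file.
accounts_without_password() {
    awk -F: '!/^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# Regular files under a directory that any user may modify (o+w),
# such as dial-out or uucp logs.
world_writable_files() {
    find "$1" -type f -perm -0002 -print | sort
}

# Regular files under a directory that any user may read (o+r),
# such as mailboxes in a mail spool.
world_readable_files() {
    find "$1" -type f -perm -0004 -print | sort
}

# Usage: audit_report PASSWD_FILE LOG_DIR MAIL_DIR
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_report() {
    findings=$(
        accounts_without_password "$1" | sed 's/^/NOPASSWD /'
        world_writable_files "$2"      | sed 's/^/WORLD-WRITABLE /'
        world_readable_files "$3"      | sed 's/^/WORLD-READABLE /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Build a throwaway tree holding constructed sample data and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/log" "$d/mail"
    cat > "$d/passwd" <<'EOF'
root:CONSTRUCTEDHASH1:0:0:Super User:/:/bin/sh
uucp::5:5:UUCP login:/usr/spool/uucppublic:/usr/lib/uucp/uucico
guest::100:100:Guest:/usr/guest:/bin/sh
alice:CONSTRUCTEDHASH2:101:100:Alice:/usr/alice:/bin/sh
EOF
    : > "$d/log/culog";  chmod 666 "$d/log/culog"   # anyone can edit this log
    : > "$d/log/sulog";  chmod 644 "$d/log/sulog"   # readable, not editable
    : > "$d/mail/alice"; chmod 644 "$d/mail/alice"  # mailbox readable by all
    : > "$d/mail/root";  chmod 600 "$d/mail/root"   # owner-only mailbox
    printf '%s\n' "$d"
}

# Demonstration on the constructed tree.
sample=$(make_sample_tree)
audit_report "$sample/passwd" "$sample/log" "$sample/mail" \
    || echo "findings above need fixing"
rm -rf "$sample"
```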
 

jdia@osiris.UUCP (Josh Diamond) (06/29/87)

In article <1594@celtics.UUCP>, roger@celtics.UUCP (Roger B.A. Klorese) writes:
> ...
> Why do people seem to think that the advent of computers has liberated
> them from moral education?  Electronic crime is still crime.  Would you
> applaud your local police picking up street gang members, and, instead of
> punishing them, paying them to teach how to perform assaults?  I agree
> that it is important to beef up security... but this "aren't hackers 
> cute?" mentality is the MAJOR threat.  Someone who destroys a financial
> record should be jailed for robbery.  It's THAT simple.  I don't care
> if your tool is a jimmy or a keyboard.  Scum is scum, no matter how
> high-tech the pond it's floating atop.

I seem to recall that there was an episode of Max Headroom where someone
describes computer/credit fraud as being "worse than murder".

There also was a story written by Isaac Asimov (I think) about someone
in an ultra-computerized society who committed computer fraud.  His punishment
was to be prevented from using a computer for a year.  He was conditioned
psychologically to vomit every time he touched a computer device of any type.

In my opinion, a little of all aspects of protection is necessary.  A
combination of stiffer penalties for computer fraud/vandalism/theft, strong
education on the fact that these actions are immoral (or at least illegal --
no flames about "morality" please), and better security procedures.

With regards to maintaining better security procedures, these could include
(but by no means be limited to) the following ideas:

1) Distribution of random letter combination privileged passwords at random
   intervals through secure communication channels.
2) Forcing users to change their passwords regularly.
3) Callback systems to verify the system is being accessed from a known
   terminal.
4) Implementation of a key card system, in which the user must insert his/her
   card into a slot in the terminal so that it can be read and verified.
   Login name and password would still be required, but this would help
   prevent users from looking over someone's shoulder to find out their
   password and get onto the system. (I believe that IBM already implemented
   a system like this as an option on their 3270 series terminals).
5) Use of encryption systems (RSA public key preferably) for communication and
   storage of private data/messages.
6) Keep accurate accounting files tracking all commands/system calls executed.
7) Make sure that all accounts autologout after a relatively short period
   of idle time (perhaps send a warning message after 30 seconds idle time,
   then autologout if still no key hit within 30 seconds).  This would prevent
   the "root forgot to log out and left an open terminal as superuser" problem.


At one system that I know of, new student and faculty user id's are posted in
the computer center.  The initial password is always the person's social 
security number.  There are always those users who never change their 
passwords, leaving a gaping hole in security.  There are others who never 
use their account, leaving it open to anyone who takes the time to figure
out the user's social security number (not very difficult at a university
where SS# doubles as school id number).


					Spidey!




-- 
DON'T PANIC!!!                                          /\ Josh /\   At last! a
                                                       //\\ .. //\\  spider that
A message from Spidey, and the Spidey Team.  ----->>>  //\((  ))/\\  looks like
Available via UUCP: ...[seismo,mimsy]!jhu!osiris!jdia  /  < `' >  \  a spider!

rem@remsit.UUCP (Roger Murray) (06/30/87)

In article <1610@stb.UUCP>, michael@stb.UUCP (Michael) writes:
> Well, from personal experience, I learned a lot by screwing around. Sometimes
> on my system, sometimes on other people's system (the security holes were truck
> sized). Damage anything? Never. Steal unused cycles? A few.
> 
> Believe me, if the people are not ?ssholes, then it does work.

For example, when Michael was running his BBS on his TRS-80 Model I, we would
spend hours thinking of ways of getting into BASIC, modifying the program, etc.
They ranged from the very basic (password hacking, etc) to the very complex
(replacing SYS files, replacing the RS232 driver, sending a stream of ^S's).
But every time we managed to do something, we told him.  Well, there was that
one time..... :-)

Now it's running on a Model 16.  Streams of ^S's don't do it anymore, but wait
till he gets a load of the new /xenix I installed!  :-) :-) :-)

Enter your name (or handle)? BASIC/CMD
...
Delete this? Y

Ah, those were the days!
-- 
Roger Murray

UUCP: ...!{ihnp4,randvax,sdcrdcf,ucbvax}!ucla-cs!cepu!ucla-an!remsit!rem
ARPA: cepu!ucla-an!remsit!rem@LOCUS.UCLA.EDU

worley@dana.UUCP (John Worley) (06/30/87)

daveb@rtech writes:

> Ah, we're talking hypotheticals and analogies.
> 
> I have a house and garden next to a city park.  There is no fence
> between them, and no 'no trespassing' signs.

    Your analogy is already faulty.  The "fence" here is the phone number you
must dial to get access to the computer in the first place.  Like a good fence,
it requires a positive action to "cross".  The "lock" or "no trespassing" sign
is played by the login routine, which normally requires the user to identify
himself/herself and supply a secret comfirmation code (password).

    So, by dialing up and logging in, the security breaker has overcome three
explicit and unavoidable barriers.  Further, he/she has misrepresented himself/
herself to the system to gain unauthorized access.

	[ Scenarios of "if they ... can I" deleted ]

> 
> The analogies to computer security are clear.  If electronic
> trespassing is illegal (as I think may be the case), I had better put
> up whatever 'fences' the law requires for me to fall under its
> protection.  I cannot expect this law to protect my system from illegal
> access.
> 

    Ref. above - the 'fences' are already there.  The intent of the system
owner is clear, as is the intent of the electronic trespasser.

> If I want to protect my data from destruction or dissemination, I should
> plug whatever holes place them in jeopardy.  I am responsible for it
> because it is my data.

    For every lock ever built, there is a way to open it w/o the proper key.
It is irrelevant that the lock can be picked, or even that the method to do so
is well known.  By locking your garage, house, car, bike, you have proven your
intent to secure your possession against unauthorized use; by overcoming the
lock, no matter how simple, the thief has demonstrated his/her intent to
violate your property.

> I see Jobs' "scholarship" as inviting people to locate potential
> problems, in a way that will not greatly endanger the real security of
> the systems in question.  This does not seem cause for
> vilification.

    It's Wozniak, not Jobs.

    I see his scholarship as an attempt to legitimize the criminal activity
of breaking system security.  If a computer house wants to test its security,
it will authorize someone to try.  Abetting, yes even financing, a criminal
action is certainly cause for vilification, especially for someone of Steve
Wozniak's position of community leader - a position now in great doubt in my
mind.

						John Worley
						hplabs!dana!worley

edw@ius2.cs.cmu.edu (Eddie Wyatt) (06/30/87)

In article <1226@osiris.UUCP>, jdia@osiris.UUCP (Josh Diamond) writes:
> 
> In my opinion, a little of all aspects of protection is necessary.  A
> combination of stiffer penalties for computer fraud/vandalism/theft, strong
> education on the fact that these actions are immoral (or at least illegal --
> no flames about "morality" please), and better security procedures.

     You have to be able to catch them first. Not a simple problem.

> 
> With regards to maintaining better security procedures, these could include
> (but by no means be limited to) the following ideas:
> 
> 1) Distribution of random letter combination privileged passwords at random
>    intervals through secure communication channels.
> 2) Forcing users to change their passwords regularly.
> 3) Callback systems to verify the system is being accessed from a known
>    terminal.
> 4) Implementation of a key card system, in which the user must insert his/her
>    card into a slot in the terminal so that it can be read and verified.
>    Login name and password would still be required, but this would help
>    prevent users from looking over someone's shoulder to find out their
>    password and get onto the system. (I believe that IBM already implemented
>    a system like this as an option on their 3270 series terminals).
> 5) Use of encryption systems (RSA public key preferably) for communication and
>    storage of private data/messages.
> 6) Keep accurate accounting files tracking all commands/system calls executed.
> 7) Make sure that all accounts autologout after a relatively short period
>    of idle time (perhaps send a warning message after 30 seconds idle time,
>    then autologout if still no key hit within 30 seconds).  This would prevent
>    the "root forgot to log out and left an open terminal as superuser" problem.
> 
> 					Spidey!
> 
> 
> 
> 
> -- 
> DON'T PANIC!!!                                          /\ Josh /\   At last! a
>                                                        //\\ .. //\\  spider that
> A message from Spidey, and the Spidey Team.  ----->>>  //\((  ))/\\  looks like
> Available via UUCP: ...[seismo,mimsy]!jhu!osiris!jdia  /  < `' >  \  a spider!


1)  Not really safe.  If someone knows what the procedure is then 
    they will be able to use the passwords.

2)  If you force users to change their passwords regularly then - 1. you'll
    have your users forgetting their passwords regularly, 2. have a less
    friendly system, 3. probably have the user cycle between two different
    passwords.

3)  Is only as safe as the phone lines.  If you have broken Ma Bell, you could
    probably fool this mechanism.

4)  This is only as safe as an extra password.  At some level this will
    get turned into a bit stream.

5) Isn't one of the problems with data encryption for communications the
   fact that both systems have to agree on the key?  And hence the key
   must be transmitted.

6) is easy to break, what if someone writes this loop -

	while (1) logged_system_call();

    when the log file is filled (i.e. no more disk space) does your system
    come to a grinding halt or do you truncate the log file?  Either
    solution is unacceptable.

7) easy to fool, plus makes the system very unfriendly.  You'll find users
   writing little programs like

	while (1) { printf("Hello\n"); sleep(29); }

   These are a start though and will help keep the novice from doing damage,
but if someone wants to get onto your system, I'm sure they'll find a way
around those security measures.

-- 
					Eddie Wyatt

e-mail: edw@ius2.cs.cmu.edu

terrorist, cryptography, DES, drugs, cipher, secret, decode, NSA, CIA, NRO.
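Point 6 in the post above poses a choice between halting and truncating when an accounting log is flooded. The following is an added example, not code from any poster in this thread, of a third behaviour: a per-user token bucket that bounds log growth and records how many entries were suppressed. The names `audit`, `bucket_for` and `simulate_flood`, the constants, and the sample events are all assumptions constructed for illustration.

```c
#include <stdio.h>

#define MAX_USERS 8        /* tracked users; assumption for this sketch */
#define BURST 5            /* records a user may write back to back */
#define REFILL_PER_SEC 1   /* records per second a user earns back */

struct bucket { int uid; long tokens; long last; unsigned long dropped; };

static struct bucket buckets[MAX_USERS];
static int nbuckets;
static unsigned long written;          /* lines that reached the log */
static unsigned long last_suppressed;  /* count in the latest summary line */

/* Find or create the bucket for a user. */
static struct bucket *bucket_for(int uid, long now)
{
    int i;
    for (i = 0; i < nbuckets; i++)
        if (buckets[i].uid == uid)
            return &buckets[i];
    if (nbuckets == MAX_USERS)          /* table full: share the last bucket */
        return &buckets[MAX_USERS - 1];
    buckets[nbuckets].uid = uid;
    buckets[nbuckets].tokens = BURST;
    buckets[nbuckets].last = now;
    buckets[nbuckets].dropped = 0;
    return &buckets[nbuckets++];
}

/* Write one audit record unless this user has exhausted its budget.
 * Returns 1 if the record was written, 0 if it was suppressed. */
static int audit(FILE *log, int uid, long now, const char *event)
{
    struct bucket *b = bucket_for(uid, now);
    long gained = (now - b->last) * REFILL_PER_SEC;

    if (gained > 0) {
        b->tokens = (b->tokens + gained > BURST) ? BURST : b->tokens + gained;
        b->last = now;
    }
    if (b->tokens == 0) {               /* over budget: count it, write nothing */
        b->dropped++;
        return 0;
    }
    if (b->dropped) {                   /* the flood itself becomes one record */
        fprintf(log, "%ld uid=%d suppressed=%lu\n", now, uid, b->dropped);
        last_suppressed = b->dropped;
        b->dropped = 0;
        written++;
    }
    b->tokens--;
    fprintf(log, "%ld uid=%d %s\n", now, uid, event);
    written++;
    return 1;
}

/* Constructed scenario: uid 1001 repeats a logged call 100000 times within
 * one second while uid 1002 does ordinary work. Returns lines written. */
static unsigned long simulate_flood(FILE *log)
{
    long i;
    nbuckets = 0;
    written = 0;
    for (i = 0; i < 100000; i++)
        audit(log, 1001, 100, "syscall=getpid");
    audit(log, 1002, 100, "syscall=open path=/etc/passwd");
    audit(log, 1001, 103, "syscall=unlink path=/tmp/x");
    return written;
}

int main(void)
{
    printf("lines written: %lu\n", simulate_flood(stdout));
    return 0;
}
```

The detail of the suppressed records is lost, so a non-zero `suppressed=` count is itself an event worth alerting on.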

davidsen@steinmetz.steinmetz.UUCP (William E. Davidsen Jr) (06/30/87)

In article <1226@osiris.UUCP> jdia@osiris.UUCP (Josh Diamond) writes:
>...
>There also was a story written by Isaac Asimov (I think) about someone
>in an ultra-computerized society who committed computer fraud.  His punishment
>was to be prevented from using a computer for a year.  He was conditioned
>psychologically to vomit every time he touched a computer device of any type.
>
Several members of my family feel that way. Could they have been
convicted of computer crime?
-- 
	bill davidsen		(wedu@ge-crd.arpa)
  {chinet | philabs | sesimo}!steinmetz!crdos1!davidsen
"Stupidity, like virtue, is its own reward" -me

dougs@sequent.UUCP (Doug Schwartz) (07/01/87)

In article <4332@drutx.ATT.COM>, dlo@drutx.ATT.COM (OlsonDL) writes:
> I don't know the details, but I heard that recently someone
> was caught breaking into SPRINT and got his butt carted off to jail.

I believe the charge was "theft of services", analogous to tapping into HBO
and not paying for the service.

Doug Schwartz
Sequent Computer
...!tektronix!ogcvax!sequent!dougs

forys@sigi.Colorado.EDU (Jeff Forys) (07/01/87)

In article <2780@mtgzz.UUCP> gcm@mtgzz.UUCP (g.c.mccoury) writes:
>>In article <2757@mtgzz.UUCP> gcm@mtgzz.UUCP (g.c.mccoury) writes:
>>   Wonder why we have so many security problems at our comp centers -
>
> I was speaking about comp centers in general - I should have 
> made that clear in the initial article (Hacker Scholarship) I posted.

I work for the Computer Center at the University of Colorado @ Boulder.
I am also an indirect beneficiary of the Wozniak Scholarship.  I receive
one of these `hackers' to delegate some of my workload to and, in return,
the `hacker' has an excellent opportunity to learn.  In retrospect, I was
lucky enough to get the same breaks when I was younger...

The term `hacker', as used here, is a person who is seriously interested
in learning more about computers as opposed to "just knowing enough to
get by".  Perhaps this is what some people are afraid of, I don't know.
Anyways, to be selected, they must have a `decent' GPA and have some
"special quality" (loosely defined by an *equally* special selection
committee).  In answer to your question, our group is looking forward
to their arrival.  I myself, will probably learn a couple things too,
uh, but don't tell anyone that...  :-)
---
Jeff Forys @ UC/Boulder Engineering Research Comp Cntr (303-492-4991)
forys@Boulder.Colorado.EDU  -or-  ..!{hao|nbires}!boulder!forys

msf@amelia (Michael S. Fischbein) (07/03/87)

One point that no one seems to have brought up yet in this discussion is
the "attractive nuisance" laws.  As I understand them (ie, my nodding
acquaintance with the topic), some items (such as a swimming pool) are
"attractive nuisances" and it is the owner's responsibility to set up
security measures (such as a fence to prevent the local toddlers from
drowning).

Given the current state of US culture (no pro or con arguments, just
let it be there), maintaining a computer system without minimal
security is certainly an attraction, both to the irresponsible
`crackers' and the curious 'hackers'.  Extending this sort of
opportunity might even be contributing to the delinquency of a minor,
or something.

No, people should not have to triple lock their doors, hire armed
guards, etc.  But bank vaults should.  Not all computers need call
back modems, multiple encryption schemes, etc.  But some do.  If you
leave your door open and someone steals your stereo, you were not
quite brilliant for leaving it open, but the thief is just that, a
thief.  If you leave your stereo on the curb and someone picks it up
thinking you are throwing it away, what then?  How about if you leave
it in a public area, unsecured, for several days?

Computer breakins are just a phone call away -- if someone calls your
home phone and you don't want to talk to them, are they stealing your
telephone access?  If so, what sort of penalty should be imposed?  How
does this impact direct telephone marketers?  If someone calls your
computer, that you want to keep secure, and you don't have at least a
non-well-known account/password combination, you have left your data
in a public place (the telephone exchange) without even a sign on it
that says "mine."  There is a big difference between someone tapping a
phone or committing b&e to get a password to enter a nominally secure
system and someone who connects to a modem tone and gets "Welcome to
the Whizzo Co orders database" without being asked for id.  I don't
know of any multi-user computer system capable of remote access that
doesn't offer that level of security for free.  Yes, it requires a
system administrator with an IQ > 50.  Yes, it can be broken in
several ways, depending on the specific system.  But if you park your
car with the window down and the engine running, it may get stolen.
Lock it, it might still be stolen but the chances are less -- and
there is next to no chance that it will be stolen on a lark, by
someone out for a joyride rather than profit.

		mike

(maybe I should have said LaRC? :-))

edw@ius2.cs.cmu.edu (Eddie Wyatt) (07/04/87)

In article <2231@ames.arpa>, msf@amelia (Michael S. Fischbein) writes:

> One point that no one seems to have brought up yet in this discussion is
> the "attractive nuisance" laws.  As I understand them (ie, my nodding
> acquaintance with the topic), some items (such as a swimming pool) are
> "attractive nuisances" and it is the owner's responsibility to set up
> security measures (such as a fence to prevent the local toddlers from
> drowning)

  Attractive nuisance laws were made to protect people from hazardous areas
that are readily accessible to the public.  In the case of a pool, you are
required to put up a fence around it even though it is your own property because
any child could accidentally fall into the pool.   Instead of having
the owner of the pool put the blame on the child for trespassing, the
blame is on the owner of the pool for not taking some sort of protective
measure.

  I do not see why attractive nuisance laws extend here since the
aim of the law was not to put the blame on the victim of a crime
because he didn't protect himself, but to have people exercise
more caution in instances where OTHERS MAY BE ENDANGERED (in the above
example the pool owner was a victim of trespassing).

   This is not the case with publicly accessible computers.  No one
is physically or mentally at risk by their existence!


> Given the current state of US culture (no pro or con arguments, just
> let it be there), maintaining a computer system without minimal
> security is certainly an attraction, both to the irresponsible
> `crackers' and the curious 'hackers'.  Extending this sort of
> opportunity might even be contributing to the delinquency of a minor,
> or something.

  The analogy you are trying to draw generalizes to, if you are a victim
of property crime then it's not the fault of the criminal, it's your fault,
you were tempting him too much.  That is unless you can show you've excessively
protected yourself.  If not, show me where your attitude differs.

> If you leave your stereo on the curb and someone picks it up
> thinking you are throwing it away, what then?  How about if you leave
> it in a public area, unsecured, for several days?

  He is guilty of theft.  He would be guilty of theft even if he was taking it out
of your garbage.  If you find property, you are legally responsible for
reporting it to the police.  If no one claims it after n number of days, they
may give it to you. As simple as that.  Are you advocating - finders keepers,
losers weepers?

[a lot of bad analogies]

  Let's consider all of us adopt your policies, which I'm interpreting as:
computer owners must take preventive measures to protect access to their
computers, otherwise hackers that invade their system would not be considered
responsible for their actions.

   I have a hacker trash my disk system and he is caught.  What do I have
to do to show that I was not negligent in protecting my system?

> 		mike
> 
> (maybe I should have said LaRC? :-))

-- 
					Eddie Wyatt

e-mail: edw@ius2.cs.cmu.edu

terrorist, cryptography, DES, drugs, cipher, secret, decode, NSA, CIA, NRO.

ken@rochester.arpa (Ken Yap) (07/05/87)

|	case 1. (Source OS class)  Linear password decomposition algorithm.
|
|	Two very interesting utilities in a certain unknown OS combined to
|	provide a technique of decoding any password in linear time respective
|	of the length of the password.  The utilities were a facility
|	for determining when a page fault occurred in an application
|	program so that the user could finely tune a program performance
|	and the other happened to be the password utility and the way
|	in which it was coded.  The password function read in a character
|	at a time and compared it to the system password.  If the given
|	character didn't match, the password function would jump to another
| 	place in the program causing a page fault, then continue reading the
|	rest of the password.  One can obviously see how the method
|	works.  Type in a character, see if there is a page fault.
|	If so, start again with new character else look for next 
|	character in password.  The fix to the problem is also obvious,
|	that is read the whole password before testing to see if it
|	matches the system password.

This is described in Hints for System Designers by Butler Lampson.

	Ken
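The case quoted in the post above, as an added example that is not code from the thread or from the system it describes: an early-exit comparison next to the fix the quoted text names (take the whole input, then compare), with a check that the observable work no longer depends on how much of the guess is correct. The counter `touched` stands in for the page-fault signal; the function names, `PW_MAX`, and the sample password are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 16   /* fixed comparison width; assumption for this example */

/* Stand-in for the side effect an observer could see in the quoted case:
 * how many password positions the routine examined before returning. */
static size_t touched;

typedef int (*check_fn)(const char *stored, const char *guess);

/* Character-at-a-time check that stops at the first mismatch, so the
 * amount of work reveals the length of the correct prefix. */
static int check_early_exit(const char *stored, const char *guess)
{
    size_t i;
    touched = 0;
    for (i = 0; ; i++) {
        touched++;
        if (stored[i] != guess[i])
            return 0;
        if (stored[i] == '\0')
            return 1;
    }
}

/* Fix described in the quoted text: read the whole input first, then
 * compare every position and decide once at the end. */
static int check_whole_input(const char *stored, const char *guess)
{
    unsigned char s[PW_MAX] = {0}, g[PW_MAX] = {0};
    unsigned char diff;
    size_t ls = strlen(stored), lg = strlen(guess), i;

    /* Over-length input can never match; it is still compared in full. */
    diff = (unsigned char)(ls >= PW_MAX || lg >= PW_MAX);
    memcpy(s, stored, ls < PW_MAX ? ls : PW_MAX - 1);
    memcpy(g, guess, lg < PW_MAX ? lg : PW_MAX - 1);

    touched = 0;
    for (i = 0; i < PW_MAX; i++) {
        touched++;
        diff |= (unsigned char)(s[i] ^ g[i]);
    }
    return diff == 0;
}

/* Regression check for a comparison routine: feed it guesses whose correct
 * prefix grows from 0 to the full length and count how many different
 * values of the observable appear. 1 means it does not depend on the guess.
 * Assumes strlen(stored) < PW_MAX and that stored contains no '#'. */
static size_t distinct_signals(check_fn fn, const char *stored)
{
    char guess[PW_MAX];
    size_t seen[PW_MAX + 1];
    size_t nseen = 0, n = strlen(stored), k, j;

    for (k = 0; k <= n; k++) {
        memset(guess, '#', n);       /* wrong everywhere ...            */
        memcpy(guess, stored, k);    /* ... except the first k positions */
        guess[n] = '\0';
        fn(stored, guess);
        for (j = 0; j < nseen; j++) {
            if (seen[j] == touched)
                break;
        }
        if (j == nseen)
            seen[nseen++] = touched;
    }
    return nseen;
}

int main(void)
{
    const char *pw = "xyzzy";        /* constructed sample password */
    printf("early exit:  %lu distinct signals\n",
           (unsigned long)distinct_signals(check_early_exit, pw));
    printf("whole input: %lu distinct signals\n",
           (unsigned long)distinct_signals(check_whole_input, pw));
    return 0;
}
```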

tim@ism780c.UUCP (Tim Smith) (07/07/87)

In article <2780@mtgzz.UUCP> gcm@mtgzz.UUCP (g.c.mccoury) writes:
< In article <6674@ism780c.UUCP>, tim@ism780c.UUCP writes:
< > In article <2757@mtgzz.UUCP> gcm@mtgzz.UUCP (g.c.mccoury) writes:
< > <   Wonder why we have so many security problems at our comp centers -
< > < read on.
< > You have so many security problems because you have idiots running
< > your comp centers.
< 	I was speaking about comp centers in general - I should have 
< made that clear in the initial article(Hacker Scholarship) I posted. 
< By the way, on what information do you base your accusations about
< the lack of competence of our comp centers employees?? 

It was clear that you were talking about comp centers in general.
My answer was about comp centers in general.  Since you used "we"
to refer to comp centers in general, it seemed appropriate to
use "you" to respond.  I wasn't talking about your specific comp
center.
-- 
Tim Smith, Knowledgian		{sdcrdcf,seismo}!ism780c!tim

batie@agora.UUCP (Alan Batie) (07/08/87)

In article <1063@killer.UUCP> robertl@killer.UUCP (Robert Lord) writes:
>
>
>Look..There has been a lot of talk floating around about hackers and such
>being 'scum' and other derogatory types of life.  90% of hackers are just
>computer buffs who have no other way of getting computer time.  They have
>their Apple //e's with their modems, and they want to expand and learn more.
>How do you expect them to do this?  Go to their school where they can teach
>the teacher, and have the same computers as this little hacker does at home?

This is a bad argument for two reasons:

1.  It's no justification.  I present the time honored analogy of stealing
(actually "joyriding") a car: "I don't have any way of getting there, so
I'll use this here car (gee, they even left the keys in it, but it would
have been easy to hot wire anyhow).  It's the middle of the night, and the
owner isn't using it now; I'll have it back by morning -- he'll never know
I used it.  I'll learn more about driving in the process, and well, if I
wreck it, gee, I'm so sorry."

Most people I know would be upset if someone did this.

2.  It's false.  There are public access Unix systems all over the place
now where one can get free access to do everything you're trying to accomplish
(except cracking the system).  I run one myself (agora, 503-640-4262) --
there's absolutely no need to crack a system to expand your horizons, unless
you're such a twit that no one will give you an account (and I doubt that).
-- 
Alan Batie
batie@agora
tektronix!reed!percival!agora!batie

biff@nuchat.UUCP (Brad Daniels) (07/11/87)

In article <2240@bunker.UUCP>, rha@bunker.UUCP (The Minister of Myrth) writes:
>      Electronically stored information should be no different from any other
> tangible good.  If a computer system has even basic security features and
> this security is violated by someone who is not authorized, then this person
> should be guilty of either larceny or breaking and entering, whichever is
> more applicable to the particular circumstance.

I don't think this is an accurate assessment.  You could possibly argue that
breaking into a computer system (with or without security) is the moral
equivalent of breaking and entering or maybe trespassing, but the fact
remains that that is not what the person is actually doing.  Nobody is
physically entering your property or breaking your locks.

Similarly, "stealing" information is not strictly "stealing"....  If
you leave me alone in your office and leave confidential information
where I can get at it, and then I take pictures of that information
to look at later, I am hardly stealing anything.  You would still have
the information, but I would now have it also.  Granted, it seems
that there is something morally wrong with doing such things, but
it certainly doesn't qualify as larceny.

I agree that some methods of obtaining information are acceptable,
while others aren't.  I certainly do not want people randomly
invading computers and discovering information which I would prefer
to keep confidential.  However, the information is not a "tangible
good."  The person obtaining the information can and should only
be punished if a law was broken in obtaining the information.  I
firmly believe that unauthorized possession of confidential information
should not constitute a crime.

As for the issue of accessing computers without authorization, I
agree that there should be some law against it.  I do not, however,
believe that it is breaking and entering.

What I am trying to say is that the issue is not at all cut-and-dried.
Should we treat a kid who just wants to see if he can get into a real
computer the same as we treat a professional thief who is trying to
make a company's computer mail him money?  At present, people can only
be punished if they commit a crime (such as toll fraud, embezzlement,
etc.) when they break into a system.  Perhaps that is how things should
remain.

			- Brad
-- 
Brad Daniels				...!soma!eyeball!biff
Now that I have my own account,		biff@tethys.rice.edu
I don't	NEED a disclaimer.		...!uhnix1!nuchat!biff

karl@ddsw1.UUCP (Karl Denninger) (07/15/87)

In article <555@agora.UUCP>, batie@agora.UUCP (Alan Batie) writes:
> In article <1063@killer.UUCP> robertl@killer.UUCP (Robert Lord) writes:
> > (Dissertation comparing hacking to joyriding deleted)
> >
> 2.  It's false.  There are public access Unix systems all over the place
> now where one can get free access to do everything you're trying to accomplish
> (except cracking the system).  I run one myself (agora, 503-640-4262) --
> there's absolutely no need to crack a system to expand your horizons, unless
> you're such a twit that no one will give you an account (and I doubt that).
> -- 

True -- in the Chicago area, there are at least five public-access Unix
systems I know of, and probably a few I don't know about. Nice, inexpensive
systems like the 7300 and Microport's proliferation have been largely
responsible for this (heck, we run it here).

We permit public access to our system (in a limited manner). Some other
sites are much more open than we are (although they do not have the diverse
choice of facilities and software available that we do). Also, gaining what
essentially amounts to full access here requires only a modest contribution
to help us maintain our phone lines, etc.... 

In short -- you want to learn Unix, learn. If you're going to hack (be
destructive and/or invasive), you're way out of line.

(Modem number below is public access line)

-- 

Karl Denninger				UUCP : ...ihnp4!ddsw1!karl
Macro Computer Solutions		Dial : +1 (312) 566-8909 (300-1200)
"Quality solutions at a fair price"	Voice: +1 (312) 566-8910 (24 hrs)

elg@killer.UUCP (Eric Green) (07/18/87)

in article <225@ddsw1.UUCP>, karl@ddsw1.UUCP (Karl Denninger) says:
> In article <555@agora.UUCP>, batie@agora.UUCP (Alan Batie) writes:
>> In article <1063@killer.UUCP> robertl@killer.UUCP (Robert Lord) writes:
>> > (Dissertation comparing hacking to joyriding deleted)
>> >
>> 2.  It's false.  There are public access Unix systems all over the place
>> now where one can get free access to do everything you're trying to accomplish
>> (except cracking the system).  I run one myself (agora, 503-640-4262) --
>> there's absolutely no need to crack a system to expand your horizons, unless
>> you're such a twit that no one will give you an account (and I doubt that).
>> -- 
> 
> True -- in the Chicago area, there are at least five public-access Unix
> systems I know of, and probably a few I don't know about. Nice, inexpensive
> systems like the 7300 and Microport's proliferation have been largely
> responsible for this (heck, we run it here).

Free public-access systems are a recent innovation, driven by the declining
price of hardware. Until recently, the only available public access systems
were "for-pay" systems like Compuserve or The Source, due to the high cost of
the necessary hardware.  For example, a friend has some '70s vintage 80-meg
hard drives designed for a DEC minicomputer... the size of a washing machine,
consumes 1000 watts of power. Cost probably in the 10s of thousands originally
(altho he didn't pay that much, of course, since it was being scrapped... he's
STILL trying to figure out what he's going to do with those three PDP-8's that
he salvaged!). Needless to say, if you've got 10 or 15 of those on-line, you
have a pretty hefty A/C system, and a lot of free space (like,
WASHATERIA-size!). Ain't no way someone would run such a system as a hobby.

Nowadays, I could get an 80 meg drive for a Pee-Cee for $900 (and the AT clone
with Microport Unix for less than $3,000).

I would venture to say that for-pay on-line systems are the most common
victims of "hacking" (in the news-media sense of the word, not in MY sense of
the word!). For example, one popular gambit on Quantum Link (a Commodore
on-line system) is for people to log on with a forged certificate number and
fake credit card number... a month later, the account is deleted, upon which
they log in under yet another forged number....

Also needless to say, until the recent proliferation of powerful
microcomputers such as the Commodore Amiga, or the IBM AT clone running
Microport, the only way that a high schooler could get access to a "real"
system would be to get it illegally. Most schools still have an Apple ][ as
their most powerful computer (suburban schools, that is -- inner-city schools
don't have computers, because they don't have enough money, because school
systems are funded by sick racists).  What would YOU say if you're Joe Public,
and your kid says "Hi, Dad, I'd like you to give me $400/month to use The
Source, so I can learn how to program"? 
   Hell, most people won't even give their kids money to buy programming books
or any OTHER educational book! I can't count the number of times that I've
answered chat on my BBS, to find it's a kid asking simple programming
questions... and when I recommend that they get some particular book (e.g., if
they're trying to program in assembler, the SAMS book _C-64 Assembly Language
Programming_), "uh, how much is it?  I don't have the money right now..." and
when I tell'em "why don't you ask your parents, they'll probably be glad that
you want to learn something" but usually their parents' answer is "no! Now go
back to your room, I don't want to be bothered with miserable little snivelly
kids underfoot while I'm watching nighttime soap operas!". It's amazing how
little time and money that most modern parents spend on their children's
growth, development, and education... usually, "here, here's $400 worth of
toys, get to your room out of sight because I don't want to be bothered with
the sight of you while I'm conspicuously consuming." (cut to boxed C-64 with
1541 and disk drive and modem). 

--
Eric Green   elg%usl.CSNET     Ron Headrest: A President
{cbosgd,ihnp4}!killer!elg      for the Electronic Age!
Snail Mail P.O. Box 92191      
Lafayette, LA 70509            BBS phone #: 318-984-3854  300/12 fli fli