[news.sysadmin] Foothead, Foothead, on the net/Who's the biggest liar yet?

gsmith@brahms.UUCP (04/18/87)

   Oh dear! There I was, snidely implying that Foothead might not understand
the net and UNIX(*) that well, and in particular might not understand the
implications of the phony arndt@prometheus appearing from daemon@ucbvax.
Wrong, wrong, wrongo--and my sincere apologies. Obviously Foothead knew about
all this.  He must have. Because Foothead IS the phony Ken Arndt. This would
explain why he was so annoyed at my original pointing out of this, above
and beyond the standard Foothead irritabilities.

  Now, I posted an article yesterday "speculating" that this was true, as a
counter to Foothead's duplicitous "speculations". As stated, this was based
on mere stylistic analyses. But in fact, we had done some more checking,
and already knew that Foothead was indulging in a "pseudoposition" of his
own. To use George Greene's more accurate and assertive formulation, Foothead
is a damn liar.  Either that, or he is indeed the biggest master baiter on
talk.religion.misc.

  First: where are the arndt@prometheus articles really coming from? Would
you believe, Rich Rosen? No, not exactly. Specifically they come from the
account rlr@borax.lcs.mit.edu.

  We have the following from the ucbvax news log:

Apr 16 06:49:20 ucbvax sendmail[7351]: AA07351: message-id=<666@prometheus.UUCP>
Apr 16 06:49:20 ucbvax sendmail[7351]: AA07351: from=<rlr@BORAX.LCS.MIT.EDU>, size=5888, class=0
Apr 16 06:49:38 ucbvax sendmail[7371]: AA07351: to=XXXX, delay=00:00:53, stat=Sent

And for confirmation, over at borax:

Apr 16 10:45:53 borax.lcs.mit.edu: 27885 sendmail: AA27885: message-id=<666@prometheus.UUCP>
Apr 16 10:45:54 borax.lcs.mit.edu: 27885 sendmail: AA27885: from=rlr, size=5772, class=0
Apr 16 10:46:47 borax.lcs.mit.edu: 27887 sendmail: AA27885: to=XXXX, delay=00:00:57, stat=Sent

(The XXXX is put there at Erik Fair's request. It is the standard method
that the bitnetters and certain non-usenet arpanetters use for posting.)

  In other words, the phony <666@prometheus.UUCP> "Ken Arndt" article
actually came from a "Rich Rosen" account at MIT. Did Rich do it? Well, Rich
is in New Jersey, whereas Foothead is at MIT, which even a Californian like
me knows is in a different state. So far, this is just Foothead-style kneejerk
"reasoning".  (Either that, or just Foothead-style pseudopositioning.)

  But what does Rich have to say about it?

  I sent him a letter asking about the rlr@borax account. According to him,
this got set up during the Brahms-Rosen "we are all Rich Rosen" wars. He
now has a password on it, and uses it to forward mail from Massachusetts.
We might wonder, does Foothead know about it? Well, lo and behold, we find
the following from the mail log at borax (and eddie concurred):

Apr 15 18:46:44 borax.lcs.mit.edu: 20516 sendmail: AA20516: message-id=<8704152247.AA14732@EDDIE.MIT.EDU>
Apr 15 18:46:45 borax.lcs.mit.edu: 20516 sendmail: AA20516: from=<fh@EDDIE.MIT.EDU>, size=1925, class=0
Apr 15 18:46:56 borax.lcs.mit.edu: 20519 sendmail: AA20516: to=<rlr@BORAX.LCS.MIT.EDU>, delay=00:00:32, stat=Sent

This was the night before the <666@prometheus.UUCP> posting!

  In other words, we get mail traffic from Foothead to rlr@borax, and then
mail traffic from rlr@borax to ucbvax here in Berkeley. Does Rich Rosen
know that Foothead is sending mail to rlr@borax? rlr@pyuxe, the original
genuine Rich Rosen, says not. He wonders how it is that Foothead is sending
mail to rlr@borax but it isn't reaching him--after all, he "knows" it's
used to forward mail to him. I will take a chance, and leap to the con-
clusion that perhaps Foothead knows how to edit .forward files. I also
notice that Foothead's mail to rlr@borax is 1925 bytes long.  The article
that <666@prometheus.UUCP> was responding to was <9322@decwrl.DEC.COM>,
which was 1663 bytes long on our system.  That does leave room for mail
headers. And what a coincidence, were Foothead the perpetrator, he would
read and save the original on eddie, and somehow get it over to borax.
(A suggestion for next time: use something other than e-mail. Magnetic
tape perhaps? :-)

  What about the Paul Koloc connection? According to Koloc, his prometheus
was broken into and a phony arndt@prometheus account was set up. This happened
just before April 1, and an April Fools' "joke" seems likely. Paul then had
to remove the account and send out cancel messages on the bogus articles.
He says a number of attempted entries were then rebuffed, the log showing
the following:

BAD LOGIN ATTEMPT arndt	tty02	Tue Mar 31 12:45:56 1987
BAD LOGIN ATTEMPT ogin:	tty02	Wed Apr  1 13:34:36 1987
BAD LOGIN ATTEMPT arndt	tty02	Fri Apr  3 11:52:47 1987
BAD LOGIN ATTEMPT arndt	tty02	Fri Apr  3 11:53:01 1987
BAD LOGIN ATTEMPT hey,_pau	tty02	Fri Apr  3 11:53:59 1987
BAD LOGIN ATTEMPT arndt	tty02	Fri Apr  3 11:54:18 1987
BAD LOGIN ATTEMPT arndt	tty02	Mon Apr  6 16:44:44 1987
BAD LOGIN ATTEMPT arndt	tty02	Mon Apr  6 16:44:56 1987
BAD LOGIN ATTEMPT arndt	tty02	Tue Apr  7 11:25:03 1987
BAD LOGIN ATTEMPT arndt	tty02	Tue Apr  7 11:25:13 1987

  Curiouser and curiouser! Bogus arndt@prometheus articles, and a bogus
arndt@prometheus login. And simultaneously, valspeak gets run on
pmk@prometheus articles. Since Foothead is strongly implicated in the
first--his insistent attempts to point the finger before anyone even
suggested he was involved are truly laughable--we wonder. And we do
recall, another, just amazing coincidence, Foothead indeed has been on
an anti-Koloc and anti-Arndt rampage from the very beginning of his known
net.existence.

  Far be it from us to ask Foothead to explain anything, or exhibit
minimal honesty. For someone who goes around exclaiming how certain
other posters are notorious liars, seeing him go into detail here
would be like getting sex and marriage tips from Tammy Bakker. The
rest of you can draw your own conclusions; those on the ARPANET can
even go telneting around for themselves if they wish to check the above.

  We have a question for the system administrators: now what?

  Do note that genuine prometheus.UUCP articles are effectively cancelled
by the pre-existence of the phonies at prometheus's feeds. Prometheus
itself did not see them, since the netnews transfer algorithm checks paths
first to avoid "obvious" redundancies.

  Let us guess at the answer: nothing. Just sit while the net degenerates
as more and more Feethead join in on the fun. Sounds reasonable.

  But in conclusion, we would like to thank Foothead for exposing the
kneejerk inability of many netters to distinguish the real Ken Arndt's
stated beliefs from an obvious forgery.  Oh no, they just had to flame
automatically. WE could tell they were phony from the beginning.  And we
think a lot (as in many) of his beliefs are screwy too. Pat Robertson for
President?  Like, fer shur, gag us with a pitchfork!

ucbvax!brahms!weemba	Matthew P Wiener/Brahms Gang/Berkeley CA 94720
ucbvax!brahms!gsmith	Gene Ward Smith /Brahms Gang/Berkeley CA 94720
Some billion years ago, an anonymous speck of protoplasm protruded the
first primitive pseudopodium into the primeval slime, and perhaps the
first state of uncertainty occurred.		   --I J Good

(*) UNIX is a registered Trademark of AT&T.
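
The log correlation this post walks through, as an added example that is not part of the original post: it parses the sendmail lines quoted above, folds them by queue ID, joins the two hosts on Message-ID, and lists who mailed the originating account. The function names, and the rule that a bare sender such as "rlr" is local to the logging host, are assumptions of the example.

```python
import re
from collections import defaultdict

# Log lines quoted in the post above (ucbvax news log, borax mail log).
LOG = """\
Apr 16 06:49:20 ucbvax sendmail[7351]: AA07351: message-id=<666@prometheus.UUCP>
Apr 16 06:49:20 ucbvax sendmail[7351]: AA07351: from=<rlr@BORAX.LCS.MIT.EDU>, size=5888, class=0
Apr 16 06:49:38 ucbvax sendmail[7371]: AA07351: to=XXXX, delay=00:00:53, stat=Sent
Apr 16 10:45:53 borax.lcs.mit.edu: 27885 sendmail: AA27885: message-id=<666@prometheus.UUCP>
Apr 16 10:45:54 borax.lcs.mit.edu: 27885 sendmail: AA27885: from=rlr, size=5772, class=0
Apr 16 10:46:47 borax.lcs.mit.edu: 27887 sendmail: AA27885: to=XXXX, delay=00:00:57, stat=Sent
Apr 15 18:46:44 borax.lcs.mit.edu: 20516 sendmail: AA20516: message-id=<8704152247.AA14732@EDDIE.MIT.EDU>
Apr 15 18:46:45 borax.lcs.mit.edu: 20516 sendmail: AA20516: from=<fh@EDDIE.MIT.EDU>, size=1925, class=0
Apr 15 18:46:56 borax.lcs.mit.edu: 20519 sendmail: AA20516: to=<rlr@BORAX.LCS.MIT.EDU>, delay=00:00:32, stat=Sent
"""

# Both layouts seen above: "host sendmail[pid]: QID:" and "host: pid sendmail: QID:".
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+?):? "
    r"(?:sendmail\[\d+\]|\d+ sendmail): (?P<qid>[A-Z]{2}\d+): (?P<rest>.*)$"
)


def normalise(addr, local_host=None):
    """Strip <>, lower-case, and (for senders) qualify a bare local user.

    Assumption: an unqualified sender is an account on the logging host.
    """
    addr = addr.strip("<>").lower()
    if local_host and "@" not in addr:
        addr = f"{addr}@{local_host.lower()}"
    return addr


def parse(log_text):
    """Fold the per-line entries into one record per (host, queue ID)."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a sendmail queue line
        rec = msgs[(m["host"], m["qid"])]
        rec.setdefault("host", m["host"])
        # Host-local clock: do not compare these across machines.
        rec.setdefault("first_seen", m["ts"])
        for field in m["rest"].split(", "):
            key, _, value = field.partition("=")
            if key == "from":
                value = normalise(value, m["host"])
            elif key == "to":
                value = normalise(value)
            rec[key] = value
    return list(msgs.values())


def trace(records, message_id):
    """Every hop that logged this Message-ID, keyed by host."""
    return {r["host"]: r for r in records if r.get("message-id") == message_id}


def origin_account(hops):
    """Sender on the hop where the message was submitted locally, if any."""
    for host, rec in hops.items():
        sender = rec.get("from", "")
        if sender.endswith("@" + host.lower()):
            return sender
    return None


def mailed_to(records, account):
    """(first_seen, sender, size) for each message delivered to `account`."""
    return [
        (r["first_seen"], r["from"], int(r["size"]))
        for r in records
        if r.get("to") == account
    ]


if __name__ == "__main__":
    records = parse(LOG)
    hops = trace(records, "<666@prometheus.UUCP>")
    for host, rec in hops.items():
        print(f"{host}: from={rec['from']} size={rec['size']} at {rec['first_seen']}")
    origin = origin_account(hops)
    print("locally submitted by:", origin)
    for when, sender, size in mailed_to(records, origin):
        print(f"mail to {origin}: {sender}, {size} bytes, {when}")
```

The join key is the Message-ID, not the timestamp: each host stamps its own clock, so the two machines' times cannot be lined up directly.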

jbuck@epimass.UUCP (04/19/87)

I'm opposed to censorship.  Despite all of "Mark Ethan Smith"'s
obnoxiousness, I don't think it was appropriate to throw him? her?
off of well and chinet.  However, forging articles, breaking into
machines, altering others' articles, and changing .forward files
to redirect mail are grounds not only for being thrown off the net,
but possibly a criminal case can be made (for the prometheus
breakins).

If even 1/4 of the allegations in the parent article are true,
a certain "Foothead" character should be off the net.
-- 
- Joe Buck    {hplabs,ihnp4,sun,ames}!oliveb!epimass!jbuck
	      seismo!epiwrl!epimass!jbuck  {pesnta,tymix,apple}!epimass!jbuck

ambar@eddie.MIT.EDU (Jean Marie Diaz) (04/19/87)

In article <1065@epimass.UUCP> jbuck@epimass.UUCP (Joe Buck) writes:
>
>However, forging articles, breaking into
>machines, altering others' articles, and changing .forward files
>to redirect mail are grounds not only for being thrown off the net,
>but possibly a criminal case can be made (for the prometheus
>breakins).

The application for tourist accounts on mit-eddie warns people that
their accounts may be deactivated for no reason at all.  This
provision has not been invoked here for as long as I can remember, and
it is not being invoked now.

Faking mail and/or news is not tolerated here.  The shell scripts in
Foothead's home directory for doing both are ample reason to pull his
account.  Whether or not he is the perpetrator of the fake
arndt@prometheus articles is not relevant, although I would add that
files in /usr/rlr on borax seem to bear this out, as they contain the
tell-tale line:
To: (Erik Fair's magic address, which I won't post)

At any rate, we will not tolerate people using mit-eddie as a base for
harassing people.  fh@mit-eddie is gone.

Jean Marie Diaz, EECS/ECF Staff
ARPA: ambar@eddie.mit.edu		UUCP: {backboneslarerol nout3.2rat

rs@mirror.TMC.COM (Rich Salz) (04/19/87)

Nice work in tracking down what's going on, fellows; I appreciate
it, as do many others on the net, I'm sure.
	/r$
-- 
--
Rich $alz					"Drug tests p**s me off"
Mirror Systems, Cambridge Massachusetts		rs@mirror.TMC.COM
{cbosgd, cca.cca.com, harvard!wjh12, ihnp4, mit-eddie, seismo}!mirror!rs

ooblick@eddie.MIT.EDU (Mikki Barry) (04/20/87)

In article <5553@eddie.MIT.EDU> ambar@eddie.UUCP (Jean Marie Diaz) writes:
>In article <1065@epimass.UUCP> jbuck@epimass.UUCP (Joe Buck) writes:

>>However, forging articles, breaking into
>>machines, altering others' articles, and changing .forward files
>>to redirect mail are grounds not only for being thrown off the net,
>>but possibly a criminal case can be made (for the prometheus
>>breakins).

Yes, I heartily agree.  But only if someone is actually doing these things,
and it can be proven.

>Faking mail and/or news is not tolerated here.  The shell scripts in
>Foothead's home directory for doing both are ample reason to pull his
>account.  Whether or not he is the perpetrator of the fake
>arndt@prometheus articles is not relevant, although I would add that
>files in /usr/rlr on borax seem to bear this out, as they contain the
>tell-tale line:
>To: (Erik Fair's magic address, which I won't post)

An important factor that everyone seems to have missed here is that
Foothead's home directory was PROTECTED.  I have spoken to foothead on
this issue, and he told me that not only are his directories protected,
but the "shell scripts" in them were created to give net access to
Pooh, and to Paul Zimmerman, a FACT, that I have checked with both of
them.  This was done with the full consent of OTHER EECS staff.

Charging somebody with faking mail and news before you have proof, and while
the only evidence you have is obtained by using your root privs to read
other's protected directories is quite the case of the pot calling the kettle
black.  This is a certain case of "jumping the gun" at best, and blatant
censorship at worst.

You don't like foothead, fine.  Delete his account, but don't make up
lies to justify your actions.  By the way, Ambar, did you check with anyone
else on staff before trashing someone else's account?

>At any rate, we will not tolerate people using mit-eddie as a base for
>harassing people.  fh@mit-eddie is gone.

And I do not like the fact that you appear to be using your root privs
to look through protected directories.  I also don't like faked news and/or
mail articles.  If it is proven that fh did it, great.  Kick him off the
net forever.  But trashing someone before you have proof is reprehensible.

Mikki Barry

cetron@utah-cs.UUCP (Edward J Cetron) (04/20/87)

In article <5558@eddie.MIT.EDU> ooblick@eddie.UUCP (Mikki Barry) writes:
[...]
->An important factor that everyone seems to have missed here is that
->Foothead's home directory was PROTECTED.  I have spoken to foothead on
->
[...]
->
->And I do not like the fact that you appear to be using your root privs
->to look through protected directories.  I also don't like faked news and/or
->mail articles.  If it is proven that fh did it, great.  Kick him off the
->net forever.  But trashing someone before you have proof is reprehensible.
->
->Mikki Barry

	1. kicking anyone off without proof, i agree, is totally wrong. On the
other hand, TEMPORARILY disabling an account and contacting the owner to 
ascertain what has/is happening IS legit. But in OUR shop, if/when it becomes
permanent, you can bet a formal written letter is sent. 

	but this is my main point, the following is:

	2. On the machines that I am responsible for, it's my ass on the line.
If one of our users starts to abuse the network, fake mail, run an illegal
escort service :-) or whatever from one of our machines, I'm going to catch it
just as bad as the offender (and you can bet I will pass it on).  If AFTER 
sufficient evidence or complaints are filed/found, I WILL ABSOLUTELY USE ANY
OF MY ROOT/SYSTEM PRIVILEGES TO GET TO THE BOTTOM OF THE SITUATION. This is not
to say I will unilaterally 'trash' a user (even though it is explained to ALL
users that I can and will if I deem it necessary) but it is also understood
that the machines in our facility are the center's NOT the users' and that
NOTHING on the machines is considered sacrosanct.  Only on two occasions have
I ever had to use those root permissions:
	a) The lab was expecting a critical letter from an outside source
(just so happened to be mit :-) )  and the student whose account it was to be
sent to was gone for three days, so i monitored syslog until it arrived and
pulled it out of his directory.  NOTE: this was lab business NOT personal mail
and gov't contracting agencies wait for no man.
	b) we had a professor in one of the dept's who seemed to be raiding 
student accounts for neat programs.  After a student complained we monitored
his account. sure enough, several programs auto-magically appeared in his
account which had the same checksum as those in student accounts (and no, the
students were not his).  Unfortunately, due to internal politics of this other
dept., in spite of the evidence, we could do nothing (not to mention this prof
had root privs) except cut off his root priv's. (though we finally got even
using a trojan horse program which he then also stole.....:-))

	Both times I 'snooped', neither time did I feel guilty.  I, and the
lab, expect our personnel to be professionals and as such we respect their 
privacy as much as possible - UP TO A POINT.  If we see abuse or hear of it
from reliable channels, I will investigate it using whatever means is
appropriate, if that means snooping, so be it.

If Ambar trashed an account without due reason, then that WAS wrong, but to
complain about using root priv's to obtain evidence is crap.

-ed cetron
Computer Services Manager
Center for Engineering Design
Univ. of Utah

cetron@cs.utah.edu
cetron@utahcca.bitnet

mjranum@gouldsd.UUCP (Marcus J Ranum) (04/20/87)

In article <4510@utah-cs.UUCP>, cetron@utah-cs.UUCP (Edward J Cetron) writes:

> 	a) The lab was expecting a critical letter from an outside source
> (just so happened to be mit :-) )  and the student whose account it was to be
> sent to was gone for three days, so i monitored syslog until it arrived and
> pulled it out of his directory.  NOTE: this was lab business NOT personal mail
> and gov't contracting agencies wait for no man.

	What you are talking about here is a violation of Federal Law. Electronic
mail is protected under the same protection as the US Mail, despite the speed
difference !  It is legal for root to read a user's files, delete them, trash
an account, or even edit a user's files, but electronic mail is protected.
Note that net postings are not, since they are not addressed to an individual.
If you think I am talking through my hat about this, ask your lawyer. If you
are concerned about covering your ass as much as you say, you'd think twice
before posting a public admission of guilt in a situation like this. Whether
it is LAB business OR personal mail would be irrelevant in the case that the
student chose to press charges - you'd have to be able to prove that you
KNEW it was addressed to other than him BEFORE you read it, AND then you'd
have to explain why it was mailed to her/his address. 

	Don't you know it's bad juju to read someone's stuff ?  From what I can
gather, though, if you have mailfiles owned by Oliver North it's okay to
give 'em out.

> -ed cetron
> Computer Services Manager
> Center for Engineering Design

Marcus J Ranum
news/uucp admin.
-- 
Copyright, 1987 -  Anarchist Software Foundation - ALL RIGHTS RESERVED
In reproducing this document in any form, the licensee (you) agrees to
pay the ASF  5$/copy distributed,  and to admit that software law is a
subject better left for lawyers and slimy nerds.    Live Free or die !

cetron@utah-cs.UUCP (Edward J Cetron) (04/20/87)

In article <493@gouldsd.UUCP> mjranum@gouldsd.UUCP (Marcus J Ranum) writes:
>	What you are talking about here is a violation of Federal Law. Electronic
>mail is protected under the same protection as the US Mail, despite the speed
>difference !  It is legal for root to read a user's files, delete them, trash

	Wrongo, there has yet to be a law that specifically addresses e-mail
in the same way as us mail is federally protected.  There have/are several
which address 'stealing' of information services and data but ALL of the ones
that I have seen do NOT address the issue of the machines owner 'snooping'.
Given that NONE of our users own any part of the machine, pay not even a penny
for time on the machine, it is very hard to say that they have any RIGHT to
any data on the machines.  Now with the copyright laws, I am sure that one
could conceivably be charged with unauthorized reproduction, or with plagiarism
if done in an academic environment.  However, e-mail to/from our sites are NOT
protected by any such law.  

	By the way, I DID know in advance that the letter would be sent, I DID
know in advance that the author of the letter was going to send it to a 
particular user (note he is NOT a student, not that it matters) and that he
was sending it there since he had an alias to send it there on his computer
and couldn't be persuaded to send it out correctly instead (too many %'s and 
extra 5 words - but then faculty has its rank :-) ).

	If anyone DOES know of laws which are intended to put e-mail under
protection similar to us mail, I'd be interested in seeing references.

(and by the way, there ARE several times in which it IS legal for USPS people
to open personal mail)

-ed cetron

pdb@sei.cmu.edu (Patrick Barron) (04/20/87)

In article <493@gouldsd.UUCP> mjranum@gouldsd.UUCP (Marcus J Ranum) writes:
>	What you are talking about here is a violation of Federal Law. Electronic
>mail is protected under the same protection as the US Mail, despite the speed
>difference !  It is legal for root to read a user's files, delete them, trash
>an account, or even edit a user's files, but electronic mail is protected.

Haven't we been through this before?  No, electronic mail is NOT protected
the same way US Mail is.  It's not even really "mail" as such.

If I own the disk it's written on, then I have a perfect right to read any-
thing on that disk, even electronic mail.  Whether or not it's the "right"
thing to do is an entirely different question - I think, in the situation Ed
cited, it was certainly a reasonable thing to do.

--Pat.

jbuck@epimass.UUCP (Joe Buck) (04/20/87)

In article <5558@eddie.MIT.EDU> ooblick@eddie.UUCP (Mikki Barry) writes:
>An important factor that everyone seems to have missed here is that
>Foothead's home directory was PROTECTED.  I have spoken to foothead on
>this issue, and he told me that not only are his directories protected,
>but the "shell scripts" in them were created to give net access to
>Pooh, and to Paul Zimmerman, a FACT, that I have checked with both of
>them.  This was done with the full consent of OTHER EECS staff.

Foothead did not own any part of the machine he was using.  Ambar was
using her root privs properly; I would do the same on my machine.
The info gathered against Foothead was quite sufficient to justify an
investigation.

>Charging somebody with faking mail and news before you have proof, and while
>the only evidence you have is obtained by using your root privs to read
>other's protected directories is quite the case of the pot calling the kettle
>black.

It is not.  The system administrator not only has the right, but the
DUTY, to investigate in cases like this.  If she had come across any
confidential information in the process of investigating, it would be
her moral obligation not to reveal it to anyone else.  But if she
came across incriminating evidence -- burn the dude!

-- 
- Joe Buck    {hplabs,ihnp4,sun,ames}!oliveb!epimass!jbuck
	      seismo!epiwrl!epimass!jbuck  {pesnta,tymix,apple}!epimass!jbuck

jbuck@epimass.UUCP (Joe Buck) (04/21/87)

In article <493@gouldsd.UUCP> mjranum@gouldsd.UUCP (Marcus J Ranum) writes:
>What you are talking about here is a violation of Federal Law. Electronic
>mail is protected under the same protection as the US Mail, despite the speed
>difference !  It is legal for root to read a user's files, delete them, trash
>an account, or even edit a user's files, but electronic mail is protected.
>Note that net postings are not, since they are not addressed to an individual.
>If you think I am talking through my hat about this, ask your lawyer.

You are talking through your hat, and obviously have never discussed
this with a lawyer.  Just because we call it "electronic mail"
doesn't mean the gov't thinks it's mail.  Please don't spread
misinformation on the net when you obviously have no idea what you're
talking about.

>Don't you know it's bad juju to read someone's stuff ?

Yes, it is.  But UUCP mail has never been officially ruled to be "mail"
according to the law.
-- 
- Joe Buck    {hplabs,ihnp4,sun,ames}!oliveb!epimass!jbuck
	      seismo!epiwrl!epimass!jbuck  {pesnta,tymix,apple}!epimass!jbuck

root@killer.UUCP (04/21/87)

In article <5558@eddie.MIT.EDU>, ooblick@eddie.MIT.EDU (Mikki Barry) writes:
> In article <5553@eddie.MIT.EDU> ambar@eddie.UUCP (Jean Marie Diaz) writes:
> >In article <1065@epimass.UUCP> jbuck@epimass.UUCP (Joe Buck) writes:
> 
> >>However, forging articles, breaking into
> >>machines, altering others' articles, and changing .forward files
> >>to redirect mail are grounds not only for being thrown off the net,
> >>but possibly a criminal case can be made (for the prometheus
> >>breakins).
> 
> Yes, I heartily agree.  But only if someone is actually doing these things,
> and it can be proven.
> 
> >Faking mail and/or news is not tolerated here.  The shell scripts in
> >Foothead's home directory for doing both are ample reason to pull his
> >account.  Whether or not he is the perpetrator of the fake
> >arndt@prometheus articles is not relevant, although I would add that
> >files in /usr/rlr on borax seem to bear this out, as they contain the
> >tell-tale line:
> 
> An important factor that everyone seems to have missed here is that
> Foothead's home directory was PROTECTED.  I have spoken to foothead on
> this issue, and he told me that not only are his directories protected,
> 
> Charging somebody with faking mail and news before you have proof, and while
> the only evidence you have is obtained by using your root privs to read
> other's protected directories is quite the case of the pot calling the kettle
> black.  This is a certain case of "jumping the gun" at best, and blatant
> censorship at worst.
> 
> And I do not like the fact that you appear to be using your root privs
> to look through protected directories.  I also don't like faked news and/or
> mail articles.  If it is proven that fh did it, great.  Kick him off the
> net forever.  But trashing someone before you have proof is reprehensible.
> 
> Mikki Barry


Mikki,

   In all reasonableness, the "tracing" of the origin of the fake articles
was being traced to mit-eddie as the most common point of apparent origin.

   Next, if, as you state, his directory was PROTECTED and contained the
utilities to fake articles, alter .forward files, and whatever else they
would do, then this is reasonable proof that either the owner of that
directory or someone who had access to it were the perpetrator(s). If it
is fact that two other people also had access to this directory, it is
possible that one of those *could* have disclosed this information to a
third party who *could* have been the person actually causing the problems.

   However, the fact remains that the scripts for creating these fakes and
altering the files did exist (I have to assume they were, in fact, found
there) in a "protected" login directory is ample reason to state that the
articles originated from that login id. Perhaps the statement that the
individual was the one who actually typed the articles could be inaccurate
but that, also, would be virtually impossible to PROVE unless there was a
witness. Even software to monitor the exchange between a terminal device
and the system could not conclusively prove that a particular person was
the one with the "fingers on the keys".

   The POSSESSION of the necessary scripts IS ample proof to remove the
login and the directory. I would not hesitate to do exactly the same. I
do not use root privs to "snoop" or for any other purpose than to keep
up with the maintenance of my system and the software. I do monitor the
system performance but that is necessary to maintain the system and
keep it available for use. However, if there is a question of where
what you may call "snooping" may end and the security of the system and
the net are concerned, I will not hesitate to use whatever means at my
disposal to protect them. I also would not hesitate to remove a login
that contained such scripts as to fake articles, alter them as the ones
in question were, or to access another user's files without authorization
from that user.

   One other note. I would also not hesitate to give pooh, you, or the
other person access to my system if access to the net was needed. I
would, however, require only that nothing such as the faked articles be
done and would guarantee that your files were secure from me as well as
from the other users. I also must guarantee that if those types of actions
were traced to my system, I would certainly be looking for the origin
with whatever means at my disposal.

   Hopefully, you will not view this as a flame - it certainly is not
meant to be.

                                          Charles Boykin

                                    {cuae2,ihnp4}!killer!root

chapman@eris.UUCP (04/22/87)

In article <493@gouldsd.UUCP> mjranum@gouldsd.UUCP (Marcus J Ranum) writes:
>What you are talking about here is a violation of Federal Law. Electronic
>mail is protected under the same protection as the US Mail, despite the speed
>difference !  

WHOA, THERE!  That's one helluva claim...  

Care to cite some sources to back up your statement?

Your assertion that you're not just blowing smoke is all well and good, but
I'd rather see you cite a specific Federal statute or state your credentials 
as a lawyer or _something_ to give me a little more reason to believe what 
you say.


Brent
--
Brent Chapman

chapman@mica.berkeley.edu	or	ucbvax!mica!chapman

gsmith@brahms.UUCP (04/22/87)

In article <3198@mirror.TMC.COM>, rs@mirror (Rich Salz) writes:
>Nice work in tracking down what's going on, fellows; I appreciate
>it, as do many others on the net, I'm sure.

Many thanks Rich, but much is still unclear.  Certain things would be
nice to clarify.  Certain other things will probably never be genuinely
known.  The eddie sysadmins are no longer interested.  It will probably
never be known whether Lee Harvey Foothead was acting alone...

rlr@pyuxe (the original and genuine Rich Rosen) wishes to declare his
innocence in the whole affair.  We know from the logs that fh@eddie was
sending e-mail to both rlr@borax and rlr@pyuxe separately.  In particu-
lar, we conjecture that fh@eddie knew that the .forward file at rlr@borax
was changed.  The real Rich Rosen tells us further that he has changed
his rlr@borax password since this all broke out in the open.

(This is why we are cross-posting back to *.religion and even posting
again--Rich Rosen has gotten e-mail congratulating him for his clever
Arndt sendups, and wants us to be more explicit.)

We also know, according to the logs, that no one *but* fh@eddie sent
e-mail to rlr@borax the week before the phony article <666@prometheus>
was posted.  We should have mentioned this the first time around, but it
did not occur to us that this negative item had separate significance.

Along these lines, we received mail from a long-time reader of *.religion
to the effect that six weeks ago or so he saw fh@eddie remotely logged
on to rlr@borax.

Matthew and I are also a bit taken aback at the abrupt sinking of the
fh@eddie account.  We were having our little fun, casting our net of
little clue by little clue, baiting the Fishhead.  We're confident he
will flounder in from some other port and muddy the waters well.

(OK, so we've overfished our metaphors.  So sue us.)

We do not claim the evidence we found was conclusive of anything, nor
do we believe that "proof", short of a notarized confession, even exists
in any true sense as a philosophical point, so your insistence on such,
Mikki, was completely unrealistic.  Hell, it's not generally known who
"Foothead" really is in the first place.  For all we can tell, some super
clever hacker who hates fh@eddie to the core was setting him up for the
big fall, confident that the brahms gang would track down the news, mail
and login logs on four machines that he purposely forged just for this
purpose.  We doubt it very much.  We suspect that fh@eddie, half-bright
boy that he is, was merely half-clever enough to use rlr@borax to half-hide
his tracks.  As long-time readers of *.religion all remember, anything is
possible, but only a few things actually happen.

We personally disapprove of eddie's strict policy concerning forged news.
We have posted at times articles apparently from Santa Claus or "the real
Rich Rosen" with a standard brahms gang signature.  We don't think anyone
was fooled by them.  And we enjoyed the mod.announce April Fools' Day
forging of a "Mark Horton" article, and the fake ubizmo@brahms "UCB Wrath
Dept" articles some time back immensely.  The fake "arndt@prometheus"
articles, however, were feet of a different odor entirely.  We do not
deny that some people find vicious harassment of others quite hilarious,
but even Mikki has "heartily agreed" that these particular forgeries were
out of acceptable net.bounds.

We also are sorry that Gene Spafford judges talk.* based on Bonehead's
personal campaign to turn talk.religion.misc into a proctological exam-
ination room.  From the very beginning he stated that his purpose was to
outflame the brahms gang and anyone else, etc.  The grapevine we've heard
says that Foothead wanted to be the big metaflamer of the flamers--we
think he has overdone it for some months now, and this latest has merely
blown up in his face.  Unfortunately, talk.religion.misc and talk.* suf-
fers for this.

As a final comment, it was refreshing to see the real Ken Arndt.  In case
there was any lingering doubt, do note that it was crossposted to two max-
imally inappropriate groups.

ucbvax!brahms!weemba	  Matthew P Wiener/Brahms Gang/Berkeley CA 94720
ucbvax!brahms!gsmith	  Gene Ward Smith /Brahms Gang/Berkeley CA 94720
Those imposters, then, whom they call mathematicians, I consulted without
scruple, because they seemed to use no sacrifice, nor pray to any spirit
for their divinations.  		--Saint Augustine

sguest@bacchus.UUCP (04/22/87)

In article <1129@cartan.Berkeley.EDU> gsmith@brahms.Berkeley.EDU (Gene Ward Smith) writes:
>rlr@pyuxe (the original and genuine Rich Rosen) wishes to declare his
>innocence in the whole affair.  We know from the logs that fh@eddie was
>sending e-mail to both rlr@borax and rlr@pyuxe separately.  In particular,
>we conjecture that fh@eddie knew that the .forward file at rlr@borax
>was changed.  The real Rich Rosen tells us further that he has changed
>his rlr@borax password since this all broke out in the open.
>....
>Along these lines, we received mail from a long-time reader of *.religion
>to the effect that six weeks ago or so he saw fh@eddie remotely logged
>on to rlr@borax.

A couple of interesting bits...

Every login into fh@eddie which came from borax was preceded (by 1-2
minutes) by a login into rlr@borax.  This for a period of two weeks.

On the night that fh@eddie's account was turned off, rlr@borax had NO
.forward file.

Enjoy!
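
The login correlation described in the post above, as an added example that is not part of the original post: it pairs each fh login on eddie arriving from borax with an rlr login on borax in the preceding two minutes. The record format, timestamps, UTC offsets and the origins `remote-a.example` and `dialup-3` are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed records, not taken from the thread: "date time utc-offset user origin".
# borax logs local time; eddie is assumed (for illustration) to log UTC.
BORAX_LOGINS = """\
1987-04-02 21:14:05 -0500 rlr remote-a.example
1987-04-03 22:40:10 -0500 rlr remote-a.example
1987-04-05 09:00:00 -0500 rlr console
"""
EDDIE_LOGINS = """\
1987-04-03 02:15:30 +0000 fh borax
1987-04-04 03:41:55 +0000 fh borax
1987-04-05 01:05:00 +0000 fh borax
1987-04-05 15:30:00 +0000 fh dialup-3
"""

def parse(text):
    """Return sorted (timezone-aware timestamp, user, origin) tuples."""
    records = []
    for line in text.splitlines():
        date, clock, offset, user, origin = line.split()
        ts = datetime.strptime(f"{date} {clock} {offset}", "%Y-%m-%d %H:%M:%S %z")
        records.append((ts, user, origin))
    return sorted(records)

def correlate(src, dst, src_host, src_user, dst_user, window=timedelta(minutes=2)):
    """Pair each dst_user login arriving from src_host with the latest
    src_user login on src_host in the preceding window; list the rest."""
    src_times = [ts for ts, user, _ in src if user == src_user]
    matched, unmatched = [], []
    for ts, user, origin in dst:
        if user != dst_user or origin != src_host:
            continue  # different account, or not arriving from the pivot host
        prior = [s for s in src_times if timedelta(0) <= ts - s <= window]
        if prior:
            matched.append((max(prior), ts))
        else:
            unmatched.append(ts)
    return matched, unmatched

if __name__ == "__main__":
    matched, unmatched = correlate(parse(BORAX_LOGINS), parse(EDDIE_LOGINS),
                                   "borax", "rlr", "fh")
    for earlier, later in matched:
        print(f"rlr@borax {earlier.isoformat()} -> fh@eddie {later.isoformat()} "
              f"(+{int((later - earlier).total_seconds())}s)")
    print(f"{len(unmatched)} login(s) from borax with no preceding rlr session")
```

Parsing the offset with each timestamp keeps the window comparison valid when the two hosts log in different time zones; the unmatched list is what tells you whether the pattern holds for every login or only some.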

ooblick@mit-eddie.UUCP (04/22/87)

Since I opened my mouth on this issue in the first place, I feel obliged
to clarify my views.

First, I admit a big error in being upset about root using privileges
when someone is accused of wrongdoing.  I should have thought first.

However, when said "root" then posts to the net that fh was using scripts
in his login to "forge news and mail", this is where I get upset.  This
was blatantly untrue.  The scripts were used to allow Pooh and Paul
Zimmerman news and mail access.  I have been told that "time" was the
reason why this was not checked out before action was taken.  However, the
time it has taken in posting to the net in the first place, then in
response to complaints from myself and others, seems to indicate that it
would have been much more prudent to check first.

Therefore, the reasons posted to the net for removing fh were bogus.
On the other hand, fh could just as easily (and without so much bullshit)
have been removed for NO reason, or because it sure looks like he at least
had something to do with the phony arndt articles.

Not that I am crushed because fh is no more (quite the contrary), I just
don't like the "act now, check later" attitude, and hope that other sysadmins
do not adopt it.

Mikki Barry

phil@amdcad.UUCP (04/23/87)

In article <3258@jade.BERKELEY.EDU> chapman@eris.BERKELEY.EDU (Brent Chapman) writes:
<In article <493@gouldsd.UUCP> mjranum@gouldsd.UUCP (Marcus J Ranum) writes:
<<What you are talking about here is a violation of Federal Law. Electronic
<<mail is protected under the same protection as the US Mail, despite the speed
<<difference !  
<
<WHOA, THERE!  That's one helluva claim...  
<
<Care to cite some sources to back up your statement?

After Mr. Ranum's claims about the status of the Lions books, I'm not
much inclined to believe his statements without additional proof either. 

-- 
Phil Ngai, {ucbvax,decwrl,allegra}!amdcad!phil or amdcad!phil@decwrl.dec.com

glr@m-net.UUCP (Glen L. Roberts) (04/25/87)

In article <3258@jade.BERKELEY.EDU> chapman@eris.BERKELEY.EDU (Brent Chapman) writes:
>In article <493@gouldsd.UUCP> mjranum@gouldsd.UUCP (Marcus J Ranum) writes:
>>What you are talking about here is a violation of Federal Law. Electronic
>>mail is protected under the same protection as the US Mail, despite the speed
>>difference !  
>
>WHOA, THERE!  That's one helluva claim...  
>
>Care to cite some sources to back up your statement?
>
>Your assertation that you're not just blowing smoke is all well and good, but
>I'd rather see you cite a specific Federal statute or state your credentials 
>as a lawyer or _something_ to give me a little more reason to believe what 
>you say.
>
>

    A lot of people don't think that electronic mail is protected.  Well, it's
not the same protection as US Mail.  However, since the Electronic
Communications Privacy Act went into effect on January 17th, 1987, there
are restrictions on reviewing electronic mail and other data, without
authorization.

New section [18 usc] 2701 Unlawful access to stored communications

    Subsection (a) of this new section creates a criminal offense for
either intentionally accessing, without authorization, a facility through
which an electronic communication service is provided, or for intentionally
exceeding the authorization for accessing that facility. Subsection 2701,
also provides that the offender must obtain, alter, or prevent authorized
access to a wire or electronic communication while it is in electronic
storage in such an electronic storage system in order to commit a violation
under the subsection. The term ``electronic storage'' is defined in section
2510(17) of title 18 [us criminal code] and includes both temporary,
intermediate storage of a wire to electronic communication incidental to
the transmission of the message, and any storage of such a communication by
the electronic communication service for purposes of backup protection of
the communication.

    This provision addresses the growing problem of unauthorized persons
deliberately gaining access to, and sometimes tampering with, electronic
or wire communications that are NOT INTENDED to be available to the public.
...

    Subsection (b) of this new section provides punishment for violation
of subsection (a). A distinction is drawn between offenses committed for
purposes of commercial advantage, malicious destruction or damage, or
for private commercial gain and all other types of violation. If the
offense is committed for private or commercial gain or for malicious
destruction the subsection provides A FINE OF NOT MORE THAN $250,000 OR
IMPRISONMENT FOR NOT MORE THAN ONE YEAR OR BOTH, for a first offender....


-- 
Glen L. Roberts, Box 8275-UN, Ann Arbor, Michigan 48107
{!ihnp4!itivax!m-net!glr} <-- don't expect a reply, !Mail is brain damaged here
``No government door can be closed against the 1st Amendment and no
  government action is immune from its force.'' -Bursey v. US (466 F.2d 1059)

oleg@quad1.quad.com (Oleg Kiselev) (04/27/87)

With all the flames and thundering declamations about Foothead's alleged
forgeries...

Yes, it was obvious that "arndt@prometheus.UUCP" articles were forged.  I think
it's the responsibility of the site administration at prometheus to control
their users.  Yes, the "arndt@prometheus.UUCP" articles with <ucbvax> article
ID's look like fakes as well.  If it is proven that Foothead is behind it all,
I will be rather disappointed in Foothead.

Meanwhile, I would like to remind Gene Ward Smith that the reason *I* no longer
have an account on LOCUS.UCLA.EDU is because I gave Brahms Gang an access to
News posting at UCLA while brahms.berkeley.edu was off the net.  That the same
individual that caused a temporary shut-down of brahms' posting privileges was
rather displeased to see a few messages with crudely constructed headers come
from UCLA, signed by Brahms Gang.  And UCLA was all too happy to use these
"forgeries" as an excuse to kill my account, which, with the restrictive
computer access rules at UCLA, they could and should have done anyway since
I was no longer involved with the project that required a UNIX system access.
But it's one thing to terminate an account on "expiration date reached" basis,
and completely different thing to shut a site (oacvax.ucla.edu) off ethernet
access, deny oacvax.ucla.edu NNTP access to the UCLA News server, launch an
"investigation" into alleged (and absurd) abuses of "system access" and vouch
to never ever allow me any access to any of the UCLA systems for as long as
I live (an empty and impotent threat, but an annoying one).  And that's for
letting the Crusaders of the Net Justice have a posting access to the NET by
legitimately setting up an account on a UCLA machine that they could telnet to.

Draw your own conclusions.  Tighter security of the NET is a great idea, but
I can look back at the rather unjust treatment *I* received and wonder if some
people have been getting over-zealous...
-- 
Oleg Kiselev  --  oleg@quad1.quad.com -- {...!psivax|seismo!gould}!quad1!oleg

DISCLAIMER: All grammatical and spelling errors are inserted deliberately to
test the software I am developing.  In fact, that is the only reason I am 
posting. Yeah, that's the ticket! All my postings are just test data! Yeah!!

magore@watdcsu.UUCP (05/01/87)

In article <1221@m-net.UUCP> glr@m-net.UUCP (Glen L. Roberts) writes:
[munch...]

>New section [18 usc] 2701 Unlawful access to stored communications
>
>    Subsection (a) of this new section creates a criminal offense for
>either intentionally accessing, without authorization, a facility through
>which an electronic communication service is provided, or for intentionally
>exceeding the authorization for accessing that facility. Subsection 2701,
>also provides that the offender must obtain, alter, or prevent authorized
>access to a wire or electronic communication while it is in electronic
>storage in such an electronic storage system in order to commit a violation
	
	Hmmm, This raises a rather subtile [ or disturbing ] question.

An aside and a general question to everyone: I wonder, in which cases does 
a user have the right to _prevent_ 'authorized' access? Isn't it also an 
issue of whether such right to privacy were ever in fact given in the 
mit-eddie case that started this discussion ?

	[ This could be an interesting loop hole  ? ]

				Comments ???

[munch...]
>	A distinction is drawn between offenses committed for
>purposes of commercial advantage, malicious destruction or damage, or
>for private commercial gain and all other types of violation. If the
>offense is committed for private or commercial gain or for malicious
>destruction the subsection provides A FINE OF NOT MORE THAN $250,000 OR
>IMPRISONMENT FOR NOT MORE THAN ONE YEAR OR BOTH, for a first offender....

>Glen L. Roberts, Box 8275-UN, Ann Arbor, Michigan 48107

I would like to change the topic and ask a few new questions:

	If someone made, say a box to defraud the phone company 
by altering records and or fake signals, and the phone company used their 
'privileges' to track down said person, then which of the following could 
be said to be violating the law:

	1) The phone company ?
	2) The person obtaining unauthorised access and faking the records ?
	3) Neither ?
	4) Both of them ?
	5) None of the above?  [ explain ]

Best Regards,


# Mike Gore 
# Institute for Computer Research. ( watmath!mgvax!root - at home )
# These ideas/concepts do not imply views held by the University of Waterloo.

res@sdiris1.UUCP (Robert Sanders) (05/05/87)

In article <3333@watdcsu.UUCP>, magore@watdcsu.UUCP writes:
> 	If someone made, say a box to defraud the phone company 
> by altering records and or fake signals, and the phone company used their 
> 'privileges' to track down said person, then which of the following could 
> be said to be violating the law:
> 
> # Mike Gore 
> # Institute for Computer Research. ( watmath!mgvax!root - at home )
> # These ideas/concepts do not imply views held by the University of Waterloo.

There is an exception in the ECPA which allows system management to monitor/
record traffic in tracing unlawful activities by users...

(I haven't read all of it yet, 53 pages of legalisms by congressmen who
 essentially know NOTHING about electronic communications... it wouldn't
 surprise me if it was held to prohibit charging for services, somewhere in
 the weird and idiotic phrasing... this law will be a major headache until
 repealed or rewritten...)


-- 
Skip Sanders :  sdcsvax!ucsdhub!jack!man!sdiris1!res
Phone : 619-273-8725 (evenings)