TK0JUT2%NIU.BITNET@UICVM.uic.edu (10/27/90)
**************************************************************************** >C O M P U T E R U N D E R G R O U N D< >D I G E S T< *** Volume 2, Issue #2.09 (October 27, 1990) ** **************************************************************************** MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet) ARCHIVISTS: Bob Krause / Alex Smith USENET readers can currently receive CuD as alt.society.cu-digest. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. It is assumed that non-personal mail to the moderators may be reprinted, unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ CONTENTS: File 1: Moderators' Corner File 2: Len Rose Arrest File 3: Mars was not "Censored" File 4: Response to Mars "Censoring" File 5: Steve Jackson Games (SJG) Update File 6: The Future of Hacking and the System Security Profession File 7: The Ultimate Interface: Hackers and the Private Sector File 8: CU in the News: "Hackers" and Bank Blackmail in England ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ---------------------------------------------------------------------- ******************************************************************** *** CuD #2.09, File 1 of 8: Moderator's corner *** ******************************************************************** From: Moderators Subject: Moderators' Corner Date: October 27, 1990 ++++++++++ In this file: 1. COPYRIGHT ARTICLE INFORMATION 2. BIBLIOGRAPHIC RESOURCES +++++++++++++++ Copyright Article Information +++++++++++++++ CuD is *NOT* copyright, and articles by moderators, anonymous articles, and other articles may be reprinted as long as the source is attributed. However, occasionally an individual article is copyright protected. The article in CuD 2.08 by Jim Warren on "PCs and Political Organizing" is an example of a submission that is copyprotected but remains freely available for others' use. We have heard horror tales of authors who make public posts and then later find their material plagiarized and copyright protected under another's name. So, do not copyright others' material as your own. That's tacky--very, very tacky. If a CuD article is listed as copyright (this notice was excluded from Jim Warren's article), you should check directly with that author (not CuD) for permission to reprint it. ++++++++++++++++++ Bibliographic Resources +++++++++++++++++++ We are trying to compile a list of bibliographic sources related to the CU to eventually place in the archives. If you are writing term paper, conference papers, or articles, or if you come across books, legal cases, or other references that seem relevant, send the full citation over to us. If you come across new books, or better, if you do a book review, send the titles or the review along as well. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Moderators Subject: Len Rose Arrest Date: October 26, 1990 ******************************************************************** *** CuD #2.09: File 2 of 8: Len Rose Arrest *** ******************************************************************** Len Rose was arrested on state charges of "computer tampering" in Naperville, Ill., Naperville police confirmed Monday night. Len obtained a job at Interactive Systems Corporation, a software consulting firm, in Naperville and began Monday, October 15. Friday, he was fired. Bail was initially set at $50,000, and as of late Friday afternoon, he remained in jail. Len's wife speaks little English and is stuck in Naperville, lacking both friends and resources. Len currently has no money to post bond, and this leaves he and his family in a dreadful situation. We caution readers to remember that, under our Constitution, Len is *innocent* unless proven otherwise, but there is something quite troublesome about this affair. Hopefully, we'll soon learn what specific charges and what evidence led to those charges. Even if a "worst case" scenario evolves, there are surely better ways to handle such cases in less intrusive and devastating ways. Devastated lives and full invocation of the CJ process are simply not cost effective for handling these types of situations. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Gene Spafford <spaf@CS.PURDUE.EDU> Subject: Mars was not "Censored" Date: Sat, 20 Oct 90 14:11:52 EST ******************************************************************** *** CuD #2.09: File 3 of 8: Mars was not "Censored" *** ******************************************************************** I'm against censorship in pretty much any guise. I'm opposed to people who try to have gif images pulled from sites soley because of their sexually-oriented content. However, if I were running a news site, I would not carry the current alt.sex.pictures newsgroup, nor would I have an archive of the images. This is not a contradiction in terms. First off, I am not trying to have anyone else's collection of images pulled because of the subject matter, nor am I trying to prevent others from seeing those images. So, if I'm not against the subject matter of the material, why would I prevent their transmission through my site and storage on my disk? Reason number 1 is most of those images were scanned in from magazines and films that have active copyright protection. Scanning them in and transmitting them around is a violation of copyright. Not only is that not legal, I don't view it as proper to infringe on copyright. Storing those images is an infringement. Reason #2 is the quality of most of those images is poor compared with the original. If you want stuff like that, almost any bookstore or videotape rental place has the originals. Or, you can order by mail. I don't see the value of tying up bandwidth and storage to transmit poor copies of material that is generally available elsewhere. If the machine was a personal machine, I wouldn't keep the images because I have no use for them. They may (or may not) be interesting to look at some of them once, but after that I don't see any use for them. And as things go, I barely have enough free disk on most of machines as it is. If the machine was a shared machine, this reason would need to be explored with the other users, but it holds with most people I've talked with about these images. The bottom line is that there may be legitimate reasons not to have these images or carry newsgroups or mailing lists containing them. I think prudes are dangerous, but I also realize that everyone declining to have these images online is not automatically bowing to censorship or forbidding their presence because of content. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: portal!cup.portal.com!dan-hankins@SUN.COM Subject: Response to Mars "Censoring" Date: Sun, 21 Oct 90 00:04:25 PDT ******************************************************************** *** CuD #2.09: File 4 of 8: Response to Mars "Censoring" *** ******************************************************************** In article <CuD #2.08 #3>, Karl Lehenbauer <karl@sugar.hackercorp.com> writes, >I used Prodigy several times, and it is a heavily censored system,... This is inaccurate. Prodigy is not censored, it is _edited_. There is a significant difference. When newspaper articles are removed by government order, that's censorship. When the newspaper owners decide to not run an article because it is counter to their editorial policies (or personal prejudices), then that's editing. The difference is that in the first case, the State is telling a citizen (by threat of force) what she can and cannot do with her own property. In the second, a citizen is disposing of his property as he sees fit. The Prodigy situation is far more like the second case than the first. Prodigy resources are owned by IBM and Sears. Since Prodigy is their property, they may dispose of it as they see fit. This includes editing their databases to remove any information inconsistent with their policies. Some may argue that the $10 a month (plus fees for other services provided) gives the Prodigy subscriber the right to post anything she desires. This isn't the case. The subscriber is paying for the right to use the resources as provided for in the contract. Unless IBM and Sears agree in the contract not to edit or abridge information residing on Prodigy, they continue to have the right, both morally and legally, to do so. Censorship is when some organization says, "You may not say X.". Editing is when some organization says, "You may not use _my property_ to say X." This is an important distinction to make explicit; there is an increasing tendency for people to believe that they have not only the right to say whatever they want, but also the unlimited right to use the property of others to do so. Mr. Lehenbauer also writes, >If this is IBM's view of the future of personal electronic communications... >it is a bleak future indeed... every message must be so inoffensive that >*nobody* is going to be offended by it... and that is censorship. IBM doesn't control electronic communications in this country; the Prodigy subscriber is certainly free to go elsewhere to express his views. This is what many of them are doing. BIX is getting a lot of former Prodigy users these days. It's not censorship. It's also worth mentioning here that although the Prodigy bulletin board system is edited, Sears and IBM have agreed to not edit email. Users are free to form email groups (like Internet mailing lists) to discuss whatever they want, from sex to explosives. They just have to pay extra for it. In article <CuD #2.08 #4), the moderators write, >In the MARS incident, the NSF flexed its fiscal muscles (according to those >on the receiving end). This is again not censorship. The NSF pays for the Internet, and has the right to say how those monies are spent. Since MARS resided on an Internet node, the NSF had the right to refuse to pay for those files to be transmitted across its network. In fact, the NSF has the right to refuse to pay for network connections for any site for any reason whatsoever, unless it has made a contract to the contrary. If this is "flexing its fiscal muscles", then so be it. The quoted article quotes some other postings. I reproduce here the relevant portions: >I also don't like the idea of the university having to censor this board to >suit the narrow-minded leanings of a few people... >Again i am sorry that CENSORSHIP found its way into another democratic haven >of society... This is just more of the sort of illogic I referred to earlier. If these folks want their X-rated pictures, then they can have them. They just can't expect somebody else (the NSF or their University) to pay for them. They are certainly free to start their own BBS or post the material on a private BBS or Usenet mail server that allows such stuff. >Can a few angry letters to a federal bureaucrat invoke threats of fiscal >blackmail? If I boycott your business because I find some of your activities objectionable, am I threatening you with fiscal blackmail? Why should the NSF or a university be any different? The NSF is just boycotting sites that carry material it finds offensive, and the universities are just exercising their right to control use of their property. >It would seem that officials could confiscate the equipment of a sysop who >maintained adult .gif/.gl files. If you are concluding this on the basis of the "federal prosecutions and application of RICO" referred to earlier, then I agree with you that it's something to be worried about. It would be a violation of various First Amendment rights. If you're concluding this by extension from the NSF actions, I must disagree. A government agency deciding what it wants to spend its money on is hardly analogous to confiscating someone's property. The legal right to do one does not provide the legal right to do the other. >A recent article... raised the spectre of "licensing" BBSs. Now _this_ is something to worry about. This reminds me of the situation in oppressive regimes, where printing presses and photocopiers are "licensed". Somehow I don't think they'll get away with this one. Any such regulation would be a clear violation of First (and other) Amendment rights. CLARIFICATION: When an organization is funded by extortion (i.e. taxes), those who fund it have a moral right to say how those funds will be spent, over and above the organization's aims. The receivers of the service _still_ don't have any rights of control, unless they have entered into a contract with the provider that gives them that right. In a constitutionally limited republic such as ours, that taxpayer control is exerted in one of two ways. The first is by electing to government those we believe will implement the policies we want. The second (and far more rare option) is referendum. As long as its decisions remain within the policies set for it by elected officials and referendum, the NSF has the right to spend (or refuse to spend) its money as it likes. If the article I read in CuD is any indication, the purpose of the NSFnet is to only support the exchange of "scholarly" information. X-rated GIFs don't belong in that category, in most folks' eyes. :END CLARIFICATION By the way, with PC-Pursuit costs, I pay $40 a month for Net access. Yet at work there is an Internet gateway I could sign up for access to and use to make my posts (for free!). The reason I don't is that I don't think it's moral to use IBM resources for purposes IBM wouldn't approve of, such as expressing disapproval of their policies; it's their property. So I'm not just spouting rhetoric that doesn't cost me anything. +++++++++ Dan Hankins dan-hankins@cup.portal.com dan-hankins@pro-realm.cts.com Complete the following: Pro is to Con as Progress is to ________. Disclaimer: I don't work for the NSF or Sears. Although I have a contract with IBM to provide programming services to them in return for a salary, this does not constitute approval for their policies. In particular, I think that their Prodigy policies, while not immoral, are particularly stupid. The kind of editing they do on the bulletin board, their ridiculously high email charges, and their complete lack of upload/download capability will simply drive customers to other services. I am not a Prodigy subscriber, nor do I intend to become one. For the same $10 a month, I like Portal much better. And I post things in alt.individualism that you'd never see on Prodigy BBS. I defend your right to freedom of expression. Just don't ask me or anyone else to foot the bill. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: Steve Jackson Subject: Steve Jackson Games (SJG) Update Date: October 23, 1990 ******************************************************************** *** CuD #2.09: File 5 of 8: Steve Jackson Games Update *** ******************************************************************** {The following, by Steve Jackson, is reprinted with permission from two posts on The Well--moderators}. ++++++++++++ UPDATE ON SJ GAMES ++++++++++++ We were raided on March 1. Most people here have heard that story, though I'm working on an article for upload. This is an excerpt, because I don't know when I'll have time to finish the whole thing. The brief story: The Secret Service took 3 computers, a laser printer, lots of assorted hardware, lots of disks and papers, and lots of my business data. In particular, they took every current copy, on paper or disk, of the new book we were about to send to the printer. Because of the confiscation of the GURPS Cyberpunk book, our business came to a standstill for six weeks - the time it took us to reconstruct it and get it to the printer. THE RETURN In early June, we started talking to the people setting up the EFF, and word leaked out; I got several inquiries from reporters. On June 20, quite suddenly, the Secret Service called to say we could have our property back. So we went to pick it up. They really did give most of our stuff back. They kept one hard disk and some assorted hardware, as well as some papers. Of the things they returned, one computer required $200 in repairs before it would work. Another has so much visible damage that I don't even want to turn it on. Loyd hasn't gotten ANY of his things back. And we still don't know why they raided us. They took our book; they took our BBS computer; they took a lot of things. And their application for a search warrant is STILL sealed. So we can speculate, but that's all. Nobody connected with the business has been arrested. Nobody has been indicted. Nobody has been charged. Nobody has even been QUESTIONED again. And these guys are still saying "No comment." Well, if I were in their shoes, I wouldn't have any comment, either. OUR CURRENT STATUS (SIGH) We're not a big business, and the cost of the raid (now well over $125,000) pushed us to the wall. We have been squeaking by ever since then - sometimes things look more hopeful, sometimes less. The problem is cash flow. We have kept up with our long-term debt (in fact, we've cleared all but $50K of it up, making most payments on the last day of the grace period), but we have been very slow-paying with current suppliers. We simply have no margin for error; any unexpected expense or failure of income will knock us off. As I write this, a couple of big receivables didn't come in when they should have; we're about to default on a note payment, and our big printers are demanding CASH NOW OR NO MORE PRINTING, for which I can't blame them. So the current news is not good. We should still be all right if we make it into 1991, but current cash is tighter than it has been for months. +++++++++++++ SIGNIFICANT STATUS UPDATE: +++++++++++++ The warrant application under which my offices were raided has been unsealed. It was unsealed a month ago! Apparently this was just after the last request from Silverglate and Good, but they were not informed that it had been unsealed. (Question of etiquette here?) At any rate, I got a copy today in a package from Senator Bentsen's office, in reply to my last letter asking if the Senator could help get this information. He could and did. Ver-r-r-r-y interesting. A copy has gone to Silverglate and Good, who should have comments shortly. Brief answers to oft-repeated questions, now that I really do know what's going on: Yes, this was connected to the Neidorf case. Specifically, my managing editor was being "accused" of receiving a copy of the Phrack issue with the E911 file and posting it on the BBS, Phoenix Project. The description of the E911 file included the same wild allegations that were exploded during the Phrack trial. No, there is nothing in the application to indicate that the GURPS CYBERPUNK game was a target when they came in the door (which does not mitigate the seriousness of their effective suppression of the text). Yes, they definitely knew that they were raiding a BBS system; it was one of the things they were after. The application specifically defined what a BBS is - though it did not mention the ECPA or the protections granted therein. No, they alleged no criminal behavior on my part or on the company's part. SJ Games was invaded because Loyd Blankenship was an employee and a co-sysop and frequent user of our BBS. No, there's nothing there to change my attitude toward Loyd. He is a valued employee, innocent until proven guilty, and they haven't even STARTED to prove anything. I am, no doubt, oversimplifying in my attempt to boil a large stack of paper down to a short update - but that does seem to me to be the gist of it. I'm sure the attorneys will have more to add soon. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: BORGVM Subject: The Future of Hacking and the System Security Profession Date: 22 Oct., '90 ******************************************************************** *** CuD #2.09: File 6 of 8: Hacking and System Security *** ******************************************************************** Before I begin the discussion of my views on the future of hacking and the system security profession, I feel it necessary to offer an introduction which I hope will aid in the understanding of my views. I am an ex-hacker, yet in saying so I do not rule out a few things which I associate with my personal perspective on hacking. To begin with, I have always associated hacking with a genuine lust for knowledge. Whether or not that knowledge was restricted solely depends on the views of the individual. For me, however, hacking was an acquisition of knowledge a form the military likes to give as a good reason to join it. You know, hands-on training, of course! It was an attempt to learn as many operating systems as possible. Their strengths in comparison to one another, their weaknesses, and their nuances. When I was hacking, data was sacred. It was something which must not be harmed. I can say with genuine conviction that every time I heard of destructive viruses, malicious crashes, or the like, I would become enraged far more than would your common security professional, who would most likely eye the event as a possibility to acquire cash, reputation in the foiling of the plot, or as leverage to gain funding and public support. Although my respect towards data is still very healthy, my urge to hack is not. After entering higher education, I have been granted an account on the mainframe with internet and bitnet access. This situation had served as a fuel towards my already healthy paranoia of law enforcement and their new technologies: its just not worth the risk. After my 'retirement', however, I began to ponder the devices available during the apex of my hacking career such as ANI (Automatic Number Identification) and CLID (Caller Line Identification) which could instantaneously register the number of any 800 caller, and processes inherent in some digital switching systems which register calls to local packet-switched networks, that about 20% of my hacks could be traced right to my doorstep by the right investigator. I also noted the increase in these types of investigators and the development of more organized computer-security networks involving FBI, Secret Service, and private computer security enterprises which developed highly efficient training methods: the numbers of security representatives in the telephone companies and computer networks has increased dramatically, and to a point where telephone company toll fraud is no longer convenient, for danger and convenience rarely coexist. I believe that the future will offer much protection from hacking, but only to a certain extent. One needs only to examine the header of a message originating from some microcomputer host which UUCP's it through half a dozen Usenet sites, the Internet, and finally to its BITNET destination to visualize, quite realistically, a phone number tagged onto the end of the originating userid. With digital technology advancing at its current rate, the possibilities are endless. It is for these reasons that the private computer security profession (at its current size) is only a short-term success sparked by mass press-generated hysteria, and blatant disinformation. The computer security profession did not receive its recognition from the voices of concerned individuals or even gluttonous corporations: it received the necessary attention and nurturing due to the paranoias of a corrupt military-minded government which knows exactly what it keeps on its systems and exactly why no one else must. You see, its a matter of 'national' security! Any good real hacker who has been around a few nets knows this. The time will come when a hacker will sit down at his terminal to hack a computer somewhere far away. This hacker might dial up a local network such as Tymnet or Telenet and connect to a computer somewhere. That remote computer's standard issue security drivers will sense an intrusion (user John Doe calling form a network address originating in California which is inconsistent with Mr. Doe's schedule,) request the network's CLID result, and forward the information directly to Mr. Hacker's local police department which is, in this day and age, fully equipped with the ability to centrally tap telco lines (data or otherwise.) The expert system at the police department verifies that the local data tap is indeed consistent with the victim computer's John Doe Session and sends out a dispatch. Sound like fantasy? Every bit of it is perfectly possible with our existing technology, and upon review of the chronology of computer security over the last three years, certainly probable. Data security professionals are as easily replacable by computers as are assembly-line workers. In this day (which will be, incidentally, just prior to the banning of Orwell's "1984") there will be a small but very knowledgeable and powerful group of hackers able to circumvent some of these security mechanisms. A group of hackers not large enough to present an obvious threat, but powerful enough to give a self-perpetuating technological dictatorship and its docile society a nice, re-asserting slap on the rear. ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ Subject: The Ultimate Interface: Hackers and the Private Sector From: Dark Adept Date: Tue, 23 Oct 90 22:19 CDT ******************************************************************** *** CuD #2.09: File 7 of 8: Hackers and the Private Sector *** ******************************************************************** The Ultimate Interface: Hackers and The Private Sector A major problem in Cyberspace is the lack of communication between hackers and non-hackers. Corporations are fully entitled to their privacy, and so they feel threatened by the hacker "menace." They view the hacker as the enemy, and so they persecute him. This is a valid belief since history shows that when a group does not understand another group, they try to destroy it. Saying this is valid does not make it right. If hackers and corporations and security companies and software companies, etc., etc., etc. were to overcome their differences much could be done. By trading bits and pieces of knowledge, the two opposing groups could together develop revolutionary advances in computing that would benefit all. The problem is to get the two groups to trust one another. In some upcoming G-Philes and submissions to CuD, I hope to break down this barrier of resentment by crossing over the lines of the Underground into the "real" world and providing valuable information about systems, security, interfacing, etc. from a hacker's/member-of-the-underground's point of view. I hope others will follow suit, and that the private sector will reciprocate by allowing technical information to flow into the Underground. Ultimately, I hope that there will be a rapport between hackers and members of the private sector so that we may learn from each other and make the best use possible of this greatest of inventions, the computer. Without further delay, then, I present the first of what I hope will be a long and successful series of articles. These must be short since they are merely articles, but I have planned a few full-length works that will be more in-depth; I will send them to the CuD archives as they become available. I hope you enjoy them. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- System Security: Security Levels and Partitioning by The Dark Adept Traditionally, security levels are used to prevent a user from gaining access to areas where he lacked legitimate interest. They also have another very useful purpose that is seldom recognized. They can be used as a firewall of sorts to stop the spread of viruses and the destruction of files by an intruder. A good analogy of this theory is ship design. When a ship is designed, the lower compartments are designed separate from each other so that if the hull is punctured, the flooding compartment may be sealed off thus localizing the damage and stopping the ship from sinking. In the same way accounts should be assigned security levels. However, if the accounts are fully isolated from one another, it is too restrictive to be of any real use. A user in Accounting would not be able to access the records from Personnel to find an employee's rate of pay, for example. Optimally, then, one would want a balance between freedom and security. This optimal assignment of security levels is accomplished through a two-stage step. The first stage is the creation of generic accounts. Many computer systems, such as those of schools, use generic accounts as their sole source of security. This is VERY dangerous. By generic accounts, I mean a set of basic accounts where each member has certain privileges assigned to it that differ from the other members. For example, in schools the teachers often receive one type of account, and students another. Besides the systems operator's account, these are the only two types of accounts available. The teachers have a wide-range of freedoms including being able to look into files that don't belong to their department since they can be trusted. The students have a limited amount of ability, mostly restricted to accessing their files only. But what happens if an intruder grabs a teacher's account? You got it, he has access to A LOT of stuff! Obviously, this won't do. However, generic accounts are useful if used in combination with other devices. This leads to the implementation of the second stage: security levels. Example: Let X, Y, and Z be generic accounts in system S with the following maximum abilities: X can access file areas A, B, C, D Y can access file areas B, D, J, K Z can access file areas B, C, J, L Assume some User, u, needs access to file areas B and L alone. Assign him account type Z with security modifications such that he may access only file areas B and L. This results in User u being restricted to the proper file areas, B and L, but allows ease of modification later if he needs access to areas C or J. It also allows for the greatest amount of security since his account type is Z so by definition he cannot access file areas A, D, or K without receiving a new account. Therefore, if an intruder takes control of account u, he cannot destroy more than areas B and L without modification. The most he can modify account u to have access to is areas B, C, J, and L. Therefore the damage will be localized to file areas B, C, J, and L. The only way he can enter the other areas is to get a new account. This is much more difficult than modifying one he already has. The same sort of setup may be applied to commands, usage times, dialup ports, etc. For example, say the editor of a newspaper has account Z that has maximum port capability of T, t1, t2, t3 where T is a terminal in his office and t1, t2, and t3 are outside lines. At first he is assigned a security level that allows access to T only so his account cannot be accessed from intruders outside thus stopping someone from deleting all of tomorrow's edition. Now, if he must go on location somewhere, it would be a simple matter to modify his account to give him access to t1 so he can call up and review the submissions. Yet, again, if there exist ports t4, t5, etc., these would NEVER be able to access the files since account type Z is incapable of being accessed through these ports. What follows here is a mathematical model of account partitioning using concepts of discrete mathematics. Since this is a text file and cannot use graphics characters, some common mathematical symbols must be defined using regular characters. Symbols: -------- | = "such that" (ordinarily a vertical bar) \e\ = "is an element of" (ordinarily an emphasized epsilon) <==> = "if and only if" Model: ----- Let S represent a computer system. Let S1 be a set of different areas of interest in a computer system. This is modelled by S1={a1,a2,a3,...,an} where n is some integer, and a1,a2, a3,... are the areas of interest in S. Let S2 be a set of different user accounts in a computer system. This is modelled by S2={u1,u2,u3,...,uq} where q is some integer, and u1,u2, u3,... are the user accounts in S. Let x \e\ S2. Let y \e\ S1. Let r be a relation on S defined as this: xry <==> x \e\ S2 | x has access to y. Now r becomes a partitioning relation on S2. The function that defines r is determined by how the operator wants his accounts set up. Further, the equivalence class of x, [x], defines the generic account. Example: Say S has accounts u1, and u2. It also has areas of interest a1, a2,a3. Now say the operator wants u1 to have access to a1 and a2, and u2 to have access to a1 and a3. By defining r in the proper manner he gets: r ={(u1,a1), (u1,a2), (u2,a1), (u2,a3)}. Now [u1]={a1, a2} and [u2] = {a2, a3}. Thereby defining the generic accounts. Now let G be the set of all of the equivalence classes determined by xry that define generic accounts in S. This is seen as G={[x]|x /e/ S2}. For clarity, let g1 = [u1], g2 = [u2], ... so we have G={g1,g2,...gq} where q is some integer. Now let d \e\ G. We define w to be a relation as such: dwy <==> d \e\ G | d has access to y. Now w becomes a partitioning relation on G. The function that defines w is determined by how the operator wants to implement a generic account for a particular user. Further, the equivalence class of d, [d], defines the specific user account. Example: Say S has generic account g1 set up. It has areas of interest a1, a2, and a3. g1 is partitioned in such a way that it can only access a1 and a3. Now say the operator wants a certain holder of a generic account type g1 to have access only to a1. By defining w in the proper manner he obtains: w={(g1,a1)}. Now [g1]={a1} thereby defining an appropriate user account. As some may have noticed, accounts can be partitioned ad infinitum. In most cases I have found two partitions to be sufficient. An interesting adaptation is also to use this method to define what users have access to which commands. It again allows much room for change while keeping things safely separate. The ultimate safety would come when the first partition is defined in the operating/timesharing system itself. For example, if Unix (Tm of AT&T) came with say 30 different file areas and accounts accessing those areas in specialized ways, then even if an intruder grabbed the root account, he could not change the first level of partitioning to access all those accounts. As I hope I have shown, the proper use of generic accounts and security levels allows the optimum balance of security and ability. By properly partitioning accounts, the system operator can isolate a problem to a relatively small area allowing faster restructuring afterward. I hope you have enjoyed this article. I can be reached for comments, criticism, and E-mail bombs at Ripco BBS (312)-528-5020. Also, if you liked this article, you may comment to Jim Thomas (editor of CuD) and he can pass the general reception on to me. Written 10/21/90 in Chicago, IL -- The Dark Adept ******************************************************************** >> END OF THIS FILE << *************************************************************************** ------------------------------ From: P.A.Taylor@EDINBURGH.AC.UK Subject: CU in the News: "Hackers" and Bank Blackmail in England Date: 24 Oct 90 12:59:34 bst ******************************************************************** *** CuD #2.09: File 8 of 8: CU in the News: Hackers/English Banks** ******************************************************************** Taken from: "The Independent On Sunday," October 14, '90: Mysterious computer experts demand money to reveal how they penetrated sophisticated security. HACKERS BLACKMAIL FIVE BANKS by Richard Thomson At least four British clearing banks and one merchant bank in the City are being blackmailed by a mysterious group of computer hackers who have broken into their central computer systems over the last six months. These breaches of computer security may be the largest and most sophisticated ever among British Banks. The electronic break-ins which began last May, could cause chaos for the banks involved. Once inside their systems, the hackers could steal information or indulge in sabotage, such as planting false data or damaging complex computer programs.It is unlikely, however, they would be able to steal money. So far, the hackers have contented themselves with demanding substantial sums of money in return for showing the banks how their systems where penetrated. None of the banks has yet paid. The break-ins are evidence of the rapid growth in computer fraud and manipulation in Britain. Although most hacking is relatively trivial, the latest cases show much sophistication. The hackers have concentrated on tapping the banks' electronic switching systems which, among other things, control the routing of funds around the world. Some of the hackers are in contact with each other, but they are believed to be operating individually. One computer expert described their level of expertise and knowledge of the clearing bank computer systems as "truly frightening". They are not believed to have links with organised crime, which has become heavily involved in computer hacking in the US over the last two to three years. It is a severe embarrassment for the banking community which is frightened that public awareness of the security breach could undermine public confidence. As a result, they have not called in the police but have hired a firm of private investigators, Network Security Management, which is owned by Hambros Bank and specialises in computer fraud. It is common for banks not to report fraud and security failures to the police for fear of damaging publicity. All the banks approached either denied that they were victims of the blackmail attempt or refused to comment. The hunt for the hackers is being led by David Price, managing director of NSM, who confirmed his firm was investigating computer security breaches at five British banks. "I am confident of success in catching the hackers," he said. "The amount of information they can get from the banks will vary depending on the computer systems and the ways the hackers broke into them," he added. "They could go back in and sabotage the systems, but they are not threatening to do so." The ease with which the hackers appear to have penetrated the systems highlights the vulnerability of the computer data. Clearing banks in particular rely on huge computer systems to control their operations, from cash dispenser payments to massive international transfers of funds. Security measures were tightened after a large computer fraud at a leading City bank three years ago Although the bank involved was never named, it is understood the money was never recovered. Nevertheless, the speed with which computer technology has developed in the last few years has made the detection of security breaches more difficult. According to an expert, who recently advised one of the big four clearers on its computer systems, there are few people who understand the banks system well enough even to detect a break-in. Computer-related fraud has boomed over the last decade as businesses have come to rely more heavily on electronic information. According to some reputable UK and US estimates, up to 5% of the gross national product of western economies disappears in fraud. Experts say that the senior managers of many companies simply do not appreciate the need for tight security. The British legal system has been slow to respond. The Computer Misuse Act which makes it illegal to access a computer without authorisation, came into effect only at the end of August this year. (end article) ++++++++++++++++++++++++++++++++++++++++++++ The follow-up article (from The Independent on Oct 21), also by Richard Thomson, is basically much of the same thing. He quotes a hacker from the US who's computer "nom de guerre" is Michael Jordan who makes the following points. 1.One large US bank is notorious for lax security and it has effectively become a training ground for hackers. 2. Guessing passwords is sometimes "absurdly simple", they tend to choose words like "Sex, Porsche, or Password" 3.Social Engineering techniques are used and he would spend approx 6 weeks trying to suss out from a manager's secretary etc. anything he could find out that would help him have a better chance of accessing a bank's system. The main body of the article is pretty glib; it has the usual stock phrases like..."Hackers and Bank employees have always been a danger, but now there are signs that yesterdays bank robbers have hung up their sawn-off shot-guns and are turning to computers instead." and even more hypey is ... " Mr Jordan claims to have been shown pictures of people in organised crime. "They're East End lads who've become more sophisticated now. I've been told that if they ask you to help them and you refuse, it's baseball bats at dawn." There's also a discussion of the reliability of fraud figures, a mention of how various definitions can exaggerate the actual role played by the computer. Detective Chief Superintendent Perry Nove head of the city fraud squad defines "computer fraud" as ... "It is when the computer system itself is attacked rather than just used to facilitate an offence" The main conclusion on the whole area of fraud is "...the subject remains cloaked in mythology and mystery.Naturally, no one knows how many frauds are commited that are never discovered. Matters are further obscured because banks fearful of bad publicity, sometimes do not report frauds to the police- a situation that Mr Nove accepts with resignation. There is general agreement among hackers and other experts that it is more widespread and more sophisticated in the US, that it is growing in Britain, but that British Banks are more secure than those in America and the Continent. That is about as reliable as the detailed information gets." I hope I've summed up the general tone of the whole article, it was in the business section of The Independent On Sunday, 21st Oct. The paper's normally a very good one, so the generally bad coverage this bloke Thomson gave to the subject of hacking, and the amount of what I'd call "casual empiricism" he used to back up his arguments, is sadly probably indicative of what the CU is up against in the way of ignorance and bad reporting. I thought it was quite ironic that he recognised the role of mystery and mythology, since he seemed to be doing his best to add to it. Finally, if he'd of mentioned the word expert once more ..grrrrrrr.... Cheers for now, P.A.T. ******************************************************************** ------------------------------ **END OF CuD #2.09** ********************************************************************