Computer Underground Digest--Fri Sept 14, 1991 (Vol #3.33) Moderators: Jim Thomas and Gordon Meyer (TK0JUT2@NIU.BITNET) CONTENTS, #3.33 ( September 14, 1991) File 1--Moderators' Corner File 2--Clarification of "Boycott" Comment File 3--How BellSouth Calculated $79,000 File 4--Houston Chronicle spacemail follow File 5--More on Casolaro (INSLAW) Suicide (Mary McGrory reprint) File 6--"Freaker's Bureau Incorporated" (FBI) File 7--Review of Site Security Handbook (by Dark Adept) File 8--Complain to Journalists File 9--Spaf's Response to Reviews of _Unix Security_ Issues of CuD can be found in the Usenet alt.society.cu-digest news group, on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL0 and DL12 of TELECOM, on Genie, on the PC-EXEC BBS at (414) 789-4210, and by anonymous ftp from ftp.cs.widener.edu (147.31.254.20), chsun1.spc.uchicago.edu, and dagon.acc.stolaf.edu. To use the U. of Chicago email server, send mail with the subject "help" (without the quotes) to archive-server@chsun1.spc.uchicago.edu. COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. Some authors do copyright their material, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ---------------------------------------------------------------------- Date: 14 Sep 91 11:21:19 CDT From: Moderators Subject: File 1--Moderators' Corner ++++++++++++ WIDENER FTP ADDRESS CHANGE ++++++++++++ The Internet address for ftp.cs.widener.edu (aka ashley.cs.widener.edu) will be changing from its current of 192.55.239.132 to 147.31.254.20 +++++++++ INFO ON "OTHER VICTIMS" WANTED +++++++++ We are putting together a story on the "other victims" of the 1990 searches/seizures by the Secret Service that focuses on the problems various raids caused for those who where touched by, but not directly involved in, those events. We're compiling a list of short, narrative stories that can each be summarized in a few paragraphs. If you or anybody you know was an indirect "victim," it would help if you would send us their name and an email or voice phone means of contacting them. If people have been victimized, but prefer anonymity, we can tell the story without the name: Jim Thomas Co-editor, Computer underground Digest Sociology / Northern Illinois University / DeKalb, IL 60115 email: tk0jut1@mvs.cso.niu.edu / jthomas@well.sf.ca.us Voice: (815) 756-3839 +++++++++ PHRACK 33 +++++++++ Phrack 33 (release date 1 Sept, '91) is out and can be obtained from the Cud archvives. FREE SPEECH BBS, Phrack's home board, will be up in a week or so, but may periodically be down for maintenance while testing some of the new features. The new number is (618) 549-4955. ++++++++++ NY BBS TAX ++++++++++ New York state has enacted a law that would appear to place a tax on BBSs that sell or exchange software. Although there is some confusion regarding the intent and applicability of the law, most agree that it is, at best, a poor worded and potentially harmful piece of legislation. The next Cu Digest (3.34) will be a special issue devoted to the law. +++++++ INFO ON THESES/DISSERTATIONS WANTED +++++++ We've received a few responses from people working on graduate theses or dissertations related to computer culture or computer crime. We'll put out the information, along with a list of the few that have been completed so far, but it appears that, to date, there are very, very few. If you or somebody you know is working on a related project, let us know in the next few weeks so we can include it in the bibliography. ------------------------------ Date: 08 Sep 91 17:44:51 CDT From: Jim Thomas Subject: File 2--Clarification of "Boycott" Comment In my review of _Cyberpunk_ (CuD 3.32), I quoted a passage that referred to a "national computer security expert's" call for a boycott of any company that hired Robert Morris. In context, the passage would appear to be less than charitable. Gene Spafford, the person associated with the boycott call, never made this claim, and he has tried without success to clarify what was actually said. He was misquoted in a speech, and the misquote has become a reality of its own. Although it seems like a relatively minor point, the continued circulation of the quotation error perpetuates an unjustified aura of extra-legal professional retaliation. Sometimes the slightest transposition of words leads to quite different meanings, and it appears that Gene is the victim of a shift of phrases that distorted his message. We discussed this with him, and the following scenario seems to be the source of the error. We have included a response he wrote to the CACM to correct the error, but it was also garbled by the editor to whom it was sent. In March 1990 at the DPMA Computer Virus & Security Conference in NYC, Gene gave the keynote address. He discussed community ethics and made a statement like "We should boycott any company that hires someone like Morris *because of* what he did." This was heard by at least one person present as meaning, "Because of what he did, we should boycott any company that hires Morris." What he meant, and what he thought was clear from context, was "We should boycott any company that believes what Morris did was a reason to hire him." The quote was reported in CACM and Spaf wrote a letter (published in the October 1990 issue) pointing out the error, but they misunderstood the way it was supposed to have text boldfaced to indicate the emphasis. The point did not get across clearly and was also incorrectly paraphrased in Peter Denning's editorial in the August 1990 CACM. Enclosed is the text of the letter he sent to CACM and which was published in the September 1990 issue without the indicated emphasis: [ The following uses TeX conventions: %%it text% is italics, and %%bf text% is boldface.] To the editor: The May issue of %%it Communications% contained a %%News Track'' account of some of my remarks on hiring known hackers/crackers. I believe the report was derived from my keynote presentation at the 3rd DPMA Virus Workshop, held March 14 in New York. Unfortunately, the item in question did not report the full context of my remarks, and thus the actual intent was obscured. It is my contention that we should not do business with companies that hire known computer miscreants %%bf because of their criminal escapades%. There are two reasons for this, one grounded in good business sense, and the other grounded in professional ethics. From a business standpoint, hiring a known computer criminal because of his criminal past is likely to be a liabilty. The individual has already shown that he (or she) has not felt constrained to respect legal and ethical boundaries, or that he has exhibited poor judgment in not thinking about adverse consequences. What indication is there that such behavior will not be repeated? Furthermore, there is no indication that someone who breaks into a system knows how to protect the system or make it better -- he has only shown that he knows how to break in. This is the origin of my %%arsonist'' statement, quoted in the article. As a customer of such a firm, it is possible I would never be as confident about the integrity of its products as if the hacker had not been hired. From a professional standpoint, I view the hiring of computer criminals %%bf because of their notoriety or criminal success% to be insulting and unconscionable. Consider that there are many tens of thousands of people who have worked for years to become knowledgeable and responsible members of the profession, and many thousands more currently studying the discipline. What will it mean to them if a criminal is hired to a position of responsibility because of a violation of professional standards? Should the rest of us seek distinguished appointments by spectacular violations of the law? What would it say to all of us that a business would value unethical behavior above a record of accomplishment and professionalism? To ignore or accept such behavior is to allow our profession to be besmirched. I view it as an insult, and to acquiesce quietly would appear to be a violation of our Code of Professional Conduct. Note that I am %%bf not% in any way suggesting that we act to prevent these individuals from being employed in a computing-related profession. If the individual involved has the necessary training and background, and is as qualified as other applicants, then he should be treated as any other individual applying for a position. This is especially true once an individual has served a sentence for their [sic] crimes. Robert T. Morris, for instance, has demonstrated a keen interest and more than moderate facility with computers. To protest his taking a computing-related job would be to unfairly embellish the sentence already imposed by the federal court. We should not seek to second-guess our legal system, nor extract revenge above and beyond the punishment already meted out. To do so would be petty and mean-spirited. In summary, my remarks at the Virus Workshop argued that we should protest if businesses reward these offenders for their actions; I did not mean to suggest that we forbid these individuals from ever working in computing-related jobs. I also did not suggest that we devise any additional punishment for Mr. Morris. He has been sentenced for his crime, and it is not for us to seek to augment his punishment. It is time for all of us to move on and put that whole incident behind us. Eugene Spafford Dept. of Computer Sciences Purdue University W. Lafayette, IN 47907-2004 spaf@cs.purdue.edu ------------------------------ Date: 24 Aug 91 00:33:31 GMT From: eff@org Subject: File 3--How BellSouth Calculated $79,000 (Moderators' note: The following article appeared in EFF 10 and explains how those infamous E911 documents wound up with a value of over $79,000. Guess it shows how figures lie and......) WHY THE BELLSOUTH E911 DOCUMENT COST $79,000 TO PRODUCE -==--==--==-<>-==--==--==- IN OVER THEIR HEADS --OR-- WHY THE 911 DOCUMENT COST $79,449 TO PRODUCE AT BELLSOUTH Over the months since it first came to light, many have wondered how BellSouth could spend the immense amount of money that it claimed it spent on producing the brochure known as the E911 document. Now it can be told! The following is BellSouth's actual estimate of its production costs as sent to Bill Cook in January of 1990. We were amazed that the company felt it necessary to add in the entire cost of a major computer system, printer and software. [Text of letter from K. Megahee to Bill Cook] BellSouth 1155 Peachtree Street. N E Atlanta, Georgia 30367 -6000 January 10, 1990 Bill Cook - Assistant United States Attorney United States Attorney's Office Chicago, Illinois Dear Mr. Cook: Per your request, I have attached a breakdown of the costs associated with the production of the BellSouth Standard Practice (BSP) numbered 660-225-104SV. That practice is BellSouth Proprietary Information and is not for disclosure outside BellSouth. Should you require more information or clarification, please contact my office at XXX-XXX-XXXX. FAX: XXX-XXX-XXXX Sincerely, Kimberly Megahee Staff Manager - Security, Southern Bell [Handwritten total] 17,099 37,850 24,500 ------ 79,449 [Attachment to letter itemizing expenses] DOCUMENTATION MANAGEMENT 1. Technical Writer To Write/Research Document -200 hrs x 35 = $7,000 (Contract Writer) -200 hrs x 31 = $6,200 (Paygrade 3 Project Mgr) 2. Formatting/Typing Time -Typing WS14 = 1 week = $721.00 -Formatting WS 14 = 1 week = $721.00 -Formatting Graphics WS16 = 1 week = $742.00 3. Editing Time -PG2 = 2 days x $24.46 = $367 4. Order Labels (Cost) = $5.00 5. Prepare Purchase Order -Blue Number Practice WS14 x 1 hr = $18.00 -Type PO WS10 x 1 hr = $17.00 -Get Signature (PG2 x 1 hr = $25.00) (PG3 x lhr = $31.00) (PG5 x 1 hr = $38.00) 6. Printing and Mailing Costs Printing= $313.00 Mailing WS10 x 50 hrs = $858.00 (Minimum of 50 locations/ 1 hr per location/ 115 copies 7. Place Document on Index -PG2 x 1 hr = $25.00 -WS14 x 1 hr = $18.00 Total Costs for involvement = $17,099. HARDWARE EXPENSES VT220 $850 Vaxstation II $31,000 Printer $6,000 Maintenance 10% of costs SOFTWARE EXPENSES Interleaf Software $22,000 VMS Software $2,500 //End of Document// ------------------------------ Date: Tue, 3 Sep 91 17:05:01 CDT From: edtjda@MAGIC322.CHRON.COM(Joe Abernathy) Subject: File 4--Houston Chronicle spacemail follow This story appeared on Page 1A of the Houston Chronicle on Monday, Sept. 2, 1991. Permission is granted for redistribution in the ACM Risks Digest, Patrick Townson's Telecom Digest, the newsgroup sci.space.shuttle, Computer Underground Digest, and the interesting_people mailing list. Our thanks to these groups for their ongoing contributions to the online community and our coverage of it. Please send comments and suggestions to edtjda@chron.com. NASA severs connection on electronic mail linkup By JOE ABERNATHY Copyright 1991, Houston Chronicle Although declaring the experiment a success, NASA has called a halt to a project by which space shuttle astronauts briefly were linked with the nation's computer networks through electronic mail. The e-mail experiment, conducted during the recent flight of Atlantis, was part of a larger effort to develop computer and communications systems for the space station Freedom, which is to be assembled during the late 1990s. The National Aeronautics and Space Administration cited unauthorized access as the reason for severing the network connection, but NASA officials did not provide details. The space agency initially attempted to carry out the project in secrecy, but word leaked out on the nation's computer networks. Details were closely guarded because of concerns over malicious computer hacking and astronauts' privacy. "Hello, Earth! Greetings from the STS-43 Crew! This is the first Applelink from space. Having a GREAT time, wish you were here!" read the first message home. It went from Atlantis astronauts Shannon Lucid and James Adamson to Marcia Ivins, a shuttle communicator at Johnson Space Center. It was the use of AppleLink -- a commercial electronic mail network connected to the global computer matrix -- that apparently contained the seeds of trouble. When an AppleLink electronic mail address for the shuttle was distributed online and then published in the Houston Chronicle, it generated about 80 responses from well-wishers. Although the address was created just for this purpose, the flight director nearly pulled the plug on the project, according to Debra Muratore, the NASA experiment manager. The project was concluded as scheduled and declared a success. But ultimately, it was decided, at least for now, to cease all interaction with public computer networks. The decision eventually could mean that NASA's premier research facility, the space station, may not have access to its premier research communications tool, the NASA Science Internet -- the space agency's portion of the vast Internet global computer network. Electronic mail, which is becoming commonplace in offices, is simply the transmission of messages via computers to one or more people, using electronic addresses. Users linked to the right networks can send electronic messages or other data to specific recipients nearly anywhere in the world -- and for a short time, could send them to space. "The problem was that the information had gotten leaked prematurely. There was no problem with security," Muratore said. Even previous to the leak of the addresss, however, the experiment was structured in such a way that it was vulnerable to hackers, she acknowledged. "As a result of this whole experience, at least my project plans never to use a public (electronic) mail system again," she said. Muratore indicated that the space agency may explore other ways of providing "connectivity" -- communication between orbiting astronauts and NASA's broader collection of computerized resources -- which will become increasingly important as the use of computerized information grows. The decision to sever the short-lived e-mail connection has drawn strong criticism among computer security experts and other scientists, who charge that NASA was attempting to design "security through obscurity." "This is another example of an ostrich-oriented protection policy -- stick your head in the sand and pretend no one will find out what you know," wrote Peter G. Neumann, moderator of the Association for Computing Machinery's RISKS Digest, a respected online publication that assesses the risks posed by technology. "Things like that don't stay 'secret' for very long." NASA told Newsday, but would not confirm for the Chronicle, that more than 80 "unauthorized" messages from around the world were sent to the Atlantis address -- which a source told the Chronicle was set up explicitly to handle public requests for a shuttle e-mail address. Private addresses were used for the actual experiments. "The old 'authorization' paradox has reared its ugly head again," wrote Neumann, who prepared a study for NASA on the security requirements of the space station. " 'Threatened by unauthorized e-mail,' eh? Sending e-mail to someone REQUIRES NO AUTHORIZATION." Muratore defended the use of secrecy as a security tool. "I feel that that was a viable option," she said. She said operators of AppleLink told NASA that it was impossible to keep public e-mail from being sent to the on-orbit address, so the only option was to try to keep it secret. But network users questioned this viewpoint. "Why is an e-mail system 'in jeopardy' when it receives 80 messages? And what is an 'unauthorized user?' " asked Daniel Fischer of the Max-Planck-Institut feur Radioastronomie, in Bonn, Germany. "Once the system is linked up to the real world, it should expect to receive real mail from everyone. "If NASA can't handle that, it really shouldn't get into e-mail at all," added Fischer, writing in an online discussion group composed of scientists involved with the space program. "Consider that (heavy response) a success, NASA!" The disposition of the electronic mail sent to Atlantis is still up in the air. A Chronicle message was not acknowledged, and no one has reported receiving a response. +++++++++++++++++++++++++++++++++++ Chronicle reporter Mark Carreau contributed to this report. ------------------------------ Date: Tue, 27 Aug 91 21:36 EDT From: "Silicon Surfer" Subject: File 5--More on Casolaro (INSLAW) Suicide (Mary McGrory reprint) Tentacles of Scandal Touch Journalist's Mysterious "Suicide" (By Mary McGrory, syndicated columnist) One thing in the sad muck is clear: Before he died, Danny Casolaro saw an octopus. He told his friend Bill Hamilton about it. The tentacles reached into all the scandals we are grappling with in this summer of conspiracies unlimited. The body of investigative reporter Joseph Daniel Casolaro, 44, was found in the bathtub of a West Virginia motel on Saturday, Aug. 10. Martinsburg police pronounced it a suicide and proceeded to embalm the body with extraordinary haste - before they got around to notifying Casolaro's family, which finally heard the news on Monday, Aug 12. His brother, Dr. Anthony Casolaro, doesn't believe it was a suicide. Nor does anyone who knew him - or talked to him in his last days. A crime reporter, Casolaro was a happy, outgoing, gregarious person, the kind who cracks wise with secretaries and waitresses and endears himself to children. The day before he died, according to the Martinsbug Morning Journal, Casolaro told a Pizza Hut waitress that he liked her brown eyes and that he was a member of the Edgar Allen Poe Society. He quoted "The Great Gatsby" to her. He told Hamilton, his brother, his girlfriend and others that he was on the point of cracking the story that had absorbed him for a year. He had begun investigating the Inslaw case, a tangled affair of government perfidy and international intrigue that has been in litigation since 1983. In his explorations, he found out about related scandals - BCCI, S&Ls, Iran-Contra, the October Surprise - but until last week, he found nothing about Inslaw. Then he, joyfully said, he hit Bingo. One more interview and the case was cracked. Suicides do not tell their intimates day before taking the hemlock that they are "ecstatic" or "euphoric". Casolaro did. Nor do they attend family birthday parties, as Danny Casolaro was planning to do hours before he died. The last known call he made was to his mother. He would be late, but he was headed home. A manic-depressive might do that. Nobody ever suggested that Danny Casolaro was one. All the circumstances beg for disbelief, none more than the supposed suicide note. "I'm sorry, especially to my son," from a man who lived by words, just doesn't ring true. Casolaro wrote a novel, a children's book. His prose style, at least as displayed in an outline submitted to Little Brown of a book he proposed to write about the octopus called, "Behold, A Pale Horse," is on the florid side. Such a terse farewell, unless composed or dictated at gunpoint, is entirely unconvincing. The man who could have resolved the Inslaw case, Richard Thornburgh, resigned as attorney general the day the West Virginia police came forward with an autopsy. Excess was the hallmark of his farewell ceremony: an honor guard, a trooping of colors, superlatives from subordinates. Willam P. Barr, his deputy and possible successor, spoke of Thornburgh's "leadership, integrity, professionalism and fairness," none of which Thornburgh - now, by the way, a candidate for the Senate - displayed in his handling of Inslaw. Although the Inslaw case occurred in the time of Ed Meese, Thornburgh took it to his busom. Bill Hamilton, a perfectly nice Midwesterner, invented Promis, a computer software program specially adapted to crime statistics, which he sold to the Justice Department. The second year, Justice stopped paying the bill. Hamilton and his wife, Nancy, believed that cronies of Meese got the franchise to sell it around the world. Promis has turned up in Canada and Pakistan. The link with the October Surprise is Earl Brian, allegedly the agent who paid off the Iranians to keep the hostages. He was paid back with huge profits from Promis. Thornburgh refused to discuss the case with the Hamiltons or their counsel, Elliot Richardson. He did not answer Richardson's letters. He did not return his phone calls. He refused to receive his distinguished predecessor. The Hamiltons have been to court many times. Judges have recused themselves, witnesses have disappeared or recanted. The man who knows the most, Michael Riconosciuto, was picked up in Washington state on drug charges and is in jail. What was merely sinister has now turned deadly. Thornburgh calls the Inslaw case "a little contract dispute." He refused to testify about it to the House Judiciary Committee. Richardson thinks it could be "dirtier than Watergate," and he should know. Thornburgh's conduct is the most powerful argument for believing that Danny Casolaro saw an octopus before he died. ------------------------------ Date: Fri, 13 Sep 91 16:37:57 EDT From: pkumar@SUGRFX.ACS.SYR.EDU(Parvin Kumar) Subject: File 6--"Freaker's Bureau Incorporated" (FBI) You may, or may not have noticed a new magazine in the cyberworld: FBI Presents. We at FBI are dedicated to bringing you the news, at whatever the cost may be. We Specialize in Anarchy And Phreaking files, but also attempt to bring you Hacking and Carding files whenever we find them available. Many of our articles deal with the rights of hackers and computer users as a whole. So if you are interested in these, pick up a copy! We are a monthly production, and we try to keep to our deadlines as well as possible. We are currently working on issue 3 of FBI Presents, It will include such features as... An Interview with Mitch Kapor of EFF, How To mass Mail. The Non-Box. (A box plan you will find VERY interesting!) It will be available some time around the end of September. So.. You can grab one of our previous issues at: chsun1.spc.uchicago.edu ashley.cs.widener.edu IF you would like to submit an article, which I *HOPE* you will do, you can send it to: au530@cleveland.freenet.edu You can also request an E-Mail subscription from this address. So RUN to your local FTP or favorite P/H/A BBS and grab a copy of F B I Presents. ------------------------------ Date: Tue, 10 Sep 91 11:45:43 PDT From: Dark Adept TNET> Subject: File 7--Review of Site Security Handbook (by Dark Adept) (Reviewed by Dark Adept) The RFC 1244 - Site Security Handbook Reviewed The Dark Adept -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- The RFC (Request for Comment series) has produced a new tome: The Site Security Handbook. This little gem aired on July 26, 1991 on the newsgroup comp.doc. At 250K+, it is a somewhat large file to transfer around, but well worth it. It has its good points and bad points, but the good seem to outweigh the bad. So, saving the best for last, I will address some of the major bad points first. I. Stereotyping and other falsities ----------------------------------- This document completely explodes hacker myths and stereotypes. Here is an example: "As an illustration of some of the issues that need to be dealt with in security problems, consider the following scenarios (thanks to Russell Brand [2, BRAND] for these): - A system programmer gets a call reporting that a major underground cracker newsletter is being distributed from the administrative machine at his center to five thousand sites in the US and Western Europe. Eight weeks later, the authorities call to inform you the information in one of these newsletters was used to disable "911" in a major city for five hours." (RFC1244 p. 6) Very cute. Very believeable. Very much impossible, and very much a lie. I think we all know what this refers to (the Phrack/E911 incident), and I think that it is unprofessional of the editors of RFC 1244 to use this example which is nothing more than a scare tactic. Also please note that all the examples, while not as blatant as this, deal with someone on the outside breaking in. It makes one wonder why this is true when later in the document the editors state: "As an example, there is a great deal of publicity about intruders on computers systems; yet most surveys of computer security show that for most organizations, the actual loss from "insiders" is much greater." (RFC1244 p. 10) Why oh why, then, are all your examples so one-sided? Why the stereotyping of intruders? Why the little E911 parody? II. Relies more on accepted sources than reality ------------------------------------------------- Over and over and over and over again, ad nauseum, this manual refers to those security gods, CERT. Allow me to let you in on a little secret. CERT has not said anything revolutionary. In fact, much of what CERT says, and much of what is stated in this manual, has been found in hacker G-Philes over the years. examples: "...the Computer Emergency Response Team/Coordination Center (CERT/CC) at Carnegie-Mellon University (CMU) estimates that 80% or more of the problems they see have to do with poorly chosen passwords." (RFC1244 p. 8) Gee, does that sound familiar, or what? Every G-Phile around has in bold-faced italicized triple underlined print: "Try his wife's maiden name" or "try his name backwards" or "here is a list of common passwords" or, more to the point "people are idiots when they choose passwords" (hmm. I think that particular one was in one of my previous CuD articles). Here is another "cute" one: "The Computer Emergency Response Team (CERT - see section 3.9.7.3.1) has observed that well-known universities, government sites, and military sites seem to attract more intruders." (RFC1244 p. 12) Those veritable gods of observation! Gee, what would hackers break into? Maybe John Doe's collection of x-rated .gifs? I doubt it. In fact, 90% or more of every "hacker's atlas" (a G-Phile which is more or less a phonebook of data lines and who owns them) consists of phone numbers to the above named institutions. The main point is that RFC1244 does nothing more than collect statistics from G-Philes. This in itself is useful, however, but it would be more beneficial if the editors read the G-Philes themselves rather than using watered down information from CERT et al. Now for the good points. There are so many that I dare not try to list them all, just some highlights. It contains an extensive overview of a step-by-step way to implement security. From deciding who is to be involved to selecting a method (or methods) of security, this document mentions it. It has a list of many resources such as (ugh!) CERT, magazines (on-line and printed), software companies, etc. This is good since it provides the prospective securer with a starting point. It deals with security issues not usually thought of until a disaster happens, such as: how much should we tell the press? who should we notify? etc. This handbook is directed mainly at the Internet user/sysadmin, but it can be applied to a PC in a dentist's office. For a security novice, or someone who just wants to find out what real security entails, this is the book, and it's free! So, before you go hiring Tacky Thacky or ex-LoD, read this handbook first. At least then you'll know what you're buying. My rating: 3.5 hacks (out of 4). It loses the 0.5 for the stereotypes and lack of first hand info, but otherwise something to have around the office/terminal. ------------------------------ Date: Sun, 1 Sep 91 16:49:20 CDT From: "John E. Mollwitz" Subject: File 8--Complain to Journalists The national convention of The Society of Professional Journalists, an organization of roughly 18,000 members in the United States, Canada and Japan, is meeting Oct. 17-19 in Cleveland. As part of that convention, a seminar will be conducted on writing about computers and computer networks. Since over the years, cyberspace travelers have bemoaned the accuracy of articles relating to computers, computer networks and even telephones, we ask that you email or snail mail examples of articles that you have found solid and others that you have found less so. Please include a note of explanation. The panel then will try to compile the examples, and the comments and produce a handout for discussion. Sometime in the week after the convention, we will post the results of the session. The names of the panelists will be disclosed at that time since it is possible that some of the articles that may be submitted may have been written by a panelist. Mail paper examples to me at the address below. Where possible, the examples should include a copy of the article, the name of the publication and _specific_ comments. If the article is dismissed simply as "nonsense," state that it is because paragraph 5 has failed to adequately explain a concept, and that it would have been better to have said it this way or that. So, if you go into fits when you see the word "hacker" in print, please mail by Sept. 30. Thank you for your cooperation. John E. Mollwitz, Chair, Committee on New Information Technologies The Society of Professional Journalists c/o The Milwaukee Journal P.O. Box 661 Milwaukee, WI 53201-0661 Electronic Mail--Usenet: moll@mixcom.com; CompuServe: 72240,131; GEnie: J.Mollwitz; Prodigy: CKFB43A; ------------------------------ Date: Tue, 27 Aug 91 17:36:25 EST From: Gene Spafford Subject: File 9--Spaf's Response to Reviews of _Unix Security_ Just a couple of quick comments on some of the points made in the reviews of "Practical Unix Security" in Volume #3.30. Jim Thomas noted that we were brief in our explication of the laws concerning computer intrusion. That was intended -- rather than giving inexpert legal advice, we would prefer that the readers discover the finer points through consultation with trained legal counsel. Although we got advice from some experts in the area, we didn't feel up to a formal treatment of the legal aspects related to security; we made reference to other appropriate references in the appendix, and felt it best left at that. Legal action is a serious step that should not be undertaken solely on the basis of our treatment in the book! Neil Rickert commented in his review about our recommendation not to make the mail command the login shell on an account. He states that the user would get the login shell using the shell escape (viz., doing a % will result in a new invocation of mail), and this is not as clear a problem. On at least one system I have used, doing a "%!/bin/sh" has given me a shell no matter what the login shell was. On some systems, escaping into the editor with "%e" then allows the user to call up a shell. On some versions (including SunOS), doing a "%:set SHELL=/bin/sh" lets me bypass the current idea of login shell. Rather than give all the what-ifs, we decided to recommend against the practice -- it is a major accountability hole, too. Neil caught an error with the statement about "su" -- we were both thinking "suid" when we proofread it, and it slipped by. Mea culpa. As for us making sound Unix scarier that it is, well, some versions of Unix are pretty scary! We tried to keep the paranoia from overcoming us, but after 500 pages of describing potential problems in all the myriad forms of Unix, it became a losing battle. Then too, to get in the proper frame of mind to do serious security work, one needs a touch of paranoia. That's probably one of the key concepts that we must not have stressed enough later in the book -- not every system is vulnerable to every problem we described. Some systems have been tightened up, and others are like Swiss cheese. Simson and I are grateful for any other comments people care to make, here or in mail. ------------------------------ End of Computer Underground Digest #3.33 ************************************