Computer underground Digest Sun Aug 2, 1998 Volume 10 : Issue 44 ISSN 1004-042X Editor: Jim Thomas (cudigest@sun.soci.niu.edu) News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu) Archivist: Brendan Kehoe Shadow Master: Stanton McCandlish Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson Field Agent Extraordinaire: David Smith Cu Digest Homepage: http://www.soci.niu.edu/~cudigest CONTENTS, #10.44 (Sun, Aug 2, 1998) File 1--S1482 (Bill to amend Comm Act - June 25 '98 version) File 2--GORE ANNOUNCES STEPS TOWARD ELECTRONIC BILL OF RIGHTS File 3--"HACKER MYTH CRUMBLE" (DEFCON VI Report (from NYT)) File 4--Teens Who Hacked Into U.S. Computers Plead Guilty File 5--E-mail Security Flaw Information (NYT & Knight/Ridder) File 6--Regarding the "ClearZone" proposal. File 7--Cu Digest Header Info (unchanged since 25 Apr, 1998) CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION ApPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE. --------------------------------------------------------------------- Date: Mon, 3 Aug 1998 23:49:56 -0500 From: jthomas@VENUS.SOCI.NIU.EDU(Jim Thomas) Subject: File 1--S1482 (Bill to amend Comm Act - June 25 '98 version) ((MODERATORS NOTE: In the past few issues, we've run commentary and snippets of text from S 1482, which many observers find a danger to Net freedom. Here again is the latests version of the Senate Bill)). To amend section 223 of the Communications Act of 1934 to establish a prohibition on commercial distribution on the World Wide Web of material that is harmful to minors, and for other... (Reported in the Senate) S 1482 RS Calendar No. 436 105th CONGRESS 2d Session S. 1482 [Report No. 105-225] To amend section 223 of the Communications Act of 1934 to establish a prohibition on commercial distribution on the World Wide Web of material that is harmful to minors, and for other purposes. IN THE SENATE OF THE UNITED STATES NOVEMBER 8, 1997 Mr. COATS introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation JUNE 25, 1998 Reported by Mr. MCCAIN, without amendment _________________________________________________________________ A BILL To amend section 223 of the Communications Act of 1934 to establish a prohibition on commercial distribution on the World Wide Web of material that is harmful to minors, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. PROHIBITION ON COMMERCIAL DISTRIBUTION ON THE WORLD WIDE WEB OF MATERIAL THAT IS HARMFUL TO MINORS. (a) PROHIBITION- (1) IN GENERAL- Section 223 of the Communications Act of 1934 (47 U.S.C. 223) is amended-- (A) by redesignating subsections (e), (f), (g), and (h) as subsections (f), (g), (h), and (i), respectively; and (B) by inserting after subsection (d) the following new subsection (e): `(e)(1) Whoever in interstate or foreign commerce in or through the World Wide Web is engaged in the business of the commercial distribution of material that is harmful to minors shall restrict access to such material by persons under 17 years of age. `(2) Any person who violates paragraph (1) shall be fined not more than $50,000, imprisoned not more than six months, or both. `(3) In addition to the penalties under paragraph (2), whoever intentionally violates paragraph (1) shall be subject to a fine of not more than $50,000 for each violation. For purposes of this paragraph, each day of violation shall constitute a separate violation. `(4) In addition to the penalties under paragraphs (2) and (3), whoever violates paragraph (1) shall be subject to a civil fine of not more than $50,000 for each violation. For purposes of this paragraph, each day of violation shall constitute a separate violation. `(5) It is an affirmative defense to prosecution under this subsection that the defendant restricted access to material that is harmful to minors by persons under 17 years of age by requiring use of a verified credit card, debit account, adult access code, or adult personal identification number or in accordance with such other procedures as the Commission may prescribe. `(6) This subsection may not be construed to authorize the Commission to regulate in any manner the content of any information provided on the World Wide Web. `(7) For purposes of this subsection: `(A) The term `material that is harmful to minors' means any communication, picture, image, graphic image file, article, recording, writing, or other matter of any kind that-- `(i) taken as a whole and with respect to minors, appeals to a prurient interest in nudity, sex, or excretion; `(ii) depicts, describes, or represents, in a patently offensive way with respect to what is suitable for minors, an actual or simulated sexual act or sexual contact, actual or simulated normal or perverted sexual acts, or a lewd exhibition of the genitals; and `(iii) lacks serious literary, artistic, political, or scientific value. `(B) The terms `sexual act' and `sexual contact' have the meanings assigned such terms in section 2246 of title 18, United States Code.'. (2) CONFORMING AMENDMENT- Subsection (g) of such section, as so redesignated, is amended by striking `(e), or (f)' and inserting `(f), or (g)'. (b) AVAILABILITY ON INTERNET OF DEFINITION OF MATERIAL THAT IS HARMFUL TO MINORS- The Attorney General, in the case of the Internet web site of the Department of Justice, and the Federal Communications Commission, in the case of the Internet web site of the Commission, shall each post or otherwise make available on such web site such information as is necessary to inform the public of the meaning of the term `material that is harmful to minors' under section 223(e) of the Communications Act of 1934, as amended by subsection (a) of this section. Calendar No. 436 105th CONGRESS 2d Session S. 1482 [Report No. 105-225] A BILL To amend section 223 of the Communications Act of 1934 to establish a prohibition on commercial distribution on the World Wide Web of material that is harmful to minors, and for other purposes. _________________________________________________________________ JUNE 25, 1998 ------------------------------ Date: Sun, 2 Aug 1998 14:16:49 -0500 From: jthomas@VENUS.SOCI.NIU.EDU(Jim Thomas) Subject: File 2--GORE ANNOUNCES STEPS TOWARD ELECTRONIC BILL OF RIGHTS THE WHITE HOUSE BRIEFING ROOM July 31, 1998 VICE PRESIDENT GORE ANNOUNCES NEW STEPS TOWARD AN ELECTRONIC BILL OF RIGHTS Message Creation Date was at 31-JUL-1998 12:01:00 THE WHITE HOUSE Office of the Vice President ____________________________________________________ For Immediate Release Contact: Friday, July 31, 1998 (202) 456-7035 VICE PRESIDENT GORE ANNOUNCES NEW STEPS TOWARD AN ELECTRONIC BILL OF RIGHTS New Efforts Will Protect Americans , in Four Key Areas Washington, DC -- Vice President Gore announced new steps toward an Electronic Bill of Rights, an effort to protect one of the oldest and most basic American values -- privacy -- with the rise of new technology. "We need an electronic bill of rights for this electronic age," Vice President Gore said in an event in the Roosevelt Room at the White House. "You should have the right to choose whether your personal information is disclosed; you should have the right to know how, when, and how much of that information is being used; and you should have the right to see it yourself, to know if it's accurate." Following a major address at New York University this May, the Vice President renewed the call for an Electronic Bill of Rights by asking everyone to do their part to protect individual privacy -- relying on private sector leadership where possible, on legislation when necessary, on responsible government handling of personal information, and on an informed public. The Vice President announced new action in four key areas: Protecting sensitive personal information. Taking new executive action and calling for tough new legislation to protect personal information such as medical and financial records -- and ensuring that existing privacy laws are strong enough to protect privacy as technology grows and changes; Stopping identity theft. Calling for strong new penalties for so-called "identity theft"; Protecting children's privacy on-line. Calling for strong new measures to protect children's privacy on-line -- by ensuring that data is not collected from children without their parents , consent; and Urging voluntary private sector action to protect privacy. Challenging the private sector to continue to take effective voluntary steps to protect privacy on-line. ### PROTECTING AMERICANS , PRIVACY IN THE INFORMATION AGE: AN ELECTRONIC BILL OF RIGHTS "Privacy is a basic American value -- in the Information Age, and in every age. And it must be protected. We need an electronic bill of rights for this electronic age. You should have the right to choose whether your personal information is disclosed; you should have the right to know how, when, and how much of that information is being used; and you should have the right to see it yourself, to know if it's accurate." -- Vice President Gore In a major address at New York University this May, Vice President Gore called for an Electronic Bill of Rights to protect one of the oldest and most basic American values -- privacy -- with the rise of new technology. Today at the White House, the Vice President will announce a series of measures that represent the latest step toward making the core principles of the Electronic Bill of Rights a reality. His plan calls on everyone to do their part to protect individual privacy -- relying on private sector leadership where possible, legislation when necessary, responsible government handling of personal information, and an informed public. The Vice President will announce new action in four key areas: Protecting sensitive personal information. Taking new executive action and calling for tough new legislation to protect personal information such as medical and financial records -- and ensuring that existing privacy statutes are strong enough to protect privacy as technology grows and changes; Stopping identity theft. Calling for strong new penalties for so-called "identity theft"; Protecting children's privacy on-line. Calling for strong new measures to protect children's privacy on-line -- by ensuring that data is not collected from children without their parents , consent; Urging voluntary private sector action to protect privacy. Challenging the private sector to continue to take effective voluntary steps to protect privacy on-line. Sensitive Personal Information Medical Records. Currently, Americans have stronger privacy protections for their video rentals than they do for their medical records. The Administration believes this is unacceptable. The Administration has proposed strong medical privacy recommendations and urged Congress to pass legislation that gives Americans the privacy protections they need. If Congress does not pass strong medical privacy legislation, the Administration fully intends to implement privacy protections consistent with the authority given to us by the law. For example, next week the Administration is releasing a proposed rule to establish standards for the security of health information used by health care providers, health plans, and others (e.g. security and confidentiality practices, access controls, audit trails, physical security, protection of remote access points, etc.) In 1996 Congress directed HHS to develop standards for unique health identifiers under the Health Insurance Portability and Accountability Act of 1996. However, because the availability of these identifiers without strong privacy protections in place raises serious privacy concerns, the Administration is committed to not implementing the identifiers until such protections are in place. It is also important to note that the privacy provisions passed in the House Republicans patients , rights legislation last week certainly do not pass this test, as this provision permits far too much disclosure of patient information without consent. Financial records: The Administration will direct Treasury and the banking regulators to strengthen the enforcement of the Fair Credit Reporting Act with respect to the sharing of information between banks and their affiliates and "opt-out" notices for consumers. The Administration will also ask that Congress give bank regulators the authority to examine financial institutions for compliance with the Fair Credit Reporting Act. Profiling: The Administration will work with the Federal Trade Commission to encourage companies that build dossiers about individuals by aggregating information from a variety of database sources to implement effective self-regulatory mechanisms. If industry attempts at self-regulation are not successful, the Administration will consider other means to ensure adequate privacy protection. Government information: The Administration will launch a "privacy dialogue" with state and local governments. This dialogue will include considering the appropriate balance between the privacy of personal information collected by governments, the right of individuals to access public records, and First Amendment values. For example, the digitization and widespread availability of public records has raised serious privacy concerns. Identity Theft Identity theft: The Administration will urge the Congress to pass legislation sponsored by Senators Kyl and Leahy to crack down on "identity theft," which is the fraudulent use of another person's identity to facilitate the commission of a crime, such as credit card fraud. According to law enforcement officials, the incidence of identity theft is increasing rapidly, and current federal and state laws do not provide sufficiently comprehensive privacy protection. Theft of personal financial information: The Administration will work with Congress to pass legislation sponsored by Representatives Leach and LaFalce that will make it a federal crime to obtain confidential customer information from a bank by fraudulent means. In some cases, people are obtaining information illegally and then using the information for a legal purpose --e.g., pretending to be a customer in order to trick confidential information out of a bank, and then selling that information to a private investigator or some other third party. Children's Privacy Children's privacy: The Administration will seek legislation that would specify a set of fair information principles applicable to the collection of data from children, such as a prohibition on the collection of data from children under 13 without prior parental consent. The Federal Trade Commission would have the authority to issue rules to enforce these standards. Legislation is needed because children under 13 may not understand the consequences of giving out personally identifiable information. Calling for Private Sector Efforts Privacy online: The Administration will continue to press for industry self regulation with enforcement mechanisms. The private sector continues to respond to the Administration's call for industry self regulation. For example, over 50 major companies and associations engaged in electronic commerce have recently created the "Online Privacy Alliance." The Administration will monitor the progress of online industry self regulation to ensure that the commitments made by companies are implemented, that the enforcement mechanisms are effective, and that the numbers of companies and organizations participating in these efforts expands so that the efforts become sufficiently broad based. Increasing Public Awareness Public education: The Administration will work with the private sector, the privacy and consumer advocacy communities, and non-profit organizations to develop a public education campaign to inform individuals about how to exercise choice with respect to the collection and dissemination of their personally identifiable information, and about the technologies that can make that choice possible. A Coordinated Approach Privacy coordination: OMB will be given responsibility for coordination of privacy issues, drawing on the expertise and resources of other government agencies. This will help improve the coordination of U.S. privacy policy, which cuts across the jurisdiction of many federal agencies. ------------------------------ Date: Mon, 03 Aug 98 23:04 CDT From: Jim Thomas (tk0jut1@mvs.cso.niu.edu) Subject: File 3--"HACKER MYTH CRUMBLE" (DEFCON VI Report (from NYT)) ((MODERATORS' NOTE: Defcon has come a long way from the early days of the conference. The New York Times ran several stories over the weekend describing events. Here are excerpts from two of them)) Hacker Convention Takes On a Corporate Tone (New York Times, 31 July, 1998) By MATT RICHTEL LAS VEGAS -- "Dark Tangent," the founder of the annual hacker convention known as Defcon, isn't the arch-criminal you might expect, stealthily breaking into corporate America's most private systems. Instead, he's having corporate America over for lunch -- and its managers are paying handsomely for the privilege. The sixth-annual Defcon opens Friday in Sin City, and some 2,000 rowdy hackers and their groupies are expected to attend. But on Wednesday and Thursday, Dark Tangent -- whose given name is Jeff Moss -- hosted a conference and buffet lunches for a different crowd: 350 representatives from Fortune 500 companies, the military and law enforcement. Each paid $1,000 to hear hackers share their technical secrets. "It's very fruitful," said Robin Hutchinson, a serious and clean-cut senior manager of electronic commerce for Ernst & Young, the accounting firm, which sent 11 computer professionals to the conference. "They've pulled together people who really know their stuff." ============== The Hacker Myth Crumbles at Convention By MATT RICHTEL LAS VEGAS -- Seventeen-year-old Heath Miller has come to his first Defcon hacker convention in full battle array, wearing a black T-shirt depicting a shrieking skull and army-green shorts so baggy they can keep his ankles warm. In short, he looks precisely like the devious computer whiz your mother warned you about. So much for first impressions. Miller is an excellent student, hopes to attend MIT and recently placed third in a national science contest with a project that it is not exactly a nefarious bit of hacking: He built a sensor system that lets school bus drivers monitor whether students are wearing their seat belts. The sixth-annual Defcon is in full swing in Las Vegas, but anyone who came here looking for Public Enemy #1 may want to pack up his dragnets and go home. Turns out that for the most part, this convention doesn't live up to its reputation as a gathering of clandestine, underground hackers plotting to cripple the Pentagon via modem. Instead, many are here just to party. Others are just young and bright, with creative minds and a passion for understanding computers. Sure, they might spend too many adolescent hours tanning by the light of the monitor, but that doesn't exactly make them the next coming of Hannibal Lecter. This is not to say that Defcon is devoid of more troubling impulses. Many here would clearly like the bragging rights granted to the discoverer of some new hack (known as an "exploit") that can be used to infiltrate critical corporate or government computers. Defcon founder Jeff Moss said that the convention has its share of "malicious" hackers. Some of what they saw is not likely to change their opinion of hackers. The formal proceedings include talks on "hacking into the travel industry" and creating a false identity, plus an extensive session on how to pick locks. And on Monday, Cult of the Dead Cow, one of the oldest and most respected hacking groups, plans to give out free copies of a program it claims can be used to hack into a Windows 95 or 98 computer from a remote location and essentially take control of it. For instance, the members of Cult of the Dead Cow defend their exploitation of a security flaw in Windows on the basis that they are pointing out a dangerous problem with the software, and also providing a possible tool. "There is a legitimate use for this as a network management tool," said a Dead Cow founder, who goes by the hacker handle "Death Veggie." ------------------------------ From: "Jim Galasyn" Subject: File 4--Teens Who Hacked Into U.S. Computers Plead Guilty Date: Thu, 30 Jul 1998 12:14:51 -0700 Teens Who Hacked Into U.S. Computers Plead Guilty By Rajiv Chandrasekaran Washington Post Staff Writer Thursday, July 30, 1998; Page A02 Two Northern California teenagers pleaded guilty yesterday to charges that they hacked into several U.S. government computers earlier this year and installed sophisticated programs to intercept passwords on the machines. In a plea agreement with federal prosecutors, the 16-year-old boys each pleaded guilty to one count of illegally accessing a government computer and one count of wiretapping. In exchange, prosecutors asked U.S. District Judge Maxine M. Chesney in San Francisco to sentence the boys to probation but did not specify for how long. The teenagers, working with other juveniles, were suspected of worming their way into at least 11 sensitive computer systems at U.S. military installations and dozens of systems at other government facilities, including federal laboratories that perform nuclear weapons research. The attacks, which occurred in January and February, were characterized by Deputy Defense Secretary John J. Hamre as "the most organized and systematic attack" on U.S. computer networks to be detected by authorities. As a condition of their probation, the juveniles have agreed to use a computer with a modem -- which permits communication with other computers -- only under the supervision of a teacher, employer or librarian. While on probation, the teenagers also are not permitted to possess a modem at home or to work in the computer field. ------------------------------ Date: Mon, 3 Aug 1998 23:37:30 -0500 From: jthomas@VENUS.SOCI.NIU.EDU(Jim Thomas) Subject: File 5--E-mail Security Flaw Information (NYT & Knight/Ridder) From the New York Times: Security Flaw Discovered in E-Mail Programs By JOHN MARKOFF SAN FRANCISCO -- A serious security flaw has been discovered in popular e-mail programs published by Microsoft Corp. and Netscape Communications Corp. that would permit a malicious person to send a message containing a virus that could crash a computer, destroy or even steal data.
So far, security tests have shown that the flaw exists in three of the four most popular e-mail programs, used by perhaps tens of millions of people around the world: Microsoft's Outlook Express and Outlook 98 and Netscape's Web browser, Navigator, which is part of its Communicator suite of Internet programs. While Microsoft is already providing fixes, the flaw is particularly worrisome in the Microsoft Outlook 98 program, which combines e-mail with a schedular, contact list, notes and other tasks, because this software allows an illicit program attached to a piece of e-mail to execute without any activity on the part of the person using the target computer. Most computer viruses can only infect a machine when the user opens an infected file or attempts to run an infected program. ================== From the Knight Ridder/Tribune News Service: FLAW COULD LET HACKERS DELIVER DEVASTATING E-MAIL By David L. Wilson Since Finnish researchers discovered the flaw last month, tests have established its presence in three programs widely used to read electronic mail: Microsoft Corp.'s Outlook Express and Outlook 98, and Netscape Communication's Corp.'s current Web browser, Communicator. Researchers are still checking to see whether other e-mail programs, such as Eudora, also contain the flaw. Most e-mailed hacker attacks involve "attachments" that are harmless unless the user runs the attached program. that allowed Robert T. Morris, a graduate student at Cornell University, to bring down the entire Internet 10 years ago using an electronic "worm," a bit of software whose only goal was to spread through the system and make copies of itself. "Now we have the potential for a new Internet-based worm that could be much, much worse than Morris' version," said Eugene Spafford, director of the new Center for Education and Research in Information Assurance and Security at Purdue University. Exploiting the flaw depends on use of an attachment to an e-mail or USENET message, but the problem does not lie with the attachment itself. In fact, it doesn't matter what's in the attachment: a text file, a song or even a movie. The attack comes from the "tags" that identify the attachment. The attack can be triggered without even opening the message. ------------------------------ Date: Sat, 1 Aug 1998 08:01:41 -0500 From: peter@LAPUTA.BITNET Subject: File 6--Regarding the "ClearZone" proposal. Regarding the "ClearZone" proposal: >A group of 13 companies lead by Cisco Systems announced on July 13 >that they would develop a product called ClearZone, which would >enable routers to capture e-mail, URLs, and other data before they >are encrypted and sent over the network that could then be given >to law enforcement agencies. I find it hard to understand the benefit to law enforcement agencies from this arrangement, let alone the privacy issue. If you are sending sensitive information over the Internet, surely you're already using end-to-end encryption with something like GPG, PGP, SSL, SSH, or swIPe (depending on the requirements of the transaction) rather than depending on your ISP or other carrier to keep your secrets safe. If you're not you should assume you're already compromised. Surely any reader of the Computer Underground Digest already knows this. Even if you're using a virtual network perimeter (also known as a Virtual Private Network, or VPN), unless you have the source code you have no way to tell where a back door might be hiding. ------------------------------ ------------------------------ Date: Thu, 25 Apr 1998 22:51:01 CST From: CuD Moderators Subject: File 7--Cu Digest Header Info (unchanged since 25 Apr, 1998) Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically. CuD is available as a Usenet newsgroup: comp.society.cu-digest Or, to subscribe, send post with this in the "Subject:: line: SUBSCRIBE CU-DIGEST Send the message to: cu-digest-request@weber.ucsd.edu DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS. The editors may be contacted by voice (815-753-6436), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA. To UNSUB, send a one-line message: UNSUB CU-DIGEST Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU (NOTE: The address you unsub must correspond to your From: line) CuD is readily accessible from the Net: UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD Web-accessible from: http://www.etext.org/CuD/CuD/ ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/ aql.gatech.edu (128.61.10.53) in /pub/eff/cud/ world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/ wuarchive.wustl.edu in /doc/EFF/Publications/CuD/ EUROPE: nic.funet.fi in pub/doc/CuD/CuD/ (Finland) ftp.warwick.ac.uk in pub/cud/ (United Kingdom) The most recent issues of CuD can be obtained from the Cu Digest WWW site at: URL: http://www.soci.niu.edu/~cudigest/ COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission. It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary. DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections. ------------------------------ End of Computer Underground Digest #10.44 ************************************