==Phrack Inc.== Volume Three, Issue Thirty-five, File 12 of 13 PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Phrack World News PWN PWN PWN PWN Issue XXXV / Part Three PWN PWN PWN PWN Compiled by Dispater PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN PWN Prodigy Stumbles as a Forum...Again ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by Mike Godwin (Electronic Frontier Foundation) On some days, Prodigy representatives tell us they're running "the Disney Channel of online services." On other days the service is touted as a forum for "the free expression of ideas." But management has missed the conflict between these two missions. And it is just this unperceived conflict that has led the B'nai B'rith's Anti-Defamation League to launch a protest against the online service.. On one level, the controversy stems from Prodigy's decision to censor messages responding to claims that, among other things, the Holocaust never took place. These messages--which included such statements as "Hitler had some valid points" and that "wherever Jews exercise influence and power, misery, warfare and economic exploitation ... follow"--were the sort likely to stir up indignant responses among Jews and non-Jews alike. But some Prodigy members have complained to the ADL that when they tried to respond to both the overt content of these messages and their implicit anti-Semitism, their responses were rejected by Prodigy's staff of censors. The rationale for the censorship? Prodigy has a policy of barring messages directed at other members, but allows messages that condemn a group. The result of this policy, mechanically applied, is that one member can post a message saying that "pogroms, 'persecutions,' and the mythical holocaust" are things that Jews "so very richly deserve" (this was an actual message). But another member might be barred from posting some like "Member A's comments are viciously anti-Semitic." It is no wonder that the Anti-Defamation League is upset at what looks very much like unequal treatment. But the problem exposed by this controversy is broader than simply a badly crafted policy. The problem is that Prodigy, while insisting on its Disney Channel metaphor, also gives lip service to the notion of a public forum. Henry Heilbrunn, a senior vice president of Prodigy, refers in the Wall Street Journal to the service's "policy of free expression," while Bruce Thurlby, Prodigy's manager of editorial business and operations, invokes in a letter to ADL "the right of individuals to express opinions that are contrary to personal standards or individual beliefs." Yet it is impossible for any free-expression policy to explain both the allowing of those anti-Semitic postings and the barring of responses to those postings from outraged and offended members. Historically, this country has embraced the principle that best cure for offensive or disturbing speech is more speech. No regime of censorship--even of the most neutral and well- meaning kind--can avoid the kind of result that appears in this case: some people get to speak while others get no chance to reply. So long as a board of censors is in place, Prodigy is no public forum. Thus, the service is left in a double bind. If Prodigy really means to be taken as a computer-network version of "the Disney Channel"--with all the content control that this metaphor implies--then it's taking responsibility for (and, to some members, even seeming to endorse) the anti-Semitic messages that were posted. On the other hand, if Prodigy really regards itself as a forum for free expression, it has no business refusing to allow members to respond to what they saw as lies, distortions, and hate. A true free-speech forum would allow not only the original messages but also the responses to them. So, what's the fix for Prodigy? The answer may lie in replacing the service's censors with a system of "conference hosts" of the sort one sees on CompuServe or on the WELL. As WELL manager Cliff Figallo conceives of his service, the management is like an apartment manager who normally allows tenants to do what they want, but who steps in if they do something outrageously disruptive. Hosts on the WELL normally steer discussions rather than censoring them, and merely offensive speech is almost never censored. But even if Prodigy doesn't adopt a "conference host" system, it ultimately will satisfy its members better if it does allow a true forum for free expression. And the service may be moving in that direction already: Heilbrunn is quoted in the Wall Street Journal as saying that Prodigy has been loosening its content restrictions over the past month. Good news, but not good enough--merely easing some content restrictions is likely to be no more successful at solving Prodigy's problems than Gorbachev's easing market restrictions was at solving the Soviet Union's problems. The best solution is to allow what Oliver Wendell Holmes called "the marketplace of ideas" to flourish--to get out of the censorship business. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Computer Network to Ban 'Repugnant' Comments ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >From Washington Post Prodigy has been charged with allowing "antisemitic slurs" to run on its network. Prodigy officials said they would *not* censor discussion of controversial subjects, such as the one that has been raging over the net for several months -- whether the Holocaust was a hoax. The controversial message that was labeled "repugnant" included the statements: "Hitler had some valid points...", and "...whenever Jews exercise influence and power, misery, warfare and economic exploitation [are the result]". There were six other messages that the Anti-Defamation League of B'nai B'rith are complaining about. The Hitler message was not available to all subscribers, it was just personal mail between users. The person who received the mail brought it to the ADL's attention. Civil liberties groups have compared computer networks to telephone companies, which do not censor calls. However, Prodigy officials object to that analogy, saying it is more like a newspaper, and that Prodigy must judge what is acceptable and what is not, much as a newspaper editor must. Prodigy officials take the position of, and I quote, "we were speaking in broader terms ... we were focused on the broad issue of free expression". _______________________________________________________________________________ More on Proctor & Gamble August 15, 1991 ~~~~~~~~~~~~~~~~~~~~~~~ by Randall Rothenberg (New York Times) Further Reading: Phrack Inc., Issue 33 , File.12, "Proctor & Gamble" Law-enforcement officials in Ohio have searched the records of every telephone user in southwestern Ohio to determine who, if anyone, called a Wall Street Journal reporter to provide information that Proctor & Gamble said was confidential and protected by state law. The investigation goes far beyond examining the telephone records of current and former employees of the giant consumer products company, an inquiry the Hamilton County prosecutor's office confirmed on Monday. The Journal reported the scope of the investigation Thursday. The prosecutor, Arthur Ney Jr., acting on a complaint by Procter & Gamble, ordered Cincinnati Bell to turn over all the telephone numbers from which people called the home or office of the reporter, Alecia Swasy, from March 1 to June 15. The situation began sometime before June 17 when Procter & Gamble, which makes Tide detergent, Crest toothpaste and other familiar supermarket products, asked the Cincinnati police to determine whether current or former employees were leaking confidential corporate information to The Wall Street Journal. On Monday the newspaper reported that the company had been bothered by two news articles published on June 10 and June 11 written by Ms. Swasy, a reporter based in Pittsburgh who covers Procter & Gamble. The articles cited unidentified sources saying that a senior executive was under pressure to resign from the company, and that it might sell some unprofitable divisions. But a spokeswoman for Procter and Gamble, Sydney McHugh, said Thursday that the company "had been observing a disturbing pattern of leaks" since the beginning of the year. She refused to elaborate, but said the decision to pursue legal action was reviewed at several levels in the company and was made by Jim Jessee, a corporate security officer. Two Ohio statutes protect the unauthorized disclosure of trade secrets. One makes it a felony to transmit formulas, customer lists or other tangible pieces of information that would be valuable to a company and its competitors. But another, broader law makes it a misdemeanor to disclose "any confidential matter or information" without the company's consent. The Cincinnati police approached the Hamilton County prosecutor's office, which sought and received from a grand jury a subpoena for telephone records. A copy of the subpoena, dated June 17, was given to The New York Times by someone involved in the case who insisted on anonymity. The subpoena ordered Cincinnati Bell to "identify all (513) area code numbers that have dialed" Ms. Swasy's home or office telephones in Pittsburgh during an eight-week period that started on March 1. Cincinnati Bell serves 655,297 telephone numbers in the 513 area code, in an area covering 1,156 square miles, said Cyndy Cantoni, a spokeswoman for the company. In the company's entire jurisdiction, which also covers parts of Kentucky and Pennsylvania, about 13 million toll calls are placed in an average month, she said. Ms. Cantoni said she could not comment on what Cincinnati Bell turned over to the authorities, but said the company routinely complied with subpoenas. Under normal procedure, the company's computers would have automatically searched its customer list and printed out only the originating numbers, and not the names or addresses, of calls to Ms. Swasy's numbers, Ms. Cantoni said. The Wall Street Journal, which is published by Dow Jones & Co., reported on Monday that neither Ms. Swasy nor executives at the Journal were informed of the subpoena by the authorities. Neither Terry Gaines, a first assistant prosecutor, nor Ed Ammann, a police department colonel involved with the investigation, returned repeated calls to their offices. Alan F. Westin of Columbia University, an authority on technology and privacy issues, said the legality of the Ohio authorities' search for the Procter & Gamble whistleblower may depend on how the investigation was pursued. If Procter & Gamble turned over the names and phone numbers of present and former employees to the police and the police matched that list against the numbers they were given by the telephone company, the rights of other, uninvolved parties may not have been violated, Westin said. But if the police learned the names of people unaffiliated with Procter & Gamble who called the Journal's reporter, he said, or if they turned over a list of numbers to Procter & Gamble for research, some Ohio residents' Fourth Amendment protections may have been sullied. "When technology allows you to run millions of calls involving 650,000 telephone subscribers through a computer in order to identify who called a person, potentially to find out whether a crime was committed, you raise the question of whether technological capacity has gone over the line in terms of what is a reasonable search and seizure," Westin said. _______________________________________________________________________________ Expert Fraud Shares Tricks of His Trade October 7, 1991 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ by Bob Reilly (New York Times) PHOENIX -- A freelance writer didn't think the $333 that Forbes magazine paid him for a one-page article was enough money so he used his personal computer to duplicate the check in the amount of $30,000. And, the check cleared. A handyman fixes a bedroom window and gets paid by check. The handyman copies down the homeowner's bank account number, name, address and check number sequences and sends $4.95 to a company that prints fancy colored checks. The handyman masters the homeowner's signature and then proceeds to cash the checks after they arrive. American Express and Mastercard traveler's checks are duplicated on a colored photostat machine and spent in hotels and restaurants. A man rents a banquet room in a hotel for $800 and gets the bill in the mail a few days later. The man sends in a check for $400 with the notation "paid in full" written in the lower left-hand corner. The hotel cashes the check and sends a notice to the man saying $400 is still owed. The man refuses to pay the $400 and wins in court because the law says by cashing the check the hotel conceded the debt was paid. White-collar crime amounts to more than $50 billion a year, said Frank Abagnale, who cited the examples at a business-sponsored seminar in the Phoenix Civic Center. By contrast, bank robbers, who get most of the media attention, abscond with a paltry $450 million, he said. Abagnale is said to have conducted scams and frauds in 26 nations. Known as "The Imposter," he now advises government and industry. He says he served six years in jail in France, Sweden and the U.S. for his crimes, which included writing bad checks for more than $2.5 million. "As technology improves, so does the ability to commit fraud," said Abagnale. He claims that at 16 he impersonated an airline pilot, at 18 was a chief resident pediatrician in a Georgia hospital, at 19 passed the Louisiana state bar exam and served as an assistant attorney general for the state. Abagnale also claims he never flew an airplane or treated a patient but along the way used false names to get jobs and pass bad checks. He claims he even got a job at age 20 teaching sociology at Brigham Young University, beating out three Ph.D.s for the job. "I was always just one chapter ahead of the class," he said. Demeanor, style, confidence, clothes and the overt display of wealth also help the con man, Abagnale said. Abagnale claimed he got one teller to cash a napkin because he drove up to the bank in a chauffeur-driven Rolls Royce and entered wearing a $600 suit and all the confidence of a billionaire. The feat was recorded for television by CBS, he said. Another time he supposedly put the numbers of the bank account he was using on a bunch of deposit slips, placed the deposit slips in a bank for public use, and in one day alone more than $40,000 was deposited into his account by unsuspecting customers who picked up his slips because they had either run out of their own or hadn't yet got their own deposit slips. Abagnale asserted that there are several ways to discourage fraud, including: -- Use checks that are impossible to duplicate on a home computer. -- Don't cash checks that don't have at least one rough edge. -- Scan travelers checks by looking for impossible to reproduce pictures or symbols that can only be seen at eye level or by wetting the back, left-hand side of an American Express traveler's check, which will smudge if it is authentic. Abagnale is known as the author of a book called "Catch Me If You Can." "I always knew I would eventually get caught," he said. "Only a fool believes he won't. The law sometimes sleeps, but it never dies." Abagnale claimed he started a life of crime when his parents divorced and he was forced to choose between living with his mother or father. He said he couldn't make the choice and ran away. _______________________________________________________________________________ Dumb Jocks Learn First Lesson of Phreaking October 17, 1991 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >From Associate Press Four current Ball State University basketball players have admitted to investigators that they charged a total of $820.90 in unauthorized long distance calls. School officials announced the preliminary findings in the first phase of their report the the NCAA. What the investigators found, in regards to the unauthorized calls, was the following information: Person Yr Calls Cost ~~~~~~~~~~~~~~~~ ~~~ ~~~~~ ~~~~~~~ Jeermal Sylvester Sop 255 $769.93 Chandler Thompson Sen 28 $ 45.14 Michael Spicer Sen 3 $ 4.43 Keith Stalling Sen 1 $ 1.40 Investigators reported three of the men said former players had provided the long distance credit card numbers or authorization codes on which the calls were made. The fourth player Keith Stalling, could not explain how his call had been charged to the university. Head basketball coach Dick Hunsaker reiterated that neither he nor the coaching staff had made available the numbers that were assigned to the coaches. "When this problem was first discovered back in August, it came as a shock to me," Hunsaker said. "I'm disappointed with the judgement of the players involved, but I'm glad we're getting to the bottom of it quickly and clearing it up before the season starts." "Our attention now will focus on former players and other people not connected with the basketball program who might have used the same credit cards and access numbers," said the university's auditor. The investigation that began in August was conducted by the Ball State university's auditor and Department of Public Safety. The investigation started one week after a routine review of telephone records by athletic department officials. At the time, investigators said the total cost of the unauthorized calls was in the thousands of dollars. _______________________________________________________________________________ Silicon Government in California October 28, 1991 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >From UPI Sacramento California unveiled an easy-to-use computer system Wednesday that is designed to tell people about such topics as statewide job openings, where parents can find child care and how to re-register a car. Officials described the experimental "Info/California" program as an information-dispensing version of an automatic teller machine at a bank. It will operate in Sacramento and San Diego as a pilot project for the next nine months. Users will obtain free information on a variety of state services as they touch the television-like computer screen to evoke an on-screen narration and color graphics in English, Spanish and potentially other languages. "It literally puts state government at our fingertips," a computerized image of Gov. Pete Wilson said at a Capitol news conference. Secretary Russell Gould of the Health and Welfare Agency said the system may be especially useful to announce job openings as the economy rebounds from the recession. Job-seekers will need a fourth-grade literacy level to use the machine, which will refer them to Employment Development Department offices for follow-up. Director Frank Zolin of the Department of Motor Vehicles said the system will benefit 20 million drivers who want vehicle registration renewals, vanity license plate orders and faster service. John Poland, Central California manager for IBM -- the state's partner in the project -- said that besides telling the public about job opportunities, it will allow Californians to order birth certificates and get information about education, transportation, health and welfare at more than one site. During the nine-month trial, people will use the system at 15 kiosks in Sacramento and San Diego that will be similar to, and eventually integrated with, local system kiosks such as those in the courts in Los Angeles and Long Beach, and for community services in San Diego and Tulare counties. Info/California was authorized under 1988 legislation. It is based on an experimental touchscreen network in Hawaii that 30,260 people used over a six- month period. The state spent about $300,000 on the project, and IBM invested about $3 million to develop the technology. By performing functions now done by humans, the system may ultimately replace some state workers and produce cost savings for taxpayers. "We're working smart here," Gould said. "This may diminish some of the need for new state workers." _______________________________________________________________________________ Digital Tapes Deal Endorsed by Music Industry October 30, 1991 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >From (Congressional Monitor) Record industry executives joined with retailers and consumer groups in endorsing legislation (S 1623) that would pave the way for widescale introduction of digital audio tapes into the U.S. marketplace. For the first time, consumers would be allowed to legally make copies of prerecordings for home use. The agreement would allow artists, songwriters, and record companies to collect royalty fees on the sale of blank tapes and digital audio recorders. In addition, an electronics chip will be placed in the recorders to prevent anything other than the original recording to be copied. In testimony before the Senate Judiciary Committee's Subcommittee on Patents, Copyrights, and Trademarks, pop star Debbie Gibson said that many artists had been concerned that digital copying could spell the end of a profitable music industry. Unlike conventional tapes, digital audio recorders allow consumers to make a perfect copy of a prerecording. The record industry says it already loses $1 billion a year in sales due to illegal copying. And, the industry says, unchecked digital technology would dramatically increase that figure. Electronics manufacturers and retailers won the assurance that they will not be sued for copyright infringement due to the sale of blank tapes or recorders. _______________________________________________________________________________ Computer Cryptography: A Cure For The Common Code ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Anyone can sign a postcard, but how do you sign a piece of electronic mail? Without a "signature" to demonstrate that, say, an electronic transfer of funds really comes from someone authorized to make the transfer, progress towards all-electronic commerce is stymied. Ways of producing such signatures are available, thanks to the technology of public-key cryptography. They will not work to everyone's best advantage, though, until everyone uses the same public- key system. It is an obvious opportunity for standards-makers -- but in America they have turned up their noses at all the variations on the theme currently in use. The alternative standard for digital signatures now offered by America's National Institute of Standards and Technology (NIST) has brought a long- simmering controversy back to the boil. Public-key cryptography could become one of the most common technologies of the information age, underpinning all sorts of routine transactions. Not only does it promise to provide the digital equivalent of a signature, it could also give users an electronic envelope to keep private messages from prying eyes. The idea is to create codes that have two related keys. In conventional cryptography the sender and receiver share a single secret key; the sender uses it to encode the message, the receiver to decode it. In public-key techniques, each person has a pair of keys: a disclosed public key and a secret private key. Messages encoded with the private key can only be decoded with the corresponding public key, and vice versa. The public keys are published like telephone numbers. The private keys are secret. With this technology, digital signatures are simple. Encode your message, or just the name you sign it with, using your private key. If the recipient can decode the message with your public key, he can be confident it came from you. Sending a confidential message -- putting electronic mail in a tamper-proof envelope -- is equally straightforward. To send a secret to Alice encode it with her public key. Only Alice (or someone else who knows her private key) will be able to decode the message. The heart of any system of public-key cryptography is a mathematical function which takes in a message and a key, and puts out a code. This function must be fairly quick and easy to use, so that putting things into code does not take forever. It must be very hard to undo, so that getting things out of code does take forever, unless the decoder has the decoding key. Obviously, there must be no easy way to deduce the private key from the public key. Finding functions that meet these criteria is "a combination of mathematics and muddle," according to Roger Needham of the Cambridge Computer Laboratory. The greatest successes to arise from the muddle so far are those using functions called prime factorisation algorithms. They are based on the mathematical insight that, while it is easy to multiply two numbers together, it is very hard to work backwards to find the particular two numbers which were multiplied together to produce some given number. If Alice chooses two large prime numbers as her private key and publishes their 150-digit product as her public key, it would probably take a code-breaker thousands of years to work backwards to calculate her private keys. A variety of schemes have been worked out which use this insight as the basis for a workable public-key code. Most popular of these is the so-called RSA algorithm, named after the three MIT professors who created it -- Ronald Rivest, Adi Shamir and Len Adleman. It has been patented and is sold by a Silicon Valley company, called RSA, that employs 15 people, most of them ex-MIT graduate students. Faculty firms are to computer start-ups what family firms were to the industrial revolution. RSA has attracted both academic praise and a range of heavyweight commercial customers: Microsoft, Sun Microsystems, Digital Equipment and Lotus Development. But, despite repeated applications, it has never been endorsed by those in government. Rumors abound that the codebreakers in the National Security Agency have discouraged standard-setters from recommending RSA because they do not want to promote the use of codes they cannot break. RSA, for obvious reasons, does not discourage the rumors. Whatever the reason, the standard-setters at the NIST have sidestepped the debate over RSA with their new algorithm, DSA. As set out in the standard, DSA verifies the identity of the sender, but does not encrypt the message. It appends to the message a number calculated from the message and the sender's private key. The recipient can then use this number, the message and the sender's public key to verify that the message is what it seems. The NIST says that this technique is well suited to "smart cards" and other applications where there is not a lot of computing power available for working out codes. Because it hopes that DSA will be used for verifying the identity of everyone from welfare recipients to military contractors, its flexibility is a boon. Meanwhile, however, more and more companies are choosing a public-key cryptography system for communicating confidentially -- often RSA, sometimes something different. Someday, probably soon, governments will want to choose, too. Watch out for fireworks when they do. _______________________________________________________________________________ SWBT Sends Off First "Cross-Country" ISDN Call ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >From Southwestern Bell Telephone The nation's first "cross-country" public network ISDN was placed last week, courtesy of SWBT. The historic first call was the result of a two-year joint effort among SWBT, BellSouth Corp., US Sprint and Bellcore. SWBT's Advanced Technology Lab originated the call, which used US Sprint's digital facilities in Burlingame, Calif. The call terminated at a BellSouth switch in Atlanta, Ga. Using an ISDN video application, SWBT's trial director Ken Goodgold was able to see and talk to BellSouth's David Collins. "With this test, the geographic limits of ISDN-based services were stretched from a few miles to cross-country," Goodgold says. "We began with protocol testing and service verification, two key parts of the process," Goodgold says. "That required an extremely complex series of technical tests. The Advanced Technology Lab staff worked for months performing the tests leading up to the first successful call." Last week's test call was significant from a marketing perspective as well as a technical one. That's because it demonstrated the economic benifits of using ISDN for video information. "The cost of a long distance call is approximately the same, whether it's a voice transmission using a regular phone line or a video transmission using ISDN," Goodgold says. "That means a big reduction in cost to arrange a videoconference." US Sprint joined the test because ISDN has evolved beyond the local stage, says Terry Kero, the carrier's director of InfoCom Systems Development Labs. "After today, it will be technically possible to make an ISDN call across the country just as it is possible today to make a regular long distance call," Kero says. _______________________________________________________________________________