EFFECTOR ONLINE
Volume I, Number 9, July 26, 1991

The Electronic Newsletter of
The Electronic Frontier Foundation
(eff.org)

Staff:
Gerard Van der Leun (email@example.com)
Mike Godwin (firstname.lastname@example.org)
Mitchell Kapor (email@example.com)
Chris Davis (firstname.lastname@example.org)
Helen Rose (email@example.com)

Reproduction of Effector Online via all
electronic media is encouraged.
To reproduce signed articles individually
please contact the authors for their express
permission.

Published Fortnightly by
The Electronic Frontier Foundation (eff.org)
effector n, Computer Sci. A device for producing a desired change.
WE WUZ HACKED!
As Monty Python has wisely noted, "NOBODY expects the Spanish
knew about an unlocked door in your system, you'd lock it. Right? As
One of the machines here at eff.org is named "black-cube". As you might
that runs on the NeXT (and many other machines) has an authentication
one of the eff.org machines is a NeXT, or who might guess it by seeing
the name "black-cube" can exploit the weakness of "rexd" to gain entry
into the system.
On July 1, this happened to us. If you run a NeXT, or even if you don't,
it could happen to you.
The sequence of events, as detailed in Chris Davis' report on the
incident was as follows:
"At about 1 am on July 1, the NeXT was breached by an intruder using
the rexd remote execution daemon. The following things happened, in
uncertain but approximate order:
"(1) rexd mounted file systems from 'kropotkin.gnu.ai.mit.edu'. Only
that, the local disk, and the /home partition from the Sun were
"(2) the /etc/inetd.conf internet daemon configuration file was edited,
as user mkapor, to allow rexecd to be run.
"(3) the /etc/nu.cf new user program configuration file was edited or
modified in an unknown fashion as user mkapor (it's possible that only
the modification date was changed).
"(4) a file 'rc', a 16K Mach executable, was created in mkapor's home
"(5) the /etc/wtmp file was overwritten with an empty file, removing
login accounting timestamps
"User 'mycroft' was logged into kropotkin.gnu.ai.mit.edu at the appropriate
time, and admits entering the machine, but denies 2, 3, 4, and 5."
We note that "mycroft" was the name of Sherlock Holmes' older brother.
He was said to be even more brilliant than Holmes himself. But it
a certain specific knowledge, and the willingness to wander around in
other people's homes without being invited.
The security hole was apparently known to CERT (Computer Emergency
Response Team), but the alert was netcast before we owned the NeXT so
and have reviewed all other security programs and measures.
We were very careful to close all known security holes on our principal
machine. We were not quite careful enough to apply the same level of
Eternal vigilance is the price of network security.
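One way to check a machine for two of the conditions in the incident report above (a remote-execution service enabled in /etc/inetd.conf, and an emptied /etc/wtmp), as an added example that is not part of the original newsletter and not EFF's own tooling. It assumes the usual inetd.conf column layout (service, socket type, protocol, wait flag, user, server, arguments); the sample configuration lines, server paths and function names are constructed for illustration.

```python
"""Added example: audit inetd.conf text for remote-execution services."""
import os

# Services named in the incident report: rexd (the entry point) and
# exec, the inetd service name under which rexecd is started.
RISKY = {"rexd": "RPC remote execution daemon", "exec": "rexecd"}

# Constructed sample files (not from the EFF machine). The server paths
# are placeholders; only the column layout matters here.
BASELINE = """\
ftp     stream tcp     nowait root /usr/etc/ftpd     ftpd
#exec   stream tcp     nowait root /usr/etc/rexecd   rexecd
rexd/1  stream rpc/tcp wait   root /usr/etc/rpc.rexd rpc.rexd
"""
# The same file after someone uncomments the exec entry.
CURRENT = BASELINE.replace("#exec", "exec ")


def enabled_services(conf_text):
    """Return {service_name: server_path} for every uncommented entry."""
    services = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                    # blank line or disabled entry
        fields = line.split()
        if len(fields) < 6:
            continue                    # not a complete inetd entry
        name = fields[0].split("/")[0]  # RPC form "rexd/1" -> "rexd"
        services[name] = fields[5]      # sixth column is the server program
    return services


def audit(current_text, baseline_text=""):
    """List risky enabled services, marking those absent from the baseline."""
    current = enabled_services(current_text)
    baseline = enabled_services(baseline_text)
    findings = []
    for name in sorted(current):
        if name in RISKY:
            status = "enabled" if name in baseline else "newly enabled"
            findings.append((name, status, current[name]))
    return findings


def accounting_log_emptied(path):
    """True if the login accounting file exists but holds no records."""
    return os.path.isfile(path) and os.path.getsize(path) == 0


if __name__ == "__main__":
    for name, status, server in audit(CURRENT, BASELINE):
        print(f"{name}: {status} ({RISKY[name]}), server {server}")
    print("wtmp emptied:", accounting_log_emptied("/etc/wtmp"))
```

Comparing against a known-good copy kept off the machine is what separates a service that was always on from one that was switched on during an intrusion.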
"When the 'oppressors' become too strict, we have what is
known as a police state, wherein all dissent is forbidden,
as is chuckling, showing up in a bow tie, or referring to
the mayor as 'Fats.' Civil liberties are greatly curtailed
in a police state, and freedom of speech is unheard of,
although one is allowed to mime to a record. Opinions
critical of the government are not tolerated, particularly
about their dancing. Freedom of the press is also
curtailed and the ruling party 'manages' the news,
permitting the citizens to hear only acceptable political
ideas and ball scores that will not cause unrest."
Woody Allen, "Without Feathers" (Ballantine, 1972)
THE AUSTIN EFF ORGANIZATIONAL MEETING
by Steve Jackson
An Austin meeting for those interested in the EFF and its mission
was held July 19 at the offices of Steve Jackson Games. About 60
people (50 or so actively interested, and another 10 along for the
ride) attended to cook hot dogs, drink sodas and beer, and talk
about Constitutional freedoms in the electronic age.
The meeting had been publicized almost exclusively over the net
and local BBSs; some attendees read about it first on the Well. Local
media were informed, but as far as we know, none mentioned it.
I introduced the idea of an Austin EFF chapter by pointing out
that the EFF *has* no local chapters, and one of the first missions of
an Austin group - if we started one - would be to find out what a
local chapter was good for.
Suggestions from the group included:
* Liaison with local law enforcement groups, both to influence
their attitudes and to offer expert assistance and cooperation.
* Liaison with media: offering information, correcting errors,
and if necessary being ready to go to editorial boards if facts are
* Education and communication with others: speaking at schools
and club meetings, writing opinion pieces for newspapers, and so on.
* Education and communication among ourselves. The issue of "Just
what ARE the laws regarding sysop liability?" was specifically raised.
* Direct political action: querying candidates on their stands on
EFF-related issues, and initiating legislation to preserve civil
rights in the high-tech age.
* More organized input into national EFF concerns, especially
creation of "ethical standards and practices."
* Recruitment of members for the national EFF.
* General networking among people with common interests. (Earl
Cooley, sysop of SMOF - an old and respected, but underutilized, local
board - volunteered to host a local EFF discussion. SMOF, the `World's
Oldest Online SF Convention,' can be reached at 512-467-7317.)
Four people - Bruce Sterling, John Quarterman, Matt Lawrence
and myself - expressed willingness to serve on a local EFF board
"provided no one of us has to do all the work." Four seems to be
about the *minimum* workable number; we'll certainly be looking for
Another attendee was a Houston civil-libertarian, representing a
group of about 20 like-minded computer users; a Houston EFF chapter
is probably in the offing.
10 people signed up as national EFF members at the meeting (several
others had already joined), and many more membership forms were
distributed. A signup sheet was passed around so that everyone could
be contacted directly for further meetings. And there will be more
meetings; the "sense of the crowd" was clear on that. Our four
volunteers will now have to discuss the next step.
Thanks go to Loyd Blankenship, for making sure that all the food,
drink and furniture arrived at the right time and place; to
Monica Stephens, Mike and Brenda Hurst, and John Quarterman for
assorted help with cooking, cleanup and publicity; and to everyone
who brought chairs and food!
"Think Globally, Act Locally"
We are really encouraged and a bit overwhelmed by the spontaneous
interest in forming chapters. In comp.org.eff.talk several other
individuals offered to help organize local chapters in different parts of
the country. Local activities to promote EFF causes can be a major factor
in civilizing the frontier. Over the summer we will be thinking about
coordinate and support activities from the already-busy EFF office. We'd
certainly like to see more discussion on comp.org.eff.talk about possible
MORE TITLES ON THE EFF MAGAZINE STAND
INTERTEXT, an electronic magazine devoted to fiction, is published
bi-monthly by Jason Snell (firstname.lastname@example.org).
Although primarily established as a place on the net to publish genres
other than sci-fi/fantasy, it does still contain some. The quality of
the fiction is about that of what you would find in alt.prose.
Jason welcomes submissions of all genres. INTERTEXT is also available
by e-mail subscription and is primarily archived on network.ucsd.edu.
QUANTA is the electronically distributed journal of Science Fiction
and Fantasy. As such, each issue contains fiction by amateur authors as well
as articles, reviews, and other items of interest.
You'll find pretty standard sci-fi/fantasy in QUANTA, with an
occasional gem or two. The editors of INTERTEXT and QUANTA are
friends and they tend to use some of the same editorial policies: they
QUANTA is edited by Daniel Applequist (email@example.com). Submissions
be sent to firstname.lastname@example.org.
PARSONS MESSENGER AND INTELLIGENCER is a fictional small-town
newspaper consisting primarily of editorials written by the fictional
Most of the letters and opinions etc. are stock stereotypes, but
a few are creative and interesting. It's a fresh idea, but it stales
THE UNPLASTIC NEWS is a brand new little magazine of quips and
quotes from anywhere and everywhere. It's published by Todd Tibbetts
(email@example.com), who is new to the net and hasn't quite figured
out how to effectively distribute Unplastic yet.
Unplastic's first issue is a collection of fully documented quotes
from sources outside the net. I get the impression that Todd wants to
collect brilliant offerings from the net for future issues and mix them
in heavily with the quotes from other sources. If he can pull this off
All four titles are available via anonymous ftp from eff.org. They are
to be found in the Journals Directory.
Paraphrased from Time magazine:
the clock on the VCR or anything complicated," says the President.
-- Denis Coskun, Alias Research Inc., Toronto Canada firstname.lastname@example.org
HACKER HYSTERIA DOWNUNDER
by Mike Godwin, Staff Counsel, EFF
computer intrusion and vandalism should be illegal. But I was
astonished at both the moral simplicity and the factual inaccuracy
of Tom Forester's newspaper column.
The article, "Hackers: Clamp Down Now", appeared in an Australian
newspaper earlier this summer. I had expected a well-reasoned article
from Forester, who co-authored COMPUTER ETHICS: CAUTIONARY TALES AND
ETHICAL DILEMMAS IN COMPUTING (Blackwell / Allen & Unwin, 1990). After
all, it was a book I had reviewed favorably for WHOLE EARTH REVIEW's
Summer 1991 issue.
But "Hackers: Clamp Down Now" turned out to be a potpourri of various
the American media a year ago and still persist in many quarters. It
Especially when written by someone who should know better.
Among other things, Forester writes:
>Breaking into a computer is no different from breaking into your
>neighbour's house. It is burglary plain and simple - though often
>accompanied by malicious damage and theft of information.
Yet nothing is "plain" or "simple" about analogizing computer trespass
to burglary. The English common law that informs the British,
American, and Australian legal systems has always treated burglary
*residence* and to his *person*.
But computer intrusion in general, and the cases Forester discusses in
or business, while it clearly ought to be protected "space" under the
law, is not a house "plain and simple." The kind of invasion and the
Consider this: anyone who has your phone number can dial your home--
can cause an electronic event to happen *inside your house*. That
"intruder" can even learn things about you from the attempt
(especially if you happen to answer, in which case he learns your
or information theft? Of course not--because we're so comfortable with
telephone technology that we no longer rely on metaphors to do our
thinking for us.
This is not to say that all computer intrusion is innocuous. Some of
it is quite harmful--as when a true "vandal" runs programs that damage
or delete important information. But it is important to continue to
make moral and legal distinctions, based on the intent of the actor
and the character of the damage.
Tom Forester seems to want to turn his back on making such
Forester supported his oddly simplistic moral stance with some odder
factual errors. Here are some of the more egregious ones.
>Last year, the so-called 'Legion of Doom' managed to completely
>stuff up the 911 emergency phone system in nine US states, thus
>endangering human life. They were also later charged with trading
>in stolen credit card numbers, long-distance phone card numbers
>and information about how to break into computers.
Only a person who is willfully ignorant of the record could make these
to damage the E911 system. If Forester had done even minimal research,
bureaucratic memo from an insecure Bell South computer and show it to
At the trial of Craig Neidorf, who was charged along with Legion of
Doom members, it was revealed that the information in that memo was
Thus, there was no proprietary information involved, much less a
threat to the E911 system. Forester is simply inventing facts in order
to support his thesis. For an academic, this is the gravest of sins.
>Leonard Rose Jr. was charged with selling illegal
>copies of a US $77,000 AT&T operating system.
Len Rose was never charged with "selling" anything. His crime
concerned his possession of the expensive source code, which he, like
many other Unix consultants, used in his work.
>Robert Morris, who launched the disastrous Internet worm, got a
>mere slap on the wrist in the form of a US $10,000 fine and 400
>hours' community service.
explanation for the lightness of Robert Morris Jr.'s sentence: that
Morris never intended to cause any damage to the networks. In any
case, Morris hardly qualifies as a "hacker" in the sense that Forester
uses the word; by all accounts, he was interested neither in "theft"
nor "burglary" nor "vandalism."
Of course, making such subtle distinctions would only blunt the force
of Forester's thesis, so he chooses to ignore them.
>Instead, [the hacker] tends to spend his time with the computer,
>rising at 2pm, then working right through to 6am, consuming mountains
>of delivered pizza and gallons of soft drink.
This is the kind of stereotyping that Forester should be embarrassed
to parrot in a public forum.
>Some suffer from what Danish doctors are now calling "computer
>psychosis" - an inability to distinguish between the real world
>and the world inside the screen.
>For the hacker, the machine becomes a substitute for human
>contact, because it responds in rational manner, uncomplicated by
>feelings and emotions.
And here Forester diagnoses people whom he has never met. One is
forced to wonder where Forester acquired his medical or psychiatric
training. Of the people whose names he blithely cites, I have met or
understandable that they prefer working with computers to working with
>One day, these meddlers will hack into a vital military, utility
>or comms system and cause a human and social catastrophe. It's
>time we put a stop to their adolescent games right now.
History suggests that we have far more to fear from badly designed or
overly complex software than from hackers. Recent failures of phone
networks in the United States, for example, have been traced to
Even if we grant that there are some hackers with the ability to
Why hasn't it happened already? The answer seems to be that few
they are interested in exploring.
Of course, there are some "vandals" out there, and they should be
exploring and understanding systems. While they may well violate the
law now and then, the punishments they earn should take into account
both their intentions and their youth.
of socializing a wave of barbarians--its own children. We will do our
children into criminals. For an ethicist, Forester seems to have given
little thought to the ethics of lumping all computer trespass into one
category of serious crime.
"Twas midnight, and the UNIX hacks
Did gyre and gimble in their cave
All mimsy was the CS-VAX
And Cory raths outgrave.
"Beware the software rot, my son!
The faults that bite, the jobs that thrash!
Beware the broken pipe, and shun
The frumious system crash!"
STUDENT SUSPENDED FOR MAILING PASSWORDS
by Rita Rouvalis
The University of Georgia's (UGA) Student Judiciary has recently
/etc/passwd file to an unauthorized user who wanted to break into the
>The University will soon be issuing a news release about this incident.
>In the meantime, here is a summary:
>(1) A number of unauthorized users have been using various University
>of Georgia computers. Most of them have left much more of a trail than
>they realized and will be hearing from us.
>(2) The first person actually caught as part of this incident has now
>been sentenced to 2 quarters' suspension, plus a probated expulsion,
>by the Student Judiciary. This was a U.Ga. student whose name cannot
>be released due to confidentiality of educational records. What this
>student did was mail a copy of /etc/passwd from athena.cs.uga.edu to a
>"hacker" who had already penetrated another system, and who wanted to
>use a password-guessing program to break into athena. The student was
>fully aware that he was assisting in a break-in.
> -- Michael Covington, sysadmin UGA
Discussion was muddied considerably by confusion with other threads,
and opinions were posted without factual basis. If one looks at the
facts, one finds the student received surprisingly fair treatment from
the University of Georgia, whether or not one agrees with the actual
Upon investigating an intrusion into one of the AI Lab's machines, the
copy of Athena's /etc/passwd file with an email header indicating it
first that either the e-mail header was bogus, or that the student's
account had also been hacked, the Athena sysadmins deactivated the
account. Notice that this was a file saved under an unauthorized
username; no e-mail was ever intercepted.
Upon further investigation, the student admitted to being the
owner/sender of this e-mail message. He also apparently admitted to
being a member of an "elite group of hackers/phreakers," and knowing
that the /etc/passwd file would be used to try to crack Athena.
When the matter came before them, UGA officials felt the needs of the
Student Judiciary instead of filing criminal charges. The only
confidential as required by federal law.
According to UGA Student Judiciary policy, a student can choose either
an administrative hearing, or a student court hearing before three
a trained defender (also a student) and has the right to have other
to the Vice President and to the President (which this student has
Despite protests from a few netters about the sentence the student
intent and personality of the student when handing down the sentence
-- a consideration not taken in too many hacker cases. Officials felt
that two quarters' suspension would effectively remove the student from
the influence of the hackers/phreakers and realign his priorities.
Community service involving computers was not chosen for the express
While some netters may disagree with the sentence handed down, they
officials. Their measured deliberation of all the issues involved
EFFector Online will keep you posted as the case progresses...
machines involved, are reproduced by permission.
Letters From The Sun
From: email@example.com (Michael I Bushnell)
Subject: Free software and electronic freedom
There is a convergence of interests between advocates of free software
and the EFF, which I think bears some examination. I think we can
"assist" the government, the police, the media, and the courts by
not believe that education (though it will help) can solve our problem.
The people from AT&T who assign $50,000 price tags to login.c and claim
millions of dollars of damage done by Riggs, Darden, and Grant are
completely aware of the real nature of what was done. The same is
certainly true of Apple's claim that irrevocable damage was done by the
victims will not be ended solely by education.
The possibility of perjury suits should be considered, of course, but
that is not the only way to end the problem. The computer shares with
certain other inventions several important characteristics: it is cheaper
than older alternatives; it is faster; and it offers new ways of thinking
about the world. The most obvious invention in the past with these
characteristics is the movable-type printing press. Suddenly books could
be published by only a few people, rather than requiring laborious
copying. Printing presses were cheaper than the hundreds of copyists
books encouraged people to see the world as somewhat smaller, as
information could suddenly be transmitted more quickly.
Gutenberg's first book was the Bible, published in German translation,
and the Church reacted vehemently to this new "problem". Its monopoly on
Biblical interpretation suddenly ended, and the Church quickly realized
that something "needed" to be done. The index of prohibited books became
its most effective tool. Those who assisted in the production of
unauthorized books (rulers who refused to arrest recalcitrant printers,
for example) would be in turn vilified or even excommunicated.
Even today, in many countries, access to the printed word is difficult
and managed by the state. Those we are fighting must be more visibly
compared with past opponents to free speech. We must be more vocal in
admitting and even pointing out that, yes, the computer is powerful and
ensure the safe use of this power. Instead, thanks to the wisdom of
Voltaire, and his ultimate victory over Rousseau, we recognize that the
encourage the same attitude in the public towards computers: that
computers, and associated networks, must be encouraged to grow without
they are only dangerous to those who hide in shadows and plot power in
the dark of night, for they are tools for light if available to all.
"I'm hosed." -- Steve Jobs, after his NeXT machine froze up during a
MEMBERSHIP IN THE ELECTRONIC FRONTIER FOUNDATION
becoming a member now. Members receive our quarterly newsletter,
EFFECTOR, our bi-weekly electronic newsletter, EFFector Online (if you
believe that support should be freely given, you can receive these things
even if you do not elect to become a member.
Your membership/donation is fully tax deductible.
Our memberships are $20.00 per year for students, $40.00 per year for
>>>---------------- EFF@eff.org MEMBERSHIP FORM ---------------<<<
Mail to: The Electronic Frontier Foundation, Inc.
Online Office Nine
155 Second St.
$20.00 (student or low income membership)
$40.00 (regular membership)
[ ] I enclose an additional donation of $___________
Email address: ______________________________
to my Mastercard [ ] Visa [ ] American Express [ ]
Expiration date: ____________
other non-profit groups from time to time as it deems
appropriate [ ].
under any circumstances, sell any part of its membership list. We will,
from time to time, share this list with other non-profit organizations
explicit permission, we assume that you do not wish your membership
The EFF is a non-profit, 501c3 organization.
Donations to the EFF are tax-deductible.