Path: sparky!uunet!timbuk.cray.com!shamash!shamash.cdc.com!
From: @shamash.cdc.com
Newsgroups: alt.security
Subject: Some words from a hacker.
Message-ID: <43...@shamash.cdc.com>
Date: 7 Jun 92 11:02:13 GMT
Sender: ro...@shamash.cdc.com
Organization: Control Data, Arden Hills, MN
Lines: 46

Yet another boring night. Sitting in front of an empty screen, with a simple # prompt up there. Bored, I think. Bored bored bored bored. Let's do something interesting tonight.. Get a com site.. IRC is dull, there's no-one interesting on the net to talk to.. ftp nic.ddn.mil, grab the hosts.txt file, look for a new domain.. Ahh.. cdc.com.. That name rings a bell. Let's try the domain server..

...2 minutes later...

Wow. Absolutely nothing of interest here. [I won't say how I got in.. I have a healthy murderous wish for those idiots that use the rm -rf command and I don't want them having to exercise all 3 brain cells in typing a few commands..]

So I think I might write something and post it to the net. It's been a few months since my last post. I think I will talk today about the average hacker mentality.

There are 10, maybe 15 REAL hackers, (not the average lame joe-cracker rm -rf stuff the 4 years of data that wasn't backed up...) wandering around the internet.. Most based mainly in the US, some around the world.. We aren't interested in wreaking havoc and giving sysadmins nightmares.. We are more interested in having a look around, seeing what goes on there. Of course it is usually the more interesting places that are firewalled and difficult to get in to, but that is just more of a challenge, and a bigger achievement when you DO get in and get a root shell.

Then of course, there is sun.com.. These are the people who say that their systems are C2 secure. <laughter> Doesn't it WORRY the people that buy Suns that sun.com is so firewalled you can't even TELNET to their machines? Doesn't that give you a hint as to how secure THEY think SunOS is?

But a good point was raised by someone, (I can't remember who, but you know who you are..) that a lot of Suns are never connected to the internet.. And that they WANT a + in their /etc/hosts.equiv. Personally, they might as well have made it + + in there, and then not have to worry about even having to get root somewhere else. But I digress. Maybe I should give out some pointers.. But then, back to my original point of giving the wannabes ideas and clues on how to do this and that. Which is highly undesirable.

Well, I have had my say. Please post any replies to alt.security, as I will be watching. Your comments, on whether you think I'm doing a 'bad' thing, or not - and why. Hopefully I encourage some discussion on this topic.

.signature deleted
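An added example following the point about a bare + in /etc/hosts.equiv (this is my code for this thread, not the poster's and not anything from Sun): a small Python audit that parses a hosts.equiv or .rhosts file and grades each entry by how much trust it hands out. It assumes the classic BSD syntax (host field, optional user field, + as a wildcard, a leading - to deny, @name or +@name for a netgroup, # for comment lines) and the hosts.equiv(5) rule that a user field lets that remote user into any local account except root without a password; the sample file inside is constructed.

```python
"""Audit an /etc/hosts.equiv (or ~/.rhosts) file for wildcard trust.

Added example for this thread, not code from any poster or from Sun.
Assumed file format (classic BSD hosts.equiv/rhosts syntax): one entry per
line, a host field and an optional user field, '+' as a wildcard, a leading
'-' to deny, and '@name' or '+@name' for a netgroup. Blank lines and lines
starting with '#' are skipped. A user field is graded per hosts.equiv(5):
that remote user may log in to any local account (root excluded) without a
password.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class TrustEntry:
    line_no: int
    host: str               # literal hostname, '+' (any host) or '@netgroup'
    user: Optional[str]     # literal user, '+' (any user), '@netgroup' or None
    negated: bool           # entry denies rather than grants (leading '-')


def _split_field(tok: str) -> Tuple[bool, str]:
    """Strip a leading '-' (deny) and normalise '+@grp' to '@grp'."""
    negated = tok.startswith("-") and len(tok) > 1
    if negated:
        tok = tok[1:]
    if tok.startswith("+@"):
        tok = tok[1:]
    return negated, tok


def parse_hosts_equiv(text: str) -> List[TrustEntry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host_neg, host = _split_field(fields[0])
        user_neg, user = False, None
        if len(fields) > 1:
            user_neg, user = _split_field(fields[1])
        entries.append(TrustEntry(n, host, user, host_neg or user_neg))
    return entries


def audit_hosts_equiv(text: str) -> List[Tuple[str, int, str]]:
    """Return (severity, line_no, message) for every entry that grants trust."""
    findings = []
    for e in parse_hosts_equiv(text):
        if e.negated:
            continue                       # deny entries never widen trust
        if e.host == "+" and e.user == "+":
            findings.append(("critical", e.line_no,
                             "'+ +': any user on any host may log in as any local account without a password"))
        elif e.host == "+":
            findings.append(("high", e.line_no,
                             "'+': every host is trusted; a same-named account anywhere logs in without a password"))
        elif e.user == "+":
            findings.append(("high", e.line_no,
                             f"any user on {e.host} may log in as any local account"))
        elif e.user is not None:
            findings.append(("high", e.line_no,
                             f"user {e.user} on {e.host} may log in as any local account"))
        elif e.host.startswith("@"):
            findings.append(("medium", e.line_no,
                             f"every host in netgroup {e.host[1:]} is trusted"))
        else:
            findings.append(("info", e.line_no,
                             f"host {e.host} is trusted for same-named accounts"))
    return findings


def worst_severity(text: str) -> Optional[str]:
    """Highest severity present in the file, or None if nothing grants trust."""
    sev = [s for s, _, _ in audit_hosts_equiv(text)]
    return max(sev, key=SEVERITY_RANK.__getitem__) if sev else None


# Constructed sample file, not taken from any real system.
SAMPLE = """\
# constructed sample, not a real configuration
trusted.example.com
+
+ +
build.example.com jenkins
-evil.example.com
+@admins
"""

if __name__ == "__main__":
    for severity, line_no, msg in audit_hosts_equiv(SAMPLE):
        print(f"line {line_no}: [{severity}] {msg}")
    print("worst:", worst_severity(SAMPLE))
```

Run it against a real file with `audit_hosts_equiv(open("/etc/hosts.equiv").read())`; the same parser applies to each user's ~/.rhosts, where a user field names who may log in as that file's owner rather than as any account.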
Path: sparky!uunet!spool.mu.edu!agate!ucbvax!ulysses!ulysses.att.com!smb
From: s...@ulysses.att.com (Steven Bellovin)
Newsgroups: alt.security
Subject: Re: Some words from a hacker.
Message-ID: <16786@ulysses.att.com>
Date: 7 Jun 92 13:26:46 GMT
Article-I.D.: ulysses.16786
References: <43752@shamash.cdc.com>
Sender: net...@ulysses.att.com
Lines: 38

In article <43...@shamash.cdc.com>, @shamash.cdc.com writes:
> Then of course, there is sun.com.. These are the people who say that
> their systems are C2 secure. <laughter> Doesn't it WORRY the people that
> buy Suns that sun.com is so firewalled you can't even TELNET to their machines?

Apart from the technicality that you have to configure the C2 features in SunOS, and that they're not present by default, you're missing two very important points. First, most system break-ins are caused by administrator error. I don't care how secure a house is; if someone leaves the screens open, mosquitoes will fly in.

Second, and more subtle, one of the (many) failings of the notion that Sun can proclaim C2 without a formal seal of approval is that they've never said -- or had to say -- exactly what configuration is covered. Maybe they mean a stand-alone system. Maybe they mean a single LAN, where the underlying network is considered to be part of the TCB. In either case, add a router to the Internet, and all bets are off. (One of the Rainbow Books, I forget which one offhand, makes the point that an Ethernet passing through a college dorm room is a very different beast than one on a submerged nuclear submarine.) I haven't checked the Red Book for C2, but I doubt that that's what they're claiming adherence to.

> Doesn't that give you a hint as to how secure THEY think SunOS is?

I assure you, the security folks at Sun have a very good idea of just how secure the system is (or isn't). But they're not the developers or marketers.

> Your comments, on whether you think I'm
> doing a 'bad' thing, or not - and why.

Yes, I think you're doing a bad thing. Why? I could, and someday will, write a long paper on the subject. For now, I'll give a very simple answer: it's rude. The owners of the system don't want you using it, and it's *their* system, not yours. I could point out that they -- and I -- don't know that your intentions are harmless. But that's irrelevant. It's theirs, not yours.
Path: sparky!uunet!mcsun!sun4nl!tuegate.tue.nl!svin02!wzv!rob
From: r...@wzv.win.tue.nl (Rob J. Nauta)
Newsgroups: alt.security
Subject: Re: Some words from a hacker.
Message-ID: <3397@wzv.win.tue.nl>
Date: 10 Jun 92 10:28:34 GMT
References: <root.708004004@merlin> <1992Jun9.041038.10115@cybernet.cse.fau.edu> <l3a329INNa9k@appserv.Eng.Sun.COM>
Organization: Sex, UNIX & Rock 'n Roll
Lines: 19

All this usual conversation about systems being like a house, a login: prompt being like a door, and a password being like a key is fine and dandy, but don't forget that the law doesn't allow comparisons, analogies, similarities, etc. A key is a key, a password is information, thus not a good. Under Dutch, and probably also European law, stealing non-goods isn't stealing, but has to be dealt with in other ways. European law also states possession of information cannot be illegal, only using it can be illegal. Possession of e.g. passwords for UNIX systems, credit card numbers, unlisted phone numbers isn't illegal, unlike in the USA.

Also, people will be emotionally attached to their own home, and see an intrusion as an insult, whereas using a computer without permission is a lot less illegal. Since you don't physically climb into the system, the breaking and entering law doesn't apply, period.

This is of course why separate computer law is needed. If it was as you guys are saying, there would be no need for them!

Rob
Xref: sparky comp.security.misc:364 alt.security:3493 misc.legal.computing:1066
Newsgroups: comp.security.misc,alt.security,misc.legal.computing
Path: sparky!uunet!mcsun!fuug!funic!nntp.hut.fi!usenet
From: j...@cs.HUT.FI (Jyrki Kuoppala)
Subject: Criminalizing unauthorized use
In-Reply-To: rob@wzv.win.tue.nl (Rob J. Nauta)
Message-ID: <1992Jun10.202836.20704@nntp.hut.fi>
Sender: use...@nntp.hut.fi (Usenet pseudouser id)
Nntp-Posting-Host: lusmu.cs.hut.fi
Reply-To: j...@cs.HUT.FI (Jyrki Kuoppala)
Organization: Helsinki University of Technology, Finland
References: <root.708004004@merlin> <1992Jun9.041038.10115@cybernet.cse.fau.edu> <l3a329INNa9k@appserv.Eng.Sun.COM> <3397@wzv.win.tue.nl>
Date: Wed, 10 Jun 1992 20:28:36 GMT
Lines: 54

In article <33...@wzv.win.tue.nl>, rob@wzv (Rob J. Nauta) writes:
>All this usual conversation about systems being like a house, a login:
>prompt being like a door, and a password being like a key is fine and
>dandy, but don't forget that the law doesn't allow comparisons,
>analogies, similarities, etc. A key is a key, a password is information,
>thus not a good. Under Dutch, and probably also European law,

European law? Never heard of such a thing before.

>stealing
>non-goods isn't stealing, but has to be dealt with in other ways.

Of course - stealing is taking something from someone.

>European law also states possession of information cannot be illegal,
>only using it can be illegal. Possession of e.g. passwords for UNIX
>systems, credit card numbers, unlisted phone numbers isn't illegal,
>unlike in the USA.

Well, some countries have some individual freedom left still.

>Also, people will be emotionally attached to their own home, and see
>an intrusion as an insult, whereas using a computer without permission
>is a lot less illegal. Since you don't physically climb into the
>system, the breaking and entering law doesn't apply, period.

A good point.

OK, end of the flame/stupid comments section and to business:

>This is of course why separate computer law is needed. If it was as
>you guys are saying, there would be no need for them!

I don't agree this means a separate computer crime law is needed. In Finland it's unauthorized use of some other person's property - covers computers, bicycles, pencils, whatever. Also on the fraud / email privacy laws / etc. the thing is taken care of by extending the normal laws, not creating new ones. There's talk about creating a law criminalizing "computer break-in" to "send a message" (I wish they used telephones, Usenet, newspapers and such like everyone else) but that'd have little practical significance.

Creating different computer laws is dangerous. Why should a crime committed with the help of a computer be any different from a crime committed by other means or other media? In the USA, I understand the computer crime laws have very harsh penalties - apparently much harsher than you can get for similar crimes by other means. This might be because fewer people know about these things and they will swallow stupidities more easily when given the normal drug traders/economic criminals/child pornographers bs line. Separate computer crime laws can be used to gradually turn the society into a much less free one this way.

//Jyrki
Xref: sparky comp.security.misc:458 alt.security:3570 misc.legal.computing:1091
Newsgroups: comp.security.misc,alt.security,misc.legal.computing
Path: sparky!uunet!mcsun!fuug!news.funet.fi!sunic2!ugle.unit.no!nuug!nntp.nta.no!hal.nta.no!styri
From: st...@hal.nta.no (Haakon Styri)
Subject: Re: Criminalizing unauthorized use
Message-ID: <1992Jun16.120338.18714@nntp.nta.no>
Lines: 13
Sender: ne...@nntp.nta.no
Nntp-Posting-Host: balder.nta.no
Reply-To: st...@nta.no
Organization: Norwegian Telecom Research
References: <root.708004004@merlin> <1992Jun9.041038.10115@cybernet.cse.fau.edu> <l3a329INNa9k@appserv.Eng.Sun.COM> <3397@wzv.win.tue.nl> <1992Jun10.202836.20704@nntp.hut.fi>
Date: Tue, 16 Jun 92 12:03:38 GMT

[text containing references to US, Dutch and European law deleted]

Before you guys start a flame fest I'd like to recommend a nice book:

    Ullrich Sieber:
    "The International Handbook on Computer Crime"
    Wiley,
    1986,
    ISBN 0-471-91224-7

It's becoming a bit out of date, but still very useful. Contains a compilation of computer crime acts and bills of some 19 countries.
Xref: sparky comp.security.misc:508 alt.security:3611 misc.legal.computing:1107
Path: sparky!uunet!cis.ohio-state.edu!ucbvax!ulysses!ulysses.att.com!smb
From: s...@ulysses.att.com (Steven Bellovin)
Newsgroups: comp.security.misc,alt.security,misc.legal.computing
Subject: Re: Criminalizing unauthorized use
Message-ID: <16863@ulysses.att.com>
Date: 21 Jun 92 00:42:49 GMT
References: <root.708004004@merlin> <1992Jun9.041038.10115@cybernet.cse.fau.edu> <1992Jun16.120338.18714@nntp.nta.no>
Sender: net...@ulysses.att.com
Lines: 73

In article <1992Jun16.1...@nntp.nta.no>, st...@hal.nta.no (Haakon Styri) writes:
> [text containing references to US, Dutch and European law deleted]
>
> Before you guys start a flame fest I'd like to recommend a nice book:
>
> Ullrich Sieber:
> "The International Handbook on Computer Crime"
> Wiley,
> 1986,
> ISBN 0-471-91224-7
>
> It's becoming a bit out of date, but still very useful. Contains a
> compilation of computer crime acts and bills of some 19 countries.

I got a copy of this book from the AT&T Library Network; I highly recommend it to anyone who thinks that special laws covering computer crimes are unnecessary. For the most part, it backs up what I said earlier, about existing laws being too specific. It's copiously footnoted, and filled with references to specific court opinions and statutes.

Let me give a few random examples to back up my point. Emphasis is as in the original.

    As was shown above, in the majority of computer fraud cases the object of crime was computer-stored data representing *deposit money*. Countries which include such money in the statutory definitions of theft and embezzlement... cover at least some of the cases of fraudulent `appropriation' of intangible assets... However, many countries ... cannot treat these cases as theft or embezzlement because deposit money is not considered to be a tangible item but a claim.

    The statutory definitions of fraud in most legal systems ... require that a *person be deceived*... As the `deception' of a computer is inappropriate in this case, the applicability of the fraud provisions in these countries always depends on whether or not the offender has also deceived a person checking the data.

    The provisions of *forgery* in most countries... require *visual readability* of the statement embodied in the document and therefore do not cover electronically stored data... Furthermore, the question is whether the printout is a *false document* or just a genuine one containing incorrect statements of facts.

    In most *Continental law countries*... one is reluctant to apply the traditional provisions on theft and embezzlement to the unauthorized abstraction of information, since these laws generally require the taking of tangible property with the intention of permanently depriving the victim.

    In other criminal codes, however, ... the erasure of information without damaging the physical medium does *not* fall under the provisions of damage to property, since electric impulses are not considered to be `tangible property' and interference with use of the physical medium is not considered to be `destruction'.... In cases of denial of access to authorized users, the legal situation is unclear in many countries.

    In many countries the unauthorized use of computer services or `time' is not covered by penal law.... A New York State Court has held that theft of services does not cover the unauthorized use of computers.

    As far as *wiretapping and the interception of data communications* are concerned, the traditional wiretap statutes of most legal systems refer only to the interception of oral communications or conversations.

I could go on, but I think my point is clear: for whatever reason, existing statutes don't cover a lot of behavior that many of us would regard as worthy of prosecution.
Path: sparky!uunet!mcsun!sun4nl!hacktic!utopia!global!peter
From: pe...@global.hacktic.nl (Peter Busser)
Newsgroups: alt.security
Subject: Criminalizing unauthorized use
Message-ID: <709468085snx@global.hacktic.nl>
Date: Thu, 25 Jun 92 10:28:05 GMT
References: <16863@ulysses.att.com>
Distribution: world
Organization: What organization???
Lines: 27

In article <16...@ulysses.att.com> s...@ulysses.att.com writes:

[stuff deleted]

> In other criminal codes, however, ... the erasure of information
> without damaging the physical medium does *not* fall under the
> provisions of damage to property, since electric impulses are not
> considered to be `tangible property' and interference with use of
> the physical medium is not considered to be `destruction'.... In
> cases of denial of access to authorized users, the legal situation
> is unclear in many countries.

[stuff deleted]

> I could go on, but I think my point is clear: for whatever reason,
> existing statutes don't cover a lot of behavior that many of us would
> regard as worthy of prosecution.

I think the most difficult thing about this kind of legal stuff is the proof. How can you prove that someone trashed your disk and not the OS:

    if( manphase != GOOD )
        erase_disk();

or the disk controller:

    if(written == TOO_MANY)
        trash( disk );

??? I mean, with computers it is very hard to really PROVE anything.

Greetings,
Peter Busser
--- I don't do .sigs
Newsgroups: alt.security
Path: sparky!uunet!cis.ohio-state.edu!pacific.mps.ohio-state.edu!linac!att!cbfsb!cbnewsg.cb.att.com!cooper
From: coo...@cbnewsg.cb.att.com (Ralph 'Hairy' Moonen)
Subject: Re: Criminalizing unauthorized use
Message-ID: <1992Jun29.073941.24114@cbfsb.cb.att.com>
Sender: ne...@cbfsb.cb.att.com
Organization: AT&T
References: <16863@ulysses.att.com> <709468085snx@global.hacktic.nl>
Date: Mon, 29 Jun 1992 07:39:41 GMT
Lines: 14

In article <709468...@global.hacktic.nl>, pe...@global.hacktic.nl (Peter Busser) writes:
> I mean, with computers it is very hard to really PROVE anything.
>
> Greetings,
> Peter Busser

Very true, because for a hacking case you would have to PROVE someone was at the keyboard at the time the hack took place and not someone else. However, the law states that something has to be proven "beyond reasonable doubt" which means that circumstantial evidence is also taken into account and that makes it a lot easier to convict someone without having to actually catch someone red-handed at the keyboard, with the modem connection still up.

--Ralph "Prove I wrote this message" Moonen
Path: sparky!uunet!mcsun!uknet!cam-cl!cam-cl!rja14
From: rj...@cl.cam.ac.uk (Ross Anderson)
Newsgroups: alt.security
Subject: Re: Criminalizing unauthorized use
Message-ID: <1992Jun29.155234.21049@cl.cam.ac.uk>
Date: 29 Jun 92 15:52:34 GMT
References: <16863@ulysses.att.com> <709468085snx@global.hacktic.nl> <1992Jun29.073941.24114@cbfsb.cb.att.com>
Sender: ne...@cl.cam.ac.uk (The news facility)
Reply-To: rj...@cl.cam.ac.uk (Ross Anderson)
Organization: U of Cambridge Computer Lab, UK
Lines: 20

In <1992Jun29.0...@cbfsb.cb.att.com>, coo...@cbnewsg.cb.att.com (Ralph 'Hairy' Moonen) writes:
>In article <709468...@global.hacktic.nl>, pe...@global.hacktic.nl
>(Peter Busser) writes:
>
>> I mean, with computers it is very hard to really PROVE anything.
>>
>Very true, because for a hacking case you would have to PROVE someone was
>at the keyboard at the time the hack took place and not someone else.
>However, the law states that something has to be proven "beyond reasonable
>doubt" which means that circumstantial evidence is also taken into account
>and that makes it a lot easier to convict someone without having to actually
>catch someone red-handed at the keyboard, with the modem connection still up.

The literature departments have done a lot of work on identifying authors by feature extraction from text. Maybe this is a technology the computer security community should plug into.

Ross
Path: sparky!uunet!spool.mu.edu!agate!ucbvax!virtualnews.nyu.edu!brnstnd
From: brn...@nyu.edu (Dan Bernstein)
Newsgroups: alt.security
Subject: Re: Criminalizing unauthorized use
Message-ID: <10317.Jun3001.13.5792@virtualnews.nyu.edu>
Date: 30 Jun 92 01:13:57 GMT
Article-I.D.: virtualn.10317.Jun3001.13.5792
References: <16863@ulysses.att.com> <709468085snx@global.hacktic.nl> <16906@ulysses.att.com>
Organization: IR
Lines: 19

It used to be that criminal behavior involved personal risk. Laws aside, if you tried to steal something then you risked getting the shit beaten out of you. Or your head stuck on a pike.

In computers this isn't true. Someone who breaks into a computer doesn't have to be physically present. Laws aside, attacking a computer over a network is essentially risk-free.

Adding laws never increases the criminal's risk. Adding law enforcement, with some serious power, does. Why are we working on the first problem when we haven't even started on the second?

If someone steals your passwords, beat the shit out of him. If someone breaks into your computers, stick his head on a pike. Without the means to do this it is foolish to worry about whether the laws support us. Conversely, once we establish the fact that computer owners don't like computer vandals, the laws will follow to make us right.

---Dan
Xref: sparky alt.security:3730 comp.security.misc:582
Path: sparky!uunet!spool.mu.edu!news.nd.edu!mentor.cc.purdue.edu!purdue!spaf
From: sp...@cs.purdue.EDU (Gene Spafford)
Newsgroups: alt.security,comp.security.misc
Subject: Re: Criminalizing unauthorized use
Message-ID: <SPAF.92Jun29213235@uther.cs.purdue.EDU>
Date: 30 Jun 92 02:32:35 GMT
Article-I.D.: uther.SPAF.92Jun29213235
References: <16863@ulysses.att.com> <709468085snx@global.hacktic.nl> <1992Jun29.073941.24114@cbfsb.cb.att.com> <1992Jun29.155234.21049@cl.cam.ac.uk>
Sender: ne...@mentor.cc.purdue.edu
Followup-To: alt.security
Organization: Department of Computer Sciences, Purdue University
Lines: 16
In-reply-to: rja14@cl.cam.ac.uk's message of 29 Jun 92 15:52:34 GMT

In article <1992Jun29.1...@cl.cam.ac.uk> rj...@cl.cam.ac.uk (Ross Anderson) writes:

   The literature departments have done a lot of work on identifying
   authors by feature extraction from text. Maybe this is a technology
   the computer security community should plug into.

Interesting that you should mention that. A few months back, Stephen Weeber and I did a paper on this very topic. A short version of the paper has been accepted for presentation at the 15th National Computer Security Conference in October, and a more extended version has been submitted for consideration for publication in "Computers & Security."

If you want to get a copy of the tech report version of the conference paper (short version), send your *surface postal* mail address to:

    m...@cs.purdue.edu

and request a copy of "Software Forensics: Can We Track Code to its Authors?", by Spafford & Weeber, TR-92-010.
Path: sparky!uunet!wupost!usc!sol.ctr.columbia.edu!spool.mu.edu!news.nd.edu!mentor.cc.purdue.edu!purdue!spaf
From: sp...@cs.purdue.EDU (Gene Spafford)
Newsgroups: alt.security
Subject: Re: Criminalizing unauthorized use
Message-ID: <SPAF.92Jun30091220@uther.cs.purdue.EDU>
Date: 30 Jun 92 14:12:20 GMT
Article-I.D.: uther.SPAF.92Jun30091220
References: <16863@ulysses.att.com> <709468085snx@global.hacktic.nl> <1992Jun29.073941.24114@cbfsb.cb.att.com> <1992Jun29.155234.21049@cl.cam.ac.uk> <SPAF.92Jun29213235@uther.cs.purdue.EDU>
Sender: ne...@mentor.cc.purdue.edu
Followup-To: alt.security
Organization: Department of Computer Sciences, Purdue University
Lines: 3
In-reply-to: spaf@cs.purdue.EDU's message of 30 Jun 92 02:32:35 GMT

To save on paper, you can ftp the compressed PostScript of TR-92-010 from ftp.cs.purdue.edu, from the directory pub/spaf in the file 92-010.PS.Z
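An added example for the feature-extraction idea Ross raised and the software-forensics paper Spaf describes (my code for this thread, not anything from TR-92-010 or from either poster): a minimal stylometric profiler for C-like source that turns a snippet into a vector of style ratios, averages known samples into a per-author profile, and attributes an unknown snippet to the nearest profile. The feature set (indent character, brace placement, comment density, identifier casing, spacing after keywords, line length) is a hypothetical choice made here, and the two author corpora and the unknown sample are constructed.

```python
"""Stylometric feature extraction for source code, illustrating the
software-forensics idea raised in the thread. Added example; not code from
Spafford & Weeber's TR-92-010 or from any poster. The feature set is a
hypothetical choice and the author samples below are constructed."""
import math
import re
from typing import Dict, List, Tuple

CAMEL = re.compile(r"\b[a-z]+(?:[A-Z][a-z0-9]*)+\b")      # fooBar
SNAKE = re.compile(r"\b[a-z]+(?:_[a-z0-9]+)+\b")          # foo_bar
KW_SPACE = re.compile(r"\b(?:if|for|while|switch)\s\(")   # if (
KW_TIGHT = re.compile(r"\b(?:if|for|while|switch)\(")     # if(


def extract_features(src: str) -> Dict[str, float]:
    """Map a source snippet to a vector of style ratios, each roughly in [0, 1]."""
    code = [l for l in src.splitlines() if l.strip()]
    n = max(len(code), 1)
    tabs = sum(1 for l in code if l.startswith("\t"))
    spaces = sum(1 for l in code if l.startswith(" "))
    brace_same = sum(1 for l in code if l.rstrip().endswith("{") and l.strip() != "{")
    brace_own = sum(1 for l in code if l.strip() == "{")
    comments = sum(1 for l in code if "//" in l or "/*" in l)
    camel, snake = len(CAMEL.findall(src)), len(SNAKE.findall(src))
    kw_space, kw_tight = len(KW_SPACE.findall(src)), len(KW_TIGHT.findall(src))
    return {
        "tab_ratio": tabs / max(tabs + spaces, 1),
        "brace_same_line": brace_same / max(brace_same + brace_own, 1),
        "comment_density": comments / n,
        "camel_ratio": camel / max(camel + snake, 1),
        "kw_space_ratio": kw_space / max(kw_space + kw_tight, 1),
        "mean_line_len": sum(len(l) for l in code) / n / 80.0,
    }


def build_profile(samples: List[str]) -> Dict[str, float]:
    """Average the feature vectors of several known samples by one author."""
    feats = [extract_features(s) for s in samples]
    return {k: sum(f[k] for f in feats) / len(feats) for k in feats[0]}


def distance(a: Dict[str, float], b: Dict[str, float]) -> float:
    """Euclidean distance between two feature vectors with the same keys."""
    return math.sqrt(sum((a[k] - b[k]) ** 2 for k in a))


def attribute(unknown: str, profiles: Dict[str, Dict[str, float]]) -> Tuple[str, Dict[str, float]]:
    """Return the nearest profile name and the distance to every profile."""
    f = extract_features(unknown)
    scores = {name: round(distance(f, p), 3) for name, p in profiles.items()}
    return min(scores, key=scores.get), scores


# Constructed corpora: author A uses tabs, K&R braces, snake_case, "if (";
# author B uses four spaces, Allman braces, camelCase, "if(" and no comments.
AUTHOR_A = [
    "/* validate a length field */\nint check_len(int byte_count) {\n"
    "\tif (byte_count > MAX_LEN) {\n\t\treturn -1; /* too long */\n\t}\n\treturn 0;\n}\n",
    "/* copy at most max_len bytes */\nvoid copy_bounded(char *dst, const char *src, int max_len) {\n"
    "\tint i;\n\tfor (i = 0; i < max_len - 1 && src[i]; i++) {\n\t\tdst[i] = src[i];\n\t}\n\tdst[i] = 0;\n}\n",
]
AUTHOR_B = [
    "int checkLen(int byteCount)\n{\n    if(byteCount > MAX_LEN)\n    {\n"
    "        return -1;\n    }\n    return 0;\n}\n",
    "void copyBounded(char *dst, const char *src, int maxLen)\n{\n    int i;\n"
    "    for(i = 0; i < maxLen - 1 && src[i]; i++)\n    {\n        dst[i] = src[i];\n    }\n    dst[i] = 0;\n}\n",
]
# Constructed unknown snippet, written in author A's style.
UNKNOWN = ("/* close every descriptor above stderr */\nvoid close_extra_fds(int max_fd) {\n"
           "\tint fd;\n\tfor (fd = 3; fd < max_fd; fd++) {\n\t\tclose(fd);\n\t}\n}\n")

PROFILES = {"A": build_profile(AUTHOR_A), "B": build_profile(AUTHOR_B)}

if __name__ == "__main__":
    name, scores = attribute(UNKNOWN, PROFILES)
    print("nearest author:", name, "distances:", scores)
```

Six surface features separate two deliberately different styles; a real profile needs many more (and features that survive a pretty-printer, such as data-structure and control-flow choices), and the distance is evidence to weigh alongside logs and timestamps, not proof on its own.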
Path: sparky!uunet!zaphod.mps.ohio-state.edu!magnus.acs.ohio-state.edu!cis.ohio-state.edu!ucbvax!PYR.SWAN.AC.UK!iiitac
From: iii...@PYR.SWAN.AC.UK (Alan Cox)
Newsgroups: alt.security
Subject: Re: Some words from a hacker.
Message-ID: <8910.9207091107@pyr.swan.ac.uk>
Date: 9 Jul 92 11:07:52 GMT
Sender: use...@ucbvax.BERKELEY.EDU
Lines: 34

The biggest problems in software are not nutters memorising opcodes (and yes I can still write most Z80 in hex) but the fact people are buying total and utter crud and what's more they then pay for bug fixes (sorry, upgrades). I've almost given up on commercial software now; after a while you get fed up of buying a C compiler, finding it doesn't work, and when you phone up and say 'XX C compiler doesn't compile this' they refuse to give you a free upgrade - but the new 50 pound one might do it, and they won't even admit to a bug unless you can prove it in 10 lines of code or less (bit hard when the bugs are things like line numbers over 65536 wrap in error messages).

I think the true hacker mentality is about due for a comeback. How do I justify spending 300 pounds on a compiler and a fortune on 'upgrades' when I can go and get gcc and use that? What's more, if there are bugs I can either take out a support contract, fix them myself or ask on the net for help. Better than that, all my fixes are of use to other people.

I think I can sum up my opinion of commercial software this way: My 386 runs X windows, tcp-ip, a free unix, gcc+, g++, a bulletin board and other stuff. It's cost me nothing but a little time (and even working on $$/hour it's still cheaper than buying it).

And the compilers are only an example - how many unix vendors sell 'C2' security options - or should that be 'bug fixes for some of our security cockups'. Still, in a world where people go for Beauty Treatment not Ugliness treatment what can you expect.

Alan

Everything is my opinion and not that of my employers (tho I wouldn't mind betting they agree with some of it 8-))