[Forwarded with permission of email@example.com, this represents one of the most amusing attempts at a breakin in recent memory. This reminds me of the confidence scam where people call elderly marks and ask them to cooperate in a bank investigation by withdrawing a large sum of money. Spaf] - ------- Forwarded Message Date: Mon, 01 Apr 91 17:05:55 -0500 From: ssw (Samuel S Wagstaff) To: spaf Subject: scam [ssw (Samuel S Wagstaff): scam] >From firstname.lastname@example.org Mon Apr 1 15:22:14 1991 Date: Mon, 1 Apr 91 15:20:25 EST From: "Diane J. Donaldson" <email@example.com> Subject: PLEASE READ THIS NOW There has been a recent attempt to break in to our system. Sudip Bose received the following letter: - --- >From firstname.lastname@example.org Mon Mar 25 19:13:34 1991 Date: Mon, 25 Mar 91 19:12:58 EST From: "Operator" <email@example.com> This is the system administration: Because of security faults, we request that you change your password to "systest001". This change is MANDATORY and should be done IMMEDIATLY. You can make this change by typing "passwd" at the shell prompt. Then, follow the directions from there on. Again, this change should be done IMMEDIATLY. We will inform you when to change your password back to normal, which should not be longer than ten minutes. Thank you for your cooperation, The system administration (root) - -- Fortunately, he realized it was a fake and told me about it. If anyone else received one of these messages, PLEASE LET ME KNOW IMMEDIATELY!!!! In case you don't know already, I NEVER need to have anyone change their password so that I can fix "security faults". I can change your password myself if I have to. Again, if you have ever received or ever do receive a message of this sort, let me know so I can try to track down the person doing this. Thanks! djd - -- End of Forwarded Message
I first saw this message on 25 Mar 91, but did not get around to running it in RISKS. (I am still backlogged.) In light of the date today, I include it now. However, it could have been a real hoax, not a prank, and I imagine there were people who were taken in. I heard of several reports of original appearances, spoofed out of different root addresses. So, what will the day bring us this year? For those of you who have been requesting information on back pranks, see my Inside Risks column in the April CACM, which should be out forthwith. (Fourthmonth.) I honor the best spoofs of the past, particularly Piet Beertema's 1984 NOT-BY-Chernenko Spoof (ACM SIGSOFT SEN July 1984) and Chuq von Rospach's 1988 NOT-BY-Spafford Spoof (SEN July 1988 and RISKS-6.52, 1 Apr 88). Apparently the NOT-BY-Spafford Spoof is making an annual reappearance again today. PGN [By the way, as of a few hours ago, I am now running on a SPARCstation. There are a few differences, so I won't be surprised if this RISKS mailing exhibits some of them...]
This week PBS is running a 3 hour program on the subject of risks. It's title is: "Living Against the Odds" and is hosted by Richard Lewis. My TV suplement gives the following blurb: "Specialists seek a perspective on life's many risks, from voluntary dangers like gambling and rock-scaling to natural disasters, accidents and hazardous environments." It is on Wednesday, April 3 in San Francisco, but, being PBS, the date may differ in other areas. R. Kevin Oberman Lawrence Livermore National Lab. [or firstname.lastname@example.org] [I hope PBS uses some of the stuff they got from The Risks Forum, but I think the slant of the program is rather different. PGN]
[...] It won't dwell specifically on automated or even technologic risk, but on risk acceptance and the risks of everyday life. It *might* increase public understanding of risk assessment and risk acceptance. Bill Ricker email@example.com
on tech & privacy
In RISKS 11.35, I summarized a short article from the 23 March 'Los Angeles Times' about Leonard Rose's guilty plea. Two corrections: 1. The article said, "The Baltimore indictment asserted that he was associated with a group of computer hackers known as the 'Legion of Doom.'" I used that as part of my "Subject:" line for the RISKS posting. I've now heard from several people that Leonard Rose was NOT a member of the Legion of Doom, and never claimed to be. (It may still be true that the indictment says he is.) The 'Washington Post' also ran the story of Rose's sentencing on 23 March, but published a correction on 26 March saying he was not a member of the Legion of Doom. I have not spotted any correction published in the 'Los Angeles Times.' 2. The LATimes article said, "Under the plea agreements, ... Rose ... will serve a year in prison." My RISKS posting omitted the reference to the plea agreements. The one-year sentence (actually, two concurrent one-year terms) is apparently the prosecutors' recommendation. Rose's formal sentencing is scheduled for May. [Corrections via Craig Neidorf, and, indirectly, Brendan Kehoe and Bob Izenberg. Anyone interested in more details may write me. -- RH] [See also two other items, noted for completeness to ensure that the message gets through... PGN]
[...] This is actually incorrect. Rose pled guilty to two counts of unauthorized possession of UNIX source code. Rose did not plead guilty to "distributing Trojan horse programs designed to gain unauthorized access to computer systems." "Rose, known as "Terminus", was alledgedly associated with the Legion of Doom "hacker group"." Federal prosecutors are unwilling to abandon the allegation that Rose was a member of the Legion of Doom. He was not, however, and the counts to which he pled guilty have nothing to do with any known Legion of Doom activities, real or alleged. --Mike Mike Godwin, (617) 864-0665 Electronic Frontier Foundation firstname.lastname@example.org
In RISKS DIGEST 11.35, Rodney Hoffman <Hoffman.El_Segundo@Xerox.com> writes: Why, oh why, does this trash persist? Despite media distortion, prosecutorial hyperbole, and inane headers such as Hoffman's ("LoD's Terminus"??--c'mon!!), the following are demonstrable facts: 1) Len Rose was never associated with Legion of Doom, period. The Washington Post's story of March 23, which was based on an alleged link between Len and the LoD, contained numerous blatantly false statements, and the Post retracted the LoD connection. The retraction destroyed the basis of the Post's story, but the damage was done. Rose became involved in Secret Service investigations because of the infamous E911 files published in Phrack. Rose was raided, and although he was not associated with the E911 files, the SS agents found him in possesion of unlicensed copies of of AT&T's Unix source code and login.c 2) The continued attempt to link Len to LoD, despite overwhelming evidence that there was no link, frames this case as one of computer security. Face it! The government (Messrs Cook, Foley, Willcox, et. al.) wanted this case to be about something it wasn't. This case was about unlicensed software, *not* about computer security. Possession of AT&T source code, in this context, simply meant that Len had a copy of Unix that he was not licensed to have and that he allegedly received it from and shared it with others who allegedly were not authorized to have it. Len pleaded guilty to two federal counts (one from Maryland, one from Illinois) under Title 18 s. 1343: Sec. 1343. Fraud by wire, radio, or television Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined not more than $1000 or imprisoned not more than five years, or both. 3) A not-so-trivial point: login.c required root access. If one had root access, there was no need to hack into a system because one was already there. Yet, despite the nature of the plea, the allegations of the indictment, and the facts of the case, some irresponsible prosecutors and media types (not to mention hysterical headers such as Hoffman's) insist on sending the message that Len was a "hacker" who posed a potential threat to the nation's computer security. At least one computer security consultant indicated that he used login.c to log passwords as a way of protecting security, not subverting it. I have yet to hear even a marginally literate Unix type claim that, despite prosecutors' claims in press releases (where they try to create meanings and images that they couldn't do at court), login.c is a realistic "hacking device." But, this is moot, because--I'll put it in caps--THE CASE WAS ABOUT SOFTWARE, NOT ABOUT SYSTEM SECURITY. Len Rose accepted a guilty plea in an attempt to make the best of a situation in which there could be no winners on either side. He was under pressure to fight the case from those who had access to all the evidence and felt he could "win," and to accept a plea from those who felt he had committed a transgression and should be punished. Len's wife and two small children were in the middle. He made the decision that he felt would balance the needs of justice with those of his family and help him move on to a future in which he could rebuild his life. Let's not, despite all evidence to the contrary, continue this "hacker image" that was not at issue in Len's plea nor in the spirit or letter of the statutes defining his transgressions.
According to a story by Henry Weinstein in the 30-Mar-91 'Los Angeles Times,' Arizona authorities have arrested Baron Monroe Majette, 19, also known as "Doc Savage," and charged him with three counts of fraudulent schemes and three counts of conspiracy. The charges outlined in the article are (a) falsely posing as an employee of Toys R Us to illegally gain access to a telephone conference call line for calls worth $8,100, and (b) using a computer to illegally gain access to TRW Credit's database and extracting names, addresses, SSNs, credit histories, and other data, then using the information to create false billing addresses, obtain credit cards, and make purchases exceeding $60,000. This arrest is a result of the federal - state Operation Sun Devil raids in May, 1990. From the end of the newspaper article: "Dale Boll, deputy director of the Secret Service's fraud division, defended the operation but said the agency would have done some things differently. He added that several new cases will be filed in coming months."
A friend of mine just bought a car. As he was talking to the person reviewing his finances, that person mentioned that Arrowhead (the bottled water supplier) was doing a check on my friend. (He was starting up bottled water delivery service (and they ran a credit check!!) ) It surprised both him and I that the names of recently-interested report-receivers would be printed with your credit report. This seems like an invasion of privacy. Does anyone know more?
Please report problems with the web pages to the maintainer