Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
An article by George James probably from today's New York Times (I saw it
replayed in today's San Francisco Chronicle, p. A6) describes a successful
effort by American Cablevision of Queens (NY) to trap customers who had
illegally installed chips that let them pick up a variety of premium cable
channels for free. After analysis of ONE of the bogus chips, American
Cablevision was able to construct a signal (an "electronic bullet") whose
transmission disabled just the bogus chips, leaving the legitimate access
control boxes unaffected. They then simply waited to catch the 317 customers
who called in to complain that their screens had gone dark — and who were
asked to bring in their boxes, which American Cablevision then kept. "If
convicted, the subscribers could face fines of up to $100,000."
[Able Cable-Caper Sting-Thing Zaps Chips, Nabs Fabs.
Potential Variety headline? PGN]
As a citizen of the Netherlands, I must take offense at the remarks made by several people that the Netherlands are a law-less and a-social country. Bill Murray portrayes Holland in this way in RISKS 11.53. While I agree with him that the behaviour of the Dutch crackers isn't correct, you have to understand that unlike America has shown in it's operation Sundevil, Holland has a legislative system wherein someone is innocent untill proven guilty. This means that not the laws fail in Holland (the crackers could easily be busted for telephone-wire fraud) but that the burden of proof lies with the Dutch State. As you can imagine, this is a delicate matter. How does one prove, short of catching someone in the act, that Mr. A. was behind the keyboard at that time, doing such-and-such? Furthermore, I might add, that the media information has been incomplete, in that the Dutch crackers used Utrecht to crack several universities in the States, and _proceeded to crack other systems from there_. Following the line of argument that Bill Murray used, these universities should also be barred from the net, and yes, perhaps the whole of America should be. The problem is not that one single country lacks a powerfull law enforcement and acts as a rogue nation and hacker-haven. The problem is that as long as people can get onto the net, (students, 'authorised' personnel, outsiders, and whatever) security will have to be a major issue. Not just the issue of one single university like Utrecht, but of ALL sites on the internet. Because you do realise that a smart cracker could get away with this just as easily in the States as in Holland? So don't lay any guilt-trip on the Dutch will you? * Ralph Moonen, (+31) 35-871380
I don't think Mr. Rook knows much about computer networks. From what I know about the incident (I haven't seen the TV program) this could have been done from Every site on the Internet that has a Decnet node. And I agree that it is the responsability of each site to prevent break-ins into their own computers. Well, apparently he doesn't know that his own university does not condone any attempt to break into other systems. Our (computer science) students know this very well, and risk being excluded from computer access if they try. Delft University (not: the prestigious ..) had (or has) a course in computer security (not in hacking), where one of the assignments of the students was to find security weaknesses in computer systems. Yes, we try to encourage exploration but also responsability and ethical behaviour. Piet* van Oostrum, Dept of Computer Science, Utrecht University, Padualaan 14, 3508 TB Utrecht, The Netherlands. +31 30 531806 uunet!mcsun!ruuinf!piet
I too am part of this community, and I dismiss WHMurray's recent article
(comp.risks 11.53) as a blatantly obvious piece of fear-mongering.
Murray's attempt to isolate an entire nation from the free flow of information
would be scary if it weren't so wretchedly silly and patently self-serving.
>William Hugh Murray, Executive Consultant, Information System Security
^^^^^^^^^^^^^^^^^^^^^^^^^^^
And guess who'd love to take on the job of setting himself up as the Leader
of the DataPolice? Kids, be the first one on your block to have an Empire!
Follow in the steps of Hitler, Stalin, and Hoover. You too can have a full
and exciting career as a demogogue.
P.S. Who said: "Those who give up a little freedom for a little security
will soon have neither freedom nor security." ?
Mike Nemeth VORT Computing (403) 261-5015 ...calgary!vort!mike
Steve Bellovin (RISKS-11.52) points out that the US only requires a landowner
to put up a "no trespassing" sign to make trespassing illegal. A complementary
point to make is that both English and American common law gives me the
permanent right to walk across your property if I have been doing so regularly
with your knowledge for some substantial amount of time. If the trespassing
analogy is to apply to computer cracking, then this flip-side would seem to
apply as well.
Phil Agre, University of Sussex
In RISKS 11.51 Jerry Leichter claims that "in an information age we will find it necessary to control access to and dissemination of certain classes of information. In fact, we already do this." He proceeds to argue that defending encryption on free speech grounds is misguided. He is wrong both about the current state of government control of information and about what is desirable policy. The first amendment quite explicitly prohibits government controls of expression (i.e. communication of information) with very few exceptions, and I suggest that the current governmental attacks on this most basic right are pernicious and must be fought. Leichter's examples from crime and commerce are deceptive. One's first amendment rights of free speech do not exempt all expressive acts from prosecution. There is a large body of law that addresses the issue of when expression becomes action. Some examples include conspiracies, slander, copyright violations, and reckless endangerment (e.g. yelling "fire" in a crowded theater). What is prohibited is prosecution for _mere_ expression, even if individuals, organizations or the government would rather keep the information secret. As long as I am not conspiring to commit fraud or some other crime, I can publish your credit card number, or your swiss bank account number, or your income, etc. in a magazine article without fear of government prosecution. And I believe that ability to express things that make some people uncomfortable is a vital part of basic American liberty. Leichter's second example involves restrictions on a company selling credit or other private records. Commercial speech is regulated very differently than individual speech. For example, commercial advertising must not be false or deceptive (well, at least in law), and there are specific legal limits on the disclosures that credit bureaus, common carriers, doctors, lawyers, etc. can make under most circumstances. Commercial entities do not have the same free speech rights that individuals do. Finally, Leichter points out the National Security exception to freedom of expression, which, as he notes, is both pervasive, and, in the case of "born classified" information, constitutionally suspect. Leichter concludes by recommending a couple of science fiction stories about social control of information. Interesting as those stories are, let me suggest that you also read Thomas Emerson's "The System of Freedom of Expression." Any abridgement of a constitutional right must either balance a competing right or serve some compelling state interest. What compelling state interest could be sufficient to infringe on our rights to free expression and privacy by effectively prohibiting effective encryption? Surely the routine prosecutorial needs of the state can be met without recourse to such invasive, undiscriminating measures. Terrorism may be a threat, but not such a compelling one that we as a society ought to sacrifice one of our most basic constitutional rights in order to _possibly_ reduce the chance of a _potential_ attack. Technology can be used either to enhance or degrade the status of rights such as freedom of expression and privacy. Inexpensive, effective encryption is a basic enabling technology that empowers individuals in an increasingly technologically invasive society. I believe it should be defended against government attack in the strongest possible terms. Lawrence Hunter, National Library of Medicine [Please note that I am neither a lawyer nor am I speaking as a representative of the government.]
>1) I know of no area of human activity in which wilfull intrusion or condoning
>intrusion are seen as no more condemnable as failure to protect one's domain
>from intrusion to the best of one's ability.
In tort law, the law of trespass is balanced by the law concerning the
negligence of those who maintain attractive nuisances.
The issue is not whether computer trespass is wrong, but whether it is just to
punish the trespassers without imposing any liability upon those who failed to
meet minimum standards of computer security.
It is a fact that every generation faces the challenge of overcoming a wave of
barbarians--its own children. Is it wise social policy to send young men to
prison for doing the kinds of things that not-yet-fully-socialized young men
invariably do while imposing no social responsibility upon those charged with
maintaining system security? That is a question that has not been fully
debated.
It will never be fully discussed so long as too many people suppose that the
wrongness of trespass decides all the legal and ethical questions raised by
computer intrusion. It does not.
--Mike
Mike Godwin, EFF, Cambridge, MA, mnemonic@eff.org, (617) 864-0665
Brice O'Neel writes
> I don't believe that KSC is on the internet.
Try 128.217.11.25 (nasa2.ksc.nasa.gov). More are vulnerable than you
dreamed of. I never dreamed, for example, that OSHA is on the Internet
(not that it matters, mind you).
_Brint
[KSC's presence on the Internet was also noted by Ari Ollikainen
(ari@OldAhwahnee.Stanford.Edu), as reported somewhat red-facedly
by oneel@heawk1 ( Bruce Oneel ).
I have received NO incident reports indicating that any KSC systems were hacked, or involved in any hacking incidents relating to the Dutch hacker case. Ron Tencati, Security Manager, NASA Science Internet (NSI) Coordinator, NSI-CERT, STX/Code 930.4/Goddard Space Flight Center/Greenbelt,MD
As previous posters have noted when the Lotus Marketplace controversy was
taking place, sending form letters to your representatives is not terribly
productive; the Senators' or Represatitive's staff are fairly good about
detecting (and disregarding) form letters. If, however, you write your own
letter and send it off, it will be given much more weight, since presumably it
mattered enough to you to write your own letter. I do urge everyone to write
his/her own letter and send it off to Biden as well as your own Senators and
Representatives. If we raise enough fuss, hopefully the bill will be allowed
to die while it's still in committee.
- Ted
With respect to the London Docklands Light Railway incident, the report in
RISKS-11.52 ("Computer-controlled commuter trains collide...") misses one
vital point. The train that was hit was under manual control, following an
earlier failure.
ian
Please report problems with the web pages to the maintainer