****************************************************************************
>C O M P U T E R   U N D E R G R O U N D<
>D I G E S T<
*** Volume 2, Issue #2.01 (Aug 31, 1990) **
****************************************************************************

MODERATORS: Jim Thomas / Gordon Meyer (TK0JUT2@NIU.bitnet)
ARCHIVISTS: Bob Krause / Alex Smith

USENET readers can currently receive CuD as alt.society.cu-digest.

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted as long as the source is cited. It is assumed that non-personal mail to the moderators may be reprinted, unless otherwise specified. Readers are encouraged to submit reasoned articles relating to the Computer Underground.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Contributors assume all responsibility for assuring that articles submitted do not violate copyright protections.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

CONTENTS:
File 1: Moderators' Corner
File 2: Proposed changes in Computer Abuse Act (S.2476)
File 3: CPSR Seeks FBI data on Bulletin Board Monitoring
File 4: Computers, Social Responsibility, and Political Action
File 5: Another experience with the SS
File 6: CU in the News

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

----------------------------------------------------------------------

********************************************************************
*** CuD #2.01, File 1 of 6: Moderators' Corner ***
********************************************************************

Date: August 31, 1990
From: Moderators
Subject: Moderators' Corner

++++++++++
In this file:
1) ERRATA (National Computer Security Conference)
2) LAW ENFORCEMENT POLICY OF "FORFEITURE DEALS"

++++++++++++++++++
Errata: National Computer Security Conference
++++++++++++++++++

In CuD 2.00, a typo occurred indicating that "Dorothy Denning will present my paper on computer hackers." This *should have read* that Dorothy Denning will present *her* paper on computer hackers. We regret the error, even though it could have padded our vitas.

++++++++++++++++++++
Law Enforcement Forfeiture "Deals"
++++++++++++++++++++

The recent crackdowns by law enforcement on computer hackers raise serious questions about Constitutional protections in investigations. One of the most troublesome practices is that of confiscating all computer and in some cases non-computer equipment, including printers, telephone answering machines, cassette tapes, books, personal papers, and other articles totally unrelated to the alleged offense. Some of the victims of confiscations have neither been indicted nor are under suspicion for wrong-doing. Others alleged to have infringed on the law have lost material unrelated to the offense of which they are suspected.

A troublesome practice seems to be emerging from the confiscations.
The victims are offered a "deal" in which they must choose between having their equipment forfeited in exchange either for a guilty plea or the dropping of charges and suffering only a material loss, or fighting the charges and, even if innocent, running the risk of lengthy delays in the return of the equipment. For those whose livelihood is invested in the lost articles, this is not a pleasant choice. The costs of fighting charges, especially if one is innocent (and we still have a judicial system supposedly based on presumptive innocence), can far exceed the value of the equipment. Even if all charges are dropped in exchange for forfeiture, the result is punishment without trial. Law enforcement officials may argue that the choice is voluntary, but such a choice is coercive, and a coercive choice is not a voluntary choice.

The irony of this new version of "Let's Make a Deal" is that those entrusted to protect the Constitution seem to be hell-bent on subverting it. The Fourth, Sixth, and Seventh Amendments guarantee protection of property against unreasonable seizure, and due process protections, including a trial. It seems that the "forfeiture deals" are justice at its worst, and the due process model of justice embodied by Constitution principles has broken down. Agents seem to be trying cases in the media with hyperbole, disinformation, and distortion, and are abusing their power and status to punish by forfeiture what they cannot punish in court. It's a no-win situation for victims, but even worse, it erodes respect for law and law enforcement by creating a new form of social control by police that has historically been the domain of the courts. To my mind, the forfeiture practice is an abuse of law and perhaps even borders on lawlessness.
Jim Thomas

********************************************************************
>> END OF THIS FILE <<
***************************************************************************

------------------------------

Date: August 15, 1990
From: Moderators
Subject: Proposed changes in Computer Abuse Act (S.2476)

********************************************************************
*** CuD #2.01: File 2 of 6: Computer Abuse Act Amendment ***
********************************************************************

+++++++++++++++++++++++++
Proposed amendments in the computer abuse act, reported previously in CuD, do not seem to go far enough in removing the ambiguity from the language of the Act that currently gives broad powers to federal agents to target those they perceive as "dangerous" who in fact may not be. Following is the text of the revision. We invite responses (moderators).
++++++++++++++++++++++++

*******************************************************************

The following is the text of S.2476, a bill proposed to amend Title 18. For more information, contact:

Committee on the Judiciary
United States Senate
Washington, DC 20510-6275

A summary of the changes follows the text of the bill.

*******************************************************************

101st CONGRESS
2D Session
S.2476

To amend title 18 of the United States Code to clarify and expand legal prohibitions against computer abuse

------------------------------------

IN THE SENATE OF THE UNITED STATES
April 19 (legislative day, April 18), 1990

Mr. Leahy (for himself, Mr. Humphrey, and Mr. Kohl) introduced the following bill; which was read twice and referred to the Committee on the Judiciary

------------------------------------

A BILL

To amend title 18 of the United States Code to clarify and expand legal prohibitions against computer abuse.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.
This Act may be cited as the "Computer Abuse Amendments Act of 1990".

SEC. 2. FINDINGS.

The Congress finds that--

(1) the maintenance of the security and integrity of computer systems has become increasingly critical to national security, interstate and foreign commerce, communications, education, science, and technology in the United States;

(2) the deliberate abuse of computers and computer systems to cause damage, disruption, and interference with the efficient functioning of computer systems has created significant problems for both government and nongovernment computer systems, and such abuse creates real and potential problems for national security, commerce, business, science, and education, and imposes significant burdens on interstate and foreign commerce;

(3) in light of rapid developments in computer technology, it is necessary to revise and clarify existing Federal laws governing computer security and abuse to assure that novel forms of serious computer abuse are clearly prohibited; and

(4) it is the intent of this Act to exercise the full scope of the powers of Congress under the Commerce Clause of the United States Constitution to regulate forms of computer abuse which arise in connection with, and have a significant effect upon, interstate or foreign commerce.

SEC. 3. AMENDMENTS TO THE COMPUTER FRAUD AND ABUSE ACT.
(a) PROHIBITION.--Section 1030(a)(5) of title 18, United States Code, is amended to read as follows:

"(5)(A) through means of or in a manner affecting a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code, or command to a computer or a computer system if the person causing the transmission intends that such program, information, code or command will damage, disrupt, alter, destroy, or misappropriate the functioning, use, programs, systems, databases, or other information of or contained in the affected computer or computer system and the transmission of the harmful component of the program, information, code, or command--

"(i) occurred without the knowledge and authorization of the persons or entities who own or are responsible for the computer system receiving the program, information, code, or command; and

"(ii)(I) causes loss or damage to one or more other persons of a value aggregating $1,000 or more during any one-year period; or

"(II) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; or

"(B) through means of or in a manner affecting a computer used in interstate commerce or communications, knowingly causes the transmission of a program, information, code or command to a computer or computer system if the person caused the transmission with reckless disregard for whether the transmission will damage, disrupt, alter, destroy or misappropriate the functioning, use, programs, systems, databases, or other information of or contained in the affected computer or computer system and the transmission of the harmful component of the program, information, code, or command--

"(i) occurred without the knowledge and authorization of the persons or entities who own or are responsible for the computer system receiving the program, information, code, or command; and

"(ii)(I) causes loss or damage to one or more other persons of a value aggregating $1,000 or more during any one-year period; or

"(II) modifies or impairs, or potentially modifies or impairs, the medical examination, medical diagnosis, medical treatment, or medical care of one or more individuals; or".

(b) PENALTY.--Section 1030(c) of title 18, United States Code is amended--

(1) by striking "and" after the semicolon at the end of paragraph (2)(B);

(2) in paragraph (3)(A) by inserting "(A)" after "(a)(5)"; and

(3) in paragraph (3)(B) by striking the period at the end thereof and inserting "; and"; and

(4) inserting at the end thereof the following:

"(4) a fine under this title or imprisonment for not more than 1 year, or both, in the case of an offense under subsection (a)(5)(B).".

(c) DEFINITION.--Section 1030(e) of title 18, United States Code, is amended--

(1) in paragraph (6), by striking "and" after the semicolon;

(2) in paragraph (7), by striking the period and inserting "; and";

(3) by adding after paragraph (7) the following new paragraph:

"(8) the term 'access' means--

"(A) to gain access to the stored or displayed information or to the functions of a computer or computer system in such a way that information can be seen or otherwise deciphered or such functions can be performed; or

"(B) to transmit, or cause the transmission of, a program, information, code, or command to a computer or computer system under circumstances where the person causing the transmission intends, or reasonably expects, that such program, information, or command will significantly damage, disrupt, alter, destroy, or misappropriate the functioning, use, programs, systems, databases, or other information of or contained in that computer or computer systems, whether or not the persons causing the transmission gains access in the manner described in subparagraph (A).".

(d) CIVIL ACTION.--Section 1030 of title 18, United States Code, is amended by adding at the end thereof the following new subsection:

"(g) Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.".

********************************************************************
SUMMARY OF LEAHY/HUMPHREY COMPUTER ABUSE AMENDMENTS ACT OF 1990
(Provided by Senator Leahy's office)
********************************************************************

NEW CRIME

Makes it a felony intentionally to cause harm to a computer or the information stored in it by transmitting a computer program or code (including computer viruses) without the knowledge and authorization of the person responsible for the computer attacked.

Makes it a misdemeanor recklessly to cause harm to a computer or the information stored in it by transmitting a computer program or code (including computer viruses) without the knowledge and authorization of the person responsible for the computer attacked.

JURISDICTION

Covers harm to any computer or program that involves $1,000 worth of damage or tampering with medical records.

PENALTY

Fine and/or imprisonment for up to five years for the felony. Fine and/or imprisonment for up to one year for the misdemeanor.

CIVIL CAUSE OF ACTION

Creates a new, civil cause of action for those harmed by a violation of the Act for compensatory or injunctive relief.

DEFINITION OF "ACCESS"

Defines "access" -- a term used throughout the Computer Fraud and Abuse Act -- to cover the remote transmission of a program to affect a computer or the information stored in it.
********************************************************************
>> END OF THIS FILE <<
***************************************************************************

------------------------------

Date: July 24, 1990
From: Computer Professionals for Social Responsibility
Subject: CPSR Seeks FBI data on Bulletin Board Monitoring

********************************************************************
*** CuD #2.01: File 3 of 6: CPSR Seeks FBI BBS monitoring data ***
********************************************************************

+++++++++++++
The following notice from CPSR is reprinted with permission.
+++++++++++++

LAWSUIT SEEKS FBI RECORDS ON COMPUTER MONITORING

Computer Professionals for Social Responsibility filed a lawsuit in Federal District Court today to obtain information from the FBI about the monitoring of computer bulletin boards.

Marc Rotenberg, director of the CPSR Washington Office, said that the disclosure of the records would provide a starting point for an informed discussion about the proper scope of computer crime investigations. He said that the FBI's failure to respond to CPSR's original Freedom of Information Act request made the lawsuit necessary.

A computer bulletin board is a publicly accessible computer system that is designed to promote the exchange of views and information. Computer bulletin boards are also used for confidential communications that are directed to one or more specific parties.

The Freedom of Information Act provides a legal right for individuals to obtain records held by government agencies. Under the law, agencies are required to respond within ten working days. When agencies fail to respond within a reasonable period of time, requesters often begin legal proceedings to obtain the information.

CPSR filed the original FOIA request in August, 1989. After a series of letters from CPSR to the FBI failed to produce a response, the FOIA request was considered at a Congressional hearing in February, 1990.
A subsequent letter from the Treasury Department revealed that the Secret Service was in fact monitoring computer bulletin boards. The FBI's activities are still not known.

The lawsuit comes at a time of growing concern over the conduct of computer crime investigations directed toward "computer hackers." In one case, charges were dropped against a newsletter publisher after claims that a confidential business document was disclosed turned out to be false. In another case a game manufacturer in Austin, Texas suffered substantial business losses after a Secret Service raid earlier this year, though no charges were ever brought against the owner or his company.

The case is CPSR v. FBI. Civil Action No. 90-2096, U.S. District Court for the District of Columbia, August 28.

For more information, contact the CPSR Washington Office, 1025 Connecticut Ave., NW, Suite 1015, Washington DC 20036 (202) 775-1588 or rotenberg@csli.stanford.edu.

********************************************************************
>> END OF THIS FILE <<
***************************************************************************

------------------------------

Date: 19 August, 1990
From: Bob Gleason
Subject: Computers, Social Responsibility, and Political Action

********************************************************************
*** CuD #2.01: File 4 of 6: Computers, Social Responsibility ***
********************************************************************

++++++++++++++++++++++++++
In a recent discussion on The Well, there have been debates about how to respond to law enforcement attacks on "hackers." Topics included how to educate the public, whether it is better to use the metaphor of "war" or "peace" in responding, and how, in general, does one mobilize a large group to address what are perceived to be threats to civil liberties. George Gleason argues for conciliation, but recognizes that the resolution lies in the broader problem of public apathy and wider social issues.
+++++++++++++++++++++++++++++++

Twenty-five percent of Americans own personal computers. It is most likely that these individuals come almost entirely from the more privileged half of society. Most of the people who use computers do so in routine capacities such as clerical jobs or academic writing. Awareness of the political and personal empowerment possibilities of the computer is limited to a small subculture, many of whose members are concentrated in the Bay Area and the urban Northeast.

The fine points on which our arguments rest lie outside of the experience of most of the population. We are talking about specialised knowledge, and even though it has broad implications, it is difficult to understand without at least a certain familiarity with some of this specialised knowledge base. The position is similar to that of geneticists engaged in engineering microbes to alter plant behavior, and faced with public opposition to improbable consequences of their work.

The other face of the debate over "elitism" rests on the contents of my statement, to which I next turn.

Here we see a mainstream culture which is engaged in behavior that is ecologically and in other ways non-sustainable. We also see a vast scale of acquiescence in a political agenda of creeping authoritarianism. We also see the continuation of cultural norms that support greed and self-centeredness to the exclusion of other values.

A person can take an attitude of support for these cultural norms, or of mere acceptance of them, or of opposition to them. Those who support can be seen as doing so out of commitment to either an actual or potential benefit they may realize from their position: for instance a high-paying job in the military-industrial bureaucracy, or the symbolic identification with nationalistic themes, etc. More typical, and in fact the large majority by most measures, is a mood of acquiescence, plus or minus some grumbling.
My argument is based on the position that acquiescence is nearly as problematic as active malice, and that acquiescence represents the utter abdication of personal responsibility for ethical choice.

Now for any given individual, one or more of the following can be true:

- He or she is being manipulated by the media or other large institutions.
- He or she is more interested in personal gain than in public issues which involve consequences to others.
- He or she is under sufficient pressure of circumstance as to have no opportunity to engage in various acts of personal liberation, public opposition, or even basic creativity. (For example, parenthood plus a full-time job).

In the last case we can see at minimum the decision that the status quo is better than taking a chance on the unknown. Whether this decision is "right" or "wrong" isn't up to me. The question I have to raise though is, "How bad do things have to get before people rise up?"

The extreme case can be seen in the black community: economic oppression, the destruction of an entire generation by drugs, poverty, violence, etc. One wonders why the signs of collective outrage have not become more evident in that community: the history of the political repression in the 60s supplies part of the answer.

However, most people in the mainstream aren't under that kind of extreme pressure of circumstances. For them, acquiescence is either a matter of being manipulated or being selfish.

Are we going to say that the public are brainwashed? Does this imply that we ourselves are relatively free of brainwashing? That would be awfully elitist, wouldn't it?; and as well, would create a mass "victim" role. If we truly believe that brainwashing by TV and so on is the cause of the predicament, we are left facing a force that is so powerful as to be unstoppable: How can our calls to freedom and lofty ideals ever begin to compete with the pleasures of the shopping mall and consumption lifestyle?
How can our press conferences and pamphlets be heard and seen above the din of commercial jingles and junk mail? What have we to offer that can satisfy basic needs and desires? A meager existence in cramped housing and on a hippie diet, made tolerable by an ethic of sustainability? There is no substantial alternative economy anywhere in view. Our alternative culture is either barely able to survive or supported by rare cases of vast success whose effects even so are not able to build a truly large-scale example which can become self-supporting.

Instead, are we going to say that the public are acting selfishly? That would cast the majority in a moderate version of the role of "Good Germans." Instead of an absence of insight and will, there would be an absence of ethics and basic compassion. The result of this is even more dire: it is not that people don't know what they want, it's that they want more or less what they're getting, *including* the consequences of intolerance and repression and injustice.

In that case, what alternative have we to offer? Simulations of public executions, to stem the desire for the real thing? Simulations of other forms of evil, which serve to disguise good done in secret? That appears rather Machiavellian. Or instead should we fold inwardly and hide from the rising tide? A limited escape if that.

Sixty percent of the public don't vote. Sixty five percent of people under 35 years of age don't read newspapers or watch broadcast news (source Newsweek poll a few weeks ago). When "don't know" is compounded with "don't care," we are in deep shit.

Fact is, I believe that there may be some way out. As Huxley said, "Nothing less than everything is truly sufficient." It does cause me much despair to see that the vast majority of our resources are committed to fighting a holding action where success is measured in the absence of defeat.
I believe that a key element in the overall solution needs to take the form of cohesive examples of alternative economic and cultural entities. Integral neighborhoods, intentional communities (not the same as "hippie communes" thank you), cooperative enterprises; generating a sustainable *and* prosperous way of living by higher ideals and deeply considered values. Not isolated on little islands, but integrated with the overall economic and cultural sphere while retaining distinct identity. And of course, publicized as such, to provide accessible models from which to proceed further.

. . . .

We all have our cynical moods. Contemplating the overall scale of the predicament of what used to be called "civilization," is frightening and can as easily give rise to despair as it does inspiration and hope for change. I think one thing we all share here is a commitment to creating a better world in many ways. Argument and debate are valuable ways of clarifying views and reaching a more cohesive synthesis.

My cause of despair is that a huge amount of talent and energy and resources are going into what is basically the equivalent of defence expenditures. On very many fronts.

Realistically I'd like to suggest a concentration of political effort in one specific geographic area, to create and maintain an area which is conducive toward the creation of real alternative institutions of all kinds. From a strong and solid base like that, we can move outward and affect other areas.

There are plenty of other ways to get at an agenda that actually moves forward instead of fighting defensively. I think the people who talk in terms of educating our opponents are on the right track: not us/them, but "all of us," and solving problems together. "Nothing less than everything is truly sufficient," isn't a cry of despair but an affirmation of the need for everyone to play whatever part their conscience moves them toward. Forward!
***************

********************************************************************
>> END OF THIS FILE <<
***************************************************************************

------------------------------

Subject: Another experience with the SS
From: Anonymous, somewhere in Texas
Date: Tue, 28 Aug 90 21:14:19 CDT

********************************************************************
*** CuD #2.01: File 5 of 6: Another Experience with the SS ***
********************************************************************

++++++++++++++++++++++++++++++++++
%The moderators deleted the identity of the following article's author because of legitimate concerns for his welfare. He is considered by those familiar with his situation to be another victim of recent SS activity, and the need to conceal his identity further illustrates the chilling effect on freedom of speech that the SS has created--moderators.%
+++++++++++++++++++++++++++++++++++++++++

I just remembered a Texas tie-in to the LOD name. I found this in Mike Cochran's book "And deliver us from evil," from Texas Monthly Press. In the concluding essay, he wrote,

    And, if there was a roll call for bizarre Texas crime, it surely would include:

    [ (accounts of mayhem removed)

    -- The Legion of Doom, an up-scale group of student vigilantes who used dead cats, car bombs, and other forms of intimidation to shape up the riffraff at Fort Worth's Paschal High. Their misguided crusade got them in a heap of trouble, but they all escaped jail.

Speaking of reading... I re-read CUD 1.18 today. There are parts of John R. Simpson's response to Representative Don Edwards' FOI inquiry that, ahem, do not compute. Like this:

    "We do not keep records of the bulletin boards which we have monitored but we can provide information concerning a particular board if we are given the name of the board."

Well, maybe they'd go check the board out again.
But, as "records of the bulletin boards which we have monitored" may include communications program dialing directories and call logs, as well as telephone records of outgoing calls, I know that what Simpson has said isn't true. Let's see what's on those disks and phone bills, Uncle Sam!

But the real corker is:

    "No, the U.S. Secret Service has not created a computer bulletin board nor a network which was offered to members of the public. We have created an undercover bulletin board which was offered to a select number of individuals who had demonstrated an interest in conducting criminal activities. This was done with the guidance of the U.S. Attorney's Office and was consistent with the Electronic Communications Privacy Act."

When I was interviewed by the Secret Service in early 1990, SS Agent Timothy Foley discussed the UNIX system known as "attctc", formerly called "killer." Agent Foley discussed the status of jolnet and attctc, claiming that "I own jolnet" and "I own attctc." He also asked me why I thought AT&T would fund attctc. His answer to his own question was that attctc existed "for the purpose of monitoring the hacker community."

When it was still running, attctc was once referred to as "the largest mail hub in the Southwest." Did AT&T provide Secret Service agents with access to attctc? I had this view of attctc as a kink in the image of AT&T as an all-devouring monopoly, and approved of it as good for the image of AT&T. But if it was a listening post, well, I take it all back. It was >very< available to the public.

What role did Uncle Sam and the Secret Service have in the management, funding and operation of attctc?
********************************************************************
>> END OF THIS FILE <<
***************************************************************************

------------------------------

Date: August 30, 1990
From:
Subject: CU in the News

********************************************************************
*** CuD #2.01: File 6 of 6: The CU in the News ***
********************************************************************

Source: Computerworld, Aug. 27, 1990, pg. 6, News Shorts

"NSA Denies Killing Security Center"

The National Security Agency (NSA) last week denied a published account that said the agency is dismantling its National Computer Security Center, a semipublic unit of the supersecret agency that was established by the U.S. Department of Defense in 1982 to evaluate and certify the security, or levels of trust, of computer systems.

A spokeswoman for NSA said the center is being restructured to align its activities more closely with NSA's communications security work. The move was prompted by the blurring of distinction between telecommunications and computer systems, she said.

Patrick Gallagher will remain director of the center, and the center will continue to meet its commitments to industry for product evaluation and certification, the spokeswoman said.

************************************************************

Source: Computerworld, Aug 20, 1990, p. 74:

"Bozhe Moy! Hackers and viruses already plague Soviets"

There have already been computer crimes and virus attacks in the USSR. Over the last several years, the number of incidents has appeared to increase along with other forms of crime.

One of the earliest cases of a computer virus in the USSR occurred in 1988 when an unidentified programmer at the Gorky Automobile Works on the Volga River was charged with deliberately using a virus to shut down an assembly line in a dispute over work conditions.
The man was convicted under Article 206, the so-called hooliganism law, which provides for a jail term of up to six years for "violating public order in a coarse manner and expressing a clear disrespect toward society."

The comments about viruses heard at a number of meetings are worth reporting: "We are ready to meet the problem." (Moscow State University); "Viruses come from international exchanges but some day soon come from here." (National Academy of Economics); "The USSR recently joined Interpol. A requirement of that organization is that member states' police departments must ensure data security. The result has been that the police management has now become sensitized to that issue." (National Academy of Economics); "On the physical side [of security], we close what needs to be closed. Some say that only a sentry will be sufficient." (A Soviet bank security official); "How have we responded to viruses? Up until now we suffer." (Institute for Information Problems in the Information Sciences Department of the Academy of Sciences of the USSR).

According to various Westerners, pirated software is all over the USSR, and the Soviets often get hit with viruses when they buy these "forbidden fruits" via the Hong Kong or Swiss connections. A number of the 70 known Bulgarian viruses also appear to be prevalent, along with two Soviet strains: Victor and a variant of the Vienna virus.

According to Aryeh Goretsky at McAfee Associates, a computer security firm, other viruses that have been confirmed by Soviet and Eastern European antiviral programmers include the following: Yankee Doodle, Vacsina, Microsoft88 (534), Sunday, Amstrad or Pixel, Disk Killer 170X, Stoned, Ping Pong, Vienna, Jerusalem, Friday the 13th COM, Pakistani Brain, Disk Killer and W-13. Programs available to combat viruses are Aidstest by Lozynky and Anti-Kot and Anti-Kor by Kotik. Some Western antivirus programs and some homegrown versions were also found at various Soviet sites.
It is noteworthy that viruses are increasing, even though a form of data security exists in the Soviet Union. This security is of the most basic type: It is largely composed of guards and locked doors restricting access to computer rooms. Other simple measures are used, such as limiting links between computers and systems and access controls to files.

These measures are far from adequate, however, given the pressure to acquire and distribute microcomputers and to establish networks. What makes the situation worse is the lack of trained data security personnel, data security standards and tools, data security supports and, in some instances (but not in others), lack of knowledge of security techniques beyond basic approaches.

Sadly, it appears certain that there will be an onslaught of computer crimes and virus attacks in the near future. If (and when) perestroika can lead to computer linkages of even a minimal sort, the types of crime and abuse problems that have become part of life in the West will be found in the USSR. A mixture of homegrown hackers, outsiders and even some business managers will create what could be a very fearful situation for the Soviet authorities. How they will respond to this challenge is, to a large degree, based on what authority will be functioning in the near future.

Decisions about what information to protect and how to do it are not being developed in the USSR today. Unfortunately, it appears that these decisions will be put off there as they were in the U.S. for too long. Soviet computerists, both in state enterprises and the fledgling private sector, can learn about information security from U.S. experiences. The main issue is to try to be like us while avoiding the many problems (including security problems) that we developed in association with computerization.

-Sanford Sherizen

********************************************************************

Source: Computerworld, August 20, 1990, pg.
102, Inside Lines:

When a young computer hacker broke into an unclassified computer at the Pentagon last November, the U.S. Air Force was quick to draw a bead on him. The Air Force's Office of Special Investigations (OSI) is the only federal agency with a full-time staff of computer crime investigators, according to the OSI. There are 14 Air Force computer crime cops stationed at air bases around the world. The group was instrumental in tracking down the Hannover hacker, profiled in _The Cuckoo's Egg_ by Clifford Stoll.

Talk with Soviet users

From Computerworld, August 20, 1990, pg. 74, no author.

Network connections to and from the USSR are few but growing all the time. Some of the choices include a bulletin board that provides electronic mail and teleconferencing with Soviet computer users called the San Francisco/Moscow Teleport located at 3278 Sacramento St., San Francisco, Calif. 94115 (415) 931-8500. Another connection is through Peacenet via Jeff Sears, (415) 923-0900.

A Russian text processing mailing list, Rustex-L, is also available. It is administered by Dimitri Vulius, Department of Mathematics, City University of New York Graduate Center, who can be contacted at DLV%CUNYVMS1.BITNET@cunyvm.cuny.edu.

An excellent overview of Soviet technological growth is provided in a book entitled _Chip in the Curtain: Computer Technology in the Soviet Union_ by David A. Wellman, Washington, D.C., National Defense University Press, 1989. (202) 475-0948.

********************************************************************

------------------------------

                         **END OF CuD #2.01**
********************************************************************