******************************************************* ** ** ** PPPPP I RRRRR AAAAA TTTTT EEEEE ** ** P PP I R RR A A T E ** ** PPP I RRR AAAAA T EEEEE ** ** P I R R A A T E ** ** P I R R A A T EEEEE ** **keepin' the dream alive ** ******************************************************* -=> VOLUME 1, ISSUE 2, August, 1989 <=- **** WELCOME **** To the second issue of -=* PIRATE *=-! Special thanks for getting this issue out go to: Jedi Hatchet Molly Blade Runner Chris Robin Maxx Cougar The California Zephyr Taran King Knight Lightening Flint Epios Mikey Mouse Jim Richards Gene & Roger Any comments, or if you want to contribute, most of us can be reached at one of the following boards: BOOTLEGGER'S >>> PIRATE HOME BOARD RIPCO (Illinois) SYCAMORE ELITE (815-895-5573) THE UNDERGROUND (New Jersey) GREAT ESCAPE (Chicago) PACIFIC ALLIANCE (California) BITNET ADDRESS (Chris Robin): TK0EEE1@NIU.BITNET +++++++++++++++++++++++++++++++++++++++++++++++++++++ Dedicated to sharing knowledge, gossip, information, and tips for warez hobbyists. ** CONTENTS THIS ISSUE ** Phile 1. Introduction, editorial, and general comments Phile 2. Whither the World of Pirates? Phile 3. How to get things running Phile 4. Sysops and the Law -- Sysops' Legal Liability Phile 5. Hackers in the News Phile 6. Illinois and Texas Computer Laws Phile 7. Is Teleconnect Dangerous? They're after our rights! Phile 8. Viruses Phile 9. BBS NEWS: Review (ATLANTIS) and APPLE #s >--------=====END=====--------< ******************************************************* * PHILE 1: EDITORS' CORNER * ******************************************************* Here we go again with the second issue of *PIRATE*. Lots of feedback from the last issue, and some good suggestions. The legal stuff seemed to be the most popular, so we'll try to expand and upgrade it. Biggest criticism was the emphasis on IBM, so we'll try to keep the contributions relevant to all systems and to spread around the specific topics about equally between them. We've been asked about our assessment of the virus risk to pirates. In our view, it's pretty slight. VIRUSES ARE REAL! But there isn't cause yet for paranoia, and it seems that many of the so-called "viruses" are user-related, not nasty bugs. But, because we take viruses seriously, we've included a phile with some virus information. Seems to be the season for board crashes. Home board went down for a bit, and so did a few of those where we hang out. A bunch of regional and local boards also bit the dust. So, keep stuff backed up, gang...assume that yours is next! A few changes in this issue...the articles are in phile form so they can be uploaded individually to other boards. We've also tried to keep the issue a bit shorter, to about 2,000 lines. So, zip it up and upload to your favorite boards, and leave a message where you can. THE UNDERGROUND has been down for a while, but is back up and upgraded. GREAT ESCAPE is back up, as is PAC-ALLIANCE. All are looking better than ever. --------------- MORE TIPS --------------- Last issue we published a few basic tips for uploading. A few of them bear repeating: 1. BE SURE ANY PROGRAM YOU UPLOAD IS COMPLETE! Nothing is more lame than to upload a partial program. Copy a program from the original disks, is possible, using a *good* copy program. Then, zip it, and unzip it and install it to be sure it works. If there is a trick to installation or running, add a short zip phile. BE SURE THE PROGRAM WORKS! Then, make sure you add a zip phile comment to each zip phile describing the disk ("program disk, 1/5"; "drivers, 2/5"). 2. DON'T GIVE OUT THE NUMBER OF YOUR FAVORITE PIRATE BOARD WITHOUT THE SYSOP'S PERMISSION. Some sysops like publicity. But, elite boards may not want a bunch of new callers. Most boards ask for names of other boards you're on, so if you leave the name, be sure you ask the sysop if it's ok to also leave the number. We know some elite sysops who will bump a user who gives out the number without permission. 3. DON'T ACT LIKE AN IDIOT. One sure way to tell if users will be lamers is if they say something like "Hey, dude, I'm a pirate, and want complete access or I'll crash your board." Cool. Real cool, dude. Like, I mean, wow, ya know? Right, like, ok, here's all the philes. 4. DON'T BE A LEECH! Nothing is worse than seeing 25 calls a day and no new warez or messages. When you log on, READ THE BULLETINS AND MESSAGES, and contribute something, even if it's only a tip, some info, or a swap list. If anything is going on in your area--hacker busts, new boards, media stuff on law or related activities, post it (be sure to give the date and pages of the newspaper so others can check it out). Some boards (RIPCO, SYCAMORE ELITE, GROUND ZERO) there are gphile sections for articles. So, take the time to type out the story (or transcribe from tape if it's tv or radio) and upload as .zip or gphile. (Be sure to do this in ascii format). Or, send to CHRIS ROBIN on bitnet and s/he (are you male or femme, Chris?) will do the rest. 5. KNOW THE BOARD YOU'RE CALLING! As silly as it sounds, it's not uncommon, especially for new pholks, to try upload an IBM program to an Apple board, or wonder why a commodore game won't work on a non-commodore system. Also, be sure that if a game or program you upload has special requirements, such as a math co-processor or a VGA screen or a joy-stick, to note this in the description and put a zip comment in philes. Don't be afraid to add a README.1ST note to explain glitches to others. 6. ERASE IDENTIFYING ID NUMBERS. If you upload a registered program, try to get into it to erase any identification data or serial numbers. Either use a "search" program capable of finding text in a phile, or use a program like Magellan to search for the identifying text. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Thanks to contributors who have sent philes and other suggestions. Much of the info has apparently come from screen dumps from other boards. We will try to acknowledge these boards when possible, so if you send info, be sure to include the name of the board or the source, so we don't look like a bunch of rip-off artists. >--------=====END=====--------< ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Here's something that might help in communicating on BBSs. EPIOS got it from the Public Brand Software catalog for IBM, which says it was put together by Scott Fahlman with help from other partici-pants on FIDONET. :-) humorous; joking :-( sad :-') tongue in cheek :-() shout ;-) say no more; nudge nudge =:-() scares me, too :-! foot in mouth :-$ put your money where your mouth is o:-) don't blame me, I'm innocent %-/ don't blame me, I'm hung over <:-) don't blame me, I'm a dunce C:-) blame me, I'm an egghead :-)8 sent by a gentleman 8:-) sent by a little girl (8-) sent by an owl :-)====== sent by a giraffe (-:|:-) sent by siamese twins d:-) I like to play baseball q:-) I am a baseball catcher :-| I can play the harmonica :-8 I just ate a pickle Turn them sideways. >--------=====END=====--------< ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ******************************************************* * PHILE 2: THE CHANGING PIRATE WORLD * ******************************************************* There've been some complaints this summer about the changes in pirate boards. The following was snatched and sent to us from one of the best boards in the country. We've been complaining about lamerz for a long while, and it seems they are taking over. We've shared this with some other sysops, and they pretty much agree that kids, which is a state of mind, not an age, have pretty much moved in to tie up lines. Seems there's not a lot of ideas on what to do about upgrading the quality of losers, so we thought we'd toss this out for some discussion. * * * S1: I'm almost ready to quit. Things have not been that great with us and the competition is doing pretty good. Lost a lot of good users. Now all I ever get are losers or leeches. Getting kinda fed up I guess. . . . Well I and a few of the other sysops I know have, it's all going to the kiddies now, we have seen at least 30-35 new local pirate boards and about 100 or so new pirate boards nationally spring up within the last few months, and they are all pretty much 15 and 16 year olds who run things pretty shabby in our minds. They have hurt many boards including us for competition of callers. You will start to see many old timers like us go by the wayside for awhile while they clean up, then maybe later on, we might all come back like we did a few years ago when the smoke clears. S2: Yeh, the number of "kiddie Klubs" grows as the ease of getting modem/pc gets more popular, but those I've hit have been so fuckin' lame!!! Mostly the games, which is fine, but the way that other stuff, what little there is, is uploaded--like, just collapsing a hugh file into a single data set and uploading. God! S1: Get used to it, thats what you will find on most of them from now on, as we old guys start to fold our tents up. Many of my friends have been saying that when mine and 1 or 2 other boards they call go, that might be the end of their calling days for business stuff. S2: Yeh, it gets depressing to call some board, struggle for the access and find there's nothing there. Damn. From the guys I've talked to, they also bitch about the time, the new stuff coming out and how hard it is to keep on top of it all....but these guys are the "neurotic collectors, " and not much into using it. S1: Thats right, and they usually don't support you after they get what they are looking for. Thats what has hurt us. We had some great guys for awhile that kept supporting us until they got all the stuff they wanted, then they said adios. Plus the pcp cap has hurt... S2: Isn't there a law against lamerz, or has that been protected by the constitution? I haven't pulled down anything good since school let out in the spring and my original disk sources moved home for the summer. S1: Yep, most of these new pirate boards are guys back from Illinois U that ran campus boards, so they all started up for the summer and have been murdering the good boards with their instant access and easy files deals. They have been having giant leech parties and all. If I go down, it would be for quite awhile I guess, maybe a year or so, depends on how things are I guess. I really hate to, but things are so slow, I just can't see wasting the electricity when it goes unused all day. S1: Well, maybe come the fall, it'll pick up, 'because it does seem to be slow all over on nat'l boards....but you're right about the kids going home and opening up boards---at least a half-dozen from our school did, but these were guys who leeched from boards here, and my guess is will try to leech some more when they get home...take the money and run type thing... interests me, they usally just tell me how great they are and that whoever they mention can vouch for them even though they mention they aren't into files or calling BBS's that much. So you can see why I'm a bit hesitant in granting them access, besides they never read what I put up for new user access either, so they waste both of our time. Now I just usually give access to users here I have talked to about a guy who applies first before I go any farther. Thats how I can tell that they are either kids or losers since they don't know the ropes, it always glares out of what they type when I read these things, comes from years of experience sifting thru all this BS. When I find one that looks like a winner, it's like a needle in a haystack, happens only once in a long while or wait. Yes and it pisses me off very much. As soon as I reopened membership about 6 months ago after 2 great years of none of that BS, all of a sudden I'm getting losers constantly tying up my line each day recalling for access and it has been irritating me a lot. Thats why the number has to be changed at my expense. Would go would it be, they'd just tie up the line from guys who were willing to upload instead of download, everyone who is willing to pay, is new and has nothing, or isn't on any good boards. No this is like CB's. You can get away with anything as long as your parents don't know about it and you are anonymous from the law. I'm afraid it's a plague that will haunt BBS's for awhile unless enough of them start setting up guidelines like I tried to do, and not give them access, but as you can see, it doesn't work, when most of the boards are kids anyways. Yeh. Well, maybe they'll grow up, except there always seems to be more where they came from (grin)....well, it's maybe time to get all the sysops of good boards together in a union or something. We have tried many times. It's a lost because. Bummer. Can't think of any cheery words of wisdom....just hang in there and hope they all get run over by drunken white sox fans, or something. They are drunken white sox fans. Yeh well we will hang around at least a couple more weeks, then who knows. OK---but if you go down, you'll be missed. You just don't know it. S1: Well maybe and maybe not, I know there are better boards around, but if they are getting half of what we aren't then maybe they will fade also. I hope not. Like the Joni Mitchell song..."ya don't know what ya have til it's gone." Well , Tell it to the losers. right? S2: God, how far we've come in tek in just a few years. That's impressive. Well, one thing the kids don't have going for them is high tech and perseverance. * * * Old timers have seen a lot of changes in the pirate world in the last two years. Let us know your gripes and opinion. >--------=====END=====--------< ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ******************************************************* * PHILE 3: GETTING THINGS RUNNING * ******************************************************* Assuming that whoever uploaded a program is reasonably responsible, the next thing is to get the program running. A lot of sysops have to deal with angry users who often claim a program doesn't work if they can't get it running the first try. Too often this failure is caused by impatience or inexperience. In future issues, we will provide a few tips as they are forwarded to us, so if you have a program that requires some tricky maneuvers, pass along the info to us. We'll start out with some of the simplest techniques, so some of this may seem basic to a lot of you. But we've found a lot of folks who didn't know this kind of stuff, so we'll start out simple. 1. LOOK FOR "README" FILES. Any real pirate will stick in a text file that will provide tips on getting a program running. If a game has been cracked, there is often a separate *.bat program required to start it. If it's a complex utility, such as SPSSPC or ALDUS, sometimes there are tricks to installation that have been provided. So, simple as it sounds, look for some instructions. 2. FOLLOW INSTRUCTIONS: Many programs have installation instructions that should be followed. Many can't be run just by dumping into one humungous directory and then run. So, you may have to take each zip phile, copy it to a floppy, then run the installation from Drive A. This may sound obvious, but you'd be surprised how many novices don't bother to do this. THIS IS ALSO WHY IT'S SO IMPORTANT TO UPLOAD FILES EXACTLY AS THEY COME OF THE ORIGINAL DISK AND KEEP THE ZIP PHILES IN SEQUENCE. IF YOU ARE GOING TO UPLOAD A PROGRAM, DON'T JUST DUMP INTO A DIRECTION AND THEN ZIP IT FOR UPLOADING!! Other users may not be able to run it. 3. USE THE ESCAPE KEY. Some programs may tell you to install a disk that you may not have, then appear to lock up or refuse to respond if you do not put the right disk in. Sometimes this can be gotten around by hitting the escape key a few times, and installation will proceed as it should. For example, on user indicated that her version of SPSS-PC 3.1 kept saying "place diskette in drive g," and she had no drive g. She just put it in A and hit the escape key a few times and the installation conintued successfully. 4. BE AWARE OF DATE TRAPS: Some programs will install without any problem, but only run for 30 days. This is common when a complete program is available for "trial use," and quits after a certain amount of time. Sometimes lamerz will wait until the time has run out, then upload the program they installed, which won't be of use to anybody. Usually there will be a message like "your free trial period has expired." One way around this is to go into the program and change the date, using an convenient editor (Magellan, xtpro, or anything else). We recommend a phile manager type program, because you may have to search the files individually to find the one with the date. But sometimes the date phile is obvious (named something like date.dat). Another way around this, if you don't mind having the date of your PC not match the real date, is to keep the date fixed to a 30 day period. Pick a date that's easy to remember (january 1) and every few weeks re-set the date to january 1. Any time you have a date-controlled program, reset the date to january 1 and install it. You will have to change the date ever 30 days, and it's primitive, but it does work for most programs. It's easier than re-installing every 30 days. 5. MAKE SURE THE PROGRAM IS COMPATIBLE WITH YOUR PC. Again, this seems obvious, but some programs require special stuff (screens, 286 chips), so it could be that you have just downloaded something your PC can't handle. 6. BYPASS INSTALLATION. Sometimes you can't install a program, but can actually run it. If you can't, or don't want to, install a program, then try the directory dump and hit what you think look like the right *.exe commands. There is often a "setup" command that can be used in place of install, and a config.exe phile that allows configuration to your machine requirements (color, etc). Sometimes the program won't run as well as it would when properly installed, but usually will run well enough for most purposed. 7. BE ALERT FOR SPECIAL DIRECTORIES. Some programs install philes in special directories, so if you run a program from a dump without installing it, you could have a problem running it. Usually you will get a message. For example, if you dump a program called "gerbils" into a directory called //ger//, and it requires a special directory for the help philes, you might get an error message that says: "//ger//help directory not found." So then you just go back in and creat the proper directory, copy the philes you think belong in it to the directory, and try again. 8. KEEP TRYING. Getting stuff running often takes a lot of patience. It's often just a matter of luck, work, and some intelligent guessing. So, keep trying. Not all machines work alike, and what works on one may not work on others, so you may have to just work at it by trial and error. Often, though, once you get a few programs running and pick up some tricks and shortcuts, other programs are a lot easier. Most pirates don't use much of the stuff they snatch, and the challenge is to try to get stuff running, not use it. So, ***HAVE PATIENCE AND KEEP TRYING!!** >--------=====END=====--------< ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Some sysops are uptight enough about copyright software to warn users how to spot it, presumably so they won't use it or upload it. Here's a snatch from one of the largest boards in the country warning users how to spot it. We thought it might be of interest. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ What Files are Legal for Distribution on a BBS? ----------------------------------------------- Copyright (C) 1989 Exec-PC All Rights Reserved From Exec-PC Multi-user BBS, 414-964-5160 Bob Mahoney, SYSOP ----------------------------------------- Software that is a commercial product, sold in stores or via mailorder, that does not contain a statement saying it is OK to give copies to others is NOT legal for distribution on a BBS. Example: Lotus 1-2-3 is a commercial product, it is copyrighted, and the copyright notice states you MAY NOT copy it for others. Example: PC-Write (the Shareware version) is also copyrighted, but the copyright statement clearly states you MAY make unlimited copies for your friends. TRICKS TO MAKE AN EDUCATED GUESS: Sometimes it is difficult to guess whether or not some software or diskette is legal for BBS distribution. There are a few obvious guidelines I use on the Exec-PC BBS: There is no documentation: Probably an illegal copy. A Shareware author will always provide documentation with his product. If he does not, nobody will be willing to make a monetary contribution to his efforts. If the documentation takes the form of a very short (one or two screen long) and sketchy README file, be suspicious. The software is probably a hack (illegal pirated copy) of a commercial product, and someone wrote up a small hint file to help other pirates run the software. The software is too good to be true: It probably IS too good to be true! A good game, a good database, a good utility of any type, requires at least dozens of hours to write. The really good stuff requires thousands of hours to write, sometimes dozens of MAN YEARS to write. Nobody is going to give this away for free! If you get a copy of a game and it seems to good to be true, I bet it is an illegal copy. The software does strange things to your disk drives: For example, when it is run, the A: drive or B: drive spin for a moment, even though there is no disk present. This sometimes indicates the software is looking for a key disk, but someone has modified the software so the key disk is not needed. This is probably illegal software. The software does not have an easy escape to DOS, no EXIT command: This usually means the software is illegal, someone has hacked it to make it run, but it was too difficult to add a proper escape to DOS to the commercial product. DON'T GET ME WRONG, I am making it sound as if ALL software is illegal. This is not the case. It is usually very easy to recognize a fine, legal package, since the author is proud of his work and usually puts his name, his favorite BBS number, a disclaimer, a Shareware notice, or some other hint into the package. It may be as simple as an initial screen saying "This is Shareware written by so-and-so, this is Shareware, if you like it please send $XX to the following address", and other text of that type. If in doubt, ask the Sysop! END OF INFO >--------=====END=====--------< ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ******************************************************* * PHILE 4: SYSOPS' LIABILITY * ******************************************************* ** PIRATE reprints the following that arrived over the BITNET lines. Following with our policy, it is printed exactly as received. Only the date of the conference was removed. ** /*/ SYSLAW: THE SYSOPS LEGAL MANUAL CONFERENCE /*/ ================================================== Editors' Note: The following conference took place on GEnie. The only changes we have made to any of this text is the format and spelling errors. An additional note, I just finished reading the book. It is interesting and I encourage all BBS operators to purchase it. If you are interested contact: LLM PRESS, 150 Broadway (Suite 607), New York, NY 10038. (212) 766-3785) FORMAL CONFERENCE <[Holly] HS> Welcome to our formal conference with Jonathon Wallace, Thanks very much for inviting me.... <[Holly] HS> Can you tell us a little about yourself and your book before we start? I am a lawyer in private practice in New York City specializing in computer related matters including BBS law. I am the co-author with Rees Morrison, of SYSLAW: The Sysop's Legal Manual, and editor of The Computer Law Letter, a bimonthly newsletter. <[Mel] NIGHTDIVER> Jon, would you talk a bit about where free speech stops and libel begins. We obviously want to be able to criticize a product freely but I guess we have to stop at calling the developer names or spreading rumors that he is going bankrupt. Where does libel start? and what is the sysops liability for allowing such messages to stand? Libel varies from state to state. In many places its a knowingly false statement. In others it may even be a negligently false statement. The responsibility of a sysop is, in my opinion about equivalent to the liability of a newspaper publisher for a comment someone else makes in his paper. Constitutional law says that a public figure can only recover against a newspaper for a libel done with "actual malice". <[Mel] NIGHTDIVER> For our purposes who would you say is a public figure a developer pushing his product? A publisher of an online magazine? The sysop? There is no precise definition. Any of those might be held to be a public figure, as would your town councilman, but not your next door neighbor. <[Mel] NIGHTDIVER> I've heard the sysop's liability in libel compared to a news stand's liability but that boggles my mind because I never heard of a newsstand claiming a compilation copyright. Would you comment on the sysop's position? Ever since there have been BBS's, people have debated whether a sysop is a publisher, a newsstand, a common carrier, a bartender, etc. A sysop is NOT a common carrier (obligated to carry all messages, can't control content) Nor is a sysop a newsstand (too passive). I think a sysop is essentially a sort of publisher. She has the right to edit and control the contents of the BBS. I've got a few questions, but I'll try not to hog things for others. Awhile ago, I ran into a particularly nasty "anarchy" BBS in New York. It offered files on everything from literally how to poison people to "kitchen improvised plastic explosives". Is offering info like this legal? Is there any legal precedent? Dave, the law says that "information doesn't kill people.. people kill people." However distasteful, describing how to make poisons is constitutionally protected speech. <[Ralph] ST.REPORT> Evening Counselor, nice to see that information is information and not murderous non-sense. My question is, what recourse, if any does an individual have when they find that certain information has been labeled "overly informative" and has been censored as a result? Ralph, if you mean censored by the sysop the user really has no recourse. As I said, a sysop has the right to edit, modify and delete the BBS's contents. <[Ralph] ST.REPORT> I see, well a sysop was not the cause in this situation....in fact the sysop was quite fair about the entire matter... much more so than the individual.....I mean as individual to individual. Who censored the message, then? <[Ralph] ST.REPORT> The message was deleted as a result of the ensuing hulabaloo <-? voluntarily by me. Ralph---The sysop is the final arbiter in such cases. It is only censorship when the government intervenes to prevent speech. <[Ralph] ST.REPORT> I agree, in effect I censored myself to avoid more controversy, I was looking for your opinion and I thank you for your time. Yes I was wondering if you could comment on self-maintaining BBSs that automatically validate uploaded files. Is this illegal in itself, or could the sysop be in trouble if a copyrighted file is up for a bit of time till he realizes it? Bob, there are no precise rules in this area yet. My best guess is that the sysop has an obligation to exercise due care. For that reason I would try and set things up so that a pirated file would be discovered in under a couple of days. Therefore, the idea of a self-validating BBS makes me nervous. I see. right - but its that couple of days that the file might be up. ok something to think about. thanks. Jon, do you consider your SYSLAW book to apply much to information service sysops, or is it 95% for the private BBS operator? The book was written for the BBS sysop, but much of what's in it applies equally to service sysops...e.g., the discussion of copyright, libel, etc. Hi again. As I understand it, the libel law says (basically) that to commit libel, you have to say something false, know it's false, and do it with malice intended. First, am I right? (*grin*) Second, does that apply different to public figures vs. mere mortals? Dave, the rules you stated are correct for a media defendant (newspaper, etc.) libelling a public figure. If the "libeller" is a private citizen, the states are free to hold you to a mere negligence standard. Can you expand on "negligence"? Yes a careless false statement, e.g. something you didn't bother to verify. Along the lines of the self-validating files...what if users upload copyrighted text into the message bases? Song lyrics, documentation, that type of thing? Messages are never held for validation. I believe a sysop should arrange to read every new message every 24 hours or so. If its a big message base, get some assistant sysops to help. Of course, copyrighted text may not be easy to recognize, but if you do recognize copyrighted material it should be deleted unless its a fair use (e.g., brief quote from a book or song, etc.) <[John] JWEAVERJR> Can you comment on the differences between the legal standards for libel and slander? And, in particular, which category does this RTC (as a "printed record" of a live conversation) fall? Slander is spoken libel is written I am fairly sure that all online speech will be classified as libel, not slander. Frankly, I am more familiar with the libel standards, which we have been discussing than with slander, where they differ. I did come in a bit late, if this has already been answered; where might I find your book, and what's it retail at? The book is $19 plus $2 p&h from LLM Press 150 Broadway, Suite 610, NY NY 10038. Okay back to libel. Are editors of magazines in general held responsible for the content of their magazine, or is the writer of a given article deemed libellous that's held responsible? Or both? Potentially both. The standards would depend on if the libeller (sounds like a referee! grin) was a public figure or private person, also? e.g., negligence vs. malice? The US Constitution imposes the standards we discussed for media defendants, and leaves the states free to make their own laws in all other cases. Since networks are interstate, which states' laws applies? Dave, thats something the courts will have to settle. Magazines have been successfully sued in states where they sold only a few copies. <[Mel] NIGHTDIVER> I understand there have been some cases regarding private messages in a BB as opposed to public messages. Does that mean that if someone sends me Email here on GEnie and I forward it to someone else, that I could be in trouble? Mel, we are getting into a whole new area here. The Electronic Communications Privacy Act (ECPA) which protects the privacy of email. In the case you described. There would be no liability under ECPA, because the recipient of the message has the right to make it public. <[Holly] HS> I have a related question, Jonathon...are you familiar with Thompson v. Predaina? (The case that never was... *grin*) Yes, I read the pleadings, and have talked to and been flamed by, Linda Thompson . <[Holly] HS> Can you summarize the case a bit for the rest of us and give us your opinion? (I happen to personally know both parties... Linda was a friend of mine. Bob is a friend of mine. Key word: "was") Everyone's been flamed by Linda Thompson. *grin* Linda sued Bob under the ECPA claiming that he had disclosed private messages and files of hers to the public. He was not the recipient of the files or messages and, if the facts as stated in the complaint are true, it seems as if there was a technical ECPA violation. The case never went any further because (I am told). Predaina declared bankruptcy (since you know him, you can clarify if this turns out not to be the case). <[Holly] HS> Bob did declare bankruptcy, which was a wise move. I didn't read the complaint, however, I also know that when Linda (and Al) had a BBS, they were "guilty" of exactly what I understood Bob did. (Allegedly) I've often thought it was a too drastic move on his part. Based on the information I had, I doubted the case would have resulted in drastic damages, even if there was a technical violation. The moral of the story: Don't disclose private mail of which you are not the sender or recipient. <[Holly] HS> I think it was very precautionary on Bob's part. And, if I understand what happened, the case was dropped because Linda was suing partially on the grounds of character defamation which allowed Bob to dredge up some of Linda's rather tawdry past, allegedly. (I don't think I'm spelling that right. It looks wrong. :-) Thanks, Jonathon... I have a few more for later... :-) Hi Jon, this is deb! Christensen, I take care of the Commodore and Amiga areas here on GEnie. My question is an unresolved one about copyrights and music. Are there any 'fair use' guidelines which affect musical arrangements to computer transcriptions which people upload and distribute for their electronic friends? Deb....The upload of a copyrighted song or image in electronic form is a copyright violation. I have never yet heard of a case of a court finding such an upload to be a "fair use" mainly because courts haven't really yet dealt with the issue of uploads at all. However, I think the argument for a fair use is slim, considering that the standards of fair use include whether the use....is commercial, and how much of the work is copied. An upload to a commercial service of an entire song or image, for download by people paying connect charges, seems like a pretty clear copyright infringement. So, a musician does not have a right to arrange music and perform it for his friends? Is it the uploading that is a violation or the computer arrangement for the performance? A private performance is not a copyright violation but there is nothing private about an upload to a commercial service with more than 100,000 users. And to a public BBS? Public BBS: I would say its the same thing, even though not quite as commercial. Aha, so it isn't anything to do with cost involved. It is the actual transcription which is the problem? I *know* digitized music is a problem but had always presumed we had the same right to make an arrangement on a computer as we did on paper. :-( Deb, I would say you do have the same right to make an arrangement, just not to distribute it to other people. What are the legalities of telephone companies charging business rates for BBS telephone lines? I understand they have either proposed it, or tried it in some places. Your comments? It has happened a lot, but I understand in several places concerted efforts to communicate with the telco got them to back down. Not aware if anyone ever mounted a legal challenge, though. I see. I don't see how a bbs constitutes the charge, but I guess there is a large grey area there. The telco's argument was that the BBS was providing a quasi-commercial service. If you look at any BBS list, you will see a proportion of company sponsored BBS's that confuse the issue. Jon, earlier you stated that the recipient of EMail was free to distribute that mail. Is there any way to ensure privacy in EMail? Would a Copyright notice on each message prevent further distribution? I assume you are asking if there is a way to keep the recipient of a message from making it public. Yes. The answer is not really. Putting a copyright notice on might give many people pause, but suppose someone violated that copyright, what are the damages? Got two for you. First, with BBS's and networks being so (relatively) new, are there a large number of libel cases of stuff going over the nets, as opposed to say magazine cases? E.g., is it a growing practice? *grin* I am only aware of one case of online libel, the one discussed in my book, the Dun & Bradstreet case (and I guess Thompson v. Predaina also included that element). Second, do you find that judges and juries in such cases (jury assuming a jury trial, of course) have a great deal of "learning curve" to go through about networks? Most people I know outside computers don't know a genie from a compuserve from a hole in the wall. they can't imagine what the BBS world is like. Does this make such a case tougher/easier on an attorney? I frequently will try a computer case to the judge, waiving the jury demand less education to do but I wouldn't necessarily do that if I were the defendant in a libel case. Depends what part of the country you're in; in Manhattan, you could probably get a jury that knew what a modem was. And if not, it would probably be prudent to try to educate one vs. six ? Fair enough.. okay I'm done It really depends on the circumstances..deciding when to go for a jury also has to do with how much you need, and can exploit, a sympathy factor. <[Holly] HS> I have one last question myself before we wrap up.... (which is not intended as a pun with regard to my question... *grin*) Shrink wrap licenses, are they enforceable? Legal? There has been some disagreement on this but my personal opinion is that the average shrink wrap license would not stand up. It was never negotiated, never really agreed to and can't convert what is obviously a sale into something else any more than calling a car a plane will change it into one. <[Holly] HS> However, if it is visible before the buyer actually buys then can a presumption be made that they have read and agreed? There are still other problems. The buyer hasn't dealt with the publisher, but with a retailer. There is no "privity" of contract. <[Holly] HS> "privity" meaning... ? No direct contractual relationship between publisher and purchaser, despite the fiction that the license purpotts to create. <[Holly] HS> Then a company who insists that this disk and this software still belongs to them, you don't feel it is enforceable? It would depend on the circumstances, but if you buy an off the shelf product at Software to Go, in my opinion, you have purchased the copy even if there is a shrink wrap license that says you have only licensed it. <[Holly] HS> Interesting... another point of licensing... have you read the Apple licensing agreement? I read it some time ago, when the case started. <[Holly] HS> It states that Mac ROMs can only be used in an Apple machine. Although there is contention that the ROMs are the heart of the machine, so whether they goest, so goest the machine. Sorry, I thought you meant the Apple/Microsoft license. <[Holly] HS> For those of us who use an emulator, like Spectre or Magic Sac, it could be an important point. The question is a very tricky one. On the whole, it would be....difficult to prevent a legitimate purchaser of a ROM from doing anything he wanted with it, including sticking it in another machine. But I haven't seen the license you refer to. ======================================================================== (C) 1989 by Atari Corporation, GEnie, and the Atari Roundtables. May be reprinted only with this notice intact. The Atari Roundtables on GEnie are *official* information services of Atari Corporation. To sign up for GEnie service, call (with modem) 800-638-8369. Upon connection type HHH (RETURN after that). Wait for the U#= prompt. Type XJM11877,GEnie and hit RETURN. The system will prompt you for your information. >--------=====END=====--------< ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ******************************************************* * PHILE 5: HACKERS IN THE NEWS * ******************************************************* Here are some news stories that have come to us from various sources. Some don't have the dates or papers, so if you send anything in the future, be sure to but the actual source including page numbers. A couple are a few years old, but we judge them important enough to repeat. We suspect that some of the providers of this stuff snatched them and didn't include the names of people who did the work of transcribing, so thanks to whoever originally uploaded them so others could share. +++++++++++++++++++++++++++++++++++++++++++++ SOURCE: Chicago Tribune, July 27, 1989 (p. I-12) (from -=*JEDI*=-) ++++++++++++++++++++++++++++++++++++++++++++++ **************************************************** * U.S. Indicts Cornel Graduate Student in Computer * * Virus Case * ***************************************************** WASHINGTON (AP)--A Cornell Univesity graduate student was indicted Wednesday on a felony charge stemming from creation of a computer "virus" that paralyzed as many as 6,000 computers last fall. Robert Tappan Morris, 24, who has been suspended from the University for one year, was indicted by a federal grand jury in Syracuse, N.Y., on a single count of accessing without authorization at least four university and military computers. The computer-crime indictment charged that the virus, which spread acros a nationwide network of computers, prevented the authorized use of those computers by universities and military bases. The Justice Department said in a statement released in Washington that Morris was the first person to be charged under a provision of the Computer Fraud and Abuse Act of 1986 that outlaws unauthorized access to computers by hackers. The provision also makes it illegal to gain entry to a computer to damage or destroy files. The indictment comes after months of deliberations within the Justice Department over whether to charge Morris with a felony or a misdemeanor. Morris, of Arnold, Md., could face a five-year sentence and a $240000 fine if convicted of the charge. The law also provides for restitution of victims of a computer crime, but prosecutors did not specify how much damage was caused by the Nov. 2, 1988, incident that virtually shut down a military-university computer network used to transmit nonclassified data. An industry group estimated that as much as $96 million worth of damage was caused by the virus to 6,200 computers. But a Cornell University commission, which criticized Morris' actions as "reckless and impetuous," called this estimate "grossly exaggerated" and "self-serving." Officials said the virus did not erase any files of electronically stored data. The electronic program Morris allegedly used is called a virus because it spreads from computer to computer like a disease, blocking access to data contained in the machines. Defense attorney Thomas A. Gu idoboni (sic), said Morris "accepts this event as a step toward the final resolution of this matter." Morris "looks forward to his eventual vindication and his return to a normal life," Guidoboni said. As many as 6,000 university and military computers on the nationwise ARPANET network were infected by the virus that the Cornell University commission concluded was created by Morris. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ A 17-year-old Michigan boy has been charged with posting stolen long-distance phone codes on a bulletin board system operated in his home. Brent G. Patrick, alias (handle) "Shadow Stalker" online, was arraigned this week on one count of stealing or retaining a financial transaction device without consent. Patrick was released on $2,500 bond, pending an Aug. 11 hearing. The youth faces a maximum of four years in prison and a $2,000 fine if convicted. His BBS "Wizard Circle" has been closed. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ COMPUTERIST HELD WITHOUT BAIL (Dec. 16) A 25-year-old Californian who is described by a prosecutor as "very, very dangerous" and someone who "needs to be kept away from computers" has been ordered held without bail on charges he illegally accessed systems at England's Leeds University and Digital Equipment Corp. Kevin David Mitnick of Panorama City, Calif., is a convicted computer cracker who now is named in two new criminal fraud complaints in federal court in Los Angeles. US Magistrate Venetta Tassopulos granted the no-bail order late yesterday after Assistant US Attorney Leon Weidman, acknowledging it was unusual to seek detention in such cracking cases, said that since 1982 Mitnick also had illegally accessed systems at the L.A. police department, TRW Corp. and Pacific Telephone. "He could call up and get access to the whole world," Weidman said. Catherine Gewertz of United Press International quoted Weidman as saying Mitnick had served six months in juvenile hall for stealing computer manuals from a Pacific Telephone office in the San Fernando Valley and using a pay phone to destroy $200,000 worth of data in the files of a northern California company. Later Mitnick also was convicted on charges he penetrated TRW's system and altered credit information on several people, including his probation officer. Weidman said Mitnick also used a ruse to obtain the name of the police detective investigating him for cracking when he was a student at Pierce College. Weidman said Mitnick telephoned the dean at 3 a.m., identified himself as a campus security guard, reported a computer burglary in process and asked for the name of the detective investigating past break-ins. In other episodes, Mitnick allegedly accessed police computers and impersonated police officers and judges to gain information. The latest complaints against Mitnick charge he: -:- Used a computer in suburban Calabasas, Calif., to access the Leeds University system in England. -:- Altered long-distance phone costs incurred by that activity in order to cover his tracks. -:- Stole proprietary Digital Equipment software valued at more than $1 million and designed to protect its data. Mitnick allegedly stored the stolen data in a University of Southern California computer. MITNICK MAY BE 1ST TRIED UNDER NEW FEDERAL COMPUTER CRIME LAW (Dec. 17) That 25-year-old California computerist being held without bail on fraud charges may be the first person in the nation to be prosecuted under a federal law against accessing an interstate computer network for criminal purposes. As reported yesterday (GO OLT-28), a federal magistrate decided on the unusual step of detaining Kevin David Mitnick of Panorama City, Calif., without bail after Assistant US Attorney Leon Weidman called Mitnick a "very, very dangerous" person who "needs to be kept away from computers." Mitnick, who was convicted of computer fraud as a teen-ager, now faces charges of causing $4 million in damage to a Digital Equipment Corp. computer, stealin university computers in Los Angeles and England. If convicted, he could receive up to 20 years in prison and a $500,000 fine. The Associated Press reports that the FBI, the district attorney's office and the police just now are beginning to figure out Mitnick and his alleged high-tech escapades. Says Detective James K. Black, head of the L.A. police computer crime unit, "He's several levels above what you would characterize as a computer hacker. He started out with a real driving curiosity for computers that went beyond personal computers. ... He grew with the technology." At 17 Mitnick served six months in a youth facility after being convicted of cracking Pacific Bell's computer to alter telephone bills, penetrate other computers and steal $200,000 worth of data from a corporation. **************************** **************************** TWO TEENS ACCUSED OF CRACKING PHONES -- WHILE IN THE JAILHOUSE (Dec. 1) Two teen-agers in jail in San Jose, Calif., on computer cracking charges hav lost their jailhouse phone privileges. That's because authorities say the boys used a jail phone to make illegal collect calls. Police told United Press International they believe the two -- Jonathan Yaantis, 18, and Michael Torrell, 19, both believed to be from Skagit County, Wash. -- made as many as three illegal calls from the county jail. UPI says the calls were made to a phone "bridge," or illegal conference-call network used by phone "phreakers," and billed to an unauthorized number in Virginia. "The first of the calls was made just two days after they were arrested," sa Yaantis and Michael Torrell were arrested Nov. 2 by a San Jose police office who spotted them at a phone booth near a convenience store. He said they were operating a laptop computer attached by wires with alligator clips to the phon wires. Police said insulation had been stripped from the phone wires to allow the connection. Allegedly, one or both of the boys subsequently made calls from the jail to the cracker network on Nov. 6 and 7, Flory said. He added, "Their telephone privileges were cut off because we didn't want to be accessories, since they a The wire service says the pair is charged with several felonies, including damaging the phone company's line, theft and illegal use of phone card charge numbers and possession of a device to avoid phone charges. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ THE MAXFIELD STING Presented by The Sensei -- Syndicate Investivations Authors among the Private Sector BBS 201-366-4431 Aug. 31 1986 ============================================================================ Intro: The Syndicate Investigation is a Subformation of The Syndicate Syndicate Investigation gathers certain world events rather than Bell only information. ============================================================================ The File: Here is a dump from THE BOARD, a sting BBS run by John Maxfield and sponsored by WDIV-TV in Detriot. After reading a message posted by Bill from RNOC I got worried about a BBS I was on in 313. This is what I got when I went on one las time................. Good afternoon, Sally Ride. Welcome to MIKE WENDLAND'S I-TEAM sting board! (computer services provided by BOARDSCAN) 66 Megabytes strong. 300/1200 baud - 24 hours. Three (3) lines = no busy signals! Rotary hunting on 313-534-0400. Board: General Information & BBS's Message: 41 Title: YOU'VE BEEN HAD! To: ALL From: HI TECH Posted: 8/20/86 12.08 hours Greetings: You are now on THE BOARD, a sting" "sting" BBS operated by MIKE WENDLAND of the WDIV-TV I-Team. The purpose? To demonstrate and document the extent of criminal and potentially illegal hacking and telephone fraud activity by the so-called "hacking community." Thanks for your cooperation. In the past month and a half, we've received all sorts of information from you implicating many of you to credit card fraud, telephone billing fraud, vandalism and possible break-ins to government or public safety computers. And the beauty of this is we have your posts, your E-Mail and--- most importantly--- your REAL names and addresses. What are we going to do with it? Stay tuned to News 4. I plan a special series of reports about our experiences with THE BOARD, which saw users check in from coast-to-coast and Canada, users ranging in age from 12 to 48. For our regular users, I have been known as High Tech, among other ID's. John Maxfield of Boardscan served as our consultant and provided the = more, any key = quit. > HP2000 that this "sting" ran on. Through call forwarding and other conveniences made possible by telephone technology, the BBS operated remotely. here in the Detroit area. When will our reports be ready? In a few weeks. We now will be contacting many of you directly, talking with law enforcement and security agents from credit card companies and the telephone services. It should be a hell of a series. Thanks for your help. And don't bother trying any harassment. Remember, we've got YOUR real names.... Mike Wendland The I-team WDIV, Detroit, MI. = more, any key = quit. > Board: General Information & BBS's Message: 42 Title: BOARDSCAN To: ALL From: T.R. Posted: 8/20/86 12.54 hours This is John Maxfield of Boardscan. Welcome! Please address all letter bombs to Mike Wendland at WDIV-TV Detroit. This board was his idea. The Reaper (a.k.a. Cable Pair) = more, any key = quit. > Board: General Information & BBS's Message: 43 Title: BOARDSCAN To: ALL From: A.M. Posted: 8/20/86 13.30 hours Hey guys, he really had us for awhile, for any of you who posted illegal shit, I just cant wait to see his little news article...cable pair, you have some so If youve noticed, just *about* everything on the subboards is *legal*!!!so fuc You wanna get nasty? Well go ahead, call my house! threaten me! haahaha so wha bbs? freedom of speech...you lose... ax murderer Well if that isn't enough to fry your cakes I don't know what is. A final word of caution to everyone. DON'T GIVE OUT YOUR REAL VOICE NUMBER TO ANYONE, EVEN IF IT'S TO GET ACCESS TO THE BEST BBS IN THE WORLD!!!! ------------------- We all should have realized something was up when the instructions were 'HEL-5555.elite,3' as what hacker has enough access to an HP-3000 to run a BB on it?!? I even tried to get on,but like somebody said,when I called,I got no data,just a carrier.On all BBSs except this one,I use a pseudonym like 'Aloysius Smethley',or 'Waldo Snerd'! No BBS has a good reason to have your REAL name & address.Your # maybe,but they can always go to CN/A... Actually,I can't wait until it hits the fan-I want to hear about the thousands of amoral whiz kids with VIC-20s,running around,stealing millions,defrauding the innocent,and probably even giving-secrets-to-the-Russians!! /End of File// ============================================================================ Private Sector Official 2600 Magazine Bulliten Board 201-366-4431 20 Megs / 24 Hrs a Day / 300-1200 Bps Fed's win a around this time, but. . . .they could at least get their terms straight. COMPUTER HACKER, 18, GETS PRISON FOR FRAUD (From Chicago Tribune, Feb 15, p. II-1) An 18-year old computer hacker from the (Chicago) North Side, convicted in the first tiral arising from the federal Computer Fraud and Abuse Act of 1986, was sentenced Tuesday to 9 months in a federal juvenile prison in South Dakota and fined $10,000. U.S. District Court Judge Paul Plunket also sentenced the defendent, Herbert D. Zinn Jr., of 611 N. Artesian Ave., to 2 1/2 years of probation. Zinn was convicted Jan. 23 of breaking into AT&T and U.S. government computers in three states, illegally copying more than $1.2 million worth of coputer software, and of illegally publishing computer passwords on computer bulletin boards in Chicago and Texas. Computer bulletin boards are lists of public messes that any computer operator can read or add to by dialing a phone numer and plugging in his computer. "It is the government's view that what the defendant did is the result of contacts with people in these pirate bulletin boards," said Asasistant U.S. Atty. William J. Cook at the sentencing hearing. Cook labeled hackers who break into computers and share private information with computer bulletin boards as "nothing more than high-tech street gangs." Evidence was presented that federal agents executing search warrants in September on Zinn's home recovered 52 copyrighted AT&T computer programs that had been stolen from Bell Laboratory computers in Naperville and in Warren, N.J., as well as from U.S. government computers in Burlington, N.C. AT&T said the program had an estimated value of $1 million, according to the secret service. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ --------------------------------------------- SOURCE: Chicago Tribune, June 21, 1989 (p. II-4) (from -=*JEDI*=-) ---------------------------------------------- **************************************************** * WOMAN INDICTED AS COMPUTER HACKER MASTERMIND * * (by John Camper) * ***************************************************** A federal grand jury indicated Chicago woman Tuesday for allegedly masterminding a nationwide ring of computer hackers that stole more than $1.6 million of telephone and computer service from various companies. The indictment charges that Leslie Lynne Doucette, 35, of 6748 N. Ashland Ave, and 152 associates shared hundreds of stolen credit card numbers by breaking into corporate "voicemail" systems and turning them into computer bulletin boards. Voicemail is a computerized telephone answering machine. After a caller dials the machine's number he punches more numbers on his telephone to place messages in particular voicemail boxes or retrieve messages already there. The indictment charges that the hacker ring obtained more than $9,531.65 of merchandise and $1,453 in Western Union money orders by charging them to stolen bank credit card numbers. It says the group used stolen computer passwords to obtain $38,200 of voicemail servaice and stolen telephone credit card numbers to run up more than $286,362 of telephone service. But the biggest haul, more than $1,291,362, according to the indictment, represented telephone service that was stolen through the use of private branch exchange (BPX) "extender codes." A PBX system provides internl telephone service within a company. If a PBX system is equipped with an extender, a person can call the PBX system, punch in a code, and dial long distance at the expense of the company that owns the system. The only corporate victims of the alleged fraud named in the indictment are August Financial Corp. of Long Beach Calif., and A-1 Beeper Service of Mobile, Ala. Doucette has been held without bond in the Metropolitan Correctional Center since May 24, when she was arested on a raid on her apartment that netted 168 telephone credit card numbers and 39 extender codes, federal authorities said. The indictment does not name any members of the alleged ring, but authorities said the investigation is continuing. U.S. Atty. Anton R. Valukas said the indictment is the nation's first involving abuse of voicemail. "The proliferation of computer assisted telecommunications and the increasing reliance on this equipment by American and international business create a potential for serious harm," he said. Authorities said they discovered the scheme last December after a Rolling Meadows real estate broker reported that hackers had invaded his company' voicemail system and changed passwords. Authorities said they traced the calls into the Rolling Meadows voicemail system to telephones in private homes in Chicago, Columbus, Ohio, and suburban Detroit, Atlanta and Boston. Checks on those phones led them to voicemail systems in companies around the country, they said. >--------=====END=====--------< ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ As you are travelling the dark and misty swamp you come across what appears to be a small cave. You light a torch and enter. You have walked several hundred feet when you stumble into a bright blue portal. . . With a sudden burst of light and a loud explosion you are swept into . . . DRAGONFIRE . . . Press Any Key if You Dare." You have programmed your personal computer to dial into Dragonfire, a computer bulletin board in Gainesville, Texas. But before you get any information, Dragonfire demands your name, home city and phone number. So, for tonight's tour of the electronic wilderness you become Montana Wildhack of San Francisco. Dragonfire, Sherwood Forest (sic), Forbidden Zone, Blottoland, Plovernet, The Vault, Shadowland, PHBI and scores of other computer bulletin boards are hangouts of a new generation of vandals. These precocious teenagers use their electronic skills to play hide-and-seek with computer and telephone security forces. Many computer bulletin boards are perfectly legitimate: they resemble electronic versions of the familiar cork boards in supermarkets and school corridors, listing services and providing information someone out there is bound to find useful. But this is a walk on the wild side, a trip into the world of underground bulletin boards dedicated to encouraging -- and making -- mischief. The phone number for these boards are as closely guarded as a psychiatrist's home telephone number. Some numbers are posted on underground boards; others are exchanged over the telephone. A friendly hacker provided Dragonfire's number. Hook up and you see a broad choice of topics offered. For Phone Phreaks -- who delight in stealing service from AT&T and other phone networks . Phreakenstein's Lair is a potpourri of phone numbers, access codes and technical information. For computer hackers -- who dial into other people's computers -- Ranger's Lodge is chock-full of phone numbers and passwords for government, university and corporate computers. Moving through Dragonfire's offerings, you can only marvel at how conversant these teen-agers are with the technical esoterica of today's electronic age. Obviously they have spent a great deal of time studying computers, though their grammar and spelling indicate they haven't been diligent in other subjects. You are constantly reminded of how young they are. "Well it's that time of year again. School is back in session so let's get those high school computer phone numbers rolling in. Time to get straight A's, have perfect attendance (except when you've been up all night hacking school passwords), and messing up you worst teacher's paycheck." Forbidden Zone, in Detroit, is offering ammunition for hacker civil war --tips on crashing the most popular bulletin-board software. There also are plans for building black, red and blue boxes to mimic operator tones and get free phone service. And he re are the details for "the safest and best way to make and use nitroglycerine," compliments of Doctor Hex, who says he got it "from my chemistry teacher." Flip through the "pages." You have to wonder if this information is accurate. Can this really be the phone number and password for Taco Bell's computer? Do these kids really have the dial-up numbers for dozens of university computers? The temptation is too much. You sign off and have your computer dial the number for the Yale computer. Bingo -- the words Yale University appear on your screen. You enter the password. A menu appears. You hang up in a sweat. You are now a hacker. Punch in another number and your modem zips off the touch tones. Here comes the tedious side of all of this. Bulletin boards are popular. No vacancy in Bates Motel (named for Anthony Perkin's creepy motel in the movie "Psycho"); the line is busy. So are 221 B. Baker Street, PHBI, Shadowland and The Vault, Caesar's Palace rings and connects. This is different breed of board. Caesar's Palace is a combination Phreak board and computer store in Miami. This is the place to learn ways to mess up a department store's anti-shoplifting system, or make free calls on telephones with locks on the dial. Pure capitalism accompanies such anarchy, Caesar's Palace is offering good deals on disc drives, software, computers and all sorts of hardware. Orders are placed through electronic mail messages. 'Tele-Trial': Bored by Caesar's Palace, you enter the number for Blottoland, the board operated by one of the nation's most notorious computer phreaks -- King Blotto. This one has been busy all night, but it's now pretty late in Cleveland. The phone rings and you connect. To get past the blank screen, type the secondary password "S-L-I-M-E." King Blotto obliges, listing his rules: he must have your real name, phone number, address, occupation and interests. He will call and disclose the primary password, "if you belong on this board." If admitted, do not reveal the phone number or the secondary password, lest you face "tele-trial," the King warns as he dismisses you by hanging up. You expected heavy security, but this teenager's security is, as they say, awesome. Computers at the Defense Department and hundreds of businesses let you know when you've reached them. Here you need a password just to find out what system answered the phone. Then King Blotto asks questions -- and hangs up. Professional computer-security experts could learn something from this kid. He knows that ever since the 414 computer hackers were arrested in August 1982, law-enforcement officers have been searching for leads on computer bulletin boards. "Do you have any ties to or connections with any law enforcement agency or any agency which would inform such a law enforcement agency of this bulletin board?" Such is the welcoming message from Plovernet, a Florida board known for its great hacker/phreak files. There amid a string of valid VISA and MasterCard numbers are dozens of computer phone numbers and passwords. Here you also learn what Blotto means by tele-trial. "As some of you may or may not know, a session of the conference court was held and the Wizard was found guilty of some miscellaneous charges, and sentenced to four months without bulletin boards." If Wizard calls, system operators like King Blotto disconnect him. Paging through bulletin boards is a test of your patience. Each board has different commands. Few are easy to follow, leaving you to hunt and peck your way around. So far you haven't had the nerve to type "C," which summons the system operator for a live, computer-to-computer conversation. The time, however, however has come for you to ask a few questions of the "sysop." You dial a computer in Boston. It answers and you begin working your way throughout the menus. You scan a handful of dial- up numbers, including one for Arpanet, the Defense Department's research computer. Bravely tap C and in seconds the screen blanks and your cursor dances across the screen. Hello . . . What kind of computer do you have? Contact. The sysop is here. You exchange amenities and get "talking." How much hacking does he do? Not much, too busy. Is he afraid of being busted, having his computer confiscated like the Los Angeles man facing criminal changes because his computer bulletin board contained a stolen telephone-credit-card number? "Hmmmm . . . No," he replies. Finally, he asks the dreaded question: "How old are you?" "How old are YOU," you reply, stalling. "15," he types. Once you confess and he knows you're old enough to be his father, the conversation gets very serious. You fear each new question; he probably thinks you're a cop. But all he wants to know is your choice for president. The chat continues, until he asks, "What time is it there?" Just past midnight, you reply. Expletive. "it's 3:08 here," Sysop types. "I must be going to sleep. I've got school tomorrow." The cursor dances "*********** Thank you for Calling." The screen goes blank. Epilog: A few weeks after this reporter submitted this article to Newsweek, he found that his credit had been altered, his drivers' licence revoked, and EVEN HIS Social Security records changed! Just in case you all might like to construe this as a 'Victimless' crime. The next time a computer fouls up your billing on some matter, and COSTS YOU, think about it! This the follow-up to the previous article concerning the Newsweek reporter. It spells out SOME of the REAL dangers to ALL of us, due to this type of activity! The REVENGE of the Hackers In the mischievous fraternity of computer hackers, few things are prized more than the veil of secrecy. As NEWSWEEK San Francisco correspondent Richard Sandza found out after writing a story on the electronic unnerving. Also severe.... Sandza's report: "Conference!" someone yelled as I put the phone to my ear. Then came a mind-piercing "beep," and suddenly my kitchen seemed full of hyperactive 15-year-olds. "You the guy who wrote the article in NEWSWEEK?" someone shouted from the depths of static, and giggles. "We're going disconnect your phone," one shrieked. "We're going to blow up your house," called another. I hung up. Some irate readers write letters to the editor. A few call their lawyers. Hackers, however, use the computer and the telephone, and for more than simple comment. Within days, computer "bulletin boards" around the country were lit up with attacks on NEWSWEEK's "Montana Wildhack" (a name I took from a Kurt Vonnegut character), questioning everything from my manhood to my prose style. "Until we get real good revenge," said one message from Unknown Warrior, "I would like to suggest that everyone with an auto-l modem call Montana Butthack then hang up when he answers." Since then the hackers of America have called my home at least 2000 times. My harshest critics communicate on Dragonfire, a Gainesville, Texas, bulletin board where I am on teletrial, a video-lynching in which a computer user with grievance dials the board and presses charges against the offending party. Other hackers -- including the defendant --post concurrences or rebuttals. Despite the mealtime interruptions, all this was at most a minor nuisance; some was amusing, even fun. FRAUD: The fun stopped with a call from a man who identified himself only as Joe. "I'm calling to warn you," he said. When I barked back, he said, "Wait, I'm on your side. Someone has broken into TRW and obtained a list of all your credit-card numbers, your home address, social-security number and wife's name and is posting it on bulletin boards around the country." He named the charge cards in my wallet. Credit-card numbers are a very hot commodity among some hackers. To get one from a computer system and post it is the hacker equivalent of making the team. After hearing from Joe I visited the local office of the TRW credit bureau and got a copy of my credit record. Sure enough, it showed a Nov. 13 inquiry by the Lenox (Mass.) Savings Bank, an institution with no reason whatever to ask about me. Clearly some hacker had used Lenox's password to the TRW computers to get to my files (the bank has since changed the password). It wasn't long before I found out what was being done with my credit-card numbers, thanks to another friendly hacker who tipped me to Pirate 80, a bulletin board in Charleston, W.Va., where I found this: "I'm sure you guys have heard about Richard Stza or Montana Wildhack. He's the guy who wrote the obscene story about phreaking in NewsWeek Well, my friend did a credit card check on TRW . . . try this number, it' a VISA . . . Please nail this guy bad . . . Captain Quieg. Captain Quieg may himself be nailed. He has violated the Credit Card Fraud Act of 1984 signed by President Reagan on Oct. 12. The law provides a $10,000 fine and up to a 15-year prison term for "trafficking" in illegally obtained credit-card account numbers. He "friend" has committed a felony violation of the California computer-crime law. TRW spokeswoman Delia Fernandex said that TRW would "be more than happy to prosecute" both of them. TRW has good reason for concern. Its computers contain the credit histories of 120 million people. Last year TRW sold 50 million credit reports on their customers. But these highly confidential personal records are so poorly guarded that computerized teenagers can ransack the files and depart undetected. TRW passwords -- unlike many others -- often print out when entered by TRW's customers. Hackers then look for discarded printouts. A good source: the trash of banks and automobile dealerships, which routinely do credit checks. "Everybody hacks TRW," says Cleveland hacker King Blotto, whose bulletin board has security system the Pentagon would envy. "It's the easiest." For her her part, Fernandez insists that TRW "does everything it can to keep the system secure In my case, however, that was not enough. My credit limits would hardly support big-time fraud, but victimization takes many forms. Another hacker said it was likely that merchandise would be ordered in my name and shipped to me -- just to harass me. I used to use credit-card numbers against someone I didn't like," the hacker said. "I'd call Sears and have a dozen toilets shipped to his house." Meanwhile, back on Dragonfire, my teletrial was going strong. The charges, as pressed my Unknown Warrior, include "endangering all phreaks and hacks." The judge in this case is a hacker with the apt name of Ax Murderer. Possible sentences range from exile from the entire planet" to "kill the dude." King Blotto has taken up my defense, using hacker power to make his first pleading: he dialed up Dragonfire, broke into its operating system and "crashed" the bulletin board, destroying all of its messages naming me. The board is back up now, with a retrial in full swing. But then, exile from the electronic underground looks better all the time. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ******************************************************* * PHILE 6: ILLINOIS AND TEXAS COMPUTER STATUTES * ******************************************************* We're trying to collect as many anti-computer abuse statutes as we can from each state. We're also looking for anti-piracy laws and articles pass any complete texts along to us as you can. A good place to upload text files like this is PC-EXEC (414-964-5160) to make them widely available. Pass them along to us as well. +++++++++++++++++++++++++++++++++++++++++++++++++ + ILLINOIS COMPUTER STATUTE + +++++++++++++++++++++++++++++++++++++++++++++++++ (GPHILE FROM RIPCO) This file is a copy of the law which was passed last September and covers the description and penalties for "HACKING". It is of course, written in legal gibberish so some of you who got out of grammer school should be able to follow it. Full credit for this file goes to the SysOp of ORGASM! c1984. The following is the text of HOUSE BILL 3204, The Computer Tresspass Act of 1984, Illinois. HB3204 Enrolled (Illinois, Effective 18 September, 1984) AN ACT to protect the public from electronic tresspass and computer fraud. BE IT ENACTED BY THE PEOPLE OF THE STATE OF ILLINOIS, represented in the GENERAL ASSEMBLY: SECTION 1. Section 16-9 of the "Criminal Code of 1961", approved July 28, 1961, as amended, is amended to read as follows: (Ch. 38, par. 16-9) Sec. 16-9. UNLAWFUL USE OF A COMPUTER. (a) As used in this Section Part-8: 1. "COMPUTER" means an internally programmed, general purpose digital device capable of automatically accepting data, processing data and supplying the results of the operation. 2. "COMPUTER SYSTEM" means a set of related, connected or unconnected devices, including a computer and other devices, including but not limited to data input and output and storage devices, data communications circuits, and operating system computer programs and data, that make the system capable of performing the special purpose data processing tasks for which it is specified. 3. "COMPUTER PROGRAM" means a series of coded instructions or statements in a form acceptable to a computer to process data in order to achieve a certain result. 4. "TELECOMMUNICATION" means the transmission of information in intrastate commerce by means of a wire, cable, glass, microwave, satellite or electronic impulses, and any other transmission of signs, signals, writing, images, sounds, or other matter by electronic or other electromagnetic system. 5. "ELECTRONIC BULLETIN BOARD" means any created information stored in a data base or computer or computer system designed to hold and display passwords or enter keys made available for the use of gaining authorized entry to a computer of computer system or access to telephone lines of telecommunications facilities. 6. "IDENTIFICATION CODES/PASSWORD SYSTEMS" means confidential information that allows private protected access to computer and computer systems. 7. "ACCESS" means to approach, instruct, communicate with, store data in, retrieve or intercept data from, or otherwise make use of any resources or a computer, computer system, or computer network. 8. "COMPUTER NETWORK" means a set of two or more computer systems that transmit data over communications circuits connection time. 9. "DATA" means a representation of information, knowledge, facts, concepts, or instructions which are being prepared or have been prepared in a fomalized manner, and is intended to be stored or processed, or is being stored or processed, in a computer, computer system , or network, which shall be classified as property: and which may be in any form, including but not limited to, computer printouts, magnetic storage media, punch cards, or stored in memory, of the computer, computer system, or network. 10. "FINANCIAL INSTRUMENTS" means, but is not limited to, any check, cashiers check, draft, warrant, money order, certificate of deposit, negotiable instrument, letter of credit, bill of exchange, credit card, debit card, or marketable security, or any computer system representation thereof. 11. "PROPERTY" means, but is not limited to, electronic impulses, electronically produced data, information, financial instruments, software or programs, in either machine or human readable form, any other tangible item relating to a computer, computer system, computer network, any copies thereof. 12. "SERVICES" means, but is not limited to, computer time, data manipulation, and storage functions. (b) A person knowingly commits unlawful use of a computer when he: 1. Knowingly gains access to or obtains the use of a computer system, or any part thereof, without the consent of the owner (as defined in Section 15-2); or 2. Knowingly alters or destroys computer programs of data without the consent of the owner (as defined in Section 15-2); or 3. Knowingly obtains use of, alters, damages or destroys a computer system, or any part thereof, as a part of a deception for the purpose of obtaining money, property, or services from the owner of a computer system (as defined in Section 15-2); or 4. Knowingly accesses or causes to be accessed any computer, computer system, or computer network for the purpose of (1) devising or executing any scheme or artifice to defraud or (2) obtaining money, property, or services by means of fraudulent pretenses, representations, or promises. (c) SENTENCE: 1. A person convicted of a violation of subsections (b) (1) or (2) of this Section where the value of the use, alteration, or destruction is $1,000.00 or less shall be guilty of a petty offense. 2. A person convicted of a violation of subsections (b) (1) or (2) of ths section where the value of the use, alteration, or destruction is more than 1,000.00 shall be guilty of a Class A misdemeanor. 3. A person convicted of a violation of subsections (b) (3) or (4) of this Section where the value of the money, property, or services obtained is $1,000.00 or less shall be guilty of a Class A misdemeanor. 4. A person convicted of a violation of subsections (b) (3) of (4) of this Section where the value of the money, property, or services obtained is more than $1,000.00 shall be guilty of a Class 4 felony. (d) CIVIL REMEDIES. Any aggrieved person shall have a right of action in the Circut Court against any person violating any of the provisions of this Section and may recover for each violation: 1. Liquidated damages of $5,000.00 or actual damages, whichever is greater: 2. Reasonable attorney fees: 3 Such other relief, including an injunction, as the court may deem appropriate. Section 2. Section 79 of "AN ACT Concerning Public Utilities", approved June 29, 1921, as amended, is amended to read as follows: (Ch. 111 2/3, par 83) Sec. 79. It is hereby made the duty of the Commission to see that the provisions of the Constitution and statutes of this State, affecting public utilities, the enforcement of which is not specifically vested in some other officer or tribunal, are enforced and obeyed, and that violations thereof are promptly prosecuted and penalties due the State therefor recovered and collected, and to this end it may sue in the name of the people of the State. It shall be the duty of the Commission, at the direction and discretion of the Chairman, to assemble and maintain an Electronic Trespass Enforcement assistance Staff, consisting of experts in computer systems, electronics, and other professional disciplines to aid public utilities, businesses, individuals, and law enforcement agencies in detecting and preventing electronic trespass violations and enforcing the provisions of Section 16-9 of the "Criminal Code of 1961", approved July 28, 1961, as amended or any other relevant statute. No cause of action shall exist and no liability may be imposed, either civil or criminal, against the State, the Chairman of the Commission, or any of its members, or any employee of the Commission, for any act or omission by them in performance of any power or duty authorized by this Section, unless such act of omission was performed in bad faith and with intent to injure a particular person. Section 3. This act takes effect upon becoming a law. (signed) Michael J. Madigan, Speaker, House of Representatives. (signed) Philip J. Rock, President of the Senate APPROVED: This 18th day of September, 1984 A.D. (signed) James R. Thompson, Governer ** end ** ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++ + TEXAS COMPUTER LAW + +++++++++++++++++++++++++++++++++++++++++++++++++ >--------=====***=====--------< TEXAS COMPUTER LAW . >--------=====***=====--------< Relating to the creation and prosecution of offenses involving computers; providing penalties and an affirmative defense; adding Chapter 33 to the Penal Code. BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: SECTION 1. Title 7, Penal Code, is amended by adding Chapter 33 to be read as follows: CHAPTER 33. COMPUTER CRIMES Section 33.02. BREACH OF COMPUTER SECURITY. (1) uses a computer without the effective consent of the owner of the computer or a person authorized to license access to the computer and the actor knows that there exists a computer security system intended to prevent him from making that use of the computer; or (2) gains access to data stored or maintained by a computer without the effective consent of the owner or license of the data and the actor knows that there exists a computer security system intended to prevent him from gaining access to that data. (b) A person commits an offense if the person intentionally or knowingly gives a password, identifying code, personal identification number or other confidential information about a computer security system to another person without the effective consent of the person employing their computer security system to restrict the use of a computer or to restrict access to data stored or maintained by a computer. (c) An offense under this section is a Class A misdemeanor. Section 33.03. HARMFUL ACCESS. (a) A person commits an offense if the person intentionally or knowingly: (1) causes a computer to malfunction or interrupts the operation of a computer without the effective consent of the owner of the computer or a person authorized to license access to the computer; or (2) alters, damages, or destroys data or a computer program stored, maintained or produced by a computer without the effective consent of the owner or licensee of the data or computer program. (b) An offense under this section is: (1) a Class B misdemeanor if the conduct did not cause any loss or damage or i the value of the loss or damage caused by the conduct is less than $200; (2) a Class A misdemeanor if value of the loss or damage caused by the conduct is $200 or more but less than $2,500; or (3) a felony of the third degree if value of the loss or damage caused by the conduct is $2,500 or more. Section 33.04. DEFENSE. It is an affirmative defense to prosecution under Section 33.02 and 33.03 of this code that the actor was an officer, employee o agent of a communications common carrier or an electric utility and committed the proscribed act or acts in the course of employment while engaged in an activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the communications common carrier or electric utility. Section 33.05. ASSISTANCE BY ATTORNEY GENERAL. The attorney general, if requested to do so by a prosecuting attorney, may assist the prosecuting attorney in the investigation or prosecution of an offense under this chapter or of any other offense involving the use of a computer. SECTION 2. This act takes effect September 1, 1985 SECTION 3. The importance of this legislation and the crowded condition of the calendars in both houses create an emergency and an imperative public necessity that the constitutional rule requiring bills to be read on three several days in each house be suspended, and this rule is hereby suspended. (SB 72 passed the Senate on March 11, 1985, by a voice vote. The Senate then concurred in House amendment on May 25, 1985 by a voice vote. The House passed the bill, with one amendment, on May 22, 1985: 138-0 with 6 abstentions.) >--------=====***=====--------< Section 33.01 DEFINITIONS. In this chapter: (1) Communications common carrier' means a person who owns or operates a telephone system, in this state that includes equipment or facilities for the conveyance, transmission or reception of communications and who receives compensation from persons who use that system. (2) Computer' means an electronic device that performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage or communication facilities that are connected or related to the device. Computer' includes a network of two or more computers that are interconnected to function or communicate together. (3) Computer program' means an ordered set of data representing coded instructions or statements that when executed by a computer cause the computer to process data or perform certain functions. (4) Computer security system' means the design, procedures, or other measures that the person responsible for the operation and use of a computer employs to restrict the use of the computer to particular persons or uses that the owner or licensee of data stored or maintained by a computer in which the owner or licensee is entitled to store or maintain the data employs to restrict access to the data. (5) Data' means a representation of information, knowledge, facts concepts, or instructions that is being prepared or has been prepared in a formalized manner and is intended to be stored or processed, is being stored o processed or has been stored or processed in a computer. Data may be embodied in any form, including but not limited to computer printouts, magnetic storage media, and punchcards, or may be stored internally in the memory of the computer. (6) Electric utility' has the meaning assigned by Subsection (c), Section 3, Public Utility Regulatory Act (Article 1446c, Vernon's Civil Statutes). >--------=====END=====--------< ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ******************************************************* * PHILE 7: Teleconnect Wants Your Rights * ******************************************************* The Lifeblood of the BBS world is the telephone line. If teleco czars begin abusing their public trust by deciding who we can or cannot call, it endangers not only the BSS world, but fundamental freedoms of expression and assembly. Sometimes individual bureaucrats screw up. They make bad decisions, break agreements, or simply are incompetent. No big deal. The danger comes when, by policy, a national utility attempts to curtail or freedoms. TELECONNECT, a long distance carrier out of Iowa, has done this. The three contributions below illustrate how TELECONNECT has attempted to bully some of its users. In the first, TC attempted to block numbers to a bulletin board. In the second, it monitored one its users and decided who that user could and could not call. The third illustrates Teleconnects arrogance. BBS users tend to be a bit fragmented, and when we have a problem, we deal with it individually. We should start banding together. If you are having, or have had, a problem with your teleco crowd, let us know. We will not print real names without permission. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ BLOCKING OF LONG-DISTANCE CALLS by Jim Schmickley Hawkeye PC, Cedar Rapids, Iowa SUMMARY. This article describes the "blocking" by one long-distance telephone company of access through their system to certain telephone numbers, particularly BBS numbers. The blocking is applied in a very arbitrary manner, and the company arrogantly asserts that BBS SYSOPS and anyone who uses a computer modem are "hackers." The company doesn't really want to discuss the situation, but it appears the following scenario occurred. The proverbial "person or persons unknown" identified one or more "valid" long-distance account numbers, and subsequently used those numbers on one or more occasions to fraudulently call a legitimate computer bulletin board system (BBS). When the long-distance company discovered the fraudulent charges, they "blocked" the line without bothering to investigate or contacting the BBS System Operator to obtain his assistance. In fact, the company did not even determine the SYSOP's name. The long-distance carrier would like to pretend that the incident which triggered the actions described in this article was an isolated situation, not related to anything else in the world. However, there are major principles of free, uninhibited communications and individual rights deeply interwoven into the issue. And, there is still the lingering question, "If one long-distance company is interfering with their customers' communications on little more than a whim, are other long-distant companies also interfering with the American public's right of free 'electronic speech'?" CALL TO ACTION. Your inputs and protests are needed now to counter the long-distance company's claims that "no one was hurt by their blocking actions because nobody complained." Obviously nobody complained for a long time because the line blocking was carried out in such a manner that no one realized, until April 1988, what was being done. Please read through the rest of this article (yes, it's long, but you should find it very interesting) and judge for yourself. Then, please write to the organizations listed at the end of the article; insist that your right to telephone whatever number you choose should not be impaired by the arbitrary decision of some telephone company bureaucrat who really doesn't care about the rights of his customers. Protest in the strongest terms. And, remember: the rights you save WILL BE YOUR OWN! SETTING THE SCENE. Teleconnect is a long-distance carrier and telephone direct marketing company headquartered in Cedar Rapids, Iowa. The company is about eight years old, and has a long-distance business base of approximately 200,000 customers. Teleconnect has just completed its first public stock offering, and is presently (August 1988) involved in a merger which will make it the nation's fourth-largest long-distance carrier. It is a very rapidly-growing company, having achieved its spectacular growth by offering long-distance service at rates advertised as being 15% to 30% below AT&T's rates. When Teleconnect started out in the telephone interconnection business, few, if any, exchanges were set up for "equal access", so the company set up a network of local access numbers (essentially just unlisted local PABXs - private automatic branch exchanges) and assigned a six-digit account number to each customer. Later, a seventh "security" digit was added to all account numbers. (I know what you're thinking - what could be easier for a war-games dialer than to seek out "valid" seven-digit numbers?) Teleconnect now offers direct "equal access" dialing on most exchanges. But, the older access number/account code system is still in place for those exchanges which do not offer "equal access." And, that system is still very useful for customers who place calls from their offices or other locations away from home. "BLOCKING" DISCOVERED. In early April 1988, a friend mentioned that Teleconnect was "blocking" certain telephone lines where they detected computer tone. In particular, he had been unable to call Curt Kyhl's Stock Exchange BBS in Waterloo, Iowa. This sounded like something I should certainly look into, so I tried to call Curt's BBS. CONTACT WITH TELECONNECT. Teleconnect would not allow my call to go through. Instead, I got a recorded voice message stating that the call was a local call from my location. A second attempt got the same recorded message. At least, they were consistent. I called my Teleconnect service representative and asked just what the problem was. After I explained what happened, she suggested that it must be a local call. I explained that I really didn't think a 70 mile call from Cedar Rapids to Waterloo was a local call. She checked on the situation and informed me that the line was being "blocked." I asked why, and she "supposed it was at the customer's request." After being advised that statement made no sense, she admitted she really didn't know why. So, on to her supervisor. The first level supervisor verified the line was being "blocked by Teleconnect security", but she couldn't or wouldn't say why. Then, she challenged, "Why do you want to call that number?" That was the wrong question to ask this unhappy customer, and the lady quickly discovered that bit of information was none of her business, And, on to her supervisor. The second level supervisor refused to reveal any information of value to a mere customer, but she did suggest that any line Teleconnect was blocking could still be reached through AT&T or Northwestern Bell by dialing 10288-1. When questioned why Teleconnect, which for years had sold its long-distance service on the basis of a cost-saving over AT&T rates, was now suggesting that customers use AT&T, the lady had no answer. I was then informed that, if I needed more information, I should contact Dan Rogers, Teleconnect's Vice President for Customer Service. That sounded good; "Please connect me." Then, "I'm sorry, but Mr. Rogers is out of town, and won't be back until next week." "Next week?" "But he does call in regularly. Maybe he could call you back before that." Mr. Rogers did call me back, later that day, from Washington, D.C. where he and some Teleconnect "security people" were attending a conference on telephone security. TELECONNECT RESPONDS, A LITTLE. Dan Rogers prefaced his conversation with, "I'm just the mouthpiece; I don't understand all the technical details. But, our security people are blocking that number because we've had some problems with it in the past." I protested that the allegation of "problems" didn't make sense because the number was for a computer bulletin board system operated by a reputable businessman, Curt Kyhl. Mr. Rogers said that I had just given Teleconnect new information; they had not been able to determine whose number they were blocking. "Our people are good, but they're not that good. Northwestern Bell won't release subscriber information to us." And, when he got back to his office the following Monday, he would have the security people check to see if the block could be removed. The following Monday, another woman from Teleconnect called to inform me that they had checked the line, and they were removing the block from it. She added the comment that this was the first time in four years that anyone had requested that a line be unblocked. I suggested that it probably wouldn't be the last time. In a later telephone conversation, Dan Rogers verified that the block had been removed from Curt Kyhl's line, but warned that the line would be blocked again "if there were any more problems with it." A brief, non-conclusive discussion of Teleconnect's right to take such action then ensued. I added that the fact that Teleconnect "security" had been unable to determine the identity of the SYSOP of the blocked board just didn't make sense; that it didn't sound as if the "security people" were very competent. Mr. Rogers then admitted that every time the security people tried to call the number, they got a busy signal (and, although Mr. Rogers didn't admit it, they just "gave up", and arbitrarily blocked the line.) Oh, yes, the lying voice message, "This is a local call...", was not intended to deceive anyone according to Dan Rogers. It was just that Teleconnect could only put so many messages on their equipment, and that was the one they selected for blocked lines. BEGINNING THE PAPER TRAIL. Obviously, Teleconnect was not going to pay much attention to telephone calls from mere customers. On April 22, Ben Blackstock, practicing attorney and veteran SYSOP, wrote to Mr. Rogers urging that Teleconnect permit their customers to call whatever numbers they desired. Ben questioned Teleconnect's authority to block calls, and suggested that such action had serious overlays of "big brother." He also noted that "you cannot punish the innocent to get at someone who is apparently causing Teleconnect difficulty." Casey D. Mahon, Senior Vice President and General Counsel of Teleconnect, replied to Ben Blackstock's letter on April 28th. This response was the start of Teleconnect's seemingly endless stream of vague, general allegations regarding "hackers" and "computer billboards." Teleconnect insisted they did have authority to block access to telephone lines, and cited 18 USC 2511(2)(a)(i) as an example of the authority. The Teleconnect position was summed up in the letter: "Finally, please be advised the company is willing to 'unblock' the line in order to ascertain whether or not illegal hacking has ceased. In the event, however, that theft of Teleconnect long distance services through use of the bulletin board resumes, we will certainly block access through the Teleconnect network again and use our authority under federal law to ascertain the identity of the hacker or hackers." THE GAUNTLET IS PICKED UP. Mr. Blackstock checked the cited section of the U.S. Code, and discovered that it related only to "interception" of communications, but had nothing to do with "blocking". He advised me of his opinion and also wrote back to Casey Mahon challenging her interpretation of that section of federal law. In his letter, Ben noted that, "Either Teleconnect is providing a communication service that is not discriminatory, or it is not." He added that he would "become upset, to say the least" if he discovered that Teleconnect was blocking access to his BBS. Mr. Blackstock concluded by offering to cooperate with Teleconnect in seeking a declaratory judgment regarding their "right" to block a telephone number based upon the actions of some third party. To date, Teleconnect has not responded to that offer. On May 13th, I sent my own reply to Casey Mahon, and answered the issues of her letter point by point. I noted that even I, not an attorney, knew the difference between "interception" and "blocking", and if Teleconnect didn't, they could check with any football fan. My letter concluded: "Since Teleconnect's 'blocking' policies are ill-conceived, thoughtlessly arbitrary, anti-consumer, and of questionable legality, they need to be corrected immediately. Please advise me how Teleconnect is revising these policies to ensure that I and all other legitimate subscribers will have uninhibited access to any and all long-distance numbers we choose to call." Casey Mahon replied on June 3rd. Not unexpectedly, she brushed aside all my arguments. She also presented the first of the sweeping generalizations, with total avoidance of specifics, which we have since come to recognize as a Teleconnect trademark. One paragraph neatly sums Casey Mahon's letter: "While I appreciate the time and thought that obviously went into your letter, I do not agree with your conclusion that Teleconnect's efforts to prevent theft of its services are in any way inappropriate. The inter-exchange industry has been plagued, throughout its history, by individuals who devote substantial ingenuity to the theft of long distance services. It is not unheard of for an interexchange company to lose as much as $500,000 a month to theft. As you can imagine, such losses, over a period of time, could drive a company out of business." ESCALATION. By this time it was very obvious that Teleconnect was going to remain recalcitrant until some third party, preferably a regulatory agency, convinced them of the error of their ways. Accordingly, I assembled the file and added a letter of complaint addressed to the Iowa Utilities Board. The complaint simply asked that Teleconnect be directed to institute appropriate safeguards to ensure that "innocent third parties" would no longer be adversely affected by Teleconnect's arbitrary "blocking" policies. My letter of complaint was dated July 7th, and the Iowa Utilities Board replied on July 13th. The reply stated that Teleconnect was required to respond to my complaint by August 2nd, and the Board would then propose a resolution. If the proposed resolution was not satisfactory, I could request that the file be reopened and the complaint be reconsidered. If the results of that action were not satisfactory, a formal hearing could be requested. After filing the complaint, I also sent a copy of the file to Congressman Tom Tauke. Mr. Tauke represents the Second Congressional District of Iowa, which includes Cedar Rapids, and is also a member of the House Telecommunica-tions Subcommittee. I have subsequently had a personal conversation with Mr. Tauke as well as additional correspondence on the subject. He seems to have a deep and genuine interest in the issue, but at my request, is simply an interested observer at this time. It is our hope that the Iowa Utilities Board will propose an acceptable resolution without additional help. AN UNRESPONSIVE RESPONSE. Teleconnect's "response" to the Iowa Utilities Board was filed July 29th. As anticipated, it was a mass of vague generalities and unsubstantiated allegations. However, it offered one item of new, and shocking, information; Curt Kyhl's BBS had been blocked for ten months, from June 6, 1987 to mid-April 1988. (At this point it should be noted that Teleconnect's customers had no idea that the company was blocking some of our calls. We just assumed that calls weren't going through because of Teleconnect's technical problems.) Teleconnect avoided putting any specific, or even relevant, information in their letter. However, they did offer to whisper in the staff's ear; "Teleconnect would be willing to share detailed information regarding this specific case, and hacking in general, with the Board's staff, as it has in the past with various federal and local law enforcement agencies, including the United States Secret Service. Teleconnect respectfully requests, however, that the board agree to keep such information confidential, as to do otherwise would involve public disclosure of ongoing investigations of criminal conduct and the methods by which interexchange carriers, including Teleconnect, detect such theft." There is no indication of whether anyone felt that such a "confidential" meeting would violate Iowa's Open Meetings Law. And, nobody apparently questioned why, during a ten-months long "ongoing investigation", Teleconnect seemed unable to determine the name of the individual whose line they were blocking. Of course, whatever they did was justified because (in their own words), "Teleconnect had suffered substantial dollar losses as a result of the theft of long distance services by means of computer 'hacking' utilizing the computer billboard which is available at that number." Teleconnect's most vile allegation was, "Many times, the hacker will enter the stolen authorization code on computer billboards, allowing others to steal long distance services by utilizing the code." But no harm was done by the blocking of the BBS number because, "During the ten month period the number was blocked, Teleconnect received no complaints from anyone claiming to be the party to whom the number was assigned." The fact that Curt Kyhl had no way of knowing his line was being blocked might have had something to do with the fact that he didn't complain. It was also pointed out that I really had no right to complain since, "First, and foremost, Mr. Schmickley is not the subscriber to the number." That's true; I'm just a long-time Teleconnect customer who was refused service because of an alleged act performed by an unknown third party. Then Teleconnect dumped on the Utilities Board staff a copy of a seven page article from Business Week Magazine, entitled "Is Your Computer Secure?" This article was totally unrelated to the theft of long-distance service, except for an excerpt from a sidebar story about a West German hackers' club. The story reported that, "In 1984, Chaos uncovered a security hole in the videotex system that the German telephone authority, the Deutsche Bundespost, was building. When the agency ignored club warnings that messages in a customer's private electronic mailbox weren't secure, Chaos members set out to prove the point. They logged on to computers at Hamburger Sparkasse, a savings bank, and programmed them to make thousands of videotex calls to Chaos headquarters on one weekend. After only two days of this, the bank owed the Bundespost $75,000 in telephone charges." RESOLUTION WITH A RUBBER STAMP. The staff of the Iowa Utilities Board replied to my complaint by letter on August 19th. They apparently accepted the vague innuendo submitted by Teleconnect without any verification; "Considering the illegal actions reportedly to be taking place on number (319) 236-0834, it appears the blocking was reasonable. However, we believe the Board should be notified shortly after the blocking and permission should be obtained to continue the blocking for any period of time." However, it was also noted that, "Iowa Code 476.20 (1) (1987) states, 'A utility shall not, except in cases of emergency, discontinue, reduce, or impair service to a community or a part of a community, except for nonpayment of account or violation of rules and regulations, unless and until permission to do so is obtained from the Board." The letter further clarified, "Although the Iowa Code is subject to interpretation, it appears to staff that 'emergency' refers to a relatively short time..." CONSIDER THE EVIDENCE. Since it appeared obvious that the Utilities Board staff had not questioned or investigated a single one of Teleconnect's allegations, the staff's response was absolutely astounding. Accordingly, I filed a request for reconsideration on August 22nd. Three points were raised in the request for reconsideration: (1) The staff's evaluation should have been focused on the denial of service to me and countless others of Teleconnect's 200,000 customers, and not just on the blocking of incoming calls to one BBS. (2) The staff accepted all of Teleconnect's allegations as fact, although not one bit of hard evidence was presented in support of those allegations. (3) In the words of the staff's own citation, it appeared that Teleconnect had violated Iowa Code 476.20 (1) (1987) continuously over a ten months' period, perhaps as long as four years. Since Teleconnect had dumped a seven page irrelevant magazine article on the staff, it seemed only fair to now offer a two page completely relevant story to them. This was "On Your Computer - Bulletin Boards", from the June 1988 issue of "Changing Times". This excellent article cited nine BBSs as "good places to get started". Among the nine listed BBSs was Curt Kyhl's "Stock Exchange, Waterloo, Iowa (319-236-0834)." Even the geniuses at Teleconnect ought to be able to recognize that this BBS, recommended by a national magazine, is the very same one they blocked for ten months. MEANWHILE, BACK AT THE RANCH. You are now up-to-date on the entire story. Now, we are in the process of spreading the word so that all interested people can contact the Iowa authorities so they will get the message that this case is much bigger than the blocking of one BBS. YOU can help in two ways: First, upload this file to bulletin boards you call. Let's get this message distributed to BBS and modem users across the nation, because the threat is truly to communications across the nation. Second, read the notice appended to this article, and ACT. The notice was distributed at the last meeting of Hawkeye PC Users' Group. If you are a Teleconnect customer, it is very important that you write the agencies listed on the notice. If you are not a Teleconnect customer, but are interested in preserving your rights to uninhibited communications, you can help the cause by writing to those agencies, also. Please, people, write now! Before it is too late! T E L E C O N N E C T C U S T O M E R S = = = = = = = = = = = = = = = = = = = = = = = = If you are user of Teleconnect's long distance telephone service, you need to be aware of their "blocking" policy: Teleconnect has been "lashing out" against the callers of bulletin boards and other "computer numbers" by blocking access of legitimate subscribers to certain phone numbers to which calls have been made with fraudulent Teleconnect charge numbers. Curt Kyhl's Stock Exchange Bulletin Board in Waterloo has been "blocked" in such a manner. Teleconnect representatives have indicated that other "computer numbers" have been the objects of similar action in the past, and that they (Teleconnect) have a "right" to continue such action in the future. Aside from the trampling of individual rights guaranteed by the Bill of Rights of the U.S. Constitution, this arbitrary action serves only to "punish the innocent" Teleconnect customers and bulletin board operators, while doing absolutely nothing to identify, punish, or obtain payment from the guilty. The capping irony is that Teleconnect, which advertises as offering significant savings over AT&T long-distance rates, now suggests to complaining customers that the blocked number can still be dialed through AT&T. Please write to Teleconnect. Explain how long you have been a customer, that your modem generates a significant amount of the revenue they collect from you, and that you strongly object to their abritrarily deciding what numbers you may or may not call. Challenge their "right" to institute a "blocking" policy and insist that the policy be changed. Send your protests to: Teleconnect Company Mr. Dan Rogers, Vice President for Customer Service 500 Second Avenue, S.E. Cedar Rapids, Iowa 52401 A complaint filed with the Iowa Utilities Board has been initially resolved in favor of Teleconnect. A request for reconsideration has been filed, and the time is NOW for YOU to write letters to the State of Iowa. Please write NOW to: Mr. Gerald W. Winter, Supervisor, Consumer Services Iowa State Utilities Board Lucas State Office Building Des Moines, Iowa 50319 And to: Mr. James Maret Office of the Consumer Advocate Lucas State Office Building Des Moines, Iowa 50319 Write now. The rights you save WILL be your own. August 28,1988 After filing a request for reconsideration of my complaint, I received a reply from the Iowa State Utilities Board which said, in part: "Thank you for your letter dated August 22, 1988, with additional comments concerning your complaint on the blocking of access to certain telephone numbers by Teleconnect. "To ensure that the issues are properly investigated, we are forwarding your comments to the company and requesting a response by September 15, 1988." Again, this is a very large issue. Simply stated, it is: Does ANY telephone company have the right to "block" (or refuse to place) calls to ANY number on the basis of unsubstantiated, uninvestigated charges of "telephone fraud", especially when the alleged fraud was committed by a third party without the knowledge of the called party? In the specific case, the question becomes; Can a long distance carrier refuse to handle calls to a BBS solely because some unknown crook has placed fraudulently-charged calls to that BBS? Read BLOCKERS.ARC, and then make YOUR voice be heard by lodging protests with the agencies listed in that file. Incidentally, when you write, please cite file number C-88-161. If you have any additional information which might be helpful in this battle, please let me know. I check the following BBSs very regularly: Hawkeye RBBS, Ben Blackstock, SYSOP 319-363-3314 ($15/year) The Forum, John Oren, SYSOP 319-365-3163 (Register Free) You can also send info to me via U.S. Mail to: 7441 Commune Court, N.E. Cedar Rapids, Iowa 52402 I hope that, by this time, you realize how significant this battle is for all of us. If we lose, it opens the door for telephone companies to dictate to us just who we can (or cannot) call, especially with modems. We CAN'T let that happen! And, thanks for your support. Jim Schmickley Hawkeye PC Users' Group Cedar Rapids, Iowa ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ (Reprinted with permisson from author) 17 November, 1988 Customer Service Teleconnect P.O. Box 3013 Cedar Rapids, IA 52406-9101 Dear Persons: I am writing in response to my October Teleconnect bill, due 13 November, for $120.76. As you can see, it has not yet been paid, and I would hope to delay payment until we can come to some equi- table resolution of what appears to be a dispute. The records should show that I have paid previous bills responsibly. Hence, this is neither an attempt to delay nor avoid payment. My account number is: 01-xxxx-xxxxxx. My user phone is: 815-xxx- xxxx. The phone of record (under which the account is regis- tered) is: 815-xxx-xxxx. If possible, you might "flag" my bill so I will not begin receiv- ing dunning notices until we resolve the problem. I have several complaints. One is the bill itself, the other is the service. I feel my bill has been inflated because of the poor quality of the service you provide to certain areas of the coun- try. These lines are computer lines, and those over which the dispute occurs are 2400 baud lines. Dropping down to 1200 baud does not help much. As you can see from my bill, there are numer- ous repeat calls made to the same location within a short period of time. The primary problems occured to the following loca- tions: 1. Highland, CA 714-864-4592 2. Montgomery, AL 205-279-6549 3. Fairbanks, AK 907-479-7215 4. Lubbock, TX 806-794-4362 5. Perrine, FL 305-235-1645 6. Jacksonville, FL 904-721-1166 7. San Marcos, TX 512-754-8182 8. Birmingham, AL 205-979-8409 9. N. Phoenix, AZ 602-789-9269 The problem is simply that, to these destinations, Teleconnect can simply not hold a line. AT&T can. Although some of these des- tinations were held for a few minutes, generally, I cannot depend on TC service, and have more recently begun using AT&T instead. Even though it may appear from the records that I maintained some contact for several minutes, this time was useless, because I cold not complete my business, and the time was wasted. An equi- table resolution would be to strike these charges from my bill. I would also hope that the calls I place through AT&T to these destinations will be discounted, rather than pay the full cost. I have enclosed my latest AT&T bill, which includes calls that I made through them because of either blocking or lack of quality service. If I read it correctly, no discount was taken off. Is this correct? As you can see from the above list of numbers, there is a pattern in the poor quality service: The problem seems to lie in Western states and in the deep south. I have no problem with the midwest or with numbers in the east. I have been told that I should call a service representative when I have problems. This, however, is not an answer for several rea- sons. First, I have no time to continue to call for service in the middle of a project. The calls tend to be late at night, and time is precious. Second, on those times I have called, I either could not get through, or was put on hold for an indeterminable time. Fourth, judging from comments I have received in several calls to Teleconnect's service representatives, these seem to be problems for which there is no immediate solution, thus making repeated calls simply a waste of time. Finally, the number of calls on which I would be required to seek assistance would be excessive. The inability to hold a line does not seem to be an occasional anomaly, but a systematic pattern that suggests that the service to these areas is, indeed, inadequate. A second problem concerns the Teleconnect policy of blocking cer- tain numbers. Blocking is unacceptable. When calling a blocked number, all one receives is a recorded message that "this is a local call." Although I have complained about this once I learned of the intentional blocking, the message remained the same. I was told that one number (301-843-5052) would be unblocked, and for several hours it was. Then the blocking resumed. A public utility simply does not have the right to determine who its customers may or may not call. This constitutes a form of censorship. You should candidly tell your customers that you must approve of their calls or you will not place them. You also have the obligation to provide your customers with a list of those numbers you will not service so that they will not waste their time attempting to call. You might also change the message that indicates a blocked call by saying something "we don't approve of who you're calling, and won't let you call." I appreciate the need to protect your customers. However, block- ing numbers is not appropriate. It is not clear how blocking aids your investigation, or how blocking will eliminate whatever prob- lems impelled the action. I request the following: 1. Unblock the numbers currently blocked. 2. Provide me with a complete list of the numbers you are blocking 3. End the policy of blocking. I feel Teleconnect has been less than honest with its customers, and is a bit precipitous in trampling on rights, even in a worthy attempt to protect them from abuses of telephone cheats. How- ever, the poor quality of line service, combined with the appar- ent violation of Constitutional rights, cannot be tolerated. Those with whom I have spoken about this matter are polite, but the bottom line is that they do not respond to the problem. I would prefer to pay my bill only after we resolve this. Cheerfully, (Name removed by request) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ /*/ ST*ZMAG SPECIAL REPORT - by Jerry Cross /*/ (reprinted from Vol. #28, 7 July, 1989) =============================================== TELECONNECT CALL BLOCKING UPDATE Ctsy (Genesee Atari Group) Background ========== At the beginning of last year one of my bbs users uploaded a file he found on another bbs that he thought I would be interested in. It detailed the story of an Iowa bbs operator who discovered that Teleconnect, a long distance carrier, was blocking incoming calls to his bbs without his or the callers knowledge. As an employee of Michigan Bell I was very interested. I could not understand how a company could interfere with the transmissions of telephone calls, something that was completely unheard of with either AT&T or Michigan Bell in the past. The calls were being blocked, according to Teleconnect public relations officials, because large amounts of fraudulent calls were being placed through their system. Rather than attempting to discover who was placing these calls, Teleconnect decided to take the easy (and cheap) way out by simply block access to the number they were calling. But the main point was that a long distance company was intercepting phone calls. I was very concerned. I did some investigating around the Michigan area to see what the long distance carriers were doing, and if they, too, were intercepting or blocking phone calls. I also discovered that Teleconnect was just in the process of setting up shop to serve Michigan. Remember, too, that many of the former AT&T customers who did not specify which long distance carrier they wanted at the time of the AT&T breakup were placed into a pool, and divided up by the competing long distance companies. There are a number of Michigan users who are using certain long distance carriers not of their choice. My investigation discovered that Michigan Bell and AT&T have a solid, computer backed security system that makes it unnecessary for them to block calls. MCI, Sprint, and a few other companies would not comment or kept passing me around to other departments, or refused to comment about security measures. I also discussed this with Michigan Bell Security and was informed that any long distance company that needed help investigating call fraud would not only receive help, but MBT would actually prepare the case and appear in court for prosecution! My calls to Teleconnect were simply ignored. Letters to the public service commission, FCC, and other government departments were also ignored. I did, however, get some cooperation from our U.S. Representative Dale Kildee, who filed a complaint in my name to the FCC and the Interstate Commerce Commission. What follows is their summary of an FCC investigation to Mr. Kildee's office. ---- Dear Congressman Kildee: This is in further response to your October 18, 1988 memorandum enclosing correspondence from Mr. Gerald R. Cross, President of the Genesee Atari Group in Flint, Michigan concerning a reported incidence of blocking calls from access to Curt Kyhl's Stock Exchange Bulletin Board System in Waterloo, Iowa by Teleconnect, a long distance carrier. Mr. Cross, who also operates a bulletin board system (bbs), attaches information indicating that Teleconnect blocked callers from access via its network to Mr. Kyhl's BBS number in an effort to prevent unauthorized use of its customers' long distance calling authorization codes by computer "hackers". Mr. Cross is concerned that this type of blocking may be occurring in Michigan and that such practice could easily spread nationwide, thereby preventing access to BBSs by legitimate computer users. On November 7, 1988, the Informal Complaints Branch of the Common Carrier Bureau directed Teleconnect to investigate Mr. Cross' concerns and report the results of its investigation to this Commission. Enclosed, for your information, is a copy of Teleconnect's December 7, 1988 report and its response to a similar complaint filed with this Commission by Mr. James Schmickley. In accordance with the commission's rules, the carrier should have forwarded a copy of its December 7, 1988 report to Mr. Cross at the same time this report was filed with the Commission. I apologize for the delay in reporting the results of our investigation to your office. Teleconnect's report states that it is subject to fraudulent use of its network by individuals who use BBSs in order to unlawfully obtain personal authorization codes of consumers. Teleconnect also states that computer "hackers" employ a series of calling patterns to access a carrier's network in order to steal long distance services. The report further states that Teleconnect monitors calling patterns on a 24 hour basis in an effort to control, and eliminate when possible, code abuse. As a result of this monitoring, Teleconnect advises that its internal security staff detected repeated attempts to access the BBS numbers in question using multiple seven-digit access codes of legitimate Teleconnect customers. These calling patterns, according to Teleconnect, clearly indicated that theft of telecommunications services was occurring. The report states that Teleconnect makes a decision to block calls when the estimated loss of revenue reaches at least $500. Teleconnect notes that blocking is only initiated when signs of "hacking" and other unauthorized usage are present, when local calls are attempted over its long distance network or when a customer or other carrier has requested blocking of a certain number. Teleconnect maintains that blocking is in compliance with the provisions of Section A.20.a.04 of Teleconnect's Tariff F.C.C. No. #3 which provides that service may be refused or disconnected without prior notice by Teleconnect for fraudulent unauthorized use. The report also states that Teleconnect customers whose authorizations codes have been fraudulently used are immediately notified of such unauthorized use and are issued new access codes. Teleconnect further states that while an investigation is pending, customers are given instructions on how to utilize an alternative carrier's network by using "10XXX" carrier codes to access interstate or intrastate communications until blocking can be safely lifted. Teleconnect maintains that although its tariff does not require prior notice to the number targeted to be blocked, it does, in the case of a BBS, attempt to identify and contact the Systems Operator (SysOp), since the SysOp will often be able to assist in the apprehension of an unauthorized user. The report states that with regard to Mr. Kyle's Iowa BBS, Teleconnect was unable to identify Mr. Kyle as the owner of the targeted number because the number was unlisted and Mr. Kyhl's local carrier was not authorized to and did not release any information to Teleconnect by which identification could be made. The report also states that Teleconnect attempted to directly access the BBS to determine the identity of the owner but was unable to do so because its software was incompatible with the BBS. Teleconnect states that its actions are not discriminatory to BBSs and states that it currently provides access to literally hundreds of BBSs around the country. The report also states that Teleconnect's policy to block when unauthorized use is detected is employed whether or not such use involves a BBS. Teleconnect advises that when an investigation is concluded or when a complaint is received concerning the blocking, the blocking will be lifted, as in the case of the Iowa BBS. However, Teleconnect notes that blocking will be reinstated if illegal "hacking" recurs. Teleconnect advises that it currently has no ongoing investigations within the State of Michigan and therefore, is not presently blocking any BBSs in Michigan. However, Teleconnect states that it is honoring the request of other carriers and customers to block access to certain numbers. The Branch has reviewed the file on this case. In accordance with the Commission's rules for informal complaints it appears that the carrier's report is responsive to our Notice. Therefore, the Branch, on its own motion, is not prepared to recommend that the Commission take further action regarding this matter. -------- This letter leaves me with a ton of questions. First, lets be fair to Teleconnect. Long distance carriers are being robbed of hundreds of thousands of dollars annually by "hackers" and must do something to prevent it. However, call blocking is NOT going to stop it. The "hacker" still has access to the carrier network and will simply start calling other numbers until that number, too, is blocked, then go on to the next. The answer is to identify the "hacker" and put him out of business. Teleconnect is taking a cheap, quick fix approach that does nothing to solve the problem, and hurts the phone users as a whole. They claim that their customers are able to use other networks to complete their calls if the number is being blocked. What if other networks decide to use Teleconnect's approach? You would be forced to not only keep an index of those numbers you call, but also the long distance carrier that will let you call it! Maybe everyone will block that number, then what will you do? What if AT&T decided to block calls? Do they have this right too? And how do you find out if the number is being blocked? In the case of Mr. Kyhl's BBS, callers were given a recording that stated the number was not in service. It made NO mention that the call was blocked, and the caller would assume the service was disconnect. While trying to investigate why his calls were not going through, Mr. James Schmickley placed several calls to Teleconnect before they finally admitted the calls were being blocked! Only after repeated calls to Teleconnect was the blocking lifted. It should also be noted that Mr. Kyhl's bbs is not a pirate bbs, and has been listed in a major computer magazine as one of the best bbs's in the country. As mentioned before, MBT will work with the long distance carriers to find these "hackers". I assume that the other local carriers would do the same. I do not understand why Teleconnect could not get help in obtaining Mr. Kyhl's address. It is true the phone company will not give out this information, but WILL contact the customer to inform him that someone needs to contact him about possible fraud involving his phone line. If this policy is not being used, maybe the FCC should look into it. Call blocking is not restricted to BBSs, according to Teleconnect. They will block any number that reaches a $500 fraud loss. Lets say you ran a computer mail order business and didn't want to invest in a WATTS line. Why should an honest businessman be penalized because someone else is breaking the law? It could cost him far more the $500 from loss of sales because of Teleconnect's blocking policy. Teleconnect also claims that "they are honoring the request of other carriers and customers to block access to certain numbers". Again, MBT also has these rules. But they pertain to blocking numbers to "certain numbers" such as dial-a-porn services, and many 900- numbers. What customer would ever request that Teleconnect block incoming calls to his phone? And it is an insult to my intelligence for Teleconnect to claim they could not log on to Mr. Kyhl's BBS. Do they mean to say that with hundreds of thousands of dollars in computer equipment, well trained technicians, and easy access to phone lines, that they can't log on to a simple IBM bbs? Meanwhile, here I sit with a $50 Atari 800xl and $30 Atari modem and I have no problem at all accessing Mr. Kyhl's bbs! What's worse, the FCC (the agency in charge of regulating data transmission equipment), bought this line too! Incredible!!! And finally, I must admit I don't have the faintest idea what Section A.20.a.04 of Teleconnect's Tariff F.C.C. No. 3 states, Walk into your local library and ask for this information and you get a blank look from the librarian. I know, I tried! However, MBT also has similar rules in their tariffs. Teleconnect claims that the F.C.C. tariff claims that "service may be refused or disconnected without prior notice by Teleconnect for fraudulent, unauthorized use". This rule, as applied to MBT, pertains ONLY to the subscriber. If an MBT customer were caught illegally using their phone system then MBT has the right to disconnect their service. If a Teleconnect user wishes to call a blocked number, and does so legally, how can Teleconnect refuse use to give them service? This appears to violate the very same tarriff they claim gives them the right to block calls! I have a few simple answers to these questions. I plan, once again, to send out letters to the appropriate agencies and government representatives, but I doubt they will go anywhere without a mass letter writing campaign from all of you. First, order that long distance companies may not block calls without the consent of the customer being blocked. Every chance should be given to him to assist in identifying the "hacker", and he should not be penalized for other people's crimes. There should also be an agency designated to handle appeals if call blocking is set up on their line. Currently, there is no agency, public service commission, or government office (except the FCC) that you can complain to, and from my experience trying to get information on call blocking I seriously doubt that they will assist the customer. Next, order the local phone carriers to fully assist and give information to the long distance companies that will help identify illegal users of their systems. Finally, order the Secret Service to investigate illegal use of long distance access codes in the same manner that they investigate credit card theft. These two crimes go hand in hand. Stiff fines and penalties should be made mandatory for those caught stealing long distance services. If you would like further information, or just want to discuss this, I am available on Genie (G.Cross) and CompuServe (75046,267). Also, you can reach me on my bbs (FACTS, 313-736-4544). Only with your help can we put a stop to call blocking before it gets too far out of hand. >--------=====END=====--------< ******************************************************* * PHILE 8: VIRUSES * ******************************************************* ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ There has been a lot of concern about viruses, even though they still seem to be relatively rare. Forewarned is forearmed, as they say, and we've come across a pretty useful anti-virus newsletter called VIRUS-L that gives info on all the latest bugs, vaccines, and general gossip. It's called VIRUS-L, and we've found it helpful, so we've extracted some of the best of the stuff and passed it along. Thanks to FLINT (of the UNDERGROUND) and CHRIS ROBIN for pulling some of the stuff together. * * * VIRUS-L is a moderated, digested mail forum for discussing computer virus issues; comp.virus is a non-digested Usenet counterpart. Discussions are not limited to any one hardware/software platform - diversity is welcomed. Contributions should be relevant, concise, polite, etc., and sent to VIRUS-L@IBM1.CC.LEHIGH.EDU. Information on accessing anti-virus, document, and back-issue archives is distributed periodically on the list. Administrative mail (comments, suggestions, and so forth) should be sent to me at: krvw@SEI.CMU.EDU. - Ken van Wyk --------------------------------------------------------------------------- Date: Wed, 06 Sep 89 11:54:00 -0400 From: Peter W. Day Subject: Re: Appleshare and viruses >Date: 04 Sep 89 01:18:53 +0000 >From: gilbertd@silver.bacs.indiana.edu (Don Gilbert) >Subject: Appleshare and viruses ? > >What are the conditions under which current Mac viruses can >infect files on Appleshare volumes? I have not attempted to infect any files with a virus, whether on an AppleShare volume or otherwise, but based on what I know about Macintosh, AppleShare and viruses, here is what I think is true. A Mac virus can infect a file only if it can write to the file, no matter where the file is located. A micro cannot access an AppleShare volume directly: it must ask the server to access the AppleShare volume on its behalf. As a result, the server can enforce access privileges. Access privileges apply only to FOLDERS. For the benefit of other readers, the privileges are See Files, See folders and Make Changes. They apply individually to the owner, a group, and everyone. I experimented writing directly to files and folders on an AppleShare volume using Microsoft Word, typing the explicit file path in a Save As... dialog box. For a file to be changeable, the volume and folders in the file path must have See Folders privilege, and the final folder must have See Files and Make Changes privilege. The virus would probably need to search for files to infect, and would only find files along paths with See Folders privs for the volume and folders in the path, and See Files in the final folder. Macintoshes used with shared files are subject to trojans, and the trojan could be infected with a virus. Consider the following scenario: A user has a private folder on a volume shared with others using (say) AppleShare. The volume has a folder containing a shared application named, say, Prog1, and the folder has everyone See Files and See Folders but not Make Changes (i.e. it is read-only). The user makes a private copy of Prog1, and later runs a virus-infected program locally while the shared volume is mounted, and the copy of Prog1 becomes infected. The user now makes his AppleShare folder sharable (See Files, See Folders) to everyone (so that someone can copy a file he has, say). Another user double-clicks on a document created by Prog1, and the Mac Finder happens to find the infected copy of Prog1 before finding the other copy. As a result, the second user's files become infected. Thus I recommend that private folders be readable only by the owner as a matter of policy. Allowing everyone Make Changes creates drop folders so that users can exchange files. Drop Folders are safe enough in that AppleShare does not allow you to overwrite a file when you only have Make Changes priv. However, users should be told to run a virus check on any files that others drop in their folders. ------------------------------ --------------------------------------------------------------------------- Date: 04 Sep 89 16:41:39 +0000 From: jwright@atanasoff.cs.iastate.edu (Jim Wright) Subject: New Amiga virus ? This was recently posted to comp.sys.amiga... In article <716@mathrt0.math.chalmers.se> d8forma@dtek.chalmers.se (Martin Fors sen) writes: | | Last night a friend called me, since he suspected he had a virus. | I gladly grabbed my copy of VirusX (3.20) and drove over, but VirusX | reported no virus. However I saw the text from the virus myself, and | a closer look at the diskette showed that the file c/addbuffers had grown, | furthermore a file with a blank name had appeared in devs. | | The main symptom of this virus is that every fourth time you reboots the tex | | A Computer virus is a disease | | Terrorism is a transgession | | Software piracy is a crime | | this is the cure | | BGS9 Bundesgrensschutz sektion 9 | sonderkommando "EDV" | | On this disk the virus had replaced the file c/addbuffers, the size of this | new file was 2608 bytes. The above text is encoded in the program, but the | graphics.library :-) The orginal addbuffers command was stored in a "blank" | file in the devs directory. | The addbuffers command was the second in the startup sequence on this disk. | I think the virus looks in the startup-sequence for somthing (probably | files to infect), since I found the string sys:s/startup-sequence coded | in the virus. | I don't know if this virus does any damage, but the person first infected | hasn't noticed anything. | | The questions I now ask me is: | | Is this a known virus? | | and if the answer is no, | | What is Steve Tibbets mail adress? | | | MaF | | Chalmers |USENET:d8forma@dtek.chalmers.se | " Of course I'm not lost, | University |SNAIL: Martin Forssen | I just haven't pinpointed | of | Marielundsgatan 9 | exactly where we are at the | Technology |SWEDEN 431 67 Molndal | moment " (David Eddings) - -- Jim Wright jwright@atanasoff.cs.iastate.edu ------------------------------ Date: Fri, 01 Sep 00 11:51:00 -0400 From: Bob Babcock Subject: Re: Is this a virus? (PC) >When I copy some >files to a floppy but I misput a write protected diskette, I find the >error massage "retry, ...". At this time, if I answer "r" to the >massage and puting a non-protected diskette, then the FAT and >DIRECTORY of the protected diskette is transfered to the second non >protected diskette(and the files that I copied to). Is this a DOS's >bug or a virus? This is a known behavior of MS-DOS. The directory and FAT have already been read before the write protect error is sensed, and when you say retry, DOS doesn't know that you have changed disks, so it doesn't reread the directory info. ------------------------------ Date: Fri, 01 Sep 89 16:55:59 -0500 From: Joe Simpson Subject: Re: is this a virus? (PC) In response to the question about the FAT from a locked disk being written to another disk this is a feature of MS-DOS, not a virus. Another chilling scenario conserns running an application such as a word processor, opening a document, exchangeing data diskettes, and saving a "backup" of the file. This often hoses the "backup" disk and sometines affects the origional file. ------------------------------ Date: 01 Sep 89 15:41:00 -0400 From: "Damon Kelley; (RJE)" Subject: Kim's question concerning FATs (PC) In response to Kim: I'm no expert at MS-DOS or software-stuff, but I've been poking around in my computer's memory long enough to believe that what you are describing may be normal with MS-DOS. Often I see that within memory, data stays in its assigned spot until something moves or writes over it. I notice this effect with a certain software word-processing/graphing/spreadsheet package I have. Sometimes when I am retreiving data with my package, I place a data disk first before putting in the main program disk. The program needs to do something with the disk with the main program first, so the package asks for the main program disk. Whe the directory pops up for the main program disk, it shows a conglomeration of the files on the curent disk PLUS the files that were on the removed data disk and some random garbage. Nothing grave has happened to my files with this package (It came with my computer. It wasn't PD/Shareware, either.), so I feel that this may be either a DOS bug (not writing over completely the FAT) or something normal. Of course, I've never really had an opportunity to look at the directory track on any disks, so I can't confirm that this is absolutely true. I can find out. Has anyone out there found mixed FATs affecting the performance of their disks? ------------------------------ Date: Wed, 30 Aug 89 14:41:53 -0000 From: LBA002%PRIME-A.TEES-POLY.AC.UK@IBM1.CC.Lehigh.Edu Subject: nVIR A and nVIR B explained (Mac) I spotted this in the August issue of Apple2000 (a UK Mac user group magazine.) It first appeared on the Infomac network and the author is John Norstad of Academic Computing & Network Services, Northwestern University (hope it's OK with you to reproduce this John?) It may be old-hast to all the virus experts but I found it interesting & informative. nVIR A & B There has been some confusion over exactly what the nVIR A & nVIRB viruses actually do. In fact, I don't believe the details have ever been published. I just finished spending a few days researching the two nVIR viruses. This report presents my findings. As with all viruses, nVIR A & B replicate. When you run an infected application on a clean system the infection spreads from the application to the system file. After rebooting the infection in turn spreads from the system to other applications, as they are run. At first nVIR A & B only replicate. When the system file is first infected a counter is initialized to 1000. The counter is decremented by 1 each time the system is booted, and it is decremented by 2 each time an infected application is run. When the counter reaches 0 nVIR A will sometimes either say "Don't Panic" (if MacinTalk is installed in the system folder) or beep (if MacinTalk is not installed in the system folder.) This will happen on a system boot with a probability of 1/16. It will also happen when an infected application is launched with a probability of 31/256. In addition when an infected application is launched nVIR A may say "Don't Panic" twice or beep twice with a probability of 1/256. When the counter reaches 0 nVIR B will sometimes beep. nVIR B does not call MacinTalk. The beep will happen on a system boot with a probability of 1/8. A single beep will happen when an infected application is launched with a probability of 15/64. A double beep will happen when an application is launched with a probability of 1/64. I've discovered that it is possible for nVIRA and nVIRB to mate and sexually reproduce, resulting in new viruses combining parts of their parents. For example if a system is infected with nVIRA and if an application infected with nVIRB is tun on that system, part of the nVIRB infection is replaced by part of the nVIRA infection from the system. The resulting offspring contains parts from each of its parents, and behaves like nVIRA. Similarly if a system is infected with nVIRB and if an application infected with nVIRA is run on that system, part of the nVIRA infection in the application is replaced by part of the nVIRB infection from the system. The resulting offspring is very similar to its sibling described in the previous paragraph except that it has the opposite "sex" - each part is from the opposite parent. it behaves like nVIRB. These offspring are new viruses. if they are taken to a clean system they will infect that system, which will in turn infect other applications. The descendents are identical to the original offspring. I've also investigated some of the possibly incestual matings of these two kinds of children with each other and with their parents. Again the result is infections that contain various combinations of parts from their parents. (Hot stuff!) Rgds, Iain Noble ------------------------------ Date: Tue, 29 Aug 89 16:05:44 +0300 From: Y. Radai Subject: PC virus list; Swap virus; Israeli virus; Disassemblies For several reasons, one of which is very irregular receipt of VIRUS-L, I've been out of touch with it for several weeks now. So please forgive me if some of the postings referred to below are a few weeks old. PC Virus List ------------- Lan Nguyen asks whether a list of PC viruses, incl. date first dis- covered and source(s), exists. I will soon be submitting to VIRUS-L a considerably updated version of the list I first posted on May 16. Meanwhile, Lan, I'm sending you my list as it currently stands (29 viruses, 70 strains). The Swap Virus -------------- Yuval Tal writes: >I don't think that it is so important how we call the virus. I've >decided to call it the swap virus becuase the message "The Swapping- >Virus...' appears in it! ....... I think that calling it "The >Dropping Letter Virus" will be just fine. Well, "The Dropping Letter Virus" would be a poor choice since (as I mentioned in an earlier posting) this also describes the Cascade and Traceback viruses. Yuval has explained that he originally called it the Swap virus because it writes the following string into bytes B7-E4 of track 39, sector 7 (if sectors 6 and 7 are empty): The Swapping-Virus. (C) June, 1989 by the CIA However, he has not publicly explained how the words SWAP VIRUS FAT12 got into the boot sector of some of the diskettes infected by this virus, so let me fill in the details. As David Chess and John McAfee both pointed out quite correctly, these words are not part of the virus. What happened was that Yuval wrote a volume label SWAP VIRUS onto each infected diskette for identification. Had his system been DOS 3 the label would have been written only into the root directory. But since he was apparently using DOS 4, it was also written into bytes 2Bh-35h of the boot sector. (That still leaves the string FAT12 in bytes 36h-3Ah to be explained. Under DOS4, the field 36h-3Dh is supposed to be "reserved". Anyone got any comments on that?) So although I didn't know at the time that the words SWAP VIRUS came from Yuval, it seems that my (and his original) suggestion to call it the Swap virus is still the best choice. The Israeli/Friday-13/Jerusalem Virus ------------------------------------- In response to a query from Andrew Berman, David Rehbein gave a quite accurate description of the virus, except for one small point: >(It will infect and replicate itself in ANY executible, no matter >the extension..check especially .OVL and .SYS) To the best of my knowledge, no strain of this virus (or, for that matter, of any other virus that I know of) infects overlay or SYS files. Andrew Berman writes concerning this virus: > She think's >she's cleaned it out by copying only the source codes to new disks, >zapping the hard drives, and recompiling everything on the clean hard >disks. It's a pity that so many people try to eradicate the virus by such difficult means when (as has been mentioned on this list and else- where) there is a file named UNVIR6.ARC on SIMTEL20 (in ) containing a program called UNVIRUS which will easily eradicate this virus and 5-6 others as well, plus a program IMMUNE to prevent further infection. Disassembling of Viruses ------------------------ In response to a posting by Alan Roberts, David Chess replied: >I think it's probably a Good Thing if at least two or three people do >independant disassemblies of each virus, just to make it less likely >that something subtle will be missed. I know my disassemblies (except >the ones I've spent lots of time on) always contain sections marked >with vaguenesses like "Does something subtle with the EXE file header >here". .... I probably tend to lean towards "the more the merrier"! I can appreciate David's point. However, I would like to point out that the quality of (commented) disassemblies differs greatly from one person to another. As Joe Hirst of the British Computer Virus Re- search Centre writes (V2 #174): >Our aim will be to produce disassemblies which cannot be improved upon. And this isn't merely an aim. In my opinion, his disassemblies are an order of magnitude better than any others I've seen. He figures out and comments on the purpose of *every* instruction, and vagueness or doubt in his comments is extremely rare. What I'm suggesting is this: If you have the desire, ability, time and patience to disassemble a virus yourself, then have fun. But unless you're sure it's a brand new virus, you may be wasting your time from the point of view of practical value to the virus-busting community. And even if you are sure that it's a new virus, take into account that there are pros like Joe who can probably do the job much better than you. So what about David's point that any given disassembler may miss something subtle? Well, I'm not saying that Joe Hirst should be the *only* person to disassemble viruses. Even he is only human, so there should be one or two other good disassemblers to do the job indepen- dently. But no more than 1 or 2; I can't accept David's position of "the more the merrier". Btw, disassemblers don't always get the full picture. Take, for example, the Merritt-Alameda-Yale virus, of which I have seen three disassemblies. They all mentioned that the POP CS instruction is invalid on 286 machines, yet none of them mentioned the important fact that when such a machine hangs the virus has already installed itself in high RAM and hooked the keyboard interrupt, so that the infection can spread if a warm boot is then performed! That fact seems to have been noticed only by ordinary humans. Y. Radai Hebrew Univ. of Jerusalem Date: Thu, 24 Aug 89 08:36:01 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: V-REMOVE (PC) The HomeBase group is releasing a new disinfector program that is able to remove all known viruses, repair all infected COM files, repair most infected EXE files, replace infected partition tables and boot sectors, and generally make life easier for people with infected IBM PCs. Our previous practice of releasing one disinfector program per virus has given us a terrific maintenance headache, and so V-REMOVE (which does them all) is our next step on the path. What we need now are beta testers with Large virus libraries. Interested parties please contact John McAfee or Colin Haynes at 408 727 4559. Alan ------------------------------ Date: 25 Aug 89 22:42:33 +0000 From: trebor@biar.UUCP (Robert J Woodhead) Subject: Re: Locking Macintosh disks DANIEL%NCSUVM.BITNET@IBM1.CC.Lehigh.Edu (Daniel Carr) writes: >i bet this question has been asked before, so please excuse me, but >is it possible for a virus to infect a locked macintosh disk? If the diskette is hardware locked (ie: the little slide is slid so that you can see a hole) then the hardware won't write onto that disk, so if you stick it into an infected machine it won't get infected. If, on the other hand, files on an unlocked disk are locked in _software_, they may be fair game to a persnickety virus. Date: Fri, 25 Aug 89 07:45:00 -0400 From: WHMurray@DOCKMASTER.ARPA Subject: (Hardware) Destructive Virus (Story) >Does anyone on the list have some information about an alleged virus >that caused monitors on either older PCs, Ataris, or Amigas (I forgot which >platform.... The story is apocryphal. Roots are as follows: 1. Anything a computer can be programmed to do, a virus can do. Thus, if a computer can be programmed for behavior that will damage the hardware, then it can be destroyed by a virus. 2. Early IBM PC Monochrome Adapter had a flaw under which a certain set of instructions could interfere with the normal sweep circuit operation, causing camage to the monitor. 3. Based upon this combination of facts, there has been speculation about the possibility of a virus exploiting this, or similar, flaws. Much of it has been in this list. To my knowledge, no such virus has ever been detected. The number of such PCs is vanishingly small but larger than the ones that such a virus might find. Those that exist are so old that a monitor failure would be attributed to old age. A virus would likely go unnoticed. Of course, it is a little silly to build a computer such that it can be programmed to perform hardware damaging behavior. Such damage is likely to occur by error. That is how the flaw in the IBM's was discovered. William Hugh Murray, Fellow, Information System Security, Ernst & Young 2000 National City Center Cleveland, Ohio 44114 21 Locust Avenue, Suite 2D, New Canaan, Connecticut 06840 ------------------------------ Date: Fri, 25 Aug 89 08:19:02 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: Infecting applications on locked Mac disks... No. If the write-protect mechanism is working properly, any software operation will be unable to change the contents of the disk. If the write-protect mechanism is somehow faulty, all bets are off. Note: The write-protect mechanism on Mac disks is done in hardware. David Gursky Member of the Technical Staff, W-143 Special Projects Department The MITRE Corporation ------------------------------ Date: Thu, 24 Aug 89 17:05:47 -0700 From: Steve Clancy Subject: vaccine source (PC) I would like to offer our bulletin board system once again to the readers of Virus-L as a source of VIRUSCAN and other "vaccine/scanner" programs that are occasionally mentioned here. I attempt to keep up with the most recent versions I can locate of the various programs, and usually also have the current version of the Dirty Dozen trojan horse/list. The Wellspring RBBS is located in the Biomedical Library of the University of California, Irvine (U.S.A). Numbers and settings are as follows: Line # 1 - (714) 856-7996 300-9600 (HST) N81 - 24 hours Line # 2 - (714) 856-5087 300-1200 baud N81 - Evenings & Weekends Callers from Virus-L should use the following passwords to allow immediate access to downloading of files: First name Last name Password ---------- --------- -------- VL1 BITNET BIT1 VL2 BITNET BIT2 All files are located in the VIR files directory. The system uses standard RBBS commands. I attempt to get my files from the original source whenever possible. % Steve Clancy, Biomedical Library % WELLSPRING RBBS % % University of California, Irvine % 714-856-7996 300-9600 24hrs% % P.O. Box 19556 % 714-856-5087 300-1200 % % Irvine, CA 92713 U.S.A. % % % SLCLANCY@UCI % "Are we having fun yet?" % ------------------------------ Date: Mon, 28 Aug 89 13:45:10 -0700 From: fu@unix.sri.com (Christina Fu) Subject: Antidotes for the DATACRIME family (PC) Recently, I have had a chance to investigate the 1280, 1168 and DATACRIME II viruses, and found some interesting differences between the first two versions and DATACRIME II. As a result, I have developed an antidote for both 1280 and 1168, and an antidote for the DATACRIME II. Among the differences between these viruses, the most significant one for developing antidotes is that the DATACRIME II virus generates a mutually exclusive signature set than the other two. Because of the said difference, the antidote for the 1280 and 1168 becomes a de-antidote for the DATACRIME II, and vice versa. Which means, if a file is infected with either 1280 or 1168, it is still vulnerable of contracting DATACRIME II, and vice versa (this situation does not exist between 1280 and 1168, however). If we view these viruses as two different strains, then these antidotes make more sense, otherwise, they can be useless. Another interesting thing is that the DATACRIME II purposely avoids infecting files with a "b" as the second character in the name (such as IBMBIO.COM and IBMDOS.COM), while the other two avoids to infect files with a "d" as the seventh character in the name (such as COMMAND.COM), and aside from that, the DATACRIME II virus can also infect EXE files, unlike the other two. I am looking into providing them to the public free of charge (I do not claim responsibility or ask for donation). Any interested archive sites please let me know. By the way, I need a sample disclaimer for programs distributed in this manner. ------------------------------ Date: Mon, 21 Aug 89 13:36:00 -0400 From: WHMurray@DOCKMASTER.ARPA Subject: Hygeine Questions >1) Is the possibility of virus infection limited to executable > programs (.com or .exe extensions)? Or can an operating system be > infected from reading a document file or graphic image? While a virus must succeed in getting itself executed, there are a number of solutions to this problem besides infecting .exe and .com. While it will always be sufficient for a virus to dupe the user, the most successful ones are relying upon bootstrap programs and loaders to get control. >2) Are there generic "symptoms" to watch for which would indicate a virus? Any unusual behavior may signal the presence of a virus. Of course most such unusual behavior is simply an indication of user error. Since there is not much satisfaction to writing a virus if no one notices, most are not very subtle. However, the mandatory behavior for a successful virus is to write to shared media, e.g., floppy, diskette, network, or server. (While it may be useful to the virus or disruptive to the victim to write to a dedicated hard disk, this is not sufficient for the success of the virus.) >3) Any suggestions on guidelines for handling system archiving > procedures so that an infected system can be "cleaned up"? WRITE PROTECT all media. Preserve vendor media indefinitely. Never use the backup taken on one system on any other. Be patient when recovering; be careful not to reinfect. (Computer viruses are persistent on media.) Quarantine systems manifesting strange behavior. Never try to reproduce symptoms on a second machine. Never share media gratuitously. (Note that most PC viruses are traveling on shared MEDIA rather than on shared PROGRAMS.) ____________________________________________________________________ William Hugh Murray 216-861-5000 Fellow, 203-966-4769 Information System Security 203-964-7348 (CELLULAR) ARPA: WHMurray@DOCKMASTER Ernst & Young MCI-Mail: 315-8580 2000 National City Center TELEX: 6503158580 Cleveland, Ohio 44114 FAX: 203-966-8612 Compu-Serve: 75126,1722 INET: WH.MURRAY/EWINET.USA 21 Locust Avenue, Suite 2D DASnet: [DCM1WM]WMURRAY New Canaan, Connecticut 06840 PRODIGY: DXBM57A - -------------------------------------------------------------------- ------------------------------ Date: Fri, 18 Aug 89 19:07:11 -0500 From: Christoph Fischer Subject: NEW VIRUS DICOVERED AND DISASSEMBLED We just finished to disassemble a new virus, it was sent to us by the university of Cologne. We haven't found any clue that this virus showed up before. Here are the facts we found: 0. It works on PC/MS-DOS ver. 2.0 or higher 1. It infects COM files increasing them by 1206 to 1221 bytes (placing the viruscode on a pragraph start) 2. It infects EXE files in two passes: After the first pass the EXE file is 132 bytes longer; after the second pass its size increased by an aditional 1206 to 1221 bytes (see 1.) 3. The virus installs a TSR in memory wich will infect executable files upon loading them (INT 21 subfunction 4B00) using 8208 bytes of memory 4. The only "function" we found, was an audible alarm(BELL character) whenever another file was successfully infected. 5. It infects COM files that are bigger than 04B6h bytes and smaller than F593h bytes and start with a JMP (E9h) 6. It infects EXE files if they are smaller than FDB3 bytes (no lower limit) 7. It opens a file named "VACSINA. " without checking the return value. At the end it closes this file without ever touching it. The facts 4 and 7 make us belive it is a "Beta-Test" virus that might have escaped prematurely by accident. The word VACSINA is really odd beause of its spelling. All languages I checked (12) spell it VACC... only Norwegians write VAKSINE. Has anybod an idea? We produced an desinfectant and a guardian. The PC room at Cologne (28 PCs) was also infected by DOS62 (Vienna)| We call the virus VACSINA because of the unique filename it uses| Chris & Tobi & Rainer ***************************************************************** * TORSTEN BOERSTLER AND CHRISTOPH FISCHER AND RAINER STOBER * * Micro-BIT Virus Team / University of Karlsruhe / West-Germany * * D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 * * E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET * ***************************************************************** ------------------------------ Date: Wed, 16 Aug 89 11:46:06 -0400 From: "Computer Emergency Response Team" Subject: CERT Internet Security Advisory Many computers connected to the Internet have recently experienced unauthorized system activity. Investigation shows that the activity has occurred for several months and is spreading. Several UNIX computers have had their "telnet" programs illicitly replaced with versions of "telnet" which log outgoing login sessions (including usernames and passwords to remote systems). It appears that access has been gained to many of the machines which have appeared in some of these session logs. (As a first step, frequent telnet users should change their passwords immediately.) While there is no cause for panic, there are a number of things that system administrators can do to detect whether the security on their machines has been compromised using this approach and to tighten security on their systems where necessary. At a minimum, all UNIX site administrators should do the following: o Test telnet for unauthorized changes by using the UNIX "strings" command to search for path/filenames of possible log files. Affected sites have noticed that their telnet programs were logging information in user accounts under directory names such as "..." and ".mail". In general, we suggest that site administrators be attentive to configuration management issues. These include the following: o Test authenticity of critical programs - Any program with access to the network (e.g., the TCP/IP suite) or with access to usernames and passwords should be periodically tested for unauthorized changes. Such a test can be done by comparing checksums of on-line copies of these programs to checksums of original copies. (Checksums can be calculated with the UNIX "sum" command.) Alternatively, these programs can be periodically reloaded from original tapes. o Privileged programs - Programs that grant privileges to users (e.g., setuid root programs/shells in UNIX) can be exploited to gain unrestricted access to systems. System administrators should watch for such programs being placed in places such as /tmp and /usr/tmp (on UNIX systems). A common malicious practice is to place a setuid shell (sh or csh) in the /tmp directory, thus creating a "back door" whereby any user can gain privileged system access. o Monitor system logs - System access logs should be periodically scanned (e.g., via UNIX "last" command) for suspicious or unlikely system activity. o Terminal servers - Terminal servers with unrestricted network access (that is, terminal servers which allow users to connect to and from any system on the Internet) are frequently used to camouflage network connections, making it difficult to track unauthorized activity. Most popular terminal servers can be configured to restrict network access to and from local hosts. o Passwords - Guest accounts and accounts with trivial passwords (e.g., username=password, password=none) are common targets. System administrators should make sure that all accounts are password protected and encourage users to use acceptable passwords as well as to change their passwords periodically, as a general practice. For more information on passwords, see Federal Information Processing Standard Publication (FIPS PUB) 112, available from the National Technical Information Service, U.S. Department of Commerce, Springfield, VA 22161. o Anonymous file transfer - Unrestricted file transfer access to a system can be exploited to obtain sensitive files such as the UNIX /etc/passwd file. If used, TFTP (Trivial File Transfer Protocol - which requires no username/password authentication) should always be configured to run as a non-privileged user and "chroot" to a file structure where the remote user cannot transfer the system /etc/passwd file. Anonymous FTP, too, should not allow the remote user to access this file, or any other critical system file. Configuring these facilities to "chroot" limits file access to a localized directory structure. o Apply fixes - Many of the old "holes" in UNIX have been closed. Check with your vendor and install all of the latest fixes. If system administrators do discover any unauthorized system activity, they are urged to contact the Computer Emergency Response Team (CERT). Date: Tue, 15 Aug 89 20:36:50 +0300 From: "Yuval Tal (972)-8-474592" Subject: Swapping Virus (PC) +------------------------------------------------------+ | The "Swapping" virus | +------------------------------------------------------+ | | | Disassembled on: August, 1989 | | | | Disassembled by: Yuval Tal | | | | Disassembled using: ASMGEN and DEBUG | | | +------------------------------------------------------+ Important note: If you find *ANYTHING* that you think I wrote incorrectly or is-understood something, please let me know ASAP. You can reach me: Bitnet: NYYUVAL@WEIZMANN InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU This text is divided into theree parts: 1) A report about the Swap Virus. 2) A disassembly of the Swap Virus. 3) How to install this virus? - ------------------------------------------------------------------------------ - R E P O R T - ------------------------------------------------------------------------------ - Virus Name..............: The Swap Virus Attacks.................: Floppy-disks only Virus Detection when....: June, 1989 at......: Israel Length of virus.........: 1. The virus itself is 740 bytes. 2. 2048 bytes in RAM. Operating system(s).....: PC/MS DOS version 2.0 or later Identifications.........: A) Boot-sector: 1) Bytes from $16A in the boot sector are: 31 C0 CD 13 B8 02 02 B9 06 27 BA 00 01 CD 13 9A 00 01 00 20 E9 XX XX 2) The first three bytes in the boot sector are: JMP 0196 (This is, if the boot sector was loaded to CS:0). B) FAT: Track 39 sectors 6-7 are marked as bad. C) The message: "The Swapping-Virus. (C) June, by the CIA" is located in bytes 02B5-02E4 on track 39, sector 7. Type of infection.......: Stays in RAM, hooks int $8 and int $13. A diskette is infected when it is inserted into the drive and ANY command that reads or writes from/to the diskette is executed. Hard disks are NOT infected ! Infection trigger.......: The virus starts to work after 10 minutes. Interrupt hooked........: $8 (Timer-Tick - Responsible for the letter dropping) $13 (Disk Drive - Infects!) Damage..................: Track 39 sectors 6-7 will be marked as bad in the FAT. Damage trigger..........: The damage is done whenever a diskette is infected. Particularities.........: A diskette will be infected only if track 39 sectors 6-7 are empty. +-----------------------------------------------------------------------+ | BitNet: NYYUVL@WEIZMANN CSNet: NYYUVAL@WEIZMANN.BITNET | | InterNet: NYYUVAL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU | | | | Yuval Tal | | The Weizmann Institute Of Science "To be of not to be" -- Hamlet | | Rehovot, Israel "Oo-bee-oo-bee-oo" -- Sinatra | +-----------------------------------------------------------------------+ ------------------------------ Date: Mon, 14 Aug 89 10:18:16 +0100 From: J.Holley@MASSEY.AC.NZ Subject: Marijuana Virus wreaks havoc in Australian Defence Department (PC) [Ed. This is from RISKS...] Quoted from The Dominion, Monday August 14 : A computer virus call marijuana has wreaked havoc in the Australian Defence Department and New Zealand is getting the blame. Data in a sensitive security area in Canberra was destroyed and when officers tried to use their terminals a message appeared : "Your PC is stoned - Legalise marijuana". Viruses are [guff on viruses] The New Zealand spawned marijunana has managed to spread itself widely throughout the region. Its presence in Australia has been known for the past two months. The problem was highlighted two weeks ago when a Mellbourne man was charged with computer trespass and attempted criminal damage for allegedly loading it into a computer at the Swinbourne Institute of Technology. The virus invaded the Defence Department earlier this month - hitting a security division repsonsible for the prevention of computer viruses. A director in the information systems division, Geoff Walker said an investigation was under way and the infection was possibly an embarrassing accident arising from virus prevention activities. New personal computers installed in the section gobbled data from their hard disk, then disabled them. Initially it was believed the virus was intoduced by a subcontractor installing the new computer system but that possibility has been ruled out. One more outlandish theory suggested New Zealnd, piqued at its exclusion from Kangaroo 89 military exercises under way in northern Australia, was showing its ability to infiltrate the Canberra citadel. New Zealand was not invited to take part in Kangaroo because of United States' policy of not taking part in exercises with New Zealand forces since Labour's antinuclear legislation. However, New Zealand observers were invited. New Zealand Defence Department spokesmand Lieutenant Colonel Peter Fry categorically denied the claim. "It would be totally irresponsible to do this kind of thing." In fact, New Zealand's Defence Department already had problems with the virus, he said. ------------------------------ Date: Mon, 14 Aug 89 18:12:37 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Posting VIRUSCAN (PC) In yesterday's Virus-L, Jim Wright stated: >(Posting VIRUSCAN to comp.binaries)... is not a good idea. Since it is >frequently updated it would be long out of date by the time it got through >c.b.i.p. I'd like to point out that, while ViruScan is indeed updated as soon as a new virus is discovered, even the first version of ViruScan is still statistically current. We need to differentiate between the NUMBER of viruse out there and the statistical PROBABILITY of infection from any given virus. Viruses are not created on one day and the next become major infection problems. It take many months, and in some cases - years, before a given virus becomes a statistically valid threat to the average computer user. A case in point is the Jerusalem virus. It's nearly 2 years old and was first reported in the States (other than by a researcher) in February of 1988. In August of '88 the reported infection rate was 3 infections per week. In July of '89, the rate was over 30 reports per day. Today the Jerusalem virus is a valid threat. Another more current case is the Icelandic virus. It's over 2 months old and we've had no reported infections in the U.S. Given even the limited information we have about virus epidemiology, any product that can identify 99% of the infection ocurrences today, will be able to identify close to the same percentage 5 to 6 months from now, irrespective of the number of new viruses created in the interim. For those that insist on the 100% figure, I suggest you bite the bullet and download the current version of ViruScan from HomeBase every month. P.S. Some people have suggested that the CVIA statistics are inaccurate or incomplete. The numbers come from a reporting network composed of member companies. These companies include such multinationals as Fujitsu, Phillips N.A., Amdahl, Arthur Anderson and Co., the Japan Trade Center, Weyerhauser, Amex Assurance and others whose combined PC base, either internal or through client responsibility, totals over 2 million computers. It is highly unlikely that a major virus problem could exist and not be reported by one or another of these agencies. ------------------------------ Date: Sun, 13 Aug 89 09:48:20 -0700 From: portal!cup.portal.com!Charles_M_Preston@Sun.COM Subject: Viruscan test (PC) For the past couple weeks I have been testing the latest versions of John McAfee's virus scanning program, Viruscan, downloaded as SCANV29.ARC, SCANV33.ARC, etc., and very briefly the resident version archived as SCANRES4.ARC. While I have not completed the testing protocol with each virus, perhaps an interim report will be of interest. The testing protocol is: 1. Scan a disk containing a copy of a virus in some form; 2. Have the virus infect at least one other program (for .COM and .EXE infectors) or disk (for boot infectors) so Viruscan must locate the virus signature as it would normally be found in an infected machine; 3. Modify the virus in the most common ways people change them (cosmetic changes to ASCII text messages or small modifications to the code and try Viruscan again. Step 2 arises from testing another PC anti-virus product which was supposed to scan for viruses. When I found that it would not detect a particular boot virus on an infected floppy, I asked the software vendor about it. I was told that it would detect a .COM program which would produce an infected disk - not useful to most people with infected disks, the common way this virus is seen Even though the viruses tested are not technically self-mutating, my intent is to test Viruscan against later generation infections, as they would be found in a normal computing environment. Naturally, there is a problem knowing which virus is actually being found, since they go under different names and are frequently modified. The viruses are currently identified by their length, method of infection, symptoms of activity or trigger, and any imbedded text strings, based on virus descriptions from a variety of sources. These include Computers & Security journal, and articles which have been on Virus-L, such as Jim Goodwin's descriptions modified by Dave Ferbrache, and reports by Joe Hirst from the British Computer Virus Research Centre. There is a proposal for checksumming of viruses in the June Computers & Security, which would allow confirmation that a found virus is the identical one already disassembled and described by someone. In the meantime, identification has been made as mentioned. So far, Viruscan has detected the following viruses: Boot infectors - Brain, Alameda/Yale, Ping-Pong, Den Zuk, Stoned, Israeli virus that causes characters to fall down the screen; .COM or .EXE infectors - Jerusalem -several versions including sURIV variants, 1701-1704-several versions, Lehigh, 1168, 1280, DOS62-Vienna, Saratoga, Icelandic, Icelandic 2, April First, and Fu Manchu. SCANV33 has a byte string to check for the 405.com virus, but does not detect it. SCANV34 has been modified to allow proper detection. SCANRES 0.7V34, the resident version of Viruscan, correctly detects the 405 virus when an infected program is run. I have not had any false positives on other commercial or shareware programs that have been scanned. Viruscan appears to check for viruses only in reasonable locations for those particular strains. If there is a virus that infects only .COM files, and an infected file has a .VOM or other extension, it will not be reported. Of course, it is not immediately executable, either. On the other side of the coin, if a disk has been infected by a boot infector, and still has a modified boot record, it will be reported by Viruscan. This is true even if the rest of the virus code normally hidden in other sectors has been destroyed, thus making the disk non-bootable and non infectious. This is a desirable warning, however, since the boot record is not original, and since other disks may be still infected. Disclaimer: I am a computer security consultant and have been working with PC and Macintosh microcomputer viruses and anti- virus products for about 18 months. I have no obligation to John McAfee except to report the outcome of the tests. I am a member of the Computer Virus Industry Association, which is operated by John McAfee. Charles M. Preston 907-344-5164 Information Integrity MCI Mail 214-1369 Box 240027 BIX cpreston Anchorage, AK 99524 cpreston@cup.portal.com ------------------------------ Date: 01 Aug 89 21:18:49 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: "Computer Condom" (from Risks digest)... hahahahahahahahah!!!!!!! right chief just like swamp land in them thar everglades... seriously though things will not improve until vendors start going for protected mode and other tricks...I am talking about 386's and 68030's here... maybe something could be done in this area with charge cars on a 286 but I doubt it... your need that virtual 8086 partition on the 386 to have any real safety and have to be operating protected mode to take advantage of it(DESQVIEW 386, THD386.sys etc) after that then there are still so many ways to get in!! cheers kelly ------------------------------ Date: Thu, 03 Aug 89 12:15:52 -0500 From: kichler@ksuvax1.cis.ksu.edu (Charles Kichler) Subject: New FTP source for anti-virals (PC) - Internet access required The following files dealing with computer viruses are now available by anonymous ftp (file transfer protocol) from 'hotel.cis.ksu.edu' [Ed. IP number is 129.130.10.12] located in Computer Science Dept. at Kansas State University, Manhattan, KS. The files have been and will be collected in the future from reliable sources, although no warranty is implied or stated. I will attempt to update the files as often as possible. If anyone becomes aware of new updates or new anti-viral programs, let me know. All files are in the /ftp/pub/Virus-L sub-directory. / DETECT2.ARC.1 GREENBRG.ARC.1 VACCINE.ARC.1 ./ DIRTYDZ9.ARC.1 IBMPAPER.ARC.1 VACCINEA.ARC.1 00-Index.doc DPROT102.ARC.1 IBMPROT.DOC.1 VACI13.ARC.1 ALERT13U.ARC.1 DPROTECT.ARC.1 INOCULAT.ARC.1 VCHECK11.ARC.1 BOMBCHEK.ARC.1 DPROTECT.CRC.1 MD40.ARC.1 VDETECT.ARC.1 BOMBSQAD.ARC.1 DVIR1701.EXE.1 NOVIRUS.ARC.1 VIRUS.ARC.1 CAWARE.ARC.1 EARLY.ARC.1 PROVECRC.ARC.1 VIRUSCK.ARC.1 CHECK-OS.ARC.1 EPW.ARC.1 READ.ME.FIRST VIRUSGRD.ARC.1 CHK4BOMB.ARC.1 F-PROT.ARC.1 SCANV30.ARC.1 pk36.exe CHKLHARC.ARC.1 FILE-CRC.ARC.2 SENTRY02.ARC.1 pk361.exe CHKSUM.ARC.1 FILECRC.ARC.2 SYSCHK1.ARC.1 uu213.arc CHKUP36.ARC.1 FILETEST.ARC.1 TRAPDISK.ARC.1 CONDOM.ARC.1 FIND1701.ARC.1 TROJ2.ARC.1 DELOUSE1.ARC.1 FSP_16.ARC.1 UNVIR6.ARC.1 The current list only includes programs for MS/PC-DOS computers. I will continue to expand the collection to include some worthwhile textual documents and possible programs for other machines and operating systems. The procedure is to first ftp to the hotel.cis.ksu.edu. [Ed. type: ftp hotel.cis.ksu.edu (or ftp 129.130.10.12). Enter "anonymous" (without the quotes) as a username and "your id" as a password.] Then use 'cd pub/Virus-L'. Next get the files you would like. You will need the 'pk361.exe' to expand the ARChived programs. Be sure to place ftp in a binary or tenex mode [Ed. type "bin" at ftp> prompt]. Please note that the highly recommended VirusScan program (SCANV30.ARC.1) is available. If there are any questions, send mail to me and I will make every effort to help you as soon as time allows. ------------------------------ Date: Tue, 01 Aug 89 12:33:15 -0400 From: Barry D. Hassler Subject: Re: "Computer Condom" (from Risks digest)... In article <0003.8907311200.AA25265@ge.sei.cmu.edu> dmg@lid.mitre.org (David Gu rsky) writes: >[From the Seattle Weekly, 5/3/89] > >PUT A CONDOM ON YOUR COMPUTER > >... >Cummings, the company's president, says the system "stops all viruses" by >monitoring the user network, the keyboard, and the program in use. He notes >that the system is programmable to alter the parameters of its control on >any given machine, but he guarantees that, "when programmed to your >requirements, it will not allow viruses to enter." Pardon me for my opinions (and lack of expertise in viral control), but I think these types of products are dangerous to the purchaser, while most likely being especially profitable for the seller. I just saw a copy of this floating around to some senior management-types after being forwarded several times, and dug up this copy to bounce my two cents off. First of all, I don't see any method which can be guaranteed to protect against all viruses (of course the "when programmed to your requirements" pretty well covers all bases, doesn't it?). Naturally, specific viruses or methods of attach can be covered with various types of watchdog software/hardware, but I don't think it is possible to cover all the avenues in any way. - ----- Barry D. Hassler hassler@asd.wpafb.af.mil System Software Analyst (513) 427-6369 Control Data Corporation ------------------------------ Date: Tue, 01 Aug 89 16:37:00 -0400 From: IA96000 Subject: axe by sea (PC) we have been testing various ways to help prevent a file from becoming infected and have stunbled on an interesting fact. system enhancement associates (the people who wrote arc) have also released axe, a program compression utility. basically axe reads a .exe or .com file, compresses it as much as possible, tacks a dos loader on the front of the file and then saves the new file. in many instances, the resulting file is from 15% to 50% smaller than the original file and loads and runs just like a regular dos file. what is interesting is when a virus attacks an axe'd file. the virus writes itself into the file as many viruses do. however, when you next attempt to load and run the file, it will not load and locks up the system. this is not because the viruys has taken control! this happens because when an axed file is loaded, it is decompressed and the checksum is compared to the original one generated when the file was axed. I know axe was never designed to be anti-viral, but it sure works well in this regard. since the file is actually in encrypted form on the disk, it screws up the virus! ------------------------------ Date: 01 Aug 89 00:00:00 +0000 From: David M. Chess Subject: Fixed-disk infectors (PC) Does anyone know of, or has anyone even heard credible rumors of, any boot-sector virus that will infect the boot sector (master or partition) of IBM-PC-type hard disks, besides the Bouncing Ball and the Stoned? Those are the only two I seem to see that do that; am I missing any? DC ------------------------------ Date: 01 Aug 89 21:23:30 +0000 From: kelly@uts.amdahl.com (Kelly Goen) Subject: Re: message virus (was: Computer Virus Research) we call those ansi 3.64 control sequences.... vt100 and other terminals have similar if not exactly the same features... ansi.sys implements a subset of ansi 3.64 without any protection the problem has been known at various unix sites for years only now its starting to show up on pc's because of the usage of ansi.sys and other programs that recognize these sequences.... cheers kelly ------------------------------ Date: 30 Jul 89 17:17:17 +0000 From: hutto@attctc.Dallas.TX.US (Jon Hutto) Subject: message virus (was: Computer Virus Research) redevined keys so as to when the sysop is in dos and hits a key, it starts deleting files and directories. The worst thing about this is that people have been able to do this for a long time. they are explained in the DOS Technical Reference manual. There are also rumors of a ZMODEM virus that spreads visa ZMODEM transfers, a rumor. ------------------------------ Date: Sat, 29 Jul 89 15:59:43 -0700 From: portal!cup.portal.com!Alan_J_Roberts@Sun.COM Subject: Jerusalem Disinfector Mark Zinzow asked if there were a public domain program that would restore programs infected with the Jerusalem virus to their original, uninfected condition. John McAfee's M-series programs have just been made shareware (M-1 removes the Jerusalem from COM and EXE files and restores them), and the programs are available on HomeBase - 408 988 4004. Alan ------------------------------ Date: Fri, 28 Jul 89 23:18:17 -0400 From: dmg@lid.mitre.org (David Gursky) Subject: "Computer Condom" (from Risks digest)... [From the Seattle Weekly, 5/3/89] PUT A CONDOM ON YOUR COMPUTER Every worry that your computer might be hanging out in a network where it will pick up some disgusting virus? Empirical Research Systems of Tacoma suggests you supply it with one of their "computer condoms". This high-tech prophylactic is a combination of hardware and software embodied in a controller card that simply replaces the one already in the machine. Rick Cummings, the company's president, says the system "stops all viruses" by monitoring the user network, the keyboard, and the program in use. He notes that the system is programmable to alter the parameters of its control on any given machine, but he guarantees that, "when programmed to your requirements, it will not allow viruses to enter." The technology was developed through successful efforts to protect a group of European banks from the massive virus that penetrated European computer networks last autumn. "Naturally these became our first orders," Cummings says. He has since picked up an additional 2500 firm orders in Europe, with 5000 more contingent on inspection of the product. In the United States, the product has been reviewed by Boeing Computer Services and computer technicians at the UW. It will be on the domestic market "early next autumn at a cost of under $1000," Cummings says. DG -- Pardon me while I laugh uncontrollably. ------------------------------ In our computerviruslab we have been working on the problem of mutants of several viruses. Initially we intended to make antiviruspackages more secure. Since a single byte added or removed from the virus code will cause most antiviruspackages to do erroneous repair attempts which might result in even bigger harm than the virus itself will do. Furthermore watertight identification leads to a better 'Epidemiology' of the different virusstrains. Thanks to the kind help of fellow virus researchers all over the world we were able to obtain and tryout quite a few viruses and their mutants. PROPOSAL VIRUS IDENTIFICATION ALGORITHM PURPOSE: Positive and secure identification of *known* viruses to prevent repair attempts on files infected by unknown mutants of a virus. REPLACES: Identification by a unique string of code. (Which might still be unaltered at the same offset in the code of a new variant of the virus) METHOD: 1. Identification of the *known* virusstrain by a unique string or other feature (sUMsDos, (C)Brain, or the 1Fh in the seconds of the filetime) 2. Relocation to segmentoffset 0 and possible decryption of the viruscode. (This might be necessary for mutiple parts of the virus) 3. Writing zero over sections that contain variant parts like garbage from the last infection attempt or a time- bomb counter. 4. Finally a CRC-sum is generated (maybe using more than one polynominal) If this signature matches the one calculated on the virus code for which the removalalgorithm was designed it is safe to apply this antivirusprogram. IMPLEMENTATION: We have done a testimplementation in C and for 2 virusstrains (6 viruses yet). Our goal is to prepare a toolset for quick addition of new variants to the set identifyable viruses. ADVANTAGE: Antivirus tools can identify exactly a specific virus without encorporating full or partial viruscode in the antivirusprogram. (This would be a security risk if done in comercial or PD software) Any comments sugestions welcome respond to VIRUS-L or directly we will summarize to the list| Currently we are also working on virus behavior in networks. For this we have setup a 4 machine Novell network. (PS2/80, PS2/60, Atari386, and a good old PC-XT). Here also any sugestions and help are welcome| ******************************************************************* * Christoph Fischer and Torsten Boerstler * * Micro-BIT Virus Center / University of Karlsruhe / West-Germany * * D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067 * * E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET * ******************************************************************* >--------=====END=====--------< ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ******************************************************* * PHILE 9: AT THE BOARDS: REVIEW AND APPLE LIST * ******************************************************* <<<<< REVIEW: ATLANTIS (215-464-4770) >>>>> (By "Roger." "Gene" is on vacation 'til next issue) ATLANTIS, in Pennsylvania, is one of the best anarchist boards around. Its gphiles aren't as good as those of some of the top boards, like RIPCO and some others, but it's still ranking up there as a pretty cool national board. Its users are from all over the country, so you get a good mix. It was running apple last time we checked, but is usually busy, so you have to be patient. The chat runs from lame highschool kid stuff like "why I hate algebra" to fairly sophisticated technical stuff. Deepdiver tries to keep stuff organized and under control, and does a decent job. The warez aren't all that hot, but if you're patient and hang around, you might be able to pull down some interesting goods. The text philes are its strength. There's all kinds of goodies on pyro-technics, and other junk that most of us learned in 11th grade chemistry that some idiots still like to mess around with. We don't go for all this rah-rah razzle dazzle silly shit, 'cause it's too dangerous. A couple of high schoolers blew themselves up a while back, and it was claimed that they got the idea for it from these kinds of anarchists boards, and there was some pressure in some places around the country to crack down on some of it, but not with a lot of success. So, if you're looking for a decent board, this one gets a "THUMBS UP" from gene and roger, but thumbs down for any lamer who tries anything fancy by trying to be a closet rambo demolitions pro. They only take applications on the first five days of each month, tho, so you might not get on right away. >--------=====END=====--------< Here's some apple boards passed on to us. Thanks to the gang at HILL OF TARA (815-727-4020) who collected them. Most are apparently still up, and some are elite. Have fun! ------------------------------------- Hill of Tara (815) 727-4020 Dark Castle (815) 729-0188 MISTY MT. (205) 979-8409 BASSLOPE (317) 353-9638 The ROCK (IBM) (307) 362-8299 Night Shade (815) 439-1264 Sherwood Forest (815) 436-5610 Havoc House (319) 364-8574 ALCATRAZ (815) 722-6710 X.A. System (815) 756-9567 Revelations BBS (815) 727-3398 The Petri Dish (815) 725-9399 The Dungeon (815) 942-4438 DATA III (901) 424-6787 Off the Wall (319) 354-7959 Remote Control (815) 942-8228 The Silver Tongue (312) 759-1916 Pro Carolina (803) 776-3936 Killer BBS (818) 967-0781 WHIZ (815) 467-2167 Sethanon Elite (313) 661-9359 The Informant (907) 479-7215 The Keep (704) 864-4592 TEAM.EFFORT (715) 423-6454 The Revelations (604) 929-1615 LORD OF THE EVIL DOMINIO (815) 723-2522 The Tower of Palanthas (805) 255-0214 The Phone Co. BBS (901) 767-1801 QuestHaven BBS (815) 544-3648 SYCAMORE ELITE (815) 895-5573 Atom's Apple (815) 942-6755 THE bandit's Castle (815) 758-5040 New Beginnings (617) 648-5874 Caddy Shack................(201) 920-2353 1200 PC SYS The Magic Bag..............(201) 988-9489 1200 PC SYS ProDOS News................(203) 783-9597 2400 Pokey's Place..............(204) 253-1342 1200 Infonet II.................(204) 661-2138 1200 NorthStar..................(204) 661-8337 1200 DOS........................(204) 832-5397 2400 SchoolNet..................(204) 889-3584 2400 The A.P.P.L.E. Crate.......(206) 251-0543 1200 PC The Bull Board.............(213) 473-3128 1200 PC SYS North Texas BBS............(214) 221-8876 300 PC Syndey Austrailia..........(214) 241-4378 1200 PC Peripherals Plus...........(214) 424-2001 2400 PC SYS The Intermission...........(214) 612-1233 1200 PC The Thieves' Guild.........(214) 661-2051 1200 PC The Darkened Lantern.......(214) 758-4215 1200 PC Texas Trading Post.........(214) 785-4997 1200 PC Information Unlimited II...(215) 250-0341 1200 PC Phoenix Systems............(215) 398-4983 2400 PC Tower of High Sorcery......(215) 934-6274 1200 PC Clound Nine BBS............(216) 650-2989 2400 PC The AppleTree..............(216) 758-7617 1200 PC After 5pm wk-24hrs wke Capitol Apple..............(301) 498-8140 1200 SYS The Razor's Edge...........(301) 561-6161 2400 The Inner World............(302) 323-0762 2400 The Whole Apple............(302) 734-1766 1200 Les-Com-Net................(303) 233-5824 1200 PC The Night Shift............(303) 322-1544 1200 PC SYS Aces High BBS..............(303) 329-6579 1200 PC L & L Support..............(303) 420-3568 2400 PC Dementia...................(303) 989-8470 1200 PC Denver Mensa GEHS BBS...................(304) 645-6437 300 The RainForest.............(305) 434-4927 2400 $ NOT PC Pursuit Accesible! The Chicken Ranch..........(305) 676-3873 1200 PC SYS Space Frontiers............(305) 773-1251 1200 PC SYS Dementia...................(309) 755-6684 1200 The Phoenix................(312) 798-9150 1200 PC The Roger Park ABBS........(312) 973-2227 300 PC Electronic Odyessy Elite...(313) 474-5795 2400 PC The Emerald Forest.........(314) 351-6073 1200 The Racket Club #1.........(314) 725-0090 300 Country Courthouse #1......(314) 725-0711 1200 The Racket Club #2.........(314) 725-9555 1200 Country Courthouse #2......(314) 725-9600 300 The Boiler Room............(317) 743-6762 1200 MOM-.................(318) 387-2298 300 Star BBS............(318) 688-0522 1200 The Pilot Exchange.........(404) 669-0410 2400 PC The DuckNet BBS............(405) 355-9678 2400 Polis......................(405) 366-7538 2400 Oklahoma On-Line...........(405) 672-7442 1200 .