💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › CUD › cud1041.txt captured on 2022-06-12 at 11:08:39.
-=-=-=-=-=-=-
Computer underground Digest Sun July 26, 1998 Volume 10 : Issue 41
ISSN 1004-042X
Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth
Ralph Sims / Jyrki Kuoppala
Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest
CONTENTS, #10.41 (Sun, July 26, 1998)
File 1--Groups Write Senate on Pending Net Censorship Bills (EPIC)
File 2--Joint Letter to USSentate IN RE S-1619 and S-1482
File 3--Followup to Rutstein review
File 4--Re: [Secure-NT] Followup to Rutstein review
File 5--Microsoft, Netscape, & Diversity
File 6--cDc releases BACK ORIFICE for MS Windows
File 7--Cu Digest Header Info (unchanged since 25 Apr, 1998)
CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION ApPEARS IN
THE CONCLUDING FILE AT THE END OF EACH ISSUE.
---------------------------------------------------------------------
Date: Mon, 20 Jul 1998 18:18:18 -0400
From: EPIC-News List <epic-news@epic.org>
Subject: File 1--Groups Write Senate on Pending Net Censorship Bills (EPIC)
Published by the
Electronic Privacy Information Center (EPIC)
Washington, D.C.
http://www.epic.org
[1] Groups Write Senate on Pending Net Censorship Bills
EPIC joined with a dozen other free speech and civil liberties
groups on July 14 in a letter sent to the U.S. Senate concerning
two pending Internet censorship bills, saying they violate the
First Amendment. The groups contend that the bills -- one
requiring Internet content filters and the other setting criminal
penalties for providing "inappropriate" online material to minors)
-- would severely restrict free expression on the Internet.
The Senate may soon vote on both bills. Sen. John McCain's
"Internet School Filtering Act" (S. 1619) would require schools
and libraries receiving federal Internet subsidies to install
filtering software designed to prevent children from accessing
"inappropriate" material. Sen. Dan Coats' bill (S. 1482) would
criminalize the "commercial" distribution on websites of material
that is "harmful to minors." The Coats bill, in adopting a
criminalization approach to online content, is similar to the
Communications Decency Act (CDA) struck down last year by the
Supreme Court. The bill, which has been dubbed "CDA II," could
come to the Senate floor as early as this week.
"One year ago, the Supreme Court unanimously ruled that the
Communications Decency Act of 1996, which made it a crime to
transmit 'indecent' materials on the Internet, violated the First
Amendment," the coalition letter states. "The two pending bills
ignore the central holding of the Court; expression on the
Internet is entitled to the highest degree of First Amendment
protection.
"We share the concern of Sens. McCain and Coats that the Internet
remain a safe and rewarding medium for young people," the letter
continues. "However, we strongly believe that these bills embrace
approaches --filtering and criminalization -- that are both
constitutionally suspect and ultimately ineffective in providing
our children with positive online experiences."
EPIC is supporting an online campaign to raise Congressional
awareness of the implications of these Internet censorship bills.
Faxes can be sent --free of charge -- to your Senators by visiting
the EPIC Free Speech Action page:
http://www.epic.org/free_speech/action/
If you sent faxes to the Senate earlier, you helped keep these
bills off the floor. Please reiterate your concerns once again
and let your Senators know that these measures remain
controversial.
The text of the coalition letter to the Senate is available at the
Internet Free Expression Alliance website:
http://www.ifea.net/joint_ltr_7_14.html
------------------------------
Date: Sun, 26 Jul 1998 11:52:05 -0500
From: jthomas@SUN.SOCI.NIU.EDU(Jim Thomas)
Subject: File 2--Joint Letter to USSentate IN RE S-1619 and S-1482
INTERNET FREE EXPRESSION ALLIANCE
INTERNET FREE EXPRESSION ALLIANCE
JOINT LETTER TO THE UNITED STATES SENATE
July 14, 1998
Re: S. 1619 and S. 1482
Dear Senator:
We are writing on behalf of the undersigned organizations to express
our concerns about two bills that would restrict free expression on
the Internet -- S. 1619 and S. 1482. We understand that both of
these bills may soon be considered by the Senate.
One year ago, the Supreme Court unanimously ruled that the
Communications Decency Act of 1996, which made it a crime to
transmit "indecent" materials on the Internet, violated the First
Amendment. The two pending bills ignore the central holding of the
Court; expression on the Internet is entitled to the highest degree
of First Amendment protection. The Internet School Filtering Act (S.
1619), sponsored by Senator McCain, would require that all public
libraries and schools that receive federal funds for Internet access
install blocking software to restrict minors' access to
"inappropriate" material. S. 1482, sponsored by Senator Coats, would
punish commercial online distributors of material deemed "harmful to
minors" with up to six months in jail and a $50,000 fine.
We share the concern of Sens. McCain and Coats that the Internet
remain a safe and rewarding medium for young people. However, we
strongly believe that these bills embrace approaches -- filtering
and criminalization -- that are both constitutionally suspect and
ultimately ineffective in providing our children with positive
online experiences. As such, we urge you to consider a better
approach to this issue, one that would encourage the development of
"Internet drivers' education" programs of the kind being
successfully employed in communities throughout the nation. These
programs may effectively supplement policies that limit Internet use
to educational and curricular purposes. Individual school districts
that find them useful currently are free to adopt such educational
use policies, even without specific legislation.
We urge you to consider this alternative approach because we believe
that parents and teachers -- not the federal government -- should
provide our children with guidance about accessing information on
the Internet. Clumsy and ineffective blocking programs are "quick
fix" solutions to parental concerns that provide a false sense of
security that minors will be protected from all material that
parents may find inappropriate. At the same time, filtering software
restricts access to valuable, constitutionally protected online
speech about topics ranging from safe sex, AIDS, gay and lesbian
issues, news articles, and women's rights. Religious groups such as
the Society of Friends and the Glide United Methodist Church have
been blocked by these imperfect censorship tools, as have policy
groups like the American Family Association. This type of arbitrary
censorship is a blatant violation of the First Amendment.
S. 1482 should be rejected because it contains many of the
unconstitutional provisions of the Communications Decency Act that
were unanimously overturned by the Supreme Court in Reno v. ACLU.
Like the CDA, S. 1482 would have the effect of criminalizing
protected speech among adults. Whatever governmental interest may
exist to protect children from harmful materials, that interest does
not justify the broad suppression of adult speech. While the bill is
ostensibly aimed at "commercial" web sites, that term is so broad
that it covers anything from an on-line book seller like Amazon.com
to a non-profit website that sells books or T-shirts.
The age verification affirmative defense of S. 1482 -- which
precisely duplicates the CDA's defense -- ignores the finding in
Reno v. ACLU that there simply is no way to verify age on the
Internet. As the Supreme Court noted, the vast majority of websites
are not financially or technically capable of requiring a credit
card or other form of identification to verify the age of users. The
government may not mandate the application of a legal standard to
the Internet -- whether it be "indecency" or speech that is "harmful
to minors" -- that requires speakers to distinguish between adults
and minors when such a distinction cannot be made.
Finally, S. 1482 will not be effective in keeping from minors
material that might be inappropriate for them. No criminal provision
will be more effective than efforts to educate parents and minors
about Internet safety and how to properly use online resources.
Moreover, the Internet is a global medium. Despite all the
enforcement efforts that might be made, a national censorship law
cannot protect children from online content they will always be able
to access from foreign sources.
For the foregoing reasons we urge you to oppose S. 1619 and S. 1482
and any other efforts to dilute the potential of this powerful
medium. We hope you will agree with our view that an educational
approach, as opposed to filtering requirements and new criminal
laws, is the best way to address the issue of how our children use
the Internet.
Sincerely,
Christopher Finan
President
American Booksellers Foundation for Free Expression
Laura W. Murphy
Washington Office Director
American Civil Liberties Union
Aki Namioka
President
Computer Professionals for Social Responsibility
Barry Steinhardt
President
Electronic Frontier Foundation
David L. Sobel
General Counsel
Electronic Privacy Information Center
Joan M. Garry
Executive Director
Gay & Lesbian Alliance Against Defamation
Nina Crowley
Director
Massachusetts Music Industry Coalition
David Greene
Program Director
National Campaign for Freedom of Expression
Joan Bertin
Executive Director
National Coalition Against Censorship
Audrie Krause
Executive Director
NetAction
Bennett Haselton
Co-ordinator
Peacefire
Diana Ayton-Shenker
Director, Freedom-to-Write
PEN American Center
Carole Shields
President
People For the American Way
------------------------------
Date: Wed, 22 Jul 1998 15:34:53 -0700 (PDT)
From: Mike Godwin <mnemonic@well.com>
Subject--[correction] EFF's Barry Steinhardt on Senate's Internet
Date--Wed, 22 Jul 1998 15:45:42 -0500
From--Daniel Weitzner <djw@cdt.org
At 12:34 PM -0500 7/22/98, Dave Farber wrote:
FOR IMMEDIATE RELEASE
July 21, 1998
CONTACTS:
Barry Steinhardt, EFF President, 212 549 2508, E-mail barrys@eff.org
Alexander Fowler, EFF Director of Public Affairs, 202 462 5826,
E-mail afowler@eff.org
ELECTRONIC FRONTIER FOUNDATION REACTS TO SENATE PASSAGE OF TWO INTERNET
FILTERING BILLS
Statement of Barry Steinhardt
President of the Electronic Frontier Foundation
This afternoon the Senate passed two draconian bills that would
ultimately prevent access to a wide array of content on the
Internet.
I don't mean to rain on EFF's parade, but they have mistakenly
reported that CDA II passed the Senate when, in fact, it has not.
Senator Coats' CDA II and Sen. McCain's School/Library filtering
act were both attached to an appropriations bill, but that bill
has not yet passed the Senate. Moreover, pro-free speech forces
should be aware that there are a number of additional steps in
the legislative process before final passage and Presidential
signature of these bill. So, there's still time to express your
opinion to your elected representatives. They bill could pass
today, tomorrow, or never, but it's still important to
EFF is not alone in its confusion about this legislative process.
Several press outlets also reported that the bills passed. The
source of confusion appears to be a press release put out by the
bill's sponsor (Senator Coats) declaring victory in the Senate a
bit early.
======================================================================
Daniel J. Weitzner, Deputy Director djw@cdt.org
Center for Democracy and Technology +1 202.637.9800 (v)
1634 'Eye' St., NW Suite 1100 +1 202.637.0968 (f)
Washington, DC 20006 USA http://www.cdt.org/
PGP-Encrypted mail welcomed
------------------------------
Date: Thu, 23 Jul 1998 13:19:38 -0800
From: "Rob Slade" <rslade@sprint.ca>
Subject: File 3--Followup to Rutstein review
Boy, did *this* ever open a can of worms! I cannot recall any
review that has generated this much response, this fast.
Sorry to those who did not get a personal response, and thanks to
the majority of you for your kind words about the reviews, but
there were just too many of you, mostly asking the same question.
Almost all of you wanted to know of an NT security book that I
could recommend.
Well, I am sorry to disappoint you, but *I'd* like to know of an
NT security book that I could recommend. I haven't found one yet.
(For those incipient authors who are experts in the field, and
have about a year to give to the task, there is an apparent market
niche.)
The reason for this lack may lie in a number of areas. As one
correspondent implied, many think that "NT security" is an
oxymoron. I note that while there are a variety of NT security
resources out there, and there have been a few attempts to start
one, there is no really good NT security FAQ available yet. There
are a number of sites with exploit information, and there is one
vendor that tries to sell you an NT security file, but the closest
I've seen to a good FAQ was a recent "top ten" list of things to
do to make NT marginally more secure than it is when it ships.
I suspect that part of the problem lies in the design of NT
itself, which does not make security provisions straightforward to
implement, but it may also be simply bad luck in the selection of
authors who have attempted to address the issue so far. Of the
number of NT security books I've reviewed to date, I still haven't
found a definitely good one, let alone anything to the standard of
Spafford and Garfinkel.
Just to reiterate, here are the titles I've reviewed so far:
<p><a href="bkpwntsg.rvw"> "PCWeek Microsoft Windows NT
Security"</a>, Nevin Lambert/Manish Patel, 1997,
1-56276-457-8, U$39.99/C$56.95/UK#36.99 - good introductory
or non-specialist guide, but there are holes
<p><a href="bkwntscg.rvw"> "Windows NT Security Guide"</a>, Stephen
A. Sutton, 1997, 0-201-41969-6, U$29.95/C$41.00 - too vague
for users, lacking detail for administrators
<p><a href="bkwntsec.rvw"> "Windows NT Security"</a>, Charles B.
Rutstein, 1997, 0-07-057833-8, U$34.95 - reasonable range,
but has gaps and lacks analysis
Normally, if I were recommending texts on security in the UNIX
field, I would also include works on system administration.
However, in the NT arena, while some admin authors have tried to
cover the topic it is just too big to handle as a subsection of a
larger work.
======================
rslade@sprint.ca rslade@vcn.bc.ca robertslade@usa.net
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2 800-SPRINGER
------------------------------
Date: Fri, 24 Jul 1998 09:32:58 -0400
From: David LeBlanc <dleblanc@mindspring.com>
Subject: File 4--Re: [Secure-NT] Followup to Rutstein review
At 01:19 PM 7/23/98 -0800, Rob Slade wrote:
>Almost all of you wanted to know of an NT
>security book that I could recommend.
>Well, I am sorry to disappoint you, but *I'd* like to know of an NT security
>book that I could recommend. I haven't found one yet.
I have to differ. I've found the reviews you've done of both Rutstein and
Sutton's books to be hypercritical. Both of those books are resources that
I find valuable. I personally recommend both of them, as well as Mark
Edward's book. If I were to give someone an NT security reading list, I'd
start with those three, add the NT Resource Kit, and the help system to
ISS' Internet Scanner for Windows NT.
As someone who lives and breathes NT security (and has for about 4 years),
and who has been approached to write a book on the topic, I'd like to think
I'm familiar with this area and would be a decent judge of the existing
material. I'd also note that Jim Kelly (architect of NT's security
subsystem, and author of the security reference monitor) had some very good
words to say about Rutstein's book. I know Jim and have a lot of respect
for him and his opinion.
>The reason for this lack may lie in a number of areas. As one correspondent
>implied, many think that "NT security" is an oxymoron.
Nice joke, but any professional in the field understands that perfect
security cannot be obtained. We've got a difficult job to do trying to
secure networks, and there are significant challenges securing _any_
operating system.
>I note that while there
>are a variety of NT security resources out there, and there have been a few
>attempts to start one, there is no really good NT security FAQ available
yet.
You may be missing Robert Malgrem's FAQ. Sutton's NSA paper isn't a FAQ,
but is the clearest, most comprehensive and up-to-date information
available on what to secure and how to secure it. I can find very, very
few things I feel he's left out and little I can argue with.
>There are a number of sites with exploit information, and there is one vendor
>that tries to sell you an NT security file, but the closest I've seen to a
good
>FAQ was a recent "top ten" list of things to do to make NT marginally more
>secure than it is when it ships.
Then you should read Sutton's paper. It could be that you're not aware of
all the resources.
>Of the number of NT security books I've reviewed to date, I still
>haven't found a definitely good one, let alone anything to the standard of
>Spafford and Garfinkel.
Let's not lose sight of another fact - Spafford and Garfinkel was first
published in 1991. That is nearly 25 years after UNIX was invented. I
would certainly hope that we will accumulate a well-defined body of
knowledge on NT security in the next 20 years. A comparison of a book
based on 3-4 years of experience to a book based on over 25 years (current
edition) is going to be flawed - you're talking apples and oranges.
------------------------------
Date: Wed, 22 Jul 1998 13:31:03 -0700 (PDT)
From: David Batterson <davidbat@yahoo.com>
Subject: File 5--Microsoft, Netscape, & Diversity
Browser-Enemies Microsoft and Netscape Are
Kindred Spirits Regarding Employee Diversity
by David Batterson
There are gay-friendly computer companies, and those that only
pretend to be. Let's separate the wheat from the chaff. If a company
isn't gay-friendly with its employees, do you want to buy from them?
A few of the many gay-friendly computer corporations (A-Z) are
Adobe Systems, Aldus, Apple Computer, AOL, Dell, Egghead, IBM,
Gateway, Lucent Technologies, NEC America, Oracle, Qualcomm, Seagate
Technology, Texas Instruments, US Robotics (now part of 3COM), Xerox
and Ziff-Davis.
Two companies are currently fighting a fierce browser-battle
that makes the Bette Davis v. Joan Crawford spats look like ballroom
dancing. While many favor Netscape's browser, that's not the issue
today.
What the focus is: are these companies a great place for those in the
GLBT community to work? The answer in both case is: definitely.
Both offer domestic partnership benefits, natch, and much more.
Microsoft has a huge commitment to diversity, and also devotes a
large Web section to it: www.microsoft.com/diversity/default.htm.
Microsoft currently offers two interactive diversity training
programs. The "Diversity Awareness" program is an introduction to
diversity. The program "focuses on reducing the image and influence
of stereotypes, identify elements that make each participant a
diverse person, and share communication strategies that help
participants in a diverse environment."
The company also has a variety of internal initiatives, including
an intranet site (internal to Microsoft employees only) called
"DiversityNet" where employees can find information vital to the
company's diversity efforts.
If you have any questions/comments about diversity at Microsoft or
their Diversity Web site, e-mail them at: diverse@microsoft.com.
GLBT job candidates are encouraged to submit resumes directly to:
Jobseek@microsoft.com.
While Netscape's diversity section in their corporate Web site is
not as elaborate as Microsoft's, it shows their true colors. Surf to:
home.netscape.com/comprod/about_netscape/hr/diversity/index.html.
Or just go to their main Web site, and search under "Jobs."
Netscape's diversity statement says: "Netscape is committed to
hiring the brightest and the best, and we execute this philosophy
without regard to race, color, creed, religion, national origin,
sexual orientation (perceived or otherwise), age, sex, or
disability."
It goes on: "Diversity in our work environment is not simply
something Netscape values, we strive for it. Project DIVA (Diversity
Involves Valuing All) is a four-step process conceived to actively
pursue the goal of cultural diversity within the company."
Netscape also has a program that works with university programs and
community organizations to increase the diversity of their applicant
pool. E-mail them for more info: diversity@netscape.com.
So there you have it. In the diversity competition between
Microsoft and Netscape, you'd have to call it a draw (and that's good
for us). If you work for either company (or know those who do), your
feedback is welcomed.
------------
Send comments to davidbat@yahoo.com. Copyright 1998, All Rights
Reserved. May not be reprinted without permission.
------------
David Batterson has written for gay papers (B.A.R., Just Out, Bay
Windows, The Texas Triangle, The Weekly News), as well as regional
and national computer publications.
------------------------------
Date: Fri, 24 Jul 1998 18:47:33 -0700 (PDT)
From: editor@cultdeadcow.com
Subject: File 6--cDc releases BACK ORIFICE for MS Windows
RUNNING A MICROSOFT OPERATING SYSTEM ON A NETWORK? OUR CONDOLENCES.
[July 21, San Francisco] The CULT OF THE DEAD COW (cDc) will release Back
Orifice, a remote MS Windows Administration tool at Defcon VI in Las Vegas
(www.defcon.org) on August 1. Programmed by Sir Dystic [cDc], Back Orifice
is a self-contained, self-installing utility which allows the user to
control and monitor computers running the Windows operating system over a
network.
Sir Dystic sounded like an overworked sysadmin when he said, "The two main
legitimate purposes for BO are, remote tech support aid and employee
monitoring and administering [of a Windows network]."
Back Orifice is going to be made available to anyone who takes the time to
download it. So what does that mean for anyone who's bought into
Microsoft's Swiss cheese approach to security? Plenty according to
Mike Bloom, Chief Technical Officer for Gomi Media in Toronto.
"The current path of learning I see around me is to learn what you have to
to cover your ass, go home and watch Jerry. Microsoft has capitalized on
this at the cost of production value which translates down to security. A
move like releasing [Back Orifice] means that the lowest common
denominator of user will have to come to understand the threat, and that
it is not from [Sir Dystic] writing an app that [potentially] turns Win32
security on its ear, but that Microsoft has leveraged itself into a
position where anyone who wants to can download an app [or write their
own!] and learn a few tricks and make serious shit happen."
None of this is lost on Microsoft. But then again, they don't care.
Security is way down on their list of priorities according to security
expert Russ Cooper of NT BUGTRAQ (www.ntbugtraq.com). "Microsoft doesn't
care about security because I don't believe they think it affects their
profit. And honestly, it probably doesn't." Nice. But regardless of which
side of the firewall you sit on, you can't afford not to have a copy of
Back Orifice. Here are the specs:
Back Orifice (BO) allows the user to remotely control almost all parts of
the operating system, including:
File system
Registry
System
Passwords
Network
Processes