From dfox@fc.net Sat Jan 21 06:24:37 1995 Received: from freeside.fc.net (freeside.fc.net [198.6.198.2]) by bigboote.WPI.EDU (8.6.9/8.6) with ESMTP id GAA16091 for ; Sat, 21 Jan 1995 06:24:34 -0500 Received: (from dfox@localhost) by freeside.fc.net (8.6.8.1/8.6.6) id FAA02217 for mikecap@wpi.edu; Sat, 21 Jan 1995 05:21:35 -0600 Date: Sat, 21 Jan 1995 05:21:35 -0600 From: Malik Al-Rashim Message-Id: <199501211121.FAA02217@freeside.fc.net> To: mikecap@wpi.edu Subject: JAUC-File11 Status: O MY LIFE AS AN INTERNATIONAL ARMS COURIER By Matt Blaze (mab@research.att.com) Under an obscure provision of US law, devices and computer programs that use encryption techniques to hide information from prying eyes and ears are considered ``munitions'' and subject to the same rules that govern the international arms trade. In particular, taking such items out of this country requires the approval of the State Department, which decides whether exporting something might endanger national security. In the past, these restrictions were of little concern to the average citizen; encryption found most of its application in military and diplomatic communications equipment. Today, however, growing concern over electronic fraud and privacy means that encryption techniques are starting to find their way into more conventional commercial products like laptop computers and portable phones. Mostly to find out what the process was like, I recently applied for a temporary export license for a portable telephone encryption product that I wanted to take with me on a business trip to England and Belgium. The item in question is more properly called a ``telephone security device.'' This is a little box that scrambles telephone conversations to protect them against eavesdroppers; this sort of protection is sometimes important when discussing confidential business matters from faraway places. The particular model I bought was already approved for export; it employs a cipher algorithm that the government has already decided is not a threat to national security even should it fall into the hands of some rogue government. This model is aimed primarily, I presume, at international business travelers who want to communicate in a reasonably secure manner with their home offices in the states. In other words, a typical user buys two of them, leaving one at the home office and carrying the other when traveling abroad. The options that came with my device included a James Bond-ish looking acoustic coupler and handset to facilitate its connection to the hardwired phones that are still common in European hotel rooms. It turns out that there was recently some discussion in the government about exempting products like my secure phone from the licensing paperwork requirements. Unfortunately, however, this exemption never actually took effect. So even though the device I had was already approved for sale abroad, I still needed to get a temporary export license before I could take it with me. But I was assured that ``this is an easy, routine process''. Well, sure enough, about two weeks before I was to leave I got back my official US State Department ``license for the temporary export of unclassified defense articles''. So far, so good. From what I was able to figure out by reading the license (and having a few conversations with an export lawyer), I'm required to leave from an international airport with a Customs agent present (no problem there, although Customs is geared to arriving, rather than departing, travelers). At the airport, I'm supposed to fill out a form called a ``shipper's export declaration'' (SED) on which I have to declare that ``these commodities are authorized by the US government for export only to Belgium and the United Kingdom. They may not be resold, transshipped, or otherwise disposed of in any country, either in their original form or incorporated into other end-items without the prior written approval of the US Department of State''. Then I'm to present the SED and export license to a Customs official at the airport before I leave. The Customs officer is supposed to take my SED and endorse my license to show what I'm actually taking out of the country. On the way back in, I'm supposed to ``declare'' my item at Customs (even though it was manufactured in the US) and show them my license, and they're supposed to endorse the license again as proof that I have, in fact, returned the ``defense article'' to the safety of the United States. The first hitch I ran into was that no one could actually tell me where I could get an SED form. But when I called Customs they assured me that this was no big deal. ``Just come by when you get to the airport and we stamp the license. I guess you can just fill out the SED there,'' they said. I made sure to get to the airport early anyway. Although there was moderately heavy traffic near the airport, I made it to JFK two and a half hours before my 10pm flight. I was flying United, which has their own terminal at JFK, so Customs has an office right there in the same building from which I was to depart (JFK is awful to get around, so I was glad for this). I checked in for my flight (and got upgraded to first class, which bolstered my expectation that everything was going to be really easy from here on). Then, luggage, license and phone in hand, I made my way downstairs to Customs, expecting to fill out the SED form and ``just have my license stamped'' as they had assured me earlier on the telephone. I explained my situation to the security guard who controls entry to the Customs area, and he led me to ``the back office'' without much argument or delay. The head uniformed Customs guy in the back office (which I think is same office where they take the people suspected of being ``drug mules'' with cocaine-filled condoms in their stomaches) looked approachable enough. He had a sort of kindly, grandfatherly manner, and he was playing a video game on a laptop computer. I got the impression that most of the people he encounters are suspected drug smugglers, and he seemed pleased enough to be dealing with something a little different from the norm. When I explained what I was doing he looked at me as if I had just announced that I was a citizen of Mars who hadn't even bothered to obtain a visa. He explained, carefully, that a) I really do need the SED form; b) not only that, I should have already filled it out, in duplicate; c) he doesn't have blank SED forms; d) he, like everyone else in the entire US government that I had spoken to, has no idea where one gets them from, but people must get them from somewhere; and e) it doesn't really matter, because I'm in the wrong place anyway. I asked him where the right place is. ``The cargo building, of course,'' he told me, patiently. I remembered the cargo building because I passed it in the taxi just as the traffic jam began, about half an hour before I got to the United terminal. The airport shuttle bus doesn't stop there. I'd have to call a taxi. ``But I think they're closed now, and even if they were open you'd never make it before your flight'' he helpfully added, saving me the trip. He also complemented me for going to the trouble to get the license. I must have looked hurt and confused. Eventually he called in some fellow in a suit who I presume to have been his boss. ``Are you the guy who wants to export the fancy gun?'' the fellow in the suit asked me. ``It's not a gun, it's a telephone,'' I responded, with a straight face. ``Why do you have a license to export a telephone?'' Good question, I thought. I explained about the export law and showed him the thing. He agreed that it looked pretty harmless. The fellow in the suit reiterated points a through e almost verbatim (do they rehearse for these things?) and explained that this isn't really their department, since my license was issued by the State Department, not Customs, and my situation doesn't come up very often because exports usually go via the cargo building. He'd love to help me, but the computer in which these things get entered is over in Cargo. ``That's how the records get made. But you do have a valid license, which is nice.'' He also suggested that I would have had an easier time had I shipped the device instead of carrying it with me. I asked what I should do, given that my plane was scheduled to leave in less than an hour. Neither was sure, but the fellow in the suit seemed willing leave it to the discretion of the uniformed guy. ``How does this thing work, anyway?'' he asked. I explained as best as I could, trying to make it sound as harmless as it is. ``You mean like that Clipper chip?'' he asked. At this point, given that he has a computer and knows something about the Clipper chip, I figured that maybe there was some hope of making my flight. Or maybe I was about to spend the night in jail. In my mind, I put it at about a 90:10 hope:jail ratio. Then he asked, ``Do you know about this stuff?'' So we chatted about computers and cryptography for a while. Finally, the two of them decided that it wouldn't really hurt for them to just sign the form as long as I promised to call my lawyer and get the SED situation straightened out ASAP. They assured me that I won't be arrested or have any other trouble upon my return. I made my flight, validated license in hand. An aside: Throughout my trip, I discovered an interesting thing about the phone and the various options I was carrying with it. Under X-ray examination, it looks just like some kind of bomb. (I suspect it was the coiled handset cords). Every time I went through a security checkpoint, I had to dig the thing out of my luggage and show it to the guard. I almost missed the new ``Eurostar'' chunnel train (3hrs 15mins nonstop from London to Brussels, airport-style check-in and security) as the guards were trying to figure out whether my telephone was likely to explode. Coming back to the US was less eventful, though it did take me an extra hour or so to get through Customs. Expecting a bit of a hassle I didn't check any luggage and made sure to be the first person from my flight to reach the Customs line. The inspector was ready to wordlessly accept my declaration form and send me on my way when I opened my mouth and explained that I needed to get an export license stamped. That was obviously a new one for him. He finally decided that this had to be handled by something called the ``Ships Office''. I was sent to an unoccupied back room (a different back room from before) and told to wait. I thought about the recent Customs experiences of Phil Zimmermann. (Zimmermann, the author of a popular computer encryption program, was recently detained, questioned and searched by Customs officials investigating whether he violated the same regulations I was trying so hard to follow.) After about half an hour, an officer came in and asked me what I needed. I explained about my export license that had to be endorsed. She just shrugged and told me that she had to ``process the flight'' first. As best as I could tell, her job was to clear the airplane itself through Customs, that being, technically speaking, a very expensive import. It would take a little while. She was pleasant enough, though, and at least didn't look at me as if she intended to send me to jail or have me strip searched. Finally, she finished with the plane and asked me for my form. She studied it carefully, obviously never having seen one before, and eventually asked me what, exactly, she was supposed to do. I explained that I had never actually gone through this process before but I understood that she's supposed to record the fact that I was re-importing the device and stamp my license somewhere. She told me that she didn't know of any place for her to record this. After some discussion, we agreed that the best thing to do was to make a Xerox copy of my license and arrange for it to go wherever it had to go later. She stamped the back of the license and sent me on my way. It was a little over an hour after I first reached the Customs desk. My conclusion from all this is that it just isn't possible for an individual traveler to follow all the rules. Even having gone through the process now, I still have no idea how to obtain, let alone file, the proper forms, even for a device that's already been determined to be exportable. The export of export-controlled items is ordinarily handled by cargo shipment, not by hand carrying by travelers, and the system is simply not geared to deal with exceptions. Technically speaking, everyone with a laptop disk encryption program who travels abroad is in violation of the law, but since no one actually knows or checks, no mechanism exists to deal with those who want to follow the rules. While (fortunately) everyone I dealt with was sympathetic, no one in the government who I spoke with was able to actually help me follow the rules. I was permitted to leave and come back only because everyone involved eventually recognized that my telephone was pretty harmless, that my intentions were good, and that the best thing to do was be flexible. If anyone had taken a hard line and tried to enforce the letter of the law, I simply wouldn't have been able to take the thing with me, even with my license. Had I just put my telephone in my suitcase without telling anyone instead of calling attention to myself by trying to follow the rules, chances are no one would have noticed or cared. Unfortunately, however, these absurd rules carry the full force of law, and one ignores them only at the risk of being prosecuted for international arms trafficking. While it may seem far-fetched to imagine US citizens prosecuted as arms smugglers simply for carrying ordinary business products in their luggage, the law as written allows the government to do just that. At the same time, anyone who is aware of and who tries to follow the regulations is made to jump through pointless hoops that are so obscure that even the people charged with enforcing them don't know quite what to make of them. Copyright 1995 by Matt Blaze. All rights reserved. Electronic redistribution permitted provided this article is reproduced in its entirety. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% OPEN LETTER TO WIRED MAGAZINE By Chris Goggans (phrack@well.sf.ca.us) To Whom It May Concern: I am writing this under the assumption that the editorial staff at Wired will "forget" to print it in the upcoming issue, so I am also posting it on every relevant newsgroup and online discussion forum that I can think of. When I first read your piece "Gang War In Cyberspace" I nearly choked on my own stomach bile. The whole tone of this piece was so far removed from reality that I found myself questioning what color the sky must be in Wired's universe. Not that I've come to expect any better from Wired. Your magazine, which could have had the potential to actually do something, has become a parody...a politically correct art-school project that consistently falls short of telling the whole story or making a solid point. (Just another example of Kapor-Kash that ends up letting everyone down.) I did however expect more from Josh Quittner. I find it interesting that so much emphasis can be placed on an issue of supposed racial slurs as the focus of an imaginary "gang war," especially so many years after the fact. It's also interesting to me that people keep overlooking the fact that one of the first few members of our own little Legion of Doom was black (Paul Muad'dib.) Maybe if he had not died a few years back that wouldn't be so quickly forgotten. (Not that it makes a BIT of difference what color a hacker is as long as he or she has a brain and a modem, or these days at least a modem.) I also find it interesting that a magazine can so easily implicate someone as the originator of the so-called "fighting words" that allegedly sparked this online-battle, without even giving a second thought as to the damage that this may do to the person so named. One would think that a magazine would have more journalistic integrity than that (but then again, this IS Wired, and political correctness sells magazines and satisfies advertisers.) Thankfully, I'll only have to endure one month of the "Gee Chris, did you know you were a racist redneck?" phone calls. It's further odd that someone characterized as so sensitive to insults allegedly uttered on a party-line could have kept the company he did. Strangely enough, Quittner left out all mention of the MOD member who called himself "SuperNigger." Surely, John Lee must have taken umbrage to an upper-middle class man of Hebrew descent so shamefully mocking him and his entire race, wouldn't he? Certainly he wouldn't associate in any way with someone like that...especially be in the same group with, hang out with, and work on hacking projects with, would he? Please, of course he would, and he did. (And perhaps he still does...) The whole "racial issue" was a NON-ISSUE. However, such things make exciting copy and garner many column inches so keep being rehashed. In fact, several years back when the issue first came up, the statement was cited as being either "Hang up, you nigger," or "Hey, SuperNigger," but no one was sure which was actually said. Funny how the wording changes to fit the slant of the "journalist" over time, isn't it? I wish I could say for certain which was actually spoken, but alas, I was not privy to such things. Despite the hobby I supposedly so enjoyed according to Quittner, "doing conference bridges," I abhorred the things. We used to refer to them as "Multi-Loser Youps" (multi-user loops) and called their denizens "Bridge Bunnies." The bridge referred to in the story was popularized by the callers of the 5A BBS in Houston, Texas. (A bulletin board, that I never even got the chance to call, as I had recently been raided by the Secret Service and had no computer.) Many people from Texas did call the BBS, however, and subsequently used the bridge, but so did people from Florida, Arizona, Michigan, New York and Louisiana. And as numbers do in the underground, word of a new place to hang out caused it to propagate rapidly. To make any implications that such things were strictly a New York versus Texas issue is ludicrous, and again simply goes to show that a "journalist" was looking for more points to add to his (or her) particular angle. This is not to say that I did not have problems with any of the people who were in MOD. At the time I still harbored strong feelings towards Phiber Optik for the NYNEX-Infopath swindle, but that was about it. And that was YEARS ago. (Even I don't harbor a grudge that long.) Even the dozen or so annoying phone calls I received in late 1990 and early 1991 did little to evoke "a declaration of war." Like many people, I know how to forward my calls, or unplug the phone. Amazing how technology works, isn't it? Those prank calls also had about as much to do with the formation of Comsec as bubble-gum had to do with the discovery of nuclear fission. (I'm sure if you really put some brain power to it, and consulted Robert Anton Wilson, you could find some relationships.) At the risk of sounding glib, we could have cared less about hackers at Comsec. If there were no hackers, or computer criminals, there would be no need for computer security consultants. Besides, hackers account for so little in the real picture of computer crime, that their existence is more annoyance than something to actually fear. However, when those same hackers crossed the line and began tapping our phone lines, we were more than glad to go after them. This is one of my only rules of action: do whatever you want to anyone else, but mess with me and my livelihood and I will devote every ounce of my being to paying you back. That is exactly what we did. This is not to say that we were the only people from the computer underground who went to various law enforcement agencies with information about MOD and their antics. In fact, the number of hackers who did was staggering, especially when you consider the usual anarchy of the underground. None of these other people ever get mentioned and those of us at Comsec always take the lead role as the "narks," but we were far from alone. MOD managed to alienate the vast majority of the computer underground, and people reacted. All in all, both in this piece, and in the book itself, "MOD, The Gang That Ruled Cyberspace," Quittner has managed to paint a far too apologetic piece about a group of people who cared so very little about the networks they played in and the people who live there. In the last 15 years that I've been skulking around online, people in the community have always tended to treat each other and the computers systems they voyeured with a great deal of care and respect. MOD was one of the first true examples of a groupthink exercise in hacker sociopathy. Selling long distance codes, selling credit card numbers, destroying systems and harassing innocent people is not acceptable behavior among ANY group, even the computer underground. There have always been ego flares and group rivalries in the underground, and there always will be. The Legion of Doom itself was FOUNDED because of a spat between its founder (Lex Luthor) and members of a group called The Knights of Shadow. These rivalries keep things interesting, and keep the community moving forward, always seeking the newest bit of information in a series of healthy one-upsmanship. MOD was different. They took things too far against everyone, not just against two people in Texas. I certainly don't condemn everyone in the group. I don't even know a number of them (electronically or otherwise.) I honestly believe that Mark Abene (Phiber) and Paul Stira (Scorpion) got royally screwed while the group's two biggest criminals, Julio Fernandez (Outlaw) and Allen Wilson (Wing), rolled over on everyone else and walked away free and clear. This is repulsive when you find out that Wing in particular has gone on to be implicated in more damage to the Internet (as Posse and ILF) than anyone in the history of the computing. This I find truly disgusting, and hope that the Secret Service are proud of themselves. Imagine if I wrote a piece about the terrible treatment of a poor prisoner in Wisconsin who was bludgeoned to death by other inmates while guards looked away. Imagine if I tried to explain the fact that poor Jeff Dahmer was provoked to murder and cannibalism by the mocking of adolescent boys who teased and called him a faggot. How would you feel if I tried to convince you that we should look upon him with pity and think of him as a misunderstood political prisoner? You would probably feel about how I do about Quittner's story. 'Hacker' can just as easily be applied to "journalists" too, and with this piece Quittner has joined the Hack Journalist Hall of Fame, taking his place right next to Richard Sandza. Quittner did get a few things right. I do have a big cat named Spud, I do work at a computer company and I do sell fantastic t-shirts. Buy some. With Love, Chris Goggans aka Erik Bloodaxe %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% WHEN BIGOTRY OUTPACES TECHNOLOGY By Douglas Welch dewelch@pop.com Previously published in the Los Angeles Times, Monday, December 19, 1994. Page B15 Note: Electronic re-posting is ALLOWED but NO PAPER REPRINTS or inclusion in online digests without written permission from the author. All postings must retain this notice. Copyright (c) 1994 Douglas E. Welch dewelch@pop.com 76625,3301 * Communications: We need to attack the message, not the modem, to ensure on-line services are free from censorship. As each new technology marches onto the scene, there are some who instantly blame all the ills of society on it. Groups calling for the censorship of computer networks are forgetting that it is not the technology that is causing the problem, but the people using the technology. Instead of targeting the authors of hate speech on the computer networks, they are targeting the networks themselves. This only reinforces the immediate need for on-line computer services to be protected by the federal government as "common carriers," like telephone utilities. Hatemongers and bigots have always been a part of human society. Through ignorance and bullying, they gather their flock, but it is through open debate, education and reasoned discourse that they are best confronted. Instead, professed anti-hate groups are attacking the providers of on-line services in an effort to force them to remove offensive messages or prevent their posting. Rather than using the technology to fight back and denounce hate speech, they are seeking to remove the freedom of speech altogether. Were the situation reversed, I am sure you would hear them decrying the evils of censorship as loudly as they call for it now. Telephone companies cannot be sued when offensive or illegal calls are placed through their systems. On-line services deserve the same kind of "common carrier" status. There is no reason on-line services should have to be both provider and policeman. This places them in danger of being a censor. On-line users have several simpler options. They can merely ignore the message with the press of a key or set their "kill file" to ignore messages of certain content or from a certain user. Ultimately, on-line services provide users the chance to engage these hatemongers in a forum free of physical threat with hopes of liberating their narrow focus. The immediacy of posting a response can only be found in the on-line world. On-line services are no passing fad. they are rapidly gaining popularity on par with telephone and fax service. We need to stop treating on-line services like something new and ensure that they are free from censorship pressures. Censorship has always been defined as a "slipperly slope" that can easily lead to a repression of ideas and a lower quality of life. Whether we communicate via paper, phone lines or on-line computer services, our freedom of speech should be protected. Hate groups should be targeted for their messages, not how they send them. Douglas E. Welch is a computer consultant. He can be reached at dewelch@pop.com. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% LETTER FROM STEVE CASE; RE: CHILD PORN ON AOL By Steve Case Ever since we first launched America Online we've remained committed to fostering an electronic community that provides a fun, enjoyable and enriching experience for all members. We've asked our members to honor the privilege of interactivity, and we've strictly enforced our Terms of Service to help foster the kind of community of which we can all be proud. Recently, however, some material has been brought to our attention by some of our members which involves illegal activity -- the trading of images in electronic mail which appear to be child pornography. Upon receiving the material, and verifying that it was a violation of our Terms of Service, and in all likelihood illegal, we immediately contacted the FBI and terminated the accounts of the senders. While we recognize that any community around the United States with more than 1.5 million citizens will have its share of illegal activity, we were nonetheless disheartened to find that some members are abusing the communications features of AOL in this way. We simply will not tolerate such illegal activity on America Online. To anyone who may be using America Online for illegal purposes, be advised that we will terminate the accounts of those participating and we will notify the proper authorities of any illegal activity that is brought to our attention. Our policy is that all private communications -- including e-mail, instant messages, and private chat rooms -- are strictly private. We do not, will not, and legally cannot monitor any private communications. But if we are alerted to a potential offense and we are sent evidence, as we were recently, we will vigorously pursue the matter. In this case, electronic mail was forwarded to our attention by our members, and as recipients of the mail we were able to turn the material over to the authorities. We have over 250 people who help us provide assistance in the public areas of the service and give guidance to members who are new or who have questions. Of late, we've had a growing problem with member-created rooms whose title and discussion violate our Terms of Service. Member-created rooms have always been a unique and much-valued aspect of America Online. Often, these rooms provide the seeds for new special interest forums that later emerge. But as more members abuse the privilege and establish rooms that suggest illegal activity, or detract from the enjoyment of others with offensive titles, we are faced with looking at a higher level of safeguards as it relates to member-created rooms. We simply cannot keep up with the sheer volume of rooms created, and as a result, from time to time rooms that violate TOS remain open for some period of time. We're looking at several alternatives to improve the situation. We don't want to see our members denied the privilege of this fun and creative interactive environment due to the abuses of a few, but at the same time we do feel some action is warranted to safeguard this popular "neighborhood" in our community. Unfortunately, this is not the first time we have encountered this problem, nor is it unique to AOL. In 1991, we were faced with a similar situation. At that time, we went to our members -- as we're doing now -- advised them of the situation and asked for their help. And recently, recognizing the potential for abuses in this emerging medium, online service providers banded together to sponsor a "child safety" brochure that gives parents tips and guidelines to foster a productive and safe environment for children online. A copy of this brochure can be found in the Parents Information Center, keyword: Parents. We encourage parents to take the time to review it. In addition we strongly encourage parents to monitor their children's use of this medium, much as they would any other medium such as television, magazines, etc. We've also implemented "parental controls" which allow parents to restrict their children's online access. Each one of us needs to respect and honor the privileges of this electronic community. If you haven't reviewed our Terms of Service, take a few minutes now and do so. If you observe what you believe may be illegal activity on AOL, bring it to our attention. The problem is not widespread -- we believe only a mere fraction of this community is involved. Let's work together to insure that America Online remains the kind of community that you want your friends and family to enjoy. Thanks for your continued support. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%