==Phrack Inc.==

Volume Three, Issue 26, File 9 of 11

Phrack World News
Issue XXVI/Part 1
April 25, 1989
Created, Written, and Edited by Knight Lightning

Welcome to Issue XXVI of Phrack World News. This issue features articles on Robert Tappan Morris, ITT, Telenet, PC Pursuit, a hacker's convention in Holland, government wiretapping, viruses, social security numbers, a rivalry between two different factions of TAP Magazine and much more.

As we are getting closer to SummerCon '89, it is becoming increasingly more important for us to get an idea of who to be expecting and who we need to contact to supply with further information. Since we only communicate directly with a select group of people at this time, we recommend that you contact Red Knight, Aristotle, or Violence (or other members of the VOID hackers). These people will in turn contact us and then we can get back to you.

Keep in mind that only people who are able to contact us will be receiving the exact location of SummerCon '89. Please do not wait till the last minute as important information and changes can occur at any time.

:Knight Lightning
_______________________________________________________________________________

Cornell Panel Concludes Morris Responsible For Computer Worm      April 6, 1989
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
By Dennis Meredith (Cornell Chronicle)

Graduate student Robert Tappan Morris Jr., working alone, created and spread the "worm" computer program that infected computers nationwide last November, concluded an internal investigative commission appointed by Provost Robert Barker.
The commission said the program was not technically a "virus" -- a program that inserts itself into a host program to propagate -- as it has been referred to in popular reports. The commission described the program as a "worm," an independent program that propagates itself throughout a computer system.

In its report, "The Computer Worm," the commission termed Morris's behavior "a juvenile act that ignored the clear potential consequences." This failure constituted "reckless disregard of those probable consequences," the commission stated.

Barker, who had delayed release of the report for six weeks at the request of both federal prosecutors and Morris's defense attorney, said, "We feel an overriding obligation to our colleagues and to the public to reveal what we know about this profoundly disturbing incident."

The commission had sought to determine the involvement of Morris or other members of the Cornell community in the worm attack. It also studied the motivation and ethical issues underlying the release of the worm.

Evidence was gathered by interviewing Cornell faculty, staff, and graduate students and staff and former students at Harvard University, where Morris had done undergraduate work.

Morris declined to be interviewed on advice of counsel. Morris had requested and has received a leave of absence from Cornell, and the university is prohibited by federal law from commenting further on his status as a student.

The commission also was unable to reach Paul Graham, a Harvard graduate student who knew Morris well. Morris reportedly contacted Graham on November 2, 1988, the day the worm was released, and several times before and after that.

Relying on files from Morris's computer account, Cornell Computer Science Department documents, telephone records, media reports, and technical reports from other universities, the commission found that:

- Morris violated the Computer Sciences Department's expressed policies against computer abuse.
  Although he apparently chose not to attend orientation meetings at which the policies were explained, Morris had been given a copy of them. Also, Cornell's policies are similar to those at Harvard, with which he should have been familiar.

- No member of the Cornell community knew Morris was working on the worm. Although he had discussed computer security with fellow graduate students, he did not confide his plans to them. Cornell first became aware of Morris's involvement through a telephone call from the Washington Post to the science editor at Cornell's News Service.

- Morris made only minimal efforts to halt the worm once it had propagated, and did not inform any person in a position of responsibility about the existence or content of the worm.

- Morris probably did not intend for the worm to destroy data or files, but he probably did intend for it to spread widely. There is no evidence that he intended for the worm to replicate uncontrollably.

- Media reports that 6,000 computers had been infected were based on an initial rough estimate that could not be confirmed. "The total number of affected computers was surely in the thousands," the commission concluded.

- A computer security industry association's estimate that the worm caused about $96 million in damage is "grossly exaggerated" and "self-serving."

- Although it was technically sophisticated, "the worm could have been created by many students, graduate or undergraduate ... particularly if forearmed with knowledge of the security flaws exploited or of similar flaws."

The commission was led by Cornell's vice president for information technologies, M. Stuart Lynn. Other members were law professor Theodore Eisenberg, computer science Professor David Gries, engineering and computer science Professor Juris Hartmanis, physics professor Donald Holcomb, and Associate University Counsel Thomas Santoro.
Release of the worm was not "an heroic event that pointed up the weaknesses of operating systems," the report said. "The fact that UNIX ... has many security flaws has been generally well known, as indeed are the potential dangers of viruses and worms."

The worm attacked only computers that were attached to Internet, a national research computer network, and that used certain versions of the UNIX operating system. An operating system is the basic program that controls the operation of a computer.

"It is no act of genius or heroism to exploit such weaknesses," the commission said.

The commission also did not accept arguments that one intended benefit of the worm was a heightened public awareness of computer security.

"This was an accidental by-product of the event and the resulting display of media interest," the report asserted. "Society does not condone burglary on the grounds that it heightens concern about safety and security."

In characterizing the action, the commission said, "It may simply have been the unfocused intellectual meandering of a hacker completely absorbed with his creation and unharnessed by considerations of explicit purpose or potential effect."

Because the commission was unable to contact Graham, it could not determine whether Graham discussed the worm with Morris when Morris visited Harvard about two weeks before the worm was launched. "It would be interesting to know, for example, to what Graham was referring to in an Oct. 26 electronic mail message to Morris when he inquired as to whether there was 'Any news on the brilliant project?'" said the report.

Many in the computer science community seem to favor disciplinary measures for Morris, the commission reported.

"However, the general sentiment also seems to be prevalent that such disciplinary measures should allow for redemption and as such not be so harsh as to permanently damage the perpetrator's career," the report said.
The commission emphasized that this conclusion was only an impression from its investigations and not the result of a systematic poll of computer scientists.

"Although the act was reckless and impetuous, it appears to have been an uncharacteristic act for Morris" because of his past efforts at Harvard and elsewhere to improve computer security, the commission report said.

Of the need for increased security on research computers, the commission wrote, "A community of scholars should not have to build walls as high as the sky to protect a reasonable expectation of privacy, particularly when such walls will equally impede the free flow of information."

The trust between scholars has yielded benefits to computer science and to the world at large, the commission report pointed out. "Violations of that trust cannot be condoned. Even if there are unintended side benefits, which is arguable, there is a greater loss to the community as a whole."

The commission did not suggest any specific changes in the policies of the Cornell Department of Computer Science and noted that policies against computer abuse are in place for centralized computer facilities. However, the commission urged the appointment of a committee to develop a university-wide policy on computer abuse that would recognize the pervasive use of computers distributed throughout the campus.

The commission also noted the "ambivalent attitude towards reporting UNIX security flaws" among universities and commercial vendors. While some computer users advocate reporting flaws, others worry that such information might highlight the vulnerability of the system.

"Morris explored UNIX security amid this atmosphere of uncertainty, where there were no clear ground rules and where his peers and mentors gave no clear guidance," the report said.

"It is hard to fault him for not reporting flaws that he discovered.
From his viewpoint, that may have been the most responsible course of action, and one that was supported by his colleagues."

The commission's report also included a brief account of the worm's course through Internet. After its release shortly after 7:26 p.m. on November 2, 1988, the worm spread to computers at the Massachusetts Institute of Technology, the Rand Corporation, the University of California at Berkeley and others, the commission report said.

The worm consisted of two parts -- a short "probe" and a much larger "corpus." The probe would attempt to penetrate a computer, and if successful, send for the corpus.

The program had four main methods of attack and several methods of defense to avoid discovery and elimination. The attack methods exploited various flaws and features in the UNIX operating systems of the target computers. The worm also attempted entry by "guessing" at passwords by such techniques as exploiting computer users' predilections for using common words as passwords.

The study's authors acknowledged computer scientists at the University of California at Berkeley for providing a "decompiled" version of the worm and other technical information. The Cornell commission also drew on analyses of the worm by Eugene H. Spafford of Purdue University and Donn Seeley of the University of Utah.
_______________________________________________________________________________

People Vs. ITT Communications Services, Inc.                     March 29, 1989
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

NOTICE OF CLASS ACTION AND PROPOSED SETTLEMENT TO CERTAIN CURRENT AND FORMER CUSTOMERS OF UNITED STATES TRANSMISSION SYSTEMS, INC. (NOW KNOWN AS ITT COMMUNICATIONS SERVICES, INC.)
By order of the United States District Court for the Eastern District of Michigan, PLEASE TAKE NOTICE THAT:

A class action lawsuit has been filed on behalf of certain former and current customers against United States Transmission Systems, Inc., now known as ITT Communications Services, Inc., hereinafter referred to as "USTS." The Court has preliminarily approved a settlement of this lawsuit.

YOU ARE URGED TO READ THIS NOTICE CAREFULLY BECAUSE IT AFFECTS YOUR RIGHTS AND WILL BE BINDING ON YOU IN THE FUTURE.

I. NOTICE OF A PENDING CLASS ACTION

A. Description of the Lawsuit

Plaintiffs have sued USTS, alleging that USTS charged customers for certain unanswered phone calls, holding time, busy signals, and central office recorded messages, hereinafter referred to as "unanswered calls," without adequately disclosing such charges to their customers or the public. Plaintiffs seek to present their own claims for charges for unanswered calls, as well as the claims of other current and former USTS customers for similar charges.

USTS denies the violations alleged by plaintiffs, and contends that at all times, USTS has charged its subscribers fairly and properly and has disclosed fully and fairly the basis for its long distance charges. USTS has agreed to settle plaintiff's suit solely to avoid the expense, inconvenience and disruption of further litigation.

This notice is not an expression of any opinion by the Court of the merits of this litigation or of the Settlement Agreement. The Complaint, the Settlement Agreement and other pleadings in this case may be inspected during normal business hours at the office of the Clerk of the United States District Court for the Eastern District of Michigan, 231 West Lafayette Boulevard, Detroit, MI 48226.

B. The Settlement Class

Plaintiffs and USTS have entered into a Settlement Agreement, which has been preliminarily approved by the Court.
Under the terms of the Settlement Agreement, the parties have agreed, for purposes of settlement only, that this suit has been brought on behalf of the following class of persons similarly situated to Plaintiffs, hereinafter known as "the Class":

All persons and entities that subscribed to and utilized the long distance telephone service of USTS or its predecessor ITT Corporate Communication Services, Inc., referred to collectively hereinafter as "USTS," at any time during the period January 1, 1979 through December 31, 1985.

C. How to Remain a Class Member

If you were a subscriber to and utilized USTS' long distance service at any time during this period, you are a member of the Class. You need do nothing to remain a member of the Class and participate in the benefits this settlement will provide. If you remain in the Class, you will be bound by the results of the settlement and/or the lawsuit.

D. How to Exclude Yourself From the Class

You are not required to be a member of the Class. Should you decide that you do not want to be a member of the Class, you must send an Exclusion Notice that states your name, your current address, and your desire to be excluded from the Class to the Clerk of the United States District Court for the Eastern District of Michigan at the address given at the end of this Notice, postmarked no later than April 20, 1989. If you choose to be excluded from the Class, you may not participate in the settlement. You will not, however, be bound by any judgment dismissing this action and you will be free to pursue on your own behalf any legal rights you may have.

II. TERMS OF THE SETTLEMENT

The Settlement Agreement requires USTS to provide to Class members up to 750,000 minutes of long distance telephone credits having a maximum value, at 30 cents per minute, of $225,000, hereinafter known as the "Settlement Credits," and cash refunds up to a maximum of $50,000.
These benefits are available to Class members who file a proof of claim in a timely manner as described in Section III below. Class members may choose one benefit from the following options:

A. A *standardized credit* toward USTS long distance telephone service of $1.50 for each year from 1979 through 1985 in which the Class member (i) was a USTS customer, and (ii) claims that s/he was charged by USTS for unanswered calls; or

B. A *standardized cash refund* of 90 cents for each year from 1979 through 1985 in which the Class member (i) was a USTS customer and (ii) claims that s/he was charged by USTS for unanswered calls; or,

C. An *itemized credit* toward USTS long distance service of 30 cents for each minute of unanswered calls for which the Class member was charged during the Class period (January 1, 1979 through December 31, 1985) and for which the Class member has not been previously reimbursed or credited; or,

D. An *itemized cash refund* of 30 cents for each minute of unanswered calls for which the Class member was charged during the Class period (January 1, 1979 through December 31, 1985) and for which the Class member has not been previously reimbursed or credited.

To obtain an *itemized* credit or cash refund, the Class member must itemize and attest to each unanswered call for which a refund or credit is claimed.

If the total credits claimed by Class members exceed 750,000 credit minutes, each Class member claiming Settlement Credits will receive his/her/its pro rata share of the total Settlement Credits available.

Class members need not be current USTS customers to claim the standardized and itemized credits. USTS will automatically open an account for any Class member who requests credits and executes an authorization to open such an account.
If a Class member incurs a local telephone company service charge in connection with the opening of a USTS account, USTS will issue a credit to the Class member's account for the full amount of such service charge upon receipt of the local telephone company's bill for the service charge. USTS is not responsible for any other service charge that a local telephone company may impose for ordering, using or terminating USTS service.

The Settlement Agreement requires USTS to pay the costs of giving this Notice (up to a maximum of $120,000) and of administering the settlement described above.

The Settlement Agreement further provides that upon final approval of the settlement, the Court will enter a judgment dismissing with prejudice all claims of plaintiffs and members of the Class that have been or might have been asserted in this action and that relate to USTS' billing practices and disclosure practices for unanswered calls.

Counsel for the Class have investigated the facts and circumstances regarding the claims against USTS and their defenses. In view of those circumstances, counsel for the Class have concluded that this Settlement Agreement is fair and reasonable, and in the best interests of the Class.

III. HOW TO FILE A CLAIM

To receive Settlement Credits or a Cash Refund, you must first obtain a Proof of Claim Notice; then provide all the information requested and return it to the Clerk of the Court postmarked no later than June 30, 1989.

To obtain claim forms:

    USTS Class Action Claim Administrator
    ITT Communication Services, Inc.
    100 Plaza Drive
    Secaucus, NJ 07096

To file completed claim form:

    Clerk of the United States Court
    ATTN: USTS Settlement
    231 W. Lafayette Blvd. Room 740
    Detroit, MI 48226

If you have any further questions about this Notice, or the filing of Proof of Claim, *write* to the USTS Action Claim Administrator at the above address.
If you have any questions about this lawsuit or your participation therein as a member of the Class, *write* to lead counsel for plaintiffs --

    Sachnoff Weaver & Rubenstein, Ltd.
    ATTN: USTS Settlement
    30 South Wacker Drive, Suite 2900
    Chicago, IL 60606

Always consult your own attorney for legal advice and questions which concern you about your rights in any class action matter.

DO NOT telephone the Court.
DO NOT telephone the attorneys for plaintiff.
DO NOT telephone the Claims Administrator; any office of USTS or any of its employees.
DO NOT telephone any Telephone Company asking for information on this matter.

Only *written* correspondence filed in a timely manner will be considered by the Court.
_______________________________________________________________________________

Telenet Announces New PC Pursuit Terms                            April 9, 1989
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Earlier this year, Telenet announced new terms for the PC Pursuit program, which placed time limits on the use of the service, and set new rates for usage of the service.

***** Most of the deal has been called OFF *****

In a letter dated March 29, 1989, Floyd H. Trogdon, Vice President and General Manager of Network Services, announced several revisions in the earlier plans. His latest letter supersedes all previous memos and usage agreements, and becomes effective July 1, 1989.

There will be THREE membership plans:

o REGULAR membership will be $30 per month for up to 30 hours of non-prime time (evenings and weekend) use. This can be used by the subscriber only. No others allowed to use it.

o FAMILY membership will be $50 per month for up to 60 hours of non-prime time (evenings and weekend) use. This can be used by the subscriber and any immediate family members in the same household. If a single person expected to use more than 30 hours per month, s/he would still buy this "family" plan, even if the entire "family" consisted of just one person.

o HANDICAPPED membership will be $30 per month for up to 90 hours of non-prime time (evening and weekend) use. To qualify for these terms, proof of physical handicap must be provided. Ask Telenet for the exact terms.

EXCESS HOURS over 30 (or 60/90) per month during non-prime time hours will be billed at $3.00 per hour. This is a decrease from the earlier proposed charge of $4.50 per hour.

PRIME-TIME USAGE will be billed at $10.50 per hour, regardless of how much time may be remaining on the PCP membership plan.

The billing will be in arrears each month. That is, the July usage will be billed in August, etc. Call detail will be automatically provided to any subscriber going over thirty hours per month.

GRACE PERIOD/FORGIVENESS: All calls will be given a one minute grace period for the purpose of establishing the connection. There will never be a charge for calls lasting one minute or less. If you disconnect promptly when you see that your call will not complete for whatever reason, there will be no charge.

There will be a two minute minimum on all connections (after the first minute has passed). Otherwise, times will be rounded to the *nearest* minute for billing purposes.

NEW PASSWORDS AND USER I.D.'s FOR EVERYONE: During April, 1989, all current subscribers to PC Pursuit will be issued new passwords and new user identities. On May 1, 1989, all existing passwords and ID's will be killed.

New users after July 1, 1989 will pay $30 to set up an account. Password changes will be $5.00. *Existing* users will never have to pay a fee to adjust their account upward or downward from regular <==> family plans.

Call detail will be provided in June, 1989 to users with more than 30 hours of usage to help them determine which plan they should use; however there will be no charge for extra hours until July.

Because of the confusion and lack of good communication between Telenet and its users over the past few months, the official change in terms from unlimited use to measured use has been postponed from its original starting date in June to July 1.

These are just excerpts from the letter to subscribers posted on the Net Exchange BBS. If you subscribe to PC Pursuit, I recommend you sign on and read the full memo, along with the accompanying Terms and Conditions and price schedules.

Remember, any changes you may have made in February/March in anticipation of the changeover originally planned for May/June are now void. Telenet has stated all users will be defaulted to REGULAR memberships effective July 1 unless they specifically make changes to this during the months of May and June.

Telenet Customer Service: 1-800-336-0437
Telenet Telemarketing: 1-800-TELENET
Sign up via modem with credit card number handy: 1-800-835-3001.

To read the full bulletins, log onto Net Exchange by calling into your local Telenet switcher and connecting to '@pursuit'.
_______________________________________________________________________________