January 13, 2000: How Network Solutions, Inc. made me a child pornographer.

KGB Report

Number 26, January 29, 2000

Written by Kevin G. Barkes

"Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench."-Gene Spafford

The above quotation is perhaps the best non-technical explanation for the ever-increasing number of highly publicized computer break-ins.

While many commercial websites tout they use "secure servers" to prohibit theft of credit card data, in many instances the security provided is illusory at best.

When traveling over the Internet, the packets of data containing your sensitive information are encrypted so that only your computer and the recipient's computer can read them. The problem is what the receiving site does with your data after it gets there.

Ideally, your information stays scrambled and is transferred to another computer that cannot be directly accessed from the Net.

What recent events show, however, is that in many cases your order is translated from its secure, encrypted form into plain English and is dumped into a database on an Internet accessible machine, where savvy net bandits can grab the data with almost laughable ease.

Imagine the night depository on a bank. You need a key to unlock the slot in order to dump in your money.

Now imagine the deposited funds land in an open cardboard box inside the bank. And that the bank's doors are unlocked and the windows are wide open. And that there are no guards on duty, and the security cameras are aimed only at the safe. That pretty much sums up the situation for many net commerce sites.

Unfortunately, it's impossible to tell whether a site is really secure. Some itty-bitty sites have superb security. Other giant sites might as well print a weekly insert to TV Guide with their customers' credit card numbers.

Many feel the term computer security is an oxymoron, anyway. Any security program can be breached, given enough time, money, intelligence, or persistence.

Consider Serge Humpich, 36, a French computer programmer, who in his spare time over a period of four years developed a counterfeit "smart card" which could fool all of the French banking system's electronic point of sale terminals. This meant, according to an article in The Register, he could pick out all 35 million French PINs (personal identification numbers) used on Visa and other credit cards.

Serge told the banks of the gap in their security, and offered to point out the weaknesses in their systems for a mere £20,000,000, far less than what it would cost to replace all the credit card terminals in France.

Prove it, the banks said. So, using one of his homemade cards, Serge bought ten Paris Metro tickets from a machine that didn't seem to notice it was being duped. He sent the tickets and receipts on to the credit card company as the requested proof of their system's vulnerability.

In response to its friendly little challenge, the credit card company sent 40 policemen to Serge's house, seized all his computer equipment and managed to get him fired from his job. The prosecutor in the case has recommended a two-year suspended sentence and a £5,000 fine, which seems a bit stiff for taking up the banks' invitation to filch some Metro tickets which he returned anyway.

The real question is: how many Serges are out there who keep their mouths shut and quietly funnel funds out of the world's banking systems?

If computer security is, in fact, a shared hallucination of the banking establishment, should you avoid using your credit cards in cyberspace?

No. You probably have far more exposure visiting brick-and-mortar establishments, especially restaurants. Think about it: you routinely hand your card over to Laslo, your waiter, who disappears for a couple minutes before returning. During his absence, he could order 30 copies of Alfred Brendel's Liszt: Hungarian Rhapsodies for his extended family, and you won't know until you get your bill at the end of the month.

Bear in mind you're only liable for $50 worth of unauthorized purchases on your card, and most issuers waive that if you're caught in a publicized wholesale website security breach. Incidentally, getting a new card in the mail from an issuer far in advance of the expiration date is a pretty good indicator someone's security suffered a major hit.
But beware of using your debit card. Different rules apply, and you could be turning over the equivalent of a ream of blank checks to the crooks.

Also, watch out for arrangements where you're offered the "convenience of check by phone"... you give the operator your account number, your bank's transit number and a check number, and the company presents to your bank an electronic draft that gets paid without question.

While there are all sorts of laws limiting the use of the information you provide, remember that you're still talking to a human being at the other end of the phone, that some companies outsource their order entry operations to other companies, and that some of those firms use folks currently enjoying the lush surroundings of some the country's leading penal institutions.
When I declined an offer to make a check-by-phone payment to a credit card company, the operator huffily told me, "You realize, we are a Fortune 500 company."

To which I responded, "And that's supposed to reassure me?"

Online update: Click here for a chilling example of what can happen when others have your checking account numbers.
---
I'm so confused... Okay, so the entertainment industry, hysterical about the DVD hack which allows the discs to be played back on Linux computer systems, got a federal court judge to issue an injunction forbidding "[p]osting or otherwise disclosing or distributing, on their websites or elsewhere, the DeCSS program, the master keys or algorithms of the Content Scrambling system ("CSS"), or any other information derived from this proprietary information."

Included in the court documents filed by one of the DVD Copy Control Association people in the ongoing battle against those horrible hacker persons who posted the source code to their super-duper encryption program on The Evil Internet is... the source code to their super-duper encryption program. And it's available on the Internet.

If you think about it, filing the source code with the court does make sense, since you'd need the original DeCSS source in order to prove that the hacked copies are indeed copies.

But by making the source available in publicly accessible court records, are the DVD people pretty much giving away what they went to court to protect in the first place?

And does the court order prohibiting disclosing or distributing the code apply to the court's own documents?

This sounds like one of those infinitely self-referential questions Captain Kirk would use to destroy an irritatingly smug super computer system on the original Star Trek series.

Realizing their error, the DVD people asked the judge to seal the documents containing the source code, which he did. But the genie's out of the bottle.

As of this writing, the court document was still available at

http://cryptome.org/dvd-hoy-reply.htm

Electronic versions of this newsletter do not have a hypertext link to the URL because some people think providing one would be in violation of the law.

If anything, this case shows how clueless the courts and business are about software. Perhaps Dave Farber, the newly appointed Chief Technologist of the Federal Communications Commission, made the best observation on the case.

In a radio interview, Professor Farber noted "if your security is good enough you can tell everyone about every detail of it and they still can't break your security. In the DVD case, the reason they kept it quiet was because it was very poor technology... it's bad to propagate that on the world, because it just invites people to go in and attempt to break or to break it."

Regarding proposed new software agreements that prevent reverse engineering or even making critical comments about the software, Farber said it results in "bad technology being propagated by just suing the hell" out of people.
---
My Life As A Kiddie Porn Purveyor: "the dot com people®", those friendly folk at Network Solutions, Inc., still list me as the owner of the domain name lo-li-ta.org, a site which originally displayed nude photos of disturbingly young females. See the last KGB Report for details. While the web hosting service pulled the plug on the offending site within hours of my complaint, I've yet to get an official response from Network Solutions despite emails, faxes and letters.

One irony... in its instructions for complaining about falsely registered domain names, the company demands "Evidence of your name and address, such as preprinted corporate or personal stationery, a copy of your driver's license, or a utility bill." Too bad they don't apply the same standards to the initial registration procedure.

I've received scores of emails from folks giving me tips on how to change the dead link to some other less offensive sites, but they're missing the point.

The domain still shows up as being registered to me.

I didn't authorize the acquisition of the domain in the first place.

I don't want a domain named "lo-li-ta" associated with my company, even if it is linked to something as innocuous as the kgb.com web site.

I'm appalled by the fact the site operated for nearly a month until I discovered it.

I'm extraordinarily peeved that Network Solutions has failed to respond to my numerous emails, faxes and letters.

On the plus side, I'm not going to pay their invoice for the domain, which arrived a couple days after the letter from the German fellow who wanted to buy kiddie porn from me. So I know that eventually it will be yanked from their database when the account goes delinquent.
---
The Upgrade of Death... If you're toying with the idea of installing one of those bazillion free America Online Version 5 CD-ROMs that have infested the planet, restrain yourself. The net is awash with screaming victims of the software, which effectively takes over all net browsing and email functions, wipes out all previous networking configurations and makes it virtually impossible to connect with any other internet service provider, or, for that matter, your business' mail server. And that's if the installation is successful. The Associated Press says AOL 5.0 simply causes many systems to crash and stop functioning. AP quoted a magazine review that reported "AOL can reduce a perfectly good computer system to a paperweight."
---
DOH!
TheSimpsons.com, the web site devoted to the long-running Fox animated series, is offering free Internet access and email. The downloadable access software places a navigation bar with ads on your desktop, so surfing does come at a price.

The service is actually run by 1stUp.com, not Homer, so reliability shouldn't be a problem. Why is Fox entering the market? Notes the quasi-evil Mr. Burns on the site's free service promo: "My top men tell me the Internet is going to be big! Daguerreotype big!"
---

MISCELLANY


Warmer climes... After decades of reading endless snow closing announcements with his partner John Garry, Pittsburgh radio legend Larry O'Brien pulled up stakes and moved south to Hilton Head Island, South Carolina late last year, where he can be found indulging his passion for golf on a daily basis. If you reached Larry's answering machine during the Christmas holidays, you heard a typical O'Brien one-minute comedy routine, ending with, "I think I'm gonna do me some carolin'. Oh Caroline, honey?" Sigh. I still miss those guys in the morning.
---
Dare to be stupid: Confirming what many of us have suspected for a long time, there are a lot of incompetent people out there who not only don't know they're incompetent, but truly believe they're superior to the folks who actually know what they're doing.

In a recent New York Times article, Dr. David A. Dunning had an elegant explanation for the situation: "the skills required for competence often are the same skills necessary to recognize competence." (Emphasis added.) Dr. Dunning's studies also revealed that an individual's appraisal of self-competence is pretty much inversely proportional to his or her intelligence.

That pretty much explains politics, computer security systems and network television programming. Thanks, Doc.

---

Credits: Thanks to Lou Pilla, Kevin McNeill, David Fitzsimmons and the usual assortment of Those Who Wish To Remain Nameless for their contributions this week.

---

What's with all the underlines? No, I'm not making an artistic statement. The words and phrases underlined in the newsletter indicate the presence of hypertext links available to those reading the Adobe Portable Document Format or web (HTML) versions of this document on their computers. If you were reading this online and clicked here, for example, your computer would fire up your web browser and display my daughter's web site.

Consider converting your Postal Service delivered print subscription to e-delivery. Drop us a line at kgbreport@kgb.com.


Your Assistance Is Requested...

Readers who get KGB Report via US Mail recently received a form enclosed in a pre-stamped return envelope.

If you want to continue receiving KGB Report, just seal the envelope and drop it in the mail. But, if you have the time, please answer the few questions on the form before returning it.

Please note: if your form isn't received by March 1, your subscription will be terminated.

Trivia

Answer to our previous question: Jan-Michael Vincent, Airwolf's Stringfellow Hawk, also appeared in an episode of NBC's late 60s revival of the hit 50s show Dragnet. The name of the episode (#28 in the series) was "The Grenade". The TVLand synopsis: "Friday and Gannon are called to a theatre to investigate an acid-throwing incident. A teenage suspect, traced to his home, runs away carrying a live grenade. MUST-SEE EPISODE. This one features a memorably tense climax at a teen party". Vincent was the acid victim.

This week's question: Invented by the Emerson Drug Company, this product was marketed from 1957 until 1968, when it was voluntarily withdrawn due to its cyclamate content. Reformulated with NutraSweet, it was reintroduced nationally in 1995. Name the product. Use your lifelines and email your final answer to trivia@kgb.com. For more fun, visit our recommended Trivia Site of the Week: http://www.kcircle.com.


Useless Web Site of the Week

http://driveways.com is the web-based home of Driveways of the Rich and Famous, a public-access cable television show that airs in LA, Manhattan and a few other cable systems. The site contains scores of small photos of... well, driveways of the rich and famous, as well as all sorts of fascinating trivia. For example, Regis and Joy Philbin don't have a garbage disposal. Mary Tyler Moore stiffs delivery people. Bill Gates' house may be worth $60 million, but the driveway gatehouse is incredibly cheap.

Quotes of the Week


Peter Allen (an engineer quoted in the Wall Street Journal) : "You can never be too rich, too thin, or have too much bandwidth."

Dave McNeill (Datalogics, Inc.): "Just because I speak English doesn't mean I use every word in the dictionary!"

How Digital Equipment Corp. (now Compaq) would market sushi: "Cold, Wet, Dead Fish."

---

The KGB Random Quotations Generator has over 4,000 entries and is frequently updated. Visit it online at http://www.kgbreport.com/kgbquote.shtml, and be sure to try the search feature.

KGB Report, Number 26, January 29, 2000

(electronic ISSN:1525-898X; print ISSN: 1525-9366)

Written by Kevin G. Barkes and published by KGB Consulting, Inc., 1512 Annette Avenue, Library, Pennsylvania (USA) 15129-9735-125. email: kgbreport@kgb.com.
Copyright © 2000-2013 by Kevin G. Barkes. All rights reserved. No portion of this publication may be reproduced in any form without the consent of the publisher, except for brief excerpts with full source attribution. So there. Internet web site syndication provided by iSyndicate. This issue's Flesch-Kincaid reading level: grade 11.0
Free subscription information: Subscriptions to electronically distributed versions of KGB Report are available at no cost. For subscriptions in Adobe Portable Document Format (PDF), send requests to pdfsub@kgb.com. For subscriptions in HTML format, send requests to htmlsub@kgb.com.
Printed subscriptions delivered via first class mail are also available. For additional information, send requests to the street address listed above or email mailsub@kgb.com.
Advertising information: Contact 412.854.2550 or email ads@kgb.com.