1993-10-07 - A new twist on the electronic horizon…

Header Data

From: fergp@sytex.com (Paul Ferguson)
To: cypherpunks@toad.com
Message Hash: a6efabccc5a43af8b7c2ea9ae70f0a35641db0f82b489530492f57dd47797467
Message ID: <P6Z1ac1w165w@sytex.com>
Reply To: N/A
UTC Datetime: 1993-10-07 04:19:16 UTC
Raw Date: Wed, 6 Oct 93 21:19:16 PDT

Raw message

From: fergp@sytex.com (Paul Ferguson)
Date: Wed, 6 Oct 93 21:19:16 PDT
To: cypherpunks@toad.com
Subject: A new twist on the electronic horizon...
Message-ID: <P6Z1ac1w165w@sytex.com>
MIME-Version: 1.0
Content-Type: text/plain

excerpted from:

RISKS-FORUM Digest  Tuesday 5 October 1993  Volume 15 : Issue 06

- --

Date: Fri, 1 Oct 1993 11:43:00 -0600
From: tmplee@tis.com (Theodore M.P. Lee)
Subject: RISKs of trusting e-mail

Until such time as either the general population learns what to expect or
digital authentication (such as PEM) becomes widespread, I suspect we will
hear more of this kind of incident. This academic year the University of
Wisconsin started providing e-mail accounts to all students at its Madison
campus. (6,000?, maybe) The students, both technical and non-technical, are
being encouraged to use e-mail as a way of interacting with their instructors.
They access the accounts either through University-supplied machines scattered
throughout the campus or through dial-up Serial Link Protocol (SLIP)
connections. A mix of Macintosh's, PC's and other assorted workstations are

Last week (note how early in the school year) a group of five students,
several from the Honors floor of one of the freshman dorms, were caught having
forged several pieces of e-mail. Most potentially damaging was a note saying
it was from the Director of Housing, to the Chancellor of the University,
David Ward; note that the previous Chancellor is now Pres. Clinton's
Secretary of HHS, so the present Chancellor is new to the job.  The forged
message was a submission of resignation. Ward's secretary had just returned
from vacation and apparently assumed the proffered resignation was legitimate.
The secretary accepted it and started to act upon it -- it was only during the
course of that that it was discovered to be a fake.

The students also sent messages purporting to be from the Chancellor to 
other students asking them to pay their tuition. They also forged a message 
from the Chancellor (my information doesn't say who it went to) saying he 
was going to "come out of the closet" and announce it Sept. 25. 

The students were only caught through a combination of circumstances.  First,
since they used one of the dial-in connections there were logs of who dialed
in when. Secondly, during the course of their experiments they botched some
addresses which caused enough traffic to go to the dead-letter office that the
investigation could narrow what was happening. (It should be pointed out that
the forgery was fairly easy to accomplish using the Eudora mail client on a
Macintosh: the user has complete choice over the "from:" field of a message.)

The FBI is investigating whether any federal crime was involved and, 
needless-to-say, the students are likely to be expelled at the least.

Ted Lee, Trusted Information Systems, Inc., PO Box 1718, Minnetonka, MN  55345
   612-934-5424   tmplee@tis.com

Paul Ferguson               |   privacy \'pri-va-see\ n, pl, -cies;
Mindbank Consulting Group   |   1: the quality or state of being apart
Fairfax, Virginia USA       |   from others  2: secrecy
fergp@sytex.com             |
ferguson@icp.net            |   Privacy -- Use it or lose it.