

Issue 14 - April 1994


BABBA Magazine - The
Bay Area Bulletin Board Advisor




About the Cover:

Sysop's view of the Bay Area Mega Board BBS. Photo courtesy of the Roadkill Grill BBS.




Publisher/Editor: Mark Shapiro

Modems/Disks: Fred Townsend
Operating Systems: Randy Just
Copy Editors: Bryce Wolfson and Cheryl Milstead
Administration: Veronica Shapiro
Production: Steve Kong

Distribution: Sean Andrade, Leo Bounds, Chris Brown, Jami Chism, Bill Clark, Robert Escamilla, Adam Fernades, Phil Gantz, Phil Intravia, David & Lisa Janakes, Joe Jenkins, Wendie Lash, Frank Leonard, Sara Levinson, Mark Murphy, Pete Nelson, Laurie Newell, Ed Ng, Evan Platt, Jack Porter, Steve Pomerantz, Gary Ray, Alex Riggs, Lee Root, and Leigh Shevchik.

Printed at: Fricke-Parks Press (510) 793-6543




The inside cover had a full-page ad for Delphi Internet (www.delphi.com)

Pages 2 and 3 had full-page ads for Laitron Computers.




Editor's Notes

BABBA is the first regional BBS magazine on the West Coast. We started a trend - because similar magazines are in the works.


The Bash Continues
When we started BABBA, the conventional media was bashing BBSs. We founded this publication as an objective source of BBS information. As we move into our second year of publication, we are saddened by a fresh round of BBS bashing from our local paper.

The local paper recently warned parents about the danger in letting their children (and teenagers) dial up a local BBS, such as those listed in "freebie" papers. The story indicated local BBSs could allow kids to get X-rated materials or be exposed to abusive adults. Of course, the story linked local BBSs with a potential for bestiality and "kiddie" porn.

The newspaper once again steered readers toward the belief that only giant online commercial services are safe. Small and medium-sized BBSs (and this magazine) have nothing against the giant online services. We do resent being classified as unsafe, or as being the sole source of adult material.

The BBSs and online services listed in BABBA keep children away from adult material and abusive adults. All have strict controls on adult material, and none have anything to do with child porn or bestiality. Should parents be careful as to what their child does online? - Of course, but local BBSs are no more dangerous than the commonly promoted online giants.


The Internet-BBS Connection
Recent advances in commercial, shareware, and freeware software have made it easier and less expensive for BBSs to offer Internet mail. Relatively soon, BBSs will be able to offer full Internet service. BBSs have already reduced the real-time load on the Internet network. BBSs are a valuable tool to keep the lanes on the "highway" open.

Burger King BBSs
Most commercial BBS software packages are moving in the direction of complete customization. This trend is more significant than even RIP graphics. As time permits, Sysops will be able to custom design their BBSs to their exact specifications. Some say this will confuse the callers, with each BBS having a different interface. We predict this new configurability will lead to focused online systems that are easier to understand.


Page 4 had ads for the Bay Area Mega Board, the Silicon Matchmaker (www.silicon.email.net), and the Tiger Team Information Network.




Questions Letters Comments

Q: Have you ever heard of a crack for the various PC remote-control applications, like (PC Anywhere), or (Carbon Copy)? Is it possible to crack through their security? I'd like to know because I may put one on our network, and I'd hate to have anyone hack their way through.

A: As far as we know, these products are safe. To protect against a chance of "outside" hacking, you can set your modem to answer on the 7th ring, for example. This may discourage the random-dialing criminal hackers. For ultimate security, get a call-back modem. These modems get a call, accept a password, and then dial out only to a pre-approved list of phone numbers.

Anyone that knows of any special risks or precautions on the above-named software packages, please contact us.

Q: Why do BBS callers tend to have such poor grammar?

A: In the online world, function usually wins over form. Some consider it wasteful to spend time creating perfect grammar. When typing a message in a full-screen editor, coherent well-formed sentences, grammar, punctuation, and spelling are all good ideas. In a single-line editor, it can be difficult to go back and correct mistakes.

When you are chatting with someone online, typing "catch yuo latr, im goinng to sleep now!" gets your point across. Some would argue that it would waste time to backspace and correct mistakes if the meaning is clear.

Q: Our local newspaper recently ran front-page articles featuring Vice President Al Gore and Governor Pete Wilson in staged chat sessions with the general public. Gore's session was on Internet, and Wilson's over America Online. Both sessions seemed to be dismal failures. Why did these chat sessions turn out to be such fiascoes, and why do you think they were covered with such vigor? (RG, San Jose)

A: Real-time online chat is no place for practical discussions with political figureheads. Online chatting requires time and practice to master. It's not the fault of the politicians, placed in the spotlight, that they were inundated with rapid-fire questions from anonymous sources. The governor couldn't type one reply without a multitude of interruptions. It was as if the governor appeared in public in a dark room without security, advisors, or a megaphone. He'd get drowned out by hecklers, just as he was online.

Your local newspaper editors should know better, especially when their guest and his encounter with the online world will be publicized. Next time, they should establish some filters, perhaps replacing chat with an email conference for the guest.

C1: I can answer the question from L.K. in last month's issue, about not being able to find 14.4 kbps in the software settings. For modems having:

C2: Turning off autobaud detect is not a "by the way" bit of advice; it's absolutely essential in order to take advantage of any type of data compression. Autobaud detect tells the comm software to automatically match the port baud speed to the actual connect speed detected. If you do this on a compressed-data connection, you will never realize the benefits of data compression; data will move from PC to PC only at the modem's actual connect speed. (David Hakala)

A: Thanks Dave!

Q: What kind of computer(s) are used to produce this magazine?

A: Most articles and artwork arrive via modems connected to our IBM-PC based BBSs, or through the Internet. Preliminary (plain ASCII) editing is done on PCs. All "final" production work (and all BBS databases) is done on Apple Macintosh computers.


Page 5 had ads for the Travel Connection BBS, the Fun University Network (www.wbs.net), and the Terminal One, Weasel Den 2, and iNFormation Exchange BBSs.



"BABBA BITS"

Ondex Online
In Mountain View, CA, the Ondex company has started its new Ondex online service database. Ondex is an online database of BBSs and Usenet newsgroups. Free to the caller, fees to Sysops listing with Ondex range from free to $10-20 a month. Callers can specify and search for the exact features (keywords) and find just the right online services.

New EFF Sysop Memberships
EFF (Electronic Frontier Foundation, www.eff.org) is the primary group standing up for the rights of all online services, protecting our constitutional rights. Membership in the EFF is normally $40 a year. The EFF is now offering a special $10 (tax-deductible) introductory (first year) membership rate for BBS Sysops. (This has long-expired.)

Members receive a subscription to EFF's biweekly electronic newsletter, their quarterly hardcopy newsletter, and access to their BBS. Sysop members also get a special diskette with some of EFF's most popular resources, which can be posted for distribution, as well as ASCII and ANSI EFF membership screens. Sysops can also access EFF's (The Outpost) BBS and join their (FTN and QWK-format) echomail network.

New/Upcoming BBS software
Judging from the press releases, it seems most commercial BBS packages are undergoing major revisions with tons of new features being added. Each package has or will soon release many new features. Rather than listing all the features, here are our opinions of the most useful new features on each package we've seen:

The Major BBS v6.2 (Galacticomm, www.galacticomm.com):

Synchronet v2.0 (was Digital Dynamics, "now" at www.weedpuller.com/synchronet):

TBBS UltraChat: eSoft's (www.esoft.com) new UltraChat extension to their TBBS package lets a Sysop link a BBS to other BBSs. UltraChat is so configurable, it lets you emulate the chat features of any other BBS software package.


BABBA hits Madera
Thanks to Jack Porter of the ZDS-Online BBS, BABBA is distributed in Fresno and Madera. ZDS-Online will be at booth 5 at the April 7th Business Extravaganza at Hatfield Hall in Madera.


Page 6 had ads for CCnet Communications and a2i Communications (www.rahul.net).




Skipjack: Policy and Technology

Skipjack (formerly called Clipper) is a method for scrambling digital telephone connections (both voice and data) to thwart snoopers. It has been promoted by two government agencies and if passed into law, it would require all government phone-based communication equipment to use a style of encryption developed by the military and kept secret from the public. The government would hold decoding keys in escrow to access encrypted phone traffic.

Born of Fear
The encryption proposal was born of fear by law enforcement agencies that it was becoming technically impossible to wiretap digital phone lines. The FBI is alarmed that criminals could have private conversations without the fear of being heard. Introduced in 1991, the Senate anticrime bill (SB 266) would have required phone companies to convert subscribers' digital transmissions to analog for access by law enforcement agencies. This proposal died in committee.

Rebirth
The FBI, unable to find a congressional sponsor, brought its case to the new administration. On April 16, 1993, President Clinton announced the new initiative, a mix of policy and technology originally named Clipper. Because of trademark infringement, the technology has been renamed Skipjack, although the policy is commonly called Clipper. The initiative was presented as a way to balance the need for secure (encrypted) public communications and the need for law enforcement agencies to be able to decipher those coded communications.

In trying to head off the arrival of privately-developed encryption products that would effectively prevent law enforcement from listening in, the government is proposing we (at first?) voluntarily use a single encryption method (Skipjack), with the keys to be kept in escrow by two unnamed agencies (either government or private). The administration proposes placing a computer chip in each product that operates over digital phone lines (modems, computers, phones & fax machines). The chip comes from the National Security Administration (NSA), which is chartered with listening in on phone conversations, here and abroad.

Policy
Clinton's policy uses the economic power of the government to strongly encourage the rest of us to use Skipjack. Initially voluntary, plans for implementing Skipjack in modems and phones are moving forward. Expect Skipjack to become a federal standard this year, gradually replacing an older, government-developed encryption standard called DES.

The first products to use Skipjack will be telephone security devices built by AT&T for the FBI, the IRS, and local law enforcement agencies, among others. As the government funds the National Information Infrastructure (the data superhighway), it will use Skipjack as the method for ensuring private, secure communications.

The second prong of the proposal lies in the Digital Telephony bill, which has not yet come before Congress. This bill gives law enforcement agencies the authorization to wiretap Skipjack-encrypted communications. The vagueness of the wording and the wiretap methodology have generated much controversy. The NSA refuses to divulge the detailed algorithm for Skipjack, another source of controversy.

The decryption keys for every Skipjack device in the country would be kept in escrow by two unnamed, independent agencies, either government or private. The idea is that if a government agency wants to listen in to a particular Skipjack-encoded conversation, it would present evidence of lawful authority (a term not clearly defined) to the escrow holders. Once they have the decryption keys they can crack the code and begin listening to the subject's conversations, with the required help of the phone company that carries the transmission.

Technology
The Skipjack chip will initially be manufactured by Mykotronx and VLSI Technology. Each chip will have a permanent key and a serial number that identifies the chip (and its owner) during communications. Installed in new phones or other telecommunications tools, the encryption turns any conversation into gibberish for all but the intended listener.

Like DES, Skipjack uses 64-bit blocks, and the chip supports all four DES modes of operation. Some consider Skipjack more secure than DES because the key size is 80 bits as compared with 56, and it uses 32 rounds of scrambling instead of 16.

Rumors
A rumor is floating around that the government will make all other encryption illegal. A variation on that rumor is that only (e.g.) 32-bit or higher encryption methods will be illegal, as anything less than 32-bit encryption can easily be cracked by powerful computers. Some consider the pending Digital Telephony bill to be even more of a "threat" than Skipjack.

Opinion:
Perhaps taxation is another reason for imposing Skipjack (and electronic currency) on us. The IRS would certainly be interested in any private transactions across the Internet. Another point is that, yet again, we are denied an opportunity to vote on an important issue that affects us all. We rarely get to vote on really important long-term issues. Ideally, our elected and appointed officials would prepare a few intelligent alternatives for the voters to choose - including none of the above.

Humor:
If you think using data compression products like DoubleSpace slows the performance of your computer, wait until you try encrypting and decrypting on the fly!


Page 7 had ads for Hyperworks Macintosh Consulting Services, and Prestige PC Services.




What's Wrong With Skipjack

(A guest editorial by A.Lizard - www.ecis.com/~alizard)

Skipjack (formerly known as Clipper) is the popular name for an ill-advised encryption standard that the government is trying to force on all of us. The government will require all computers, modems, and phones it buys to include Skipjack technology.

Skipjack is opposed, nearly unanimously, by industry, watchdog organizations, and ordinary citizens. Despite this, the Clinton administration is pushing ahead with their original plans.

No Expectation of Privacy
There are several good arguments against forcing encryption on the communications of an open society. Public communications in online services, bulletin boards and email are not private and have rarely been encrypted in the first place. You sometimes see notifications to this effect when you log in:

Pursuant to the Electronic Communication Privacy Act of 1986 (18 U.S.C. 2701 et seq.), notice is hereby given that there are no facilities provided by this system for sending or receiving private or confidential electronic communications. The operators of this BBS can read all messages left on this system, including Electronic Mail addressed to persons other than the system operators.

This message notifies the caller that email on that system is not private. It is the digital equivalent of a postcard: Anybody who handles the contents or manages the system usually can't help but read it. Would you send money, your credit card information, discussions of business negotiations, or intimate details of your love life via a postcard?

Your Sysop is not to blame for this lack of privacy. Many BBS packages lack the ability to keep messages private from the Sysop. Sysops are usually held responsible for what is placed on their systems. This situation mandates that Sysops preserve the ability to completely access any message on their system.

Optional email security is needed
The authenticity of online messages is problematic because email and messages can easily be forged by any person with access and motive. This can have results ranging from mild embarrassment of the victim to breakups of businesses or marriages.

The nature of networked email is that it resides on many systems on its way to the destination. At any of those systems there are a number of persons with high-level system access. While most Sysops and system administrators are ethical and wouldn't edit your email without a user request, or to correct a mail routing problem, all it takes is one bad apple, and that person doesn't even have to be at your local site.

Proving You are You
Paper envelopes leave traces when opened surreptitiously, but today's electronic mail can easily be read, modified, or copied without the user ever finding out. Encryption technology provides a secure digital envelope to protect your message before it hits the bit stream. Encryption can also provide unforgeable message authentication, even for the unencrypted text messages you post in public networked conferences.

Some hobbyist networks, such as RIME and some FIDO nodes, explicitly forbid the use of digital encryption. I believe Sysops should be free to impose any policy that amuses them on their systems, as long as it is consistent with federal law. As callers, we can choose whether or not to patronize a BBS based on those policies. I don't patronize online systems that forbid the use of digital encryption. "Trust us" in terms of email privacy is not acceptable to me.

Encryption is Coming
Within the next few years, transparent encryption & decryption of email on major public systems will be taken for granted. For the home PC, transparent encryption of files may be built into the motherboard or the hard drive controller. With the coming interactive cable TV systems, you'll be able to push a few buttons and order a product on one of the home shopping channels and pay with encrypted credit card numbers.

If encryption is a good idea... What's wrong with Skipjack?
Skipjack has serious competition as encryption technology. RSA (Rivest, Shamir, Adleman) is an internationally recognized, robust encryption algorithm used for key transmissions. A key is the information required for the recipient to unscramble an encrypted message.

You can bet that foreign computers will be using RSA-based key encryption. The problem with Skipjack (or more properly, the technologies based on the Skipjack algorithm) is our government holds copies of all private keys from the manufacturers of computers, modems and phones. Europeans have no interest in Skipjack technology because the US government will be holding the keys.

The government agencies will turn over your key to any law enforcement agent who submits a request that says that there is a warrant for the key. The agent is not required to produce the warrant. The government has stated they will process these requests within a few minutes, once the system is in place and fully up to speed. This means that these requests cannot be checked for veracity. While wiretaps, in theory, will still require a warrant, an agent willing to lie to get a key isn't going to be worried about tapping a phone illegally.

Is it Secure?
In the old days of cryptography, you kept your coding methods secret - knowing that if the bad guys found them out, you'd have to change your methods. Currently, secure encryption is usually tested by publishing your algorithm and defying anybody from the academic, amateur and professional cryptographic or mathematical community to find a hole. If many people try and fail, you know your method is probably secure.

Unlike other methods, critical parts of Skipjack's algorithm remain classified, suggesting there may be big problems with it. How big? I don't know. If the Skipjack algorithm is not secure, it isn't just dishonest cops or a rogue government agency you have to worry about. I wouldn't be surprised if within a year of Skipjack going into general use, a file called KRAKSKIP.ZIP starts appearing on BBSs with everything a 14-year old "hacker" (for lack of a better word) needs to tap your Skipjack-secured phone or to read your email.

Once it's out, that file will be online everywhere. The Feds and other police agencies will probably use the potential existence of that file as an excuse to harass quite a few US BBS Sysops, demanding access to make sure that nothing illegal is going on.

Suppose, after we've been Skipjacked and it's been cracked, that your credit gets attacked. What will you do when your account reports a mysterious one-way trip to the Cayman Islands, a nice computer system, and a few thousand dollars of spending money? The Feds will say the communications channels encrypted by Skipjack are secure, that the burden of proof to your credit provider is yours!

If Mr. Clinton has his way, our systems will be using Skipjack. Skipjack-based systems will not be compatible with the rest of the world, who will properly see our computers as security risks. Does the president think we can impose our encryption standards on the world?

How would you like to try selling a mainframe to the Italian government, telling your prospect, "Of course our machine is secure - we use Skipjack". The potential customer would laugh while security escorts you out of the building! If any potential customers don't know about Skipjack's origin, our competitors will be telling them in full-page ads. "Free spy in every American computer."

Mandatory Compliance
The Clinton administration has announced that Skipjack is now a federal standard. It is wasting our money buying these chips in quantity, and it will use every form of economic pressure it can to force manufacturers to adopt it so you have no choice but to buy their Skipjacked products.

Will non-Skipjack methods of protecting your privacy become illegal? When asked, officials say, "Not at this time", using vague generalities. Can non-Skipjack methods of cryptography be made illegal? Probably. Can this be enforced? Very possibly. Monitoring equipment could be used at telephone company central switches to sniff for forbidden crypto modes using pattern analysis, and could either block the messages, or store and forward them to the National Security Agency.

The justification used by the Clinton administration, the FBI, CIA, NSA, and other "spook shops" is that it'll help them catch drug dealers and terrorists. They go on to say that only stupid criminals will use their technology because it's known that the government can listen in. This basically is an admission that the only real reason for it is to allow the government to go on fishing expeditions in mailboxes and telephones for almost any reason.

"Big Brother Inside" is one way to describe this. This is the worst threat to civil liberties I've seen since the Nixon era. Skipjack could make impossible any political or religious organization the government doesn't like. When the government controls your communications, people can't talk to each other because it isn't safe.

Not Just Us
It isn't just computer scientists, the ACLU and we cyberspace types who oppose Skipjack. Apple, Microsoft, IBM, and other companies want Skipjack dumped as well, feeling that Skipjack will translate into billions in foreign export sales losses, and thousands of job losses over the next few years. The economic impact will affect each citizen no matter what he or she does for a living. AT&T developed the first telephones for the government with Skipjack built-in. Even so, AT&T is publicly opposed to Skipjack being forced on us.

What can You do about this?
The war against Skipjack isn't over, despite the administration making it a federal standard. If you want the Clinton "Skipjack" future, just sit and do nothing.

Congress needs to be encouraged to yank any government funding for implementing the Skipjack program in any form. If you have Usenet access, read the alt.privacy.clipper newsgroup. If not, keep an eye on the press, both newspaper and trade. They are covering this critical issue closely. If your favorite computer magazine does not cover Skipjack, write or telephone or email them and demand that they do.

Complain to your congressperson over the phone and by mail. Don't talk privacy - talk loss of sales by US companies to foreign competitors due to Bill Clinton and the FBI's insistence on adding the electronic spy chip called Skipjack to US computers, phones and modems.

Also, tell your representative to vote YES on HR 3627, a measure allowing US companies to sell crypto technology overseas legally. Encryption is already widely available in most places in the world. Passing HR 3627 would damage the administration case for Skipjack even further. If you're writing, you might enclose a copy of this article.

Who to contact:
(Remember, this article appeared April 1994, so don't email these people about these issues when you read this on the web.)

president@whitehouse.gov
vice-president@whitehouse.gov

A message title like "DUMP SKIPJACK" and a brief text message suggesting that their continuing to push Skipjack will result in another GOP vote in '96 are all that's needed. These messages are counted - not read in detail.

clipper.petition@cpsr.org
Send the message "I oppose Skipjack". This is an electronic petition that the Computer Professionals for Social Responsibility is circulating against Skipjack.

leahy@eff.org
Senator Leahy needs your support in getting a Senate investigation of Skipjack. This will force the administration to explain just why they want to do this stupid thing to the American people. Show your support, and tell Senators Feinstein and Boxer as well, using snailmail.

Note - You can use Internet addresses to reach these folks through the major online services and several BBS networks such as FIDO. (Ask your Sysop/Customer Service representative how.)

You might contact the marketing departments at several computer makers and tell them that you won't buy anything with Skipjack built into it. This will give their lobbyists incentive to keep pushing.

Digital encryption that Works!
DES (Digital Encryption Standard) is an old "government standard". There are known methods of cracking DES, even if the "backdoor" widely believed to have been put in doesn't exist. I regard DES as something for "keeping honest people honest". For instance, if you've got a laptop, you might want a DES-encrypted hard drive.

While reading your encoded hard drive contents isn't impossible for the government or well-funded private investigative organizations, it will keep a thief out of the data on your hard disk, and the person who he sells it to, out of your secrets. DES isn't taken seriously by people outside of government. Companies generally use DES only when forced to, and this is one reason Skipjack is being promoted.

RSA
The current standard adopted by non-government organizations is the RSA public key/private key digital encryption system. Rumor has it that the US government uses it for discussing classified information. Can the NSA crack RSA? The consensus is that no organization or individual without facilities comparable to the NSA has a believable chance of cracking it. I can live with that. This is real security available to every computer user.

How RSA Works
As a user, you buy an RSA-based software package and generate a public key/private key pair. You give the public key to anybody who might conceivably want to send you confidential information. Messages are encoded with your public key and decoded with your private (secret) key. You do not show your private key to anybody without a court order. You treat a private key like a password or your own house key.
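The public key/private key flow described above, together with the message authentication mentioned under "Proving You are You", as an added Python illustration (not part of the original article and not PGP's code). It is textbook RSA without padding; the fixed demonstration primes, the function names and the sample message are assumptions made for the example.

```python
# Added illustration, not from the original article and not PGP's code.
# Textbook RSA: fixed demonstration primes, no padding. Real packages pick
# large random primes, pad the message, and use RSA to wrap a session key.
import hashlib
from math import gcd

# Assumed demo primes (the Mersenne primes 2^127-1 and 2^521-1). Their special
# form makes them unsuitable for real keys; they only avoid a prime search here.
DEMO_P = 2**127 - 1
DEMO_Q = 2**521 - 1


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: e*d = 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Anyone holding the public key can encode a message for its owner."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """Only the holder of the private key can decode it."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message, n):
    # SHA-256 of the message as an integer, reduced into the modulus range.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """Authentication: transform the message digest with the private key."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone can check the signature against the signer's public key."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def demo():
    public_key, private_key = make_keypair(DEMO_P, DEMO_Q)
    note = b"Meet on the BBS at 9pm"  # constructed sample message
    ciphertext = encrypt(public_key, note)
    signature = sign(private_key, note)
    return {
        "recovered": decrypt(private_key, ciphertext),
        "genuine_ok": verify(public_key, note, signature),
        # An edited copy of the message no longer matches the signature.
        "forged_ok": verify(public_key, b"Meet on the BBS at 8pm", signature),
    }


if __name__ == "__main__":
    print(demo())
```
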

PGP
The most commonly available program for RSA encryption is called PGP, for Pretty Good Privacy. There are two versions. (A lot has happened since this article, so please visit www.pgp.com for PGP software information. Too bad PGP was bought out by a dumb big company.)

Freeware PGP
RSA Inc., owner of the RSA patents, has made a freeware version of PGP for DOS, and it has been ported to the Mac and Atari. The generic C source code is available to compile for Unix, VAX, etc. Tens of thousands of people use the freeware version of PGP daily. This is for educational - noncommercial - personal use. You can get PGP on many BBSs and several Internet sites, including:

ftp://garbo.uwasa.fi/pub/pc/crypt/pgp23A.zip (for non-programmers)
ftp://garbo.uwasa.fi/pub/pc/crypt/pgp23srcA.zip (source code version, in generic C)

Commercial PGP
ViaCrypt is an RSA-licensed commercial PGP program available from ViaCrypt in Phoenix, AZ. ViaCrypt is DOS-only at this point. It is completely interoperable with the freeware PGP, so users of this program can send and receive crypto messages from any user of the freeware versions of PGP. It costs $98 (single-user price). For commercial business encryption purposes, there is nothing better at a comparable price. (Update, visit www.pgp.com)

Controversy
Although PGP is controversial, many corporations and private individuals use it. For discussion of the controversial legal issues, read the user documentation in the file archives; or if you've got Usenet access, read the messages in alt.security.pgp. The only thing that everybody agrees you cannot do with PGP is to legally export it beyond US borders, because our government is under the delusion that the US has a monopoly on encryption technology.

The fact that current versions of freeware PGP are produced in Europe is of no interest to the government. If you import PGP from a European site, do not email a copy to a friend outside the US, or make it available for anon-ftp on your system, unless you can restrict distribution to US-only. Make your international friends ftp the file themselves from a non-US site.


Page 8 had an ad for Arsenal Computer.

Page 10 had an ad for Liberty BBS (www.liberty.com)

Page 11 had ads for the Computer Training Center (www.ctetrain.com), and RGB Technology.


