[I've been censoring this thread since it wasn't purely cryptography related and since I had heavy skepticism about the original report (which made it through to "Cryptography" some months ago). However, this particular message is sufficiently interesting as a followup that I'm letting it -- and only it -- through. --pm]

Winn Schwartau reported the comments of "Lou Cipher" (a pseudonym of Mr. Cipher's choice), whom he identified as a "senior security manager at one of the country's largest financial institutions."

>> "We have actually gotten on a plane and visited the physical
>> location where the attacks began. We've broken in, stolen the
>> computers and left a note: 'See how it feels?' " On one occasion,
>> he says: "We had to resort to baseball bats. That's what these
>> punks will understand. Then word gets around, and we're left
>> alone. That's all we want, to be left alone."

I growled about this on another list when it was first published, expressing great skepticism about the report. I was subsequently contacted by a friend -- an old pro in computer security -- who told me he had met "Mr. Cipher" and confirmed that the gentleman did indeed hold the type of position Mr. Schwartau described. He also confirmed that "Mr. Cipher" did indeed claim to have taken this sort of direct (and overtly illegal) action -- as unrealistic as it seemed to me and others of similar bourgeois bent.

What seemed unlikely to me was that a reputable institution would place itself at risk by condoning such actions, or that a guy bred to corporate CYA ethics would place his job on the line by ordering such actions. OTOH, I and many others have seen "competitive analysis" ops in major US corporations turned loose with little in the way of operational guidance but a requirement that a team of freshly-suited ex-spooks produce results.
I've also seen major computer companies offer lucrative consulting assignments to almost anyone who could obtain for them closely guarded technical information (from or about competitors). I'm also familiar with corporate security ops in a variety of industries (Big Oil, aerospace, defense procurement) which seemed to routinely run amuck. I'm also of the informed opinion that maybe one in five of the telephone taps set up by US police are actually legal.

So _why not_ a network manager who thinks like a wildman? Where is it written that understanding RADIUS or network topology confers common sense, or good judgement? Where management rewards results -- and makes a point of not knowing how results are obtained -- I can easily see free-lance rent-a-cops being given such a vigilante assignment against a hacker. Given the horrendous cost of cleanup after an acknowledged hacker intrusion (even when no overt damage is done!) it could easily be cost-effective.

I'm almost more surprised that it apparently works, at least according to "Mr. Cipher." I don't know why I expect a vandal, thief, virus writer, or hacker to have "courage of convictions" -- or some equivalent source of courage and constancy -- when he is physically hurt, confronted with tangible and costly losses, or faced with believable physical and economic threats. These guys are, in fact, creatures of the shadows, likely to suffer severe shock if they are just identified and confronted -- maybe all the more so, if they go nose to nose with someone who is not constrained by the niceties of the Law.

The truth is, smart anti-hacker vigilantes are probably no more likely to be identified or caught than the typical car thief or other street-savvy crook. Good odds -- maybe even the basis for a viable business plan.
The automated Payback software that Winn's article seemed to tout as locked and loaded in the IT armory of many major corporations would seem to be far more risky, given the quality of authentication on the Net today. The executive who issues a contract for such a physical attack would seem to be most at risk from his hired vigilantes, or anyone else who could finger him and his firm. I'll bet, however, there are spook protocols in some CIA manual for getting this sort of business done at arm's length. No direct contact. No proof as to the source of funds. The vigilantes would not even have to know who they are working for to get the message across with a certain air of self-righteousness.

Surete,
_Vin

-----
Vin McLellan + The Privacy Guild + <[EMAIL PROTECTED]>
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
-- <@><@> --