Re: Ross's TCPA paper

2002-06-27 Thread Mike Rosing

On 27 Jun 2002, David Wagner wrote:

> No, it's not.  Read Ross Anderson's article again.  Your analysis misses
> part of the point.  Here's an example of a more problematic vision:
> you can buy Microsoft Office for $500 and be able to view MS Office
> documents; or you can refrain from buying it and you won't be able to
> view MS Office documents.  Do you see why this is problematic?  It lets
> one vendor lock the world into a monopoly; no one else will be able to
> develop compatible MS Word viewers without the consent of Microsoft.
> (StarOffice on Linux won't work, because to get the session key to
> decrypt the Word document your viewer has to go online to microsoft.com
> and ask for it, but microsoft.com won't give you the key unless you've
> bought a secure trusted OS and purchased Microsoft Office for $500.)
> Now notice that the same idea can be used to inhibit competition in
> just about any computer market, and I hope you appreciate Ross's point.
> TCPA/DRM has the potential for anti-competitive effects, and the result
> may well be worse off than we are today.

As long as MS Office isn't mandated by law, who cares?  So what: somebody
sends me a file.  I tell them I can't read it.  Now, they have a choice,
they can give me MS Office or they can send me ascii.  The market will
determine if secure OS's are useful.

DRM isn't the problem.  Legislating DRM is the problem.  You can go buy
IBM portables with secure key chips built in right now to help protect
your box and your business data.  That's TCPA.  Nothing wrong with it,
it's a good idea.

It doesn't become wrong until it becomes forced down our throats.  That's
where S.2048 becomes something to worry about, it forces us to use
hardware we don't need (or may not need for our purposes).  TCPA and DRM
are not the problem here, and privacy and copyright are side issues too.
There is no need for the law to intervene, the market will decide how all
this stuff can be used efficiently and effectively.

And that's what the entertainment industry needs to figure out and fast
too.  The law is slow.  Technology is fast.

Patience, persistence, truth,
Dr. mike





RE: DRMs vs internet privacy (Re: Ross's TCPA paper)

2002-06-27 Thread Lucky Green

Adam Back wrote:
> I don't mean that you would necessarily have to correlate
> your viewing habits with your TrueName for DRM systems.
> Though that is mostly (exclusively?) the case for current deployed
> (or at least implemented with a view of attempting commercial
> deployment) copy-mark (fingerprint) systems, there are a number of
> approaches which have been suggested, or could be used to have
> viewing privacy.

The TCPA specs were carefully designed to permit the user to obtain
multiple certificates from multiple CA's and thus, if, and that's a big
if, the CA's don't collude and furthermore indeed discard the true name
identities of the customer, utilize multiple separate identities for
various online applications. I.e., the user could have one cert for
their True Name, one used to enable Microsoft Office, and one to
authenticate the user to other online services.

It is very much the intent of the TCPA to permit the use of pseudonymous
credentials for many, if not most, applications. Otherwise, the TCPA's
carefully planned attempts at winning over the online liberty groups
would have been doomed from the start.

--Lucky Green




RE: Ross's TCPA paper

2002-06-27 Thread Lucky Green

David wrote:
> It's not clear that enabling anti-competitive behavior is
> good for society.  After all, there's a reason we have
> anti-trust law. Ross Anderson's point -- and it seems to me
> it's one worth considering -- is that, if there are potentially
> harmful effects that come with the beneficial effects, maybe we
> should think about them in advance.

I fully agree that the TCPA's efforts offer potentially beneficial
effects. Assuming the TPM has not been compromised, the TPM should
enable you to detect if interested parties have replaced your NIC with
the rarer, but not unheard of, variant that ships out the contents of
your operating RAM via DMA and IP padding outside the abilities of your
OS to detect.

However, enabling platform security, as much as might be stressed
otherwise by the stakeholders, has never been the motive behind the
TCPA. The motive has been DRM. Does this mean that one should ignore the
benefits that TCPA might bring? Of course not. But it does mean that one
should carefully weigh the benefits against the risks.

--Lucky Green




Two additional TCPA/Palladium plays

2002-06-27 Thread Lucky Green

[Minor plug: I am scheduled to give a talk on TCPA at this year's DEF
CON security conference. I promise it will be an interesting talk.
http://www.defcon.org ]

Below are two more additional TCPA plays that I am in a position to
mention:

1) Permanently lock out competitors from your file formats.

From Steven Levy's article:
A more interesting possibility is that Palladium could help introduce
DRM to business and just plain people. "It's a funny thing," says Bill
Gates. "We came at this thinking about music, but then we realized that
e-mail and documents were far more interesting domains."

Here is why it is a more interesting possibility to Microsoft for
Palladium to help introduce DRM to business and just plain people than
to solely utilize DRM to prevent copying of digital entertainment
content:

It is true that Microsoft, Intel, and other key TCPA members consider
DRM an enabler of the PC as the hub of the future home entertainment
network. As Ross pointed out, by adding DRM to the platform, Microsoft
and Intel are able to grow the market for the platform.

However, this alone does little to enhance Microsoft's already sizable
existing core business. As Bill Gates stated, Microsoft plans to wrap
their entire set of file formats with DRM. How does this help
Microsoft's core business? Very simple: enabling DRM for MS Word
documents makes it illegal under the DMCA to create competing software
that can read or otherwise process the application's file format without
the application vendor's permission.

Future maintainers of open source office suites will be faced with a
very simple choice: don't enable the software to read Microsoft's file
formats or go to jail. Anyone who doubts that such a thing could happen
is encouraged to familiarize themselves with the case of Dmitry
Sklyarov, who was arrested after last year's DEF CON conference for
creating software that permitted processing of a DRM-wrapped document
file format.

Permanently locking out competition is a feature that of course does not
just appeal to Microsoft alone. A great many dominant application
vendors are looking forward to locking out their competition. The beauty
of this play is that the application vendors themselves never need to
make that call to the FBI themselves and incur the resultant backlash
from the public that Adobe experienced in the Sklyarov case. The content
providers or some of those utilizing the ubiquitously supported DRM
features will eagerly make that call instead.

In one fell swoop, application vendors, such as Microsoft and many
others, create a situation in which the full force of the U.S. judicial
system can be brought to bear on anyone attempting to compete with a
dominant application vendor. This is one of the several ways in which
TCPA enables stifling competition.

The above is one of the near to medium objectives the TCPA helps meet.
[The short-term core application objective is of course to ensure
payment for any and all copies of your application out there]. Below is
a mid to long term objective:

2) Lock documents to application licensing

As the Levy article mentions, Palladium will permit the creation of
documents with a given lifetime. This feature by necessity requires a
secure clock, not just at the desktop of the creator of the document,
but also on the desktops of all parties that might in the future read
such documents. Since PC's do not ship with secure clocks that the owner
of the PC is unable to alter and since the TCPA's specs do not mandate
such an expensive hardware solution, any implementation of limited
lifetime documents must by necessity obtain the time elsewhere. The
obvious source for secure time is a TPM authenticated time server that
distributes the time over the Internet.

In other words, Palladium and other TCPA-based applications will require
at least occasional Internet access to operate.

It is during such mandatory Internet access that licensing-related
information will be pushed to the desktop. One such set of information
would be blacklists of widely-distributed pirated copies of application
software (you don't need TCPA for this feature if the user downloads and
installs periodic software updates, but the user may choose to live with
application bugs that are fixed in the update rather than see her unpaid
software disabled).

With TCPA and DRM on all documents, the application vendor's powers
increase vastly: the application vendor can now not just invalidate
copies of applications for failure to pay ongoing licensing fees, but
can invalidate all documents that were ever created with the help of
this application. Regardless of how widely the documents may have been
distributed or on whose computer the documents may reside at present.

Furthermore, this feature enables world-wide remote invalidation of a
document file for reasons other than failure to pay ongoing licensing
fees to the application vendor. To give just one example, documents can
be remotely invalidated pursuant 

Revenge of the WAVEoids: Palladium Clues May Lie In AMD Motherboard Design

2002-06-27 Thread R. A. Hettinga

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I figured this was probably going on, but the following article is my
first confirmation.

WAVE, some of you might remember, was started by a former NatSemi
Chairman back before the internet got popular. It was going to be a
dial-up book-entry-to-the-screen content control system with special
boards and chips patented down to its socks. Sort of like 3Com,
I'm sure. First I heard about it was, ironically, in a 1990-ish Peter
Huber article in Forbes, touted as the Next Big Thing. (Convergence,
don'tcha know...) This is the same Peter Huber who wrote the Geodesic
Network, which, along with bearer financial cryptography, is a
cornerstone of the way I look at the universe. Paradoxes abound, boys
and girls.


In the meantime, WAVE Systems stock has been listed, then de-listed,
then re-listed, and, God only knows what it is now.

I even got an offer from that Chairman and Grey Eminence of WAVE to
come speak to FC97, if we comped him, of course. As General Chair of
the conference I had to gently let him know that FC was a
peer-reviewed conference, and if his tech people wanted to send a
paper and it got accepted by the Program Committee, (a whole bunch of
top-drawer cryptographers, lawyers, and bankers), they were perfectly
welcome, and, he, like I, could sit in the audience, watch the talks,
and hit the beach in the afternoon with everyone else. Never got
anything back for some reason. :-). We even got the DivX guys
presenting papers that first (and second) year, so content control
was never an issue, though I expect that trade-secret skullduggery
certainly was.

Which makes sense. WAVE's stockholders, called WAVEoids by themselves
and others, are practically millennial in their belief that WAVE will
conquer the world and the company's failure to date is due to a giant
short-seller's conspiracy of some kind. Lots of Secret Sauce there,
somewhere...

If BillG has swallowed this stuff, hook, line, and sinker, as someone
has noted before, then, frankly, he must have access to better drugs
than most of us. It also means that he's grasping at conceptual
straws, economically, and if he persists in following this folly to
the bitter end, his dream of software-kudzu world domination will
finally choke his company once and for all.

So, be careful what you wish for, Bill. On a geodesic network, no
central node can route all the information. Like Gilmore says about
censorship on the same network, any putative top of an internet
pyramid chokes instead, and the network simply routes around it.

The paradox in all of this is that the only way that crypto to the
screen is going to work is if the screen is literally *buying* the
content shown on that screen, for cash, in a raw commodity market of
some kind. And, if *that's* really the case, there's no need for IP law
in what amounts to an information commodity market in perfect
competition, not a monopolistically competitive market requiring
brands, patents, and copyrights. Finally, such a system cannot use a
book-entry-to-the-device system, because the cheapest cash will be
done without identity at all.

In such a world digital rights management, and content control
are contradictions in terms, if not preposterous notions on their
face.

Cheers,
RAH

-BEGIN PGP SIGNATURE-
Version: PGP 7.5

iQA/AwUBPRqKFsPxH8jf3ohaEQLhkACgrjzGqd+sWTRURTPB/pOBBRclTykAoMLT
93jOFpW8m0p7u7i8c8FO6W/N
=iwOs
-END PGP SIGNATURE-


http://www.extremetech.com/print_article/0,3998,a=28570,00.asp

ExtremeTech


Palladium Clues May Lie In AMD Motherboard Design
June 26, 2002
By: Mark Hachman

A two-year-old whitepaper authored by AMD and encryption firm Wave Systems
may offer additional clues to the design of PCs incorporating Palladium,
Microsoft's new security initiative.

Wave, based in Lee, Mass., has partnered with Microsoft rival Sun
Microsystems, Hewlett-Packard, Verisign and RSA Data Systems, among others,
in creating the EMBASSY verification system, originally pitched as a tool
for e-commerce. In August of 2000, Wave and AMD authored a whitepaper on
how the solution could be integrated into a motherboard using AMD's Athlon
microprocessor, which a Wave executive said is now entering field trials
overseas.

"Wave and AMD are developing a Trusted Client reference platform to enable
trust and security to be delivered to the PC," the whitepaper reads. "By
integrating Wave's EMBASSY Trusted Client system into AMD's Athlon
motherboard reference design, we will deliver a template for building cost
optimized Trusted Client PCs."

The paper is authored by researchers Kevin R. Lefebvre and Bill Chang of
Wave, and Geoffrey Strongin, who is spearheading AMD's Palladium work.
Strongin said Monday that the company had begun work on a Palladium-type
solution before Microsoft approached the company. AMD and Wave announced a
partnership in March 2000.

Wave's board of directors includes George Gilder and Nolan Bushnell, the
founder of Atari.

The whitepaper, 

RE: Revenge of the WAVEoids: Palladium Clues May Lie In AMD Motherboard Design

2002-06-27 Thread Lucky Green

Bob wrote quoting Mark Hachman:
> The whitepaper can not be considered a roadmap to the design
> of a Palladium-enabled PC, although it is one practical
> solution. The whitepaper was written at around the time the
> Trusted Computing Platform Association (TCPA) was formed in the
> fall of 2000; both Wave and AMD belong to the TCPA. And, while
> Palladium uses some form of CPU-level processing of security
> algorithms, the AMD-Wave whitepaper's example seems wholly tied
> to an off-chip security processor, the EMBASSY.

An EMBASSY-like CPU security co-processor would have seriously blown the
part cost design constraint on the TPM by an order of magnitude or two.
I am not asserting that security solutions that require special-purpose
CPU functionality are not in the queue, they very much are, but not in
the first phase. This level of functionality has been deferred to a
second phase in which security processing functionality can be moved
into the core CPU, since a second CPU-like part is unjustifiable from a
cost perspective.

Given the length of CPU design cycles and the massive cost of
architecting new functionality into a processor as complex as a modern
CPU, we may or may not see this functionality shipping. Much depends on
how well phase 1 of the TCPA effort fares.

--Lucky




Re: Ross's TCPA paper

2002-06-27 Thread Marcel Popescu

From: [EMAIL PROTECTED]

> As a side note, it seems that a corporation would actually have to
> demonstrate that I had seen and agreed to the thing and clicked
> acceptance.  Prior to that point, I could reverse engineer, since
> there is no statement that I cannot reverse engineer agreed to.  So
> what would happen if I reverse engineered the installation so that the
> agreement that was displayed stated that I could do what I liked with
> the software?  Ok, so there would be no mutual intent, but on the
> other hand, there would also be no agreement on the click-through
> agreement either.

I have an application that replaces the caption on the "I agree" button to
your liking; I wrote it exactly because of this reasoning.

http://picosoft.freeservers.com/NoLicense.htm

Of course, it's a stupid little program, I'm sure anyone can come up with
something better in no time... BTW, for any lawyers around here - shouldn't
the mere existence of this program be enough to blow up the idea that you
agreed to the click-through stuff?

Mark




federal bureaucrats growing increasingly unhappy

2002-06-27 Thread Declan McCullagh

2. Job satisfaction down among federal employees
By Raya Widenoja

Most civil servants have grown less satisfied with their jobs during the 
past year, particularly since the Sept. 11 terrorist attacks, according to 
a new report by the Brookings Institution.

The number of federal employees who said they were very satisfied with
their jobs fell 6 percent over the past year, from 49 percent in 2001 to 43
percent in 2002, according to the report, "The Troubled State of the
Federal Public Service." Federal employees also reported a general decline
in morale among their peers: 58 percent of employees rated morale among
their co-workers as very or somewhat high in 2001, compared with 53
percent in 2002.

The report is based on two surveys completed before and after Sept. 11 -- one
conducted between February and June 2001 and the other between March and
May 2002.

Full story: http://www.govexec.com/dailyfed/0602/062602r2.htm




Re: Terror Reading

2002-06-27 Thread Harmon Seaver

   Ah yes, you're absolutely correct. Larger libraries, especially university
libraries, have been online forever. I was thinking of the smaller public
libraries, most of which have been getting computerized more recently.


On Thu, Jun 27, 2002 at 01:57:38PM +0100, Ken Brown wrote:
> Harmon Seaver wrote:
>
> > And the computer revolution has been
> > going on in libraries for a decade now
>
> ? 3 decades more like. I'm pretty sure that the first computerisation of
> lendings was brought into the library in my home town (Brighton in
> England) about the time I stopped working there part time, when I was in
> the 6th form (top 2 years of what Americans would call High School). I'd
> have left in time to revise for exams before going to University. So it
> would have been early 1975. The University library was all computerised
> while I was there.

-- 
Harmon Seaver   
CyberShamanix
http://www.cybershamanix.com




Re: Two additional TCPA/Palladium plays

2002-06-27 Thread Harmon Seaver

On Wed, Jun 26, 2002 at 09:10:25PM -0700, Lucky Green wrote:
> Below are two more additional TCPA plays that I am in a position to
> mention:
>
> 1) Permanently lock out competitors from your file formats.
>
> From Steven Levy's article:
> A more interesting possibility is that Palladium could help introduce
> DRM to business and just plain people. "It's a funny thing," says Bill
> Gates. "We came at this thinking about music, but then we realized that
> e-mail and documents were far more interesting domains."
 
   Oh gawd -- we should all get on our knees daily and pray for this to come
about soonest. Especially for Outlook, just think how wonderful that would be,
people would send you mail and you'd say sorry, I can't read that, try another
mail agent -- better yet, since Outlook has the market share, all the spammers
would have to use it, and we'd need much simpler procmail recipes to filter it. 
   Aside from the anti-trust implications, it might alone bring about the end
for M$. 



-- 
Harmon Seaver   
CyberShamanix
http://www.cybershamanix.com




Re: Diffie-Hellman and MITM

2002-06-27 Thread Mike Rosing

On Thu, 27 Jun 2002, Marcel Popescu wrote:

> Is there a defense against MITM for Diffie-Hellman? Is there another
> protocol with equivalent properties, with such a defense? (Secure
> communications between two parties, with no shared secret and no out-of-band
> abilities, on an insecure network.)

What do you mean by no shared secret?  The point of DH is that you
get a shared secret.

Check out MQV protocol for MITM defense and forward secrecy.  It
uses permanent public keys and ephemeral public keys for each
session.  In any protocol, the out-of-band check of the public
keys is still a good thing.

Patience, persistence, truth,
Dr. mike
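
The contrast this reply points at, as an added example that is not part of the original thread: plain Diffie-Hellman versus MQV with long-term keys checked out of band, when an in-path party substitutes the exchanged public values. The group parameters, function names and session layout are assumptions made for illustration, and the group is a constructed toy far too small for real use.

```python
"""Plain DH versus MQV in a toy group (constructed example, not for real use)."""
import hashlib
import secrets

# Constructed toy Schnorr group: P = 2*Q + 1, G has prime order Q.
# Far too small to be secure; it only keeps the arithmetic readable.
P, Q, G = 2039, 1019, 4
HALF = (Q.bit_length() + 1) // 2            # l = ceil(bits(Q) / 2), used by bar()


def keypair():
    """Return (private, public) with the private value in [1, Q-1]."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def in_subgroup(value):
    """Validate a received public value: it must lie in the order-Q subgroup."""
    return 1 < value < P and pow(value, Q, P) == 1


def kdf(shared):
    """Hash the shared group element into a session key (hex string)."""
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).hexdigest()


def dh_key(my_priv, peer_pub):
    """Unauthenticated DH: nothing binds peer_pub to an identity."""
    if not in_subgroup(peer_pub):
        raise ValueError("public value outside the subgroup")
    return kdf(pow(peer_pub, my_priv, P))


def bar(value):
    """MQV's half-length representative of a public value."""
    return (value % (1 << HALF)) + (1 << HALF)


def mqv_key(static_priv, eph_priv, eph_pub, peer_static_pub, peer_eph_pub):
    """MQV: the peer's pinned static key is mixed into the shared value.

    A production implementation also rejects a shared value of 1; that check
    is left out because it triggers by chance in a group this small.
    """
    if not (in_subgroup(peer_static_pub) and in_subgroup(peer_eph_pub)):
        raise ValueError("public value outside the subgroup")
    s = (eph_priv + bar(eph_pub) * static_priv) % Q
    base = (peer_eph_pub * pow(peer_static_pub, bar(peer_eph_pub), P)) % P
    return kdf(pow(base, s, P))


def run_dh(substituted):
    """One plain-DH session; returns (alice_key, bob_key, in_path_keys)."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()                        # in-path party's own value
    to_bob, to_alice = (M, M) if substituted else (A, B)
    k_alice, k_bob = dh_key(a, to_alice), dh_key(b, to_bob)
    return k_alice, k_bob, (dh_key(m, A), dh_key(m, B))


def run_mqv(substituted):
    """One MQV session; static keys A and B were verified out of band."""
    a, A = keypair()                        # long-term (permanent) keys
    b, B = keypair()
    x, X = keypair()                        # per-session ephemeral keys
    y, Y = keypair()
    _, M = keypair()                        # value injected by the in-path party
    to_bob, to_alice = (M, M) if substituted else (X, Y)
    k_alice = mqv_key(a, x, X, B, to_alice)
    k_bob = mqv_key(b, y, Y, A, to_bob)
    return k_alice, k_bob


def mismatch_rate(sessions):
    """Fraction of substituted MQV sessions in which the two ends disagree."""
    results = (run_mqv(True) for _ in range(sessions))
    return sum(ka != kb for ka, kb in results) / sessions


if __name__ == "__main__":
    ka, kb, mid = run_dh(True)
    print("plain DH, substituted: in-path party holds both keys:",
          ka == mid[0] and kb == mid[1])
    ka, kb = run_mqv(False)
    print("MQV, honest run: keys agree:", ka == kb)
    print("MQV, substituted: sessions where ends disagree:", mismatch_rate(500))
```

With plain DH both ends complete the exchange holding keys the in-path party also holds; with MQV the two ends derive different keys, so the first key-confirmation message fails. Chance agreement in the substituted MQV case is an artifact of the tiny group order.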




RE: Ross's TCPA paper

2002-06-27 Thread Mike Rosing

On Thu, 27 Jun 2002, Lucky Green wrote:

> David wrote:
> > It's not clear that enabling anti-competitive behavior is
> > good for society.  After all, there's a reason we have
> > anti-trust law. Ross Anderson's point -- and it seems to me
> > it's one worth considering -- is that, if there are potentially
> > harmful effects that come with the beneficial effects, maybe we
> > should think about them in advance.
>
> I fully agree that the TCPA's efforts offer potentially beneficial
> effects. Assuming the TPM has not been compromised, the TPM should
> enable you to detect if interested parties have replaced your NIC with
> the rarer, but not unheard of, variant that ships out the contents of
> your operating RAM via DMA and IP padding outside the abilities of your
> OS to detect.
>
> However, enabling platform security, as much as might be stressed
> otherwise by the stakeholders, has never been the motive behind the
> TCPA. The motive has been DRM. Does this mean that one should ignore the
> benefits that TCPA might bring? Of course not. But it does mean that one
> should carefully weigh the benefits against the risks.
>
> --Lucky Green

I don't see DRM as anti-competitive, I see it as a road block. The
French government just signed a contract to put Linux into many of
their service machines to help people get data into and out of the
government (and I bet there's a lot!).  A Microsoft DRM file won't
work there, so Microsoft is screwed.

The majority of people and businesses want to do things as cheaply
as possible.  The whole reason Microsoft has gotten as big as they
are is because they are cheap.  That they happen to be crappy too
didn't bother most people, compared to a Sun or Dec workstation, a
PC running DOS or WinXX was a factor of 10 cheaper.

Controlling secrets for use within a company is what most companies
want.  The TCPA helps solve that problem, and if Microsoft can sell
them something that does it cheaply, they'll happily buy it.

The line gets crossed when Hollywood wants to sell movies over the
net, and they realize all those bits can be sent by anyone, anywhere,
anytime once they have them.  For Hollywood to mandate that all
platforms and devices protect their IP is insane, and we need to
make sure it doesn't happen.

However, we can build very special devices that connect directly
to Hollywood to play their stuff.  If somebody steals it, then
it's out and there's not much they can do.  Most people won't want
to do that - the special boxes can be cheap enough that it's not
worth the effort.  These special boxes are also TCP, but they are
not general computing platforms - they are special movie playing
or music playing platforms.

So technology can be made so we all win - IP is normatively protected,
PC's are generic, and consumers and business get solutions that are
low cost.  It's an economic win too because guys like me get more
work building more boxes :-)

Certainly there will be people who could tap into a special box and
transfer the data to the general net and make it work on a general
PC.  They will be called thieves and eventually be apprehended.  If
Hollywood has any brains, these guys will have a lot of work to do.
People still counterfeit money too - but they usually lose money!!

There are lots of solutions here.  The law is not one of them.
There is more than enough applicable law to use, and anyone who
tries to force their solution down everyone's throat can be taken
in for anti-trust violations.

I see the risk as being too much law and fixed technology.  DRM and
TCP are useful tools, they should not be forged into weapons.

Patience, persistence, truth,
Dr. mike





Re: Revenge of the WAVEoids: Palladium Clues May Lie In AMD Motherboard Design

2002-06-27 Thread Peter Gutmann

R. A. Hettinga [EMAIL PROTECTED] writes:

> WAVE, some of you might remember, was started by a former NatSemi Chairman
> back before the internet got popular. It was going to be a dial-up
> book-entry-to-the-screen content control system with special boards and
> chips patented down to its socks.

Think of it as DIVX for PCs, with a similar chance of success (see my earlier
post about TCPA being a dumping ground for failed crypto hardware initiatives
from various vendors).  Its only real contribution is that the WAVEoid board on
Ragingbull (alongside the Rambus one) is occasionally amusing to read, mostly
because it shows that the dot-com sharemarket situation would be better
investigated by the DEA than the FTC.

Peter.




(Fwd) Nortel secret security part of court records now, gracia

2002-06-27 Thread Iggy River

I looked at the Nevada PUC (PUCN) web site and found that the most
recent document on-line that relates to docket #00-6057 (EDDIE
MUNOZ VS CENTRAL TELEPHONE COMPANY-NEVADA
DBA SPRINT OF NEVADA, COMPLAINT ALLEGING
INCOMING CALLS ARE BEING BLOCKED OR DIVERTED
FROM CUSTOMERS BUSINESS) is from 04/07/02 - and the link is
broken.  Clearly the below referenced document (Nortel codes) will not
appear on-line -- at least not courtesy of the PUCN.  However, chapter 703,
PUBLIC UTILITIES COMMISSION OF NEVADA - GENERAL
PROVISIONS, of the Nevada Revised Statutes states (among other
things):

NRS 703.190 Records open to public inspection; exception.
1. Except as otherwise provided in this section, all biennial reports, 
records, proceedings, papers and files of the commission must be open 
at all reasonable times to the public.
2. The commission shall, upon receipt of a request from a public utility,
prohibit the disclosure of any information in its possession concerning the
public utility if the commission determines that the information would
otherwise be entitled to protection as a trade secret or confidential
commercial information pursuant to NRS 49.325 or 600A.070 or Rule
26(c)(7) of the Nevada Rules of Civil Procedure. Upon making such a
determination, the commission shall establish the period during which the
information must not be disclosed and a procedure for protecting the
information during and after that period.
[Part 12:109:1919; 1919 RL p. 3157; NCL § 6111](NRS A 1995, 385)

I don't know what the legal definition of confidential commercial 
information is, but I doubt that the code list could be construed as a 
trade secret *of the utility*, perhaps of Nortel, but according to the 
statute only the utility can move to limit public access to the documents.  
Perhaps this document is currently accessible in hard copy in NV?
I wonder how many people have visited the PUCN office in the past 
three days!

--- Forwarded message follows ---
Date sent:  Wed, 26 Jun 2002 09:23:14 -0700
From:   Major Variola (ret) [EMAIL PROTECTED]
Subject:    Nortel secret security part of court records now, gracias Kevin
To: undisclosed-recipients: ;

Towards the bottom of this article it's mentioned that Mitnick submitted
a list of Nortel's [1] 'security' barriers to r00t [2] on a widely used
piece of telco switching equipment.
One wonders how many copies of this info circulate in TLA's technical
intercept depts?

[1] (presumably obsolete :-)
[2] Should this be called tapr00t ??

--

http://online.securityfocus.com/news/497

  Mitnick Testifies Against Sprint in Vice Hack Case

  The ex-hacker details his past control of Las Vegas' telecom network,
  and raids his old storage locker to produce the evidence.
  By Kevin Poulsen, Jun 24 2002 11:25PM

  LAS VEGAS--Since adult entertainment operator Eddie Munoz first told
  state regulators in 1994 that mercenary hackers were crippling his
  business by diverting, monitoring and blocking his phone calls,
  officials at local telephone company Sprint of Nevada have maintained
  that, as far as they know, their systems have never suffered a single
  intrusion.

  The Sprint subsidiary lost that innocence Monday when convicted hacker
  Kevin Mitnick shook up a hearing on the call-tampering allegations by
  detailing years of his own illicit control of the company's Las Vegas
  switching systems, and the workings of a computerized testing system
  that he says allows silent monitoring of any phone line served by the
  incumbent telco.

  "I had access to most, if not all, of the switches in Las Vegas,"
  testified Mitnick, at a hearing of Nevada's Public Utilities
  Commission (PUC). "I had the same privileges as a Northern Telecom
  technician."

  Mitnick's testimony played out like a surreal Lewis Carroll version of
  a hacker trial -- with Mitnick calmly and methodically explaining
  under oath how he illegally cracked Sprint of Nevada's network, while
  the attorney for the victim company attacked his testimony,
  effectively accusing the ex-hacker of being innocent.

  The plaintiff in the case, Munoz, 43, is accusing Sprint of negligence
  in allegedly allowing hackers to control their network to the benefit
  of a few crooked businesses. Munoz is the publisher of an adult
  advertising paper that sells the services of a bevy of in-room
  entertainers, whose phone numbers are supposed to ring to Munoz's
  switchboard. Instead, callers frequently get false busy signals, or
  reach silence, Munoz claims. Occasionally calls appear to be rerouted
  directly to a competitor. Munoz's complaints have been echoed by other
  outcall service operators, bail bondsmen and private investigators --
  some of whom appeared at two days of hearings in March to testify for
  Munoz against Sprint.
  Mitnick