Default, Help Net Security newsletter issue #1, Friday 13 August 1999
(http://default.net-security.org)

TABLE OF CONTENTS
-----------------

I. Editorial
II. Last week's news on Help Net Security
   a) Help Net Security news headlines
   b) Vulnerabilities reported in the last week
   c) Site News
   d) Defaced Pages
III. Y2K: As the millennium approaches
IV. A look into basic cryptography
V. The history of Zero Knowledge Systems
VI. Telecommunications 101
VII. Macintosh security: How to make your Mac a Babel tower!
VIII. Computing: A closer look at hard- and software
IX. An approach to Linux System Security
X. Infection & Vaccination
XI. Spam: The problems with junk e-mail
XII. Freedom of speech - related incidents
XIII. Meet the underground
XIV. Guest column

I. Editorial
------------

Hi there and welcome to the first edition of Default, the Net Security newsletter. The idea behind this newsletter has several sides to it. On one side we want to keep you up to date regarding news and events from and in the security scene. On the other hand, we hope this will turn into an interactive medium through which we can educate and inform you and, through interaction with you, maybe even ourselves. We hope in this way to incorporate more of the different kinds of knowledge that seem to exist between the professional computing/security scene and the underground, and to inform both sides about each other's knowledge base and accomplishments. This will not be a primarily technical source of knowledge though; we start by focussing on basics to get everyone on the same level regarding some of our topics before moving on to the technically more advanced issues. Most of all we want this to grow, hopefully through submissions and contributions by you, our readers.

This being the first in hopefully a long series of newsletters, we had some problems to deal with. One of these is the absence of one of our editors.
Due to his vacation we didn't have the chance to call on Doug Muth's expertise in the fields of viruses and spam. As soon as he gets back we hope to provide you with his contributions in a next issue. Furthermore we think that what lies before you is a pretty decent issue, one of what we hope will be many. We have sought (and found) a lot of assistance in both the underground and the professional security scene. We hope you'll be as pleased with the results as we are, though feedback is always welcome. Remember, we can try to make this good, but we need your comments and contributions to make this the best. Well, that's it for now; before you lies issue #1 of Default, and we hope you enjoy it as much as we did making it.

For the HNS and HNS Default Crew:

Berislav Kucan aka BHZ, webmaster Help Net Security
bhz@net-security.org

Xander Teunissen aka Thejian, co-webmaster Help Net Security
thejian@net-security.org

II. Last week's news on Help Net Security
-----------------------------------------

a) Help Net Security news headlines

- Saturday 7th August 1999:
  Japan cracks down on unauthorized network access
  LinuxPPC crack contest update
  LA District Attorney drops Mitnick case
  Lockdown 2000
  Proposal to ban "unapproved content" linking
  Chaos Computer Camp kicking off
  Cyberwar: The threat of chaos

- Sunday 8th August 1999:
  HWA.Hax0r.News #28 released
  CrackTheBox goes a bit further again
  Mass hack on German domains

- Monday 9th August 1999:
  Hackers take over TV channel?
  Clinton keeps supporting Y2K updates
  DOD worried
  Wired covering CCC
  New Melissa-style virus
  Secure shell installation and configuration
  Backwork 2.1 released
  Sorting out security
  Will hackers make use of Y2K confusion?
  Belgacom Skynet hacked

- Tuesday 10th August 1999:
  Patch for Excel97 coming on August 16th
  Kevin Mitnick avoids stiff sentence
  IBM supports Linux
  Kevin could soon be free
  HK mail systems open to abuse
  Finalists for new encryption standard named
  Sentencing hacker no cause for joy

- Wednesday 11th August 1999:
  RedHat advisory and new Linux kernel
  Taiwan strikes back
  Taiwan prosecutors probe web site intrusion
  Microsoft Office97 flaws
  Office harassment

- Thursday 12th August 1999:
  Network-centric warfare
  Key to crypto success: don't be born in the USA
  New IE5 bug exposes passwords
  Error in Microsoft patch
  New mail attack identified

- Friday 13th August 1999:
  Outsmarting the wily computer virus
  Startup wants to sell untappable phones
  Baltimore Technologies to ship encryption tool for XML
  Hacking your way to an IT career
  Code-cracking computer causes concern

b) Vulnerabilities reported in the last week (our thanks go out to BugTraq for this list)

6-8  NT Exchange Server Encapsulated SMTP Address Vulnerability
8-8  CREAR ALMail32 Buffer Overflow Vulnerability
8-8  WebTrends Enterprise Reporting Server Negative Content Length DoS Vulnerability
8-8  Microsoft FrontPage Extensions for PWS DoS Vulnerability
9-8  Firewall-1 Port 0 DoS Vulnerability
9-8  Solaris stdcm_convert File Creation Vulnerability
9-8  NT Terminal Server Multiple Connection Request DoS Vulnerability
9-8  Multiple Vendor profil(2) Vulnerability
11-8 NT IIS Malformed HTTP Request Header DoS Vulnerability
11-8 Multiple Vendor IRDP Vulnerability

c) Help Net Security site news

- Saturday 7th August 1999:
  Mailing list submission form
  Study on Linux System Security

- Sunday 8th August 1999:
  Connection problems
  Mac archive updated
  Anonymous submission form back online

- Monday 9th August 1999:
  Insert HNS headlines in your site

- Wednesday 11th August 1999:
  Bookstore update

d) Defaced pages (mirrors provided by Attrition (http://www.attrition.org))

Site: Illinois Institute of Technology (www.iit.edu)
Mirror:
http://default.net-security.org/1/www.iit.edu.htm

Site: Santa's Official Page (www.north-pole.net)
Mirror: http://default.net-security.org/1/www.north-pole.net.htm

Site: NorthStarNet (www.northstarnet.org)
Mirror: http://default.net-security.org/1/www.northstarnet.org.htm

Site: Official site of Korn (www.korn.com)
Mirror: http://default.net-security.org/1/www.korn.com.htm

Site: Malaysian Government (www.idhl.gov.my)
Mirror: http://default.net-security.org/1/www.idhl.gov.my.htm

Site: Institute for Telecommunication (elbert.its.bldrdoc.gov)
Mirror: http://default.net-security.org/1/elbert.its.bldrdoc.gov.htm

Site: Federal Energy Regulatory Commission (www.ferc.fed.us)
Mirror: http://default.net-security.org/1/www.ferc.fed.us.htm

Site: State of Michigan Official Site (www.state.mi.us)
Mirror: http://default.net-security.org/1/www.state.mi.us.htm

Site: China Securities Regulatory Commission (CN) (www.csrc.gov.cn)
Mirror: http://default.net-security.org/1/www.csrc.gov.cn.htm

Site: Wired Digital (www.wired.com)
Mirror: http://default.net-security.org/1/www.wired.com.htm

Site: Motorola (TW) (www.motorola.com.tw)
Mirror: http://default.net-security.org/1/www.motorola.com.tw.htm

III. Y2K: As the millennium approaches
--------------------------------------

It is Wednesday, 11 August 1999. Less than 4 months divide this millennium from the next. What will happen then? People often think about Armageddon, and it has its translation in the computer world: Y2K (year 2000). As I was always interested in news regarding the solution of this bug (the term "computer bug" was coined by Navy computer pioneer Grace Hopper in the 1950s after a moth got into one of her machines and it went haywire), I saw that many countries have spent billions of dollars on preparing their systems for the new millennium.

"The two-digit year is a convention as ancient as the feather pen -- writing the date on a personal letter with an apostrophe in the year, implying a prefix of 17- or 18- or 19-.
But reading an apostrophe requires sentience and judgment. Computers possess neither. They cannot distinguish an "00" meaning 1900 from an "00" meaning 2000. When asked, for example, to update a woman's age on Jan. 1, 2000, a computer might subtract her year of birth (say, '51) from the current year ('00), and conclude she will not be born for another 51 years. A human would instantly realize the nature of the error, adjust his parameters, and recalculate."

So we know the problem now, but how did it start? Robert Bemer is the man who wrote the American Standard Code for Information Interchange (ASCII), the language through which different computer systems communicate. He also put the "backslash" and "escape" into use. In the late 1950s Robert Bemer helped in writing COBOL (a computer language which had commands in plain English, so it was easy for everyone to use). There was nothing in COBOL requiring or even encouraging a two-digit year. Bemer blames the programmers and bosses for this glitch. He pointed out that they were instructed to save costs. Now we could draw a parallel: if those bosses hadn't been so shortsighted and had invested in this issue, there wouldn't be a Y2K bug to talk about. So this was the brief history of the Y2K bug. Now follows the week in Y2K review.

The Y2K problem could be used for cyberattacks, the United States Department of Defense concluded. Fixing systems and preparing them for the new millennium may expose the information infrastructure to hack attempts, so the DOD advised all network managers to tell their people to change all passwords. It is just a precaution. To make everything easy for their system administrators, the US Navy created three programs to help automate the password exchange.
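The age calculation quoted above is easy to reproduce, and so is the remediation that most shops applied where widening the field was not an option: expanding two-digit years through a pivot year ("windowing"). The following Python is an added example, not part of the newsletter's text; the pivot of 50 and the six-digit YYMMDD record layout are this example's own assumptions.

```python
from datetime import date

PIVOT = 50  # assumption for this example: 00-49 -> 20xx, 50-99 -> 19xx


def age_two_digit(birth_yy, now_yy):
    """The broken arithmetic from the quote: both years kept as two digits,
    so '00 minus '51 comes out as -51 ("not born for another 51 years")."""
    return now_yy - birth_yy


def expand_year(yy, pivot=PIVOT):
    """Windowing fix: choose the century from a pivot instead of assuming 19xx."""
    if not 0 <= yy <= 99:
        raise ValueError("expected a two-digit year, got %r" % yy)
    return 1900 + yy if yy >= pivot else 2000 + yy


def parse_yymmdd(field, pivot=PIVOT):
    """Parse the six-digit YYMMDD layout that saved two bytes per record
    (the layout itself is an assumption of this example)."""
    if len(field) != 6 or not field.isdigit():
        raise ValueError("expected YYMMDD, got %r" % field)
    yy, mm, dd = int(field[:2]), int(field[2:4]), int(field[4:])
    return date(expand_year(yy, pivot), mm, dd)


def age_on(birth_field, today_field, pivot=PIVOT):
    """Age in whole years, computed on four-digit years after windowed expansion."""
    born = parse_yymmdd(birth_field, pivot)
    today = parse_yymmdd(today_field, pivot)
    had_birthday = (today.month, today.day) >= (born.month, born.day)
    return today.year - born.year - (0 if had_birthday else 1)


if __name__ == "__main__":
    print("two-digit arithmetic:", age_two_digit(51, 0))       # -51
    print("windowed arithmetic: ", age_on("510101", "000101"))  # 49
```

Windowing only moves the cliff: with a pivot of 50, a record for someone born in 1949 expands to 2049, so the pivot has to be chosen per data set, and the permanent fix is still a four-digit field.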
Friends of the Earth and Greenpeace International, two "green" organizations, are protesting around the globe and appealing to the United States and Russia to scale down the readiness of nuclear weapons to reduce the possibility of a Y2K computer glitch which could really cause Armageddon (just think back in time to what happened to Hiroshima and Nagasaki; this would be a 100 times bigger catastrophe). We know that the United States spent billions of dollars on preparing every vital part of their infrastructure. But Russia is a different topic; the way of living and the social and financial state of Russia are on a much lower level. Just to note, you saw how much money the USA puts into Y2K solutions, and only two thirds of their nuclear plants are Y2K ready. BTW, the Nuclear Regulatory Commission published its guidelines:

* Plants with non-safety systems that affect power operation that are not Y2K-ready, or those plants that have incomplete contingency plans for these systems, will be subject to additional regulatory actions which may include issuance of an order requiring specific actions by the licensee. There are about 12 plants in this category.

* Plants with non-safety, support systems and components that are not Y2K-ready, or plants that have incomplete contingency plans for these systems, could require additional meetings, audits, or requests for additional information. There are about 10 plants in this category.

And the conclusion: the plants that have Y2K work remaining are continuing to progress toward Y2K readiness. As of August 1, five more plants have reported that they are Y2K-ready, bringing the total to 73 operating nuclear power plants that are fully Y2K-ready. This reduces to 30 the number of plants that have remaining work on non-safety systems and components to be fully Y2K-ready.

The World Bank published its Global Commodities Report, a report talking about fears of the millennium bug.
The report says: "Concerns over the potential disruptions associated with Y2K may cause consumers, processors and distributors to stockpile crude oil and products. A shortage of ocean tankers may develop if importers rush to beat the end-of-the-year concerns over Y2K and this could contribute to the potential for price volatility".

The world fears the year 2000. A lot of recent actions could prove this:

- India will stamp more money
- The US Government got a suggestion to move the New Year's Eve celebration to the 3rd of January
- Japan will halt airplane voyages on New Year's Eve
- Canada's telephone company tested their new Y2K-prepared system and it crashed

And a lot of other things happened, but this is enough for the first issue. Below you can read an interesting article about testing your computer for Y2K, written by Atlienz (atlienz@default.net-security.org).

What is it?

The problem is with the real time clock (RTC) in the computer, which tells the computer the current date. When programmers initially established the date issue, they established the year portion of the date with only two digits instead of four. They chose two digits instead of four to save storage space, which at that time was very expensive. So any computer or software that is not Year 2000 compliant will experience problems on January 1, 2000. Some computers will revert back to a 1900, 1980 or 1984 date, which will throw off accounting programs that read that date.

Preparation & Timing!

If you feel capable, check your real time clock (RTC). Go to a DOS prompt (C:\>) and type "DATE". The current date will appear along with an option to change the date. Change the date to December 31, 1999. Then type "TIME". The current time will appear and you need to change that to 12:58 P.M. Next, shut down or turn off your computer and wait five minutes. Turn your computer on, and check the current date by again going to the DOS prompt and typing "DATE".
If your computer displays January 1, 2000 then your system is 2000 compliant. If the system displays a year of 1980, 1984, 1900 or anything else besides 2000 then your computer is not 2000 compliant. Be sure to reset your computer back to the current date!

Next, perform a complete software inventory and verification, including operating systems, productivity tools, games, etc. Record the vendor, title and version. Contact each vendor and inquire whether your version of the software is 2000 compliant. If not, ask whether the newer versions are compliant or if the vendor will bring the software into compliance. NOW is the time to take action toward finding a solution for the year 2000 issue. If you wait, resources such as computers, technician support and even information may be in short supply.

-----------

In the next issue of Default - net security newsletter you can read about Y2K testing tools and of course the latest news from the millennium bug section.

BHZ
Berislav Kucan
bhz@net-security.org

IV. A look into basic cryptography
----------------------------------

Okay, this is Iconoclast. I have been asked to start working with net-security for their Default newsletter on a cryptography section. First and foremost, I am in no way qualified for this, and if I am ever wrong, please feel free to contact me and correct me. This will basically be YOUR section. I have been given free rein on how to run it, so this is how things will be. It will be run via your submissions and weekly news on the cryptography front. Most everything I hear is over my head, but we will learn together. For this, the first issue, I have dug up an old "HOWTO" I wrote a while ago under another handle, edited it a bit, added a lot and then split it into three sections (it was way too big for a single issue). So here we go, I will delve right into it. We will see how things work out.

First of all, this is strictly to expand one's mind; if you see encryption out there... do not crack it.
It is encrypted for a reason. I in no way claim any responsibility for anyone's actions other than my own. If you do something stupid, it is your own problem and fault, not mine, and not net-security's.

I was recently approached by a friend who had been working on some 'indecipherable' password protection for restricted areas in web sites. He heard I dabbled in cryptanalysis so he asked me to crack his "indecipherable" code. First of all, he had no idea what he was doing. He should know that nothing is indecipherable. If you want to get into cryptography, the way is NOT to create an algorithm that is "virtually indecipherable"; it's to get into cryptanalysis. Figure out other people's algorithms, and understand their weaknesses. Once you're already accepted into the scene (unlike myself) then maybe have a go at creating an algorithm.

First try to identify the method of cryptography. If you see something like the following within the page source:

xuuv://qqq.eipov.fhe/eizjen/enecnro.xueb

You are in luck. It is a simple method with a simple method of cracking. It is called a transposition cipher. You recognize the format to go hand in hand with:

http://www.someserver.ext/directory/site.html

So you first start transposing characters (hence the name, transposition cipher):

x=h u=t v=p q=w e=m b=l

Now you see it as:

http://www.eipov.fhe/eizjen/enecnro.html

Now take the letters that you know and work with them. You already know (I will put all of the plaintext in caps so you do not accidentally try to decrypt them later):

HTTP://WWW.Mipov.fhM/MizjMn/MnMcnro.HTML

Now you see fhM and immediately compare it to extensions that have **m in common.... com works; use that and add the new information to your key:

f=c h=o

HTTP://WWW.Mipov.COM/MizjMn/MnMcnro.HTML

Okay, now you may have drawn a blank. Look at the referring page... Usually the encrypted page is within the same web server as the unencrypted page...
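The bookkeeping the walkthrough relies on at every step, applying the letters known so far and checking that a new guess does not contradict them, is worth automating, because the consistency rule is what makes this kind of crib attack terminate. The Python below is an added example and not the column's code; the ciphertext and the four guesses are the ones the column has made up to this point. In the usual terminology this is a simple substitution cipher (each letter is replaced by another letter), whereas a transposition cipher rearranges letter positions, so the check implemented here is that the substitution stays a one-to-one mapping: a ciphertext letter cannot stand for two plaintext letters, and two ciphertext letters cannot stand for the same plaintext letter.

```python
# Added example: key bookkeeping for the URL substitution cipher in the column.
# CIPHERTEXT and WALKTHROUGH_CRIBS are taken from the column; nothing else is.

CIPHERTEXT = "xuuv://qqq.eipov.fhe/eizjen/enecnro.xueb"


def apply_key(ciphertext, key):
    """Render the ciphertext with known letters in CAPS (the column's convention)
    and still-unknown letters left lowercase."""
    return "".join(key[c].upper() if c in key else c for c in ciphertext)


def try_crib(key, cipher_segment, crib):
    """Extend key by assuming cipher_segment decrypts to crib.

    Returns (new_key, None) on success or (None, reason) when the guess
    contradicts the letters already known:
      1. a ciphertext letter already mapped to a different plaintext letter;
      2. the plaintext letter already being the image of another ciphertext letter.
    """
    if len(cipher_segment) != len(crib):
        return None, "length mismatch"
    new_key = dict(key)
    for c, p in zip(cipher_segment, crib.lower()):
        if not c.isalpha():  # punctuation is left untouched by this cipher
            if c != p:
                return None, "%r does not match %r" % (c, p)
            continue
        if c in new_key and new_key[c] != p:
            return None, "%s already decrypts to %s, not %s" % (c, new_key[c], p)
        owner = next((k for k, v in new_key.items() if v == p and k != c), None)
        if owner is not None:
            return None, "%s is already the plaintext of %s, so %s cannot be %s" % (p, owner, c, p)
        new_key[c] = p
    return new_key, None


def solve_with_cribs(ciphertext, cribs):
    """Fold a list of (cipher_segment, crib) guesses into one key, raising on the
    first guess that conflicts with what is already known."""
    key = {}
    for segment, crib in cribs:
        if segment not in ciphertext:
            raise ValueError("%r is not in the ciphertext" % segment)
        key, reason = try_crib(key, segment, crib)
        if key is None:
            raise ValueError("crib %r for %r rejected: %s" % (crib, segment, reason))
    return key


# The guesses made so far: URL scheme, host prefix, file extension, and the
# "com" top-level domain that matched the *h*M pattern.
WALKTHROUGH_CRIBS = [("xuuv", "http"), ("qqq", "www"), ("xueb", "html"), ("fhe", "com")]

if __name__ == "__main__":
    key = solve_with_cribs(CIPHERTEXT, WALKTHROUGH_CRIBS)
    print(apply_key(CIPHERTEXT, key))
    # Show why the other common extensions were not candidates for "fhe".
    for guess in ("com", "net", "org"):
        _, why = try_crib(solve_with_cribs(CIPHERTEXT, WALKTHROUGH_CRIBS[:3]), "fhe", guess)
        print(guess, "->", why or "consistent")
```

Note that `apply_key` also capitalises the `v` in the host name, which the column's own rendering leaves lowercase even though `v=p` is already in its key; running the tool after every guess is exactly what keeps such slips from propagating into later guesses.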
Let's say the referring page is from a web server called www.myisp.com; now work with that in your key:

HTTP://WWW.MYISP.COM/MizjMn/MnMcnro.HTML

i=y p=i o=s v=p

You now have:

HTTP://WWW.MYISP.COM/MYzjMn/MnMcnrS.HTML

Now it's time to make educated guesses. MY**M*.... what can possibly fit in here (think English)? MY**M* could be.... MYHOME. Now check that with your key; one letter unencrypted should NOT correspond with more than one encrypted letter (in this basic a cipher):

x=h u=t v=p q=w e=m b=l f=c h=o i=y p=i o=s v=p

Aha, it cannot be MYHOME because h=o and thus j cannot = o too (in this simple type of encryption), so keep thinking; you won't always get it on your first guess. MY**M* could be... MYNAME. Compare that with your already known key and it could work. So now you have:

HTTP://WWW.MYISP.COM/MYzjMn/MnMcnrS.HTML

z=n j=a n=e

HTTP://WWW.MYISP.COM/MYNAME/MEMcErS.HTML

There are no conflicts as of yet. Once again, time to make another educated guess, and the only word that comes to mind that could fit MEM*E*S is MEMBERS. Plug that in and see if it works; if not, think of another word that may fit. You have done it, you've decrypted the encrypted URL to be:

http://www.myisp.com/myname/members.html

This was incredibly basic. No important site will utilize such a basic cipher. They would use more standard, and field-proven, ciphers.

Okay, that's about it for this issue; there is much more to come that wouldn't fit in here today. Expect more, and expect interactive. For the time being, if you come across ANYTHING that you think could be of use to anyone in the field of cryptography, please drop me a line at crypt@default.net-security.org. It's been fun.

Michael G. Komitee aka Iconoclast
crypt@default.net-security.org

V. The history of Zero Knowledge Systems
----------------------------------------

Austin & Hamnett Hill, the brothers behind Zero-Knowledge Systems, were involved with the Internet at a very young age.
At 21 Austin founded the ISP Infobahn Online Services with money from his father and a small group of investors. They soon called upon Hamnett, a 23-year-old reformed Deadhead studying accounting in Montana, to be CFO. In late 1995 Infobahn merged with Accent Internet to create TotalNet, Canada's third largest ISP. At TotalNet, Austin and his partners earned founding investors more than a 10,000 per cent return on investments in under two years, growing the company to 150 employees in 18 months. He and Hamnett left as soon as they could sell the company; they cashed in and got out as the summer of 1997 approached.

"The entire time we were at TotalNet, there was an Internet revolution going on," says Austin, now 26 years old. "Hamnett and I would always talk about what we could do. Then a month or two later somebody would do it. We realized we needed to get back out there -- privacy was going to be huge."

But before they could get back in the game, there was work that needed doing: research to conduct, a business plan to build. An idea was in the back of Austin's mind, something that grew out of his strong beliefs in personal freedom and the rights of the individual. The seed was planted by an article in Wired about the Cypherpunks, Pretty Good Privacy and those building strong encryption tools to allow individuals to protect their privacy online. He knew this next project would be successful, but Austin, who never finished high school, wanted more than just monetary gain.

"The idea of putting basic human rights into a piece of software and giving it to individuals was something that we felt in the end could only do more good than harm," says Austin. "Free speech isn't there only to protect the good speech." In short, he wanted freedom for all.

"Both Hamnett and I have always had the sense that we wanted to do something, but for a long time we just didn't know what," says Austin.
"Change is usually accomplished by a small group of people who believe in something strongly enough that they can make it happen. One of our basic premises was that it had to be done with a business."

They were dedicated to giving every Net user an easy, secure way to protect their privacy -- something no one has been able to do. "Our biggest concern was how we could bring this to the average person," explains Austin. "We wanted to make it absolutely secure so people didn't have to trust us - Zero-Knowledge: don't trust us."

After a summer of careful research and planning, the Hills had a viable business plan and an idea for privacy software that would place the individual in complete control over their personal information and identity on the Internet. Deciding that venture capital would put too many restrictions on their business at the time, they put their own money into the project and rented office space. In the ensuing months they set out recruiting developers to code the software. "We wanted developers who were young and ambitious enough not to know it couldn't be done," says Austin. "We went through a whole group of developers, and finally ended up with a core group. At the same time we made a decision that people were going to be the most important thing at the company. The whole idea of treating people like resources just wasn't going to work."

A Cypherpunk arrives

By early 1998, the Hills had a name for their product, something that encompassed what it represented and what it would bring users: Freedom. Still, they knew a piece of the puzzle was missing. A big piece. The system they were trying to build was so complex that they needed one of the top cryptographers in the world to oversee its design and implementation. And due to US encryption export restrictions, it couldn't be an American. All along, Austin had his sights on a Canadian who was pursuing his Ph.D. at USC Berkeley. His name was Ian Goldberg.
By 24 he had exposed security flaws in the Netscape browser, cracked a 40-bit code in record time (with the help of 250 computers) and written several seminal cryptography papers describing a system that would give users complete privacy. Unfortunately, Goldberg only did consulting and charged $10,000 a week in addition to first class air and accommodations. Undeterred, Austin tracked him down at his parents' home in Ontario and gave his pitch: "I told him we were going to build the system he had been talking about," says Austin. "He said: 'OK, I do consulting and there's a long waiting list'." Austin said: "You don't understand, we want you to join our company." A few minutes later he hung up, rejected.

The next day Austin was on a plane to Toronto and took Goldberg out to dinner. For four hours, Goldberg fired questions at Austin. "He wanted to make sure I knew what I was getting into, and not just with the technology stuff, about the implications of the technology," says Austin. "I felt I aced it. We asked him to come to Montreal. The first day he met with the developers and he was saying 'You have to do this.' By the second day it was 'We.' By the third day he came in and said, 'You know what? You've got the team'."

At dinner, Goldberg had seen someone with a good grasp of the technology and the political and social issues surrounding the project; after meeting the developers, he saw the technical know-how with a business plan to back it up. "They were going to make this happen," says Goldberg. "I wanted to be a part of it." With Goldberg on board, the Freedom team was set. The rest is history in the making...

Jordan Socran
Zero Knowledge Systems (http://www.zks.net)

VI. Telecommunications 101
--------------------------

The current state of this section is yet to be determined.
We at Help Net Security have been trying to contact several people from this field, but because of people being on vacation and others being too busy filling in for people who are on vacation we haven't had much luck yet. Until then I will cover some basic issues here regarding certain types of telecommunication networks and their flaws. This will however be a completely theoretical discussion, meant to inform. I will not provide you with a step by step guide to exploiting your local telecom company, nor will I take any responsibility for utilization of anything you learned from here. I myself have a bit of reading up to do on the matter of the different phone systems used all over the world, but to get things going I'll start here today by explaining a bit about the wonderful world of pager communications.

To send a message to someone's pager, you have to dial a phone number and leave your message, after which the message is sent to the actual paging device by a computer or operator. This is done through the use of a RIC. A RIC is like a fingerprint for an individual pager. The computer sending the message to the pager after you left it knows which phone number corresponds with which RIC, which enables it to deliver the message to the right pager.

There are three kinds of pagers. First the tone-only, which has no display and just sounds a single tone to inform someone that a certain action needs to be taken. Then there's the numeric, which has a display which shows its owner just numeric messages (hence the name) like phone numbers and so on. Last but not least we have the type of pager which is most commonly used nowadays, the alpha-numeric one. This type of pager displays not only numbers but can also show text messages.

In the past, most alpha-numeric pagers made use of a proprietary Motorola encoding format called GOLAY.
We however will not discuss this protocol, since nowadays most pagers use the POCSAG (Post Office Code Standardization Advisory Group) standard. You can tell GOLAY from POCSAG by the baud rate which is used to transmit signals. GOLAY uses 600 baud, whereas POCSAG pagers can currently transmit at a much higher rate, although the original (and still most often used) POCSAG was defined as being able to transmit 512 bytes a second.

Using POCSAG a signal is formatted as one preamble and a minimum of one batch of codewords. The preamble is used by the receiving device to check whether the signal is indeed a POCSAG signal and to synchronize with the data stream. A batch consists of one synchronization codeword, to mark the beginning of a batch of codewords, and eight frames which each in their turn contain two codewords. These codewords come in several types too: these can be two address codewords, two idle codewords, two message codewords or any appropriate combination of these three. The synchronization codeword is made up of 32 bits, the eight frames are 64 bits and each contain the two codewords that are 32 bits in length.

Pagers are split into 8 groups. The eight frames are used for this by starting a message to a pager with an address codeword in the proper two-codeword frame belonging to the group to which the particular pager is assigned. Immediately after this the codewords containing the actual message are sent and then the message is terminated by either another address codeword or an idle codeword.

Nowadays there are several pieces of software available on the Internet which allow anyone with a computer and a scanner to intercept and decode pager messages (which is illegal btw; neither I myself nor Help Net Security take any responsibility whatsoever, this is purely meant as a theoretical discussion). For this purpose, the alpha-numeric type of message is the most interesting of course because of the ability to send text in messages.
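The batch layout just described (one sync codeword, eight frames of two 32-bit codewords, a message opened by an address codeword in the pager's own frame and closed by idle codewords) can be exercised end to end in a few dozen lines, which also shows why a receiver can reject a corrupted codeword: every POCSAG codeword carries 21 data bits, 10 check bits of a (31,21) BCH code and one even-parity bit. The Python below is an added example written for this column; it is not the column's code nor any real pager or decoder software. The sync and idle codeword values and the BCH generator polynomial are POCSAG's real constants (the code checks that both constants validate under the generator); the bit layout of address and message codewords and the 7-bit ASCII packing (each character sent least-significant bit first, twenty bits per message codeword) is how POCSAG alphanumeric paging works; the sample RIC and text, the zero-fill of the last message codeword and the assumption that one batch is enough are this example's own choices. For reference, the original POCSAG rate of 512 is in bits per second.

```python
# Added example: building and decoding one POCSAG batch (not from the column).
POCSAG_SYNC = 0x7CD215D8   # real synchronisation codeword that opens every batch
POCSAG_IDLE = 0x7A89C197   # real idle codeword that fills unused slots
BCH_POLY = 0x769           # x^10+x^9+x^8+x^6+x^5+x^3+1, generator of POCSAG's (31,21) BCH code
FUNC_ALPHA = 0b11          # function bits 12..11 both set: alphanumeric message


def bch_check_bits(data21):
    """10 BCH check bits for a 21-bit data field (mod-2 polynomial division)."""
    reg = data21 << 10
    for i in range(30, 9, -1):
        if reg & (1 << i):
            reg ^= BCH_POLY << (i - 10)
    return reg & 0x3FF


def make_codeword(data21):
    """32-bit codeword: 21 data bits, 10 BCH bits, then one even-parity bit."""
    word31 = (data21 << 10) | bch_check_bits(data21)
    return (word31 << 1) | (bin(word31).count("1") & 1)


def codeword_ok(cw):
    """True when both the BCH check bits and the parity bit are consistent."""
    word31 = cw >> 1
    return (bch_check_bits(word31 >> 10) == (word31 & 0x3FF)
            and bin(cw).count("1") % 2 == 0)


def address_codeword(ric, function_bits):
    """Bit 31 = 0, bits 30..13 = upper 18 bits of the 21-bit RIC, bits 12..11 = function.
    The RIC's low 3 bits are not transmitted: they select the frame (0-7)."""
    return make_codeword(((ric >> 3) << 2) | function_bits)


def pack_alpha(text):
    """Message codewords for 7-bit ASCII: each character goes out LSB first, the
    first bit sent lands in bit 30, 20 bits per codeword, bit 31 = 1 flags a message."""
    bits = []
    for ch in text:
        code = ord(ch)
        if code > 0x7F:
            raise ValueError("POCSAG alphanumeric carries 7-bit ASCII only")
        bits.extend((code >> i) & 1 for i in range(7))
    while len(bits) % 20:            # assumption: zero-fill the last codeword
        bits.append(0)
    words = []
    for k in range(0, len(bits), 20):
        field = 0
        for b in bits[k:k + 20]:
            field = (field << 1) | b
        words.append(make_codeword((1 << 20) | field))
    return words


def build_batch(ric, text):
    """Sync + 8 frames of 2 codewords: idle up to the pager's frame, then the address
    codeword, the message codewords, and idle fill (assumes one batch suffices)."""
    slots = [POCSAG_IDLE] * (2 * (ric & 7))
    slots += [address_codeword(ric, FUNC_ALPHA)] + pack_alpha(text)
    if len(slots) > 16:
        raise ValueError("message does not fit in a single batch")
    slots += [POCSAG_IDLE] * (16 - len(slots))
    return [POCSAG_SYNC] + slots


def decode_batch(batch):
    """Return (frame, text) for the page in a batch, or None if it is all idle.
    Any codeword failing the BCH or parity check is rejected."""
    if batch[0] != POCSAG_SYNC:
        raise ValueError("batch does not start with the sync codeword")
    frame, bits = None, []
    for idx, cw in enumerate(batch[1:]):
        if not codeword_ok(cw):
            raise ValueError("corrupt codeword in slot %d" % idx)
        if cw == POCSAG_IDLE:
            continue
        if cw >> 31 == 0:                # address codeword: its slot gives the frame
            frame = idx // 2
        else:                            # message codeword: collect its 20 data bits
            field = (cw >> 11) & 0xFFFFF
            bits.extend((field >> (19 - i)) & 1 for i in range(20))
    if frame is None:
        return None
    chars = [chr(sum(b << i for i, b in enumerate(bits[k:k + 7])))
             for k in range(0, len(bits) - len(bits) % 7, 7)]
    return frame, "".join(chars).rstrip("\x00")


if __name__ == "__main__":
    batch = build_batch(1234562, "HNS DEFAULT 1")   # constructed RIC and text
    print(["%08X" % cw for cw in batch])
    print(decode_batch(batch))                       # (2, 'HNS DEFAULT 1')
```

Two things the walk through the batch makes concrete: the pager never sees its full RIC on the air, only the top 18 bits in its own frame, and a single flipped bit in any slot is caught by `codeword_ok` before the data is trusted, which is also the check a monitoring receiver uses to discard noise between real transmissions.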
To finish this section off for this week I'll give a general description of where the actual messages can be found in the strings of beeps. Within the address space of a pager, 4 different message classes can be found. These are specified by the function bits, which are bits 12 and 11 of a codeword. In the original 21-bit address format, an alpha-numeric message would be indicated by the value 1 contained in both function bits. Furthermore alpha-numeric messages are generally encoded in 7-bit ASCII characters. When an ASCII message is sent, every 20 bits will always be packed in a new codeword. The 7-bit characters within a codeword are packed from left to right, from bit 30 to 11, although the latter is sent first, so viewed as bits in a codeword the characters are reversed.

Hmm, that's all for this week folks. As I said before, this was just a basic overview and there's a lot I left out in order to give this a pretty basic start. If you'd like a little more technical approach to the above, I'd recommend you look through the POCSAG texts by Brett Miller and Brad Dye. Next column I will try to dig a little deeper into the actual singling out of the message from an intercepted signal from a software point of view. Any and all suggestions for this section are welcome and can be sent to my regular e-mail address at Help Net Security.

Xander Teunissen aka Thejian, Help Net Security
thejian@net-security.org

VII. Macintosh security: How to make your Mac a Babel tower!
------------------------------------------------------------

Many people still think that the Macintosh is just a toy, an operating system that you could use even drunk! Well, to be more serious, it offers many possibilities and can be easily integrated into a Wintel or Unix environment. One of the things most people agree on is the ease of use and the safety of the OS. We could have ten years of discussion about this.
Just a fact: go to bugtraq (new url http://www.securityfocus.com), compare and count the vulnerabilities on Linux, Win9* or NT, and Apple. Just a fact... When I say safety, I even mean denial of service attacks. Connecting a Mac to the Internet offers less possibility for an attacker to make a DoS or take remote control of your computer. The default configuration is much safer than on Wintel. Have you ever done a dumpACL or a dumpREG on Windows NT?

How to make a 24/24 safe connection on the web? The Internet is getting wilder and wilder. From leet people to script kiddies the danger is often close, very close. A "click close" to an attachment. You don't have to be paranoid, but we never know. Actually it depends which sites you browse, and what you download! So get prepared for the worst and get those gears on your computer:

- Against DoS and connection attempts: some of the best tools are 2 sharewares from Sustworks:

/IP NetMonitor: is an all-in-one tool (ping, traceroute, whois etc...). The most useful parts are the network monitor (showing usage in incoming and outgoing bytes/sec) and the monitoring of connections. It shows your local ports and the remote IP and ports. You'll be able to look at all the connections in real time, plus it allows you to kill any of them! You can test that by simply browsing a site, then switch to IP NetMonitor and kill the connection. Netscape will show a network error. It's very useful if you don't have any firewall installed.
look---> http://www.sustworks.com/products/ipnm/uipreview.html

/IP NetRouter: is a software based router. You don't have to get one of those really expensive hardware routers. Many people from the Unix world use software based routers because they are much cheaper and very easy to set up. Let's consider two computers: phenix and condor. Both are on the same LAN. Phenix is connected (dynamic or static IP are supported) to the Internet (modem, cable, ADSL, T1, whatever); condor isn't.
First, it lets you share that Internet connection, and on top of that you can add features like NAT (Network Address Translation) for condor, or IP filtering of certain remote IPs or ports so that it acts like a proxy. Another great feature is that it can provide Internet access (http, ftp, pop3, all types of connections) over the AppleTalk protocol. Look at http://www.sustworks.com/products/ipnr/ppd1.html

- Another kind of denial of service attack is based on JavaScript and HTML tags. Try to disable JavaScript if your mail client allows it. Many mail clients like Outlook and Eudora are vulnerable to such DoS; they are not very harmful, but they can easily crash your mail software. I'm only talking about remote DoS here; local ones are another story.

- Against viruses and other "versatile" intrusions: even if the number of viruses is growing on the Mac, there are approximately 150 times fewer viruses than on Wintel. To check, just count the number of viruses in a Wintel anti-virus definition file and do the same for a Mac-based AV; Norton detects 40,000 viruses. That doesn't mean it only happens to others. The risk remains high, but you won't get a virus like CIH flashing a BIOS! Always keep in mind that you are the best anti-virus. Use good sense before downloading or opening an attachment: do I know this site, or the sender? This doesn't make you safe, but it reduces the risk. If you feel like playing with viruses, not creating them but observing what they do, try MacArmyKnife (http://www.chaoticsoftware.com/ChaoticSoftware/ProductPages/MacArmyKnife.html). It's an extensive process manager that gives detailed information about, and control of, all running processes, including background (hidden) processes, like the process manager on NT. It's a basic approach to viruses; you'd better get a real AV like Norton AV or Virex. Since many new viruses or worms are nothing more than hidden AppleScripts replicating folders and deleting files, they are really easy to counter. As for trojans like BO or NetBus, well yes, there are a few like those.
The most famous is The Takedown Suite. It does almost everything BO does, but the interface is a telnet window, so it's not as easy to customize as BO2K! Any of these trojans can be monitored, and with a few tools you can discover them: look for hidden extensions or processes, or watch in IP NetMonitor for any connection attempt to another IP (an SMTP gateway, for example). AntiGax, or Agax, is one of the only free anti-virus programs. The main inconvenience of such tools is that most of the time they focus on one kind of virus, and they don't work with virus signatures that you can update every two weeks or every month. On the other hand, Agax works with a plugin architecture creating a heuristic-like mode (http://www.cse.unsw.edu.au/~s2191331/agax/agax.html): if Agax suspects a "deja vu" activity, it treats it as a virus. Well, there's a lot to say about heuristic modes in anti-virus software. Sometimes they drive you crazy, because any change to the System Folder, or any download, counts as suspected activity. Having a few tools like this gives you basic and cheap security. If you have a few bucks to spend, get a real anti-virus; if you run a web server as a bastion host, get a shareware solution or a real Mac-based firewall like DoorStop (www.opendoor.com). Always keep in mind that no system is safe; some are only safer than others. Yes, MacOS is not built to serve 10 million hits a day, but keep in mind that NO other platform offers you the choice of running so many other operating systems (up to 4 at the same time): LinuxPPC, BeOS, Win95, Win98, Win NT, BSD, NetBSD, OS/2, MacOS X...

"We don't need windows to open gates. Just think different."

/eot
by Deepquest
deepquest@netscape.net
All rights not reserved - Serving since 1994
http://www.deepquest.pf

VIII. Computing: A closer look at hard- and software
----------------------------------------------------

Win98 getting greedy..

1. Give me some air to breathe

You probably have more applications running than you think: press Ctrl+Alt+Del to bring up the Close Program box.
Even with all the obvious, top-level apps shut down, chances are you'll still see a bunch of invisible background applications running. Each running app eats a little of your CPU time, with a net result of slowing things down. Some apps are worse than others: Microsoft Office's Find Fast is a notorious CPU hog, as are many anti-virus and "disk doctor" apps that run constantly in the background. For programs like these, use the Custom option in each program's Setup applet to control what runs in the background. Use Win98's System Configuration Utility (\WINDOWS\SYSTEM\MSCONFIG.EXE) to control which system-level tasks load at startup.

2. Put it together

Defragging is always a good idea, but it's triply beneficial in Win98. The Defrag applet (\WINDOWS\DEFRAG.EXE) performs three tasks to enhance performance: it places the pieces of all your files into fast-loading contiguous areas of your hard disk, moves your most frequently used files to the front of the disk where they'll load fastest, and groups your applications' separate pieces into the most efficient load order. Defrag often.

3. Aligning your files

Win98's WAlign (\WINDOWS\SYSTEM\WALIGN.EXE) can restructure programs on your hard drive for the fastest possible access once they're loaded into RAM and your CPU's cache: you can see load times improve by 20% or more. But on its own, WAlign only works on Microsoft Office programs. To align other apps, you either need to spend $70 for the full Win98 Resource Kit (which has a more powerful version called WinAlign) or you can download it at net-security.org/dload/wmalign.zip

4. Garbage can

Win98 is a packrat. As you work, it collects a prodigious number of temporary files, and it does so for good reason: the \WINDOWS\TEMP and \WINDOWS\TEMPORARY INTERNET FILES folders and the Recycle Bin all exist to give you fast access to items you might need again. But there's a point of diminishing returns.
You can end up with hundreds of megabytes of these files, wasting space and decreasing performance as the operating system tries to wade through the rubbish. To keep the trash to a manageable minimum, periodically run Disk Cleanup from Start/Programs/Accessories/System Tools.

5. Swap what?!

Win98 wants to manage your swap file (virtual memory) on its own. Windows is good at doing that for routine use: the swap file can grow or shrink as needed, and it doesn't have to be all in one place. But Win98 will work faster if the file is all in one place and the operating system doesn't have to constantly take time to enlarge or reduce the swap file area as you work. Right-click on My Computer/Properties/Performance/Virtual Memory and select "Let me specify my own virtual memory settings." If you have more than one hard drive, place the swap file on the fastest drive you have. Now choose a minimum size for the swap file; a good starting point is at least 2.5 times your system's RAM. Setting a large minimum size means the swap file will usually be large enough for your needs. Reboot when asked, and run Defrag to ensure the swap file is all in one piece. After you're done, you should experience noticeably less disk thrashing.

6. LOW FAT?

Many systems that came with Win98 or were upgraded from Win95 still run the old-style 16-bit File Allocation Table, or FAT16. Win98 also supports FAT32, which is better for several reasons. It makes far more efficient use of large hard drives. It can recover from some kinds of damage to the root directory or to other critical data structures on your disk. It allows programs to load up to 50% faster due to its better use of disk space. And it allows Defrag to relocate portions of your applications and their supporting files in the actual order they're called, for the fastest possible loading.
If you're still running FAT16, select Start/Programs/Accessories/System Tools/Drive Converter (FAT32) and follow the on-screen directions. If you're not sure which FAT you're using, launch the Drive Converter and click on Next.

7. Yes, my lord..

Windows retains some internal performance settings carried over from the days when RAM was expensive. Today they're obsolete and even counterproductive. For example, in My Computer/Properties/Performance/File System, the typical role is usually Desktop Computer. But if your PC has more than 32MB of RAM, it'll operate slightly faster if you select Network Server, even if it isn't really a server. (The Network Server setting uses a little more RAM for various disk buffers and caches to speed disk operations.) For most systems with abundant RAM, it makes sense to use the server setting.

8. Dial up Networking

By default, Windows' networking protocols are optimized for LAN-based communication. If you connect to the Web via a LAN, you're probably fine, but not if you use Dial-Up Networking. LANs and the Internet use different packet sizes, so the resulting packet fragmentation slows you down. Other default settings may slow you down as well, but all can be fixed by changing several Registry settings. The freeware application EasyMTU (available at most download sites) can do it all for you in seconds and get your dial-up sessions operating at top speed.

9. Tweak on, babe.

TweakUI lets you improve your PC's responsiveness by setting faster menu speeds, adjusting your mouse's double-click sensitivity, turning off time- and CPU-cycle-wasting animations, and much more. On most Win98 CDs, you'll find TweakUI in the \TOOLS\RESKIT\POWERTOY directory. Right-click on TWEAKUI.INF and select Install. After it installs, open Control Panel, click on the TweakUI icon and tweak away.

Damir Kvajo aka Atlienz
atlienz@default.net-security.org

IX. An approach to Linux System Security
----------------------------------------

Since this is the first ``Default'', I think of it as an informal chat with the readers in the local beer-house. The Linux section of Net-security.org (net-security.org/linux) is meant to be a source of technology information for both beginners and advanced users. Also, it will not be strictly Linux-oriented.

With the growing number of Internet attacks, administrators who don't take proper care of their systems may pay dearly. As we go further, standards for security are becoming higher and higher. There is no universal security system that can be installed on a server to offer ultimate security and protection, and that is just as well, because a generic protection system that is the same on every host is bound to have security holes of its own. But having Linux as the server OS makes a good starting point for a custom security system. When the administrator manually secures his network(s)/host(s), he knows exactly how the system works, how it should be maintained and how it can be exploited.

Recently I wrote a special report for Net-Security.Org, ``The Study on Linux System Security''. You can see it at http://www.net-security.org/linux/. Because of the deadline I had already crossed, I had to release the paper sooner than I actually wanted to, and I consider my work quite unfinished. Since it covered passive security issues (configuration files, access regulation etc.), the next paper I am already preparing will discuss only custom security implementations.

Last time I was setting up a Linux system, I got portscanned and probed for exploits and system misconfiguration in less than 10 minutes of being connected to the Internet on a random IP given by the ISP. However, since most people would never expect an intruder to visit them in such a short time, they wouldn't actually be prepared for him.
But this time, I noticed the intruder before he even tried to do something malicious, just because I did some simple modifications in the configuration files. My next ``Default'' article: Setting up a Linux Firewall.

dev
dev@net-security.org

X. Infection & vaccination
--------------------------

This week in the trojan section I looked at two well known trojans and a smaller one. Plus there is a small list of commonly used trojan ports, and VirusScan's cryptic names translated into English. Anyone who knows my site well knows most of this info can be found on my website; it's all here so you don't have to go and find help, it comes to you.

Vampire 1.0 is a new trojan horse with common features. The server comes in two different exe files: one copies itself and writes to the registry so it autoloads, the other just runs once. Both servers were made in Visual Basic, so the VB runtime files are needed on the victim's machine, while there are rumors that Delphi versions are currently being made. This version has about 37 features, some of them destructive (format, delete certain files). Vampire 1.0 listens on port 6669 TCP, sending and receiving plain-text commands. There is a low chance of infection on most computers due to the Visual Basic runtime files needed. But if you are infected, here is the 3-step manual removal:

1. Assuming you have been infected with the registry-writing version, open regedit (Start..Run..Regedit). Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the value named Sockets.
2. Either close the Sockets process that's running in memory or simply reboot your machine.
3. Finally browse to the c:\windows\system directory, then find and delete Sockets.exe.

There, all clean and happy.

A new SubSeven was released recently. This version has a brand new client. The client is totally configurable and pleasing to the eye. MobMan really spent a lot of time making SubSeven easy to use for anyone.
On the server side there is nothing new except a few bug fixes. One fix is more secure password authentication when logging on to a SubSeven server. Previous versions (1.9 and below) had fallen to the same problem NetBus had: passwords that could be hacked remotely. Well, with the dawn of a new SubSeven this problem appears, for now at least, to be fixed.

Okay, here we have 3 different ways to remove SubSeven 1.9 and 2.0. Of course the file name and load method can be changed by whoever configured the server, but here it is:

Method 1: Out of the box (sent without configuring it):
1. Open system.ini (usually c:\windows\system.ini) with any text editor, such as Notepad, and look at the shell= line under [boot]. The trojan has changed this line so that it loads mtmtask.dl (in the sample examined here it read shell=Error mtmtask.dl). Remove the trojan's file name from that line and make sure it reads shell=Explorer.exe, the normal value; do not delete the line itself, or Windows has no shell to start.
2. Then reboot the computer or close mtmtask.dl.
3. Finally browse to the Windows directory (usually c:\windows), then find and delete mtmtask.dl.

Method 2: Customized to load using win.ini:
1. Open win.ini (usually c:\windows\win.ini) with any text editor and remove the entry run=mtmtask.dl under [Windows], leaving an empty run= line.
2. Then reboot the computer or close mtmtask.dl.
3. Finally browse to the Windows directory (usually c:\windows), then find and delete mtmtask.dl.

Method 3: Customized to load using the registry:
1. Open regedit (Start..Run..Regedit). Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices and remove the KERNEL32 value.
2. Then reboot the computer or close mtmtask.dl.
3. Finally browse to the Windows directory (usually c:\windows), then find and delete mtmtask.dl.

Unless you have been sleeping for a long, long time, you know Back Orifice 2000 has been released. Well, after getting past the infected copies they handed out, some plugins have been released. L0pht has a whole line of BO2K plugins in development; their first, BOTool, is now available. This brings a point-and-click interface to file and registry managing.
Fusion Solutions made a Blowfish encryption module as well, while both the CAST-256 and IDEA plugins have been re-released with bug fixes. Removing Back Orifice 2000 can be somewhat troublesome. I suggest trying Antigen 2000 (http://fs.arez.com/antigen) if you're on a Windows 95 or 98 computer. If you are a Delphi programmer with NT knowledge, please contact FreshMan to help him make Antigen 2000 NT-compatible. If you would rather remove it manually, here is my 3-step removal for the one version of Back Orifice 2000 I found (BO2K servers are configurable, so the file name and registry location can differ on another victim):

1. Open regedit (Start..Run..Regedit). Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices and remove the UMG32.EXE value.
2. Reboot the computer, or close UMG32.EXE.
3. Finally browse to the Windows system directory (usually c:\windows\system), then find and delete UMG32.EXE.

Here is my list of default trojan ports so far. Yes, there are more, but patience is a good thing; I'll add more once I get around to testing the trojans. I am not about to steal (or accept) a pre-made list. Well, here it is, 30 so far:

[Port]   [Protocol]            [Trojan Name(s)]
25       (TCP)                 Antigen, Kuang2 0.17 - 0.30
555      (TCP)                 Ini-Killer, Phase-0, Stealth Spy
666      (TCP)                 Attack FTP
1243     (TCP)                 SubSeven 1.0 - 2.0
1349     (UDP)                 Back Orifice DLL version
1492     (TCP, FTP server)     FTP99CMP
1999     (TCP)                 BackDoor 2.00 - 2.03
2115     (TCP)                 BUGS
4567     (TCP)                 File Nail
5000     (TCP)                 Bubbel
5400     (TCP)                 Blade Runner 0.80 Alpha
5401     (TCP)                 Blade Runner 0.80 Alpha
5402     (TCP)                 Blade Runner 0.80 Alpha
6669     (TCP)                 Vampire
7789     (TCP)                 ICQ Killer
10607    (TCP)                 Coma
12345    (TCP)                 NetBus 1.20 - 1.70
20034    (TCP)                 NetBus 2.0 Beta - 2.01
21544    (TCP)                 GirlFriend 1.0 Beta - 1.35
23456    (TCP, FTP server)     EvilFTP
30100    (TCP)                 NetSphere
30101    (TCP)                 NetSphere
30102    (TCP)                 NetSphere
31337    (UDP)                 Back Orifice 1.20
31338    (UDP)                 Deep BO
34324    (TCP)                 BigGluck
54321    (TCP)                 SchoolBus .69 - 1.11
65000    (TCP)                 Devil
69123    (TCP)                 ShitHeep (as listed; 69123 is above the highest possible port number, 65535, so treat this entry as unverified)

After that lovely list, here is something useful to VirusScan users.
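Before the VirusScan name list, here is an added example that turns the removal steps and the port list above into repeatable checks. It is this newsletter's own illustration, not a tool from the author's site, from Antigen or from VirusScan. It parses the three Windows 9x autostart locations the removal methods name (the system.ini shell= line under [boot], run=/load= under [windows] in win.ini, and the Run/RunServices keys from a regedit export) and matches the listening sockets in netstat -an output against the trojan port table. The sample files, registry export and netstat output are constructed for the example and show a machine carrying both SubSeven (mtmtask.dl) and Vampire (Sockets.exe); the port table inside is a subset of the list above, with the out-of-range 69123 entry left out.

```python
# Windows 9x trojan triage over constructed sample data: the autostart
# locations used by the removal steps above, plus the default-port table.
import re

# Subset of the default trojan port table above (69123 is out of range, so omitted).
TROJAN_PORTS = {
    ("tcp", 1243): "SubSeven 1.0 - 2.0",
    ("tcp", 6669): "Vampire",
    ("tcp", 12345): "NetBus 1.20 - 1.70",
    ("tcp", 20034): "NetBus 2.0 Beta - 2.01",
    ("udp", 1349): "Back Orifice DLL version",
    ("udp", 31337): "Back Orifice 1.20",
    ("tcp", 54321): "SchoolBus .69 - 1.11",
}

EXPECTED_SHELL = "explorer.exe"   # the only thing a clean system.ini shell= line should load


def parse_ini(text):
    """Minimal INI parser: {section_lower: [(key_lower, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def ini_findings(system_ini, win_ini):
    """Flag the system.ini shell= and win.ini run=/load= abuses described above."""
    findings = []
    for key, value in parse_ini(system_ini).get("boot", []):
        if key == "shell":
            parts = value.split()
            # SubSeven appends its file name after Explorer.exe: anything beyond the
            # first token, or a shell that is not Explorer, is suspect.
            if not parts or parts[0].lower() != EXPECTED_SHELL or len(parts) > 1:
                findings.append(("system.ini [boot] shell=", value))
    for key, value in parse_ini(win_ini).get("windows", []):
        if key in ("run", "load") and value:
            findings.append(("win.ini [windows] %s=" % key, value))
    return findings


def reg_findings(reg_export):
    """List every value under a Run or RunServices key in a .reg export; on a
    Win9x box each one has to be vetted by hand, so nothing is filtered here."""
    findings, current = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=" in line and re.search(r"\\Run(Services)?$", current, re.I):
            name, value = line.split("=", 1)
            findings.append((current, name.strip('"'), value.strip().strip('"')))
    return findings


def listener_findings(netstat_output):
    """Match `netstat -an` lines against the trojan port table."""
    hits = []
    for line in netstat_output.splitlines():
        m = re.match(r"\s*(TCP|UDP)\s+\S+:(\d+)\s", line, re.I)
        if not m:
            continue
        proto, port = m.group(1).lower(), int(m.group(2))
        if (proto, port) in TROJAN_PORTS:
            hits.append((proto, port, TROJAN_PORTS[(proto, port)]))
    return hits


# --- constructed sample data, not captured from a real machine ---
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe mtmtask.dl\ndrivers=mmsystem.dll\n"
SAMPLE_WIN_INI = "[windows]\nload=\nrun=mtmtask.dl\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Sockets"="C:\\WINDOWS\\SYSTEM\\Sockets.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"KERNEL32"="mtmtask.dl"
"""
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1243           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6669           0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1027       204.71.200.67:80       ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""


def triage():
    """Run all three checks over the constructed samples."""
    return {
        "ini": ini_findings(SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI),
        "registry": reg_findings(SAMPLE_REG),
        "listeners": listener_findings(SAMPLE_NETSTAT),
    }


if __name__ == "__main__":
    for area, items in triage().items():
        print(area)
        for item in items:
            print("   ", item)
```

On a real Win9x machine you would feed the same functions the actual system.ini and win.ini, a regedit export of the Run and RunServices keys, and the output of netstat -an. A listener on a known port is only a hint, since any server can be reconfigured to another port, which is why the autostart locations are checked as well.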
This list has the name VirusScan uses and what it really is in English. The purpose of this is to help people who know they are infected: VirusScan is nice enough to tell you you're infected, but it tells you with a weird name and does not let you remove it.

[Weird name] - [English version]
Acid.Shiver.c - Acid Shivers
Antigen.a - Antigen
BackDoor-C.dr - Excalibur
BackDoor-E.srv - Net Monitor
BackDoor-G.cfg - SubSeven configuration tool (Editserver.exe)
BackDoor-G.srv - SubSeven 1.4 and up
BackDoor-G.cli - SubSeven 1.4 and up client
BackDoor-H.dr - Not sure actually; our infected file is called securewin.exe
BackDoor-J.srv - Any version of Deep Throat or Invasor
BackDoor-J-cli - Any version of Deep Throat client
BackDoor-K.srv - Portal of Doom
BackDoor-K.cli - Portal of Doom client
BackDoor-L.srv - Millenium, or modified version by LeenTech
BackDoor-L.cli - Millenium client
BackDoor-M.srv - WinCrash 2.0
DUNpws.f - Tapiras
DUNpws.p - Naebi
DUNpws.p.cfg - Naebi configuration tool
DUNpws.r - TailGunner
DUNpws.s - WinPC
FixIt - Evil FTP
GirlFriend.srv.a - GirlFriend 1.35
GirlFriend.srv.b - GirlFriend 1.35
GirlFriend.cli.b - GirlFriend 1.35 client
GirlFriend.srv.c - GirlFriend 1.3
GirlFriend.cli.c - GirlFriend 1.3 client
ICQRev - Gjamer trojan
Justas.b - Shtirlitz
Justas.cfg - Shtirlitz configuration tool
MprMod - Remote Grab
NetBus.srv - Any NetBus server
NetBus.cli - Any NetBus client
NetBus.dll - KeyHook.dll (DLL NetBus installs)
NetBusPro.svr - NetBus Pro server
Orifice - Naebi 2.18
Orifice.addon.a - Not sure, but Sheep.exe was infected with it (assuming some plugin)
Orifice.srv - BackOrifice 1.20, BackOrifice DLL
Orifice.srv.b - Phineas Phucker (copy of Back Orifice 1.20)
Orifice.srv.c - BackOrifice 1.20 modified by LeenTech
Orifice.dr - NetBus 1.7 in a fake picture program, ICQ Trojan modified by LeenTech, NetBus 2.0 Pro modified by HackCity
Orifice.cli.a - BackOrifice 1.20 console client
Orifice.cli.b - BackOrifice 1.20 GUI client
Orifice.config - BackOrifice 1.20 configuration tool
Paradise Agent.srv.b - Masters/Hackers Paradise 98
Paradise Agent.srv.c - Masters/Hackers Paradise 98 9.7 Beta
Paradise Agent.srv.d - Masters/Hackers Paradise modified by LeenTech
PSW.Kuang2 - Kuang
SecretAgentDat2 - Hackers Paradise
SPing - ICQ Trogen
SpySender - Not sure
TeleCommando.cli - TeleCommando client
Trojan Sockets.svr - Blazer 5
Trojan Sockets.cli - Blazer 5 client
Trojan Sockets.svr.a - Control du Socket
Trojan Sockets.cli.a - Control du Socket client
Trojan Sockets.cli.b - Sockets 2.3 client
W32/Cheval.gen - Sockets 2.3 trojan (infects like a virus)
WinCrash.svr - Any WinCrash below 2.0
WinCrash.cli.a - Any WinCrash client below 2.0

Zemac
zemac@dark-e.com
http://www.dark-e.com

XI. Spam: The problems with junk e-mail
---------------------------------------

For the virus and spam sections we have enlisted the help of Doug Muth (http://claws-and-paws.com). As mentioned in our editorial, however, he's on vacation at the moment. He will write on some of the social as well as technical issues regarding these sections when he gets back, but until then we'd like to quote something on the issue of spam, taken from one of the projects he's involved in, CAUCE.ORG.

We all get junk mail at home. It's an accepted fact of life, at least in the U.S. So why is Unsolicited Commercial Email (UCE), a/k/a "spam" or "junk email", a problem? To understand the problem of UCE, you must first understand what is most often advertised via UCE. There are many places on the Internet where copies of UCE are reposted by recipients and system administrators in order to help notify the Internet community about where UCE is originating. Surveying mailing lists like SPAM-L@EVA.DC.LSOFT.COM and USENET newsgroups in the news.admin.net-abuse.* hierarchy, you will see that there are very few reputable marketers using UCE to advertise goods and services.
To the contrary, the most commonly seen UCEs advertise:

- Chain letters
- Pyramid schemes (including Multilevel Marketing, or MLM)
- Other "Get Rich Quick" or "Make Money Fast" (MMF) schemes
- Offers of phone sex lines and ads for pornographic web sites
- Offers of software for collecting e-mail addresses and sending UCE
- Offers of bulk e-mailing services for sending UCE
- Stock offerings for unknown start-up corporations
- Quack health products and remedies
- Illegally pirated software ("Warez")

So why is this such a problem?

Cost-Shifting. Sending bulk email is amazingly cheap. With a 28.8 dialup connection and a PC, a spammer can send hundreds of thousands of messages per hour. Sounds great, huh? Well, it is for the spammer. However, every person receiving the spam must help pay the costs of dealing with it. And the costs for the recipients are much greater than the costs of the sender. Some junk emailers say, "Just hit the Delete key!" Unfortunately, the problem is much bigger than the time and effort of one person deleting a couple of emails. There are many different places along the process of transmitting and delivering email where costs are incurred. In the Internet world, "time" equals many different things besides the hourly rate that many people are still charged. For example, for an Internet Service Provider, "time" includes the load on the processor in their mail servers; "CPU time" is a precious commodity and processor performance is a critical issue for ISPs. When their CPUs are tied up processing spam, it creates a drag on all of the mail in that queue, wanted and unwanted alike. This is also a problem with "filtering" schemes; filtering email consumes vast amounts of CPU time and is the primary reason most ISPs cannot implement it as a strategy for eliminating junk email. The problem is also compounded by the fact that ISPs purchase bandwidth, their connection to the rest of the Internet, based on their projected usage by their prospective user base.
For most small to mid-sized ISPs, bandwidth costs are among the greatest portions of their budget and contribute to the reason why many ISPs have a tiny profit margin. Without junk email, greater consumption of bandwidth would normally track with increased numbers of customers. However, when an outside entity (e.g., the junk emailer) begins to consume an ISP's bandwidth, the ISP has few choices: 1) let the paying customers cope with slower Internet access, 2) eat the costs of increasing bandwidth, or 3) raise rates. In short, the recipients are still forced to bear costs that the advertiser has avoided.

"Time" also makes for some other interesting problems, especially coupled with volume. Recent public comments by AOL are a useful point of reference: of the estimated 30 million email messages each day, about 30% on average was unsolicited commercial email. With volumes such as that, it's a tremendous burden shifted to the ISP to process and store that amount of data. Volumes like that may undoubtedly contribute to many of the access, speed, and reliability problems we've seen with lots of ISPs. Indeed, many large ISPs have suffered major system outages as the result of massive junk email campaigns. If huge outfits like Netcom and AOL can barely cope with the flood, it is no wonder that smaller ISPs are dying under the crush of spam.

Fraud. Spammers know that in survey after survey, the overwhelming majority (often approaching 95%) of recipients don't want to receive their messages. As a result, many junk emailers use tricks to get you to open their messages. For instance, they make the mail "subject" look like it is anything other than an advertisement. In many cases, ISPs and consumers have set up "filters" to help dispose of the crush of UCE. While filters often consume more resources at the ISP, making mail delivery and web surfing slower, they can sometimes help end-users cope a little bit better.
Spammers know this, so as they see that mail is being blocked or filtered, they use tricks that help disguise the origin of their messages. One of the most common tricks is to relay their messages off the mail server of an innocent third party. This tactic doubles the damage: both the receiving system and the innocent relay system are flooded with junk email. And for any mail that gets through, oftentimes the flood of complaints goes back to the innocent site because they were made to look like the origin of the spam. Another common trick that spammers use is to forge the headers of messages, making it appear as though the message originated elsewhere, again providing a convenient target.

Waste of Others' Resources. When a spammer sends an email message to a million people, it is carried by numerous other systems en route to its destination, once again shifting cost away from the originator. The carriers in between are suddenly bearing the burden of carrying advertisements for the spammer. The number of spams sent out each day is truly remarkable, and each one must be handled by other systems; there is no justification for forcing third parties to bear the load of unsolicited advertising. The methods employed by spammers to avoid being held responsible for their actions are very often fraudulent and tortious. Numerous court cases are underway between spammers and innocent victims who have been subjected to such floods. Unfortunately, while major corporations can afford to fight these cutting edge cyberlaw battles, small "mom-and-pop" ISPs and their customers are left to suffer the floods. There's a long tradition in this country of making commercial enterprises bear the costs of what they do to make money. For example, it would be far cheaper for chemical manufacturers to dump their waste into the rivers and lakes... however "externalities" (as the economists call them) are bad because they allow one person to profit at another's, or everyone's, expense.
The great economist Ronald Coase won a Nobel Prize talking about exactly this kind of situation. He said that it is particularly dangerous for the free market when an inefficient business (one that can't bear the costs of its own activities) distributes its costs across a greater and greater number of victims. What makes this situation so dangerous is that when millions of people only suffer a small amount of damage, it is often more costly for the victims to go out and hire lawyers to recover the few bucks in damages they suffer. That population will likely continue to bear those unnecessary and detrimental costs unless and until their individual damage becomes so great that those costs outweigh the transaction costs of uniting and fighting back. And the spammers are counting on that: they hope that if they steal only a tiny bit from millions of people, very few people will bother to fight back. In economic terms, this is a prescription for disaster, because when inefficiencies are allowed to continue, the free market no longer functions at peak efficiency. As you learn in college Microeconomics, the "invisible hands" normally balance the market and keep it efficient, but inefficiencies tip everything out of balance. And in the context of the Internet, these invisible marketplace forces aren't invisible anymore. The inefficiencies can be seen every time you have trouble accessing a web site, or whenever your email takes 3 hours to travel from AOL to Prodigy, or when your ISP's server is crashed by a flood of spam. CAUCE believes that stealing is stealing, whether you take a penny or a dollar or a thousand dollars. Remember, you only need to steal a penny from 4 million people in order to have enough to buy yourself a brand new Mercedes Benz.

Displacement of Normal Email. Email is increasingly becoming a critical business tool.
In the late 1980s, as more and more businesses began to use fax machines, the marketers decided that they could fax you their advertisements. Anyone in a busy office in the late 1980s will remember the piles and piles of office supply advertisements and business printing ads that came pouring out of the fax machine... making it impossible to get the fax that you were expecting from your East Coast office. This problem spawned the original Anti-Junk-Fax law that CAUCE is seeking to amend. In the first major court challenge to that law, a junk fax company called Destination Ventures lost their suit. The 9th Circuit Court of Appeals said that the law was constitutional because the imposition of such high costs and inconvenience onto businesses and consumers made the law a reasonable restriction. By extension, we argue that junk email isn't very different from junk faxes in the way it consumes the resources of others. Spam can and will overwhelm your electronic mail box if it isn't fought. Over time, unless the growth of UCE is stopped, it will destroy the usefulness and effectiveness of email as a communication tool.

Annoyance Factor. Your email address is not in the public domain! It is yours, you paid for it, and you should have control over what it is used for. If you wish to receive tons of unsolicited advertisements, you should be able to. But you shouldn't be forced to suffer the flood unless and until you actually request it. This is the heart of the "Opt In" approach supported by CAUCE. But what about junk mail makes it so annoying? In part, it's because accessing email for many people is still a bit of a struggle. For example, try as they may, many of the major online services are still hard to connect to. Their software doesn't always configure very easily. After a few calls to customer support, you finally got it installed. So, after being away for a few days, you try to get your email. Of course, you have to keep dialing, dialing, dialing...
busy signals. Finally you connect -- only it might be a 9600 baud connection, because all of their 28.8 modems are busy. Still, you're finally connected and you see that "You've got mail!" But when you try to retrieve your email, the "System Is Not Responding. Please Try Again Later." After five or ten more minutes of this, you finally get your email to start downloading. You were only out of town for four days; there must be a lot of mail, because it takes you about 10 minutes to get it all downloaded. Once you've retrieved it all, you open it up, and what do you see? Five pornographic web site spams, three letters from some guy named Dave Rhodes and his cousin Christohper Erickson telling you how to make $50,000 in a week, somebody telling you that you're too fat and you need Pyruvate (sprinkled with Blue Green Algae), and two offers to buy stock in a "New Startup Company"...only the broker is a really bad speller and can't decide whether he's selling "stock" or "stork." Oh, and there was an email from the "Postmaster" telling you that when you tried to "Remove" yourself from a junk email list, the address: "Work.At.Home@noreply.org" was of course "Unknown." So after a half hour of delays and frustration, all you've got to show for your efforts is a box full of spam. Is it any wonder people are annoyed? Ethics. Spam is based on theft of service, fraud and deceit as well as cost shifting to the recipient. The great preponderance of products and services marketed by UCE are of dubious legality. Any business that depends on stealing from its customers, preying on the innocent, and abusing the open standards of the Internet is -- and should be -- doomed to failure. PLEASE NOTE: Non-profit, non-commercial publications may reprint this information if full credit is given. Others please contact CAUCE.ORG XII. 
Freedom of speech - related incidents ------------------------------------------ ******************************************************************* "Make men wise, and by that very operation you make them free. Civil liberty follows as a consequence of this; no usurped power can stand against the artillery of opinion." - William Godwin ******************************************************************* Every day the battle between freedom and repression rages through the global ether. Here are this week's links highlights from NewsTrolls(http://www.newstrolls.com): - Weekend Edition: China's crackdown on democracy activists gets harsher still: Liu Xianbin, who was also DENIED legal representation, gets 13 YEARS for 'subverting the state' Other recent sentences given out for 'subverting the state': Qin Yongmin, 12 years, Crime: seeking official recognition for China Democracy Party Wang Youcai, 11 years, Crime: seeking official recognition for China Democracy Party Xu Wenli, 12 years, Crime: founder of China Democracy Party She Wanbao, 12 years, Crime: member of China Democracy Party Gao Hongming, 8 years, Crime: chairman of China Democracy Party- Beijing Zha Jianguo , 9 years, Crime: chairman of China Democracy Party- Beijing Yue Tianxiang, 10 years, Crime: setting up an organization to protect the rights of laid-off workers Zhang Shanguang, 10 years, Crime: attempting to organize a workers rights group and reporting rural protests to a U.S. radio station. Fang Jue, 4 years, Crime: calling for democratic reforms in an essay Li Zhiyou, 3 years, Crime: scrawling anti-government graffiti, member of China Democracy Party Liu Xianli, 4 years, trying to interview China's best-known dissidents and publish a book on their activities Wang Ce, 4 years, Crime: "endangering state security" after sneaking back into the country last November. 
Peng Ming, 18 months re-education with no trial, Crime: founder of the China Development Union (CDU) environmental movement
Lin Hai, 2 years, Crime: inciting the overthrow of the state through the Internet

- Monday: In America, the strange bedfellows of Democrat Feinstein and Republican Hatch draft the Methamphetamine Anti-Proliferation Act which, if passed, would ban Internet discussions and links to unapproved drugs...

From the Wired article: "If the measure becomes law, it will create a new federal felony -- punishable by a fine and three years in prison -- that covers Web pages that link to sites with information about where to buy "drug paraphernalia" such as roach clips, bowls, and bongs. Even editors of news organizations that publish articles about drug culture and link to related sites will be subject to arrest and prosecution."

- Tuesday: The journalists' rights group Reporters Sans Frontieres (RSF) brands countries Enemies of The Internet for controlling access and censoring websites. The list includes China, North Korea, Cuba, Iraq, Iran, Libya, Saudi Arabia, Syria, Sierra Leone, Sudan, Tunisia, Vietnam, Myanmar, Azerbaijan, Kazakhstan, Uzbekistan, Kyrgyzstan, Tajikistan, Turkmenistan, Belarus and others.

- Wednesday: While everyone else was occupied with Kosovo, Clinton signed a directive creating the International Public Information group that will control the flow of US government news overseas.

From the Washington Post article: "The group came about partly in response to the spread of unflattering or erroneous information about the United States received abroad via electronic mail, the Internet, cellular telephones and other communications advances... President Clinton signed a directive April 30, in the thick of the Kosovo war, that set out plans for IPI, although the White House did not formally announce the group's existence or role."

- Thursday: Japan's Parliament passes the Wiretapping Bill

From the San Jose Mercury article: "The wiretapping law is similar to those in other countries. But many Japanese, remembering secret police brutality during World War II and crackdowns on radical students and labor unions in the 1950s and 1960s, have long been reluctant to hand police greater powers. ``We cannot but feel the sense of danger that people's freedom and privacy are being violated,'' the national Asahi newspaper said in an editorial today."

In just one week...

diva aka Pasty Drone
NewsTrolls, Inc., http://www.newstrolls.com
pastydrone@newstrolls.com

XIII. Meet the underground
--------------------------

This section of our newsletter will be especially dedicated to the people defacing Web sites. For this first release of Default, I think there are first a few issues that need to be discussed regarding the subject of defacing and on whether or not we should give these people this kind of attention. I'll try to make my point of view on why we do give them the attention a bit clearer in this column. This means you will have a week more to get to "the good stuff" of this section, but until then I hope you'll bear with me on this one for a moment.

There always has been, and there will probably always be, a lot of arguing as to what real "hacking" is, if the people defacing sites are in reality "hackers" or "crackers" or nothing more than "script kiddies". I think we all have different opinions on that. To me personally this whole stereotyping thing is pretty stupid in itself. A while ago someone told me this:

"There is no such thing as a "cracker", not really. A Cracker is something that somebody came up with for a hacker that does damage. That's like saying "Bees that don't sting aren't bees"."

I tend to agree on that, but would like to take this a bit further. All these names for each other are, once again in MY personal opinion, nothing more than stereotypes.
Let's look at the concept of hacking for a moment as it being a learning experience, more specifically a learning experience regarding computers. We're not even going into the security part of it at the moment; I consider people like Dennis Ritchie and Ken Thompson or Linus Torvalds at least as much "hackers" as a lot of other people I know from the "underground" nowadays, though I've yet to see my first web page claiming "LINUS WAS HERE!". In my case, this learning experience is achieved through doing the stuff you read; I wouldn't know of any other or better way of learning than by trying things out yourself. But when you look at it like that, you might find some may want to try out what they've learned in the real world. I don't condone web site attacks, but I don't condemn them either.

There are a lot of new developments in the wonderful world of computers, especially in the security scene. From a learning point of view, the best way to find out about these new developments is through encountering them in that same real world. With these "hackers" coming across new things and learning how they work, they inevitably come across flaws in those same systems. "Ok," you might say, "but they don't have to deface sites for it, just let them find the flaw and notify the vendor, even maybe help them try to correct it." But what if you notify the vendors but they give you the impression of dragging their feet, not being too interested in having to come out with yet another flaw in their beloved products, while this vulnerability could easily be exploited on a type of system that's widely used all over the Internet? (IIS bug springs to mind) And what if the vendor did fix it and it hasn't reached one of the administrators who uses this product, or the admin just hasn't got a clue? What if you come across a site which is vulnerable to this same problem? "Well, then report it to the admin.."

While I personally might agree on that, that still doesn't mean it solves the problem. The US Army website incident springs to mind. That web site got defaced a month or so ago using the well-known Cold Fusion vulnerability. Two months before that, the administrator of that site was warned by the security group L0pht Heavy Industries that his site was indeed vulnerable to this exploit. And that was the official main site of the US army in a period of time where the US government already had been embarrassed by several defacements on other sites! So I think we've established that this approach might not always work.

Now I have to note that although I took this point of view to a distance, it is not one which occurs very often. A lot of hacks are done by what might be called "script kiddies", who read about an exploit (yes, "script kiddies" read bugtraq too you know) and use it for their own purposes, which mostly include fame and attention. But that doesn't mean that someone who comes across such an exploit on a page and uses it has to be a script kiddie, nor does it mean that when you come across such an exploit you should use it.

Another thing that you might say is that by giving these groups attention in our newsletter, they might feel encouraged by the attention. And I must admit that even Help Net Security didn't report hacks for a small period of time this year because of this view. But we are here to try and bring you the news. That means we have to report on things from an objective point of view. We can't just shut our eyes and pretend it isn't there. It's there all right and we won't make it go away by ignoring it. Maybe not by giving it even more attention either, but I feel there are a lot of people out there who actually deserve some attention and actually have something useful to say. We want to give them the opportunity to say it through a different type of medium, which will be this column.

It all is a little game between vendors and administrators on one hand and the "hackers"/"crackers"/"script kiddies" on the other. You may not like it, but what if full disclosure were to vanish? What if flaws weren't reported at all anymore? On which side would the problem be then? I've said it once and I'll say it again: You don't have to like hackers and what they do, you certainly don't have to condone it, but don't condemn it either. The "underground" is not nearly as big a problem as it would be if it actually went underground. An extremely small part of defaced sites is actually erased by the attackers; defacements are mostly an embarrassment but that's it, so a more mature reply than immediately calling for prosecution might be in order. Most hackers are by nature not so much malicious, but more curious, which helps out a lot more when it comes to discovering and fixing flaws than you see covered in the mainstream media. And to all you hackers out there, try maintaining some kind of ethics? And remember, it IS illegal, so if you don't want to do the time, don't do the crime.

Heh, give me some replies and opinions on this, people. Next week the interviews!

Thejian
Help Net Security
thejian@net-security.org

XIV. Guest column
-----------------

This week's guest column is by Natasha Grigori of the ACPO, a cause which Help Net Security supports fully.

The mission of ACPO, and our goals:

ACPO is a non-profit Group formed to actively seek out and stop the exploitation of children on the Internet. Our focus is to protect our children from the predatory and perverse criminal elements that seek to destroy their innocence. While we are firmly in favor of free speech in all its forms, especially on the Internet, we are opposed to the active sexual exploitation of children. We have chosen to act against the dissemination of child pornography over the Internet.
Our motivation is the fact that there is a genuine connection between the distribution and acceptance of pedophile pornography and actual incidents of sexually abused children. Not to mention that all existing hardcore pedophile pornographic material is the result of very real abuse. Our children are our future; as such we must protect them as we would our own lives and in doing so ensure a better future for us all.

Our secondary focus is to educate. We want to provide individuals and organizations training about the Internet and its associated risks. We will counsel law enforcement on the Internet aspects of gathering information and evidence. We pursue all of our goals with the ethical and moral values of most anybody confronted with this abhorrent practice. We will tolerate only approaches, and condone no illegal activities. Failure to abide by the ACPO operations standards is grounds enough for revocation of ACPO membership.

Our goals can be broken down as follows:

1. Provide a maximum of information to concerned law enforcement authorities, including activity hotspots on the Internet and the results of our own investigations into the activities of online child pornographers.
2. Put a halt to sensationalism and hype regarding the Internet while promoting quality investigative journalism on pedophile pornography.
3. Create enough public pressure to bring authorities to the point of action.
4. Form a cooperative with other Internet groups with similar goals, which will benefit us all and increase our impact.

We are working to provide a website to which our members will be able to turn for information and resources, and will add other means of communication. Our approach is somewhat different from other organizations, in that we are combining the drive for wide public support with the knowledge of Internet experts. This is our first public description of our mission. We view this as a work in progress that will continue to be refined.

If you have any questions or concerns about our Mission Statement, please feel free to mail me at Natasha@infovlad.net. You should get a response from me within a week, possibly less. And BTW look for our exciting news next Friday.

============================
Thanks for being 'Child-Friendly'
Natasha Grigori
Founder ACPO
http://www.antichildporn.org/
http://www.infovlad.net/antichildpornorg/
mailto:natasha@infovlad.net
============================