[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-= ========================================================================== = <=-[ HWA.hax0r.news ]-=> = ========================================================================== [=HWA'99=] Number 27 Volume 1 1999 July 31st 99 ========================================================================== [ 61:20:6B:69:64:20:63:6F:75: ] [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ] [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ] ========================================================================== New mirror site, Stefan did a *very* nice job on this check it out, http://www.alldas.de/hwaidx1.htm HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and airportman for the Cubesoft bandwidth. Also shouts out to all our mirror sites! tnx guys. http://www.csoft.net/~hwa http://www.digitalgeeks.com/hwa HWA.hax0r.news Mirror Sites: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.alldas.de/hwaidx1.htm ** NEW ** http://www.csoft.net/~hwa/ http://www.digitalgeeks.com/hwa. http://members.tripod.com/~hwa_2k http://welcome.to/HWA.hax0r.news/ http://www.attrition.org/~modify/texts/zines/HWA/ http://archives.projectgamma.com/zines/hwa/. http://www.403-security.org/Htmls/hwa.hax0r.news.htm SYNOPSIS (READ THIS) -------------------- The purpose of this newsletter is to 'digest' current events of interest that affect the online underground and netizens in general. This includes coverage of general security issues, hacks, exploits, underground news and anything else I think is worthy of a look see. (remember i'm doing this for me, not you, the fact some people happen to get a kick/use out of it is of secondary importance). 
This list is NOT meant as a replacement for, nor to compete with, the likes of publications such as CuD or PHRACK or with news sites such as AntiOnline, the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor could any other 'digest' of this type do so. It *is* intended however, to complement such material and provide a reference to those who follow the culture by keeping tabs on as many sources as possible and providing links to further info, its a labour of love and will be continued for as long as I feel like it, i'm not motivated by dollars or the illusion of fame, did you ever notice how the most famous/infamous hackers are the ones that get caught? there's a lot to be said for remaining just outside the circle... @HWA =-----------------------------------------------------------------------= Welcome to HWA.hax0r.news ... #27 =-----------------------------------------------------------------------= We could use some more people joining the channel, its usually pretty quiet, we don't bite (usually) so if you're hanging out on irc stop by and idle a while and say hi... ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** *** *** *** please join to discuss or impart news on techno/phac scene *** *** stuff or just to hang out ... someone is usually around 24/7*** *** *** *** Note that the channel isn't there to entertain you its for *** *** you to talk to us and impart news, if you're looking for fun*** *** then do NOT join our channel try #weirdwigs or something... 
*** *** we're not #chatzone or #hack *** *** *** ******************************************************************* =-------------------------------------------------------------------------= Issue #27 =--------------------------------------------------------------------------= [ INDEX ] =--------------------------------------------------------------------------= Key Intros =--------------------------------------------------------------------------= 00.0 .. COPYRIGHTS ...................................................... 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC ....................... 00.2 .. SOURCES ......................................................... 00.3 .. THIS IS WHO WE ARE .............................................. 00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?.......................... 00.5 .. THE HWA_FAQ V1.0 ................................................ =--------------------------------------------------------------------------= Key Content =--------------------------------------------------------------------------= 01.0 .. GREETS .......................................................... 01.1 .. Last minute stuff, rumours, newsbytes ........................... 01.2 .. Mailbag ......................................................... 02.0 .. From the Editor.................................................. 03.0 .. l0pht releases AntiSniff - Press release......................... 04.0 .. Pixar to remake TRON?............................................ 05.0 .. Meet the fed (zdtv:Defcon)....................................... 06.0 .. Poulsen at DefCon................................................ 07.0 .. Y2K Situation in Europe.......................................... 08.0 .. Applied Maximum Internet Security................................ 09.0 .. HPSBUX9907-100 CDE Leaves Current Directory in root PATH......... 10.0 .. Tiger vulnerability.............................................. 11.0 .. 
Tattooman (Ken Williams) climbs back in the ring................. 12.0 .. UPDATE ON THE PACKET STORM WEB SITE SITUATION.................... 13.0 .. Piracy is Big Business for Some ................................. 14.0 .. Mitnick sentencing postponed again............................... 15.0 .. Military Reserves to be Used for Cyber Defense .................. 16.0 .. Kodak's new PROM copy-killer?.................................... 17.0 .. Sandstorm Releases New Version of Phone Sweep ................... 18.0 .. Major FUD - US Under Attack by Russians.......................... 19.0 .. BO2K and SMS, Which One is Evil? ................................ 20.0 .. The Last True Hacker ............................................ 21.0 .. One Russian ISP Standing Up to FSB .............................. 22.0 .. Gameboy steals cars, makes free fone calls....................... 23.0 .. Mitnick Retains High Profile Lawyer For State Case .............. 24.0 .. Back Orifice for Macintosh? ..................................... 25.0 .. AOL Criminals Busted ............................................ 26.0 .. Press Does Not Know What to Say About BO2K ...................... 27.0 .. UCITA Moves Forward - Will Remove Vendor Liability............... 28.0 .. NSC Proposes FidNet - Infrastructure Protection or Surveillance Tool? 29.0 .. Local Cops Funded by IT Industry ................................ 30.0 .. Two Arrested for Corporate Espionage ............................ 31.0 .. Virus Infestations On the Rise .................................. 32.0 .. Granny Hacker from Heck visits Def Con parts 1 to 3.............. 33.0 .. FidNet Causing Massive Confusion ................................ 34.0 .. Lawmakers Want Drug Info Off the Net ............................ 35.0 .. Reno Wants Inet Crypto Banned ................................... 36.0 .. CCC Camp Happens Next Weekend ................................... 37.0 .. Computer Criminal Busted in UK .................................. 
38.0 .. Researching an attack (KeyRoot) by Mnemonic....................... 39.0 .. Win98 Security Issues A KeyRoot/gH Advisory by Mnemonic........... 40.0 .. WLDoTrans.asp allows CC retrieval A gH Advisory by Mnemonic....... 41.0 .. bad CGI scripts allow web access A gH Advisory by Mnemonic........ 42.0 .. Can my firewall protect me? by Mnemonic........................... 43.0 .. How company specific programs can be used against the company by Mnemonic 44.0 .. Exploiting the netware bindery by Mnemonic........................ 45.0 .. Tax Break for Key Escrow Crypto .................................. 46.0 .. NSA Claims Israel Attacking US ................................... 47.0 .. Jail Time for Users of Crypto .................................... 48.0 .. Office97 Users Ripe for the Picking .............................. 49.0 .. China Sends Pirate to Jail ....................................... 50.0 .. MITNICK: FEDERAL GOVERNMENT MANIPULATED THE FACTS................. 51.0 .. ISPS ACCUSE CHINA OF INFOWAR...................................... 52.0 .. PETERSEN INTERVIEW: TRADING CYBERCRIME FOR CYBERPORN.............. 53.0 .. GHOSTS IN THE MACHINE............................................. 54.0 .. DATABASE PROTECTIONS OK-D......................................... 55.0 .. YET ANOTHER SITE SPITTING OUT PERSONAL INFO....................... 56.0 .. CALIFORNIA ADOPTS DIGITAL SIGNATURE LAW........................... 57.0 .. NEW AMMO AGAINST VIRUSES.......................................... 58.0 .. DOE SECRETARY ORDERS SECURITY BREAK............................... 59.0 .. EU MEMBERS NOT FOLLOWING DATA-PROTECTION RULES.................... 60.0 .. EXPERTS WARN ABOUT NEW Y2K-THREAT................................. 61.0 .. WILL YOUR CABLE MODEM CENSOR THE WEB?............................. 62.0 .. UNMASKING ANONYMOUS POSTERS....................................... 63.0 .. AOL Y2KFIX: A HOAX DISGUISED AS A HOAX?........................... 64.0 .. 
NO FBI SURVEILLANCE AFTER CRITICISMS.............................. 65.0 .. FEDS CRACK DOWN ON Y2K FRAUD...................................... 66.0 .. RED HAT DELIVERS LINUX E-COMMERCE SERVER.......................... 67.0 .. HACKING IN 1999 .................................................. 68.0 .. Y2k crash test for Windows and DOS................................ 69.0 .. CASSANDRA GOLD.................................................... 70.0 .. BELL CANADA Y2k TEST.............................................. 71.0 .. [RHSA-1999:025-01] Potential misuse of squid cachemgr.cgi ........ 72.0 .. [RHSA-1999:022-03] New Samba packages available (updated)......... 73.0 .. CERT® Advisory CA-99-10 Insecure Default Configuration on RaQ2 Servers 74.0 .. MS Security Bulletin: Patch Available for "Malformed Dialer Entry" Vulnerability 75.0 .. Senate asks for input into information infrastructure protection plan 76.0 .. FBI: beware outside Y2K workers................................... 77.0 .. HPSBUX9907-101 Security Vulnerability Software Distributor (SD)... 78.0 .. NSA spying on Americans? (who ya kidding??? of COURSE they are)... 79.0 .. AOL messaging policy might risk cable deals ...................... 80.0 .. Study calls for reserve virtual IT warfare unit................... 81.0 .. CERT IN-99-04: Similar Attacks Using Various RPC Services......... =--------------------------------------------------------------------------= AD.S .. Post your site ads or etc here, if you can offer something in return thats tres cool, if not we'll consider ur ad anyways so send it in. ads for other zines are ok too btw just mention us in yours, please remember to include links and an email contact. Corporate ads will be considered also and if your company wishes to donate to or participate in the upcoming Canc0n99 event send in your suggestions and ads now...n.b date and time may be pushed back join mailing list for up to date information....................................... 
Current dates: Aug 19th-22nd Niagara Falls... ................. Ha.Ha .. Humour and puzzles ............................................ Hey You!........................................................ =------=........................................................ Send in humour for this section! I need a laugh and its hard to find good stuff... ;)........................................... SITE.1 .. Featured site, ................................................. H.W .. Hacked Websites ............................................... A.0 .. APPENDICES...................................................... A.1 .. PHACVW linx and references...................................... =--------------------------------------------------------------------------= @HWA'99 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ). Important semi-legalese and license to redistribute: YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. 
- EoD Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so i'll print any and all news but will quote sources when the source is known, if its good enough for CNN its good enough for me. And i'm doing it for free on my own time so pfffft. :) No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it. cruciphux@dok.org Cruciphux [C*:.] 00.1 CONTACT INFORMATION AND MAIL DROP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks. Send all goodies to: HWA NEWS P.O BOX 44118 370 MAIN ST. NORTH BRAMPTON, ONTARIO CANADA L6V 4H5 WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are ~~~~~~~ reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx. Ideas for interesting 'stuff' to send in apart from news: - Photo copies of old system manual front pages (optionally signed by you) ;-) - Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n. 
- Picture postcards - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em. - audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof. Stuff you can email: - Prank phone calls in .ram or .mp* format - Fone tones and security announcements from PBX's etc - fun shit you sampled off yer scanner (relevant stuff only like #2600 meeting activities) - reserved for one smiley face -> :-) <- - PHACV lists of files that you have or phac cd's you own (we have a burner, *g*) - burns of phac cds (email first to make sure we don't already have em) - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in .ram etc format or .mp* If you still can't think of anything you're probably not that interesting a person after all so don't worry about it Our current email: Submissions/zine gossip.....: hwa@press.usmc.net Private email to editor.....: cruciphux@dok.org Distribution/Website........: sas72@usa.net @HWA 00.2 Sources *** ~~~~~~~~~~~ Sources can be some, all, or none of the following (by no means complete nor listed in any degree of importance) Unless otherwise noted, like msgs from lists or news from other sites, articles and information is compiled and or sourced by Cruciphux no copyright claimed. News & I/O zine ................. 
http://www.antionline.com/ Back Orifice/cDc..................http://www.cultdeadcow.com/ News site (HNN) .....,............http://www.hackernews.com/ Help Net Security.................http://net-security.org/ News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/ NewsTrolls .(daily news ).........http://www.newstrolls.com/ News + Exploit archive ...........http://www.rootshell.com/beta/news.html CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest News site+........................http://www.zdnet.com/ News site+Security................http://www.gammaforce.org/ News site+Security................http://www.projectgamma.com/ News site+Security................http://securityhole.8m.com/ News site+Security related site...http://www.403-security.org/ News/Humour site+ ................http://www.slashdot.org +Various mailing lists and some newsgroups, such as ... +other sites available on the HNN affiliates page, please see http://www.hackernews.com/affiliates.html as they seem to be popping up rather frequently ... http://www.the-project.org/ .. IRC list/admin archives http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk alt.hackers.malicious alt.hackers alt.2600 BUGTRAQ ISN security mailing list ntbugtraq <+others> NEWS Agencies, News search engines etc: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://www.cnn.com/SEARCH/ Link http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0 Link http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack Link http://www.ottawacitizen.com/business/ Link http://search.yahoo.com.sg/search/news_sg?p=hack Link http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack Link http://www.zdnet.com/zdtv/cybercrime/ Link http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column) Link NOTE: See appendices for details on other links. 
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm Link http://freespeech.org/eua/ Electronic Underground Affiliation Link http://ech0.cjb.net ech0 Security Link http://axon.jccc.net/hir/ Hackers Information Report Link http://net-security.org Net Security Link http://www.403-security.org Daily news and security related site Link Submissions/Hints/Tips/Etc ~~~~~~~~~~~~~~~~~~~~~~~~~~ All submissions that are `published' are printed with the credits you provide, if no response is received by a week or two it is assumed that you don't care whether the article/email is to be used in an issue or not and may be used at my discretion. Looking for: Good news sites that are not already listed here OR on the HNN affiliates page at http://www.hackernews.com/affiliates.html Magazines (complete or just the articles) of breaking sekurity or hacker activity in your region, this includes telephone phraud and any other technological use, abuse hole or cool thingy. ;-) cut em out and send it to the drop box. - Ed Mailing List Subscription Info (Far from complete) Feb 1999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~ ~~~~~~~~ ISS Security mailing list faq : http://www.iss.net/iss/maillist.html THE MOST READ: BUGTRAQ - Subscription info ~~~~~~~~~~~~~~~~~~~~~~~~~~~ What is Bugtraq? Bugtraq is a full-disclosure UNIX security mailing list, (see the info file) started by Scott Chasin . To subscribe to bugtraq, send mail to listserv@netspace.org containing the message body subscribe bugtraq. I've been archiving this list on the web since late 1993. It is searchable with glimpse and archived on-the-fly with hypermail. Searchable Hypermail Index; http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html Link About the Bugtraq mailing list ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The following comes from Bugtraq's info file: This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. 
This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks. Please refrain from posting one-line messages or messages that do not contain any substance that can relate to this list`s charter. I will allow certain informational posts regarding updates to security tools, documents, etc. But I will not tolerate any unnecessary or nonessential "noise" on this list. Please follow the below guidelines on what kind of information should be posted to the Bugtraq list: + Information on Unix related security holes/backdoors (past and present) + Exploit programs, scripts or detailed processes about the above + Patches, workarounds, fixes + Announcements, advisories or warnings + Ideas, future plans or current works dealing with Unix security + Information material regarding vendor contacts and procedures + Individual experiences in dealing with above vendors or security organizations + Incident advisories or informational reporting Any non-essential replies should not be directed to the list but to the originator of the message. Please do not "CC" the bugtraq reflector address if the response does not meet the above criteria. Remember: YOYOW. You own your own words. This means that you are responsible for the words that you post on this list and that reproduction of those words without your permission in any medium outside the distribution of this list may be challenged by you, the author. For questions or comments, please mail me: chasin@crimelab.com (Scott Chasin) Crypto-Gram ~~~~~~~~~~~ CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe, visit http://www.counterpane.com/unsubform.html.  
Back issues are available on http://www.counterpane.com. CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.  He is a frequent writer and lecturer on cryptography. CUD Computer Underground Digest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This info directly from their latest ish: Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09                             ISSN  1004-042X        Editor: Jim Thomas (cudigest@sun.soci.niu.edu)        News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)        Archivist: Brendan Kehoe        Poof Reader:   Etaion Shrdlu, Jr.        Shadow-Archivists: Dan Carosone / Paul Southworth                           Ralph Sims / Jyrki Kuoppala                           Ian Dickinson        Cu Digest Homepage: http://www.soci.niu.edu/~cudigest [ISN] Security list ~~~~~~~~~~~~~~~~~~~ This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed Subscribe: mail majordomo@repsec.com with "subscribe isn". @HWA 00.3 THIS IS WHO WE ARE ~~~~~~~~~~~~~~~~~~ Some HWA members and Legacy staff ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cruciphux@dok.org.........: currently active/editorial darkshadez@ThePentagon.com: currently active/man in black fprophet@dok.org..........: currently active/IRC+ man in black sas72@usa.net ............. 
currently active/IRC+ distribution vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black dicentra...(email withheld): IRC+ grrl in black eentity ...( '' '' ): Currently active/IRC+ man in black Foreign Correspondents/affiliate members ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Qubik ............................: United Kingdom D----Y ...........................: USA/world media HWA members ......................: World Media Past Foreign Correspondents (currently inactive or presumed dead) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ N0Portz ..........................: Australia system error .....................: Indonesia Wile (wile coyote) ...............: Japan/the East Ruffneck ........................: Netherlands/Holland Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed Spikeman's site is down as of this writing, if it comes back online it will be posted here. http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian) ******************************************************************* *** /join #HWA.hax0r.news on EFnet the key is `zwen' *** ******************************************************************* :-p 1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/ 2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events its a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ... @HWA 00.4 What's in a name? why HWA.hax0r.news?? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Well what does HWA stand for? never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you. 
In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeon holed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS anymore. BTW to all you up and comers, i'd highly recommend you get that book. Its almost like buying a clue. Anyway..on with the show .. - Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below: Some are very useful, others attempt to deny any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)
!=       - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavy equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)
AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)
AOL      - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??
*CC      - 1 - Credit Card (as in phraud) 2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's
CCC      - Chaos Computer Club (Germany)
*CON     - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.
*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer 2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed
Ebonics  - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer
EoC      - End of Commentary
EoA      - End of Article or more commonly @HWA
EoF      - End of file
EoD      - End of diatribe (AOL'ers: look it up)
FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)
du0d     - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.
*HACKER  - Read Stephen Levy's HACKERS for the true definition, then see HAX0R
*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or can you hax0r some bread on the way to the table please?' 2 - A tool for cutting sheet metal.
HHN      - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&
HNN      - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html
J00      - "you"(as in j00 are OWN3D du0d) - see 0wn3d
MFI/MOI  - Missing on/from IRC
NFC      - Depends on context: No Further Comment or No Fucking Comment
NFR      - Network Flight Recorder (Do a websearch) see 0wn3d
NFW      - No fuckin'way
*0WN3D   - You are cracked and owned by an elite entity see pheer
*OFCS    - Oh for christ's sakes
PHACV    - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare
           Alternates: H - hacking, hacktivist C - Cracking C - Cracking V - Virus W - Warfare A - Anarchy (explosives etc, Jolly Roger's Cookbook etc) P - Phreaking, "telephone hacking" PHone fREAKs ... CT - Cyber Terrorism
*PHEER   - This is what you do when an ereet or elite person is in your presence see 0wn3d
*RTFM    - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.
TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0
TBA      - To Be Arranged/To Be Announced also 2ba
TFS      - Tough fucking shit.
*w00t    - 1 - Reserved for the uber ereet, no one can say this without severe repercussions from the underground masses. also "w00ten" 2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)
*wtf     - what the fuck, where the fuck, when the fuck etc ..
*ZEN     - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee i'll take any notice mind you, but send in your thoughts anyway. 
* all the people who sent in cool emails and support FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Ken Williams/tattooman of PacketStorm, hang in there Ken...:( & Kevin Mitnick (watch yer back) kewl sites: + http://www.securityportal.com/ NEW + http://www.securityfocus.com/ NEW + http://www.hackcanada.com/ + http://www.l0pht.com/ + http://www.2600.com/ + http://www.freekevin.com/ + http://www.genocide2600.com/ + http://www.packetstorm.harvard.edu/ ******* DOWN ********* SEE AA.A + http://www.hackernews.com/ (Went online same time we started issue 1!) + http://www.net-security.org/ + http://www.slashdot.org/ + http://www.freshmeat.net/ + http://www.403-security.org/ + http://ech0.cjb.net/ @HWA 01.1 Last minute stuff, rumours and newsbytes ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "What is popular isn't always right, and what is right isn't always popular..." - FProphet '99 +++ When was the last time you backed up your important data? ++ AGENT STEAL INTERVIEW Justin Petersen tells CNN he now plans to begin a new life online, free of crime, with an adult Web site. The interview airs on CNN Sunday and Monday at 8 p.m. ET and 10 p.m. PT. ++ INFOWARCON'99 by BHZ, Saturday 24th July 1999 on 10:26 pm CET Infowar (www.infowar.com) announced this year's security gathering - InfowarCon '99. It will be held in Washington from September 8th - 9th and: "Designed for corporations, infrastructure firms, and finance, military, intelligence and law enforcement organizations, InfowarCon '99 provides proven tactics for defending the enterprise and infrastructures". Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed @HWA 01.2 MAILBAG - email and posts from the message board worthy of a read ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 02.0 From the editor. 
~~~~~~~~~~~~~~~~

    #include <stdio.h>

    int main(void)
    {
        printf ("Read commented source!\n\n");
        /*
         * Nothing much to say, I have a summer cold, (gak!) here's
         * issue #27... start reading. :)
         *
         * hwa@press.usmc.net
         *
         */
        printf ("EoF.\n");
        return 0;
    }

Congrats, thanks, articles, news submissions and kudos to us at the main address:

hwa@press.usmc.net

complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

03.0 l0pht releases AntiSniff - Press release
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For Immediate Release

L0pht Heavy Industries Releases a Public Beta of Its Revolutionary New AntiSniff Network Security Software

Boston, MA - July 22, 1999 - L0pht Heavy Industries, a world renowned computer security think tank, today announced the public beta release of its AntiSniff network security software, which can detect attackers surreptitiously monitoring a computer network.

"AntiSniff is a whole new breed of network security tool, designed to detect the attack patterns used in compromising a computer network, instead of merely being reactive to already known vulnerabilities.", said Dr. Mudge, Chief Scientist at L0pht Heavy Industries. AntiSniff, which operates on both Windows NT and UNIX operating systems, will detect remote computers that are packet sniffing, that is, monitoring all network communications.

In a recent survey, three-quarters of U.S. corporations, government agencies, financial institutions and universities reported suffering financial losses due to computer security breaches. Some of these attacks have become quite famous, such as the successful attacks against the Senate & FBI webservers. Other attacks, however, don't get any media attention, and are far worse than the defacement of a web site. These attacks involve the invasion of government and corporate secrets, and personal privacy.
Many of these attacks rely on packet sniffing to penetrate deep into a computer network. Network communication can be likened to a large group of people standing together in a room and talking. When people talk to each other, others nearby have the ability to listen in. When computers communicate over networks, they normally only listen to communications destined to themselves. However, they also have the ability to enter promiscuous mode, which allows them to listen to communications that are destined to other computers.

When an attacker successfully compromises a computer, they install what is known as a packet sniffer, a tool that puts the computer into promiscuous mode, thus allowing them to monitor and record all network communications. The private information they gather, such as account names, passwords, credit cards, and even e-mail, is then used to compromise other computers. This is how, from one weak computer in a computer network, many computers, and the information they contain, can be compromised.

Until now, it has been impossible for network administrators to remotely detect if computers were listening in on all network communications. L0pht Heavy Industries' AntiSniff stops all this, by giving network administrators and information security professionals the ability to remotely detect computers that are packet sniffing, regardless of the operating system.

Dr. Mudge explains, "AntiSniff works by running a number of non-intrusive tests, in a variety of fashions, which can determine whether or not a remote computer is listening in on all network communications. Now it is impossible for an attacker who is sniffing to hide."

Current network security tools, such as network scanners, work by probing machines for software that contains bugs or software that's misconfigured. Intrusion Detection Systems (IDS) work by finding malicious signatures in network traffic. AntiSniff, on the other hand, is the first of its kind.
It remotely detects the passive act of eavesdropping on network communications. It will even detect packet sniffers installed by a rogue insider who may have legitimate administrative access to a machine, but still should not be monitoring all network traffic.

The AntiSniff public beta is released for Windows NT, complete with a fully featured graphical interface, report generating tools, and alarm system. It is designed so that it can be used to quickly scan a network or scan continuously, triggering alarms when a "packet sniffing" machine is detected. The beta version has been made available free to all who would like to try it out. L0pht hopes to have the commercial release ready within a few weeks. Retail and site license pricing have not yet been determined.

To further the research of the security community as a whole, as they have in previous products, L0pht will be releasing AntiSniff as a UNIX command-line tool, complete with full source code.

For more information please contact AntiSniff@l0pht.com. The free beta download and full documentation are available at http://www.l0pht.com/antisniff/.

About L0pht Heavy Industries

L0pht Heavy Industries is a world renowned computer security think tank. Founded in 1992 as a computer research facility, the L0pht has grown into a leader in the field of computer security software. The L0pht's products include L0phtCrack, the industry standard NT password auditing tool. As a result of their innovative security research, the L0pht has released dozens of computer security advisories to the Internet community, warning of dangerous vulnerabilities in today's most widely used software. Many at the L0pht are considered top experts in the computer security field and have appeared on numerous network news programs and documentaries, as well as having testified about government computer security for the U.S. Senate. Visit the L0pht's web site at http://www.l0pht.com.
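The press release's technical point is that a sniffer works by putting the interface into promiscuous mode. The script below is an added example, not L0pht's code and not how AntiSniff works (AntiSniff probes the suspect host from elsewhere on the network); it is the host-side complement an admin can run on a box they still trust. It reads the per-interface flag word Linux exposes in /sys/class/net/<iface>/flags and tests the IFF_PROMISC bit (0x100, from <linux/if.h>), and as a second source parses `ip link show` output for the PROMISC keyword. The sysfs values and the `ip link` text used as sample input are constructed.

```python
"""Local promiscuous-mode audit (added example; not part of AntiSniff).

Two independent sources are checked: the kernel flag word in sysfs, and
the textual flag list printed by `ip link show`. Sample inputs below are
constructed so the script runs on any platform."""
import os
from typing import Dict, List

IFF_PROMISC = 0x100  # <linux/if.h>: interface receives all packets


def promiscuous_from_flags(flags: Dict[str, str]) -> List[str]:
    """flags maps interface name -> hex string as read from
    /sys/class/net/<iface>/flags (e.g. '0x1103\\n').
    Returns the sorted names whose flag word has IFF_PROMISC set."""
    found = []
    for iface, value in flags.items():
        word = int(value.strip(), 16)
        if word & IFF_PROMISC:
            found.append(iface)
    return sorted(found)


def read_sysfs_flags(root: str = "/sys/class/net") -> Dict[str, str]:
    """Collect the flag words of every interface on a live Linux host.
    Returns {} when sysfs is unavailable so the example runs anywhere."""
    out: Dict[str, str] = {}
    try:
        for iface in os.listdir(root):
            with open(os.path.join(root, iface, "flags")) as fh:
                out[iface] = fh.read()
    except OSError:
        return {}
    return out


def promiscuous_from_ip_link(text: str) -> List[str]:
    """Parse `ip link show` output. Each interface header line looks like
    '2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ...';
    continuation lines ('link/ether ...') are skipped."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].rstrip(":").isdigit():
            continue
        name = parts[1].rstrip(":").split("@")[0]  # strip 'veth0@if5' suffix
        flag_field = parts[2]
        if flag_field.startswith("<") and flag_field.endswith(">"):
            if "PROMISC" in flag_field[1:-1].split(","):
                found.append(name)
    return sorted(found)


# Constructed sample data: three interfaces, eth1 in promiscuous mode.
SAMPLE_FLAGS = {"lo": "0x9\n", "eth0": "0x1003\n", "eth1": "0x1103\n"}
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    print("sysfs sample   :", promiscuous_from_flags(SAMPLE_FLAGS))
    print("ip link sample :", promiscuous_from_ip_link(SAMPLE_IP_LINK))
    live = read_sysfs_flags()
    if live:
        print("this host      :", promiscuous_from_flags(live))
```

A check like this is only as trustworthy as the host it runs on, which is exactly the press release's argument: an attacker who installed the sniffer already has root there and can hide the flag, so the remote, probe-based approach is what catches the case the local check cannot. A promiscuous interface is also only the symptom; the process holding the raw socket still has to be located and examined.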
All trademarks and registered trademarks are the property of their respective holders. @HWA 04.0 Pixar to remake TRON? ~~~~~~~~~~~~~~~~~~~~~ -------------------------------------------------------------- This story was printed from ZDNN, located at http://www.zdnet.com/zdnn. -------------------------------------------------------------- Pixar Studios to remake Disney's Tron? By Richard Barry, ZDNet (UK) July 23, 1999 4:13 PM PT URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2301037,00.html?chkpt=hpqs014 It set the scene for a generation of hi-tech sci-fi movies and, arguably, inspired some of the best films of the genre. Tron, the legendary Disney movie loved by the thirty-something generation, is rumored to be in the re-make room with some very serious backers, including Steve Jobs. Jobs, on stage this week with the iBook, also has another day job, running Pixar Animation Studios (Nasdaq:PIXR), maker of "Toy Story" and "A Bug's Life." According to one source, Pixar may be working on a remake of the classic '80s sci-fi film. The source, who asked not to be identified, said Pixar is trying to decide whether to remake the original or create a sequel. It will begin work on the project once Toy Story II hits the theaters November 24. John Lasseter, Toy Story's director, will head the production. Lending fuel to the rumor, Lasseter has gone on record crediting Tron as the driving inspiration behind Toy Story. He saw the film while working as an animator on Mickey's Christmas Carol and had two best friends on the production team. "It [Tron] was the future. It was the potential I saw in computer animation," Lasseter said. A spokesperson for Pixar in Richmond, Calif., said she was not aware of any Tron projects, but if it were to happen, it would likely be led by Disney. Disney owns 50 percent of Pixar. The company did not return calls by press time. 
@HWA

05.0 Meet the fed (zdtv:Defcon)
~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.zdnet.com/zdtv/cybercrime/features/story/0,3700,2293749,00.html

Phil Loranger, division chief for information assurance with the US Army, speaks out about Def Con

Phil Loranger, the division chief for information assurance with the US Army, was interviewed by CyberCrime analyst Alex Wellen while at Def Con. Here are excerpts.

Why come to Def Con?

"This is an important conference to anybody [who] attends. It is a conference in which there is a lot of valuable and technical information exchanged.

"There is an opportunity to meet some of the folks on the dark side, if you will, to see some of their thinking.

"We've done this [for the] first time this year to put [on] a federal panel and get [a] frank and honest exchange. ... To get some feelings from what the industry considers to be some of the most elite people in the dark side of computer security, if you will.

"We were invited to do a presentation and to participate in a panel."

Do you use hackers to check out your systems, to verify your vulnerabilities?

"Hackers, by their very definition, are law breakers and criminals, and I don't see why they should be rewarded, especially using taxpayer dollars.

"We have very talented people who have never broken the law and have struggled very hard through [their] academic years; and those are the folks we want to bring onto the payroll.

"This is not to say that the people we are addressing here today at this conference are criminals. We are talking here in broad strokes saying that if you break into a system you're a criminal."

How have you been received by attendees?

"I have been experiencing a very cordial interchange among the people we've met. Meet the [Fed] panel was a less regulated environment, if you will. I think that it was not as rowdy as I had imagined, and I was pleased about that.
"Isn't it wonderful that we're able to have conferences like this under our form of government that says it's OK to not agree with the people on the platform?" Will you return to Def Con next year? "I see us reacting to invitations to these if there are more, absolutely. "Where else can you come and have a member of the White House National Security Counsel, a member of the Office of the Secretary of Defense for Investigation, and a member of the military department stand there and interface with what I guess is considered ... we're considered to be their targets and so forth." @HWA 06.0 Poulsen at DefCon ~~~~~~~~~~~~~~~~~ My First Def Con On finding decadence and dialogue in the desert By Kevin Poulsen July 14, 1999 I'm wandering through the hall outside the main conference room at the Alexis Park Hotel, stepping gingerly over blue Ethernet cable while gripping a drink in one hand, a cigarette in the other. Las Vegas is a nexus of many vices, crammed into spurts of late-night binges and hangover mornings. Last weekend it became an oasis of decadence and dialogue in a desert turned to mud by a freak thunderstorm. It's the seventh annual Def Con, the computer underground convention: my first. Around me, a chaotic bazaar shows hackers of all shapes and sizes crowding around tables stacked with underground publication, T-shirts, and chunks of technology begging to be taken apart and reassembled. The younger attendees are drowning in caffeinated drinks-- primarily Jolt cola, which was apparently stocked by the hotel especially for this occasion. "How is publicly releasing a hacking tool different from giving out guns to children?" queries the voice behind the camera, aimed for a kill shot at my head. Earlier in the day, The Cult of the Dead Cow made a flashy standing-room-only presentation of Back Orifice 2000 -- a feature-packed but stealthy remote-control utility for Windows-- and it's fast becoming a symbol for the conference. 
I don't know how to answer a question comparing a computer program to a firearm, but when the voice rephrases, I offer my soundbite. "Secrecy only helps the bad guys." By my definition, everyone at Def Con is a good guy, except the handful of good gals. The thousands of hackers, security consultants, outlaws, and scenesters from around the world are laying bare their knowledge, and sometimes their flesh, to each other and to the roving (and steadily increasing) glass eyes of news organizations that they suspect just don't get it. Even the cops tend towards openness, good-naturedly accepting their "I Am the Fed" T-shirts when sharp-eyed hackers pick them from the crowd. The Primo Stuff The Dead Cow was the star of the show, but other highlights included the premiere of a nine-minute teaser for Freedom Downtime, 2600 editor Emmanuel Goldstein's work-in-progress about the legal travails of imprisoned hacker Kevin Mitnick. After seeing the trailer, Chaos Theory foresees Goldstein and his documentary appearing at Cannes. You heard it here first. Austin Hill, president of Zero Knowledge Systems Inc., described the workings of his company's much-anticipated Freedom Net, an elaborate system intended to cloak the online activities of privacy conscious netizens. Hill wins my Golden Aphorism award (which I just invented) for his answer to law enforcement's complaints that Internet anonymity makes their job harder: "Policing is only easy in a police state." Sessions at the conference covered public policy, tutorials on computer security and lock-picking, a plethora of technical discussions, and games, such as Hacker Jeopardy and a social engineering contest. At night, hackers raved on the conference dance floor and partied in the suites. And it's there, away from the rows of Linux boxes and laptops, and beyond the reach of the blue cables, that the excesses of the Def Con nightlife evoke a Hollywood party, circa 1985. 
Reclining next to the hot tub at a shindig in one of the more spacious suites-- a vice, once again, in each hand-- someone offers me a tiny Ziplock bag filled with white powder. The illusion is dispelled when I read the warning label affixed to the bag. The powder is 100 percent pure caffeine. Primo stuff at the hacker con. Editor's Note: Kevin Poulsen was a speaker at Def Con, and was on the team that won Hacker Jeopardy, which also included Jennifer Granick and Mark Lottor. @HWA 07.0 Y2K Situation in Europe ~~~~~~~~~~~~~~~~~~~~~~~ From http://www.net-security.org/ by BHZ, Friday 23rd July 1999 on 1:17 pm CET German Council of Trade and Industry published results of their testing about Y2K compliance in German companies. It looks like just 45 percent of companies are properly prepared for the new millennium. According to some IT professionals, year 2000 will be a year of bankruptcies. Western European countries are prepared for Y2K, but there is always something to work around. Read the story on NY Times. July 23, 1999 Europe Rides Bumpy Computer Road to Year 2000 By EDMUND L. ANDREWS HANOVER, Germany -- Perhaps fittingly, Germany's first real scare about Year 2000 computer crashes came on a Friday the 13th. It was March 1998, and most people here were greeting warnings about Year 2000 failures with a lack of interest. It seemed like a trivial problem, a matter of making sure that computer clocks would not misread the year 2000 as 1900. Then came the test at the Hanover city power company, organized by a confident data processing manager in the spirit of public education, with local media invited to watch. At first, everything seemed fine. But within a few minutes after "midnight," the computer began spewing out thousands of error messages. Then it froze up entirely, and the monitors went blank. Hanover did not go dark. But for a few minutes, it was impossible to monitor the electric grid or to trace equipment breakdowns. 
It took seven months to eradicate all the problems. "I really thought it would be fine," said Juergen Rehmer, the blue-jeans-clad manager who arranged the event. "We had made a lot of changes already, and I was quite certain that a full-system test wouldn't present any great difficulty." Rehmer's test was a watershed. It disrupted a widespread complacency about Year 2000 problems, and marked the first time that a German power company had issued a warning. At the time it occurred, the German government had yet to make its first assessment of the Year 2000 problem. Surveys by insurance companies showed that the vast majority of companies had not even begun to look at their systems. "The European view is that Anglo-American countries are in kind of an hysterical mold," said Peter Eibert, the Year 2000 coordinator at Ford Motor Co. of Europe, based in Cologne. Germany and many of Europe's most advanced countries are racing to make up for lost time. Corporations are pouring billions of dollars into reprogramming computers. Government agencies have set up hot lines. Industry associations hold countless conferences, often invoking the image of ticking time bomb. They are making headway. Most experts are increasingly confident that Europe is not likely to see catastrophic failures. A Year 2000 trial involving Europe's major banks went smoothly. Airlines and airports, which recognized the danger long ago, say they are ready. Nevertheless, many smaller companies and public institutions are running out of time. In a recent survey, the German Council of Trade and Industry found that only 45 percent of companies were properly prepared. Hermes, a German insurance company in Hamburg, estimates that 60 percent of German companies still hadn't started a comprehensive program by last fall. "We believe there will be a substantially higher rate of bankruptcies in the year 2000," said Walter Schmitt-Jamin, a managing director of Hermes. 
A doubling of the usual bankruptcy rate, slightly less than one percent of companies each year, is entirely possible, he added. The readiness varies considerably across Western Europe. In Britain, the Netherlands and much of Scandinavia, governments and corporations jumped on the problem two years ago. In Germany and France, government and business leaders were until recently more lackadaisical. Poorer countries like Italy, Spain and Portugal are struggling. The formerly Communist nations of Central Europe and Russia are much more seriously behind. LOT, the Polish national airline, announced recently that it will ground about 70 flights on New Year's Eve out of concern about Year 2000 breakdowns. The Russian government recently reported that only one-third of the country's banks were ready. Western European countries are well prepared in comparison. But they also have more to worry about. The 15 nations of the European Union, 11 of which have now adopted the euro as a single currency, is an increasingly unified economy linked by dense information networks. There is a boom in the construction of cross-border fiber-optic networks. Power companies buy and sell electricity over electronic trading systems. Car manufacturers order from suppliers over computer networks. Yet when car manufacturers sent the worldwide suppliers detailed Year 2000 questionnaires in early 1997, most of the responses provided little in the way of useful information. That became a source of growing anxiety here in Germany over the next year. Executives at General Motors' Opel subsidiary were startled to discover that industrial robots they bought in 1997 still had Year 2000 glitches. By August 1998, Opel had decided to start sending its own Year 2000 assessors on personal visits to key suppliers. "The key was to ask questions that indicated whether the suppliers knew what they were talking about," said Roger Aze, Opel's Year 2000 coordinator. "Do you have a person in charge of Y2K? 
Do you have a program and a schedule?"

In the last several months, Opel started sending technical experts to its most critical suppliers -- the ones whose own assembly lines are linked directly by computer network to those of Opel and that deliver on a "just in time" basis. But Aze is still bracing for things outside their control: power disruptions or problems further down the supply chains.

Power remains one of the biggest concerns. "The energy industry had overslept," Rehmer said bluntly. It wasn't until July 1998 -- four months after Hanover's surprising test failure -- that the German Association of Electric Utilities advised members to "Start now!" on Year 2000 preparation.

Today, Year 2000 experts in Germany say severe disruptions are unlikely but cannot be ruled out. As a result, many big industrial manufacturers are scaling back production to insulate themselves from the shock of an abrupt power disruption. BASF AG, the chemical conglomerate based in Ludwigshafen, has decided to shut a number of its systems on New Year's Eve so it can get by on the electricity from its own on-site power plant.

So many manufacturers are reducing their power consumption on New Year's Eve that the utility industry has begun to worry about disruptions caused by an abrupt plunge in demand.

One of the key differences between European countries on Year 2000 issues is the degree to which governments became involved. In Britain, Prime Minister Tony Blair has built up a huge program to promote awareness and point companies toward solutions. Besides drumming up publicity, the government fielded several thousand "bug busters" to get out the word.

The Netherlands started a similar program, known as the Dutch Millennium Platform, headed by Jan Timmer, the former chairman of Philips Electronics NV. Timmer irked business groups by exhorting them to act, but most experts now rank the Netherlands alongside the United States and Britain as among the best-prepared countries.
By contrast, German leaders did not show much interest in the subject until a few months ago. The government issued a tepid report one year ago and a more thorough one this spring, and it only recently set up an Internet site devoted to the issue. Local governments have largely been quiet on the matter. In March, the German weekly news magazine Focus published a survey indicating that most German cities had not yet prepared themselves for problems. According to the survey, carried out with the German Conference of Cities, half the cities had yet to test their hospitals, and one-third had not tested their mass transit systems. The hospitals have had a rude awakening. Andreas Tecklenberg, director of a 260-bed hospital in the north German town of Eutin, was dismayed when only six out of 150 manufacturers gave him useful answers when he sent them queries about Year 2000 problems. Since then, he has started to get better information. At the moment, he estimates, about one-third of the hospital's systems are "green" or ready; about one-third are yellow, and one-third still red. "The devices will have to be watched," Tecklenberg said. "But fortunately, we can have people take over if equipment goes wrong." At the German Heart Center in Berlin, which specializes in heart surgery, administrators are avoiding elective surgery between Christmas and January 3. It has also imposed a ban on holidays for most of the medical and technical staff on New Year's Eve. "If you look at this from the American standpoint, we all started late here," acknowledged Marcus Werner, who coordinates the center's Year 2000 planning. Werner started his preparations in October and said he was now reasonably confident about the hospital's medical equipment. But like so many others, he worries about power. The hospital shares a back-up generator with the University of Berlin, but he is still worried about the software that will have to ration the relatively scarce electricity. 
"What it comes down to is things you basically have no control over," he said. @HWA 08.0 Applied Maximum Internet Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.net-security.org/ by BHZ, Friday 23rd July 1999 on 1:09 pm CET Applied Maximum Internet Security, 3 day computer security seminar will be held in Cardiff By The Sea (California) on August 16-18, 1999 and September 27-29, 1999. ex-underground based instructors will cover the topics from essentials of TCP/IP, over the usual hacking/cracking tools to attack strategies. The fee is $1,395 for 3 days. @HWA 09.0 HPSBUX9907-100 CDE Leaves Current Directory in root PATH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To: BugTraq Subject: [support_feedback@us-support.external.hp.com: Security Bulletins Digest] Date: Tue Jul 20 1999 13:58:28 Author: Patrick Oonk Message-ID: <19990720135828.J6635@atro.pine.nl> ----- Forwarded message from HP Electronic Support Center ----- Date: Tue, 20 Jul 1999 04:45:18 -0700 (PDT) Subject: Security Bulletins Digest From: support_feedback@us-support.external.hp.com (HP Electronic Support Center ) To: security_info@us-support.external.hp.com Reply-To: support_feedback@us-support.external.hp.com Errors-To: support_errors@us-support.external.hp.com HP Support Information Digests =============================================================================== o HP Electronic Support Center World Wide Web Service --------------------------------------------------- If you subscribed through the HP Electronic Support Center and would like to be REMOVED from this mailing list, access the HP Electronic Support Center on the World Wide Web at: http://us-support.external.hp.com Login using your HP Electronic Support Center User ID and Password. Then select Support Information Digests. You may then unsubscribe from the appropriate digest. 
===============================================================================

Digest Name: Daily Security Bulletins Digest
Created: Tue Jul 20 3:00:02 PDT 1999

Table of Contents:

Document ID      Title
---------------  -----------
HPSBUX9907-100   CDE Leaves Current Directory in root PATH

The documents are listed below.
-------------------------------------------------------------------------------

Document ID: HPSBUX9907-100
Date Loaded: 19990719
Title: CDE Leaves Current Directory in root PATH

-------------------------------------------------------------------------
**REVISED 01**
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00100, 07 July 1999
Last Revised: 19 July 1999
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:        The current directory is in the root user's PATH after logging in using CDE.
PLATFORM:       HP 9000 series 700/800 at HP-UX revision 10.X
DAMAGE:         Increase in privileges.
SOLUTION:       Modify /usr/dt/bin/Xsession until a patch is available.
AVAILABILITY:   This advisory will be updated when patches are available.
CHANGE SUMMARY: HTML to text conversion instructions for script added.
-------------------------------------------------------------------------

I.

A. Background - The PATH environment variable is constructed from several sources including dtsearchpath and scripts in /etc/dt/config/Xsession.d/ and /usr/dt/config/Xsession.d/. The resulting PATH contains the string "::" which will be interpreted as the current directory. The root user should not have the current directory in the PATH.

B. Fixing the problem - Since the PATH environment variable can be affected by dtsearchpath and several scripts, the recommended solution is to clean up the root user's PATH after it has been created.

**REVISED 01**
Note: This file is in HTML format. If you are editing the text version from a mailing the line below:

    for (i=1; i<=n; i++) {

must be changed. Replace the characters between the second "i" and the "=n" with the single "less than" character (ascii 0x3c). The line will then read:

    for (i=1; iX=n; i++) {

where X stands for the "less than" character.

In /usr/dt/bin/Xsession just before this:

    # ###########################################################################
    #
    # Startup section.

Add this:

    ###################### Clean up $PATH for root ##########################
    if [ "$USER" = "root" ]
    then
        Log "Clean up PATH for root user"
        Log "Old PATH = $PATH"
        PATH=`echo $PATH | awk ' {
            # Remove elements from PATH that are
            #   (a) "."
            #   (b) ""
            #   (c) blank
            #
            gsub (" ",":", $0)          # Substitute ":" for each blank
            n = split ($0, path, ":")   # Split into elements with ":" as delimiter
            first = 1                   # To suppress leading ":" in new PATH
            for (i=1; i<=n; i++) {
                len = length(path[i])
                dot = index(path[i], ".")
                dot_only = 0
                if ((len == 1) && (dot==1)) {
                    dot_only = 1
                }
                # print element if it is not "" and not "."
                if (!(len==0) && !(dot_only==1)) {
                    if(first != 1) {
                        printf (":")    # if not first element, print ":" in front
                    }
                    printf ("%s",path[i])
                    first = 0
                }
            }
        }
        END { printf ("\n") }'`
        Log "New PATH = $PATH"
    fi
    ###################### End - Clean up $PATH for root ####################

C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP Electronic Support Center via electronic mail, do the following:

Use your browser to get to the HP Electronic Support Center page at:

http://us-support.external.hp.com (for US, Canada, Asia-Pacific, & Latin-America)
http://europe-support.external.hp.com (for Europe)

Login with your user ID and password (or register for one).
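The bulletin's awk removes "" and "." elements from an already-built PATH. As an added example (not HP's script and not part of the bulletin), the Python below shows the same audit in a form that can be run against any PATH string, first reporting which elements would make the shell search the current directory and then returning a cleaned copy. It goes one step beyond the awk in also dropping any relative entry such as "bin", since that resolves against the current directory as well. The sample PATH is constructed to resemble the "::" case the bulletin describes.

```python
"""Added example, not HP's script: audit a PATH string for the weakness in
HPSBUX9907-100 and return a cleaned copy. An empty element (from "::", a
leading or trailing ":") or "." makes the shell search the current
directory; a relative entry such as "bin" does too."""
import os
from typing import List, Tuple


def _elements(path: str) -> List[str]:
    """Split like the bulletin's awk does: blanks become ":" separators."""
    return path.replace(" ", ":").split(":")


def implicit_cwd_entries(path: str) -> List[Tuple[int, str]]:
    """Return (position, element) for every element that is empty, ".",
    or not an absolute path. Any of these lets a file planted in the
    current directory shadow a system command."""
    findings = []
    for pos, element in enumerate(_elements(path)):
        if element == "" or element == "." or not element.startswith("/"):
            findings.append((pos, element))
    return findings


def clean_path(path: str) -> str:
    """Keep only absolute, non-empty elements, in their original order,
    dropping duplicates. This generalises the awk in the bulletin, which
    removes "" and "." but keeps other relative entries."""
    kept: List[str] = []
    for element in _elements(path):
        if element == "" or element == "." or not element.startswith("/"):
            continue
        if element not in kept:
            kept.append(element)
    return ":".join(kept)


# Constructed sample: "::" from two empty fragments, an explicit ".",
# a blank element, and a duplicate directory.
SAMPLE_PATH = "/usr/bin::/usr/sbin:/sbin:.:/usr/dt/bin:/opt/bin: :/usr/bin"

if __name__ == "__main__":
    for pos, element in implicit_cwd_entries(SAMPLE_PATH):
        print(f"element {pos} ({element!r}) searches the current directory")
    print("cleaned:", clean_path(SAMPLE_PATH))
    # Also check the shell this script was started from.
    live = os.environ.get("PATH", "")
    print("this shell's PATH is", "unsafe" if implicit_cwd_entries(live) else "clean")
```

Running it on the sample reports elements 1, 4, 7 and 8 and returns /usr/bin:/usr/sbin:/sbin:/usr/dt/bin:/opt/bin. Reporting before cleaning is the useful part for an audit: the bulletin's point is that PATH is assembled from several Xsession.d scripts and dtsearchpath, so knowing which position carried the empty element tells you which fragment introduced it.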
Remember to save the User ID assigned to you, and your password.

Once you are in the Main Menu:

To -subscribe- to future HP Security Bulletins, click on "Support Information Digests".

To -review- bulletins already released from the main Menu, click on the "Search Technical Knowledge Database."

Near the bottom of the next page, click on "Browse the HP Security Bulletin Archive". Once in the archive there is another link to our current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic.

The security patch matrix is also available via anonymous ftp:

us-ffs.external.hp.com
~ftp/export/patches/hp-ux_patch_matrix

D. To report new security vulnerabilities, send email to

security-alert@hp.com

Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party.

________________________________________________________________________
-----End of Document ID: HPSBUX9907-100--------------------------------------

----- End forwarded message -----

--
Patrick Oonk - PO1-6BONE - patrick@pine.nl - www.pine.nl/~patrick
Pine Internet B.V.
PGP key ID BE7497F1
Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/
--
Pine Security Digest - http://security.pine.nl/ (Dutch)
----
Excuse of the day: Police are examining all internet packets in the search for a narco-net-traficer

[ (application/pgp-signature) ]

@HWA

10.0 Tiger vulnerability
~~~~~~~~~~~~~~~~~~~

To: BugTraq
Subject: tiger vulnerability
Date: Tue Jul 20 1999 09:37:39
Author: Ellen L Mitchell
Message-ID: <199907201437.JAB12684@net.tamu.edu>

-----BEGIN PGP SIGNED MESSAGE-----

A vulnerability in one of the scripts used by the unix security tool Tiger has been discovered and a patch issued.

Tiger is a public domain package developed and maintained by Texas A&M University, used for checking security problems on a Unix system.

Due to lack of checking, a local user can craft a command in such a way that he may have the command executed with the privileges of the process running Tiger (usually root). While no known compromises have occurred due to this vulnerability, it is recommended that the patch be applied if you run tiger.

Patches for tiger have been issued and are available at ftp://net.tamu.edu/pub/security/TAMU/

Thanks to Michel Miqueu and Philippe Bourgeois of CERT-IST for reporting the problem.

Ellen

- --
Ellen Mitchell
Network Group
Texas A&M University

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN5SI2vjlKRxZFQKVAQGm2wQAqfJWT1nW5A3odbYWa+yvUYjRBkACBVac
hslPIEtX8xVTOgrsHVK5ugT3lD0jz6jQc2DVkIhp89dS4st/+GrFu6ikcg2PaN1x
a7YfqnpYxjRQuTEL9mVG67tyCvsxmOpzv/aTWwEd9AJofRbCUdWK1ruBe2P6Vd2s
B/BdszrqfbI=
=nyA0
-----END PGP SIGNATURE-----

@HWA

11.0 Packet Storm Working on Corporate Sponsorship
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hackernews.com/
contributed by xripclaw

Ken Williams has posted a statement saying that Packet Storm Security is not dead.
He is currently working on a deal with a corporate sponsor that will allow him to have a professionally maintained site with a full staff of security experts, administrators, and web designers. We look forward to new developments.

Tattooman
http://frey.rapidnet.com/~tattooman/

12.0 UPDATE ON THE PACKET STORM WEB SITE SITUATION
     ---------------------------------------------

hey,

i've been working very hard with numerous corporate entities to try to get the web site back up and online as soon as possible. everything is looking very good now, and i hope to have the site back up and better than ever RSN (Real Soon Now). hopefully, the site will be run and hosted by a professional security firm (to be named at the appropriate time), and the new site will be more professionally maintained by a full staff of security experts, administrators, and web designers. with a very substantial amount of corporate funding, the new Packet Storm Security will be a completely revamped site with more features, more updates, more bandwidth, more of everything. news and updates will be posted here as soon as i get confirmation of the new plans, and contracts are signed.

-- Ken Williams, Sat Jul 24 16:34:45 EDT 1999

everything is looking very good and i hope to have great news to post in the next couple of days.
-- Ken Williams, Mon Jul 26 22:12:07 EDT 1999

Contact Info
------------
tattooman@genocide2600.com
jkw@rage.resentment.org
jkwilli2@unity.ncsu.edu

PGP Keys
--------
Keys with ASCII Blocks, Fingerprints, and IDs
http://www4.ncsu.edu/~jkwilli2/

Keys with ASCII Blocks, Fingerprints, IDs, and Certificates
http://www.keyserver.net:11371/pks/lookup?template=netensearch%2Cnetennomatch%2Cnetenerror&search=jkwilli2&op=vindex&fingerprint=on&submit=Get+List

@HWA

13.0 Piracy is Big Business for Some
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hackernews.com/

contributed by PJ
Churning out thousands of copies at a time for sale in the US and abroad, Southern California is now the home of the software counterfeiter.

LA Times
http://www.latimes.com/HOME/BUSINESS/UPDATES/lat_piracy990725.htm

Who pays to arrest the pirates? Intel, Hewlett Packard, and others are funding public police forces. Evidently it is perfectly legal to grant local police departments hundreds of thousands of dollars so that they arrest the people you want them to. The police say there is no conflict of interest.

LA Times
http://www.latimes.com/HOME/BUSINESS/UPDATES/lat_piracy990726.htm

LA Times
http://www.latimes.com/HOME/BUSINESS/UPDATES/lat_piracy990725.htm

Pirates of the High-Tech Age

Southern California is now home to a sophisticated breed of criminals who, lured by high profits and low penalties, make and sell counterfeit computer software.

By P.J. HUFFSTUTTER, TINI TRAN and DAVID REYES, Times Staff Writers

Southern California is becoming the national base for counterfeiters who make bogus software that looks so good even computer experts can't tell the difference. Once a problem confined to Asia and Latin America, high-quality fake CD-ROMs made here are showing up for sale in foreign countries, on Internet sites and even in some retail stores like Fry's Electronics. Authorities have seized nearly $200 million in counterfeit software in dozens of cases in Southern California over the past three years.
The disks are manufactured by a new breed of multicultural gangs who operate somewhat like legitimate software companies. Lured by high profits and low penalties, these criminals work cooperatively with each other, often "outsourcing" different aspects of the operation to business partners in order to save time and money.

"The irony of all this is the counterfeiters are mimicking us," said Chris Chapin, manager of intellectual property enforcement for video game publisher Electronic Arts Inc. in Redwood City. "They are our worst business rivals."

Feeding off the nation's growing number of PC-owners, the counterfeiters are supplying consumers with hot new products such as video games, tax programs and business tools. Software pirates can replicate, for as little as 50 cents, disks holding programs that computer companies price at hundreds of dollars.

"Look, I can make more money off this than my lawyer can defending me," said one self-described pirate, nicknamed "hax3rz," who was selling illegal copies of top-selling video games on the Internet. "If they want it, I'll sell it."

Southern California "is the capital for pirated [software] products in North America," said Nancy Anderson, senior attorney for Microsoft Corp.'s anti-piracy group. "Not Silicon Valley. Not New York. Not Texas. Not Washington. Here."

High-tech piracy flourishes amid the anonymous industrial parks in the San Gabriel Valley cities of Walnut, Diamond Bar, City of Industry and Rowland Heights. Investigators have raided one business park in Walnut so many times that police have dubbed it "Pirates' Cove." But operations are also found elsewhere in the region.

Earlier this year, in what industry experts describe as the nation's largest-ever software counterfeiting bust, Westminster police and the FBI arrested a dozen people and shut down an alleged piracy scheme with $60 million worth of fake Microsoft software sitting on a warehouse floor in the city of Paramount.
Atul Sowmitra Dhurandhar, a 51-year-old native of India, and his wife were accused of money laundering and running the operation that for four years allegedly churned out counterfeit CD-ROMs from plants in three Southern California counties. They pleaded not guilty, and their trial begins in Los Angeles federal court this week.

Like computer executives tapping personal contacts for deals, Dhurandhar allegedly used friends to create a business network: a convicted Chinese counterfeiter, who obtained a commercial CD-ROM replicator to copy the disks; a Mexican national, who is allegedly a Mexicali state judicial police officer, to smuggle product across the border; and another Mexican to hire illegal immigrants to run the CD replicator.

But even as police break up the operations, the software industry still cannot get the public to support its plight. There is little widespread sympathy when a corporation such as Microsoft--which is worth more than $500 billion--complains that it loses hundreds of millions of dollars a year to piracy.

The wealthy upper class traditionally is seen by the masses as the enemy, said Robert Kelly, professor of society and criminal justice at the City University of New York. In the past, it was oil barons and railroad tycoons. Today, notes Kelly, Microsoft head Bill Gates is the bad guy.

"Fake software is not seen as a threat to the public good," said Alfred Blumstein, a public policy professor at Carnegie Mellon University.

Despite software companies aggressively lobbying politicians and spending millions of dollars on anti-piracy advertising campaigns, the laws remain relatively soft on counterfeiters. The result: people who pirate millions of dollars' worth of software often receive only probation.

"It's cheap, it's easy and there's almost no risk," said Sgt. Marcus Frank of the Westminster Police Department, who led the Dhurandhar investigation. "If you were a criminal, wouldn't you do it?"
The Key to Success: Networking

Frank said the Dhurandhar investigation peaked last fall, when undercover officers staked out warehouses in Paramount, watching as a stream of truck drivers loaded pallets stacked high with fake Microsoft goods. The ringleaders had allegedly been shipping an estimated 15,000 fake Microsoft disks a month nationwide and overseas.

By early February, police and the FBI had enough evidence to get a search warrant and raid the operation. Officers burst inside a warehouse one rainy afternoon and surprised six immigrant workers, who were busy printing counterfeit Microsoft user manuals.

Here and at nearby facilities, investigators found top-of-the-line CD-ROM duplication equipment, high-speed printing presses and rows of bookbinding and shrink-wrapping machines. Piles of phony warranty cards spilled out of nearby crates. Sixty million dollars' worth of boxed, shiny silver compact disks, all sporting the Microsoft logo, towered over the officers.

And tucked off in a corner, police say, was the investigative mother lode: files stuffed with Dhurandhar's business documents and checkbooks. The paperwork mapped out an elaborate counterfeiting network, according to police, and gave investigators leads on the scheme's money trail.

Dhurandhar, his wife Mamta--who faces the same charges as her husband--and their attorneys have declined to discuss the case. Ten other suspects will join them at trial this week.

Prosecutors say the Dhurandhar case is a textbook example of a modern software counterfeiting operation, where professional networking is the key to success. Someone knows someone with the machinery to copy the disks. Someone else knows of a print-shop owner willing to churn out bogus user manuals.
Police say the players in the Southland's growing software piracy industry range from legitimate shop owners to street thugs to U.S.-based Asian gangs, such as the Wah Ching and Black Dragons, to savvy businessmen of all nationalities willing to run a wide-scale operation.

Instead of a crime "family" with workers of one ethnicity answering to a boss, these software gangs operate as independent agents with no specific loyalties. Where traditional crime outfits work to improve the power and dominance of their family, these alliances of counterfeiters end when the job is done.

"If you're a Crip, you're always a Crip," said Det. Jess Bembry, an expert in Asian organized crime with the Los Angeles Police Dept. These cases are different because "if it benefits them [financially], warring groups will stop fighting to make money together."

Like computer executives sealing million-dollar agreements with a handshake, the ancient Chinese rite of guanxi (pronounced gwan-shee) is the unspoken social glue that defines interactions in some Asian societies. For legitimate businessmen throughout the world, guanxi means a person's social rapport is his key currency in the corporate world. It also is a philosophy that, say police, allows accused software counterfeiters such as the Dhurandhars to build a large manufacturing enterprise.

Dhurandhar allegedly used several of his businesses, including a Long Beach print shop called Digital Colors, as fronts for the secret operation. Heavily tinted windows shielded the workers and gave no clue as to what was being manufactured inside. By day, the firm was a legitimate printing business, according to court documents. By night, it allegedly was a full-scale counterfeiting and assembly plant.

Digital Colors, according to police investigators and the documents they seized, was one hub in a manufacturing labyrinth. Companies in the San Gabriel Valley handled the assembly work.
Distributors in Los Angeles and Westminster hawked the goods, which included French, Portuguese and English versions of such bestsellers as Windows 95 and Windows 98, Microsoft's computer operating systems. In Long Beach, Digital Colors made the boxes, which were stored in Paramount warehouses, one of which housed a $1.5-million CD-ROM replicator that is as big as a high school classroom.

Finished products allegedly were boxed, shrink-wrapped and sold to mid-level distributors. They, in turn, sold the fakes to other software distributors. Some products were loaded on trucks and hauled across the country, say police. Other goods were taken to Los Angeles International Airport, flown to Northern California and later shipped overseas. Ultimately, the disks allegedly were hawked at swap meets, over the Internet and at small retail shops in the U.S., Canada, Europe and South America.

How much money the counterfeiters actually made still is unclear, said assistant U.S. attorney Stephen Larson, who is prosecuting the case. Court documents allege that the Dhurandhars used an elderly relative's bank account, and other accounts with Bank of America and Bank of Orange County, to launder at least $3.5 million in cash from sales of the fake software products.

Profits allegedly were funneled into nearly $5 million worth of residential and commercial properties across Southern California, including a $2.7-million, Spanish-style home in Palos Verdes Estates perched above Lunada Bay, according to state property records and court documents. The Dhurandhars could step through their French doors and enjoy an expansive view of the ocean and Catalina Island.

Federal and state authorities seized the properties and arrested the Dhurandhars in June at their home. Police say that Atul Dhurandhar was watering his lawn, and had $20,000 cash in his pocket, when they arrested him. A neighbor, when asked about the Dhurandhars, responded: "We never see them. They keep to themselves."
Asian Economic Woes Intensify Piracy

The piracy of intellectual property--whether software or music, film or pharmaceuticals--has flourished worldwide for decades. The rise of Southern California as a counterfeiting center is a more recent phenomenon.

The other hotbed of software counterfeiting is Asia, where the threat of punishment is relatively low. In legitimate retail shops in Thailand last year, more than 80% of all computer software sold to consumers was pirated, according to the U.S. Trade Representative's office.

Last year's Asian economic collapse intensified piracy. Asian police and U.S. federal investigators say formerly legitimate optical disc producers--the companies that manufacture CD-ROMs for software firms in Asia--are now moonlighting as software counterfeiters.

Among the offerings in Asian black markets: Microsoft's business software package, Office 2000 Premium, which retails for nearly $8,700 in the United States. A week before Office 2000 debuted last month, shoppers who visited open-air markets in Hong Kong and Singapore picked up pirated versions for $20.

Like their counterparts in the drug trade, software counterfeiters are well financed and mobile. When Hong Kong officials began cracking down on piracy in 1995, pirates relocated their manufacturing facilities to mainland China and nearby Macau, where there are fewer police agencies tracking copyright violators. Piracy also increased in Southern California.

The U.S. Customs Department has tracked a steady increase in the value--and number--of high-tech counterfeit goods it seized this decade leaving the country. Although pirated movies and music get media attention, they made up only 2% of all compact disks customs seized in the U.S. last year.

Kathlene Karg, director of anti-piracy operations for the Interactive Digital Software Association, said pirates are attracted to the U.S. market because they can charge more.

"That's why they're starting to make and distribute their stuff in the U.S. The risk might be greater, but so are the potential profits," she said.

The fakes made here are harder to detect. For one thing, say manufacturers, they look great. Counterfeits sold overseas rarely come in anything more elaborate than a plastic sleeve. Americans, however, prefer to buy nicely packaged goods, and pirates can charge more if consumers are convinced they're buying authentic--though drastically discounted--software.

Fake versions of Office 2000, similar to those selling for $20 in Singapore, can be found on at least one Internet site for $175. The difference? A user's manual, a warranty card and a shrink-wrapped box. All fake, of course.

"Nearly everything [counterfeit] of ours that we're seeing being made in Southern California is retail-ready," said Anne Murphy, an attorney with Microsoft's anti-counterfeiting team. "That's a big threat to our business because people think they're buying the real thing."

In fact, high-grade counterfeits are starting to show up in mainstream stores such as Fry's Electronics, industry sources say. The San Jose Police Department's high-tech crime unit in the past year has investigated several such cases. Police officers said that small batches of bogus goods, sold to the chain through independent distributors, had been discovered in inventory at various Fry's stores. Officials at San Jose-based Fry's declined to comment.

Investigators won't say whether some consumers had bought fakes. Noting that investigations are ongoing, police also refused to identify the stores that carried the goods, or to disclose what kind of software was counterfeited.

Even if the people who made the bogus product are caught, the consequences could be minor. But the downside for consumers could be serious. Counterfeit software could be a copy of an early--and flawed--version of the real thing. It could include viruses that could destroy a person's computer data.
And manufacturers refuse to fix fake goods.

Federal penalties for counterfeiting are relatively low. If convicted, a person can be sent to prison for up to five years for software counterfeiting. But most software pirates avoid serious punishment and usually serve less than three years, according to officials at the U.S. Attorney's office. Though a federal statute--the Digital Millennium Copyright Act--enacted late last year allows for more serious financial penalties and jail terms, the law remains relatively untested.

To date, federal and local prosecutors have focused largely on those accused of running major counterfeiting operations and laundering money, such as the Dhurandhars. Federal money laundering charges have a much stronger legal bite--a minimum of 10 years in prison--than counterfeiting, said Assistant U.S. Attorney Larson, who is chief of the department's organized crime strike force in Los Angeles.

"It takes me longer to build a case than the time they end up spending in jail," grumbled Det. Jess Bembry, an expert in Asian crime with the Los Angeles County Sheriff Department. "It's ridiculous."

Few consumers sympathize when Microsoft or other large software firms complain about counterfeiters. The Redmond, Wash.-based behemoth is the world's most valuable corporation and has continually exceeded Wall Street's profit expectations. Last week, Microsoft said its fiscal fourth-quarter profits jumped 62%, with earnings for the period climbing to a record $2.2 billion.

Microsoft has fought piracy since 1976, when Bill Gates wrote his now-famous "Homebrew" open letter to computer hobbyists. The missive chastised computer users and called them "thieves" for not paying to use the operating software, known as BASIC.

Some critics say that software firms fuel piracy by charging too much for their products, but the companies argue that the prices are set to recoup costs of developing and marketing new programs and make a profit.

"Counterfeiting is stealing.
We don't benefit by it. We don't cause it," said Murphy, the corporate attorney for Microsoft.

There are three categories of software piracy. "Warez" is the Internet underground community where users gather at little-known online trading posts to swap files. In license infringement piracy, an individual or organization loads a software program onto multiple computers and doesn't pay the manufacturer for each installation. Finally, there is counterfeiting--the practice of taking a program, burning a copy of it onto a disk and selling the CD-ROM for a profit.

American willingness to buy counterfeit disks terrifies software firms, which have not convinced the public that downloading a $300 business computer program is as unethical as stealing a $300 leather coat.

In fact, the lack of public outrage has so emboldened the criminal sector that consumers sometimes shop for counterfeit brands. Take, for example, the Players, a Malaysian crime syndicate known for making fake console video games. Their products, which are sold throughout Asia and on the Internet, sport a small "Players" logo on the jewel case. This logo also is burned on the game disk itself--often in place of the icon for Sony Corp., the legitimate game publisher.

"When it comes to money, morality gets put aside," said Frank of the Westminster Police Department. "Welcome to the new age of international relations."

_ _ _

Times staff writer Rone Tempest in Hong Kong contributed to this report.

LA Times
http://www.latimes.com/HOME/BUSINESS/UPDATES/lat_piracy990726.htm

Tech Firms Pay Police Agencies to Fight Cyber Crime

Law enforcement: Intel funds sheriff's unit that chases computer pirates. Some fear conflict of interest.

By P.J. HUFFSTUTTER, Times Staff Writer

Gander through the headquarters of the Sacramento County Sheriff Department's high-tech team and see what cops call the "ideal model" for fighting cyber crime in an age of shrinking budgets.
Fluorescent lights cast a jaundiced pall over the worn office cubicles, the frayed fabric pinned in spots with tacks. On each desk sits a computer, confiscated from a crime scene and still sporting an evidence tag. Windbreakers with the team logo are a luxury.

Then there are the things visitors don't see. Like the $10,000 body wire Intel Corp. bought for the unit to use in undercover stings. Or the corporate jet Hewlett-Packard Co. used to fly officers to Silicon Valley, and the tens of thousands of dollars the computer firm spent for the team's travel expenses--flights, hotels, meals--when a recent case took officers out of town.

Tired of being ripped off by high-tech criminals, some of America's most powerful computer companies are fighting back with a relatively simple approach: Subsidize the local police.

From inside pilferage and brazen heists to Internet piracy and industrial espionage, digital crime in the United States cost computer hardware and software companies about $3 billion last year. Authorities, who concede they are barely making a dent in the problem, insist they don't have the staff, resources or public support to tackle the overwhelming number of complaints.

But the computer companies do. Corporate largess ranges from a $100,000 annual grant from Intel that pays for police salaries in Oregon to Motorola Corp. and several other major PC firms donating $10,000 each to an annual fund to help underwrite the Austin (Texas) Police Department's cyber team.

This controversial practice has divided the law enforcement community between those who embrace the help and those who insist it is a means of buying justice. It also underscores a nationwide dilemma: How can local police departments protect the high-tech sector--and the jobs and tax revenue it provides--if there isn't enough money to handle such cases?
While investigating the Hewlett-Packard case, members of the Sacramento Valley Hi-Tech task force traveled nationwide, at company expense, to serve search warrants, arrest suspects and confiscate evidence. Before federal criminal charges were filed, however, Hewlett-Packard filed a civil fraud suit against a company in San Diego believed to be tied to the $500-million scheme. Hewlett-Packard used evidence gathered, in part, in the officers' travels to resolve its suit and ultimately obtain a stipulated judgment in its favor for $900,000.

"When companies are directly paying for travel, investigations or salaries, I think that's a very dangerous line that quickly crosses into a conflict of interest," said former FBI Agent Joe Chiaramonte, president of the San Jose chapter of the High Technology Crime Investigation Assn., a trade group.

But police Sgt. Tom Robinson, who heads up the Hillsboro, Ore., computer unit, sees it differently: "Frankly, any department that's not [accepting such grants] is missing the boat."

Advocates such as Robinson insist the money represents the key to winning the war on cyber crime, and is a small investment for the multinational companies.

"If you're inferring that we're paid off, that's not right," said Sacramento County Sheriff's Sgt. Michael Tsuchida. "I'll eat your dinner, sleep in your hotel and still arrest you if you're breaking the law."

'We All Realized We Needed Each Other'

Traditionally, many corporations have shied away from revealing too much to law enforcement to avoid drawing public attention to internal troubles. But as computer piracy grows, companies today are much more willing to seek help from police agencies.

Catching such criminals has long been the bailiwick of federal prosecutors, as tech-savvy criminals rarely stay within the neat confines of city limits when committing fraud on the Internet or stealing computer components.
But federal law prevents prosecutors and the FBI from taking corporate contributions to pay for salaries or travel expenses, and limits the use of evidence collected by private investigators. State laws, however, have created a much broader gray area for local police. As a result, some local agencies rely on corporate handouts.

When losses mounted from armed robberies at computer chip plants in Austin in the early '90s, the city's high-tech companies decided to finance a private nonprofit group to train officers to deal with the problem. Through the Austin Metro High Tech Foundation, firms including IBM and Dell Computer Corp. annually donate up to $10,000 each for investigators' training, travel and equipment.

In return, businesses--including Applied Micro Devices, National Instruments and Motorola Corp.--say they expect law enforcement to treat computer crime as seriously as drugs and gang violence. Because Texas law restricts direct corporate contributions to particular police units, the funds are managed and distributed through the Austin Community Foundation, a nonprofit entity.

"[The companies] can tell us what equipment we can or can't buy, but they can't tell us what to do with the cases," said Police Sgt. Robert Pulliam, who runs the department's five-person computer crime team. "We all realized we needed each other."

This circle of financial interdependence has evolved slowly, from a long-standing tradition of police getting information from private investigators hired by the corporations.

Companies typically approach police when they have enough evidence to back up a search warrant, said Los Angeles County Deputy Dist. Atty. William Clark, who prosecutes many trademark cases. Law enforcement then assembles the case. The corporate investigators often serve as experts, helping to identify fake products or explain the workings of stolen technology.

Microsoft is the most aggressive technology firm when battling thieves, police say.
In Hong Kong, the company runs its own stings, setting up fake storefronts as a means of gathering evidence, sources say. In the United States, Microsoft employs a security force of more than 200 people, some of them former law enforcement officers, who investigate cases and package the evidence, which they hand over to authorities for prosecution.

"As a matter of policy, we don't pay law enforcement to do their jobs," said Anne Murphy, a corporate attorney with Microsoft's anti-counterfeiting group. "In certain cases, Microsoft has provided financial support for operating expenses for investigations."

In 1997, the software giant approached the Los Angeles County Sheriff's Department and offered to help pay for a sting operation. The price? About $200,000 to purchase printing equipment from suspected software counterfeiters, and give officers the tools needed to create an undercover print shop. The department declined.

"It's not about the money. It's about how the public perceives the money and how it's being used," said Det. Jess Bembry, who worked for the department's Asian Organized Crime unit at the time. "When defense attorneys start screaming, all anyone cares about is avoiding the perception of impropriety."

The rich scent of wet soil and warm grass wafts across Hillsboro, a bedroom community of Portland, Ore., that has traded its agricultural roots for a future in high-tech manufacturing. This town of 68,000 more than doubles in population during weekdays, as workers flood into the catacomb of industrial facilities that have sprung up throughout the city's rolling hills.

As Oregon's largest private employer, Intel's influence is pervasive. In blue-collar Hillsboro, it is difficult to distinguish the line between corporate philanthropy and corporate influence. At the Hillsboro Chamber of Commerce, a small plaque that reads "Intel Room" is affixed outside the door of the center's main meeting room--in honor of the company paying to furnish the small space.
Though the town represents Oregon's largest high-tech hub, city managers have set aside only 2.7% of the Hillsboro Police Department's annual $9.2-million budget for its seven-person computer crime team. There's no need to commit more, city officials say, because Intel catches the shortfall: $100,000 a year, which pays the salary of one of the police officers and some expenses, according to a 1996 city memorandum of understanding obtained by The Times. Additionally, Intel purchased one officer's car, and helped pay for the team's offices, computer workstations, telephones and fax machines.

Of all 231 cases Hillsboro's high-tech team has tackled between 1995 and April 30 of this year, about 41% involve Intel in some way. As of April, about one-fifth of the nearly $210 million the unit recovered is tied to Intel complaints.

Police say the grant, which is permitted by Oregon state law, has not swayed their focus. Investigators attribute the case ratio to black-market demand for fake Intel computer chips and the company's size.

"This may not be the ideal way for us to do business, but at least we're trying to do something about these crimes," said Police Sgt. Robinson, whose team includes members of the FBI and the U.S. attorney's office. "Without us, the criminals run rampant and impact everyone--the companies and the community," he said.

Intel executives insist that their "nontraditional approach" of working with police is legitimate and harmless. It is, they say, merely part of a companywide philosophy to invest in the communities where employees live and work--not a means of gaining police protection.

"It'd be dead wrong to criticize the police unless we could make a contribution," said Chuck Mulloy, a corporate spokesman for Intel.

Other cities are modeling their efforts after Hillsboro. Chandler, Ariz., which has several Intel manufacturing and assembly centers, plans to pattern its own nascent computer team after Hillsboro.
Such partnerships can hurt the police if companies stop paying, say critics. That's a concern in Hillsboro, where city officials admit there are no guarantees that the Intel grant won't disappear.

"The police don't want to hear this, but if we lose the Intel grant, we'll default on the high-tech crime unit," said David Lawrence, Hillsboro's assistant city manager. "We'll have to go back to what we had before, which wasn't much."

Inside a bland concrete warehouse on the edge of Sacramento's city limits, the Sacramento Valley Hi-Tech unit is the quintessential modern police model for fighting computer crime. The task force was created in 1995 and draws officers from 16 enforcement agencies. The team's diverse membership--officers from different jurisdictions who possess varied skills--is the key to its strength.

"These guys have the best reputation among law enforcement," said L.A. County Sheriff's Det. Bembry. "They do amazing things with very few financial resources."

Each agency pays for its officers' salaries, equipment and vehicle. But the departments don't feed into the team's general operating budget, which is zero, said Sgt. Tsuchida, who runs the unit. By comparison, the department's narcotics team receives at least $55,000 a year for similar costs.

"We serve at least 50 search warrants a year," Tsuchida said. "We couldn't get the $150 a person to get the training to make sure everyone does it the same way. That's a safety concern."

The financial slack is often covered by local technology companies, which contribute seized assets and occasionally kick in for travel and other expenses, Tsuchida said.

"If the companies don't pay, we can't investigate" some out-of-town cases, said Sacramento County Sheriff's Lt. Jan Hoganson, who commands the unit. "We can't afford it."
Cost was a factor in the recent Hewlett-Packard software theft case, which investigators say has links extending from the Central Valley to Southern California, the Pacific Northwest and Central America.

Bill Conley, president of US Computer Corp. in Redmond, Wash., is one of several people Sacramento's unit arrested in conjunction with the case. The charges, of possessing stolen H-P goods, were later dropped, but Conley insists the case was tainted.

"It was the Hewlett-Packard people--not the Redmond police, not the Sacramento cops--who led the whole thing, who took employees off and threatened to take them to jail," said Conley, 41.

Police, prosecutors and Hewlett-Packard officials scoff at Conley's claim, and cite other types of white-collar crimes, such as insurance fraud, which routinely rely on the private sector for enforcement help. Sacramento's Hoganson insists his team's focus is unbiased, noting that of the 285 cases the team investigated in 1998, only 16 were tied to companies that are members of the unit's steering committee.

But the California Supreme Court takes the issue seriously. In a 1996 trade secrets case, the court upheld the disqualification of a Santa Cruz County district attorney because the office had accepted more than $13,000 from a Scotts Valley software company, Borland International. The money was used to hire a computer expert to determine whether a former executive had taken proprietary information to a rival firm, Symantec Corp.

Police and prosecutors say the Hewlett-Packard case is different because the corporation's involvement did not influence their decision to file criminal charges.

"I don't see [it] as a conflict, because you're giving law enforcement the money--not the district attorney's office," said Robert Morgester, a deputy attorney general for the state attorney general's office who helped create and fund the Sacramento team.
California legislators are trying to offset the money pinch by rolling out a $1.3-million state grant to be divided among three task forces: Sacramento, San Jose and Los Angeles/Orange County. In addition, the governor's office has set aside an additional $1 million for the same purpose.

Investigators say that although the grant helps, it's still not enough.

"That money is already spent on training, hiring new people and getting my guys new computers," Tsuchida said. "We're not breaking any laws now, so why should we change what we're doing?"

Copyright Los Angeles Times.

14.0 Mitnick sentencing postponed again...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.zdnet.com/zdnn/filters/bursts/0,3422,2302198,00.html

Monday; Jul26th 10:46a

Mitnick sentencing postponed again

The sentencing of convicted hacker Kevin Mitnick was postponed for a second time today. The government is asking for Mitnick to be responsible for restitution on the order of $1.5 million, while the defense is asking for payments on the order of $5,000, based on his projected earnings potential during his supervised release. He will not be able to use a computer during that three-year period. More details to follow.

--ZDNN staff

@HWA

15.0 Military Reserves to be Used for Cyber Defense
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Sarge
The Reserve Component Employment Study 2005, commissioned by Defense Secretary William Cohen, has concluded that Reserve units are probably the best choice to help secure military systems. The study says that members of this new unit could work remotely and should be recruited from high-tech sectors of the civilian population. (Hmmmm, maybe I should reenlist?)
Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0726/fcw-newsreserve-07-26-99.html

JULY 26, 1999

Study calls for reserve virtual IT warfare unit

BY DANIEL VERTON (dan_verton@fcw.com)

A year-long study completed last week by a senior panel of Defense Department officials recommended an unprecedented expansion in the role the reserves play in national defense, including the formation of a virtual cyberdefense unit to protect the nation's critical infrastructure.

The study, Reserve Component Employment Study 2005, was initiated in April 1998 at the request of Defense Secretary William Cohen and concluded that the reserves are "particularly well-suited to homeland defense missions." In addition, the study called for the formation of a "joint [reserve component] virtual information operations organization" and tasked various senior-level DOD organizations to complete a "proof of concept" study for creating the unit by June 30, 2000.

The new reserve cyberdefense unit "would consist of individuals with information technology skills who could perform their duties from dispersed locations rather than working as a single consolidated unit at a specific training center," the report said. To accomplish their mission of protecting various critical infrastructure nodes, the unit would communicate from existing reserve centers and other DOD facilities across the country that have access to the Secret Internet Protocol Routing Network.

To form the new unit, the study recommended looking for reserve members in regions of the country where high concentrations of IT skill already exist. In addition, the study suggested that the reserves consider recruiting high-tech-savvy people from the civilian sector, requiring them to join the reserves for a specific number of years in exchange for high-tech training provided by DOD.
Establishing a "virtual organization" also would go a long way toward solving the department's problem of retaining personnel with critical IT skills and may allow DOD to reduce its reliance on external contractor support, the report said.

"A 'virtual organization' [also] could support the Joint Task Force [for] Computer Network Defense," the report said. Cohen established the JTF-CND in December 1998 to monitor and take defensive actions against hackers and other unauthorized users who try to penetrate DOD networks.

Rick Forno, a security officer for Network Solutions Inc. and the former senior security analyst at the House of Representatives' Information Resources Security Office, said the report's recommendation to use the reserves for cyber defense "is a great idea" and represents one of DOD's more innovative initiatives.

"I'm thrilled that DOD is looking to go outside the box on the Info-Protect/InfoCorps idea in the reserve components," said Forno, who proposed a similar idea to DOD a year ago. However, "it comes down to endorsement and support from senior leadership [whether or not] they let this organization function as intended," he said.

Anthony M. Valletta, vice president of C3I systems for SRA Federal Systems and former acting assistant secretary of Defense for command, control, communications and intelligence, said the concept of using the reserves in this manner is one that the intelligence community has proven works.

"When we did this with the intelligence community, it worked extremely well," Valletta said. "We have a lot of expertise in the reserves that we need to take advantage of."

The main challenge facing the reserve cyberdefense corps idea, according to Valletta, is training and equipping the reserves to carry out the mission. "We have to keep up with the technology, and the reserves have to have the latest capabilities," Valletta said. "That is a major change of philosophy in terms of equipping the reserves."
However, the idea of establishing a JTF for Homeland Defense also is an idea that some groups, particularly civil liberties organizations, may question.

"The main issue is the Posse Comitatus Act and the limits on military activity within the U.S.," said Mark Lowenthal, former deputy assistant secretary of State for intelligence and now a member of Valletta's C3I consulting team at SRA. "If it is limited to what are clearly DOD facilities, then there should be no problem," he said. "If it steps over that line, then there are some legal issues that have to be addressed."

Other recommendations contained in the report include using the reserves as part of a Joint Task Force headquarters for Homeland Defense, which would work with the Federal Emergency Management Agency and other civil authorities to coordinate responses to attacks involving nuclear, chemical and biological weapons, and increasing the use of smart card technology to reduce delays in processing reserve members for active-duty assignments.

@HWA

16.0 Kodak's new PROM copy-killer?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Kodak Introduces CD-PROM, Claims to Thwart Pirates

contributed by WareZ dud3
Kodak has introduced a new CD technology it calls CD-PROM or CD-Programmable Read Only Memory. It combines the standard CD with a small section of CDR that will contain specific information about the machine the software is registered to. Kodak claims this will stop piracy in its tracks. (It might stop the warez dudes from trading the latest version of Duke Nuke 'Em but it will do nothing to stop the professionals.)

Express News
http://www.expressnews.com/pantheon/news-bus/sheron-tech/2504rkodak_7-25nz.shtml

Kodak develops anti-hacker CD
Format is computer-specific, aims to foil non-customers

By Don Sheron
EXPRESS-NEWS SCIENCE/TECHNOLOGY WRITER

Software pirates have a new technological hurdle ahead of them.
Kodak has developed a way to make CD programs more secure from hackers and unlicensed users. It's a customized CD called the CD-PROM (Compact Disc-Programmable ROM). This includes the standard write-once feature of commercial software, but the CD-PROM also includes a recordable feature that identifies a particular computer to the CD.

"There's a lot of enthusiasm for this technology," said Bruce Ha, senior research associate at the Eastman Kodak Co. of Rochester, N.Y. "It's a format that people have been talking about for the past 10 years now."

The new hybrid technology allows software manufacturers to produce low-cost CD-ROMs with the ability to add CD-R (recordable) information. CD-PROM works like a normal CD software product, but using the software requires start-up information specific to the licensed consumer.

For instance, many software CDs require a registration code to unlock some or all of the program's features. To get the registration code, consumers can register their software online with the software manufacturer. To thwart Internet hackers, the CD-PROM will match the registration code with the licensed software, thus keeping hackers from using an illegal copy of the software.

Similarly, a CD-PROM is designed to work on software shipped with a specific computer. The CD-PROM can be set up to read only the BIOS information on the computer with which it was shipped. The BIOS (basic input/output system) loads and executes the computer's operating system, such as Windows 98.

"So (Microsoft) Office or any other program that comes bundled with that computer cannot be shared by anyone else," Ha said.

But making a CD-PROM has been difficult. A normal CD contains data embedded into "pits" that are pressed into the platter. The platter is then covered by an aluminum reflective layer and a protective plastic coating. On a CD-R, a single groove is pressed into the platter instead of pits. An organic dye is added for recording new information onto the platter.
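The registration-code and BIOS-binding idea the article describes, shown as an added example that is not Kodak's code and not from the article: the vendor issues a code by keying a hash of the machine's identifiers under a vendor secret (an HMAC), the code is written to the disc's recordable area, and at start-up the program recomputes the fingerprint from the live machine and checks the code against it. The BIOS field names, the HMAC construction, the product id and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed vendor secret for the example. A real vendor would keep this only
# on its registration server; see the note after the block on why that matters.
VENDOR_KEY = b"constructed-vendor-secret-for-illustration"


def machine_fingerprint(bios_vendor: str, bios_version: str, board_serial: str) -> str:
    """Hash the identifiers the disc is locked to (assumed fields, not Kodak's)."""
    material = "|".join([bios_vendor, bios_version, board_serial]).encode()
    return hashlib.sha256(material).hexdigest()


def issue_registration_code(fingerprint: str, product_id: str, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: bind product and machine fingerprint under the vendor key.

    The returned string is what would be burned into the disc's CD-R area.
    """
    mac = hmac.new(key, f"{product_id}:{fingerprint}".encode(), hashlib.sha256).hexdigest()
    return f"{product_id}-{mac[:32]}"


def verify_registration_code(code: str, fingerprint: str, key: bytes = VENDOR_KEY) -> bool:
    """Client side: recompute the expected code and compare in constant time."""
    try:
        product_id, _mac = code.rsplit("-", 1)
    except ValueError:
        return False  # malformed code, nothing to compare against
    expected = issue_registration_code(fingerprint, product_id, key)
    return hmac.compare_digest(code, expected)


def disc_unlocks_on(disc: dict, bios_vendor: str, bios_version: str, board_serial: str) -> bool:
    """Start-up check: the fingerprint of the machine we are running on must
    reproduce the code stored on the disc. `disc` models the CD-R area."""
    live_fp = machine_fingerprint(bios_vendor, bios_version, board_serial)
    return verify_registration_code(disc["registration_code"], live_fp)


if __name__ == "__main__":
    # Constructed machine: the one the disc shipped with.
    home = ("ExampleBIOS Inc.", "1.02", "SN-000123")
    disc = {"registration_code": issue_registration_code(machine_fingerprint(*home), "PICTURECD")}
    print("original machine:", disc_unlocks_on(disc, *home))
    print("other machine:   ", disc_unlocks_on(disc, "ExampleBIOS Inc.", "1.02", "SN-000124"))
```

Two design points follow from the code. With an HMAC the verifying side must hold the same key as the issuing side, so a shipped product would use a public-key signature instead, with only the verifying key on the disc; the HMAC is used here because it needs nothing outside the standard library. And binding the code to the machine protects the code, not the check: the program that performs the comparison still runs on the customer's machine, which is the gap the contributor's remark above about professionals points at.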
A reflective layer of gold or silver covers the dye, and then the CD gets a protective coating.

Some manufacturers have tried to add both pits and grooves onto a CD. But they have had problems with the disc being read properly. This can occur when the ROM reader switches to the recordable writer, or because the speed of the laser light reading the CD changes when it goes through different materials on the platter.

To get around this, Kodak decided to use a single, continuous groove pressed into the platter. The master disc is designed to make the CD reader think that the groove actually contains a series of pits.

Kodak is using the CD-PROM for its Picture CD product. Ha says no failures have been noticed after beta testing 20,000 discs in photo labs.

Saturday, Jul 24,1999

@HWA

17.0 Sandstorm Releases New Version of Phone Sweep
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian
Sandstorm Enterprises has released a new version of its $998 war dialing program called 'Phone Sweep'. It does have at least one cool feature, auto recognition of over 200 remote systems. Ummm, thanks but I'd rather have the free, non-hardware copy protected, Tone Loc.

Excite News
http://news.excite.com/news/bw/990721/ma-sandstorm

PhoneSweep
http://www.sandstorm.net/phonesweep/

Tone Loc - toneloc.zip
http://www.l0pht.com/~oblivion/blkcrwl/telecom/toneloc.zip

Tone Loc Utilities
http://www.l0pht.com/~oblivion/blkcrwl/telecom/toneutil.zip

Sandstorm Enterprises Announces Single Call Detect -- Advanced Telephone Scanning Technology to be Incorporated Into New Release of PhoneSweep

Updated 10:45 AM ET July 21, 1999

Most Significant Development in Wardialing Since the Movie "War Games"

CAMBRIDGE, Mass. (BUSINESS WIRE) - Sandstorm Enterprises Inc., an information security tools company, has released an enhanced version of its PhoneSweep telephone scanner, incorporating "Single Call Detect" to dramatically speed scans.
Additional features in PhoneSweep release 1.1 include an increase in the number of target systems recognized, to more than 200, and enhancements to the tool's brute force testing mode.

PhoneSweep is intended for use by security professionals to audit corporate telephone systems for vulnerabilities, such as undocumented modems tied to internal networks. PhoneSweep works like a computer criminal's "war dialer," and Sandstorm has found an enthusiastic market for PhoneSweep among security professionals who had been using such "hackerware" for lack of a commercially-developed and supported alternative.

"A surprising number of corporations, and even Federal agencies, have been using hacker tools like ToneLoc to carry out their telephone scans," said Dr. Ross Stapleton-Gray, Sandstorm's Vice President for Government Relations. "There's a certain irony -- and recklessness -- in relying upon unsupported, undocumented software to secure mission- or national security-critical networks."

Single Call Detect allows PhoneSweep to determine if a telephone is answered with a voice, a second dial tone, a fax machine, or a data modem with a single call. The determination is made in less than five seconds, speeding the scanning process.

"Dialing numbers and waiting for the modems to synchronize or time out, while simple, is neither efficient nor particularly effective," said James Van Bokkelen, Sandstorm's president. "Single Call Detect allows PhoneSweep to skip rapidly from number to number, ending a call as soon as a voice, busy or second dial tone is detected, and completing the average scan in less than half the time."

The speed and accuracy afforded by Single Call Detect also reduces any inconvenience to organizations being scanned, as PhoneSweep promptly releases connections upon encountering a live or recorded voice.

In developing PhoneSweep, Sandstorm worked with security expert Peter Shipley, who has scanned several million phone lines in the San Francisco Bay area.
Shipley's research has shown unsecured "back doors" at hundreds of sites -- including government and commercial systems -- that allowed full control to any caller without first asking for a username and password. Sandstorm has used Shipley's results to train its recognition engine, and Shipley has used PhoneSweep's recognition system to categorize and tabulate the results of his project.

Originally released last October, PhoneSweep is in use by both security departments and independent auditors at hundreds of sites in North America and overseas. PhoneSweep customers include both large and small companies, Federal and state governments and the military. PhoneSweep customers with current support contracts will all receive automatic upgrades to release 1.1.

PhoneSweep Basic ($980) supports a single modem and up to 800 phone numbers per scanning profile. PhoneSweep Plus ($2800) supports four modems for simultaneous scanning, and 10,000 number profiles. PhoneSweep Plus8 ($5600) supports eight modems with 10,000 number profiles.

Sandstorm Enterprises will be exhibiting at the 8th USENIX Security Symposium, August 23-26 in Washington D.C.

PhoneSweep(TM) and Single Call Detect (TM) are trademarks of Sandstorm Enterprises Inc.

Further details on PhoneSweep and "Single Call Detect" are available on the product Web site, at http://www.phonesweep.com

Contact:
Sandstorm Enterprises Inc.
In Boston, MA
Dick Guilmette, (617) 426-5056
dickg@sandstorm.net
or
In Washington, DC
Dr. Ross Stapleton-Gray, (703) 685-5197
rsgray@sandstorm.net

@HWA

18.0 Major FUD - US Under Attack by Russians
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by dis-crete
This article is so filled with FUD (Fear Uncertainty and Doubt) and so many unconfirmable statements it makes me ill. The few facts that are present are old and the rest is there to scare the hell out of you. I'd still like to talk to the guy who claims his print job was redirected.
He won't answer my emails.

The London Times
http://www.the-times.co.uk/news/pages/sti/99/07/25/stifgnusa03003.html?999

The Australian
http://www.theaustralian.com.au/world/4161044.htm

-=-

The London Times
http://www.the-times.co.uk/news/pages/sti/99/07/25/stifgnusa03003.html?999

Cyber assault: Clinton wants an extra $600m to combat threats such as Moonlight Maze

Russian hackers steal US weapons secrets

by Matthew Campbell
Washington

AMERICAN officials believe Russia may have stolen some of the nation's most sensitive military secrets, including weapons guidance systems and naval intelligence codes, in a concerted espionage offensive that investigators have called operation Moonlight Maze.

The intelligence heist, which could cause damage to America in excess of that caused by Chinese espionage in nuclear laboratories, involved computer hacking over the past six months. This was so sophisticated and well co-ordinated that security experts trying to build ramparts against further incursions believe America may be losing the world's first "cyber war".

Investigators suspect Russia is behind the series of "hits" against American computer systems since January. In one case, a technician trying to track a computer intruder watched in amazement as a secret document from a naval facility was "hijacked" to Moscow from under his nose.

American experts have long warned of a "digital Pearl Harbor" in which an enemy exploits America's reliance on computer technology to steal secrets or spread chaos as effectively as any attack using missiles and bombs. In a secret briefing on Moonlight Maze, John Hamre, the deputy defence secretary, told a congressional committee: "We are in the middle of a cyber war."

Besides military computer systems, private research and development institutes have been plundered in the same operation. Such institutes are reluctant to discuss losses, which experts claim may amount to hundreds of millions of dollars.
"We're no longer dealing with a world of disgruntled teenagers," said a White House official, referring to previous cases of computer hacking in which pranksters have been found responsible for incursions. "It is impossible to overstate the seriousness of this problem. The president is very concerned about it."

The offensive began early this year, when a startling new method of hacking into American computer systems was detected. A military computer server near San Antonio, Texas, was "probed" for several days by hackers who had entered the system through an overseas site on the internet. Dozens of infiltrations ensued at other military facilities and even at the Pentagon in Washington.

When research laboratories also reported incursions using the internet technique, officials realised that a "cyber invasion" was under way.

"There were deliberate and highly co-ordinated attacks occurring in our defence department systems that appeared to be coming from one country," said Curt Weldon, chairman of a congressional committee for military research and development. "Such a thing has never happened before. It's very real and very alarming."

Even top secret military installations whose expertise is intelligence security have been breached. At the Space and Naval Warfare Systems Command (Spawar), a unit in San Diego, California, that specialises in safeguarding naval intelligence codes, Ron Broersma, an engineer, was alerted to the problem when a computer print job took an unusually long time.

To his amazement, monitoring tools showed that the file had been removed from the printing queue and transmitted to an internet server in Moscow before being sent back to San Diego. "It turned out to be a real tough problem for us," he told a private computer seminar last month. It is not clear precisely what information was contained in the stolen document.
Beyond its role in naval intelligence, Spawar is also responsible for providing electronic security systems for the Marine Corps and federal agencies. It is suspected that several other intrusions had gone undetected.

Oleg Kalugin, a former head of Soviet counterintelligence now resident in Maryland, said such facilities were prime targets for Russian intelligence. He said the Federal Agency for Government Communications and Information, a former KGB unit that specialises in electronic eavesdropping, was certain to be exploiting the internet for spying on America. "That's what they're good at," he said.

America's high-precision technologies, including weapons guidance systems, are of particular interest to a country such as Russia where economic woes have prompted crippling cutbacks in funding for military research. "Russia is quite good at producing technology but can't afford to finance the research," said Kalugin. "It's easier to steal it."

The computer assaults have given fresh impetus to measures ordered by Clinton more than a year ago to protect the country's electronic infrastructure. Alerted to the threat of Moonlight Maze, the president has called for an extra $600m to help fund a variety of initiatives, including an infrastructure protection centre in the FBI to gauge the vulnerability of computer systems to attack. He has ordered the military to develop its own information warfare capabilities to respond to such attacks.

But Weldon, describing dependence on computer systems as "the Achilles heel of developed nations", said this is not enough. He is advocating the creation of a unit in the Pentagon under a senior commander to oversee the defence of computer systems.
According to other experts, America has been so preoccupied with beating the Y2K (year 2000) or millennium bug - a programming problem that could paralyse computers on the first stroke of the new year - that its military, scientific and commercial communities have neglected the overall security of their computer systems. At the same time, the huge number of systems being overhauled to make them Y2K-compliant has heightened the risk of infiltration.

Alarmed by the theft of military documents whisked to Russia, American officials argue that the country should brace itself for other, equally disturbing forms of information warfare that, in theory, could bring the country to its knees. China, Libya and Iraq are developing information warfare capabilities and, according to one White House official, "we see well-funded terrorist groups that also have such capabilities".

A series of war games conducted by experts last year revealed that the world's greatest superpower could be at the mercy of a handful of determined computer hackers paralysing airports, markets and military systems with a few taps on a computer laptop.

Suspicions that Russia is responsible are based partly on the involvement of Moscow-based internet servers in some attacks. But experts caution that evidence of a Russian hand in the operation may not signal a Kremlin connection. "It could turn out to be Russian organised crime," said one expert. "And they could be acting as a front for the intelligence community."

Ironically, the Russians are pressing for an international treaty to freeze information warfare. "We cannot permit the emergence of a fundamentally new area of international confrontation," Sergei Ivanov, the former Russian foreign minister, wrote in a letter to Kofi Annan, the United Nations secretary-general in October.

Subsequently, Russia's relations with America have reached their lowest ebb since the cold war because of Nato's intervention in Yugoslavia.
Relations with China have also suffered. An offensive in cyberspace may be their one way of retaliating without getting into a shooting war.

The Australian
http://www.theaustralian.com.au/world/4161044.htm

US losing cyber war to Russian hackers

From MATTHEW CAMPBELL of The Sunday Times in Washington
26jul99

US officials believe Russia may have stolen some of Washington's most sensitive military secrets, including weapons guidance systems and naval intelligence codes, in an espionage offensive that investigators have called Operation Moonlight Maze.

The intelligence action, whose damage to the US could exceed that caused by Chinese espionage in nuclear laboratories, involved computer hacking in the past six months. The operations were so sophisticated that security experts trying to build defences against further incursions believe the US may be losing the world's first cyber war.

Investigators suspect Russia is behind the series of hits against US computer systems since January. In one case, a US technician trying to track a computer intruder watched in amazement as a secret document from a naval facility was hijacked to Moscow from under his nose.

In a secret briefing on Moonlight Maze, deputy Defence Secretary John Hamre told a congressional committee: "We are in the middle of a cyber war."

Besides military computer systems, private research and development institutes have been plundered, US officials say. Such institutes are reluctant to discuss losses, which experts claim amount to hundreds of millions of dollars.

"It is impossible to overstate the seriousness of this problem. The President is very concerned about it," a White House official said.

The offensive began early this year, when a startling new method of hacking into US computer systems was detected. A military computer server near San Antonio, Texas, was infiltrated for several days by hackers who had entered the system through an overseas site on the Internet.
Dozens of security violations ensued at other military facilities, and even at the Pentagon, the US military headquarters in Washington. When research laboratories also reported Internet incursions, officials realised a cyber invasion was under way.

"There were deliberate and highly co-ordinated attacks occurring in our defence department systems that appeared to be coming from one country," said Curt Weldon, chairman of the congressional committee for military research and development. "Such a thing has never happened before. It's very real and very alarming."

Even top-secret military installations, whose expertise is intelligence security, have been breached. At the Space and Naval Warfare Systems Command in San Diego, California, which specialises in safeguarding naval intelligence codes, engineer Ron Broersma was alerted to the operation when a computer print-out took an unusually long time. To his amazement, monitoring checks showed the top-secret file had been removed from the printing queue and transmitted to an Internet server in Moscow before being sent back to San Diego.

Alerted to the threat of Moonlight Maze, President Bill Clinton has called for an extra $US600 million ($923 million) to fund a variety of security initiatives, including an infrastructure protection centre in the FBI to gauge the vulnerability of computer systems. The White House has ordered the US military to develop its own information warfare capabilities.

US officials warn other forms of electronic attack could potentially bring the country's military to its knees. China, Libya and Iraq are developing information warfare capabilities. And one White House official says: "We see well-funded terrorist groups that also have such capabilities."

@HWA

19.0 BO2K and SMS, Which One is Evil?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by maierj
We missed this last Friday but Jim Louderback, over at ZD Net, has some interesting comments regarding SMS and BO2K. Last week cDc challenged MS to recall SMS. cDc says that SMS has the same feature set as BO2K, and since BO2K is being classified as a Virus/Trojan then SMS must be one too. Jim asks the question: just what is a virus anyway?

ZD Net
http://www.zdnet.com/zdnn/stories/comment/0,5859,2300632,00.html

Virus identity beginning to blur

By Jim Louderback, ZDTV
July 23, 1999 10:49 AM PT

So what is, or what is not, a virus? That question took an interesting turn last week.

The kind folks over at Cult of the Dead Cow launched a counter-attack at Microsoft. Their new Back Orifice product, which allows remote monitoring and administration of computers over a LAN or the Internet, has come under fire from many quarters. Because after a surreptitious install it is virtually undetectable by the end user, many are calling it a Trojan Horse.

But a Trojan Horse is actually a program that calls itself one thing, but turns out to be something else. Unless a hacker or cracker developed a seemingly benign program that secretly installed Back Orifice's Server, it's just a program that does some powerful and possibly nasty things.

But Microsoft and others have been bashing Back Orifice. Symantec included Back Orifice server detection in their Anti-Virus product. And up on Microsoft's security site, they're calling Back Orifice 'malicious' -- primarily because it "Includes stealth behavior that has no purpose other than to make it difficult to detect."

But apparently that old stone and glass-house adage applies here.
Microsoft's own Systems Management Server (a.k.a. SMS) happens to have features surprisingly 'malicious' -- just like Back Orifice. SMS, in fact, does let you remotely control a user's PC without the client being aware of it. Apparently Microsoft included this feature at the request of their customers.

It should come as no surprise that some Microsoft actions could be characterized as malicious. Actually it's refreshing to have them finally admit it. And I got a good chuckle when the Cult of the Dead Cow issued a press release challenging Microsoft to recall SMS. And it's folly to assume that Symantec would scan for SMS in Norton AntiVirus, along with Back Orifice.

But it still raises the question of what is a virus. That feature is a useful tool when respected software vendor Microsoft sells it for many hundreds of dollars. But when a company calling themselves "the most influential group of hackers in the world" includes that same feature, and gives it away for free, suddenly it's a virus.

But that's not all. It seems that many PC vendors have been shipping an ActiveX control that unknowingly opens up a user's system to rape and pillage. The HP version of the control allows an e-mail to automatically download a program locally, install it and run it. The SystemWizard Launch ActiveX control can be executed from an Outlook or Outlook Express client. According to Pharlap CEO Richard Smith, similar versions of this control are shipped on many major computer systems (but not all of them -- my IBM ThinkPad is safe). For more information on this topic, head over to www.tiac.net/users/smiths/acctroj/index.htm.

So is the SystemWizard Launch ActiveX control a virus? Well it certainly has some elements of a Trojan horse. It sits on your PC, looking benign, until someone executes it in the right way. And it can severely compromise your security -- this is a perfect way to deliver Back Orifice or SMS, for instance.
Should Symantec's Norton Anti-Virus scan for this control as well? Or should you just turn ActiveX off in your browser? I'm not sure I have an answer, but these lines are going to continue to blur. And as we connect more and more devices up to the Internet, including phones, appliances and set-top boxes, "malicious" programs will have even more fertile ground to spread. And man, I'd hate to have my freezer infected with a virus.

@HWA

20.0 The Last True Hacker
~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by found on slashdot

So what exactly is a 'hacker'? Do the ethical hackers in the IBM ads count? Is Richard Stallman, as Steven Levy called him, the last true hacker? What about Linus Torvalds?

Boston Globe
http://www.boston.com/dailyglobe2/206/business/Scientists_and_hackers+.shtml

ECONOMIC PRINCIPALS
Scientists and hackers
By David Warsh, Globe Staff, 07/25/99

If the essence of politics is to be found in the shifting meaning of words, then few words carry a more interesting charge these days than ''hacker.''

For example, as one of a series of recent ads, IBM Corp. has been parading a photograph of employee Nick Simicich, ''Ethical Hacker.'' Flowing-bearded, fish-shirted, felt-hatted, granny-glassed, Simicich is described as a ''paid professional paranoid.'' His job: to determine whether software systems are susceptible to hackers. His distinction: He protected the electrical power infrastructure in the United States from ''cyber-jackers bent on misdirecting electricity with bogus information.''

So much for the limits of the current definition of hacker: the principled tester-of-limits vs. the high-tech saboteur. But if you listen carefully to the leading innovators in computer systems, you realize that the applicability of the term is expanding rapidly.
Consider the story of how Linus Torvalds, and not Richard Stallman of the Massachusetts Institute of Technology, came to pose the chief threat to the world's first centibillionaire, Bill Gates.

Stallman would seem to be the hacker par excellence - ''the last true hacker,'' as author Steven Levy called him in his famous book. Even though it was Harvard College that he entered in 1970, it was down the street at MIT that Stallman found his spiritual home. There he imbibed deeply the peculiar sensibility that is one of MIT's enduring contributions to computer culture.

He rendered a small jewel of a hack of one sort a few years ago when he posted an official-looking sign on the spot that serves as the Wellesley terminus of the shuttle bus that has connected Wellesley College and MIT since the mid-1960s. Barbedall Square, it read. At the MIT end of the line, of course, is Kendall Square. (It helps to say them out loud.) Such is the world of an MIT hacker: high-spirited, clever, accomplished, and, just possibly, but not necessarily, oriented to the occasional countercultural prank.

According to Stallman, the use of ''hacker'' to mean ''security breaker'' is mass media confusion. Hackers themselves, he says, use the word to mean ''Someone who loves to program and enjoys being clever at it.''

Stallman's significance goes far beyond a few practical jokes, however. It was in 1981 that a little start-up company known as Symbolics Inc. hired away most of the staff of MIT's Artificial Intelligence Lab and set them to work writing proprietary software. At about the same time, Digital Equipment introduced its new VAX computers, with brand-new proprietary operating systems. The community of pioneering software sharers that had grown out of the Model Railroad Club at MIT suddenly collapsed.

So Stallman did a historic thing. Instead of joining the proprietary world, he set out to make a free, shareable operating system that would work on any computer and run any program.
There would be none of the nondisclosure agreements that characterized the nascent software industry. Stallman dubbed his ambitious project the GNU system.

But first there would have to be tools. His first big achievement was EMACS, a compiler and text editor that rendered possible more ambitious programming. Other programs followed. All were freely made available to others under the ''copyleft'' license Stallman and his friends devised to keep the underlying source code open - that is, to protect the right of other users to know and modify the basic code.

Stallman's Waterloo was the operating system's ''kernel,'' the core part of the operating system where memory is allocated among all the other programs: scheduling, signalling, device input/output, and so on. When Stallman turned his shoulder to the task in 1990, the dogma among computer scientists in cutting-edge American universities such as MIT was that something called a ''microkernel'' would be required to make a truly portable system. A microkernel would be a kind of coded general theory of all computer architectures; it would be required before such a system could run on any hardware.

Cut to Helsinki in 1991. A young Finnish graduate student named Linus Torvalds, comfortably outside the circuits of grant-supported American computer science research, decided to try an alternative approach - a ''monolithic kernel,'' simpler, but far faster and already relatively well-understood. ''I am a pragmatic person,'' Torvalds has written. '' ... I didn't have to aim for such a lofty goal. I was interested in portability between real world systems, not theoretical systems.''

So Torvalds read up on the systems in use, in search of common denominators between them. Once he had a design for a certain task - for memory management, say - that would be on the most popular chips, he put it out to an extensive list of correspondent hackers to see how it could be improved.
At first it was written to suit just one architecture: the Intel 386. Gradually a kernel emerged that could control the most popular microprocessors - the 68K, the Sparc, the Alpha and the Power PC. Torvalds then combined his kernel with a good bit of the GNU programs Stallman and his friends had written, and presto! The operating system that has become known as Linux - similar in spirit to AT&T's Unix system but not based on it - was ready to be distributed and more or less continually improved.

And because it had been written - hacked - by an impassioned graduate student in Finland and a relentless code warrior in Cambridge and a few hundred collaborators for their individual satisfaction and shared use, it was available to others for free. And in the last 10 years the project originally envisaged by Stallman and Torvalds and a handful of others has grown into a credible threat to Windows NT - the Microsoft operating system with its secret proprietary source code on which rests Bill Gates' most basic hopes for the 21st century.

''Linux today has millions of users, thousands of developers, and a growing market,'' Torvalds has written in ''Open Sources: Voices from the Open Source Revolution,'' the O'Reilly & Associates anthology from which this account is drawn. ''I'd like to say I knew this would happen, that it's all part of the plan for world domination.

''But honestly this has all taken me a bit by surprise. I was much more aware of the transition from one Linux user to one hundred Linux users than the transition from one hundred to one million.''

And the point? Simply that the neatly barbered and quietly circumspect Torvalds is every bit as much a hacker as Stallman - a fact the flamboyant Stallman readily concedes. So what is a hacker, after all?
Eric Raymond offers this definition in the third edition of his New Hacker's Dictionary: ''A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.'' Torvalds' success suggests that even that definition may be too narrow.

Remember, it was only 150 years ago that thinkers and wordsmiths of all sorts were trying to agree on a term that could apply equally to all the different sorts of intellectuals who had emerged from the precincts of philosophy and natural history. It seemed clear these new professionals shared an ethic. Their methods and goals were unfamiliar and, quite possibly unique. They even admitted women to their ranks! In the England of the 1830s, it took a decade before the term ''scientist'' emerged and won common acceptance.

This story ran on page G01 of the Boston Globe on 07/25/99.
© Copyright 1999 Globe Newspaper Company.

@HWA

21.0 One Russian ISP Standing Up to FSB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Arik

ISP Bayard-Slavia Communications is refusing to go along with SORM-2 (System of Efficient Research Measures 2). In a supposed effort to reveal tax evaders and other criminals SORM-2 gives Russia's Federal Security Service (FSB) the right to look into private e-mail without a warrant. SORM-2 calls for ISPs to install special listening equipment to keep its ISP license. Bayard-Slavia is the only ISP we have heard of that is refusing to go along with these provisions.

Information Week
http://www.techweb.com/wire/story/TWB19990726S0003

Russian ISP Refuses To Spy On Customers
(07/26/99, 6:35 a.m. ET)
By Marina Moudrak, Data Communications

At least one Russian ISP is refusing to go along with a directive that lets the government spy on customers -- and it's paying the price.
The directive is known as System of Efficient Research Measures 2 (SORM 2), and it gives Russia's Federal Security Service (FSB) the right to look into private e-mail without a warrant, under the pretense of sniffing out tax dodgers and corruption. It also calls for ISPs to pay for surveillance equipment in their servers and a link to FSB headquarters in Moscow.

But ISP Bayard-Slavia Communications is refusing to go along with SORM-2, and now the government is taking action. According to Bayard-Slavia director general Nail Murzakhanov, the FSB tried to shut down the ISP by withdrawing its license and challenging its right to frequencies used for its satellite connection to Moscow. Eventually, it found a way to freeze the ISP's bank account so it couldn't pay for the satellite connection at all.

"We will never help the FSB implement illegal shadowing," Murzakhanov said. "We're the first ISP to struggle against illegal information collection. Unfortunately, we're also likely to become the first to be destroyed because of insubordination."

@HWA

22.0 GameBoy Steals Cars and Makes Free Calls
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by doc

A GameBoy, GameBoy Pocket, or GameBoy Color has software available with the ability to turn your GameBoy into a RedBox (Toll Fraud Device). This software has been around for a while. These GUI based applications allow you to use your GameBoy to make free long distance calls, crack answering machine passwords, and just use it as a tone dialer. Well the new GameBoy Color has an interesting feature, an IR port. As mentioned on HNN and elsewhere a few months ago there are vehicles that use IR as a locking mechanism. With currently available software you can now teach your GameBoy various IR codes including those to unlock vehicles. Wondering how you get these programs into your GameBoy?
Well, Nintendo recently lost the court case against the person making and selling GameBoy ROMS which makes it real easy to transfer files around. Another example of how it is not the tool that is malicious but the user.

Ratb0y's Homepage
http://homepages.go.com/~ratb0y/gameboy.htm

@HWA

23.0 Mitnick Retains High Profile Lawyer For State Case
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Ryan

Kevin Mitnick's sentencing for the Federal charges he has already pleaded guilty to was delayed again yesterday. In the meantime Kevin has retained well known defense attorney Tony Serra, to handle his state charges. This is an exposé that does a decent job of giving a broad overview of the legal side of the Kevin Mitnick case.

Cal Law - Tony Serra Profile
http://www.callaw.com/weekly/feata726.html

Wired- Sentencing Delayed
http://www.wired.com/news/news/politics/story/20953.html

-=-

The Hacker and the Toker
With the L.A. district attorney's office on his case, Kevin Mitnick hopes Tony Serra will help him beat the rap
By Paul Elias, Omar Figueroa and Carolyn Hagin

Tony Serra doesn't use a computer. He has never surfed the Net. On the whole, he'd rather sit in front of the fire with some 19th century American literature and enough marijuana to stone an elephant. The famous San Francisco defense lawyer is your basic hash-smoking Luddite.

"My wife has a computer," he says. "She's on it every night. I can't get her off the fucking thing."

It's no surprise then, that Serra has never defended anyone accused of a computer crime. He hasn't even come close in his 37-year legal career. "I do dope and murder, man," he says. "That's all I've done my entire life." As in defending the likes of Proposition 215, Black Panther Huey Newton and Ellie Nesler, the woman convicted of gunning down her child's molester. Serra once offered to defend Ted Kaczynski -- the king of the Luddites -- by invoking Kaczynski's anti-technology views.
The Unabomber readily accepted the offer but a judge wouldn't allow it.

But all of that was before Kevin Mitnick, the most revered martyr of hackerdom, placed a collect call to Serra's office last month looking for pro bono representation. Mitnick is the most notorious member of an emerging class of cybercriminals. Over the last decade, he has faced three federal prosecutions for hacking into other people's computers and related charges, and is now facing a case in state court.

Luckily for Mitnick -- and for Serra -- the hacker's call was fielded by one of two bright acolytes who work in Serra's office, housed on a pier along the San Francisco waterfront. The two young lawyers then fiercely lobbied Serra to take the case, a single count of computer hacking that's being prosecuted by L.A. District Attorney Gil Garcetti's office. The charge was actually filed seven years ago, but Mitnick has yet to be arraigned.

"Tony wasn't very excited about it at first," recalls Omar Figueroa, the 28-year-old lawyer who talked to Mitnick first. But when Figueroa and colleague Carolyn Hagin, 27, explained to Serra that the case was bigger than a mere fraud case -- that it came complete with a big counterculture community that knows how to get good press and involved a new civil rights frontier -- Serra relented. But with one proviso: Figueroa and Hagin would have to do all of the pretrial work, then give Serra a crash course in technology on the eve of trial.

It's an arrangement that suits everybody just fine. "I've always had an interest in cybercrime," says Hagin. "It's part of our generation."

Now even the 64-year-old Serra, who knows far more about Tibetan prayer flags and Native American rituals than he does about HTML and encryption, says he's looking forward to going to trial. "I view this as a political case," he says.
Indeed, political cases are Serra's specialty, and he is the poet laureate of defense attorneys who successfully cast their clients as victims of oppressive government forces. "Political case" is also code for "good ink."

Serra said the same thing about the Mendocino County murder trial of Eugene "Bear" Lincoln, a Native American who was accused of killing a white deputy sheriff during a shoot-out on a reservation in 1995. Press coverage was extensive and mostly favorable as Serra successfully turned the tables on Mendocino County prosecutors and sheriffs -- and the entire power structure of the area -- by arguing that Native Americans had suffered centuries worth of abuse and discrimination. An all-white jury acquitted Lincoln in 1997, believing he acted in self-defense.

Word of Serra's victory circulated through the state's jails and prisons. Mitnick, along with much of the inmate population, was impressed by Serra's work on that case, and it reportedly prompted him to call Serra as his own case neared trial.

Kevin Mitnick may not hold a college degree, but he is certainly no Luddite. Long before the Internet became a household staple and years before Yahoo and bandwidth emerged as commonplace jargon, the self-taught Mitnick was a cyberspace juvenile delinquent.

At 17, Mitnick spent three months in L.A.'s Juvenile Detention Center for destroying Pacific Bell computer data. Two years later, in 1983, University of Southern California campus police arrested Mitnick while he was sitting at a computer in the school's terminal room, attempting to break into a Pentagon computer. He spent six months in a California Youth Authority prison after that arrest.

But his two brief stints behind bars as a teen-ager seemed only to embolden him as an adult. Instead of using his computer skills for gainful employment, Mitnick couldn't shake his compulsion to hack.
All of the myriad profiles of Mitnick available online paint him as the quintessential computer geek motivated not by money but by the ability to access highly sensitive information for the hell of it. He just couldn't resist the siren song of forbidden access.

In 1987, he was arrested and convicted by a state court of stealing software from a software company and sentenced to 36 months of probation. Two years later, he pleaded guilty in federal court to breaking into a Digital Equipment Corp. computer, after which Los Angeles U.S. District Judge Mariana Pfaelzer sentenced him to a year in prison and six months of therapy to combat his computer "addiction."

In 1992, while Mitnick was working at the Tel Tec Detective Agency, the FBI -- suspecting that he was illegally using a commercial database system -- launched yet another investigation into his activities. Pfaelzer soon issued an arrest warrant for Mitnick, who was charged with one count of hacking and one count of violating the terms of his 1989 probation.

But when federal authorities showed up to arrest him, Mitnick had vanished, and a two-year, high-tech cat-and-mouse game with his pursuers began. He ultimately made the FBI's most-wanted list.

At one point, in late 1992, investigators from the California Department of Motor Vehicles almost caught Mitnick. Someone using a valid law enforcement requestor code called the DMV and requested that a photo of a police informer be faxed to a number in Studio City. The number turned out to be a Kinko's copy center, and Mitnick was seen leaving the store with the fax. But Mitnick spotted the investigators, dropped the fax and outran them.

Federal authorities finally arrested Mitnick in February 1995 in Raleigh, N.C., after an extensive manhunt, which had been fueled by front-page coverage in The New York Times.
He quickly agreed to plead guilty to violating his probation and to a new hacking charge filed by federal prosecutors in Raleigh and was sentenced to 22 months in prison. He was soon transferred to the Federal Detention Center in Los Angeles, where he faced 25 more counts of hacking and illegal copying of information during digital break-ins of companies, including Sun Microsystems Inc.

In March of this year, he cut a plea bargain with federal prosecutors that requires him to serve an additional year in federal custody. In theory, he could move into a halfway house as early as next month to finish out his sentence.

Though he pleaded guilty to the high-tech crimes against Sun and others, Mitnick claims he didn't share the information with anybody. Prosecutors and the victimized companies claim that $150 million worth of their research and development has been ruined. The government, though, is asking the court to order Mitnick to pay a more modest $1.5 million in restitution.

But Mitnick's court-appointed lawyers, led by Donald Randolph of Santa Monica's Randolph & Levanas, contend that Mitnick caused little, if any, actual damage. They're arguing for a $5,000 fine. Pfaelzer has scheduled a hearing on the subject for July 26.

Bespectacled and pudgy, Mitnick now uses his abundant nervous energy to review the case against him. He spends most of his waking hours poring over court documents and constantly calling his attorneys to discuss his case. "He reviews his case in detail," says Hagin, of Serra's office. "He's an extremely intelligent guy."

Once Mitnick settles his federal affairs, he still has to contend with the L.A. DA's single charge of computer fraud for allegedly duping the DMV to fax him the informer's photo. It is that charge that may prevent him from getting into a halfway house to serve out the rest of his federal sentence. No bail in the state case, no halfway house.
In fact, Mitnick fears prosecutors will try to have him moved from the federal jail to the dreaded county jail.

"We've been waiting to prosecute him for five years," says L.A. Deputy District Attorney Larry Diamond, who brushes off criticism that the state charge and the $1 million bail amount to overkill. "Because he wants to finish his [federal] sentence in a halfway house," an unsympathetic Diamond retorts, "Kevin wants special treatment."

In fact, argues Diamond, Mitnick has been receiving special treatment since Pfaelzer first put him on probation in 1989 for hacking. The 25-year veteran of the DA's office is unimpressed with just about every aspect of Mitnick's case. He dismisses Mitnick as "just another case" and Serra as "just another defense attorney." As for his view of Pfaelzer: "She's coddled 'poor Kevin' from day one."

Diamond also rejects the argument that the bail is excessive -- the bail schedule calls for $25,000 -- saying Mitnick has been a "notorious fugitive."

But Diamond reserves his harshest criticism for the federal prosecutors on the Mitnick case. "The real story here," he growls during a telephone interview from his Van Nuys office, "is how the U.S. attorney gave this case away."

To begin with, Diamond believes Mitnick shouldn't even be appearing in front of Pfaelzer, but rather in a federal court in North Carolina because that's where he was arrested back in 1995. Not only was he charged with violating his probation but he was indicted by a Raleigh grand jury on 25 fresh charges of hacking, wire fraud and theft of intellectual property. Mitnick cut a quick plea deal with Raleigh prosecutors so he could be transferred back to L.A. to face yet another set of hacking charges. The Southern California case was also disposed of with a plea deal, which Mitnick entered in March.

"It's bizarre," Diamond says of the federal proceedings. "Completely bizarre."

L.A. Assistant U.S. Attorney David Schindler, who handled Mitnick's latest federal case, has heard it all before. In fact, he's getting blasted from both sides of the Mitnick issue. Critics such as Diamond say he's gone too soft on Mitnick. Meanwhile, a growing number of young computer nerds protest that Mitnick is a political prisoner who has done little -- if anything -- illegal, and is relentlessly being pursued by different sets of prosecutors. Even if he did all the things that he has done, the theory goes, he's already received the harshest punishment ever for hacking. Pro-Mitnick protesters are pleading their case on numerous Web sites.

But Schindler, who has been locking up hackers since 1991, says Mitnick got the same prison sentence he would have received had he gone to trial. "What we gave away [with the plea bargain] was the right to argue for an upward departure" in Mitnick's sentence, says Schindler, referring to a prosecutor's ability to seek a longer prison term than the one called for in federal sentencing guidelines.

Schindler concedes that Mitnick's sentence is the longest that he has seen during the years he's been prosecuting hackers. Kevin Poulsen, another infamous hacker that Schindler prosecuted, received a 51-month sentence. He was also ordered to pay about $100,000 in restitution. When all is said and done, Mitnick will have been sentenced to 68 months in federal custody, may yet do state time, and may also be ordered to pay several times the restitution Poulsen did.

And as for Diamond's forum-shopping charge, Schindler says, "Mitnick begged us to transfer him to L.A."

That J. Tony Serra has taken Kevin Mitnick's case goes to show how ubiquitous this Internet thing has become.
The Digital Age has truly affected all segments of society if it has touched an aging radical lawyer like Serra, who has his marijuana prescribed by a doctor and who's known for driving rusting junkers around town, only to abandon them on the street the minute they finally give out on him.

His association with Mitnick will certainly make him and his associates extremely simpatico with all of hackerdom. That crowd is facing increased government scrutiny as the Department of Justice continues to dedicate more money each year to fighting cybercrime.

"This was our first case relating to computers," says Santa Monica defense attorney Gregory Vinson, who is assisting Randolph with Mitnick's federal case. "It's an area we are going to develop more."

U.S. Attorney General Janet Reno has asked Congress to give the Justice Department's computer crimes and intellectual property division an additional $120 million to fight cybercrime next year. Other agencies -- federal and local -- are beefing up their cybercrime forces as well.

"If someone would have told me two years ago that I would be prosecuting Internet fraud, I seriously would have laughed in their face," Jay Perlman, deputy chief of the Securities and Exchange Commission Office of Internet Enforcement, said recently at a cybercrime symposium in Virginia.

In the wake of several Mitnick-inspired hack jobs on government Web sites in the past year, a federal multi-agency task force has been formed in Dallas specifically to fight hackers. The task force has issued 16 warrants in 12 jurisdictions, but has yet to charge anyone with a crime.

"So far, cybercrime has mostly been a federal effort," says Jennifer Granick, a San Francisco criminal defense attorney who is carving out a nice niche for herself as a computer crime specialist. "But the locals are getting increasingly involved, too."
By 2005, it's predicted that one billion people worldwide will be on the Internet, and prosecutors expect the number of cybercrime cases will rise accordingly.

A closer look makes it clear that Serra and Mitnick have more in common than not. Both stand out as countercultural icons for their peers. Serra is a hero to every hippie who went to law school, while Mitnick appeals to disaffected youths who are known as hackers, crackers and high-tech poseurs. Both have inspired the creation of Hollywood movies. James Woods played a Serra-like character in 1989's True Believer while Mitnick's life goes on the big screen next month in Takedown, which chronicles the manhunt for him.

So it's not a stretch to imagine Serra representing more hackers and others accused of computer crimes down the line. But first, he's got to learn how to use a computer -- or at least speak the language. "I don't even know any of the terminology," he says. "I'm organic, man."

He hasn't even spoken with Mitnick yet. Instead, it's been Figueroa and Hagin who have been answering Mitnick's daily telephone calls. Truth is, this is really their case. Sure, Serra will handle the trial and all the big hearings such as a motion to dismiss. And it will be Serra pushing the David versus Goliath angle and garnering all of the press. But it's Figueroa and Hagin who will do the heavy lifting, such as wheedling discovery out of Diamond and handling Mitnick's bail appeal.

That's the way it works in Serra's office, and the two young lawyers are appreciative. Both have been attorneys for less than a year and probably would not have landed work on such a high-profile case -- albeit for expenses only -- if not for Serra. He says he'll give them a chance to examine witnesses if Mitnick's case gets to trial. Both appear ready.

Serra always seems to have smart neophyte lawyers in orbit around his office.
Figueroa graduated from Stanford Law School while Hagin is a product of the University of San Francisco School of Law. Both gained invaluable experience as clerks to Serra when they rented a house in Ukiah during the Bear Lincoln trial, during which they wrote many of the case's motions.

They also appear smart enough to ignore Serra's complaints of high-technology ignorance. "Tony pretends to be mystified by computers," says Figueroa. "But he's not. He'll be ready for trial."

Paul Elias is a reporter at The Recorder, a San Francisco affiliate of California Law Week.

Wired- Sentencing Delayed
http://www.wired.com/news/news/politics/story/20953.html

More Delays for Mitnick
by Douglas Thomas
3:00 a.m. 27.Jul.99.PDT

The sentencing hearing for convicted cracker Kevin Mitnick was postponed for a fourth time Monday and rescheduled for 9 August. US District Judge Marianne Pfaelzer issued a continuance because of scheduling conflicts, according to a court clerk.

Mitnick pleaded guilty on 26 March to five counts of a 25-count federal indictment and two related counts from a Northern California indictment. His plea agreement resulted in a 54-month prison sentence, making Mitnick eligible to be released into a halfway house pending Pfaelzer's approval and permission from the State of California.

A pattern of delays has plagued the case from its onset. What remains to be determined in Mitnick's sentencing is the judgment for restitution which Pfaelzer has made clear she will issue. The government contends that Mitnick should be forced to repay US$1.5 million dollars in damages to the victim companies. In the pre-sentence investigation report, Mitnick's attorneys said their client is unable to pay anywhere near that amount and should only be required to repay about $5,000.

Mitnick had already spent more than four years behind bars at the Los Angeles Metropolitan Detention Center. At the original hearing in March, sentencing was delayed until 14 June.
That hearing was again continued to 12 July, when attorneys were unable to reach an agreement about the terms of restitution. The judge was unprepared to rule, due to a last minute filing by the government to which the defense was unprepared to respond.

Mitnick Fans Await Denouement
by Douglas Thomas
3:00 p.m. 13.Jul.99.PDT

LOS ANGELES -- Kevin Mitnick's allies rallied here Monday, as the cracker's expected prison term is still up in the air.

Mitnick's sentencing hearing was attended by a number of computer hackers, fresh from Las Vegas where they had attended the annual DefCon hacker meeting. Defense attorney Donald Randolph spoke to a gathering of a dozen or so hackers in the hallway. "It was nice to see some friendly faces," he said, and thanked them for their continued support.

That support was much needed after US District Judge Marianne Pfaelzer had been particularly tough on both attorneys Monday, comparing them to bickering kids. She went so far as to call the government's motion to sanction attorney Randolph for the release of several letters from victim companies "childish."

The current sentencing proceedings mark the climax to what has been a years-long campaign in the hacker community. Hackers have focused their attention on the case, launching Web sites like kevinmitnick.com, protests reaching as far as Moscow, and Web site defacements to draw attention to what they see as Mitnick's unjust prosecution and a violation of his Constitutional and civil rights.

Kevinmitnick.com tracks media coverage of the case, and offers information, commentary, and online versions of most of the court filings. Other activists have printed "Free Kevin" bumper stickers and T-shirts, and some have proposed relatively mainstream money-making ventures to help contribute to Mitnick's legal defense fund.
While the activists continually grouse over media coverage of the Mitnick case, citing inaccurate or misinformed accounts, they have also learned the importance of working to provide the press with accurate information.

Particularly infuriating to hackers are claims that Mitnick has been accused or convicted of stealing credit card information (he hasn't), that he has appeared on either the America's Most Wanted TV program or on the FBI's "Ten Most Wanted List" (neither is true), or that he has threatened national security by breaking into NORAD (also not true).

The importance of these media reports and mis-characterizations was driven home last week when a municipal court judge in Van Nuys, CA set Mitnick's bail for his upcoming state case at $1 million dollars, based primarily on media coverage of Mitnick's hacking exploits. Judge Pfaelzer barred Mitnick from the hearing, and wondered "when do newspaper stories count as evidence in a court of law?"

Many hackers have challenged the court's decisions, ranging from the denial of a bail hearing to a four-year pre-trial incarceration. They charge that the court has repeatedly denied requests for access to court information considered vital to Mitnick's defense.

Although the government's goal has been to "send a message" to hackers about the severity of these crimes and to demonstrate their willingness to prosecute them, hackers appear to be receiving a different message. One hacker said Monday that the court is doing little to deter him, and instead is, in effect, telling him "be more careful, don't get caught." Another hacker, Kerry Zero, said the government's agenda in this case is to set a foundation which "makes it easier to prosecute hackers in the future."

Not surprisingly, many supporters painted Mitnick as the victim in the case. They said that the financial damages being claimed are overstated, and that no adequate explanation has been offered for why Mitnick was held for so long without a trial or bail.
"All this talk about protecting the victim -- Kevin is the victim in this case," said one hacker, who asked not to be identified. After the hearing, three hackers, Teklord, Bonq, and Sig9, all expressed deeper concerns about the case. For Teklord, the result was one of dismay. "I'm confused about the government," he said. "The system is supposed to protect people and it's failing us." Bonq expressed a similar confusion. "I don't know who to trust." And after watching the hearing, Sig9 said he had "lost a lot of respect for the system." For many hackers, the Mitnick case has been a civics lesson in how the system works. Biff Macki, a hacker who has followed the Mitnick case for some time thinks the lesson is pretty clear-cut. "If the government wants you, they'll get you, no matter what," he said. The problem, he says, is in the system itself. "[The US government has] millions of dollars to spend and it is impossible to organize an adequate defense on 15 minutes of collect calls a day from federal prison." @HWA 24.0 Back Orifice for Macintosh? ~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Nick SecureMac.com has a story about TakeDown Suite 2.5, a backdoor program similar to the original Back Orifice. Once installed the application allows someone to remotely administer the machine. This is similar functionality to Back Orifice, which only works under windows. TakeDown Suite operates by installing an invisible extension into the system folder, when the machine next reboots it is vulnerable. Now where is that idiot that said Macs where secure? Secure Mac http://www.securemac.com/ 25.0 AOL Criminals Busted ~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by Lamer After sending out bogus emails to AOL customers asking for credit card numbers two teenagers where able to get 900 people to cough them up. With about a 2% return rate on the emails they sent out the pair started to use the credit card numbers. 
They bought computer equipment that they later sold on eBay and sold the numbers in chat rooms. The Department of Justice and FBI both worked on the case but would not reveal how the two had been caught. (I am glad the author did not call these two 'hackers')

APB Online
http://www.apbonline.com/911/1999/07/23/netcredit0723_01.html

AOL USERS DUPED BY TEENS, COPS SAY
Hundreds Sent Credit Card Numbers in Response to E-Mails

July 23, 1999
By Valerie Kalfrin

SACRAMENTO, Calif. (APBNews.com) -- Two teenagers who police say illegally accessed America Online and wrote e-mails pretending to represent the company duped about 900 people into giving them their credit card numbers, authorities said today.

Dino Dagdagan, 18, of Carson and a 17-year-old home-schooled Sacramento student are charged with felony possession of access to credit accounts and other crimes.

The two allegedly sent out thousands of e-mails to America Online customers, claiming there was a problem with their accounts and asking the subscribers to visit a Web site to correct matters, officials said.

Fake Web site

But the Web site, too, was a fake, set up to glean the unsuspecting customers' credit card numbers, said Sgt. Rick Gibson, a spokesman for the Sacramento County Sheriff's Department.

"People should call the company and make sure it's a true communication and a real Web site," Gibson told APBNews.com today. "Out of every 10,000 e-mails they sent out, about 200 customers would give them information."

The 17-year-old allegedly traded or sold the numbers in Internet chat rooms while Dagdagan allegedly used the credit card accounts to buy computer equipment, which he then sold via the online auction site eBay, Gibson said.

Task force tracks down suspects

Customers alerted police to the scam about a month ago when they noticed purchases on their credit card bills that they had not made, police said.
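The scam above works because the mail claims one identity (AOL) while its link leads somewhere else. The Python below is an added example, not part of the APB story or of this ezine, that applies Sgt. Gibson's advice mechanically: it pulls the URLs out of a message, checks whether each link's host actually belongs to the domain the From: header claims, flags bare-IP links, and counts the pressure phrases such lures lean on. The two sample messages, the domains (aol.com, example.net), the phrase list and the two-label domain rule are all constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed samples (not from the article). The first claims to come from AOL
# but points at a look-alike host; the second links to the sender's own domain.
SAMPLE_LURE = """\
From: AOL Billing <billing@aol.com>
To: member@aol.com
Subject: Problem with your AOL account
Content-Type: text/plain; charset=us-ascii

Dear Member,

There is a problem with your account. Please visit
http://aol-billing-update.example.net/verify.cgi and re-enter your
credit card number within 24 hours or your account will be suspended.
"""

SAMPLE_LEGIT = """\
From: AOL Member Services <help@aol.com>
To: member@aol.com
Subject: Your monthly statement
Content-Type: text/plain; charset=us-ascii

Your July statement is available at http://www.aol.com/statements
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# Wording typical of account-problem lures; assumption for the example.
LURE_PHRASES = ("problem with your account", "credit card", "suspended",
                "within 24 hours", "verify your account")


def registrable_domain(host):
    """Collapse a hostname to its last two labels (www.aol.com -> aol.com).
    Good enough for the sample; real code would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_message(raw):
    """Return the claimed sender domain and every reason to distrust the mail."""
    msg = email.message_from_string(raw, policy=policy.default)
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    sender_domain = registrable_domain(m.group(1)) if m else ""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        # The core check: does the link go where the From: header says it should?
        if registrable_domain(host) != sender_domain:
            findings.append(f"link to {host} but sender claims {sender_domain}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link uses a bare IP address: {host}")

    lowered = text.lower()
    hits = [p for p in LURE_PHRASES if p in lowered]
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))

    return {"sender_domain": sender_domain,
            "suspicious": bool(findings),
            "findings": findings}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(name, analyse_message(raw))
```

The check is deliberately one-sided: a matching domain proves nothing if the From: header itself is forged, so this catches the lazy version of the scam (a look-alike site) and not a sender spoof; the phone call the sergeant recommends is still the only check that does not depend on anything in the message.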
A Northern California multi-agency task force, including computer-crimes experts from the Department of Justice and FBI, helped track down the youths, Gibson noted, although he would not go into specifics. "We have ways of doing things," he said.

The juvenile, who was released to his parents' custody last week, is accused of obtaining the illegal access to the Sterling, Va.-based Internet service provider, officials said.

Dagdagan, who is free on $10,000 bond, also faces possession of stolen property and an additional computer-crimes charge. He's due to be arraigned July 28 in a Lynwood court.

America Online's corporate headquarters did not return a phone call seeking comment today.

@HWA

26.0 Press Does Not Know What to Say About BO2K
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

The number of articles that are showering accolades onto BO2K is amazing. Ok, maybe they aren't all that positive, but at least neutral and not claiming it is a trojan/virus. Some people still aren't getting the full picture but at least this is progress.

InformationWeek
http://www.informationweek.com/745/45iujl.htm

InternetView: Pariah's Software Has Value
By Jason Levitt

Except for its peculiar name and seemingly sinister authors, Back Orifice 2000, the recently released remote administration software for the Windows and Windows 2000 platforms, might be considered a contender in any comparative product review. Instead, it's a pariah, demonized because it's been misused by some Internet villains, and ignored because its authors don't appear to have day jobs.

Yet this software is deserving of closer attention, if only because it's high-quality programming released as free software under the GNU Public License. Sure, there's reason enough not to trust the software--the employees of the virtual vendor that created it, the Cult of the Dead Cow, won't reveal their real names.
Nevertheless, BO2k doesn't look so bad stacked up against mainstream commercial competitors such as Symantec's pcAnywhere, Compaq's Carbon Copy, and Artisoft's CoSession Remote.

Am I advocating the use of dangerous software on your LAN? Absolutely not. But I don't think BO2k should be dismissed because the authors have a political agenda. Even Jason Garms, Microsoft's lead product manager for Windows NT security, concedes BO2k does "little different from what legitimate remote-control software can do."

So what is Microsoft's objection? According to Garms, it's that BO2k is "designed to be stealthy and evade detection by the user." This is a reasonable objection, and it's the primary reason it's difficult to take the software seriously as an end-user product. Such software is easy to abuse, especially when it's free and comes with complete source code.

The Cult's "Minister of Propaganda," who goes by the name "Deth Vegetable," is the first to admit the cult is no fan of Microsoft, and, in fact, one reason for BO2k's existence is to convince Microsoft to "finally implement a security model in their Windows operating system." I would prefer Microsoft engineer a new operating system (see Internet Zone), but revamping the Windows security model to create a secure system would be nearly as much effort. Even open-source pundit Eric Raymond agrees that "BO2k exposes the fact that the so-called `security' of Windows is a bad joke."

It's easy to see that free software that can control PCs remotely will be abused. But BO2k will ultimately help more than hinder, by revealing the inadequacies of the Windows security model and providing useful source code for developers.
@HWA

27.0 UCITA Moves Forward - Will Remove Vendor Liability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The National Conference of Commissioners on Uniform State Laws (NCCUSL) is likely to endorse the Uniform Computer Information Transactions Act (UCITA). This isn't a federal law but a law that will be passed around to all the states to enact individually, making it even harder to defeat. The proposal will allow software manufacturers to sell software that is broken with no liability, even if they knew it didn't work. It gives vendors the right to disable software remotely without prior authorization from the customer. It would prevent reverse engineering and place a gag order on anyone who said anything bad about a product.

ComputerWorld
http://www.computerworld.com/home/print.nsf/all/990726B6A6

InfoWorld - UCITA Summary
http://www.infoworld.com/cgi-bin/displayStory.pl?/features/990531ucita_home.htm

-=-

UCITA is going to hurt you if you don't watch out
By Dan Gillmor
07/26/99

All IT managers have their share of horror stories in dealing with software and the companies that sell it -- buggy products, slow response by vendors and so on. But if some proposed legislation becomes law around the U.S., your worries may just be starting.

By the time you read this, the National Conference of Commissioners on Uniform State Laws (NCCUSL) is likely to have endorsed the Uniform Computer Information Transactions Act (UCITA). This legislation is high on the software industry's wish list, because it would tilt the balance of power to vendors -- and away from users.

Even if the mounting opposition somehow persuades the commissioners to back off, recent history shows that the software industry won't give up. This issue isn't going away, no matter what happens at the commissioners meeting this week in Denver.
A variety of reputable consumer and professional organizations oppose this proposal -- among them, the Federal Trade Commission, the Association for Computing Machinery, the Association for Information Management and Consumers Union. Here are some of their objections:

o Sellers could legally disclaim any obligation to sell products that work. They would be legally immune even if they knew about defects before the sale and deliberately failed to disclose the defects, no matter how serious.

o In the event of a dispute, a vendor could disable a customer's software remotely, even if that totally disrupted the customer's business. The seller would have a unilateral right to decide that the customer was violating the terms of the contract; a buyer would have to take the vendor to court in response.

o Reverse engineering, used by security experts to examine software, could be prohibited, increasing the risk that buggy products and viruses would go undetected.

o A vendor could prohibit a user from publicly commenting on the quality or performance of a product. In other words, if it didn't work, you couldn't tell your colleagues at other companies or vice versa.

UCITA is itself a backup plan. The industry's original strategy was to get a rewrite of the Uniform Commercial Code, the system designed to ensure uniform laws dealing with commerce. But when the American Law Institute -- the NCCUSL's co-drafter of Uniform Commercial Code proposals -- listened to the opponents and backed away from the idea, the software companies persuaded the NCCUSL to push ahead with UCITA anyway. (For more history and information, check out a detailed account at www.infoworld.com/ucita at the Web site of Computerworld's sister publication Infoworld.)

If the commissioners endorse UCITA, the proposed law would move into state legislatures around the nation this year. Whatever happens, the industry's relentless pursuit of this legislation should be a wake-up call to other IT people.
Get ready to fight this legislation in your statehouses. Whether it's UCITA or something else, the software barons won't stop pushing against your rights. Stay on your guard, or you'll regret it.

-=-

InfoWorld - UCITA Summary
http://www.infoworld.com/cgi-bin/displayStory.pl?/features/990531ucita_home.htm

May 31, 1999

UCITA: Summary information

UCITA and the issues that revolve around it are extremely complex. It raises many thorny problems over which the wisest of the wise would have trouble striking a fair balance, and its potential consequences in the electronic-commerce world of the future are surely beyond any mortal's prediction. Yet the process by which it could become the law of the land is obscure, convoluted, and highly legalistic, making it difficult for everyone who has a stake in what it says to have input into its development.

The purpose of this page is to provide some background and resources for those who want to understand UCITA better and for those who want to find a way to have their voice heard. I obviously have my own point of view on the act and what I think it means for InfoWorld readers -- as I've said, I've gone from being naively optimistic about the chances for the law helping software customers to deeply concerned that it will only make things worse, and you can certainly learn why I feel that way here. But there are more than enough sources of information for you to make up your own mind and to decide what you want to do about it.

This site includes:

o a brief explanation of what UCITA is and how the process works
o a background piece from Ed Foster on why he thinks UCITA is important to software customers
o links to InfoWorld stories and columns on UCITA and Article 2B
o a list of the top dozen issues opponents of UCITA are concerned about

There are also a number of other Web sites that can provide you with all the details on the numerous issues involved in the 2B draft.
The de facto clearinghouse for legal briefs and position papers from all sides in the process is the "Guide to the Proposed Law on Software Transactions" provided by Carol A. Kunze at http://www.2bguide.com/. This guide also provides further background on the UCC, reports that have appeared in the press about 2B and links to the current draft. Two recent papers posted there which do a good job of summarizing the opposing views on UCITA are the NCCUSL leadership's defense of the move from 2B to UCITA at http://www.2bguide.com/docs/nuaa.html and a rebuttal by law professor Jean Braucher at http://www.2bguide.com/docs/0499jb.html.

Many sites about Article 2B have not yet been updated to reflect the change to UCITA. Two Web sites that have a great deal of background information on consumer-related issues in the draft (few of which have changed to any substantial degree) are Ralph Nader's Consumer Project on Technology site at http://www.cptech.org/ucc/ and the site of "Bad Software" author and attorney Cem Kaner at http://www.badsoftware.com.

What you can do

With the July meeting where UCITA will be up for approval by the NCCUSL commissioners fast approaching, readers must act quickly if they are to influence the outcome. One simple thing you can do is to sign our e-mail petition, which reads as follows:

"In light of the concerns previously expressed over proposed UCC Article 2B by a variety of interest groups, and the lack of time such groups have had to study and respond to its new reincarnation as a uniform act, the undersigned urge the National Conference of Commissioners on Uniform State Laws to not approve the Uniform Computer Information Transactions Act at this time."

If you agree, "sign" the petition by sending an e-mail to us at ucita@infoworld.com with any additional comments you'd like to make and your name, title, company, city, and state.
The results will be presented to the NCCUSL commissioners in Denver to help demonstrate to them that the concern about UCITA is widespread.

An even more effective step is to write directly to the NCCUSL commissioners who represent your state. The Society for Information Management has urged its membership to do this, and InfoWorld readers could make a big difference by adding their voices to that of SIM's members. To get the list of commissioners for your state, along with a draft letter you can customize, visit SIM's site at http://www.simnet.org/public/programs/issues/ucccode.html.

It's not too early to make sure your state legislators and the governor also are aware of your concerns about UCITA. While we won't know until the end of July whether UCITA will be approved for distribution to the state legislatures, that's where the fight will move next if the commissioners OK it. Even if they reject UCITA, there is a possibility that "rogue" versions of the law will be introduced in some states in any case. So the more aware those in your state's government are of the controversial nature of UCITA, the better.

@HWA

28.0 NSC Proposes FidNet - Infrastructure Protection or Surveillance Tool?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

A draft prepared by the National Security Council last month calls for a sophisticated software system to monitor activities on nonmilitary Government networks and a separate system to track networks used in crucial industries like banking, telecommunications and transportation. This system is to be called FidNet, or the Federal Intrusion Detection Network. The effort is intended to alert law enforcement officials to attacks against the nation's infrastructure. Opponents are saying that this could become a building block for a surveillance infrastructure with great potential for misuse.
NY Times
http://www.nytimes.com/library/tech/99/07/biztech/articles/28compute.html

July 28, 1999

U.S. Drafting Plan for Computer Monitoring System
By JOHN MARKOFF

The Clinton Administration has developed a plan for an extensive computer monitoring system, overseen by the Federal Bureau of Investigation, to protect the nation's crucial data networks from intruders.

The plan, an outgrowth of the Administration's anti-terrorism program, has already raised concerns from civil liberties groups.

A draft prepared by officials at the National Security Council last month, which was provided to The New York Times by a civil liberties group, calls for a sophisticated software system to monitor activities on nonmilitary Government networks and a separate system to track networks used in crucial industries like banking, telecommunications and transportation.

The effort, whose details are still being debated within the Administration, is intended to alert law enforcement officials to attacks that might cripple Government operations or the nation's economy.

But because of the increasing power of the nation's computers and their emerging role as a backbone of the country's commerce, politics and culture, critics of the proposed system say it could become a building block for a surveillance infrastructure with great potential for misuse.

They also argue that such a network of monitoring programs could itself be open to security breaches, giving intruders or unauthorized users a vast window into Government and corporate computer systems.

Government officials said the changing nature of military threats in the information age had altered the nature of national security concerns and created a new sense of urgency to protect the nation's information infrastructure.

"Our concern about an organized cyberattack has escalated dramatically," Jeffrey Hunker, the National Security Council's director of information protection, who is overseeing the plan, said Tuesday.
"We do know of a number of hostile foreign governments that are developing sophisticated and well-organized offensive cyber attack capabilities, and we have good reason to believe that terrorists may be developing similar capabilities." As part of the plan, networks of thousands of software monitoring programs would constantly track computer activities looking for indications of computer network intrusions and other illegal acts. The plan calls for the creation of a Federal Intrusion Detection Network, or Fidnet, and specifies that the data it collects will be gathered at the National Infrastructure Protection Center, an interagency task force housed at the Federal Bureau of Investigation. Such a system, to be put fully in place by 2003, is meant to permit Government security experts to track "patterns of patterns" of information and respond in a coordinated manner against intruders and terrorists. The plan focuses on monitoring data flowing over Government and national computer networks. That means the systems would potentially have access to computer-to-computer communications like electronic mail and other documents, computer programs and remote log-ins. But an increasing percentage of network traffic, like banking and financial information, is routinely encrypted and would not be visible to the monitor software. Government officials argue that they are not interested in eavesdropping, but rather are looking for patterns of behavior that suggest illegal activity. Over the last three years, the Pentagon has begun to string together entire network surveillance systems using filters that report data to a central site, much as a burglar alarm might be reported at the local police station. Officials said such a system might have protected against intrusions recently reported in computers at the Bureau of Labor Statistics, which produces information like the consumer price index that can affect the performance of the stock market. 
The draft of the plan, which has been circulated widely within the executive branch, has generated concern among some officials over its privacy implications. Several officials involved in the debate over the plan said that the situation was "fluid" and that many aspects were still not final.

The report is vague on several crucial points, including the kinds of data to be collected and the specific Federal and corporate computer networks to be monitored. The report also lacks details about the ways information collected in non-Governmental agencies would be maintained and under what conditions it would be made available to law enforcement personnel.

Government officials said that the National Security Council was conducting a legal and technical review of the plan and that a final version is to be released in September, subject to President Clinton's approval.

The plan was created in response to a Presidential directive in May 1998 requiring the Executive Branch to review the vulnerabilities of the Federal Government's computer systems in order to become a "model of information and security." In a cover letter to the draft Clinton writes: "A concerted attack on the computers of any one of our key economic sectors or Governmental agencies could have catastrophic effects."

But the plan strikes at the heart of a growing controversy over how to protect the nation's computer systems while also protecting civil liberties -- particularly since it would put a new and powerful tool into the hands of the F.B.I. Increasingly, data flowing over the Internet is becoming a vital tool for law enforcement, and civil liberties experts said law enforcement agencies would be under great temptation to expand the use of the information in pursuit of suspected criminals.

The draft of the plan "clearly recognizes the civil liberties implications," said James X.
Dempsey, staff counsel for the Center for Democracy and Technology, a Washington civil liberties group, "But it brushes them away."

The draft states that because Government employees, like those of many private companies, must consent to the monitoring of their computer activities, "the collection of certain data identified as anomalous activity or a suspicious event would not be considered a privacy issue."

Dempsey conceded the legal validity of the point, but said there was tremendous potential for abuse. "My main concern is that Fidnet is an ill-defined monitoring system of potentially broad sweep," he said. "It seems to place monitoring and surveillance at the center of the Government's response to a problem that is not well suited to such measures."

The Federal Government is making a concerted effort to ensure that civil liberties and privacy rights are not violated by the plan, Hunker said. He said that data gathered from non-Government computer networks will be collected separately from the F.B.I.-controlled monitoring system at a separate location within a General Services Administration building. He said that was done to keep non-Government data at arm's length from law enforcement.

The plan also has drawn concern from civil libertarians because it blends civilian and military functions in protecting the nation's computer networks. The draft notes that there is already a Department of Defense "contingent" working at the F.B.I.'s infrastructure protection center to integrate intelligence, counterintelligence and law enforcement efforts in protecting Pentagon computers.

"The fight over this could make the fight over encryption look like nothing," said Mary Culnan, a professor at Georgetown University who served on a Presidential commission whose work led to the May 1998 directive on infrastructure protection. "The conceptual problem is that there are people running this program who don't understand how citizens feel about privacy in cyberspace."
The Government has been discussing the proposal widely with a number of industry security committees and associations in recent months. Several industry executives said there is still reluctance on the part of industry to directly share information on computer intrusions with law enforcement.

"They want to control the decision making process," said Mark Rasch, vice president and general counsel of Global Integrity, a company in Reston, Va., coordinating computer security for the financial services industries.

One potential problem in carrying out the Government's plan is that intrusion-detection software technology is still immature, industry executives said.

"The commercial intrusion detection systems are not ready for prime time," said Peter Neumann, a computer scientist at SRI International in Menlo Park, Calif., and a pioneer in the field of intrusion detection systems. Current systems tend to generate false alarms and thus require many skilled operators.

But a significant portion of the $1.4 billion the Clinton Administration has requested for computer security for fiscal year 2000 is intended to be spent on research, and Government officials said they were hopeful that the planned effort would be able to rely on automated detection technologies and on artificial intelligence capabilities.

For several years computer security specialists have used software variously known as packet filters, or "sniffers," as monitoring devices to track computer intruders. Like telephone wiretaps, such tools can be used to reconstruct the activities of a computer user as if a videotape were made of his computer display. At the same time, however, the software tools are routinely misused by illicit computer network users in stealing information such as passwords or other data.
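The article describes sensors that report to a central site, false alarms that tie up skilled operators, and analysts hunting for "patterns of patterns". The Python below is an added example, not anything from FidNet, the NYT piece or this ezine, of the smallest useful version of that pipeline: it parses constructed connection reports from two hypothetical site sensors (sensor-bls, sensor-dot), flags a port sweep and a password-guessing burst per sensor, suppresses the sweep when its source is the organisation's own authorised scanner (the commonest false alarm Neumann is talking about), and only then correlates across sensors to escalate a source that has tripped more than one site. Every address, host name, threshold and the telemetry format are assumptions made for the example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "sensor ts src dst dport outcome")

# Constructed telemetry (not real data). One line per connection attempt as a
# site sensor would forward it to the central correlator:
# sensor timestamp source destination dport outcome
RAW_REPORTS = """\
sensor-bls 1999-07-27T02:00:01 10.9.8.7 172.16.1.10 21 refused
sensor-bls 1999-07-27T02:00:02 10.9.8.7 172.16.1.10 22 refused
sensor-bls 1999-07-27T02:00:02 10.9.8.7 172.16.1.10 23 open
sensor-bls 1999-07-27T02:00:03 10.9.8.7 172.16.1.10 25 refused
sensor-bls 1999-07-27T02:00:03 10.9.8.7 172.16.1.10 80 open
sensor-bls 1999-07-27T02:00:04 10.9.8.7 172.16.1.10 110 refused
sensor-bls 1999-07-27T02:00:05 10.9.8.7 172.16.1.10 143 refused
sensor-dot 1999-07-27T02:03:10 10.9.8.7 172.16.2.20 23 auth_fail
sensor-dot 1999-07-27T02:03:15 10.9.8.7 172.16.2.20 23 auth_fail
sensor-dot 1999-07-27T02:03:22 10.9.8.7 172.16.2.20 23 auth_fail
sensor-dot 1999-07-27T02:03:30 10.9.8.7 172.16.2.20 23 auth_ok
sensor-bls 1999-07-27T09:15:00 172.16.0.5 172.16.1.10 21 refused
sensor-bls 1999-07-27T09:15:00 172.16.0.5 172.16.1.10 22 open
sensor-bls 1999-07-27T09:15:01 172.16.0.5 172.16.1.10 25 refused
sensor-bls 1999-07-27T09:15:01 172.16.0.5 172.16.1.10 80 open
sensor-bls 1999-07-27T09:15:02 172.16.0.5 172.16.1.10 443 refused
sensor-dot 1999-07-27T10:00:00 192.0.2.44 172.16.2.20 80 open
"""

# The organisation's own vulnerability scanner; hypothetical address.
AUTHORIZED_SCANNERS = frozenset({"172.16.0.5"})


def parse_reports(text):
    """Turn the line-oriented sensor feed into Event records sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            sensor, ts, src, dst, dport, outcome = line.split()
            events.append(Event(sensor, datetime.fromisoformat(ts), src, dst,
                                int(dport), outcome))
    return sorted(events, key=lambda e: e.ts)


def detect_port_scans(events, threshold=5, window=timedelta(seconds=60)):
    """One alert per (sensor, src, dst) the first time a source touches
    `threshold` distinct ports on one host inside a sliding `window`."""
    alerts, by_pair = [], defaultdict(list)
    for e in events:
        by_pair[(e.sensor, e.src, e.dst)].append(e)
    for (sensor, src, dst), evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide window forward
                start += 1
            ports = {x.dport for x in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts.append(dict(kind="port_scan", sensor=sensor, src=src,
                                   dst=dst, ports=sorted(ports), at=evs[end].ts))
                break  # do not re-fire on every further probe
    return alerts


def detect_brute_force(events, threshold=3, window=timedelta(seconds=120)):
    """Alert on `threshold` auth failures inside `window`; upgrade the alert if
    a success follows while failures are still in the window (the guess worked)."""
    alerts, by_pair = [], defaultdict(list)
    for e in events:
        if e.outcome in ("auth_fail", "auth_ok"):
            by_pair[(e.sensor, e.src, e.dst)].append(e)
    for (sensor, src, dst), evs in by_pair.items():
        recent, alert = [], None
        for e in evs:
            recent = [f for f in recent if e.ts - f.ts <= window]
            if e.outcome == "auth_fail":
                recent.append(e)
                if alert is None and len(recent) >= threshold:
                    alert = dict(kind="brute_force", sensor=sensor, src=src,
                                 dst=dst, failures=len(recent), at=e.ts)
                    alerts.append(alert)
            elif alert is not None and recent:
                alert["kind"] = "brute_force_success"
    return alerts


def correlate(events, authorized_scanners=frozenset()):
    """Central stage: drop known false alarms, then look across sensors."""
    kept, suppressed = [], []
    for a in detect_port_scans(events) + detect_brute_force(events):
        if a["kind"] == "port_scan" and a["src"] in authorized_scanners:
            suppressed.append(a)
        else:
            kept.append(a)
    # "patterns of patterns": the same source tripping more than one site
    sensors_by_src = defaultdict(set)
    for a in kept:
        sensors_by_src[a["src"]].add(a["sensor"])
    for src, sensors in sensors_by_src.items():
        if len(sensors) > 1:
            kept.append(dict(kind="multi_site", src=src, sensors=sorted(sensors)))
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = correlate(parse_reports(RAW_REPORTS), AUTHORIZED_SCANNERS)
    for a in kept:
        print("ALERT", a)
    for a in suppressed:
        print("suppressed (authorised scanner)", a["src"], a["ports"])
```

Two design points carry over to real deployments: each per-sensor rule fires once per source/destination pair rather than once per packet, which is what keeps an operator from drowning, and the cross-site escalation runs only on alerts that survived suppression, so an authorised scanner seen by many sensors does not become a "multi-site" incident.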
Commercial vendors are beginning to sell monitoring tools that combine packet filtering with more sophisticated and automated intrusion detection software that tries to detect abuse by looking for behavior patterns or certain sequences of commands.

@HWA

28.0 Feds Get Gov Employees to Sign Away Rights
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

The Intelligence Authorization Act has been passed by the Senate. This new bill will give federal law enforcement new powers to search government computers belonging to individuals who have access to classified information. The bill requires employees who need access to classified information to sign a waiver allowing law enforcement officials to "access information stored in computers used in the performance of government duties." (They can't take your rights away but now they can get you to sign them away.)

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0719/web-intell-7-23-99.html

JULY 23, 1999 . . . 15:05 EDT

Intelligence bill grants feds new computer security powers
BY DANIEL VERTON (dan_verton@fcw.com)

The Senate this week voted unanimously to pass the fiscal 2000 Intelligence Authorization Act, which would provide federal law enforcement officials new authority to search government computers belonging to individuals who have access to classified information.

The new computer security provision comes in the wake of reports of espionage by China at the nation's nuclear laboratories and was part of a larger effort by the Senate Select Committee on Intelligence to improve government counterintelligence procedures.

According to Sen. Richard C. Shelby (R-Ala.), chairman of the Senate Select Committee on Intelligence, the bill requires employees who need access to classified information to sign a waiver allowing law enforcement officials to "access information stored in computers used in the performance of government duties."
The provision is aimed specifically at enhancing the FBI's ability to investigate cases of possible espionage sooner rather than later.

The thorny issue of granting access to government computers for the purposes of investigating wrongdoing came into the limelight last month when officials at the Defense Threat Reduction Agency allegedly attempted to access the computer belonging to a senior technology trade advisor as he testified before Congress [FCW, July 19, 1999].

"This provision is intended to avoid the problems we have seen with the FBI's reluctance to access 'government' computers without a warrant in the course of an espionage investigation," Shelby said. "There should be no question that investigative agencies may search the computer of an individual with access to classified information."

@HWA

29.0 Local Cops Funded by IT Industry
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Arik

Pulling from the LA Times article that we linked to on Monday, the UK Register runs a story on how local US police departments are legally accepting large grants from IT firms in exchange for going after pirates. Companies such as Intel and Hewlett-Packard offer cash and other perks to local law enforcement agencies while they work on cases beneficial to the corporation. Local police agencies see nothing wrong with this. (Why hire private detectives when you can just hire the local police force.)

The UK Register
http://www.theregister.co.uk/990727-000017.html

Posted 27/07/99 3:57pm by Tim Richardson

US police funded by IT giants

Hi-tech companies are paying out thousands of dollars to hard-up police departments in the US to help combat computer-related crime.

According to a report in the LA Times, Intel regularly slips police departments in Oregon $100,000 a year to help pay the wages of a few law enforcement professionals. It's also more than happy to part with $10,000 to kit out the odd sheriff's department with a wire-tap or two.
Then there's Hewlett-Packard which is more than happy to let police officers use its corporate jet if it helps catch a computer villain.

Snag is, some people think this is an abuse of the system. They claim these firms are "buying justice" in their bid to crack down on computer crime which reportedly cost the US $3 billion last year.

But one outspoken officer told the LA Times that such allegations were way out of line.

"If you're inferring that we're paid off, that's not right," Sgt Michael Tsuchida of the Sacramento County Sheriff's Office told the LA Times. "I'll eat your dinner, sleep in your hotel and still arrest you if you're breaking the law," he said.

It's nice to know that the judgement of the boys in blue is not swayed by a few greenbacks.

In a way, the hacks at The Register are no different. They swan off on fancy all-expenses-paid press trips, get taken out to swanky restaurants -- and still manage to dish the dirt about their hosts.

The Register -- eating the hand that feeds IT. ®

@HWA

30.0 Two Arrested for Corporate Espionage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by operand

Interactive Connections, now known as Screaming Media, has had two former employees arrested on Tuesday on charges they allegedly broke into its computer system and stole secret business plans. If convicted, they face a possible maximum prison term of five years. They allegedly copied various proprietary files and software belonging to Interactive Connections. It is unknown what they then did with the information.

Wired
http://www.wired.com/news/news/politics/story/20966.html

Turkey-Day Crackers Arrested
Reuters
2:10 p.m. 27.Jul.99.PDT

Two former employees of Interactive Connections, now known as Screaming Media, were arrested on Tuesday on charges they allegedly broke into its computer system and stole secret business plans.
Ira Lee, 29, and Zissis Trabaris, 31, who had worked as software developers at the company, were each charged in federal court in Manhattan with one count of unlawful and unauthorized computer intrusion. If convicted, they face a possible maximum prison term of five years.

Interactive Connections provides news filtering and distribution services, mostly for Web sites. Its clients include America Online and Sun Microsystems, federal prosecutors said.

According to the complaint, the alleged crime occurred after the defendants' employment at Interactive Connections ended and shortly after The Wall Street Journal ran a favorable article about the company. The newspaper reported that the company was backed by James Robinson, former chief executive of American Express Co.

The defendants allegedly entered Interactive's computer system from Lee's home computer on 25 November, the night before Thanksgiving. They allegedly stayed on the system for about four hours into Thanksgiving morning and copied various proprietary files and software belonging to Interactive and then transferred the information to various computers that the two men controlled, the complaint charged.

Copyright 1999 Reuters Limited.

@HWA

31.0 Virus Infestations On the Rise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by TurTleX
Computer virus infection rates have doubled since 1998 and quadrupled since 1997 according to a report released by ICSA. The survey was based on responses from tech departments at 300 U.S. corporations and government agencies.

Newsweek
http://www.newsweek.com/nw-srv/tnw/today/cs/cs02mo_1.htm

ICSA
http://www.icsa.net/

-=-

Newsweek
http://www.newsweek.com/nw-srv/tnw/today/cs/cs02mo_1.htm

TUESDAY, July 27, 1999

Stopping the Spread
Are computer viruses becoming an epidemic?

A recent survey conducted by ICSA.net, a company that provides computer security information to corporations, reports that computer virus infection rates have doubled since 1998 and quadrupled since 1997. Based on responses from tech departments at 300 U.S. corporations and government agencies, the survey also finds a comparable increase in costs. "The cost of having viruses, given the frequency of when you get them and what happens after you get them, is more than doubling every year," Peter Tippett, chairman of ICSA.net, told Newsweek.com. "We can't conclude that anything has happened that will prevent things from becoming twice as bad next year," he adds.

One reason for the rise in infections is the rate of transmission, which has dramatically increased in the past several years. Between 1980 and 1995 computer viruses were transmitted primarily via floppy disks, usually taking a year or more to become prevalent. By 1995, macro viruses—which primarily live in MS Word or Excel documents and spread via file sharing—had decreased that time to a few months. The most recent generation, dubbed "'Net-enabled" or "communications-enabled" viruses, use the Internet or e-mail to replicate, and can reach epidemic proportions within days. These new viruses could represent the greatest threat thus far.

The solution, Tippett says, is to use anti-virus programs and tools correctly. The survey reported that 83 percent of the companies surveyed had anti-virus software on 90 percent of their computers, but often failed to use it properly. For example, 40 percent of those companies used "periodic scanning" on desktops—scanning for viruses once a day, for example, or every time the system restarts—instead of enabling anti-virus programs' full-time background scanning functions. Doing the latter, Tippett advises, increases the chance of discovering the virus before it spreads unknowingly to the next victim.

Other advice: protect servers, gateways and desktops, and update anti-virus programs often.

— Laura Fording

@HWA

32.0 Granny Hacker from Heck visits Def Con parts 1 to 3
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From AntiOnline
http://www.antionline.com/cgi-bin/News?type=antionline&date=07-12-1999&story=CMDC1.news

Granny Hacker From Heck Visits Def Con
Thursday, July 15, 1999 at 16:29:59
by Carolyn Meinel - Writing For AntiOnline

July 1, 1999. A staffer from Loompanics calls to say that the Def Con convention staff has ordered them to not sell my "The Happy Hacker: A Guide to Mostly Harmless Hacking" (http://happyhacker.org/buyhh.html) at their upcoming computer criminal soiree.

This means war! How can I best stick it to the Def Con d00dz?

Oho, their web site (http://www.defcon.org) is advertising a Bastard Operator from Hell (BOFH) (http://www.rangsoc.demon.co.uk/bofh_last.htm) contest. A true BOFH should run a computer with all sorts of tantalizing services. Build something that looks like an eight year old could break in. Then the attacker runs exploit after exploit against the box. And every attack mysteriously SCREWS UP!!! Muhahaha.

By offering a prize for the best victim computer, the Def Con guys hope to get better targets for the hackers playing Capture the Flag.

Amarillo, TX, July 6 and 7, I'm out there with Happy Hacker Wargame director Vincent Larsen and wargame admin Jon to put together our BOFH entry: Fangz. Ah, yes, Fangz, an Intel box running Red Hat Linux (at least that's what any port scanner would tell you, snicker). It runs ftp, pop3, smtp, a DNS server, telnet with a guest account with no password, guest access to vi and a C compiler; and a Lithium Quake server with back doors in place. Ahem, every service is working according to the RFCs, but not quite running the way hackers would expect:):)

OK, let's get this straight.
All I did was provide the hardware and use the Hacker Wargame to test various iterations of Vincent and Jon's Process Based Security (http://www.sage-inc.com) modifications to Red Hat Linux. Red Hat is a hacker's paradise. A clean install of the latest version has over 200 ways to break into it. Vincent and Jon's version of Red Hat, however, would make the BOFH himself proud. That's why I decided against entering a FreeBSD or OpenBSD system. They have pretty good security, too. But they don't TORMENT hackers the way Process Based Security does.

At sunrise Friday morning, July 9, I caught a ride on the Happy Hacker Godfather's King Air business jet, along with him and Jon. Also there was this giant Texan on board. I asked him, "You look like a bodyguard. You look like you could pick up someone by the neck and hold him out at arm's length."

"I'm an interior decorator. That's my story and I'm sticking with it."

Nine AM we are on site at the Alexis Park hotel. We stagger along with Fangz, a monitor, laptop, my favorite Ethernet hub, my crummy backup Ethernet hub, lots of spare 10BASE-T cabling, tools, and duct tape just in case I need to tape anyone to the wall. A Def Con "goon" (security guard) helps us out by taking us to the head of the registration line. Who should be handling, um, exceptional cases such as ourselves but Pete Shipley. As his mouth drops with surprise to see us Happy Hacksters out in force, he fails to flash his copyrighted vampire fangs.

Now these are very important, copyrighted vampire fangz, er, I mean, fangs. Shipley's lawyer actually sent several letters to the publisher of my Happy Hacker book claiming that Shipley had gotten a copyright on wearing vampire fangs, so the guy on the cover of my book wearing fangs owed Shipley royalties. Or something like this. Anyhow, the publisher, being a hacker himself (Dr. Mark Ludwig), decided to have a little fun with Shipley. In the second edition he blotted out Shipley's fanged features with a green blob reading "hey man get my face off this cover."

Anyhow, I think Mark using Shipley's copyrighted fangs on my book cover is why Shipley can't wear fangs any more. That must be what got Shipley to being such a major enemy of mine. After all, my lady BOFH personality ought to win the adulation of hackers everywhere. LART, LART, who has the LART?;^) (http://www.winternet.com/~eric/sysadmin/lart.1m.html)

Shipley swears it isn't because I hacked him at Def Con 3 in front of dozens of witnesses (see Granny Hacker from Heck). Oh, yes, if you are a reporter, contact me and I'll give you phone numbers for two of those witnesses.

Well, that fangless Shipley just about ruined my day. What next, would Cult of the Dead Cow's (http://cultdeadcow.com) Deth Vegetable trash can his Mr. T bust and prance on stage in a business suit?

We got Fangz set up pretty quickly. All I did was some physical stuff. Meanwhile, Jon changed the gateway, DNS server and IP address himself because there are some interesting twists to Fangz. Then he spent the next few hours waiting for the Capture the Flag/BOFH contest to start by changing a few more things on Fangz, like the process control tables for the "mv" and "cat" commands. Oh, you say you never heard of Red Hat Linux "process control tables"? Muhahaha.

Then... Priest pays me a visit. Priest. He's a tall middle aged guy whose trademark is the loud Hawaiian shirts and shorts he wears at every Def Con. At Def Con 5 he won his "I am the Fed" T-shirt by showing off an FBI badge. Of course I believe everything I see.

"Carolyn," he gestures to me. He sidles up close and whispers, "I left the agency a few weeks ago. An Internet startup in California offered me a chance to get rich. I have a nondisclosure agreement for you. Interested?"

Of course I like to get rich, too. I sincerely believe that Internet startups like to offer FBI agents tons of money. "Sure."

Meanwhile the Capture the Flag/BOFH game has finally gotten started. Less than 100 of the 3,600 Def Con attendees have signed up to play the game. What? Less than one hundred? I ask several players. They all say there are perhaps only 200 people at Def Con who actually know how to break into computers. The rest? Feds, narcs, groupies, and fakes. And BOFHs:):)

Suddenly people start shouting. I turn to see a man prancing on top of a table next to the Penguin Palace booth. He is naked except for an extremely tiny g-string. It's a good thing his genitals are tiny enough to fit into it. Then he pulls on his jeans and leads a parade of drooling teenagers out of the room.

A tiny waisted bleached blonde with braless boobs in a spaghetti string shirt prances over to some Capture the Flag players. Not only is each boob the size of her head, they are powered by antigravity devices. From time to time she pulls up her shirt and sticks her naked boobs into the faces of the players. They keep on shooing her off -- "We're trying to hack, dammit!"

(to be continued: groupies get drunk and laid; Feds, narcs and Cult of the Dead Cow urge code kiddies to hack more government Web sites so Congress will boost the Information Warfare budget from $1 billion to $1.4 billion; fangz LARTs hackers; Michael Schiffman beefs up his muscles with a bicycle pump; Shipley remains fangless; Priest attempts an entrapment scheme; and Granny Operator from Heck gets into trouble.)

Granny Hacker Visits Defcon - Part 2
Wednesday, July 21, 1999 at 0:49:12
by Carolyn Meinel - Writing For AntiOnline

Let’s see, where was I. Oh, yes, the lady with the giant breasts powered by antigravity machines is trying to distract people playing the Capture the Flag game against the Bastard Operator from Hell contestants. All the BOFHers are unscathed so far. I’m standing next to my box, every now and then checking to make sure at least a half dozen people have spawned shells in the guest account.
I want Fangz to get a real workout!

And who should sidle over but Priest, the giant guy in the buzz cut sandy hair and loud Hawaiian shirt who says he is “no longer with the agency.” Out of the corner of his mouth he mutters to me, “Dis has been committing too many felonies. If Dis doesn’t watch out, he will go to jail.”

Dis. That’s one of the two or three hundred handles Brian Martin uses, but who knows, lots of other hackers may use it, too. Or maybe Priest just keeps on confusing Dis with Mitnick or someone like that.

I mutter right back, “It’s not clear to me that Dis is committing any felonies.”

Hoo, boy, now this is getting interesting. First Priest hints that he can make me rich, then he appeals to my presumed desire for revenge. Lots of people assume that since I am Brian Martin’s number one obsession (as seen at http://attrition.org), that I must hate him. Au contraire! Today is honesty day, no more kidding around. Martin is my public relations man, working overtime year after year to make sure everyone has heard of and buys my book, The Happy Hacker. By publicizing his fictional accounts of how I hacked 303.org and sekurity.org and let us NOT FORGET the New York Times, Martin has persuaded countless teenagers that I am a brilliant evil genius granny.

Oh, while we are on the topic of honesty, Priest just emailed me to advise that he just might sue me for the first installment of Granny Hacker from Heck Goes to Def Con. Let’s see, what are his exact words, “I have to talk to my lawyer about a lawsuit...I at no time represented my self as an FBI agent nor did I ever display a 'badge' at Defcon 5 to get a Fed t-shirt. Further, at no time did I aproach you with an offer of employment or a commentary on what my orgainzation was doing.”

Hmmm, another man from an alternate universe. I think his alternate universe is at http://www.exo.com, phone them up and they will give you a truly amazing shell account from which you can entertain yourself with the file permissions of the other users.

Let’s see if I have this straight. Priest, a fictional entity who ran Def Con 7, and who has variously claimed to be an FBI agent and involved in a get rich quick Internet startup scheme, is trying to figure out how to sue the Granny Hacker from Heck for a humorous article that has lots of witnesses. If you have any leads on this man’s true identity, or want to add to reports of who this man has claimed to be from time to time, please contact me at 505-281-9675. “Don’t pay attention to the man behind the curtain...”

Now, back to our regularly scheduled programming, Friday July 9. Jon takes a turn guarding Fangz, our Bastard Operator From Hell contestant. I go to the main ballroom to catch the first round of “Spot the Fed.” I pass a room out of which rock music booms. There are fog machines, spotlights waving about. I notice more young women than I had ever before seen at a Def Con, mostly beautiful, dancing with hackers in that party room. More gorgeous women lounge in the hallway, awkwardly flirting and beckoning. Are they hoping to marry the next Bill Gates? They certainly don’t have the look of Las Vegas prostitutes, not even the lady with the antigravity boobs. There’s intelligence in those eyes.

I briefly think of Tracy Baldwin, a new FBI agent, who came to Albuquerque for her first assignment out of Quantico. Baldwin’s young, beautiful, tense like a coiled spring. Some of these women in the hallway remind me of her. Oh, yes, last November I gave Baldwin a hard time when she tried to convince me she might arrest me if I didn’t take a lie detector test about whether I hacked the New York Times. So now she gets to put up with being in a Granny Hacker story.

In the ballroom, Priest is on stage with a microphone. He booms out, “To win your ‘I spotted the Fed’ T-shirt, you have to identify someone who carries a badge and has the power to arrest. Informers don’t count. You know how you spot an informer, don’t you? He’s someone who was raided and got back out on the street within 24 hours.”

That made me think. A story in Forbes magazine last January had reported that the FBI had raided Brian Martin -- yet had not arrested him. According to an employee of the Internet Service Provider Martin uses (Inficad), not long thereafter “We were served a subpoena by the Fed's to perform certain actions on the attrition box co-located at our facility. As we do with all law enforcement matters we complied, and they performed what was required and permitted under the subpoena.”

Many in that room know about Martin’s FBI raid. Some in that room remember Priest claiming to be a Fed. Why would a Fed, even an ex-Fed (if Priest was telling me the truth) be trying to publicly finger Martin as a supposed informant? All in good fun, I’m sure.

A young man sitting next to me leans over. “Who is this Priest guy? He seems to be running Def Con.”

I dunno, maybe being a fictitious character is his profession.

###

Near midnight I am hovering over a laptop and hear a voice booming, “You. We’re closing down for the night. Out. Now.”

I look up and see a knot of hackers scurrying for the nearest exit, behind them Priest playing the role of Nazi SS man. He swivels, points with outstretched arm at the next nearest group. “You. Out. Now.” He strides to another group. “You. Out. Now.”

I am amazed. Aren’t hackers supposed to be anti-authoritarian? Isn’t herding hackers like herding cats? Not here. Oops, I’m wrong. A departing group breaks up and scatters rather than making it to the exit. Priest catches on within seconds. He points them out one by one: “I told you, out. Now.”

When he has cleared the room of all but those of us playing the hacker war game, he comes over to us, now relaxed. I gesture at Fangz.
“I don’t want to leave until everyone else is out of the room. I worry about physical sabotage of my Bastard Operator from Hell entry.”

“No problem.” He lets me be the last non-staff person out.

###

Saturday morning. July 10, 1999. I’m waiting by the pool for the con to reopen. A swarthy fellow speaks. “Carolyn, I’m a friend of Zyklon.”

“Can you tell me just why, when he hacked the White House Web site, he called me a crack whore?”

“I’ll ask. By the way, I have your Happy Hacker book. Loved it.”

I can’t resist plugging my book. Buy out the latest printing, folks, and maybe I’ll shut up. Maybe not:)

###

The hacking game is in full swing. A dumpy little fellow comes over to me. “Hi, remember I called you on the phone? I’m a reporter from Rolling Stone. Can you tell me why so many hackers hate you so much? They won’t ever tell me why, they just say ‘Carolyn sucks.’”

“They don’t all hate me, just some noisy ones. Why don’t you talk to these young people?” I introduce him to a group of teenage boys who have clustered around me to get hints about my entry in the game: “Fangz.” Stuff like I tell them to use the pasv command to make its ftp server work. Sorry, Fangz is a little primitive, but the fewer features on its services, the harder it is to hack. Hey, give us credit, it’s RFC compliant and at least we don’t force players to use tftp, or cut and paste stuff through a terminal emulation program!

The teens crowd around the reporter. “Tell people most hackers are good guys! We don’t commit crime! We make the Internet a better place!” they chorus.

A tall, thin young man in skinhead garb and haircut walks up and hands me a flyer. It is about the new Web site, “Netcriminals.org.” It has a fake dossier on me, along with fake dossiers for several other people.

Skinhead asks, “Do you know who I am?”

I shake my head.

He gives a tight grin. “Netmask.”

Netmask. It is the first time we have met in real life, yet over the years he has occasionally sent me demented, obscene, yet humorous emails. Some people might say he must be my kind of guy, but ask my fellow choir members at St. Luke, I’m just a sweet old lady. Anyhow, Netmask and I had spoken once on the phone, or perhaps I should say, had spoken once that he had admitted to being Netmask. His erotic fantasies remind me of the man, or group, that has done major damage to almost every Internet Service Provider I had ever used: GALF.

Netmask’s Web site -- 303.org -- features pictures of his 303 gang mowing down aspen trees with machine guns, dancing around a table covered with exotic guns, firebombing a car, and at one time it included instructions that presumably were meant as a humorous parody on instructions on how to molest children (under cocksoldier.com, hosted on the same box). They live near the Columbine school district near Denver. Netmask runs the kind of gang that could make reporters go nuts for a chance to interview him. I can see the headline, “Goth gun and bomb nut hackers run rampant in Columbine school district.” But I will resist the temptation to write lurid stuff about them, just check out http://www.303.org for yourself, if it is still up.

Just before Def Con, Netmask had emailed me, “You up for a little hacker death match with me on friday? (at con)”

I replied, “Sure on death match, if you'll talk with me afterward. My aim might be off, I'm used to beating up outlaw horses with well-aimed kicks, the half ton class opponent is kinda exhilarating. Haven't sparred with a human in a long time. Dunno why humans are afraid of me :):)”

I was just kidding, I swear! I just give wild horses “love taps” when they attack me, is all.

Hacker Death Match. That consists of putting on bulky foam rubber “sumo suits” and trying to knock each other down or out of the ring.

Netmask had emailed back, “Im gonna pass on this actually.... Keeps me out of the media.. and keeps you less in the media..”

Just now I am wearing karate shoes. It’s my Deadly Granny outfit. Make muggers quake in their boots when they see me. Netmask is staring at them. The karate shoes, I mean. His martial art is kick boxing. He looks up. We stare at each other awhile. Then I lean forward within six inches of his face and whisper, “The reason I respect you, is you aren’t a crybaby like the others.”

He ducks and rushes off.

###

Two PM. I had gotten press credentials earlier that day from an elderly oriental man so I could get into the front row with a tape recorder to cover the Cult of the Dead Cow. They are about to introduce their new program to enable people to break into computers: Back Orifice 2000.

Priest gets up on stage to announce their imminent arrival. A voice shouts out, “There have been a lot of naked people here. Isn’t that against the law?”

Priest laughs. “This is Las Vegas.”

Another voice shouts, “What happens to the people who are running around naked?”

Priest points at him. “They get laid!” The audience roars with laughter.

Priest continues, “We have a treat for you tonight, live rock music.” Priest leaves the stage to cheers.

The lights dim, then go out. From big speakers on stage come sounds of a storm, mooing of cows and an adult voice ordering a kid over and over again to put the cows in the barn. The mooing gradually grows ominous, then ridiculously loud. Rock music breaks out as two spotlights shine on each side of the stage. They project the logo of the Cult of the Dead Cow -- a cow skull in black against a white cross. The logos rotate. In the center of the stage a video projects themes of cattle interspersed with intimidating images from Nazi and Maoist social realistic art.

Then, to cheers, the Cult of the Dead Cow gang enters from right stage, hurling glowing disks out to the audience. Nineteen of the twenty cult members prance, slouch and/or stagger up on stage.
In front of them, their master of ceremonies leaps about in a ratty white fur coat, synthetic fur chaps, a belt made of handcuffs, doing a sick parody of a Pentecostal preacher, grabbing his crotch, making obscene jokes, and leading the audience in chants of (him) “Dead!” (audience) “Cow!” (him) “Kiss!” (audience) “Ass!”

The rising lights reveal a parody of church vestments, banners with a Christian cross with the dead cow symbol in the center hanging on each side of the stage. He raises both hands over his head, palms toward the audience. “Every eight year old can hack shit! Hacking to save the world! Just don’t get fucking busted! And use a fucking spell checker!”

Long cheering and laughter come from the crowd.

“And now, the man who wrote Back Orifice 2000 -- Dildog!”

Dildog describes the features as if it is merely a “remote administration tool” as he calls it, raising snickers from the crowd. He uses LCD projectors from both a “client” (attacker) and “server” (victim) computer to show how BO2000 hides itself. When he shows the option to disable the victim mouse and keyboard and allow the attacker’s mouse and keyboard to control the victim, the crowd cheers.

They end the show with a man in red lace tights, shorts and red pasties held on with duct tape (who looks like a near terminal AIDS victim) shimmying across the stage while Deth Vegetable -- a gigantic sumo-style man in shorts -- smashes computers and a monitor with an electric guitar, the Master of Ceremonies waving his hands and screaming as he fires roman candles from a tube he clenches with his thighs against his crotch.

Afterwards I go back to the press room to check for schedule changes. Somehow I have the premonition that Brian Martin’s talk “fakes walk among us” may be rescheduled. David Akin of the Canadian publication “National Post” approaches me as I am leaving and asks “Why do so many hackers hate you? They won’t tell me anything specific. Basically they just say ‘Carolyn sucks.’”

Just then a disheveled man in an Attrition.org black T-shirt strides up yelling, “Get out of here. Only press are allowed here.”

“I have a press pass.” I show it to him.

“You aren’t a legitimate reporter! Get out of here.”

“How many FUCKing hundreds of magazine articles do I have to write before you admit I am a reporter?” Oops, I said a bad word. I’m mortified.

“We’ll consider you a reporter when you write real information!”

“Real information! Your Attrition.org site is full of libel!”

Just then the woman in charge of the press room, followed by several reporters, comes out and yells at me, “The conference staff says you are not a reporter. Give back your press pass. Now.”

Akin turns to them, “You can’t do this! You can’t pull a reporter’s credentials just because you don’t like what he or she writes!”

Somehow Priest materializes. “Come with me, I have some information for you.”

We go into a deserted room. Chairs are stacked high. I can’t believe I am actually thinking this, but the first thing that comes to mind is that this will make a great scene for the “Granny Hacker Sticks it to the FBI” movie.

Priest breaks the spell. “The press room incident. It never happened.”

“What?”

“We are explaining it to the reporters. They understand it was no big deal. You will never speak of this incident again.”

“No way.”

Puzzlement flashes across his face. He must be realizing that his nondisclosure agreement ploy has failed. “If you talk to a reporter about this, I will throw you out of the con. You *will* tell them it never happened.”

“One problem. I don’t lie.” I begin to tremble. “I ... have ... my ... integrity.”

Priest rubs his chin. I glare at him. He takes a deep breath. Time for a different ploy. “You don’t have to worry about Attrition.org. We have discredited them with the media. Brian Martin is on his way out.”

I look at him, head tilted, puzzled.

“A few months ago Brian Martin tried to get me fired.”

“Uh, huh.”

“We were talking on Internet Relay Chat. On condition of confidentiality. He sent a transcript of the conversation to my boss. Got me in major trouble.”

“All he did was violate confidentiality? Sheesh, he didn’t alter the transcript?”

“He altered the transcript. Fortunately I had my version burned into a CD-ROM. Also, two others had eavesdropped on our chat and burned their transcripts to CD-ROM, too. Ours all agreed.”

I nodded. Yeah, right. How come there are always so many fantastic stories revolving around Brian Martin and Attrition.org? We ought to nominate attrition.org for a Hugo award at the next World Science Fiction Convention. Or is Priest the one who deserves the Hugo?

Priest continues. “I want Martin behind bars. You know he was busted for the New York Times hack. Then immediately released. He’s now an unpaid informant.”

I let out a long breath. If Priest is telling the truth -- a BIG assumption -- Martin is now too valuable for the agency to expend. “I’ve heard that Martin is ops (moderator) on three Global Hell IRC channels. So was he the one who got Zyklon busted for the White House hack?”

Priest shrugs.

“Is he informing on Global Hell?”

He throws up his hands. “We have so much on our plates we can’t even pay attention to Global Hell.”

“But they claim to be the ones hacking so many of those government Web sites.”

“You have no idea of what we are contending with.”

Internet startup. Get rich. Yeah, right, I hate it when people forget to stick to their stories.

I reply, “I have a problem with your informant. I had to shut down our Happy Hacker IRC server when Martin got on it. It is my opinion that he may have been encouraging kids to commit crime. I am not operating a breeding ground for crime. I’m not going to bring Happy Hacker IRC back up until I get a more reliable group of moderators.”

“Contributing to the delinquency of minors is a crime.
Bring your IRC server back up and we can get Martin behind bars.” “How?” “Your network is located in Texas. Under Texas state law, even though Martin and any kid he involves in crime are both out of state, if discussions about committing a crime happened on a computer within Texas, that’s conspiracy. They’ll extradite both parties.” “I can’t do that. I will not expend some teenager to put Martin behind bars. I will not bring up our IRC server until I can make sure we can keep the criminals off.” And, I thought, not until we can keep FBI agent provocateurs out. “So, am I going to have to kick you out of the conference?” “My publisher would be overjoyed. Great publicity. Believe it or not, two independent groups have approached me about doing a movie. Getting kicked out would be a GREAT dramatic device.” Oh, man, I can almost taste the Granny Hacker from Heck movie! “But what do you want?” “I want to stay. I want to see if Fangz can win the Bastard Operator from Hell contest. But even if it does, I presume the conference organizers will come up with an excuse to deny us the prize.” “Yes, but at least you will know you won.” When I return to the game, I see someone at the console of Fangz. “Excuse me, that’s my computer. The rules say you have to hack it remotely, not from console.” “I was just checking to see whether it was broken.” He goes back to messing with the console of the computer next to Fangz, his entry in the Bastard Operator from Hell contest. A fat man with disheveled black hair and ragged beard and sloppy clothes joins him. The disheveled man slides a CD-ROM into the drive. They are violating the rules by changing their operating system. Again. A little later I see Priest walking by. I run over and hail him. “Excuse me, what is your real name?” He pauses in mid stride, looking so off balance I wonder if he might fall. His mouth flaps open and shut. 
Finally he sputters, “You must be kidding.” “I thought it was worth a try.” He falls back into his fast stride and disappears into the crowd. Poor Priest, he doesn’t realize yet that he has just persuaded an investigative reporter, yes, the Granny Reporter from Heck, to learn everything she can about him, stuff like his .bash_history (real hackers use tcsh) and maybe even his real name. ### To be continued: Jon’s lightning reflexes keep Joltcan.c exploit from DOSing Fangz; Michael Schiffman beefs up his muscles with a bicycle pump; fat guy who keeps on changing the operating system for his BOFH entry howls with rage about how mean and nasty Fangz is when people try to break in (recorded in real-audio, to be available from this web site); Granny Hacker from Heck gets into trouble, but a giant Texan interior decorator rescues her. Granny Hacker Visits Def Con - Part 3 Thursday, July 22, 1999 at 0:01:12 by Carolyn Meinel - Writing For AntiOnline Saturday, July 10, 1999. After dinner, I return to take a turn guarding Fangz. Jon points to a stain on the linen covering the table where Fangz sits. “Someone tried to kill it by pouring a can of Jolt at the keyboard. Also, the power has been turned off four times since you left. They are getting ugly.” He laughs. “I let someone reboot into single user mode as root. He changed the root password to ‘crackwhore.’ He was pissed when he rebooted and couldn’t get into root over the network.” Oh, yes, I knew what that was all about. He had set it up so root from console couldn’t write to the password file. We both snicker. Then I grow sober thinking of the hazards of people frequently turning off our power. The operating system we use can sometimes be destroyed if the power goes off while a file is being written to the disk. Kernel panic! Some hackers gather around me talking about the latest Web site hacks. They say the Defcon.org site is down because someone defaced it with parodies of the Antionline and Happy Hacker web sites. 
I didn’t do it! Honest! Um, John, what about you?

They have an even better story about why Martin’s Attrition.org site is down for Def Con. Somehow the title of the index.html page changed to “Temple of Hate.” That’s what Antionline’s John Vranesevich and I like to call it. Then, mysteriously, just after it sprouted the “Temple of Hate” slogan, Attrition.org went down. (Later Martin explained that his webmaster had changed the name on purpose, that it wasn’t hacked, honest! And, just by coincidence, a hard drive failed right after the “Temple of Hate” headline went up. Just by coincidence, as soon as they got Attrition.org up again, they decided to change the headline to “We are the people our parents warned us about.” I didn’t do it! I swear! Repeat after me, “Hacking Web sites is childish.” Besides, why would I hack my own publicist?)

At fifteen minutes before 10 PM, Priest comes in to shut down the room. “You. Out. Now.” Hackers meekly file to the doors.

I go to my hotel room at the Hard Rock hotel across the street, and change into a short red velvet dress and black tights. This is for the formal “Black and White” ball. Then I sashay back to the Alexis hotel. I’m glamorous granny now, honest!

In the lobby, two of the Trumpbour brothers greet me. They thank me for bringing our Happy Hacker Wargame team and some computers to their Summercon hacker gathering a month previously. “Def Con has a bad atmosphere. We like to keep our con pleasant.” I thank them for keeping alive the ideal of true hacking. Folks, if you go to just one hacker con next year, try Summercon. It's run by real hackers, people who use their real names, not a bunch of fictitious characters such as Priest.

Speak of the devil, Priest walks by just now dressed like a priest. I flash him my winningest smile, but he acts like he doesn’t see me.

I begin walking through the lobby toward the Def Con ballroom. A voice behind me yells, “Carolyn!
Why did you tell the FBI that I hacked the New York Times?”

I turn and see a man so muscular that he looks like a bicycle pump has inflated him. By contrast, his narrow head sits on a skinny neck. He is wearing a tank top that shows off his tattoos. His muscles quiver with what I suspect might be rage. Behind and beside him is a crowd of kids that look like they average fourteen years of age. They goggle at us like spectators at a bull fight.

I scan the group. I don’t recognize any of them. “Excuse me, but I don’t believe we have met.”

Mr. Steroids says, “We have met. Several times. Think.”

I scratch my head, rub my chin. I simply can’t think of having ever met anyone who gives the impression of being seriously pumped on steroids. I study his face. Steroids shouldn’t change that too much. Still doesn’t ring a bell. “Give me a hint.”

“You know me. You told the FBI I hacked the New York Times.”

I wonder if the FBI had tried to force him to become an informant. Did some agents do to him exactly what they did to me, claiming to have evidence that they really didn’t have? When they came after me for supposedly hacking the New York Times, I had told them to, um, “fword” themselves.

Seriously, I am against computer crime and am happy to help the FBI catch criminals. But I refuse to be an undercover informant and I oppose the use of undercover informants. OK, time for major soapbox speech here. IMNSHO, our taxpayer money should not fund the FBI to run around encouraging computer crime all in the name of some undercover operation.

But, then, maybe I’m just paranoid. Maybe the FBI doesn't run Def Con. Maybe it is mere coincidence that Jeff Moss, who bills himself as the man who owns the Def Con conferences, is a full-time employee of Secure Computing, Inc. To be exact, the registration for Defcon.org reads:

DEF CON (DEFCON-DOM)
   2709 E. Madison
   Seattle, WA 98112

   Domain Name: DEFCON.ORG

   Administrative Contact, Technical Contact, Zone Contact:
      Moss, Jeff (JM27)  jm@DEFCON.ORG
      206-626-2526 (FAX) 206-453-9567
   Billing Contact:
      Moss, Jeff (JM27)  jm@DEFCON.ORG
      206-626-2526 (FAX) 206-453-9567

Maybe it is coincidence that the Secure Computing web site claims that it “is the market share leader in providing network perimeter security to the U.S. Federal government.” (http://www.securecomputing.com/C_Bg_Hist_FRS.html) Maybe the whole Priest thing is just a guy having mostly harmless Vogon fun by being a fictitious FBI agent.

I’m wondering if the FBI really had told Mr. Steroids I had provided evidence against him. Is this how their Quantico academy teaches FBI agents to nullify recalcitrant reporters? Run around questioning, raiding and arresting people and telling them I provided the evidence? For once I’m dead serious here. Besides Mr. Steroids, Pete Shipley and his dis.org gangmates Ph0n-E and Cyber say the FBI has questioned them at length about allegations the FBI claimed I had made against them. Do you know what it feels like to have weird looking guys trembling with anger accusing me of getting them in trouble with the FBI? But then again, maybe the FBI isn’t doing anything of the sort and all these guys are just making up these stories.

Anyhow, you’re tired of my rant, so let’s get back to the story. Serious mode off. Humor mode on.

Steroids reaches into his jeans pocket and pulls out a battered wallet. “OK, I’ll give you a hint. Look at this.” He shows me his driver’s license, trembling in his hand. It says “Michael Schiffman.” His buddies draw closer, menacing. Er, as menacing as a gaggle of 13 through 15 year olds can get. Darn, I’m not wearing my karate shoes. They are staring at my 38 D bosom instead. I put on my best politician smile.
“Michael Schiffman, nice to meet you!” Now I know who he is, a man better known as “Route” or “Daemon9.” He got mad at me long ago when I told my Happy Hacker mailing list that I opposed his hacker ezine, “Phrack.” In my opinion, he encourages people to commit senseless digital vandalism.

“Why did you tell the FBI that Modify and I hacked the New York Times?”

I thought fast. I could remember telling the FBI’s Tracy Baldwin that it was my opinion that there was only a 2% chance that Michael Schiffman could have been part of Hacking for Girliez. I had thought that was my way of debunking the idea he was involved. I figure it won’t do any good to tell him about the 2% bit, he’s too mad to grasp nuances just now.

I reply, “The FBI told me that *I* hacked the New York Times.”

Schiffman puffs out a breath. He looks like an impatient school teacher waiting for a slow student to get the right answer. OK, a psychotic teacher with steroid poisoning. He’s shaking. “Why did you tell them we did it?”

“Modify hack the New York Times? Now that’s ridiculous. Why would I say that to the FBI? He couldn’t hack his way out of a paper bag.”

Schiffman and company begin shouting, “Modify can so hack,” “Crack whore,” and other brilliant intellectual observations.

I brilliantly retort, “I don’t have to listen to this.” Would they jump me? Was I about to be mobbed by children while not wearing karate shoes? I figure I am safer acting like they could not be any threat than by taking a martial arts defensive stance. I turn on my heel and walk away.

I enter the main ballroom at midnight -- time for Hacker Jeopardy to start. This is a takeoff on the TV quiz show, “Jeopardy.” To get to the empty seats on the far side of the ballroom, I walk around the back. In the middle of the back row I see a familiar face: Modify and three others are standing on their chairs. Are they trying to be noticed?
As I pass them, Modify hands me a business card reading “Attrition.org -- We don’t play well with others.” Oh, yes, isn’t that a line from the movie “Hackers”? Does this mean they are trying to get a movie deal, too, something like “How Attrition.org Stuck it to Priest (whoever the heck he is)”?

The guy standing on the chair next to Modify hisses at me, “You’d better watch out.”

I stop to look over the guy who hissed at me. Yes, it must be Brian Martin. It has to be. He is standing next to Modify, his bosom buddy. But Martin, once buff, showing off his muscles with a tight T-shirt at previous Def Cons, has wasted away. He’s downright skinny now. Some two inches of his hairline has balded. The man is only 25 or 26, I think. Are those wrinkles on that sagging, emaciated face? Is that a stoop to his shoulders? The pressure of being my publicist, dealing with that non-hack of his attrition.org web site, and Priest’s attempts to brand him a narc and discredit him with journalists must be wearing him down.

Priest tromps up on stage. “Is there anyone who needs to do anything before the game starts?” A transvestite prances up to Priest, clad in a tiny sheath evening dress. Someone throws the girlie a condom. S/He lifts his/her skirt to reveal a red sequined jock strap that appears to be rather full, and inserts the condom in it. S/He wriggles off stage, a pied piper leading a gaggle of boys out of the ballroom.

###

Sunday morning some dazed-looking guys are lounging by the pool. One is the fellow who is managing the entry in the Bastard Operator from Hell contest that sits to the right of Fangz. I walk over and give him a cheery hello. He and his comrades start howling, “Your computer is stupid. It’s broken. It sucks.”

I ask, “Why?”

“Because it’s yours.”

“Because the C compiler is broken.”

I say, “Other people have compiled programs on it.
Why can’t you?”

“Because they fixed the compiler.”

I say, “That’s called hacking.”

###

Later that morning, there is great cheering as the Ghetto Hackers break into one computer, then another, then get “half a hack” on a third. At 1 PM the game is called to a close. Ghetto Hackers have won the “Capture the Flag” part of the contest. Of the remaining nine computers, the winner in the Bastard Operator from Hell is, in theory, to be awarded to whomever had been running the most services. That, I hope, means Fangz.

I notice a crowd gathering. Priest is there. I ask him, “Is it OK to take down our equipment now?” He nods. Jon and I begin taking the system apart, unplugging the Ethernet hub, power, etc.

A kid from the Penguin Palace booth comes over and begins interviewing me on tape. “Carolyn, your box finished the game without being rooted. Does this mean you’re elite?”

“No, it just means Fangz didn’t get rooted.”

The fat, disheveled guy with the box next to Fangz begins shouting, “You didn’t get rooted because the hackers here are no good. They didn’t root my box and it had plenty of holes.”

I reply, “You mean the Ghetto Hackers are no good? That’s not a fair comparison, you kept on changing your operating system from console.”

“I cheated? I had FreeBSD on it for twelve hours! People did so have plenty of time to try to break in!”

“Are you saying the Ghetto Hackers are no good?”

He rubs his chin, thinking this one over. As I watch him, I suddenly realize who he is. Bluto, from the Popeye cartoons. Aha, I have pierced yet another hacker identity.

Finally Bluto looks me in the eye and yells, “You cheated! Your box broke the rules! You have to be able to remotely administer it! That’s the rules of the game!”

I look bewildered. “Wait, I distinctly heard them say you are *allowed* to administer it remotely, and forbidden to administer it from the console. They didn’t say we were *required* to do remote administration.”

I realize a crowd has gathered. Shipley is among them.
Bad sign. A skyscraper of a man looms to my right. It’s the giant Texan interior decorator. He holds a keyboard menacingly in his right hand, staring down Bluto. Good sign.

Bluto yells again, “Can you remotely administer this box? Answer me now!”

“Well, um, er, it doesn’t have secure shell, we have to telnet in to do anything.” I’m embarrassed.

“Prove it! Create an account now!”

“But we just took the system down...”

“Prove it! Prove it!”

Priest looms behind Bluto. He’s staring into my eyes. “That’s it, Carolyn. We just used up our last chit at this hotel. Last night some fucking idiot tried to steal their golf cart. One more incident and they close down the con. You. Out. Now.”

I can hardly hear Priest for the shouting of Bluto, who is leaning awfully close and waving his arms. I make out strangled sounds like “non RFC services ... broken C libraries...” The Penguin Palace kid is still tape recording. The giant Texan interior decorator is still leaning over the table wielding Fangz’ keyboard like a weapon, in the face of Bluto. I hear a voice shouting, “It’s not fair, she isn’t causing the disruption.”

Priest hisses at the kid with the recorder, “If you publish it, I’ll sue you.” Then he stares at me. “You. Out. Now.”

I get this sinking feeling. “Does this mean otherwise you will strap us into chairs to listen to your Vogon poetry?”

A guy in a Def Con Goon shirt hisses, “Resistance is futile.”

Priest’s eyes glaze over as he recites, “Or I will rend thee in the #dc-stuff channel, see if I don’t!”

My mind comes up with a “don’t panic” scenario. “Actually I quite like your poetry.”

Priest’s mouth flaps open and shut. “You do? Tell me more.”

“Er, ... interesting rhythmic devices...”

The giant Texan interior decorator springs to my defense. “Counterpoints ... the surrealism of the underlying metaphor...”

A dreamy smile softens the lumpy surface of Priest’s face.
“So what you’re saying is I write poetry because underneath my mean callous heartless exterior I really just want to be loved?”

“Yes, yes!” the giant Texan interior decorator and I urge him.

“No, well, you’re both completely wrong, I just write poetry to throw my mean callous heartless exterior into sharp relief. You. Out. Now.”

As we exit the hotel, walking by the pool, Priest trots up and tries to draw me aside. “We need to speak privately.”

I think for a minute. Maybe he has reconsidered. Maybe he just wants me to sign that nondisclosure agreement after all and make me rich. Or could it be, shudder, more Vogon poetry? I gesture at Jon and the giant Texan interior decorator. “We can speak with them here.”

“No, this is private.”

“Then we can’t talk.”

Jon, the giant Texan interior decorator and I pile into our rental car which the Happy Hacker Godfather has managed to materialize. Shipley is leaning into the window to snap one last picture of me. His lips part in a snarl. No fangs. I flash him a smile.

Postscript: Just as I had anticipated, Priest rescheduled Brian Martin’s “Fakes Walk Among US” talk. To be exact, he rescheduled it to /dev/null (“device null” for you non-Unix wizards). Martin refused to take the affront passively. He gathered a handful of people by the pool side to recount his stories about Antionline’s John Vranesevich and me. He may win this year’s Hugo yet.

Want to find out why fictitious characters variously claiming to be with the FBI or a hot Internet startup recite Vogon poetry at me? See http://happyhacker.org for our “mostly harmless” instructions on how to break into computers. Happy hacking, and watch out for us grannies from heck!

Oh, I almost forgot. Buy my book, The Happy Hacker: A Guide to Mostly Harmless Computer Hacking. Resistance is futile.

Granny Hacker vs. "Bluto" via RealAudio:
The Granny Hacker From Heck and "Bluto" go head to head by the pool:
http://www.antionline.com/RealMedia/CarolynvsBluto.ram

Granny Hacker From Heck Book Plug:
Does your local bookstore say they have to special order The Happy Hacker? You don't want to wait several weeks to get it through Amazon.com? You can get the book fast for only $35. For US customers, this will include Priority 2nd day delivery. Send your check or money order for $34.95 (this includes shipping and handling) made out to Happy Hacker, 4 Fawn Rd., Cedar Crest NM 87008.

@HWA

33.0 FidNet Causing Massive Confusion
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

There seems to be a lot of confusion around this new plan, proposal, draft or whatever it is regarding FidNet. This new Federal Intrusion Detection Network is designed to protect the nation's infrastructure from cyber attack. HNN has only been able to find parts of the document and has not read all 170 pages of it, but from what we have found this network would actually be run by the GSA and not the FBI, it would only monitor government owned systems, and there is a provision for privacy concerns. This document is not finalized nor has it been officially released; until then this plan needs to be closely watched. (At least the government is doing something other than executing stupid search warrants.)

Center For Democracy & Technology - Contains Transcripts of Parts of the Report
http://www.cdt.org/policy/terrorism/fidnet/

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2304083,00.html

MSNBC
http://www.msnbc.com/news/294532.asp

ZDNet;

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

U.S. backs off private monitoring

By Maria Seminerio and Margaret Kane, ZDNN
July 28, 1999 2:26 PM PT
URL:

With criticism rolling in from all quarters, U.S. government officials on Wednesday backed away from a controversial plan to monitor private-sector networks for hacking activity.

The proposed Federal Intrusion Detection Network (FIDNET) plan, details of which were revealed by the New York Times Wednesday, has been in the works for at least a year, a National Security Council spokesman told ZDNN. The proposal for the government to monitor critical systems for security breaches arose out of concerns about the growing vulnerability of government computer networks and sensitive private-sector networks to hackers, the spokesman said. (The NSC advises the president on national security issues.)

But in spite of indications in a government document on the plan obtained by the Center for Democracy and Technology -- which indicates that private networks would also be watched -- the NSC spokesman denied that there is any plan for the surveillance of private online data.

The document outlining details of the plan says the FIDNET monitoring system would cover "critical government and ultimately private-sector information." Information gathered about network security breaches within one of the plan's three "pillars" -- the Department of Defense computer network, other federal networks and private sector networks -- "would also be shared with the other two pillars," according to the document.

The document coalesces with comments made by Jeffrey Hunker, senior director for critical infrastructure at the National Security Council, at the Black Hat Security Conference in Las Vegas earlier this month. "We depend on systems that were never meant to protect data from an organized threat," he told ZDNN. "The truth of the matter is that you all [the industry] own the systems that are going to be the target. It is not the federal government systems."
"We feel the government should spend its resources closing the security holes that exist, rather than to watch people trying to break in," Jim Dempsey, senior staff counsel at CDT, said in an interview with ZDNN.

In spite of assurances from government officials that any monitoring would be largely automated, somewhere down the line a person would have to step into the process, Dempsey said -- and this is where such a system could be abused.

The government document detailing the plan acknowledges that "trained, experienced analysts" will have to step in to determine the nature of any suspected security breaches.

Looking for 'anomalous activities'

But the NSC spokesman said the government does not plan to monitor private networks or read e-mail messages, but rather to "look for anomalous activities" such as evidence of denial of service attacks on military and other government networks.

This was little comfort to civil libertarians and other high-tech industry watchers, who blasted the plan as an Orwellian attack on privacy.

"I think this is a very frightening proposal," said Barry Steinhardt, associate director of the American Civil Liberties Union, in an interview. "The FBI has abused its power in the past to spy on political dissenters. This type of system is ripe for abuse," Steinhardt said.

"I think the threats (of network vulnerability) are completely overblown," said David Sobel, general counsel at the Electronic Privacy Information Center, in an interview. The perceived security threat is leading to "a Cold War mentality" that threatens ordinary citizens' privacy, Sobel said.

"The most serious concern about this is that it could move us closer to a surveillance society," said Ed Black, president of the Computer and Communications Industry Association, in an interview. "It's critical that if they do this, they should not retain any of the information that is gathered."
ZDNN's Robert Lemos contributed to this report.

-=-

MSNBC

U.S. backs off private monitoring
Under attack for its ‘Cold War mentality,’ the U.S. denies it plans to monitor private networks

By Maria Seminerio and Margaret Kane
ZDNN

July 28 — With criticism rolling in from all quarters, U.S. government officials on Wednesday backed away from a controversial plan to monitor private-sector networks for hacking activity.

THE PROPOSED FEDERAL INTRUSION Detection Network (FIDNET) plan has been in the works for at least a year, a National Security Council spokesman told ZDNN. The proposal for the government to monitor critical systems for security breaches arose out of concerns about the growing vulnerability of government computer networks and sensitive private-sector networks to hackers, the spokesman said. (The NSC advises the president on national security issues.)

But in spite of indications in a government document on the plan obtained by the Center for Democracy and Technology — which indicates that private networks would also be watched — the NSC spokesman denied that there is any plan for the surveillance of private online data.

The document outlining details of the plan says the FIDNET monitoring system would cover “critical government and ultimately private-sector information.” Information gathered about network security breaches within one of the plan’s three “pillars” — the Department of Defense computer network, other federal networks and private sector networks — “would also be shared with the other two pillars,” according to the document.

“We feel the government should spend its resources closing the security holes that exist, rather than to watch people trying to break in,” Jim Dempsey, senior staff counsel at CDT, said in an interview.
In spite of assurances from government officials that any monitoring would be largely automated, somewhere down the line a person would have to step into the process, Dempsey said — and this is where such a system could be abused.

The government document detailing the plan acknowledges that “trained, experienced analysts” will have to step in to determine the nature of any suspected security breaches.

But the NSC spokesman said the government does not plan to monitor private networks or read e-mail messages, but rather to “look for anomalous activities” such as evidence of denial of service attacks on military and other government networks.

This was little comfort to civil libertarians and other high-tech industry watchers, who blasted the plan as an Orwellian attack on privacy.

“I think this is a very frightening proposal,” said Barry Steinhardt, associate director of the American Civil Liberties Union, in an interview. “The FBI has abused its power in the past to spy on political dissenters. This type of system is ripe for abuse,” Steinhardt said.

“I think the threats (of network vulnerability) are completely overblown,” said David Sobel, general counsel at the Electronic Privacy Information Center, in an interview. The perceived security threat is leading to “a Cold War mentality” that threatens ordinary citizens’ privacy, Sobel said.

“The most serious concern about this is that it could move us closer to a surveillance society,” said Ed Black, president of the Computer and Communications Industry Association, in an interview. “It’s critical that if they do this, they should not retain any of the information that is gathered.”

@HWA

34.0 Lawmakers Want Drug Info Off the Net
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by St0n3r

First it was bomb making information; now it is drug making information. The dominoes are falling. Sen. Orrin Hatch, R-Utah, is sponsoring a large anti-methamphetamine bill, one section of which may ban this type of information from the Internet.

Nando Times

Better grab the information now while you still can.

Textfiles.com - via Attrition.org
http://www.attrition.org/~modify/texts/mirrors/textfiles.com/drugs/

Secrets of Methamphetamine Manufacture; Including Recipes for Mda, Ecstacy, and Other Psychedelic Amphetamines - Via Amazon.com
http://www.amazon.com/exec/obidos/ASIN/1559501448/thehackernewsnet

The Construction and Operation of Clandestine Drug Laboratories - via Amazon.com
http://www.amazon.com/exec/obidos/ASIN/1559501081

@HWA

35.0 Reno Wants Inet Crypto Banned
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Arik

Janet Reno, Attorney General for the United States, has called for an outright ban on the distribution of cryptography on the internet. She made statements to this effect in a letter she sent last May to German Federal Secretary of Justice Herta Daeubler-Gmelin. The attorney general's comments take her recent congressional testimony against the Security and Freedom through Encryption (SAFE) Act, H.R. 850, one step farther.

Telepolis- German
http://www.heise.de/tp/deutsch/inhalt/te/5117/1.html

Newsbytes
http://www.newsbytes.com/pubNews/99/134030.html

JYA.com
http://jya.com/reno-ban.htm

Newsbytes;

Reno Calls For Ban Of Encryption Products On The Net
By Staff, Newsbytes
WASHINGTON, DC, U.S.A., 28 Jul 1999, 5:16 PM CST

Attorney General Janet Reno, long-known for her opposition to the export of strong encryption products, has called for an outright ban of the distribution of such software via the Internet, according to a German publication.

The German magazine Telepolis printed what it said was a letter Reno sent last May to German Federal Secretary of Justice Herta Daeubler-Gmelin. The letter calls for the addressing of "risks posed by electronic distribution of encryption software."
"Although the Wassenaar Nations have now reached agreement to control the distribution of mass market encryption software of certain cryptographic strength," Reno wrote, "some Wassenaar Nations continue not to control encryption software that is distributed over the Internet, either because the software is in the `public domain' or because those nations do not control distribution of intangible items." "While I recognize that this issue is controversial, unless we address this situation, use of the Internet to distribute encryption products will render Wassenaar's controls immaterial," Reno concluded in the letter. The 1996 Wassenaar Arrangement restricts the export of high-tech equipment that can be used for military purposes to countries of proliferation concern, like Iran, Iraq and Libya. Reno's letter came as a "thank you" to Daeubler-Gmelin's and Germany's efforts to "achieve a fair resolution on encryption products" at a Wassenaar plenary session last December. (Note: Translation of the letter provided by NY Architects, http://jya.com ) Reno's proposal, if enacted eventually, would mean the end of Internet-enabled distribution of all software products using encryption, including highly popular Web browsers from companies like America Online's Netscape and Microsoft. Any communications products using encryption would also be banned from Internet distribution. The attorney general's comments take her recent congressional testimony against the Security and Freedom through Encryption (SAFE) Act, H.R. 850, one step farther. SAFE's intent is to allow the widespread availability of strong encryption for export. Specifically, the bill would relax the White House's controls on encryption export policy, and would make strong encryption products available in the US mass market available for export. H.R. 850 would also extend the relaxation of policies to other encryption-related computer products. 
In testimony earlier this month before the House Armed Services Committee, Reno restated an earlier claim that while encryption provides many important benefits to society, "the good of society requires narrow exceptions to this normal expectation of privacy."

Reno also predicted crime prevention would become much more difficult if the bill is passed, because the process to unscramble encrypted messages without the recovery key would be very complex. "That, to me, is an unacceptable result, and we must not allow it to happen," Reno added.

Reno also asked for support and funding of a centralized technical resource - "a `Technical Support Center,'" as Reno called it - within the Federal Bureau of Investigation (FBI). Such a center would support federal, state and local law enforcement in developing tools and techniques to respond to public threats caused by terrorists and criminals who use encryption.

Reported By Newsbytes.com, http://www.newsbytes.com . 17:16 CST

-=-

JYA.com
http://jya.com/reno-ban.htm

27 July 1999. Thanks to CS-H and Telepolis. Translation by JYA with Systran.

Source: http://www.heise.de/tp/deutsch/inhalt/te/5117/1.html

TELEPOLIS, 27 July 1999

The USA urges ban of encryption products on the Internet
Janet Reno pressures Herta Däubler-Gmelin

By Christiane Schulzki-Haddouti

The Federal Cabinet ended the smoldering uncertainties in the German encryption policy at the beginning of June with publication of five key points. However, the encryption debate is not ended. In the next year a further Wassenaar round of negotiations will be on the table. The US is already trying now to persuade changes in positions. For the US the liberal export politics of the Europeans is a thorn in the eye. It therefore tries to close the last gaps. At the end of May US Attorney General Janet Reno requested in a letter (below) that Federal Secretary of Justice Herta Däubler-Gmelin control distribution of coding software which is becoming common "over the Internet."
In addition it also positions "Public Domain" products. Reno's view is that the "use of the Internet to distribute encryption products will render Wassenaar's controls immaterial." At the end of year 2000 the Wassenaar agreement is to be negotiated; it regulates among other things the export of encyption products. Until then the USA wants with the 33 Wassenaar member states to develop a broad consent. It is strange that the letter was addressed to the Federal Department of Justice and not to the Federal Ministry for Economic Affairs, which, together with the Federal Ministry of the Interior, is responsible for encryption policy. The Americans probably well-know that the responsibilities are distributed within the German Federal Government. Therefore it is to be accepted that they figure a discussion with the Ministry of Justice has a larger chance of success. The Federal Department of Justice did not want to confirm to Telepolis the existence of the letter. From the outside the ministry it means, however, it already has given several letters of the same request. It is now working on a letter in reply. However, it is not well-known whether the answer to Reno's unjustified demand is to fail. Arne Brand of the virtual local association of the SPD is annoyed about the "concealment policy" of the Federal Government: "a cover broad I nevertheless only over a thing out, if I do not have an own point of view, but me the line of others to attach would like". 
Encryption export policy as politico-economic instrument Also, Hubertus Soquat, adviser in the Federal Ministry for Economic Affairs, did not want to confirm the existence of the letter; he nevertheless referred Telepolis to the basis of the encyryption benchmark figures adopted by the cabinet as clearly a position: "possibly the demand" the American placed into that the area to adjust in the future also encryption products in the "Public Domain" category to counter German encryption policy, which is based on the free availability of encryption products. The free availability covers the range from development up to use by the user. The Federal Government cannot therefore meet "possible American demands." Soquat is convinced of the fact that "encryption export policy is being handled as a politico-economic instrument of the USA, at least." Thomas Roessler, spokesperson of the "Foerdervereins information technology and society " (FITUG), sees the Reno letter as an attempt to keep "electronic interception capabilities of American and allied authorities in force for as long as possible." He says that such export control would have absurd consequences: "A computer journal, which contains a supplement CD-ROM on free cryptographic software, might not be sold at the kiosk anymore, or only by license to certain foreign customers. Also the publication of free cryptographic software for general access over the Internet would no longer be easily possible." Besides, says Roessler, already the 1998 results of negotiation would contradict which cryptographic mass market software to export control, the actual purpose of the Wassenaar agreement. This consists of contributing "to regional and international security and stability as transparency and larger responsibility with the transfer by conventional weapons and dual-use goods and - technologies promoted and thereby destabilizing accumulations of such - goods and weapons are prevented." 
Moreover, "bona fide" civil transactions are not to be obstructed. Roessler: "The use of strong cryptography is standard practice today; the transactions being controlled here are quite obviously bona fide civil transactions." The notion that free or mass-market encryption software could cause an internationally destabilising imbalance of military strength is "absurd." Reno's letter, says Roessler, has nothing to do with the avowed goals of the Wassenaar Arrangement "but with the attempt to keep the electronic surveillance capabilities of American and allied agencies in force."

According to Electronic Frontiers Australia (EFA), the export of "public domain" crypto software is already prohibited in Australia, the USA, New Zealand, France and Russia, since these states do not apply the "General Software Note" of the Wassenaar Arrangement. The reason is not known to the EFA. Ingo Ruhmann of the Forum InformatikerInnen für Frieden und gesellschaftliche Verantwortung (FIfF) regards Reno's attempt to subject encryption systems to stricter control as "thoughtless handling of essential fundamental rights in democratic states."

It is already foreseeable that the "General Software Note" will play a central role in the run-up to the Wassenaar talks. A declared goal of the USA is to prevent the downloading of encryption programs over the Internet. The treatment of "public domain" encryption software will also be on the agenda, and the definition of the term "public domain" itself is still disputed. The Wassenaar Arrangement describes it as software that has been made available "without restrictions upon its further dissemination." In legal usage, however, the term designates works free of copyright. The critical point: by the letter of the wording, it is enough to exclude further distribution on CD, or distribution without documentation, for software no longer to count as "in the public domain."
What is now being sought is a definition for a product that is accessible to everyone and freely available.

Source: http://www.heise.de/tp/deutsch/inhalt/te/5117/2.html

The letter from Janet Reno to Federal Minister of Justice Herta Däubler-Gmelin, sent at the end of May:

Dear Minister Däubler-Gmelin:

I wish to thank you and your Government for your efforts to achieve a fair resolution regarding multilateral export controls on encryption products at the recent Wassenaar plenary session on December 2-3, 1998. While no Nation, including the United States, was completely satisfied, I think we made significant progress toward a regime that can support the interests of national security and public safety in the face of the challenges posed by the increasing use of encryption internationally. Given the divergent cryptography policies that the Wassenaar Nations have supported in the past, and the continuing controversy that cryptography policy continues to generate, that 33 Nations managed to find common ground augurs well for our future ability to find solutions that satisfy the divergent needs of privacy, electronic commerce, national security, and public safety.

Much work remains to be done. In particular, I believe we must soon address the risks posed by electronic distribution of encryption software. Although the Wassenaar Nations have now reached agreement to control the distribution of mass market encryption software of certain cryptographic strength, some Wassenaar Nations continue not to control encryption software that is distributed over the Internet, either because the software is in the "public domain" or because those Nations do not control distribution of intangible items. While I recognize that this issue is controversial, unless we address this situation, use of the Internet to distribute encryption products will render Wassenaar's controls immaterial.

I look forward to our continuing discussions on these and other issues. And again, thank you for your past and future considerations of these issues.
Sincerely, Janet Reno Source is the editors at JYA @HWA 36.0 CCC Camp Happens Next Weekend ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by TurTleX and tacscan In an open field next to a lake near Altlandsberg, outside Berlin, Germany several thousand people are expected to gather under tents with their computers. The Chaos Computer Club Camp will be taking place next weekend. Along with things like a 34MBit Internet link, discussions on cryptography and the Linux Death Match one of the scheduled events may be underwater lock picking. Industry Standard http://www.thestandard.net/articles/display/0,1449,5672,00.html?home.tf Computer World http://www.computerworld.com/home/news.nsf/all/9907272hackhol HNN Cons Page http://www.hackernews.com/cons/cons.html Industry Standard; July 27, 1999 Chaos Club Takes Hackers on Holiday By Mary Lisbeth D'Amico MUNICH – Hackers looking to get away from it all and at the same time hone their skills, will set up tents in a field near Berlin next week as part of a three-day event sponsored by Germany's premier hacker group, the Chaos Computer Club. "Nerds, hackers and phreaks from around the world," as the club calls them, are gathering Aug. 6 through 8 in Altlandsberg, near Berlin, where they will split their time between partying, swimming in a nearby lake and engaging in contests that test their hacking prowess. The club will provide electricity and Ethernet access in every tent. A special network will be set up so users can practice and hook up to the Net. Although press is allowed, journalists must be on their best behavior, the club says. Reporters must pay like everyone else, must wear a badge clearly identifying themselves, may not take pictures and may only quote those who consent to be interviewed. Pre-registration is already closed for the event, according to the club Web site, but those that show up with 150 marks (US$82) can try their luck. 
The grounds can comfortably fit between 1,500 and 2,000 people. Business visitors – defined by a club publication as anyone who is "rich or working for a company or government that wants you at the camp because there is a lot to learn or you have a certain commercial interest," are asked to pay 1,500 marks (US$820). Spaces remain for this type of participant. The camp will be divided into theme villages – including lock picking, cryptography and re-engineering – where participants can choose the topic that most interests them. A typical event will be the Linux Deathmatch, a real-time hacking competition in which teams of one to three players will try to hack one another. Participants can also propose their own topics to the event's sponsors. One group has also announced a "Hack the NT" contest, and the lock-pickers' project is even eyeing "underwater lock picking in the lake nearby." Mary Lisbeth D'Amico writes for the IDG News Service -=- Computer World http://www.computerworld.com/home/news.nsf/all/9907272hackhol 37.0 Computer Criminal Busted in UK ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From HNN http://www.hackernews.com/ contributed by tacscan A UK man has been arrested and released on bail for allegedly breaking into the computers of the CurrantBun.Com Web site. The arrest was conducted by members of the Computer Crime Unit based at New Scotland Yard. CurrantBun.com is the portal of Britain's most popular newspaper, The Sun. After the break-in the personal information of over 50 people was distributed via the internet. The Register http://www.theregister.co.uk/990726-000006.html Posted 26/07/99 1:57pm by Tim Richardson Man arrested over alleged hacking offence A 19-year-old man has been arrested in connection with the alleged hacking of a Web site owned by a Wapping-based business premises. The man -- who has not been named by police -- was arrested last Wednesday and released without charge. 
He was bailed to appear at Holborn Police Station in October pending further investigations. It is understood the arrest was part of a special operation conducted by the Computer Crime Unit based at New Scotland Yard. Last month the CurrantBun.Com Web site was hacked and the personal details of 50 people were published on the Net. CurrantBun.com is the portal of Britain's most popular newspaper The Sun which is based at Wapping, London. David Habanec claimed responsibility for the alleged break-in at CurrantBun.com. At the time he made no secret that he was responsible and went out of his way to court publicity over the alleged intrusion. He even published details of how he carried out the breach of security. In an exclusive interview with The Register Habanec said he did it to gain notoriety among the Internet community. He also alleged it was part of a revenge attack against Cheshire-based ISP Telinco, the company that provides the network for CurrantBun.Com. ®

@HWA

38.0 Researching an attack (KeyRoot)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.pure-security.net/

____ ______ __ ___ _____ ____ __________ / / / ___/ \ \/ / / \ / \ ____ /___ ___/ / /__ / /__ \ / / <> / / __ \ / \ / / / ___/ / __/ / / / _/ \ / / __ \ / / / \ / /__ / / / /\ \ \____/ \ / \ \ /__/\__\ \_____/ /__/ \_/ \__\ \____/ \__\

http://www.weownyourlives.forever

RESEARCHING AN ATTACK
by Mnemonic
xkyller@hotmail.com
7/27/99

=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-==-=-=-=
KeyRoot KeyRoot KeyRoot KeyRoot KeyRoot KeyRoot
=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-==-=-=-=

Contents:
01 - Intro
02 - Web browsing
03 - Port scanning
04 - Determining the method of penetration
05 - Making the attack
06 - Ok that's it

=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-==-=-=-=
Shouts to GRiDMAN for suggesting the topic to me
=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-==-=-=-=

01 - Intro

I don't know why it wasn't obvious to me to write about this earlier.
Although I'm sure the main audience that keeps reading past the intro will be script kiddies, I thought about it for a while and decided to go ahead and release it. This white paper is aimed at people who want to single out a system and mount an organized attack on it, rather than attacking some random system that happens to be exploitable through a particular flaw. I hope I can be of some help to new security professionals, other hacker types, or anyone else who breaks into systems. When you plan on breaking into someone else's system, plan on paying the consequences if you get caught. If you don't want to get caught, take the necessary precautions. You still might get caught.

=-=-=-=-=-=-=-=-=-=

02 - Web browsing

Once you know what system you're attacking you have to gather some general information about it: what platform it runs, what applications, things like that. A lot of the time you can do this just by looking through their site. As you look through it, take note of what it's running: whether it says what operating system, web server, firewall, administrative tools or CGI scripts are in use, and remember which versions are in use as well. The difference between version 1.0 and 3.0 can be the difference between a possible attack and no attack. FTP or telnet banners can also reveal information about the system.

=-=-=-=-=-=-=-=-=-=

03 - Port scanning

Port scanning is always a good idea, whether you know anything about the system or not. In many cases the results of a port scan show you what operating system is being run: a Unix machine wouldn't normally be running NetBIOS, and an NT machine wouldn't be running mountd. Beyond that, the Internet services that are running give you the different ways you might break in. If you know the system is Linux and is running qpop or nlock or some other exploitable program, there's a possibility you can penetrate the system that way.
You should keep a temporary log of all the port scanning you do so that you can use the information when you actually make your attack. Here is an example of a very short port scan:

KeyRoot Port Scanner (KeyScan) v1.0 by Mnemonic

Scanning ip address 127.0.0.1 on ports 21, 23, 56
Scan started 3/6/2020 1:08 am

127.0.0.1 21 23

Scan completed 3/6/2020 1:10 am
KeyRoot owns you

I just scanned three ports on my local machine. Two of them were open (21 and 23), so I can pretty much assume I am running FTP and telnet. Other types of scans can determine which applications are running on specific ports.

=-=-=-=-=-=-=-=-=-=

04 - Determining the method of penetration

Now you should know just about everything you need in order to make an attack. When you know what the system is running you basically know what it's vulnerable to. You can run a publicly available exploit, write your own, or use a publicly known attack to penetrate the system. In many cases a system is running programs that are exploitable only once you already have an account on it. If that's the case you're going to need to get a shell somehow, for example by guessing someone's password. Rooting the system means you have complete control over it: you have administrator rights.

=-=-=-=-=-=-=-=-=-=

05 - Making the attack

OK, so now you know how to attack the system: go do it. In most cases when you're attacking someone you need to be running the same platform they are. This isn't the case with null connections or with cross-platform exploits.

=-=-=-=-=-=-=-=-=-=

06 - Ok that's it

Ummmm... yeah... peace to all my bro's on EFNet. NtWaK0 and MostHateD and everyone else.
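Sections 02 and 03 above say that banners and "other types of scans" tell you which application sits behind an open port. The following is an added example of that, not KeyScan and not the author's code: a connect scan that also reads the greeting banner from each open port and matches it against a few fingerprints. So that it runs offline, the target is a fake server started in-process on 127.0.0.1 that answers with constructed FTP- and SMTP-style banners; the fingerprint list is a small illustrative set, not a real signature database.

```python
"""Added example (not KeyScan, not the author's code): connect scan plus banner
grab, against an in-process fake server on 127.0.0.1 with constructed banners."""
import socket
import threading

# Constructed banners the fake server answers with (they imitate the 1999-era
# greeting format; the version strings are made up for this example).
FAKE_SERVICES = {
    "ftp":  b"220 ProFTPD 1.2.0pre3 Server (ProFTPD) [target]\r\n",
    "smtp": b"220 target ESMTP Sendmail 8.9.3/8.9.3; Tue, 27 Jul 1999 01:08:00\r\n",
}

# Distinctive substring -> what the banner tells you. First match wins, so the
# specific product strings come before the generic "220 " greeting.
FINGERPRINTS = [
    (b"ProFTPD", "ftp: ProFTPD"),
    (b"Sendmail", "smtp: Sendmail"),
    (b"SSH-", "ssh"),
    (b"220 ", "ftp or smtp (220 greeting)"),
]


def classify(banner: bytes) -> str:
    """Map a greeting banner to a service/version guess."""
    for needle, label in FINGERPRINTS:
        if needle in banner:
            return label
    return "unknown" if banner else "no banner"


def grab(host: str, port: int, timeout: float = 1.0) -> tuple:
    """Connect scan of one port: returns (open?, banner bytes)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)        # most services greet first
            except socket.timeout:
                banner = b""                # open, but silent (e.g. HTTP waits for us)
            return True, banner
    except OSError:
        return False, b""                   # refused, filtered, or unreachable


def scan(host: str, ports) -> dict:
    """port -> 'closed' or the classified banner; this is the log to keep."""
    results = {}
    for port in ports:
        is_open, banner = grab(host, port)
        results[port] = classify(banner) if is_open else "closed"
    return results


def start_fake_server(banner: bytes) -> int:
    """Listen on a free loopback port, send `banner` to every client, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """A loopback port nothing listens on, standing in for a closed port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> dict:
    """Two fake services and one closed port, scanned like the sample scan above."""
    ftp_port = start_fake_server(FAKE_SERVICES["ftp"])
    smtp_port = start_fake_server(FAKE_SERVICES["smtp"])
    return scan("127.0.0.1", [ftp_port, smtp_port, free_port()])


if __name__ == "__main__":
    for port, what in demo().items():
        print("%5d  %s" % (port, what))
```

Against a real host you would call scan() with the host and the port list you care about; the fake-server helpers exist only so the example has something to scan. Note that the sample scan printed bare port numbers, whereas this records what answered on each, which is the information section 04 needs.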
=-=-=-=-=-=-=-=-=-=
KeyRoot: living your life for you
=-=-=-=-=-=-=-=-=-=

07 - KeyScan.c

-----cut-----
/* KeyScan.c by Mnemonic is just a very simple port scanner
 *
 * ____ ______ __ ___ _____ ____ __________ / / / ___/ \ \/ / / \ / \ ____ /___ ___/ / /__ / /__ \ / / <> / / __ \ / \ / / / ___/ / __/ / / / _/ \ / / __ \ / / / \ / /__ / / / /\ \ \____/ \ / \ \ /__/\__\ \_____/ /__/ \_/ \__\ \____/ \__\
 *
 * For Linux/FreeBSD
 *
 * usage: keyscan <host> <port> [port ...]
 * (the port used to be hard-wired with a #define; the target and the port
 *  list now come from the command line, as in the sample scan above)
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

char *str = "KeyScan v1.0 by Mnemonic";

/* Resolve target (hostname or dotted quad) and try to connect sock to port.
 * Returns 0 if the port accepted the connection, -1 if it didn't. */
int openthesock(int sock, char *target, int port)
{
    struct sockaddr_in blah;
    struct hostent *he;

    memset(&blah, 0, sizeof(blah));
    blah.sin_family = AF_INET;
    blah.sin_port = htons(port);

    if ((he = gethostbyname(target)) != NULL) {
        memcpy(&blah.sin_addr, he->h_addr_list[0], he->h_length);
    } else if (inet_aton(target, &blah.sin_addr) == 0) {
        fprintf(stderr, "gethostbyname(): can't resolve %s\n", target);
        return -1;
    }
    if (connect(sock, (struct sockaddr *)&blah, sizeof(blah)) == -1)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    int i, s, port;

    if (argc < 3) {
        fprintf(stderr, "usage: %s <host> <port> [port ...]\n", argv[0]);
        return 1;
    }

    printf("\n\nKeyRoot Port Scanner (KeyScan) v1.0 by Mnemonic\n\n");
    printf("Scanning ip address %s on ports", argv[1]);
    for (i = 2; i < argc; i++)
        printf(" %s", argv[i]);
    printf("\n\nScan started\n\n");

    for (i = 2; i < argc; i++) {
        port = atoi(argv[i]);
        /* one socket per connect() attempt: a failed connect() leaves the
         * socket unusable, so don't reuse it for the next port */
        if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
            perror("socket()");
            return 1;
        }
        if (openthesock(s, argv[1], port) == 0) {
            printf("%s %d\n", argv[1], port);  /* open: list it, as in the sample scan */
            send(s, str, strlen(str), 0);     /* leave the KeyScan tag on the open port */
            usleep(100000);
        }
        close(s);
    }

    printf("\nScan completed\n\n");
    printf("KeyRoot owns you\n");
    return 0;
}
-----cut-----

@HWA

39.0 Win98 Security Issues A KeyRoot/gH Advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.pure-security.net

***************************************** / \ / \ / Mnemonic Presents \ / Win98 Security Issues \ / A KeyRoot/gH Advisory \ / \ / \
*****************************************

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Win98 Security Issues
7/16/99
Mnemonic and gH
www.pure-security.net
xkyller@hotmail.com
KeyRoot Information Security
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Contents
1 - Abstract
2 - Root
3 - TCP/IP
4 - Encryption
5 - Permissions
6 - Conclusion

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1 - Abstract

As much as I like Win98, it is thoroughly insecure. Programs in the root directory can allow remote access over the web: browsing your system files, possibly with read and write permissions, uploading and downloading files, remotely executing code, and whatever else you can think of. If your system holds important files you could be in trouble. The access controls in Win98 are misleading and can allow an attacker to reach your hard drive with read/write permissions and no password. There is also no encryption between the network components, so anyone who can sniff the network can pick up your passwords and whatever else you type, and the lack of file permissions lets trojan horses carry out instructions without restriction. Every one of these issues has the potential to give an attacker remote administration of your Win98 system, and the possibilities that come with that are endless. This advisory goes over several security problems in the Win98 operating system. I think you'll be interested in reading it. Have fun!

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

2 - Root

In Windows, what this advisory calls the root directory is C:\WINDOWS (strictly speaking the root of the drive is C:\, and C:\WINDOWS is the system directory). Programs in this directory carry out system-wide tasks that can compromise the security of the system. Explorer.exe has been exploited in past versions to allow remote access to Win95/98 over the web, and in fact any program in the root directory has the potential to be exploited. Sometimes programs are written without security in mind, or the programmers look over parts of the code and don't realize there's a problem.
There could be a buffer overflow, or a poorly written function that allows remote browsing of databases. If you store medical or other personal information such as credit card numbers, addresses or company documents, this is obviously a concern. Nobody wants to wake up one morning and find that the fifteen-page paper that was supposed to be released tomorrow has been downloaded by a teenage hacker. Windows 98 does not incorporate the security needed to prevent these kinds of attacks. The only thing I can recommend at this time is to download one of the free firewalls released by a respectable company other than Microsoft.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

3 - TCP/IP

Many of today's Windows 98 users want to share files with other computers on their existing network. One of the easiest ways to do this is over TCP/IP. All the user has to do is go to Settings in the Start menu, open Control Panel and click on the Network icon. When the network configuration window opens there is a list of the network components that have been installed. One click on TCP/IP, then Add..., File and print sharing..., OK, and it's done. What most people don't stop to think about when setting up shares is that people other than the intended ones can also reach these shares, and without a password. They assume the share password will be the same as their Windows logon password. They assume wrong. Windows 98 makes it easy to configure networking badly, which leaves the machine open to attack from anyone on the Internet or on the local network. For example, if I were on the network and knew the IP address of the computer running shares, I would open an MS-DOS window and:

C:\>net use p: \\targetip\ipc$
The command completed successfully.
C:\>net view \\targetip
Shared resources at \\targetip

Share name   Type      Used as   Comment
-------------------------------------------------------------------------------
ADMIN$       Disk                Remote Admin
C$           Disk                C Drive
D$           Disk                D Drive
IPC$         IPC                 Remote IPC
NETLOGON     Disk                Logon server share
HPLaser4     Printer             HP LaserJet 4si
The command completed successfully.

What I just did was set up a null connection to the IPC$ share and list the shares the machine offers. (The listing shown is what an NT server answers with: ADMIN$, C$, D$ and NETLOGON are NT administrative and domain shares. A Windows 98 box lists only the folders and printers its user has chosen to share.) Now I can map any share that was created without a password, such as a whole-drive share, and browse it with read/write permissions, which means I can look at any file on the system. The access control features of Windows 98 are poorly set up and make misconfiguring NetBIOS easy. To learn more about NetBIOS check out The NT Wardoc by Rhino9.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

4 - Encryption

You would think that the network components of Windows 98 would include some sort of encryption between host and client, but there is none. Even if you do set a password on your shares, an attacker sniffing the network can watch you log in to them. (Strictly, the SMB exchange normally carries a challenge-response value derived from the LanManager hash of the password rather than the password itself, but that exchange is weak enough to be cracked offline, so the practical effect is the same.) Win98 does nothing to prevent this.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

5 - Permissions

In the Windows 98 environment there are no permissions on files by default. What someone could do with access to every file that makes up the operating system is a real risk. A user could also download a program that turns out to be a virus or a trojan horse, and it will execute its instructions without any restriction. This can't be good for anyone. Your Windows 98 computer is at risk of compromise because Microsoft didn't pay attention and didn't do a clean job.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

6 - Conclusion

Although Win98 provides excellent point-and-click features, it is far from secure. In the move from Win95 to Win98 Microsoft has failed to improve the system where security is concerned.
There is absolutely no protection at all. If protection is what you're looking for in an operating system, Windows is not the way to go. Switch to Unix or something; basically that's all you can do. Microsoft continues to downplay the security concerns of Windows 98 as I write this. I don't think anyone has addressed all of these issues in one informative advisory before, so I decided to. I hope you've enjoyed this advisory! Keep tabs on gH, me and KeyRoot.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Brought to you by KeyRoot and gLobaL heLL.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

@HWA

40.0 WLDoTrans.asp allows CC retrieval A gH Advisory by Mnemonic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.pure-security.net

***************************************** / \ / \ / Mnemonic Presents \ / WLDoTrans.asp allows CC retrieval \ / A gH Advisory \ / \ / \ *****************************************

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
WLDoTrans.asp allows CC retrieval
7/14/99
Mnemonic and gH
www.pure-security.net
xkyller@hotmail.com
KeyRoot Information Security
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1 - Abstract

Although there is client authentication, and usually encryption between client and server, WLDoTrans.asp puts the credit card information in clear text into hidden form fields. Anyone with local access to the machine can retrieve it by viewing the page's source. An attacker who gets hold of the card details can buy things with your card. I hope you like the advisory.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

2 - What is WLDoTrans.asp?

WLDoTrans.asp is a script used by a lot of online shops. Basically it checks whether the information a user enters in an ordering form is valid. It lets users purchase something like a hat or a t-shirt or anything else in the online market. When the user submits the information it is encrypted before it goes to the server, so that nobody can intercept and read it. This is supposed to make for secure online shopping.
However, as you will see, things aren't always as secure as the little "you are in a secure area" boxes tell us.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

3 - Description

Although ordering forms usually encrypt the information before sending it to the server, that alone doesn't make it secure. Once the information reaches WLDoTrans.asp it is decrypted so that it can be checked. When WLDoTrans.asp loads and you view the source, you can see the credit information you entered in clear text: the card type, the full card number, the expiration date and the full name on the card. The line with the credit card should look like

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

4 - Impact

Although the script is not accessible to anyone remotely, any time you step away from the computer there is nothing to stop someone walking up to it and doing as they please. Even after you log out of an online shop, an attacker can press the "back" button in your web browser until they reach WLDoTrans.asp. All they have to do is view the source of the page and boom, there it is. With your card number, card type and full name they can order anything they want, delivered anywhere; it doesn't even have to be to them. They could decide to put you in debt and buy a plane. An attacker could easily max out your card and give you bad credit. You probably wouldn't notice anything until you received a bill for $800,000 or until someone said "sorry, this card is no good".

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

5 - What to do about it

The most obvious fix is to encrypt the hidden form fields (HFFs) that contain the credit card information. This is easy and affordable and lets WLDoTrans.asp function normally. Encryption requires a decryption step on the server side and an encryption step on the web page side; basically, this lets you encrypt the hidden values before they are submitted to WLDoTrans.asp.
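The stronger form of that fix is not to put the card data into the page at all: keep it on the server and hand the browser an opaque reference. The following is an added example of both patterns, not code from WLDoTrans.asp or from the advisory's author. render_vulnerable() reproduces the behaviour the advisory describes (the card record echoed into hidden fields, so View Source or the Back button gives it up); render_hardened() parks the record server-side and emits only a single-use token and a masked number. The order, the in-memory store and the field names are constructed for the example.

```python
"""Added example (not WLDoTrans.asp, not the advisory's code): card data echoed
into hidden fields, beside a page that carries only a server-side reference."""
import html
import secrets
from typing import Optional

# Constructed sample input, as a shopper would type it into the order form.
ORDER = {"cardtype": "Visa", "cardnumber": "4111111111111111",
         "expdate": "12/01", "cardname": "Jane Q Shopper"}

# Server-side pending transactions, token -> order. A real site would use its
# session store or database; a module-level dict stands in for it here.
PENDING = {}


def mask_pan(pan: str) -> str:
    """Receipt-style masking: every digit but the last four becomes '*'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]


def render_vulnerable(order: dict) -> str:
    """What the advisory found: the full card record echoed into hidden fields."""
    fields = "\n".join(
        '<input type="hidden" name="%s" value="%s">' % (k, html.escape(v))
        for k, v in order.items())
    return '<form action="WLDoTrans.asp" method="post">\n%s\n</form>' % fields


def stash_order(order: dict) -> str:
    """Park the card data server-side and return the token that refers to it."""
    token = secrets.token_urlsafe(24)   # 192 random bits: not guessable, not enumerable
    PENDING[token] = dict(order)
    return token


def render_hardened(order: dict, token: str) -> str:
    """The page carries the token and a masked number, never the PAN itself."""
    return ('<form action="WLDoTrans.asp" method="post">\n'
            '<input type="hidden" name="txn" value="%s">\n'
            '<p>Card: %s %s</p>\n'
            '</form>' % (token, html.escape(order["cardtype"]),
                         mask_pan(order["cardnumber"])))


def complete_transaction(form: dict) -> Optional[dict]:
    """WLDoTrans.asp's side: redeem the token exactly once, then forget it."""
    return PENDING.pop(form.get("txn", ""), None)


def page_leaks_pan(page_source: str, pan: str) -> bool:
    """The attacker's check: is the card number anywhere in View Source?"""
    return pan in page_source


if __name__ == "__main__":
    print("vulnerable page leaks PAN:",
          page_leaks_pan(render_vulnerable(ORDER), ORDER["cardnumber"]))
    tok = stash_order(ORDER)
    page = render_hardened(ORDER, tok)
    print("hardened page leaks PAN:", page_leaks_pan(page, ORDER["cardnumber"]))
    print("redeemed once:", complete_transaction({"txn": tok}) is not None)
    print("redeemed twice:", complete_transaction({"txn": tok}) is not None)
```

Because the token is consumed on first use, a second visit to the page via the Back button carries a reference that no longer resolves to anything, and the masked number is all the page source ever held.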
Once WLDoTrans.asp loads it is imperative that it displays only the encrypted values, or the credit card information can be retrieved.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Brought to you by KeyRoot and gLobaL heLL.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

@HWA

41.0 bad CGI scripts allow web access A gH Advisory by Mnemonic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.pure-security.net

***************************************** / \ / \ / Mnemonic Presents \ / bad CGI scripts allow web access \ / A gH Advisory \ / \ / \ *****************************************

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
bad CGI scripts allow web access
7/14/99
Mnemonic and gH
www.pure-security.net
xkyller@hotmail.com
KeyRoot Information Security
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1 - Abstract

Many CGI scripts today accept hidden form values without checking that they are what was expected. When an attacker submits a value other than the one the script expects, the script behaves strangely and sometimes allows the retrieval of passwords or credit card information, or browsing of the system. Basically that's it.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

2 - Description

More than half of all websites today depend on some sort of CGI script, whether to administer a system over the web, edit something, log in or make a payment. Many of these scripts are written by an inexperienced programmer, or by one who is unconcerned about the security of the site, and the site's reliance on faulty programs is a big security problem. What happens most of the time is that a user submits something to the script and the script doesn't check whether the value is an acceptable one. For example, here's a form from a system I was checking out a little while ago:
... ...

With this example, the form came filled in with my account name. However, I simply changed the hidden field named "membername" from my account name to another account name, including the root and webmaster accounts. When the page was loaded with "webmaster" in place of my account, all I did was click save and a new page loaded with the webmaster account's password smack dab in the middle. This kind of attack can work on any system running a CGI script that trusts what the browser sends it. All it takes is a kid willing to spend two or three minutes of his boring life thinking.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

3 - Impact

All this goes to show that CGI scripts sometimes do strange things when they receive input they don't recognize. That can mean retrieval of account passwords or credit card information, or browsing the system and opening files. The impact is deep. If an attacker can get the webmaster's password they have total control over that site: they can open, alter and delete files, add or delete users, change the content of the main web page, and basically do anything to the system. If the attacker gets credit card information they can buy anything on someone else's card, and your system could be held responsible. And if the attacker can browse the system's files, they can retrieve the passwd file or some other file that leads to root access. Basically, it's not a good idea to have vulnerable CGI scripts at all.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

4 - What to do about it

The only thing you can really do about this is go back over the source of all your CGI scripts and make sure the checks are in all the right places. There must be no place where an attacker can enter false data and have the script accept it. If you're at all worried that someone might try to exploit you, it's a good idea and it's easy.
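The check that was missing in the case above is that the script decided whose record to show from the hidden field rather than from who was logged in. The following is an added example, not the script the advisory tested: a "save settings" handler that trusts the hidden membername field, beside one that takes the identity from the login session, treats the hidden field as untrusted input that must agree with it, and never echoes a password back into a page. The session table, the accounts table and the requests are constructed for the example.

```python
"""Added example (not the advisory's script): a CGI save handler that trusts the
hidden membername field, beside one that derives identity from the session."""
from typing import Callable, Optional

# Constructed data: login cookie -> account, and what each account record holds.
SESSIONS = {"sid-1234": "alice"}
ACCOUNTS = {
    "alice":     {"password": "alice-pw", "email": "alice@example.net"},
    "webmaster": {"password": "wm-pw",    "email": "webmaster@example.net"},
}


class Forbidden(Exception):
    """Raised where the CGI script should answer 403 and log the attempt."""


def current_user(cookie: str) -> Optional[str]:
    """Who the session cookie belongs to, or None for no/invalid session."""
    return SESSIONS.get(cookie)


def save_vulnerable(cookie: str, form: dict) -> dict:
    """Checks that *someone* is logged in, then believes the hidden field."""
    if current_user(cookie) is None:
        raise Forbidden("not logged in")
    member = form["membername"]   # attacker-controlled: edit it in the page source
    return ACCOUNTS[member]       # ...and any account's record, password included, comes back


def save_hardened(cookie: str, form: dict) -> dict:
    """Identity comes from the session; the hidden field can only confirm it."""
    user = current_user(cookie)
    if user is None:
        raise Forbidden("not logged in")
    member = form.get("membername", user)
    if member != user:
        raise Forbidden("membername %r does not match session user %r" % (member, user))
    record = ACCOUNTS[user]
    # Whatever the page shows, the password is never part of it.
    return {k: v for k, v in record.items() if k != "password"}


def tampered_request() -> dict:
    """Alice's form, after she edits the hidden field to name another account."""
    return {"membername": "webmaster", "save": "1"}


def is_forbidden(handler: Callable[[str, dict], dict], cookie: str, form: dict) -> bool:
    """True if the handler refused the request (the outcome we want for tampering)."""
    try:
        handler(cookie, form)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, tampered:", save_vulnerable("sid-1234", tampered_request()))
    print("hardened refuses tampering:",
          is_forbidden(save_hardened, "sid-1234", tampered_request()))
    print("hardened, honest request:", save_hardened("sid-1234", {"membername": "alice"}))
```

The same rule covers every hidden field: anything the browser sends can be rewritten, so a hidden value may carry a hint or a cross-check, but never the authority to pick which record is read or written.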
Take a few minutes during lunch, while you're drinking a Cherry Pepsi and eating a Philly sub, to make the corrections. Well, that's it for this advisory. I hope you've enjoyed reading it as much as I enjoyed writing it.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Brought to you by KeyRoot and gLobaL heLL.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

@HWA

42.0 Can my firewall protect me? by Mnemonic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.pure-security.net

Can my firewall protect me?
by Mnemonic
7/7/99
KeyRoot

Every time I look through a computer magazine or search the Internet, I see an advertisement for a firewall. "Your solution to hackers," many of them boast. By calling a product a firewall, vendors fool a lot of companies into buying something without knowing what it does, or something that won't help them at all. A firewall is software that filters incoming and outgoing connections to a system. It also monitors server requests and the activity of the system's users on the Internet. Although a company may feel safe running a firewall, it is still at high risk of being attacked. A firewall may well protect against denial of service (DoS) attacks and basic attempts at gaining root, or supervisor, access on the system, but many firewalls actually increase the risk of attack rather than adding protection. An improperly set up firewall may allow remote access to even the most stupid of hackers. And the firewall may have problems of its own without the help of an under-practiced administrator: it may contain a buffer overflow, for example, or some other bug that allows remote execution of files. The problem is that today's security standards are no higher than a sign on a fence post saying "back off." When a hacker knows that a system is running a firewall, he quickly checks around to see which kind, in order to exploit it. He doesn't get worried and move on to the next system that looks vulnerable.
I know this from my own experience. A few days ago I broke into a system, with permission of course, that boasted no kid could break into it. It was running NT 4.0, IIS 4.0, Remote Access, some Cisco router, and MIP 2.0. The system was actually vulnerable to several publicly available exploits that led to admin-level access. The firewall did nothing to prevent the attacks. If you would like to protect your system, the best way is to keep up on all of the latest attacks and how to protect yourself against each one individually. This method is much more effective than buying something that could actually weaken your security instead of providing a shield. If you'd like to get in touch with me, I'm Mnemonic and I'm usually an op in #Legions on EFNet. Go check out RootFest or something.

@HWA

43.0 How company specific programs can be used against the company by Mnemonic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.pure-security.net

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
How company-specific programs can be used against the company
6/30/99
Mnemonic
xkyller@hotmail.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

So you're sitting at your computer, drinking a Pepsi, reading your new magazine, whatever, and you decided to read this paper because it sounded cool. Well.. it is. No no, I mean it is, but that's not the point. There are a great many companies out there that depend on the Internet to do business. Whether their business is marketing, communication or video games, the company's systems are used by people who aren't always on site. Many times a programmer is hired to create programs that carry out purposes specific to the needs of the company. This opens up a big security risk. If the program is configured incorrectly, or used in a way other than it was designed for, it could behave erratically and give the user supervisor access.
The purpose of this paper is to show how an attacker would exploit one of these programs, not how to eliminate the risk. However, in knowing the means of penetration, you should be able to design programs that will adamantly protect against tcp/ip based intrusions. Read over this paper carefully, and learn a thing or two. If you have any suggestions or comments feel free to contact me.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Contents:

1) Who's at risk?
2) Why it is a problem
3) How the programs are exploited
4) Why anyone would want to attack a company
5) Conclusion

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

1 - Who's at risk?

There are a lot of companies out there and a lot of different work fields. It's hard to narrow it down to only a handful that are at risk, because everyone is at risk. Everyone that uses the Internet on a day-to-day basis, that is. Any company that does online banking or that deals with any type of exchange of information or requires off-site use of their systems is at risk.

For example, Booking Inc. might be set up in Saint Mary, Maryland and have an employee named Bob in Miami, Florida. Suppose Bob needs to access Booking's server to update the information about an airline that was supposed to arrive in a few weeks. Bob needs to replace it with information on another airline that will be arriving in its place, but he's nowhere near Booking Inc.'s location. The solution is to provide Bob with an easy way to do his job from where he is: the Internet. Booking Inc. hires a programmer to write them a software suite that will allow Bob to connect to Booking's system and update certain things in a certain way. This is the way most companies today think, but it's not a good way of thinking.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

2 - Why it is a problem

The problem with this solution is that someone not employed by the company can use the same means of access as Bob to access the company's database. This isn't a good idea because from there, the attacker can flaunt around as if he were a part of your company. He could make transactions in the company's name, change schedules, or any number of things that would cost the company anywhere from nothing to thousands of dollars. No company can afford to leave their information that open.

Access to the database doesn't mean just looking around. It means the ability to change things and go unnoticed. Many times a user will alter something that may pass without question until that something is called on. Then it really has an impact on the company. Too many companies don't realize there is a problem until it is too late, so I'm telling you now. If your company runs its own software there's a good chance that it is vulnerable to attack.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

3 - How the programs are exploited

Since each program is different, there are obviously more ways to exploit the programs than I can mention here. However, I will go over one of the most common methods of program exploitation. It is called a buffer overflow.

A buffer is an area shared by software that can be called upon to recount things. It temporarily saves necessary data. This is where a program is designed to accept data, assign it a value, and store that value, that data, in a buffer. A buffer can only hold a certain amount of data. When a program receives an amount of data that is more than the buffer can handle, the program will not function properly. This is called a buffer overflow. The program will give the attacker privileges equivalent to that of its owner. For example, the program may be "owned" by the supervisor.
That is, it can perform tasks with supervisor-equivalent privileges. Let's suppose that the software Booking Inc. has given Bob is called Doober, and that the host side of Doober has these lines:

    char flightnm[168];
    printf("Change flight number to?\n");
    /* input: the string received from the client (not shown in the
       original); it is copied with no check against the buffer size */
    strcpy(flightnm, input);

The problem is that flightnm can only hold data up to 168 bytes and doesn't check to see if the input will fit in the buffer. If Doober is owned by the supervisor, then an attacker could exploit Doober with a program that would input a string greater than 168 bytes. This would easily give the attacker supervisor rights.

Here's another example:

    char buffer1[1024];
    char buffer2[1024];
    ...
    memset(buffer1, 1, sizeof(buffer1));
    memset(buffer2, 2, sizeof(buffer2));
    ...
    memcpy(buffer2, buffer1, sizeof(buffer2));

If, however, you want to fix the problem, you can just add a line to make sure the input fits:

    ...
    /* nInput: number of bytes received into buffer1 (not shown in the
       original). The check compares that length with the destination
       size, not the buffer addresses, and runs BEFORE the copy. */
    if (nInput > sizeof(buffer2)) {
        printf("That was too big\n");
        exit(1);
    }
    memcpy(buffer2, buffer1, nInput);

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

5 - Conclusion

If your system is running company-specific software, I more than believe that you're vulnerable to attack. I advise reviewing the source code of all programs, and defining the type of access that the program has to the system. Bob from Booking Inc. may need to update airline information, but not the method of payment the airline's customers are using. So play it safe and all that jazz.

If you have any comments or suggestions or if shx.c for SunOS doesn't compile right (I've used shx.c for BSD, don't e-mail me about that), I'm Mnemonic at xkyller@hotmail.com. Peace out.
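As an added example (this is not Mnemonic's code and not part of the article), here is the Doober flight-number handler with the length check the strcpy() above lacks, plus the same bounded-copy idea applied to the memcpy() case. The names set_flight_number, copy_bounded and FLIGHT_LEN, the return codes, and the demo inputs are assumptions constructed for this example; the article shows nothing of Doober beyond the lines quoted above.

```c
/* Added example, not code from the article: the Doober flight-number
 * handler rewritten with the bounds check that the strcpy() above lacks,
 * plus a bounded raw copy for the memcpy() case. All names and the demo
 * inputs below are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define FLIGHT_LEN 168   /* same size as the article's flightnm[168] */

enum { FLIGHT_OK = 0, FLIGHT_TOO_LONG = -1, FLIGHT_BAD_CHAR = -2 };

/* Copy a client-supplied flight number into a fixed-size buffer.
 * The length (including the NUL terminator) is checked BEFORE anything is
 * written, so an overlong request is refused and dst is left untouched
 * instead of overwriting whatever follows the buffer. */
int set_flight_number(char *dst, size_t dstsize, const char *input)
{
    size_t n = strlen(input);
    if (n >= dstsize)                  /* n == dstsize leaves no room for the NUL */
        return FLIGHT_TOO_LONG;
    for (size_t i = 0; i < n; i++) {   /* flight numbers are printable ASCII */
        unsigned char c = (unsigned char)input[i];
        if (c < 0x20 || c > 0x7e)
            return FLIGHT_BAD_CHAR;
    }
    memcpy(dst, input, n + 1);         /* bounded: n + 1 <= dstsize */
    return FLIGHT_OK;
}

/* Bounded version of the article's memcpy(): refuses to copy more bytes
 * than the destination holds. Returns bytes copied, or -1 if refused. */
long copy_bounded(void *dst, size_t dstsize, const void *src, size_t srclen)
{
    if (srclen > dstsize)
        return -1;
    memcpy(dst, src, srclen);
    return (long)srclen;
}

/* Constructed demo: a 200-byte request against the 168-byte buffer must be
 * refused without touching the buffer, a control character must be refused,
 * and a normal request must be stored. Returns 1 when all three hold. */
int demo_flight_number(void)
{
    char flightnm[FLIGHT_LEN];
    char oversized[201];

    memset(flightnm, 0, sizeof(flightnm));
    memset(oversized, 'A', 200);
    oversized[200] = '\0';

    if (set_flight_number(flightnm, sizeof(flightnm), oversized) != FLIGHT_TOO_LONG
        || flightnm[0] != '\0')
        return 0;
    if (set_flight_number(flightnm, sizeof(flightnm), "KR1999") != FLIGHT_OK
        || strcmp(flightnm, "KR1999") != 0)
        return 0;
    if (set_flight_number(flightnm, sizeof(flightnm), "AB\n") != FLIGHT_BAD_CHAR
        || strcmp(flightnm, "KR1999") != 0)   /* rejected input left the old value */
        return 0;
    return 1;
}

/* Constructed demo for copy_bounded(): 16 bytes into a 16-byte buffer is
 * accepted, 17 is refused and the earlier contents survive. Returns 1 on success. */
int demo_copy_bounded(void)
{
    char buffer2[16];
    const char sixteen[16] = "0123456789abcde";       /* 15 chars + NUL = 16 bytes */
    const char seventeen[17] = "0123456789abcdef";    /* 16 chars + NUL = 17 bytes */

    if (copy_bounded(buffer2, sizeof(buffer2), sixteen, sizeof(sixteen)) != 16)
        return 0;
    if (copy_bounded(buffer2, sizeof(buffer2), seventeen, sizeof(seventeen)) != -1)
        return 0;
    return memcmp(buffer2, sixteen, 16) == 0;
}

int main(void)
{
    printf("flight number handler: %s\n", demo_flight_number() ? "safe" : "UNSAFE");
    printf("bounded copy:          %s\n", demo_copy_bounded() ? "safe" : "UNSAFE");
    return 0;
}
```

The point is the order of operations: the length of the incoming data is compared with the destination size before a single byte is written, so an oversized request is refused and the buffer (and whatever lies after it on the stack) is never touched. A check that only runs after the copy runs after the damage is done.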
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Legions of the Underground http://www.legions.org
Keen Veracity http://www.underzine.com
KeyRoot
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

@HWA

44.0 Exploiting the netware bindery by Mnemonic
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.pure-security.net

*****************************************
/                                       \
/                                       \
/          Mnemonic Presents            \
/    Exploiting the NetWare Bindery     \
/          A KeyRoot Advisory           \
/                                       \
/                                       \
*****************************************

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Exploiting The NetWare Bindery
7/4/99
Mnemonic and KeyRoot Information Security
we'll get a webpage to go here
xkyller@hotmail.com
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

For those of you who follow my stuff in Keen Veracity, some of the material in this advisory is repeated material from previous releases. This advisory should be accurate for versions of NetWare up to and including NetWare 3.x

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1 - Abstract

For a long time, NetWare has been doing very poorly in the security field. Even with the many tools released by various people to bring to light NetWare's weaknesses, Novell continues to ignore the existence of its problems until the details of an attack have been released to the public. As a wannabe admin and a repetitive Pepsi drinker, I think it is necessary for me to release my research on NetWare security. The problem now is that the NetWare bindery is openly accessible to any NetWare user. This means to my password, your password, and that idiot in the office next to you's password.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

2 - The NetWare Bindery

NetWare's bindery is basically memory sectioned off for use of NetWare processes. It's a database where NetWare keeps information about the network resources and users that many function groups use to store and retrieve information. Each file server on a network system has its own bindery, and thus its own group of known objects.
The NetWare bindery can best be compared to the Force. It binds the galaxy together. Yeah..

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

3 - Description

There are actually two things I want to discuss here. The first is getting the password for someone else's account, and the other is getting the password for the account you're on. They're two separate things. Now check it out:

NetWare represents each shared application, printer, or a logged-in user as an object in the bindery. Each object has identifying characteristics, known as properties. Properties are dependent on objects, which have these attributes:

    OBJECT ID
    OBJECT NAME
    OBJECT TYPE
    OBJECT FLAG
    OBJECT SECURITY
    PROPERTIES FLAG

These are the property attributes:

    OBJECT ID
    PROPERTY NAME
    PROPERTY FLAGS
    PROPERTY SECURITY
    VALUES FLAG

The property name is a character string of up to 16 characters, including the null terminator. Property names have the same restrictions on the use of characters as object names. The property flags are stored as a one-byte field. They indicate whether the property is static or dynamic, and whether it is an item or a set. Sets are lists of object IDs which are interpreted by NetWare. Item properties are unformatted binary fields stored in 128-byte segments which are interpreted by applications or NetWare APIs.

Any user can retrieve the 128-byte segment which represents an object's password, and then convert this binary string into clear text. The user first calls GetObjectData() to get the name of the object. This function uses ScanBinderyObject() to populate a structure of type OBJECT. There are two ways of identifying objects. You can use the OBJECT ID or the OBJECT NAME and OBJECT TYPE. The last element is a dummy with all fields cleared to 0. Here the user calls GetUserAndApplicationData() to retrieve the password. For example:

    ...
    /* Fragment: aop, szPassword and inpf are assumed to be declared
       elsewhere in the author's program; they are not shown here. */
    GLOBAL int GetUserAndAppInfo(char *argv[], int nMaxArgs, OBJECT *pObject)
    {
        strcpy(aop->obj.szObjectName, argv[nMaxArgs - 2]);
        aop->obj.wObjectType = OT_APPLICATION;
        strcpy(aop->szPassword, argv[nMaxArgs - 1]);
        fread(&szPassword, sizeof(int), 1, inpf);
        printf("\nThe password for that account is %s\n", szPassword);
        return 0;
    }

The second thing I want to discuss is the retrieval of the password for the account that you're on. To do this we use functions in the Connection Services. So we can call GetConnectionNumber() to get the number that the file server has assigned to this workstation's connection. Then we call GetConnInfo() to get the name of the user among other information including the password. Take a look:

    ...
    /* Returns -1 on failure, so the function cannot be void. */
    int GetMyAccountPassword(char *argv[], int nMaxArgs, OBJECT *pObject)
    {
        FS_CONNECTION_INFO *pFSConnInfo;

        pFSConnInfo = GetConnInfo(GetConnectionNumber());
        if (pFSConnInfo == NULL)
            return -1;
        /* this is where the user info is now */
        *pObject = pFSConnInfo->fsLoggedObject.obj;
        free(pFSConnInfo);
        strcpy(aop->obj.szObjectName, argv[nMaxArgs - 2]);
        aop->obj.wObjectType = OT_APPLICATION;
        strcpy(aop->szPassword, argv[nMaxArgs - 1]);
        fread(&szPassword, sizeof(int), 1, inpf);
        printf("\nThe password for the account you're on is %s\n", szPassword);
        return 0;
    }

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

4 - Impact

Wow. I shouldn't even have to go over this section. If your network is running NetWare and you have private data of any sort on the network, your data is susceptible to the will of the attacker. The severity of this attack is only as big as the system that is affected. A hacker may decide to get the password to the supervisor account if the supervisor is logged in. If that happens, the hacker will have complete control of every computer on the NetWare network. The hacker may decide to change or delete your data, or nothing at all.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

5 - What to do about it

There is actually nothing that any of us can do about this right now.
We can't deny people access to the NetWare bindery or monitor their queries of it. The best thing to do right now is to switch to something more secure until the problem is fixed in a later version of NetWare. It would be wise to presume that it works on all versions of NetWare.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Legions Interactive http://www.legions.org
Keen Veracity http://www.underzine.com
RootFest 2K http://www.rootfest.org
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

@HWA

45.0 Tax Break for Key Escrow Crypto
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid
H.R. 2617, a bill sponsored by Porter Goss (R-Florida), seeks to amend the Internal Revenue Code of 1986 to allow a tax credit for development costs of encryption products with plain text capability without the user's knowledge. This will give companies a great monetary incentive to create weak crypto. (It will also allow people to find out what publicly traded companies took advantage of this tax break, so you will know which products to avoid.)

The Federal Register
http://thomas.loc.gov/cgi-bin/query/D?r106:1:./temp/~r106TNpQz3:e0:

Wired
http://www.wired.com/news/news/politics/story/21014.html

A Tax Break for Snoopable Code
by Declan McCullagh
3:00 a.m. 30.Jul.99.PDT

WASHINGTON -- If anyone in Washington qualifies as an ardent foe of encryption, it's congressman Porter Goss (R-Florida).

Two years ago, the chairman of the House Intelligence committee tried to make it a crime to distribute privacy-protecting software, such as PGP or recent versions of Netscape Navigator and Internet Explorer.

The plan failed, but Goss didn't give up. On Wednesday, he and the panel's ranking Democrat introduced a bill to jump-start the US market for encryption products with backdoors that would support government surveillance.

The "Tax Relief for Responsible Encryption Act" gives companies a 15 percent tax break on the costs of developing government-snoopable encryption products.
Such products might support key recovery -- in which a copy of the secret key needed to unlock scrambled data is placed within reach of law enforcement -- or "other techniques."

"This legislation offers a way out of the stalemate between those who view commerce and national security as an 'either-or' proposition," Goss said in a statement.

Goss and 22 other House members also sent a letter to President Clinton asking him to organize a "summit" of industry executives and government officials to extract an agreement on encryption regulation.

"It has become evident that your leadership on this issue is vital to resolve the equally legitimate interests of law enforcement, national security, privacy, and industry.... We believe that without your personal involvement on this issue now, our national security and public safety will suffer serious and needless consequences," the legislators said.

Law enforcement groups and their allies in the Clinton administration have long pressed for snoopable encryption products, complaining that a parade of undesirables -- such as pedophiles, drug smugglers, and money launderers -- might use crypto to communicate in secret.

But the idea of the government subsidizing potential privacy invasions doesn't appear to be wildly popular.

"I think the government's role is to protect the individual liberties of its citizens -- they should be giving companies incentives to strengthen encryption," said Jennifer DePalma, a graduate fellow at the Institute for Humane Studies at George Mason University in Arlington, Virginia.

"They should let the free market continue to put an emphasis on protecting people's privacy," she said.

For its part, the House Permanent Select Committee on Intelligence is insisting that it's pushing a voluntary approach. The committee members have abandoned their hope for a ban on unapproved encryption software, a source said.
The administration has pushed for a key recovery scheme, whereby law enforcement would gain access to "plaintext," or unencrypted, information. But the market has rejected such options.

"Mandatory recoverability is a nonstarter," a committee staff member said. "Law enforcement doesn't need us to mandate access to plaintext domestically."

"The congressman does not want to mandate recovery of encryption products. He wants to encourage products that have societal benefits," a spokesman for Goss said.

The committee last week said in a report that a bill to roll back some export restrictions on encryption products would harm children while protecting "criminals and international thugs."

"Child pornographers could distribute their filth unimpeded," the report said. "Pedophiles could secretly entice the children of America into their clutches. Drug traffickers will make their plans ... without the slightest concern that they will be detected. Terrorists and spies can cause unspeakable damage without even the possibility of being stopped before it is too late."

Rep. Julian C. Dixon (D-California) is cosponsoring the measure, HR 2616.

@HWA

46.0 NSA Claims Israel Attacking US
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Turtlex
Evidently there are not enough government computer security agencies. The NSA's new National Security Incident Response Center issued a warning last week regarding attacks originating from a machine inside Israel. The 'attacks' appeared to be numerous port scans of government and military computers. (Love the acronym NS-IRC, hehehe.)

The Washington Times
http://www.washtimes.com/news/news3.html

White House says IPI system not aimed at U.S.
By Ben Barber
THE WASHINGTON TIMES

White House spokesman David Leavy on Thursday adamantly denied a new International Public Information (IPI) system would be directed at American audiences.
IPI is a secret Clinton administration program to control public information disseminated by the departments of State and Defense and intelligence agencies. It is meant to "influence foreign audiences in a way favorable to the achievement of U.S. foreign-policy objectives," according to a draft IPI charter obtained by The Washington Times. But critics claim that IPI will be used for domestic propaganda.

"That is totally inaccurate," Mr. Leavy said. "The IPI initiative is designed to better organize the government and the instruments we have to support our public diplomacy, military activities and economic engagement overseas. There is no impact on the domestic press."

Mr. Leavy said that U.S. information officials at home and abroad serve different functions. "There are officers who work with the media in the United States and officers who support the U.S. policy overseas. They are totally separate. They are totally different functions," Mr. Leavy said.

But a former deputy chief of the U.S. Information Agency (USIA) under three presidents said he fears the IPI plan would mean U.S. propaganda aimed at foreigners would be used to influence American elections.
Gene Kopp, who served under Presidents Nixon, Ford and Bush, said the elections of President Kennedy and President Carter were directly influenced by leaks of USIA foreign public-opinion polls showing a decline in U.S. prestige abroad.

"I am concerned this could happen again under the IPI plan," said Mr. Kopp, currently a Washington lawyer. "The administration is transferring all assets, except broadcasting, to State, where they will not be separated in any way. It will be very difficult to separate what is disseminated in the United States and overseas."

He said that the opportunity for abusing the system will be great. "The temptation to spin this stuff in a partisan way will be very strong -- probably irresistible," he said. "The other ominous feature is that this includes the intelligence agencies. They are in the business of misinformation. God only knows where that goes."

New allegations emerged Thursday that the Clinton administration has been trying to control how American news organizations cover foreign affairs, at least since the Bosnia peacekeeping mission in 1996.

According to a former government official, who insisted on anonymity, the White House created a Strategic Planning Directorate, which used the State Department and USIA to pressure American reporters into favorable coverage of the U.S. troop deployment in Bosnia-Herzegovina. It came into being just prior to the 1996 presidential election.

"I heard them talk about it in conference telephone calls -- how they had to control the media out there, the bureau chiefs, because if the Republicans picked this up [the Clinton administration] would be exposed as having no foreign policy," said the former government official.

Shortly after President Clinton won re-election in 1996, the administration announced that U.S. troops would not be home by Christmas, as promised. Today, nearly three years later, some 7,000 U.S. troops remain in Bosnia.

"The U.S. public wanted to know how long American troops had to be there," said the ex-official. "The Clinton people said 'only one year,' and [that] they would be home in December, after the election. But everyone knew the only way to keep the warring sides apart was robust international and American presence."

This former official said this was widely discussed. "In the conference calls, they openly discussed how they had to prevent American journalists from discussing this," he said.

The source said that USIA officials and National Security Adviser Samuel R. Berger tried to convince American editors not to publish accounts by their reporters who wrote that Bosnia was unsafe for Americans, that Muslim extremists were a threat, and that the warring sides would never be pacified.

Ivo Daalder, who was a staffer on the National Security Council at the time, said discussions had no ulterior motives. Mr. Daalder, who is now at the Brookings Institution, said the talks among the USIA, National Security Council and other agencies "had the sole purpose of making sure they share information among them, and when the U.S. government speaks to the outside world, it does so in a coordinated manner."

Mr. Daalder said "there was no deliberate campaign designed to put out false information prior to the 1996 presidential election." He said that USIA did increase staffing and efforts to convince American reporters in Bosnia of the administration's perspective in September, prior to the Bosnian elections.

@HWA

47.0 Jail Time for Users of Crypto
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid
The Electronic Communications Bill, proposed in Britain, could send users of encryption products to jail for up to two years. Basically if you send encrypted mail to someone who is being investigated by the police the police can ask you for your keys. If you refuse you could get up to two years in jail.
Tip off the person who received the encrypted message and get five years.

CNN
http://www.cnn.com/TECH/computing/9907/29/ukencrypt.idg/index.html

Use encryption, go to jail?
July 29, 1999
Web posted at: 11:11 a.m. EDT (1511 GMT)
by Douglas F. Gray

LONDON (IDG) -- Encryption users could face up to two years in prison for refusing to hand over the keys to their code, according to Britain's proposed Electronic Communications Bill.

The bill is causing concern among privacy advocates and opposition parties, who say the bill gives law enforcement wide-reaching power over private Internet communications.

Most aggravating, the bill calls for a possible two years in prison for anyone refusing to turn over the encryption key or the message in plain text to law-enforcement officials. It also calls for a five-year prison term for tipping off senders that they are being investigated, according to Caspar Bowden, director of the London-based Foundation for Information Policy Research.

Even discussing an investigation in public, such as complaining about alleged abuses of law enforcement to the media, may also be punishable by imprisonment, said Bowden.

"Let's say that someone under investigation sends me a message with encryption that can only be decrypted by the receiver. The authorities come to me and tell me that they are investigating someone, but won't tell me who, so they ask for all my private keys," Bowden said.

Refusing this request from the authorities could get him two years in prison, said Bowden. In such a case, the authorities would have all of Bowden's private keys, enabling law enforcement to read all encrypted correspondence that was sent to him. Bowden would then have no choice, he said, because by informing anyone of this, and asking them to change their key, he would break the "tipping off" clause of the bill and in turn face five years imprisonment.

"I can't complain to the newspaper, otherwise it's five years in jail. All I can do is go to a secret tribunal," Bowden said. He's not joking: The tribunal is five judges, only two have to participate, and only one has to lay the groundwork, he added.

Bowden feels that the entire bill needs to be re-examined by the U.K.'s Department of Trade and Industry. "We would like to see the Electronic Communication Bill be about e-commerce, which is what they said; the law-enforcement section doesn't even belong in it," he added.

There is also another method of hiding messages, called steganography. It's not really clear to commentators such as Bowden whether or not steganography is covered by the bill. With steganography, users can "sprinkle an encrypted message" into a photographic format, such as JPEG, or a music format such as MP3, both of which are very popular online. In actuality, the message does not necessarily need to be encrypted, just concealed within the file, according to Bowden.

Although the bill does not mention technologies such as steganography, Bowden speculated that the authorities could enforce regulations in those cases by proving that there was a reason to search, such as the existence of a steganography program on the suspect's computer.

Douglas F. Gray writes for the IDG News Service.

@HWA

48.0 Office97 Users Ripe for the Picking
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue
A hole in the Jet 3.51 driver (ODBCJT32.DLL) leaves users vulnerable to attack. Such an attack would leave the system in such a state that the attacker could execute shell commands and give full control over your machine to the bad guy. Microsoft has verified the problem and is working on a security bulletin; in the mean time they recommend users upgrade to Jet 4.0.
MSNBC
http://www.msnbc.com/news/295385.asp

Hole opens Office 97 users to hijack
Vulnerability in popular Microsoft suite could allow malicious coder to take control of computers without victim knowing
By Mark Stevenson
MSNBC

July 30 — A vulnerability in Microsoft Office 97 can allow malicious code contained in an Excel 97 worksheet hidden in a Web page or sent in e-mail to take control of online computers without the victims’ being aware, Microsoft confirmed Thursday evening.

The vulnerability is contained in the Jet 3.51 driver (ODBCJT32.DLL) that was shipped with the popular Office 97 software suite. (Microsoft is a partner in MSNBC.)

Juan Carlos G. Cuartango, a Spanish Web developer who has discovered other important security holes, reported the problem to the NTBugTraq mailing list Thursday afternoon. Later Thursday, the Microsoft Security Team confirmed the bug in a posting to the same list.

“If you open a malicious Excel worksheet implementing this vulnerability it will send shell commands to your operating system (Windows NT, 95 and 98 are all affected) that can: (infect) you (with) a virus, delete your disks, read your files,” Cuartango said in his posting to the list. “…(T)he worksheet will get full control over your machine.”

The Microsoft posting said the company is preparing to release a security bulletin dealing with the vulnerability. Shortly before 5 a.m. ET Friday, the bulletin had not appeared on the Microsoft Office Update site or the Microsoft security site.

“We’ve verified that this vulnerability in Jet 3.51 does exist, and urge all customers who are using Jet 3.51 to upgrade to Jet 4.0,” the Microsoft mail to NtBugTraq said. “This vulnerability should be taken seriously. Office 97 users in particular should consider immediately upgrading their database driver to Jet 4.0, as Jet 3.51 is installed by default in Office 97.
Office 2000 users do not need to upgrade, as Office 2000 installs Jet 4.0 by default.”

An Excel worksheet that contains code to take advantage of the vulnerability could be hidden in a frame on a Web page or sent in an e-mail. As long as the worksheet contained no macros, there would be no indication to the user who visited the Web page or opened the e-mail that any code had been executed, Cuartango reported.

If the file is sent in e-mail, the recipient must be on-line to be affected, Cuartango said. He recommended not opening documents you are not expecting to receive and going off-line before opening e-mail. If the worksheet were instead sent as an attachment to e-mail, the recipient could avoid ill effects by not opening the attachment.

@HWA

49.0 China Sends Pirate to Jail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid
In what is believed to be the first jail sentence for piracy in China, a man has been sentenced to four years in jail and fined US $2,400. The name of the company or the software was not mentioned.

Wired
http://www.wired.com/news/news/politics/story/21003.html

China Jails a Software Pirate
Reuters
2:45 p.m. 29.Jul.99.PDT

BEIJING -- China has sentenced a man to four years in jail in what is believed to be the country's first criminal case involving software piracy, state media reported Thursday.

A court in the eastern city of Hangzhou fined and sentenced Wang Antao for selling a slightly modified version of a company's software without permission, the China Daily said.

Wang would have to pay 20,000 yuan (US$2,400) in fines and 280,000 ($33,800) in compensation to the company, which was not identified.

The newspaper said it was the first such case in China, which has struggled to combat rampant piracy, fearing it will impede the growth of its nascent software industry.
A study released this month by the US Business Software Alliance and Software & Information Industry Association found that 95 percent of China's newly installed business software in 1998 was pirated.

Software piracy cost China $1.2 billion in 1998 -- more than in any other Asian nation, according to the report.

@HWA

50.0 MITNICK: FEDERAL GOVERNMENT MANIPULATED THE FACTS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Saturday 31st July 1999 on 7:00 pm CET

Did the US government manipulate the facts on the subject of Kevin Mitnick? He and his attorneys say so and are asking a federal judge to unseal a court filing that they claim proves this. Full story below.

http://www.zdnet.com/zdnn/stories/news/0,4586,2306704,00.html

Mitnick: 'I was never a malicious person'
By Kevin Poulsen, ZDNN
July 30, 1999 4:36 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2306704,00.html?chkpt=zdnnstop

Kevin Mitnick and his attorneys are asking a federal judge to unseal a court filing that they claim proves the government was guilty of misconduct while building its case against the hacker. The goal, says Mitnick in a rare interview, is to clear his name.

"At the beginning of this case the federal government manipulated the facts to allege losses that were grossly inflated," Mitnick said in a telephone interview Thursday night from the Los Angeles Metropolitan Detention Center. "Hopefully, if the court considers this motion and rules upon its merits, it will clear me publicly of the allegations that I caused these significant losses."

The motion, filed by defense attorney Don Randolph on July 22, is the latest conflict in a case that's remained unusually acrimonious, considering that both sides reached a plea settlement in March.
Under the terms of the agreement, Mitnick pleaded guilty to seven felonies and admitted to penetrating computers at such companies as Motorola (NYSE:MOT), Fujitsu and Sun Microsystems, (Nasdaq:SUNW) and downloading proprietary source code. On Aug. 9, he's expected to be sentenced to 46 months in prison, on top of the 22 months he received for cell phone cloning and an earlier supervised release violation.

Mitnick vexed by 'snowball effect'

The only sentencing issue left unresolved is the amount of money Mitnick will owe his victims. Prosecutors are seeking $1.5 million in restitution -- a modest figure compared to the more than $80 million the government quoted to an appeals court last year, when it successfully fought to hold the hacker without bail.

That figure, though no longer promulgated by prosecutors, vexes Mitnick, who sees a "snowball effect" of bad press that began with a 1994 front-page article in the New York Times.

"Because of this assault that was made upon me by John Markoff of the New York Times, then the federal government grossly exaggerating the losses in the case and the damages I caused, I have a desire to clear my name," Mitnick said. "The truth of the matter is that I was never a malicious person. I admit I was mischievous, but not malicious in any sense."

Markoff reported on Mitnick for the New York Times, and went on to co-author Tsutomu Shimomura's book, "Takedown: The Pursuit and Capture of America's Most Wanted Computer Outlaw -- By The Man Who Did It," slated as an upcoming movie from Miramax. Markoff's portrayal of Mitnick, and the profit it ultimately earned him, has been the subject of some criticism from Mitnick's supporters, and raised eyebrows with a handful of journalists.

Markoff's most enduring Mitnick anecdote is the story that the hacker cracked NORAD in the early 1980s, a claim that was recycled as recently as last May by another New York Times reporter.
"I never even attempted to access their computer, let alone break into it," Mitnick said. "Nor did I do a host of allegations that he says I'm guilty of."

For his part, Markoff says of the NORAD story: "I had a source who was a friend of Kevin's who told me that. I was not the first person to report it, nor the only person to report it."

Government collusion?

The July 22 motion filed by Mitnick's attorney accuses the government of coaching victim companies on how to artificially inflate their losses. The filing is based on documents Randolph subpoenaed from Sun, which show that shortly after Mitnick's February 1995 arrest, the FBI specifically instructed Sun to calculate its losses as "the value of the source code" Mitnick downloaded, and to keep the figure "realistic."

Following the FBI's advice, Sun estimated $80 million in losses based on the amount they paid to license the Unix operating system. Six other companies responded, using software development costs as the primary calculus of loss. The total bill came to $299,927,389.61, significantly more than the $1.5 million the government says Mitnick inflicted in repair and monitoring costs, and theft of services and the $5 million to $10 million both sides stipulated to for purposes of sentencing.

"At the beginning of this litigation, the government misrepresented to the federal judiciary, the public and the media the losses that occurred in my case," Mitnick said.

To Randolph, it all smacks of collusion. "What comes out from the e-mails that we have, is that the so-called loss figures solicited by the government were research and development costs at best, fantasy at worst," he said. "I would classify it as government manipulation of the evidence."

However, prosecutor David Schindler dismissed Randolph's claims as "silly and preposterous."

"What would be inappropriate is to tell them what dollar amount to arrive at.
In terms of the methodology, in terms of what is to be included in loss amounts, that direction is something we often provide because we're aware of what components are allowable under law, and which components are not," he said.

Schindler said development costs are a valid indicator of victim loss, but acknowledges that putting a dollar figure on software can be difficult.

Mitnick claims cover-up

Mitnick and his attorney both say there's more to the story, but they can't talk about it. At Mitnick's last court appearance on July 12, the judge granted a government request that any filings relating to victim loss be sealed from the public.

"As much as the government would like to, you can't take the recipe for ice and file it under seal and have it become confidential," said Mitnick, who, along with his attorney, is challenging the confidentiality of the loss information, and asking for the motion to be unsealed.

Mitnick claims he smells a cover-up. "The government should not be permitted to bury the truth of the case from the public and the media by seeking and obtaining a protective order to essentially force me to enter a code of silence," he said.

"Our only concern, as it has been from day one, is the protection of the victims of Mitnick's crimes," prosecutor Schindler said. "Why Mitnick and his lawyers want to continue to harass, embarrass and abuse them remains a mystery to us, but it's something that we will continue to oppose vigorously."

Although the software costs are no longer being used against his client, Randolph claimed that by "manipulating the loss figures," the government raises the issue of whether even the more modest $1.5 million calculation is accurate. In the sealed motion, he's seeking an evidentiary hearing to explore the matter, and asking that Mitnick be released on a signature bond pending that hearing.

And if Mitnick winds up owing money anyway?
"We're asking for sanctions that the government pay the restitution," Mitnick said, "and that the judge recommend that I be immediately designated to a halfway house for the government's misconduct in this case."

Excerpts of the Sun documents are available on the Free Kevin Web site, maintained by members of a tireless grass-roots movement that's protested the hacker's imprisonment for years.

"I'd like to sincerely thank all my friends and supporters for all the support they've given me over this long period of time," Mitnick said. "I'd like to thank them from my heart."

Kevin Poulsen writes a weekly column for ZDTV's CyberCrime.

@HWA

51.0 ISPS ACCUSE CHINA OF INFOWAR
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Saturday 31st July 1999 on 1:30 am CET

Two Canadian ISPs claim they've traced DoS attacks on their network back to Chinese government offices in Beijing and now accuse "Chinese government crackers with a political agenda", as Wired puts it. The attacks are thought to be motivated by the ISPs hosting sites of the Falun Gong religious group, which was outlawed in China last week. Full story below.

http://www.wired.com/news/news/politics/story/21030.html

ISPs Accuse China of Infowar
by Oscar S. Cisneros
12:00 p.m. 30.Jul.99.PDT

Two Canadian ISPs said Friday that their networks were attacked this week by Chinese government crackers with a political agenda.

"The hack attempts I could trace [originated with] Chinese government offices in Beijing," said Eric Weigel, director of Bestnet Internet, a Hamilton, Ontario-based ISP.

Weigel said he suspected that the "denial of service" attack, which ended at 4 a.m. EST Friday, was motivated by his organization's hosting a Web site for a religious group outlawed in China.

"I know the Chinese government doesn't like the Falundafa Gong religion. They've arrested some people, but I don't know if anybody's been shot."
The Chinese government last week banned the "wheel of law," or Falun Gong, sect, stating that the group corrupted people's minds, disrupted social order, and sabotaged stability. The nation's state-run television network launched a negative media blitz against Falun Gong.

The group, which claims more than 2 million members, advocates meditation and exercise. In April, in a protest at Beijing's Zhongnanhai leadership compound, more than 10,000 Falun Gong members demanded protection for their religion. The government responded by destroying more than a million of the sect's books, tapes, and CDs.

If Weigel's hunch is correct, that fury has now extended into the world of the Internet.

"The Chinese government didn't even phone me up and say, 'Please remove this site,'" Weigel said. "That's pretty rude."

Weigel said he traced the hack attacks back to the Beijing Application Institute for Information Technology and the Information Center of Xin An Beijing.

The attackers used two common techniques to take on Bestnet and Nebula Internet Services, a smaller ISP in the nearby town of Burlington: They attempted to penetrate the ISPs' systems and also to flood their servers with incomplete requests for data -- a technique that overwhelms a Web server such that it is unable to serve up a Web site (in this case, Falun Gong's).

Neither effort was successful at Bestnet, Weigel said. But the denial of service attack did thwart Nebula Internet Services, which hosted Falun Gong's site until last week.

"They didn't have enough bandwidth to handle them, plus they're using a Windows machine," said Weigel. "I couldn't even copy the site using FTP -- they had to physically bring the files on a hard drive."

Nebula's owner, Greg Alexander, said that the attacks started a month ago and coincided with media reports of a government crackdown on the sect.

"The Chinese government has called the Falun Gong an enemy of the state and so we assumed that it's the Chinese government," he said.
"They actually swamped our lines for two days -- we were maxed right out."

Alexander also said a US Department of Transportation official contacted him to ask about an attack on a server at the Federal Aviation Administration. The unnamed official told him that the "probe" of the FAA's server originated from one of Nebula's machines.

Alexander added that the specific IP address was at the time assigned to Falun Gong. "We didn't have control of our own IP address," he said.

The Department of Transportation could not be reached for comment late Friday afternoon.

Alexander speculated that if someone made the attack look as if it originated from Falun Gong's IP address, they did so to make "the US government think that these people are bad people."

Reuters contributed to this report.

@HWA

52.0 PETERSEN INTERVIEW: TRADING CYBERCRIME FOR CYBERPORN
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Saturday 31st July 1999 on 0:30 am CET

Recently released hacker and FBI informant Justin Petersen, in an "exclusive interview" with CNN and Time, is claiming to leave behind a life of cybercrime to go into the cyberporn business. CNN will air the interview on Sunday and Monday at 8 pm ET and 10 pm PT. ZDNet.

http://www.zdnet.com/zdnn/stories/news/0,4586,2306588,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Hacker turning to a life of porn
By Joel Deane, ZDNN
July 30, 1999 3:02 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2306588,00.html?chkpt=zdnnstop

Former hacker and FBI informant Justin Petersen is back in the news -- claiming that he is leaving behind a life of cybercrime to join the cyberporn business.
CNN and Time are promoting an "exclusive interview" with Petersen, who gained notoriety for informing on hackers Kevin Mitnick and Kevin Poulsen, and was recently released from prison after spending time in custody for parole violations.

According to a CNN press release, Petersen talks at length about his life as a "high-tech thief" and Internet pioneer, saying he was "trolling around on the information superhighway when it was just a dirt road."

Petersen has multiple convictions for computer crimes, including an attempted electronic bank heist. But Petersen tells CNN he now plans to begin a new life online, free of crime, with an adult Web site.

The interview airs on CNN Sunday and Monday at 8 p.m. ET and 10 p.m. PT.

@HWA

53.0 GHOSTS IN THE MACHINE
~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Friday 30th July 1999 on 5:30 pm CET

Fact: PCs come with dangerous security holes. One of the major problems still is the scripting ability of machines and the ability to run applets; all of this in combination with the Web represents some serious security and privacy issues of which the regular home user is not always aware. And it doesn't stop there. This article discusses this with some examples and quotes from major manufacturers. Read it below.

http://www.wired.com/news/news/technology/story/20995.html

Ghosts in the Machine
by Chris Oakes
3:00 a.m. 30.Jul.99.PDT

When Richard Smith bought a new Compaq Presario last Friday, he suspected there might be a few holes in the security of the computer's Internet software.

Sure enough. Within ten minutes of booting up the PC, Smith had flushed out the software equivalent of an assassin for hire.

"I think this is one of the worst problems I've ever seen," said Smith, who has made a side-career during the last year of sniffing out major software holes.

Compaq had granted its Internet software potent capabilities.
A clever Web page or email message could put out an electronic hit on an unwitting Presario owner using a software demon that comes in the guise of an applet.

The applet, called "SpawnApp," was installed by Compaq on its Presario line of PCs as part of its customer service applications. While Compaq intended to streamline customer support over the Net using handy Web tools -- Internet Explorer 4 and Java applications -- the company unwittingly put its customers at risk.

"All you need is a little bit of JavaScript to misuse the control. They've left it wide open, so you can run anything. You can give a delete command that deletes everything in the [Windows] My Documents directory."

"Anybody can use it because [Compaq's] told the world it's a safe thing."

SpawnApp is a bridge, launching any DOS or Windows application. With simple coding, a rogue programmer could access the Java applet from the Net to launch any application on the computer. Programmers could use the applet to mess up some data -- perhaps nab some files and email messages, or change the PC's security settings for further breaches.

The problem is apparently the tip of an iceberg that may plague more PCs than even manufacturers know. These ghosts in the software machine only get noticed when people like Smith do some digging. Companies often don't respond in force to alarms until the media spreads the word.

Smith said he wasn't the first to arrive on the scene of the dangerous applet. Another programmer, Frank Farance, originally discovered the applet in November 1998, and yet the problem remained.

Smith turned up a similar vulnerability on Hewlett-Packard's Pavilion line of PCs only a week earlier. HP moved quickly and provided a fix; Compaq is considering doing the same.

With or without fixes, Smith sees the trend as a dangerous one. "If you take HP and Compaq together, they're in the top three or four manufacturers in the United States.
They've both been shipping machines for a year which have pretty big openings ... So you've got some pretty big players messing up here."

Compaq "signed" its applet, which is a standard security function meant to indicate the program's tasks were designed by the company and therefore safe to execute. But because further steps weren't taken, anyone could misuse the potentially dangerous set of functions, Smith said.

Compaq confirmed that under some scenarios, the user may not see any warning if their browser or email program were to encounter malicious code that invokes the applet.

"Compaq is looking at the possibility of updating [the system software] so that something like this could not occur," said Jim Ganthier, director of engineering for Presarios. He called the actual exploitation of the security hole highly unlikely, however.

Smith said a simple solution to the problem is to delete the .REG (registry) file that makes Compaq a trusted publisher. That file can be found by the name CERTREG.REG, he said.

Smith contends the security hole is the latest -- and most serious -- in a growing legacy of dangerous knotholes in standard-issue PC software. Other holes have largely centered on potential access to personal data, such as Microsoft's extraction of hardware-tracking ID numbers during the Windows registration process. Smith and others have also turned up a myriad JavaScript and ActiveX vulnerabilities that can crack a PC's file directories by way of Netscape Navigator or Internet Explorer.

Smith considers the latest example severe because of the ability to launch any application on the PC -- without the user ever noticing.

So with all these dangers -- caught only when a programmer like Smith pays close attention -- what are the prospects for security in a networked, e-commerce age?
The current chain of events -- discovery, disclosure, and company reaction -- is the best, according to free marketeer Justin Matlick, author of Governing Internet Privacy: A Free Market Primer.

"The best solution is going to let privacy-conscious consumers and organizations ferret these problems out and force the companies or industries to respond," Matlick said. "I think that the free market is much more responsive to these concerns than regulation could ever hope to be."

If that means consumers can expect only a certain level of security on the computers they buy, so be it. "It's more important to me to use the product than it is to protect my privacy -- up to a certain level," Matlick said.

Brooke Partridge, electronic support programs manager for Hewlett-Packard, agrees. "We're not going to sell a lot of computers if people are worried about whether or not our systems allow access to their information. Really there is an inherent economic incentive."

Trust the market to find and fix holes in time? Nay, industry regulation is the only fix, if you ask electronic privacy advocate Jason Catlett.

"That's completely wrong. There are far too few people paying attention to this to bring even a hundredth of the incidents to the attention of the media -- or even the companies themselves."

The public has a right to a baseline standard of behavior that's determined by the best principles, Catlett argues. "All that's needed is a simple private right of action for individuals." For example, a PC customer should have the right to go after a company for US$500 if his data is exposed by negligence, he said.

"That simple economic incentive would make a lot of companies clean up their act. That's exactly one of the risks that they should have as a routine part of their engineering."

Nancy Wong of the Critical Infrastructure Assurance Office said information technology moves too fast for regulations.
"There are so many different ways of opening up systems and inserting vulnerabilities unknowingly that it's very difficult to say that government regulation is going to be able to address that.

"One of the reasons why I believe it's [a reactive situation] right now is because people really aren't thinking about security on an ongoing basis, or making systems secure at the same time they install systems."

Meanwhile, Peter Neumann, a scientist with SRI International and a consultant to the President's Commission on Critical Infrastructure Protection, said Smith's findings are not news -- and only a fraction of the story.

"Computer security is an oxymoron -- it doesn't exist. It's a joke. There's no way of fixing it short of producing new operating systems."

Neumann predicts that e-commerce will fall on its face when massive dollar transactions begin to depend on the security of today's inadequate networked PCs. For true network security, airtight components like encryption must be built into any Internet computer, Neumann said.

"When millions or trillions of dollars [are] going down the tube, people will start paying attention."

But according to Compaq's Ganthier, all this worrying is overblown. Vulnerabilities are one thing; actual exploitation is another.

"There's a whole bunch of if-then-else statements in there. To me it's like the Intel processor's serial numbers -- nobody's actually been able to demonstrate [an exploit]."

Software sleuth Smith said Ganthier's argument is true enough, but only for the time being.

"I've been looking at virus stuff for a while, but it's only been since the beginning of 1999 that virus writers have been exploiting email. Yet the capabilities have been there for three or four years."

Everyday sabotage exploits may be just down the road in a cyber-crime future.

"We just can't say," Smith said. "But we just need to close them up. There are a lot of vulnerabilities out there -- we just can't say which one is the one that will be used."
@HWA

54.0 DATABASE PROTECTIONS OK-D
~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Friday 30th July 1999 on 3:00 am CET

A bill which is supposed to give providers of database information a weapon against electronic pirates and hackers got approved by a House panel yesterday. The bill gives the FTC the authority to prevent people from obtaining and distributing databases without permission and gives disseminators of real-time stock market information the right to sue hackers and pirates for that same offense. Full story below.

http://www.news.com/News/Item/0,4,39929,00.html?st.ne.fd.tohhed.ni

Commerce subcommittee OKs database protections
By Bloomberg News
Special to CNET News.com
July 29, 1999, 3:15 p.m. PT

WASHINGTON--A House panel approved a bipartisan bill to give providers of database information such as mortgage rates or stock quotes a weapon against electronic pirates and hackers.

The measure, passed on voice vote by the Telecommunications, Trade, and Consumer Protections Subcommittee, gives the Federal Trade Commission authority to prevent people from obtaining and distributing databases without permission. A section of the bill, approved last week by the same committee, gives stock exchanges and other disseminators of real-time stock market information the right to sue hackers and pirates.

"This bill would, for the first time ever, create a federal stop sign to database privacy," said Rep. Tom Bliley (R-Virginia), who sponsored the bill. "But just as important, the bill will continue to protect consumers' access to information."

A coalition of database owners, including financial data compilers, Internet companies, universities, and libraries, has lobbied in favor of the Bliley bill. Bloomberg, the parent company of Bloomberg News, has testified in favor of the bill.
"[The bill] represents another arrow...you can seek if your information has been illegally pirated," said Skip Lockwood, coordinator of the Digital Futures Coalition, a lobbying firm that represents the shared interests of the educational and research communities and the computer industry.

Support for an alternative bill

The New York Stock Exchange, the National Association of Realtors, and other owners of large databases have championed another bill with broader information protections. That bill, sponsored by Rep. Howard Coble (R-North Carolina), has passed the full Judiciary Committee and is awaiting consideration by the full House.

The Coble bill affords a wider range of legal protection to database compilers than the Bliley bill, said Edward Miller, policy analyst for the National Association of Realtors. Coble's bill allows database creators to go after pirates through the courts, while the Bliley bill puts the FTC in charge of policing piracy on most databases.

The FTC bureaucracy could bog down attempts by real estate agencies to go after hackers who steal their listings, Miller said. In addition, the Bliley bill's definition of "database" could allow pirates to take substantial portions of information with no consequences, he said.

"To us, [the Bliley Bill] looks like they have provided a textbook on how to pirate data and do it legally," Miller said. "It's just the wrong approach."

Internet companies such as Yahoo and Lycos and financial data companies such as Bloomberg oppose Coble's bill because they say it gives too much protection to companies that compile information, such as the NYSE. They also think it will concentrate ownership of facts in the hands of a few, Lockwood said.

"With Coble's bill, there's nothing through the Internet pipelines. There's nothing to pass around," Lockwood said. "You are going to allow a few large owners of mass amounts of information to lock out everybody else."
Digital signatures

The telecommunications subcommittee also unanimously approved legislation today to give electronic signatures the same legal validity as those penned in ink. The bill would allow e-commerce and trades to take place online without requiring handwritten signatures for documentation.

The electronic signatures bill doesn't set a standard for what types of technology would be acceptable as "signatures." While electronic pens, fingerprint scanners, and iris scanners are all currently available, legislators said they didn't want to stifle the technology by setting a standard before the electronic signatures industry had fully developed.

Last week, the subcommittee added an amendment to the electronic signatures bill allowing the Securities and Exchange Commission to still require some records filed with the agency to be signed by hand.

If the Commerce Committee approves the subcommittee's two bills, they will be submitted to the full House.

Copyright 1999, Bloomberg L.P. All Rights Reserved.

@HWA

55.0 YET ANOTHER SITE SPITTING OUT PERSONAL INFO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Friday 30th July 1999 on 2:20 am CET

An adult Web site is, due to a misconfiguration, spitting out the names, addresses, emails and credit card numbers of nearly 1000 of its members to anyone with a Web browser. This story also once again proves some people's unwillingness to put some effort into security: "I had informed them about this security issue ... but for some reason they needed to have ... [the site set up that way]." Story below.

http://www.wired.com/news/news/culture/story/21001.html

Italian Smut Site Left Unzipped
by James Glave
2:45 p.m. 29.Jul.99.PDT

An adult Web site run by the man who launched the career of Italian porn queen Cicciolina is showing more than just cheek. It's also revealing the names, addresses, emails, and credit card numbers of nearly 1,000 of its members.
The site, Diva Futura, is configured in such a manner that several databases containing confidential user information can be easily accessed by anyone with a Web browser.

Diva Futura is owned by Italian porn king Riccardo Schicci, who last November was jailed in Italy on charges of running a prostitution racket. He is widely credited as the man who brought the porn movie industry to Italy.

"As soon as I figured out that was [Schicci's] site, I smelled something bad and figured out that I wanted to get away," said a former Diva Futura member, now a student of European Studies at a Washington DC university.

"I was so stupid and I was right," said the man, who spoke on condition of anonymity. "I did this thing two years ago when this kind of stuff was starting, and now I don't leave my credit card in any adult sites."

Schicci was released from prison soon after he was incarcerated. Efforts to reach Diva Futura's current site administrators were unsuccessful and the page remained vulnerable as of Friday morning.

Until recently, Web Creations, a New Jersey Web development firm, hosted the site. But the man listed as the site administrator in the Internet Network Information Center database said that the site's current owner had not paid the firm's past-due bill. Anil Gurnani said that the site's owners have moved the operation elsewhere.

Gurnani told Wired News in an email, "This site is maintained by the client." He said that the site's technicians knew of the security issue and insisted on leaving the site configured that way.

"I had informed them about this security issue ... but for some reason they needed to have ... [the site set up that way]."

"This utter and complete lack of respect for private financial data is beyond reprehensible," said the Australian Web site developer who discovered the problem. "It is wildly reckless, and I find it inexcusable," he said in an email directed to the site's administrators.
Responding to an email query, one member of the site said that e-commerce is still not widespread in Italy. The member, who lives in Pavia, Italy, said in broken English that he hoped the site would be fixed soon, but took the whole matter in stride.

"What can I say?" he wrote. "Me and my friends a night still surfing on the Net, and we seek that URL ... you know who the Italians are ... geek ... really attracted about sex and so on, so I put my [card] number [on] the Net."

An examination of the site's data reveals that between December 1997 and June 1998, the site handled approximately US$22,000 worth of membership transactions.

As a member of the European Union, Italy is a signatory to the Data Protection Directive, a series of rules that protect the personal data of European consumers. Article 17 of the directive compels companies to secure the personal data of their customers, though specific enforcement measures are left to the discretion of each member nation.

Diva Futura hosts images from Italian adult magazines Diva Futura, Bamby, Fans Club, and Le Aventure di Eva Henger. It also features streaming video, chat, and many images of Ilona Staller, more commonly known as Cicciolina.

Agence France Presse last fall reported that in 1989 Riccardo Schicci spent time in prison for shooting a hard-core porno film on a public beach.

Editor's Note: This story has been corrected. The original article incorrectly stated that Riccardo Schicci was once married to Cicciolina. Wired News regrets the error.

@HWA

56.0 CALIFORNIA ADOPTS DIGITAL SIGNATURE LAW
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Friday 30th July 1999 on 1:30 am CET

Gov. Gray Davis yesterday signed a bill into a California law which allows contracts with electronic signatures to count as legal documents.
The new law applies to firms doing business in California and their customers in all 50 states, according to a statement released by one of the bill's sponsors, ETrade Group Inc. Read more.

http://www.computerworld.com/home/news.nsf/all/9907294dig

Calif. adopts digital-signature law
By Kathleen Ohlson

California brokerage firms may enter into contracts with their customers through digital signatures, rather than filling out a pile of paperwork.

Gov. Gray Davis yesterday signed into California law a bill that allows contracts with electronic signatures to count as legal documents, according to a statement from ETrade Group Inc., one of the sponsors of the bill. The new law applies to firms that conduct business in California and their customers in all 50 states, ETrade said.

The Menlo Park, Calif.-based brokerage plans to use digital signatures to open and transfer customer account information, as well as add new privileges, such as margin agreements, ETrade said. The company doesn't know which digital signature technology it will use, but expects to use digital signatures "sometime in 1999," said Tim Alban, a spokesman for ETrade.

Gomez Advisors' John Robb said while brokerages may sign up customers faster, they will have to overcome a few obstacles. There isn't any good digital signature technology available now for such applications, and digital signatures are currently not widely adopted, Robb said. Adopting digital signatures is a "state-by-state battle," since brokerages need to register in each state individually. However, this law is a "good first step," he added.

Online brokerages will benefit if they can automate more account processing and keep costs down, Robb said.

@HWA

57.0 NEW AMMO AGAINST VIRUSES
~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/
by Thejian, Friday 30th July 1999 on 1:00 am CET

When Melissa hit, a lot of companies just pulled the plug on their (e-mail) servers, losing a lot of money because of this.
This is definitely not the way to go in the future, according to the security branch, as is shown by the latest network security products. A more proactive way of working is needed, and that is just what these new products claim to bring you. ZDNet.

http://www.techweb.com/wire/story/TWB19990729S0019

More Ammunition Used In Fight Against Viruses
By David Drucker, InternetWeek
Jul 29, 1999 (2:40 PM)
URL: http://www.techweb.com/wire/story/TWB19990729S0019

In hindsight, IT managers weathered the Melissa virus pretty well. Even so, their defensive tactics were less than optimal.

"A lot of people just disconnected [their e-mail servers], and that can't happen in the future," said Hurwitz Group analyst Diana Kelley. "The pulling-the-plug option is going to mean a huge loss of business, so being more proactive is going to be the way to go."

The latest network security products are designed just for that purpose. Trend Micro is readying version 3.0 of ScanMail for Exchange, which includes tools to block unwanted file traffic until vendor patches are delivered.

When a virus outbreak begins, antivirus vendors usually design patches specifically for the new virus and distribute them to customers within a few hours. But the delay can be long enough to significantly stall operations.

"What we've learned from Melissa is that companies can't wait until we come up with a pattern file," said Dan Schrader, Trend Micro's vice president for new technology.

ScanMail for Exchange 3.0 includes the eManager plug-in, a set of content-filtering controls that let users block files based on details such as file type, file name, or specific wording within messages.

David Shaffer, IT manager at Power Construction, began using ScanMail a year ago when his company implemented Microsoft Exchange for its mail system. He said he believes the new features in version 3.0 will help him act faster the next time a major virus hits.
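The eManager controls just described (block by file type, file name, or wording) are a gateway content policy, and their whole point is to hold suspect mail during the hours before a pattern file exists without pulling the plug on the server. The following Python is an added example, not code from the page, from Trend Micro or from eManager: a minimal gateway filter that evaluates a message against such a policy and says why it was held. The Policy fields and both sample messages are constructed; the subject line, body sentence and attachment name of the suspect message are modelled on the widely reported Melissa indicators and serve only as sample input.

```python
"""Stop-gap mail content filter: hold messages by attachment type, file name
or wording until the vendor signature update arrives.

Added example, not code from the page, Trend Micro or eManager. Policy
fields, rule names and both sample messages are assumptions/constructed.
"""
import email
import email.policy
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Policy:
    """What to hold back until the pattern file ships (all fields assumed)."""
    blocked_extensions: set = field(default_factory=set)    # e.g. {"exe", "vbs"}
    blocked_name_globs: list = field(default_factory=list)  # e.g. ["list.doc"]
    blocked_phrases: list = field(default_factory=list)     # case-insensitive regexes


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def evaluate(raw_message: str, policy: Policy) -> List[str]:
    """Return every rule the message trips; an empty list means clean."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    reasons: List[str] = []

    subject = str(msg.get("Subject", ""))
    for pat in policy.blocked_phrases:
        if re.search(pat, subject, re.IGNORECASE):
            reasons.append(f"subject matches /{pat}/")

    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no payload of their own
        filename = part.get_filename()
        if filename:
            ext = _extension(filename)
            if ext in policy.blocked_extensions:
                reasons.append(f"attachment {filename!r}: extension .{ext} is blocked")
            for pattern in policy.blocked_name_globs:
                if fnmatch.fnmatch(filename.lower(), pattern.lower()):
                    reasons.append(f"attachment {filename!r}: name matches {pattern!r}")
        elif part.get_content_type() == "text/plain":
            body = part.get_content()  # decoded text of the message body
            for pat in policy.blocked_phrases:
                if re.search(pat, body, re.IGNORECASE):
                    reasons.append(f"body matches /{pat}/")
    return reasons


def decide(raw_message: str, policy: Policy) -> Tuple[str, List[str]]:
    """Gateway verdict: quarantine on any hit, otherwise deliver."""
    reasons = evaluate(raw_message, policy)
    return ("quarantine" if reasons else "deliver"), reasons


# Constructed policy for the first hours of a Melissa-style outbreak.
STOPGAP_POLICY = Policy(
    blocked_extensions={"exe", "vbs", "scr"},
    blocked_name_globs=["list.doc"],
    blocked_phrases=[r"important message from", r"document you asked for"],
)

# Constructed sample messages, not real traffic.
SUSPECT_MESSAGE = """\
From: alice@example.com
To: bob@example.com
Subject: Important Message From Alice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here is that document you asked for ... don't show anyone else ;-)
--b1
Content-Type: application/msword; name="list.doc"
Content-Disposition: attachment; filename="list.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAA=
--b1--
"""

CLEAN_MESSAGE = """\
From: carol@example.com
To: bob@example.com
Subject: Minutes from Tuesday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Minutes attached, see you Thursday.
--b2
Content-Type: text/plain; name="minutes.txt"
Content-Disposition: attachment; filename="minutes.txt"

1. Budget review
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_MESSAGE), ("clean", CLEAN_MESSAGE)):
        verdict, why = decide(raw, STOPGAP_POLICY)
        print(label, verdict, why)
```

A name-and-wording filter is a stop-gap, not a detection: it is evaded by renaming the attachment or rewording the lure, and a blanket block on .doc would have stopped most legitimate business mail in 1999. Its value is in buying the hours until a signature arrives while mail keeps flowing, and in recording the reason for every hold so the quarantine can be released selectively once the pattern file is in.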
"This gives us a way to respond in those critical three or four hours before a patch can be released, without shutting down internal or external mail," Shaffer said.

Network Associates is also juicing up its virus-protection software. The updated version of GroupShield for Exchange can detect previously unknown viruses without raising excessive false alarms, the company said. The software uses so-called double heuristic technology, which detects new viruses by monitoring virus-like behavior. It is available now.

According to a study on virus prevalence recently released by ICSA.net (formerly known as the International Computer Security Association), the rate of virus infections is doubling every year. The study found that a 1,000-person company experiences about 80 virus incidents per month.

"Despite good antivirus products, it's clear that the risk is growing," said ICSA.net chairman Peter Tippett.

The speed with which viruses are spreading is the biggest danger, Tippett said. "It used to take a year or two for a virus to become predominant," he said. "Now it takes a day or two for Net-enabled viruses to spread. Users now have very little time to prepare."

Trend Micro's ScanMail for Exchange 3.0 is scheduled to ship Aug. 15. The software is priced at $5,000, without the eManager plug-in, for up to 250 users; the plug-in is an additional $1,250 and can be purchased for previous versions. Network Associates' GroupShield for Exchange is available as a one-year subscription for 250 to 500 users, at a price of $29 per node, or $19 per node for 5,000 or more users.

@HWA

58.0 DOE SECRETARY ORDERS SECURITY BREAK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Thursday 29th July 1999 on 11:00 pm CET

Energy Secretary Bill Richardson will today announce a department-wide work stoppage. This is in order to focus more on security issues and to increase employee awareness about them.
This is the third security stand-down this year since the China-affair (China allegedly stole US secrets on nuclear warheads and neutron bombs). Yahoo Dailynews. http://dailynews.yahoo.com/headlines/ts/story.html?s=v/nm/19990729/ts/nuclear_spying_2.html Thursday July 29 12:03 AM ET Energy Secretary Orders Security Training By Tabassum Zakaria WASHINGTON (Reuters) - Energy Secretary Bill Richardson will announce Thursday a department-wide work stoppage to focus on security issues in August as another step to increase employee awareness since the China spying scandal hit the nuclear labs. The nuclear weapons research laboratories have been the focus of security concerns after a congressional report said China stole U.S. secrets on seven nuclear warheads and the neutron bomb. China has repeatedly denied those allegations. The labs have already had two security stand-downs this year in which work stopped so employees could focus on security issues, and will be exempt from the August action. Every employee must realize ``that every job carries with it a security obligation,'' Richardson said. ``I'm ordering this action to ensure that (the Energy Department) is doing everything possible to protect America's secrets and sensitive technologies,'' he said. Richardson has taken other steps such as creating a ''security czar'' position within the department and hiring a retired four-star general to fill it. The Energy Department has been criticized as having an unwieldy bureaucracy that did not pay enough attention to security concerns raised in past years. And some members of Congress want broader change and have proposed restructuring the Energy Department so the nuclear weapons programs are separated into a semi-autonomous agency within the department. 
Others have called for totally removing the nuclear programs from the department which considers the labs its ``crown jewels.'' Energy Department sites with classified national security activities, excluding the labs, will stop routine work activities on Aug. 3 to participate in a daylong security training. Those sites include the Nevada Test Site, the Y-12 Plant in Oak Ridge, Tennessee, the Kansas City Plant, and the Pantex operation in Amarillo, Texas. By the end of August all other Energy Department facilities, including those that conduct unclassified work, will participate in a similar stand-down. Topics for non-classified areas will include computer network security, responsibilities for hosts of foreign visits, export control regulations, computer hackers and disgruntled employees. @HWA 59.0 EU MEMBERS NOT FOLLOWING DATA-PROTECTION RULES ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.net-security.org/ by Thejian, Thursday 29th July 1999 on 10:30 pm CET The European Commission is proceeding with infringement proceedings against nine member states because of their failure to comply with the data-protection directive that took effect last October. The member states have received a two month delay to comply with the directive before an official complaint will be made to the Luxembourg-based Court of Justice. Full story. http://www.computerworld.com/home/news.nsf/all/9907294eudata (Online News, 07/29/99 11:43 AM) Most EU states not following data-protection rules By Elizabeth de Bony BRUSSELS -- The European Commission is proceeding with infringement proceedings against nine member states of the European Union for failing to comply with the data-protection directive that took effect last October, the Commission announced today. The Commission has given France, Luxembourg, the Netherlands, Germany, the U.K., Ireland, Denmark, Spain and Austria two months to comply with the directive. 
Failure to meet this deadline will prompt the Commission to proceed with the final stage of EU infringement proceedings involving a complaint to the Luxembourg-based Court of Justice. Condemnation by the Court of Justice can lead to the imposition of fines. The data-protection directive took effect on Oct. 25, 1998, and establishes a common regulatory framework for data transmission that aims to ensure both a high level of privacy for the individual and the free movement of personal data within the EU. Provisions also limit the transfer of personal data to countries outside the EU that respect similar standards of data protection. These provisions have led to more than two years of negotiations between the EU and the U.S. over whether the U.S. data-protection standards -- which depend largely on voluntary self-regulation -- meet the directive's standards. These discussions are continuing, but the fact that nine of the 15 member states have not even complied with the directive has taken much of the urgency out of these trans-Atlantic talks. To date only Greece, Portugal, Sweden, Italy, Belgium and Finland have fully implemented the directive. @HWA 60.0 EXPERTS WARN ABOUT NEW Y2K-THREAT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.net-security.org/ by Thejian, Thursday 29th July 1999 on 10:10 pm CET Two of the government's top computer security experts said today at a hearing on Y2K and cyberterrorism before a US Senate Committee that some programmers hired to fix Year 2000 problems may be quietly installing malicious software codes to sabotage companies or gain access to sensitive information after the new year. More. 
http://dailynews.yahoo.com/headlines/ap/technology/story.html?s=v/ap/19990729/tc/y2k_threats_3.html Thursday July 29 12:22 PM ET Experts Warn of New Y2K Threat By TED BRIDIS Associated Press Writer WASHINGTON (AP) - Two of the government's top computer security experts said today that some programmers hired to fix Year 2000 problems may be quietly installing malicious software codes to sabotage companies or gain access to sensitive information after the new year. The alarms were sounded at a hearing on the ``Y2K glitch'' and cyberterrorism before the Senate Committee on the Year 2000 Technology Problem. ``Many of these (rogue programmers) have no security clearance, do not work for the government, and yet they have access to critical systems that if sabotaged could wreak havoc to our financial institutions and our economy,'' said Sen. Christopher Dodd, D-Conn., the committee's vice chairman. A recent analysis by the Gartner Group predicted electronic thefts worth at least $1 billion, noting that the computer networks of financial institutions, corporations and governments handle transactions worth $11 trillion annually. Michael Vatis, director of the FBI's National Infrastructure Protection Center, said experts hired by U.S. companies to fix their computers could secretly program ``trap doors'' - ways to let them gain access later - or add malicious codes, such as a logic bomb or time-delayed virus that could disrupt systems. ``While systems have been and will continue to be extensively tested, the probability of finding malicious code is extremely small,'' agreed Richard Schaeffer, director of the Defense Department's Infrastructure and Information Assurance program. Neither expert suggested the possible scope of the problem. Schaeffer said problems are complicated by the New Year's rollover, when some computers programmed to recognize only the last two digits of a year may mistake 2000 for a full century earlier. 
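The "last two digits of a year" failure Schaeffer describes, and Vatis's advice to test repaired code rather than trust whoever wrote the repair, meet in an acceptance test. The following Python is an added example, not code from the page or from any system it mentions: a pre-remediation two-digit-year parser beside a windowed (pivot-year) replacement, and a boundary check that runs either routine across the rollover and reports every failure. The date format, the pivot year of 50 and the helper names are assumptions chosen for illustration.

```python
"""Two-digit-year handling across the 1999 -> 2000 rollover.

Added example, not code from the page or from any system it describes.
The "YY/MM/DD" format and the pivot year 50 are assumptions.
"""
import datetime
from typing import Callable, List


def parse_yy_naive(text: str) -> datetime.date:
    """Pre-remediation behaviour: a two-digit year is always 19YY.

    This is the defect the article refers to: "00" becomes 1900, a full
    century earlier than intended.
    """
    yy, mm, dd = (int(part) for part in text.split("/"))
    return datetime.date(1900 + yy, mm, dd)


def parse_yy_windowed(text: str, pivot: int = 50) -> datetime.date:
    """Remediated behaviour: window the two-digit year around a pivot.

    YY >= pivot maps to 19YY, YY < pivot maps to 20YY. Windowing was a
    common Y2K fix; the pivot (assumed here) must match the data's range.
    """
    yy, mm, dd = (int(part) for part in text.split("/"))
    century = 1900 if yy >= pivot else 2000
    return datetime.date(century + yy, mm, dd)


def days_between(parse: Callable[[str], datetime.date], start: str, end: str) -> int:
    """Interval arithmetic is where a century slip does the most damage
    (interest, expiry, scheduling): the sign of the result flips."""
    return (parse(end) - parse(start)).days


def rollover_failures(parse: Callable[[str], datetime.date]) -> List[str]:
    """Exercise a date routine on the boundary cases a Y2K acceptance test
    should cover and describe every failure; an empty list means it passed.

    A black-box check like this can be run on repaired code regardless of
    who delivered the repair.
    """
    failures: List[str] = []
    expected = {
        "99/12/31": datetime.date(1999, 12, 31),  # last day before rollover
        "00/01/01": datetime.date(2000, 1, 1),    # first day after rollover
        "00/02/29": datetime.date(2000, 2, 29),   # 2000 is a leap year; 1900 was not
    }
    for text, want in expected.items():
        try:
            got = parse(text)
        except ValueError as exc:
            failures.append(f"{text}: raised {exc}")
            continue
        if got != want:
            failures.append(f"{text}: parsed as {got}, expected {want}")

    # One day across the boundary must be one day, not minus a century.
    try:
        delta = days_between(parse, "99/12/31", "00/01/01")
        if delta != 1:
            failures.append(f"interval 99/12/31 -> 00/01/01: {delta} days, expected 1")
    except ValueError as exc:
        failures.append(f"interval 99/12/31 -> 00/01/01: raised {exc}")
    return failures


if __name__ == "__main__":
    for name, fn in (("naive", parse_yy_naive), ("windowed", parse_yy_windowed)):
        print(name, rollover_failures(fn) or "OK")
```

The interval check is the one that matters operationally: the naive parser does not crash on 00/01/01, it silently returns a date a century early, so anything computing an age, an expiry or an interest period flips sign. A test like this cannot tell a residual Y2K defect from something a contractor left behind on purpose, which is Schaeffer's point; it only tells you the routine is wrong, and that is where a review of the repair diff has to start.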
``It may be difficult to distinguish between a true Y2K event and some other anomaly caused by a perpetrator with malicious intent,'' Schaeffer said. Both experts said the risks were exacerbated by the amount of software repaired by companies overseas. Vatis called the situation ``a unique opportunity for foreign countries and companies to access, steal from or disrupt sensitive national and proprietary information systems.'' Vatis recommended that companies thoroughly check the backgrounds of companies they hire for software repairs. He also said they should test for the existence of trap doors after the repairs, possibly even hiring teams to try to electronically crack into their own networks. The latest warnings come on the heels of new disclosures about White House plans to create a government-wide security network to protect the nation's most important computer systems from hackers, thieves, terrorists and hostile countries. The 148-page proposal from the Clinton administration describes building an elaborate network of electronic obstacles, monitors and analyzers to prevent and watch for potentially suspicious activity on federal computer systems. Sen. Robert Bennett, R-Utah, said today that the scope of the Y2K problem shows that a successful attack on a computer system - such as the network that controls the traffic lights or subway in New York - ``could have as much impact on the economy as if somebody actually dropped a bomb.'' Civil liberties groups complain that the security tools also would make possible unprecedented electronic monitoring, especially because of the increasingly widespread use of computers by the government in almost every aspect of its citizens' daily lives. The White House defended the proposal. ``We are very concerned about protecting privacy rights,'' said Clinton's national security adviser, Sandy Berger. ``But there is also a privacy right in not having hostile entities attack systems. 
We're not only talking about 17-year-old kids in their basement. We're talking about governments that we know are developing systems to get access to our computer systems.'' The first 500 intrusion monitors would be installed on nonmilitary government computers next year, according to a draft copy of the proposal obtained by The Associated Press. The full system would be completed by May 2003. The plan also suggests ways to convince private companies to monitor their corporate computer networks and share information about threats. But it said explicitly that the government will not force companies to permit federal monitoring of their systems.  @HWA 61.0 WILL YOUR CABLE MODEM CENSOR THE WEB? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.net-security.org/ by Thejian, Thursday 29th July 1999 on 4:30 pm CET According to marketing materials from Cisco Systems cable companies can make use of certain features in Cisco products to behind the scenes slow down and limit access to selected Web sites. A Cisco spokesperson said the technology is available to phone companies, satellite firms and major Internet service providers to protect customers. Protect them from what? Offensive content or the competition of the provider? Read the whole article. http://www.pcworld.com/pcwtoday/article/0,1510,12034,00.html From PC World Online Will Your Cable Modem Censor the Web? Consumer groups balk at Cisco back-end equipment that can limit access to selected sites. by Reuters July 29, 1999, 4:34 a.m. PT A leading supplier of Internet gear for the cable industry is touting products to allow cable companies to block or restrict consumers from reaching any Web site they choose, drawing sharp criticism from public advocacy groups. The revelations comes at a critical juncture for the industry, which is spending billions of dollars to roll out high-speed Internet service over cable lines while fighting national and local efforts to regulate their fledgling new product. 
The industry has so far blunted the calls for regulation in all but two cities across the country, in part by committing to allow their customers to reach easily any Web site anywhere on the Internet, whether owned by a cable company or not. Putting the Brakes on Rival Sites But according to marketing materials from Cisco Systems, the top maker of computer networking equipment, cable companies will be able to work behind the scenes with sophisticated software included in Cisco products to slow down and limit access to selected Web sites. Without fully cutting off access to unaffiliated sites, the technology allows a cable company to make such destinations appear much more slowly on customers' computers than preferred sites, Cisco claimed in brochures distributed at a recent cable convention in Chicago. Consumer Groups Call for Regulation "This is the owner's manual that they're providing to the cable industry to monopolize the Internet," said Jeff Chester, executive director of the Center for Media Education. The non-profit Washington group, along with Consumers Union, the Consumer Federation of America and the Media Access Project, sent a letter Thursday to the Federal Communications Commission calling for regulation of cable Internet services. The FCC has so far decided to monitor closely the cable Internet market of less than one million subscribers, compared with almost 40 million going online over ordinary phone lines. The latest controversy appeared unlikely to change many minds at the agency. "We share the same goals as the consumer groups and we believe that there should be an open system as well," said Debra Lathen, head of the agency's cable bureau. "Where we diverge is how you get there. We believe the market is going to mandate--to require--an open system." "We will be very watchful; that is our obligation," Lathen added. 
Thanks, But No Thanks AT&T, whose ExciteAtHome Internet provider has used some Cisco products, pledged not to use the features to discriminate against other Web sites. "We are not in the content-management business; we're in the network management business," said spokesman Mark Siegel. Asked if AT&T would utilize the Cisco products to limit access to any Web sites, Siegel replied: "No, we don't do that." Cisco On the Defensive A Cisco spokesperson said the same technology was made available to all players, including phone companies, satellite firms and major Internet service providers. "This is consistent with Cisco's open standards philosophy and commitment to competition in the marketplace," spokesman Tom Galvin said. "This technology was designed with customers in mind who clearly want tools to protect against offensive content such as hate or obscene material." Cisco's marketing materials cited clearly commercial uses of the software, giving as an example a "push" Web site, which automatically downloads fresh news or other information to a customer's computer at set intervals. "You could restrict the incoming push broadcasts as well as subscribers' outgoing access to the push information site to discourage its use," Cisco's brochure said. "At the same time, you could promote and offer your own partner's services with full-speed features to encourage adoption of your services while increasing network efficiency." Copyright © 1998 Reuters Limited @HWA 62.0 UNMASKING ANONYMOUS POSTERS ~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.net-security.org/ by Thejian, Thursday 29th July 1999 on 1:30 pm CET A new legal trend can be seen nowadays now attorneys more and more often use subpoenas to unmask the identities of anonymous posters to online discussion forums. Anyone can use that method in hopes of finding out the identity of an "anonymous" poster, it's a lot harder to defend yourself against it and then there are the other implications. 
Are certain groups trying to "chill" free speech? Read more about it here. http://www.wired.com/news/news/politics/story/20983.html Unmasking Anonymous Posters Oscar S. Cisneros 3:00 a.m. 29.Jul.99.PDT A new legal trend has privacy advocates up in arms: Attorneys are using subpoenas to unmask the identities of anonymous posters to online discussion forums. And the people whose identities are at stake rarely have the chance to fight back. Anonymous posters can seek to quash the subpoena and preserve their anonymity, said David Sobel, general counsel for the Electronic Privacy Information Center. But first, they have to have notice that the subpoena has been served. See also: Not-So-Privileged Info Without notice, "there's no one in the picture that's ready to challenge the subpoena and bring it before a judge," he said. Since subpoenas in civil lawsuits typically do not require a judge's stamp of approval, Sobel is concerned that individuals and companies are filing bogus lawsuits just to peel back the veil on a user's alias. "Anyone can file a lawsuit," Sobel said. "You get a lawyer. You file a lawsuit against John Doe. And suddenly you have the authority to issue a subpoena." Under their terms of service, many forum operators and ISPs promise not to divulge their users' personal information unless requested by a subpoena or court proceeding, Sobel said. But not all forum operators provide notice when a subpoena has been served. Although it's not written into their terms of service agreements, both America Online and Microsoft's MSN let users know about pending subpoenas, Sobel said. "At least the subscriber has a fighting chance. At least they know what's going on." Other forum operators -- notably Yahoo -- don't provide user notice. That's raised the ire of privacy advocates like Sobel and prompted users to erect a discussion group about the topic in one of Yahoo's forums. 
"When people start to get the awareness that Yahoo is doing nothing to protect their privacy, that's going to start affecting their traffic," Sobel said. Les French moderates a Yahoo discussion board for "Anonymous Yahoo message posters who are being sued." French started the forum after a former employer used a subpoena to reveal the identities behind his and other users' anonymous posts. "They went down to court, filed a lawsuit, and subpoenaed Yahoo. They didn't send any notice to their users," French said. "In my case, Yahoo provided them information which enabled [the company] to trace me back to Compuserve. And Compuserve, without notifying me, just turned over all the information in my account, including my credit card numbers. The only thing they didn't get was the password to my account." Yahoo could not be reached for comment. But an attorney for the company who brought suit against French said that the company is well within its rights to unmask anonymous posters. French and the other targets of the suit "essentially mixed fact with fiction" when describing the company online, said Stephan Pearson, assistant general counsel for Itex Corporation. Portland, Oregon-based Itex manages the records of bartering transactions between companies. "We made the decision to unmask the identities of people who we thought were making defamatory statements about Itex Corporation," Pearson said. French said that Itex has a different motivation: silencing criticism of the company's many business foibles. He said Itex has been beset by difficulties, including shifts in leadership, an ongoing Securities and Exchange Commission investigation, and being de-listed from the Nasdaq stock exchange for failing to file an annual report in 1998. 
"I believe the reason Itex filed the suit was to chill speech -- free speech -- there on Yahoo's boards," French said, adding that financial discussion boards are one way to keep companies honest, and remind the board of directors that investors are watching their every action. Pearson disagreed. "Our action is a defamation-of-business kind of action and defamation has never been protected speech," he said. Some defendants named in the suit after they were unmasked were dropped from it when it was determined that their comments didn't harm the company in an illegal way, he added. Regardless of the outcome of French and Itex's suit, privacy experts are worried the trend will only escalate without additional protections for consumers. EPIC's Sobel drew into question not only Yahoo's practices, but TrustE's as well. TrustE awards seals to Web pages and companies who adhere to their strict privacy policy standards. How can TrustE grant Yahoo a privacy seal when the company coughs up personal information without providing notice of a subpoena to users, Sobel asked. "It's not part of our program to require that they do put the user on notice of a subpoena," said Paola Benassi, TrustE spokeswoman. "If it becomes an issue, we'll definitely see what makes the most sense." Benassi defended Yahoo's privacy policy because she said it gives users notice that their information will be given out when Yahoo is served with a subpoena. She speculated that one cause for the lack of subpoena notice may be the volume of subpoenas, and the fact that many users are likely to set up accounts with false information. Privacy advocates remain concerned. "I think the word is rapidly spreading in the legal community that this is a great way to get information," said Sobel. "I think it is only matter of time before it becomes the norm in divorce cases -- the possibilities are endless." @HWA 63.0 AOL Y2KFIX: A HOAX DISGUISED AS A HOAX? 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Wednesday 28th July 1999 on 11:50 pm CET

A hoax disguised as a hoax warning is making its rounds around AOL users. It describes a fake "America Online Year 2000 Update" called Y2KFIX.EXE and allegedly fools users into giving up information on their accounts and credit cards. According to Symantec, Y2KFIX.EXE doesn't match the characteristics of any known viruses. AOL also denies the existence of such an update. Story below.

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

AOL users hit by unusual hoax
By Matthew Broersma, ZDNN
July 27, 1999 3:44 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2303536,00.html

A new hoax is making the rounds of AOL users, posing -- confusingly enough -- as a hoax warning.

The message, which seems to be sent by a concerned AOL (NYSE:AOL) user, describes a fake "America Online Year 2000 Update" called Y2KFIX.EXE. The fake message allegedly fools users into giving up information on their accounts and credit cards.

But no such fake update exists. "There is currently no virus that has the characteristics ascribed to Y2KFIX.EXE," wrote Motoaki Yamamura of Symantec, in a briefing on Symantec's AntiVirus Research Center. "It is a sham, meant only to panic new or inexperienced computer users."

Hoaxes thrive on the Internet like nowhere else, since it is so easy to pass along authentic-seeming messages without eliciting a closer examination. As outlined on the Department of Energy's "Internet Hoaxes" page, previous Internet frauds have involved everything from Blue Mountain Cards' greeting cards to a supposed tax on e-mail.
Message sounds real

The Y2KFIX prank is especially perplexing because there are, in fact, many schemes designed to trick people into revealing their AOL passwords or other personal information. "It sounds absolutely plausible," said AOL spokesman Rich D'Amato.

The "AOL Year 2000 Update" hoax e-mail even includes a copy of the scam message it is supposedly warning against. This begins, "Hello, I am Richard Brunner of the AOL TECH Team and we have recently finished work on this project which is the AOL Year 2000 Update." This message is said to include an attachment called Y2KFIX.EXE, which, when executed, causes a fake AOL billing window to pop up, asking users for their names and credit card numbers, among other information. "It looks very legit. It says your billing cycle was up and they need more info," the hoax e-mail warns.

Layers of deception

AOL representatives say users can double-check the reality of scams at the service's "Neighborhood Watch" section. "This is a rumor perpetuating a hoax pretending to be a virus," D'Amato commented. "Plato wouldn't even accept that as poetry."

The same trick e-mail also warns about a "flashing IM," or instant message, that will automatically steal your password unless you "sign off immediately." But AOL said that not only is the "flashing IM" a hoax, it isn't technically possible.

@HWA

64.0 NO FBI SURVEILLANCE AFTER CRITICISMS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by Thejian, Wednesday 28th July 1999 on 11:15 pm CET

The US Government has decided not to blindly go through with a plan to create two broad, FBI-controlled computer monitoring systems to protect the nation's key data networks. Critics were afraid that the plan could lead to a surveillance infrastructure with grave potential for misuse. Some inquiries now come first. ZDNet.
U.S. backs off private monitoring
By Maria Seminerio and Margaret Kane, ZDNN
July 28, 1999 2:26 PM PT
URL:

With criticism rolling in from all quarters, U.S. government officials on Wednesday backed away from a controversial plan to monitor private-sector networks for hacking activity.

The proposed Federal Intrusion Detection Network (FIDNET) plan, details of which were revealed by the New York Times Wednesday, has been in the works for at least a year, a National Security Council spokesman told ZDNN. The proposal for the government to monitor critical systems for security breaches arose out of concerns about the growing vulnerability of government computer networks and sensitive private-sector networks to hackers, the spokesman said. (The NSC advises the president on national security issues.)

But in spite of indications in a government document on the plan obtained by the Center for Democracy and Technology -- which indicates that private networks would also be watched -- the NSC spokesman denied that there is any plan for the surveillance of private online data.

The document outlining details of the plan says the FIDNET monitoring system would cover "critical government and ultimately private-sector information." Information gathered about network security breaches within one of the plan's three "pillars" -- the Department of Defense computer network, other federal networks and private sector networks -- "would also be shared with the other two pillars," according to the document.

The document is consistent with comments made by Jeffrey Hunker, senior director for critical infrastructure at the National Security Council, at the Black Hat Security Conference in Las Vegas earlier this month. "We depend on systems that were never meant to protect data from an organized threat," he told ZDNN. "The truth of the matter is that you all [the industry] own the systems that are going to be the target. It is not the federal government systems."

However, "we feel the government should spend its resources closing the security holes that exist, rather than to watch people trying to break in," Jim Dempsey, senior staff counsel at CDT, said in an interview with ZDNN.

In spite of assurances from government officials that any monitoring would be largely automated, somewhere down the line a person would have to step into the process, Dempsey said -- and this is where such a system could be abused. The government document detailing the plan acknowledges that "trained, experienced analysts" will have to step in to determine the nature of any suspected security breaches.

Looking for 'anomalous activities'

But the NSC spokesman said the government does not plan to monitor private networks or read e-mail messages, but rather to "look for anomalous activities" such as evidence of denial of service attacks on military and other government networks.

This was little comfort to civil libertarians and other high-tech industry watchers, who blasted the plan as an Orwellian attack on privacy.

"I think this is a very frightening proposal," said Barry Steinhardt, associate director of the American Civil Liberties Union, in an interview. "The FBI has abused its power in the past to spy on political dissenters. This type of system is ripe for abuse," Steinhardt said.

"I think the threats (of network vulnerability) are completely overblown," said David Sobel, general counsel at the Electronic Privacy Information Center, in an interview. The perceived security threat is leading to "a Cold War mentality" that threatens ordinary citizens' privacy, Sobel said.

"The most serious concern about this is that it could move us closer to a surveillance society," said Ed Black, president of the Computer and Communications Industry Association, in an interview.
"It's critical that if they do this, they should not retain any of the information that is gathered." ZDNN's Robert Lemos contributed to this report. @HWA 65.0 FEDS CRACK DOWN ON Y2K FRAUD ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.net-security.org/ by Thejian, Wednesday 28th July 1999 on 10:30 pm CET US regulators (read: Federal Trade Commision) yesterday took action against a Canada-based company that allegedly sold phony Y2K credit card protection against Y2K-related problems. This is said to be a first in a series of Y2K-fraud prevention by the FTC. The case was settled with $ 100.000 fine. Wired. http://www.wired.com/news/news/business/story/20980.html Feds Crack Down on Y2K Fraud Wired News Report 8:10 a.m. 28.Jul.99.PDT US regulators took action Wednesday against a company that allegedly sold phony Y2K credit card protection packages through a large-scale telemarketing effort. The Federal Trade Commission said the company, Canada-based NCCP Ltd., pretended to represent customers' credit card companies, and offered plans to cover theft of cards and special packages to protect against Y2K-related problems. However, the so-called packages contained only adhesive stickers, the FTC said. FTC officials said Wednesday's action was its first enforcement measure concerning a Y2K-related fraud. As part of an agreement with regulators, NCCP agreed to pay US$100,000 to settle charges that they falsely represented a credit card protection program. -- ETrade embraces UK: Online broker ETrade opened its fifth international enterprise Wednesday by launching an online investing Web site in the United Kingdom. The company opened ETrade UK in partnership with Electronic Share Information. The joint venture is the first Internet-only broker to receive regulatory approval in the UK, the companies said in a statement. The introductory rate for online transactions is ?.95 (about US$24). 
ETrade said the new Web site is only a step in its plan to gird the globe with an electronic trading network. The company's first four sites outside the United States are in Canada, Australia, France, and Sweden.

@HWA

66.0 RED HAT DELIVERS LINUX E-COMMERCE SERVER
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by dev, Wednesday 28th July 1999 on 10:10 pm CET

Red Hat, a maker of Linux open source software, introduced an e-commerce server package Tuesday that's designed to move small businesses more quickly onto the Internet. The product combines Red Hat's Linux 6.0 and Apache Web server. Integrated into the e-commerce server is RSA Data Security's 128-bit encryption engine. Read more on the interesting combination of open source software and business solutions here.

Red Hat Delivers Linux E-Commerce Server
By Eileen Colkin, InformationWeek
Jul 27, 1999 (5:25 PM)
URL: http://www.techweb.com/wire/story/TWB19990727S0026

Red Hat, a maker of Linux open source software, introduced an e-commerce server package Tuesday that's designed to move small businesses more quickly onto the Internet. The Red Hat Linux E-Commerce server combines Red Hat's Linux 6.0 open source operating system, which supports up to four processors with symmetric multiprocessing configuration, with the Apache Web open source server. Integrated into the e-commerce server is RSA Data Security's 128-bit encryption engine. The server package includes Red Hat's Linux 6.0 applications CD, containing applications such as Star Division's StarOffice, which offers word processing, spreadsheet, graphic design, presentation, HTML editor, e-mail/news reader, event planner, formula editor, and other applications. The CD also features IBM's ViaVoice voice-recognition software and Applix's Applixware for Linux, a full-office suite including a developer bundle.
Also included in the server package is an e-commerce directory with offerings such as HP's WebQoS, which lets users prioritize Web server traffic based on business criteria, electronic shopping-cart software from MiniVend, and a credit card processing engine from CCVS. As part of the Apache Web server, the Apache ASP module offers multiplatform development, while the Apache DAV module lets users edit, manage, and publish Web pages from the desktop without going through FTP. A Netscape Roaming Module lets the Apache server also act as a Netscape Roaming Access server. Available immediately, the Red Hat Linux E-Commerce Server can be purchased on the Red Hat site or at retail sites for $149. Additional support packages are also available.

@HWA

67.0 HACKING IN 1999
~~~~~~~~~~~~~~~

From http://www.net-security.org/ by BHZ, Monday 26th July 1999 on 4:42 pm CET

Our new Special Report, written by anonymous, gives you a retrospective on the past year's underground happenings. "What is a hacker these days? Someone who uses a web browser to hack remote systems? Or is a hacker still defined as it was originally. Hacking is mostly about gaining access to a remote system, not showing off that you outsmarted an admin". You can read about security bugs, hack groups and incidents that marked 1999, in our Special Report entitled Hacking in 1999 | The Current State of Hacking.

Hacking in 1999 | The Current State of Hacking.

Major Exploits released in 1999

In 1999, many things have happened. The Allaire Cold Fusion bug has been widely advertised and put to use; many servers were compromised by using it, and if you look at a lot of the website defacement mirror sites, almost all were done by the Cold Fusion method. Yet another easy bug was released in 1999 by eEye Digital Security Team. This bug was for the Microsoft IIS server, and again many people have used this method to make a name for themselves.
After looking at exploits like this, it makes you wonder what a hacker is these days. Someone who uses a web browser to hack remote systems? Or is a hacker still defined as it was originally? Hacking is mostly about gaining access to a remote system, not showing off that you outsmarted an admin.

Major Incidents that have Affected the 'Scene'

The first major incident was the busting of Eric Burns AKA Zyklon, when companies pressed lawsuits against him for thousands of dollars because he broke into their servers. Up to now he is still not allowed to touch a computer, I assume.

The second incident was the raiding of members of the well known group gH a.k.a. global Hell. Approximately 19 people were raided, if not more, not only from gH but from other groups such as Level Seven, team spl0it, milw0rm and IL (Iron Lungs) from HcV/Legion2000 and forpaxe.

Kevin Mitnick was screwed around 2+ times, with them changing his court date around continuously and him now having to owe 1 mil. Read more about it at 2600, also support the FREE KEVIN movement.

Just recently, a few incidents have happened as a result of John Veransevich, otherwise known as JP from AntiOnline. First, Attrition makes a good accusation that JP indeed funded a hacker known as 'so1o' to deface the Senate Government website for him just to make a breaking news story (although I am not accusing him of doing this, because it was never proven). Another thing you notice about the "Anti Network" is the AntiCode website, which claims to be "the only place you need" for all of your exploits/network/security tools and utilities. But in reality this site is nothing more than an archive compiled from other known sites and the code ripped by AntiOnline itself. The second MAJOR incident was when JP shut down a popular IRC server. And the third, probably most devastating to the underground community, was when JP caused Packetstorm Security to shut down; all of Ken Williams' files were deleted forever, his work ruined.
Not to mention many other things. You can read all those other things at: http://www.attrition.org/negation/index2.html

A few conventions have passed, such as Defcon. Defcon is probably the most recognized of all hacker conventions, and this year some major things happened at this convention. They had a line-up of great speakers, Carolyn P. Meinel showed up and was not allowed in because she was accused of not being a 'real' reporter (which I will not comment on), and shortly into the Defcon convention, their website was defaced by the very well known coding group known as ADM. Also Rootfest and the Blackhat Briefings have recently passed by.

Who has shown up?

Many new groups and individuals have shown up in 1999 up to now. To mention a few, and give a decent description of them and their actions + skills.

Groups

Forpaxe - Forpaxe showed up in early 99. They have been responsible for hitting a record number of .edu domains, also quite a few .gov/.mil and numerous others. They are well known to all hackers and media. A member of the past groups Legion2000 and HcV was a part of this group in the beginning, Iron Lungs, who later got raided by the FBI. Now it appears to just be 2 individuals (m1crochip/in0de), which they state on all of their webpage defacements. They do what they do for a reason, so they are a decent group of individuals as far as I am concerned.
Mirrors of their Website Defacements http://www.attrition.org/mirror/attrition/forpax.html

Goat Security - This organization is a definite mentionable. Everybody knows and remembers the goat team; it consisted of members of gH, HcV and I think even a few from LoU. They defaced a good amount of websites and made a widely known name for themselves. They definitely knew what they were doing, not like all of the CF (cold fusion) kiddies you see around these days.
Mirrors of their Website Defacements http://www.attrition.org/mirror/attrition/goat.html

gH (global Hell) - Possibly the most worldwide known hacker group and most media exposed, gH defaced a lot of high profile websites such as Macweek, Peoples Court, The Main Army Page and the Whitehouse. Many members were later raided by FBI agents due to the defacing of the Whitehouse website. They have skill and, as far as I saw it, a very good team of people. This group will always be remembered.
Mirrors of their Website Defacements http://www.attrition.org/mirror/attrition/gh.html

Level Seven - This crew was responsible for numerous defacements. It is rumored, and also stated on some of their defacements, that members of this group were a part of gH (global Hell) and got raided. This group was another group that hacked for a decent reason. Mentionable mostly because of their tie-ins with gH. Nonetheless they are a good group.
Mirrors of their Website Defacements http://www.attrition.org/mirror/attrition/l7.html

Stonehenge Crew - Not very much to say about this group other than they have a purpose for what they do. They always have a reason for defacing a website they hit. They have done around 14 webpage defacements. It is rumored they are also 'tight' with the known group gH. This is another good group.
Mirrors of their Website Defacements http://www.attrition.org/mirror/attrition/henge.html

Keebler Elves - Well, this group is probably the most skilled up to now in 1999. Many skilled individuals, coders and hackers alike in it, from what is said at least. They are best known for their hacks of the Department of Education, Virgin Records and the Monmouth Army Base. Probably has done the most recognized sites in 1999. And I wouldn't be surprised if they continue to hack big time names. This group deserves a lot of respect. Why? Because they aren't like the rest.
Mirrors of their Website Defacements http://www.attrition.org/mirror/attrition/keebler.html

HFD (Hacking for Drunks) - This is another group well known for its choice of sites to deface. Probably most well recognized for their 20th Century Fox International, Gibson and Blair Witch website hacks. They seem to have a good sense of humor and have done some entertaining defacements. Very good group. But name/logo kind of ripped from HFG (Hacking For Girls).
Mirrors of their Website Defacements http://www.attrition.org/mirror/attrition/hfd.html

bl0w team - A good Brazilian hackers group, consisting of 5 individuals, best noted for their 2600.co.uk and Telemar hacks. They do it all for an adequate reason and do not give up. I think their patriotism is admirable. They also seem to have a good amount of skill dealing with Solaris/NT systems.
Mirrors of their Website Defacements http://www.attrition.org/mirror/attrition/bl0w.html

INDIANHackers/EHA/Ant1 S3cur1ty Tskf0rc3/MST (Moscow Security Team) - Nothing special, not really even worth the time. They did a 'few' sites and were never heard from again. None of them had really any reason for defacing websites other than to make themselves look big. Ant1 S3cur1ty Taskf0rc3 did a few with reason, but it was rare with these 4 groups.
Mirrors of all the groups' defacements:
[INDIANHackers] http://www.attrition.org/mirror/attrition/ndian.html
[EHA] http://www.attrition.org/mirror/attrition/eha.html
[Ant1 s3cur1ty taskf0rce] http://www.attrition.org/mirror/attrition/asc.html
[MST] http://www.attrition.org/mirror/attrition/mst.html

-end-

Individuals

zo0mer - Hit a lot of government/military systems and banks. But it appears he removes data from the boxes after he is done. What would be labeled a malicious script kiddie cracker.
Mirror of all his/her hacks http://www.attrition.org/mirror/attrition/zoom.html

p0gO - Probably best known for his defacing of Time Warner San Diego.
Not to mention his mass hack. He appears to have good skills, and is also recognized for his association with irc.psychic.com.
Mirror of all his/her hacks http://www.attrition.org/mirror/attrition/pogo.html

Xoloth1 - Well known hacker from the Netherlands. Hit some well known porn sites and what would appear to be his spotlight defacement, Pentagon.co.yu. Xoloth hacks for all the right reasons.
Mirror of all his/her hacks http://www.attrition.org/mirror/attrition/xoloth.html

v00d00 - First showed up on the scene doing a hack for Psychic, shortly after doing defacements when he was part of the group Defiance, it appears. He appears to hack for the freedom of Kevin Mitnick AKA Condor and against war, racism and a lot of problems that happen in the world these days. He does it for a good cause. That is all there is to say.
Mirror of all his/her hacks http://www.attrition.org/mirror/attrition/v00.html

Mozy - Started hacking for irc.psychic.com, later went individual, noted to be good friends with several known hackers. His defacements are quite humorous if you ask me. Keep it up.
Mirror of all his/her hacks http://www.attrition.org/mirror/attrition/mozy.html

dr_fdisk^ - Extremely well known Spanish hacker, and for being in the group Raza Mexicana. Most well known for compromising such sites as Nic.bo and HBO, Latin America. Another hacker that does it for the freedom of Kevin Mitnick and many other reasons.
Mirror of all his/her hacks http://www.attrition.org/mirror/attrition/fdisk.html

There are other individuals I missed and they all deserve respect and to be noticed. I didn't forget them because I dislike them, just because this part of the article has gone far enough.

What was hit?

Aside from all the no-name sites that were hacked, in 1999 there have been several HIGH PROFILE web defacements. Below is a list with a link to the defaced site, provided by Attrition.
- Ku Klux Klan
- LOD Communication
- 200cigarettes Movie
- Whitepride
- No Limit Records
- Hotbot Search Engine
- Summercon
- eBay
- Coca Cola (BE)
- US Senate
- HBO, Latin America
- The White House
- Army Main Site
- and so many more....

Why do they do it?

MOST of the time it is to make a name and become known/noticed, but on some occasions people do it for a reason: to prove faulty security, to protest against a certain problem in the world, or a personal dispute.

Well, that pretty much covers 1999. Most of the remembered parts up to now anyways. Thanks a lot, I prefer to remain anonymous.

Sites to check out:
Rootshell, http://www.rootshell.org
Attrition, http://www.attrition.org
HNN http://www.hackernews.com
OSAll http://www.aviary-mag.com

Written by anonymous for HNS (www.net-security.org)

@HWA

68.0 Y2K crash test
~~~~~~~~~~~~~~

From http://www.net-security.org/ by BHZ, Sunday 25th July 1999 on 2:21 pm CET

Y2K Crash Test (Windows 95/98 version) collects information about your hardware, programs, Windows settings, and data files, tests their functionality during various dates known to cause problems with non-Y2K compliant files, displays comprehensive results, and allows you to print them. Download the program here (1.07Mb): http://www.net-security.org/dload/y2k/nocrash3.exe
Screenshot: http://www.net-security.org/dload/y2k/nocrash.jpg

Y2K TEST FOR DOS
by BHZ, Sunday 25th July 1999 on 2:14 pm CET

Y2K TEST for DOS is a millennium bug diagnostic and repair utility used to test how a PC will handle year 2000 dates and beyond. The included fix restores year 2000 compliance by installing a device driver that compensates for non-compliant real-time clocks, thereby fixing BIOS bugs including the Award 4.50G BIOS problem. Just to note, it is an updated version of the program we wrote about earlier. Download the program here (560kb). http://www.net-security.org/dload/y2k/y2kdos.zip
Screenshot:
http://www.net-security.org/dload/y2k/y2kdostest.gif

69.0 CASSANDRA GOLD
~~~~~~~~~~~~~~

From http://www.net-security.org/ by BHZ, Sunday 25th July 1999 on 3:11 am CET

Cassandra GOLD is a new trojan detection and removal program that can be run on Windows 95 and Windows 98 operating systems. It currently can find 25 trojans:

NetBus 2.0
NetBus 1.7
NetBus 1.6
BackOrifice 1.20
Masters Paradise 9.7
Deep Throat 1.0
Deep Throat 2.0
Deep Throat 3.0
GirlFriend 1.35 (Old)
GirlFriend 1.35 (New)
WinCrash 1.03
WEB EX 1.2
Telecommando
NetBus 2.01
SubSeven 1.5
GateCrasher 1.2
COMA
HACK99
Hack-a-Tack
Millenium
NetSpy 2.0
OpC BO v2.0
Spying King
BladeRunner
NetSphere

Download Cassandra GOLD US edition: http://www.net-security.org/dload/Cassandra-US.zip
or Cassandra GOLD Swedish edition: http://www.net-security.org/dload/Cassandra-SE.zip
Homepage - http://www.win32software.com.

@HWA

70.0 BELL CANADA Y2K TEST
~~~~~~~~~~~~~~~~~~~~

From http://www.net-security.org/ by BHZ, Saturday 24th July 1999 on 11:05 pm CET

Bell Canada (www.bell.ca), a telephone operator in Canada, was working hard on preparing a new Y2K-ready system, and yesterday they transferred 7500 customers to the new system. It all worked well for 3 hours, but then the system crashed. So those "lucky ones" couldn't use their phone services for a couple of hours, until it was all fixed.

@HWA

71.0 [RHSA-1999:025-01] Potential misuse of squid cachemgr.cgi
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 30 Jul 1999 11:08:07 -0400
From: Bill Nottingham
To: redhat-watch-list@redhat.com
Cc: linux-security@redhat.com
Subject: [linux-security] [RHSA-1999:025-01] Potential misuse of squid cachemgr.cgi

---------------------------------------------------------------------
Red Hat, Inc.
Security Advisory

Synopsis: Potential misuse of squid cachemgr.cgi
Advisory ID: RHSA-1999:025-01
Issue date: 1999-07-29
Updated on:
Keywords: squid cachemgr.cgi connect
Cross references:
---------------------------------------------------------------------

1. Topic:

cachemgr.cgi, the manager interface to Squid, is installed by default in /home/httpd/cgi-bin. If a web server (such as apache) is running, this can allow remote users to send connect() requests from the local machine to arbitrary hosts and ports.

2. Bug IDs fixed:

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures
Red Hat Linux 5.2, all architectures

4. Obsoleted by:

5. Conflicts with:

6. RPMs required:

Red Hat Linux 6.0:
Intel: ftp://updates.redhat.com/6.0/i386/squid-2.2.STABLE4-5.i386.rpm
Alpha: ftp://updates.redhat.com/6.0/alpha/squid-2.2.STABLE4-5.alpha.rpm
Sparc: ftp://updates.redhat.com/6.0/sparc/squid-2.2.STABLE4-5.sparc.rpm
Source packages: ftp://updates.redhat.com/6.0/SRPMS/squid-2.2.STABLE4-5.src.rpm

Red Hat Linux 5.2:
Intel: ftp://updates.redhat.com/5.2/i386/squid-2.2.STABLE4-0.5.2.i386.rpm
Alpha: ftp://updates.redhat.com/5.2/alpha/squid-2.2.STABLE4-0.5.2.alpha.rpm
Sparc: ftp://updates.redhat.com/5.2/sparc/squid-2.2.STABLE4-0.5.2.sparc.rpm
Source packages: ftp://updates.redhat.com/5.2/SRPMS/squid-2.2.STABLE4-0.5.2.src.rpm

7. Problem description:

A remote user could enter a hostname/IP address and port number, and the cachemgr CGI would attempt to connect to that host and port, printing the error if it fails. Because the connection is made from the web server's own address, this lets an outsider probe hosts and ports that the server can reach but the outsider cannot, with the error text telling a refused port apart from a filtered one.

8. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM. Alternatively, you can simply disable the cachemgr.cgi, by editing your http daemon's access control files or deleting/moving the cachemgr.cgi binary.

9.
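The pattern the advisory describes, as an added example that is not Red Hat's or the Squid project's code: a CGI-style handler that connects to a caller-chosen host:port and echoes the result, beside a hardened variant that only talks to an explicit allow-list and answers every refused request identically. The function names, the allow-list contents and the reply strings are this example's assumptions; the scenario in demo() is constructed on loopback so it runs offline.

```python
# Added example, not code from Red Hat or the Squid project: the pattern
# RHSA-1999:025 describes (a CGI that connects to a caller-chosen host:port
# and reports the outcome) next to a hardened variant. Function names, the
# allow-list and the reply strings are this example's assumptions.
import ipaddress
import socket


def vulnerable_probe(host, port, timeout=1.0):
    """Connects wherever the client asked and echoes the outcome.

    Served by a web server, this turns the host into a connection oracle:
    anyone who can reach the CGI can scan, from the server's own address,
    hosts and ports they could not reach directly, and the error text tells
    'refused' apart from 'timed out'.
    """
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return "connected"
    except (OSError, ValueError) as exc:
        return f"error: {exc}"


# Assumption: the only legitimate manager target is the local cache port.
ALLOWED_TARGETS = frozenset({("127.0.0.1", 3128)})


def hardened_probe(host, port, allowed=ALLOWED_TARGETS, timeout=1.0):
    """Same job, but the target must be on an explicit allow-list.

    The host must be a literal IP (no DNS lookups on attacker input), the
    port must be an integer, and every refused request gets the same reply
    so the caller learns nothing about targets that are not allowed.
    """
    try:
        target = (str(ipaddress.ip_address(host)), int(port))
    except ValueError:
        return "rejected"
    if target not in allowed:
        return "rejected"
    try:
        with socket.create_connection(target, timeout=timeout):
            return "connected"
    except OSError:
        return "unavailable"


def demo():
    """Constructed scenario on loopback: one listening port stands in for
    an internal service, one closed port stands in for a filtered one."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    open_port = srv.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more
    try:
        return {
            "vuln_open": vulnerable_probe("127.0.0.1", open_port),
            "vuln_closed": vulnerable_probe("127.0.0.1", closed_port),
            "hard_other_host": hardened_probe("10.0.0.1", 22),
            "hard_bad_port": hardened_probe("127.0.0.1", "abc"),
            "hard_hostname": hardened_probe("localhost", open_port),
            "hard_allowed": hardened_probe(
                "127.0.0.1", open_port, allowed={("127.0.0.1", open_port)}),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

The vulnerable handler reports a different string for an open port and a refused one, which is all a scanner needs; the hardened one collapses every non-allowed request into the same "rejected" reply before any socket is opened, so the web server never makes a connection on the caller's behalf. On a box where the manager interface is not needed at all, the advisory's own advice (restrict or remove cachemgr.cgi) is simpler than any allow-list.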
Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
80d527634fc8d8d2029532a628b3d924 squid-2.2.STABLE4-5.i386.rpm
65d18747148d7e3dae4249fe65c18c6b squid-2.2.STABLE4-5.alpha.rpm
734f84b949752fe39b5e58555210ff51 squid-2.2.STABLE4-5.sparc.rpm
02a93b0b1985f8d5c77eb8f3e8981eeb squid-2.2.STABLE4-5.src.rpm
175b42cc4b603242fbb95e345c14963c squid-2.2.STABLE4-0.5.2.i386.rpm
f8dfc1198e32c645ed57769a44f3aa6d squid-2.2.STABLE4-0.5.2.alpha.rpm
2e11f629d2f15af8442d6b724ea4d020 squid-2.2.STABLE4-0.5.2.sparc.rpm
0ea1522539d2aebf298881571253e13d squid-2.2.STABLE4-0.5.2.src.rpm

These packages are PGP signed by Red Hat Inc. for security. Our key is available at:
http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp <filename>

10. References:

--
----------------------------------------------------------------------
Please refer to the information about this list as well as general information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe linux-security-request@redhat.com < /dev/null

@HWA

72.0 [RHSA-1999:022-03] New Samba packages available (updated)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Thu, 29 Jul 1999 14:26:26 -0400
From: Bill Nottingham
To: redhat-watch-list@redhat.com
Cc: linux-security@redhat.com
Subject: [linux-security] [RHSA-1999:022-03] New Samba packages available (updated)

---------------------------------------------------------------------
Red Hat, Inc.
Security Advisory

Synopsis: New samba packages for Red Hat Linux 4.2, 5.2, 6.0
Advisory ID: RHSA-1999:022-02
Issue date: 1999-07-22
Updated on: 1999-07-29
Keywords: samba smbd nmbd security
Cross references:
---------------------------------------------------------------------

Revision History:
1999-07-23: Fix 'Conflicts with' section about smbmount with 2.0/2.2 kernels.
1999-07-29: Add note about %postun of Red Hat Linux 6.0 samba release.

1. Topic:

Samba 2.0.5a has been released. Among the fixes in this release are several security issues present in previous Samba releases.

2. Bug IDs fixed:

1321 2557 2625 2779 2923 2982 3715

3. Relevant releases/architectures:

Red Hat Linux 6.0, all architectures
Red Hat Linux 5.2, all architectures
Red Hat Linux 4.2, all architectures

4. Obsoleted by:

5. Conflicts with:

The smbmount code shipped with Samba 2.0 is only compatible with the Linux 2.2 kernel, so it has not been built for the Red Hat Linux 4.2 and 5.2 releases. If smbmount support for the 2.2 kernel is needed under Red Hat Linux 4.2 or 5.2, the source RPM can be rebuilt with the following command line (RPM version 3.0 is required):

rpm --define "KERN22 yes" --rebuild samba-2.0.5a-.src.rpm

The samba package shipped with Red Hat Linux 6.0 (samba-2.0.3-8) has an erroneous post-uninstall script. If this package is upgraded to the errata release, it could cause /var/log/samba and /var/lock/samba to be missing. It is recommended that users of samba under Red Hat Linux 6.0 uninstall the previous release using 'rpm -e samba' before installing the errata release.

6.
RPMs required:

Red Hat Linux 6.0:
Intel: ftp://updates.redhat.com/6.0/i386/
samba-2.0.5a-1.i386.rpm
samba-client-2.0.5a-1.i386.rpm
Alpha: ftp://updates.redhat.com/6.0/alpha/
samba-2.0.5a-1.alpha.rpm
samba-client-2.0.5a-1.alpha.rpm
Sparc: ftp://updates.redhat.com/6.0/sparc/
samba-2.0.5a-1.sparc.rpm
samba-client-2.0.5a-1.sparc.rpm
Source: ftp://updates.redhat.com/6.0/
samba-2.0.5a-1.src.rpm

Red Hat Linux 5.2:
Intel: ftp://updates.redhat.com/5.2/i386/
samba-2.0.5a-0.5.2.i386.rpm
samba-client-2.0.5a-0.5.2.i386.rpm
Alpha: ftp://updates.redhat.com/5.2/alpha/
samba-2.0.5a-0.5.2.alpha.rpm
samba-client-2.0.5a-0.5.2.alpha.rpm
Sparc: ftp://updates.redhat.com/5.2/sparc/
samba-2.0.5a-0.5.2.sparc.rpm
samba-client-2.0.5a-0.5.2.sparc.rpm
Source: ftp://updates.redhat.com/5.2/
samba-2.0.5a-0.5.2.src.rpm

Red Hat Linux 4.2:
Intel: ftp://updates.redhat.com/4.2/i386/
samba-2.0.5a-0.4.2.i386.rpm
samba-client-2.0.5a-0.4.2.i386.rpm
Alpha: ftp://updates.redhat.com/4.2/alpha/
samba-2.0.5a-0.4.2.alpha.rpm
samba-client-2.0.5a-0.4.2.alpha.rpm
Sparc: ftp://updates.redhat.com/4.2/sparc/
samba-2.0.5a-0.4.2.sparc.rpm
samba-client-2.0.5a-0.4.2.sparc.rpm
Source: ftp://updates.redhat.com/4.2/
samba-2.0.5a-0.4.2.src.rpm

7. Problem description:

Several security issues were present in earlier samba releases.

- a denial-of-service attack could be performed against nmbd.
- a buffer overflow was present in the message service in smbd (not enabled by default under Red Hat Linux)
- a race condition was present in smbmnt that could cause problems if installed setuid root (it is not installed setuid root by default under Red Hat Linux 6.0, and is not present under Red Hat Linux 4.2 or 5.2)

Thanks go to Olaf Kirch (okir@caldera.de) for discovering the security holes, as well as the Samba team.

8. Solution:

Install the updated RPMs, and restart the affected services by running:

/etc/rc.d/init.d/smb restart

For each RPM for your particular architecture, run:

rpm -Uvh <filename>

where filename is the name of the RPM.

9.
Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
5167d97fb2f0949991555a3b8e86d509 samba-2.0.5a-1.i386.rpm
969d609925bc09f9c113907124828dc6 samba-client-2.0.5a-1.i386.rpm
d8091f3fa0aeda8febf3553d5b92f53f samba-2.0.5a-1.alpha.rpm
99f334ef87347877d1b79d4801044547 samba-client-2.0.5a-1.alpha.rpm
58b1afe4c81028435e6cad1325d4bbee samba-2.0.5a-1.sparc.rpm
6e3939fcebba7ace639b766b1cf36cab samba-client-2.0.5a-1.sparc.rpm
5c87d78148a8a224e5f89e5dce9af1ae samba-2.0.5a-1.src.rpm
6ce227464edc1e79cf4433ede6d18c05 samba-2.0.5a-0.5.2.i386.rpm
0f8d4c9606af2fd809c55a6dd3f9beae samba-client-2.0.5a-0.5.2.i386.rpm
cb51e889747ed1786996323863f64868 samba-2.0.5a-0.5.2.alpha.rpm
f82cfb4807fa9399005a03d6dd65dca5 samba-client-2.0.5a-0.5.2.alpha.rpm
d56551d53be6928556bb58517f265e9f samba-2.0.5a-0.5.2.sparc.rpm
371f7de9553d9c86c4b62d2a92c84bf0 samba-client-2.0.5a-0.5.2.sparc.rpm
e411e3c19d19ab89d35e834c7d379589 samba-2.0.5a-0.5.2.src.rpm
c5d267fc6b47a84f0571f0ce1a7a15aa samba-2.0.5a-0.4.2.i386.rpm
3d07e39245cdc5d8aa0ba8d50e6178f1 samba-client-2.0.5a-0.4.2.i386.rpm
f3db3e6f607afbd861610570154fd19d samba-2.0.5a-0.4.2.alpha.rpm
7972cf576734d1b006258a8ca02c80ff samba-client-2.0.5a-0.4.2.alpha.rpm
c44a4c13f171f31686d91da3b8370311 samba-2.0.5a-0.4.2.sparc.rpm
a6c235a206349e347dfe35ac0064d901 samba-client-2.0.5a-0.4.2.sparc.rpm
0c326cb2a2b0964026d286fb5f6b8079 samba-2.0.5a-0.4.2.src.rpm

These packages are PGP signed by Red Hat Inc. for security. Our key is available at:
http://www.redhat.com/corp/contact.html

You can verify each package with the following command:

rpm --checksig <filename>

If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:

rpm --checksig --nopgp <filename>

10.
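Both Red Hat advisories above (the squid and the Samba one) print an MD5 table and tell you to check the downloaded RPMs against it before installing. The following is an added example, not Red Hat tooling: it parses a table in that format, hashes every file in a download directory and reports a verdict per file. The three table lines are copied from the Samba advisory above; every file written in demo() is constructed so the example runs offline, and the "example-1.0-1.i386.rpm" entry is added to the table by the demo itself, not taken from any advisory.

```python
# Added example, not Red Hat tooling: check errata RPMs on disk against the
# MD5 table an advisory prints before installing them. The three table lines
# are copied from RHSA-1999:022; the files written in demo() are constructed.
import hashlib
import os
import re
import tempfile

ADVISORY_TABLE = """
MD5 sum                          Package Name
--------------------------------------------------------------------------
5167d97fb2f0949991555a3b8e86d509 samba-2.0.5a-1.i386.rpm
969d609925bc09f9c113907124828dc6 samba-client-2.0.5a-1.i386.rpm
5c87d78148a8a224e5f89e5dce9af1ae samba-2.0.5a-1.src.rpm
"""

_MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")


def parse_md5_table(text):
    """Map package file name -> expected MD5 hex digest; other lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = _MD5_LINE.match(line.strip())
        if m:
            table[m.group(2)] = m.group(1)
    return table


def md5_of_file(path, chunk=1 << 16):
    """Stream the file through MD5 so large packages do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_dir(directory, table):
    """One verdict per file in directory, plus the advisory entries not present."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        expected = table.get(name)
        if expected is None:
            report[name] = "not listed in advisory"
        elif md5_of_file(path) == expected:
            report[name] = "ok"
        else:
            report[name] = "MISMATCH - do not install"
    report["__missing__"] = sorted(set(table) - set(report))
    return report


def demo():
    """Constructed download directory: a file whose name matches the advisory
    but whose bytes do not, a stray file, and a file whose digest the demo
    adds to the table as if the advisory had listed it."""
    table = parse_md5_table(ADVISORY_TABLE)
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "samba-2.0.5a-1.i386.rpm"), "wb") as f:
            f.write(b"not the real package\n")  # constructed, wrong content
        with open(os.path.join(d, "README.txt"), "wb") as f:
            f.write(b"stray file\n")
        good = b"constructed good package bytes\n"
        with open(os.path.join(d, "example-1.0-1.i386.rpm"), "wb") as f:
            f.write(good)
        table["example-1.0-1.i386.rpm"] = hashlib.md5(good).hexdigest()
        return verify_dir(d, table)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

An MD5 match only shows the file is the one the advisory describes, which rules out truncation or a swapped download; it says nothing about who produced the advisory text you pasted in. For authenticity the advisory's own instruction, rpm --checksig against Red Hat's published key, is the check that matters.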
References:

<19990721023513Z12865037-4222+1570@samba.anu.edu.au>

--
----------------------------------------------------------------------
Please refer to the information about this list as well as general information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe linux-security-request@redhat.com < /dev/null

@HWA

73.0 CERT® Advisory CA-99-10 Insecure Default Configuration on RaQ2 Servers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CERT® Advisory CA-99-10 Insecure Default Configuration on RaQ2 Servers

Originally released: July 30, 1999
Source: CERT/CC
See also: Cobalt Networks Security Announcement

Systems Affected

Cobalt Networks RaQ2 single rack unit Internet servers

I. Description

A vulnerability has been discovered in the default configuration of Cobalt Networks RaQ2 servers that allows remote users to install arbitrary software packages to the system. RaQ2 servers are configured with an administrative webserver to process remote requests to manage the unit. Systems installed with the default configuration have insufficient access control mechanisms to prevent remote users from adding arbitrary software packages to the system using this webserver. A document published by Cobalt Networks describes the vulnerability and solutions in more detail:
http://www.cobaltnet.com/support/security/index.html

II. Impact

Any remote user who can establish a connection to an administrative port on a vulnerable RaQ2 server can install arbitrary software packages on the server. This access can then be used to gain root privileges on the system.

III.
Solution

Configure your Systems to Guard Against this Vulnerability

Install the patches provided by Cobalt Networks:
http://www.cobaltnet.com/patches/RaQ2-Security-1.0.pkg (For RaQ2 servers)
http://www.cobaltnet.com/patches/RaQ2J-Security-1.0.pkg (For Japanese versions of the RaQ2 system)

The CERT/CC wishes to thank Cobalt Networks for their assistance in developing this advisory.

This document is available from: http://www.cert.org/advisories/CA-99-10-cobalt-raq2.html.

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address: CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, Pittsburgh PA 15213-3890, U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/. To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Revision History
July 30, 1999: Initial release

@HWA

74.0 MS Security Bulletin: Patch Available for "Malformed Dialer Entry" Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Microsoft Security Bulletin (MS99-026)
--------------------------------------

Patch Available for "Malformed Dialer Entry" Vulnerability

Originally Posted: July 29, 1999

Summary
======

Microsoft has released a patch that eliminates a security vulnerability in the Phone Dialer accessory in Microsoft® Windows NT®. The vulnerability could be used to run arbitrary code in a user's security context on Windows NT systems. Frequently asked questions regarding this vulnerability can be found at http://www.microsoft.com/security/bulletins/MS99-026faq.asp

Issue
====

Dialer.exe has an unchecked buffer in the portion of the program that processes the dialer.ini file. This vulnerability could be used to run arbitrary code via a classic buffer overrun technique. The circumstances of this vulnerability require a fairly complicated attack scenario that limits its scope. Dialer.exe runs in the security context of the user, so it would not benefit an attacker to simply modify a dialer.ini file and run it, as he or she would not gain additional privileges. Instead, the attacker would need to modify the dialer.ini file of another user who had higher privileges, then wait for that user to run Dialer. Although the unchecked buffer is present in all versions of Windows NT 4.0, the attack scenario would result in workstations that have dial-out capability being chiefly at risk.
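Because the attack path in the Issue section runs through a dialer.ini the victim did not write, a triage check on unpatched workstations is to look for phone entries longer than the 128 bytes that the KB article title for this bulletin (Q237185, listed under More Information) names. The following is an added example, not Microsoft's code or the MS99-026 patch: it assumes dialer.ini is an ordinary Windows INI file of [section] headers and key=value lines, and the section and key names in the constructed sample are this example's own, not taken from a real dialer.ini.

```python
# Added example, not Microsoft's code or the MS99-026 patch: flag dialer.ini
# values longer than the 128-byte bound named in KB Q237185. Assumes plain
# INI syntax ([section] / key=value); sample section and key names are
# constructed, not taken from a real dialer.ini.
LIMIT = 128  # assumption: the bound implied by "more than 128 Bytes"


def parse_ini(text):
    """Return {section: {key: value}}; blank lines and ;/# comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def oversized_entries(text, limit=LIMIT):
    """List (section, key, byte_length) for every value longer than limit bytes.

    Length is measured in bytes of the ANSI encoding (cp1252 assumed here),
    because the unchecked buffer is a byte buffer, not a character count.
    """
    found = []
    for section, entries in parse_ini(text).items():
        for key, value in entries.items():
            n = len(value.encode("cp1252", "replace"))
            if n > limit:
                found.append((section, key, n))
    return found


# Constructed sample: one ordinary entry, one 200-byte entry that an
# attacker might have planted, plus an unrelated setting.
SAMPLE_INI = (
    "; constructed sample, not a real dialer.ini\n"
    "[Speed Dial]\n"
    "Entry1=555-0100\n"
    "Entry2=" + "9" * 200 + "\n"
    "[Settings]\n"
    "Line=COM2\n"
)


def demo():
    """Scan the constructed sample; in practice read the profile's dialer.ini."""
    return oversized_entries(SAMPLE_INI)


if __name__ == "__main__":
    for section, key, n in demo():
        print(f"[{section}] {key}: {n} bytes (limit {LIMIT})")
```

A hit is an indicator, not proof: a long entry in a profile whose owner never edited dialer.ini is exactly the precondition the bulletin describes, so the right response is to install the patch and find out who wrote the file, not merely to shorten the entry.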
The FAQ discusses this in greater detail.

Affected Software Versions
==========================
 - Microsoft Windows NT Workstation 4.0
 - Microsoft Windows NT Server 4.0
 - Microsoft Windows NT Server 4.0, Enterprise Edition
 - Microsoft Windows NT Server 4.0, Terminal Server Edition

Patch Availability
==================
 - Windows NT Server; Windows NT Server 4.0, Enterprise Edition; and Windows NT Workstation 4.0:
   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/
   NT40/hotfixes-postSP5/Dialer-fix/
 - Windows NT Server 4.0, Terminal Server Edition:
   ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/
   nt40tse/hotfixes-postSP4/Dialer-fix/

NOTE: Line breaks have been inserted into the above URLs for readability.

More Information
================
Please see the following references for more information related to this issue.
 - Microsoft Security Bulletin MS99-026: Frequently Asked Questions, http://www.microsoft.com/security/bulletins/MS99-026faq.asp.
 - Microsoft Knowledge Base (KB) article Q237185, Dialer.exe Access Violation with Phone Entry more than 128 Bytes, http://support.microsoft.com/support/kb/articles/q237/1/85.asp. (Note: It may take 24 hours from the original posting of this bulletin for the KB article to be visible; however, a copy will be immediately available in the patch folder.)
 - Microsoft Security Advisor web site, http://www.microsoft.com/security/default.asp.

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft acknowledges David Litchfield of Arca Systems for discovering this vulnerability and reporting it to us.

Revisions
=========
 - July 29, 1999: Bulletin Created.

--------------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1999 Microsoft Corporation. All rights reserved. Terms of Use.

@HWA

75.0 Senate asks for input into information infrastructure protection plan
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.fcw.com/pubs/fcw/1999/0726/web-plan-7-29-99.html

JULY 29, 1999 . . . 18:15 EDT

Citing privacy concerns, Senate asks for input into information infrastructure protection plan

BY DIANE FRANK (diane_frank@fcw.com)

The Senate today urged federal officials to brief Congress on a Clinton administration plan to protect the federal information infrastructure from cyberattacks. The request followed stories this week in the general press that inaccurately reported that the draft plan would have the FBI monitor interactions with government computers.

During a hearing of the Senate Special Committee on the Year 2000 Technology Problem, Sen. Bob Bennett (R-Utah) and Sen. Christopher Dodd (D-Conn.) both called for the draft plan to be released to Congress and asked for a closed briefing within the next few weeks.

The National Plan for Information Systems Protection is being developed by the Critical Infrastructure Assurance Office (CIAO), the National Infrastructure Protection Center (NIPC), and other high-level officials and groups within the government.
It is based on the critical infrastructure protection plans from agencies and industry required by Presidential Decision Directive 63 and was originally scheduled to be sent to Congress and the president this fall, according to John Tritak, director of the CIAO.

Published stories based on a copy of the June 7 draft of the plan that was leaked to a public interest group raised several concerns that the senators felt Congress should know more about, including privacy issues surrounding the monitoring inherent in the proposed Federal Intrusion Detection Network (FIDnet).

"The issues, and specifically the FIDnet proposal reported by the [New York] Times, should be the subject of oversight by the Congress, which has yet to receive an official copy of the plan," Bennett said. "I am confident, given the timing of today's hearing, that a copy of the national plan will be forthcoming and that the oversight process can begin."

Mail questions to webmaster@fcw.com
Copyright 1999 FCW Government Technology Group

@HWA

76.0 FBI: Beware outside Y2K workers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(Online News, 07/29/99 11:43 AM)

FBI: Beware outside Y2K workers

By Patrick Thibodeau

WASHINGTON -- Private companies that have used outside firms to complete year 2000 repair work are running the risk that their systems have been compromised, a top Federal Bureau of Investigation official warned a congressional committee today.

Michael Vatis, a deputy assistant director at the FBI and director of the National Infrastructure Protection Center, said he is concerned that Y2K contractors, both foreign and domestic, have used the Y2K remediation process to install malicious code.

Vatis said the FBI doesn't have "concrete indications" that any group is planning "to engage in unlawful intrusions" at the New Year. But the FBI is nonetheless expecting trouble, he said in testimony prepared for today's hearing by the U.S. Senate's Special Committee on the Year 2000 Technology Problem.
Y2K contractors could compromise systems by installing trap doors, obtaining root access, implanting malicious code or mapping systems with the intent of selling information to economic competitors or foreign intelligence agencies. Those with the motives and the means to compromise systems include foreign governments for information warfare purposes, as well as those engaged in industrial espionage, terrorism or organized crime, said Vatis.

The FBI expects to see increased and possibly violent activities among certain domestic groups. For instance, the coming of the millennium requires Christian Identity adherents to prepare for the "Second Coming of Christ" by taking violent action against their enemies. That kind of activity raises the possibility there could also be an increase in activity in the cyberworld, Vatis said in his testimony.

Given "the vulnerabilities [that] could be implanted in critical systems," said Vatis, "it is imperative that the client companies do as much as possible to check the background of the companies doing their remediation work, oversee the remediation process closely, and review new code as closely as possible and remove any extraneous code."

Moreover, Vatis advised companies to create "red teams" to try to crack their software and determine if trap doors exist.

@HWA

77.0 HPSBUX9907-101 Security Vulnerability Software Distributor (SD)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HP Support Information Digests
===============================================================================

HP Electronic Support Center World Wide Web Service
---------------------------------------------------

If you subscribed through the HP Electronic Support Center and would like to be REMOVED from this mailing list, access the HP Electronic Support Center on the World Wide Web at:

   http://europe-support.external.hp.com

Login using your HP Electronic Support Center User ID and Password. Then select Support Information Digests.
You may then unsubscribe from the appropriate digest.
===============================================================================

Digest Name: Daily Security Bulletins Digest
    Created: Mon Jul 26 15:00:02 METDST 1999

Table of Contents:

   Document ID      Title
   ---------------  -----------
   HPSBUX9907-101   Security Vulnerability Software Distributor (SD)

The documents are listed below.
-------------------------------------------------------------------------------

Document ID: HPSBUX9907-101
Date Loaded: 19990725
      Title: Security Vulnerability Software Distributor (SD)

-------------------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00101, 26 July 1999
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer’s failure to fully implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:      Buffer overflows in Software Distributor (SD) commands.

PLATFORM:     HP9000 Series 700/800 running HP-UX 10.XX, and 11.00, plus SD OpenView/ITA on other specific vendor platforms.

DAMAGE:       Users can gain increased privileges.

SOLUTION:     Apply the appropriate patch noted below.

AVAILABILITY: All patches are available now.
-------------------------------------------------------------------------

I.

   A. Background

      A serious defect has been identified in the HP-UX SD filesets
         SW-DIST.RUPDATE
         SW-DIST.SD-AGENT
         SW-DIST.SD-CMDS.

   B.
Fixing the problem - Install the applicable patch:

      SD-UX version B.10.10 on HP-UX release 10.01, 10.10:   PHCO_15205
      SD-OV version A.01.01 on HP-UX release 10.01, 10.10:   PHCO_15205
      SD-UX version B.10.20 on HP-UX release 10.20:        * PHCO_15206
      SD-OV version A.01.02 on HP-UX release 10.20:        * PHCO_15206
      HP-UX release 10.24:                                   PHCO_19120
      HP-UX release 11.00:                                 * PHCO_18183

      NOTE: There will be no patches for 10.00 nor 10.30.

      From http://ovweb.external.hp.com, retrieve the following:

      SDOV version A.01.02 for NT 3-4X:      SDOV_00005
      SDOV version A.01.00 sparcSUN 4.1:     SDOV_00006
      SDOV version A.01.00 sparcSOL 2.3:     SDOV_00007
      SDOV version A.01.00 sparcSOL 2.4:     SDOV_00008
      SDOV version A.01.00 sparcSOL 2.5:     SDOV_00009
      SDOV version A.01.00 AIX 3.2:          SDOV_00010
      SDOV version A.01.00 AIX 4.1:          SDOV_00011
      SDOV version A.01.00 AIX 4.2:          SDOV_00012
      SDOV version A.01.00 SNI5.42:          SDOV_00013

      NOTE: For HP OpenView IT/Administration (ITA) version 3.10 or lower, please apply the SD-OV patches to all the managed nodes AFTER the installation of the ITA agent.

      Older, obsolete versions of Software Distributor which are not listed above are vulnerable to this security problem. There are no patches available nor will any be created for these versions. If you are using one of these, you should upgrade to a newer version. These older versions may have been installed as standalone HP OpenView Software Distributor products, or as part of HP OpenView IT/Administration products.

      For SD-UX version A.02.01 and newer, do not apply this patch. This "just released" A.02.01 version does not have the security problem and customers **should not** attempt to apply a patch to this version. A.02.01 applies to HP-UX 11.00 & 10.20, to Solaris 2.5/2.6, and to AIX 4.2/4.3.

      For questions concerning SD-OV issues related to this bulletin #101, send e-mail to: SDOV@security.hp.com

   C.
To subscribe to automatically receive future NEW HP Security Bulletins from the HP Electronic Support Center via electronic mail, do the following:

      Use your browser to get to the HP Electronic Support Center page at:

         http://us-support.external.hp.com
            (for US, Canada, Asia-Pacific, & Latin-America)
         http://europe-support.external.hp.com
            (for Europe)

      Login with your user ID and password (or register for one). Remember to save the User ID assigned to you, and your password.

      Once you are in the Main Menu:

      To -subscribe- to future HP Security Bulletins, click on "Support Information Digests".

      To -review- bulletins already released from the main Menu, click on the "Search Technical Knowledge Database."

      Near the bottom of the next page, click on "Browse the HP Security Bulletin Archive".

      Once in the archive there is another link to our current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic.

      The security patch matrix is also available via anonymous ftp:

         us-ffs.external.hp.com
         ~ftp/export/patches/hp-ux_patch_matrix

   D. To report new security vulnerabilities, send email to

         security-alert@hp.com

      Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of ‘get key’ (no quotes) to security-alert@hp.com.

Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party.
________________________________________________________________________
-----End of Document ID: HPSBUX9907-101--------------------------------------

@HWA

78.0 NSA spying on Americans?
~~~~~~~~~~~~~~~~~~~~~~~~

Big Brother Is Listening
But Is He Breaking the Law When He Does It?

Some fear the United States’ biggest spy agency is using new technology to spy illegally on Americans. (Thomas Schmid/ABCNEWS.com)

By David Ruppe
ABCNEWS.com

N E W Y O R K, July 27 — Is Uncle Sam illicitly reading your e-mail? Listening in on your telephone calls? Scanning your faxes?

Some in Congress suspect advances in communications technology in recent years may have enabled America’s biggest, and most secret, spy agency, the National Security Agency, to greatly increase its eavesdropping powers at the expense of Americans’ privacy.

But they can’t be sure without a thorough congressional examination into the agency’s practices. And, they say, the NSA has not yet provided all the information requested by the House Select Intelligence Committee, which is looking into the question.

That the National Security Agency intercepts Americans’ missives is clear. Observers point to the agency’s practice of intercepting massive volumes of communications through spy satellites and by listening to commercial communications satellites, which inevitably draws in the communications of U.S. citizens for whom the agency has no court order.

“I have a problem with what the program appears to be doing, and that is, invading the privacy rights of American citizens without any reason, any court order, without any reasonable cause, without any probable cause, almost a dragnet invasion of privacy,” says Rep. Bob Barr, R-Ga., one of the NSA’s most outspoken critics.

Intercepting U.S. Communications

Government officials admit the NSA’s collection methods do draw in communications made by U.S. citizens.
“Read the statute, the executive order, the legislative history, and what you’ll find is the underlying assumption is that you can’t avoid collecting U.S.-person information incidentally if you are going to do foreign intelligence collection,” says an official familiar with the agency.

The NSA maintains that it follows the laws and procedures Congress approved in the 1970s and 1980s for analyzing, retaining and disseminating that information, which were designed to balance the agency’s needs for gathering information with citizens’ privacy rights as guaranteed by the Constitution’s Fourth Amendment.

According to classified procedures described by government officials, if the NSA incidentally obtains a communication made by or to a U.S. citizen or organization in the United States for which there is no warrant or court order, the NSA can keep the message but must remove the name of the citizen or company.

The law also includes an exception: The name of the person can be retained in the message, included in analysis, and disseminated within the government, the official familiar with the agency notes, if NSA officials judge it is “necessary to understand foreign intelligence information or assess its importance.”

“There are always judgments: ‘Is it necessary to understand the foreign intelligence requirements?’ And people have to make those difficult choices all of the time,” the official says. “All I can tell you is, [they] err on the side of caution.”

Limited Oversight

Still, critics say there is no way to be sure the NSA’s judgments consistently respect citizens’ rights unless the congressional committees responsible for overseeing those rights have full access to information on how the agency applies the laws.

The chairman of the House Select Intelligence Committee, Rep. Porter Goss, R-Fla., has asked for all legal opinions and guidance provided by the NSA’s legal office to the agency.
Such guidance, which is supplied to the NSA’s operations employees and other decision-makers, could show how the agency is applying the laws that restrict collection of information on Americans.

Goss has not asserted that the NSA’s collection activities are breaking the law. But he does seem concerned — like Barr — that the agency, through its interpretation of the laws, may be assuming greater powers “in light of the enormous technological advances that have been made in the past several years.”

The committee needs the information “to be sure the NSA General Counsel’s Office was interpreting NSA’s legal authorities correctly and that NSA was not being arbitrary and capricious in its execution of its mission,” he wrote.

The NSA’s General Counsel’s office has turned over some of the legal guidance, but it has declined to surrender all such communications, invoking, in a most unusual move, executive privilege.

Unreasonable Request?

The fact that the NSA is not turning over all of the requested information suggests Fourth Amendment rights against unreasonable searches and seizures may be in jeopardy, says Barr, a former CIA analyst who is not on the committee. “It certainly raises that suspicion and it doesn’t serve them well to do that.”

Barr’s suspicions seem to have found sympathy in the House, which amended its Intelligence Reauthorization bill with a provision by Barr that would require the NSA to make an annual report explaining its interpretation of the laws, including all materials showing its interpretation.

Intelligence Gathering Regulation in America

1789 to 1966: Electronic surveillance basically was not regulated.

1928: The Supreme Court rules in Olmstead vs. United States that a wiretap on a phone did not violate Fourth Amendment rights against search and seizure.
1934: Congress enacts the Federal Communications Act, which prohibited the interception of any communications and the divulgence of the contents of intercepted communications by federal agents without a court order or a warrant.

1966: The Supreme Court rules in Katz vs. United States that basically all forms of eavesdropping require a warrant or court order. It ruled the Fourth Amendment allows for the protection of a person, not just a person’s property, against illegal searches, so that whatever a citizen “seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.”

1968: Congress codifies the Katz decision. Establishes requirements for obtaining a warrant, including demonstrating probable cause to a court, and limits to warrants. Sec. 2511 of the statute says warrants still are not needed for foreign intelligence electronic surveillance and national security surveillance.

1972: Supreme Court rules in 1972 that domestic security cases are law enforcement cases, not foreign intelligence cases, and so require a warrant to target a U.S. citizen. If there is a connection to a foreign power or agent of a foreign power then no court order is needed.

1975-1976: Church and Pike Committee investigations, specially ordered by Congress, expose government electronic surveillance collection, processing, retention, and dissemination of information on U.S. citizens.

1976 & 1977: Senate, then House, creates Select Intelligence Committee for overseeing activities of the U.S. intelligence community.

1978: Congress passes Foreign Intelligence Surveillance Act, that regulates foreign intelligence electronic surveillance. It requires a special court order procedure to authorize electronic surveillance for intelligence purposes on targeted U.S. persons. Ensuing regulations, which are classified, set out procedures for handling foreign intelligence electronic surveillance.
The NSA’s position has been it has nothing to hide and has no problem fulfilling requests for specific information. But as of last Thursday, the agency continued to view the committee’s request for all legal opinions and discussions as unreasonable.

“[They] have no problem providing information on any subject,” says the government official familiar with the agency, who explained the NSA’s position. “But there has got to be some principle. The executive branch has to retain some information.”

Turning over all legal guidance to the committee, the official argued, would be an enormous task and might also discourage employees from seeking the legal office’s advice in the future.

‘Cloak of Secrecy’

Goss, in a May committee report, rejected such arguments out of hand, reminding the agency of its legal requirement to furnish “any information or material concerning intelligence” requested by the House and Senate intelligence committees.

The agency’s refusal to release information requested by the committee could “seriously hobble the legislative oversight process,” and would “result in the envelopment of the executive branch in a cloak of secrecy,” he wrote the chairman.

“Without access to such documents, Congress would be left only with the ‘spin’ the executive branch agency opted to provide to the legislative branch,” Goss wrote.

Barr concurs. “[NSA officials] are not the ones to tell the oversight folks what they can see,” he says. “If they can, then there is hollow oversight, and that’s arrogance.”

X-Files or Reality?

If you think suspicions of government eavesdropping on Americans sound more like the stuff of the TV show X-Files than reality, you only have to go back to the 1970s to be dissuaded. Congressional hearings then revealed the NSA had been engaging in serious abuses of U.S. citizens’ Fourth Amendment rights.
In short, the agency had been eavesdropping on hundreds of controversial American figures who had nothing to do with foreign intelligence, such as the Rev. Martin Luther King Jr., had delivered the intercepted information to other agencies, and had kept files on the figures. Following the hearings, Congress in 1978 passed the Foreign Intelligence Surveillance Act, restricting to a large extent the spy agency’s ability to collect information on Americans. The House and Senate Select Intelligence Committees were created to oversee the agencies. Few experts now believe the NSA could be doing anything so serious today. “If you ask me whether they are consciously ignoring all of those restrictions, my best guess would be no,” says Jeffrey Richelson, an intelligence analyst with the nongovernmental, nonprofit National Security Archive. “This is not the Vietnam War, this is not that period of time, and Nixon is not president.” James Bamford, author of the definitive book on the NSA, The Puzzle Palace, agrees. “I don’t think it’s as big a problem as some out there are pushing it,” he says. “On the other hand, it has been 25 years since there’s been a real hard-nosed congressional probe into intelligence, so they could probably get away with quite a bit at this point.” According to an official familiar with the NSA, in the 1970s the agency abandoned practices designed to get around the laws such as “reverse targeting.” Reverse targeting occurred when an NSA employee purposely conducted a search on an approved subject so that he could collect information on a person for whom there was no warrant. “To talk about what NSA used to do in the 1960s and 1970s, conclude that’s what [they’re] doing now … is just living in a dream world,” says the official. 
“That simply isn’t reality.”

@HWA

79.0 AOL messaging policy might risk cable deals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.news.com/News/Item/Textonly/0,25,39758,00.html

AOL messaging policy might risk cable deals
By Reuters
Special to CNET News.com
July 27, 1999, 3:25 a.m. PT
URL: http://www.news.com/News/Item/0,4,39758,00.html

America Online might back off efforts to block rival "instant messaging" services because the actions threaten to undermine its lobbying push to get access to high-speed cable Internet lines, public policy analysts said yesterday.

Over the past few days, engineers at the No. 1 online service worked diligently to thwart efforts by Microsoft and Yahoo to allow consumers using their messaging products to connect with AOL customers and accounts.

So-called instant messaging programs are used by tens of millions of Internet surfers to send and receive quick text messages that pop up immediately on the computer screens of their online pals. AOL is by far the market leader, with more than 80 million users of its two instant messaging products.

AOL executives offered a variety of explanations for their efforts to block competitors' access, including that Microsoft had put the security and privacy of their customers at risk--a charge Microsoft vehemently denied.

But analysts said that even if AOL was factually correct in some of its arguments, the moves would hurt the company's credibility on the cable open access issue where it is pushing to have exclusive deals banned.

Cable companies have required customers buying high-speed net access over cable lines to also buy Internet services like email and Web page hosting from them. The exclusive deals are unfair to other Internet service providers, AOL argues.

"Open is open," said Legg Mason Precursor Group analyst Scott Cleland, who has long predicted that AOL will ultimately prevail and gain access to cable high-speed Internet services.
"When you're denying consumers a choice of something, it looks bad in any case." Online analyst Gary Arlen, president of Arlen Communications, predicted AOL's position on cable access would ultimately trump its decision to close up its instant messaging product. Cable companies like AT&T "will use AOL's instant messaging position as a defense," Arlen said. "Cable open access is truly the much bigger, longer-term issue. I don't know how the IM deal is going to work but I think that one will get settled." In fact, AT&T general counsel Jim Cicconi did just as Arlen predicted, issuing a statement calling AOL's moves "hypocritical and antithetical to the very ethos of the Internet." Some of AOL's supporters on the cable issue noted that cable was a regulated monopoly running on public property, as opposed to AOL's development of a software product for the unregulated Internet. But few seemed eager to enter the instant messaging fray on the record. Until recently, each of the various instant messaging products was a separate and incompatible communications tool, allowing contact only with others using the same product. Microsoft last week introduced a product called MSN Messenger that promised communications with people using AOL's instant messenger as well. To make the feat possible, Microsoft's messenger software asked users for their AOL user name and password. The information was not sent to Microsoft but allowed the Microsoft software to log users into AOL's network. AOL then changed the way its network was set up so Microsoft users were blocked out. Microsoft responded with a quick fix and, after several rounds, Microsoft said late yesterday that its newest version was communicating with AOL users. "There's a right way and a wrong way," said AOL spokeswoman Ann Brackbill, defending her company's right to block MSN. "But without the right coordination and standards, the privacy and security of consumers is going to be at risk." 
AOL will support the development of a universal Internet standard for connecting all instant messaging software, Brackbill added. "The only issue here is how the industry will work together to overcome the technical obstacles to interconnecting the various IM systems," she said.

Microsoft product manager Deanna Sanford said AOL had in the past declined to support such an industry-wide effort underway at the Internet Engineering Task Force, a consensus-based standards writing body. "Ultimately, it would be great if we could all support some standards," Sanford said. "It would be great if AOL would."

Story Copyright © 1999 Reuters Limited. All rights reserved.

@HWA

80.0 Study calls for reserve virtual IT warfare unit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.fcw.com/pubs/fcw/1999/0726/fcw-newsreserve-07-26-99.html

JULY 26, 1999

Study calls for reserve virtual IT warfare unit

BY DANIEL VERTON (dan_verton@fcw.com)

A year-long study completed last week by a senior panel of Defense Department officials recommended an unprecedented expansion in the role the reserves play in national defense, including the formation of a virtual cyberdefense unit to protect the nation's critical infrastructure.

The study, Reserve Component Employment Study 2005, was initiated in April 1998 at the request of Defense Secretary William Cohen and concluded that the reserves are "particularly well-suited to homeland defense missions."

In addition, the study called for the formation of a "joint [reserve component] virtual information operations organization" and tasked various senior-level DOD organizations to complete a "proof of concept" study for creating the unit by June 30, 2000.

The new reserve cyberdefense unit "would consist of individuals with information technology skills who could perform their duties from dispersed locations rather than working as a single consolidated unit at a specific training center," the report said.
To accomplish their mission of protecting various critical infrastructure nodes, the unit would communicate from existing reserve centers and other DOD facilities across the country that have access to the Secret Internet Protocol Routing Network.

To form the new unit, the study recommended looking for reserve members in regions of the country where high concentrations of IT skill already exist. In addition, the study suggested that the reserves consider recruiting high-tech-savvy people from the civilian sector, requiring them to join the reserves for a specific number of years in exchange for high-tech training provided by DOD.

Establishing a "virtual organization" also would go a long way toward solving the department's problem of retaining personnel with critical IT skills and may allow DOD to reduce its reliance on external contractor support, the report said. "A 'virtual organization' [also] could support the Joint Task Force [for] Computer Network Defense," the report said. Cohen established the JTF-CND in December 1998 to monitor and take defensive actions against hackers and other unauthorized users who try to penetrate DOD networks.

Rick Forno, a security officer for Network Solutions Inc. and the former senior security analyst at the House of Representatives' Information Resources Security Office, said the report's recommendation to use the reserves for cyber defense "is a great idea" and represents one of DOD's more innovative initiatives. "I'm thrilled that DOD is looking to go outside the box on the Info-Protect/InfoCorps idea in the reserve components," said Forno, who proposed a similar idea to DOD a year ago. However, "it comes down to endorsement and support from senior leadership [whether or not] they let this organization function as intended," he said.

Anthony M. Valletta, vice president of C3I systems for SRA Federal Systems and former acting assistant secretary of Defense for command, control, communications and intelligence, said the concept of using the reserves in this manner is one that the intelligence community has proven works. "When we did this with the intelligence community, it worked extremely well," Valletta said. "We have a lot of expertise in the reserves that we need to take advantage of."

The main challenge facing the reserve cyberdefense corps idea, according to Valletta, is training and equipping the reserves to carry out the mission. "We have to keep up with the technology, and the reserves have to have the latest capabilities," Valletta said. "That is a major change of philosophy in terms of equipping the reserves."

However, the idea of establishing a JTF for Homeland Defense also is an idea that some groups, particularly civil liberties organizations, may question. "The main issue is the Posse Comitatus Act and the limits on military activity within the U.S.," said Mark Lowenthal, former deputy assistant secretary of State for intelligence and now a member of Valletta's C3I consulting team at SRA. "If it is limited to what are clearly DOD facilities, then there should be no problem," he said. "If it steps over that line, then there are some legal issues that have to be addressed."

Other recommendations contained in the report include using the reserves as part of a Joint Task Force headquarters for Homeland Defense, which would work with the Federal Emergency Management Agency and other civil authorities to coordinate responses to attacks involving nuclear, chemical and biological weapons, and increasing the use of smart card technology to reduce delays in processing reserve members for active-duty assignments.
@HWA

81.0 CERT IN-99-04: Similar Attacks Using Various RPC Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CERT® Incident Note IN-99-04

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Similar Attacks Using Various RPC Services

Thursday, July 22, 1999

Overview

We have recently received an increasing number of reports that intruders are using similar methods to compromise systems. We have seen intruders exploit three different RPC service vulnerabilities; however, similar artifacts have been found on compromised systems.

Vulnerabilities we have seen exploited as a part of these attacks include:

CA-99-08 - Buffer Overflow Vulnerability in rpc.cmsd
http://www.cert.org/advisories/CA-99-08-cmsd.html

CA-99-05 - Vulnerability in statd exposes vulnerability in automountd
http://www.cert.org/advisories/CA-99-05-statd-automountd.html

CA-98.11 - Vulnerability in ToolTalk RPC Service
http://www.cert.org/advisories/CA-98.11.tooltalk.html

Description

Recent reports involving these vulnerabilities have involved very similar intruder activity. The level of activity and the scope of the incidents suggests that intruders are using scripts to automate attacks. These attacks appear to attempt multiple exploitations but produce similar results.

We have received reports of the following types of activity associated with these attacks:

- Core files for rpc.ttdbserverd located in the root "/" directory, left by an exploitation attempt against rpc.ttdbserverd
- Files named callog.* located in the cmsd spool directory, left by an exploitation attempt against rpc.cmsd
- Exploitations that execute similar commands to create a privileged back door into a compromised host. Typically, a second instance of the inetd daemon is started using an intruder-supplied configuration file. The configuration file commonly contains an entry that provides the intruder a privileged back door into the compromised host.
The most common example we have seen looks like this:

    /bin/sh -c echo 'ingreslock stream tcp wait root /bin/sh -i' >> /tmp/bob;/usr/sbin/inetd -s /tmp/bob

If successfully installed and executed, this back door may be used by an intruder to gain privileged (e.g., root) access to a compromised host by connecting to the port associated with the ingreslock service, which is typically TCP port 1524. The file names and service names are arbitrary; they may be changed to create an inetd configuration file in a different location or a back door on a different port.

In many cases, scripts have been used to automate intruder exploitation of back doors installed on compromised hosts. This method has been used to install and execute various intruder tools and tool archives, initiate attacks on other hosts, and collect output from intruder tools such as packet sniffers.

One common set of intruder tools we have seen is included in an archive file called neet.tar, which includes several intruder tools:

- A packet sniffer named update or update.hme that produces an output file named output or output.hme
- A back door program named doc that is installed as a replacement to /usr/sbin/inetd. The back door is activated when a connection is received from a particular source port and a special string is provided. We have seen the source port of 53982 commonly used.
- A replacement ps program to hide intruder processes. We have seen a configuration file installed at /tmp/ps_data on compromised hosts.

Another common set of intruder tools we have seen is included in an archive file called leaf.tar, which includes several intruder tools:

- A replacement in.fingerd program with a back door for intruder access to the compromised host
- eggdrop, an IRC tool commonly installed on compromised hosts by intruders.
  In this activity, we've seen the binary installed as /usr/sbin/nfds
- Various files and scripts associated with eggdrop, many of which are installed in the directory /usr/lib/rel.so.1
- A replacement root crontab entry used to start eggdrop

It is possible that other tools and tool archives could be involved in similar activity. In some cases, we have seen intruder scripts remove or destroy system binaries and configuration files.

Solutions

If you believe a host has been compromised, we encourage you to disconnect the host from the network and review our steps for recovering from a root compromise:
http://www.cert.org/tech_tips/root_compromise.html

In many cases intruders have installed packet sniffers on compromised hosts and have used scripts to automate collection of the output logs. It may be the case that usernames and passwords used in network transactions with a compromised host, or on the same network segment as a compromised host, may have fallen into intruder hands and are no longer secure. We encourage you to address password security issues after any compromised hosts at your site have been secured.

You should also review the state of security on other hosts on your network. If usernames and passwords have been compromised, an intruder may be able to gain unauthorized access to other hosts on your network. Also, an intruder may be able to use trust relationships between hosts to gain unauthorized access from a compromised host. Our intruder detection checklist can help you to evaluate a host's state of security:
http://www.cert.org/tech_tips/intruder_detection_checklist.html

We encourage you to ensure that your hosts are current with security patches or work-arounds for well-known vulnerabilities.
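As an added example (not part of the CERT note or of this zine), the following Python script turns the indicators described in IN-99-04 above into a host check: it flags inetd configuration entries that hand a shell to a connecting client, inetd processes started with a configuration file outside /etc (the note's /usr/sbin/inetd -s /tmp/bob), and the tool artifacts the note names. The cmsd spool path /var/spool/calendar is an assumption (the note gives no path), and all sample inputs are constructed.

```python
"""Host check for the indicators in CERT IN-99-04 (added example, not CERT's
or the zine's own code). Sample inputs below are constructed."""
import fnmatch

# Shells that an inetd entry should never hand directly to a remote client.
SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh", "/sbin/sh",
          "/usr/bin/sh", "/usr/bin/csh", "/usr/bin/ksh"}

# File-system artifacts named in the incident note, as glob patterns.
# The cmsd spool directory location is an assumption; the note gives no path.
ARTIFACT_PATTERNS = [
    "/core",                          # core from an rpc.ttdbserverd exploit attempt
    "/var/spool/calendar/callog.*",   # callog.* from an rpc.cmsd exploit attempt
    "/tmp/ps_data",                   # config file of the trojaned ps (neet.tar)
    "/usr/sbin/nfds",                 # eggdrop binary (leaf.tar)
    "/usr/lib/rel.so.1/*",            # eggdrop support files (leaf.tar)
]


def parse_inetd_conf(text):
    """Parse classic inetd.conf lines:
    service socket_type proto wait|nowait user server_path [args...]"""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 6:
            continue
        entries.append({
            "service": fields[0],
            "user": fields[4].split(".")[0].split(":")[0],  # root.group / root:group
            "server": fields[5],
            "args": fields[6:],
        })
    return entries


def find_shell_backdoors(conf_text):
    """Return entries that give a connecting client a shell: the server program
    is a shell, or a root entry runs something from a world-writable temp dir."""
    hits = []
    for e in parse_inetd_conf(conf_text):
        is_shell = e["server"] in SHELLS
        from_tmp = e["user"] == "root" and e["server"].startswith(("/tmp/", "/var/tmp/"))
        if is_shell or from_tmp:
            hits.append(e)
    return hits


def find_rogue_inetd(ps_lines):
    """Flag inetd processes whose command line names a configuration file
    outside /etc, like the note's `/usr/sbin/inetd -s /tmp/bob`."""
    rogue = []
    for line in ps_lines:
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f.endswith("inetd")), None)
        if idx is None:
            continue
        for arg in fields[idx + 1:]:
            if arg.startswith("/") and not arg.startswith("/etc/"):
                rogue.append((fields[idx], arg))
    return rogue


def find_artifacts(paths):
    """Return (path, pattern) for every path matching an IN-99-04 artifact."""
    found = []
    for p in paths:
        for pat in ARTIFACT_PATTERNS:
            if fnmatch.fnmatchcase(p, pat):
                found.append((p, pat))
                break
    return found


# Constructed samples resembling what the note describes.
SAMPLE_CONF = """\
# constructed /tmp/bob as described in IN-99-04
ingreslock stream tcp wait root /bin/sh -i
telnet     stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
"""
SAMPLE_PS = [
    "root   142   1  0 09:12:03 ?  0:00 /usr/sbin/inetd -s",
    "root  2317   1  0 11:40:55 ?  0:00 /usr/sbin/inetd -s /tmp/bob",
]
SAMPLE_PATHS = ["/core", "/etc/passwd", "/tmp/ps_data",
                "/usr/lib/rel.so.1/eggdrop.conf"]

if __name__ == "__main__":
    for e in find_shell_backdoors(SAMPLE_CONF):
        print("inetd back door entry:", e["service"], e["server"], " ".join(e["args"]))
    for cmd, conf in find_rogue_inetd(SAMPLE_PS):
        print("inetd with non-standard config:", cmd, conf)
    for path, pat in find_artifacts(SAMPLE_PATHS):
        print("IN-99-04 artifact present:", path, "(pattern", pat + ")")
```

On a live host, feed it the real inetd configuration files, the output of ps, and a file listing; a trojaned ps (as in neet.tar) can hide the second inetd, so cross-check process output against a netstat listing of port 1524 or another tool.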
In particular, you may wish to review the following CERT advisories for suggested solutions:

CA-99-08 - Buffer Overflow Vulnerability in rpc.cmsd
http://www.cert.org/advisories/CA-99-08-cmsd.html

CA-99-05 - Vulnerability in statd exposes vulnerability in automountd
http://www.cert.org/advisories/CA-99-05-statd-automountd.html

CA-98.11 - Vulnerability in ToolTalk RPC Service
http://www.cert.org/advisories/CA-98.11.tooltalk.html

We also encourage you to regularly review security related patches released by your vendors.

This document is available from: http://www.cert.org/incident_notes/IN-99-04.html.

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/. To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

@HWA

!=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
 O      0      o      O      O      O      0
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-
END of main news articles content... read on for ads, humour, hacked websites etc
-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

HWA.hax0r.news AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*****************************************************************************
*                                                                           *
*  ATTRITION.ORG                         http://www.attrition.org           *
*  ATTRITION.ORG Advisory Archive, Hacked Page Mirror                       *
*  ATTRITION.ORG DoS Database, Crypto Archive                               *
*  ATTRITION.ORG Sarcasm, Rudeness, and More.                               *
*                                                                           *
*****************************************************************************

www.2600.com  www.freekevin.com  www.kevinmitnick.com
########################################
# Support 2600.com and the Free Kevin  #
# defense fund site, visit it now!  .  #
# FREE KEVIN!                          #
########################################
www.2600.com  www.freekevin.com  www.kevinmitnick.com

One of our sponsors, visit them now   www.csoft.net

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to         //
// hwa@press.usmc.net, put AD! in the subject header please.       - Ed     //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please!

.............

From: Tom Phoenix
Newsgroups: alt.humor.best-of-usenet
Subject: [comp.lang.pascal.delphi.databases] Re: Got Problems???
Date: 6 Nov 1996 07:01:42 GMT
Message-ID: <55pd4m$jvu@darkstar.ucsc.edu>
Originator: brian@cse.ucsc.edu

From: "Albert D. Cahalan"
Subject: Re: Got Problems???
Newsgroups: comp.lang.pascal.delphi.databases, comp.lang.pascal.delphi.misc

David Moles writes:
> Nathan Denny wrote:
>>
>> WHAT THE F**K!?!?!?
>>
>> Look at where that got posted! Like every development news group got
>> hit by that.
>>
>> Blam!
>>
>> Nate:SCHCATS!
>
> It's all over comp.sys, too.
Of course. They think all the computer hackers can't get a date.

Instant fix:      gcc date.c -o date
All the way:      gcc --entry
For orgasm:       gcc -O
Even better:      gcc -O2
Cruel:            gcc -Wall
For old hackers:  gcc -fno-strength-reduce
Transvestite:     gcc -Wconversion
With toy:         gcc -pipe
Man on top:       gcc -traditional
In restroom:      gcc -quiet
Explain how:      gcc --verbose
With drugs:       gcc --user-dependencies
Don't move:       gcc -static
At Microsoft:     gcc -shared
Side-by-side:     gcc --profile
Mouth first:      gcc --preprocess
Before drugs:     gcc --prefix
With disease:     gcc --no-warnings
With vibrator:    gcc --machine
Foreigner:        gcc --language
With chains:      gcc --force-link
With AIDS:        gcc --extra-warnings
Analism:          gcc --dump
Remove lice 1st:  gcc --debug
Talk about date:  gcc --comments
Take control:     gcc --assert

--
Moderators accept or reject articles based solely on the criteria posted in the Frequently Asked Questions. Article content is the responsibility of the submitter. Submit articles to ahbou-sub@acpub.duke.edu. To write to the moderators, send mail to ahbou-mod@acpub.duke.edu.

-=-

Humour in UNIX Man Pages

Here are some excerpts from UNIX (specifically solaris 2.5, but also some other OSes and some freeware packages) manpages and headerfiles. Probably a bit esoteric, so if you do not find the stuff funny, don't worry..... Some are actually not for laughing, but they make you cry or shout in anger.

man merge
     BUGS
          It normally does not make sense to merge binary files as if they were text, but merge tries to do it anyway.

man diff
     -h   Does a fast, half-hearted job. It works only when ...

man tar
     ... The directory portion of file (see dirname(1)) cannot exceed 155 characters. The file name portion (see basename(1)) cannot exceed 100 characters.

man csh
     NOTES
          Words can be no longer than 1024 characters.

[And by the way: THIS IS REALLY TRUE! Solaris2.4:
    (mege@iqe3)[~] setenv test `cat /usr/dict/words | head -1000`
    (mege@iqe3)[~] csh
    iqe3[mege] echo $test
    Bus error
cool, huh?
]

/usr/local/sys/time.h
    /*
     * gettimeofday() and settimeofday() were included in SVr4 due to their
     * common use in BSD based applications. They were to be included exactly
     * as in BSD, with two parameters. However, AT&T/USL noted that the second
     * parameter was unused and deleted it, thereby making a routine included
     * for compatibility, uncompatible.
     *
     * XSH4.2 (spec 1170) defines gettimeofday and settimeofday to have two
     * parameters.
     *
     * This has caused general disagreement in the application community as to
     * the syntax of these routines. Solaris defaults to the XSH4.2 definition.
     * The flag _SVID_GETTOD may be used to force the SVID version.
     */

man top
     BUGS
          Don't shoot me, but the default for -I has changed once again. So many people were confused by the fact that top wasn't showing them all the processes that I have decided to make the default behavior show idle processes, just like it did in version 2. But to appease folks who can't stand that behavior, I have added the ability to set "default" options in the environment variable TOP (see the OPTIONS section). Those who want the behavior that version 3.0 had need only set the environment variable TOP to "-I".

man ps
     pcpu   The ratio of CPU time used recently to CPU time available in the same period, expressed as a percentage. The meaning of ``recently'' in this context is unspecified. The CPU time available is determined in an unspecified manner.

man chat
     ... < snip > ...
     COPYRIGHT
          The chat program is in public domain. This is not the GNU public license. If it breaks then you get to keep both pieces.

man FvwmM4
     NAME
          FvwmM4 - the FVWM M4 pre-processor
     ...
     AUTHOR
          FvwmM4 is the result of a random bit mutation on a hard disk, presumably a result of a cosmic-ray or some such thing.

man ce_db_build
     ...
     BUGS
     ...
          Running ce_db_build on an empty ASCII file causes it to hang indefinitely as though it were in an infinite loop.
Comment: Compare the time to fix this bug to the time required to write this comment into the manpage....

cat /bin/clear

I really wonder how Microsoft sold this code to Sun Microsystems.....

    #!/usr/bin/sh
    #       Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T
    #         All Rights Reserved
    #       THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF AT&T
    #       The copyright notice above does not evidence any
    #       actual or intended publication of such source code.
    #ident  "@(#)clear.sh   1.7     93/04/07 SMI"   /* SVr4.0 1.3 */
    #       Copyright (c) 1987, 1988 Microsoft Corporation
    #         All Rights Reserved
    #       This Module contains Proprietary Information of Microsoft
    #       Corporation and should be treated as Confidential.
    #       clear the screen with terminfo.
    #       if an argument is given, print the clear string for that tty type
    tput ${1:+-T$1} clear 2> /dev/null

-=-

10 Answers when asked about a bug

- I don't think that this is really a bug
- It would be too hard to implement right
- Fixing this would need a change in the documentation
- It wouldn't work right anyway
- This bug is too hard to track down
- This bug doesn't really interfere with normal use of the program
- Well, how do you think it should work?
- Why not fix it later?
- No program can be absolutely bug-free
- We'll fix that on the next major redesign

-=-

http://wwwhost.cc.utexas.edu/computer/vcl/bkreviews/bkcmcntd.html

The Computer Contradictionary, Stan Kelly-Bootle
Review written by Robert M. Slade.

The only two computer dictionaries worth having are both from MIT Press: "The New Hacker's Dictionary" (cf. BKNHACKD.RVW), and this one. As news is something that someone, somewhere, wants hushed up, so the only computer terms of any importance are those that someone, somewhere, just made up. Everything else is the perverted verbiage of a marketing department.
Where "Hacker's" (or TNHD) studies and stores the language of the anarchic technical crowd, the Contradictionary deals with the jargon of those who work in DP,T, and IS--those who truly understand MISmanagement. It is not intended to be a reference work--Kelly-Bootle notes that the reader should determine the meaning of a word *before* looking it up in this book--but a work of humour. Like all the best humour, of course, it has strong points to make.

copyright Robert M. Slade, 1995   BKCMCNTD.RVW   950602

7 June 1999
Christine M. Henke, ACITS at UT Austin

@HWA

SITE.1 two sites this week
~~~~~~~~~~~~~~~~~~~~~~~~~~

#1 From #feed-the-goats

http://www.pure-security.net/

SiteOps: ox1dation and mosthated

Just check it out... recent face lift looks good, i've lifted some text warez from their archive for this issue. - Ed

#2 http://www.hack.gr/

SiteOp: ?

Straight from the site itself, check it out;

HACK.gr SERVER PROFILE

What is HACK.gr

HACK.gr is a greek Web Server, focusing its interest in security of computer systems and networks. It is working experimentally since November 1997 and is still (!) in pilot phase.

Who owns HACK.gr

The hack.gr domain and web server are owned and administered by Aris Koxaras, Helias Fotopoulos and Costas Christoyannis. They are all students of the Computer Engineering and Informatics Department, in the Engineering School of the University of Patras and are working as Unix system administrators in the Department.

Why HACK.gr - What hacker means

The term hacker, in computer terminology, is used for those who have a deeper knowledge of the details of programmable systems.
Jargon Dictionary uses the following meanings:

- One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming
- A person who is good at programming quickly
- An expert at a particular program, or one who frequently does work using it or on it

However, mainly due to the mass media, a negative meaning of the word hacker is used to describe one who makes bad use of his knowledge in order either to obtain access to unauthorised information or to cause damage. Jargon Dictionary notes:

- [deprecated] A malicious meddler who tries to discover sensitive information by poking around. The correct term for this sense is cracker.

This use of the word by mass media, for cases of software piracy, violation of intellectual rights, publishing of pornographic material and cause of damages in computer systems is totally incorrect.

Content of HACK.gr

HACK.gr already offers an online magazine (HACK.gr Gazette), hosts the web page of the Black Hole column of the .net magazine and news from the greek demo scene. It offers a meta search engine for the Greek cyberspace (MSE) and is working on mirroring of foreign web sites, indices of documents and web pages for easy access to information, fora creation etc. HACK.gr hosts pages of independent sources, whose content is managed by specific rules, but does not necessarily agree with the official thesis of HACK.gr.

Access to HACK.gr

HACK.gr does not offer shell access to people other than its administrators. It only offers the capability of uploading web pages and e-mail aliases to users whose pages are hosted in the site. The computer used is a Pentium with Linux Operating System, Apache Web Server and QMail e-mail server. Network access is offered by Groovy Net.

Friends and enemies

HACK.gr was accepted with positive comments by system administrators, journalists and many netsurfers.
Long before the transition from the initial idea to its realisation, HACK.gr owners were "urged" by big Internet Providers to come to a hosting agreement. Server hits turned out to be far more than expected, being more than 100,000 per month, though the server is still in pilot/experimental function. However, some people are trying to "hush" HACK.gr and obscure its image, attempting to charge it with causing problems. Having perfect cooperation with the involved Internet Providers, HACK.gr has repeatedly shown a responsible attitude and proved that it has nothing to do with those intrigues. HACK.gr has helped various sites in security matters and cooperated in various cases with "competitors", such as the Next Crawler meta search engine.

- eentity

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

From HNN rumours section http://www.hackernews.com/

see the archives section on HNN or attrition.org for copies of many of these sites in their defaced form.

July 27th

MUSICIANS HACKED
by BHZ, Tuesday 27th July 1999 on 11:50 pm CET

One last article for me. Keebler elves hacked a couple of musicians' web sites. Sites from the following artists had been hacked - Gipsy Kings, Jewel, Tricky Daddy, Sugar Ray, Stone Temple Pilots, Led Zeppelin and the official site of the 3 tenors. You can find mirrors of hacked sites on Attrition.

July 29th

From www.net-security.com

HIT2000 GETS DEFACED
by Thejian, Thursday 29th July 1999 on 10:00 pm CET

The dutch Hit2000 Con's Web site got hacked yesterday. An archive of the hack can be found here.
(Thanx to Pine Security Digest for the initial report)

http://members.xoom.com/_XOOM/testr12/index.html

http://www.attrition.org/

Latest cracked pages courtesy of attrition.org

More cracks... and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc.
The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondants and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Columbia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.

Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it.
@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]