[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                     <=-[ HWA.hax0r.news ]-=>                           =
==========================================================================
[=HWA'99=] Number 22 Volume 1 1999 June 26th 99
==========================================================================
[                 61:20:6B:69:64:20:63:6F:75:                            ]
[         6C:64:20:62:72:65:61:6B:20:74:68:69:73:                        ]
[               20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!                 ]
==========================================================================

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and
www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and
airportman for the Cubesoft bandwidth. Also shouts out to all our mirror
sites! tnx guys.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://packetstorm.harvard.edu/hwahaxornews/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
*                                                                         *
* Note:                                                                   *
*                                                                         *
* This issue covers events from June 6th thru June 26th so don't be too   *
* rough on me, I know this is a weekly production but I had to do 3 wks   *
* in only a few days so forgive some of the bad formatting.               *
*                                                                         *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look-see.

(remember I'm doing this for me, not you, the fact some people happen to
get a kick/use out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN nor
could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour of
love and will be continued for as long as I feel like it, I'm not motivated
by dollars or the illusion of fame, did you ever notice how the most
famous/infamous hackers are the ones that get caught? There's a lot to be
said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=

Welcome to HWA.hax0r.news ... #22

=-----------------------------------------------------------------------=

We could use some more people joining the channel, it's usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by and
idle a while and say hi...

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
***                                                             ***
*** please join to discuss or impart news on techno/phac scene  ***
*** stuff or just to hang out ... someone is usually around 24/7***
***                                                             ***
*** Note that the channel isn't there to entertain you it's for ***
*** you to talk to us and impart news, if you're looking for fun***
*** then do NOT join our channel try #weirdwigs or something... ***
***                                                             ***
*** we're not #chatzone or #hack                                ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=

Issue #22

=--------------------------------------------------------------------------=
                                [ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS ......................................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. SOURCES .........................................................
00.3 .. THIS IS WHO WE ARE ..............................................
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
00.5 .. THE HWA_FAQ V1.0 ................................................

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

01.0 .. GREETS ..........................................................
01.1 .. Last minute stuff, rumours, newsbytes ...........................
01.2 .. Mailbag .........................................................
02.0 .. From the Editor..................................................
03.0 .. AntiOnline crosses the line......................................
03.1 .. More Questions Raised about John Vranesevich and AntiOnline .....
04.0 .. The Difficulties of Reporting the Underground....................
05.0 .. Mitnick Demonstrations Deemed a Huge Success ....................
06.0 .. New Trojan/Virus, PrettyPark ....................................
06.1 .. The rampage continues ...........................................
07.0 .. Eight Arrested in California (Piracy)............................
08.0 .. 278 Internet Cafes Disciplined ..................................
09.0 .. Forbidden Knowledge Issue #5 ....................................
10.0 .. f41th Issue 6 ...................................................
11.0 .. Antidote Vol2 Issue 7 ...........................................
12.0 .. Will the Allies Drop CyberBombs on Milosevic? ...................
13.0 .. Melissa Suspect Still not Charged ...............................
14.0 ..*ToorCon '99 Security Expo --------- DATE CHANGED! -----------....
15.0 .. ISS Gets Free Advertising .......................................
16.0 .. Accounting Firms also get Free Advertising ......................
17.0 .. Analyzer Starts Computer Security Business ......................
18.0 .. $2.9Bil in Piracy in The US......................................
19.0 .. Congress and NSA tangle over Echelon.............................
20.0 .. Emutronix Phone Hacking Products releases new Mach emulator......
21.0 .. Is That Spelled With a "PH" or an "F" ...........................
22.0 .. The Demonizing of the Hacker ....................................
23.0 .. More Email Worms/Trojan .........................................
24.0 .. Stanford Searches for "Hacker" ..................................
25.0 .. Mitnick Demo Pictures now Available..............................
26.0 .. Does Cracking Affect Consumer Confidence? .......................
27.0 .. Worm.ExploreZip is Causing Massive Damage .......................
28.0 .. Don't Forget About BackDoor-G, it is Still Around ...............
29.0 .. MS Antitrust Trial Looks at Security ............................
30.0 .. Web Defacements Hindering Open Government .......................
31.0 .. Worm.ExploreZip Continues its Rampage ...........................
32.0 .. Senate web site hacked again(!)..................................
33.0 .. Mitnick Sentencing Hearing Rescheduled ..........................
34.0 .. Russia Looks to Beef Up its Version of Echelon...................
35.0 .. Company Claims CyberAttack by Competitor ........................
36.0 .. LA set to Allow Internet Voting .................................
37.0 .. CCC Camp Shapes Up ..............................................
38.0 .. Hong Kong Makes Major Piracy Bust ...............................
39.0 .. Ernst & Young Profile ...........................................
40.0 .. What is Your Privacy Worth? .....................................
41.0 .. BSA Tactics Condemned by UK .....................................
42.0 .. US Allows 128bit SSL Into Japan .................................
43.0 .. Terrorist About to Cause Electronic Chaos .......................
44.0 .. Major Remote Hole Found in IIS ..................................
45.0 .. Outlook Express 4.5 Email Bug ...................................
46.0 .. Major Pirates Convicted .........................................
47.0 .. Fear of Y2K Raises Security Concerns ............................
48.0 .. Israeli Banks Thwart Attempted Cyber Break-In ...................
49.0 .. Navy Wants Tighter Network Security .............................
50.0 .. IIS Hole Continues to Make News/Fix Available ...................
51.0 .. World Braces for International Day of Action ....................
52.0 .. ECD Targets Mexican Government ..................................
53.0 .. Cyber Attacks in Australia Double ...............................
54.0 .. SmartCards Next Stop for Internet Crime .........................
55.0 .. Internet Was Designed without Security ..........................
56.0 .. Original Apple I On the Auction Block ...........................
57.0 .. Microsoft Calls eEye Irresponsible ..............................
58.0 .. Has the FBI Overreacted? ........................................
59.0 .. Printer at Spa War Compromised ..................................
60.0 .. Popular Singapore Sites Defaced .................................
61.0 .. DOD Says its CRAP! (Mustn't be Scottish) ........................
62.0 .. DOE Still Unsecure ..............................................
63.0 .. Terrorists Use the Net ..........................................
64.0 .. Beat the CIA at their own game? - crypto sculpture cracking .....
65.0 .. Pirates of Silicon Valley .......................................
66.0 .. .mil hacker cartoon .............................................
67.0 .. If Software Breaks Who is Liable? ...............................
68.0 .. Trinux Release 0.61 .............................................
69.0 .. Australia Looks to Increase Local Police Powers .................
70.0 .. Aussie Gov Downloads Porn .......................................
71.0 .. Software Glitch or Security Breach ..............................
72.0 .. Viruses Cost Companies Big Dough ................................
73.0 .. B4B0 Issue 8 Released. ..........................................
74.0 .. f41th Issue 7 ...................................................
75.0 .. DOD Considers New Network .......................................
76.0 .. NCIS Calls For National Computer Crime Squad ....................
77.0 .. !Hispahack Found Not Guilty .....................................
78.0 .. asahi.com Defaced ...............................................
79.0 .. NSTAC Releases Reports ..........................................
80.0 .. FBI This Week ...................................................
81.0 .. Cartoon Hackers?? (From HNN rumours section) ....................
82.0 .. Nuke Labs Stand Down ............................................
83.0 .. X-Force Down Under is Hiring ....................................
84.0 .. More Canadian RedBoxing from HackCanada with the RIO ............
85.0 .. SecureMac is Now Open ...........................................
86.0 .. Microsoft Demands Privacy .......................................
87.0 .. Pentium III has 46 Bugs .........................................
88.0 .. 'War' Against FBI Continues .....................................
89.0 .. Singapore Officials Arrest Two ..................................
90.0 .. GSA Looking for IDS .............................................
91.0 ..+There's Money in them thar videos! (DEFCON WEBCAST) .............
92.0 .. Kasparov Defaced? ...............................................
93.0 .. Russ Cooper Interview ...........................................
94.0 .. Thanks-CGI Defaced With Its Own Script ..........................
95.0 .. *ToorCon Date Changes --------- DATE CHANGE! ----------..........
96.0 .. Gov Vulnerable Due to Lack of Training ..........................
97.0 .. Need skewled in juarez?: Teesside University Offers Degree in Warez
98.0 ..+FREE DefCon WebCasts ............................................
99.0 .. Old Modem Flaw Still Haunts Users ...............................
        (... some modem users may be disconnected at the end of this ezine ;)
100.0 .. Another government server cracked today .........................
101.0 .. MailMan.cookie attack ...........................................
102.0 .. misfrag.c nasty piece of code from P.A.T.C.H ....................
103.0 .. Double-byte code vulnerability, MS Security Bulletin ............
104.0 .. 50 Ways to defeat your IDS.......................................
105.0 .. 50 reasons IDS systems work by Ron Gula..........................
106.0 .. June 15th: Bruce Schneier's Cryptogram...........................
107.0 .. pop.c pop-2, remote exploit by smiler............................
108.0 .. afio: security hole in 'afio -P pgp' encrypted archives..........
109.0 .. C-Mail SMTP Server Remote Buffer Overflow Exploit................
110.0 .. CIAC Bulletin J-044: Tru64/Digital UNIX (dtlogin) Security Vulnerability
111.0 .. The IIS4 eEye security advisory and threads as mentioned previously
112.0 .. BO server flooder sends random spoofed udp's to the attacker......
113.0 .. frootcake.c revisited.............................................
114.0 .. gin.c spoofs packets containing + + + ATH0 which causes some modems
         to hang up
115.0 .. IIS Remote Exploit (injection code)...............................
116.0 .. ActiveX security revisited........................................
117.0 .. denial of service attack against NT PDC from Win95 workstation....
118.0 .. Microsoft win2k PASV vulnerability................................
119.0 .. useradd -p stores cleartext passwords / shadow-980724.............
120.0 .. UID 65536 and shadow-19990307 root compromise.....................
121.0 .. big brother in your cc(!) ........................................
122.0 .. TCP MD5 option problem (router DoS)...............................
123.0 .. tcpdump 3.4 bug? (DoS)...........................................
124.0 .. [ISN] A mouse that roars? ........................................
125.0 .. [ISN] Product Review: NOVaSTOR DataSAFE...........................
126.0 .. [ISN] Technology a threat to right of privacy Silicon Valley......

=--------------------------------------------------------------------------=

RUMOURS  .. Rumours from around and about, mainly HNN stuff (not hacked
            websites)

AD.S     .. Post your site ads or etc here, if you can offer something in
            return that's tres cool, if not we'll consider ur ad anyways so
            send it in. Ads for other zines are ok too btw just mention us
            in yours, please remember to include links and an email contact.
            Corporate ads will be considered also and if your company wishes
            to donate to or participate in the upcoming Canc0n99 event send
            in your suggestions and ads now... n.b. date and time may be
            pushed back, join the mailing list for up to date information.
            Current dates: Aug 19th-22nd Niagara Falls...

HA.HA    .. Humour and puzzles ............................................

            Hey You!.......................................................
            =------=.......................................................
            Send in humour for this section! I need a laugh and it's hard
            to find good stuff... ;)
SITE.1   .. Featured site, ................................................
H.W      .. Hacked Websites ...............................................
A.0      .. APPENDICES.....................................................
A.1      .. PHACVW linx and references.....................................

=--------------------------------------------------------------------------=

@HWA'99

00.0  (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF 'ME EITHERS' RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT NECESSARY
OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news
IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE
(C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so I'll print any and all news but will quote sources when the
source is known, if it's good enough for CNN it's good enough for me. And
I'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material. If
you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1  CONTACT INFORMATION AND MAIL DROP
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings, a subscription to your cool foreign
hacking zine or photos, small non-explosive packages or sensitive
information etc etc well, now you can. (w00t) please no more inflatable
sheep or plastic dog droppings, or fake vomit thanks.

Send all goodies to:

        HWA NEWS
        P.O BOX 44118
        370 MAIN ST. NORTH
        BRAMPTON, ONTARIO
        CANADA
        L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a
         mention in the zine, send in a postcard, I realize that some places
         it is cost prohibitive but if you have the time and money be a cool
         dude / gal and send a poor guy a postcard preferably one that has
         some scenery from your place of residence for my collection, I
         collect stamps too so you kill two birds with one stone by being
         cool and mailing in a postcard, return address not necessary, just
         a "hey guys being cool in Bahrain, take it easy" will do ... ;-)
         thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you)
  ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's, 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.
If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2  Sources ***
      ~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

News & I/O zine ................. http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) .....,............http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ ...............http://www.l0pht.com/
NewsTrolls .......................http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
                                  http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
                                  http://www.ottawacitizen.com/business/
                                  http://search.yahoo.com.sg/search/news_sg?p=hack
                                  http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
                                  http://www.zdnet.com/zdtv/cybercrime/
                                  http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.

http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/        Electronic Underground Affiliation
http://ech0.cjb.net               ech0 Security
http://axon.jccc.net/hir/         Hackers Information Report
http://net-security.org           Net Security
http://www.403-security.org       Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that
you don't care whether the article/email is to be used in an issue or not
and may be used at my discretion.

Looking for: Good news sites that are not already listed here OR on the
HNN affiliates page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it to
the drop box.

- Ed

Mailing List Subscription Info   (Far from complete)   Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~   ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq. I've
been archiving this list on the web since late 1993. It is searchable with
glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security
tools, documents, etc. But I will not tolerate any unnecessary or
nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are
responsible for the words that you post on this list and that reproduction
of those words without your permission in any medium outside the
distribution of this list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html.
Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He
is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                            ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my
way I'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3  THIS IS WHO WE ARE
      ~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
Qubik ............................: United Kingdom
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

And unofficially yet contributing too much to ignore ;)

Spikeman .........................: World media

Please send in your sites for inclusion here if you haven't already also if
you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will
be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen'            ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events it's a good idea to check out issue #1 at least and possibly
   also the Xmas issue for a good feel of what we're all about otherwise
   enjoy - Ed ...

@HWA

00.4  What's in a name? why HWA.hax0r.news??
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind if you ever find out I may have to
get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it is
laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?)
dewds' this is the state of affairs. It ain't Steven Levy's HACKERS
anymore. BTW to all you up and comers, I'd highly recommend you get that
book.
It's almost like buying a clue. Anyway..on with the show .. - Editorial
staff

@HWA

00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't
be reprinted unless changed in a big way with the exception of the
following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed
below: Some are very useful, others attempt to deny any possible attempts
at eschewing obfuscation by obscuring their actual definitions.

@HWA     - see EoA ;-)

!=       - Mathematical notation "is not equal to" or "does not equal"
           ASC(247) "wavey equals" sign means "almost equal" to. If written
           as =/= (equals sign with a slash thru it) also means !=, =< is
           Equal to or less than and => is equal to or greater than (etc,
           this ain't fucking grade school, cripes, don't believe I just
           typed all that..)

AAM      - Ask a minor (someone under age of adulthood, usually <16, <18 or
           <21)

AOL      - A great deal of people that got ripped off for net access by a
           huge clueless isp with sekurity that you can drive buses through,
           we're not talking Kung-Fu being none too good here, Buy-A-Kloo
           maybe at the least they could try leasing one??

*CC      - 1 - Credit Card (as in phraud)
           2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC      - Chaos Computer Club (Germany)

*CON     - Conference, a place hackers crackers and hax0rs among others go
           to swap ideas, get drunk, swap new mad inphoz, get drunk, swap
           gear, get drunk watch videos and seminars, get drunk, listen to
           speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular
               hacker speak he's the guy that breaks into systems and is
               often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip,
               I like jalapeno pepper dip or chives sour cream and onion,
               yum - Ed

Ebonics  - speaking like a rastafarian or hip dude of colour also wigger
           Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
           ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC      - End of Commentary

EoA      - End of Article or more commonly @HWA

EoF      - End of file

EoD      - End of diatribe (AOL'ers: look it up)

FUD      - Coined by Unknown and made famous by HNN - "Fear uncertainty and
           doubt", usually in general media articles not high brow articles
           such as ours or other HNN affiliates ;)

du0d     - a small furry animal that scurries over keyboards causing people
           to type weird crap on irc, hence when someone says something
           stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER  - Read Steven Levy's HACKERS for the true definition, then see
           HAX0R

*HAX0R   - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is
               difficult to define, I think it is best defined as pop
               culture's view on The Hacker ala movies such as well erhm
               "Hackers" and The Net etc... usually used by "real" hackers
               or crackers in a derogatory or slang humorous way, like
               'hax0r me some coffee?' or 'can you hax0r some bread on the
               way to the table please?'
           2 - A tool for cutting sheet metal.

HHN      - Maybe a bit confusing with HNN but we did spring to life around
           the same time too, HWA Hax0r News.... HHN is a part of HNN .. and
           HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN      - Hacker News Network and its affiliates
           http://www.hackernews.com/affiliates.html

J00      - "you"(as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin'way

*0WN3D   - You are cracked and owned by an elite entity see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same
           Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus,
           Warfare
           Alternates: H  - hacking, hacktivist
                       C  - Cracking
                       C  - Carding
                       V  - Virus
                       W  - Warfare
                       A  - Anarchy (explosives etc, Jolly Roger's Cookbook
                            etc)
                       P  - Phreaking, "telephone hacking" PHone fREAKs ...
                       CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your
           presence see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some
           manuals are pure shit but if the answer you seek is indeed in the
           manual then you should have RTFM you dumb ass.

TBC      - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA      - To Be Arranged/To Be Announced also 2ba

TFS      - Tough fucking shit.

*w00t    - 1 - Reserved for the uber ereet, no one can say this without
               severe repercussions from the underground masses. also
               "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both
               shit stirrers)

*wtf     - what the fuck

*ZEN     - The state you reach when you *think* you know everything (but
           really don't) usually shortly after reaching the ZEN like state
           something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-

01.0  Greets!?!?! yeah greets! w0w huh. - Ed
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like
to see more reader input, help me out here, what's good, what sucks etc,
not that I guarantee I'll take any notice mind you, but send in your
thoughts anyway.
* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Kevin Mitnick (watch yer back) Dicentra vexxation sAs72 Spikeman Astral p0lix Vexx g0at security Ken pr0xy Astral

and the #innerpulse crew (innerpulse is back!) and some inhabitants of #leetchans .... although I use the term 'leet loosely these days, ;)

kewl sites:

+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..."
- FProphet '99

+++ When was the last time you backed up your important data?

++ PacketStorm Security's site has MOVED, update your links to http://packetstorm.harvard.edu/

++ Spikeman's DoS site is no more, it has been removed from the Genocide2600 servers, there are no immediate plans to revive the site but Spike says he hasn't ruled out the possibility completely and has had an offer to host the site from another provider. Mucho thanks to Spikeman for directing his efforts to our cause of bringing you the news we want to read about in a timely manner ...
- Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

================================================================
Date: Sun, 13 Jun 1999 23:43:11 -0400
From: "Armageddon."
To: A-S subscribers
Subject: [a-s_mag] Important : A-S Meet-up date.

Hi,

There has been a change to the date of the A-S meet-up, as you probably read in A-S14 we said the date would be the 24th of July. This has had to be changed as it's been discovered that it's not actually going to clash with Compulsion as we planned. The new date is : 31st of July.

I'll be re-uploading A-S14 correcting this in the magazine to soften the blow of readers who have the wrong date. Those who contacted us via email will all be contacted with the new details and posts will go out on the news groups and in as many other magazines that we know have readers who planned to attend as we can possibly get to.
Sorry if this date change causes you problems, on the bright side however I can confirm that after the first A-S Meet-up we plan to hold one every month thereafter on the last Saturday of each month.

In A-S15 we'll publish literally ALL the details we can find that you might need to know for the meet-up, including a selection of venues for accommodation and all their contact details.

Cheers

-Armageddon
Editor of A-S Mag / HNC.
http://www.antisocial.cjb.net
http://www.hack-net.com

------------------------------------------------------------------------
Make the News Come to you! FREE email newsletters sent directly to your in-box USAToday, Forbes, Wired, and more. Sign-up NOW!
http://clickhere.egroups.com/click/316

eGroups.com home: http://www.egroups.com/group/a-s_mag
http://www.egroups.com - Simplifying group communications

@HWA

02.0 From the editor.
~~~~~~~~~~~~~~~~

#include <stdio.h>   /* for printf() */

int main(void)
{
    printf ("Read commented source!\n\n");

    /* Well several problems kept me from producing the newsletter for the last couple of
     * weeks so this is a 'make-up' release covering June 6th-26th 1999. Some areas may
     * have been glossed over in order to keep the issue down in size, we'll be back to
     * "normal" (whatever that is) next week... meanwhile have fun.
     *
     * Issue #22 June 6th-26th
     *
     * BTW The reason ZDNet articles are not reprinted here is because they are using some
     * funky method to defeat cutting and pasting of their text using framesets and shit if
     * anyone knows a way to grab the text (source doesn't work either for some sites) let
     * me know and i'll be most thankful... Cruci.
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net
complaints and all nastygrams and mailbombs can go to /dev/nul
nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.
@HWA

03.0 AntiOnline Crosses the Line
~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 7th 1999

From HNN http://www.hackernews.com/

contributed by whoever

After garnering intense media coverage (CNN, C|NET, WIRED, etc.) over his extremely early reporting of the MOD and gH attacks, John Vranesevich of AntiOnline has used that spotlight to further his own agenda. Now he has admitted to nurturing a hatred of hacking and the underground as a whole and at the same time aiding and abetting criminal acts, "Many times, I knew about these instances beforehand, and could have stopped them."

AntiOnline Statement

A Change In Our Mission
An AntiOnline Editorial
Friday, June 04 1999

    In the past, a hacker was an individual who literally had to spend years to learn the inner workings of computer technology, programming, and hardware. Only then could he begin to explore possible vulnerabilities, and develop, for himself, ways to exploit those vulnerabilities, and more importantly, ways to patch them. Throughout these years of learning, the hacker would develop a certain respect for the technology that he was studying, and a certain level of maturity would inherently develop as well. Now, in present day society, with point and click utilities abound, a younger, less mature, less knowledgeable, and less respectful, generation of "hackers" have come to life.

That's a quote from an editorial that I wrote in September of last year. Now, only 7 months later, we've seen things get even worse.

When I started AntiOnline 5 years ago, it was a way for me to share with others the fascinating things that I myself was learning. The wonders of technology, how it could be used as a tool, how it could be used as an incredible way to learn, meet new people, and indeed, make the world a smaller and more understanding place. Since then, AntiOnline has grown to levels I never dreamed possible. I'm fortunate enough to be working full time on the site, I have my own office, equipment, and T1 line.
The resources I have at my disposal are still small and modest, but I've come a long way from where I was a year ago, running AntiOnline out of my parents' living room.

Unfortunately, I've found myself looking in the mirror with disgust these past few months. Looking back, I've seen myself talking with people who have broken into hundreds of governmental servers, stolen sensitive data from military sites, broken into atomic research centers, and yes, people who have even attempted to sell data to individuals that presented themselves as being foreign terrorists. I've seen people change the medical records of individuals in our armed services, and delete the work of tens of thousands of people that resided on large ISPs. Many times, I knew about these instances beforehand, and could have stopped them.

I felt at the time, that I was serving a larger good by simply writing up information that I knew about these instances, and posting them on AntiOnline for the world to read about. I felt that the incidents would be learning experiences, and that they would help technology to evolve, even if it was only in some small way. To me, the important thing was not telling the world the "who", but the "why" and the "how". I tried to stand in an invisible realm between the hacker culture, and mainstream society. A realm which I now see does not exist.

Looking back, I see those years as being not beneficial to anyone but myself. Those years acted as an educational experience for me. A time for me to learn about the "mechanics of the gun", but more importantly, a time for me to learn about the "people that pull the trigger".

In the past 7 months, I have seen things go from bad to worse. Incidents are becoming more frequent and more serious. To some degree, things are in a state of anarchy. I now feel that I am in a position to help serve, even if in some very small way, the better good.
A little note to the Federal and Military Authorities that read this site:

I feel that I have been lax in my duties as a citizen to some degree. But, little known to the rest of the world, I have been working behind the scenes to change that. For the past few months, we've been working with an Air Force contractor to help them develop the "profile of a hacker". AntiOnline, as an organization, plans on taking that to an even higher level as the months progress. Several of you have already signed up for access to our knowledge base, including individuals from: The US Congress, The DISA, The Air Force, The Navy, and several police and computer forensics organizations. You will be given access information within the next week.

A note to these organizations as a whole. I know that often times my exact position and role has been confusing. Let it be confusing no more. I hope that over the next few months, the level of trust between my organization and yours can continue to grow, and I hope that AntiOnline becomes a valuable tool in the fight against "CyberCrime".

Now, a little note to the thousands of hackers that read this site:

You yell and scream about freedom of speech, yet you destroy sites which have information that disagree with your own opinions. You yell and scream about privacy, yet you install trojans into others' systems, and read their personal e-mail and files. You truly are hypocrites. All of these grand manifestos that you develop are little more than excuses that you make up to justify your actions to yourself. Actions which you know are wrong. Actions which do not serve anyone's interests but your own.

Let me just say, that you've had free rein over things this past year or so. I know that some of you are playing what you feel is a game. A game that you think you are winning. Some of you sit back and laugh at organizations like the FBI.
You make sure that you provide enough information to make it obvious who you are, yet are careful not to provide enough information to actually have it proven. I have been watching you these past 5 years. I know how you do the things you do, why you do the things you do, and I know who you are.

Yours In CyberSpace,

John Vranesevich
Founder, AntiOnline

As a side note, AntiOnline will be taking no press inquiries into this matter. Questions regarding this change in policy will not be answered by phone. Send all questions or comments to jp@antionline.com

-=-

A special report has now been released that details the close ties that John Vranesevich of AntiOnline has with the evil doers of the underground. This report claims that John Vranesevich actually paid individuals who later broke into web sites and then gave him 'exclusive' reports. This report is highly suggested reading for any journalist or reporter who has ever questioned Mr. Vranesevich about anything. It is also suggested that 'customers' of the AntiOnline Knowledge Base read this report and be familiar as to the type of person that is supplying this information. And finally any law enforcement officer who is investigating the whitehouse.gov or any other MOD cracks should absolutely read this report.

AntiOnline Crosses the Line
http://www.attrition.org/negation/special/
(Go here for full links and info)

AntiOnline crosses the Line
6.7.99

INTRO:

John Vranesevich is the founder of AntiOnline [www.antionline.com]. During the past five years, AO has grown from a five megabyte hobby web site, into a multi domain business venture with hundreds of thousands of dollars in venture capital. AntiOnline now claims to be the number one security resource on the Internet. Despite this growth and development, AntiOnline has been under continual fire from critics and friends alike. Serious questions have been raised about the methods of reporting, staff background, journalistic integrity and business practice.
Since AntiOnline has become a commercial entity (02-22-99), the site has released 67 pieces (some news articles, some 'specials'). Of these, 12 have been found to contain serious errata. So of the 'reporting' that AntiOnline has conducted, close to 20% has been inaccurate.

Recently, information has come to light that suggests a far more serious agenda exists at AntiOnline.

In the past, AntiOnline had two incidents that brought them into the spotlight, and put them on a journalistic pedestal so to speak. The first was centered around two teenagers in Cloverdale CA, and one adult in Israel that was known as "Analyzer". AntiOnline got the scoop that these three (and others) were responsible for compromising hundreds of military and government servers. Through repeated interviews and communication, AntiOnline managed to hype up these attacks which led to them being described as "the most organized and systematic attack the Pentagon has seen to date." A short while later, it was discovered that this threat was nothing more than a group of mostly teenagers breaking into low security machines. (1)

The second spotlight shone on AntiOnline after several exclusive stories and interviews with a group calling themselves "The Masters of Downloading". AntiOnline reported that the members of this group were responsible for compromising hundreds of "high security" Department of Defense computer systems, and stealing files they said were "obtained from the classified Defense Information System Network." Interviews between AntiOnline and the cracker said "I think international terrorist groups would be interested in the data we could gain access to.."

Media outlets such as ZDNet unknowingly drew comparisons in the two stories. ZDNet said in one article (2) "The alleged hack - which follows a highly publicized attack on Pentagon computers by an Israeli hacker known as the "Analyzer" and his associates -- would be a major escalation of "informational warfare" on government computers."
From all appearances, AntiOnline was single handedly responsible for a significant amount of the media sensationalism. Not only had AntiOnline driven the media hype behind the stories, they put various government and DOD organizations on full alert preparing for the fallout these attacks would cause.

New information coming to light suggests that AntiOnline had a more integral part in the generation of their news: that the typical journalist/contact relationship did not exist, and in fact, AntiOnline may have been responsible for creating some of the news to report on.

With these recent allegations coming to light, the ATTRITION staff and several associates set out to find out the details and foundations of the assertions.

OUR GOAL:

To prove Masters of Downloading (MOD, headed by a hacker named so1o) was paid by John Vranesevich/AntiOnline to hack www.senate.gov or another high profile site in order for AntiOnline to break major news. To further establish that AntiOnline employs active and potentially malicious hackers.

REQUIREMENT:

To prove this, we must first prove several points.

allegation                      evidence
----------                      --------
so1o is on Antionline payroll   proof.1 (Email)
so1o == Chris McNab             proof.2 (Email)
so1o is an MOD member           proof.3 (Comparison of MOD/CZ hacks)
                                proof.5 (IRC chat with so1o)
AO reported on it first         proof.4 (AntiOnline reports)

ADDITIONAL:

On June 3rd, 1999, John Vranesevich released an editorial titled "State of the Union". This piece calls into question the true relationship between Mr. Vranesevich and Chris McNab (a.k.a. so1o). The relevant text and concern it raises, coupled with the time of this editorial and subsequent information presents a more damning argument.

On June 4th, 1999, John Vranesevich released a more dramatic and disturbing editorial titled A Change in Our Mission. To most of his readers, this was no doubt surprising, but expected. For a smaller group of us, the timing of this article suggests much more.
On the afternoon of June 3rd, an individual questioned Mr. Vranesevich about his ties to so1o. When challenged, Vranesevich begins to deny his involvement with McNab. This denial comes after mail explicitly stating he WAS funding McNab, and after working with McNab on an AntiOnline "exclusive" on the MOD hacks. The following log and comments illustrate the denial and further back our goal.

CONCLUSION:

One would hope that high ethical standards are above the law and are in effect with ANY media outlet. It seems that isn't true. Not only has AntiOnline descended into the realm of unethical journalism and business practice, they have done it while thumbing their nose at the Internet. As if they can commit these practices with impunity, John Vranesevich taunts "Well, it would take a lot more than an act of congress to get AntiOnline shut down =) I could always ship the site off to England ;-) That's another good thing about the Internet. The laws of one land don't hold true in them all ;-)". This was written as a reply to one comment in the AntiOnline mailbag on 7-13-98.

As if this is not bad enough, Vranesevich has recently gone on to admit to some of his deeds. In a "change of mission statement" released on 6.4.99, he goes on to say "Many times, I knew about these instances beforehand, and could have stopped them."

The information presented above is more than adequate proof that John Vranesevich is funding an active hacker to break into high profile sites. The motivation for this is to increase the awareness and therefore the profitability of his web site AntiOnline. He pays people to break into sites in order to report on it as an 'exclusive'.

Folks.. 1 + 1 still = 2.

Direct comments or questions to: staff (staff@attrition.org)

* Any instance of [snip...] is strictly removing unrelated material. Anything relevant to our argument or anything that would affect our allegations was left. What we do is no different than what JP does to his 'mailbag'.
Except we leave in material that would possibly weaken our argument. His mailbag gets clipped to include only the material he wants to deal with.

* Permission from Bronc and Ken was given to include the email here.

@HWA

03.1 More Questions Raised about John Vranesevich and AntiOnline
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 7th

from HNN http://www.hackernews.com

contributed by Bronc Buster

The rhetoric continues. Did he or didn't he? John Vranesevich has posted a rebuttal to the original attrition.org report that claimed he funded crack attempts. The rebuttal is more of a personal attack than a response to the allegations. Wired Online and Telepolis have written articles that try to shed some light on the situation. Bronc Buster has written an open letter to John Vranesevich that asks some very pointed questions. Questions that I think everyone would like an answer to.

Attrition Report on John Vranesevich
http://www.attrition.org/negation/special/

John Vranesevich Rebuttal
http://www.antionline.com/cgi-bin/News?type=antionline&date=06-07-1999&story=brian.news

Wired Online
http://www.wired.com/news/news/culture/story/20062.html

Telepolis - German
http://www.heise.de/tp/deutsch/inhalt/te/2921/1.html

Open letter from Bronc Buster
http://www.hackernews.com/orig/broncjplet.html

The Wired article and JP and Bronc's letters follow:

Wired;

Hacker Pundits Squabble
by Polly Sprenger
12:15 p.m. 7.Jun.99.PDT

A Web site addressing computer hacking issues has accused a computer security pundit of paying individuals to break into Web servers in exchange for exclusive coverage of the stories that result.

John P. Vranesevich, editor of computer security magazine and resource center AntiOnline, denies the charges.

Vranesevich is well known in the hacking and cracking community. He is often called on by news media, including Wired News, to provide perspective on Web site break-ins, viruses, and other security issues.
A report by the group Attrition.org, released Monday, accuses Vranesevich of paying hackers to break into sites, thus guaranteeing him an exclusive on the stories.

"We've never paid for a story," Vranesevich said. "We don't even pay our reporters for stories. [The allegations] are flat-out libelous and there's no proof to it. It's an attempt to destroy, defame, and discredit me."

Vranesevich's detractors were already inflamed over his recent apparent shift in allegiance. On Friday, Vranesevich posted an editorial on his Web site that stated he was working with the Air Force and other government agencies to help track down crackers.

"A little note to the thousands of hackers that read this site," Vranesevich warned, "I have been watching you these past five years. I know how you do the things you do, why you do the things you do, and I know who you are."

His warnings have stirred the ire of attrition.org, led by Brian Martin (who goes by the name Jericho). Martin said he has been following Vranesevich's case for more than a year.

Martin based his claims on two emails that allegedly show Vranesevich had a business relationship with "So1o," the hacker accused of breaking into senate.gov last year. Vranesevich said the emails displayed on Martin's site "never existed."

Another chronicler of the computer security underground said that Vranesevich's reputation is less than pristine.

"He has made a lot of enemies over the years," said Space Rogue, editor of the Hacker News Network. "This particular accusation has been unproven for a while. It's been thought that this has been going on for some time, that he was paying people or was in league with them."

Space Rogue cited one particular revelation in Vranesevich's Friday statement. "Many times, I knew about these instances [site hacks] beforehand, and could have stopped them," Vranesevich wrote.

"That basically for me solidifies everything in the attrition report," Space Rogue said.
Vranesevich said that he has never been popular with the underground hacker culture because of what he's done to expose it.

"I often say that they hack a site first and make up a manifesto second," Vranesevich said.

He points to his press citations in recent weeks, which include mentions in The New York Times, ABC News, and CNN. He also said that government agencies such as NASA rely on him to provide data on hacker profiles.

But while Martin accuses Vranesevich of using his fame as a platform to prosperity, Vranesevich says he doesn't charge those agencies for access to data and will probably keep the information free of charge forever.

"I think my track record speaks for itself," Vranesevich said. "I'm proud of how I've accomplished and what I've accomplished."

JP's rebuttal;

AntiOnline Responds To Allegations
Monday, June 7, 1999 at 11:51:56
by John Vranesevich - Founder of AntiOnline

First off, for those of you that haven't read it, Brian Martin's Attrition website has today posted allegations that AntiOnline funded the Whitehouse.gov and Senate.gov hack so that we would have news to cover (However, I'm sure most of you have read it by now, because of organizations, and I use the term loosely, like the Hacker News Network).

Needless to say, when I went forward with the statement that AntiOnline was going to help in the fight against malicious hackers, I expected some backlash from the hacker community. A few dozen extra hack attempts a day, some synfloods. Maybe I'd find myself with a $10,000 phone bill. But, they've apparently chosen something far more creative.

First off, let me say this. Brian Martin (aka Cult_Hero) was raided by the FBI in connection with being a suspected member of the HFG (The group that hacked the New York Times), and Erik Ginorio (BroncBuster) is known, and admits, to breaking into dozens of sites (he calls himself a hacktivist).
The fact that these two could think, or at least think up, some grandiose scheme which involved AntiOnline bankrolling hackers, is not surprising. They have both lived their lives trying to break, and evade, the law.

For some reason, Brian Martin has become obsessed over AntiOnline. His website has dozens and dozens of pages of what he calls "errata" that he's written about it. He takes information posted on our site out of context, then criticizes us because of it. Many people have written in asking why we never posted any response to all of the allegations he has on his site about us. Personally, it's because I felt that I didn't need to justify myself, or my actions, to someone who is currently under FBI investigation, and who has never done anything for the security scene other than criticize others. I actually feel bad for him. The fact that he spends such a large portion of his life trying to "bring down" others using lies, deceit, and twistings of the truth, is sad in my eyes.

As for these allegations that I paid people to break into government sites so that I could write a story. Let me just say, that such claims are so far fetched and preposterous, I'm not even going to respond to them on a point by point basis.

It seems that almost all of the criticisms that I receive from people like Brian Martin revolve around money. He says in his "allegations" about AntiOnline that "During the past five years, AO has grown from a five megabyte hobby web site, into a multi domain business venture with hundreds of thousands of dollars in venture capital." Is that what he's so upset about? That I've made a ton of money? Well, let me put his mind at ease. The point in fact, is that I don't now, nor have I ever in my life, had a lot of money. Our venture funding wasn't in the amount of hundreds of thousands of dollars. I am not ashamed to say, and in fact, I'm very proud to say, that our original funding was in the amount of $75,000.
I am very proud of the levels I have taken AntiOnline to with very little resources, and a lot of hard work. On average, I put in 17 hour days working on the site and related matters. At the age of 20, I'm trying to build a lifelong career for myself. So, to people like Mr. Martin, let me just say that anything my site has accomplished has not, and truly couldn't have been, from me throwing money at it. It came from my love for what I do, and my willingness to put in the time it takes to accomplish my dream.

In a way, I take these allegations that have come against me as a sign that I'm on the right track with what I'm doing. If people like Brian Martin weren't yelling and screaming about me, I guess I'd take that as a sign that I'm off the beaten path. If people like Brian Martin didn't see me as a threat to them, they wouldn't be yelling. So, I'm going to view these recent allegations as a job well done letter from the malicious hackers of the world.

I have always lived my life in a way which I was proud of, and I will continue to do so. I will NOT allow people like Brian Martin and Erik Ginorio to cause me to constantly be taking some sort of sick defensive on my site (Which is probably what their intentions are). That's not its purpose. So, if they come out with some new allegation, like I have secret plans to assassinate the president with a herf gun or something, you won't find a response to them from me here. As a matter of fact, you won't find a response from me at all. I will let the work that I put forth, and the actions that I take in my daily life, be my response.
Yours In CyberSpace,

John Vranesevich
Founder, AntiOnline

Bronc's open letter;

An open letter to John Vranesevich (aka JP)
07 Jun 1999
from: Bronc Buster bronc@2600.com
subject: in regards to the allegations at http://www.attrition.org/negation/special

John Vranesevich (aka JP),

The staff of Attrition.org, a few other individuals, and I have been working over the last few weeks to piece together a complex web of clues. These clues were leading us to something we have suspected for a while; something that could tarnish the entire hacker community. What if someone, a reporter, was funding a known criminal to commit crimes so that they might have an inside scoop on the story? Not only would this be unethical, but illegal, and dangerous for us all.

Several people have been asking how Antionline.com (AO) has had such an inside scoop on breaking stories, before anyone else regarding big hacks that you have reported on. We have begun to make a theory, based upon facts as to how we think this is happening. Here are a few simple YES or NO questions regarding these allegations and their impact..

1) Because you had reported, in the past, the exclusive reports and interviews on how Masters of Downloading (MoD) had hacked(?) DISA and were alleged to have taken software off their server, it is obvious you knew who the person was who had committed this crime. His handle is so1o (aka Chris McNab). You have admitted to this openly. Knowing this, you then started funding a company run by Chris McNab to make some sort of security program. This you have also openly admitted to. Now Chris McNab, by your own admittance, committed the crime of breaking into several Government servers and ultimately defacing www.senate.gov.
If you were funding this person, and you knew he was a criminal, not only who has comitted crimes in the past you knew about, but had crimes, such as the senate.gov hack, planned out that you knew about before hand, and he then gave you an exclusive on the story because he was getting money from you (regardless if he still is), doesn't this, in your mind, equal a totaly unethical, not to mention illegal, way to get a story? 2) On your site, you openly admit to prior knowledge of crimes that were comitted that you may or may not have reported on. This is illegal. Do you think this fact, combined with the fact that you, in some fashion, were supplying a known criminal (Chris McNab) with money is an ethical way to run your site/business? 3) In your response to the revealed allegations againt you, you posted on your site, there was no link provided (to attrition.org) so that anyone interested, who may see this on your site but not know about the allegations, to see both sides of the story and come to their own conclusions. Attirtion.org posted many links to your site, so that people could see both sides. Sense you posted a response, don't you think it isn't fair to your readers, to at least let them judge for themselves this matter? 4) Do you think that by making personal attacks against the people behind these allegations, and against the sites that are covering it, that the serious issues raised have been answered or at least addressed? 5) Do you in any way feel obligated to provide any answers to: a) The people making these allegations? b) Your readers and supporters? c) The hacking/security community in general? 6) Last but not least. Do you think anything positive can be gained by the hacking community by your actions in these matters? I personally think that your response to the criminal charges against you was childish and immature at best, and this matter warrents a serious reply. Slinging mud, and voicing your opinion about people is no way to counter facts. 
These are felonies, and involve not only local, but federal laws. This is a serious matter, and like so many of the poor kids you cover who get busted, it appears you will not take it seriously until you too have been arrested and charged.

Bronc Buster
bronc@2600.com

June 9th, a statement from OSAll

Admissions
Mike Hudack
Editor-in-Chief

The same day that a Wired News article about the Attrition special report accusing AntiOnline of unethical and even criminal practices came out, I spoke with John Vranesevich on the phone. The Wired News article quoted Vranesevich (JP) specifically denying the existence of two e-mails which were used as evidence in the Attrition article. JP said the e-mails "never existed," according to Polly Sprenger, author of the Wired News article.

In my discussion with JP, however, he said "I was quoted out of context in those e-mails." I queried him further, asking him whether those e-mails really existed. He said "the e-mails existed but I was quoted totally out of context -- what I said was in jest." In a conversation hours later, however, he quickly backtracked, saying the e-mails were "manufactured, possibly from several e-mails." He said they were his words in the sense that "words taken from two pages in a book and made to look like a paragraph are the author's words. They're still manufactured."

This obvious contradiction between what I was being told the first time and what he had told Wired News wasn't the end of it, however. He went on to warn me not to "write articles against individuals or other sites. It doesn't help your relationship with the mainstream -- I learned that the hard way." This statement was obviously a warning not to say anything about our conversation.

He went on in his contradictions, however. In the Wired News article, JP is quoted as saying that the allegations against him are "flat-out libelous." In the telephone conversation, however, JP admitted that "the allegations weren't really libelous. If anything they were borderline." He did say, however, that it was up to his "lawyer as to whether to pursue legal action."

The clear dichotomy between his earlier statements to Wired News and his statements to me wasn't the most fascinating issue, however. What was much more fascinating, as Polly Sprenger said, was "why didn't he just say he was quoted out of context? That would have made a lot more sense."

Later, in an open letter to JP, Bronc Buster called JP's response to the allegations "childish" for attacking the individuals raising the allegations and not the allegations themselves. In his response, JP not once mentions that he was quoted out of context. Rather, he accuses Jericho and Modify (two authors of the allegations) of being subjects of an FBI investigation. He not once addresses the allegations being levelled against AntiOnline and himself.

OSAll carefully weighed whether to come forward with JP's statements, and has decided that it has an ethical obligation to do so. Any questions about this coverage, its fairness or OSAll's relationship with either Attrition.org or AntiOnline.com should be directed to the editor, who can be contacted at editor@aviary-mag.com or by phone at 203-335-7100.

@HWA

04.0 The Difficulties of Reporting the Underground
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 7th 1999
From HNN http://www.hackernews.com/
contributed by Space Rogue

In light of all the media attention that hackers have gotten over the last few weeks it is apparent that most reporters and journalists are having a difficult time in accurately reporting the computer underground. While no one is claiming that it is easy, HNN editor Space Rogue takes a look at some of the more common pitfalls in this new Buffer Overflow article.
Buffer Overflow
http://www.hackernews.com/orig/buffero.html

05.0 Mitnick Demonstrations Deemed a Huge Success
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 7th 1999
From HNN http://www.hackernews.com/
contributed by Freaky, phar, and Silicon Monk

Last Friday at 2pm in front of federal courthouses in over 16 cities, people who could no longer sit down while excessive punishment was dealt by an overreaching government gathered together to protest the large number of injustices perpetrated during the trial of Kevin Mitnick. At the demonstrations in Philadelphia a large paper mache Liberty Bell was displayed. Reba Mitnick, Kevin's grandmother, was present at her local demonstration. In New York a skywriter wrote FREE KEVIN over Central Park and in San Francisco low flying airplanes carried FREE KEVIN banners.

FREE KEVIN
http://www.freekevin.com
Mitnick Demonstrations - Pictures Here
http://www.2600.net/demo/
CNN
http://cnn.com/TECH/computing/9906/04/BC-INTERNET-HACKERS.reut/index.html
Wired
http://www.wired.com/news/news/politics/story/20053.html
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2270517,00.html
Salon
http://www.salon.com/tech/log/1999/06/04/mitnick/index.html

Wired;

Pro-Mitnick Demos in US, Russia
by Polly Sprenger
3:00 a.m. 5.Jun.99.PDT

In 15 American cities and Moscow, demonstrators staged protests Friday against the continued imprisonment of Kevin Mitnick, jailed after pleading guilty to seven counts of wire and computer fraud.

"Just don't call him a 'celebrity cracker,'" growled Macki, the Webmaster for 2600, the hacker group and magazine that organized the events.

Armed with yellow "Free Kevin" stickers and flyers describing Mitnick's case, Macki and nearly 20 other Mitnick supporters battled the miserable San Francisco wind to fight for the cause.

"We're getting the word out to the worldwide and national consciousness about [Mitnick's] sentencing," said Marc Powell, a pink-haired member of the local hacker collective New Hack City. Clad in an "I [Heart] Feds" T-shirt, Powell said that although his own cyber-tomfoolery has been strictly within the law, he sympathized with Mitnick's imprisonment.

As far as protests go, Mitnick's demonstration was relatively low-key. The attendees cheered as a low-flying airplane went by trailing a banner that said "Free Kevin Mitnick -- www.freekevin.com," but after seven or eight more passes, the enthusiasm waned.

Some in the group had followed Mitnick's plight from the beginning, but others were just there to be part of an anti-government staging. Robin, a self-proclaimed anarchist and network administrator with a partially shaved head and a plethora of piercings, said he was in attendance because it was a strike back at the government.

But others, like Perry McNulty, said Mitnick was a study in civil rights. "It's not just a hacker in jail," said McNulty, who has followed Mitnick's case for about a year. "A lot of civil rights have been violated. It could happen to any one of us."

Salon

Kevin Mitnick supporters plan rallies
- - - - - - - - - - - -
BY KAITLIN QUISTGAARD | June 4, 1999

Since his 1995 arrest for wire and computer fraud, famed hacker Kevin Mitnick has been behind bars. In March a judge sentenced him to a 46-month prison term after he pleaded guilty to a handful of the 25 charges filed against him. But on Friday, demonstrators in 15 U.S. cities and Moscow plan to protest what they see as the unjust treatment of Mitnick and ask for his parole to a halfway house.

"The guy's been in there for something like four years and four months," says Emmanuel Goldstein, editor of "2600: the Hacker Quarterly." (Actually, 2600's Kevin Mitnick Lockdown Clock put it at exactly 4 years, 3 months, 16 days, 11 hours, 19 minutes and 41 seconds at that moment, but who's counting?) It's a heavy sentence for just looking at other people's software, says Goldstein: "The federal government is using him to send a message."

"Even if Kevin were guilty of everything he was charged with," the 2600 site says, "the fact remains that there was no documented damage, no evidence of malicious activity, and nothing to suggest that Mitnick profited in any way by reading the software he is accused of accessing." The journal says it has uncovered letters showing that companies like Sun Microsystems and Nokia have claimed a combined total of $300 million in damages resulting from Mitnick's hacks. "This is a case of corporate vengeance, aided and abetted by a federal government seeking to intimidate hackers," the 2600 site argues. "We think Kevin Mitnick's suffering has gone on way too long."

2600 is encouraging demonstrators to meet at federal courthouses across the country and the U.S. Embassy in Moscow. The protest will coincide with the monthly 2600 meeting, which brings hackers together in various cities on the first Friday of the month. ("That way the people who spy on us have to spread themselves thin," says Goldstein, explaining the same-time, multiple-locations approach.)

On June 14 a judge will formally sentence Mitnick and determine the damages he owes. The hacker group hopes to influence the court to go lightly on Mitnick. "The judge has the opportunity to sentence him to a halfway house," says Goldstein, "which is a whole lot better than a prison with murderers and rapists."

salon.com | June 4, 1999
- - - - - - - - - - - -
About the writer
Kaitlin Quistgaard is an associate editor for Salon Technology.

@HWA

06.0 New Trojan/Virus, PrettyPark
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 7th 1999
From HNN http://www.hackernews.com/
contributed by nvirB

A new virus/trojan, PrettyPark, arrives as an email attachment and then resends itself to users listed in the Windows address book; it may possibly repeat this as often as every 30 seconds. It also attempts to log into IRC channels to deposit information. Opinions vary as to the threat level of this new virus. At last report it had only been seen in France.
MSNBC
http://www.msnbc.com/news/276805.asp
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2270411,00.html

MSNBC

PrettyPark: Part worm, part Trojan
Anti-virus companies unearth worm/Trojan that reportedly e-mails PC's Windows Address Book every 30 seconds
By Joel Deane and Michael Fitzgerald
ZDNN

June 4 — Anti-virus companies said Friday that W32/PrettyPark, a new e-mail worm program with Trojan horse characteristics, poses a potentially high risk to Internet users on Windows-based systems.

Although assessments of PrettyPark's capabilities vary, and damage reports are sketchy, anti-virus firms advised Friday that users update their anti-virus programs to guard against the worm/Trojan, which was discovered as early as May 12.

Anti-virus company Panda Software said PrettyPark, which is also known as Pretty Worm, reaches users' computers as an attached file in an e-mail message, just like the Melissa virus. Once executed, PrettyPark installs itself in the infected system, then sends messages with an attached copy of itself to addresses listed in the Windows Address Book.

Panda said PrettyPark attempts to connect to an Internet relay chat server from a list of 13 possible servers, then send a message to a chat user — enabling the author of the virus to gather data on and monitor affected workstations. PrettyPark can then be manipulated as a Trojan horse, Panda said, to obtain data such as the list of available disks and confidential information such as logins and Internet connection passwords.

Panda Software U.S. executive director Pedro Bustamante said Friday his company had replicated the "potentially high risk" worm/Trojan in its European anti-virus lab. "It could potentially be very high risk," Bustamante said. "The interesting thing about this new Trojan is that, unlike Melissa, it doesn't send itself once; it sends itself every 30 seconds."

Trend/Micro, Symantec and Network Associates reported Friday that they have been unable to duplicate PrettyPark. In a virus alert, Network Associates said PrettyPark was low risk.

Trend/Micro director of technology Dan Schrader said the anti-virus company's customers reported PrettyPark's auto-spamming, but "can't confirm the auto-spamming function."

"We've seen 40 incidents in the last 48 hours. All the incidents so far have been in France," said Schrader, adding that PrettyPark was similar to the notorious Happy 99 executable that struck earlier this year.

Schrader said PrettyPark has the potential to spread widely — if it can in fact automatically send itself to everyone in a user's address book. But, because Trend/Micro has been unable to replicate this auto-spam capability, and because it so far seems to be centered in France, Trend/Micro suspects that someone may have spread it by hand.

Symantec, Trend/Micro, Panda and Network Solutions have all posted anti-virus updates to cover PrettyPark.

Luke Reiter of CyberCrime contributed to this report.

@HWA

06.1 The rampage continues
     ~~~~~~~~~~~~~~~~~~~~~

June 8th 1999
From HNN http://www.hackernews.com/

PrettyPark Continues its Rampage
contributed by nvirb

PrettyPark, the latest virus/trojan/worm, is quickly spreading around the world. The virus arrives as an email attachment. Then, after it is executed, it hides behind a screen saver to mail out copies of itself and to connect to an IRC channel. In a quote given to MSNBC, Steve Trilling of Symantec said, "This virus took months to write, and its creator put a great deal of effort into it."

MSNBC

PrettyPark hits Windows users hard
Victims of e-mail virus increase 2,000 percent over the weekend, Symantec reports
By Shauna Sampson, ZDTV
ZDNN

June 7 — PrettyPark, a French e-mail virus, got a tremendous boost from home PC users this weekend. Anti-virus software maker Symantec said it has observed an increase of 2,000 percent in apparent victims since Friday.

These victims of the virus, which is being described as a worm with Trojan capabilities, are likely Microsoft Windows users who are being sent to a custom Internet relay chat channel without their knowledge. Once there, victims' personal data — ranging from e-mail address book lists, operating system preferences and registration numbers, passwords, and form data (including stored credit card information) — can be potentially retrieved from the victim's PC without their knowledge by the virus writer.

PrettyPark is the first known worm with Trojan capabilities and its very own custom IRC channel. "This virus took months to write, and its creator put a great deal of effort into it," says Steve Trilling of Symantec.

Consumers are being hit harder by the virus because they are less likely to update their anti-virus software than large companies or businesses and are more likely to open and run executables sent by what appears to be family or friends.

The virus is spread when PC users open an attached e-mail program file named "PrettyPark.EXE". When executed, it may display the Windows 3D pipe screen saver while it creates and sends duplicate files of itself to e-mail addresses listed in the user's Internet address book. PrettyPark will run this routine every 30 seconds, without the user's knowledge. It will also connect to the custom IRC channel while the PC owner is on the Internet or reading e-mail while connected to a remote server.

So far only Windows-based systems seem to be vulnerable; the virus is definitely spreading and anti-virus software manufacturers are expecting to see more victims in the IRC chat rooms.

In order to protect themselves from PrettyPark and other viruses, PC users should update their anti-virus software and avoid opening e-mail attachments.
Researchers are trying to determine if other e-mail programs, such as Eudora and Lotus Notes, are vulnerable; presently the Mac and Linux operating systems do not seem to be affected.

In a related story C|Net takes a look at the technology behind the Anti-Virus products available today.

C|Net
http://www.news.com/News/Item/0,4,37458,00.html

Battling the unknown virus
By Tim Clark
Staff Writer, CNET News.com
June 7, 1999, 1:35 p.m. PT

Antivirus software makers are recycling some old tricks to combat computer viruses proliferating over the Internet.

The technique, called "heuristics," checks for suspicious commands within software code to detect potential viruses. Heuristic techniques can detect new viruses never seen before, so they can keep malicious code from spreading. An older method, called signature-scanning, uses specific pieces of code to identify viruses.

Both methods have downsides. Heuristic techniques can trigger false alarms that flag virus-free code as suspicious. Signature-scanning requires that a user be infected by a virus before an antivirus researcher can create a patch--and the virus can spread in the meantime. Most antivirus vendors use both techniques.

"It's time for the industry as a whole to look at different approaches," said Roger Thompson, technical director of malicious code research at ICSA, a for-profit trade group for computer security vendors. "The time-honored method of signature scanning is a little worn and weary given new viruses coming out."

Aladdin Knowledge Systems, which just added heuristics-based technology to its line of antivirus technology, claims it can snare 85 percent of the new viruses without many false alarms. The recent Melissa virus showed that heuristics are not foolproof, as some viruses slip through the antivirus screen and must be fought with the traditional methods.

Melissa was a macro virus that spread quickly because it self-replicated, sending email from the infected machine to recipients in that user's address book. Melissa illustrates why macro viruses worry antivirus researchers.

"Melissa was trivial technically and important strategically," said ICSA's Thompson, mainly because it demonstrated the kinds of disruptions a computer virus can cause, he said.

"Macro viruses are easy to create and easy to modify," said Carey Nachenberg, chief researcher at Symantec's antivirus research center. To combat viruses like Melissa, heuristics are a must, he said.

Macros are a simple programming language used to build templates in Lotus Notes or Microsoft Excel. Because of their simplicity, they can be used to create macro viruses, said Chris Christiansen, security analyst at International Data Corporation. "There are rumored to be numerous automated applications that automatically generate macro viruses," said Christiansen, saying they are available on Web sites used by malicious hackers. "An unsophisticated user could write a macro virus or take a corporate macro and corrupt it, then replace a legitimate macro."

Today antivirus researchers are closely watching another virus -- the Pretty Park virus, which is currently circulating in France -- that posts passwords and other identifying data to Internet chat sites. So far, it's a low level alert because its self-replicating function apparently doesn't work.

Overall, a higher percentage of macro viruses could be caught, said Aladdin chief technology officer Shimon Gruper, at the cost of more false alarms.

"Not everything gets caught, so you still need a rule to catch it," said Susan Orbuch, spokeswoman for Trend Micro. "When there was a lot of fear about Melissa variants, we quickly put together some heuristics to combat it."
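As an added example (not code from the zine, C|Net or any AV vendor), here is a toy Python scanner that contrasts the two methods the article describes: a signature scan that matches an exact string lifted from a known sample, and a heuristic scan that scores "suspicious commands" and flags anything over a threshold. The VBA samples, the signature string, the rule weights and the threshold are all constructed for this illustration; they show the trade-off the article names, a renamed variant slipping past the signature but not the heuristics, and a legitimate macro tripping the heuristics as a false alarm.

```python
"""Signature scanning vs. heuristics on constructed macro samples."""
import re
from typing import Dict, List, Tuple

# Constructed samples (not real malware): a Melissa-style mass-mailer, a
# variant with renamed identifiers, a harmless formatting macro, and a
# legitimate "mail this document to one person" macro.
MASS_MAILER = """
Sub Document_Open()
  Set ol = CreateObject("Outlook.Application")
  Set ns = ol.GetNameSpace("MAPI")
  For Each c In ns.AddressLists(1).AddressEntries
    Set m = ol.CreateItem(0)
    m.To = c.Address
    m.Attachments.Add ActiveDocument.FullName
    m.Send
  Next
End Sub
"""
RENAMED_VARIANT = """
Sub AutoOpen()
  Set app = CreateObject("Outlook.Application")
  Set ns = app.GetNameSpace("MAPI")
  For Each entry In ns.AddressLists(1).AddressEntries
    Set msg = app.CreateItem(0)
    msg.To = entry.Address
    msg.Attachments.Add ActiveDocument.FullName
    msg.Send
  Next
End Sub
"""
BENIGN_FORMATTER = """
Sub AutoOpen()
  ActiveDocument.Range.Font.Name = "Arial"
  ActiveDocument.Range.Font.Size = 11
End Sub
"""
BENIGN_SEND_TO_BOSS = """
Sub AutoOpen()
  Set app = CreateObject("Outlook.Application")
  Set note = app.CreateItem(0)
  note.To = "manager@example.com"
  note.Attachments.Add ActiveDocument.FullName
  note.Send
End Sub
"""

# Signature scanning: an exact fragment taken from the known sample.
# (Constructed signature name and string, not a vendor definition.)
SIGNATURES: Dict[str, str] = {
    "Constructed.MassMailer.A": "m.Attachments.Add ActiveDocument.FullName",
}

# Heuristics: generic suspicious behaviours, each with a weight.
HEURISTIC_RULES: List[Tuple[str, int, str]] = [
    (r"Sub\s+(Document_Open|AutoOpen|AutoExec)\b", 1, "runs when the document opens"),
    (r'CreateObject\("Outlook\.Application"\)', 2, "drives the mail client from a macro"),
    (r"\.AddressLists\(", 3, "walks the address book"),
    (r"Attachments\.Add\s+ActiveDocument\.FullName", 3, "attaches the current document"),
    (r"\.Send\b", 2, "sends mail without user interaction"),
]
THRESHOLD = 6  # constructed cut-off; raising it trades false alarms for misses


def signature_scan(text: str) -> List[str]:
    """Return the names of every known signature found verbatim in text."""
    return [name for name, fragment in SIGNATURES.items() if fragment in text]


def heuristic_scan(text: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) from the weighted behaviour rules."""
    score, reasons = 0, []
    for pattern, weight, why in HEURISTIC_RULES:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            reasons.append(why)
    return score, reasons


def scan(text: str) -> Dict[str, object]:
    """Combine both methods the way the article says most vendors do."""
    hits = signature_scan(text)
    score, reasons = heuristic_scan(text)
    if hits:
        verdict = "known"          # exact match: no doubt, no false alarm
    elif score >= THRESHOLD:
        verdict = "suspicious"     # never seen before, but behaves badly
    else:
        verdict = "clean"
    return {"signature_hits": hits, "heuristic_score": score,
            "heuristic_reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    samples = {"mass mailer": MASS_MAILER, "renamed variant": RENAMED_VARIANT,
               "formatter": BENIGN_FORMATTER, "send to boss": BENIGN_SEND_TO_BOSS}
    for label, body in samples.items():
        r = scan(body)
        print(f"{label:16} sig={r['signature_hits']} score={r['heuristic_score']:2} -> {r['verdict']}")
```

The renamed variant scores the same 11 as the original while the signature misses it, and the one-recipient macro scores 8 and is flagged despite being harmless, which is exactly the false-alarm cost the article attributes to heuristics.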
@HWA

07.0 Eight Arrested in California
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 7th 1999
From HNN http://www.hackernews.com/
contributed by st1p3r

15,000 mass produced pirated copies of Microsoft applications were confiscated and eight people were arrested during a raid in Southern California last Thursday. They have been indicted on 45 counts of counterfeiting, conspiracy and money laundering.

Nando Times
http://www.techserver.com/story/body/0,1634,56660-90472-643309-0,00.html

Microsoft program counterfeiters arrested

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

LOS ANGELES (June 5, 1999 5:12 p.m. EDT http://www.nandotimes.com) - Eight people have been arrested in a counterfeiting scheme that police said churned out 15,000 phony copies of Microsoft computer programs every month.

The Southern California residents were arrested Thursday, a day after being indicted on 45 counts of counterfeiting, conspiracy and money laundering. All are expected to enter pleas Monday.

Five other people also were named in the federal grand jury indictment, including three who were arrested in February and freed on bond, the U.S. attorney's office said Friday.

The ring pressed counterfeit CD-ROM disks of Windows 98 and other popular programs, printed bogus "certificates of authenticity" and then packaged and sold the disks overseas, authorities contend.

Authorities in February raided several warehouses and seized a room-sized CD-ROM replicator. Also seized were color printing presses, packaging machines and other counterfeit items that Microsoft officials estimated were worth about $56 million on the retail market.

@HWA

08.0 278 Internet Cafes Disciplined
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 7th 1999
From HNN http://www.hackernews.com/
contributed by Anonymous

Public Action Number One has been launched jointly by Shanghai, China's police force along with commercial, telecommunications and education authorities to standardize the city's public Internet cafes. Only 350 of the city's estimated 2000 internet cafes are authorized to do business. The crackdown has resulted in fines and warnings for many establishments that do not control users' forays into cyberspace.

Nando Times
http://www.techserver.com/noframes/story/0,2294,56247-89863-639407-0,00.html

Shanghai tightens hold on Internet cafes

Copyright © 1999 Nando Media
Copyright © 1999 Reuters News Service

SHANGHAI (June 4, 1999 12:11 p.m. EDT http://www.nandotimes.com) - Chinese boomtown Shanghai has disciplined 278 unregistered Internet cafes in a crackdown on uncontrolled forays into cyberspace, the official Liberation Daily reported on Friday.

The move was aimed at "standardizing the city's public Internet cafes" where customers can sip coffee and surf "the Net," the newspaper said.

A city government official said some of the unregistered cafes would be fined while others would be given a warning.

The crackdown, described as "Public Action Number One," was launched jointly by the city's police and commercial, telecommunications and education authorities.

Shanghai now has more than 2,000 Internet cafes but only 1,500 of them have applied to register and only 350 are authorized, the newspaper said.

Local authorities have tightened control of information vendors around the 10th anniversary of the Beijing crackdown on dissent on June 3-4, 1989, when the army shot its way into Tiananmen Square to end seven weeks of pro-democracy protests.

Late last month, Shanghai ordered local paging stations and computer information vendors to stop disseminating political news temporarily, including news downloaded from the Internet.

China has seen explosive growth in the use of the Internet in recent years but the government has also viewed it as a potential threat to its authority. There are now an estimated two million Internet users in China and some experts predict the number of Web surfers could top 10 million by next year.
@HWA

09.0 Forbidden Knowledge Issue #5
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 7th 1999
From HNN http://www.hackernews.com/
contributed by Anonymous

Issue Five of the increasingly improving Forbidden Knowledge e-zine has been released. It features articles on Memory and Addressing Protection in Multiuser Operating Systems and some other very interesting topics. Check it out at the main site or at Packetstorm.

Forbidden Knowledge
http://www.posthuman.za.net

@HWA

10.0 f41th Issue 6
     ~~~~~~~~~~~~~

June 7th 1999
From HNN http://www.hackernews.com/
contributed by D4RKCYDE

d4rkcyde has kept its work up and released issue 6 of the H/P ezine f41th. The zine contains good h/p technical information and is available almost twice a month. Back issues are available.

Issue 6
http://darkcyde.system7.org/files/faith/faith6.txt
f41th

11.0 Antidote Vol2 Issue 7
     ~~~~~~~~~~~~~~~~~~~~~

June 7th 1999
From HNN http://www.hackernews.com/
contributed by lordoak

The newest issue of Antidote has been released with articles on PC Anywhere, Netscape, and much much more. Check it out.

Antidote Vol2 Issue 7
http://www.thepoison.org/antidote/issues/vol2/7.txt

12.0 Will the Allies Drop CyberBombs on Milosevic?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 8th 1999
From HNN http://www.hackernews.com/
contributed by erewhon

A well researched, no FUD, article that goes against the normal hype and sensationalism. William Arkin backs up HNN's earlier assessment of last week's Newsweek reports of cyber attack against the bank accounts of Milosevic. A previously unseen transcript of a conference from the Air Force Association has allowed the Washington Post to conclude that Yugoslavia's bank accounts are probably pretty safe. (It is a welcome change to see good journalism now and again.)

Washington Post
http://www.washingtonpost.com/wp-srv/national/dotmil/arkin.htm

The Good News on Forgery
By William M. Arkin
Special to washingtonpost.com
Monday, June 21, 1999

"The decade begun in Kuwait ends in the skies over Serbia. No American government will, in the near future at least, simply assume that it has the military power needed to impose its will...."

Thus retired Gen. John M. Shalikashvili grumbles about the "difference between being the greatest ... power in the world and omnipotence" and warns of the emergence of a "passive" and "isolationist" America as a result of the war in Yugoslavia.

"The United States will be withdrawing from its aggressive leadership position not solely because it wishes to," says the former Chairman of the Joint Chiefs of Staff. "It will be withdrawing because it has seriously lost the trust of many of its NATO allies."

Why? Besides committing insufficient military power in Yugoslavia, the air war, he says, is "not going to force a Serbian capitulation."

The Shalikashvili essay, "The World After Kosovo," began circulating via e-mail about three weeks before Belgrade's withdrawal from Kosovo. It is a forgery.

"Someone has stolen my name," Shalikashvili told the Seattle Post-Intelligencer, which revealed the fabrication on the final day of Operation Allied Force.

Stolen, and Forwarded

"This has been a major embarrassment to me," says a West Point graduate, after he circulated the Shalikashvili essay to his classmates. Like many other military observers, he received the commentary via e-mail. "I innocently passed along the article that had been forwarded to me clearly marked as being written by Gen. Shali from a network of senior retired military officers – a normally credible source!"

As compliments and complaints alike poured in from friends and former aides, General Shalikashvili, who retired in October 1997, discussed with Defense Department spokesman Ken Bacon whether the electronic screed should be denounced from the Pentagon podium. They decided not to bring attention to the fake.

Then Shalikashvili got a call from Deputy Secretary of State Strobe Talbott, who was asked by Finnish President Marti Ahtisaari whether the article might not complicate negotiations with President Slobodan Milosevic. Shalikashvili decided to go public: "I was hoping that it would go away, but this thing doesn't seem to be dying," he says.

Floss, Dance, Don't be Fooled

I know what you're thinking: The Internet has struck again. Faster than a speeding bullet an individual's identity has been stolen. An irresponsible and unregulated medium has perpetrated fraud and deceit. We've seen this time and again with the Web: Disgraces like Pierre Salinger's flogging of "intelligence" documents dealing with the TWA Flight 800 accident that turn out to be nothing more than conspiratorial drivel plucked from the Web. The "Floss, Dance, Don't Be Fooled" MIT commencement address that wasn't delivered by Kurt Vonnegut. The Internet does indeed have the capacity to amplify and duplicate what is real, as well as what is not.

Yet for all the copying and forwarding and quoting of Shalikashvili's impostor discourse amongst a cyber-savvy network of retired generals and veterans who increasingly use e-mail as a lifeline, what is interesting is that the comments never really circulated outside of a closed community. A check of Web-wide discussion group search engines (Deja.com, AltaVista, Forum One, Remarq) found that the essay was never sent to a single newsgroup. On the Web, there is only a single posting: on the FreeRepublic site ("The Web's premier conservative news discussion forum!"). Even here, where the retired military officer who distributed the essay described it as "the story of the current JCS members who have been silenced by the White House intimidation machine," the piece was quickly rejected. The same day it was posted, May 28, three participants identified the work as fraudulent. The system works!

A Good Day for Bombing

"The World After Kosovo" is a very good forgery. There is no obvious inflammatory language; it is a plausible viewpoint that someone could associate with a retired high-ranking officer.

The news media, like the Web, proved less promiscuous than its popular reputation in running with the supposed dissent. When Pulitzer Prize-winning reporter Seymour Hersh received the e-mail from a recently retired two-star general, he was also warned that it may or may not be authentic. Hersh read the words with interest, but he says he would never have done anything with the file, including forwarding it, without contacting Shalikashvili first.

Tom Ricks, the Pentagon correspondent for the Wall Street Journal, also received the Shalikashvili piece, in spades. "About 50 military officers credulously forwarded the 'Shali piece' to me," Ricks says.

Ricks's newspaper made itself famous in January when it quoted from the e-mail of an Air Force general bragging about the bombing of Iraq. "It's a good day for bombing," the officer wrote. But after his utterances proved fair game for the mainstream media, the general, tail fin between his legs, told the Journal that he probably should have chosen his words better.

E-mail has since proven a nettlesome medium for the closed world of retired and active duty officers. But before the Internet gets the blame, it should be made clear that the Shalikashvili episode is an embarrassment for a network of otherwise worldly military specialists who were fooled by the prose and perhaps even blinded by their own anti-Clinton animus. Though many questioned the authenticity of the retired general's words, they copied and forwarded the essay, Drudge-style. It was hardly a precision military formation.

William M. Arkin can be reached for comment at william_arkin@washingtonpost.com

© Copyright 1999 The Washington Post Company

@HWA

13.0 Melissa Suspect Still not Charged
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 8th 1999
From HNN http://www.hackernews.com/
contributed by Scores

Still free on $100,000 bail, David L. Smith has still not been officially charged with a crime. He has been accused of spreading the Melissa virus, which rampaged through the country's computer networks within days of its release. A spokesperson for the defense claimed that they are just waiting on the DA.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2271206,00.html

@HWA

14.0 ToorCon '99 Security Expo
     ~~~~~~~~~~~~~~~~~~~~~~~~~

DATE HAS CHANGED FOR THIS EVENT SEE SECTION 95.0

June 8th 1999
From HNN http://www.hackernews.com/
contributed by h1kari

ToorCon will be held on August 7-8 in San Diego, California. It is being billed as a computer security convention hosted by the San Diego 2600 Meeting to help educate and inform the public on computer security related matters. ToorCon will feature: Speakers, Lectures, Hands-on Demonstrations, InstallFests, Root Contests, and raffles.

HNN Cons Page
http://www.hackernews.com/cons/cons.html

@HWA

15.0 ISS Gets Free Advertising
     ~~~~~~~~~~~~~~~~~~~~~~~~~

June 8th 1999
From HNN http://www.hackernews.com/
contributed by lamer

Here's a nice 'adverticle' for ISS. ISS must be really wonderful because they have "tangled" with cDc, that horrible hacker group that makes Microsoft's life "miserable". I don't suppose it's possible that MS makes its own life miserable by putting out 3rd rate software? Nah. And I don't suppose it is possible that the author of this article did any research other than contacting ISS? Nah.
US News
http://www.usnews.com/usnews/issue/990614/14hack.htm

@HWA

16.0 Accounting Firms also get Free Advertising
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 8th 1999

From HNN http://www.hackernews.com/

contributed by Even lamer

Not to be outdone by ISS and the X-Force, Deloitte & Touche and PriceWaterhouse Coopers get their own adverticle detailing their joint venture, the new cyber-"fraud squads".

C|Net
http://www.news.com/News/Item/Textonly/0,25,37419,00.html

Accounting firms fight cybercrime
By Dan Goodin
Staff Writer, CNET News.com
June 7, 1999, 4 a.m. PT
URL: http://www.news.com/News/Item/0,4,37419,00.html

The dramatic growth in computer-perpetrated crime has not been lost on big accounting firms, which smell a growing profit center in helping clients protect themselves against online trespassers.

In the past six months, both Deloitte & Touche and PriceWaterhouse Coopers have formed new cyber-"fraud squads" to investigate crimes and evaluate security systems. The other big accounting firms, as well as IBM and smaller private investigation outfits, are also jumping into the game.

"We think there are significant unmet needs," said Bill Boni, director of Price Waterhouse's cybercrime investigations group, which was created earlier this year. "It's certainly going to be an area of interest for all the large accounting firms."

The reason for the interest is simple: Incidents of fraud and other crime perpetrated online are on the rise. Putting a number on the increase is difficult, since many incidents go unreported. One of the most useful measuring sticks, however, comes from annual reports released by the Computer Security Institute, which surveys 521 security practitioners from corporations, banks, government agencies, and universities. Last year, 32 percent said they reported serious incidents to law enforcement agencies, nearly twice the number as three years ago.
Meanwhile, 55 percent said that company insiders gained unauthorized access to computer networks, and 30 percent reported intrusions by outsiders. The San Francisco-based group estimates that computer security breaches cost the respondents more than $123 million last year, and worldwide may cost businesses tens of billions of dollars, according to Richard Power, the organization's editorial director.

"With the rise of the Internet and the transaction of e-commerce, corporations and government agencies are far more open to attack than ever before," Power told CNET News.com in an interview. "There are all kinds of new ways to make money through computer crime."

That's where accounting firms come in. For a host of reasons, companies whose online security has been breached frequently prefer to take their problems to private investigators rather than law enforcement agencies.

"Some [law enforcement agencies] have taken aggressive stances, but even in Silicon Valley you will find that most of the senior officials in police departments are not that sensitive to high-tech matters," said John O'Laughlin, director of worldwide security at Sun Microsystems. "Most of them are not up to speed in dealing with high-tech issues."

Companies are also hesitant to go to authorities out of fear the matter will generate negative press. "Some of these companies don't want to admit that they've been compromised," said assistant U.S. attorney Chris Painter, who investigates high-tech crime.

A benefit of taking a crime to private investigators is that companies can learn all the facts before deciding whether to take the matter to court. "They keep control of their information," said George Vinson, former head of the FBI's computer intrusion team in San Francisco and now practice leader for Deloitte & Touche's fraud and forensics team. "So many times [companies] are interested in settling something civilly rather than seeing it splashed on the A-1 page" of the local newspaper.
The bulk of Vinson's work so far has been investigating claims of copyright infringement. Typically, that means comparing the source code of a client's software against that of a suspected infringing copy. Vinson also investigates people suspected of using the Internet to manipulate a company's stock price and tracks employees who misappropriate a company's trade secrets. The accounting firms also assess clients' security systems to make sure they are not vulnerable to attacks.

The work is similar to what Vinson did while at the FBI. In 1996 his group brought down more than 20 Internet users in 10 states who used chat groups to trade software titles made by companies such as Adobe and Microsoft.

And with more and more companies transacting business online, the demand for computer forensics services is only expected to continue, said Sun's O'Laughlin.

"I don't think there's any question the e-commerce is here to stay," he said. "You're going to see that it's pretty vulnerable to fraud and abuse and [companies] want to get ahead of the curve."

@HWA

17.0 Analyzer Starts Computer Security Business
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 9th 1999

From HNN http://www.hackernews.com/

contributed by Code Kid

Analyzer (Eric Tenenbaum) is still awaiting the final outcome in his trial in Israel after he was accused of breaking into the Pentagon computer systems. While waiting he has teamed up with three college students and hopes to raise 4.5 to 5 million dollars to create a security software package.
Israel Business Globe
http://www.globes.co.il/cgi-bin/Serve_Archive_Arena/pages/English/1.2.1.2/19990607/1

Tuesday, Jun 8, 1999

Exclusive: Analyzer Founds Computer Security Start-Up
By Ronny Lifschitz

Ehud Tenenbaum, known as the "Analyzer", still awaiting the commencement of hearings in his trial, following the exposure of his penetration of the Pentagon's computers, is forming a computer security company. Tenenbaum's partners are three students currently completing their studies in electronic engineering. The new company is negotiating with potential investors, and plans to raise $4.5-5 million for the purpose of developing a security software package, that will be able to monitor hackers' activities.

The other partners are Sharon Shani, Gil Bar-Noy, who was chairman of the students' negotiating team in the tuition fee battle with the government, and another student, who prefers to remain anonymous. At the beginning of 1998, the three set up Webber Communications, a company which engaged primarily in the construction of Internet sites and consultation to Internet companies.

"Our idea is very innovative, and is based on the hacker's point of view", Tenenbaum explains to "Globes". "Our product will be able to adapt itself to the hackers' evolving methods, and upgrade itself". Tenenbaum refused to give details of the type of security software the company is to develop, but said that he and his partners, who served with the IDF Intelligence Corps, will set up an intelligence system to monitor the modus operandi of hackers the world over, and thus close the gap existing between security companies and hackers. The young entrepreneurs believe that many organisations will purchase their future product, including NASA and the Pentagon.

See accompanying feature: Analyzer II.
Published by Israel's Business Arena June 7, 1999

@HWA

18.0 $2.9Bil in Piracy in The US
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 9th 1999

From HNN http://www.hackernews.com/

contributed by Sinbad

The Software Information & Industry Association has released a report that claims that the US is responsible for $2.9Bil worth of software piracy. The top ten cities alone represented $1Bil of that money. New York City was named the worst offending city with a piracy amount estimated at $259 million. It is kind of interesting how they come up with these numbers.

Wired
http://www.wired.com/news/news/business/story/20091.html

Software Information & Industry Association
http://www.siia.net/news/releases/piracy/6.8.99-Piracy-Release.htm

Wired;
~~~~~~

Cities Singled Out for Piracy
Wired News Report
4:15 p.m. 8.Jun.99.PDT

Ten major metropolitan areas in the United States were responsible for more than US$1 billion in losses to software piracy in 1998, according to a study released today by the Software and Information Industry Association.

New York, Los Angeles, and Chicago topped the list. Peter Beruk, vice president of the association's antipiracy program, said the cities were singled out because they feature the highest concentration of white-collar workers.

The study estimated the losses for the New York metropolitan area to be $259 million, followed by that of Los Angeles with $159 million. Chicago was close behind with more than $112 million in losses.

Beruk estimates that one in every four business software applications in use across the United States is an illegal copy. According to the SIIA report, the total loss throughout the US to software piracy in 1998 was $2.9 billion, a sizeable chunk of the $11 billion loss worldwide in 1998.
- - -

Brokers, beware: Online trades grew a record 47 percent to 500,000 a day in the first quarter, boosted by a strong stock market and the increasing appeal of Internet brokerages, an influential industry analyst said on Tuesday.

"Online trading firms now appear to be penetrating the mass markets, not just the techno-philic early adopters," said analyst Bill Burnham, of securities firm Credit Suisse First Boston, in a research report. Almost 16 percent of all stock trades now take place in cyberspace, he added.

"If the fourth quarter of 1998 was a record quarter for the industry, then the first quarter of 1999 was quite simply a complete blowout," Burnham said. Online trading grew at 34 percent to 340,000 a day between the third and fourth 1998 quarters.

Online brokers, who two years ago handled, on average, just 95,500 trades a day, have been growing at a rapid pace, thanks in part to heavy advertising. Investors also keep flocking to Internet brokers because of low commissions -- an average $15.75 a trade -- and ease of use.

The top five US Internet brokers -- Charles Schwab, ETrade Group, Waterhouse Securities, Datek Online, and Fidelity Investments -- had a 71.3 percent market share, up from 67.5 percent a year ago, Burnham said. ETrade and Ameritrade Holding, the No. 6 Internet broker, grew fastest in the first quarter, each processing at least 60 percent more trades than in the fourth quarter.

- - -

News Corp. invests in PlanetRx: PlanetRx.com, an online pharmacy, said Tuesday that it had raised an additional $50 million from private investors, including media company News Corp.

News Corp. -- which owns companies such as 20th Century Fox, the Fox television network, and several newspapers around the world -- said PlanetRx.com's offerings would fit in with its plan to combine Fit TV, America's Health Network, and AHN.com into a new online health service.
Other investors in this round of financing included ETrade, Tenet Healthcare, HealthSouth, and LVMH Group. The sizes of the individual investments weren't disclosed. PlanetRx.com plans to use the funding to advertise heavily, the company said.

Reuters contributed to this report.

Software Information & Industry Association;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For Immediate Release

Contact:
Peter Beruk, VP, Anti-Piracy Programs, 202-452-1600, ext. 314, or pberuk@siia.net
Keith Kupferschmid, Intellectual Property Counsel, 202-452-1600, ext. 327, or kkupfer@siia.net

Software & Information Industry Association Unveils Top Ten "Most Wanted" Metro Areas For Software Piracy In United States

Cities Responsible For More Than $1 Billion Of Software Piracy Losses In 1998

(June 8, 1999 - Washington, D.C.) - Ten major metropolitan areas in the United States were responsible for more than $1 billion of losses to software piracy in 1998, it was revealed today. The announcement was made by SPA, the anti-piracy division of the Software & Information Industry Association (SIIA), the largest trade association for the software code and information content industry. SPA unveiled its list of America's "most wanted" metropolitan areas during the release of its 1999 Annual Global Piracy Report. The report estimates that a total of $2.9 billion was lost to software piracy throughout the United States during 1998, and that 85 countries were responsible for losses totaling $11 billion worldwide.

Heading the SPA list was the New York metropolitan area, with an estimated $259 million of piracy losses in 1998. The Los Angeles metropolitan area was next with $159 million followed by Chicago with more than $112 million in losses. Other metropolitan areas on the list (in descending order of losses) were Washington-Baltimore, Boston-Nashua, San Francisco-Oakland, Philadelphia-Wilmington, Dallas-Fort Worth, Detroit-Ann Arbor, and Atlanta.
A spokesperson for SPA said that the "Top Ten Most Wanted Metropolitan Areas" list would be released annually to highlight the seriousness of software piracy throughout the United States.

"Software piracy is a crime. Our report, issued today, estimates that one in every four business software applications in use across the United States is an illegal copy. Knowingly or unknowingly, hundreds of companies are engaged in criminal activity every day, the moment their employees boot up their computers. This is unacceptable," said Ken Wasch, president of SIIA. "For more than 10 years, SPA has led the fight against software piracy at home and abroad. By combining enforcement and education, we have been successful in reducing the rate of piracy in the United States from 48% when we began our anti-piracy program to an estimated 25% in 1998. But we do not intend to declare victory until software piracy is eliminated completely."

"Over the coming weeks, we plan to raise public awareness about the crime - and consequences - of software piracy. We want all Americans to understand that, regardless of whether the piracy is committed between friends and co-workers or by businesses or whether it is committed through illegal rental, counterfeiting or increasingly via the Internet, it affects more than just the largest software publishers. Of SIIA's 1,400 member companies, 60% have annual revenues of less than $2 million. Software piracy can put those companies - and their employees - out of business and out of work within a matter of weeks. Through heightened enforcement and education efforts, we will drive this message home," Wasch said.

"Additionally, we will continue to work closely with the Department of Justice and the FBI in their continuing efforts to eliminate software piracy around the world.
We applaud the recent statement by the Department of Justice that the FBI is working closely with law enforcement officials in other countries to combat computer crimes and enhance coordination and improve their combined capabilities."

The Software & Information Industry Association (SIIA) is the principal trade association of the software code and information content industry. SIIA represents more than 1,400 leading high-tech companies that develop and market software and electronic content for business, education, consumers and the Internet. Hundreds of these companies look to SIIA to protect their intellectual property around the world. Additional information on its anti-piracy program can be found at www.spa.org/piracy. To report software piracy, call (800) 388-7478.

SIIA was formed on Jan. 1, 1999, as a result of the merger between the Software Publishers Association (SPA) and the Information Industry Association (IIA). Information on SIIA and its wide-range of activities can be found at www.siia.net.

Copies of the 1999 Global Piracy Report can be found at www.siia.net/news/releases/piracy/98globalpiracy.htm or by contacting David Phelps at 202-452-1600, ext. 320

The 1999 SPA "Ten Most Wanted Metropolitan Areas" List
(based on revenue losses due to software piracy in 1998)

 1. New York-Northern NJ-Long Island   $259,804,592
 2. Los Angeles-Anaheim-Riverside      $159,572,768
 3. Chicago-Gary-Kenosha               $112,201,219
 4. Washington-Baltimore               $86,752,957
 5. Boston-Nashua                      $80,740,945
 6. San Francisco-Oakland              $79,993,397
 7. Philadelphia-Wilmington            $59,829,725
 8. Dallas-Fort Worth                  $62,080,995
 9. Detroit-Ann Arbor-Flint            $61,379,449
10. Atlanta                            $50,479,623

@HWA

19.0 Congress and NSA tangle over Echelon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 9th 1999

From HNN http://www.hackernews.com/

contributed by oolong

The US Congress and the NSA seem to be butting heads over ECHELON.
While all this sounds altruistic, you can bet that it's the beginning of a high level power struggle over who controls the information.

Federal Computer Week
http://www.fcw.com/pubs/fcw/1999/0531/web-nsa-6-3-99.html

JUNE 3, 1999 . . . 18:34 EDT

Congress, NSA butt heads over Echelon
BY DANIEL VERTON (dan_verton@fcw.com)

Congress has squared off with the National Security Agency over a top-secret U.S. global electronic surveillance program, requesting top intelligence officials to report on the legal standards used to prevent privacy abuses against U.S. citizens.

According to an amendment to the fiscal 2000 Intelligence Authorization Act proposed last month by Rep. Bob Barr (R-Ga.), the director of Central Intelligence, the director of NSA and the attorney general must submit a report within 60 days of the bill becoming law that outlines the legal standards being employed to safeguard the privacy of American citizens against Project Echelon.

Echelon is NSA's Cold War-vintage global spying system, which consists of a worldwide network of clandestine listening posts capable of intercepting electronic communications such as e-mail, telephone conversations, faxes, satellite transmissions, microwave links and fiber-optic communications traffic. However, the European Union last year raised concerns that the system may be regularly violating the privacy of law-abiding citizens [FCW, Nov. 17, 1998].

However, NSA, the supersecret spy agency known best for its worldwide eavesdropping capabilities, for the first time in the history of the House Permanent Select Committee on Intelligence refused to hand over documents on the Echelon program, claiming attorney/client privilege.
Congress is "concerned about the privacy rights of American citizens and whether or not there are constitutional safeguards being circumvented by the manner in which the intelligence agencies are intercepting and/or receiving international communications...from foreign nations that would otherwise be prohibited by...the limitations on the collection of domestic intelligence," Barr said. "This very straightforward amendment...will help guarantee the privacy rights of American citizens [and] will protect the oversight responsibilities of the Congress which are now under assault" by the intelligence community.

Calling NSA's argument of attorney/client privilege "unpersuasive and dubious," committee chairman Rep. Peter J. Goss (R-Fla.) said the ability of the intelligence community to deny access to documents on intelligence programs could "seriously hobble the legislative oversight process" provided for by the Constitution and would "result in the envelopment of the executive branch in a cloak of secrecy."

@HWA

20.0 Emutronix Phone Hacking Products releases new Mach emulator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 9th 1999

From HNN http://www.hackernews.com/

contributed by Fr3akm4n

Emutronix Phonecard Hacking Products have released their latest version of the Mach Emulation Software. Version 2.1 incorporates an easier working panel and is much more user friendly.

Emutronix
http://fly.to/mach3

(I'd check this site out b4 it gets closed down, cards start at $350 with a one year guarantee for any country except France... - Ed )

21.0 Is That Spelled With a "PH" or an "F"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 10th 1999

From HNN http://www.hackernews.com/

contributed by smith

The Concise Oxford Dictionary has added some new words to its vernacular. One notable inclusion is the word "Phreaking" with a definition of hacking into the telephone network. Other new words include firewall and portal among others.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2272766,00.html

The Concise Oxford Dictionary
http://www.oed.com

@HWA

22.0 The Demonizing of the Hacker
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 10th 1999

From HNN http://www.hackernews.com/

contributed by Weld Pond

Are years in jail the correct answer for teenage script kiddies who deface web pages? Are dangerous precedents being created today that will limit personal freedom tomorrow? Are we running the risk of turning criminals into cultural icons? Peter Wayner takes a look at these complex questions.

Salon
http://www.salonmagazine.com/tech/feature/1999/06/09/hacker_penalties/index.html

Should hackers spend years in prison?
Stiff penalties for computer trespassing could create a broad new class of criminal -- including you and me.

- - - - - - - - - - - -

BY PETER WAYNER

June 9, 1999 | The FBI recently declared war on those pesky hackers -- again. The news is filled with the story of some group known as Global Hell that is breaking into Web sites and causing mayhem. The FBI is cracking down, confiscating computers and taking names; and some hackers are actually fighting back and shutting down some government Web sites.

The press loves hackers because computer crime is something new. (I'm using "hackers" the way the media does, to describe those who get their kicks breaking into computer systems, rather than the older usage describing those who delight in difficult software coding work.) Murder, rape, drug dealing, theft and fraud continue as always, with ups and downs in their rates -- but teenagers breaking into Web sites is something no one has seen before.

The problem with the war against hackers is that most of what the hackers are supposedly doing would be trivial if it weren't happening on the Internet. The typical hacker attack on a Web site isn't much different from scrawling graffiti on the outside of a building.
Many attackers are just poking around -- like suburban teenagers who hop a fence to jump into a pool.

All of this would be great theater and a nice distraction from the war in Kosovo if it weren't inspiring some serious reprisals in the courts -- and some ominous inflation in sentencing that could wind up affecting everyone who uses computers in his or her daily life. Wars on hackers are usually followed by calls for legislators to "do something!" and campaigns for new laws to crack down on the bad guys. The problem is that "doing something" often produces laws that treat the same action much more harshly in cyberspace than in "meatspace."

The archetype of the demon hacker is Kevin Mitnick, a young man who has spent more than four years in jail waiting for his trial. When he was arrested, Monica Lewinsky was in her last year of college. During this time, Mitnick and his attorneys have jousted with government lawyers in endless pre-trial maneuvers that seem to have ended recently when Mitnick decided to plead guilty, probably hoping to receive a sentence that would be limited to time served. But even that deal is uncertain and taking forever to evolve; meanwhile, for Mitnick it's just prison without a trial and with no bail.

Many, no doubt, see the crackdown on folks like Kevin Mitnick as a great deal for society: Information can be stolen just like anything else; surely the thieves who traffic in such goods should be locked up, just like car-jackers and muggers. But there's also a hidden danger. The precedents that the courts set now for dealing with demons like Mitnick will also apply equally to everyone who follows. And it's not clear that the world is ready for Mitnick-like sentences for the crimes he might have committed, which remain murkily defined.

Think about it: Someone who reads another person's Rolodex is just a snoop, but someone who clicks through somebody else's Palm Pilot is hacking a computer database.
It's easy to see just how slippery the calculus of evil gets on the cutting edge of technology.

2600 Magazine, The Hacker Quarterly, recently posted letters from computer manufacturers like Sun and Motorola estimating their losses to Mitnick's alleged theft of computer source code. After Mitnick's arrest, he was said to have stolen billions of dollars of information. Some companies calculated their loss by simply listing the hundreds of millions of dollars in development cost of the software affected -- that is, the cost of all the programmers, their computers and other overhead. Other companies were a bit more careful and noted that the value was difficult to judge, but that recalls of products like cell phones could be costly.

The problem is, the price tag of information is almost impossible to determine. If Mitnick did take a copy of these companies' source code, the companies weren't denied the use of it, as when a mugger steals cash. Mitnick's lawyers seem ready to point out that the companies involved didn't bother to announce an official price on what they lost to Mitnick -- something that the Securities and Exchange Commission requires public companies to do if the losses are significant enough. That would have required strict accounting measures.

To make matters even cloudier, in the meantime, Sun Microsystems began giving away the source code to its operating system to students around the world. In other words, if Mitnick had only waited a few years, enrolled in a university and asked nicely, he might have been a poster boy for Sun's charity instead of a prisoner. Today, Sun is even circulating the source code to products like Java in hope of recruiting customers and snagging bug fixes. The company is practically begging people around the world to come take a look at its code.

This big change in the customs and attitudes of the software industry strains the arguments against hackers.
If giving away the source code is now a "good thing" for corporations, did Mitnick and the other hackers do a smaller good thing by grabbing it ahead of time? Is Mitnick now a bit closer to being a Robin Hood instead of a demon? If Linux triumphs, will children be told tales of the dark days when the Sheriff of Nottingham sat on the boards of all of the corporations and forced them to keep their source code proprietary so only the nobles could enjoy its bounty? Is it true that begging forgiveness is always easier than asking permission?

Such questions may be impossible to answer, but they illustrate just how confusing it can be in the nether-netherworld of information's hall of mirrors. As a commodity, information is fundamentally different from objects, and society has always graced it with special respect. The journalists who printed the stories about the allegedly racist words that appeared on a secret audio tape of Texaco employees looked like crusaders. But if it had been a digital tape, the reporters could be painted as hacking data compiled by a Texaco employee on Texaco time.

In the long run, society is going to have to think differently about hackers and the crimes with which they are charged. Taking information when it's printed on paper is not always bad, and there's no reason we should change this rule just because the information is stored on a computer disk. The intent of the criminal and the extent of the malice has always played a crucial role in our system of criminal justice. Many owners of things will forgive a theft if the "borrower" merely returns it unharmed. Crimes like trespassing are rarely prosecuted if someone just hops a fence and does no damage.

Computers and the Internet continue to frighten people, but prosecuting hackers runs the danger of setting nasty precedents that will begin to snare regular people, not programmers. Many convicted hackers are released from prison only to be denied the ability to use a computer or the Internet.
In the past, this made it impossible for a person to get work as a programmer; today, they can't even push the order screen at McDonald's. After all, it's hooked up to a central database -- who knows what havoc a hacker could wreak while punching up an order of fries?

One of the best ways to put this all in context is to take yourself back in time 100 years to the turn of the last century, when auto racing was just beginning to roar across the scene. The machines were grand in size and sound if not in speed -- Emile Levassor won the 1895 Paris-Bordeaux race with his four-horsepower jack rabbit that covered the distance at an average speed of 14.9 mph. Feats of technical prowess like that frightened the world, and by 1903 the French government was shutting down auto races -- or restricting the death-defying machines to a bearable 20 mph.

A few decades later, James Dean became a rebel automobile hacker who scared parents around the globe. Today, he's just another cutie pie competing with Hanson for poster space on dorm room walls. One era's demon is another's icon. Is teen idol the next stop for Kevin Mitnick?

salon.com | June 9, 1999

- - - - - - - - - - - -

About the writer
Peter Wayner is the author of "Disappearing Cryptography," "Digital Cash" and "Digital Copyright Protection."

@HWA

23.0 More Email Worms/Trojan
~~~~~~~~~~~~~~~~~~~~~~~~

June 10th 1999

From HNN http://www.hackernews.com/

contributed by zuc

Symantec has discovered a new malicious piece of software that travels as an email attachment named "zipped_files.exe". Similar to Melissa this worm/trojan uses the MAPI commands and Microsoft Outlook on Windows systems to replicate. This code was originally discovered in Israel.
Symantec
http://www.symantec.com/avcenter/venc/data/worm.explore.zip.html

Worm.ExploreZip

Virus Name:       Worm.ExploreZip
Aliases:          W32.ExploreZip Worm
Infection Length: 210,432 bytes
Area of Infection: Windows System directory, Email Attachments
Likelihood:       Common, Worldwide
Detected as of:   June 6, 1999
Characteristics:  Worm, Trojan Horse

Overview:

Worm.ExploreZip is a worm that contains a malicious payload. The worm utilizes Microsoft Outlook, Outlook Express, Exchange to mail itself out by replying to unread messages in your Inbox. The worm will also search the mapped drives and networked machines for Windows installations and copy itself to the Windows directory of the remote machine and modify the WIN.INI accordingly.

The payload of the worm will destroy any file with the extension .h, .c, .cpp, .asm, .doc, .ppt, or .xls on your hard drives, any mapped drives, and any network machines that are accessible each time it is executed. This continues to occur until the worm is removed.

You may receive the worm as an attachment called zipped_files.exe. When run, this executable will copy itself to your Windows System directory with the filename Explore.exe or to your Windows directory with the filename _setup.exe. The worm modifies your WIN.INI or registry such that the file Explore.exe is executed each time you start Windows.

The worm was first discovered in Israel and submitted to the Symantec AntiVirus Research Center on June 6, 1999.

Technical Description:

Worm.ExploreZip utilizes MAPI commands and Microsoft Outlook/Microsoft Exchange on Windows 9x and NT systems to propagate itself. The worm e-mails itself out as an attachment with the filename zipped_files.exe in reply to unread messages it finds in your Inbox. Once it responds to a message in your Inbox, it will mark it so it will not respond to the message again.
     The e-mail message sent may appear to come from a known e-mail
     correspondent in response to a previously sent e-mail with the
     appropriate subject line and contains the following text:

        Hi Recipient Name!

        I received your email and I shall send you a reply ASAP.
        Till then, take a look at the attached zipped docs.

        bye  or  sincerely Recipient Name

     The worm will continue to monitor the Inbox for new messages and respond
     accordingly. The worm will also search the mapped drives and networked
     machines for Windows installations and copy itself to the Windows
     directory of the remote machine and modify the WIN.INI accordingly.

     Once the attachment is executed, it may display the following window:

     The button displayed is the "OK" button and is dependent on the language
     of the infected operating system. The example above was taken from a
     Hebrew Windows system.

     The worm also copies itself to the Windows System (System32 on Windows
     NT) directory with the filename Explore.exe or _setup.exe and also
     modifies the WIN.INI file (Windows 9x) or the registry (on Windows NT)
     so that the program is executed each time Windows is started.

     You may find this file under your Windows Temporary directory or your
     attachments directory as well depending on the e-mail client you are
     using. E-mail clients will often temporarily store e-mail attachments in
     these directories under different temporary names.

     Payload:

     In addition, when Worm.ExploreZip is executed, it also searches through
     the C through Z drives of your computer system and accessible network
     machines for particular files. The worm selects a series of files to
     destroy with multiple file extensions (including .h, .c, .cpp, .asm,
     .doc, .xls, .ppt) by calling CreateFile() and making them 0 bytes long.
     One may notice extended hard drive activity when this occurs. This can
     result in non-recoverable data. This payload routine continues to happen
     while the worm is active on the system.
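     An added example, not part of the Symantec write-up and not Symantec's
     KILL_EZ or any other tool named here: a small Python triage script built
     from the indicators in the write-up (the zipped_files.exe attachment and
     its reply text, the Explore.exe/_setup.exe run= entry in WIN.INI named in
     the repair notes below, and files in the wipe list that have been
     truncated to 0 bytes). The WIN.INI fragment, the message and the file
     tree are constructed samples, and the function names are the example's
     own.

```python
# Triage helpers for the Worm.ExploreZip indicators documented in the
# Symantec write-up. Added example, not Symantec's code; all inputs below
# are constructed inline so the script runs offline on any platform.
import re
import tempfile
from pathlib import Path

# Indicators as stated in the write-up.
WORM_ATTACHMENT = "zipped_files.exe"
WORM_BINARIES = {"explore.exe", "_setup.exe"}
WIPED_EXTENSIONS = {".h", ".c", ".cpp", ".asm", ".doc", ".ppt", ".xls"}
REPLY_TEXT = "i received your email and i shall send you a reply asap"


def find_winini_persistence(win_ini_text):
    """Return the WIN.INI run=/load= lines whose target is a worm binary."""
    hits = []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        match = re.match(r"(run|load)\s*=\s*(.+)", line, re.IGNORECASE)
        if not match:
            continue
        # run= may list several programs separated by spaces or commas;
        # compare only the basename so a drive/path prefix does not hide it.
        for entry in re.split(r"[ ,]+", match.group(2)):
            basename = entry.rsplit("\\", 1)[-1].lower()
            if basename in WORM_BINARIES:
                hits.append(line)
                break
    return hits


def mail_indicators(body, attachments):
    """Return which of the worm's mail-level indicators a message carries."""
    found = []
    if any(name.lower() == WORM_ATTACHMENT for name in attachments):
        found.append("attachment")
    # Collapse whitespace so line wrapping in the body does not break the match.
    if REPLY_TEXT in " ".join(body.split()).lower():
        found.append("reply_text")
    return found


def find_zero_byte_targets(root):
    """List files under root that match the wipe list and are now 0 bytes.

    The write-up says the payload truncates files via CreateFile() rather
    than deleting them, so zero-byte files with these extensions are the
    visible damage to inventory for restore-from-backup.
    """
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file()
        and p.suffix.lower() in WIPED_EXTENSIONS
        and p.stat().st_size == 0
    )


# Constructed WIN.INI fragment: a legitimate program plus the worm entry.
SAMPLE_WIN_INI = """[windows]
load=
run=C:\\UTIL\\clock.exe \\Explore.exe
[Desktop]
Wallpaper=(None)
"""

# Constructed message modelled on the text quoted in the write-up.
SAMPLE_BODY = ("Hi Alice!\r\nI received your email and I shall send you a "
               "reply ASAP.\r\nTill then, take a look at the attached zipped "
               "docs.\r\n\r\nbye\r\n")
SAMPLE_ATTACHMENTS = ["zipped_files.exe"]


def demo():
    """Run all three checks on the constructed samples and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_bytes(b"")          # wiped source file
        (root / "src" / "main.h").write_bytes(b"int x;\n")  # intact header
        (root / "report.doc").write_bytes(b"")              # wiped document
        (root / "notes.txt").write_bytes(b"")               # empty, not a target
        wiped = find_zero_byte_targets(root)
    return {
        "persistence": find_winini_persistence(SAMPLE_WIN_INI),
        "mail": mail_indicators(SAMPLE_BODY, SAMPLE_ATTACHMENTS),
        "wiped": wiped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```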
     Thus, any newly created files matching the extensions list will be
     destroyed as well.

     Repair Notes:

     Symantec AntiVirus Research Center has also provided a small utility
     called KILL_EZ to remove the virus from memory to avoid rebooting from a
     clean system disk. For more information on the KILL_EZ utility, refer to
     the following URL:

     http://www.sarc.com/avcenter/kill_ez.html

     To remove this worm manually, one should perform the following steps:

     1. Remove the line run=\Explore.exe or run=\_setup.exe from the WIN.INI
        file for Windows 9x systems. For Windows NT, remove the registry entry
        HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
        which will refer to Explore.exe or _setup.exe.

     2. Delete the file Explore.exe or _setup.exe. One may need to reboot
        first or kill the process using Task Manager or Process View (if the
        file is currently in use).

     Norton AntiVirus users can protect themselves from this worm by
     downloading the current virus definitions either through LiveUpdate or
     from the following webpage:

     http://www.symantec.com/avcenter/download.html

     Write-up by: Eric Chien
     Written:     June 6, 1999
     Update:      June 11, 1999

@HWA

24.0 Stanford Searches for "Hacker"
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 10th 1999

     From HNN http://www.hackernews.com/

     Stanford Searches for "Hacker"
     contributed by Dead.Under.Water

     Stanford University was a victim of a spammer recently. A message, sent
     to some 25,000 Stanford email accounts, accused the school of giving
     housing preferences to minorities. Prosecutor Julius Finkelstein, head
     of Santa Clara County's high-tech crimes unit, said the "hacker" could
     be charged with such offenses as unauthorized use of a computer account
     and harassment via e-mail. Evidently sending hate-filled emails grants
     you the hacker moniker?
     Yahoo News
     http://dailynews.yahoo.com/headlines/ap/technology/story.html?s=v/ap/19990603/tc/racist_mail_1.html
     ( this link didn't work as of June 24th -Ed )

@HWA

25.0 Mitnick Demo Pictures now Available
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 10th 1999

     From HNN http://www.hackernews.com/

     Mitnick Demo Pictures now Available
     contributed by Macki

     Pictures of the FREE KEVIN Demonstrations held last week in front of
     federal courthouses across the country have been posted. Pictures from
     the demonstrations in Cleveland, New York, and Moscow have been made
     available at the FREE KEVIN Demos website. Kevin Mitnick's sentencing
     hearing is scheduled for Monday, June 14th.

     FREE KEVIN Demonstrations
     http://www.2600.com/demo/index.html

@HWA

26.0 Does Cracking Affect Consumer Confidence?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 10th 1999

     From HNN http://www.hackernews.com/

     Does Cracking Affect Consumer Confidence?
     contributed by evenprime

     Eric Lundquist thinks that it is wrong to crack servers because doing so
     undermines consumers' confidence in e-commerce. (In my opinion consumers
     would be wise not to trust e-commerce.) Interesting how the author never
     gets around to blaming vendors who tell people to place their trust in
     the rubbish that is being sold.

     ZD Net
     http://www.zdnet.com/zdnn/stories/comment/0,5859,406094,00.html

@HWA

27.0 Worm.ExploreZip is Causing Massive Damage
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 11th 1999

     From HNN http://www.hackernews.com/

     contributed by Merlock

     Worm.ExploreZip is quickly spreading across the world. First discovered
     last Sunday in Israel, it has propagated into some of the largest
     companies in the US. The transmission method of this program is similar
     to Melissa, which used the email addresses in the Microsoft Outlook
     address book; Worm.ExploreZip, however, automatically replies to the
     incoming email of MS Exchange or MS Outlook users.
     Unlike Melissa, Worm.ExploreZip carries a very malicious payload that
     will actually delete certain files and modify others. Companies such as
     Boeing, Price Waterhouse Coopers, GTE, and General Electric have lost
     entire hard drives to this virus. Many companies are attempting to be
     proactive by disconnecting themselves from the internet. Only users of
     Microsoft products are affected by this latest threat.

     ABC News
     http://www.abcnews.go.com/sections/tech/DailyNews/worm990610.html
     C|Net
     http://www.news.com/News/Item/0,4,37658,00.html?st.ne.fd.gif.d
     MSNBC
     http://www.msnbc.com/news/278660.asp
     ZD Net
     http://www.zdnet.com/pcweek/stories/news/0,4153,2273659,00.html
     Nando Times
     http://www.techserver.com/story/body/0,1634,58370-93054-664175-0,00.html
     PC World
     http://www.pcworld.com/pcwtoday/article/0,1510,11334,00.html
     ZD Net
     http://www.zdnet.com/zdnn/special/doublevirus.html

     C|Net;

     Data virus forces email shutdowns
     By Kim Girard
     Staff Writer, CNET News.com
     June 10, 1999, 7:10 p.m. PT (update)

     Corporations are scrambling to cope with a new data-destroying virus
     that is forcing the shutdown of email systems nationwide.

     The virus, first reported to the Symantec Antivirus Research Center on
     Sunday by five companies in Israel, is called Worm.ExploreZip or
     Troj_Explore.Zip. The worm uses Mail Application Programming Interface
     (MAPI) commands and Microsoft Outlook on Windows systems to propagate
     itself, Symantec said.

     In some ways, the virus is the sequel to the Melissa virus, which spread
     with unprecedented speed in March. Worm.ExploreZip spreads from computer
     to computer by taking advantage of automation features available to
     people using Microsoft email software on Windows machines.

     Although the new virus doesn't spread as fast as Melissa, it causes more
     damage, according to antivirus experts, deleting Microsoft Word, Excel,
     and Powerpoint document files, among others.
     Several firms have shut down their email systems entirely while IS staff
     root out the virus, according to Symantec.

     Boeing was hit particularly hard. The Seattle-based aerospace giant shut
     down its email system, which is used by at least 150,000 employees, at
     2:30 p.m. today, a company spokesman said. The company was still
     assessing the damage caused by the virus, but the spokesman, who asked
     not to be named, said he knew of at least one employee whose entire hard
     drive was wiped out.

     "As soon as we became aware of it, we told everyone, and we put a
     message up on our internal Web site," he said. Late in the day the email
     still had not been restored. The company hopes to have it back up by
     tomorrow.

     PricewaterhouseCoopers took down its entire email system, used by 45,000
     U.S. employees, also at 2:30 p.m. in response to the virus. The company
     was just bringing up parts of the system at 7 p.m., a company spokesman
     said, but he didn't know how much damage had been done or how many
     workers had been affected.

     Some companies said they disarmed the virus--actually a software
     "worm"--before it could cause many problems. Microsoft, for example,
     disconnected its email servers from the Internet at about 9 a.m. so that
     programmers could work on an antidote, company spokesman Dan Leach said.
     The servers were up and running two hours later, he added.

     Employees of antivirus software maker Symantec report that they have
     received email that includes the worm, which arrives as an attachment to
     the missives.

     Companies such as General Electric and Southern Company have had files
     deleted by the virus, according to Bloomberg.

     Virus protection firm Trend Micro spokeswoman Susan Orbuch said earlier
     today that the company had received 107 calls from customers concerning
     the virus. Thirteen of those calls came from those already infected, she
     said. Orbuch said that Trend Micro knew of five large companies that had
     been infected, as well as several public relations firms and a magazine.
     She declined to name the companies.

     Nate Meyer, spokesman for Credit Suisse First Boston, said the virus had
     struck the company's offices in New York, San Francisco, and Palo Alto,
     California, and that other offices worldwide may have been affected. He
     said he did not know how many of the company's computers were infected.

     Meyer said Credit Suisse's technology department had been working on the
     problem for much of the day and had sent out a warning about it this
     morning. But he said the virus did not seem to have slowed the company's
     operations, adding that it had not disrupted the investment company's
     stock trading. Meyer noted that his own email had been working
     throughout the day.

     Quick repairs

     Representatives at AT&T and Intel reported that they were able to
     quickly repair their systems after being hit by the virus.

     "These are things that we have to do because of the communications
     reality that we live in today," an AT&T spokeswoman said.

     The virus disrupted work at Cambridge, Massachusetts-based industry
     analyst firm Forrester Research, where Internet access, including email,
     was cut off.

     Another analyst firm, Current Analysis, sent email to customers warning
     them not to open any email attachments coming from the firm with the
     .exe extension because an employee's PC had been infected.

     The infected email may contain the message: "Hi [recipient name]! I
     received your email and I shall send you a reply ASAP. Till then, take a
     look at the attached zipped docs. bye."

     Unlike the Melissa virus, which harvested from a user's address book,
     the new virus raids an email in-box when executed through Microsoft
     Exchange or Outlook. The worm attaches itself as a file called
     zip_files.exe and is sent off with a return email.

     Although the virus isn't expected to spread as quickly and to as many
     computers as Melissa did, it does destroy files.

     "It's an .exe file posing as a Zip file," said Eric Chien, senior
     researcher at the Symantec Antivirus Research Center.
     The worm is particularly insidious because it searches through hard
     drives and destroys files with extensions of .doc, .xls, .ppt, .c, .cpp,
     .h, or .asm, he said.

     Chien said that means whoever wrote the virus was targeting
     corporations--seeking to destroy developers' source code, as well as
     documents created using Microsoft Office applications, such as Word and
     Excel.

     "It singles out those files and destroys them," he said. "This hits the
     local drive and the file server."

     Extent of damage not known

     Chien said it is unclear how much damage the virus has done. "We've
     received multiple reports from major corporations in the U.S.," he said.
     "What we're hoping is that the initial jump on this Sunday night will
     prevent it from spreading."

     Panda Software said it has added free downloads for the detection and
     disinfection of the virus--which it called "extremely dangerous"--on its
     Web site. The company also urged people to update antivirus software.

     Esther Shin, a public relations specialist at Aventail, a Seattle-based
     business-to-business e-commerce firm, said two of her colleagues
     encountered the virus this morning. One of them lost all the files on
     his hard drive after he opened the attachment, she added. The email was
     worded to make the recipient believe that the message came from a
     Microsoft employee, she said.

     Shin said she got a similar email but didn't open the attachment. "When
     I got hit I called all my contacts," she said.

     Bloomberg and News.com's Troy Wolverton, Dan Goodin, and Tim Clark
     contributed to this report.

@HWA

28.0 Don't Forget About BackDoor-G, it is Still Around
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 11th 1999

     From HNN http://www.hackernews.com/

     contributed by Weld Pond

     Don't forget about BackDoor-G. It also arrives as an email attachment
     but instead of deleting files this one could allow someone else to
     control your computer behind the veil of a screensaver.
     The Irish Times
     http://www.ireland.com/newspaper/finance/1999/0604/fin320.htm

     Bug hits big screen by the backdoor

     Backdoor-G virus arrives by e-mail and sets up a screensaver which lets
     hacker control computer remotely

     As if you didn't already have enough worries. The wary computer user
     already feels bunkered in and hunkered down, in between hiding behind
     firewalls, running anti-virus programs and keeping a watchful eye on
     suspicious-looking e-mails. You have to look out for infected files on
     floppy disks, panic over the latest holes in e-mail programs, and be
     cautious with how you set up company and personal websites. It's almost
     enough to send you back to a manual typewriter.

     Now comes an insidious screensaver virus - a new computer devastator
     that sneaks into your system via an e-mail and sets up a screensaver
     which lets some bad-guy hacker control your computer remotely, download
     files, and all that other stuff that appears in Tom Cruise films but
     which we would all rather believe couldn't happen in real life.

     According to security software company Network Associates, Backdoor-G is
     a so-called "trojan horse" program, which arrives into your computer
     hidden inside an attack program which potential victims receive as an
     unsolicited e-mail. The program has reportedly taken the form of both a
     screensaver and an update to a computer game.

     Open the e-mail and the program installs itself, allowing Backdoor-G to
     turn the victim's computer into a client system. In other words, it
     allows a hacker to operate the victim's computer remotely over the
     Internet. The hacker can thus gain access to just about anything on the
     victim's computer. Unfortunately, it's also almost impossible to detect
     once it executes because it is capable of changing its file name. And
     according to Network Associates, it spreads everywhere in your
     computer's system.
     Admittedly, the screensaver aspect of this virus has its amusement
     potential - hmmm, can't we all imagine a bitter and twisted screensaver
     we'd like to design to announce our conquest of the computer belonging
     to some particularly detested person in our lives?

     But the arrival of Backdoor-G is probably more apt to make you sigh in
     exasperation. Computers were supposed to make life easier, more
     manageable, more controllable. Okay, you can stop laughing, but you know
     what I mean. Instead, they just seem to bring more stress, hair loss,
     heartburn and overly-chewed fingernails.

     But it's perhaps wise to remind computer users that many, if not most,
     aggravations come not from the machines or even, sometimes, the
     software. They come from humans who still make far too many assumptions
     about what computers, software, and the Internet can or cannot do.

     Partly, that's our fault, because we accept products from hardware and
     software vendors which in any other industry would be considered too
     unreliable, unstable and under-tested to be released onto the market. We
     believe the vendors when they excuse themselves by telling us it's all
     too complicated to explain, it's the nature of the medium and so forth.
     That's appalling, but as long as we lack the collective spine to demand
     better, we're stuck with what we get.

     But it's hard to see how we can obliterate the virus problem, since a
     computer is a sitting duck for viruses because of the way in which we
     use them - sharing disks, transferring files, going on and off the Net
     and downloading things from places we don't know. Few people take even
     basic precautions against viruses and so, these things spread. In
     addition, many people never bother to make backups of their work, and
     thus are twice devastated if struck by a virus or another form of
     computer attack. And even if the anti-virus software makers come up with
     a fix to one virus, some hacker is always brewing another that we cannot
     yet imagine.
     In the days that it takes to create an antidote, thousands or millions
     can be hit. In the case of particularly nasty viruses, entire companies
     can be brought down at the cost to the global economy of billions of
     pounds.

     So what's a poor computer user to do? There's not much else to recommend
     but to proceed with caution, which means educating yourself on how to
     keep your own machine as clean as possible by being vigilant against
     viruses and other forms of computer attack. Buy a good virus-scanning
     software package and use it. Be wary about what you download off the Net
     and scan it first. Don't open e-mail with attachments unless you know
     the sender (and even then, be cautious about all attachments).

     And create backups. Anyone who has ever lost irreplaceable, important
     files off a floppy disk or hard-drive knows the excruciating pain of
     that particular experience. You may still have to clean up a computer if
     a virus brings it down - and that's not a pleasant task - but having
     your files intact somewhere else at least keeps the misery from reaching
     bottomless depths.

     [SBX]

     A detector for the Backdoor-G virus is online at www.nai.com

@HWA

29.0 MS Antitrust Trial Looks at Security
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 11th 1999

     From HNN http://www.hackernews.com/

     contributed by m4in

     District Court Judge Thomas Jackson has asked a government expert
     witness whether removing the browser from Windows will increase or
     diminish its security. Analysts think that the judge is wondering what
     the repercussions are of including the browser with the operating
     system.

     C|Net
     http://www.news.com/News/Item/0,4,37649,00.htm
     Wired
     http://www.wired.com/news/news/politics/story/20139.html

     C|Net's link seems to have died, here's the Wired story;

     Will Curiosity Kill the Browser?
     by Declan McCullagh
     12:15 p.m. 10.Jun.99.PDT

     WASHINGTON -- On the last day of the government's case, the federal
     judge overseeing the Microsoft antitrust trial asked Thursday if
     including a browser with Windows could weaken a computer's security.

     "Are there any security issues involved in the choice of a browser [that
     may increase] the risk of penetration by a virus or something like
     that?" US District Judge Thomas Penfield Jackson asked a witness
     testifying for the government.

     Edward Felten, a Princeton University scientist, said that some
     security-conscious network administrators may prefer to have no browsers
     on computers. Felten was the last witness called by the government, and
     Microsoft will call its rebuttal witnesses starting Monday.

     "Is there any way of absolutely assuring security?" Jackson asked. He
     also wondered which browsers are safer than others.

     Reading the portents in a judge's questions is, of course, a perilous
     task. Some wags in the press gallery suggested that His Honor must be
     shopping for a computer. Or was the technology-impaired Jackson simply
     confused?

     But the theory, if true, that would be most damaging to Microsoft goes
     like this: Jackson is wondering what the downsides are to Microsoft's
     decision to include Internet Explorer with Windows.

     This became an important question since a decision last summer by an
     appeals court, which unceremoniously overturned Jackson's December 1997
     decision on a related Justice v. Microsoft case. In a 2-1 decision, the
     panel said judges should be "deferential to entrepreneurs' product
     design choices" and companies should be free to integrate products as
     they see fit -- so long as the improvements benefit customers.

     Jackson's comments could mean that he plans to weigh whether or not
     Microsoft's decision to integrate Internet Explorer with Windows was, on
     the whole, a good thing for the general public.
     Other government witnesses earlier in the trial have offered additional
     reasons why welding IE into the operating system reduces consumer
     choice.

     Microsoft has claimed that including IE produces a more useful product
     with Internet functionality that third-party software developers can
     rely on. Jim Allchin, a Microsoft vice president, testified that these
     features "simply cannot be achieved through the use of add-on products
     from third parties."

     But Felten said there was no reason Internet Explorer had to be shipped
     with the operating system. "Microsoft can deliver a version of Windows
     98 from which the Internet Explorer browser has been removed and deliver
     it in such a way that does not affect the non-Web browsing functions of
     Windows 98," he said.

     The Justice Department pointed to a January 1997 email message from
     Allchin to Bill Gates that said another executive wanted Win98 "minus IE
     4.0 in June.... IE 4.0 can be added next year."

     Felten claimed he had designed a program that removes browsing
     capability from Windows 98. But Microsoft had Felten demonstrate it and
     showed him he had not actually removed Web browsing features.

     The trial will continue on Monday when Microsoft calls AOL's David
     Colburn as a hostile witness. Microsoft said it will challenge the
     credibility of Colburn, an AOL executive who was a government witness
     earlier.

@HWA

30.0 Web Defacements Hindering Open Government
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 11th 1999

     From HNN http://www.hackernews.com/

     contributed by Code Kid

     Eric Lundquist claims that web page defacements hold back the
     development of a web accessible government and that penalties for such
     actions should be proportional to the damage caused. Getting people to
     vote or file taxes online is difficult if government web sites can't
     keep the intruders out.
     MSNBC
     http://www.msnbc.com/news/278369.asp

     Hacking is no longer merely a prank

     COMMENTARY: Hacking retards the growth of a Web-accessible government
     and should hold penalties proportional to the crime

     By Eric Lundquist, PC Week
     ZDNN

     June 9 — Getting your site hacked used to be simply an embarrassment.
     Your carefully designed home page suddenly became a billboard for
     lewdness, racism or whatever the hacker desired to create. However, now
     — and more so in the future — a hacked site is a public indication that
     you are not ready to play in the digital age. Companies and government
     organizations are now realizing this, and hackers who protest that a
     hack is a prank are finding that a prank can result in a bunch of FBI
     agents coming through the front door.

     IN THIS DIGITAL AGE, your company — whether it be an Amazon, E-Trade or
     some idea still forming — is built on a brand, a process and an
     information infrastructure. The way your site appears on the Web; the
     process by which a Web visitor can maneuver and buy products; and the
     ability of your site to scale, connect to suppliers and customers, and
     securely maintain a digital relation will determine your success.

     Sites that scale and allow you to shop comfortably in a digital store
     can quickly extend their brands from books to auctions to pet foods and
     beyond. Sites that crumble while you and the rest of the panicked
     investment community try to bail out on a stock will find themselves
     abandoned and facing a new realm of legal liabilities. Hacked sites
     visibly and fundamentally shake the faith in the brand and the products
     being offered at the digital storefront.

     This loss of faith in the brand carries over to and is magnified in the
     government realm. Internet access is on the verge of becoming
     sufficiently ubiquitous to allow organizational functions to move to the
     Web.
     If the first big thing the Web allowed was personal access and community
     building from the ground up, the next big thing is allowing existing
     organizations to use the Web to assume previously cumbersome functions.
     Vote on the Web? Sure. Register your car via the Web. File your taxes.
     Get your refund. All these functions are certainly possible. What is
     missing is trust.

     Trust is a difficult dimension to describe, but it most clearly is
     apparent in its absence. Don't ask a citizenry to register to vote via
     the Web if the government's top legal agencies can't keep their home
     pages free from graffiti. And it is the trust that is shaken when the
     White House site is hacked. Or the FBI site. Or the Senate site.

     Hacking is more than breaking a few minor laws. Hacking is certainly not
     just being a good digital citizen by showing the security gaps that now
     exist to prevent more serious transgressions in the future. Hacking is
     neither clever nor funny, nor something to be tossed off as adolescent
     humor from sci-fi-addled minds. Hacking retards the growth of a
     Web-accessible government and should hold penalties proportional to the
     crime.

@HWA

31.0 Worm.ExploreZip Continues its Rampage
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 14th 1999

     From HNN http://www.hackernews.com/

     contributed by nvirB

     After forcing some companies to completely shut down their networks and
     keeping some administrators at work all weekend, people are bracing for
     Worm.ExploreZip to resurface with a vengeance today as employees return
     to work. While Worm.ExploreZip has the fast spreading capabilities of
     Melissa it also contains a very destructive payload that can delete
     files. IT administrators are bracing for the expected onslaught of
     inevitable mutations.
     MSNBC
     http://www.msnbc.com/news/278660.asp
     Nando Times
     http://www.techserver.com/story/body/0,1634,59360-94597-674149-0,00.html
     C|Net
     http://www.news.com/News/Item/0,4,37697,00.html?st.ne.fd.tohhed.ni

     FBI and NIPC On the Hunt

     The FBI is hot on the trail looking for the creator of Worm.ExploreZip.
     This is probably more of a PR stunt than anything. The odds of them
     actually finding whoever created this are slim to none.

     ZD Net
     HTTP://www.zdnet.com/zdtv/cybercrime/viruswatch/story/0,3700,2274493,00.html
     Wired
     http://www.wired.com/news/news/technology/story/20168.html

     Mac Vulnerable Too

     Symantec Utilities is claiming that if a Mac user runs Windows emulation
     software, names files with .doc, .ppt, .xls, etc..., and either checks
     his mail under emulation or is on a mixed environment network it is
     possible to contract this worm. (Ed Note: Any Mac user who is running
     this brain dead setup deserves to be infected.)

     ZD Net
     http://www.zdnet.com/zdnn/stories/news/0,4586,2274574,00.html

     C|Net;

     How the email worm works
     By Stephen Shankland
     Staff Writer, CNET News.com
     June 10, 1999, 6:15 p.m. PT

     The Worm.ExploreZip virus, while different in some functional details
     from the Melissa virus that hit in March, takes advantage of a similar
     vulnerability: The fact that so many people now routinely use email.

     The new virus emerged this week, spreading from user to user by taking
     advantage of automation features available to users of Microsoft email
     software on Windows machines. Like Melissa, it requires some active
     participation of the victim: opening the malicious file, or "payload,"
     attached to the email message. And again like Melissa, the malicious
     program then modifies the victim's computer system to send more copies
     of itself automatically by email.
     To encourage a person to open the attachment, both malicious programs
     use a similar ploy: Trick the victim into thinking he or she has just
     received a useful document from a trusted source. Both programs can get
     away with this, because the infected email comes from a person likely to
     be known by the recipient.

     But there the differences end. Where Melissa was relatively benign to
     users, Worm.ExploreZip deletes Microsoft Word, Excel, and Powerpoint
     document files, said Wes Wasson, head of security products marketing at
     Network Associates.

     Where Melissa tapped into address books set up in Microsoft Outlook,
     Worm.ExploreZip's modus operandi is just to bounce back incoming email
     automatically with a response including the malicious program, Wasson
     said.

     That means Worm.ExploreZip will spread more slowly, he said. "How fast
     it spreads correlates to how many emails you get," he said. Melissa, on
     the other hand, sent itself to 50 entries in the address book, and those
     entries themselves could each be mailing lists.

     Regardless of their propagation rate, both viruses depend on automated
     email features. Worm.ExploreZip basically uses a modified version of the
     same feature that allows a person on vacation to set up email software
     to automatically reply with a "try back later" message, Wasson said.

     The advent of email as a distribution mechanism has allowed a new class
     of viruses, Wasson said. In the old days, viruses had to be smaller, but
     Worm.ExploreZip is comparatively huge at more than 200 kilobytes, he
     said.

     "Now with email, I don't have to be slim like I was before," Wasson
     said. "Viruses and worms can be written in [the programming language] C.
     This is really cutting-edge science."

     The increasing power of email viruses means that sophisticated hackers
     who once looked down on viruses now see them as powerful tools to obtain
     information stored on target computers, particularly because using email
     makes it easier to obscure the origin of the attack, he said. "The
     hacker believes the virus is going to be more of a stealth approach," he
     said.

     Selling security

     Antivirus software sellers profit from virus scares. Sales of antivirus
     software jumped 67 percent in the week the Melissa virus hit, according
     to market research firm PC Data.

     Network Associates' Wasson acknowledges the sales boost, but insists his
     company is out there to help people, pointing as evidence to the
     company's free, virus clinic detection services available over the
     Internet. "Rather than hold [people] hostage and take advantage of an
     incident, we'll give it to them for free," he said. Network Associates'
     competitor TrendMicro offers a similar service.

     As more companies begin to become more wary of the risks posed by the
     Internet, Network Associates is offering more security consulting
     services. For example, the company hires itself out to find
     vulnerabilities in computer systems, Wasson said. "Customers come to us
     all the time, saying check my security out, bang on my firewall," he
     said, referring to the protective software designed to keep computer
     networks safe from unauthorized access.

     In addition, the company is offering new software next month called
     CyberCop Sting that not only sets off alarms when there's a burglar, but
     also lets companies set up decoy systems to lure intruders and record
     information about them, Wasson said. The strategy is similar to the
     technique described by author Clifford Stoll in his book, The Cuckoo's
     Egg: Tracking a Spy Through the Maze of Computer Espionage.

     -=-

     FBI investigating email worm
     By Tim Clark
     Staff Writer, CNET News.com
     June 11, 1999, 3:00 p.m. PT (update)

     In the wake of yesterday's attack by the virulent Worm.ExploreZip virus,
     the FBI said it is investigating the case as a possible crime.

     "As was the case with Melissa, the transmission of a virus can be a
     criminal matter, and the FBI is investigating," said Michael Vatis,
     director of the National Infrastructure Protection Center (NIPC).
Vatis said the worm has the potential of doing significant damage to private sector and government computer systems. (See CNET Topic Center on antivirus software.)

"It is critical for computer users to be aware of and take the well-publicized steps to protect against and mitigate potential damage caused by malicious code," he said in a statement released this afternoon.

He added that transmission of malicious code can be a federal criminal offense and that the FBI is "aggressively investigating" the matter.

The National Infrastructure Protection Center is monitoring developments and coordinating field office investigations, he said, urging victims of the virus to contact the FBI field office nearest them, or the NIPC Watch and Warning Unit, which can be reached by email at nipc.watch@fbi.gov.

"Because of the destructive payload delivered by this virus, its potential impact is significant," Vatis said. "All email users should exercise caution when reading their email for the next few days and bring unusual messages to the attention of their system administrator."

After the Melissa virus outbreak that began March 26, the FBI joined other agencies to identify and track down whoever had created, then spread the virus. On April 1, a 30-year-old New Jersey man, David L. Smith, was arrested by federal and state officials and charged in the case. He has pleaded not guilty and his case is still pending.

-=-

Data virus forces email shutdowns
By Kim Girard
Staff Writer, CNET News.com
June 10, 1999, 7:10 p.m. PT
update

Corporations are scrambling to cope with a new data-destroying virus that is forcing the shutdown of email systems nationwide.

The virus, first reported to the Symantec Antivirus Research Center on Sunday by five companies in Israel, is called Worm.ExploreZip or Troj_Explore.Zip. The worm uses Mail Application Programming Interface (MAPI) commands and Microsoft Outlook on Windows systems to propagate itself, Symantec said.
In some ways, the virus is the sequel to the Melissa virus, which spread with unprecedented speed in March. Worm.ExploreZip spreads from computer to computer by taking advantage of automation features available to people using Microsoft email software on Windows machines.

Although the new virus doesn't spread as fast as Melissa, it causes more damage, according to antivirus experts, deleting Microsoft Word, Excel, and PowerPoint document files, among others. (See CNET Topic Center on antivirus software.)

Several firms have shut down their email systems entirely while IS staff root out the virus, according to Symantec.

Boeing was hit particularly hard. The Seattle-based aerospace giant shut down its email system, which is used by at least 150,000 employees, at 2:30 p.m. today, a company spokesman said. The company was still assessing the damage caused by the virus, but the spokesman, who asked not to be named, said he knew of at least one employee whose entire hard drive was wiped out.

"As soon as we became aware of it, we told everyone, and we put a message up on our internal Web site," he said. Late in the day the email still had not been restored. The company hopes to have it back up by tomorrow.

PricewaterhouseCoopers took down its entire email system, used by 45,000 U.S. employees, also at 2:30 p.m. in response to the virus. The company was just bringing up parts of the system at 7 p.m., a company spokesman said, but he didn't know how much damage had been done or how many workers had been affected.

Some companies said they disarmed the virus--actually a software "worm"--before it could cause many problems. Microsoft, for example, disconnected its email servers from the Internet at about 9 a.m. so that programmers could work on an antidote, company spokesman Dan Leach said. The servers were up and running two hours later, he added.
Employees of antivirus software maker Symantec report that they have received email that includes the worm, which arrives as an attachment to the missives.

Companies such as General Electric and Southern Company have had files deleted by the virus, according to Bloomberg.

Virus protection firm Trend Micro spokeswoman Susan Orbuch said earlier today that the company had received 107 calls from customers concerning the virus. Thirteen of those calls came from those already infected, she said. Orbuch said that Trend Micro knew of five large companies that had been infected, as well as several public relations firms and a magazine. She declined to name the companies.

Nate Meyer, spokesman for Credit Suisse First Boston, said the virus had struck the company's offices in New York, San Francisco, and Palo Alto, California, and that other offices worldwide may have been affected. He said he did not know how many of the company's computers were infected.

Meyer said Credit Suisse's technology department had been working on the problem for much of the day and had sent out a warning about it this morning. But he said the virus did not seem to have slowed the company's operations, adding that it had not disrupted the investment company's stock trading. Meyer noted that his own email had been working throughout the day.

Quick repairs

Representatives at AT&T and Intel reported that they were able to quickly repair their systems after being hit by the virus. "These are things that we have to do because of the communications reality that we live in today," an AT&T spokeswoman said.

The virus disrupted work at Cambridge, Massachusetts-based industry analyst firm Forrester Research, where Internet access, including email, was cut off.

Another analyst firm, Current Analysis, sent email to customers warning them not to open any email attachments coming from the firm with the .exe extension because an employee's PC had been infected.
The infected email may contain the message: "Hi [recipient name]! I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs. bye."

Unlike the Melissa virus, which harvested from a user's address book, the new virus raids an email in-box when executed through Microsoft Exchange or Outlook. The worm attaches itself as a file called zip_files.exe and is sent off with a return email.

Although the virus isn't expected to spread as quickly and to as many computers as Melissa did, it does destroy files. "It's an .exe file posing as a Zip file," said Eric Chien, senior researcher at the Symantec Antivirus Research Center.

The worm is particularly insidious because it searches through hard drives and destroys files with extensions of .doc, .xls, .ppt, .c, .cpp, .h, or .asm, he said. Chien said that means whoever wrote the virus was targeting corporations--seeking to destroy developers' source code, as well as documents created using Microsoft Office applications, such as Word and Excel.

"It singles out those files and destroys them," he said. "This hits the local drive and the file server."

Extent of damage not known

Chien said it is unclear how much damage the virus has done. "We've received multiple reports from major corporations in the U.S.," he said. "What we're hoping is that the initial jump on this Sunday night will prevent it from spreading."

Panda Software said it has added free downloads for the detection and disinfection of the virus--which it called "extremely dangerous"--on its Web site. The company also urged people to update antivirus software.

Esther Shin, a public relations specialist at Aventail, a Seattle-based business-to-business e-commerce firm, said two of her colleagues encountered the virus this morning. One of them lost all the files on his hard drive after he opened the attachment, she added.
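The CNET report above gives a defender three concrete things to look for: the worm's auto-reply lure text, an .exe attachment named to look like a zip archive (zip_files.exe), and, in the Network Associates removal notes later in this issue, a run= line in WIN.INI that starts explore.exe. The following Python script is an added example written for this digest, not code from CNET, Symantec or Network Associates; the email messages and WIN.INI text it scans are constructed samples, and the function names are this example's own.

```python
"""Indicator checks for the Worm.ExploreZip behaviour described above.

Added example: the sample messages and WIN.INI text are constructed, and
the function names are this example's own, not a vendor API.
"""
from email import message_from_string
from email.message import Message

# Lure sentence quoted in the CNET report (matched case-insensitively).
LURE_TEXT = "take a look at the attached zipped docs"
# Attachment name reported for the worm.
KNOWN_ATTACHMENT = "zip_files.exe"
# File the worm drops and starts from WIN.INI; note it is explore.exe,
# one letter short of the legitimate explorer.exe.
WORM_BINARY = "explore.exe"


def extract_text(msg: Message) -> str:
    """Concatenate the text/plain bodies of a message, attachments excluded."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def attachment_names(msg: Message) -> list:
    """Filenames of every MIME part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def is_disguised_executable(name: str) -> bool:
    """True for an .exe whose name suggests a zip archive, as the worm's does."""
    lower = name.lower()
    if not lower.endswith(".exe"):
        return False
    return lower == KNOWN_ATTACHMENT or "zip" in lower[:-4]


def analyze_message(raw: str) -> list:
    """Indicators found in one RFC 822 message; an empty list means none."""
    msg = message_from_string(raw)
    reasons = []
    if LURE_TEXT in extract_text(msg).lower():
        reasons.append("lure-text")
    for name in attachment_names(msg):
        if is_disguised_executable(name):
            reasons.append("exe-as-zip:" + name)
    return reasons


def find_worm_run_entries(win_ini: str) -> list:
    """run= lines in the [windows] section of WIN.INI that launch the worm."""
    hits, section = [], ""
    for line in win_ini.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            continue
        key, sep, value = stripped.partition("=")
        if section == "windows" and sep and key.strip().lower() == "run":
            # Compare the file name only; the directory varies by install.
            exe = value.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if exe == WORM_BINARY:
                hits.append(stripped)
    return hits


def strip_worm_run_entries(win_ini: str) -> str:
    """WIN.INI text with the worm's run= line removed (the NAI removal step)."""
    bad = set(find_worm_run_entries(win_ini))
    return "\n".join(line for line in win_ini.splitlines() if line.strip() not in bad)


# Constructed sample: the shape of an infected auto-reply from the report.
SAMPLE_INFECTED = """\
From: colleague@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi victim! I received your email and I shall send you a reply ASAP.
Till then, take a look at the attached zipped docs. bye.
--b1
Content-Type: application/octet-stream; name="zip_files.exe"
Content-Disposition: attachment; filename="zip_files.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

# Constructed sample: a legitimate reply carrying a real archive.
SAMPLE_BENIGN = """\
From: colleague@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Here is the archive you asked for.
--b2
Content-Type: application/zip; name="report.zip"
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b2--
"""

# Constructed WIN.INI containing the persistence line quoted in the removal notes.
SAMPLE_WIN_INI = r"""[windows]
load=
run=c:\windows\system\explore.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print(analyze_message(SAMPLE_INFECTED))   # ['lure-text', 'exe-as-zip:zip_files.exe']
    print(analyze_message(SAMPLE_BENIGN))     # []
    print(strip_worm_run_entries(SAMPLE_WIN_INI))
```

The message check deliberately keys on the attachment name pattern rather than only the exact string zip_files.exe, since the removal notes below warn that copycats and variants tend to follow the original; the WIN.INI check compares only the executable's file name because the directory differs between Windows 95/98 and NT installs.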
The email was worded to make the recipient believe that the message came from a Microsoft employee, she said. Shin said she got a similar email but didn't open the attachment. "When I got hit I called all my contacts," she said.

Bloomberg and News.com's Troy Wolverton, Dan Goodin, and Tim Clark contributed to this report.

-=-

31.1 Removal of the Worm.ExploreZip virus (from MSNBC insert)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

HOW TO GET RID OF IT

If your computer is infected, security software company Network Associates recommends these steps to remove it:

- If you’re running Windows 95 or 98: Restart your computer in MS-DOS mode, edit the WIN.INI file and remove the line run=c:\windows\system\explore.exe. Then delete the file c:\windows\system\explore.exe and restart Windows.

- If you’re running Windows NT: Run REGEDIT (not REGEDT32) and locate the hive [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] and remove the following key: run=C:\\WINNT\\System32\\Explore.exe
  Restart Windows NT, then remove the file c:\winnt\system32\Explore.exe

- If you’re unsure whether you’ve been infected, Network Associates recommends that you look in your My Documents folder to see whether you’re missing any familiar files, or look in the Sent Messages folder in your e-mail client to see if you are sending replies with attachments that you do not remember sending.

Network Associates’ Gullotto warned that if this worm follows the pattern of recent malicious attachments, network administrators and users should be alert to e-mails that are suspicious but do not match exactly the characteristics of Worm.ExploreZip. Variants and copycats of malicious software often appear soon after the original.

@HWA

32.0 Senate web site hacked again(!)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

Senate Web Site Attacked, Again!
contributed by FedWatcher

For the second time in almost as many weeks the official web site of the US Senate has been defaced. A group known as The Varna Hacking Group from Bulgaria claimed responsibility. (Mirror provided by attrition.org)

Wired
http://www.wired.com/news/news/politics/story/20180.html

MSNBC
http://www.msnbc.com/news/279233.asp

AP via Yahoo
http://dailynews.yahoo.com/headlines/ap/technology/story.html?s=v/ap/19990611/tc/senate_hackers_1.html

HNN Cracked Pages Archive
http://www.hackernews.com/archive/crackarch.html

Wired;

US Senate Cracked Again
by Polly Sprenger
4:30 p.m. 11.Jun.99.PDT

For the second time in two weeks, crackers on Friday defaced the Web page of the US Senate.

The official Senate Web site was down as of Friday afternoon while administrators repaired and restored the network. A cracker replaced the official page with one that said "free Kevin Mitnick, free Zyklon."

An employee of US Senate Technical Operations said the site went down around 4 p.m. EST, but couldn't say when the site might come back up.

"Those of us who haven't been hacked yet are just trying to lay low and beef up security as we can," said Sean Donelan, a network engineer for Data Research Associates, a nationwide Internet service provider that works with state governments, libraries, and schools.

Donelan said that each government agency is having to reinforce security independently and that outside vendors working with the government departments consider their security solutions proprietary.

"[We] are also trying not to attract attention and not waving a red flag challenging anyone to 'test' our security," Donelan said.

The Senate home page was previously cracked on 27 May. In that incident, crackers filled the page with comments critical of the FBI. That hack was claimed by the group Masters of Downloading, who broadcast the message "MAST3RZ 0F D0WNL0ADING, GL0B4L D0MIN8T10N '99!" on the Senate's site.
The Varna Hacking Group claimed responsibility for the latest Web vandalism. The organization claims it is a "noncommercial hacking group." Varna is based in Bulgaria, according to reports of a 1998 attack that members claimed to have launched against the Cartoon Network.

Zyklon, mentioned in Friday's incident, is alleged to be a 19-year-old hacker from Shoreline, Washington. He was indicted in early May for his alleged involvement in other government site hacks.

Many of the recent hacks demanded justice for imprisoned cracker Kevin Mitnick, who has been in jail for more than four years awaiting trial on a broad swath of criminal charges.

@HWA

33.0 Mitnick Sentencing Hearing Rescheduled
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by Macki

This weekend Judge Pfaelzer granted Kevin Mitnick's defense a continuance, postponing tomorrow's previously scheduled sentencing hearing until July 12th. This will give the defense time to verify the damage claims which may be upwards of $80 million. Although it is not known for sure, some people have speculated that the recent demonstrations (including a recent LA Times article on them) may have influenced Judge Pfaelzer to grant this request. She refused to hear a similar motion just days before the demonstrations. It is interesting to note that July 12th is the Monday after Defcon.

FREE KEVIN
http://www.kevinmitnick.com/home.html

Letters Claiming Damage Amounts
http://www.hackernews.com/orig/letters.html

34.0 Russia Looks to Beef Up its Version of Echelon
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by Merlock

Russia has recently leaked a story concerning its version of Echelon (the North American spy network system) called SORM (System for Operational-Investigative Activities). This group has been around for over a year now, but a new development has civil rights leaders in Russia scared.
"SORM-2" will require all Russian ISP's to install black-box recording devices at their POPs at the ISP's expense!!! Russian web users have exclaimed that they have been spied on for years, only now they are going to have to pay for it.

ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/russiansonline990612.html

Russians Fight for Net Privacy
Christopher Hamilton
Special to ABCNEWS.com

ST. PETERSBURG, June 11 — In Russia, the Internet and free are words not necessarily found in the same sentence.

Russian Internet users continue to struggle against a state security system mired in Soviet-era attitudes toward the free flow of information. The latest outrage: a ministerial act put forward by the Federal Security Service (FSB in its Russian acronym), the successor to the KGB. The act would boost the ability of law enforcement to monitor citizens’ Internet activities.

The new act represents an addendum to an existing regulation called SORM — the Russian acronym for System for Operational-Investigative Activities. Currently awaiting approval from the Russian Ministry of Justice, SORM-2 would require Internet service providers to install at their own expense FSB-provided “black boxes” plus a hotline to the FSB. The devices would enable the FSB to monitor and record all electronic communications.

Because SORM-2 is a regulation, it requires only approval from the Ministry of Justice, not review by Parliament or President Yeltsin.

Existing law already affords the state security apparatus plentiful eavesdropping possibilities once a warrant is issued. SORM-2 would expand those capabilities, making full electronic surveillance as easy as a mouse click for the FSB.

‘Steps Toward Totalitarianism’

News of SORM-2 was leaked late last year on the Moscow Libertarium, a digital-freedom Web site sponsored by the Institute for Commercial Engineering in Moscow.
“SORM-2 is a step toward removing the checks and balances between public and the state,” says Anatoly Levenchuk, who operates the Libertarium site. “First they will start investigations without warrants. Then they will decide who is guilty without a trial…These are steps toward totalitarianism.”

“The FSB is used to collecting dossiers on citizens just in case,” said Yuri Vdovin of Citizen’s Watch, a St. Petersburg-based human rights organization. “They have been spying on us for years, but now I am going to have to pay for it.”

Russian ISPs have already begun to feel the chill. Bayard-Slavia Communications, a Volgograd-based ISP that has repeatedly refused to provide information to the FSB without a warrant, was disconnected from its network provider in mid-May. The state communications agency, Goskomsvyaz, cited “improper formulation” of the company’s contract with the provider, Moscow-Teleport. Company director Nail Murzhanov has assembled a team of prominent activists and lawyers in St. Petersburg and vows to take the matter to court.

Eugene Prygoff of Kuban Net, based in Krasnodar, also reports FSB pressure. “Things here in the provinces aren’t like in Moscow and Petersburg. They come and ask for full access to our clients’ e-mail. Sure, we ask for a court order and an explanation, but they have power in the structures that own the ISDN line, so we have to comply.”

Turning to Encryption

Hoping to prevent invasions of their privacy, many Russian Internet users are turning to encryption. According to Maksim Otstavnov, who maintains the Russian Web site for the encryption program PGP, or Pretty Good Privacy, hits increased about 10-fold after news of SORM-2 was leaked to the public last year.

But the official status of cryptography in Russia remains unclear. In 1995, Yeltsin banned the use of PGP and other forms of encryption unless it is licensed and registered with FAPSI, the Russian equivalent of the U.S. National Security Agency.
Whether his decree legally applies to private citizens is a matter of debate. The murky state of the law and the lack of public disclosure leaves citizens uninformed about laws that affect them.

Citizen’s Watch has held numerous seminars on issues surrounding SORM and computer privacy. “We need to educate people and get them involved,” said Vdovin. Vdovin and Citizen’s Watch are drafting proposals for the State Duma, Russia’s lower house of Parliament, to create a system of checks and balances to rein in the FSB’s domestic spying activities.

Meanwhile the shadowy struggle between the security agency and Internet service providers continues. According to Anatoly Levenchuk, “The FSB is already trying to establish ‘volunteer’ agreements similar to SORM-2 with providers. ISPs failing to comply face pressure tactics ranging from repeated visits from tax police to building inspectors threatening to shut them down.”

In Russia, the state has always fought for access to its citizens’ private communications, while citizens have fought back as best they could. The battle over Internet privacy could determine who’s winning this ongoing struggle.

35.0 Company Claims CyberAttack by Competitor
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by Seraphic Artifex

Lenox Healthcare Inc. is claiming that its competitor Vencor Inc. engaged in "dead of night computer hacking" according to a lawsuit filed in Los Angeles County Superior Court in California. These actions are allegedly in retaliation for Lenox's cooperation with a government investigation of Vencor. The lawsuit claims, among other things, that Vencor broke into Lenox Healthcare's computer system to prevent Lenox from processing medical bills. (It will be interesting to see if these claims can be proven in court.)
The Berkshire Eagle
http://search.newschoice.com/nebe/eagleheadlines/99-06-08_clarkesues08a1.asp

Lenox Healthcare suing major nursing home firm
Tuesday June 08, 1999
By Ellen G. Lahr
Berkshire Eagle Staff

PITTSFIELD -- Lenox Healthcare Inc. is suing one of the biggest U.S. nursing home companies, Vencor Inc., for engaging in extortion, death threats and "dead of night" computer hacking, allegedly in retaliation for Lenox's cooperation with a government investigation of Vencor.

Vencor Inc., a publicly traded company with more than 300 nursing homes and 60 hospitals around the country, carried out "oppressive, unlawful and often maniacal actions" against Lenox Healthcare, according to a lawsuit filed in Los Angeles County Superior Court in California.

The lawsuit also accuses a Vencor company lawyer of "threatening to appear at [Lenox Healthcare's] office with a gun and 'blow away' " Lenox Healthcare President Thomas M. Clarke if Clarke didn't make certain payments to Vencor.

Efforts to gain comment from Vencor and its California attorney were unsuccessful yesterday. Both Clarke and his lawyer also declined to comment.

$28 million deal

Vencor and Lenox Healthcare have been locked in a web of contracts since Lenox Healthcare purchased or leased 30 of Vencor's facilities in 1996 in a $28 million business deal. About half of the facilities purchased or leased are concentrated in California.

The lawsuit states that Vencor reneged on millions of dollars allegedly owed to Lenox Healthcare, and fraudulently compelled Clarke to pay $8.7 million for a California nursing facility that was worth far less.

Vencor is teetering on the edge of bankruptcy because of an array of regulatory and financial problems, according to financial reports and the company's own annual report.

The case also claims that:

- After the 1996 business deal was completed, Vencor received millions of dollars in Medicare and Medicaid payments that should have gone to Lenox Healthcare.
Vencor eventually turned over some $4 million to Lenox, but has retained nearly $1 million more.

- Vencor allegedly broke into Lenox Healthcare's computer system to prevent Lenox Healthcare from processing medical bills, "thereby allowing Vencor to capitalize on the resulting interim financial crisis by extorting" money from Lenox Healthcare.

- Vencor allegedly tried to cut off Lenox Healthcare's receipt of pharmaceutical supplies and therapy services "as a means of extorting further monies" from Lenox Healthcare.

- The lawsuit also states that Vencor officials spread rumors that Lenox Healthcare was on the verge of bankruptcy, threatened to take over the business and placed Clarke under "extreme duress."

- Vencor also is accused of undermining Lenox's efforts to obtain bank financing to offset losses created by Vencor's actions.

Lenox claims that the crux of the case involves its cooperation with federal investigators who were probing Vencor's alleged Medicare fraud schemes.

After the 1996 deal, Vencor retained contracts with Lenox Healthcare to provide certain rehabilitation services to the nursing home patients. Under the deal, Vencor would provide services such as physical and occupational therapies and then bill the nursing home for the services. The nursing home would bill Medicare and reimburse Vencor when payments were received.

According to the suit, Lenox Healthcare discovered that Vencor was "padding its bills" for rehabilitation services. Vencor, the lawsuit says, billed the nursing home for therapeutic services when staff members were actually engaged in marketing and administrative tasks. Other billing fraud was common as well, said the lawsuit.

Vencor claims Lenox Healthcare owes $9 million for "therapy services," but Lenox Healthcare believes it owes Vencor nothing, the lawsuit says.
The lawsuit claims that Vencor's actions against Lenox Healthcare were motivated "in part by [its] plummeting stock price, a federal investigation of Vencor's discrimination against and eviction of Medicaid patients, and securities fraud allegations."

The lawsuit accuses Vencor of carrying out a "vendetta" to seriously injure or financially ruin Lenox Healthcare.

According to financial reports, Vencor has been ordered by the federal government to repay $90 million in excessive Medicare reimbursements. The company also was exposed for trying to evict Medicaid patients from its nursing homes to replace them with more lucrative private-paying patients.

The lawsuit accuses Vencor of earning "a national reputation for erratic, abusive and vindictive conduct in the operation of its business activities."

Lenox Healthcare, a privately owned long-term care company, owns or operates some 100 nursing homes, hospitals and assisted-living facilities around the country.

@HWA

36.0 LA set to Allow Internet Voting
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by Anonymous

The Louisiana Republican Party may allow people to vote via computer in the Jan. 29, 2000, presidential caucus. The company VoteHere.Net says its system is one of the toughest to defeat. One has to wonder just how tough it would be to compromise the client side of the equation with programs like NetBus and Back Orifice floating around?

US News and World Report
http://www.usnews.com/usnews/issue/990621/internet.htm

@HWA

37.0 CCC Camp Shapes Up
     ~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by tim

The Chaos Communication Camp, scheduled to take place later this summer in Germany, is shaping up nicely. There is now a FAQ, registration information and even some weird video stuff.
Chaos Communication Camp
http://www.ccc.de/camp/

Camp Trailer
ftp://ftp.cs.tu-berlin.de/pub/NeXT/video/movies/quicktime/rendezvous_qt2.mov

HNN Cons Page
http://www.hackernews.com/cons/cons.html

@HWA

38.0 Hong Kong Makes Major Piracy Bust
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by Sinbad

Customs officials in Hong Kong have seized $2 million worth of pirated software, production equipment, and vehicles in what is being called the largest bust of its kind. Officials confiscated 180,000 pirated CD-ROM titles and arrested seven people.

Nando Times
http://www.techserver.com/story/body/0,1634,59240-94420-672929-0,00.html

Hong Kong Customs seize record number of pirated CD-ROMs

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

HONG KONG (June 13, 1999 9:53 a.m. EDT http://www.nandotimes.com) - Customs officials seized 180,000 illegal CD-ROMs along with production equipment in the latest raid to stop rampant copyright piracy, the government reported Sunday.

Officials seized the record number of computer CD-ROMs, a large quantity of equipment and four vehicles, worth a total of $2 million, during the raid Saturday, a statement from Customs said. Seven people were arrested, but no charges had been filed, it said.

Despite frequent raids, Hong Kong remains a center for copyright pirating. Pirated CDs, video CDs and computer software are widely available at shopping arcades and street vendors at a fraction of the cost of a genuine copy.

@HWA

39.0 Ernst & Young Profile
     ~~~~~~~~~~~~~~~~~~~~~

June 14th 1999

From HNN http://www.hackernews.com/

contributed by afghan

A nice adverticle for Ernst & Young's Global Securities Solutions Center and its quick response team. Not much 'news' here but a real strong pitch for the 'eXtreme hacking' course offered by the company. It also mentions how great the Palm Pilot is.
Kansas City Star
http://www.kcstar.com/item/pages/business.pat,business/30db0e56.611,.html

Here is a link to PalmVNC that allows you to control an Xserver with a little ol' Palm Pilot as mentioned in the above article. (Not everything is proprietary.)

PalmVNC
http://www.icsi.berkeley.edu/~minenko/PalmVNC

KC Star;

Hacker U: Company offers security service, training against computer invaders
By DAVID HAYES - The Kansas City Star
Date: 06/11/99 22:15

These aren't your father's accountants.

There isn't a button-down shirt among these Ernst & Young staffers. Not one of them is toting a calculator or adding machine. And that "generally accepted procedures" thing accounting firms like to talk about? Forget it.

In fact, these employees of the Big Five accounting firm get a little testy if you even ask whether they have an accounting background.

This is the Ernst & Young nerd squad.

They aren't financial accountants looking for weaknesses in their clients' accounts-payable procedures. They're computer analysts looking for holes in their clients' computer security systems and ways to hack into their payroll.

It's big business.

Ernst & Young has 30 employees in its Global Securities Solutions Center in Kansas City, new headquarters for a national and international computer security operation that has 700 employees worldwide. The operation expects to grow both here and worldwide and take in about $60 million in 1999 -- up from $12 million three years ago.

"We see this as being the wave of the future," said Lisa Schlosser, operations leader of eSecurity Solutions for Ernst & Young.

The program addresses computer security issues on several fronts -- training information technology employees for clients; examining corporate computer systems for potential holes; and moving in a "quick response team" if a hacker breaks into a client's computer system.
The service can be expensive -- $250,000 to more than $1 million, depending on the size of the client and the company's computer system, Schlosser said.

Even large corporations with well-protected computer systems are ripe for a digital break-in, said Eric Schultze, a member of the quick-response team and anti-hacking trainer for Ernst & Young.

One of the most critical computer break-ins Schultze said he had worked on involved a company that took security very seriously.

"They had all types of physical security to get into the building," Schultze said. "But somebody got in and controlled their computer systems. It had been going on for four to five days before they discovered it."

When that happens, Ernst & Young sends in its quick-response unit -- a team of three or more hacking experts, including some with law enforcement experience. The team has been called out three times in the last month.

As computers have become more prevalent in the workplace, the problem has grown.

"With any large corporation you can almost guarantee they've had a security breach somewhere," said George Kurtz, another member of the Ernst & Young team.

To reduce the chance of such attacks, Ernst & Young has set up a training program for its employees and for clients.

This week, 30 Ernst & Young employees from around the country and from Canada, Great Britain and Denmark attended the computer hacking boot camp at the Kansas City center.

The weeklong program, called "eXtreme hacking -- Defending your site," is a $4,000 training course teaching "the greatest hacks out there today," Schultze said. And, of course, those who take the class are taught how to protect security systems from those computer break-ins.

"We show them things they never thought were possible," Schultze said.

Students in the class learn things like "account cracking," "exploiting reciprocal trust," "hijacking the GUI," and various ways to break into a computer system and find user passwords.
On Thursday, Ernst & Young trainers showed fellow employees how a hacker could hijack a client's computer -- even rebooting it remotely -- using a Palm Pilot personal organizer.

Ernst & Young has held about 10 classes around the country in the last year, mostly for the company's own employees. Similar classes now are planned at the Kansas City center about once a month, and the program is being opened to clients.

Instructors arrive packing a storeroom's worth of boxes with notebook computers, routers, networking equipment, servers and other computer gear. The classroom is set up to simulate various types of corporate computer systems.

Schultze said the classes grew out of a computer break-in at a big software company.

"We showed the company stuff that amazed them," he said. "They said, `You guys can do that? Can you teach us?' "

That's grown into a security practice that includes 23 laboratories across the country, all connected to a lab in Kansas City. The Kansas City lab includes every computer environment the company can think of, so that the latest hacking -- or anti-hacking -- tools can be tested before being deployed to other offices, Schlosser said.

The initial two-day course has become a weeklong anti-hacking event with a combination of classroom lectures and hands-on simulations that end with a hacker's version of a capture-the-flag contest.

Not just anyone with $4,000 will be able to take the class.

"Obviously, we do some screening," Schultze said. The class is for "white hat" hackers -- those who hack to find vulnerabilities in systems, not their "black hat" counterparts who hack to do damage.

The Ernst & Young computer security team uses both easily accessible hacking software tools and special programs developed by the company.

The team showed students how to hack into a corporate computer using a Palm Pilot and a program called PALM VNC.
Using the Palm Pilot's small screen, a hacker could see the hacked computer's desktop, and even when the cursor moved on the screen. "That was a pretty cool hack," said Royce Willis, from Ernst & Young's Chicago office.

Kurtz showed the group another hijacking software program, called NetBus, that takes hacking a step further. Once a hacker breaks into a computer and installs NetBus, the program lets the hacker play sounds on the hacked computer, open the computer's CD-ROM drive or turn on a microphone attached to the computer to listen to what's being said in the room, he said.

Schultze said VNC, NetBus and dozens of similar programs were created as administrative tools for computer systems administrators. "Any legitimate tool can be used for illegitimate purposes," Schultze said.

After taking more than three days of anti-hacking classes and learning that the instructors had secretly put a program on her laptop that logged every letter or number she'd typed, Jenny Dho, from Ernst & Young's Montreal office, said she'd learned a lot. "It worries me for my clients' sake," Dho said.

Dave Morgan, who traveled from Ernst & Young's office in Vienna, Va., to take the class, said: "Keeping up with this stuff is a full-time job. "Every day, something new is released into the wild. Hackers are always one step ahead of us."

To reach David Hayes, technology writer, call (816) 234-4904 or send e-mail to dhayes@kcstar.com

All content © 1999 The Kansas City Star

@HWA

40.0 What is Your Privacy Worth?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 15th 1999

From HNN http://www.hackernews.com/

contributed by Anonymous

Do you know what value your privacy holds? The $2.3 billion marketing information industry sure does but how do you convince a court how much your privacy is worth if you need or want to sue a company for damages? The Electronic Frontier Foundation intends to find out.
They have started research into the problem of online identity value to make it easier for people to sue for damages. One factor in the equation will be how much companies charge for information: traditional use of a name for a direct mailing costs around seven cents, but on the Internet, each customer name is worth 15 cents.

CAL LAW http://www.callaw.com/stories/edt0614f.html
The Electronic Frontier Foundation http://www.eff.org/

CAL LAW; Putting a Price on Our Internet Identities
By Renee Deger

In more moribund moments, many life insurance policyholders have been known to joke bitterly about how much they'd be worth dead. Unfortunately, they have less of a clue of what they're worth alive, says one longtime plaintiffs lawyer. That's too bad, because marketing and retail companies are making a killing at dealing in the habits and preferences of living people -- information people often simply give away, knowingly or not.

That cloud of ignorance is about to clear, and the average person may soon have a better idea of what they're worth as individuals. The San Francisco-based Internet think tank Electronic Frontier Foundation is embarking on an effort to put a price on the average person's identity so that people can sue for damages if their privacy is invaded -- especially their privacy as Web surfers. "An important part for an individual to negotiate with a Web site is the total cost of ownership [of themselves]," says Tara Lemmey, head of EFF.

Still in its infancy, the effort to value individualism will be based in large part on how much money companies pay for customer information, and how much companies score for selling it. "How many times is [an individual profile of a] person selling, what's the value each time it's used, at what point does it decay -- that translates to what it's worth to a consumer," Lemmey says. The Internet has already turned the $2.3 billion marketing information industry on its ear.
Traditional use of a name for a direct mailing is seven cents, but on the Internet, each customer name is worth 15 cents. Multiply that by millions of names being swapped millions of times. "Traditional list brokers jumped right in," says William Dean, president of San Francisco market researcher W.A. Dean & Associates. "Information on the Internet is worth more because people usually opt in" if they want to get more information or e-mails, Dean adds. Online information is so valuable that one start-up company earlier this year went so far as to offer free Compaq personal computers to anyone willing to be tracked. The computers doled out by FreePC, at www.freepc.com, are worth about $1,000 each, but the company is expected to recoup the money by selling the information it gleans from its "customers." Arnold Laub, a San Francisco plaintiffs attorney, is enticed by the prospects. "It's something that hasn't really been analyzed. If it's done right and the economists get involved, you can make a determination of interest and value," Laub says. "The problem is -- most people don't know the value of their identity," he says. Other factors of a human life have already been probed in detail, however. In personal injury and wrongful death claims, lawyers already can refer to actuarial tables and economic formulas to value lost livelihood. And in claims involving famous people who have already sold their likeness or their creations, lawyers can refer to prior contract terms. Whether the EFF's effort produces the same kinds of wallet-card-type dollar values on death and lost wages that plaintiffs lawyers utilize is still up in the air, however. Lemmey says the foundation's in-house lawyers have just begun to kick around the idea and are hoping to come up with a model to support broader debates. She says they want people to become more conscious of the value they add to commercial enterprises, and how much they can demand from a company that doesn't keep its promises. 
"If a company claims it's for one-time use or internal purposes only or sells it, what are the damages?" asks Lemmey. "No one knows." @HWA 41.0 BSA Tactics Condemned by UK ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 15th 1999 From HNN http://www.hackernews.com/ contributed by Warez Dude The Birmingham Chamber of Commerce and Industry, and the Advertising Standards Authority in England have condemned the practices of the Business Software Alliance. The two groups claim that recent tactics used by the BSA in its 'Crackdown 99' campaign are misleading and overly threatening. Wired http://www.wired.com/news/news/politics/story/20217.htm (url unavailable June 24th - Ed) @HWA 42.0 US Allows 128bit SSL Into Japan ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 15th 1999 From HNN http://www.hackernews.com/ contributed by secret Recent changes in the crypto export law have left open a small loophole that allows 128 SSL encryption out of the country. The recent export deregulation covered "online merchants," or electronic shops, if a user goes directly to VeriSign in the United States, it is possible to obtain a digital ID for 128-bit encryption at electronic shops in Japan. Asia Biz Tech http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/moren/73414 U.S. Export Loophole Allows 128-bit SSL Encryption to Be Used by Japanese Electronics Shops June 10, 1999 (TOKYO) -- A loophole in U.S. export restrictions of 128-bit Secure Socket Layer encryption is allowing Japanese electronics shops to adopt the stringent security method. It was found that the digital ID for the server that enables 128-bit encryption can be easily obtained at electronic shops.

SSL is a mechanism for encrypted communication between Web browsers and servers. In Japan, 40-bit SSL encryption is normally used. A 128-bit key is far more secure: its keyspace is 2^128 / 2^40 = 2^88, roughly 3 x 10^26, times larger than that of a 40-bit key, so a brute-force key search that is feasible against 40-bit export ciphers is hopeless against 128 bits.

Due to export restrictions imposed by the United States, the use of 128-bit encryption in Japan was not permitted until December 1998, when the United States partially deregulated 128-bit encryption exports and allowed its use by financial institutions and the health care industry.

Responding to this export deregulation by the U.S. government, VeriSign Inc. of the United States began offering a service that provides digital IDs for 128-bit SSL encryption to overseas countries, including Japan. The service is offered through www.verisign.com and began in April 1999 in Japan. The recent export deregulation covered "online merchants," or electronic shops, but VeriSign Japan KK did not intend to provide such general shops with digital IDs for 128-bit encryption because of safety considerations. It was found, however, that if a user goes directly to VeriSign in the United States, it is possible to obtain a digital ID for 128-bit encryption for electronic shops in Japan. Therefore, a highly secure SSL can be used in Japan as well as in the United States, unless these electronic shops sell drugs or materials that could be used as weapons. (Nikkei Multimedia)

@HWA

43.0 Terrorists About to Cause Electronic Chaos
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 15th 1999

From HNN http://www.hackernews.com/

contributed by Weld Pond

Massive FUD (Fear, Uncertainty, and Doubt) in this article. We might as well just give up because the world will end tomorrow. Terrorists roaming the internet about to cause massive chaos around the globe. The threat of electronic terrorism is looming larger and larger each day.

The Jerusalem Post
Monday, June 14, 1999 30 Sivan 5759
Updated Mon., Jun. 14 08:52

Computer terror can't be ignored
By YONAH ALEXANDER

(June 14) - The latest "Melissa" virus, which spreads via infected e-mail, and the upsurge of computer intrusion by hackers into the Web sites of the White House, Senate, and the FBI, have once again focused attention on cyber-crime and its ominous international security implications.
It should be recalled that in February 1998, Ehud Tenenbaum, an Israeli hacker also known as "The Analyzer," worked with two young collaborators from California to mount cyber-attacks against the Pentagon's systems, a nuclear weapons research lab and other significant targets. The prevailing assessment of intelligence agencies, strategic thinkers, and scientists is that not only hackers and "crackers" (criminal hackers) but also terrorists - individuals, groups, and state sponsors - are likely to exploit the vulnerability of the world's computer systems to conduct electronic warfare. It is estimated, for instance, that hostile perpetrators, with a budget of around $10 million and a team of some 30 computer experts strategically placed around the globe, could bring the US to its knees. The threat of electronic terrorist assaults grows with each passing day. There are three reasons for this: * The globalization of the Internet. Internet users currently number over 120 million; an estimated 1 billion people will be using it by the year 2005. This makes efforts to control Internet attacks a daunting challenge to intelligence services and law-enforcement agencies. * There are now some 30,000 hacker-oriented sites on the Internet, making the tools of disruption and destruction available to almost anyone. The easily available recipes for these new weapons - worms, Trojan horses, and logic bombs, among others - are making this form of warfare a permanent fixture of international life. * With the Cold War now behind us, terrorist organizations have cast off the limitations and ideologies of the formerly bipolar world and have become multidirectional. These new political realities, coupled with easily accessible cyber-weapons, have enhanced the threats posed by terror groups to the degree that they could alter life on our planet forever. The Internet already serves as an arena for propaganda and psychological warfare. 
Ideological extremists such as neo-Nazi groups have called for ethnic, racial, and religious violence. Hizbullah, a traditional terrorist organization supported by Iran and Syria, maintains on its Web site a daily record of "heroic" battles of its fighters in southern Lebanon. And Afghanistan, the newest state sponsor of terrorism, pushes its radical brand of Islam on-line.

Terrorists have also used their laptops to store operation plans. Ramzi Ahmed Yusuf, who is serving a life sentence for the 1993 World Trade Center bombing in New York and other terrorist crimes, used his computer to develop a plot to blow up a dozen American airliners over the Pacific. And terror networks, such as the underground infrastructure of Osama bin Laden, who has been implicated in the US embassy bombings in Kenya and Tanzania last summer, are sustained via personal computers with satellite uplinks and encrypted messages.

Is the worst yet to come? Consider waking one morning to the news that a group of terrorists employing electronic "sniffers" have sabotaged the global financial system by disrupting international fund-transfer networks, causing an unprecedented stocks plunge on the New York, London, and Tokyo exchanges. Clearly, there are numerous other devastating scenarios, including altering formulas for medication at pharmaceutical plants; "crashing" telephone systems; misrouting passenger trains; changing pressure in gas pipelines to cause valve failure; disrupting operations of air-traffic control towers; triggering oil refinery explosions and fires; scrambling the software used by emergency services; turning off power grids; and simultaneously detonating hundreds of computerized bombs around the world.

In sum, this new medium of communication, command and control, supplemented by the repeated destructive keyboard attacks on civilian and military nerve centers that we have already seen, forces us to think the unthinkable - and take action to prevent it.
If the expanding electronic perils are ignored by the international community, it is likely that the 21st century could produce a global Waterloo for civilization. (The writer is a professor and the director of the Inter-University Center for Terrorism Studies - Israel and the United States.)

@HWA

44.0 Major Remote Hole Found in IIS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 16th 1999

From HNN http://www.hackernews.com/

contributed by Marc

eEye Digital Security Team has found a major remotely exploitable hole in Microsoft's Internet Information Server. The buffer overflow in ISM.DLL leaves approximately 90% of 1.3 million Microsoft web servers vulnerable to internet attack. The folks at eEye have graciously developed an exploit script to demonstrate this hole. Microsoft has provided a work around and is working on a patch.

eEye Digital Security Team http://www.eeye.com/database/advisories/ad06081999/ad06081999.html
Wired http://www.wired.com/news/news/technology/story/20231.html
Microsoft http://www.microsoft.com/security/bulletins/ms99-019.asp

eEye; Retina vs. IIS4, Round 2

Systems Affected:
 Internet Information Server 4.0 (IIS4)
 Microsoft Windows NT 4.0 SP3 Option Pack 4
 Microsoft Windows NT 4.0 SP4 Option Pack 4
 Microsoft Windows NT 4.0 SP5 Option Pack 4

Release Date: June 8, 1999
Advisory Code: AD06081999

Description:

We have been debating how to start out this advisory. How do you explain that 90% or so of the Windows NT web servers on the Internet are open to a hole that lets an attacker execute arbitrary code on the remote web server? So the story starts...

The Goal: Find a buffer overflow that will affect 90% of the Windows NT web servers on the Internet. Exploit this buffer overflow.

The Theory: There will be overflows in at least one of the default IIS filtered extensions (i.e. .ASP, .IDC, .HTR). The way we think the exploit will take place is that IIS will pass the full URL to the DLL that handles the extension.
Therefore if the ISAPI DLL does not do proper bounds checking it will overflow a buffer, taking IIS (inetinfo.exe) with it, and allow us to execute arbitrary code on the remote server.

Enter Retina: While working on this advisory we have also been working on the AI mining logic for Retina's HTTP module. What better test scenario than this? We gave Retina a list of 10 or so extensions common to IIS and instructed it to find any possible holes relating to these extensions.

The Grind: After about an hour Retina found what appeared to be a hole. It reported that after sending "GET /[overflow].htr HTTP/1.0" it had crashed the server. We all crossed our fingers, started up the good ol' debugger and had Retina hit the server again. Note: [overflow] is 3k or so characters... but we will not get into the string lengths and such here. View the debug info and have a look for yourself.

The Registers:

 EAX = 00F7FCC8
 EBX = 00F41130
 ECX = 41414141
 EDX = 77F9485A
 ESI = 00F7FCC0
 EDI = 00F7FCC0
 EIP = 41414141
 ESP = 00F4106C
 EBP = 00F4108C
 EFL = 00000246

Note: Retina was using "A" (0x41 in hex) for the character to overflow with. If you're not familiar with buffer overflows, a quick note would be that getting our bytes into any of the registers is a good sign, and directly into EIP makes it even easier :)

Explain This: The overflow is in relation to the .HTR extension. IIS includes the capability to allow Windows NT users to change their password via the web directory /iisadmpwd/. This feature is implemented as a set of .HTR files and the ISAPI extension file ISM.DLL. So somewhere along the line when the URL is passed through to ISM.DLL, proper bounds checking is not done and our overflow takes place. The .HTR/ISM.DLL ISAPI filter is installed by default on IIS4 servers. Looks like we got our 90% of the Windows NT web servers part down. However can we exploit this?

The Exploit: Yes. We can definitely exploit this and we have.
We will not go into much detail here about how the buffer is exploited and such. However, one nice thing to note is that the exploit has been crafted in such a way that it works on SP4 and SP5 machines, therefore there is no guessing of offsets and possible accidental crashing of the remote server. Click here for more details about the exploit and the code.

The Fallout: Almost 90% of the Windows NT web servers on the Internet are affected by this hole. Even a server that's locked in a guarded room behind a Cisco PIX can be broken into with this hole, because the attack arrives as an ordinary HTTP request on the port the firewall has to leave open. This is a reminder to all software vendors that testing for common security holes in your software is a must. Demand more from your software vendors.

The Request. (Well one anyway.) Dear Microsoft, One of the things that we found out is that IIS did not log any trace of our attempted hack. We recommend that you pass all server requests to the logging service before passing them to any ISAPI filters etc. The logging service should be, as named, an actual service running in a separate memory space so that when inetinfo goes down intrusion signatures are still logged.

Retina vs. IIS4, Round 2. KO.

Fixes:
 1. Remove the extension .HTR from the ISAPI DLL list. Microsoft has just updated their checklist to include this interim fix.
 2. Apply the patch supplied by Microsoft when available.

Vendor Status: We contacted Microsoft on June 8th 1999; eEye Digital Security Team provided all information needed to reproduce the exploit and how to fix it. The Microsoft security team confirmed the exploit and is releasing a patch for IIS.

Related Links
Retina - The Network Security Scanner http://www.eEye.com/retina/
Retina - Brain File used to uncover the hole http://www.eEye.com/database/advisories/ad06081999/ad06081999-brain.html
Exploit - How we did it and the code.
http://www.eEye.com/database/advisories/ad06081999/ad06081999-exploit.html
NetCat - TCP/IP "Swiss Army knife" http://www.l0pht.com/~weld/netcat/

Greetings go out to: The former Secure Networks Inc., L0pht, Phrack, ADM, Rhino9, Attrition, HNN and any other security company or organization that believes in full disclosure.

Copyright (c) 1999 eEye Digital Security Team Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Please send suggestions, updates, and comments to: eEye Digital Security Team info@eEye.com www.eEye.com

-=-

Wired; E-Commerce Sites: Open Sesame?
by Niall McKay
11:40 a.m. 15.Jun.99.PDT

A major security flaw in a Microsoft Web server could allow crackers to take complete control of e-commerce Web sites, security experts warned Tuesday. The flaw in Microsoft's Internet Information Server 4.0 allows unauthorized remote users to gain system-level access to the server, according to Firas Bushnaq, CEO of eEye, the Internet security firm that discovered it.

"This hole is so serious it's scary," said Jim Blake, a network administrator for Irvine, a city in southern California. "With other [Windows NT] security holes, crackers have needed to gain some level of user access before executing code on the server. This is different.... Anybody off the Web can crack IIS," he said.
More than 1.3 million Microsoft IIS servers are up and running on the Web. Nasdaq, Walt Disney, and Compaq are among the larger e-commerce operations run off the server, according to NetCraft Internet surveys. Microsoft confirmed that the problem exists and said that it is working on a fix. Customers, however, have not been notified.

"Normally we will post the problem and the bug fix at the same time," said Microsoft spokeswoman Jennifer Todd. "We take these security issues very seriously, and the patch will be available [soon]." The fix will be posted to Microsoft's security Web site, "probably in the next couple of days," Todd said.

The exploit is just one of a long list of security flaws affecting IIS 4.0. In May, security experts found an exploit that enabled crackers to gain read access to files held on IIS when they requested certain text files. Last summer, an exploit known as the $DATA Bug granted any non-technical Web users access to sensitive information within the source code used in Microsoft's Active Server Page, which is used on IIS. And in January, a similar IIS security hole was discovered, one that exposed the source code and certain system settings of files on Windows NT-based Web servers. But the latest problem appears to be the most serious because of the level of access it reportedly allows.

"The exploit gives crackers access to any database or software residing on the Web server machine," said Bushnaq. "So they could steal credit-card information or even post counterfeit Web pages." For instance, crackers could exploit the bug to modify stock prices at one of the many news and stock information sites running IIS.

The hole allows remote users to gain control of an IIS 4.0 server by creating what is known as a "buffer overflow" on .htr Web pages -- an IIS feature designed to enable users to remotely change their passwords. A buffer overflow occurs when a program copies more data into a fixed-size buffer than the buffer was sized to hold, so the excess overwrites whatever sits next to it in memory.
In the case of this bug, the Dynamic Link Library (DLL) that handles the .htr file extension, ISM.DLL, copies the requested path into a fixed-size buffer without checking its length. A request path of a few thousand characters overruns that buffer and overwrites the saved return address on the stack with bytes the attacker chose. "Normally, this would just crash the system," said Space Rogue, a member of L0pht Heavy Industries, an independent security consulting firm that last year testified before the United States Senate on government information security. "But a good cracker can write an exploit where the data that overflows will actually be an executable program that will run as machine code," said Space Rogue. Such a move could give a cracker complete control of the target system.

The code carried in the overflow can be used to launch a system-level program that delivers the equivalent of a DOS command window to an attacker's PC. To demonstrate the hole, eEye wrote a program called IIS Hack that will enable users to crack and execute code on any IIS 4.0 Web Server. However, simply disabling or removing the .htr password utility will not fix the problem, according to Bushnaq. "You have got to go through a series of steps to remove the faulty [code]." eEye discovered the problem while beta testing a network security auditing tool.

"Remote exploits are about the most serious problems you can have with a Web server," said Space Rogue. "It gives the attacker root privileges, so the cracker not only has access to the IIS server but [to] software running on that machine." "In many corporate sites today, this will give the cracker access to the entire network."

eEye is a software development firm specializing in security audit tools. Chief executive Bushnaq previously founded the electronic commerce site ECompany.com.
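The bug class behind this, as an added illustration (this is not eEye's exploit code and not ISM.DLL's source, neither of which appears here): a small C model of an ISAPI-style handler that copies the request path into a fixed stack buffer without a length check, beside a hardened version that refuses oversize input, plus the kind of pre-dispatch length check eEye asked Microsoft for, so that an .htr request of a few thousand bytes is noticed before any ISAPI extension sees it. The frame layout and the 64-byte buffer are assumptions chosen to make the effect visible (the advisory only says about 3k characters crashed the real server); the saved register values are taken from the advisory's dump; the /iisadmpwd/x.htr path and the 1024-byte threshold are made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stack frame of an ISAPI handler that copies the request path
 * into a fixed local buffer. On x86 the saved frame pointer and the return
 * address sit just above the locals, which is why eEye's 'A' fill ended up in
 * EBP and EIP. Field sizes are illustrative, not ISM.DLL's real layout. */
struct frame {
    char     path[64];
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

/* Model of the bug: the path length is never compared with the buffer size.
 * The copy is clamped to sizeof(struct frame) only so this demonstration stays
 * defined behaviour; the real DLL kept writing and took inetinfo.exe down.
 * Returns the address the function would "return" to after the copy. */
uint32_t unchecked_copy(const char *path, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ebp = 0x00F4108C;   /* values borrowed from the advisory's dump */
    f.saved_eip = 0x77F9485A;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, path, len);      /* same effect as strcpy(f.path, path) */
    return f.saved_eip;
}

/* Hardened copy: check before copying and never truncate silently.
 * Returns 0 on success, -1 when the path does not fit. */
int bounded_copy(char *dst, size_t dstsz, const char *path)
{
    size_t len = strlen(path);
    if (len >= dstsz)
        return -1;
    memcpy(dst, path, len + 1);
    return 0;
}

/* Hardened handler entry: same 64-byte local as the model frame, but refuses
 * anything that would not fit (caller answers 414 Request-URI Too Long).
 * Returns the accepted path length, or -1 if rejected. */
int hardened_handle(const char *path)
{
    char local[64];
    if (bounded_copy(local, sizeof local, path) != 0)
        return -1;
    return (int)strlen(local);
}

/* Build the kind of request Retina sent: "GET /AAAA....htr HTTP/1.0".
 * Returns 0, or -1 if the output buffer is too small. */
int make_probe(char *out, size_t outsz, size_t n_fill)
{
    const char *head = "GET /", *tail = ".htr HTTP/1.0";
    size_t need = strlen(head) + n_fill + strlen(tail) + 1;
    if (need > outsz)
        return -1;
    memcpy(out, head, strlen(head));
    memset(out + strlen(head), 'A', n_fill);
    memcpy(out + strlen(head) + n_fill, tail, strlen(tail) + 1);
    return 0;
}

/* Same probe built into a static buffer (constructed sample input). */
const char *probe_request(size_t n_fill)
{
    static char buf[8192];
    return make_probe(buf, sizeof buf, n_fill) == 0 ? buf : NULL;
}

/* eEye's point to Microsoft was that requests should be logged before any
 * ISAPI extension sees them. This pre-dispatch check pulls the path out of a
 * request line and flags an .htr request longer than 'threshold' bytes.
 * Returns 1 if flagged, 0 if not, -1 if the line is not a request line.
 * The threshold is an assumption; eEye only says ~3k characters crashed IIS. */
int is_overlong_htr(const char *request_line, size_t threshold, size_t *path_len)
{
    const char *sp1 = strchr(request_line, ' ');
    if (!sp1)
        return -1;
    const char *path = sp1 + 1;
    const char *sp2 = strchr(path, ' ');
    size_t len = sp2 ? (size_t)(sp2 - path) : strlen(path);
    if (path_len)
        *path_len = len;
    if (len < 4)
        return 0;
    const char *ext = path + len - 4;
    /* IIS maps extensions case-insensitively, so accept .htr/.HTR/.Htr ... */
    int is_htr = ext[0] == '.' && (ext[1] | 0x20) == 'h' &&
                 (ext[2] | 0x20) == 't' && (ext[3] | 0x20) == 'r';
    return (is_htr && len > threshold) ? 1 : 0;
}

int main(void)
{
    const char *req = probe_request(3000);
    printf("overlong .htr request flagged: %d\n", is_overlong_htr(req, 1024, NULL));
    printf("return address after unchecked copy: 0x%08X\n", (unsigned)unchecked_copy(req + 4, 72));
    printf("hardened handler result: %d\n", hardened_handle(req + 4));
    return 0;
}
```

Feeding the probe's path (the part after "GET ") into unchecked_copy() shows the saved return address replaced by 0x41414141, which is exactly what eEye saw land in EIP; hardened_handle() rejects the same path before a single byte is copied. The request line is only ever built in memory here; do not point it at a server you do not own, since on an unpatched IIS4 it takes inetinfo.exe down.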
-=-

@HWA

45.0 Outlook Express 4.5 Email Bug
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 16th 1999

From HNN http://www.hackernews.com/

contributed by deepquest

Maccentral.com is reporting on a bug in Outlook Express 4.5. What it comes down to is this: if a machine has more than one Outlook Express user account, knowing the password for any one of them lets you open all of them. A pretty damaging hole for multi-user machines.

MacCentral Online http://www.maccentral.com/news/9906/15.sonata.shtml

Email encryption problems should be solved in Sonata
by Dennis Sellers, dsellers@maccentral.com
June 15, 1999, 9:45 am ET

If you're using a free Mac email application, you inherently have a lack of secure encryption, as Andrew Jung, a computer science student at Camosun College (Victoria BC, Canada), recently discovered. Jung was using Outlook Express 4.5 on the family iMac when he came upon what he described as a "disturbing bug." Jung attempted to use the "Change Current User" menu item of Outlook Express to access his personal email account (three separate email accounts were on the family Mac) when he realized he'd forgotten his password. He clicked "Cancel" and was returned to the account selection dialog. "I selected my step father's account, typed in his password, and got a message saying that his password was incorrect," Jung says. "I try again and again. No go. Then for the heck of it I looked up my password for my account, tried it, and got it. I did the procedure again over and over, and I can reproduce it every time. Whatever account I click and then cancel, that is the password for all the accounts."

The situation can be reproduced this way:

- Open Outlook Express and at the user account dialog select "New User." In the settings type in any password you want.
- Select change user from File.
- Select the newly created account, then click "OK."
- Click cancel at the password prompt.
- Select the user's account you would like to break into, and click "OK."
- Type in YOUR password for the new account and you're in.

DON'T try this at work or to access anyone's email account without permission. This was for "demonstration purposes" only.

MacCentral contacted the Microsoft Macintosh Business Unit at Microsoft, and Product Manager Irving Kwong confirmed the problem. He says Outlook Express doesn't encrypt mail data stored in the application - but that the problem isn't unique to Microsoft's free email application. "Encryption functionality of mail data does not exist in any free Macintosh email application, as this level of security is best executed at the operating system level," Kwong says. "Outlook Express' password protection between multiple users on the same computer is not secure. The password merely acts as a padlock on users' personal preferences."

So what is a secure solution? Kwong says it's coming with the next release of the Mac OS, codenamed Sonata. "You may remember Sonata's new multiple user environment being demonstrated at the WWDC," Kwong says (check out our story at http://www.maccentral.com/news/9905/10.sherlock.shtml). "We have been working on support for Sonata's multi-user functionality for Outlook Express and demonstrated this technology at the WWDC. This is the first offering of system-level security for multiple users sharing a Macintosh and is the best solution for true support, as it ensures password and data security. For Outlook Express customers and Macintosh users looking for a password secure solution for multiple users sharing a computer, we suggest using the upcoming version of Outlook Express with Sonata. The combination of Outlook Express and Sonata is a secure solution for Macintosh users doing email from the same computer. " Sonata is due in the second half of the year.

@HWA

46.0 Major Pirates Convicted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 16th 1999

From HNN http://www.hackernews.com/

contributed by Warez Dude

Texan Convicted of Pirating $63mil, in Germany.
A German State court has sentenced a Texas man to four years in prison for three counts of counterfeiting Microsoft programs. Microsoft said that this case was the "biggest in terms of the operation's sophistication and the magnitude of damage."

Nando Times http://www.techserver.com/story/body/0,1634,60053-95659-682086-0,00.html
Wired http://www.wired.com/news/news/politics/story/20239.html
ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2276234,00.html

Father and Son, Busted.

Father and son were convicted in Massachusetts of conspiring to sell $20 million in stolen Microsoft Software. The father was fined over $1 million and sentenced to almost six years in jail; the son was fined $100,000 and got a year and ten months in jail.

Nando Times http://www.techserver.com/story/body/0,1634,60069-95685-682199-0,00.html

Nando Times; Texan convicted of software piracy in Germany
Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

AACHEN, Germany (June 15, 1999 3:33 p.m. EDT http://www.nandotimes.com) - A German state court convicted John-Joseph Staud, a Texas man, on Tuesday of counterfeiting more than $63 million worth of Microsoft computer programs. Staud, 39, was sentenced to four years in prison for three counts of counterfeiting patented programs and smuggling them into Germany for commercial purposes.

Microsoft Corp. greeted the court's decision as "a meaningful signal" toward thwarting computer piracy. The software giant, based in Washington state, said the counterfeit case was its biggest in terms of the operation's sophistication and the magnitude of damage.

The court denied Microsoft's request for damages, saying that should be handled by a court in England, where Staud allegedly ran a counterfeit compact disc production plant and printing operation. He also faces charges in England.
Charges against Staud stemmed from a German customs office investigation last August that uncovered 300,000 counterfeited CD-ROMs with programs such as MS Office, Windows 95, and Windows NT, along with 400,000 installation handbooks. The materials, which had been smuggled into Germany, were found in a rented container and a warehouse in the town of Kreuzau, about 20 miles east of Aachen, which is located on the border with Belgium.

-=-

Wired; Germany Jails Software Pirate
Reuters
4:30 p.m. 15.Jun.99.PDT

A German court sentenced an American man to four years in prison without probation Tuesday for importing illegally copied Microsoft computer software. It was the first time Germany has issued a prison sentence in a crime involving software piracy, Microsoft (MSFT) said.

"The 39-year-old Texan was sentenced today for four years without probation," a spokesman for the German regional court of Aachen said. The sentencing of the man, identified only as John S., follows the seizure by German customs officials of thousands of illegal copies of Microsoft software programs and manuals last August. Microsoft said fraud was proved in several instances in the case, with total damages amounting to about 120 million marks (US$64 million).

"This sentence is a breakthrough in Germany and shows that counterfeiting software is really a serious crime," Rudolf Gallist, general manager of Microsoft GmbH, said in a statement.

- - -

More MS Software Pirates Jailed: Three more defendants in the "Crazy Bob's" stolen software ring were sentenced this week, federal prosecutors said Thursday. The three are the latest to be sentenced for their part in a conspiracy to sell US$20 million in Microsoft Corp. software stolen from a Massachusetts disc manufacturer.
Marc Rosengard, an employee of Crazy Bob's discount computer shop in Wakefield, Mass., was sentenced on Thursday to 33 months in prison and three years supervised release, and must pay $20,000 in restitution to Microsoft, prosecutors said.

Another defendant, Maxine Simons, 59, was sentenced on Wednesday by US District Court Judge George O'Toole to two years and nine months in prison and ordered to pay restitution of $908,000, prosecutors said.

Her husband Robert Simons, who ran Crazy Bob's, was given a 70-month prison sentence on Tuesday. Their son, William Simons, was sentenced to one year and 10 months on Tuesday.

Also sentenced on Wednesday was Gerald Coviello, 62, to two years and six months in prison. Maxine Simons and Coviello were convicted of conspiracy to transport stolen property following a three-week jury trial in March.

Among other misdeeds, Crazy Bob's was accused of buying and reselling 32,000 stolen copies of Microsoft Office 97 Professional Edition. Worth $599 apiece, they were acquired from rogue former employees of KAO Infosystems of Plymouth, Massachusetts, which manufactured the discs.

Copyright © 1999 Reuters Limited.

-=-

Nando Times #2

Sellers of $20 million of stolen software sentenced to prison

Copyright © 1999 Nando Media
Copyright © 1999 Reuters News Service

BOSTON (June 15, 1999 4:04 p.m. EDT http://www.nandotimes.com) - A father and son pair accused of conspiring to sell more than $20 million in Microsoft Corp. software stolen from a Massachusetts manufacturer were sentenced to prison, prosecutors said Tuesday.

Robert Simons, 62, who ran Crazy Bob's discount software store in Wakefield, Massachusetts, was sentenced to five years and 10 months imprisonment by U.S. District Judge George O'Toole Monday. Simons was also ordered to pay $908,000 in restitution to Microsoft and to forfeit $440,000 to the federal government.
His son, William Simons, 35, a Crazy Bob's salesman, was sentenced to one year and 10 months in prison, and must pay $100,000 to Microsoft, prosecutors said.

Crazy Bob's was accused of buying millions of dollars worth of computer discs stolen from KAO Infosystems, a disc manufacturer in Plymouth, Massachusetts, by two ex-KAO workers. The two former KAO employees pleaded guilty to related charges and were awaiting sentencing, prosecutors said.

Among other misdeeds, the Simons were accused of buying 32,000 stolen copies of Microsoft Office 97 Professional Edition, worth $599 apiece, and reselling them to CD-ROM outlets in California and Great Britain, prosecutors said.

@HWA

47.0 Fear of Y2K Raises Security Concerns
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 16th 1999

     From HNN http://www.hackernews.com/

     contributed by roach

     Australia Concerned Over Y2K and Security

     Fears that the Y2K bug will cause weaknesses in computer security are being raised. Some companies are spending money on Y2K issues and are ignoring important security issues. The fear is that cyber attacks may be misinterpreted as run of the mill Y2K problems.

     Australia News
     http://technology.news.com.au/techno/4297150.htm
     Australian Financial Review
     http://www.afr.com.au/content/990615/update/update38.html

     DOD Plans for Possible Y2K Attack

     The US DOD has started evaluating possible scenarios for cyber attacks that may be masquerading as Y2K computer glitches. While not saying how possible such an attack may be DOD said it is just being prepared for any contingency.

     Federal Computer Week
     http://www.fcw.com:80/pubs/fcw/1999/0614/web-cybery2k-6-15-99.html

     Australian News; Bug scare aids cyber terror

     By STEFANIE BALOGH
     16jun99

     THE Y2K bug has left computer systems around the world vulnerable to cyber terrorist attacks when the new millennium dawns, an international computing expert warned yesterday.
Constance Fortune, vice-president of Canada's Science Applications International Corporation, said because companies had focused resources on Y2K compliance, they had left their operations open to other security risks.

Speaking at the 11th FIRST (Forum for Incident Response Security Team) computer security conference in Brisbane, Ms Fortune said amateur hackers and cyber criminals were poised to wreak havoc on New Year's Day and beyond.

She predicted the problems could be more disastrous than any virus because multinational and government computer systems would be at their weakest.

"Those who create viruses, worms and other destructive computer phenomena have found ways to take advantage of the Y2K problem," she warned.

Ms Fortune said it was crucial for computer emergency response teams to be able to determine whether system failure was the result of Y2K problems or camouflaged security attacks.

Ms Fortune also said northern hemisphere firms would closely watch as Australia embraced the millennium, hours before the US, Europe and Britain.

"What happens in Australia as 2000 rolls in will provide us with a much-appreciated early warning of what we can expect only hours later," she said.

Her warnings were echoed by information technology security expert Bill Caelli, who predicted the security problems caused by companies focusing on Y2K compliance could continue for 12-18 months.

Professor Caelli, from the Queensland University of Technology, also said business and government had "lost 20 years" of work on computer security because they were more interested in cost-cutting.

He also called for the Australian Government to introduce tougher legislation to force companies to upgrade information security and for the Government to end the practice of outsourcing its IT capabilities.

-=-

Federal Computer Week;

JUNE 15, 1999 . . . 16:33 EDT

DOD preps for possible cyberattacks brought on by Y2K

BY BOB BREWIN (antenna@fcw.com)

The Pentagon has started to develop plans that would shut back doors that hook its global networks to the Internet in case cyberfoes try to use any Year 2000 computer date code snafus to mount a cyberattack.

Marvin Langston, deputy assistant secretary of Defense for command, control, communications and intelligence, declined to estimate the possibility of such a cyberassault. He said the Pentagon has started to develop contingency plans to protect its networks at the end of the year in case "cyberattackers try to mask themselves in the confusion."

"We want to be able to close down our back doors," said Langston, speaking at GovTechNet, a Washington, D.C., conference sponsored by FCW and the Armed Forces Communications and Electronics Association.

Langston said hacker Web sites and discussion groups have mentioned seizing the opportunity to launch cyberattacks against DOD by using any computer or network that may be malfunctioning because of Year 2000 problems. DOD "has to be prepared to deal with it," Langston said.

-=-

@HWA

48.0 Israeli Banks Thwart Attempted Cyber Break-In
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 16th 1999

     From HNN http://www.hackernews.com/

     contributed by LirA

     Buried down in the fifth paragraph is a statement by Bank of Israel Supervisor of Banks Dr. Yitzhak Tal, who claims that the Israeli banking system has been the target of "primitive and insignificant" cyber attacks.

     Israel's Business Arena
     http://www.globes.co.il/cgi-bin/Serve_Archive_Arena/pages/English/1.2.1.20/19990614/1

Tuesday , Jun 15, 1999 Sun-Thu at 18:00 (GMT+2)

Headlines

Tal: Hackers Tried to Break Into Internet Banking Services

By Zeev Klein

Bank of Israel Supervisor of Banks Dr. Yitzhak Tal is opposed to mergers between large banks, because the Israeli banking system is still too centralist.
Briefing economic correspondents yesterday upon the publication of the annual banking system report for 1998, Tal said, "It’s impossible to draw comparisons between Israel and the US or Europe. There, too, it’s still not clear what’s the cause for bank mergers. We’re different from them, and we must be more careful." According to Tal, mergers between small banks are not really beneficial. "I’m in favor of mergers between small banks, and against mergers between big banks. But a small bank plus a small bank gives yet another small bank," Tal said. As for mergers between medium-size banks, Tal said that the issue is under examination by the Bank of Israel. He stressed, however, that "at the moment we’re not faced with any specific request on which we must take a decision. We are rather seeking to work out our position in principle on the issue. There are arguments both ways. On the one hand, mergers between medium-size banks will increase the centralism of the system, which is very considerable as it is. On the other hand, it may well be that a new banking player that would compete with the large banks will enhance competitiveness. Our key consideration is improving competition, rather than stability," Tal said. Referring to the expansion of Internet banking services, Tal said, "We don’t have to be the trail blazers on Internet worldwide. We must be cautious, and see how this area develops throughout the world." Tal disclosed that hackers had recently attempted to break into the Internet banking system, but added that the efforts were primitive and insignificant, and did not result in any real damage to customers or to the banks. Tal did not expect any Y2K-related massive malfunction that might wipe out public deposits. According to him, "Public deposits aren’t going to be virtually wiped out.." Tal added that the banks are taking the proper measures to cope with Y2K. 
Published by Israel's Business Arena June 14, 1999

@HWA

49.0 Navy Wants Tighter Network Security
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 16th 1999

     From HNN http://www.hackernews.com/

     contributed by Lif3r

     The US Navy is looking into adding real-time intrusion detection capabilities into its network defenses.

     Federal Computer Week
     http://www.fcw.com:80/pubs/fcw/1999/0614/web-navy-6-15-99.html

JUNE 15, 1999 . . . 12:55 EDT

Navy looks to upgrade network security

BY DIANE FRANK (diane_frank@fcw.com)

As part of its overall security strategy, the Navy is looking at several new auditing products that can offer real-time intrusion detection.

The Navy is using the auditing and other security features that are part of Microsoft Corp.'s Windows NT and variations of the Unix operating system. But the Navy can only use that technology to find out about intrusions into a network after the fact, Cmdr. Larry Downs, director of operations for the Navy Fleet Information Warfare Center, said today at the GovTechNet conference in Washington, D.C.

Companies recently have released several products that will enable Navy network administrators to learn about intrusions and attacks as the attacks occur. The Navy is interested in incorporating the products into its network security, Downs said.

"The Navy is looking closely at this and will probably look to buy in the very near future," he said.

@HWA

50.0 IIS Hole Continues to Make News/Fix Available
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 17th 1999

     From HNN http://www.hackernews.com/

     contributed by Marc

     The major hole publicly announced yesterday by eEye Digital Security Team in Microsoft's Internet Information Server is continuing to make news.

     Internet News
     http://www.internetnews.com/prod-news/article/0,1087,9_139231,00.html
     ZD Net
     http://www.zdnet.com/zdnn/stories/news/0,4586,2277295,00.html

     eEye Releases Fix

     Microsoft has issued a workaround for this bug; however, it does break functionality such as /iisadmpwd/.
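The hole is triggered by an over-long request to the .htr ISAPI extension, so a front-door length check that logs the source is one way to cut exposure without removing the extension. What follows is an added example, not eEye's or Microsoft's code: the class names, the placement of the 200-character limit on the whole request-target, and the sample requests are assumptions.

```python
"""Length gate for .htr requests (added example, not eEye's or Microsoft's code).

Models the class of mitigation under discussion for the IIS .htr overflow:
instead of removing the .htr ISAPI extension outright, refuse any request aimed
at an .htr resource whose request-target exceeds a fixed length, and record
which client sent it. Names, the limit's placement and the sample requests are
assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

MAX_HTR_TARGET_LEN = 200  # the limit quoted in the text for .htr requests


@dataclass
class Decision:
    allowed: bool
    reason: str      # "htr-ok", "htr-too-long", "not-htr" or "malformed"
    client_ip: str
    target_len: int


@dataclass
class HtrGate:
    """Front-door check that would run before the ISAPI extension is invoked."""
    max_len: int = MAX_HTR_TARGET_LEN
    log: List[str] = field(default_factory=list)
    rejects_by_ip: Dict[str, int] = field(default_factory=dict)

    @staticmethod
    def _parse_request_line(request_line: str) -> Optional[Tuple[str, str, str]]:
        # HTTP/1.x request line: METHOD SP request-target SP HTTP-version
        parts = request_line.strip().split()
        if len(parts) != 3 or not parts[2].upper().startswith("HTTP/"):
            return None
        return parts[0], parts[1], parts[2]

    @staticmethod
    def _targets_htr(target: str) -> bool:
        # Compare on the path only, so "?query" text is not mistaken for the
        # extension, and case-insensitively because IIS paths are.
        path = urlsplit(target).path
        return path.lower().endswith(".htr")

    def _reject(self, client_ip: str, reason: str, target_len: int) -> Decision:
        self.rejects_by_ip[client_ip] = self.rejects_by_ip.get(client_ip, 0) + 1
        self.log.append(f"REJECT {reason} len={target_len} src={client_ip}")
        return Decision(False, reason, client_ip, target_len)

    def check(self, request_line: str, client_ip: str) -> Decision:
        parsed = self._parse_request_line(request_line)
        if parsed is None:
            return self._reject(client_ip, "malformed", len(request_line))
        _method, target, _version = parsed
        if not self._targets_htr(target):
            return Decision(True, "not-htr", client_ip, len(target))
        # The limit applies to the whole request-target (path plus query), so a
        # short path with a long query string cannot slip past the check.
        if len(target) > self.max_len:
            return self._reject(client_ip, "htr-too-long", len(target))
        return Decision(True, "htr-ok", client_ip, len(target))


def demo() -> List[Decision]:
    """Run the gate over constructed sample requests (not captured traffic)."""
    gate = HtrGate()
    samples = [
        ("GET /iisadmpwd/example.htr HTTP/1.0", "10.0.0.5"),     # ordinary .htr use
        ("GET /" + "A" * 300 + ".htr HTTP/1.0", "10.0.0.9"),      # oversized .htr target
        ("GET /x.HTR?a=1 HTTP/1.0", "10.0.0.7"),                  # mixed case, short
        ("GET /" + "A" * 300 + ".html HTTP/1.0", "10.0.0.8"),     # long but not .htr
        ("not a request line", "10.0.0.1"),                       # malformed
    ]
    decisions = [gate.check(line, ip) for line, ip in samples]
    for entry in gate.log:
        print(entry)
    return decisions


if __name__ == "__main__":
    demo()
```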
     eEye Digital Security Team has released their own fix that resolves the problem and preserves functionality. It limits .htr requests to 200 characters, and logs the IP address of the person trying the overflow. This is a great deal better than the current recommendation from Microsoft which is to just remove the .htr ISAPI filter.

     eEye Digital Security Team
     http://www.eeye.com/database/advisories/ad06081999/ad06081999-ogle.html
     Microsoft
     http://www.microsoft.com/security/bulletins/ms99-019.asp

     CERT Advisory Released

     A day late and a dollar short CERT (Computer Emergency Response Team) has released an advisory concerning this major problem. Unfortunately they forgot to credit who found the problem.

     CERT
     http://www.cert.org/advisories/CA-99-07-IIS-Buffer-Overflow.html

     Irresponsible Security Companies

     This article on C|Net questions whether eEye did the right thing by releasing their advisory before Microsoft was ready with their patch. A quote in the article from a Microsoft representative called this "contrary to all of the normal rules of responsible security professionals."

     [rant on] Bullshit. The company that has shown the public how irresponsible they are is Microsoft. Microsoft knew about this problem for a week but did nothing until it was released to the public. It is extremely likely that someone else found this hole and did not tell anyone. They could have used this problem to install back doors on most of the servers in the world without anyone knowing. Microsoft could have stopped this action a week earlier and didn't. Microsoft is the one who is not acting like a 'responsible security professional'. [/rant off]

     C|Net
     http://www.news.com/News/Item/0,4,37949,00.html?st.ne.fd.mdh.ni

C|Net; Microsoft server bug wrongly publicized?

By Stephanie Miles, Stephen Shankland, and Wylie Wong
Staff, CNET News.com
June 16, 1999, 6:50 p.m.
PT

Microsoft offered a temporary fix for a problem with its Web server software that lets attackers "inject" a program that can run on a Windows NT-based system. In the meantime, the manner in which the bug was reported and publicized is generating controversy.

The bug attacks Internet Information Server, Microsoft's software for serving up Web pages. Putting the right type of malicious code into a page request can cause IIS to crash, or worse, let an attacker run whatever programming code he wants.

Firas Bushnaq, CEO of Eeye, today accused Microsoft of dragging its feet to solving the problem. His company alerted Microsoft on June 8, he said, but Microsoft told him to keep quiet about it. Bushnaq said he went public yesterday because he felt Microsoft wasn't doing anything to resolve the issue.

But Bushnaq didn't stop at just publicizing the bug, and that's where the controversy comes in: EEye posted a program that will exploit the weakness, a move Microsoft says runs contrary to established procedures for reporting and patching bugs.

Not surprisingly, Microsoft disputes Bushnaq's version of the story.

"You can send a 'malformed' or very long request to a Web server. It could cause a buffer overflow, which means you can embed application code that will execute on the server," Bushnaq explained of the bug.

"Anything that is residing on the Web server and everything connected to that--back-end databases, e-commerce information, credit card information--could be accessible," he continued. "It is extremely important for people to fix it."

"We've got a security response process that we set up a year ago so that customers would have a place to report bugs and so that we could respond to it quickly," countered Scott Culp, a security product manager for Microsoft. No confirmed problems occurring as a result of the bug have been reported, he said.

"For reasons we don't understand, at the beginning of this week they [Eeye] suddenly went public with the bug.
It's contrary to all of the normal rules of responsible security professionals," he said. "You don't provide tools that malicious users can use to hurt innocent people."

Microsoft rushed to post a workaround to the problem, but a true fix to patch the bug is not yet available. The workaround will protect users from malicious or arbitrary code, Culp said.

"We're completing the patch right now, but we need to make sure that we've fully tested it. In the meantime, nobody needs to be vulnerable because of the workaround," he said.

@HWA

51.0 World Braces for International Day of Action
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 17th 1999

     From HNN http://www.hackernews.com/

     contributed by barbie

     Officials in Australia and around the world are bracing for International Day of Action on June 18th known as J18. June 18 is also the same day as the G8 meeting in Cologne, Germany. J18 organizers are calling for disruption of financial centers, banking districts and multinational corporate power bases. Examples of possible activities include picketing, street parties, leafleting, rallies, marches, strikes, carnivals, and of course 'hacking'.

     Australian Financial Review
     http://www.afr.com.au/content/990616/update/update37.html

Australian Financial Review - Yes, there are two stories

J18 hackers 'could target Australia' on Friday

Australian companies could be targeted by computer hackers this Friday as part of an international day of action against big business, a computer security conference was told today.

But for those companies without adequate computer security, it may be too late to bolster defences, Byron Collie, from Australian Federal Police's national computer crime team said.

Mr Collie told the conference the international day of action on Friday, known as J18, could include cyberattacks on business and banking computer networks.

The J18 action coincides with the G8 meeting in Cologne, Germany.
The official J18 site on the Internet calls for people to plan individual "actions" focusing on disrupting "financial centres, banking districts and multinational corporate power bases".

"It is up to the groups themselves to decide what to do on the day," it says. "Examples could include picketing, street parties, leafleting, rallies, marches, strikes, carnivals, hacking, blockades, whatever."

Mr Collie said there was a growing trend for computer hacking to be politically motivated and for a number of hackers to work in cooperation.

"Motivation for these (hacking) activities have changed slightly from the usual teenage intruder-type activity," he told the Computer Security Incident Handling and Response conference. "There's a lot more political and issue motivated activities."

Mr Collie said one example of "hacktivism" occurred during the Kosovo conflict when a Serbian computer expert distributed an e-mail calling for all Serbs throughout the world to launch a concentrated cyberattack on the computer systems of NATO countries.

Late last year, as Indonesia was preparing for its elections, hackers shut down an East Timorese website based in Ireland, he said.

"I would hope that you have every measure already in place," he told the conference delegates.

AAP

@HWA

52.0 ECD Targets Mexican Government
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 17th 1999

     From HNN http://www.hackernews.com/

     contributed by stealth

     The people at Electronic Civil Disobedience are planning a virtual 'sit-in' in protest of the treatment of the Zapatistas by the Mexican government. The sit-in will basically be a DoS attack against several Mexican government internet sites. This demonstration is planned to take place on June 18 from 10:00am to 4:00pm Mexico City time.
     Electronic Civil Disobedience
     http://www.thing.net/~rdom/ecd/ecd.html

     The June 18th Sit-in report from ECD
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

JUNE 18: THE VIRTUAL AND THE REAL
ACTION ON THE INTERNET AND IN AUSTIN, TEXAS
ZAPATISTA FLOODNET AND RECLAIM THE STREETS

by Stefan Wray, June 19, 1999, 6:00 CDT

"The resistance will be as transnational as capital."

On June 18, 1999, simultaneous with the G8 meeting in Koln, Germany, people all over the world participated in actions and events under the banner "Reclaim The Streets." Email reports coming in today indicate that 10,000 people gathered in Nigeria and that San Francisco drew crowds of around 500. More news and reports of events will surely be posted in the coming days. What follows is a contribution to this emerging body of material.

Reclaim the Streets European Headquarters
http://www.gn.apc.org/rts/

Below are two separate and very different reports. The first describes the results of the virtual sit-in called by the Electronic Disturbance Theater opposing the Mexican government that involved thousands of people from 46 countries. The second is a longer narrative account describing events as they unfolded in Austin, Texas, an action that involved about 50 people and resulted in three arrests. It ends with some comments on hybridity, meshing the virtual and the real.

THE VIRTUAL

On June 15, the Electronic Disturbance Theater began sending out email announcements urging people to join in an act of Electronic Civil Disobedience to stop the war in Mexico. The call made in conjunction with the Reclaim The Streets day of action was intended to introduce a virtual component to the numerous off-line actions happening all over the world. But a strong motivation for the action was also due to the fact that in recent weeks there has been a significantly higher level of government and military harassment of Zapatista communities in Chiapas, with reports indicating as many as 5,000 Zapatistas have fled their communities.
The suggested action was for people using computers to point their Internet browser to a specific URL during the hours of 4:00 and 10:00 p.m. GMT. By directing Internet browsers toward the Zapatista FloodNet URL, during this time period, people joined a virtual sit-in. What this meant was that their individual computer began sending re-load commands over and over again for the duration of the time they were connected to FloodNet. In a similar way that people were out in the streets, clogging up the streets, the repeated re-load command of the individual user - multiplied by the thousand engaged - clogged the Internet pathways leading to the targeted web site. In this case on June 18, FloodNet was directing these multiple re-load browser commands to the Mexican Embassy in the UK. (http://www.demon.co.uk/mexuk)

The results of the June 18 Electronic Disturbance Theater virtual sit-in were that the Zapatista FloodNet URL received a total of 18,615 unique requests from people's computers in 46 different countries. Of that total, 5,373 hits on the FloodNet URL - 28.8 percent - came from people using commercial servers in the United States - the .com addresses. People using computers in the United Kingdom accounted for the second largest number of participants, 3,633 or 19.5 percent. People with university accounts in the U.S., 1,677 of them, made up the third largest category of participants at 9.0 percent. Interestingly, the fourth largest category of participants came from .mil addresses, from the U.S. military, for which there were 1,377 hits on the FloodNet URL, at 7.4 percent. Included among the military visitors were people using computers at DISA, the Defense Information Systems Agency.

[In the same way that police help to block the streets when they show up at a demonstration, the military and government computer visitors to the FloodNet URL inadvertently join the action.]
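The reload mechanism described above is visible on the server side as many clients each repeating one path at a steady rate. As an added example (not part of Stefan Wray's report), the following detector parses constructed Common Log Format lines, flags client/path pairs that show that pattern, and bins the flagged clients by domain suffix the way the report's percentages do; the hostnames, thresholds and log lines are assumptions.

```python
"""Spotting a FloodNet-style virtual sit-in in web server logs.

Added example, not part of the original report. The report describes browsers
re-issuing one request over and over from thousands of clients; on the server
that shows up as many clients each repeating one path at a steady rate. This
parses Common Log Format lines with resolved hostnames, flags any client/path
pair whose repeat rate exceeds a threshold, and breaks the flagged clients down
by domain suffix. Hostnames, thresholds and log lines are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# host ident authuser [timestamp] "METHOD path version" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Tuple[str, datetime, str]]:
    """Return (host, timestamp, path) for a CLF line, or None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    return m.group("host"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def suffix_category(host: str) -> str:
    """Bucket a hostname by suffix, as the report's percentages do."""
    h = host.lower()
    for suffix in (".mil", ".edu", ".com", ".uk", ".ch"):
        if h.endswith(suffix):
            return suffix.lstrip(".")
    return "other"


def find_floods(lines, min_requests=10, min_rate_per_min=30.0):
    """Return (host, path, count, requests_per_minute) for repeat-reload clients.

    A client/path pair is flagged only if it has at least min_requests and the
    average rate over the span of those requests reaches min_rate_per_min, so
    ordinary revisits to one page over a long period are not flagged.
    """
    per_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable lines are skipped, not counted
        host, ts, path = parsed
        per_pair[(host, path)].append(ts)
    flagged = []
    for (host, path), stamps in per_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        span_s = max((stamps[-1] - stamps[0]).total_seconds(), 1.0)
        rate = len(stamps) / span_s * 60.0
        if rate >= min_rate_per_min:
            flagged.append((host, path, len(stamps), round(rate, 1)))
    return sorted(flagged)


def breakdown(flagged) -> Dict[str, Tuple[int, float]]:
    """Count flagged clients per suffix category, with percentage of the total."""
    counts = Counter(suffix_category(host) for host, _, _, _ in flagged)
    total = sum(counts.values())
    return {cat: (n, round(100.0 * n / total, 1)) for cat, n in counts.items()}


def make_lines(host: str, path: str, start: datetime, n: int, step_s: int) -> List[str]:
    """Constructed CLF lines: n requests from host for path, step_s seconds apart."""
    return [
        f'{host} - - [{(start + timedelta(seconds=i * step_s)).strftime(TS_FMT)}] '
        f'"GET {path} HTTP/1.0" 200 2048'
        for i in range(n)
    ]


def sample_log() -> List[str]:
    """Constructed sample: three reloading clients plus two ordinary visitors."""
    t0 = datetime(1999, 6, 18, 16, 0, 0, tzinfo=timezone.utc)
    lines: List[str] = []
    lines += make_lines("dialup.example.com", "/", t0, 20, 1)            # reload every second
    lines += make_lines("node.example.co.uk", "/", t0, 20, 1)
    lines += make_lines("host.example.mil", "/", t0, 20, 1)
    lines += make_lines("reader.example.edu", "/news.html", t0, 12, 45)  # 12 visits over 9 min
    lines += make_lines("guest.example.org", "/about.html", t0, 3, 120)
    return lines


if __name__ == "__main__":
    floods = find_floods(sample_log())
    for entry in floods:
        print(entry)
    print(breakdown(floods))
```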
And the fifth largest group of participants were from Switzerland with 1,276 or 6.8 percent.

The remaining 5,329, or 28.6 percent, of global participants in the June 18 virtual sit-in came from all continents including 21 countries in Europe (Austria, Belgium, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Lithuania, Macedonia, Netherlands, Norway, Poland, Portugal, Spain, Sweden and Yugoslavia), 7 countries in Latin America (Argentina, Brazil, Chile, Colombia, Mexico, Peru and Uruguay), 6 countries in Asia (Indonesia, Japan, Malaysia, Singapore, South Korea and Taiwan), 5 in the Middle East (Bahrain, Israel, Qatar, Saudi Arabia and Turkey), Australia and New Zealand, Canada, Georgia (former Soviet Union), and South Africa.

The global Zapatista FloodNet action on June 18 is the first that the Electronic Disturbance Theater called for in 1999. The group began in the spring of 1998 and launched a series of FloodNet actions directed primarily against web sites of the Mexican government, but action targets also included the White House, the Frankfurt Stock Exchange, the Pentagon. The highlight was in September when the group showcased FloodNet at the Ars Electronica festival on Information Warfare in Linz, Austria. At that time one of the targets of FloodNet was a U.S. Department of Defense web site. This action is noteworthy because of a Pentagon countermeasure, since it may be one of the first known instances in which the DOD has engaged in an offensive act of information warfare against a domestic U.S. target - an act some say could have been illegal.

More details on the Electronic Disturbance Theater can be found at:
http://www.thing.net/~rdom/ecd/ecd.html

THE BEGINNING OF THE REAL

I turned off my computer, moved away from the screen, and left work at 5:00. My girlfriend picked me up in the car and we passed by the bank so I could cash my paycheck. Good thing too. My balance had literally been 99 cents.
Then we drove to the radio station, KOOP, where we do a half-hour news program every Friday. It was hot inside the station, as it was outside. But the studio was nice and cool, so we sat there and waited for the Working Stiff show to end and the news to begin. We listened to John do a phone interview with someone from the pipe-fitters union. They were talking about a strike.

We started off the news with a long piece from A-Infos about the World Trade Organization. It was a decent article but a bit too long to read on the air. The piece ended with a call for people to travel to Seattle later in the year to oppose the third WTO ministerial conference.

After the news we walked over to join a handful of IWW folks who put out the Working Stiff Journal. They were at Lovejoys, a bar with a decent selection of beer just off 6th Street. I started talking to a few friends about the war in Yugoslavia and an idea I'd had that it might be good to form a focus group on the history, present, and future of war. The idea being that the left doesn't really understand war anymore, or rather, that the left is using the same techniques to oppose war that it used 30 years ago, but that the way wars are fought has changed. The few who I talked to supported the idea and had some good suggestions.

RUTA MAYA

After swilling down a few pints, at around 7:30, my girlfriend and I left Lovejoys and drove over to Ruta Maya. All I knew was that the Critical Mass bike ride was to end up there. And the ride was Austin's effort to be part of the global Reclaim The Street actions that were happening all over the world.

Ruta Maya is a coffee shop in downtown Austin's warehouse district. They import coffee from Chiapas. Local activist groups often stage benefits and events there.

When we got to Ruta Maya people from the bike ride were already filtering in. They had started the ride up by the university. I wasn't on the ride so I only heard snapshots of what had happened.
But I learned that a few had spent the previous night working on some stickers that said, "Closed" and "Out of Order." These were to put on ATM machines and other relevant symbols of capital. The ride passed by the Gap. For a moment Gap workers were harassed for selling clothes manufactured in sweatshops.

The crowd inside and outside on the elevated sidewalk was a mix of Ruta Maya regulars, people who came to hear an acoustic guitarist playing inside, customers of Ruta Maya's cigar shop, anyone who happened to be walking by, and of course the cyclists from the Critical Mass/RTS ride.

First I talked to some people involved in Free Radio Austin, a local micropower radio station shut down by the FCC a few weeks ago - which is incidentally scheduled to go back on the air today. We didn't talk about that, but about some of the problems with a new space here called Pueblos Unidos. A long story, but basically there is a power struggle among the original tenants of this allegedly collective warehouse space on the eastside of Austin. Too complicated to go into here.

Conversations about Pueblos Unidos, the Grassroots News Network, and Point A threaded through the evening. The riders included people I've known from Earth First!, from the local bicycle activist scene, and a whole new set of folks from Point A who I don't really know.

I just thought that Ruta Maya was a gathering point after the ride was finished. But it turned out to be something else.

THE STREET

After not long, some people started talking about how to encourage others to start standing out in the street in front of Ruta Maya. People had just finished the ride and were all charged up with energy. A moment later, two young riders were moving a construction barricade and a few orange cones into the lane of traffic coming from the west. While at the other end of the block a group took similar barricades and placed them to stop traffic coming from the east.
And then, one at a time, people started leaving the sidewalk or leaving the edges of the street to stand out in the middle. For a little while there were just about 10 people. A few standing near the barricade. A few more down at the other end of the street. And more starting to filter out right in front of Ruta Maya.

I actually hadn't anticipated this. I wanted to sit down so I asked someone to pass me down a chair from the elevated sidewalk. I sat on the chair in the middle of one lane. Someone else picked up another chair and sat down near me. With barricades on both ends of the block, people sitting in chairs, cars lurching forward slowly and trying to get out, others in Ruta Maya started to take notice, and those less inclined to be the first ones to venture out into the street, followed.

A Ruta Maya worker came out and said that he needed his chair back. I didn't argue. Ruta Maya is a cool place. And by sitting there momentarily it had served to encourage a few more to join. Soon there were people in both lanes of traffic out in front of Ruta Maya. At its peak maybe there were as many as 50. Not a huge crowd. Enough to reclaim the street - temporarily. But not enough to remain once the police started to arrive. And of course they did.

But before the police showed up, a few of the people whose idea it was to reclaim this particular section of street spoke loudly and explained what Reclaim The Streets was all about. Small flyers titled "Whose City Is This Anyway?" were passed out. And people started doing a "cheer" of sorts. Lacking were drums or other instruments that are always good for stirring up a crowd.

THE POLICE

I first noticed a brown shirted Sheriff's deputy get out of a sports utility vehicle. But he simply walked by, seemingly oblivious to what was happening. Soon thereafter the bike cops showed up. Like a number of urban police forces in the U.S., Austin has its police-on-bicycle contingent, mostly used for patrolling the busy downtown area.
The bike cops started to move around the crowd and address people whom they thought might be leaders. I was actually standing with my back turned, talking to a friend, when one bike cop came up to us. Maybe because I was smoking a cigar he thought I was a 'revolutionary leader'. (Just kidding.) Anyway, the bike cop said to us, "I'm contacting my supervisor and if you aren't out of the street in ten minutes, we are going to start making arrests." I told the bike cop that I wasn't in charge. But anyway, my friend and I passed on this warning to a few others.

So when the three police vans and the handful of marked and unmarked cars showed up - to inadvertently block the streets themselves - we were not surprised. The three vans barreled down the road from the east and the marked and unmarked cars from the west, stopping right at the intersection of 4th and Lavaca.

Obviously, given that there were not many of us and given that we had neither anticipated nor were we prepared to take a stand, we mostly filtered back off the street and onto the side. But there were a few who - for whatever reason - were not so content to give up the street that quickly.

Bike cops and regular police officers stood in the street in between the three vans and the rest of us on the side of the road. People were jeering at the cops. I didn't see exactly what happened - or what precipitated it - but in a flash a group of cops lunged forward and pulled someone from out of the crowd on the side, not even someone who was standing closer to the police, but someone behind another. And then another was arrested. And then a third.

People were yelling and screaming at the cops: "You fucking pigs!"; "Don't you have any real criminals to arrest"; "Whose street? Our street!" They remained for awhile longer. Tensions quieted down. And the vans and the marked and unmarked cars drove off.

All through this, my girlfriend had been trying to call a few local media outlets.
She was at the payphone in front of Ruta Maya. At one point she told me she had got through to KXAN. But no media ever showed up.

With the police gone, three of us on the way to jail, a number of the riders - who had only wanted to ride their bikes and not get involved with this mess - on their way out, the ones who had planned this Austin Reclaim The Street action bewilderedly consulted about how next to proceed. My girlfriend and I had both been arrested before and were quite familiar with the process. She knew the inside of Austin's jail and something about the procedure for getting out. She offered her advice to the younger activists and was ready to leave them to it. But I suggested maybe we ought to also go down to the police station to help sort things out. So we did.

THE POLICE STATION

By the time we parked the car and got inside the police station, there was already a crowd of perhaps 20 people, mostly sitting on the floor, inside the area where you ask about new arrestees. It looked like we were now reclaiming the police station, rather than the street! We weren't sure if the two young women and one young man were taken to this station. And there was speculation that they could have taken them to any number of substations throughout the city, as they are sometimes apt to do.

None of the people whose idea it was to reclaim the section of the street in front of Ruta Maya were prepared for arrests, and in Austin there aren't really known activist lawyers - like in some U.S. cities - readily available to help in moments like this. Although a few of the people who ended up being in the Austin RTS action were seasoned activists, most seemed to be people who had never actually had to deal with police arrests before. Or if they had, they certainly hadn't made any arrangements in advance. So everything was handled on the spot. My girlfriend has a friend who is a lawyer who has helped her out in the past.
While she was on the phone to her, others were over at the main desk waiting to hear if in fact the three were at this station and what they were being held for. Finally, at some point between 9:30 and 10:00 we learned that yes in fact the three had been brought to this station, and what the charges were. One was charged with a Class C misdemeanor for refusing to obey the order of a police officer. Another was charged with a Class C misdemeanor for disorderly conduct. But the third was charged with a Class B misdemeanor, a more severe level, for "inciting a riot." First of all, there was no riot, by any stretch of the imagination. But more importantly, the young woman charged with inciting a riot - as I later learned - had merely begun to yell out a cheer. She had said, "Give me a 'P'," - and was probably going to spell "PIG" - at which point the cops lurched forward to grab her from out of the crowd.

My girlfriend's friend who is a lawyer advised us that it would be best if a boisterous crowd did not linger in the police station waiting area as it might only antagonize them and encourage them to hold the three longer. So a group drifted off and went to Lovejoys - the bar where we had started the evening off earlier. My girlfriend and I, and a couple of friends of the people being detained, remained at the police station. We learned that the two with Class C misdemeanors would be able to be released for $200 bond, although it wouldn't be until much later in the night, actually the wee hours of the morning, but that the young woman charged with inciting a riot would have to wait until a judge came at 10:30 in the morning.

When we saw that it was senseless to wait at the police station any longer, the rest of us left as well, joining others back at Lovejoys where we drank from pitchers of beer, mulled over what had just transpired, and continued an earlier thread about some of the internal dynamic of the new warehouse space in Austin called Pueblos Unidos.
THE NEXT MORNING

In the middle of the night the two with Class C misdemeanors were bailed out. And at 10:30 or so on June 19, my girlfriend's lawyer friend - a bit begrudgingly - had to go down to the station to deal with the magistrate and help the one with the inciting riot charge get released. My girlfriend went back to the police station in the morning as well - in part to console her lawyer friend who had had to be bothered on a Friday evening she was spending with her husband who works out of town all during the week. She was able to help get the one with the inciting riot charge out of jail, by being able to visit her while in custody and explain the procedure for getting a personal release - but did not agree to be the lawyer for these cases.

Compounding factors were that two of the people arrested, including the one with the inciting a riot charge, had just returned to the country - literally on the afternoon of June 18 - after having been in Guatemala and Mexico. Now, a criminal lawyer will need to be found. People will have to spend precious and limited resources on the entire legal process. Those who must return to court will have added stress and worry. And what started out as an evening of revelry ends up in the onerous world of the courts.

AFTERTHOUGHTS ON THE REAL

Several things are clear. While a degree of planning for this action was undertaken - in that minimally a date, time, and place were chosen and the action was given some form and content - there definitely were important elements in the planning process that were overlooked. The first, obviously, being that the people whose intent it was to reclaim the street should have realized that this sort of activity generally falls outside the boundary of the law, that the police were likely to show up, and that arrests were possible. And that given the possibility of arrest, contingency plans should have been made: i.e.
there should have been a lawyer on standby and even some sort of legal observer. The second oversight was that there was no attention given to drawing in media, nor were any of the participants using any audio or video recording devices. No photographs nor any videotape of the above arrests were made to supply concrete evidence demonstrating that in fact the Class B misdemeanor inciting to riot charge is ludicrous. And finally it seems that the nature and purpose of the action was not made clearly manifest to passersby or to unconnected people sitting inside or outside of Ruta Maya.

All of these things - legal preparation, media work, and public relations - are aspects of street actions that are fairly important. And there are clearly people in Austin who have strong skills in all of these areas and whose services could have been called upon. I'm not sure, but I think the Austin RTS action was a last minute one, pulled off by just a few people who didn't have time to do everything needed. I don't want to sound too critical. During the moment - albeit a short one - there was a temporary autonomous zone. People did in fact reclaim a portion of a street. But the cost of doing this is that several people now unwittingly must face the hassle and expense of the court system.

HYBRIDITY: THE VIRTUAL AND THE REAL

One year ago I wrote a few short pieces with the theme of hybridity, talking about the goal of developing actions that combined on-line (virtual) and off-line (real) elements. In part this was a reaction to criticism the Electronic Disturbance Theater received which claimed that by acting purely in the virtual realm we were isolating ourselves from people who focused more or all of their attention on doing things in the street or in the flesh.
We tried to introduce this idea of Electronic Civil Disobedience to the community of activists who every year, for the past few anyway, have gone to the School of the Americas to participate in the more traditional civil disobedience style of action. And at a national conference on civil disobedience held in Washington, DC, this past January, two from the EDT were part of a panel discussion on Electronic Civil Disobedience. Even so, this notion of joint computer-based and street-based actions has a long way to go. There is still a disjuncture, a gap, between what's happening now on the Net and what people are doing on the street. Many people engaged in yesterday's street action in Austin, for example, probably had no idea that the virtual component was even taking place.

EDT's participation in the global RTS actions is another step in developing both the theory and practice of this sort of joint engagement. The Internet is inherently global and so Internet-based actions seem to be a logical match with global street actions. But this is not to say that the particular example of FloodNet is the most ideal way of meshing the street and Net together. The FloodNet action is something that individuals may join from their computers at home, work, or in an educational environment. Even though acting simultaneously, jointly, the participants in the on-line and off-line actions in this case may have been completely different sets of people.

What can be done differently? Some examples from Amsterdam and London over the course of the last few years are instructive. During demonstrations against a meeting of the EU in Amsterdam - which involved massive police presence in the streets - people created web pages in which they mapped out the location of the police. The pages were constantly updated with relevant information to demonstrators from people sending in email messages or calling in from pay phones or cell phones.
In another example, in London during an occupation/takeover of a Shell office, activists used a portable laptop connected to a cell phone to send out announcements to the media and others once they were inside. They were also able to directly update a web site during the occupation.

Austin's Reclaim The Street action was about as low tech as you can go. The most sophisticated technology was probably the bicycles used for the first part of the action. Clearly there was no digital technology. No interface with the Net. The closest to this was probably when my girlfriend used the payphone right in front of Ruta Maya to unsuccessfully call media as the police were making arrests. For a moment she tapped into the telephone infrastructure - which is basically what the Internet is.

What would have happened or what could happen in the future if we are able to enhance these sorts of street actions with a real-time audio and video presence? Imagine if on the elevated sidewalk in front of Ruta Maya and out on the street several people had had video cameras and they were taping the entire action. Further imagine that there were cables running from the cameras to the interior of the café where people were sitting with laptop computers capable of handling video input and these laptops were connected to a phone line in the café - a live stream of audio and video being netcast about the RTS action to a global audience. Video recording and netcasting the street action may not have prevented people from being arrested, but it certainly would have captured a public record and people other than the participants and the observers at Ruta Maya would have known about it. As it stands there is no recorded imagery or audio of the Austin RTS action. Nor have there been any reports about it in the local media. Nor does anyone on the Net - apart from those reading this - know about it.
One would think that in a town such as Austin - one credited as having one of the fastest growing economies in the U.S. largely linked to the high tech computer industry - that activists here would have the wherewithal to develop these sorts of uses of seemingly readily available digital technology. But there are obstacles. Some of the obstacles are ideological, perhaps. A lingering anti-technology critique. Some of the obstacles are economic. A genuine lack of access. Some obstacles may simply be that the ideas are still new.

To conclude - well at least to stop, concluding may be too premature right now - in addition to an obvious need for more attention to some basic legal, media, and publicity training, there is a need to think about and to experiment more with ways of bringing the street and the Net closer together. We should address this question: how do we bring what is happening on the street onto the Net? The Zapatista FloodNet action in conjunction with the global Reclaim The Street actions is an example of real-virtual hybridity at a world-wide level. But it is only one form and it lies within the area of Internet as site for resistance and direct action. Finally, then, it seems there are at least two important areas where further exploration is needed: the first, greater experimentation with other forms of on-line action and electronic civil disobedience to be used jointly with actions on the street; the second, greater experimentation with bringing the street and the Net closer together so that what happens on the street is netcast in real-time onto the Net to a global audience.

END

@HWA

53.0 Cyber Attacks in Australia Double
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 17th 1999

     From HNN http://www.hackernews.com/

     contributed by Code Kid

     The Australian Computer Emergency Response Team (AusCERT) is claiming that cyber attacks in Australia have doubled over the last year.
     They claim that there has been a sharp rise in DoS attacks and recommend that companies have strong security and policies in place.

     Sydney Morning Herald
     http://www.smh.com.au/news/9906/16/text/business4.html

     Australian Computer Emergency Response Team
     http://www.auscert.org.au/

Sydney Morning Herald;

On guard against hacker attacks

Date: 16/06/99

By KIRSTY NEEDHAM

The average hacker is no longer a clever but disgruntled techno-geek. Security experts warned yesterday that dangerous programs, ready for download and use against corporate Web sites, were being uncovered by simple keyword searches on the Internet.

Hacker attacks in Australia have doubled this year, according to the Australian Computer Emergency Response Team (AusCERT), which has seen around 1,500 incidents. AusCERT is part of an international organisation, CERT, that co-ordinates efforts against Internet security breaches.

One of the latest security problems has been a rise in "denial of service" attacks, where a Web site is crippled by a flood of requests for information. "This can be easy to do and there are tools available to would-be hackers," said Mr Eric Halil, AusCERT operations manager. "You don't have to be an expert to use them."

Mr Halil said many Web sites were also being "probed" by automated scanning tools. "It is difficult to determine what the motives are. Some people are joy riders - they like to break and enter systems. "Others like breaking into well-known systems like financial institutions. They earn kudos with their peers," he said.

A Forum of Incident Response and Security Teams (FIRST) conference in Brisbane this week is being attended by members from the military, business, government and academia in 22 countries. "Incidents tend to be international in nature.
Even the local hacker around the corner breaking into a university will break in overseas first to cover the trail," said Mr Byron Collie, an agent with the Australian Federal Police who is on secondment to the Australian defence forces' directorate of information warfare.

The FBI estimates that 80 per cent of attacks are made by disgruntled employees, with 20 per cent coming from outside the organisation. However, Mr Collie said this was shifting towards 50 per cent as companies failed to take adequate security measures. "Organisations need to have a security policy in place, including incident response procedures, if they want to conduct e-commerce or have any connectivity to the Internet," said Mr Collie. "Early law enforcement contact and protocols in handling evidence will ensure it is admissible in court. If it is left until the last minute or files have been bandied around in e-mail, it jeopardises prosecutions."

Mr Mowgli Assor, a computer security specialist with Ohio State University, said there had been an increase in both hacking incidents and the tools available to attack computer networks. Infoguard, an incident response team set up by the FBI in March, was part of a move by the US Government to raise awareness of computer attacks, Mr Assor said. A reluctance by embarrassed companies to report attacks to the police or FBI had been seen as a problem, he said. "Disgruntled teenagers are growing up and not shedding their ways. Hackers have been becoming smarter and taking more careful approaches. Break-ins are harder to detect and protect against," Mr Assor said.

@HWA

54.0 SmartCards Next Stop for Internet Crime
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     (Next stop? its already happening, see section 20.0 ... -Ed)

     June 17th 1999

     From HNN http://www.hackernews.com/

     contributed by chippy

     The Australian Institute of Criminology has released a report that claims that SmartCards will be the next stop for high-tech criminals.
     These new crimes will force officials to develop new forensic processes and tools to be able to extract data from such small storage devices.

     Australian Financial Review
     http://www.afr.com.au/content/990616/inform/inform2.html

     Australian Institute of Criminology
     http://www.aic.gov.au/

Australian Financial Review;

Smartcards may be set to revolutionise crime

By Helen Meredith

Cyber crimebusters warn that smartcards will be the next target for digital law breakers, with the technology lending itself to concealment of data from law enforcement agencies.

According to a report released yesterday by the Institute of Criminology, smartcards may have the single greatest impact on the conduct of crime in our society with their ability to store, process and secure significant quantities of data. They are expected to make the job of policing and bringing cyber criminals to book complicated, with experts forced to develop new forensic processes and tools that will enable them to analyse and extract data from digital storage devices such as smartcards.

Entitled What is Forensic Computing? the AIC report was released to coincide with the opening of an international conference in Brisbane on the handling of computer security incidents.

The Federal Minister for Justice, Senator Amanda Vanstone, speaking during the plenary session of the FIRST Conference, said: "We are used to seeing computer hackers portrayed in the media as youthful idealists who are simply engaging in a bit of mischievous fun." This did not match up with the reality of computer crime, she said. Damaging digital data and communications had the potential to ruin businesses and seriously affect national economic interests, with criminals using digital technology both to commit crimes and hide their activities.
Senator Vanstone said a survey of businesses carried out by the Office of Strategic Crime Assessment in the Attorney-General's Department, in conjunction with the Victorian Police and consultant Deloitte Touche Tohmatsu, had shown that about a third of firms in the banking, technology, communications and computer sectors had suffered unauthorised use of their systems in the previous 12 months. The proportion of these attacks originating externally had increased, a trend that was expected to continue. Until recently, most assaults on computer systems had been identified as internal, usually involving disgruntled employees.

Authorities were also concerned that about 42 per cent of businesses had not reported such external cyber intrusions. "I doubt very much that two in five businesses would fail to call in the police should the intrusion involve a physical breach of their security, such as a break and enter, even if nothing was taken," she said. The use of high-grade encryption, the loss of the human interface in financial transactions and the lack of a paper trail were serious impediments to law enforcement.

AIC director Dr Adam Graycar said investigating sophisticated crimes and assembling the necessary evidence for presentation in a court of law had become a significant issue for police. A new specialist law enforcement field, forensic computing, had arisen as a result. This involved identifying digital evidence and preserving it through the investigation process.

@HWA

55.0 Internet Was Designed without Security
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 17th 1999

     From HNN http://www.hackernews.com/

     contributed by Weld Pond

     Why are viruses and 'evil hackers' seemingly running rampant all over the internet? Because in the beginning it was designed that way. Take a romp through the early formative years of the net, all in six or seven paragraphs.
     Washington Post
     http://www.washingtonpost.com/wp-srv/WPlate/1999-06/15/150l-061599-idx.html

Vipers In the Sandbox
Used to Be, the Internet Was a Safe Place to Play

By John Schwartz
Washington Post Staff Writer
Tuesday, June 15, 1999; Page C01

Why are the newspapers full of reports of hackers defacing government Web sites and nasty viruses wreaking havoc on computers around the world? In no small part it is a cultural problem that goes back to the '60s origins of personal computing and the Internet.

Many of the Internet pioneers were bearded longhairs, academics and engineers whose techno-hippie ethos suffused their new world. They knew each other, were part of a community. Trust was the rule. The early Internet was much more about openness and communication than walls and locks. The faults it was supposed to correct were in the machines, not in us: corrupted packets, not corrupted morals.

"Once upon a time there was the time of innocence," says Clifford Stoll, whose work tracking down European hackers became a popular book, "The Cuckoo's Egg." "Once upon a time computers were not used except in academia, where there really is nothing that's mission-critical. Once upon a time computers were mainly play toys for the techno-weirds--techie play toys."

In that environment, hacking was part of the fun of what Stoll has called the early Internet "sandbox." "In that environment, there seems to be a cachet of 'Hey! I wrote a virus! Hee-ho!' In that environment, it seems funny to break into somebody else's computer. . . . It seems somewhat innocent to read somebody else's e-mail."

It started with hacking telephone systems. The founders of Apple Computer--Steve Jobs and Steve Wozniak--got their start in business peddling "blue boxes"--little devices that allowed users to hack the telephone network and make long-distance calls for free.
These "phone phreaks" were seen by some as cultural heroes--free spirits striking a blow against the suits, the evil corporations seen as the enemies of spontaneity and creativity.

Once computer systems were connected by networks, "remote hacking was an attractive challenge," Internet pioneer Vinton Cerf recalls via e-mail. "Surreptitiously making your way into the operating system from your secret hideout. . . . Much of the motivation was like picking locks or scaling walls--just to see if you could do it. Harm was not the objective, most of the time."

Katie Hafner, who has written books about the history of the Internet and about the lives of hackers, says that this metaphor of nerds at play is compelling--and accurate. "It was a big open playscape for these guys," she says. "The Net was built as a completely open community. People would actually be offended if files were protected."

To be sure, there were some early nods to security issues--the fledgling ARPANET, the precursor to today's Internet, required passwords. It was funded by the military, after all. However, "the subtext was this was an open community because this was an experiment," Hafner says. It was built by guys like Jon Postel, the Internet pioneer who died last year. Postel had a vision of an Internet that didn't need a center to survive, a network that could be governed by standards and consensus without ever putting anybody in charge. Utopian? Sure. Vulnerable? Uh-huh.

That culture rejected attempts to create computer operating systems that incorporated security from the ground up, but were complex and cumbersome. Computer security expert Peter Neumann says: "Viruses exist only because of the shortsightedness of subsequent developers who almost completely ignored the security problems" that some designers had effectively solved.

The problem is that the Net caught on, and in the biggest possible way.
The anarchic, antiauthoritarian, don't-tell-us-how-to-run-our-lives ethic that defined the burgeoning network--and is still held out by most of the experts as the source of its vitality and strength--has retained that early vulnerability. Broader penetration of the Internet into society meant broader penetration of society into the Internet; it became more like the real world, and the real world is a tough place. In '60s terms, the idea of free spirits being outside the control of central authority was the best of all possible worlds. But with no one in charge, it was damnedly hard to plug security holes.

A big wake-up call came in 1988 when Robert T. Morris Jr., then a student at Cornell University, released a computer program that single-handedly crashed systems across the Internet. His father, a famous programmer and security expert, was of the generation that had hacked for fun. Morris Jr. didn't mean to bring down the Net. "His mischief was kind of in the spirit of the Net," says Hafner. But by then the Internet was no longer a playscape, and the damage was real.

Of course if the Net's problem is anarchy, the problem with personal computers is monarchy: Bill Gates. Microsoft "is indeed the evil empire when it comes to robust infrastructures," says Neumann. Two viruses that recently swept through the world's computers, Melissa and Explore.zip, took advantage of the fact that so many millions of PCs run on a suite of Microsoft's programs. The company's latest offerings include security options--but the options are turned off at the factory. The security measures make computing a little clunkier, and cut users off from some of the bells and whistles that Microsoft writes into its programs.

Says computer security expert Eugene Spafford of Purdue University, it's as if consumers "said they wanted faster cars," and so the vendors maximize speed by providing "faster cars, but with no brakes and no air bags!"
Release a virus that attacks that company's software specifically, and "it's analogous to the Spaniards bringing smallpox to the Incas," he says. "There was no immunity--they just wiped everybody out. . . . We've really set up our environment in an unsafe way."

Of course today's Internet is a mirror of society. It may have been conceived in a spirit of trust and information wanting to be free and good practical jokes. But today it's about--money. The frontier is getting settled by corporations worth billions, all of which are promising to sell us our future. They have to deliver, so anti-virus programmers and network security consultants have a market opportunity.

It's a tough time for a system that was created in an age of innocence. It will be interesting to see if a network strong enough to survive nuclear attack can survive its own success.

© Copyright 1999 The Washington Post Company

@HWA

56.0 Original Apple I On the Auction Block
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 17th 1999

     From HNN http://www.hackernews.com/

     contributed by Cuda

     What is being called the first Apple I ever sold will soon be sold via auction. The Auctioneers are expecting bids to go well over $40,000. One of approximately 200 that were ever built, this one includes original documentation including the original 8-page manual. The auction company will accept absentee bids online. Better hurry. The live bidding starts on Tuesday June 29, at 11 a.m.

     La Salle Auctions
     http://www.lasallegallery.com/framemac.htm

@HWA

57.0 Microsoft Calls eEye Irresponsible
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     June 18th 1999

     From HNN http://www.hackernews.com/

     contributed by Weld Pond

     A week after notifying Microsoft of a major hole in its Internet Information Server 4.0, eEye Digital Security Team went public with the information and published an exploit for the hole. The Microsoft spin machine labeled this action as 'Irresponsible'.
     The finger here should not be pointed at eEye, who did the honorable thing by alerting the public and posting a real fix before Microsoft, but should instead be pointed at Microsoft for creating bad software, and even worse, concealing the information for up to a week. Unfortunately these articles don't seem to understand that.

     LA Times
     http://www.latimes.com/HOME/BUSINESS/t000054445.html

     Nando Times
     http://www.techserver.com/story/body/0,1634,61071-97188-693078-0,00.html

     The UK Register
     http://www.theregister.co.uk/990618-000010.html

     Associated Press - Via San Jose Mercury News
     http://www.mercurycenter.com/breaking/docs/078774.htm

     InfoWorld
     http://www.infoworld.com/cgi-bin/displayStory.pl?990617.hneeye.htm

     eEye Digital Security Team
     http://www.eeye.com/

     Microsoft
     http://www.microsoft.com/security/bulletins/ms99-019.asp

     Late Update

     Well, at least Forbes gets it.

     Forbes
     http://www.forbes.com/tool/html/99/Jun/0618/mu5.htm

Forbes;

Microsoft's security secret

By Benjamin Polen

NEW YORK. 12:45PM EDT—Microsoft’s (nasdaq: MSFT) failure to immediately alert customers of a serious security flaw in its Internet Information Server (IIS) could hurt the company’s image and cost it customers as the software giant tries to establish a position within the competitive marketplace of mission-critical server applications.

Microsoft knew about the vulnerability for a week but tried to delay telling customers until it could prepare a software patch. But Microsoft’s efforts to suppress notification of the IIS bug ultimately backfired and proved embarrassing when eEye, a privately held network security company, took the information to the public on Tuesday. eEye detected the bug during a beta test of a security program and alerted Microsoft of the problem on June 8.
The vulnerability is so severe that anyone with modest programming skills and an Internet connection can gain complete control over a web server running IIS, which runs on 22.3% of the web servers on the Internet, according to research firm Netcraft.

Despite the severity of the problem, Microsoft stopped responding to eEye's E-mails after June 11, according to Firas Bushnaq, CEO of eEye. After several days, eEye decided to post an advisory on its web site on Tuesday. The CERT Coordination Center, a federally funded computer security research institute at Carnegie-Mellon University, posted an advisory on the following day, lending credence to eEye's concerns.

Firas Bushnaq said his company acted because Microsoft was "not taking the vulnerability seriously." When Microsoft still had not publicly acknowledged the vulnerability six hours after eEye posted the advisory, the security company went a step further and published source code that could be used against the IIS bug. "When it was at that level, we decided we had to release the exploit, we would definitely get more attention," said Bushnaq.

For its part, Microsoft was not pleased with eEye’s decision to issue an advisory, much less any source code that could be used against their product. Microsoft deems eEye’s full disclosure decision as "irresponsible" and "beyond comprehension," according to Jason Garms, Microsoft’s lead product manager for Windows NT security.

The disagreement between Microsoft and eEye highlights a burgeoning culture clash in the computer world where traditional corporate secrecy collides with the free-information ethos of the Net. On its web site, eEye explained why it felt justified in posting the advisory and the source code. "Our responsibility to our clients and the whole network community is to disclose as many details as possible.… This is the way we can contribute to the security community and keep software vendors working hard at producing more robust products."
For its part, Microsoft hoped that by keeping knowledge of the vulnerability secret, it could protect its customers until a patch had been developed and tested. "Frankly, the feedback from customers is that they don’t want us to go and publicize our bugs before we have fixes for our problems," Garms said.

But at least one industry analyst questions Microsoft’s handling of the situation. "If you want your customers to depend on your products for mission-critical applications, then you have to avoid at all costs any kind of behavior that suggests you’re not to be trusted and you’re not dependable," said Eric Hemmendinger, a senior analyst at the Aberdeen Group. "Having a problem occur is one thing. But not acknowledging it is another issue altogether. For that people should hold them accountable."

Hemmendinger compared Microsoft’s attitude toward corporate information technology managers with that of a rude guest. "It’s like an immature person being invited to the party and not behaving responsibly. This is not the kind of behavior that gets you invited back to the party," he said.

The situation could come back to haunt Microsoft as it tries to attract new corporate customers. "If you are considering using IIS and you become aware of things like this in Microsoft's behavior you got to take this into consideration," Hemmendinger said. "If they really want to be accepted in the data center this is not the right behavior."

-=-

UK Register; Posted 18/06/99 12:33pm by John Lettice
Major MS Web Server security hole exposed, plugged

Security outfit eEye has roused Microsoft's ire and garnered itself some cheap publicity by going public with information on what it says is a serious security flaw in Microsoft's Internet Information Server (IIS) 4.0. The move hasn't helped the company's relationship with Microsoft any, but it seems to have triggered the appearance of a swift patch, full fix to follow.
According to eEye the flaw allows arbitrary code to be run on any web server running IIS 4.0, and "by using a buffer overflow bug in the software attackers can remotely execute code to enable access to all data on the server." So it's a serious one, although Microsoft says it hasn't had any reports of the security hole being used so far.

eEye accuses Microsoft of failing to give the problem the attention it deserved. The company claims to have hassled MS for days, but "after the fifth day of reporting the bug to Microsoft, they stopped responding to our emails." So the company went public with the problem three days later, as an attempt to force Microsoft's hand.

Microsoft swiftly posted a patch, but accuses eEye of irresponsibility in publicising a problem before a fix had been found. There's some justification in that, but there's also some in the view that being able to announce "we've found a hole, but we fixed it" is better than having to confirm "Yike, there's a huge security hole in our product." ®

@HWA

58.0 Has the FBI Overreacted?
~~~~~~~~~~~~~~~~~~~~~~~~

June 18th 1999

From HNN http://www.hackernews.com/

contributed by Weld Pond

Scott Peterson has some interesting commentary about the recent crackdown of the FBI on web graffiti artists. The government has compared recent cracks to the use of terrorist weapons such as chemical and biological weapons. Mr. Peterson says it is nothing of the sort and that the recent crackdown fosters images of McCarthyism. Definitely some interesting viewpoints here and worth the time to read.

PC Week
http://www.zdnet.com/pcweek/stories/news/0,4153,406619,00.html

** Sorry, the ZDNet nazis have cut and paste prevention in their html code so I couldn't reprint the article here. (And you can't either for personal record, wtf kind of lame action is that?)
The reason I do reprint the articles is because often times (see previous section links for examples) the stories are unavailable or pay only for archives. If anyone knows how to thwart ZDNet's (or anyone else's) anti cut and paste tactics email me hwa@press.usmc.net! And no, view source doesn't work either ...

59.0 Printer at Spa War Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 18th 1999

From HNN http://www.hackernews.com/

contributed by Silicosis

Ron Broersma, from the Space and Naval Systems Warfare Center, has claimed that Russians were able to redirect print jobs destined for a local printer back to Russia. While such a hack is possible in theory the difficulties of doing so would make it seem unlikely. DNS cache corruption seems like the most likely scenario. It is too bad that Mr. Broersma did not respond to the authors of this article with confirmation.

CMP Net
http://www.techweb.com/wire/story/TWB19990617S0007

Russians Hack U.S. Printer
(06/17/99, 10:56 a.m. ET)
By Lee Bruno and Robin Gareiss, Data Communications

Welcome back, Cold War. It looks as though the Russians might be up to their old tricks, if the infiltration of the network at the Space and Naval Systems Warfare Center (Spa War) in San Diego, Calif., is any indication.

The incursion was discovered by Ron Broersma, a Spa War network operations engineer, when a local network print job took an unusually long time. Monitoring tools revealed a file had been hijacked from the printing queue, sent to a server in Russia, and finally back to the Spa War printer.

Broersma concluded the network intruder had hacked into the printer, and reconfigured routing tables on equipment elsewhere on the Spa War network to ship the file to Russia.

Broersma relayed his account of the network printer hack at a recent meeting of the North American Network Operators' Group.
He said he secured Spa War's printers after the attack by resetting router filters, and by eliminating older printers that, he said, are especially vulnerable. "It turned out to be a real tough problem for us," he said.

Broersma has not returned subsequent phone calls for further comment, however. It's also not known who the Russian server belonged to, or what information was compromised.

Networked printers are known to be especially vulnerable to hacking attacks. They have their own IP addresses, and they run various standard protocols that can be exploited. To make matters worse, printer vendors haven't added any strong security features to their products that would protect them against break-ins.

@HWA

60.0 Popular Singapore Sites Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 18th 1999

From HNN http://www.hackernews.com/

contributed by lamer

Two high profile sites in Singapore were recently defaced: MediaCity and Television Corporation Of Singapore. Unfortunately no mirrors of either site are available.

The Electric New Paper
http://newpaper.asia1.com.sg/spore/nplo05.html (link dead)

@HWA

61.0 DOD Says its CRAP! (Mustn't be Scottish)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 18th 1999

From HNN http://www.hackernews.com/

DOD Labels Software as 'Crap'

contributed by Code Kid

Art Money, senior civilian IT official for the Defense Department, while speaking at the GovTechNet International Conference in Washington, D.C., said "The quality of software we're getting from vendors today is crap, vendors are not building quality in."

Federal Computer Week
http://www.fcw.com:80/pubs/fcw/1999/0614/web-crap-6-17-99.html

JUNE 17, 1999 . . . 15:17 EDT

Contractors' software 'crap,' says top DOD IT official
BY BOB BREWIN (antenna@fcw.com)

The Pentagon's top information technology official sharply criticized, in the plainest possible language, the quality of software that IT contractors currently supply to the Defense Department.
"The quality of software we're getting from vendors today is crap," said Art Money, senior civilian official, who is acting as assistant secretary of Defense for command, control, communications and intelligence. "Vendors are not building quality in," Money said today at the GovTechNet International Conference in Washington, D.C. "We're finding holes in it." DOD buys hundreds of millions of dollars worth of software each year, including everything from shrink-wrapped packages designed to run on the desktop to customized systems running millions of lines of code. The quality of much of the software that DOD is receiving is so poor, Money said, that he is worried about the future of the U.S. software industry. Money predicted that if the U.S. software industry does not get its act together, it could suffer the same fate as the U.S. automobile manufacturing industry, with software sales moving offshore to Japan, for example. @HWA 62.0 DOE Still Unsecure ~~~~~~~~~~~~~~~~~~~ June 18th 1999 From HNN http://www.hackernews.com/ contributed by Space Rogue Even after one of the worst cases of spying in US history a special investigative report has found that the Department of Energy is not taking computer security seriously. The report labels computer security practices at DOE as "naive at best and dangerously irresponsible at worst." Federal Computer Week http://www.fcw.com:80/pubs/fcw/1999/0614/web-report-6-16-99.html Science at its Best, Security at its Worst - DOE Security Report http://jya.com/pfiab-doe.htm Federal Computer Week; JUNE 16, 1999 . . . 17:24 EDT Cybersecurity holes persist at DOE labs, study finds BY DANIEL VERTON (dan_verton@fcw.com) Despite what may be the worst spy case in U.S. history involving nuclear weapon design data, the computer networks at the nation's five weapons laboratories continue to be "riddled with vulnerabilities," according to a report by a special investigative panel of intelligence and security officials. 
According to the report, "Science at its Best, Security at its Worst," issued this month by the President's Foreign Intelligence Advisory Board, midlevel managers throughout the Energy Department have responded to the recent Chinese spy scandal with a "business as usual" attitude, while foreign nationals residing in "sensitive countries" continue to have unmonitored remote dial-up access to lab networks.

The three-month study uncovered recurring problems with DOE's computer security program, including poor labeling and tracking of computer media, problems with lax password enforcement on laboratory computer workstations and a significant failure to control access to sensitive and classified networks.

Computer security methods throughout DOE over the last two decades have been "naive at best and dangerously irresponsible at worst," the report said. In fact, "computer systems at some DOE facilities were so easy to access that even department analysts likened them to 'automatic teller machines,' [allowing] unauthorized withdrawals at our nation's expense," the report said.

Security audits also uncovered what the report calls "remarkable" lapses in addressing security problems and procedural gaps at many DOE labs. According to the report, it took DOE 31 months to write and approve a network security plan, 24 months to order security labels for mislabeled software, 20 months to ensure that improperly stored classified computer media had been safeguarded and 51 months to properly safeguard cryptographic material used to secure telephones. It even took 11 months to remove a deceased employee from classified document access lists, according to the report.

The report also outlined instances of classified information being placed on unclassified networks well after the department had developed a corrective action plan in July 1998.
"The predominant attitude toward security and counterintelligence among many DOE and lab managers has ranged from half-hearted, grudging accommodation to smug disregard," the report concluded. -=- ** A few diagrams were omitted from this report go to the url at jya fo see the report with diagrams (they're most useful NOT)... - Ed 24 June 1999: Revise links to PFIAB report at the White House. 23 June 1999: Link to DOE Secretary Richardson's June 22 Senate testimony. 22 June 1999: Add notice on Senate joint hearings. [Congressional Record: June 21, 1999 (Digest)] From the Congressional Record Online via GPO Access [wais.access.gpo.gov] Monday, June 21, 1999 Daily Digest Senate COMMITTEE MEETINGS FOR TUESDAY, JUNE 22, 1999 (Committee meetings are open unless otherwise indicated) Senate Committee on Armed Services: with the Select Committee on Intelligence, and with the Committee on Energy and Natural Resources, and with the Committee on Governmental Affairs, to hold joint hearings on the President's Foreign Intelligence Advisory Board's report to the President: Science at its Best; Security at its Worst: A Report on Security Problems at the U.S. Department of Energy, 9:30 a.m., SD-106. 18 June 1999: Add balance of HTML conversion. 15 June 1999. Thanks to the White House Office of the PFIAB (202) 456-2352. From: Jane_E._Baker@pfiab.eop.gov To: jya@jya.com, dellaratta@exchangemonitor.com, jhorowitz@tribune.com, bullfrog@enteract.com, catpano@nytimes.com, jpcarson@mindspring.com Date: Tue, 15 Jun 1999 15:34:33 -0400 Subject: PFIAB RPT See attached file: Report of Presidents Foreign Intelligence Advisory Board, "Science At Its Best, Security At Its Worst: A Report on Security Problems at the U.S. 
Department of Energy," June, 1999: http://www.whitehouse.gov/WH/EOP/pfiab/pfiab_report.pdf (72 pages; 420K) See attached file: Unclassified Appendix to PFIAB Report: http://www.whitehouse.gov/WH/EOP/pfiab/appendix.pdf (34 pages; 191K) Source: http://www.whitehouse.gov/WH/EOP/pfiab/pfiab_report.pdf SCIENCE AT ITS BEST __________________________ SECURITY AT ITS WORST A Report on Security Problems at the U.S. Department of Energy [Presidential Seal] ____________________________ A Special Investigative Panel President’s Foreign Intelligence Advisory Board JUNE 1999 ABSTRACT On March 18, 1999, President William J. Clinton requested that the President’s Foreign Intelligence Advisory Board (PFIAB) undertake an inquiry and issue a report on “the security threat at the Department of Energy’s weapons labs and the adequacy of the measures that have been taken to address it.” Specifically, the President asked the PFIAB to “address the nature of the present counterintelligence security threat, the way in which it has evolved over the last two decades and the steps we have taken to counter it, as well as to recommend any additional steps that may be needed.” He also asked the PFIAB “to deliver its completed report to the Congress, and to the fullest extent possible consistent with our national security, release an unclassified version to the public.” In response, the Honorable Warren B. Rudman, Chairman of PFIAB, appointed board members Ms. Ann Z. Caracristi, Dr. Sidney Drell, and Mr. Stephen Friedman to form the Special Investigative Panel and obtained detailees from several federal agencies (CIA, DOD, FBI) to augment the work of the PFIAB staff. Over the past three months, the panel and staff interviewed more than 100 witnesses, reviewed more than 700 documents encompassing thousands of pages, and conducted onsite research and interviews at five of the Department of Energy’s national laboratories and plants: Livermore, Los Alamos, Oak Ridge, Pantex, and Sandia. 
The panel has produced a report and an appendix of supporting documents, both of which are unclassified to the fullest extent possible. A large volume of classified material, which was also reviewed and distilled for this report, has been relegated to a second appendix that is available only to authorized recipients.

This report examines:

  - The 20–year history of security and counterintelligence issues at the DOE national laboratories, with an emphasis on the five labs that focus on weapons–related research;
  - The inherent tension between security concerns and scientific freedom at the labs and its effect on the institutional culture and efficacy of the Department;
  - The growth and evolution of the foreign intelligence threat to the national labs, particularly in connection with the Foreign Visitor’s Program of the labs;
  - The implementation and effectiveness of Presidential Decision Directive No. 61, the reforms instituted by Secretary of Energy Bill Richardson, and other related initiatives; and,
  - Additional measures that should be taken to improve security and counterintelligence at the labs.

PANEL MEMBERS

The Honorable Warren B. Rudman, Chairman of the President’s Foreign Intelligence Advisory Board. Senator Rudman is a partner in the law firm of Paul, Weiss, Rifkind, Wharton, and Garrison. From 1980 to 1992, he served in the U.S. Senate, where he was a member of the Select Committee on Intelligence. Previously, he was Attorney General of New Hampshire.

Ms. Ann Z. Caracristi, board member. Ms. Caracristi, of Washington, DC, is a former Deputy Director of the National Security Agency, where she served in a variety of senior management positions over a 40–year career. She is currently a member of the DCI/Secretary of Defense Joint Security Commission and recently chaired a DCI Task Force on intelligence training. She was a member of the Aspin/Brown Commission on the Roles and Capabilities of the Intelligence Community.

Dr. Sidney D. Drell, board member. Dr. Drell, of Stanford, California, is an Emeritus Professor of Theoretical Physics and a Senior Fellow at the Hoover Institution. He has served as a scientific consultant and advisor to several congressional committees, The White House, DOE, DOD, and the CIA. He is a member of the National Academy of Sciences and a past President of the American Physical Society.

Mr. Stephen Friedman, board member. Mr. Friedman is Chairman of the Board of Trustees of Columbia University and a former Chairman of Goldman, Sachs, & Co. He was a member of the Aspin/Brown Commission on the Roles and Capabilities of the Intelligence Community and the Jeremiah Panel on the National Reconnaissance Office.

PFIAB STAFF

Randy W. Deitering, Executive Director
Mark F. Moynihan, Assistant Director
Roosevelt A. Roy, Administrative Officer
Frank W. Fountain, Assistant Director and Counsel
Brendan G. Melley, Assistant Director
Jane E. Baker, Research/Administrative Officer

PFIAB ADJUNCT STAFF

Roy B., Defense Intelligence Agency
Karen DeSpiegelaere, Federal Bureau of Investigation
Jerry L., Central Intelligence Agency
Christine V., Central Intelligence Agency
David W. Swindle, Department of Defense, Naval Criminal Investigative Service
Joseph S. O’Keefe, Department of Defense, Office of the Secretary of Defense

TABLE OF CONTENTS

FOREWORD
FINDINGS
ROOT CAUSES
  An International Enterprise
  Big, Byzantine, and Bewildering Bureaucracy
  Lack of Accountability
  Culture and Attitudes
  Changing Times, Changing Missions
RECURRING VULNERABILITIES
  Management and Planning
  Physical Security
  Screening and Monitoring Personnel
  Protection of Classified and Sensitive Information
  Tracking Nuclear Materials
  Foreign Visitors’ Program
ASSESSMENTS
  Responsibility
  Record of the Clinton Team
  The 1995 “Walk-In” Document
  W-88 Investigation
  Damage Assessment
  PDD-61: Birth and Intent
  Timeliness of PDD-61
  Secretary Richardson’s Initiatives
  Prospects for Reforms
  Trouble Ahead
  Back to the Future
REORGANIZATION
  Leadership
  Restructuring
RECOMMENDATIONS
ENDNOTES
APPENDIX
  Map of DOE Installations
  Chronology of Events
  Chronology of Reports on DOE
  Damage Assessment of China’s Acquisition of U.S. Nuclear Information
  Presidential Decision Directive 61
  Bibliography

FOREWORD FROM THE SPECIAL INVESTIGATIVE PANEL

For the past two decades, the Department of Energy has embodied science at its best and security of secrets at its worst. Within DOE are a number of the crown jewels of the world’s government–sponsored scientific research and development organizations. With its record as the incubator for the work of many talented scientists and engineers—including many Nobel prize winners—DOE has provided the nation with far–reaching advantages. Its discoveries not only helped the United States to prevail in the Cold War, they undoubtedly will continue to provide both technological benefits and inspiration for the progress of generations to come.
The vitality of its national laboratories is derived to a great extent from their ability to attract talent from the widest possible pool, and they should continue to capitalize on the expertise of immigrant scientists and engineers. However, we believe that the dysfunctional structure at the heart of the Department has too often resulted in the mismanagement of security in weapons–related activities and a lack of emphasis on counterintelligence.

DOE was created in 1977 and heralded as the centerpiece of the federal solution to the energy crisis that had stunned the American economy. A vital part of this new initiative was the Energy Research and Development Administration (ERDA), the legacy agency of the Atomic Energy Commission (AEC) and inheritor of the national programs to develop safe and reliable nuclear weapons. The concept, at least, was straightforward: take the diverse and dispersed energy research centers of the nation, bring them under an umbrella organization with other energy–related enterprises, and spark their scientific progress through closer contacts and centralized management.

__________________________________
At the birth of DOE, the brilliant scientific breakthroughs of the nuclear weapons laboratories came with a troubling record of security administration. Twenty years later, virtually every one of its original problems persists.
__________________________________

However, the brilliant scientific breakthroughs at the nuclear weapons laboratories came with a very troubling record of security administration. For example, classified documents detailing the designs of the most advanced nuclear weapons were found on library shelves accessible to the public at the Los Alamos laboratory. Employees and researchers were receiving little, if any, training or instruction regarding espionage threats. Multiple chains of command and standards of performance negated accountability, resulting in pervasive inefficiency, confusion, and mistrust.
Competition among laboratories for contracts, and among researchers for talent, resources, and support distracted management from security issues. Fiscal management was bedeviled by sloppy accounting. Inexact tracking of the quantities and flows of nuclear materials was a persistent worry. Geographic decentralization fractured policy implementation and changes in leadership regularly depleted the small reservoirs of institutional memory. Permeating all of these issues was a prevailing cultural attitude among some in the DOE scientific community that regarded the protection of nuclear know–how with either fatalism or naiveté. Twenty years later, every one of these problems still existed. Most still exist today.

__________________________________
The panel found a department saturated with cynicism, an arrogant disregard for authority, and a staggering pattern of denial.
__________________________________

In response to these problems, the Department has been the subject of a nearly unbroken history of dire warnings and attempted but aborted reforms. A cursory review of the open-source literature on the DOE record of management presents an abysmal picture. Second only to its world–class intellectual feats has been its ability to fend off systemic change. Over the last dozen years, DOE has averaged some kind of major departmental shake–up every two to three years. No President, Energy Secretary, or Congress has been able to stem the recurrence of fundamental problems. All have been thwarted time after time by the intransigence of this institution.

The Special Investigative Panel found a large organization saturated with cynicism, an arrogant disregard for authority, and a staggering pattern of denial. For instance, even after President Clinton issued Presidential Decision Directive 61 ordering that the Department make fundamental changes in security procedures, compliance by Department bureaucrats was grudging and belated.
Time after time over the past few decades, officials at DOE headquarters and the weapons labs themselves have been presented with overwhelming evidence that their lackadaisical oversight could lead to an increase in the nuclear threat against the United States. Throughout its history, the Department has been the subject of scores of critical reports from the General Accounting Office (GAO), the intelligence community, independent commissions, private management consultants, its Inspector General, and its own security experts. It has repeatedly attempted reforms. Yet the Department’s ingrained behavior and values have caused it to continue to falter and fail.

PROSPECTS FOR REFORMS

We believe that Secretary of Energy Richardson, in attempting to deal with many critical security matters facing the Department, is on the right track in some, though not all, of his changes. We concur with and encourage many of his recent initiatives, and we are heartened by his aggressive approach and command of the issues. But we believe that he has overstated the case when he asserts, as he did several weeks ago, that “Americans can be reassured: our nation’s nuclear secrets are, today, safe and secure.”

After a review of more than 700 reports and studies, thousands of pages of classified and unclassified source documents, interviews with scores of senior federal officials, and visits to several of the DOE laboratories at the heart of this inquiry, the Special Investigative Panel has concluded the Department of Energy is incapable of reforming itself—bureaucratically and culturally—in a lasting way, even under an activist Secretary. The panel has found that DOE and the weapons laboratories have a deeply rooted culture of low regard for and, at times, hostility to security issues, which has continually frustrated the efforts of its internal and external critics, notably the GAO and the House Energy and Commerce Committee.
Therefore, a reshuffling of offices and lines of accountability may be a necessary step toward meaningful reform, but it almost certainly will not be sufficient. Even if every aspect of the ongoing structural reforms is fully implemented, the most powerful guarantor of security at the nation’s weapons laboratories will not be laws, regulations, or management charts. It will be the attitudes and behavior of the men and women who are responsible for the operation of the labs each day. These will not change overnight, and they are likely to change only in a different cultural environment—one that values security as a vital and integral part of day–to–day activities and believes it can coexist with great science.

We are convinced that when Secretary Richardson vacates the office his successor is not likely to have a comparable appreciation of the gravity of the Department’s past problems, nor a comparable interest in resolving them. The next Secretary of Energy will not have spent months at the tip of the sword created by the recent public outcry over DOE mismanagement of national secrets. Indeed, the core of the Department’s bureaucracy is quite capable of undoing Secretary Richardson’s reforms, and may well be inclined to do so if given the opportunity.

Ultimately, the nature of the institution and the structure of the incentives under a culture of scientific research require great attention if they are to be made compatible with the levels of security and the degree of command–and–control warranted where the research and stewardship of nuclear weaponry is concerned. Yet it must be done.

THE PFIAB INQUIRY

The PFIAB panel is fully aware of the many recent allegations of management failures surrounding the Department of Energy and questions about the subsequent roles of entities such as the Department of Justice, the Federal Bureau of Investigation, and the Central Intelligence Agency. Much of the research we conducted has relevance to these allegations.
However, the depth and the complexity of the issues call for examinations by institutions with greater resources and a wider charter: namely, Congress and standing executive agencies of the federal government.

In the 90 days of our inquiry, the PFIAB panel conducted numerous interviews with senior federal officials who agreed to speak candidly—with the understanding that they would not be identified by name—about DOE’s problems and recent events.

On balance, the panel finds that some very damaging security compromises may have occurred, as alleged by some in recent weeks. But we believe that in matters of intelligence and counterintelligence, one cannot brush off the reality that conclusions are often intrinsically based on probabilities, rather than certainties. Leaders, of course, are often obliged to act, and should act, based on the probability of impending danger, not only its certainty. And those entrusted with the public weal are indisputably served better by having more information about risks than less.

So the panel would like to note the contributions of those who have helped to raise the public’s awareness of the risks to national security posed by problems at DOE. Although we do not concur with all of their conclusions, we believe that both intelligence officials at the Department of Energy and the members of the Cox Committee made substantial and constructive contributions to understanding and resolving security problems at DOE.

As we note later in this report, we concur on balance with the damage assessment of espionage losses conducted by the Director of Central Intelligence. We also concur with the findings of the independent review of that assessment by Admiral David Jeremiah and his panel.

Our mandate from President Clinton was restricted to an analysis of the structural and management problems in the Department’s security and counterintelligence operations. We abided by that.
We also recognize the unique nature of the assignment given to us by the President. Never before in its history of more than 35 years has the PFIAB prepared a report for release to the general public. As a result, we have taken pains to ensure that the language of this report is “plain English,” not bureaucratese, and that the findings of the report are stated directly and candidly, not with the indirection and euphemisms often employed by policy insiders.

SOLUTIONS

Our panel has concluded that the Department of Energy, when faced with a profound public responsibility, has failed. Therefore, this report suggests two alternative organizational solutions, both of which we believe would substantially insulate the weapons laboratories from many of DOE’s historical problems and promote the building of a responsible culture over time. We also offer recommendations for improving various aspects of security and counterintelligence at DOE, such as personnel assurance, cyber–security, program management, and interdepartmental cooperation under the Foreign Intelligence Surveillance Act of 1978.

The weapons research and stockpile management functions should be placed wholly within a new semi–autonomous agency within DOE that has a clear mission, streamlined bureaucracy, and drastically simplified lines of authority and accountability. Useful lessons along these lines can be taken from the National Security Agency (NSA) or Defense Advanced Research Projects Agency (DARPA) within the Department of Defense or the National Oceanographic and Atmospheric Administration (NOAA) within the Department of Commerce.

The other alternative is a wholly independent agency, such as the National Aeronautics and Space Administration (NASA). There was substantial debate among the members of the panel about these two alternatives. Both have strengths and weaknesses.
In the final analysis, the decision rests in the hands of the President and the Congress, and we trust that they will give serious deliberation to the merits and shortcomings of the alternatives before enacting major reforms. We all agree, nonetheless, that the labs should never be subordinated to the Department of Defense.

With either proposal it will be important for the weapons labs to maintain effective scientific contact on nonclassified scientific research with the other DOE labs and the wider scientific community. To do otherwise would work to the detriment of the nation’s scientific progress and security over the long run. This argument draws on history: nations that honor and advance freedom of inquiry have fared better than those who have sought to arbitrarily suppress and control the community of science.

__________________________________
The nuclear weapons and research functions of DOE need more autonomy, a clearer mission, a streamlined bureaucracy, and increased accountability.
__________________________________

However, we would submit that we do not face an either/or proposition. The past 20 years have provided a controlled experiment of a sort, the results of which point to institutional models that hold promise. Organizations such as NASA and DARPA have advanced scientific and technological progress while maintaining a respectable record of security. Meanwhile, the Department of Energy, with its decentralized structure, confusing matrix of cross–cutting and overlapping management, and shoddy record of accountability has advanced scientific and technological progress, but at the cost of an abominable record of security with deeply troubling threats to American national security.

Thomas Paine once said that “government, even in its best state, is but a necessary evil; in its worst state, an intolerable one.” This report finds that DOE’s performance, throughout its history, should have been regarded as intolerable.
We believe the results and implications of this experiment are clear. It is time for the nation’s leaders to act decisively in the defense of America’s national security.

Warren Rudman
Chairman of the President’s Foreign Intelligence Advisory Board

Ms. Ann Caracristi
Board Member

Dr. Sidney Drell
Board Member

Mr. Stephen Friedman
Board Member

FINDINGS

On March 18, 1999, President Clinton tasked the Foreign Intelligence Advisory Board to review the history of the security and counterintelligence threats to the nation’s weapons labs and the effectiveness of the responses by the U.S. government. He also asked the Board to propose further improvements. This report, based on reviews of hundreds of source documents and studies, analysis of intelligence reports, and scores of interviews with senior level officials from several administrations, was prepared over the past 90 days in fulfillment of the President’s request.

BOTTOM LINE

Our bottom line: DOE represents the best of America’s scientific talent and achievement, but it has also been responsible for the worst security record on secrecy that the members of this panel have ever encountered.

The national labs of the Department of Energy are among the crown jewels of the world’s government–sponsored scientific research and development organizations. With its record as the incubator for the work of many talented scientists and engineers—including many Nobel prize winners—it has provided the nation with far–reaching advantages. Its discoveries not only helped the United States to prevail in the Cold War, they will undoubtedly provide both technological benefits and inspiration for the progress of generations to come. Its vibrancy is derived to a great extent from its ability to attract talent from the widest possible pool, and it should continue to capitalize on the expertise of immigrant scientists and engineers.
However, the Department has devoted far too little time, attention, and resources to the prosaic but grave responsibilities of security and counterintelligence in managing its weapons and other national security programs.

FINDINGS

The preponderance of evidence accumulated by the Special Investigative Panel, spanning the past 25 years, has compelled the members to reach many definite conclusions—some very disturbing—about the security and well–being of the nation’s weapons laboratories. As the repository of America’s most advanced know-how in nuclear and related armaments and the home of some of America’s finest scientific minds, these labs have been and will continue to be a major target of foreign intelligence services, friendly as well as hostile.

Two landmark events, the end of the Cold War and the overwhelming victory of the United States and its allies in the Persian Gulf War, markedly altered the security equations and outlooks of nations throughout the world. Friends and foes of the United States intensified their efforts to close the technological gap between their forces and those of America, and some redoubled their efforts in the race for weapons of mass destruction. Under the restraints imposed by the Comprehensive Test Ban Treaty, powerful computers have replaced detonations as the best available means of testing the viability and performance capabilities of new nuclear weapons. So research done by U.S. weapons laboratories with high performance computers stands particularly high on the espionage hit list of other nations, many of which have used increasingly more sophisticated and diverse means to obtain the secrets necessary to join the nuclear club.

______________________________________

Snapshot: DOE Weapons Operations

Percentage of Budget: Roughly $6 billion, a third of the Department’s $18 billion FY99 budget.

Allocation of Weapons-Related Budget:
  Defense Programs              $4.4 billion
  Nonproliferation/Nat. Sec.    $0.7 billion
  Fissile Material Disposal     $0.2 billion
  Naval Reactors                $0.7 billion

Number of Contract Employees: 34,190

Number of Contract Employees Per Lab:
  Los Alamos            6,900
  Sandia                7,500
  L. Livermore          6,400
  Pantex                2,860
  Oak Ridge (Y-12)      5,500
  Kansas City           3,150
  Nevada Test Site      1,880

SOURCE: DEPT. OF ENERGY FIELD FACTBOOK, MAY 1998

More than 25 years worth of reports, studies and formal inquiries—by executive branch agencies, Congress, independent panels, and even DOE itself—have identified a multitude of chronic security and counterintelligence problems at all of the weapons labs (See Appendix). These reviews produced scores of stern, almost pleading, entreaties for change. Critical security flaws—in management and planning, personnel assurance, some physical security areas, control of nuclear materials, protection of documents and computerized information, and counterintelligence—have been cited for immediate attention and resolution … over and over and over … ad nauseam.

The open–source information alone on the weapons laboratories overwhelmingly supports a troubling conclusion: their security and counterintelligence operations have been seriously hobbled and relegated to low-priority status for decades. The candid, closed–door testimony of current and former federal officials as well as the content of voluminous classified materials received by this panel in recent weeks reinforce this conclusion.

When it comes to a genuine understanding of and appreciation for the value of security and counterintelligence programs, especially in the context of America’s nuclear arsenal and secrets, the DOE and its weapons labs have been Pollyannaish. The predominant attitude toward security and counterintelligence among many DOE and lab managers has ranged from half–hearted, grudging accommodation to smug disregard. Thus the panel is convinced that the potential for major leaks and thefts of sensitive information and material has been substantial.
Moreover, such security lapses would have occurred in bureaucratic environments that would have allowed them to go undetected with relative ease. Organizational disarray, managerial neglect, and a culture of arrogance—both at DOE headquarters and the labs themselves—conspired to create an espionage scandal waiting to happen.

The physical security efforts of the weapons labs (often called the “guns, guards, and gates”) have had some isolated shortcomings, but on balance they have developed some of the most advanced security technology in the world. However, perpetually weak systems of personnel assurance, information security, and counterintelligence have invited attack by foreign intelligence services. Among the defects this panel found:

· Inefficient personnel clearance programs, wherein haphazard background investigations could take years to complete and the backlogs numbered in the tens of thousands.

· Loosely controlled and casually monitored programs for thousands of unauthorized foreign scientists and assignees—despite more than a decade of critical reports from the General Accounting Office, the DOE Inspector General, and the intelligence community. This practice occasionally created bizarre circumstances in which regular lab employees with security clearances were supervised by foreign nationals on temporary assignment.

· Feckless systems for control of classified documents, which periodically resulted in thousands of documents being declared lost.

· Counterintelligence programs with part–time CI officers, who often operated with little experience, minimal budgets, and employed little more than crude “awareness” briefings of foreign threats and perfunctory and sporadic debriefings of scientists travelling to foreign countries.

· A lab security management reporting system that led everywhere but to responsible authority.

· Computer security methods that were naive at best and dangerously irresponsible at worst.
Why were these problems so blatantly and repeatedly ignored? DOE has had a dysfunctional management structure and culture that only occasionally gave proper credence to the need for rigorous security and counterintelligence programs at the weapons labs. For starters, there has been a persisting lack of real leadership and effective management at DOE.

The nature of the intelligence–gathering methods used by the People’s Republic of China poses a special challenge to the U.S. in general and the weapons labs in particular. More sophisticated than some of the blatant methods employed by the former Soviet bloc espionage services, PRC intelligence operatives know their strong suits and play them extremely well. Increasingly more nimble, discreet and transparent in their spying methods, the Chinese services have become very proficient in the art of seemingly innocuous elicitations of information. This modus operandi has proved very effective against unwitting and ill–prepared DOE personnel.

Despite widely publicized assertions of wholesale losses of nuclear weapons technology from specific laboratories to particular nations, the factual record in the majority of cases regarding the DOE weapons laboratories supports plausible inferences—but not irrefutable proof—about the source and scope of espionage and the channels through which recipient nations received information. The panel was not charged, nor was it empowered, to conduct a technical assessment regarding the extent to which alleged losses at the national weapons laboratories may have directly advanced the weapons development programs of other nations. However, the panel did find these allegations to be germane to issues regarding the structure and effectiveness of DOE security programs, particularly the counterintelligence functions. The classified and unclassified evidence available to the panel, while pointing out systemic security vulnerabilities, falls short of being conclusive. The actual damage done to U.S.
security interests is, at the least, currently unknown; at worst, it may be unknowable. Numerous variables are inescapable. Analysis of indigenous technology development in foreign research laboratories is fraught with uncertainty. Moreover, a nation that is a recipient of classified information is not always the sponsor of the espionage by which it was obtained. However, the panel does concur, on balance, with the findings of the recent DCI–sponsored damage assessment. We also concur with the findings of the subsequent independent review, led by retired Admiral David Jeremiah, of that damage assessment.

The Department of Energy is a dysfunctional bureaucracy that has proven it is incapable of reforming itself. Accountability at DOE has been spread so thinly and erratically that it is now almost impossible to find. The long traditional and effective method of entrenched DOE and lab bureaucrats is to defeat security reform initiatives by waiting them out. They have been helped in this regard by the frequent changes in leadership at the highest levels of DOE—nine Secretaries of Energy in 22 years. Eventually, the reform–minded management transitions out, either due to a change in administrations or as a result of the traditional “revolving door” management practices at DOE. Then the bureaucracy reverts to old priorities and predilections.

Such was the case in December 1990 with the reform recommendations carefully crafted by a special task force commissioned by then–Energy Secretary Watkins. The report skewered DOE for unacceptable “direction, coordination, conduct, and oversight” of safeguards and security. Two years later, the new administration rolled in, redefined priorities, and the initiatives all but evaporated. Deputy Secretary Charles Curtis in late 1996 investigated clear indications of serious security and CI problems and drew up a list of initiatives in response. Those initiatives also were dropped after he left office.
Reorganization is clearly warranted to resolve the many specific problems with security and counterintelligence in the weapons laboratories, but also to address the lack of accountability that has become endemic throughout the entire Department. Layer upon layer of bureaucracy, accumulated over the years, has diffused responsibility to the point where scores claim it, no one has enough to make a difference, and all fight for more. Convoluted, confusing, and often contradictory reporting channels make the relationship between DOE headquarters and the labs, in particular, tense, internecine, and chaotic.

In between the headquarters and the laboratories are field offices, which the panel found to be a locus of much confusion. In background briefings of the panel, senior DOE officials often described them as redundant operations that function as a shadow headquarters, often using their political clout and large payrolls to push their own agendas and budget priorities in Congress. Even with the latest DOE restructuring, the weapons labs are reporting to far too many DOE masters.

The criteria for the selection of Energy Secretaries have been inconsistent in the past. Regardless of the outcome of ongoing or contemplated reforms, the minimum qualifications for an Energy Secretary should include experience in not only energy and scientific issues, but national security and intelligence issues as well. The list of former Secretaries, Deputy Secretaries, and Under Secretaries meeting all of these criteria is very short. Despite having a large proportion of its budget (roughly 30 percent) devoted to functions related to nuclear weapons, the Department of Energy has often been led by men and women with little expertise and background in national security.
The result has been predictable: security issues have been a low priority, and leaders unfamiliar with these issues have delegated decisionmaking to lesser–ranking officials who lacked the incentives and authority to address problems with dispatch and forcefulness. For a Department in desperate need of strong leadership on security issues, this has been a disastrous trend. The bar for future nominees at the upper levels of the Department needs to be raised significantly.

DOE cannot be fixed with a single legislative act: management must follow mandate. The research functions of the labs are vital to the nation’s long term interest, and instituting effective gates between weapons and nonweapons research functions will require both disinterested scientific expertise, judicious decisionmaking, and considerable political finesse. Thus both Congress and the executive branch—whether along the lines suggested by the Special Investigative Panel or others—should be prepared to monitor the progress of the Department’s reforms for years to come. This panel has no illusions about the future of security and counterintelligence at DOE. There is little reason to believe future DOE Secretaries will necessarily share the resolve of Secretary Richardson, or even his interest. When the next Secretary of Energy is sworn in, perhaps in the spring of 2001, the DOE and lab bureaucracies will still have advantages that could give them the upper hand: time and proven skills at artful dodging and passive intransigence.

The Foreign Visitors’ and Assignments Program has been and should continue to be a valuable contribution to the scientific and technological progress of the nation. Foreign nationals working under the auspices of U.S. weapons labs have achieved remarkable scientific advances and contributed immensely to a wide array of America’s national security interests, including nonproliferation. Some have made contributions so unique that they are all but irreplaceable.
The value of these contacts to the nation should not be lost amid the attempt to address deep, well–founded concerns about security lapses. That said, DOE clearly requires measures to ensure that legitimate use of the research laboratories for scientific collaboration is not an open door to foreign espionage agents. Losing national security secrets should never be accepted as an inevitable cost of obtaining scientific knowledge.

In commenting on security issues at DOE, we believe that both Congressional and Executive Branch leaders have resorted to simplification and hyperbole in the past few months. The panel found neither the dramatic damage assessments nor the categorical reassurances of the Department’s advocates to be wholly substantiated.

We concur with and encourage many of Secretary Richardson’s recent initiatives to address the security problems at the Department, and we are heartened by his aggressive approach and command of the issues. He has recognized the organizational dysfunction and cultural vagaries at DOE and taken strong, positive steps to try to reverse the legacy of more than 20 years of security mismanagement. However, the Board is extremely skeptical that any reform effort, no matter how well–intentioned, well–designed, and effectively applied, will gain more than a toehold at DOE, given its labyrinthine management structure, fractious and arrogant culture, and the fast–approaching reality of another transition in DOE leadership.
Thus we believe that he has overstated the case when he asserts, as he did several weeks ago, that “Americans can be reassured: our nation’s nuclear secrets are, today, safe and secure.” Similarly, the evidence indicating widespread security vulnerabilities at the weapons laboratories has been ignored for far too long, and the work of the Cox Committee and intelligence officials at the Department has been invaluable in gaining the attention of the American public and in helping focus the political will necessary to resolve these problems. Nonetheless, there have been many attempts to take the valuable coin of damaging new information and decrease its value by manufacturing its counterfeit, innuendo; possible damage has been minted as probable disaster; workaday delay and bureaucratic confusion have been cast as diabolical conspiracies. Enough is enough.

Fundamental change in DOE’s institutional culture—including the ingrained attitudes toward security among personnel of the weapons laboratories—will be just as important as organizational redesign. Never have the members of the Special Investigative Panel witnessed a bureaucratic culture so thoroughly saturated with cynicism and disregard for authority. Never before has this panel found such a cavalier attitude toward one of the most serious responsibilities in the federal government—control of the design information relating to nuclear weapons. Particularly egregious have been the failures to enforce cyber–security measures to protect and control important nuclear weapons design information. Never before has the panel found an agency with the bureaucratic insolence to dispute, delay, and resist implementation of a Presidential directive on security, as DOE’s bureaucracy tried to do to the Presidential Decision Directive No. 61 in February 1998.

The best nuclear weapons expertise in the U.S. government resides at the national weapons labs, and this asset should be better used by the intelligence community.
For years, the PFIAB has been keen on honing the intelligence community’s analytic effectiveness on a wide array of nonproliferation areas, including nuclear weapons. We believe that the DOE Office of Intelligence, particularly its analytic component, has historically been an impediment to this goal because of its ineffective attempts to manage the labs’ analysis. The office’s mission and size (about 70 people) is totally out of step with the Department’s intelligence needs. A streamlined intelligence liaison body, much like Department of Treasury’s Office of Intelligence Support—which numbers about 20 people, including a 24–hour watch team—would be far more appropriate. It should concentrate on making the intelligence community, which has the preponderance of overall analytic experience, more effective in fulfilling the DOE’s analysis and collection requirements.

ROOT CAUSES

The sources of DOE’s difficulties in both overseeing scientific research and maintaining security are numerous and deep. The Special Investigative Panel primarily focused its inquiry on the areas within DOE where the tension between science and security is most critical: the nuclear weapons laboratories.[1] To a lesser extent, the panel examined security issues in other areas of DOE and broad organizational issues that have had a bearing on the functioning of the laboratories.

Inherent in the work of the weapons laboratories, of course, is the basic tension between scientific inquiry, which thrives on freewheeling searches for and wide dissemination of information, and governmental secrecy, which requires just the opposite. But the historical context in which the labs were created and thrived has also figured into their subsequent problems with security.

AN INTERNATIONAL ENTERPRISE

U.S. research laboratories have always had a tradition of drawing on immigrant talent. Perhaps the first foreign–born contributor to our nation’s nuclear program was Albert Einstein.
In his letter to President Roosevelt on August 2, 1939, Einstein advised the President of the possibility of the atomic bomb and the urgent need for government action. By 1943, the ranks of the Manhattan project at Los Alamos, New Mexico were filled with scientists and engineers from Italy (Fermi), Germany (Bethe), Poland (Ulam), Hungary (Wigner, Szilard, Von Neumann, and Teller), Russia (Kistiakowsky) and Austria (Rabi). Indeed, it is possible that the atomic bomb would never have been completed but for immigrant talent, and the diversity of talent applied to the project was hailed at the time as a model of international cooperation. Eleanor Roosevelt, in a 1945 radio address, declared that the development of the atomic bomb by “many minds belonging to different races and different religions sets the pattern for the way in which in the future we may be able to work out our difficulties.”[2]

The role of and reliance on immigrant talent in the United States—particularly at the graduate school and doctoral levels where much of the nation’s research is performed—has increased over the years. From 1975 to 1992, the aging of America’s baby boomers resulted in a decline in the overall size of the college–age population and, unlike other industrialized nations, the U.S. saw a decline in the number of American students receiving science and engineering degrees.[3] From the 1950s until 1995, the number of non–U.S. citizens who earned doctorates in scientific and engineering fields from American universities steadily climbed, reaching 27 percent by 1985 and 40 percent by 1995. Two–thirds of those receiving those doctorates in 1995 held temporary residency visas, and Chinese doctoral recipients outnumbered recipients from all other regions combined.[4]

But the willingness to draw on foreign talent also has meant a greater risk of falling prey to those with foreign allegiances.
One of the earliest and most infamous espionage scandals at the nation’s nuclear laboratories was centered on the physicist Klaus Fuchs, a German native and naturalized British citizen who spied on researchers at Los Alamos for the Soviet Union. More recent instances of actual and alleged foreign espionage at the nuclear weapons laboratories are detailed in the Classified Appendix to this report.

As growth of the U.S. talent pool in science and engineering stagnated, and the amount of available talent abroad grew rapidly, the U.S. has had to rely on more foreign–born talent in national scientific research and development programs in order to maintain the best research facilities in the world. At the same time, since the end of the Cold War, DOE has entered into more extensive cooperative programs with foreign nations in efforts to reduce the threats of proliferation and diversion of nuclear weapons material. By June 1990, DOE had entered into 157 bilateral research and development agreements for scientific exchange purposes. Among others, parties to the agreements were the Soviet Union, the People’s Republic of China, Soviet bloc nations and countries that posed nuclear proliferation threats.[5] In December 1990, a report to the DOE Secretary noted “a high probability of greatly increasing numbers of foreign visits and assignments to DOE facilities in future years.”[6]

The widening of foreign contacts concurrent with a greater influx of foreign–born talent has raised concerns about security compromises by scientists with foreign allegiances and highlighted the need for special care in implementing formal clearance procedures for involvement in classified work.

BIG, BYZANTINE, AND BEWILDERING BUREAUCRACY

DOE is not one of the federal government’s largest agencies in absolute terms, but its organizational structure is widely regarded as one of the most confusing.
That is another legacy of its origins, and it has made the creation, implementation, coordination, and enforcement of consistent policies very difficult over the years.

The effort to develop the atomic bomb was managed through an unlikely collaboration of the Manhattan Engineering District of the U.S. Army Corps of Engineers (hence the name, “the Manhattan Project”) and the University of California—two vastly dissimilar organizations in both culture and mission. The current form of the Department took shape in the first year of the Carter Administration through the merging of more than 40 different government agencies and organizations, an event from which it has arguably never recovered.

The newly created DOE subsumed the Federal Energy Administration, the Energy Research and Development Administration (ERDA), the Federal Power Commission, and components and programs of several other government agencies. Included were the nuclear weapons research laboratories that were part of the ERDA and, formerly, of the Atomic Energy Commission. Many of these agencies and organizations have continued to operate under the DOE umbrella with the same organizational structure that they had prior to joining the Department.

Even before the new Department was created, concerns were raised about how high the nuclear weapons–related operations would rank among the competing priorities of such a large bureaucracy. A study of the issue completed in the last year of the Ford Administration considered three alternatives: shifting the weapons operations to the Department of Defense, creating a new freestanding agency, or keeping the program within ERDA—the options still being discussed more than 20 years later. As one critic of the DOE plan told The Washington Post, “Under the AEC, weapons was half the program. Under ERDA, it was one–sixth. Under DOE, it will be one–tenth.
It isn’t getting the attention it deserves.” Although the proportions cited by that critic would prove to be inaccurate, he accurately spotted the direction of the trend.

_____________________________________

The DOE Management Challenge

MISSION

· Lead agency for development of national energy resources and technologies.
· Responsible for the largest environmental cleanup effort in history.
· Nuclear energy and weapons research and development.
· Management of special nuclear materials stockpiles.
· Protection of highly sensitive classified and proprietary information against foreign and corporate espionage.

SIZE

· If included among the Nation’s Fortune 500 firms, would rank in the top 50.
· The fourth largest landowner in the United States.
· Budget of roughly $18 billion comprises close to 3 percent of total discretionary spending at the federal level.
· Employs more than 11,000 Federal employees and more than 100,000 contract employees.
· Owns and manages more than 50 major installations spread across 2.4 million acres and 35 states.

COMPLEXITY

· A diverse workforce of military and civilian personnel; U.S. citizens and foreign nationals; career federal officials and part-time researchers; white collar bureaucrats as well as scientists and engineers specializing in narrow esoteric fields.
· Constituencies include the White House, Congress, the power industry, multinational defense and aerospace corporations, major universities, states and municipalities seeking or monitoring environmental cleanups.

During 1978, its first year of operation within the new structure, DOE already had in place more than 9,500 prime contracts and more than 1,800 financial assistance awards, which together were spread among 188 universities and more than 3,200 contractors.
And the Department was growing: from 1977 to 1978, grants and contracts with university researchers posted an increase of 22 percent.[7]

LACK OF ACCOUNTABILITY

Depending on the issue at hand, a line worker in a DOE facility might be responsible to DOE headquarters in Washington, a manager in a field office in another state, a private contractor assigned to a DOE project, a research team leader from academia, or a lab director on another floor of the worker’s building. For example, prior to Secretary Richardson’s restructuring initiative earlier this year, a single laboratory, Sandia, was managed or accountable to nine different DOE security organizations.

Last year, after years of reports highlighting the problem of confused lines of authority, DOE was still unable to ensure the effectiveness of security measures because of its inability to hold personnel accountable. A 1998 report lamented that “short of wholesale contract termination, there did not appear to be adequate penalty/reward systems to ensure effective day–to–day security oversight at the contractor level.”[8]

The problem is not only the diffuse nature of authority and accountability in the Department. It is the dynamic and often informal character of the authority that does exist. The inherently unpredictable outcomes of major experiments, the fluid missions of research teams, the mobility of individual researchers, the internal competition among laboratories, the ebb and flow of the academic community, the setting and onset of project deadlines, the cyclical nature of the federal budgeting process, and the shifting imperatives of energy and security policies dictated from the White House and Congress—all of these dynamic variables contribute to volatility in the Department’s workforce and an inability to give the weapons–related functions the priority they deserved.
Newcomers, as a result, have an exceedingly hard time when they are assimilated; incumbents have a hard time in trying to administer consistent policies; and outsiders have a hard time divining departmental performance and which leaders and factions are credible. Such problems are not new to government organizations, but DOE’s accountability vacuum has only exacerbated them.

Management and security problems have recurred so frequently that they have resulted in nonstop reform initiatives, external reviews, and changes in policy direction. As one observer noted in Science magazine in 1994: “Every administration sets up a panel to review the national labs. The problem is that nothing is done.” The constant managerial turnover over the years has generated nearly continuous structural reorganizations and repeated security policy reversals. Over the last dozen years, DOE has averaged some kind of major departmental shake–up every two to three years. During that time, security and counterintelligence responsibilities have been “punted” from one office to the next.

CULTURE AND ATTITUDES

In the course of this inquiry, many officials interviewed by the PFIAB panel cited the scientific culture of the weapons laboratories as a factor that complicates, perhaps even undermines, the ability of the Department to consistently implement its security procedures. Although there seemed to be no universally accepted definition of the culture, nearly everyone agreed that it is distinct and pervasive. One facet of the culture mentioned more than others is an arrogance borne of the simple fact that nuclear researchers specialize in one of the world’s most advanced, challenging, and esoteric fields of knowledge. Nuclear physicists, by definition, are required to think in literally other dimensions not accessible to laymen.
Thus it is not surprising that they might bridle under the restraints and regulations of administrators and bureaucrats who do not entirely comprehend the precise nature of the operation being managed. Operating within a large, complex bureaucracy with transient leaders would only tend to accentuate a scientist’s sense of intellectual superiority: if administrators have little more than a vague sense of the contours of a research project, they are likely to have little basis to know which rules and regulations constitute unreasonable burdens on the researchers’ activities.

With respect to at least some security issues, the potential for conflicts over priorities is obvious. For example, how are security officials to weigh the risks of unauthorized disclosures during international exchanges if they have only a general familiarity with the cryptic jargon used by the scientists who might participate?

The prevailing culture of the weapons labs is widely perceived as contributing to security and counterintelligence problems. At the very least, restoring public confidence in the ability of the labs to protect nuclear secrets will require a thorough reappraisal of the culture within them.

CHANGING TIMES, CHANGING MISSIONS

The external pressures placed on the Department of Energy in general, and the weapons labs in particular, are also worth noting. For more than 50 years, America’s nuclear researchers have operated in a maelstrom of shifting and often contradictory attitudes. In the immediate aftermath of World War II, nuclear discoveries were simultaneously hailed as a destructive scourge and a panacea for a wide array of mankind’s problems. The production of nuclear arms was regarded during the 1950s and 1960s as one of the best indices of international power and the strength of the nation’s military deterrent.
During the 1970s, the nation’s leadership turned to nuclear researchers for solutions to the energy crisis at the same time that the general public was becoming more alarmed about the nuclear buildup and the environmental implications of nuclear facilities. Over the past 20 years, some in Congress have repeatedly called for the dissolution of the Department of Energy, which has undoubtedly been a distraction to those trying to make long–term decisions affecting the scope and direction of the research at the labs. And in the aftermath of the Cold War, the Congress has looked to the nation’s nuclear weapons labs to help in stabilizing or dismantling nuclear stockpiles in other nations.

Each time that the nation’s leadership has made a major change in the Department’s priorities or added another mission, it has placed additional pressure on a government agency already struggling to preserve and expand one of its most challenging historical roles: guarantor of the safety, security, and reliability of the nation’s nuclear weapons.

RECURRING VULNERABILITIES

Over the past 20 years, six DOE security issues have received the most scrutiny and criticism from both internal and external reviewers: long–term security planning and policy implementation; physical security over facilities and property; screening and monitoring of personnel; protection of classified and sensitive information, particularly information that is stored electronically in the Department’s computers; accounting for nuclear materials; and the foreign visitors’ programs.

MANAGEMENT AND PLANNING

Management of security and counterintelligence has suffered from chronic problems since the creation of the Department of Energy in 1977. During the past decade, the mismatch between DOE’s security programs and the severity of the threats faced by the Department grew more pronounced.
While the number of nations possessing, developing, or seeking weapons of mass destruction continued to rise, America’s reliance on foreign scientists and engineers dramatically increased, and warnings mounted about the espionage goals of other nations, DOE spending on safeguards and security decreased by roughly one–third.1

The widening gap between the level of security and the severity of the threat resulted in cases where sensitive nuclear weapons information was certainly lost to espionage. In countless other instances, such information was left vulnerable to theft or duplication for long periods, and the extent to which these serious lapses may have damaged American security is incalculable. DOE’s failure to respond to warnings from its own analysts, much less independent sources, underscores the depth of its managerial weakness and inability to implement legitimate policies regarding well–founded threats.

_________________________________________
A Sample of Security Issues

MANAGEMENT AND PLANNING
  - Decentralized decisionmaking undermines consistency of policies.
  - Lack of control for security budget has allowed diversion of funds to other priorities.
  - Department leaders with little experience in security and intelligence.
  - Lack of accountability.

PHYSICAL SECURITY
  - Training insufficient for some security personnel.
  - Nuclear materials stored in aging buildings not designed for containment purposes.
  - Recurring problems involving lost or stolen property.
  - Poor management results in unnecessary training and purchasing costs.

PERSONNEL SECURITY CLEARANCES
  - Extended lags in obtaining clearances, reinvestigating backgrounds, and terminating clearance privileges for former employees.
  - Some contractors not adequately investigated or subject to drug & substance abuse policies.
  - Lack of uniform procedures and accurate data.
  - Inadequate pre–employment screening.
  - More clearances granted than necessary.

PROTECTION OF CLASSIFIED INFORMATION
  - Poor labeling and tracking of computer media containing classified information.
  - Problems with lax enforcement of password policies.
  - Network, email, and Internet connections make transfer of large amounts of data easier.

ACCOUNTING FOR NUCLEAR MATERIALS
  - Chronic problems in devising and operating an accurate accounting system of tracking stocks and flows of nuclear materials.

FOREIGN VISITORS
  - Weak systems for tracking visits and screening backgrounds of visiting scientists.
  - Decentralization makes monitoring of discussions on sensitive topics difficult.
_________________________________________

During the mid–1980s, the predominant concern of DOE officials was improving the physical security of the nuclear weapons laboratories and plants. Following a January 1983 report2 that outlined vulnerabilities of the weapons labs to terrorism, the Department embarked on a five–year program of construction and purchases that would see its overall safeguards and security budget roughly double and its spending on upgrades nearly triple. Included was money for additional guards, security training, helicopters, fortified guard towers, vehicle barriers, emergency planning, and advanced alarm systems.3

Improving physical security in a wide array of nuclear weapons facilities whose replacement value was an estimated $100 billion4 proved to be difficult. Reports through the late 1980s and early 1990s continued to highlight deficiencies in the management of physical security.

In the late 1980s, priorities began to shift somewhat. Listening devices were discovered in weapons–related facilities,5 and a 1990 study advised the Department leadership of an intensifying threat from foreign espionage. Less and less able to rely on the former Soviet Union to supply technology and resources, an increasing number of states embarked on campaigns to bridge the economic and technological gap with the United States by developing indigenous capabilities in high technology areas.
The study noted that the freer movement of goods, services and information in a less hostile world “intensified the prospects and opportunities for espionage as missing pieces of critically needed information became more easily identified.”6 An intelligence report further highlighted the changing foreign threat to the labs by noting that “new threats are emerging from nontraditional adversaries who target issues key to U.S. national security. DOE facilities and personnel remain priority targets for hostile intelligence collection.”7

Anecdotal evidence corroborates, and intelligence assessments agree, that foreign powers stepped up targeting of DOE during the early 1990s. (See Classified Appendix)

While this threat may have been taken seriously at the highest levels of the DOE, it was not uniform throughout the Department. A former FBI senior official noted in discussions with the PFIAB investigative panel that DOE lab scientists during these years appeared naive about the level of sophistication of the nontraditional threat posed by Chinese intelligence collection.

The trend in openness to foreign visitors and visits does not indicate any sense of heightened wariness. A 1997 GAO report concluded that from mid–1988 to the mid–1990s, the number of foreign visitors to key weapons labs increased from 3,800 to 5,900 annually and sensitive country visitors increased from 500 to more than 1,600.8 Meanwhile, the DOE budget for counterintelligence was in near–constant decline.

_________________________________________
How Long Does It Take?

Each year DOE security officials compile audits to identify security lapses and vulnerabilities in the facilities and procedures of the nuclear weapons laboratories and plants. The following year, they report on whether the problems have been addressed. Given the sensitivity of what was being protected—information about how to build, miniaturize, store, and maximize the destructiveness of nuclear weapons—the numbers logged in the audits are remarkable:

  11  No. of months a DOE employee was dead before Department officials realized four documents with CLASSIFIED and RESTRICTED DATA were still assigned to him.
  20  No. of months before DOE officials could ensure that improperly stored classified computer media had been properly safeguarded.
  24  No. of months it took to order security labels (SECRET, TOP SECRET, etc.) for mislabeled software.
  31  No. of months that 2,750 out of 3,000 non-classified computer terminals were connected and being used on a classified network.
  31  No. of months to write and approve a network security plan.
  35  No. of months it took DOE officials to write a work order to replace a lock at a weapons lab facility containing sensitive nuclear information.
  45  No. of months taken to correct a broken doorknob that was sticking in an open position and allowing access to sensitive areas.
  51  No. of months to correct mistake that allowed secure telephone cryptographic materials to go improperly safeguarded.
  ?   No. of months before security audit team discovered that the main telephone frame room door at a weapons lab had been forced open and the lock destroyed.

SOURCE: DEPT. OF ENERGY
_________________________________________

As noted in the previous chapter, federal officials in charge of oversight of nuclear weapons laboratories have historically allowed decisionmaking on basic aspects of security to be decentralized and diffuse. With their budget spread piecemeal throughout a number of offices, security and counterintelligence officials often found themselves with a weak voice in internal bureaucratic battles and an inability to muster the authority to accomplish their goals. Indeed, an excerpt from a history of the early years of the Atomic Energy Commission reads much like recent studies:

Admiral Gingrich, who had just resigned as director of security [in 1949], had expressed to the Joint Committee [on Atomic Energy] a lack of confidence in the Commission’s security program.
Gingrich complained that decentralization of administrative functions to the field offices had left him with little more than a staff function at headquarters; even there, he said, he did not control all the activities that seemed properly to belong to the director of security.9

More than 30 years later, decentralization still posed a problem for security managers. An internal DOE report in 1990 found that the Department lacked a comprehensive approach to management of threats and dissemination of information about them.10 A DOE annual report in 1992 found that security “has suffered from a lack of management focus and inconsistent procedural execution throughout the DOE complex. The result is that personnel are seldom held responsible for their disregard, either intentional or unintentional, of security requirements.”11

The counterintelligence effort at DOE in the late 1980s and mid–1990s was in its infancy and grossly underfunded. Although the Department could have filled its gap in some areas, such as counterintelligence information, through cooperation with the broader intelligence community, PFIAB research and interviews indicate that DOE headquarters’ relationship with the FBI—the United States’ primary domestic CI organization—was strained at best. DOE requested an FBI agent detailee in 1988 to assist in developing a CI program, but the agent found that DOE failed to provide management support or access to senior DOE decisionmakers. A formal relationship with the FBI was apparently not established until 1992: a Memorandum of Understanding between the FBI and DOE on respective responsibilities concerning the coordination and conduct of CI activities in the United States.
However, in 1994 two FBI detailees assigned to DOE complained about their limited access and were pulled back to FBI because of a “lack of control of the CI program by DOE headquarters which resulted in futile attempts to better manage the issue of foreign visitors at the laboratories.”12

________________________________
We asked a number of DOE officials to whom they report, to whom they were responsible. Invariably, their answer was: “It depends.”
________________________________

The haphazard assortment of agencies and missions folded into DOE has become so confusing as to become a running joke within the institution. In the course of the panel’s research and interviews, rare were the senior officials who expressed any sort of confidence in their understanding of the extent of the agency’s operations, facilities, or procedures. Time and again, PFIAB panel members posed the elementary questions to senior DOE officials. To whom do you report? To whom are you accountable? The answer, invariably, was: “It depends.”

DOE’s relationship with the broader intelligence community was not well–defined until the mid–1990s. Coordination between DOE CI elements and the broader intelligence community, according to a 1992 intelligence report, was hampered from the 1980s through the early 1990s by DOE managers’ inadequate understanding of the intelligence community.13 The Department did not become a core member of the National Counterintelligence Policy Board (established in 1994 under PDD-24) until 1997.

Over much of the past decade, rather than a heightened sensitivity to espionage threats recognized widely throughout the intelligence community, DOE lab officials have operated in an environment that allowed them to be sanguine, if not skeptical.
Numerous DOE officials interviewed by the PFIAB panel stated that they believed that the threat perception was weakened further during the administration of Secretary O’Leary, who advanced the labs’ openness policies and downgraded security as an issue by terminating some security programs instituted by her predecessor. Even when the CI budget was expanded in the late–1990s, the expenditures fell short of the projected increases. In Fiscal Year 1997, for example, DOE’s CI budget was $3.7 million but the actual expenditures on CI were only two–thirds of that level, $2.3 million. Shortly before the 1997 GAO and FBI reports on DOE’s counterintelligence posture were issued, DOE began instituting changes to beef up its counterintelligence and foreign intelligence analytic capabilities.14

When DOE did devote its considerable resources to security, it too often faltered in implementation. A report to the Secretary in January 1994 noted “growing confusion within the Department with respect to Headquarters’ guidance for safeguards and security. At this time, there is no single office at Headquarters responsible for the safeguards and security program. Most recently, a number of program offices have substantially expanded their safeguards and security staff to office–size organizations. These multiple safeguards and security offices have resulted in duplication of guidance, unnecessary requests for information and clarification, and inefficient program execution. Unchecked, this counterproductive tendency threatens the success of the overall safeguards and security effort.”15

A 1996 DOE Inspector General report found that security personnel at the weapons programs had purchased and stockpiled far more firepower—ranging from handguns and rifles to submachine guns and grenade launchers—than could ever be used in an actual emergency. The Oak Ridge facilities had more than three weapons per armed security officer—on and off duty.
Los Alamos National Laboratory had more than four.16

____________________________________
Foreign agents could probably not shoot their way into U.S. weapons laboratories. But they could apply for an access pass to walk in and strike up a conversation.
____________________________________

Around the same time, GAO security audits of the research laboratories at these sites found lax procedures for issuing access passes to secure areas, inadequate prescreening of the more than 1,500 visitors from sensitive countries that visited the weapons laboratories annually, and poor tracking of the content of discussions with foreign visitors. The implication: foreign agents could probably not shoot their way past the concertina wires and bolted doors to seize secrets from U.S. weapons laboratories, but they would not need to do so. They could probably apply for an access pass, walk in the front door, and strike up a conversation.

PHYSICAL SECURITY

The physical security of the Department of Energy’s weapons–related programs is roughly divided into two essential functions: tracking and control over the property and equipment within the weapons-related laboratories, and keeping unwarranted intruders out, often referred to as the realm of “guns, guards, and gates.”

The general approach to security, of course, was defined by the emphasis on secrecy associated with nuclear weapons program during World War II. Los Alamos National Laboratory was created as a “closed city”—a community with a high degree of self-sufficiency, clearly defined and protected boundaries, and a minimum of ingress from and egress to the outer world. Although the community is no longer “closed,” the weapons laboratories at Los Alamos, like those at the other national laboratories, still retain formidable physical protections and barriers.
In examining the history of the laboratories, the panel found only a few instances where an outsider could successfully penetrate the grounds of an operation by destruction of a physical safeguard or direct violent assault.

__________________________________
Clearances to secure DOE areas have been granted simply for convenience, such as to reduce the length of an employee’s walk from the car to the office each morning.
__________________________________

In visits to several of the weapons laboratories, the members of the Special Investigative Panel were impressed by the great amount of attention and investment devoted to perimeter control, weaponry, and security of building entrances and exits. Indeed, one cannot help but be struck by the forbidding and formidable garrison–type atmosphere that is prevalent at many of the facilities: barbed wire, chain–link fences, electronic sensors, and surveillance cameras. Further, the panel recognizes that the labs themselves have developed and produced some of the most sophisticated technical security devices in the world. Nonetheless, DOE reports and external reviews since at least 1984 have continued to raise concerns about aging security systems.17

Management of the secure environments at the laboratories has posed more serious problems. As noted earlier, DOE may be spending too much money in some areas, buying more weapons than could conceivably be used in an emergency situation. In other cases, it may be spending too little. Budget cuts in the early and mid-1990s led to 40 to 50 percent declines in officer strength and over-reliance on local law enforcement.
Resources became so low that normal protective force operations required “the use of overtime scheduling to accomplish routine site protection.”18 GAO has found an assortment of problems at Los Alamos over the past decade: security personnel failed basic tests in such tasks as firing weapons, using a baton, or handcuffing a suspect, and inaccurate and incomplete records were kept on security training.19

Other DOE facilities have had substantial problems in management of physical property. In 1990, Lawrence Livermore Laboratory could not account for 16 percent of its inventory of government equipment, acquired at a cost of $18.6 million.20 In 1993, DOE sold 57 components of nuclear reprocessing equipment and associated documents, including blueprints, to an Idaho salvage dealer. Much of what was sold was subsequently found to be potentially useful to any nation attempting to develop or advance its own reprocessing operation.21 Following a GAO report in 1994, which found that the Rocky Flats facility was unable to account for large pieces of equipment such as forklifts and a semitrailer, some $21 million in inventory was written off.22

DOE had begun to consolidate its growing stockpile of sensitive nuclear material by 1992, but a 1997 DOE report to the Secretary found that significant quantities of the material “remain in aging buildings and structures, ranging in age from 12 to 50 years, that were never intended for use as storage facilities for extended periods.”23

SCREENING AND MONITORING OF PERSONNEL

Insider threats to security have been a chronic problem at the nation’s weapons laboratories. From the earliest years, the importance of the labs’ missions and their decentralized structure have had an uneasy coexistence with the need for thorough background investigations of researchers and personnel needing access to sensitive areas and information.
In 1947, the incoming director of security for the AEC was greeted with a backlog of more than 13,000 background investigations and a process where clearances had been dispersed to field offices that operated with few formal guidelines.24 Forty years later, GAO found that the backlog of personnel security investigations had increased more than nine-fold, to more than 120,000. Moreover, many clearances recorded as valid in the Department’s records should have been terminated years before.25

____________________________________
Even after DOE discovered listening devices in some of its weapons laboratories, security audits found that thousands of “Q” clearances were being given to inappropriate personnel.26
____________________________________

The research of the PFIAB panel found that problems with personnel security clearances, while mitigated in some aspects, have persisted to an alarming degree. From the mid–1980s through the mid–1990s, the DOE Inspector General repeatedly warned Department officials that personnel were receiving clearances that were much higher than warranted and that outdated clearances were not being withdrawn on a timely basis. The issue became more urgent with the discovery of a clandestine surveillance device at a nuclear facility.27 But problems persisted. DOE Inspector General reports in 1990 and 1991 found that one of the weapons laboratories had granted “Q” clearances (which provide access to U.S. government nuclear weapons data) to more than 2,000 employees who did not need access to classified information.28 A 1992 report to the Secretary of Energy noted that “DOE grants clearances requested by its three major defense program sponsored labs based on lab policies to clear all employees regardless of whether actual access to classified interests is required for job performance.”29 Three years later, a review of personnel security informed the Secretary there were “individuals who held security clearances for convenience only and limited security clearances to those individuals requiring direct access to classified matter or [special nuclear materials] to perform official duties.”30

More recent evidence is no more reassuring. A counterintelligence investigation at a nuclear facility discovered that the subject of an inquiry had been granted a “Q” clearance simply to avoid the delay caused by the normal processing of a visit.31 That same year, an illegal telephone wiretap was discovered at the same lab. The employee who installed it confessed, but was not prosecuted by the government.32

PROTECTION OF CLASSIFIED AND SENSITIVE INFORMATION

Two vulnerabilities regarding classified and sensitive information at DOE have recurred repeatedly throughout the past 20 years: inappropriate release of classified information, either directly through inadvertence or indirectly through improper declassification; and the increasing mobility of classified and sensitive information through electronic media, such as computers.

As computers have progressed from the large mainframes of the 1950s and 1960s to desktop models in the 1980s and decentralized networks in the 1990s, it has become progressively easier for individuals to retrieve and transport large amounts of data from one location to another. This has presented an obvious problem for secure environments.
GAO found in 1991 that DOE inspections revealed more than 220 security weaknesses in computer systems across 16 facilities. Examples included a lack of management plans, inadequate access controls, and failures to test for compliance with security procedures.33 As a 1996 DOE report to the President said, “adversaries no longer have to scale a fence, defeat sensors, or bypass armed guards to steal nuclear or leading–edge ‘know-how’ or to shut down our critical infrastructure. They merely have to defeat the less ominous obstacles of cyber–defense.”34

_____________________________________
Computer systems at some DOE facilities were so easy to access that even Department analysts likened them to “automatic teller machines, [allowing] unauthorized withdrawals at our nation’s expense.”
_____________________________________

DOE’s cyber–defenses were, in fact, found to be “less ominous obstacles.” In 1994, an internal DOE review found that despite security improvement “users of unclassified computers continue to compromise classified information due to ongoing inadequacies in user awareness training, adherence to procedures, enforcement of security policies, and DOE and [lab] line management oversight.”35 Also in 1994, a report to the Energy Secretary cited five areas of concern: “failure to properly accredit systems processing classified information, lack of controls to provide access authorities and proper password management; no configuration management; improper labeling of magnetic media; and failure to perform management reviews.”36 Apparently, the warnings were to no avail.
A year later, the annual report to the Secretary noted: “Overall, findings and surveys, much like last year, continue to reflect deficiencies in self–inspections and procedural requirements or inappropriate or inadequate site guidance … In the area of classified matter protection and control, like last year, marking, accountability, protection, and storage deficiencies are most numerous.”37

Some reports made extra efforts to puncture through the fog of bureaucratic language. A 1995 report to the President said: “By placing sensitive information on information systems, we increase the likelihood that inimicable interests, external and internal, will treat those systems as virtual automatic teller machines, making unauthorized withdrawals at our nation’s expenses.” Indeed, a report found security breaches at one of the major weapons facilities in which documents with unclassified but sensitive information “were found to be stored on systems that were readily accessible to anyone with Internet access.”38 In other instances, personnel were found to be sending classified information to outsiders via an unclassified email system.39

_____________________________________
Ahead of its Time

In 1986, the DOE Office of Safeguards and Quality Assessment issued an inspection report on a weapons lab that warned of shortcomings in computer security and noted that the “ability of [a] user to deliberately declassify a classified file without detection and move classified information from the secure partition to the open partition can be made available to any authorized user either on or off site.”40 The warning turned out to be on the mark. In April of this year, Energy Secretary Bill Richardson issued a statement: “While I cannot comment on the specifics, I can confirm that classified nuclear weapons computer codes at Los Alamos were transferred to an unclassified computer system. This kind of egregious security breach is absolutely unacceptable ...”
_____________________________________

Even though the hard evidence points to only sporadic penetrations of the labs by foreign intelligence services (see classified appendix), volumes of sensitive and classified information may have been lost over the years—via discarded or purloined documents; uninformed and often improperly vetted employees, and a maze of uncontrolled computer links. In one recent case discovered by PFIAB, lab officials initially refused to rectify a security vulnerability because “no probability is assigned to [a loss of sensitive information], just the allegation that it is possible.”41 As recently as last year’s annual DOE report to the President, security analysts were finding “numerous incidents of classified information being placed on unclassified systems, including several since the development of a corrective action plan in July 1998.”42

TRACKING OF NUCLEAR MATERIALS: HOW MUCH MUF?

MUF stands for “materials unaccounted for,” the official term used until the late 1970s for discrepancies in the amount of nuclear materials that can be physically located in inventory versus the amount noted in Department records. MUF (now termed with the more politic phrase “inventory differences”) has been a recurring concern—and debate—in the nuclear research field since the beginning. The question at the center of the debate: if large quantities of nuclear material are impossible to measure with absolute precision, what constitutes a significant loss?

As in many questions, the answer depends on whom you ask. Officials of nuclear research facilities have argued that the scale and complexity of the processing and handling of nuclear material inevitably result in losses that are detectable but inconsequential. Outside observers have tended to be less sanguine about what constitutes a significant loss from a security standpoint.
In 1976, the General Accounting Office reported that the Nuclear Regulatory Commission and the Energy Research and Development Administration (DOE’s predecessor) could not account for 8,000 pounds of highly enriched uranium and plutonium. Officials of the two agencies responded that part of the accounting discrepancy could be ascribed to the statistical margin of error in their measuring equipment, the rest was probably dregs created during processing and left in machinery parts, wiping cloths, and scrap items.43

Critics of the agencies have pointed out that thieves could easily use the variance in statistical measures to cover their tracks, stealing an increment during each measuring period that falls just within the margin of error. They have also pointed out that if Department records are not accurate, it is impossible for anyone to estimate the stock of nuclear material at any given point, much less the difference between two levels as it proceeds from one stage of the nuclear cycle to the next.

In December 1994, the Department released updated figures for the cumulative amount of MUF or inventory difference for the 50-year period beginning in 1944. The cumulative figure: 6,174 pounds. Of that amount, a cumulative total of about 10 pounds was ascribed to “accidental losses” and “approved write-offs.”44

GAO has continued to highlight the issue since DOE has become the steward of the nation’s nuclear weapons laboratories. GAO published a report in 1991 criticizing the insufficiency of the Department’s measuring systems and handling procedures;45 in 1994, criticizing its methods of tracking exported nuclear material;46 and in 1995, for installing a new system that was allegedly faulty.47 Even if accurate systems of measurement and accounting had been in place, it is not clear whether DOE officials would have been qualified to manage them effectively.
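The critics’ point above is that a per-period inventory difference sitting inside the measurement margin tells an auditor nothing by itself; the standard answer on the accounting side is to test the running total as well, because independent measurement errors grow only as the square root of the number of periods while a steady loss grows linearly. The Python below is an added illustration written for this reprint, not part of the PFIAB report and not any DOE accounting system; the 0.5 kg measurement uncertainty, the twelve per-period errors and the function names are constructed for the example. It also generalises slightly past the text by computing how many periods a given steady loss can survive the cumulative limit.

```python
import math

# Constructed one-sigma measurement uncertainty for a period's physical inventory (kg).
SIGMA_KG = 0.5

# Constructed per-period measurement errors (kg) for twelve accounting periods, each
# inside the 2-sigma tolerance of +/- 1.0 kg that a single-period check would apply.
MEASUREMENT_ERRORS = [0.3, -0.5, 0.5, -0.2, 0.1, -0.6, 0.4, -0.3, 0.5, -0.1, 0.2, -0.4]


def period_differences(loss_per_period, errors=MEASUREMENT_ERRORS):
    """Per-period inventory difference (book minus measured, the report's "MUF"):
    the material actually removed that period plus that period's measurement error."""
    return [loss_per_period + e for e in errors]


def within_tolerance(diffs, sigma=SIGMA_KG, k=2.0):
    """The single-period check the facilities relied on: every difference inside +/- k*sigma."""
    return all(abs(d) <= k * sigma for d in diffs)


def cumulative_alarm(diffs, sigma=SIGMA_KG, k=2.0):
    """Cumulative-sum check. The sum of n independent errors has standard deviation
    sigma*sqrt(n), so the limit grows like sqrt(n) while a steady loss grows like n.
    Returns the 1-based period in which the running total first exceeds the limit, or None."""
    total = 0.0
    for n, d in enumerate(diffs, start=1):
        total += d
        if abs(total) > k * sigma * math.sqrt(n):
            return n
    return None


def periods_to_detect(loss_per_period, sigma=SIGMA_KG, k=2.0):
    """Expected number of periods (ignoring noise) before a steady loss crosses the
    cumulative limit: the smallest n with n*loss > k*sigma*sqrt(n), i.e. n > (k*sigma/loss)**2.
    None when there is no loss."""
    if loss_per_period <= 0:
        return None
    return math.floor((k * sigma / loss_per_period) ** 2) + 1


def audit(loss_per_period):
    """Run both checks on one constructed scenario and return the results."""
    diffs = period_differences(loss_per_period)
    return {
        "every_period_in_tolerance": within_tolerance(diffs),
        "cumulative_difference_kg": round(sum(diffs), 3),
        "cumulative_alarm_period": cumulative_alarm(diffs),
    }


if __name__ == "__main__":
    # Honest operation (loss 0.0) passes both checks; a steady 0.4 kg per period
    # passes every single-period check yet trips the cumulative limit in period 7.
    for loss in (0.0, 0.4):
        print(f"loss per period {loss} kg -> {audit(loss)}")
```

The single-period tolerance is the one both sides of the MUF debate argue over; the cumulative limit is what makes “just within the margin of error” a bounded rather than an indefinite condition, and periods_to_detect gives the auditor a concrete figure for how long a given loss rate could go unremarked under a given measurement quality.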
A 1995 report to the President warned that “severe budget reductions, diminished technical resources, increased responsibilities, and reduced mission training ... have undermined protection of special nuclear material and restricted data.”48 Last year, a report by an external review panel found “a lack of nuclear physical security expertise at all levels in the oversight process; ad hoc structuring of safeguards and security functions throughout the Department, and placement of oversight functions in positions which constrain their effectiveness.”49

The dispute over the accuracy of nuclear measurements, of course, is beyond the technical capabilities of this panel to resolve. But the panel members do believe that its persistence and the low priority given to the issue relative to other DOE scientific goals is indicative of the institutional attitude that DOE has had toward security: nonscientists have a poor understanding of all things nuclear, so their judgments about acceptable levels of risk are suspect prima facie.

FOREIGN VISITORS AND ASSIGNMENTS PROGRAM

True to the tradition of international partnership molded by the experiences of the Manhattan Project, the weapons labs have remained a reservoir of the best international scientific talent. Recent examples abound: a supercomputing team from Oak Ridge National Lab, made up of three PRC citizens and a Hungarian, recently won the Gordon Bell Prize; a Bulgarian and a Canadian, both world-class scientists, are helping Lawrence Livermore National Lab solve problems in fluid dynamics; a Spanish scientist, also at Livermore, is collaborating with colleagues on laser propagation.

But for more than a decade, the increasing prominence of foreign visitors in the weapons labs has increased concern about security risks. The PFIAB panel found that as early as 1985, the DCI raised concerns about the foreign visitors’ program with the Energy Secretary.
A year later, researchers conducting an internal DOE review could find only scant data on the number and composition of foreign nationals at the weapons labs. Although intelligence officials drafted suggestions for DOE’s foreign visitor control program, PFIAB found little evidence of reform efforts until the tenure of Secretary Watkins.

A 1988 GAO report cited DOE for failing “to obtain timely and adequate information on foreign visitors before allowing them access to the laboratories.” The GAO found three cases where DOE allowed visitors with questionable backgrounds—possible foreign agents—access to the labs. In addition, the GAO found that about 10 percent of 637 visitors from sensitive countries were associated with foreign organizations suspected of conducting nuclear weapons activities but DOE did not request background data on them prior to their visit. DOE also had not conducted its own review of the visit and assignment program at the weapons labs despite the DOE requirement to conduct audits or reviews at a minimum of every five years. Moreover, GAO reported that few post–visit or host reports required by DOE Order 12402 were submitted within 30 days of the visitors’ departure and some were never completed.50

The following year, DOE revised its foreign visitor policy and commissioned an external study on the extent and significance of the foreign visitor problem. DOE’s effort to track and vet visitors, however, still lagged well behind the expansion of the visitor program, allowing foreigners with suspicious backgrounds to gain access to weapons facilities. A study published in June 1990 indicated DOE had a “crippling lack of essential data, most notably no centralized, retrievable listing of foreign national visitors to government facilities.”51 By September 1992, DOE had instituted the Visitor Assignment Management System (VAMS) databases, used to track visitors and assignees requesting to visit DOE.
The system, however, failed to provide links between the labs that could be used for CI analysis and cross-checking of prospective visitors. Moreover, labs frequently did not even use the database and failed to enter visitor information. Instead, each lab developed its own computer program independently.

Reviews of security determined that, despite an increase of more than 50 percent in foreign visits to the labs from the mid–1980s to the mid–1990s, DOE controls on foreign visitors actually weakened in two critical areas: screening for visitors that may pose security risks, and monitoring the content of discussions that might touch on classified information. In 1994, DOE headquarters delegated greater authority to approve nonsensitive country visitors to the laboratories, approving a partial exception for Los Alamos and Sandia National Laboratories to forego background checks to help “reduce costs and processing backlogs.” This resulted in almost automatic approval of some foreign visitors and fewer background checks. The FBI and GAO subsequently found that “questionable visitors, including suspected foreign intelligence agents, had access to the laboratories without DOE and/or laboratory officials’ advance knowledge of the visitors’ backgrounds.”52

Changes in records checks over the past decade also made it easier for individuals from sensitive countries to gain access to the laboratories. In 1988, for example, all visitors from Communist countries required records checks regardless of the purpose of the visit. By 1996, records checks were only required for visitors from sensitive countries who visited secure areas or discussed sensitive subjects. An internal DOE task force in 1996 determined that the Department’s definitions of sensitive topics were not specific enough to be useful. It directed the DOE office of intelligence to develop a new methodology for defining sensitive topics, but did not set a due date.
The 1996 group also called for a Deputy Secretary–level review of foreign visits and assignments to be completed by June 1997.53 The PFIAB panel found no evidence to suggest that these tasks were accomplished. In 1997, GAO found that DOE lacked clear criteria for identifying visits that involve sensitive subjects; U.S. scientists may have discussed sensitive subjects with foreign nationals without DOE’s knowledge or approval; and the Department’s counterintelligence program had failed to produce comprehensive threat assessments that would identify likely facilities, technologies, and programs targeted by foreign intelligence.54 The study found that records checks were still not being conducted regularly on foreign visitors from sensitive countries.55

Last year, 7,600 foreign scientists paid visits to the weapons labs.56 Of that total, about 34 percent were from countries that are designated “sensitive” by the Department of Energy—meaning they represent a hostile intelligence threat. The GAO reported last year that foreign nationals had been allowed after-hours and unescorted access to buildings.57

Administration Track Records

CARTER (Schlesinger: Aug '77-Aug '79; Duncan: Aug '79-Jan '81)
- '77 DOE established
- First visiting U.S. scientists to China in '79 and '80 face Chinese elicitation effort.
- Late 1970s FBI investigates possible espionage at a lab.
- '80 GAO reports on problems safeguarding against the spread of nuclear weapons technology.

REAGAN I (Edwards: Jan '81-Nov '82; Hodel: Nov '82-Feb '85; Herrington: Feb '85- )
- '82 DOE's Inspection and Evaluation program formed
- GAO reports safeguards and security of weapons labs not adequate, recommends independent assessments program.
- '83 DOE issues threat guidance to provide a “consistent basis" for identifying vulnerabilities.
- Memo to DOE, DOD states President has "decided to strengthen WH role … concerning the security of U.S. nuclear facilities."
- President signs National Security Decision Directive (NSDD) on DOE security.
- DOE Safeguards and Security Steering Group formed at President's direction to oversee fulfillment of physical security improvements
- GAO reports security concerns at Rocky Flats facility.
- DOE conducts eight internal security inspections at weapons facilities and DOE HQ; provides criticisms and recommendations to DOE management.
- '84 DOE's Central Training Academy established for protective force personnel.

REAGAN II (Herrington: Feb '85-Jan '89)
- '86 Rep. Dingell letter to President re: lab security vulnerabilities, management problems and lack of confidence in DOE.
- Four GAO reports on DOE security and CI problems
- External report requested by DOE finds problems with management of foreign visitors and adequate security.
- '87 Three GAO reports on DOE highlight the transfer of technology to proliferating nations and inefficient security clearance program.
- Seven internal DOE security inspections criticize management and security practices in '87-'88.
- DOE initiates the Personnel Security Assurance Program (PSAP)
- DOE focuses on insider protection and strengthens classified document controls.
- Three DOE IG reports about security clearance problems from '86-'88.
- '88 Intelligence Community paper reflects concerns with international scientific exchanges at the DOE labs.
- President signs NSDD on Nuclear Weapons Safety, Security, and Control.
- FBI detailee to DOE cites inaccessibility to senior DOE managers.
- President states "Improved nuclear security is an important legacy for us to leave the next administration;" DOE official opines that Energy has done "essentially all that can be done against the outsider threat."
- Senate Intelligence Committee staff briefed on CI activities at labs.
- Four GAO reports address DOE security and counter-intelligence problems, including: major weaknesses in foreign visitor controls at labs, and foreign agents possibly gaining access to labs.

BUSH (Watkins: Mar '89-Jan '93)
- '89 New Secretary concerned about 1988 GAO criticism of DOE CI/security, defers DOE annual report on security until he reviews issue; NSC concurs.
- GAO finds insufficient control over weapons-related information and technology.
- '90 Four IG reports on security
- Secretary of Energy Advisory Board (SEAB) chartered
- Interagency CI group prepares assessment of intelligence threat to government facilities from visiting foreign nationals.
- GAO cites lack of clear, concise physical security standards and inconsistent material measurements at labs.
- Freeze Task Force critical of split management of classified and unclassified computer security; finds direction, coordination, conduct and oversight of safeguards and security activities throughout DOE warrant structural changes.
- External CI review highlights DOE's inability to manage comprehensive approach to foreign threat; inadequate oversight, control over secret document inventory; uncoordinated computer security responsibilities.
- '91 Four IG reports criticize security
- GAO reports property, classified document control problems at LLNL; 10,000 documents unaccounted; inability of DOE to track, monitor, and correct security deficiencies
- '87, '89, and '91 GAO reports foreign countries routinely obtaining unclassified but sensitive information that could assist nuclear programs.
- Memo to President highlights previous security problems at DOE, Secretary's efforts to fix the deficiencies.
- '92 Two IG reports on security
- SSCI-requested CI assessment finds DOE headquarters lacks authority to direct labs, CI resources, and current threat information.
- GAO cites weak internal security oversight controls; incomplete safeguards and security planning at DOE facilities.
- DOE Order on CI issued.
- DOE and FBI formalize relationship for conduct of CI activities.
- Internal security report to Secretary finds "personnel are seldom held responsible for their disregard, either intentional or unintentional, of security requirements."
- Another report finds "Problems in management and oversight represent the most significant weakness" for the Department…and "security systems continue to be plagued with potential single point failures."

ASSESSMENTS

RESPONSIBILITY

While cultural, structural, and historical problems have all figured into the management and security and counterintelligence failures of DOE, they should not be construed as an excuse for the deplorable irresponsibility within the agency, the pattern of inaction from those charged with implementation of policies, or the inconsistency of those in leadership positions. The panel identified numerous instances in which individuals were presented with glaring problems yet responded with foot–dragging, finger–pointing, bland reassurances, obfuscations, and even misrepresentations.

The record of inattention and “false start” reforms goes back to the beginning of DOE. There have been several Presidents; National Security Advisors, Energy Secretaries, Deputy Secretaries, Assistant Secretaries, and Lab Directors; scores of DOE Office Directors and Lab managers; and a multitude of Energy Department bureaucrats and Lab scientists who all must shoulder the responsibility and accountability. As noted above, severe lapses in the security of the nation’s most critical technology, data, and materials were manifest at the creation of the DOE more than 20 years ago. Many, if not most, of the problems were identified repeatedly. Still, reforms flagged amid a lack of discipline and accountability. The fact that virtually every one of those problems persisted—indeed, many of the problems still exist—indicates a lack of sufficient attention by every President, Energy Secretary, and Congress.
This determination is in no way a capitulation to the standard of “everyone is responsible, therefore no one is responsible.” Quite the contrary. Even a casual reading of the open–source reports on the Department’s problems presents one with a compelling narrative of incompetency that should have merited the aggressive action of the nation’s leadership. Few transgressions could violate the national trust more than inattention to one’s direct responsibility for controlling the technology of weapons of mass destruction.

The PFIAB panel was not empowered, nor was it charged, to make determinations of whether specific acts of espionage or malfeasance occurred regarding alleged security lapses at the weapons labs. Nor was it tasked to issue performance appraisals of the various Presidents, Energy Secretaries, or members of the Congressional leadership during their respective terms in office. However, an inquiry into the extent to which the system of administrative accountability and responsibility broke down at various times in history has been necessary to fulfill our charter. In fairness, we have tried to examine the nature of the security problems at DOE’s weapons labs in many respects and at many levels, ranging from the circumstances of individuals and the dynamics of group behavior to the effectiveness of mid–level management, the clarity of the laws and regulations affecting the Department, and the effectiveness of leadership initiatives.

THE RECORD OF THE CLINTON TEAM

To its credit, in the past two years the Clinton Administration has proposed and begun to implement some of the most far–reaching reforms in DOE’s history. The 1998 Presidential Decision Directive on DOE counterintelligence (PDD-61) and Secretary Richardson’s initiatives are both substantial and positive steps. We offer an analysis of some of these initiatives, and their likelihood of success, elsewhere in this chapter and elsewhere in this report.
However, the speed and sweep of the Administration’s ongoing response does not absolve it of its responsibility in years past. At the outset of the Clinton Administration—in 1993, when it inherited responsibility for DOE and the glaring record of mismanagement of the weapons laboratories—the incoming leadership did not give the security and counterintelligence problems at the labs the priority and attention they warranted. It will be incumbent on the DOE transition team for the incoming administration in 2001 to pay particular heed to these issues.

While the track record of previous administrations’ responses to DOE’s problems is mixed (see box on previous administrations, on pp. 26-27), the panel members believe that the gravity of the security and counterintelligence mismanagement at the Department will, and should, overshadow post facto claims of due diligence by any administration—including the current one. Asserting that the degree of failure or success with DOE from one administration to the next is relative is, one might say, gilding a figleaf. The fact is that each successive administration had more evidence of DOE’s systemic failures in hand: the Reagan Administration arrived to find several years’ worth of troubling evidence from the Carter, Ford, and Nixon years; the evidence had mounted higher by the time that the Bush Administration took over; and higher still when the Clinton Administration came in. The Clinton Administration has acted forcefully, but it took pressure from below and outside the Administration to get the attention of the leadership, and there is some evidence to raise questions about whether its actions came later than they should have, given the course of events that led to the recent flurry of activity.

Clinton Administration Track Record

O’Leary: Jan ’93–Jan ’97
- ’93 New Secretary works to make labs more open; launches major declassification effort.
- DOE ’92 Annual Report to President does not mention security problems highlighted same year in reports to Secretary.
- GAO criticizes DOE’s ineffective management of personnel security cases.
- Four IG reports on security
- Internal report to Secretary on computer security uncovers lack of access controls; no configuration management; failure to perform management reviews.
- ’94 Three IG reports on security
- FBI detailees to DOE recalled because of “lack of control of the CI program by DOE HQ.”
- Internal report finds classified and unclassified information on lab computer network.
- GAO reports computer security deficiencies found in 1985 at six facilities still not fixed.
- ’95 Four IG reports on security
- Congress considers numerous bills between ’95–’99 to abolish DOE.
- “Galvin Task Force” offers SEAB options for change within the labs.
- “Walk-in” provides documents containing sensitive U.S. nuclear information.
- DOE officials meet with FBI regarding potential espionage involving nuclear weapons data.
- Analysis group formed at DOE to review Chinese weapons program; senior DOE, CIA, White House officials discuss options.
- GAO reports on poor management of nuclear material tracking capabilities
- Laboratory Operations (oversight) Board created.
- ’96 First three lab-to-lab exchanges between U.S. and China.
- Internal DOE report discovers required nuclear material physical inventories not being performed.
- Two IG reports on security
- DOE Deputy Secretary directs six “initiatives” to lab directors and field office heads for the foreign visitors and CI programs (most initiatives ignored after he leaves DOE in 1997).

Pena: Mar ’97–Jun ’98
- ’97 Mar New Secretary confirmed.
- FBI report to Congress and DOE critical of DOE CI capabilities; addresses CI program oversight, foreign visits and assignments, CI analysis, professional training/CI awareness.
- FBI Director personally delivers CI review to Secretary.
- Two additional Lab–to–Lab exchanges held in Beijing.
- DOE staff briefs Congressional staff, and NSC, CIA, FBI senior officials on Chinese nuclear program, possible Chinese espionage before Secretary informed
- DOE increases budget for CI in FY 1997, hires more CI professionals.
- Inter-agency Working Group reports that systemic and serious CI and security problems at DOE have been well documented over at least a ten year period … few of the recommendations in the past studies have been implemented … A senior CI official states “There is every reason to believe the labs will resist” any outside assistance
- National Security Advisor requests independent assessment of China's nuclear program and the impact of U.S. nuclear information.
- Two DOE internal reports cite confusing, fragmented, dysfunctional security management structure.
- External report finds multiple, uncoordinated internal and external oversight activities.
- DCI and FBI Director meet with Secretary to discuss DOE CI problem and reform plan; meeting notes state “Despite all the studies conducted, experience over time has shown that DOE’s structure and culture make reform difficult, if not impossible, from within.”
- Internal DOE report states “in all candor, we have been hampered in meeting [the safeguards and security] obligations by organizational obstacles and competing internal interests.”
- PDD–61 drafted, coordinated in inter-agency process.
- DOE’s Laboratory Operations Board finds “inefficiencies due to the Department's complicated management structure.”
- Peter Lee (formerly of LLNL) pleads guilty, inter alia, to transmitting classified national defense information to representatives of the PRC in ’85.
- GAO finds faulty procedures for foreign visitor indices checks and controlling dissemination of sensitive information; lack of clear criteria for identifying visits that involve sensitive subjects; indirect and inconsistent CI funding; DOE CI programs not based on comprehensive assessment of foreign espionage threat.
- Institute of Defense Analyses’ “120 Day Report” finds inadequate management of DOE workforce and confusing chains of command.
- ’98 Feb. President signs PDD-61.
- External report says DOE management and oversight of security problematic
- Security Management Board created by Congress, meets twice in next 18 months
- CIA/FBI report provided to Congress on Chinese espionage activities.
- Jun 30 Secretary resigns, Deputy designated as Acting Secretary.
- DOE’s 90-day report on CI reveals problems remain regarding separate management of classified and unclassified information.
- Lab-to-lab exchange held in Beijing.

Richardson: Aug ’98 –
- ’98 Aug 18 New Secretary sworn in
- GAO again finds problems in DOE’s foreign visitor program; notes lack of clear procedures for identifying sensitive subjects.
- External report highlights lack of DOE oversight expertise and ad hoc security structure.
- Per PDD–61, assessment of the foreign collection threat against DOE published.
- '99 DOE security review finds “unhealthy, adversarial environment of mistrust among DOE security organizations,” recommends several management process changes
- Cox Committee publishes report
- Lab-to-Lab exchange held in Beijing.
- President directs PFIAB to review security, CI at labs; directs Intelligence Community to conduct damage assessment of possible security breaches at labs; directs CI community to review security of nuclear weapons information in USG.
- DOE CI Implementation Plan delivered to Secretary.
- GAO reports inadequate separation of classified and unclassified computer networks at same lab in 1988, 1992, 1994, and 1998.
- “Chiles Report” describes management problems in nuclear weapons program.
- Internal DOE report highlights computer security problems at a lab.
- DOE counterintelligence implementation plan (per PDD–61) issued to labs.
- DOE shuts down all classified computers at LANL, LLNL, and SNL.
- DOE holds tri-lab computer security conference.
- Secretary announces new security organization at DOE, to be headed by a “security czar.”

THE 1995 ‘WALK-IN’ DOCUMENT

In 1995, a U.S. intelligence agency obtained information that has come to be called the “walk-in” document. A copy of a classified PRC report, it contains a discussion of various U.S. nuclear warheads. The PFIAB has carefully reviewed this document, related information, and the circumstances surrounding its delivery. Serious questions remain as to when it was written, why it was written, and why it was provided to the U.S. We need not resolve these questions.

The document unquestionably contains some information that is still highly sensitive, including descriptions, in varying degrees of specificity, of technical characteristics of seven U.S. thermonuclear warheads. This information had been widely available within the U.S. nuclear weapons community, including the weapons labs, other parts of DOE, the Department of Defense, and private contractors, for more than a decade. For example, key technical information concerning the W–88 warhead had been available to numerous U.S. government and military entities since at least 1983 and could well have come from many organizations other than the weapons labs.

W-88 INVESTIGATION

Despite the disclosure of information concerning seven warheads, despite the potential that the source or sources of these disclosures were other than the bomb designers at the national weapons labs, and despite the potential that the disclosures occurred as early as 1982, only one investigation was initiated. That investigation focused on only one warhead, the W–88, only one category of potential sources—bomb designers at the national labs—and on only a four-year window of opportunity. It should have been pursued in a more comprehensive manner. The allegations raised in the investigation should still be pursued vigorously. And the inquiry should be fully explored—regardless of the conclusions that may result.
The episode began as an administrative inquiry conducted by the DOE Office of Energy Intelligence, with limited assistance from the FBI. It developed into an FBI investigation, which is still under way today. Allegations concerning this case and related activities highlighted the need for improvements in the DOE’s counterintelligence program, led along the way to the issuance of a Presidential Decision Directive revamping the DOE’s counterintelligence program, formed a substantial part of the information underlying the Cox Committee’s conclusions on nuclear weapons information, and ultimately led, at least in part, to the President’s decision to ask this Board to evaluate security and counterintelligence at the DOE’s weapons labs.

It is not within the mandate of our review to solve the W–88 case or any other potential compromises of nuclear weapons information. Further, it is not within our mandate to conduct a comprehensive and conclusive evaluation of the handling of the W–88 investigation by the DOJ and FBI. In fact, as we understand it, that is the purpose of a task force recently appointed by the Attorney General. We trust that among the issues that the task force will resolve are:

- Whether the FBI committed sufficient resources, including agents with appropriate expertise, and demonstrated a sense of urgency commensurate with an apparent compromise of classified U.S. nuclear weapons information;
- Whether the DOJ Office of Intelligence Policy Review (OIPR) applied an inappropriately high standard to the FBI’s request for electronic surveillance under the Foreign Intelligence Surveillance Act (FISA);
- Whether the FBI provided to DOJ OIPR all U.S. government information relevant to an appropriate evaluation of the FBI’s FISA request;
- Why the FBI’s FISA request did not include a request to monitor or search the subject’s workplace computer systems, particularly since an attorney in the FBI’s General Counsel Office had provided an opinion in 1996 that such monitoring or searching in this case would require FISA authorization;
- Why the FBI did not learn until recently that in 1995 the subject had executed a series of waivers authorizing monitoring of his workplace computer systems;
- Whether the FBI adequately raised to the Attorney General the FBI’s concerns over the declination of the FISA request;
- Whether communications regarding the subject’s job tenure broke down between DOE, FBI, and Los Alamos;
- Whether the DOJ OIPR maintained appropriate records concerning FISA requests that were declined;
- Whether the FBI appropriately relied on technical opinions provided by the DOE;
- Why DOE, rather than the FBI, conducted the first polygraph examination in this case when the case was an open FBI investigation; and, perhaps most importantly,
- Whether additional cases should be opened to investigate whether the apparent disclosures may have arisen out of organizations other than Los Alamos lab.

Again, resolving these issues is not within our mandate. It is, however, explicitly within our mandate to identify additional steps that may need to be taken to address the security and counterintelligence threats to the weapons labs. Also, it is within our standing PFIAB obligation under Executive Order 12863 to assess the adequacy of counterintelligence activities beyond the labs. In this regard, what we have learned from our limited review of the W-88 case and other cases are significant lessons that extend well beyond these particular cases. These lessons relate directly to additional steps we believe must be taken to strengthen our safeguards against current security and foreign intelligence threats.
Those steps are discussed further in the Classified Appendix to this report. We have learned, for example, that under the current personnel security clearance system a person who is under FBI investigation for suspected counterintelligence activities may sometimes be granted a new or renewed clearance. We also have learned that although the written standards for granting a first clearance and for renewing an existing clearance may be identical, the actual practice that has developed—certainly within DOE and we strongly suspect elsewhere—is that clearance renewals will be granted on a lower standard. We find such inconsistency unacceptable. We think it appropriate for the National Security Council to review and resolve these issues.

We have also learned that the legal weapons designed to fight the counterintelligence battles of the 70s have not necessarily been rigorously adapted to fight the counterintelligence battles of the 90s (and beyond). For example, with the passage of more than twenty years since the enactment of the Foreign Intelligence Surveillance Act (FISA) of 1978, it may no longer be adequate to address the counterintelligence threats of the new millennium. We take no position on whether the statute itself needs to be changed. It may well still be sufficient. However, based on all of the information we have reviewed and the interviews we have conducted, and without expressing a view as to the appropriateness of the DOJ decision in the W–88 case, we do believe that the Department of Justice may be applying the FISA in a manner that is too restrictive, particularly in light of the evolution of a very sophisticated counterintelligence threat and the ongoing revolution in information systems. We also are concerned by the lack of uniform application across the government of various other investigative tools, such as employee waivers that grant officials appropriate authority to monitor sensitive government computer systems.
Moreover, there does not exist today a systematic process to ensure that the competing interests of law enforcement and national security are appropriately balanced. Law enforcement, rightly so, is committed to building prosecutable cases. This goal is often furthered by leaving an espionage suspect in place to facilitate the gathering of more evidence. The national security interest, in contrast, is often furthered by immediately removing a suspect from access to sensitive information to avoid additional compromises. Striking the proper balance is never easy. It is made all the more difficult when there is no regular process to ensure that balance is struck. We have learned in our review that this difficult decision often is made by officials who either are too focused on the investigative details or are too unaware of the details to make a balanced decision. This is another matter deserving National Security Council attention.

PFIAB EVALUATION OF THE INTELLIGENCE COMMUNITY DAMAGE ASSESSMENT

Following receipt of the “walk-in” document, CIA, DOE, Congress, and others conducted numerous analyses in an effort to determine the extent of the classified nuclear weapons information the PRC has acquired and the resultant threat to U.S. national security. Opinions expressed in the media and elsewhere have ranged from one extreme to the other. On one end of the spectrum is the view that the Chinese have acquired very little classified information and can do little with it. On the other end is the view that the Chinese have nearly duplicated the W–88 warhead. After reviewing the available intelligence and interviewing the major participants in many of these studies, we conclude that none of these extreme views holds water. For us, the most accurate assessment of China’s acquisition of classified U.S. nuclear weapons information and the resultant threat to U.S. national security is presented in the April 1999 Intelligence Community Damage Assessment.
Written by a team of experts, this assessment was reviewed and endorsed by an independent panel of national security and nuclear weapons specialists, chaired by Admiral David Jeremiah. We substantially agree with the assessment’s analysis and endorse its key findings. The full text of the assessment’s unclassified summary appears in the unclassified appendix.

PRESIDENTIAL DECISION DIRECTIVE 61: BIRTH AND INTENT

In mid–1997, it became clear to an increasingly broader range of senior administration officials that DOE’s counterintelligence program was in serious trouble.1 In late July, DOE officials briefed the President’s National Security Advisor, who concluded that, while the real magnitude and national security implications of the suspected espionage needed closer scrutiny, there was nonetheless a solid basis for taking steps to strengthen counterintelligence measures at the labs. He requested an independent CIA assessment of China’s nuclear program and the impact of U.S. nuclear information, and he directed that the National Counterintelligence Policy Board (NACIPB)2 review the DOE counterintelligence program. That September, the National Security Advisor received the CIA assessment, and the NACIPB reported back that it had found “systemic and serious CI and security problems at DOE [had] been well documented over at least a ten year period” and “few of the recommendations in the past studies [had] been implemented.” The NACIPB made 25 recommendations to significantly restructure the DOE CI program; it also proposed that a Presidential Decision Directive or Executive Order be handed down to effect these changes. At an October 15 meeting, the Director of Central Intelligence and the FBI Director discussed with Secretary Pena and his Deputy Secretary the need to reform the DOE CI program.
The DCI and FBI Director sought to make clear there was an urgent need to act immediately, and “despite all the studies conducted, experience over time [had] shown that DOE’s structure and culture make reform difficult, if not impossible, from within.” All agreed to develop an action plan that would serve as the basis for a Presidential Decision Directive. Several senior officials involved felt that the necessary reforms would—without the mandate of a Presidential directive—have little hope of overcoming the anticipated bureaucratic resistance, both at DOE headquarters and at the labs. There was a clear fear that, “if the Secretary spoke, the bureaucracy wouldn’t listen; if the President spoke, the bureaucracy might at least listen.” That winter, the NSC coordinated a draft PDD between and among the many agencies and departments involved. Serious disagreements arose over several issues, particularly the creation of independent reporting lines to the Secretary for the Intelligence and Counterintelligence Offices. Also at issue was the subordination of the CI officers at the labs. Much of the resistance stemmed simply from individuals interested in preserving their turf won in previous DOE bureaucratic battles. After much bureaucratic maneuvering and even vicious in–fighting, these issues were finally resolved, or so it seemed; and on February 11, 1998, the President signed and issued the directive as PDD-61. The full PDD remains classified. An unclassified summary, which contains all significant provisions, is set forth in the unclassified annex. 
In our view, among the most significant of the 13 initiatives directed by PDD-61 are:

The CI and foreign intelligence (FI) elements would be reconfigured into two independent offices and report directly to the Secretary of Energy;

The Director of the new Office of CI (OCI) would be a senior executive from the FBI and would have direct access to the Secretary of Energy, the DCI and the Director of the FBI;

Existing DOE contracts with the labs would be amended to include CI program goals and objectives and performance measures to evaluate compliance with these contractual obligations, and CI personnel assigned to the labs would have direct access to the lab directors and would concurrently report to the Director, OCI;

The incoming Director, OCI would prepare a report for the Secretary of Energy ninety days after his arrival that would address progress on the initiative, a strategic plan for achieving long-term goals, and recommendations on whether and to what extent other organizational changes may be necessary to strengthen CI; and,

Within 120 days, the Secretary of Energy would advise the Assistant to the President for National Security Affairs on the actions taken and specific remedies designed to implement this directive.

On April 1, 1998, a senior executive from the FBI assumed his duties as the Director of the OCI, and began his 90–day study. He completed and forwarded it to the Secretary of Energy on July 1, the day after Secretary Pena resigned. The Acting Secretary led a review of the study and its recommendations. On August 18, Secretary Richardson was sworn in. On November 13, he submitted the action plan required by the PDD to the National Security Advisor. Secretary Richardson continued to develop an implementation plan. The completed implementation plan was delivered to Secretary Richardson on February 3, 1999, and issued to the labs on March 4.
TIMELINESS OF PDD–61 Criticism has been raised that the PDD took too long to be issued and has taken too long to implement. Although the current National Security Advisor was briefed on counterintelligence concerns by DOE officials in April of 1996, we are not convinced that the briefing provided a sufficient basis to require initiation of a broad Presidential directive at that time. We are convinced, however, that the July 1997 briefing, which we are persuaded was much more comprehensive, was sufficient to warrant aggressive White House action. We believe that while the resulting PDD was developed and issued within a customary amount of time, these issues had such national security gravity that it should have been handled with more dispatch. That there were disagreements over various issues is not surprising; that the DOE bureaucracy dug in its heels so deeply in resisting clearly needed reform is very disturbing. In fact, we believe that the NACIPB, created by PDD in 1994, was a critical factor in ram–rodding the PDD through to signature. Before 1994, there was no real structure or effective process for handling these kinds of issues in a methodical way. Had the new structure not been in place and working, we doubt if the PDD would have made it. With regard to timeliness of implementation, we have far greater concern. It is not unreasonable to expect that senior DOE officials would require some time to evaluate the new OCI Director’s 90–day study, and we are aware that Secretary Richardson did not assume his DOE duties until mid–August. However, we find unacceptable the more than four months that elapsed before DOE advised the National Security Advisor on the actions taken and specific remedies developed to implement the Presidential directive, particularly one so crucial. More critically, we are disturbed by bureaucratic foot–dragging and even recalcitrance that ensued after issuance of the Presidential Decision Directive. 
Severe disagreements erupted over several issues, including whether the CI program would apply to all of the labs, not just the weapons labs, and the extent to which polygraph examinations would be used in the personnel security program. We understand that some DOE officials declined to assist in the implementation simply by declaring that, “It won’t work.” The polygraph program was finally accepted into the DOE’s security reforms only after the National Security Advisor and the DCI personally interceded. The fact that the Secretary’s implementation plan was not issued to the labs until more than a year after the PDD was issued tells us DOE is still unconvinced of Presidential authority. We find worrisome the reports of repeated and recent resistance by Office of Management and Budget officials to requests for funding to implement the counterintelligence reforms mandated by PDD-61. We find vexing the reports we heard of OMB budgeteers lecturing other government officials on the “unimportance” of counterintelligence at DOE.

SECRETARY RICHARDSON’S INITIATIVES

Since November of 1998 and especially since April of this year, Secretary Richardson has taken commendable steps to address DOE’s security and counterintelligence deficiencies. In November of last year, in the action plan required by PDD-61, Secretary Richardson detailed 31 actions to be taken to reform DOE’s counterintelligence program. These actions addressed the structure of the counterintelligence program, selection and training of field counterintelligence personnel, counterintelligence analysis, counterintelligence and security awareness, protections against potential “insider threats,” computer security, and relationships with the FBI, the Central Intelligence Agency, and the National Security Agency.
Though many matters addressed in the action plan would require further evaluation before specific actions would be taken, immediate steps included granting to the Office of Counterintelligence (OCI) direct responsibility for programming and funding counterintelligence activities of all DOE field offices and laboratories; granting the Director, OCI the sole authority to propose candidates to serve as the counterintelligence officers at the weapons labs; and instituting a policy for a polygraph program for employees with access to sensitive information. In April of 1999, in an effort to eliminate multiple reporting channels and improve lines of communication, direction and accountability, Secretary Richardson ordered changes in the department’s management structure. In short, each of the 11 field offices reports to a Lead Program Secretarial Office (LPSO). The LPSO has “overall line accountability for site-wide environment, safety and health, for safeguards and security and for the implementation of policy promulgated by headquarters staff and support functions.” A newly established Field Management Council is to be charged with program integration. In May of 1999, Secretary Richardson announced substantial restructuring of the security apparatus at DOE. Among these is the new Office of Security and Emergency Operations, responsible for all safeguards and security policy, cyber–security, and emergency functions throughout DOE. It will report directly to the Secretary and consist of the Office of the Chief Information Officer, an Office of Emergency Management and Response, and an Office of Security Affairs, which will include the Office of Safeguards and Security, the Office of Nuclear and National Security Information, the Office of Foreign Visits and Assignments, and the Office of Plutonium, Uranium, and Special Material Inventory. Also announced was the creation of the Office of Independent Oversight and Performance Assurance.
It also will report directly to the Secretary to provide independent oversight for safeguards and security, special nuclear materials accountability, and other related areas. To support additional cyber-security improvements, DOE will be asking Congress for an additional $50 million over the next two years. Improvements are to include continual monitoring of DOE computers for unauthorized and improper use. New controls will also be placed on computers and workstations, removable media, removable drives, and other devices that could be used to download files. In addition, warning “banners” are now mandatory on all computer systems to alert users that these systems are subject to search and review at the government’s discretion. Cyber–security training is also to be improved. Secretary Richardson further announced additional measures designed to strengthen DOE’s counterintelligence program. They include: a requirement that DOE officials responsible for maintaining personnel security clearances be notified of any information that might affect the issuance or maintenance of such a clearance, even when the information does not rise to the level of a criminal charge; and mandatory reporting by all DOE employees of any substantive contact with foreign nationals from sensitive countries. DOE also plans to strengthen its Security Management Board; accelerate actions necessary to correct deficiencies in security identified in the 1997/1998 Annual Report to the President on Safeguards and Security; expedite improvements in the physical security of DOE nuclear weapons sites; and delay the automatic declassification of documents more than 25 years old. In sum, as of mid-June of 1999, progress has been made in addressing counterintelligence and security. Of note, all of the PDD–61 requirements are reported to have been substantially implemented. Other important steps also reportedly have been completed. 
Among these are the assignment of experienced counterintelligence officers to the weapons labs.

PROSPECTS FOR REFORMS

Although we applaud Secretary Richardson’s initiative, we seriously doubt that his initiatives will achieve lasting success. Though certainly significant steps in the right direction, Secretary Richardson’s initiatives have not yet solved the many problems. Significant objectives, all of which were identified in the DOE OCI study completed nearly a year ago, have not yet been fully achieved. Among these unmet objectives are revising the DOE policy on foreign visits and establishing an effective polygraph examination program for selected, high–risk programs. Moreover, the Richardson initiatives simply do not go far enough. These moves have not yet accomplished some of the smallest fixes—despite huge levels of attention and Secretarial priority. Consider the following example: with all the emphasis of late on computer security, including a weeks–long stand–down of the weapons labs computer systems directed by the Secretary, the stark fact remains that, as of the date of this report, a nefarious employee can still download secret nuclear weapons information to a tape, put it in his or her pocket, and walk out the door. Money cannot really be the issue. The annual DOE budget is already $18 billion. There must be some other reason. Under the Richardson plan, even if the new “Security Czar” is given complete authority over the more than $800 million ostensibly allocated each year to security of nuclear weapons-related functions in DOE, he will still have to cross borders into other people’s fiefdoms, causing certain turmoil and infighting. If he gets no direct budget authority, he will be left with little more than policy guidance.
Even then, as the head of a staff office, under the most recent Secretary Richardson reorganization he has to get the approval of yet another fiefdom, the newly created Field Management Council, before he can issue policy guidance. Moreover, he is unlikely to have much success in obtaining approval from that body when he is not even a member—and the majority of those who are members are the very program managers that his policy guidance would affect.

TROUBLE AHEAD

Perhaps the most troubling aspect of the PFIAB’s inquiry is the evidence that the lab bureaucracies—after months at the epicenter of an espionage scandal with serious implications for U.S. foreign policy—are still resisting reforms. Equally disconcerting, other agencies have joined the security skeptics list. In the past few weeks, officials from DOE and other agencies have reported to us:

There is a heightened attention to security at the most senior levels of DOE and the labs, but at the mid–level tiers of management there has been lackluster response and “business as usual.”

Unclassified but sensitive computer networks at several weapons labs are still riddled with vulnerabilities.

Buildings that do not meet DOE security standards are still being used for open storage of weapons parts.

Foreign nationals—some from sensitive countries—residing outside a weapons lab have remote dial-up access to unclassified networks without any monitoring by the lab.

In an area of a weapons lab frequented by foreign nationals, a safe containing restricted data was found unsecured. It had not been checked by guards since August 1998. When confronted with the violation, a mid–level official is said to have implied that it was not an actual security lapse because the lock had to be “jiggled” to open the safe door.

A weapons lab was instructed to monitor its outgoing email for possible security lapses. The lab took the minimal action necessary; it began monitoring emails but did not monitor the files attached to emails.
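The email-monitoring report just above, a monitor that read message text but never looked inside attachments, is a failure mode worth seeing in working code. The following Python example is added by the editor; it is not from the PFIAB report, DOE, or any lab, and the marking pattern, addresses, file name and message content are all constructed for the illustration. It builds a MIME message with a bland body and a base64-encoded attachment carrying the marking, then compares three checks: a regex over the raw wire form, a body-only scan like the one the report describes, and a scan that decodes every leaf part, attachments included.

```python
"""Outgoing-mail check: body-only scanning versus scanning every MIME part.

Added illustration; the marking pattern, addresses and message content are
constructed for the example and are not taken from any real system.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Hypothetical marking pattern; a real deployment would use its own markings.
MARKING = re.compile(r"SECRET|RESTRICTED DATA")


def build_sample_message(body_text: str = "Here is the note we talked about.") -> str:
    """Constructed message: a bland body plus a base64-encoded attachment
    whose decoded content carries the marking."""
    msg = EmailMessage()
    msg["From"] = "user@lab.example"
    msg["To"] = "friend@outside.example"
    msg["Subject"] = "design note"
    msg.set_content(body_text)
    note = b"SECRET//RESTRICTED DATA\nPrimary geometry notes (made-up text)\n"
    # Bytes with an application/* type are base64-encoded on the wire, so the
    # marking is not visible in the raw message at all.
    msg.add_attachment(note, maintype="application", subtype="octet-stream",
                       filename="note.bin")
    return msg.as_string()


def _decoded_text(part) -> str:
    """Undo the Content-Transfer-Encoding and decode to text for matching."""
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "utf-8", errors="replace")


def scan_raw_text(raw: str) -> bool:
    """Naive check: regex over the wire form. Misses base64-encoded parts."""
    return MARKING.search(raw) is not None


def scan_body_only(raw: str) -> list[str]:
    """The weak check the report describes: inspects the message body only."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and MARKING.search(_decoded_text(body)):
        return ["body"]
    return []


def scan_all_parts(raw: str) -> list[str]:
    """Stronger check: decode and inspect every leaf part, attachments included.
    Returns the labels (filename or content type) of the parts that match."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        label = part.get_filename() or part.get_content_type()
        if MARKING.search(_decoded_text(part)):
            hits.append(label)
    return hits


if __name__ == "__main__":
    raw = build_sample_message()
    print("raw regex :", scan_raw_text(raw))    # False
    print("body only :", scan_body_only(raw))   # []
    print("all parts :", scan_all_parts(raw))   # ['note.bin']
```

Two caveats a deployment would need beyond this sketch: the scan only catches what it can decode, so archives, password-protected or encrypted files, and binary document formats each need their own extractor before the pattern match means anything; and the filename and content type are supplied by the sender, so they are labels for reporting, not a basis for deciding which parts to skip.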
When Secretary Richardson ordered the recent computer stand-down, there was great resistance, and when it came time to decide if the labs’ computers could be turned on again, a bevy of DOE officials fought to have final approval power.

BACK TO THE FUTURE

In 1976, federal officials conducted a study of the nation’s nuclear weapons laboratories and plants. In trying to devise a coherent and viable way of managing the labs, they settled on three possible solutions: place the weapons labs under the Department of Defense, make them a free–standing agency, or leave them within the Energy Research and Development Administration. Congress chose to leave the weapons labs within ERDA, the successor agency of the Atomic Energy Commission. Nearly a decade later, the oversight of the weapons labs was still of great concern. Senators Sam Nunn and John Warner led a push to place the weapons labs under the auspices of the Department of Defense. However, the Reagan Administration staved off their effort by agreeing to put together a blue–ribbon panel to study the issue. The panel studied the problem for six months and issued a report in July, 1985. Again, Congress and federal officials weighed whether the weapons labs should be transferred to the Department of Defense or restructured to be given more autonomy. The status quo prevailed. The weapons labs stayed within the Department of Energy. As this report has detailed, problems in the managerial relationship between DOE and the weapons labs have persisted, perhaps even increased, over the past 14 years. Indeed, the discussion today sounds hauntingly familiar to the discussions in the 1980s and 1970s. Today, however, there is a difference. The record of mismanagement of the weapons labs in matters of security and counterintelligence has become so long and so compelling as to demand a rejection of the status quo.
There can be no doubt that the current structure of the Department of Energy has failed to give the nation’s weapons laboratories the level of care and attention they warrant. Thus, our panel is recommending deep and lasting structural change that will give the weapons laboratories the accountability, clear lines of authority, and priority they deserve.

REORGANIZATION

What makes a government agency run well? There are a multitude of characteristics that arguably can make for an efficient and effective government agency or department. This Panel holds no illusions about the completeness of its understanding nor the purity of its wisdom regarding government bureaucracies. Indeed, some people would say that truly comprehending the inner workings of a federal department is the intellectual equivalent of grasping the enormity of the universe. Over the course of many years, however, we, as members of the President’s Foreign Intelligence Advisory Board, have evaluated the performance of numerous federal entities, from the Department of Defense to the Foreign Broadcast Information Service. Some, we found, were in good order, others in pretty bad shape. In that sense, we believe we do know a lot about what makes some agencies work and not work. Although somewhat subjective and by no means exhaustive, our list of “good” things to look for includes several attributes.

LEADERSHIP

Certainly at the top, but also throughout the organization. The leaders and managers set the standards and expectations regarding performance and accountability. They are the foundation upon which a successful organizational culture is built. If management sets, demonstrates and enforces high standards for performance and accountability, there is a strong likelihood that the organization will follow. And, longevity is a key ingredient. For example, Daniel S. Goldin, Administrator of the National Aeronautics and Space Administration (NASA), was named to his post in the spring of 1992.
Goldin has won considerable acclaim for demanding nothing but the best from his employees, and thereby turning around a bureaucracy that had become ossified and recalcitrant to higher authority, including the President. He did not do it overnight, though. His “watch” is now seven years long and still going. By contrast, the average stay for an Energy Secretary has been about two and a half years; a Deputy Secretary, less than two years; and an Under Secretary, less than 18 months.1

CLARITY OF MISSION

Employees must know who they are and why they are there. Mission statements may seem corny to some, but from our experience good ones work. NASA’s is crisp, clear and bold: “NASA is an investment in America’s future. As explorers, pioneers and innovators, we boldly expand frontiers in air and space to inspire and serve America, and to benefit the quality of life on Earth.” The Energy Department also declares itself a department of the future; its slogan is “Science, Security and Energy: Powering the 21st Century.” However, we wonder if the DOE employees in the field really have a sense of purpose and direction. Those at the Oakland Operations Office are challenged to, “serve the public by executing programs and performing DOE contract management.” At Albuquerque Operations Office, the rallying cry is, “to contribute to the welfare of the nation by providing field-level federal management to assure effective, efficient, safe and secure accomplishment of the Department’s national defense, environmental quality, science and technology, technology transfer and commercialization and national energy objectives.”2

DEDICATION TO EXCELLENCE

It is the responsibility of leadership to emphasize continuously and top-to-bottom the absolute importance of quality of performance. People truly dedicated to excellence usually achieve it.

EMPHASIS ON CORE COMPETENCIES

Those agencies that constantly emphasize the business areas in which they must absolutely excel, usually do so.
At NASA, we are told, rarely, if ever, does the Administrator give a speech in which safety is not emphasized. DOE has appropriately emphasized excellence in the quality of its scientific and technical work, but only recently has begun to emphasize security, and only in recent months has articulated the importance of counterintelligence. The panel was hard pressed to find either words mentioned in speeches by most of Secretary Richardson’s predecessors.

MINIMAL POLITICAL PRESSURES

Blessed is the government manager whose operations fall into only a handful of Congressional districts and under the purview of only a couple of oversight committees. It doesn't take a nuclear scientist to understand that the more Congressional districts and committees with which a federal agency must contend, the more it is politically whip–sawed in its priorities and stuffed with pork. We suspect the Department of Energy probably holds some federal records: its multitudinous and widely cast operations come under the scrutiny of no less than 18 Congressional committees and fund well-paying federal and contractor jobs in more than 50 congressional districts.

STREAMLINED FIELD OPERATIONS

In just about any endeavor, but especially in managing government contracts, simpler is better. Managing government contracts has become a major function in more and more agencies and departments as they seek to cut costs. We know of a few good examples of agencies where this effort is both efficient and effective. One is the National Reconnaissance Office (NRO), a semi-autonomous Defense Department agency, which has long managed huge contracts with major industrial firms that have built and help operate our nation's surveillance satellites. The NRO, however, came under heavy fire several years ago for budget irregularities, partly as a result of tangled lines of bureaucratic authority.
Today, after some substantial streamlining, multi-million dollar contracts are run out of program management offices at NRO Headquarters on a line of accountability leading directly to the contracting company. Rather than maintaining large field offices, the NRO employs only a handful of representatives in the field—typically only one or two people resident at their largest contractors. The rest is done from Washington. To manage their largest contracts, no more than 15 contracting officers—from worker–level to management —are involved. Some are worth several billion dollars. Currently, the NRO manages over 1,000 contracts worldwide, with a combined value numbering in the tens of billions of dollars. They manage these contracts using a staff of approximately 250 contract officers.3 Though we acknowledge that there are differences between the missions of NRO’s satellite contractors and DOE’s nuclear weapons lab contractors, we are stunned by the huge numbers of DOE employees involved in overseeing a